L-17-189, Response to Request for Additional Information Regarding License Amendment Request to Adopt National Fire Protection Association (NFPA) Standard 805 (CAC No. MF7190): Difference between revisions

{{Adams
| number = ML17170A000
| issue date = 06/16/2017
| title = Response to Request for Additional Information Regarding License Amendment Request to Adopt National Fire Protection Association (NFPA) Standard 805 (CAC No. MF7190)
| author name = Boles B D
| author affiliation = FirstEnergy Nuclear Operating Co
| addressee name =
| addressee affiliation = NRC/Document Control Desk, NRC/NRR
| docket = 05000346
| license number = NPF-003
| contact person =
| case reference number = CAC MF7190, L-17-189
| document type = Letter type:L, Response to Request for Additional Information (RAI)
| page count = 25
| project = CAC:MF7190
| stage = Response to RAI
}}
 
=Text=
{{#Wiki_filter:FENOC FirstEnergy Nuclear Operating Company
5501 North State Route 2, Oak Harbor, Ohio 43449
419-321-7676 Fax: 419-321-7582

Brian D. Boles, Vice President - Nuclear

June 16, 2017
L-17-189

ATTN: Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

==SUBJECT:==
Davis-Besse Nuclear Power Station, Unit No. 1
Docket No. 50-346, License No. NPF-3
Response to Request for Additional Information Regarding License Amendment Request to Adopt National Fire Protection Association (NFPA) Standard 805 (CAC No. MF7190)

By letter dated December 16, 2015 (ADAMS Accession No. ML15350A314), as supplemented by letters dated March 7, 2016, July 28, 2016, December 16, 2016, and January 17, 2017 (Accession Nos. ML16067A195, ML16210A422, ML16351A330, and ML17017A504 respectively), FirstEnergy Nuclear Operating Company (FENOC) submitted a license amendment request to change the Davis-Besse Nuclear Power Station, Unit No. 1 fire protection program to one based on the National Fire Protection Association Standard 805, "Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants," 2001 Edition. The Nuclear Regulatory Commission (NRC) staff requested additional information in a letter dated April 19, 2017 (Accession No. ML16256A066) to complete its review of the LAR. In accordance with the April 19, 2017 letter, the FENOC response is attached. There are no regulatory commitments contained in this submittal.
If there are any questions or if additional information is required, please contact Mr. Thomas A. Lentz, Manager - Fleet Licensing, at 330-315-6810.

I declare under penalty of perjury that the foregoing is true and correct. Executed on June lu, 2017.

Sincerely,
Brian D. Boles

Davis-Besse Nuclear Power Station, Unit No. 1
L-17-189
Page 2
 
==Attachment:==
 
Response to Request for Additional Information

cc: NRC Regional Administrator - Region III
NRC Resident Inspector
NRC Project Manager
Executive Director, Ohio Emergency Management Agency, State of Ohio (NRC Liaison)
Utility Radiological Safety Board

Attachment L-17-189
Response to Request for Additional Information
Page 1 of 23

The NRC requested additional information to complete its review of a FENOC license amendment request (LAR) for the Davis-Besse Nuclear Power Station (DBNPS). The LAR would change the current fire protection program to one based on the National Fire Protection Association Standard 805 (NFPA 805), "Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants," 2001 Edition. The NRC staff's request is provided below in bold text followed by the corresponding FENOC response.
Fire Protection Engineering (FPE) Request for Additional Information (RAI) 01.01

LAR Table B-3, "Nuclear Safety Performance Criteria [NSPC]," identifies an instrument modification to address variance from deterministic requirement (VFDR) DB-2033. In response to FPE RAI 01.c (December 16, 2016), the licensee stated:

DB-2033 will be added to Table S-1. If DB-2036 in Table S-2 concludes the instrumentation in its current condition will remain available after an inadvertent containment spray, then no modification for DB-2033 will be necessary. If modifications are required, then adding DB-2033 to Table S-1 will ensure they are implemented.

LAR Table S-2, "Implementation Items," describes item DB-2036 as an update to documentation, such as system assurance and fire protection engineering software (SAFE), for containment spray modifications and instrumentation.
: a. If the containment spray modifications are new modifications required to meet the NSPC, describe the modifications and revise LAR Attachment S, Table S-1, "Plant Modifications Committed," as appropriate. Otherwise, describe how the modifications will resolve the variance identified in DB-2033.
: b. Specify if the containment spray modifications will meet the NSPC using a deterministic approach or a performance-based approach. If the modifications will be credited as part of a performance-based compliance strategy, discuss how it meets the risk criteria, maintains safety margins, and maintains defense-in-depth. Also, discuss how the modifications will affect the fire risk values in LAR Attachment W for the plant (i.e., core damage frequency and large early release frequency) and the applicable fire areas.

Response:

In the response to FPE RAI 01.c, FENOC indicated that, should DB-2036 conclude the instrumentation in its current condition remains available after inadvertent containment spray, then no modification (DB-2033) will be necessary.
The instrumentation listed in DB-2033 will not need modifications to meet the NSPC. An evaluation dated November 29, 2016 concluded that the components in DB-2033 are protected from an inadvertent containment spray. However, this report also concluded that some of the temperature elements were not qualified for submergence.
In the event of inadvertent containment spray, operator actions to stop containment spray are required in order to prevent equipment submergence.
The necessary operator actions will be added to VFDRs DB-1028, DB-1409, and DB-1751. The results of these additional recovery actions will be incorporated into the updates included with PRA RAI 03. A revision to LAR Attachment G will be provided in a future transmittal.
DB-2033 will not be added to LAR Attachment S, Table S-1 since upgrades to instrumentation seals are unnecessary.
DB-2036 will remain in LAR Attachment S, Table S-2 to update documentation such as SAFE and procedures for the environmentally qualified equipment.

FPE RAI 04.01

LAR Attachment L, Approval Request 2, states: "Flame spread to adjacent cable trays in high density safety-related areas is also reduced by the use of bottom trays with a layer of ceramic fiber on top." The licensee's response to FPE RAI 04.b (December 16, 2016) states that cable trays in fire compartment 11-01 (turbine building) do not have ceramic fiber on top as originally indicated in LAR Table 4-3. Describe how an exposure fire that could potentially impact the thermoplastic cables in fire compartment 11-01, which does not have the ceramic fiber installed on the top of the trays, will not affect the ability to meet the NSPC and will maintain the safety margins and defense-in-depth, as described in Approval Request 2.

Response:
LAR Attachment L Approval Request 2 refers to "cable trays in high density related areas." The turbine building (11-01) is not a safety-related area. An exposure fire evaluation in fire compartment 11-01 determined there is no effect on the ability to meet the NSPC and maintain the safety margins and defense-in-depth.
However, this will be addressed in the revised LAR approval request as discussed in the response below. The use of solid-bottom cable trays is identified within Approval Request 2 as one of the factors supporting the Safety Margin and Defense-in-Depth (DID) section. The cable trays protected on three sides without ceramic fiber on top strengthens DID echelons 2 and 3 by delaying the time of ignition of the electrical cables in the tray and allowing time for manual fire suppression response.
Approval Request 2 will be revised to note that there are some solid-bottom cable trays that also have a layer of ceramic fiber on top which provides additional defense-in-depth to prevent fire propagation between cable trays. The effectiveness of electrical cable tray solid metal bottom covers only as a barrier was demonstrated in a series of cable tray fires performed by Sandia National Labs and discussed in NUREG/CR-5384, Section 3.4.5. The test results regarding tray barriers, including solid tray bottom covers, are also summarized in NUREG/CR-6850 Section 11.5.1.7.3, Step 7.a.3, NUREG/CR-6850 Appendix Q, Section Q.2.2, and NUREG/CR-0381 Tables V and VI.
* NUREG/CR-6850 Section 11.5.1.7.3 states: Passive fire protection features that might prevent ignition of secondary combustible elements or limit flame propagation should be documented.
Examples are fire breaks (e.g., spatial separation or a fire barrier installed within open raceways), solid-bottom trays or tray bottoms, tray covers, mastic coatings, and fire wraps.
* NUREG/CR-6850 Appendix Q, Section Q.2.2 states: The barrier test findings are as follows. Propagation of the fire to the second tray was prevented in each case. That is, each barrier prevented ignition of a cable tray [located above] when exposed to a cable tray fire in a lower tray.... For application to the Fire PRA [probabilistic risk analysis], the barrier test findings are considered most appropriate to exposure fires with smaller heat release rates and to cable trays in a stack threatened by fires in lower trays. In these cases, each barrier prevents cable tray ignition until well after the fire brigade reaches the scene....
* NUREG/CR-0381 Table V, Results of Full Scale Single-Tray Tests for Test #23 (solid bottom tray with PVC [polyvinyl chloride] insulated cables and no top cover or coating), shows a time to ignition of 10 minutes.
* NUREG/CR-0381 Table VI, Results of Full Scale Two-Tray Tests for Test #34 (solid bottom tray with PVC insulated cables and no top cover or coating), shows that ignition of the lower tray did not occur until after 20 minutes and that fire did not propagate to the top tray.

As noted in LAR Table 4-3, electrical cable tray systems in many areas of the plant are protected on three sides by metal covers and on top by ceramic fiber (Kaowool), except in fire compartment 11-01 (non-safety turbine building) where cable tray systems are only protected on three sides by metal covers (no ceramic fiber top cover). After further review of LAR Table 4-3, it has been identified that there is also one other fire compartment (portions of V-01, spent fuel pool area) in which credited "cable tray systems" are only protected on three sides by metal covers (no ceramic fiber top cover). The R* abbreviation at the end of LAR Table 4-3 is hereby updated to note that portions of fire compartment V-01 (spent fuel pool area) do not include the ceramic fiber on top of the cable tray systems.

The Sandia testing demonstrated that having a cable tray barrier consisting of only a solid metal bottom cover is effective in delaying ignition of the exposed cable tray above. The electrical cable tray protective configuration and the type of cable construction are design inputs within the detailed fire modeling performed for the fire PRA. Based on the effectiveness of only solid metal bottom tray covers as demonstrated in testing, the limited quantity of thermoplastic cable material, and results of the fire compartment detailed fire modeling analysis, an exposure fire in fire compartments 11-01 and V-01 will not affect the ability to meet the NFPA 805 Section 1.5.1 NSPC and will maintain the safety margins and defense-in-depth, as described in Approval Request 2. A revision to the LAR Attachment L will be provided in a future transmittal.
FPE RAI 08.01

NFPA 805, Section 3.3.7.2, requires outdoor high-pressure flammable gas storage containers to be located so that the long axis is not pointed at buildings. The requirement is to address the potential for the storage tanks "rocketing" and acting as missiles, rather than exposure fire hazards. In LAR Attachment A 1 (p. 46), the licensee stated that the hydrogen and propane storage tanks are oriented with the long axis toward buildings. The licensee stated in the LAR and in response to FPE RAI 08 (December 16, 2016) that it complies with NFPA 805, Section 3.3.7.2, using an existing engineering equivalency evaluation. The licensee's response to FPE RAI 08 indicates that the bases for compliance relies on exceeding safe distance criteria in specified NFPA standards. However, the criteria in the specified NFPA standards are associated with protection from radiant heat based on the storage volume, and do not account for potential missiles generated by the storage tanks. Address the potential for missiles generated by the hydrogen and propane storage tanks by:
: a. Submitting a performance-based method for NRC approval in accordance with 10 CFR 50.48(c)(2)(vii), include the information described in RG 1.205, Section 2.2.2; or
: b. Demonstrating that the location of the storage tanks relative to the nearest exposed equipment and/or buildings located along the long axis of the tanks is a minimal risk; or
: c. Demonstrating compliance with NFPA 805, Section 3.3.7, based on the location of the storage tanks relative to the nearest exposed equipment and/or buildings located along the long axis of the tanks.

Response:
Compliance with NFPA 805, Section 3.3.7 is discussed as follows: NFPA 805 Section 3.3.7.2 states the following: Outdoor high-pressure flammable gas storage containers shall be located so that the long axis is not pointed at buildings.
The long axis end of a horizontal storage container is structurally the weaker point of a cylinder's design; therefore, if it were to potentially rupture it would be most likely to propel material along the length of the axis. The NFPA codes (30, 55 [which superseded 50A], and 58) inherently recognize this and recommend safe distances from structures and property lines based on consideration of this along with other factors. FENOC has determined that a fire or potential storage container rupture will not result in penetration of an adjacent wall based on a consideration of factors such as: separation distance, building construction and other physical obstacles, storage container size and pressure, relief devices, and tank anchorage.
An existing engineering equivalency evaluation (EEEE) demonstrated using deterministic methods that both the portable hydrogen containers secured on the specifically designed Department of Transportation trailer and the location of the permanently mounted propane tanks maintain a conservative safe distance as recommended for hydrogen in NFPA 50A and for propane in NFPA 58 as follows:
* Hydrogen trailer: NFPA 50A-1973, Table 2 or NFPA 55-2010, Table 10.3.2.2.1(a) requires a safe distance to the nearest structure of 25 feet. The closest end of the hydrogen trailer to the auxiliary and turbine buildings is approximately 239 feet. This exceeds the minimum safe distance by a multiple of approximately nine times.
* Propane tanks: NFPA 58-2004, Table 6.3.1 requires a safe distance to the nearest structure of 10 feet. The closest end of the propane tank to the turbine building is 43 feet. This exceeds the minimum safe distance by a multiple of approximately four times.

Exceeding the minimum distances required by NFPA 55 and NFPA 58 by factors of nine and four, respectively, results in a conclusion that any nearby structures would be safe from an exposure fire or missiles projected due to a tank rupture. In addition, the EEEE addresses several other considerations contributing to the conclusion that the location of the storage tanks relative to the nearest exposed PRA fire compartment and equipment is a minimal risk for radiant heat exposure and for missiles.
Those considerations include:
* The tanks are securely mounted to steel bulkheads or to concrete, thereby reasonably precluding the tanks from becoming a missile,
* The tanks have pressure relief devices that reasonably preclude the tanks from overpressurization and becoming potential missiles,
* Surfaces of the nearest exposed structures are of concrete and steel construction, and
* The hydrogen tanks have additional obstacles between the tanks and building that would absorb potential missile damage.

The EEEE analysis concluded that the separation distances of the hydrogen and propane tanks exceeded the safe distance requirements of NFPA 55 and NFPA 58, in addition to other physical factors that safeguard the nearest exposed equipment and fire compartments located along the long axis. The EEEE demonstrated "functional equivalency" to NFPA 805 section 3.3.7.2 for both the hydrogen and propane storage.

FPE RAI 10

In the December 16, 2016, and January 17, 2017, letters, the licensee indicated in several RAI responses that it will perform additional engineering equivalency evaluations and may need to make additional plant modifications.
In addition, the licensee identified it will provide revisions to several LAR attachments in the future. Provide the additional changes to the LAR, including changes related to the additional engineering equivalency evaluations and plant modifications.
Response:
Engineering Equivalency Evaluations (EEEEs)

In support of the NFPA 805 project, several LAR Attachment S items were identified regarding revision or development of EEEEs. One item required revision of some of the existing fire barrier EEEEs and several other items required previous code compliance evaluations to be updated and developed into EEEEs. The transitioning fire barrier EEEEs, as identified in LAR Attachment S, Table S-2 Item DB-1825, have all been reviewed and are being enhanced for format and an increased level of supporting detail. The fire barrier EEEEs fulfill the NFPA 805 Section 3.11 requirements for transition and their results (conclusions) remain valid; therefore, no plant modifications are foreseen as the EEEEs are revised. The table below lists the code compliance reviews that are being updated and converted into NFPA code comparison EEEEs for items that were not identified as complies.
The table identifies the NFPA code, the subject matter of the code review, the related NFPA 805 section, the associated LAR Attachment S (Att. S) item, which previously identified the need to prepare a separate EEEE NFPA code comparison evaluation, and identifies the status or summary of recommendations to resolve the non-compliances.

 NFPA Code   Subject                  NFPA 805 Section   LAR Att. S Item   Identified Non-Compliance
 10          Fire Extinguishers       3.7                DB-2054           In progress, expected in July 2017
 13          Fire Sprinkler Systems   3.9                DB-2056           In progress, expected in July 2017
 15          Fire Deluge Systems      3.9                DB-2056           None
 20          Fire Pumps               3.5.3              DB-2053           None
 72E         Fire Detectors           3.8.2              DB-2055           None
 80          Fire Doors               3.11.3             DB-2057           None
 90A         Fire Dampers             3.11/3             DB-2057           In progress, expected in July 2017

The NFPA code EEEEs have been drafted and are in the process of being finalized.
A few instances of minor code non-compliance have been identified, and they are being reviewed for resolution through either administrative changes or physical plant modification.
Any modifications required as a result of the NFPA code comparison EEEEs are expected to be known by July 2017, and will be submitted to the NRC as an updated LAR Attachment S.

LAR Attachment Revisions

Updated LAR Attachments are expected to be provided by August 2017.

Safe Shutdown Analysis (SSA) RAI 03.01

Section 3.5.1.1 of the Nuclear Energy Institute (NEI) document NEI 00-01, "Guidance for Post-Fire Safe Shutdown Circuit Analysis," Revision 2, (ADAMS Accession No. ML091770265), states that for ungrounded direct-current circuits, a single hot short from the same source is assumed to occur unless it can be demonstrated that the occurrence of a same-source short is not affected in the fire area. NEI 00-01 further states that multiple shorts-to-ground are to be evaluated for their impact on ungrounded circuits.
In LAR Attachment B, the licensee stated that it "aligns with intent" of NEI 00-01, Section 3.5.1.1. In response to SSA RAI 03 (December 16, 2016), the licensee stated that the methodology for evaluation ungrounded direct-current circuits (described in the LAR) was used for compliance with the 10 CFR 50 Appendix R regulations, and the methodology meets the intent of the guidance in NEI 00-01. However, the licensee further stated that the Appendix R resolution categories described in its RAI response will not be transitioned to the NFPA 805 licensing basis. Provide the alignment basis and explanation for NEI 00-01, Section 3.5.1.1, for the NFPA 805 program.

Response:
The response to SSA RAI 03 provided several examples where the Fire Hazards Analysis Report (FHAR) dispositioned certain cable damage failures by assessing the credibility of the required number of shorts. The response included the following conclusion:
Therefore, this methodology aligns with the intent of the guidance in NEI 00-01 with respect to circuit failures for ungrounded direct-current circuits.
These resolution categories will not be transitioned to the NFPA 805 licensing basis. When the component is required to maintain long term safe and stable conditions at hot standby, but had cable damage, a VFDR was assigned and a fire risk evaluation was performed.
The following supplemental information is provided:
The FHAR methodology for resolving circuit failures for ungrounded direct-current circuits based on the number of required shorts was not credited for NFPA 805 transition.
To support the new licensing basis for these circuits under NFPA 805, the nuclear safety capability assessment (NSCA) assigned a VFDR to the analysis failures of these ungrounded direct-current circuits.
The VFDR was then dispositioned during the performance of the fire risk evaluation (FRE) process, by using risk insights to evaluate the circuit failure consequence.
This methodology aligns with the intent of NEI 00-01, Rev. 2, Section 3.5.1.1.

SSA RAI 07.01

In LAR Table G-1, "Davis-Besse Recovery Actions [RAs] and Activities Occurring at the Primary Control Station(s)," the licensee identified three RAs associated with VFDRs that involve the loss of reactor coolant pump (RCP) seal cooling via the seal injection flow path. The licensee stated that within 8 hours, the RAs will involve either manually aligning seal injection flow to all the RCP seals, manually align component cooling water to the RCP thermal barrier or cooling down the reactor coolant system (RCS) to place the plant between 280 degrees Fahrenheit (°F) and 350 °F. The first two options re-establish RCP seal cooling to prevent a loss-of-coolant accident through the seal. In response to SSA RAI 07 (December 16, 2016), the licensee stated:

Based on manufacturer testing, the elastomer components of the N-9000 [RCP] seals should not experience any significant failure for short periods of time (24 hours or less), even if RCS temperature remains high without seal cooling. Therefore, operator activities to cool down the plant to an RCS temperature between 280 °F and 350 °F are not required to maintain safe and stable conditions.

The licensee further explained that the three RAs associated with maintaining seal cooling are considered defense-in-depth RAs. Based on the assumption that the seals would not fail under 24 hours, it is not clear if failures of the RCP N-9000 shutdown seals are modeled in the probabilistic risk assessments (PRAs).
: a. Specify whether or not the failure of the RCP shutdown seals was modeled in the fire and internal events PRAs, and identify the NRC-approved guidance that was used as the basis for that modeling.
Response:
DBNPS utilizes Byron Jackson RCPs with 3-stage N-9000 RCP seals. No shutdown seals are installed.
The NRC approved the seal model outlined in WCAP-16175-P, "Model for Failure of RCP Seals given Loss of Seal Cooling in CE NSSS Plants." However, the report develops seal models specific to the Combustion Engineering (CE) designed plants. The design used by Babcock & Wilcox for DBNPS is slightly different than the CE design and there has been no explicit endorsement of a seal model for the DBNPS design. The major difference in the designs is that the DBNPS RCPs do not utilize the 4th (vapor) stage, and seal injection is provided to the seals from the makeup system in addition to seal cooling by the component cooling water (CCW) system.

Failure of the RCP N-9000 seals is modeled in the PRA. The model is a slightly modified version of the seal LOCA model submitted in the DBNPS individual plant examination (IPE) submittal (ML073600839), which was accepted by the NRC at that time. A description of the model and the modifications made to it since the IPE are included in the response to SSA RAI 07.01.b below. While the seal model was initially developed prior to the development and NRC acceptance of WCAP-16175-P, aspects of the model are consistent with the guidance contained therein, as indicated in the response to SSA RAI 07.01.b below. Note that FENOC did not participate in the development of WCAP-16175-P, and has not purchased rights to the completed report, so comparisons are made to information from the non-proprietary version of WCAP-16175-NP-A.

SSA RAI 07.01
: b. If the modeling was not based on NRC-approved guidance, describe and justify the modeling of the failure of the RCP shutdown seals in the fire and internal events PRAs. Alternatively, confirm that updated modeling using NRC-approved guidance will be included in the integrated analysis provided in response to PRA RAI 03 (see NRC letter dated October 18, 2016).

Response:
RCP seal failure modeling is relatively simple compared to treatments for some other types of RCPs. It was assumed in the IPE that significant leakage through the seals would result if the RCPs continued to operate for an extended period under either of the following conditions:
* Loss of seal return (due to inadvertent closure of the seal return isolation valve), or
* Loss of cooling of the pump's thermal barrier heat exchanger by the CCW system and loss of seal injection from the makeup system.

In either case, failure to trip the RCPs in a timely fashion was assumed in the IPE to lead to a leakage rate of approximately 50 gallons per minute (gpm) per pump. This would require the failure of the seals on two RCPs to reach leakage above the criterion for a small LOCA (defined as a leak in excess of the normal capacity of the makeup system (approximately 100 gpm), but too small to remove full decay heat). The assumption was later revised to conservatively consider the failure of any one RCP seal package to meet small LOCA criterion, which is the assumption used in the current modeling.

The model assumes an RCP seal LOCA occurs if the RCPs are not tripped within 30 minutes of a loss of seal return. A 30 minute loss of seal return test performed on a seal that had already undergone 5000 hours of qualification testing showed no noticeable change in the seal components from conditions found prior to running the loss of seal return test. Therefore, the 30 minute requirement in the PRA to trip the RCPs is conservative. The time available to trip the RCPs after a loss of seal cooling and injection has been expanded from the 10 minutes assumed by the IPE to 30 minutes in the current PRA model. The 30 minute timing for allowable operation without seal cooling is consistent with statements made in WCAP-1675-NP-A, Rev. 0, which indicate seal performance remains acceptable for 30 minutes following a loss of seal cooling. The CCW system is also used to cool the makeup pumps, which may only be run for 60 minutes without cooling. A RCP seal LOCA is conservatively assumed if the RCPs are not tripped within 70 minutes of a loss of all CCW, since loss of the makeup pumps will fail seal injection.
The RCP seal LOCA model assumes no seal failures occur if the RCPs are tripped within the time constraints listed above. This is based on a Byron Jackson N-9000 test, which subjected an aged N-9000 seal to station blackout conditions for eight hours. The seal performed essentially as expected during the test, and test data did not indicate any developing trends that would denote impending catastrophic failure. While the WCAP-1675-NP-A report does postulate failures of the N-9000 seals after successfully tripping the RCPs on loss of seal cooling, failure probabilities and the fault tree models are redacted from the report. However, Section 11.0 of the report concludes that "RCP seal failure probability is negligible for CE PWRs with the improved RCP seal designs." It is therefore reasonable to conclude that the probability of mechanical failure of the seals after successfully tripping the RCPs upon loss of seal cooling is less than the probability that operators fail to trip the RCPs in time to protect the seals. Since the human failure event is likely to dominate RCP seal failure sequences, the current RCP seal failure model is judged to sufficiently model the probability of RCP seal failure.

SSA RAI 09.01

NFPA 805, Section 4.2.4, requires that when the use of RAs results in the use of a performance-based approach, the additional risk presented by their use be evaluated.
In LAR Table B-3, the licensee indicates that fire compartment 11-01 includes VFDR DB-1923, which is for the loss of automatic and timely control room trip capability of the main turbine. The disposition of this VFDR stated "it was determined that the risk, safety margin, and defense in depth meet the acceptance criteria of NFPA 805 Section 4.2.4 with a recovery action credited." However, in response to SSA RAI 09 (December 16, 2016), the licensee stated that the actions required for the VFDR in 11-01 are taken in the main control room and, therefore, are not RAs. Provide a corrected disposition for VFDR DB-1923 in fire area 11-01, given that there is no RA to be credited.
Response:
A review of the analytical documents supporting resolution of DB-1923 has confirmed that the operator actions required can be fulfilled in the main control room. The last four words of the LAR, Attachment C disposition for DB-1923 is hereby changed to read " ... no further action required."
LAR, Attachment G has been reviewed to confirm that DB-1923 is not associated with fire area 11-01. In addition, Attachment G is hereby revised to remove the association of DB-1923 from fire compartments CC-01, DF-01, 11-04, and U-01, as the review of the analytical documents described above determined that the same operator action from the main control room can be accomplished from all five fire compartments associated with DB-1923.

SSA RAI 10.01

NFPA 805, Section 4.2.1, requires that one success path necessary to achieve and maintain the NSPC be maintained free of fire damage by a single fire. In LAR Attachment C, for all fire compartments, the licensee referenced VFDR DB-2012, which states: Fire damage to installed makeup pumps could result in loss of ability to maintain RCS Inventory and Pressure. This could challenge the NSPC for Inventory and Pressure.
This is a separation issue. The LAR states that this VFDR will be corrected by plant modification ECP 13-0463, which installed additional RCS charging pumps, connections, and associated auxiliaries. The LAR further indicates that these modifications are associated with the development of diverse and flexible coping strategies (FLEX). In response to SSA RAI 10.b (December 16, 2016), the licensee stated (emphasis added): In every deterministic case, the function for make-up or for high pressure injection (HPI) remains available, and the NSPC are met without VFDR DB-2012. As a result, VFDR DB-2012 has been closed. Therefore, no recovery actions are credited to resolve this concern. For the fire compartments where non-deterministic methods were used to evaluate separation for makeup or high-pressure injection, clarify if the FLEX RCS makeup pumps and RAs will be needed to meet the risk criteria, maintain defense-in-depth, and maintain safety margin.

Response:
Where non-deterministic methods evaluated separation for makeup or high-pressure injection, VFDRs were identified and dispositioned in the applicable fire risk evaluations.
The plant modification ECP 13-0463 was tracked by DB-1983, which installed FLEX RCS makeup pumps as an overall plant design modification that is not credited to meet any NSPC.
The fire PRA model and the fire risk evaluations credit the FLEX modifications for risk offset as discussed in Regulatory Guide 1.205, Revision 1, Regulatory Position C.2.2.4.1:
Note that the acceptance guidelines of Regulatory Guide 1.174 may require the total CDF, LERF, or both, to evaluate changes where the risk impact exceeds specific guidelines.
If there are additional VFDRs associated with that fire area (e.g., equipment or cables that do not meet the requirements; recovery actions that were not previously approved by the NRC), then those VFDRs would either have to be brought into deterministic compliance, or any additional risk associated with those VFDRs would have to be offset by an equal or greater reduction in risk for that fire area.
Any actions necessary to use the FLEX equipment would be considered other actions that do not involve the success path. As such, Regulatory Guide 1.205, Revision 1, Regulatory Position C.2.4 indicates:
NFPA 805, Section 4.2.3.1, identifies recovery actions for which the additional risk must be evaluated, as required by NFPA 805, Section 4.2.4. These "success path" recovery actions are operator actions that, if not successful, would lead to the fire-induced failure of the "one success path of required cables and equipment to achieve and maintain the nuclear safety performance criteria." Other operator actions that do not involve the success path may be credited in plant procedures or the fire PRA to overcome a combination of fire-induced and random failures may also be recovery actions, but licensees do not need to evaluate the additional risk of their use.
As a modification credited in the fire PRA for risk reduction, operation of the FLEX equipment is incorporated into the human reliability analysis (HRA) for the fire PRA. A feasibility study was completed based on NUREG-1921 guidance on all FLEX-related operator actions and was found to be satisfactory.
Modeling was done for FLEX-related human failure events (HFEs) that are performed within one hour, using NUREG-1921 guidance, and it was determined to be an acceptable modeling approach.
For HFEs performed after one hour, the internal events human error probability was used without alteration.
The feasibility study also established timelines for operator actions that implement the FLEX actions, and indicated an adequate margin for inclusion into the fire PRA model. FLEX RCS makeup pumps are credited for risk offset. Actions expected to place the pumps in service are not recovery actions because they are not credited for the one success path that is deterministically evaluated on a fire area by fire area basis. These other operator actions that do not involve the success path have been evaluated for feasibility, as explained above, and therefore meet the risk, defense-in-depth and safety margin criteria for NFPA 805.
Probabilistic Risk Assessment (PRA) RAI 02.01
In response to PRA RAI 02.e.v (January 17, 2017), the licensee stated that the NRC's 2010 updated component unreliability dataset for permanently installed equipment will be used for the FLEX equipment failure rates as part of the integrated analysis to be provided in response to PRA RAI 03 (see NRC letter dated October 18, 2016). However, the performance of FLEX equipment may be different from permanently installed equipment with fixed power supplies and fixed suction and discharge lines which could result in higher failure rates than for permanently installed equipment.
a. Justify the use of failure rates based on permanently installed equipment for each individual piece of FLEX equipment.
Discuss the sensitivity of the risk results to the failure rates used for FLEX equipment.
For example, provide the results of a sensitivity study that shows the impact on total risk and change-in-risk of using bounding failure rates for FLEX equipment and compare these values to the total risk and change-in-risk values when the failure rates for matching permanently installed equipment are used.
Response:
The NRC's 2015 updated component unreliability dataset was released in December 2016, and FENOC is considering performing a data update for all generic priors for PRA failure data to the 2015 data. This would also include using the 2015 data for the FLEX equipment.
If the data update is complete prior to beginning the response to PRA RAI 03, the updated data will be used in that response.
However, the discussion below is applicable regardless of whether the 2010 or 2015 dataset is used in the PRA RAI 03 response.
The NRC's updated component unreliability dataset for permanently-installed equipment was used for all FLEX equipment because datasets specific to FLEX equipment are not currently available.
Research sponsored by the Electric Power Research Institute (EPRI) is underway, and is expected to release an unreliability dataset for FLEX equipment by the end of 2017. At that time, it will be possible to utilize the EPRI data in failure rate estimation for the FLEX equipment.
In addition, in the normal course of performing periodic PRA updates, plant experience is collected and used to perform Bayesian updates using generic sources as priors. Therefore, failure rates will reflect actual plant experience in the future. Until other data becomes available, use of the NRC updated component unreliability dataset for permanently-installed equipment can be justified for FLEX equipment as follows:
Emergency Feedwater:
The diesel driven emergency feedwater (EFW) pump (P310) is permanently-installed equipment with fixed power supplies and fixed suction and discharge lines. It is included in the station's Maintenance Rule program and is maintained in the same manner as any risk-significant plant component.
As such, the NRC updated component unreliability dataset is directly applicable to this equipment, and no sensitivity studies on the failure rate are necessary.
The alternate low pressure EFW pump (FX-P1 P) is a trailer mounted, self-priming, diesel-driven pump. It is a self-contained unit in that the pump is permanently connected to the diesel engine and has its own battery for electrical support. The unit also contains a 250-gallon fuel tank. The trailer is stored indoors, is secured to the floor of the EFW facility, and does not need to be moved to be placed in service. Therefore, the only essential difference between this pump and a permanently installed driven pump is the non-permanent connections of the suction and discharge hoses. Any increase in failure rate would have to be due to failures of the temporary hoses used to connect the pump to the EFW system. Since the hoses are rated for this application and are inspected annually, which is more frequent than installed piping is typically inspected, it would not be expected that their failure rates would be significantly different from that of installed piping. There is the possibility that, when placing the pumps in service, the hoses may be improperly connected to the equipment, but this is accounted for in the HRA, and need not be included in the equipment failure rate itself. Since the pump must be started locally and has no interlocks with other plant systems, its control circuitry is simpler than many permanently installed pumps. Having fewer components, the simpler circuitry would tend to be less prone to failure than more complicated circuits, which would tend to drive the failure rate of the pump lower.
FLEX RCS Charging Pumps:
The FLEX RCS charging pumps (P296-1 and P296-2) are permanently-mounted positive displacement pumps with electric motor drivers. They are mounted in the auxiliary building in an environment similar to that of any other modeled pump. The commercially available pumps and motors themselves would not be expected to have a failure rate different from any other commercially available positive displacement pump and motor combination.
Any increase in failure rate would have to be due to failures of the temporary cabling or hoses used to connect the pumps and motors to plant systems. Since the cables and hoses are rated for this application and are inspected annually, which is more frequent than installed cables or piping are typically inspected, it would not be expected that their failure rates would be significantly different from that of installed cabling or piping. There is the possibility that, when placing the pumps in service, the cables or hoses may be improperly connected to the equipment, but this is accounted for in the HRA, and need not be included in the equipment failure rate itself. Since the pumps must be started locally and have no interlocks with other plant systems, the control circuitry is simpler than many permanently installed pumps.
Having fewer components, the simpler circuitry would tend to be less prone to failure than more complicated circuits, which would tend to drive the failure rate of the pumps lower.
FLEX Turbine Marine 480 Volt (V) Generators:
The FLEX turbine marine 480 V generators (FX-K1 P and FX-K1A) are trailer-mounted, diesel-fueled, combustion turbine generators.
Both generators are designed to be used outdoors in adverse weather conditions, but both are stored indoors in climate controlled spaces. FX-K1 P is stored in the EFW facility, and does not need to be relocated to be put in service. FX-K1A does need to be relocated, but during a fire scenario, six hours is available to do so, and there would be no obstructions in the travel path. However, the need to relocate and properly deploy FX-K1A is assessed in the HRA and does not impact the failure rate of the equipment itself. Both generators need to be connected to the diesel fuel tank in the EFW facility or a portable fuel tank, but are otherwise self-contained units. There is no essential difference between these generators and permanently-installed generators except for the fuel connections and the temporary power cables that connect the generator to the EFW facility electrical bus. Since the cables and hoses are rated for this application and are inspected annually, which is more frequent than installed cables or piping are typically inspected, it would not be expected that their failure rates would be significantly different from that of installed cabling or piping. There is the possibility that, when placing a generator in service, the cables or fuel hose may be improperly connected to the equipment, but this is accounted for in the HRA, and need not be included in the equipment failure rate itself. Since the generators must be started locally and have no interlocks with other plant systems, the control circuitry is simpler than many permanently installed generators.
Having fewer components, the simpler circuitry would tend to be less prone to failure than more complicated circuits, which would tend to drive the failure rate of the generators lower.
Test & Maintenance:
With the exception of the EFW pump (P310), the FLEX equipment is tested and maintained in accordance with the FLEX program for DBNPS. The program is based on industry guidance developed specifically for FLEX equipment, which recognizes the different needs of portable standby equipment to maintain equipment reliability.
As noted above, P310 is monitored and maintained per the Maintenance Rule program.
Sensitivity Studies:
To show the sensitivity of results to the failure rates of the FLEX equipment that is not permanently connected to plant systems (FX-P1 P, FX-K1 P, FX-K1A, P296-1, and P296-2), a sensitivity study will be performed as part of the PRA RAI 03 response.
The study will show the impact on risk and change in risk of using the 5th and 95th percentile failure rates from the NRC's updated component unreliability dataset for permanently installed equipment.
As noted above, the 2010 or 2015 data will be used, dependent on the status of the overall data update effort. The dataset used will be noted in the PRA RAI 03 response.
No sensitivity study will be performed on the EFW pump (P310), since it is permanently installed and connected, and the NRC's updated component unreliability dataset for permanently installed equipment is directly applicable.
PRA RAI 02.01
b. Alternatively, provide and justify bounding failure rates for FLEX equipment, and confirm that these bounding failure rates will be used in the integrated analysis provided in response to PRA RAI 03 (see NRC letter dated October 18, 2016).
Response:
Failure rates have been justified above, and therefore, this question is not applicable.
PRA RAI 11.01
In response to PRA RAI 11 (January 17, 2017), the licensee stated that main control room (MCR) abandonment scenarios due to loss of habitability were modeled for the post-transition plant using a simplified fault tree in combination with the fire scenario initiators that lead to these scenarios.
The licensee stated in response to PRA RAI 11.a that "[t]he actions required for successful alternate shutdown are modeled as a single Human Failure Event (HFE) in the simplified fault tree." The response also indicates that the simplified fault tree accounts for fire-induced failures, but this is not described and the fault tree is not provided.
Accordingly, it is not clear what events are included in the simplified fault tree model (besides the single HFE) and why a separated simplified model is adequate for this application.
Given that differences in fire damage can lead to the need for different operator response actions, it is not clear how the RAs for alternate shutdown can be modeled as a single HFE.
a. Describe the basic events that comprise the simplified fault tree for MCR abandonment scenarios due to loss of habitability.
Justify that this model is adequate for determining the fire contribution from these scenarios.
Describe the hardware failures included in the simplified fault tree, and justify any exclusion of cable or equipment failures that are included in the detailed fire PRA model. Also, discuss how the impacts of fire damage are accounted for in the model.
Response:
The following discussion relates to the portion of the fault tree that models actions after the criteria for control room abandonment are met. Thus, actions that would be taken prior to that point are modeled elsewhere, and are not addressed here. Since the serious fire procedures revisions for the NFPA 805 transition are not yet complete, the fault tree described below represents the current draft procedures, and details of the modeling are subject to change. However, the overall modeling philosophy is not expected to significantly change, and any significant changes will be noted in the response to PRA RAI 03.
The control room abandonment fault tree considers failure of human actions to abandon the control room, RCS integrity, feedwater availability, and power to the auxiliary shutdown panel (ASP). Failure of any of these aspects is considered to be failure of abandonment leading to core damage. The tree can be described as follows:
The first aspect of the fault tree determines if operators successfully perform the human actions necessary to abandon the control room. Per the current control room abandonment procedure, the same actions are taken regardless of the reason for abandoning the control room or the specific state of the plant. The simplified logic considers failure of any of the required actions as leading to core damage.
The second aspect of the fault tree determines if RCS integrity is maintained.
Due to difficulties in determining emergency sump and borated storage water tank level from the ASP, it is conservatively assumed that recirculation from the emergency sump is not possible from the ASP. Thus, if RCS integrity is not maintained during control room abandonment scenarios, core damage is assumed. RCP seal LOCAs are not modeled in the abandonment fault tree. Tripping the RCPs prevents RCP seal LOCAs, so tripping the RCPs is considered a required action for the control room abandonment HFE. Since a loss of main feedwater is assumed in every fire scenario, it is assumed the power operated relief valve (PORV) or pressurizer safety valves will open to relieve steam during the plant trip. Therefore, failure of those valves to close is considered in the abandonment tree, along with the possibility that the block valve will fail to close to prevent mitigation of a stuck open PORV. The logic also includes fire-induced spurious opening of the PORV. Recovery of the PORV block valve is allowed if its cables are damaged in a control room or spread room fire, and the control room is abandoned.
This action has been evaluated for Information Notice (IN) 92-18 concerns (the potential exists for a fire to affect the circuitry of motor operated valves such that the valve could be driven hard into its seat because a fire has affected the wiring and made the torque switch ineffective).
Fires that impact the PORV block valve cabling in the control room or cable spread room cannot bypass the valve's limit switch and drive the valve into its seat, and actions taken during control room abandonment isolate the impacted cables from the control circuit, and close the valve. These actions are considered key actions in the control room abandonment HFE, and failure of any of them is considered to lead to core damage. In addition, the control room abandonment procedure removes power from the PORV solenoid, which is credited to close the PORV if it receives a spurious high pressure signal. However, this action is not credited to close the PORV if its cabling is impacted by a fire, since the hot short itself is considered to supply the power to keep the valve open. Regardless, the action to remove power from the PORV is considered a key action and core damage is assumed if it is not performed.
In addition to the human actions credited to mitigate a fire opened PORV, it has been decided to credit a DC hot short duration factor for PORV hot shorts per NUREG-7150 guidance.
Since this was decided after the fire model peer review, FENOC acknowledges it represents a new methodology that has not been peer reviewed.
Therefore, a focused scope peer review of the method will be performed prior to implementation.
Actions for preserving RCS inventory by isolating RCP seal return and the letdown flowpath are also included in the abandonment HFE.
The third aspect of the fault tree considers if feedwater is available to the steam generators.
Only feedwater to steam generator 1 (SG 1) from the auxiliary feedwater system (AFW) train 1 or the EFW is considered for success. If feedwater from both of those sources fails, core damage is assumed. The abandonment fault tree uses logic based on the logic gates used by the internal events model to determine AFW train 1 to SG1 and EFW failure. For the AFW train 1 model, some gates were excluded since they would not apply in an abandonment scenario.
The removed gates represent failure of logic signals that reposition valves or start the AFW pumps. Human actions taken during abandonment will properly align the needed valves and start AFW pump 1. Failures of valves due to random failures of the valve itself are retained in the logic, since some portion of the failure rate is due to mechanical binding that could not be resolved by manual movement of the valve. Motor operated valve (MOV) MS 106, which is the steam isolation valve from SG1 to AFW train 1, has been evaluated for IN 92-18 concerns and is recoverable by manual actions if its cables are impacted by a control room or cable spread room fire. Any other MOV that has control cables impacted by the fire has those failures retained in the simplified logic, and is conservatively not credited for manual operation.
Fire-induced failures to start or run of AFW pump 1 are removed from the logic, since local manual actions will start and control the pump. Random failures to start and run are retained in the logic, however. Finally, loss of AFW due to steam generator overfill is also removed from the simplified logic, since the manual actions taken during abandonment will prevent the issue, and failure of those actions is assumed to result in core damage by the abandonment HFE. The remaining logic from the AFW train 1 internal events model is retained.
For the EFW logic, the full logic from the internal events model is used, with the following exceptions:
The human action event to start the pump from the control room is replaced by one representing travelling to the EFW facility and starting and controlling the pump locally. Fire-induced failures of the EFW pump and flow control valve are removed from the logic. This is because the logic is only used for control room abandonment scenarios and the control room will only be abandoned for fires in the control room itself, or in the cable spreading room. Local operation and control of the EFW pump will bypass any damage caused in the control room or spread room. The remainder of the logic is retained, including fire impacts to AF608, which can still prevent feeding SG1 from EFW through the AFW line. If the EFW pump fails to run, credit is taken for deploying and starting the portable FLEX low pressure feedwater pump. However, the human action to do so is not included in the abandonment HFE. Since this action is only credited if the EFW pump ran for at least one hour, initial abandonment would have been successful.
The HFE for the portable FLEX pump is included in the EFW fault tree.
Finally, the fault tree considers if power is available to the ASP. It is assumed that if power is not available from 120 V essential distribution panel Y1, then control from the ASP is not possible and core damage results. The same logic used by the internal events and fire PRA models is used in the abandonment tree to determine failure of power from Y1. However, some alterations to the base PRA model were made to support abandonment modeling.
The alterations consisted of placing direct fire impacts to emergency diesel generator 1, 4160 V bus C1, CCW pumps 1 and 3, and service water (SW) pumps 1 and 3 under AND gates with flag events to identify the fire-induced failure in the cutsets. During post-processing of the cutsets, those flags are replaced by the control room abandonment HFE if the control room abandonment flag is also present in the cutset. Similarly, spurious operation events for certain breakers are also replaced by the abandonment HFE during post-processing of the cutsets. This represents isolating the components from the control room and cable spread room, and restarting the components or resetting the breakers in the proper alignment as directed by the abandonment procedure.
Also, the HFEs for starting the spare CCW or backup SW pump are conservatively failed for all fires in the control room or cable spread room. This was done to simplify modeling, and is conservative, since those actions could be performed in some non-abandonment fire scenarios in the cable spread room or control room. Thus, only the sequence top logic is simplified.
Assumptions are made that a loss of feedwater, loss of RCS integrity, loss of power to the ASP, or failure of one of the abandonment human actions lead directly to core damage. The fault tree logic used to determine loss of feedwater or loss of RCS integrity utilizes the full applicable PRA system logic and detailed fire modeling.
PRA RAI 11.01
b. Justify how failure of operator actions required for alternate shutdown can be modeled as a single HFE for MCR abandonment scenarios due to loss of habitability, even though differences in fire impact may require different response actions.
Response:
The current control room abandonment procedure at DBNPS follows the same actions regardless of the reason for abandoning the control room or the actual state of the plant at the time. The purpose of the procedure is to place the plant in a known state to reduce the impact of the fire and minimize need for diagnostic decision making. The required actions are separated into different attachments, which are performed independently by separate operators.
The reactor coolant pumps are tripped, the PORV block valve is closed, and the makeup pumps are tripped. The train 2 power system is de-energized and essential train 1 power is isolated from cables that enter the cable spread room or control room. AFW train 2 is tripped and AFW train 1 is manually controlled to SG1. The PRA model assumption is that either all the key steps in the procedure attachments are performed correctly, or core damage results. Steps are considered to be key steps if they support maintaining feedwater, preventing reactor coolant loss, or supplying power to the ASP. Credit is not taken for redundant steps, so they are effectively considered to be completely dependent.
Key steps are also conservatively considered to be required for success regardless of whether plant conditions actually require their completion.
For example, the operator action to close the PORV block valve is considered a key step, and if that action fails, core damage is assumed even in scenarios where the PORV does not spuriously open and closing the block valve is therefore not necessary.
There are two exceptions to the bundled HFE philosophy, both related to local operation of the EFW pump if it is required after control room abandonment.
The decision to credit local EFW operation was made later in the modeling process, so these actions are not bundled in the abandonment HFE, but are modeled separately as part of the EFW fault tree. The first action is locally starting the EFW pump itself, and the second is deploying and starting the portable FLEX low pressure feedwater pump if the EFW pump should fail to run. Further, control room abandonment is only performed for fires in the control room itself or in the cable spreading room. Therefore, there will be no direct fire impact on the local actions that are required, so the actions do not change based on the specific fire scenario.
The simplified model conservatively treats failure of any single action as a failure to abandon the control room, which results in core damage. While the control room abandonment HFE is described as a single HFE, it is more accurate to describe it as a CAFTA module. Seven separate HFEs were developed and included under an OR gate. The resulting probability of that gate is used as the HFE probability in the fault tree. This simplifies the resulting cutsets, since for a given fire scenario, it results in a single cutset vs seven nearly identical cutsets. Each separate HFE was developed with its own specific timing considerations and required actions. As noted in the response to part (a) of this question, final revisions of the station serious fire procedures for the NFPA 805 transition are not yet complete, and therefore, the specifics of the abandonment HFEs are subject to change. Any significant changes will be noted in the response to PRA RAI 03.
The specific HFEs currently modeled in the abandonment HFE are as follows:
CHABANDF-COG: Operators fail to decide to abandon MCR and go to ASP
CHABANDF-PORV: Operators fail to close/isolate the PORV during MCR abandonment
* Open PORV power supply breaker (PORV fails closed on loss of power)
* Isolate PORV block valve control from control room
* Close PORV block valve
CHABANDF-OVRFL: Operators fail to prevent overfill of SGs during MCR abandonment
* Locally trip AFP2
* Isolate AFP1 control from control room
* Place AFP1 on low speed stop
CHABANDF-RCPS: Operators fail to trip RCPs during MCR abandonment
* Isolate Bus B control power
* Open Bus B source breakers
* Isolate Bus A control power
* Open breakers for RCPs powered by Bus A
CHABANDF-LTDWN: Operators fail to isolate RCS letdown during MCR abandonment
* Isolate and bleed off air to MU38 (closes valve, isolates RCP seal return)
* Isolate and bleed off air to MU3 (closes valve, isolates letdown)
CHABANDF-AFW: Operators fail to take manual control of AFW to maintain SG level
* Isolate control for AFW train 1 MOVs from MCR
* Align AFW train 1 MOVs to feed SG 1 with AFW pump 1
* Manually control AFW pump 1 speed to maintain SG level
* Take manual control of SG 1 atmospheric vent valve to maintain SG 1 pressure
CHABANDF-EDG: Operators fail to restore CCW to EDG1 and repower C1/E1
* Isolate EDG1 control from MCR
* Press emergency shutdown button for EDG2
* Isolate control for CCW & SW train 1 pumps and valves from control room
* Align CCW & SW valves to supply cooling to EDG1
* Start CCW & SW pumps to supply train 1
* Verify feed breakers to bus E1 are closed
PRA RAI 12.01
In response to PRA RAI 12 (January 17, 2017), the licensee indicated that MCR abandonment scenarios due to loss of control were modeled for the transition plant using the same simplified fault tree approach as described in its response to PRA RAI 11 (January 17, 2017). However, the licensee's response to PRA RAI 12 did not explain how the conditional core damage probability and conditional large early release probability were determined for MCR abandonment scenarios due to loss of control.
a. Describe the basic events that comprise the simplified fault tree for MCR abandonment scenarios due to loss of control. Justify that this model is adequate for determining the fire contribution from these scenarios.
Describe the hardware failures included in the simplified fault tree, and justify any exclusion of cable or equipment failures that are included in the detailed fire PRA model. Also, discuss how the impacts of fire damage are accounted for in the model.
Response:
Simplified fault tree basic event descriptions for MCR abandonment scenarios due to loss of control are the same as those described in the response to PRA RAI 11.01 for abandonment scenarios due to loss of habitability.
As stated in the response to PRA RAI 11.01 (a), current control room abandonment procedure actions are taken regardless of the reason for abandoning the control room or the specific state of the plant.
PRA RAI 12.01
b. Justify how failure of operator actions required for alternate shutdown can be modeled as a single HFE for MCR abandonment scenarios due to loss of control, even though differences in fire impact may require different response actions.
Response:
Justification of failure of operator actions required for alternate shutdown being modeled as a single HFE for MCR abandonment scenarios due to loss of control is the same as that described in the response to PRA RAI 11.01 for abandonment scenarios due to loss of habitability.
As stated in the response to PRA RAI 11.01 (b), current control room abandonment procedure actions are taken regardless of the reason for abandoning the control room or the specific state of the plant.}}
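
The two modeling steps described in the responses to PRA RAI 11.01 and 12.01, the seven-HFE OR-gate module and the replacement of fire-damage flags by the abandonment HFE during cutset post-processing, are sketched below as an added example that is not FENOC's CAFTA model or code. All probabilities, initiator frequencies, flag names, hardware event names and the module name are constructed placeholders, and the seven HFEs are assumed independent when combined under the OR gate.

```python
from math import prod

# The seven HFEs named in the letter. The probabilities are constructed
# placeholders; the letter gives no values.
ABANDONMENT_HFES = {
    "CHABANDF-COG": 1.0e-2,
    "CHABANDF-PORV": 5.0e-3,
    "CHABANDF-OVRFL": 5.0e-3,
    "CHABANDF-RCPS": 3.0e-3,
    "CHABANDF-LTDWN": 3.0e-3,
    "CHABANDF-AFW": 8.0e-3,
    "CHABANDF-EDG": 1.0e-2,
}

MODULE = "CHABANDF-MODULE"         # hypothetical name for the OR-gate module
ABANDON_FLAG = "FLAG-MCR-ABANDON"  # hypothetical control room abandonment flag
# Hypothetical flags that sit under AND gates with direct fire impacts.
FIRE_FLAGS = frozenset({"FLAG-FIRE-EDG1", "FLAG-FIRE-BUS-C1", "FLAG-SPUR-BKR"})


def module_probability(hfes=ABANDONMENT_HFES):
    """OR gate over the HFEs (assumed independent): any one failing fails all."""
    return 1.0 - prod(1.0 - p for p in hfes.values())


def replace_flags(cutset):
    """Swap fire-damage flags for the module, only if abandonment is flagged."""
    cutset = frozenset(cutset)
    if ABANDON_FLAG in cutset and cutset & FIRE_FLAGS:
        return (cutset - FIRE_FLAGS) | {MODULE}
    return cutset


def minimise(cutsets):
    """Drop duplicates and any cutset that strictly contains another one."""
    unique = set(cutsets)
    return {c for c in unique if not any(other < c for other in unique)}


def post_process(cutsets):
    return minimise(replace_flags(c) for c in cutsets)


def expand_module(cutset):
    """The seven near-identical cutsets the module collapses into one."""
    base = frozenset(cutset) - {MODULE}
    return [base | {name} for name in ABANDONMENT_HFES]


def frequency(cutset, values):
    return prod(values[event] for event in cutset)


def total_frequency(cutsets, values):
    """Rare-event approximation: sum of the cutset frequencies."""
    return sum(frequency(c, values) for c in cutsets)


# Constructed values: initiator frequencies per year, flags as 1.0 markers.
VALUES = {
    "IE-FIRE-MCR": 1.0e-4, "IE-FIRE-CSR": 2.0e-4,
    "AFW-PUMP1-FTS": 2.0e-3, "EFW-PUMP-FTS": 3.0e-3, "EDG2-FTR": 2.0e-2,
    ABANDON_FLAG: 1.0, **{flag: 1.0 for flag in FIRE_FLAGS},
    **ABANDONMENT_HFES, MODULE: module_probability(),
}

# Constructed cutsets as they might look before post-processing.
SAMPLE_CUTSETS = [
    {"IE-FIRE-MCR", ABANDON_FLAG, "FLAG-FIRE-EDG1"},
    {"IE-FIRE-MCR", ABANDON_FLAG, "FLAG-FIRE-BUS-C1", "FLAG-SPUR-BKR"},
    {"IE-FIRE-MCR", ABANDON_FLAG, "FLAG-FIRE-EDG1", "AFW-PUMP1-FTS"},
    {"IE-FIRE-CSR", "FLAG-FIRE-EDG1", "EDG2-FTR"},  # no abandonment: unchanged
    {"IE-FIRE-MCR", ABANDON_FLAG, "AFW-PUMP1-FTS", "EFW-PUMP-FTS"},
]

if __name__ == "__main__":
    result = post_process(SAMPLE_CUTSETS)
    for c in sorted(result, key=lambda c: -frequency(c, VALUES)):
        print(f"{frequency(c, VALUES):.3e}  {sorted(c)}")
    print(f"total  {total_frequency(result, VALUES):.3e}")
```

With these constructed inputs the first three cutsets collapse into a single abandonment cutset, while the non-abandonment cutset keeps its fire-damage flag as a guaranteed failure.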
