ML16146A540: Difference between revisions

(Created page by program invented by StriderTol)
(Created page by program invented by StriderTol)
 
(4 intermediate revisions by the same user not shown)
Line 3: Line 3:
| issue date = 05/18/2016
| issue date = 05/18/2016
| title = Proposed License Amendment Request Extension of TS 3.14 Service Water Flow Path Allowed Outage Times and Deletion of Expired Temporary Service Water Jumper Requirements
| title = Proposed License Amendment Request Extension of TS 3.14 Service Water Flow Path Allowed Outage Times and Deletion of Expired Temporary Service Water Jumper Requirements
| author name = Sartain M D
| author name = Sartain M
| author affiliation = Virginia Electric & Power Co (VEPCO)
| author affiliation = Virginia Electric & Power Co (VEPCO)
| addressee name =  
| addressee name =  
Line 17: Line 17:


=Text=
=Text=
{{#Wiki_filter:VIRGINIA ELECTRIC AND POWER COMPANY RICHMOND, VIRGINIA 23261 May 18, 2016 U. S. Nuclear Regulatory Commission Attention:
{{#Wiki_filter:VIRGINIA ELECTRIC AND POWER COMPANY RICHMOND, VIRGINIA 23261 May 18, 2016 10 CFR 50.90 U. S. Nuclear Regulatory Commission Serial No.: 16-180 Attention: Document Control Desk SPS/LIC-CGL: RO Washington, DC 20555-0001 Docket Nos.: 50-280/281 License Nos.: DPR-32/37 VIRGINIA ELECTRIC AND POWER COMPANY SURRY POWER STATION UNITS 1 AND 2 PROPOSED LICENSE AMENDMENT REQUEST EXTENSION OF TS 3.14 SERVICE WATER FLOW PATH ALLOWED OUTAGE TIMES AND DELETION OF EXPIRED TEMPORARY SERVICE WATER JUMPER REQUIREMENTS Pursuant to 10 CFR 50.90, Virginia Electric and Power Company (Dominion) is submitting a license amendment request to revise Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning (AC) subsystem.
Document Control Desk Washington, DC 20555-0001 VIRGINIA ELECTRIC AND POWER COMPANY SURRY POWER STATION UNITS 1 AND 2 PROPOSED LICENSE AMENDMENT REQUEST 10 CFR 50.90 Serial No.:
TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable. Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change.
SPS/LIC-CGL:
This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements have expired and are no longer necessary.
RO Docket Nos.: 50-280/281 License Nos.: DPR-32/37 EXTENSION OF TS 3.14 SERVICE WATER FLOW PATH ALLOWED OUTAGE TIMES AND DELETION OF EXPIRED TEMPORARY SERVICE WATER JUMPER REQUIREMENTS Pursuant to 10 CFR 50.90, Virginia Electric and Power Company (Dominion) is submitting a license amendment request to revise Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR)
Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis
Air Conditioning (AC) subsystem.
discussion is administrative in nature. Attachment 1 provides a discussion and assessment of the proposed change, including the results and conclusions from the supporting PRA. The marked-up and proposed pages for the TS and TS Basis are provided in Attachments 2 and 3, respectively. The TS Basis changes are provided for NRC information only. Attachment 4 provides a discussion of the technical adequacy of the PRA model.
TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable.
We have evaluated the proposed amendment and have determined that it does not involve a significant hazards consideration as defined in 10 CFR 50.92. The basis for
Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements have expired and are no longer necessary.
Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. Attachment 1 provides a discussion and assessment of the proposed change, including the results and conclusions from the supporting PRA. The marked-up and proposed pages for the TS and TS Basis are provided in Attachments 2 and 3, respectively.
The TS Basis changes are provided for NRC information only. Attachment 4 provides a discussion of the technical adequacy of the PRA model. We have evaluated the proposed amendment and have determined that it does not involve a significant hazards consideration as defined in 10 CFR 50.92. The basis for this determination is included in Attachment 1. We have also determined that operation with the proposed change will not result in any significant increase in the amount of effluents that may be released offsite or any significant increase in individual or cumulative occupational radiation exposure.
Therefore, the proposed amendment is eligible for categorical exclusion from an environmental assessment as set forth in 10 CFR 51.22(c)(9).
Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment is needed in connection with the approval of the proposed change. The proposed TS change has been reviewed and approved by the Facility Safety Review Committee.
Dominion requests approval of the proposed change by May 31, 2017 with a 60-day implementation period. Should you have any questions or require additional information, please contact Mr. Gary D. Miller at (804) 273-2771.
Respectfully, Mark D. Sartain Vice President
-Nuclear Engineering Commitments contained in this letter: None Attachments:
: 1. Discussion of Change 2. Marked-up Technical Specifications and Basis Pages 3. Proposed Technical Specifications and Basis Pages 4. Technical Adequacy of the Probabilistic Risk Assessment Model COMMONWEALTH OF VIRGINIA COUNTY OF HENRICO The foregoing document was acknowledged before me, in and for the County and Commonwealth aforesaid, today by Mr. Mark D. Sartain, who is Vice President
-Nuclear Engineering, of Virginia Electric and Power Company. He has affirmed before me that he is duly authorized to execute and file the foregoing document in behalf of that company, and that the statements in the document are true to the best of his knowledge and belief. Acknowledged before me this [ 8 'Jlday 2016. My Commission Expires: 5 -3 \ -\ g .
Notary Public
cc: U.S. Nuclear Regulatory Commission
-Region II Marquis One Tower 245 Peachtree Center Avenue, NE Suite 1200 Atlanta, GA 30303-1257 State Health Commissioner Virginia Department of Health James Madison Building -ih floor 109 Governor Street Suite 730 Richmond, VA 23219 Ms. K. R. Cotton Gross NRC Project Manager -Surry U.S. Nuclear Regulatory Commission One White Flint North Mail Stop 08 G-9A 11555 Rockville Pike Rockville, MD 20852-2738 Dr. V. Sreenivas NRC Project Manager -North Anna U.S. Nuclear Regulatory Commission One White Flint North Mail Stop 08 G-9A 11555 Rockville Pike Rockville, MD 20852-2738 NRC Senior Resident Inspector Surry Power Station Serial No. 16-180 Docket Nos. 50-280/281 Page 3 of 3 Attachment 1 . DISCUSSION OF CHANGE Virginia Electric and Power Company (Dominion)
Surry Station Units 1 and 2 Serial No. 16-180 Docket Nos. 50-280/281 Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 1 of 36 DISCUSSION OF CHANGE TABLE OF CONTENTS 1.0. Introduction


===2.0 Description===
Serial No. 16-180 Docket Nos. 50-280/281 Page 2 of 3 this determination is included in Attachment 1. We have also determined that operation with the proposed change will not result in any significant increase in the amount of effluents that may be released offsite or any significant increase in individual or cumulative occupational radiation exposure. Therefore, the proposed amendment is eligible for categorical exclusion from an environmental assessment as set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment is needed in connection with the approval of the proposed change. The proposed TS change has been reviewed and approved by the Facility Safety Review Committee.
Dominion requests approval of the proposed change by May 31, 2017 with a 60-day implementation period.
Should you have any questions or require additional information, please contact Mr. Gary D. Miller at (804) 273-2771.
Respectfully, Mark D. Sartain Vice President - Nuclear Engineering Commitments contained in this letter: None Attachments:
: 1. Discussion of Change
: 2. Marked-up Technical Specifications and Basis Pages
: 3. Proposed Technical Specifications and Basis Pages
: 4. Technical Adequacy of the Probabilistic Risk Assessment Model COMMONWEALTH OF VIRGINIA COUNTY OF HENRICO The foregoing document was acknowledged before me, in and for the County and Commonwealth aforesaid, today by Mr. Mark D. Sartain, who is Vice President - Nuclear Engineering, of Virginia Electric and Power Company. He has affirmed before me that he is duly authorized to execute and file the foregoing document in behalf of that company, and that the statements in the document are true to the best of his knowledge and belief.
Acknowledged before me this [              8'Jlday of~ 2016.
My Commission Expires:              5 - 3 \ - \g .
Notary Public
:Commonwealth of Virginia


of Proposed Change 3.0 Technical Evaluation
Serial No. 16-180 Docket Nos. 50-280/281 Page 3 of 3 cc: U.S. Nuclear Regulatory Commission - Region II Marquis One Tower 245 Peachtree Center Avenue, NE Suite 1200 Atlanta, GA 30303-1257 State Health Commissioner Virginia Department of Health James Madison Building - ih floor 109 Governor Street Suite 730 Richmond, VA 23219 Ms. K. R. Cotton Gross NRC Project Manager - Surry U.S. Nuclear Regulatory Commission One White Flint North Mail Stop 08 G-9A 11555 Rockville Pike Rockville, MD 20852-2738 Dr. V. Sreenivas NRC Project Manager - North Anna U.S. Nuclear Regulatory Commission One White Flint North Mail Stop 08 G-9A 11555 Rockville Pike Rockville, MD 20852-2738 NRC Senior Resident Inspector Surry Power Station


===3.1 Charging===
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1
Pump Service Water Subsystem and Main Control Room and Emergency Switchgear Room Air Conditioning Subsystem Description
    . DISCUSSION OF CHANGE Virginia Electric and Power Company (Dominion)
Surry Station Units 1 and 2


===3.2 Evaluation===
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 1 of 36 DISCUSSION OF CHANGE TABLE OF CONTENTS 1.0. Introduction 2.0 Description of Proposed Change 3.0 Technical Evaluation 3.1 Charging Pump Service Water Subsystem and Main Control Room and Emergency Switchgear Room Air Conditioning Subsystem Description 3.2 Evaluation of Extended Allowed Outage Time 3.3 Deletion of Requirements for Temporary Service Water Jumper to Component Cooling Heat Exchangers 4.0 Regulatory Evaluation 4.1 Applicable Regulatory Requirements 4.2 NUREG-1431, Standard Technical Specifications -
Westinghouse Plants 4.3 No Significant Hazards Consideration 5.0 Probabilistic Risk Assessment 5.1 Purpose 5.2 Introduction 5.3 Analysis 5.4 Results and Conclusions 6.0 Environmental Assessment 7.0 Conclusion


of Extended Allowed Outage Time 3.3 Deletion of Requirements for Temporary Service Water Jumper to Component Cooling Heat Exchangers
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 2 of 36 DISCUSSION OF CHANGE


===4.0 Regulatory===
==1.0 INTRODUCTION==


Evaluation
The proposed change revises Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning (AC) subsystem. TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable. Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps. The proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.
A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.
The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements were included in the Surry TS to allow cleaning, inspection, repair and recoating of the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. These requirements have expired and are no longer necessary. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The TS 3.14 Basis deletion is provided to the NRC for information.


===4.1 Applicable===
==2.0 DESCRIPTION OF PROPOSED CHANGE==
The proposed revision extends the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours.


Regulatory Requirements 4.2 NUREG-1431, Standard Technical Specifications  
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 3 of 36 TS 3.14.C currently states:
-Westinghouse Plants 4.3 No Significant Hazards Consideration
C. The requirements of Specifications 3.14.A.5, 3.14.A.6, and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem, the recirculation spray subsystems, and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5, 3.14.A.6, and 3.14.A.7 within 24 hours, the reactor shall be placed in HOT SHUTDOWN. If the requirements of Specifications 3.14.A.5, 3.14.A.6, and 3.14.A.7 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN.
The proposed change revises the Surry TS as follows: 1) TS 3.14.C is revised to extend the CPSW subsystem flow path and the MCR/ESGR AC condensers flow path AOTs from 24 to 72 hours and to relocate the flow path AOT for the Recirculation Spray (RS) subsystems to a new specification, and 2) new TS 3.14.D is created for the existing flow path AOT for the RS subsystems. The flow path AOT in the new TS 3.14.D for the RS subsystems is not being modified. The revised TS 3.14.C and the new TS 3.14.D are proposed as follows:
C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.
D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems. If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.
The proposed revision also deletes the following requirements for the temporary SW jumper to the CCHXs:
: 1. Unit 1 License Condition U on page 9 of the Unit 1 Operating License
: 2. Unit 2 License Condition U on page 9 of the Unit 2 Operating License
: 3. Note B in TS Table 3.7-2 on page TS 3.7-20


===5.0 Probabilistic===
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 4 of 36
: 4. The footnote associated with TS 3.14.A.2.b on page TS 3.14-1
: 5. The last paragraph in the TS 3.14 Basis on pages TS 3.14-4 and TS 3.14-4a


Risk Assessment
==3.0 TECHNICAL EVALUATION==


===5.1 Purpose===
3.1 Charging Pump Service Water Subsystem and Main Control Room and Emergency Switchgear Room Air Conditioning Subsystem Description
The Surry Units 1 and 2 Circulating Water (CW) and Service Water (SW) Systems, which are supplied by the James River, are designed for the removal of heat resulting from the operation of various systems and components for both units. The CW System cools the main condenser, and the SW System provides cooling water to the following components:
5.2 Introduction
: 1. Bearing Cooling (BC) water heat exchangers,
: 2. Component Cooling (CC) heat exchangers,
: 3. Recirculation Spray (RS) heat exchangers,
: 4. Main control room and emergency switchgear room (MCR/ESGR) air conditioning (AC) condensers (chillers), and
: 5. Charging Pump Service Water (CPSW) subsystem.
The CW and SW Systems' configuration is shown in Figures 1 and 2 (located at the end of Attachment 1). Figure 3 below is provided for illustration purposes and shows the flow paths and components of interest.
The SW flow paths in the Mechanical Equipment Rooms (MERs) support both the CPSW subsystems and the MCR/ESGR AC subsystems. The MER flow paths include several interconnected and redundant trains, gravity fed from the Intake Canal. There are three 8-inch SW supply headers. Each header takes its supply from a 96-inch condenser inlet line, and the connection is upstream of the condenser isolation valves.
The three 8-inch headers supply two 6-inch headers. The 6-inch supply headers are 100% redundant (i.e., one header can supply 100% of the required SW flow).
Since the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem are being modified by the proposed revision, this design description focuses on the CPSW and the MCR/ESGR AC subsystems.


===5.3 Analysis===
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 5 of 36
5.4 Results and Conclusions
[Figure 3 - SW Supply to the CPSW and the MCR/ESGR AC Subsystems]
CPSW Subsystem Description
A CPSW subsystem for each unit provides water to cool the charging pump intermediate seal coolers and the charging pump lubricating oil coolers. The seal coolers reject their heat to a dedicated closed-loop subsystem of the CC System (i.e., the Charging Pump Component Cooling Water System). Heat from this system and the lube oil coolers is transferred to the CPSW subsystem.
Either of two 100%-capacity CPSW pumps (1-SW-P-10A/10B and 2-SW-P-10A/10B) delivers water from the SW System to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers, thereby maintaining the charging pump lubricating oil and the CC System water used to cool the charging pump mechanical seals at the proper temperature. Each pump has a duplex suction strainer. To ensure that service water is continually available, one CPSW pump is in operation while the other pump is maintained in standby. The standby pump is automatically actuated on


===6.0 Environmental===
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 6 of 36 low pump discharge pressure to supply SW in the event of failure of the operating pump.
The two redundant 100%-capacity CPSW pumps are located in MER-3 and MER-4 and are separated by seismic, missile-protected, 3-hour fire rated walls, ceiling, and floor.
The SW supply headers are normally cross-connected at the discharge of the strainers.
An automatic actuating fire safe isolation ball valve is installed in the cross-connect piping between the two pump trains. The separation and cross-connect of the two redundant pump trains is designed to meet the requirements in 10 CFR 50 Appendix R.
The installation of two full-capacity CPSW pumps provides 100% redundancy for this cooling water system. The components of the CPSW subsystem, including pumps and heat exchangers are designed to Seismic Class I criteria.
The CPSW pumps are connected to the emergency electrical bus to ensure they will operate in the event of a loss of station power.
Post-accident monitoring requirements for the CPSW subsystem status are satisfied by flow and temperature measurement at the discharge of each CPSW pump. Flow and temperature indications are displayed in the MCR.
MCR/ESGR AC Subsystem Description
The CPSW suction flow paths also supply suction for the A, B, and C MCR/ESGR chiller pumps (1-VS-P-1A/1B/1C) that supply the A, B, and C MCR/ESGR chillers (1-VS-E-4A/4B/4C), which are located in MER-3. Chiller pumps D and E (1-VS-P-1D/1E) that supply the D and E MCR/ESGR chillers (1-VS-E-4D/4E), which are located in MER-5, take suction upstream of the suction (rotating) strainers in MER-3/MER-4 and downstream of a duplex strainer in MER-5.
Significant installed defense-in-depth exists for the chiller pumps and chillers, since there are a total of five MCR/ESGR chillers. As noted above, three chillers are located in MER-3, and two chillers are located in MER-5. This configuration ensures that MCR envelope air handling capacity remains available in the event that both CPSW headers in MER-3 and MER-4 are unavailable. In addition, this arrangement prevents full loss of cooling in the event of a fire in either MER-3 or MER-5. Three of the five chillers are powered from either of two buses, enabling maximum system flexibility in aligning the chillers as required. Additional equipment includes control panels and isolation switches for affected air handling units and cables routed to provide the required separation. The additional equipment is seismically and environmentally qualified, as applicable. Control of the AC system is remote manual from the control room.


Assessment 7.0 Conclusion
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 7 of 36
3.2 Evaluation of Extended Allowed Outage Time
The CPSW subsystem is a support system for the charging pumps. As discussed in Section 3.1, the design function of the CPSW subsystem is to provide cooling to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers.
"' DISCUSSION OF CHANGE
The charging pumps provide a charging (i.e., reactor coolant makeup) function during normal plant operation and are also used as High Head Safety Injection (HHSI) pumps to supply borated water to the Reactor Coolant System (RCS) during accident conditions.
Surry TS 3.3, "Safety Injection System," specifies in TS 3.3.A.3 that two Safety Injection (SI) subsystems are required to be operable with the subsystems including one operable HHSI pump. With one SI subsystem inoperable, TS 3.3.B.3 requires restoration of the inoperable subsystem to operable status within 72 hours. The proposed extension of the AOT for the SW flow paths to the CPSW subsystem from 24 to 72 hours brings the support system AOT into alignment with the AOT for the supported component (i.e., Charging/HHSI pump). In addition, the design functions of the CPSW subsystem and the Charging/HHSI pumps are not impacted by the proposed revision.
As shown in Figure 3, the CPSW suction paths also supply suction for the A, B, and C MCR/ESGR chillers. Since the CPSW subsystem and the MCR/ESGR AC subsystem share common piping, it is appropriate for the AOTs for the two subsystems to be the same. The MCR/ESGR AC subsystem is a support system for the A, B, and C MCR/ESGR chillers. TS 3.23, "Main Control Room and Emergency Switchgear Room Air Conditioning System," specifies a 7-day time frame to return an inoperable/not powered as required chiller to operable status in TS 3.23.A.1.c; thus, the proposed 72-hour AOT for the MCR/ESGR AC subsystem is more limiting than the AOT for the supported components (i.e., A, B, and C MCR/ESGR chillers). In addition, the design functions of the MCR/ESGR AC subsystem and the MCR/ESGR chillers are not impacted by the proposed revision.
Leakage in the fiberglass reinforced piping portion of the CPSW and the MCR/ESGR AC subsystems has occurred recently. The current 24-hour AOTs present an unnecessarily limited time frame to facilitate repairs. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.
3.3 Deletion of Requirements for Temporary Service Water Jumper to Component Cooling Heat Exchangers
The OL conditions and the requirements in TS Table 3.7-2 and TS 3.14 for the temporary SW jumper to the CCHXs were approved by the NRC by TS Amendments 279/279 issued on September 23, 2013. These requirements were included in the


==1.0 INTRODUCTION==
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 8 of 36 Surry TS to allow cleaning, inspection, repair, and recoating in the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature and is appropriate since the requirements have expired and are no longer necessary. The TS 3.14 Basis deletion is provided to the NRC for information.


Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 2 of 36 The proposed change revises Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR)
==4.0 REGULATORY EVALUATION==
Air Conditioning (AC) subsystem.
TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable.
Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps. The proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs. A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.
The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements were included in the Surry TS to allow cleaning, inspection, repair and recoating of the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. These requirements have expired and are no longer necessary.
Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The TS 3.14 Basis deletion is provided to the NRC for information.  


==2.0 DESCRIPTION==
4.1    Applicable Regulatory Requirements The regulations in Appendix A to Title 10 of the Code of Federal Regulations (10 CFR)
Part 50 establish minimum principal design criteria for water-cooled nuclear power plants, while 10 CFR 50 Appendix B and the licensee quality assurance programs establish quality assurance requirements for the design, manufacture, construction, and operation of structures, systems, and components. The current regulatory requirements of 10 CFR 50 Appendix A that are applicable to the CPSW support function for the charging pumps include: General Design Criteria (GDC) 1, 35, 36, and 37. The current regulatory requirements that are applicable to the MCR/ESGR AC function for providing safe conditions in the control room is GDC 19.
During the initial plant licensing of Surry Units 1 and 2, it was demonstrated that the design of the SI Systems met the regulatory requirements in place at that time. The GDC included in Appendix A to 10 CFR 50 did not become effective until May 21, 1971.
The Construction Permits for SPS Units 1 and 2 were issued prior to May 21, 1971; consequently, Surry Units 1 and 2 were not subject to current GDC requirements (SECY-92-223, dated September 18, 1992). The following information demonstrates SPS Units 1 and 2 meet the intent of the GDC published in 1967 (Draft GDC).
Specifically, Section 1.4 of the SPS Units 1 and 2 Updated Final Safety Analysis Report (UFSAR) discusses SPS compliance with these criteria. The draft GDC associated with the Emergency Core Cooling System (ECCS) are addressed below since the CPSW system provides a support function for the charging pumps, which are also used as HHSI pumps to supply borated water to the RCS during accident conditions. The draft criterion associated with the Control Room is also addressed below.
* Quality Standards (Criterion 1 - draft)
Those systems and components of reactor facilities that are essential to the prevention of accidents which could affect the public health and safety or to the mitigation of their consequences are designed, fabricated, and erected in accordance with quality standards that reflect the importance of the safety function to be performed. Where generally recognized codes or standards on design, materials, fabrication, and inspection are used, they shall be identified. Where adherence to such codes or standards does not suffice to assure a quality product in


OF PROPOSED CHANGE The proposed revision extends the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 9 of 36 keeping with the safety function, they shall be supplemented or modified as necessary. A showing of sufficiency and applicability of codes, standards, quality assurance programs, test procedures, and inspection acceptance levels used is required.
TS 3.14.C currently states: C. The requirements of Specifications 3.14.A.5, 3.14.A.6, and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem, the recirculation spray subsystems, and to the main control and emergency switchgear rooms air conditioning condensers.
Design Conformance Structures, systems, and components important to safety are designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.
If the affected systems are not restored to the requirements of Specifications
The SI System includes features necessary to ensure core cooling and negative reactivity following a limiting event. Approved design codes are used when appropriate to the nuclear application. Vessels comply with Section III of the ASME Code under the specific classification dictated by their use. Piping conforms to the requirements of USAS B31.1.
3.14.A.5, 3.14.A.6, and 3.14.A.7 within 24 hours, the reactor shall be placed in HOT SHUTDOWN.
The Quality Assurance Program was established to provide assurance that
If the requirements of Specifications
safety-related structures, systems, and components satisfactorily perform their intended safety functions.
3.14.A.5, 3.14.A.6, and 3.14.A.7 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN.
* Control Room (Criterion 11 - draft)
The proposed change revises the Surry TS as follows: 1) TS 3.14.C is revised to extend the CPSW subsystem flow path and the MCR/ESGR AC condensers flow path AOTs from 24 to 72 hours and to relocate the flow path AOT for the Recirculation Spray (RS) subsystems to a new specification, and 2) new TS 3.14.D is created for the existing flow path AOT for the RS subsystems.
The facility shall be provided with a control room from which actions to maintain safe
The flow path AOT in the new TS 3.14.D for the RS subsystems is not being modified.
operational status of the plant can be controlled. Adequate radiation protection shall be provided to permit access, even under accident conditions, to equipment in the
The revised TS 3.14.C and the new TS 3.14.D are proposed as follows: C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers.
control room or other areas necessary to shut down and maintain safe control of the facility without radiation exposures of personnel in excess of 10 CFR 20 limits. It shall be possible to shut the reactor down and maintain it in a safe condition if access to the control room is lost due to fire or other causes.
If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours. D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems.
Design Conformance The control room is located at grade level in the service building. Safety-related switchgear, motor-generator sets, auxiliary instrument areas, battery rooms, and communications equipment are located in the basement of the service building.
If the affected system is not restored to the requirements of Specification
Sufficient shielding, distance, and containment integrity are provided to ensure that under postulated accident conditions during occupancy of the control room, control room personnel shall not be subjected to doses that, in the aggregate, would exceed the limits in 10 CFR 50.67. Emergency air-conditioning equipment is provided within the envelope of the shielded control room and associated portions of the basement, collectively called the control and relay room area. The control room is provided with the switchyard control panel, electrical recording panels, dc distribution panels, and a control panel for the operation of the diesel-generator system. The control panels contain those instruments and controls necessary for the operation of station and
3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification
3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours. The proposed revision also deletes the following requirements for the temporary SW jumper to the CCHXs:
: 1. Unit 1 License Condition U on page 9 of the Unit 1 Operating License
: 2. Unit 2 License Condition U on page 9 of the Unit 2 Operating License
: 3. Note B in TS Table 3.7-2 on page TS 3.7-20
: 4. The footnote associated with TS 3.14.A.2.b on page TS 3.14-1
: 5. The last paragraph in the TS 3.14 Basis on pages TS 3.14-4 and TS 3.14-4a
3.0 TECHNICAL EVALUATION


===3.1 Charging===
unit systems such as the reactor and its auxiliary systems, the turbine generator, and the steam and power conversion systems. Loading from the various station electrical distribution boards, such as the start-up boards, shutdown boards, and motor control centers, is accomplished from the station control panels.
Pump Service Water Subsystem and Main Control Room and Emergency Switchgear Room Air Conditioning Subsystem Description The Surry Units 1 and 2 Circulating Water (CW) and Service Water (SW) Systems, which are supplied by the James River, are designed for the removal of heat resulting from the operation of various systems and components for both units. The CW System cools the main condenser, and the SW System provides cooling water to the following components:
The control room is common to the two units and is continuously occupied by qualified operating personnel under all operating and accident conditions. In the event that access to the control room is restricted, either local control stations or the manual operation of critical components within the main control area can be used to effect hot shutdown from outside the control room.
: 1. Bearing Cooling (BC) water heat exchangers,
: 2. Component Cooling (CC) heat exchangers,
: 3. Recirculation Spray (RS) heat exchangers,
: 4. Main control room and emergency switchgear room (MCR/ESGR) air conditioning (AC) condensers (chillers), and
: 5. Charging Pump Service Water (CPSW) subsystem.
* Engineered Safety Features Basis for Design (Criterion 37 - draft)
The CW and SW Systems' configuration is shown in Figures 1 and 2 (located at the end of Attachment 1). Figure 3 below is provided for illustration purposes and shows the flow paths and components of interest.
Engineered safety features shall be provided in the facility to back up the safety provided by the core design, the reactor coolant pressure boundary, and their protection systems. As a minimum, such engineered safety features shall be designed to cope with any size reactor coolant pressure boundary break up to and including the circumferential rupture of any pipe in that boundary assuming unobstructed discharge from both ends.
The SW flow paths in the Mechanical Equipment Rooms (MERs) support both the CPSW subsystems and the MCR/ESGR AC subsystems.
Design Conformance Engineered safeguards are provided in the facility to back up the safety provided by the design of the core, the reactor coolant pressure boundary, and their protection systems. Engineered safeguards are provided to cope with any size reactor coolant pipe break up to and including the circumferential rupture of any pipe in that boundary and an unobstructed discharge from both ends, and to separately cope with any steam or feedwater line break. Limiting the release of fission products from the reactor fuel is accomplished by the SI System, which, by cooling the core, keeps the fuel in place and substantially intact and significantly limits the metal-water reaction.
The MER flow paths include several interconnected and redundant trains, gravity fed from the Intake Canal. There are three 8-inch SW supply headers. Each header takes its supply from a 96-inch condenser inlet line, and the connection is upstream of the condenser isolation valves. The three 8-inch headers supply two 6-inch headers. The 6-inch supply headers are 100% redundant (i.e., one header can supply 100% of the required SW flow). Since the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem are being modified by the proposed revision, this design description focuses on the CPSW and the MCR/ESGR AC subsystems.
* Reliability and Testability of Engineered Safety Features (Criterion 38 - draft)
All engineered safety features shall be designed to provide high functional reliability and ready testability. In determining the suitability of a facility for a proposed site,
[Figure 3 - SW Supply to the CPSW and the MCR/ESGR AC Subsystems]
CPSW Subsystem Description A CPSW subsystem for each unit provides water to cool the charging pump intermediate seal coolers and the charging pump lubricating oil coolers. The seal coolers reject their heat to a dedicated closed-loop subsystem of the CC System (i.e., the Charging Pump Component Cooling Water System). Heat from this system and the lube oil coolers is transferred to the CPSW subsystem.
the degree of reliance upon and acceptance of the inherent and engineered safety afforded by the systems, including engineered safety features, will be influenced by the known and the demonstrated performance capability and reliability of the systems, and by the extent to which the operability of such systems can be tested and inspected where appropriate during the life of the plant.
Either of two 100%-capacity CPSW pumps (1-SW-P-10A/10B and 2-SW-P-10A/10B) delivers water from the SW System to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers, thereby maintaining the charging pump lubricating oil and the CC System water used to cool the charging pump mechanical seals at the proper temperature.
Each pump has a duplex suction strainer.
To ensure that service water is continually available, one CPSW pump is in operation while the other pump is maintained in standby. The standby pump is automatically actuated on low pump discharge pressure to supply SW in the event of failure of the operating pump. The two redundant 100%-capacity CPSW pumps are located in MER-3 and MER-4 and are separated by seismic, missile-protected, 3-hour fire rated walls, ceiling, and floor. The SW supply headers are normally cross-connected at the discharge of the strainers.
An automatic actuating fire safe isolation ball valve is installed in the cross-connect piping between the two pump trains. The separation and cross-connect of the two redundant pump trains is designed to meet the requirements in 10 CFR 50 Appendix R. The installation of two full-capacity CPSW pumps provides 100% redundancy for this cooling water system. The components of the CPSW subsystem, including pumps and heat exchangers are designed to Seismic Class I criteria.
The CPSW pumps are connected to the emergency electrical bus to ensure they will operate in the event of a loss of station power. Post-accident monitoring requirements for the CPSW subsystem status are satisfied by flow and temperature measurement at the discharge of each CPSW pump. Flow and temperature indications are displayed in the MCR. MCR/ESGR AC Subsystem Description The CPSW suction flow paths also supply suction for the A, B, and C MCR/ESGR chiller pumps (1-VS-P-1A/1B/1C) that supply the A, B, and C MCR/ESGR chillers (1-VS-E-4A/4B/4C), which are located in MER-3. Chiller pumps D and E (1-VS-P-1D/1E) that supply the D and E MCR/ESGR chillers (1-VS-E-4D/4E), which are located in MER-5, take suction upstream of the suction (rotating) strainers in MER-3/MER-4 and downstream of a duplex strainer in MER-5. Significant installed defense-in-depth exists for the chiller pumps and chillers, since there are a total of five MCR/ESGR chillers.
As noted above, three chillers are located in MER-3, and two chillers are located in MER-5. This configuration ensures that MCR envelope air handling capacity remains available in the event that both CPSW headers in MER-3 and MER-4 are unavailable.
In addition, this arrangement prevents full loss of cooling in the event of a fire in either MER-3 or MER-5. Three of the five chillers are powered from either of two buses, enabling maximum system flexibility in aligning the chillers as required.
Additional equipment includes control panels and isolation switches for affected air handling units and cables routed to provide the required separation.
The additional equipment is seismically and environmentally qualified, as applicable.
Control of the AC system is remote manual from the control room.


===3.2 Evaluation===
Design Conformance Engineered safeguards are designed to provide such functional reliability and ready testability as is necessary to avoid undue risk to the health and safety of the public.
A comprehensive program of testing has been formulated for equipment, systems, and system controls vital to the functioning of engineered safeguards. The program consists of performance tests of individual pieces of equipment in the manufacturer's shop, integrated tests of the system as a whole, and periodic tests of the activation circuitry and mechanical components to ensure reliable performance, upon demand, throughout the unit lifetime.
Design provisions are made so that components of the SI System can be tested periodically for operability and functional performance.
The engineered safeguards components are checked periodically and routinely. In the event that one of the components requires maintenance as a result of failure to perform according to prescribed limits during the test, the necessary corrections or minor maintenance are accomplished and the component is retested immediately.
* Engineered Safety Features Performance Capability (Criterion 41 - draft)
Engineered safety features, such as emergency core cooling and containment heat removal systems, shall provide sufficient performance capability to accommodate partial loss of installed capacity and still fulfill the required safety function. As a minimum, each engineered safety feature shall provide this required safety function assuming a failure of a single active component.
Design Conformance Engineered safeguards, such as the SI System and the containment heat removal system, provide sufficient performance capability to accommodate the failure of any single active component without any undue risk to the health and safety of the public. The overall capability of the engineered safeguards meets the suggested requirements of 10 CFR 50.67 or RG 1.183, as applicable, for the occurrence of any rupture of a reactor coolant or Main Steam System pipe, including the double-ended rupture of a reactor coolant pipe, known as the design-basis accident.
* Emergency Core Cooling Systems Capability (Criterion 44 - draft)
At least two emergency core cooling systems, preferably of different design principles, each with a capability for accomplishing abundant emergency core cooling, shall be provided. Each emergency core cooling system and the core shall be designed to prevent fuel and clad damage that would interfere with the emergency core cooling function and to limit the clad metal-water reaction to negligible amounts for all sizes of breaks in the reactor coolant pressure boundary,


of Extended Allowed Outage Time The CPSW subsystem is a support system for the charging pumps. As discussed in Section 3.1, the design function of the CPSW subsystem is to provide cooling to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers. The charging pumps provide a charging (i.e., reactor coolant makeup) function during normal plant operation and are also used as High Head Safety Injection (HHSI) pumps to supply borated water to the Reactor Coolant System (RCS) during accident conditions.
including the double-ended rupture of the largest pipe. The performance of each emergency core cooling system shall be evaluated conservatively in each area of uncertainty.
Surry TS 3.3, "Safety Injection System," specifies in TS 3.3.A.3 that two Safety Injection (SI) subsystems are required to be operable with the subsystems including one operable HHSI pump. With one SI subsystem inoperable, TS 3.3.B.3 requires restoration of the inoperable subsystem to operable status within 72 hours. The proposed extension of the AOT for the SW flow paths to the CPSW subsystem from 24 to 72 hours brings the support system AOT into alignment with the AOT for the supported component (i.e., Charging/HHSI
Design Conformance The SI System employs a passive system of accumulators that do not require any external signals or source of power for their operation to cope with the short-term cooling requirements of a large reactor coolant pipe break. The HHSI and the Low Head SI (LHSI) Systems, each capable of supplying the required emergency cooling, are also provided for small-break protection and to keep the core submerged after the accumulators have discharged following a large break. These systems are arranged so that the single failure of any active component does not interfere with meeting the short-term cooling requirements. The HHSI and LHSI Systems are each capable of fulfilling long-term cooling requirements. The failure of any single active component or the development of excessive leakage during the long-term cooling period does not interfere with the ability to meet necessary long-term cooling objectives with one of the systems.
pump). In addition, the design functions of the CPSW subsystem and the Charging/HHSI
The primary purpose of the SI System is to automatically deliver cooling water to the reactor core in the event of a LOCA. This limits the fuel clad temperature and thereby ensures that the core remains intact and in place with its essential heat transfer geometry preserved. This protection is afforded for: all pipe break sizes up to and including the hypothetical instantaneous circumferential rupture of a reactor coolant loop, assuming unobstructed discharge from both ends; a loss of coolant associated with the rod ejection accident; and a steam generator tube rupture.
pumps are not impacted by the proposed revision.
* Inspection of Emergency Core Cooling Systems (Criterion 45 - draft)
As shown in Figure 3, the CPSW suction paths also supply suction for the A, B, and C MCR/ESGR chillers.
Design provisions shall be made to facilitate physical inspection of all critical parts of the emergency core cooling systems, including reactor vessel internals and water injection nozzles.
Since the CPSW subsystem and the MCR/ESGR AC subsystem share common piping, it is appropriate for the AOTs for the two subsystems to be the same. The MCR/ESGR AC subsystem is a support system for the A, B, and C MCR/ESGR chillers.
Design Conformance Design provisions are made for the inspection of components of the SI System to the extent practical. An inspection is performed periodically to demonstrate system readiness. The pressure containment boundaries can be inspected for leaks from pump seals, valve packing, flanged joints, and safety valves during system testing.
TS 3.23, "Main Control Room and Emergency Switchgear Room Air Conditioning System," specifies a 7-day time frame to return an inoperable/not powered as required chiller to operable status in TS 3.23.A.1.c; thus, the proposed 72-hour AOT for the MCR/ESGR AC subsystem is more limiting than the AOT for the supported components (i.e., A, B, and C MCR/ESGR chillers).
In addition, critical parts of the reactor vessel internals, injection nozzles, pipes, valves, and SI pumps can be inspected visually or by boroscopic examination for evidence of erosion, corrosion, and vibration wear, and non-destructive tests can be performed where such techniques are desirable, practical, and appropriate.
In addition, the design functions of the MCR/ESGR AC subsystem and the MCR/ESGR chillers are not impacted by the proposed revision.
Leakage in the fiberglass reinforced piping portion of the CPSW and the MCR/ESGR AC subsystems has occurred recently.
The current 24-hour AOTs present an unnecessarily limited time frame to facilitate repairs. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.
3.3 Deletion of Requirements for Temporary Service Water Jumper to Component Cooling Heat Exchangers
The OL conditions and the requirements in TS Table 3.7-2 and TS 3.14 for the temporary SW jumper to the CCHXs were approved by the NRC by TS Amendments 279/279 issued on September 23, 2013. These requirements were included in the Surry TS to allow cleaning, inspection, repair, and recoating in the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature and is appropriate since the requirements have expired and are no longer necessary.
The TS 3.14 Basis deletion is provided to the NRC for information.  


==4.0 REGULATORY EVALUATION==
 
* Testing of Emergency Core Cooling Systems (Criterion 47 - draft)
===4.1 Applicable===
A capability shall be provided to test periodically the delivery capability of the emergency core cooling systems at a location as close to the core as is practical.
Design Conformance Design provisions include special instrumentation, testing, and sampling lines to perform the tests, and unit shutdown to demonstrate the proper automatic operation of the SI System. A test signal is supplied to initiate automatic action. The test
demonstrates the operation of the valves, pump circuit breakers, and automatic circuitry. In addition, other tests are performed periodically to verify that the SI pumps attain required discharge heads.
Quality Assurance Quality assurance criteria provided in 10 CFR Part 50, Appendix B, applicable to the subject systems include: Criteria III, V, XI, XVI, and XVII. Criteria III and V require measures to ensure that applicable regulatory requirements and the design basis, as defined in 10 CFR 50.2, "Definitions," and as specified in the license application, are correctly translated into controlled specifications, drawings, procedures, and
instructions. Criterion XI requires a test program to ensure that the subject systems will perform satisfactorily in service and requires that test results shall be documented and evaluated to ensure that test requirements have been satisfied. Criterion XVI requires measures to ensure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and nonconformances, are promptly identified and corrected, and that significant conditions adverse to quality are documented and reported to management. Criterion XVII requires maintenance of records of activities affecting quality.
4.2 NUREG-1431, Standard Technical Specifications - Westinghouse Plants The proposed change was compared to similar requirements in TS 3.7.8, Service Water System (SWS) in NUREG-1431, Standard Technical Specifications - Westinghouse Plants. It was determined that the proposed change for the CPSW subsystem is consistent with the 72-hour completion time for restoration of one inoperable SWS train to operable status in NUREG-1431.
4.3 No Significant Hazards Consideration The proposed change revises Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning (AC) subsystem. TS 3.14.A.5 and TS 3.14.A.7


Regulatory Requirements The regulations in Appendix A to Title 10 of the Code of Federal Regulations (10 CFR) Part 50 establish minimum principal design criteria for water-cooled nuclear power plants, while 10 CFR 50 Appendix B and the licensee quality assurance programs establish quality assurance requirements for the design, manufacture, construction, and operation of structures, systems, and components.
require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable. Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps; the proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the
The current regulatory requirements of 10 CFR 50 Appendix A that are applicable to the CPSW support function for the charging pumps include: General Design Criteria (GDC) 1, 35, 36, and 37. The current regulatory requirements that are applicable to the MCR/ESGR AC function for providing safe conditions in the control room is GDC 19. During the initial plant licensing of Surry Units 1 and 2, it was demonstrated that the design of the SI Systems met the regulatory requirements in place at that time. The GDC included in Appendix A to 10 CFR 50 did not become effective until May 21, 1971. The Construction Permits for SPS Units 1 and 2 were issued prior to May 21, 1971; consequently, Surry Units 1 and 2 were not subject to current GDC requirements (SECY-92-223, dated September 18, 1992). The following information demonstrates SPS Units 1 and 2 meet the intent of the GDC published in 1967 (Draft GDC). Specifically, Section 1.4 of the SPS Units 1 and 2 Updated Final Safety Analysis Report (UFSAR) discusses SPS compliance with these criteria.
Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping.
The draft GDC associated with the Emergency Core Cooling System (ECCS) are addressed below since the CPSW system provides a support function for the charging pumps, which are also used as HHSI pumps to supply borated water to the RCS during accident conditions.
The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.
The draft criterion associated with the Control Room is also addressed below.
A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.
* Quality Standards (Criterion 1 - draft) Those systems and components of reactor facilities that are essential to the prevention of accidents which could affect the public health and safety or to the mitigation of their consequences are designed, fabricated, and erected in accordance with quality standards that reflect the importance of the safety function to be performed.
Where generally recognized codes or standards on design, materials, fabrication, and inspection are used, they shall be identified.
Where adherence to such codes or standards does not suffice to assure a quality product in keeping with the safety function, they shall be supplemented or modified as necessary.
A showing of sufficiency and applicability of codes, standards, quality assurance programs, test procedures, and inspection acceptance levels used is required.
Design Conformance Structures, systems, and components important to safety are designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.
The SI System includes features necessary to ensure core cooling and negative reactivity following a limiting event. Approved design codes are used when appropriate to the nuclear application.
Vessels comply with Section III of the ASME Code under the specific classification dictated by their use. Piping conforms to the requirements of USAS B31.1. The Quality Assurance Program was established to provide assurance that safety-related structures, systems, and components satisfactorily perform their intended safety functions.
* Control Room (Criterion 11 - draft) The facility shall be provided with a control room from which actions to maintain safe operational status of the plant can be controlled.
Adequate radiation protection shall be provided to permit access, even under accident conditions, to equipment in the control room or other areas necessary to shut down and maintain safe control of the facility without radiation exposures of personnel in excess of 10 CFR 20 limits. It shall be possible to shut the reactor down and maintain it in a safe condition if access to the control room is lost due to fire or other causes. Design Conformance The control room is located at grade level in the service building.
Safety-related switchgear, motor-generator sets, auxiliary instrument areas, battery rooms, and communications equipment are located in the basement of the service building.
Sufficient shielding, distance, and containment integrity are provided to ensure that under postulated accident conditions during occupancy of the control room, control room personnel shall not be subjected to doses that, in the aggregate, would exceed the limits in 10 CFR 50.67. Emergency air-conditioning equipment is provided within the envelope of the shielded control room and associated portions of the basement, collectively called the control and relay room area. The control room is provided with the switchyard control panel, electrical recording panels, dc distribution panels, and a control panel for the operation of the diesel-generator system. The control panels contain those instruments and controls necessary for the operation of station and unit systems such as the reactor and its auxiliary systems, the turbine generator, and the steam and power conversion systems. Loading from the various station electrical distribution boards, such as the start-up boards, shutdown boards, and motor control centers, is accomplished from the station control panels. The control room is common to the two units and is continuously occupied by qualified operating personnel under all operating and accident conditions.
In the event that access to the control room is restricted, either local control stations or the manual operation of critical components within the main control area can be used to effect hot shutdown from outside the control room.
* Engineered Safety Features Basis for Design (Criterion 37 - draft) Engineered safety features shall be provided in the facility to back up the safety provided by the core design, the reactor coolant pressure boundary, and their protection systems. As a minimum, such engineered safety features shall be designed to cope with any size reactor coolant pressure boundary break up to and including the circumferential rupture of any pipe in that boundary assuming unobstructed discharge from both ends. Design Conformance Engineered safeguards are provided in the facility to back up the safety provided by the design of the core, the reactor coolant pressure boundary, and their protection systems. Engineered safeguards are provided to cope with any size reactor coolant pipe break up to and including the circumferential rupture of any pipe in that boundary and an unobstructed discharge from both ends, and to separately cope with any steam or feedwater line break. Limiting the release of fission products from the reactor fuel is accomplished by the SI System, which, by cooling the core, keeps the fuel in place and substantially intact and significantly limits the metal-water reaction.
* Reliability and Testability of Engineered Safety Features (Criterion 38 - draft) All engineered safety features shall be designed to provide high functional reliability and ready testability.
In determining the suitability of a facility for a proposed site, the degree of reliance upon and acceptance of the inherent and engineered safety afforded by the systems, including engineered safety features, will be influenced by the known and the demonstrated performance capability and reliability of the systems, and by the extent to which the operability of such systems can be tested and inspected where appropriate during the life of the plant.
Design Conformance Engineered safeguards are designed to provide such functional reliability and ready testability as is necessary to avoid undue risk to the health and safety of the public. A comprehensive program of testing has been formulated for equipment, systems, and system controls vital to the functioning of engineered safeguards.
The program consists of performance tests of individual pieces of equipment in the manufacturer's shop, integrated tests of the system as a whole, and periodic tests of the activation circuitry and mechanical components to ensure reliable performance, upon demand, throughout the unit lifetime.
Design provisions are made so that components of the SI System can be tested periodically for operability and functional performance.
The engineered safeguards components are checked periodically and routinely.
In the event that one of the components requires maintenance as a result of failure to perform according to prescribed limits during the test, the necessary corrections or minor maintenance are accomplished and the component is retested immediately.
* Engineered Safety Features Performance Capability (Criterion 41 -draft) Engineered safety features, such as emergency core cooling and containment heat removal systems, shall provide sufficient performance capability to accommodate partial loss of installed capacity and still fulfill the required safety function.
As a minimum, each engineered safety feature shall provide this required safety function assuming a failure of a single active component.
Design Conformance Engineered safeguards, such as the SI System and the containment heat removal system, provide sufficient performance capability to accommodate the failure of any single active component without any undue risk to the health and safety of the public. The overall capability of the engineered safeguards meets the suggested requirements of 10 CFR 50.67 or RG 1.183, as applicable, for the occurrence of any rupture of a reactor coolant or Main Steam System pipe, including the double-ended rupture of a reactor coolant pipe, known as the design-basis accident.
* Emergency Core Cooling Systems Capability (Criterion 44 -draft) At least two emergency core cooling systems, preferably of different design principles, each with a capability for accomplishing abundant emergency core cooling, shall be provided.
Each emergency core cooling system and the core shall be designed to prevent fuel and clad damage that would interfere with the emergency core cooling function and to limit the clad metal-water reaction to negligible amounts for all sizes of breaks in the reactor coolant pressure boundary, including the double-ended rupture of the largest pipe. The performance of each emergency core cooling system shall be evaluated conservatively in each area of uncertainty.
Design Conformance The SI System employs a passive system of accumulators that do not require any external signals or source of power for their operation to cope with the short-term cooling requirements of a large reactor coolant pipe break. The HHSI and the Low Head SI (LHSI) Systems, each capable of supplying the required emergency cooling, are also provided for small-break protection and to keep the core submerged after the accumulators have discharged following a large break. These systems are arranged so that the single failure of any active component does not interfere with meeting the short-term cooling requirements.
The HHSI and LHSI Systems are each capable of fulfilling long-term cooling requirements.
The failure of any single active component or the development of excessive leakage during the long-term cooling period does not interfere with the ability to meet necessary long-term cooling objectives with one of the systems. The primary purpose of the SI System is to automatically deliver cooling water to the reactor core in the event of a LOCA. This limits the fuel clad temperature and thereby ensures that the core remains intact and in place with its essential heat transfer geometry preserved.
This protection is afforded for: all pipe break sizes up to and including the hypothetical instantaneous circumferential rupture of a reactor coolant loop, assuming unobstructed discharge from both ends; a loss of coolant associated with the rod ejection accident; and a steam generator tube rupture.
* Inspection of Emergency Core Cooling Systems (Criterion 45 -draft) Design provisions shall be made to facilitate physical inspection of all critical parts of the emergency core cooling systems, including reactor vessel internals and water injection nozzles. Design Conformance Design provisions are made for the inspection of components of the SI System to the extent practical.
An inspection is performed periodically to demonstrate system readiness.
The pressure containment boundaries can be inspected for leaks from pump seals, valve packing, flanged joints, and safety valves during system testing. In addition, critical parts of the reactor vessel internals, injection nozzles, pipes, valves, and SI pumps can be inspected visually or by boroscopic examination for evidence of erosion, corrosion, and vibration wear, and non-destructive tests can be performed where such techniques are desirable, practical, and appropriate.
* Testing of Emergency Core Cooling Systems (Criterion 47 -draft) A capability shall be provided to test periodically the delivery capability of the emergency core cooling systems at a location as close to the core as is practical.
Design Conformance Design provisions include special instrumentation, testing, and sampling lines to perform the tests, and unit shutdown to demonstrate the proper automatic operation of the SI System. A test signal is supplied to initiate automatic action. The test demonstrates the operation of the valves, pump circuit breakers, and automatic circuitry.
In addition, other tests are performed periodically to verify that the SI pumps attain required discharge heads. Quality Assurance Quality assurance criteria provided in 10 CFR Part 50, Appendix B, applicable to the subject systems include: Criteria III, V, XI, XVI, and XVII. Criteria III and V require measures to ensure that applicable regulatory requirements and the design basis, as defined in 10 CFR 50.2, "Definitions," and as specified in the license application, are correctly translated into controlled specifications, drawings, procedures, and instructions.
Criterion XI requires a test program to ensure that the subject systems will perform satisfactorily in service and requires that test results shall be documented and evaluated to ensure that test requirements have been satisfied.
Criterion XVI requires measures to ensure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and nonconformances, are promptly identified and corrected, and that significant conditions adverse to quality are documented and reported to management.
Criterion XVII requires maintenance of records of activities affecting quality.
===4.2 NUREG-1431, Standard Technical Specifications - Westinghouse Plants===
The proposed change was compared to similar requirements in TS 3.7.8, Service Water System (SWS) in NUREG-1431, Standard Technical Specifications - Westinghouse Plants. It was determined that the proposed change for the CPSW subsystem is consistent with the 72-hour completion time for restoration of one inoperable SWS train to operable status in NUREG-1431.
===4.3 No Significant Hazards Consideration===
The proposed change revises Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning (AC) subsystem. TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable.
Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps; the proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.
A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.
The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements were included in the Surry TS to allow cleaning, inspection, repair, and recoating of the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. These requirements have expired and are no longer necessary. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The TS 3.14 Basis deletion is provided to the NRC for information.
Dominion has evaluated whether a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of amendment," as discussed below:
: 1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?
Response: No.
The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps; the proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The design function of the CPSW system, which is to provide cooling to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers, is not impacted by the proposed revision, nor is the design function of the Charging/HHSI pumps impacted. Furthermore, the design functions of the MCR/ESGR AC subsystem and the MCR/ESGR chillers are not impacted by the proposed revision. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. The deletion of these temporary requirements is administrative in nature. As a result, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.
: 2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?
Response: No.
The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. The proposed change does not involve a physical alteration of the plant (i.e., no new or different type of equipment will be installed) and does not impact plant operation. Furthermore, the proposed change does not impose any new or different requirements that could initiate an accident. The proposed change does not alter assumptions made in the safety analysis and is consistent with the safety analysis assumptions. Therefore, the proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.
: 3. Does the proposed change involve a significant reduction in a margin of safety?
Response: No.
The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The proposed change does not adversely affect any current plant safety margins or the reliability of the equipment assumed in the safety analysis. There are no changes being made to any safety analysis assumptions, safety limits, or limiting safety system settings that would adversely affect plant safety as a result of the proposed change. Furthermore, as noted above, a supporting PRA was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the RG 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours.
In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. The deletion of these temporary requirements is administrative in nature. Therefore, the proposed change does not involve a significant reduction in a margin of safety.
Based on the above, Dominion concludes that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of "no significant hazards consideration" is justified.


===5.0 PROBABILISTIC RISK ASSESSMENT===
===5.1 Purpose===
The purpose of this assessment is to utilize the Surry PRA to evaluate the impact on Core Damage Frequency (CDF) and Large, Early Release Frequency (LERF) for the CPSW and MCR/ESGR AC subsystems flow path AOT extensions. Using guidance from RG 1.174 and RG 1.177, this assessment evaluates the risk of changing Surry TS 3.14.C to allow a single service water flow path to be available to the CPSW subsystem and to the MCR/ESGR AC subsystem for up to 72 hours.
===5.2 Introduction===
The S007Aa PRA model allows analysis of the conditional risk at Surry Power Station when one or more SW flow paths to safety-related loads in the MERs are unavailable utilizing a detailed probabilistic assessment of risk from internal events and internal flooding hazards at power. This risk evaluation will be supplemented with qualitative insights to assess the fire, seismic, shutdown and other external risks.
RG 1.177 identifies a three-tiered approach for licensees to evaluate the risk associated with proposed TS Configuration Time (CT) changes. Tier 1 is an evaluation of the impact on plant risk of the proposed TS change as expressed by the change in core damage frequency (ΔCDF), the incremental conditional core damage probability (ICCDP), the change in large early release frequency (ΔLERF), and the incremental conditional large early release probability (ICLERP). Tier 2 is an identification of potentially high-risk configurations that could exist if equipment, in addition to that associated with the change, were to be taken out of service simultaneously or other risk-significant operational factors, such as concurrent system or equipment testing were also involved. The objective of this part of the evaluation is to ensure that appropriate restrictions on dominant risk-significant configurations associated with the change are in place. Tier 3 is the establishment of an overall configuration risk management program (CRMP) to ensure that other potentially lower probability, but nonetheless risk-significant, configurations resulting from maintenance and other operational activities are identified and compensated for.
Figure 3 in Section 3.1 above shows the SW supply to the CPSW and the MCR/ESGR AC subsystems. The SW flow paths in the MERs support both the CPSW subsystems and the MCR/ESGR AC subsystems. The MER flow paths include several interconnected and redundant trains, gravity fed from the Intake Canal. Originating at the Intake Canal, there are three 8-inch SW supply headers. Each header takes its supply from a 96-inch condenser inlet line, and the connection is upstream of the condenser isolation valves. The three 8-inch headers supply two 6-inch headers. The 6-inch supply headers are 100% redundant (i.e., one header can supply 100% of the required SW flow). The SW supply headers are normally cross-connected in MER-3 and MER-4 via the 1-SW-263 valve. This valve is closed during a fire in related equipment areas in accordance with the 10 CFR 50 Appendix R fire protection program.
Two motor operated strainers are normally in service on each of the 6-inch SW supply headers. Each strainer is supplied with a back wash from the discharge of the control room chiller service water pumps. For the following analysis and discussion, SW flow through 1-VS-S-1A is referred to as the "A SW Header" and SW flow through 1-VS-S-1B is referred to as the "B SW Header".
The CPSW system is credited in Surry's PRA as a support system for HHSI. The CPSW system supplies SW flow to the charging pump intermediate seal coolers and lube oil coolers. Heat from the lube oil cooler is transferred to the CPSW subsystem.
The seal coolers reject their heat to a dedicated closed-loop subsystem of the CC System (i.e., the Charging Pump Component Cooling Water System). Heat from this system and the lube oil coolers is transferred to the CPSW subsystem.
Downstream of the 6-inch SW supply headers are two CPSW pump trains for each unit (four total). Each pump train can provide 100% required flow for its unit, so there is 100% redundancy for each unit. The CPSW pump trains can be cross-connected via tie lines that are normally isolated. Hence, the Unit 2 CPSW pumps can be aligned to cool Unit 1 charging pump lube oil coolers and vice versa; this alignment is not automatic and requires local operation. One CPSW pump per unit is normally running and the other is in standby. The standby CPSW pump will auto start on low discharge pressure for the running pump.
The output of either pump can feed the three charging pump lube oil coolers for one unit. The charging pump lube oil cooler outlet control valves are actuated automatically when the charging pump is running. No operator actions are required to start or control CPSW flow to a specific lube oil cooler. The CPSW lube oil cooler discharge flow is directed to the discharge tunnel via a single pipe. The success criterion for the CPSW system to service its required loads is: one CPSW pump available, taking suction from at least one available 6-inch SW header.
Five chillers are installed in the MERs. The condenser water pump for the chillers takes suction from the SW supply line, pumps it through the chiller condenser, and returns it to the CW System. Three chillers (A/B/C) are in MER-3 downstream of the rotating strainers; two chillers (D/E) are in MER-5 upstream of the rotating strainers and downstream of a duplex strainer. These units provide chilled water that circulates through air handlers to remove heat from the atmosphere in the MCR, emergency switchgear rooms, and relay rooms. Air conditioning of these areas prevents electrical equipment from overheating and supports control room habitability during design basis accidents. During normal plant operation one or two chillers may be operating depending on SW temperatures. During an emergency, the 1/2-E-O procedure verifies that one control room chiller is operating, with a results not obtained step to start required equipment within 1 hour in accordance with O-OP-VS-006. The Surry PRA models the ESGR HVAC as a support system for the emergency electrical power systems, 4160 V, 480 V, 125 VAC, and 120 VDC.
In order to satisfy TS 3.14.A.5 and 3.14.A.7 at least two independent SW flow paths must be available to supply MER loads. This risk assessment analyzes conditional risk with only one SW flow path to the MERs.
===5.3 Analysis Inputs===
The following inputs are used for this assessment:
The seal coolers reject their heat to a dedicated closed-loop subsystem of the CC System (i.e., the Charging Pump Component Cooling Water System). Heat from this system and the lube oil coolers is transferred to the CPSW subsystem.
Downstream of the 6-inch SW supply headers are two CPSW pump trains for each unit (four total). Each pump traih can provide 100% required flow for its unit, so there is 100% redundancy for each unit. The CPSW pump trains can be cross-connected via tie lines that are normally isolated.
Hence, the Unit 2 CPSW pumps can be aligned to cool Unit 1 charging pump lube oil coolers and vice versa; this alignment is not automatic and requires local operation.
One CPSW pump per unit is normally running and the other is in The standby CPSW pump will auto start on low discharge pressure for the running pump. The output of either pump can feed the three charging pump lube oil coolers for one unit. The charging pump lube oil cooler outlet control valves are actuated automatically when the charging pump is running. No operator actions are required to start or control CPSW flow to a specific lube oil cooler. The CPSW lube oil cooler discharge flow is directed to the discharge tunnel via a single pipe. The success criterion for the CPSW system to service its required loads is: one CPSW pump available, taking suction from at least one available 6-inch SW header. Five chillers are installed in the MERs. The condenser water pump for ttie chillers takes suction from the SW supply line, pumps it through the chiller condenser, and returns it to the CW System. Three chillers (A/B/C) are in MER-3 downstream of the rotating Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 18 of 36 strainers; two chillers (D/E) are in MER-5 upstream of the rotating strainers and downstream of a duplex strainer.
These units provide chilled water that circulates through air handlers to remove heat from the atmosphere in the MCR, emergency switchgear rooms, and relay rooms. Air conditioning of these areas prevents electrical equipment from overheating and supports control room habitability during design basis . accidents.
During normal plant operation one or two chillers may be operating depending on SW temperatures.
During an emergency, the 1/2-E-O procedure verifies that one control room chiller is operating, with a results not obtained step to start required equipment within 1 hour in accordance with O-OP-VS..:006.
The Surry PRA models the ESGR HVAC as a support system for the emergency electrical power systems, 4160 V, 480 V, 125 VAC, and 120 VDC. In order to satisfy TS 3.14.A.5 and .3.14.A.7 at least two independent SW flow paths must be available to supply MER loads. This risk assessment analyzes conditional risk with only one SW flow path to the MERs .. 5.3 Analysis Inputs The following inputs are used for this assessment:
* Surry Average Maintenance PRA model S007Aa,
* Surry Average Maintenance PRA model S007Aa,
* RG 1.174,
* RG 1.174,
* RG 1.177, and
* RG 1.177, and
* CAFTA code suite. Risk Impact Evaluation The NRC staff has identified a three-tiered approach in RG 1.177 for licensees to evaluate the risk associated with proposed TS Completion Time {CT) changes. The following sections document the three tiered evaluation for CPSW and MCR/ESGR.
* CAFTA code suite.
AC . subsystems flow path AOT extensions.
Risk Impact Evaluation The NRC staff has identified a three-tiered approach in RG 1.177 for licensees to evaluate the risk associated with proposed TS Completion Time {CT) changes. The following sections document the three tiered evaluation for CPSW and MCR/ESGR. AC
. subsystems flow path AOT extensions.
RG 1.177 PRA Quality Evaluation RG 1.177 contains the following discussion of PRA Technical Adequacy:
RG 1.177 PRA Quality Evaluation RG 1.177 contains the following discussion of PRA Technical Adequacy:
The technical adequacy of the PRA must be compatible with the safety implications of the TS change being requested and the role that the PRA plays in justifying that change. That is, the more the potential change in risk or the greater the uncertainty in that risk from the requested TS change, or both, the more rigor that must go into ensuring the technical adequacy of the PRA. This applies to Tier 1 (above), and it also applies to Tier 2 and Tier 3 to the extent that a PRA model is used.
The technical adequacy of the PRA must be compatible with the safety implications of the TS change being requested and the role that the PRA plays in justifying that change. That is, the more the potential change in risk or the greater the uncertainty in that risk from the requested TS change, or both, the more rigor that must go into ensuring the technical adequacy of the PRA. This applies to Tier 1 (above), and it also applies to Tier 2 and Tier 3 to the extent that a PRA model is used.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 19 of 36 Regulatory Guide 1.200 describes one acceptable approach for determining whether the technical adequacy of the PRA, in total or the parts that are used to support an application, is sufficient to provide confidence in the results such that the PRA can be used in regulatory decisionmaking for light-water reactors.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 19 of 36 Regulatory Guide 1.200 describes one acceptable approach for determining whether the technical adequacy of the PRA, in total or the parts that are used to support an application, is sufficient to provide confidence in the results such that the PRA can be used in regulatory decisionmaking for light-water reactors.
A detailed discussion and evaluation of PRA quality of the S007 Aa model with respect to this application is provided in Attachment
A detailed discussion and evaluation of PRA quality of the S007Aa model with respect to this application is provided in Attachment 4.
: 4. RG 1.177 Tier 1 Analysis RG 1 :177 contains the following discussion concerning Tier 1 Analysis:
RG 1.177 Tier 1 Analysis RG 1:177 contains the following discussion concerning Tier 1 Analysis:
In Tier 1, the licensee should assess the impact of the proposed TS change on GDF, ICCDP, LERF, and ICLERP. To support this assessment, two aspects need to be considered:
In Tier 1, the licensee should assess the impact of the proposed TS change on GDF, ICCDP, LERF, and ICLERP. To support this assessment, two aspects need to be considered: (1) the validity of the PRA and (2) the PRA insights and findings. The licensee should demonstrate that its PRA is valid for assessing the proposed TS changes and identify the impact of the TS change on plant risk.
(1) the validity of the PRA and (2) the PRA insights and findings.
TS conditions addressed by CTs are entered infrequently and are temp9rary by their very nature. However, TS do not typically restrict the frequency of entry into conditions addressed by* CTs. Therefore, the following TS acceptance guidelines specific to permanent CT changes are provided for evaluating the risk associated with the revised CT, in addition to those acceptance guidelines given in Regulatory Guide 1. 174.
The licensee should demonstrate that its PRA is valid for assessing the proposed TS changes and identify the impact of the TS change on plant risk. TS conditions addressed by CTs are entered infrequently and are temp9rary by their very nature. However, TS do not typically restrict the frequency of entry into conditions addressed by* CTs. Therefore, the following TS acceptance guidelines specific to permanent CT changes are provided for evaluating the risk associated with the revised CT, in addition to those acceptance guidelines given in Regulatory Guide 1. 17 4. The licensee has demonstrated that the TS CT change has only a small quantitative impact on plant risk. An /CCDP of less than 1.0x10-6 and an ICLERP of less than 1. Ox10-7 are considered small fOr a single TS condition entry. (Tier 1 }. RG 1.17 4 Acceptance Criteria are as follows:
The licensee has demonstrated that the TS CT change has only a small quantitative impact on plant risk. An /CCDP of less than 1.0x10-6 and an ICLERP of less than
: 1. Ox10-7 are considered small fOr a single TS condition entry. (Tier 1}.
RG 1.174 Acceptance Criteria are as follows:
* When the calculated increase in GDF is very small, which is taken as being less than 10-6 per reactor year, the change will be considered regardless of whether there is a calculation of the total GDF (Region Ill).
* When the calculated increase in GDF is very small, which is taken as being less than 10-6 per reactor year, the change will be considered regardless of whether there is a calculation of the total GDF (Region Ill).
* When the calculated increase in GDF is in the range of 10-6 per reactor year to 10-5 per reactor year, applications will be considered only if it can be* reasonably shown that the total GDF is less than 10-4 per reactor year (Region II).
* When the calculated increase in GDF is in the range of 10-6 per reactor year to 10-5 per reactor year, applications will be considered only if it can be* reasonably shown that the total GDF is less than 10-4 per reactor year (Region II).
* Applications that result in increases to GDF above 10-5 per reactor year (Region I) would not normally be considered.
* Applications that result in increases to GDF above 10-5 per reactor year (Region I) would not normally be considered.
Acceptance criteria for LERF are structured similarly at an order of magnitude less (1 E-7, etc.). Tier 1 Analysis Assumptions
Acceptance criteria for LERF are structured similarly at an order of magnitude less (1 E-7, etc.).
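Review bot: The quoted RG 1.177 and RG 1.174 passages still read "GDF" in both revisions, although the assessment defines Core Damage Frequency as "CDF" at the top of this section, so the scan's C/G confusion was not corrected. The same quotations also keep "temp9rary", "/CCDP", "1. Ox10-7", "fOr" and "Region Ill". Suggest correcting these to "CDF", "temporary", "ICCDP", "1.0x10-7", "for" and "Region III" in the later revision. As it stands, that revision only rejoins "1.17 4" into "1. 174" and re-breaks the lines.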
* The PRA model S007 Aa is valid for performing this assessment.
Tier 1 Analysis Assumptions
.. Ser ial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 20 of 36
* The PRA model S007Aa is valid for performing this assessment.
* For the purposes of calculations, this assessment assumes the MER SW headers will accumulate 15 days of unavailable configuration time every year as a result of the proposed change. This is a conservative assumption based on Surry's Operating Experience for CPSW headers and the desired maintenance strategy for Surry.
 
* This analysis assumes that if only one SW flow path to MER loads is available, SW is being supplied to the MER SW loads from one CW inlet , to one 8-inch SW supply header, to one 6-inch SW header, through one rotating strainer. This is a conservative assumption.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1
Tier 1 Analysis Results MER SW header maintenance is explicitly modeled in the average maintenance model S007Aa. Therefore, a and for the proposed change to AOTs for MER SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem may be directly calculated from the model by comparing CDF results with increased unavailability on MER headers (refer to second bulleted assumption).
.                                                                                    Page 20 of 36
Incremental core damage and large early release probabilities for a single 72-hour period are also calculated.
* For the purposes of ~CDF/~LERF calculations, this assessment assumes the MER SW headers will accumulate 15 days of unavailable configuration time every year as a result of the proposed change. This is a conservative assumption based on Surry's Operating Experience for CPSW headers and the desired maintenance strategy for Surry.
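Review bot: The restored terms in this bullet and in the Tier 1 results paragraph are written "~CDF" and "~LERF", which reads as "approximately" rather than as a change in CDF or LERF. The earlier copy dropped them entirely ("For the purposes of calculations", "a and for the proposed change"), so restoring them is right. The surrounding text speaks of the "change in core damage frequency" and of "delta risk", so suggest writing them as "ΔCDF" and "ΔLERF". The Table 1 headings "ACDF" and "ALE RF" should be made to match.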
The MER headers supply SW to safety-related loads at both Surry units; therefore, risk at both units is explicitly analyzed.
* This analysis assumes that if only one SW flow path to MER loads is available, SW is being supplied to the MER SW loads from one CW inlet, to one 8-inch SW supply header, to one 6-inch SW header, through one rotating strainer. This is a conservative assumption.
Results are as follows: Table 1: RG 1.177Tier1 Analysis Results RG 1.177 RG 1.177 15 Day Header U1 U2 ACDF U1 U2 ALE RF Unavailability ACDF ACDF Criteria ALE RF ALE RF Criteria 9.20E-1.05E-A SW Header 08 07 1.00E-06 3.02E-08 4.23E-08 1.00E-07 8.29E-1.25E-B SW Header 08 08 1.00E-06 6.47E-08 5.61E-09 1.00E-07 RG 1.177 RG 1.177 Single 72hr TS U1 U2 ICCDP U1 U2 IC LE RP entry ICCDP ICCDP Criteria ICLERP IC LE RP Criteria 1.84E-2.09E-A SW Header 08 08 1.00E-06 6.03E-09 8.46E-09 1.00E-07 1.66E-2.50E-B SW Header 08 09 1.00E-06 1.29E-08 1.12E-09 1.00E-07 Note: These risk metrics are simultaneously applicable to both TS 3.14.A.5 and TS 3.14.A. 7 for CPSW and MCR/ESGR SW supplies, respectively The tightest margin to RG 1.177 acceptance criteria is on Unit 1 LERF with "B" SW header out of service for 15 days over one year. Cutsets for these configurations were reviewed and are discussed in detail below.
Tier 1 Analysis Results MER SW header maintenance is explicitly modeled in the average maintenance model S007Aa. Therefore, a ~CDF and ~LERF for the proposed change to AOTs for MER SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem may be directly calculated from the model by comparing CDF results with increased unavailability on MER headers (refer to second bulleted assumption). Incremental core damage and large early release probabilities for a single 72-hour period are also calculated. The MER headers supply SW to safety-related loads at both Surry units; therefore, risk at both units is explicitly analyzed. Results are as follows:
Table 1: RG 1.177Tier1 Analysis Results RG 1.177                               RG 1.177 15 Day Header       U1         U2         ACDF           U1         U2         ALE RF Unavailability     ACDF       ACDF         Criteria     ALE RF     ALE RF       Criteria 9.20E-     1.05E-A SW Header         08         07       1.00E-06     3.02E-08   4.23E-08       1.00E-07 8.29E-     1.25E-B SW Header         08         08       1.00E-06     6.47E-08   5.61E-09       1.00E-07 RG 1.177                               RG 1.177 Single 72hr TS       U1         U2         ICCDP           U1         U2         IC LE RP entry       ICCDP       ICCDP         Criteria     ICLERP     IC LE RP     Criteria 1.84E-     2.09E-A SW Header         08         08       1.00E-06     6.03E-09 8.46E-09         1.00E-07 1.66E-     2.50E-B SW Header         08         09       1.00E-06     1.29E-08 1.12E-09         1.00E-07 Note: These risk metrics are simultaneously applicable to both TS 3.14.A.5 and TS 3.14.A. 7 for CPSW and MCR/ESGR SW supplies, respectively The tightest margin to RG 1.177 acceptance criteria is on Unit 1 LERF with "B" SW header out of service for 15 days over one year. Cutsets for these configurations were reviewed and are discussed in detail below.
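Review bot: Table 1 is still flattened into running text in both revisions, with only the whitespace changed. The exponents of the first two columns are split from their mantissas and fused with the row label ("9.20E- 1.05E-A SW Header 08 07"), and the headings are garbled ("ALE RF", "IC LE RP", "RG 1.177Tier1"). Suggest rebuilding it as two wiki tables, one for 15-day header unavailability and one for a single 72-hour TS entry. Each would have rows for the A and B SW Headers and columns for the U1 value, the U2 value and the RG 1.177 criterion for each metric. The trailing note on TS 3.14.A.5 and TS 3.14.A.7 and the "tightest margin" sentence should sit outside the table as separate paragraphs.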
 
Serial No. 16-180
Serial No. 16-180
* Docket Nos. 50-280/281 Attachment 1 Page 21of36 An engineering GOTHIC calculation establishes that the ESGR does not require chiller operation during the PRA mission time of 24 hours, as long as one of the ESGR air handling units (per unit) is operating, and there is not a initiating event which requires SI, which may have higher heat loads than assumed in this engineering calculation.
* Docket Nos. 50-280/281 Attachment 1 Page 21of36 An engineering GOTHIC calculation establishes that the ESGR does not require chiller operation during the PRA mission time of 24 hours, as long as one of the ESGR air handling units (per unit) is operating, and there is not a initiating event which requires SI, which may have higher heat loads than assumed in this engineering calculation.
During normal operating conditions, a total loss of chilled water can be successfully mitigated by control room evacuation and shutdown from the remote shutdown panels in conjunction with performance of contingency actions of O-AP-13.02 (opening doors, temporary cooling etc.). These actions have been shown by GOTHIC calculations to substantially improve environmental conditions in the ESGR in loss of chilled water events. If SI is required to mitigate an event, then a subsequent loss of chilled water is assumed to fail ESGR HVAC, and no recovery is possible.
During normal operating conditions, a total loss of chilled water can be successfully mitigated by control room evacuation and shutdown from the remote shutdown panels in conjunction with performance of contingency actions of O-AP-13.02 (opening doors, temporary cooling etc.). These actions have been shown by GOTHIC calculations to substantially improve environmental conditions in the ESGR in loss of chilled water events. If SI is required to mitigate an event, then a subsequent loss of chilled water is assumed to fail ESGR HVAC, and no recovery is possible. In these sequences, the loss of ESGR HVAC is modeled as a Station Blackout (SBO).
In these sequences, the loss of ESGR HVAC is modeled as a Station Blackout (SBO). In a configuration with only one SW flow path available to the MCR/ESGR chillers, accident sequences that require SI to successfully avoid core damage such as SLOCA and SGTR become elevated in the PRA. These sequences involve failure of the in-service SW flow path, upstream of D/E chiller suction in MER 5. Since this flow path is gravity fed, its primary failure mode is via obstruction (plugging).
In a configuration with only one SW flow path available to the MCR/ESGR chillers, accident sequences that require SI to successfully avoid core damage such as SLOCA and SGTR become elevated in the PRA. These sequences involve failure of the in-service SW flow path, upstream of D/E chiller suction in MER 5. Since this flow path is gravity fed, its primary failure mode is via obstruction (plugging). S007Aa has identified that the most probable means of rendering the sole SW flow path unavailable is obstruction of CW intake/traveling water screens at the high level intake structure.
S007Aa has identified that the most probable means of rendering the sole SW flow path unavailable is obstruction of CW intake/traveling water screens at the high level intake structure.
The PRA has assigned a probability of 8E-5 that CW obstruction would occur during the 24-hour mission time following an initiating event. A SGTR event that involves SBO caused by loss of ESGR HVAC is considered a Large Early Release by S007Aa.
The PRA has assigned a probability of 8E-5 that CW obstruction would occur during the 24-hour mission time following an initiating event. A SGTR event that involves SBO caused by loss of ESGR HVAC is considered a Large Early Release by S007Aa. In a configuration with one CPSW header isolated, cutsets that involve failure of the second CPSW header become elevated in the PRA. Loss of the second SW header renders HHSI unavailable, which is important to CDF for SLOCA and SGTR sequences.
In a configuration with one CPSW header isolated, cutsets that involve failure of the second CPSW header become elevated in the PRA. Loss of the second SW header renders HHSI unavailable, which is important to CDF for SLOCA and SGTR sequences.
In SLOCA with HHSI failure, operators must successfully cooldown and depressurize the RCS and then place the RCS on Low Head Recirculation.
In SLOCA with HHSI failure, operators must successfully cooldown and depressurize the RCS and then place the RCS on Low Head Recirculation. For SGTR with HHSI failure, isolation of the ruptured SG becomes important to mitigate the event. The dominant failure mode for CPSW flow paths is obstruction of the rotating strainers 1-VS-S-1 A/B. Bypass SW flow paths around the rotating strainers are not credited *in the PRA model. The S007Aa model assesses the probability that the in-service rotating strainer would fail via plugging during a 24-hour mission time following an initiating
For SGTR with HHSI failure, isolation of the ruptured SG becomes important to mitigate the event. The dominant failure mode for CPSW flow paths is obstruction of the rotating strainers S-1 A/B. Bypass SW flow paths around the rotating strainers are not credited *in the PRA model. The S007 Aa model assesses the probability that the in-service rotating strainer would fail via plugging during a 24-hour mission time following an initiating
* event to be approximately 1.5E-4.
* event to be approximately 1.5E-4. Another potential failure mode for the in-service SW header is a loss of power to the in-service rotating strainer.
Another potential failure mode for the in-service SW header is a loss of power to the in-service rotating strainer. The 8007Aa model has a 480V Emergency Power dependency modeled for the rotating strainers 1-VS-S-1A/B. It is assumed that loss of power to a rotating strainer will cause the strainer to become obstructed within the mission time. Bypass SW flow paths around the rotating strainers are not credited in the PRA model. The electric power dependency in the model is creating asymmetric SGTR delta risk results across the two units and two headers. In a configuration with one CPSW header out of service, the model has identified that a catastrophic failure (fault or other de-energization sequence via LOOP) of a single emergency bus could
The 8007 Aa model has a 480V Emergency Power dependency modeled for the rotating strainers 1-VS-S-1A/B.
 
It is assumed that loss of power to a rotating strainer will cause the strainer to become obstructed within the mission time. Bypass SW flow paths around the rotating strainers are not credited in the PRA model. The electric power dependency in the model is creating asymmetric SGTR delta risk results across the two units and two headers. In a configuration with one CPSW header out of service, the model has identified that a catastrophic failure (fault or other de-energization sequence via LOOP) of a single emergency bus could Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 22 of 36 disable HHSI via the in-service rotating strainer and also the SG isolation safety function via 480V EP dependency for SG Isolation MOVs. This is also a significant LERF sequence for this configuration, as SGTR with failure of HHSI and SG isolation is considered Large Early Release in S007 Aa. The following are known conservatisms in this analysis that give very high confidence that the proposed change meets Tier 1 acceptance criteria with high margin:
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 22 of 36 disable HHSI via the in-service rotating strainer and also the SG isolation safety function via 480V EP dependency for SG Isolation MOVs. This is also a significant LERF sequence for this configuration, as SGTR with failure of HHSI and SG isolation is considered Large Early Release in S007Aa.
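Review bot: The sentence ending "failure ... of a single emergency bus could" is still cut off from its continuation "disable HHSI via the in-service rotating strainer ..." by the running page header "Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 22 of 36". The later revision moves the header to the start of a new line but leaves the sentence split across two paragraphs. Suggest rejoining the sentence and keeping the page header on its own line outside the body text, here and at the Page 18 through Page 23 breaks.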
* No credit in the PRA model is given for placing a second or third SW header in service in accordance with O-AP-12, Attachment
The following are known conservatisms in this analysis that give very high confidence that the proposed change meets Tier 1 acceptance criteria with high margin:
: 1. Some SW crosstie flow paths (such as the 2A Header) may be available or recoverable during maintenance configurations where TS 3.14.A.5 and TS 3.14.A.7 are not considered met. These flow paths could be used to bypass an ob.structed CW intake.
* No credit in the PRA model is given for placing a second or third SW header in service in accordance with O-AP-12, Attachment 1. Some SW crosstie flow paths (such as the 2A Header) may be available or recoverable during maintenance configurations where TS 3.14.A.5 and TS 3.14.A.7 are not considered met. These flow paths could be used to bypass an ob.structed CW intake.
* No credit in the PRA model is given for manual operator action to bypass an obstructed rotating strainer by placing the duplex strainer 1-SW-S-10 in service in accordance with O-AP-12.
* No credit in the PRA model is given for manual operator action to bypass an obstructed rotating strainer by placing the duplex strainer 1-SW-S-10 in service in accordance with O-AP-12.
* No credit in the PRA model is given for operator action in accordance with the EOPs to cooldown and depressurize the RCS in SGTR scenarios where Auxiliary Feedwater (AFW) is successful but HHSI fails. Human Reliability Analysis for this credit is under development and stations, such as North Anna which is similar to Surry, have this operator action credited with a Human Event Probabi.lity (HEP).
* No credit in the PRA model is given for operator action in accordance with the EOPs to cooldown and depressurize the RCS in SGTR scenarios where Auxiliary Feedwater (AFW) is successful but HHSI fails. Human Reliability Analysis for this credit is under development and stations, such as North Anna which is similar to Surry, have this operator action credited with a Human Event Probabi.lity (HEP).
* The 8007 Aa models an electric power dependency for rotating strainers 1-VS-S-1A/B.
* The 8007Aa models an electric power dependency for rotating strainers 1-VS-S-1A/B. It is modeled in the internal events PRA that the strainers will become obstructed If not rotating (Probability=1). Actual strainer behavior with no rotation during accident sequences is uncertain. It is unlikely (Probability<1) that the strainer will become obstructed in a 24-hour mission time if not rotating since debris must be present in order for the strainer to become obstructed.
It is modeled in the internal events PRA that the strainers will become obstructed If not rotating (Probability=1).
The results of this analysis indicate that the potential increase in core damage risk due to the proposed change is very small and satisfies the Region 111 criteria of RG 1.177 Tier 1 analysis. [Refer to Table 1, above.]
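Review bot: The PRA model name appears as "8007Aa" in the rotating strainer paragraphs and the last conservatism bullet, while every other occurrence in this section is "S007Aa" (or "S007 Aa" in the earlier copy). The closing sentence has "Region 111" where the acceptance criteria list names the regions with Roman numerals. Both look like digit-for-letter scan errors that the later revision carried over. Suggest "S007Aa" and "Region III". The same bullets also contain "Probabi.lity", "ob.structed" and "If not rotating", which should be cleaned up in the same pass.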
Actual strainer behavior with no rotation during accident sequences is uncertain.
Shutdown Risk Evaluation In cases where there is no probabilistic shutdown PRA model available for evaluating the risk impact of a proposed change, as is currently the case with the Surry PRA, a qualitative evaluation process may be applied to assess shutdown risk. In general, this approach involves determining whether or not the proposed change affects functions that are credited in OU-AA-200, Shutdown Risk Management, and then considering what impacts the application may have on shutdown defense-in-depth, in particular the following shutdown plant key safety functions: Decay Heat Removal, RCS/Spent Fuel Pool (SFP) Inventory Control, Reactivity Control, Electrical Power, SFP Cooling and Containment Integrity.
It is unlikely (Probability<1) that the strainer will become obstructed in a 24-hour mission time if not rotating since debris must be present in order for the strainer to become obstructed.
 
The results of this analysis indicate that the potential increase in core damage risk due to the proposed change is very small and satisfies the Region 111 criteria of RG 1.177 Tier 1 analysis.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 23 of 36 The CPSW system supports HHSI pumps, which contributes to the RCS/SFP inventory control and reactivity control shutdown key safety functions. During plant shutdown, the LHSI System provides the primary source for RCS inventory control/make-up. The HHSI System provides additional defense-in-depth for inventory/reactivity control.
[Refer to Table 1, above.] Shutdown Risk Evaluation In cases where there is no probabilistic shutdown PRA model available for evaluating the risk impact of a proposed change, as is currently the case with the Surry PRA, a qualitative evaluation process may be applied to assess shutdown risk. In general, this approach involves determining whether or not the proposed change affects functions that are credited in OU-AA-200, Shutdown Risk Management, and then considering what impacts the application may have on shutdown defense-in-depth, in particular the following shutdown plant key safety functions:
Therefore, it is concluded that the proposed change has a very small impact on defense-in depth for the associated shutdown Key Safety Functions and shutdown risk.
Decay Heat Removal, RCS/Spent Fuel Pool (SFP) Inventory Control, Reactivity Control, Electrical Power, SFP Cooling and Containment Integrity.
The MCR/ESGR ventilation system does not directly support any of the Shutdown Key safety functions, but it does support control room habitability during a fuel handling accident. The discussion of failure modes in the internal events discussion also applies to shutdown modes; therefore, it is concluded that proposed change has a very small impact on shutdown risk.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 23 of 36 The CPSW system supports HHSI pumps, which contributes to the RCS/SFP inventory control and reactivity control shutdown key safety functions.
It is concluded that the proposed change has negligible impact on shutdown CDF and LERF.
During plant shutdown, the LHSI System provides the primary source for RCS inventory control/make-up.
Internal Fire Hazard Evaluation The Individual Plant Examination for External Events (IPEEE) and the Fire Contingency Action (FCA) procedures are used to evaluate the impact of the AOT change for configurations with only one SW flow path to the CPSW subsystem and the ESGR and MCR chillers on the fire risk since a full-scope fire PRA model has not been developed for Surry. The IPEEE screened out all but four areas as insignificant contributors to the fire CDF. The areas which did not screen out include the Cable Vault and Tunnel (CVT), the Emergency Switchgear Room (ESGR), the Main Control Room (MCR), and the Normal Switchgear Room (NSGR), so these areas are included in the scope of this
The HHSI System provides additional defense-in-depth for inventory/reactivity control. Therefore, it is concluded that the proposed change has a very small impact on defense-in-depth for the associated shutdown Key Safety Functions and shutdown risk. The MCR/ESGR ventilation system does not directly support any of the Shutdown Key safety functions, but it does support control room habitability during a fuel handling accident.
The discussion of failure modes in the internal events discussion also applies to shutdown modes; therefore, it is concluded that the proposed change has a very small impact on shutdown risk. It is concluded that the proposed change has negligible impact on shutdown CDF and LERF.

Internal Fire Hazard Evaluation

The Individual Plant Examination for External Events (IPEEE) and the Fire Contingency Action (FCA) procedures are used to evaluate the impact of the AOT change for configurations with only one SW flow path to the CPSW subsystem and the ESGR and MCR chillers on the fire risk since a full-scope fire PRA model has not been developed for Surry. The IPEEE screened out all but four areas as insignificant contributors to the fire CDF. The areas which did not screen out include the Cable Vault and Tunnel (CVT), the Emergency Switchgear Room (ESGR), the Main Control Room (MCR), and the Normal Switchgear Room (NSGR), so these areas are included in the scope of this analysis.
A review of the Appendix R Report and the IPEEE shows that a fire in two areas, Mechanical Equipment Room 3 (MER 3) and Mechanical Equipment Room 4 (MER 4), may damage multiple CPSW components and the SW supply to the ESGR and MCR chillers.
Unavailability of a SW Header in addition to the fire damage could cause a failure of these subsystems.
 
As a result, MER 3 and MER 4 are included in the scope of this analysis even though they screened out as low risk in the IPEEE. Although a fire in Mechanical Equipment Room 5 (MER 5) may damage two of the five ESGR and MCR chillers, this area is screened out since additional equipment damage is limited and a LOCA is not expected, so the ESGR and MCR chillers are not required during the PRA mission time as discussed in the internal events analysis.
A review of the Appendix R Report indicates that power or control cables for one or more CPSW pumps, Rotating Strainers, or ESGR and MCR chillers may be damaged in each of these areas except the NSGR. Given the defense-in-depth available for these subsystems and the lack of emergency equipment damaged in an NSGR fire, this area is screened out from further evaluation.
An FCA procedure is available for each of the remaining areas to support safe shutdown (SSD) during a limiting fire, which is characterized by the actual or imminent loss of a component that supports the SSD functions monitored in O-AP-48.00.
It is assumed that a fire in these areas which does not cause sufficient damage to enter the respective FCA procedure can be characterized as a general transient and is adequately addressed by the internal events analysis.
The impact of the AOT change on the fire risk is dependent on the exact configuration for which the TS is entered. The fire scenarios on which the proposed change is expected to have the most impact are those in which the fire damages one or more components affecting the SW supply to or redundant equipment for the CPSW subsystem or the ESGR and MCR chillers.
 
The TS 3.14.C action statement could be entered for having two of the three 8" SW supply headers unavailable and/or one of the two 6" SW supply headers unavailable.
If the maintenance configuration only involves two of the 8" headers, the impact on fire risk from the CPSW subsystem is negligible since the remaining 8" line is not susceptible to fire damage. However, this configuration could result in the SW supply to the MER 5 chillers (4D, 4E) being unavailable, which could lead to a loss of ESGR and MCR chillers if a fire damages the remaining in-service equipment.
If the maintenance configuration only involves unavailability of one of the 6" SW headers, fire damage to susceptible components on the opposite 6" SW supply could cause a failure of the entire CPSW subsystem and three of the ESGR and MCR chillers.
Unavailability of the two 8" SW headers supplying the MER 5 chillers in addition to unavailability of one 6" SW header would allow fire damage to the available 6" header to result in a loss of all ESGR and MCR chillers.
In order to bound the consequences of a fire on various possible maintenance configurations of the SW headers, the following analysis considers the impact of unavailability of a 6" SW Header on the CPSW subsystem, and it considers the impact of unavailability of two 8" SW headers and a 6" SW Header on the ESGR and MCR chiller subsystem.
The IPEEE Quantitative Screening models the Rotating Strainers as mechanical strainers that do not require electrical power, and they are assumed to be unaffected by fire damage. Given a loss of power to the strainer, flow through the strainer is not obstructed unless debris causes plugging within the PRA mission time. As a result of the uncertainty associated with the failure rate due to plugging of the Rotating Strainers following a loss of electrical power, the internal events PRA model conservatively assumes this condition leads to a loss of SW flow through the strainer.
 
If the Rotating Strainers are considered susceptible to fire damage, then damage to a Rotating Strainer concurrent with unavailability of the opposite 6" SW Header would cause a loss of CPSW and failure of three chillers.
In order to be consistent with the internal events analysis, this fire analysis will qualitatively investigate the impact of the AOT change on the fire risk conservatively assuming fire damage to the power or control cables for the strainer will result in failure of the SW flow path.

CVTs and ESGRs

Fires in the CVTs and ESGRs cause varying amounts of damage to the CPSW subsystem as described by the Appendix R Report and the IPEEE. The FCA procedures used to achieve SSD for these fire areas include 1-FCA-3.00 and 2-FCA-3.00 for the U1 and U2 CVTs, respectively, and 1-FCA-4.00 and 2-FCA-4.00 for the U1 and U2 ESGRs, respectively.
A fire in the U1 CVT may damage the cables for 1-SW-P-10A and 1-VS-S-1A, and a fire in the U2 CVT will not damage any of the CPSW pumps or strainers.
A fire in the U1 ESGR may damage the cables for both U1 CPSW pumps, and a fire in the U2 ESGR may damage the cables for both U2 CPSW pumps and 1-VS-S-1B. Fire damage in each of these areas may disable Charging for the affected unit. As a result, the fire strategies rely on the opposite unit to provide Inventory Control to the fire-affected unit through the Charging Cross-Tie (CH-XTIE).
 
The additional unavailability of a SW Header due to the AOT extension increases the likelihood of losing all Charging to both units during a fire due to CPSW failure. During a U2 CVT fire or U1 ESGR fire with a SW Header unavailable, random failure of the second SW header or the opposite unit CPSW pumps is needed to cause a loss of Charging.
During a U1 CVT or U2 ESGR fire, power to one of the Rotating Strainers may be damaged by the fire, which would fail one of the SW Headers. If the opposite SW Header is unavailable, a total loss of CPSW would occur. Since no random failures are required in addition to the fire damage and SW Header unavailability, the fire scenarios in the U1 CVT and U2 ESGR are the most limiting of these areas. However, given the likelihood of the SW Header unavailability, which contributes to these potential CPSW failures, the failure to supply Charging to the fire-affected unit is still dominated by the HEP to establish the CH-XTIE between units.
If the Reactor Coolant System (RCS) remains intact, the accident resembles a transient, and the consequences of losing all Charging are minimal since core heat removal can be achieved using Natural Circulation of the RCS with secondary cooling provided by Auxiliary Feedwater (AFW). These conditions are established by actions taken with the FCA procedures.
Spurious operations could affect the High/Low pressure boundary by opening valves and causing a LOCA, but actions taken in the FCA procedures mitigate this potential.
RCS integrity is maintained by isolating the Reactor Head Vents, the Pressurizer PORVs, and Letdown. Isolation switches in the Control Room ensure that these valves will not be reopened by the fire. In addition, RCP seal cooling is terminated by isolating seal injection and thermal barrier cooling after the pumps have been tripped. The likelihood of developing an RCP seal LOCA is minimized due to the Flowserve low-leakage seals, and proactive isolation of the RCP seals using manual valves precludes the potential for spurious operations to re-introduce cold water to the hot seals, which would cause catastrophic seal failure due to thermal shock. Alignment of suction sources and a flow path to the steam generators (SGs) for AFW is directed by the FCAs as well and includes AFW cross-tie from the opposite unit, if necessary.
The AFW flow path is protected from spurious operations by prepositioning the MOVs and then de-energizing them. In addition, the AFW cross-tie MOVs are located in the opposite unit's Safeguards Building, thus preventing fire damage from affecting the ability to utilize the cross-tie.
 
The fire strategies for these areas address the potential loss of Charging, and the resulting impact of the change in SW Header AOT on the fire risk for these areas is low.
As discussed in the internal events analysis, ESGR and MCR chiller operation within the 24 hour PRA mission time is not required as long as one of the ESGR AHUs per unit is operating or a LOCA has not occurred, although, in the case of ESGR fires, ventilation is not credited for the fire-affected unit. For fires in the U2 CVT and U1 ESGR, at least one chiller will remain available and the 6" SW headers are not affected by the fire. As a result, additional random failures would be required to cause a loss of ESGR and MCR cooling, so the impact of the TS change due to fires in these areas is negligible.
A fire in the U1 CVT will not damage any of the chillers, but it may damage 1-VS-S-1A, which would isolate the A 6" SW header supplying CPSW, as well as chillers 4A, 4B, and 4C. If a fire occurred in this area concurrent with maintenance on the B 6" SW Header and the 2A and 2C 8" SW headers supplying the 4D and 4E chillers, then a loss of all five chillers would occur. A fire in the U2 ESGR may damage the normal power and control cables for all five chillers.
To account for this potential, chillers 4D and 4E have an alternate power supply (AAC Diesel Generator) and local controls which are aligned using O-FCA-19.00 and allow these chillers to be used during a U2 ESGR fire. However, maintenance on the 2A and 2C 8" SW headers would cause the 4D and 4E chillers to be unavailable, resulting in a loss of all five chillers.
The U1 CVT and U2 ESGR are the most limiting of these areas since no random failures are required in addition to the fire and maintenance configuration to cause a loss of all five chillers.
In order for a total loss of chillers to cause an SBO due to loss of ESGR HVAC during a fire, either both of the dedicated AHUs must fail or a LOCA must develop. Combining the frequency of the fire, the probability of the maintenance configuration with only one SW supply line available, and the probabilities of the AHUs failing or a LOCA developing, which is minimized by the fire strategies and low-leakage RCP seals, causes the resulting cutsets to be low risk contributors.
Accounting for fire severity and suppression would further reduce the results of these cutsets. Given the low frequency of these failure combinations, the impact of the change in SW Header AOT on the fire risk for these scenarios is low. The MCR contains control cables for all of the CPSW pumps. There is physical separation between units for the CPSW pump controls in the MCR, and control of each pump can also be transferred to the Appendix R Panel in the ESGR. The fire strategy to achieve SSD during an MCR fire is O-FCA-1.00.
If the fire severity necessitates evacuation of the control room, the operators will transfer control of the CPSW pumps to the Appendix R Panel. The Rotating Strainers are locally controlled from the MERs and are unaffected by a fire in the MCR. If one of the SW Headers is unavailable, random failure of the second SW header or all of the CPSW pumps is needed to cause a loss of Charging.
The fire strategy for the MCR is very similar to the strategies for the CVTs and ESGRs in that an RCS High/Low pressure boundary is established, allowing Natural Circulation of the RCS to be used, and AFW is aligned to the SGs for secondary cooling. The Reactor Head Vents, the Pressurizer PORVs, and Letdown are isolated from the MCR at the Auxiliary Shutdown Panel (ASP) in the ESGR, and the isolation switches ensure the valves will not reopen due to the fire. The failure of CPSW would cause a loss of RCP seal injection, but thermal barrier cooling may continue to be supplied to the RCP seals. Since RCP seal cooling is not proactively isolated during this fire scenario, RCP seal injection is monitored and the seals are isolated when flow is lost. As a result, the potential for thermal shock of the seals is mitigated, and the likelihood of seal failure remains low. Since the potential for a LOCA is mitigated by actions taken to ensure the integrity of the RCS pressure boundary is maintained and by the low-leakage seals, this accident will most likely resemble a transient.
Alignment of suction sources and a flow path to the steam generators (SGs) for AFW is directed by the FCA procedure and includes AFW cross-tie from the opposite unit, if necessary.
The AFW flow path is protected from spurious operations by transferring control of the AFW pumps and discharge MOVs to the ASP. The fire strategy for this scenario addresses the potential loss of Charging, and the resulting impact of the change in SW Header AOT on the fire risk for this scenario is low. The MCR contains control cables for all of the ESGR and MCR chillers as well. However, isolation switches are available for three of the five chillers, which can be controlled from outside the control room. One ESGR AHU per unit is isolated from the control room as well. Consistent with previous discussion, the chillers are not required within the 24 hour PRA mission time if one ESGR AHU per unit is in operation and a LOCA has not developed.
The frequency of fires requiring evacuation of the control room is low given the control room is continuously manned, so detection and suppression of the fires before evacuation is likely. Similar to the ESGR and CVT fire scenarios, the frequency of the fire, the probability of the maintenance configuration with only one SW supply line available, and random failure of the chillers unaffected by the fire are a low frequency combination of failures.
The probabilities of the AHUs failing or a LOCA developing in addition to these failures cause the resulting cutsets to be low risk contributors.
Given the low frequency of these failure combinations, the impact of the change in SW Header AOT on the fire risk for these scenarios is low. If the fire is small enough that habitability conditions and extent of equipment damage allow operators to remain in the control room, the FCA procedure for the MCR is not entered and the fire is considered non-limiting.
The impact of the SW Header AOT change on this fire scenario is considered bounded by the internal events analysis.
MER 3 and MER 4

These fire areas were included in the scope of the analysis due to the extent of potential damage to the CPSW pumps, Rotating Strainers, and damage to piping supplying the 4A, 4B, and 4C chillers.
The FCA procedure used to achieve SSD for both of these fire areas is O-FCA-7.00.
In each of these areas, three of the four CPSW pumps and one of the two Rotating Strainers may be damaged. In addition, portions of the 6" SW supply piping are non-metallic and susceptible to fire damage. The FCA procedure relies on the available CPSW pump and strainer to provide Charging Pump Cooling and uses the CPSW pump discharge cross-tie to cool both units' Charging Pumps. Random failure of the fourth CPSW pump would cause a failure of CPSW, but this system failure mode is not impacted by the unavailability of the SW Header. However, if the fire damages the Rotating Strainer or non-metallic piping and the opposite 6" SW Header is unavailable, a loss of CPSW and three chillers would occur. Fire damage to the non-metallic piping during maintenance involving the 2A and 2C 8" SW headers in addition to the opposite 6" SW header would result in a loss of all five ESGR and MCR chillers.
The equipment damaged by a fire in MER 4 is limited and will not cause a fire-induced LOCA. As a result, a loss of Charging or the ESGR and MCR chillers due to a fire in this area during SW Header maintenance is easily mitigated by station procedures and available equipment, and the impact of the AOT change is negligible.
The potential equipment damaged from a fire in MER 3 is more extensive and includes electrical cables for the #3 EOG output breaker, #2 EOG output breaker, and the 2H emergency bus offsite power supply breaker. However, if the damage is limited to this equipment, the loss of Charging due to a fire in this area during SW Header maintenance does not have a significant adverse impact on the fire risk since a fire-induced LOCA will not occur, and shutdown can be achieved using the available station procedures. Fire damage alone to the EOG and 2H bus breakers would fail the EOG output breakers open, preventing the EOGs from supplying the emergency buses, and the 2H bus offsite supply breaker closed, preventing it from opening following a LOOP signal. This damage state would allow both U2 emergency buses to remain energized from offsite power. If offsite power to one of the U2 emergency buses is lost due to fire-induced spurious opening of the 2H bus supply breaker or random failure of either emergency bus, 2-FCA-4.00 is entered. As discussed for the limiting U2 ESGR fire scenario, a loss of all Charging and failure of both Unit 2 emergency buses is adequately addressed by 2-FCA-4.00.
Three of the five ESGR and MCR chillers may be damaged by a fire in MER 3. The MER 5 chillers are unaffected by a fire in this area, but they could be unavailable due to 8" SW header maintenance. Given equipment damage in this area is limited, multiple random failures would be required in addition to SW Header maintenance for this scenario to lead to a loss of ESGR cooling resulting in an SBO. Due to the low frequency of these cutsets, the impact of the SW Header AOT change on the fire risk for these scenarios is negligible.
MER 3 contains non-metallic SW supply piping which is susceptible to fire damage, and a flood propagation path exists between the MER 3 and the ESGRs. In order to mitigate flooding from the failed piping, the SW supply to MER 3 is isolated as directed by the FCA. If isolation of the SW supply fails and the flood propagates to the ESGRs, loss of all Charging would occur as a consequence of the emergency bus failures, so there is no additional impact due to the additional SW Header maintenance. Since the extent of damage due to a fire in MER 3 is limited relative to other areas evaluated and a fire-induced LOCA will not occur, the impact of the SW Header AOT change on the fire risk for this area is low.
Conclusion
The most limiting fire scenarios for this evaluation are those that involve fire-induced failure of a Rotating Strainer, which could cause a total loss of CPSW and three ESGR and MCR chillers if the alternate 6" header is unavailable, and loss of all five chillers if the 8" SW headers supplying MER 5 are also unavailable. The known conservatisms in this analysis include assumed failure of the Rotating Strainers due to fire damage, which are assumed to be unaffected by fire damage in the IPEEE, and lack of credit for the duplex strainer to bypass a plugged Rotating Strainer, which could be aligned using O-AP-12.00 unless the 6" A SW Header is isolated upstream of the Rotating Strainer 1-VS-S-1A. If the IPEEE treatment of the Rotating Strainers is used, the impact on the fire risk is negligible. Based on the review of the significant fire areas, the expected equipment damage, and the fire strategies used to achieve SSD, it is concluded that the consequence of losing CPSW during these scenarios is small, and the likelihood of causing an SBO due to failure of ESGR cooling is low. These insights demonstrate the impact of the SW Header AOT change on the overall fire risk is acceptable and bounded by the internal events analysis.
Seismic Hazard Evaluation
Generic Letter (GL) 88-20 Supplement 4 was issued by the NRC in June 1991. This letter and NUREG-1407 requested each nuclear plant licensee to perform an IPEEE. In a December 1991 letter to the NRC, Surry identified the planned approach to address the IPEEE. For non-seismic external events and fires, the IPEEE effort was completed and a report was submitted to the NRC in December 1997.
Surry was categorized in NUREG-1407 as a focused scope plant. As identified in Surry's December 1991 letter, the Seismic Margins Method (SMM) developed by Electric Power Research Institute (EPRI) with enhancements was selected for Surry. A completion schedule for IPEEE - Seismic was initially provided by Surry in its September 1992 letter to the NRC which also noted that elements of the effort to resolve IPEEE - Seismic, notably plant walkdowns, will be integrated with the resolution of Unresolved Safety Issue (USI) A-46 identified in NRC's Supplement 1 to GL 87-02 of May 1992.
In September 1995, the NRC issued Supplement 5 to GL 88-20. This letter gave further guidance on the basis for selection of components that needed capacity evaluation.
Based on GL 88-20, Supplement 5, Surry submitted a revised approach to NRC in November 1995. This approach, while still retaining the Seismic Probabilistic Risk Assessment (SPRA) methodology and treating Surry as a focused scope plant, identified areas where screening and judgment by experienced and trained engineers would eliminate the need for performing capacity calculations for rugged components, structures, and systems; and require such evaluations only for weaker and critical components. The IPEEE - Seismic program at Surry has been performed in accordance with the SPRA methodology for a focused plant and Surry's stated commitments.
In February 1996, a peer review was conducted to assess the implementation of the IPEEE - Seismic program at Surry. This review included walkdown of about 15% of the items representing all classes of equipment in the Safe Shutdown Equipment List.
Although a few open issues were noted at the time of the review, the reviewer concluded that the Seismic Review Teams involved did an excellent seismic walkdown review at Surry.
In summary, the IPEEE-Seismic program, integrated with the USI A-46 effort, resulted in several plant improvements and design modifications. The SPRA quantification concluded that no severe accident vulnerabilities exist at Surry from a potential seismic event. No other cost beneficial upgrade can be performed to improve the seismic margin and the core damage frequency of the plant.
The Surry Seismic Probability Risk Assessment Pilot Plant Report was reviewed and this proposed change does not impact the conclusions drawn in that report. The following is a discussion of SPRA quantification results from that report.
The dominant Seismic PRA sequence (52%) involves the failure of the turbine building, starting a chain of events that fails SW. Since the power cables to the CW isolation valves run through cable trays in the turbine building, it was assumed that the failure of the steel superstructure would fail the valve cables, even though they are in the concrete portion of the turbine building below ground elevation. Failure of the cables prevents the CW isolation valves from closing, the canal will rapidly drain through the CW lines, SW cooling will be lost, and core damage is assumed. The proposed change does not have an adverse impact on this sequence.
25.7% of SPS seismic risk is associated with seismic-induced SW flooding. This risk is dominated by seismic-induced ruptures of BC heat exchangers. The proposed change does not have an adverse effect on seismic induced flooding sequences.
Seismic induced LOCA, SGTR and MSLB sequences where MER SW supply has a support function make up approximately 2% of seismic core damage risk. Therefore, it is concluded that the proposed change has a negligible impact on seismic risk and is screened from further evaluation.
Other External Hazards Evaluation
The other external hazards, as identified by NUREG/CR-2300 and NUREG/CR-4839, have been taken into consideration. Following the initial screening, seven events were identified as needing more detailed evaluation. These events included aircraft accidents, external flooding, tornado generated missiles and high winds, pipeline accidents, transportation accidents, accidents in nearby industrial or military facilities, and release of chemicals from on-site storage. Since the effects of these external events on Surry Power Station were analyzed as part of NUREG-1150, the analysis performed in the IPEEE used the method and in some cases the results obtained by NUREG/CR-4550. However, in each case the Surry UFSAR information was used to make sure that the results obtained by NUREG/CR-4550 were still valid.
The study concluded that there are no significant external events other than those identified in NUREG-1407. The non-seismic external events of interest, except for aircraft impacts, pipeline accidents and external flooding, were screened out based on the UFSAR information and the results reached by NUREG/CR-4550. The bounding analyses performed for the effects of aircraft impacts and pipeline accidents were based on the methods used by NUREG/CR-4550. The results of these two analyses indicate that the frequency of the events occurring is small. The actual risk from these hazards to the safe operation of the plant would be less than the screening value, because most safety-related equipment is inside Class I structures and is designed to withstand the loads imposed by the external event. The bounding analysis for external flooding considered the worst case occurrence of the 1 hour in 1 square mile probable maximum precipitation (PMP). The consequences of this occurrence were mitigated by implementation of a procedural revision and modification of turbine building roof parapets to reduce roof top accumulation during intense precipitation. Therefore, it can be concluded that non-seismic external events do not pose a significant risk to the safe operation of Surry Power Station.
Based on the above, other External Events have been screened from further evaluation for this proposed change.
RG 1.177 Tier 2: Avoidance of Risk Significant Plant Configurations
RG 1.177 contains the following discussion concerning Tier 2 analysis:
The licensee should provide reasonable assurance that risk-significant plant equipment outage configurations will not occur when specific plant equipment is out of service consistent with the proposed TS change. An effective way to perform such an assessment is to evaluate equipment according to its contribution to plant risk (or safety) while the equipment covered by the proposed CT change is out of service.
Evaluation of such combinations of equipment out of service against the Tier 1 ICCDP and ICLERP acceptance guidelines could be one appropriate method of identifying risk-significant configurations. Once plant equipment is so evaluated, an assessment can be made as to whether certain enhancements to the TS or procedures are needed to avoid risk significant plant configurations. In addition, compensatory actions that can mitigate any corresponding increase in risk (e.g., backup equipment, increased surveillance frequency, or upgraded procedures and training) should be identified and evaluated. Any changes made to the plant design or operating procedures as a result of such a risk evaluation (e.g., required backup equipment, increased surveillance frequency, or upgraded procedures and training required before certain plant system configurations can be entered) should be incorporated into the analyses utilized for TS changes as described under Tier 1 above.
A detailed review of PRA importance metrics (Risk Achievement Worth, Fussell-Vesely) from the Tier 1 PRA Model did not reveal any risk significant maintenance configurations when one MER header is considered unavailable.
No enhancements, procedure revisions or compensatory actions are recommended from the Tier 2 evaluation.
RG 1.177 Tier 3: Risk-Informed Plant Configuration Control and Management
The Dominion 10 CFR 50.65(a)(4) program fully satisfies the recommendations of RG 1.177 Tier 3. RG 1.177 Section 2.3 states that:
The licensee should develop a program that ensures that the risk impact of out-of-service equipment is appropriately evaluated prior to performing any maintenance activity.
A viable program would be one that is able to uncover risk-significant plant equipment outage configurations in a timely manner during normal plant operation.
The Dominion 10 CFR 50.65(a)(4) program performs PRA analyses of planned maintenance configurations in advance. The MER SW system is included in the 10 CFR 50.65(a)(4) scope and its removal from service is monitored, analyzed, and managed. Configurations that approach or exceed the NUMARC 93-01 risk limits are identified and either avoided or addressed by risk management actions. Emergent configurations are identified and analyzed by the on-shift staff for prompt determination of whether risk management actions are needed. The configuration analysis and risk management processes are fully proceduralized in compliance with the requirements of 10 CFR 50.65(a)(4).
Dominion's (a)(4) program is implemented with station procedures WM-AA-300, Work Management, and NF-AA-PRA-370, MRule (a)(4) Risk Monitor Guidance.
To support Dominion's 10 CFR 50.65(a)(4) program, a dedicated PRA model is used to perform configuration risk analysis.
The model uses the S007Aa model as a framework with some adjustments to optimize the model for configuration risk calculations.
The model allows for quantitative Level 1 and Level 2 (LERF) assessments of internal events and internal floods hazards for at-power configurations.
Risk during shutdown configurations and risks due to other hazards are assessed qualitatively.
Changes in plant configuration or PRA model features are dispositioned and managed by Dominion's PRA configuration control process. Procedures are in place to ensure that actions are taken as necessary to qualitatively assess configurations outside the scope of the PRA model. 


===5.4 Results and Conclusions===
The increase in risk associated with the proposed change is consistent with the RG 1.174 and RG 1.177 acceptance guidelines for a permanent TS Completion Time change. This evaluation demonstrates that nuclear defense-in-depth will not be significantly impacted by allowing a single SW flow path to be available to the CPSW subsystem and to the MCR/ESGR AC subsystem for up to 72 hours.
==6.0 ENVIRONMENTAL ASSESSMENT==
The proposed change will revise a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20. Specifically, the proposed change extends the AOT for only one operable flow path from 24 hours to 72 hours. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. However, the proposed change does not involve (i) a significant hazards consideration, (ii) a significant change in the types or a significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the proposed change meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed change.

==7.0 CONCLUSION==

The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps. The proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The design functions of the CPSW subsystem and the Charging/HHSI pumps, as well as the design functions of the MCR/ESGR AC subsystem and chillers are not impacted by the proposed revision. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs; the deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The proposed change does not physically alter plant equipment, does not impact plant operation, and does not affect the safety analyses.
Furthermore, a supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.
Therefore, Dominion concludes, based on the considerations discussed herein, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Figure 1 - Service Water System Simplified Diagram

Figure 2 - Gravity-supplied Service Water System Loads

Serial No. 16-180 Docket Nos. 50-280/281 Attachment 2
:MARKED-UP TECHNICAL SPECIFICATIONS AND BASIS PAGES (Basis Changes are for NRC Information Only)
Virginia Electric and Power Company (Dominion)
Surry Station Units 1 and 2

T. (Continued)
: 16. For the applicable UFSAR Chapter 14 events, Surry 1 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A. If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 1 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:
* Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
* Section 14.2.8 - Excessive Load Increase Incident;
* Section 14.2.9 - Loss of Reactor Coolant Flow; and
* Section 14.2.10 - Loss of External Electrical Load
Prior to operating above 2546 MWt (98.4% RP).
: 4.
FOR THE NUCLEAR REGULATORY COMMISSION
Original signed by:
Samuel J. Collins, Director
Office of Nuclear Reactor Regulation


==Attachment:==
Appendix A, Technical Specifications
Date of Issuance: March 20, 2003
Surry - Unit 1 Renewed License No. DPR-32 Amendment No.-2f9-

09 23 13
T. (Continued)
: 16. For the applicable UFSAR Chapter 14 events, Surry 2 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A. If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 2 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:
* Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
* Section 14.2.8 - Excessive Load Increase Incident;
* Section 14.2.9 - Loss of Reactor Coolant Flow; and
* Section 14.2.10 - Loss of External Electrical Load
Prior to operating above 2546 MWt (98.4% RP).
: 4. This renewed license is effective as of the date of issuance and shall expire at midnight on January 29, 2033.
FOR THE NUCLEAR REGULATORY COMMISSION
Original signed by:
Samuel J. Collins, Director
Office of Nuclear Reactor Regulation


==Attachment:==
Appendix A, Technical Specifications
Date of Issuance: March 20, 2003
Surry - Unit 2 Renewed License No. DPR-37 Amendment No.

TABLE 3.7-2 (Continued)
ENGINEERED SAFEGUARDS ACTION INSTRUMENT OPERATING CONDITIONS

Functional Unit                                                         Total Number  Minimum OPERABLE  Channels            Permissible Bypass  Operator
                                                                        Of Channels   Channels          To Trip             Conditions          Actions
: 3. AUXILIARY FEEDWATER (continued)
: e. Trip of main feedwater pumps - start motor driven pumps            2/MFW pump    1/MFW pump        2-1 each MFW pump                       24
: f. Automatic actuation logic                                          2             2                 1                                       22
: 4. LOSS OF POWER
: a. 4.16 kv emergency bus undervoltage (loss of voltage)               3/bus         2/bus             2/bus                                   26
: b. 4.16 kv emergency bus undervoltage (degraded voltage)              3/bus         2/bus             2/bus                                   26
: 5. NON-ESSENTIAL SERVICE WATER ISOLATION
: a. Low intake canal level* Nots g                                     4             3                 3                                       20
: b. Automatic actuation logic                                          2             2                 1                                       14
: 6. ENGINEERED SAFEGUARDS ACTUATION INTERLOCKS - Note A
: a. Pressurizer pressure, P-11                                         3             2                 2                                       23
: b. Low-low Tavg, P-12                                                 3             2                 2                                       23
: c. Reactor trip, P-4                                                  2             2                 1                                       24
: 7. RECIRCULATION MODE TRANSFER
: a. RWST Level - Low-Low*                                              4             3                 2                                       25
: b. Automatic Actuation Logic and Actuation Relays                     2             2                 1                                       14
: 8. RECIRCULATION SPRAY
: a. RWST Level - Low Coincident with High High Containment Pressure*   4             3                 2                                       20
: b. Automatic Actuation Logic and Actuation Relays                     2             2                 1                                       14

xc angers is m 1 e m e tripped condition. In this condition, two


TS 3.14-1

3.14 CIRCULATING AND SERVICE WATER SYSTEMS

Applicability
Applies to the operational status of the Circulating and Service Water Systems.

Objective
To define those limiting conditions of the Circulating and Service Water Systems necessary to assure safe station operation.

Specification
A. The Reactor Coolant System temperature or pressure of a reactor unit shall not exceed 350°F or 450 psig, respectively, or the reactor shall not be critical unless:
: 1. The high level intake canal is filled to at least elevation +23.0 feet at the high level intake structure.
: 2. Unit subsystems, including piping and valves, shall be operable to the extent of being able to establish the following:
: a. Flow to and from one bearing cooling water heat exchanger.
: b. Flow to and from the component cooling heat exchangers required by Specification 3.13.
: 3. At least two circulating water pumps are operating or are operable.
: 4. Three emergency service water pumps are operable; these pumps will service both units simultaneously.
Amendment Nos.~and~
 
TS 3.14-2 04-02-07
: 5. Two service water flow paths to the charging pump service water subsystem are OPERABLE.
: 6. Two service water flow paths to the recirculation spray subsystems are OPERABLE.
: 7. Two service water flow paths to the main control room and emergency switchgear room air conditioning subsystems are OPERABLE.
B. The requirements of Specification 3.14.A.4 may be modified to allow one Emergency Service Water pump to remain inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place both units in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.
The requirements of 3.14.A.4 may be modified to have two Emergency Service Water pumps OPERABLE with one unit in COLD SHUTDOWN with combined Spent Fuel pit and shutdown unit decay heat loads of 25 million BTU/HR or less.
One of the two remaining pumps may be inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place the operating unit in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.

LBDCR!TSCR 441 - INSERT 1 on pages TS 3.14-2 and TS 3.14-3:
C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.
D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems. If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.

TS 3.14-3 04 02=07
l be p aced m s o Specifications 3.14.A.5, 3.1 are not met within an additional
48 c or shall be laced in COLD SHUTDOWN.

Basis
The Circulating and Service Water Systems are designed for the removal of heat resulting from the operation of various systems and components of either or both of the units. Untreated water, supplied from the James River and stored in the high level intake canal is circulated by gravity through the recirculation spray coolers and the bearing cooling water heat exchangers and to the charging pumps lubricating oil cooler service water pumps which supply service water to the charging pump lube oil coolers. In addition, the Circulating and Service Water Systems supply cooling water to the component cooling water heat exchangers and to the main control and emergency switchgear rooms air conditioning condensers. The Component Cooling heat exchangers are used during normal plant operations to cool various station components and when in shutdown to remove residual heat from the reactor. Component Cooling is not required on the accident unit during a loss-of-coolant accident. If the loss-of-coolant accident is coincident with a loss of off-site power, the nonaccident unit will be maintained at HOT SHUTDOWN with the ability to reach COLD SHUTDOWN.
The long term Service Water requirement for a loss-of-coolant accident in one unit with simultaneous loss-of-station power and the second unit being brought to HOT SHUTDOWN is greater than 15,000 gpm. Additional Service Water is necessary to bring the nonaccident unit to COLD SHUTDOWN. Three diesel driven Emergency Service Water pumps with a design capacity of 15,000 gpm each, are provided to supply water to the High Level Intake canal during a loss-of-station power incident. Thus, considering the single active failure of one pump, three Emergency Service Water pumps are required to be OPERABLE. The allowed outage time of 7 days provides operational flexibility to allow for repairs up to and including replacement of an Emergency Service Water pump without forcing dual unit outages, yet limits the amount of operating time without the specified number of pumps. When one Unit is in Cold Shutdown and the heat load from the shutdown unit and spent fuel pool drops to less than 25 million BTU/HR, then one Emergency Service Water pump may be removed from service for the subsequent time that the unit remains in Cold Shutdown due to the reduced residual heat removal and hence component cooling requirements.

TS 3.14-4 09-23-13
A minimum level of +17.2 feet in the High Level Intake canal is required to provide design flow of Service Water through the Recirculation Spray heat exchangers during a loss-of-coolant accident for the first 24 hours. If the water level falls below +23' 6", signals are generated to trip both unit's turbines and to close the nonessential Circulating and Service Water valves. A High Level Intake canal level of +23' 6" ensures actuation prior to canal level falling to elevation +23'. The Circulating Water and Service Water isolation valves which are required to close to conserve Intake Canal inventory are periodically verified to limit total leakage flow out of the Intake Canal. In addition, passive vacuum breakers are installed on the Circulating Water pump discharge lines to assure that a reverse siphon is not continued for canal levels less than +23 feet when Circulating Water pumps are de-energized.
The remaining six feet of canal level is provided coincident with ESW pump operation as the required source of Service Water for heat loads following the Design Basis Accident.
facilitate cleaning, inspecting, repairing (as needed), and recoating (as needed) of the ater (SW) supply line to the Component Cooling Heat Exchangers (CC s), a temporary, sa -related, seismic, not fully missile protected SW supply li temporary jumper) will be us as discussed in the temporary footnote to .14.A.2.b.
The temporary jumper is requ
 
* d since service water is supplied e CCHXs by a single concrete-encased line. To re ve the SW supply I' from service for extended CCHXs is provided in Virgini y's letter Serial No. 12-615, dated September 26, 2012. e use of the temporary jumper is on of up to 35 days d
TS 3.14-4 09-23-13 including replacement of an Emergency Service Water pump without forcing dual unit outages, yet limits the amount of operating time without the specified number of pumps.
* g each of the 2013 and 2015 Unit 1 refueling o ordance with the compensatory measures (including a Contin vided in the letter referenced above. The only automatic function in the ply line when Unit 1 is in COLD SHUTDOWN or REFUELING SHUTDOWN is Amendment _
When one Unit is in Cold Shutdown and the heat load from the shutdown unit and spent fuel pool drops to less than 25 million BTU/HR, then one Emergency Service Water pump may be removed from service for the subsequent time that the unit remains in Cold Shutdown due to the reduced residual heat removal and hence component cooling requirements.
TS 3.14-4a 09 23 13 e SW supply motor operated valves, which close on low isolation valve in the tempor established by the Station Abnormal Procedures.  
A minimum level of +17.2 feet in the High Level Intake canal is required to provide design flow of Service Water through the Recirculation Spray heat exchangers during a loss-of-coolant accident for the first 24 hours. If the water level falls below +23' 6",
signals are generated to trip both unit's turbines and to close the nonessential Circulating and Service Water valves. A High Level Intake canal level of +23' 6" ensures actuation prior to canal level falling to elevation +23'. The Circulating Water and Service Water isolation valves which are required to close to conserve Intake Canal inventory are periodically verified to limit total leakage flow out of the Intake Canal. In addition, passive vacuum breakers are installed on the Circulating Water pump discharge lines to assure that a reverse siphon is not continued for canal levels less than +23 feet when Circulating Water pumps are de-energized. The remaining six feet of canal level is provided coincident with ESW pump operation as the required source of Service Water for heat loads following the Design Basis Accident.
facilitate cleaning, inspecting, repairing (as needed), and recoating (as needed) of the ater (SW) supply line to the Component Cooling Heat Exchangers (CC             s), a temporary, sa     -related, seismic, not fully missile protected SW supply li       temporary jumper) will be us       as discussed in the temporary footnote to             .14.A.2.b. The temporary jumper is requ
* d since service water is supplied             e CCHXs by a single concrete-encased line. To re           ve the SW supply I'       from service for extended CCHXs is provided in Virgini                                     y's letter Serial No. 12-615, dated September 26, 2012.       e use of the temporary jumper is on of up to 35 days d
* g each of the 2013 and 2015 Unit 1 refueling o ordance with the compensatory measures (including a Contin vided in the letter referenced above. The only automatic function in the ply line when Unit 1 is in COLD SHUTDOWN or REFUELING SHUTDOWN is Amendment Nos.~and~              ~ _
 
TS 3.14-4a 09 23 13 e SW supply motor operated valves, which close on low Intake
isolation valve in the tempor established by the Station Abnormal Procedures.


==References:==
==References:==


UFSAR Section 9.9 UFSAR Section 10.3.4 UFSAR Section 14.5 Service Water System Circulating Water System Loss-of-Coolant Accidents, Including the Design Basis Accident Amendment Attachment 3 Serial No. 16-180 Docket Nos. 50-280/281 PROPOSED TECHNICAL SPECIFICATIONS AND BASIS PAGES (Basis Changes are for NRC Information Only) Virginia Electric and Power Company (Dominion)
UFSAR Section 9.9             Service Water System UFSAR Section 10.3.4           Circulating Water System UFSAR Section 14.5             Loss-of-Coolant Accidents, Including the Design Basis Accident Amendment Nos.~ and~
Surry Station Units 1 and 2   T. (Continued)
 
: 16. For the applicable UFSAR Chapter 14 events, Surry 1 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A. If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 1 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 3 PROPOSED TECHNICAL SPECIFICATIONS AND BASIS PAGES (Basis Changes are for NRC Information Only)
* Section 14.2.7 -Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
Virginia Electric and Power Company (Dominion)
* Section 14.2.8 -Excessive Load Increase Incident;
Surry Station Units 1 and 2
* Section 14.2.9 -Loss of Reactor Coolant Flow; and
 
* Section 14.2.10 -Loss of External Electrical Load U. Deleted by Amendment No. ___ _ Prior to operating above 2546 MWt (98.4% RP). 4. This renewed license is effective as of the date of issuance and shall expire at midnight on May 25, 2032. FOR THE NUCLEAR REGULATORY COMMISSION Original signed by: Samuel J. Collins, Director Office of Nuclear Reactor Regulation  
T. (Continued)
Prior to operating above 2546 MWt (98.4% RP).
: 16. For the applicable UFSAR Chapter 14 events, Surry 1 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A. If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 1 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:
* Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
* Section 14.2.8 - Excessive Load Increase Incident;
* Section 14.2.9 - Loss of Reactor Coolant Flow; and
* Section 14.2.10 - Loss of External Electrical Load U. Deleted by Amendment No. _ _ __
: 4. This renewed license is effective as of the date of issuance and shall expire at midnight on May 25, 2032.
FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:
Samuel J. Collins, Director Office of Nuclear Reactor Regulation


==Attachment:==
==Attachment:==
Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 1                                                Renewed License No. DPR-32 Amendment No.


Appendix A, Technical Specifications Date of Issuance:
T. (Continued) *
March 20, 2003 Surry -Unit 1 Renewed License No. DPR-32 Amendment No. T. (Continued)
Prior to operating above 2546 MWt (98.4% RP).
: 16. For the applicable UFSAR Chapter 14 events, Surry 2 will re-analyze the
* 16. For the applicable UFSAR Chapter 14 events, Surry 2 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A. If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 2 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:
transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A.
* Section 14.2.7 -Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 2 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:
* Section 14.2.8 -Excessive Load Increase Incident;
* Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
* Section 14.2.9 -Loss of Reactor Coolant Flow; and
* Section 14.2.8 - Excessive Load Increase Incident;
* Section 14.2.10 -Loss of External Electrical Load U. Deleted by Amendment No. ___ _ Prior to operating above 2546 MWt (98.4% RP). 4. This renewed license is effective as of the date of issuance and shall expire at midnight on January 29, 2033. FOR THE NUCLEAR REGULATORY COMMISSION Original signed by: Samuel J. Collins, Director Office of Nuclear Reactor Regulation  
* Section 14.2.9 - Loss of Reactor Coolant Flow; and
* Section 14.2.10 - Loss of External Electrical Load U. Deleted by Amendment No. _ _ __
: 4. This renewed license is effective as of the date of issuance and shall expire at midnight on January 29, 2033.
FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:
Samuel J. Collins, Director Office of Nuclear Reactor Regulation


==Attachment:==
==Attachment:==
Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 2                                                Renewed License No. DPR-37 Amendment No.


Appendix A, Technical Specifications Date of Issuance:
March 20, 2003 Surry -Unit 2 Renewed License No. DPR-37 Amendment No.
TABLE 3.7-2 (Continued)
TABLE 3.7-2 (Continued)
ENGINEERED SAFEGUARDS ACTION INSTRUMENT OPERATING CONDITIONS Minimum Permissible Total Number OPERABLE Channels Bypass Operator Functional Unit Of Channels Channels To Trip Conditions Actions 3. AUXILIARY FEEDWATER (continued)
ENGINEERED SAFEGUARDS ACTION INSTRUMENT OPERATING CONDITIONS Minimum                       Permissible Total Number OPERABLE               Channels       Bypass       Operator Functional Unit                             Of Channels         Channels         To Trip     Conditions Actions
: e. Trip of main feedwater pumps -start motor driven 2/MFWpump 1/MFWpump 2-1 each 24 pumps MFWpump f. Automatic actuation logic 2 2 1 22 4. LOSS OF POWER a. 4.16 kv emergency bus undervoltage (loss of voltage) 3/bus 2/bus 2/bus 26 b. 4.16 kv emergency bus undervoltage (degraded voltage) 3/bus 2/bus 2/bus 26 5. NON-ESSENTIAL SERVICE WATER ISOLATION
: 3. AUXILIARY FEEDWATER (continued)
: a. Low intake canal level* 4 3 3 20 b. Automatic actuation logic 2 2 1 14 6. ENGINEERED SAFEGUARDS ACTUATION INTERLOCKS 
: e. Trip of main feedwater pumps - start motor driven             2/MFWpump 1/MFWpump                   2-1 each                       24 pumps                                                                                               MFWpump
-Note A a. Pressurizer pressure, P-11 3 2 2 23 b. Low-low Tavg, P-12 3 2 2 23 c. Reactor trip, P-4 2 2 24 7. RECIRCULATION MODE TRANSFER a. RWST Level-Low-Low* 4 3 2 25 b. Automatic Actuation Logic and Actuation Relays 2 2 1 14 8. RECIRCULATION SPRAY a. RWST Level -Low Coincident with High High 4 3 2 20 Containment Pressure* b. Automatic Actuation Logic and Actuation Relays 2 2 14 Note A -Engineered Safeguards Actuation Interlocks are described in Table 4.1-A
: f. Automatic actuation logic                                             2               2               1                           22
* There is a Safety Analysis Limit associated with this ESP function.
: 4. LOSS OF POWER
If during calibration the setpoint is found to be conservative with respect to the Setting Limit but outside its predefined calibration tolerance, then the channel shall be brought back to within its predefined calibration tolerance before returning the channel to service. The calibration tolerances are specified in a document controlled under 10 CFR 50.59.
: a. 4.16 kv emergency bus undervoltage (loss of voltage)                 3/bus           2/bus           2/bus                         26
TS 3.14-1 3.14 CIRCULATING AND SERVICE WATER SYSTEMS Applicability Applies to the operational status of the Circulating and Service Water Systems. Objective To define those limiting conditions of the Circulating and Service Water Systems necessary to assure safe station operation.
: b. 4.16 kv emergency bus undervoltage (degraded voltage)               3/bus           2/bus           2/bus                         26
Specification A. The Reactor Coolant System temperature or pressure of a reactor unit shall not exceed 350°F or 450 psig, respectively, or the reactor shall not be critical unless: 1. The high level intake canal is filled to at least elevation 
: 5. NON-ESSENTIAL SERVICE WATER ISOLATION
+23.0 feet at the high level intake structure.
: a. Low intake canal level*                                               4               3               3                           20
: b. Automatic actuation logic                                             2               2               1                           14
: 6. ENGINEERED SAFEGUARDS ACTUATION INTERLOCKS - Note A
: a. Pressurizer pressure, P-11                                             3               2               2                           23
: b. Low-low Tavg, P-12                                                     3               2               2                           23
: c. Reactor trip, P-4                                                     2               2                                           24
: 7. RECIRCULATION MODE TRANSFER
: a. RWST Level- Low-Low*                                                   4               3               2                           25
: b. Automatic Actuation Logic and Actuation Relays                         2               2               1                           14
: 8. RECIRCULATION SPRAY
: a. RWST Level - Low Coincident with High High                             4               3               2                           20
Containment Pressure*
: b. Automatic Actuation Logic and Actuation Relays                         2               2                                           14
Note A - Engineered Safeguards Actuation Interlocks are described in Table 4.1-A
* There is a Safety Analysis Limit associated with this ESP function. If during calibration the setpoint is found to be conservative with respect to the Setting Limit but outside its predefined calibration tolerance, then the channel shall be brought back to within its predefined calibration tolerance before returning the channel to service. The calibration tolerances are specified in a document controlled under 10 CFR 50.59.
 
TS 3.14-1 3.14 CIRCULATING AND SERVICE WATER SYSTEMS Applicability Applies to the operational status of the Circulating and Service Water Systems.
Objective To define those limiting conditions of the Circulating and Service Water Systems necessary to assure safe station operation.
Specification A. The Reactor Coolant System temperature or pressure of a reactor unit shall not exceed 350°F or 450 psig, respectively, or the reactor shall not be critical unless:
: 1. The high level intake canal is filled to at least elevation +23.0 feet at the high level intake structure.
: 2. Unit subsystems, including piping and valves, shall be operable to the extent of being able to establish the following:
: 2. Unit subsystems, including piping and valves, shall be operable to the extent of being able to establish the following:
: a. Flow to and from one bearing cooling water heat exchanger.
: a. Flow to and from one bearing cooling water heat exchanger.
: b. Flow to and from the component cooling heat exchangers required by Specification 3.13. 3. At least two circulating water pumps are operating or are operable.
: b. Flow to and from the component cooling heat exchangers required by Specification 3.13.
: 3. At least two circulating water pumps are operating or are operable.
: 4. Three emergency service water pumps are operable; these pumps will service both units simultaneously.
: 4. Three emergency service water pumps are operable; these pumps will service both units simultaneously.
Amendment Nos.
Amendment Nos.
TS 3.14-2 5. Two service water flow paths to the charging pump service water subsystem are OPERABLE.
 
TS 3.14-2
: 5. Two service water flow paths to the charging pump service water subsystem are OPERABLE.
: 6. Two service water flow paths to the recirculation spray subsystems are OPERABLE.
: 6. Two service water flow paths to the recirculation spray subsystems are OPERABLE.
: 7. Two service water flow paths to the main control room and emergency switchgear room air conditioning subsystems are OPERABLE.
: 7. Two service water flow paths to the main control room and emergency switchgear room air conditioning subsystems are OPERABLE.
B. The requirements of Specification 3.14.A.4 may be modified to allow one Emergency Service Water pump to remain inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place both units in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours. The requirements of 3.14.A.4 may be modified to have two Emergency Service Water pumps OPERABLE with one unit in COLD SHUTDOWN with combined Spent Fuel pit and shutdown unit decay heat loads of 25 million BTU/HR or less. One of the two remaining pumps may be inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place the operating unit in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours. C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers.
B. The requirements of Specification 3.14.A.4 may be modified to allow one Emergency Service Water pump to remain inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place both units in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.
If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours. D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems.
The requirements of 3.14.A.4 may be modified to have two Emergency Service Water pumps OPERABLE with one unit in COLD SHUTDOWN with combined Spent Fuel pit and shutdown unit decay heat loads of 25 million BTU/HR or less.
If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours. Amendment Nos.
One of the two remaining pumps may be inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place the operating unit in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.
TS 3.14-3 Basis The Circulating and Service Water Systems are designed for the removal of heat resulting from the operation of various systems and components of either or both of the units. Untreated water, supplied from the James River and stored in the high level intake canal is circulated by gravity through the recirculation spray coolers and the bearing cooling water heat exchangers and to the charging pumps lubricating oil cooler service water pumps which supply service water to the charging pump lube oil coolers. In addition, the Circulating and Service Water Systems supply cooling water to the component cooling water heat exchangers and to the main control and emergency switchgear rooms air conditioning condensers.
C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.
The Component Cooling heat exchangers are used during normal plant operations to cool various station components and when in shutdown to remove residual heat from the reactor. Component Cooling is not required on the accident unit during a loss-of-coolant accident.
D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems. If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.
If the loss-of-coolant accident is coincident with a loss of off-site power, the nonaccident unit will be maintained at HOT SHUTDOWN with the ability to reach COLD SHUTDOWN.
Amendment Nos.
The long term Service Water requirement for a loss-of-coolant accident in one unit with simultaneous loss-of-station power and the second unit being brought to HOT SHUTDOWN is greater than 15,000 gpm. Additional Service Water is necessary to bring the nonaccident unit to COLD SHUTDOWN.
 
Three diesel driven Emergency Service Water pumps with a design capacity of 15,000 gpm each, are provided to supply water to the High Level Intake canal during a loss-of-station power incident.
TS 3.14-3 Basis The Circulating and Service Water Systems are designed for the removal of heat resulting from the operation of various systems and components of either or both of the units.
Thus, considering the single active failure of one pump, three Emergency Service Water pumps are required to be OPERABLE.
Untreated water, supplied from the James River and stored in the high level intake canal is circulated by gravity through the recirculation spray coolers and the bearing cooling water heat exchangers and to the charging pumps lubricating oil cooler service water pumps which supply service water to the charging pump lube oil coolers.
The allowed outage time of 7 days provides operational flexibility to allow for repairs up to and Amendment Nos.
In addition, the Circulating and Service Water Systems supply cooling water to the component cooling water heat exchangers and to the main control and emergency switchgear rooms air conditioning condensers. The Component Cooling heat exchangers are used during normal plant operations to cool various station components and when in shutdown to remove residual heat from the reactor. Component Cooling is not required on the accident unit during a loss-of-coolant accident. If the loss-of-coolant accident is coincident with a loss of off-site power, the nonaccident unit will be maintained at HOT SHUTDOWN with the ability to reach COLD SHUTDOWN.
TS 3.14-4 including replacement of an Emergency Service Water pump without forcing dual unit outages, yet limits the amount of operating time without the specified number of pumps. When one Unit is in Cold Shutdown and the heat load from the shutdown unit and spent fuel pool drops to less than 25 million BTU/HR, then one Emergency Service Water pump may be removed from service for the subsequent time that the unit remains in Cold Shutdown due to the reduced residual heat removal and hence component cooling requirements.
The long term Service Water requirement for a loss-of-coolant accident in one unit with simultaneous loss-of-station power and the second unit being brought to HOT SHUTDOWN is greater than 15,000 gpm. Additional Service Water is necessary to bring the nonaccident unit to COLD SHUTDOWN. Three diesel driven Emergency Service Water pumps with a design capacity of 15,000 gpm each, are provided to supply water to the High Level Intake canal during a loss-of-station power incident. Thus, considering the single active failure of one pump, three Emergency Service Water pumps are required to be OPERABLE. The allowed outage time of 7 days provides operational flexibility to allow for repairs up to and Amendment Nos.
A minimum level of +17.2 feet in the High Level Intake canal is required to provide design flow of Service Water through the Recirculation Spray heat exchangers during a loss-of-coolant accident for the first 24 hours. If the water level falls below +23' 6", signals are generated to trip both unit's turbines and to close the nonessential Circulating and Service Water valves. A High Level Intake canal level of +23' 6" ensures actuation prior to canal level falling to elevation 
 
+23'. The Circulating Water and Service Water isolation valves which are required to close to conserve Intake Canal inventory are periodically verified to limit total leakage flow out of the Intake Canal. In addition, passive vacuum breakers are installed on the Circulating Water pump discharge lines to assure that a reverse siphon is not continued for canal levels less than +23 feet when Circulating Water pumps are de-energized.
TS 3.14-4 including replacement of an Emergency Service Water pump without forcing dual unit outages, yet limits the amount of operating time without the specified number of pumps.
The remaining six feet of canal level is provided coincident with ESW pump operation as the required source of Service Water for heat loads following the Design Basis Accident.  
When one Unit is in Cold Shutdown and the heat load from the shutdown unit and spent fuel pool drops to less than 25 million BTU/HR, then one Emergency Service Water pump may be removed from service for the subsequent time that the unit remains in Cold Shutdown due to the reduced residual heat removal and hence component cooling requirements.
A minimum level of +17.2 feet in the High Level Intake canal is required to provide design flow of Service Water through the Recirculation Spray heat exchangers during a loss-of-coolant accident for the first 24 hours. If the water level falls below +23' 6",
signals are generated to trip both unit's turbines and to close the nonessential Circulating and Service Water valves. A High Level Intake canal level of +23' 6" ensures actuation prior to canal level falling to elevation +23'. The Circulating Water and Service Water isolation valves which are required to close to conserve Intake Canal inventory are periodically verified to limit total leakage flow out of the Intake Canal. In addition, passive vacuum breakers are installed on the Circulating Water pump discharge lines to assure that a reverse siphon is not continued for canal levels less than +23 feet when Circulating Water pumps are de-energized. The remaining six feet of canal level is provided coincident with ESW pump operation as the required source of Service Water for heat loads following the Design Basis Accident.


==References:==
==References:==


UFSAR Section 9.9 UFSAR Section 10.3.4 UFSAR Section 14.5 Service Water System Circulating Water System Loss-of-Coolant Accidents, Including the Design Basis Accident Amendment Nos.
UFSAR Section 9.9                 Service Water System UFSAR Section 10.3.4               Circulating Water System UFSAR Section 14.5                 Loss-of-Coolant Accidents, Including the Design Basis Accident Amendment Nos.
Attachment 4 Serial No. 16-180 Docket Nos. 50-280/281 TECHNICAL ADEQUACY OF THE PROBABILISTIC RISK ASSESSMENT MODEL Virginia Electric and Power Company (Dominion)
 
Surry Station Units 1 and 2 TECHNICAL ADEQUACY OF THE PROBABILISTIC RISK ASSESSMENT (PRA) MODEL Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 1 of 36 The PRA model used to analyze the risk of the LBDCR/TSCR 441 is referred to as S007 Aa. The effective date of this model is September 30, 2009. Surry PRA Model Notebook QU.2, Revision 5, documents the quantification of the PRA model. This is the most recent evaluation of the SPS internal events at-power risk profile. The PRA model is maintained and updated under a PRA configuration control program in accordance with Dominion procedures.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 TECHNICAL ADEQUACY OF THE PROBABILISTIC RISK ASSESSMENT MODEL Virginia Electric and Power Company (Dominion)
Plant changes, including physical and procedural modifications and changes in performance data, are reviewed and the PRA model is updated to reflect such changes periodically by qualified personnel, with independent reviews and approvals.
Surry Station Units 1 and 2
Summary of the SPS PRA History The Level 1 and Level 2 SPS PRA analyses were originally developed and submitted to the Nuclear Regulatory Commission (NRC) in 1991 as the Individual Plant Examination (IPE) submittal.
 
The SPS PRA has been updated many times, since the original IPE. A summary of the SPS PRA history is as follows:
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 1 of 36 TECHNICAL ADEQUACY OF THE PROBABILISTIC RISK ASSESSMENT (PRA) MODEL The PRA model used to analyze the risk of the LBDCR/TSCR 441 is referred to as S007Aa. The effective date of this model is September 30, 2009. Surry PRA Model Notebook QU.2, Revision 5, documents the quantification of the PRA model. This is the most recent evaluation of the SPS internal events at-power risk profile. The PRA model is maintained and updated under a PRA configuration control program in accordance with Dominion procedures. Plant changes, including physical and procedural modifications and changes in performance data, are reviewed and the PRA model is updated to reflect such changes periodically by qualified personnel, with independent reviews and approvals.
Summary of the SPS PRA History The Level 1 and Level 2 SPS PRA analyses were originally developed and submitted to the Nuclear Regulatory Commission (NRC) in 1991 as the Individual Plant Examination (IPE) submittal. The SPS PRA has been updated many times, since the original IPE. A summary of the SPS PRA history is as follows:
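Review bot: The merged header paragraph beginning "Serial No. 16-18'0" still carries scan errors that the cover line above it does not. The serial number reads "16-18'0" where the cover line reads "16-180", "(PRA)" has become "CPRA)", and the sentence ending "September 30, 2009 . ." keeps stray dots. The model of record is also spelled two ways across the two versions of this paragraph ("S007 Aa" and "S007Aa"); take the spelling from the source PDF and use it in both places, and move the per-page "Page 1 of 36" header out of the running text.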
* Original IPE (August 1991)
* Original IPE (August 1991)
* Individual Plant Examination External Events (IPEEE) 1991 through 1994
* Individual Plant Examination External Events (IPEEE) 1991 through 1994
* 1998 -Data update; update to address issues needed to support the Maintenance Rule program
* 1998 - Data update; update to address issues needed to support the Maintenance Rule program
* 2001 -Data update; update to address more Maintenance Rule issues, address peer review Facts and Observations (F&Os)
* 2001 - Data update; update to address more Maintenance Rule issues, address peer review Facts and Observations (F&Os)
* 2002 -Update RCP seal LOCA model due to installation of high temperature o-rings; added internal flooding, additional changes for Maintenance Rule and Safety Monitor
* 2002 - Update RCP seal LOCA model due to installation of high temperature o-rings; added internal flooding, additional changes for Maintenance Rule and Safety Monitor
* 2004 -Update to address applicable F&Os from North Anna peer review
* 2004 - Update to address applicable F&Os from North Anna peer review
* 2005 -Update to include plant changes to reduce turbine building flood risk
* 2005 - Update to include plant changes to reduce turbine building flood risk
* 2006 -Data update and update to address MSPI requirements
* 2006 - Data update and update to address MSPI requirements
* 2006 -Update to support ESGR chilled water Tech Spec change; added loss of main control room HVAC and loss of instrument air to the model; added logic from the IPEEE fire and seismic models
* 2006 - Update to support ESGR chilled water Tech Spec change; added loss of main control room HVAC and loss of instrument air to the model; added logic from the IPEEE fire and seismic models
* 2009 -Data update; addressed American Society of Mechanical Engineers (ASME) PRA Standard SRs that were not met; extensive changes throughout the model as the model was converted to CAFTA Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 2of36
* 2009 - Data update; addressed American Society of Mechanical Engineers (ASME) PRA Standard SRs that were not met; extensive changes throughout the model as the model was converted to CAFTA
* 2009 -Updated Interfacing Systems LOCA (ISLOCA) initiator frequency, added EOG and AAC diesel fails to load (FTL) basic events, and added rupture failure of the SW expansion joints for the CCW heat exchangers as flood scenarios (current model of record) The SPS PRA model has benefited from the following technical PRA peer reviews. 1998 NEI PRA Peer Review The SPS internal events PRA received a formal industry PRA model peer review in 1998. The purpose of the PRA peer review process is to provide a method for establishing the technical quality of .a PRA model for the spectrum of potential risk-informed plant licensing applications for which the PRA model may be used. The PRA peer review process used a team composed of industry PRA and system analysts, each with significant expertise in both PRA model development and PRA applications.
 
This team provided both an objective review of the PRA technical elements and a subjective assessment, based on their PRA experience, regarding the acceptability of the PRA elements.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 2of36
The team used a set of checklists as a framework within which to evaluate the scope, comprehensiveness, completeness, and fidelity of the PRA products available.
* 2009 - Updated Interfacing Systems LOCA (ISLOCA) initiator frequency, added EOG and AAC diesel fails to load (FTL) basic events, and added rupture failure of the SW expansion joints for the CCW heat exchangers as flood scenarios (current model of record)
The SPS review team used the "Westinghouse Owner's Group (WOG) Peer Review Process Guidance" as the basis for the review. The general scope of the PRA peer review included a review of eleven main technical elements, using checklist tables (to cover the elements and sub-elements), for an at-power PRA including internal events, internal flooding, and containment performance, with focus on Large Early Release Frequency (LERF). The F&Os from the PRA peer review were prioritized into four categories (A through D) based upon importance to the completeness of the model. Categories A and B F&Os are considered significant enough that the technical adequacy of the model may be impacted.
The SPS PRA model has benefited from the following technical PRA peer reviews.
Categories C and D are considered minor. Subsequent to the peer review, the model has been updated to address all Category A, B, and D F&Os. Category B items from the 1998 NEI PRA Peer Review (all closed) are listed below: ..
1998 NEI PRA Peer Review The SPS internal events PRA received a formal industry PRA model peer review in 1998. The purpose of the PRA peer review process is to provide a method for establishing the technical quality of .a PRA model for the spectrum of potential risk-informed plant licensing applications for which the PRA model may be used. The PRA peer review process used a team composed of industry PRA and system analysts, each with significant expertise in both PRA model development and PRA applications. This team provided both an objective review of the PRA technical elements and a subjective assessment, based on their PRA experience, regarding the acceptability of the PRA elements. The team used a set of checklists as a framework within which to evaluate the scope, comprehensiveness, completeness, and fidelity of the PRA products available. The SPS review team used the "Westinghouse Owner's Group (WOG) Peer Review Process Guidance" as the basis for the review.
OBSERVATION OBSERVATION (ID: AS-2 ) I ElementAS I Subelement 5 and 9 (Also MU) OBSERVATION (ID: AS-8 ) I Element _AS __ I Subelement
The general scope of the PRA peer review included a review of eleven main technical elements, using checklist tables (to cover the elements and sub-elements), for an at-power PRA including internal events, internal flooding, and containment performance, with focus on Large Early Release Frequency (LERF).
_AS-12_ Serial No. 16-1SO Docket Nos. 50-280/281 Attachment 4 Page 3 of 36 1998 NEI PRA Peer Review Category B Closed Items OBSERVATION Detail The models and analyses are consistent, as best as the reviewers could determine, with the as built plant, and were consistent with plant operating procedures at the time the IPE was completed.
The F&Os from the PRA peer review were prioritized into four categories (A through D) based upon importance to the completeness of the model. Categories A and B F&Os are considered significant enough that the technical adequacy of the model may be impacted. Categories C and D are considered minor. Subsequent to the peer review, the model has been updated to address all Category A, B, and D F&Os. Category B items from the 1998 NEI PRA Peer Review (all closed) are listed below:
However, there is no process in place to identify and incorporate changes in plant operation into the PRA model. This process should also include periodic review of industry standards that may impact the PRA. Some examples of where such a process could impact the model include, the timing for switchover to hot leg recirculation after event initiation (9 hours in the current EOP), and a review of potential impacts on the PSA due to the power uprate program. The focus of this comment is on the lack of process more than any current discrepancies found in the model, and is related to the IPE Maintenance and Update Process elements.
 
The RCP seal LOCA model appears to include an optimistic interpretation of the WOG and NRC models, and does not include a contribution from early seal failure. POSSIBLE RESOLUTION Establish a formal process for identifying changes to plant procedures (EOPs/AOPs), and evaluating the impact of these changes on the PRA model. This process should also include periodic review of industry standards that may affect modeling assumptions and success criteria used in the PRA. The resolution of this comment should be incorporated as an element of the PRA Maintenance and Update Process. Consider an evaluation of the sensitivity of the PRA results to use of a model that includes the possibility of early seal failure. Also evaluate the potential impact on the model due to recent changes to the WOG seal cooling restoration emergency response guidelines (advising against restoration of seal cooling after a relatively brief coolinq loss). PLANT RESPONSE OR RESOLUTION PRA update guidance was developed, which includes a review of plant procedures (EOPs), assumptions for components, and system recovery models based upon human actions (Nuclear Safety Analysis Manual -Part IV, Chapter J, subsequently superseded by PRA Manual -Part IV, Chapter A). The current industry guidance suggests a voluntary periodic review of industry standards, which will be considered as resources allow. Recent PRA updates (S03A, S05A) provide examples of the process. An RC pump seal failure model (the so-called Rhodes model) that is acceptable to the NRC for use in PRA was developed and implemented for the T4, T1A and T6 event trees. This model addresses the probability of early seal failure, and does not allow restoration of seal cooling after a relatively brief cooling loss. For Surry, the model is discussed fully in SM-1296, implemented in the SOA-D PRA models. 
For the S03A model, the T1A (SBO) accident sequence model was revised to be fully consistent with the WOG2000 RCP seal LOCA model, and the T4 and T6 accident sequences models were revised to incorporate simplified logic consistent with the WOG2000 model. STATUS This F&O is Closed. The PRA adequately addresses early seal failure contribution, so this F&O is CLOSED. Future model updates are planned to include additional model detail (and remove conservatisms) for the seal failure contribution for events other than T1A.
Serial No. 16-1SO Docket Nos. 50-280/281 Attachment 4 Page 3 of 36 1998 NEI PRA Peer Review Category B Closed Items OBSERVATION         OBSERVATION Detail                                      POSSIBLE RESOLUTION          PLANT RESPONSE OR RESOLUTION                                  STATUS OBSERVATION        The models and analyses are consistent, as best as the    Establish a formal process    PRA update guidance was developed, which includes a            This F&O is Closed.
OBSERVATION OBSERVATION Detail OBSERVATION The models for the EDGs do include common cause (ID: DA-6 ) I failures of fuel oil system. In general the models do Element ___QA_ I consider common/shared components and support Subelement DA-systems explicitly.
(ID: AS-2     )   I reviewers could determine, with the as built plant, and   for identifying changes to    review of plant procedures (EOPs), assumptions for ElementAS I         were consistent with plant operating procedures at the    plant procedures              components, and system recovery models based upon Subelement 5 and    time the IPE was completed. However, there is no          (EOPs/AOPs), and              human actions (Nuclear Safety Analysis Manual - Part 9    (Also MU)      process in place to identify and incorporate changes in    evaluating the impact of      IV, Chapter J, subsequently superseded by PRA Manual plant operation into the PRA model. This process           these changes on the PRA      - Part IV, Chapter A). The current industry guidance should also include periodic review of industry standards model. This process should    suggests a voluntary periodic review of industry that may impact the PRA. Some examples of where           also include periodic review  standards, which will be considered as resources allow.
The models do not appear to include 11 the effects of common maintenance crews or l&C technicians.
such a process could impact the model include, the         of industry standards that    Recent PRA updates (S03A, S05A) provide examples of timing for switchover to hot leg recirculation after event may affect modeling          the process.
Specifically, there is no consideration of common cause miscalibration of instrumentation channels.
initiation (9 hours in the current EOP), and a review of   assumptions and success potential impacts on the PSA due to the power uprate       criteria used in the PRA.
OBSERVATION
program. The focus of this comment is on the lack of       The resolution of this process more than any current discrepancies found in       comment should be the model, and is related to the IPE Maintenance and       incorporated as an element Update Process elements.                                   of the PRA Maintenance and Update Process.
{Implementation of NUREG/CR-4780 methodology) (ID: DA-8 ) I Reviewers question the validity of the approach used for Element defining CCF terms, by adding fail to start and fail to run DA/DE I data variables.
OBSERVATION        The RCP seal LOCA model appears to include an             Consider an evaluation of    An RC pump seal failure model (the so-called Rhodes            The PRA adequately (ID: AS-8    )  I  optimistic interpretation of the WOG and NRC models,       the sensitivity of the PRA    model) that is acceptable to the NRC for use in PRA            addresses early seal Element _AS _ _      and does not include a contribution from early seal       results to use of a model    was developed and implemented for the T4, T1A and T6          failure contribution, so I Subelement        failure.                                                  that includes the possibility event trees. This model addresses the probability of           this F&O is CLOSED.
Method added value of QD and A, but Subelement DA-the events are not consistent (i.e. per-demand and per-12/DE-9 hour). Assuming a mission time of one hour and a demand for the device, the terms can be added. But what if: 1. Common cause failure is dominated by running failures, there is no mission time associated with the use of the common cause term -non-conservative result 2. Running failure rate is comparable to start term, but common cause dominated by start terms -overly conservative result. OBSERVATION The common cause failure probability of valves failing (ID: DA-9 ) I due to plugging is (0.1)(1.25-7 f/hr)(2160 hrs), or about Element ___QA_ I 1 E-4. The 0.1 beta factor used for this calculation may Subelement
_AS-12_                                                                        of early seal failure. Also  early seal failure, and does not allow restoration of seal    Future model updates evaluate the potential        cooling after a relatively brief cooling loss. For Surry, the are planned to include impact on the model due to   model is discussed fully in SM-1296, implemented in the        additional model detail recent changes to the WOG     SOA-D PRA models. For the S03A model, the T1A                  (and remove seal cooling restoration     (SBO) accident sequence model was revised to be fully          conservatisms) for the emergency response           consistent with the WOG2000 RCP seal LOCA model,              seal failure contribution guidelines (advising against and the T4 and T6 accident sequences models were              for events other than restoration of seal cooling   revised to incorporate simplified logic consistent with the    T1A.
_9 __ be overly conservative.
after a relatively brief     WOG2000 model.
The net result is that many of the top sequences (for the 3-year maintenance case) involve common cause valve plugging terms. It is unusual to have passive equipment failures be so prominent in the dominant cutsets (more prominent than active equipment failures).
coolinq loss).
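Review bot: The layout-preserving rows that start at "Serial No. 16-1SO ... 1998 NEI PRA Peer Review Category B Closed Items" splice the four table columns (OBSERVATION Detail, POSSIBLE RESOLUTION, PLANT RESPONSE OR RESOLUTION, STATUS) into each physical line, so sentences from different cells alternate mid-clause and the AS-2 and AS-8 rows cannot be read in order. Emit the F&O table as wiki table markup with one row per observation ID, or keep the cell-by-cell text, and correct "16-1SO" and "coolinq" in the same pass.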
POSSIBLE RESOLUTION Update the models to include common cause instrumentation miscalibration.
 
Documentation should at least include a qualitative discussion of the potential impact of common maintenance crews and similar procedures.
Serial No. 16-18'D Docket Nos. 50-280/281 Attachment 4 Page 4 of 36 OBSERVATION      OBSERVATION Detail                                        POSSIBLE RESOLUTION          PLANT RESPONSE OR RESOLUTION                               STATUS OBSERVATION    The models for the EDGs do include common cause            Update the models to        Miscalibration of instrumentation channels is resolved as  This F&O is CLOSED.
The documentation should also highlight areas where CCF was not included because of design diversity or other similar considerations.
(ID: DA-6 )   I  failures of fuel oil system. In general the models do      include common cause        a human reliability rather than an equipment common Element ___QA_ I consider common/shared components and support              instrumentation              cause fault. The HEP fault behaves the same as an Subelement DA-  systems explicitly. The models do not appear to include    miscalibration.             equipment CCF, but is quantified on the basis of human 11              the effects of common maintenance crews or l&C              Documentation should at      error rather than equipment reliability. For North Anna, technicians. Specifically, there is no consideration of    least include a qualitative  HEP events are created for the following instrument common cause miscalibration of instrumentation              discussion of the potential  channels: EOG, 1-LM-PT-100A/B/C/D, MS flow, MS channels.                                                  impact of common            differential pressure, MS low pressure, and pressurizer maintenance crews and        pressure. The models are discussed fully in SM-1269, similar procedures. The      implemented in the NOA-D PRA models. For Surry, HEP documentation should also    events are created for the following instrument channels:
Reevaluate CCF analysis as described in Surry guidance documents.
highlight areas where CCF    EOG, 1-LM-PT-100A/B/C/D, MS flow, MS differential was not included because of  pressure, steam generator level, pressurizer pressure design diversity or other    RWST level, intake canal level and RC delta T and similar considerations.     TAVE. The models are discussed fully in SM-1310, implemented in the SOA-D PRA models.
Fully incorporate NUREG/CR-4780 methods. Consider the use of a more realistic beta factor in the analysis.
OBSERVATION    {Implementation of NUREG/CR-4780 methodology)              Reevaluate CCF analysis as  The common cause fault (CCF) approach is revised to        This F&O is CLOSED.
Serial No. 16-18'D Docket Nos. 50-280/281 Attachment 4 Page 4 of 36 PLANT RESPONSE OR RESOLUTION STATUS Miscalibration of instrumentation channels is resolved as This F&O is CLOSED. a human reliability rather than an equipment common cause fault. The HEP fault behaves the same as an equipment CCF, but is quantified on the basis of human error rather than equipment reliability.
(ID: DA-8 )   I Reviewers question the validity of the approach used for    described in Surry guidance  incorporate the following: Alpha-factor model, INEEL Element         defining CCF terms, by adding fail to start and fail to run documents. Fully            data base of CCF events from NUREG/CR-6268, DA/DE    I    data variables. Method added value of QD and A, but        incorporate NUREG/CR-       different failure modes (run and demand), and different Subelement DA-   the events are not consistent (i.e. per-demand and per-     4780 methods.                CCF events based upon population size (e.g., 2 of 3 as 12/DE-9         hour). Assuming a mission time of one hour and a                                         well as 3 of 3 CCF events. Guidance for the CCF demand for the device, the terms can be added. But                                       models was taken from NUREG/CR-5485, which what if:                                                                                 extends the technology developed for NUREG/CR-4780.
For North Anna, HEP events are created for the following instrument channels:
: 1. Common cause failure is dominated by running                                         The models are discussed fully in SM-1309, failures, there is no mission time associated with the use                               implemented in the SOA-D PRA models for Surry, and in of the common cause term - non-conservative result                                       the DA.3 notebook and revisions prepared for
EOG, 1-LM-PT-100A/B/C/D, MS flow, MS differential pressure, MS low pressure, and pressurizer pressure.
: 2. Running failure rate is comparable to start term, but                                 subsequent model updates (starting with S03A).
The models are discussed fully in SM-1269, implemented in the NOA-D PRA models. For Surry, HEP events are created for the following instrument channels:
common cause dominated by start terms - overly conservative result.
EOG, 1-LM-PT-100A/B/C/D, MS flow, MS differential pressure, steam generator level, pressurizer pressure RWST level, intake canal level and RC delta T and TAVE. The models are discussed fully in SM-1310, implemented in the SOA-D PRA models. The common cause fault (CCF) approach is revised to This F&O is CLOSED. incorporate the following:
OBSERVATION   The common cause failure probability of valves failing     Consider the use of a more  The common cause fault (CCF) approach is revised to        This F&O is CLOSED.
Alpha-factor model, INEEL data base of CCF events from NUREG/CR-6268, different failure modes (run and demand), and different CCF events based upon population size (e.g., 2 of 3 as well as 3 of 3 CCF events. Guidance for the CCF models was taken from NUREG/CR-5485, which extends the technology developed for NUREG/CR-4780.
(ID: DA-9 )   I due to plugging is (0.1)(1.25-7 f/hr)(2160 hrs), or about   realistic beta factor in the incorporate the following: Alpha-factor model, INEEL Element ___QA_ I 1E-4. The 0.1 beta factor used for this calculation may     analysis.                    data base of CCF events from NUREG/CR-6268, Subelement _9__  be overly conservative. The net result is that many of                                   different failure modes (run and demand), and different the top sequences (for the 3-year maintenance case)                                     CCF events based upon population size (e.g., 2 of 3 as involve common cause valve plugging terms. It is                                         well as 3 of 3 CCF events. Guidance for the CCF unusual to have passive equipment failures be so                                         models was taken from NUREG/CR-5485, which prominent in the dominant cutsets (more prominent than                                   extends the technology developed for NUREG/CR-4780.
The models are discussed fully in SM-1309, implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (starting with S03A). The common cause fault (CCF) approach is revised to This F&O is CLOSED. incorporate the following:
active equipment failures).                                                             The models are discussed fully in SM-1309, implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (startina with S03A).
Alpha-factor model, INEEL data base of CCF events from NUREG/CR-6268, different failure modes (run and demand), and different CCF events based upon population size (e.g., 2 of 3 as well as 3 of 3 CCF events. Guidance for the CCF models was taken from NUREG/CR-5485, which extends the technology developed for NUREG/CR-4780.
 
The models are discussed fully in SM-1309, implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (startina with S03A).
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 5 of 36 OBSERVATION            OBSERVATION Detail                                        POSSIBLE RESOLUTION            PLANT RESPONSE OR RESOLUTION                               STATUS OBSERVATION          The methods used to determine CCF groups are                The generic data base          The common cause fault (CCF) approach was revised to      This F&O is CLOSED.
OBSERVATION OBSERVATION (ID: DE-3 ) I Element _DE_ I Subelement
(ID: DE-3      )      I simplistic. Determination of the set of active              development project            incorporate the following: Alpha-factor model, !NEEL Element _DE_ I          components based on 1% contribution to CDF severely          identifies a large number of    data base of CCF events from NUREG/CR-6268, Subelement _8_ _        limits the number and type of common cause terms            common-cause groups.            different failure modes (run and demand), and different used in the model. As an evaluation tool for plant          Incorporate these groups or    CCF events based upon population size (e.g., 2 of 3 as vulnerabilities (i.e., the IPE), it is more than sufficient, better justify their exclusion. well as 3 of 3 CCF events. Guidance for the CCF but as an evaluation tool for Risk-informed Applications,                                    models was taken from NUREG/CR-5485, which it is not enough. Events that should be considered                                          extends the technology developed for NUREG/CR-4780.
_8 __ OBSERVATION (ID: HR-2) I Element HR/DE/SY I Subelements HR-4,7/DE-7/SY OBSERVATION (ID: HR-4 ) I Element---1::!.R..__
include: Breaker fail to operate (Open/Close) Auxiliary                                      The models are discussed fully in SM-1309, Feedwater Pumps (back-leakage)            Ventilation fans                                  implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (starting with S03A).
I Subelement
OBSERVATION          Table D.1-1 of Section D.1 of the Surry IPE lists the pre-   Provide the basis for          Miscalibration of instrumentation channels is resolved as  This F&O is CLOSED.
_jL_ OBSERVATION Detail The methods used to determine CCF groups are simplistic.
(ID: HR-2)        I    initiator errors considered in the analysis. The list        excluding miscalibration        a human reliability rather than an equipment common Element                contains only mispositioning events (valves, blank          events, or develop              cause fault. The HEP fault behaves the same as an HR/DE/SY I            flanges, etc.). No instrument miscalibration events are     appropriate events for          equipment CCF, but is quantified on the basis of human Subelements HR-         contained in the list. The procedure for system analysis    inclusion in the next update    error rather than equipment reliability. For North Anna, 4,7/DE-7/SY          (page 19 of 58) indicates that common cause His should      of the PSA model.               HEP events are created for the following instrument be modeled for miscalibration of instruments used to                                        channels: EDG, 1-LM-PT-100NB/C/D, MS flow, MS initiate systems following an action or in any standby                                      differential pressure, MS low pressure, and pressurizer equipment items such as the level instrumentation in                                        pressure. The models are discussed fully in SM-1269, storage tanks.                                                                              implemented in the NOA-D PRA models. For Surry, HEP events are created for the following instrument channels:
Determination of the set of active components based on 1 % contribution to CDF severely limits the number and type of common cause terms used in the model. As an evaluation tool for plant vulnerabilities (i.e., the IPE), it is more than sufficient, but as an evaluation tool for Risk-informed Applications, it is not enough. Events that should be considered include: Breaker fail to operate (Open/Close)
EOG, 1-LM-PT-100NB/C/D, MS flow, MS differential pressure, steam generator level, pressurizer pressure RWST level, intake canal level and RC delta T and TAVE. The models are discussed fully in SM-1310, implemented in the SOA-D PRA models.
Auxiliary Feedwater Pumps (back-leakage)
OBSERVATION           HEP development for the IPE model was extensively            Perform and document            The HEP events developed since the IPE have received        This F&O is CLOSED.
Ventilation fans Table D.1-1 of Section D.1 of the Surry IPE lists the initiator errors considered in the analysis.
(ID: HR-4 )        I  documented; however, HEPs developed for subsequent          development of HEPs that        detailed analysis. For North Anna, the models are Element---1::!.R..__ I  updates of the IPE model were not as well documented        arise from model updates.      discussed fully in SM-1269, implemented in the NOA-D Subelement _jL_        (and by implication, were not developed in as much                                          PRA models. For Surry, the models are discussed fully detail). For many of the HEPs in subsequent updates, a                                      in SM-1310, implemented in the SOA-D PRA models, value of 0.1 was used. It is not clear whether this is a                                    and in the HR-series notebooks developed for the S03A screening value or some other value.                                                        and subsequent updates. This process was also reviewed as part of the HRA re-peer review exercise prior to the RG1 .200 review for Surrv.
The list contains only mispositioning events (valves, blank flanges, etc.). No instrument miscalibration events are contained in the list. The procedure for system analysis (page 19 of 58) indicates that common cause His should be modeled for miscalibration of instruments used to initiate systems following an action or in any standby equipment items such as the level instrumentation in storage tanks. HEP development for the IPE model was extensively documented; however, HEPs developed for subsequent updates of the IPE model were not as well documented (and by implication, were not developed in as much detail). For many of the HEPs in subsequent updates, a value of 0.1 was used. It is not clear whether this is a screening value or some other value. POSSIBLE RESOLUTION The generic data base development project identifies a large number of common-cause groups. Incorporate these groups or better justify their exclusion.
 
Provide the basis for excluding miscalibration events, or develop appropriate events for inclusion in the next update of the PSA model. Perform and document development of HEPs that arise from model updates. Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 5 of 36 PLANT RESPONSE OR RESOLUTION The common cause fault (CCF) approach was revised to incorporate the following:
Serial No. 16-18'0 Docket Nos. 50-280/281 Attachment 4 Page 6 of 36 OBSERVATION        OBSERVATION Detail                                        POSSIBLE RESOLUTION          PLANT RESPONSE OR RESOLUTION                                STATUS OBSERVATION      In a sensitivity analysis (SM-1174, Addendum A) to          Reevaluate dependence        The dependency among the HEPs is being evaluated            This F&O is CLOSED.
Alpha-factor model, !NEEL data base of CCF events from NUREG/CR-6268, different failure modes (run and demand), and different CCF events based upon population size (e.g., 2 of 3 as well as 3 of 3 CCF events. Guidance for the CCF models was taken from NUREG/CR-5485, which extends the technology developed for NUREG/CR-4780.
(ID: HR-5 )    I  evaluate dependency among His contained in cutsets,        without excessive emphasis-  based on the following principles (SM-1310):
The models are discussed fully in SM-1309, implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (starting with S03A). Miscalibration of instrumentation channels is resolved as a human reliability rather than an equipment common cause fault. The HEP fault behaves the same as an equipment CCF, but is quantified on the basis of human error rather than equipment reliability.
Element __!:!R_ I  time between actions was listed as the major factor in     on time between actions.      1. Functions: If two HEPs are working for two different Subelement __.l.&sect;_ establishing independence of the operator actions. In                                    functions, these two HEPs will be justified as most cases, time (itself) is not an adequate factor, but is                              independent HEPs.
For North Anna, HEP events are created for the following instrument channels:
a parameter which can be associated with more                                            2. Steps of procedure: Because operators are trained to defensible factors. For example, one cutset contained                                    follow procedure step by step, on the view of operators, two HEPs -- one for early SG isolation following a SGTR                                  each step is a new and independent instruction. If two and one for late SG isolation. The time difference of                                     HEPs are based on two different steps or two different several hours between the actions was cited as the                                        procedures, even these two HEPs work for the same basis for the actions' independence. Better factors for                                   function, they still may be justified as independent independence might have been different clues calling for                                 HEPs. A sensitivity analysis was performed for the S03A the need to isolate the SG or actuation of the TSC, or                                    model update (and has been incorporated into the PRA additional/new crew for the late isolation. All of these                                  quantification process for subsequent updates) to review are related to time, but time (itself) is not the factor.                                 the cutsets with multiple HEPs and determine if a dependency may exist between the HEPs. Refer to the PRA QU.2 notebooks for further detail. This process was also reviewed as part of the HRA re-peer review exercise prior to the RG1 .200 review for Surry.
EDG, 1-LM-PT-100NB/C/D, MS flow, MS differential pressure, MS low pressure, and pressurizer pressure.
OBSERVATION      Initiating event frequencies have not been updated since    Include an update of          The North Anna and Surry initiating event frequencies        This F&O is CLOSED.
The models are discussed fully in SM-1269, implemented in the NOA-D PRA models. For Surry, HEP events are created for the following instrument channels:
(ID: IE-3 )  I    the IPE submittal in 1991. As a result, recent industry    initiating event frequencies  were updated in the NOA-D and SOA-D PRA updates by Element _l_E_ I    information and operating experience have not been          during the next update.       several sources. The rare initiator frequencies from Subelement _1_3_  incorporated into the initiating events analysis. This     Also, individual applications NUREG/CR-5750 are used as priors for Bayesian (Also MU)         information could alter the initiating event frequencies    should be reviewed to         updating with plant specific histories. The moderate currently contained in the model. For example:              determine if they are        frequency transient initiating event frequencies are Two plants (Salem and Wolf Creek) have                  affected before submittal or  created from plant specific data (1990-2000 LERs) and experienced losses of circulating and service water that    implementation.              a non-informative gamma prior distribution. Finally, resulted in plant trips.                                                                  some plant unique initiating events are quantified with One plant (Oconee) has experienced a small break                                      new fault tree models directly linked to the integrated LOCA (thermal fatigue of charging line).                                                  PRA model. For North Anna, these models are One plant (WNP-2) has experienced an internal                                        discussed fully in Calculation SM-1266, implemented in flood.                                                                                    the NOA-D PRA models. 
For Surry, these models are A draft NUREG updating initiating events has (very                                    discussed fully in Calculation SM-1307, implemented in recently) been issued (LOCA frequencies, particularly,                                    the SOA-D PRA models. All IE frequencies have have been affected).                                                                      subsequently been updated in 2005 and documented in the IE.1 and IE.2 notebooks.
EDG, 1-LM-PT-100NB/C/D, MS flow, MS differential pressure, steam generator level, pressurizer pressure, RWST level, intake canal level and RC delta T and TAVE. The models are discussed fully in SM-1310, implemented in the SOA-D PRA models. The HEP events developed since the IPE have received detailed analysis.
 
For North Anna, the models are discussed fully in SM-1269, implemented in the NOA-D PRA models. For Surry, the models are discussed fully in SM-1310, implemented in the SOA-D PRA models, and in the HR-series notebooks developed for the S03A and subsequent updates. This process was also reviewed as part of the HRA re-peer review exercise prior to the RG 1.200 review for Surry. STATUS This F&O is CLOSED. This F&O is CLOSED. This F&O is CLOSED.
Serial No. 16-18'0 Docket Nos. 50-280/281 Attachment 4 Page 7 of 36 OBSERVATION        OBSERVATION Detail                                      POSSIBLE RESOLUTION            PLANT RESPONSE OR RESOLUTION                                STATUS OBSERVATION      A recent industry event (Oconee) involved a small break   Evaluate the susceptibility of The referenced Oconee event was evaluated as part of       This F&O is CLOSED.
OBSERVATION OBSERVATION Detail OBSERVATION In a sensitivity analysis (SM-1174, Addendum A) to (ID: HR-5 ) I evaluate dependency among HIs contained in cutsets, Element __!:!R_ I time between actions was listed as the major factor in Subelement
(ID: IE-4    )   I  LOCA (>10 gpm) at the charging line connection to the      the Surry piping to this    ** INPO SEN 163, Recurring Event, High Pressure Element _IE_ I      RCS. The mechanism for the crack in the thermal            failure mechanism, and        Injection Line Leak, and as part of NRC IN 97-46, Subelement          sleeve at the connection point was thermal fatigue. Is    adjust the LOCA                Unisolable Crack in High-Pressure Injection Piping.
__.l.&sect;_ establishing independence of the operator actions. In most cases, time (itself) is not an adequate factor, but is a parameter which can be associated with more defensible factors. For example, one cutset contained two HEPs --one for early SG isolation following a SGTR and one for late SG isolation.
7      (Also MU) the Surry piping subject to this type of event? If so, has frequencies, as appropriate. The design of the CVCS and HHSI systems at both it been considered in the initiating event frequency?                                    North Anna and Surry is significantly different than that of Oconee, Unit 2. NAPS and SPS designs do not include combination CVCS makeup and HHSI lines.
The time difference of several hours between the actions was cited as the basis for the actions' independence.
Each unit has only one CVCS makeup line which carries full makeup flow and the CVCS system employs a regenerative heat exchanger to heat the makeup water to within 100 degrees of the RCS cold leg temperature, thereby minimizing thermal shock. The Oconee failure mechanism is not considered valid for the North Anna or Surry designs, and should not require LOCA frequency adjustment. The current North Anna and Surry LOCA frequencies are developed from NUREG/CR-5750, per the evaluation in the IE.2 PRA notebook. This NUREG observed that no small LOCA events had occurred in U.
Better factors for independence might have been different clues calling for the need to isolate the SG or actuation of the TSC, or additional/new crew for the late isolation.
S. nuclear power plants up to 1995. However, the 1997 Oconee 2 event could possibly be categorized as a very small LOCA / leak, and four such events from 1987 -
All of these are related to time, but time (itself) is not the factor. OBSERVATION Initiating event frequencies have not been updated since (ID: IE-3 ) I the IPE submittal in 1991. As a result, recent industry Element _l_E_ I information and operating experience have not been Subelement
1995 are included within the NUREG/CR-5750 initiating event frequencies.
_1_3_ incorporated into the initiating events analysis.
 
This (Also MU) information could alter the initiating event frequencies currently contained in the model. For example: Two plants (Salem and Wolf Creek) have experienced losses of circulating and service water that resulted in plant trips. One plant (Oconee) has experienced a small break LOCA (thermal fatigue of charging line). One plant (WNP-2) has experienced an internal flood. A draft NUREG updating initiating events has (very recently) been issued (LOCA frequencies, particularly, have been affected).
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 8 of 36 OBSERVATION    OBSERVATION Detail                                    POSSIBLE RESOLUTION          PLANT RESPONSE OR RESOLUTION                                STATUS OBSERVATION  An industry issue of about 5-6 years ago was the        Determine if the ISLOCA      The industry issue initially surfaced in July 1984 as a      Additional information (ID:: IE-5 ) I creation of an ISLOCA caused by a leak in an RCP        path is applicable to the   Westinghouse 10 CFR Part 21 issue. However, since            can be found in a Element IE  I thermal barrier heat exchanger and a failure to isolate  Surry model, and address it, Westinghouse was not the source vendor for the Surry        7/9/1990 NRC letter Subelem~      the CCW lines that provided cooling water to the heat    if appropriate.             CC system, this Part 21 issue was not communicated to        (Serial No. 90-442), and 14          exchanger. How was this potential ISLOCA pathway                                      Surry at that time. In May 1989, Surry communicated          drawings 11448-FM-treated by the initiating events analysis? Does it apply                              this issue to NRC and subsequently, NRC Information          072A shts 1 through 4.
POSSIBLE RESOLUTION Reevaluate dependence without excessive emphasis-on time between actions. Include an update of initiating event frequencies during the next update. Also, individual applications should be reviewed to determine if they are affected before submittal or implementation.
to the Surry model?                                                                  Notice 89-54 (June 23, 1989) was issued to all                This F&O is CLOSED.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 6 of 36 PLANT RESPONSE OR RESOLUTION STATUS The dependency among the HEPs is being evaluated This F&O is CLOSED. based on the following principles (SM-1310):
licensees. This NRC IN is probably the source of the industry issue quoted in the certification comment. Surry submitted system design information to NRC in a June 5, 1989 letter to NRC (Serial No. 89-406) clarifying resolution of the concern. This licensee response provides a detailed description of the problem and an assessment of the resolution. In summary, the operating history of Westinghouse RC Pump (RCP) thermal barriers indicates only one minor internal leak in over 12 million hours of operation (8.3 E-8/hr or 7.3 E-4/yr). Catastrophic failure of RCP thermal barrier is not a credible event. Westinghouse calculated the credible leak rate at 7.5 gpm. This low leak rate is due to high water purity in RC and CC water, conservatism in tube design supporting tube collapse rather than cracking, and low crack propagation due to external forces tending to close crack. The existing 1989 design was sufficient for isolating the RCP thermal barrier leak, but design enhancements were pursued since manual operator action is required for the credible leak (automatic isolation would occur for leak rates higher than 10 gpm). The event would not be classified an interfacing system LOCA (ISLOCA) since the CC system would be isolated from the RCS, and all isolation would occur within the containment. More appropriately, the event would be classified a very small break LOCA (based upon the 7.5 gpm credible leak) with a frequency well below the Surry and North Anna IPE S2 frequency of 2.1 E-2/yr.
: 1. Functions:
 
If two HEPs are working for two different functions, these two HEPs will be justified as independent HEPs. 2. Steps of procedure:
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 9 of 36 OBSERVATION        OBSERVATION Detail                                       POSSIBLE RESOLUTION         PLANT RESPONSE OR RESOLUTION                                  STATUS OBSERVATION     The FMEA portion of the Initiating Events notebook          Determine the plant's      The Surry LOSW IE is actually an evolution of a loss of        This F&O is CLOSED.
Because operators are trained to follow procedure step by step, on the view of operators, each step is a new and independent instruction.
(ID: IE-8    )   I (page 12 of 28) states that screen wash pumps do not        susceptibility to clogged  circ water initiator. We do not currently model this with a Element _IE_/      have to operate during an accident. The implication is      intake screens, and update  fault tree, so there is no specific screen clogging Subelement _ll_    that because of this there is no need to consider the       the initiating event        contribution identified for this initiator. Currently, the screen wash system further. However, clogged screens        frequency as appropriate. Surry PRA uses a plant specific Bayesian update of can cause plant trips, and this failure mechanism should                                generic industry experience for loss of Circulating Water be considered in the development of initiating event                                    to evaluate the IE-T6 (Loss of Circulating Water) frequencies. Recent industry events at Salem and Wolf                                  frequency. The plant specific clogged screen failure Creek illustrate a plant's susceptibility to clogged intake                            event is therefore considered, since it is part of the screens.                                                                               overall industry and plant-specific experience leading to loss of CW. However, an evaluation has been performed for the S03A model update to establish that the IE frequency used for this event would encompass contributions from events such as clogged intake screens I screen wash faults. Should the model be changed in the future to model this IE with a fault tree, this failure mechanism would be addressed exolicitlv.
If two HEPs are based on two different steps or two different procedures, even these two HEPs work for the same function, they still may be justified as independent HEPs. A sensitivity analysis was performed for the S03A model update (and has been incorporated into the PRA quantification process for subsequent updates) to review the cutsets with multiple HEPs and determine if a dependency may exist between the HEPs. Refer to the PRA QU.2 notebooks for further detail. This process was also reviewed as part of the HRA re-peer review exercise prior to the RG 1.200 review for Surry. The North Anna and Surry initiating event frequencies This F&O is CLOSED. were updated in the NOA-D and SOA-D PRA updates by several sources. The rare initiator frequencies from NUREG/CR-5750 are used as priors for Bayesian updating with plant specific histories.
OBSERVATION      The reactor core has been upgraded to 2586 MWt. Has        Ensure that the effects of  The effect of the 4.5% core power uprate on the timing          This F&O is CLOSED.
The moderate frequency transient initiating event frequencies are created from plant specific data (1990-2000 LERs) and a non-informative gamma prior distribution.
(ID: IE-9) I      the effect of this change been considered on the           increased core power have  of HEPs used in the SPS PRA Model, and on the Element ___lg_ I  moderator temperature coefficient/reactivity feedback,     been properly accounted for success criteria of hardware credited in the SPS PRA Subelement        particularly for early in a core's life? Also, has the      in the analysis.            Model has been evaluated using MAAP 4.0.5. The 16      (Also  increased decay heat load been considered in the                                       results of the analysis show that no changes are see AS-9, and MU)  success criteria for decay heat removal?                                                required to the current success criteria or HEP calculations. The details of the analysis are documented in SPS Notebook SPS-RA.MD.SC.001 Rev 0.
Finally, some plant unique initiating events are quantified with new fault tree models directly linked to the integrated PRA model. For North Anna, these models are discussed fully in Calculation SM-1266, implemented in the NOA-D PRA models. For Surry, these models are discussed fully in Calculation SM-1307, implemented in the SOA-D PRA models. All IE frequencies have subsequently been updated in 2005 and documented in the IE.1 and IE.2 notebooks.
 
OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION OBSERVATION A recent industry event (Oconee) involved a small break Evaluate the susceptibility of (ID: IE-4 ) I LOCA (>10 gpm) at the charging line connection to the the Surry piping to this ** Element _IE_ I RCS. The mechanism for the crack in the thermal failure mechanism, and Subelement sleeve at the connection point was thermal fatigue. Is adjust the LOCA 7 (Also MU) the Surry piping subject to this type of event? If so, has frequencies, as appropriate.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 10 of 36 OBSERVATION          OBSERVATION Detail                                       POSSIBLE RESOLUTION          PLANT RESPONSE OR RESOLUTION                              STATUS OBSERVATION         The consequences of operator actions after core            Include appropriate .        Our Level I model takes into account all human error        The approach taken is (ID: L2-2      )   I damage are not considered in the PSA or the LERF            consideration of EOP (and    probabilities due to EOP actions. The human error          consistent with that Element L2            assessment. After core damage has occurred, the            also SAMG) actions in the   probabilities based on SAMG actions are not                applied in other PWR I Subelement _8        control room staff will continue to attempt to implement    PSA models                  incorporated into our model. According to WOG              PRAs, but this issue will and 10_                EOP actions (and now SAMG actions). Considering the                                      procedures, once the core temperature reaches 1200 F,      be treated as a EOP actions, only those that prevent core damage                                        the operator leaves the EOPs and enters the SAMGs          recognized source of (have an impact on the GDF) are modeled in the Level 1                                  (control room guideline SACRG-1). Our Level I model        uncertainty in the LERF PSA. Several EOP actions that can impact the LERF                                        was developed independent of the SAMG actions. We          model. With this action, are:                                                                                    recognize that inappropriate SAMG actions may cause        this F&O is CLOSED.
it been considered in the initiating event frequency?
FR-C.1 actions to depressurize the RCS at the onset                                  negative consequences which may result in greater of core overheating greatly decreases the probability of                                source term releases to the atmosphere. For this a high pressure reactor vessel failure, while significantly                              reason a technical support center (TSC) is formed that increasing: a) the potential for core concrete                                          reviews real time plant parameter data and provides interactions, and b) the fission product release from                                    expert guidance to the operation staff during a severe RCS to containment (which, in turn, increases the                                       accident condition. Additionally training on the SAMGs source term for containment failures).                                                   is provided every 3 years which includes a discussion of FR-H.1 actions to establish some type of feedwater                                    these cautions and recommendations to the operators.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 7 of 36 PLANT RESPONSE OR RESOLUTION STATUS The referenced Oconee event was evaluated as part of This F&O is CLOSED. INPO SEN 163, Recurring Event, High Pressure Injection Line Leak, and as part of NRC IN 97-46, Unisolable Crack in High-Pressure Injection Piping. The design of the CVCS and HHSI systems at both North Anna and Surry is significantly different than that of Oconee, Unit 2. NAPS and SPS designs do not include combination CVCS makeup and HHSI lines. Each unit has only one CVCS makeup line which carries full makeup flow and the CVCS system employs a regenerative heat exchanger to heat the makeup water to within 100 degrees of the RCS cold leg temperature, thereby minimizing thermal shock. The Oconee failure mechanism is not considered valid for the North Anna or Surry designs, and should not require LOCA frequency adjustment.
flow to the SGs increases the chances of SG tube failure                                The operators are taught to be aware of their plants due to thermal stresses of cold water being injected onto                                most dominant accident sequences and the hot SG tubes, but can also increase the potential for                                    consequences of inadequate actions.
The Current North Anna and Surry LOCA frequencies are developed from NUREG/CR-5750, per the evaluation in the IE.2 PRA notebook.
arresting the core damage in-vessel. These two aspects can impact the LERF.
This NUREG observed that no small LOCA events had occurred in U. S. nuclear power plants up to 1995. However, the 1997 Oconee 2 event could possibly be categorized as a very small LOCA / leak, and four such events from 1987 -1995 are included within the NUREG/CR-5750 initiating event frequencies.
ECA-0.0 actions to start sprays when offsite power is restored. This can prevent overpressure failure of containment, but can also de-inert containment and lead to a hydrogen burn. When combined with the added hydrogen from in-vessel recovery, the hydrogen burn may challenge containment. Also, these operator actions should be substantiated by an HRA analysis to determine the HEP. The plant has also completed implementation of the SAMG. The SAMG contains a set of accident management strategies that would be implemented for each of the core damage accidents.
OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION OBSERVATION An industry issue of about 5-6 years ago was the Determine if the ISLOCA (ID:: IE-5 ) I creation of an ISLOCA caused by a leak in an RCP path is applicable to the Element IE I thermal barrier heat exchanger and a failure to isolate Surry model, and address it, the CCW lines that provided cooling water to the heat if appropriate.
14 exchanger.
How was this potential ISLOCA pathway treated by the initiating events analysis?
Does it apply to the Surry model? Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 8 of 36 PLANT RESPONSE OR RESOLUTION STATUS The industry issue initially surfaced in July 1984 as a Additional information Westinghouse 10 CFR Part 21 issue. However, since can be found in a Westinghouse was not the source vendor for the Surry 7 /9/1990 NRC letter CC system, this Part 21 issue was not communicated to (Serial No. 90-442), and Surry at that time. In May 1989, Surry communicated drawings 11448-FM-this issue to NRC and subsequently, NRC Information 072A shts 1 through 4. Notice 89-54 (June 23, 1989) was issued to all This F&O is CLOSED. licensees.
This NRC IN is probably the source of the industry issue quoted in the certification comment. Surry submitted system design information to NRC in a June 5, 1989 letter to NRC (Serial No. 89-406) clarifying resolution of the concern. This licensee response provides a detailed description of the problem and an assessment of the resolution.
In summary, the operating history of Westinghouse RC Pump (RCP) thermal barriers indicates only one minor internal leak in over 12 million hours of operation (8.3 E-8/hr or 7.3 E-4/yr). Catastrophic failure of RCP thermal barrier is not a credible event. Westinghouse calculated the credible leak rate at 7.5 gpm. This low leak rate is due to high water purity in RC and CC water, conservatism in tube design supporting tube collapse rather than cracking, and low crack propagation due to external forces tending to close crack. The existing 1989 design was sufficient for isolating the RCP thermal barrier leak, but design enhancements were pursued since manual operator action is required for the credible leak (automatic isolation would occur for leak rates higher than 10 gpm). The event would not be classified an interfacing system LOCA (ISLOCA) since the CC system would be isolated from the RCS, and all isolation would occur within the containment.
More appropriately, the event would be classified a very small break LOCA (based upon the 7.5 gpm credible leak) with a frequency well below the Surry and North Anna IPE S2 frequency of 2.1 E-2/yr.
OBSERVATION OBSERVATION Detail OBSERVATION The FMEA portion of the Initiating Events notebook (ID: IE-8 ) I (page 12 of 28) states that screen wash pumps do not Element _IE_/ have to operate during an accident.
The implication is Subelement
_ll_ that because of this there is no need to consider the screen wash system further. However, clogged screens can cause plant trips, and this failure mechanism should be considered in the development of initiating event frequencies.
Recent industry events at Salem and Wolf Creek illustrate a plant's susceptibility to clogged intake screens. OBSERVATION The reactor core has been upgraded to 2586 MWt. Has (ID: IE-9) I the effect of this change been considered on the Element ___lg_ I moderator temperature coefficient/reactivity feedback, Subelement particularly for early in a core's life? Also, has the 16 (Also increased decay heat load been considered in the see AS-9, and MU) success criteria for decay heat removal? POSSIBLE RESOLUTION Determine the plant's susceptibility to clogged intake screens, and update the initiating event frequency as appropriate.
Ensure that the effects of increased core power have been properly accounted for in the analysis.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 9 of 36 PLANT RESPONSE OR RESOLUTION STATUS The Surry LOSW IE is actually an evolution of a loss of This F&O is CLOSED. circ water initiator.
We do not currently model this with a fault tree, so there is no specific screen clogging contribution identified for this initiator.
Currently, the Surry PRA uses a plant specific Bayesian update of generic industry experience for loss of Circulating Water to evaluate the IE-T6 (Loss of Circulating Water) frequency.
The plant specific clogged screen failure event is therefore considered, since it is part of the overall industry and plant-specific experience leading to loss of CW. However, an evaluation has been performed for the S03A model update to establish that the IE frequency used for this event would encompass contributions from events such as clogged intake screens / screen wash faults. Should the model be changed in the future to model this IE with a fault tree, this failure mechanism would be addressed explicitly.
The effect of the 4.5% core power uprate on the timing This F&O is CLOSED. of HEPs used in the SPS PRA Model, and on the success criteria of hardware credited in the SPS PRA Model has been evaluated using MAAP 4.0.5. The results of the analysis show that no changes are required to the current success criteria or HEP calculations.
The details of the analysis are documented in SPS Notebook SPS-RA.MD.SC.001 Rev 0.
OBSERVATION OBSERVATION (ID: L2-2 ) I Element L2 I Subelement
_8 and 10_ OBSERVATION (ID: MU-2 ) I Element .....M!L.._
I Subelement
_4 __ OBSERVATION Detail The consequences of operator actions after core damage are not considered in the PSA or the LERF assessment.
After core damage has occurred, the control room staff will continue to attempt to implement EOP actions (and now SAMG actions).
Considering the EOP actions, only those that prevent core damage (have an impact on the GDF) are modeled in the Level 1 PSA. Several EOP actions that can impact the LERF are: FR-C.1 actions to depressurize the RCS at the onset of core overheating greatly decreases the probability of a high pressure reactor vessel failure, while significantly increasing:
a) the potential for core concrete interactions, and b) the fission product release from RCS to containment (which, in turn, increases the source term for containment failures).
FR-H.1 actions to establish some type of feedwater flow to the SGs increases the chances of SG tube failure due to thermal stresses of cold water being injected onto hot SG tubes, but can also increase the potential for arresting the core damage in-vessel.
These two aspects can impact the LERF. ECA-0.0 actions to start sprays when offsite power is restored.
This can prevent overpressure failure of containment, but can also de-inert containment and lead to a hydrogen burn. When combined with the added hydrogen from in-vessel recovery, the hydrogen burn may challenge containment.
Also, these operator actions should be substantiated by an HRA analysis to determine the HEP. The plant has also completed implementation of the SAMG. The SAMG contains a set of accident management strategies that would be implemented for each of the core damage accidents.
The implementation of some of the strategies has negative consequences that should be addressed.
POSSIBLE RESOLUTION: Include appropriate consideration of EOP (and also SAMG) actions in the PSA models.
PLANT RESPONSE OR RESOLUTION: Our Level I model takes into account all human error probabilities due to EOP actions. The human error probabilities based on SAMG actions are not incorporated into our model. According to WOG procedures, once the core temperature reaches 1200 F, the operator leaves the EOPs and enters the SAMGs (control room guideline SACRG-1). Our Level I model was developed independent of the SAMG actions. We recognize that inappropriate SAMG actions may cause negative consequences which may result in greater source term releases to the atmosphere. For this reason a technical support center (TSC) is formed that reviews real time plant parameter data and provides expert guidance to the operation staff during a severe accident condition. Additionally training on the SAMGs is provided every 3 years which includes a discussion of these cautions and recommendations to the operators. The operators are taught to be aware of their plant's most dominant accident sequences and the consequences of inadequate actions.
STATUS: The approach taken is consistent with that applied in other PWR PRAs, but this issue will be treated as a recognized source of uncertainty in the LERF model. With this action, this F&O is CLOSED.

OBSERVATION (ID: MU-2), Element MU, Subelement 4
OBSERVATION Detail: The core power has been upgraded. Effects of this change have not been incorporated into the PSA model. Factors that could be affected by the core power upgrade include the moderator temperature coefficient (for ATWS) and the decay heat load (for several accident sequences).
POSSIBLE RESOLUTION: At the next upgrade, evaluate the effects of the core upgrade and incorporate, as appropriate, into the PSA model.
PLANT RESPONSE OR RESOLUTION: See discussion for equivalent F&O IE-09.
STATUS: This F&O is CLOSED.

OBSERVATION (ID: MU-3), Element MU, Subelement 4
OBSERVATION Detail: Requirements for review of operating experience, plant procedures, and plant-controlled documents in support of a PSA update are not detailed in the PSA guidance documents.
POSSIBLE RESOLUTION: Develop additional guidance on the review process requirements, describing which data should be reviewed and how the review should be documented.
PLANT RESPONSE OR RESOLUTION: PRA update guidance was developed, which includes a review of: (1) Technical Specification revisions, (2) station engineering Design Change lists, (3) station procedures, and (4) operating experience. (Nuclear Safety Analysis Manual - Part IV, Chapter J, subsequently superseded by PRA Manual - Part IV, Chapter A). Recent PRA updates (S03A, SOSA) provide examples of the process.
STATUS: This F&O is Closed.

OBSERVATION (ID: MU-4), Element MU, Subelement __&sect;__
OBSERVATION Detail: Activities to evaluate the effects on the PSA of changes to equipment failure rates, initiator frequencies, and human error probabilities are minimal.
POSSIBLE RESOLUTION: Revisit initiator frequencies, equipment failure rates, and human error probabilities with each update to determine whether they are still adequately estimated.
PLANT RESPONSE OR RESOLUTION: Both the Surry and North Anna PRA models have been updated to include changes in data. For North Anna and Surry, initiating events were updated as documented in calculations SM-1266 for North Anna and SM-1370 for Surry. Component unavailabilities were updated for both North Anna and Surry as documented in calculations SM-1266 and SM-1308, respectively. The component reliabilities for risk significant pumps and the EDGs were Bayesian updated with plant specific data for Surry as documented in SM-1311. Further, a full data update was performed in 2005 for the MSPI update, as documented in the DA series of PRA notebooks. The HEPs were reviewed and updated as necessary following the PRA self-assessment per RG 1.200 and in response to the subsequent HRA re-peer review comments. Input from Operations personnel at Surry was obtained to provide better estimation of the times associated with the performance of emergency procedures. A PRA update process and schedule addressing data updates has been implemented in the PRA Manual.
STATUS: This F&O is CLOSED.

OBSERVATION (ID: SY-2), Element SY, Subelement 5 (See also AS-5, and MU)
OBSERVATION Detail: The program does not appear to have a formal requirement for incorporating changes based on plant design changes. For example, a later EOP change identifies the time to hot leg recirculation switchover as 9 hours. The model says 16 hours. There is an advantage to identifying operator actions to specific procedure steps. The downside is, procedures change. Thus, the models and documentation need to be updated periodically.
POSSIBLE RESOLUTION: The following suggestions, while directed to the systems analysis element, are actually applicable more broadly, within the context of the overall PSA Maintenance and Update process.
1. Develop a PSA change program that tracks identified changes to procedures, design, etc. Develop a process for incorporating changes into the PSA. NOTE: This does necessarily mean formal review required; notification from the program sponsor (Procedures group, admin, design engineering, etc.) is sufficient for most changes.
2. Consider becoming part of the review cycle for selected changes (e.g., for risk significant system design changes, PSA review is required). This will probably require a change to plant, engineering procedures. There are going to be changes in plant configuration that could significantly affect the PSA. A formal review by the PSA group for selected changes has the potential for saving money (change should not be made in terms of plant risk), minimizing the effects of the change on the PSA and PSA based programs and possibly identifying alternative changes.
PLANT RESPONSE OR RESOLUTION: PRA update guidance was developed, which includes a review of: (1) Technical Specification revisions, (2) station engineering Design Change lists, (3) station procedures, and (4) operating experience. (Nuclear Safety Analysis Manual - Part IV, Chapter J, subsequently superseded by PRA Manual - Part IV, Chapter A). Recent PRA updates (S03A, SOSA) provide examples of the process.
STATUS: This F&O is Closed.

OBSERVATION (ID: SY-4), Element SY, Subelement 12
OBSERVATION Detail: The RPS model does not properly identify the required support systems. RPS logic receives power from Class 1E 125V DC buses 1A and 1B. Failure of the DC buses removes power to the RTB shunt trip coils which limits operator action in the control room if reactor trip fails.
POSSIBLE RESOLUTION: 1. Review the RPS system and include DC power dependency.
PLANT RESPONSE OR RESOLUTION: Fault trees RP1 for both Surry and North Anna were revised to include separate logic for RTA and RTB including the input logic signal with recovery. The models also include failure of the trip breaker (RTA/RTB), and RTA/RTB recovery through the shunt trip relay (including failure of 125 VDC, human reliability model, and failure of the shunt trip relay). The models are discussed fully in SM-1151, implemented in the SOA-D PRA models for Surry, and in SM-1292, implemented in the NOA-D PRA models for North Anna.
STATUS: This F&O is CLOSED.

OBSERVATION (ID: SY-5), Element SY, Subelement 5
OBSERVATION Detail: The RPS logic model is incorrect. The fault tree indicates that success of either logic train allows challenge to both reactor trip breakers. Actual design is logic train A sends signal to RTA and logic train B sends signal to RTB.
POSSIBLE RESOLUTION: Correct the logic model.
PLANT RESPONSE OR RESOLUTION: Fault trees RP1 for both Surry and North Anna were revised to include separate logic for RTA and RTB including the input logic signal with recovery. The models also include failure of the trip breaker (RTA/RTB), and RTA/RTB recovery through the shunt trip relay (including failure of 125 VDC, human reliability model, and failure of the shunt trip relay). The models are discussed fully in SM-1151, implemented in the SOA-D PRA models for Surry, and in SM-1292, implemented in the NOA-D PRA models for North Anna.
STATUS: This F&O is CLOSED.

OBSERVATION (ID: SY-11), Element SY, Subelement SY-5
OBSERVATION Detail: Review of HHSI: SM-1162, SPPR 97-018, S2.07.1 (page 7 of 27). System notebook update states 1A and 1C charging pumps are dependent on CCW (for recirculation). What about Unit 2? 1B is not dependent on CCW due to a design change. What about Unit 2? How are unit to unit differences identified and modeled? Dependency table from IPE model wasn't updated in SM-1162 or SM-1165 to account for CCW dependency. Also, success criteria section of system notebook was not updated.
POSSIBLE RESOLUTION: Set up Unit 2 model, or address impact on CDF.
PLANT RESPONSE OR RESOLUTION: Surry charging pumps have seal coolers with a CC cooling dependency that currently has a difference between Units 1 and 2. For Surry Unit 1, the A & C pump seal coolers 1-CH-E-7A/B/E/F require CC cooling, but the B pump seal coolers 1-CH-E-7C/D are isolated (11448-FM-071 B Sh 2). For Surry Unit 2, all A/B/C pump seal coolers 2-CH-E-7A/B/C/D/E/F require CC cooling (11548-FM-071 B Sh 2). Potentially, all Surry charging pumps may be upgraded so that their CHP seal coolers can be isolated, but at this time, only the Surry Unit 1 B pump does not require CC cooling, which explains the difference between Surry Unit 1 and 2 charging pump CC cooling. Update as of S05A model: the dependency on CC has been added to the 1B pump as well, to account for the possibility that cooling might be needed if the pumps were used for high head recirculation with hot sump water. Note: This is a legacy model issue. The current configuration of Surry Power Station is that no charging pump seal coolers are normally isolated. The S007Aa model reflects the current plant configuration.
STATUS: This F&O is CLOSED.

OBSERVATION (ID: TH-2), Element TH, Subelement 8
OBSERVATION Detail: Several HVAC systems are modeled in detail and are well documented. These include ESGR room cooling and the Auxiliary Building Ventilation System, but these are the only ventilation dependencies modeled in the PSA. Some of the systems models provide a one line assumption stating that room cooling is not required, but little if any basis is provided for these assumptions. Based on discussions with the PSA group engineers during this review, it appears that the HVAC requirements were adequately addressed in the modeling process, but the assumptions were not clearly documented, and no process is defined for the determination of the need for room cooling.
POSSIBLE RESOLUTION: Develop more detailed documentation for modeling assumptions regarding HVAC requirements. Provide basis for excluding HVAC dependencies where HVAC is not modeled explicitly. It may be appropriate to include an overview of HVAC issues as part of a dependencies notebook.
PLANT RESPONSE OR RESOLUTION: HVAC dependencies are addressed in the fault trees where needed, and discussions are provided in individual system notebooks (SY.3 series) and the dependency notebook (SY.1). An integrated HVAC dependency document has not been prepared. Regarding specific dependencies: The charging pumps and the emergency switchgear room already have ventilation dependencies included in the PRA model. The other major components with potential HVAC dependencies were evaluated and found to have a negligible ventilation dependency. Those SSC's are as follows:
* Low Head Safety Injection pumps - The LHSI pumps take suction from the cold RWST early during a LOCA. After Recirculation Mode Transfer, the sump water will be cooled by the RSHX's, so that LHSI ventilation is not necessary.
* Outside Recirculation Spray pumps - The CS subsystem provides approximately 300 gpm 45°F water from RWST to each ORSP. There is no ceiling in the ORSP rooms. It is not a closed room. Hence, the room ventilation is not necessary.
* Emergency Diesel Generators - The EDG's have self-contained cooling systems.
* Alternate AC Generator - The AAC DG has a self-contained cooling system.
* Auxiliary Feedwater pumps - These pumps take suction from the ECST or a backup system that is at ambient temperature. They are therefore self-cooling and require no HVAC.
* Station batteries - The heat load in this room is the batteries themselves and the heat load from the batteries may be ignored.
* Turbine building SSC's - The potentially important SSC's in the TB are the MFW and the CN pumps, in case they are needed as a backup to the AFW system. On a reactor trip, the FW heaters no longer function as heaters and both CN and MFW flows are at relatively cold condenser temperatures. The Turbine Building SSC's are therefore self-cooling.
STATUS: This F&O is CLOSED.

There are only 3 Category C F&Os that need to be addressed and they are listed below:

Category C F&Os that Need to be Addressed
F&O           Description
DE-1          Develop a system to initiating event dependency matrix to better show the dependencies modeled for each initiator. (PRA Configuration Control Database (PRACC) record 4023)
DE-4          Develop master dependency matrices for front-line to front-line, for support to front-line, and initiator to system dependencies. (PRACC record 4023)
SY-13         Update references that support mission times that are less than 24 hours. (PRACC record 4012)

All three of these involve documentation issues that do not impact the PRA model results and do not affect the technical adequacy of the PRA model. Records have been added in the PRACC database to track the above tasks to completion.

2010 SPS PRA Focused Peer Review

The Surry PRA model underwent a focused peer review in February 2010 using the PRA Peer Review Certification process performed by the Pressurized-Water Reactor Owners Group (PWROG). To determine whether a full scope or focused peer review was necessary, the changes to each of the model elements were reviewed to assess whether the changes involved either of the following:
* new methodology
* significant change in the scope or capability

If changes to an element involved either a new methodology or a significant scope or capability change, then the element requires a peer review as required in the ASME PRA standard (RA-Sb-2005). Based on the assessment of the changes to each PRA model element, a peer review was performed on the elements shown below:
 
Peer Reviewed Elements
Element                            High Level Requirement
IE - Initiating Events             Initiating Events Review support system initiator modeling meets SRs IE-C6, C7, C8, C9, and C12.
AS - Accident Sequence             Accident Sequence Review upgraded event trees for SBO, RCP Seal, LOCA, SGTR and ATWS meets all HLRs for AS.
HR - Human Reliability Analysis    Human Reliability Analysis Review implementation of SPAR-H methodology meets HLR-HR-G.
IF - Internal Flooding             Internal Flooding Review internal flooding model meets all HLRs for IF.
QU - Quantification                Quantification Review conversion to CAFTA meets HLRs for QU-B, C, and D.

The AS and IF elements required a full review against all of the high level requirements (HLRs). However, changes in the IE, HR and QU elements only required specific HLR verification. The review process included:
* Review of the PRA model against the technical elements and associated supporting requirements (SRs) - Focus is on meeting capability category II.
* At the SR level, the review team's judgment was used to assess whether the PRA meets one of the three capability categories for each of the SRs.
* Evaluation of the PRA-model is supported by:
  o NEI 05-04 process,
  o Addendum to ASME/ANS PRA Standard RA-S-2008,
  o SR interpretations from ASME website,
  o NRC clarifications and qualifications as provided in Appendix A of RG 1.200, Rev. 2,
  o Reviewers' experience and knowledge,
  o Consensus with fellow reviewers, and
  o Input and clarifications from the host utility.

The gaps identified during the self-assessment and the ones that remain to be addressed are listed in table below:

2010 SPS Peer Review Remaining Gaps that Need to be Addressed

| Title | Description | NEI Element / ASME SR | Current Status / Comment | Importance to Application |
|---|---|---|---|---|
| Gap #1 | For each flood area, identify the potential sources of flooding | IFSO-B1 | No documentation on why floods in containment were screened out. | None. This is judged to be a documentation consideration only and does not affect the technical adequacy of the PRA model or sequences relevant to this application. |
| Gap #2 | The NRC clarification for Cat II says to address jet impingement, humidity, etc. qualitatively using conservative assumptions | IFSN-A6 | No documentation discussing how jet impingement, pipe whip, humidity and other types of failures impact plant systems. | This is judged to be primarily a documentation consideration only. This issue does not affect sequences relevant to this application. |
| Gap #3 | Document the relative contribution of contributors to LERF | LE-G3 | No documentation of LERF contributions for accident sequences. | None. This is judged to be a documentation consideration only and does not affect the technical adequacy of the PRA model. |
| Gap #7 | Document the system functions and boundaries. | SY-C2 | All documentation requirements are considered met except for completion of walkdown checklists. | None. This is judged to be a documentation consideration only and does not affect the technical adequacy of the PRA model. |
| Gap #9 | Initiating Event Fault Tree Modeling | IE-C10, IE-C12 | IE-C10: Not all possible combinations of cutsets are captured. IE-C12: No comparison with generic sources for initiating events modeled using fault trees. | A sensitivity study for this configuration demonstrated that the support system initiators as modeled did not impact the results (Note 3). Comparison with generic sources and similar plants is expected to render similar results to the IEs compared (Note 4). |
| Gap #10 | Use of SPAR-H methodology, which does not meet the intent of several SRs in the HR element. | HR-E3, HR-G4, HR-G6, HR-I2, HR-I3, HR-E4, HR-G1, HR-G3, HR-G5 | New Human Error Probabilities (HEPs) added to the SPS PRA were based on SPAR-H. The Peer Review identified the SPAR-H methodology is not a consensus model and has some limitations. | This gap was evaluated by performing a sensitivity study (Sensitivity #1) which multiplies HEPs in the S007Aa model by 10. This sensitivity demonstrates that this issue does not impact the results of this analysis. |
| Gap #11 | Walkdown sheets do not contain all the requested information | IFSO-B2, IFQU-A9 | IFSO-B2: Complete the walkdown sheets and verify no impact to IF events. IFQU-A9: Similar to IFSO-B2, need to clearly document the spatial relationship between flood sources and PRA equipment. | This is judged to be primarily a documentation consideration only. This issue does not affect sequences relevant to this application. |

Notes:
Note 1: Gaps 4, 5, 6 and 8 have been addressed in S007Aa.
Note 2: Gaps 9 through 11 were identified during the 2010 PWROG focused PRA peer review.
Note 3: IE-C10: If fault-tree modeling is used for initiating events, CAPTURE within the initiating event fault tree models all relevant combinations of events involving the annual frequency of one component failure combined with the unavailability (or failure during the repair time of the first component) of other components. Following are the Peer Review comments with applicability response to this proposed change:

F&O: 2-2, 2-3 Assessment: Cat I-III is NOT Met
Basis: A review of SSIE cutsets found that they are not adequate due to:
 
(1) The cutsets do not include all possible combinations, for example, (a) Train A CCW pump fails-to-run and Train B CC pump fails-to-start is in the cutset, but other failure events that could lead to Train B CCW pump fails-to-start such as AC failure, No Actuation Signal are not included; (b) relief valve failure is not showing up in the cutsets of loss of CCW
 
===Response===
Fault tree reviews indicate that these types of basic events are modeled but are truncated out of the final results.
Therefore, this F&O does not impact this analysis.
(2) Cutsets including both PROB-xxxxxB-STDBY (Train B) and PROB-xxxxxA-STDBY (Train A) events may be underestimating the impact
 
===Response===
Cutset review indicated that alignment probabilities were not significant to this evaluation.

(3) Surry SSIE models do not include passive failures (i.e. pipe breaks affecting only the source system) which are screened from the flooding analysis. These failure modes may be important in the SSIE model. For the CC system the model includes this IE, (%FLOOD-AB-SPRAY-CCP1ABCD SPRAY IN AUX BLDG 2'-0" ELEV IN VICINITY OF CC PUMPS 1-CC-P-1A/B/C/D)
 
===Response===
Inclusion of these low probability passive failure modes would not impact the significant accident scenarios because general plant transients are not significant to this application.
Note 4: IE-C12: COMPARE results and EXPLAIN differences in the initiating event analysis with generic data sources to provide a reasonableness check of the results. Following are the Peer Review comments with applicability response to this proposed change:

F&O: 3-4 Assessment: Cat I-III is NOT Met
Basis: Comparison of IE frequencies to industry mean values is performed in SPS PRA Notebook Part III, Volume IE.3, Revision 1, Table 2-4 by comparing 7 modeled Initiating Events with 5 other unit results and to NUREG/CR-5750. The remaining 12 Initiating Events (with Fault Trees) are not compared. Other Initiating Events are not compared.

===Response===
This is primarily a documentation concern. The Loss of SW IE was compared to the standard and the industry and was demonstrated to be reasonable. The SPS Loss of SW IE is unique due to the gravity feed configuration. The comparison of the modeled IEs demonstrated that the Surry frequencies were within the range of the standard and similar plants. The IEs that were not compared are expected to have similar results.
The following F&Os from the 2010 SPS PRA Focused Peer Review are considered closed:
2010 SPS Peer Review Closed F&Os
 
| F&O | Description | Comment | Dominion Response | Status |
|---|---|---|---|---|
| 1-10 | Mission time for TDAFW during a SBO is 24 hours, which is conservative. | The turbine driven AFW pump logic used under gate U1-SGC-BO is based on a 24 hour mission time. This may be somewhat conservative since the turbine driven pump is only credited for 4 hours in SBO. | The modeling of the TDAFW pump failure to run with a mission time of 24 hours instead of 4 hours is conservative. The basic approach taken for adding different running failure basic events with different mission times is that if the 24 hour mission time basic event has a high risk importance, then a new basic event with a mission time for the sequence would be developed. Since the importance of the TDAFW running failure basic events is not significant, a separate basic event was not added. | This F&O question is considered Closed. |
| 3-5 | Consider adding some recovery basic events to the fault tree model instead of adding as part of post-quantification processing using QRECOVER. | Recovery events are added to cutsets based on post-processing with QRECOVER and plant-specific rule file as discussed in SPS HR.3 notebook, Section 2.2, and the QU.1 notebook. Some recovery actions (e.g., REC-FTSCC and REC-FTSBC) should be modeled as HEPs in the FT so all pertinent cutsets are generated and dependency assessed. REC-FTSCC and REC-FTSBC are listed in HR.3 as recovery events; however, they are not utilized in the quantification process. These actions are typically utilized in Initiating Event fault trees in conjunction with auto-start failures. Not modeling these actions may cause cutsets not to be generated, dependencies not evaluated, and overall results impacted. | The two recovery actions that the reviewer identified as not being in the Surry PRA model but were calculated in the HR.3 model notebook were removed from the model during the transition from the Winnupra model to the Cafta model. Since the standby pumps get an auto-start signal if the running pump fails, these recoveries were AND'd with the failure of the pressure switch. Since these were not showing up in the cutsets, it was determined that credit for the operator recovery would not be included. If these pressure switch failure basic events had a high importance, then adding the recovery credit would be considered. | This F&O question is considered Closed. |
| 3-19 | Use of SPAR-H for HRA has limited accounting for Performance Shaping Factors | The plant's approach to analyzing HEPs is more involved than the Category I requirements (it is actually closer to Category II/III), but it does not address all of the PSFs identified for the Category II/III requirements (a limitation of the SPAR-H method); therefore, MET was selected for Category I. While SPAR-H methodology is close to meeting CC II/III, one of the limitations is that the PSFs are limited to the eight chosen. Additionally, each of the eight PSFs should be evaluated for interaction impacts which are not covered by the method. | Since this F&O relates to using SPAR-H, and F&O 3-18 indicates that SPAR-H method is not a valid method to meet Cat II, then this F&O will be closed out to F&O 3-18. | This F&O question is considered Closed. |
| 2-8 | QU.2 does not include detailed description of the CDF and LERF cutsets. | SPS QU.2 Notebook Section 2.3.2 discusses the dominant core damage accident sequences and has a detailed description of the top 5 sequences. Section 2.3.3 discusses the top CDF cutsets but does not document the review of a sample of significant cutsets. It is noted that Section 2.4.2 documents the review of nonsignificant cutsets. SPS QU.2 Notebook documents a review of the top 5 sequences but has no review of a sample of significant cutsets. | Detailed descriptions of the CDF and LERF cutsets are contained in the worksheets named "Top 100 U1 CDF Cutsets" and "Top 100 U1 LERF Cutsets" in Attachment 3 of the QU.2 notebook. | This F&O question is considered Closed. |

2012 SPS PRA Focused Peer Review
A focused scope Peer Review of the SPS PRA model against the requirements of the ASME/ANS PRA standard RA-Sb-2005 and any Clarifications and Qualifications provided in the NRC endorsement of the Standard contained in Revision 2 to RG 1.200 was conducted in June, 2012.
In the course of this review, thirty (30) new F&Os were prepared, including twenty-one (21) suggestions, and nine (9) findings. Many of these F&Os involve documentation issues. The 21 suggestions do not affect the technical adequacy of the PRA model and have no impact on the results of this evaluation. The following 9 findings have been evaluated as described in Table 4 below:
Nine Findings from 2012 SPS PRA Focused Peer Review

| F&O | Element | F&O Details | Possible Resolution | Basis of Significance | Importance to Application |
|---|---|---|---|---|---|
| 1-2 | IE-C6 | Scenario 1 in AS.2, Attachment 3, Appendix ISLOCA F is screened even though the event frequency would be greater than 1.0E-06 (calculated as 3.85E-06). This scenario should be reconsidered to ensure the screening is appropriately justified using the criteria specified in IE-C6. | Expand the discussion to include the probability of operator failure to secure HHSI and other failure modes that would result in continued HHSI operation given a rupture in the LHSI piping. | The calculated impact on CDF is small (<1%), the impact needs to be more fully documented to ensure the screening criteria is met. | There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16415), therefore this gap has no impact on this application. |
| 1-6 | QU-B7 | This guidance does not seem to be technically supported by NUREG/CR-5485 Section 5.4.4 which only supports removal of combinations of two common cause failure events where the combinations include the same pump (e.g., CCF of Pumps A and B in combination with CCF of pumps A and C). Further, NUREG/CR-5485 Section 5.2 notes that NUREG/CR-4780, Volume 1 discusses conditions under which these combinations may be valid (see NUREG/CR-4780, Volume 1, Section 3.3.1). | Remove the mutually exclusive logic for common cause failures or modify the logic to ensure only combinations of events including a common component and failure mode (e.g., Component A Independent Failure to Start in combination with CCF of Component A and B to Start) are removed. | The impact of the removal of the basic event combinations cannot be estimated based on available information. However, because this process may impact the importance of high safety significant components, it is designated as a finding. | A bounding sensitivity study evaluating the removal of the mutually exclusive logic for common cause failures results in an increase in the baseline CDF and LERF values (Ref. PRACC 16418). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function. |
| 1-8 | DA-D5 | A global assumption is made that staggered testing is applicable to all common cause events (SPS DA.3 Revision 5, Section 2.2.1, Item 1). Typically, some components such as containment isolation valves, HHSI isolation valves, and others may only be tested during the outages. Additional justification for application of the staggered testing assumption to those components tested on an 18 month basis during outages is needed. | Provide justification for application of the staggered testing assumption to components tested on an outage frequency including verification that redundant components are tested by different personnel at different times or apply alpha factors based on a non-staggered testing scheme to those components. | The alpha factors for components tested on a non-staggered basis are typically higher than those tested on a staggered basis. Therefore, this could be a significant impact on CDF or LERF depending on the specific components affected. | A bounding sensitivity study changing all CCFs from "staggered basis" to "non-staggered basis" results in an increase in the baseline CDF and LERF values (Ref. PRACC 16419). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function. |
| 1-10 | DA-D6, SY-B3 | The AAC diesel is included in a common cause group with the other emergency diesel generators even though SPS notebook SY.3.EP states that "The AAC diesel has a different manufacturer for the generator and the diesel engine and is unique to both units." SPS DA.3 addresses this in an assumption that states that "If SBO diesel is modeled as one of the EDG CCF groups, because of the less similarity between the EDG and SBO diesel, the alpha factor of 3 of 3 EDGs CCF to run may be set as 1.06E-2 * 0.9 = 9.54E-3 and the alpha factor of AAC diesel and 2 EDGs CCF to run may be set as 1.06E-2 * 0.1 = 1.06E-3." However, there is no technical basis for the factor of 10 reduction, only a qualitative discussion, yet this is dispositioned as not being a source of uncertainty. | There are two approaches that can be considered. The most defensible approach would be to identify all legitimate common elements between the EDGs and the SBO diesel, review the CCFWIN database to exclude diesel failure mechanisms that are not common between the Surry EDGs and the SBO diesel, and calculate the actual alpha factors. The second approach would be to identify that the factor of 10 reduction in the alpha factor is an estimate without a numerical basis, which makes it a plant-specific modeling uncertainty for Surry. Then sensitivity analyses could provide some insight into the importance the assumed factor (0.1, 0.2, 0.5, etc.) would have on the results. | The qualitative discussion of not all diesel CCF mechanisms existing between the EDGs and the SBO diesel is legitimate. However, the selection of 0.1 does not have a numerical justification, and could potentially be conservative or non-conservative, and it is not apparent the degree to which it affects the results since no sensitivities were documented. Any modeling assumption that could result in lowering the importance of the EDGs could impact applications such as MSPI. | A bounding sensitivity study evaluating the common cause group of emergency generators results in an increase in the baseline CDF and LERF values (Ref. PRACC 16420). However, the new increase in baseline CDF/LERF values would not impact the delta CDF/LERF results. Therefore, this gap has no impact on this application. |
| 2-2 | IE-C3 | The issue of ISLOCA flood propagation and steaming effects in the Safeguards Building is not adequately addressed. Section 2.4 of the IE.1 notebook states that flooding/spatial effects need not be considered because an unisolated ISLOCA was assumed to go directly to core damage. However, if there is a successful isolation prior to core damage, there is still a question about the effects of the water/steam that was already leaked. For example, AFW pump operation should be shown not to be impacted, as well as potential effects on the credited isolation valve itself. The PRA staff researched the issue during the peer review and provided information that appears to justify the operability of the isolation valve, but additional analysis is required and needs to be documented. | For the successfully isolated ISLOCA sequences, consider potential flood and steam effects from water that leaked out the break prior to isolation. Also, consider the potential for the isolation valve to be failed due to the effects. | Flood propagation and steam effects may not be an issue, but it cannot be determined for certain without further evaluation. | There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16421), therefore this gap has no impact on this application. |
| 2-3 | DA-A2, DA-D6 | Regarding component boundaries, Section 3.3.1 of the CCF GARD (NF-AA-PRA-101-2062, Rev. 4) states, "When defining common cause failure events (and utilizing generic data concerning the probability of these events), the analyst must ensure that the component boundaries assumed for common cause failures are consistent with the boundaries used for the independent failures." DOM.DA.1 Rev. 2 states "To ensure consistency between the generic database and the plant specific database, the component boundary needs to be verified. This notebook documents the generic database with component boundaries defined according to NUREG/CR-6928. This generic database shall be applicable to all of the Dominion PRA models." However, Assumption 8 in Section 2.2.1 of SPS DA.3 Rev. 5 states "CCF data boundaries were not compared to the boundaries of DOM DA.1. Generic common cause failure factors were used because no plant specific common cause failures were identified. A review of the generic common cause failures indicates that its boundaries were wider than DOM DA.1 boundaries." | Review CCF (and even the independent failure data) for component boundary consistency with the generic data and CCF factors. | While it is recognized that modeling extra events (such as diesel generator output breakers when they are part of the diesel component boundary in NUREG/CR-6928) is conservative, for accuracy and compliance with the Dominion GARD and DOM.DA.1 notebook, component boundaries should be consistent with the data. | There is no impact on CDF or LERF as this is a documentation enhancement and as stated in the description adds modeling conservatism (Ref. PRACC 16422), therefore this gap has no impact on this application. |


F&O 2-5 (Elements: SY-B3, DA-A1)
F&O Details: The CCF grouping appears to have been performed properly for pumps and some MOVs examined. However, checks of the Electric Power system model and check valves in SI and FW models show CCF combinations that are missing. In the Electric Power system model, the CCF of buses, inverters, breakers and fuel oil pump strainers (possibly other components as well) were modeled for complete failure of all in the group, but not for smaller numbers. For example, Table 3.8-1 shows 1EETFM-C8-480TFM being comprised of eight transformers. However, failure of a group as small as 2 (e.g., transformer 1H/1J) could be significant, as these transformers feed the 480V buses that power the 1N2A and 1B/28 recirculation spray pumps. While it is acceptable to model CCF of combinations greater than 4 jointly (as is stated in the Section 3.2.2 of the GARD, this means creating a joint probability that sums all the 5/8, 6/8, 7/8 and 8/8 combinations into one), the individual combinations of 2, 3 and 4 still need to be captured.
Possible Resolution: Perform a thorough review of all system models to identify any missing CCF groups. It is acceptable to treat the combinations greater than 4 failures a single event as long as the combinations are summed and treated as complete system failure. For such cases, it is still necessary to model the combinations of 2, 3 and 4 failures.
Basis of Significance: The missing CCF component groups yields non-conservative and potentially significant results.
Importance to Application: A bounding sensitivity study of additional CCFs results in an increase in the baseline CDF and LERF values (Ref. PRACC 16423). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.

F&O: 2-8
F&O Comment: QU.2 does not include detailed description of the CDF and LERF cutsets. SPS QU.2 Notebook Section 2.3.2 discusses the dominant core damage accident sequences and has a detailed description of the top 5 sequences. Section 2.3.3 discusses the top CDF cutsets but does not document the review of a sample of significant cutsets. It is noted that Section 2.4.2 documents the review of nonsignificant cutsets. SPS QU.2 Notebook documents a review of the top 5 sequences but has no review of a sample of significant cutsets.
Dominion Response: Detailed descriptions of the CDF and LERF cutsets are contained in the worksheets named "Top 100 U1 CDF Cutsets" and "Top 100 U1 LERF Cutsets" in Attachment 3 of the QU.2 notebook.
Status: This F&O question is considered Closed.
2012 SPS PRA Focused Peer Review

A focused scope Peer Review of the SPS PRA model against the requirements of the ASME/ANS PRA standard RA-Sb-2005 and any Clarifications and Qualifications provided in the NRC endorsement of the Standard contained in Revision 2 to RG 1.200 was conducted in June, 2012. In the course of this review, thirty (30) new F&Os were prepared, including twenty-one (21) suggestions, and nine (9) findings.
Many of these F&Os involve documentation issues. The 21 suggestions do not affect the technical adequacy of the PRA model and have no impact on the results of this evaluation.
The following 9 findings have been evaluated as described in Table 4 below:

Table 4: Nine Findings from 2012 SPS PRA Focused Peer Review

F&O 1-2 (Element: IE-C6)
F&O Details: Scenario 1 in AS.2, Attachment 3, Appendix ISLOCA F is screened even though the event frequency would be greater than 1.0E-06 (calculated as 3.85E-06). This scenario should be reconsidered to ensure the screening is appropriately justified using the criteria specified in IE-C6.
Possible Resolution: Expand the discussion to include the probability of operator failure to secure HHSI and other failure modes that would result in continued HHSI operation given a rupture in the LHSI piping.
Basis of Significance: The calculated impact on CDF is small (<1%), the impact needs to be more fully documented to ensure the screening criteria is met.
Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16415), therefore this gap has no impact on this application.

F&O 1-6 (Element: QU-B7)
F&O Details: This guidance does not seem to be technically supported by NUREG/CR-5485 Section 5.4.4 which only supports removal of combinations of two common cause failure events where the combinations include the same pump (e.g., CCF of Pumps A and B in combination with CCF of pumps A and C). Further, NUREG/CR-5485 Section 5.2 notes that NUREG/CR-4780, Volume 1 discusses conditions under which these combinations may be valid (see NUREG/CR-4780, Volume 1, Section 3.3.1).
Possible Resolution: Remove mutually exclusive logic for common cause failures or modify the logic to ensure only combinations of events including a common component and failure mode (e.g., Component A Independent Failure to Start in combination with CCF of Component A and B to Start) are removed.
Basis of Significance: The impact of the removal of the basic event combinations cannot be estimated based on available information. However, because this process may impact the importance of high safety significant components, it is designated as a finding.
Importance to Application: A bounding sensitivity study evaluating the removal of the mutually exclusive logic for common cause failures results in an increase in the baseline CDF and LERF values (Ref. PRACC 16418). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.

F&O 1-8 (Element: DA-D5)
F&O Details: A global assumption is made that staggered testing is applicable to all common cause events (SPS DA.3 Revision 5, Section 2.2.1, Item 1). Typically, some components such as containment isolation valves, HHSI isolation valves, and others may only be tested during the outages. Additional justification for application of the staggered testing assumption to those components tested on an 18 month basis during outages is needed.
Possible Resolution: Provide justification for application of the staggered testing assumption to components tested on an outage frequency including verification that redundant components are tested by different personnel at different times or apply alpha factors based on a non-staggered testing scheme to those components.
Basis of Significance: The alpha factors for components tested on a non-staggered basis are typically higher than those tested on a staggered basis. Therefore, this could be a significant impact on CDF or LERF depending on the specific components affected.
Importance to Application: A bounding sensitivity study changing all CCFs from "staggered basis" to "non-staggered basis" results in an increase in the baseline CDF and LERF values (Ref. PRACC 16419). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.

F&O 1-10 (Elements: DA-D6, SY-B3)
F&O Details: The AAC diesel is included in a common cause group with the other emergency diesel generators even though SPS notebook SY.3.EP states that "The AAC diesel has a different manufacturer for the generator and the diesel engine and is unique to both units." SPS DA.3 addresses this in an assumption that states that "If SBO diesel is modeled as one of the EDG CCF groups, because of the less similarity between the EDG and SBO diesel, the alpha factor of 3 of 3 EDGs CCF to run may be set as 1.06E-2 * 0.9 = 9.54E-3 and the alpha factor of AAC diesel and 2 EDGs CCF to run may be set as 1.06E-2 * 0.1 = 1.06E-3." However, there is no technical basis for the factor of 10 reduction, only a qualitative discussion, yet this is dispositioned as not being a source of uncertainty.
Possible Resolution: There are two approaches that can be considered. The most defensible approach would be to identify all legitimate common elements between the EDGs and the SBO diesel, review the CCFWIN database to exclude diesel failure mechanisms that are not common between the Surry EDGs and the SBO diesel, and calculate the actual alpha factors. The second approach would be to identify that the factor of 10 reduction in the alpha factor is an estimate without a numerical basis, which makes it a plant-specific modeling uncertainty for Surry. Then sensitivity analyses could provide some insight into the importance the assumed factor (0.1, 0.2, 0.5, etc.) would have on the results.
Basis of Significance: The qualitative discussion of not all diesel CCF mechanisms existing between the EDGs and the SBO diesel is legitimate. However, the selection of 0.1 does not have a numerical justification, and could potentially be conservative or non-conservative, and it is not apparent the degree to which it affects the results since no sensitivities were documented. Any modeling assumption that could result in lowering the importance of the EDGs could impact applications such as MSPI.
Importance to Application: A bounding sensitivity study evaluating the common cause group of emergency generators results in an increase in the baseline CDF and LERF values (Ref. PRACC 16420). However, the new increase in baseline CDF/LERF values would not impact the delta CDF/LERF results. Therefore, this gap has no impact on this application.

F&O 2-2 (Element: IE-C3)
F&O Details: The issue of ISLOCA flood propagation and steaming effects in the Safeguards Building is not adequately addressed. Section 2.4 of the IE.1 notebook states that flooding/spatial effects need not be considered because an unisolated ISLOCA was assumed to go directly to core damage. However, if there is a successful isolation prior to core damage, there is still a question about the effects of the water/steam that was already leaked. For example, AFW pump operation should be shown not to be impacted, as well as potential effects on the credited isolation valve itself. The PRA staff researched the issue during the peer review and provided information that appears to justify the operability of the isolation valve, but additional analysis is required and needs to be documented.
Possible Resolution: For the successfully isolated ISLOCA sequences, consider potential flood and steam effects from water that leaked out the break prior to isolation. Also, consider the potential for the isolation valve to be failed due to the effects.
Basis of Significance: Flood propagation and steam effects may not be an issue, but it cannot be determined for certain without further evaluation.
Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16421), therefore this gap has no impact on this application.

F&O 2-3 (Elements: DA-A2, DA-D6)
F&O Details: Regarding component boundaries, Section 3.3.1 of the CCF GARD (NF-AA-PRA-101-2062, Rev. 4) states, "When defining common cause failure events (and utilizing generic data concerning the probability of these events), the analyst must ensure that the component boundaries assumed for common cause failures are consistent with the boundaries used for the independent failures." DOM.DA.1 Rev. 2 states "To ensure consistency between the generic database and the plant specific database, the component boundary needs to be verified. This notebook documents the generic database with component boundaries defined according to NUREG/CR-6928. This generic database shall be applicable to all of the Dominion PRA models." However, Assumption 8 in Section 2.2.1 of SPS DA.3 Rev. 5 states "CCF data boundaries were not compared to the boundaries of DOM DA.1. Generic common cause failure factors were used because no plant specific common cause failures were identified. A review of the generic common cause failures indicates that its boundaries were wider than DOM DA.1 boundaries."
Possible Resolution: Review GCF (and even the independent failure data) for component boundary consistency with the generic data and CCF factors.
Basis of Significance: While it is recognized that modeling extra events (such as diesel generator output breakers when they are part of the diesel component boundary in NUREG/CR-6928) is conservative, for accuracy and compliance with the Dominion GARD and DOM.DA.1 notebook, component boundaries should be consistent with the data.
Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement and as stated in the description adds modeling conservatism (Ref. PRACC 16422), therefore this gap has no impact on this application.

F&O 2-5 (Elements: SY-B3, DA-A1)
F&O Details: The CCF grouping appears to have been performed properly for pumps and some MOVs examined. However, checks of the Electric Power system model and check valves in SI and FW models show CCF combinations that are missing. In the Electric Power system model, the CCF of buses, inverters, breakers and fuel oil pump strainers (possibly other components as well) were modeled for complete failure of all in the group, but not for smaller numbers. For example, Table 3.8-1 shows 1EETFM-C8-480TFM being comprised of eight transformers. However, failure of a group as small as 2 (e.g., transformer 1H/1J) could be significant, as these transformers feed the 480V buses that power the 1N2A and 1B/28 recirculation spray pumps. While it is acceptable to model CCF of combinations greater than 4 jointly (as is stated in the Section 3.2.2 of the GARD, this means creating a joint probability that sums all the 5/8, 6/8, 7/8 and 8/8 combinations into one), the individual combinations of 2, 3 and 4 still need to be captured.
The other logic reviewed that are missing combinations are seen under gates 1-SI-82, 1-SI-236, 1-FW-27, 1-FW-28, 1-FW-29 and 1-FW-61/1-FW-62.
These instances were identified in a short review of the system models, and the review team is concerned the problem is widespread.
Another item noted is Section 2.3 of the DOM.DA.3 notebook states "The Supply Breakers that feed the Emergency Buses, if there is a loss of off-site power, should be modeled for a common cause failure to open when the Emergency Diesel Generators are required to be running and supplying power to the emergency buses." This was not modeled in the EP fault trees (they would be expected under gates 1-EP-BKR-15H8-FTO and 1-EP-BKR-15J8-FTO-LC, etc.).
Possible Resolution: Perform a thorough review of all system models to identify any missing CCF groups. It is acceptable to treat the combinations greater than 4 failures a single event as long as the combinations are summed and treated as complete system failure. For such cases, it is still necessary to model the combinations of 2, 3 and 4 failures.
Basis of Significance: The missing CCF component groups yields non-conservative and potentially significant results.
Importance to Application: A bounding sensitivity study of additional CCFs results in an increase in the baseline CDF and LERF values (Ref. PRACC 16423). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.

F&O 2-8 (Elements: SY-B3, DA-A1)
F&O Details: The DOM.DA.3 R3 notebook Section 2.3 states that CCF of air-cooled transformers would not be modeled. There is no mention of this in the EP system notebook. Many of the transformers modeled in the PRA are air-cooled but have CCF modeled. The Surry PRA model would need to be updated to match the assumption in the DOM DA.3 notebook.
Possible Resolution: Update the model to be consistent with the DOM DA.3 guidelines.
Basis of Significance: This is presented as a finding because the PRA staff identified that the assumption in the DA.3 Rev. 3 notebook is correct and the model should be updated.
Importance to Application: There is no impact on CDF or LERF as this is conservative and will be removed from the model (Ref. PRACC 16424); therefore, this gap has no impact on this application.

F&O 2-9 (Element: DA-E3)
F&O Details: EPRI generic CCF sources of model uncertainty are tabulated in Table 1 of the SPS DA.3, Rev. 5 notebook. DA-A-2 notes that component boundaries are not consistent with the failure data, but states that this is a consensus model approach and not a source of uncertainty for Surry. This should be considered a source of model uncertainty and/or be corrected. Missing from the evaluation of sources of model uncertainty are all SPS-specific assumptions, including those tabulated in SPS DA.3 Rev. 5 Section 2.2.
Possible Resolution: Evaluate the plant-specific sources of model uncertainty related to the Surry CCF analysis.
Basis of Significance: Sources of uncertainty specific to the Surry CCF analysis need to be considered.
Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16425), therefore this gap has no impact on this application.

Review of Open Issues against the PRA Model (PRA Configuration Control)

The PRA Configuration Control database (PRACC) was reviewed in order to determine if any known modeling issues open against the S007Aa model could impact the results of this analysis. The following open issues were identified from Surry's PRACC database. These issues were addressed either by adjusting the S007Aa PRA model used to perform this risk evaluation, or by performing a sensitivity study to demonstrate that the issue was not significant to this analysis.

PRACC 1790 (Date Identified: 3/8/2004)
Description: Evaluate 1(2)CWHEP-LIC-1(2)06A/B via HRA methods. Current value is selected to be consistent with 1CWHEP-LIC-LVL
Importance to Application: Addressed with HEP sensitivity #1

PRACC 9486 (Date Identified: 10/21/2008)
Description: During the 2008 model update, the MAAP runs for the different scenarios were not completed in time before the model change freeze date. Need to update the HEPs in the HR.2 notebook using the times calculated from the MAAP runs.
Importance to Application: Addressed with HEP sensitivity #1

PRACC 9804 (Date Identified: 3/12/2009)
Description: The 2-RC-P-1C RCP seal will be replaced with a new Flowserve seal that has low leakage when there's a loss of RCP seal cooling. These seals are similar to the seals used by the Combustion Engineering (CE) plants. Therefore, the RCP seal LOCA model needs to be based on the CE seal LOCA model. WCAP-16175-P-A, RCP Seal Failure Model CE NSSS, documents the seal LOCA model. New seal package was installed in pump 02-RC-P-1C during the 2009 fall outage 11/18/09.
*********
The operator action to trip the RCPs given failure of RCP Seal Cooling should have the Tsw (time available to perform the action) set to 20 minutes based on the following:
WCAP-16175-P-A Rev 0, Model for Failure of RCP Seals Given Loss of Seal Cooling in CE NSSS Plants NRC SER specifically references RCP seal failure model condition event tree (in Chapter 6 of WCAP-16175-P, Revision 0) for stopping the RCP(s) affected by a LOSC. WCAP-16175-P-A Section 6.0, RCP Seal Failure Model. The event tree contains a node representing RCP20: RCPs Secured Within 20 Minutes? Therefore, it can be interpreted the NRC SER approved securing (i.e., tripping) the RCPs within 20 minutes. This has been agreed upon during discussion with Bill, Luke and Allen. Note, currently S007Aa does not model this operator action. Acm 7/22/15
Importance to Application: Addressed with Model change

PRACC 10931 (Date Identified: 1/20/2010)
Description: SPS operator actions, HEP-C-CDSGTR (cool down and depressurize RCS after a SGTR) and HEP-C-SGTR (isolate affected SG after a SGTR), are documented as having the same engineering time, Te, of 60 minutes in the SPS HR.2 Notebook. The equivalent operator actions for NAPS, HEP-1E3-13 (cool down and depressurize RCS after a SGTR) and HEP-1E3-3 (isolate affected SG after a SGTR), are documented as having a Te of 75 minutes and 56 minutes, respectively, in the NAPS HR.2 Notebook.
Furthermore, HEP-C-CDSGTR does not have a valid MAAP run available for the basis of the 60 minute Te, and HEP-1E3-13 references older IPE MAAP runs from NAPS and SPS. HEP-1E3-3 also references an IPE MAAP run. Therefore, new MAAP runs should be run for HEP-C-CDSGTR, HEP-C-SGTR, HEP-1E3-13, and HEP-1E3-3; and adequate documentation of the new MAAP runs should be placed in HR.2 Notebooks.
4/23/2014 This should be considered complete and closed when the model SPS-R06 is released. IPE MAAP runs are no longer used and all necessary MAAP runs are documented in our SC element notebooks to support post HEP required timings.
Importance to Application: Addressed with HEP sensitivity #1

PRACC 11521 (Date Identified: 7/7/2010)
Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3. In 2002, an operator survey was completed to document timing estimates from operators of various experience levels. The timing results from the survey are used in the HRA for the HEPs. Table 6.1 of HR.2 states "the response times for operator actions may be estimated by procedure talk through or operator surveys. Therefore, this is retained as a source of uncertainty." For the SPAR-H HEPs, time available is based on engineering judgment. The delay (TDelay), action (TM) and response times (T1/2) are conservative estimates based on a table top review of the procedures as well as input from other HEPs of similar actions and events. For the SPAR-H HEPs recently added to the SPS PRA model, the time available to complete the actions were not based on applicable generic studies (e.g. thermal/hydraulic analysis or simulations from similar plants) but on engineering judgment. In addition, prior HEPs were developed using the results of a 2002 survey and not on thermal/hydraulic analysis. (This F&O originated from SR HR-G4)
Associated SR(s): HR-G4
Importance to Application: Addressed with HEP sensitivity #1

PRACC 11522 (Date Identified: 7/7/2010)
Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3. SPS HR.2 does not check the consistency of the post-initiator HEP quantifications. A comparison of previous HEP values with current HEP values is found in the QU.2 notebook supporting files but no relative comparisons are made. A review of the SPS HEPs relative to each other to check for reasonableness has not been performed. (This F&O originated from SR HR-G6)
Associated SR(s): HR-G6
Importance to Application: Addressed with HEP sensitivity #1

PRACC 11523 (Date Identified: 7/7/2010)
Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3. The delay (TDelay), action (TM) and response times (T1/2) are conservative estimates based on a table top review of the procedures as well as input from other HEPs of similar actions and events. The newly added SPAR-H HEPs based the required time to complete actions on a table top review of the procedures and input from other procedures. To meet CC II, base the required time to complete the actions (for significant HEPs) on action time measurements in either walkthroughs or talkthroughs of the procedures or simulator observations. (This F&O originated from SR HR-G5)
Associated SR(s): HR-G5
Importance to Application: Addressed with HEP sensitivity #1

PRACC 11526 (Date Identified: 7/7/2010)
Description: ***Cloned from Record 11524*** From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3. This F&O contained several different issues. Thus, this PRACC record was cloned so that each issue has its own PRACC record. Several documentation issues were identified:
3. The SPAR-H HEPs recently added to the SPS PRA model are documented in HR.2. Four HEPs noted in Table A-2 (New HEPs Added) that were evaluated, do not appear in the Fault Tree. One new HEP listed (HEP-CPORTGENRMP) was not analyzed and is also not in the FT. New HEPs added for the recent model update were not necessarily covered by the 2002 survey results. System Analysis notebooks and review of HR.2 does not indicate that simulator observations or talkthroughs with operators were performed. For the SPAR-H HEPs recently added to the SPS PRA model, the time available to complete the actions were not based on applicable generic studies (e.g. thermal/hydraulic analysis or simulations from similar plants). (This F&O originated from SR HR-I1)
Associated SR(s): HR-I1, HR-I2
Importance to Application: Addressed with HEP sensitivity #1

PRACC 11538 (Date Identified: 7/8/2010)
Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3. SPS GARD NF-AA-PRA-101-2052 states in Section 3.5, "the SPAR-H model is not recommended where more detailed analysis of diagnosis errors is needed" and references NUREG/CR-1842 for more information. The NUREG states "This approach results in a somewhat 'generic' answer that is sufficient for some of the broad regulatory applications for which SPAR-H is intended, but perhaps is insufficient for detailed plant-specific evaluations (a limitation)" and also references NUREG-1792. This NUREG states "detailed assessments of the significant HFE contributors should be performed." The SPAR-H methodology is not a consensus model and seldom used in plant specific utility PRAs. Referenced documents show it should not be used to obtain detailed results. Additionally, it cannot be assumed that conservative results are obtained by SPAR-H as the evaluation of PSFs better than nominal can produce nonconservative values. (This F&O originated from SR HR-G1)
Associated SR(s): HR-G1
Importance to Application: Addressed with HEP sensitivity #1

PRACC 11568 (Date Identified: 7/13/2010)
Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3. The analysis uses an "engineering judgment" approach to dependency analysis which considers most "recognized" PSFs. Most of the dependencies are associated with one or two factors, and it is not clear how all of the "recognized" factors affect any single dependency analysis. There is no comparison of the "engineering judgment" based results to results that would be obtained from using other techniques such as the HRA calculator. A comparison of the Surry dependency results with those obtained from using an available dependency calculator produced the same results if only one PSF were considered. Also, differences were obtained when comparing 2- and 3-error combination dependencies. Newer techniques for analyzing dependency are available. These techniques allow consideration of multiple PSFs during the analysis. (This F&O originated from SR HR-G7)
Associated SR(s): HR-G7
Importance to Application: Addressed with HEP sensitivity #1

PRACC 13932 (Date Identified: 7/11/2011)
Description: Changes RCP seal packages to N-9000 Flowserve. This potentially affects the Loss of Seal Cooling sequences as the RCP seals are modeled.
Importance to Application: Addressed with Model change

PRACC 16525 (Date Identified: 9/7/2012)
Description: REACTOR COOLANT PUMP SEAL REPLACEMENT 1-RC-P-1A
Importance to Application: Addressed with Model change

PRACC 16527 (Date Identified: 9/7/2012)
Description: REACTOR COOLANT PUMP (RCP) SEAL REPLACEMENT (1-RC-P-1C)
Importance to Application: Addressed with Model change

PRACC 16674 (Date Identified: 12/6/2012)
Description: REACTOR COOLANT PUMP (RCP) SEAL REPLACEMENT (2-RC-P-1B)/S/2
Importance to Application: Addressed with Model change

PRACC 17079 (Date Identified: 3/12/2014)
Description: The MAAP parameter file lists parameter MWCSTO (ECST initial water inventory) as 91,137 gal referencing Surry AFW Design Basis Document (SDBD-SPS-AFW) Rev. 13. This value is different in the latest revision of Surry DBD, and the Tech Spec minimum is 96,000 gal. Consider revising parameter MWCSTO. Also, HHSI pump flow curve (parameters ZHDP5 and WVPM5) references Rev.2 of ME-0771. The latest revision of this calculation is Rev.4 and it provides a slightly different pump curve (see test limit curve). Consider revising the HHSI pump curve per the latest revision of ME-0771.
4/15/2014 per email dtd. 4/1/2014 from CBL NSA's ECST sizing calc SM-1612 seems to indicate that the ECST volume minimum setpoint is set so that the TS min available volume of 96,000 gal is met, accounting for unusable volume due to vortexing and suction nozzle position (page 12).
Importance to Application: Addressed with HEP sensitivity #1

PRACC 17822 (Date Identified: 1/12/2016)
Description: HR worksheet for HEP-C-XFERBS describes procedural actions to close feeder breakers for transfer buses. In the SPSR06 model this HEP is and'ed with LOOP initiators including CLOOP and RSST failures (initiators). Closing the feed for transfer bus does not, in and of itself, help the station recover from LOOP or RSST failure. Therefore this modeling is incorrect.
Importance to Application: Addressed with Model change

PRACC 17872 (Date Identified: 3/10/2016)
Description: The SM-1123 calculation used as a basis for the fault tree structure for HEP-C-HVACES for loss of chilled water/ESGR AHUs does not bound all of the initiating events and accident sequences this HEP is applied to. The ESGR heat loads assumed in this calculation are for normal operating, 100% power conditions. Events such as LOCA which require SI have the potential for higher heat loads than what is assumed in SM-1123. Refer SY.2 assumption VS06. If chilled water is unavailable, it is uncertain as to whether the operator actions of O-AP-13.02 are sufficient to prevent failure of ESGR electrical equipment in accident sequences that require SI.
Importance to Application: Addressed with Model change
VIRGINIA ELECTRIC AND POWER COMPANY RICHMOND, VIRGINIA 23261 May 18, 2016 U. S. Nuclear Regulatory Commission Attention:
Document Control Desk Washington, DC 20555-0001 VIRGINIA ELECTRIC AND POWER COMPANY SURRY POWER STATION UNITS 1 AND 2 PROPOSED LICENSE AMENDMENT REQUEST 10 CFR 50.90 Serial No.:
SPS/LIC-CGL:
RO Docket Nos.: 50-280/281 License Nos.: DPR-32/37 EXTENSION OF TS 3.14 SERVICE WATER FLOW PATH ALLOWED OUTAGE TIMES AND DELETION OF EXPIRED TEMPORARY SERVICE WATER JUMPER REQUIREMENTS Pursuant to 10 CFR 50.90, Virginia Electric and Power Company (Dominion) is submitting a license amendment request to revise Surry Power Station (Surry) Units 1 ahd 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR)
Air Conditioning (AC) subsystem.
TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable.
Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.17 4 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements have expired and are no longer necessary.*
Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis* discussion is administrative in nature. Attachment 1 provides a discussion and assessment of the proposed change, including the results and conclusions from the supporting PRA. The marked-up and proposed pages for the TS and TS Basis are provided in Attachments 2 and 3, respectively._
The TS Basis changes are provided for NRC information only. Attachment 4 provides a discussion of the technical adequacy of the PRA model. We have evaluated the proposed amendment and have determined that it does not involve a significant hazards consideration as defined in 1 O CFR 50.92. The basis for Serial No. 16-180 Docket Nos. 50-280/281 Page 2 of 3 this determination is included in Attachment
: 1. We have also determined that operation with the proposed change will not result in any significant increase in the amount of effluents that may be released offsite or any significant increase in individual or cumulative occupational radiation exposure.
Therefore, the proposed amendment is eligible for categorical exclusion from an environmental assessment as set forth in 10 CFR 51.22(c)(9).
Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment is needed in connection with the approval of the proposed change. The proposed TS change has been reviewed and approved by the Facility Safety Review Committee.
Dominion requests approval of the proposed change by May 31, 2017 with a 60-day implementation period. Should you have any questions or require additional information, please contact Mr. Gary D. Miller at (804) 273-2771.
Respectfully, Mark D. Sartain Vice President
-Nuclear Engineering Commitments contained in this letter: None Attachments:
: 1. Discussion of Change 2. Marked-up Technical Specifications and Basis Pages 3. Proposed Technical Specifications and Basis Pages 4. Technical Adequacy of the Probabilistic Risk Assessment Model COMMONWEAL TH OF VIRGINIA COUNTY OF HENRICO The foregoing document was acknowledged before me, in and for the County and Commonwealth aforesaid, today by Mr. Mark D. Sartain, who is Vice President
-Nuclear Engineering, of Virginia Electric and Power Company. He has affirmed before me that he is duly authorized to execute and file the foregoing document in behalf of that company, and that the statements in the document are true to the best of his knowledge and belief. Acknowledged before me this [ 8 'Jlday 2016. My Commission Expires: 5 -3 \ -\ g . \ALL 2:1u.e.e.
Notary Public --.,.,. . . *.
.. , ' . NOTARY PUBLIC :Commonwealth of Virginia . Reg. It My* commission
!;.itp11v
.. s Mt\l31;z.o 18 ---* v -
cc: U.S. Nuclear Regulatory Commission
-Region II Marquis One Tower 245 Peachtree Center Avenue, NE Suite 1200 Atlanta, GA 30303-1257 State Health Commissioner Virginia Department of Health James Madison Building -ih floor 109 Governor Street Suite 730 Richmond, VA 23219 Ms. K. R. Cotton Gross NRC Project Manager -Surry U.S. Nuclear Regulatory Commission One White Flint North Mail Stop 08 G-9A 11555 Rockville Pike Rockville, MD 20852-2738 Dr. V. Sreenivas NRC Project Manager -North Anna U.S. Nuclear Regulatory Commission One White Flint North Mail Stop 08 G-9A 11555 Rockville Pike Rockville, MD 20852-2738 NRC Senior Resident Inspector Surry Power Station Serial No. 16-180 Docket Nos. 50-280/281 Page 3 of 3 Attachment 1 . DISCUSSION OF CHANGE Virginia Electric and Power Company (Dominion)
Surry Station Units 1 and 2 Serial No. 16-180 Docket Nos. 50-280/281 Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 1 of 36 DISCUSSION OF CHANGE TABLE OF CONTENTS 1.0. Introduction


Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 27 of 36

{| class="wikitable"
! F&O !! Element !! F&O Details !! Possible Resolution !! Basis of Significance !! Importance to Application
|-
| 2-8
| SY-83, DA-A1
| The DOM.DA.3 R3 notebook Section 2.3 states that CCF of air-cooled transformers would not be modeled. There is no mention of this in the EP system notebook. Many of the transformers modeled in the PRA are air-cooled but have CCF modeled. The Surry PRA model would need to be updated to match the assumption in the DOM DA.3 notebook.
| Update the model to be consistent with the DOM DA.3 guidelines.
| This is presented as a finding because the PRA staff identified that the assumption in the DA.3 Rev. 3 notebook is correct and the model should be updated.
| There is no impact on CDF or LERF as this is conservative and will be removed from the model (Ref. PRACC 16424); therefore, this gap has no impact on this application.
|-
| 2-9
| DA-E3
| EPRI generic CCF sources of model uncertainty are tabulated in Table 1 of the SPS DA.3, Rev. 5 notebook. DA-A-2 notes that component boundaries are not consistent with the failure data, but states that this is a consensus model approach and not a source of uncertainty for Surry. This should be considered a source of model uncertainty and/or be corrected. Missing from the evaluation of sources of model uncertainty are all SPS-specific assumptions, including those tabulated in SPS DA.3 Rev. 5 Section 2.2.
| Evaluate the plant-specific sources of model uncertainty related to the Surry CCF analysis.
| Sources of uncertainty specific to the Surry CCF analysis need to be considered.
| There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16425), therefore this gap has no impact on this application.
|}
Review of Open Issues against the PRA Model (PRA Configuration Control)

The PRA Configuration Control database (PRACC) was reviewed to determine whether any known modeling issues open against the S007Aa model could impact the results of this analysis. The following open issues were identified from Surry's PRACC database. These issues were addressed either by adjusting the S007Aa PRA model used to perform this risk evaluation, or by performing a sensitivity study to demonstrate that the issue was not significant to this analysis.

{| class="wikitable"
! PRACC !! Date Identified !! Description !! Importance to Application
|-
| 1790
| 3/8/2004
| Evaluate 1(2)CWHEP-LIC-1 (2)06A/B via HRA methods. Current value is selected to be consistent with 1CWHEP-LIC-LVL
| Addressed with HEP sensitivity #1
|-
| 9486
| 10/21/2008
| During the 2008 model update, the MAAP runs for the different scenarios were not completed in time before the model change freeze date. Need to update the HEPs in the HR.2 notebook using the times calculated from the MAAP runs.
| Addressed with HEP sensitivity #1
|-
| 9804
| 3/12/2009
| The 2-RC-P-1C RCP seal will be replaced with a new Flowserve seal that has low leakage when there's a loss of RCP seal cooling. These seals are similar to the seals used by the Combustion Engineering (CE) plants. Therefore, the RCP seal LOCA model needs to be based on the CE seal LOCA model. WCAP-16175-P-A, RCP Seal Failure Model CE NSSS, documents the seal LOCA model.

New seal package was installed in pump 02-RC-P-1C during the 2009 fall outage 11/18/09.

The operator action to trip the RCPs given failure of RCP Seal Cooling should have the Tsw (time available to perform the action) set to 20 minutes based on the following:

WCAP-16175-P-A Rev 0, Model for Failure of RCP Seals Given Loss of Seal Cooling in CE NSSS Plants NRC SER specifically references RCP seal failure model condition event tree (in Chapter 6 of WCAP-16175-P, Revision 0) for stopping the RCP(s) affected by a LOSC.

WCAP-16175-P-A Section 6.0, RCP Seal Failure Model. The event tree contains a node representing RCP20: RCPs Secured Within 20 Minutes?

Therefore, it can be interpreted the NRC SER approved securing (i.e., tripping) the RCPs within 20 minutes.

This has been agreed upon during discussion with Bill, Luke and Allen.

Note, currently S007Aa does not model this operator action.

Acm 7/22/15
| Addressed with Model change
|-
| 10931
| 1/20/2010
| SPS operator actions, HEP-C-CDSGTR (cool down and depressurize RCS after a SGTR) and HEP-C-SGTR (isolate affected SG after a SGTR), are documented as having the same engineering time, Te, of 60 minutes in the SPS HR.2 Notebook. The equivalent operator actions for NAPS, HEP-1E3-13 (cool down and depressurize RCS after a SGTR) and HEP-1E3-3 (isolate affected SG after a SGTR), are documented as having a Te of 75 minutes and 56 minutes, respectively, in the NAPS HR.2 Notebook.

Furthermore, HEP-C-CDSGTR does not have a valid MAAP run available for the basis of the 60 minute Te, and HEP-1E3-13 references older IPE MAAP runs from NAPS and SPS. HEP-1E3-3 also references an IPE MAAP run.

Therefore, new MAAP runs should be run for HEP-C-CDSGTR, HEP-C-SGTR, HEP-1E3-13, and HEP-1E3-3; and adequate documentation of the new MAAP runs should be placed in HR.2 Notebooks.

4/23/2014 This should be considered complete and closed when the model SPS-R06 is released. IPE MAAP runs are no longer used and all necessary MAAP runs are documented in our SC element notebooks to support post HEP required timings.
| Addressed with HEP sensitivity #1
|-
| 11521
| 7/7/2010
| From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

In 2002, an operator survey was completed to document timing estimates from operators of various experience levels. The timing results from the survey are used in the HRA for the HEPs. Table 6.1 of HR.2 states "the response times for operator actions may be estimated by procedure talk through or operator surveys. Therefore, this is retained as a source of uncertainty." For the SPAR-H HEPs, time available is based on engineering judgment. The delay (TDelay), action (TM) and response times (T1/2) are conservative estimates based on a table top review of the procedures as well as input from other HEPs of similar actions and events.

For the SPAR-H HEPs recently added to the SPS PRA model, the time available to complete the actions were not based on applicable generic studies (e.g. thermal/hydraulic analysis or simulations from similar plants) but on engineering judgment. In addition, prior HEPs were developed using the results of a 2002 survey and not on thermal/hydraulic analysis.

(This F&O originated from SR HR-G4)

Associated SR(s): HR-G4
| Addressed with HEP sensitivity #1
|-
| 11522
| 7/7/2010
| From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

SPS HR.2 does not check the consistency of the post-initiator HEP quantifications. A comparison of previous HEP values with current HEP values is found in the QU.2 notebook supporting files but no relative comparisons are made.

A review of the SPS HEPs relative to each other to check for reasonableness has not been performed.

(This F&O originated from SR HR-G6)

Associated SR(s): HR-G6
| Addressed with HEP sensitivity #1
|-
| 11523
| 7/7/2010
| From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

The delay (TDelay), action (TM) and response times (T1/2) are conservative estimates based on a table top review of the procedures as well as input from other HEPs of similar actions and events.

The newly added SPAR-H HEPs based the required time to complete actions on a table top review of the procedures and input from other procedures.

To meet CC II, base the required time to complete the actions (for significant HEPs) on action time measurements in either walkthroughs or talkthroughs of the procedures or simulator observations.

(This F&O originated from SR HR-G5)

Associated SR(s): HR-G5
| Addressed with HEP sensitivity #1
|-
| 11526
| 7/7/2010
| ***Cloned from Record 11524***

From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

This F&O contained several different issues. Thus, this PRACC record was cloned so that each issue has its own PRACC record.

Several documentation issues were identified:

3. The SPAR-H HEPs recently added to the SPS PRA model are documented in HR.2. Four HEPs noted in Table A-2 (New HEPs Added) that were evaluated, do not appear in the Fault Tree. One new HEP listed (HEP-CPORTGENRMP) was not analyzed and is also not in the FT. New HEPs added for the recent model update were not necessarily covered by the 2002 survey results. System Analysis notebooks and review of HR.2 does not indicate that simulator observations or talkthroughs with operators were performed.

For the SPAR-H HEPs recently added to the SPS PRA model, the time available to complete the actions were not based on applicable generic studies (e.g. thermal/hydraulic analysis or simulations from similar plants).

(This F&O originated from SR HR-11)

Associated SR(s): HR-11, HR-12
| Addressed with HEP sensitivity #1
|-
| 11538
| 7/8/2010
| From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

SPS GARD NF-AA-PRA-101-2052 states in Section 3.5, "the SPAR-H model is not recommended where more detailed analysis of diagnosis errors is needed" and references NUREG/CR-1842 for more information. The NUREG states "This approach results in a somewhat 'generic' answer that is sufficient for some of the broad regulatory applications for which SPAR-H is intended, but perhaps is insufficient for detailed plant-specific evaluations (a limitation)" and also references NUREG-1792. This NUREG states "detailed assessments of the significant HFE contributors should be performed."

The SPAR-H methodology is not a consensus model and seldom used in plant specific utility PRAs. Referenced documents show it should not be used to obtain detailed results. Additionally, it cannot be assumed that conservative results are obtained by SPAR-H as the evaluation of PSFs better than nominal can produce nonconservative values.

(This F&O originated from SR HR-G1)

Associated SR(s): HR-G1
| Addressed with HEP sensitivity #1
|-
| 11568
| 7/13/2010
| From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

The analysis uses an "engineering judgment" approach to dependency analysis which considers most "recognized" PSFs. Most of the dependencies are associated with one or two factors, and it is not clear how all of the "recognized" factors affect any single dependency analysis. There is no comparison of the "engineering judgment" based results to results that would be obtained from using other techniques such as the HRA calculator. A comparison of the Surry dependency results with those obtained from using an available dependency calculator produced the same results if only one PSF were considered. Also, differences were obtained when comparing 2- and 3-error combination dependencies.

Newer techniques for analyzing dependency are available. These techniques allow consideration of multiple PSFs during the analysis.

(This F&O originated from SR HR-G7)

Associated SR(s): HR-G7
| Addressed with HEP sensitivity #1
|-
| 13932
| 7/11/2011
| Changes RCP seal packages to N-9000 Flowserve. This potentially affects the Loss of Seal Cooling sequences as the RCP seals are modeled.
| Addressed with Model change
|-
| 16525
| 9/7/2012
| REACTOR COOLANT PUMP SEAL REPLACEMENT 1-RC-P-1A
| Addressed with Model change
|-
| 16527
| 9/7/2012
| REACTOR COOLANT PUMP (RCP) SEAL REPLACEMENT (1-RC-P-1C)
| Addressed with Model change
|-
| 16674
| 12/6/2012
| REACTOR COOLANT PUMP (RCP) SEAL REPLACEMENT (2-RC-P-1B)/S/2
| Addressed with Model change
|-
| 17079
| 3/12/2014
| The MAAP parameter file lists parameter MWCSTO (ECST initial water inventory) as 91,137 gal referencing Surry AFW Design Basis Document (SDBD-SPS-AFW) Rev. 13. This value is different in the latest revision of Surry DBD, and the Tech Spec minimum is 96,000 gal. Consider revising parameter MWCSTO.

Also, HHSI pump flow curve (parameters ZHDP5 and WVPM5) references Rev.2 of ME-0771. The latest revision of this calculation is Rev.4 and it provides a slightly different pump curve (see test limit curve). Consider revising the HHSI pump curve per the latest revision of ME-0771.

4/15/2014 per email dtd. 4/1/2014 from CBL NSA's ECST sizing calc SM-1612 seems to indicate that the ECST volume minimum setpoint is set so that the TS min available volume of 96,000 gal is met, accounting for unusable volume due to vortexing and suction nozzle position (page 12).
| Addressed with HEP sensitivity #1
|-
| 17822
| 1/12/2016
| HR worksheet for HEP-C-XFERBS describes procedural actions to close feeder breakers for transfer buses. In the SPSR06 model this HEP is and'ed with LOOP initiators including CLOOP and RSST failures (initiators). Closing the feed for transfer bus does not, in and of itself, help the station recover from LOOP or RSST failure. Therefore this modeling is incorrect.
| Addressed with Model change
|-
| 17872
| 3/10/2016
| The SM-1123 calculation used as a basis for the fault tree structure for HEP-C-HVACES for loss of chilled water/ESGR AHUs does not bound all of the initiating events and accident sequences this HEP is applied to. The ESGR heat loads assumed in this calculation are for normal operating, 100% power conditions. Events such as LOCA which require SI have the potential for higher heat loads than what is assumed in SM-1123. Refer SY.2 assumption VS06. If chilled water is unavailable, it is uncertain as to whether the operator actions of O-AP-13.02 are sufficient to prevent failure of ESGR electrical equipment in accident sequences that require SI.
| Addressed with Model change
|}


VIRGINIA ELECTRIC AND POWER COMPANY
RICHMOND, VIRGINIA 23261

May 18, 2016

10 CFR 50.90

U. S. Nuclear Regulatory Commission
Attention: Document Control Desk
Washington, DC 20555-0001

Serial No.: 16-180
SPS/LIC-CGL: RO
Docket Nos.: 50-280/281
License Nos.: DPR-32/37

VIRGINIA ELECTRIC AND POWER COMPANY
SURRY POWER STATION UNITS 1 AND 2
PROPOSED LICENSE AMENDMENT REQUEST
EXTENSION OF TS 3.14 SERVICE WATER FLOW PATH ALLOWED OUTAGE TIMES AND DELETION OF EXPIRED TEMPORARY SERVICE WATER JUMPER REQUIREMENTS

Pursuant to 10 CFR 50.90, Virginia Electric and Power Company (Dominion) is submitting a license amendment request to revise Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning (AC) subsystem.

TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable. Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change.

This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements have expired and are no longer necessary. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature.

Attachment 1 provides a discussion and assessment of the proposed change, including the results and conclusions from the supporting PRA. The marked-up and proposed pages for the TS and TS Basis are provided in Attachments 2 and 3, respectively. The TS Basis changes are provided for NRC information only. Attachment 4 provides a discussion of the technical adequacy of the PRA model.

We have evaluated the proposed amendment and have determined that it does not involve a significant hazards consideration as defined in 10 CFR 50.92. The basis for this determination is included in Attachment 1. We have also determined that operation with the proposed change will not result in any significant increase in the amount of effluents that may be released offsite or any significant increase in individual or cumulative occupational radiation exposure. Therefore, the proposed amendment is eligible for categorical exclusion from an environmental assessment as set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment is needed in connection with the approval of the proposed change. The proposed TS change has been reviewed and approved by the Facility Safety Review Committee.

Dominion requests approval of the proposed change by May 31, 2017 with a 60-day implementation period.

Should you have any questions or require additional information, please contact Mr. Gary D. Miller at (804) 273-2771.

Respectfully,

Mark D. Sartain
Vice President - Nuclear Engineering

Commitments contained in this letter: None

Attachments:
: 1. Discussion of Change
: 2. Marked-up Technical Specifications and Basis Pages
: 3. Proposed Technical Specifications and Basis Pages
: 4. Technical Adequacy of the Probabilistic Risk Assessment Model

COMMONWEALTH OF VIRGINIA
COUNTY OF HENRICO

The foregoing document was acknowledged before me, in and for the County and Commonwealth aforesaid, today by Mr. Mark D. Sartain, who is Vice President - Nuclear Engineering, of Virginia Electric and Power Company. He has affirmed before me that he is duly authorized to execute and file the foregoing document in behalf of that company, and that the statements in the document are true to the best of his knowledge and belief.

Acknowledged before me this 18th day of May, 2016.

My Commission Expires: 5-31-18.

Notary Public

cc:
: U.S. Nuclear Regulatory Commission - Region II, Marquis One Tower, 245 Peachtree Center Avenue, NE, Suite 1200, Atlanta, GA 30303-1257
: State Health Commissioner, Virginia Department of Health, James Madison Building - 7th floor, 109 Governor Street, Suite 730, Richmond, VA 23219
: Ms. K. R. Cotton Gross, NRC Project Manager - Surry, U.S. Nuclear Regulatory Commission, One White Flint North, Mail Stop 08 G-9A, 11555 Rockville Pike, Rockville, MD 20852-2738
: Dr. V. Sreenivas, NRC Project Manager - North Anna, U.S. Nuclear Regulatory Commission, One White Flint North, Mail Stop 08 G-9A, 11555 Rockville Pike, Rockville, MD 20852-2738
: NRC Senior Resident Inspector, Surry Power Station


Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1

DISCUSSION OF CHANGE

Virginia Electric and Power Company (Dominion)
Surry Station Units 1 and 2

DISCUSSION OF CHANGE

TABLE OF CONTENTS
: 1.0 Introduction
: 2.0 Description of Proposed Change
: 3.0 Technical Evaluation
:: 3.1 Charging Pump Service Water Subsystem and Main Control Room and Emergency Switchgear Room Air Conditioning Subsystem Description
:: 3.2 Evaluation of Extended Allowed Outage Time
:: 3.3 Deletion of Requirements for Temporary Service Water Jumper to Component Cooling Heat Exchangers
: 4.0 Regulatory Evaluation
:: 4.1 Applicable Regulatory Requirements
:: 4.2 NUREG-1431, Standard Technical Specifications - Westinghouse Plants
:: 4.3 No Significant Hazards Consideration
: 5.0 Probabilistic Risk Assessment
:: 5.1 Purpose
:: 5.2 Introduction
:: 5.3 Analysis
:: 5.4 Results and Conclusions
: 6.0 Environmental Assessment
: 7.0 Conclusion


==1.0 INTRODUCTION==
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 2 of 36 DISCUSSION OF CHANGE


Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 2 of 36 The proposed change revises Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR)
==1.0      INTRODUCTION==
Air Conditioning (AC) subsystem.
TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable.
Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps. The proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs. A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.
The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements were included in the Surry TS to allow cleaning, inspection, repair and recoating of the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. These requirements have expired and are no longer necessary.
Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The TS 3.14 Basis deletion is provided to the NRC for information.


==2.0 DESCRIPTION==
The proposed change revises Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning (AC) subsystem. TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable. Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps. The proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.
A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.
The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements were included in the Surry TS to allow cleaning, inspection, repair and recoating of the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. These requirements have expired and are no longer necessary. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The TS 3.14 Basis deletion is provided to the NRC for information.


==2.0      DESCRIPTION==
OF PROPOSED CHANGE The proposed revision extends the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours.
OF PROPOSED CHANGE The proposed revision extends the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours.
TS 3.14.C currently states: C. The requirements of Specifications 3.14.A.5, 3.14.A.6, and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem, the recirculation spray subsystems, and to the main control and emergency switchgear rooms air conditioning condensers.
 
If the affected systems are not restored to the requirements of Specifications
TS 3.14.C currently states:
3.14.A.5, 3.14.A.6, and 3.14.A.7 within 24 hours, the reactor shall be placed in HOT SHUTDOWN.
C. The requirements of Specifications 3.14.A.5, 3.14.A.6, and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem, the recirculation spray subsystems, and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5, 3.14.A.6, and 3.14.A.7 within 24 hours, the reactor shall be placed in HOT SHUTDOWN. If the requirements of Specifications 3.14.A.5, 3.14.A.6, and 3.14.A.7 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN.
If the requirements of Specifications
The proposed change revises the Surry TS as follows: 1) TS 3.14.C is revised to extend the CPSW subsystem flow path and the MCR/ESGR AC condensers flow path AOTs from 24 to 72 hours and to relocate the flow path AOT for the Recirculation Spray (RS) subsystems to a new specification, and 2) new TS 3.14.D is created for the existing flow path AOT for the RS subsystems. The flow path AOT in the new TS 3.14.D for the RS subsystems is not being modified. The revised TS 3.14.C and the new TS 3.14.D are proposed as follows:
3.14.A.5, 3.14.A.6, and 3.14.A.7 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN.
C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.
The proposed change revises the Surry TS as follows: 1) TS 3.14.C is revised to extend the CPSW subsystem flow path and the MCR/ESGR AC condensers flow path AOTs from 24 to 72 hours and to relocate the flow path AOT for the Recirculation Spray (RS) subsystems to a new specification, and 2) new TS 3.14.D is created for the existing flow path AOT for the RS subsystems.
D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems. If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.
The flow path AOT in the new TS 3.14.D for the RS subsystems is not being modified.
The proposed revision also deletes the following requirements for the temporary SW jumper to the CCHXs:
The revised TS 3.14.C and the new TS 3.14.D are proposed as follows: C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers.
: 1. Unit 1 License Condition U on page 9 of the Unit 1 Operating License
If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours. D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems.
: 2. Unit 2 License Condition U on page 9 of the Unit 2 Operating License
If the affected system is not restored to the requirements of Specification
3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification
3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours. The proposed revision also deletes the following requirements for the temporary SW jumper to the CCHXs:
: 1. Unit 1 License Condition U on page 9 of the Unit 1 Operating License
: 2. Unit 2 License Condition U on page 9 of the Unit 2 Operating License
: 3. Note B in TS Table 3.7-2 on page TS 3.7-20
: 4. The footnote associated with TS 3.14.A.2.b on page TS 3.14-1
: 5. The last paragraph in the TS 3.14 Basis on pages TS 3.14-4 and TS 3.14-4a
3.0 TECHNICAL EVALUATION


===3.1 Charging===
Pump Service Water Subsystem and Main Control Room and Emergency Switchgear Room Air Conditioning Subsystem Description The Surry Units 1 and 2 Circulating Water (CW) and Service Water (SW) Systems, which are supplied by the James River, are designed for the removal of heat resulting from the operation of various systems and components for both units. The CW System cools the main condenser, and the SW System provides cooling water to the following components:
: 4. The footnote associated with TS 3.14.A.2.b on page TS 3.14-1
: 1. Bearing Cooling (BC) water heat exchangers,
: 2. Component Cooling (CC) heat exchangers,
: 3. Recirculation Spray (RS) heat exchangers,
: 4. Main control room and emergency switchgear room (MCR/ESGR) air conditioning (AC) condensers (chillers), and
: 5. Charging Pump Service Water (CPSW) subsystem.
: 5. The last paragraph in the TS 3.14 Basis on pages TS 3.14-4 and TS 3.14-4a
The CW and SW Systems' configuration is shown in Figures 1 and 2 (located at the end of Attachment 1). Figure 3 below is provided for illustration purposes and shows the flow paths and components of interest.
The SW flow paths in the Mechanical Equipment Rooms (MERs) support both the CPSW subsystems and the MCR/ESGR AC subsystems.
The MER flow paths include several interconnected and redundant trains, gravity fed from the Intake Canal. There are three 8-inch SW supply headers. Each header takes its supply from a 96-inch condenser inlet line, and the connection is upstream of the condenser isolation valves. The three 8-inch headers supply two 6-inch headers. The 6-inch supply headers are 100% redundant (i.e., one header can supply 100% of the required SW flow). Since the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem are being modified by the proposed revision, this design description focuses on the CPSW and the MCR/ESGR AC subsystems.
Figure 3 - SW Supply to the CPSW and the MCR/ESGR AC Subsystems
CPSW Subsystem Description
A CPSW subsystem for each unit provides water to cool the charging pump intermediate seal coolers and the charging pump lubricating oil coolers. The seal coolers reject their heat to a dedicated closed-loop subsystem of the CC System (i.e., the Charging Pump Component Cooling Water System). Heat from this system and the lube oil coolers is transferred to the CPSW subsystem.
Either of two 100%-capacity CPSW pumps (1-SW-P-10A/10B and 2-SW-P-10A/10B) delivers water from the SW System to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers, thereby maintaining the charging pump lubricating oil and the CC System water used to cool the charging pump mechanical seals at the proper temperature.
Each pump has a duplex suction strainer.
To ensure that service water is continually available, one CPSW pump is in operation while the other pump is maintained in standby. The standby pump is automatically actuated on low pump discharge pressure to supply SW in the event of failure of the operating pump. The two redundant 100%-capacity CPSW pumps are located in MER-3 and MER-4 and are separated by seismic, missile-protected, 3-hour fire rated walls, ceiling, and floor. The SW supply headers are normally cross-connected at the discharge of the strainers.
An automatic actuating fire safe isolation ball valve is installed in the cross-connect piping between the two pump trains. The separation and cross-connect of the two redundant pump trains is designed to meet the requirements in 10 CFR 50 Appendix R. The installation of two full-capacity CPSW pumps provides 100% redundancy for this cooling water system. The components of the CPSW subsystem, including pumps and heat exchangers are designed to Seismic Class I criteria.
The CPSW pumps are connected to the emergency electrical bus to ensure they will operate in the event of a loss of station power. Post-accident monitoring requirements for the CPSW subsystem status are satisfied by flow and temperature measurement at the discharge of each CPSW pump. Flow and temperature indications are displayed in the MCR.
MCR/ESGR AC Subsystem Description
The CPSW suction flow paths also supply suction for the A, B, and C MCR/ESGR chiller pumps (1-VS-P-1A/1B/1C) that supply the A, B, and C MCR/ESGR chillers (1-VS-E-4A/4B/4C), which are located in MER-3. Chiller pumps D and E (1-VS-P-1D/1E) that supply the D and E MCR/ESGR chillers (1-VS-E-4D/4E), which are located in MER-5, take suction upstream of the suction (rotating) strainers in MER-3/MER-4 and downstream of a duplex strainer in MER-5. Significant installed defense-in-depth exists for the chiller pumps and chillers, since there are a total of five MCR/ESGR chillers.
As noted above, three chillers are located in MER-3, and two chillers are located in MER-5. This configuration ensures that MCR envelope air handling capacity remains available in the event that both CPSW headers in MER-3 and MER-4 are unavailable.
In addition, this arrangement prevents full loss of cooling in the event of a fire in either MER-3 or MER-5. Three of the five chillers are powered from either of two buses, enabling maximum system flexibility in aligning the chillers as required.
Additional equipment includes control panels and isolation switches for affected air handling units and cables routed to provide the required separation.
The additional equipment is seismically and environmentally qualified, as applicable.
Control of the AC system is remote manual from the control room. 


===3.2 Evaluation===
==3.0    TECHNICAL EVALUATION==


of Extended Allowed Outage Time
The CPSW subsystem is a support system for the charging pumps. As discussed in Section 3.1, the design function of the CPSW subsystem is to provide cooling to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers. The charging pumps provide a charging (i.e., reactor coolant makeup) function during normal plant operation and are also used as High Head Safety Injection (HHSI) pumps to supply borated water to the Reactor Coolant System (RCS) during accident conditions.
3.1   Charging Pump Service Water Subsystem and Main Control Room and Emergency Switchgear Room Air Conditioning Subsystem Description The Surry Units 1 and 2 Circulating Water (CW) and Service Water (SW) Systems, which are supplied by the James River, are designed for the removal of heat resulting from the operation of various systems and components for both units. The CW System cools the main condenser, and the SW System provides cooling water to the following components:
Surry TS 3.3, "Safety Injection System," specifies in TS 3.3.A.3 that two Safety Injection (SI) subsystems are required to be operable with the subsystems including one operable HHSI pump. With one SI subsystem inoperable, TS 3.3.B.3 requires restoration of the inoperable subsystem to operable status within 72 hours. The proposed extension of the AOT for the SW flow paths to the CPSW subsystem from 24 to 72 hours brings the support system AOT into alignment with the AOT for the supported component (i.e., Charging/HHSI
: 1. Bearing Cooling (BC) water heat exchangers,
pump). In addition, the design functions of the CPSW subsystem and the Charging/HHSI
: 2. Component Cooling (CC) heat exchangers,
pumps are not impacted by the proposed revision.
: 3. Recirculation Spray (RS) heat exchangers,
As shown in Figure 3, the CPSW suction paths also supply suction for the A, B, and C MCR/ESGR chillers.
: 4. Main control room and emergency switchgear                room    (MCR/ESGR)        air conditioning (AC) condensers (chillers), and
Since the CPSW subsystem and the MCR/ESGR AC subsystem share common piping, it is appropriate for the AOTs for the two subsystems to be the same. The MCR/ESGR AC subsystem is a support system for the A, B, and C MCR/ESGR chillers.
: 5. Charging Pump Service Water (CPSW) subsystem.
TS 3.23, "Main Control Room and Emergency Switchgear Room Air Conditioning System," specifies a 7-day time frame to return an inoperable/not powered as required chiller to operable status in TS 3.23.A.1.c; thus, the proposed 72-hour AOT for the MCR/ESGR AC subsystem is more limiting than the AOT for the supported components (i.e., A, B, and C MCR/ESGR chillers).
The CW and SW Systems' configuration is shown in Figures 1 and 2 (located at the end of Attachment 1). Figure 3 below is provided for illustration purposes and shows the flow paths and components of interest.
In addition, the design functions of the MCR/ESGR AC subsystem and the MCR/ESGR chillers are not impacted by the proposed revision.
The SW flow paths in the Mechanical Equipment Rooms (MERs) support both the CPSW subsystems and the MCR/ESGR AC subsystems. The MER flow paths include several interconnected and redundant trains, gravity fed from the Intake Canal. There are three 8-inch SW supply headers. Each header takes its supply from a 96-inch condenser inlet line, and the connection is upstream of the condenser isolation valves.
Leakage in the fiberglass reinforced piping portion of the CPSW and the MCR/ESGR AC subsystems has occurred recently.
The three 8-inch headers supply two 6-inch headers. The 6-inch supply headers are 100% redundant (i.e., one header can supply 100% of the required SW flow).
The current 24-hour AOTs present an unnecessarily limited time frame to facilitate repairs. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.
3.3 Deletion of Requirements for Temporary Service Water Jumper to Component Cooling Heat Exchangers
The OL conditions and the requirements in TS Table 3.7-2 and TS 3.14 for the temporary SW jumper to the CCHXs were approved by the NRC by TS Amendments 279/279 issued on September 23, 2013. These requirements were included in the Surry TS to allow cleaning, inspection, repair, and recoating in the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature and is appropriate since the requirements have expired and are no longer necessary.
Since the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem are being modified by the proposed revision, this design description focuses on the CPSW and the MCR/ESGR AC subsystems.
The TS 3.14 Basis deletion is provided to the NRC for information.  


==4.0 REGULATORY EVALUATION==
Figure 3 - SW Supply to the CPSW and the MCR/ESGR AC Subsystems
CPSW Subsystem Description
A CPSW subsystem for each unit provides water to cool the charging pump intermediate seal coolers and the charging pump lubricating oil coolers. The seal coolers reject their heat to a dedicated closed-loop subsystem of the CC System (i.e., the Charging Pump Component Cooling Water System). Heat from this system and the lube oil coolers is transferred to the CPSW subsystem.
Either of two 100%-capacity CPSW pumps (1-SW-P-10A/10B and 2-SW-P-10A/10B) delivers water from the SW System to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers, thereby maintaining the charging pump lubricating oil and the CC System water used to cool the charging pump mechanical seals at the proper temperature. Each pump has a duplex suction strainer. To ensure that service water is continually available, one CPSW pump is in operation while the other pump is maintained in standby. The standby pump is automatically actuated on


===4.1 Applicable===
low pump discharge pressure to supply SW in the event of failure of the operating pump.
The two redundant 100%-capacity CPSW pumps are located in MER-3 and MER-4 and are separated by seismic, missile-protected, 3-hour fire rated walls, ceiling, and floor.
The SW supply headers are normally cross-connected at the discharge of the strainers.
An automatic actuating fire safe isolation ball valve is installed in the cross-connect piping between the two pump trains. The separation and cross-connect of the two redundant pump trains is designed to meet the requirements in 10 CFR 50 Appendix R.
The installation of two full-capacity CPSW pumps provides 100% redundancy for this cooling water system. The components of the CPSW subsystem, including pumps and heat exchangers are designed to Seismic Class I criteria.
The CPSW pumps are connected to the emergency electrical bus to ensure they will operate in the event of a loss of station power.
Post-accident monitoring requirements for the CPSW subsystem status are satisfied by flow and temperature measurement at the discharge of each CPSW pump. Flow and temperature indications are displayed in the MCR.
MCR/ESGR AC Subsystem Description
The CPSW suction flow paths also supply suction for the A, B, and C MCR/ESGR chiller pumps (1-VS-P-1A/1B/1C) that supply the A, B, and C MCR/ESGR chillers (1-VS-E-4A/4B/4C), which are located in MER-3. Chiller pumps D and E (1-VS-P-1D/1E) that supply the D and E MCR/ESGR chillers (1-VS-E-4D/4E), which are located in MER-5, take suction upstream of the suction (rotating) strainers in MER-3/MER-4 and downstream of a duplex strainer in MER-5.
Significant installed defense-in-depth exists for the chiller pumps and chillers, since there are a total of five MCR/ESGR chillers. As noted above, three chillers are located in MER-3, and two chillers are located in MER-5. This configuration ensures that MCR envelope air handling capacity remains available in the event that both CPSW headers in MER-3 and MER-4 are unavailable. In addition, this arrangement prevents full loss of cooling in the event of a fire in either MER-3 or MER-5. Three of the five chillers are powered from either of two buses, enabling maximum system flexibility in aligning the chillers as required. Additional equipment includes control panels and isolation switches for affected air handling units and cables routed to provide the required separation. The additional equipment is seismically and environmentally qualified, as applicable. Control of the AC system is remote manual from the control room.


Regulatory Requirements
The regulations in Appendix A to Title 10 of the Code of Federal Regulations (10 CFR) Part 50 establish minimum principal design criteria for water-cooled nuclear power plants, while 10 CFR 50 Appendix B and the licensee quality assurance programs establish quality assurance requirements for the design, manufacture, construction, and operation of structures, systems, and components.
3.2 Evaluation of Extended Allowed Outage Time
The CPSW subsystem is a support system for the charging pumps. As discussed in Section 3.1, the design function of the CPSW subsystem is to provide cooling to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers.
The current regulatory requirements of 10 CFR 50 Appendix A that are applicable to the CPSW support function for the charging pumps include: General Design Criteria (GDC) 1, 35, 36, and 37. The current regulatory requirements that are applicable to the MCR/ESGR AC function for providing safe conditions in the control room is GDC 19. During the initial plant licensing of Surry Units 1 and 2, it was demonstrated that the design of the SI Systems met the regulatory requirements in place at that time. The GDC included in Appendix A to 10 CFR 50 did not become effective until May 21, 1971. The Construction Permits for SPS Units 1 and 2 were issued prior to May 21, 1971; consequently, Surry Units 1 and 2 were not subject to current GDC requirements (SECY-92-223, dated September 18, 1992). The following information demonstrates SPS Units 1 and 2 meet the intent of the GDC published in 1967 (Draft GDC). Specifically, Section 1.4 of the SPS Units 1 and 2 Updated Final Safety Analysis Report (UFSAR) discusses SPS compliance with these criteria.
The charging pumps provide a charging (i.e., reactor coolant makeup) function during normal plant operation and are also used as High Head Safety Injection (HHSI) pumps to supply borated water to the Reactor Coolant System (RCS) during accident conditions.
The draft GDC associated with the Emergency Core Cooling System (ECCS) are addressed below since the CPSW system provides a support function for the charging pumps, which are also used as HHSI pumps to supply borated water to the RCS during accident conditions.
Surry TS 3.3, "Safety Injection System," specifies in TS 3.3.A.3 that two Safety Injection (SI) subsystems are required to be operable with the subsystems including one operable HHSI pump. With one SI subsystem inoperable, TS 3.3.B.3 requires restoration of the inoperable subsystem to operable status within 72 hours. The proposed extension of the AOT for the SW flow paths to the CPSW subsystem from 24 to 72 hours brings the support system AOT into alignment with the AOT for the supported component (i.e., Charging/HHSI pump). In addition, the design functions of the CPSW subsystem and the Charging/HHSI pumps are not impacted by the proposed revision.
The draft criterion associated with the Control Room is also addressed below.
As shown in Figure 3, the CPSW suction paths also supply suction for the A, B, and C MCR/ESGR chillers. Since the CPSW subsystem and the MCR/ESGR AC subsystem share common piping, it is appropriate for the AOTs for the two subsystems to be the same.
* Quality Standards (Criterion 1 -draft) Those systems and components of reactor facilities that are essential to the prevention of accidents which could affect the public health and safety or to the mitigation of their consequences are designed, fabricated, and erected in accordance with quality standards that reflect the importance of the safety function to be performed.
The MCR/ESGR AC subsystem is a support system for the A, B, and C MCR/ESGR chillers. TS 3.23, "Main Control Room and Emergency Switchgear Room Air Conditioning System," specifies a 7-day time frame to return an inoperable/not powered as required chiller to operable status in TS 3.23.A.1.c; thus, the proposed 72-hour AOT for the MCR/ESGR AC subsystem is more limiting than the AOT for the supported components (i.e., A, B, and C MCR/ESGR chillers). In addition, the design functions of the MCR/ESGR AC subsystem and the MCR/ESGR chillers are not impacted by the proposed revision.
Where generally recognized codes or standards on design, materials, fabrication, and inspection are used, they shall be identified.
Where adherence to such codes or standards does not suffice to assure a quality product in keeping with the safety function, they shall be supplemented or modified as necessary.
Leakage in the fiberglass reinforced piping portion of the CPSW and the MCR/ESGR AC subsystems has occurred recently. The current 24-hour AOTs present an unnecessarily limited time frame to facilitate repairs. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.
A showing of sufficiency and applicability of codes, standards, quality assurance programs, test procedures, and inspection acceptance levels used is required.
3.3    Deletion of Requirements for Temporary Service Water Jumper to Component Cooling Heat Exchangers The OL conditions and the requirements in TS Table 3.7-2 and TS 3.14 for the temporary SW jumper to the CCHXs were approved by the NRC by TS Amendments 279/279 issued on September 23, 2013. These requirements were included in the
 
Surry TS to allow cleaning, inspection, repair, and recoating in the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature and is appropriate since the requirements have expired and are no longer necessary. The TS 3.14 Basis deletion is provided to the NRC for information.
 
==4.0    REGULATORY EVALUATION==
 
4.1    Applicable Regulatory Requirements The regulations in Appendix A to Title 10 of the Code of Federal Regulations (10 CFR)
Part 50 establish minimum principal design criteria for water-cooled nuclear power plants, while 10 CFR 50 Appendix B and the licensee quality assurance programs establish quality assurance requirements for the design, manufacture, construction, and operation of structures, systems, and components. The current regulatory requirements of 10 CFR 50 Appendix A that are applicable to the CPSW support function for the charging pumps include: General Design Criteria (GDC) 1, 35, 36, and 37. The current regulatory requirements that are applicable to the MCR/ESGR AC function for providing safe conditions in the control room is GDC 19.
During the initial plant licensing of Surry Units 1 and 2, it was demonstrated that the design of the SI Systems met the regulatory requirements in place at that time. The GDC included in Appendix A to 10 CFR 50 did not become effective until May 21, 1971.
The Construction Permits for SPS Units 1 and 2 were issued prior to May 21, 1971; consequently, Surry Units 1 and 2 were not subject to current GDC requirements (SECY-92-223, dated September 18, 1992). The following information demonstrates SPS Units 1 and 2 meet the intent of the GDC published in 1967 (Draft GDC).
Specifically, Section 1.4 of the SPS Units 1 and 2 Updated Final Safety Analysis Report (UFSAR) discusses SPS compliance with these criteria. The draft GDC associated with the Emergency Core Cooling System (ECCS) are addressed below since the CPSW system provides a support function for the charging pumps, which are also used as HHSI pumps to supply borated water to the RCS during accident conditions. The draft criterion associated with the Control Room is also addressed below.
* Quality Standards (Criterion 1 - draft)
Those systems and components of reactor facilities that are essential to the prevention of accidents which could affect the public health and safety or to the mitigation of their consequences are designed, fabricated, and erected in accordance with quality standards that reflect the importance of the safety function to be performed. Where generally recognized codes or standards on design, materials, fabrication, and inspection are used, they shall be identified. Where adherence to such codes or standards does not suffice to assure a quality product in
 
keeping with the safety function, they shall be supplemented or modified as necessary. A showing of sufficiency and applicability of codes, standards, quality assurance programs, test procedures, and inspection acceptance levels used is required.
Design Conformance Structures, systems, and components important to safety are designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.
Design Conformance Structures, systems, and components important to safety are designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.
The SI System includes features necessary to ensure core cooling and negative reactivity following a limiting event. Approved design codes are used when appropriate to the nuclear application.
The SI System includes features necessary to ensure core cooling and negative reactivity following a limiting event. Approved design codes are used when appropriate to the nuclear application. Vessels comply with Section III of the ASME Code under the specific classification dictated by their use. Piping conforms to the requirements of USAS B31.1.
Vessels comply with Section III of the ASME Code under the specific classification dictated by their use. Piping conforms to the requirements of USAS B31.1. The Quality Assurance Program was established to provide assurance that safety-related structures, systems, and components satisfactorily perform their intended safety functions.
The Quality Assurance Program was established to provide assurance that
* Control Room (Criterion 11 -draft) The facility shall be provided with a control room from which actions to maintain safe operational status of the plant can be controlled.
safety-related structures, systems, and components satisfactorily perform their intended safety functions.
Adequate radiation protection shall be provided to permit access, even under accident conditions, to equipment in the control room or other areas necessary to shut down and maintain safe control of the facility without radiation exposures of personnel in excess of 10 CFR 20 limits. It shall be possible to shut the reactor down and maintain it in a safe condition if access to the control room is lost due to fire or other causes. Design Conformance The control room is located at grade level in the service building.
* Control Room (Criterion 11 - draft)
Safety-related switchgear, motor-generator sets, auxiliary instrument areas, battery rooms, and communications equipment are located in the basement of the service building.
The facility shall be provided with a control room from which actions to maintain safe
Sufficient shielding, distance, and containment integrity are provided to ensure that under postulated accident conditions during occupancy of the control room, control room personnel shall not be subjected to doses that, in the aggregate, would exceed the limits in 10 CFR 50.67. Emergency air-conditioning equipment is provided within the envelope of the shielded control room and associated portions of the basement, collectively called the control and relay room area. The control room is provided with the switchyard control panel, electrical recording panels, dc distribution panels, and a control panel for the operation of the diesel-generator system. The control panels contain those instruments and controls necessary for the operation of station and unit systems such as the reactor and its auxiliary systems, the turbine generator, and the steam and power conversion systems. Loading from the various station electrical distribution boards, such as the start-up boards, shutdown boards, and motor control centers, is accomplished from the station control panels. The control room is common to the two units and is continuously occupied by qualified operating personnel under all operating and accident conditions.
operational status of the plant can be controlled. Adequate radiation protection shall be provided to permit access, even under accident conditions, to equipment in the
In the event that access to the control room is restricted, either local control stations or the manual operation of critical components within the main control area can be used to affect hot shutdown from outside the control room.
control room or other areas necessary to shut down and maintain safe control of the facility without radiation exposures of personnel in excess of 10 CFR 20 limits. It shall be possible to shut the reactor down and maintain it in a safe condition if access to the control room is lost due to fire or other causes.
* Engineered Safety Features Basis for Design (Criterion 37 -draft) Engineered safety features shall be provided in the facility to back up the safety provided by the core design, the reactor coolant pressure boundary, and their protection systems. As a minimum, such engineered safety features shall be designed to cope with any size reactor coolant pressure boundary break up to and including the circumferential rupture of any pipe in that boundary assuming unobstructed discharge from both ends. Design Conformance Engineered safeguards are provided in the facility to back up the safety provided by the design of the core, the reactor coolant pressure boundary, and their protection systems. Engineered safeguards are provided to cope with any size reactor coolant pipe break up to and including the circumferential rupture of any pipe in that boundary and an unobstructed discharge from both ends, and to separately cope with any steam or feedwater line break. Limiting the release of fission products from the reactor fuel is accomplished by the SI System, which, by cooling the core, keeps the fuel in place and substantially intact and significantly limits the metal-water reaction.
Design Conformance The control room is located at grade level in the service building. Safety-related switchgear, motor-generator sets, auxiliary instrument areas, battery rooms, and communications equipment are located in the basement of the service building.
* Reliability and Testability of Engineered Safety Features (Criterion 38 -draft) All engineered safety features shall be designed to provide high functional reliability and ready testability.
Sufficient shielding, distance, and containment integrity are provided to ensure that under postulated accident conditions during occupancy of the control room, control room personnel shall not be subjected to doses that, in the aggregate, would exceed the limits in 10 CFR 50.67. Emergency air-conditioning equipment is provided within the envelope of the shielded control room and associated portions of the basement, collectively called the control and relay room area. The control room is provided with the switchyard control panel, electrical recording panels, dc distribution panels, and a control panel for the operation of the diesel-generator system. The control panels contain those instruments and controls necessary for the operation of station and
In determining the suitability of a facility for a proposed site, the degree of reliance upon and acceptance of the inherent and engineered safety afforded by the systems, including engineered safety features, will be influenced by the known and the demonstrated performance capability and reliability of the systems, and by the extent to which the operability of such systems can be tested and inspected where appropriate during the life of the plant.
 
Design Conformance Engineered safeguards are designed to provide such functional reliability and ready testability as is necessary to avoid undue risk to the health and safety of the public. A comprehensive program of testing has been formulated for equipment, systems, and system controls vital to the functioning of engineered safeguards.
unit systems such as the reactor and its auxiliary systems, the turbine generator, and the steam and power conversion systems. Loading from the various station electrical distribution boards, such as the start-up boards, shutdown boards, and motor control centers, is accomplished from the station control panels.
The program consists of performance tests of individual pieces of equipment in the manufacturer's shop, integrated tests of the system as a whole, and periodic tests of the activation circuitry and mechanical components to ensure reliable performance, upon demand, throughout the unit lifetime.
The control room is common to the two units and is continuously occupied by qualified operating personnel under all operating and accident conditions. In the event that access to the control room is restricted, either local control stations or the manual operation of critical components within the main control area can be used to affect hot shutdown from outside the control room.
* Engineered Safety Features Basis for Design (Criterion 37 - draft)
Engineered safety features shall be provided in the facility to back up the safety provided by the core design, the reactor coolant pressure boundary, and their protection systems. As a minimum, such engineered safety features shall be designed to cope with any size reactor coolant pressure boundary break up to and including the circumferential rupture of any pipe in that boundary assuming unobstructed discharge from both ends.
Design Conformance Engineered safeguards are provided in the facility to back up the safety provided by the design of the core, the reactor coolant pressure boundary, and their protection systems. Engineered safeguards are provided to cope with any size reactor coolant pipe break up to and including the circumferential rupture of any pipe in that boundary and an unobstructed discharge from both ends, and to separately cope with any steam or feedwater line break. Limiting the release of fission products from the reactor fuel is accomplished by the SI System, which, by cooling the core, keeps the fuel in place and substantially intact and significantly limits the metal-water reaction.
* Reliability and Testability of Engineered Safety Features (Criterion 38 - draft)
All engineered safety features shall be designed to provide high functional reliability and ready testability. In determining the suitability of a facility for a proposed site,
the degree of reliance upon and acceptance of the inherent and engineered safety afforded by the systems, including engineered safety features, will be influenced by the known and the demonstrated performance capability and reliability of the systems, and by the extent to which the operability of such systems can be tested and inspected where appropriate during the life of the plant.
 
Design Conformance Engineered safeguards are designed to provide such functional reliability and ready testability as is necessary to avoid undue risk to the health and safety of the public.
A comprehensive program of testing has been formulated for equipment, systems, and system controls vital to the functioning of engineered safeguards. The program consists of performance tests of individual pieces of equipment in the manufacturer's shop, integrated tests of the system as a whole, and periodic tests of the activation circuitry and mechanical components to ensure reliable performance, upon demand, throughout the unit lifetime.
Design provisions are made so that components of the SI System can be tested periodically for operability and functional performance.
Design provisions are made so that components of the SI System can be tested periodically for operability and functional performance.
The engineered safeguards components are checked periodically and routinely.
The engineered safeguards components are checked periodically and routinely. In the event that one of the components requires maintenance as a result of failure to perform according to prescribed limits during the test, the necessary corrections or minor maintenance are accomplished and the component is retested immediately.
In the event that one of the components requires maintenance as a result of failure to perform according to prescribed limits during the test, the necessary corrections or minor maintenance are accomplished and the component is retested immediately.
* Engineered Safety Features Performance Capability (Criterion 41 - draft)
* Engineered Safety Features Performance Capability (Criterion 41 -draft) Engineered safety features, such as emergency core cooling and containment heat removal systems, shall provide sufficient performance capability to accommodate partial loss of installed capacity and still fulfill the required safety function.
Engineered safety features, such as emergency core cooling and containment heat removal systems, shall provide sufficient performance capability to accommodate partial loss of installed capacity and still fulfill the required safety function. As a minimum, each engineered safety feature shall provide this required safety function assuming a failure of a single active component.
As a minimum, each engineered safety feature shall provide this required safety function assuming a failure of a single active component.
Design Conformance Engineered safeguards, such as the SI System and the containment heat removal system, provide sufficient performance capability to accommodate the failure of any single active component without any undue risk to the health and safety of the public. The overall capability of the engineered safeguards meets the suggested requirements of 10 CFR 50.67 or RG 1.183, as applicable, for the occurrence of any rupture of a reactor coolant or Main Steam System pipe, including the double-ended rupture of a reactor coolant pipe, known as the design-basis accident.
Design Conformance Engineered safeguards, such as the SI System and the containment heat removal system, provide sufficient performance capability to accommodate the failure of any single active component without any undue risk to the health and safety of the public. The overall capability of the engineered safeguards meets the suggested requirements of 10 CFR 50.67 or RG 1.183, as applicable, for the occurrence of any rupture of a reactor coolant or Main Steam System pipe, including the double-ended rupture of a reactor coolant pipe, known as the design-basis accident.
* Emergency Core Cooling Systems Capability (Criterion 44 -draft) At least two emergency core cooling systems, preferably of different design principles, each with a capability for accomplishing abundant emergency core cooling, shall be provided.
* Emergency Core Cooling Systems Capability (Criterion 44 - draft)
Each emergency core cooling system and the core shall be designed to prevent fuel and clad damage that would interfere with the emergency core cooling function and to limit the clad metal-water reaction to negligible amounts for all sizes of breaks in the reactor coolant pressure boundary, including the double-ended rupture of the largest pipe. The performance of each emergency core cooling system shall be evaluated conservatively in each area of uncertainty.
At least two emergency core cooling systems, preferably of different design principles, each with a capability for accomplishing abundant emergency core cooling, shall be provided. Each emergency core cooling system and the core shall be designed to prevent fuel and clad damage that would interfere with the emergency core cooling function and to limit the clad metal-water reaction to negligible amounts for all sizes of breaks in the reactor coolant pressure boundary,
Design Conformance The SI System employs a passive system of accumulators that do not require any external signals or source of power for their operation to cope with the short-term cooling requirements of a large reactor coolant pipe break. The HHSI and the Low Head SI (LHSI) Systems, each capable of supplying the required emergency cooling, are also provided for small-break protection and to keep the core submerged after the accumulators have discharged following a large break. These systems are arranged so that the single failure of any active component does not interfere with meeting the short-term cooling requirements.
 
The HHSI and LHSI Systems are each capable of fulfilling long-term cooling requirements.
including the double-ended rupture of the largest pipe. The performance of each emergency core cooling system shall be evaluated conservatively in each area of uncertainty.
The failure of any single active component or the development of excessive leakage during the long-term cooling period does not interfere with the ability to meet necessary long-term cooling objectives with one of the systems. The primary purpose of the SI System is to automatically deliver cooling water to the reactor core in the event of a LOCA. This limits the fuel clad temperature and thereby ensures that the core remains intact and in place with its essential heat transfer geometry preserved.
Design Conformance The SI System employs a passive system of accumulators that do not require any external signals or source of power for their operation to cope with the short-term cooling requirements of a large reactor coolant pipe break. The HHSI and the Low Head SI (LHSI) Systems, each capable of supplying the required emergency cooling, are also provided for small-break protection and to keep the core submerged after the accumulators have discharged following a large break. These systems are arranged so that the single failure of any active component does not interfere with meeting the short-term cooling requirements. The HHSI and LHSI Systems are each capable of fulfilling long-term cooling requirements. The failure of any single active component or the development of excessive leakage during the long-term cooling period does not interfere with the ability to meet necessary long-term cooling objectives with one of the systems.
This protection is afforded for: all pipe break sizes up to and including the hypothetical instantaneous circumferential rupture of a reactor coolant loop, assuming unobstructed discharge from both ends; a loss of coolant associated with the rod ejection accident; and a steam generator tube rupture.
The primary purpose of the SI System is to automatically deliver cooling water to the reactor core in the event of a LOCA. This limits the fuel clad temperature and thereby ensures that the core remains intact and in place with its essential heat transfer geometry preserved. This protection is afforded for: all pipe break sizes up to and including the hypothetical instantaneous circumferential rupture of a reactor coolant loop, assuming unobstructed discharge from both ends; a loss of coolant associated with the rod ejection accident; and a steam generator tube rupture.
* Inspection of Emergency Core Cooling Systems (Criterion 45 -draft) Design provisions shall be made to facilitate physical inspection of all critical parts of the emergency core cooling systems, including reactor vessel internals and water injection nozzles. Design Conformance Design provisions are made for the inspection of components of the SI System to the extent practical.
* Inspection of Emergency Core Cooling Systems (Criterion 45 - draft)
An inspection is performed periodically to demonstrate system readiness.
Design provisions shall be made to facilitate physical inspection of all critical parts of the emergency core cooling systems, including reactor vessel internals and water injection nozzles.
The pressure containment boundaries can be inspected for leaks from pump seals, valve packing, flanged joints, and safety valves during system testing. In addition, critical parts of the reactor vessel internals, injection nozzles, pipes, valves, and SI pumps can be inspected visually or by boroscopic examination for evidence of erosion, corrosion, and vibration wear, and non-destructive tests can be performed where such techniques are desirable, practical, and appropriate.
Design Conformance Design provisions are made for the inspection of components of the SI System to the extent practical. An inspection is performed periodically to demonstrate system readiness. The pressure containment boundaries can be inspected for leaks from pump seals, valve packing, flanged joints, and safety valves during system testing.
In addition, critical parts of the reactor vessel internals, injection nozzles, pipes, valves, and SI pumps can be inspected visually or by boroscopic examination for evidence of erosion, corrosion, and vibration wear, and non-destructive tests can be performed where such techniques are desirable, practical, and appropriate.
 
* Testing of Emergency Core Cooling Systems (Criterion 47 -draft) A capability shall be provided to test periodically the delivery capability of the emergency core cooling systems at a location as close to the core as is practical.
* Testing of Emergency Core Cooling Systems (Criterion 47 - draft)
Design Conformance Design provisions include special instrumentation, testing, and sampling lines to perform the tests, and unit shutdown to demonstrate the proper automatic operation of the SI System. A test signal is supplied to initiate automatic action. The test demonstrates the operation of the valves, pump circuit breakers, and automatic circuitry.
A capability shall be provided to test periodically the delivery capability of the emergency core cooling systems at a location as close to the core as is practical.
In addition, other tests are performed periodically to verify that the SI pumps attain required discharge heads. Quality Assurance Quality assurance criteria provided in 10 CFR Part 50, Appendix B, applicable to the subject systems include: Criteria III, V, XI, XVI, and XVII. Criteria III and V require measures to ensure that applicable regulatory requirements and the design basis, as defined in 10 CFR 50.2, "Definitions," and as specified in the license application, are correctly translated into controlled specifications, drawings, procedures, and instructions.
Design Conformance Design provisions include special instrumentation, testing, and sampling lines to perform the tests, and unit shutdown to demonstrate the proper automatic operation of the SI System. A test signal is supplied to initiate automatic action. The test
Criterion XI requires a test program to ensure that the subject systems will perform satisfactorily  
demonstrates the operation of the valves, pump circuit breakers, and automatic circuitry. In addition, other tests are performed periodically to verify that the SI pumps attain required discharge heads.
in service and requires that test results shall be documented and evaluated to ensure that test requirements have been satisfied.
Quality Assurance Quality assurance criteria provided in 10 CFR Part 50, Appendix B, applicable to the subject systems include: Criteria III, V, XI, XVI, and XVII. Criteria III and V require measures to ensure that applicable regulatory requirements and the design basis, as defined in 10 CFR 50.2, "Definitions," and as specified in the license application, are correctly translated into controlled specifications, drawings, procedures, and instructions. Criterion XI requires a test program to ensure that the subject systems will perform satisfactorily in service and requires that test results shall be documented and evaluated to ensure that test requirements have been satisfied. Criterion XVI requires measures to ensure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and nonconformances, are promptly identified and corrected, and that significant conditions adverse to quality are documented and reported to management. Criterion XVII requires maintenance of records of activities affecting quality.
Criterion XVI requires measures to ensure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and nonconformances, are promptly identified and corrected, and that significant conditions
adverse to quality are documented and reported to management.
4.2     NUREG-1431, Standard Technical Specifications - Westinghouse Plants The proposed change was compared to similar requirements in TS 3.7.8, Service Water System (SWS) in NUREG-1431, Standard Technical Specifications - Westinghouse Plants. It was determined that the proposed change for the CPSW subsystem is consistent with the 72-hour completion time for restoration of one inoperable SWS train to operable status in NUREG-1431.
Criterion XVII requires maintenance of records of activities affecting quality. 4.2 NUREG-1431, Standard Technical Specifications-Westinghouse Plants The proposed change was compared to similar requirements in TS 3.7.8, Service Water System (SWS) in NUREG-1431, Standard Technical Specifications 
4.3     No Significant Hazards Consideration The proposed change revises Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning (AC) subsystem. TS 3.14.A.5 and TS 3.14.A.7
-Westinghouse Plants. It was determined that the proposed change for the CPSW subsystem is consistent with the 72-hour completion time for restoration of one inoperable SWS train to operable status in NUREG-1431.
 
4.3 No Significant Hazards Consideration The proposed change revises Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR)
require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable. Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps; the proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the
Air Conditioning (AC) subsystem.
Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping.
TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem
The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.
and to the MCR/ESGR AC subsystem, respectively, to be operable.
A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.
Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps; the proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the
* Charging/HHS!
pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping .. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.
* A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.17 4 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable.SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24:to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.
The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements were included in the Surry TS to allow cleaning, inspection, repair, and recoating of the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. These requirements have expired and are no longer necessary. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The TS 3.14 Basis deletion is provided to the NRC for information.
Dominion has evaluated whether a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of amendment," as discussed below:
: 1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?
Response: No.
The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps; the proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The design function of the CPSW system, which is to provide cooling to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers, is not impacted by the proposed revision, nor is the design function of the Charging/HHSI pumps impacted. Furthermore, the design functions of the MCR/ESGR AC subsystem and the MCR/ESGR chillers are not impacted by the proposed revision. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. The deletion of these temporary requirements is administrative in nature. As a result, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.
: 2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?
Response: No.
The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. The proposed change does not involve a physical alteration of the plant (i.e., no new or different type of equipment will be installed) and does not impact plant operation. Furthermore, the proposed change does not impose any new or different requirements that could initiate an accident. The proposed change does not alter assumptions made in the safety analysis and is consistent with the safety analysis assumptions. Therefore, the proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.
: 3. Does the proposed change involve a significant reduction in a margin of safety?
Response: No.
The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The proposed change does not adversely affect any current plant safety margins or the reliability of the equipment assumed in the safety analysis. There are no changes being made to any safety analysis assumptions, safety limits, or limiting safety system settings that would adversely affect plant safety as a result of the proposed change. Furthermore, as noted above, a supporting PRA was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the RG 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours.
In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. The deletion of these temporary requirements is administrative in nature. Therefore, the proposed change does not involve a significant reduction in a margin of safety.
Based on the above, Dominion concludes that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of "no significant hazards consideration" is justified.
===5.0 PROBABILISTIC RISK ASSESSMENT===
===5.1 Purpose===
The purpose of this assessment is to utilize the Surry PRA to evaluate the impact on Core Damage Frequency (CDF) and Large, Early Release Frequency (LERF) for the CPSW and MCR/ESGR AC subsystems flow path AOT extensions. Using guidance from RG 1.174 and RG 1.177, this assessment evaluates the risk of changing Surry TS 3.14.C to allow a single service water flow path to be available to the CPSW subsystem and to the MCR/ESGR AC subsystem for up to 72 hours.
===5.2 Introduction===
The S007Aa PRA model allows analysis of the conditional risk at Surry Power Station when one or more SW flow paths to safety-related loads in the MERs are unavailable utilizing a detailed probabilistic assessment of risk from internal events and internal flooding hazards at power. This risk evaluation will be supplemented with qualitative insights to assess the fire, seismic, shutdown and other external risks.
RG 1.177 identifies a three-tiered approach for licensees to evaluate the risk associated with proposed TS Configuration Time (CT) changes. Tier 1 is an evaluation of the impact on plant risk of the proposed TS change as expressed by the change in core damage frequency (ΔCDF), the incremental conditional core damage probability (ICCDP), the change in large early release frequency (ΔLERF), and the incremental conditional large early release probability (ICLERP). Tier 2 is an identification of potentially high-risk configurations that could exist if equipment, in addition to that associated with the change, were to be taken out of service simultaneously or other risk-significant operational factors, such as concurrent system or equipment testing were also involved. The objective of this part of the evaluation is to ensure that appropriate restrictions on dominant risk-significant configurations associated with the change are in place. Tier 3 is the establishment of an overall configuration risk management program (CRMP) to ensure that other potentially lower probability, but nonetheless risk-significant, configurations resulting from maintenance and other operational activities are identified and compensated for.
Figure 3 in Section 3.1 above shows the SW supply to the CPSW and the MCR/ESGR AC subsystems. The SW flow paths in the MERs support both the CPSW subsystems and the MCR/ESGR AC subsystems. The MER flow paths include several interconnected and redundant trains, gravity fed from the Intake Canal. Originating at the Intake Canal, there are three 8-inch SW supply headers. Each header takes its supply from a 96-inch condenser inlet line, and the connection is upstream of the condenser isolation valves. The three 8-inch headers supply two 6-inch headers. The 6-inch supply headers are 100% redundant (i.e., one header can supply 100% of the required SW flow). The SW supply headers are normally cross-connected in MER-3 and MER-4 via the 1-SW-263 valve. This valve is closed during a fire in related equipment areas in accordance with the 10 CFR 50 Appendix R fire protection program.
Two motor operated strainers are normally in service on each of the 6-inch SW supply headers. Each strainer is supplied with a back wash from the discharge of the control room chiller service water pumps. For the following analysis and discussion, SW flow through 1-VS-S-1A is referred to as the "A SW Header" and SW flow through 1-VS-S-1B is referred to as the "B SW Header".
The CPSW system is credited in Surry's PRA as a support system for HHSI. The CPSW system supplies SW flow to the charging pump intermediate seal coolers and lube oil coolers. Heat from the lube oil cooler is transferred to the CPSW subsystem.
The seal coolers reject their heat to a dedicated closed-loop subsystem of the CC System (i.e., the Charging Pump Component Cooling Water System). Heat from this system and the lube oil coolers is transferred to the CPSW subsystem.
Downstream of the 6-inch SW supply headers are two CPSW pump trains for each unit (four total). Each pump train can provide 100% required flow for its unit, so there is 100% redundancy for each unit. The CPSW pump trains can be cross-connected via tie lines that are normally isolated. Hence, the Unit 2 CPSW pumps can be aligned to cool Unit 1 charging pump lube oil coolers and vice versa; this alignment is not automatic and requires local operation. One CPSW pump per unit is normally running and the other is in standby. The standby CPSW pump will auto start on low discharge pressure for the running pump.
The output of either pump can feed the three charging pump lube oil coolers for one unit. The charging pump lube oil cooler outlet control valves are actuated automatically when the charging pump is running. No operator actions are required to start or control CPSW flow to a specific lube oil cooler. The CPSW lube oil cooler discharge flow is directed to the discharge tunnel via a single pipe. The success criterion for the CPSW system to service its required loads is: one CPSW pump available, taking suction from at least one available 6-inch SW header.
Five chillers are installed in the MERs. The condenser water pump for the chillers takes suction from the SW supply line, pumps it through the chiller condenser, and returns it to the CW System. Three chillers (A/B/C) are in MER-3 downstream of the rotating strainers; two chillers (D/E) are in MER-5 upstream of the rotating strainers and downstream of a duplex strainer. These units provide chilled water that circulates through air handlers to remove heat from the atmosphere in the MCR, emergency switchgear rooms, and relay rooms. Air conditioning of these areas prevents electrical equipment from overheating and supports control room habitability during design basis accidents. During normal plant operation one or two chillers may be operating depending on SW temperatures. During an emergency, the 1/2-E-O procedure verifies that one control room chiller is operating, with a results not obtained step to start required equipment within 1 hour in accordance with O-OP-VS-006. The Surry PRA models the ESGR HVAC as a support system for the emergency electrical power systems, 4160 V, 480 V, 125 VAC, and 120 VDC.
In order to satisfy TS 3.14.A.5 and 3.14.A.7 at least two independent SW flow paths must be available to supply MER loads. This risk assessment analyzes conditional risk with only one SW flow path to the MERs.
===5.3 Analysis Inputs===
The following inputs are used for this assessment:
* Surry Average Maintenance PRA model S007Aa,
* RG 1.174,
* RG 1.177, and
* CAFTA code suite.
Risk Impact Evaluation
The NRC staff has identified a three-tiered approach in RG 1.177 for licensees to evaluate the risk associated with proposed TS Completion Time (CT) changes. The following sections document the three tiered evaluation for CPSW and MCR/ESGR AC subsystems flow path AOT extensions.
RG 1.177 PRA Quality Evaluation
RG 1.177 contains the following discussion of PRA Technical Adequacy:
The technical adequacy of the PRA must be compatible with the safety implications of the TS change being requested and the role that the PRA plays in justifying that change. That is, the more the potential change in risk or the greater the uncertainty in that risk from the requested TS change, or both, the more rigor that must go into ensuring the technical adequacy of the PRA. This applies to Tier 1 (above), and it also applies to Tier 2 and Tier 3 to the extent that a PRA model is used.
Regulatory Guide 1.200 describes one acceptable approach for determining whether the technical adequacy of the PRA, in total or the parts that are used to support an application, is sufficient to provide confidence in the results such that the PRA can be used in regulatory decisionmaking for light-water reactors.
A detailed discussion and evaluation of PRA quality of the S007Aa model with respect to this application is provided in Attachment 4.
RG 1.177 Tier 1 Analysis
RG 1.177 contains the following discussion concerning Tier 1 Analysis:
In Tier 1, the licensee should assess the impact of the proposed TS change on CDF, ICCDP, LERF, and ICLERP. To support this assessment, two aspects need to be considered: (1) the validity of the PRA and (2) the PRA insights and findings. The licensee should demonstrate that its PRA is valid for assessing the proposed TS changes and identify the impact of the TS change on plant risk.
TS conditions addressed by CTs are entered infrequently and are temporary by their very nature. However, TS do not typically restrict the frequency of entry into conditions addressed by CTs. Therefore, the following TS acceptance guidelines specific to permanent CT changes are provided for evaluating the risk associated with the revised CT, in addition to those acceptance guidelines given in Regulatory Guide 1.174.
The licensee has demonstrated that the TS CT change has only a small quantitative impact on plant risk. An ICCDP of less than 1.0x10^-6 and an ICLERP of less than 1.0x10^-7 are considered small for a single TS condition entry. (Tier 1).
RG 1.174 Acceptance Criteria are as follows:
* When the calculated increase in CDF is very small, which is taken as being less than 10^-6 per reactor year, the change will be considered regardless of whether there is a calculation of the total CDF (Region III).
* When the calculated increase in CDF is in the range of 10^-6 per reactor year to 10^-5 per reactor year, applications will be considered only if it can be reasonably shown that the total CDF is less than 10^-4 per reactor year (Region II).
* Applications that result in increases to CDF above 10^-5 per reactor year (Region I) would not normally be considered.
Acceptance criteria for LERF are structured similarly at an order of magnitude less (1E-7, etc.).
Tier 1 Analysis Assumptions
* The PRA model S007Aa is valid for performing this assessment.
* For the purposes of ΔCDF/ΔLERF calculations, this assessment assumes the MER SW headers will accumulate 15 days of unavailable configuration time every year as a result of the proposed change. This is a conservative assumption based on Surry's Operating Experience for CPSW headers and the desired maintenance strategy for Surry.
* This analysis assumes that if only one SW flow path to MER loads is available, SW is being supplied to the MER SW loads from one CW inlet, to one 8-inch SW supply header, to one 6-inch SW header, through one rotating strainer. This is a conservative assumption.
Tier 1 Analysis Results
MER SW header maintenance is explicitly modeled in the average maintenance model S007Aa. Therefore, a ΔCDF and ΔLERF for the proposed change to AOTs for MER SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem may be directly calculated from the model by comparing CDF results with increased unavailability on MER headers (refer to second bulleted assumption). Incremental core damage and large early release probabilities for a single 72-hour period are also calculated. The MER headers supply SW to safety-related loads at both Surry units; therefore, risk at both units is explicitly analyzed. Results are as follows:

Table 1: RG 1.177 Tier 1 Analysis Results

15 Day Header Unavailability   U1 ΔCDF    U2 ΔCDF    RG 1.177 ΔCDF Criteria    U1 ΔLERF    U2 ΔLERF    RG 1.177 ΔLERF Criteria
A SW Header                    9.20E-08   1.05E-07   1.00E-06                  3.02E-08    4.23E-08    1.00E-07
B SW Header                    8.29E-08   1.25E-08   1.00E-06                  6.47E-08    5.61E-09    1.00E-07

Single 72hr TS entry           U1 ICCDP   U2 ICCDP   RG 1.177 ICCDP Criteria   U1 ICLERP   U2 ICLERP   RG 1.177 ICLERP Criteria
A SW Header                    1.84E-08   2.09E-08   1.00E-06                  6.03E-09    8.46E-09    1.00E-07
B SW Header                    1.66E-08   2.50E-09   1.00E-06                  1.29E-08    1.12E-09    1.00E-07

Note: These risk metrics are simultaneously applicable to both TS 3.14.A.5 and TS 3.14.A.7 for CPSW and MCR/ESGR SW supplies, respectively.

The tightest margin to RG 1.177 acceptance criteria is on Unit 1 LERF with "B" SW header out of service for 15 days over one year. Cutsets for these configurations were reviewed and are discussed in detail below.
 
An engineering GOTHIC calculation establishes that the ESGR does not require chiller operation during the PRA mission time of 24 hours, as long as one of the ESGR air handling units (per unit) is operating, and there is not an initiating event which requires SI, which may have higher heat loads than assumed in this engineering calculation.
During normal operating conditions, a total loss of chilled water can be successfully mitigated by control room evacuation and shutdown from the remote shutdown panels in conjunction with performance of contingency actions of O-AP-13.02 (opening doors, temporary cooling etc.). These actions have been shown by GOTHIC calculations to substantially improve environmental conditions in the ESGR in loss of chilled water events. If SI is required to mitigate an event, then a subsequent loss of chilled water is assumed to fail ESGR HVAC, and no recovery is possible. In these sequences, the loss of ESGR HVAC is modeled as a Station Blackout (SBO).
In a configuration with only one SW flow path available to the MCR/ESGR chillers, accident sequences that require SI to successfully avoid core damage such as SLOCA and SGTR become elevated in the PRA. These sequences involve failure of the in-service SW flow path, upstream of D/E chiller suction in MER 5. Since this flow path is gravity fed, its primary failure mode is via obstruction (plugging). S007Aa has identified that the most probable means of rendering the sole SW flow path unavailable is obstruction of CW intake/traveling water screens at the high level intake structure.
The PRA has assigned a probability of 8E-5 that CW obstruction would occur during the 24-hour mission time following an initiating event. A SGTR event that involves SBO caused by loss of ESGR HVAC is considered a Large Early Release by S007Aa. In a configuration with one CPSW header isolated, cutsets that involve failure of the second CPSW header become elevated in the PRA. Loss of the second SW header renders HHSI unavailable, which is important to CDF for SLOCA and SGTR sequences.
In SLOCA with HHSI failure, operators must successfully cool down and depressurize the RCS and then place the RCS on Low Head Recirculation. For SGTR with HHSI failure, isolation of the ruptured SG becomes important to mitigate the event. The dominant failure mode for CPSW flow paths is obstruction of the rotating strainers 1-VS-S-1A/B. Bypass SW flow paths around the rotating strainers are not credited in the PRA model. The S007Aa model assesses the probability that the in-service rotating strainer would fail via plugging during a 24-hour mission time following an initiating event to be approximately 1.5E-4.
Another potential failure mode for the in-service SW header is a loss of power to the in-service rotating strainer. The S007Aa model has a 480V Emergency Power dependency modeled for the rotating strainers 1-VS-S-1A/B. It is assumed that loss of power to a rotating strainer will cause the strainer to become obstructed within the mission time. Bypass SW flow paths around the rotating strainers are not credited in the PRA model. The electric power dependency in the model is creating asymmetric SGTR delta risk results across the two units and two headers. In a configuration with one CPSW header out of service, the model has identified that a catastrophic failure (fault or other de-energization sequence via LOOP) of a single emergency bus could disable HHSI via the in-service rotating strainer and also the SG isolation safety function via 480V EP dependency for SG Isolation MOVs. This is also a significant LERF sequence for this configuration, as SGTR with failure of HHSI and SG isolation is considered Large Early Release in S007Aa.
The following are known conservatisms in this analysis that give very high confidence that the proposed change meets Tier 1 acceptance criteria with high margin:
* No credit in the PRA model is given for placing a second or third SW header in service in accordance with O-AP-12, Attachment 1. Some SW crosstie flow paths (such as the 2A Header) may be available or recoverable during maintenance configurations where TS 3.14.A.5 and TS 3.14.A.7 are not considered met. These flow paths could be used to bypass an obstructed CW intake.
* No credit in the PRA model is given for manual operator action to bypass an obstructed rotating strainer by placing the duplex strainer 1-SW-S-10 in service in accordance with O-AP-12.
* No credit in the PRA model is given for operator action in accordance with the EOPs to cool down and depressurize the RCS in SGTR scenarios where Auxiliary Feedwater (AFW) is successful but HHSI fails. Human Reliability Analysis for this credit is under development and stations, such as North Anna which is similar to Surry, have this operator action credited with a Human Event Probability (HEP).
* S007Aa models an electric power dependency for rotating strainers 1-VS-S-1A/B. It is modeled in the internal events PRA that the strainers will become obstructed if not rotating (Probability=1). Actual strainer behavior with no rotation during accident sequences is uncertain. It is unlikely (Probability<1) that the strainer will become obstructed in a 24-hour mission time if not rotating since debris must be present in order for the strainer to become obstructed.
The results of this analysis indicate that the potential increase in core damage risk due to the proposed change is very small and satisfies the Region III criteria of RG 1.177 Tier 1 analysis. [Refer to Table 1, above.]
Shutdown Risk Evaluation
In cases where there is no probabilistic shutdown PRA model available for evaluating the risk impact of a proposed change, as is currently the case with the Surry PRA, a qualitative evaluation process may be applied to assess shutdown risk. In general, this approach involves determining whether or not the proposed change affects functions that are credited in OU-AA-200, Shutdown Risk Management, and then considering what impacts the application may have on shutdown defense-in-depth, in particular the following shutdown plant key safety functions: Decay Heat Removal, RCS/Spent Fuel Pool (SFP) Inventory Control, Reactivity Control, Electrical Power, SFP Cooling and Containment Integrity.
The CPSW system supports HHSI pumps, which contributes to the RCS/SFP inventory control and reactivity control shutdown key safety functions. During plant shutdown, the LHSI System provides the primary source for RCS inventory control/make-up. The HHSI System provides additional defense-in-depth for inventory/reactivity control.
Therefore, it is concluded that the proposed change has a very small impact on defense-in-depth for the associated shutdown Key Safety Functions and shutdown risk.
The MCR/ESGR ventilation system does not directly support any of the Shutdown Key safety functions, but it does support control room habitability during a fuel handling accident. The discussion of failure modes in the internal events discussion also applies to shutdown modes; therefore, it is concluded that the proposed change has a very small impact on shutdown risk.
It is concluded that the proposed change has negligible impact on shutdown CDF and LERF.
Internal Fire Hazard Evaluation
The Individual Plant Examination for External Events (IPEEE) and the Fire Contingency Action (FCA) procedures are used to evaluate the impact of the AOT change for configurations with only one SW flow path to the CPSW subsystem and the ESGR and MCR chillers on the fire risk since a full-scope fire PRA model has not been developed for Surry. The IPEEE screened out all but four areas as insignificant contributors to the fire CDF. The areas which did not screen out include the Cable Vault and Tunnel (CVT), the Emergency Switchgear Room (ESGR), the Main Control Room (MCR), and the Normal Switchgear Room (NSGR), so these areas are included in the scope of this analysis. A review of the Appendix R Report and the IPEEE shows that a fire in two areas, Mechanical Equipment Room 3 (MER 3) and Mechanical Equipment Room 4 (MER 4), may damage multiple CPSW components and the SW supply to the ESGR and MCR chillers. Unavailability of a SW Header in addition to the fire damage could cause a failure of these subsystems. As a result, MER 3 and MER 4 are included in the scope of this analysis even though they screened out as low risk in the IPEEE.
Although a fire in Mechanical Equipment Room 5 (MER 5) may damage two of the five ESGR and MCR chillers, this area is screened out since additional equipment damage is limited and a LOCA is not expected, so the ESGR and MCR chillers are not required during the PRA mission time as discussed in the internal events analysis. A review of the Appendix R Report indicates that power or control cables for one or more CPSW pumps, Rotating Strainers, or ESGR and MCR chillers may be damaged in each of these areas except the NSGR. Given the defense-in-depth available for these subsystems and the lack of emergency equipment damaged in an NSGR fire, this area is screened out from further evaluation.
An FCA procedure is available for each of the remaining areas to support safe shutdown (SSD) during a limiting fire, which is characterized by the actual or imminent loss of a component that supports the SSD functions monitored in O-AP-48.00. It is assumed that a fire in these areas which does not cause sufficient damage to enter the respective FCA procedure can be characterized as a general transient and is adequately addressed by the internal events analysis.
The impact of the AOT change on the fire risk is dependent on the exact configuration for which the TS is entered. The fire scenarios on which the proposed change is expected to have the most impact are those in which the fire damages one or more components affecting the SW supply to or redundant equipment for the CPSW subsystem or the ESGR and MCR chillers. The TS 3.14.C action statement could be entered for having two of the three 8" SW supply headers unavailable and/or one of the two 6" SW supply headers unavailable. If the maintenance configuration only involves two of the 8" headers, the impact on fire risk from the CPSW subsystem is negligible since the remaining 8" line is not susceptible to fire damage. However, this configuration could result in the SW supply to the MER 5 chillers (4D, 4E) being unavailable, which could lead to a loss of ESGR and MCR chillers if a fire damages the remaining in-service equipment. If the maintenance configuration only involves unavailability of one of the 6" SW headers, fire damage to susceptible components on the opposite 6" SW supply could cause a failure of the entire CPSW subsystem and three of the ESGR and MCR chillers. Unavailability of the two 8" SW headers supplying the MER 5 chillers in addition to unavailability of one 6" SW header would allow fire damage to the available 6" header to result in a loss of all ESGR and MCR chillers. In order to bound the consequences of a fire on various possible maintenance configurations of the SW headers, the following analysis considers the impact of unavailability of a 6" SW Header on the CPSW subsystem, and it considers the impact of unavailability of two 8" SW headers and a 6" SW Header on the ESGR and MCR chiller subsystem.
The IPEEE Quantitative Screening models the Rotating Strainers as mechanical strainers that do not require electrical power, and they are assumed to be unaffected by fire damage. Given a loss of power to the strainer, flow through the strainer is not obstructed unless debris causes plugging within the PRA mission time. As a result of the uncertainty associated with the failure rate due to plugging of the Rotating Strainers following a loss of electrical power, the internal events PRA model conservatively assumes this condition leads to a loss of SW flow through the strainer. If the Rotating Strainers are considered susceptible to fire damage, then damage to a Rotating Strainer concurrent with unavailability of the opposite 6" SW Header would cause a loss of CPSW and failure of three chillers. In order to be consistent with the internal events analysis, this fire analysis will qualitatively investigate the impact of the AOT change on the fire risk conservatively assuming fire damage to the power or control cables for the strainer will result in failure of the SW flow path.
CVTs and ESGRs
Fires in the CVTs and ESGRs cause varying amounts of damage to the CPSW subsystem as described by the Appendix R Report and the IPEEE. The FCA procedures used to achieve SSD for these fire areas include 1-FCA-3.00 and 2-FCA-3.00 for the U1 and U2 CVTs, respectively, and 1-FCA-4.00 and 2-FCA-4.00 for the U1 and U2 ESGRs, respectively. A fire in the U1 CVT may damage the cables for 1-SW-P-10A and 1-VS-S-1A, and a fire in the U2 CVT will not damage any of the CPSW pumps or strainers. A fire in the U1 ESGR may damage the cables for both U1 CPSW pumps, and a fire in the U2 ESGR may damage the cables for both U2 CPSW pumps and 1-VS-S-1B. Fire damage in each of these areas may disable Charging for the fire-affected unit. As a result, the fire strategies rely on the opposite unit to provide Inventory Control to the fire-affected unit through the Charging Cross-Tie (CH-XTIE).
The additional unavailability of a SW Header due to the AOT extension increases the likelihood of losing all Charging to both units during a fire due to CPSW failure. During a U2 CVT fire or U1 ESGR fire with a SW Header unavailable, random failure of the second SW header or the opposite unit CPSW pumps is needed to cause a loss of Charging. During a U1 CVT or U2 ESGR fire, power to one of the Rotating Strainers may be damaged by the fire, which would fail one of the SW Headers. If the opposite SW Header is unavailable, a total loss of CPSW would occur. Since no random failures are required in addition to the fire damage and SW Header unavailability, the fire scenarios in the U1 CVT and U2 ESGR are the most limiting of these areas. However, given the likelihood of the SW Header unavailability, which contributes to these potential CPSW failures, the failure to supply Charging to the fire-affected unit is still dominated by the HEP to establish the CH-XTIE between units.
If the Reactor Coolant System (RCS) remains intact, the accident resembles a transient, and the consequences of losing all Charging are minimal since core heat removal can be achieved using Natural Circulation of the RCS with secondary cooling provided by Auxiliary Feedwater (AFW). These conditions are established by actions taken with the FCA procedures. Spurious operations could affect the High/Low pressure boundary by opening valves and causing a LOCA, but actions taken in the FCA procedures mitigate this potential. RCS integrity is maintained by isolating the Reactor Head Vents, the Pressurizer PORVs, and Letdown. Isolation switches in the Control Room ensure that these valves will not be reopened by the fire. In addition, RCP seal cooling is terminated by isolating seal injection and thermal barrier cooling after the pumps have been tripped. The likelihood of developing an RCP seal LOCA is minimized due to the Flowserve low-leakage seals, and proactive isolation of the RCP seals using manual valves precludes the potential for spurious operations to re-introduce cold water to the hot seals, which would cause catastrophic seal failure due to thermal shock. Alignment of suction sources and a flow path to the steam generators (SGs) for AFW is directed by the FCAs as well and includes AFW cross-tie from the opposite unit, if necessary. The AFW flow path is protected from spurious operations by prepositioning the MOVs and then de-energizing them. In addition, the AFW cross-tie MOVs are located in the opposite unit's Safeguards Building, thus preventing fire damage from affecting the ability to utilize the cross-tie. The fire strategies for these areas address the potential loss of Charging, and the resulting impact of the change in SW Header AOT on the fire risk for these areas is low.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 26 of 36 As discussed in the internal events analysis, ESGR and MCR chiller operation within the 24 hour PRA mission time is not required as long as one of the ESGR AHUs per unit is operating or a LOCA has not occurred, although, in the case of ESGR fires, ventilation is not credited for the fire-affected unit. For fires in the U2 CVT and U1 ESGR, at least one chiller will remain available and the 6" SW headers are not affected by the fire. As a result, additional random failures would be required to cause a loss of ESGR and MCR cooling, so the impact of the TS change due to fires in these areas is negligible. A fire in the U1 CVT will not damage any of the chillers, but it may damage 1-VS-S-1A, which would isolate the A 6" SW header supplying CPSW, as well as chillers 4A, 4B, and 4C. If a fire occurred in this area concurrent with maintenance on the B 6" SW Header and the 2A and 2C 8" SW headers supplying the 4D and 4E chillers, then a loss of all five chillers would occur. A fire in the U2 ESGR may damage the normal power and control cables for all five chillers. To account for this potential, chillers 4D and 4E have an alternate power supply (AAC Diesel Generator) and local controls which are aligned using O-FCA-19.00 and allow these chillers to be used during a U2 ESGR fire. However, maintenance on the 2A and 2C 8" SW headers would cause the 4D and 4E chillers to be unavailable, resulting in a loss of all five chillers. The U1 CVT and U2 ESGR are the most limiting of these areas since no random failures are required in addition to the fire and maintenance configuration to cause a loss of all five chillers. In order for a total loss of chillers to cause an SBO due to loss of ESGR HVAC during a fire, either both of the dedicated AHUs must fail or a LOCA must develop.
In order to be consistent with the internal events analysis, this fire analysis will qualitatively investigate the impact of the AOT change on the fire risk conservatively assuming fire damage to the power or control cables for the strainer will result in failure of the SW flow path. CVTs and ESGRs Fires in the CVTs and ESGRs cause varying amounts of damage to the CPSW subsystem as described by the Appendix R Report and the IPEEE. The FCA procedures used to achieve SSD for these fire areas include 1-FCA-3.00 and 2-FCA-3.00 for the U1 and U2 CVTs, respectively, and 1-FCA-4.00 and 2-FCA-4.00 for the U1 and U2 ESGRs, respectively.
Combining the frequency of the fire, the probability of the maintenance configuration with only one SW supply line available, and the probabilities of the AHUs failing or a LOCA developing, which is minimized by the fire strategies and low-leakage RCP seals, causes the resulting cutsets to be low risk contributors. Accounting for fire severity and suppression would further reduce the results of these cutsets. Given the low frequency of these failure combinations, the impact of the change in SW Header AOT on the fire risk for these scenarios is low.
A fire in the U1 CVT may damage the cables for 1-SW-P-10A and 1-VS-S-1A, and a fire in the U2 CVT will not damage any of the CPSW pumps or strainers.
The MCR contains control cables for all of the CPSW pumps. There is physical separation between units for the CPSW pump controls in the MCR, and control of each pump can also be transferred to the Appendix R Panel in the ESGR. The fire strategy to achieve SSD during an MCR fire is O-FCA-1.00. If the fire severity necessitates evacuation of the control room, the operators will transfer control of the CPSW pumps to the Appendix R Panel. The Rotating Strainers are locally controlled from the MERs and are unaffected by a fire in the MCR. If one of the SW Headers is unavailable, random failure of the second SW header or all of the CPSW pumps is needed to cause a loss of Charging. The fire strategy for the MCR is very similar to the strategies for the CVTs and ESGRs in that an RCS High/Low pressure boundary is established, allowing Natural Circulation of the RCS to be used, and AFW is aligned to the SGs for secondary cooling. The Reactor Head Vents, the Pressurizer PORVs, and Letdown are isolated from the MCR at the Auxiliary Shutdown Panel (ASP) in the ESGR, and the isolation switches ensure the valves will not reopen due to the fire. The failure of CPSW would
A fire in the U1 ESGR may damage the cables for both U1 CPSW pumps, and a fire in the U2 ESGR may damage the cables for both U2 CPSW pumps and 1-VS-S-1B. Fire damage in each of these areas may disable Charging for the affected unit. As a result, the fire strategies rely on the opposite unit to provide Inventory Control to the fire-affected unit through the Charging Cross-Tie (CH-XTIE).
 
The additional unavailability of a SW Header due to the AOT extension increases the likelihood of losing all Charging to both units during a fire due to CPSW failure. During a U2 CVT fire or U1 ESGR fire with a SW Header unavailable, random failure of the second SW header or the opposite unit CPSW pumps is needed to cause a loss of Charging.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 27 of 36 cause a loss of RCP seal injection, but thermal barrier cooling may continue to be supplied to the RCP seals. Since RCP seal cooling is not proactively isolated during this fire scenario, RCP seal injection is monitored and the seals are isolated when flow is lost. As a result, the potential for thermal shock of the seals is mitigated, and the likelihood of seal failure remains low. Since the potential for a LOCA is mitigated by actions taken to ensure the integrity of the RCS pressure boundary is maintained and by the low-leakage seals, this accident will most likely resemble a transient. Alignment of suction sources and a flow path to the steam generators (SGs) for AFW is directed by the FCA procedure and includes AFW cross-tie from the opposite unit, if necessary.
During a U1 CVT or U2 ESGR fire, power to one of the Rotating Strainers may be damaged by the fire, which would fail one of the SW Headers. If the opposite SW Header is unavailable, a total loss of CPSW would occur. Since no random failures are required in addition to the fire damage and SW Header unavailability, the fire scenarios in the U1 CVT and U2 ESGR are the most limiting of these areas. However, given the likelihood of the SW Header unavailability, which contributes to these potential CPSW failures, the failure to supply Charging to the fire-affected unit is still dominated
The AFW flow path is protected from spurious operations by transferring control of the AFW pumps and discharge MOVs to the ASP. The fire strategy for this scenario addresses the potential loss of Charging, and the resulting impact of the change in SW Header AOT on the fire risk for this scenario is low.
by the HEP to establish the CH-XTIE between units. If the Reactor Coolant System (RCS) remains intact, the accident resembles a transient, and the consequences of losing all Charging are minimal since core heat removal can be achieved using Natural Circulation of the RCS with secondary cooling provided by Auxiliary Feedwater (AFW). These conditions are established by actions taken with the
The MCR contains control cables for all of the ESGR and MCR chillers as well.
FCA procedures.
However, isolation switches are available for three of the five chillers, which can be controlled from outside the control room. One ESGR AHU per unit is isolated from the control room as well. Consistent with previous discussion, the chillers are not required within the 24 hour PRA mission time if one ESGR AHU per unit is operating and a LOCA has not developed. The frequency of fires requiring evacuation of the control room is low given the control room is continuously manned, so detection and suppression of the fires before evacuation is likely. Similar to the ESGR and CVT fire scenarios, the frequency of the fire, the probability of the maintenance configuration with only one SW supply line available, and random failure of the chillers unaffected by the fire are a low frequency combination of failures. The probabilities of the AHUs failing or a LOCA developing in addition to these failures cause the resulting cutsets to be low risk contributors. Given the low frequency of these failure combinations, the impact of the change in SW Header AOT on the fire risk for these scenarios is low.
Spurious operations could affect the High/Low pressure boundary by opening valves and causing a LOCA, but actions taken in the FCA procedures mitigate this potential.
If the fire is small enough that habitability conditions and extent of equipment damage allow operators to remain in the control room, the FCA procedure for the MCR is not entered and the fire is considered non-limiting. The impact of the SW Header AOT change on this fire scenario is considered bounded by the internal events analysis.
RCS integrity is maintained by isolating the Reactor Head Vents, the Pressurizer PORVs, and Letdown. Isolation switches in the Control Room ensure that these valves will not be reopened by the fire. In addition, RCP seal cooling is terminated by isolating seal injection and thermal barrier cooling after the pumps have been tripped. The likelihood of developing an RCP seal LOCA is minimized due to the Flowserve low-leakage seals, and proactive isolation of the RCP seals using manual valves precludes the potential for spurious operations to re-introduce cold water to the hot seals, which would cause catastrophic seal failure due to thermal shock. Alignment of suction sources and a flow path to the steam generators (SGs) for AFW is directed by the FCAs as well and includes AFW cross-tie from the opposite unit, if necessary.
MER 3 and MER 4 These fire areas were included in the scope of the analysis due to the extent of potential damage to the CPSW pumps, Rotating Strainers, and damage to piping supplying the 4A, 4B, and 4C chillers. The FCA procedure used to achieve SSD for both of these fire areas is O-FCA-7.00. In each of these areas, three of the four CPSW pumps and one of the two Rotating Strainers may be damaged. In addition, portions of the 6" SW supply piping are non-metallic and susceptible to fire damage. The FCA procedure relies on the available CPSW pump and strainer to provide Charging Pump Cooling and uses the CPSW pump discharge cross-tie to cool both units' Charging Pumps. Random failure of the fourth CPSW pump would cause a failure of CPSW, but this system failure mode is
The AFW flow path is protected from spurious operations by prepositioning the MOVs and then de-energizing them. In addition, the AFW cross-tie MOVs are located in the opposite unit's Safeguards Building, thus preventing fire damage from affecting the ability to utilize the cross-tie.
 
The fire strategies for these areas address the potential loss of Charging, and the resulting impact of the change in SW Header AOT on the fire risk for these areas is low. As discussed in the internal events analysis, ESGR and MCR chiller operation within the 24 hour PRA mission time is not required as long as one of the ESGR AHUs per unit is operating or a LOCA has not occurred, although, in the case of ESGR fires, ventilation is not credited for the fire-affected unit. For fires in the U2 CVT and U1 ESGR, at least one chiller will remain available and the 6" SW headers are not affected by the fire. As a result, additional random failures would be required to cause a loss of ESGR and MCR cooling, so the impact of the TS change due to fires in these areas is negligible.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 28 of 36 not impacted by the unavailability of the SW Header. However, if the fire damages the Rotating Strainer or non-metallic piping and the opposite 6" SW Header is unavailable, a loss of CPSW and three chillers would occur. Fire damage to the non-metallic piping during maintenance involving the 2A and 2C 8" SW headers in addition to the opposite 6" SW header would result in a loss of all five ESGR and MCR chillers.
A fire in the U1 CVT will not damage any of the chillers, but it may damage 1-VS-S-1A, which would isolate the A 6" SW header supplying CPSW, as well as chillers 4A, 4B, and 4C. If a fire occurred in this area concurrent with maintenance on the B 6" SW Header and the 2A and 2C 8" SW headers supplying the 4D and 4E chillers, then a loss of all five chillers would occur. A fire in the U2 ESGR may damage the normal power and control cables for all five chillers.
To account for this potential, chillers 4D and 4E have an alternate power supply (AAC Diesel Generator) and local controls which are aligned using O-FCA-19.00 and allow these chillers to be used during a U2 ESGR fire. However, maintenance on the 2A and 2C 8" SW headers would cause the 4D and 4E chillers to be unavailable, resulting in a loss of all five chillers.
The U1 CVT and U2 ESGR are the most limiting of these areas since no random failures are required in addition to the fire and maintenance configuration to cause a loss of all five chillers.
In order for a total loss of chillers to cause an SBO due to loss of ESGR HVAC during a fire, either both of the dedicated AHUs must fail or a LOCA must develop. Combining the frequency of the fire, the probability of the maintenance configuration with only one SW supply line available, and the probabilities of the AHUs failing or a LOCA developing, which is minimized by the fire strategies and low-leakage RCP seals, causes the resulting cutsets to be low risk contributors.
Accounting for fire severity and suppression would further reduce the results of these cutsets. Given the low frequency of these failure combinations, the impact of the change in SW Header AOT on the fire risk for these scenarios is low. The MCR contains control cables for all of the CPSW pumps. There is physical separation between units for the CPSW pump controls in the MCR, and control of each pump can also be transferred to the Appendix R Panel in the ESGR. The fire strategy to achieve SSD during an MCR fire is O-FCA-1.00.
If the fire severity necessitates evacuation of the control room, the operators will transfer control of the CPSW pumps to the Appendix R Panel. The Rotating Strainers are locally controlled from the MERs and are unaffected by a fire in the MCR. If one of the SW Headers is unavailable, random failure of the second SW header or all of the CPSW pumps is needed to cause a loss of Charging.
The fire strategy for the MCR is very similar to the strategies for the CVTs and ESGRs in that an RCS High/Low pressure boundary is established, allowing Natural Circulation of the RCS to be used, and AFW is aligned to the SGs for secondary cooling. The Reactor Head Vents, the Pressurizer PORVs, and Letdown are isolated from the MCR at the Auxiliary Shutdown Panel (ASP) in the ESGR, and the isolation switches ensure the valves will not reopen due to the fire. The failure of CPSW would cause a loss of RCP seal injection, but thermal barrier cooling may continue to be supplied to the RCP seals. Since RCP seal cooling is not proactively isolated during this fire scenario, RCP seal injection is monitored and the seals are isolated when flow is lost. As a result, the potential for thermal shock of the seals is mitigated, and the likelihood of seal failure remains low. Since the potential for a LOCA is mitigated by actions taken to ensure the integrity of the RCS pressure boundary is maintained and by the low-leakage seals, this accident will most likely resemble a transient.
Alignment of suction sources and a flow path to the steam generators (SGs) for AFW is directed by the FCA procedure and includes AFW cross-tie from the opposite unit, if necessary.
The AFW flow path is protected from spurious operations by transferring control of the AFW pumps and discharge MOVs to the ASP. The fire strategy for this scenario addresses the potential loss of Charging, and the resulting impact of the change in SW Header AOT on the fire risk for this scenario is low. The MCR contains control cables for all of the ESGR and MCR chillers as well. However, isolation switches are available for three of the five chillers, which can be controlled from outside the control room. One ESGR AHU per unit is isolated from the control room as well. Consistent with previous discussion, the chillers are not required within the 24 hour PRA mission time if one ESGR AHU per unit is operating and a LOCA has not developed.
The frequency of fires requiring evacuation of the control room is low given the control room is continuously manned, so detection and suppression of the fires before evacuation is likely. Similar to the ESGR and CVT fire scenarios, the frequency of the fire, the probability of the maintenance configuration with only one SW supply line available, and random failure of the chillers unaffected by the fire are a low frequency combination of failures.
The probabilities of the AHUs failing or a LOCA developing in addition to these failures cause the resulting cutsets to be low risk contributors.
Given the low frequency of these failure combinations, the impact of the change in SW Header AOT on the fire risk for these scenarios is low. If the fire is small enough that habitability conditions and extent of equipment damage allow operators to remain in the control room, the FCA procedure for the MCR is not entered and the fire is considered non-limiting.
The impact of the SW Header AOT change on this fire scenario is considered bounded by the internal events analysis.
MER 3 and MER 4 These fire areas were included in the scope of the analysis due to the extent of potential damage to the CPSW pumps, Rotating Strainers, and damage to piping supplying the 4A, 4B, and 4C chillers.
The FCA procedure used to achieve SSD for both of these fire areas is O-FCA-7.00.
In each of these areas, three of the four CPSW pumps and one of the two Rotating Strainers may be damaged. In addition, portions of the 6" SW supply piping are non-metallic and susceptible to fire damage. The FCA procedure relies on the available CPSW pump and strainer to provide Charging Pump Cooling and uses the CPSW pump discharge cross-tie to cool both units' Charging Pumps. Random failure of the fourth CPSW pump would cause a failure of CPSW, but this system failure mode is not impacted by the unavailability of the SW Header. However, if the fire damages the Rotating Strainer or non-metallic piping and the opposite 6" SW Header is unavailable, a loss of CPSW and three chillers would occur. Fire damage to the non-metallic piping during maintenance involving the 2A and 2C 8" SW headers in addition to the opposite 6" SW header would result in a loss of all five ESGR and MCR chillers.
The equipment damaged by a fire in MER 4 is limited and will not cause a fire-induced LOCA. As a result, a loss of Charging or the ESGR and MCR chillers due to a fire in this area during SW Header maintenance is easily mitigated by station procedures and available equipment, and the impact of the AOT change is negligible.
The potential equipment damaged from a fire in MER 3 is more extensive and includes electrical cables for the #3 EDG output breaker, #2 EDG output breaker, and the 2H emergency bus offsite power supply breaker. However, if the damage is limited to this equipment, the loss of Charging due to a fire in this area during SW Header maintenance does not have a significant adverse impact on the fire risk since a fire-induced LOCA will not occur, and shutdown can be achieved using the available station procedures.
The potential equipment damaged from a fire in MER 3 is more extensive and includes electrical cables for the #3 EDG output breaker, #2 EDG output breaker, and the 2H emergency bus offsite power supply breaker. However, if the damage is limited to this equipment, the loss of Charging due to a fire in this area during SW Header maintenance does not have a significant adverse impact on the fire risk since a fire-induced LOCA will not occur, and shutdown can be achieved using the available station procedures. Fire damage alone to the EDG and 2H bus breakers would fail the EDG output breakers open, preventing the EDGs from supplying the emergency buses, and the 2H bus offsite supply breaker closed, preventing it from opening following a LOOP signal. This damage state would allow both U2 emergency buses to remain energized from offsite power. If offsite power to one of the U2 emergency buses is lost due to fire-induced spurious opening of the 2H bus supply breaker or random failure of either emergency bus, 2-FCA-4.00 is entered. As discussed for the limiting U2 ESGR fire scenario, a loss of all Charging and failure of both Unit 2 emergency buses is adequately addressed by 2-FCA-4.00.
Fire damage alone to the EDG and 2H bus breakers would fail the EDG output breakers open, preventing the EDGs from supplying the emergency buses, and the 2H bus offsite supply breaker closed, preventing it from opening following a LOOP signal. This damage state would allow both U2 emergency buses to remain energized from offsite power. If offsite power to one of the U2 emergency buses is lost due to fire-induced spurious opening of the 2H bus supply breaker or random failure of either emergency bus, 2-FCA-4.00 is entered. As discussed for the limiting U2 ESGR fire scenario, a loss of all Charging and failure of both Unit 2 emergency buses is adequately addressed by 2-FCA-4.00.
Three of the five ESGR and MCR chillers may be damaged by a fire in MER 3. The MER 5 chillers are unaffected by a fire in this area, but they could be unavailable due to 8" SW header maintenance. Given equipment damage in this area is limited, multiple random failures would be required in addition to SW Header maintenance for this scenario to lead to a loss of ESGR cooling resulting in an SBO. Due to the low frequency of these cutsets, the impact of the SW Header AOT change on the fire risk for these scenarios is negligible.
Three of the five ESGR and MCR chillers may be damaged by a fire in MER 3. The MER 5 chillers are unaffected by a fire in this area, but they could be unavailable due to 8" SW header maintenance.
MER 3 contains non-metallic SW supply piping which is susceptible to fire damage, and a flood propagation path exists between the MER 3 and the ESGRs. In order to mitigate flooding from the failed piping, the SW supply to MER 3 is isolated as directed by the FCA. If isolation of the SW supply fails and the flood propagates to the ESGRs, loss of all Charging would occur as a consequence of the emergency bus failures, so there is no additional impact due to the additional SW Header maintenance. Since the extent of damage due to a fire in MER 3 is limited relative to other areas evaluated and a fire-induced LOCA will not occur, the impact of the SW Header AOT change on the fire risk for this area is low.
Given equipment damage in this area is limited, multiple random failures would be required in addition to SW Header maintenance for this scenario to lead to a loss of ESGR cooling resulting in an SBO. Due to the low frequency of these cutsets, the impact of the SW Header AOT change on the fire risk for these scenarios is negligible.
 
MER 3 contains non-metallic SW supply piping which is susceptible to fire damage, and a flood propagation path exists between the MER 3 and the ESGRs. In order to mitigate flooding from the failed piping, the SW supply to MER 3 is isolated as directed by the FCA. If isolation of the SW supply fails and the flood propagates to the ESGRs, loss of all Charging would occur as a consequence of the emergency bus failures, so there is no additional impact due to the additional SW Header maintenance.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 29 of 36 Conclusion The most limiting fire scenarios for this evaluation are those that involve fire-induced failure of a Rotating Strainer, which could cause a total loss of CPSW and three ESGR
Since the extent of damage due to a fire in MER 3 is limited relative to other areas evaluated and a fire-induced LOCA will not occur, the impact of the SW Header AOT change on the fire risk for this area is low.
and MCR chillers if the alternate 6" header is unavailable, and loss of all five chillers if the 8" SW headers supplying MER 5 are also unavailable. The known conservatisms in this analysis include assumed failure of the Rotating Strainers due to fire damage, which are assumed to be unaffected by fire damage in the IPEEE, and lack of credit for the duplex strainer to bypass a plugged Rotating Strainer, which could be aligned using O-AP-12.00 unless the 6" A SW Header is isolated upstream of the Rotating Strainer 1-VS-S-1A. If the IPEEE treatment of the Rotating Strainers is used, the impact on the fire risk is negligible. Based on the review of the significant fire areas, the expected equipment damage, and the fire strategies used to achieve SSD, it is concluded that the consequence of losing CPSW during these scenarios is small, and the likelihood of causing an SBO due to failure of ESGR cooling is low. These insights demonstrate the impact of the SW Header AOT change on the overall fire risk is acceptable and bounded by the internal events analysis.
Conclusion Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 29 of 36 The most limiting fire scenarios for this evaluation are those that involve fire-induced failure of a Rotating Strainer, which could cause a total loss of CPSW and three ESGR
Seismic Hazard Evaluation Generic Letter (GL) 88-20 Supplement 4 was issued by the NRC in June 1991. This letter and NUREG-1407 requested each nuclear plant licensee to perform an IPEEE. In a December 1991 letter to the NRC, Surry identified the planned approach to address the IPEEE. For non-seismic external events and fires, the IPEEE effort was completed and a report was submitted to the NRC in December 1997.
and MCR chillers if the alternate 6" header is unavailable, and loss of all five chillers if the 8" SW headers supplying MER 5 are also unavailable.
Surry was categorized in NUREG-1407 as a focused scope plant. As identified in Surry's December 1991 letter, the Seismic Margins Method (SMM) developed by Electric Power Research Institute (EPRI) with enhancements was selected for Surry. A completion schedule for IPEEE - Seismic was initially provided by Surry in its September 1992 letter to the NRC which also noted that elements of the effort to resolve IPEEE - Seismic, notably plant walkdowns, will be integrated with the resolution of Unresolved Safety Issue (USI) A-46 identified in NRC's Supplement 1 to GL 87-02 of May 1992.
The known conservatisms in this analysis include assumed failure of the Rotating Strainers due to fire damage, which are assumed to be unaffected by fire damage in the IPEEE, and lack of credit for the duplex strainer to bypass a plugged Rotating Strainer, which could be aligned using O-AP-12.00 unless the 6" A SW Header is isolated upstream of the Rotating Strainer 1-VS-S-1A.
In September 1995, the NRC issued Supplement 5 to GL 88-20. This letter gave further guidance on the basis for selection of components that needed capacity evaluation.
If the IPEEE treatment of the Rotating Strainers is used, the impact on the fire risk is negligible.
Based on GL 88-20, Supplement 5, Surry submitted a revised approach to NRC in November 1995. This approach, while still retaining the Seismic Probabilistic Risk Assessment (SPRA) methodology and treating Surry as a focused scope plant, identified areas where screening and judgment by experienced and trained engineers would eliminate the need for performing capacity calculations for rugged components, structures, and systems; and require such evaluations only for weaker and critical components. The IPEEE - Seismic program at Surry has been performed in
Based on the review of the significant fire areas, the expected equipment damage, and the fire strategies used to achieve SSD, it is concluded that the consequence of losing CPSW during these scenarios is small, and the likelihood of causing an SBO due to failure of ESGR cooling is low. These insights demonstrate the impact of the SW Header AOT change on the overall fire risk is acceptable and bounded by the internal events analysis.
 
Seismic Hazard Evaluation Generic Letter (GL) 88-20 Supplement 4 was issued by the NRC in June 1991. This letter and NUREG-1407 requested each nuclear plant licensee to perform an IPEEE. In a December 1991 letter to the NRC, Surry identified the planned approach to address the IPEEE. For non-seismic external events and fires, the IPEEE effort was completed and a report was submitted to the NRC in December 1997. Surry was categorized in NUREG-1407 as a focused scope plant. As identified in Surry's December 1991 letter, the Seismic Margins Method (SMM) developed by Electric Power Research Institute (EPRI) with enhancements was selected for Surry.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 30 of 36 accordance with the SPRA methodology for a focused plant and Surry's stated commitments.
A completion schedule for IPEEE - Seismic was initially provided by Surry in its September 1992 letter to the NRC which also noted that elements of the effort to resolve IPEEE - Seismic, notably plant walkdowns, will be integrated with the resolution of Unresolved Safety Issue (USI) A-46 identified in NRC's Supplement 1 to GL 87-02 of May 1992. In September 1995, the NRC issued Supplement 5 to GL 88-20. This letter gave further guidance on the basis for selection of components that needed capacity evaluation.
In February 1996, a peer review was conducted to assess the implementation of the IPEEE - Seismic program at Surry. This review included walkdown of about 15% of the items representing all classes of equipment in the Safe Shutdown Equipment List.
Based on GL 88-20, Supplement 5, Surry submitted a revised approach to NRC in November 1995. This approach, while still retaining the Seismic Probabilistic Risk Assessment (SPRA) methodology and treating Surry as a focused scope plant, identified areas where screening and judgment by experienced and trained engineers would eliminate the need for performing capacity calculations for rugged components, structures, and systems; and require such evaluations only for weaker and critical components.
Although a few open issues were noted at the time of the review, the reviewer concluded that the Seismic Review Teams involved did an excellent seismic walkdown review at Surry.
The IPEEE -Seismic program at Surry has been performed in Serial No. 16-180 Docket Nos. 50-280/281 Attachment 1 Page 30 of 36 accordance with the SPRA methodology for a focused plant and Surry's stated commitments.
In summary, the IPEEE-Seismic program, integrated with the USI A-46 effort, resulted in several plant improvements and design modifications. The SPRA quantification concluded that no severe accident vulnerabilities exist at Surry from a potential seismic event. No other .cost beneficial upgrade can be performed to improve the seismic margin and the core damage frequency of the plant.
In February 1996, a peer review was conducted to assess the implementation of the IPEEE-Seismic program at Surry. This review included walkdown of about 15% of the items representing all classes of equipment in the Safe Shutdown Equipment List. Although a few open issues were noted at the time of the review, the reviewer concluded that the Seismic Review Teams involved did an excellent seismic walkdown review at Surry. In summary, the IPEEE-Seismic program, integrated with the USI A-46 effort, resulted in several plant improvements and design modifications.
The SPRA quantification concluded that no severe accident vulnerabilities exist at Surry from a potential seismic event. No other cost beneficial upgrade can be performed to improve the seismic margin and the core damage frequency of the plant.
* The Surry Seismic Probability Risk Assessment Pilot Plant Report was reviewed and this proposed change does not impact the conclusions drawn in that report. The following is a discussion of SPRA quantification results from that report. The dominant Seismic PRA sequence (52%) involves the failure of the turbine building, starting a chain of events that fails SW. Since the power cables to the CW isolation valves run through cable trays in the turbine building, it was assumed that the failure of the steel superstructure would fail the valve cables, even though they are in the concrete portion of the turbine building below ground elevation.
Failure of the cables prevents the CW isolation valves from closing, the canal will rapidly drain through the CW lines, SW cooling will be lost, and core damage is assumed. The proposed change does not have an adverse impact on this sequence.
25.7% of SPS seismic risk is associated with seismic-induced SW flooding. This risk is dominated by seismic-induced ruptures of BC heat exchangers. The proposed change does not have an adverse effect on seismic induced flooding sequences.
Seismic induced LOCA, SGTR and MSLB sequences where MER SW supply has a support function make up approximately 2% of seismic core damage risk. Therefore, it is concluded that the proposed change has a negligible impact on seismic risk and is screened from further evaluation.
Other External Hazards Evaluation
The other external hazards, as identified by NUREG/CR-2300 and NUREG/CR-4839, have been taken into consideration. Following the initial screening, seven events were identified as needing more detailed evaluation. These events included aircraft accidents, external flooding, tornado generated missiles and high winds, pipeline accidents, transportation accidents, accidents in nearby industrial or military facilities, and release of chemicals from on-site storage. Since the effects of these external events on Surry Power Station were analyzed as part of NUREG-1150, the analysis performed in the IPEEE used the method and in some cases the results obtained by NUREG/CR-4550. However, in each case the Surry UFSAR information was used to make sure that the results obtained by NUREG/CR-4550 were still valid.
The study concluded that there are no significant external events other than those identified in NUREG-1407. The non-seismic external events of interest, except for aircraft impacts, pipeline accidents and external flooding, were screened out based on the UFSAR information and the results reached by NUREG/CR-4550. The bounding analyses performed for the effects of aircraft impacts and pipeline accidents were based on the methods used by NUREG/CR-4550. The results of these two analyses indicate that the frequency of the events occurring is small. The actual risk from these hazards to the safe operation of the plant would be less than the screening value, because most safety-related equipment is inside Class I structures and is designed to withstand the loads imposed by the external event. The bounding analysis for external flooding considered the worst case occurrence of the 1 hour in 1 square mile probable maximum precipitation (PMP). The consequences of this occurrence were mitigated by implementation of a procedural revision and modification of turbine building roof parapets to reduce roof top accumulation during intense precipitation. Therefore, it can be concluded that non-seismic external events do not pose a significant risk to the safe operation of Surry Power Station.
* Based on the above, other External Events have been screened from further evaluation for this proposed change.
RG 1.177 Tier 2: Avoidance of Risk Significant Plant Configurations
RG 1.177 contains the following discussion concerning Tier 2 analysis:
The licensee should provide reasonable assurance that risk-significant plant equipment outage configurations will not occur when specific plant equipment is out of service consistent with the proposed TS change. An effective way to perform such an assessment is to evaluate equipment according to its contribution to plant risk (or safety) while the equipment covered by the proposed CT change is out of service.
Evaluation of such combinations of equipment out of service against the Tier 1 ICCDP and ICLERP acceptance guidelines could be one appropriate method of identifying risk-significant configurations. Once plant equipment is so evaluated, an assessment can be made as to whether certain enhancements to the TS or procedures are needed to avoid risk significant plant configurations. In addition, compensatory actions that can mitigate any corresponding increase in risk (e.g., backup equipment, increased surveillance frequency, or upgraded procedures and training) should be identified and evaluated. Any changes made to the plant design or operating procedures as a result of such a risk evaluation (e.g., required backup equipment, increased surveillance frequency, or upgraded procedures and training required before certain plant system configurations can be entered) should be incorporated into the analyses utilized for TS changes as described under Tier 1 above.
A detailed review of PRA importance metrics (Risk Achievement Worth, Fussell-Vesely) from the Tier 1 PRA Model did not reveal any risk significant maintenance configurations when one MER header is considered unavailable. No enhancements, procedure revisions or compensatory actions are recommended from the Tier 2 evaluation.
RG 1.177 Tier 3: Risk-Informed Plant Configuration Control and Management
The Dominion 10 CFR 50.65(a)(4) program fully satisfies the recommendations of RG 1.177 Tier 3. RG 1.177 Section 2.3 states that:
The licensee should develop a program that ensures that the risk impact of out-of-service equipment is appropriately evaluated prior to performing any maintenance activity. A viable program would be one that is able to uncover risk-significant plant equipment outage configurations in a timely manner during normal plant operation.
The Dominion 10 CFR 50.65(a)(4) program performs PRA analyses of planned maintenance configurations in advance. The MER SW system is included in the 10 CFR 50.65(a)(4) scope and its removal from service is monitored, analyzed, and managed. Configurations that approach or exceed the NUMARC 93-01 risk limits are identified and either avoided or addressed by risk management actions. Emergent configurations are identified and analyzed by the on-shift staff for prompt determination of whether risk management actions are needed. The configuration analysis and risk management processes are fully proceduralized in compliance with the requirements of 10 CFR 50.65(a)(4). Dominion's (a)(4) program is implemented with station procedures WM-AA-300, Work Management, and NF-AA-PRA-370, MRule (a)(4) Risk Monitor Guidance.
To support Dominion's 10 CFR 50.65(a)(4) program, a dedicated PRA model is used to perform configuration risk analysis. The model uses the S007Aa model as a framework with some adjustments to optimize the model for configuration risk calculations. The model allows for quantitative Level 1 and Level 2 (LERF) assessments of internal events and internal floods hazards for at-power configurations. Risk during shutdown configurations and risks due to other hazards are assessed qualitatively. Changes in plant configuration or PRA model features are dispositioned and managed by Dominion's PRA configuration control process. Procedures are in place to ensure that actions are taken as necessary to qualitatively assess configurations outside the scope of the PRA model.


===5.4 Results and Conclusions===
The increase in risk associated with the proposed change is consistent with the RG 1.174 and RG 1.177 acceptance guidelines for a permanent TS Completion Time change. This evaluation demonstrates that nuclear defense-in-depth will not be significantly impacted by allowing a single SW flow path to be available to the CPSW subsystem and to the MCR/ESGR AC subsystem for up to 72 hours.
==6.0 ENVIRONMENTAL ASSESSMENT==
The proposed change will revise a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20. Specifically, the proposed change extends the AOT for only one operable flow path from 24 hours to 72 hours. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. However, the proposed change does not involve (i) a significant hazards consideration, (ii) a significant change in the types or a significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure.
Accordingly, the proposed change meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed change.

==7.0 CONCLUSION==

The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps. The proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The design functions of the CPSW subsystem and the Charging/HHSI pumps, as well as the design functions of the MCR/ESGR AC subsystem and chillers, are not impacted by the proposed revision. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs; the deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The proposed change does not physically alter plant equipment, does not impact plant operation, and does not affect the safety analyses.
Furthermore, a supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.
Therefore, Dominion concludes, based on the considerations discussed herein, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.
[Figure 1 - Service Water System Simplified Diagram]

[Figure 2 - Gravity-supplied Service Water System Loads]

Serial No. 16-180 Docket Nos. 50-280/281 Attachment 2
MARKED-UP TECHNICAL SPECIFICATIONS AND BASIS PAGES (Basis Changes are for NRC Information Only)
Virginia Electric and Power Company (Dominion)
Surry Station Units 1 and 2
T. (Continued)
: 16. For the applicable UFSAR Chapter 14 events, Surry 1 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A. If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 1 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:
* Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
* Section 14.2.8 - Excessive Load Increase Incident;
* Section 14.2.9 - Loss of Reactor Coolant Flow; and
* Section 14.2.10 - Loss of External Electrical Load
Prior to operating above 2546 MWt (98.4% RP).

FOR THE NUCLEAR REGULATORY COMMISSION
Original signed by:
Samuel J. Collins, Director
Office of Nuclear Reactor Regulation


==Attachment:==
Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 1 Renewed License No. DPR-32 Amendment No.-2f9-

09 23 13
T. (Continued)
: 16. For the applicable UFSAR Chapter 14 events, Surry 2 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A. If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 2 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:
* Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
* Section 14.2.8 - Excessive Load Increase Incident;
* Section 14.2.9 - Loss of Reactor Coolant Flow; and
* Section 14.2.10 - Loss of External Electrical Load
Prior to operating above 2546 MWt (98.4% RP).
: 4. This renewed license is effective as of the date of issuance and shall expire at midnight on January 29, 2033.
FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:
Samuel J. Collins, Director Office of Nuclear Reactor Regulation


==Attachment:==
Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 2 Renewed License No. DPR-37 Amendment No.~
TABLE 3.7-2 (Continued)
ENGINEERED SAFEGUARDS ACTION INSTRUMENT OPERATING CONDITIONS

| Functional Unit | Total Number Of Channels | Minimum OPERABLE Channels | Channels To Trip | Permissible Bypass Conditions | Operator Actions |
|---|---|---|---|---|---|
| 3. AUXILIARY FEEDWATER (continued) | | | | | |
| e. Trip of main feedwater pumps - start motor driven pumps | 2/MFW pump | 1/MFW pump | 2-1 each MFW pump | | 24 |
| f. Automatic actuation logic | 2 | 2 | 1 | | 22 |
| 4. LOSS OF POWER | | | | | |
| a. 4.16 kv emergency bus undervoltage (loss of voltage) | 3/bus | 2/bus | 2/bus | | 26 |
| b. 4.16 kv emergency bus undervoltage (degraded voltage) | 3/bus | 2/bus | 2/bus | | 26 |
| 5. NON-ESSENTIAL SERVICE WATER ISOLATION | | | | | |
| a. Low intake canal level* Nots g | 4 | 3 | 3 | | 20 |
| b. Automatic actuation logic | 2 | 2 | 1 | | 14 |
| 6. ENGINEERED SAFEGUARDS ACTUATION INTERLOCKS - Note A | | | | | |
| a. Pressurizer pressure, P-11 | 3 | 2 | 2 | | 23 |
| b. Low-low Tavg, P-12 | 3 | 2 | 2 | | 23 |
| c. Reactor trip, P-4 | 2 | 2 | 1 | | 24 |
| 7. RECIRCULATION MODE TRANSFER | | | | | |
| a. RWST Level - Low-Low* | 4 | 3 | 2 | | 25 |
| b. Automatic Actuation Logic and Actuation Relays | 2 | 2 | 1 | | 14 |
| 8. RECIRCULATION SPRAY | | | | | |
| a. RWST Level - Low Coincident with High High Containment Pressure* | 4 | 3 | 2 | | 20 |
| b. Automatic Actuation Logic and Actuation Relays | 2 | 2 | 1 | | 14 |

xc angers is m 1 e m e tripped condition. In this condition, two t

TS 3.14-1 *-B9 23 13
3.14 CIRCULATING AND SERVICE WATER SYSTEMS
Applicability
Applies to the operational status of the Circulating and Service Water Systems.
Objective
To define those limiting conditions of the Circulating and Service Water Systems necessary to assure safe station operation.
Specification
A. The Reactor Coolant System temperature or pressure of a reactor unit shall not exceed 350° F or 450 psig, respectively, or the reactor shall not be critical unless:
: 1. The high level intake canal is filled to at least elevation +23.0 feet at the high level intake structure.
: 2. Unit subsystems, including piping and valves, shall be operable to the extent of being able to establish the following:
: a. Flow to and from one bearing cooling water heat exchanger.
: b. Flow to and from the component cooling heat exchangers required by Specification 3.13.
: 3. At least two circulating water pumps are operating or are operable.
: 4. Three emergency service water pumps are operable; these pumps will service both units simultaneously.
Amendment Nos.~and~

TS 3.14-2 04-02-07
: 5. Two service water flow paths to the charging pump service water subsystem are OPERABLE.
: 6. Two service water flow paths to the recirculation spray subsystems are OPERABLE.
: 7. Two service water flow paths to the main control room and emergency switchgear room air conditioning subsystems are OPERABLE.
B. The requirements of Specification 3.14.A.4 may be modified to allow one Emergency Service Water pump to remain inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place both units in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.
The requirements of 3.14.A.4 may be modified to have two Emergency Service Water pumps OPERABLE with one unit in COLD SHUTDOWN with combined Spent Fuel pit and shutdown unit decay heat loads of 25 million BTU/HR or less.
One of the two remaining pumps may be inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place the operating unit in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.
Amendment Nos.~ and~
LBDCR!TSCR 441 - INSERT 1 on pages TS 3.14-2 and TS 3.14-3:
C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.
D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems. If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.

TS 3.14-3 04 02=07 l be p aced m s o Specifications 3.14.A.5, 3.1 are not met within an additional
48 c or shall be laced in COLD SHUTDOWN.
Basis
The Circulating and Service Water Systems are designed for the removal of heat resulting from the operation of various systems and components of either or both of the units. Untreated water, supplied from the James River and stored in the high level intake canal is circulated by gravity through the recirculation spray coolers and the bearing cooling water heat exchangers and to the charging pumps lubricating oil cooler service water pumps which supply service water to the charging pump lube oil coolers.
In addition, the Circulating and Service Water Systems supply cooling water to the component cooling water heat exchangers and to the main control and emergency switchgear rooms air conditioning condensers. The Component Cooling heat exchangers are used during normal plant operations to cool various station components and when in shutdown to remove residual heat from the reactor. Component Cooling is not required on the accident unit during a loss-of-coolant accident. If the loss-of-coolant accident is coincident with a loss of off-site power, the nonaccident unit will be maintained at HOT SHUTDOWN with the ability to reach COLD SHUTDOWN.
The long term Service Water requirement for a loss-of-coolant accident in one unit with simultaneous loss-of-station power and the second unit being brought to HOT SHUTDOWN is greater than 15,000 gpm. Additional Service Water is necessary to bring the nonaccident unit to COLD SHUTDOWN. Three diesel driven Emergency Service Water pumps with a design capacity of 15,000 gpm each, are provided to supply water to the High Level Intake canal during a loss-of-station power incident. Thus, considering the single active failure of one pump, three Emergency Service Water pumps are required to be OPERABLE. The allowed outage time of 7 days provides operational flexibility to allow for repairs up to and
Amendment Nos.~and~

TS 3.14-4 09-23-13
including replacement of an Emergency Service Water pump without forcing dual unit outages, yet limits the amount of operating time without the specified number of pumps.
When one Unit is in Cold Shutdown and the heat load from the shutdown unit and spent fuel pool drops to less than 25 million BTU/HR, then one Emergency Service Water pump may be removed from service for the subsequent time that the unit remains in Cold Shutdown due to the reduced residual heat removal and hence component cooling requirements.
A minimum level of +17.2 feet in the High Level Intake canal is required to provide design flow of Service Water through the Recirculation Spray heat exchangers during a loss-of-coolant accident for the first 24 hours. If the water level falls below +23' 6", signals are generated to trip both unit's turbines and to close the nonessential Circulating and Service Water valves. A High Level Intake canal level of +23' 6" ensures actuation prior to canal level falling to elevation +23'. The Circulating Water and Service Water isolation valves which are required to close to conserve Intake Canal inventory are periodically verified to limit total leakage flow out of the Intake Canal. In addition, passive vacuum breakers are installed on the Circulating Water pump discharge lines to assure that a reverse siphon is not continued for canal levels less than +23 feet when Circulating Water pumps are de-energized. The remaining six feet of canal level is provided coincident with ESW pump operation as the required source of Service Water for heat loads following the Design Basis Accident.
facilitate cleaning, inspecting, repairing (as needed), and recoating (as needed) of the ater (SW) supply line to the Component Cooling Heat Exchangers (CC s), a temporary, sa -related, seismic, not fully missile protected SW supply li temporary jumper) will be us as discussed in the temporary footnote to .14.A.2.b. The temporary jumper is requ
d since service water is supplied e CCHXs by a single concrete-encased line. To re ve the SW supply I' from service for extended CCHXs is provided in Virgini y's letter Serial No. 12-615, dated September 26, 2012. e use of the temporary jumper is on of up to 35 days d
g each of the 2013 and 2015 Unit 1 refueling o ordance with the compensatory measures (including a Contin vided in the letter referenced above. The only automatic function in the ply line when Unit 1 is in COLD SHUTDOWN or REFUELING SHUTDOWN is
Amendment Nos.~and~

TS 3.14-4a 09 23 13
e SW supply motor operated valves, which close on low
isolation valve in the tempor established by the Station Abnormal Procedures.


==References:==
UFSAR Section 9.9 Service Water System
UFSAR Section 10.3.4 Circulating Water System
UFSAR Section 14.5 Loss-of-Coolant Accidents, Including the Design Basis Accident
Amendment Nos.~ and~
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 3
PROPOSED TECHNICAL SPECIFICATIONS AND BASIS PAGES (Basis Changes are for NRC Information Only)
Virginia Electric and Power Company (Dominion)
Surry Station Units 1 and 2

T. (Continued)
: 16. For the applicable UFSAR Chapter 14 events, Surry 1 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A. If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 1 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:
* Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
* Section 14.2.8 - Excessive Load Increase Incident;
* Section 14.2.9 - Loss of Reactor Coolant Flow; and
* Section 14.2.10 - Loss of External Electrical Load
Prior to operating above 2546 MWt (98.4% RP).
U. Deleted by Amendment No. ____
: 4. This renewed license is effective as of the date of issuance and shall expire at midnight on May 25, 2032.
FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:
Samuel J. Collins, Director Office of Nuclear Reactor Regulation


==Attachment:==
Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 1 Renewed License No. DPR-32 Amendment No.

T. (Continued)
: 16. For the applicable UFSAR Chapter 14 events, Surry 2 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A. If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 2 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:
* Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
* Section 14.2.8 - Excessive Load Increase Incident;
* Section 14.2.9 - Loss of Reactor Coolant Flow; and
* Section 14.2.10 - Loss of External Electrical Load
Prior to operating above 2546 MWt (98.4% RP).
U. Deleted by Amendment No. ____
: 4. This renewed license is effective as of the date of issuance and shall expire at midnight on January 29, 2033.
FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:
Samuel J. Collins, Director Office of Nuclear Reactor Regulation


==Attachment:==
Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 2 Renewed License No. DPR-37 Amendment No.

TABLE 3.7-2 (Continued)
ENGINEERED SAFEGUARDS ACTION INSTRUMENT OPERATING CONDITIONS Minimum Permissible Total Number OPERABLE Channels Bypass Operator Functional Unit Of Channels Channels To Trip Conditions Actions 3. AUXILIARY FEEDWATER (continued)
ENGINEERED SAFEGUARDS ACTION INSTRUMENT OPERATING CONDITIONS Minimum                       Permissible Total Number OPERABLE               Channels       Bypass       Operator Functional Unit                             Of Channels         Channels         To Trip     Conditions Actions
: e. Trip of main feedwater pumps -start motor driven 2/MFWpump l/MFWpump 2-1 each 24 pumps MFWpump f. Automatic actuation logic 2 2 1 22 4. LOSS OF POWER a. 4.16 kv emergency bus undervoltage (loss of voltage) 3/bus 2/bus 2/bus 26 b. 4.16 kv emergency bus undervoltage (degraded voltage) 3/bus 2/bus 2/bus 26 5. NON-ESSENTIAL SERVICE WATER ISOLATION
: 3. AUXILIARY FEEDWATER (continued)
: a. Low intake canal level* 4 3 3 20 b. Automatic actuation logic 2 2 l 14 6. ENGINEERED SAFEGUARDS ACTUATION INTERLOCKS  
: e. Trip of main feedwater pumps - start motor driven             2/MFWpump l/MFWpump                   2-1 each                       24 pumps                                                                                               MFWpump
-Note A a. Pressurizer pressure, P-11 3 2 2 23 b. Low-low Tavg, P-12 3 2 2 23 c. Reactor trip, P-4 2 2 24 7. RECIRCULATION MODE TRANSFER a. RWST Level-Low-Low* 4 3 2 25 b. Automatic Actuation Logic and Actuation Relays 2 2 l 14 8. RECIRCULATION SPRAY a. RWST Level -Low Coincident with High High 4 3 2 20 Containment Pressure* b. Automatic Actuation Logic and Actuation Relays 2 2 14 g p,. a g Note A -Engineered Safeguards Actuation Interlocks are described in Table 4.1-A z 0
: f. Automatic actuation logic                                             2               2               1                           22
* There is a Safety Analysis Limit associated with this ESF function.
: 4. LOSS OF POWER
If during calibration the setpoint is found to be conservative with respect to the Setting Limit but outside its predefined calibration tolerance, then the channel shall be brought back to within its predefined calibration tolerance before returning the channel to service. The calibration tolerances are specified in a document controlled under 10 CFR 50.59.
: a. 4.16 kv emergency bus undervoltage (loss of voltage)                 3/bus           2/bus           2/bus                         26
TS 3.14-1 3.14 CIRCULATING AND SERVICE WATER SYSTEMS Applicability Applies to the operational status of the Circulating and Service Water Systems. Objective To define those limiting conditions of the Circulating and Service Water Systems necessary to assure safe station operation.
: b. 4.16 kv emergency bus undervoltage (degraded voltage)               3/bus           2/bus           2/bus                         26
Specification A. The Reactor Coolant System temperature or pressure of a reactor unit shall not exceed 350°F or 450 psig, respectively, or the reactor shall not be critical unless: 1. The high level intake canal is filled to at least elevation
: 5. NON-ESSENTIAL SERVICE WATER ISOLATION
+23.0 feet at the high level intake structure.
: a. Low intake canal level*                                               4               3               3                           20
: b. Automatic actuation logic                                             2               2               1                           14
: 6. ENGINEERED SAFEGUARDS ACTUATION INTERLOCKS - Note A
: a. Pressurizer pressure, P-11                                             3               2               2                           23
: b. Low-low Tavg, P-12                                                     3               2               2                           23
: c. Reactor trip, P-4                                                     2               2                                           24
: 7. RECIRCULATION MODE TRANSFER
: a. RWST Level- Low-Low*                                                   4               3               2                           25
: b. Automatic Actuation Logic and Actuation Relays                         2               2               1                           14
: 8. RECIRCULATION SPRAY
: a. RWST Level - Low Coincident with High High Containment Pressure*       4               3               2                           20
: b. Automatic Actuation Logic and Actuation Relays                         2               2                                           14
Note A - Engineered Safeguards Actuation Interlocks are described in Table 4.1-A
* There is a Safety Analysis Limit associated with this ESF function. If during calibration the setpoint is found to be conservative with respect to the Setting Limit but outside its predefined calibration tolerance, then the channel shall be brought back to within its predefined calibration tolerance before returning the channel to service. The calibration tolerances are specified in a document controlled under 10 CFR 50.59.
 
TS 3.14-1 3.14 CIRCULATING AND SERVICE WATER SYSTEMS Applicability Applies to the operational status of the Circulating and Service Water Systems.
Objective To define those limiting conditions of the Circulating and Service Water Systems necessary to assure safe station operation.
Specification A. The Reactor Coolant System temperature or pressure of a reactor unit shall not exceed 350°F or 450 psig, respectively, or the reactor shall not be critical unless:
: 1. The high level intake canal is filled to at least elevation +23.0 feet at the high level intake structure.
: 2. Unit subsystems, including piping and valves, shall be operable to the extent of being able to establish the following:
: a. Flow to and from one bearing cooling water heat exchanger.
: b. Flow to and from the component cooling heat exchangers required by Specification 3.13. 3. At least two circulating water pumps are operating or are operable.
: b. Flow to and from the component cooling heat exchangers required by Specification 3.13.
: 3. At least two circulating water pumps are operating or are operable.
: 4. Three emergency service water pumps are operable; these pumps will service both units simultaneously.
Amendment Nos.
TS 3.14-2 5. Two service water flow paths to the charging pump service water subsystem are OPERABLE.
 
TS 3.14-2
: 5. Two service water flow paths to the charging pump service water subsystem are OPERABLE.
: 6. Two service water flow paths to the recirculation spray subsystems are OPERABLE.
: 7. Two service water flow paths to the main control room and emergency switchgear room air conditioning subsystems are OPERABLE.
B. The requirements of Specification 3.14.A.4 may be modified to allow one Emergency Service Water pump to remain inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place both units in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours. The requirements of 3.14.A.4 may be modified to have two Emergency Service Water pumps OPERABLE with one unit in COLD SHUTDOWN with combined Spent Fuel pit and shutdown unit decay heat loads of 25 million BTU/HR or less. One of the two remaining pumps may be inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place the operating unit in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours. C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers.
B. The requirements of Specification 3.14.A.4 may be modified to allow one Emergency Service Water pump to remain inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place both units in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.
If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours. D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems.
The requirements of 3.14.A.4 may be modified to have two Emergency Service Water pumps OPERABLE with one unit in COLD SHUTDOWN with combined Spent Fuel pit and shutdown unit decay heat loads of 25 million BTU/HR or less.
If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours. Amendment Nos.
One of the two remaining pumps may be inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place the operating unit in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.
TS 3.14-3 Basis The Circulating and Service Water Systems are designed for the removal of heat resulting from the operation of various systems and components of either or both of the units. Untreated water, supplied from the James River and stored in the high level intake canal is circulated by gravity through the recirculation spray coolers and the bearing cooling water heat exchangers and to the charging pumps lubricating oil cooler service water pumps which supply service water to the charging pump lube oil coolers. In addition, the Circulating and Service Water Systems supply cooling water to the component cooling water heat exchangers and to the main control and emergency switchgear rooms air conditioning condensers.
C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.
The Component Cooling heat exchangers are used during normal plant operations to cool various station components and when in shutdown to remove residual heat from the reactor. Component Cooling is not required on the accident unit during a loss-of-coolant accident.
D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems. If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.
If the loss-of-coolant accident is coincident with a loss of off-site power, the nonaccident unit will be maintained at HOT SHUTDOWN with the ability to reach COLD SHUTDOWN.
Amendment Nos.
The long term Service Water requirement for a loss-of-coolant accident in one unit with simultaneous loss-of-station power and the second unit being brought to HOT SHUTDOWN is greater than 15,000 gpm. Additional Service Water is necessary to bring the nonaccident unit to COLD SHUTDOWN.
 
Three diesel driven Emergency Service Water pumps with a design capacity of 15,000 gpm each, are provided to supply water to the High Level Intake canal during a loss-of-station power incident.
TS 3.14-3 Basis The Circulating and Service Water Systems are designed for the removal of heat resulting from the operation of various systems and components of either or both of the units.
Thus, considering the single active failure of one pump, three Emergency Service Water pumps are required to be OPERABLE.
Untreated water, supplied from the James River and stored in the high level intake canal is circulated by gravity through the recirculation spray coolers and the bearing cooling water heat exchangers and to the charging pumps lubricating oil cooler service water pumps which supply service water to the charging pump lube oil coolers.
The allowed outage time of 7 days provides operational flexibility to allow for repairs up to and Amendment Nos.
In addition, the Circulating and Service Water Systems supply cooling water to the component cooling water heat exchangers and to the main control and emergency switchgear rooms air conditioning condensers. The Component Cooling heat exchangers are used during normal plant operations to cool various station components and when in shutdown to remove residual heat from the reactor. Component Cooling is not required on the accident unit during a loss-of-coolant accident. If the loss-of-coolant accident is coincident with a loss of off-site power, the nonaccident unit will be maintained at HOT SHUTDOWN with the ability to reach COLD SHUTDOWN.
TS 3.14-4 including replacement of an Emergency Service Water pump without forcing dual unit outages, yet limits the amount of operating time without the specified number of pumps. When one Unit is in Cold Shutdown and the heat load from the shutdown unit and spent fuel pool drops to less than 25 million BTU/HR, then one Emergency Service Water pump may be removed from service for the subsequent time that the unit remains in Cold Shutdown due to the reduced residual heat removal and hence component cooling requirements.
The long term Service Water requirement for a loss-of-coolant accident in one unit with simultaneous loss-of-station power and the second unit being brought to HOT SHUTDOWN is greater than 15,000 gpm. Additional Service Water is necessary to bring the nonaccident unit to COLD SHUTDOWN. Three diesel driven Emergency Service Water pumps with a design capacity of 15,000 gpm each, are provided to supply water to the High Level Intake canal during a loss-of-station power incident. Thus, considering the single active failure of one pump, three Emergency Service Water pumps are required to be OPERABLE. The allowed outage time of 7 days provides operational flexibility to allow for repairs up to and Amendment Nos.
A minimum level of +17.2 feet in the High Level Intake canal is required to provide design flow of Service Water through the Recirculation Spray heat exchangers during a loss-of-coolant accident for the first 24 hours. If the water level falls below +23' 6", signals are generated to trip both units' turbines and to close the nonessential Circulating and Service Water valves. A High Level Intake canal level of +23' 6" ensures actuation prior to canal level falling to elevation
 
+23'. The Circulating Water and Service Water isolation valves which are required to close to conserve Intake Canal inventory are periodically verified to limit total leakage flow out of the Intake Canal. In addition, passive vacuum breakers are installed on the Circulating Water pump discharge lines to assure that a reverse siphon is not continued for canal levels less than +23 feet when Circulating Water pumps are de-energized.
TS 3.14-4 including replacement of an Emergency Service Water pump without forcing dual unit outages, yet limits the amount of operating time without the specified number of pumps.
The remaining six feet of canal level is provided coincident with ESW pump operation as the required source of Service Water for heat loads following the Design Basis Accident.  
When one Unit is in Cold Shutdown and the heat load from the shutdown unit and spent fuel pool drops to less than 25 million BTU/HR, then one Emergency Service Water pump may be removed from service for the subsequent time that the unit remains in Cold Shutdown due to the reduced residual heat removal and hence component cooling requirements.
A minimum level of +17.2 feet in the High Level Intake canal is required to provide design flow of Service Water through the Recirculation Spray heat exchangers during a loss-of-coolant accident for the first 24 hours. If the water level falls below +23' 6", signals are generated to trip both units' turbines and to close the nonessential Circulating and Service Water valves. A High Level Intake canal level of +23' 6" ensures actuation prior to canal level falling to elevation +23'. The Circulating Water and Service Water isolation valves which are required to close to conserve Intake Canal inventory are periodically verified to limit total leakage flow out of the Intake Canal. In addition, passive vacuum breakers are installed on the Circulating Water pump discharge lines to assure that a reverse siphon is not continued for canal levels less than +23 feet when Circulating Water pumps are de-energized. The remaining six feet of canal level is provided coincident with ESW pump operation as the required source of Service Water for heat loads following the Design Basis Accident.


==References:==


UFSAR Section 9.9 UFSAR Section 10.3.4 UFSAR Section 14.5 Service Water System Circulating Water System Loss-of-Coolant Accidents, Including the Design Basis Accident Amendment Nos.
* UFSAR Section 9.9: Service Water System
* UFSAR Section 10.3.4: Circulating Water System
* UFSAR Section 14.5: Loss-of-Coolant Accidents, Including the Design Basis Accident
Amendment Nos.
Attachment 4 Serial No. 16-180 Docket Nos. 50-280/281 TECHNICAL ADEQUACY OF THE PROBABILISTIC RISK ASSESSMENT MODEL Virginia Electric and Power Company (Dominion)
 
Surry Station Units 1 and 2 TECHNICAL ADEQUACY OF THE PROBABILISTIC RISK ASSESSMENT (PRA) MODEL Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 1 of 36 The PRA model used to analyze the risk of the LBDCR/TSCR 441 is referred to as S007Aa. The effective date of this model is September 30, 2009. Surry PRA Model Notebook QU.2, Revision 5, documents the quantification of the PRA model. This is the most recent evaluation of the SPS internal events at-power risk profile. The PRA model is maintained and updated under a PRA configuration control program in accordance with Dominion procedures.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 TECHNICAL ADEQUACY OF THE PROBABILISTIC RISK ASSESSMENT MODEL Virginia Electric and Power Company (Dominion)
Plant changes, including physical and procedural modifications and changes in performance data, are reviewed and the PRA model is updated to reflect such changes periodically by qualified personnel, with independent reviews and approvals.
Surry Station Units 1 and 2
Summary of the SPS PRA History The Level 1 and Level 2 SPS PRA analyses were originally developed and submitted to the Nuclear Regulatory Commission (NRC) in 1991 as the Individual Plant Examination (IPE) submittal.
 
The SPS PRA has been updated many times, since the original IPE. A summary of the SPS PRA history is as follows:
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 1 of 36 TECHNICAL ADEQUACY OF THE PROBABILISTIC RISK ASSESSMENT (PRA) MODEL The PRA model used to analyze the risk of the LBDCR/TSCR 441 is referred to as S007Aa. The effective date of this model is September 30, 2009. Surry PRA Model Notebook QU.2, Revision 5, documents the quantification of the PRA model. This is the most recent evaluation of the SPS internal events at-power risk profile. The PRA model is maintained and updated under a PRA configuration control program in accordance with Dominion procedures. Plant changes, including physical and procedural modifications and changes in performance data, are reviewed and the PRA model is updated to reflect such changes periodically by qualified personnel, with independent reviews and approvals.
Summary of the SPS PRA History The Level 1 and Level 2 SPS PRA analyses were originally developed and submitted to the Nuclear Regulatory Commission (NRC) in 1991 as the Individual Plant Examination (IPE) submittal. The SPS PRA has been updated many times, since the original IPE. A summary of the SPS PRA history is as follows:
* Original IPE (August 1991)
* Individual Plant Examination External Events (IPEEE) 1991 through 1994
* 1998 -Data update; update to address issues needed to support the Maintenance Rule program
* 1998 - Data update; update to address issues needed to support the Maintenance Rule program
* 2001 -Data update; update to address more Maintenance Rule issues, address peer review Facts and Observations (F&Os)
* 2001 - Data update; update to address more Maintenance Rule issues, address peer review Facts and Observations (F&Os)
* 2002 -Update RCP seal LOCA model due to installation of high temperature o-rings; added internal flooding, additional changes for Maintenance Rule and Safety Monitor
* 2002 - Update RCP seal LOCA model due to installation of high temperature o-rings; added internal flooding, additional changes for Maintenance Rule and Safety Monitor
* 2004 -Update to address applicable F&Os from North Anna peer review
* 2004 - Update to address applicable F&Os from North Anna peer review
* 2005 -Update to include plant changes to reduce turbine building flood risk
* 2005 - Update to include plant changes to reduce turbine building flood risk
* 2006 -Data update and update to address MSPI requirements
* 2006 - Data update and update to address MSPI requirements
* 2006 -Update to support ESGR chilled water Tech Spec change; added loss of main control room HVAC and loss of instrument air to the model; added logic from the IPEEE fire and seismic models
* 2006 - Update to support ESGR chilled water Tech Spec change; added loss of main control room HVAC and loss of instrument air to the model; added logic from the IPEEE fire and seismic models
* 2009 - Data update; addressed American Society of Mechanical Engineers (ASME) PRA Standard SRs that were not met; extensive changes throughout the model as the model was converted to CAFTA
* 2009 - Data update; addressed American Society of Mechanical Engineers (ASME) PRA Standard SRs that were not met; extensive changes throughout the model as the model was converted to CAFTA
* 2009 - Updated Interfacing Systems LOCA (ISLOCA) initiator frequency, added EDG and AAC diesel fails to load (FTL) basic events, and added rupture failure of the SW expansion joints for the CCW heat exchangers as flood scenarios (current model of record) The SPS PRA model has benefited from the following technical PRA peer reviews. 1998 NEI PRA Peer Review The SPS internal events PRA received a formal industry PRA model peer review in 1998. The purpose of the PRA peer review process is to provide a method for establishing the technical quality of a PRA model for the spectrum of potential risk-informed plant licensing applications for which the PRA model may be used. The PRA peer review process used a team composed of industry PRA and system analysts, each with significant expertise in both PRA model development and PRA applications.
 
This team provided both an objective review of the PRA technical elements and a subjective assessment, based on their PRA experience, regarding the acceptability of the PRA elements.
The team used a set of checklists as a framework within which to evaluate the scope, comprehensiveness, completeness, and fidelity of the PRA products available.
* 2009 - Updated Interfacing Systems LOCA (ISLOCA) initiator frequency, added EDG and AAC diesel fails to load (FTL) basic events, and added rupture failure of the SW expansion joints for the CCW heat exchangers as flood scenarios (current model of record)
The SPS review team used the "Westinghouse Owner's Group (WOG) Peer Review Process Guidance" as the basis for the review. The general scope of the PRA peer review included a review of eleven main technical elements, using checklist tables (to cover the elements and sub-elements), for an at-power PRA including internal events, internal flooding, and containment performance, with focus on Large Early Release Frequency (LERF). The F&Os from the PRA peer review were prioritized into four categories (A through D) based upon importance to the completeness of the model. Categories A and B F&Os are considered significant enough that the technical adequacy of the model may be impacted.
The SPS PRA model has benefited from the following technical PRA peer reviews.
Categories C and D are considered minor. Subsequent to the peer review, the model has been updated to address all Category A, B, and D F&Os. Category B items from the 1998 NEI PRA Peer Review (all closed) are listed below:
1998 NEI PRA Peer Review The SPS internal events PRA received a formal industry PRA model peer review in 1998. The purpose of the PRA peer review process is to provide a method for establishing the technical quality of a PRA model for the spectrum of potential risk-informed plant licensing applications for which the PRA model may be used. The PRA peer review process used a team composed of industry PRA and system analysts, each with significant expertise in both PRA model development and PRA applications. This team provided both an objective review of the PRA technical elements and a subjective assessment, based on their PRA experience, regarding the acceptability of the PRA elements. The team used a set of checklists as a framework within which to evaluate the scope, comprehensiveness, completeness, and fidelity of the PRA products available. The SPS review team used the "Westinghouse Owner's Group (WOG) Peer Review Process Guidance" as the basis for the review.
OBSERVATION OBSERVATION (ID: AS-2 ) I ElementAS I Subelement 5 and 9 (Also MU) OBSERVATION (ID: AS-8 ) I Element _AS __ I Subelement
The general scope of the PRA peer review included a review of eleven main technical elements, using checklist tables (to cover the elements and sub-elements), for an at-power PRA including internal events, internal flooding, and containment performance, with focus on Large Early Release Frequency (LERF).
_AS-12_ Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 3 of 36 1998 NEI PRA Peer Review Category B Closed Items OBSERVATION Detail The models and analyses are consistent, as best as the reviewers could determine, with the as built plant, and were consistent with plant operating procedures at the time the IPE was completed.
The F&Os from the PRA peer review were prioritized into four categories (A through D) based upon importance to the completeness of the model. Categories A and B F&Os are considered significant enough that the technical adequacy of the model may be impacted. Categories C and D are considered minor. Subsequent to the peer review, the model has been updated to address all Category A, B, and D F&Os. Category B items from the 1998 NEI PRA Peer Review (all closed) are listed below:
However, there is no process in place to identify and incorporate changes in plant operation into the PRA model. This process should also include periodic review of industry standards that may impact the PRA. Some examples of where such a process could impact the model include, the timing for switchover to hot leg recirculation after event initiation (9 hours in the current EOP), and a review of potential impacts on the PSA due to the power uprate program. The focus of this comment is on the lack of process more than any current discrepancies found in the model, and is related to the IPE Maintenance and Update Process elements.
 
The RCP seal LOCA model appears to include an optimistic interpretation of the WOG and NRC models, and does not include a contribution from early seal failure. POSSIBLE RESOLUTION Establish a formal process for identifying changes to plant procedures (EOPs/AOPs), and evaluating the impact of these changes on the PRA model. This process should also include periodic review of industry standards that may affect modeling assumptions and success criteria used in the PRA. The resolution of this comment should be incorporated as an element of the PRA Maintenance and Update Process. Consider an evaluation of the sensitivity of the PRA results to use of a model that includes the possibility of early seal failure. Also evaluate the potential impact on the model due to recent changes to the WOG seal cooling restoration emergency response guidelines (advising against restoration of seal cooling after a relatively brief cooling loss). PLANT RESPONSE OR RESOLUTION PRA update guidance was developed, which includes a review of plant procedures (EOPs), assumptions for components, and system recovery models based upon human actions (Nuclear Safety Analysis Manual - Part IV, Chapter J, subsequently superseded by PRA Manual - Part IV, Chapter A). The current industry guidance suggests a voluntary periodic review of industry standards, which will be considered as resources allow. Recent PRA updates (S03A, S05A) provide examples of the process. An RC pump seal failure model (the so-called Rhodes model) that is acceptable to the NRC for use in PRA was developed and implemented for the T4, T1A and T6 event trees. This model addresses the probability of early seal failure, and does not allow restoration of seal cooling after a relatively brief cooling loss. For Surry, the model is discussed fully in SM-1296, implemented in the SOA-D PRA models.
For the S03A model, the T1A (SBO) accident sequence model was revised to be fully consistent with the WOG2000 RCP seal LOCA model, and the T4 and T6 accident sequences models were revised to incorporate simplified logic consistent with the WOG2000 model. STATUS This F&O is Closed. The PRA adequately addresses early seal failure contribution, so this F&O is CLOSED. Future model updates are planned to include additional model detail (and remove conservatisms) for the seal failure contribution for events other than T1A.
Serial No. 16-1SO Docket Nos. 50-280/281 Attachment 4 Page 3 of 36 1998 NEI PRA Peer Review Category B Closed Items OBSERVATION         OBSERVATION Detail                                      POSSIBLE RESOLUTION          PLANT RESPONSE OR RESOLUTION                                  STATUS OBSERVATION        The models and analyses are consistent, as best as the    Establish a formal process    PRA update guidance was developed, which includes a            This F&O is Closed.
OBSERVATION OBSERVATION Detail OBSERVATION The models for the EDGs do include common cause (ID: DA-6 ) I failures of fuel oil system. In general the models do Element ___QA_ I consider common/shared components and support Subelement DA-systems explicitly.
(ID: AS-2     )   I reviewers could determine, with the as built plant, and   for identifying changes to    review of plant procedures (EOPs), assumptions for ElementAS I         were consistent with plant operating procedures at the    plant procedures              components, and system recovery models based upon Subelement 5 and    time the IPE was completed. However, there is no          (EOPs/AOPs), and              human actions (Nuclear Safety Analysis Manual - Part 9    (Also MU)      process in place to identify and incorporate changes in    evaluating the impact of      IV, Chapter J, subsequently superseded by PRA Manual plant operation into the PRA model. This process           these changes on the PRA      - Part IV, Chapter A). The current industry guidance should also include periodic review of industry standards model. This process should    suggests a voluntary periodic review of industry that may impact the PRA. Some examples of where           also include periodic review  standards, which will be considered as resources allow.
The models do not appear to include 11 the effects of common maintenance crews or I&C technicians.
such a process could impact the model include, the         of industry standards that    Recent PRA updates (S03A, S05A) provide examples of timing for switchover to hot leg recirculation after event may affect modeling          the process.
Specifically, there is no consideration of common cause miscalibration of instrumentation channels.
initiation (9 hours in the current EOP), and a review of   assumptions and success potential impacts on the PSA due to the power uprate       criteria used in the PRA.
OBSERVATION
program. The focus of this comment is on the lack of       The resolution of this process more than any current discrepancies found in       comment should be the model, and is related to the IPE Maintenance and       incorporated as an element Update Process elements.                                   of the PRA Maintenance and Update Process.
{Implementation of NUREG/CR-4780 methodology) (ID: DA-8 ) I Reviewers question the validity of the approach used for Element defining CCF terms, by adding fail to start and fail to run DA/DE I data variables.
OBSERVATION        The RCP seal LOCA model appears to include an             Consider an evaluation of    An RC pump seal failure model (the so-called Rhodes            The PRA adequately (ID: AS-8    )  I  optimistic interpretation of the WOG and NRC models,       the sensitivity of the PRA    model) that is acceptable to the NRC for use in PRA            addresses early seal Element _AS _ _      and does not include a contribution from early seal       results to use of a model    was developed and implemented for the T4, T1A and T6          failure contribution, so I Subelement        failure.                                                  that includes the possibility event trees. This model addresses the probability of           this F&O is CLOSED.
Method added value of QD and A, but Subelement DA-the events are not consistent (i.e. per-demand and per-12/DE-9 hour). Assuming a mission time of one hour and a demand for the device, the terms can be added. But what if: 1. Common cause failure is dominated by running failures, there is no mission time associated with the use of the common cause term -non-conservative result 2. Running failure rate is comparable to start term, but common cause dominated by start terms -overly conservative result. OBSERVATION The common cause failure probability of valves failing (ID: DA-9 ) I due to plugging is (0.1)(1.25-7 f/hr)(2160 hrs), or about Element ___QA_ I 1 E-4. The 0.1 beta factor used for this calculation may Subelement
_AS-12_                                                                        of early seal failure. Also  early seal failure, and does not allow restoration of seal    Future model updates evaluate the potential        cooling after a relatively brief cooling loss. For Surry, the are planned to include impact on the model due to   model is discussed fully in SM-1296, implemented in the        additional model detail recent changes to the WOG     SOA-D PRA models. For the S03A model, the T1A                  (and remove seal cooling restoration     (SBO) accident sequence model was revised to be fully          conservatisms) for the emergency response           consistent with the WOG2000 RCP seal LOCA model,              seal failure contribution guidelines (advising against and the T4 and T6 accident sequences models were              for events other than restoration of seal cooling   revised to incorporate simplified logic consistent with the    T1A.
_9 __ be overly conservative.
after a relatively brief     WOG2000 model.
The net result is that many of the top sequences (for the 3-year maintenance case) involve common cause valve plugging terms. It is unusual to have passive equipment failures be so prominent in the dominant cutsets (more prominent than active equipment failures).
cooling loss).
POSSIBLE RESOLUTION Update the models to include common cause instrumentation miscalibration.
 
Documentation should at least include a qualitative discussion of the potential impact of common maintenance crews and similar procedures.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 4 of 36 OBSERVATION      OBSERVATION Detail                                        POSSIBLE RESOLUTION          PLANT RESPONSE OR RESOLUTION                               STATUS OBSERVATION    The models for the EDGs do include common cause            Update the models to        Miscalibration of instrumentation channels is resolved as  This F&O is CLOSED.
The documentation should also highlight areas where CCF was not included because of design diversity or other similar considerations.
(ID: DA-6 )   I  failures of fuel oil system. In general the models do      include common cause        a human reliability rather than an equipment common Element ___QA_ I consider common/shared components and support              instrumentation              cause fault. The HEP fault behaves the same as an Subelement DA-  systems explicitly. The models do not appear to include    miscalibration.             equipment CCF, but is quantified on the basis of human 11              the effects of common maintenance crews or I&C              Documentation should at      error rather than equipment reliability. For North Anna, technicians. Specifically, there is no consideration of    least include a qualitative  HEP events are created for the following instrument common cause miscalibration of instrumentation              discussion of the potential  channels: EDG, 1-LM-PT-100A/B/C/D, MS flow, MS channels.                                                  impact of common            differential pressure, MS low pressure, and pressurizer maintenance crews and        pressure. The models are discussed fully in SM-1269, similar procedures. The      implemented in the NOA-D PRA models. For Surry, HEP documentation should also    events are created for the following instrument channels:
Reevaluate CCF analysis as described in Surry guidance documents.
highlight areas where CCF    EDG, 1-LM-PT-100A/B/C/D, MS flow, MS differential was not included because of  pressure, steam generator level, pressurizer pressure design diversity or other    RWST level, intake canal level and RC delta T and similar considerations.     TAVE. The models are discussed fully in SM-1310, implemented in the SOA-D PRA models.
Fully incorporate NUREG/CR-4780 methods. Consider the use of a more realistic beta factor in the analysis.
OBSERVATION    {Implementation of NUREG/CR-4780 methodology)              Reevaluate CCF analysis as  The common cause fault (CCF) approach is revised to        This F&O is CLOSED.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 4 of 36 STATUS: This F&O is CLOSED. PLANT RESPONSE OR RESOLUTION: Miscalibration of instrumentation channels is resolved as a human reliability rather than an equipment common cause fault. The HEP fault behaves the same as an equipment CCF, but is quantified on the basis of human error rather than equipment reliability.
(ID: DA-8 )   I Reviewers question the validity of the approach used for    described in Surry guidance  incorporate the following: Alpha-factor model, INEEL Element         defining CCF terms, by adding fail to start and fail to run documents. Fully            data base of CCF events from NUREG/CR-6268, DA/DE    I    data variables. Method added value of QD and A, but        incorporate NUREG/CR-       different failure modes (run and demand), and different Subelement DA-   the events are not consistent (i.e. per-demand and per-     4780 methods.                CCF events based upon population size (e.g., 2 of 3 as 12/DE-9         hour). Assuming a mission time of one hour and a                                         well as 3 of 3 CCF events. Guidance for the CCF demand for the device, the terms can be added. But                                       models was taken from NUREG/CR-5485, which what if:                                                                                 extends the technology developed for NUREG/CR-4780.
For North Anna, HEP events are created for the following instrument channels:
: 1. Common cause failure is dominated by running                                         The models are discussed fully in SM-1309, failures, there is no mission time associated with the use                               implemented in the SOA-D PRA models for Surry, and in of the common cause term - non-conservative result                                       the DA.3 notebook and revisions prepared for
EDG, 1-LM-PT-100A/B/C/D, MS flow, MS differential pressure, MS low pressure, and pressurizer pressure.
: 2. Running failure rate is comparable to start term, but                                 subsequent model updates (starting with S03A).
The models are discussed fully in SM-1269, implemented in the NOA-D PRA models. For Surry, HEP events are created for the following instrument channels:
common cause dominated by start terms - overly conservative result.
EDG, 1-LM-PT-100A/B/C/D, MS flow, MS differential pressure, steam generator level, pressurizer pressure, RWST level, intake canal level and RC delta T and TAVE. The models are discussed fully in SM-1310, implemented in the SOA-D PRA models. STATUS: This F&O is CLOSED. The common cause fault (CCF) approach is revised to incorporate the following:
OBSERVATION   The common cause failure probability of valves failing     Consider the use of a more  The common cause fault (CCF) approach is revised to        This F&O is CLOSED.
Alpha-factor model, INEEL data base of CCF events from NUREG/CR-6268, different failure modes (run and demand), and different CCF events based upon population size (e.g., 2 of 3 as well as 3 of 3 CCF events). Guidance for the CCF models was taken from NUREG/CR-5485, which extends the technology developed for NUREG/CR-4780.
(ID: DA-9 )   I due to plugging is (0.1)(1.25-7 f/hr)(2160 hrs), or about   realistic beta factor in the incorporate the following: Alpha-factor model, INEEL Element ___QA_ I 1E-4. The 0.1 beta factor used for this calculation may     analysis.                    data base of CCF events from NUREG/CR-6268, Subelement _9__  be overly conservative. The net result is that many of                                   different failure modes (run and demand), and different the top sequences (for the 3-year maintenance case)                                     CCF events based upon population size (e.g., 2 of 3 as involve common cause valve plugging terms. It is                                         well as 3 of 3 CCF events. Guidance for the CCF unusual to have passive equipment failures be so                                         models was taken from NUREG/CR-5485, which prominent in the dominant cutsets (more prominent than                                   extends the technology developed for NUREG/CR-4780.
The models are discussed fully in SM-1309, implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (starting with S03A). STATUS: This F&O is CLOSED. The common cause fault (CCF) approach is revised to incorporate the following:
active equipment failures).                                                             The models are discussed fully in SM-1309, implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (starting with S03A).
Alpha-factor model, INEEL data base of CCF events from NUREG/CR-6268, different failure modes (run and demand), and different CCF events based upon population size (e.g., 2 of 3 as well as 3 of 3 CCF events). Guidance for the CCF models was taken from NUREG/CR-5485, which extends the technology developed for NUREG/CR-4780.
 
The models are discussed fully in SM-1309, implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (starting with S03A).
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 5 of 36 OBSERVATION            OBSERVATION Detail                                        POSSIBLE RESOLUTION            PLANT RESPONSE OR RESOLUTION                               STATUS OBSERVATION          The methods used to determine CCF groups are                The generic data base          The common cause fault (CCF) approach was revised to      This F&O is CLOSED.
OBSERVATION OBSERVATION (ID: DE-3 ) I Element _DE_ I Subelement
(ID: DE-3      )      I simplistic. Determination of the set of active              development project            incorporate the following: Alpha-factor model, INEEL Element _DE_ I          components based on 1% contribution to CDF severely          identifies a large number of    data base of CCF events from NUREG/CR-6268, Subelement _8_ _        limits the number and type of common cause terms            common-cause groups.            different failure modes (run and demand), and different used in the model. As an evaluation tool for plant          Incorporate these groups or    CCF events based upon population size (e.g., 2 of 3 as vulnerabilities (i.e., the IPE), it is more than sufficient, better justify their exclusion. well as 3 of 3 CCF events). Guidance for the CCF but as an evaluation tool for Risk-informed Applications,                                    models was taken from NUREG/CR-5485, which it is not enough. Events that should be considered                                          extends the technology developed for NUREG/CR-4780.
_8 __ OBSERVATION (ID: HR-2) I Element HR/DE/SY I Subelements HR-4,7/DE-7/SY OBSERVATION (ID: HR-4 ) I Element---1::!.R..__
include: Breaker fail to operate (Open/Close) Auxiliary                                      The models are discussed fully in SM-1309, Feedwater Pumps (back-leakage)            Ventilation fans                                  implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (starting with S03A).
I Subelement
OBSERVATION          Table D.1-1 of Section D.1 of the Surry IPE lists the pre-   Provide the basis for          Miscalibration of instrumentation channels is resolved as  This F&O is CLOSED.
_jL_ OBSERVATION Detail The methods used to determine CCF groups are simplistic.
(ID: HR-2)        I    initiator errors considered in the analysis. The list        excluding miscalibration        a human reliability rather than an equipment common Element                contains only mispositioning events (valves, blank          events, or develop              cause fault. The HEP fault behaves the same as an HR/DE/SY I            flanges, etc.). No instrument miscalibration events are     appropriate events for          equipment CCF, but is quantified on the basis of human Subelements HR-         contained in the list. The procedure for system analysis    inclusion in the next update    error rather than equipment reliability. For North Anna, 4,7/DE-7/SY          (page 19 of 58) indicates that common cause His should      of the PSA model.               HEP events are created for the following instrument be modeled for miscalibration of instruments used to                                        channels: EDG, 1-LM-PT-100A/B/C/D, MS flow, MS initiate systems following an action or in any standby                                      differential pressure, MS low pressure, and pressurizer equipment items such as the level instrumentation in                                        pressure. The models are discussed fully in SM-1269, storage tanks.                                                                              implemented in the NOA-D PRA models. For Surry, HEP events are created for the following instrument channels:
Determination of the set of active components based on 1% contribution to CDF severely limits the number and type of common cause terms used in the model. As an evaluation tool for plant vulnerabilities (i.e., the IPE), it is more than sufficient, but as an evaluation tool for Risk-informed Applications, it is not enough. Events that should be considered include: Breaker fail to operate (Open/Close)
EDG, 1-LM-PT-100A/B/C/D, MS flow, MS differential pressure, steam generator level, pressurizer pressure, RWST level, intake canal level and RC delta T and TAVE. The models are discussed fully in SM-1310, implemented in the SOA-D PRA models.
Auxiliary Feedwater Pumps (back-leakage)
OBSERVATION           HEP development for the IPE model was extensively            Perform and document            The HEP events developed since the IPE have received        This F&O is CLOSED.
Ventilation fans Table D.1-1 of Section D.1 of the Surry IPE lists the initiator errors considered in the analysis.
(ID: HR-4 )        I  documented; however, HEPs developed for subsequent          development of HEPs that        detailed analysis. For North Anna, the models are Element---1::!.R..__ I  updates of the IPE model were not as well documented        arise from model updates.      discussed fully in SM-1269, implemented in the NOA-D Subelement _jL_        (and by implication, were not developed in as much                                          PRA models. For Surry, the models are discussed fully detail). For many of the HEPs in subsequent updates, a                                      in SM-1310, implemented in the SOA-D PRA models, value of 0.1 was used. It is not clear whether this is a                                    and in the HR-series notebooks developed for the S03A screening value or some other value.                                                        and subsequent updates. This process was also reviewed as part of the HRA re-peer review exercise prior to the RG 1.200 review for Surry.
The list contains only mispositioning events (valves, blank flanges, etc.). No instrument miscalibration events are contained in the list. The procedure for system analysis (page 19 of 58) indicates that common cause His should be modeled for miscalibration of instruments used to initiate systems following an action or in any standby equipment items such as the level instrumentation in storage tanks. HEP development for the IPE model was extensively documented; however, HEPs developed for subsequent updates of the IPE model were not as well documented (and by implication, were not developed in as much detail). For many of the HEPs in subsequent updates, a value of 0.1 was used. It is not clear whether this is a screening value or some other value. POSSIBLE RESOLUTION The generic data base development project identifies a large number of common-cause groups. Incorporate these groups or better justify their exclusion.
 
Provide the basis for excluding miscalibration events, or develop appropriate events for inclusion in the next update of the PSA model. Perform and document development of HEPs that arise from model updates. Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 5 of 36 PLANT RESPONSE OR RESOLUTION The common cause fault (CCF) approach was revised to incorporate the following:
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 6 of 36 OBSERVATION        OBSERVATION Detail                                        POSSIBLE RESOLUTION          PLANT RESPONSE OR RESOLUTION                                STATUS OBSERVATION      In a sensitivity analysis (SM-1174, Addendum A) to          Reevaluate dependence        The dependency among the HEPs is being evaluated            This F&O is CLOSED.
Alpha-factor model, INEEL data base of CCF events from NUREG/CR-6268, different failure modes (run and demand), and different CCF events based upon population size (e.g., 2 of 3 as well as 3 of 3 CCF events). Guidance for the CCF models was taken from NUREG/CR-5485, which extends the technology developed for NUREG/CR-4780.
(ID: HR-5 )    I  evaluate dependency among His contained in cutsets,        without excessive emphasis-  based on the following principles (SM-1310):
The models are discussed fully in SM-1309, implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (starting with S03A). Miscalibration of instrumentation channels is resolved as a human reliability rather than an equipment common cause fault. The HEP fault behaves the same as an equipment CCF, but is quantified on the basis of human error rather than equipment reliability.
Element __!:!R_ I  time between actions was listed as the major factor in     on time between actions.      1. Functions: If two HEPs are working for two different Subelement __.l.&sect;_ establishing independence of the operator actions. In                                    functions, these two HEPs will be justified as most cases, time (itself) is not an adequate factor, but is                              independent HEPs.
For North Anna, HEP events are created for the following instrument channels:
a parameter which can be associated with more                                            2. Steps of procedure: Because operators are trained to defensible factors. For example, one cutset contained                                    follow procedure step by step, on the view of operators, two HEPs -- one for early SG isolation following a SGTR                                  each step is a new and independent instruction. If two and one for late SG isolation. The time difference of                                     HEPs are based on two different steps or two different several hours between the actions was cited as the                                        procedures, even these two HEPs work for the same basis for the actions' independence. Better factors for                                   function, they still may be justified as independent independence might have been different clues calling for                                 HEPs. A sensitivity analysis was performed for the S03A the need to isolate the SG or actuation of the TSC, or                                    model update (and has been incorporated into the PRA additional/new crew for the late isolation. All of these                                  quantification process for subsequent updates) to review are related to time, but time (itself) is not the factor.                                 the cutsets with multiple HEPs and determine if a dependency may exist between the HEPs. Refer to the PRA QU.2 notebooks for further detail. This process was also reviewed as part of the HRA re-peer review exercise prior to the RG 1.200 review for Surry.
EDG, 1-LM-PT-100A/B/C/D, MS flow, MS differential pressure, MS low pressure, and pressurizer pressure.
OBSERVATION      Initiating event frequencies have not been updated since    Include an update of          The North Anna and Surry initiating event frequencies        This F&O is CLOSED.
The models are discussed fully in SM-1269, implemented in the NOA-D PRA models. For Surry, HEP events are created for the following instrument channels:
(ID: IE-3 )  I    the IPE submittal in 1991. As a result, recent industry    initiating event frequencies  were updated in the NOA-D and SOA-D PRA updates by Element _l_E_ I    information and operating experience have not been          during the next update.       several sources. The rare initiator frequencies from Subelement _1_3_  incorporated into the initiating events analysis. This     Also, individual applications NUREG/CR-5750 are used as priors for Bayesian (Also MU)         information could alter the initiating event frequencies    should be reviewed to         updating with plant specific histories. The moderate currently contained in the model. For example:              determine if they are        frequency transient initiating event frequencies are Two plants (Salem and Wolf Creek) have                  affected before submittal or  created from plant specific data (1990-2000 LERs) and experienced losses of circulating and service water that    implementation.              a non-informative gamma prior distribution. Finally, resulted in plant trips.                                                                  some plant unique initiating events are quantified with One plant (Oconee) has experienced a small break                                      new fault tree models directly linked to the integrated LOCA (thermal fatigue of charging line).                                                  PRA model. For North Anna, these models are One plant (WNP-2) has experienced an internal                                        discussed fully in Calculation SM-1266, implemented in flood.                                                                                    the NOA-D PRA models. 
For Surry, these models are A draft NUREG updating initiating events has (very                                    discussed fully in Calculation SM-1307, implemented in recently) been issued (LOCA frequencies, particularly,                                    the SOA-D PRA models. All IE frequencies have have been affected).                                                                      subsequently been updated in 2005 and documented in the IE.1 and IE.2 notebooks.
EDG, 1-LM-PT-100A/B/C/D, MS flow, MS differential pressure, steam generator level, pressurizer pressure, RWST level, intake canal level and RC delta T and TAVE. The models are discussed fully in SM-1310, implemented in the SOA-D PRA models. The HEP events developed since the IPE have received detailed analysis.
 
For North Anna, the models are discussed fully in SM-1269, implemented in the NOA-D PRA models. For Surry, the models are discussed fully in SM-1310, implemented in the SOA-D PRA models, and in the HR-series notebooks developed for the S03A and subsequent updates. This process was also reviewed as part of the HRA re-peer review exercise prior to the RG 1.200 review for Surry. STATUS This F&O is CLOSED. This F&O is CLOSED. This F&O is CLOSED.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 7 of 36 OBSERVATION        OBSERVATION Detail                                      POSSIBLE RESOLUTION            PLANT RESPONSE OR RESOLUTION                                STATUS OBSERVATION      A recent industry event (Oconee) involved a small break   Evaluate the susceptibility of The referenced Oconee event was evaluated as part of       This F&O is CLOSED.
OBSERVATION OBSERVATION Detail OBSERVATION In a sensitivity analysis (SM-1174, Addendum A) to (ID: HR-5 ) I evaluate dependency among His contained in cutsets, Element __!:!R_ I time between actions was listed as the major factor in Subelement
(ID: IE-4    )   I  LOCA (>10 gpm) at the charging line connection to the      the Surry piping to this    ** INPO SEN 163, Recurring Event, High Pressure Element _IE_ I      RCS. The mechanism for the crack in the thermal            failure mechanism, and        Injection Line Leak, and as part of NRC IN 97-46, Subelement          sleeve at the connection point was thermal fatigue. Is    adjust the LOCA                Unisolable Crack in High-Pressure Injection Piping.
__.l.&sect;_ establishing independence of the operator actions. In most cases, time (itself) is not an adequate factor, but is a parameter which can be associated with more defensible factors. For example, one cutset contained two HEPs --one for early SG isolation following a SGTR and one for late SG isolation.
7      (Also MU) the Surry piping subject to this type of event? If so, has frequencies, as appropriate. The design of the CVCS and HHSI systems at both it been considered in the initiating event frequency?                                    North Anna and Surry is significantly different than that of Oconee, Unit 2. NAPS and SPS designs do not include combination CVCS makeup and HHSI lines.
The time difference of several hours between the actions was cited as the basis for the actions' independence.
Each unit has only one CVCS makeup line which carries full makeup flow and the CVCS system employs a regenerative heat exchanger to heat the makeup water to within 100 degrees of the RCS cold leg temperature, thereby minimizing thermal shock. The Oconee failure mechanism is not considered valid for the North Anna or Surry designs, and should not require LOCA frequency adjustment. The current North Anna and Surry LOCA frequencies are developed from NUREG/CR-5750, per the evaluation in the IE.2 PRA notebook. This NUREG observed that no small LOCA events had occurred in U.
Better factors for independence might have been different clues calling for the need to isolate the SG or actuation of the TSC, or additional/new crew for the late isolation.
S. nuclear power plants up to 1995. However, the 1997 Oconee 2 event could possibly be categorized as a very small LOCA / leak, and four such events from 1987 -
All of these are related to time, but time (itself) is not the factor. OBSERVATION Initiating event frequencies have not been updated since (ID: IE-3 ) I the IPE submittal in 1991. As a result, recent industry Element _l_E_ I information and operating experience have not been Subelement
1995 are included within the NUREG/CR-5750 initiating event frequencies.
_1_3_ incorporated into the initiating events analysis.
 
This (Also MU) information could alter the initiating event frequencies currently contained in the model. For example: Two plants (Salem and Wolf Creek) have experienced losses of circulating and service water that resulted in plant trips. One plant (Oconee) has experienced a small break LOCA (thermal fatigue of charging line). One plant (WNP-2) has experienced an internal flood. A draft NUREG updating initiating events has (very recently) been issued (LOCA frequencies, particularly, have been affected).
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 8 of 36 OBSERVATION    OBSERVATION Detail                                    POSSIBLE RESOLUTION          PLANT RESPONSE OR RESOLUTION                                STATUS OBSERVATION  An industry issue of about 5-6 years ago was the        Determine if the ISLOCA      The industry issue initially surfaced in July 1984 as a      Additional information (ID:: IE-5 ) I creation of an ISLOCA caused by a leak in an RCP        path is applicable to the   Westinghouse 10 CFR Part 21 issue. However, since            can be found in a Element IE  I thermal barrier heat exchanger and a failure to isolate  Surry model, and address it, Westinghouse was not the source vendor for the Surry        7/9/1990 NRC letter Subelem~      the CCW lines that provided cooling water to the heat    if appropriate.             CC system, this Part 21 issue was not communicated to        (Serial No. 90-442), and 14          exchanger. How was this potential ISLOCA pathway                                      Surry at that time. In May 1989, Surry communicated          drawings 11448-FM-treated by the initiating events analysis? Does it apply                              this issue to NRC and subsequently, NRC Information          072A shts 1 through 4.
POSSIBLE RESOLUTION Reevaluate dependence without excessive emphasis-on time between actions. Include an update of initiating event frequencies during the next update. Also, individual applications should be reviewed to determine if they are affected before submittal or implementation.
to the Surry model?                                                                  Notice 89-54 (June 23, 1989) was issued to all                This F&O is CLOSED.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 6 of 36 STATUS: This F&O is CLOSED. PLANT RESPONSE OR RESOLUTION: The dependency among the HEPs is being evaluated based on the following principles (SM-1310):
licensees. This NRC IN is probably the source of the industry issue quoted in the certification comment. Surry submitted system design information to NRC in a June 5, 1989 letter to NRC (Serial No. 89-406) clarifying resolution of the concern. This licensee response provides a detailed description of the problem and an assessment of the resolution. In summary, the operating history of Westinghouse RC Pump (RCP) thermal barriers indicates only one minor internal leak in over 12 million hours of operation (8.3 E-8/hr or 7.3 E-4/yr). Catastrophic failure of RCP thermal barrier is not a credible event. Westinghouse calculated the credible leak rate at 7.5 gpm. This low leak rate is due to high water purity in RC and CC water, conservatism in tube design supporting tube collapse rather than cracking, and low crack propagation due to external forces tending to close crack. The existing 1989 design was sufficient for isolating the RCP thermal barrier leak, but design enhancements were pursued since manual operator action is required for the credible leak (automatic isolation would occur for leak rates higher than 10 gpm). The event would not be classified an interfacing system LOCA (ISLOCA) since the CC system would be isolated from the RCS, and all isolation would occur within the containment. More appropriately, the event would be classified a very small break LOCA (based upon the 7.5 gpm credible leak) with a frequency well below the Surry and North Anna IPE S2 frequency of 2.1 E-2/yr.
: 1. Functions:
 
If two HEPs are working for two different functions, these two HEPs will be justified as independent HEPs. 2. Steps of procedure:
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 9 of 36 OBSERVATION        OBSERVATION Detail                                       POSSIBLE RESOLUTION         PLANT RESPONSE OR RESOLUTION                                  STATUS OBSERVATION     The FMEA portion of the Initiating Events notebook          Determine the plant's      The Surry LOSW IE is actually an evolution of a loss of        This F&O is CLOSED.
Because operators are trained to follow procedure step by step, on the view of operators, each step is a new and independent instruction.
(ID: IE-8    )   I (page 12 of 28) states that screen wash pumps do not        susceptibility to clogged  circ water initiator. We do not currently model this with a Element _IE_/      have to operate during an accident. The implication is      intake screens, and update  fault tree, so there is no specific screen clogging Subelement _ll_    that because of this there is no need to consider the       the initiating event        contribution identified for this initiator. Currently, the screen wash system further. However, clogged screens        frequency as appropriate. Surry PRA uses a plant specific Bayesian update of can cause plant trips, and this failure mechanism should                                generic industry experience for loss of Circulating Water be considered in the development of initiating event                                    to evaluate the IE-T6 (Loss of Circulating Water) frequencies. Recent industry events at Salem and Wolf                                  frequency. The plant specific clogged screen failure Creek illustrate a plant's susceptibility to clogged intake                            event is therefore considered, since it is part of the screens.                                                                               overall industry and plant-specific experience leading to loss of CW. However, an evaluation has been performed for the S03A model update to establish that the IE frequency used for this event would encompass contributions from events such as clogged intake screens / screen wash faults. Should the model be changed in the future to model this IE with a fault tree, this failure mechanism would be addressed explicitly.
If two HEPs are based on two different steps or two different procedures, even if these two HEPs work for the same function, they still may be justified as independent HEPs. A sensitivity analysis was performed for the S03A model update (and has been incorporated into the PRA quantification process for subsequent updates) to review the cutsets with multiple HEPs and determine if a dependency may exist between the HEPs. Refer to the PRA QU.2 notebooks for further detail. This process was also reviewed as part of the HRA re-peer review exercise prior to the RG 1.200 review for Surry. The North Anna and Surry initiating event frequencies This F&O is CLOSED. were updated in the NOA-D and SOA-D PRA updates by several sources. The rare initiator frequencies from NUREG/CR-5750 are used as priors for Bayesian updating with plant specific histories.
OBSERVATION      The reactor core has been upgraded to 2586 MWt. Has        Ensure that the effects of  The effect of the 4.5% core power uprate on the timing          This F&O is CLOSED.
The moderate frequency transient initiating event frequencies are created from plant specific data (1990-2000 LERs) and a non-informative gamma prior distribution.
(ID: IE-9) I      the effect of this change been considered on the           increased core power have  of HEPs used in the SPS PRA Model, and on the Element ___lg_ I  moderator temperature coefficient/reactivity feedback,     been properly accounted for success criteria of hardware credited in the SPS PRA Subelement        particularly for early in a core's life? Also, has the      in the analysis.            Model has been evaluated using MAAP 4.0.5. The 16      (Also  increased decay heat load been considered in the                                       results of the analysis show that no changes are see AS-9, and MU)  success criteria for decay heat removal?                                                required to the current success criteria or HEP calculations. The details of the analysis are documented in SPS Notebook SPS-RA.MD.SC.001 Rev 0.
Finally, some plant unique initiating events are quantified with new fault tree models directly linked to the integrated PRA model. For North Anna, these models are discussed fully in Calculation SM-1266, implemented in the NOA-D PRA models. For Surry, these models are discussed fully in Calculation SM-1307, implemented in the SOA-D PRA models. All IE frequencies have subsequently been updated in 2005 and documented in the IE.1 and IE.2 notebooks.
 
OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION OBSERVATION A recent industry event (Oconee) involved a small break Evaluate the susceptibility of (ID: IE-4 ) I LOCA (>10 gpm) at the charging line connection to the the Surry piping to this ** Element _IE_ I RCS. The mechanism for the crack in the thermal failure mechanism, and Subelement sleeve at the connection point was thermal fatigue. Is adjust the LOCA 7 (Also MU) the Surry piping subject to this type of event? If so, has frequencies, as appropriate.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 10 of 36 OBSERVATION          OBSERVATION Detail                                       POSSIBLE RESOLUTION          PLANT RESPONSE OR RESOLUTION                              STATUS OBSERVATION         The consequences of operator actions after core            Include appropriate          Our Level I model takes into account all human error        The approach taken is (ID: L2-2      )   I damage are not considered in the PSA or the LERF            consideration of EOP (and    probabilities due to EOP actions. The human error          consistent with that Element L2            assessment. After core damage has occurred, the            also SAMG) actions in the   probabilities based on SAMG actions are not                applied in other PWR I Subelement _8        control room staff will continue to attempt to implement    PSA models                  incorporated into our model. According to WOG              PRAs, but this issue will and 10_                EOP actions (and now SAMG actions). Considering the                                      procedures, once the core temperature reaches 1200 F,      be treated as a EOP actions, only those that prevent core damage                                        the operator leaves the EOPs and enters the SAMGs          recognized source of (have an impact on the CDF) are modeled in the Level 1                                  (control room guideline SACRG-1). Our Level I model        uncertainty in the LERF PSA. Several EOP actions that can impact the LERF                                        was developed independent of the SAMG actions. We          model. With this action, are:                                                                                    recognize that inappropriate SAMG actions may cause        this F&O is CLOSED.
it been considered in the initiating event frequency?
FR-C.1 actions to depressurize the RCS at the onset                                  negative consequences which may result in greater of core overheating greatly decreases the probability of                                source term releases to the atmosphere. For this a high pressure reactor vessel failure, while significantly                              reason a technical support center (TSC) is formed that increasing: a) the potential for core concrete                                          reviews real time plant parameter data and provides interactions, and b) the fission product release from                                    expert guidance to the operation staff during a severe RCS to containment (which, in turn, increases the                                       accident condition. Additionally training on the SAMGs source term for containment failures).                                                   is provided every 3 years which includes a discussion of FR-H.1 actions to establish some type of feedwater                                    these cautions and recommendations to the operators.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 7 of 36 PLANT RESPONSE OR RESOLUTION STATUS The referenced Oconee event was evaluated as part of This F&O is CLOSED. INPO SEN 163, Recurring Event, High Pressure Injection Line Leak, and as part of NRC IN 97-46, Unisolable Crack in High-Pressure Injection Piping. The design of the CVCS and HHSI systems at both North Anna and Surry is significantly different than that of Oconee, Unit 2. NAPS and SPS designs do not include combination CVCS makeup and HHSI lines. Each unit has only one CVCS makeup line which carries full makeup flow and the CVCS system employs a regenerative heat exchanger to heat the makeup water to within 100 degrees of the RCS cold leg temperature, thereby minimizing thermal shock. The Oconee failure mechanism is not considered valid for the North Anna or Surry designs, and should not require LOCA frequency adjustment.
flow to the SGs increases the chances of SG tube failure                                The operators are taught to be aware of their plants due to thermal stresses of cold water being injected onto                                most dominant accident sequences and the hot SG tubes, but can also increase the potential for                                    consequences of inadequate actions.
The Current North Anna and Surry LOCA frequencies are developed from NUREG/CR-5750, per the evaluation in the IE.2 PRA notebook.
arresting the core damage in-vessel. These two aspects can impact the LERF.
This NUREG observed that no small LOCA events had occurred in U. S. nuclear power plants up to 1995. However, the 1997 Oconee 2 event could possibly be categorized as a very small LOCA / leak, and four such events from 1987 -1995 are included within the NUREG/CR-5750 initiating event frequencies.
ECA-0.0 actions to start sprays when offsite power is restored. This can prevent overpressure failure of containment, but can also de-inert containment and lead to a hydrogen burn. When combined with the added hydrogen from in-vessel recovery, the hydrogen burn may challenge containment. Also, these operator actions should be substantiated by an HRA analysis to determine the HEP. The plant has also completed implementation of the SAMG. The SAMG contains a set of accident management strategies that would be implemented for each of the core damage accidents.
OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION OBSERVATION An industry issue of about 5-6 years ago was the Determine if the ISLOCA (ID:: IE-5 ) I creation of an ISLOCA caused by a leak in an RCP path is applicable to the Element IE I thermal barrier heat exchanger and a failure to isolate Surry model, and address it, the CCW lines that provided cooling water to the heat if appropriate.
14 exchanger.
How was this potential ISLOCA pathway treated by the initiating events analysis?
Does it apply to the Surry model? Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 8 of 36 PLANT RESPONSE OR RESOLUTION STATUS The industry issue initially surfaced in July 1984 as a Additional information Westinghouse 10 CFR Part 21 issue. However, since can be found in a Westinghouse was not the source vendor for the Surry 7 /9/1990 NRC letter CC system, this Part 21 issue was not communicated to (Serial No. 90-442), and Surry at that time. In May 1989, Surry communicated drawings 11448-FM-this issue to NRC and subsequently, NRC Information 072A shts 1 through 4. Notice 89-54 (June 23, 1989) was issued to all This F&O is CLOSED. licensees.
This NRC IN is probably the source of the industry issue quoted in the certification comment. Surry submitted system design information to NRC in a June 5, 1989 letter to NRC (Serial No. 89-406) clarifying resolution of the concern. This licensee response provides a detailed description of the problem and an assessment of the resolution.
In summary, the operating history of Westinghouse RC Pump (RCP) thermal barriers indicates only one minor internal leak in over 12 million hours of operation (8.3 E-8/hr or 7.3 E-4/yr). Catastrophic failure of RCP thermal barrier is not a credible event. Westinghouse calculated the credible leak rate at 7.5 gpm. This low leak rate is due to high water purity in RC and CC water, conservatism in tube design supporting tube collapse rather than cracking, and low crack propagation due to external forces tending to close crack. The existing 1989 design was sufficient for isolating the RCP thermal barrier leak, but design enhancements were pursued since manual operator action is required for the credible leak (automatic isolation would occur for leak rates higher than 10 gpm). The event would not be classified an interfacing system LOCA (ISLOCA) since the CC system would be isolated from the RCS, and all isolation would occur within the containment.
More appropriately, the event would be classified a very small break LOCA (based upon the 7.5 gpm credible leak) with a frequency well below the Surry and North Anna IPE S2 frequency of 2.1 E-2/yr.
OBSERVATION OBSERVATION Detail OBSERVATION The FMEA portion of the Initiating Events notebook (ID: IE-8 ) I (page 12 of 28) states that screen wash pumps do not Element _IE_/ have to operate during an accident.
The implication is Subelement
_ll_ that because of this there is no need to consider the screen wash system further. However, clogged screens can cause plant trips, and this failure mechanism should be considered in the development of initiating event frequencies.
Recent industry events at Salem and Wolf Creek illustrate a plant's susceptibility to clogged intake screens. OBSERVATION The reactor core has been upgraded to 2586 MWt. Has (ID: IE-9) I the effect of this change been considered on the Element ___lg_ I moderator temperature coefficient/reactivity feedback, Subelement particularly for early in a core's life? Also, has the 16 (Also increased decay heat load been considered in the see AS-9, and MU) success criteria for decay heat removal? POSSIBLE RESOLUTION Determine the plant's susceptibility to clogged intake screens, and update the initiating event frequency as appropriate.
Ensure that the effects of increased core power have been properly accounted for in the analysis.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 9 of 36 PLANT RESPONSE OR RESOLUTION STATUS The Surry LOSW IE is actually an evolution of a loss of This F&O is CLOSED. circ water initiator.
We do not currently model this with a fault tree, so there is no specific screen clogging contribution identified for this initiator.
Currently, the Surry PRA uses a plant specific Bayesian update of generic industry experience for loss of Circulating Water to evaluate the IE-T6 (Loss of Circulating Water) frequency.
The plant specific clogged screen failure event is therefore considered, since it is part of the overall industry and plant-specific experience leading to loss of CW. However, an evaluation has been performed for the S03A model update to establish that the IE frequency used for this event would encompass contributions from events such as clogged intake screens / screen wash faults. Should the model be changed in the future to model this IE with a fault tree, this failure mechanism would be addressed explicitly.
The effect of the 4.5% core power uprate on the timing This F&O is CLOSED. of HEPs used in the SPS PRA Model, and on the success criteria of hardware credited in the SPS PRA Model has been evaluated using MAAP 4.0.5. The results of the analysis show that no changes are required to the current success criteria or HEP calculations.
The details of the analysis are documented in SPS Notebook SPS-RA.MD.SC.001 Rev 0.
OBSERVATION OBSERVATION (ID: L2-2 ) I Element L2 I Subelement
_8 and 10_ OBSERVATION (ID: MU-2 ) I Element .....M!L.._
I Subelement
_4 __ OBSERVATION Detail The consequences of operator actions after core damage are not considered in the PSA or the LERF assessment.
After core damage has occurred, the control room staff will continue to attempt to implement EOP actions (and now SAMG actions).
Considering the EOP actions, only those that prevent core damage (have an impact on the CDF) are modeled in the Level 1 PSA. Several EOP actions that can impact the LERF are: FR-C.1 actions to depressurize the RCS at the onset of core overheating greatly decreases the probability of a high pressure reactor vessel failure, while significantly increasing:
a) the potential for core concrete interactions, and b) the fission product release from RCS to containment (which, in turn, increases the source term for containment failures).
FR-H.1 actions to establish some type of feedwater flow to the SGs increases the chances of SG tube failure due to thermal stresses of cold water being injected onto hot SG tubes, but can also increase the potential for arresting the core damage in-vessel.
These two aspects can impact the LERF. ECA-0.0 actions to start sprays when offsite power is restored.
This can prevent overpressure failure of containment, but can also de-inert containment and lead to a hydrogen burn. When combined with the added hydrogen from in-vessel recovery, the hydrogen burn may challenge containment.
Also, these operator actions should be substantiated by an HRA analysis to determine the HEP. The plant has also completed implementation of the SAMG. The SAMG contains a set of accident management strategies that would be implemented for each of the core damage accidents.
The implementation of some of the strategies has negative consequences that should be addressed.
The core power has been upgraded.
OBSERVATION        The core power has been upgraded. Effects of this           At the next upgrade,        See discussion for equivalent F&O IE-09.                  This F&O is CLOSED.
Effects of this change have not been incorporated into the PSA model. Factors that could be affected by the core power upgrade include the moderator temperature coefficient (for ATWS) and the decay heat load (for several accident sequences).
(ID: MU-2 )      I  change have not been incorporated into the PSA model.       evaluate the effects of the Element .....M!L.._ I Factors that could be affected by the core power           core upgrade and Subelement _4__      upgrade include the moderator temperature coefficient       incorporate, as appropriate, (for ATWS) and the decay heat load (for several             into the PSA model.
POSSIBLE RESOLUTION Include appropriate consideration of EOP (and also SAMG) actions in the PSA models At the next upgrade, evaluate the effects of the core upgrade and incorporate, as appropriate, into the PSA model. Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 10 of 36 PLANT RESPONSE OR RESOLUTION Our Level I model takes into account all human error probabilities due to EOP actions. The human error probabilities based on SAMG actions are not incorporated into our model. According to WOG procedures, once the core temperature reaches 1200 F, the operator leaves the EOPs and enters the SAMGs (control room guideline SACRG-1).
accident sequences).
Our Level I model was developed independent of the SAMG actions. We recognize that inappropriate SAMG actions may cause negative consequences which may result in greater source term releases to the atmosphere.
 
For this reason a technical support center (TSC) is formed that reviews real time plant parameter data and provides expert guidance to the operation staff during a severe accident condition.
Serial No. 16-180
Additionally training on the SAMGs is provided every 3 years which includes a discussion of these cautions and recommendations to the operators.
Docket Nos. 50-280/281 Attachment 4 Page 11 of 36 OBSERVATION      OBSERVATION Detail                                    POSSIBLE RESOLUTION            PLANT RESPONSE OR RESOLUTION                                STATUS OBSERVATION    Requirements for review of operating experience, plant  Develop additional guidance    PRA update guidance was developed, which includes a        This F&O is Closed.
The operators are taught to be aware of their plants most dominant accident sequences and the consequences of inadequate actions. See discussion for equivalent F&O IE-09. STATUS The approach taken is consistent with that applied in other PWR PRAs, but this issue will be treated as a recognized source of uncertainty in the LERF model. With this action, this F&O is CLOSED. This F&O is CLOSED.
(ID: MU-3 )    I procedures, and plant-controlled documents in support    on the review process        review of: (1) Technical Specification revisions, (2)
OBSERVATION OBSERVATION Detail POSSIBLE RESOLUTION OBSERVATION Requirements for review of operating experience, plant Develop additional guidance (ID: MU-3 ) I procedures, and plant-controlled documents in support on .the review process Element __M!L_ 1 of a PSA update are not detailed in the PSA guidance . requirements, describing Subelement
Element __M!L_ 1  of a PSA update are not detailed in the PSA guidance   requirements, describing      station engineering Design Change lists, (3) station Subelement _4_    documents.                                               which data should be          procedures, and (4) operating experience. (Nuclear reviewed and how the           Safety Analysis Manual - Part IV, Chapter J, review should be               subsequently superseded by PRA Manual - Part IV, documented.                    Chapter A). Recent PRA updates (S03A, SOSA) provide examples of the process.
_4_ documents.
OBSERVATION    Activities to evaluate the effects on the PSA of changes Revisit initiator frequencies, Both the Surry and North Anna PRA models have been          This F&O is CLOSED.
which data should be reviewed and how the review should be documented.
(ID: MU-4 )   I to equipment failure rates, initiator frequencies, and   equipment failure rates, and  updated to include changes in data. For North Anna Element __M!!__ I human error probabilities are minimal.                   human error probabilities      and Surry, initiating events were updated as Subelement __§__                                                          with each update to            documented in calculations SM-1266 for North Anna determine whether they are    and SM-1370 for Surry. Component unavailabilities were still adequately estimated. updated for both North Anna and Surry as documented in calculations SM-1266 and SM-1308, respectively. The component reliabilities for risk significant pumps and the EDGs were Bayesian updated with plant specific data for Surry as documented in SM-1311. Further, a full data update was performed in 2005 for the MSPI update, as documented in the DA series of PRA notebooks. The HEPs were reviewed and updated as necessary following the PRA self-assessment per RG 1.200 and in response to the subsequent HRA re-peer review comments. Input from Operations personnel at Surry was obtained to provide better estimation of the times associated with the performance of emergency procedures. A PRA update process and schedule addressing data updates has been implemented in the PRA Manual.
OBSERVATION Activities to evaluate the effects on the PSA of changes Revisit initiator frequencies, (ID: MU-4 ) I to equipment failure rates, initiator frequencies, and equipment failure rates, and. Element __M!!__ I human error probabilities are minimal. human error probabilities Subelement
 
__§__ with each update to determine whether they are still adequately estimated.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 12 of 36 OBSERVATION      OBSERVATION Detail                                        POSSIBLE RESOLUTION            PLANT RESPONSE OR RESOLUTION                              STATUS OBSERVATION    The program does not appear to have a formal                The following suggestions,    PRA update guidance was developed, which includes a      This F&O is Closed.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 11 of 36 PLANT RESPONSE OR RESOLUTION STATUS PRA update guidance was developed, which includes a This F&O is Closed. review of: (1) Technical Specification revisions, (2) station engineering Design Change lists, (3) station procedures, and (4) operating experience. (Nuclear Safety Analysis Manual -Part IV, Chapter J, subsequently superseded by PRA Part IV, Chapter A). Recent PRA updates (S03A, SOSA) provide examples of the process. Both the Surry and North Anna PRA models have been This F&O is CLOSED. updated to include changes in data. For North Anna and Surry, initiating events were updated as documented in calculations SM-1266 for North Anna and SM-1370 for Surry. Component unavailabilities were updated for both North Anna and Surry as documented in calculations SM-1266 and SM-1308, respectively.
(ID: SY-2) I    requirement for incorporating changes based on plant        while directed to the          review of: (1) Technical Specification revisions, (2)
The component reliabilities for risk significant pumps and the EDGs were Bayesian updated with plant specific data for Surry as documented in SM-1311. Further, a full data update was performed in 2005 for the MSPI update, as documented in the DA series of PRA notebooks.
Element _SY_ I  design changes. For example, a later EOP change              systems analysis element,      station engineering Design Change lists, (3) station Subelement      identifies the time to hot leg recirculation switchover as 9 are actually applicable more  procedures, and (4) operating experience. (Nuclear
The HEPs were reviewed and updated as necessary following the PRA self-assessment per RG 1.200 and in response to the subsequent HRA re-peer review comments.
_5_(See also AS- hours. The model says 16 hours. There is an advantage        broadly, within the context of Safety Analysis Manual - Part IV, Chapter J, 5, and MU)      to identifying operator actions to specific procedure        the overall PSA                subsequently superseded by PRA Manual - Part IV, steps. The downside is, procedures change. Thus, the         Maintenance and Update        Chapter A). Recent PRA updates (S03A, SOSA) provide models and documentation need to be updated                  process.                      examples of the process.
Input from Operations personnel at Surry was obtained to provide better estimation of the times associated with the performance of emergency procedures.
periodically.                                                1. Develop a PSA change program that tracks identified changes to procedures, design, etc.
A PRA update process and schedule addressing data updates has been implemented in the PRA Manual.
Develop a process for incorporating changes into the PSA. NOTE: This does necessarily mean formal review required; notification from the program sponsor (Procedures group, admin, design engineering, etc.) is sufficient for most changes.
OBSERVATION OBSERVATION Detail OBSERVATION The program does not appear to have a formal (ID: SY-2) I requirement for incorporating changes based on plant Element _SY_ I design changes. For example, a later EOP change Subelement identifies the time to hot leg recirculation switchover as 9 _5_(See also AS-hours. The model says 16 hours. There is an advantage 5, and MU) to identifying operator actions to specific procedure steps. The downside is, procedures change. Thus, the models and documentation need to be updated periodically.
: 2. Consider becoming part of the review cycle for selected changes (e.g., for risk significant system design changes, PSA review is required). This will probably require a change to plant, engineering procedures. There are going to be changes in plant configuration that could significantly affect the PSA.
POSSIBLE RESOLUTION The following suggestions, while directed to the systems analysis element, are actually applicable more broadly, within the context of the overall PSA Maintenance and Update process. 1. Develop a PSA change program that tracks identified changes to procedures, design, etc. Develop a process for incorporating changes into the PSA. NOTE: This does necessarily mean formal review required; notification from the program sponsor (Procedures group, admin, design engineering, etc.) is sufficient for most changes. 2. Consider becoming part of the review cycle for selected changes (e.g., for risk significant system design changes, PSA review is required).
A formal review by the PSA group for selected changes has the potential for saving money (change should not be made in terms of plant risk), minimizing the effects of the change on the PSA and PSA based programs and possibly identifying alternative changes.
This will probably require a change to plant, engineering procedures.
 
There are going to be changes in plant configuration that could significantly affect the PSA. A formal review by the PSA group for selected changes has the potential for saving money (change should not be made in terms of plant risk}, minimizing the effects of the change on the PSA and PSA based programs and possibly identifying alternative changes. Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 12 of 36 PLANT RESPONSE OR RESOLUTION STATUS PRA update guidance was developed, which includes a This F&O is Closed. review of: (1) Technical Specification revisions, (2) station engineering Design Change lists, (3) station procedures, and (4) operating experience. (Nuclear Safety Analysis Manual -Part IV, Chapter J, subsequently superseded by PRA Manual -Part IV, Chapter A). Recent PRA updates (S03A, SOSA) provide examples of the process.
Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 13 of 36 OBSERVATION          OBSERVATION Detail                                      POSSIBLE RESOLUTION -    PLANT RESPONSE OR RESOLUTION                                STATUS OBSERVATION        The RPS model does not properly identify the required     1. Review the RPS system Fault trees RP1 for both Surry and North Anna were          This F&O is CLOSED.
OBSERVATION OBSERVATION Detail OBSERVATION The RPS model does not properly identify the required (ID: SY-4 ) I support systems. RPS logic receives power from Class Element _SY_ I 1E 125V DC buses 1A and 1B. Failure of the DC buses Subelement removes power to the RTB shunt trip coils which limits -12_ operator action in the control room if reactor trip fails. OBSERVATION The RPS logic model is incorrect.
(ID: SY-4 )      I  support systems. RPS logic receives power from Class      and include DC power    revised to include separate logic for RTA and RTB Element _SY_ I      1E 125V DC buses 1A and 1B. Failure of the DC buses        dependency.             including the input logic signal with recovery. The Subelement          removes power to the RTB shunt trip coils which limits                              models also include failure of the trip breaker
The fault tree (ID: SY-5 ) I indicates that success of either logic train allows Element _SY_ I challenge to both reactor trip breakers.
- 12_                operator action in the control room if reactor trip fails.                          (RTA/RTB), and RTA/RTB recovery through the shunt trip relay (including failure of 125 VDC, human reliability model, and failure of the shunt trip relay). The models are discussed fully in SM-1151, implemented in the SOA-D PRA models for Surry, and in SM-1292, implemented in the NOA-D PRA models for North Anna.
Actual design is Subelement logic train A sends signal to RTA and logic train B sends _5 __ signal to RTB. OBSERVATION Review of HHSI: SM-1162, SPPR 97-018, S2.07.1 (ID: SY-11 ) I (page 7 of 27). System notebook update states 1A and Element ...fil__ I 1 C charging pumps are dependent on CCW (for Subelement SY-5 recirculation).
OBSERVATION        The RPS logic model is incorrect. The fault tree          Correct the logic model. Fault trees RP1 for both Surry and North Anna were          This F&O is CLOSED.
What about Unit 2? 1 B is not dependent on CCW due to a design change. What about Unit 2? How are unit to unit differences identified and modeled? Dependency table from IPE model wasn't updated in SM-1162 or SM-1165 to account for CCW dependency.
(ID: SY- 5  )     I indicates that success of either logic train allows                                revised to include separate logic for RTA and RTB Element _SY_ I      challenge to both reactor trip breakers. Actual design is                          including the input logic signal with recovery. The Subelement          logic train A sends signal to RTA and logic train B sends                          models also include failure of the trip breaker
Also, success criteria section of system notebook was not updated. POSSIBLE RESOLUTION
_5_ _                signal to RTB.                                                                      (RTNRTB), and RTA/RTB recovery thorough the shunt trip relay (including failure of 125 voe, human reliability model, and failure of the shunt trip relay). The models are discussed fully in SM-1151, implemented in the SOA-D PRA models for Surry, and in SM-1292, implemented in the NOA-D PRA models for North Anna.
-1 . Review the RPS system and include DC power dependency.
OBSERVATION       Review of HHSI: SM-1162, SPPR 97-018, S2.07.1              Set up Unit 2 model, or  Surry charging pumps have seal coolers with a CC              This F&O is CLOSED.
Correct the logic model. Set up Unit 2 model, or address impact on CDF. Serial No. 16-180 Docket Nos. 50-280/281 Attachment 4 Page 13 of 36 PLANT RESPONSE OR RESOLUTION STATUS Fault trees RP1 for both Surry and North Anna were This F&O is CLOSED. revised to include separate logic for RTA and RTB including the input logic signal with recovery.
(ID: SY-11 )    I    (page 7 of 27). System notebook update states 1A and       address impact on CDF. cooling dependency that currently has a difference Element ...fil__ I   1C charging pumps are dependent on CCW (for                                         between Units 1 and 2. For Surry Unit 1, the A & C Subelement SY-5     recirculation). What about Unit 2? 1B is not dependent                             pump seal coolers 1-CH-E-7NB/E/F require CC cooling, on CCW due to a design change. What about Unit 2?                                   but the B pump seal coolers 1-CH-E-7C/D are isolated How are unit to unit differences identified and modeled?                           (11448-FM-071 B Sh 2). For Surry Unit 2, all NB/C Dependency table from IPE model wasn't updated in                                   pump seal coolers 2-CH-E-7A/B/C/D/E/F require CC SM-1162 or SM-1165 to account for CCW dependency.                                   cooling (11548-FM-071 B Sh 2). Potentially, all Surry Also, success criteria section of system notebook was                               charging pumps may be upgraded so that their CHP not updated.                                                                       seal coolers can be isolated, but at this time, only the Surry Unit 1 B pump does not require CC cooling, which explains the difference between Surry Unit 1 and 2 charging pump CC cooling. Update as of S05A model:
The models also include failure of the trip breaker (RTNRTB), and RTNRTB recovery thorough the shunt trip relay (including failure of 125 voe, human reliability model, and failure of the shunt trip relay). The models are discussed fully in SM-1151, implemented in the SOA-D PRA models for Surry, and in SM-1292, implemented in the NOA-D PRA models for North Anna. Fault trees RP1 for both Surry and North Anna were This F&O is CLOSED. revised to include separate logic for RTA and RTB including the input logic signal with recovery.
the dependency on CC has been added to the 1B pump as well, to account for the possibility that cooling might be needed if the pumps were used for high head recirculation with hot sump water. Note: This is a legacy model issue. The current configuration of Surry Power Station is that no charging pump seal Coolers are normally isolated. The S007Aa model reflects the current olant confiauration.
The models also include failure of the trip breaker (RTNRTB), and RTA/RTB recovery thorough the shunt trip relay (including failure of 125 voe, human reliability model, and failure of the shunt trip relay). The models are discussed fully in SM-1151, implemented in the SOA-D PRA models for Surry, and in SM-1292, implemented in the NOA-D PRA models for North Anna. Surry charging pumps have seal coolers with a CC This F&O is CLOSED. cooling dependency that currently has a difference between Units 1 and 2. For Surry Unit 1, the A & C pump seal coolers 1-CH-E-7NB/E/F require CC cooling, but the B pump seal coolers 1-CH-E-7C/D are isolated (11448-FM-071 B Sh 2). For Surry Unit 2, all NB/C pump seal coolers 2-CH-E-7A/B/C/D/E/F require CC cooling (11548-FM-071 B Sh 2). Potentially, all Surry charging pumps may be upgraded so that their CHP seal coolers can be isolated, but at this time, only the Surry Unit 1 B pump does not require CC cooling, which explains the difference between Surry Unit 1 and 2 charging pump CC cooling. Update as of S05A model: the dependency on CC has been added to the 1 B pump as well, to account for the possibility that cooling might be needed if the pumps were used for high head recirculation with hot sump water. Note: This is a legacy model issue. The current configuration of Surry Power Station is that no charging pump seal Coolers are normally isolated.
 
The S007Aa model reflects the current olant confiauration.
OBSERVATION (ID: TH-2), Element TH, Subelement 8
OBSERVATION Detail: Several HVAC systems are modeled in detail and are well documented. These include ESGR room cooling and the Auxiliary Building Ventilation System, but these are the only ventilation dependencies modeled in the PSA. Some of the systems models provide a one line assumption stating that room cooling is not required, but little if any basis is provided for these assumptions. Based on discussions with the PSA group engineers during this review, it appears that the HVAC requirements were adequately addressed in the modeling process, but the assumptions were not clearly documented, and no process is defined for the determination of the need for room cooling.
POSSIBLE RESOLUTION: Develop more detailed documentation for modeling assumptions regarding HVAC requirements. Provide basis for excluding HVAC dependencies where HVAC is not modeled explicitly. It may be appropriate to include an overview of HVAC issues as part of a dependencies notebook.
PLANT RESPONSE OR RESOLUTION: HVAC dependencies are addressed in the fault trees where needed, and discussions are provided in individual system notebooks (SY.3 series) and the dependency notebook (SY.1). An integrated HVAC dependency document has not been prepared. Regarding specific dependencies: The charging pumps and the emergency switchgear room already have ventilation dependencies included in the PRA model. The other major components with potential HVAC dependencies were evaluated and found to have a negligible ventilation dependency. Those SSC's are as follows:
* Low Head Safety Injection pumps - The LHSI pumps take suction from the cold RWST early during a LOCA. After Recirculation Mode Transfer, the sump water will be cooled by the RSHX's, so that LHSI ventilation is not necessary.
* Outside Recirculation Spray pumps - The CS subsystem provides approximately 300 gpm 45°F water from RWST to each ORSP. There is no ceiling in the ORSP rooms. It is not a closed room. Hence, the room ventilation is not necessary.
* Emergency Diesel Generators - The EDG's have self-contained cooling systems.
* Alternate AC Generator - The AAC DG has a self-contained cooling system.
* Auxiliary Feedwater pumps - These pumps take suction from the ECST or a backup system that is at ambient temperature. They are therefore self-cooling and require no HVAC.
* Station batteries - The heat load in this room is the batteries themselves and the heat load from the batteries may be ignored.
* Turbine building SSC's - The potentially important SSC's in the TB are the MFW and the CN pumps, in case they are needed as a backup to the AFW system. On a reactor trip, the FW heaters no longer function as heaters and both CN and MFW flows are at relatively cold condenser temperatures. The Turbine Building SSC's are therefore self-cooling.
STATUS: This F&O is CLOSED.

There are only 3 Category C F&Os that need to be addressed and they are listed below:
Category C F&Os that Need to be Addressed
* DE-1 - Develop a system to initiating event dependency matrix to better show the dependencies modeled for each initiator. (PRA Configuration Control Database (PRACC) record 4023)
* DE-4 - Develop master dependency matrices for front-line to front-line, for support to front-line, and initiator to system dependencies. (PRACC record 4023)
* SY-13 - Update references that support mission times that are less than 24 hours. (PRACC record 4012)
All three of these involve documentation issues that do not impact the PRA model results and do not affect the technical adequacy of the PRA model. Records have been added in the PRACC database to track the above tasks to completion.
2010 SPS PRA Focused Peer Review
The Surry PRA model underwent a focused peer review in February 2010 using the PRA Peer Review Certification process performed by the Pressurized-Water Reactor Owners Group (PWROG). To determine whether a full scope or focused peer review was necessary, the changes to each of the model elements were reviewed to assess whether the changes involved either of the following:
* new methodology
* significant change in the scope or capability
If changes to an element involved either a new methodology or a significant scope or capability change, then the element requires a peer review as required in the ASME PRA standard (RA-Sb-2005). Based on the assessment of the changes to each PRA model element, a peer review was performed on the elements shown below:

Peer Reviewed Elements (Element - High Level Requirement)
* IE - Initiating Events - Initiating Events Review support system initiator modeling meets SRs IE-C6, C7, C8, C9, and C12.
* AS - Accident Sequence - Accident Sequence Review upgraded event trees for SBO, RCP Seal, LOCA, SGTR and ATWS meets all HLRs for AS.
* HR - Human Reliability Analysis - Human Reliability Review implementation of SPAR-H methodology meets HLR-HR-G.
* IF - Internal Flooding - Internal Flooding Review internal flooding model meets all HLRs for IF.
* QU - Quantification - Quantification Review conversion to CAFTA meets HLRs for QU-B, C, and D.

The AS and IF elements required a full review against all of the high level requirements (HLRs). However, changes in the IE, HR and QU elements only required specific HLR verification. The review process included:
* Review of the PRA model against the technical elements and associated supporting requirements (SRs) - Focus is on meeting capability category II.
* At the SR level, the review team's judgment was used to assess whether the PRA meets one of the three capability categories for each of the SRs.
* Evaluation of the PRA model is supported by:
** NEI 05-04 process,
** Addendum to ASME/ANS PRA Standard RA-S-2008,
** SR interpretations from ASME website,
** NRC clarifications and qualifications as provided in Appendix A of RG 1.200, Rev. 2,
** Reviewers' experience and knowledge,
** Consensus with fellow reviewers, and
** Input and clarifications from the host utility.
The gaps identified during the self-assessment and the ones that remain to be addressed are listed in the table below:

2010 SPS Peer Review Remaining Gaps that Need to be Addressed

Gap #1
Description: For each flood area, identify the potential sources of flooding
NEI Element / ASME SR: IFSO-B1
Current Status / Comment: No documentation on why floods in containment were screened out.
Importance to Application: None. This is judged to be a documentation consideration only and does not affect the technical adequacy of the PRA model or sequences relevant to this application.

Gap #2
Description: The NRC clarification for Cat II says to address jet impingement, humidity, etc. qualitatively using conservative assumptions
NEI Element / ASME SR: IFSN-A6
Current Status / Comment: No documentation discussing how jet impingement, pipe whip, humidity and other types of failures impact plant systems.
Importance to Application: This is judged to be primarily a documentation consideration only. This issue does not affect sequences relevant to this application.

Gap #3
Description: Document the relative contribution of contributors to LERF
NEI Element / ASME SR: LE-G3
Current Status / Comment: No documentation of LERF contributions for accident sequences.
Importance to Application: None. This is judged to be a documentation consideration only and does not affect the technical adequacy of the PRA model.

Gap #7
Description: Document the system functions and boundaries.
NEI Element / ASME SR: SY-C2
Current Status / Comment: All documentation requirements are considered met except for completion of walkdown checklists.
Importance to Application: None. This is judged to be a documentation consideration only and does not affect the technical adequacy of the PRA model.

Gap #9
Description: Initiating Event Fault Tree Modeling
NEI Element / ASME SR: IE-C10, IE-C12
Current Status / Comment: IE-C10: Not all possible combination of cutsets are captured. IE-C12: No comparison with generic sources for initiating events modeled using fault trees.
Importance to Application: A sensitivity study for this configuration demonstrated that the support system initiators as modeled did not impact the results (Note 3). Comparison with generic sources and similar plants is expected to render similar results to the IEs compared (Note 4).

Gap #10
Description: Use of SPAR-H methodology, which does not meet the intent of several SRs in the HR element.
NEI Element / ASME SR: HR-E3, HR-G4, HR-G6, HR-I2, HR-I3, HR-E4, HR-G1, HR-G3, HR-G5
Current Status / Comment: New Human Error Probabilities (HEPs) added to the SPS PRA were based on SPAR-H. The Peer Review identified the SPAR-H methodology is not a consensus model and has some limitations.
Importance to Application: This gap was evaluated by performing a sensitivity study (Sensitivity #1) which multiplies HEPs in the S007Aa model by 10. This sensitivity demonstrates that this issue does not impact the results of this analysis.

Gap #11
Description: Walkdown sheets do not contain all the requested information
NEI Element / ASME SR: IFSO-B2, IFQU-A9
Current Status / Comment: IFSO-B2: Complete the walkdown sheets and verify no impact to IF events. IFQU-A9: Similar to IFSO-B2, need to clearly document the spatial relationship between flood sources and PRA equipment.
Importance to Application: This is judged to be primarily a documentation consideration only. This issue does not affect sequences relevant to this application.
Notes:
Note 1: Gaps 4, 5, 6 and 8 have been addressed in S007Aa.
Note 2: Gaps 9 through 11 were identified during the 2010 PWROG focused PRA peer review.
Note 3: IE-C10: If fault-tree modeling is used for initiating events, CAPTURE within the initiating event fault tree models all relevant combinations of events involving the annual frequency of one component failure combined with the unavailability (or failure during the repair time of the first component) of other components. Following are the Peer Review comments with applicability response to this proposed change:
F&O: 2-2, 2-3 Assessment: Cat I-III is NOT Met
Basis: A review of SSIE cutsets found that they are not adequate due to:
(1) The cutsets do not include all possible combinations, for example, (a) Train A CCW pump fails-to-run and Train B CC pump fails-to-start is in the cutset, but other failure events that could lead to Train B CCW pump fails-to-start such as AC failure, No Actuation Signal are not included; (b) relief valve failure is not showing up in the cutsets of loss of CCW

===Response===
Fault tree reviews indicate that these types of basic events are modeled but are truncated out of the final results. Therefore, this F&O does not impact this analysis.
(2) Cutsets including both PROB-xxxxxB-STDBY (Train B) and PROB-xxxxxA-STDBY (Train A) events may be underestimating the impact

===Response===
Cutset review indicated that alignment probabilities were not significant to this evaluation.
(3) Surry SSIE models do not include passive failures (i.e. pipe breaks affecting only the source system) which are screened from the flooding analysis. These failure modes may be important in the SSIE model. For the CC system the model includes this IE, (%FLOOD-AB-SPRAY-CCP1ABCD SPRAY IN AUX BLDG 2'-0" ELEV IN VICINITY OF CC PUMPS 1-CC-P-1A/B/C/D)

===Response===
Inclusion of these low probability passive failure modes would not impact the significant accident scenarios because general plant transients are not significant to this application.
Note 4: IE-C12: COMPARE results and EXPLAIN differences in the initiating event analysis with generic data sources to provide a reasonableness check of the results. Following are the Peer Review comments with applicability response to this proposed change:
F&O: 3-4 Assessment: Cat I-III is NOT Met
Basis: Comparison of IE frequencies to industry mean values is performed in SPS PRA Notebook Part III, Volume IE.3, Revision 1, Table 2-4 by comparing 7 modeled Initiating Events with 5 other unit results and to NUREG/CR-5750. The remaining 12 Initiating Events (with Fault Trees) are not compared. Other Initiating Events are not compared.

===Response===
This is primarily a documentation concern. The Loss of SW IE was compared to the standard and the industry and was demonstrated to be reasonable. The SPS Loss of SW IE is unique due to the gravity feed configuration. The comparison of the modeled IEs demonstrated that the Surry frequencies were within the range of the standard and similar plants. The IEs that were not compared are expected to have similar results.
The following F&Os from the 2010 SPS PRA Focused Peer Review are considered closed:
2010 SPS Peer Review Closed F&Os


== Description:==
F&O: 1-10
Description: Mission time for TDAFW during a SBO is 24 hours, which is conservative.
F&O Comment: The turbine driven AFW pump logic used under gate U1-SGC-BO is based on a 24 hour mission time. This may be somewhat conservative since the turbine driven pump is only credited for 4 hours in SBO.
Dominion Response: The modeling of the TDAFW pump failure to run with a mission time of 24 hours instead of 4 hours is conservative. The basic approach taken for adding different running failure basic events with different mission times is that if the 24 hour mission time basic event has a high risk importance, then a new basic event with a mission time for the sequence would be developed. Since the importance of the TDAFW running failure basic events is not significant, a separate basic event was not added.
Status: This F&O question is considered Closed.

F&O: 3-5
Description: Consider adding some recovery basic events to the fault tree model instead of adding as part of post-quantification processing using QRECOVER.
F&O Comment: Recovery events are added to cutsets based on post-processing with QRECOVER and plant-specific rule file as discussed in SPS HR.3 notebook, Section 2.2, and the QU.1 notebook. Some recovery actions (e.g., REC-FTSCC and REC-FTSBC) should be modeled as HEPs in the FT so all pertinent cutsets are generated and dependency assessed. REC-FTSCC and REC-FTSBC are listed in HR.3 as recovery events; however, they are not utilized in the quantification process. These actions are typically utilized in Initiating Event fault trees in conjunction with auto-start failures. Not modeling these actions may cause cutsets not to be generated, dependencies not evaluated, and overall results impacted.
Dominion Response: The two recovery actions that the reviewer identified as not being in the Surry PRA model but were calculated in the HR.3 model notebook were removed from the model during the transition from the Winnupra model to the Cafta model. Since the standby pumps get an auto-start signal if the running pump fails, these recoveries were AND'd with the failure of the pressure switch. Since these were not showing up in the cutsets, it was determined that credit for the operator recovery would not be included. If these pressure switch failure basic events had a high importance, then adding the recovery credit would be considered.
Status: This F&O question is considered Closed.

F&O: 3-19
Description: Use of SPAR-H for HRA has limited accounting for Performance Shaping Factors
F&O Comment: The plant's approach to analyzing HEPs is more involved than the Category I requirements (it is actually closer to Category II/III), but it does not address all of the PSFs identified for the Category II/III requirements (a limitation of the SPAR-H method); therefore, MET was selected for Category I. While SPAR-H methodology is close to meeting CC II/III, one of the limitations is that the PSFs are limited to the eight chosen. Additionally, each of the eight PSFs should be evaluated for interaction impacts which are not covered by the method.
Dominion Response: Since this F&O relates to using SPAR-H, and F&O 3-18 indicates that SPAR-H method is not a valid method to meet Cat II, then this F&O will be closed out to F&O 3-18.
Status: This F&O question is considered Closed.


F&O: 2-8
Description: QU.2 does not include detailed description of the CDF and LERF cutsets.
F&O Comment: SPS QU.2 Notebook Section 2.3.2 discusses the dominant core damage accident sequences and has a detailed description of the top 5 sequences. Section 2.3.3 discusses the top CDF cutsets but does not document the review of a sample of significant cutsets. It is noted that Section 2.4.2 documents the review of nonsignificant cutsets. SPS QU.2 Notebook documents a review of the top 5 sequences but has no review of a sample of significant cutsets.
Dominion Response: Detailed descriptions of the CDF and LERF cutsets are contained in the worksheets named "Top 100 U1 CDF Cutsets" and "Top 100 U1 LERF Cutsets" in Attachment 3 of the QU.2 notebook.
Status: This F&O question is considered Closed.
2012 SPS PRA Focused Peer Review
A focused scope Peer Review of the SPS PRA model against the requirements of the ASME/ANS PRA standard RA-Sb-2005 and any Clarifications and Qualifications provided in the NRC endorsement of the Standard contained in Revision 2 to RG 1.200 was conducted in June, 2012. In the course of this review, thirty (30) new F&Os were prepared, including twenty-one (21) suggestions, and nine (9) findings. Many of these F&Os involve documentation issues. The 21 suggestions do not affect the technical adequacy of the PRA model and have no impact on the results of this evaluation. The following 9 findings have been evaluated as described in Table 4 below:
Nine Findings from 2012 SPS PRA Focused Peer Review

F&O: 1-2
Element: IE-C6
F&O Details: Scenario 1 in AS.2, Attachment 3, Appendix ISLOCA F is screened even though the event frequency would be greater than 1.0E-06 (calculated as 3.85E-06). This scenario should be reconsidered to ensure the screening is appropriately justified using the criteria specified in IE-C6.
Possible Resolution: Expand the discussion to include the probability of operator failure to secure HHSI and other failure modes that would result in continued HHSI operation given a rupture in the LHSI piping.
Basis of Significance: The calculated impact on CDF is small (<1%), the impact needs to be more fully documented to ensure the screening criteria is met.
Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16415), therefore this gap has no impact on this application.


F&O: 1-6
Element: QU-B7
F&O Details: This guidance does not seem to be technically supported by NUREG/CR-5485 Section 5.4.4 which only supports removal of combinations of two common cause failure events where the combinations include the same pump (e.g., CCF of Pumps A and B in combination with CCF of pumps A and C). Further, NUREG/CR-5485 Section 5.2 notes that NUREG/CR-4780, Volume 1 discusses conditions under which these combinations may be valid (see NUREG/CR-4780, Volume 1, Section 3.3.1).
Possible Resolution: Remove the mutually exclusive logic for common cause failures or modify the logic to ensure only combinations of events including a common component and failure mode (e.g., Component A Independent Failure to Start in combination with CCF of Component A and B to Start) are removed.
Basis of Significance: The impact of the removal of the basic event combinations cannot be estimated based on available information. However, because this process may impact the importance of high safety significant components, it is designated as a finding.
Importance to Application: A bounding sensitivity study evaluating the removal of the mutually exclusive logic for common cause failures results in an increase in the baseline CDF and LERF values (Ref. PRACC 16418). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.

F&O: 1-8
Element: DA-D5
F&O Details: A global assumption is made that staggered testing is applicable to all common cause events (SPS DA.3 Revision 5, Section 2.2.1, Item 1). Typically, some components such as containment isolation valves, HHSI isolation valves, and others may only be tested during the outages. Additional justification for application of the staggered testing assumption to those components tested on an 18 month basis during outages is needed.
Possible Resolution: Provide justification for application of the staggered testing assumption to components tested on an outage frequency including verification that redundant components are tested by different personnel at different times or apply alpha factors based on a non-staggered testing scheme to those components.
Basis of Significance: The alpha factors for components tested on a non-staggered basis are typically higher than those tested on a staggered basis. Therefore, this could be a significant impact on CDF or LERF depending on the specific components affected.
Importance to Application: A bounding sensitivity study changing all CCFs from "staggered basis" to "non-staggered basis" results in an increase in the baseline CDF and LERF values (Ref. PRACC 16419). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.


F&O: 1-10
Element: DA-D6, SY-B3
F&O Details: The AAC diesel is included in a common cause group with the other emergency diesel generators even though SPS notebook SY.3.EP states that "The AAC diesel has a different manufacturer for the generator and the diesel engine and is unique to both units." SPS DA.3 addresses this in an assumption that states that "If SBO diesel is modeled as one of the EDG CCF groups, because of the less similarity between the EDG and SBO diesel, the alpha factor of 3 of 3 EDGs CCF to run may be set as 1.06E-2 * 0.9 = 9.54E-3 and the alpha factor of AAC diesel and 2 EDGs CCF to run may be set as 1.06E-2 * 0.1 = 1.06E-3." However, there is no technical basis for the factor of 10 reduction, only a qualitative discussion, yet this is dispositioned as not being a source of uncertainty.
Possible Resolution: There are two approaches that can be considered. The most defensible approach would be to identify all legitimate common elements between the EDGs and the SBO diesel, review the CCFWIN database to exclude diesel failure mechanisms that are not common between the Surry EDGs and the SBO diesel, and calculate the actual alpha factors. The second approach would be to identify that the factor of 10 reduction in the alpha factor is an estimate without a numerical basis, which makes it a plant-specific modeling uncertainty for Surry. Then sensitivity analyses could provide some insight into the importance the assumed factor (0.1, 0.2, 0.5, etc.) would have on the results.
Basis of Significance: The qualitative discussion of not all diesel CCF mechanisms existing between the EDGs and the SBO diesel is legitimate. However, the selection of 0.1 does not have a numerical justification, and could potentially be conservative or non-conservative, and it is not apparent the degree to which it affects the results since no sensitivities were documented. Any modeling assumption that could result in lowering the importance of the EDGs could impact applications such as MSPI.
Importance to Application: A bounding sensitivity study evaluating the common cause group of emergency generators results in an increase in the baseline CDF and LERF values (Ref. PRACC 16420). However, the new increase in baseline CDF/LERF values would not impact the delta CDF/LERF results. Therefore, this gap has no impact on this application.

F&O: 2-2
Element: IE-C3
F&O Details: The issue of ISLOCA flood propagation and steaming effects in the Safeguards Building is not adequately addressed. Section 2.4 of the IE.1 notebook states that flooding/spatial effects need not be considered because an unisolated ISLOCA was assumed to go directly to core damage. However, if there is a successful isolation prior to core damage, there is still a question about the effects of the water/steam that was already leaked. For example, AFW pump operation should be shown not to be impacted, as well as potential effects on the credited isolation valve itself. The PRA staff researched the issue during the peer review and provided information that appears to justify the operability of the isolation valve, but additional analysis is required and needs to be documented.
Possible Resolution: For the successfully isolated ISLOCA sequences, consider potential flood and steam effects from water that leaked out the break prior to isolation. Also, consider the potential for the isolation valve to be failed due to the effects.
Basis of Significance: Flood propagation and steam effects may not be an issue, but it cannot be determined for certain without further evaluation.
Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16421), therefore this gap has no impact on this application.


F&O: 2-3
Element: DA-A2, DA-D6
F&O Details: Regarding component boundaries, Section 3.3.1 of the CCF GARD (NF-AA-PRA-101-2062, Rev. 4) states, "When defining common cause failure events (and utilizing generic data concerning the probability of these events), the analyst must ensure that the component boundaries assumed for common cause failures are consistent with the boundaries used for the independent failures." DOM.DA.1 Rev. 2 states "To ensure consistency between the generic database and the plant specific database, the component boundary needs to be verified. This notebook documents the generic database with component boundaries defined according to NUREG/CR-6928. This generic database shall be applicable to all of the Dominion PRA models." However, Assumption 8 in Section 2.2.1 of SPS DA.3 Rev. 5 states "CCF data boundaries were not compared to the boundaries of DOM DA.1. Generic common cause failure factors were used because no plant specific common cause failures were identified. A review of the generic common cause failures indicates that its boundaries were wider than DOM DA.1 boundaries."
Possible Resolution: Review CCF (and even the independent failure data) for component boundary consistency with the generic data and CCF factors.
Basis of Significance: While it is recognized that modeling extra events (such as diesel generator output breakers when they are part of the diesel component boundary in NUREG/CR-6928) is conservative, for accuracy and compliance with the Dominion GARD and DOM.DA.1 notebook, component boundaries should be consistent with the data.
Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement and as stated in the description adds modeling conservatism (Ref. PRACC 16422), therefore this gap has no impact on this application.


F&O: 2-5
Element: SY-B3, DA-A1
F&O Details: The CCF grouping appears to have been performed properly for pumps and some MOVs examined. However, checks of the Electric Power system model and check valves in SI and FW models show CCF combinations that are missing. In the Electric Power system model, the CCF of buses, inverters, breakers and fuel oil pump strainers (possibly other components as well) were modeled for complete failure of all in the group, but not for smaller numbers. For example, Table 3.8-1 shows 1EETFM-C8-480TFM being comprised of eight transformers. However, failure of a group as small as 2 (e.g., transformer 1H/1J) could be significant, as these transformers feed the 480V buses that power the 1A/2A and 1B/2B recirculation spray pumps. While it is acceptable to model CCF of combinations greater than 4 jointly (as is stated in the Section 3.2.2 of the GARD, this means creating a joint probability that sums all the 5/8, 6/8, 7/8 and 8/8 combinations into one), the individual combinations of 2, 3 and 4 still need to be captured.
Possible Resolution: Perform a thorough review of all system models to identify any missing CCF groups. It is acceptable to treat the combinations greater than 4 failures as a single event as long as the combinations are summed and treated as complete system failure. For such cases, it is still necessary to model the combinations of 2, 3 and 4 failures.
Basis of Significance: The missing CCF component groups yields non-conservative and potentially significant results.
Importance to Application: A bounding sensitivity study of additional CCFs results in an increase in the baseline CDF and LERF values (Ref. PRACC 16423). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.
Status Detailed descriptions of the CDF and LERF This F&O cutsets are contained in the worksheets question is named "Top 100 U1 CDF Cutsets" and "Top considered 100 U1 LERF Cutsets" in Attachment 3 of Closed. the QU.2 notebook.
2012 SPS PRA Focused Peer Review A focused scope Peer Review of the SPS PRA model against the requirements of the ASME/ ANS PRA standard RA-Sb-2005 and any Clarifications and Qualifications provided in the NRC endorsement of the Standard contained in Revision 2 to RG 1.200 was conducted in June, 2012. In the course of this review, thirty (30) new F&Os were prepared, including twenty-one (21) suggestions, and nine (9) findings.
Many of these F&Os involve documentation issues. The 21 suggestions do not affect the technical adequacy of the PRA model and have no impact on the results of this evaluation.
The following 9 findings have been evaluated as described in Table 4 below: Nine Findings from 2012 SPS PRA Focused Peer Review F&O Element F&O Details Possible Resolution Basis of Significance Importance to Application 1-2 IE-C6 Scenario 1 in AS.2, Attachment 3, Appendix ISLOCA F Expand the discussion to include The calculated impact on There is no impact on CDF or is screened even though the event frequency would be the probability of operator failure CDF is small (<1 %), the LERF as this is a documentation greater than 1.0E-06 (calculated as 3.85E-06).
This to secure HHSI and other failure impact needs to be more enhancement (Ref. PRACC scenario should be reconsidered to ensure the modes that would result in
* fully documented to ensure 16415), therefore this gap has no screening is appropriately justified using the criteria continued HHSI operation given a the screening criteria is met. impact on this application.
specified in IE-C6. rupture in the LHSI PiPina.
F&O Element F&O Details Possible Resolution 1-6 QU-87 This guidance does not seem to be technically Remove mutually exclusive supported by NUREG/CR-5485 Section 5.4.4 which logic for common cause failures or only supports removal of combinations of two common modify the logic to ensure only cause failure events where the combinations include combinations of events including a the same pump (e.g., CCF of Pumps A and B in common component and failure combination with CCF of pumps A and C). Further, mode (e.g., Component A NUREG/CR-5485 Section 5.2 notes that NUREG/CR-Independent Failure to Start in 4780, Volume 1 discusses conditions under which combination with CCF of these combinations may be valid (see NU REG/CR-Component A and B to Start) are 4780, Volume 1, Section 3.3.1). removed. 1-8 DA-05 A global assumption is made that staggered testing is Provide justification for application applicable to all common cause events SPS DA.3 of the staggered testing Revision 5, Section 2.2.1, Item 1). Typically, some assumption to components tested components such as containment isolation valves, on an outage frequency including HHSI isolation valves, and others may only be tested verification that redundant during the outages. Additional justification for components are tested by application of the staggered testing assumption to different personnel at different those components tested on an 18 month basis during times or apply alpha factors based outages is needed.* on a non-staggered testing scheme to those components.
Serial No. 16-18e'. " Docket Nos. 50-280/281 Attachment 4 Page 23 of 36 Basis of Significance Importance to Application The impact of the removal A bounding sensitivity study of the basic event evaluating the removal of the combinations cannot be mutually exclusive logic for estimated based on common cause failures results in available information.
an increase in the baseline CDF However, because this and LERF values (Ref. PRACC process may impact the 16418). However, the new importance of high safety increase baseline CDF/LERF significant components, it is values would not impact the delta designated as a finding. CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.
The alpha factors for A bounding sensitivity study components tested on a changing all CCFs from non-staggered basis are "staggered basis" to "non-typically higher than those staggered basis" results in an tested on a staggered basis. increase in the baseline CDF and Therefore, this could be a LERF values (Ref. PRACC significant impact on CDF or 16419. However, the new LERF depending on the increase baseline CDF/LERF specific components values would not impact the delta affected.
CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.
F&O Element F&O Details Possible Resolution 1-10 OA-06 The AAC diesel is included in a common cause group There are two approaches that SY-83 with the other emergency diesel generators even can be considered.
The most though SPS notebook SY.3.EP states that "The AAC defensible approach would be to diesel has a different manufacturer for the generator identify all legitimate common and the diesel engine and is unique to both units." elements between the EOGs and SPS OA.3 addresses this in an assumption that states the SBO diesel, review the that "If SBO diesel is modeled as one of the EOG CCF CCFWIN database to exclude groups, because of the less similarity between the diesel failure mechanisms that are EOG and SBO diesel, the alpha factor of 3 of 3 EOGs not common between the Surry CCF to run may be set as 1.06E-2*0.9
= 9.54E-3 and EOGs and the SBO diesel, and the alpha factor of AAC diesel and 2 EOGs CCF to run calculate the actual alpha factors. may be set as 1.06E-2
* 0.1 = 1.06E-3." However, The second approach would be to there is no technical basis for the factor of 1 O
* identify that the factor of 10 reduction, only a qualitative discussion, yet this is reduction in the alpha factor is an dispositioned as not being a source of uncertainty.
estimate without a numerical basis, which makes it a plant-specific modeling uncertainty for Surry. Then sensitivity analyses could provide some insight into the importance the assumed factor (0.1, 0.2, 0.5, etc.) would have on the results. 2-2 IE-C3 The issue of ISLOCA flood propagation and steaming For the successfully isolated effects in the Safeguards Building is not adequately ISLOCA sequences, consider addressed.
Section 2.4 of the IE.1 notebook states potential flood and steam effects that flooding/spatial effects need not be considered from water that leaked out the because an unisolated ISLOCA was assumed to go break prior to isolation.
Also, directly to core damage. However, if there is a consider the potential for the successful isolation prior to core damage, there is still isolation valve to be failed due to a question about the effects of the water/steam that the effects. was already leaked. For example, AFW pump operation should be shown not to be impacted, as well as potential effects on the credited isolation valve itself. The PRA staff researched the issue during the peer review and provided information that appears to justify the operability of the isolation valve, but additional analysis is required and needs to be documented.
Basis of Significance: The qualitative discussion of not all diesel CCF mechanisms existing between the EDGs and the SBO diesel is legitimate. However, the selection of 0.1 does not have a numerical justification, and could potentially be conservative or non-conservative, and it is not apparent the degree to which it affects the results since no sensitivities were documented. Any modeling assumption that could result in lowering the importance of the EDGs could impact applications such as MSPI.
Importance to Application: A bounding sensitivity study evaluating the common cause group of emergency generators results in an increase in the baseline CDF and LERF values (Ref. PRACC 16420). However, the new increase in baseline CDF/LERF values would not impact the delta CDF/LERF results. Therefore, this gap has no impact on this application.

Basis of Significance: Flood propagation and steam effects may not be an issue, but it cannot be determined for certain without further evaluation.
Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16421), therefore this gap has no impact on this application.
F&O: 2-3
Element: DA-A2, DA-D6
F&O Details: Regarding component boundaries, Section 3.3.1 of the CCF GARD (NF-AA-PRA-101-2062, Rev. 4) states, "When defining common cause failure events (and utilizing generic data concerning the probability of these events), the analyst must ensure that the component boundaries assumed for common cause failures are consistent with the boundaries used for the independent failures." DOM.DA.1 Rev. 2 states "To ensure consistency between the generic database and the plant specific database, the component boundary needs to be verified. This notebook documents the generic database with component boundaries defined according to NUREG/CR-6928. This generic database shall be applicable to all of the Dominion PRA models." However, Assumption 8 in Section 2.2.1 of SPS DA.3 Rev. 5 states "CCF data boundaries were not compared to the boundaries of DOM DA.1. Generic common cause failure factors were used because no plant specific common cause failures were identified. A review of the generic common cause failures indicates that its boundaries were wider than DOM DA.1 boundaries."
Possible Resolution: Review CCF (and even the independent failure data) for component boundary consistency with the generic data and CCF factors.
Basis of Significance: While it is recognized that modeling extra events (such as diesel generator output breakers when they are part of the diesel component boundary in NUREG/CR-6928) is conservative, for accuracy and compliance with the Dominion GARD and DOM.DA.1 notebook, component boundaries should be consistent with the data.
Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement and as stated in the description adds modeling conservatism (Ref. PRACC 16422), therefore this gap has no impact on this application.
F&O: 2-5
Element: SY-B3, DA-A1
F&O Details: The CCF grouping appears to have been performed properly for pumps and some MOVs examined. However, checks of the Electric Power system model and check valves in SI and FW models show CCF combinations that are missing. In the Electric Power system model, the CCF of buses, inverters, breakers and fuel oil pump strainers (possibly other components as well) were modeled for complete failure of all in the group, but not for smaller numbers. For example, Table 3.8-1 shows 1 EETFM-C8-480TFM being comprised of eight transformers. However, failure of a group as small as 2 (e.g., transformer 1H/1J) could be significant, as these transformers feed the 480V buses that power the 1N2A and 1 B/28 recirculation spray pumps. While it is acceptable to model CCF of combinations greater than 4 jointly (as is stated in Section 3.2.2 of the GARD; this means creating a joint probability that sums all the 5/8, 6/8, 7/8 and 8/8 combinations into one), the individual combinations of 2, 3 and 4 still need to be captured.
The other logic reviewed that are missing combinations are seen under gates 1-SI-82, 1-SI-236, 1-FW-27, 1-FW-28, 1-FW-29 and 1-FW-61/1-FW-62.
These instances were identified in a short review of the system models, and the review team is concerned the problem is widespread.
Another item noted is Section 2.3 of the DOM.DA.3 notebook states "The Supply Breakers that feed the Emergency Buses, if there is a loss of off-site power, should be modeled for a common cause failure to open when the Emergency Diesel Generators are required to be running and supplying power to the emergency buses." This was not modeled in the EP fault trees (they would be expected under gates 1-EP-BKR-15H8-FTO and 1-EP-BKR-15J8-FTO-LC, etc.).
Possible Resolution: Perform a thorough review of all system models to identify any missing CCF groups. It is acceptable to treat the combinations greater than 4 failures as a single event as long as the combinations are summed and treated as complete system failure. For such cases, it is still necessary to model the combinations of 2, 3 and 4 failures.
Basis of Significance: The missing CCF component groups yields non-conservative and potentially significant results.
Importance to Application: A bounding sensitivity study of additional CCFs results in an increase in the baseline CDF and LERF values (Ref. PRACC 16423). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.
 
F&O: 2-8
Element: SY-B3, DA-A1
F&O Details: The DOM.DA.3 R3 notebook Section 2.3 states that CCF of air-cooled transformers would not be modeled. There is no mention of this in the EP system notebook. Many of the transformers modeled in the PRA are air-cooled but have CCF modeled. The Surry PRA model would need to be updated to match the assumption in the DOM DA.3 notebook.
Possible Resolution: Update the model to be consistent with the DOM DA.3 guidelines.
Basis of Significance: This is presented as a finding because the PRA staff identified that the assumption in the DA.3 Rev. 3 notebook is correct and the model should be updated.
Importance to Application: There is no impact on CDF or LERF as this is conservative and will be removed from the model (Ref. PRACC 16424); therefore, this gap has no impact on this application.

F&O: 2-9
Element: DA-E3
F&O Details: EPRI generic CCF sources of model uncertainty are tabulated in Table 1 of the SPS DA.3, Rev. 5 notebook. DA-A-2 notes that component boundaries are not consistent with the failure data, but states that this is a consensus model approach and not a source of uncertainty for Surry. This should be considered a source of model uncertainty and/or be corrected.
Missing from the evaluation of sources of model uncertainty are all SPS-specific assumptions, including those tabulated in SPS DA.3 Rev. 5 Section 2.2.
Possible Resolution: Evaluate the plant-specific sources of model uncertainty related to the Surry CCF analysis.
Basis of Significance: Sources of uncertainty specific to the Surry CCF analysis need to be considered.
Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16425), therefore this gap has no impact on this application.
Review of Open Issues against the PRA Model (PRA Configuration Control)
The PRA Configuration control database (PRACC) was reviewed in order to determine if any known modeling issues open against the S007Aa model could impact the results of this analysis. The following open issues were identified from Surry's PRACC database. These issues were addressed either by adjusting the S007Aa PRA model used to perform this risk evaluation, or by performing a sensitivity study to demonstrate that the issue was not significant to this analysis.

PRACC 1790, Date Identified 3/8/2004. Importance to Application: Addressed with HEP sensitivity #1.
Description: Evaluate 1(2)CWHEP-LIC-1(2)06A/B via HRA methods. Current value is selected to be consistent with 1CWHEP-LIC-LVL.

PRACC 9486, Date Identified 10/21/2008. Importance to Application: Addressed with HEP sensitivity #1.
Description: During the 2008 model update, the MAAP runs for the different scenarios were not completed in time before the model change freeze date. Need to update the HEPs in the HR.2 notebook using the times calculated from the MAAP runs.
 
PRACC 9804, Date Identified 3/12/2009. Importance to Application: Addressed with Model change.
Description: The 2-RC-P-1C RCP seal will be replaced with a new Flowserve seal that has low leakage when there's a loss of RCP seal cooling. These seals are similar to the seals used by the Combustion Engineering (CE) plants. Therefore, the RCP seal LOCA model needs to be based on the CE seal LOCA model. WCAP-16175-P-A, RCP Seal Failure Model CE NSSS, documents the seal LOCA model.
New seal package was installed in pump 02-RC-P-1C during the 2009 fall outage 11/18/09.
*********
The operator action to trip the RCPs given failure of RCP Seal Cooling should have the Tsw (time available to perform the action) set to 20 minutes based on the following:
WCAP-16175-P-A Rev 0, Model for Failure of RCP Seals Given Loss of Seal Cooling in CE NSSS Plants NRC SER specifically references RCP seal failure model condition event tree (in Chapter 6 of WCAP-16175-P, Revision 0) for stopping the RCP(s) affected by a LOSC.
WCAP-16175-P-A Section 6.0, RCP Seal Failure Model. The event tree contains a node representing RCP20: RCPs Secured Within 20 Minutes?
Therefore, it can be interpreted the NRC SER approved securing (i.e., tripping) the RCPs within 20 minutes.
This has been agreed upon during discussion with Bill, Luke and Allen.
Note, currently S007Aa does not model this operator action.
Acm 7/22/15
PRACC 10931, Date Identified 1/20/2010. Importance to Application: Addressed with HEP sensitivity #1.
Description: SPS operator actions, HEP-C-CDSGTR (cool down and depressurize RCS after a SGTR) and HEP-C-SGTR (isolate affected SG after a SGTR), are documented as having the same engineering time, Te, of 60 minutes in the SPS HR.2 Notebook. The equivalent operator actions for NAPS, HEP-1E3-13 (cool down and depressurize RCS after a SGTR) and HEP-1E3-3 (isolate affected SG after a SGTR), are documented as having a Te of 75 minutes and 56 minutes, respectively, in the NAPS HR.2 Notebook.
Furthermore, HEP-C-CDSGTR does not have a valid MAAP run available for the basis of the 60 minute Te, and HEP-1E3-13 references older IPE MAAP runs from NAPS and SPS. HEP-1E3-3 also references an IPE MAAP run.
Therefore, new MAAP runs should be run for HEP-C-CDSGTR, HEP-C-SGTR, HEP-1E3-13, and HEP-1E3-3; and adequate documentation of the new MAAP runs should be placed in HR.2 Notebooks.
4/23/2014 This should be considered complete and closed when the model SPS-R06 is released. IPE MAAP runs are no longer used and all necessary MAAP runs are documented in our SC element notebooks to support post HEP required timings.
PRACC 11521, Date Identified 7/7/2010. Importance to Application: Addressed with HEP sensitivity #1.
Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.
In 2002, an operator survey was completed to document timing estimates from operators of various experience levels. The timing results from the survey are used in the HRA for the HEPs. Table 6.1 of HR.2 states "the response times for operator actions may be estimated by procedure talk through or operator surveys. Therefore, this is retained as a source of uncertainty." For the SPAR-H HEPs, time available is based on engineering judgment. The delay (TDelay), action (TM) and response times (T1/2) are conservative estimates based on a table top review of the procedures as well as input from other HEPs of similar actions and events.
For the SPAR-H HEPs recently added to the SPS PRA model, the time available to complete the actions were not based on applicable generic studies (e.g. thermal/hydraulic analysis or simulations from similar plants) but on engineering judgment. In addition, prior HEPs were developed using the results of a 2002 survey and not on thermal/hydraulic analysis.
(This F&O originated from SR HR-G4)
Associated SR(s): HR-G4
 
PRACC 11522, Date Identified 7/7/2010. Importance to Application: Addressed with HEP sensitivity #1.
Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.
SPS HR.2 does not check the consistency of the post-initiator HEP quantifications. A comparison of previous HEP values with current HEP values is found in the QU.2 notebook supporting files but no relative comparisons are made.
A review of the SPS HEPs relative to each other to check for reasonableness has not been performed.
(This F&O originated from SR HR-G6)
Associated SR(s): HR-G6
 
PRACC 11523, Date Identified 7/7/2010. Importance to Application: Addressed with HEP sensitivity #1.
Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.
The delay (Delay), action TM and response times (T1/2) are conservative estimates based on a table top review of the procedures as well as input from other HEPs of similar actions and events.
The newly added SPAR-H HEPs based the required time to complete actions on a table top review of the procedures and input from other procedures.
To meet CC II, base the required time to complete the actions (for significant HEPs) on action time measurements in either walkthroughs or talkthroughs of the procedures or simulator observations.
(This F&O originated from SR HR-G5)
Associated SR(s): HR-G5
 
PRACC 11526, Date Identified 7/7/2010. Importance to Application: Addressed with HEP sensitivity #1.
Description: ***Cloned from Record 11524***
From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.
This F&O contained several different issues. Thus, this PRACC record was cloned so that each issue has its own PRACC record.
Several documentation issues were identified:
3. The SPAR-H HEPs recently added to the SPS PRA model are documented in HR.2. Four HEPs noted in Table A-2 (New HEPs Added) that were evaluated, do not appear in the Fault Tree. One new HEP listed (HEP-CPORTGENRMP) was not analyzed and is also not in the FT. New HEPs added for the recent model update were not necessarily covered by the 2002 survey results. System Analysis notebooks and review of HR.2 does not indicate that simulator observations or talkthroughs with operators were performed.
For the SPAR-H HEPs recently added to the SPS PRA model, the time available to complete the actions were not based on applicable generic studies (e.g. thermal/hydraulic analysis or simulations from similar plants).
(This F&O originated from SR HR-11)
Associated SR(s): HR-11, HR-12
PRACC 11538, Date Identified 7/8/2010. Importance to Application: Addressed with HEP sensitivity #1.
Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.
SPS GARD NF-AA-PRA-101-2052 states in Section 3.5, "the SPAR-H model is not recommended where more detailed analysis of diagnosis errors is needed" and references NUREG/CR-1842 for more information. The NUREG states "This approach results in a somewhat 'generic' answer that is sufficient for some of the broad regulatory applications for which SPAR-H is intended, but perhaps is insufficient for detailed plant-specific evaluations (a limitation)" and also references NUREG-1792. This NUREG states "detailed assessments of the significant HFE contributors should be performed."
The SPAR-H methodology is not a consensus model and seldom used in plant specific utility PRAs. Referenced documents show it should not be used to obtain detailed results. Additionally, it cannot be assumed that conservative results are obtained by SPAR-H as the evaluation of PSFs better than nominal can produce nonconservative values.
(This F&O originated from SR HR-G1)
Associated SR(s): HR-G1
PRACC 11568, Date Identified 7/13/2010. Importance to Application: Addressed with HEP sensitivity #1.
Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.
The analysis uses an "engineering judgment" approach to dependency analysis which considers most "recognized" PSFs. Most of the dependencies are associated with one or two factors, and it is not clear how all of the "recognized" factors affect any single dependency analysis. There is no comparison of the "engineering judgment" based results to results that would be obtained from using other techniques such as the HRA calculator. A comparison of the Surry dependency results with those obtained from using an available dependency calculator produced the same results if only one PSF were considered. Also, differences were obtained when comparing 2- and 3-error combination dependencies.
Newer techniques for analyzing dependency are available. These techniques allow consideration of multiple PSFs during the analysis.
(This F&O originated from SR HR-G7)
Associated SR(s): HR-G7

PRACC 13932, Date Identified 7/11/2011. Importance to Application: Addressed with Model change.
Description: Changes RCP seal packages to N-9000 Flowserve. This potentially affects the Loss of Seal Cooling sequences as the RCP seals are modeled.

PRACC 16525, Date Identified 9/7/2012. Importance to Application: Addressed with Model change.
Description: REACTOR COOLANT PUMP SEAL REPLACEMENT 1-RC-P-1A

PRACC 16527, Date Identified 9/7/2012. Importance to Application: Addressed with Model change.
Description: REACTOR COOLANT PUMP (RCP) SEAL REPLACEMENT (1-RC-P-1C)

PRACC 16674, Date Identified 12/6/2012. Importance to Application: Addressed with Model change.
Description: REACTOR COOLANT PUMP (RCP) SEAL REPLACEMENT (2-RC-P-1B)/S/2

PRACC records 17079 (Date Identified 3/12/2014), 17822 (Date Identified 1/12/2016) and 17872 (Date Identified 3/10/2016):

PRACC 17079. Importance to Application: Addressed with HEP sensitivity #1.
Description: The MAAP parameter file lists parameter MWCSTO (ECST initial water inventory) as 91,137 gal referencing Surry AFW Design Basis Document (SDBD-SPS-AFW) Rev. 13. This value is different in the latest revision of Surry DBD, and the Tech Spec minimum is 96,000 gal. Consider revising parameter MWCSTO. Also, HHSI pump flow curve (parameters ZHDP5 and WVPM5) references Rev.2 of ME-0771. The latest revision of this calculation is Rev.4 and it provides a slightly different pump curve (see test limit curve). Consider revising the HHSI pump curve per the latest revision of ME-0771.
4/15/2014 per email dtd.4/1/2014 from CBL NSA's ECST sizing calc SM-1612 seems to indicate that the ECST volume minimum setpoint is set so that the TS min available volume of 96,000 gal is met, accounting for unusable volume due to vortexing and suction nozzle position (page 12).

PRACC 17822. Importance to Application: Addressed with Model change.
Description: HR worksheet for HEP-C-XFERBS describes procedural actions to close feeder breakers for transfer buses. In the SPSR06 model this HEP is and'ed with LOOP initiators including CLOOP and RSST failures (initiators).
                                                                                                                                        ,/'
Closing the feed fort transfer bus does not, in and of itself, help the station recover from LOOP or RSST failure. Therefore this modeling is incorrect.
Serial No. 16-180- * '~<"
The SM-1123 calculation used as a basis for the fault tree structure for HEP-C-Addressed with HVACES for loss of chilled water/ESGR AHUs does not bound all of the initiating Model change events and accident sequences this HEP is applied to. The ESGR heat loads assumed in this calculation are for normal operating, 100% power conditions.
Docket Nos. 50-280/281 Attachment 4 Page 36 of 36 PRAC    Date                                              Description                                          Importance to c   Identified                                                                                                 Application 17079 3/12/2014   The MAAP parameter file lists parameter MWCSTO (ECST initial water inventory) as           Addressed with HEP 91, 137 gal referencing Surry AFW Design Basis Document (SDBD-SPS-AFW) Rev.                 sensitivity #1
Events such as LOCA which require SI have the potential for higher heat loads than what is assumed in SM-1123. Refer SY.2 assumption VS06. If chilled water is unavailable, it is uncertain as to whether the operator actions of O-AP-13.02 are sufficient to prevent failure of ESGR electrical equipment in accident sequences that require SI.}}
: 13. This value is different in the latest revision of Surry DBD, and the Tech Spec minimum is 96,000 gal. Consider revising parameter MWCSTO.
Also, HHSI pump flow curve (parameters ZHDP5 and WVPM5) references Rev.2 of ME-0771. The latest revision of this calculation is Rev.4 and it provides a slightly different pump curve (see test limit curve). Consider revising the HHSI pump curve per the latest revision of ME-0771.
4/15/2014 per email dtd.4/1/2014 from CBL NSA's ECST sizing calc SM-1612 seems to indicate that the ECST volume minimum setpoint is set so that the TS min available volume of 96,000 gal is met, accounting for unusable volume due to vortexing and                                 -
suction nozzle position (page 12).
17822  1/12/2016  HR worksheet for HEP-C-XFERBS describes procedural actions to close feeder                 Addressed with breakers for transfer buses. In the SPSR06 model this HEP is and'ed with LOOP               Model change initiators including CLOOP and RSST failures (initiators). Closing the feed fort transfer bus does not, in and of itself, help the station recover from LOOP or RSST failure.
Therefore this modeling is incorrect.
17872  3/10/2016  The SM-1123 calculation used as a basis for the fault tree structure for HEP-C-             Addressed with HVACES for loss of chilled water/ESGR AHUs does not bound all of the initiating             Model change events and accident sequences this HEP is applied to. The ESGR heat loads assumed in this calculation are for normal operating, 100% power conditions. Events such as LOCA which require SI have the potential for higher heat loads than what is assumed in SM-1123. Refer SY.2 assumption VS06. If chilled water is unavailable, it is uncertain as to whether the operator actions of O-AP-13.02 are sufficient to prevent failure of ESGR electrical equipment in accident sequences that require SI.}}

Latest revision as of 02:12, 5 February 2020

Proposed License Amendment Request Extension of TS 3.14 Service Water Flow Path Allowed Outage Times and Deletion of Expired Temporary Service Water Jumper Requirements
ML16146A540
Person / Time
Site: Surry
Issue date: 05/18/2016
From: Mark D. Sartain
Virginia Electric & Power Co (VEPCO)
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
Download: ML16146A540 (95)


Text

VIRGINIA ELECTRIC AND POWER COMPANY
RICHMOND, VIRGINIA 23261

May 18, 2016

10 CFR 50.90

U. S. Nuclear Regulatory Commission
Attention: Document Control Desk
Washington, DC 20555-0001

Serial No.: 16-180
SPS/LIC-CGL: RO
Docket Nos.: 50-280/281
License Nos.: DPR-32/37

VIRGINIA ELECTRIC AND POWER COMPANY
SURRY POWER STATION UNITS 1 AND 2
PROPOSED LICENSE AMENDMENT REQUEST
EXTENSION OF TS 3.14 SERVICE WATER FLOW PATH ALLOWED OUTAGE TIMES AND DELETION OF EXPIRED TEMPORARY SERVICE WATER JUMPER REQUIREMENTS

Pursuant to 10 CFR 50.90, Virginia Electric and Power Company (Dominion) is submitting a license amendment request to revise Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning (AC) subsystem.

TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable. Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change.

This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements have expired and are no longer necessary. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature.

Attachment 1 provides a discussion and assessment of the proposed change, including the results and conclusions from the supporting PRA. The marked-up and proposed pages for the TS and TS Basis are provided in Attachments 2 and 3, respectively. The TS Basis changes are provided for NRC information only. Attachment 4 provides a discussion of the technical adequacy of the PRA model.

We have evaluated the proposed amendment and have determined that it does not involve a significant hazards consideration as defined in 10 CFR 50.92. The basis for this determination is included in Attachment 1. We have also determined that operation with the proposed change will not result in any significant increase in the amount of effluents that may be released offsite or any significant increase in individual or cumulative occupational radiation exposure. Therefore, the proposed amendment is eligible for categorical exclusion from an environmental assessment as set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment is needed in connection with the approval of the proposed change. The proposed TS change has been reviewed and approved by the Facility Safety Review Committee.

Dominion requests approval of the proposed change by May 31, 2017 with a 60-day implementation period.

Should you have any questions or require additional information, please contact Mr. Gary D. Miller at (804) 273-2771.

Respectfully,

Mark D. Sartain
Vice President - Nuclear Engineering

Commitments contained in this letter: None

Attachments:

1. Discussion of Change
2. Marked-up Technical Specifications and Basis Pages
3. Proposed Technical Specifications and Basis Pages
4. Technical Adequacy of the Probabilistic Risk Assessment Model

COMMONWEALTH OF VIRGINIA
COUNTY OF HENRICO

The foregoing document was acknowledged before me, in and for the County and Commonwealth aforesaid, today by Mr. Mark D. Sartain, who is Vice President - Nuclear Engineering, of Virginia Electric and Power Company. He has affirmed before me that he is duly authorized to execute and file the foregoing document in behalf of that company, and that the statements in the document are true to the best of his knowledge and belief.

Acknowledged before me this 18th day of May, 2016.

My Commission Expires: 5-31-18.

Notary Public

cc: U.S. Nuclear Regulatory Commission - Region II
    Marquis One Tower
    245 Peachtree Center Avenue, NE Suite 1200
    Atlanta, GA 30303-1257

    State Health Commissioner
    Virginia Department of Health
    James Madison Building - 7th floor
    109 Governor Street Suite 730
    Richmond, VA 23219

    Ms. K. R. Cotton Gross
    NRC Project Manager - Surry
    U.S. Nuclear Regulatory Commission
    One White Flint North
    Mail Stop 08 G-9A
    11555 Rockville Pike
    Rockville, MD 20852-2738

    Dr. V. Sreenivas
    NRC Project Manager - North Anna
    U.S. Nuclear Regulatory Commission
    One White Flint North
    Mail Stop 08 G-9A
    11555 Rockville Pike
    Rockville, MD 20852-2738

    NRC Senior Resident Inspector
    Surry Power Station

Attachment 1

DISCUSSION OF CHANGE

Virginia Electric and Power Company (Dominion)
Surry Station Units 1 and 2

DISCUSSION OF CHANGE

TABLE OF CONTENTS

1.0 Introduction
2.0 Description of Proposed Change
3.0 Technical Evaluation
    3.1 Charging Pump Service Water Subsystem and Main Control Room and Emergency Switchgear Room Air Conditioning Subsystem Description
    3.2 Evaluation of Extended Allowed Outage Time
    3.3 Deletion of Requirements for Temporary Service Water Jumper to Component Cooling Heat Exchangers
4.0 Regulatory Evaluation
    4.1 Applicable Regulatory Requirements
    4.2 NUREG-1431, Standard Technical Specifications - Westinghouse Plants
    4.3 No Significant Hazards Consideration
5.0 Probabilistic Risk Assessment
    5.1 Purpose
    5.2 Introduction
    5.3 Analysis
    5.4 Results and Conclusions
6.0 Environmental Assessment
7.0 Conclusion


1.0 INTRODUCTION

The proposed change revises Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning (AC) subsystem. TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable. Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps. The proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.

A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.

The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements were included in the Surry TS to allow cleaning, inspection, repair and recoating of the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. These requirements have expired and are no longer necessary. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The TS 3.14 Basis deletion is provided to the NRC for information.

2.0 DESCRIPTION OF PROPOSED CHANGE

The proposed revision extends the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours.

TS 3.14.C currently states:

C. The requirements of Specifications 3.14.A.5, 3.14.A.6, and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem, the recirculation spray subsystems, and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5, 3.14.A.6, and 3.14.A.7 within 24 hours, the reactor shall be placed in HOT SHUTDOWN. If the requirements of Specifications 3.14.A.5, 3.14.A.6, and 3.14.A.7 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN.

The proposed change revises the Surry TS as follows: 1) TS 3.14.C is revised to extend the CPSW subsystem flow path and the MCR/ESGR AC condensers flow path AOTs from 24 to 72 hours and to relocate the flow path AOT for the Recirculation Spray (RS) subsystems to a new specification, and 2) new TS 3.14.D is created for the existing flow path AOT for the RS subsystems. The flow path AOT in the new TS 3.14.D for the RS subsystems is not being modified. The revised TS 3.14.C and the new TS 3.14.D are proposed as follows:

C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.

D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems. If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.

The proposed revision also deletes the following requirements for the temporary SW jumper to the CCHXs:

1. Unit 1 License Condition U on page 9 of the Unit 1 Operating License
2. Unit 2 License Condition U on page 9 of the Unit 2 Operating License
3. Note B in TS Table 3.7-2 on page TS 3.7-20
4. The footnote associated with TS 3.14.A.2.b on page TS 3.14-1
5. The last paragraph in the TS 3.14 Basis on pages TS 3.14-4 and TS 3.14-4a

3.0 TECHNICAL EVALUATION

3.1 Charging Pump Service Water Subsystem and Main Control Room and Emergency Switchgear Room Air Conditioning Subsystem Description

The Surry Units 1 and 2 Circulating Water (CW) and Service Water (SW) Systems, which are supplied by the James River, are designed for the removal of heat resulting from the operation of various systems and components for both units. The CW System cools the main condenser, and the SW System provides cooling water to the following components:

1. Bearing Cooling (BC) water heat exchangers,
2. Component Cooling (CC) heat exchangers,
3. Recirculation Spray (RS) heat exchangers,
4. Main control room and emergency switchgear room (MCR/ESGR) air conditioning (AC) condensers (chillers), and
5. Charging Pump Service Water (CPSW) subsystem.

The CW and SW Systems' configuration is shown in Figures 1 and 2 (located at the end of Attachment 1). Figure 3 below is provided for illustration purposes and shows the flow paths and components of interest.

The SW flow paths in the Mechanical Equipment Rooms (MERs) support both the CPSW subsystems and the MCR/ESGR AC subsystems. The MER flow paths include several interconnected and redundant trains, gravity fed from the Intake Canal. There are three 8-inch SW supply headers. Each header takes its supply from a 96-inch condenser inlet line, and the connection is upstream of the condenser isolation valves.

The three 8-inch headers supply two 6-inch headers. The 6-inch supply headers are 100% redundant (i.e., one header can supply 100% of the required SW flow).

Since the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem are being modified by the proposed revision, this design description focuses on the CPSW and the MCR/ESGR AC subsystems.

[Figure 3 - SW Supply to the CPSW and the MCR/ESGR AC Subsystems]

CPSW Subsystem Description

A CPSW subsystem for each unit provides water to cool the charging pump intermediate seal coolers and the charging pump lubricating oil coolers. The seal coolers reject their heat to a dedicated closed-loop subsystem of the CC System (i.e., the Charging Pump Component Cooling Water System). Heat from this system and the lube oil coolers is transferred to the CPSW subsystem.

Either of two 100%-capacity CPSW pumps (1-SW-P-10A/10B and 2-SW-P-10A/10B) delivers water from the SW System to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers, thereby maintaining the charging pump lubricating oil and the CC System water used to cool the charging pump mechanical seals at the proper temperature. Each pump has a duplex suction strainer. To ensure that service water is continually available, one CPSW pump is in operation while the other pump is maintained in standby. The standby pump is automatically actuated on low pump discharge pressure to supply SW in the event of failure of the operating pump.

The two redundant 100%-capacity CPSW pumps are located in MER-3 and MER-4 and are separated by seismic, missile-protected, 3-hour fire rated walls, ceiling, and floor.

The SW supply headers are normally cross-connected at the discharge of the strainers.

An automatic actuating fire safe isolation ball valve is installed in the cross-connect piping between the two pump trains. The separation and cross-connect of the two redundant pump trains is designed to meet the requirements in 10 CFR 50 Appendix R.

The installation of two full-capacity CPSW pumps provides 100% redundancy for this cooling water system. The components of the CPSW subsystem, including pumps and heat exchangers are designed to Seismic Class I criteria.

The CPSW pumps are connected to the emergency electrical bus to ensure they will operate in the event of a loss of station power.

Post-accident monitoring requirements for the CPSW subsystem status are satisfied by flow and temperature measurement at the discharge of each CPSW pump. Flow and temperature indications are displayed in the MCR.

MCR/ESGR AC Subsystem Description

The CPSW suction flow paths also supply suction for the A, B, and C MCR/ESGR chiller pumps (1-VS-P-1A/1B/1C) that supply the A, B, and C MCR/ESGR chillers (1-VS-E-4A/4B/4C), which are located in MER-3. Chiller pumps D and E (1-VS-P-1D/1E) that supply the D and E MCR/ESGR chillers (1-VS-E-4D/4E), which are located in MER-5, take suction upstream of the suction (rotating) strainers in MER-3/MER-4 and downstream of a duplex strainer in MER-5.

Significant installed defense-in-depth exists for the chiller pumps and chillers, since there are a total of five MCR/ESGR chillers. As noted above, three chillers are located in MER-3, and two chillers are located in MER-5. This configuration ensures that MCR envelope air handling capacity remains available in the event that both CPSW headers in MER-3 and MER-4 are unavailable. In addition, this arrangement prevents full loss of cooling in the event of a fire in either MER-3 or MER-5. Three of the five chillers are powered from either of two buses, enabling maximum system flexibility in aligning the chillers as required. Additional equipment includes control panels and isolation switches for affected air handling units and cables routed to provide the required separation. The additional equipment is seismically and environmentally qualified, as applicable. Control of the AC system is remote manual from the control room.

3.2 Evaluation of Extended Allowed Outage Time

The CPSW subsystem is a support system for the charging pumps. As discussed in Section 3.1, the design function of the CPSW subsystem is to provide cooling to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers. The charging pumps provide a charging (i.e., reactor coolant makeup) function during normal plant operation and are also used as High Head Safety Injection (HHSI) pumps to supply borated water to the Reactor Coolant System (RCS) during accident conditions.

Surry TS 3.3, "Safety Injection System," specifies in TS 3.3.A.3 that two Safety Injection (SI) subsystems are required to be operable with the subsystems including one operable HHSI pump. With one SI subsystem inoperable, TS 3.3.B.3 requires restoration of the inoperable subsystem to operable status within 72 hours. The proposed extension of the AOT for the SW flow paths to the CPSW subsystem from 24 to 72 hours brings the support system AOT into alignment with the AOT for the supported component (i.e., Charging/HHSI pump). In addition, the design functions of the CPSW subsystem and the Charging/HHSI pumps are not impacted by the proposed revision.

As shown in Figure 3, the CPSW suction paths also supply suction for the A, B, and C MCR/ESGR chillers. Since the CPSW subsystem and the MCR/ESGR AC subsystem share common piping, it is appropriate for the AOTs for the two subsystems to be the same. The MCR/ESGR AC subsystem is a support system for the A, B, and C MCR/ESGR chillers. TS 3.23, "Main Control Room and Emergency Switchgear Room Air Conditioning System," specifies a 7-day time frame to return an inoperable/not powered as required chiller to operable status in TS 3.23.A.1.c; thus, the proposed 72-hour AOT for the MCR/ESGR AC subsystem is more limiting than the AOT for the supported components (i.e., A, B, and C MCR/ESGR chillers). In addition, the design functions of the MCR/ESGR AC subsystem and the MCR/ESGR chillers are not impacted by the proposed revision.

Leakage in the fiberglass reinforced piping portion of the CPSW and the MCR/ESGR AC subsystems has occurred recently. The current 24-hour AOTs present an unnecessarily limited time frame to facilitate repairs. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.

3.3 Deletion of Requirements for Temporary Service Water Jumper to Component Cooling Heat Exchangers

The OL conditions and the requirements in TS Table 3.7-2 and TS 3.14 for the temporary SW jumper to the CCHXs were approved by the NRC by TS Amendments 279/279 issued on September 23, 2013. These requirements were included in the Surry TS to allow cleaning, inspection, repair, and recoating in the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature and is appropriate since the requirements have expired and are no longer necessary. The TS 3.14 Basis deletion is provided to the NRC for information.

4.0 REGULATORY EVALUATION

4.1 Applicable Regulatory Requirements

The regulations in Appendix A to Title 10 of the Code of Federal Regulations (10 CFR) Part 50 establish minimum principal design criteria for water-cooled nuclear power plants, while 10 CFR 50 Appendix B and the licensee quality assurance programs establish quality assurance requirements for the design, manufacture, construction, and operation of structures, systems, and components. The current regulatory requirements of 10 CFR 50 Appendix A that are applicable to the CPSW support function for the charging pumps include: General Design Criteria (GDC) 1, 35, 36, and 37. The current regulatory requirement that is applicable to the MCR/ESGR AC function for providing safe conditions in the control room is GDC 19.

During the initial plant licensing of Surry Units 1 and 2, it was demonstrated that the design of the SI Systems met the regulatory requirements in place at that time. The GDC included in Appendix A to 10 CFR 50 did not become effective until May 21, 1971.

The Construction Permits for SPS Units 1 and 2 were issued prior to May 21, 1971; consequently, Surry Units 1 and 2 were not subject to current GDC requirements (SECY-92-223, dated September 18, 1992). The following information demonstrates SPS Units 1 and 2 meet the intent of the GDC published in 1967 (Draft GDC).

Specifically, Section 1.4 of the SPS Units 1 and 2 Updated Final Safety Analysis Report (UFSAR) discusses SPS compliance with these criteria. The draft GDC associated with the Emergency Core Cooling System (ECCS) are addressed below since the CPSW system provides a support function for the charging pumps, which are also used as HHSI pumps to supply borated water to the RCS during accident conditions. The draft criterion associated with the Control Room is also addressed below.

  • Quality Standards (Criterion 1 - draft)

Those systems and components of reactor facilities that are essential to the prevention of accidents which could affect the public health and safety or to the mitigation of their consequences are designed, fabricated, and erected in accordance with quality standards that reflect the importance of the safety function to be performed. Where generally recognized codes or standards on design, materials, fabrication, and inspection are used, they shall be identified. Where adherence to such codes or standards does not suffice to assure a quality product in keeping with the safety function, they shall be supplemented or modified as necessary. A showing of sufficiency and applicability of codes, standards, quality assurance programs, test procedures, and inspection acceptance levels used is required.

Design Conformance

Structures, systems, and components important to safety are designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.

The SI System includes features necessary to ensure core cooling and negative reactivity following a limiting event. Approved design codes are used when appropriate to the nuclear application. Vessels comply with Section III of the ASME Code under the specific classification dictated by their use. Piping conforms to the requirements of USAS B31.1.

The Quality Assurance Program was established to provide assurance that safety-related structures, systems, and components satisfactorily perform their intended safety functions.
  • Control Room (Criterion 11 - draft)

The facility shall be provided with a control room from which actions to maintain safe operational status of the plant can be controlled. Adequate radiation protection shall be provided to permit access, even under accident conditions, to equipment in the control room or other areas necessary to shut down and maintain safe control of the facility without radiation exposures of personnel in excess of 10 CFR 20 limits. It shall be possible to shut the reactor down and maintain it in a safe condition if access to the control room is lost due to fire or other causes.

Design Conformance

The control room is located at grade level in the service building. Safety-related switchgear, motor-generator sets, auxiliary instrument areas, battery rooms, and communications equipment are located in the basement of the service building.

Sufficient shielding, distance, and containment integrity are provided to ensure that under postulated accident conditions during occupancy of the control room, control room personnel shall not be subjected to doses that, in the aggregate, would exceed the limits in 10 CFR 50.67. Emergency air-conditioning equipment is provided within the envelope of the shielded control room and associated portions of the basement, collectively called the control and relay room area. The control room is provided with the switchyard control panel, electrical recording panels, dc distribution panels, and a control panel for the operation of the diesel-generator system. The control panels contain those instruments and controls necessary for the operation of station and unit systems such as the reactor and its auxiliary systems, the turbine generator, and the steam and power conversion systems. Loading from the various station electrical distribution boards, such as the start-up boards, shutdown boards, and motor control centers, is accomplished from the station control panels.

The control room is common to the two units and is continuously occupied by qualified operating personnel under all operating and accident conditions. In the event that access to the control room is restricted, either local control stations or the manual operation of critical components within the main control area can be used to effect hot shutdown from outside the control room.

  • Engineered Safety Features Basis for Design (Criterion 37 - draft)

Engineered safety features shall be provided in the facility to back up the safety provided by the core design, the reactor coolant pressure boundary, and their protection systems. As a minimum, such engineered safety features shall be designed to cope with any size reactor coolant pressure boundary break up to and including the circumferential rupture of any pipe in that boundary assuming unobstructed discharge from both ends.

Design Conformance

Engineered safeguards are provided in the facility to back up the safety provided by the design of the core, the reactor coolant pressure boundary, and their protection systems. Engineered safeguards are provided to cope with any size reactor coolant pipe break up to and including the circumferential rupture of any pipe in that boundary and an unobstructed discharge from both ends, and to separately cope with any steam or feedwater line break. Limiting the release of fission products from the reactor fuel is accomplished by the SI System, which, by cooling the core, keeps the fuel in place and substantially intact and significantly limits the metal-water reaction.

  • Reliability and Testability of Engineered Safety Features (Criterion 38 - draft)

All engineered safety features shall be designed to provide high functional reliability and ready testability. In determining the suitability of a facility for a proposed site, the degree of reliance upon and acceptance of the inherent and engineered safety afforded by the systems, including engineered safety features, will be influenced by the known and the demonstrated performance capability and reliability of the systems, and by the extent to which the operability of such systems can be tested and inspected where appropriate during the life of the plant.

Design Conformance

Engineered safeguards are designed to provide such functional reliability and ready testability as is necessary to avoid undue risk to the health and safety of the public.

A comprehensive program of testing has been formulated for equipment, systems, and system controls vital to the functioning of engineered safeguards. The program consists of performance tests of individual pieces of equipment in the manufacturer's shop, integrated tests of the system as a whole, and periodic tests of the activation circuitry and mechanical components to ensure reliable performance, upon demand, throughout the unit lifetime.

Design provisions are made so that components of the SI System can be tested periodically for operability and functional performance.

The engineered safeguards components are checked periodically and routinely. In the event that one of the components requires maintenance as a result of failure to perform according to prescribed limits during the test, the necessary corrections or minor maintenance are accomplished and the component is retested immediately.

  • Engineered Safety Features Performance Capability (Criterion 41 - draft)

Engineered safety features, such as emergency core cooling and containment heat removal systems, shall provide sufficient performance capability to accommodate partial loss of installed capacity and still fulfill the required safety function. As a minimum, each engineered safety feature shall provide this required safety function assuming a failure of a single active component.

Design Conformance

Engineered safeguards, such as the SI System and the containment heat removal system, provide sufficient performance capability to accommodate the failure of any single active component without any undue risk to the health and safety of the public. The overall capability of the engineered safeguards meets the suggested requirements of 10 CFR 50.67 or RG 1.183, as applicable, for the occurrence of any rupture of a reactor coolant or Main Steam System pipe, including the double-ended rupture of a reactor coolant pipe, known as the design-basis accident.

At least two emergency core cooling systems, preferably of different design principles, each with a capability for accomplishing abundant emergency core cooling, shall be provided. Each emergency core cooling system and the core shall be designed to prevent fuel and clad damage that would interfere with the emergency core cooling function and to limit the clad metal-water reaction to negligible amounts for all sizes of breaks in the reactor coolant pressure boundary, including the double-ended rupture of the largest pipe. The performance of each emergency core cooling system shall be evaluated conservatively in each area of uncertainty.

Design Conformance

The SI System employs a passive system of accumulators that do not require any external signals or source of power for their operation to cope with the short-term cooling requirements of a large reactor coolant pipe break. The HHSI and the Low Head SI (LHSI) Systems, each capable of supplying the required emergency cooling, are also provided for small-break protection and to keep the core submerged after the accumulators have discharged following a large break. These systems are arranged so that the single failure of any active component does not interfere with meeting the short-term cooling requirements. The HHSI and LHSI Systems are each capable of fulfilling long-term cooling requirements. The failure of any single active component or the development of excessive leakage during the long-term cooling period does not interfere with the ability to meet necessary long-term cooling objectives with one of the systems.

The primary purpose of the SI System is to automatically deliver cooling water to the reactor core in the event of a LOCA. This limits the fuel clad temperature and thereby ensures that the core remains intact and in place with its essential heat transfer geometry preserved. This protection is afforded for: all pipe break sizes up to and including the hypothetical instantaneous circumferential rupture of a reactor coolant loop, assuming unobstructed discharge from both ends; a loss of coolant associated with the rod ejection accident; and a steam generator tube rupture.

Design provisions shall be made to facilitate physical inspection of all critical parts of the emergency core cooling systems, including reactor vessel internals and water injection nozzles.

Design Conformance

Design provisions are made for the inspection of components of the SI System to the extent practical. An inspection is performed periodically to demonstrate system readiness. The pressure containment boundaries can be inspected for leaks from pump seals, valve packing, flanged joints, and safety valves during system testing.

In addition, critical parts of the reactor vessel internals, injection nozzles, pipes, valves, and SI pumps can be inspected visually or by boroscopic examination for evidence of erosion, corrosion, and vibration wear, and non-destructive tests can be performed where such techniques are desirable, practical, and appropriate.

A capability shall be provided to test periodically the delivery capability of the emergency core cooling systems at a location as close to the core as is practical.

Design Conformance

Design provisions include special instrumentation, testing, and sampling lines to perform the tests, and unit shutdown to demonstrate the proper automatic operation of the SI System. A test signal is supplied to initiate automatic action. The test demonstrates the operation of the valves, pump circuit breakers, and automatic circuitry. In addition, other tests are performed periodically to verify that the SI pumps attain required discharge heads.

Quality Assurance

Quality assurance criteria provided in 10 CFR Part 50, Appendix B, applicable to the subject systems include: Criteria III, V, XI, XVI, and XVII. Criteria III and V require measures to ensure that applicable regulatory requirements and the design basis, as defined in 10 CFR 50.2, "Definitions," and as specified in the license application, are correctly translated into controlled specifications, drawings, procedures, and instructions. Criterion XI requires a test program to ensure that the subject systems will perform satisfactorily in service and requires that test results shall be documented and evaluated to ensure that test requirements have been satisfied. Criterion XVI requires measures to ensure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and nonconformances, are promptly identified and corrected, and that significant conditions adverse to quality are documented and reported to management. Criterion XVII requires maintenance of records of activities affecting quality.

4.2 NUREG-1431, Standard Technical Specifications - Westinghouse Plants

The proposed change was compared to similar requirements in TS 3.7.8, Service Water System (SWS) in NUREG-1431, Standard Technical Specifications - Westinghouse Plants. It was determined that the proposed change for the CPSW subsystem is consistent with the 72-hour completion time for restoration of one inoperable SWS train to operable status in NUREG-1431.

require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable. Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps; the proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping.

The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.

A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.

The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements were included in the Surry TS to allow cleaning, inspection, repair, and recoating of the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. These requirements have expired and are no longer necessary. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The TS 3.14 Basis deletion is provided to the NRC for information.

Dominion has evaluated whether a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of amendment," as discussed below:

1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps; the proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The design function of the CPSW system, which is to provide cooling to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers, is not impacted by the proposed revision, nor is the design function of the Charging/HHSI pumps impacted. Furthermore, the design functions of the MCR/ESGR AC subsystem and the MCR/ESGR chillers are not impacted by the proposed revision. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. The deletion of these temporary requirements is administrative in nature. As a result, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. The proposed change does not involve a physical alteration of the plant (i.e., no new or different type of equipment will be installed) and does not impact plant operation. Furthermore, the proposed change does not impose any new or different requirements that could initiate an accident. The proposed change does not alter assumptions made in the safety analysis and is consistent with the safety analysis assumptions. Therefore, the proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.

3. Does the proposed change involve a significant reduction in a margin of safety?

Response: No.

The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The proposed change does not adversely affect any current plant safety margins or the reliability of the equipment assumed in the safety analysis. There are no changes being made to any safety analysis assumptions, safety limits, or limiting safety system settings that would adversely affect plant safety as a result of the proposed change. Furthermore, as noted above, a supporting PRA was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the RG 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. The deletion of these temporary requirements is administrative in nature. Therefore, the proposed change does not involve a significant reduction in a margin of safety.

Based on the above, Dominion concludes that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of "no significant hazards consideration" is justified.

5.0 PROBABILISTIC RISK ASSESSMENT

5.1 Purpose

The purpose of this assessment is to utilize the Surry PRA to evaluate the impact on Core Damage Frequency (CDF) and Large, Early Release Frequency (LERF) for the CPSW and MCR/ESGR AC subsystems flow path AOT extensions. Using guidance from RG 1.174 and RG 1.177, this assessment evaluates the risk of changing Surry TS 3.14.C to allow a single service water flow path to be available to the CPSW subsystem and to the MCR/ESGR AC subsystem for up to 72 hours.

5.2 Introduction

The S007Aa PRA model allows analysis of the conditional risk at Surry Power Station when one or more SW flow paths to safety-related loads in the MERs are unavailable utilizing a detailed probabilistic assessment of risk from internal events and internal flooding hazards at power. This risk evaluation will be supplemented with qualitative insights to assess the fire, seismic, shutdown and other external risks.

RG 1.177 identifies a three-tiered approach for licensees to evaluate the risk associated with proposed TS Configuration Time (CT) changes. Tier 1 is an evaluation of the impact on plant risk of the proposed TS change as expressed by the change in core damage frequency (ΔCDF), the incremental conditional core damage probability (ICCDP), the change in large early release frequency (ΔLERF), and the incremental conditional large early release probability (ICLERP). Tier 2 is an identification of potentially high-risk configurations that could exist if equipment, in addition to that associated with the change, were to be taken out of service simultaneously or other risk-significant operational factors, such as concurrent system or equipment testing, were also involved. The objective of this part of the evaluation is to ensure that appropriate restrictions on dominant risk-significant configurations associated with the change are in place. Tier 3 is the establishment of an overall configuration risk management program (CRMP) to ensure that other potentially lower probability, but nonetheless risk-significant, configurations resulting from maintenance and other operational activities are identified and compensated for.

Figure 3 in Section 3.1 above shows the SW supply to the CPSW and the MCR/ESGR AC subsystems. The SW flow paths in the MERs support both the CPSW subsystems and the MCR/ESGR AC subsystems. The MER flow paths include several interconnected and redundant trains, gravity fed from the Intake Canal. Originating at the Intake Canal, there are three 8-inch SW supply headers. Each header takes its supply from a 96-inch condenser inlet line, and the connection is upstream of the condenser isolation valves. The three 8-inch headers supply two 6-inch headers. The 6-inch supply headers are 100% redundant (i.e., one header can supply 100% of the required SW flow). The SW supply headers are normally cross-connected in MER-3 and MER-4 via the 1-SW-263 valve. This valve is closed during a fire in related equipment areas in accordance with the 10 CFR 50 Appendix R fire protection program.

Two motor-operated strainers are normally in service on each of the 6-inch SW supply headers. Each strainer is supplied with a backwash from the discharge of the control room chiller service water pumps. For the following analysis and discussion, SW flow through 1-VS-S-1A is referred to as the "A SW Header" and SW flow through 1-VS-S-1B is referred to as the "B SW Header".

The CPSW system is credited in Surry's PRA as a support system for HHSI. The CPSW system supplies SW flow to the charging pump intermediate seal coolers and lube oil coolers. Heat from the lube oil cooler is transferred to the CPSW subsystem.

The seal coolers reject their heat to a dedicated closed-loop subsystem of the CC System (i.e., the Charging Pump Component Cooling Water System). Heat from this system and the lube oil coolers is transferred to the CPSW subsystem.

Downstream of the 6-inch SW supply headers are two CPSW pump trains for each unit (four total). Each pump train can provide 100% required flow for its unit, so there is 100% redundancy for each unit. The CPSW pump trains can be cross-connected via tie lines that are normally isolated. Hence, the Unit 2 CPSW pumps can be aligned to cool Unit 1 charging pump lube oil coolers and vice versa; this alignment is not automatic and requires local operation. One CPSW pump per unit is normally running and the other is in standby. The standby CPSW pump will auto start on low discharge pressure for the running pump.

The output of either pump can feed the three charging pump lube oil coolers for one unit. The charging pump lube oil cooler outlet control valves are actuated automatically when the charging pump is running. No operator actions are required to start or control CPSW flow to a specific lube oil cooler. The CPSW lube oil cooler discharge flow is directed to the discharge tunnel via a single pipe. The success criterion for the CPSW system to service its required loads is: one CPSW pump available, taking suction from at least one available 6-inch SW header.

Five chillers are installed in the MERs. The condenser water pump for the chillers takes suction from the SW supply line, pumps it through the chiller condenser, and returns it to the CW System. Three chillers (A/B/C) are in MER-3 downstream of the rotating strainers; two chillers (D/E) are in MER-5 upstream of the rotating strainers and downstream of a duplex strainer. These units provide chilled water that circulates through air handlers to remove heat from the atmosphere in the MCR, emergency switchgear rooms, and relay rooms. Air conditioning of these areas prevents electrical equipment from overheating and supports control room habitability during design basis accidents. During normal plant operation one or two chillers may be operating depending on SW temperatures. During an emergency, the 1/2-E-O procedure verifies that one control room chiller is operating, with a results not obtained step to start required equipment within 1 hour in accordance with O-OP-VS-006. The Surry PRA models the ESGR HVAC as a support system for the emergency electrical power systems, 4160 V, 480 V, 125 VAC, and 120 VDC.

In order to satisfy TS 3.14.A.5 and 3.14.A.7, at least two independent SW flow paths must be available to supply MER loads. This risk assessment analyzes conditional risk with only one SW flow path to the MERs.

5.3 Analysis Inputs

The following inputs are used for this assessment:

  • Surry Average Maintenance PRA model S007Aa,
  • CAFTA code suite.

Risk Impact Evaluation

The NRC staff has identified a three-tiered approach in RG 1.177 for licensees to evaluate the risk associated with proposed TS Completion Time (CT) changes. The following sections document the three-tiered evaluation for CPSW and MCR/ESGR AC subsystems flow path AOT extensions.

RG 1.177 PRA Quality Evaluation

RG 1.177 contains the following discussion of PRA Technical Adequacy:

The technical adequacy of the PRA must be compatible with the safety implications of the TS change being requested and the role that the PRA plays in justifying that change. That is, the more the potential change in risk or the greater the uncertainty in that risk from the requested TS change, or both, the more rigor that must go into ensuring the technical adequacy of the PRA. This applies to Tier 1 (above), and it also applies to Tier 2 and Tier 3 to the extent that a PRA model is used.

Regulatory Guide 1.200 describes one acceptable approach for determining whether the technical adequacy of the PRA, in total or the parts that are used to support an application, is sufficient to provide confidence in the results such that the PRA can be used in regulatory decisionmaking for light-water reactors.

A detailed discussion and evaluation of PRA quality of the S007Aa model with respect to this application is provided in Attachment 4.

RG 1.177 Tier 1 Analysis

RG 1.177 contains the following discussion concerning Tier 1 Analysis:

In Tier 1, the licensee should assess the impact of the proposed TS change on CDF, ICCDP, LERF, and ICLERP. To support this assessment, two aspects need to be considered: (1) the validity of the PRA and (2) the PRA insights and findings. The licensee should demonstrate that its PRA is valid for assessing the proposed TS changes and identify the impact of the TS change on plant risk.

TS conditions addressed by CTs are entered infrequently and are temporary by their very nature. However, TS do not typically restrict the frequency of entry into conditions addressed by CTs. Therefore, the following TS acceptance guidelines specific to permanent CT changes are provided for evaluating the risk associated with the revised CT, in addition to those acceptance guidelines given in Regulatory Guide 1.174.

The licensee has demonstrated that the TS CT change has only a small quantitative impact on plant risk. An ICCDP of less than 1.0×10⁻⁶ and an ICLERP of less than 1.0×10⁻⁷ are considered small for a single TS condition entry. (Tier 1).

RG 1.174 Acceptance Criteria are as follows:

  • When the calculated increase in CDF is very small, which is taken as being less than 10⁻⁶ per reactor year, the change will be considered regardless of whether there is a calculation of the total CDF (Region III).
  • When the calculated increase in CDF is in the range of 10⁻⁶ per reactor year to 10⁻⁵ per reactor year, applications will be considered only if it can be reasonably shown that the total CDF is less than 10⁻⁴ per reactor year (Region II).
  • Applications that result in increases to CDF above 10⁻⁵ per reactor year (Region I) would not normally be considered.

Acceptance criteria for LERF are structured similarly at an order of magnitude less (1E-7, etc.).

Tier 1 Analysis Assumptions

  • The PRA model S007Aa is valid for performing this assessment.

  • For the purposes of ΔCDF/ΔLERF calculations, this assessment assumes the MER SW headers will accumulate 15 days of unavailable configuration time every year as a result of the proposed change. This is a conservative assumption based on Surry's Operating Experience for CPSW headers and the desired maintenance strategy for Surry.
  • This analysis assumes that if only one SW flow path to MER loads is available, SW is being supplied to the MER SW loads from one CW inlet, to one 8-inch SW supply header, to one 6-inch SW header, through one rotating strainer. This is a conservative assumption.

Tier 1 Analysis Results

MER SW header maintenance is explicitly modeled in the average maintenance model S007Aa. Therefore, a ΔCDF and ΔLERF for the proposed change to AOTs for MER SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem may be directly calculated from the model by comparing CDF results with increased unavailability on MER headers (refer to second bulleted assumption). Incremental core damage and large early release probabilities for a single 72-hour period are also calculated. The MER headers supply SW to safety-related loads at both Surry units; therefore, risk at both units is explicitly analyzed. Results are as follows:

Table 1: RG 1.177 Tier 1 Analysis Results

15 Day Header Unavailability   U1 ΔCDF    U2 ΔCDF    RG 1.177 ΔCDF Criteria    U1 ΔLERF    U2 ΔLERF    RG 1.177 ΔLERF Criteria
A SW Header                    9.20E-08   1.05E-07   1.00E-06                  3.02E-08    4.23E-08    1.00E-07
B SW Header                    8.29E-08   1.25E-08   1.00E-06                  6.47E-08    5.61E-09    1.00E-07

Single 72hr TS entry           U1 ICCDP   U2 ICCDP   RG 1.177 ICCDP Criteria   U1 ICLERP   U2 ICLERP   RG 1.177 ICLERP Criteria
A SW Header                    1.84E-08   2.09E-08   1.00E-06                  6.03E-09    8.46E-09    1.00E-07
B SW Header                    1.66E-08   2.50E-09   1.00E-06                  1.29E-08    1.12E-09    1.00E-07

Note: These risk metrics are simultaneously applicable to both TS 3.14.A.5 and TS 3.14.A.7 for CPSW and MCR/ESGR SW supplies, respectively.

The tightest margin to RG 1.177 acceptance criteria is on Unit 1 LERF with "B" SW header out of service for 15 days over one year. Cutsets for these configurations were reviewed and are discussed in detail below.
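The margin check behind Table 1 can be reproduced with a short script. This is an added example, not part of the licensee's submittal: the function names are hypothetical, the values are transcribed from Table 1, and the check that each 72-hour value is 3/15 of the matching 15-day value assumes both are derived from the same conditional risk increase scaled linearly with time.

```python
# Added example (not from the submittal). All numeric values are transcribed
# from Table 1 of the page; names and structure are illustrative assumptions.

# RG 1.177 acceptance criteria as listed in Table 1.
CRITERIA = {"CDF": 1.00e-06, "LERF": 1.00e-07}

# Region boundaries from the three bulleted criteria; the page states that the
# LERF criteria are an order of magnitude lower than the CDF criteria.
REGION_BOUNDS = {"CDF": (1e-06, 1e-05), "LERF": (1e-07, 1e-06)}

# 15 days per year of header unavailability: delta-CDF / delta-LERF per reactor year.
DELTA_15_DAY = {
    ("A", "U1", "CDF"): 9.20e-08, ("A", "U2", "CDF"): 1.05e-07,
    ("A", "U1", "LERF"): 3.02e-08, ("A", "U2", "LERF"): 4.23e-08,
    ("B", "U1", "CDF"): 8.29e-08, ("B", "U2", "CDF"): 1.25e-08,
    ("B", "U1", "LERF"): 6.47e-08, ("B", "U2", "LERF"): 5.61e-09,
}

# Single 72-hour TS entry: ICCDP (keyed as CDF) and ICLERP (keyed as LERF).
INCREMENTAL_72_HR = {
    ("A", "U1", "CDF"): 1.84e-08, ("A", "U2", "CDF"): 2.09e-08,
    ("A", "U1", "LERF"): 6.03e-09, ("A", "U2", "LERF"): 8.46e-09,
    ("B", "U1", "CDF"): 1.66e-08, ("B", "U2", "CDF"): 2.50e-09,
    ("B", "U1", "LERF"): 1.29e-08, ("B", "U2", "LERF"): 1.12e-09,
}


def fraction_of_criterion(table):
    """Return each result as a fraction of its acceptance criterion."""
    return {key: value / CRITERIA[key[2]] for key, value in table.items()}


def tightest_margin(table):
    """Return (key, fraction) for the result closest to its criterion."""
    fractions = fraction_of_criterion(table)
    key = max(fractions, key=fractions.get)
    return key, fractions[key]


def region(delta, metric):
    """Classify an annual risk increase into Region I, II or III."""
    very_small, upper = REGION_BOUNDS[metric]
    if delta < very_small:
        return "III"
    if delta <= upper:
        return "II"
    return "I"


def max_scaling_deviation(days_per_year=15.0, entry_hours=72.0):
    """Largest relative gap between each 72-hour value and the 15-day value
    scaled by (entry duration / annual unavailable time). Assumes linear
    time scaling; small gaps are rounding in the published table."""
    factor = (entry_hours / 24.0) / days_per_year
    worst = 0.0
    for key, annual in DELTA_15_DAY.items():
        expected = annual * factor
        worst = max(worst, abs(INCREMENTAL_72_HR[key] - expected) / expected)
    return worst


if __name__ == "__main__":
    for label, table in (("15-day", DELTA_15_DAY), ("72-hour", INCREMENTAL_72_HR)):
        (header, unit, metric), frac = tightest_margin(table)
        print(f"{label}: tightest is {header} header, {unit} {metric}, "
              f"{frac:.1%} of criterion")
    print(f"max scaling deviation: {max_scaling_deviation():.2%}")
```
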

An engineering GOTHIC calculation establishes that the ESGR does not require chiller operation during the PRA mission time of 24 hours, as long as one of the ESGR air handling units (per unit) is operating, and there is not an initiating event which requires SI, which may have higher heat loads than assumed in this engineering calculation.

During normal operating conditions, a total loss of chilled water can be successfully mitigated by control room evacuation and shutdown from the remote shutdown panels in conjunction with performance of contingency actions of O-AP-13.02 (opening doors, temporary cooling etc.). These actions have been shown by GOTHIC calculations to substantially improve environmental conditions in the ESGR in loss of chilled water events. If SI is required to mitigate an event, then a subsequent loss of chilled water is assumed to fail ESGR HVAC, and no recovery is possible. In these sequences, the loss of ESGR HVAC is modeled as a Station Blackout (SBO).

In a configuration with only one SW flow path available to the MCR/ESGR chillers, accident sequences that require SI to successfully avoid core damage such as SLOCA and SGTR become elevated in the PRA. These sequences involve failure of the in-service SW flow path, upstream of D/E chiller suction in MER 5. Since this flow path is gravity fed, its primary failure mode is via obstruction (plugging). S007Aa has identified that the most probable means of rendering the sole SW flow path unavailable is obstruction of CW intake/traveling water screens at the high level intake structure.

The PRA has assigned a probability of 8E-5 that CW obstruction would occur during the 24-hour mission time following an initiating event. A SGTR event that involves SBO caused by loss of ESGR HVAC is considered a Large Early Release by S007Aa.

In a configuration with one CPSW header isolated, cutsets that involve failure of the second CPSW header become elevated in the PRA. Loss of the second SW header renders HHSI unavailable, which is important to CDF for SLOCA and SGTR sequences.

In SLOCA with HHSI failure, operators must successfully cool down and depressurize the RCS and then place the RCS on Low Head Recirculation. For SGTR with HHSI failure, isolation of the ruptured SG becomes important to mitigate the event. The dominant failure mode for CPSW flow paths is obstruction of the rotating strainers 1-VS-S-1A/B. Bypass SW flow paths around the rotating strainers are not credited in the PRA model. The S007Aa model assesses the probability that the in-service rotating strainer would fail via plugging during a 24-hour mission time following an initiating event to be approximately 1.5E-4.

Another potential failure mode for the in-service SW header is a loss of power to the in-service rotating strainer. The S007Aa model has a 480V Emergency Power dependency modeled for the rotating strainers 1-VS-S-1A/B. It is assumed that loss of power to a rotating strainer will cause the strainer to become obstructed within the mission time. Bypass SW flow paths around the rotating strainers are not credited in the PRA model. The electric power dependency in the model is creating asymmetric SGTR delta risk results across the two units and two headers. In a configuration with one CPSW header out of service, the model has identified that a catastrophic failure (fault or other de-energization sequence via LOOP) of a single emergency bus could disable HHSI via the in-service rotating strainer and also the SG isolation safety function via 480V EP dependency for SG Isolation MOVs. This is also a significant LERF sequence for this configuration, as SGTR with failure of HHSI and SG isolation is considered Large Early Release in S007Aa.

The following are known conservatisms in this analysis that give very high confidence that the proposed change meets Tier 1 acceptance criteria with high margin:

  • No credit in the PRA model is given for placing a second or third SW header in service in accordance with O-AP-12, Attachment 1. Some SW crosstie flow paths (such as the 2A Header) may be available or recoverable during maintenance configurations where TS 3.14.A.5 and TS 3.14.A.7 are not considered met. These flow paths could be used to bypass an obstructed CW intake.
  • No credit in the PRA model is given for manual operator action to bypass an obstructed rotating strainer by placing the duplex strainer 1-SW-S-10 in service in accordance with O-AP-12.
  • No credit in the PRA model is given for operator action in accordance with the EOPs to cool down and depressurize the RCS in SGTR scenarios where Auxiliary Feedwater (AFW) is successful but HHSI fails. Human Reliability Analysis for this credit is under development and stations, such as North Anna which is similar to Surry, have this operator action credited with a Human Event Probability (HEP).
  • S007Aa models an electric power dependency for rotating strainers 1-VS-S-1A/B. It is modeled in the internal events PRA that the strainers will become obstructed if not rotating (Probability=1). Actual strainer behavior with no rotation during accident sequences is uncertain. It is unlikely (Probability<1) that the strainer will become obstructed in a 24-hour mission time if not rotating since debris must be present in order for the strainer to become obstructed.

The results of this analysis indicate that the potential increase in core damage risk due to the proposed change is very small and satisfies the Region III criteria of RG 1.177 Tier 1 analysis. [Refer to Table 1, above.]

Shutdown Risk Evaluation

In cases where there is no probabilistic shutdown PRA model available for evaluating the risk impact of a proposed change, as is currently the case with the Surry PRA, a qualitative evaluation process may be applied to assess shutdown risk. In general, this approach involves determining whether or not the proposed change affects functions that are credited in OU-AA-200, Shutdown Risk Management, and then considering what impacts the application may have on shutdown defense-in-depth, in particular the following shutdown plant key safety functions: Decay Heat Removal, RCS/Spent Fuel Pool (SFP) Inventory Control, Reactivity Control, Electrical Power, SFP Cooling and Containment Integrity.

The CPSW system supports HHSI pumps, which contribute to the RCS/SFP inventory control and reactivity control shutdown key safety functions. During plant shutdown, the LHSI System provides the primary source for RCS inventory control/make-up. The HHSI System provides additional defense-in-depth for inventory/reactivity control.

Therefore, it is concluded that the proposed change has a very small impact on defense-in-depth for the associated shutdown Key Safety Functions and shutdown risk.

The MCR/ESGR ventilation system does not directly support any of the Shutdown Key safety functions, but it does support control room habitability during a fuel handling accident. The discussion of failure modes in the internal events discussion also applies to shutdown modes; therefore, it is concluded that the proposed change has a very small impact on shutdown risk.

It is concluded that the proposed change has negligible impact on shutdown CDF and LERF.

Internal Fire Hazard Evaluation

The Individual Plant Examination for External Events (IPEEE) and the Fire Contingency Action (FCA) procedures are used to evaluate the impact of the AOT change for configurations with only one SW flow path to the CPSW subsystem and the ESGR and MCR chillers on the fire risk since a full-scope fire PRA model has not been developed for Surry. The IPEEE screened out all but four areas as insignificant contributors to the fire CDF. The areas which did not screen out include the Cable Vault and Tunnel (CVT), the Emergency Switchgear Room (ESGR), the Main Control Room (MCR), and the Normal Switchgear Room (NSGR), so these areas are included in the scope of this analysis. A review of the Appendix R Report and the IPEEE shows that a fire in two areas, Mechanical Equipment Room 3 (MER 3) and Mechanical Equipment Room 4 (MER 4), may damage multiple CPSW components and the SW supply to the ESGR and MCR chillers. Unavailability of a SW Header in addition to the fire damage could cause a failure of these subsystems. As a result, MER 3 and MER 4 are included in the scope of this analysis even though they screened out as low risk in the IPEEE.

Although a fire in Mechanical Equipment Room 5 (MER 5) may damage two of the five ESGR and MCR chillers, this area is screened out since additional equipment damage is limited and a LOCA is not expected, so the ESGR and MCR chillers are not required during the PRA mission time as discussed in the internal events analysis. A review of the Appendix R Report indicates that power or control cables for one or more CPSW pumps, Rotating Strainers, or ESGR and MCR chillers may be damaged in each of these areas except the NSGR. Given the defense-in-depth available for these subsystems and the lack of emergency equipment damaged in an NSGR fire, this area is screened out from further evaluation.

An FCA procedure is available for each of the remaining areas to support safe shutdown (SSD) during a limiting fire, which is characterized by the actual or imminent loss of a component that supports the SSD functions monitored in O-AP-48.00. It is assumed that a fire in these areas which does not cause sufficient damage to enter the respective FCA procedure can be characterized as a general transient and is adequately addressed by the internal events analysis.

The impact of the AOT change on the fire risk is dependent on the exact configuration for which the TS is entered. The fire scenarios on which the proposed change is expected to have the most impact are those in which the fire damages one or more components affecting the SW supply to or redundant equipment for the CPSW subsystem or the ESGR and MCR chillers. The TS 3.14.C action statement could be entered for having two of the three 8" SW supply headers unavailable and/or one of the two 6" SW supply headers unavailable. If the maintenance configuration only involves two of the 8" headers, the impact on fire risk from the CPSW subsystem is negligible since the remaining 8" line is not susceptible to fire damage. However, this configuration could result in the SW supply to the MER 5 chillers (4D, 4E) being unavailable, which could lead to a loss of ESGR and MCR chillers if a fire damages the remaining in service equipment. If the maintenance configuration only involves unavailability of one of the 6" SW headers, fire damage to susceptible components on the opposite 6" SW supply could cause a failure of the entire CPSW subsystem and three of the ESGR and MCR chillers. Unavailability of the two 8" SW headers supplying the MER 5 chillers in addition to unavailability of one 6" SW header would allow fire damage to the available 6" header to result in a loss of all ESGR and MCR chillers. In order to bound the consequences of a fire on various possible maintenance configurations of the SW headers, the following analysis considers the impact of unavailability of a 6" SW Header on the CPSW subsystem, and it considers the impact of unavailability of two 8" SW headers and a 6" SW Header on the ESGR and MCR chiller subsystem.

The IPEEE Quantitative Screening models the Rotating Strainers as mechanical strainers that do not require electrical power, and they are assumed to be unaffected by fire damage. Given a loss of power to the strainer, flow through the strainer is not obstructed unless debris causes plugging within the PRA mission time. As a result of the uncertainty associated with the failure rate due to plugging of the Rotating Strainers following a loss of electrical power, the internal events PRA model conservatively assumes this condition leads to a loss of SW flow through the strainer. If the Rotating Strainers are considered susceptible to fire damage, then damage to a Rotating Strainer concurrent with unavailability of the opposite 6" SW Header would cause a loss of CPSW and failure of three chillers. In order to be consistent with the internal events analysis, this fire analysis will qualitatively investigate the impact of the AOT change on the fire risk conservatively assuming fire damage to the power or control cables for the strainer will result in failure of the SW flow path.

CVTs and ESGRs

Fires in the CVTs and ESGRs cause varying amounts of damage to the CPSW subsystem as described by the Appendix R Report and the IPEEE. The FCA procedures used to achieve SSD for these fire areas include 1-FCA-3.00 and 2-FCA-3.00 for the U1 and U2 CVTs, respectively, and 1-FCA-4.00 and 2-FCA-4.00 for the U1 and U2 ESGRs, respectively. A fire in the U1 CVT may damage the cables for 1-SW-P-10A and 1-VS-S-1A, and a fire in the U2 CVT will not damage any of the CPSW pumps or strainers. A fire in the U1 ESGR may damage the cables for both U1 CPSW pumps, and a fire in the U2 ESGR may damage the cables for both U2 CPSW pumps and 1-VS-S-1B. Fire damage in each of these areas may disable Charging for the fire-affected unit. As a result, the fire strategies rely on the opposite unit to provide Inventory Control to the fire-affected unit through the Charging Cross-Tie (CH-XTIE).

The additional unavailability of a SW Header due to the AOT extension increases the likelihood of losing all Charging to both units during a fire due to CPSW failure. During a U2 CVT fire or U1 ESGR fire with a SW Header unavailable, random failure of the second SW header or the opposite unit CPSW pumps is needed to cause a loss of Charging. During a U1 CVT or U2 ESGR fire, power to one of the Rotating Strainers may be damaged by the fire, which would fail one of the SW Headers. If the opposite SW Header is unavailable, a total loss of CPSW would occur. Since no random failures are required in addition to the fire damage and SW Header unavailability, the fire scenarios in the U1 CVT and U2 ESGR are the most limiting of these areas. However, given the likelihood of the SW Header unavailability, which contributes to these potential CPSW failures, the failure to supply Charging to the fire-affected unit is still dominated by the HEP to establish the CH-XTIE between units.

If the Reactor Coolant System (RCS) remains intact, the accident resembles a transient, and the consequences of losing all Charging are minimal since core heat removal can be achieved using Natural Circulation of the RCS with secondary cooling provided by Auxiliary Feedwater (AFW). These conditions are established by actions taken with the FCA procedures. Spurious operations could affect the High/Low pressure boundary by opening valves and causing a LOCA, but actions taken in the FCA procedures mitigate this potential. RCS integrity is maintained by isolating the Reactor Head Vents, the Pressurizer PORVs, and Letdown. Isolation switches in the Control Room ensure that these valves will not be reopened by the fire. In addition, RCP seal cooling is terminated by isolating seal injection and thermal barrier cooling after the pumps have been tripped. The likelihood of developing an RCP seal LOCA is minimized due to the Flowserve low-leakage seals, and proactive isolation of the RCP seals using manual valves precludes the potential for spurious operations to re-introduce cold water to the hot seals, which would cause catastrophic seal failure due to thermal shock. Alignment of suction sources and a flow path to the steam generators (SGs) for AFW is directed by the FCAs as well and includes AFW cross-tie from the opposite unit, if necessary. The AFW flow path is protected from spurious operations by prepositioning the MOVs and then de-energizing them. In addition, the AFW cross-tie MOVs are located in the opposite unit's Safeguards Building, thus preventing fire damage from affecting the ability to utilize the cross-tie. The fire strategies for these areas address the potential loss of Charging, and the resulting impact of the change in SW Header AOT on the fire risk for these areas is low.

As discussed in the internal events analysis, ESGR and MCR chiller operation within the 24 hour PRA mission time is not required as long as one of the ESGR AHUs per unit is operating or a LOCA has not occurred, although, in the case of ESGR fires, ventilation is not credited for the fire-affected unit. For fires in the U2 CVT and U1 ESGR, at least one chiller will remain available and the 6" SW headers are not affected by the fire. As a result, additional random failures would be required to cause a loss of ESGR and MCR cooling, so the impact of the TS change due to fires in these areas is negligible. A fire in the U1 CVT will not damage any of the chillers, but it may damage 1-VS-S-1A, which would isolate the A 6" SW header supplying CPSW, as well as chillers 4A, 4B, and 4C. If a fire occurred in this area concurrent with maintenance on the B 6" SW Header and the 2A and 2C 8" SW headers supplying the 4D and 4E chillers, then a loss of all five chillers would occur. A fire in the U2 ESGR may damage the normal power and control cables for all five chillers. To account for this potential, chillers 4D and 4E have an alternate power supply (AAC Diesel Generator) and local controls which are aligned using O-FCA-19.00 and allow these chillers to be used during a U2 ESGR fire. However, maintenance on the 2A and 2C 8" SW headers would cause the 4D and 4E chillers to be unavailable, resulting in a loss of all five chillers. The U1 CVT and U2 ESGR are the most limiting of these areas since no random failures are required in addition to the fire and maintenance configuration to cause a loss of all five chillers. In order for a total loss of chillers to cause an SBO due to loss of ESGR HVAC during a fire, either both of the dedicated AHUs must fail or a LOCA must develop.

Combining the frequency of the fire, the probability of the maintenance configuration with only one SW supply line available, and the probabilities of the AHUs failing or a LOCA developing, which is minimized by the fire strategies and low-leakage RCP seals, causes the resulting cutsets to be low risk contributors. Accounting for fire severity and suppression would further reduce the results of these cutsets. Given the low frequency of these failure combinations, the impact of the change in SW Header AOT on the fire risk for these scenarios is low.

The MCR contains control cables for all of the CPSW pumps. There is physical separation between units for the CPSW pump controls in the MCR, and control of each pump can also be transferred to the Appendix R Panel in the ESGR. The fire strategy to achieve SSD during an MCR fire is O-FCA-1.00. If the fire severity necessitates evacuation of the control room, the operators will transfer control of the CPSW pumps to the Appendix R Panel. The Rotating Strainers are locally controlled from the MERs and are unaffected by a fire in the MCR. If one of the SW Headers is unavailable, random failure of the second SW header or all of the CPSW pumps is needed to cause a loss of Charging. The fire strategy for the MCR is very similar to the strategies for the CVTs and ESGRs in that an RCS High/Low pressure boundary is established, allowing Natural Circulation of the RCS to be used, and AFW is aligned to the SGs for secondary cooling. The Reactor Head Vents, the Pressurizer PORVs, and Letdown are isolated from the MCR at the Auxiliary Shutdown Panel (ASP) in the ESGR, and the isolation switches ensure the valves will not reopen due to the fire. The failure of CPSW would cause a loss of RCP seal injection, but thermal barrier cooling may continue to be supplied to the RCP seals. Since RCP seal cooling is not proactively isolated during this fire scenario, RCP seal injection is monitored and the seals are isolated when flow is lost. As a result, the potential for thermal shock of the seals is mitigated, and the likelihood of seal failure remains low. Since the potential for a LOCA is mitigated by actions taken to ensure the integrity of the RCS pressure boundary is maintained and by the low-leakage seals, this accident will most likely resemble a transient. Alignment of suction sources and a flow path to the steam generators (SGs) for AFW is directed by the FCA procedure and includes AFW cross-tie from the opposite unit, if necessary.

The AFW flow path is protected from spurious operations by transferring control of the AFW pumps and discharge MOVs to the ASP. The fire strategy for this scenario addresses the potential loss of Charging, and the resulting impact of the change in SW Header AOT on the fire risk for this scenario is low.

The MCR contains control cables for all of the ESGR and MCR chillers as well. However, isolation switches are available for three of the five chillers, which can be controlled from outside the control room. One ESGR AHU per unit is isolated from the control room as well. Consistent with previous discussion, the chillers are not required within the 24 hour PRA mission time if one ESGR AHU per unit is in operation and a LOCA has not developed. The frequency of fires requiring evacuation of the control room is low given the control room is continuously manned, so detection and suppression of the fires before evacuation is likely. Similar to the ESGR and CVT fire scenarios, the frequency of the fire, the probability of the maintenance configuration with only one SW supply line available, and random failure of the chillers unaffected by the fire are a low frequency combination of failures. The probabilities of the AHUs failing or a LOCA developing in addition to these failures cause the resulting cutsets to be low risk contributors. Given the low frequency of these failure combinations, the impact of the change in SW Header AOT on the fire risk for these scenarios is low.

If the fire is small enough that habitability conditions and extent of equipment damage allow operators to remain in the control room, the FCA procedure for the MCR is not entered and the fire is considered non-limiting. The impact of the SW Header AOT change on this fire scenario is considered bounded by the internal events analysis.

MER 3 and MER 4

These fire areas were included in the scope of the analysis due to the extent of potential damage to the CPSW pumps, Rotating Strainers, and damage to piping supplying the 4A, 4B, and 4C chillers. The FCA procedure used to achieve SSD for both of these fire areas is O-FCA-7.00. In each of these areas, three of the four CPSW pumps and one of the two Rotating Strainers may be damaged. In addition, portions of the 6" SW supply piping are non-metallic and susceptible to fire damage. The FCA procedure relies on the available CPSW pump and strainer to provide Charging Pump Cooling and uses the CPSW pump discharge cross-tie to cool both units' Charging Pumps. Random failure of the fourth CPSW pump would cause a failure of CPSW, but this system failure mode is not impacted by the unavailability of the SW Header. However, if the fire damages the Rotating Strainer or non-metallic piping and the opposite 6" SW Header is unavailable, a loss of CPSW and three chillers would occur. Fire damage to the non-metallic piping during maintenance involving the 2A and 2C 8" SW headers in addition to the opposite 6" SW header would result in a loss of all five ESGR and MCR chillers.

The equipment damaged by a fire in MER 4 is limited and will not cause a fire-induced LOCA. As a result, a loss of Charging or the ESGR and MCR chillers due to a fire in this area during SW Header maintenance is easily mitigated by station procedures and available equipment, and the impact of the AOT change is negligible.

The potential equipment damaged from a fire in MER 3 is more extensive and includes electrical cables for the #3 EDG output breaker, #2 EDG output breaker, and the 2H emergency bus offsite power supply breaker. However, if the damage is limited to this equipment, the loss of Charging due to a fire in this area during SW Header maintenance does not have a significant adverse impact on the fire risk since a fire-induced LOCA will not occur, and shutdown can be achieved using the available station procedures. Fire damage alone to the EDG and 2H bus breakers would fail the EDG output breakers open, preventing the EDGs from supplying the emergency buses, and the 2H bus offsite supply breaker closed, preventing it from opening following a LOOP signal. This damage state would allow both U2 emergency buses to remain energized from offsite power. If offsite power to one of the U2 emergency buses is lost due to fire-induced spurious opening of the 2H bus supply breaker or random failure of either emergency bus, 2-FCA-4.00 is entered. As discussed for the limiting U2 ESGR fire scenario, a loss of all Charging and failure of both Unit 2 emergency buses is adequately addressed by 2-FCA-4.00.

Three of the five ESGR and MCR chillers may be damaged by a fire in MER 3. The MER 5 chillers are unaffected by a fire in this area, but they could be unavailable due to 8" SW header maintenance. Given equipment damage in this area is limited, multiple random failures would be required in addition to SW Header maintenance for this scenario to lead to a loss of ESGR cooling resulting in an SBO. Due to the low frequency of these cutsets, the impact of the SW Header AOT change on the fire risk for these scenarios is negligible.

MER 3 contains non-metallic SW supply piping which is susceptible to fire damage, and a flood propagation path exists between the MER 3 and the ESGRs. In order to mitigate flooding from the failed piping, the SW supply to MER 3 is isolated as directed by the FCA. If isolation of the SW supply fails and the flood propagates to the ESGRs, loss of all Charging would occur as a consequence of the emergency bus failures, so there is no additional impact due to the additional SW Header maintenance. Since the extent of damage due to a fire in MER 3 is limited relative to other areas evaluated and a fire-induced LOCA will not occur, the impact of the SW Header AOT change on the fire risk for this area is low.

Conclusion

The most limiting fire scenarios for this evaluation are those that involve fire-induced failure of a Rotating Strainer, which could cause a total loss of CPSW and three ESGR and MCR chillers if the alternate 6" header is unavailable, and loss of all five chillers if the 8" SW headers supplying MER 5 are also unavailable. The known conservatisms in this analysis include assumed failure of the Rotating Strainers due to fire damage, which are assumed to be unaffected by fire damage in the IPEEE, and lack of credit for the duplex strainer to bypass a plugged Rotating Strainer, which could be aligned using O-AP-12.00 unless the 6" A SW Header is isolated upstream of the Rotating Strainer 1-VS-S-1A. If the IPEEE treatment of the Rotating Strainers is used, the impact on the fire risk is negligible. Based on the review of the significant fire areas, the expected equipment damage, and the fire strategies used to achieve SSD, it is concluded that the consequence of losing CPSW during these scenarios is small, and the likelihood of causing an SBO due to failure of ESGR cooling is low. These insights demonstrate the impact of the SW Header AOT change on the overall fire risk is acceptable and bounded by the internal events analysis.

Seismic Hazard Evaluation

Generic Letter (GL) 88-20 Supplement 4 was issued by the NRC in June 1991. This letter and NUREG-1407 requested each nuclear plant licensee to perform an IPEEE. In a December 1991 letter to the NRC, Surry identified the planned approach to address the IPEEE. For non-seismic external events and fires, the IPEEE effort was completed and a report was submitted to the NRC in December 1997.

Surry was categorized in NUREG-1407 as a focused scope plant. As identified in Surry's December 1991 letter, the Seismic Margins Method (SMM) developed by Electric Power Research Institute (EPRI) with enhancements was selected for Surry. A completion schedule for IPEEE - Seismic was initially provided by Surry in its September 1992 letter to the NRC which also noted that elements of the effort to resolve IPEEE - Seismic, notably plant walkdowns, will be integrated with the resolution of Unresolved Safety Issue (USI) A-46 identified in NRC's Supplement 1 to GL 87-02 of May 1992.

In September 1995, the NRC issued Supplement 5 to GL 88-20. This letter gave further guidance on the basis for selection of components that needed capacity evaluation.

Based on GL 88-20, Supplement 5, Surry submitted a revised approach to NRC in November 1995. This approach, while still retaining the Seismic Probabilistic Risk Assessment (SPRA) methodology and treating Surry as a focused scope plant, identified areas where screening and judgment by experienced and trained engineers would eliminate the need for performing capacity calculations for rugged components, structures, and systems; and require such evaluations only for weaker and critical components. The IPEEE - Seismic program at Surry has been performed in accordance with the SPRA methodology for a focused plant and Surry's stated commitments.

In February 1996, a peer review was conducted to assess the implementation of the IPEEE - Seismic program at Surry. This review included walkdown of about 15% of the items representing all classes of equipment in the Safe Shutdown Equipment List.

Although a few open issues were noted at the time of the review, the reviewer concluded that the Seismic Review Teams involved did an excellent seismic walkdown review at Surry.

In summary, the IPEEE-Seismic program, integrated with the USI A-46 effort, resulted in several plant improvements and design modifications. The SPRA quantification concluded that no severe accident vulnerabilities exist at Surry from a potential seismic event. No other cost beneficial upgrade can be performed to improve the seismic margin and the core damage frequency of the plant.

The Surry Seismic Probability Risk Assessment Pilot Plant Report was reviewed and this proposed change does not impact the conclusions drawn in that report. The following is a discussion of SPRA quantification results from that report.

The dominant Seismic PRA sequence (52%) involves the failure of the turbine building, starting a chain of events that fails SW. Since the power cables to the CW isolation valves run through cable trays in the turbine building, it was assumed that the failure of the steel superstructure would fail the valve cables, even though they are in the concrete portion of the turbine building below ground elevation. Failure of the cables prevents the CW isolation valves from closing, the canal will rapidly drain through the CW lines, SW cooling will be lost, and core damage is assumed. The proposed change does not have an adverse impact on this sequence.

25.7% of SPS seismic risk is associated with seismic-induced SW flooding. This risk is dominated by seismic-induced ruptures of BC heat exchangers. The proposed change does not have an adverse effect on seismic induced flooding sequences.

Seismic induced LOCA, SGTR and MSLB sequences where MER SW supply has a support function make up approximately 2% of seismic core damage risk. Therefore, it is concluded that the proposed change has a negligible impact on seismic risk and is screened from further evaluation.

Other External Hazards Evaluation

The other external hazards, as identified by NUREG/CR-2300 and NUREG/CR-4839, have been taken into consideration. Following the initial screening, seven events were identified as needing more detailed evaluation. These events included aircraft accidents, external flooding, tornado generated missiles and high winds, pipeline accidents, transportation accidents, accidents in nearby industrial or military facilities, and release of chemicals from on-site storage. Since the effects of these external events on Surry Power Station were analyzed as part of NUREG-1150, the analysis performed in the IPEEE used the method and in some cases the results obtained by NUREG/CR-4550. However, in each case the Surry UFSAR information was used to make sure that the results obtained by NUREG/CR-4550 were still valid.

The study concluded that there are no significant external events other than those identified in NUREG-1407. The non-seismic external events of interest, except for aircraft impacts, pipeline accidents and external flooding, were screened out based on the UFSAR information and the results reached by NUREG/CR-4550. The bounding analyses performed for the effects of aircraft impacts and pipeline accidents were based on the methods used by NUREG/CR-4550. The results of these two analyses indicate that the frequency of the events occurring is small. The actual risk from these hazards to the safe operation of the plant would be less than the screening value, because most safety-related equipment is inside Class I structures and is designed to withstand the loads imposed by the external event. The bounding analysis for external flooding considered the worst case occurrence of the 1 hour in 1 square mile probable maximum precipitation (PMP). The consequences of this occurrence were mitigated by implementation of a procedural revision and modification of turbine building roof parapets to reduce roof top accumulation during intense precipitation. Therefore, it can be concluded that non-seismic external events do not pose a significant risk to the safe operation of Surry Power Station.

  • Based on the above, other External Events have been screened from further evaluation for this proposed change.

RG 1.177 Tier 2: Avoidance of Risk Significant Plant Configurations

RG 1.177 contains the following discussion concerning Tier 2 analysis:

The licensee should provide reasonable assurance that risk-significant plant equipment outage configurations will not occur when specific plant equipment is out of service consistent with the proposed TS change. An effective way to perform such an assessment is to evaluate equipment according to its contribution to plant risk (or safety) while the equipment covered by the proposed CT change is out of service.

Evaluation of such combinations of equipment out of service against the Tier 1 ICCDP and ICLERP acceptance guidelines could be one appropriate method of identifying risk-significant configurations. Once plant equipment is so evaluated, an assessment can be made as to whether certain enhancements to the TS or procedures are needed to avoid risk significant plant configurations. In addition, compensatory actions that can mitigate any corresponding increase in risk (e.g., backup equipment, increased surveillance frequency, or upgraded procedures and training) should be identified and evaluated. Any changes made to the plant design or operating procedures as a result of such a risk evaluation (e.g., required backup equipment, increased surveillance frequency, or upgraded procedures and training required before certain plant system configurations can be entered) should be incorporated into the analyses utilized for TS changes as described under Tier 1 above.

A detailed review of PRA importance metrics (Risk Achievement Worth, Fussell-Vesely) from the Tier 1 PRA Model did not reveal any risk significant maintenance configurations when one MER header is considered unavailable. No enhancements, procedure revisions or compensatory actions are recommended from the Tier 2 evaluation.

RG 1.177 Tier 3: Risk-Informed Plant Configuration Control and Management

The Dominion 10 CFR 50.65(a)(4) program fully satisfies the recommendations of RG 1.177 Tier 3. RG 1.177 Section 2.3 states that:

The licensee should develop a program that ensures that the risk impact of out-of-service equipment is appropriately evaluated prior to performing any maintenance activity. A viable program would be one that is able to uncover risk-significant plant equipment outage configurations in a timely manner during normal plant operation.

The Dominion 10 CFR 50.65(a)(4) program performs PRA analyses of planned maintenance configurations in advance. The MER SW system is included in the 10 CFR 50.65(a)(4) scope and its removal from service is monitored, analyzed, and managed. Configurations that approach or exceed the NUMARC 93-01 risk limits are identified and either avoided or addressed by risk management actions. Emergent configurations are identified and analyzed by the on-shift staff for prompt determination of whether risk management actions are needed. The configuration analysis and risk management processes are fully proceduralized in compliance with the requirements of 10 CFR 50.65(a)(4). Dominion's (a)(4) program is implemented with station procedures WM-AA-300, Work Management, and NF-AA-PRA-370, MRule (a)(4) Risk Monitor Guidance.

To support Dominion's 10 CFR 50.65(a)(4) program, a dedicated PRA model is used to perform configuration risk analysis. The model uses the S007Aa model as a framework with some adjustments to optimize the model for configuration risk calculations. The model allows for quantitative Level 1 and Level 2 (LERF) assessments of internal events and internal floods hazards for at-power configurations. Risk during shutdown configurations and risks due to other hazards are assessed qualitatively. Changes in plant configuration or PRA model features are dispositioned and managed by Dominion's PRA configuration control process. Procedures are in place to ensure that actions are taken as necessary to qualitatively assess configurations outside the scope of the PRA model.

5.4 Results and Conclusions

The increase in risk associated with the proposed change is consistent with the RG 1.174 and RG 1.177 acceptance guidelines for a permanent TS Completion Time change. This evaluation demonstrates that nuclear defense-in-depth will not be significantly impacted by allowing a single SW flow path to be available to the CPSW subsystem and to the MCR/ESGR AC subsystem for up to 72 hours.

6.0 ENVIRONMENTAL ASSESSMENT

The proposed change will revise a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20. Specifically, the proposed change extends the AOT for only one operable flow path from 24 hours to 72 hours. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. However, the proposed change does not involve (i) a significant hazards consideration, (ii) a significant change in the types or a significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure.

Accordingly, the proposed change meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed change.

7.0 CONCLUSION

The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps. The proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The design functions of the CPSW subsystem and the Charging/HHSI pumps, as well as the design functions of the MCR/ESGR AC subsystem and chillers, are not impacted by the proposed revision. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs; the deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The proposed change does not physically alter plant equipment, does not impact plant operation, and does not affect the safety analyses.

Furthermore, a supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.

Therefore, Dominion concludes, based on the considerations discussed herein, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Figure 1 - Service Water System Simplified Diagram

Figure 2 - Gravity-supplied Service Water System Loads

Serial No.16-180 Docket Nos. 50-280/281 Attachment 2

MARKED-UP TECHNICAL SPECIFICATIONS AND BASIS PAGES (Basis Changes are for NRC Information Only)

Virginia Electric and Power Company (Dominion)

Surry Station Units 1 and 2

T. (Continued)

16. For the applicable UFSAR Chapter 14 events, Surry 1 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A.

Prior to operating above 2546 MWt (98.4% RP).

If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 1 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:

  • Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
  • Section 14.2.8 - Excessive Load Increase Incident;
  • Section 14.2.10 - Loss of External Electrical Load

4.

FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:

Samuel J. Collins, Director Office of Nuclear Reactor Regulation

Attachment:

Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 1 Renewed License No. DPR-32 Amendment No.-2f9-

09 23 13

T. (Continued)

16. For the applicable UFSAR Chapter 14 events, Surry 2 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A.

Prior to operating above 2546 MWt (98.4% RP).

If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 2 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:

  • Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
  • Section 14.2.8 - Excessive Load Increase Incident;
  • Section 14.2.10 - Loss of External Electrical Load
4. This renewed license is effective as of the date of issuance and shall expire at midnight on January 29, 2033.

FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:

Samuel J. Collins, Director Office of Nuclear Reactor Regulation

Attachment:

Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 2 Renewed License No. DPR-37 Amendment No.~

TABLE 3.7-2 (Continued)

ENGINEERED SAFEGUARDS ACTION INSTRUMENT OPERATING CONDITIONS

| Functional Unit | Total Number Of Channels | Minimum OPERABLE Channels | Channels To Trip | Permissible Bypass Conditions | Operator Actions |
|---|---|---|---|---|---|
| 3. AUXILIARY FEEDWATER (continued) | | | | | |
| e. Trip of main feedwater pumps - start motor driven pumps | 2/MFW pump | 1/MFW pump | 2-1 each MFW pump | | 24 |
| f. Automatic actuation logic | 2 | 2 | 1 | | 22 |
| 4. LOSS OF POWER | | | | | |
| a. 4.16 kv emergency bus undervoltage (loss of voltage) | 3/bus | 2/bus | 2/bus | | 26 |
| b. 4.16 kv emergency bus undervoltage (degraded voltage) | 3/bus | 2/bus | 2/bus | | 26 |
| 5. NON-ESSENTIAL SERVICE WATER ISOLATION | | | | | |
| a. Low intake canal level* | 4 | 3 | 3 | | 20 |
| b. Automatic actuation logic | 2 | 2 | 1 | | 14 |
| 6. ENGINEERED SAFEGUARDS ACTUATION INTERLOCKS - Note A | | | | | |
| a. Pressurizer pressure, P-11 | 3 | 2 | 2 | | 23 |
| b. Low-low Tavg, P-12 | 3 | 2 | 2 | | 23 |
| c. Reactor trip, P-4 | 2 | 2 | 1 | | 24 |
| 7. RECIRCULATION MODE TRANSFER | | | | | |
| a. RWST Level - Low-Low* | 4 | 3 | 2 | | 25 |
| b. Automatic Actuation Logic and Actuation Relays | 2 | 2 | 1 | | 14 |
| 8. RECIRCULATION SPRAY | | | | | |
| a. RWST Level - Low Coincident with High High Containment Pressure* | 4 | 3 | 2 | | 20 |
| b. Automatic Actuation Logic and Actuation Relays | 2 | 2 | 1 | | 14 |

xc angers is m 1 e m e tripped condition. In this condition, two t t

TS 3.14-1

09-23-13

3.14 CIRCULATING AND SERVICE WATER SYSTEMS

Applicability

Applies to the operational status of the Circulating and Service Water Systems.

Objective

To define those limiting conditions of the Circulating and Service Water Systems necessary to assure safe station operation.

Specification

A. The Reactor Coolant System temperature or pressure of a reactor unit shall not exceed 350°F or 450 psig, respectively, or the reactor shall not be critical unless:

1. The high level intake canal is filled to at least elevation +23.0 feet at the high level intake structure.
2. Unit subsystems, including piping and valves, shall be operable to the extent of being able to establish the following:
a. Flow to and from one bearing cooling water heat exchanger.
b. Flow to and from the component cooling heat exchangers required by Specification 3.13.
3. At least two circulating water pumps are operating or are operable.
4. Three emergency service water pumps are operable; these pumps will service both units simultaneously.

Amendment Nos.

TS 3.14-2 04-02-07

5. Two service water flow paths to the charging pump service water subsystem are OPERABLE.
6. Two service water flow paths to the recirculation spray subsystems are OPERABLE.
7. Two service water flow paths to the main control room and emergency switchgear room air conditioning subsystems are OPERABLE.

B. The requirements of Specification 3.14.A.4 may be modified to allow one Emergency Service Water pump to remain inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place both units in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.

The requirements of 3.14.A.4 may be modified to have two Emergency Service Water pumps OPERABLE with one unit in COLD SHUTDOWN with combined Spent Fuel pit and shutdown unit decay heat loads of 25 million BTU/HR or less.

One of the two remaining pumps may be inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place the operating unit in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.

Amendment Nos.

LBDCR/TSCR 441 - INSERT 1 on pages TS 3.14-2 and TS 3.14-3:

C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.

D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems. If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.

TS 3.14-3 04-02-07

l be p aced m s o Specifications 3.14.A.5, 3.1 are not met within an additional 48 c or shall be laced in COLD SHUTDOWN.

Basis

The Circulating and Service Water Systems are designed for the removal of heat resulting from the operation of various systems and components of either or both of the units.

Untreated water, supplied from the James River and stored in the high level intake canal is circulated by gravity through the recirculation spray coolers and the bearing cooling water heat exchangers and to the charging pumps lubricating oil cooler service water pumps which supply service water to the charging pump lube oil coolers.

In addition, the Circulating and Service Water Systems supply cooling water to the component cooling water heat exchangers and to the main control and emergency switchgear rooms air conditioning condensers. The Component Cooling heat exchangers are used during normal plant operations to cool various station components and when in shutdown to remove residual heat from the reactor. Component Cooling is not required on the accident unit during a loss-of-coolant accident. If the loss-of-coolant accident is coincident with a loss of off-site power, the nonaccident unit will be maintained at HOT SHUTDOWN with the ability to reach COLD SHUTDOWN.

The long term Service Water requirement for a loss-of-coolant accident in one unit with simultaneous loss-of-station power and the second unit being brought to HOT SHUTDOWN is greater than 15,000 gpm. Additional Service Water is necessary to bring the nonaccident unit to COLD SHUTDOWN. Three diesel driven Emergency Service Water pumps with a design capacity of 15,000 gpm each, are provided to supply water to the High Level Intake canal during a loss-of-station power incident. Thus, considering the single active failure of one pump, three Emergency Service Water pumps are required to be OPERABLE. The allowed outage time of 7 days provides operational flexibility to allow for repairs up to and including replacement of an Emergency Service Water pump without forcing dual unit outages, yet limits the amount of operating time without the specified number of pumps.

TS 3.14-4 09-23-13

When one Unit is in Cold Shutdown and the heat load from the shutdown unit and spent fuel pool drops to less than 25 million BTU/HR, then one Emergency Service Water pump may be removed from service for the subsequent time that the unit remains in Cold Shutdown due to the reduced residual heat removal and hence component cooling requirements.

A minimum level of +17.2 feet in the High Level Intake canal is required to provide design flow of Service Water through the Recirculation Spray heat exchangers during a loss-of-coolant accident for the first 24 hours. If the water level falls below +23' 6", signals are generated to trip both unit's turbines and to close the nonessential Circulating and Service Water valves. A High Level Intake canal level of +23' 6" ensures actuation prior to canal level falling to elevation +23'. The Circulating Water and Service Water isolation valves which are required to close to conserve Intake Canal inventory are periodically verified to limit total leakage flow out of the Intake Canal. In addition, passive vacuum breakers are installed on the Circulating Water pump discharge lines to assure that a reverse siphon is not continued for canal levels less than +23 feet when Circulating Water pumps are de-energized. The remaining six feet of canal level is provided coincident with ESW pump operation as the required source of Service Water for heat loads following the Design Basis Accident.

facilitate cleaning, inspecting, repairing (as needed), and recoating (as needed) of the ater (SW) supply line to the Component Cooling Heat Exchangers (CC s), a temporary, sa -related, seismic, not fully missile protected SW supply li temporary jumper) will be us as discussed in the temporary footnote to .14.A.2.b. The temporary jumper is requ

  • d since service water is supplied e CCHXs by a single concrete-encased line. To re ve the SW supply I' from service for extended CCHXs is provided in Virgini y's letter Serial No.12-615, dated September 26, 2012. e use of the temporary jumper is on of up to 35 days d
  • g each of the 2013 and 2015 Unit 1 refueling o ordance with the compensatory measures (including a Contin vided in the letter referenced above. The only automatic function in the ply line when Unit 1 is in COLD SHUTDOWN or REFUELING SHUTDOWN is Amendment Nos.~and~ ~ _

TS 3.14-4a 09 23 13 e SW supply motor operated valves, which close on low Intak'::!:e;...>-"_***~*

isolation valve in the tempor established by the Station Abnormal Procedures.

References:

UFSAR Section 9.9 Service Water System
UFSAR Section 10.3.4 Circulating Water System
UFSAR Section 14.5 Loss-of-Coolant Accidents, Including the Design Basis Accident

Amendment Nos.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 3 PROPOSED TECHNICAL SPECIFICATIONS AND BASIS PAGES (Basis Changes are for NRC Information Only)

Virginia Electric and Power Company (Dominion)

Surry Station Units 1 and 2

T. (Continued)

16. For the applicable UFSAR Chapter 14 events, Surry 1 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A.

Prior to operating above 2546 MWt (98.4% RP).

If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 1 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:

  • Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
  • Section 14.2.8 - Excessive Load Increase Incident;
  • Section 14.2.10 - Loss of External Electrical Load

U. Deleted by Amendment No. ____
4. This renewed license is effective as of the date of issuance and shall expire at midnight on May 25, 2032.

FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:

Samuel J. Collins, Director Office of Nuclear Reactor Regulation

Attachment:

Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 1 Renewed License No. DPR-32 Amendment No.

T. (Continued)

16. For the applicable UFSAR Chapter 14 events, Surry 2 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A.

Prior to operating above 2546 MWt (98.4% RP).

If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 2 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:

  • Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
  • Section 14.2.8 - Excessive Load Increase Incident;
  • Section 14.2.10 - Loss of External Electrical Load

U. Deleted by Amendment No. ____
4. This renewed license is effective as of the date of issuance and shall expire at midnight on January 29, 2033.

FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:

Samuel J. Collins, Director Office of Nuclear Reactor Regulation

Attachment:

Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 2 Renewed License No. DPR-37 Amendment No.

TABLE 3.7-2 (Continued)

ENGINEERED SAFEGUARDS ACTION INSTRUMENT OPERATING CONDITIONS

| Functional Unit | Total Number Of Channels | Minimum OPERABLE Channels | Channels To Trip | Permissible Bypass Conditions | Operator Actions |
|---|---|---|---|---|---|
| 3. AUXILIARY FEEDWATER (continued) | | | | | |
| e. Trip of main feedwater pumps - start motor driven pumps | 2/MFW pump | 1/MFW pump | 2-1 each MFW pump | | 24 |
| f. Automatic actuation logic | 2 | 2 | 1 | | 22 |
| 4. LOSS OF POWER | | | | | |
| a. 4.16 kv emergency bus undervoltage (loss of voltage) | 3/bus | 2/bus | 2/bus | | 26 |
| b. 4.16 kv emergency bus undervoltage (degraded voltage) | 3/bus | 2/bus | 2/bus | | 26 |
| 5. NON-ESSENTIAL SERVICE WATER ISOLATION | | | | | |
| a. Low intake canal level* | 4 | 3 | 3 | | 20 |
| b. Automatic actuation logic | 2 | 2 | 1 | | 14 |
| 6. ENGINEERED SAFEGUARDS ACTUATION INTERLOCKS - Note A | | | | | |
| a. Pressurizer pressure, P-11 | 3 | 2 | 2 | | 23 |
| b. Low-low Tavg, P-12 | 3 | 2 | 2 | | 23 |
| c. Reactor trip, P-4 | 2 | 2 | 1 | | 24 |
| 7. RECIRCULATION MODE TRANSFER | | | | | |
| a. RWST Level - Low-Low* | 4 | 3 | 2 | | 25 |
| b. Automatic Actuation Logic and Actuation Relays | 2 | 2 | 1 | | 14 |
| 8. RECIRCULATION SPRAY | | | | | |
| a. RWST Level - Low Coincident with High High Containment Pressure* | 4 | 3 | 2 | | 20 |
| b. Automatic Actuation Logic and Actuation Relays | 2 | 2 | 1 | | 14 |

Note A - Engineered Safeguards Actuation Interlocks are described in Table 4.1-A

* There is a Safety Analysis Limit associated with this ESF function. If during calibration the setpoint is found to be conservative with respect to the Setting Limit but outside its predefined calibration tolerance, then the channel shall be brought back to within its predefined calibration tolerance before returning the channel to service. The calibration tolerances are specified in a document controlled under 10 CFR 50.59.

TS 3.14-1

3.14 CIRCULATING AND SERVICE WATER SYSTEMS

Applicability

Applies to the operational status of the Circulating and Service Water Systems.

Objective

To define those limiting conditions of the Circulating and Service Water Systems necessary to assure safe station operation.

Specification

A. The Reactor Coolant System temperature or pressure of a reactor unit shall not exceed 350°F or 450 psig, respectively, or the reactor shall not be critical unless:

1. The high level intake canal is filled to at least elevation +23.0 feet at the high level intake structure.
2. Unit subsystems, including piping and valves, shall be operable to the extent of being able to establish the following:
a. Flow to and from one bearing cooling water heat exchanger.
b. Flow to and from the component cooling heat exchangers required by Specification 3.13.
3. At least two circulating water pumps are operating or are operable.
4. Three emergency service water pumps are operable; these pumps will service both units simultaneously.

Amendment Nos.


5. Two service water flow paths to the charging pump service water subsystem are OPERABLE.
6. Two service water flow paths to the recirculation spray subsystems are OPERABLE.
7. Two service water flow paths to the main control room and emergency switchgear room air conditioning subsystems are OPERABLE.

B. The requirements of Specification 3.14.A.4 may be modified to allow one Emergency Service Water pump to remain inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place both units in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.

The requirements of 3.14.A.4 may be modified to have two Emergency Service Water pumps OPERABLE with one unit in COLD SHUTDOWN with combined Spent Fuel pit and shutdown unit decay heat loads of 25 million BTU/HR or less.

One of the two remaining pumps may be inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place the operating unit in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.

C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.

D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems. If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.

Basis

The Circulating and Service Water Systems are designed for the removal of heat resulting from the operation of various systems and components of either or both of the units.

Untreated water, supplied from the James River and stored in the high level intake canal, is circulated by gravity through the recirculation spray coolers and the bearing cooling water heat exchangers and to the charging pumps lubricating oil cooler service water pumps which supply service water to the charging pump lube oil coolers.

In addition, the Circulating and Service Water Systems supply cooling water to the component cooling water heat exchangers and to the main control and emergency switchgear rooms air conditioning condensers. The Component Cooling heat exchangers are used during normal plant operations to cool various station components and when in shutdown to remove residual heat from the reactor. Component Cooling is not required on the accident unit during a loss-of-coolant accident. If the loss-of-coolant accident is coincident with a loss of off-site power, the nonaccident unit will be maintained at HOT SHUTDOWN with the ability to reach COLD SHUTDOWN.

The long term Service Water requirement for a loss-of-coolant accident in one unit with simultaneous loss-of-station power and the second unit being brought to HOT SHUTDOWN is greater than 15,000 gpm. Additional Service Water is necessary to bring the nonaccident unit to COLD SHUTDOWN. Three diesel driven Emergency Service Water pumps with a design capacity of 15,000 gpm each are provided to supply water to the High Level Intake canal during a loss-of-station power incident. Thus, considering the single active failure of one pump, three Emergency Service Water pumps are required to be OPERABLE. The allowed outage time of 7 days provides operational flexibility to allow for repairs up to and including replacement of an Emergency Service Water pump without forcing dual unit outages, yet limits the amount of operating time without the specified number of pumps.

When one Unit is in Cold Shutdown and the heat load from the shutdown unit and spent fuel pool drops to less than 25 million BTU/HR, then one Emergency Service Water pump may be removed from service for the subsequent time that the unit remains in Cold Shutdown due to the reduced residual heat removal and hence component cooling requirements.

A minimum level of +17.2 feet in the High Level Intake canal is required to provide design flow of Service Water through the Recirculation Spray heat exchangers during a loss-of-coolant accident for the first 24 hours. If the water level falls below +23' 6", signals are generated to trip both units' turbines and to close the nonessential Circulating and Service Water valves. A High Level Intake canal level of +23' 6" ensures actuation prior to canal level falling to elevation +23'. The Circulating Water and Service Water isolation valves which are required to close to conserve Intake Canal inventory are periodically verified to limit total leakage flow out of the Intake Canal. In addition, passive vacuum breakers are installed on the Circulating Water pump discharge lines to assure that a reverse siphon is not continued for canal levels less than +23 feet when Circulating Water pumps are de-energized. The remaining six feet of canal level is provided coincident with ESW pump operation as the required source of Service Water for heat loads following the Design Basis Accident.

References:

UFSAR Section 9.9 Service Water System
UFSAR Section 10.3.4 Circulating Water System
UFSAR Section 14.5 Loss-of-Coolant Accidents, Including the Design Basis Accident

Serial No. 16-180
Docket Nos. 50-280/281

Attachment 4

TECHNICAL ADEQUACY OF THE PROBABILISTIC RISK ASSESSMENT (PRA) MODEL

Virginia Electric and Power Company (Dominion)
Surry Station Units 1 and 2

The PRA model used to analyze the risk of the LBDCR/TSCR 441 is referred to as S007Aa. The effective date of this model is September 30, 2009. Surry PRA Model Notebook QU.2, Revision 5, documents the quantification of the PRA model. This is the most recent evaluation of the SPS internal events at-power risk profile. The PRA model is maintained and updated under a PRA configuration control program in accordance with Dominion procedures. Plant changes, including physical and procedural modifications and changes in performance data, are reviewed and the PRA model is updated to reflect such changes periodically by qualified personnel, with independent reviews and approvals.

Summary of the SPS PRA History

The Level 1 and Level 2 SPS PRA analyses were originally developed and submitted to the Nuclear Regulatory Commission (NRC) in 1991 as the Individual Plant Examination (IPE) submittal. The SPS PRA has been updated many times since the original IPE. A summary of the SPS PRA history is as follows:

  • Original IPE (August 1991)
  • Individual Plant Examination External Events (IPEEE) 1991 through 1994
  • 2001 - Data update; update to address more Maintenance Rule issues, address peer review Facts and Observations (F&Os)
  • 2002 - Update RCP seal LOCA model due to installation of high temperature o-rings; added internal flooding, additional changes for Maintenance Rule and Safety Monitor
  • 2004 - Update to address applicable F&Os from North Anna peer review
  • 2005 - Update to include plant changes to reduce turbine building flood risk
  • 2006 - Data update and update to address MSPI requirements
  • 2006 - Update to support ESGR chilled water Tech Spec change; added loss of main control room HVAC and loss of instrument air to the model; added logic from the IPEEE fire and seismic models
  • 2009 - Data update; addressed American Society of Mechanical Engineers (ASME) PRA Standard SRs that were not met; extensive changes throughout the model as the model was converted to CAFTA
  • 2009 - Updated Interfacing Systems LOCA (ISLOCA) initiator frequency, added EDG and AAC diesel fails to load (FTL) basic events, and added rupture failure of the SW expansion joints for the CCW heat exchangers as flood scenarios (current model of record)

The SPS PRA model has benefited from the following technical PRA peer reviews.

1998 NEI PRA Peer Review

The SPS internal events PRA received a formal industry PRA model peer review in 1998. The purpose of the PRA peer review process is to provide a method for establishing the technical quality of a PRA model for the spectrum of potential risk-informed plant licensing applications for which the PRA model may be used. The PRA peer review process used a team composed of industry PRA and system analysts, each with significant expertise in both PRA model development and PRA applications. This team provided both an objective review of the PRA technical elements and a subjective assessment, based on their PRA experience, regarding the acceptability of the PRA elements. The team used a set of checklists as a framework within which to evaluate the scope, comprehensiveness, completeness, and fidelity of the PRA products available. The SPS review team used the "Westinghouse Owner's Group (WOG) Peer Review Process Guidance" as the basis for the review.

The general scope of the PRA peer review included a review of eleven main technical elements, using checklist tables (to cover the elements and sub-elements), for an at-power PRA including internal events, internal flooding, and containment performance, with focus on Large Early Release Frequency (LERF).

The F&Os from the PRA peer review were prioritized into four categories (A through D) based upon importance to the completeness of the model. Categories A and B F&Os are considered significant enough that the technical adequacy of the model may be impacted. Categories C and D are considered minor. Subsequent to the peer review, the model has been updated to address all Category A, B, and D F&Os. Category B items from the 1998 NEI PRA Peer Review (all closed) are listed below:

1998 NEI PRA Peer Review Category B Closed Items

OBSERVATION (ID: AS-2), Element AS, Subelement 5 and 9 (Also MU)
OBSERVATION Detail: The models and analyses are consistent, as best as the reviewers could determine, with the as built plant, and were consistent with plant operating procedures at the time the IPE was completed. However, there is no process in place to identify and incorporate changes in plant operation into the PRA model. This process should also include periodic review of industry standards that may impact the PRA. Some examples of where such a process could impact the model include, the timing for switchover to hot leg recirculation after event initiation (9 hours in the current EOP), and a review of potential impacts on the PSA due to the power uprate program. The focus of this comment is on the lack of process more than any current discrepancies found in the model, and is related to the IPE Maintenance and Update Process elements.
POSSIBLE RESOLUTION: Establish a formal process for identifying changes to plant procedures (EOPs/AOPs), and evaluating the impact of these changes on the PRA model. This process should also include periodic review of industry standards that may affect modeling assumptions and success criteria used in the PRA. The resolution of this comment should be incorporated as an element of the PRA Maintenance and Update Process.
PLANT RESPONSE OR RESOLUTION: PRA update guidance was developed, which includes a review of plant procedures (EOPs), assumptions for components, and system recovery models based upon human actions (Nuclear Safety Analysis Manual - Part IV, Chapter J, subsequently superseded by PRA Manual - Part IV, Chapter A). The current industry guidance suggests a voluntary periodic review of industry standards, which will be considered as resources allow. Recent PRA updates (S03A, S05A) provide examples of the process.
STATUS: This F&O is Closed.

OBSERVATION (ID: AS-8), Element AS, Subelement AS-12
OBSERVATION Detail: The RCP seal LOCA model appears to include an optimistic interpretation of the WOG and NRC models, and does not include a contribution from early seal failure.
POSSIBLE RESOLUTION: Consider an evaluation of the sensitivity of the PRA results to use of a model that includes the possibility of early seal failure. Also evaluate the potential impact on the model due to recent changes to the WOG seal cooling restoration emergency response guidelines (advising against restoration of seal cooling after a relatively brief cooling loss).
PLANT RESPONSE OR RESOLUTION: An RC pump seal failure model (the so-called Rhodes model) that is acceptable to the NRC for use in PRA was developed and implemented for the T4, T1A and T6 event trees. This model addresses the probability of early seal failure, and does not allow restoration of seal cooling after a relatively brief cooling loss. For Surry, the model is discussed fully in SM-1296, implemented in the SOA-D PRA models. For the S03A model, the T1A (SBO) accident sequence model was revised to be fully consistent with the WOG2000 RCP seal LOCA model, and the T4 and T6 accident sequences models were revised to incorporate simplified logic consistent with the WOG2000 model.
STATUS: The PRA adequately addresses early seal failure contribution, so this F&O is CLOSED. Future model updates are planned to include additional model detail (and remove conservatisms) for the seal failure contribution for events other than T1A.

OBSERVATION (ID: DA-6), Element DA, Subelement DA-11
OBSERVATION Detail: The models for the EDGs do include common cause failures of fuel oil system. In general the models do consider common/shared components and support systems explicitly. The models do not appear to include the effects of common maintenance crews or I&C technicians. Specifically, there is no consideration of common cause miscalibration of instrumentation channels.
POSSIBLE RESOLUTION: Update the models to include common cause instrumentation miscalibration. Documentation should at least include a qualitative discussion of the potential impact of common maintenance crews and similar procedures. The documentation should also highlight areas where CCF was not included because of design diversity or other similar considerations.
PLANT RESPONSE OR RESOLUTION: Miscalibration of instrumentation channels is resolved as a human reliability rather than an equipment common cause fault. The HEP fault behaves the same as an equipment CCF, but is quantified on the basis of human error rather than equipment reliability. For North Anna, HEP events are created for the following instrument channels: EDG, 1-LM-PT-100A/B/C/D, MS flow, MS differential pressure, MS low pressure, and pressurizer pressure. The models are discussed fully in SM-1269, implemented in the NOA-D PRA models. For Surry, HEP events are created for the following instrument channels: EDG, 1-LM-PT-100A/B/C/D, MS flow, MS differential pressure, steam generator level, pressurizer pressure, RWST level, intake canal level and RC delta T and TAVE. The models are discussed fully in SM-1310, implemented in the SOA-D PRA models.
STATUS: This F&O is CLOSED.

OBSERVATION (ID: DA-8), Element DA/DE, Subelement DA-12/DE-9
OBSERVATION Detail: (Implementation of NUREG/CR-4780 methodology) Reviewers question the validity of the approach used for defining CCF terms, by adding fail to start and fail to run data variables. Method added value of QD and A, but the events are not consistent (i.e. per-demand and per-hour). Assuming a mission time of one hour and a demand for the device, the terms can be added. But what if:
1. Common cause failure is dominated by running failures, there is no mission time associated with the use of the common cause term - non-conservative result
2. Running failure rate is comparable to start term, but common cause dominated by start terms - overly conservative result.
POSSIBLE RESOLUTION: Reevaluate CCF analysis as described in Surry guidance documents. Fully incorporate NUREG/CR-4780 methods.
PLANT RESPONSE OR RESOLUTION: The common cause fault (CCF) approach is revised to incorporate the following: Alpha-factor model, INEEL data base of CCF events from NUREG/CR-6268, different failure modes (run and demand), and different CCF events based upon population size (e.g., 2 of 3 as well as 3 of 3 CCF events). Guidance for the CCF models was taken from NUREG/CR-5485, which extends the technology developed for NUREG/CR-4780. The models are discussed fully in SM-1309, implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (starting with S03A).
STATUS: This F&O is CLOSED.

OBSERVATION (ID: DA-9), Element DA, Subelement 9
OBSERVATION Detail: The common cause failure probability of valves failing due to plugging is (0.1)(1.25-7 f/hr)(2160 hrs), or about 1E-4. The 0.1 beta factor used for this calculation may be overly conservative. The net result is that many of the top sequences (for the 3-year maintenance case) involve common cause valve plugging terms. It is unusual to have passive equipment failures be so prominent in the dominant cutsets (more prominent than active equipment failures).
POSSIBLE RESOLUTION: Consider the use of a more realistic beta factor in the analysis.
PLANT RESPONSE OR RESOLUTION: The common cause fault (CCF) approach is revised to incorporate the following: Alpha-factor model, INEEL data base of CCF events from NUREG/CR-6268, different failure modes (run and demand), and different CCF events based upon population size (e.g., 2 of 3 as well as 3 of 3 CCF events). Guidance for the CCF models was taken from NUREG/CR-5485, which extends the technology developed for NUREG/CR-4780. The models are discussed fully in SM-1309, implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (starting with S03A).
STATUS: This F&O is CLOSED.

OBSERVATION (ID: DE-3), Element DE, Subelement 8
OBSERVATION Detail: The methods used to determine CCF groups are simplistic. Determination of the set of active components based on 1% contribution to CDF severely limits the number and type of common cause terms used in the model. As an evaluation tool for plant vulnerabilities (i.e., the IPE), it is more than sufficient, but as an evaluation tool for Risk-informed Applications, it is not enough. Events that should be considered include: Breaker fail to operate (Open/Close); Auxiliary Feedwater Pumps (back-leakage); Ventilation fans.
POSSIBLE RESOLUTION: The generic data base development project identifies a large number of common-cause groups. Incorporate these groups or better justify their exclusion.
PLANT RESPONSE OR RESOLUTION: The common cause fault (CCF) approach was revised to incorporate the following: Alpha-factor model, INEEL data base of CCF events from NUREG/CR-6268, different failure modes (run and demand), and different CCF events based upon population size (e.g., 2 of 3 as well as 3 of 3 CCF events). Guidance for the CCF models was taken from NUREG/CR-5485, which extends the technology developed for NUREG/CR-4780. The models are discussed fully in SM-1309, implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (starting with S03A).
STATUS: This F&O is CLOSED.

OBSERVATION (ID: HR-2), Element HR/DE/SY, Subelements HR-4,7/DE-7/SY
OBSERVATION Detail: Table D.1-1 of Section D.1 of the Surry IPE lists the pre-initiator errors considered in the analysis. The list contains only mispositioning events (valves, blank flanges, etc.). No instrument miscalibration events are contained in the list. The procedure for system analysis (page 19 of 58) indicates that common cause HIs should be modeled for miscalibration of instruments used to initiate systems following an action or in any standby equipment items such as the level instrumentation in storage tanks.
POSSIBLE RESOLUTION: Provide the basis for excluding miscalibration events, or develop appropriate events for inclusion in the next update of the PSA model.
PLANT RESPONSE OR RESOLUTION: Miscalibration of instrumentation channels is resolved as a human reliability rather than an equipment common cause fault. The HEP fault behaves the same as an equipment CCF, but is quantified on the basis of human error rather than equipment reliability. For North Anna, HEP events are created for the following instrument channels: EDG, 1-LM-PT-100A/B/C/D, MS flow, MS differential pressure, MS low pressure, and pressurizer pressure. The models are discussed fully in SM-1269, implemented in the NOA-D PRA models. For Surry, HEP events are created for the following instrument channels: EDG, 1-LM-PT-100A/B/C/D, MS flow, MS differential pressure, steam generator level, pressurizer pressure, RWST level, intake canal level and RC delta T and TAVE. The models are discussed fully in SM-1310, implemented in the SOA-D PRA models.
STATUS: This F&O is CLOSED.

OBSERVATION (ID: HR-4), Element HR, Subelement (illegible in source)
OBSERVATION Detail: HEP development for the IPE model was extensively documented; however, HEPs developed for subsequent updates of the IPE model were not as well documented (and by implication, were not developed in as much detail). For many of the HEPs in subsequent updates, a value of 0.1 was used. It is not clear whether this is a screening value or some other value.
POSSIBLE RESOLUTION: Perform and document development of HEPs that arise from model updates.
PLANT RESPONSE OR RESOLUTION: The HEP events developed since the IPE have received detailed analysis. For North Anna, the models are discussed fully in SM-1269, implemented in the NOA-D PRA models. For Surry, the models are discussed fully in SM-1310, implemented in the SOA-D PRA models, and in the HR-series notebooks developed for the S03A and subsequent updates. This process was also reviewed as part of the HRA re-peer review exercise prior to the RG 1.200 review for Surry.
STATUS: This F&O is CLOSED.

OBSERVATION (ID: HR-5), Element HR, Subelement (illegible in source)
OBSERVATION Detail: In a sensitivity analysis (SM-1174, Addendum A) to evaluate dependency among HIs contained in cutsets, time between actions was listed as the major factor in establishing independence of the operator actions. In most cases, time (itself) is not an adequate factor, but is a parameter which can be associated with more defensible factors. For example, one cutset contained two HEPs -- one for early SG isolation following a SGTR and one for late SG isolation. The time difference of several hours between the actions was cited as the basis for the actions' independence. Better factors for independence might have been different clues calling for the need to isolate the SG or actuation of the TSC, or additional/new crew for the late isolation. All of these are related to time, but time (itself) is not the factor.
POSSIBLE RESOLUTION: Reevaluate dependence without excessive emphasis on time between actions.
PLANT RESPONSE OR RESOLUTION: The dependency among the HEPs is being evaluated based on the following principles (SM-1310):
1. Functions: If two HEPs are working for two different functions, these two HEPs will be justified as independent HEPs.
2. Steps of procedure: Because operators are trained to follow procedure step by step, on the view of operators, each step is a new and independent instruction. If two HEPs are based on two different steps or two different procedures, even these two HEPs work for the same function, they still may be justified as independent HEPs.
A sensitivity analysis was performed for the S03A model update (and has been incorporated into the PRA quantification process for subsequent updates) to review the cutsets with multiple HEPs and determine if a dependency may exist between the HEPs. Refer to the PRA QU.2 notebooks for further detail. This process was also reviewed as part of the HRA re-peer review exercise prior to the RG 1.200 review for Surry.
STATUS: This F&O is CLOSED.

OBSERVATION (ID: IE-3), Element IE, Subelement 13 (Also MU)
OBSERVATION Detail: Initiating event frequencies have not been updated since the IPE submittal in 1991. As a result, recent industry information and operating experience have not been incorporated into the initiating events analysis. This information could alter the initiating event frequencies currently contained in the model. For example:
  • Two plants (Salem and Wolf Creek) have experienced losses of circulating and service water that resulted in plant trips.
  • One plant (Oconee) has experienced a small break LOCA (thermal fatigue of charging line).
  • One plant (WNP-2) has experienced an internal flood.
  • A draft NUREG updating initiating events has (very recently) been issued (LOCA frequencies, particularly, have been affected).
POSSIBLE RESOLUTION: Include an update of initiating event frequencies during the next update. Also, individual applications should be reviewed to determine if they are affected before submittal or implementation.
PLANT RESPONSE OR RESOLUTION: The North Anna and Surry initiating event frequencies were updated in the NOA-D and SOA-D PRA updates by several sources. The rare initiator frequencies from NUREG/CR-5750 are used as priors for Bayesian updating with plant specific histories. The moderate frequency transient initiating event frequencies are created from plant specific data (1990-2000 LERs) and a non-informative gamma prior distribution. Finally, some plant unique initiating events are quantified with new fault tree models directly linked to the integrated PRA model. For North Anna, these models are discussed fully in Calculation SM-1266, implemented in the NOA-D PRA models. For Surry, these models are discussed fully in Calculation SM-1307, implemented in the SOA-D PRA models. All IE frequencies have subsequently been updated in 2005 and documented in the IE.1 and IE.2 notebooks.
STATUS: This F&O is CLOSED.

OBSERVATION (ID: IE-4), Element IE, Subelement 7 (Also MU)
OBSERVATION Detail: A recent industry event (Oconee) involved a small break LOCA (>10 gpm) at the charging line connection to the RCS. The mechanism for the crack in the thermal sleeve at the connection point was thermal fatigue. Is the Surry piping subject to this type of event? If so, has it been considered in the initiating event frequency?
POSSIBLE RESOLUTION: Evaluate the susceptibility of the Surry piping to this failure mechanism, and adjust the LOCA frequencies, as appropriate.
PLANT RESPONSE OR RESOLUTION: The referenced Oconee event was evaluated as part of INPO SEN 163, Recurring Event, High Pressure Injection Line Leak, and as part of NRC IN 97-46, Unisolable Crack in High-Pressure Injection Piping. The design of the CVCS and HHSI systems at both North Anna and Surry is significantly different than that of Oconee, Unit 2. NAPS and SPS designs do not include combination CVCS makeup and HHSI lines. Each unit has only one CVCS makeup line which carries full makeup flow and the CVCS system employs a regenerative heat exchanger to heat the makeup water to within 100 degrees of the RCS cold leg temperature, thereby minimizing thermal shock. The Oconee failure mechanism is not considered valid for the North Anna or Surry designs, and should not require LOCA frequency adjustment. The current North Anna and Surry LOCA frequencies are developed from NUREG/CR-5750, per the evaluation in the IE.2 PRA notebook. This NUREG observed that no small LOCA events had occurred in U.S. nuclear power plants up to 1995. However, the 1997 Oconee 2 event could possibly be categorized as a very small LOCA / leak, and four such events from 1987 - 1995 are included within the NUREG/CR-5750 initiating event frequencies.
STATUS: This F&O is CLOSED.

OBSERVATION (ID: IE-5), Element IE, Subelement 14
OBSERVATION Detail: An industry issue of about 5-6 years ago was the creation of an ISLOCA caused by a leak in an RCP thermal barrier heat exchanger and a failure to isolate the CCW lines that provided cooling water to the heat exchanger. How was this potential ISLOCA pathway treated by the initiating events analysis? Does it apply to the Surry model?
POSSIBLE RESOLUTION: Determine if the ISLOCA path is applicable to the Surry model, and address it, if appropriate.
PLANT RESPONSE OR RESOLUTION: The industry issue initially surfaced in July 1984 as a Westinghouse 10 CFR Part 21 issue. However, since Westinghouse was not the source vendor for the Surry CC system, this Part 21 issue was not communicated to Surry at that time. In May 1989, Surry communicated this issue to NRC and subsequently, NRC Information Notice 89-54 (June 23, 1989) was issued to all licensees. This NRC IN is probably the source of the industry issue quoted in the certification comment. Surry submitted system design information to NRC in a June 5, 1989 letter to NRC (Serial No. 89-406) clarifying resolution of the concern. This licensee response provides a detailed description of the problem and an assessment of the resolution. In summary, the operating history of Westinghouse RC Pump (RCP) thermal barriers indicates only one minor internal leak in over 12 million hours of operation (8.3 E-8/hr or 7.3 E-4/yr). Catastrophic failure of RCP thermal barrier is not a credible event. Westinghouse calculated the credible leak rate at 7.5 gpm. This low leak rate is due to high water purity in RC and CC water, conservatism in tube design supporting tube collapse rather than cracking, and low crack propagation due to external forces tending to close crack. The existing 1989 design was sufficient for isolating the RCP thermal barrier leak, but design enhancements were pursued since manual operator action is required for the credible leak (automatic isolation would occur for leak rates higher than 10 gpm). The event would not be classified an interfacing system LOCA (ISLOCA) since the CC system would be isolated from the RCS, and all isolation would occur within the containment. More appropriately, the event would be classified a very small break LOCA (based upon the 7.5 gpm credible leak) with a frequency well below the Surry and North Anna IPE S2 frequency of 2.1 E-2/yr.
STATUS: Additional information can be found in a 7/9/1990 NRC letter (Serial No. 90-442), and drawings 11448-FM-072A shts 1 through 4. This F&O is CLOSED.

OBSERVATION (ID: IE-8), Element IE, Subelement 11

OBSERVATION Detail: The FMEA portion of the Initiating Events notebook (page 12 of 28) states that screen wash pumps do not have to operate during an accident. The implication is that because of this there is no need to consider the screen wash system further. However, clogged screens can cause plant trips, and this failure mechanism should be considered in the development of initiating event frequencies. Recent industry events at Salem and Wolf Creek illustrate a plant's susceptibility to clogged intake screens.

POSSIBLE RESOLUTION: Determine the plant's susceptibility to clogged intake screens, and update the initiating event frequency as appropriate.

PLANT RESPONSE OR RESOLUTION: The Surry LOSW IE is actually an evolution of a loss of circ water initiator. We do not currently model this with a fault tree, so there is no specific screen clogging contribution identified for this initiator. Currently, the Surry PRA uses a plant specific Bayesian update of generic industry experience for loss of Circulating Water to evaluate the IE-T6 (Loss of Circulating Water) frequency. The plant specific clogged screen failure event is therefore considered, since it is part of the overall industry and plant-specific experience leading to loss of CW. However, an evaluation has been performed for the S03A model update to establish that the IE frequency used for this event would encompass contributions from events such as clogged intake screens / screen wash faults. Should the model be changed in the future to model this IE with a fault tree, this failure mechanism would be addressed explicitly.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: IE-9), Element IE, Subelement 16 (Also see AS-9, and MU)

OBSERVATION Detail: The reactor core has been upgraded to 2586 MWt. Has the effect of this change been considered on the moderator temperature coefficient/reactivity feedback, particularly for early in a core's life? Also, has the increased decay heat load been considered in the success criteria for decay heat removal?

POSSIBLE RESOLUTION: Ensure that the effects of increased core power have been properly accounted for in the analysis.

PLANT RESPONSE OR RESOLUTION: The effect of the 4.5% core power uprate on the timing of HEPs used in the SPS PRA Model, and on the success criteria of hardware credited in the SPS PRA Model has been evaluated using MAAP 4.0.5. The results of the analysis show that no changes are required to the current success criteria or HEP calculations. The details of the analysis are documented in SPS Notebook SPS-RA.MD.SC.001 Rev 0.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: L2-2), Element L2, Subelement 8 and 10

OBSERVATION Detail: The consequences of operator actions after core damage are not considered in the PSA or the LERF assessment. After core damage has occurred, the control room staff will continue to attempt to implement EOP actions (and now SAMG actions). Considering the EOP actions, only those that prevent core damage (have an impact on the CDF) are modeled in the Level 1 PSA. Several EOP actions that can impact the LERF are:

FR-C.1 actions to depressurize the RCS at the onset of core overheating greatly decreases the probability of a high pressure reactor vessel failure, while significantly increasing: a) the potential for core concrete interactions, and b) the fission product release from RCS to containment (which, in turn, increases the source term for containment failures).

FR-H.1 actions to establish some type of feedwater flow to the SGs increases the chances of SG tube failure due to thermal stresses of cold water being injected onto hot SG tubes, but can also increase the potential for arresting the core damage in-vessel. These two aspects can impact the LERF.

ECA-0.0 actions to start sprays when offsite power is restored. This can prevent overpressure failure of containment, but can also de-inert containment and lead to a hydrogen burn. When combined with the added hydrogen from in-vessel recovery, the hydrogen burn may challenge containment. Also, these operator actions should be substantiated by an HRA analysis to determine the HEP. The plant has also completed implementation of the SAMG. The SAMG contains a set of accident management strategies that would be implemented for each of the core damage accidents. The implementation of some of the strategies has negative consequences that should be addressed.

POSSIBLE RESOLUTION: Include appropriate consideration of EOP (and also SAMG) actions in the PSA models

PLANT RESPONSE OR RESOLUTION: Our Level I model takes into account all human error probabilities due to EOP actions. The human error probabilities based on SAMG actions are not incorporated into our model. According to WOG procedures, once the core temperature reaches 1200 F, the operator leaves the EOPs and enters the SAMGs (control room guideline SACRG-1). Our Level I model was developed independent of the SAMG actions. We recognize that inappropriate SAMG actions may cause negative consequences which may result in greater source term releases to the atmosphere. For this reason a technical support center (TSC) is formed that reviews real time plant parameter data and provides expert guidance to the operation staff during a severe accident condition. Additionally training on the SAMGs is provided every 3 years which includes a discussion of these cautions and recommendations to the operators. The operators are taught to be aware of their plants most dominant accident sequences and the consequences of inadequate actions.

STATUS: The approach taken is consistent with that applied in other PWR PRAs, but this issue will be treated as a recognized source of uncertainty in the LERF model. With this action, this F&O is CLOSED.

OBSERVATION (ID: MU-2), Element MU, Subelement 4

OBSERVATION Detail: The core power has been upgraded. Effects of this change have not been incorporated into the PSA model. Factors that could be affected by the core power upgrade include the moderator temperature coefficient (for ATWS) and the decay heat load (for several accident sequences).

POSSIBLE RESOLUTION: At the next upgrade, evaluate the effects of the core upgrade and incorporate, as appropriate, into the PSA model.

PLANT RESPONSE OR RESOLUTION: See discussion for equivalent F&O IE-09.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: MU-3), Element MU, Subelement 4

OBSERVATION Detail: Requirements for review of operating experience, plant procedures, and plant-controlled documents in support of a PSA update are not detailed in the PSA guidance documents.

POSSIBLE RESOLUTION: Develop additional guidance on the review process requirements, describing which data should be reviewed and how the review should be documented.

PLANT RESPONSE OR RESOLUTION: PRA update guidance was developed, which includes a review of: (1) Technical Specification revisions, (2) station engineering Design Change lists, (3) station procedures, and (4) operating experience. (Nuclear Safety Analysis Manual - Part IV, Chapter J, subsequently superseded by PRA Manual - Part IV, Chapter A). Recent PRA updates (S03A, S05A) provide examples of the process.

STATUS: This F&O is Closed.

OBSERVATION (ID: MU-4), Element MU, Subelement __§__

OBSERVATION Detail: Activities to evaluate the effects on the PSA of changes to equipment failure rates, initiator frequencies, and human error probabilities are minimal.

POSSIBLE RESOLUTION: Revisit initiator frequencies, equipment failure rates, and human error probabilities with each update to determine whether they are still adequately estimated.

PLANT RESPONSE OR RESOLUTION: Both the Surry and North Anna PRA models have been updated to include changes in data. For North Anna and Surry, initiating events were updated as documented in calculations SM-1266 for North Anna and SM-1370 for Surry. Component unavailabilities were updated for both North Anna and Surry as documented in calculations SM-1266 and SM-1308, respectively. The component reliabilities for risk significant pumps and the EDGs were Bayesian updated with plant specific data for Surry as documented in SM-1311. Further, a full data update was performed in 2005 for the MSPI update, as documented in the DA series of PRA notebooks. The HEPs were reviewed and updated as necessary following the PRA self-assessment per RG 1.200 and in response to the subsequent HRA re-peer review comments. Input from Operations personnel at Surry was obtained to provide better estimation of the times associated with the performance of emergency procedures. A PRA update process and schedule addressing data updates has been implemented in the PRA Manual.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: SY-2), Element SY, Subelement 5 (See also AS-5, and MU)

OBSERVATION Detail: The program does not appear to have a formal requirement for incorporating changes based on plant design changes. For example, a later EOP change identifies the time to hot leg recirculation switchover as 9 hours. The model says 16 hours. There is an advantage to identifying operator actions to specific procedure steps. The downside is, procedures change. Thus, the models and documentation need to be updated periodically.

POSSIBLE RESOLUTION: The following suggestions, while directed to the systems analysis element, are actually applicable more broadly, within the context of the overall PSA Maintenance and Update process.

1. Develop a PSA change program that tracks identified changes to procedures, design, etc. Develop a process for incorporating changes into the PSA. NOTE: This does necessarily mean formal review required; notification from the program sponsor (Procedures group, admin, design engineering, etc.) is sufficient for most changes.

2. Consider becoming part of the review cycle for selected changes (e.g., for risk significant system design changes, PSA review is required). This will probably require a change to plant, engineering procedures. There are going to be changes in plant configuration that could significantly affect the PSA. A formal review by the PSA group for selected changes has the potential for saving money (change should not be made in terms of plant risk), minimizing the effects of the change on the PSA and PSA based programs and possibly identifying alternative changes.

PLANT RESPONSE OR RESOLUTION: PRA update guidance was developed, which includes a review of: (1) Technical Specification revisions, (2) station engineering Design Change lists, (3) station procedures, and (4) operating experience. (Nuclear Safety Analysis Manual - Part IV, Chapter J, subsequently superseded by PRA Manual - Part IV, Chapter A). Recent PRA updates (S03A, S05A) provide examples of the process.

STATUS: This F&O is Closed.

OBSERVATION (ID: SY-4), Element SY, Subelement 12

OBSERVATION Detail: The RPS model does not properly identify the required support systems. RPS logic receives power from Class 1E 125V DC buses 1A and 1B. Failure of the DC buses removes power to the RTB shunt trip coils which limits operator action in the control room if reactor trip fails.

POSSIBLE RESOLUTION: 1. Review the RPS system and include DC power dependency.

PLANT RESPONSE OR RESOLUTION: Fault trees RP1 for both Surry and North Anna were revised to include separate logic for RTA and RTB including the input logic signal with recovery. The models also include failure of the trip breaker (RTA/RTB), and RTA/RTB recovery through the shunt trip relay (including failure of 125 VDC, human reliability model, and failure of the shunt trip relay). The models are discussed fully in SM-1151, implemented in the SOA-D PRA models for Surry, and in SM-1292, implemented in the NOA-D PRA models for North Anna.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: SY-5), Element SY, Subelement 5

OBSERVATION Detail: The RPS logic model is incorrect. The fault tree indicates that success of either logic train allows challenge to both reactor trip breakers. Actual design is logic train A sends signal to RTA and logic train B sends signal to RTB.

POSSIBLE RESOLUTION: Correct the logic model.

PLANT RESPONSE OR RESOLUTION: Fault trees RP1 for both Surry and North Anna were revised to include separate logic for RTA and RTB including the input logic signal with recovery. The models also include failure of the trip breaker (RTA/RTB), and RTA/RTB recovery through the shunt trip relay (including failure of 125 VDC, human reliability model, and failure of the shunt trip relay). The models are discussed fully in SM-1151, implemented in the SOA-D PRA models for Surry, and in SM-1292, implemented in the NOA-D PRA models for North Anna.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: SY-11), Element SY, Subelement SY-5

OBSERVATION Detail: Review of HHSI: SM-1162, SPPR 97-018, S2.07.1 (page 7 of 27). System notebook update states 1A and 1C charging pumps are dependent on CCW (for recirculation). What about Unit 2? 1B is not dependent on CCW due to a design change. What about Unit 2? How are unit to unit differences identified and modeled? Dependency table from IPE model wasn't updated in SM-1162 or SM-1165 to account for CCW dependency. Also, success criteria section of system notebook was not updated.

POSSIBLE RESOLUTION: Set up Unit 2 model, or address impact on CDF.

PLANT RESPONSE OR RESOLUTION: Surry charging pumps have seal coolers with a CC cooling dependency that currently has a difference between Units 1 and 2. For Surry Unit 1, the A & C pump seal coolers 1-CH-E-7A/B/E/F require CC cooling, but the B pump seal coolers 1-CH-E-7C/D are isolated (11448-FM-071 B Sh 2). For Surry Unit 2, all A/B/C pump seal coolers 2-CH-E-7A/B/C/D/E/F require CC cooling (11548-FM-071 B Sh 2). Potentially, all Surry charging pumps may be upgraded so that their CHP seal coolers can be isolated, but at this time, only the Surry Unit 1 B pump does not require CC cooling, which explains the difference between Surry Unit 1 and 2 charging pump CC cooling. Update as of S05A model: the dependency on CC has been added to the 1B pump as well, to account for the possibility that cooling might be needed if the pumps were used for high head recirculation with hot sump water. Note: This is a legacy model issue. The current configuration of Surry Power Station is that no charging pump seal coolers are normally isolated. The S007Aa model reflects the current plant configuration.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: TH-2), Element TH, Subelement 8

OBSERVATION Detail: Several HVAC systems are modeled in detail and are well documented. These include ESGR room cooling and the Auxiliary Building Ventilation System, but these are the only ventilation dependencies modeled in the PSA. Some of the systems models provide a one line assumption stating that room cooling is not required, but little if any basis is provided for these assumptions. Based on discussions with the PSA group engineers during this review, it appears that the HVAC requirements were adequately addressed in the modeling process, but the assumptions were not clearly documented, and no process is defined for the determination of the need for room cooling.

POSSIBLE RESOLUTION: Develop more detailed documentation for modeling assumptions regarding HVAC requirements. Provide basis for excluding HVAC dependencies where HVAC is not modeled explicitly. It may be appropriate to include an overview of HVAC issues as part of a dependencies notebook.

PLANT RESPONSE OR RESOLUTION: HVAC dependencies are addressed in the fault trees where needed, and discussions are provided in individual system notebooks (SY.3 series) and the dependency notebook (SY.1). An integrated HVAC dependency document has not been prepared.

Regarding specific dependencies: The charging pumps and the emergency switchgear room already have ventilation dependencies included in the PRA model. The other major components with potential HVAC dependencies were evaluated and found to have a negligible ventilation dependency. Those SSC's are as follows:

Low Head Safety Injection pumps - The LHSI pumps take suction from the cold RWST early during a LOCA. After Recirculation Mode Transfer, the sump water will be cooled by the RSHX's, so that LHSI ventilation is not necessary.

Outside Recirculation Spray pumps - The CS subsystem provides approximately 300 gpm 45°F water from RWST to each ORSP. There is no ceiling in the ORSP rooms. It is not a closed room. Hence, the room ventilation is not necessary.

Emergency Diesel Generators - The EDG's have self-contained cooling systems.

Alternate AC Generator - The AAC DG has a self-contained cooling system.

Auxiliary Feedwater pumps - These pumps take suction from the ECST or a backup system that is at ambient temperature. They are therefore self-cooling and require no HVAC.

Station batteries - The heat load in this room is the batteries themselves and the heat load from the batteries may be ignored.

Turbine building SSC's - The potentially important SSC's in the TB are the MFW and the CN pumps, in case they are needed as a backup to the AFW system. On a reactor trip, the FW heaters no longer function as heaters and both CN and MFW flows are at relatively cold condenser temperatures. The Turbine Building SSC's are therefore self-cooling.

STATUS: This F&O is CLOSED.

There are only 3 Category C F&Os that need to be addressed and they are listed below:

Category C F&Os that Need to be Addressed

F&O DE-1: Develop a system to initiating event dependency matrix to better show the dependencies modeled for each initiator. (PRA Configuration Control Database (PRACC) record 4023)

F&O DE-4: Develop master dependency matrices for front-line to front-line, for support to front-line, and initiator to system dependencies. (PRACC record 4023)

F&O SY-13: Update references that support mission times that are less than 24 hours. (PRACC record 4012)

All three of these involve documentation issues that do not impact the PRA model results and do not affect the technical adequacy of the PRA model. Records have been added in the PRACC database to track the above tasks to completion.

2010 SPS PRA Focused Peer Review

The Surry PRA model underwent a focused peer review in February 2010 using the PRA Peer Review Certification process performed by the Pressurized-Water Reactor Owners Group (PWROG). To determine whether a full scope or focused peer review was necessary, the changes to each of the model elements were reviewed to assess whether the changes involved either of the following:

  • new methodology
  • significant change in the scope or capability

If changes to an element involved either a new methodology or a significant scope or capability change, then the element requires a peer review as required in the ASME PRA standard (RA-Sb-2005). Based on the assessment of the changes to each PRA model element, a peer review was performed on the elements shown below:

Peer Reviewed Elements

Element: IE - Initiating Events
High Level Requirement: Initiating Events Review support system initiator modeling meets SRs IE-C6, C7, C8, C9, and C12.

Element: AS - Accident Sequence
High Level Requirement: Accident Sequence Review upgraded event trees for SBO, RCP Seal, LOCA, SGTR and ATWS meets all HLRs for AS.

Element: HR - Human Reliability Analysis
High Level Requirement: Human Reliability Analysis Review implementation of SPAR-H methodology meets HLR-HR-G.

Element: IF - Internal Flooding
High Level Requirement: Internal Flooding Review internal flooding model meets all HLRs for IF.

Element: QU - Quantification
High Level Requirement: Quantification Review conversion to CAFTA meets HLRs for QU-B, C, and D.

The AS and IF elements required a full review against all of the high level requirements (HLRs). However, changes in the IE, HR and QU elements only required specific HLR verification. The review process included:

  • Review of the PRA model against the technical elements and associated supporting requirements (SRs) - Focus is on meeting capability category II.
  • At the SR level, the review team's judgment was used to assess whether the PRA meets one of the three capability categories for each of the SRs.
  • Evaluation of the PRA model is supported by:
    o NEI 05-04 process,
    o Addendum to ASME/ANS PRA Standard RA-S-2008,
    o SR interpretations from ASME website,
    o NRC clarifications and qualifications as provided in Appendix A of RG 1.200, Rev. 2,
    o Reviewers' experience and knowledge,
    o Consensus with fellow reviewers, and
    o Input and clarifications from the host utility.

The gaps identified during the self-assessment and the ones that remain to be addressed are listed in the table below:

2010 SPS Peer Review Remaining Gaps that Need to be Addressed

Gap 1
Description: For each flood area, identify the potential sources of flooding
NEI Element/ASME SR: IFSO-B1
Current Status / Comment: No documentation on why floods in containment were screened out.
Importance to Application: None. This is judged to be a documentation consideration only and does not affect the technical adequacy of the PRA model or sequences relevant to this application.

Gap 2
Description: The NRC clarification for Cat II says to address jet impingement, humidity, etc. qualitatively using conservative assumptions
NEI Element/ASME SR: IFSN-A6
Current Status / Comment: No documentation discussing how jet impingement, pipe whip, humidity and other types of failures impact plant systems.
Importance to Application: This is judged to be a primarily a documentation consideration only. This issue does not affect sequences relevant to this application.

Gap 3
Description: Document the relative contribution of contributors to LERF
NEI Element/ASME SR: LE-G3
Current Status / Comment: No documentation of LERF contributions for accident sequences.
Importance to Application: None. This is judged to be a documentation consideration only and does not affect the technical adequacy of the PRA model.

Gap 7
Description: Document the system functions and boundaries.
NEI Element/ASME SR: SY-C2
Current Status / Comment: All documentation requirements are considered met except for completion of walkdown checklists.
Importance to Application: None. This is judged to be a documentation consideration only and does not affect the technical adequacy of the PRA model.

Gap 9
Description: Initiating Event Fault Tree Modeling
NEI Element/ASME SR: IE-C10 (see Note 3), IE-C12 (see Note 4)
Current Status / Comment: IE-C10: Not all possible combination of cutsets are captured, IE-C12: No comparison with generic sources for initiating events modeled using fault trees.
Importance to Application: A sensitivity study for this configuration demonstrated that the support system initiators as modeled did not impact the results. Comparison with generic sources and similar plants is expected to render similar results to the IEs compared.

Gap 10
Description: Use of SPAR-H methodology, which does not meet the intent of several SRs in the HR element.
NEI Element/ASME SR: HR-E3, HR-G4, HR-G6, HR-I2, HR-I3, HR-E4, HR-G1, HR-G3, HR-G5
Current Status / Comment: New Human Error Probabilities (HEPS) added to the SPS PRA were based on SPAR-H. The Peer Review identified the SPAR-H methodology is not a consensus model and has some limitations.
Importance to Application: This gap was evaluated by performing a sensitivity study (Sensitivity #1) which multiplies HEPs in the S007Aa model by 10. This sensitivity demonstrates that this issue does not impact the results of this analysis.

Gap 11
Description: Walkdown sheets do not contain all the requested information
NEI Element/ASME SR: IFSO-B2, IFQU-A9
Current Status / Comment: IFSO-B2: Complete the walkdown sheets and verify no impact to IF events. IFQU-A9: Similar to IFSO-B2, need to clearly document the spatial relationship between flood sources and PRA equipment.
Importance to Application: This is judged to be a primarily a documentation consideration only. This issue does not affect sequences relevant to this application.

Notes:

Note 1: Gaps 4, 5, 6 and 8 have been addressed in S007Aa.

Note 2: Gaps 9 through 11 were identified during the 2010 PWROG focused PRA peer review.

Note 3: IE-C10: If fault-tree modeling is used for initiating events, CAPTURE within the initiating event fault tree models all relevant combinations of events involving the annual frequency of one component failure combined with the unavailability (or failure during the repair time of the first component) of other components. Following are the Peer Review comments with applicability response to this proposed change:

F&O: 2-2, 2-3 Assessment: Cat I-III is NOT Met

Basis: A review of SSIE cutsets found that they are not adequate due to:

(1) The cutsets do not include all possible combinations, for example, (a) Train A CCW pump fails-to-run and Train B CC pump fails-to-start is in the cutset, but other failure events that could lead to Train B CCW pump fails-to-start such as AC failure, No Actuation Signal are not included; (b) relief valve failure is not showing up in the cutsets of loss of CCW

Response

Fault tree reviews indicate that these types of basic events are modeled but are truncated out of the final results.

Therefore, this F&O does not impact this analysis.

(2) Cutsets including both PROB-xxxxxB-STDBY (Train B) and PROB-xxxxxA-STDBY (Train A) events may be underestimating the impact

Response

Cutset review indicated that alignment probabilities were not significant to this evaluation

(3) Surry SSIE models do not include passive failures (i.e. pipe breaks affecting only the source system) which are screened from the flooding analysis. These failure modes may be important in the SSIE model. For the CC system the model includes this IE, (%FLOOD-AB-SPRAY-CCP1ABCD SPRAY IN AUX BLDG 2'-0" ELEV IN VICINITY OF CC PUMPS 1-CC-P-1A/B/C/D)

Response

Inclusion of these low probability passive failure modes would not impact the significant accident scenarios because general plant transients are not significant to this application.

Note 4: IE-C12: COMPARE results and EXPLAIN differences in the initiating event analysis with generic data sources to provide a reasonableness check of the results. Following are the Peer Review comments with applicability response to this proposed change:

F&O: 3-4 Assessment: Cat I-III is NOT Met

Basis: Comparison of IE frequencies to industry mean values is performed in SPS PRA Notebook Part III, Volume IE.3, Revision 1, Table 2-4 by comparing 7 modeled Initiating Events with 5 other unit results and to NUREG/CR-5750. The remaining 12 Initiating Events (with Fault Trees) are not compared. Other Initiating Events are not compared.

Response

This is primarily a documentation concern. The Loss of SW IE was compared to the standard and the industry and was demonstrated to be reasonable. The SPS Loss of SW IE is unique due to the gravity feed configuration. The comparison of the modeled IEs demonstrated that the Surry frequencies were within the range of the standard and similar plants. The IEs that were not compared are expected to have similar results.

The following F&Os from the 2010 SPS PRA Focused Peer Review are considered closed:

2010 SPS Peer Review Closed F&Os

F&O: 1-10

Description: Mission time for TDAFW during a SBO is 24 hours, which is conservative.

Comment: The turbine driven AFW pump logic used under gate U1-SGC-BO is based on a 24 hour mission time. This may be somewhat conservative since the turbine driven pump is only credited for 4 hours in SBO.

Dominion Response: The modeling of the TDAFW pump failure to run with a mission time of 24 hours instead of 4 hours is conservative. The basic approach taken for adding different running failure basic events with different mission times is that if the 24 hour mission time basic event has a high risk importance, then a new basic event with a mission time for the sequence would be developed. Since the importance of the TDAFW running failure basic events is not significant, a separate basic event was not added.

Status: This F&O question is considered Closed.

F&O: 3-5

Description: Consider adding some recovery basic events to the fault tree model instead of adding as part of post-quantification processing using QRECOVER.

Comment: Recovery events are added to cutsets based on post-processing with QRECOVER and plant-specific rule file as discussed in SPS HR.3 notebook, Section 2.2, and the QU.1 notebook. Some recovery actions (e.g., REC-FTSCC and REC-FTSBC) should be modeled as HEPs in the FT so all pertinent cutsets are generated and dependency assessed. REC-FTSCC and REC-FTSBC are listed in HR.3 as recovery events; however, they are not utilized in the quantification process. These actions are typically utilized in Initiating Event fault trees in conjunction with auto-start failures. Not modeling these actions may cause cutsets not to be generated, dependencies not evaluated, and overall results impacted.

Dominion Response: The two recovery actions that the reviewer identified as not being in the Surry PRA model but were calculated in the HR.3 model notebook were removed from the model during the transition from the Winnupra model to the Cafta model. Since the standby pumps get an auto-start signal if the running pump fails, these recoveries were AND'd with the failure of the pressure switch. Since these were not showing up in the cutsets, it was determined that credit for the operator recovery would not be included. If these pressure switch failure basic events had a high importance, then adding the recovery credit would be considered.

Status: This F&O question is considered Closed.

F&O: 3-19

Description: Use of SPAR-H for HRA has limited accounting for Performance Shaping Factors

Comment: The plant's approach to analyzing HEPs is more involved than the Category I requirements (it is actually closer to Category II/III), but it does not address all of the PSFs identified for the Category II/III requirements (a limitation of the SPAR-H method); therefore, MET was selected for Category I. While SPAR-H methodology is close to meeting CC II/III, one of the limitations is that the PSFs are limited to the eight chosen. Additionally, each of the eight PSFs should be evaluated for interaction impacts which are not covered by the method.

Dominion Response: Since this F&O relates to using SPAR-H, and F&O 3-18 indicates that SPAR-H method is not a valid method to meet Cat II, then this F&O will be closed out to F&O 3-18.

Status: This F&O question is considered Closed.

F&O: 2-8

Description: QU.2 does not include detailed description of the CDF and LERF cutsets.

Comment: SPS QU.2 Notebook Section 2.3.2 discusses the dominant core damage accident sequences and has a detailed description of the top 5 sequences. Section 2.3.3 discusses the top CDF cutsets but does not document the review of a sample of significant cutsets. It is noted that Section 2.4.2 documents the review of nonsignificant cutsets. SPS QU.2 Notebook documents a review of the top 5 sequences but has no review of a sample of significant cutsets.

Dominion Response: Detailed descriptions of the CDF and LERF cutsets are contained in the worksheets named "Top 100 U1 CDF Cutsets" and "Top 100 U1 LERF Cutsets" in Attachment 3 of the QU.2 notebook.

Status: This F&O question is considered Closed.

2012 SPS PRA Focused Peer Review

A focused scope Peer Review of the SPS PRA model against the requirements of the ASME/ANS PRA standard RA-Sb-2005 and any Clarifications and Qualifications provided in the NRC endorsement of the Standard contained in Revision 2 to RG 1.200 was conducted in June, 2012.

In the course of this review, thirty (30) new F&Os were prepared, including twenty-one (21) suggestions, and nine (9) findings. Many of these F&Os involve documentation issues. The 21 suggestions do not affect the technical adequacy of the PRA model and have no impact on the results of this evaluation. The following 9 findings have been evaluated as described in Table 4 below:

Nine Findings from 2012 SPS PRA Focused Peer Review

F&O: 1-2

Element: IE-C6

F&O Details: Scenario 1 in AS.2, Attachment 3, Appendix ISLOCA F is screened even though the event frequency would be greater than 1.0E-06 (calculated as 3.85E-06). This scenario should be reconsidered to ensure the screening is appropriately justified using the criteria specified in IE-C6.

Possible Resolution: Expand the discussion to include the probability of operator failure to secure HHSI and other failure modes that would result in continued HHSI operation given a rupture in the LHSI piping.

Basis of Significance: The calculated impact on CDF is small (<1%), the impact needs to be more fully documented to ensure the screening criteria is met.

Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16415), therefore this gap has no impact on this application.

F&O: 1-6

Element: QU-B7

F&O Details: This guidance does not seem to be technically supported by NUREG/CR-5485 Section 5.4.4 which only supports removal of combinations of two common cause failure events where the combinations include the same pump (e.g., CCF of Pumps A and B in combination with CCF of pumps A and C). Further, NUREG/CR-5485 Section 5.2 notes that NUREG/CR-4780, Volume 1 discusses conditions under which these combinations may be valid (see NUREG/CR-4780, Volume 1, Section 3.3.1).

Possible Resolution: Remove the mutually exclusive logic for common cause failures or modify the logic to ensure only combinations of events including a common component and failure mode (e.g., Component A Independent Failure to Start in combination with CCF of Component A and B to Start) are removed.

Basis of Significance: The impact of the removal of the basic event combinations cannot be estimated based on available information. However, because this process may impact the importance of high safety significant components, it is designated as a finding.

Importance to Application: A bounding sensitivity study evaluating the removal of the mutually exclusive logic for common cause failures results in an increase in the baseline CDF and LERF values (Ref. PRACC 16418). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.

F&O: 1-8

Element: DA-D5

F&O Details: A global assumption is made that staggered testing is applicable to all common cause events (SPS DA.3 Revision 5, Section 2.2.1, Item 1). Typically, some components such as containment isolation valves, HHSI isolation valves, and others may only be tested during the outages. Additional justification for application of the staggered testing assumption to those components tested on an 18 month basis during outages is needed.

Possible Resolution: Provide justification for application of the staggered testing assumption to components tested on an outage frequency including verification that redundant components are tested by different personnel at different times or apply alpha factors based on a non-staggered testing scheme to those components.

Basis of Significance: The alpha factors for components tested on a non-staggered basis are typically higher than those tested on a staggered basis. Therefore, this could be a significant impact on CDF or LERF depending on the specific components affected.

Importance to Application: A bounding sensitivity study changing all CCFs from "staggered basis" to "non-staggered basis" results in an increase in the baseline CDF and LERF values (Ref. PRACC 16419). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.

F&O: 1-10

Element: DA-D6, SY-B3

F&O Details: The AAC diesel is included in a common cause group with the other emergency diesel generators even though SPS notebook SY.3.EP states that "The AAC diesel has a different manufacturer for the generator and the diesel engine and is unique to both units." SPS DA.3 addresses this in an assumption that states that "If SBO diesel is modeled as one of the EDG CCF groups, because of the less similarity between the EDG and SBO diesel, the alpha factor of 3 of 3 EDGs CCF to run may be set as 1.06E-2*0.9 = 9.54E-3 and the alpha factor of AAC diesel and 2 EDGs CCF to run may be set as 1.06E-2*0.1 = 1.06E-3." However, there is no technical basis for the factor of 10 reduction, only a qualitative discussion, yet this is dispositioned as not being a source of uncertainty.

Possible Resolution: There are two approaches that can be considered. The most defensible approach would be to identify all legitimate common elements between the EDGs and the SBO diesel, review the CCFWIN database to exclude diesel failure mechanisms that are not common between the Surry EDGs and the SBO diesel, and calculate the actual alpha factors. The second approach would be to identify that the factor of 10 reduction in the alpha factor is an estimate without a numerical basis, which makes it a plant-specific modeling uncertainty for Surry. Then sensitivity analyses could provide some insight into the importance the assumed factor (0.1, 0.2, 0.5, etc.) would have on the results.

Basis of Significance: The qualitative discussion of not all diesel CCF mechanisms existing between the EDGs and the SBO diesel is legitimate. However, the selection of 0.1 does not have a numerical justification, and could potentially be conservative or non-conservative, and it is not apparent the degree to which it affects the results since no sensitivities were documented. Any modeling assumption that could result in lowering the importance of the EDGs could impact applications such as MSPI.

Importance to Application: A bounding sensitivity study evaluating the common cause group of emergency generators results in an increase in the baseline CDF and LERF values (Ref. PRACC 16420). However, the new increase in baseline CDF/LERF values would not impact the delta CDF/LERF results. Therefore, this gap has no impact on this application.

F&O: 2-2

Element: IE-C3

F&O Details: The issue of ISLOCA flood propagation and steaming effects in the Safeguards Building is not adequately addressed. Section 2.4 of the IE.1 notebook states that flooding/spatial effects need not be considered because an unisolated ISLOCA was assumed to go directly to core damage. However, if there is a successful isolation prior to core damage, there is still a question about the effects of the water/steam that was already leaked. For example, AFW pump operation should be shown not to be impacted, as well as potential effects on the credited isolation valve itself. The PRA staff researched the issue during the peer review and provided information that appears to justify the operability of the isolation valve, but additional analysis is required and needs to be documented.

Possible Resolution: For the successfully isolated ISLOCA sequences, consider potential flood and steam effects from water that leaked out the break prior to isolation. Also, consider the potential for the isolation valve to be failed due to the effects.

Basis of Significance: Flood propagation and steam effects may not be an issue, but it cannot be determined for certain without further evaluation.

Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16421), therefore this gap has no impact on this application.

F&O: 2-3

Element: DA-A2, DA-D6

F&O Details: Regarding component boundaries, Section 3.3.1 of the CCF GARD (NF-AA-PRA-101-2062, Rev. 4) states, "When defining common cause failure events (and utilizing generic data concerning the probability of these events), the analyst must ensure that the component boundaries assumed for common cause failures are consistent with the boundaries used for the independent failures." DOM.DA.1 Rev. 2 states "To ensure consistency between the generic database and the plant specific database, the component boundary needs to be verified. This notebook documents the generic database with component boundaries defined according to NUREG/CR-6928. This generic database shall be applicable to all of the Dominion PRA models." However, Assumption 8 in Section 2.2.1 of SPS DA.3 Rev. 5 states "CCF data boundaries were not compared to the boundaries of DOM DA.1. Generic common cause failure factors were used because no plant specific common cause failures were identified. A review of the generic common cause failures indicates that its boundaries were wider than DOM DA.1 boundaries."

Possible Resolution: Review CCF (and even the independent failure data) for component boundary consistency with the generic data and CCF factors.

Basis of Significance: While it is recognized that modeling extra events (such as diesel generator output breakers when they are part of the diesel component boundary in NUREG/CR-6928) is conservative, for accuracy and compliance with the Dominion GARD and DOM.DA.1 notebook, component boundaries should be consistent with the data.

Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement and as stated in the description adds modeling conservatism (Ref. PRACC 16422), therefore this gap has no impact on this application.

F&O: 2-5

Element: SY-B3, DA-A1

F&O Details: The CCF grouping appears to have been performed properly for pumps and some MOVs examined. However, checks of the Electric Power system model and check valves in SI and FW models show CCF combinations that are missing. In the Electric Power system model, the CCF of buses, inverters, breakers and fuel oil pump strainers (possibly other components as well) were modeled for complete failure of all in the group, but not for smaller numbers. For example, Table 3.8-1 shows 1EETFM-C8-480TFM being comprised of eight transformers. However, failure of a group as small as 2 (e.g., transformer 1H/1J) could be significant, as these transformers feed the 480V buses that power the 1N2A and 1B/28 recirculation spray pumps. While it is acceptable to model CCF of combinations greater than 4 jointly (as is stated in the Section 3.2.2 of the GARD, this means creating a joint probability that sums all the 5/8, 6/8, 7/8 and 8/8 combinations into one), the individual combinations of 2, 3 and 4 still need to be captured.

The other logic reviewed that are missing combinations are seen under gates 1-SI-82, 1-SI-236, 1-FW-27, 1-FW-28, 1-FW-29 and 1-FW-61/1-FW-62.

These instances were identified in a short review of the system models, and the review team is concerned the problem is widespread.

Another item noted is Section 2.3 of the DOM.DA.3 notebook states "The Supply Breakers that feed the Emergency Buses, if there is a loss of off-site power, should be modeled for a common cause failure to open when the Emergency Diesel Generators are required to be running and supplying power to the emergency buses." This was not modeled in the EP fault trees (they would be expected under gates 1-EP-BKR-15H8-FTO and 1-EP-BKR-15J8-FTO-LC, etc.).

Possible Resolution: Perform a thorough review of all system models to identify any missing CCF groups. It is acceptable to treat the combinations greater than 4 failures a single event as long as the combinations are summed and treated as complete system failure. For such cases, it is still necessary to model the combinations of 2, 3 and 4 failures.

Basis of Significance: The missing CCF component groups yields non-conservative and potentially significant results.

Importance to Application: A bounding sensitivity study of additional CCFs results in an increase in the baseline CDF and LERF values (Ref. PRACC 16423). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.

F&O: 2-8

Element: SY-B3, DA-A1

F&O Details: The DOM.DA.3 R3 notebook Section 2.3 states that CCF of air-cooled transformers would not be modeled. There is no mention of this in the EP system notebook. Many of the transformers modeled in the PRA are air-cooled but have CCF modeled. The Surry PRA model would need to be updated to match the assumption in the DOM DA.3 notebook.

Possible Resolution: Update the model to be consistent with the DOM DA.3 guidelines.

Basis of Significance: This is presented as a finding because the PRA staff identified that the assumption in the DA.3 Rev. 3 notebook is correct and the model should be updated.

Importance to Application: There is no impact on CDF or LERF as this is conservative and will be removed from the model (Ref. PRACC 16424); therefore, this gap has no impact on this application.

F&O: 2-9

Element: DA-E3

F&O Details: EPRI generic CCF sources of model uncertainty are tabulated in Table 1 of the SPS DA.3, Rev. 5 notebook. DA-A-2 notes that component boundaries are not consistent with the failure data, but states that this is a consensus model approach and not a source of uncertainty for Surry. This should be considered a source of model uncertainty and/or be corrected.

Missing from the evaluation of sources of model uncertainty are all SPS-specific assumptions, including those tabulated in SPS DA.3 Rev. 5 Section 2.2.

Possible Resolution: Evaluate the plant-specific sources of model uncertainty related to the Surry CCF analysis.

Basis of Significance: Sources of uncertainty specific to the Surry CCF analysis need to be considered.

Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16425), therefore this gap has no impact on this application.

Review of Open Issues against the PRA Model (PRA Configuration Control)

The PRA Configuration Control database (PRACC) was reviewed to determine whether any known modeling issues open against the S007Aa model could impact the results of this analysis. The following open issues were identified from Surry's PRACC database. These issues were addressed either by adjusting the S007Aa PRA model used to perform this risk evaluation, or by performing a sensitivity study to demonstrate that the issue was not significant to this analysis.

PRACC: 1790

Date Identified: 3/8/2004

Description: Evaluate 1(2)CWHEP-LIC-1 (2)06A/B via HRA methods. Current value is selected to be consistent with 1CWHEP-LIC-LVL

Importance to Application: Addressed with HEP sensitivity #1

PRACC: 9486

Date Identified: 10/21/2008

Description: During the 2008 model update, the MAAP runs for the different scenarios were not completed in time before the model change freeze date. Need to update the HEPs in the HR.2 notebook using the times calculated from the MAAP runs.

Importance to Application: Addressed with HEP sensitivity #1

PRACC: 9804

Date Identified: 3/12/2009

Description: The 2-RC-P-1C RCP seal will be replaced with a new Flowserve seal that has low leakage when there's a loss of RCP seal cooling. These seals are similar to the seals used by the Combustion Engineering (CE) plants. Therefore, the RCP seal LOCA model needs to be based on the CE seal LOCA model. WCAP-16175-P-A, RCP Seal Failure Model CE NSSS, documents the seal LOCA model.

New seal package was installed in pump 02-RC-P-1C during the 2009 fall outage 11/18/09.

The operator action to trip the RCPs given failure of RCP Seal Cooling should have the Tsw (time available to perform the action) set to 20 minutes based on the following:

WCAP-16175-P-A Rev 0, Model for Failure of RCP Seals Given Loss of Seal Cooling in CE NSSS Plants NRC SER specifically references RCP seal failure model condition event tree (in Chapter 6 of WCAP-16175-P, Revision 0) for stopping the RCP(s) affected by a LOSC.

WCAP-16175-P-A Section 6.0, RCP Seal Failure Model. The event tree contains a node representing RCP20: RCPs Secured Within 20 Minutes?

Therefore, it can be interpreted the NRC SER approved securing (i.e., tripping) the RCPs within 20 minutes.

This has been agreed upon during discussion with Bill, Luke and Allen.

Note, currently S007Aa does not model this operator action.

Acm 7/22/15

Importance to Application: Addressed with Model change

PRACC: 10931

Date Identified: 1/20/2010

Description: SPS operator actions, HEP-C-CDSGTR (cool down and depressurize RCS after a SGTR) and HEP-C-SGTR (isolate affected SG after a SGTR), are documented as having the same engineering time, Te, of 60 minutes in the SPS HR.2 Notebook. The equivalent operator actions for NAPS, HEP-1E3-13 (cool down and depressurize RCS after a SGTR) and HEP-1E3-3 (isolate affected SG after a SGTR), are documented as having a Te of 75 minutes and 56 minutes, respectively, in the NAPS HR.2 Notebook.

Furthermore, HEP-C-CDSGTR does not have a valid MAAP run available for the basis of the 60 minute Te, and HEP-1E3-13 references older IPE MAAP runs from NAPS and SPS. HEP-1E3-3 also references an IPE MAAP run.

Therefore, new MAAP runs should be run for HEP-C-CDSGTR, HEP-C-SGTR, HEP-1E3-13, and HEP-1E3-3; and adequate documentation of the new MAAP runs should be placed in HR.2 Notebooks.

4/23/2014 This should be considered complete and closed when the model SPS-R06 is released. IPE MAAP runs are no longer used and all necessary MAAP runs are documented in our SC element notebooks to support post HEP required timings.

Importance to Application: Addressed with HEP sensitivity #1

PRACC: 11521

Date Identified: 7/7/2010

Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

In 2002, an operator survey was completed to document timing estimates from operators of various experience levels. The timing results from the survey are used in the HRA for the HEPs. Table 6.1 of HR.2 states "the response times for operator actions may be estimated by procedure talk through or operator surveys. Therefore, this is retained as a source of uncertainty." For the SPAR-H HEPs, time available is based on engineering judgment. The delay (TDelay), action (TM) and response times (T1/2) are conservative estimates based on a table top review of the procedures as well as input from other HEPs of similar actions and events.

For the SPAR-H HEPs recently added to the SPS PRA model, the time available to complete the actions were not based on applicable generic studies (e.g. thermal/hydraulic analysis or simulations from similar plants) but on engineering judgment. In addition, prior HEPs were developed using the results of a 2002 survey and not on thermal/hydraulic analysis.

(This F&O originated from SR HR-G4)

Associated SR(s): HR-G4

Importance to Application: Addressed with HEP sensitivity #1

PRACC: 11522

Date Identified: 7/7/2010

Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

SPS HR.2 does not check the consistency of the post-initiator HEP quantifications. A comparison of previous HEP values with current HEP values is found in the QU.2 notebook supporting files but no relative comparisons are made.

A review of the SPS HEPs relative to each other to check for reasonableness has not been performed.

(This F&O originated from SR HR-G6)

Associated SR(s): HR-G6

Importance to Application: Addressed with HEP sensitivity #1

PRACC: 11523

Date Identified: 7/7/2010

Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

The delay (TDelay), action (TM) and response times (T1/2) are conservative estimates based on a table top review of the procedures as well as input from other HEPs of similar actions and events.

The newly added SPAR-H HEPs based the required time to complete actions on a table top review of the procedures and input from other procedures.

To meet CC II, base the required time to complete the actions (for significant HEPs) on action time measurements in either walkthroughs or talkthroughs of the procedures or simulator observations.

(This F&O originated from SR HR-G5)

Associated SR(s): HR-G5

Importance to Application: Addressed with HEP sensitivity #1

PRACC: 11526

Date Identified: 7/7/2010

Description: ***Cloned from Record 11524***

From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

This F&O contained several different issues. Thus, this PRACC record was cloned so that each issue has its own PRACC record.

Several documentation issues were identified:

3. The SPAR-H HEPs recently added to the SPS PRA model are documented in HR.2. Four HEPs noted in Table A-2 (New HEPs Added) that were evaluated, do not appear in the Fault Tree. One new HEP listed (HEP-CPORTGENRMP) was not analyzed and is also not in the FT. New HEPs added for the recent model update were not necessarily covered by the 2002 survey results. System Analysis notebooks and review of HR.2 does not indicate that simulator observations or talkthroughs with operators were performed.

For the SPAR-H HEPs recently added to the SPS PRA model, the time available to complete the actions were not based on applicable generic studies (e.g. thermal/hydraulic analysis or simulations from similar plants).

(This F&O originated from SR HR-I1)

Associated SR(s): HR-I1, HR-I2

Importance to Application: Addressed with HEP sensitivity #1

PRACC: 11538

Date Identified: 7/8/2010

Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

SPS GARD NF-AA-PRA-101-2052 states in Section 3.5, "the SPAR-H model is not recommended where more detailed analysis of diagnosis errors is needed" and references NUREG/CR-1842 for more information. The NUREG states "This approach results in a somewhat 'generic' answer that is sufficient for some of the broad regulatory applications for which SPAR-H is intended, but perhaps is insufficient for detailed plant-specific evaluations (a limitation)" and also references NUREG-1792. This NUREG states "detailed assessments of the significant HFE contributors should be performed."

The SPAR-H methodology is not a consensus model and seldom used in plant specific utility PRAs. Referenced documents show it should not be used to obtain detailed results. Additionally, it cannot be assumed that conservative results are obtained by SPAR-H as the evaluation of PSFs better than nominal can produce nonconservative values.

(This F&O originated from SR HR-G1)

Associated SR(s): HR-G1

Importance to Application: Addressed with HEP sensitivity #1

PRACC: 11568

Date Identified: 7/13/2010

Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

The analysis uses an "engineering judgment" approach to dependency analysis which considers most "recognized" PSFs. Most of the dependencies are associated with one or two factors, and it is not clear how all of the "recognized" factors affect any single dependency analysis. There is no comparison of the "engineering judgment" based results to results that would be obtained from using other techniques such as the HRA calculator. A comparison of the Surry dependency results with those obtained from using an available dependency calculator produced the same results if only one PSF were considered. Also, differences were obtained when comparing 2- and 3-error combination dependencies.

Newer techniques for analyzing dependency are available. These techniques allow consideration of multiple PSFs during the analysis.

(This F&O originated from SR HR-G7)

Associated SR(s): HR-G7

Importance to Application: Addressed with HEP sensitivity #1

PRACC: 13932

Date Identified: 7/11/2011

Description: Changes RCP seal packages to N-9000 Flowserve. This potentially affects the Loss of Seal Cooling sequences as the RCP seals are modeled.

Importance to Application: Addressed with Model change

PRACC: 16525

Date Identified: 9/7/2012

Description: REACTOR COOLANT PUMP SEAL REPLACEMENT 1-RC-P-1A

Importance to Application: Addressed with Model change

PRACC: 16527

Date Identified: 9/7/2012

Description: REACTOR COOLANT PUMP (RCP) SEAL REPLACEMENT (1-RC-P-1C)

Importance to Application: Addressed with Model change

PRACC: 16674

Date Identified: 12/6/2012

Description: REACTOR COOLANT PUMP (RCP) SEAL REPLACEMENT (2-RC-P-1 B)/S/2

Importance to Application: Addressed with Model change

PRACC: 17079

Date Identified: 3/12/2014

Description: The MAAP parameter file lists parameter MWCSTO (ECST initial water inventory) as 91,137 gal referencing Surry AFW Design Basis Document (SDBD-SPS-AFW) Rev. 13. This value is different in the latest revision of Surry DBD, and the Tech Spec minimum is 96,000 gal. Consider revising parameter MWCSTO.

Also, HHSI pump flow curve (parameters ZHDP5 and WVPM5) references Rev.2 of ME-0771. The latest revision of this calculation is Rev.4 and it provides a slightly different pump curve (see test limit curve). Consider revising the HHSI pump curve per the latest revision of ME-0771.

4/15/2014 per email dtd. 4/1/2014 from CBL NSA's ECST sizing calc SM-1612 seems to indicate that the ECST volume minimum setpoint is set so that the TS min available volume of 96,000 gal is met, accounting for unusable volume due to vortexing and suction nozzle position (page 12).

Importance to Application: Addressed with HEP sensitivity #1

PRACC: 17822

Date Identified: 1/12/2016

Description: HR worksheet for HEP-C-XFERBS describes procedural actions to close feeder breakers for transfer buses. In the SPSR06 model this HEP is and'ed with LOOP initiators including CLOOP and RSST failures (initiators). Closing the feed for transfer bus does not, in and of itself, help the station recover from LOOP or RSST failure.

Therefore this modeling is incorrect.

Importance to Application: Addressed with Model change

PRACC: 17872

Date Identified: 3/10/2016

Description: The SM-1123 calculation used as a basis for the fault tree structure for HEP-C-HVACES for loss of chilled water/ESGR AHUs does not bound all of the initiating events and accident sequences this HEP is applied to. The ESGR heat loads assumed in this calculation are for normal operating, 100% power conditions. Events such as LOCA which require SI have the potential for higher heat loads than what is assumed in SM-1123. Refer SY.2 assumption VS06. If chilled water is unavailable, it is uncertain as to whether the operator actions of O-AP-13.02 are sufficient to prevent failure of ESGR electrical equipment in accident sequences that require SI.

Importance to Application: Addressed with Model change

VIRGINIA ELECTRIC AND POWER COMPANY
RICHMOND, VIRGINIA 23261

May 18, 2016

10 CFR 50.90

U. S. Nuclear Regulatory Commission
Attention: Document Control Desk
Washington, DC 20555-0001

Serial No.: 16-180
SPS/LIC-CGL: RO
Docket Nos.: 50-280/281
License Nos.: DPR-32/37

VIRGINIA ELECTRIC AND POWER COMPANY SURRY POWER STATION UNITS 1 AND 2 PROPOSED LICENSE AMENDMENT REQUEST EXTENSION OF TS 3.14 SERVICE WATER FLOW PATH ALLOWED OUTAGE TIMES AND DELETION OF EXPIRED TEMPORARY SERVICE WATER JUMPER REQUIREMENTS

Pursuant to 10 CFR 50.90, Virginia Electric and Power Company (Dominion) is submitting a license amendment request to revise Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning (AC) subsystem.

TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable. Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change.

This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements have expired and are no longer necessary. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature.

Attachment 1 provides a discussion and assessment of the proposed change, including the results and conclusions from the supporting PRA. The marked-up and proposed pages for the TS and TS Basis are provided in Attachments 2 and 3, respectively. The TS Basis changes are provided for NRC information only. Attachment 4 provides a discussion of the technical adequacy of the PRA model.

We have evaluated the proposed amendment and have determined that it does not involve a significant hazards consideration as defined in 10 CFR 50.92. The basis for this determination is included in Attachment 1. We have also determined that operation with the proposed change will not result in any significant increase in the amount of effluents that may be released offsite or any significant increase in individual or cumulative occupational radiation exposure. Therefore, the proposed amendment is eligible for categorical exclusion from an environmental assessment as set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment is needed in connection with the approval of the proposed change. The proposed TS change has been reviewed and approved by the Facility Safety Review Committee.

Dominion requests approval of the proposed change by May 31, 2017 with a 60-day implementation period.

Should you have any questions or require additional information, please contact Mr. Gary D. Miller at (804) 273-2771.

Respectfully, Mark D. Sartain Vice President - Nuclear Engineering Commitments contained in this letter: None Attachments:

1. Discussion of Change
2. Marked-up Technical Specifications and Basis Pages
3. Proposed Technical Specifications and Basis Pages
4. Technical Adequacy of the Probabilistic Risk Assessment Model

COMMONWEALTH OF VIRGINIA
COUNTY OF HENRICO

The foregoing document was acknowledged before me, in and for the County and Commonwealth aforesaid, today by Mr. Mark D. Sartain, who is Vice President - Nuclear Engineering, of Virginia Electric and Power Company. He has affirmed before me that he is duly authorized to execute and file the foregoing document in behalf of that company, and that the statements in the document are true to the best of his knowledge and belief.

Acknowledged before me this 18th day of May, 2016.

My Commission Expires: 5-31-18.

Notary Public

cc: U.S. Nuclear Regulatory Commission - Region II
Marquis One Tower
245 Peachtree Center Avenue, NE Suite 1200
Atlanta, GA 30303-1257

State Health Commissioner
Virginia Department of Health
James Madison Building - 7th floor
109 Governor Street Suite 730
Richmond, VA 23219

Ms. K. R. Cotton Gross
NRC Project Manager - Surry
U.S. Nuclear Regulatory Commission
One White Flint North
Mail Stop 08 G-9A
11555 Rockville Pike
Rockville, MD 20852-2738

Dr. V. Sreenivas
NRC Project Manager - North Anna
U.S. Nuclear Regulatory Commission
One White Flint North
Mail Stop 08 G-9A
11555 Rockville Pike
Rockville, MD 20852-2738

NRC Senior Resident Inspector
Surry Power Station

Attachment 1

DISCUSSION OF CHANGE

Virginia Electric and Power Company (Dominion)

Surry Station Units 1 and 2

DISCUSSION OF CHANGE

TABLE OF CONTENTS

1.0 Introduction
2.0 Description of Proposed Change
3.0 Technical Evaluation
3.1 Charging Pump Service Water Subsystem and Main Control Room and Emergency Switchgear Room Air Conditioning Subsystem Description
3.2 Evaluation of Extended Allowed Outage Time
3.3 Deletion of Requirements for Temporary Service Water Jumper to Component Cooling Heat Exchangers
4.0 Regulatory Evaluation
4.1 Applicable Regulatory Requirements
4.2 NUREG-1431, Standard Technical Specifications - Westinghouse Plants
4.3 No Significant Hazards Consideration
5.0 Probabilistic Risk Assessment
5.1 Purpose
5.2 Introduction
5.3 Analysis
5.4 Results and Conclusions
6.0 Environmental Assessment
7.0 Conclusion


1.0 INTRODUCTION

The proposed change revises Surry Power Station (Surry) Units 1 and 2 Technical Specification (TS) 3.14, "Circulating and Service Water Systems," to extend the Allowed Outage Time (AOT) for only one operable Service Water (SW) flow path to the Charging Pump SW (CPSW) subsystem and to the Main Control Room/Emergency Switchgear Room (MCR/ESGR) Air Conditioning (AC) subsystem. TS 3.14.A.5 and TS 3.14.A.7 require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable. Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps. The proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.

A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.

The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements were included in the Surry TS to allow cleaning, inspection, repair and recoating of the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. These requirements have expired and are no longer necessary. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The TS 3.14 Basis deletion is provided to the NRC for information.

2.0 DESCRIPTION OF PROPOSED CHANGE

The proposed revision extends the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours.

TS 3.14.C currently states:

C. The requirements of Specifications 3.14.A.5, 3.14.A.6, and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem, the recirculation spray subsystems, and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5, 3.14.A.6, and 3.14.A.7 within 24 hours, the reactor shall be placed in HOT SHUTDOWN. If the requirements of Specifications 3.14.A.5, 3.14.A.6, and 3.14.A.7 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN.

The proposed change revises the Surry TS as follows: 1) TS 3.14.C is revised to extend the CPSW subsystem flow path and the MCR/ESGR AC condensers flow path AOTs from 24 to 72 hours and to relocate the flow path AOT for the Recirculation Spray (RS) subsystems to a new specification, and 2) new TS 3.14.D is created for the existing flow path AOT for the RS subsystems. The flow path AOT in the new TS 3.14.D for the RS subsystems is not being modified. The revised TS 3.14.C and the new TS 3.14.D are proposed as follows:

C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.

D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems. If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.

The proposed revision also deletes the following requirements for the temporary SW jumper to the CCHXs:

1. Unit 1 License Condition U on page 9 of the Unit 1 Operating License
2. Unit 2 License Condition U on page 9 of the Unit 2 Operating License
3. Note B in TS Table 3.7-2 on page TS 3.7-20
4. The footnote associated with TS 3.14.A.2.b on page TS 3.14-1
5. The last paragraph in the TS 3.14 Basis on pages TS 3.14-4 and TS 3.14-4a

3.0 TECHNICAL EVALUATION

3.1 Charging Pump Service Water Subsystem and Main Control Room and Emergency Switchgear Room Air Conditioning Subsystem Description

The Surry Units 1 and 2 Circulating Water (CW) and Service Water (SW) Systems, which are supplied by the James River, are designed for the removal of heat resulting from the operation of various systems and components for both units. The CW System cools the main condenser, and the SW System provides cooling water to the following components:

1. Bearing Cooling (BC) water heat exchangers,
2. Component Cooling (CC) heat exchangers,
3. Recirculation Spray (RS) heat exchangers,
4. Main control room and emergency switchgear room (MCR/ESGR) air conditioning (AC) condensers (chillers), and
5. Charging Pump Service Water (CPSW) subsystem.

The CW and SW Systems' configuration is shown in Figures 1 and 2 (located at the end of Attachment 1). Figure 3 below is provided for illustration purposes and shows the flow paths and components of interest.

The SW flow paths in the Mechanical Equipment Rooms (MERs) support both the CPSW subsystems and the MCR/ESGR AC subsystems. The MER flow paths include several interconnected and redundant trains, gravity fed from the Intake Canal. There are three 8-inch SW supply headers. Each header takes its supply from a 96-inch condenser inlet line, and the connection is upstream of the condenser isolation valves.

The three 8-inch headers supply two 6-inch headers. The 6-inch supply headers are 100% redundant (i.e., one header can supply 100% of the required SW flow).

Since the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem are being modified by the proposed revision, this design description focuses on the CPSW and the MCR/ESGR AC subsystems.

[Figure 3 - SW Supply to the CPSW and the MCR/ESGR AC Subsystems]

CPSW Subsystem Description

A CPSW subsystem for each unit provides water to cool the charging pump intermediate seal coolers and the charging pump lubricating oil coolers. The seal coolers reject their heat to a dedicated closed-loop subsystem of the CC System (i.e., the Charging Pump Component Cooling Water System). Heat from this system and the lube oil coolers is transferred to the CPSW subsystem.

Either of two 100%-capacity CPSW pumps (1-SW-P-10A/10B and 2-SW-P-10A/10B) delivers water from the SW System to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers, thereby maintaining the charging pump lubricating oil and the CC System water used to cool the charging pump mechanical seals at the proper temperature. Each pump has a duplex suction strainer. To ensure that service water is continually available, one CPSW pump is in operation while the other pump is maintained in standby. The standby pump is automatically actuated on low pump discharge pressure to supply SW in the event of failure of the operating pump.

The two redundant 100%-capacity CPSW pumps are located in MER-3 and MER-4 and are separated by seismic, missile-protected, 3-hour fire rated walls, ceiling, and floor.

The SW supply headers are normally cross-connected at the discharge of the strainers.

An automatic actuating fire safe isolation ball valve is installed in the cross-connect piping between the two pump trains. The separation and cross-connect of the two redundant pump trains is designed to meet the requirements in 10 CFR 50 Appendix R.

The installation of two full-capacity CPSW pumps provides 100% redundancy for this cooling water system. The components of the CPSW subsystem, including pumps and heat exchangers are designed to Seismic Class I criteria.

The CPSW pumps are connected to the emergency electrical bus to ensure they will operate in the event of a loss of station power.

Post-accident monitoring requirements for the CPSW subsystem status are satisfied by flow and temperature measurement at the discharge of each CPSW pump. Flow and temperature indications are displayed in the MCR.

MCR/ESGR AC Subsystem Description

The CPSW suction flow paths also supply suction for the A, B, and C MCR/ESGR chiller pumps (1-VS-P-1A/1B/1C) that supply the A, B, and C MCR/ESGR chillers (1-VS-E-4A/4B/4C), which are located in MER-3. Chiller pumps D and E (1-VS-P-1D/1E) that supply the D and E MCR/ESGR chillers (1-VS-E-4D/4E), which are located in MER-5, take suction upstream of the suction (rotating) strainers in MER-3/MER-4 and downstream of a duplex strainer in MER-5.

Significant installed defense-in-depth exists for the chiller pumps and chillers, since there are a total of five MCR/ESGR chillers. As noted above, three chillers are located in MER-3, and two chillers are located in MER-5. This configuration ensures that MCR envelope air handling capacity remains available in the event that both CPSW headers in MER-3 and MER-4 are unavailable. In addition, this arrangement prevents full loss of cooling in the event of a fire in either MER-3 or MER-5. Three of the five chillers are powered from either of two buses, enabling maximum system flexibility in aligning the chillers as required. Additional equipment includes control panels and isolation switches for affected air handling units and cables routed to provide the required separation. The additional equipment is seismically and environmentally qualified, as applicable. Control of the AC system is remote manual from the control room.

3.2 Evaluation of Extended Allowed Outage Time

The CPSW subsystem is a support system for the charging pumps. As discussed in Section 3.1, the design function of the CPSW subsystem is to provide cooling to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers.

The charging pumps provide a charging (i.e., reactor coolant makeup) function during normal plant operation and are also used as High Head Safety Injection (HHSI) pumps to supply borated water to the Reactor Coolant System (RCS) during accident conditions.

Surry TS 3.3, "Safety Injection System," specifies in TS 3.3.A.3 that two Safety Injection (SI) subsystems are required to be operable with the subsystems including one operable HHSI pump. With one SI subsystem inoperable, TS 3.3.B.3 requires restoration of the inoperable subsystem to operable status within 72 hours. The proposed extension of the AOT for the SW flow paths to the CPSW subsystem from 24 to 72 hours brings the support system AOT into alignment with the AOT for the supported component (i.e., Charging/HHSI pump). In addition, the design functions of the CPSW subsystem and the Charging/HHSI pumps are not impacted by the proposed revision.

As shown in Figure 3, the CPSW suction paths also supply suction for the A, B, and C MCR/ESGR chillers. Since the CPSW subsystem and the MCR/ESGR AC subsystem share common piping, it is appropriate for the AOTs for the two subsystems to be the same. The MCR/ESGR AC subsystem is a support system for the A, B, and C MCR/ESGR chillers. TS 3.23, "Main Control Room and Emergency Switchgear Room Air Conditioning System," specifies a 7-day time frame to return an inoperable/not powered as required chiller to operable status in TS 3.23.A.1.c; thus, the proposed 72-hour AOT for the MCR/ESGR AC subsystem is more limiting than the AOT for the supported components (i.e., A, B, and C MCR/ESGR chillers). In addition, the design functions of the MCR/ESGR AC subsystem and the MCR/ESGR chillers are not impacted by the proposed revision.

Leakage in the fiberglass reinforced piping portion of the CPSW and the MCR/ESGR AC subsystems has occurred recently. The current 24-hour AOTs present an unnecessarily limited time frame to facilitate repairs. The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.

3.3 Deletion of Requirements for Temporary Service Water Jumper to Component Cooling Heat Exchangers

The OL conditions and the requirements in TS Table 3.7-2 and TS 3.14 for the temporary SW jumper to the CCHXs were approved by the NRC by TS Amendments 279/279 issued on September 23, 2013. These requirements were included in the Surry TS to allow cleaning, inspection, repair, and recoating in the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature and is appropriate since the requirements have expired and are no longer necessary. The TS 3.14 Basis deletion is provided to the NRC for information.

4.0 REGULATORY EVALUATION

4.1 Applicable Regulatory Requirements

The regulations in Appendix A to Title 10 of the Code of Federal Regulations (10 CFR) Part 50 establish minimum principal design criteria for water-cooled nuclear power plants, while 10 CFR 50 Appendix B and the licensee quality assurance programs establish quality assurance requirements for the design, manufacture, construction, and operation of structures, systems, and components. The current regulatory requirements of 10 CFR 50 Appendix A that are applicable to the CPSW support function for the charging pumps include: General Design Criteria (GDC) 1, 35, 36, and 37. The current regulatory requirement that is applicable to the MCR/ESGR AC function for providing safe conditions in the control room is GDC 19.

During the initial plant licensing of Surry Units 1 and 2, it was demonstrated that the design of the SI Systems met the regulatory requirements in place at that time. The GDC included in Appendix A to 10 CFR 50 did not become effective until May 21, 1971.

The Construction Permits for SPS Units 1 and 2 were issued prior to May 21, 1971; consequently, Surry Units 1 and 2 were not subject to current GDC requirements (SECY-92-223, dated September 18, 1992). The following information demonstrates SPS Units 1 and 2 meet the intent of the GDC published in 1967 (Draft GDC).

Specifically, Section 1.4 of the SPS Units 1 and 2 Updated Final Safety Analysis Report (UFSAR) discusses SPS compliance with these criteria. The draft GDC associated with the Emergency Core Cooling System (ECCS) are addressed below since the CPSW system provides a support function for the charging pumps, which are also used as HHSI pumps to supply borated water to the RCS during accident conditions. The draft criterion associated with the Control Room is also addressed below.

  • Quality Standards (Criterion 1 - draft)

Those systems and components of reactor facilities that are essential to the prevention of accidents which could affect the public health and safety or to the mitigation of their consequences are designed, fabricated, and erected in accordance with quality standards that reflect the importance of the safety function to be performed. Where generally recognized codes or standards on design, materials, fabrication, and inspection are used, they shall be identified. Where adherence to such codes or standards does not suffice to assure a quality product in keeping with the safety function, they shall be supplemented or modified as necessary. A showing of sufficiency and applicability of codes, standards, quality assurance programs, test procedures, and inspection acceptance levels used is required.

Design Conformance

Structures, systems, and components important to safety are designed, fabricated, erected, and tested to quality standards commensurate with the importance of the safety functions to be performed.

The SI System includes features necessary to ensure core cooling and negative reactivity following a limiting event. Approved design codes are used when appropriate to the nuclear application. Vessels comply with Section III of the ASME Code under the specific classification dictated by their use. Piping conforms to the requirements of USAS B31.1.

The Quality Assurance Program was established to provide assurance that safety-related structures, systems, and components satisfactorily perform their intended safety functions.

  • Control Room (Criterion 11 - draft)

The facility shall be provided with a control room from which actions to maintain safe operational status of the plant can be controlled. Adequate radiation protection shall be provided to permit access, even under accident conditions, to equipment in the control room or other areas necessary to shut down and maintain safe control of the facility without radiation exposures of personnel in excess of 10 CFR 20 limits. It shall be possible to shut the reactor down and maintain it in a safe condition if access to the control room is lost due to fire or other causes.

Design Conformance

The control room is located at grade level in the service building. Safety-related switchgear, motor-generator sets, auxiliary instrument areas, battery rooms, and communications equipment are located in the basement of the service building.

Sufficient shielding, distance, and containment integrity are provided to ensure that under postulated accident conditions during occupancy of the control room, control room personnel shall not be subjected to doses that, in the aggregate, would exceed the limits in 10 CFR 50.67. Emergency air-conditioning equipment is provided within the envelope of the shielded control room and associated portions of the basement, collectively called the control and relay room area. The control room is provided with the switchyard control panel, electrical recording panels, dc distribution panels, and a control panel for the operation of the diesel-generator system. The control panels contain those instruments and controls necessary for the operation of station and unit systems such as the reactor and its auxiliary systems, the turbine generator, and the steam and power conversion systems. Loading from the various station electrical distribution boards, such as the start-up boards, shutdown boards, and motor control centers, is accomplished from the station control panels.

The control room is common to the two units and is continuously occupied by qualified operating personnel under all operating and accident conditions. In the event that access to the control room is restricted, either local control stations or the manual operation of critical components within the main control area can be used to affect hot shutdown from outside the control room.

  • Engineered Safety Features Basis for Design (Criterion 37 - draft)

Engineered safety features shall be provided in the facility to back up the safety provided by the core design, the reactor coolant pressure boundary, and their protection systems. As a minimum, such engineered safety features shall be designed to cope with any size reactor coolant pressure boundary break up to and including the circumferential rupture of any pipe in that boundary assuming unobstructed discharge from both ends.

Design Conformance

Engineered safeguards are provided in the facility to back up the safety provided by the design of the core, the reactor coolant pressure boundary, and their protection systems. Engineered safeguards are provided to cope with any size reactor coolant pipe break up to and including the circumferential rupture of any pipe in that boundary and an unobstructed discharge from both ends, and to separately cope with any steam or feedwater line break. Limiting the release of fission products from the reactor fuel is accomplished by the SI System, which, by cooling the core, keeps the fuel in place and substantially intact and significantly limits the metal-water reaction.

  • Reliability and Testability of Engineered Safety Features (Criterion 38 - draft)

All engineered safety features shall be designed to provide high functional reliability and ready testability. In determining the suitability of a facility for a proposed site, the degree of reliance upon and acceptance of the inherent and engineered safety afforded by the systems, including engineered safety features, will be influenced by the known and the demonstrated performance capability and reliability of the systems, and by the extent to which the operability of such systems can be tested and inspected where appropriate during the life of the plant.

Design Conformance

Engineered safeguards are designed to provide such functional reliability and ready testability as is necessary to avoid undue risk to the health and safety of the public.

A comprehensive program of testing has been formulated for equipment, systems, and system controls vital to the functioning of engineered safeguards. The program consists of performance tests of individual pieces of equipment in the manufacturer's shop, integrated tests of the system as a whole, and periodic tests of the activation circuitry and mechanical components to ensure reliable performance, upon demand, throughout the unit lifetime.

Design provisions are made so that components of the SI System can be tested periodically for operability and functional performance.

The engineered safeguards components are checked periodically and routinely. In the event that one of the components requires maintenance as a result of failure to perform according to prescribed limits during the test, the necessary corrections or minor maintenance are accomplished and the component is retested immediately.

  • Engineered Safety Features Performance Capability (Criterion 41 - draft)

Engineered safety features, such as emergency core cooling and containment heat removal systems, shall provide sufficient performance capability to accommodate partial loss of installed capacity and still fulfill the required safety function. As a minimum, each engineered safety feature shall provide this required safety function assuming a failure of a single active component.

Design Conformance

Engineered safeguards, such as the SI System and the containment heat removal system, provide sufficient performance capability to accommodate the failure of any single active component without any undue risk to the health and safety of the public. The overall capability of the engineered safeguards meets the suggested requirements of 10 CFR 50.67 or RG 1.183, as applicable, for the occurrence of any rupture of a reactor coolant or Main Steam System pipe, including the double-ended rupture of a reactor coolant pipe, known as the design-basis accident.

At least two emergency core cooling systems, preferably of different design principles, each with a capability for accomplishing abundant emergency core cooling, shall be provided. Each emergency core cooling system and the core shall be designed to prevent fuel and clad damage that would interfere with the emergency core cooling function and to limit the clad metal-water reaction to negligible amounts for all sizes of breaks in the reactor coolant pressure boundary, including the double-ended rupture of the largest pipe. The performance of each emergency core cooling system shall be evaluated conservatively in each area of uncertainty.

Design Conformance

The SI System employs a passive system of accumulators that do not require any external signals or source of power for their operation to cope with the short-term cooling requirements of a large reactor coolant pipe break. The HHSI and the Low Head SI (LHSI) Systems, each capable of supplying the required emergency cooling, are also provided for small-break protection and to keep the core submerged after the accumulators have discharged following a large break. These systems are arranged so that the single failure of any active component does not interfere with meeting the short-term cooling requirements. The HHSI and LHSI Systems are each capable of fulfilling long-term cooling requirements. The failure of any single active component or the development of excessive leakage during the long-term cooling period does not interfere with the ability to meet necessary long-term cooling objectives with one of the systems.

The primary purpose of the SI System is to automatically deliver cooling water to the reactor core in the event of a LOCA. This limits the fuel clad temperature and thereby ensures that the core remains intact and in place with its essential heat transfer geometry preserved. This protection is afforded for: all pipe break sizes up to and including the hypothetical instantaneous circumferential rupture of a reactor coolant loop, assuming unobstructed discharge from both ends; a loss of coolant associated with the rod ejection accident; and a steam generator tube rupture.

Design provisions shall be made to facilitate physical inspection of all critical parts of the emergency core cooling systems, including reactor vessel internals and water injection nozzles.

Design Conformance

Design provisions are made for the inspection of components of the SI System to the extent practical. An inspection is performed periodically to demonstrate system readiness. The pressure containment boundaries can be inspected for leaks from pump seals, valve packing, flanged joints, and safety valves during system testing.

In addition, critical parts of the reactor vessel internals, injection nozzles, pipes, valves, and SI pumps can be inspected visually or by boroscopic examination for evidence of erosion, corrosion, and vibration wear, and non-destructive tests can be performed where such techniques are desirable, practical, and appropriate.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 1 Page 13 of 36

A capability shall be provided to test periodically the delivery capability of the emergency core cooling systems at a location as close to the core as is practical.

Design Conformance Design provisions include special instrumentation, testing, and sampling lines to perform the tests, and unit shutdown to demonstrate the proper automatic operation of the SI System. A test signal is supplied to initiate automatic action. The test demonstrates the operation of the valves, pump circuit breakers, and automatic circuitry. In addition, other tests are performed periodically to verify that the SI pumps attain required discharge heads.

Quality Assurance Quality assurance criteria provided in 10 CFR Part 50, Appendix B, applicable to the subject systems include: Criteria III, V, XI, XVI, and XVII. Criteria III and V require measures to ensure that applicable regulatory requirements and the design basis, as defined in 10 CFR 50.2, "Definitions," and as specified in the license application, are correctly translated into controlled specifications, drawings, procedures, and instructions. Criterion XI requires a test program to ensure that the subject systems will perform satisfactorily in service and requires that test results shall be documented and evaluated to ensure that test requirements have been satisfied. Criterion XVI requires measures to ensure that conditions adverse to quality, such as failures, malfunctions, deficiencies, deviations, defective material and equipment, and nonconformances, are promptly identified and corrected, and that significant conditions adverse to quality are documented and reported to management. Criterion XVII requires maintenance of records of activities affecting quality.

4.2 NUREG-1431, Standard Technical Specifications - Westinghouse Plants

The proposed change was compared to similar requirements in TS 3.7.8, Service Water System (SWS) in NUREG-1431, Standard Technical Specifications - Westinghouse Plants. It was determined that the proposed change for the CPSW subsystem is consistent with the 72-hour completion time for restoration of one inoperable SWS train to operable status in NUREG-1431.

require two SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem, respectively, to be operable. Currently, the TS 3.14.C AOT for only one operable CPSW or MCR/ESGR AC flow path is 24 hours. The proposed revision extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps; the proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping.

The proposed increased AOTs for only one operable SW flow path to the CPSW subsystems and to the MCR/ESGR AC subsystems will provide a more reasonable time frame for performing system maintenance and repairs.

A supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.

The proposed change also deletes the Operating License (OL) conditions, TS requirements, and TS 3.14 Basis discussion for the temporary SW jumper to the Component Cooling Heat Exchangers (CCHXs). These requirements were included in the Surry TS to allow cleaning, inspection, repair, and recoating of the SW supply piping to the CCHXs during the Unit 1 2013 and 2015 refueling outages. These requirements have expired and are no longer necessary. Deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The TS 3.14 Basis deletion is provided to the NRC for information.

Dominion has evaluated whether a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of amendment," as discussed below:

1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps; the proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The design function of the CPSW system, which is to provide cooling to the charging pump intermediate seal coolers and the charging pump lubricating oil coolers, is not impacted by the proposed revision, nor is the design function of the Charging/HHSI pumps impacted. Furthermore, the design functions of the MCR/ESGR AC subsystem and the MCR/ESGR chillers are not impacted by the proposed revision. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. The deletion of these temporary requirements is administrative in nature. As a result, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed change create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. The proposed change does not involve a physical alteration of the plant (i.e., no new or different type of equipment will be installed) and does not impact plant operation. Furthermore, the proposed change does not impose any new or different requirements that could initiate an accident. The proposed change does not alter assumptions made in the safety analysis and is consistent with the safety analysis assumptions. Therefore, the proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated.

3. Does the proposed change involve a significant reduction in a margin of safety?

Response: No.

The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The proposed change does not adversely affect any current plant safety margins or the reliability of the equipment assumed in the safety analysis. There are no changes being made to any safety analysis assumptions, safety limits, or limiting safety system settings that would adversely affect plant safety as a result of the proposed change. Furthermore, as noted above, a supporting PRA was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the RG 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours.

In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. The deletion of these temporary requirements is administrative in nature. Therefore, the proposed change does not involve a significant reduction in a margin of safety.

Based on the above, Dominion concludes that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of "no significant hazards consideration" is justified.

5.0 PROBABILISTIC RISK ASSESSMENT

5.1 Purpose

The purpose of this assessment is to utilize the Surry PRA to evaluate the impact on Core Damage Frequency (CDF) and Large, Early Release Frequency (LERF) for the CPSW and MCR/ESGR AC subsystems flow path AOT extensions. Using guidance from RG 1.174 and RG 1.177, this assessment evaluates the risk of changing Surry TS 3.14.C to allow a single service water flow path to be available to the CPSW subsystem and to the MCR/ESGR AC subsystem for up to 72 hours.

5.2 Introduction

The S007Aa PRA model allows analysis of the conditional risk at Surry Power Station when one or more SW flow paths to safety-related loads in the MERs are unavailable, utilizing a detailed probabilistic assessment of risk from internal events and internal flooding hazards at power. This risk evaluation will be supplemented with qualitative insights to assess the fire, seismic, shutdown and other external risks.

RG 1.177 identifies a three-tiered approach for licensees to evaluate the risk associated with proposed TS Configuration Time (CT) changes. Tier 1 is an evaluation of the impact on plant risk of the proposed TS change as expressed by the change in core damage frequency (ΔCDF), the incremental conditional core damage probability (ICCDP), the change in large early release frequency (ΔLERF), and the incremental conditional large early release probability (ICLERP). Tier 2 is an identification of potentially high-risk configurations that could exist if equipment, in addition to that associated with the change, were to be taken out of service simultaneously or other risk-significant operational factors, such as concurrent system or equipment testing, were also involved. The objective of this part of the evaluation is to ensure that appropriate restrictions on dominant risk-significant configurations associated with the change are in place. Tier 3 is the establishment of an overall configuration risk management program (CRMP) to ensure that other potentially lower probability, but nonetheless risk-significant, configurations resulting from maintenance and other operational activities are identified and compensated for.

Figure 3 in Section 3.1 above shows the SW supply to the CPSW and the MCR/ESGR AC subsystems. The SW flow paths in the MERs support both the CPSW subsystems and the MCR/ESGR AC subsystems. The MER flow paths include several interconnected and redundant trains, gravity fed from the Intake Canal. Originating at the Intake Canal, there are three 8-inch SW supply headers. Each header takes its supply from a 96-inch condenser inlet line, and the connection is upstream of the condenser isolation valves. The three 8-inch headers supply two 6-inch headers. The 6-inch supply headers are 100% redundant (i.e., one header can supply 100% of the required SW flow). The SW supply headers are normally cross-connected in MER-3 and MER-4 via the 1-SW-263 valve. This valve is closed during a fire in related equipment areas in accordance with the 10 CFR 50 Appendix R fire protection program.

Two motor operated strainers are normally in service on each of the 6-inch SW supply headers. Each strainer is supplied with a back wash from the discharge of the control room chiller service water pumps. For the following analysis and discussion, SW flow through 1-VS-S-1A is referred to as the "A SW Header" and SW flow through 1-VS-S-1B is referred to as the "B SW Header".

The CPSW system is credited in Surry's PRA as a support system for HHSI. The CPSW system supplies SW flow to the charging pump intermediate seal coolers and lube oil coolers. Heat from the lube oil cooler is transferred to the CPSW subsystem.

The seal coolers reject their heat to a dedicated closed-loop subsystem of the CC System (i.e., the Charging Pump Component Cooling Water System). Heat from this system and the lube oil coolers is transferred to the CPSW subsystem.

Downstream of the 6-inch SW supply headers are two CPSW pump trains for each unit (four total). Each pump train can provide 100% required flow for its unit, so there is 100% redundancy for each unit. The CPSW pump trains can be cross-connected via tie lines that are normally isolated. Hence, the Unit 2 CPSW pumps can be aligned to cool Unit 1 charging pump lube oil coolers and vice versa; this alignment is not automatic and requires local operation. One CPSW pump per unit is normally running and the other is in standby. The standby CPSW pump will auto start on low discharge pressure for the running pump.

The output of either pump can feed the three charging pump lube oil coolers for one unit. The charging pump lube oil cooler outlet control valves are actuated automatically when the charging pump is running. No operator actions are required to start or control CPSW flow to a specific lube oil cooler. The CPSW lube oil cooler discharge flow is directed to the discharge tunnel via a single pipe. The success criterion for the CPSW system to service its required loads is: one CPSW pump available, taking suction from at least one available 6-inch SW header.

Five chillers are installed in the MERs. The condenser water pump for the chillers takes suction from the SW supply line, pumps it through the chiller condenser, and returns it to the CW System. Three chillers (A/B/C) are in MER-3 downstream of the rotating strainers; two chillers (D/E) are in MER-5 upstream of the rotating strainers and downstream of a duplex strainer. These units provide chilled water that circulates through air handlers to remove heat from the atmosphere in the MCR, emergency switchgear rooms, and relay rooms. Air conditioning of these areas prevents electrical equipment from overheating and supports control room habitability during design basis accidents. During normal plant operation one or two chillers may be operating depending on SW temperatures. During an emergency, the 1/2-E-O procedure verifies that one control room chiller is operating, with a results not obtained step to start required equipment within 1 hour in accordance with O-OP-VS-006. The Surry PRA models the ESGR HVAC as a support system for the emergency electrical power systems, 4160 V, 480 V, 125 VAC, and 120 VDC.

In order to satisfy TS 3.14.A.5 and 3.14.A.7, at least two independent SW flow paths must be available to supply MER loads. This risk assessment analyzes conditional risk with only one SW flow path to the MERs.

5.3 Analysis Inputs

The following inputs are used for this assessment:

  • Surry Average Maintenance PRA model S007Aa,
  • CAFTA code suite.

Risk Impact Evaluation The NRC staff has identified a three-tiered approach in RG 1.177 for licensees to evaluate the risk associated with proposed TS Completion Time (CT) changes. The following sections document the three-tiered evaluation for CPSW and MCR/ESGR AC subsystems flow path AOT extensions.

RG 1.177 PRA Quality Evaluation RG 1.177 contains the following discussion of PRA Technical Adequacy:

The technical adequacy of the PRA must be compatible with the safety implications of the TS change being requested and the role that the PRA plays in justifying that change. That is, the more the potential change in risk or the greater the uncertainty in that risk from the requested TS change, or both, the more rigor that must go into ensuring the technical adequacy of the PRA. This applies to Tier 1 (above), and it also applies to Tier 2 and Tier 3 to the extent that a PRA model is used.

Regulatory Guide 1.200 describes one acceptable approach for determining whether the technical adequacy of the PRA, in total or the parts that are used to support an application, is sufficient to provide confidence in the results such that the PRA can be used in regulatory decisionmaking for light-water reactors.

A detailed discussion and evaluation of PRA quality of the S007Aa model with respect to this application is provided in Attachment 4.

RG 1.177 Tier 1 Analysis RG 1.177 contains the following discussion concerning Tier 1 Analysis:

In Tier 1, the licensee should assess the impact of the proposed TS change on CDF, ICCDP, LERF, and ICLERP. To support this assessment, two aspects need to be considered: (1) the validity of the PRA and (2) the PRA insights and findings. The licensee should demonstrate that its PRA is valid for assessing the proposed TS changes and identify the impact of the TS change on plant risk.

TS conditions addressed by CTs are entered infrequently and are temporary by their very nature. However, TS do not typically restrict the frequency of entry into conditions addressed by CTs. Therefore, the following TS acceptance guidelines specific to permanent CT changes are provided for evaluating the risk associated with the revised CT, in addition to those acceptance guidelines given in Regulatory Guide 1.174.

The licensee has demonstrated that the TS CT change has only a small quantitative impact on plant risk. An ICCDP of less than 1.0×10⁻⁶ and an ICLERP of less than 1.0×10⁻⁷ are considered small for a single TS condition entry (Tier 1).

RG 1.174 Acceptance Criteria are as follows:

  • When the calculated increase in CDF is very small, which is taken as being less than 10⁻⁶ per reactor year, the change will be considered regardless of whether there is a calculation of the total CDF (Region III).
  • When the calculated increase in CDF is in the range of 10⁻⁶ per reactor year to 10⁻⁵ per reactor year, applications will be considered only if it can be reasonably shown that the total CDF is less than 10⁻⁴ per reactor year (Region II).
  • Applications that result in increases to CDF above 10⁻⁵ per reactor year (Region I) would not normally be considered.

Acceptance criteria for LERF are structured similarly at an order of magnitude less (1E-7, etc.).

Tier 1 Analysis Assumptions

  • The PRA model S007Aa is valid for performing this assessment.

  • For the purposes of ΔCDF/ΔLERF calculations, this assessment assumes the MER SW headers will accumulate 15 days of unavailable configuration time every year as a result of the proposed change. This is a conservative assumption based on Surry's Operating Experience for CPSW headers and the desired maintenance strategy for Surry.
  • This analysis assumes that if only one SW flow path to MER loads is available, SW is being supplied to the MER SW loads from one CW inlet, to one 8-inch SW supply header, to one 6-inch SW header, through one rotating strainer. This is a conservative assumption.

Tier 1 Analysis Results MER SW header maintenance is explicitly modeled in the average maintenance model S007Aa. Therefore, a ΔCDF and ΔLERF for the proposed change to AOTs for MER SW flow paths to the CPSW subsystem and to the MCR/ESGR AC subsystem may be directly calculated from the model by comparing CDF results with increased unavailability on MER headers (refer to second bulleted assumption). Incremental core damage and large early release probabilities for a single 72-hour period are also calculated. The MER headers supply SW to safety-related loads at both Surry units; therefore, risk at both units is explicitly analyzed. Results are as follows:

Table 1: RG 1.177 Tier 1 Analysis Results

15 Day Header Unavailability | U1 ΔCDF | U2 ΔCDF | RG 1.177 ΔCDF Criteria | U1 ΔLERF | U2 ΔLERF | RG 1.177 ΔLERF Criteria
A SW Header | 9.20E-08 | 1.05E-07 | 1.00E-06 | 3.02E-08 | 4.23E-08 | 1.00E-07
B SW Header | 8.29E-08 | 1.25E-08 | 1.00E-06 | 6.47E-08 | 5.61E-09 | 1.00E-07

Single 72hr TS entry | U1 ICCDP | U2 ICCDP | RG 1.177 ICCDP Criteria | U1 ICLERP | U2 ICLERP | RG 1.177 ICLERP Criteria
A SW Header | 1.84E-08 | 2.09E-08 | 1.00E-06 | 6.03E-09 | 8.46E-09 | 1.00E-07
B SW Header | 1.66E-08 | 2.50E-09 | 1.00E-06 | 1.29E-08 | 1.12E-09 | 1.00E-07

Note: These risk metrics are simultaneously applicable to both TS 3.14.A.5 and TS 3.14.A.7 for CPSW and MCR/ESGR SW supplies, respectively.

The tightest margin to RG 1.177 acceptance criteria is on Unit 1 LERF with "B" SW header out of service for 15 days over one year. Cutsets for these configurations were reviewed and are discussed in detail below.

An engineering GOTHIC calculation establishes that the ESGR does not require chiller operation during the PRA mission time of 24 hours, as long as one of the ESGR air handling units (per unit) is operating, and there is not an initiating event which requires SI, which may have higher heat loads than assumed in this engineering calculation.

During normal operating conditions, a total loss of chilled water can be successfully mitigated by control room evacuation and shutdown from the remote shutdown panels in conjunction with performance of contingency actions of O-AP-13.02 (opening doors, temporary cooling etc.). These actions have been shown by GOTHIC calculations to substantially improve environmental conditions in the ESGR in loss of chilled water events. If SI is required to mitigate an event, then a subsequent loss of chilled water is assumed to fail ESGR HVAC, and no recovery is possible. In these sequences, the loss of ESGR HVAC is modeled as a Station Blackout (SBO).

In a configuration with only one SW flow path available to the MCR/ESGR chillers, accident sequences that require SI to successfully avoid core damage such as SLOCA and SGTR become elevated in the PRA. These sequences involve failure of the in-service SW flow path, upstream of D/E chiller suction in MER 5. Since this flow path is gravity fed, its primary failure mode is via obstruction (plugging). S007Aa has identified that the most probable means of rendering the sole SW flow path unavailable is obstruction of CW intake/traveling water screens at the high level intake structure.

The PRA has assigned a probability of 8E-5 that CW obstruction would occur during the 24-hour mission time following an initiating event. A SGTR event that involves SBO caused by loss of ESGR HVAC is considered a Large Early Release by S007Aa.

In a configuration with one CPSW header isolated, cutsets that involve failure of the second CPSW header become elevated in the PRA. Loss of the second SW header renders HHSI unavailable, which is important to CDF for SLOCA and SGTR sequences.

In SLOCA with HHSI failure, operators must successfully cooldown and depressurize the RCS and then place the RCS on Low Head Recirculation. For SGTR with HHSI failure, isolation of the ruptured SG becomes important to mitigate the event. The dominant failure mode for CPSW flow paths is obstruction of the rotating strainers 1-VS-S-1A/B. Bypass SW flow paths around the rotating strainers are not credited in the PRA model. The S007Aa model assesses the probability that the in-service rotating strainer would fail via plugging during a 24-hour mission time following an initiating event to be approximately 1.5E-4.

Another potential failure mode for the in-service SW header is a loss of power to the in-service rotating strainer. The S007Aa model has a 480V Emergency Power dependency modeled for the rotating strainers 1-VS-S-1A/B. It is assumed that loss of power to a rotating strainer will cause the strainer to become obstructed within the mission time. Bypass SW flow paths around the rotating strainers are not credited in the PRA model. The electric power dependency in the model is creating asymmetric SGTR delta risk results across the two units and two headers. In a configuration with one CPSW header out of service, the model has identified that a catastrophic failure (fault or other de-energization sequence via LOOP) of a single emergency bus could disable HHSI via the in-service rotating strainer and also the SG isolation safety function via 480V EP dependency for SG Isolation MOVs. This is also a significant LERF sequence for this configuration, as SGTR with failure of HHSI and SG isolation is considered Large Early Release in S007Aa.

The following are known conservatisms in this analysis that give very high confidence that the proposed change meets Tier 1 acceptance criteria with high margin:

  • No credit in the PRA model is given for placing a second or third SW header in service in accordance with O-AP-12, Attachment 1. Some SW crosstie flow paths (such as the 2A Header) may be available or recoverable during maintenance configurations where TS 3.14.A.5 and TS 3.14.A.7 are not considered met. These flow paths could be used to bypass an obstructed CW intake.
  • No credit in the PRA model is given for manual operator action to bypass an obstructed rotating strainer by placing the duplex strainer 1-SW-S-10 in service in accordance with O-AP-12.
  • No credit in the PRA model is given for operator action in accordance with the EOPs to cooldown and depressurize the RCS in SGTR scenarios where Auxiliary Feedwater (AFW) is successful but HHSI fails. Human Reliability Analysis for this credit is under development and stations, such as North Anna which is similar to Surry, have this operator action credited with a Human Event Probability (HEP).
  • The S007Aa model includes an electric power dependency for rotating strainers 1-VS-S-1A/B. It is modeled in the internal events PRA that the strainers will become obstructed if not rotating (Probability=1). Actual strainer behavior with no rotation during accident sequences is uncertain. It is unlikely (Probability<1) that the strainer will become obstructed in a 24-hour mission time if not rotating since debris must be present in order for the strainer to become obstructed.

The results of this analysis indicate that the potential increase in core damage risk due to the proposed change is very small and satisfies the Region III criteria of RG 1.177 Tier 1 analysis. [Refer to Table 1, above.]

Shutdown Risk Evaluation In cases where there is no probabilistic shutdown PRA model available for evaluating the risk impact of a proposed change, as is currently the case with the Surry PRA, a qualitative evaluation process may be applied to assess shutdown risk. In general, this approach involves determining whether or not the proposed change affects functions that are credited in OU-AA-200, Shutdown Risk Management, and then considering what impacts the application may have on shutdown defense-in-depth, in particular the following shutdown plant key safety functions: Decay Heat Removal, RCS/Spent Fuel Pool (SFP) Inventory Control, Reactivity Control, Electrical Power, SFP Cooling and Containment Integrity.

The CPSW system supports HHSI pumps, which contributes to the RCS/SFP inventory control and reactivity control shutdown key safety functions. During plant shutdown, the LHSI System provides the primary source for RCS inventory control/make-up. The HHSI System provides additional defense-in-depth for inventory/reactivity control.

Therefore, it is concluded that the proposed change has a very small impact on defense-in-depth for the associated shutdown Key Safety Functions and shutdown risk.

The MCR/ESGR ventilation system does not directly support any of the Shutdown Key safety functions, but it does support control room habitability during a fuel handling accident. The discussion of failure modes in the internal events discussion also applies to shutdown modes; therefore, it is concluded that the proposed change has a very small impact on shutdown risk.

It is concluded that the proposed change has negligible impact on shutdown CDF and LERF.

Internal Fire Hazard Evaluation The Individual Plant Examination for External Events (IPEEE) and the Fire Contingency Action (FCA) procedures are used to evaluate the impact of the AOT change for configurations with only one SW flow path to the CPSW subsystem and the ESGR and MCR chillers on the fire risk since a full-scope fire PRA model has not been developed for Surry. The IPEEE screened out all but four areas as insignificant contributors to the fire CDF. The areas which did not screen out include the Cable Vault and Tunnel (CVT), the Emergency Switchgear Room (ESGR), the Main Control Room (MCR), and the Normal Switchgear Room (NSGR), so these areas are included in the scope of this analysis. A review of the Appendix R Report and the IPEEE shows that a fire in two areas, Mechanical Equipment Room 3 (MER 3) and Mechanical Equipment Room 4 (MER 4), may damage multiple CPSW components and the SW supply to the ESGR and MCR chillers. Unavailability of a SW Header in addition to the fire damage could cause a failure of these subsystems. As a result, MER 3 and MER 4 are included in the scope of this analysis even though they screened out as low risk in the IPEEE.

Although a fire in Mechanical Equipment Room 5 (MER 5) may damage two of the five ESGR and MCR chillers, this area is screened out since additional equipment damage is limited and a LOCA is not expected, so the ESGR and MCR chillers are not required during the PRA mission time as discussed in the internal events analysis. A review of the Appendix R Report indicates that power or control cables for one or more CPSW pumps, Rotating Strainers, or ESGR and MCR chillers may be damaged in each of these areas except the NSGR. Given the defense-in-depth available for these subsystems and the lack of emergency equipment damaged in an NSGR fire, this area is screened out from further evaluation.

An FCA procedure is available for each of the remaining areas to support safe shutdown (SSD) during a limiting fire, which is characterized by the actual or imminent loss of a component that supports the SSD functions monitored in O-AP-48.00. It is assumed that a fire in these areas which does not cause sufficient damage to enter the respective FCA procedure can be characterized as a general transient and is adequately addressed by the internal events analysis.

The impact of the AOT change on the fire risk is dependent on the exact configuration for which the TS is entered. The fire scenarios on which the proposed change is expected to have the most impact are those in which the fire damages one or more components affecting the SW supply to or redundant equipment for the CPSW subsystem or the ESGR and MCR chillers. The TS 3.14.C action statement could be entered for having two of the three 8" SW supply headers unavailable and/or one of the two 6" SW supply headers unavailable. If the maintenance configuration only involves two of the 8" headers, the impact on fire risk from the CPSW subsystem is negligible since the remaining 8" line is not susceptible to fire damage. However, this configuration could result in the SW supply to the MER 5 chillers (4D, 4E) being unavailable, which could lead to a loss of ESGR and MCR chillers if a fire damages the remaining in-service equipment. If the maintenance configuration only involves unavailability of one of the 6" SW headers, fire damage to susceptible components on the opposite 6" SW supply could cause a failure of the entire CPSW subsystem and three of the ESGR and MCR chillers. Unavailability of the two 8" SW headers supplying the MER 5 chillers in addition to unavailability of one 6" SW header would allow fire damage to the available 6" header to result in a loss of all ESGR and MCR chillers. In order to bound the consequences of a fire on various possible maintenance configurations of the SW headers, the following analysis considers the impact of unavailability of a 6" SW Header on the CPSW subsystem, and it considers the impact of unavailability of two 8" SW headers and a 6" SW Header on the ESGR and MCR chiller subsystem.

The IPEEE Quantitative Screening models the Rotating Strainers as mechanical strainers that do not require electrical power, and they are assumed to be unaffected by fire damage. Given a loss of power to the strainer, flow through the strainer is not obstructed unless debris causes plugging within the PRA mission time. As a result of the uncertainty associated with the failure rate due to plugging of the Rotating Strainers following a loss of electrical power, the internal events PRA model conservatively assumes this condition leads to a loss of SW flow through the strainer. If the Rotating Strainers are considered susceptible to fire damage, then damage to a Rotating Strainer concurrent with unavailability of the opposite 6" SW Header would cause a loss of CPSW and failure of three chillers. In order to be consistent with the internal events analysis, this fire analysis will qualitatively investigate the impact of the AOT change on the fire risk conservatively assuming fire damage to the power or control cables for the strainer will result in failure of the SW flow path.

CVTs and ESGRs

Fires in the CVTs and ESGRs cause varying amounts of damage to the CPSW subsystem as described by the Appendix R Report and the IPEEE. The FCA procedures used to achieve SSD for these fire areas include 1-FCA-3.00 and 2-FCA-3.00 for the U1 and U2 CVTs, respectively, and 1-FCA-4.00 and 2-FCA-4.00 for the U1 and U2 ESGRs, respectively. A fire in the U1 CVT may damage the cables for 1-SW-P-10A and 1-VS-S-1A, and a fire in the U2 CVT will not damage any of the CPSW pumps or strainers. A fire in the U1 ESGR may damage the cables for both U1 CPSW pumps, and a fire in the U2 ESGR may damage the cables for both U2 CPSW pumps and 1-VS-S-1B. Fire damage in each of these areas may disable Charging for the fire-affected unit. As a result, the fire strategies rely on the opposite unit to provide Inventory Control to the fire-affected unit through the Charging Cross-Tie (CH-XTIE).

The additional unavailability of a SW Header due to the AOT extension increases the likelihood of losing all Charging to both units during a fire due to CPSW failure. During a U2 CVT fire or U1 ESGR fire with a SW Header unavailable, random failure of the second SW header or the opposite unit CPSW pumps is needed to cause a loss of Charging. During a U1 CVT or U2 ESGR fire, power to one of the Rotating Strainers may be damaged by the fire, which would fail one of the SW Headers. If the opposite SW Header is unavailable, a total loss of CPSW would occur. Since no random failures are required in addition to the fire damage and SW Header unavailability, the fire scenarios in the U1 CVT and U2 ESGR are the most limiting of these areas. However, given the likelihood of the SW Header unavailability, which contributes to these potential CPSW failures, the failure to supply Charging to the fire-affected unit is still dominated by the HEP to establish the CH-XTIE between units.

If the Reactor Coolant System (RCS) remains intact, the accident resembles a transient, and the consequences of losing all Charging are minimal since core heat removal can be achieved using Natural Circulation of the RCS with secondary cooling provided by Auxiliary Feedwater (AFW). These conditions are established by actions taken with the FCA procedures. Spurious operations could affect the High/Low pressure boundary by opening valves and causing a LOCA, but actions taken in the FCA procedures mitigate this potential. RCS integrity is maintained by isolating the Reactor Head Vents, the Pressurizer PORVs, and Letdown. Isolation switches in the Control Room ensure that these valves will not be reopened by the fire. In addition, RCP seal cooling is terminated by isolating seal injection and thermal barrier cooling after the pumps have been tripped. The likelihood of developing an RCP seal LOCA is minimized due to the Flowserve low-leakage seals, and proactive isolation of the RCP seals using manual valves precludes the potential for spurious operations to re-introduce cold water to the hot seals, which would cause catastrophic seal failure due to thermal shock. Alignment of suction sources and a flow path to the steam generators (SGs) for AFW is directed by the FCAs as well and includes AFW cross-tie from the opposite unit, if necessary. The AFW flow path is protected from spurious operations by prepositioning the MOVs and then de-energizing them. In addition, the AFW cross-tie MOVs are located in the opposite unit's Safeguards Building, thus preventing fire damage from affecting the ability to utilize the cross-tie. The fire strategies for these areas address the potential loss of Charging, and the resulting impact of the change in SW Header AOT on the fire risk for these areas is low.

As discussed in the internal events analysis, ESGR and MCR chiller operation within the 24 hour PRA mission time is not required as long as one of the ESGR AHUs per unit is operating or a LOCA has not occurred, although, in the case of ESGR fires, ventilation is not credited for the fire-affected unit. For fires in the U2 CVT and U1 ESGR, at least one chiller will remain available and the 6" SW headers are not affected by the fire. As a result, additional random failures would be required to cause a loss of ESGR and MCR cooling, so the impact of the TS change due to fires in these areas is negligible. A fire in the U1 CVT will not damage any of the chillers, but it may damage 1-VS-S-1A, which would isolate the A 6" SW header supplying CPSW, as well as chillers 4A, 4B, and 4C. If a fire occurred in this area concurrent with maintenance on the B 6" SW Header and the 2A and 2C 8" SW headers supplying the 4D and 4E chillers, then a loss of all five chillers would occur. A fire in the U2 ESGR may damage the normal power and control cables for all five chillers. To account for this potential, chillers 4D and 4E have an alternate power supply (AAC Diesel Generator) and local controls which are aligned using O-FCA-19.00 and allow these chillers to be used during a U2 ESGR fire. However, maintenance on the 2A and 2C 8" SW headers would cause the 4D and 4E chillers to be unavailable, resulting in a loss of all five chillers. The U1 CVT and U2 ESGR are the most limiting of these areas since no random failures are required in addition to the fire and maintenance configuration to cause a loss of all five chillers. In order for a total loss of chillers to cause an SBO due to loss of ESGR HVAC during a fire, either both of the dedicated AHUs must fail or a LOCA must develop.

Combining the frequency of the fire, the probability of the maintenance configuration with only one SW supply line available, and the probabilities of the AHUs failing or a LOCA developing, which is minimized by the fire strategies and low-leakage RCP seals, causes the resulting cutsets to be low risk contributors. Accounting for fire severity and suppression would further reduce the results of these cutsets. Given the low frequency of these failure combinations, the impact of the change in SW Header AOT on the fire risk for these scenarios is low.

The MCR contains control cables for all of the CPSW pumps. There is physical separation between units for the CPSW pump controls in the MCR, and control of each pump can also be transferred to the Appendix R Panel in the ESGR. The fire strategy to achieve SSD during an MCR fire is O-FCA-1.00. If the fire severity necessitates evacuation of the control room, the operators will transfer control of the CPSW pumps to the Appendix R Panel. The Rotating Strainers are locally controlled from the MERs and are unaffected by a fire in the MCR. If one of the SW Headers is unavailable, random failure of the second SW header or all of the CPSW pumps is needed to cause a loss of Charging. The fire strategy for the MCR is very similar to the strategies for the CVTs and ESGRs in that an RCS High/Low pressure boundary is established, allowing Natural Circulation of the RCS to be used, and AFW is aligned to the SGs for secondary cooling. The Reactor Head Vents, the Pressurizer PORVs, and Letdown are isolated from the MCR at the Auxiliary Shutdown Panel (ASP) in the ESGR, and the isolation switches ensure the valves will not reopen due to the fire. The failure of CPSW would cause a loss of RCP seal injection, but thermal barrier cooling may continue to be supplied to the RCP seals. Since RCP seal cooling is not proactively isolated during this fire scenario, RCP seal injection is monitored and the seals are isolated when flow is lost. As a result, the potential for thermal shock of the seals is mitigated, and the likelihood of seal failure remains low. Since the potential for a LOCA is mitigated by actions taken to ensure the integrity of the RCS pressure boundary is maintained and by the low-leakage seals, this accident will most likely resemble a transient. Alignment of suction sources and a flow path to the steam generators (SGs) for AFW is directed by the FCA procedure and includes AFW cross-tie from the opposite unit, if necessary.

The AFW flow path is protected from spurious operations by transferring control of the AFW pumps and discharge MOVs to the ASP. The fire strategy for this scenario addresses the potential loss of Charging, and the resulting impact of the change in SW Header AOT on the fire risk for this scenario is low.

The MCR contains control cables for all of the ESGR and MCR chillers as well. However, isolation switches are available for three of the five chillers, which can be controlled from outside the control room. One ESGR AHU per unit is isolated from the control room as well. Consistent with previous discussion, the chillers are not required within the 24 hour PRA mission time if one ESGR AHU per unit is in operation and a LOCA has not developed. The frequency of fires requiring evacuation of the control room is low given the control room is continuously manned, so detection and suppression of the fires before evacuation is likely. Similar to the ESGR and CVT fire scenarios, the frequency of the fire, the probability of the maintenance configuration with only one SW supply line available, and random failure of the chillers unaffected by the fire are a low frequency combination of failures. The probabilities of the AHUs failing or a LOCA developing in addition to these failures cause the resulting cutsets to be low risk contributors. Given the low frequency of these failure combinations, the impact of the change in SW Header AOT on the fire risk for these scenarios is low.

If the fire is small enough that habitability conditions and extent of equipment damage allow operators to remain in the control room, the FCA procedure for the MCR is not entered and the fire is considered non-limiting. The impact of the SW Header AOT change on this fire scenario is considered bounded by the internal events analysis.

MER 3 and MER 4

These fire areas were included in the scope of the analysis due to the extent of potential damage to the CPSW pumps, Rotating Strainers, and damage to piping supplying the 4A, 4B, and 4C chillers. The FCA procedure used to achieve SSD for both of these fire areas is O-FCA-7.00. In each of these areas, three of the four CPSW pumps and one of the two Rotating Strainers may be damaged. In addition, portions of the 6" SW supply piping are non-metallic and susceptible to fire damage. The FCA procedure relies on the available CPSW pump and strainer to provide Charging Pump Cooling and uses the CPSW pump discharge cross-tie to cool both units' Charging Pumps. Random failure of the fourth CPSW pump would cause a failure of CPSW, but this system failure mode is not impacted by the unavailability of the SW Header. However, if the fire damages the Rotating Strainer or non-metallic piping and the opposite 6" SW Header is unavailable, a loss of CPSW and three chillers would occur. Fire damage to the non-metallic piping during maintenance involving the 2A and 2C 8" SW headers in addition to the opposite 6" SW header would result in a loss of all five ESGR and MCR chillers.

The equipment damaged by a fire in MER 4 is limited and will not cause a fire-induced LOCA. As a result, a loss of Charging or the ESGR and MCR chillers due to a fire in this area during SW Header maintenance is easily mitigated by station procedures and available equipment, and the impact of the AOT change is negligible.

The potential equipment damaged from a fire in MER 3 is more extensive and includes electrical cables for the #3 EDG output breaker, #2 EDG output breaker, and the 2H emergency bus offsite power supply breaker. However, if the damage is limited to this equipment, the loss of Charging due to a fire in this area during SW Header maintenance does not have a significant adverse impact on the fire risk since a fire-induced LOCA will not occur, and shutdown can be achieved using the available station procedures. Fire damage alone to the EDG and 2H bus breakers would fail the EDG output breakers open, preventing the EDGs from supplying the emergency buses, and the 2H bus offsite supply breaker closed, preventing it from opening following a LOOP signal. This damage state would allow both U2 emergency buses to remain energized from offsite power. If offsite power to one of the U2 emergency buses is lost due to fire-induced spurious opening of the 2H bus supply breaker or random failure of either emergency bus, 2-FCA-4.00 is entered. As discussed for the limiting U2 ESGR fire scenario, a loss of all Charging and failure of both Unit 2 emergency buses is adequately addressed by 2-FCA-4.00.

Three of the five ESGR and MCR chillers may be damaged by a fire in MER 3. The MER 5 chillers are unaffected by a fire in this area, but they could be unavailable due to 8" SW header maintenance. Given equipment damage in this area is limited, multiple random failures would be required in addition to SW Header maintenance for this scenario to lead to a loss of ESGR cooling resulting in an SBO. Due to the low frequency of these cutsets, the impact of the SW Header AOT change on the fire risk for these scenarios is negligible.

MER 3 contains non-metallic SW supply piping which is susceptible to fire damage, and a flood propagation path exists between the MER 3 and the ESGRs. In order to mitigate flooding from the failed piping, the SW supply to MER 3 is isolated as directed by the FCA. If isolation of the SW supply fails and the flood propagates to the ESGRs, loss of all Charging would occur as a consequence of the emergency bus failures, so there is no additional impact due to the additional SW Header maintenance. Since the extent of damage due to a fire in MER 3 is limited relative to other areas evaluated and a fire-induced LOCA will not occur, the impact of the SW Header AOT change on the fire risk for this area is low.

Conclusion

The most limiting fire scenarios for this evaluation are those that involve fire-induced failure of a Rotating Strainer, which could cause a total loss of CPSW and three ESGR and MCR chillers if the alternate 6" header is unavailable, and loss of all five chillers if the 8" SW headers supplying MER 5 are also unavailable. The known conservatisms in this analysis include assumed failure of the Rotating Strainers due to fire damage, which are assumed to be unaffected by fire damage in the IPEEE, and lack of credit for the duplex strainer to bypass a plugged Rotating Strainer, which could be aligned using O-AP-12.00 unless the 6" A SW Header is isolated upstream of the Rotating Strainer 1-VS-S-1A. If the IPEEE treatment of the Rotating Strainers is used, the impact on the fire risk is negligible. Based on the review of the significant fire areas, the expected equipment damage, and the fire strategies used to achieve SSD, it is concluded that the consequence of losing CPSW during these scenarios is small, and the likelihood of causing an SBO due to failure of ESGR cooling is low. These insights demonstrate the impact of the SW Header AOT change on the overall fire risk is acceptable and bounded by the internal events analysis.

Seismic Hazard Evaluation

Generic Letter (GL) 88-20 Supplement 4 was issued by the NRC in June 1991. This letter and NUREG-1407 requested each nuclear plant licensee to perform an IPEEE. In a December 1991 letter to the NRC, Surry identified the planned approach to address the IPEEE. For non-seismic external events and fires, the IPEEE effort was completed and a report was submitted to the NRC in December 1997.

Surry was categorized in NUREG-1407 as a focused scope plant. As identified in Surry's December 1991 letter, the Seismic Margins Method (SMM) developed by Electric Power Research Institute (EPRI) with enhancements was selected for Surry. A completion schedule for IPEEE - Seismic was initially provided by Surry in its September 1992 letter to the NRC which also noted that elements of the effort to resolve IPEEE - Seismic, notably plant walkdowns, will be integrated with the resolution of Unresolved Safety Issue (USI) A-46 identified in NRC's Supplement 1 to GL 87-02 of May 1992.

In September 1995, the NRC issued Supplement 5 to GL 88-20. This letter gave further guidance on the basis for selection of components that needed capacity evaluation.

Based on GL 88-20, Supplement 5, Surry submitted a revised approach to NRC in November 1995. This approach, while still retaining the Seismic Probabilistic Risk Assessment (SPRA) methodology and treating Surry as a focused scope plant, identified areas where screening and judgment by experienced and trained engineers would eliminate the need for performing capacity calculations for rugged components, structures, and systems; and require such evaluations only for weaker and critical components. The IPEEE - Seismic program at Surry has been performed in accordance with the SPRA methodology for a focused plant and Surry's stated commitments.

In February 1996, a peer review was conducted to assess the implementation of the IPEEE - Seismic program at Surry. This review included walkdown of about 15% of the items representing all classes of equipment in the Safe Shutdown Equipment List.

Although a few open issues were noted at the time of the review, the reviewer concluded that the Seismic Review Teams involved did an excellent seismic walkdown review at Surry.

In summary, the IPEEE-Seismic program, integrated with the USI A-46 effort, resulted in several plant improvements and design modifications. The SPRA quantification concluded that no severe accident vulnerabilities exist at Surry from a potential seismic event. No other cost beneficial upgrade can be performed to improve the seismic margin and the core damage frequency of the plant.

The Surry Seismic Probability Risk Assessment Pilot Plant Report was reviewed and this proposed change does not impact the conclusions drawn in that report. The following is a discussion of SPRA quantification results from that report.

The dominant Seismic PRA sequence (52%) involves the failure of the turbine building, starting a chain of events that fails SW. Since the power cables to the CW isolation valves run through cable trays in the turbine building, it was assumed that the failure of the steel superstructure would fail the valve cables, even though they are in the concrete portion of the turbine building below ground elevation. Failure of the cables prevents the CW isolation valves from closing, the canal will rapidly drain through the CW lines, SW cooling will be lost, and core damage is assumed. The proposed change does not have an adverse impact on this sequence.

25.7% of SPS seismic risk is associated with seismic-induced SW flooding. This risk is dominated by seismic-induced ruptures of BC heat exchangers. The proposed change does not have an adverse effect on seismic induced flooding sequences.

Seismic induced LOCA, SGTR and MSLB sequences where MER SW supply has a support function make up approximately 2% of seismic core damage risk. Therefore, it is concluded that the proposed change has a negligible impact on seismic risk and is screened from further evaluation.

Other External Hazards Evaluation

The other external hazards, as identified by NUREG/CR-2300 and NUREG/CR-4839, have been taken into consideration. Following the initial screening, seven events were identified as needing more detailed evaluation. These events included aircraft accidents, external flooding, tornado generated missiles and high winds, pipeline accidents, transportation accidents, accidents in nearby industrial or military facilities, and release of chemicals from on-site storage. Since the effects of these external events on Surry Power Station were analyzed as part of NUREG-1150, the analysis performed in the IPEEE used the method and in some cases the results obtained by NUREG/CR-4550. However, in each case the Surry UFSAR information was used to make sure that the results obtained by NUREG/CR-4550 were still valid.

The study concluded that there are no significant external events other than those identified in NUREG-1407. The non-seismic external events of interest, except for aircraft impacts, pipeline accidents and external flooding, were screened out based on the UFSAR information and the results reached by NUREG/CR-4550. The bounding analysis performed for the effects of aircraft impacts and pipeline accidents were based on the methods used by NUREG/CR-4550. The results of these two analyses indicate that the frequency of the events occurring is small. The actual risk from these hazards to the safe operation of the plant would be less than the screening value, because most safety-related equipment is inside Class I structures and is designed to withstand the loads imposed by the external event. The bounding analysis for external flooding considered the worst case occurrence of the 1 hour in 1 square mile probable maximum precipitation (PMP). The consequences of this occurrence were mitigated by implementation of a procedural revision and modification of turbine building roof parapets to reduce roof top accumulation during intense precipitation. Therefore, it can be concluded that non-seismic external events do not pose a significant risk to the safe operation of Surry Power Station.

Based on the above, other External Events have been screened from further evaluation for this proposed change.

RG 1.177 Tier 2: Avoidance of Risk Significant Plant Configurations

RG 1.177 contains the following discussion concerning Tier 2 analysis:

The licensee should provide reasonable assurance that risk-significant plant equipment outage configurations will not occur when specific plant equipment is out of service consistent with the proposed TS change. An effective way to perform such an assessment is to evaluate equipment according to its contribution to plant risk (or safety) while the equipment covered by the proposed CT change is out of service.

Evaluation of such combinations of equipment out of service against the Tier 1 ICCDP and ICLERP acceptance guidelines could be one appropriate method of identifying risk-significant configurations. Once plant equipment is so evaluated, an assessment can be made as to whether certain enhancements to the TS or procedures are needed to avoid risk significant plant configurations. In addition, compensatory actions that can mitigate any corresponding increase in risk (e.g., backup equipment, increased surveillance frequency, or upgraded procedures and training) should be identified and evaluated. Any changes made to the plant design or operating procedures as a result of such a risk evaluation (e.g., required backup equipment, increased surveillance frequency, or upgraded procedures and training required before certain plant system configurations can be entered) should be incorporated into the analyses utilized for TS changes as described under Tier 1 above.

A detailed review of PRA importance metrics (Risk Achievement Worth, Fussell-Vesely) from the Tier 1 PRA Model did not reveal any risk significant maintenance configurations when one MER header is considered unavailable. No enhancements, procedure revisions or compensatory actions are recommended from the Tier 2 evaluation.

RG 1.177 Tier 3: Risk-Informed Plant Configuration Control and Management

The Dominion 10 CFR 50.65(a)(4) program fully satisfies the recommendations of RG 1.177 Tier 3. RG 1.177 Section 2.3 states that:

The licensee should develop a program that ensures that the risk impact of out-of-service equipment is appropriately evaluated prior to performing any maintenance activity. A viable program would be one that is able to uncover risk-significant plant equipment outage configurations in a timely manner during normal plant operation.

The Dominion 10 CFR 50.65(a)(4) program performs PRA analyses of planned maintenance configurations in advance. The MER SW system is included in the 10 CFR 50.65(a)(4) scope and its removal from service is monitored, analyzed, and managed. Configurations that approach or exceed the NUMARC 93-01 risk limits are identified and either avoided or addressed by risk management actions. Emergent configurations are identified and analyzed by the on-shift staff for prompt determination of whether risk management actions are needed. The configuration analysis and risk management processes are fully proceduralized in compliance with the requirements of 10 CFR 50.65(a)(4). Dominion's (a)(4) program is implemented with station procedures WM-AA-300, Work Management, and NF-AA-PRA-370, MRule (a)(4) Risk Monitor Guidance.

To support Dominion's 10 CFR 50.65(a)(4) program, a dedicated PRA model is used to perform configuration risk analysis. The model uses the S007Aa model as a framework with some adjustments to optimize the model for configuration risk calculations. The model allows for quantitative Level 1 and Level 2 (LERF) assessments of internal events and internal floods hazards for at-power configurations. Risk during shutdown configurations and risks due to other hazards are assessed qualitatively. Changes in plant configuration or PRA model features are dispositioned and managed by Dominion's PRA configuration control process. Procedures are in place to ensure that actions are taken as necessary to qualitatively assess configurations outside the scope of the PRA model.

5.4 Results and Conclusions

The increase in risk associated with the proposed change is consistent with the RG 1.174 and RG 1.177 acceptance guidelines for a permanent TS Completion Time change. This evaluation demonstrates that nuclear defense-in-depth will not be significantly impacted by allowing a single SW flow path to be available to the CPSW subsystem and to the MCR/ESGR AC subsystem for up to 72 hours.

6.0 ENVIRONMENTAL ASSESSMENT

The proposed change will revise a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20.

Specifically, the proposed change extends the AOT for only one operable flow path from 24 hours to 72 hours. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs. However, the proposed change does not involve (i) a significant hazards consideration, (ii) a significant change in the types or a significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure.

Accordingly, the proposed change meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed change.

7.0 CONCLUSION

The proposed change extends the AOT for only one operable CPSW or MCR/ESGR AC flow path from 24 hours to 72 hours. The CPSW subsystem is a support system for the Charging/High Head Safety Injection (HHSI) pumps. The proposed CPSW AOT extension aligns the CPSW support system AOT with the AOT for the supported components (i.e., the Charging/HHSI pumps). The proposed MCR/ESGR AC AOT extension revises the AOT to be the same as the CPSW AOT since both subsystems share common piping. The design functions of the CPSW subsystem and the Charging/HHSI pumps, as well as the design functions of the MCR/ESGR AC subsystem and chillers are not impacted by the proposed revision. In addition, the proposed change deletes the now expired and no longer necessary requirements for the temporary SW jumper to the CCHXs; the deletion of the OL conditions, the temporary TS requirements, and the TS 3.14 Basis discussion is administrative in nature. The proposed change does not physically alter plant equipment, does not impact plant operation, and does not affect the safety analyses.

Furthermore, a supporting probabilistic risk assessment (PRA) was performed for the proposed AOT changes. The PRA concluded that the increase in risk associated with the proposed changes is consistent with the Regulatory Guide (RG) 1.174 and RG 1.177 acceptance guidelines for a permanent TS AOT change. This PRA evaluation demonstrates that defense-in-depth will not be significantly impacted by changing the AOTs for only one operable SW flow path to the CPSW subsystem and to the MCR/ESGR AC subsystem from 24 to 72 hours. Furthermore, no enhancements, procedure revisions, or compensatory actions are recommended as a result of the RG 1.177 Tier 2 evaluation.

Therefore, Dominion concludes, based on the considerations discussed herein, that (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Figure 1 - Service Water System Simplified Diagram

Figure 2 - Gravity-supplied Service Water System Loads

Serial No.16-180 Docket Nos. 50-280/281 Attachment 2

MARKED-UP TECHNICAL SPECIFICATIONS AND BASIS PAGES (Basis Changes are for NRC Information Only)

Virginia Electric and Power Company (Dominion)

Surry Station Units 1 and 2

T. (Continued)

16. For the applicable UFSAR Chapter 14 events, Surry 1 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A.

Prior to operating above 2546 MWt (98.4% RP).

If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 1 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:

  • Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
  • Section 14.2.8 - Excessive Load Increase Incident;
  • Section 14.2.10 - Loss of External Electrical Load 4.

FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:

Samuel J. Collins, Director Office of Nuclear Reactor Regulation

Attachment:

Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 1 Renewed License No. DPR-32 Amendment No.-2f9-

09-23-13

T. (Continued)

16. For the applicable UFSAR Chapter 14 events, Surry 2 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A.

Prior to operating above 2546 MWt (98.4% RP).

If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 2 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:

  • Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
  • Section 14.2.8 - Excessive Load Increase Incident;
  • Section 14.2.10 - Loss of External Electrical Load
4. This renewed license is effective as of the date of issuance and shall expire at midnight on January 29, 2033.

FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:

Samuel J. Collins, Director Office of Nuclear Reactor Regulation

Attachment:

Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 2 Renewed License No. DPR-37 Amendment No.

TABLE 3.7-2 (Continued)

ENGINEERED SAFEGUARDS ACTION INSTRUMENT OPERATING CONDITIONS

Functional Unit | Total Number Of Channels | Minimum OPERABLE Channels | Channels To Trip | Permissible Bypass Conditions | Operator Actions

3. AUXILIARY FEEDWATER (continued)
e. Trip of main feedwater pumps - start motor driven pumps | 2/MFW pump | 1/MFW pump | 2-1 each MFW pump | | 24
f. Automatic actuation logic | 2 | 2 | 1 | | 22
4. LOSS OF POWER
a. 4.16 kv emergency bus undervoltage (loss of voltage) | 3/bus | 2/bus | 2/bus | | 26
b. 4.16 kv emergency bus undervoltage (degraded voltage) | 3/bus | 2/bus | 2/bus | | 26
5. NON-ESSENTIAL SERVICE WATER ISOLATION
a. Low intake canal level* | 4 | 3 | 3 | | 20
b. Automatic actuation logic | 2 | 2 | 1 | | 14
6. ENGINEERED SAFEGUARDS ACTUATION INTERLOCKS - Note A
a. Pressurizer pressure, P-11 | 3 | 2 | 2 | | 23
b. Low-low Tavg, P-12 | 3 | 2 | 2 | | 23
c. Reactor trip, P-4 | 2 | 2 | 1 | | 24
7. RECIRCULATION MODE TRANSFER
a. RWST Level - Low-Low* | 4 | 3 | 2 | | 25
b. Automatic Actuation Logic and Actuation Relays | 2 | 2 | 1 | | 14
8. RECIRCULATION SPRAY
a. RWST Level - Low Coincident with High High Containment Pressure* | 4 | 3 | 2 | | 20
b. Automatic Actuation Logic and Actuation Relays | 2 | 2 | 1 | | 14

xc angers is m 1 e m e tripped condition. In this condition, two t t

TS 3.14-1 09-23-13

3.14 CIRCULATING AND SERVICE WATER SYSTEMS

Applicability

Applies to the operational status of the Circulating and Service Water Systems.

Objective

To define those limiting conditions of the Circulating and Service Water Systems necessary to assure safe station operation.

Specification

A. The Reactor Coolant System temperature or pressure of a reactor unit shall not exceed 350°F or 450 psig, respectively, or the reactor shall not be critical unless:

1. The high level intake canal is filled to at least elevation +23.0 feet at the high level intake structure.
2. Unit subsystems, including piping and valves, shall be operable to the extent of being able to establish the following:
a. Flow to and from one bearing cooling water heat exchanger.
b. Flow to and from the component cooling heat exchangers required by Specification 3.13.
3. At least two circulating water pumps are operating or are operable.
4. Three emergency service water pumps are operable; these pumps will service both units simultaneously.

Amendment Nos.

TS 3.14-2 04-02-07

5. Two service water flow paths to the charging pump service water subsystem are OPERABLE.
6. Two service water flow paths to the recirculation spray subsystems are OPERABLE.
7. Two service water flow paths to the main control room and emergency switchgear room air conditioning subsystems are OPERABLE.

B. The requirements of Specification 3.14.A.4 may be modified to allow one Emergency Service Water pump to remain inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place both units in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.

The requirements of 3.14.A.4 may be modified to have two Emergency Service Water pumps OPERABLE with one unit in COLD SHUTDOWN with combined Spent Fuel pit and shutdown unit decay heat loads of 25 million BTU/HR or less.

One of the two remaining pumps may be inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place the operating unit in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.

Amendment Nos.

LBDCR/TSCR 441 - INSERT 1 on pages TS 3.14-2 and TS 3.14-3:

C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.

D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems. If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.

TS 3.14-3 04 02=07 l be p aced m s o Specifications 3.14.A.5, 3.1 are not met within an additional ,% ~

48 c or shall be laced in COLD SHUTDOWN.

Basis

The Circulating and Service Water Systems are designed for the removal of heat resulting from the operation of various systems and components of either or both of the units.

Untreated water, supplied from the James River and stored in the high level intake canal is circulated by gravity through the recirculation spray coolers and the bearing cooling water heat exchangers and to the charging pumps lubricating oil cooler service water pumps which supply service water to the charging pump lube oil coolers.

In addition, the Circulating and Service Water Systems supply cooling water to the component cooling water heat exchangers and to the main control and emergency switchgear rooms air conditioning condensers. The Component Cooling heat exchangers are used during normal plant operations to cool various station components and when in shutdown to remove residual heat from the reactor. Component Cooling is not required on the accident unit during a loss-of-coolant accident. If the loss-of-coolant accident is coincident with a loss of off-site power, the nonaccident unit will be maintained at HOT SHUTDOWN with the ability to reach COLD SHUTDOWN.

The long term Service Water requirement for a loss-of-coolant accident in one unit with simultaneous loss-of-station power and the second unit being brought to HOT SHUTDOWN is greater than 15,000 gpm. Additional Service Water is necessary to bring the nonaccident unit to COLD SHUTDOWN. Three diesel driven Emergency Service Water pumps with a design capacity of 15,000 gpm each, are provided to supply water to the High Level Intake canal during a loss-of-station power incident. Thus, considering the single active failure of one pump, three Emergency Service Water pumps are required to be OPERABLE. The allowed outage time of 7 days provides operational flexibility to allow for repairs up to and including replacement of an Emergency Service Water pump without forcing dual unit outages, yet limits the amount of operating time without the specified number of pumps.

Amendment Nos.

TS 3.14-4 09-23-13

When one Unit is in Cold Shutdown and the heat load from the shutdown unit and spent fuel pool drops to less than 25 million BTU/HR, then one Emergency Service Water pump may be removed from service for the subsequent time that the unit remains in Cold Shutdown due to the reduced residual heat removal and hence component cooling requirements.

A minimum level of +17.2 feet in the High Level Intake canal is required to provide design flow of Service Water through the Recirculation Spray heat exchangers during a loss-of-coolant accident for the first 24 hours. If the water level falls below +23' 6", signals are generated to trip both unit's turbines and to close the nonessential Circulating and Service Water valves. A High Level Intake canal level of +23' 6" ensures actuation prior to canal level falling to elevation +23'. The Circulating Water and Service Water isolation valves which are required to close to conserve Intake Canal inventory are periodically verified to limit total leakage flow out of the Intake Canal. In addition, passive vacuum breakers are installed on the Circulating Water pump discharge lines to assure that a reverse siphon is not continued for canal levels less than +23 feet when Circulating Water pumps are de-energized. The remaining six feet of canal level is provided coincident with ESW pump operation as the required source of Service Water for heat loads following the Design Basis Accident.

facilitate cleaning, inspecting, repairing (as needed), and recoating (as needed) of the ater (SW) supply line to the Component Cooling Heat Exchangers (CC s), a temporary, sa -related, seismic, not fully missile protected SW supply li temporary jumper) will be us as discussed in the temporary footnote to .14.A.2.b. The temporary jumper is requ

  • d since service water is supplied e CCHXs by a single concrete-encased line. To re ve the SW supply I' from service for extended CCHXs is provided in Virgini y's letter Serial No.12-615, dated September 26, 2012. e use of the temporary jumper is on of up to 35 days d
  • g each of the 2013 and 2015 Unit 1 refueling o ordance with the compensatory measures (including a Contin vided in the letter referenced above. The only automatic function in the ply line when Unit 1 is in COLD SHUTDOWN or REFUELING SHUTDOWN is Amendment Nos.~and~ ~ _

TS 3.14-4a 09 23 13 e SW supply motor operated valves, which close on low Intak'::!:e;...>-"_***~*

isolation valve in the tempor established by the Station Abnormal Procedures.

References:

UFSAR Section 9.9 Service Water System
UFSAR Section 10.3.4 Circulating Water System
UFSAR Section 14.5 Loss-of-Coolant Accidents, Including the Design Basis Accident

Amendment Nos.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 3 PROPOSED TECHNICAL SPECIFICATIONS AND BASIS PAGES (Basis Changes are for NRC Information Only)

Virginia Electric and Power Company (Dominion)

Surry Station Units 1 and 2

T. (Continued)

16. For the applicable UFSAR Chapter 14 events, Surry 1 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A.

Prior to operating above 2546 MWt (98.4% RP).

If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 1 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:

  • Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
  • Section 14.2.8 - Excessive Load Increase Incident;
  • Section 14.2.10 - Loss of External Electrical Load

U. Deleted by Amendment No. ____
4. This renewed license is effective as of the date of issuance and shall expire at midnight on May 25, 2032.

FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:

Samuel J. Collins, Director Office of Nuclear Reactor Regulation

Attachment:

Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 1 Renewed License No. DPR-32 Amendment No.

T. (Continued)

16. For the applicable UFSAR Chapter 14 events, Surry 2 will re-analyze the transient consistent with VEPCO's NRC-approved reload design methodology in VEP-FRD-42, Rev. 2.1-A.

Prior to operating above 2546 MWt (98.4% RP).

If NRC review is deemed necessary pursuant to the requirements of 10 CFR 50.59, the accident analyses will be submitted to the NRC for review prior to operation at the uprate power level. These commitments apply to the following Surry 2 UFSAR Chapter 14 DNBR analyses that were analyzed at 2546 MWt consistent with the Statistical DNBR Evaluation Methodology in VEP-NE-2-A:

  • Section 14.2.7 - Excessive Heat Removal due to Feedwater System Malfunctions (Full Power Feedwater Temperature Reduction case only);
  • Section 14.2.8 - Excessive Load Increase Incident;
  • Section 14.2.10 - Loss of External Electrical Load

U. Deleted by Amendment No. ____
4. This renewed license is effective as of the date of issuance and shall expire at midnight on January 29, 2033.

FOR THE NUCLEAR REGULATORY COMMISSION Original signed by:

Samuel J. Collins, Director Office of Nuclear Reactor Regulation

Attachment:

Appendix A, Technical Specifications Date of Issuance: March 20, 2003 Surry - Unit 2 Renewed License No. DPR-37 Amendment No.

TABLE 3.7-2 (Continued)

ENGINEERED SAFEGUARDS ACTION INSTRUMENT OPERATING CONDITIONS

Functional Unit | Total Number Of Channels | Minimum OPERABLE Channels | Channels To Trip | Permissible Bypass Conditions | Operator Actions

3. AUXILIARY FEEDWATER (continued)
e. Trip of main feedwater pumps - start motor driven pumps | 2/MFW pump | 1/MFW pump | 2-1 each MFW pump | | 24
f. Automatic actuation logic | 2 | 2 | 1 | | 22
4. LOSS OF POWER
a. 4.16 kv emergency bus undervoltage (loss of voltage) | 3/bus | 2/bus | 2/bus | | 26
b. 4.16 kv emergency bus undervoltage (degraded voltage) | 3/bus | 2/bus | 2/bus | | 26
5. NON-ESSENTIAL SERVICE WATER ISOLATION
a. Low intake canal level* | 4 | 3 | 3 | | 20
b. Automatic actuation logic | 2 | 2 | 1 | | 14
6. ENGINEERED SAFEGUARDS ACTUATION INTERLOCKS - Note A
a. Pressurizer pressure, P-11 | 3 | 2 | 2 | | 23
b. Low-low Tavg, P-12 | 3 | 2 | 2 | | 23
c. Reactor trip, P-4 | 2 | 2 | 1 | | 24
7. RECIRCULATION MODE TRANSFER
a. RWST Level - Low-Low* | 4 | 3 | 2 | | 25
b. Automatic Actuation Logic and Actuation Relays | 2 | 2 | 1 | | 14
8. RECIRCULATION SPRAY
a. RWST Level - Low Coincident with High High Containment Pressure* | 4 | 3 | 2 | | 20
b. Automatic Actuation Logic and Actuation Relays | 2 | 2 | 1 | | 14

Note A - Engineered Safeguards Actuation Interlocks are described in Table 4.1-A

* There is a Safety Analysis Limit associated with this ESF function. If during calibration the setpoint is found to be conservative with respect to the Setting Limit but outside its predefined calibration tolerance, then the channel shall be brought back to within its predefined calibration tolerance before returning the channel to service. The calibration tolerances are specified in a document controlled under 10 CFR 50.59.

TS 3.14-1

3.14 CIRCULATING AND SERVICE WATER SYSTEMS

Applicability

Applies to the operational status of the Circulating and Service Water Systems.

Objective

To define those limiting conditions of the Circulating and Service Water Systems necessary to assure safe station operation.

Specification

A. The Reactor Coolant System temperature or pressure of a reactor unit shall not exceed 350°F or 450 psig, respectively, or the reactor shall not be critical unless:

1. The high level intake canal is filled to at least elevation +23.0 feet at the high level intake structure.
2. Unit subsystems, including piping and valves, shall be operable to the extent of being able to establish the following:
a. Flow to and from one bearing cooling water heat exchanger.
b. Flow to and from the component cooling heat exchangers required by Specification 3.13.
3. At least two circulating water pumps are operating or are operable.
4. Three emergency service water pumps are operable; these pumps will service both units simultaneously.

Amendment Nos.

TS 3.14-2

5. Two service water flow paths to the charging pump service water subsystem are OPERABLE.
6. Two service water flow paths to the recirculation spray subsystems are OPERABLE.
7. Two service water flow paths to the main control room and emergency switchgear room air conditioning subsystems are OPERABLE.

B. The requirements of Specification 3.14.A.4 may be modified to allow one Emergency Service Water pump to remain inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place both units in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.

The requirements of 3.14.A.4 may be modified to have two Emergency Service Water pumps OPERABLE with one unit in COLD SHUTDOWN with combined Spent Fuel pit and shutdown unit decay heat loads of 25 million BTU/HR or less.

One of the two remaining pumps may be inoperable for a period not to exceed 7 days. If this pump is not OPERABLE in 7 days, then place the operating unit in HOT SHUTDOWN within the next 6 hours and COLD SHUTDOWN within the next 30 hours.

C. The requirements of Specifications 3.14.A.5 and 3.14.A.7 may be modified to allow unit operation with only one OPERABLE flow path to the charging pump service water subsystem and to the main control and emergency switchgear rooms air conditioning condensers. If the affected systems are not restored to the requirements of Specifications 3.14.A.5 and 3.14.A.7 within 72 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specifications 3.14.A.5 and 3.14.A.7 are not satisfied as allowed by this Specification, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.

D. The requirements of Specification 3.14.A.6 may be modified to allow unit operation with only one OPERABLE flow path to the recirculation spray subsystems. If the affected system is not restored to the requirements of Specification 3.14.A.6 within 24 hours, the reactor shall be placed in HOT SHUTDOWN within the next 6 hours. If the requirements of Specification 3.14.A.6 are not met within an additional 48 hours, the reactor shall be placed in COLD SHUTDOWN within the next 30 hours.

Amendment Nos.

TS 3.14-3

Basis

The Circulating and Service Water Systems are designed for the removal of heat resulting from the operation of various systems and components of either or both of the units.

Untreated water, supplied from the James River and stored in the high level intake canal is circulated by gravity through the recirculation spray coolers and the bearing cooling water heat exchangers and to the charging pumps lubricating oil cooler service water pumps which supply service water to the charging pump lube oil coolers.

In addition, the Circulating and Service Water Systems supply cooling water to the component cooling water heat exchangers and to the main control and emergency switchgear rooms air conditioning condensers. The Component Cooling heat exchangers are used during normal plant operations to cool various station components and when in shutdown to remove residual heat from the reactor. Component Cooling is not required on the accident unit during a loss-of-coolant accident. If the loss-of-coolant accident is coincident with a loss of off-site power, the nonaccident unit will be maintained at HOT SHUTDOWN with the ability to reach COLD SHUTDOWN.

The long term Service Water requirement for a loss-of-coolant accident in one unit with simultaneous loss-of-station power and the second unit being brought to HOT SHUTDOWN is greater than 15,000 gpm. Additional Service Water is necessary to bring the nonaccident unit to COLD SHUTDOWN. Three diesel driven Emergency Service Water pumps with a design capacity of 15,000 gpm each, are provided to supply water to the High Level Intake canal during a loss-of-station power incident. Thus, considering the single active failure of one pump, three Emergency Service Water pumps are required to be OPERABLE. The allowed outage time of 7 days provides operational flexibility to allow for repairs up to and including replacement of an Emergency Service Water pump without forcing dual unit outages, yet limits the amount of operating time without the specified number of pumps.

Amendment Nos.

TS 3.14-4

When one Unit is in Cold Shutdown and the heat load from the shutdown unit and spent fuel pool drops to less than 25 million BTU/HR, then one Emergency Service Water pump may be removed from service for the subsequent time that the unit remains in Cold Shutdown due to the reduced residual heat removal and hence component cooling requirements.

A minimum level of +17.2 feet in the High Level Intake canal is required to provide design flow of Service Water through the Recirculation Spray heat exchangers during a loss-of-coolant accident for the first 24 hours. If the water level falls below +23' 6", signals are generated to trip both unit's turbines and to close the nonessential Circulating and Service Water valves. A High Level Intake canal level of +23' 6" ensures actuation prior to canal level falling to elevation +23'. The Circulating Water and Service Water isolation valves which are required to close to conserve Intake Canal inventory are periodically verified to limit total leakage flow out of the Intake Canal. In addition, passive vacuum breakers are installed on the Circulating Water pump discharge lines to assure that a reverse siphon is not continued for canal levels less than +23 feet when Circulating Water pumps are de-energized. The remaining six feet of canal level is provided coincident with ESW pump operation as the required source of Service Water for heat loads following the Design Basis Accident.

References:

UFSAR Section 9.9 Service Water System
UFSAR Section 10.3.4 Circulating Water System
UFSAR Section 14.5 Loss-of-Coolant Accidents, Including the Design Basis Accident

Amendment Nos.

Serial No.16-180 Docket Nos. 50-280/281 Attachment 4 TECHNICAL ADEQUACY OF THE PROBABILISTIC RISK ASSESSMENT MODEL Virginia Electric and Power Company (Dominion)

Surry Station Units 1 and 2

TECHNICAL ADEQUACY OF THE PROBABILISTIC RISK ASSESSMENT (PRA) MODEL

The PRA model used to analyze the risk of the LBDCR/TSCR 441 is referred to as S007Aa. The effective date of this model is September 30, 2009. Surry PRA Model Notebook QU.2, Revision 5, documents the quantification of the PRA model. This is the most recent evaluation of the SPS internal events at-power risk profile. The PRA model is maintained and updated under a PRA configuration control program in accordance with Dominion procedures. Plant changes, including physical and procedural modifications and changes in performance data, are reviewed and the PRA model is updated to reflect such changes periodically by qualified personnel, with independent reviews and approvals.

Summary of the SPS PRA History

The Level 1 and Level 2 SPS PRA analyses were originally developed and submitted to the Nuclear Regulatory Commission (NRC) in 1991 as the Individual Plant Examination (IPE) submittal. The SPS PRA has been updated many times since the original IPE. A summary of the SPS PRA history is as follows:

  • Original IPE (August 1991)
  • Individual Plant Examination External Events (IPEEE) 1991 through 1994
  • 2001 - Data update; update to address more Maintenance Rule issues, address peer review Facts and Observations (F&Os)
  • 2002 - Update RCP seal LOCA model due to installation of high temperature o-rings; added internal flooding, additional changes for Maintenance Rule and Safety Monitor
  • 2004 - Update to address applicable F&Os from North Anna peer review
  • 2005 - Update to include plant changes to reduce turbine building flood risk
  • 2006 - Data update and update to address MSPI requirements
  • 2006 - Update to support ESGR chilled water Tech Spec change; added loss of main control room HVAC and loss of instrument air to the model; added logic from the IPEEE fire and seismic models
  • 2009 - Data update; addressed American Society of Mechanical Engineers (ASME) PRA Standard SRs that were not met; extensive changes throughout the model as the model was converted to CAFTA

  • 2009 - Updated Interfacing Systems LOCA (ISLOCA) initiator frequency, added EDG and AAC diesel fails to load (FTL) basic events, and added rupture failure of the SW expansion joints for the CCW heat exchangers as flood scenarios (current model of record)

The SPS PRA model has benefited from the following technical PRA peer reviews.

1998 NEI PRA Peer Review

The SPS internal events PRA received a formal industry PRA model peer review in 1998. The purpose of the PRA peer review process is to provide a method for establishing the technical quality of a PRA model for the spectrum of potential risk-informed plant licensing applications for which the PRA model may be used. The PRA peer review process used a team composed of industry PRA and system analysts, each with significant expertise in both PRA model development and PRA applications. This team provided both an objective review of the PRA technical elements and a subjective assessment, based on their PRA experience, regarding the acceptability of the PRA elements. The team used a set of checklists as a framework within which to evaluate the scope, comprehensiveness, completeness, and fidelity of the PRA products available. The SPS review team used the "Westinghouse Owner's Group (WOG) Peer Review Process Guidance" as the basis for the review.

The general scope of the PRA peer review included a review of eleven main technical elements, using checklist tables (to cover the elements and sub-elements), for an at-power PRA including internal events, internal flooding, and containment performance, with focus on Large Early Release Frequency (LERF).

The F&Os from the PRA peer review were prioritized into four categories (A through D) based upon importance to the completeness of the model. Categories A and B F&Os are considered significant enough that the technical adequacy of the model may be impacted. Categories C and D are considered minor. Subsequent to the peer review, the model has been updated to address all Category A, B, and D F&Os. Category B items from the 1998 NEI PRA Peer Review (all closed) are listed below:

1998 NEI PRA Peer Review Category B Closed Items

OBSERVATION (ID: AS-2), Element AS, Subelement 5 and 9 (Also MU)

OBSERVATION Detail: The models and analyses are consistent, as best as the reviewers could determine, with the as built plant, and were consistent with plant operating procedures at the time the IPE was completed. However, there is no process in place to identify and incorporate changes in plant operation into the PRA model. This process should also include periodic review of industry standards that may impact the PRA. Some examples of where such a process could impact the model include, the timing for switchover to hot leg recirculation after event initiation (9 hours in the current EOP), and a review of potential impacts on the PSA due to the power uprate program. The focus of this comment is on the lack of process more than any current discrepancies found in the model, and is related to the IPE Maintenance and Update Process elements.

POSSIBLE RESOLUTION: Establish a formal process for identifying changes to plant procedures (EOPs/AOPs), and evaluating the impact of these changes on the PRA model. This process should also include periodic review of industry standards that may affect modeling assumptions and success criteria used in the PRA. The resolution of this comment should be incorporated as an element of the PRA Maintenance and Update Process.

PLANT RESPONSE OR RESOLUTION: PRA update guidance was developed, which includes a review of plant procedures (EOPs), assumptions for components, and system recovery models based upon human actions (Nuclear Safety Analysis Manual - Part IV, Chapter J, subsequently superseded by PRA Manual - Part IV, Chapter A). The current industry guidance suggests a voluntary periodic review of industry standards, which will be considered as resources allow. Recent PRA updates (S03A, S05A) provide examples of the process.

STATUS: This F&O is Closed.

OBSERVATION (ID: AS-8), Element AS, Subelement AS-12

OBSERVATION Detail: The RCP seal LOCA model appears to include an optimistic interpretation of the WOG and NRC models, and does not include a contribution from early seal failure.

POSSIBLE RESOLUTION: Consider an evaluation of the sensitivity of the PRA results to use of a model that includes the possibility of early seal failure. Also evaluate the potential impact on the model due to recent changes to the WOG emergency response guidelines (advising against restoration of seal cooling after a relatively brief cooling loss).

PLANT RESPONSE OR RESOLUTION: An RC pump seal failure model (the so-called Rhodes model) that is acceptable to the NRC for use in PRA was developed and implemented for the T4, T1A and T6 event trees. This model addresses the probability of early seal failure, and does not allow restoration of seal cooling after a relatively brief cooling loss. For Surry, the model is discussed fully in SM-1296, implemented in the SOA-D PRA models. For the S03A model, the T1A (SBO) accident sequence model was revised to be fully consistent with the WOG2000 RCP seal LOCA model, and the T4 and T6 accident sequences models were revised to incorporate simplified logic consistent with the WOG2000 model.

STATUS: The PRA adequately addresses early seal failure contribution, so this F&O is CLOSED. Future model updates are planned to include additional model detail (and remove seal cooling restoration conservatisms) for the seal failure contribution for events other than T1A.

OBSERVATION (ID: DA-6), Element DA, Subelement DA-11

OBSERVATION Detail: The models for the EDGs do include common cause failures of fuel oil system. In general the models do consider common/shared components and support systems explicitly. The models do not appear to include the effects of common maintenance crews or I&C technicians. Specifically, there is no consideration of common cause miscalibration of instrumentation channels.

POSSIBLE RESOLUTION: Update the models to include common cause instrumentation miscalibration. Documentation should at least include a qualitative discussion of the potential impact of common maintenance crews and similar procedures. The documentation should also highlight areas where CCF was not included because of design diversity or other similar considerations.

PLANT RESPONSE OR RESOLUTION: Miscalibration of instrumentation channels is resolved as a human reliability rather than an equipment common cause fault. The HEP fault behaves the same as an equipment CCF, but is quantified on the basis of human error rather than equipment reliability. For North Anna, HEP events are created for the following instrument channels: EDG, 1-LM-PT-100A/B/C/D, MS flow, MS differential pressure, MS low pressure, and pressurizer pressure. The models are discussed fully in SM-1269, implemented in the NOA-D PRA models. For Surry, HEP events are created for the following instrument channels: EDG, 1-LM-PT-100A/B/C/D, MS flow, MS differential pressure, steam generator level, pressurizer pressure, RWST level, intake canal level and RC delta T and TAVE. The models are discussed fully in SM-1310, implemented in the SOA-D PRA models.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: DA-8), Element DA/DE, Subelement DA-12/DE-9

OBSERVATION Detail: (Implementation of NUREG/CR-4780 methodology) Reviewers question the validity of the approach used for defining CCF terms, by adding fail to start and fail to run data variables. Method added value of QD and A, but the events are not consistent (i.e. per-demand and per-hour). Assuming a mission time of one hour and a demand for the device, the terms can be added. But what if:
1. Common cause failure is dominated by running failures, there is no mission time associated with the use of the common cause term - non-conservative result
2. Running failure rate is comparable to start term, but common cause dominated by start terms - overly conservative result.

POSSIBLE RESOLUTION: Reevaluate CCF analysis as described in Surry guidance documents. Fully incorporate NUREG/CR-4780 methods.

PLANT RESPONSE OR RESOLUTION: The common cause fault (CCF) approach is revised to incorporate the following: Alpha-factor model, INEEL data base of CCF events from NUREG/CR-6268, different failure modes (run and demand), and different CCF events based upon population size (e.g., 2 of 3 as well as 3 of 3 CCF events). Guidance for the CCF models was taken from NUREG/CR-5485, which extends the technology developed for NUREG/CR-4780. The models are discussed fully in SM-1309, implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (starting with S03A).

STATUS: This F&O is CLOSED.

OBSERVATION (ID: DA-9), Element DA, Subelement 9

OBSERVATION Detail: The common cause failure probability of valves failing due to plugging is (0.1)(1.25-7 f/hr)(2160 hrs), or about 1E-4. The 0.1 beta factor used for this calculation may be overly conservative. The net result is that many of the top sequences (for the 3-year maintenance case) involve common cause valve plugging terms. It is unusual to have passive equipment failures be so prominent in the dominant cutsets (more prominent than active equipment failures).

POSSIBLE RESOLUTION: Consider the use of a more realistic beta factor in the analysis.

PLANT RESPONSE OR RESOLUTION: The common cause fault (CCF) approach is revised to incorporate the following: Alpha-factor model, INEEL data base of CCF events from NUREG/CR-6268, different failure modes (run and demand), and different CCF events based upon population size (e.g., 2 of 3 as well as 3 of 3 CCF events). Guidance for the CCF models was taken from NUREG/CR-5485, which extends the technology developed for NUREG/CR-4780. The models are discussed fully in SM-1309, implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (starting with S03A).

STATUS: This F&O is CLOSED.

OBSERVATION (ID: DE-3), Element DE, Subelement 8

OBSERVATION Detail: The methods used to determine CCF groups are simplistic. Determination of the set of active components based on 1% contribution to CDF severely limits the number and type of common cause terms used in the model. As an evaluation tool for plant vulnerabilities (i.e., the IPE), it is more than sufficient, but as an evaluation tool for Risk-informed Applications, it is not enough. Events that should be considered include: Breaker fail to operate (Open/Close); Auxiliary Feedwater Pumps (back-leakage); Ventilation fans.

POSSIBLE RESOLUTION: The generic data base development project identifies a large number of common-cause groups. Incorporate these groups or better justify their exclusion.

PLANT RESPONSE OR RESOLUTION: The common cause fault (CCF) approach was revised to incorporate the following: Alpha-factor model, INEEL data base of CCF events from NUREG/CR-6268, different failure modes (run and demand), and different CCF events based upon population size (e.g., 2 of 3 as well as 3 of 3 CCF events). Guidance for the CCF models was taken from NUREG/CR-5485, which extends the technology developed for NUREG/CR-4780. The models are discussed fully in SM-1309, implemented in the SOA-D PRA models for Surry, and in the DA.3 notebook and revisions prepared for subsequent model updates (starting with S03A).

STATUS: This F&O is CLOSED.

OBSERVATION (ID: HR-2), Element HR/DE/SY, Subelements HR-4,7/DE-7/SY

OBSERVATION Detail: Table D.1-1 of Section D.1 of the Surry IPE lists the pre-initiator errors considered in the analysis. The list contains only mispositioning events (valves, blank flanges, etc.). No instrument miscalibration events are contained in the list. The procedure for system analysis (page 19 of 58) indicates that common cause HIs should be modeled for miscalibration of instruments used to initiate systems following an action or in any standby equipment items such as the level instrumentation in storage tanks.

POSSIBLE RESOLUTION: Provide the basis for excluding miscalibration events, or develop appropriate events for inclusion in the next update of the PSA model.

PLANT RESPONSE OR RESOLUTION: Miscalibration of instrumentation channels is resolved as a human reliability rather than an equipment common cause fault. The HEP fault behaves the same as an equipment CCF, but is quantified on the basis of human error rather than equipment reliability. For North Anna, HEP events are created for the following instrument channels: EDG, 1-LM-PT-100A/B/C/D, MS flow, MS differential pressure, MS low pressure, and pressurizer pressure. The models are discussed fully in SM-1269, implemented in the NOA-D PRA models. For Surry, HEP events are created for the following instrument channels: EDG, 1-LM-PT-100A/B/C/D, MS flow, MS differential pressure, steam generator level, pressurizer pressure, RWST level, intake canal level and RC delta T and TAVE. The models are discussed fully in SM-1310, implemented in the SOA-D PRA models.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: HR-4), Element HR, Subelement _jL_

OBSERVATION Detail: HEP development for the IPE model was extensively documented; however, HEPs developed for subsequent updates of the IPE model were not as well documented (and by implication, were not developed in as much detail). For many of the HEPs in subsequent updates, a value of 0.1 was used. It is not clear whether this is a screening value or some other value.

POSSIBLE RESOLUTION: Perform and document development of HEPs that arise from model updates.

PLANT RESPONSE OR RESOLUTION: The HEP events developed since the IPE have received detailed analysis. For North Anna, the models are discussed fully in SM-1269, implemented in the NOA-D PRA models. For Surry, the models are discussed fully in SM-1310, implemented in the SOA-D PRA models, and in the HR-series notebooks developed for the S03A and subsequent updates. This process was also reviewed as part of the HRA re-peer review exercise prior to the RG1.200 review for Surry.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: HR-5), Element HR, Subelement __.l.§_

OBSERVATION Detail: In a sensitivity analysis (SM-1174, Addendum A) to evaluate dependency among HIs contained in cutsets, time between actions was listed as the major factor in establishing independence of the operator actions. In most cases, time (itself) is not an adequate factor, but is a parameter which can be associated with more defensible factors. For example, one cutset contained two HEPs -- one for early SG isolation following a SGTR and one for late SG isolation. The time difference of several hours between the actions was cited as the basis for the actions' independence. Better factors for independence might have been different clues calling for the need to isolate the SG or actuation of the TSC, or additional/new crew for the late isolation. All of these are related to time, but time (itself) is not the factor.

POSSIBLE RESOLUTION: Reevaluate dependence without excessive emphasis on time between actions.

PLANT RESPONSE OR RESOLUTION: The dependency among the HEPs is being evaluated based on the following principles (SM-1310):
1. Functions: If two HEPs are working for two different functions, these two HEPs will be justified as independent HEPs.
2. Steps of procedure: Because operators are trained to follow procedure step by step, on the view of operators, each step is a new and independent instruction. If two HEPs are based on two different steps or two different procedures, even these two HEPs work for the same function, they still may be justified as independent HEPs.
A sensitivity analysis was performed for the S03A model update (and has been incorporated into the PRA quantification process for subsequent updates) to review the cutsets with multiple HEPs and determine if a dependency may exist between the HEPs. Refer to the PRA QU.2 notebooks for further detail. This process was also reviewed as part of the HRA re-peer review exercise prior to the RG1.200 review for Surry.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: IE-3), Element IE, Subelement 13 (Also MU)

OBSERVATION Detail: Initiating event frequencies have not been updated since the IPE submittal in 1991. As a result, recent industry information and operating experience have not been incorporated into the initiating events analysis. This information could alter the initiating event frequencies currently contained in the model. For example:
  • Two plants (Salem and Wolf Creek) have experienced losses of circulating and service water that resulted in plant trips.
  • One plant (Oconee) has experienced a small break LOCA (thermal fatigue of charging line).
  • One plant (WNP-2) has experienced an internal flood.
  • A draft NUREG updating initiating events has (very recently) been issued (LOCA frequencies, particularly, have been affected).

POSSIBLE RESOLUTION: Include an update of initiating event frequencies during the next update. Also, individual applications should be reviewed to determine if they are affected before submittal or implementation.

PLANT RESPONSE OR RESOLUTION: The North Anna and Surry initiating event frequencies were updated in the NOA-D and SOA-D PRA updates by several sources. The rare initiator frequencies from NUREG/CR-5750 are used as priors for Bayesian updating with plant specific histories. The moderate frequency transient initiating event frequencies are created from plant specific data (1990-2000 LERs) and a non-informative gamma prior distribution. Finally, some plant unique initiating events are quantified with new fault tree models directly linked to the integrated PRA model. For North Anna, these models are discussed fully in Calculation SM-1266, implemented in the NOA-D PRA models. For Surry, these models are discussed fully in Calculation SM-1307, implemented in the SOA-D PRA models. All IE frequencies have subsequently been updated in 2005 and documented in the IE.1 and IE.2 notebooks.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: IE-4), Element IE, Subelement 7 (Also MU)

OBSERVATION Detail: A recent industry event (Oconee) involved a small break LOCA (>10 gpm) at the charging line connection to the RCS. The mechanism for the crack in the thermal sleeve at the connection point was thermal fatigue. Is the Surry piping subject to this type of event? If so, has it been considered in the initiating event frequency?

POSSIBLE RESOLUTION: Evaluate the susceptibility of the Surry piping to this failure mechanism, and adjust the LOCA frequencies, as appropriate.

PLANT RESPONSE OR RESOLUTION: The referenced Oconee event was evaluated as part of INPO SEN 163, Recurring Event, High Pressure Injection Line Leak, and as part of NRC IN 97-46, Unisolable Crack in High-Pressure Injection Piping. The design of the CVCS and HHSI systems at both North Anna and Surry is significantly different than that of Oconee, Unit 2. NAPS and SPS designs do not include combination CVCS makeup and HHSI lines. Each unit has only one CVCS makeup line which carries full makeup flow and the CVCS system employs a regenerative heat exchanger to heat the makeup water to within 100 degrees of the RCS cold leg temperature, thereby minimizing thermal shock. The Oconee failure mechanism is not considered valid for the North Anna or Surry designs, and should not require LOCA frequency adjustment. The Current North Anna and Surry LOCA frequencies are developed from NUREG/CR-5750, per the evaluation in the IE.2 PRA notebook. This NUREG observed that no small LOCA events had occurred in U.S. nuclear power plants up to 1995. However, the 1997 Oconee 2 event could possibly be categorized as a very small LOCA / leak, and four such events from 1987 - 1995 are included within the NUREG/CR-5750 initiating event frequencies.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: IE-5), Element IE, Subelement 14

OBSERVATION Detail: An industry issue of about 5-6 years ago was the creation of an ISLOCA caused by a leak in an RCP thermal barrier heat exchanger and a failure to isolate the CCW lines that provided cooling water to the heat exchanger. How was this potential ISLOCA pathway treated by the initiating events analysis? Does it apply to the Surry model?

POSSIBLE RESOLUTION: Determine if the ISLOCA path is applicable to the Surry model, and address it, if appropriate.

PLANT RESPONSE OR RESOLUTION: The industry issue initially surfaced in July 1984 as a Westinghouse 10 CFR Part 21 issue. However, since Westinghouse was not the source vendor for the Surry CC system, this Part 21 issue was not communicated to Surry at that time. In May 1989, Surry communicated this issue to NRC and subsequently, NRC Information Notice 89-54 (June 23, 1989) was issued to all licensees. This NRC IN is probably the source of the industry issue quoted in the certification comment. Surry submitted system design information to NRC in a June 5, 1989 letter to NRC (Serial No. 89-406) clarifying resolution of the concern. This licensee response provides a detailed description of the problem and an assessment of the resolution. In summary, the operating history of Westinghouse RC Pump (RCP) thermal barriers indicates only one minor internal leak in over 12 million hours of operation (8.3 E-8/hr or 7.3 E-4/yr). Catastrophic failure of RCP thermal barrier is not a credible event. Westinghouse calculated the credible leak rate at 7.5 gpm. This low leak rate is due to high water purity in RC and CC water, conservatism in tube design supporting tube collapse rather than cracking, and low crack propagation due to external forces tending to close crack. The existing 1989 design was sufficient for isolating the RCP thermal barrier leak, but design enhancements were pursued since manual operator action is required for the credible leak (automatic isolation would occur for leak rates higher than 10 gpm). The event would not be classified an interfacing system LOCA (ISLOCA) since the CC system would be isolated from the RCS, and all isolation would occur within the containment. More appropriately, the event would be classified a very small break LOCA (based upon the 7.5 gpm credible leak) with a frequency well below the Surry and North Anna IPE S2 frequency of 2.1 E-2/yr.

STATUS: Additional information can be found in a 7/9/1990 NRC letter (Serial No. 90-442), and drawings 11448-FM-072A shts 1 through 4. This F&O is CLOSED.

OBSERVATION (ID: IE-8), Element IE, Subelement _ll_

OBSERVATION Detail: The FMEA portion of the Initiating Events notebook (page 12 of 28) states that screen wash pumps do not have to operate during an accident. The implication is that because of this there is no need to consider the screen wash system further. However, clogged screens can cause plant trips, and this failure mechanism should be considered in the development of initiating event frequencies. Recent industry events at Salem and Wolf Creek illustrate a plant's susceptibility to clogged intake screens.

POSSIBLE RESOLUTION: Determine the plant's susceptibility to clogged intake screens, and update the initiating event frequency as appropriate.

PLANT RESPONSE OR RESOLUTION: The Surry LOSW IE is actually an evolution of a loss of circ water initiator. We do not currently model this with a fault tree, so there is no specific screen clogging contribution identified for this initiator. Currently, the Surry PRA uses a plant specific Bayesian update of generic industry experience for loss of Circulating Water to evaluate the IE-T6 (Loss of Circulating Water) frequency. The plant specific clogged screen failure event is therefore considered, since it is part of the overall industry and plant-specific experience leading to loss of CW. However, an evaluation has been performed for the S03A model update to establish that the IE frequency used for this event would encompass contributions from events such as clogged intake screens / screen wash faults. Should the model be changed in the future to model this IE with a fault tree, this failure mechanism would be addressed explicitly.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: IE-9), Element IE, Subelement 16 (Also see AS-9, and MU)

OBSERVATION Detail: The reactor core has been upgraded to 2586 MWt. Has the effect of this change been considered on the moderator temperature coefficient/reactivity feedback, particularly for early in a core's life? Also, has the increased decay heat load been considered in the success criteria for decay heat removal?

POSSIBLE RESOLUTION: Ensure that the effects of increased core power have been properly accounted for in the analysis.

PLANT RESPONSE OR RESOLUTION: The effect of the 4.5% core power uprate on the timing of HEPs used in the SPS PRA Model, and on the success criteria of hardware credited in the SPS PRA Model has been evaluated using MAAP 4.0.5. The results of the analysis show that no changes are required to the current success criteria or HEP calculations. The details of the analysis are documented in SPS Notebook SPS-RA.MD.SC.001 Rev 0.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: L2-2), Element L2, Subelement 8 and 10

OBSERVATION Detail: The consequences of operator actions after core damage are not considered in the PSA or the LERF assessment. After core damage has occurred, the control room staff will continue to attempt to implement EOP actions (and now SAMG actions). Considering the EOP actions, only those that prevent core damage (have an impact on the CDF) are modeled in the Level 1 PSA. Several EOP actions that can impact the LERF are:
  • FR-C.1 actions to depressurize the RCS at the onset of core overheating greatly decreases the probability of a high pressure reactor vessel failure, while significantly increasing: a) the potential for core concrete interactions, and b) the fission product release from RCS to containment (which, in turn, increases the source term for containment failures).
  • FR-H.1 actions to establish some type of feedwater flow to the SGs increases the chances of SG tube failure due to thermal stresses of cold water being injected onto hot SG tubes, but can also increase the potential for arresting the core damage in-vessel. These two aspects can impact the LERF.
  • ECA-0.0 actions to start sprays when offsite power is restored. This can prevent overpressure failure of containment, but can also de-inert containment and lead to a hydrogen burn. When combined with the added hydrogen from in-vessel recovery, the hydrogen burn may challenge containment.
Also, these operator actions should be substantiated by an HRA analysis to determine the HEP. The plant has also completed implementation of the SAMG. The SAMG contains a set of accident management strategies that would be implemented for each of the core damage accidents. The implementation of some of the strategies has negative consequences that should be addressed.

POSSIBLE RESOLUTION: Include appropriate consideration of EOP (and also SAMG) actions in the PSA models.

PLANT RESPONSE OR RESOLUTION: Our Level I model takes into account all human error probabilities due to EOP actions. The human error probabilities based on SAMG actions are not incorporated into our model. According to WOG procedures, once the core temperature reaches 1200 F, the operator leaves the EOPs and enters the SAMGs (control room guideline SACRG-1). Our Level I model was developed independent of the SAMG actions. We recognize that inappropriate SAMG actions may cause negative consequences which may result in greater source term releases to the atmosphere. For this reason a technical support center (TSC) is formed that reviews real time plant parameter data and provides expert guidance to the operation staff during a severe accident condition. Additionally training on the SAMGs is provided every 3 years which includes a discussion of these cautions and recommendations to the operators. The operators are taught to be aware of their plant's most dominant accident sequences and the consequences of inadequate actions.

STATUS: The approach taken is consistent with that applied in other PWR PRAs, but this issue will be treated as a recognized source of uncertainty in the LERF model. With this action, this F&O is CLOSED.

OBSERVATION (ID: MU-2), Element MU, Subelement 4

OBSERVATION Detail: The core power has been upgraded. Effects of this change have not been incorporated into the PSA model. Factors that could be affected by the core power upgrade include the moderator temperature coefficient (for ATWS) and the decay heat load (for several accident sequences).

POSSIBLE RESOLUTION: At the next upgrade, evaluate the effects of the core upgrade and incorporate, as appropriate, into the PSA model.

PLANT RESPONSE OR RESOLUTION: See discussion for equivalent F&O IE-09.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: MU-3), Element MU, Subelement 4

OBSERVATION Detail: Requirements for review of operating experience, plant procedures, and plant-controlled documents in support of a PSA update are not detailed in the PSA guidance documents.

POSSIBLE RESOLUTION: Develop additional guidance on the review process requirements, describing which data should be reviewed and how the review should be documented.

PLANT RESPONSE OR RESOLUTION: PRA update guidance was developed, which includes a review of: (1) Technical Specification revisions, (2) station engineering Design Change lists, (3) station procedures, and (4) operating experience. (Nuclear Safety Analysis Manual - Part IV, Chapter J, subsequently superseded by PRA Manual - Part IV, Chapter A). Recent PRA updates (S03A, S05A) provide examples of the process.

STATUS: This F&O is Closed.

OBSERVATION (ID: MU-4), Element MU, Subelement __§__

OBSERVATION Detail: Activities to evaluate the effects on the PSA of changes to equipment failure rates, initiator frequencies, and human error probabilities are minimal.

POSSIBLE RESOLUTION: Revisit initiator frequencies, equipment failure rates, and human error probabilities with each update to determine whether they are still adequately estimated.

PLANT RESPONSE OR RESOLUTION: Both the Surry and North Anna PRA models have been updated to include changes in data. For North Anna and Surry, initiating events were updated as documented in calculations SM-1266 for North Anna and SM-1370 for Surry. Component unavailabilities were updated for both North Anna and Surry as documented in calculations SM-1266 and SM-1308, respectively. The component reliabilities for risk significant pumps and the EDGs were Bayesian updated with plant specific data for Surry as documented in SM-1311. Further, a full data update was performed in 2005 for the MSPI update, as documented in the DA series of PRA notebooks. The HEPs were reviewed and updated as necessary following the PRA self-assessment per RG1.200 and in response to the subsequent HRA re-peer review comments. Input from Operations personnel at Surry was obtained to provide better estimation of the times associated with the performance of emergency procedures. A PRA update process and schedule addressing data updates has been implemented in the PRA Manual.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: SY-2), Element SY, Subelement 5 (See also AS-5, and MU)

OBSERVATION Detail: The program does not appear to have a formal requirement for incorporating changes based on plant design changes. For example, a later EOP change identifies the time to hot leg recirculation switchover as 9 hours. The model says 16 hours. There is an advantage to identifying operator actions to specific procedure steps. The downside is, procedures change. Thus, the models and documentation need to be updated periodically.

POSSIBLE RESOLUTION: The following suggestions, while directed to the systems analysis element, are actually applicable more broadly, within the context of the overall PSA Maintenance and Update process.
1. Develop a PSA change program that tracks identified changes to procedures, design, etc. Develop a process for incorporating changes into the PSA. NOTE: This does necessarily mean formal review required; notification from the program sponsor (Procedures group, admin, design engineering, etc.) is sufficient for most changes.
2. Consider becoming part of the review cycle for selected changes (e.g., for risk significant system design changes, PSA review is required). This will probably require a change to plant, engineering procedures. There are going to be changes in plant configuration that could significantly affect the PSA. A formal review by the PSA group for selected changes has the potential for saving money (change should not be made in terms of plant risk), minimizing the effects of the change on the PSA and PSA based programs and possibly identifying alternative changes.

PLANT RESPONSE OR RESOLUTION: PRA update guidance was developed, which includes a review of: (1) Technical Specification revisions, (2) station engineering Design Change lists, (3) station procedures, and (4) operating experience. (Nuclear Safety Analysis Manual - Part IV, Chapter J, subsequently superseded by PRA Manual - Part IV, Chapter A). Recent PRA updates (S03A, S05A) provide examples of the process.

STATUS: This F&O is Closed.

OBSERVATION (ID: SY-4), Element SY, Subelement 12

OBSERVATION Detail: The RPS model does not properly identify the required support systems. RPS logic receives power from Class 1E 125V DC buses 1A and 1B. Failure of the DC buses removes power to the RTB shunt trip coils which limits operator action in the control room if reactor trip fails.

POSSIBLE RESOLUTION: 1. Review the RPS system and include DC power dependency.

PLANT RESPONSE OR RESOLUTION: Fault trees RP1 for both Surry and North Anna were revised to include separate logic for RTA and RTB including the input logic signal with recovery. The models also include failure of the trip breaker (RTA/RTB), and RTA/RTB recovery through the shunt trip relay (including failure of 125 VDC, human reliability model, and failure of the shunt trip relay). The models are discussed fully in SM-1151, implemented in the SOA-D PRA models for Surry, and in SM-1292, implemented in the NOA-D PRA models for North Anna.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: SY-5), Element SY, Subelement 5

OBSERVATION Detail: The RPS logic model is incorrect. The fault tree indicates that success of either logic train allows challenge to both reactor trip breakers. Actual design is logic train A sends signal to RTA and logic train B sends signal to RTB.

POSSIBLE RESOLUTION: Correct the logic model.

PLANT RESPONSE OR RESOLUTION: Fault trees RP1 for both Surry and North Anna were revised to include separate logic for RTA and RTB including the input logic signal with recovery. The models also include failure of the trip breaker (RTA/RTB), and RTA/RTB recovery through the shunt trip relay (including failure of 125 VDC, human reliability model, and failure of the shunt trip relay). The models are discussed fully in SM-1151, implemented in the SOA-D PRA models for Surry, and in SM-1292, implemented in the NOA-D PRA models for North Anna.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: SY-11), Element SY, Subelement SY-5

OBSERVATION Detail: Review of HHSI: SM-1162, SPPR 97-018, S2.07.1 (page 7 of 27). System notebook update states 1A and 1C charging pumps are dependent on CCW (for recirculation). What about Unit 2? 1B is not dependent on CCW due to a design change. What about Unit 2? How are unit to unit differences identified and modeled? Dependency table from IPE model wasn't updated in SM-1162 or SM-1165 to account for CCW dependency. Also, success criteria section of system notebook was not updated.

POSSIBLE RESOLUTION: Set up Unit 2 model, or address impact on CDF.

PLANT RESPONSE OR RESOLUTION: Surry charging pumps have seal coolers with a CC cooling dependency that currently has a difference between Units 1 and 2. For Surry Unit 1, the A & C pump seal coolers 1-CH-E-7A/B/E/F require CC cooling, but the B pump seal coolers 1-CH-E-7C/D are isolated (11448-FM-071 B Sh 2). For Surry Unit 2, all A/B/C pump seal coolers 2-CH-E-7A/B/C/D/E/F require CC cooling (11548-FM-071 B Sh 2). Potentially, all Surry charging pumps may be upgraded so that their CHP seal coolers can be isolated, but at this time, only the Surry Unit 1 B pump does not require CC cooling, which explains the difference between Surry Unit 1 and 2 charging pump CC cooling. Update as of S05A model: the dependency on CC has been added to the 1B pump as well, to account for the possibility that cooling might be needed if the pumps were used for high head recirculation with hot sump water. Note: This is a legacy model issue. The current configuration of Surry Power Station is that no charging pump seal coolers are normally isolated. The S007Aa model reflects the current plant configuration.

STATUS: This F&O is CLOSED.

OBSERVATION (ID: TH-2), Element TH, Subelement 8

OBSERVATION Detail: Several HVAC systems are modeled in detail and are well documented. These include ESGR room cooling and the Auxiliary Building Ventilation System, but these are the only ventilation dependencies modeled in the PSA. Some of the systems models provide a one line assumption stating that room cooling is not required, but little if any basis is provided for these assumptions. Based on discussions with the PSA group engineers during this review, it appears that the HVAC requirements were adequately addressed in the modeling process, but the assumptions were not clearly documented, and no process is defined for the determination of the need for room cooling.

POSSIBLE RESOLUTION: Develop more detailed documentation for modeling assumptions regarding HVAC requirements. Provide basis for excluding HVAC dependencies where HVAC is not modeled explicitly. It may be appropriate to include an overview of HVAC issues as part of a dependencies notebook.

PLANT RESPONSE OR RESOLUTION: HVAC dependencies are addressed in the fault trees where needed, and discussions are provided in individual system notebooks (SY.3 series) and the dependency notebook (SY.1). An integrated HVAC dependency document has not been prepared.

Regarding specific dependencies: The charging pumps and the emergency switchgear room already have ventilation dependencies included in the PRA model.

The other major components with potential HVAC dependencies were evaluated and found to have a negligible ventilation dependency. Those SSC's are as follows:

Low Head Safety Injection pumps - The LHSI pumps take suction from the cold RWST early during a LOCA. After Recirculation Mode Transfer, the sump water will be cooled by the RSHX's, so that LHSI ventilation is not necessary.

Outside Recirculation Spray pumps - The CS subsystem provides approximately 300 gpm 45°F water from RWST to each ORSP. There is no ceiling in the ORSP rooms. It is not a closed room. Hence, the room ventilation is not necessary.

Emergency Diesel Generators - The EDG's have self-contained cooling systems.

Alternate AC Generator - The AAC DG has a self-contained cooling system.

Auxiliary Feedwater pumps - These pumps take suction from the ECST or a backup system that is at ambient temperature. They are therefore self-cooling and require no HVAC.

Station batteries - The heat load in this room is the batteries themselves and the heat load from the batteries may be ignored.

Turbine building SSC's - The potentially important SSC's in the TB are the MFW and the CN pumps, in case they are needed as a backup to the AFW system. On a reactor trip, the FW heaters no longer function as heaters and both CN and MFW flows are at relatively cold condenser temperatures. The Turbine Building SSC's are therefore self-cooling.

STATUS: This F&O is CLOSED.

There are only 3 Category C F&Os that need to be addressed and they are listed below:

Category C F&Os that Need to be Addressed

F&O DE-1: Develop a system to initiating event dependency matrix to better show the dependencies modeled for each initiator. (PRA Configuration Control Database (PRACC) record 4023)

F&O DE-4: Develop master dependency matrices for front-line to front-line, for support to front-line, and initiator to system dependencies. (PRACC record 4023)

F&O SY-13: Update references that support mission times that are less than 24 hours. (PRACC record 4012)

All three of these involve documentation issues that do not impact the PRA model results and do not affect the technical adequacy of the PRA model. Records have been added in the PRACC database to track the above tasks to completion.

2010 SPS PRA Focused Peer Review

The Surry PRA model underwent a focused peer review in February 2010 using the PRA Peer Review Certification process performed by the Pressurized-Water Reactor Owners Group (PWROG). To determine whether a full scope or focused peer review was necessary, the changes to each of the model elements were reviewed to assess whether the changes involved either of the following:

  • new methodology
  • significant change in the scope or capability

If changes to an element involved either a new methodology or a significant scope or capability change, then the element requires a peer review as required in the ASME PRA standard (RA-Sb-2005). Based on the assessment of the changes to each PRA model element, a peer review was performed on the elements shown below:

Peer Reviewed Elements (Element: High Level Requirement)

IE - Initiating Events: Initiating Events Review support system initiator modeling meets SRs IE-C6, C7, C8, C9, and C12.

AS - Accident Sequence: Accident Sequence Review upgraded event trees for SBO, RCP Seal, LOCA, SGTR and ATWS meets all HLRs for AS.

HR - Human Reliability Analysis: Human Reliability Analysis Review implementation of SPAR-H methodology meets HLR-HR-G.

IF - Internal Flooding: Internal Flooding Review internal flooding model meets all HLRs for IF.

QU - Quantification: Quantification Review conversion to CAFTA meets HLRs for QU-B, C, and D.

The AS and IF elements required a full review against all of the high level requirements (HLRs). However, changes in the IE, HR and QU elements only required specific HLR verification. The review process included:

  • Review of the PRA model against the technical elements and associated supporting requirements (SRs) - Focus is on meeting capability category II.
  • At the SR level, the review team's judgment was used to assess whether the PRA meets one of the three capability categories for each of the SRs.
  • Evaluation of the PRA-model is supported by:

    o NEI 05-04 process,
    o Addendum to ASME/ANS PRA Standard RA-S-2008,
    o SR interpretations from ASME website,
    o NRC clarifications and qualifications as provided in Appendix A of RG 1.200, Rev. 2,
    o Reviewers' experience and knowledge,
    o Consensus with fellow reviewers, and
    o Input and clarifications from the host utility.

The gaps identified during the self-assessment and the ones that remain to be addressed are listed in the table below:

2010 SPS Peer Review Remaining Gaps that Need to be Addressed

Gap 1

Description: For each flood area, identify the potential sources of flooding

NEI Element/ASME SR: IFSO-B1

Current Status / Comment: No documentation on why floods in containment were screened out.

Importance to Application: None. This is judged to be a documentation consideration only and does not affect the technical adequacy of the PRA model or sequences relevant to this application.

Gap 2

Description: The NRC clarification for Cat II says to address jet impingement, humidity, etc. qualitatively using conservative assumptions

NEI Element/ASME SR: IFSN-A6

Current Status / Comment: No documentation discussing how jet impingement, pipe whip, humidity and other types of failures impact plant systems.

Importance to Application: This is judged to be primarily a documentation consideration only. This issue does not affect sequences relevant to this application.

Gap 3

Description: Document the relative contribution of contributors to LERF

NEI Element/ASME SR: LE-G3

Current Status / Comment: No documentation of LERF contributions for accident sequences.

Importance to Application: None. This is judged to be a documentation consideration only and does not affect the technical adequacy of the PRA model.

Gap 7

Description: Document the system functions and boundaries.

NEI Element/ASME SR: SY-C2

Current Status / Comment: All documentation requirements are considered met except for completion of walkdown checklists.

Importance to Application: None. This is judged to be a documentation consideration only and does not affect the technical adequacy of the PRA model.

Gap 9

Description: Initiating Event Fault Tree Modeling

NEI Element/ASME SR: IE-C10, IE-C12

Current Status / Comment: IE-C10: Not all possible combination of cutsets are captured (see Note 3). IE-C12: No comparison with generic sources for initiating events modeled using fault trees (see Note 4).

Importance to Application: A sensitivity study for this configuration demonstrated that the support system initiators as modeled did not impact the results. Comparison with generic sources and similar plants is expected to render similar results to the IEs compared.

Gap 10

Description: Use of SPAR-H methodology, which does not meet the intent of several SRs in the HR element.

NEI Element/ASME SR: HR-E3, HR-G4, HR-G6, HR-I2, HR-I3, HR-E4, HR-G1, HR-G3, HR-G5

Current Status / Comment: New Human Error Probabilities (HEPs) added to the SPS PRA were based on SPAR-H. The Peer Review identified the SPAR-H methodology is not a consensus model and has some limitations.

Importance to Application: This gap was evaluated by performing a sensitivity study (Sensitivity #1) which multiplies HEPs in the S007Aa model by 10. This sensitivity demonstrates that this issue does not impact the results of this analysis.

Gap 11

Description: Walkdown sheets do not contain all the requested information

NEI Element/ASME SR: IFSO-B2, IFQU-A9

Current Status / Comment: IFSO-B2: Complete the walkdown sheets and verify no impact to IF events. IFQU-A9: Similar to IFSO-B2, need to clearly document the spatial relationship between flood sources and PRA equipment.

Importance to Application: This is judged to be primarily a documentation consideration only. This issue does not affect sequences relevant to this application.

Notes:

Note 1: Gaps 4, 5, 6 and 8 have been addressed in S007Aa.

Note 2: Gaps 9 through 11 were identified during the 2010 PWROG focused PRA peer review.

Note 3: IE-C10: If fault-tree modeling is used for initiating events, CAPTURE within the initiating event fault tree models all relevant combinations of events involving the annual frequency of one component failure combined with the unavailability (or failure during the repair time of the first component) of other components. Following are the Peer Review comments with applicability response to this proposed change:

F&O: 2-2, 2-3

Assessment: Cat I-III is NOT Met

Basis: A review of SSIE cutsets found that they are not adequate due to:

(1) The cutsets do not include all possible combinations, for example, (a) Train A CCW pump fails-to-run and Train B CC pump fails-to-start is in the cutset, but other failure events that could lead to Train B CCW pump fails-to-start such as AC failure, No Actuation Signal are not included; (b) relief valve failure is not showing up in the cutsets of loss of CCW

Response

Fault tree reviews indicate that these types of basic events are modeled but are truncated out of the final results.

Therefore, this F&O does not impact this analysis.

(2) Cutsets including both PROB-xxxxxB-STDBY (Train B) and PROB-xxxxxA-STDBY (Train A) events may be underestimating the impact

Response

Cutset review indicated that alignment probabilities were not significant to this evaluation.

(3) Surry SSIE models do not include passive failures (i.e. pipe breaks affecting only the source system) which are screened from the flooding analysis. These failure modes may be important in the SSIE model. For the CC system the model includes this IE, (%FLOOD-AB-SPRAY-CCP1ABCD SPRAY IN AUX BLDG 2'-0" ELEV IN VICINITY OF CC PUMPS 1-CC-P-1A/B/C/D)

Response

Inclusion of these low probability passive failure modes would not impact the significant accident scenarios because general plant transients are not significant to this application.

Note 4: IE-C12: COMPARE results and EXPLAIN differences in the initiating event analysis with generic data sources to provide a reasonableness check of the results. Following are the Peer Review comments with applicability response to this proposed change:

F&O: 3-4

Assessment: Cat I-III is NOT Met

Basis: Comparison of IE frequencies to industry mean values is performed in SPS PRA Notebook Part III, Volume IE.3, Revision 1, Table 2-4 by comparing 7 modeled Initiating Events with 5 other unit results and to NUREG/CR-5750. The remaining 12 Initiating Events (with Fault Trees) are not compared. Other Initiating Events are not compared.

Response

This is primarily a documentation concern. The Loss of SW IE was compared to the standard and the industry and was demonstrated to be reasonable. The SPS Loss of SW IE is unique due to the gravity feed configuration. The comparison of the modeled IEs demonstrated that the Surry frequencies were within the range of the standard and similar plants. The IEs that were not compared are expected to have similar results.

The following F&Os from the 2010 SPS PRA Focused Peer Review are considered closed:

2010 SPS Peer Review Closed F&Os

F&O: 1-10

Description: Mission time for TDAFW during a SBO is 24 hours, which is conservative.

Comment: The turbine driven AFW pump logic used under gate U1-SGC-BO is based on a 24 hour mission time. This may be somewhat conservative since the turbine driven pump is only credited for 4 hours in SBO.

Dominion Response: The modeling of the TDAFW pump failure to run with a mission time of 24 hours instead of 4 hours is conservative. The basic approach taken for adding different running failure basic events with different mission times is that if the 24 hour mission time basic event has a high risk importance, then a new basic event with a mission time for the sequence would be developed. Since the importance of the TDAFW running failure basic events is not significant, a separate basic event was not added.

Status: This F&O question is considered Closed.

F&O: 3-5

Description: Consider adding some recovery basic events to the fault tree model instead of adding as part of post-quantification processing using QRECOVER.

Comment: Recovery events are added to cutsets based on post-processing with QRECOVER and plant-specific rule file as discussed in SPS HR.3 notebook, Section 2.2, and the QU.1 notebook. Some recovery actions (e.g., REC-FTSCC and REC-FTSBC) should be modeled as HEPs in the FT so all pertinent cutsets are generated and dependency assessed. REC-FTSCC and REC-FTSBC are listed in HR.3 as recovery events; however, they are not utilized in the quantification process. These actions are typically utilized in Initiating Event fault trees in conjunction with auto-start failures. Not modeling these actions may cause cutsets not to be generated, dependencies not evaluated, and overall results impacted.

Dominion Response: The two recovery actions that the reviewer identified as not being in the Surry PRA model but were calculated in the HR.3 model notebook were removed from the model during the transition from the Winnupra model to the Cafta model. Since the standby pumps get an auto-start signal if the running pump fails, these recoveries were AND'd with the failure of the pressure switch. Since these were not showing up in the cutsets, it was determined that credit for the operator recovery would not be included. If these pressure switch failure basic events had a high importance, then adding the recovery credit would be considered.

Status: This F&O question is considered Closed.

F&O: 3-19

Description: Use of SPAR-H for HRA has limited accounting for Performance Shaping Factors

Comment: The plant's approach to analyzing HEPs is more involved than the Category I requirements (it is actually closer to Category II/III), but it does not address all of the PSFs identified for the Category II/III requirements (a limitation of the SPAR-H method); therefore, MET was selected for Category I. While SPAR-H methodology is close to meeting CC II/III, one of the limitations is that the PSFs are limited to the eight chosen. Additionally, each of the eight PSFs should be evaluated for interaction impacts which are not covered by the method.

Dominion Response: Since this F&O relates to using SPAR-H, and F&O 3-18 indicates that SPAR-H method is not a valid method to meet Cat II, then this F&O will be closed out to F&O 3-18.

Status: This F&O question is considered Closed.

F&O: 2-8

Description: QU.2 does not include detailed description of the CDF and LERF cutsets.

Comment: SPS QU.2 Notebook Section 2.3.2 discusses the dominant core damage accident sequences and has a detailed description of the top 5 sequences. Section 2.3.3 discusses the top CDF cutsets but does not document the review of a sample of significant cutsets. It is noted that Section 2.4.2 documents the review of nonsignificant cutsets. SPS QU.2 Notebook documents a review of the top 5 sequences but has no review of a sample of significant cutsets.

Dominion Response: Detailed descriptions of the CDF and LERF cutsets are contained in the worksheets named "Top 100 U1 CDF Cutsets" and "Top 100 U1 LERF Cutsets" in Attachment 3 of the QU.2 notebook.

Status: This F&O question is considered Closed.

2012 SPS PRA Focused Peer Review

A focused scope Peer Review of the SPS PRA model against the requirements of the ASME/ANS PRA standard RA-Sb-2005 and any Clarifications and Qualifications provided in the NRC endorsement of the Standard contained in Revision 2 to RG 1.200 was conducted in June, 2012.

In the course of this review, thirty (30) new F&Os were prepared, including twenty-one (21) suggestions, and nine (9) findings. Many of these F&Os involve documentation issues. The 21 suggestions do not affect the technical adequacy of the PRA model and have no impact on the results of this evaluation. The following 9 findings have been evaluated as described in Table 4 below:

Nine Findings from 2012 SPS PRA Focused Peer Review

F&O 1-2, Element IE-C6

F&O Details: Scenario 1 in AS.2, Attachment 3, Appendix ISLOCA F is screened even though the event frequency would be greater than 1.0E-06 (calculated as 3.85E-06). This scenario should be reconsidered to ensure the screening is appropriately justified using the criteria specified in IE-C6.

Possible Resolution: Expand the discussion to include the probability of operator failure to secure HHSI and other failure modes that would result in continued HHSI operation given a rupture in the LHSI piping.

Basis of Significance: The calculated impact on CDF is small (<1%), the impact needs to be more fully documented to ensure the screening criteria is met.

Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16415), therefore this gap has no impact on this application.

F&O 1-6, Element QU-B7

F&O Details: This guidance does not seem to be technically supported by NUREG/CR-5485 Section 5.4.4 which only supports removal of combinations of two common cause failure events where the combinations include the same pump (e.g., CCF of Pumps A and B in combination with CCF of pumps A and C). Further, NUREG/CR-5485 Section 5.2 notes that NUREG/CR-4780, Volume 1 discusses conditions under which these combinations may be valid (see NUREG/CR-4780, Volume 1, Section 3.3.1).

Possible Resolution: Remove the mutually exclusive logic for common cause failures or modify the logic to ensure only combinations of events including a common component and failure mode (e.g., Component A Independent Failure to Start in combination with CCF of Component A and B to Start) are removed.

Basis of Significance: The impact of the removal of the basic event combinations cannot be estimated based on available information. However, because this process may impact the importance of high safety significant components, it is designated as a finding.

Importance to Application: A bounding sensitivity study evaluating the removal of the mutually exclusive logic for common cause failures results in an increase in the baseline CDF and LERF values (Ref. PRACC 16418). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.

F&O 1-8, Element DA-D5

F&O Details: A global assumption is made that staggered testing is applicable to all common cause events (SPS DA.3 Revision 5, Section 2.2.1, Item 1). Typically, some components such as containment isolation valves, HHSI isolation valves, and others may only be tested during the outages. Additional justification for application of the staggered testing assumption to those components tested on an 18 month basis during outages is needed.

Possible Resolution: Provide justification for application of the staggered testing assumption to components tested on an outage frequency including verification that redundant components are tested by different personnel at different times or apply alpha factors based on a non-staggered testing scheme to those components.

Basis of Significance: The alpha factors for components tested on a non-staggered basis are typically higher than those tested on a staggered basis. Therefore, this could be a significant impact on CDF or LERF depending on the specific components affected.

Importance to Application: A bounding sensitivity study changing all CCFs from "staggered basis" to "non-staggered basis" results in an increase in the baseline CDF and LERF values (Ref. PRACC 16419). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.

F&O 1-10, Elements DA-D6, SY-B3

F&O Details: The AAC diesel is included in a common cause group with the other emergency diesel generators even though SPS notebook SY.3.EP states that "The AAC diesel has a different manufacturer for the generator and the diesel engine and is unique to both units." SPS DA.3 addresses this in an assumption that states that "If SBO diesel is modeled as one of the EDG CCF groups, because of the less similarity between the EDG and SBO diesel, the alpha factor of 3 of 3 EDGs CCF to run may be set as 1.06E-2*0.9 = 9.54E-3 and the alpha factor of AAC diesel and 2 EDGs CCF to run may be set as 1.06E-2*0.1 = 1.06E-3." However, there is no technical basis for the factor of 10 reduction, only a qualitative discussion, yet this is dispositioned as not being a source of uncertainty.

Possible Resolution: There are two approaches that can be considered. The most defensible approach would be to identify all legitimate common elements between the EDGs and the SBO diesel, review the CCFWIN database to exclude diesel failure mechanisms that are not common between the Surry EDGs and the SBO diesel, and calculate the actual alpha factors. The second approach would be to identify that the factor of 10 reduction in the alpha factor is an estimate without a numerical basis, which makes it a plant-specific modeling uncertainty for Surry. Then sensitivity analyses could provide some insight into the importance the assumed factor (0.1, 0.2, 0.5, etc.) would have on the results.

Basis of Significance: The qualitative discussion of not all diesel CCF mechanisms existing between the EDGs and the SBO diesel is legitimate. However, the selection of 0.1 does not have a numerical justification, and could potentially be conservative or non-conservative, and it is not apparent the degree to which it affects the results since no sensitivities were documented. Any modeling assumption that could result in lowering the importance of the EDGs could impact applications such as MSPI.

Importance to Application: A bounding sensitivity study evaluating the common cause group of emergency generators results in an increase in the baseline CDF and LERF values (Ref. PRACC 16420). However, the new increase in baseline CDF/LERF values would not impact the delta CDF/LERF results. Therefore, this gap has no impact on this application.

F&O 2-2, Element IE-C3

F&O Details: The issue of ISLOCA flood propagation and steaming effects in the Safeguards Building is not adequately addressed. Section 2.4 of the IE.1 notebook states that flooding/spatial effects need not be considered because an unisolated ISLOCA was assumed to go directly to core damage. However, if there is a successful isolation prior to core damage, there is still a question about the effects of the water/steam that was already leaked. For example, AFW pump operation should be shown not to be impacted, as well as potential effects on the credited isolation valve itself. The PRA staff researched the issue during the peer review and provided information that appears to justify the operability of the isolation valve, but additional analysis is required and needs to be documented.

Possible Resolution: For the successfully isolated ISLOCA sequences, consider potential flood and steam effects from water that leaked out the break prior to isolation. Also, consider the potential for the isolation valve to be failed due to the effects.

Basis of Significance: Flood propagation and steam effects may not be an issue, but it cannot be determined for certain without further evaluation.

Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16421), therefore this gap has no impact on this application.

F&O 2-3, Elements DA-A2, DA-D6

F&O Details: Regarding component boundaries, Section 3.3.1 of the CCF GARD (NF-AA-PRA-101-2062, Rev. 4) states, "When defining common cause failure events (and utilizing generic data concerning the probability of these events), the analyst must ensure that the component boundaries assumed for common cause failures are consistent with the boundaries used for the independent failures." DOM.DA.1 Rev. 2 states "To ensure consistency between the generic database and the plant specific database, the component boundary needs to be verified. This notebook documents the generic database with component boundaries defined according to NUREG/CR-6928. This generic database shall be applicable to all of the Dominion PRA models." However, Assumption 8 in Section 2.2.1 of SPS DA.3 Rev. 5 states "CCF data boundaries were not compared to the boundaries of DOM DA.1. Generic common cause failure factors were used because no plant specific common cause failures were identified. A review of the generic common cause failures indicates that its boundaries were wider than DOM DA.1 boundaries."

Possible Resolution: Review CCF (and even the independent failure data) for component boundary consistency with the generic data and CCF factors.

Basis of Significance: While it is recognized that modeling extra events (such as diesel generator output breakers when they are part of the diesel component boundary in NUREG/CR-6928) is conservative, for accuracy and compliance with the Dominion GARD and DOM.DA.1 notebook, component boundaries should be consistent with the data.

Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement and as stated in the description adds modeling conservatism (Ref. PRACC 16422), therefore this gap has no impact on this application.

F&O 2-5 (Elements: SY-B3, DA-A1)

Possible Resolution: Perform a thorough review of all system models to identify any missing CCF groups. It is acceptable to treat the combinations greater than 4 failures as a single event as long as the combinations are summed and treated as complete system failure. For such cases, it is still necessary to model the combinations of 2, 3 and 4 failures.

Basis of Significance: The missing CCF component groups yields non-conservative and potentially significant results.

Importance to Application: A bounding sensitivity study of additional CCFs results in an increase in the baseline CDF and LERF values (Ref. PRACC 16423). However, the new increase baseline CDF/LERF values would not impact the delta CDF/LERF results of this application because CCFs do not play a major role. With one CHSW header OOS, only 1 independent failure is required to fail the HHSI safety function.

F&O Details: The CCF grouping appears to have been performed properly for pumps and some MOVs examined. However, checks of the Electric Power system model and check valves in SI and FW models show CCF combinations that are missing. In the Electric Power system model, the CCF of buses, inverters, breakers and fuel oil pump strainers (possibly other components as well) were modeled for complete failure of all in the group, but not for smaller numbers. For example, Table 3.8-1 shows 1EETFM-C8-480TFM being comprised of eight transformers. However, failure of a group as small as 2 (e.g., transformer 1H/1J) could be significant, as these transformers feed the 480V buses that power the 1A/2A and 1B/2B recirculation spray pumps. While it is acceptable to model CCF of combinations greater than 4 jointly (as is stated in the Section 3.2.2 of the GARD, this means creating a joint probability that sums all the 5/8, 6/8, 7/8 and 8/8 combinations into one), the individual combinations of 2, 3 and 4 still need to be captured.

The other logic reviewed that are missing combinations are seen under gates 1-SI-82, 1-SI-236, 1-FW-27, 1-FW-28, 1-FW-29 and 1-FW-61/1-FW-62.

These instances were identified in a short review of the system models, and the review team is concerned the problem is widespread.

Another item noted is Section 2.3 of the DOM.DA.3 notebook states "The Supply Breakers that feed the Emergency Buses, if there is a loss of off-site power, should be modeled for a common cause failure to open when the Emergency Diesel Generators are required to be running and supplying power to the emergency buses." This was not modeled in the EP fault trees (they would be expected under gates 1-EP-BKR-15H8-FTO and 1-EP-BKR-15J8-FTO-LC, etc.).

F&O 2-8 (Elements: SY-B3, DA-A1)

F&O Details: The DOM.DA.3 R3 notebook Section 2.3 states that CCF of air-cooled transformers would not be modeled. There is no mention of this in the EP system notebook. Many of the transformers modeled in the PRA are air-cooled but have CCF modeled. The Surry PRA model would need to be updated to match the assumption in the DOM DA.3 notebook.

Possible Resolution: Update the model to be consistent with the DOM DA.3 guidelines.

Basis of Significance: This is presented as a finding because the PRA staff identified that the assumption in the DA.3 Rev. 3 notebook is correct and the model should be updated.

Importance to Application: There is no impact on CDF or LERF as this is conservative and will be removed from the model (Ref. PRACC 16424); therefore, this gap has no impact on this application.

F&O 2-9 (Element: DA-E3)

Possible Resolution: Evaluate the plant-specific sources of model uncertainty related to the Surry CCF analysis.

Basis of Significance: Sources of uncertainty specific to the Surry CCF analysis need to be considered.

Importance to Application: There is no impact on CDF or LERF as this is a documentation enhancement (Ref. PRACC 16425), therefore this gap has no impact on this application.

F&O Details: EPRI generic CCF sources of model uncertainty are tabulated in Table 1 of the SPS DA.3, Rev. 5 notebook. DA-A-2 notes that component boundaries are not consistent with the failure data, but states that this is a consensus model approach and not a source of uncertainty for Surry. This should be considered a source of model uncertainty and/or be corrected.

Missing from the evaluation of sources of model uncertainty are all SPS-specific assumptions, including those tabulated in SPS DA.3 Rev. 5 Section 2.2.

Review of Open Issues against the PRA Model (PRA Configuration Control)

The PRA Configuration Control database (PRACC) was reviewed in order to determine if any known modeling issues open against the S007Aa model could impact the results of this analysis. The following open issues were identified from Surry's PRACC database. These issues were addressed either by adjusting the S007Aa PRA model used to perform this risk evaluation, or by performing a sensitivity study to demonstrate that the issue was not significant to this analysis.

PRACC 1790 (Date Identified: 3/8/2004)

Importance to Application: Addressed with HEP sensitivity #1

Description: Evaluate 1(2)CWHEP-LIC-1 (2)06A/B via HRA methods. Current value is selected to be consistent with 1CWHEP-LIC-LVL

PRACC 9486 (Date Identified: 10/21/2008)

Importance to Application: Addressed with HEP sensitivity #1

Description: During the 2008 model update, the MAAP runs for the different scenarios were not completed in time before the model change freeze date. Need to update the HEPs in the HR.2 notebook using the times calculated from the MAAP runs.

PRACC 9804 (Date Identified: 3/12/2009)

Importance to Application: Addressed with Model change

Description: The 2-RC-P-1C RCP seal will be replaced with a new Flowserve seal that has low leakage when there's a loss of RCP seal cooling. These seals are similar to the seals used by the Combustion Engineering (CE) plants. Therefore, the RCP seal LOCA model needs to be based on the CE seal LOCA model. WCAP-16175-P-A, RCP Seal Failure Model CE NSSS, documents the seal LOCA model.

New seal package was installed in pump 02-RC-P-1 C during the 2009 fall outage 11/18/09.

The operator action to trip the RCPs given failure of RCP Seal Cooling should have the Tsw (time available to perform the action) set to 20 minutes based on the following:

WCAP-16175-P-A Rev 0, Model for Failure of RCP Seals Given Loss of Seal Cooling in CE NSSS Plants NRC SER specifically references RCP seal failure model condition event tree (in Chapter 6 of WCAP-16175-P, Revision 0) for stopping the RCP(s) affected by a LOSC.

WCAP-16175-P-A Section 6.0, RCP Seal Failure Model. The event tree contains a node representing RCP20: RCPs Secured Within 20 Minutes?

Therefore, it can be interpreted the NRC SER approved securing (i.e., tripping) the RCPs within 20 minutes.

This has been agreed upon during discussion with Bill, Luke and Allen.

Note, currently S007Aa does not model this operator action.

Acm 7/22/15

PRACC 10931 (Date Identified: 1/20/2010)

Importance to Application: Addressed with HEP sensitivity #1

Description: SPS operator actions, HEP-C-CDSGTR (cool down and depressurize RCS after a SGTR) and HEP-C-SGTR (isolate affected SG after a SGTR), are documented as having the same engineering time, Te, of 60 minutes in the SPS HR.2 Notebook. The equivalent operator actions for NAPS, HEP-1 E3-13 (cool down and depressurize RCS after a SGTR) and HEP-1 E3-3 (isolate affected SG after a SGTR), are documented as having a Te of 75 minutes and 56 minutes, respectively, in the NAPS HR.2 Notebook.

Furthermore, HEP-C-CDSGTR does not have a valid MAAP run available for the basis of the 60 minute Te, and HEP-1 E3-13 references older IPE MAAP runs from NAPS and SPS. HEP-1 E3-3 also references an IPE MAAP run.

Therefore, new MAAP runs should be run for HEP-C-CDSGTR, HEP-C-SGTR, HEP-1E3-13, and HEP-1 E3-3; and adequate documentation of the new MAAP runs should be placed in HR.2 Notebooks.

4/23/2014 This should be considered complete and closed when the model SPS-R06 is released. IPE MAAP runs are no longer used and all necessary MAAP runs are documented in our SC element notebooks to support post HEP required timings.

PRACC 11521 (Date Identified: 7/7/2010)

Importance to Application: Addressed with HEP sensitivity #1

Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

In 2002, an operator survey was completed to document timing estimates from operators of various experience levels. The timing results from the survey are used in the HRA for the HEPs. Table 6.1 of HR.2 states "the response times for operator actions may be estimated by procedure talk through or operator surveys. Therefore, this is retained as a source of uncertainty." For the SPAR-H HEPs, time available is based on engineering judgment. The delay (TDelay), action (TM) and response times (T1/2) are conservative estimates based on a table top review of the procedures as well as input from other HEPs of similar actions and events.

For the SPAR-H HEPs recently added to the SPS PRA model, the time available to complete the actions were not based on applicable generic studies (e.g. thermal/hydraulic analysis or simulations from similar plants) but on engineering judgment. In addition, prior HEPs were developed using the results of a 2002 survey and not on thermal/hydraulic analysis.

(This F&O originated from SR HR-G4)

Associated SR(s)

HR-G4

PRACC 11522 (Date Identified: 7/7/2010)

Importance to Application: Addressed with HEP sensitivity #1

Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

SPS HR.2 does not check the consistency of the post-initiator HEP quantifications. A comparison of previous HEP values with current HEP values is found in the QU.2 notebook supporting files but no relative comparisons are made.

A review of the SPS HEPs relative to each other to check for reasonableness has not been performed.

(This F&O originated from SR HR-G6)

Associated SR(s)

HR-G6

PRACC 11523 (Date Identified: 7/7/2010)

Importance to Application: Addressed with HEP sensitivity #1

Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

The delay (Delay), action TM and response times (T1/2) are conservative estimates based on a table top review of the procedures as well as input from other HEPs of similar actions and events.

The newly added SPAR-H HEPs based the required time to complete actions on a table top review of the procedures and input from other procedures.

To meet CC II, base the required time to complete the actions (for significant HEPs) on action time measurements in either walkthroughs or talkthroughs of the procedures or simulator observations.

(This F&O originated from SR HR-G5)

Associated SR(s): HR-G5

PRACC 11526 (Date Identified: 7/7/2010)

Importance to Application: Addressed with HEP sensitivity #1

Description: ***Cloned from Record 11524***

From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

This F&O contained several different issues. Thus, this PRACC record was cloned so that each issue has its own PRACC record.

Several documentation issues were identified:

3. The SPAR-H HEPs recently added to the SPS PRA model are documented in HR.2. Four HEPs noted in Table A-2 (New HEPs Added) that were evaluated, do not appear in the Fault Tree. One new HEP listed (HEP-CPORTGENRMP) was not analyzed and is also not in the FT. New HEPs added for the recent model update were not necessarily covered by the 2002 survey results. System Analysis notebooks and review of HR.2 does not indicate that simulator observations or talkthroughs with operators were performed.

For the SPAR-H HEPs recently added to the SPS PRA model, the time available to complete the actions were not based on applicable generic studies (e.g. thermal/hydraulic analysis or simulations from similar plants).

(This F&O originated from SR HR-I1)

Associated SR(s)

HR-I1 HR-I2

PRACC 11538 (Date Identified: 7/8/2010)

Importance to Application: Addressed with HEP sensitivity #1

Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

SPS GARD NF-AA-PRA-101-2052 states in Section 3.5, "the SPAR-H model is not recommended where more detailed analysis of diagnosis errors is needed" and references NUREG/CR-1842 for more information. The NUREG states "This approach results in a somewhat 'generic' answer that is sufficient for some of the broad regulatory applications for which SPAR-H is intended, but perhaps is insufficient for detailed plant-specific evaluations (a limitation)" and also references NUREG-1792. This NUREG states "detailed assessments of the significant HFE contributors should be performed."

The SPAR-H methodology is not a consensus model and seldom used in plant specific utility PRAs. Referenced documents show it should not be used to obtain detailed results. Additionally, it cannot be assumed that conservative results are obtained by SPAR-H as the evaluation of PSFs better than nominal can produce nonconservative values.

(This F&O originated from SR HR-G1)

Associated SR(s)

HR-G1

PRACC 11568 (Date Identified: 7/13/2010)

Importance to Application: Addressed with HEP sensitivity #1

Description: From the Surry 2010 Peer Review report documented in Surry notebook Part IV Appendix A.3.

The analysis uses an "engineering judgment" approach to dependency analysis which considers most "recognized" PSFs. Most of the dependencies are associated with one or two factors, and it is not clear how all of the "recognized" factors affect any single dependency analysis. There is no comparison of the "engineering judgment" based results to results that would be obtained from using other techniques such as the HRA calculator. A comparison of the Surry dependency results with those obtained from using an available dependency calculator produced the same results if only one PSF were considered. Also, differences were obtained when comparing 2- and 3-error combination dependencies.

Newer techniques for analyzing dependency are available. These techniques allow consideration of multiple PSFs during the analysis.

(This F&O originated from SR HR-G7)

Associated SR(s)

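HR-G7

PRACC 13932 (Date Identified: 7/11/2011)

Importance to Application: Addressed with Model change

Description: Changes RCP seal packages to N-9000 Flowserve. This potentially affects the Loss of Seal Cooling sequences as the RCP seals are modeled.

PRACC 16525 (Date Identified: 9/7/2012)

Importance to Application: Addressed with Model change

Description: REACTOR COOLANT PUMP SEAL REPLACEMENT 1-RC-P-1A

PRACC 16527 (Date Identified: 9/7/2012)

Importance to Application: Addressed with Model change

Description: REACTOR COOLANT PUMP (RCP) SEAL REPLACEMENT (1-RC-P-1C)

PRACC 16674 (Date Identified: 12/6/2012)

Importance to Application: Addressed with Model change

Description: REACTOR COOLANT PUMP (RCP) SEAL REPLACEMENT (2-RC-P-1 B)/S/2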

PRACC 17079 (Date Identified: 3/12/2014)

Importance to Application: Addressed with HEP sensitivity #1

Description: The MAAP parameter file lists parameter MWCSTO (ECST initial water inventory) as 91,137 gal referencing Surry AFW Design Basis Document (SDBD-SPS-AFW) Rev. 13. This value is different in the latest revision of Surry DBD, and the Tech Spec minimum is 96,000 gal. Consider revising parameter MWCSTO.

Also, HHSI pump flow curve (parameters ZHDP5 and WVPM5) references Rev.2 of ME-0771. The latest revision of this calculation is Rev.4 and it provides a slightly different pump curve (see test limit curve). Consider revising the HHSI pump curve per the latest revision of ME-0771.

4/15/2014 per email dtd. 4/1/2014 from CBL NSA's ECST sizing calc SM-1612 seems to indicate that the ECST volume minimum setpoint is set so that the TS min available volume of 96,000 gal is met, accounting for unusable volume due to vortexing and suction nozzle position (page 12).

PRACC 17822 (Date Identified: 1/12/2016)

Importance to Application: Addressed with Model change

Description: HR worksheet for HEP-C-XFERBS describes procedural actions to close feeder breakers for transfer buses. In the SPSR06 model this HEP is and'ed with LOOP initiators including CLOOP and RSST failures (initiators). Closing the feed for transfer bus does not, in and of itself, help the station recover from LOOP or RSST failure.

Therefore this modeling is incorrect.

PRACC 17872 (Date Identified: 3/10/2016)

Importance to Application: Addressed with Model change

Description: The SM-1123 calculation used as a basis for the fault tree structure for HEP-C-HVACES for loss of chilled water/ESGR AHUs does not bound all of the initiating events and accident sequences this HEP is applied to. The ESGR heat loads assumed in this calculation are for normal operating, 100% power conditions. Events such as LOCA which require SI have the potential for higher heat loads than what is assumed in SM-1123. Refer SY.2 assumption VS06. If chilled water is unavailable, it is uncertain as to whether the operator actions of O-AP-13.02 are sufficient to prevent failure of ESGR electrical equipment in accident sequences that require SI.