Request for Amendment to Technical Specification 3.3.1.1, Reactor Protection System (RPS) Instrumentation Scram Discharge Volume Level Instrumentation Surveillance Requirements

ML070330254
Person / Time
Site:	Clinton
Issue date:	01/26/2007
From:	O'Neill T AmerGen Energy Co
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
RS-07-014
Download: ML070330254 (79)
v • d • e

Text

AmerGen Energy Company, LLC www.exeloncorp.com AmerGen. An Exelon Company 4300 Winfield Road Warrenville, I L60555 10 CFR 50.90 RS-07-014 January 26, 2007 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, D. C. 20555 Clinton Power Station, Unit 1 Facility Operating License No. NPF-62 NRC Docket No. 50-461

Subject:

Request for Amendment to Technical Specification 3.3.1.1, "Reactor Protection System (RPS) Instrumentation" Scram Discharge Volume Level Instrumentation Surveillance Requirements In accordance with 10 CFR 50.90, "Application for amendment of license or construction permit," AmerGen Energy Company, LLC (AmerGen) hereby requests the following amendment to Appendix A, Technical Specifications (TS), of Facility Operating License No. NPF-62 for Clinton Power Station (CPS), Unit 1. Specifically, the proposed change will revise TS 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," Table 3.3.1.1-1, "Reactor Protection System Instrumentation," Function 8, "Scram Discharge Volume Water Level - High," item b, "Float Switch," by replacing Surveillance Requirement (SR) 3.3.1.1.9 with SR 3.3.1.1.12. This change will effectively revise the surveillance frequency for the scram discharge volume (SDV) level float switch from every 92 days to every 24 months. This risk based amendment request is supported by an evaluation of the change in core damage and large early release frequencies with respect to NRC Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis,"

guidance. This change is being requested to reduce personnel radiation exposure that is inherent in the current surveillance frequency that requires containment entry at power.

The information supporting the proposed TS changes is subdivided as follows.

Attachment 1 provides an evaluation of the proposed change.

Attachment 2 contains the copy of the marked up TS page.

Attachment 3 contains the marked up TS Bases pages provided for information only.

Attachment 4 provides the risk assessment supporting the proposed changes.

,4oo(

January 26, 2007 U. S. Nuclear Regulatory Commission Page 2 The proposed TS changes have been reviewed by the CPS Plant Operations Review Committee and approved by the Nuclear Safety Review Board in accordance with the AmerGen Quality Assurance Program and associated procedures. No new regulatory commitments are established by this submittal.

AmerGen is notifying the State of Illinois of this application for amendment to the TS by transmitting a copy of this letter and its attachments to the designated State Official.

AmerGen requests approval of the proposed changes by January 31, 2008. Once approved, the amendment shall be implemented within 60 days.

Should you have any questions concerning this submittal, please contact Mr. Timothy A. Byam at (630) 657-2804.

I declare under penalty of perjury that the foregoing is true and correct. Executed on the 26th day of January 2007.

Very truly yours, Thomas S. O'Neill Vice President - Regulatory Affairs : Evaluation of Proposed Change : Mark-up of Proposed Technical Specification Page Changes : Mark-up of Technical Specification Bases Page Changes (For Information Only) : Clinton Power Station Scram Discharge Volume Level Instrument Surveillance Interval Extension Risk Assessment

ATTACHMENT 1 Evaluation of Proposed Change

Subject:

Request for Amendment to Technical Specification 3.3.1.1, "Reactor Protection System (RPS) instrumentation" Scram Discharge Volume Level Instrument Surveillance Requirements

1.0 INTRODUCTION

2.0 DESCRIPTION

OF PROPOSED AMENDMENT

3.0 BACKGROUND

4.0 TECHNICAL ANALYSIS

5.0 REGULATORY ANALYSIS

5.1 No Significant Hazards Consideration 5.2 Regulatory Requirements and Criteria

6.0 ENVIRONMENTAL CONSIDERATION

7.0 PRECEDENTS

8.0 REFERENCES

Page 1 of 10

ATTACHMENT 1 Evaluation of Proposed Change

1.0 INTRODUCTION

In accordance with 10 CFR 50.90, "Application for amendment of license or construction permit," AmerGen Energy Company, LLC (AmerGen) hereby requests the following amendment to Appendix A, Technical Specifications (TS), of Facility Operating License No. NPF-62 for Clinton Power Station (CPS), Unit 1. Specifically, the proposed change will revise TS 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," Table 3.3.1.1-1, "Reactor Protection System Instrumentation," Function 8, "Scram Discharge Volume Water Level - High," item b, "Float Switch," by replacing Surveillance Requirement (SR) 3.3.1.1.9 with SR 3.3.1.1.12. This change will effectively revise the surveillance frequency for the scram discharge volume (SDV) level float switch from every 92 days to every 24 months. This risk based amendment request is supported by an evaluation of the change in core damage and large early release frequencies with respect to NRC Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis,"

guidance (Reference 1). This change is being requested to reduce personnel radiation exposure that is inherent in the current surveillance frequency that requires containment entry at power.

2.0 DESCRIPTION

OF PROPOSED AMENDMENT The proposed change will revise the TS Table 3.3.1.1-1 Function 8, item b applicable surveillance requirements to replace SR 3.3.1.1.9 with SR 3.3.1.1.12. provides the marked up TS page indicating the proposed change. Attachment 3 provides a marked up TS Bases pages. The TS Bases pages are provided for information only and do not require NRC approval.

3.0 BACKGROUND

The RPS initiates a reactor scram when one or more monitored parameters exceed their specified limit, to preserve the integrity of the fuel cladding and the Reactor Coolant System (RCS), and minimize the energy that must be absorbed following a loss of coolant accident (LOCA) or other transients requiring a scram. This can be accomplished either automatically or manually.

The RPS, as described in the CPS Updated Safety Analysis Report (USAR), Section 7.2, includes sensors, trip modules, bypass circuits, and switches that are necessary to cause initiation of a reactor scram. One of the input parameters to the scram logic is from instrumentation that monitors SDV water level.

The SDV receives the water displaced by the motion of the CRD pistons during a reactor scram.

Should this volume fill to a point where there is insufficient volume to accept the displaced water, control rod insertion would be hindered. Therefore, a reactor scram is initiated when the remaining free volume is still sufficient to accommodate the water from a full core scram.

Page 2 of 10

ATTACHMENT 1 Evaluation of Proposed Change SDV water level is measured by two diverse methods. The level in the SDV is measured by four float type level switches and four transmitters and associated analog trip modules for a total of eight level signals. The outputs of these devices are arranged so that there is a signal from a level switch and a transmitter and associated analog trip module to each trip logic division. One channel of each type of Scram Discharge Volume Water Level - High Function associated with each of the four trip logic divisions is required to be Operable to ensure that no single instrument failure will preclude a scram from these Functions on a valid signal.

In accordance with TS Table 3.3.1.1-1 Function 8, SR 3.3.1.1.9 and SR 3.3.1.1.10 are required to be completed for the transmitters in Modes 1, 2, and 5. In addition, SR 3.3.1.1.9 is required to be completed for the float switches in Modes 1, 2, and 5. SR 3.3.1.1.9 requires that a Channel Functional Test be performed on each required channel every 92 days. The Channel Functional Test is performed to ensure that the entire channel will perform the intended function.

SR 3.3.1.1.10 requires that the analog trip modules be calibrated every 92 days to provide a check of the actual trip setpoints. The channel must be declared inoperable if the trip setting is discovered to be less conservative than the Allowable Value specified in TS Table 3.3.1.1-1. If the trip setting is discovered to be less conservative than accounted for in the appropriate setpoint methodology, but is not beyond the Allowable Value, the channel performance is still within the requirements of the plant safety analysis. Under these conditions, the setpoint must be readjusted to be equal to or more conservative than accounted for in the appropriate setpoint methodology.

4.0 TECHNICAL ANALYSIS

4.1 Surveillance Test History A review of recent surveillance test history and condition reports entered into the corrective action program was completed to determine whether the as-found condition of the affected instrumentation trip settings were less conservative than the Allowable Value specified for TS Table 3.3.1.1-1 Function 8.b. For Function 8.b, SDV water level is measured by four float switches (1C11-NO13A through D). To satisfy SR 3.3.1.1.9, CPS procedures 9431.22, "SDV High Water Level Float Switch C11 -NO1 3A (B, C, D) Channel Calibration," and 9531.22, "SDV High Water Level Float Switch C11-NO13A, (B, C, D)

Channel Functional," are performed. These surveillances have routinely shown that the as-found condition of the instruments has not required readjustment. Surveillance test results from the past 12 quarters have been reviewed and it was determined that the as-found condition of the four float switches have been found to be within the acceptance criteria specified in the surveillance test procedures. In addition, the float switches are mechanical devices that are not subject to instrument setpoint drift and furthermore have not been subject to failures requiring mechanical adjustment during this period.

4.2 Dose Evaluation AmerGen has performed a review of the dose associated with the performance of SR 3.3.1.1.9 every 92 days. This review indicated that the dose received for each performance of the surveillance is approximately 50 mrem. Therefore, based on Page 3 of 10

ATTACHMENT 1 Evaluation of Proposed Change performance of the channel functional test of the float switches every 92 days, the total dose associated with this surveillance in a given cycle is approximately 400 mrem. By extending the surveillance interval to once every 24 months (i.e., once per cycle) the dose reduction per cycle would be approximately 350 mrem.

4.3 Risk Evaluation The proposed change is evaluated to determine that current regulations and applicable requirements continue to be met, that adequate defense-in-depth and sufficient safety margins are maintained, and that any increase in core damage frequency (CDF) or large early release frequency (LERF) is small and consistent with the NRC Safety Goal Policy Statement, USNRC, "Use of Probabilistic Risk Assessment Methods in Nuclear Activities:

Final Policy Statement," Federal Register, Volume 60, p.42622, August 16, 1995.

A risk analysis was performed to evaluate the risk significance of extending the TS surveillance interval for the SDV level instruments. As noted above, these instruments provide a reactor scram on high scram discharge volume level in order to ensure that the reactor is scrammed before the volume fills with water to the point that it cannot accommodate a scram. This supporting evaluation calculated the change in frequency of Anticipated Transient Without Scram (ATWS) events due to surveillance interval extensions for these instruments and evaluated the change in CDF and LERF with respect to NRC Regulatory Guide 1.174 (Reference 1).

The risk impact of the proposed change has been evaluated and found to be acceptable.

The calculated risk increases, as described below, are very small as characterized by Reference 1.

The effect on risk of the requested extension in surveillance interval for the SDV Water Level - High Function instruments has been evaluated using Regulatory Guide 1.177, "An Approach for Plant-Specific Risk-Informed Decisionmaking: Technical Specifications,"

(Reference 2).

Risk-informed support for the proposed change is based on probabilistic risk assessment (PRA) calculations performed to quantify the change in CDF and LERF resulting from the extension of the SDV Water Level - High Function channel functional test surveillance interval.

The CPS PRA model and documentation has been maintained current and is routinely updated to reflect the current plant configuration following refueling outages and to reflect the accumulation of additional plant operating history and component failure data. The Level 1 and Level 2 CPS PRA analyses were originally developed and submitted to the NRC in September, 1992 as the Clinton Power Station Individual Plant Examination (IPE)

Submittal (Reference 4). The CPS PRA has been updated several times since the original IPE.

The CPS internal events PRA model of record (i.e., CL06B) was used to perform this assessment. The base results are as follows.

Page 4 of 10

ATTACHMENT 1 Evaluation of Proposed Change CDF: 6.47E-6/yr (1E-1 1 truncation limit)

LERF: 1.56E-7/yr (1E-12 truncation limit)

The CPS PRA model used includes a detailed Level 1 and Level 2 PRA. The quality is more than sufficient for this risk assessment.

Like most industry PRAs, the RPS is not modeled in detail in the CPS PRA. Due to the extensive redundancy and diversity of the design, the RPS and control rod drive (CRD) mechanisms are highly reliable and are modeled in the CPS PRA with a failure probability distributed between the electrical and mechanical portions of the system. The failure probabilities used in the CPS PRA for the mechanical and electrical failure to scram events are based on generic industry precursor data for reactor trip failures, as documented in NUREG/CR-5500, "Reliability Study: General Electric Reactor Protection System, 1984 - 1995," (Reference 3).

The SDV level instrumentation is not a primary or expected means of initiating a reactor trip in Boiling Water reactors (BWRs). The Reference 3 reliability study estimates that SDV events contribute less than 1% to the overall RPS unavailability (i.e., the early SDV operating experience events are no longer significant risk contributors to General Electric BWR RPS unavailability). The majority of legitimate demands on this RPS input are a result of SDV level increases from flow through the CRDs following a reactor trip due to other causes. Failure of the SDV level instruments during these conditions would not result in a failure to scram or ATWS; rather, the principal purpose of the SDV level instruments is to assure that any flow to the SDVs prior to a legitimate reactor trip for other reasons is not sufficient to prevent full insertion of control rods.

This analysis followed the guidance provided in References 1 and 2. Consistent with the guidance in these Regulatory Guides, this analysis used the following risk acceptance guidelines provided in Reference 1.

Quantitative Criteria Acceptance Guideline ACDF [ ALERF Region I: No Changes Allowed >1 E-5/yr >1 E-6/yr Region I1: Small Change in Risk 1E-6/yr to 1E-5/yr 1E-7/yr to 1E-6/yr Region IIl: Very Small Change in Risk <1E-6/yr <1E-7/yr The risk analysis was performed using the current version of the full-power internal events PRA. Given the very small risk impact of the proposed changes, external events were addressed qualitatively.

Consistent with the guidance in Reference 2 for surveillance test interval extension amendment requests, this assessment considered both test-limited risk and test-caused Page 5 of 10

ATTACHMENT 1 Evaluation of Proposed Change risk. The risk contribution associated with surveillance test intervals is primarily due to the possibility that the surveilled equipment will fail between consecutive surveillance tests.

This contribution is referred to as "test-limited" risk in Reference 2. This aspect of the risk contribution was addressed in this risk analysis in the calculation of SDV level instrumentation failure rates using the Standby Failure Rate model. The Standby Failure Rate model uses the time between tests as an input in the determination of component unavailabilities.

This risk assessment included development of a fault tree that models the contribution of SDV events to RPS failure (see attachment 4 to this letter). The fault tree was calculated for the quarterly test configuration and for the 24-month test configuration. The delta increase in the SDV fault tree results was used to modify the RPS mechanical failure probability in the overall CPS model CDF and LERF fault trees.

The Reference 2 term "test-caused" risk refers to risk contributions associated with adverse effects of test errors, in this case, inadvertently induced scram. The effect of test-caused errors on transient frequencies is an inverse function (i.e., longer test intervals result in reductions in test-caused transient frequencies). This impact of reduced plant transient frequencies due to extension of the surveillance test interval was conservatively not credited in this analysis.

The results of the quantification of the SDV level instrumentation impact on the CPS risk profile are as follows.

Quarterly 24-Month Test Interval Test Interval Risk Metric (Base) (LAR) Change RPS Unavailability due to SDV High Level 4.166E-8 9.129E-8 4.96E-8 Core Damage Frequency (CDF) 6.466E-6/yr 6.472E-6/yr 6.OE-9/yr Large Early Release Frequency (LERF) 1.564E-7/yr 1.576E-7/yr 1.2E-9/yr This risk assessment estimated the increase in CDF and LERF due to the proposed change to extend the current 3-month surveillance interval for the SDV water level instruments to a 24-month interval. The changes in CDF and LERF are as follows.

ACDF = 6.OE-9/yr ALERF = 1.2E-9/yr These quantitative risk results fall into the Reference 1 Region III risk category (i.e., "very small" risk impact) with significant margin. Therefore, the proposed change is acceptable from a risk perspective without the need for special compensatory actions. A detailed summary of this assessment is provided in Attachment 4.

Page 6 of 10

ATTACHMENT 1 Evaluation of Proposed Change

5.0 REGULATORY ANALYSIS

5.1 NO SIGNIFICANT HAZARDS CONSIDERATION AmerGen Energy Company, LLC (AmerGen) has evaluated whether or not a significant hazards consideration is involved with the proposed amendment to Facility Operating License No. NPF-62 for Clinton Power Station (CPS), Unit 1 by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of amendment," discussed below.

The proposed change will revise Technical Specification (TS) 3.3.1.1, "Reactor Protection System (RPS) Instrumentation," Table 3.3.1.1-1, "Reactor Protection System Instrumentation,"

Function 8, "Scram Discharge Volume Water Level - High," item b, "Float Switches," by replacing Surveillance Requirement (SR) 3.3.1.1.9 with SR 3.3.1.1.12. This change will effectively revise the surveillance frequency for the scram discharge volume (SDV) level float switch from every 92 days to every 24 months. This risk based amendment request is supported by an evaluation of the change in core damage and large early release frequencies with respect to NRC Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis,"

guidance. This change is being requested to reduce personnel radiation exposure that is inherent in the current surveillance frequency that requires containment entry at power.

1. Does the proposed amendment involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed TS change involves a change in the surveillance frequency for the SDV water level float switch channel functional test. The proposed TS change does not physically impact the plant. The proposed change does not affect the design of the SDV water level instruments, the operational characteristics or function of the instruments, the interfaces between the instruments and the RPS, or the reliability of the SDV water level instruments.

The proposed TS change does not degrade the performance of, or increase the challenges to, any safety systems assumed to function in the accident analysis. As noted in the Bases to TS 3.3.1.1, even though the two types of SDV Water Level - High Functions are an input to the RPS logic, no credit is taken for a scram initiated from these functions for any of the design basis accidents or transients evaluated in the CPS Updated Safety Analysis Report (USAR). An inoperable SDV water level instrument is not considered as an initiator of any analyzed event. The proposed TS change does not impact the usefulness of the SRs in evaluating the operability of required systems and components, or the way in which the surveillances are performed. In addition, the frequency of surveillance testing is not considered an initiator of any analyzed accident, nor does a revision to the frequency introduce any accident initiators. Therefore, the proposed change does not involve a significant increase in the probability of an accident previously evaluated.

The consequences of a previously analyzed event are dependent on the initial conditions assumed in the analysis, the availability and successful functioning of equipment assumed to operate in response to the analyzed event, and the setpoints at which these actions are initiated. The consequences of a previously evaluated accident are not significantly Page 7 of 10

ATTACHMENT 1 Evaluation of Proposed Change increased by the proposed change. The proposed change does not affect the performance of any equipment credited to mitigate the radiological consequences of an accident. The risk assessment of the proposed changes has concluded that there is an insignificant increase in the core damage frequency as well as the total population dose rate. Historical review of surveillance test results and associated maintenance records did not find evidence of failures that would invalidate the above conclusions.

Therefore, the proposed change does not alter the ability to detect and mitigate events and, as such, does not involve a significant increase in the consequences of an accident previously evaluated.

2. Does the proposed amendment create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No.

The proposed TS change does not introduce any failure mechanisms of a different type than those previously evaluated, since there are no physical changes being made to the facility.

No new or different equipment is being installed. No installed equipment is being operated in a different manner. There is no change being made to the parameters within which CPS is operated. There are no setpoints at which protective or mitigative actions are initiated that are affected by this proposed action. The change does not alter assumptions made in the safety analysis. This proposed action will not alter the manner in which equipment operation is initiated, nor will the function demands on credited equipment be changed. No alteration in the procedures, which ensure the unit remains within analyzed limits, is proposed, and no change is being made to procedures relied upon to respond to an off-normal event. As a result, no new failure modes are being introduced. The way surveillance tests are performed remains unchanged. A historical review of surveillance test results and associated maintenance records indicated there was no evidence of any failures that would invalidate the above conclusions.

Therefore, the proposed change does not create the possibility of a new or different kind of accident from any previously evaluated.

3. Does the proposed amendment involve a significant reduction in a margin of safety?

Response: No.

Margins of safety are established in the design of components, the configuration of components to meet certain performance parameters, and in the establishment of setpoints to initiate alarms or actions. The proposed TS change involves a change in the surveillance frequency for the SDV water level float switch channel functional test. There is no change in the design of the affected systems, no alteration of the setpoints at which alarms or actions are initiated, and no change in plant configuration from original design. The proposed change does not significantly impact the condition or performance of structures, systems, and components relied upon for accident mitigation. The proposed change does not result Page 8 of 10

A'TACHMENT 1 Evaluation of Proposed Change in any hardware changes or in any changes to the analytical limits assumed in accident analyses. Existing operating margin between plant conditions and actual plant setpoints is not significantly reduced due to these changes. The proposed change does not significantly impact any safety analysis assumptions or results.

AmerGen has conducted a risk assessment to determine the impact of a change to the SDV water level instrument surveillance frequency from the current once every 92 days to once every 24 months for the risk measures of Core Damage Frequency (CDF) and Large Early Release Frequency (LERF). This assessment indicated that the proposed CPS surveillance frequency extension has a very small change in risk to the public and is an acceptable plant change from a risk perspective.

Therefore, the proposed change does not involve a significant reduction in a margin of safety.

5.2 Regulatory Requirements/Criteria The proposed change has been evaluated to determine whether applicable regulations and requirements continue to be met. To fully evaluate the effect of the proposed extension in the SDV Water Level - High Function surveillance intervals, PRA methods and a deterministic analysis were utilized. AmerGen has determined that the proposed change does not require any exemptions or relief from regulatory requirements, other than the Technical Specifications, and does not affect conformance with any General Design Criteria (GDC) differently than described in the CPS USAR.

Regulatory requirement 10 CFR 50.36, 'Technical specifications," provides the content required in a licensee's TS. Specifically, 10 CFR 50.36(c)(3) requires that the TS include surveillance requirements. The proposed SR frequency changes continue to support the requirements of 10 CFR 50.36(c)(3) to assure that the necessary quality of systems and components is maintained, that facility operation will be within safety limits, and that the limiting conditions for operation are met.

Applicable regulatory requirements will continue to be met, adequate defense-in-depth will be maintained, sufficient safety margins will be maintained, and any increase in plant risk is very small and consistent with the NRC "Safety Goals for the Operations of Nuclear Power Plants; Policy Statement," Federal Register, Vol.51, p.30028 (51 FR 30028), August 4, 1986, as interpreted by NRC Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," and Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk-Informed Decision-Making:

Technical Specifications." The guidelines of Regulatory Guide 1.177 for the increased SDV water level instrument surveillance interval have been met. The evaluation of changes in CDF and LERF due to the longer surveillance interval have been shown to meet the risk significance criteria of Regulatory Guide 1.174 with substantial margin.

In conclusion, based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the NRC regulations, and (3)

Page 9 of 10

ATTACHMENT 1 Evaluation of Proposed Change the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

6.0 ENVIRONMENTAL CONSIDERATION

A review has determined that the proposed amendment would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20, "Standards for Protection Against Radiation," or would change an inspection or surveillance requirement. However, the proposed amendment does not involve: (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the proposed amendment meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22 (c) (9), "Criterion for categorical exclusion; identification of licensing and regulatory actions eligible for categorical exclusion or otherwise not requiring environmental review." Therefore, pursuant to 10 CFR 51.22 (b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendment.

7.0 PRECEDENT The proposed amendment incorporates into the CPS TS a change that is similar to the change approved by the NRC for the Hatch Nuclear Plant, Units 1 and 2 on April 15, 1994 (Reference 5).

8.0 REFERENCES

1) Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," Revision 1, dated November 2002

2) Regulatory Guide 1.177, "An Approach for Plant-Specific Risk-Informed Decisionmaking: Technical Specifications," dated August 1998

3) NUREG/CR-5500, "Reliability Study: General Electric Reactor Protection System, 1984

- 1995," Volume 3, dated May 1999

4) Letter from J. S. Perry (Illinois Power Company) to U.S. NRC, "Response to Generic Letter 88-20, Supplement 1,," dated September 23, 1992

5) Letter from U. S. NRC to Mr. J. T. Beckham (Georgia Power Company), "Issuance of Amendments - Edwin I. Hatch Nuclear Plant, Units 1 and 2 (TAC Nos. M87803 and M87804)," dated April 15, 1994 Page 10 of 10

ATTACHMENT 2 Mark-up of Proposed Technical Specification Page Changes Revised Technical Specification Page 3.3-9

RPS Instrumentation 3.3.1.1 Table :3.3.1.1-1 (page .3 of 3)

ReactoLr rPotectior ystem Inst Lulmefntation A'P'LI:ABLE C('NDIT IONS M(D[)ES OR REQUIRED REFERENCED OTHER CHANNELS FROM SFE(IFIED PER REQUI RED SURVEILLANCE ALLOWABLE FUNCTION CONDITIONS FUNCTION ACTION D. 1 REQUIREMENTS VALUE

3. .Scram Dischacqe Volume Water Level-High (cont illnue )

b. Float Switch 4 H SR ~ L~ 763 ft. 3-1/4

,R 1 1:3 iicw S 1 for SR 3.3.1.1.15 1C1-NO1.3A,B and :5 763 ft.

1-11/16 inches msl for ICII-N013C, [

SR 023 3ý 1. 1i 9 < 76:3 ft. :3-1/4 inches msl for SR :3. 3. 1. 1.15 lC11-NO13A, B and

• 763 ft.

1-11/16 inches msl for iCIl-NO13C, D

9. Turbine Stop Valve Closure. > 3:3.3% RTE 4 E 3SR 3. 3. 1. 1. 9  :< 7% close:d SR 3.3.1. 1.13 SR 3.3. 1. 1.15 SR 3.3. 1 .1. 16 SR :3.3. 1. 1. 17

10. TublLine ContVrol Valve > 3.3.3t RTP 4 E SR 3.3. 1. 1. 9 > 465 psici Fast Closure, Trip Oil SR 3.3.1.1.13 I Lressure-Low SR 3.3.1.1.15 SR 3.3. 1. 1. 16 SR 3.3. 1.1.17 1i. Reactor Mode 1,2 SR 3.3.1.1.12 NA Switch-Shutdown Posit ion SR 3.3.1.1.15 F (a)

I SR 3.3.1.1.12 NA SR 3.3.1.1.15

12. Manual Scram 1,2 4 H SR 3.3.1.1.9 NA SR 3.3.1.1.15 5 (a) 4 I SR 3.3.1.1.9 NA SR 3.3.1.1.15 (a) With any control rod withdrawn from a core cell containing one Lormore fuel assemblies.

CLINTON 3.3-9 3Amendment No. 149

A'TACHMENT 3 Mark-up of Technical Specification Bases Page Changes (For Information Only)

Revised Technical Specification Bases Pages B 3.3-27 B 3.3-30a

RPS Instrumentation B 3.3.1.1 BASES SURVEILLANCE SR 3.3.1.1.9 and SR 3.3.1.1.12 (continued)

REQUIREMENTS The 24 month Frequency s based on the need to perform this Surveillance under the conditions that apply during a plant outage and the potential for an unplanned transient if the g&1~J-V Surveillance were performed with the reactor at power.

Operating experience has shown that these com o ents usually pass the Surveillance.

The calibration of analog trip modules provides a check of Z> 5. L, the actual trip setpoints. The channel must be declared inoperable if the trip setting is discovered to be less conservative than the Allowable Value specified in Table 3.3.1.1-1. If the trip setting is discovered to be less conservative than accounted for in the appropriate setpoint methodology, but is not beyond the Allowable Value, the channel performance is still within the requirements of the plant safety analysis. Under these conditions, the setpoint must be readjusted to be equal to or more conservative than accounted for in the appropriate setpoint methodology.

The Frequency of 92 days for SR 3.3.1.1.10 is based on the reliability analysis of Reference 9.

SR 3.3.1.1.11 and SR 3.3.1.1.13 A CHANNEL CALIBRATION is a complete check of the instrument loop and the sensor. This test verifies the channel responds to the measured parameter within the necessary range and accuracy. CHANNEL CALIBRATION leaves the channel adjusted to account for instrument drifts between successive calibrations consistent with the plant specific setpoint methodology.

The SR 3.3.1.1.13 calibration for selected Functions is modified by a Note as identified in Table 3.3.1.1-1. This Note, which applies only to those Functions identified in Table 3.3.1.1-1, is divided into three parts. Part 1 of the Note requires evaluation of instrument performance for the condition where the as-found setting for these instrument channels is outside its As-Found Tolerance (AFT) but conservative with respect to the Allowable Value.

Evaluation of instrument performance will verify that the instrument will continue to behave in accordance with design-basis assumptions. The purpose of the assessment is to ensure confidence in the instrument performance prior to returning the instrument to service. Initial evaluation will be performed by the technician performing the surveillance who will evaluate the instrument's ability to (continued)

CLINTON B 3.3-27 Revision No. 10-7

RPS Instrumentation B 3.3.1.1 BASES REFERENCES 1. USAR, Section 7.2.

2. USAR, Section 5.2.2.

3. USAR, Section 6.3.3.

4. USAR, Chapter 15.

5. USAR, Section 15.4.1.2.

6. NEDO-23842, "Continuous Control Rod Withdrawal in the Startup Range," April 18, 1978.

7. USAR, Section 15.4.9.

8. Letter, P. Check (NRC) to G. Lainas (NRC), "BWR Scram Discharge System Safety Evaluation," December 1, 1980, as attached to NRC Generic Letter dated December 9, 1980.

9. NEDO-30851-P-A, "Technical Specification Improvement Analyses for BWR Reactor Protection System,"

March 1988.

10. NEDO-32291-A, "System Analyses for Elimination of Selected Response Time Testing Requirements," January 1994.

11. Calculation IP-0-0002.

412. Calculation IP-0-0024.

CLINTON B 3.3-30a Revision No. 4-6

ATTACHMENT 3 Mark-up of Technical Specification Bases Page Changes (For Information Only)

Insert #1 (Bases page B 3.3-27):

The 24-month Frequency for the Scram Discharge Volume float switch channel functional test is based on a plant-specific risk analysis documented in Reference 13. This analysis demonstrated that a surveillance test interval of 24 months resulted in a very small increase in core damage frequency and large early release frequency. In addition, this frequency supports optimizing radiological exposures as low as reasonably achievable.

Insert #2 (Bases page B 3.3-30a):

13. Risk Management Document No. 1073, "Scram Discharge Volume Level Instrument Surveillance Interval Extension Risk Assessment," dated November 17, 2006.

ATTACHMENT 4 Clinton Power Station Scram Discharge Volume Level Instrument Surveillance Interval Extension Risk Assessment

RM Documentation Approval RM DOCUMENTATION NO. 1073 REV: I PAGE NO. 1 STATION: Clinton UNIT(S) AFFECTED: Unit I TITLE: Scram Discharge Volume Level Instrument Surveillance Interval Extension Risk Assessment

SUMMARY

(Include UREs incorporated):

This risk study was performed to evaluate the risk significance of extending the Techtical Specification surveillance intervals for the Scram Discharge Level Instruments. These instruments provide a reactor scram on high scram discharge volume high level in order to ensure that the reactor is scrammed before the volume fills with water to the point that it can not accommodate a scram. This study calculates the change Infrequency of ATWS events due to surveillance interval extensions for these instruments and evaluates the change In Core Damage and Large Early Release Frequency with respect to NRC Regulatory Guide 1.174 guidance.

The impact on CDF and LERF falls into the RG 1.174 Region III risk category, "Very Small" risk impact.

As such, the proposed LAR amendment is acceptable from a risk perspective without the need for special compensatory actions.

Internal RM Documentation Electronic Calculation Data Files: See body of the documenta Prepared by: Vincent Andersen Print, I .. >I/117/0(v Sign Date Reviewed by: Lan Lee, ....... . I 00 Print Sign Date Method of Review: [X] Detailed [ ] Alternate This RM documentation supersedes: N/A In Its entirety.

Approved by: greg Krueger//7 7 $

Printat External RM Documentat0n Reviewed by: . ......... _ / /

Print Sign Date Approved by: __ __ __ _ /

Print Sign Date Do any ASSUMPTIONS / ENGINEERING JUDGEMENTS require later verification? [ ] Yes [X] No Tracked By: AT#, URE# etc.)________________ _,_. ........

1

1.0 PURPOSE This risk study was performed to evaluate the risk significance of extending the Technical Specification surveillance intervals for the Scram Discharge Level Instruments, as outlined in Technical Specification Section 3.3.1.1, Table 3.3.1.1-1, item 8 [Ref. 1]. These instruments provide a reactor scram on high scram discharge volume high level in order to ensure that the reactor is scrammed before the volume fills with water to the point that it can not accommodate a scram. This study calculates the change in frequency of ATWS events due to surveillance interval extensions for these instruments and evaluates the change in Core Damage and Large Early Release Frequency with respect to NRC Regulatory Guide 1.174 guidance.

2.0 BACKGROUND

Operating events in the late 1970s and early 1980s identified the potential for inadvertent filling of the SDV and in one case resulting in the inability to scram 76 of 185 rods at the Browns Ferry Plant [Ref. 2]. Investigation into the causes of this event led to the issuance of Generic Letter 81-18 [Ref. 3], which contains operating and design criteria for BWR Scram Discharge Volumes.

Like most industry PRAs, the reactor protection system (RPS) is not modeled in detail in the Clinton PRA. Due to the extensive redundancy and diversity of the design, the RPS and CRD mechanisms are highly reliable and are modeled as "super components" in the CPS PRA with a failure probability distributed between the electrical and mechanical portions of the system. The failure probabilities used in the CPS PRA for the mechanical and electrical failure to scram events are based on generic industry precursor data for reactor trip failures, as documented in NUREG/CR-5500 [Ref. 4].

SDV level instrumentation is not a primary or expected means of initiating a reactor trip in BWRs.

The NUREG/CR-5500 RPS reliability study estimates that SDV events contribute less than 1% to the overall RPS unavailability (i.e., the early SDV operating experience events are no longer significant risk contributors to General Electric BWR RPS unavailability). The majority of legitimate demands on this RPS input are a result of SDV level increases from flow through the control rod drives following a reactor trip due to other causes. Failure of the SDV level instruments during these conditions would not result in a failure to scram or ATWS; rather, the principal purpose of the SDV level instruments is to assure that any flow to the SDVs prior to a legitimate reactor trip for other reasons is not sufficient to prevent full insertion of control rods.

3.0 APPROACH Risk Metrics and Criteria This analysis follows the guidance provided in NRC Regulatory Guide 1.174 [Ref. 12] and NRC Regulatory Guide 1.177 [Ref. 13]. Consistent with the guidance in these Regulatory Guides, this analysis uses the following risk acceptance guidelines provided in NRC Regulatory Guide 1.174:

Quantitative Criteria Acceptance Guideline AGDF ALERF RG 1.174 Region I: No Changes Allowed >1E-5/yr >1E-6/yr RG 1.174 Region II: Small Change in Risk 1E-6/yr to 1E-5/yr 1E-7/yr to 1E-6/yr RG 1.174 Region III: Very Small Change in Risk <1E-6/yr <1E-7/yr The ACDF risk metric is calculated as the proposed LAR configuration CDF (i.e., extension of the SDV level instrument surveillances from once per quarter to once per 24 months) minus the CPS 2

base CDF. Similarly, the ALERF risk metric is calculated as the proposed LAR configuration LERF minus the CPS base LERF.

General Approach This risk analysis is performed using the CPS CL06B full-power internal events PRA. Given the very small risk impact of the proposed LAR, external events are discussed qualitatively.

Shutdown risk assessment is not included in this analysis as it is not impacted by the proposed LAR.

Consistent with the guidance provided in Regulatory Guide 1.177 for surveillance test interval extension LARs, this risk assessment considers both of the following:

• Test-limited risk

• Test-caused risk The risk contribution associated with surveillance test intervals is primarily due to the possibility that the surveilled equipment will fail between consecutive surveillance tests. This contribution is referred to as "test-limited" risk in Regulatory Guide 1.177. This aspect of the risk contribution is addressed in this risk analysis in the calculation of SDV level instrumentation failure rates using the Standby Failure Rate model. The Standby Failure Rate model uses the time between tests as an input in the determination of component unavailabilities.

As the RPS function is modeled in the CPS PRA as a super component, this risk assessment includes development of a fault tree that models the contribution of SDV events to RPS failure.

This fault tree contains two major sub-trees that model:

• Frequency of filling SDV

• Probability of failure to scram given high SDV level This fault tree is calculated for the quarterly test configuration, and for the 24-month test configuration. The delta increase in the SDV fault tree results is used to modify the RPS mechanical failure probability in the CL06B CDF and LERF fault trees.

The RG 1.177 term "test-caused" risk refers to risk contributions associated with adverse effects of test errors, in this case, inadvertently induced scram. The effect of test-caused errors on transient frequencies is an inverse function (i.e., longer test intervals result in reductions in test-caused transient frequencies). This impact of reduced plant transient frequencies due to extension of the surveillance test interval is conservatively not credited in this analysis.

PRA Quality The CPS 2006B internal events PRA model of record (CL06B) is used to perform this calculation.

The CL06B base results are:

• CDF: 6.47E-6/yr @1E-11 truncation limit

• LERF: 1.56E-7/yr @1E-12 truncation limit The quality of the CL06B is more than sufficient for this risk assessment. The CL06B PRA includes a detailed Level 1 PRA and Level 2 PRA. Refer to the CL06B PRA Quantification Notebook for details on the quality attributes of the CPS PRA.

4.0 ANALYSIS The section discusses the following major steps of the risk analysis:

3

• Development of SDV fault tree

• Data analysis

• Quantification of ACDF and ALERF 4.1 Development of SDV Fault Tree The Scram Discharge Volume (SDV) is part of the reactor scram discharge circuit. Two SDV tanks receive reactor water displaced from the top side of the control rod drive piston upon rod insertion during a scram. The tanks have the capacity to receive reactor water displaced from all the control rod drives upon reactor scram. The SDVs share two drain (FO11 & F181) valves in series and two vent valves (F180 & F010) in series. The vent and drain valves are normally opened to ensure that SDVs are empty and thus have adequate capacity to receive reactor water discharged from the control rod drives upon reactor scram.

Because maintaining adequate capacity in the SDV is important, the SDVs are equipped with four sets of level instruments (Division A, B, C & D) to detect high level in the SDVs. A level transmitter and a level switch comprise of one set of instrumentation. The level switch and level

-transmitter provide redundant and diverse level monitoring. The level switch initiates upon high SDV level via a float on the surface of the water in the SDV while the level transmitter initiates on pressure differential between the top and bottom of SDV. Division A and B monitor level in SDV A and Division C and D monitor level in SDV B. Because the two volumes are well connected through common drain and vent lines, they effectively act as one volume (i.e. water will seek the same level in both). Upon detecting high level on 2 of 4 divisions, a scram signal is generated to open all scram valves to rapidly insert all control rods into the reactor.

When a scram signal is received, the scram valves (2 for each CRDM) open and the scram header vent and SDV drain valves close. In this configuration, the water side of the accumulator is connected to the under-piston water port, and the over-piston water port is connected to the scram discharge circuit which is closed. Pressurized nitrogen in the accumulator or reactor pressure itself force water into the under piston portion of the Control Rod Drive Mechanism and exert an upward force on the piston. As the control rod piston inserts, the displaced water flows through the other scram valve and into the scram discharge circuit to the SDVs. The capacity of the SDV is adequate to receive the discharge from all control rod water displaced.

The function of interest associated with the SDV is to receive reactor water from the CRD drives during reactor scram. Failure to provide adequate capacity for the displaced water would lead to failure to scram the reactor. To ensure SDVs have the capacity to receive the volume of water discharged, SDV level must be below the high level scram setpoint. If the setpoint is reached, a scram would be initiated by 2 of the 4 level instrumentation divisions. A SDV high level initiated scram would preclude failure of a subsequent required reactor scram.

A fault tree is developed as part of this risk assessment to model the contribution of SDV events to RPS failure. This fault tree contains two major sub-trees that model:

• Frequency of filling SDV

• Probability of failure to scram given high SDV level Each of these sub-trees is discussed below. Refer to Attachment A of this analysis for more detail on the development of the SDV fault tree.

Frequency of Filling the SDV The usual method of supplying water to the SDVs is from a successful reactor scram; however, in this case, a reactor trip signal has already been provided and control rods are already in the 4

process of insertion. For the SDV level instrumentation to provide the initial reactor trip signal, water addition to the SDV must have occurred due to other reasons.

The following potential sources of water being present in one or both of the SDVs while the reactor is still at power have been considered in developing the SDV fault tree (those sources explicitly included in the fault tree model are highlighted in bold type):

• Flow from the reactor

- Large flow rates

-- Slow scram from a loss of instrument air

-- Multiple scram outlet valves fail open simultaneously

- Small flow rates

-- Scram valve leakage during extended operation with the SDV drain valves closed

• Backflow through SDV drain or vent valves from

- Lines connected to the vent or drain lines to the sump (n/a to CPS, refer to Attachment A)

- Failure of drain line isolation valves to the equipment sump from high pressure sources (n/a to CPS, see Attachment A)

• Operation with water in the SDVs

- Failure to drain the SDV following the last scram.

Modeling of the potential for these water sources leading to a high level in the SDV includes consideration of operator actions to take corrective action where indication is available in the control room and there is sufficient time to take this action.

SDV Level Instrumentation Given water addition to the SDVs, the SDV level instrumentation would initiate a reactor scram.

This portion of the SDV fault tree models failure of the SDV level instrumentation in initiating a reactor scram given high level in the SDVs. The following are included in the fault tree:

• Level Switch random and common cause failures

• Level Transmitter random and common cause failures

• Analog Trip Module (ATM) random and common cause failures

• Failure due to calibration errors.

The SDV level instrumentation fault tree logic reflects a two out of four division trip logic, with each of the four divisions requiring either a level switch or level transmitter/trip module signal.

4.2 Data Analysis Failure probabilities for the events in the SDV fault tree are assigned based on the data analysis approaches and the plant specific and generic data used in the CPS CL06B.

The basic events in the SDV fault tree include:

• Initiating Events

• Air-operated valve (AOV) failure rates

• Level switch failure rates

• Level transmitter failure rates

• ATM failure rates

• Probability of a reactor trip between level instrument functional tests 5

• Probability of failing to drain the SDV due to vent or drain line plugging

• Human actions

- Failure to trip reactor on loss of Instrument Air or Multiple Rod Drift

- Instrument miscalibration

- Failure to perform functional level instrument check after calibration

- Failure to verify SDV vent and drain valves open after Scram re-set The basic event probabilities used in the SDV fault tree analysis are summarized in Table B-2.

Some of the basic event probabilities in the SDV fault tree are influenced by the length of the surveillance test interval for the SDV level instruments; as such, Table B-2 summarizes the values for the quarterly test configuration and for the 24-month test configuration.

Refer to Attachment B for further details on the data analysis.

4.3 Quantification of ACDF and ALERF The SDV fault tree discussed in Section 4.1 was quantified both for the quarterly test configuration and for the 24-month configuration, using the probabilities summarized in Table B-2.

The difference in the two results is the increase in the SDV failure to scram contribution to the RPS function unavailability. Both SDV fault tree quantifications were quantified at a truncation limit of 1E-12 (four orders of magnitude below the expected overall result). The results are as follows:

• SDV scram failure probability (Quarterly Test Configuration): 4.166E-8

• SDV scram failure probability (24-Month Test Configuration): 9.129E-8 The RPS failure probability used in the CPS CL06B PRA is:

Electrical RPS Failure (basic event 1RPSYRPS-ELECFCC) 3.70E-6 Mechanical RPS Failure (basic event 1RPSYRPS-MECHFCC) 2.1OE-6 TOTAL: 5.80E-6 As can be seen from the base quarterly test configuration quantification, the SDV failure contribution (calculated using the fault tree developed here) to overall CPS RPS unavailability is approximately 1%. This result is consistent with the findings of NUREG/CR-5500.

Increasing the SDV level instrument surveillance interval to 24-months increases the SDV failure contribution by 4.96E-8 (i.e., 9.129E 4.166E-8). This increase is used to modify the CL06B basic event 1RPSYRPS-MECHFCC from its base value of 2.10E-6 to 2.1496E-6. The CL06B model is then re-quantified to determine the CDF and LERF for the 24-month test configuration.

5.0 RESULTS The quantification of the SDV Level Instrumentation impact on the CPS risk profile was performed using the CL06B PRA and the CAFTA software. The results of the quantification are as follows:

Quarterly 24-Month Test Interval Test Interval Risk Metric (Base) (LAR) Change RPS Unavailability due to SDV High Level 4.166E-8 9.129E-8 4.96E-8 Core Damage Frequency (CDF) 6.466E-6/yr 6.472E-6/yr 6.OE-9/yr Large Early Release Frequency (LERF) 1.564E-7/yr 1.576E-7/yr 1 .2E-9/yr 6

The impact on CDF and LERF falls into the RG 1.174 Region III risk category, "Very Small" risk im pact.

The risk impact is very small and well within the RG 1.174 Region III range such that explicit consideration of external event risk would not impact these results. As such, external events are not explicitly analyzed here.

6.0 CONCLUSION

S This risk assessment estimates the increase in CDF and LERF due to the proposed LAR to extend the current 3-month surveillance interval for the SDV level instruments to a 24-month interval. The changes in CDF and LERF are as follows:

• ACDF = 6.OE-9/yr

• ALERF = 1.2E-9/yr These quantitative risk results fall into the RG 1.174 Region III risk category, "Very Small" risk impact, with significant margin. As such, the proposed LAR amendment is acceptable from a risk perspective without the need for special compensatory actions.

7. 0 REFERENCES

[1] CPS Technical Specifications, Section 3.3.1.1, RPS Instrumentation Surveillance Requirements.

[2] USNRC, IE Bulletin 80-17, "Failure of 76 of 185 Control Rods to Fully Insert During a Scram at a BWR", July 3, 1980.

[3] USNRC, Generic Letter 81-18, "BWR Scram Discharge System; Clarification of Diverse Instrument Requirement", March 30, 1981.

[4] INEEL, Reliability Study: General Electric Reactor Protection System,1984 - 1995, NUREG/CR-5500, Vol. 3, May 1999.

[5] CPS P&ID M05-1078 sheet 3, Rev. D.

[6] CPS P&ID M05-1046 sheet 3, Rev. L.

[7] CPS P&ID M05-1047 sheet 3, Rev. M.

[8] INEEL, Rates of Initiating Events at U.S. Nuclear Power Plants:1987-1995, NUREG/CR-5750, February 1999.

[9] Sandia National Laboratories, Accident Sequence Evaluation Program Human Reliability Analysis Procedure, NUREG/CR-4772, February 1987.

[10] Sandia National Laboratories, Interim Reliability Evaluation Program Procedures Guide, NUREG/CR-2728, January 1983.

[11] INEEL, "CCF Parameter Estimations, 2003 Update",

http://nrcoe.inl.qov/results/CCF/CCFParamWebhelp/CC, May 2006

[12] USNRC, Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis", Revision 1, November 2002.

7

[13] USNRC, Regulatory Guide Decisionmaking: Technical 1.177, "An Approach Specifications", August 1998.for Plant-Specific Risk-Informed 8

ATTACHMENT A SCRAM DISCHARGE VOLUME (SDV) FAULT TREE A fault tree is developed as part of this risk assessment to model the contribution of SDV events to RPS failure. The top event of the fault tree is gate SDV-SCRAM (SDV Level Fails Scram Function). This fault tree is an 'AND" gate of the following two sub-trees:

• SDV-FILL (SDV Fill)

• Z-SDV-INST (SDV Instrumentation Failure)

Each of these sub-trees is discussed below.

The SDV-SCRAM fault tree is provided at the end of this Attachment.

A.1 MODELING BOUNDARIES Gate SDV-FIIl The fault tree logic for filling the SDVs (gate SDV-FILL) models sources of water that are physically connected by piping to the SDVs. The logic also assesses operating activities that may result in water collecting in or being left in the SDVs. Physical conditions in the SDV drain and vent piping that may result in the inability to drain the SDVs similar to those that were known to occur in several BWRs in the late 1970s and early 1980s are also postulated and modeled in the tree [Refs. 2 and 3].

Gate Z-SDV-INST The fault tree logic under gate Z-SDV-INST models failure of the SDV level instrumentation to detect high SDV level and initiate a scram. Reactor protection circuitry outside this boundary is associated with other scram functions and is represented by the RPS electric failure basic event (1 RPSYRPS-ELECFCC) included in the CPS CL06B PRA.

Failure of the SDV level instrumentation during a condition in which the SDVs contain a high water level will lead to a failure to scram for hydraulic reasons. The modeling developed under gate Z-SDV-INST is a subset of the mechanical causes of failure to scram represented by the RPS mechanical failure basic event (1 RPSYRPS-MECHFCC) included in the CPS CL06B PRA.

A.2 Success Criteria Gate SDV-FIIl The conditions considered in the development of the fault tree for which SDV can fill without detection until the high level setpoint is reached are as follows:

A-1

Gate Z-SDV-INST The success criteria for scram initiation upon SDV high level is actuation of 2 of 4 SDV level instrumentation divisions. Although Division A&B and C&D monitor level in SDV A and B, respectively, the two volumes are connected by relatively large lines that permit good hydraulic communication. Therefore, water entering one SDV will affect level in both SDVs and initiate a reactor scram. A scram signal is sent to the scram circuitry which relays the signal to open the 4 groups of scram valves in the HCUs, causing a rapid insertion of the control rods into the reactor core. Concurrently, a signal to close the SDV vent and drain valves is initiated.

A.3 FAULT TREE ASSUMPTIONS Gate SDV-FiII

1. Failure to Drain SDVs Following a Scram: The most common reason for water entering the SDVs would be as a result of a plant trip. On recovery of plant conditions that resulted in the trip, the scram is reset, which drains the SDV and clears the high level condition. In the fault tree, If SDV level instruments were not functioning and the SDV was not drained as a part of the scram reset, a return to power operation with the SDVs full is assumed. Failure of the SDV to drain during a scram reset is modeled as having three potential causes:

- Obstructions in the vent or drain lines (Z-SDVDRTKP)

- A vent or drain valve fails to open during scram reset (Z-1OF4VAVO)

- Operator fails to open the SDV valves during scram reset: This postulated failure mode is not applicable to CPS. The CPS SDV vent and drain valves open A-2

automatically on reset of the scram. Therefore there is no potential for failure of the operator to open these valves on returning to power operation.

Each functional check that is performed on the SDV level instrumentation also verifies that there is no water in the SDVs. Therefore, for there to be water in the SDVs from a previous reactor trip, a scram must have occurred since the last functional test. As a result, events are included in the fault tree representing the potential for a trip in between functional tests (Z-TRIP30DX associated with the monthly check of SDV vent and drain valve position and Z-TRIP90DX associated with the periodic functional test of the level instruments).

2. Slow Scram: The scram valves for each CRD mechanism are air operated and fail safe in that they open on a loss of air pressure. A loss of instrument air or a rupture of an air line leading to the scram valves therefore will result in reactor shutdown due to insertion of the rods. Depending on its cause, this loss of instrument air pressure may be slow and it is not certain that reactor trip resulting from other systems dependent on instrument air will necessarily precede the gradual opening of the scram valves. Depending on how many scram valves open as air pressure decreases, it may be possible to raise the level in the SDVs before a legitimate reactor trip occurs for this event other than that provided by the SDV level instrumentation. To preclude the occurrence of a slow scram, an annunciator is provided to alert the operators to low scram air header conditions so that they may initiate a manual trip. Both the potential for low scram valve air header pressure (%TIA) and the operator action to trip the reactor are included in the fault tree (Z-LOIATRPH). The operator is instructed by Procedure 4004.01 "Instrument Air Loss" to scram the reactor (turn mode switch to shutdown) on receipt of the low scram pilot valve air header pressure annunciator in the control room. This annunciator is just one of a number of annunciators that would indicate the need for the operator to take these actions following a loss of instrument air.

3. Flow from Multiple Scram Valves: Similar to the slow scram, it is assumed that coincident failure of multiple scram outlet valves can result in flow to the SDVs without a reactor trip due to other causes. Flow from at least two scram valves is assumed to lead to filling of the associated SDV (IEYG1V-AVT). It is conservatively assumed that even with the SDV drain valves opened, the flow is greater than the flow capacity of the drain line thus leading to SDV fill up. However, the operators are required by procedure to scram the reactor any time multiple rods have drifted out of position. An action to initiate this scram is included in the fault tree (Z-AVOATRPH). The operator action to manually scram the reactor on multiple rod drift is required by Procedure 4007.02, "Multiple Rod Drift".

4. Scram Valve Leakage: Leakage into the SDV through scram outlet valves could lead to fill up of the SDV but only if the normally opened drain valves are closed. As leakage is not expected to be large, the drain valves would have to be closed for an extended period of time. Closure of the drain valves is not a normal configuration during power operation and in the fault tree is assumed to be due to be due to inadvertent closure (Z-1OF2VAVT) or planned operation with the valves closed. It is further assumed that there is a periodic check of the position of these valves that would limit the exposure time of the SDVs to this configuration to under a month.

5. Backflow Through SDV Drain and Vent Lines: The drain and vent lines from the SDVs are piped to sumps in the containment. Depending how a specific plant is configured, there may be junctions connected to other fluid systems that flow to the same sump. If the elevation of these other fluid systems is sufficiently high then flow would be permitted toward the SDVs, and it is possible that fluid from these other systems could end up in the SDVs.

A-3

Although considered, this failure mode is not applicable for CPS. A review of the P&IDs

[Refs. 5, 6, 7] did not reveal any lines that connect with the SDV vent and drain lines prior to discharging to the sump.

Further, some plants have vent and drain lines permanently connected to high pressure systems that may be directed to the same sump to which the SDV vent and drain lines are connected. A rupture of the isolation valves on these high pressure system lines could blow fluid that may be in the sump at the time back through the vent and drain lines into the SDVs. The potential for backflow to the SDVs from the sump is considered in the development of the fault tree but is judged not applicable to CPS because the Equipment Drain Sump (1 RE05T) to which the SDV drains does not have any high pressure systems connected to it beyond the SDV drain valves. Further, the sump has a 4 inch diameter vent line that connects to the HVAC exhaust which would prevent pressurization of the sump and backflow into the SDV discharge line.

6. SDV fill up is the prerequisite for the SDV level instrumentation and circuitry to function.

The need for the level instrumentation to initiate a trip would depend on fill potential described above. As noted above, filling of the SDV is not necessarily a condition that requires a scram. Manual insertion of rods during the course of a normal shutdown for other reasons can eliminate the potential for a failure to scram due to this cause.

Therefore for any of these five means of filling the SDVs to lead to an ATWS, there must be a condition or initiating event that also leads to a need to scram the reactor:

- Failure to Drain SDVs Following a Scram: Having modeled the potential for failing to drain the SDVs following a reactor trip, there is a need for another reactor trip to occur before an ATWS would result. The frequency of an initiator is simply modeled with a gate under which all of the potential initiating events considered in the PRA are OR'ed together (Z-IE).

- Slow Scram: The most likely cause of a slow scram is a loss of instrument air (refer to discussion above regarding operator action to scram plant on loss of air). This initiator will eventually lead to a legitimate reactor trip due to loss of balance of plant systems (condenser vacuum, feedwater, MSIV closure). A loss of instrument air is included as the initiating event for a slow scram (%TIA).

- Flow from Multiple Scram Valves: It is assumed that multiple rods drifting into the core would eventually result in the operators initiating a reactor trip. The drift of the first rod into the core using an annual mission time followed shortly by a second rod (within the next 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) is modeled as the initiating event (IEYGlV-AVT).

- Scram Valve Leakage: Operation with the SDV drain valves closed is assumed to result in a gradual filling of the SDVs from normal scram valve leakage. For this condition to lead to an ATWS, an initiating event requiring a reactor scram must occur while the SDV drain valves are closed. The frequency of an initiating event is modeled with a gate under which all of the potential initiating events considered in the PRA are OR'ed together (Z-IE).

Gate Z-SDV-INST

1. Each of the two SDVs is equipped with two pairs of level sensors (2 level switches and 2 level transmitters). For example, for each SDV, there are two instrument divisions and each division is equipped with level transmitter and a level switch. The level transmitter interprets the SDV level by pressure differential between the top and bottom of the tank.

The level switch is initiated by a float on the water surface. Since the two sensors are A-4

redundant to each other for level detection in the SDV, both sensors on a division have to fail to detect SDV high level before the division fails. Gates Z-DIV1, 2, 3 and 4 of the fault tree reflect this logic.

2. A scram signal is sent to all four scram division logic modules if 2 out of 4 level instrumentation divisions detects a high SDV. Division 1 and 2 instrumentation detect level in SDV A and division 3 and 4 instrumentation detect level in SDV B. The 2 out of 4 logic indicates that a high level detected on either SDV would initiate a reactor scram signal to all 4 scram division logic, thus resulting in full scram. Therefore, failure to produce a scram signal would be a result of 3 of 4 instrumentation division failure. This is modeling is reflected in fault tree gate Z-SDV-INST.

3. Pre-initiating event instrumentation miscalibration is considered for the SDV level instrumentation. The level instruments are calibrated every operating cycle (once per 24 months) and it is assumed that miscalibration could lead to failure of all level instruments of a given type (i.e., switches or transmitters). Calibration of level transmitters and switches is performed under separate procedures using functionally different methods (switches require filling the level column in which they are each installed, level transmitters require applying a known pressure to the transmitter). Therefore, a single basic event is used to represent the calibration error for each level instrument type (i.e.,

switches or transmitters). A functional test of each loop is also performed subsequent to calibration. However, the functional check is part of the calibration procedure and is likely to be completed by the same personnel that performed the calibration immediately following the calibration. Therefore, only limited credit for the post calibration test is taken (Attachment B contains the quantification of the human errors included in the SDV analysis).

4. There are no post-initiator operator actions associated with the SDV level instrumentation fault tree. If a failure to scram occurs as a result of high water level in the SDV, operator actions are required to shutdown the reactor with SLC and are considered in the ATWS event tree when used. This analysis only considers changes in RPS unavailability, therefore use of SLC and operator action to reset a scram and drain the SDV following a reactor trip in order to insert rods are not credited. The purpose of a scram reset is among other things, to empty the SDVs to ensure successful scram function on the next abnormal event that requires a plant scram. It is assumed that should a legitimate reactor scram occur with the SDVs full, that the scram is not cleared and an ATWS results.

5. Modeling of a failure to generate a SCRAM signal on high SDV level is limited to failures of the level switches, level transmitters and analog trip modules (ATMs) in the four SDV instrumentation channels. Other components such as digital signal conditioner and connectors in the path of signal are not included. Bypass, refuel and shutdown switch failures also are not included in the modeling because they are already in the desired position (open) and the probability that they would change state is relatively low compared with instrument failure.

6. Common cause failures of the level transmitters, level switches, and ATMs are modeled.

The CCF modeling is consistent with the methodology and date used in the CPS CL06B PSA. The CCF failure rates are derived using the ALPHA methodology.

7. Loss of 120 VAC power to the SCRAM circuitry is not modeled as the signal circuitry is designed to fail safe.

A-5

I 12 6I 6 I 7 I W:\Engineer\Exelon\Clinton\APPLIl.A\RM-1073.caf 111/15/2006 1 Page 1 A-6

FAILURETO DRAINSDEV E*OAUSE DRAINORV ENT VALVESAREECLOSED Page I PRO-.AILIFYOFA FAILUSEOF DRAINCE PRECURSOR TRIP FILLING VENTVALVESTO OPEN THE SDV SINZE LAST VALVEPOSITON DRAINVALVESFAILSTO VERIFYVENTAND DRAIN PR;URSOR TRIP POPEN AFTERA [VALVES : RE-SET FOPNIL LOWING 1n2 W:\EngineerXExelon\Clinton\APPLI.-.\RM-1073.caf 11/1-5/2006 Page 2 A-7

FAILLRETO DRAINSWA BE- USE DR INOR VE14T LIND AR OEAITRUCTED Z.SE'VE-3 FP9p I PNBABILITrYFA SDV FAILSTODRAIN PRECURSORTRIP T FILLING AFTERAPRECURSOR THESDVSINCETIIE LAST TRIP DUETO PLU0SII'2S FUNTSIONAL IZ-TRIFNDDX DZRDVDRTKP 9.FE04

-( 8.IA 1l I W:\Engineer\Exelon\Clinton\APPLI.._\RM-1073.caf 11/1512006 1 Page 3 A-8

1 4 1 5 1 W:\Engineer\Exelon\Clinton\APPLI -. \RM-1073.caf 111/15/2006 1 Page 4 A-9

ISLOCAIEý Z-ISLOCA INTERFACINGSYSTEM LOCAINITIATORIN RHR SINT ERFACINGSYSTEM LPCI INJC

.1E-l0

.SUCTIONLPNE LOCAINITIATORIN FWS INTERFACIN4SYSTEM LGCAINITATOR iNSoc SYSTEM IINT ERFACINGSYSTEM 2 0DE-01E-12 INTJ%ISLOcCA-SECA ERFAC:Ir SYSTEM IN iATOR 1INHPCS LOCCA LOCAINITIATOR INSDC SYSTEM RETIUN LTAIN A SYSTEM INTERFACING SYSTEM INTERFACINGSYSTEM LC A INITIATORIN RHR LOCOAINITIATOR INSDC RETURNTRAINB LPCIINJA lu E.19 A

E%-ISLO0AEC O -1PA

,a .1E-1 INTERFACING S YSTEM LOCAINITIATORINRHR LPCIINJ B 1E.2 5

11t15/200G I Page W:\Eng ineer\Exelon\Glinton\APPL I..ARM-I 073-caf 111/15/2006 1Page 5 W:\Engineer\Exelon\Clinton*,PPLl...\RM-1073.caf A-10

I W:\Engineer\Exelon\Clinton\APPLI._.\RM-1073.caf 111/15/2006 1 Page 6 A-11

SMALLLOOAIE:

Z.SC.IES paq- 4 NL SMALLBREAK LOCA. INIT:SMALLBREAKLOCA ABOVECORE INSIDE BELOWCORE INSIDE DRYWELL DR3IAELL g r2 WA: E n o l -7 1 W

355E03 32E -03 W:\Engineer\Ezxelon\Glinton\APPL I---RM-i 073.caf 11/15/2006 Page 7 A-12

W:\Engineer\Exelon\Clinton\APPL[...\RM-1073.caf 11/15/2006 Page8 A-13

I W:\Engineer\Exelon\clintonýAPP,,..\RM-1073.caf 11/15/2006 Page 9 A-1 4

REF.LEGBR.EAIS

-TRAN-RL MEDEIU I RANGEFF NIRIUANGE AX WATER REFERENCE LEG A WATER REFERENCE LEG B LINEBREAK LINEBREAK

" 224E,03 I 22,E -03 1i12 W:\FngineerXExelon\Clinton\APPL ..

\RM -1073.caf 11/15/2006 Page 10 A-1 5

LOSS OF [1 BUS la Z.TRANtCI Pagje9 LOSSOF NON - 'A FUTY DC BUS1E INITIATOR ELOSSOF NO N SAFE rYDO]

USO1E IAUT IFI 525E01 5.25E-21 1 2 I W:\Engineer\Exelon\Clinton\APPLI...\RM-1073.caf 111/15/2006 1 Page 11 A-16

IW:\Engineer\Exelon\Clinton\APPLI...\RM-1073.caf 11/15/2006 1 Page 12 A-17

INVERTER.INDLCED IEý Z-TRAN-INV M515CLOSUREINITATIN. TT CAUSED BYXFN R EVENTDUETO DIV1 INV FAILUREWITH INVERTER 9001A IN SAINT. .MIB1EIN MAINT.

COE+00 IflDE4 LSURE IRITIATIIC 511 TT CAUSEDBYXEIR EVENTDUETO DIV52INV FAILURE WTH INSERTER SWIE INSAINT. S001A IN ISAINT.

1 2 1WA\Engineer\Exelon\ClintonXAPPLI --RM-1 013.caf j11/15/2006 Page 13 A-1 8

I W:\Engineer\Exelon\ClintonkAPPLI...\RM-1073.caf I11/15/2006 1 Page 14 A-1 9

SW:\Fngineer\Exelon\Clinton\APPLI...\RM-1 073.caf 111/15/2006 f Page 15 A-20

A-21 W:\Engineer\Exelon\Clinton\APPLI...\RM-1073_Gaf 11/15/2006 1Page 17 A-22

1 2 1 W:\Engineer\Exelon\Clinton\APPLI...\RM-1073.caf 11/15/2006 Page 1 A-23

2 1 3 1 WA\Engineer\Exelon\Clinton\APPLI._.\RM-1073_caf . 11/15/2006 1 Page 19 A-24

E-03 17.a 4 11120 Pag 20 W:\E ngineer\Exelon\Clinton\APPL I...\RM -1073.cat 11115/2006 Page 20 A-25

001 FCFT110LEI,--L P0l13A OF LEVELSWITCHESDE'S OF LVLSMRTCHESIVS 1 1AND2 AND4 CO NSN CAUSEEALUE FAILURE CM ILRE Z-1.TCFSLX 1 2 WV:\Engineer\Exelon\clinton\APPLI ..\RM-1 073.caf 11/15/2006 Page 21 A-26

1 111/20 Pag 221 W:\Engineer\Exelon\Clinton\APPLI... \RM-1073_caf 11/15/2006 Page22 A-27

14E-04 W:\Engineer\Exelon\Clinton\APPLI.. .\RM-1073_caf 111/15/2006 Page 23 A-28

2,2E-05 W:\Engineer\Exelon\Clinton\APPLI...\RM-1073_caf I11/15/2006 Page24 A-29

1 4 I 6 1 W:\Engineer\Exelon\Clinton\APPLl . \RM-1073_caf 111/15/2006 Page 25 A-30

1 3 1 I S I W:\Engineer\Exelon\Clinton\APPLlI..\RM-1073.caf 111/15/2006 Page 26 A-31

2.02E-05 2 1 W:\Engineer\Exelon\Clinton\APPLl -\RM-1073.caf 111/15/2006 1 Page 27 A-32

W:kEngineer\Exelon\Clinton\APPLI...\RM-1073.caf 111/15/20061 Page 28 A-33

1.14E-04 W:\Engineer\Exelon\Clinton\APPLI...\RM-1073.caf 11/115/2006 Page 29 A-34

1 1 1 i I

• W:\Engineer\[zxelon\Clinton\APPLI ...\RM-1 073-caf 111/1512006 1Page 30 A-35

1 4 I 5 1 W:\Engineer\Exelon\Clinton\APPLI -- \RM-1073.caf 111/15/2006 1Page 31 A-36

E-5 1 4 1 1 1 W

\Engineer\Exelon\Clinton\APPL[...\RM-1013cral 111/15/20061 Page 32 A-37

ATTACHMENT B DATA ANALYSIS FOR SDV FAULT TREE This attachment summarizes the data analysis for the SDV fault tree developed for this risk assessment.

B.1 RANDOM FAILURES Level Instrumentation The SDV level instruments and trip modules are assigned failure data consistent with that used in the CPS CL06B PRA. The failure probabilities for each of these components is calculated using the standby failure probability model (1 - e-" V2):

I Failure Probability Component Rate Quarterly 24-Month Level Switches 3.30E-7/hr 3.61 E-4 2.89E-3 Level Transmitters 1.OOE-6/hr n/a 8.72E-3 ATMs 1.87E-6/hr 2.05_E-3 1.63E-2 The level transmitters are not subject to quarterly functional tests; this risk assessment uses the 24-month calibration interval as the basis for determining the failure probability for these components for both the base case and the LAR configuration case.

SDV Drain and Vent Valves 1 of 4 SDV Drain/Vent Valves FTO After Trip (Z-1OF4VAVO)

This basic event represents any one of the four drain and vent valves to open during a scram reset. Failure of either of the two series vent line valves to open post scram reset is assumed to cause a vacuum to be drawn in the SDVs and prohibit water from flowing out through the drain lines. Failure of either of the two series drain line valves to open post scram reset isolates the SDV drain path. The failure rate of an air operated valve to open on demand is 2.OOE-3/demand.

There are two drain AOVs and two vent AOVs in the SDV system; therefore, the probability of this event is 8.OOE-3.

Probability of a Trip Filling SDV in Precedinq Month (Z-TRIP30DX)

To fill the SDV, a precursor trip must occur in the period since the last SDV drain and vent valve position check. These valve positions are verified once per month and this verification schedule is not to be modified by the proposed LAR. The mean time between trips is 96 days based on an annual trip frequency of 3.8/year (including Manual Shutdown initiators).

Using the standby failure probability model (1 - et/2), the probability of this event is calculated as:

Probability = 1 - EXP (-(1/96 days)(30 days)/2)

= 1.45E-1 B-1

Drain Valves Inadvertently Close (Z-1OF2VAVT)

The failure rate for inadvertent transfer of an AOV is 1.50E-7/hr. There are two valves in the drain line and it is assumed that valve position is checked once per month. Using the standby failure probability model (1 - e-k t/2), the probability of this event is calculated as:

Probability = 2 x [1 - EXP (-(1.50E-7/hr)(720 hrs)/2)]

= 1.08E-4 Scram Valve Leakage (Z-SVLVSAVL)

It is assumed that all scram discharge valves leak to some extent; therefore, it is certain that, with time, operation with the SDV drain valves closed will result in water collecting in the SDVs. As such, this event is assigned a 1.0 probability.

SDV DrainNent Lines Plugqqed SDV Fails to Drain After Trip Due to Plugging or Blockage (Z-SDVDRTKP)

In the early 1980s, several plants experienced problems with the ability to drain the SDVs following a reactor trip [Ref. 2]. The causes were a result of plugging conditions in the lines downstream of the drain and vent valves and corrective action has been taken to preclude this condition in all BWRs. Because of the corrective actions, all known mechanisms for this failure mode should have been addressed; however, to bound the potential for any other unknown mechanisms, one industry failure to drain the SDV is used to determine the failure probability for draining the SDVs due to other causes. The following inputs to this event probability calculation are used:

• 1 industry event for failure to drain the SDVs

• Approximately 800 reactor calendar years of U.S. BWR operation

• 75% average availability [Table 3-1 of Ref. 8]

• Average of 1.8 reactor trips per year [Table 3-1 of Ref. 8]

Probability = 1 SDV drain failure event / [(800 yrs)(0.75)(1.8 trips/yr)]

= 9.26E-4 Probability of Trip Filling SDV Since Preceding Functional Test (Z-TRIP90DX)

It is recognized that failure to drain the SDVs due to plugging would be discovered by performance of the functional test for the level instruments. This test currently occurs every 90 days and is being extended to a 24-month interval. The mean time between trips is 96 days based on an annual trip frequency of 3.8/year (including Manual Shutdown initiators). Using the standby failure probability model (1 - e-k t/2), the probability of this event is calculated as:

" Quarterly Test Interval: 1 - EXP (-(1/96 days)(90 days)/2) = 3.74E-1

• 24-Month Test Interval: 1 - EXP (-(1/96 days)(730 days)/2) = 9.78E-1 B.2 COMMON CAUSE FAILURES The common cause failure event probabilities are calculated using the same data and methodology used in the CPS CL06B PRA. The CCF methodology used is the ALPHA methodology. The CCF ALPHA parameters are based on the latest INEEL data [Ref. 11].

The CCF basic event probabilities for different combinations of failures are calculated as follows:

B-2

0 CCF of 2 out of 4 Components: 1/3 x [Random Failure Probability] x ALPHA2 0 CCF of 3 out of 4 Components: 1/3 x [Random Failure Probability] x ALPHA3 0 CCF of 4 out of 4 Components: [Random Failure Probability] x ALPHA4 The calculations of the CCF basic events in the SDV fault tree are summarized in Table B-I.

B.3 INITIATING EVENTS Failure of Multiple Scram Valves (IEYGIV-AVT)

The single new initiating event postulated and developed as a part of this analysis is failure of multiple scram valves (IEYGIV-AVT). All other initiating events in the SDV fault tree are taken directly from the CL06B PRA. Derivation of the IEYGIV-AVT initiating event frequency is as follows and is based on the air operated valve data from the CPS CL06B PRA.

• Air operated valve inadvertent transfer: 1.50E-7/hr

• The initial valve failure has an annual exposure period (8760 hrs)

• Subsequent valve failures are assigned an exposure period equal to the 24-hr PRA mission time

• Number of permutations = n!/ (n-k)! = 20,880 n = 145 CRDMs k = 2 valves required to open to result in high flow to SDVs Permutations are used instead of combinations as there are two ways the first scram discharge valve may fail open first followed by the failure of the second valve within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

Frequency = (1.50E-7/hr)(8760 hrs)(1.50E-7/hr)(24 hrs)(20,880 permutations)

= 9.88E-5/yr B.4 OPERATOR ACTIONS The following operator actions are considered in the SDV fault tree.

Operator Action Basic Event Procedure Miscalibration of Level Z-CALBRLSH CPS Procedure 9531.22, "SDV High Water Switches Level Float Switch C11-N013A(B,C,D)

Channel Calibration" Miscalibration of Level Z-CALBRTRH CPS Procedure 9431.05, "RPS Scram Transmitters Discharge Volume High Level "C11-N012A(B,C,D) Channel Calibration Operator Fails to Trip Plant Z-LOIATRPH Procedure 4004.01, "Instrument Air Loss" on Loss of Instrument Air Operator Fails to Trip Plant Z-AVOATRPH Procedure 4007.02, "Multiple Rod Drift' on Multiple Rod Drift B-3

Operator Fails to Perform Z-SDVLVLSH Not credited as noted below.

Level Instrument Functional Test Prior to Startup Operator Fails to Verify Vent Z-SDVD-AVH CPS Procedure 4001.01, "Reactor Scram" and Drain Valves Open Following Reset Miscalibration of SDV Level Switches (Z-CALBRLSH)

A base human error probability (BHEP) of 3.OOE-2 is assumed as a screening value per page 3-4 of NUREG/CR-4772 for miscalibration of level instruments [Ref. 9]. It is assumed that the calibration followed by a post calibration check supports a 0.1 recovery factor, given the post calibration check is in the same procedure and is performed immediately following the calibration.

Therefore, the total HEP is 3.00E-3. (See Attachment B-1 for derivation).

Miscalibration of SDV Level Transmitters (Z-CALBRTRH)

A BHEP of 3.OOE-2 is assumed as a screening value per page 3-4 of NUREG/CR-4772 for miscalibration of level instruments. It is assumed that the calibration procedure is performed with a post calibration check of the work, allowing for a 0.1 recovery factor, given the post calibration check is in the same procedure and is performed immediately following the calibration.

Therefore, the total HEP is 3.OOE-3. (See Attachment B-i)

Operator Fails to Trip Plant on Loss of Instrument Air (Z-LOIATRPH)

For a loss of instrument air to result in filling the SDV to the point that it would fail to insert rods, a relatively gradual rate of depressurization must occur. It is assumed that 10-20 minutes is available to the operator to trip the reactor in this situation. A value of 3.7E-2 for failing to initiate this trip is derived in Attachment B-2.

Operator Fails to Trip Plant on Multiple Rod Drift (Z-AVOATRPH)

The HEP of 3.7E-2 calculated above is used for this action as well due to similarity in performance shaping factors.

Failure to Perform Functional Test of SDV Level Instruments on Startup (Z-SDVLVLSH)

CPS uses the quarterly test to assure the SDV level instruments are functional as opposed to performing such a test on each startup. It is this test that is being considered for extension from quarterly to every 24 months. Therefore, a value of 1.0 is assigned to for failing to perform a functional test on each startup.

Failure to Verify SDV Vent and Dent Valves Open Following Reset (Z-SDVD-AVH)

As a part of resetting the scram, the SDV drain and vent valves receive an automatic signal to open. If a valve were to fail to open on reset, the operator would recognize it had not opened as a part of post scram recovery procedures. A BHEP probability of 3.OOE-2 is used as a screening value for this HEP with a recovery factor of 0.1 per page 3-4 of NUREG/CR-4772. Therefore, the total HEP is 3.OOE-3.

B.5 DATA

SUMMARY

The basic event failure probabilities for the events used in the SDV fault tree analysis are summarized in Table B-2.

B-4

Table B-1

SUMMARY

OF CCF BASIC EVENT PROBABILITY CALCULATIONS FOR SDV FAULT TREE Random Failure Comnen Foailur CCF ALPHA Parameters CCBE Probability Probability Component CCBE CCCGI Type CCBE ID CCBE Description Size Size 3-Month 24-Month ALPHA1 ALPHA2 ALPHA4 3-Month ATMs Z-12CCFATZ COMMON CAUSE FAILURE OF ATMS DIVS 2 4 2.05E-03 1.63E-02 9.68E-01 2.10E-02 6.92E-03 3.72E-03 1.44E-05 1.14E-04 I ANfl9 Z-13CCFATZ COMMON CAUSE FAILURE OF ATMS DIVS 2 4 2.05E-03 1.63E-02 9.68E-01 2.10E-02 6.92E-03 3.72E-03 1.44E-05 1.14E-04 1 AND 3 Z-14CCFATZ COMMON CAUSE FAILURE OF ATMS DIVS 2 4 2.05E-03 1.63E-02 9.68E-01 2.10E-02 6.92E-03 3.72E-03 1.44E-05 1.14E-04 1 AND 4 Z-23CCFATZ COMMON CAUSE ATM FAILURE DIVS 2 2 4 2.05E-03 1.63E-02 9.68E-01 2.1OE-02 6.92E-03 3.72E-03 1.44E-05 1.14E-04 AND3 Z-24CCFATZ COMMON CAUSE ATM FAILURE DIVS 2 2 4 2.05E-03 1.63E-02 9.68E-01 2.1OE-02 6.92E-03 3.72E-03 1.44E-05 1.14E-04 AND4 Z-34CCFATZ COMMON CAUSE ATM FAILURE DIVS 3 2 4 2.05E-03 1.63E-02 9.68E-01 2.10E-02 6.92E-03 3.72E-03 1.44E-05 1.14E-04 AND4 Z-123CCATZ COMMON CAUSE FAILURE OF DIV 1,2, &3 3 4 2.05E-03 1.63E-02 9.68E-01 2.1OE-02 6.92E-03 3.72E-03 4.73E-06 3.76E-05 ANALOG TRIP MODULES Z-124CCATZ COMMON CAUSE FAILURE OF DIV 1,2, &4 3 4 2.05E-03 1.63E-02 9.68E-01 2.10E-02 6.92E-03 3.72E-03 4.73E-06 3.76E-05 ANALOG TRIP MODULES Z-134CCATZ COMMON CAUSE FAILURE OF DIV 1,3, &4 3 4 2.05E-03 1.63E-02 9.68E-01' 2.10E-02 6.92E-03 3.72E-03 4.73E-06 3.76E-05 ANALOG TRIP MODULES Z-234CCATZ COMMON CAUSE FAILURE OF DIV 2,3, &4 3 4 2.05E-03 1.63E-02 9.68E-01 2.10E-02 6.92E-03 3.72E-03 4.73E-06 3.76E-05 ANALOG TRIP MODULES Z-4ATCCATZ COMMON CAUSE FAILURE OF ALL 4 4 2.05E-03 1.63E-02 9.68E-01 2.10E-02 6.92E-03 3.72E-03 7.63E-06 6.06E-05 ANALOG TRIP MODULES Level Z-12CCFLSZ COMMON CAUSE FAILURE OF LEVEL .2 4 n/a 8.72E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 n/a 6.10E-05 Transmitters TRANSMITTERS DIVS 1 AND 2 Z-13CCFLSZ COMMON CAUSE FAILURE OF LEVEL 2 4 n/a 8.72E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 n/a 6.10E-05 TRANSMITTERS DIVS 1 AND 3 Z-14CCFLSZ COMMON CAUSE FAILURE OF LEVEL 2 4 n/a 8.72E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 n/a 6.10E-05 TRANSMITTERS DIVS 1 AND 4 Z-23CCFLSZ COMMON CAUSE FAILURE OF LEVEL 2 4 n/a 8.72E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 n/a 6.1OE-05 TRANSMITTERS DIVS 2 AND 3 Z-24CCFLSZ COMMON CAUSE FAILURE OF LEVEL 2 4 n/a 8.72E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 n/a 6.10E-05 TRANSMITTERS DIVS 2 AND 4 Z-34CCFLSZ COMMON CAUSE FAILURE OF LEVEL 2 4 n/a 8.72E-03 9.68E-01 2.1OE-02 6.92E-03 3.72E-03 n/a 6.1OE-05 TRANSMITTERS DIVS 3 AND 4 1 -1 B-5

Table B-1

SUMMARY

OF CCF BASIC EVENT PROBABILITY CALCULATIONS FOR SDV FAULT TREE Random Failure Raomai CCF ALPHA Parameters CCBE Probability Probability Component CCBE CCCG 2MJLA4o Type CCBE ID CCBE Description Size Size 3-Month 24-Month ALPHA1 ALPHA2 JALPHA4 3-Month24-Month Level Z-123CCLSZ COMMON CAUSE FAILURE OF LEVEL 3 4 n/a 8.72E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 n/a 2.01E-05 TrqnQmittArQ T ,ANk*,'iT - rF ii\/qi 1 9 Amfl n

(Cont.) Z-124CCLSZ COMMON CAUSE FAILURE OF LEVEL 3 4 n/a 8.72E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 n/a 2.01E-05 TRANSMITTERS DIVS 1,2, AND 4 Z-134CCLSZ COMMON CAUSE FAILURE OF LEVEL 3 4 n/a 8.72E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 n/a 2.01 E-05 TRANSMITTERS DIVS 1,3, AND 4 Z-234CCLSZ COMMON CAUSE FAILURE OF LEVEL 3 4 n/a 8.72E-03 9.68E-01 2.1OE-02 6.92E-03 3.72E-03 n/a 2.01 E-05 TRANSMITTERS DIVS 2, 3, AND 4 Z-4LSCCLSZ COMMON CAUSE FAILURE OF ALL 4 4 4 n/a 8.72E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 n/a 3.24E-05 TRANSMITTERS Level Switch Z-12CCFSLX COMMON CAUSE FAILURE OF LEVEL 2 4 3.61 E-04 2.89E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 2.53E-06 2.02E-05 SWITCHES DIVS 1 AND 2 Z-13CCFSLX COMMON CAUSE FAILURE OF LEVEL 2 4 3.61 E-04 2.89E-03 9.68E-01 2.10E-02 6.92E-03 3.72E03 2.53E-06 2.02E-05 SWITCHES DIVS 1 AND 3 Z-14CCFSLX COMMON CAUSE FAILURE OF LVL 2 4 3.61 E-04 2.89E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 2.53E-06 2.02E-05 SWITCHES DIVS 1 AND 4 Z-23CCFSLX COMMON CAUSE FAILURE OF LEVEL 2 4 3.61 E-04 2.89E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 2.53E-06 2.02E-05 SWITCHES DIVS 2 AND 3 Z-24CCFSLX COMMON CAUSE FAILURE OF LEVEL 2 4 3.61 E-04 2.89E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 2.53E-06 2.02E-05 SWITCHES DIVS 2 AND 4 Z-34CCFSLX COMMON CAUSE FAILURE OF LEVEL 2 4 3.61 E-04 2.89E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 2.53E-06 2.02E-05 SWITCHES DIVS 3 AND 4 Z-123CCSLX COMMON CAUSE FAILURE OF LVL 3 4 3.61 E-04 2.89E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 8.33E-07 6.67E-06 SWITCHES DIVS 1,2, AND 3 Z-124CCSLX COMMON CAUSE FAILURE OF LEVEL 3 4 3.61 E-04 2.89E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 8.33E-07 6.67E-06 SWITCHES DIVS 1,2, AND 4 Z-134CCSLX COMMON CAUSE FAILURE OF LVL 3 4 3.61 E-04 2.89E-03 9.68E-01 2.1OE-02 6.92E-03 3.72E-03 8.33E-07 6.67E-06 SWITCHES DIVS 1,3, AND 4 Z-234CCSLX COMMON CAUSE FAILURE OF LEVEL 3 4 3.61 E-04 2.89E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 8.33E-07 6.67E-06 SWITCHES DIVS 2, 3, AND 4 Z-4LSCCSLX COMMON CAUSE FAILURE OF SDV LEVEL 4 4 3.61 E-04 2.89E-03 9.68E-01 2.10E-02 6.92E-03 3.72E-03 1.34E-06 1.08E-05 SWITCHES (ALL DIVS) I I I I I I I I I B-6

Table B-2

SUMMARY

OF BASIC EVENT PROBABILITIES IN SDV FAULT TREE Probability Basic Event ID Description 3-Month 24-Month IEYG1V-AVT 2 SCRAM OUTLET VALVES INADVERTENTLY OPEN 9.88E-05 9.88E-05 Z-123CCATZ COMMON CAUSE FAILURE OF DIV 1,2, & 3 ANALOG TRIP 4.73E-06 3.76E-05 MODULES Z-123CCLSZ COMMON CAUSE FAILURE OF LEVEL TRANSMITTERS DIVS 2.01 E-05 2.01 E-05 1,2, AND 3 Z-123CCSLX COMMON CAUSE FAILURE OF LVL SWITCHES DIVS 1, 2, 8.33E-07 6.67E-06 AND 3 Z-124CCATZ COMMON CAUSE FAILURE OF DIV 1, 2, & 4 ANALOG TRIP 4.73E-06 3.76E-05 MODULES Z-124CCLSZ COMMON CAUSE FAILURE OF LEVEL TRANSMITTERS DIVS 2.01 E-05 2.01 E-05 1,2, AND4 Z-124CCSLX COMMON CAUSE FAILURE OF LEVEL SWITCHES DIVS 1,2, 8.33E-07 6.67E-06 AND 4 Z-12CCFATZ COMMON CAUSE FAILURE OF ATMS DIVS 1 AND 2 1.44E-05 1.14E-04 Z-12CCFLSZ COMMON CAUSE FAILURE OF LEVEL TRANSMITTERS DIVS 6.10E-05 6.1OE-05 1 AND 2 Z-12CCFSLX COMMON CAUSE FAILURE OF LEVEL SWITCHES DIVS 1 2.53E-06 2.02E-05 AND 2 Z-1 34CCATZ COMMON CAUSE FAILURE OF DIV 1, 3, & 4 ANALOG TRIP 4.73E-06 3.76E-05 MODULES Z-134CCLSZ COMMON CAUSE FAILURE OF LEVEL TRANSMITTERS DIVS 2.01E-05 2.01E-05 1,3, AND 4 Z-134CCSLX COMMON CAUSE FAILURE OF LVL SWITCHES DIVS 1, 3, 8.33E-07 6.67E-06 AND 4 Z-13CCFATZ COMMON CAUSE FAILURE OF ATMS DIVS 1 AND 3 1.44E-05 1.14E-04 Z-13CCFLSZ COMMON CAUSE FAILURE OF LEVEL TRANSMITTERS DIVS 6.1OE-05 6.1OE-05 1 AND 3 Z-13CCFSLX COMMON CAUSE FAILURE OF LEVEL SWITCHES DIVS 1 2.53E-06 2.02E-05 AND 3 Z-14CCFATZ COMMON CAUSE FAILURE OF ATMS DIVS 1 AND 4 1.44E-05 1.14E-04 Z-14CCFLSZ COMMON CAUSE FAILURE OF LEVEL TRANSMITTERS DIVS 6.10E-05 6.1OE-05 1 AND 4 Z-14CCFSLX COMMON CAUSE FAILURE OF LVL SWITCHES DIVS 1 AND 4 2.53E-06 2.02E-05 Z-1OF2VAVT 1 OF 2 SDV DRAIN VLVS INADVERTENTLY CLOSES 1.08E-04 1.08E-04 (ASSUME CHECKED 1/MONTH)

Z-1OF4VAVO 1 OF 4 SDV VENT OR DRAIN VALVES FAILS TO OPEN AFTER 8.OOE-03 8.OOE-03 A PRECURSOR TRIP Z-234CCATZ COMMON CAUSE FAILURE OF DIV 2, 3, & 4 ANALOG TRIP 4.73E-06 3.76E-05 MODULES B-7

Table B-2

SUMMARY

OF BASIC EVENT PROBABILITIES IN SDV FAULT TREE Probability Basic Event ID Description 3-Month 124-Month Z-234CCLSZ COMMON CAUSE FAILURE OF LEVEL TRANSMITTERS DIVS 2.01 E-05 2.01 E-05

2. 3. AND 4 Z-234CCSLX COMMON CAUSE FAILURE OF LEVEL SWITCHES DIVS 2, 3, 8.33E-07 6.67E-06 AND 4 Z-23CCFATZ COMMON CAUSE ATM FAILURE DIVS 2 AND 3 1.44E-05 1.14E-04 Z-23CCFLSZ COMMON CAUSE FAILURE OF LEVEL TRANSMITTERS DIVS 6.1OE-05 6.1OE-05 2 AND 3 Z-23CCFSLX COMMON CAUSE FAILURE OF LEVEL SWITCHES DIVS 2 2.53E-06 2.02E-05 AND 3 Z-24CCFATZ COMMON CAUSE ATM FAILURE DIVS 2 AND 4 1.44E-05 1.14E-04 Z-24CCFLSZ COMMON CAUSE FAILURE OF LEVEL TRANSMITTERS DIVS 6.1OE-05 6.1OE-05 2 AND 4 Z-24CCFSLX COMMON CAUSE FAILURE OF LEVEL SWITCHES DIVS 2 2.53E-06 2.02E-05 AND 4 Z-34CCFATZ COMMON CAUSE ATM FAILURE DIVS 3 AND 4 1.44E-05 1.14E-04 Z-34CCFLSZ COMMON CAUSE FAILURE OF LEVEL TRANSMITTERS DIVS 6.1OE-05 6.10E-05 3 AND 4 Z-34CCFSLX COMMON CAUSE FAILURE OF LEVEL SWITCHES DIVS 3 2.53E-06 2.02E-05 AND 4 Z-4ATCCATZ COMMON CAUSE FAILURE OF ALL ANALOG TRIP MODULES 7.63E-06 6.06E-05 Z-4LSCCLSZ COMMON CAUSE FAILURE OF ALL 4 TRANSMITTERS 3.24E-05 3.24E-05 Z-4LSCCSLX COMMON CAUSE FAILURE OF SDV LEVEL SWITCHES (ALL 1.34E-06 1.08E-05 DIVS)

Z-AVOATRPH OPERATOR FAILS TO TRIP PLANT ON MULTIPLE ROD DRIFT 3.72E-02 3.72E-02 Z-CALBRLSH MISCALIBRATION OF LEVEL SWITCHES 3.OOE-03 3.OOE-03 Z-CALBRTRH MISCALIBRATION OF LEVEL TRANSMITTERS 3.OOE-03 3.OOE-03 Z-LOIATRPH OPERATOR FAILS TO TRIP PLANT ON LOSS OF IA 3.72E-02 3.72E-02 Z-NO12ALSZ LEVEL TRANSMITTER 1C1 1N012A FAILS TO INITIATE ON 8.72E-03 8.72E-03 HIGH LEVEL Z-NO12BLSZ DIV 2 LVL TRANSMITTER 1C11N012B FAILS 8.72E-03 8.72E-03 Z-NO12CLSZ LEVEL TRANSMITTER 1C11N012C FAILURE 8.72E-03 8.72E-03 Z-NO12DLSZ LEVEL TRANSMITTER 1C11N012D FAILS 8.72E-03 8.72E-03 B-8

Table B-2

SUMMARY

OF BASIC EVENT PROBABILITIES IN SDV FAULT TREE Probability Basic Event ID Description 3-Month] 24-Month Z-NO13ASLX LEVEL SWITCH 1C11N013A FAILS TO INITIATE ON HIGH SDV 3.61E-04 2.89E-03 LEVEL Z-NO13BSLX FAILURE OF LVL SWITCH 1C11N013B FAILS TO INITIATE ON 3.61 E-04 2.89E-03 HIGH SDV LVL Z-NO1 3CSLX LEVEL SWITCH 1Cl N01 3C FAILS TO INITIATE ON HIGH SDV 3.61 E-04 2.89E-03 LVL Z-NO13DSLX LEVEL SWITCH 1C11N013D FAILURE 3.61 E-04 2.89E-03 Z-N601 AATZ ANALOG TRIP MODULE 1C11 N601 A FAILS TO ACTUATE 2.05E-03 1.63E-02 Z-N601BATZ TRIP MODULE 1C11N601B FAILS 2.05E-03 1.63E-02 Z-N601CATZ TRIP MODULE 1C11 N601C FAILS TO ACTUATE 2.05E-03 1.63E-02 Z-N601DATZ TRIP MODULE 1C11 N601D FAILS TO ACTUATE 2.05E-03 1.63E-02 Z-SDVD-AVH OPERATOR FAILS TO VERIFY VENT AND DRAIN VALVES 3.OOE-03 3.OOE-03 OPEN FOLLOWING RE-SET Z-SDVDRTKP SDV FAILS TO DRAIN AFTER A PRECURSOR TRIP DUE TO 9.26E-04 9.26E-04 PLUGGING Z-SDVLVLSH OP FAILS TO PERFORM LVL INSTRUMENT FUNCTIONAL 1.OOE+00 1.OOE+00 TEST PRIOR TO STARTUP Z-SVLVSAVL SCRAM VALVE LEAKAGE 1.OOE+00 1.OOE+00 Z-TRIP30DX PROBABILITY OF A PRECURSOR TRIP FILLING THE SDV 1.45E-01 1.45E-01 SINCE LAST VALVE POSITION Z-TRIP90DX PROBABILITY OF A PRECURSOR TRIP FILLING THE SDV 3.74E-01 9.78E-01 SINCE THE LAST FUNCTIONAL B-9

Attachment B-1 SDV LEVEL INSTRUMENT MISCALIBRATION Miscalibration of SDV Level Transmitters Procedure CPS 9431.05 provides guidance for the plant personnel to properly calibrate the SDV level transmitters and analog trip modules. I&C and Operations personnel are required to validate each other's actions by marking a checkbox beside the procedural steps as they progress through the calibration procedure. The procedure is comprised of three major parts, functional test prior to calibration, calibration, and post calibration test. The pre-calibration functional test verifies proper functioning of the sensor channels prior to calibrating the level transmitters and ATMs in the channels. This validation would identify any potential loop malfunction due to setpoint drifts or miscalibration from the prior calibration activity. The functional test is performed using the DAC in the calibration mode. Status lights are available to indicate whether the instrument train is working properly or not. The I&C technician and operator proceed to calibrate the level transmitters and ATMs after the functional test. After calibration, a post calibration test is performed to ensure that the instrumentation trains are properly functioning per the acceptance criteria. If the acceptance criteria are not met, a re-calibration is performed. Although there is no automatic annunciators in the control room that would alarm in the event that the instrument are not calibrated correctly, the post-calibration test would validate proper function of the instrument trains. Therefore, the post-calibration test is credited as a recovery factor in the HEP analysis.

Miscalibration of SDV Level Switches Procedure CPS 9431.22 provides guidance for the plant personnel to properly calibrate the SDV level switches. The structure of the procedure is very similar to that of CPS 9431.05 in that a functional test is performed prior to loop calibration, then followed by the calibration activity and restoration and post-calibration test (calibration adjustment and acceptance criteria). The post-calibration functional check, if done properly, would identify any potential failure of the level switch and channel logic.

Assumed Dependencies Between SDV Level Transmitter and Level Switch Calibration The calibration methods between the level switches and level transmitters are functionally different, the level switches being tested by adding water to the column in which the switches are installed and the level transmitters having a pressure applied to the input to the sensor to simulate the differential pressure that would exist if water were in the SDV. Therefore, there is little potential for common cause calibration failure that should be considered for the two sets of instruments.

However, the functional tests that are performed on each of the sets of instruments following calibration are part of the same procedures used to calibrate the instruments and would be performed immediately following the calibration by the same personnel that performed the calibration. To account for this dependency, the recovery factors for two human error events that lead to miscalibration of the switches and transmitters are increased by a factor of 10 (see Revised Recovery Factor in table below).

Calculation While the calibration errors can be treated as functionally independent, the HEP calculation for the two events are similar. The requirements with respect to checks and validations are also very similar between the two events. Therefore, the HEP derived below can be applied to both human error events:

HEP = BHEP x Recovery Factors B-10

= 3E-2 x 0.1

= 3.OOE-3 Refer to the table below for a discussion of the selection of the 3E-2 BHEP and the 1E-1 recovery factor.

HEP Component Value Basis Comment Basic Human Error .03 NUREG/CR 4772, .02 for Errors of Omission (EOM)

Probability (BHEP) Table 5.2, Note 2 .01 for Errors of Commission (ECOM)

This is the basic human error probability, the starting point for nominal pre-accident HEP, with no credit for recovery Recover Factors .01 NUREG/CR 4772, Per above discussion, post calibration Table 5.2, Case VI test can be effective if performed correctly to identify a calibration error.

Full credit for this recovery factor would be taken only if the calibration and post-calibration functional test were performed at different times, or by different personnel.

Revised Recovery 0.1 Engineering Base 0.1 recovery factor increased an Factor Judgement order of magnitude in this analysis to account for potential dependency between calibration of SDV level instrumentation and subsequent functional check. The relatively high dependency factor can be attributed to the same I&C technicians performing both of these tasks.

Within person Complete NUREG/CR 4772, Complete dependency between the dependency Dependency Table 5-4 separate task is assessed using Table (parallel system) 5-4 of NUREG/CR-4772. Many of the actions performed on different components are assumed to occur closely in time. The instruments are typically located in the same general visual reference. Calibration personnel are also required to initial most of the steps taken as validation of the step has been performed. Although there may be exceptions, a conservative assumption is being made that all tasks are being performed closely in time, by the same personnel in the same general area. Complete dependence is I applied, as a result.

B-11

Attachment B-2 OPERATOR FAILS TO MANUALLY TRIP THE REACTOR AFTER LOSS OF IA (Z-LOIATRPH)

The scenario where this action becomes important is a loss of IA. Loss of IA would lead to lowering of the pressure in the scram pilot valves air header. This in turn would potentially result in a gradual opening of the scram valves and leakage of reactor water into the scram discharge volumes. Concurrently, the control rods would begin to drift as the differential pressure across the control rod drive pistons increases when the scram valves gradually open. The concern is that if the water level in the scram discharge volumes gets too high, the remaining capacity would not be adequate to support the displaced reactor water from a full reactor scram. The scenario also assumes that the scram discharge volume level instrumentation fails to initiate a scram upon reaching the high level setpoint. In this case, the operator must manually trip the reactor by turning the scram mode switch to SHUTDOWN. Manually scramming the reactor results in rapid insertion of all control rods into the reactor core as air is vented from the scram pilot valves air header. It is not certain how quickly the scram valves will open on gradual loss of air pressure. If the scram valves open sufficiently fast such that a scram occurs prior to filling the SDV, then operator action to scram the reactor is not required. Given that it is not certain how fast the scram valves would open, this analysis conservatively assumes that the valves would open slowly enough to cause gradual fill up of the SDV.

Governing Procedures 0 4004.01: Loss of Instrument Air Compelling Signals

• IA header lowers to 60 psig after loss of IA

• Control rod begins to drift

• SDV level increase resulting in a rod block

• Scram pit vlv air hdr press lo Instrumentation Available for Diagnosis

• IA header pressure indication

• Scram pit vlv air hdr press lo

• SDV level instrumentation

• Control rod positions Initial Conditions/Assumptions

• Loss of IA and failure of SA to start. System pressure continues to decrease.

• The control room crew is familiar with the Loss of IA procedure since they are periodically trained on it.

• In order to initiate a successful scram in the scenario described above, the operator must manually scram the reactor prior to SDV level reaching the high level trip setpoint.

• It is assumed that level in the SDV would not reach a point that would compromise a reactor trip as long as the operator manually trips the reactor within about 10-20 minutes.

B-12

Event Timinq Time Value Timing Threshold (Min.) Basis First time compelling signal 0 Low scram valve header low pressure alarm received (TO) (Note 1).

Latest time event can be 10-20 Prior to SDV level reaching high level trip completed (Tm) setpoint (Note 2).

Time required to complete action 2 Turn mode switch to SHUTDOWN (Ta)

Time available for diagnosis of 8- 18 Td = Tm - To - Ta need to manually scram(Td)

1) The compelling signal is initiation of the low scram valve header low pressure annunciator. This is taken as time 0 for the analysis.

2) It is not clear when SDV level gets to the high level scram setpoint since it depends on how slowly the scram valves open on decreasing header pressure. Therefore, the time is estimated to be 10 to 20 minutes after the low scram valve header pressure alarm.

Sequence of Events

1. Loss of instrument Air and SA compressors did not start. Pressure gradually lowers due to leakage.

2. Scram valve header low pressure

3. Scram valves gradually open resulting leakage of reactor water in the CRD into the SDVs

4. SDV level increases

5. Operator turns mode switch to SHUTDOWN This scenario assumes that the scram valves gradually open as pressure in the scram valves header decreases resulting in fill up of the SDV. Also, SDV high level instruments fail to send a scram signal to the scram valves when level reaches the scram setpoint.

Task Breakdown

• Manual Scram

" Turn mode switch Actions covered in training.

Diagnosis HEP Diagnosis HEPs for 1 min. to 30 mins. after receipt of the cue are summarized in the table below Figure 8-1, Nominal Post-Diagnosis Curve, of NUREG/CR 4772. The lower bound HEP is employed in this risk assessment because the symptoms associated with LOIA are well recognized by the CPS operators and they are trained on this scenario.

B-1 3

NUREG/CR-4772 Diagnosis Human Error Probability (Nominal)

Time (min) Lower Bound Median Upper Bound 1 1.OOE+00 1.OOE+00 1.00E+00 2 2.50E-01 5.OOE-01 1.OOE+00 3 1.11 E-01 3.33E-01 1.OOE+00 4 6.25E-02 2.50E-01 1.00E+00 5 4.OOE-02 2.00E-01 1.OOE+00 6 2.78E-02 1.67E-01 1.OOE+00 7 2.04E-02 1.43E-01 1.OOE+00 8 1.56E-02 1.25E-01 1.OOE+00 9 1.23E-02 1.11E-01 1.OOE+00 10 1.OOE-02 1.OOE-01 1.OOE+00 11 7.29E-03 7.29E-02 7.29E-01 12 5.46E-03 5.46E-02 5.46E-01 13 4.18E-03 4.18E-02 4.18E-01 14 3.27E-03 3.27E-02 3.27E-01 15 2.60E-03 2.60E-02 2.60E-01 16 2.1OE-03 2.1OE-02 2.1OE-01 17 1.72E-03 1.72E-02 1.72E-01 18 1.42E-03 1.42E-02 1.42E-01 19 1.19E-03 1.19E-02 1.19E-01 20 1.OOE-03 1.OOE-02 1.OOE-01 21 7.73E-04 7.58E-03 7.58E-02 22 6.04E-04 5.82E-03 5.82E-02 23 4.78E-04 4.52E-03 4.52E-02 24 3.81 E-04 3.55E-03 3.55E-02 25 3.07E-04 2.82E-03 2.82E-02 26 2.50E-04 2.25E-03 2.25E-02 27 2.05E-04 1.82E-03 1.82E-02 28 1.69E-04 1.48E-03 1.48E-02 29 1.40E-04 1.21 E-03 1.21 E-02 30 1.17E-04 1.OOE-03 1.OOE-02 The latest time to successfully trip the reactor is assumed to be 8 to 18 minutes after receipt of the compelling signal. This assumption is considered appropriate given that it takes time for the IA system pressure to decrease due to system leakages to a point where operating equipment would fail. Ten (10) minutes is assumed in this calculation. Therefore, the resultant diagnosis HEP value is 1.OOE-2.

B-14

Post-Diagnosis HEP The HEPs for the post-diagnosis operator actions are summarized in the following table. This information and approach is based on Table 8-5 of NUREG/CR-4772.

HEP Task (Error Factor) Basis Operator A fails to turn mode 0.02. Table 8-5, item 3, Step-by switch to SHUTDOWN (5) Step, moderately high stress (Note 1)

SS fails to call for manual trip 0.2 Table 8-5, item 6, recovery on low scram valve header (5) from step-by-step done under pressure or SDV high level moderately high stress (1) The action is considered Rule-based per procedural guidance. Moderately high stress is used instead of extremely high stress as there are various compelling signals available to diagnosis the LOIA event and the operators are trained to perform this action upon receipt of the compelling signals.

Therefore, the post-diagnosis HEP is calculated as follows:

Post-Diagnosis HEP = 2E-2 x 0.2

= 4.OOE-3 Total HEP Median HEP = Diagnosis HEP + Post-diagnosis HEP

= 1.00E-2 + 4.OOE-3 The median HEP is converted to the mean HEP by multiplying the median HEP by a multiplication factor assuming the HEP is distributed log normally. The multiplication factor is calculated per the following equation:

Multiplication Factor = EXP[(1/1.645) (ln(EF)))2/2]

The above equation can be found on page 125 of NUREG/CR-2728 [Ref. 10].

The Error Factor for the diagnosis HEP contribution is 10 over the 1 minute to 30 minute range.

The Error Factor for the post-diagnosis HEP is 5. The EF of 10 is conservatively used here to apply to both HEP contributors. Using the above equation, the multiplication factor for an EF=10 is 2.66.

The resultant mean HEP for this action is calculated as follows:

HEP = (1.00E-2 + 4.OOE-3) x 2.66

= 3.72E-4 B-15