ML18360A470

From kanterella
Revision as of 13:50, 2 February 2020 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Attachment 2: Response to NRC Questions and Documentation Requests
ML18360A470
Person / Time
Site: Clinton Constellation icon.png
Issue date: 12/14/2018
From:
Exelon Generation Co
To:
NRC/RGN-III, Office of Nuclear Reactor Regulation
Shared Package
ML18360A500 List:
References
RS-18-146
Download: ML18360A470 (14)


Text

ATTACHMENT 2 Response to NRC Questio_ns and Documentation Requests NRC Request 1 Provide a copy of the calculation that supports 24-hour battery life.

Response

Attachment 3 provides EC 626319, "Battery Coping Time Evaluation to Support Inadvertent Isolation of Div. II Air Start Receiver Valves." This evaluation performs a battery coping analysis for Division 1 125V DC Battery 1A and Division 2 125V DC Battery 18 following a postulated loss of offsite power resulting in a loss of all AC power. The postulated event occurs during the specific Mode 4. plant configuration that was present on May 14, 2018, at 0030. The results of the evaluation concluded that either the Division 1 or Division 2 battery could have maintained one SRV open continuously and supplied the loads that would have been present during a postulated Extended Loss of AC Power (ELAP) for more than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

The loads on the Division 1 and Division 2 buses were tabulated for this event based on equipment that was in service at the time. Load shedding was assumed to occur at one hour in accordance with the plant load sh'ed procedure. Since the plant was coming out of an outage and some equipment was out of service, loads (particularly in Division 1) were significantly less than normal DC 'loads. The last battery test showed that the batteries were above 100 percent capacity; therefore, 100 percent capacity was assumed and an aging factor, applied for design basis calculations, was not applied. Battery coping time was evaluated using ETAP.

The calculation conservatively assumes that one SRV is open continuously on the Division 1 and Division 2 batteries throughout the event (i.e., being continuously energized (open) requires more energy than cycling the SRV open and close). Specifically, the DC solenoid that holds the SRV open is assumed to be energized continuously 'starting immediately after the SBO occurs.

A separate GOTHIC analysis showed that an SRV would not be required until about eight hours into the event and then only one SRV would be required periodically to control pressure; therefore, this assumption is conservative. Even with the SRV solenoid continuously energized, the battery coping time for Division 1 is over 150 hours0.00174 days <br />0.0417 hours <br />2.480159e-4 weeks <br />5.7075e-5 months <br /> and the coping time for Division 2 is 25 hours2.893519e-4 days <br />0.00694 hours <br />4.133598e-5 weeks <br />9.5125e-6 months <br />. The GOTHIC analysis assumes SRVs are cycled. The DC analysis assumes one SRV is open continuously. The SRVs use less than one amp to open which is very low loading.

Having them open continuously in the DC analysis is conservative and does not invalidate the GOTHIC analysis .

.NRC Request 2 Slide 9 states that Operators are extensively trained on DG malfunctions. Provide a copy of the training material.

Response

The training material is provided in Attachment 4. In addition, the EO certification guide requires completion of the following tasks that deal with diesel gene!ators or auxiliary power.

  • 350601.03: DG 1A(18){1 C} Pre-start Checks (only one division required)
  • 350601.23: Diesel Generator Operating Logs (only one division required)

Page 1

ATTACHMENT 2*

Response to NRC Questions and Documentation Requests r

  • 350601.34: Alternate Diesel Generator Start - Manual Override of Air Start Solenoids (only one division required)
  • 350601.38: E,mergency Diesel Generator Trip (only one division required)
  • 908001.01: Diesel Generator 1A(B){C} Operability - Manual and Quick Start Operability (only one division required)
  • 3502.01: Verify 480 VAC MCC Circuit Breakers De-energized
  • 351501.20: _480V Unit Sub Breaker Operation
  • 351501.18: 4.16 / 6.9KV Westinghouse DHP or Cutler-Hammer. DHP-VR Switchgear Breaker Operation
  • 351501.19: Div34160VSwitchgear1C1 Breaker Operations
  • 908202.02: Electrical Distribution Verification EO training also includes the following JPMs related to diesel generators or auxiliary power.
  • JPM048: Perform Alt13rnate Diesel Generator Start - Manual Override of Air Start Solenoids

..* JPM271: Locally Shutdown Diesel Generator 1A (Alternate Path 2)

( - .

JPM279: Locally Shutdown P1esel Generator 1A (Alternate Path 1)

  • JPM294: Locally Shutdown Diesel Generator 1A (Alternate* Path 3)
  • JPM600: Reset DIV 1A DG ~ockout Relays
  • JPM043: DC load shed
  • JPM065: Cross Connect DC Distribution Panels 1E and 1F
  • JPM103: Cross tie 480v busses
  • JPM211: DC Load Shedding During a Station Blackout
  • JPM297: DC Load Shedding During a Station Blackout NRC Reguest 3 Slide 18 states that 28 SROs from other stations (including non-Exelon) were given CPS procedures and scenarios that recreated the postulated scenario. Provide a copy of the completed questionnaires for the 28 SROs.

Response

I The surveys are included as Attachment 5.

Page 2

/

ATTACHMENT 2 Response to NRC Questions and Documentation Requests

/

NRC Request 4 Slide 18 states that six CPS Shift Managers were surveyed for four potential ELAP scenarios.

Provide a copy of the completed questionnaires for the six Shift Managers.

Response

The surveys are included as Attachment 6.

NRC Request 5 Slide 19 discusses a time validation that was performed for a CPS EO to walkdown, identify, and correct the out of position air start valves. Provide a copy of the time validation.

Response

The time validation is provided in Attachment 7.

NRC Request 6 Slide 26 states that the OG air start flow path was most recently trained in 2017. Provide a copy of the 2017 training material.

Response

The training material is provided in Attachment 8.

NRC Request 7 Slide 10, under Assumption 2, states that Operators will close one shutdown cooling valve per procedure to extend time to TAF from 10.8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> to about 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Provide a copy of procedures and training (including* any simulator exercises) that direct valve closure. Also discuss whether the procedure directs closure of one or both valves. *

.Response The procedures are provided in Attachment 9. In addition, Attachment 13 provides just-in-time simulator training (i.e., SE-JIT-42) that was administered to licensed operators as part of pre-outage training for the 2018 refueling outage.

It is important to note that isolating SOC is only required if RPV pressurization is expected to occur.

While procedures instruct closure of both SOC valves, closing just one (the outboard) is all that is required to establish the necessary isolation. Closing 1E12-F009 inside the drywell would be a low priority if the penetration is already isolated by closure of the 1E 12-F008. In SBO conditions, the inboard valve would not be the preferred choice due to it being located in the drywell in a fall hazard location.

Page 3

ATTACHMENT 2 Response to NRC Questions and Documentation Requests CPS procedure 3002.01, "Heatup and Pressurization," Section 8.1.3 says "if commencing a non-nuclear heatup ....... Verify all RHR loops have been removed from shutdown cooling and placed in STANDBY per 3312.03."

At 104 PSIG there is an autom,atic shutdown cooling isolation signal. Operators are directed per off-normal procedure 4001.02, "Automatic Isolation," to manually perform the isolation at this point.

Because operators are required to know that this setpoint exists, operators are required and trai[led to maintain RPV pressure below that value (general operations training on band control, not specific training). Operators establish control bands to maintain operating margin to safety system setpoints as part of operating philosophy.

Loss of Shutdown Cooling directs performance of procedure 3312.03, "RHR Shutdown Cooling and Fuel Pool Cooling Assist," Section 8.3.1. The first step in this section is to secure the lineup if shutdown cooling cannot be recovered.

Isolation of SOC is also driven through SBO containment isolation procedure 4200.01C002 (i.e.,

Attachment 14).

In the SBO procedure, operators would isolate SOC when they begin execution of the SBO manual containment isolation. Operators will isolate SOC after it has been determined tha,t RPV boiling and pressurization cannot be prevented, to ensure the low pressure piping (RHR) is

, isolated from the high pressure system (RPV).

As detailed in the response to NRC Request 12, DC load shedding does not remove power to*

NSSS related annunciators thus, operators will receive additional cues to inform them that SOC isolation is required.

  • To manually close the 1E12-F008 (a motor operated valve), located in the Auxiliary Building Steam Tunnel (ASST), the sequence of events would be as follows:

1*. The loss of SOC EO is pre-briefed for emergency entry into applicable areas for SOC operation. Therefore, the operator will be ready for entry quickly.

2. Don Protective Clothing (PCs) if not already done.
3. Enter the ASST and proceed to the back of the room, along the Containment wall. The 1E 12-F008 is in the middle of the room at head-height. The conditions for the room will be agreeable temperatures (due to being in an outage) and poor lighting (every operator carries a flashlight, a mandatory part of an operator's tool set). *
4. Manual operation of an MOV is described in OP-AA-103-005 and is trained in initial qualification and when the GFES topic of Valves is covered in EO continuing training. Valve operation requires simply diseng~ging the clutch mechanism, by pulling down on the clutch lever, and turning the valve handwheel.
5. When the valve stem reaches full closed position, the MCR will be notified that 1E 12-F008 i~ manually closed.

Page4

ATTACHMENT 2 Response to NRC Questions and Documentation Requests Two keys are required to enter the ABST, and Security has both keys, RP only has one. As for timing, the operator will reach the valve in under 20 minutes from receipt of the initial direction to close the valve, if there are no further delays and no time required for changing into PCs.

As for operation of the 1E 12-FOOB, the valve requires approximately 675 revolutions to close. Given the number of operators available, two could easily get this done within the ample time to accomplish this task. This is a 6 hour* action 1in the GOTHIC analysis.

With respect to training regarding isolation of SOC, operators were trained on INPO IER-17-05 in 2017. One plant had an RHR relief valve lift causing a loss of RCS inventory that went undetected for hours. Operators had to isolate SOC to stop the leakage. The CPS RCS leakage off-normal procedure 4001.01 contains instructions to close 1E12-F008 and 1E12-F009 if there is a loss of RCS inventory and the cause cannot be directly identified. Although the

.procedure instructs the operators to close both valves, as noted earlier, closing either of these valves isolates SOC and mitigates this event.

In addition, licensed operators receive training as part of simulator scenarios and JPMs where automatic isolations fail, and manual isolations need to be performed. For example, a JPM could require an operator to initiate the Standby Liquid Control (SLC) system and manually isolate the Reactor Water Cleanup (RWCU) system because the automatic isolation failed.

Simulator scenarios include system automatic isolation failures that require operators to perform the isolations manually.

The goal of training is to prepare the operators to manipulate the plant using approved procedures in a safe manner. To this end, tasks chosen for training are done so using a graded approach to the SAT process. Nuclear Industry Standard Procedure NISP-TR-01 defines a graded approach as an "approach to performing SAT activities in which the level of analysis, documentation, and actions taken are tempered by factors such as the relative importance to nuclear safety, the relative importance to reliability, the complexity of the job performance requirements and the value to business (cost-effectiveness). A graded approach to training encourages the application of techniques that allow the most. efficient use of personnel and resources in training activities."

Determining when and how often a task should be trained on is done by analyzing the Difficulty, Importance, and Frequency of the task (DIF analysis). Determining the periodicity of a topic is based on the risk or consequences associated with improper performance, opportunities for incumbents to maintain proficiency on task performance, and plant and industry OE related to errors associated with performing the task. During a DIF analysis several questions are asked -

and point rating assigned to the task relating to the Difficulty, Importance, and Frequency of that task. These points are compared to a table contained in the NISP procedure and the appropriate training actions are taken with concurrence of the Training Review Committee, which is chaired by the program owner.

Not all possible scenarios can be identified as having a training need. For the scenarios or tasks that have been identified, some of those items are considered similar in nature and are therefore not trained on individually. When developing a task, the NISP asks; Are there similar tasks that could be grouped? For example, if there are no unique characteristics for the XYZ pump, the task "line-up XYZ pump for start" may be stated as "line up a centrifugal pump for Page 5

ATTACHMENT 2 Response to NRC Questions and Documentation Requests start." Similarly, if two scenarios are alike, it's unnecessary to train on both scenarios in many cases. By using the DIF process as outlined above, Exelon ensures operators are prepared to perform their duties using approved procedures in a safe manner.

NRC Request 8 Slide 45 provides results of Exelon's HEP evaluation related to SOC isolation. Provide a copy of the HEP 'evaluation to close the SOC isolation Valve.

Response

The HEP evaluation is included 1n Attachment 10.

NRC Request 9 Provide procedures and training (including any simulator exercises) that direct maintaining RPV pressure low (60-100 psig) during shutdown without low pressure injection available.

Response \

The procedures and training material are provided in Attachment 11.

Operators establish critical parameter control bands any time a parameter that impacts plant operation is in a transient condition. Some critical parameter examples include RPV water level, RPV pressure, Suppression Pool level/temperature, Containment pressure, battery voltage, Service Air pressure, Main Condenser vacuum. The determination and establishment of critical parameter cont~ol bands is required by OP-CL-101-111-1001, "Strategies for Successful Transient Mitigation," and is reinforced in simulator training. The specific critical parameters are.

determined by the Unit Supervisor or as recommended by the Shift Technical Advisor (STA).

The STA also keeps a trend of these critical parameters as a backup to the crew along with a determination of when critical thresholds wil,I be met and.uses this information to help inform the unit supervisor and crew of potential challenges. The selection of a critical parameter control band and the actions required when those bands are exceeded is based on an evaluation of the unit condition. Operators are trained to ensure control bands maintain margin to operating limits.

and safety system setpoints, while also being large enough to provide for operational flexibility without overtaxing the reactor operators. Some initial critical parameter control bands are procedurally established based on the event, such as an initial RPV water level band following a .

reactor scram of RPV Water Level 3 to RPV Water Level 8. In all cases, the Unit Supervisor uses the available procedures, the STA's assessment, and the crew's input, to set critical parameter control bands to ensure safe operation of the unit.

In the event of a postulated extended SBO where the crew fails to rec~ver AC power to Division 2 through either restoration of the Division 2 DG or the Division 3 to Division 2 bus cross-tie, RPV water level would be established as a critical parameter as soon as a postulated event occurs due to the loss of injection. RPV pressure would be assigned as a critical parameter based on the direction in CPS 4200.01, "Loss of AC Power," Section 4.4, "Station

ATTACHMENT 2

- Response to NRC Questions and Documentation Requests Blackout." This instruction directs the crew to Stabilize RPV Pressure. Stabilization is a defined term in CPS procedure 4411.09, "RPV Pressure Control Sources" as follows:

STABILIZATION: Establishing arid maintaining a defined pressure control band below 1065 psig with the intent of keeping RPV pressure from changing until DEPRESSURIZATION is desired.

The operating crew, based on procedural guidance, training, and experience, will maintain RPV pressure less than 104 psig. The selection of this upper limit for a pressure control band is based the knowledge that RHR SOC isolates above 104 psig (RHR SOC automatic isolation setpoint), combined with knowledge that an increase in RPV pressure will result in the loss of available alternate injection systems. Available injection systems for this postulated event include the FLEX pump, Suppression Pool Transfer/Cleanup pump, and the fire pumps, and are listed in CPS 4306.01, "Extended Loss of AC Power/ Loss of Ultimate Heat Sink," in Detail A."

I Some of these systems explicitly require RPV pressure to be less than 100 psig for injection.

Additionally, operators ar1 aware of EOP-1, "RPV Control" guidance to maintain RPV. pressure less than 104 psig until shutdown cooling is res'tored. *

  • In this postulated event, operators will enter CPS 4306.01 and in accordance with those instructions, they will enter EOP-1 for RPV level and pressure control. li:,itially the only available pressure control. system is using the SRVs; however, other sources may become available depending on the state of power recovery to the unit. The SRVs are capable of operating using either the Division 1 or Division 2 DC batteries and based on EC 626319 would have power to operate in excess of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Nine SRVs have backup air bottles in addition to their onboard

The backup air bottles are capable of being recharged using FLEX procedures to ensure a

  • continuous supply of air to the SRVs to allow for pressure control throughout the event.

RPV pressure control will occur regardless of whether any system is actually capable of injecting. RPV level and pressure are independently controlled and are coordinated as necessary to maximize the recovery of both critical parameters. There is no guidance in CPS procedures which would direct an operator to not complete required pressure control actions because an injection pump is not currently aligned for injection. In fact,. CPS procedures acknowledge that maintaining RPV pressure low maximizes the amount of injection available from low pressure and alternate injection systems. Procedure CPS 4306.01 states to prepare for low pressure RPV injection to support "Control RPV water level per EOP-1 RPV Control." In order to meet the intent of this step to prepare for low pressure RPV injection, the operators must maintain RPV pressure less than 100 psig per 4306.01 P004, "FLEX Low Pressure RPV Makeup." Maintaining RPV pressure low allows FLEX strategies to be successful and prevents a challenge to the RPV cooldown limit later when injection is recovered.

As detailed in the response to NRG Request 12, DC load shedding does not remove power to NSSS related annunciators and thus, would not impact operators in controlling RPV pressure.

Page 7

ATTACHMENT 2 Response to NRC Questions and Documentation Requests*

NRC Request 1O Provide a copy of the time validation that supports a 1.5 hour5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> duration for completing the Division 3 DG to Division 2 bus cross-tie.

Response

The time validation is provided in Attachment 12. It should be noted that the time validation is only the time to establish the cross-tie. As soon as the crosstie is completed, within one minute operators in the MCR can initiate RHR 8/C water leg pump (WLP) and SLC injection. The five /

to six hour validation included in EGC's risk evaluation assumed a single operator performing the evolution and performing manual orderly filling and venting of all systems~ For the outage event under consideration, if adequate core cooling is challenged (in CPS procedures, this is defined as -1.00" wide range and lowering), operators will,only perform minimal fill and vents.

The operators will start a WLP, wait for the RHR low system pressure alarm to clear, vent the system high point (which takes a few minutes at most), and then immediately start and inject into the RPV using the RHR C and/or B pump(s).

NRC Request 11

. Was there any additional shutdown SBO training that occurred before the event?

J

Response

  • Just-in-time simulator training (i.e., SE-JIT-42) was administered to licensed operators as part of pre-outage training for the 2018 refueling outage. This training involved a loss of SOC with a loss of offsite power and loss of Di.vision 1 DG. This scenario exercised the objectives of respon~ing to a loss of offsite power, performance of a DC*load shed, and performance of ECCS injection/flooding operations, including realignment of RHR B to LPCI. The training material is provided in Attachment 13.

I NRC Request 12 What Control Room annunciators are impacted by the DC load shed?

Response

The specific impact on Control Room annunciators from DC load shed is as follows:

Division 2 circuit 20 removes power to al~rms for the following ventilation systems:

Control Room Ventilation Diesel Generator Ventilation Screen House Ventilation Standby Gas Treatment System Drywell Cooling Ventilation Containment Ventilation Switchgear Ventilation ECCS Room Ventilation Page 8

ATTACHMENT 2 Response to NRC Questions and Documentation Requests Circuit 24 removes power to the following alarms (none of these are NSSS alarms):

Safety related aux power alarms Component Cooling Water Containment Monitoring (containment isolation valve MOV alarms only)

Cycled Condensate and Makeup Condensate (containment isolation valve alarms for the '----

MOVs only)

Loss of DC alarms Diesel fuel oil Spent fuel pool cooling Fire Protection containment isolation valve alarms Hydrogen control

  • Service and Instrument Air (only isolation valves, backup air bottles, ADS air alarms)

Leak Detection Main Steam (e.g., non-NSSS containment isolation valves such as feedwater, RWCU valves)

Suppression Pool cleanup Suppression Pool makeup

.Shutdown Service Water A sampling of NSSS alarms not impacted:

Residual Heat Removal Reactor Protection System Safety/Relief Valves RPV isolation signal alarms See Attachment 14 for a copy of CPS procedure 4200.01C002, "DC Load Shed During a SBO."

See Attachment 1, and Response to NRC .Request 7 for a discussion of the various impacts of load shed on the recovery actions credited. *

  • NRC Request 13 When would a Site Are Emergency and General Emergency be declared in shutdow*n, and what impact would assembly and evacuation have on resources available?

Response

EAL CA 1 requires declaration of an ALERT in the event of a loss of onsite and offsite AC power to safety buses for 15 minutes or longer. This would occur 15 minutes after the SBO. There are no add_itional escalati~n paths in this EAL sequence.

Escalation to Site Area Emergency and General Emergency starting in Cold Shutdown conditions would be through the CS6 (with Containment closure not established, if RPV level lowers to -145.5 inches) and CG6 (RPV level below TAF for greater than 30 minutes with Containment Challenge Indications). One of the Containment Challenge Indications is containment closure not established after the 30 minute time period.

Page 9

ATTACHMENT 2 Response to NRC Questions and Documentation Requests Based on the GOTHIC analysis, RPV water level of -145.5 inches would not have been reached and a resultant Site Area Emergency declared until approximately 22 hours2.546296e-4 days <br />0.00611 hours <br />3.637566e-5 weeks <br />8.371e-6 months <br /> after the SBO started. The General Emergency would not have been.declared until 30 minutes after reaching TAF, which is beyond the 24-hour mark.

Site assembly and accountability actions are not required to be initiated until a Site Area Emergency is declared. A station evacuation would not be required by the Emergency Plan until after a General Emergency is declared. The TSC and OSC personnel are considered essential and would not be impacted by these actions.

In addition, it should be noted that the CPS TSC can be powered by a dedicated TSC DG in the event of an SBO.

NRC Request 14 Is there any additional training on FLEX or the Division 3 DG to Division 2 bus cross-tie?

Response

The training material is provided in Attachment 15.

FLEX pumps are operated once a year by Operations for PMs. Training on the FLEX tractor is performed every*2 years for EOs, including driving the tractor. The fittings and connections are STORZ connections that are used in fire brigade/fire response, which the majority of operators ,

are trained in using.

The goal of training is to prepare the operators to manipulate the '

plant using approved r procedures in a safe manner. To this end, tasks chosen for training are done so using a graded approach to the SAT process. Nuclear Industry Standard Procedure NISP-TR-01 defines a graded approach as an "approach to performing SAT activities in which the level of analysis, documentation, and actions taken are tempered by factors such as the relative importance to nuclear safety, the relative impqrtance to reliability, the complexity of the job performance requirements and the value to business (cost-effectiveness). A graded approach to training encourages the application of techniques that allow the most efficient use of personnel and resources in training activities."

Determining when and how often a task should be trained on is done by analyzing the Difficulty, Importance, *and Frequency of the task (DIF analysis). Determining the periodicity. of a topic is based on the risk or consequences associated with improper performance, opportunities for incumbents to maintain proficiency on task performance, and plant and industry OE related to errors associated with performing the task. During a.DIF analysis several questions are asked and point rating assigned to the task relating to the Difficulty, Importance, and Frequency of that task. These points are compared to a table contained in the NISP procedure and the appropriate training actions are taken with concurrence of the Training Review Committee, which is chaired by the program owner.

Not all possible scenarios receive specific training. For the scenarios or tasks that have been identified, some of those items are considered similar in nature and are therefore not trained on Page 10

ATTACHMENT 2 Response to NRC Questions and Documentation Requests individually. When developing a task, the NISP asks; Are there similar tasks that could be grouped? For example, if there are no unique characteristics for the XYZ pump, the task "line up XYZ pump for start" may be stated as "line up a centrifugal pump for start." Similarly, if two scenarios are alike, it's unnecessary to train on both scenarios in many cases. By using the DIF process as outlined above, Exelon ensures operators are prepared to perform their duties using approved procedures in a safe manner.

NRC Request 15 What was the RPV water level during the time when both Division 1 and 2 DGs were unavailable? Provide a graph if available.

Response 6 provides a graph that shows RPV water level during the time when both Division 1 and 2 DGs were unavailable. The MSLs are at approximately 104" on Shutdown Range. Level was maintained below 104" following the RPV pressure test that concluded on May 13, 20.18. The Division 2 DG unavailability started after midnight on May 14, 2018. The GOTHIC analysis assumed RPV water level was approximately one foot below the MSLs.

NRC Request 16 Provide additional details on the comments relative to the credit for FLEX being inconsistent with the NRC Tl-191 inspection report and FLEX NRC safety evaluation.

Response*

In support of the Mitigating Strategies Order, EGC submitted the CPS Final Integrated Plan (FIP) to the NRC which outlined compliance with the Order. In that subm,ittal, EGC described in detail how FLEX would be successfully implemented. The NRC performed a detailed review of the analyses, approaches, strategies, training and equipment developed by EGC and documented in the FIP. The NRC issued a Safety Evaluation (SE) following this review. The NRC found EGC adequately addressed the procedures and training associated with FLEX implementation at CPS since procedures had been established and a training program was developed per industry standards. Overall, the NRC SE concluded the CPS FLEX strategies and implementation were satisfactory with respect 'to the Orders.

Subsequent to the issuance of the SE, the NRC performed a Temporary Instruction inspection to verify adequate implementation of the mitigating strategies described in the FIP and SE. The inspection involved interviews and discussions with station personnel, documentation review, and plant walkdowns to verify the strategies could be implemented. The inspection included verification the procedures and guidance were developed, feasible, and integrated into plant procedures; as well as training developed to ensure personnel proficiency in mitigation of the beyond design basis event via FLEX.

See Attachment 17 for specific portions from the NRC SE that appear inconsistent with the assumptions contained in the NRC Choice Letter. The attachment addresses the driving PSFs for which the NRC selected off-nominal (i.e., bad/poor) multipliers - Stress, Complexity, Page 11

ATTACHMENT 2 Response to NRC Questions and Documentation Requests Experience/Training, and Ergonomics - and provides relevant quotes and excerpts from the December 23, 2015 SE that apply to each. EGC's comment made at the November 30, 2018, Regulatory Conference is simply that the two evaluations (NRC SE and risk evaluation) are

~ inconsistent from a regulatory perspective. Selectively relying on probability-based preferences over documented safety conclusions is not consistent with the Commission's principles of good

. regulation (namely, clarity and reliability).

Reliability in terms of the success of the components used within t~e FLEX strategies is addressed via the failure rates and failure probabilities employed in the analysis. Reliability in terms of the success of operator actions is determined through the application of standard, accepted, and detailed HRA methods, such as used in the Exelon risk evaluation.

NUREG-1852 (Demonstrating the Feasibility and Reliability of Operator Manual Action in Response to a Fire) provides suggestions as to how to evaluate ex-control room operator actions. Although the actions are specific to fires, the methods and discussion can be applied to and envelope the FLEX actions, which in this postulated event would have been taken in less severe circumstances (e.g., no equipment damaged by fire, no access points blocked by fire or fire damage). This NU REG discusses the assessment of time, cues, environment, and experience/training, to determine if an action is both feasible and reliable.

  • Feasibility of FLEX-related actionSl is verified by the FLEX validation studies and FLEX Implementation Plan.
  • For reliability, NUREG-1852 concludes that an operator action is reliable if there is

_ample time to complete it, there are cues to al[ow the operators to know that the action should be taken and to assess its success, the environment does not pose unsurmountable barriers, and the staff has demonstrated the ability to carry out the steps required of the action. For timing specifically, the NU REG indicates that an action could be consider.ed reliable (all other noted factors being acceptable) if the margin between available time and required time is a factor of two or larger.

The FLEX Orders clearly are intended to require and be implemented such that FLEX strategies can be implemented with high assurance. The NRC and industry have created FLEX with well

  • thought out designs, procedures, equipment, and training. Site audits and NRC inspections have verified proficiency of FLEX implementation.
  • For the scenarios associated with the SOP under discussion, the time to TAF is about 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, whereas the time required to complete implementation of FLEX strategies is much less, resulting in a factor of greater than 2 between time required and time available. As to the other factors discussed in the NUREG: cues are readily available (loss of power, water level, RPV pressure);*environmental issues are not of concern (other than lighting, there are no unique environmental is_sues related to FLEX actions); and the operators .have received training and demonstrated the ability to complete the FLEX actions (FLEX validation studies, periodic FLEX training). Thus, feasibility and reliability are confirmed using the approach C?f NUREG-1852.

"\

Note also that the NRC Safety Evaluation report states: "Thf? Clinton Training Program assures personnel proficiency in mitigation of BDBEEs. The procedures and training were developed and are maintained in accordance with NEI 12-06. Personnel assigned to direct execution of Page 12

ATTACHMENT 2 Response to NRC Questions and Documentation Requests mitigation strategies (e.g: ERO leaders) receive the necessary training to ensure familiarity with associated tasks Uob aids, instructions, and mitigating strategy time constraints).

)

The Exelon risk evaluation explicitly models operator actions as human failure events (HFEs) following standard PRA modeling practices which meet the quality requirements of the PRA Standard, ASME/ANS RA-Sa-2009. A key component of this modeling is for the HRA analyst to ask operators "what are you going to do?" and factor that input accordingly. Sometimes this includes modeling recovery actions that lack explicit training or procedure steps (SR HR-H2). For all HFEs, the HRA is required to model those steps critical to cognition (decision-making, including those steps needed for recognizing the need for the action) and execution (those steps taken to implement the action); and implicitly relies on the operators being proficient in sub-tasks that contribute to the operation of the plant. An exam pl~ of an implicit .

activity is communications, which is not explicitly modeled in HRA. Implicit activities also include knowing when and how to make lower level decisions such as getting permission before breaking open a system pressure boundary. These impli.cit actions are called "skill-of-the-craft" as they are routinely practiced during normal* plant operations and in establishing plant conditions for maintenance. Additional aids supplement skill-of-the-craft activities to ensure that important d~cisions are made reliably. These additional aids include EOPs, ERO, TSC and extra crew (operations and maintenance). -

Specifically, the PRA Standard requires the addition of recovery actions in order to provide a best-estimate of risk (SR HR-H1). Recovery actions need to be "plausible and feasible" per PRA Standard HLR H. In general, acti~ns should be proceduralized and trained, but the PRA Standard SR HR-H2 (which invokes HR-G3) says either one of these can be, omitted when justification is provided. For example:

  • A procedure is available and known to the operators, but is not directly linked is an example of "not proceduralized but can be credited." .
  • Training is not part of requalification but instead the action is "skill~of-the-craft" meaning*

part of the normal day-to-day operations, such as valve operations or controlling temperature and pressure within a band.

HRA models, like all PRA elements, capture a portion of all the actions and activities that occur after an event, specifically those important actions that are significant contributors to a human failure event. For example:

  • Operator actions typically involve communications, and these are not explicitly modeled in HRA for internal events.
  • Operator actions may include opening valves or starting pumps, arid some steps are selected as Critical to success of start-up; other activities are implicitly included, such as removing a locking device.

All modeled HFEs require consideration of cognitio'n and execution per PRA Standard SR HR-G2. Cognition is required and models critical detection, diagnosis and decision-making steps needed to accomplish the action, specifically those critical steps needed to start the action. Execution models the steps taken to implement and monitor the action through until the end of the mission time. "Failure to stop" an action (when needed) is only modeled if that is part of the HFE success/failure definition (e.g., PWR operator action to terminate SI before Page 13

ATTACHMENT 2 Response to NRC Questions and Documentation Requests pressurizer over-fill). "Failures to stop" that lead to additional equipment failures, and make the plant response worse, are termed Errors of Commission and are not modeled in HR.A (except for fire scenarios where spurious indications may mislead the operators into taking an erroneous action) ..

Clarification of Exelon's NRC Regulatory Conference Presentation in Response to NRC Comments During the November 30, 2018 Regulatory Conference, the NRC made several comments regarding Exelon's presentation slides to which Exelon agreed to clarify in our Written submittal.

The NRC commented that in several instances the Exelon risk assessment HEPs did not match those being presented. One specific example is the use of 0.002 on slide 42 - FLEX Alignment.

  • Here, FLEX Alignment refers to starting the FLEX DG and aligning it to the 480V bus. In the Exelon risk evaluati9n provided to the NRC during the inspection, the HEP for failing to align the FLEX DG is -0.001 (which is related to the failure to execute the necessary steps). The 0.001 value is not what is depicted (or intended) on Slide 42. The Exelon model has a separate HEP for failing to recognize the need to implement FLEX strategies (the "cognitive" HEP) which is also (coincidentally) 0.001. For the purposes of the presentation made at the Regulatory

. Conference, the "execution" HEP of -0.001 and the. "cognitive" HEP of 0 .. 001 were added, and the result (0.002) was used on Slide 42.

  • The NRC commented that perhaps Exelon needs to reperform its risk evaluation to reflect changes in HEPs that are being suggested to the NRC model. For example, this comme11t was raised specifically in reference to the human failure event for failing to complete the Division 3 to Division 2 cross-tie. The Exelon HEPs are based on a detailed HRA methodology that has a different scale for complexity than that used by the NRC with SPAR-H. It is not reasonable to compare the two and expect consistency up and down the scales. The detailed HRA methodology (CBDT/THERP) has only two "settings" - complex, and simple. These are defined in a manner that is different from how SPAR-H defines complexity. Comparing the SPAR-H HEP to the Exelon HEP value (and the assumption related to complexity) is an "apples to oranges" comparison, and the Exelon HEP was not used to arrive at the NRC's significance finding. -Regarding redoing the Exelon analysis to include "more realistic assumptions" - those assumptions produce better (i.e., lower) HEPs. The Ex~lon risk analysis produces a "delta CDF" of 1E-8/year, well below the Green/White threshold, using realistic and reasonable assumptions based on the information available when the analysis was performed prior to the Regulatory Conference. Given that the risk analysis calculated a delta CDF of 1E-8, Exelon did not pursue additional refinement of HEPs or modifications to the model. There is no need to repeat those calculations with HEPs that will produce a delta CDF that is no greater than 1E-8, and in fact would be even lower, and thus farther away from the Green/White threshold.

Page 14