LR-N18-0021, Supplemental Information to License Amendment Request for Implementation of WCAP-14333 and WCAP-15376, Reactor Trip System Instrumentation and Engineered Safety Feature Actuation System Instrumentation Test Times and Completion Times
| ML18040A319 | |
| Person / Time | |
|---|---|
| Site: | Salem |
| Issue date: | 02/09/2018 |
| From: | Mcfeaters C Public Service Enterprise Group |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| EPID L-2017-LLA-0442, LAR S17-05, LR-N18-0021 | |
FEB 09 2018
LR-N18-0021
LAR S17-05
PSEG Nuclear LLC
P.O. Box 236, Hancocks Bridge, New Jersey 08038-0236
10 CFR 50.90
U. S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555-0001
Salem Generating Station, Units 1 and 2
Renewed Facility Operating License Nos. DPR-70 and DPR-75
NRC Docket Nos. 50-272 and 50-311
Subject:
Supplemental Information to License Amendment Request for Implementation of WCAP-14333 and WCAP-15376, Reactor Trip System Instrumentation and Engineered Safety Feature Actuation System Instrumentation Test Times and Completion Times
References:
- 1. PSEG letter to NRC, "License Amendment Request for Implementation of WCAP-14333 and WCAP-15376, Reactor Trip System Instrumentation and Engineered Safety Feature Actuation System Instrumentation Test Times and Completion Times" dated December 18, 2017 (ADAMS Accession No. ML17352A502)
- 2. NRC letter to PSEG, "Salem Nuclear Generating Station, Unit Nos. 1 and 2 - Supplemental Information Needed for Acceptance of Requested Licensing Action Re: Implementation of WCAP-14333 and WCAP-15376 (EPID L-2017-LLA-0442)," dated January 31, 2018 (ADAMS Accession No. ML180258916)
In the Reference 1 letter, PSEG Nuclear LLC (PSEG) submitted a license amendment request (LAR) to Renewed Facility Operating License Nos. DPR-70 and DPR-75 for Salem Generating Station, Units 1 and 2 to revise TS 3/4.3.1, "Reactor Trip System Instrumentation," and TS 3/4.3.2, "Engineered Safety Feature Actuation System Instrumentation."
In the Reference 2 letter, the Nuclear Regulatory Commission staff requested that PSEG supplement the application with information necessary to enable the NRC staff to begin its detailed technical review. A conference call was held with the NRC on January 25, 2018, to clarify the supplemental information request. The requested information is provided in the Attachment to this letter.
PSEG has determined that the information provided in this submittal does not alter the conclusions reached in the 10 CFR 50.92 no significant hazards determination previously submitted. In addition, the information provided in this submittal does not affect the bases for concluding that neither an environmental impact statement nor an environmental assessment needs to be prepared in connection with the proposed amendment.
There are no regulatory commitments contained in this letter. If you have any questions or require additional information, please contact Ms. Tanya Timberman at 856-339-1426.
I declare under penalty of perjury that the foregoing is true and correct.
Executed on ____________ (Date)
Respectfully,
Charles V. McFeaters
Site Vice President
Salem Generating Station
Attachment: Supplemental Information Needed for Acceptance of Requested Licensing Action Re: Implementation of WCAP-14333 and WCAP-15376
cc:
Administrator, Region I, NRC
Project Manager, NRC
NRC Senior Resident Inspector, Salem
Mr. P. Mulligan, Chief, NJBNE
Corporate Commitment Tracking Coordinator
Salem Commitment Tracking Coordinator
LR-N18-0021
LAR S17-05
Attachment
Supplemental Information Needed for Acceptance of Requested Licensing Action Re: Implementation of WCAP-14333 and WCAP-15376
By letter dated December 18, 2017, PSEG Nuclear LLC (PSEG) submitted a license amendment request to revise Technical Specification (TS) 3/4.3.1, "Reactor Trip System Instrumentation," and Technical Specification 3/4.3.2, "Engineered Safety Feature Actuation System Instrumentation," to increase the completion times and bypass test times at Salem Nuclear Generating Station (Salem), Unit Nos. 1 and 2. By letter dated January 31, 2018, the Nuclear Regulatory Commission staff requested that PSEG supplement the application to address the following requested information:
- 1. For the risk contribution associated with internal fires, the PRA should include:
  - a. A quantitative evaluation (i.e., PRA) that:
    - i. Meets an NRC-endorsed industry standard,
    - ii. Is peer-reviewed in accordance with RG 1.200, and
    - iii. Includes the result of the reviews, including all open findings and observations (F&Os), and the change in risk.
  - b. A sufficient qualitative evaluation of the risk contributors that:
    - i. Is of sufficient scope and depth. If the IPEEE fire evaluation is used as a basis, deficiencies in the evaluation that result from using the EPRI FIVE methodology should be addressed, including using NRC-approved methods for plant partitioning, to account for multiple spurious actuations, for plant response modeling, for fire scenario selection and analysis, to account for human reliability, for fire risk quantification, and to account for uncertainty.
    - ii. Includes a discussion that clearly demonstrates why the risk contributions will not affect the decision as to the acceptability of the increase in risk.
    - iii. If the basis for the qualitative evaluation relies on a PRA, the PRA should meet the criteria outlined above for quantitative evaluations.
AND
- 2. For the risk contribution associated with seismic events, the LAR should include:
  - a. A quantitative evaluation (i.e., PRA) that:
    - i. Meets an NRC-endorsed industry standard,
    - ii. Is peer-reviewed in accordance with RG 1.200, and
    - iii. Includes the result of the reviews, including all open findings and observations (F&Os), and the change in risk.
OR
  - b. A sufficient qualitative evaluation of the risk contributors that:
    - i. Is of sufficient scope and depth. The evaluation should be performed using current state-of-knowledge where applicable, including updated site-specific seismic hazard analyses, seismic fragility assessments, and seismic systems analysis.
    - ii. Includes a discussion that clearly demonstrates why the risk contributions will not affect the decision as to the acceptability of the increase in risk.
    - iii. If the basis for the qualitative evaluation relies on a PRA, the PRA should meet the criteria outlined above for quantitative evaluations.
PSEG Response
This attachment supplements the PRA analysis provided in the original submittal to support the required changes for implementation of WCAP-14333 and WCAP-15376 into the Technical Specifications (TS).
The revised sections below replace in their entirety sections 4.3.2, 4.3.2.1, 4.3.2.2, 4.3.2.4, 4.3.4.4, 4.3.4.5, 4.3.4.6 and 4.3.4.8 in the license amendment request dated December 18, 2017.
The qualitative evaluations described below in sections 4.3.4.5 and 4.3.4.6 are of sufficient scope and depth, and clearly demonstrate why the risk contributions due to fire and seismic hazards will not affect the decision as to the acceptability of the increase in risk. The bases for the qualitative evaluations described below rely in part on the Salem Full Power Internal Events (FPIE) PRA Model of Record which was developed and peer reviewed consistent with the ASME PRA Standard as endorsed by Regulatory Guide 1.200. The result of the FPIE PRA reviews, including the applicability of peer review findings and observations (F&Os), was provided in Section 4.3.1 and Tables 4-8 through 4-19 in Attachment 1 to PSEG's December 18, 2017 submittal.
4.3.2 External Events Consideration (replaces Section 4.3.2)
When an adequate PRA model does not exist to characterize the risk associated with a LAR, section 2.3.2 of NRC Regulatory Guide 1.177 [Reference 10] allows for the use of a qualitative analysis. In addition, section 2.3.1 of NRC Regulatory Guide 1.174 [Reference 8] allows for a qualitative treatment of risk hazards when an adequate PRA model does not exist, provided that the licensee can demonstrate that those risk contributions would not affect the decision of the LAR. Finally, section 2.4 of NRC Regulatory Guide 1.174 provides guidance regarding indication of high total CDF or LERF, or potential vulnerabilities which could prohibit changes that lead to even very small risk increases.
As part of the risk assessment, PSEG performed a qualitative evaluation of the change in risk for internal fires, external floods and seismic hazards using insights primarily from the internal events and internal flooding PRA [Reference 15] supported by the information in WCAP-14333 [Reference 1] and WCAP-15376 [Reference 2]. In addition, PSEG reviewed the internal events and flooding PRA and the Salem Individual Plant Examination for External Events (IPEEE) [Reference 21] for indication of high CDF or LERF or a serious, uncorrected vulnerability.
The purpose of this section is to describe the Salem IPEEE which is used in later sections of this LAR as part of the Tier 1 risk assessment.
External hazards were evaluated in the Salem IPEEE submittal in response to the NRC IPEEE Program (Generic Letter 88-20, Supplement 4) [Reference 22]. The IPEEE Program was a one-time review of external hazard risk and was limited in its purpose to the identification of potential plant vulnerabilities and the understanding of associated severe accident risks.
The results of the Salem IPEEE study are documented in the Salem IPEEE. Each of the Salem external event evaluations was reviewed as part of the submittal by the NRC and compared to the requirements of NUREG-1407 [Reference 23].
Consistent with Generic Letter 88-20, the Salem IPEEE Submittal does not screen out seismic or fire hazards, but provides quantitative analyses. The following sections provide a brief summary of the seismic and fire hazards probabilistic analysis.
4.3.2.1 Seismic PRA (replaces Section 4.3.2.1)
The seismic risk analysis provided in the Salem Individual Plant Examination for External Events was based on a detailed Seismic Probabilistic Risk Assessment. A Seismic Probabilistic Risk Assessment analysis approach was taken to identify any potential seismic vulnerabilities at Salem. The Seismic PRA method was deemed an acceptable methodology identified in NUREG-1407. This PRA technique included consideration of the following elements:
- Seismic hazard analysis
- Seismic fragility assessment
- Seismic systems analysis
- Quantification of the seismically induced core damage frequency
The Salem Seismic PRA study was a detailed analysis that, like the internal fire analysis, used quantification and model elements (e.g., system fault trees, event tree structures, random failure rates, common cause failures, etc.) consistent with those employed in the internal events portion of the Salem PRA.
Some of the highlights of the Salem Seismic PRA methodology included the following:
- Seismic hazard curve was based on the EPRI site specific seismic hazard study. In addition, revised Lawrence Livermore National Laboratory (LLNL) seismic hazard estimates were used as input as a sensitivity case.
- A seismic event was not always assumed to result in a Loss of Offsite Power (LOOP). Seismic failure of offsite power was evaluated on a probabilistic basis according to component fragilities.
The Salem IPEEE stated that no plant unique or new vulnerabilities associated with the Seismic Analysis were identified. The Seismic PRA for Salem, with its original IPEEE hazard curves and identified dependencies and fragilities, can be used to provide general quantitative and qualitative insights. See section 4.3.4.6 for the risk evaluation and insights.
4.3.2.2 Fire PRA (replaces Section 4.3.2.2)
The analysis of the impact of internal fires consisted of a screening of fire areas based on EPRI Fire Induced Vulnerability Evaluation (FIVE) methodology [Reference 24]. As prescribed by the FIVE methodology, detailed area-by-area equipment and cable inventories were developed from the Appendix R analysis, the Safe Shutdown Analysis (SSA), and the Fire Hazards Analysis (FHA) [Reference 25]. The fire evaluation was performed on the basis of fire areas, which are plant locations completely enclosed by rated fire barriers. The fire area boundaries were assumed to be effective in preventing a fire from spreading from the originating area to another area based on the implementation of a satisfactory fire barrier surveillance and maintenance program, and observation during the walkdown. The fire area boundaries recognized in this study are defined in Sections 3 through 5 of the Salem Generating Station FHA and in the SSA. Qualitatively, an area was screened out if the area neither contained safe shutdown equipment nor called for a manual or automatic plant trip, given the condition that all equipment in the area is damaged. Quantitatively, an area was screened out if the CDF could be shown to be less than 1E-06 per year, assuming a reactor trip and all equipment in the area failed and was unrecoverable.
In theory, the contribution to core damage frequency from fires anywhere in the plant may be assessed in detail. However, this was impractical due to the large number of possible scenarios and was considered unnecessary at the time of the IPEEE, since fires in many plant areas are incapable of causing significant damage regardless of how severe they become. Consequently, the first stage in performing a fire analysis was to perform a systematic screening of all fire areas in accordance with the FIVE methodology. Areas not screened quantitatively or qualitatively were retained for a further detailed PRA evaluation.
The purpose of the qualitative screening was to identify the boundaries of the plant fire areas, together with the location of equipment and cables which, if damaged by fire, would cause a plant shutdown or degradation of shutdown paths identified in the plant's SSA or IPE. This information was then used to qualitatively screen fire areas from further consideration using the criteria developed in the FIVE methodology. The steps involved in qualitative screening included the following:
- Step 1 - Identification of Fire Areas
- Step 2 - Identification of Plant Safe Shutdown Systems
- Step 3 - Identification of Safe Shutdown Equipment in Each Fire Area
- Step 4 - Perform Fire Area Safe Shutdown Function Evaluation
For the quantitative screening analysis, the FIVE methodology provided a method of screening based on a conservative estimation of the contribution to CDF. The equipment contained within an area was assumed to fail due to a fire. Using an event tree representative of the most significant mitigating features, the contribution to CDF was then calculated. If this contribution was less than 1E-06 per year using the fault tree and event tree models from the IPE, the area or compartment was able to be screened out.
As part of the IPEEE internal fire analysis, one potential plant vulnerability was identified, and a plant enhancement has been implemented as a result [Reference 26]. There are two sets of cables supplying offsite power to the 4kV vital buses and these are routed through one elevation of the turbine and service buildings before entering the auxiliary building. The two sets provide a redundant source of power to the vital 4kV buses. Thus, if one set is damaged by fire, the second set could provide power to all three buses. In the turbine and service buildings, the two redundant sets of cables are separated by less than 10 feet for a portion of the area. No significant fixed combustible sources are located within 30 feet of the cables and are therefore not considered to be risk significant. However, as a result of the fire IPEEE, transient combustible controls similar to those in place for the auxiliary building, penetration areas and service water intake structure have been put into effect for this area of the turbine and service buildings. The internal fire PRA model was credited with this enhancement and was reflected in the IPEEE results.
The fire PRA for Salem, with its IPEEE era methods and data, can be used to provide general quantitative and qualitative insights. See section 4.3.4.5 for risk evaluation and impacts.
4.3.2.4 External Hazard PRA Summary (replaces Section 4.3.2.4)
The Salem Individual Plant Examination for External Events (IPEEE) [Reference 21] can be used for qualitative insights in support of the quantitative and qualitative insights that are based on the peer reviewed internal events and internal flooding PRA and the information in WCAP-14333 and WCAP-15376. Sections 4.3.4.5 and 4.3.4.6 of this LAR contain PSEG's assessment of internal fire and seismic risk.
4.3.4.4 Discussion of Risk Due to External Events (replaces Section 4.3.4.4)
Salem does not have separate probabilistic risk assessments (PRA) for Fire, External Flood or Seismic events. An internal Fire PRA (FPRA) is currently under development. The FPRA was developed as part of the station license renewal project. However, the FPRA did not undergo an industry peer review as required by NRC Regulatory Guide 1.200 for use in risk informed regulatory applications. PSEG is working to complete the FPRA. The current version, which follows the methodology of NUREG/CR-6850 with some incorporation of more recent data and methods can be used to provide valuable insights, but not quantitative information. The project is expected to culminate with an industry peer review. Seismic events are not currently included in the Model of Record (MOR). The Seismic PRA development for both Salem and Hope Creek is being considered as part of a PSEG Nuclear long-term planning strategy, which will determine the need for such an analysis using PRA methods. External Flood, Low Power/Shutdown, as well as other external events are also being considered as part of a long term risk management program strategic plan.
PSEG used a 2-pronged approach to estimating fire and seismic risk. First, the IPEEE results are used to provide insights into the important risk scenarios at Salem. Second, the FPIE PRA is used, in an approach that is completely independent from the IPEEE to characterize the risk associated with this LAR. The scenarios and most of the parameters come directly from the FPIE PRA. The parameters not from the FPIE PRA are individually explained. Section 1.4.3 of the IPEEE explains how the risk of High Winds, External Flood and other external events were screened out as insignificant. However, current concerns about severe weather-induced external flooding warrant a bounding calculation using the FPIE PRA. The risk due to fire, seismic and external flood events is discussed in the following sections.
4.3.4.5 Discussion of Fire Risk (replaces Section 4.3.4.5)
Insights Regarding Fire Risk Gleaned from the IPEEE
Section 1.4.2 of Salem's IPEEE discusses the station fire risk. The total CDF from fire events was calculated to be 2.3E-05 per year. The top four scenarios are described as follows:
- 24% of the total CDF (5.5E-06 per year) caused by a fire in the relay room that damages more than one cabinet and requires control room abandonment. Core cooling by alternate shutdown methods is unsuccessful, leading to core damage.
- 9.1% of the total CDF (2.1E-06 per year) caused by a fire in the control room which damages consoles 1, 2, or 3 and requires control room abandonment. Core cooling by alternate shutdown methods is unsuccessful, leading to core damage.
- 7.4% of the total CDF (1.7E-06 per year) caused by a relay room fire with damage limited to one electrical cabinet. Control room functions remain available but degraded. Core cooling is unsuccessful, leading to core damage.
- 4.6% of the total CDF (1.1E-06 per year) caused by a control room fire with damage limited to control console 3. Equipment damage requires control room abandonment. Core cooling by alternate shutdown methods is unsuccessful, leading to core damage.
Another perspective of fire risk is the relative importance for a fire in each area. The top four areas are the relay room (31%), control room (30%), the 460VAC switchgear room (7%), and the 4kVAC switchgear room (7%). Core damage following a relay or control room fire arises primarily from failure to implement alternate shutdown methods following control room abandonment. Such fire scenarios may damage both trains of ESFAS equipment, so the status of a particular component being out-of-service would have a negligible impact since it would have been damaged anyway. The switchgear room fires cause loss of one vital bus. Additional equipment becomes unavailable if the fire is not suppressed. Random failures of equipment unaffected by fire then lead to core damage for these scenarios.
Insights Regarding Fire Risk Gleaned from the FPIE PRA Model
As an additional set of stand-alone calculations, the potential impact of fire events on the risk assessment is considered using inputs from the full-power internal events PRA, which has been shown to be technically adequate per peer review in accordance with RG 1.200. The steps to determine the potential impact of fire events for proposed extensions are:
- 1. Determine fire initiating event frequencies
- 2. Determine the actuation signals required for event mitigation
- 3. Determine the change in signal unavailability
- 4. Determine the impact on risk metrics
The fire ignition frequencies used for this calculation are from the current work-in-progress fire PRA. The plant-specific internal fire boundaries have been identified and the physical analysis units have been defined in accordance with NUREG/CR-6850. The fire ignition frequencies have been calculated from Supplement 1 of NUREG/CR-6850 (FAQ 08-0048) and NUREG-2169. The frequencies for all of the ignition sources are summed, accounting for severity factors and non-suppression probabilities.
Each fire scenario is assumed to not directly impact an ESFAS train to determine the change in unavailability for ESFAS systems. This is a conservative assumption, since WCAP-15376-P-A, Revision 1, Table 8.10 indicates that a system with only one train available would actually have a decreased unavailability due to an increased AOT. If any cases would exist that impact both ESFAS trains, there would be no change in risk due to additional unavailability.
Important Fire Sequences
Fire events begin as transient-type events, so the primary means of mitigation is decay heat removal. This function can be accomplished by main feedwater, auxiliary feedwater (AFW), or feed-and-bleed operations. Main feedwater is not credited following fire events since there is a relatively large amount of equipment with unknown cable locations that could be damaged due to the fire. Therefore, AFW and feed-and-bleed are relied upon to mitigate a fire transient.
Since this assessment is directed at the increased signal unavailabilities, alternative methods are required to start AFW and feed-and-bleed.
For fire transient events, AFW normally starts automatically on low-low steam generator level. If that signal is unavailable or failed, then AFW pumps may be started by the operators or the AMSAC system. AMSAC is the ATWS Mitigation System Actuation Circuitry system, and actuates when steam generator level is low and SSPS has failed to actuate. An AMSAC actuation initiates turbine trip and starts all three AFW pumps using methods which are both independent and diverse from SSPS. If no AFW is actuated, operators will initiate feed-and-bleed for decay heat removal. The 4th AFW pump is not credited in this calculation, as it is assumed that failure to manually start the normal AFW pumps would also fail to start the 4th pump.
To determine the change in signal unavailability for ESFAS systems, each fire scenario is conservatively assumed to not directly impact an ESFAS train. This is a conservative assumption, since WCAP-15376-P-A, Revision 1, Table 8.10 indicates that a system with only one train available (that is, one train was already failed by the fire) would actually have a decreased unavailability due to an increased AOT and ESFAS signal logic. Any cases that impact both ESFAS trains would show no change in risk due to additional unavailability since both trains would be failed due to the fire. Therefore, the most conservative change in signal unavailability is assumed and applied to the entire fire frequency.
Based on this expected sequence of events, the risk impact related to the change in signal unavailability can be calculated as:
ΔCDF = f(Fire IE) × change in signal unavailability × HEP(AFW start) × AMSAC failure × HEP(Feed-and-bleed)
The values used for each term are:
f(Fire IE) = 4.62E-1/yr (based on NRC guidance as discussed above)
change in signal unavailability = 2.73E-4 for two trains (from WCAP-15376-P-A, Revision 1, Table 8.10)
HEP(AFW Start) = 9.7E-4 (from event AFS-XHE-FO-MDPS in PRA)
AMSAC failure = 5.4E-2 (calculated from AMSAC gate in PRA)
HEP(Feed-and-bleed) = 2.7E-3 (from event SRV-XHE-FO-FANDB in PRA; not dependent with AFS-XHE-FO-MDPS in the baseline PRA model)
Therefore,
ΔCDF (total) = 1.8E-11/yr
Since the change in CDF is small, the LERF impact will also be small and the ΔCDF and ΔLERF easily meet the acceptance criteria in RG 1.174 by several orders of magnitude for conservative fire sequences.
Analysis of All Instrumentation
To ensure that all of the changes represented in this application are addressed, an additional assessment based on safety functions is considered. All instrumentation included in this application can be sorted into a small number of types of safety functions that have unique impacts on the fire risk. Tables 1-1 and 1-2 show these safety function assignments, based on TS Tables 3.3-1 and 3.3-3 as shown in Section 2.0 of the original submittal.

TABLE 1-1 SAFETY FUNCTION OF RTS COMPONENTS

| Functional Unit | Safety Function |
|---|---|
| 2. Power Range, Neutron Flux | Reactor Trip |
| 3. Power Range, Neutron Flux High Positive Rate | Reactor Trip |
| 7. Overtemperature ΔT | Reactor Trip |
| 8. Overpower ΔT | Reactor Trip |
| 9. Pressurizer Pressure - Low | Reactor Trip |
| 10. Pressurizer Pressure - High | Reactor Trip |
| 11. Pressurizer Water Level - High | Reactor Trip |
| 12. Loss of Flow - Single Loop (Above P-8) | Reactor Trip |
| 13. Loss of Flow - Two Loops (Above P-7 and Below P-8) | Reactor Trip |
| 14. Steam Generator Water Level-Low-Low | Reactor Trip |
| 16. Undervoltage - Reactor Coolant Pumps | Reactor Trip |
| 17. Underfrequency - Reactor Coolant Pumps | Reactor Trip |
| 18. Turbine Trip | Reactor Trip |
| a. Low Autostop Oil Pressure | Reactor Trip |
| b. Turbine Stop Valve Closure | Reactor Trip |
| 19. Safety Injection Input from ESF | Reactor Trip |
| 20. Reactor Coolant Pump Breaker Position Trip (Above P-7) | Reactor Trip |
| 21. Reactor Trip Breakers | Reactor Trip |
| 22. Automatic Trip Logic | Reactor Trip |

Specific reactor trip signals are not modeled in the PRA since there are many inputs to the reactor trip logic. Section 4.3.4.2 of the original submittal discusses the potential impact of the failure of a single RCP breaker position indication with a simple, conservative assessment. If any single trip function were unavailable, the most likely path to a core damage accident would require at least failure of another indication and failure of operators to manually trip the reactor and perform shutdown via boration. The calculation shown in Section 4.3.4.2 of the original submittal estimated the ΔCDF at 9.9E-11/yr for internal events. For fire, since the initiating event frequency is even lower, that value bounds this risk change for any single Reactor Trip safety function for fire hazards. Since the change in CDF is negligible, the LERF impact will also be negligible since this safety function does not directly impact containment integrity.

TABLE 1-2 SAFETY FUNCTION OF ESFAS COMPONENTS

| Functional Unit | Safety Function |
|---|---|
| 1. Safety Injection, Turbine Trip and Feedwater Isolation | ECCS |
| b. Automatic Actuation Logic | |
| c. Containment Pressure-High | |
| d. Pressurizer Pressure-Low | |
| e. Differential Pressure Between Steam Lines - High | |
| f. Steam Flow in Two Steam Lines-High Coincident with Either Tavg - Low-Low or, Coincident with Steam Line Pressure-Low | |
| 2. Containment Spray | Containment Integrity* |
| b. Automatic Actuation Logic | |
| c. Containment Pressure - High-High | |
| 3. Containment Isolation | Containment Integrity |
| a. Phase "A" Isolation | |
| 2. From Safety Injection Automatic Actuation Logic | |
| b. Phase "B" Isolation | |
| 2. Automatic Actuation Logic | |
| 3. Containment Pressure - High-High | |
| c. Containment Ventilation Isolation | |
| 2. Automatic Actuation Logic | |
| 4. Steam Line Isolation | Secondary Side Heat Removal |
| b. Automatic Actuation Logic | |
| c. Containment Pressure - High-High | |
| d. Steam Flow in Two Steam Lines-High Coincident with Either Tavg - Low-Low or, Coincident with Steam Line Pressure-Low | |
| 5. Turbine Trip & Feedwater Isolation | Secondary Side Heat Removal |
| a. Steam Generator Water Level - High-High | |
| 6. Safeguards Equipment Control System (SEC) | Multiple Functions |
| 7. Undervoltage, Vital Bus | SEC Input |
| a. Loss of Voltage | |
| b. Sustained Degraded Voltage | |
| 8. Auxiliary Feedwater | Secondary Side Heat Removal |
| a. Automatic Actuation Logic | |
| c. Steam Generator Water Level - Low-Low | |
| i. Start Motor Driven Pumps | |
| ii. Start Turbine Driven Pumps | |
| d. Undervoltage - RCP Start Turbine Driven Pump | |
| 9. Semiautomatic Transfer to Recirculation | ECCS |
| a. RWST Level Low | |
| b. Automatic Actuation Logic | |

*Containment integrity via containment spray has no impact on CDF or LERF

Those components that serve the Secondary Side Heat Removal function are addressed by the analysis of AFW signals above.
Those components that serve the ECCS function can be represented by a signal that starts ECCS components (SI Signal) or enables them to continue functioning in recirculation mode (Semi-automatic transfer to recirculation). A fire scenario may require ECCS actuation if an induced LOCA occurs. Fire-induced LOCAs may occur due to loss of RCP seal cooling, a spurious SI, or a stuck-open RCS relief valve. The paths to each of these induced LOCAs are slightly different.
A fire-induced LOCA due to loss of RCP seal cooling would first require a fire that damages sufficient equipment to cause the loss of RCP seal injection and loss of cooling to the RCP thermal barrier heat exchangers. Only a portion of the total fire ignition frequency used above for AFW could directly cause these failures. Those fires that occur outside the Containment or Auxiliary Building are not considered capable of causing the failures that fail RCP seal cooling, so the sum of those ignition frequencies is taken as the initiating event in this case, 2.42E-1.
Once RCP seal cooling is lost, there are several ways that an RCP seal LOCA greater than 21 gpm/pump can occur. If the seal LOCA is limited to <=21 gpm/pump, it would not necessarily require ECCS injection since it is within makeup capability from its own unit or via a crosstie from another unit. Paths to a seal LOCA that requires ECCS consist of random failures of the seals, failures to trip the RCPs, or later failures to depressurize the RCS. The most likely of these is the random failure of RCP seals, which based on the WOG-2000 model would occur with a probability of 0.21 for all failures that lead to leak rates greater than 21 gpm/pump.
Therefore, a conservative estimate of the frequency of a fire-induced seal LOCA is 2.42E-1 × 0.21 = 5.08E-2. This frequency still conservatively assumes that all fires in the Containment or Auxiliary Building will cause a fire that causes a loss of RCP seal cooling while damaging only one train of the ECCS start signals. A similar approach as used in the AFW calculation is applied, where the conservative calculation of the change in CDF would be:
ΔCDF = f(Fire-induced seal LOCA) × change in signal unavailability × HEP(ECCS start)
The values used for each term are:
f(Fire-induced seal LOCA) = 5.08E-2 /yr (calculated above) change in signal unavailability = 2. 73E-4 for two trains (from WCAP-15376-P-A, Revision 1, Table 8.1 0) 11
LR-N18-0021 Attachment LAR 517-05 HEP(ECCS Start) = 4.2E-3 (from event SJS-XHE-FO-SAFLO in PRA, which is greater than RHS-XHE-FO-RECIR at 2.00E-3 for semi-automatic recirculation)
Therefore, LlCDF (total) = 5.8E-8 lyr Since the change in CDF is small, the LERF impact will also be small and the LlCDF and LlLERF changes easily meet the acceptance criteria in RG 1.17 4 with an intentionally conservative calculation for fire-induced RCP seal LOCAs.
Other pathways to a fire-induced Small LOCA are less likely than the RCP seal LOCA under these assumptions. A spurious SI that causes the RCS relief valves to open would require the ECCS equipment to be activated by the fire, and the operators to fail to respond in time to prevent the valves lifting and subsequently sticking open. The combination of the operator failure and stuck-open valves would be much less likely than the random failure probability of the RCP seals used above. A Small LOCA due to a random stuck-open valve would also be of much lower probability than the RCP seal failure.
If a more experience-driven approach is taken to estimate the frequency of a fire-induced Small LOCA, then a much lower value can be shown. As a rough estimate, there have been no fire-induced Small LOCAs in the US industry in the past 10 years. At an average of 100 operating plants per year, that is a rough estimate of 1000 reactor-years of operating experience. A Bayesian approach to the frequency would yield:
f(Fire-induced Small LOCA) = 0.5 events / 1000 reactor-years = 5E-4 /rx-yr
Substituting that value as the initiating event yields an even lower estimate of ΔCDF:
ΔCDF (total) = 5E-4 x 2.73E-4 x 4.2E-3 = 5.7E-10 /yr
Those components that serve the Containment Isolation signals for Containment Integrity would predominantly impact LERF since they have small impact on CDF. To conservatively estimate the impact on LERF, we can conservatively assume that all fire CDF could be impacted by the increased unavailability of a containment isolation signal, again assuming that all fires that contribute to the fire CDF cause failures that impact only one of the containment isolation signals. Though there is no currently calculated value for Fire CDF from an approved Fire PRA model, it can be conservatively assumed to be less than 1E-4 /yr for the purposes of this bounding calculation.
ΔLERF = f(Fire CDF) x change in signal unavailability x HEP(manual isolation)
The values used for each term are:
f(Fire CDF) = 1E-4 /yr (bounding estimate)
change in signal unavailability = 2.73E-4 for two trains (from WCAP-15376-P-A, Revision 1, Table 8.10)
HEP(manual isolation) = 6E-3 (from event SJS-XHE-FO-MANAC in PRA)
Therefore, ΔLERF (total) = 1.6E-10 /yr
Therefore, a conservative calculation for ΔLERF easily meets the acceptance criteria in RG 1.174 with an intentionally conservative calculation.
The other safety functions listed in Table 1-2 are related to the vital bus undervoltage signals and the SEC signals. The vital bus undervoltage signals are inputs to the SEC signals, so these remaining signals are addressed together. The SEC system serves several functions in the PRA, each of which is dispositioned below:
- Isolation of Turbine Building Service Water Headers
  o The specific signal is backed up by event SWS-XHE-FO-SWIXO at 2.4E-2 in the PRA
  o Failure of this isolation changes the Service Water success criteria; to change the risk measures, multiple additional Service Water hardware failures would need to occur, including manual failure to start SW pumps which would have another HEP (but actuation not modeled)
  o These operator actions and additional failures make this failure much less impactful than the other safety functions addressed by the calculations above
- Starting of chilled water pumps
  o The pumps support the Unit 1 Emergency Air Compressor, but this component is backed up by the Unit 2 Emergency Air Compressor, Station Air, and a diesel driven air compressor, so is much less impactful than the other safety functions addressed by the calculations above
  o The pumps support control room cooling, but this function is backed up by abnormal operating procedures that direct use of the Fire Inside Control Room procedures to use alternative control room cooling methods, represented in the PRA by event RD3-XHE-ABCAV-2 at 3.8E-3
- Starting ECCS pumps - addressed by ECCS calculations above
- Starting Containment Fan Cooler Units - addressed by ECCS calculations above, since it is backed up by the same operator action in the PRA
- Starting Emergency Diesel Generators
  o Emergency Diesel Generators would only be necessary if the fire also caused an induced LOOP
  o Actuation is backed up by operator action ESF-XHE-FS-EDG at 4.2E-3 in the PRA (the same value as the ECCS action)
  o The combination of the induced LOOP and the operator action is bounded by the calculations above
- Restart of Control Room Fans and Component Cooling Water pumps, with similar requirements as those for the Emergency Diesel Generators
Therefore, all of the calculations for all of the safety functions show that conservative estimates for ΔCDF and ΔLERF are all well below the acceptance guidelines for all of the signals that could be impacted by this application. While the specific HEPs used in the calculations may be increased in fire scenarios, the margin to the acceptance criteria provides adequate margin to support the determination of a negligible impact.
Summary of Fire Risk Insights
In summary, for the spectrum of scenarios analyzed above, the status of a particular component being out-of-service would have a negligible impact. The spectrum of scenarios addresses all of the safety functions that would be impacted by all of the instrumentation included in the proposed AOT changes. The fire ΔCDFs, ΔLERFs and corresponding incremental risk measures are clearly bounded by the risk estimates discussed in the NRC SER in WCAP-14333-P-A, WCAP-15376-P-A, and PSEG risk calculations shown in this amendment. In general, fire scenarios are slowly developing transient scenarios, and the risk comes from long term failures of the operators and equipment to mitigate the transient, not instrument failure. In addition, any risk increase would only occur for fires that fail one (and only one) train of instrumentation since fires that fail both trains of an instrument channel or neither train would not be impacted by an extended AOT. This conclusion is consistent with and supported by the FPIE risk insight that internally generated ATWS and LOCA sequences rely more heavily on ESFAS and RTS instrumentation than fire-initiated scenarios.
4.3.4.6 Discussion of Seismic Risk (replaces Section 4.3.4.6)
Insights Regarding Seismic Risk Gleaned from the IPEEE
Section 1.4.1 of Salem's IPEEE reports four significant contributors to seismic related CDF, all associated with station blackout (SBO). These four scenarios represent 78% of the total seismic related CDF based on the more conservative LLNL hazard curve:
- 31% of the total CDF (2.9E-06 per year) is caused by seismic damage to the switchyard ceramic insulators that leads to a loss of offsite power (LOOP). This is coupled with non-seismic failures of the emergency diesel generators (EDGs) or EDG support systems.
- 14% of the total CDF (1.3E-06 per year) is caused by seismic damage that causes both a LOOP and loss of service water (LOSW). Service water is required to support the EDGs. Therefore, the LOSW leads to a loss of EDGs.
- 21% of the total CDF (2.0E-06 per year) is caused by seismic damage that causes both a LOOP and a loss of battery trains 'A' and 'B'. DC power from the batteries is required to start the EDGs. Therefore, the 'A' and 'B' EDGs fail to start. The station has two diesel fuel oil transfer pumps (DFOTPs) powered from the 'A' and 'B' vital buses. The 'C' EDG eventually fails when the associated fuel oil day tank is depleted.
- 12% of the total CDF (1.2E-06 per year) is caused by seismic damage that causes both a LOOP and failures of main control room instrumentation and control (I&C) caused by ceiling grid collapse.
Relay chatter was not considered significant to safe shutdown, and no vulnerability to containment failure or containment bypass leading to early failure was identified.
Because damage to equipment during seismic events is often correlated across trains, as shown with failures described above, extension of AOTs for ESFAS/RTS components will have a negligible impact on Seismic risk estimates. If a component is failed during a particular seismic event, its corresponding opposite train component is also likely to fail; therefore, whether it was out-of-service or not is irrelevant. If a component is not failed during a particular seismic event, it will then only contribute to Seismic risk when its corresponding opposite train component is out-of-service due to random failures, which are very low and bounded by the internal events analysis. As such, it can qualitatively be inferred that there would be no significant impact on seismic risk due to extending the AOT for these ESFAS/RTS components.
Insights Regarding Seismic Risk Gleaned from the FPIE PRA Model
As an additional set of stand-alone calculations, the potential impact of seismic events on the risk assessment is considered using inputs from the full-power internal events PRA model, which has been shown to be technically adequate per peer review in accordance with RG 1.200. The steps to determine the potential impact of seismic events for proposed extensions are:
- 1. Determine the accidents that can result from a seismic event
- 2. Determine the systems of interest
- 3. Determine how the system of interest is used to mitigate the seismically induced event
- 4. Determine the impact on risk metrics
Important Seismic Sequences
The primary seismic events of interest for this assessment are a LOOP or an induced Small LOCA. The largest seismic events are expected to cause Larger LOCAs and additional failures, making small changes in the availability of actuation signals a negligible impact as discussed above.
For a Seismically-induced LOOP event, emergency diesel generators (EDGs) are required to start and run, AFW is required to provide secondary side heat removal, and RCP seal cooling (injection or thermal barrier cooling) must continue to prevent an RCP seal LOCA. The only related signal for these functions that may be impacted by the AOT changes is the need to start AFW. As discussed in the Fire section above, AFW may also be started by operator action, or by the AMSAC. Upon failure to start AFW, feed-and-bleed may also be possible, but that is neglected here for conservatism.
Based on this expected sequence of events for a Seismically-induced LOOP, the risk impact related to the change in signal unavailability can be calculated as:
ΔCDF = f(Seismic LOOP) x change in signal unavailability x HEP(AFW start) x AMSAC failure
The values used for each term are:
f(Seismic LOOP) = 2.19E-5 /yr (sum of all Seismically-induced LOOPs from all categories of seismic events from LR-N14-0051; see footnote 1)
change in signal unavailability = 2.73E-4 for two trains impacted (from WCAP-15376-P-A, Revision 1, Table 8.10)
HEP(AFW Start) = 9.7E-4 (from event AFW-XHE-FO-MDPS in PRA)
AMSAC failure = 5.4E-2 (calculated from AMSAC gate in PRA)
Therefore, ΔCDF (Seismic LOOP) = 3.2E-13 /yr
For a Seismically-induced Small LOCA, ECCS is required to provide injection to restore inventory and recirculation capability to maintain inventory and allow decay heat removal. A Small LOCA is more severe than a Seismically-induced LOOP, so a LOOP is assumed to also occur during a Seismically-induced Small LOCA, and it is common practice to assume a Very Small LOCA occurs in any Seismic event. However, in order for the AOT extensions to impact the Seismic risk, the event needs to be severe enough to create the Small LOCA but not so severe as to impact the ECCS.
The risk impact would be calculated similarly to that for Seismic LOOP, except a different operator action would be required to back up a failed actuation (SI) signal, with no additional backup actuation system.
Assuming that all Seismic events that cause a LOOP would also cause a Small LOCA, a similar approach is used:
ΔCDF = f(Seismic LOCA) x change in signal unavailability x HEP(ECCS start)
The values used for each term are:
f(Seismic LOCA) = 2.19E-5 /yr (same as above for Seismically-induced LOOPs)
change in signal unavailability = 2.73E-4 for two trains impacted (from WCAP-15376-P-A, Revision 1, Table 8.10)
HEP(ECCS Start) = 4.2E-3 (from event SJS-XHE-FO-SAFLO in PRA)
Therefore, ΔCDF (Seismic LOCA) = 2.5E-11 /yr
Since the CDF increase is negligible for both of these cases, the LERF impact will also be negligible and the ΔCDF and ΔLERF changes meet the acceptance criteria in RG 1.174.
Footnote 1: Frequency based on calculation using values from PSEG's Response to 10 CFR 50.54(f) Recommendation 2.1 of the Near-Term Task Force Review of the Fukushima Accident - Salem Generating Station, LR-N14-0051, March 2014.
Analysis of All Instrumentation
To ensure that all of the changes represented in this application are addressed, an assessment based on safety functions is considered. All instrumentation included in this application was sorted into a small number of types of safety functions for fire risk in Tables 1-1 and 1-2. A similar approach is applied to seismic risk.
As with fire, since the total seismic initiating event frequency is lower than the total initiating event frequency for internal events, the ΔCDF from Section 4.3.4.2 of the original submittal bounds this risk change for any single Reactor Trip safety function for seismic hazards. Since the change in CDF is negligible, the LERF impact will also be negligible since this safety function does not directly impact containment integrity.
Those components that serve the Secondary Side Heat Removal or ECCS function are addressed by the analysis of AFW and ECCS signals above for seismic hazards.
Those components that serve the Containment Isolation signals for Containment Integrity would only impact LERF since they have no impact on CDF. To conservatively estimate the impact on LERF, we can conservatively assume that all seismic CDF could be impacted by the increased unavailability of a containment isolation signal, again assuming that all seismic events that contribute to the seismic CDF cause failures that impact only one of the containment isolation signals. Though there is no currently calculated value for Seismic CDF from an approved Seismic PRA model, it can be conservatively assumed to be less than the Seismic LOOP frequency identified above.
ΔLERF = Seismic CDF x change in signal unavailability x HEP(manual isolation)
The values used for each term are:
Seismic CDF = 2.19E-5 /yr (conservatively set equal to the Seismically-induced LOOP frequency above)
change in signal unavailability = 2.73E-4 for two trains (from WCAP-15376-P-A, Revision 1, Table 8.10)
HEP(manual isolation) = 6E-3 (from event SJS-XHE-FO-MANAC in PRA)
Therefore, ΔLERF (total) = 3.6E-11 /yr
Therefore, a conservative calculation for ΔLERF easily meets the acceptance criteria in RG 1.174 with an intentionally conservative calculation.
The other safety functions listed in Table 1-2 are related to the vital bus undervoltage signals and the SEC signals. The vital bus undervoltage signals are inputs to the SEC signals, so these remaining signals are addressed together. The SEC system serves several functions in the PRA, each of which was dispositioned in the Fire analysis, and the same arguments would apply to Seismic.
Therefore, all of the calculations for all of the safety functions show that conservative estimates for ΔCDF and ΔLERF are all well below the acceptance guidelines for all of the signals that could be impacted by this application. While the specific HEPs used in the calculations may be increased in seismic scenarios, the margin to the acceptance criteria provides adequate margin to support the determination of a negligible impact. For the more severe seismic events that greatly increase the human error probability, other associated failures would overwhelm the impact from the signal unavailabilities.
Summary of Seismic Risk Insights
In summary, for the spectrum of scenarios analyzed above, the status of a particular component being out-of-service would have a negligible impact. The spectrum of scenarios addresses all of the safety functions that would be impacted by all of the instrumentation included in the proposed AOT changes. The seismic ΔCDFs, ΔLERFs and corresponding incremental risk measures are clearly bounded by the risk estimates discussed in the NRC SER in WCAP-14333-P-A, WCAP-15376-P-A, and PSEG risk calculations shown in this amendment. In general, seismic scenarios are slowly developing scenarios that resemble FPIE LOOP scenarios, and the risk comes from long term station blackout, not instrument failure. In addition, any risk increase would only occur for seismic events that fail one (and only one) train of instrumentation since events that fail both trains of an instrument channel or neither train would not be impacted by an extended AOT. This conclusion is consistent with and supported by the FPIE risk insight that internally generated ATWS and LOCA sequences rely more heavily on ESFAS and RPS instrumentation than seismic-initiated scenarios.
4.3.4.8 Summary of Tier 1 Results (replaces Section 4.3.4.8)
PSEG has performed an extensive, multi-faceted review for internal events, fire, seismic and external flood scenarios, and the results show that quantitative analysis performed using the FPIE PRA is sufficient to evaluate the risk of implementation of WCAP-14333 and WCAP-15376.
Examining the results of the internal events analysis with all of the cases combined via examination of resulting cutsets and delete-term cutsets, the small increase in average CDF and LERF is partially due to a weather related LOOP or switchyard related LOOP following failure of the signal to automatically start the emergency diesel generator (EDG) in combination with failure of the operators to manually start the EDG. These cutsets which previously fell below truncation are now present due to the increased unavailability of UV relays. Additional important cutsets are related to a main steam line break inside containment followed by failure of SI signal in combination with failure of operators to manually recover. These cutsets have increased due to the increased unavailability of SSPS logic circuits. New cutsets seen in LERF are similar and also include events initiated by service water.
For external events, the insights from the older IPEEE analyses are consistent with the insights from the calculations that rely on the current, peer reviewed FPIE PRA. PSEG concludes that the reactor trip and ESFAS instrumentation systems are designed to mitigate accidents using all necessary safety functions. Risk increases from external events are at least an order of magnitude below the risk increases measured in the WCAPs and the Salem FPIE PRA. While the external event CDFs and LERFs cannot be known precisely, best evidence is that they are below Region II of the applicable RG 1.174 figures. Thus, the risk increase from increased completion times is well characterized by the WCAPs and the Salem FPIE PRA.
The results presented in Tables 4-24 through 4-27 are well below the regulatory guidelines for a license amendment request:
- The CDF and LERF risk metrics are well below the RG 1.174 acceptance guidelines for Region III, i.e., very small risk change.
- The ICCDP for the ESFAS/RTS instrumentation AOT is well below the RG 1.177 acceptance guideline.
- The ICLERP for the ESFAS/RTS instrumentation AOT is well below the RG 1.177 acceptance guideline.