ML16356A689

From kanterella
Revision as of 17:13, 4 May 2018 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
Jump to navigation Jump to search

Palo Verde Nuclear Generating Station Unit 3, Emergency License Amendment Request for a One-Time Extension of Diesel Generator Completion Time
ML16356A689
Person / Time
Site: Palo Verde Arizona Public Service icon.png
Issue date: 12/21/2016
From: Lacal M L
Arizona Public Service Co
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
102-07406-MLL/TNW
Download: ML16356A689 (98)
v  d  e


Text

10 CFR 50.90 A member of the STARS Alliance LLC Callaway Diablo Canyon Palo Verde Wolf Creek MARIA L. LACAL Senior Vice President, Nuclear Regulatory & Oversight Palo Verde Nuclear Generating Station P.O. Box 52034 Phoenix, AZ 85072 Mail Station 7605 Tel 623.393.6491 102-07406-MLL/TNW December 21, 2016 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001

Dear Sirs:

Subject:

Palo Verde Nuclear Generating Station (PVNGS) Unit 3 Docket No. STN 50-530 Renewed Operating License No. NPF-74 Emergency License Amendment Request for a One-Time Extension of the Diesel Generator Completion Time In accordance with the provisions of Section 50.90 of Title 10 of the Code of Federal Regulations (10 CFR), Arizona Public Service Company (APS) is submitting an emergency license amendment request (LAR) for a one-time extension of the emergency diesel generator (DG) completion time described in the Technical Specifications (TS) for Palo Verde Nuclear Generating Station (PVNGS) Unit 3. Specifically, the emergency LAR would extend the TS required action 3.8.1.B.4 completion time from 10 days to 21 days for the purpose of collecting and analyzing data associated with the failure of the PVNGS Unit 3 train B DG and continue with the repair of the DG. During surveillance testing on December 15, 2016, the DG suffered a failure of the number nine right cylinder connecting rod and piston. Current plans to collect and analyze data associated with the engine failure and continue with the repair will exceed the TS required action completion time of 10 days. As a result, APS has evaluated the defense-in-depth and compensatory measures and is requesting a one-time deterministic license amendment to extend the completion time based upon the guidance of Branch Technical Position (BTP) 8-8, Onsite (Emergency Diesel Generators) and Offsite Power Sources Allowed Outage Time Extensions. Enclosure 1 to this letter provides a description and assessment of the proposed changes including a summary of the technical evaluation, a regulatory evaluation, a no significant hazards consideration, and an environmental consideration. The enclosure also contains five attachments. Attachment 1 provides the marked-up existing TS page. Attachment 2 provides the revised (clean) TS page. No TS Bases changes are proposed for this one-time LAR. Attachment 3 provides the compensatory measures, Attachment 4 provides the cold shutdown load summary, and Attachment 5 provides the commitments to control station activities. to this letter provides risk-insights, including the risk-impacts related to the compensatory measures. The risk of the extended completion time has been assessed and will be managed in accordance with the requirements of 10 CFR 50.65(a)(4) and Regulatory 102-07406-MLL/TNW ATTN: Document Control Desk U. S. Nuclear Regulatory Commission Emergency LAR for a One-Time Extension of the Diesel Generator Completion Time Page 2 Guide 1.160, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants. As described in the enclosure, APS will provide the additional compensatory action of deploying temporary non-safety related diesel generator capability for defense-in-depth. After completion of the causal evaluation and if there is confirmation that there is not a common mode failure, a risk-informed license amendment request will be submitted for the duration of the repair and testing of the Unit 3 train B DG. This letter contains commitments as described in Attachment 5 to Enclosure 1.

In accordance with the PVNGS Quality Assurance Program, the Plant Review Board and the Offsite Safety Review Committee have reviewed and approved the emergency LAR. By copy of this letter, this LAR is being forwarded to the Arizona Radiation Regulatory Agency in accordance with 10 CFR 50.91(b)(1). APS requests approval of the LAR on an emergency basis prior to the expiration of the current 10 day completion time, which expires at 3:56 am, December 25, 2016. APS will implement the TS amendment immediately following NRC approval. Absent approval, PVNGS Unit 3 would be required to begin shutdown, pursuant to TS 3.8.1, Condition H.

Should you have any questions concerning the content of this letter, please contact Thomas Weber, Department Leader, Nuclear Regulatory Affairs, at (623) 393-5764. I declare under penalty of perjury that the foregoing is true and correct. Executed on : December 21, 2016__ (Date) Sincerely,

MLL/TNW/CJS/af

Enclosures:

1. Description and Assessment of Proposed License Amendment 2. Risk-Insights Related to One-Time Extended Completion Time cc: K. M. Kennedy NRC Region IV Regional Administrator S. P. Lingam NRC NRR Project Manager for PVNGS M. M. Watford NRC NRR Project Manager C. A. Peabody NRC Senior Resident Inspector for PVNGS T. Morales Arizona Radiation Regulatory Agency (ARRA)

Enclosure 1 Description and Assessment of Proposed License Amendment Description and Assessment of Proposed License Amendment i TABLE OF CONTENTS 1.0 SUMMARY DESCRIPTION 2.0 DETAILED DESCRIPTION 2.1 Proposed Change to the Technical Specifications 2.2 Need for Proposed Change 3.0 BACKGROUND 3.1 System Description 4.0 TECHNICAL ANALYSIS 4.1 Deterministic Evaluation (Defense-in-Depth) 4.2 Safety Margin Evaluation 4.3 Risk Insights and Risk Management, Including Compensatory Actions 4.4 Review of Surveillance Tests 4.5 Operator Training

5.0 REGULATORY EVALUATION

5.1 Applicable Regulatory Requirements 5.2 Precedent 5.3 No Significant Hazards Consideration 5.4 Conclusion

6.0 ENVIRONMENTAL CONSIDERATION

7.0 REFERENCES

ATTACHMENTS 1. Marked-up Technical Specifications Page 2. Revised Technical Specifications Page (Clean Copy) 3. Compensatory Measures 4. Cold Shutdown Load Summary 5. Commitments to Control Station Activities Description and Assessment of Proposed License Amendment ii LIST OF ACRONYMS ac or AC Alternating Current AFAS Auxiliary Feedwater Actuation Signal AFP Auxiliary Feedwater Pump APS Arizona Public Service Company BOP-ESFAS Balance of Plant Engineered Safety Features Actuation System BTP Branch Technical Position CDF Core Damage Frequency CFR Code of Federal Regulations DC Direct Current DG Diesel Generator ESF Engineered Safety Feature ESFAS Engineered Safety Features Actuation System GDC General Design Criterion GSI Generic Safety Issue hp Horsepower HPSI High Pressure Safety Injection ICCDP Incremental Conditional Core Damage Probability ICLERP Incremental Conditional Large Early Release Probability kV kilovolts (1,000 volts) LAR License Amendment Request LCO Limiting Condition for Operation LERF Large Early Release Frequency LOCA Loss of Coolant Accident LOOP Loss of Offsite Power LPSI Low Pressure Safety Injection MCC Motor Control Center PVNGS Palo Verde Nuclear Generating Station RCP Reactor Coolant Pump SBO Station Blackout SBOG Station Blackout Generator SIAS Safety Injection Actuation Signal SR Surveillance Requirement TS Technical Specification UFSAR Updated Final Safety Analysis Report Description and Assessment of Proposed License Amendment 1 1.0 SUMMARY DESCRIPTION In accordance with the provisions of Section 50.90 of Title 10 of the Code of Federal Regulations (10 CFR), Arizona Public Service Company (APS) is submitting an emergency license amendment request (LAR) for a one-time extension of the emergency diesel generator (DG) completion time described in the Technical Specifications (TS) for Palo Verde Nuclear Generating Station (PVNGS) Unit 3. Specifically, the emergency LAR would extend the TS required action 3.8.1.B.4 completion time from 10 days to 21 days for continued repairs and for the purpose of collecting and analyzing data associated with the failure of the PVNGS Unit 3 train B DG. During surveillance testing on December 15, 2016, the B train DG for PVNGS Unit 3 experienced a failure of internal components associated with the number nine right cylinder. Current plans to collect and analyze the data associated with the engine failure and continue with the repair of the DG will exceed the TS required action completion time of 10 days. As a result, APS has evaluated the aspects of this condition considering the guidance of Branch Technical Position (BTP) 8-8, Onsite (Emergency Diesel Generators) and Offsite Power Sources Allowed Outage Time Extensions (Reference 5), and is requesting a license amendment to extend the completion time on a one-time basis. The completion time extension will allow for continued repairs and for the engineering team to perform the root cause investigation, understand the cause of the failure, and evaluate the extent of condition. Following this analysis, a determination on the potential existence of a common mode failure will be made. Enclosure 1 provides a description and assessment of the proposed changes including a summary of the technical evaluation, a regulatory evaluation, a no significant hazards consideration and an environmental consideration. This enclosure also contains five attachments. Attachment 1 provides the marked-up existing TS page. Attachment 2 provides the revised (clean copy) TS page. No TS Bases changes are proposed for this one-time LAR. Attachment 3 provides the compensatory measures which will be used during the extended allowed outage time (AOT). Attachment 4 provides the electrical load summary for train B loss of offsite power (LOOP) loads to enter cold shutdown and Attachment 5 provides the commitments to control station activities. Enclosure 2 to this letter provides a probabilistic risk assessment and insights associated with extending the PVNGS Unit 3 Technical Specification 3.8.1 Condition B.4 completion time for the train B DG from the current 10 days to 21 days. The PRA model meets all scope and quality requirements in Regulatory Guide (RG) 1.200, Revision 2 (Reference 1) to Capability Category II. This plant-specific risk assessment followed the guidance in RG 1.177, Revision 1 (Reference 3), and RG 1.174 (Reference 2) on defense-in-depth, safety margin and PRA information in support of a request for a one-time change to the plant technical specifications. is provided as additional insights to the deterministic evaluation using defense-in-depth technical analysis and compensatory measures contained in this enclosure. Description and Assessment of Proposed License Amendment 2 2.0 DETAILED DESCRIPTION 2.1 Proposed Change to the Technical Specifications The following specific TS changes are proposed to extend the completion time on a one-time basis for the PVNGS Unit 3 B train DG. ~ TS 3.8.1, Electrical Power Systems, AC Sources - Operating Add a new NOTE in the Completion Time column, associated with Required Action B.4 of the TS 3.8.1 Action Table, that reads as follows: NOTE - - - - - - - - - - - - - - - - - - -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - For the Unit 3 Train B DG failure on December 15, 2016, restore the inoperable DG to OPERABLE status within 21 days. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - A marked-up TS page is provided in Attachment 1 of this enclosure and a revised TS page (clean copy) is provided in Attachment 2 of this enclosure. 2.2 Need for Proposed Change During routine scheduled surveillance testing on December 15, 2016, the PVNGS B train DG was operating partially loaded when the load suddenly decreased and a low lube oil pressure trip occurred. The physical damage was readily apparent to plant operators when responding to the event. Oil and metal debris were observed on the engine room floor and the number 9 right cylinder (9R) crankcase cover was deformed. Physical damage was extensive, including but not limited to the number 9 master and articulating rod separating and impacting internal areas of the engine base and block. Both the 9R and 9L pistons, sleeves and associated components were damaged and will require replacement. The counterbalance was also fractured and the crankshaft damaged at this number 9 location. There was damage to the number 8 master and articulating rod, including the physical fracture of two studs on the rod cap. A counterbalance at the number 8 location was also fractured and damaged. Current plans to repair the DG and collect and analyze the engine failure data will exceed the TS required completion time of 10 days. As a result, APS has evaluated the defense-in-depth and compensatory measures and is submitting an emergency LAR to extend the completion time to conduct repairs and allow the engineering team to perform the root cause investigation, understand the cause of the failure and evaluate the extent of condition. Following this analysis, a determination on the potential existence of a common mode failure of the train A DG will be made. Basis for Duration of Completion Time Extension The completion time extension will allow for continued repairs and for the engineering team to perform the root cause investigation, understand the cause of the failure and evaluate the extent of condition. Following this analysis, a determination on the potential existence of a common mode failure will be made. The duration to collect and analyze data is not expected to exceed a total of 21 days. Completed activities include initial visual inspection, damage assessment Description and Assessment of Proposed License Amendment 3 and parts recovery. Preparation for crankshaft and internal parts replacement is underway. Crankshaft removal and engine block repair require the following supporting activities: precision alignment checks of the DG internals, removal of pistons, liners and connecting rods, and removal of right and left bank intercoolers from turbo chargers. A new crankshaft will be installed, followed by engine assembly and retest. To complete repairs and testing of the DG, it is expected that additional time beyond the 21-day extended AOT will be needed. After establishing the cause of failure and confirmation that a common mode failure does not affect the Unit 3 train A DG, a risk-informed license amendment request will be submitted for the duration of the repair of the U3 train B DG. APS requests approval of the LAR on an emergency basis prior to the expiration of the current 10 day completion time, which expires at 3:56 am, December 25, 2016. APS will implement the TS amendment immediately following NRC approval. Absent approval, PVNGS Unit 3 would be required to begin shutdown, pursuant to TS 3.8.1, Condition H.

3.0 BACKGROUND 3.1 System Description Seven physically independent 525 kilovolt (kV) transmission lines of the Western Interconnection are connected to the Palo Verde Nuclear Generating Station (PVNGS) 525 kV switchyard, as shown in Figure 1 below. Three 525 kV tie lines supply power from the switchyard to three startup transformers, which supply power to six 13.8 kV intermediate buses (two per unit). Two physically independent circuits supply offsite (preferred) power to the onsite power system of each PVNGS unit. Salt River Project (SRP) operates and maintains the PVNGS 525kv switchyard, and is the grid operator in the PVNGS area. SRP performs a load flow and dynamic stability (frequency and voltage) study of the grid periodically. The stability study examines the following conditions per the PVNGS UFSAR section 8.2.2 Analysis: ~ A permanent three-phase fault on the 525kv switchyard bus with subsequent loss of the critical 525kv line. ~ A sudden loss of one of three PVNGS units with no underfrequency load shedding measures in effect. ~ The sudden loss of the largest single load in Arizona, New Mexico, Southern California, or Southern Nevada.

The stability study also complies with North American Electric Reliability Corporation (NERC) standards, and is one of the Nuclear Plant Interface Requirements (NPIRs). The study shows the grid remains stable in frequency, phase angle, and voltage. The SRP 525 kV switchyard utilizes a breaker-and-a-half design in which three breakers are provided for every two terminations, either line or transformers.

Description and Assessment of Proposed License Amendment 5 functions as a source of ac power for safe plant shutdown in the event of loss of preferred power and for post-accident operation of engineered safety feature (ESF) loads. Each diesel generator is rated at 5500 kW for continuous operation and 6050 kW for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> out of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Each generator is driven by a turbocharged, four-cycle, 20-cylinder diesel engine. There are no provisions for automatically paralleling the two diesel generators within a unit. Interlocks are provided to prevent manual paralleling of the diesel generators. There are no direct interconnections between the standby power supplies of the individual units.

Each diesel generator is normally connected to a single 4.16 kV safety features bus of a load group. However, there are provisions for connecting both ESF buses to a single diesel generator during emergency conditions. Each load group is independently capable of safely shutting down the unit or mitigating the consequences of a design basis accident. The diesel generators are physically and electrically isolated from each other. Physical separation for fire and missile protection is provided by installing the diesel generators in separate rooms in a Seismic Category I structure. Power and control cables for the diesel generators and associated switchgear are routed in separate raceways.

The components of the standby power supply system, including related controls, required to supply power to ESF and cold shutdown loads conform to the requirements of General Design Criterion 17, IEEE 308, and IEEE 279 (References 6, 7, and 8). Station Blackout 10 CFR Part 50.63 requires that each light water-cooled nuclear power plant be able to withstand and recover from a station blackout (SBO) of a specified duration. The PVNGS SBO 16-hour coping evaluation was submitted to the NRC in APS letter 102-05370 (Reference 9), dated October 28, 2005. Supplemental information was provided in APS letter 102-05465 (Reference 10), dated April 19, 2006. The NRC approved the 16-hour SBO coping evaluation in a Safety Evaluation dated October 31, 2006. The 16-hour coping strategy analysis assumes that one of the two Station Blackout Generators (SBOG), which serves as the Alternate AC (AAC) for PVNGS, is started and connected to the AC distribution system to supply loads in the respective unit during the first hour to allow the analyzed SBO loads to be powered in accordance with administrative or emergency procedures. Should a SBO occur in any one unit, i.e., a loss of offsite power coincident with the unavailability of both emergency diesel generators in that unit, an AAC power source is available to provide the power necessary to cope with a SBO for a minimum of 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br />. The PVNGS response to a SBO has been developed in accordance with RG 1.155, Station Blackout, and NUMARC 87-00, Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors (References 11 and 12). Description and Assessment of Proposed License Amendment 6 The non-safety related AAC power source consists of two 100 percent capacity SBOGs that can be connected to each unit at switchgear NAN-S03 via the primary winding of the ESF transformer that is normally aligned to the train A 4.16kV bus. One SBOG is analyzed to supply all required SBO loads, which are located on the A train. The AAC starting system and diesel fuel oil supply is independent from the black-out unit's power systems and fuel oil supply systems, however, switchgear NAN-S03 at each unit is dependent upon the unit's non-safety related 125V dc power system. This dc system is energized from the AAC power source to maintain its operability during the SBO event. Fuel oil storage tank associated with the SBOGs is maintained with sufficient fuel to support full load operation of the two SBOGs for 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br />.

The AAC power system is not normally connected to the onsite power distribution system. Therefore failure of the AAC components cannot adversely affect the Class 1E power systems.

The AAC power system is physically located and physically protected so that a likely event initiating a SBO will not also affect the AAC system. Connections from the SBOGs to the units are made via cables routed through underground duct banks. Each SBOG has a minimum continuous output rating of 3400 kW at 13.8 kV under worst case anticipated site environmental conditions. This rating is sufficient to provide power to the loads identified as being important for coping with the SBO. Starting and loading of the AAC power system is performed manually; no autostart or automatic loading capability is provided.

Although able to be aligned to Unit 3 train B from a defense in depth perspective, for this emergency LAR the PVNGS SBOGs are not credited to provide power to Unit 3 in response to a LOOP event based on the guidance of BTP 8-8. APS has deployed three portable diesel generators at Unit 3 connected to the 4.16 kV AC FLEX connection box that can supply the train B 4.16 kV AC class bus to maintain the same level of defense-in-depth for safe shutdown of the plant. 4.0 TECHNICAL ANALYSIS 4.1 Deterministic Evaluation PVNGS is connected to the Western Interconnection, one of the two major power grids in North America. Seven physically independent transmission lines supply the PVNGS 525 kV switchyard that supplies offsite power to all three units. These seven transmission lines are designed and located to minimize the likelihood of simultaneous failure. Each unit is provided with two offsite supplies from two of the three startup transformers. For onsite power, each PVNGS unit has two DGs and shares two SBOGs between the three units. The system design configuration ensures that each of the DGs is electrically and physically isolated. In addition, during the requested extended completion time, APS has deployed three portable diesel generators at Unit 3 connected to the 4.16 kV AC FLEX connection box that can supply the B train 4.16 kV AC class bus, and has deployed a diesel-driven FLEX steam generator (SG) makeup pump to Unit 3. Description and Assessment of Proposed License Amendment 7 The defense-in-depth philosophy requires multiple means or barriers to be in place to accomplish safety functions and prevent the release of radioactive material. In the event of a loss of the preferred offsite power sources, the SBOGs can be aligned to either of the 4.16 kV AC class busses per design. During the period of this extended completion time for the train B DG, the associated train B 4.16 kV AC class bus will be powered from offsite power, and if offsite power is lost, would be powered by portable diesel generators, if necessary. The unavailability of the train B DG for this one-time TS change does not reduce the amount of available equipment to a level below that necessary to mitigate a design basis accident. The train A DG is provided with adequate independence to mitigate all postulated accidents. The proposed change will continue to provide multiple means to accomplish safety functions and prevent the release of radioactive material, consistent with the defense-in-depth philosophy. The proposed one-time extension of the TS completion time for the train B DG does not introduce any new common mode failure, and protection against failure modes previously considered in the UFSAR analyses is not compromised. The train A DG, SBOGs, and the portable diesel generators are all of diverse design, thus reducing the potential for common mode failures. The SBOGs are gas turbine generators. The three portable AC diesel generators are self-contained, enclosed tractor trailer mounted Cummins diesel generators. Two are 4.16 kV generators and the third is a 480 V generator with a step-up transformer to convert the output voltage to 4.16 kV. The control systems for the three portable diesel generators have a common design which supports parallel operations. APS has evaluated the defense-in-depth aspects for onsite and offsite power sources from a deterministic perspective. The portable DGs are available as a backup to the inoperable train B DG to maintain the defense-in-depth design philosophy of the electrical system to meet its intended safety function. The portable DGs have the capability to support the loads necessary to mitigate a LOOP event and bring the unit to cold shutdown in case of an extended LOOP concurrent with a single failure of the train A DG during plant operation. The three portable DGs operate in parallel providing a combined output of approximately 4800 kW. Attachment 4 identifies the electrical load summary for the train B bus required for response to a LOOP event including placing the plant in cold shutdown. The load summary is conservatively determined to be approximately 4540 kW including losses for cables and transformers based upon the most heavily loaded of the six PVNGS DGs, which is the Unit 1 train B DG. The result is that the three temporary portable DGs are sufficient to enable a cold shutdown of Unit 3 in the event of a LOOP with a single failure (e.g. DG A) during the extended time period while the B train DG is inoperable.

The portable DGs will be verified available and functional by the completion of a test run prior to the period of extended allowable outage time. The station provides fuel delivery trucks and fuel trailers to perform refueling of the portable generators and the FLEX steam generator make-up pump diesel engine. On-site fuel oil tanks provide the ability to replenish fuel delivery trucks/trailers to support extended operation of the portable DGs. Designated Description and Assessment of Proposed License Amendment 8 personnel are available on all shifts to perform necessary refueling operations. Local commercial fuel delivery provides ready replenishment of onsite inventories. During the extended AOT, routine inspections of the portable DGs will be performed by operations personnel to ensure normal standby conditions are maintained including lubrication and fuel levels, standby temperatures, and general equipment condition. During the unavailability period of the Unit 3 train B DG, power to the class 1E DC distribution system, including the batteries, will be maintained through the battery chargers connected to the preferred power source (offsite power). The batteries will continue to maintain sufficient DC power capacity to satisfy the limiting two-hour design basis event load profile during a loss of coolant accident (LOCA) scenario as documented in the licensing basis. This LOCA scenario includes a loss of offsite power. The design calculation references that the two-hour battery capacity has at least 40% margin accounting for temperature effects, aging, and uncertainty. Following a LOOP, upon restoration of AC power to the train B bus from the portable DGs, charging of the class batteries will be initiated to ensure continued availability of the class 1E DC distribution system.

In the event of a loss of offsite power and the limiting single failure of the train A DG, both the SBOGs and the portable DGs have the capability to establish power to the train B 4.16 kV class bus within one hour using existing procedural guidance. APS will take the following actions identified in Attachment 5 to ensure that necessary equipment remains available during the extended allowed outage time. 4.2 Safety Margin Evaluation The proposed one-time extension of the Unit 3 train B DG completion time remains consistent with the codes and standards applicable to the PVNGS onsite AC sources and electrical distribution system. A loss of all AC power event would require a loss of all offsite power sources, failure of the train A DG, failure of both SBOGs, and failure of the portable DGs. In addition, with deployment of the diesel-driven FLEX SG Makeup Pump at Unit 3, another backup supply of SG makeup independent of offsite power or the 4.16 kV AC buses is provided to mitigate the most likely scenarios associated with a loss of offsite power event. Also, PVNGS has installed a cross-connection which allows make-up to SGs from the station fire protection system which provides additional defense-in-depth for the heat removal safety function. Therefore, there is no significant reduction in the margin of safety. 4.3 Risk Insights and Risk Management, Including Compensatory Actions The risk associated with a one-time extension of the PVNGS Unit 3 Technical Specification 3.8.1 Condition B.4 completion time for the train B DG from the current 10 days to 21 days has been evaluated with a PRA model that meets all scope and quality requirements in RG 1.200, Revision 2 (Reference 1) to Capability Category II. This plant-specific risk assessment followed the guidance in RG 1.177, Revision 1 (Reference 3), and RG 1.174 (Reference 2) on defense-in-depth, safety margin and PRA information in support of a request for a one-time change to the plant licensing basis. Enclosure 2 provides detailed Description and Assessment of Proposed License Amendment 9 information on the risk assessment and insights. Compensatory actions as listed in Attachment 3 will be implemented in accordance with the PVNGS Configuration Risk Management Program (CRMP). 4.4 Review of Surveillance Tests A review of planned surveillance tests was conducted for the 21 day extended AOT being requested in this LAR. This review concluded no surveillance testing of safety related equipment that would impact operability is required and there were no surveillance test requirements that required deferral or an extension beyond their required surveillance interval. 4.5 Operator Training Operators are trained on the strategies and hierarchy of procedures for LOOP that specify use of alternate power sources, including the portable DGs. Training, briefings, and walkdowns are provided to the Operators responsible for operating the portable DGs as part of the preparation for use of the generators. Operations crews are briefed on the implementing procedure. Designated operators will be familiar with instructions for starting and operating the portable DGs. Operations staff has received classroom training for FLEX strategies, which included the use of the portable DGs.

5.0 REGULATORY EVALUATION

5.1 Applicable Regulatory Requirements Relevant elements of NRC requirements, as well as a brief overview of PVNGS design features related to those requirements, are described below, with the NRC requirement identified first, followed by the related PVNGS design features in italics. The regulations in 10 CFR 50.36(c)(2)(ii)(B), Limiting conditions for operation, state: Criterion 2. A process variable, design feature, or operating restriction that is an initial condition of a design basis accident or transient analysis that either assumes the failure of or presents a challenge to the integrity of a fission product barrier. Technical Specification (TS) 3.8.1 currently meets this requirement and will continue to meet this requirement after the proposed one-time change is approved and implemented. The DGs act to mitigate the consequences of design basis accidents that assume a loss of offsite power. For that purpose, redundant DGs are provided to protect against a single-failure. During the current TS 10-day required action completion time, an operating unit is allowed by the TS to remove one of the DGs from service, thereby losing this single-failure protection. This operating condition is considered acceptable for a limited period of Description and Assessment of Proposed License Amendment 10 time and is in conformance with 10 CFR 50.36(c)(2)(i), which authorizes licensees to "follow any remedial action permitted by the technical specifications until the [limiting conditions for operation (LCO)] condition can be met." General Design Criterion (GDC) 17 of Appendix A of 10CFR50 for Electric Power Systems defines design requirements. It does not specify operating requirements or stipulate operational restrictions regarding the loss of offsite power sources. With the implementation of the proposed change, PVNGS Unit 3 will continue to meet the applicable design criteria. The proposed change is a one-time extension to the TS required action completion time. It does not affect the design basis of the plant. In addition, PVNGS Unit 3 will remain within the scope of the TS LCO 3.8.1 and is still subject to the requirements of the action statements as governed by 10 CFR 50.36. PVNGS Unit 3 meets the requirements of GDC 17 (Reference 6). The design of the on-site power source is not changed by the extension of the required action completion time and compliance with the GDC is not affected. The proposed change to extend the completion time does not alter the design basis for loss of all alternating current power governed by 10CFR50.63, Loss of all alternating current power (Station Blackout Rule). In addition, although the normal design of PVNGS Unit 3 is an alternate AC plant, the plant meets the requirements for a 16-hour coping plant, which is unchanged by this LAR. The proposed change to extend the TS required action completion time is consistent with the criteria of RG 1.160 and 10 CFR 50.65, Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants (Maintenance Rule). The regulations in 10 CFR 50.91(a)(5), provide the following allowances for issuance of an emergency license amendment: "(5) Where the Commission finds that an emergency situation exists, in that failure to act in a timely way would result in derating or shutdown of a nuclear power plant, or in prevention of either resumption of operation or of increase in power output up to the plant's licensed power level, it may issue a license amendment involving no significant hazards consideration without prior notice and opportunity for a hearing or for public comment-" The proposed change is required due to an emergent equipment failure and is necessary to prevent shutdown of PVNGS Unit 3. The change is needed sooner than can be issued under exigent circumstances and this license amendment request is timely considering the unplanned nature of the DG failure. 5.2 Precedent The proposed license amendment was developed using relevant information from an approved change (Reference 13) at another nuclear station.

Description and Assessment of Proposed License Amendment 11 5.3 No Significant Hazards Consideration As required by 10 CFR 50.91(a), Notice for Public Comment, an analysis of the issue of no significant hazards consideration using the standards in 10 CFR 50.92, Issuance of Amendment, is presented below: 1. Does the proposed amendment involve a significant increase in the probability or consequences of an accident previously evaluated? Response: No. The proposed change is a deterministic one-time extension of the Unit 3 B train Diesel Generator TS completion time from 10 days to 21 days. The PVNGS Unit 3 B train emergency diesel generator (DG) provides onsite electrical power to vital systems should offsite electrical power be interrupted. It is not an initiator to any accident previously evaluated. Therefore, this extended period of operation with the B train DG out-of-service will not increase the probability of an accident previously evaluated. The DGs act to mitigate the consequences of design basis accidents that assume a loss of offsite power. For that purpose, redundant DGs are provided to protect against a single-failure and the consequences of a loss of offsite power have already been evaluated. During the current Technical Specification (TS) 10-day required action completion time, an operating unit is allowed by the TS to remove one of the DGs from service, thereby losing this single-failure protection. This operating condition is considered acceptable. The consequences of a design basis accident coincident with a failure of the redundant DG during the proposed extended completion time are the same as those during the existing 10-day TS completion time. Therefore, during the period of the proposed extended required action completion time, there is no significant increase in the consequences of an accident previously evaluated. Therefore, the proposed change will not involve a significant increase in the probability or consequences of an accident previously evaluated. 2. Does the proposed amendment create the possibility of a new or different kind of accident from any accident previously evaluated? Response: No. The proposed change is a deterministic one-time extension of the Unit 3 B train DG TS completion time from 10 days to 21 days. The PVNGS Unit 3 B train emergency DG provides onsite electrical power to vital systems should offsite electrical power be interrupted. There are no new failure modes or mechanisms created due to plant operation for the extended period to collect and analyze data of the PVNGS Unit 3 B train DG. Extended operation with an inoperable DG does not involve any modification in the operational limits or physical design of existing plant systems. There are no new accident precursors generated due to the extended required action completion time. Description and Assessment of Proposed License Amendment 12 Therefore, the proposed change does not create the possibility of a new or different kind of accident from any accident previously evaluated. 3. Does the proposed amendment involve a significant reduction in a margin of safety? Response: No. The proposed change is a deterministic one-time extension of the Unit 3 B Diesel Generator TS completion time from 10 days to 21 days. The PVNGS Unit 3 B train emergency diesel generator (DG) provides onsite electrical power to vital systems should offsite electrical power be interrupted. During the extended completion time, sufficient compensatory measures including supplemental power sources have been established to maintain the defense-in-depth design philosophy to ensure the electrical power system meets its design safety function. The supplemental source has the capacity to bring the unit to cold shutdown in case of a loss of offsite power concurrent with a single failure during plant operation. Therefore, the proposed change does not involve a significant reduction in a margin of safety as defined in the basis for any TS. 5.4 Conclusion APS concludes that operation of the facility in accordance with the proposed amendment does not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of "no significant hazards consideration" is justified. Based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or the health and safety of the public.

6.0 ENVIRONMENTAL CONSIDERATION

A review has determined that the proposed amendment would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20, Standards for Protection Against Radiation. However, the proposed amendment does not involve (i) a significant hazards consideration, (ii) a significant change in the types or a significant increase in the amounts of any effluents that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the proposed amendment meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendment.

Description and Assessment of Proposed License Amendment 13

7.0 REFERENCES

1. Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 2, dated March 2009 2. Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 2, dated April 2015 3. Regulatory Guide 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, Revision 1, dated May 2011 4. Regulatory Guide 1.160, Monitoring the Effectiveness of Maintenance at Nuclear Power Plants, Revision 3, dated May 2012 5. NUREG-0800, Branch Technical Position (BTP) 8-8, Onsite (Emergency Diesel Generators) and Offsite Power Sources Allowed Outage Time Extensions, dated February 2012 6. 10 CFR 50, Appendix A, General Design Criterion 17, Electric Power Systems 7. IEEE 308, Institute of Electric and Electronic Engineers, Standard Criteria for Class 1E Electric Systems for Nuclear Power Generating Stations, 1971 8. IEEE 279, Institute of Electric and Electronic Engineers, Criteria for Protection Systems for Nuclear Power Generating Stations, 1971 9. APS letter 102-05370, Revised Station Blackout (SBO) Evaluation, dated October 28, 2005, (ADAMS Accession Number ML061720037) 10. APS letter 102-05465, Response to NRC Request for Additional Information (RAI) Regarding Revised Station Blackout Evaluation, dated April 19, 2006, (ADAMS Accession Number ML061160289) 11. Regulatory Guide 1.155, Station Blackout, Revision 0, dated August 1988 12. NUMARC 87-00, Nuclear Management and Resources Council, "Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors, dated November 1987 13. NRC Letter dated February 24, 2015, Comanche Peak, Units 1 and 2 --- Issuance of Amendments RE: Revision to Technical Specification 3.8.1 "AC Sources - Operating," For a 14-Day Completion Time for Offsite Circuits (ADAMS Accession Number ML15008A33) Description and Assessment of Proposed License Amendment ATTACHMENT 1 Marked-up Technical Specifications Page 3.8.1-3 AC Sources ~ Operating 3.8.1 PALO VERDE UNITS 1,2,3 3.8.1-3 AMENDMENT NO. 197, ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME B. (continued) B.4 Restore DG to OPERABLE status. -------NOTE------ For the Unit 3 Train B DG failure on December 15, 2016, restore the inoperable DG to OPERABLE status within 21 days. ------------------ 10 days C. Two required offsite circuits inoperable. C.1 Declare required feature(s) inoperable when its redundant required feature(s) is inoperable. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from discovery of Condition C concurrent with inoperability of redundant required feature(s) AND C.2 Restore one required offsite circuit to OPERABLE status. 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (continued) Description and Assessment of Proposed License Amendment ATTACHMENT 2 Revised Technical Specifications Page (Clean Copy) 3.8.1-3 AC Sources ~ Operating 3.8.1 PALO VERDE UNITS 1,2,3 3.8.1-3 AMENDMENT NO. 197, ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME B. (continued) B.4 Restore DG to OPERABLE status. -------NOTE------ For the Unit 3 Train B DG failure on December 15, 2016, restore the inoperable DG to OPERABLE status within 21 days.

10 days C. Two required offsite circuits inoperable. C.1 Declare required feature(s) inoperable when its redundant required feature(s) is inoperable. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from discovery of Condition C concurrent with inoperability of redundant required feature(s) AND C.2 Restore one required offsite circuit to OPERABLE status. 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (continued) Description and Assessment of Proposed License Amendment 1 ATTACHMENT 3 Compensatory Measures 1. The redundant train A DG (along with all of its required systems, subsystems, trains, components, and devices) will be verified OPERABLE (as required by Technical Specification) and no discretionary maintenance activities will be scheduled on the redundant (OPERABLE) DG. 2. No discretionary maintenance activities will be scheduled on the SBOGs. 3. No discretionary maintenance activities will be scheduled on the startup transformers. 4. No discretionary maintenance activities will be scheduled in the Salt River Project (SRP) switchyard or the unit's 13.8 kV power supply lines and transformers which could cause a line outage or challenge offsite power availability to the unit utilizing the extended DG completion time. 5. All activity, including access, in the SRP switchyard shall be closely monitored and controlled. 6. The SBOGs will not be used for non-safety functions (i.e., power peaking to the grid). 7. All maintenance activities associated with Unit 3 will be assessed and managed per 10 CFR 50.65(a)(4) (Maintenance Rule). Planned work will be controlled during the extended completion time so that Unit 3 does not voluntarily enter a YELLOW Risk Management Action Level. 8. The OPERABILITY of the steam driven auxiliary feedwater pump will be verified before entering the extended DG completion time. 9. The system dispatcher will be contacted once per day and informed of the DG status, along with the power needs of the facility. 10. Should a severe weather warning be issued for the local area that could affect the SRP switchyard or the offsite power supply during the extended DG completion time, an operator will be available locally at the SBOG should local operation of the SBOG be required as a result of on-site weather related damage. 11. No discretionary maintenance will be allowed on the main and unit auxiliary transformers associated with the unit. 12. APS has provided three portable diesel generators to ensure the ability to bring Unit 3 to cold shutdown in the event of a LOOP during the extended time period that the Unit 3 train B DG is inoperable. The three portable diesel generators operate in parallel as a set. The result is that the three portable diesel generators are sufficient to enable a cold shutdown of Unit 3 in the event of a LOOP with a single failure during the extended time period while the Unit 3 train B DG is inoperable. The three portable diesel generators are deployed and physically connected to the Unit 3 train B 4.16 kV AC FLEX connection box for the duration of the extended DG completion time 13. A diesel-driven FLEX SG Makeup Pump is deployed to its FLEX pad at Unit 3 for the duration of the extended DG completion time. 14. The following equipment will be protected by signage/chains for the duration of the extended completion time to prevent inadvertent impact from walkdowns, inspections, maintenance and potential for transient combustible fires: a. Both SBOGs b. Unit 3 train A DG Description and Assessment of Proposed License Amendment 2 c. Unit 3 train A Engineered Safety Features (ESF) Switchgear, DC equipment and DC Battery Rooms d. Three AC portable diesel generators deployed at Unit 3 and their connections to the train B FLEX 4.16 kV AC connection box e. Diesel-driven FLEX SG Makeup Pump deployed at Unit 3 f. Turbine driven auxiliary feedwater pump Description and Assessment of Proposed License Amendment 1 ATTACHMENT 4 Cold Shutdown Load Summary Load Breakdown Load Description KW LOP/FS (LOOP) 1ENHND20load 120/240 AC DISTRIBUTION PANEL 18.74 1ENNBV14 SINGLE PHASE VOLTAGE REGULATING TRANSFORMER 22.58 1ENNNV18 SINGLE PHASE VOLTAGE REGULATING TRANSFORMER 16.89 1ENQNN01C2 PLANT COMPUTER MONITORING SYSTEM DIST PNL TRANSFER SWITCH 37.35 1EPHBD32load 120/240 AC DISTRIBUTION PANEL 15.26 1EPHBD36load 120/240 AC DISTRIBUTION PANEL 9.6 1EPHBD38load 120/240 AC DISTRIBUTION PANEL 8.7 1EPKBH12 BATTERY CHARGER 36.27 1EPKBH16 BATTERY CHARGER (BACK-UP) 36.28 1EPKDH14 BATTERY CHARGER 17.93 1EPNBV26 SINGLE PHASE VOLTAGE REGULATING TRANSFORMER 16.48 1EPNDV28 SINGLE PHASE VOLTAGE REGULATING TRANSFORMER 9.39 1EQBBV02 SINGLE PHASE VOLTAGE REGULATING TRANSFORMER 23.3 1EQBND90 MAIN ESSENTIAL LIGHTING PANEL 108.67 1EQFNH13 COMM EQ CHARGER 3.87 1EQFNN01 COMM EQ UPS 9 1EQJNX05 CONDENSATE STORAGE TANK FREEZE PROTECTION TRANSFORMER 27.81 1EQMBV30 SINGLE PHASE REGULATING TRANSFORMER 5.87 1EQMNC06Aload RAD MONITOR RU141/142 HEAT TRACE CABINET 3.03 1EQMNX08B REFUELING TANK HEAT TRACING SECONDARY TRANSFORMER 26.46 Description and Assessment of Proposed License Amendment 2 Load Breakdown Load Description KW LOP/FS (LOOP) 1ESQND03load RADIATION MONITOR DISTRIBUTION PANEL FOR POST ACCIDENT MONITOR UNIT 4.69 1ESQND09load RADIATION MONITOR DISTRIBUTION PANEL 4.67 1JECBE02 ESSENTIAL CHILLER AUXILIARY POWER PANEL 2.92 1JSQBRE145 FUEL BUILDING RADIATION MONITOR 1.4 1JSQBRE146 FUEL BUILDING RADIATION MONITOR 1.4 1JSQBRU01 CONTAINMENT BUILDING RADIATION MONITOR BLOWER MOTOR 1.4 1JSQBRU30 CONTROL ROOM RADIATION MONITOR BLOWER MOTOR 1.4 1JSQBRU34 CONTAINMENT BUILDING REFUEL RADIATION MONITOR BLOWER MOTOR 1.4 1JSQNRE143 PLANT VENT LOW RADIATION MONITOR BLOWER MOTOR 0.47 1JSQNRE144 PLANT VENT HIGH RADIATION MONITOR BLOWER MOTOR 0.47 1MAFBP01 AUXILIARY FEEDWATER PUMP 948.85 1MCHBP01 CHARGING PUMP 64.48 1MCHEP01 CHARGING PUMP 64.48 1MCTBP01 CONDENSATE TRANSFER PUMP 3.18 1MDFBP01 DIESEL GENERATOR FUEL OIL TRANSFER PUMP 1.72 1MECBE01 ESSENTIAL CHILLER 427.79 1MECBP01 ESSENTIAL CHILLED WATER PUMP 13.48 1MECBP10 ESSENTIAL CHILLER B OIL PUMP MOTOR 1.35 1MEWBP01 ESSENTIAL COOLING WATER SYSTEM PUMP 543.28 1MHABZ02 AUXILIARY BUILDING LPSI PUMP ROOM ESSENTIAL AIR CONTROL UNIT 1.21 Description and Assessment of Proposed License Amendment 3 Load Breakdown Load Description KW LOP/FS (LOOP) 1MHABZ04 AUXILIARY FEEDWATER PUMP ROOM ESSENTIAL AIR CONTROL UNIT 2.85 1MHABZ05 AUX BUILDING ESSENTIAL COOLING WATERPUMP ROOM ESSENTIAL AIR CONTROL UNIT 1.62 1MHCNA01B CONTAINMENT BUILDING NORMAL AIR CONTROL UNIT 116.2 1MHCNA01D CONTAINMENT BUILDING NORMAL AIR CONTROL UNIT 116.2 1MHCNA02B CONTAINMENT BUILDING CEDM NORMAL AIR CONTROL UNIT 155.13 1MHCNA02D CONTAINMENT BUILDING CEDM NORMAL AIR CONTROL UNIT 155.13 1MHCNA03B CONTAINMENT BUILDING REACTOR CAVITY NORMAL COOLING FAN 33.65 1MHCNA03D CONTAINMENT BUILDING REACTOR CAVITY NORMAL COOLING FAN 33.65 1MHCNA06B CONTAINMENT BUILDING PRESSURIZER NORMAL COOLING FAN 8.68 1MHDBA01 DIESEL GENERATOR BUILDING CONTROL ROOM ESSENTIAL AIR HANDLING UNIT 12.95 1MHDBJ01 DIESEL GENERATOR BUILDING GENERATOR ROOM ESSENTIAL EXHAUST FAN 82.2 1MHJBF04 CONTROL ROOM ESSENTIAL AIR FILTER 92.01 1MHJBJ01A CONTROL BUILDING BATTERY ROOM D ESSENTIAL EXHAUST FAN 0.34 1MHJBJ01B CONTROL BUILDING BATTERY ROOM B ESSENTIAL EXHAUST FAN 0.34 1MHJBZ03 CONTROL BUILDING ESF SWITCHGEAR ESSENTIAL AIR HANDLING UNIT 4.77 Description and Assessment of Proposed License Amendment 4 Load Breakdown Load Description KW LOP/FS (LOOP) 1MHJBZ04 CONTROL BUILDING ESF EQUIPMENT ESSENTIAL AIR HANDLING UNIT 5.69 1MHSBJ01 SPRAY POND PUMP HOUSE EXHAUST FAN 8.59 1MPCBP01 FUEL POOL COOLING PUMP 2 55.83 1MRCEA05 PRESSURIZER BACKUP HEATER (FROM CLASS 1E BUS) 58.15 1MRCEA16 PRESSURIZER BACKUP HEATER (FROM CLASS 1E BUS) 58.15 1MRCEB10 PRESSURIZER BACKUP HEATER (FROM CLASS 1E BUS) 58.15 1MSIBP01 LOW PRESSURE SAFETY INJECTION PUMP 2 418.37 1MSPBP01 ESSENTIAL SPRAY POND PUMP 471.88 Load Total 4494.05 Gen Description Total KW LOP/FS (LOOP) 1EPEBG02 (value includes additional losses in cables/transformers) EMERGENCY DIESEL GENERATOR 4538.38 Portable Diesel Generators COMBINED OUTPUT CAPACITY 4800.00 ATTACHMENT 5 Commitments to Control Station Activities APS makes the following regulatory commitments: 1. The system load dispatcher will be contacted once per day to ensure no significant grid perturbations (high grid loading unable to withstand a single contingency of line or generation outage) are expected during the extended allowed outage time. 2. Component testing or maintenance of safety systems and important non-safety equipment in the offsite power systems that can increase the likelihood of a plant transient (unit trip) or LOOP will be avoided. 3. Discretionary work will be prohibited in the SRP switchyard during the extended Unit 3 train B DG TS 3.8.1 Condition B required action completion time. 4. TS required systems, subsystems, trains, components, and devices that depend on the remaining power sources will be verified to be operable and positive measures will be provided to preclude subsequent testing or maintenance activities on these systems, subsystems, trains, components, and devices. 5. Steam-driven emergency feed water pump will be controlled as protected equipment. 6. Within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> following unavailability of a portable DG, Unit 3 will enter TS condition 3.8.1.H to place the unit in Mode 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. 7. Availability of the portable DGs will be verified once per shift. 8. Approval of transient combustibles and hot work in Unit 3 will be controlled by the outage control center (OCC). 9. There will be an OCC position responsible for oversight and monitoring of the compensatory measures of Attachment 3 and the actions described in this attachment.

Reference:

1. RCTSAI 4848165 Risk Insights Related to One-Time Extended Completion Time Enclosure 2 Risk Insights Related to One-Time Extended Completion Time Risk Insights Related to One-Time Extended Completion Time i TABLE OF CONTENTS 1.0 Introduction 2.0 Evaluation of Risk Impacts 2.1 Tier 1: Probabilistic Risk Assessment Capability and Insights 2.2 Tier 2: Avoidance of Risk Significant Plant Configurations 2.3 Tier 2: Risk Informed Configuration Management 3.0 References ATTACHMENTS 1. Status of Plant Modifications and Evaluations Credited in the PRA 2. Unit 3 Baseline Average Annual CDF/LERF 3. ICCDP and ICLERP for One-Time Technical Specification Change 4. Internal Events PRA Peer Review A and B Level Findings 5. Internal Events PRA Self-Assessment of ASME SRs Not Met to Capability Category II 6. Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II 7. Seismic PRA Peer Review ASME SRs Not Met to Capability Category II 8. Internal Fire PRA Peer Review ASME SRs Not Met to Capability Category II 9. External Hazards Screening 10. Progressive Screening Approach for Addressing External Hazards 11. Disposition of Key Assumptions/Sources of Uncertainty Risk Insights Related to One-Time Extended Completion Time 1

1.0 INTRODUCTION

The risk associated with extending the PVNGS Unit 3 one-time Technical Specification 3.8.1 Condition B.4 completion time for the Unit 3 train B DG from the current 10 days to 21 days has been evaluated with a PRA model that meets all scope and quality requirements in RG 1.200, Revision 2 (Reference 1) to Capability Category II. This plant-specific risk assessment followed the guidance in RG 1.177, Revision 1 (Reference 11). 2.0 EVALUATION OF RISK IMPACTS 2.1 Tier 1: Probabilistic Risk Assessment Capability and Insights The CDF and LERF contributions from the PRA models are provided in Attachment 2. The total CDF and LERF meet the NRC RG 1.174, Revision 2 (Reference 10) acceptance criteria for risk-informed licensing changes (i.e., CDF less than 1E-4 per year and LERF less than 1E-5 per year). The risk impact associated with a one-time extension is provided in Attachment 3 and meets the acceptance criteria in RG 1.177, Revision 1 (Reference 11) where compensatory measures are implemented to reduce the sources of increased risk. In the risk impact evaluation, the common cause failure probability term for both DGs failing to run was adjusted from its nominal value to the alpha common cause factor (i.e., an increase in probability of 7.6) to account for the increased potential for the train A DG to fail until the extent of condition analysis can conclude that the train A DG is not susceptible to the same failure cause as the train B DG. Compensatory measures such as deployed temporary or FLEX equipment has not been credited in the quantitative risk assessment. 2.2 Tier 2: Avoidance of Risk Significant Plant Configurations PVNGS plant risk associated with the proposed extended Unit 3 train B DG completion time is determined from RG 1.200, Revision 2 Capability Category II compliant PRA models for internal events, internal flooding, seismic, and internal fires. Associated actions to avoid or respond to these events through function of onsite emergency backup power supplies, and inclusion of additional onsite emergency power are discussed in Tier 3 information below. The dominant risk scenarios associated with unavailability of Train B DG include: ~ Loss of offsite power (i.e., grid, switchyard, or transformer failure) ~ Long term seismic induced loss of offsite power ~ Fires in the Unit 3 Non-Class Switchgear, Engineered Safety Features (ESF) Switchgear, DC equipment and DC Battery Rooms Main Control Room, and Auxiliary Building West and East Corridors and Electrical Chases The dominant impact of all the above scenarios on critical safety functions is the loss of heat removal from the Steam Generators due to failure of all the auxiliary feedwater pumps or loss of power to those pumps. Random or induced loss of coolant accidents are not a dominant contributor to risk at PVNGS due to use of low leakage Reactor Coolant Pump seals (Reference 12). Risk Insights Related to One-Time Extended Completion Time 2 The PRA analysis assumes that other risk significant plant equipment outage configurations will not occur during the extended completion time period by prohibiting elective maintenance on other PRA risk significant plant equipment and avoiding other activities that could challenge unit operation or cause fires in risk significant areas. In addition, adverse weather such as extreme heat, extreme thunderstorms, icing or tornadoes are not assumed likely based on historical evidence during the period of this extended completion time due to Palo Verde's location in the southwestern Sonoran Desert. The Tier 3 compensatory actions mitigate additional plant risk due to events beyond that associated with Unit 3 train B DG unavailability represented in the ICCDP and ICLERP values furnished in the Tier 1 discussion above. 2.3 Tier 3: Risk Informed Configuration Management Risk would also be managed during the extended completion time via the Maintenance Rule 10 CFR 50.65(a)(4) Configuration Risk Management Program, which has been reviewed in prior risk-informed Technical Specification change requests (e.g., Reference 7). Technical Adequacy of the PRA The following sections demonstrate that the quality and level of detail of the PRA model used in the requested change meet NRC requirements in NRC RG 1.200 Revision 2 (Reference 1). Attachment 1 provides the status of plant modifications and evaluations credited in the PRA models, which all have been completed for Unit 3. All the PRA models described below have been peer reviewed and there are no PRA upgrades that have not been peer reviewed. The findings and dispositions from the peer reviews impacting PRA technical quality are described in Attachments 4 through 8. Included in these Attachments are the Facts and Observations (F&Os) from the indicated peer reviews impacting PRA quality, and do not include F&Os describing optional suggestions or industry best practices. The peer review finding dispositions show all peer review findings to be closed by APS, which indicates they have been resolved by APS and meet the associated ASME PRA Standard (Reference

9) supporting requirements to Capability Category II. Thus, all the PRA models described herein comply with all scope and quality Capability Category II supporting requirements per RG 1.200 Revision 2 (Reference 1).

The PRA models credited in this request are the same PRA models credited in the Risk-Informed Completion Time application dated July 31, 2015 (Reference 3). All the plant modifications and evaluations referenced in that application have been completed in Unit 3. The field routed cable routing differences between the three PVNGS units impacting the fire PRA model were resolved by creating one bounding fire PRA model that reflects the most limiting cable routing from each of the three units for each fire area. The breaker coordination issues associated with fire events described in the Risk-Informed Completion Time application were resolved by analysis with no plant modifications or procedure changes required at any of the three units. A PRA model update is in process for these models and insights are available from the updated inputs to the model (e.g., updated reliability, availability and initiating event data) to support the conclusion that the PRA model reflects the as-built, as-operated plant. All pending changes to these PRA models (e.g., design changes, procedure changes, corrective actions) have been reviewed for individual and Risk Insights Related to One-Time Extended Completion Time 3 aggregate impact on this evaluation and determined not to impact the conclusions of the evaluation (i.e., RG 1.174 and RG 1.177 acceptance criteria remain met). Internal Events and Internal Flooding Hazards This one-time Technical Specification change evaluation for the internal events and internal flooding hazards uses peer reviewed plant-specific Internal Events and Internal Flooding PRA models in accordance with RG 1.200, Revision 2 (Reference 1). The APS risk management process ensures that the PRA model used in this application reflects the as-built and as-operated plant for each of the PVNGS units. The Internal Events PRA model was peer reviewed in 1999 by the Combustion Engineering Owners Group (CEOG) prior to the issuance of Regulatory Guide 1.200. As a result, a self-assessment was conducted by APS of the Internal Events PRA model in accordance with Appendix B of RG 1.200, Revision 2 (Reference 1) to address the PRA quality requirements not considered in the CEOG peer review. The Internal Events PRA quality (including the CEOG peer review and self-assessment results) has previously been reviewed by the NRC in requests to extend the Inverter Technical Specification Completion Time dated September 28, 2009 (Reference 7) and to implement TSTF-425 Risk-Informed Surveillance Frequency Control Program dated March 3, 2011 (Reference 8). No PRA upgrades as defined by the ASME PRA Standard RA-Sa-2009 (Reference 9) have occurred to the Internal Events PRA model since conduct of the CEOG peer review in 1999. Attachment 2 of this enclosure identifies the Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) for the Internal Events and Internal Flooding PRA models. Attachment 4 provides the status of A and B level findings from the CEOG peer review of the Internal Events PRA model conducted in accordance with NEI 00-02 (Reference 2). Attachment 5 provides the status of supporting requirements (SRs) not met to Capability Category II from the APS self-assessment of the Internal Events PRA model conducted in accordance with Appendix B of RG 1.200, Revision 2 (Reference 1). Attachment 6 provides the status of findings associated with supporting requirements determined not met to Capability Category II from a peer review of the Internal Flooding PRA conducted in accordance with RG 1.200, Revision 2 (Reference 1). All these findings have been closed by APS dispositions. Fire Hazards The one-time Technical Specification change evaluation of fire hazards will use a peer reviewed plant-specific Fire PRA model in accordance with RG 1.200, Revision 2 (Reference 1). The Fire PRA model is consistent with NUREG/CR-6850 (Reference 4) methodology with no exceptions. The APS risk management process ensures that the PRA model used in this application reflects the as-built and as-operated plant for each of the PVNGS units. Attachment 2 of this enclosure identifies the CDF and LERF for the Fire PRA model. Attachment 8 of this enclosure provides the status of findings associated with supporting requirements (SRs) for the internal fire PRA determined not met to Capability Category II from peer reviews conducted in accordance with RG 1.200, Revision 2 (Reference 1). All of these findings have been closed by APS dispositions.

Risk Insights Related to One-Time Extended Completion Time 4 Seismic Hazards The one-time Technical Specification change evaluation for seismic hazards will use a peer reviewed plant-specific seismic PRA model in accordance with RG 1.200, Revision 2 (Reference 1). The APS risk management process ensures that the PRA model used in this application reflects the as-built and as-operated plant for each of the PVNGS units. Attachment 2 of this enclosure identifies the CDF and LERF for the Seismic PRA model. Attachment 7 of this enclosure provides the status of findings associated with SRs for the seismic PRA determined not met to Capability Category II from a peer review conducted in accordance with RG 1.200, Revision 2 (Reference 1). All these findings have been closed by APS dispositions. Other External Hazards All other external Hazards were screened for applicability to PVNGS per a peer reviewed plant-specific evaluation in accordance with RG 1.200, Revision 2 (Reference 1). There were no findings from the peer review. Attachment 9 of this enclosure provides a summary of the other external hazards screening results. Attachment 10 of this enclosure provides a summary of the progressive screening approach for external hazards. PRA Uncertainty Evaluations Sources of model uncertainty and related assumptions have been identified for the PVNGS PRA models using the guidance of NUREG-1855 (Reference 5) and EPRI TR-1016737 Treatment of Parameter and Model Uncertainty for Probabilistic Risk Assessment (Reference 6).

The detailed process of identifying, characterizing and qualitative screening of model uncertainties is found in Section 5.3 of NUREG-1855 (Reference 5) and Section 3.1.1 of EPRI TR-1016737 (Reference 6). The process in these references was mostly developed to evaluate the uncertainties associated with the internal events PRA model; however, the approach can be applied to other types of hazard groups. The list of assumptions and sources of uncertainty were reviewed to identify those which would be significant for the evaluation of this application. If the PVNGS PRA model used a non-conservative treatment, or methods which are not commonly accepted, the underlying assumption or source of uncertainty was reviewed to determine its impact on this application. Only those assumptions or sources of uncertainty that could significantly impact the configuration risk calculations were considered key for this application.

The PVNGS PRA models do not contain any recovery action or recovery factor for failed emergency DGs. Key PVNGS PRA model specific assumptions and sources of uncertainty for this application are identified and dispositioned in Attachment 11. The conclusion of this review is that no additional sensitivity analyses are required to address PVNGS PRA model specific assumptions or sources of uncertainty for this application. Risk Insights Related to One-Time Extended Completion Time 5

3.0 REFERENCES

1. Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 2, dated March 2009 2. NEI 00-02, Probabilistic Risk Assessment (PRA) Peer Review Process Guidance, Nuclear Energy Institute, dated 2000 3. License Amendment Request to Revise Technical Specifications to implement Risk Informed Completion Time (ADAMS Accession Number ML15218A300) dated July 31, 2015 4. NUREG/CR-6850, EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities, dated September 2005 5. NUREG-1855, Guidance on the Treatment of Uncertainties Associated with PRAs in Risk- Informed Decision Making, dated March 2009 6. EPRI TR-1016737, Treatment of Parameter and Model Uncertainty for Probabilistic Risk Assessments, dated December 2008 7. Palo Verde Nuclear Generating Station, Units 1, 2, and 3, Issuance of Amendments Re: Changes To Technical Specification 3.8.7, "Inverters-Operating" (ADAMS Accession Number ML102670352) dated September 29, 2010 8. Palo Verde Nuclear Generating Station, Units 1, 2, and 3, Issuance Of Amendments Re: Adoption of TSTF-425, Revision 3, "Relocate Surveillance Frequencies To Licensee Control RITSTF Initiative 5b" (ADAMS Accession Number ML112620293) dated December 15, 2011 9. ASME/ANS RA-Sa-2009, Standard for Level l/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, Addendum A to RAS- 2008, ASME, New York, NY, American Nuclear Society, La Grange Park, Illinois, dated February 2009 10. Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk- Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 2, dated April 2015. 11. Regulatory Guide 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, Revision 1, dated May 2011. 12. WCAP-16175-P-A, Model for Failure of RCP Seals Given Loss of Seal Cooling in CE NSSS Plants, Revision 0, March 2007 Risk Insights Related to One-Time Extended Completion Time 1 ATTACHMENT 1 Status of Plant Modifications and Evaluations Credited in the PRA The PRA model used for determining the risk associated with the one-time extension of the Diesel Generator completion time due to the failure of the Unit 3 B Diesel Generator on December 15, 2016, credits the following modifications to achieve an overall CDF and LERF consistent with NRC Regulatory Guide 1.174 risk limits. The following table provides an updated status for Unit 3 as compared to the table provided in the License Amendment Request to allow risk informed completion times (ADAMS Accession Number ML15218A300). Plant Modification/Evaluation Status Install fuses in Control Room DC ammeter circuits to prevent secondary fires due to multiple fire induced faults. Complete Install fuses in non-class DC motor circuits to prevent secondary fires due to multiple fire induced faults. Complete Replace RCP control cables with one-hour fire rated cables. Complete Install an additional Steam Generator makeup capability to reduce Internal Fire PRA risk. Complete Implement recovery procedures for breaker coordination on class and non-class motor control centers/distribution panels that impact risk significant functions in the Internal Fire PRA. Not required. No plant modifications or procedure changes were required to resolve breaker coordination issues. Supporting requirements of ASME/ANS RA-Sa-2009 SY-C1 and SY-C2 shall be fully met at Capability Category II prior to use of the RICT Program. Complete Validate that the Unit 1 Internal Fire PRA model is bounding for Units 2 and 3 to reflect field-routed cabling or create unit-specific internal fire models for Units 2 and 3 prior to use of the RICT Program at Units 2 and 3. Complete. The Unit 1 internal fire PRA model was adjusted to reflect a bounding evaluation of field-routed cabling for all three units. Risk Insights Related to One-Time Extended Completion Time 1 ATTACHMENT 2 Unit 3 Baseline Average Annual CDF/LERF Hazard CDF (per year) LERF (per year) Internal events 1.3E-6 4.3E-8 Internal flooding 4.3E-7 1.9E-8 Seismic 2.8E-5 5.3E-6 Internal Fire 2.7E-5 2.0E-6 Total 5.7E-51 7.4E-62 Notes: 1. Total CDF meets the RG 1.174 acceptance criteria of < 1E-4 per year 2. Total LERF meets the RG 1.174 acceptance criteria of < 1E-5 per year

References:

1. Regulatory Guide 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, Revision 2, dated April 2015. Risk Insights Related to One-Time Extended Completion Time 1 ATTACHMENT 3 ICCDP and ICLERP for One-Time Technical Specification Change Hazard ICCDF (per year) ICCDP (21 days) ICLERF (per year) ICLERP (21 days) Internal events 1.2E-6 6.9E-8 5.5E-8 3.2E-9 Internal flooding 1.0E-9 5.8E-11 1.0E-9 5.8E-11 Seismic 3.0E-5 1.7E-6 1.6E-6 9.2E-8 Internal Fire 1.1E-4 6.2E-6 2.8E-6 1.6E-7 Total 1.4E-4 7.9E-61 4.5E-6 2.6E-72 Notes: 1. Total ICCDP meets the RG 1.177 acceptance criteria of < 1E-5 with compensatory measures not credited in the quantitative risk evaluation 2. Total ICLERP meets the RG 1.177 acceptance criteria of < 1E-6 with compensatory measures not credited in the quantitative risk evaluation

References:

1. Regulatory Guide 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, Revision 1, dated May 2011. Risk Insights Related to One-Time Extended Completion Time 1 ATTACHMENT 4 Internal Events PRA Peer Review A and B Level Findings Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation ID Sub-Element(s) Level Status Finding(s) Disposition SY-10 SY-20 A Closed Demand failures of batteries are not considered (i.e., if there is a demand for direct current (DC), battery failure is more likely). Only charger failures, bus faults, circuit breaker failures, battery faults, maintenance and failure to restore after maintenance are modeled. The finding has been resolved and closed by an update of the PRA model. Demand failure of batteries has been added to the model. DA-04 DA-8 A Closed The following common cause factors are significantly lower than Idaho National Engineering Environmental Laboratory (INEEL) recommended values: pumps gamma and delta factors, emergency diesel generator failure to start beta, and auxiliary feedwater (AFW) pumps failure to run beta generic pumps - beta. Note: these are based on generic sources, therefore there is a concern that the values are significantly different from INEEL generic data. A sensitivity evaluation was performed which put these values to those similar to INEEL recommended values caused a CDF increase of approximately 7%. The finding has been resolved and closed by an update of the PRA model. The PRA model common cause factors have been revised consistent with the NRC common cause database. DE-07 DE-7 A Closed In general, human actions across systems appear to treat dependency appropriately. There are some cases where dependencies across systems are not properly addressed. RE-AFA-LOCAL is used redundantly to 1ALFW-2HRS-HR in sequences 7634, 14966, etc. (per PRA Study, 13-NS-C29 Rev. 3, PRA Change Documentation) per C-29 Rev. 3 The finding has been resolved and closed by an update of the PRA model. The PRA model human action dependencies across systems have been addressed. Risk Insights Related to One-Time Extended Completion Time 2 Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation ID Sub-Element(s) Level Status Finding(s) Disposition QU-03 QU-18, QU-19 A Closed Currently, RE-AFA-LOCAL is being used to recover 1AFAP01-TPAFS. This is a hardware failure basic event. An evaluation should be done to determine the fraction of the basic event that is recoverable. This appears in numerous sequences [e.g., 7830 & 14989 (per PRA Study 13-NS-C29 Rev.3, per C-29 Rev.3)]. The finding has been resolved and closed by an update of the PRA model. The PRA model recovery action for the AFA pump has been modified to appropriately consider the fraction of recoverable events. QU-04 QU-18, QU-19 A Closed Currently, RE-AFA-LOCAL is inappropriately being used to recover some Stuck Open Safety Valve (SOSV) events. The initial failure of the AFW Pump A causes a primary safety lift. The recovery of AFW Pump A would not prevent a lift. Therefore, RE-AFA-LOCAL should not be used when the primary safety valves lift. The finding has been resolved and closed by an update of the PRA model. The PRA model recovery has been removed from stuck open safety valve events. HR-04 HR-9 A Closed It was stated in the opening presentations that the operators would take manual control of the AFW flow path globe valves. This action is not modeled. The current model appears not to include any action to control flow with the exception of local manual control. The finding has been resolved and closed by an update of the PRA model. The PRA model now credits remote manual operation of the AFW flow path valves. SY-12 SY-18 A Closed Batteries C and D appear to have at least a 24-hour mission time prior to depletion. This results in instrumentation being available to adequately control AFW. The bases for the 24-hour mission time are not documented. The finding has been resolved and closed by an update of the PRA documentation. The basis for the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time is provided. Risk Insights Related to One-Time Extended Completion Time 3 Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation ID Sub-Element(s) Level Status Finding(s) Disposition HR-06 HR-20 A Closed The cycling of the AFW flow path globe and gate valves to maintain AFW flow is not modeled. The finding has been resolved and closed by an update of the PRA model. The PRA model now includes cycling of the AFW flow path valves. IE-7 IE-12 B Closed The Interfacing Systems Loss of Coolant Accident (ISLOCA) treatment for the shutdown cooling suction line appears to have some questionable assumptions. First, it is assumed that the Low Temperature Over Pressure (LTOP) valve would always open. While this is the most likely scenario, the LTOP valve can fail to open. Qualitative arguments were made that should this happen, the resulting LOCA would be inside containment (primarily based on relative pipe lengths). This ignores the fact that the high stress points and stress concentration points are outside containment. Furthermore, the shutdown cooling warmup crossover piping was not considered. The finding has been resolved and closed by an update of the PRA model which now includes failure of the LTOP valve to open and includes the shutdown cooling warm up crossover piping. IE-8 IE-5 B Closed Loss of multiple vital 125 VDC and loss of multiple vital 120VAC buses are not considered as initiators. The finding has been resolved and closed by an update of the PRA model which now includes loss of multiple vital 125 VDC and 120 VAC buses as initiators. Risk Insights Related to One-Time Extended Completion Time 4 Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation ID Sub-Element(s) Level Status Finding(s) Disposition AS-02 AS-04 B Closed A discussion of Reactor Vessel Rupture was not found. A fire PRA was not performed so accident sequences were not generated to capture the impact of a fire.

Also there does not appear to be coding of locations for basic events. (Fire-Induced Vulnerability Evaluation methodology was used to assess fire impact). Internal flooding is also not specifically included in the accident sequences and no spatial data appears to have been developed (same could be used for fire and flooding). Industry Degraded Core Rulemaking (IDCORE) methodology was used to perform flooding evaluation and this determined that there are no critical flooding areas. The finding has been resolved and closed by an update of the PRA model which now includes reactor vessel rupture event. Separate internal fire and internal flood models have subsequently been created to address the remainder of the finding. AS-5 AS-24 B Closed The Modular Accident Analysis Program (MAAP) analyses used to support timing for human actions look only at a selected set of parameters of interest and neglect to look at the status of other systems which may affect timing and/or success criteria. One particular example is that the Turbine Bypass System is assumed to always work when evaluating the time available for recovery of AFW. The finding has been resolved and closed by an update of the PRA model. Additional MAAP analyses have been performed and associated human reliability actions added to the PRA model to address the status of other systems which impact event timing. SY-02 SY-1 B Closed There is no document that specifies the content, requirements, and formatting for each system study.

This would aid external observers and newcomers in understanding the intent of the system analysis documentation. System studies have been updated to meet ASME SY-C1 and SY-C2 Capability Category II requirements. Risk Insights Related to One-Time Extended Completion Time 5 Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation ID Sub-Element(s) Level Status Finding(s) Disposition SY-03 SY-3 B Closed Many of the assumptions contained in the AFW analysis address plant phenomena, but contain no plant references. For example, AF024, states no significant diversion paths were identified. But no detailed discussion is provided. There are several piping taps from the condensate storage tank (CST). From a walkdown some of these taps occur high in the tank, while others associated with the condensate transfer pumps are low in the tank. It is not clear that potential diversions through the condensate transfer pumps have been examined. The drawings that illustrate the flow destination for the pumps are not referenced in the AFW system study: DGP-001, ECP-001, and EWP-001. It also appears that the assumptions themselves are not independently reviewed. As a result, the independent reviews of the system studies are not complete. Each individual assumption should have plant documentation and an independent review. The system study independent review would then only need to ensure that the assumption is applicable to and reflects the model itself. This appears to be what is done now, but without an independent review of the assumptions. The specific issue of AFW diversion flow paths has been addressed and documented. System studies have been updated to meet ASME SY-C1 and SY-C2 Capability Category II requirements. Risk Insights Related to One-Time Extended Completion Time 6 Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation ID Sub-Element(s) Level Status Finding(s) Disposition SY-05 SY-4 B Closed It is difficult to verify that the systems are in agreement with the as-built conditions. The current software is only capable of displaying a two by three portion of the fault tree. When attempting to verify the AFW system, only a sample of the fault tree was examined. From the portion examined no discrepancies were identified. There were no direct references between the fault tree supports and the plant drawings. For example the power supplies to the motor driven pumps are contained in the fault tree, but a plant drawing reference is not directly linked to this dependency. The back of the system study does provide a list of references, but the specific references are not linked to dependencies. Not only does this make review by outside personnel difficult, it makes internal independent reviews difficult as well. System studies have been updated to meet ASME SY-C1 and SY-C2 Capability Category II requirements. DA-01 DA-4 B Closed In quantifying the failure rate of the turbine driven AFW pump to start and run, failures were not considered based on modifications to prevent turbine overspeed trips due to excessive condensation in steam lines. That is, failures that occurred prior to 1995 (that were determined to be due to excessive condensation), were removed from consideration. A reduction in the impact of these failures would be more appropriate than eliminating these failures from consideration. The finding has been resolved and closed by an update of the PRA documentation. Sufficient plant operating experience has elapsed since this finding was provided to substantiate exclusion of condensate line overspeed events from the failure rate of the AFA pump. This evidence was documented as part of the data update. Risk Insights Related to One-Time Extended Completion Time 7 Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation ID Sub-Element(s) Level Status Finding(s) Disposition DA-02 DA-06 B Closed Currently for demanded components, the failure likelihood is assumed directly related to the surveillance interval. The equation used is 1-exp(-lambda*(interval)/2). This assumption is predicted on the assumption that the likelihood of failure on demand is purely proportional to the hourly failure likelihood. This is not necessarily true. Analysis should be done to ensure that the demand failure likelihoods are appropriately calculated. There are components of the demand failure rate that are not proportional to time such as shock and human errors. The finding has been resolved and closed by an update of the PRA documentation. This issue has been resolved by providing the requested evidence in the PRA documentation. DA-9 DA-9 B Closed When grouping components together for data, are component specific data differences reviewed. (i.e. are a disproportionate number of failures attributed to one component but spread out over several)? Also are the numbers of demands/run hrs comparable? The finding has been resolved and closed by an update of the PRA documentation. This issue has been resolved by considering component specific differences in the grouping of components. DA-07 DA-13 B Closed The NSAC document referenced in evaluating the loss of offsite power (LOP) frequency and duration (NSAC-203, Losses of Offsite Power at U.S. Nuclear Power Plants thru 1993 is not current. More recent NSAC and EPRI documents are available as a reference source.

These documents have the potential to increase the likelihood of offsite power recovery since LOP events and their duration have trended downward. The finding has been resolved and closed by an update of the PRA model and documentation. Subsequent updates of the PRA model have used the current EPRI loss of offsite power data. Risk Insights Related to One-Time Extended Completion Time 8 Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation ID Sub-Element(s) Level Status Finding(s) Disposition DA-08 General B Closed Plant specific data was derived from a limited number of years data (1994 thru 1996) The finding has been resolved and closed by an update of the PRA model and documentation. Plant specific data has subsequently been updated up to 2014. HR-01 HR-1, HR-14 B Closed Guidance effectively describes the quantification process. Two areas were identified for possible improvements: 1. The process and degree of operation input and review is not documented. Operation input as described appears to be marginal. It was stated that operator input was always obtained for knowledge based actions and was obtained as required for complete skill and rule-based actions. A better practice would be to have all actions developed with operator input. 2. The process for selecting Human Reliability Analyses (HRAs) was not described. A process is identified in Systematic Human Action Reliability Procedure (SHARP). It appears that the SHARP process was not used. However, an undocumented, iterate process between the system analyst and the human action analyst appears to be adequate. The finding has been resolved and closed by an update of the PRA documentation. This issue has been addressed by upgrading the human reliability analysis documentation to address the issues. The HFEs have been placed into the EPRI HRA calculator, which provides a consistent and detailed documentation of the HRAs. Risk Insights Related to One-Time Extended Completion Time 9 Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation ID Sub-Element(s) Level Status Finding(s) Disposition HR-08 HR-25 B Closed A sensitivity study to determine human action dependencies was not performed nor documented with the PRA results. This is considered to be a good practice to ensure dependent human actions are not inappropriately used. A sensitivity analysis was performed during this review. No issues were noted. The finding has been resolved and closed by an update of the PRA documentation. The requested sensitivity analysis was performed and documented on human action dependencies. HR-09 HR-20 B Closed Human Action (HA) 1AFN-MSIS----HR is failure of the operator to override main steam isolation signal (MSIS) and align the N pump. This action includes diagnosis error. The action 1AFN-MSIS-ND-HR, is a modification factor to remove the diagnosis component of 1AFN-MSIS----HR. In the quantification of these two elements (PRA Study 13-NS-B62, Human Reliability Analysis, p90 and p91) it is stated that 1AFN-MSIS-ND-HR is to be used with 1AFN-MSIS----HR when it occurs in conjunction with failure to align or utilize the code pumps, i.e., in conjunction with another HA that had an equivalent diagnosis element. This is considered appropriate. However, as seen in cutset 10 and others, these two HAs are being used together in cutsets which do not include another HA with the equivalent diagnosis element. This is inappropriate. The finding has been resolved and closed. The human reliability analysis dependency process no longer applies recovery actions and HEP modifications through cutset post-processing. The HRA calculator dependency function is used to manage dependencies between human actions, and this process eliminates the concern raised by the finding. Risk Insights Related to One-Time Extended Completion Time 10 Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation ID Sub-Element(s) Level Status Finding(s) Disposition HR-09 continued HR-20 B Closed In cutset 10, the initiator is loss of 125 VDC PKB-M42 which results in loss of one AFW pump, an MSIS, failure of the downcomer valves, failure of the turbine-driven AFW pump and the 1AFN-MSIS----HR/1AFN-MSIS-ND-HR combination. This does not appear to be appropriate because there is no other HA which includes the requisite diagnosis error. This is contrary to the stated application conditions in 13-NS-B62. The above discussion also applies for the 1AFW-MFW-----HR/1AFW-MFW-ND-HR combination and any other equivalent combinations. After looking at models in more detail, found that there was another HA in the chain. Direct solution of the trees would yield a cutset with two Human Error Probabilities (HEPs). A recovery analysis pattern removed the two related HAs and replaced them with the pairings discussed above. The concept appears to be appropriate but the manner in which it is applied is confusing at least in this case. Risk Insights Related to One-Time Extended Completion Time 11 Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation ID Sub-Element(s) Level Status Finding(s) Disposition DE-02 DE-1, DE-3, DE-5 B Closed As mentioned earlier there is no guidance for the system analysis process. This applies to the dependency aspect of the process as well. Section 3.3 of a system study lists the dependencies associated with the system. In general, the attachment appears to completely describe the dependencies associated with the system. I did notice several cases in the high pressure safety injection (HPSI) system study where the component numbers were not identified: 1PHAM37-480-1PW/GHLIA1-2, 1PHBM38-480-1PW/GHI2-9, 1SAARAS-TRA--1AT/GRASA-K405 (MOV 674), etc. In some cases, it was possible to determine the component dependency. In other cases, it was not. Each component and its associated dependency should be explicitly identified. The dependencies associated with hot leg injection appear to be improperly identified. MOV-321 should be 4PKCM43-125--1PW and MOV-331 should be 4PKDM44-125--1PW. The plant references for the dependencies are not directly linked to unique component dependencies. Instead, the references are listed in a single large mass in Appendix D. It would probably save time and lead to better traceability if the references are directly associated with each dependency. There are no plant references associated with the heating, ventilation and air conditioning (HVAC) dependencies dedicated to the HPSI system. This applies to 1EWAECOOLWA--1OP, 1EWBECOOLWB--1OP, 1PHBM38-480-1PW, 1SPAESPA---1OP, etc. The plant references could be a simple as Updated Final Safety Analysis Report (UFSAR) text if direct failure is assumed to be as complicated as design heat-up calculations. The finding has been resolved and closed by an update of the PRA documentation. References for dependencies and HVAC success criteria have been added to the PRA documentation. Risk Insights Related to One-Time Extended Completion Time 12 Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation ID Sub-Element(s) Level Status Finding(s) Disposition DE-05 DE-4 B Closed Although dependencies are identified in the system analysis, there is no dependency matrix. A dependency matrix is a valuable tool for reviewers and newcomers to the group. I believe that our evaluation of Accident Sequences would have been much more comprehensive with a dependency matrix. There are no plant references associated with the HVAC dependencies dedicated to the HPSI system. This applies to 1EWAECOOLWA--1OP, 1EWBECOOLWB--1OP, 1PHBM38-480-1PW, 1SPAESPA---1OP, etc. The plant references could be a simple as UFSAR text if direct failure is assumed to as complicated as design heat-up calculations. The finding has been resolved and closed by an update of the PRA documentation. A dependency matrix has been added to the PRA documentation. DE-08 DE-7 B Closed Since the general rule is documented as one-recovery action per sequence 13-NS-B62 (B-062), exceptions should be noted and justified. For example, the Station Blackout Generator recovery and the AFW pump A recovery actions are credited redundantly. This is probably appropriate, but the paragraph in B-062 indicates this is not typically done. Therefore justifying the exceptions is probably appropriate. The finding has been resolved and closed by an update of the PRA documentation. Exceptions to the recovery actions were justified. DE-10 DE-12, DE-13, DE-14 B Closed The documentation is considered marginal largely based on the lack of traceability of the system studies to plant documentation for each component dependency. This issue was closed by meeting ASME SR SY-C1 for system notebook documentation. QU-01 QU-1 B Closed The quantification report describes the quantification, but the process is difficult to follow unless knowledgeable about the code used and the specific steps to follow. It is sometimes hard to determine the basis for the delete term logic and the recovery patterns. The finding has been resolved and closed by an update of the PRA documentation. Risk Insights Related to One-Time Extended Completion Time 13 Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation ID Sub-Element(s) Level Status Finding(s) Disposition QU-05 QU-18, QU-19 B Closed It would probably be a good idea to delete the front *s in the recover search equations. I did not find any instances where this caused a problem in the existing model, but it could be causing problems by accidentally selecting the middle of a basic event verses the beginning. The finding has been resolved and closed by an update of the PRA model recovery instructions. QU-07 QU-25, QU-26, QU-28 B Closed Even though the data bases contain error factors and their code has the capability to easily perform numerical uncertainty analyses, APS did not perform any uncertainty analyses for this update of the Probabilistic Safety Assessment (PSA) and they did not document any sensitivity studies on the impact of key assumptions as part of this PSA update. This issue has been addressed by performing and documenting the quantitative uncertainty analysis. MU-03 MU-4 B Closed The types of changes tracked by the PRA and how this information is obtained are not specified in enough detail within the procedure. The finding has been resolved and closed by an update of the PRA model update procedure. MU-08 MU-11, MU-12 B Closed There is limited guidance on what needs to be considered for reevaluation when a significant change to the PRA models takes place. The finding has been resolved and closed by an update of the PRA model update procedure. HR-03 HR-4, HR-5, HR-6, HR-7 B Closed In the HRA document (B62), Section 4.2, concludes that miscalibration and common cause miscalibration of critical sensors is negligible at PVNGS. This is not consistent with the results from other PRAs. Specifically, the first supporting paragraph of dedicated teams does not minimize exposure to common cause, it actually maximizes common cause. PVNGS's staff previously identified this item. The finding has been resolved and closed by an update of the PRA model common cause modeling to match the NRC common cause database treatment. Risk Insights Related to One-Time Extended Completion Time 14 Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation ID Sub-Element(s) Level Status Finding(s) Disposition AS-03 AS-6, AS-7, AS-8, AS-24 B. Closed There are some differences between treatment of a small LOCA associated with a pipe break and an induced small LOCA (pressurizer safety valve reclosure) in the transient event trees. For example: pressure injection and recirculation lead to questioning whether containment heat removal is successful. In the Transient Type 2 and Transient Type 3 event trees, RCS integrity can be lost if pressurizer safety valves do not reset after lifting. In the sequences from these event trees where high pressure injection and recirculation are successful, the question relating to containment heat removal is not asked. and use of low pressure injection and recirculation are considered if high pressure injection or recirculation fail. In the Transient Type 2 and Transient Type 3 event trees, consideration of RCS depressurization and use of low pressure systems is not included because the likelihood of high pressure injection or high pressure recirculation are small. It would seem that this assumption should apply to both cases, or not. The finding has been resolved and closed by an update of the PRA model and documentation. Risk Insights Related to One-Time Extended Completion Time 15 Attachment 4: Internal Events PRA Peer Review A and B Level Findings Observation ID Sub-Element(s) Level Status Finding(s) Disposition SY-13 SY-17, SY-20 B Closed The control system study states that only single failures that cause the failure mode of interest are considered. For the Auxiliary Feed Actuation System (AFAS) generated signals, which results (these result) in modeling common cause only. Although this approach may provide a good estimate of the failure rate of these safety signals, it does not necessarily provide the confidence that the signals are appropriately modeled. For AFAS, it appears that since the AFW flow path valves must cycle that control system dependencies may have been missed. That is, normally engineered safety features actuation system (ESFAS) relays appeared to be locked-out following actuation, but for the AFAS valves, the relays need to react to the process system steam generator (S/G) low and high level). It is likely that 120 VAC Vital Bus A and B are needed. The finding has been resolved and closed by an update of the PRA model and documentation to add the indicated control system dependencies. Risk Insights Related to One-Time Extended Completion Time 1 ATTACHMENT 5 Internal Events PRA Self-Assessment of ASME SRs Not Met to Capability Category II Attachment 5: Internal Events PRA Self-Assessment of ASME SRs Not Met to Capability Category II SR Status Self-Assessment Comments Disposition SY-C1 Closed System analysis documentation developed during the Individual Plant Examination (IPE) was abandoned prior to issuance of the ASME PRA. Key elements of the system analysis documentation have been subsequently captured in other PRA documentation that is not designated as system analysis documentation. The System analysis documentation has been updated to reflect the documentation requirements of SY-C1. SY-C2 Closed The following subsections of SR SY-C2 are not met: c, e, j, o, p. The original system analysis documentation developed during the IPE PRA development was abandoned prior to the issuance of the ASME PRA Standard. Other subsections of SR SY-C2 (a, b, d, f, g, h, i, k, l, m, n, q, r, s) are met by alternate documentation generated when the system analysis documentation was abandoned. The System analysis documentation has been updated to reflect the documentation requirements of SY-C2. Risk Insights Related to One-Time Extended Completion Time 1 ATTACHMENT 6 Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II Attachment 6: Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition IFSO-B2 Closed As noted in SRs IFSO-A1, IFSO-A3, and IFSO-A5, some areas of the documentation do not provide sufficient detail about the process used. Specific items for which improved documentation is needed include: a. Documentation of sources in the Turbine Building. b. The basis for screening sources in the Fuel, Radwaste, and Turbine Buildings (i.e., the way in which the specified criteria are met for each source is not documented). For example, a walkdown during the peer review revealed that there is section of the wet pipe fire protection (FP) system running above the turbine cooling water (TC) pumps that could potentially spray both pumps. It is not clear based on 13-NS-C093 and 13-NS-C094 that this impact was considered and dispositioned. Likewise, feedline breaks in the turbine building are assumed to be bounded by the loss of main feedwater initiating event, but may have different impacts such as loss of instrument air due to humidity impacts. c. The temperature and pressure of flood sources. This finding has been resolved by a documentation update. The following PRA studies have been revised to provide detail about the specific items needed for improvement: a. PRA Study 13-NS-C094 section 4.2.6 was revised to include the flooding sources in the Turbine Building. b. Revised PRA Study 13-NS-C094 sections 4.2.5 and 4.2.6 to include justification for screening sources in the Fuel, Radwaste, and Turbine Building. c. The temperatures and pressures of the plant fluid systems do not need to be defined as all flooding impacts are inherently considered due to the Assumption 2 in PRA Study 13-NS-C096 which identifies that all equipment in the flood area in which a flood initiates, is assumed failed. Therefore it is not necessary to describe systems in terms of pressure and temperature to determine potential flood induced failure modes. Risk Insights Related to One-Time Extended Completion Time 2 Attachment 6: Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition IFEV-A7 Closed Potential flooding mechanisms are primarily limited to failures of components. Human-induced flooding is screened based on plant maintenance practices (see 13 NS-C093, Section 3.2, Item 4 and 13-NS-C097, Section 3.5). This does not indicate that there was any search of plant operating experience and plant maintenance procedures to verify no potential for human-induced flood mechanisms. This finding has been resolved by a documentation update. PRA Study 13-NS-C097 Section 4.1 was revised to document the review of human and maintenance induced flooding events. Spray events such as sprinkler head failures during maintenance were considered on an individual basis in the internal flood model. A review of PVNGS maintenance guidance documentation and procedures via plant personnel discussions did not identify any maintenance procedures which would lead to an internal flooding scenario. IE-C5 Closed Generic pipe failure frequencies from EPRI TR-1013141 were not converted to a per reactor-year basis as required by SR IE-C5. This finding has been resolved by a documentation update. PVNGS has revised the quantification studies to clarify that the results are specifically in units of "per critical-reactor year" that is directly applicable to At-Power operating plant states. In addition, to support PRA applications that relate to risk in terms of annualized risk, the engineering studies documenting the quantification and results were revised to also provide converted core damage frequency (CDF) and large early release frequency (LERF) in units of per reactor-year (per calendar-year). Risk Insights Related to One-Time Extended Completion Time 3 Attachment 6: Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition IFQU-A7 Closed Sources of model uncertainty and related assumptions for the Internal Flooding (IF) quantification are documented in 13-NS-C099, Section 3.1.3. As noted in other SRs related to assumptions and sources of uncertainty, there is no characterization of the impact of these assumptions and sources of uncertainty on the IF model as would be required by backward reference to SRs QU-E4 and QU-F4 in SR IFQU-A7. This finding has been resolved by a documentation update. PRA Study 13-NS-C099 Section 4.4 was revised to incorporate the characterization of model uncertainty sources. Each assumption and source of model uncertainty has been characterized according to WCAP-17507, "PRA Model Uncertainty Database Guidance and Documentation Template for Characterization of Uncertainties" from the Pressurized Water Reactor Owners Group (PWROG) PA-RMSC-0594. IFSN-A16 Closed Based on the decision trees in the Scenario document 13-NS-096 Revision 0, (example Figure 4.2.1.1-1, Sequence 040A1S02), many flood sources that can be isolated have been screened out based a simple assertion that the flood can be isolated without documenting any of the following: a. Whether flood indication is available in the control room, b. How and where the flood source can be isolated, and c. Whether procedures exist for isolation and how much time is available for isolation. Based on a discussion with the plant PRA personnel, the peer review team judged the screening to be reasonable, but documentation is not adequate. The review team judged this to be met at Category I, but even for this, proper documentation is needed as noted in the finding. This finding has been resolved by a documentation update. PRA Study 13-NS-C096 section 3.1.1 was revised to describe the reason for screening out successfully isolated floods. Risk Insights Related to One-Time Extended Completion Time 4 Attachment 6: Internal Flood PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition IFSN-A6 Closed RG 1.200 Revision 2 documents a qualified acceptance of this SR. The NRC resolution states that to meet Capability Category II, the impacts of flood-induced mechanisms that are not formally addressed (e.g., using the mechanisms listed under Capability Category III of this requirement) must be qualitatively assessed using conservative assumptions. This finding has been resolved by a documentation update. Assumption 2 in PRA study 13-NS-C096 was rewritten to clarify that all components within a flood area where the flood originates were assumed susceptible and failed as a result of the flood, spray, steam, jet impingement, pipe whip, humidity, condensation and temperature concerns except when component design (e.g., water-proofing), spatial effects, low pressure source potential or other reasonable judgment could be used for limiting the effect. IFEV-A6 Closed There is no evidence in 13-NS-C097 that a search was made for plant-specific operating experience, plant design features, and conditions that may impact flood likelihood and no Bayesian updating was performed. However, adjustments are made to some initiating event frequencies based on system run times to account for differences between impacts when the pumps are running or in standby. This finding has been resolved by a documentation update. PRA Study13-NS-C097 Section 4.1 was revised to add evidence of the search for plant specific operating experience. The PVNGS Site Work Management System database and License Event Reports were searched for flood type events. Additionally, the PVNGS maintenance procedures were reviewed for flood prevention guidelines. It was determined that none of the flood events identified represented a credible internal flooding scenario which would require additional modeling efforts. Additionally, the lack of internal flooding events does not provide sufficient information to perform a Bayesian update to the initiating event data, and therefore, no update was performed. Risk Insights Related to One-Time Extended Completion Time 1 ATTACHMENT 7 Seismic PRA Peer Review ASME SRs Not Met to Capability Attachment 7: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SHA-E1 Closed Insufficient site-specific velocity profile documentation exists to review the base case profile and possible uncertainties in the site shear-wave velocity profile. Because the site fundamental soil resonance may be near 1 second, a period that may be near a critical structural resonance, documentation of the epistemic uncertainty and aleatory variability of the site velocity profile should be developed. This issue was resolved and reflected in the PRA model and documentation. New site specific data was subsequently collected as part of the NTTF 2.1 analysis. SHA-E2 Closed The evaluation and incorporation of uncertainties in the site response velocity profile may not be properly incorporated because of insufficient or unreviewable site-specific data and/or its documentation. Also, the site response evaluation was completed using a Senior Seismic Hazard Analysis Committee (SSHAC) Level 1 (L1) process which does not meet the ASME general Capability Category II guidelines. A SSHAC L3 analysis was performed subsequent to the seismic PRA development as part of the NTTF response to the NRC 50.54f letter on Fukushima. The SSHAC L3 analysis produced a site hazard curve which is bounded by the SSHAC L1 hazard curve developed and used in the Seismic PRA model. Therefore, the issue is resolved by the updated SSHAC L3 hazard analysis. SFR-A1 Closed Some of the dispositioning in the complete seismic equipment list (SEL) does not have adequate documentation to justify screening of selected components. For example, component 1ENANS01 (13.8 kV Non-Class 1E Switchgear 1ENANS01) is dispositioned (screened) by the statement "Seismically induced failure of NA system (non-seismic class) assumed addressed through seismic LOP." The median fragility of seismic LOP is 0.3 g. For this screening to be viable, APS should demonstrate that the median fragility of 1ENANS01 is significantly higher than 0.3 g. However, these are non-Class 1E electrical components. This type of screening argument is used many times within the complete SEL presented in Appendix B of CN-RAM-12-015. This issue was resolved and reflected in the PRA model and documentation. Contractor performed walkdown and screening evaluation to compare the estimated seismic capacities of selected Non-Safety Related equipment to the capacity assigned to LOP. Re-quantification was performed to reflect updated hazard, updated fragility information and updated S-PRA modeling following the resolution of Findings and Observations from the industry peer review. Risk Insights Related to One-Time Extended Completion Time 2 Attachment 7: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SFR-C6 Closed The CDF is dominated by peak ground acceleration (PGA) in the range of about 0.3 g. Therefore, the effect of using input motion at the 0.3g PGA level should be examined. Contrary to the self-assessment, the soil data is not sufficient to justify a Cv =0.5. The effect of using Cv = 1.0 should be examined. This issue was resolved and reflected in the PRA model and documentation. Contractor performed evaluation of increased uncertainty for soil properties. Re-quantification was performed to reflect updated hazard, updated fragility information and updated S-PRA modeling following the resolution of Findings and Observations from the industry peer review. SFR-F2 Closed The top seven cutsets involve seismic failure events (SF-TBBLD, SF-SOIL, and SF-MF) that are potentially conservative with respect to seismic fragility and may be resulting in a seismic CDF that is not accurately reflecting the true plant response to seismic events. More analysis is required to either justify the seismic fragilities presented or to refine those values. Event SF-TBBLD represents structural failure of the turbine building, resulting in collapse onto the underground pipe tunnel from the CST. The concrete cover over the pipe tunnel is postulated to fail, resulting in failure of the AFW piping from the CST to the AFW pumps. There is the potential that the turbine building failure might not fail the pipe tunnel. Event SF-MF involves seismic failure of main feedwater piping outside of containment (balance of plant). The fragility of this piping is based on a "generic" evaluation of SC-II components and is given a median acceleration of 0.21 g. This issue was resolved and reflected in the PRA model and documentation. Contractor performed seismic fragility investigation for PVNGS Unit 1 Main Feedwater (FW) system. Re-quantification was performed to reflect updated hazard, updated fragility information and updated S-PRA modeling following the resolution of Findings and Observations from the industry peer review. Risk Insights Related to One-Time Extended Completion Time 3 Attachment 7: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SFR-F3 Closed The draft report LTR-RAM-II-12-074 indicates that the draft relay assessment uses the IPEEE relay assessment as the starting point but accounts for the updated seismic hazard curve at the site. However, the report includes the following statement in Section 2.3 (Unaddressed Relays): This list (unaddressed relays) included 69 such relays. Of the relays that have been included in the SPRA, their seismic fragility events are found in many of the dominant CDF cutsets. This issue was resolved and reflected in the PRA model and documentation. LTR-RAM-II-12-074, Revision 2 incorporated the 69 previously unaddressed relays. Re-quantification was performed to reflect updated hazard, updated fragility information and updated S-PRA modeling following the resolution of Findings and Observations from the industry peer review. Risk Insights Related to One-Time Extended Completion Time 4 Attachment 7: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SPR-B1 Closed CN-RAM-12-015, Rev. 0, Palo Verde SPRA Model Development, identifies the following for the Self-Assessment for SPR-B1: "The S-PRA relies on an internal event model that is assumed to be compliant with CCII of the PRA Standard." It is understood that the PVNGS PRA model received an industry PRA peer review in 1995 per the CEOG guidelines when the PRA model existed in the Risk Spectrum software environment. The current PVNGS PRA model has since been converted to the CAFTA software environment. APS has since performed a self-assessment of the PVNGS Fire PRA and Internal Events (FPIE ) PRA model against the ASME/ANS Standard, but a number of SRs do not meet Capability Category II. Furthermore, as discussed in Section 4.2 of CN-RAM-12-024, there are five (5) open items from the FPIE HRA. Open Item #5 addresses that many values of T1/2 were not provided in the HRA Calculator, which indicates that the time required to perform the actions may not be accurate (FPIE SR HR-G5). In addition, Section 4.3.1.4 identifies that PVNGS only uses the Cause-Based Decision Tree Method, which is known to underestimate the impact of time constrained HEPs and as a result, current expectation for meeting supporting requirement HR-G3 is to use a combination of CBDTM and HCR methods to ensure that timing is accurately reflected. The first part of this finding is considered resolved based on conducting a RG 1.200 self-assessment of the internal events PRA model described elsewhere in this enclosure and subsequent peer reviews of the internal flood and internal fire PRA models which are based on the internal events PRA model. The second part of this finding is considered resolved by CN-RAM-12-024 Revision 1 that updated the seismic HEPs based on timing and closed all open items from Revision 0. Re-quantification was performed to reflect updated hazard, updated fragility information and updated S-PRA modeling following the resolution of Findings and Observations from the industry peer review. SPR-B6 Closed The review team could find no evidence that operator actions following relay chatter events were reviewed to ensure task does not change (e.g., additional execution steps to reset relay) if action is in response to relay chatter-induced failure. This issue was resolved and reflected in the PRA model and documentation. LTR-RAM-II-12-074, Revision 2 performed a comprehensive relay assessment to address this finding. Re-quantification was performed to reflect updated hazard, updated fragility information and updated S-PRA modeling following the resolution of Findings and Observations from the industry peer review. Risk Insights Related to One-Time Extended Completion Time 5 Attachment 7: Seismic PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition SPR-B7 Closed Complementary success logic is added in the SPRA logic on a sequence basis for the SIET via the SHIP software, but not for each basic event that represents a seismically-induced failure. This is a limitation of the PRA technology and software which was also noted in the Surry report. As such, this SR is assessed as Not Met. However, SR SPR-B7 has been modified in the proposed revision of the PRA Standard (i.e., Addendum B). At the moment this calculation note's publication CCI/II of the equivalent SR in Addendum B (SPR-B5) reads as follows: In the systems-analysis models, for each basic event that represents a significant seismically-caused failure, INCLUDE the complementary "success" state where applicable to a particular SSC, and DEFINE the criterion used for the term "significant" in this activity. Based on the wording of the new version, success logic addressing significant seismically caused failures are included in the model. With reference to the new wording of SR SPR-B5, this SR could be assessed as met at CCI/II. This finding is considered resolved based on meeting Addendum B of the ASME PRA Std, which changed the requirement for this supporting requirement. SPR-B10 Closed Row SPR-B10 in Attachment 4.5-2 of CN-RAM-12-015 (i.e., the summary attachment of the SPRA self-assessment) identifies the need to examine the effect of including a seismically-induced small-small LOCA. The self-assessment identifies that Section 5.1.3.9 discusses modeling a concurrent small LOCA. Section 5.1.3.9 identifies that a seismic-induced Small LOCA probabilistically models a seismic-induced LOP. It is assumed that this scenario would also address the scenario for a Seismic-induced LOP with a potential for a small-small LOCA. CN-RAM-12-015 Revision 1 addressed this finding. Re-quantification was performed to reflect updated hazard, updated fragility information and updated S-PRA modeling following the resolution of Findings and Observations from the industry peer review. Risk Insights Related to One-Time Extended Completion Time 1 ATTACHMENT 8 Internal Fire PRA Peer Review ASME SRs Not Met to Capability Category II Attachment 8: Internal Fire PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition FSS-D2 Closed Generic Hot Gas Layer (HGL) calculations were performed using Consolidated Model of Fire and Smoke Transport (CFAST) and documented in Hughes report 0001-0014-002-002, Rev 1. The CFAST HGL results have not been applied in a manner consistent with the limitations and assumptions described in the report. This finding has been resolved by PRA model and documentation changes. Generic CFAST evaluations were revised to be specific to account for the limitations and assumptions of the area being modeled. FQ-E1 Closed Several Human Failure Events (HFEs) were discovered to have a failure probability set to zero during the quantification instead of the documented screening value of 1.0 developed during the HRA task. Having the HEPs set to zero potentially impacts the quantification results and the ability to identify significant contributors to CDF, such as initiating events, accident sequences, equipment failures, common cause failures, and operator errors. There is no documentation that shows that a review of the importance of components and basic events to determine that they make logical sense was performed. There is no documentation that a review of nonsignificant cutsets or sequences was performed. This finding has been resolved by PRA model and documentation changes. HFEs documented to have a screening value of 1.0 have been revised in the model to use this screening value. All HFE tools were reviewed, updated to be consistent with the HRA Calculator source database, and validated. A review of component and basic event importance to ensure they make logical sense was subsequently conducted and documented. Conduct of cutset reviews was added to the PRA documentation. Risk Insights Related to One-Time Extended Completion Time 2 Attachment 8: Internal Fire PRA Peer Review ASME SRs Not Met to Capability Category II SR Status Finding(s) Disposition UNC-A1 Closed The following statement was made after several sensitivity results attachments: "Because of the way the cutsets were created, the numbers are not correct. The exercise here is to show the ratios." This negates any of the results reported in the results attachment. The uncertainty analysis, for the most part, does not include any review of the uncertainty results. Therefore, how the PRA model was affected and a check for the reasonableness was not documented. Therefore it is not clear that a check for reasonableness was performed. There is a statement in the Uncertainty Analysis notebook that this analysis was not performed for LERF. Upon review of the notebook it was found that for some uncertainty analyses were run for both CDF and LERF. A review of the uncertainty analysis should be performed and all uncertainty analysis should be performed for CDF and LERF. Many instances were found where assumptions were found in notebooks that were not documented in the assumption section. This could lead to missing an area that needs to be addressed in the uncertainty analysis. (Review documents and verify that where the word "assumes" is used that an actual assumption is being made.) This finding has been resolved by PRA model and documentation changes. The sensitivity results were reviewed and documented to show ratios of results. Documentation has been updated to include how the PRA model is affected by model uncertainty and related assumptions. Sources of LERF uncertainty and assumptions have been identified and documented. All assumptions used in the development of the PRA model have been reviewed and documented. Instances of modeling simplification or conservatism were so noted versus declared as default assumptions. Assumptions with the potential to significantly impact results were addressed in the Uncertainty and Sensitivity analyses Risk Insights Related to One-Time Extended Completion Time 1 ATTACHMENT 9 External Hazards Screening Attachment 9 External Hazards Screening External Hazard Screening Result Screened? (Y/N) Screening Criterion (Note 1) Comment Aircraft Impact Y PS2 PS4 Airport hazard meets 1975 Standard Review Plan (SRP) requirements. Additionally, airways hazard bounding analysis per NUREG-1855 is < 1E-6/y. Avalanche Y C3 Not applicable to the site because of climate and topography. Biological Event Y C3, C5 Sudden influxes not applicable to the plant design [closed loop systems for Essential Cooling Water System (ECWS) and Component Cooling Water System (CWS)]. Slowly developing growth can be detected and mitigated by surveillance. Coastal Erosion Y C3 Not applicable to the site because of location. Drought Y C5 Plant design eliminates drought as a concern and event is slowly developing. External Flooding Y PS2 Plant design meets 1975 SRP requirements. Extreme Wind or Tornado Y PS2 PS4 The plant design basis tornado has a frequency < 1E-7/y. The spray pond nozzles (not protected against missiles) have a bounding median risk < 1E-7/y. Fog Y C1 Limited occurrence because of arid climate and negligible impact on the plant. Forest or Range Fire Y C3 Not applicable to the site because of limited vegetation. Frost Y C1 Limited occurrence because of arid climate. Risk Insights Related to One-Time Extended Completion Time 2 Attachment 9 External Hazards Screening External Hazard Screening Result Screened? (Y/N) Screening Criterion (Note 1) Comment Hail Y C1 C4 Limited occurrence and bounded by other events for which the plant is designed. Flooding impacts covered under Intense Precipitation. High Summer Temperature Y C1 Plant is designed for this hazard. Associated plant trips have not occurred and are not expected. High Tide, Lake Level, or River Stage Y C3 Not applicable to the site because of location. Hurricane Y C4 Covered under Extreme Wind or Tornado and Intense Precipitation. Ice Cover Y C3 C1 Ice blockage causing flooding is not applicable to the site because of location (no nearby rivers and climate conditions). Plant is designed for freezing temperatures, which are infrequent and short in duration. Industrial or Military Facility Accident Y PS2 Explosive hazard impacts and control room habitability impacts meet the 1975 SRP requirements (RGs 1.91 and 1.78). Internal Flooding N None PRAs addressing internal flooding have indicated this hazard typically -6/y. Also, the ASME/ANS PRA Standard requires a detailed PRA for this hazard which is addressed in the PVNGS Internal Flooding PRA. Internal Fire N None PRAs addressing internal fire have indicated this hazard typically -6/y. Also, the ASME/ANS PRA Standard requires a detailed PRA for this hazard which is addressed in the PVNGS Internal Fire PRA. Landslide Y C3 Not applicable to the site because of topography. Risk Insights Related to One-Time Extended Completion Time 3 Attachment 9 External Hazards Screening External Hazard Screening Result Screened? (Y/N) Screening Criterion (Note 1) Comment Lightning Y C1 Lightning strikes causing loss of offsite power or turbine trip are contributors to the initiating event frequencies for these events. However, other causes are also included. The impacts are no greater than already modeled in the internal events PRA. Low Lake Level or River Stage Y C3 Not applicable to the site because of location. Low Winter Temperature Y C1 C5 Extended freezing temperatures are rare, the plant is designed for such events, and their impacts are slow to develop. Meteorite or Satellite Impact Y PS4 The frequency of meteorites greater than 100 lb striking the plant is around 1E-8/y and corresponding satellite impacts is around 2E-9/y. Pipeline Accident Y C3 Pipelines are not close enough to significantly impact plant structures. Release of Chemicals in Onsite Storage Y PS2 Plant storage of chemicals meets 1975 SRP requirements. River Diversion Y C3 Not applicable to the site because of location. Sand or Dust Storm Y C1 C5 The plant is designed for such events. Also, a procedure instructs operators to replace filters before they become inoperable. Seiche Y C3 C1 Not applicable to the site because of location. Onsite reservoirs and spray ponds designed for seiches. Seismic Activity N None PRAs addressing seismic activity have indicated this hazard typically -6/y. Also, the ASME/ANS PRA Standard requires a detailed PRA or Seismic Margins Assessment (SMA) for this hazard which is addressed in the PVNGS Seismic PRA. Risk Insights Related to One-Time Extended Completion Time 4 Attachment 9 External Hazards Screening External Hazard Screening Result Screened? (Y/N) Screening Criterion (Note 1) Comment Snow Y C1 C4 The event damage potential is less than other events for which the plant is designed. Potential flooding impacts covered under external flooding. Soil Shrink-Swell Consolidation Y C1 C5 The potential for this hazard is low at the site, the plant design considers this hazard, and the hazard is slowly developing and can be mitigated. Storm Surge Y C3 Not applicable to the site because of location. Toxic Gas Y C4 Toxic gas covered under release of chemicals in onsite storage, industrial or military facility accident, and transportation accident. Transportation Accident Y PS2 PS4 C3 C4 Potential accidents meet the 1975 SRP requirements. Bounding analyses used for offsite rail shipment of chlorine gas and onsite truck shipment of ammonium hydroxide. Marine accident not applicable to the site because of location. Aviation and pipeline accidents covered under those specific categories. Tsunami Y C3 Not applicable to the site because of location. Turbine-Generated Missiles Y PS2 Potential accidents meet the 1975 SRP requirements. Volcanic Activity Y C3 Not applicable to the site because of location. Waves Y C3 C4 Waves associated with adjacent large bodies of water are not applicable to the site. Waves associated with external flooding are covered under that hazard. Note 1 - See Attachment 10 for descriptions of the screening criteria. Risk Insights Related to One-Time Extended Completion Time 1 ATTACHMENT 10 Progressive Screening Approach for Addressing External Hazards Attachment 10 Progressive Screening Approach for Addressing External Hazards Event Analysis Criterion Source Comments Initial Preliminary Screening C1. Event damage potential is < events for which plant is designed. NUREG/CR-2300 and ASME/ANS Standard RA-Sa-2009 C2. Event has lower mean frequency and no worse consequences than other events analyzed. NUREG/CR-2300 and ASME/ANS Standard RA-Sa-2009 C3. Event cannot occur close enough to the plant to affect it. NUREG/CR-2300 and ASME/ANS Standard RA-Sa-2009 C4. Event is included in the definition of another event. NUREG/CR-2300 and ASME/ANS Standard RA-Sa-2009 Not used to screen. Used only to include within another event. C5. Event develops slowly, allowing adequate time to eliminate or mitigate the threat. ASME/ANS Standard Progressive Screening PS1. Design basis hazard cannot cause a core damage accident. ASME/ANS Standard RA-Sa-2009 PS2. Design basis for the event meets the criteria in the NRC 1975 Standard Review Plan (SRP). NUREG-1407 and ASME/ANS Standard RA-Sa-2009 PS3. Design basis event mean frequency is < 1E-5/y and the mean conditional core damage probability is < 0.1. NUREG-1407 as modified in ASME/ANS Standard RA-Sa-2009 PS4. Bounding mean CDF is < 1E-6/y. NUREG-1407 and ASME/ANS Standard RA-Sa-2009 Risk Insights Related to One-Time Extended Completion Time 2 Attachment 10 Progressive Screening Approach for Addressing External Hazards Event Analysis Criterion Source Comments Detailed PRA Screening not successful. PRA needs to meet requirements in the ASME/ANS PRA Standard. NUREG-1407 and ASME/ANS Standard RA-Sa-2009 Risk Insights Related to One-Time Extended Completion Time 1 ATTACHMENT 11 Disposition of Key Assumptions/Sources of Uncertainty Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition The only plant system modeled in the PRA that is shared between the three units is the station blackout generators (SBOGs). Simultaneous multiple unit station blackout conditions are screened out based on low probability. SBOGs are assumed aligned to one unit only during an event. SBOGs can be aligned to multiple units to supply limited loads.

The existing PRA model conservatively does not credit SBOGs in more than one unit. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 2 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Reactor Coolant Pump (RCP) Seal Leak or Rupture RCP Seal Leak or Rupture is not modeled as a loss of RCS Inventory safety function. Based on Westinghouse WCAP-15749 (Reference 1) and pump seal vendor information, it was concluded that because of the very tight clearances, leakage into the seal package from the RCS is limited to about 17 gpm per pump. Each of the four RCPs has a seal package which consists of three seals. As a result, even if the seal package on all four RCPs failed, the total leak rate would be within the capacity of two charging pumps and does not qualify as a LOCA. An analysis showed that continuing to model RCP seal leakage and requiring charging pumps to mitigate the leakage represented an insignificant contribution to CDF or LERF, even assuming one of the three seals on each pump failed. The analysis also showed that modeling catastrophic failure due to operator failure to secure the pumps upon loss of cooling and seal injection was an insignificant contributor to CDF or LERF. No sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 3 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Loss of Coolant Accident (LOCA) Frequencies NUREG/CR-6928 (Reference 2) restated the results from NUREG-1829 (Reference 3). The LOCA frequencies are based upon expert elicitations. The LOCA sizes identified by the NRC are different from those estimated for PVNGS. The slight variance in the range of break sizes for different LOCAs is not significant and is judged to have minimal impact on LOCA frequencies, within the uncertainties associated with the expert elicitation values, and of insignificant impact. Therefore, no sensitivity analysis is required for this application. Loss of Off-site Power (LOP) Frequency The national LOP data presented in the latest EPRI events reports referenced in PRA Study 13-NS-C004 (Reference 4) was used to obtain point-estimates for switchyard centered and severe weather related LOP frequencies. The EPRI Reports indicate that the generic LOP data is subject to user modifications and screenings to fit the local plant designs and environmental conditions. This approach of LOP screening is considered reasonable and necessary to avoid erroneous skewing of the LOP data. The frequency of extreme weather LOP category was obtained as that of the frequency of tornado occurrence with category F2 or higher. The frequency of grid related LOP was obtained by Bayesian updating the reported value for western region (Western Electricity Coordinating Council) in the Draft NRC NUREG/CR-INEEL/EXT-04-02326 (Reference 5). The LOP frequencies are based on recent industry data and are appropriate to represent plant-specific conditions. SBOGs, as well as other additional electric power supplies, are available on site to mitigate LOP. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 4 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Loss of Off-site Power (LOP) at Switchyard Associated Non-Recovery Probabilities The probabilities of offsite power non-recoveries were obtained from Table 4-1 of the draft NRC NUREG/CR-INEEL/EXT-04-02326 (Reference 5). The error factors associated with LOP frequencies and LOP non-recovery probabilities were obtained from draft NRC NUREG/CR-INEEL/EXT-04-02326 (Reference 5) (when provided); otherwise, by using available in-house statistical programs for lognormal and Weibull distributions. The offsite power non-recovery probabilities are based on the best available data and are appropriate to represent plant-specific conditions. SBO diesel generators, as well as other additional electric power supplies, are available on site to mitigate LOP. Therefore, no sensitivity analysis is required for this application. Battery Life Assumptions The PVNGS batteries are not credited in the long term, because they are conservatively assumed to be discharged after 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> per calculation 01-EC-PK-0207. Although the IEEE Class 1E batteries are designed to operate for 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, Engineering has determined that the class batteries' life is at least 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> in calculation 01-EC-PK-0207. Thus they are available for power recovery at the 3-hour point on the incident timeline. Crediting the actual higher capacities of the batteries and updated load shedding actions from Fukushima driven procedure changes would result in additional mitigation capabilities made available. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 5 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Human Failure Events (HFEs) during a seismic event Accessibility for completion of non-screened human failure events (HFE) during a seismic event is assumed possible for all non-screened HFEs besides those which are assumed to fail in the case where the corridor building or turbine building collapses. Both the collapse of the corridor building and turbine building and their impact on the access to the Main Steam Support Structure is considered in the Seismic PRA model. There is a pinch point that leads into the MSSS that could restrict movement into the MSSS which would prevent local MSSS actions from being performed. A sensitivity analysis was performed evaluating the impact of not crediting the subject HFEs and there was minimal impact on the CDF and LERF. Therefore, no additional sensitivity analysis is required for this application. Seismic performance shaping factors (PSFs) with respect to seismic-induced flooding. Seismic-only PSFs applied to the internal events HEPs will over-ride the flooding PSFs based on the consideration that the seismic events are more global events than the specific flooding events. No additional modifications are made to the internal events HEP to consider the possibility of seismic-induced flooding events. This is considered a conservative assumption. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 6 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition The Seismic PRA HFE dependency analysis The Seismic PRA dependency analysis assumes that once an accident sequence is initiated, the operator action timing for a seismically induced event is similar to that of an internally induced event for main control room actions. The modification of the timing available due to seismic considerations may result in a longer response or identification time and consequently a higher HEP. A sensitivity analysis was performed in the seismic PRA quantification increasing the failure probability all HEPs to 1.0, resulting in a 39.36%

increase in CDF. For this application, the seismic risk contribution from the emergency diesel generator unavailability is only 5.5% of the total ICCDF and 5.1% of the total ICLERF. Therefore, no sensitivity evaluation is required for this application. Seismic PRA Weighting factors applied to three approaches There is no standardized method to calculate human error probabilities (HEP) in a seismic PRA. Therefore, a mean HEP for each basic event was calculated by combining three accepted approaches (Surry, Kernkraftwerk Muhleberg (KKM), and Swiss Federal Nuclear Safety Inspectorate (ENSI)) using the following weighting factors: 0.7, 0.15, 0.15, respectively. More emphasis was given to the Surry method since it was a selective combination of previous approaches and the most recently performed and published method. However, the Surry method has the potential to be the least conservative approach among the three methods. A sensitivity analysis was performed that ran the Seismic PRA model using only the KKM and ENSI approaches, equally weighted. The change in CDF and LERF was -1.63% and 0.42%. Therefore, no additional sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 7 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Relay chatter correlation Relay chatter between relays of the same manufacturer, model number, and plant location, i.e., building and elevation were assumed to be fully correlated. Also, each relay identified as a control switch, push button, or motor starter are fully correlated with other generic, like components. This is a conservative assumption because the demand experienced by a relay is dictated by in-cabinet response and not the in-structure response spectra (ISRS) which the binning is based. Therefore, no sensitivity analysis is required for this application. Simplified Relay Fragility Parameters Low risk importance relays (based on Risk Achievement Worth) were treated with a simplified fragility analysis and higher importance relays (10 different types) were treated with a detailed fragility analysis. The simplified relay chatter fragility analysis assumed a engineering judgment. This assumption is reasonable given that none relays evaluated using the detailed fragility analysis were determined to have a Therefore, no sensitivity analysis is required for this application. Seismic failure of relays and basic event mapping For the relays modeled in the Seismic PRA, the basic event associated with the seismic failure of the relay must be mapped to an existing internal events target basic event. A key source of modeling uncertainty is associated with the mapping of seismic basic events. Failure modes postulated for the PVNGS internal events model may not fully align with their assigned seismic counterparts. PRA analyst experience is credited in the selection of the appropriate internal events PRA model component failure modes to reflect postulated seismic PRA model component failure modes. This selection was performed by Westinghouse PRA seismic experts and reviewed by APS PRA engineers. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 8 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Seismic PRA uses internal events PRA as a starting point The PVNGS Seismic PRA assumes that the internal events PRA that is used as a starting point meets the requirements of Capability Category II of the PRA standard. The internal events PRA that was used to develop the Seismic PRA was evaluated separately for its PRA quality and was determined to meet Capability Category II of the PRA standard. Therefore, no sensitivity analysis is required for this application. Success criteria for Seismic PRA If not otherwise specified, the success criteria associated with the internal events PRA logic are considered valid and applicable to accident sequences initiated by a seismic event. However, a standard 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time may not be suitable for a seismic-induced accident scenario because of the longer time needed for offsite power recovery. The base case Seismic PRA uses a 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time for the run time of mitigating equipment. A sensitivity case was developed to assess the impact of using a 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> mission time for equipment run failures. The change in overall CDF and LERF for this case is 2.73% and 0.69%, respectively. Therefore, no additional sensitivity analysis is required for this application. Seismic failure correlation Seismic failures are assumed to be completely correlated. This assumption implies that a single basic event is used to model the seismic failure of components that are identified as pertaining to the same fragility. There's one exception to this where failures in the steam path in the Turbine Building are not considered correlated with failures of the feedwater lines. Overall, the main feedwater fragility has the same generic value as the steamline fragility (0.21g). Since a variety of components in multiple locations/elevations in the Turbine Building are potentially involved with a variety of boundary conditions and anchorage conditions, the two basic events associated with main feedwater and steamlines fragility events should not realistically be correlated and this treatment was reviewed in the peer review. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 9 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Seismically induced Loss of Offsite Power (LOP) The seismically induced LOP is assumed to bound the fragility of non-seismic class system. This assumption implies that a number of non-seismic class systems are not addressed with a specific seismic failure. The basis for this assumption is that seismically induced LOP has a generally low seismic capacity. Scenarios where the non-seismic support systems incur seismically induced failures while offsite power is still available are considered realistic only for very low magnitude seismic events. Therefore, the most significant mitigating equipment will still be available. This is considered a conservative assumption. Therefore, no sensitivity analysis is required for this application. Seismic PRA LOP recovery In the Seismic PRA, LOSP recovery is not credited for any seismic event above the safe shutdown earthquake (SSE), while it is credited with unchanged probability for a seismic event below the SSE. It is realistic to consider that offsite power recovery is available for low magnitude seismic events. The selection of the SSE as a threshold between recovery/no-recovery of offsite power is arbitrary and conservative. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 10 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Screening of equipment in the Seismic Equipment List (SEL) Screening of equipment in the Seismic Equipment List (SEL) is based on fragility analysis. Equipment screened by the fragility team as inherently rugged is not modeled in the Seismic PRA for their seismic induced failure. In order to quantitatively capture the impact of screened out equipment, generic fragility parameters for the building that housed the screened out equipment were used. The screened equipment are modeled through a surrogate basic event at a system level. Using a surrogate event for a number of components that have been screened out introduces a conservative failure mode. The uncertainty introduced by the use of surrogate equipment for the seismic class I system is judged to have a limited impact on the model. Therefore, no sensitivity analysis is required for this application. Operators tripping the reactor above operating basis earthquake (OBE) It is assumed that the operators will always trip the reactor in case of a seismic event above OBE if even the option for a controlled shutdown is allowed. This is considered a conservative assumption. Therefore, no sensitivity analysis is required for this application. Train N Auxiliary Feedwater (AFN) Pump (AFN) is assumed to remain functional following a design basis earthquake The AFN Pump is assumed to remain functional with small breaks or leaks at instrument tubing. The fragility analysis associated with the AFN Pump only addresses the pump and not the entire piping network. A sensitivity case was developed to assess the uncertainty in crediting the AFN pump and not the associated piping network. The capacity of the AFN pump was reduced to the same system level fragility parameters associated with the instrument air system. CDF and LERF increased by 0.08% and 0.03% and indicates little significance of uncertainty in this simplification of the analysis. Therefore, no additional sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 11 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Main steam line relief valves not explicitly included in the SEL. Main steam line relief valves are screened out of the analysis on the basis that the steam generator and related piping & valves are considered very rugged. For this reason, the seismic failure of the main steam line relief valves is not modeled. A sensitivity case is developed to assess the impact of this assumption. A fully dependent seismic failure across all 20 relief valves is modeled. CDF and LERF values did not change when compared to the base case results. This indicates that no significant uncertainty. Therefore, no additional sensitivity analysis is required for this application. Structural failures of buildings Structural failures of building are assumed to result in major collapse and failure of all equipment hosted inside the building. This is a conservative assumption since the fragility parameters provided are addressing the beginning of the structural failure, and a failure of limited areas of the building may result in failure of only a limited number of equipment inside the building. The most significant example of this assumption is the structural failure of the Turbine Building assumed to be also impacting and failing the CST tunnel. Therefore, no sensitivity analysis is required for this application. The Anticipated Transient Without Scram (ATWS) logic for seismic PRA The ATWS logic for seismic PRA assumes that the RCS pressure will be above the HPSI shutoff head for only a short period of time. Moderator Temperature Coefficient (MTC) and ATWS pressure transient are not influenced by the fact that the event is initiated by a seismic event rather than a spurious failure. Therefore, the success criteria developed for the internal events ATWS are considered valid for the seismic PRA. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 12 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition All flood scenarios on the 40ft and 51ft elevations of the Auxiliary Building assumes that a pipe failure drains the Refueling Water Tank (RWT). A cutset review showed that the contribution of Fire Protection (FP) initiators is very low and that the Internal Flood results are not being skewed by this conservatism. This is a conservative approach and should not have a significant impact on the baseline Internal Flood model. Therefore, no sensitivity analysis is required for this application. A single internal events PRA model was developed to quantify the plant flood risk for multiple units. Since there are no significant differences between the units, the Unit 1 System, Structure, or Component (SSC) designators were used. It was therefore assumed that the quantification results are applicable to all units. It is a realistic assumption that the Unit 1 SSC designators are used, since there are no major differences between the three units in terms of internal flood. Therefore, no sensitivity analysis is required for this application. All components within a flood area where the flood originates were assumed susceptible and failed as a result of the flood, spray, steam, jet impingement, pipe whip, humidity, condensation and temperature concerns except when component design (e.g., waterproofing) spatial effects, low pressure source potential or other reasonable judgment could be used for limiting the effect. This is a conservative assumption that simplifies the impacted component list. Uncertainty exists where exactly the flood would occur, the impact due to the geometry of the room and equipment, and the direction of the spray or splash for a given scenario. This assumption raises CDF. This is a conservative approach that simplifies the impacted component list.

Therefore, no sensitivity analysis is required for this application. Block walls are not credited in the analysis and are treated as typical plant walls. Unless a treatment is non-conservative, the block walls are analyzed on an individual basis. The amount of water that could flow through the gaps is unknown. This has no impact as there were no scenarios where the failure of block walls would lead to a non-conservative treatment. This has no impact and is of low consequence. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 13 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Breaks in pipes less than or equal to two inches in equivalent diameter were only considered if the break would directly result in a plant trip or result in a flood induced equipment failure that would result in a plant trip or immediate shutdown. The basis for this assumption is as follows: 1. Provides a practical limit to bound the scope of the analysis to potentially large flow rate and significant consequence events. 2. Pipe sizes of less than or equal to two inch diameter do not accurately reflect plant fluid system flood impacts (i.e. two inch diameter pipes produce significantly smaller flood rates). 3. At low flow rates, typical of pressure boundary failure in pipes less than or equal to two inches, the operator response time is longer and less stressful. Such conditions enhance operator actions significantly to successfully mitigate the breaks in small bore pipes. However, piping less than two inches in diameter is considered on an individual basis when necessary for spray and flooding events. Specifically these events are considered in rooms without drains. Piping less than two inches was also considered for spatially specific spray events, however none were modeled and a detailed discussion of the possible events are documented. This is a conservative approach. Therefore, no sensitivity analysis is required for this application. Closed-loop systems and tanks were assumed to instantaneously release the entire system inventory This is a conservative approach that allows for the consideration of all consequences and does not require time based calculations. This is a conservative approach. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 14 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Control Room staff would be unable to respond effectively to multiple events immediately following the flooding event Human Error Probability (HEP) and Performance Shaping Factors (PSF) adjustments were made during the early stages of a flooding event to account for the additional stress influencing factors. The CDF is higher with this assumption. This is a conservative approach. Therefore, no sensitivity analysis is required for this application. No addition to the Control Room crew is credited early into a flood event when assessing human actions. Operator actions to isolate the flood source are required shortly after detecting that a Pressure Boundary Failure (PBF) has occurred. Often when responding to flood events operators are responding to multiple alarms. It is a realistic assumption that there would be no addition to the Control Room crew early into the flood event when assessing human actions. Therefore, no sensitivity analysis is required for this application. It is assumed that pipes that are larger than 3" were capable of producing major floods unless it was determined that the piping was not capable of producing a major flood. The assumption is conservative as it includes additional piping that may not be conducive to major flooding. Since, major floods are not a major contributor to the Pressure Boundary Failure frequency, its contribution to risk would be considered minimal. This is a conservative approach. Therefore, no sensitivity analysis is required for this application. External tanks were not considered as a flood source unless there is a normally available pathway into the plant whereby the tank contents could empty into a room within the main plant structures. External tanks that are ruptured would not normally propagate into the plant. There were no tanks identified in this Internal Flood PRA that did not propagate into the plant. It was assumed that the impact of an external tank rupture was bounded by the evaluation performed for internal events. Breach of an external tank was assumed to discharge to the yard area and there would be no flood-induced failures of PRA related components. There is no significant impact on the model. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 15 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Floods are assumed to fail all equipment in the initiating room and then propagate out of the room to surrounding flood areas. Cases in which equipment is deemed as sufficiently high or flood barriers are not expected to retain water to sufficient flood levels are treated on an individual basis. Additionally, splitting the flood areas would generate an unreasonable number of scenarios with no added insight. The Top cutsets are not impacted, however if very specific isolation actions were taken this assumption could be significant. It is a realistic assumption and is of low consequence. Therefore, no sensitivity analysis is required for this application. Floods are assumed to propagate down pipe chases prior than down stairwells in situations where pipe chases are not surrounded by a curb and/or a door must be opened to enter into the stairwell. Water will flow down the path of least resistance therefore a pipe chase is the preferred path over a stairwell with a door in front. It is a realistic assumption and is of low consequence. Therefore, no sensitivity analysis is required for this application. Floods are assumed to propagate through doorways which open out, away from the initiating flood area more readily rather than doorways which open in, towards the initiating flood area. The hydrostatic load that a door can handle is based on whether the door closes against the frame or away (with relation to the room that the flood initiates). A door that is against the frame can withstand a greater load as opposed to away from the door frame. It is a realistic assumption and is of low consequence. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 16 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Floor drains were assumed to be capable of controlling water levels for spray events. This assumption is based on the expectation that a spray event will not result in a significant accumulation of standing water. During plant walkdowns it was observed that drain entrances were maintained in proper working condition and free of debris. Drains were not credited for any flood or major flood events. It was assumed that spurious actuation of system relief valves would discharge a limited amount of inventory to a discharge tank. Such events were screened out as potential flood sources. It is a realistic assumption and is of low consequence. Therefore, no sensitivity analysis is required for this application. Grouping boundary condition sets for the LERF analysis results in conservative modeling of the containment isolation valves. Grouping boundary condition sets for the LERF analysis is a conservative approach. The LERF contribution of sequences that have been grouped for the LERF analysis and involve failure of containment isolation valves are considered very low. This is a conservative approach and is of low consequence. Therefore, no sensitivity analysis is required for this application. The piping layout for flood sources included in the Internal Flood PRA was shown and estimated to be similar for all three units. To the extent possible, the similarities were confirmed during the plant walkdowns. Therefore, Units 2 and 3 pipe lengths were assumed to be identical to Unit 1 piping lengths. There are no major differences between the three units. It is a realistic assumption and is of low consequence. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 17 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition It is assumed that if a PBF were to occur in the Safety Injection (SI) or Chemical & Volume Control (CH) system piping, that the operator would isolate the flood at one of the two pipe headers connecting the Refueling Water Tank (RWT) to the CH and SI systems. There are no operator procedures for isolating a flood event, therefore the most conservative and bounding location to isolate a flood of the SI or CH is one of the two pipe headers. By isolating at this point it results in the loss of at least one train of the ECCS. This does cause a trip. Therefore the overall impact on the model is small. This is a conservative assumption and is of low consequence. Therefore, no sensitivity analysis is required for this application. It is assumed that spurious actuation of system relief valves would discharge a limited amount of inventory to a discharge tank and such events were screened out as potential flood sources. Spurious actuation of a system relief valve was not determined to be a credible flood source because the inventory that was released would be retained within the flood area and would not lead to an applicable initiating event. The risk is considered negligible as this is not considered to be a significant source of inventory. This is of low consequence. Therefore, no sensitivity analysis is required for this application. Limited or no access to an area where flood initiation occurs was assumed. There was no credit taken for mitigation when the equipment relied on for mitigation was located in the flood initiation area. Operators cannot get into flooded areas. This is of low consequence. Therefore, no sensitivity analysis is required for this application. Only one internal flood initiating event is assumed to occur at a time. The occurrence of simultaneous multiple independent internal flood events were considered to be very unlikely and were not considered in this evaluation. This is consistent with PRA modeling. It is a realistic assumption and is of low consequence. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 18 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition The breach of isolation barrier(s) that may result in a maintenance-induced flood event was assumed to have no impact on altering the propagation paths related to other flooding mechanisms (i.e., pipe failure) for the flood source. This is a simplifying assumption that has negligible impact on the model. Propagation pathways were made to be conservative for all scenarios. Maintenance induced failures such as sprinkler heads were specifically evaluated as spray events in the flood model where they could lead to a plant trip. This is a conservative assumption and is of low consequence. Therefore, no sensitivity analysis is required for this application. The indirect effects of a PBF on the operability of a closed looped system were considered to be immediate. Closed looped systems were considered to be normally operating and provides cooling to equipment that is relied on to maintain the plant in a power production state. It was therefore assumed that operator actions cannot be performed in a timely manner to preclude a plant trip. Most closed loop systems have a limited system capacity. A PBF would drain the system and in most cases an operator action to isolate the PBF would not be feasible. This assumption is conservative and raises CDF. This is a conservative assumption and is of low consequence. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 19 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition The spill rate resulting from a PBF of a potential unlimited flood source that causes a spray event is low enough (i.e., <100 gpm) to have no significant impact on the operation of the affected system. For a potentially unlimited source, a PBF that resulted in a spray event (<100 gpm) would take an extraordinary amount of time to cause a loss of that system. Additionally, given that for most of the large nearly unlimited sources the makeup capabilities of the system would generally exceed the flow rate generated by a spray event. It was therefore assumed that such systems have sufficient design margin to maintain the operability of the system and a plant trip would not occur. Note that for systems with a low system capacity (i.e. the CH system) this assumption was not valid. It is a realistic assumption and is of low consequence. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 20 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition The flow rate from a PBF is assumed static at the maximum possible rate and the scenario is only ended when the source was exhausted or isolated. The spill rate resulting from a PBF of piping is considered to be the highest flow rate possible from the system or piping, and for tank is was assumed to be constant at an assumed flow rate, and for systems requiring pumps is considered the realistic pump flow rate, for the particular break in the originating flood area until the flood source was isolated or its water supply was limited or exhausted. The accumulation of flood water in a flood area was considered halted when the flood source was terminated, or when outflow from the flood area matches or exceeds the inflow of flood water to the flood area. A constant maximum spill rate minimizes the time to reach the critical heights for SSCs that are susceptible to flooding. Spill rates were assumed to fall within the following categories: ~ Spray events: 100 gpm ~ Flood events: greater than 100 gpm but less than 2000 gpm (or maximum capacity of the system, whichever is lower) ~ Major flood events:

greater than 2000 gpm (or the maximum capacity of the system, whichever is lower) This is a conservative assumption and is of low consequence. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 21 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition The treatment of main steamline break and main feedwater line break internal events analysis was assumed to address the impact of these events in assessing whether main feedwater can be recovered following a reactor trip. Recovery of feedwater is important for secondary side heat removal. The internal events analysis was believed to provide sufficient analysis to be used in the internal flooding model. This is of low consequence since the equipment/ components failed in the internal events model is bounding. Feedwater line breaks impact alternate feedwater, steam to auxiliary feedwater pump A, turbine bypass valves and main feedwater. Steamline breaks impact auxiliary feedwater to the faulted steam generator (SG), steam supply to auxiliary feedwater pump A, main feedwater and turbine bypass valves. Additionally, the atmospheric dump valves for steam line break and feedwater line break associated with the faulted SG would be impacted, but are not credited for the faulted SG. Therefore, no sensitivity analysis is required for this application. It was assumed that minimal or no dependency existed between flood-specific and large early release specific Human Failure Events (HFEs). The flood HRA dependency analysis did not include large early release specific HFEs. HFEs specific to large early releases (i.e., post-core damage operator actions) are generally performed several hours after the initiating event occurs. No dependency between early and late operator actions. There is no impact on the model. This is of low consequence. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 22 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition The fire areas defined by the Fire Hazards Analysis (which is contained in the UFSAR, Sections 9B.2.1 through 9B.2.22) will substantially contain the adverse effects of fires originating from any currently installed fixed ignition source or reasonably expected transient ignition source. Fire zone boundaries are similarly assumed adequate or combined. Fire areas are required by regulation to be "sufficiently bounded to withstand the hazards associated with the area" as defined in Generic Letter 86-10 (Enclosure 1 Section 4). Fire zone boundaries are similarly assumed adequate; however, because fire zones have a lesser pedigree than fire areas, their boundaries are verified adequately in this notebook by a FHA review and plant walkdowns. Fire zone boundaries that appear unable to withstand the fire hazards within the zone are combined. The fire PRA utilizes fire compartments which generally align with fire zones, but may be a combination of several fire zones. It is a realistic assumption and is of low consequence. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 23 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Systems and equipment not credited in the fire-induced risk model (e.g., systems for which cable routing will not be performed) are assumed to be failed in the fire-induced risk model. These systems and equipment are failed in the worst possible failure mode, including spurious operation It is assumed that any fire will minimally result in a loss of Main Feedwater and subsequent reactor trip. This is a simplifying and conservative assumption and is typical of Fire PRAs. However, it may not be true for all fires. The assumption that any fire fails all equipment lacking cable routing information has the potential to affect the assessed fire risk. The assumption that any fire will minimally result in a loss of Main Feedwater and subsequent reactor trip likely adds conservatism to the Fire PRA results. However, the degree of conservatism is relatively small compared with other modeling uncertainties, since Main Feedwater will trip for most transient events. The impact of these assumptions was evaluated by a sensitivity analysis case which concluded that the risk reduction due to crediting all components assumed always failed was small. It is a realistic assumption and is of low consequence. Therefore, no sensitivity analysis is required for this application. It is assumed that the Reactor Protection System (RPS) design is sufficiently fail-safe and redundant to preclude fire-induce failure to scram, or random failure to scram during a fire event, as a risk significant contributor. RPS design is sufficiently fail-safe and redundant to preclude fire-induce failure to scram: Consistent with the guidance in NUREG/CR-6850 Section 2.5.1, type of sequences that can be generally eliminated from consideration in Fire PRA include sequences for which a low frequency argument can be made, and uses ATWS as a specific example, because fire-induced failures will almost certainly remove power from the control rods, resulting a trip, rather than cause a "failure to scram" condition. It is a realistic assumption and is of low consequence. The low frequency of a fire occurring coincident with the low probability of independent failure to scram results in a negligible contribution to fire risk. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 24 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Properly sized and coordinated electrical protective devices are assumed to function within their design tripping characteristics, thus preventing initiation of secondary fires through circuit faults created by the initiating fire. Electrical protection design calculations provide the documentation of the electrical coordination between overcurrent protective devices. An evaluation was performed to assess the Fire PRA power supply coordination requirements in accordance with NUREG/CR 6850, and provides a link to relevant PVNGS electrical coordination calculations that demonstrate selective tripping capability for each credited Fire PRA power supply. When selective tripping cannot be demonstrated, the current fire PRA model credits cable lengths to limit fault current that fails a power supply. This is a conservative approach because credited cable lengths have a margin of 20% or more applied to the credited cable lengths to ensure that applicable raceways were identified. Additionally, the fire-induced impact is modeled within the credited cable length. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 25 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition It is assumed that Fire PRA targets were assigned the appropriate radiant heat flux damage and temperature damage criteria depending on the cable insulation information available. In other words, all raceways containing cables with thermoplastic or unknown cable insulation were assigned a radiant heat flux damage threshold of 6kW/m2 and 205 °C. All raceways containing cables with thermoset insulation only may be assigned a radiant heat flux damage threshold of 11 kW/m2 and 330 °C but have been initially assigned the thermoplastic damage thresholds. All raceways containing cables were assigned a radiant heat flux damage threshold of 6kW/m2 and 205 °C. Raceways containing cables with thermoset insulation only may be assigned a radiant heat flux damage threshold of 11 kW/m2 and 330 °C but have been initially assigned the thermoplastic damage thresholds. A brief review of the dominant scenarios identified the existence of thermoplastic insulated cables within the target raceways. It is a realistic assumption and is of low consequence. It was concluded that minimal benefit could be obtained by further analysis to identify and model raceways containing only thermoset insulation. Therefore, no sensitivity analysis is required for this application. Risk Insights Related to One-Time Extended Completion Time 26 Attachment 11 Disposition of Key Assumptions/Sources of Uncertainty Assumption / Uncertainty Discussion Disposition Planned plant modifications and recovery actions are assumed in the base case model. These modeled modifications are assumed to correct the fire vulnerability and not introduce any new failure modes. This approach introduces uncertainty in the results, because the actual modifications may vary for those assumed or they may not function as modeled. The assumed modifications are documented in the Fire PRA studies. Plant and model configuration and control mechanisms are in place to ensure that the fire model will be updated to reflect the as-installed modifications. One specific planned plant modification is the installation of an additional Steam Generator makeup capability to address Fire PRA risk. A sensitivity was performed that removes this modification from the model This assumption that the planned plant modifications will be installed and tested/operated as assumed in the fire PRA model has significant impact. The assumption is realistic since the PRA analysis provided details to the design modifications group in developing the plant modifications and procedures. Therefore, no sensitivity analysis is required for this application.

References:

1. WCAP-15749, Guidance for the Implementation of the CEOG Model for Failure of RCP Seals Given Loss of Seal Cooling, Revision 0, December 2008 2. NUREG/CR-6928, Industry-Average Performance for Components and Initiating Events at U.S. Commercial Nuclear Power Plants, January 2007 3. NUREG-1829, Estimating Loss-of-Coolant Accident (LOCA) Frequencies through the Elicitation Process, Draft 4. 13-NS-C004, At-Power PRA Study for Loss Of Offsite Power Statistical Evaluation, Revision 7 5. NUREG/CR-INEEL/EXT 04-0236, Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1986-2003, October 2004

Retrieved from "https://kanterella.com/w/index.php?title=ML16356A689&oldid=630749"