Text

Evaluation - Memorandum Regarding Licensee Event Report Safety Significance Review in Response to Findings Associated with Inspection Procedure 95003; Evaluation of NRC Assessment and Inspection Processes at Pilgrim Nuclear Power Station
	ML18158A130
Person / Time
Site:	Pilgrim
Issue date:	06/07/2018
From:	Frank Arner; NRC Region 1
To:	Jimi Yerokun; Division of Reactor Safety I
Shared Package
ML18158A104	List: ML18158A110; ML18158A130; ML18158A133;
References
	Download: ML18158A130 (50)
	v • d • e

UNITED STATES NUCLEAR REGULATORY COMMISSION REGION I 2100 RENAISSANCE BOULEVARD, SUITE 100 KING OF PRUSSIA, PA 19406-2713 June 6, 2018 MEMORANDUM TO: Jimi T. Yerokun, Director Division of Reactor Safety FROM: Frank J. Arner, Senior Reactor Analyst /RA/

Division of Reactor Safety

SUBJECT:

LICENSEE EVENT REPORT SAFETY SIGNIFICANCE REVIEW IN RESPONSE TO FINDINGS ASSOCIATED WITH INSPECTION PROCEDURE 95003: EVALUATION OF NRC ASSESSMENT AND INSPECTION PROCESSES AT PILGRIM NUCLEAR POWER STATION In accordance with Inspection Procedure (IP) 95003, Supplemental Inspection for Repetitive Degraded Cornerstones, Multiple Degraded Cornerstones, Multiple Yellow Inputs, or One Red Input, Region I conducted an evaluation to determine whether the NRCs assessment and inspection processes applied at Pilgrim Nuclear Power Station (Pilgrim) appropriately characterized licensee performance based on previous inspection information and whether sufficient warning was provided to identify a significant reduction in safety. The result of the review is documented in ADAMS (ML18157A040). The review also identified that Licensee Event Reports (LERs) in the 2011 - 2013 timeframe may not have been consistently evaluated and documented as findings or violations consistent with ROP and enforcement guidance. In response to this observation, a more expansive review of 37 LERs from 2007 through 2014 was conducted to determine if any issues may have been greater than very low safety significance and not adequately evaluated consistent with ROP and enforcement guidance.

An independent assessment by a Region I Senior Reactor Analyst determined that during the timeframe of 2010 - 2013 there appeared to be inconsistencies with the evaluation and follow-up documentation of LERs. Specifically, many of the issues described within the LERs appear to have been more appropriately evaluated as self-revealing issues with performance deficiencies, requiring a greater level of detail within the LER closeout inspection report descriptions. However, it should be noted that, due to the regulatory judgment that can be applied when reviewing an issue, some variance between inspectors assessment of an issue can be expected. Additionally, this effort was not an attempt to re-inspect the issue, and therefore in many cases it may be inaccurate to have assumed a performance deficiency existed from information provided within the LERs, without a detailed inspection follow-up.

Notwithstanding this, an attempt was made to evaluate the safety significance of each LER given the limited information provided in the LER.

CONTACT: Frank J. Arner, RI/DRS (610) 337-5194

J. Yerokun 2 This assessment did not identify any LERs with apparent performance deficiencies which would have exceeded the threshold of a very low safety significant issue. As noted, the reviewer did not seek additional clarifying information from the responsible inspectors/management related to how these LERs were originally assessed due to the very low safety significance of the potential performance deficiency. Enclosure 1 contains the summary and results of this review. contains a brief summary of each of the 37 LERs reviewed along with the safety significance assessment. :

Safety Significance Review - Closeout of Licensee Event Reports 2007 through 2014 :

PILGRIM STATION (Best Estimate Safety Significance Review of Licensee Event Reports)

ML18158A130 Non-Sensitive Publicly Available SUNSI Review Sensitive Non-Publicly Available OFFICE RI/DRS RI/DRS NAME FArner/fa JYerokun/jy DATE 6/6/18 6/6/18 Enclosure 1 Safety Significance Review - Closeout of Licensee Event Reports 2007 through 2014

Background

In accordance with Section 03.11 of Inspection Procedure 95003, Region I conducted a review of NRCs oversight of Pilgrim Nuclear Power Station (Pilgrim) for the period leading to the plants placement in Column 4 of NRCs Action Matrix. The review also identified that Licensee Event Reports (LERs) in the 2011 - 2013 timeframe may not have been consistently evaluated and documented as findings or violations consistent with ROP and enforcement guidance.

Scope/Activities Conducted In response to the teams findings, a review of 37 LERs from 2007 through 2014 was conducted by a regional senior reactor analyst (SRA) to perform a best estimate determination if any issues may have been greater than very low safety significance and not adequately evaluated consistent with ROP and enforcement guidance. The LER description of the event and overall content was used to attempt to assess the safety significance of the issue. For cases, where there had been no apparent PD identified within the closeout inspection report for the LER, but there appeared to be one as described within the LER, the analyst made an assumption of what the potential PD could have been in order to perform the appropriate risk assessment.

Therefore, it must be recognized that there is uncertainty involved in this assessment without detailed inspection of the issues. In very few instances, if more information was critical to the risk assessment, such as exposure time of a PD, and this information was not readily available within the LER description, an attempt was made to review the inspection report for additional clarification. The assessment of safety significance was performed for all 37 LERs, including those that had been documented with PDs and non-cited violations (NCVs) to independently confirm the very low safety significance determinations.

The analyst did not seek additional information from the Division of Reactor Project (DRP) branch if there was an apparent different conclusion relative to how issues should have been handled in the corresponding closeout documentation of the LERs. There was one exception to this where a detailed licensee root cause evaluation was reviewed to gain a better insight into the appropriateness of a PD assumption and the best estimate risk evaluation for the issue.

Lastly, this effort was an attempt to determine what the risk of the issue would have been in the timeframe it existed in order to better understand how it would have been evaluated and treated within the ROP. This required finding a best case match of the Pilgrim PRA model near the timeframe of the events. The analyst therefore used Pilgrim SPAR model version 8.24, which compared favorably to what had been used during an alternate sequence precursor (ASP) analysis for the NEMO severe weather event in 2013. This model was thought to provide a best estimate tool for assessing the risk at the time of the notable events. The SRA made various modeling changes as appropriate for any event evaluated. Additionally, discussions were held with an Idaho National Labs (INL) SPAR model expert to assess any significant differences which may have existed in the modeling over the given timeframes evaluated. Lastly, the SRA tried to match what Inspection Manual Chapter 0609 Significance Determination Process (SDP) procedures that were in place at the time of the events as some have been revised such as IMC 0609, Appendix I - Operator Requalification Training, which had the potential to affect the risk determination. These efforts were performed to ensure that the risk determination matched the procedures, tools and guidance in place at the time of the events, which could influence the assessment within the ROP.

2 Results/Assessment This independent review confirmed that during the timeframe of 2010 - 2013 there appeared to be inconsistencies with the evaluation and follow-up documentation of LERs. Specifically, many of the issues described within the LERs may have been more appropriately evaluated as self-revealing issues with performance deficiencies, requiring a greater level of detail within the LER closeout inspection report descriptions. However, it is recognized, that due to the regulatory judgement that can be applied when reviewing an issue some variance between inspectors assessment of an issue could be expected. Additionally, this effort was not an attempt to re-inspect the issue, and therefore in many cases it may be inaccurate to have assumed a performance deficiency existed from information provided within the LERs, without a detailed inspection follow-up.

A total of six detailed risk evaluations (DREs) were performed for issues that appeared to have potential performance deficiencies as described within the LER. In a few cases additional DREs were performed for LERs even if the analyst did not identify the potential for a PD within the LER. This was performed as a sensitivity study for what the safety significance of the issue may have been if a PD had been established. There was one LER, 2013-003, Loss of Offsite Power Event Due to Winter Storm NEMO, which would have been elevated above the very low safety significance level if a PD had been determined which directly caused the loss of offsite power event. The analyst, and the original inspection at the time of the event, did not identify a PD relative to this event given the details within the LER.

This review did not identify any LERs with apparent performance deficiencies which would have exceeded the threshold of a very low safety significant issue. Additionally, the analyst independently verified LERs that had been originally documented as non-cited violations (NCVs) with very low safety significance has been appropriately assessed.

Conclusion/Summary This review did not identify any LERs with clear performance deficiencies which would have exceeded the threshold of a very low safety significant issue. This review is considered to be a best effort based on incomplete information in that actual inspection follow-up of the LER issues was not performed by the reviewer. As stated, in many cases, additional follow-up with the Licensee and gathering of additional facts often results in the conclusion that no performance deficiency existed or supports a specific PD determination. During the normal course of performing detailed risk evaluations, there is typically discussions with the Licensee to gather additional facts related to the risk evaluation. This was not performed given the nature of the review, but in the analysts opinion would have had no effect on the final conclusions.

ENCLOSURE 2 PILGRIM STATION (Best Estimate Safety Significance Review of Licensee Event Reports)

Background

The following LER reviews provide a best estimate independent determination of the safety significance for LERS from the 2007 through 2014 timeframe. The LER description of the event was used to try to assess the risk of an issue, assuming a performance deficiency (PD) had existed. For cases where there had been no apparent PD identified in the initial review and closeout of the LER, the assumptions made by the analyst of what the potential PD would have been would impact the assessment of the risk significance. Therefore it is recognized that there is uncertainty involved in this assessment. This was not an attempt to re-inspect the issue, and therefore in some cases it may be presumptuous to assume or conclude a PD existed from information provided within an LER, when a PD was not originally documented.

Notwithstanding this, the analyst attempted to independently determine a best estimate of safety significance for the applicable LERs. If more information was critical to the assessment, such as exposure time or how long a deficiency existed, and this information was not readily available within the LER description, an attempt to review the associated Inspection Report was made for additional clarification. The assessment of safety significance was performed for all LERs, including those that had been documented with PDs to independently confirm the very low safety significance determinations. For the LERs reviewed, a brief excerpt from the LERs is provided along with the analysts assessment of safety significance.

Precautions and Limitations The following review was performed as a best estimate of the safety impact of the LERs given the information enclosed within the LER. As noted above, there was no attempt at re-inspecting the issue in further detail with few exceptions. The review was intended to use the facts within the LER to determine a best estimate of the risk which would have been determined at the time of the events if a PD was involved, using an assumed best available plant specific model for that timeframe. When appropriate the analyst commented or gave an opinion on if a PD appeared to exist given the LER description. There was no attempt made to interview the inspectors involved in the original LER closeouts. Therefore, in some cases, additional information may have been available to support that no PD had existed even if the LER implied one had existed.

During the normal course of performing detailed risk evaluations, there is typically multiple discussions held with the Licensee to gather additional facts related to the risk evaluation for the potential PD. This was not performed given the nature of this review. It is important to note that an SDP evaluation of a PD, can be much different than what may be documented within the LER from a risk perspective. This is due to the different risk metrics used such as conditional core damage probability (CCDP) and increase in core damage frequency (CDF) per year. For instance accident sequence precursor (ASP) reviews do not use the same assumptions in many cases when mapping a PD to risk such as is done for SDPs.

2 Assessment of LERs (2007 through 2014) 2007001 Primary Containment Isolations Following a Manual Reactor Scram The analyst noted that Pilgrim manually scrammed the Unit after an increase in reactor coolant system unidentified leak rate. The Licensee Event Report (LER) identified that the root cause of the increase in unidentified leakage was the failure of valve packing for Reactor Water Clean-up (RWCU) valve MO-1201-85, which is located inside primary containment and is not accessible during power operation. The failure was due to inadequate preventive maintenance of the valve packing.

The analyst noted the Inspection Procedure 95003 evaluation had identified that this issue had been documented as an NCV of very low safety significance. The SRA agreed with this assessment and determined that this would have appropriately screened to Green, or an issue of very low safety significance. This event would be screened through (IMC 0609, Appendix A, Exhibit 1) Section B, Transient Initiator that caused a reactor trip but did NOT include the loss of mitigating equipment relied upon to transition plant from trip to stable condition.

2007002 Emergency Diesel Generator Kilowatt (KW) Power Oscillations On February 23, 2007 while operating the "B" Emergency Diesel Generator (EDG)", oscillations in Kilowatt (KW) output were observed that reached administrative test abort criteria of > 200 KW total span. The "B" EDG was manually shutdown. Previously on January 25, 2007 during an operability test following an overhaul of the "B" EDG, unexpected KW oscillations up to 150 KW were observed but these oscillations did not reach the abort criteria.

The root cause of the oscillations was clogging of internal passages in the Woodward hydraulic governor due to the intrusion of foreign material. It was discovered that the oil in the governor was contaminated with particles of aluminum of varying size. The source of the particles was an aluminum label from the shutdown solenoid that separated from the solenoid and was free to move about inside the governor.

Corrective action taken includes replacement of the Woodward hydraulic governor and retest of the "B" EDG to demonstrate operability. Pilgrim verified similar conditions did not exist in "A" EDG and Station Blackout Diesel Generator. Maintenance personnel were trained on the lessons learned from these events. An Operating Experience (OE) report was issued to the industry and Entergy fleet concerning potential for the valve label being introduced as foreign material into the hydraulic governor.

The analyst noted the 95003 evaluation had identified that this issue had been documented as an NCV of very low safety significance. The analyst noted that the risk of this issue would be highly dependent on the exposure time and how this failure was modeled. For instance if the failure was due to foreign material within the governor for a long period of time this may be modeled as a failure to run (FTR) and therefore have an exposure time based on proven EDG run time equivalent to a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time. Therefore the analyst reviewed the associated inspection report from the 2007 timeframe which had performed the risk evaluation. The analyst concluded that a 29 day exposure time was appropriate for the issue. This was based on the likelihood that the contaminants were established 29 days earlier from the facts surrounding the issue. The analyst performed an independent review using a 2013 version of the Pilgrim SPAR model with an assumed 29 day exposure period for the finding. The increase in CDF/yr was a

3 nominal 2E-7/yr. This was based on setting the EDG fail to run event to TRUE, ensuring full common cause was applied. Given that the internal event risk increase was in the low E-7/yr range (consistent with the range determined at the time of the issue) and the senior reactor analyst (SRA) in the 2007 timeframe had evaluated no change in the safety significance due to external driven fire events along with LERF contributions, the analyst concluded the issue had been appropriately determined to be of very low safety significance.

2007003, Reactor Coolant Boundary Leakage due to Reactor Vessel Nozzle Weld Crack Propagation On April 26, 2007, at approximately 1930 hours0.0223 days 0.536 hours 0.00319 weeks 7.34365e-4 months , the N2K recirculation system inlet nozzle experienced slight water seepage while repairs were being performed to install a full structural weld overlay. At the time that the leakage was noted, the reactor was shutdown for refueling.

All required control rods were in the fully inserted position. The reactor vessel was at atmospheric pressure. The reactor vessel water temperature was less than 212 degrees Fahrenheit. Reactor water level was flooded up for refueling and being maintained at the 116' elevation. The LER noted that if this flaw had remained in-service, slow growth crack rates would be expected during future operating cycles.

The analyst did not identify any clear performance deficiency through an initial review of the LER. Given the description of extremely small seepage at the limited water head pressure during shutdown conditions, it is the analysts judgment that this issue would be of very low risk significance if a performance deficiency would have been identified, given the diverse means of low pressure injection sources typically available at boiling water reactors.

2007004, Target Rock Relief Valves' Test Pressures Exceed Technical Specification Tolerance Limit On June 13 2007, Pilgrim Station was notified that three of the four Target Rock relief valve pilot assemblies exceeded the Technical Specification (TS) tolerance limit of 1115 +/-11 psi (+/- 1%)

during routine testing at the Wyle Laboratories test facility. Certified replacement relief valve pilot assemblies were previously installed in the plant.

The cause of the as-found initial popping pressures exceeding the TS tolerance limit for two of the pilot valves was "setpoint variance". The cause of the as-found initial popping pressure exceeding the TS tolerance limit for the third pilot valve was corrosion bonding.

The analyst noted that this had been documented by the 95003 evaluation as an item that had been identified as an NCV (very low safety significance). The analyst reviewed the LER description and determined the risk significance was appropriate. The analyst noted that the Pilgrim station had done a review of the appropriate safety functions that could be affected by out of tolerance SRVS, such as Minimum Critical Power Ratio, Overpressure Events, Anticipated Transients without Scram, and ability of HPCI and RCIC to perform their functions.

Therefore, with these safety functions not impacted the issue would be of very low safety significance.

2007005, Reactor Scram Resulting from Low Vacuum Turbine Trip The direct cause of the event was an improperly calibrated low vacuum turbine trip #1 setting during refuel outage (RFO) 16. The root cause analysis identified that technicians failed to

4 properly apply human performance tools relative to the low vacuum trip instrument when the instrument calibration was performed. This had been appropriately screened as very low safety significance and documented as an NCV according to the spreadsheet provided by the 95003 self-assessment team. The analyst agreed with this assessment and that it would Screen to Green, (IMC 0609, Appendix A, Exhibit 1), Transient without loss of any mitigating equipment.

2008001, Failure to Meet Technical Specification Requirements for Secondary Containment The analyst noted from the LER description that on January 10, 2008 between 0700 and 1600 hours0.0185 days 0.444 hours 0.00265 weeks 6.088e-4 months , on-line testing of the Reactor Building Isolation Control System (RBICS) ventilation dampers was performed. This testing identified that in the closed position, damper AO-N-78 did not fully close. The damper did not meet Technical Specification requirements for full damper closure. Subsequently, Technical Specification compensatory actions to restore operability or to secure the damper were not taken for approximately 96 hours0.00111 days 0.0267 hours 1.587302e-4 weeks 3.6528e-5 months . The reactor was at full power conditions prior to and during the event.

The analyst used inspection manual chapter (IMC 0609, Appendix A, Exhibit 3- Barrier Integrity Screening, and determined this would screen to Green (very low safety significance),

representing potential degradation of the ability of the standby gas treatment system to perform its function to maintain secondary containment.

2008002, Failure to Meet Technical Specification Requirements for Undervoltage Relay Trip Setting On January 11, 2008, the as-found, post-service, calibration test of the GE Type RAV11.B AC undervoltage (UV) 127-A5/1 and 127-A5/2 relays determined that the undervoltage relays that had been installed on the A5 safety-related 4KV bus from May 2, 2005 to June 11, 2007 exceeded the Technical Specification (TS) required set point range of 20-25% specified in TS Table 3.2.B.

The undervoltage protection is provided by two (2) GE Type RAVI 1B AC undervoltage relays within the A5 (127-A5/1 and 127-A5/2) and A6 (127-A6/1 and 127-A6/2) buses which actuate in a two out of two logic. If 4160 V bus voltage drops below 1040 volts (25% of ,bus rated), relays 127-A5/1 and 127-A5/2 will operate and will trip the Residual Heat Removal (RHR), Core Spray (CS), and Control Rod Drive (CRD) pump motor supply breakers without any intentional time delay. These relays will also trip the Unit Aux Transformer (UAT) feeder breaker to the A-5 (A-6) bus and provide a permissive signal in the close logic for the output breaker of the associated emergency diesel generator.

The LER documented that the safety significance of the issue was low. The Licensee determined that there would be no adverse impact on the operation of the components installed downstream of the A5 bus with the as-found settings. The relays tripping at a higher voltage than the no-adjust limit would not have a significant effect on any safety-related equipment. The relays actuate to shed loads on the bus in anticipation of loss of off-site power and bus voltage restoration from the emergency diesel generator. A time delay exists in the logic to allow residual bus voltage to decay prior to closure of the emergency diesel supply breaker, therefore a slightly premature actuation of these relays does not challenge safety-related equipment.

5 The analyst determined the above evaluation to be reasonable. At voltages of 30% of nominal, these would represent unstable conditions for downstream equipment to be operated from these offsite power voltage levels and therefore transferring over to a stable source of power (EDGs) at a slightly higher undervoltage setpoint would not represent an adverse condition, but would result in safety related equipment being restored to proper voltage supply. Therefore, the issue would be estimated to be of very low safety significance if a Phase 3 detailed risk evaluation would be performed.

2008003, RCIC System Declared Inoperable During Surveillance Testing due to Procedure Error The LER documented that on October 6, 2008, at 2224 hours0.0257 days 0.618 hours 0.00368 weeks 8.46232e-4 months , the Reactor Core Isolation Cooling (RCIC) System was declared inoperable. This action was taken because the RCIC system received an inadvertent Group 5 isolation signal during the performance of an Instrumentation and Control (I&C) surveillance. All isolations went to completion. RCIC was not operating at the time of the surveillance. The Group 5 isolation was reset and RCIC was placed in stand-by line up.

The cause of the event was due to an error introduced into the recently revised surveillance procedure. The restoration section of the procedure was sequenced incorrectly in that the procedure required the removal of control relay contact blocking devices (boots) prior to the resetting of the RCIC automatic isolation signal.

The analyst determined given the very limited exposure time (effect was during an I&C test), the issue would screen to Green, in accordance with IMC 0609, Appendix A, Exhibit 2-Mitigating Systems Cornerstone. The analyst noted that an NCV had been identified for the issue from a review of the 95003 self-assessment team determination and agreed with this assessment.

2008004, High Pressure Coolant Injection System Inoperable Due to Undervoltage Relay Failure in Valve Power Supply Circuit The LER noted that on October 21, 2008, at 1944 hours0.0225 days 0.54 hours 0.00321 weeks 7.39692e-4 months , with the plant operating at 100%

power, the Control Room received a Motor Control Center (MCC) D9 trouble alarm. Operators noted that the indicator light for the High Pressure Coolant Injection (HPCI) Injection Valve MO-2301-8 was extinguished. Investigation at the MCC revealed that the 125V DC valve control power circuit for the normally closed HPCI Injection Valve MO-2301-8 was de-energized due to failure of the undervoltage relay in the 250V DC power feed to the valve motor operator. HPCI was declared inoperable and applicable Technical Specification (TS) Limiting Conditions for Operation (LCO) were applied. The undervoltage relay was replaced, and HPCI was returned to operable standby status at 0404 hours0.00468 days 0.112 hours 6.679894e-4 weeks 1.53722e-4 months on October 22, 2008. The most probable root cause of the event was identified to be an isolated premature failure of the undervoltage relay due to a manufacturing defect.

The HPCI System provides high pressure makeup water to the reactor vessel after isolation of the vessel. The HPCI System was inoperable for approximately 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months and 30 minutes due to the loss of 125V DC control power to HPCI Injection Valve MO-2301-8. During this time frame the ADS, Core Spray, RHR, and RCIC Systems were operable and met the 14 day Technical Specification 3.5.C.2 limiting condition for operation requirements for operating the plant with an inoperable HPCI System. There was no NCV identified and it was not clear to the analyst that a

6 performance deficiency would have existed. Notwithstanding this, if there was a PD, the limited exposure time would result in the issue screening to Green or an issue of very low safety significance, Green.

2008005, HPCI System Declared Inoperable During Surveillance Testing due to Human Error On November 20, 2008, at 1657 hours0.0192 days 0.46 hours 0.00274 weeks 6.304885e-4 months , the High Pressure Coolant Injection (HPCI) System was declared inoperable with the plant at 100% power. No other plant equipment was out of service at the time. This action was taken because the HPCI System isolated on a Group IV signal when Instrumentation and Control (I&C) Technicians were performing a scheduled surveillance test of temperature switches in the HPCI steam leak detection circuitry. This isolation was not part of the planned evolution.

The HPCI System provides high pressure makeup water to the reactor vessel after isolation of the vessel. The HPCI System was inoperable for approximately 67 minutes due to the inadvertent isolation during an l&C Surveillance test. The analyst determined that this issue had been appropriately documented as an NCV and would screen to Green, given the limited exposure time where HPCI was adversely affected.

2008006 Scram with Switchyard breaker fault during winter storm The LER documented that on December 19, 2008 at 1831 hours0.0212 days 0.509 hours 0.00303 weeks 6.966955e-4 months during a severe winter storm an automatic reactor scram occurred with the plant operating at 100% power. The automatic scram initiated from a valid Reactor Protection (RPS) Signal resulting from fast closure of the turbine control valves due to actuation of the main transformer bus differential relay (87B/MT).

Automatic response from the main transformer protective relay scheme included opening 345 kV circuit breakers ACB-104 and ACB-105; main turbine trip; and fast transfer of 4.16 kV power from the Unit Auxiliary Transformer (UAT) to the Startup transformer (SUT).

The turbine trip resulted in automatic closing of the turbine control valves and stop valves. Three (3) turbine steam bypass valves opened to divert steam flow to the main condenser. These turbine steam bypass valves have a capacity for diverting 25% of the rated steam flow. In accordance with the analyzed transient analysis for a load reject event, reactor pressure increased and three (3) of the four (4) main steam relief valves (MSRVs) opened when mechanical set pressure was exceeded. The MSRVs reset and long term reactor pressure control was accomplished using the turbine steam bypass valves.

A review of the LER indicated that a successful fast transfer to offsite power occurred with the condenser heat sink remaining available. There was no NCV found for this issue. However, it was not clear that any performance deficiency existed given the description of the event within the LER. The analyst determined that if there was a PD, this would screen to Green in accordance with IMC 0609, Appendix A, Exhibit 1, because there was no concurrent loss of mitigating equipment relied on to transition the plant from the onset of the trip to a stable shutdown condition.

7 2008-007, Momentary Loss of all 345KV offsite power to the Startup Transformer from SWYD breaker Fault This event occurred in Hot Shutdown, not at normal power conditions and before shutdown cooling was placed in service.

The direct cause stated within the LER that the momentary loss of all 345kv off-site power was a Phase B to ground fault on the switchyard Line 355 bus section (Bridgewater Station), which caused ACB-102 and ACB-103 breakers to trip. The ACB-103 breaker tripped because it received a remote transfer trip signal from Auburn Street Station owned by the transmission system operator, National Grid (NGRID). The ground fault was cleared by the ACB-102 breaker, and the Bridgewater Station breakers (the ACB-105 breaker was already open from the previous day's reactor scram), however, the ACB-103 breaker should not have tripped. Tripping of ACB-102 and ACB-103 resulted in a loss of the SUT and transferring of the safety busses to the EDGs.

Per plant design, when a fault occurs on Line 355 or its associated switchyard bus section, ACB-102 and ACB-105 open automatically to isolate the fault in response to both Pilgrim Station and Bridgewater protective relaying. ACB-103 should remain closed and continue to supply power to the SUT. The directional ground overcurrent relay (DGOR) at Auburn Street Station, which is designed to respond to a disturbance up to 85 percent of Line 342 length, responded to the Line 355 fault and sent the transfer trip to the Pilgrim and Canal Line 342 breakers. This transfer trip signal should not have occurred for such a fault. It was subsequently determined that a relay at Auburn Street Station caused the inadvertent trip.

At the time of the loss of power, the Reactor pressure was at 546 psig, with power still available from an offsite source (23KV line).

The analyst noted the following Background information from the LER:

The LER stated that only two other station loss of offsite power events occurred in the past 22 years. The first was in 1987 and is documented in LER 87-14-01. The second was during a blizzard in April, 1997, and is documented in LER 97-07-01. As with this most recent event, the plant was not on-line for either of the other two, so none of the events challenged the safe shutdown of the reactor from power. The risk to the plant from this type of event is the loss of the preferred power source.

The analyst observation from reading this LER was that this event was not within the control of the Licensee with respect to the tripping of Line 103, and loss of the 345KV feed to the SUT.

Therefore, it would not be expected that a PD or finding would be identified.

During the loss of power, SWYD breakers opened and momentarily power was lost to the Startup transformer (SUT). The EDGs started and powered both safety busses. RCIC and HPCI were placed on pressure control and level control.

If a finding were identified that caused this transient, the analyst noted that IMC 0609, Appendix G SDP Shutdown, would not apply as outlined in IMC 0609, Appendix G:

Appendix G is applicable during refueling outages, forced outages, and maintenance outages starting when the plant has met the entry conditions for RHR/DHR and cooling has been initiated, and ending when the plant is heating up and RHR/DHR has been secured.

8 Note: If the licensee is in a refueling outage or forced outage and the plant is above RHR/DHR entry conditions, then inspectors will use the full power SDP tools acknowledging: (1) decay heat is less compared to full power, potentially allowing for more time for operator recovery, (2) some mitigating systems may require manual operation versus automatic operation, and (3) some containment systems may not be required to be operable potentially increasing the likelihood of containment failure. If the plant is shutdown and the entry conditions for RHR/DHR and RHR/DHR cooling have not been met then Appendix G does not apply The Pilgrim Unit did not have a SPAR model which incorporates Shutdown condition initiating events. Therefore, as a sensitivity study, the analyst reviewed an available boiling water reactor (BWR) SPAR model as a surrogate to the Pilgrim station (Brunswick Unit 1 SPAR Model Version 8.20, Saphire 8.1.6), in order to obtain an understanding of typical important core damage sequences for early shutdown conditions (i.e. Shutdown Early Condition Event Tree).

The analyst used the LOOP scenario for the early shutdown condition with a probability of a LOOP of 1.0. Ninety percent of the top cutsets were associated with a LOOP, with failure of emergency power, failure of the alternate power to the emergency busses, with failure to recover EDGs and Offsite Power.

To attempt to risk inform the issue, the Pilgrim SPAR At-Power LOOPSC event tree was set to 1.0, with the assumption that a finding impacted the failure of the Startup Transformer to remain energized. The 23kV Line was set at a failure rate of 0.1/year to account for its potential availability (unaffected by a PD on the 345kV ring bus or SUT). In order to simulate the actual conditions, the following SPAR model Change Set was applied:

ACP-CRB-CC-505 set to False (Unit Generator already opened before event)

ACP-CRB-CC-605 set to False ACP-CRB-CF-505606 set to False -Unit Auxiliary Generator feeder breakers ACP-TFM-TM-X4 set to False -SUT in Test and Maintenance LOOPSC set to 1.0 to account for the loss of the 345 SWYD source to the Startup Transformer ACP-23KV61 was set to 0.1 in the AND GATE for the 23kV power source Given the station conditions when the SUT lost power to the safety busses for the 2nd time within a day, the Unit Aux Generator breakers could not fail to open as they had previously already opened, and the SUT had been energized so this could not be in Test and Maintenance. Additionally, the ACP breaker failures had not been incorporated into the Pilgrim SPAR model in the 2008 timeframe for failure of unit auxiliary generator breakers to open, which would prevent the SBO EDGs and EDG breakers from closing in on the affected safety busses.

This additional failure scenario was apparently not incorporated in the plant risk modeling until the 2010 timeframe, according to an interview with an Idaho National Lab (INL) SPAR model expert.

The Pilgrim equivalent sequences to the Brunswick Early Shutdown sequence was LOOPSC 28-05, which is a LOOP with failure of Emergency Power, and Failure to recover EDGs and Offsite Power. An additional sequence was solved because at the time of SUT power loss, HPCI and RCIC had to start when the condenser was lost. The 28-22 sequence was also solved for a LOOP with loss of Emergency Power, Failure of High Pressure Injection, and Failure to recover an EDG or Offsite Power within 30 minutes.

9 These sequences were solved to determine a CCDP to inform the risk for this condition and resulted in a value of 1E-7. Therefore, although the model is intended for At-Power conditions and Shutdown Cooling was not yet in service, solving the sequences of importance as reflected by the Brunswick Shutdown Event Tree model and including the high pressure system potential failures, resulted in a CCDP reflecting very low safety significance.

The analyst noted that there was no NCV or Finding identified for this issue.

If a finding were identified, this would have possibly gone through IMC 0609, Appendix M, be informed by the above risk sensitivity and due to the availability of redundant safety systems, the availability of offsite power line 23kV and the SBO DG as well as the EDGs this issue would have been recommended as GREEN or of very low safety significance.

However, it should be noted that from reading the LER a Performance Deficiency does not appear to have existed. This issue also did not appear to have been reasonable for the Licensee to foresee and prevent as noted in the discussion above.

Additionally, qualitative risk information included that during the event, plant operations kept the EDG's in service for several hours to supply power to the emergency busses due to this grid disturbance before successfully returning the busses to their normal electrical system line-up.

Subsequently, the 345kV Lines 342 and 355 re-energized, Ring bus breakers ACB-102 and ACB-103 auto reclosed, and remained closed per design.

2009001 Target Rock Relief Valves Test Pressure Exceeded Limit Due to setpoint Variance The analyst determined that a high or slightly low setting had no appreciable affect on any risk mitigating functions. Therefore the risk would be of very low safety significance, GREEN. This was similar to the event for LER 2007-004 which documented setpoint issues with SRVs. There was no NCV found for this issue, however the risk would be of very low safety significance.

2009002 Failure to Meet TS Requirements for Secondary Containment The Secondary Containment System, in conjunction with other engineered safeguards and nuclear safety systems, limits radioactive material release during normal plant operations to within 10 CFR 20 limits and limits the release to the environs of radioactive materials so that the offsite dose from a postulated DBA will be below the guideline values of 10CFR100.

This issue would Screen to Green in accordance with IMC 0609, Appendix A, Exhibit 3 Barrier Integrity, as it would have represented degradation of a radiological barrier function provided by the standby gas treatement (SBGT) system. The analyst noted the NCV determination for this issue was consistent with this guidance.

2010001, Single Train of RBCCW system Inoperable for Time period Exceeding TS Limits The LER stated that on January 10, 2010 during a backwash evolution on the Reactor Building Closed Cooling Water (RBCCW) System heat exchanger, plant operators discovered a broken bolt on the pipe clamp for the seismic support for the instrument line of the local pump suction pressure gauge attached to the RBCCW "A" Train pump suction pipe. The seismic support is provided to ensure instrument line integrity and is relied on to ensure that RBCCW leakage limits will not be exceeded. The broken bolt compromised the design function of the seismic support and RBCCW "A" Train was conservatively declared inoperable until a new bolt was installed. Pilgrim Station was operating at 100% power when the condition was identified.

10 Subsequent engineering reviews could not determine the exact time that the bolt broke. Based on the condition of the bolt it was assumed that the bolt was broken for a time period that exceeded the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months allowable Technical Specification (TS) Limiting Condition of Operation (LCO) action statement for one RBCCW subsystem inoperable.

An immediate corrective action was completed to install a new bolt on the seismic support clamp. Additional corrective actions were taken to identify extent of condition and to walkdown the Reactor Building Auxiliary Bay areas where similar conditions could exist. No other broken bolts or seismic support damage was identified.

The probable apparent cause was identified to be corrosion that caused a progressive crack which eventually failed the bolt.

If there was a finding or PD determined due to this event, it would screen into a detailed risk evaluation through IMC 0609, Appendix A, Exhibit 2, because it would represent a loss of function of at least a single train for greater than its TS allowed outage time. The 95003 self-assessment team identified that an NCV had not been identified for the issue.

This issue was determined to only have an effect on the A RBCCW loop during a Seismic Event. The analyst used the NRC SPAR Model Version 8.24, SAPHIRE 8.1.6 with the assumption that it would provide a close match to the model used in the 2010 timeframe.

To try to bound the condition, the analyst used a very conservative assumption that a 0.05g Seismic event would result in the loss of the instrument line, thereby rendering the A RBCCW train non-functional.

Change sets were developed for the base case and the conditional case for the SPAR model runs.

Base Case: Prior to 2011, a discussion with an Idaho National Labs expert on the SPAR models indicated that several basic events for the failures of breakers to open were not part of the models. These included the normal Unit Aux Generator breakers 505 and 605 which can have a large effect on risk due to the modeling of the failure to open, rendering the EDGs not being able to close in on the safety bus. Therefore the following changes were made to the base case change set:

ACP-CRB-CC-505 set to ignore ACP-CRB-CC-605 set to ignore ACP-CRB-CF-505605 set to ignore ACP-CRB-CF-504604 set to ignore Initiating Event LOOPGR used as surrogate for Seismic, set to frequency of 1.0/yr All offsite power recovery events, 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months , 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , 16 hour1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months , 30 minutes set to TRUE (No recovery ability for offsite power due to Seismic event assumed)

The Conditional Case was set with a Change set to the same as the above with the addition of the basic event, RBC-HTX-PG-E209A, set to probability of failure of 1.0. This was a surrogate to simulate the above effect of the potential PD in losing the A train of RBCCW.

The base case CCDP was 1.1E-4 The conditional case CCDP was 5.8E-4 The delta CCDP was 4.7E-4

11 The Initiating Event frequency for a Seismic Event with a conditional LOOP probability was taken from the RASP Handbook for External Events for Pilgrim. The Seismic Event frequency 1.3E-3/yr x 0.11 (conditional probability of loss-of-offsite-power (LOOP)) = 1.6E-4/yr for a frequency of a Seismic Event causing a LOOP.

Therefore, the risk of the issue was determined by multiplying the frequency of the driving initiating event times the CCDP. This resulted in 1.6E-4/yr x delta CCDP 4.7E-4 = 7E-8/yr increase in risk or of very low safety significance, GREEN. This was a very conservative assumption and a bounding condition for a postulated Seismic Issue with a LOOP with assumed total failure of the A RBCCW train with no recovery.

The dominant core damage sequence was a Seismic Event with LOOP, and failure of suppression pool cooling with failure of containment spray and failure of late injection sources such as diesel driven firewater.

2010002, Standby Gas Treatment Declared Inoperable After Discovery of Open Demister Door The LER noted that at 22:55 EDT on March 25, 2010, the normally closed Demister Door on 'B' Train of Standby Gas Treatment (SBGT) was found open. The door was opened during the performance of a scheduled surveillance and was subsequently not closed at the completion of surveillance. With this door being open the 'B' Train of SBGT was unable to perform its safety-related function. Because of the physical configuration of the SBGT system, it could not be immediately verified whether the 'A' Train would have been able to perform its safety-related function, since it could have drawn suction through the open demister door of the 'B' Train and the normally open crosstie between the trains. Upon discovery of the condition, a 36-hour LCO was entered in accordance with the Technical Specification (TS) 3.7.B.1.a, the 'B' demister door was closed, LCO was exited, and operability of both 'A' and 'B' Trains of the SBGT System was established.

The analyst used inspection manual chapter (IMC 0609, Appendix A, Exhibit 3- Barrier Integrity Screening, and determined this would screen to Green (very low safety significance),

representing potential degradation of the ability of the standby gas treatment system to perform its function to maintain secondary containment. This had been classified as licensee identified but through the description may have been appropriate as a self-revealing finding.

2011-001-00, TS Required Shutdown - RBCCW B Declared Inoperable The LER described that the B train of RBCCW was declared inoperable and expected to exceed its 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months LCO as required by TS prior to return to operable status. At 100% power salt service water (SSW) was detected in the RBCCW system due to high chloride levels and increased inventory in the system. This affected the B RBCCW HX which is designed to cool RBCCW under normal and post-accident conditions. Leak detection and repair identified a single tube leak resulting from an improperly modified tube sleeve which accelerated wear on the parent tube. This sleeve was installed in 2005. RBCCW system has 2 independent loops with each having 3 pumps. The 2 loops can be cross tied through 2, 12 inch cross tie headers which are normally closed. This effected the E-209B HX. The applicable TS action applies when the Rx coolant temperature is above 212 deg F with a 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months available limiting condition for operation (LCO).

12 As the plant entered the LCO and shutdown prior to exceeding the TS allowable LCO, if there was a performance deficiency, this would have been considered to be screened initially through IMC 0609, Attachment 4. Table 3 would indicate this would be routed through IMC 0609, Appendix G, as a degraded condition which could affect mitigating systems during the shutdown, due to the loss of redundancy of Shutdown Cooling (i.e. one RBCCW heat exchanger out of service). If Exhibit 3 of IMC 0609 Appendix G Attachment 1 were to be answered yes to an actual loss of safety function for greater than TS allowable, an Appendix G Phase 2 approach would be used. It is not apparent this would be the correct interpretation for a shutdown condition for TSs, however a review of the Phase 2 worksheets was conservatively performed. The plant shutdown on February 20, 2011 and a review of the 2nd quarter Pilgrim inspection report showed the plant reached 100% full power conditions on February 24.

Therefore, at most, a 3 day exposure in a shutdown condition would be appropriate to be assumed. The leak into the system at power was easily identified and would not be expected to immediately impact any function while still at power conditions. Therefore, the Appendix G approach was used because the issue impacted the ability to remove decay heat during the time it had to be worked on or was unavailable because it was removed from service for repairs.

The affected work on one train of RBCCW would impact one loop of shutdown cooling, therefore a risk review would have worksheet 4 as the affected shutdown area due to the degraded condition. Worksheet 4 is associated with the SDP Worksheet for a BWR Plant -

Loss of Operating Train of RHR (LORHR) in plant operating state (POS 1) (Head On). The initiating event likelihood (IEL) would be either 1 or 2 as it is not known how long RHR was in shutdown cooling prior to returning to power. An IEL of 2 would be for less than a complete 3 days of RHR Shutdown cooling operation during the work. For this evaluation a bounding value of 1 was used.

The LORHR- RHRREC - CV would be the limiting sequence with a bounding value for LORHR of (1), as noted this is considered conservative given the time period involved, credit for normal recovery of RHRREC given typical times to vessel pressurization beyond RHR ability (exceed head of pumps) would be greater than 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , value of (3), and full credit for Containment venting with makeup (3). This sequence would therefore be a 7 or of very low safety significance, E-7.

If there was a performance deficiency determined for this issue, given the limited timeframe in which the B HX was out of service, the effect on shutdown operations when the system was taken out of service would represent the risk increase and appears that it would have been determined to be of very low safety significance utilizing a conservative Phase 2 evaluation.

There did not appear to have been an NCV documented for this issue.

2011-002-0 Reactor Scram during a Planned Reactor Cool-Down with All Control Rods Fully Inserted This LER documented that on February 20, 2011 with the reactor shutdown, and with reactor pressure vessel cool-down in progress, reactor water level control was lost due to issues with the Mechanical Pressure Regulator. The reactor cooldown was the result of using the Mechanical Pressure Regulator (MPR). This method was selected following successful performance in the simulator during just-in-time (JIT) training. Corrective actions to respond to this event included to incorporate using the Bypass Valve Jack as the preferred method to execute cooldown. Also planned actions consisted of performing analysis of the MPR and level response during plant cooldown at the plant simulator.

13 This was a potential Plant Simulator Fidelity issue. If inspection would determine that a performance deficiency existed with training and simulator fidelity, IMC 0609, Appendix I, Licensed Operator Requalification SDP at the time of this event would effectively evaluate this as a possible finding with training and simulator fidelity. The IMC 0609, Appendix I version in effect, had a flowchart which screened simulator fidelity issues or deviations from the plant and simulator that impact operations as a GREEN finding or of very low safety significance.

This IMC 0609, Appendix I was revised and issued on 12/06/11 with an effective date of 01/01/12. The new flowchart for simulator fidelity issues would, after this date, screen this issue as a White issue or Low to Moderate risk. This occurs when simulator fidelity negatively impacts operator performance in the actual plant during a reportable event.

Notwithstanding this existing revision, if this issue were to have been determined to be a finding, it appears that it would have Screened as GREEN or of very low safety significance at the time of the event with the previous version of Appendix I in effect prior to 01/01/12.

2011003, Reactor Scram on Intermediate Range Monitor High - High Flux The LER described that on May 10, 2011, during startup Mode with reactor thermal power at approximately 1.7 percent, Pilgrim Nuclear Power Station (PNPS) experienced an automatic reactor scram while raising reactor temperature and pressure. The reactor scrammed on intermediate range monitor (IRM) hi-hi flux on both reactor protection system channels. Prior to the scram, operators took the reactor critical, reached the point of adding heat, and established a heatup rate. During the heatup, operators observed a high heatup rate and in response, the shift manager directed operators to insert control rods to reduce the heatup rate. The number of rods or number of notches to insert was not specified. Power began to lower as expected; however, operators did not recognize that inserting control rods to reduce heatup rate with rising moderator temperature caused the reactor to become subcritical. After achieving a temperature change from the power reduction, operators withdrew the same control rods before evaluating the core condition. The resultant reactor response was a faster power ascension rate than expected, which led to an automatic intermediate-range high-flux reactor trip. All systems operated as expected, in accordance with design.

The analyst noted this was appropriately handled through IMC 0609, Appendix M and was determined to be a White issue or of low to moderate risk.

2011-004-00, Technical Specification Required Shutdown - Drywell to Torus DP The LER noted that on May 14, 2011, with the plant operating at 14% power, Pilgrim commenced a controlled shutdown due to inoperable Drywell to Suppression Chamber Vacuum Breakers. The inability to maintain Drywell to Torus differential pressure (DP) was caused by improper sealing of 3 of 10 Drywell to Torus vacuum breakers.

The direct cause was improper magnet to striker plate clearance adjustment. The root cause of the event was lack of relevant information in a maintenance procedure. The venting and vacuum relief system consists of 10 vacuum breakers and are required to open to relieve excessive Drywell to torus DP.

The LER stated that the failure of 3 vacuum breakers to seal closed did not affect the capability to equalize pressure between the Drywell and Torus. Therefore the function to protect structural integrity of containment was maintained. Pilgrim engineering analysis determined that the safety analysis and TS 3.7.A.8 requirements did not require the 1.17 psid DP to be maintained until 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after power is raised above 15%. This was not exceeded. The equivalent leak

14 path opening was estimated to be less than a 2 inch diameter pipe and the reactor was operated at reduced power levels. The conclusion was that this indicated the leak path was within the analytical maximum allowed value described in the TS Bases.

This indicates that the leak path was within the analytical maximum allowed value described in the FSAR and TS Bases. However, since the drywell to suppression chamber leakage did not satisfy the more conservative TS 4.7.A.4.b.4 limit (i.e., does not exceed differential pressure decay rate which would occur through a 1 inch diameter opening without the addition of air or nitrogen), the vacuum breakers were declared inoperable and the reactor was shutdown per TS 3.7.A.5.

The analyst did not find any concerns with the above conclusions based on the information provided, and therefore, since the leak path was within analyzed limits other than not meeting the more restrictive TS limit, the issue would not be expected to impact plant risk. Screen to Green (i.e. given function not lost). The issue had a very low exposure time, due to the timing coming out of an outage condition.

2011005, Technical Specification Required Shutdown Due To Inoperable Feedwater Check Valve The LER described that on Thursday, November 17, 2011, at 1515 hours0.0175 days 0.421 hours 0.0025 weeks 5.764575e-4 months , with the reactor at approximately 50% core thermal power, the station entered a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months cold shutdown action statement due to the inability to provide a manual isolation for a main feedwater line check valve that had been declared inoperable due to a leak. The reactor was at reduced power in order to perform a planned main condenser thermal backwash. While at reduced power an inspection of the main steam tunnel (a normally locked closed high radiation area) was performed as part of a scheduled system inspection. The inspection identified a leak on the feedwater line 'B' outboard check valve (6-CK-62B). The feedwater check valve was declared inoperable and the Limiting Condition for Operation (LCO) for Technical Specification (TS) 3.7.A.2.a.5 "All containment isolation check valves are operable or at least one containment isolation valve in each line is secured in the isolated position" was entered. Because there was no ability to manually isolate the primary containment penetration the station was required to be in cold shutdown within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months per TS 3.7.A.5.

The LER determined that the root cause of the check valve leakage was the failure of the work crew to adequately perform a final inspection of the pressure sealing surface during the last RFO. The craft were aware of the importance of the pressure sealing surface but did not perform a final inspection or did not perform it in sufficient detail to identify the score on the valve body. In addition, Entergy did not have adequate programmatic controls for check valve inspection in place.

The analyst noted that indications of a leak began approximately one week prior to the plant shutting down due to the leak. The LER documented that the check valve leak and subsequent reduction in nuclear safety margin is mitigated by the demonstrated operability of upstream primary containment check valve 6-CK-58B and the limited extent of the leak. Feedwater check valve 6-CK-62B is in series with check valve 6-CK-58B to function as primary containment isolation valves for containment penetration X-9B. Had containment isolation been required, the inboard check valve, 6-CK-58B would have isolated; preventing containment and reactor vessel pressure and flow from exiting containment through the 'B' feedwater line.

Based on the above, IMC 0609, Appendix A, Exhibit 3 Barrier Integrity would have screened the issue to Green because there was no actual open pathway in the physical integrity of

15 reactor containment due to the functional, in-path, upstream check valve. The analyst noted there was no NCV documented for this self-revealing issue.

2011-006-00, HPCI Turbine Governor Control Valve Failure On November 30, 2011, the HPCI system was declared inoperable due to the HPCI turbine governor control valve (HO-2301-24) failing to open during post maintenance testing for work on the alternate shutdown panel controller. The HPCI system also failed from an attempt to start from the control room which was indicative of a valve failure. The last successful run was performed on 11/17/2011 during a planned LCO to install a new HPCI GEMAC controller. The pump failed to develop appropriate flow from that work but did work from the control room on 11/17/2011.

The cause of the failure was mechanically binding of the remote servo mechanism at the top of the piston stroke due to excessive particulate which reduced body to piston clearances. The lack of periodic inspection was the reason for the particulate and was not performed because preventive maintenance (PM) procedures were not updated to incorporate vendor guidance.

Various corrective actions were performed to include PMs, evaluations of lube oil contamination levels and address procedure issues.

After the failure, it appears that the HPCI system was restored to operable status 3 days later.

Therefore, using best estimate engineering judgment, the analyst assumed that the servo mechanism during the last run had not repositioned due to the stuck servo piston mechanism.

This would affect the porting of oil at startup and not allow the repositioning or opening of the control valve in the analysts opinion.

The total exposure from the last successful test to restoration after maintenance was estimated at 16 days exposure, exceeding the TS allowed outage time and therefore a detailed risk evaluation would have been required if a performance deficiency was identified.

The NRC SPAR Model Version 8.24, using SAPHIRE 8.1.6 was assumed to provide a close match to the model used in this 2011 timeframe. Similar modifications to the model were made, as reflected in the evaluation of LER 2013-003 below, to more accurately reflect station procedures and provide a best estimate of risk.

The analyst discussed modeling of HPCI and RCIC fail to run events in general with an Idaho National Labs SPAR model expert who acknowledged that HPCI and RCIC fail to run events were subject to analyst expert judgment on mission time, considering the various postulated initiating events and could be modified as necessary to give a best estimate approximation of risk. The HPCI and RCIC fail to run basic events are calculated based on a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time. However, in many cases, plants that have control rod drive (CRD) pumps, especially those powered off of safety busses, have procedures within emergency operating procedures (EOPs) to maximize flow as an alternate injection source and this flowrate can exceed decay heat requirements within 4 to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months nominally.

The analyst initially ran a conditional case with HPCI fail to start event for an exposure time of 16 days. The result was an increase in core damage frequency of 4.91E-7/yr. To further refine the results, the analyst noted that many sequences had a RCIC fail to run event in the dominant sequence. Therefore to get a best estimate of risk and run a sensitivity analysis, the RCIC fail to run event was divided up into 2 segments. This removes the conservative value of using a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time and recognizes that CRD pumps (both required) would be able to fulfill

16 decay heat requirements at about the 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months timeframe. The analyst divided the RCIC fail to run into 2 segments. A fail to run event based on a 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months mission added to an AND gate for the fault tree of CRD (fault tree revised to reflect both pumps required) x the fail to run RCIC event for a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time. This is a best estimate for a more accurate fail to run estimate. This method had also been discussed with an Idaho National Labs expert and had been used by another Licensee in response to a HPCI finding (in the analysts experience) to further get a more accurate representation of a failure to run probability.

The revised RCIC fail to run (FTR) basic event probability was set at 1.2E-2 based on the above calculation. A post-processing rule was developed and applied to include this best estimate for events that did not result in station blackout (SBO) sequences where CRD would not be available, but included Loss of Main Feedwater, Loss of Condenser Heat Sink, and inadvertent stuck opening of an SRV where pressure would be low after 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The base case value for RCIC fail to run prior to this modification was 3.9E-2 based on a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time.

The basic event, ACP-XHE-XM-NORECBKR, (failure of the Unit Aux Generator breakers to open) was set to 1.2E-2 consistent with reasons outlined in the analysis below for LER 2013-008.

This sensitivity run performed to eliminate some of the conservatism in the RCIC fail to run rate based on 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of mission time resulted in the following results:

Base case 8.3E-6/yr Condition Case HPCI Fail to Start 1.55E-5/yr Delta CDF = 7.18E-6/yr The exposure time was 16 days.therefore the delta CDF would be 7.18E-6/yr x 16/365 =

3.1E-7/yr increase in CDF due to HPCI failure to start for 16 days using revised RCIC FTR rates for a best estimate mission time.

The dominant core damage sequences consisted of a medium break loss-of-coolant event with the failure to take manual action to depressurize using the SRVs before core uncovery, and loss of condenser heat sink initiating events with failure to take actions to depressurize, and the failure of the reactor core isolation cooling (RCIC) system to run or start. It was noted that a nominal 36% of the core damage sequences involved operators failing to take action to depressurize the vessel using the SRVs before core damage.

Therefore, the estimated increase in risk would be in the range of 3.1E-7/yr to 4.91E-7/yr (no adjustment for RCIC FTR). This outcome would then result in a review of external events.

Given the nature of this historical review, detailed evaluations of external risk contributions was not practical. In some cases, affected systems such as high pressure coolant injection are front line systems and may be credited in some external event scenarios. Therefore, it would be reasonable to assume that the contribution from external events would be equal to those for internal events. This assumption is consistent with the assumptions within a Special Inspection Report (SIT 05000293.2015007, ADAMS Accession No. ML15147A412), as documented in Attachment A4-1 Quantitative and Qualitative Evaluations for an SRV finding. This assumption is likely conservative and will be applied in this case as an external event Pilgrim SPAR model was not available. Therefore, using best estimate values for RCIC FTR basic event would result in a total increase in CDF/yr of 6.2E-7, or of very low safety significance (GREEN). During a detailed risk evaluation a detailed review would be undertaken to try to refine this estimate, however it likely would not result in an increase over the Green threshold.

17 A large early release frequency (LERF) review shows that per IMC 0609, Appendix H, for high pressure sequences and low pressure sequences with the containment dry, the LERF factor is 1.0. Using this, there are quite a few high pressure sequences within the dominant cutsets which are assumed to result in core damage. Therefore, an initial conservative Phase 2 estimate would put the increase in LERF based on the condition likely in the very low E-7/yr range based on the values within the IMC 0609, Appendix H.

For LERF, a performance deficiency if it were to exist would be considered a Type A finding and, as such, the calculated increase in CDF value in conjunction with an appropriate LERF factor would be used to determine the estimated increase in LERF. Per Appendix H, Table 5.2, LERF factors of 1.0 and 0.6 are used for high pressure core damage accident sequences with the drywell dry or flooded, respectively. These Appendix H LERF factors are considered conservative bounding values The SRA determined that the risk characterization of the issue using delta LERF using the factors specified in IMC 0609 Appendix H would be overly conservative for a variety of reasons:

More recent insights from an NRC Office of Research sponsored study by Energy Research, Inc. (ERI/NRC-03-04, November 2003 and subsequent State of the Art Reactor Consequence Analysis Project at Peach Bottom Nuclear Power Station (NUREG/CR-7110) have identified that improved modeling and analysis of anticipated types and sizes of reactor coolant ruptures, projected containment heating and fuel-coolant interactions, and operator actions taken in accordance with Severe Accident Management Guidelines, (to flood containment), significantly reduce the potential for containment breach and the likelihood of a LERF.

Results of these NRC sponsored accident progression analyses in ERI/NRC 03-204, The Probability of High-Pressure Melt Ejection-Induced Direct Containment Heating Failure in BWRs with Mark I Design, indicates that without reactor coolant system injection during a station blackout (i.e. no injection), there is a high-probability that the RCS would subsequently depressurize as a result of either temperature-induced creep rupture of the steam lines or a stuck open SRV (due to cycling at high temperature). The ERI/NRC 03-324 estimates a 0.9 probability of creep rupture of the steam lines during an SBO, and approximately a 0.5 probability of a stuck open SRV. If RCS depressurization occurs, the high RCS pressure sequences and their contribution to delta LERF are eliminated. These failure probabilities suggest a very likely probability of a low pressure condition with water in the containment, considering severe accident management guidance (SAMG) delineates mitigation actions for core meltdown accidents. These include directions for RPV control and primary containment flooding and include instructions to depressurize the RPV and prevent re-pressurization.

As noted, 36% of the core damage sequences involved operators failing to open the SRVs in high pressure conditions with the loss of high pressure systems and therefore core damage results. This direction is in the EOPs. If this manual action failure occurred, the subsequent entry into SAMGS provides additional guidance to depressurize and therefore independent procedures further providing instruction to depressurize.

Per the State-of-the-Art Reactor Consequence Analyses (reference Table 4 in NUREG-1935), the timeline for the start of core damage to lower head failure during an SBO event (i.e. similar to failure of injection) is approximately 7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months . This would allow excessive time for numerous personnel to recognize the need to depressurize the vessel. (i.e. control room or technical support center personnel).

18 For similar Mark I SDP evaluated LERF issues (reference Oyster Creek Integrated Inspection Report 05000219/2016004, dated January 25, 2017), Licensees with a similar Mark I design have used a LERF multiplier of 0.1 considered to be conservative in its estimate).

A similar application using the same multiplier (0.1 for internal and external events) would result in an estimated increase in LERF of 6.2E-8/yr. In accordance with IMC 0609, the higher of the two risk metric values is used to assign significance. Lastly, this LERF assessment is consistent with similar LERF evaluations performed by other SRAs in Region I, as documented for the Pilgrim Station, (Inspection Report FIN 05000293/2016004-05, Feedwater Regulating Valve Failure Results in Reactor Scram). In conclusion, the above delta LERF value would be consistent with the safety significance determined by internal and external events CDF contribution or of very low safety significance (GREEN). This would be the recommendation for this LER review.

The analyst noted there was no NCV identified that was documented in an inspection report for this issue.

2011007, Safety Relief Valve Declared Inoperable Due to Leakage On Monday, December 26, 2011, at 1250 hours0.0145 days 0.347 hours 0.00207 weeks 4.75625e-4 months , with the reactor at 100% core thermal power, the station entered a 24-hour action statement to initiate a controlled shutdown and be less than 104 psig reactor pressure due to suspected leakage across the first stage of safety relief valve (SRV) RV-203-3D. The SRV was declared inoperable due to criteria specified in a Pilgrim plant procedure. Specifically, the SRV is inoperable if the pilot stage thermocouple temperature is 35° F below its baseline temperature. The safety relief valve was declared inoperable and the Limiting Condition for Operation (LCO) for Technical Specification (TS) 3.6.D was entered. Due to the valve being declared inoperable, the station was required to be shutdown and reactor coolant pressure be below 104 psig within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months per TS 3.6.D.2.

Upon indications of exceeding the criteria, the Pilgrim plant shutdown limiting exposure time to the degraded condition to within the LCO. There was no definitive cause found for the failure and therefore no readily apparent performance deficiency. Given this information and the extremely short period of exposure time the issue would be assessed as of very low safety significance, however as stated no PD appeared to have existed.

2012001, Safety Relief Valves' Test Pressure Exceeded Setpoint Limits The LER stated that on March 28, 2012, Pilgrim Nuclear Power Station (PNPS) was notified that three of four, two-stage Target Rock Safety Relief Valve (SRV) pilot assemblies exceeded the Technical Specification (TS) tolerance limit for routine set point pressure testing performed at the Wyle Laboratories test facility. Certified replacement three-stage SRVs were installed in the plant at the time Pilgrim was notified. The cause of the as-found initial popping pressures exceeding the TS tolerance limit for the pilot valves was "setpoint variance" and "corrosion bonding." Corrective action was taken to replace the two-stage Target Rock SRVs with certified tested replacement three-stage Target Rock SRVs during Refueling Outage 18. The corrective action also included revising the PNPS Safety Analysis and Technical Specifications (TS) to reflect a 3% tolerance on set pressure for the new SRVs. The safety significance of the event was negligible and the condition posed no threat to public health and safety. An evaluation of the as-found set pressures and the potential increase in peak reactor pressure indicates that the increase would have been negligible and reactor vessel system integrity would not have impacted.

19 The analyst noted that based on no safety function impacted by the drift, identical to LER 2007004 conclusions, this issue would be of very low safety significance, Green. There was not an NCV identified for this issue.

2012-002-00, Manual Reactor Scram Due to Degraded Condenser Vaccum The LER described that on May 22, 2012 with reactor at 35% core thermal power, during a planned power reduction to support thermal backwash of main condenser, a manual reactor scram was inserted due to degrading main condenser vacuum. This was attributed to the loss of the steam jet air ejector (SJAE) inter condenser loop seal due to a partially open SJAE steam supply valve. The root cause of the valve being open was due to inadequate processing of an emergent work order related to the reach rod position indication versus the actual position.

This appears to have potentially been a self-revealing finding or NCV that caused a reactor scram.

IMC 0609, Appendix A, Exhibit 1 - Initiating Events Screening Questions, would SCREEN this issue to GREEN, because the finding caused a reactor trip but did NOT result in the loss of mitigating equipment such as feedwater or the heat sink. Per the LER, there was no apparent loss of the condenser heat sink or MSIV closure during the event.

2012003, Both Trains of Standby Gas Treatment System Inoperable On Wednesday, October 31, 2012 at 1200 hours0.0139 days 0.333 hours 0.00198 weeks 4.566e-4 months , with the reactor mode switch in RUN at approximately 100 percent core thermal power and steady state conditions, Standby Gas Treatment (SBGT) System Train "B" was removed from service (made inoperable) for surveillance testing. At 1441 hours0.0167 days 0.4 hours 0.00238 weeks 5.483005e-4 months , the control room staff declared the SBGT System Train "A" inoperable as a result of an engineering analysis that determined that 480 VAC feeder breaker to Motor Control Center (MCC) B15 had the potential to exceed its trip set point under the worst case bus loading. The inoperability of both SBGT System Trains "A" and "B" could have prevented the fulfillment of the safety functions to "control the release of radioactive material" and "mitigate the consequences of an accident.

The analyst used inspection manual chapter (IMC 0609, Appendix A, Exhibit 3- Barrier Integrity Screening, and determined if a PD existed, this would screen to Green (very low safety significance), representing potential degradation of the ability of the standby gas treatment system to perform its function to maintain secondary containment.

2013001, Inadvertent Trip of Both Recirculation Pumps and Subsequent Manual Scram The LER documented that on Thursday, January 10, 2013 at 1534 hour0.0178 days 0.426 hours 0.00254 weeks 5.83687e-4 months [EST], with the reactor at 100% core thermal power, both reactor recirculation pumps unexpectedly tripped and a manual reactor scram was inserted as required by station procedures. Following the reactor scram, all rods were verified to be fully inserted and the Primary Containment Isolation System Group II (Reactor Building) and Group VI (Reactor Water Cleanup System) actuations occurred as designed due to the expected reactor water level shrink associated with the scram signal. All other plant systems responded as designed. The scram was uncomplicated and decay heat was released to the main condenser via the turbine by-pass valves.

If a PD were determined to have existed, this would screen to Green in accordance with IMC 0609, Appendix A, Exhibit 1, because there was no loss of mitigating equipment relied on to transition the plant from the onset of the trip to a stable shutdown condition.

20 2013002, SRV-3B Safety Relief Valve Declared Inoperable Due to Leakage and Setpoint Drift The LER documented that on Sunday January 20, 2013, at 2050 hours0.0237 days 0.569 hours 0.00339 weeks 7.80025e-4 months with the reactor at 100%

core thermal power (RMSS in RUN), PNPS declared SRV-3B inoperable and entered Technical Specification (TS) 3.6.D.2 requiring an orderly reactor shutdown such that reactor coolant pressure is less than 104 psig within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . On Monday January 21, 2013, at 1300 hours0.015 days 0.361 hours 0.00215 weeks 4.9465e-4 months (16 hrs and 10 minutes) reactor coolant pressure was lowered to less than 104 psig. SRV-3B had been declared inoperable consistent with PNPS procedures that state an SRV is inoperable if the first stage pilot thermocouple temperature is 35° F below its baseline temperature. This LER Supplement provides the determination of cause for the leakage. The cause of the SRV leakage was that the natural frequency of the pilot assembly was close to a resonant frequency of the valve assembly when installed on the PNPS main steam line that had failed to be considered in the design of the SRV. A contributing cause was wear and looseness of parts in the main stage of RV-203-3B.

The LER noted that Pilgrim has installed temperature monitoring to provide sufficient indication of SRV leakage to ensure that timely actions can be taken to ensure that the plant is maintained in a safe condition. Procedure 2.2.23 provides the instructions and guidance for interpreting and responding to SRV temperature indications. Based on these instructions, the plant was shutdown. The SRV would have been able to respond if needed to meet its core cooling or reactor pressure vessel over protection functions. As a result, the plant safety was maintained. The risk of operating with a leaking SRV is characterized by an increased chance of having an inadvertently opened SRV with increased chance of that valve failing to reclose.

Assuming the plant operated for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months with this condition, this results in a change in core damage frequency of less than 1.0E-7.

If a PD were determined to have existed, the analyst found the Licensees assessment to be reasonable. The impact on the SRV function was bounded by the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months assumption.

Therefore the risk would be of very low safety significance, Green.

The analyst noted there was no NCV documented for the issue.

2013-003 Loss of Offsite Power Events Due to Winter Storm NEMO The LER documented that in anticipation of a major snow storm impacting Pilgrim on February 8, 2013, Operations entered Procedure 2.1.37 (Coastal Storm Preparations), Procedure 2.1.42 (Operations during Severe Weather), and EN-EP-302 (Severe Weather Response) at 0800 hours0.00926 days 0.222 hours 0.00132 weeks 3.044e-4 months on February 7, 2013. At 1021 hours0.0118 days 0.284 hours 0.00169 weeks 3.884905e-4 months on February 8, Station Risk was declared at elevated risk due to the winter storm warning. During the storm on February 8, wind speeds between 42 and 49 mph occurred through 2338 hours0.0271 days 0.649 hours 0.00387 weeks 8.89609e-4 months when the plant information system stopped recording weather data until 1840 the following day. The wind direction was from the ocean toward the switchyard during the storm.

On February 8, 2013, at 2018 hours0.0234 days 0.561 hours 0.00334 weeks 7.67849e-4 months , the Shutdown Transformer was declared inoperable due to repeated offsite 23kV Trouble/Trip Bypass alarms and reports from NSTAR regarding the power loss and restoration events on the Line via the Manomet Substation.

On February 8th, two line faults occurred on both 345KV transmission lines connected to the PNPS ring bus. At 2102 hours0.0243 days 0.584 hours 0.00348 weeks 7.99811e-4 months a major fault occurred on off-site Line 342 which remained de-energized for the remainder of the storm. At 2117 hours0.0245 days 0.588 hours 0.0035 weeks 8.055185e-4 months a fault on Line 355 occurred resulting in a full load reject of the PNPS generator, a subsequent reactor scram, and loss of the SUT.

21 Emergency diesel generators (EDGs) automatically started and provided power to safety buses A5 and A6. Groups I, II, and VI isolations went to completion. Reactor Core Isolation Cooling (RCIC) system was placed in service to maintain reactor vessel water level. High Pressure Coolant Injection (HPCI) system was placed in service to control reactor pressure. All systems performed as designed, to bring the reactor to Mode 3, including initiation of reactor water cleanup isolation, reactor building isolation system, and standby gas treatment system.

At 2200 hours0.0255 days 0.611 hours 0.00364 weeks 8.371e-4 months , an Unusual Event was declared (EAL SU 1.1) for loss of off-site power to Emergency Busses.

At 2211 hours0.0256 days 0.614 hours 0.00366 weeks 8.412855e-4 months , off-site line 355 was restored and ACB-102 was closed manually to reenergize the SUT. At 2340 hours0.0271 days 0.65 hours 0.00387 weeks 8.9037e-4 months , a 'B' phase fault on the SUT bus work tripped the SUT bus lockout relay. Walkdowns of the switchyard were conducted by Maintenance and Engineering to assess the condition of the SUT bus. The relays that initiated the bus trip indicated the fault was within the SUT protection scheme, but external to the SUT. Breaker ACB-102 was closed at 1809 hours0.0209 days 0.503 hours 0.00299 weeks 6.883245e-4 months on February 9th. At 0813 hours0.00941 days 0.226 hours 0.00134 weeks 3.093465e-4 months on February 9th, NSTAR reenergized Line 355 and the SUT was energized and non-safety related buses Al, A2, A3, A4 were energized from the SUT commencing at 1815. At 0400 on February 10, off-site power was restored to safety-related 4160V bus A5 through the SUT via a single 345KV line. At 0830 hours0.00961 days 0.231 hours 0.00137 weeks 3.15815e-4 months , off-site power was restored to safety-related 4160V bus via A6 through SUT. The EDGs were secured and were on standby. Residual heat removal was in shutdown cooling mode maintaining the reactor in cold shutdown. Fuel pool cooling was in service with fuel pool temperatures trending down.

If a performance deficiency or Finding was related to the station not performing modifications to enhance reliability of the Switchyard or to shutdown prior to the storm, then the following method would likely have been performed to determine the increase in risk. The inspection into whether a PD existed would have had to review and determine if modifications of any sort could have prevented this issue or if a finding was reasonable in accordance with IMC 0612:

The issue would Screen into a Detailed Risk Evaluation per IMC 0609, Appendix A, because the LOOP event caused a reactor trip AND the loss of mitigation equipment relied upon to transition the plant to stable shutdown conditions (e.g. condenser heat sink with MSIV closure)

The analyst used the NRC SPAR Model Version 8.24, SAPHIRE 8.1.6, which was assumed to provide a close match to the model used in the 2013 timeframe. This was noted to be the same model version used for a Final Precursor Analysis (Accident Sequence Precursor Program-Office of Nuclear Regulatory Research) for this 02/08/2013 Pilgrim Station event for Two Losses of Offsite Power Due to Winter Storm Nemo. The analyst used best available information obtained during the review of an A EDG preliminary White finding in the 2017 timeframe to revise the model as the analyst estimated would have occurred if an SDP had been performed.

Several of the notable revisions or assumptions were as follows:

For LOOP events, the engine driven firepump was credited to allow additional recovery time for offsite power recovery and an EDG. A SPAR-H calculation was performed to calculate an operator failure to place the firewater pump in service at 1.2E-2.

The failure to shed DC loads was calculated to be 1.2E-2 based on SPAR-H for SBO sequences.

Operator failure to manually depressurize given a Station Blackout Scenario was set at 5E-4 consistent with the normal failure probability.

22 Successful shedding of DC loads, success of High Pressure Injection, placing Engine Driven Firewater in service and successful depressurization sequence resulted in an extension to recover offsite power to 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months . (this includes estimated boil-off time)

Containment Venting was recalculated incorporating performance shaping factors for operator failure to be 5E-2 (failure probability in the SBO sequences). This had no impact due to Late Injection remaining failed and no FLEX at time of these events HPCI and RCIC failure to run rate was left at 3.95E-2 versus the existing 2018 model setting of 0.12.

An error was found in that the EDG recovery fault trees did not have the failure of the Unit Generator feeder breakers to open in an OR Gate - this was modified to preclude the double counting of recovery (i.e. EDG is not recoverable if you cant recover from the interlock preventing its breaker from closing due to the failed Unit Aux Generator Bkr.)

ACP-XHE-XM-NORECBKR modified to 1.2E-2 based on SPAR-H assuming nominal time available, High Stress, Moderately Complex and Experience Low due to nominal 6 to 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months available in a SBO with HPCI, RCIC and DC before depletion and boiloff The LOOPWR was used as the conditional event and set to 1.0 due to the event occurring in the given year.

The analyst modeled this similar to an initiating event type finding found within Susquehanna Steam Electric Station NRC IR 05000387/2010004. Adams Accession Number: ML103160334 The base case for a LOOPWR event is 9.23E-8/yr The conditional case with LOOPWR was set to 1.0. This resulted in 2.48E-5/yr increase in risk due to the event, if a PD was assumed to have occurred for failure to prevent the LOOP.

Therefore, the increase in risk would be 2.47E-5/yr when normalized to one year exposure or of substantial safety significance (YELLOW).

The dominant core damage sequence would be the LOOP occurrence, with a failure of emergency power supplies, (EDGs and SBO DG), with failure to recover offsite power in 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months , failure to recover an EDG and failure of any late injection sources due to failure of power to SRVs and subsequent closure.

The dominant core damage cutset was a LOOP, with failure of A EDG to run, failure of B EDG to run, failure of SBO to run, failure to recover an EDG and failure to recover offsite power in 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months , with convolution applied.

A second dominant core damage cutset was a LOOP, with common cause failure of the Unit Aux Generator supply breakers to open 505 and 606, and failure to recover and restore one of these breakers. This interlock prevents EDGs from closing in on the safety busses.

A LERF analysis would be performed similar to the review for LER 2013-008, Loss of Feedwater, and the estimated increase in risk would remain bounded by the increase in risk from the internal event or LOOP event as described within LER 2013008. The risk increase would be based on the change in CDF of 2.47E-5/yr or of substantial safety significance if a finding was determined relative to the initiating event.

As noted above, for a finding to have existed, the NRC would have had to determine that Licensee actions did not meet a standard or a violation occurred which should have been

23 prevented from happening. This would have to have been reasonably within the Licensees control to foresee and prevent. A PD was not readily apparent given the facts within the LER.

It is noted that a second loss of power to the SUT occurred with the plant shutdown for about 41 hours4.74537e-4 days 0.0114 hours 6.779101e-5 weeks 1.56005e-5 months , while in Shutdown Cooling. The event would be bounded by the initial LOOP event risk determined from above.

LER 2013-004, Manual Scram Inserted During Reactor Shutdown The LER documented that on April 14, 2013 the reactor was already subcritical on the IRMs range 2 and lowering, when a manual reactor scram was inserted due to reactor pressure decreasing faster than normal.

This was caused by relief valves lifting un-expectantly from the steam seal header. The cause was that operation of the steam seal bypass valve at a steam line pressure above the design of 250 psig allowed opening the relief valves and resultant RPV pressure reducing at a rate that operators determined should be terminated. The root cause evaluation (RCE) determined that a procedure did not limit the pressure for operation of the steam seal bypass valve. The reactor was already subcritical on IRM range 2 during the event. Therefore, the normal risk driver such as failure of the Unit Auxiliary Generator breakers to open would not be applicable as the turbine would have been tripped well before the event. Additionally, the offsite power breakers failing to open basic events would also not be applicable. The excessive cooldown resulted in a manual closure of the MSIVs to stop the cooldown. This recovery of the condenser heat sink is normally failed in the base case for a loss of condenser heat sink event. In this case, procedures exist to re-pressurize across the MSIVs in order to re-open them if needed. The analyst went through with a regional operational expert the procedure and method and considered a failure estimate of 5E-2 as a very conservative value given the human performance shaping factors involved and excessive time available to recover the heat sink if required. If a PD had been identified, the risk review would have been as follows:

IMC 0609, Appendix A, Exhibit 1 - Initiating Events Screening Questions, would have screened this issue to GREEN, because the finding did NOT cause a reactor trip AND loss of mitigation equipment therefore it would have been screened GREEN. This interpretation would be the minimization of the impact in causing a reactor trip as the reactor was already shutdown.

However, as a sensitivity to this screening, the SPAR model was run assuming a loss of condenser heat sink event (LOCHS). In order to provide a best estimate of the risk increase, the model required adjustments using change sets and several post processing rules. A change set was developed for the base case and condition case with the UAT breakers (505 and 605) and offsite power breakers (504 and 604) failure to open events set to False. This mirrors the condition of the plant at the time of the event. Additionally, for both the base case and condition case, PCS-XHE-XM-LTLCHS (recovery of loss of condenser heat sink) was set to 5E-2 vice TRUE (always failed) given the conditions of the event and the condenser being recoverable with opening the MSIVs. At the time of the overcooling, the reactor was shutdown and subcritical, therefore ATWS events would also not be applicable as many of the control rods were already inserted in the soft shutdown. Only 1 SRV would be required to open as well, given the power and status of the plant, instead of 2 in the normal base case of the at power model. Post processing rules were written such that a common cause failure of the battery chargers, where the batteries would still be available to power the SRV and High Pressure system functions for at least 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , were written to add recovery of the MSIVs for both the base case and conditional case for core damage sequences involving CCF failure of the battery chargers. When the modeling changes were performed to represent the actual condition of the

24 plant at the time of the manual closure of the MSIVs this resulted in a delta CCDP of 7.5E-7 with the conditional case being a LOCHS set at 1.0. Therefore, this initiating event, LOCHS set to 1, resulted in less than 1E-6/yr increase in risk and matched the intent of the screening question for a very low safety significant event. The above was performed as a sensitivity to confirm that screening the issue due to the reactor already being subcritical and shutdown gave an appropriate representation of plant risk of the event.

2013-005-00, Primary Containment Declared Inoperable During HPCI Testing On May 23, 2013 during power ascension from RFO 19, the Licensee discovered a leak associated with the HPCI turbine exhaust line and declared primary containment inoperable.

This was found during low pressure testing at about 2% power.

The cause was the failure to provide work package instructions necessary to adequately tighten all of the bolting associated with the affected HPCI turbine exhaust piping flange joint. This was due to the lack of understanding of the joint bolting configuration that 4 of the studs were threaded into each side of the butterfly valve body, which is different from the 16 studs that pass through the butterfly valve flange bolt holes and are captured by nuts at the adjacent check valve and plant piping flanges.

If there was a performance deficiency with this, it would be screened through IMC 0609, Appendix A as affecting Exhibit 3, Barrier Integrity. A conservative answer would be Yes, relative to if the finding allowed an open pathway from primary containment and effected integrity of valves etc. This would result in an SDP review using IMC 0609, Appendix H, dated 5/6/2004. IMC 0609, Appendix H, Table 6.2 Phase 2 for Type B findings for a Mark I containment would screen this as very low safety significance GREEN, due to the very low exposure time of less than 1 day. The screening process is less than 3 days and this is a very conservative assumption that leakage would exceed 100% containment volume per day.

Therefore, if a finding was identified this would have been determined to be of very low safety significance.

2013-006 HPCI Controller Failure to Achieve Rated Flow while in Auto Mode During startup testing the HPCI system failed to deliver 4250 gpm. The actual flowrate appeared to be in the area of 3750 gpm. This was due to a flow controller being out of calibration. The flow controller had successfully functioned within the last 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months during a previous test and therefore the exposure time was extremely limited. Additionally, this flowrate would not render the system totally non-functional for many events.

The Licensee calculated a delta CDF/year increase on the order of 5E-9/yr given the limited 26 hour3.009259e-4 days 0.00722 hours 4.298942e-5 weeks 9.893e-6 months exposure. An IMC 0609 screening would have conservatively resulted in a DRE if one were to conclude there was a loss of system function. That would only be relative to the function of HPCI for a SBLOCA or MBLOCA scenario given the small amount of flow reduction and HPCI may have been able to achieve this function. However, if screened to a detailed risk evaluation, this would have been bounded by the review of LER 2011-006 due to the very limited exposure time and would have been of very low safety significance or GREEN.

2013007, Ultimate Heat Sink and Salt Service Water System Declared Inoperable The LER documented that on Tuesday, July 16, 2013 at 1652 [EDT] and again on Wednesday, July 17, 2013 at 1054 [EDT] with the reactor at 100% core thermal power (CTP) the Pilgrim Nuclear Power Station (PNPS) declared the ultimate heat sink (UHS) and the salt service water

25 (SSW) system inoperable due to high sea water inlet temperatures greater than 75°F. A maximum sea water inlet temperature reading of 75.5°F was observed and the maximum duration for either event was 5.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months . The limiting condition for operation (LCO) action for technical specification (TS) 3.5.B.4 was entered then exited based on the rise and fall of sea water inlet temperature. Plant systems and components operated as required and no equipment failures occurred. The plant was not shutdown due to the short duration of the sea water temperature excursion. The cause of the high sea water inlet temperature readings was sustained increased sea water surface temperature in Cape Cod Bay due to hot summer weather conditions and the contribution from recirculation of water from the plant's outfall due to wind and tidal conditions. Corrective action was completed to establish an operational decision making issue (ODMI) action plan to reduce station power levels prior to reaching the TS UHS LCO temperature limit.

The LER documented that although long term accident analyses do not address sea water temperatures above 75°F, an engineering evaluation was performed to address the reported events. This evaluation assumed a short duration event (i.e.,12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ) where UHS inlet temperatures exceeded 75°F and remained less than 78°F. This evaluation concluded all structures, systems, and components (SSCs) would be capable of performing their safety functions with UHS/seawater temperatures of up to 78°F for short durations provided that average sea water temperature is less than 75°F for the 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months time period evaluated.

Given the extremely short duration of exposure and the above review of functionality, the analyst estimated this to be of very low safety significance (Green), if a PD would have been identified. There was no clear PD from the description of the event.

2013-008-00, Manual Scram - Reactor Feed Pump Trip On August 22, 2013 at 98% power, Pilgrim was manually scrammed due to lowering water level resulting from the trip of the reactor feed pumps. The pumps tripped due to a loss of power to the pump seal cooling water flow switch relays and resultant automatic actuation of the feed pump trip circuit.

The direct cause of the trip was an automatic actuation of the feed pump trip circuitry. The feed system has 3 motor driven feed pumps. Each pump is provided with mechanical seals at the end of the pump casing. The seal design has an internal pumping ring, which circulates water between the seal cavity and external cooler. The cooler is cooled by turbine building closed cooling water (TBCCW) which passes through flow switches, which at the time of event, provided both an alarm and feed pump trip function given a low flow of cooling water to the external coolers. All TBCCW flow switch relays are powered from a single breaker Y1, 120VAC.

In 2011 a modification was implemented to revise the configuration of the feedpump TBCCW flow switches and pump trip relays. This was initiated to address scram trip reduction efforts.

The modification revised the feed pump trip relay logic design and inadvertently introduced a new configuration that initiates actuation of the feed pump trip logic on loss of power to the cooling water flow switch relays. Previously, a loss of power to the relays would not trip the feed pumps.

On August 22, 2013, a ground fault occurred on circuit 24 powered from the same 120 VAC power panel Y1. The breaker opened and the loss of power to the cooling water flow switch relays caused the reactor feed pumps to trip.

26 Reactor level continued to lower until a Group I isolation signal (closed MSIVs) and started HPCI and RCIC and the EDGs.

LER Root cause: Single point vulnerability design criteria for mod with the feed pump low seal cooling water flow mod was not clearly defined and implemented.

ANALYST REVIEW The analyst in order to more clearly understand what the PD would specifically be associated with performed a more detailed review of the Licensees root cause evaluation (RCE) and associated condition reports to try to gather the best available information to be informed on a risk analysis. It was determined that previous to the modification performed in 2011, a loss of power to the associated circuit or from the panel feed would not have resulted in a loss of Feedwater. Additionally, the modification was to remove some vulnerability with respect to power reductions caused by the original circuit and not for expected plant scrams due to the circuit design.

A review of the RCE indicated that the associated power to the affected reactor feedpump circuits was common to all 3 pumps. The Y1 power panel breaker 24, feeds 6 circuits. Three circuits are associated with the 3 affected Reactor Feedpump cooling water flow switches which were involved with the transient. Two other circuits feed plant heating inlet valve controls and have 10 amp fuses to protect the feeds. The last circuit is Bleeder trip valves and Spill Valves for Heaters E-102A, E-103A, E-103B, E-104A and E-104B. There are 14 solenoids and 32 Limit Switches in this circuit. A similar short to ground on any component will result in trip of circuit breaker 24.

Further review of the RCE indicated that in the 1998 timeframe a faulty splice was performed for the wires associated with the failed circuit which shorted causing this loss of feed event. The splice did not conform to required standards and would from a review of the facts be considered another performance deficiency which led to the cable short and ultimately the tripping of circuit breaker 24 and the total loss of feedwater event.

The analyst noted the following guidance when performing an SDP evaluation for an issue which may involve several different performance deficiencies such as this:

From Inspection Manual 0308, Attachment 3 on SDP requirements 0308.06 THE INDEPENDENCE OF INSPECTION FINDINGS Inspection findings are independent entities. As such, each finding, which has been determined to be the proximate cause of a particular degraded condition, is assessed on its own.

When multiple inspection findings having different proximate causes are determined to be separate and independent, yet cause degraded conditions that overlap in time, the SDP will treat each of them independently. In other words, if there are two independent findings that are present during the same period of time, one of the degraded conditions is assessed for safety or security significance while the other degraded condition is assumed not to be in effect (i.e., in its nominal or baseline state and vice versa).

27 In this respect, the SDP is different from other ROP risk-informed processes (e.g., the reactive inspection program as defined in IMC 0309, Reactive Inspection Decision Basis for Reactors),

which would assess the significance of all of the degraded conditions during the same period of time regardless of whether or not they were caused by deficient performance.

The analyst determined from the facts that two degraded conditions existed after the performance of the modification in 2011. The first performance deficiency occurred in the 1998 timeframe when a splice was improperly performed which resulted in the eventual failure of a wire and the trip of circuit breaker 24, initiating this event. The second performance deficiency appears to have occurred with the implementation of a modification in 2011 that may not have met the Licensees design control procedures. The modification initiated a new failure mode for a total loss of Feedwater by the design change and a new single point vulnerability going forward from 2011. To map the risk to the PD associated with the modification a nominal failure rate of the circuit (loss of power) would have to be assumed because that would be required for this event. The modification did not initiate a condition such as faulty feedwater controllers or feedwater control logic which would cause the event by itself, but needed another condition or degradation for its occurrence (i.e. fault causing loss of the 24 circuit breaker and power loss).

The analyst bounded the risk review by evaluating the potential performance deficiency with the 2011 modification made to the Reactor Feed pump TBCCW flow switch logic. This now essentially armed the condition of a total loss of Feedwater event with a loss of power to the power circuit feeding the TBCCW switches, which occurred subsequently in 2013.

Key Assumption:

The Analyst used the information contained within the Root Cause Evaluation, specific to a condition review search data base. This was assumed to be a key input which would have been researched and considered to inform a best estimate risk review. The Licensee had performed a review of their data base from 01/01/2000 to 2015 relative to any input that involved the Y1 panel and/or associated circuit breaker. The analyst noted 3 occurrences where it was documented that failures caused the opening of circuit breaker 24. The wiring short which caused this loss of feedwater event, a trip of the circuit breaker associated with SV 3067 wiring after this event occurred (several weeks later), and in 2015 a trip caused by insulation damage and a short circuit for Limit Switch ZS-3206 associated with a Bleeder Trip Valve. The above data was gathered to try to develop a best estimate of conditions that have caused this breaker to open over the years to estimate a nominal failure rate for power from the circuit. The 3 failures of the circuit within the 15 year timeframe would be 1 failure every 5 years or 0.2 failures per year. If a review had been performed after this event there would have been 2 failures noted since 2000 both occurring in 2013 over the 13 year timeframe with one of them caused by an inappropriate splice (PD). It is an estimate that 1 nominal failure (no PD) or tripping of the circuit in 13 years would be increased to a 0.2 failure rate given circuit splices and faults can occur. Additionally, this 0.2 failures per year was considered to be the nominal failure rate seen at the plant given the data within the root cause evaluation condition report search through 2015. Therefore a 0.2/yr failure rate of circuit 21 was considered to be a best estimate and was assumed for the conditional initiating event frequency for a Loss of Feedwater event, essentially armed for a nominal 2 years when the inappropriate modification was performed. Specifically, this increase in a loss of feedwater event frequency was due to the potential PD associated with the modification in 2011. This represents the increase in risk due to the modification (i.e. a higher probability of a loss of feedwater event over the industry data) and is above the base case or nominal expected frequency for a Loss of Feedwater event in the SPAR model of 7 in 100 years (7E-2/yr). Based on this best available information the risk increase was evaluated within the Pilgrim SPAR model.

28 If it was concluded through inspection that a performance deficiency existed then the risk would be calculated and represented by the increase in the initiating event frequency created by the PD. The modification was in place for more than a year, from the above dates, a nominal 2 years, so the maximum SDP exposure time of 1 year would be assumed.

The NRC SPAR Model Version 8.24, using SAPHIRE 8.1.6 was assumed to provide a close match to the model used in the 2013 timeframe.

IMC 0609.04, Phase 1 Initial Screening and Characterization of Findings, Initiating Events cornerstone, would determine that the finding contributed to both the likelihood of a reactor trip AND the likelihood that mitigation equipment functions are impacted (i.e loss of Feedwater and the Heat sink initially)

A Phase 3 SDP evaluation, would set the exposure time to the maximum value of 1 year. The following SPAR model modifications were made:

SPAR model basic event IE-LOMFW, Loss of Main Feedwater, was set to a frequency corresponding to the above best estimate determined by data analysis for loss of circuit breaker 24 from panel Y-1, to 0.2/yr. This is an Initiating Event frequency increase from the base or nominal case of 6.89E-2 or around 7 in 100 years.

NOTE: This method of calculation is essentially equivalent to performing a conditional core damage probability (CCDP) for a Loss of feedwater event and then subtracting the baseline core damage probability (CDP) (i.e. 6.89E-2/year x 1 year) for a loss of main feedwater event in the SPAR model (i.e. CCDP-CDP).

The SPAR model basic event, ACP-XHE-XM-NORECBKR was modified to a value of 1.2E-2 based on a SPAR-H calculation for the base and condition case. This assumed nominal time available for recovery, High Stress, Moderately Complex, and Experience Low with all other assumptions nominal.

The above basic event is associated with a modeling issue where the breakers from the unit auxiliary transformer (breakers 505 and 605) which normally feed the two safety busses A5 and A6, fail to open upon a reactor scram and turbine trip. This failure has a large impact on plant risk for initiating events. Because the breakers do not open, the Offsite power breakers, the EDG breakers and the Shutdown Transformer offsite power source are all prevented from closing in on the safety busses. This creates an SBO type of situation because a power source cannot close on the safety busses.

The analyst noted that the dominant core damage sequence is a loss of main feedwater, with a common cause failure of the 505 and 605 unit feeder breakers to open on each respective safety bus. The final mitigating event is the failure to recover or open one of the two breakers such that a safety bus can be supplied by another source (i.e. offsite power, EDGs, Shutdown transformer Bus A8). The analyst notes that in this scenario, HPCI and RCIC would both start and run to supply RPV water level and be used for pressure control. The DC batteries would likely have at least 6 to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months of power to ensure the SRVs can remain with power and to supply DC motive power for HPCI and RCIC. These systems would be utilized at the time of this event. Therefore, it would be expected that likely up to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months or so would be available before the SRVs would close and another hour before boil-off to the top of active fuel. (these are conservative estimates)

29 The first thing that would be expected for the operating shift crew would be to confirm the reactor is shutdown, and control RPV level and pressure. A check of the safety busses would show that no power was feeding the A5 and A6 busses. Logically, they would attempt to open the breakers via the handswitch in the control room. (Unit auxiliary breakers from unit generator feed). If this failed, they would locally try to trip the breaker open (i.e. possibly a mechanical sticking issue). Finally, after the Turbine would coast-down and there would be no power on the bus, they likely would attempt to rack the breaker out which would allow the interlock to be defeated and the other sources to close in. It is noted only 1 of the 2 breaker interlocks would have to be reset for power to be available to 1 of the 2 safety busses to prevent core damage.

Therefore, the previous assumption of barely adequate time in the SPAR-H calculation which resulted in a value of 0.12 probability of failure was revised to 1.2E-2 with nominal time available, which would actually be more than nominal timeseveral hours if not up to 5 to 9 hours1.041667e-4 days 0.0025 hours 1.488095e-5 weeks 3.4245e-6 months before torus temperatures would approach the heat capacity temperature limit and DC power supplies would be challenged with respect to supporting the SRV opening function and HPCI/RCIC operation.

For a Loss of Feedwater Event, and no Loss of power to the A5 and A6 busses (not a sequence where the breakers would fail to open), the Control Rod Drive system would be expected to handle decay heat levels at about 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . The EOPs also state to use this source as one of the many injection sources available. Therefore, the analyst revised the RCIC and HPCI Failure to run basic event (which is based normally on 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ), to a value associated with a mission time of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months + The failure of the CRD fault tree (revised to reflect an OR gate for either CRD pump (i.e. need them both for success) x (The RCIC and HPCI Fail to run probabilities for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ). This gives appropriate credit for the CRD pumps to be able to handle decay heat after a period of time. An assumption is that the CRD pumps which are powered off the safety busses A5 and A6 could perform the function of HPCI or RCIC for decay heat removal after about 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months with reduced decay heat levels. Basic Events for HPCI fail to run and RCIC fail to run were modified for the Loss of Feedwater event to be based on the above resulting in a 1.2E-2 failure to run probability. This was revised from the 3.9E-2 failure probability for a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months mission time and adjusts for the conservatism in the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months assumption. This method was discussed with an INL SPAR model expert and has been used by Industry PRA models. It is assumed a loss of complete power to the safety busses as noted above would result in the loss of DC power for HPCI/RCIC operation in the nominal 6-9 hour timeframe as well.

The recovery of the condenser, (opening of MSIVs) has a base case value of 0.34 which was an arbitrary value assigned as discussed with an Idaho National Laboratories SPAR model expert on April 9, 2018. The analyst discussed the actual procedure Pilgrim uses to re-open or recover the MSIVs after their closure with senior regional operation inspector experts and determined that a 5E-2 failure probability would be a best estimate based on SPAR-H calculation inputs for performance shaping factors. However, the analyst used a 0.1 failure probability to be conservative due to uncertainties involved.

(PCS-XHE-XM-LTLMFW - revised to 0.1 from 0.34 for base case and condition case)

No credit was given for blackout (no power) local operation of RCIC, which may be a very conservative assumption for the indirect SBO caused by the unit aux gen. feeder breakers failing to open

30 The following influential assumptions were used:

The IEF due to a potential performance deficiency was assumed to be a constant 0.2/yr (i.e. the inadequate modification subjected the condition to a 0.2/year increased exposure for a loss of feedwater event).

Nominal Test and Maintenance Values were used for all other basic events Base Case for the Loss of Main Feedwater initiating event was 2E-7/yr with the above modifications to the model The Conditional Case with setting the higher loss of feedwater initiating event frequency due to the condition was 5.89E-7/yr.

The increase in risk due to the potential finding was therefore calculated to be (5.89E-7/yr - 2E-7/yr) or 3.89E-7/yr. This was the total estimated change in core damage frequency for the condition. This would be of very low safety significance or GREEN.

The dominant core damage sequence involved a Loss of Feedwater Event, and common cause failure of both the 505 4kV and 605 4kV breaker from the unit auxiliary transformer to fail to open, and failure to recover from this, or to open one of the two breakers. This was a contribution close to 2E-7 increase in core damage for the event and made up 33% of the core damage cutsets. A second dominant core damage sequence involved a loss of main feedwater event, and operator failure to depressurize and failure to place RHR in Suppression Pool Cooling.

A LERF review shows that per IMC 0609, Appendix H, for high pressure sequences and low pressure sequences with the containment dry the LERF factor is 1.0. Using this, there are quite a few high pressure sequences within the dominant cutsets. Therefore, an initial conservative Phase 2 estimate would put the increase in LERF based on the condition likely in the very low E-7/yr range. However, this is considered to be a conservative assumption based on a more refined review.

For LERF, a performance deficiency if it were to exist would be considered a Type A finding and, as such, the calculated increase in CDF value in conjunction with an appropriate LERF factor would be used to determine the estimated increase in LERF. Per Appendix H, Table 5.2, LERF factors of 1.0 and 0.6 are used for high pressure core damage accident sequences with the drywell dry or flooded, respectively. These Appendix H LERF factors are considered conservative bounding values. More recent insights from an NRC Office of Research sponsored study by Energy Research, Inc. (ERI/NRC-03-04, November 2003 and subsequent State of the Art Reactor Consequence Analysis Project at Peach Bottom Nuclear Power Station (NUREG/CR-7110) have identified that improved modeling and analysis of anticipated types and sizes of reactor coolant ruptures, projected containment heating and fuel-coolant interactions, and operator actions taken in accordance with Severe Accident Management Guidelines, (to flood containment), significantly reduce the potential for containment breach and the likelihood of a LERF. Furthermore, the dominant sequences discussed above in many cases would result in considerable time (estimated 8-10 hours) before postulated core damage and an additional 8-10 hours until containment breach. Therefore, the above reports indicate a more benign containment response at the time of vessel breach, in terms of direct containment heating and fuel-coolant interaction-induced containment failure. For similar Mark I containment issues (reference Oyster Creek Integrated Inspection Report 05000219/2016004, dated January 25, 2017, Licensees have used a LERF multiplier of 0.1 considered to be conservative in its estimate). A similar detailed review using the same multiplier would result in an estimated

31 increase in LERF of 3E-8/yr. In accordance with IMC 0609, the higher of the two risk metric values is used to assign significance. This is consistent with similar LERF evaluations documented for the Pilgrim Station as well, (Inspection Report FIN 05000293/2016004-05, Feedwater Regulating Valve Failure Results in Reactor Scram). For additional considerations the evaluation of LERF previously within LER 2011-006 would also apply. Therefore a best estimate would be that delta LERF would not elevate the risk and the safety significance would remain consistent with the increase in CDF/yr determined by the internal Loss of Feedwater event review or of very low safety significance (GREEN). This would be the recommendation for this LER review.

2013-009-00 Loss of Offsite Power and Reactor Scram October 14, 2013 from 100% core thermal power, and offsite power 345kV Line 342 out of service for upgrade, a LOOP occurred due to the loss of the second 345kV Line 355. MSIVs closed on loss of power to the reactor protection system, and EDGs both started and supplied power to Bus 5 and Bus 6. HPCI and RCIC were placed into service to control cooldown and level. The cause of Line 355 loss was a failure of offsite substation tower support. The Line was repaired and energized in about 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

Line 342 was scheduled to be out of service for approximately 6 weeks to allow for major relay upgrade.

On October 11, 2013, at 0700 hours0.0081 days 0.194 hours 0.00116 weeks 2.6635e-4 months , the Line 342 was removed from service and work commenced. 3.5 days later the event occurred where the other line failed.

The loss of Line 355 was a defective tower support (wood pole) at the Carver Substation.

The root cause of the LOOP from Line 355 was inadequate pre-defined risk based criteria for planned offsite maintenance. Pilgrim procedures did not address risk mitigation for having one 345Kv line out of service for maintenance. The Equipment out of Service risk color was unchanged and integrated risk screened out as low.

The LER indicated that the event which caused a Loss of power to the SUT, had elevated station risk to Yellow and resulted in a Conditional Core Damage Frequency of 1.9E-5/yr.

BEST ESTIMATE RISK EVALUATION If a Finding existed, this would likely be determined to be a Maintenance Rule A.4 performance deficiency, due to the lack of a valid risk assessment and protective measures.

IMC 0609, Appendix K, Maintenance Risk Assessment and Risk Management SDP was assumed to not have changed significantly from the 2013 timeframe. The risk of the issue is therefore equivalent to the risk deficit, or Incremental Core Damage Probability (ICDP). This is the (ICDF actual) multiplied by the duration of the issue in hours divided by 8760 hour0.101 days 2.433 hours 0.0145 weeks 0.00333 months s/per year.

The risk deficit ICDPD is equal to the ICDP when the PD involved not conducting a risk assessment. The assumption will be the Licensee did not perform a risk assessment.

The NRC SPAR Model Version 8.24, using SAPHIRE 8.1.6 was assumed to provide a close match to the model used in the 2013 timeframe. This was noted to be the same model version used for a Final Precursor Analysis (Accident Sequence Precursor Program- Office of Nuclear Regulatory Research) for a 02/08/2013 Pilgrim Station event for Two Losses of Offsite Power Due to Winter Storm Nemo. The analyst used best available information obtained during the

32 review of an A EDG finding in the 2017 timeframe to revise the model as appropriate. Several of the notable revisions or assumptions were as follows:

For LOOP events, the engine driven firepump was credited to allow additional recovery time for offsite power recovery and an EDG. A SPAR-H calculation was performed to calculate an operator failure to place the firewater pump in service at 1.2E-2.

The failure to shed DC loads was calculated to be 1.2E-2 based on SPAR-H for SBO sequences Operator failure to manually depressurize given a Station Blackout Scenario was set at 5E-4 consistent with the normal failure probability.

Successful shedding of DC loads, success of High Pressure Injection, placing Engine Driven Firewater in service and successful depressurization sequence resulted in an extension to recover offsite power to 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months .

Containment Venting was recalculated including operator failure to be 5E-2 failure probability in the SBO sequences.

HPCI and RCIC failure to run rate was left at 3.95E-2 versus the existing 2018 model setting of 0.12.

An error was found in that the EDG recovery fault trees did not have the failure of the Unit Generator feeder breakers to open in an OR Gate - this was modified to preclude the double counting of recovery (i.e. EDG is not recoverable if you cant recover from the interlock preventing its breaker from closing due to the failed Unit Aux Generator Bkr.)

ACP-XHE-XM-NORECBKR modified to 1.2E-2 based on SPAR-H assuming nominal time available, High Stress, Moderately Complex and Experience Low due to nominal 6 to 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months available in a SBO with HPCI, RCIC and DC before depletion and boiloff Test and Maintenance was set to 0, and it was unknown what other equipment was out of service for the exposure time The analyst considered that with the 342 line removed from service, a best estimate method for calculating the impact on ICDP would be to increase the frequency of a LOOP Grid related, LOOP Weather related, and LOOP Switchyard related by one order of magnitude higher in the given year to reflect the increased chance of a loss of the 345kV offsite power to the SUT with one line out of service. This was thought to be a conservative estimate. The Loss of the 342 line typically would leave the 355, 345kV line still available to feed the SUT with an offsite power source which would then supply power to the safety busses A5 and A6 on a Unit Trip.

Additionally, although it is modeled as part of emergency power to the safety busses, the 23KV offsite power line comes from a different source and would be available to feed the safety busses as well, so 1 out of the 3 offsite sources to the safety busses was taken out of service during this planned evolution.

Line 342 was scheduled to be out of service for 6 weeks, however the event where both sources were lost occurred within 3 days of the removal of line 342. Therefore the actual incurred risk will be calculated for the condition.

For 6 weeks planned before the loss of the other line The conditional CCDP with an increase of an order of magnitude for LOOPWR, GR and SC with ZERO test and maintenance was 2.35E-6/yr The base case CCDP was 2.33E-7/yr The Delta CCDP was 2.11E-6/yr Therefore the ICDP was 2.11E-6/yr x (6 weeks/52 weeks) planned, = 2.4E-7/yr (GREEN)

33 Note: This was for the planned time, not the actual time and this time could have changed and wasnt the actual exposed risk.

However, the actual risk increase (ICDPactual) is the ICDPD incurred in this case. The actual risk increase occurred while this configuration existed for a nominal 3 days, prior to the Licensee taking actions to resolve the issue.

Therefore the ICDP was 2.11E-6/yr x (3 days/365 days) = 1.7E-8/yr, which would be a best estimate for the actual risk incurred if a PD existed and would be of very low safety significance GREEN, in accordance with IMC 0609, Appendix K flowcharts.

2013-010, Automatic Group I Primary Containment Isolation Actuation During Plant Start Up Due To High Reactor Water Level October 19, 2013 with reactor power at nominal 1% power during startup, at about 290 psig with the mechanical pressure regulator in control, 3 bypass valves inadvertently opened, resulting in level swell and a Group I primary containment isolation signal, which resulted in automatic closure of the MSIVs and loss of the heat sink.

The reason the bypass valves rapidly opened was due to a malfunction of the mechanical pressure regulator (MPR). The MPR malfunctioned because an increased error signal between turbine steam pressure and the MPR setpoint due to friction between the MPR pilot valve and the pilot valve bushing resulting from lack of rotation of the pilot valve bushing. Corrective action was taken to flush the needle valve that controls oil flow to the pilot valve bushing and exercise of the pilot valve bushing to restore proper rotation.

The steam pressure regulator portion of the system consists of two independent pressure regulators; one is of the hydraulic-mechanical design (MPR) and the other is of the electro-hydraulic design (EPR). These subsystems are relied on to control main steam pressure. The MPR system is used for plant start up pressure control (150 to 1050 psig) until pressure reaches the low end of the EPR control range (between 910 to 1010 psig).

If a performance deficiency were determined to exist, IMC 0609 screening would apply. IMC 0609, Appendix A, Exhibit 1 Initiating Events Screening Questions, Section B would result in a NO response due to the potential finding not causing a reactor trip. Both a reactor trip AND the loss of mitigation equipment such as the condenser is required for a DRE. Section C. Support system Initiators could be potentially answered as Yes, due to the complete loss of the bypass valve function which contributed to or caused an initiating event in that a Loss of Condenser Heat Sink occurred. Therefore, it is assumed a Yes answer would lead to a DRE.

The analyst recognized that the MPR is only used during startup and shutdown conditions. In other words while the reactor is being started up and going through pressure ranges. The MPR would be used at startup until the Electronic Pressure Regulator, (normally in control) would take over to control within the 910 psig to 1010 psig region. It would be expected that the EPR would normally be in service with the failure mode of the MPR being active when in control.

The analyst went through the LER history and noted that a LOOP event had occurred several days prior on October 14, 2013 due to the loss of power to the station Unit Transformer.

However, this caused an expected loss of power and closure of the MSIVs due to loss of power to RPS. Therefore, the MPR may not have functioned during that shutdown several days prior.

However, LER 2013008 associated with a total loss of main feedwater event, had occurred on

34 August 22, 2013 and again had resulted in closure of MSIVs due to low level. However, the MPR would have had to function during the startup from that event, estimated to have been on August 24, 2013 or in that timeframe. There was no evidence of failure during that startup and the MPR was assumed to have functioned properly.

Therefore, from August 24, 2013 until this event on October 19, 2013 it would be unknown when the MPR would fail. Therefore a T/2 exposure time or 2 months divided by 2 would be used for a 1 month assumed exposure time due to the issue.

The NRC SPAR Model Version 8.24, using SAPHIRE 8.1.6 was assumed to provide a close match to the model used in the 2013 timeframe and was therefore used to perform a best estimate of the potential risk associated with a potential performance deficiency.

The SPAR model basic event, ACP-XHE-XM-NORECBKR was modified to a value of 1.2E-2 based on a SPAR-H calculation. This assumed nominal time available for recovery, High Stress, Moderately Complex, and Experience Low with all other assumptions nominal. This was applied to the base case and conditional case.

The conditional case used IE-LOCHS set to 1.0, because this event resulted in a loss of the condenser heat sink, with bypass valves failed open and therefore uncertainty would be involved with quick recovery of re-opening the MSIVs due to the differential pressure buildup (DP) across them.

The reason for this adjustment to ACP-XHE-XM-NORECBKR was defined in the review of LER 2013-008 and in the analysts review would account for the timeframe available to take measures to get one of the two failed closed Unit Auxiliary breakers open to allow offsite power, the EDGs or the 23KV line to feed the safety busses.

The base case was determined to be 5.42E-7/yr The conditional case was determined to be 3.92E-6/yr The delta CCDP was determined to be 3.37E-6/yr.

Delta CCDP 3.37E-6/yr x Exposure time 1 month (1/12) = 2.8E-7/yr This delta would be considered to be representative of the equivalent delta CDF/yr and is essentially calculating a CCDP and subtracting out the CCDP from the base case using the nominal LOCHS frequency.

The dominant core damage sequences are LOCHS with failure of High Pressure Injection and failure of Depressurization. This sequence is associated with the common cause failure of breakers 505 and 605 from the Unit Aux generator to open and prevent power feeding the safety busses. Therefore, DC power will run out and result in a loss of the above functions.

The second dominant sequence is associated with LOCHS with success of High Pressure Injection, failure of Suppression Pool Cooling, Success to Depressurize, Success of Condensate, failure to spray containment for cooling, and failure to vent containment.

A review of LERF would result in likely a very low E-7/yr, due to many of the sequences being high pressure. If the conservative values within IMC 0609, Appendix H were applied for containment factors for a Mark I, this could result in a LERF impact in the very low E-7/yr range.

However, this is considered conservative for a variety of reasons recognizing the core damage sequences dominating are of the 8 to 10 hour1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months timeframe, and considering the evaluations within LER 2011-006 and LER 2013-008:

35 For LERF, a performance deficiency if it were to exist would be considered a Type A finding and, as such, the calculated increase in CDF value in conjunction with an appropriate LERF factor would be used to determine the estimated increase in LERF. Per Appendix H, Table 5.2, LERF factors of 1.0 and 0.6 are used for high pressure core damage accident sequences with the drywell dry or flooded, respectively. These Appendix H LERF factors are considered conservative bounding values. More recent insights from an NRC Office of Research sponsored study by Energy Research, Inc. (ERI/NRC-03-04, November 20030 and subsequent State of the Art Reactor Consequence Analysis Project at Peach Bottom Nuclear Power Station (NUREG/CR-7110) have identified that improved modeling and analysis of anticipated types and sizes of reactor coolant ruptures, projected containment heating and fuel-coolant interactions, and operator actions taken in accordance with Severe Accident Management Guidelines, (to flood containment), significantly reduce the potential for containment breach and the likelihood of a LERF. Furthermore, the dominant sequences discussed above would result in considerable time (estimated 8-10 hours) before postulated core damage and additional time on the order of 7 more hours before a containment breach. Therefore, LERF if reviewed in further detail would be determined to not be a significant risk contributor and the safety significance of any potential performance deficiency if one existed, may be defined by the estimated increase in CDF (2.8E-7/yr) or very low safety significance (GREEN).

2014-001-00, "Condition Prohibited By Technical Specifications" is submitted in accordance with 10 CFR 50.73(a)(2)(i)(B) "Any operation or condition which was prohibited by Technical Specifications".

On May 6, 2014, with Pilgrim Nuclear Power Station (PNPS) in the RUN Mode operating at 100 percent power, the NRC Resident Inspector raised a concern about the PNPS method of complying with PNPS Technical Specification(TS) Limiting Condition for Operation (LCO) 3.7.A.2.b when a Primary Containment Isolation Valve is inoperable. TS LCO 3.7.A.2.b.requires that at least one containment isolation valve in each line having an inoperable valve shall be deactivated in the isolated condition This was determined to be an administrative issue from the review of the LER with no loss of any function. Therefore no risk increase was incurred as the valves were in the closed position to support their containment isolation function. The analyst agreed with the previous categorization of Green or of an NCV (very low safety significance).

ML18158A130

Contents

Text

SUBJECT:

Background

Background

Navigation menu

ML18158A130

Text

SUBJECT:

Background

Background

Navigation menu

Search