Text

Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, Standby Liquid Control (SLC) System.
	ML102861911
Person / Time
Site:	Dresden, Quad Cities
Issue date:	10/12/2010
From:	Hansen J; Exelon Generation Co, Exelon Nuclear
To:	; Document Control Desk, Office of Nuclear Reactor Regulation
References
	RS-10-172, TAC ME2567, TAC ME2568, TAC ME2569, TAC ME2570
	Download: ML102861911 (71)
	v • d • e

Exelon Generation 4300 Winfield Road www.exeloncorp.com Nuclear Warrenville, IL60555 RS-10-172 10 CFR 50.90 October 12, 2010 U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001 Dresden Nuclear Power Station, Units 2 and 3 Renewed Facility Operating License Nos. DPR-19 and DPR-25 NRC Docket Nos. 50-237 and 50-249 Quad Cities Nuclear Power Station, Units 1 and 2 Renewed Facility Operating License Nos. DPR-29 and DPR-30 NRC Docket Nos. 50-254 and 50-265

Subject:

Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, "Standby Liquid Control (SLC) System"

Reference:

1. Letter from Mr. Jeffrey L. Hansen (Exelon Generation Company, LLC) to U. S. NRC, "Request for Amendment to Technical Specification 3.1.7, 'Standby Liquid Control (SLC) System l , " dated November 10, 2009

2. Letter from U. S. NRC to Mr. Michael J. Pacilio (Exelon Nuclear),

"Dresden Nuclear Power Station, Units 2 and 3, and Quad Cities Nuclear Power Station, Units 1 and 2 - Request for Additional Information Related to Exelon Generation Company's Request to Amend Standby Liquid Control Technical Specifications (TAC Nos.

ME2567 THRU ME2670),t' dated September 23, 2010 In Reference 1, Exelon Generation Company, LLC (EGC) requested an amendment to Appendix A, Technical Specifications (TS) of Renewed Facility Operating License Nos.

DPR-19 and DPR-25 for Dresden Nuclear Power Station, Units 2 and 3 (DNPS), and Renewed Facility Operating License Nos. DPR-29 and DPR-30 for Quad Cities Nuclear Power Station, Units 1 and 2 (QCNPS). The proposed amendment revises Technical Specification (TS) 3.1.7, "Standby Liquid Control (SLC) System'" to extend the completion time (CT) for Condition 8 (Le., "Two SLC subsystems inoperable.") from eight hours to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

In Reference 2, the NRC forwarded requests for additional information (RAls) concerning the Reference 1 license amendment request. Attachment 1 to this letter provides the information requested by the NRC.

October 12, 2010 U. S. Nuclear Regulatory Commission Page 2 EGC has reviewed the information supporting a finding of no significant hazards consideration that was provided to the NRC in Reference 1. The additional information provided in this submittal does not affect the bases for concluding that the proposed license amendment does not involve a significant hazards consideration. No new regulatory commitments are established by this submittal.

If you have any questions concerning this letter, please contact Mr. Timothy A. Byam at (630) 657-2804.

I declare under penalty of perjury that the foregoing is true and correct. Executed on the 12th day of October 2010.

Respectfully, en Manager - Licensing Exelon Generation Company, LLC Attachments:

1. Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, "Standby Liquid Control (SLC) System"

2. WC-AA-1 01, liOn-line Work Control Process, II Revision 17

3. OP-AA-1 08-117, IIProtected Equipment Program, II Revision 1

AITACHMENT 1 Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, IIStandby Liquid Control (SLC) System ll

ATIACHMENT 1 Additional Information Supporting the Request for Amendment to ll Technical Specification 3.1.7, IIStandby Liquid Control (SLC) System In reviewing the Exelon Generation Company's (EGC's) submittal dated November 10, 2009 (Agencywide Documents Access and Management System Accession No. ML093140516), related to your request to amend Technical Specification (TS) 3.1.7, "Standby Liquid Control (SLC) System, " for the Dresden Nuclear Power Station (DNPS),

Units 1 and 2, and Quad Cities Nuclear Power Station (QCNPS), Units 1 and 2, the NRC staff has determined that the following information is needed in order to complete its review:

Question 1:

Identify adequate defense-in-depth for mitigation of anticipated transient without scram (A TWS) events for the extended 72-hour completion time period. The SLC system mitigates an ATWS event by delivering a concentrated borated solution to the reactor pressure vessel to shutdown the reactor. The TS Required Action being modified addresses the condition where both SLC trains are inoperable. In the event of an A TWS during this condition, there is no system available to inject concentrated borated solution into the reactor pressure vessel in a timely manner to achieve shutdown. The licensee submittal addresses the low probability of an A TWS event due to the reliability and diversity of the control rods, and also discusses the recirculation pump trip feature which reduces reactor power. However, there is no mechanism identified to assure safe shutdown to subcritical conditions as normally ensured by the operation of one of the two SLC trains.

Response 1:

The Standby Liquid Control (SLC) system is used in conjunction with other systems and the procedural guidance in the Emergency Operating Procedures (EOPs) as one method to shut down the reactor during an anticipated transient without scram (ATWS) event. The safety objective of the SLC system is to provide a backup method, which is redundant to, but independent of, the control rods, to establish and maintain the reactor subcritical as the nuclear system cools. The Completion Time (CT) extension has no impact on any plant design functions.

As demonstrated in Reference 1, Dresden Nuclear Power Station (DNPS) and Quad Cities Nuclear Power Station (QCNPS) Technical Specifications (TS) Limiting Condition for Operation (LCO) 3.1.7 requires the operability of two SLC subsystems when the reactor is in Modes 1, 2, and 3. In Modes 1 and 2, the SLC system satisfies the requirements of Atomic Energy Commission (AEC) Criteria 27, 28, 29 and 30 and 10 CFR 50.62, IIRequirements for reduction of risk from anticipated transients without scram (ATWS) events for Iight-water-cooled nuclear power plants. 1I Mode 3 was applied to TS 3.1.7 when the Alternative Source Term (AST) amendment (see Reference 2) was implemented at DNPS and QCNPS under 10 CFR 50.67, IIAccident source term. II 10 CFR 50.62(c) requires, and DNPS and QCNPS satisfies, the requirements which demonstrate redundancy and defense-in-depth for an ATWS condition. The technical basis for the NRC ATWS Rule (Le., 10 CFR 50.62) lies in the assessment of the failure to scram attributed to common cause failures of the electrical portion of the scram system or the mechanical portion of the scram system.

The elements of the rule provided redundant and diverse methods to cope with each of these postulated failure modes.

Page 1 of 13

ATIACHMENT 1 Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, "Standby Liquid Control (SLC) System" For the electrical common cause failure modes(1), the rule implemented Alternate Rod Insertion (ARI) and Recirculation Pump Trip (RPT) as diverse and redundant methods to achieve reactor shutdown despite the common cause electrical failure to scram. Neither ARI nor RPT are affected by the SLC CT extension and, therefore, represent redundant and diverse methods of ensuring sufficient negative reactivity insertion to bring the reactor subcritical.

For the mechanical common cause failure modes, the rule implemented an SLC requirement that was not single failure proof and required successful RPT. In other words, the ATWS Rule (Le., 10 CFR 50.62) recognized that 1) mechanical ATWS events were of low frequency, and 2) a non-redundant SLC system that allows portions of the system to be unavailable at power (e.g., one SLC pump unavailable for 7 days) was acceptable and consistent with the philosophy of the TS (Le., the TS generally allows portions of a system to be unavailable if the risk is acceptably low).

Subsequently, the BWR Owners' Group (BWROG) implemented Emergency Procedure Guideline (EPG) changes that enhance the ability to use the SLC system in an effective manner, and which provide additional defense-in-depth through alternative methods for insertion of negative reactivity. The BWROG additions of these alternative methods are real plant enhancements to safety which are incorporated into the DNPS and QCNPS EOPs.

The defense-in-depth associated with a mechanical common cause failure of the scram system, in addition to the SLC system, involves the following:

RPT to significantly reduce power (automatic initiation)

Reactor Pressure vessel (RPV) pressure control is satisfied by implementation of RPT. This is not affected by the SLC extended CT.

EOP actions by the crew to provide techniques to deal with the failure to scram

- Lower RPV water level to further reduce power

- Use the main condenser as a heat sink

- Direct all of the reactor heat to the main condenser

In parallel with these control room actions, the following also occurs.

The crew takes two actions, anyone of which is sufficient for negative reactivity insertion over a portion of the ATWS spectrum:

- Control Room Operator inserts individual control rods with the highest reactivity worth rods first.

- Field Auxiliary Operators align alternate Boron injection for reactivity control. This action may be directed in accordance with EOPs only if the initial attempts for SLC initiation are unsuccessful.

(1) INEL in NUREG/CR-5500 calculated that the probability of an ATWS event with an electrical scram failure is approximately twice as likely as an ATWS due to a mechanical scram failure.

Page 2 of 13

ATIACHMENT 1 Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, "Standby Liquid Control (SLC) System" The ability to lower RPV water level coupled with RPT can reduce power level to within the turbine bypass capacity of the main condenser, allowing hours for the crew to insert additional negative reactivity from individual control rods or alternate Boron injection.

Even without the main condenser, the reduced RPV water level can bring the power level within the suppression pool cooling (SPC) capability depending on the severity of the ATWS based on plant specific Modular Accident Analysis Program (MAAP) thermal hydraulic calculations.

The design requirements for reactivity control at DNPS and QCNPS are satisfied for the current configuration. The existing TS 3.1.7 allows both trains of the SLC system to be out of service for up to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . Currently, there are no additional redundancies or defense-in-depth measures stipulated when both trains of the SLC system are taken out of service. The increase to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months relies on these same existing defense-in-depth measures. The Probabilistic Risk Assessment (PRA) evaluation demonstrates that the incremental risk incurred by the increase in the CT is acceptable with acceptable margin as documented in Reference 1.

In the introduction to Regulatory Guide (RG) 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications,1I the RG states, liThe use of PRA technology should be increased in all regulatory matters to the extent supported by the state of the art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy. II This statement is elaborated on in section 2.2.1, IIDefense-ln-Depth,1I with the following:

"The engineering evaluation conducted should determine whether the impact of the proposed TS change is consistent with the defense-in-depth philosophy. In this regard, the intent of the principle is to ensure that the philosophy of defense in-depth is maintained, not to prevent changes in the way defense-in-depth is achieved."

The existing TS 3.1.7 allows both trains of the SLC system to be out of service for up to 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months . The increase to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months relies on these same existing defense-in-depth measures.

Defense-in-depth "has been and continues to be an effective way to account for uncertainties in equipment and human performance... When a comprehensive risk analysis can be performed, it can be used to help determine the appropriate extent of defense in depth (e.g., balance among core damage prevention, containment failures, and consequence mitigation) to ensure protection of public health and safety."

Thus risk informed information, when the risk increases are quantitatively assessed to be small or very small, can be used to provide an appropriate assessment and balance of defense-in-depth.

In Section 2, RG 1.177 states, II ...AOT requirements for multiple trains out of service should not be longer than that for one of the constituent trains. II It is clear that this RG Page 3 of 13

ATIACHMENT 1 Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, "Standby Liquid Control (SLC) System" allows the use of risk information to justify multiple train (Le., entire system) inoperability as long as the period of inoperability is appropriately short. Reference 1 provides the comprehensive risk analysis that determines that the risk increases of this TS change are livery small. 1I Because the SLC system CT is utilized only for emergent maintenance, no additional planned unavailability time will be incurred. During the extended CT period risk will be managed in accordance with 10 CFR 50.65, IIRequirements for monitoring the effectiveness of maintenance at nuclear power plants," paragraph (a)(4) , which will include additional risk mitigation actions as appropriate.

In the case of an emergent system failure, this amendment will reduce the possibility of a required reactor shutdown resulting from SLC System failures. The SLC System is not an initiator of any analyzed design basis event and therefore the CT extension does not increase the probability of a plant transient like a reactor shutdown would. The CT extension to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months could avoid the possibility of an undesirable transient caused by the shutdown of the reactor as a result of compliance with the 8-hour CT currently in TS 3.1.7 Condition B and, thus, minimizes potential risk contribution associated with a plant shutdown as discussed below.

Competing Risk In addition to the very low calculated risk associated with the continued power operation with SLC in a TS Required Action, it has previously been noted by both NRC and industry studies that imposing a shutdown will introduce its own risks. It is therefore a trade-off in the risks of staying at power versus a forced shutdown.

Continued power operation with the SLC system in a TS Required Action contributes to the accumulated risk. However, the requirement to demand a shutdown when SLC is inoperable can be considered an averted risk if it can be avoided. While this averted risk is not quantified(1) in the DNPS or QCNPS SLC CT extension request, it is judged that the risk associated with the forced shutdown is approximately equivalent to the risk of remaining at power.

Defense-in-Depth Assessment Consistency with the defense-in-depth philosophy as noted in RG 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, II Section 2.2.1.1, is maintained if:

A reasonable balance is preserved among prevention of core damage, prevention of containment failure, and consequence mitigation.

Over-reliance on programmatic activities to compensate for weaknesses in plant design is avoided.

(1) The forced shutdown risk is estimated at 7.BE-OB per demand for DNPS based on the DR2058 at-power PRA model (1.0E-07 per demand for QCNPS based on the QC1 058 at-power PRA model). This represents an approximation of the averted risk. Additional PRA analysis was provided for both DNPS and QCNPS in Reference 1.

Page 4 of 13

ATIACHMENT 1 Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, "Standby Liquid Control (SLC) System"

System redundancy, independence, and diversity are preserved, commensurate with the expected frequency, consequences of challenges to the system, and uncertainties (e.g., no risk outliers).

Defenses against potential common cause failures are preserved and the potential for the introduction of new common cause failure mechanisms is assessed.

Independence of barriers is not degraded.

Defenses against human errors are preserved.

The intent of the general design criteria in 10 CFR Part 50, Appendix A, is maintained.

A discussion of the proposed changes against the defense-in-depth criteria listed above is provided below.

A reasonable balance is preserved among prevention of core damage. prevention of containment failure. and consequence mitigation.

The proposed change involves extension of the CT for the SLC system from 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for SLC System emergent repairs. Core damage due to an ATWS will be prevented by the availability of redundant and diverse methods of inserting sufficient negative reactivity to control the fission process and reach a safe, stable state. These include actions such as reactor scram and individual control rod insertion, as needed, and the use of ARI and RPT as discussed above.

Prevention of containment failure will be assured based on adequate decay heat removal capability provided by safety systems, via Balance of Plant (Le., the main condenser), or containment vent. Although the proposed CT changes do impact core damage frequency (CDF) and large early release frequency (LERF), this impact is very low in accordance with RG 1.174 and RG 1.177. Consequence mitigation remains acceptable during the CT extension. Therefore, a reasonable balance among prevention of core damage, prevention of containment failure, and consequence mitigation is preserved.

Over-reliance on programmatic activities to compensate for weaknesses in plant design is avoided.

The proposed change involves extension of the CT for the SLC System from 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . If DNPS or QCNPS should enter TS LCO 3.1.7 Condition B, EGC will rely on the normal work process controls to define the appropriate compensatory actions taken for a condition where the SLC System is inoperable. This process is proceduralized and assesses risk and manages the increase in risk that may result from maintenance activities. Since operators are trained in the appropriate work processes, there is no overreliance on programmatic activities specific to this condition necessary to compensate for the SLC unavailability.

System redundancy. independence. and diversity are preserved commensurate with the expected frequency. consequences of challenges to the system. and uncertainties (e.g.. no risk outliers).

Page 5 of 13

ATTACHMENT 1 Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, "Standby Liquid Control (SLC) System" The safety equipment associated with the operable reactivity control systems will continue to be capable of performing the necessary safety functions consistent with accident analysis assumptions. The degree of redundancy provided by the available reactivity control systems is commensurate with the expected frequency of the accident challenge and the consequences of the challenge including the uncertainties.

Defenses against potential common cause failures are preserved and the potential for the introduction of new common cause failure mechanisms is assessed.

The scram system, RPT, ARI, and alternate boron injection assure the availability and capability of redundant, independent, and diverse means of accomplishing critical safety functions during the proposed CT extension. The proposed plant configuration poses no new common cause failures. Existing station work practices include programmatic controls to minimize the likelihood of human error induced common cause failures. As such, appropriate measures will be taken to preserve defenses against potential common cause failures and no new common cause failure mechanisms will be introduced as a result of SLC system maintenance and restoration.

Independence of barriers is not degraded.

As discussed above, means of achieving and maintaining safe shutdown conditions will be maintained during the proposed CT extension. These means are independent, redundant, and diverse and, consequently, they will prevent undue challenges to the fuel cladding, reactor coolant pressure boundary, and containment from occurring. Therefore, the independence of barriers will not be degraded by the proposed CT extensions.

Defenses against human errors are preserved.

Critical safety functions will be maintained during the proposed CT extension. The work control process includes operator briefs to assure that the operating staff is fully aware of the plant configuration and actions that may be needed in order to respond to problems that could arise during the proposed CT extension. The increased CT will provide the necessary time to implement SLC repairs. This will reduce time pressure during the repairs, which will facilitate improved operator and maintenance personnel performance, resulting in reduced errors. These measures will assure that the defenses against human errors will be adequately preserved during the proposed CT extension.

The intent of the General Design Criteria in 10 CFR Part 50. Appendix A, is maintained [Note - Atomic Energy Commission (AEC) Criteria 27.28.29 and 30 are applicable for DNPS and QCNPSJ.

The proposed change involves an extension of the current TS CT for systems that are impacted by the SLC repairs. The systems that are affected during a particular SLC LCO outage are all associated with the SLC System leaving the primary reactivity control method and the backup scram system fully capable and operable to Page 6 of 13

ATTACHMENT 1 Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, "Standby Liquid Control (SLC) System" perform their safety functions. The proposed changes do not modify the plant design bases or the design criteria that were applied to structures, systems, and components during plant licensing. Consequently, the plant design with respect to the General Design Criteria is not affected by the proposed change.

Conclusion In conclusion, and as stated in Reference 1, the control rods are the primary reactivity control system for the reactors at DNPS and QCNPS. In conjunction with the Reactor Protection System (RPS), the control rods provide the primary means for reliable control of reactivity changes to ensure that fuel design limits are not exceeded. In addition to control rods and RPS, the ARI system provides a separate set of backup scram valves(1) in the event that the normal scram path cannot be initiated by RPS. Defense-in-depth is maintained through these systems.

For the primary control rod scram function to fail, a diverse number of failures would have to occur in order in prevent the scram valves from opening. Also as noted, the ARI system would be available as a separate means for reactor shutdown in the event that the normal scram path cannot be initiated by the RPS. In conjunction with the ARI system, the ATWS RPT provides an additional means for rapid power reduction in the event that the normal scram path cannot be initiated by RPS. Manual insertion of individual control rods coupled with successful RPT is another proceduralized method to shut down the reactor. The use of the alternate boron injection method is proceduralized and can be used in conjunction with the ATWS EOP response steps to safely insert sufficient negative reactivity to bring the reactor subcritical.

Adequate redundancy and defense-in-depth exists for reactivity control and the proposed change to the SLC System CT does not affect the redundancy, independence, or diversity of the RPS and ARI systems, or the RPT.

Question 2:

Clarify the intended reliance on emergency operating procedure (EOP) actions as an alternate means of boration and provide evaluations that justify any credited actions related to the requirements of Title 10 of the Code of Federal Regulations, Section 50.67, Accident source term," as appropriate.

Page 17 of 19 of Attachment 1 states the following:

By letter dated October 10, 2002, EGC requested an amendment to the DNPS and QCNPS TSs regarding the adoption of an alternate source term (AST) methodology. The [Nuclear Regulatory Commission] NRC approved the requested license amendment by letter and safety evaluation (SE) dated September 11, 2006. As part of the proposed [alternate source term] AST methodology, EGC proposed the use of the SLC system to inject sodium pentaborate into the [reactor pressure vessel] RPV following a [Ioss-of-coolant accident] LOCA in order to maintain suppression pool pH above 7 (i.e., In order to ensure against re-evolution of elemental iodine). As such, the SLC is required (1) AAI success may also require APT success under worst case assumed conditions.

Page 7 of 13

AITACHMENT 1 Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, "Standby Liquid Control (SLC) System" to be operable in Mode 3 to ensure that offsite doses remain within the limits of 10 CFR 50.67, Accident source term" following a loss-of-coolant accident (LOCA) involving significant fission product releases. However, additional redundancy for the control of suppression pool pH control following a LOCA is established by the DNPS and QCNPS Emergency Operating Procedures (EOPs). The EOPs describe the actions and criteria for manual addition of boron into the condensate systems, should [reactor protection system] RPS, control rods, the control rod drive system, and the SLC be unable to perform the specifed [sic] design functions. Therefore, the proposed SLC [completion time]

CT extension will not impact the ability of DNPS and QCNPS to comply with the requirements of 10 CFR 50.67.

The license amendment request (LAR) describes alternative means for boration as additional redundancy in support of defense-in-depth measures to justify the proposed extension of the TS 3. 1.7 completion time. These alternative means of boration consist of actions in the EOPs. Page 4 of Attachment 1 of the LAR states that the SLC system is required to be operable to ensure that offsite doses remain within 10 CFR 50.67 limits following a LOCA. The SLC system is credited for maintaining pH balance in the suppression pool at or above 7 following a LOCA to ensure that iodine will be retained in the suppression pool.

The NRC staff has identified that the proposed alternate means of boration are not currently included in the DNPS and QCNPS licensing basis. The LAR indicates that the licensees intend to credit the referenced EOP actions as an alternate boration pathway to meet the requirements of 10 CFR 50.67. If so, then additional justification is required to support reliance on these actions as a credited alternate boration pathway. The NRC document "Guidance on the Assessment of a BWR [boiling-water reactor] SLC System for pH Control," dated February 12, 2004 (ADAMS Accession No. ML040640364) provides an approach that is acceptable to the NRC staff for evaluating the alternative controls of the suppression pool pH against appropriate methodologies.

If Exelon's intent is not to credit a new alternate boration pathway, then clarification is needed regarding the use of the EOP actions as an alternative means of boration with respect to defense-in-depth as related to 10 CFR 50.67. Please provide the following information:

1) Does the alternate injection path require actions in areas outside the control room?

2) Confirm that these areas will be accessible during the design basis accidents in your licensing bases (LOCA, Main Steamline Break etc.)?

3) What additional personnel will be required?

4) Confirm that these actions can be completed within a timeframe consistent the current licensing basis.

Response 2:

The SLC CT Extension LAR (Reference 1) stated the following regarding Alternative Source Term:

Page 8 of 13

ATIACHMENT 1 Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, IIStandby Liquid Control (SLC) System ll The SLC System is required to be operable in Modes 1, 2 and 3 to ensure that offsite doses remain within the limits of 10 CFR 50.67, IIAccident source term ll limits following LOCA involving significant fission product releases. However, additional redundancy for the control of suppression pool pH control following a LOCA is established by the DNPS and QCNPS EOPs. The EOPs describe the actions and criteria for alternate means of manual addition of boron into the condensate systems should the SLC System fail to operate as designed.

Exelon Generation Company, LLC (EGC) does not intend to credit the referenced EOP actions in the Licensing Basis as an alternate boration pathway to meet the requirements of 10 CFR 50.67. The reference to the existing DNPS and QCNPS EOP procedures for alternate SLC injection are provided only to illustrate that additional methods currently exist to enhance and support sodium pentaborate injection in the event of a Design Basis Loss of Coolant Accident (LOCA) which occurs in conjunction with an outage of the entire SLC system. It is understood that the alternate injection methods contained in the DNPS and QCNPS EOPs do not satisfy all of the requirements in the NRC's IIGuidance on the Assessment of a BWR SLC System for pH Control, II dated February 12, 2004.

In response to the four questions identified above, EGC has reviewed the EOP actions associated with the alternate sodium pentaborate injection path. The alternate injection path is not formally credited in the plant design basis for defense in depth; rather, the method augments EOP actions in the extremely unlikely event that boron injection is required and SLC is not available.

Many of the required actions associated with the alternate injection path are performed outside the Main Control Room. It is expected that these areas will be accessible following an accident; however, radiological conditions are highly event dependent and plant entry would be strictly controlled by the emergency response organization. It is expected the alternate injection would be implemented using the normal compliment of on-shift staff personnel. The timeframe for implementation of the alternate injection method is consistent with the EGC requirements for pH control.

It should be noted that sodium pentaborate injection for pH control is only required for the design basis LOCA where suppression pool IIscrubbingll is credited for dose mitigation. The proposed CT extension has no physical impact on any plant design feature and therefore does not affect the alternate injection methodology and relationship to the plant's design basis.

Based on the above, the DNPS and QCNPS SLC systems continue to comply with the requirements of the NRC's IIGuidance on the Assessment of a BWR SLC System for pH ControlII as demonstrated and accepted in the DNPS and QCNPS AST License Amendment (Reference 2). The Safety Evaluation provided in Reference 2 addresses the SLC system redundancy and states:

To demonstrate that the SLC system was capable of performing its intended safety function during a LOCA following AST implementation, the licensee utilized the guidance provided by the NRC in the review guideline document titled IIGuidance on the Assessment of a BWR SLC System for pH Control II ...

Page 9 of 13

ATIACHMENT 1 Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, "Standby Liquid Control (SLC) System" The fourth guideline in this document concerns the lack of redundancy of a plant's SLC system with respect to its active components. A plant can offset this lack of redundancy by showing acceptable quality and reliability of non-redundant active components and/or compensatory actions in the event of failure of the non-redundant active components by meeting the six criteria outlined in the document. ..

The NRC staff has reviewed the calculations and justifications provided by the licensee and, based in this review, finds that the analysis presented in the licensee's submittal support the conclusion that the SLC system will operate as required and that the suppression pool pH will stay basic for the period of 30 days after a LOCA.

The criteria stipulated in the "Guidance on the Assessment of a BWR SLC System for pH Control" do not refer to the licensee's established SLC System TS CT. The acceptability of the SLC System to fulfill the pH injection requirements does not depend on the existing CT. The bases for redundancy and defense in depth of SLC injection for pH control centers around "showing acceptable quality and reliability of non-redundant active components and/or compensatory actions in the event of failure of the non-redundant active components by meeting the six criteria outlined in the document. ThisII has been accepted in the DNPS and QCNPS AST Safety Evaluation. In extending the CT from 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months , the defense-in-depth and redundancy justification remain.

In summary, the DNPS and QCNPS SLC system has satisfied the redundancy and defense-in-depth with respect to the SLC injection requirements as indicated in the AST Safety Evaluation. The evaluation performed in response to the NRC's "Guidance on the Assessment of a BWR SLC System for pH Control, demonstrated an acceptable II quality and reliability of non-redundant active components and/or compensatory actions in the event of failure of the non-redundant active components. The increase in the CT is now significantly restricted to those prescribed times when an emergent failure results in entry into Condition B of TS 3.1.7 (Le., both SLC trains inoperable).

Question 3:

Please demonstrate how General Design Criteria (GDC) 26, "Protection Systems Fail-Safe Design, " and GDC 27, "Redundancy of Reactivity Control, " regulatory requirements are met during the requested extended outage time for both trains of SLC inoperable.

Response 3:

DNPS and QCNPS were designed and licensed prior to the development of the General Design Criteria (GDC). Therefore, conformance with the NRC GDC was not part of the design basis of the DNPS or QCNPS systems. However, as part of the initial licensing of the DNPS and QCNPS stations, an evaluation of the design basis against the draft NRC GDC was completed. The results of these evaluations, with respect to the first draft of the 70 proposed "General Design Criteria for Nuclear Power Plant Construction Permits" issued by the Atomic Energy Commission (AEC) in July 1967, are documented in the DNPS and QCNPS Updated Final Safety Analysis Reports (UFSAR) Section 3.1.

As documented in DNPS UFSAR Section 3.1.1.4.8 and QCNPS UFSAR Section 3.1.4.8, General Design Criterion 26, "Protection Systems Fail-Safe Design'" states the Page 10 of 13

ATIACHMENT 1 Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, "Standby Liquid Control (SLC) System" "protection systems shall be designed to fail into a safe state or into a state established as tolerable on a defined basis if conditions such as disconnection of the system, loss of energy (e.g., electric power, instrument air), or adverse environments (e.g., extreme heat or cold, fire, steam, or water) are experienced. The EGC evaluation against this II criterion indicates that a failure of anyone reactor protection system input or subsystem component will produce a trip in one of the two channels. This is a situation insufficient to produce a reactor scram, but the logic is readily available to perform its protective function upon another trip (either by failure or by exceeding the present trip). As stated in ONPS UFSAR Section 3.1.2.3.4, a "failure of anyone reactor protection system input or subsystem will not prevent a subsequent trip signal or a tripped condition on both channels from initiating the protective function. All control equipment and motive power sources are designed to operate under conditions of design basis environmental extremes." It is clear that the protection system addressed by GOC 26 above is the RPS.

In summary, the proposed change to the ONPS and QCNPS TS described in Reference 1, does not affect the RPS or the ability of the protection systems to scram the reactor.

The proposed change will allow extended operation with the SLC system function inoperable but this does not affect compliance with the fail-safe design of the RPS. The RPS will continue to fail into a safe state as required by GOC 26.

GOC 27, "Redundancy of Reactivity Control, as documented in ONPS UFSAR Section II 3.1.1.5.1 and QCNPS UFSAR Section 3.1.5.1, states that at "Ieast two independent reactivity control systems, preferably of different principles, shall be provided. II GOC 27 requires only two redundant and independent reactivity control systems. DNPS and QCNPS have the following reactivity control systems:

1. Control Rods: The control rod system, in conjunction with the use of burnable poison in the fuel and the reactor coolant recirculation system flow control, has the capability of controlling reactivity changes resulting from load changes, long-term reactivity changes, xenon burnout and fuel burnup.

Reactor shutdown by the control rod system, in conjunction with the reactor protection system, is sufficiently rapid to prevent fuel design limits from being exceeded during any anticipated operational transients. The control rod system is designed with a positive means of insertion and is capable of maintaining the reactor subcritical under hot or cold conditions with the highest worth control rod in the fully withdrawn position.

2. Combinations of RPT(1) and one of the following additional negative reactivity insertion methods:

(a) Standby Liquid Control System: This system is able to shutdown the reactor from normal operation, for anticipated operational occurrences in the event control rods do not function (an event recognized by the NRC to be -1 E-6 probability), and during cold conditions.

(1) Recirculation Pump Trip: This reactivity control system is automatically initiated and is capable of significantly reducing reactor power in the event of an ATWS from full power to approximately 40%-50%

power.

Page 11 of 13

ATIACHMENT 1 Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, "Standby Liquid Control (SLC) System" (b) Individual Control Rod insertion: This reactivity control system is manually initiated and provides for operator insertion of individual Control Rods to reduce power.

Thus, the reactivity control systems for DNPS and QCNPS meet the requirements of GDC 27.

In addition, TS were defined by the NRC to recognize that there are certain allowances for equipment inoperabilities, and as long as the CT is met no undue risk to the health and safety of the public is incurred. Risk-informed TS have been approved by the NRC in recognition that original judgments of CTs were based on experience and engineering judgment and not informed by quantitative data from mature risk assessments.

The fact that there is an existing CT for both subsystems being inoperable rather than this event being relegated to TS 3.0.3 recognizes the judgment in the redundancy and diversity of BWR reactivity control systems and the extremely low probability of the ATWS event occurrence.

Question 4:

The Notices of Enforcement Discretion (NOEDs) referenced in the application provide lists of compensatory actions and additional committed actions. The NRC's basis for the NOEDs considered the compensatory measures to reduce the probability of a plant transient while ensuring the availability of other safety related equipment. Please describe how each compensatory action is addressed in the proposed change or demonstrate why it is not necessary. (Compensatory actions: 1) both A 7WS recirculation pump trip systems would be protected, 2) the reactor protection system (RPS) would be protected, and 3) all production risk activities would be prohibited)

Response 4:

The DNPS and QCNPS SLC CT LAR (Le., Reference 1) risk evaluations do not credit any compensatory measures as a means to reduce risk during the proposed extended SLC CT. However, work process controls are in place in accordance with the EGC Risk Management On-Line Risk Program defined in EGC procedure WC-AA-1 01, "On-Line Work Control Process." A copy of this procedure is provided as Attachment 2. This program, as required by 10 CFR 50.65(a)(4), assesses risk and manages the increase in risk that may result in maintenance activities, including emergent activities.

The current EGC online risk program assesses changes in both 1) probabilistic results, and 2) Defense-in-Depth results and reports results using colors (Le., GREEN, YELLOW, ORANGE, and RED) for each approach. Overall online risk is assessed using the most limiting (Le., worst) risk color input from either the probabilistic or the Defense-in-Depth approach. For the probabilistic approach with unavailability of both trains of the SLC system, instantaneous Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) results in Risk Increase Factors (RIFs) over the zero maintenance CDF and LERF in the "GREEN" range for DNPS and "YELLOW" range for QCNPS. For the Defense-in-Depth approach with unavailability of both trains of the SLC System, the Reactivity Control Safety Function uses a deterministic approach and assesses risk as "ORANGE" for both DNPS and QCNPS. The Reactivity Control Safety Page 12 of 13

ATIACHMENT 1 Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, "Standby Liquid Control (SLC) System" Function result of 1I0RANGE" from the Defense-in-Depth approach is the most limiting result and drives the overall online risk color to be 1I0RANGE".

Compensatory actions taken for a change in overall plant risk are in accordance with EGC procedure WC-AA-1 01. For an ORANGE condition, the procedure drives the station to implement the following actions.

IIRequires senior management review and approval prior to entering this condition. Compensatory measures shall be taken to reduce risk, including limiting unavailability time and establishing contingency plans for restoration and / or protection of SSCs as defined in OP-AA-1 08-117, Protected Equipment Program, relied upon to mitigate events. If an emergent condition causes, or degradation may cause an unplanned entry into this condition, notify station duty manager. II The Protected Equipment Program described in procedure OP-AA-108-117, provided in Attachment 3, includes the following:

IIProtected Equipment: Any SSC which has been identified as being essential to ensure that either defense-in-depth of a Key Safety Function is maintained, unit generation is maintained or overall risk levels are maintained. 1I As described above, the EGC Risk Management Program defines the appropriate compensatory actions taken for a condition where the SLC system is inoperable. These actions are consistent with those identified in previous NOEDs and specifically detailed in the RAI question above.

References:

1. Letter from Mr. Jeffrey L. Hansen (Exelon Generation Company, LLC) to U. S.

NRC, "Request for Amendment to Technical Specification 3.1.7, IIStandby Liquid Control (SLC) System II," dated November 10, 2009

2. Letter from U. S. NRC to Mr. Christopher M. Crane (Exelon Generation Company, LLC), "Dresden Nuclear Power Station, Units 2 and 3, and Quad Cities Nuclear Power Station Units 1 and 2 - Issuance of Amendments Re: Adoption of Alternative Source Term Methodology,1I dated September 11,2006

3. Letter from M. A. Satorius (U. S. NRC) to C. M. Crane (Exelon Generation Company, LLC), IINotice of Enforcement Discretion for Exelon Generation Company LLC Regarding Quad Cities Nuclear Power Station, Unit 1 (NOED 06 01)," dated October 18, 2006

4. Letter from M. A. Satorius (U. S. NRC) to C. M. Crane (Exelon Generation Company, LLC), "Notice of Enforcement Discretion for Exelon Generation Company LLC Regarding Dresden Nuclear Power Station, Unit 2 (NOED 07-3-01 ;

TAC MD4044),1I dated January 24,2007 Page 13 of 13

ATTACHMENT 2 WC-AA-1 01, liOn-line Work Control Process, Revision 17 II

Exelcn WC-AA-101 Revision 17 Page 1 of 41 Nuclear Level 3 - Information Use ON-LINE WORK CONTROL PROCESS

1. PURPOSE 1.1 . General 1.1.1. This procedure establishes the administrative controls for performing on-line maintenance of structures/systems/components (SSC) in order to enhance overall plant safety and reliability.

1.1.2. This procedure applies to units in power operations in PWR modes 1, 2, 3/BWR modes 1,2.

1.2. Discussion 1.2.1. Nuclear stations perform corrective, preventive, and predictive maintenance activities on SSCs important to safety and reliability at power to ensure that an SSCs overall reliability will be maintained or improved. The benefits of well managed maintenance conducted during power operations include increased system and unit reliability, reduction of SSC deficiencies that could impact operations, more focused attention during periods when fewer activities are competing for specialized resources, and reduction of work scope during outages. Maintenance activities that are planned and executed within established bounds and acceptable levels of risk maintain overall plant safety. A configuration risk assessment of planned maintenance activities is conducted prior to initiating any maintenance activity. (CM-1, CM-2, CM-4) 1.3. Process Integration 1.3.1. On-Line Work Control, On-Line Maintenance, and the Configuration Risk Management Program are subsets of the Work Management Process.

1.4. Electronic-Based Automated Features and Retrieval 1.4.1. This document is available via electronic central file.

1.4.2. To get document on one page, print Attachment 1 separately from the main document.

WC-AA-101 Revision 17 Page 2 of 41

2. TERMS AND DEFINITIONS 2.1. (a)(1) Action Step Committed Due Date - Date approved by maintenance rule expert panel for completion of an (a)(1) action item.

2.2. Administrative Limit - The limit on the amount of time allowed for a SSC to be inoperable or unavailable. This will always be less than a Regulatory Limit, such as an LCO.

2.3. Aggregate Risk - Is the average core damage frequency (CDF) based on actual SSC unavailability. The average CDF is calculated as a rolling 12 month average for each unit. Aggregate risk may be expressed as either the absolute CDF value, or normalized to the zero-maintenance CDF.

2.4. CDF - Core Damage Frequency measured in core damage events per year.

2.5. Compensatory Measure - Action taken to protect a key safety function.

2.6. Confidence Run - A period of time when vital equipment is operated to ensure it is functioning properly. Confidence runs are utilized to ensure a single componenUtrain can successfully operate when the opposite train is removed from service. See Attachment 10 for details and guidelines.

2.7. Configuration Risk - The risk assessed for plant configuration changes as a result of the Configuration Risk Management Program (CRMP) 2.8. Contingency Plan - Plan for restoration of, and/or mitigating the loss of, a key safety function.

2.9. CRMP - The configuration risk management program ensures that configuration risk is assessed (probabilistic and/or deterministic) and managed due to any plant configuration change, consistent with the requirements of 10CFR50.65 (a)(4).

2.10. Dedicated Operator - A worker that is assigned actions (Le. component manipulations) to maintain systems/components available in support of online risk assessments or other programs. This individual has received a pre-job briefing, is in direct communications with the control room, is stationed to immediately respond and perform the system restoration and has no other responsibilities that will inhibit the ability to immediately take action. If, as described in the Station's licensing basis, the allowed time to complete the action is less than 30 minutes, a dedicated operator must be assigned to perform the action.

WC-AA-101 Revision 17 Page 3 of 41 2.11. Designated Operator - A worker that is assigned actions (Le. component manipulations) to maintain systems/components available in support of online risk assessments or other programs. This individual has received a pre-job briefing and is stationed in the same building as the affected component(s) and is in direct communications with the control room. The individual can participate in other activities but cannot be distracted from performing actions that were briefed if needed. The dispatching supervisor must ensure that collateral duties do not interfere with the designated operator response. If, as described in the Station's licensing basis, the allowed time to complete the action is greater than 30 minutes, a dedicated operator may be assigned to perform the action.

2.12. Dominant Risk Factor - A redundant/diverse SSC which, if lost concurrent with other SSCs being unavailable for planned maintenance, would cause an unplanned entry into a red CDF risk configuration, disrupt continued power operations, or result in the loss of a key safety function. The SSC would be termed Protected Equipment if selected for protection under this procedure.

2.13. Emergent Condition - Unplanned SSC failure/malfunction impacting a safety function, or a potential loss of plant equipment due to external flooding, or potential loss of offsite power due to severe weather or grid instability, or discovery of a missed technical specification surveillance or other unplanned configuration change.

2.14. High Risk Evolution (HREl - An activity (or portion of activity), or external/internal condition that represents a significant increase in the likelihood of an initiating event monitored in the Configuration Risk Management Program.

2.15. Initiating Event- Each site's PARAGON program (or equivalent) contains PTOTs, which correspond to risk-significant initiating events. The initiating events listed under the PTOTs are those events that should be considered for potential HREs.

2.16. Instantaneous CDF Change Criteria - The increase in COF during the time that the equipment is unavailable compared with the base COF. The instantaneous COF change criteria utilize thresholds and color bands. The resulting allowed ratio of risk increase are based, in part, on criteria contained in the EPRI PSA Applications Guide combined with qualitative judgment of Exelon Nuclear risk management personnel.

2.17. Key Components- Support components or multiple frontline components as modeled in the site-specific Configuration Risk model PTOTs 2.18. Key Safety Function - Key Safety Function is defined in OP-AA-108-117. The key safety functions are monitored by a combination of SFOTs and/or PTOTs.

2.19. LERF - Large Early Release Frequency is the frequency of a release of unfiltered fission products due to a significant core damage event prior to evacuation of the nearby population.

WC-AA-101 Revision 17 Page 4 of 41 2.20. Mitigating System Performance Index (MSPI) - The sum of changes in a simplified core damage frequency evaluation resulting from differences in unavailability and unreliability relative to industry standard baseline values. The MSPI is supplemented with system component performance limits.

2.21. MSPI "At Risk": A MSPI system where unreliability and/or unavailability performance has declined to a point where there is a real potential for reaching the MSPI green to white threshold. This is defined as meeting the following criteria for the thirty-six (36) month rolling period:

- When the risk cap is invoked, or

- When failure margin to non-green is equal to zero (0) for any component failure mode, or

- When the actual failures are greater than zero (0) AND the smallest failure margin to non-green is less than two (2), or

- When the smallest value of "train unplanned hours to white" is less than the equivalent LCO AOT hours or seven (7) days, whichever is the lower value.

2.22. Predefine Activities - Activities performed on a periodic bases generated from the work management database.

2.23. Operational Risk Activity - Refer to WC-AA-104, "Integrated Risk Management."

2.24. Probabilistic Risk Assessment (PRA) - A quantitative assessment of the risk associated with plant operation and maintenance. The risk is measured in terms of the frequency of occurrence of different events including severe core damage.

2.25. PTOT - Plant Transient Decision Tree evaluates potential for initiating a plant transient or for decreasing mitigation capability. PTDTs are also known as PTATs (Plant Transient Analysis Tree) in some PARAGON models.

2.26. Risk Analysis - A measure of plant risk based upon probabilistic and deterministic insights.

2.27. SFOT - Safety Function Decision Tree evaluates defense-in-depth of key safety functions. SFDTs are also known as SFATs (Safety Function Analysis Tree) in some PARAGON models.

2.28. Simple Activity - any activity in which a single person performs all required plant manipulations without the assistance of a technical expert. Individuals performing verifications or addressing alarm functions are NOT considered as performing manipulations.

2.29. SSC - Structure, System, or Component.

2.30. SUMMER - Defined in WC-AA-107 Seasonal/Readiness.

2.31. TRM - Technical Requirements Manual.

WC-AA-101 Revision 17 Page 5 of 41 2.32. Unavailable - An sse in a position in which it is unable to perform its intended function (refer to Attachment 6 for additional guidance).

3. RESPONSIBILITIES 3.1. Plant Manager - or designated alternate must approve any activity as specified in Attachment 1 "On-Line Maintenance Requirements List." The approval shall be documented on Attachment 2 "Online Maintenance Approval Form".

3.2. Work Control Manager - is responsible for overall implementation of this procedure.

3.3. Cycle Manager Owns the cycle plan Cycle Manager or Work Week Manager Screens the proposed schedule against the criteria of Attachment 1 "On-line Maintenance Requirements List" and ensure requirements are met.

Ensures, or designates, that a risk assessment of planned and emergent work has been performed and evaluates the results against the criteria of Attachment 3 "Configuration Risk Management Criteria."

Ensures completion and approval of Attachment 2 "On-line Maintenance Approval Form."

3.5. Work Week Manager (WWMl - owns and enforces the scheduling, work execution, and performance review processes from turnover with the Cycle Manager at E-7 through E+1, and Ensures completion and approval of Attachment 2 "On-line Maintenance Approval Form." .

Oversees the preparation and coordination activities of any Online Maintenance Project Coordinator(s) required by this procedure.

Ensures a listing of Operational risk activities is provided to the Operations Center (NOO) as prescribed by OP-AA-108-107-1001.

WC*AA*101 Revision 17 Page 6 of 41 3.6. Online Maintenance Project Coordinator - designated by Cycle Manager or WWM to manage special or complex projects during on-line operation.

The Online Maintenance Project Coordinator shall serve as the single point of contact between the Shift, Work Week Manager, and work groups.

The Online Maintenance Project Coordinator shall work with the Work Week Manager to ensure the "scope of work" is adequately defined, lessons learned are applied, fragnets and timelines are accurate, a readiness review is conducted, work is executed on-time and as scheduled, and all paperwork is closed out.

3.7. Shift Operations Superintendent (SOS)

Ensures shift operations reassess risk if emergent condition results in a plant configuration that has not been previously assessed.

Ensures shift operations apply Protected Equipment barriers as appropriate.

3.8. Operations Shift Management (CM*5)

Ensures a listing of Operational risk activities is provided to the Operations Center (NOO) as prescribed by OP-M-108-107-1001.

Ensures planned load reductions (as described in section 4.2.5) are coordinated with the Operations Center.

Ensures Operations is notified of shutdown LCO work as specified in Attachment 1.

Determines if online risk is affected prior to plant configuration changes that have not been previously assessed in accordance with reference 6.34.

Ensures appropriate actions are taken to mitigate online risk.

3.9. Site Maintenance Rule Coordinator (SMRC)

Provides SSC Unavailability (MR) information required by this procedure.

Monitors the schedule process to ensure maintenance rule (a)(1) action step committed due dates are being met.

3.10. Site SSPI Data Steward Provides Safety System Unavailability (WANO) information required by this procedure.

3.11. Site MSPI Data Steward Provides MSPI (NRC) information required by this procedure.

WC-AA-101 Revision 17 Page 7 of 41 3.12. Site Risk Management Engineer (SRME)

Serves as an advisor to the Cycle Manager, Site Maintenance Rule Coordinator, and Shift Operations relative to risk assessment tools, interpretation of risk assessment results, and risk significance of any actual or anticipated plant configuration.

Serves as point of contact with corporate risk management engineering.

Reviews work week risk profiles Trends aggregate risk to ensure the average baseline risk is maintained within an acceptable band.

3.13. Risk Management Engineer (RME)

Ensure the PRA model meets owners group certification standards and is maintained current with the design configuration of the plant in accordance with ER-AA-600.

Ensure the PRA risk threshold bases documentation is maintained and readily retrievable.

WC-AA-101 Revision 17 Page 8 of 41

4. MAIN BODY 4.1. Precautions 4.1.1. The Operating Shift shall continuously evaluate the risk of the scheduled on-line maintenance activity based upon conditions, such as the power grid stability, the weather forecast, and the current plant and SSC status. This includes information obtained from day ahead forecasts. If severe weather (high wind, severe thunderstorm warning, tornado watch/warning) or conditions that are potential HREs for loss of offsite power (see Attachment 9) are expected, then planned unavailability of AC power sources shall be deferred. Risk shall be reassessed if emergent condition results in a plant configuration that has not been previously assessed. (CM-1, CM-2, CM-3, CM-4) 4.1.2. Compliance with individual Limiting Conditions for Operation (LCO) Action Statements when multiple SSCs are inoperable does not provide assurance that an acceptable risk level or safety function is adequately maintained. When multiple SSCs are removed from service, an assessment shall be conducted to ensure acceptable risk levels are maintained. (CM-1, CM-2, CM-4) 4.1.3. When bundling work, "preconditioning" of Technical Specification and/or ASME Code related SSCs should be avoided. Acceptable preconditioning should be limited to those activities required to provide personnel protection, SSC protection/preservation, or to align a system to enable testing. To the greatest extent possible, SSCs should be tested in the "as-found" condition.

4.1.4. When SSCs are made unavailable, then CONSULT OP-AA-1 08-117, Protected Equipment Program, for protected equipment requirements.

WC-AA-101 Revision 17 Page 9 of 41 4.1.5. Risk Assessments for Heavy Lifts: Movement of heavy loads is governed by MA-AA-716-022, Control of Heavy Loads Program and site-specific procedures. These procedures detail the roles and responsibilities for individuals performing or reviewing heavy load lift activities.

The impact to online risk must be assessed for any heavy load movements that occur near or over equipment that is needed for safe shutdown of the unit or in areas that contain irradiated fuel.

Actions taken should be commensurate with the projected significance of the heavy load movement and the impacts to on-line risk if a dropped load were to occur. These actions could include but are not limited to:

Additional compensatory measures (i.e. redundant rigging, safe lifting practices), enhanced briefings and increased oversight by the working group.

Scheduling the work to ensure availability of redundant/diverse trains and/or protection of those trains in accordance with OP-AA-1 08-117, Protected Equipment Program if necessary.

Performing an analysis to determine the plant impacts from a dropped load if necessary.

4.1.6. Limiting Condition for Operation (LCO) 3.0.4.b: If implemented in a sites Technical Specifications, LCO 3.0.4 allows entry into a MODE or other specified condition in the Applicability with inoperable equipment required by TS, provided that a risk assessment demonstrates the acceptability. The risk assessment shall address all inoperable systems and components, consideration of the results, determination of the acceptability of entering the MODE or other specified condition in the Applicability, and establishment of risk management actions, if appropriate. The use of LCO 3.0.4.b is subject to the following limitations.

LCO 3.0.4.b is intended to be used when unanticipated circumstances occur which would otherwise delay unit startup. It is not intended for routine intentional use.

LCO 3.0A.b should not be used unless there is a reasonable probability of completing restoration such that the requirement of the LCO would be met prior to the expiration of the ACTION Completion Times that would require existing the Applicability.

The risk assessment must consider all unavailable TS equipment. The risk impact of inoperable TS equipment not covered by the current risk assessment tools must be qualitatively assessed.

Corporate Duty Executive shall be notified via the NDO if LCO 3.0.4.b. is invoked for a mode change.

Technical Specification 3.0.4.b must be implemented at the site.

See also OU-AA-103, "Shutdown Safety Management Program."

WC-AA-101 Revision 17 Page 10 of 41 4.2. Limitations 4.2.1. Exit and re-entry into the same LCO action statement for the sole purpose of resetting a Technical Specification or ATR clock is unacceptable.

4.2.2. During the planning and scheduling process, the following factors should be qualitatively assessed. (CM-1, CM-2, CM-3, CM-4)

Effect on reactivity Effect on RCS inventory (pressure and level)

Effect on redundant/diverse SSCs Potential to cause a plant transient or ESF actuation Number of SSC surveillances being conducted at one time Effect of LCO entries on both units at one time Effect of weather/time of year Effect of grid instability Effect of high Operational risk activities Effect on containment integrity (isolation and heat removal)

Effect of plant alterations on available SSCs Effect of maintenance activities on available SSCs Effect on plant security and effective implementation of the site protection strategy If an offsite power source becomes unavailable or degraded, or the risk of losing offsite power significantly increases due to severe weather, then systems required to mitigate the loss of offsite power shall be made available as soon as possible. (CM-1, CM-2, CM-3, CM-4) 4.2.4. If a plant configuration, maintenance activity, and/or external condition causes a significant increase in the likelihood of an initiating event, then consideration should be given to increasing the risk level in the applicable SFDT or PTDT through the use of the PARAGON High Risk Evolution trigger (see Attachment 9, High Risk Evolution Determination). HRE determination will be done by the Work Management organization for planned work and the Operations organization for emergent work. Sites using Passport for work orders will designate HRE activities in Passport using a Work Planning Factor of "HE". This applies to conditions that are manually evaluated and NOT to conditions that are modeled in the site risk program to automatically activate an HRE.

4.2.5. Guidelines for scheduling load reductions to perform on-line maintenance, (load reductions due to equipment failure/malfunction or emergent conditions are exempt from the following limitations).

1. To ensure a station's unplanned capability loss factor (UCLF) is not affected, all planned load reductions must be arranged with the Operations Center (NDO) at least 30 days in advance of the load reduction.

WC-AA-101 Revision 17 Page 11 of 41

2. During Maximum Emergency Generation Alert (red grid) conditions all planned load reductions must be suspended. Surveillances may be deferred (not to exceed the critical date).

3. Planned load reductions should be limited in magnitude and duration to the load reductions associated with the following routine activities; turbine valve test surveillances, feedwater pump swaps; or (BWR) CRD scram timing, core rod pattern adjustment, or circulating water flow reversal. Additional work requiring a load reduction should be bundled with the routine activities listed previously.

A. During the summer period as designated by WC-AA-1 07, any additional work timelines for load reductions must be limited to the duration of the activities listed above in 4.2.5.3., (BWRHCU maintenance/recovery may extend the duration provided the extension is not excessive).

B. For the remainder of the year, additional work timelines for load reductions may be extended provided the activities are performed within the optimum times listed in 4.2.5.4.

4. The optimum times for load reductions are as follows:

A. For activities requiring load reductions ~8 hours in duration, the preferred order is;

1. 22:00 Saturday until 06:00 Sunday

2. 22:00 until 06:00 Monday through Saturday B. For activities requiring load reductions >8 hours in duration;

1. 22:00 Friday until 06:00 Monday

5. Activities requiring load reductions that are exceptions to the above limitations should be economically justified (replacement power costs as determined by the Operations Center (NOO) versus the total cost of doing the activity during another on-line or outage timeframe).

6. Planned Load Reductions performed to facilitate non- routine maintenance work (e.g. condenser tube plugging or cleaning), should be scheduled to minimize the overall duration. As necessary, site and corporate challenges should be performed to assess readiness prior to execution of the load drop.

WC-AA-101 Revision 17 Page 12 of 41 4.2.6 Administrative review and control requirements are established in Attachment 1 "On-Line Maintenance Requirements List."

- These requirements are not meant to prohibit work but to ensure site management has a level of control and oversight commensurate with the risk of work.

- Site/Corporate challenge calls should be considered for emergent work or for scope increases in planned work that meets the requirement of Attachment 1 (e.g. LCO that exceeds 50% AOT following increase in planned work scope).

4.2.7. If there is a difference in the required working hours for specific conditions shown on Attachment 1, THEN schedule the activity using the more conservative working hours specified.

4.2.8. To ensure outage resources are effectively used to keep outage time to a minimum, (BWR) CRD maintenance that does not require containment entry, freeze seals on drive inlet or outlet lines to the RPV, or replacement of scram air isolation valves will be performed on-line. Inclusion of on-line CRD maintenance into the outage scope will only be done based on an approved business case that also considers nuclear safety and design basis.

Due to the number or CRDs as well as the impact of CRD work, to limit the time power is reduced, maintenance involving CRD HCU components will be performed outside the normal 13 week CRD system window. HCU work should be loaded into the unit cycle plan based on the operational impact as described in Attachment 4, "Guideline for BWR CRD On-line Maintenance". CRD HCU work may be scheduled in any week and need not be limited to the 13 week CRD system window.

4.2.9. To ensure outage resources are effectively used to keep outage time to a minimum, electric bus maintenance that does not require the unit to be shut down should be performed on-line. Inclusion of on-line electric bus maintenance into outage scope will only be done based upon an approved business case that also considers nuclear safety and design basis.

4.2.10. To ensure down time of important chemistry control equipment does not have an adverse impact on chemistry parameters or action levels, chemistry system outages will be scheduled in accordance with the guidelines in Attachment 5, "Outage Guidelines for Important Chemistry Control Equipment".

4.2.11. To ensure that MSPI unavailability is accounted for most favorably, planned unavailability for MSPI components MUST be identified during the calendar_quarter PRIOR to the quarter in which the planned maintenance will take place as specified in WC-AA-101-1003, Right Work Preparation Process. Failure to adjust MSPI baseline unavailability prior to the calendar quarter will result in the accrual of unavailability against MSPI.

WC-AA-101 Revision 17 Page 13 of 41 4.2.12. When removing vital equipment from service, a suitable confidence run must be performed on the opposite train prior to relying on that opposite train equipment as the sole train or component supporting plant operation. See Attachment 10 for details and guidelines.

4.3. Prerequisites 4.3.1. Accurate preplanning, bundling of work and testing, and job coordination shall be utilized to ensure the effective balancing of SSC unavailability and reliability while minimizing aggregate risk.

4.3.2. On-Line Work Control is based upon a 13 week cycle template containing work windows on major safety related and risk significant SSCs. For scheduling convenience, these windows are tied to the SSC surveillance intervals. The intent of the work window is to permit the maximum bundling of maintenance tasks and minimize the number of maintenance outages on SSCs, thus minimizing SSC unavailability and optimizing reliability.

4.3.3 Plant risk shall be managed by the most restrictive risk threshold specified within Attachment 3, "Configuration Risk Management Criteria". (CM-1, CM-2, CM-4) 4.3.4 Unique plant conditions and compensatory measures may provide additional information not considered in the base calculation of configuration risk within PARAGON. Configuration-specific plant risk may be determined by the Site (or Corporate) Risk Management Engineer using this information in lieu of that calculated within PARAGON in those circumstances where there is reason to believe that the base configuration risk calculation does not adequately reflect the unique attributes of the configuration. This calculation must consider the CDF/LERF impacts as well as SFDT and PTOT, and assign the corresponding new color, using the configuration risk management criteria in Attachment 3. The color resulting from this calculation replaces the PARAGON result for the configuration in question, on a one-time basis.

Where appropriate, the new considerations should be implemented as a PARAGON change so that the impact is reflected in future configuration risk determinations. If the PARAGON model is not changed (or cannot practically be changed), it is important to note that, since this type of calculation is configuration-specific, a unique evaluation by the Risk Management Engineer in accordance with References 6.29 and 6.30 is required any time this approach is used.

Approval by the site Operations director or Work Control directors or designees is required for the type of the calculation described above. Approval by the Director, Risk Management is also required.

WC-AA-101 Revision 17 Page 14 of 41 Process Map On-line maintenance work shall be determined and reviewed in accordance with the process map shown below.

ARJlNRJlNO Inaiated 4.5.1 ScreenmgComm ARJlNRIWO Screened and Processed WC-M-l06 All 4.52 45.16 I ShIftMansgor 4.5.3 SmIen~Comm WilWorkbe Reduce Overal RefuellForced

,--JI' Plant Risk Outage !<t- YES performed during an Outage?

OU*M-l01/102 All NO 4.5.4 ScreeningComm Assign Department WC-AA-l06 AI NO 4.55 Is Aclivity due

~YES to Emergent ">----NO Condnion?

NO 4.5.1

"'- 4.5.6 Cycle Manager Schedule Work Is Assessment of 4.5.7 Cyd. Manage' /WWM WC-AA*l0HOO2 All NOI------<

Risk Acceptable?

Review Work Against 50S Attachment 1 4.5.12 Shift Manager Take Appropriate 4.5.8 4.5.9 CycJeMa_

Actions to Mitigate Risk Is Attachment 2 Ensure Completion of YES Required?

YES Attachment 2

-C""

NO 4.5.1 4.5.1 4.5.14 Plan"'" 4.5.15 FlSfNor1<er Is Continued Execute and Is Attachment 2 Operation YES Plan Work Closeout YES Acceptable?

Justified? Work MA-M-716-l110 All MA*AA*716-l111 AR Work Completed

WC-AA-101 Revision 17 Page 15 of 41 4.4. Procedure The following written instructions provide implementation detail for each activity on the process map.

ARlWRIWO Initiated ARIWR or WO initiated.

4.5.1 , Screening Comm Work will be screened and processed in accordance with WC-AA-ARIWRfWO 106.

Screened and Processed Facility & Minor maintenance activities are administered per MA-AA-WC*AA-106 I All 716-002/003 respectively and are not covered by this procedure.

WC-AA-1 06, MA-AA-716-002/003 Will the work be performed during an outage?

Will Work be performed during an Outage? If YES, go to Step 4.5.3.

If NO, go to Step 4.5.4.

I 4.5.3 Screeninll Comm Add to outage list.

Refuel/Forced Outage OU-AA-101/102 I All OU-AA-101/102 4.5.4 I Screening Comm Assign Assign the appropriate Work Group or Department and process Department document.

WC-Mo106 I All WC-AA-106 Is activity due to emergent condition? (refer to definition 2.9)

Is Activity due to Emergent Condition? If YES, go to Step 4.5.11.

If NO, go to Step 4.5.6.

WC*AA*101 Revision 17 Page 16 of 41 4.5.6 I Cycle Manager Cycle Manager, or designee, ensures the work week risk profile is Schedule acceptable as prescribed in Attachment 3. An independent review Work of the work week risk profile will be conducted by the end of E-2 WC-AA-l01-1002 I All WC-AA-1 01-1 002 Review all work on the schedule between E-6 and E-2 against the 4.5.7 I Cycle Manager I WWM criteria outlined in Attachment 1, "On-line Maintenance Review Work Against Requirements List."

Attachment 1 Any emergent work entering the schedule after E-2 shall be assessed and the work week risk profile shall be updated to reflect an risk si nificant chan e in lant confi uration.

4.5.8 Does Attachment 1 "On-line Maintenance Requirements List" require additional documentation and approval using Attachment 2?

Is Attachment 2

. Required?

If YES, go to Step 4.5.9.

Ensure Attachment 2 is prepared.

4.5.9 I Cycle Manager If during planning and scheduling work scope expands on any activity such that the administrative limit specified in Attachment 1 Ensure Completion of Attachment 2 will be exceeded, then an Attachment 2 shall be prepared and approved.

(Exceptions are work of short duration, 1 shift or less, that do not place the unit in an orange or red risk configuration. Exceptions will be determined b the a eratin Shift or Work Week Mana er.

4.5.1 Has Attachment 2 been reviewed and approved as acceptable?

Is Attachment 2 Acceptable? If YES, go to Step 4.5.15.

WC-AA-101 Revision 17 Page 17 of 41 Does reassessment of risk against the ongoing work week risk file result in a green or yellow risk color as prescribed in Attachment 3.

~ (The following requirement shall not delay nor impede restoration of the plant to a stable condition).

Is Assessment of Risk Acceptable? Shift Operations must reassess risk and document the result of the evaluation (risk color), even if there is .!1Q corresponding change in

~ risk status, in the Shift Manager log.

If YES, go to Step 4.5.14.

If NO, go to Step 4.5.12.

If emergent condition results in an orange or red risk color, or risk results are unavailable, the following compensatory measures must be enacted to mitigate the risk until such time as risk is reduced to an acceptable level.

1. Protect redundant/diverse SSCs.

2. Station Duty Manager is contacted for further direction and support.

3. At a minimum, the following compensatory actions shall be established. (CM-1, CM-2, CM-4) 45.12 I Shift Manager

Shift Operations to be briefed on current plant risk Take Appropriate config uration.

Actions to Mitigate Risk

Shift Operations to reduce duration of ongoing risk sensitive activities.

Shift Operations to evaluate and defer upcoming activities that could adversely impact the current plant risk configuration.

(The following requirement shall not impede shift operations execution of the prescribed compensatory actions).

If risk is indeterminate or PRA results are unavailable as described within Attachment 3, the site risk management engineer must be contacted to evaluate the risk. The site risk management engineer may provide a preliminary verbal evaluation based upon qualitative judgment pending completion of a quantitative risk assessment.

WC-AA-101 Revision 17 Page 18 of 41 Are compensatory measures sufficient to ensure continued safe Is Continued operation?

Operation Justified?

If YES then go to Step 4.5.14.

If NO, then go to Step 4.5.16.

4.5.141 Planner Develop work instruction per work package planning procedure.

Plan Work MA-AA-716-010 I All MA-AA-716-010 During the execution week Shift Operations shall document, within the shift manager log, all changes in risk color resulting from a change in plant configuration.

4.5.151 FLSlWorker Execute and Closeout Cycle Manager, or designee, shall ensure the work week risk profile Work is updated to reflect any risk significant change in plant MA-AA-716-011 I All configuration.

MA-AA-716-011 4.5.16 I Shift Manager Transition to a mode or other specified condition that reduces Reduce Overall Plant Risk overall plant risk to an acceptable level.

Work completed

( woo< Comp"". )

5. DOCUMENTATION - None

WC-AA-101 Revision 17 Page 19 of 41

6. REFERENCES 6.1. Commitments CM-1: Braidwood License Amendment #108 (Step 1.2.1.,4.1.1.,4.1.2.,4.1.4.,

4.2.2.,4.2.3.,4.3.3.,4.5.12.)

CM-2: Byron License Amendment #114 (Step 1.2.1.,4.1.1.,4.1.2.,4.1.4.,4.2.2.,

4.2.3.,4.3.3.,4.5.12.)

CM-3: LaSalle Safety Evaluation related to Amendment #150 for Unit 1 and Amendment #136 for Unit 2 dated 01/30102 (Section 3.2). (Steps 4.1.1.,4.2.2., and 4.2.3.)

CM-4: Clinton License Amendment #141 (IR 667746) (Step 1.2.1,4.1.1,4.1.2,4.1.4, 4.2.2, 4.2.3, 4.3.3, 4.5.12)

CM-5: Byron Root Cause Investigation CAPR under IR 759945 (ATI 759945-31)

(Step 3.8) 6.2. INPO letter, "Managing Maintenance During Power Operations," dated February 17, 1995.

6.3. WC-AA-106, Work Screening and Processing 6.4. MA-AA-716-002, Facilities Maintenance 6.5. MA-AA-716-003, Fix It Now (FIN) 1Minor Maintenance 6.6. WC-AA-101-1002, On-Line Scheduling 6.7. MA-AA-716-010, Maintenance Planning 6.8. WC-AA-104, Integrated Risk Management 6.9. MA-AA-716-011, Work Execution and Closeout 6.10. ER-AA-310, Maintenance Rule 6.11. OU-AA-101, Refueling Outage 6.12. OU-AA-102, Forced Outage Management 6.13. EPRI TR-105396, "PSA Applications Guide," August 1995.

6.14. NUMARC 93-01, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants"

WC-AA-101 Revision 17 Page 20 of 41 6.15. NRC Information Notice 97-16, "Preconditioning of Plant SSCs before ASME Code Inservice Testing or Technical Specification Surveillance Testing" 6.16. ER-AA-600, Risk Management 6.17. Braidwood/Byron Technical Requirements Manual Appendix T, "Configuration Risk Management Program" 6.18. OP-AA-1 08-117, Protected Equipment Program 6.19. OP-AA-108-107-1001, Station Response to Grid Capacity Conditions 6.20. CY-AA-120-000 System chemistry Control 6.21. OU-AA-103, Shutdown Safety Management Program 6.22. WC-AA-101-1003, Right Work Preparation Process 6.23. WC-AA-1 07, Seasonal Readiness 6.24. MA-AA-716-022, Control of Heavy Loads Program 6.25. MA-AA-716-021, Rigging and Lifting Program 6.26. NRC Generic Letter 2006-02, "Grid Reliability and the Impact on Plant Risk and the Operability of Offsite Power."

6.27. MA-MA-716-010-1005, Work Order (W/O) Planning Process 6.28. MA-MW-716-010-1000, Passport Work Planning Manual 6.29. ER-AA-600-1012, Risk Management Documentation 6.30. ER-AA-600-1042, On-Line Risk Management 6.31. NEI 08-05, Revision 0, "Industry Initiative on Control of Heavy Loads", July 2008.

6.32. RIS 2005-25, CLARIFICATION OF NRC GUIDELINES FOR CONTROL OF HEAVY LOADS, October 31,2005 6.33. NRC R1S 2008, ENDORSEMENT OF NEI GUIDANCE FOR REACTOR VESSEL HEAD HEAVY LOAD LIFTS, December 1 2008 6.34. OP-AA-101-111, Roles and Responsibilities of On-Shift Personnel

WC-AA-101 Revision 17 Page 21 of 41

7. ATTACHMENTS 7.1. Attachment 1 - On-Line Maintenance Requirements List 7.2. Attachment 2 - On-Line Maintenance Approval Form 7.3. Attachment 3 - Configuration Risk Management Criteria 7.4. Attachment 4 - Guideline for BWR CRD On-Line Maintenance 7.5. Attachment 5 - Outage Guidelines for Important Chemistry Control Equipment 7.6. Attachment 6 - Unavailability Guidelines 7.7 Attachment 7 - No Longer Used - Deleted to OP-AA-1 08-117, Protected Equipment Program 7.8 Attachment 8 - No Longer Used - Deleted to OP-AA-108-117, Protected Equipment Program 7.9 Attachment 9 - High Risk Evolution Determination 7.7. Attachment 10 - Guidelines for Confidence Runs

WC-AA-101 Revision 17 Page 22 of 41 ATTACHMENT 1 On-Line Maintenance Requirements List Page 1 of2 Description of Requirements activity/conditions Administrative Project Fragnet per Minimum APPROVALS/NOTIFICATIONS Other Requirements limit Coordinator WC*AA*101-1002 Work Hours Requlred(4) Required Requlred(3)

< 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months TSITRM

~ith Shutdown Required 50 %of AOT If duration >

12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months If duration> 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Developed by the end of E-?

24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months a day IF Administrative Limit is exceeded OR ihe requirements in previous 3 coluriin'S are NOT met, I!:!St:f. complete

Contingency plan and packages.

IF duration exceeds administrative limit Attachment 2. THEN perWC*AA*191-1904:

During Summer, always complete Attachment 2.

During summer, notify Operations Center

Readiness review AND Corporate challenge before the E-2 Freeze.

(NDO) of all short time clock LCO's before Tuesday of E-1 regardless of duration

Daily call status report

> 24 and < ?2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months If duration > If duration> 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months a IF Administrative Limit is exceeded OR IF duration exceeds administrative limit TSITRM with 50 % of AOT 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months 4Jeveloped by the end day ihe requirements in previous 3 coluriin'S THEN per WC*AA*191*1904:

Shutdown Required ofE-? are NOT met, THEN complete Attachment 2.

Readiness review AND Corporate challenge before the During Summer, always complete attachment 2.

During Summer, notify Operations Center

.E-2 Freeze.

Daily call status report (NDO) of all short time clock LCO's before Tuesday of E-1 regardless of duration

? day TSITRM with 3.5 days If duration> If duration> 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months a IF Administrative Limit is exceeded OR IF duration exceeds administrative limit Shutdown Required 42 hours4.861111e-4 days 0.0117 hours 6.944444e-5 weeks 1.5981e-5 months in 48 hours5.555556e-4 days 0.0133 hours 7.936508e-5 weeks 1.8264e-5 months Developed by the end day ihe requirements in previous 3 coluriiiiS THEN per WC-AA-191-1904:

Summer period (25%)

ofE-? are NOT met, THEN complete Attachment 2.

Readiness review At!Q Corporate challenge before the 14 day TSITRM with ? days If Duration If duration > 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months 2 shifts, !E Administrative Limit is exceeded QB

.E-2 Freeze.

DailV call status report

!E duration exceeds administrative limit Shutdown Required 3.5 days in >48hours Developed by the end ? days a the requirements in previous 3 columns THEN per WC*AA*191-1004:

Summer period (25%)

ofE-? week(1) are NOT met, THEN complete Attachment 2.

Readiness review AND Corporate challenge before the

~ 30 day TSITRM 15 days If duration If duration> 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months 1 shift, iF Administrative Limit is exceeded OR E-2 Freeze.

Daily call status report with Shutdown exceeds Developed by the end 5 days a ihe requirements in previous 3 coluriiiiS Required Administrative of E-? week(1) are NOTmet, Limit THEN complete Attachment 2.

LCO work window Complete Attachment 2 that could significantly delay plant startup from a forced oUtaae LCO that has first Contingency plan time activities or a history of problems meeting LCO end dates.

Mode change with Use applicable Use Use applicable limit Use Complete Attachment 2 inoperable TSITRM limit based on applicable based on AOT from applicable equipment using AOT from rows guidance rows above limit based on LCO 3.0A.bITLCO above based onAOT AOTfrom 3.0A.b from rows rows above above MSPI Monitored MSPI System If duration> 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months a Complete Attachment 2 Attachment 2 is required for notification Components classified as Developed by the end day for that the unavailability goal is or will be Uat risk" ofE-? maintenance exceeded even if the system outage is outaQes of a very short duration.

TSITRM with NO 213 time clock 1 shift, 5 days IF Administrative Limit is exceeded OR Shutdown Required a week(1) ihe requirements in previous 3 coluriiiiS are NOT met, THEN complete Attachment 2.

Maintenance Rule 3/4 If duration > 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months 1 Shift, 5 days IF Administrative Limit is exceeded OR Risk Significant unavailability2) and exceeds 3/4 a week(1) ihe requirements in previous 3 coluriiiiS time unavailability(2) time are NOT met, THEN complete Developed by the end Attachment 2.

ofE-?

(1) IF the Administrative limit IS exceeded, THEN work Will proceed 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months per day until completed.

(2) Refer to Attachment 6 for clarification of 'unavailability'.

(3) Work hours apply to critical path activities. Plant manager may impose more aggressive work hours.

(4) Fragnets and Project Coordinators may be assigned to work windows not meeting the requirements of Attachment 1, if the complexity warrants, based on the Cycle Manager's evaluation. In addition, the Cycle Managers may waive Project Coordinator requirements if the project is simple in nature and does not involve multiple work groups performing unrelated/different maintenance activities.

WC*AA*101 Revision 17 Page 23 of 41 ATTACHMENT 1 On-Line Maintenance Requirements List Page 2 of2 Description of Requirements actlvltv/condltlons Administrative Project Fragnet per Minimum APPROVALS/NOTIFICATIONS Other Requirements Limit Coordinator WC*AA*101*1002 Work Hours Requlred(4) Required Requlred(3)

Chemistry control Complete Attachment 2 Chemistry supplies chemistry equipment outages, See attachment 5 for .

Per WC-AA-191*1004:

Corporate challenge before the performance predictions by end of E-6.

Equipment is to come out of service additional information. . E-2 Freeze.

Daily call status report ONLY for:

ITSITRM required surveillances Work that improves operation without going into action level one.

Work would have adverse refuel outage impact Note: Refer to CY-AA-120-OO0 for chemistry actions associated with work windows.

On Line Safety Risk Complete Attachment 2 is maintained at YEllOW during scheduled work AND work schedule is NOT continuous On Line Safety Risk Complete Attachment 2 If Planned work will result in the On is NOT maintained at Line Safety Risk condition of ORANGE, GREEN or YELLOW THEN during scheduled work

Readiness review AND corporate Challenge before the E-2 freeze.

Daily call status report.

Note: These requirements also apply for outage activities on the opposite unit that imoact the ooeratina unit.

Engineering does Complete Attachment 2 NOT concur redundancy of SSGs exist to support scheduled work Surveillances are Complete Attachment 2 scheduled that MAY challenge redundant components of SSCs that are not available during scheduled work.

Scheduled work or Per WC-AA*1 01-1 004 contingency plan would result in Environmental

Readiness review and corporate challenge before the E-2 freeze.

Permit Violation

Daily call status report.

WC-AA-101 Revision 17 Page 24 of 41 ATTACHMENT 2 On-Line Maintenance Approval Form Page 1 of2 EPN/Description: _

Note: Complete only those line items that are applicable.

Description of work to be performed: (Provide summary of maintenance, inspections, surveillances, etc.)

Project Coordinator: Execution WWM: _

Tech Spec Ref: LCO Time Clock: _

Planned Outage Duration: Scheduled Outage Start Date: _

Administrative Limit: Scheduled Outage Finish Date: _

SSC Unavailability (MR): Current SSC Unavailability (MR): _

MSPI Margin Projected: Current MSPI Margin: _

P~ectedSSC Unavaila~lny(MR): ~

Most Limiting Risk Color: Due to: CDF_SFDT PTDT_LERF_

P~ectedAggffiga~RiskValue: ~

Note: The following information is for notification purposes only.

Safety System Unavailability Goal: (WANO) _

Current Safety System Unavailability: (WANO) _

Projected Safety System Unavailability: (WANO) _

WC-AA-101 Revision 17 Page 25 of41 ATTACHMENT 2 On-Line Maintenance Approval Form Page 2 of2

1. Provide a brief justification as to why this maintenance activity should continue. As a minimum, explain how sse reliability and/or safety will be improved as a result of this action.

2. Summarize all contingency plans, compensatory actions, and dominant risk factor(s) as needed per Attachment 1.

Prepared by: _

Approved by: Plant Manager/designee: _

WC-AA-101 Revision 17 Page 26 of 41 ATTACHMENT 3 Configuration Risk Management Criteria Page 1 of 2 Color Risk Threshold(5} Required Action CDF(1) - <2x Zero Maintenance CDF(2);

AND No specific actions are required.

SFDT3) - optimal defense in depth; Green AND PTDT(4) -!!2. appreciable increase in initiating event frequency or decrease in mitigation capability; AND LERF(1) - <2x Zero Maintenance LERF(2)

CDF(1) - ~x Zero Maintenance CDF(2); Limit the unavailability time by establishing a continuous work schedule or provide justification on Attachment 2. Review OR 3 protected equipment requirements in OP-AA-108-117, SFDT ) - nominal defense in depth (key safety function with redundancy);

Yellow Protected Equipment Program.

OR PTDT(4) - acceptable increase in initiating event frequency or decrease in mitigation capability; OR LERF(1) - ~2x Zero Maintenance LERF(2)

Requires senior management review and approval prior to CDF(1) - ~10x Zero Maintenance CDF(2); entering this condition. Compensatory measures shall be OR taken to reduce risk, including limiting unavailability time and SFDT(3) - marginal defense in depth (key safety function without redundancy); establishing contingency plans for restoration and / or Orange OR protection of SSCs as defined in OP-AA-1 08-117, Protected PTDr) - significant increase in initiating event frequency or decrease in mitigation capability; Equipment Program, relied upon to mitigate events. !f an OR emergent condition causes, or degradation may cause an LERF(1) - ~10x Zero Maintenance LERF(2); unplanned entry into this condition, notify station duty manager.

It is unacceptable to voluntarily enter this condition.

If 20x Zero Maintenance CDF(2) is < 5E-4, CDF(1) >= 5E-4 !f an emergent condition causes, or degradation may cause If 20x Zero Maintenance CDF(2) is >= 5E-4 but <1E-3, CDF(1) >= 20x Zero Maintenance CDF(2) an unplanned entry into this condition, immediate actions shall If 20x Zero Maintenance CDF(2) >= 1E-3, CDF(1) >= 1E-3 be taken to restore and/or protect SSCs relied upon to mitigate OR events, and to contact the station duty manager for direction If 20x Zero Maintenance LEW) is < 5E-5, LERF(1) >= 5E-5 and support.

If 20x Zero Maintenance LERF(2) is >= 5E-5 but <1 E-4, LERF(1) >= 20x Zero Maintenance LERF(2)

Red If 20x Zero Maintenance LERF(2) >= 1E-3, LERF(1) >= 1E-3 OR 3

SFDT ) - unacceptable defense in depth (loss of a key safety function);

OR PTDT(4) - unacceptable increase in initiating event frequency or decrease in mitigation capability;

WC-AA-101 Revision 17 Page 27 of 41 ATIACHMENT3 Configuration Risk Management Criteria Page 2 of 2 I Note: Until a LERF model is deployed at the station, LERF criteria do not apply.

(1) Factor increase in CDF (or LERF) during the time the SSC is unavailable. This is a risk configuration state as a factor increase on a per year basis, not the average risk for a year.

(2) The Zero Maintenance CDF (or LERF) is obtained by assuming that all equipment modeled in the PRA is available.

(3) SFDT is the Safety Function Decision Tree rating obtained using the PARAGON Code.

(4) PTDT is the Plant Transient Decision Tree rating obtained using the PARAGON Code (trip/scram initiator should only be activated for an order of magnitude increase in the probability of a trip/scram).

(5) Risk is indeterminate if results are unavailable for all of the PARAGON modules (CDF/LERF, SFDT, PTDT). If PRA results (CDF/LERF) are unavailable, the overall risk color is the most limiting of the SFDT or PTDT results.

WC-AA-101 Revision 17 Page 28 of 41 ATTACHMENT 4 Guideline for BWR CRD On-Line Maintenance Page 1 of 1 Type of control rod Operation Impact1 Schedule requirements 2 Peripheral rod Insert drive and recover power with rods and/or flow. Schedule in any work week. Consider availability of resources Little if any load drop required for PMT and RTS. and overall CRD system priorities. May work numerous rods Each rod insertion results in a 1% load reduction. concurrently.

Typically power can be recovered with rods and/or flow.

Non-peripheral rod Requires a preparatory load drop of apprOXimately Work no more than two Non-peripheral rods at 48 concurrently.

which is at position 5% to take drive OOS. Each rod insertion results in May work concurrently with numerous peripheral and/or power 48 for the entire an additional 5% load reduction. Typically power can rod(s). Schedule the week prior to quarterly/monthly routine load operating cycle be recovered with rods and/or flow. Recovery drops. Insert drive as late as possible in the week to minimize requires a preparatory load drop of apprOXimately the time the rod is inserted thereby minimizing the xenon 15% to PMT and RTS. Power changes may require transient and maximizing the RTS return rate. After APRM gain adjustments. maintenance, reduce power for quarterly/monthly surveillances and perform PMT. Then return drive to normal position and recover power.

Control Cell Core Rods Note: Power Rods and Shaper Rods are swapped during deep/shallow rod swaps every 4 to 6 months Power Rods Little if any preparatory load drop required to take Schedule the week prior to quarterly/monthly routine load drops.

(maintained at 00-24) drive OOS. Each rod insertion results in a 0% to 5% Insert drive early in the week, recover power with rods and/or load reduction. Typically power can be recovered flow. After maintenance, reduce power for quarterly/monthly with rods and/or flow. Recovery requires a surveillances and perform PMT. Then return drive to normal preparatory load drop of approximately 25% to PMT position and recover power.

and RTS. Power changes may require APRM gain adjustments.

Shaper Rods Requires a preparatory load drop of apprOXimately It is preferred to schedule these rods after routine rod swaps (maintained at 26-48) 5% to take drive OOS. Each rod insertion results in configure this drive as a power rod and treat as a Power Rod.

an additional 5% load reduction. Typically power can OR be recovered with rods and/or flow. Recovery Work no more than two Non-peripheral rods at 48 concurrently.

requires a preparatory load drop of approximately May work concurrently with numerous peripheral and/or power 25% to PMT and RTS. Power changes may require rod(s). Schedule the week prior to quarterly/monthly routine load APRM gain adjustments. drops. Insert drive as late as possible in the week to minimize the time the rod is inserted thereby minimizing the xenon transient and OOS time. After maintenance, reduce power for quarterly/monthly surveillances and perform PMT. Then return drive to normal position and recover power.

All Control Rod Reduce power to 75% and maintain for the duration Remove CRD(s) from service in a prescribed order; perform Option of the work period during low system demand. maintenance around-the-clock, then PMT and RTS. To shorten APRM gain adjustment may be required. the duration of any power deratings, mUlti-disciplined and cross trained crews should be utilized.

The preparatory power reductions and control rod worth presented here are approximations. During the planning process for scheduling each CRD, a Qualified Nuclear Engineer will determine the appropriate load reductions and losses. This unique evaluation is necessary to account for the changing reactivity worth of each CRD.

2 Removing more than one drive at a time may be limited by the Analyzed Rod Position Sequence employed for the current operating cycle.

WC-AA*101 Revision 17 Page 29 of 41 ATTACHMENT 5 Outage Guidelines for Important Chemistry Control Equipment Page 1 of 1 Important chemistry control equipment includes at a minimum:

BWR reactor water cleanup system

BWR Hydrogen water chemistry systems

BWR Noble Metal monitoring equipment

BWR Zinc injection equipment (Limerick only)

PWR CVCS letdown system

PWR steam generator blowdown

PWR condensate chemical feed

PWR and BWR sample panels

1. Work will not be done on these systems on line unless:

The work is required by Technical SpecificationslTRM OR

The work improves system performance and can be done without entry into Chemistry Action Level 1 OR Scheduling of chemistry system work presents an adverse impact on the refuel outage plan such as extension of critical path, degraded outage water chemistry control, increased outage dose rates, degraded shutdown risk, or limits start up chemistry control.

2. If work is done On-Line, then ADHERE to the following.

a. By the end of week E-6, site Chemistry will provide the projected maximum system down time allowed to avoid entry into a chemistry action level (not applicable to sample panel outages).

b. Because chemistry performance goals are significantly less than action levels, outages on the systems listed here will have a corporate challenge per WC-AA-101-1004 by the end of E-2.

b. Work Control should ensure that work that could adversely affect system chemistry is not scheduled at the same time as the system outage for important chemistry control equipment. Such work may include condensate demineralizer work, reactor power changes, waterbox isolation, condensate or feed pump swaps, and activities that alter the operating status of hydrogen water chemistry systems.

c. Steps should be taken to minimize down time of important chemistry control equipment. System outage activities should be scheduled to ensure chemistry parameters do not project entry into an action level. If entry into an action level is unavoidable, then around-the-clock maintenance must be considered.

d. Work Control will ensure that scheduled system outage down time supports the goal of avoiding entry into chemistry action levels.

e. Work Control will coordinate with Chemistry to schedule steps for suppressing limiting parameters in advance of the system outage. This may include scheduling resin work such as fresh Powdex and cleaning deep beds, ahead of time or establishing alternate sampling methods.

WC-AA-101 Revision 17 Page 30 of 41 ATTACHMENT 6 Unavailability Guidelines Page 1 of6 PROGRAM: MAINTENANCE RULE (A)(4) MAINTENANCE RULE (A)(2) WANOSSPI REACTOR OVERSIGHT SYSTEM MONITORING PROCESS PI MSPI INDUSTRY GUIDANCE:

NUMARC 93-01, Section NUMARC 93-01, WANG IG19.1 NEt 99-02 Rev. 6, 11 (endorsed by RG 1.182, Appendix B, (endorsed by (approved by NRC)

Rev. 0) RG 1.182, Rev. 0)

EXELON NUCLEAR PROCEDURE: WC-AA-101 ER-AA-310 LS-AA-1001 LS-AA2200 CASE 1; OPERABLE Generally available. But if EQUIPMENT Available. Available. Available. evaluated as operable because operator action is substituted for automatic action during testing, Case 4 applies.

WC-AA-101 Revision 17 Page 31 of 41 ATTACHMENT 6 Unavailability Guidelines Paae 2 of 6 PROGRAM: MAINTENANCE RULE (A)(4) MAINTENANCE RULE (A)(2) WANOSSPI REACTOR OVERSIGHT SYSTEM MONITORING PROCESS PI MSPI CASE 2; INOPERABLE Unavailable for e-quipment tagged Generally unavailable for testing, Generally unavailable for testing, EQUIPMENT, TAGGED OUT- Generally unavailable, but can be out-of-service. Case 4 could apply. Generally Case 4 could apply. Unavailable OF-SERVICE considered available if activity is unavailable for equipment tagged for equipment tagged out-of-planned "to allow for prompt out-of-service, but unavailability is service.

restoration". not reported if an "installed spare" is available. A train is considered an installed spare if it may be Assessment may take into account time removed from service without needed for restoration. Written guidance violating the single failure must be provided for restoration.

criterion.

Contingency plan for restoration is documented

Restoration from a routine surveillance is straightforward and is covered by pre-job brief.

To credit operator actions outside the control room, the following conditions apply:

Operations must have reasonable assurance that the action can be completed in the time available in the plant specific PRA model or design basis (if the action is not modeled in the PRA). This evaluation should take into consideration the number of actions required and the environment conditions that are expected.

If, as described in the Station's licensing basis, the allowed time to complete the action is less than 30 minutes, a dedicated operator must be assigned to perform the action.

If, as described in the Station's licensing basis, the allowed time to complete the action is greater than 30 minutes, a designated operator may be assigned to perform the action.

WC-AA-101 Revision 17 Page 32 of 41 ATIACHMENT6 Unavailability Guidelines Page 3 of6 PROGRAM: MAINTENANCE RULE (A)(4) MAINTENANCE RULE (A)(2) WANO SSPI REACTOR OVERSIGHT SYSTEM MONITORING PROCESS PI MSPI CASE 3; INOPERABLE EQUIPMENT DUE TO OFF- Available Available Available Available, if allowed by NORMAL ALIGNMENT Basis Document Exception DURING TESTING, INITIATION SIGNAL WOULD AUTOMATICALLY RE-ALIGN (BUT NOT WITHIN DESIGN/LICENSING BASIS TIME)

WC-AA-101 Revision 17 Page 33 of 41 ATTACHMENT 6 Unavailability Guidelines Page 4 of 6 PROGRAM: MAINTENANCE RULE (A)(4) MAINTENANCE RULE WANOSSPI REACTOR OVERSIGHT (A)(2) SYSTEM PROCESS PI MSPI MONITORING CASE 4; TESTING THAT WOULD SSCs out of service for SSCs out of service for REQUIRE OPERATOR ACTION TO Available if equipment could be "promptly restored to testing are considered Available if restoration testing are considered RESTORE SYSTEM) service". unavailable, unless the can be performed "in unavailable, unless the function can be promptly a matter of minutes" function can be promptly restored either by an by a control room or a restored either by an operator Assessment may take into account time needed for operator in the control in the control room or by a restoration. Written guidance must be provided for "dedicated local room or by a dedicated operator". dedicated operator stationed restoration. locally for that purpose or if operator stationed locally

Contingency plan for restoration is documented allowed by a Basis Document for that purpose.

Restoration from a routine surveillance is Restoration actions must Exception. Restoration straightforward and is covered by pre-job brief. be contained in a written Guidance states that actions must be contained in procedure, must be to credit restoration by a written procedure, must be To credit operator actions outside the control room, the uncomplicated (a single a local operator, the uncomplicated (a single following conditions apply: action or a few simple operator must be action or a few simple dedicated to

Operations must have reasonable assurance that the actions), and must not restoration by the actions), and must not require action can be completed in the time available in the require diagnosis or repair. diagnosis or repair. Credit for Credit for a dedicated local surveillance a dedicated local operator plant specific PRA model or design basis (if the action operator can be taken only procedure. Guidance can be taken only if (s)he is is not modeled in the PRA). This evaluation should if (s)he is positioned at the does not require that positioned at the proper take into consideration the number of actions required proper location throughout restoration by a location throughout the and the environment conditions that are expected.

the duration of the test for control room operator duration of the test for the

If, as described in the Station's licensing basis, the be proceduralized.

allowed time to complete the action is less than 30 the purpose of restoration purpose of restoration of the minutes, a dedicated operator must be assigned to of the train should a valid train should a valid demand perform the action. demand occur. The intent occur. The intent of this If, as described in the Station's licensing basis, the allowed of this paragraph is to paragraph is to allow time to complete the action is greater than 30 minutes, allow licensees to take licensees to take credit for a designated operator may be assigned to perform the credit for restoration restoration actions that are action. actions that are virtually virtually certain to be certain to be successful successful (i.e., probability (Le., probability nearly nearly equal to 1) during equal to 1) during accident accident conditions.

conditions.

WC-AA-101 Revision 17 Page 34 of 41 AITACHMENT6 Unavailability Guidelines Pace 5 of 6 PROGRAM: MAINTENANCE RULE (A)(4) MAINTENANCE RULE (A)(2) WANO SSPI REACTOR OVERSIGHT SYSTEM MONITORING PROCESS MSPI CASE 5; FOLLOWING SystemlTrain is considered If PMT is successful, Unavailability ends when Unavailability ends when MAINTENANCE, A available. SystemlTrain is considered train is returned to normal train is returned to normal SYSTEMITRAIN HAS BEEN available from the time the standby alignment. standby alignment.

RETURNED TO ITS NORMAL (This is the position taken normal alignment was ALIGNMENT BUT IS STILL at the March 2001 Midwest restored. (The SSPI systems are INOPERABLE PENDING PMT. ROG Risk Management normally in standby.) If PMT later shows train Focus Group Meeting, A PMT failure unrelated was unable to perform its even following major to the maintenance work If PMT later shows train function, the train is overhauls. ) would be considered a was unable to perform its reclassified as unavailable.

functional failure and the function, the train is If PMT shows train is SystemlTrain would still be reclassified as unavailable.

unavailable, then risk considered available from would be re-assessed, i.e., the time of system the PMT failure would be restoration until the system treated as an emergent was removed from service condition under WC-AA- due to the "new" failure.

101.

A PMT failure would not be a functional failure if the failure was due to the maintenance work being tested, and unavailability would be "backfit" to include the time up to the PMT failure. Unavailability would continue until repairs were made and the system restored.

WC-AA-101 Revision 17 Page 35 of 41 ATIACHMENT6 Unavailability Guidelines Page 6 of 6 PROGRAM: MAINTENANCE RULE (A)(4) MAINTENANCE RULE (A)(2) WANOSSPI REACTOR OVERSIGHT SYSTEM MONITORING PROCESS MSPI CASE 6; A SYSTEMITRAIN IS Not applicable to "Fault Exposure" time is "Fault Exposure" "Fault Exposure" time is DETERMINED, IN HINDSIGHT, assessment of plant not counted as unavailability could apply not counted as TO HAVE BEEN IN AN configuration in the past unavailability. Instead, up to discovery. unavailability.

UNDETECTED FAILED because (a)(4) risk functional failures are CONDITION. assessment is look ahead. evaluated, but not against Time required for repairs Time required for repairs the Availability after discovery could count after discovery could count Could impact assessment Performance Criterion. as unplanned as unplanned Note: Although (a)(4) of future configuration: unavailability. unavailability, unless assessments do not apply

If system/train was in Time required for repairs component unavailability is to past plant service at the time of after discovery could count preplanned during the configurations, Site Risk discovery, the failure as unavailability. calendar quarter PRIOR to Management Engineers should be assessed as an the quarter the may need to perform emergent condition under If the actual failure time unavailability occurs.

assessments of WC-AA-101. can be determined, undetected failures using

If system/train was unavailability is counted the SOP guidelines. already considered from time of failure.

unavailable at time of Generally, under SOP, the discovery, unplanned undetected failed condition repairs could extend is assessed assuming that system/train unavailability all other equipment is beyond the originally available. In other words, planned return-to-service SOP assessments would time, and this could require exclude the concurrent re-assessment of plant unavailability of other configuration.

equipment unless that unavailability was due to a common cause.

WC-AA-101 Revision 17 Page 36 of 41 ATTACHMENT 7 This Attachment No Longer Used Page 1 of 1

WC-AA-101 Revision 17 Page 37 of 41 ATTACHMENT 8 This Attachment No Longer Used Page 1 of 1 I

I I

I

WC-AA-101 Revision 17 Page 38 of 41 ATTACHMENT 9 High Risk Evolution Determination Page 1 of3 Each site's PARAGON program (or equivalent) contains PTDTs, which correspond to risk-*

significant initiating events. The initiating events listed under the PTDTs are those events that should be considered for potential HREs.

HREs can be caused by planned surveillance and activities, external conditions, and abnormal plant conditions.

A flow chart is provided on the Page 3 of this attachment to assess planned surveillances and activities to determine whether the activity should be classified as an HRE.

Specific requirements related to external events for classifying HREs for a loss of offsite power (LOOP) have been developed. Specifically, the LOOP HRE trigger in PARAGON (and for Severe Weather, the Turbine Trip HRE trigger) should be activated if any of the following conditions are present.

Unexpected repeated station power line trips due to area environmental conditions such icing, wind, or storms.

Severe Weather as defined below:

Sustained winds and wind gusts (in accordance with site procedures).

Severe Thunderstorm Warning

Tornado Warning NOTE: In advance of meeting the HRE criteria for severe weather (e.g. at a Tornado Watch), a review should be performed to determine if any ongoing or planned activities could be managed to avoid increased on-line risk impacts.

Pennsylvania Jersey Maryland (PJM) Transmission System Operator maximum emergency generation action (for CPS, Ameren Transmission Operations Load Shed)

Actual switchyard voltage alarms or notifications indicating voltage below that required for offsite source technical specification operability limits

Predicted Unit trip contingency switchyard voltage below minimum required sWitchyard voltage (unless a site specific analysis has been performed).

Notified that at the current time a condition exists such that if a transmission line or other transmission facility were to trip, then site will be below voltage operability limits.

WC*AA*101 Revision 17 Page 39 of 41 ATTACHMENT 9 High Risk Evolution Determination Page 2 of3 IF advanced notice is given on any of these conditions from organizations such as the transmission system operator or weather forecasters, THEN evaluate the risk for the periods when the condition is expected to occur.

Continued on next page,

WC-AA-101 Revision 17 Page 40 of 41 ATTACHMENT 9 High Risk Evolution Determination Page 3 of 3 Continue Is the activity classified as a Production Risk Activity?

YES NO Could an error cause loss of a key component as modeled in the Site >-------NO Specific Configuration Risk PTATs?

Is the activity performed every 92 days or more frequently?

NO YES Is the activity a simple YES--.

activity?

NO Activity is a High Risk Evolution, turn on the most Not a High Risk Evolution applicable High Risk Evolution Trigger Other external events or abnormal conditions that may result in a significant increase in the likelihood of a significant event should be considered HREs and the applicable HRE trigger in PARAGON should be used.

WC-AA-101 Revision 17 Page 41 of 41 ATTACHMENT 10 Guidelines for Confidence Runs Page 1 of 1 The purpose of this attachment is to describe precautions to be used when placing equipment in service in support of maintenance on the opposite train. This guidance does not apply to the declaration of operability and does not apply to normal procedurally controlled train or component swaps.

The scope of this attachment addresses vital equipment. For the purpose of this discussion, vital equipment is equipment which can cause a plant trip or derate or a short duration LCO or action through its own single failure. Examples include, but are not limited to:

RPS Bus or Rod Drive MG-Sets/Power Supplies Stator Cooling Pumps Isophase Bus Duct Cooling Fans Key Ventilation Systems with limited redundancy (e.g. Control Room Ventilation, Drywell Chillers)

When removing vital equipment from service, a suitable confidence run must be performed on the opposite train prior to relying on that opposite train equipment as the sole train or component supporting plant operation.

As a general rule, 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months may be considered a suitable length of time for a confidence run.

If a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months run is not practicable, a shorter run may be adequate, but the following must be considered:

- The run is of sufficient duration to establish the quality and acceptability of the component/train operation (e.g. flow, amps, vibrations, pressures stable)

If a suitable confidence run cannot be performed at the time the opposite train is removed from service (possible due to emergent failure), consideration should be given to developing a monitoring plan for the in-service train/component to ensure proper operation.

ATIACHMENT 3 OP-AA-108-117, "Protected Equipment Program," Revision 1

OP-AA-108-117 Revision 1 Page 1 of 12 Level 3 - Informational Use Nuclear PROTECTED EQUIPMENT PROGRAM

1. PURPOSE 1.1. This procedure provides guidance for protecting equipment in order to minimize plant risk. This involves limiting or prohibiting operation or maintenance of plant equipment when SSCs are made unavailable.

1.2. The intent of protecting systems and components is to provide additional administrative barriers to guard against inadvertently rendering a component or system, which is important to unit risk and nuclear safety, inoperable or unavailable.

It is also applicable to those systems and activities that pose a potential risk to generation.

1.3. Protected equipment actions taken in accordance with this procedure support the Configuration Risk Management Program and are classified as risk management actions for the purpose of compliance with 10CFR50.65 (a)(4). Failure to meet the requirements of this procedure is a potential violation of 10CFR50.65 (a)(4).

1.4. This procedure applies to online and shutdown conditions.

The online goal is to maintain plant risk within acceptable levels by maintaining defense in depth of key safety functions, preventing inadvertent plant trips, transients, or Technical Specification Limiting Conditions for Operations (LCO) entries.

The shutdown goal is to maintain shutdown risk within acceptable levels by maintaining defense in depth of key safety functions.

1.5. It is acceptable to protect additional equipment at the discretion of the Shift Manager. The Shift Manager has final authority on what equipment will be protected and allowing work on or around protected equipment.

1.6. The intent of this procedure is not to have equipment permanently protected. If a SSC were to become unavailable and the unavailability of the SSC alone causes a red risk condition, then protecting of this equipment under normal plant conditions is not required.

OP-AA-108-117 Revision 1 Page 2 of 12

2. TERMS AND DEFINITIONS 2.1. Key Safety Functions: They are listed as follows:

Decay Heat Removal Spent Fuel Pool Cooling (Outage)

Inventory Control Electrical Power (includes both onsite & offsite power)

Reactivity Control Primary Containment Integrity (Containment Isolation, Containment Pressure and Temperature Control) 2.2. Lowered ReS Inventory: For PWR's, lowered RCS inventory condition is defined as reactor coolant system water level at or below the vessel flange with fuel in the vessel. For BWR's, lowered inventory condition is defined as RCS level at or below the flange with fuel in the vessel and the head is detensioned.

2.3. Predetermined Protection Schemes: A standardized protection scheme that uses PARAGON (the Exelon Configuration Risk Management Software) for risk significant SSCs to determine what equipment to protect. Protection schemes for Technical Specifications and unit generation are determined manually by knowledge of Technical Specification requirements and plant operations. Predetermined protection schemes are maintained in either an electronic database or a site specific procedurelT&RM that can be administered by Operations. The use of standardized postings ensures a consistent application of the protected equipment program and reduces work activity conflicts associated with the protected train.

2.4. Protected Equipment: Any SSC which has been identified as being essential to ensure that either defense-in-depth of a Key Safety Function is maintained, unit generation is maintained or overall risk levels are maintained.

2.5. sse: Structure, System, or Component 2.6. Work Near Protected Equipment: Work near protected equipment is defined as within two feet or within striking range of long tools, scaffold poles, etc.

3. RESPONSIBILITIES 3.1. Equipment Operator and / or Reactor Operator Installs protected equipment postings and barriers.

Walks down protected equipment postings each shift typically during operator rounds, to ensure they are intact.

3.2. Shift Supervisor Ensures protected equipment is tracked.

OP-AA-108-117 Revision 1 Page 3 of 12 3.3. Shift Manager Has overall authority of the protected equipment program.

Authorizes work on or near protected equipment.

Communicates protected equipment status changes to the station duty team and Shutdown Safety Manager (if applicable).

3.4. Shutdown Safety Review Board Determines the protected equipment requirements for all scheduled outages based on plant configuration and planned defense-in-depth.

3.5. Work Week Manager and / or Cycle Manager In conjunction with Risk Engineers and Operations Services, determines the protected equipment requirements for all online workweek activities and unplanned outages.

4. MAIN BODY 4.1. Development of Protected Equipment 4.1.1. The Shutdown Safety Manager or designee determines the protected equipment requirements for all scheduled outages based on plant configuration and planned defense-in-depth.

4.1.2. Outage Management and Operations determines the protected equipment requirements for all unplanned outages.

4.1.3. Online Work Management and Operations determines the protected equipment requirements for all online workweek activities.

4.1.4. Shift Management will promptly determine the systems and components to be protected for emergent issues affecting risk significant SSC availability.

4.2. When to Protect Equipment 4.2.1. When SSCs are planned to or become unavailable, then PROTECT redundant equipment if plant configuration is such that redundant equipment unavailability or manipulation would cause:

1. An overall online or outage risk assessment change to red risk (CM-2, CM-3, CM-4),

2. A loss of generation capability of> 20 MWe, or

3. An entry into Tech Spec 3.0.3 (3.0.1 for TMI) or a shutdown Tech Spec LCO of 12 hrs or less (i.e. be in hot shutdown in 12 hrs or less). I

OP-AA-108-117 Revision 1 Page 4 of 12 4.2.2. When SSCs are planned to or become unavailable and overall online or outage risk results in an actual orange or red risk, then PROTECT the redundant SSCs. (CM-2, CM-3, CM-4) 4.2.3. When SSCs are planned to or become unavailable and outage risk for a key safety function results in an actual orange or red risk, then PROTECT the redundant SSCs.

4.2.4. When a degrading trend in a critical plant parameter for a SSC has been identified, then PROTECT the redundant SSC if the unavailability of the redundant SSC results in an actual orange or red risk condition.

For example, if a site has two fuel pool cooling pumps and the running pump is identified as haVing an increasing trend in outboard bearing temperature during an outage when increased fuel pool loading exists and a loss of one FPC pump would cause an orange condition, then the redundant fuel pool cooling pump (Le., pump without the degrading condition) should be protected.

4.2.5. At a minimum, PROTECT the following during outage conditions: (CM-1)

One in-service decay heat removal train and required support systems with fuel in the reactor vessel, regardless of the availability of the other train(s),

One reactor inventory make-up train and required support systems during lowered RCS inventory conditions, and One spent fuel pool cooling train once core offload starts until the time to boil in the spent fuel pool is greater than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

4.2.6. The following guidance is provided for determining when to protect equipment during an outage:

CONSIDER additional equipment protection during elevated risk conditions when normal backup systems are reduced to one. For example, consider additional protection in the switchyard if offsite power sources are reduced to one.

Extend the protected train concept to work within the station switchyard and associated relays, switchgear and transformers. This includes activities by station, supplemental, and transmission personnel.

4.2.7. PROTECT equipment as directed by site specific procedures.

OP-AA-108-117 Revision 1 Page 5 of 12 NOTE: Single components within a sWitchyard may be protected by locking the sWitchyard or by flagging off the single component.

Consideration should be given to installing robust barriers around key equipment and towers in the switchyard to minimize the potential for a vehicle to strike equipment.

4.2.8. When entire switchyards or areas with fences and gates are being protected, then PROTECT the equipment using one of the following two methods:

A lock and/or chain different than that used for normal access.

A physical barrier placed in front of the gate used for normal access.

4.2.9. When supplemental equipment is being used to prevent an inadvertent drain down during operations with the potential to drain with fuel in the vessel (during an OPDRV), such as steam line plugs or electric freeze seal machines, then PROTECT the sources to that equipment (e.g. power supplies to electric freeze machines, air supplies to main steam line plugs or OTSG Cold Leg Dams, etc.).

1. Power supply protection for electric freeze seal machines should extend back to the 480 VAC breaker since dual power supplies are required for these machines.

2. Air supply protection should extend back to the first isolation valve from the air header.

4.2.10. When deemed prudent by the Shift Manager, then IMPLEMENT additional equipment protection.

4.2.11. The Shift Manager has final authority in determining systems and equipment to be protected. Adding additional components or modifying where signs / barriers are posted is acceptable provided a reduction in the scope of the protected equipment does not occur. Reducing the scope of protected equipment is not acceptable.

4.3. Posting of Protected Equipment Signs and Robust Barriers 4.3.1. Protected equipment and systems are to be clearly identified in the field to prevent inadvertent work on or near the protected equipment. Physical barriers are to be used whenever possible, particularly in cases where bumping into a component may cause an inadvertent trip or system transient. (CM-1) 4.3.2. Protected equipment postings are to be encompassing enough to alert personnel from all directions. (CM-1) 4.3.3. For short duration equipment unavailability, such as surveillance testing of less than one shift (typically less than 8 to 12 hrs), posting is not required. The Shift Manager should consider posting if complications extend the work beyond one shift.

OP-AA-10S-117 Revision 1 Page 6 of 12 4.3.4. Relying solely on the work schedule to prevent work on or activity around protected equipment is not acceptable.

NOTE: Equipment should be protected in a manner that provides reasonable assurance that it will not be inadvertently operated.

While signs provide a visual reminder of the presence of protected equipment, they are not a sufficient deterrent by themselves. For this reason, an additional key element of protecting equipment is to post it such that a physical action, such as moving a barrier tape or unlocking a door, is required to access the protected equipment.

4.3.5. PROTECT equipment using at least one of the following posting methods: (CM-1)

Barrier rope, devices, or tape that establishes a boundary around the protected equipment with applicable postings to warn personnel of vital information regarding protected equipment status.

Placement of highly visible reminders such as "little men," orange cones, or easels that can also bear signage to delineate the protected equipment.

Reusable laminated signs are also an alternative.

Magnetic placards that are placed on breaker doors or panels to mark the protected equipment.

Barrier rope, physical devices, tape and other similar devices or door handle covers for room doors.

Protective Covers (clamshells, plastic cylinders or rings) may be placed over devices that should not be manipulated, as long as operability is not affected.

4.3.6. WHEN equipment protection is required, THEN POST the following:

The equipment being protected, Main power supply feed breaker or driving force supply isolation valve, and Instrumentation, which if tripped, would render the protected equipment unavailable. Consider both the transmitters and the associated trip units.

4.3.7. If radiological conditions prevent posting equipment (e.g. forced oxidation), then CONSIDER the following:

Posting the equipment prior to the radiological condition occurring.

Posting the protected equipment signs at the entrance to the high radiation area and ensuring the high radiation brief discusses the protected equipment.

When the radiological condition clears, the equipment should be posted as soon as practical.

OP-AA-108-117 Revision 1 Page 7 of 12 4.3.8. The following considerations and examples are to be evaluated when protecting equipment:

For extent of protection, barriers must extend back at least one component.

For example:

Concerning pumps and fans, the local and remote control switches, the pump general area, the power supply (Le. back to the pump / fan feeder breaker), specific instruments (or instrument racks as appropriate) that could cause a pump trip or are required for monitoring, and necessary support systems (e.g. cooling water).

For valves, the local and remote control switches, the valve general area, the valve driving force (Le. main power supply feed breaker or air supply isolation valve), and interlocked valves (Le. valves that when stroked could cause the valve being protected to change position).

During outage conditions, extent of protection for a decay heat removal train and an inventory make-up train (when required) must extend back to an available offsite feed and an available emergency feed. Additionally, a train of support systems must be protected. For example:

For a decay heat removal pump, in addition to what is stated in the above bullet under pumps & fans, also include the bus, one normal electrical supply feed and one emergency electrical supply feed to the bus (including the emergency diesel generator or station blackout diesel generator), a heat exchanger cooling water supply pump and control, associated trip instrumentation of the power supply and cooling water pump.

Concerning electrical buses and switchgear:

If an entire bus or switchgear is protected, no work on or racking of breakers in or out on that bus or switchgear should be permitted unless step 4.4.3 is followed.

If a single breaker on the bus or sWitchgear is protected, then work may be permitted on other breaker compartments provided the work to be performed has been evaluated to ensure it cannot result in actuation of the protected breaker.

For large components, consider posting room doors or general area ingress.

When protecting an entire system, consider placing barriers on control panel controls, in front of room/area ingress points, in front of the main load center under which a majority of the breakers are located, and around instrument racks that provide system trips.

OP-AA-108-117 Revision 1 Page 8 of 12 CAUTION Though a consistent list of protected equipment when taking an SSC out of service is desirable, additional SSCs that may also be out of service at the same have the potential to increase the list of protected equipment. The configuration specific results must be reviewed to validate the protected equipment list.

4.3.9. UTILIZE predetermined protection schemes (if available).

1. Deletion of elements from the predetermined protection scheme must be approved by the Shift Manager and must be covered by another posting method.

2. More extensive postings must include all elements of the predetermined protection scheme.

4.4. Work on or Near Protected Equipment (CM-1) 4.4.1. Generally, work on or near protected equipment will not be allowed. Exceptions to this rule are as follows:

Operator performing rounds, inspections, and alarm response.

Fire Brigade Members and the Medical Response Team during response to emergencies.

Personnel performing Abnormal Operating Procedures / Emergency Operating Procedures / Emergency Plan actions.

Security Officers who have received an appropriate brief from Shift Management and are performing their official rounds or alarm response.

Fire Patrols who have received an appropriate brief from Shift Management and are performing their official duties.

Electrical and instrument maintenance activities on loads supplied by protected switchgear, load control center, or vital instrument busses provided that the load is isolated from the protected equipment by a clearance or over-current protection (e.g. fuse or breaker) is available to isolate the protected power supply from equipment fault or personnel error at an energized work location.

Other activities as approved by the Shift Manager.

OP-AA-108-117 Revision 1 Page 9 of 12 NOTE: It is understood that emergent equipment failures may occur and a required surveillance test may need to be performed on the protected equipment to prevent the test from becoming overdue. Planned system or component outages should take into account protected equipment requirements and the surveillance test schedule prior to removing the equipment from service.

4.4.2. The following evolutions should not be performed on protected equipment:

Corrective or elective maintenance, Preventative maintenance which is intrusive in nature, Non-critical surveillance testing where an unsatisfactory outcome could render the equipment unavailable, Any evolution where human performance error could result in damage to or loss of the protected equipment unless the Shift Manager agrees there is reasonable assurance that no adverse effects could occur, or Equipment or system operation which renders the protected equipment unavailable.

NOTE: This note applies to steps 4.4.3 & 4.4.4. The shift manager cannot delegate the authority to authorize access to protected equipment areas to senior licensed operators who are not part of the on-shift control room team. For example, this authority cannot be delegated to an SRO assigned, often permanently or on long-term rotation, to the work control center or outage control center unless that SRO is an active member of the control room shift.

4.4.3. If work on protected equipment is required, then COMPLY with the following:

The work group will complete Attachment 1, Protected Equipment Work Approval Form, During outage conditions, the work group will receive OCC approval from the SaM or SOD prior to obtaining Shift Manager authorization.

Work must be authorized by the Shift Manager using Attachment 1, Protected Equipment Work Approval Form, The work group will brief the Shift Manager on the critical steps and what human performance tools or actions are in place to minimize the potential for inadvertent impact/operation of the protected equipment, Continuous work group supervisory oversight of the work activity, and Operations supervision will provide periodic monitoring of work in the affected area.

OP-AA-108-117 Revision 1 Page 10 of 12 4.4.4. If work near protected equipment is required, then COMPLY with the following:

The work group will complete Attachment 1, Protected Equipment Work Approval Form, During outage conditions, the work group will receive OCC approval from the SOM or SOD prior to obtaining Shift Manager authorization.

Work must be authorized by the Shift Manager using Attachment 1, Protected Equipment Work Approval Form, The work group will brief the Shift Manager on the critical steps and what human performance tools or actions are in place to minimize the potential for inadvertent impact/operation of the protected equipment, Periodic work group supervisory oversight of the work activity, and Operations supervision will provide periodic monitoring of work in the affected area.

4.5. Protected Equipment Tracking Sheets 4.5.1. TRACK protected equipment using a tracking log.

4.5.2. The tracking log may be hard copy or electronic facsimile and has no retention requirements.

4.5.3. The tracking log will be completed by Operations and it shall contain the following minimum information:

Equipment number or noun name Location and type of posting device Installation check-off information Removal check-off information 4.6. Protected Equipment Verification and Communication (CM-1) 4.6.1. WALKDOWN protected equipment postings during rounds and VERIFY the following:

1. The postings remain properly established.

2. No unauthorized work is being performed on or within 2 feet of the protected equipment.

3. There is nothing in the area (e.g., scaffolding) that could interfere with the functioning of the protected equipment.

4.6.2. ENSURE frequent communications to station and supplemental workers identify the status of protected equipment and any planned protected equipment changes.

OP-AA-108-117 Revision 1 Page 11 of 12 4.6.3. REVIEW protected equipment at the following meetings or briefings:

Operations shift turnover meetings Daily / shiftly standard department (inclUding contractors) briefings Daily POD meeting Shiftly Outage briefings Daily Online Work Control meetings 4.6.4. COMMUNICATE protected equipment status changes and emergent conditions requiring equipment to be protected to station and supplemental workers.

1. Communications may include a plant PA announcement.

4.6.5. COMMUNICATE switchyard protected equipment to the Transmission Operator and INFORM them that the protected equipment is considered vital and no actions should be performed that could jeopardize power availability.

5. DOCUMENTATION 5.1. None

6. REFERENCES 6.1. Commitments 6.1.1. CM-1: INPO SOER 09-1, Shutdown Safety (Steps 4.2.5, 4.3.1, 4.3.2, 4.3.5, 4.4, 4.6) 6.1.2. CM-2: Braidwood License Amendment #108 (Steps 4.2.1.1 and 4.2.2) 6.1.3. CM-3: Byron License Amendment #114 (Steps 4.2.1.1 and 4.2.2) 6.1.4. CM-4: Clinton License Amendment #141 (Steps 4.2.1.1 and 4.2.2) 6.2. Procedures 6.2.1. HU-AA-1211, Briefings - Pre-Job, Heightened Level of Awareness, Infrequent Plant Activity and Post-Job Briefings 6.2.2. OU-AA-103, Shutdown Safety Management Program 6.2.3. WC-AA-101, Online Work Control Process

7. ATTACHMENTS 7.1. Attachment 1, Protected Equipment Work Approval Form

OP-AA-108-117 Revision 1 Page 12 of 12 Attachment 1 Protected Equipment Work Approval Form Page 1 of 1 Protected Equipment or Train: wa # / Task

Title:

Brief description of work and potential impact on protected equipment:

Reason why work must be performed while equipment/train is protected:

Planned duration of work including shift(s) when Responsible Supervisor(s) (name and contact #):

work will occur:

Contingency plans regarding work scope to minimize impact on protected components:

Requesting Supervisor:

Signature: _ Date: _ _/_ _/_ _

acc Approval (only required during outage conditions):

Signature: _ Date: _ _/_ _/_ _

Shift Manager Approval Section Evaluate the overall risk on the protected component or train due to the performance of this

- - work.

- - Verify that the proper PJB level has been specified. (PJB, HLA, IPA)

Discuss with the work group supervisor(s) the methods to communicate with the MCR concerning start/stop times and expectations concerning reporting deviations from the

- - approved plan.

Consider the need to perform a job site inspection prior to the start of the work to ensure there

- - are no hidden risks that may have been missed.

Approved: Date: __/_ _/_ _

Shift Manager / Designee

_ _ The master copy of the approved form will reside in the MCR until the work is completed.

_ _ A copy of this approved form will reside with the work package until work is completed.

v t e Letter Sequence Request
TAC:ME2567, (Withdrawn, Closed) TAC:ME2568, (Withdrawn, Closed) TAC:ME2569, (Withdrawn, Closed) TAC:ME2570, (Open)
Initiation Request, Request, Request Acceptance... Administration Questions 23 September 2010 Answers Results Withdrawal Other:
MONTHYEAR2010-07-19 [Table View]

RS-10-172, Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, Standby Liquid Control (SLC) System.

Text

Subject:

Reference:

References:

Title:

Navigation menu

RS-10-172, Additional Information Supporting the Request for Amendment to Technical Specification 3.1.7, Standby Liquid Control (SLC) System.

Text

Subject:

Reference:

References:

Title:

Navigation menu

Search