
  • George A. Lippard Vice President, Nuclear Operations

    803.345.4810

    June 22, 2017 RC-17-0088

    U.S. Nuclear Regulatory Commission (NRC) Document Control Desk Washington, DC 20555

    Dear Sir/ Madam:

    Subject: VIRGIL C. SUMMER NUCLEAR STATION (VCSNS), UNIT 1 DOCKET NO. 50-395 OPERATING LICENSE NO. NPF-12 LICENSE AMENDMENT REQUEST - LAR-15-01424 IMPLEMENTATION OF WCAP-15376-P-A, REVISION 1 - "RISK-INFORMED ASSESSMENT OF THE RTS AND ESFAS SURVEILLANCE TEST INTERVALS AND REACTOR TRIP BREAKER TEST AND COMPLETION TIMES" RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION

    References: 1. T. D. Gatlin, SCE&G, letter to Document Control Desk, NRC, License Amendment Request - LAR-15-01424 Implementation of WCAP-15376-P-A, Revision 1 - "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times," dated December 16, 2015 [ML15356A048]

    2. S. A. Williams, NRC, letter to G. A. Lippard, SCE&G, Virgil C. Summer Nuclear Station, Unit 1 - Supplemental Information Needed for Acceptance of License Amendment Request for Implementation of WCAP-15376-P-A, Rev. 1 (CAC NO. MF7196), dated February 22, 2016 [ML16032A170]

    3. S. A. Williams, NRC, letter to G. A. Lippard, SCE&G, Virgil C. Summer Nuclear Station, Unit No. 1 - Request for Additional Information RE: License Amendment Request for Implementation of TSTF-411 (WCAP-15376-P-A), Revision 1 (CAC NO. MF7196), dated November 8, 2016 [ML16302A125]

    4. G. A. Lippard, SCE&G, letter to NRC Document Control Desk, License Amendment Request - LAR-15-01424, Implementation of WCAP-15376-P-A, Revision 1, Response to Request for Supplemental Information, dated March 7, 2016 [ML16069A021]

    5. G. A. Lippard, SCE&G, letter to NRC Document Control Desk, License Amendment Request - LAR-15-01424 Implementation of WCAP-15376-P-A, Revision 1 - "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times" Response to Request for Additional Information, dated February 6, 2017 [ML17037D369]

    V. C. Summer Nuclear Station • P. O. Box 88 • Jenkinsville, South Carolina • 29065 • F (803) 941-9776 • www.sceg.com

  • Document Control Desk CR-15-01424 RC-17-0088 Page 2 of 2

    6. S. A. Williams, NRC, letter to G. A. Lippard, SCE&G, Virgil C. Summer Nuclear Station, Unit No. 1 - Request for Additional Information RE: License Amendment Request for Implementation of TSTF-411 (WCAP-15376-P-A), Revision 1 (CAC NO. MF7196), dated May 11, 2017 [ML17095A284]

    7. M. Orenak, NRC, email to T. Stewart, SCE&G, Virgil C. Summer Nuclear Station, Unit No. 1 - Request for Additional Information RE: License Amendment Request for Implementation of TSTF-411 (WCAP-15376-P-A), Revision 1 (CAC No. MF7196), dated June 15, 2017

    South Carolina Electric & Gas Company (SCE&G), acting for itself and as agent for South Carolina Public Service Authority pursuant to 10 CFR 50.90, submitted License Amendment Request (LAR) per Reference 1. In References 2 and 3, the NRC requested that SCE&G provide supplemental and additional information to assist in the review of Reference 1. SCE&G provided a response to the NRC requests in References 4 and 5. NRC review of Reference 5 determined that follow-up requests for additional information (RAIs) were required and a RAI was issued per Reference 6. This letter's Attachment I contains SCE&G's response to the follow-up RAIs.

    Per Reference 7, VCSNS will provide a response to follow-up RAI 1 by July 10, 2017.

    If you have any questions regarding this submittal, please contact Mr. Bruce L. Thompson at (803) 931-5042.

    I certify under penalty that the foregoing is correct and true.

    TS/GAL/wm

    Attachment: VCSNS Response to Request for Additional Information

    cc: Without Attachments unless noted

    S. M. Shealy W. M. Cherry C. Haney

    K. B. Marsh S. A. Byrne J. B. Archie N. S. Cams J. H. Hamilton

    NRC Resident Inspector S. E. Jenkins (with Attachment) Paulette Ledbetter (with Attachment) K. M. Sutton NSRC RTS (CR-15-01424) File (813.20) PRSF (RC-17-0088) (with Attachment)

    S. A. Williams (with Attachment)

  • Document Control Desk Attachment CR-15-01424 RC-17-0088 Page 1 of 15

    VIRGIL C. SUMMER NUCLEAR STATION (VCSNS) UNIT 1 DOCKET NO. 50-395

    OPERATING LICENSE NO. NPF-12

    ATTACHMENT

    VCSNS RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION


    By letter dated December 16, 2015 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML15356A048), as supplemented by letter dated March 7, 2016 (ADAMS Accession No. ML16069A021), and February 6, 2017 (ADAMS Accession No. ML17037D369), South Carolina Electric & Gas Company (SCE&G, the licensee), submitted a license amendment request (LAR) for the Virgil C. Summer Nuclear Station, Unit No. 1 (VCSNS). The licensee proposes to revise Technical Specification (TS) 3/4.3.1, "Reactor Trip System Instrumentation," and TS 3/4.3.2, "Engineered Safety Feature Actuation System Instrumentation," to implement the allowed outage time, bypass test time, and surveillance frequency changes approved by the U.S. Nuclear Regulatory Commission (NRC) in Technical Specification Task Force (TSTF) Traveler TSTF-411, Revision 1, "Surveillance Test Interval Extensions for Components of the Reactor Protection System (WCAP-15376-P)" (ADAMS Accession No. ML022470164).

    The NRC staff has reviewed the February 6, 2017, response to a request for additional information (RAI), and has determined follow-up RAIs are needed to complete NRC staff review.

    Follow-up RAI 1:

    In the cover letter to the February 6, 2017, supplement, the licensee stated that the probabilistic risk assessment (PRA) model was peer reviewed in June 2016 and that the final version of the Peer Review Report has not yet been received by VCSNS. As such, the facts and observations (F&Os) from this peer review were not included in the LAR, as supplemented. In addition, the response to RAI 1 noted some open F&Os from a previous peer review. Therefore, the NRC staff requests the following additional information.

    a. Please confirm what impact, if any, the June 2016 peer review had on the PRA model of record used to support the LAR, and as supplemented, by RAI responses.

    b. In 2011, the licensee performed a Capability Category II gap self-assessment for the PRA model against the Regulatory Guide 1.200, Revision 2, and the ASME/ANS PRA Model Internal Events Standard as a follow-up to a 2007 review against Regulatory Guide 1.200, Revision 1. The response to RAI 1 identified that some open suggestions/findings had not been resolved. Finding 6_9 involved system-related screenings from the PRA model as specified in system supporting requirements. The licensee's resolution states that re-screening of all of the systems is not yet complete.

    Please complete the resolution of finding 6_9, and provide an updated resolution of this finding and an assessment of its significance to the application. Alternatively, please justify why resolution of this Finding will not affect this application.


    SCE&G Response

    Virgil C. Summer Nuclear Station (VCSNS) Unit 1 will provide a response by July 10, 2017, as noted in the cover letter.

    Follow-up RAI 7d, 7f, 7g, 7i, 7j, and 12

    The NRC staff has reviewed the response to RAI 7 for the plant-specific analysis of the Engineered Safety Features Actuation System (ESFAS) signals 8.a and 6.h, and has determined that additional information is necessary regarding the risk evaluation associated with extending their surveillance test intervals (STIs). Therefore, please address the following:

    a. The proposed TS STIs apply to analog channels, logic cabinets, and master relays. Based on the response to RAI 7.j, the risk calculation provided in the March 7, 2016, supplement evaluated the STI extension for analog channels.

    For these two signals, logic cabinets and the master relays do not appear to be quantified in the risk evaluation. The WCAP-15376-P-A analysis for the logic cabinet discussed in the response does not appear to be applicable for these two signals since the TSTF-411, Revision 1, stipulates the plant specific functions not evaluated generically for WCAP-15376-P-A or WCAP-10271-P-A must have a plant-specific analysis. In addition, the response to RAI 7.i describes a test in which more than one of the LAR-related instrumentation and control (I&C) components are tested, and indicates that the proposed STI extensions apply to this test. However, the response did not specify if the risk associated with this test is included in the risk assessment.

    Please clarify whether logic cabinet and master relays for those two signals and the test described in response to RAI 7.i were included in plant-specific risk evaluation. If the approach taken in the response to the RAIs to evaluate only the analog channels is sufficient, please provide justification. If not, then, consistent with TSTF-411, Revision 1 guidance, complete a plant-specific risk evaluation for these two signals for all proposed STI extensions to I&C components (analog channels, logic cabinet, master relays) and applicable tests involving these components. Please describe how this updated STI extension risk analysis is performed. Please include what was evaluated (e.g., components, tests) for the proposed TS changes; method used to evaluate their STI extension (e.g., increasing failure rates, etc.); as well as other assumptions such as test unavailability. If an updated risk assessment is performed to include the logic cabinet and master relays, provide updated results for the LAR following RG 1.177, RG 1.174, and TSTF-411, Revision 1 guidance, and provide updated results of the response to RAI 12 regarding cumulative risk as appropriate.

    b. The response to RAI 7.d requested a description of the method used to evaluate the common cause failure (CCF) for the STI extension. The response stated that the software generates the appropriate common cause basic events using Multiple Greek Letter common cause factors. However, there was no discussion on how the CCF probabilities are adjusted for extending the STI.

    Please explain how the change in the CCF was evaluated for the STI extension for each of the I&C components in the proposed TS changes, and include an example of how the CCF probability was adjusted.

    c. The response to the RAI 7.f stated that doubling the failure rate for the unavailability of the STI extension of analog channels was conservative, but did not provide a basis for this conclusion. Since the STI unavailability depends on the testing scheme (e.g., staggered), please explain what testing scheme was used for calculating the analog channels STI unavailability and why the method described in the RAI response is conservative for this testing scheme. Also, clarify what the fault exposure time was taken to be (e.g., STI/2).

    The response to RAI 7.f does not appear to address components not included in the WCAP-10271-P-A STI extensions, as requested. Because neither of the logic cabinet nor the master relays for these two signals were included in the WCAP-10271 STI extensions, according to WCAP-15376-P-A, please explain the testing scheme used for calculating their STI unavailability and the fault exposure time used.

    d. The RAI 7.g.i stated: "Explain why the increase in CDF/LERF [Core Damage Frequency/Large Early Release Frequency] for the new signals given in the supplementary information response is low."

    If an updated plant-specific risk assessment for each of these two signals in a, above is performed, and if the updated analysis does not retain the conclusion of "small" risk per RG 1.177, explain why the risk is not "small." Please explain, consistent with RG 1.174 guidance that the change in risk is in an acceptable range. Please provide justification, if applicable. In addition, if the risk assessment was updated and resulted in any new Tier 2 measures, please provide Tier 2 results consistent with RG 1.177 guidance. Include demonstration that there are appropriate restrictions on dominant risk-significant configurations associated with the change, and Tier 2 documentation, as discussed in Section 4.

    SCE&G Response

    a. An updated plant-specific risk analysis was performed to include the analog channels, the logic cabinets, and the master relays following RG 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications," RG 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis," and TSTF-411, Revision 1 guidance. The components for the analog channel model included the sensor (pressure or level transmitter), loop power supply, and input relays to the logic circuits. The components for the logic cabinet model included the universal logic card and the safeguards driver card. The components for the master relay model included the master relay.

    These signals (EFW Suction Transfer on Low Pressure, 6.h and Automatic Switchover to Containment Sump on RWST Level Low-Low, 8a) are represented in the base risk assessment by four separate channels feeding into 3 of 4 combination gates. The following components and failures within these channels are modeled: 1) for the analog channel, transmitter failure including common cause, the comparator failure including common cause, loop power supply failure including common cause, common cause miscalibration of transmitter, and input relay failure including common cause; 2) for the logic cabinets, universal logic card failure including common cause and safeguard driver card failure including common cause; 3) for the master relay, master relay failure including common cause and slave relay failure including common cause.

    The updated plant-specific risk analysis was performed by increasing the analog channel components failure probability by a factor of two, proportional to the increased Analog Channel Operability Test (ACOT) interval. The logic cabinet and master relay components were increased by a factor of three, proportional to the increased Actuation Logic Test (ALT) and Master Relay test interval. The base case and extended STI failure probabilities used in the updated plant-specific risk analysis are shown in Table 7-1.

    Table 7-1

    | Component | Base Case Failure Probability | Extended STI Failure Probability |
    |---|---|---|
    | Analog Channel: Comparator | 7.46E-04/demand | 1.49E-03/demand |
    | Analog Channel: Loop Power Supply | 3.53E-05/demand | 7.06E-05/demand |
    | Analog Channel: Input Relays | 3.9E-05/demand | 7.80E-05/demand |
    | Logic Cabinet: Universal Logic Card | 3.83E-04/demand | 1.15E-03/demand |
    | Logic Cabinet: Safeguards Driver Circuit | 5.9E-04/demand | 1.77E-03/demand |
    | Master Relay | 1.1E-05/demand | 3.30E-05/demand |

    ESFAS train unavailabilities due to maintenance and test are also included in the updated plant-specific risk analysis; however, the unavailability values were not modified from the base case. The extended STI will reduce the unavailability due to maintenance and testing. Not taking credit for this reduced unavailability is conservative.

    All necessary I&C components are modeled in the PRA. Therefore, the EFW Suction Transfer on Low Pressure signal and Automatic Switchover to Containment Sump on RWST Level Low-Low are modeled in the updated plant-specific risk analysis sufficiently for this application.

    The updated plant-specific risk analysis resulted in a delta CDF of 0 and a delta LERF of 0 for the EFW Suction Transfer on Low Pressure signal, 6h. The updated analysis also resulted in a delta CDF of 5.0E-07/yr and a delta LERF of 3.1E-08/yr for the Automatic Switchover to Containment Sump on RWST Level Low-Low, 8a.

    The test evaluated in the updated risk analysis consists of the extended ACOT from quarterly to semi-annually (STI increased by 2), and the extended Actuation Logic Test (ALT) and Master Relay testing from monthly to quarterly (STI increased by 3). The unavailability due to the additional test described in the response to RAI 7.i (Actuation Logic and Master Relay Testing) was not changed in the analysis since the extended STI of quarterly is conservative relative to tests performed more frequently.

    All of the components except for the sensors are modeled with a failure probability on demand. For all other components, their failure probability on demand was doubled when extending the STI from quarterly to semi-annually for the ACOT or tripled when extending the ALT and Master Relay Test STI from monthly to quarterly. This is equivalent to doubling and tripling the fault exposure times for the respective tests.

    The analysis conservatively assumes the test unavailability is unaffected by the extended STI and was not changed from the values in the baseline model. Component unavailability due to testing will decrease when STIs are extended, resulting in lower CDF/LERF values.

    Updates to the previous response to RAI 12, which was provided in the February 6, 2017 response to the NRC's request for additional information (ML17037D369), are shown in Table 12-1 on the following page.

    Table 12-1

    | | Pre-TOP to WCAP-10271-P-A | WCAP-10271-P-A to WCAP-14333-P-A | WCAP-14333-P-A to WCAP-15376-P-A | Pre-TOP to WCAP-15376 |
    |---|---|---|---|---|
    | ΔCDF/yr, 2/4 logic | | 3.5E-07 | 8.0E-07 | |
    | ΔCDF/yr, 2/3 logic | | 6.1E-07 | 8.5E-07 | |
    | ΔCDF/yr, EFW Suction ESFAS 6.h | | 0 | 0 | |
    | ΔCDF/yr, RWST level ESFAS 8.a | | 3.8E-08 | 5.0E-07 | |
    | Total ΔCDF/yr (1) | (2) | 6.5E-07 | 1.35E-06 | 2.0E-06 |
    | ΔLERF/yr, 2/4 logic | | 2.0E-08 | 3.1E-08 | |
    | ΔLERF/yr, 2/3 logic | | 2.2E-08 | 5.7E-08 | |
    | ΔLERF/yr, EFW Suction ESFAS 6.h | | 0 | 0 | |
    | ΔLERF/yr, RWST level ESFAS 8.a | | 4.0E-10 | 3.1E-08 | |
    | Total ΔLERF/yr (1) | (2) | 2.2E-08 | 8.8E-08 | 1.1E-07 |

    Notes to Table 12-1:

    (1) 2/3 logic are used for Total delta CDF/yr and delta LERF/yr calculations because VCSNS predominantly uses 2/3 logic and because this use is conservative (maximizes the total risk increase).

    (2) The original Individual Plant Examination (IPE) and Individual Plant Examination for External Events (IPEEE) included incorporation of WCAP-10271-P-A, so this was not a risk-informed change for VCSNS.

    Because the cumulative increase in CDF exceeds 1.0E-06/yr and the cumulative increase in LERF exceeds 1.0E-07/yr, the following table is provided to show that the total VCSNS CDF is less than 1.0E-04/yr and the total VCSNS LERF is less than 1.0E-05/yr. Therefore, both delta CDF and delta LERF meet the application guidance in Regulatory Guide 1.174 for small changes (Region II of Figures 4 and 5 of RG 1.174). (The information below for CDF was provided in the original license amendment submittal as part of Table 8.)

    Table 12-2

    | Hazard Group | CDF (yr⁻¹) | LERF (yr⁻¹) |
    |---|---|---|
    | Internal Events (including internal flooding) (1) | 5.67E-06 | 1.06E-07 |
    | Seismic | 1.5E-05 | 1.5E-07 |
    | Fire (2) | 4.80E-05 | 3.30E-06 |
    | Total | 6.87E-05 | 3.56E-06 |

    Notes to Table 12-2:

    (1) VCSNS has updated the internal events PRA model since the December 16, 2015 submittal, and the current CDF is lower than the value provided above. If this value was used in the table, the Total CDF would be lower.

    (2) VCSNS has updated the Fire PRA model since the December 16, 2015 submittal.

    Since there are no changes in the Technical Specification Allowed Outage Time (AOT) for these signals, changes in ICCDP and ICLERF are not considered applicable.

    b. Multiple Greek Letter (MGL) common cause factors were used for common cause failure (CCF) and the CCF probabilities were generated using the CAFTA common cause tool for each of the I&C components. These CCF probabilities can also be manually calculated using the following equation:

    $$Q_k = \frac{1}{\binom{m-1}{k-1}} \left( \prod_{i=1}^{k} \rho_i \right) \left( 1 - \rho_{k+1} \right) Q_t$$

    $$\rho_1 = 1,\ \rho_2 = \beta,\ \rho_3 = \gamma,\ \rho_4 = \delta,\ \rho_5 = \varepsilon,\ \ldots,\ \rho_{m+1} = 0$$

    The number of parameters is always one less than system size. For example, in a system of three components (m=3), those parameters which contribute are β and γ. Other parameters, i.e., δ, ε, ... will be zero.

    Further description of the variables used in the above equation are as follows:

    $Q_k$ = probability of a CCF BE involving k specific components in a common cause component group of size m, (1 ≤ k ≤ m).

    $Q_t$ = total failure frequency of the component on account of all independent and common cause events

    The binomial coefficient $\binom{m-1}{k-1} = \frac{(m-1)!}{(k-1)!\,(m-k)!}$.


    The MGL parameters are numerically given in Table 7-5 but are linked to variables for model convenience. The first three MGL parameters (β, γ, δ) are described below.

    β = conditional probability that the common cause of a component failure will be shared by one or more additional components.

    γ = conditional probability that the common cause of a component failure that is shared by one or more components will be shared by two or more components in addition to the first.

    δ = conditional probability that the common cause of a component failure that is shared by two or more components will be shared by three or more components in addition to the first.

    Table 7-5 Component MGL Parameters

    | Component | MGL Parameter | Value | Source |
    |---|---|---|---|
    | Analog Channel Components (Pressure or Level Transmitters, Comparators, Loop Power Supplies, Relays) | Beta MGL Parameter | 0.08 | WCAP-15376-P-A, Page 8-17, Analog Channels |
    | Analog Channel Components | Gamma MGL Parameter | 0.33 | WCAP-15376-P-A, Page 8-17, Analog Channels |
    | Analog Channel Components | Delta MGL Parameter | 0.52 | WCAP-15376-P-A, Page 8-17, Analog Channels |
    | Logic Cabinet Components | Universal Logic Card Beta MGL Parameter | 0.044 | WCAP-15376-P-A, Page 8-17, Universal Logic Card |
    | Logic Cabinet Components | Safeguards Driver Card Beta MGL Parameter | 0.05 | WCAP-15376-P-A, Page 8-17, Safeguards Driver Card |
    | Master Relay Components | Master Relay Beta MGL Parameter | 0.15 | WCAP-15376-P-A, Page 8-17, Master Relay |
    | Master Relay Components | Slave Relay Beta MGL Parameter | 0.15 | WCAP-15376-P-A, Page 8-17, Slave Relay |


    For the extended STI for these two functions 6h and 8a, the CCF probabilities were calculated using the same MGL common cause factors, same equation, but with new basic event failure probabilities. For example the common cause factors for the analog channel comparators with the extended STI failure probability of 1.49E-03 are:

    Q1 (Failure of 1 of 4 components) = 1.49E-03 (assume the independent failure probability is equal to the total failure probability)

    Q2 (Failure of 2 of 4 components) = 1/3 β (1-γ) Qt = 1/3 (0.08) (1-0.33) 1.49E-03 = 2.66E-05

    Q3 (Failure of 3 of 4 components) = 1/3 β γ (1-δ) Qt = 1/3 (0.08) (0.33) (1-0.52) 1.49E-03 = 6.29E-06

    Q4 (Failure of 4 of 4 components) = β γ δ Qt = (0.08) (0.33) (0.52) 1.49E-03 = 2.04E-05

    The common cause factors for the base case analog channel comparators failure probability of 7.46E-04 are:

    Q1 = 7.46E-04

    Q2 = 1.33E-05

    Q3 = 3.15E-06

    Q4 = 1.02E-05

    As expected, the new CCF probabilities are 2 times greater than the base case since the component failure probabilities were doubled for the extended STI.
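
    The calculation in part b, written out as an added example (it is not part of SCE&G's submittal and is not CAFTA output): a Python implementation of the MGL expression for a common cause group of any size m, run on the comparator values from Tables 7-1 and 7-5. The function names, the `independent_equals_total` switch (which reproduces the letter's assumption that Q1 equals Qt) and the test intervals expressed in months are assumptions of this example.

```python
"""MGL common cause failure (CCF) probabilities under an extended STI.

Added example. Numerical inputs are taken from Tables 7-1 and 7-5 of the
letter; everything else (names, structure) is an assumption of this example.
"""
from math import comb, prod

ANALOG_MGL = (0.08, 0.33, 0.52)   # beta, gamma, delta for analog channels (Table 7-5)
COMPARATOR_BASE = 7.46e-4         # per demand, base case (Table 7-1)
COMPARATOR_EXTENDED = 1.49e-3     # per demand, extended STI as rounded in Table 7-1
GROUP_SIZE = 4                    # four separate channels per signal


def extend_sti(fp_current, current_sti, extended_sti):
    """FP(extended STI) = FP(current STI) x (extended STI / current STI).

    Both intervals must be in the same unit (months here).
    """
    if not 0.0 <= fp_current <= 1.0:
        raise ValueError("failure probability must lie in [0, 1]")
    if current_sti <= 0 or extended_sti <= 0:
        raise ValueError("test intervals must be positive")
    fp = fp_current * extended_sti / current_sti
    if fp > 1.0:
        raise ValueError("linear scaling is not valid: result exceeds 1")
    return fp


def mgl_ccf(q_total, mgl_params, m, independent_equals_total=False):
    """Return {k: Q_k} for k = 1..m.

    Q_k = 1 / C(m-1, k-1) * (rho_1 * ... * rho_k) * (1 - rho_{k+1}) * Q_t
    with rho_1 = 1, rho_2 = beta, rho_3 = gamma, ..., rho_{m+1} = 0.
    Parameters that are not supplied are taken as zero.
    """
    if m < 1:
        raise ValueError("group size m must be at least 1")
    if len(mgl_params) > m - 1:
        raise ValueError("at most m - 1 MGL parameters contribute")
    if any(not 0.0 <= p <= 1.0 for p in mgl_params):
        raise ValueError("MGL parameters are conditional probabilities")
    # rho[i] holds rho_{i+1}; the list always has m + 1 entries.
    rho = [1.0] + list(mgl_params) + [0.0] * (m - len(mgl_params))
    q = {
        k: prod(rho[:k]) * (1.0 - rho[k]) * q_total / comb(m - 1, k - 1)
        for k in range(1, m + 1)
    }
    if independent_equals_total:
        # The letter's simplification: Q1 is set to Qt instead of (1 - beta) Qt.
        q[1] = q_total
    return q


def component_total(q_by_k, m):
    """Total failure probability of one specific component implied by the Q_k.

    A given component takes part in C(m-1, k-1) distinct k-component events.
    """
    return sum(comb(m - 1, k - 1) * q for k, q in q_by_k.items())


def ccf_ratios(base, extended):
    """Ratio extended/base for every k that has a non-zero base value."""
    return {k: extended[k] / base[k] for k in base if base[k] > 0.0}


if __name__ == "__main__":
    base = mgl_ccf(COMPARATOR_BASE, ANALOG_MGL, GROUP_SIZE, True)
    ext = mgl_ccf(COMPARATOR_EXTENDED, ANALOG_MGL, GROUP_SIZE, True)
    print("k   base       extended   ratio")
    for k, ratio in ccf_ratios(base, ext).items():
        print(f"{k}   {base[k]:.2e}   {ext[k]:.2e}   {ratio:.3f}")
    strict = mgl_ccf(COMPARATOR_EXTENDED, ANALOG_MGL, GROUP_SIZE)
    print(f"strict MGL total per component:  {component_total(strict, GROUP_SIZE):.3e}")
    print(f"with Q1 = Qt (letter's choice):  {component_total(ext, GROUP_SIZE):.3e}")
```

    With the strict formula the terms sum back to Qt for each component; setting Q1 equal to Qt, as the letter does, raises the implied per-component total by β·Qt, so that assumption errs on the high side.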

    c. The response to the RAI 7.f stated that "To represent the change in operational testing to six-months, these analog channel basic event failure probabilities were conservatively doubled. In addition, no credit has been taken for the reduced amount of time that the components may be unavailable due to increased test interval." The intent of the statements was that the methodology is conservative since the components' failure probabilities were doubled, no credit was taken for the reduced unavailability due to increased test interval. With the extended STI doubled, the component unavailability will be reduced proportionally. The evaluation took into account the increase in likelihood of failing between tests, but did not take credit for the benefits of reduced component unavailability. Therefore, the approach is conservative.

    Specific fault exposure times were not used directly in the updated plant-specific risk analysis. For components with a known failure probability (FP) based on a particular STI, the component failure probability for the extended test interval was determined by increasing the current failure probability by a factor equal to the test interval increase as shown by:

    FP(extended STI) = FP(current STI) x (extended STI/current STI)

    This assumes a linear relation between failure probability and the STI which is consistent with using the current failure rate times the extended STI/2 fault exposure time.

    The testing scheme for analog channels, logic cabinets and master relays, used in the updated plant-specific risk evaluation is non-staggered. A non-staggered scheme is a scheme where components are tested simultaneously, whereas a staggered testing scheme is a scheme where components are tested sequentially. Mathematically, it can be shown that the probability of a common cause basic event for a non-staggered testing scheme is greater than that of a staggered scheme. Therefore, the evaluation using a non-staggered testing scheme yields a higher CCF and bounds the staggered testing scheme. The actual testing scheme for the two analog channels proposed in the LAR changes the analog channel operational test (ACOT) from quarterly to semi-annually on a non-staggered basis. The testing scheme for the logic cabinets proposed in the LAR changes the actuation logic test (ALT) from monthly to quarterly on a staggered test basis. The VCSNS Technical Specifications define a staggered test basis as dividing the test interval into n equal subintervals and testing one system, subsystem, train or other designated component at the beginning of each subinterval. Therefore each train of the logic cabinets will be tested at least every 184 days. Similarly for the master relays, the testing scheme proposed in the LAR changes the master relay test from monthly to quarterly on a staggered test basis resulting in each train of master relays tested at least every 184 days.

    d. An updated plant-specific risk assessment for each of the two signals was performed as described in the response to part a above. The analysis retains the conclusion of "small" risk per RG 1.177 since there is no change in the Technical Specification Completion Time (CT) for these signals. Test duration for these signals is also not affected.

    The delta CDF and delta LERF results for these 2 signals fall in acceptance Region III of Figures 4 and 5 of RG 1.174 for very small changes in CDF and LERF. The cumulative results, when combined with changes of other components in WCAP-15376 fall in acceptance Region II of RG 1.174 (small changes in CDF and LERF). Therefore, the evaluation results meet acceptance criteria set forth in RG 1.174.

    Since the actuation logic testing for these two signals is performed in conjunction with all other signals (i.e. as part of the same test), the risk significance of the configuration is already accounted for in the Tier 2 recommendations, which have already been developed. No additional Tier 2 measures are required for the two additional signals. There are no additional restrictions as identified in WCAP-15376.


    Follow-up RAI 7.k.ii:

    Limitation and Condition number 4 from the NRC staff's SE on the WCAP-15376 topical report states: "To ensure consistency with the reference plant, the model assumptions for human reliability in WCAP-15376-P, Rev. 0 should be confirmed to be applicable to the plant-specific configuration." The response to RAI 7.k.ii identified that limitation and condition number 4 is confirmed because the operator actions modeled in the WCAP-15376-P-A analysis are not applicable for these two plant-specific signals. A review of WCAP-15376-P-A indicates that these operator actions in the response are back-up actuation signals.

    The response does not appear to fully address the limitation and condition because the human reliability modeling should be confirmed to be applicable to the plant-specific configuration for these two signals not evaluated in the topical report. The response to RAI 7.k.iii identified that there are operator actions to back-up both automatic functions. Since these operator actions are not evaluated in WCAP-15376-P-A, and, therefore, model assumptions in WCAP-15376-P-A are not applicable to V.C. Summer plant-specific signals, please confirm that these operator actions for the two signals are in the PRA model and explain what they are.

    SCE&G Response

    ESFAS Signal 8.a (RWST Level lo-lo) initiates automatic switchover to the Containment Sump (from the Refueling Water Storage Tank (RWST)) when RWST level decreases to the lo-lo level setpoint (18 percent). This automatic action opens the Residual Heat Removal Pump and Reactor Building Spray Pump Suction Valves from the Containment Sump, and closes the pump suction valves from the RWST. VCSNS Emergency Operating Procedure (EOP) 2.2, "Transfer to Cold Leg Recirculation," includes steps for the operator to verify that this automatic action has occurred, and if it has not, steps direct the operator to ensure the valves are aligned appropriately. The valves are operated from the Main Control Board. The Reference Pages for the EOPs which precede this automatic function alert the operator that the function occurs on RWST lo-lo level, and direct the operator to transition to EOP-2.2 when the setpoint is reached. A preliminary Main Control Board alarm annunciates when the RWST lo-level setpoint is reached (RWST LVL LO), and then another alarm annunciates when the level reaches the automatic action setpoint (RWST LVL LO-LO XFER TO SUMP). The Reference Page criterion, procedural guidance to ensure the automatic actions were appropriately completed, and the preliminary alarm (in addition to operator training) ensure adequate time is available to back-up the automatic actions should they fail to occur. The VCSNS Probability Risk Assessment (PRA) Model does not take credit for the operator action to back-up the automatic actions from ESFAS Signal 8.a.

    ESFAS Signal 6.h (Emergency Feedwater (EFW) Suction Transfer on Low Pressure) initiates opening of the EFW Pump Suction Valves from the alternate source (Service Water (SW) System) and provides a start signal to the SW Pumps (which are typically running during normal operation) if the normal EFW supply source (Condensate Storage Tank (CST)) is empty. The annunciator response procedure for Main Control Board (MCB) Annunciator EFP SUCT HDR PRESS LOXFER TO SW directs the operator to ensure the EFW supply transfers to SW on decreasing CST level. The associated valves and pumps are operated from the Main Control Board. Additionally, VCSNS EOP-15.0, "Loss of Secondary Heat Sink," directs the operator to verify the automatic swap to SW is complete if CST level decreases to a level of 5.3 feet (the equivalent of Low EFW Suction Pressure). Because EOP-15.0 is entered upon an extreme challenge to the Heat Sink safety function, it takes precedence over other procedures likely to be in effect. The MCB annunciator and associated guidance, the procedure priority for the associated EOP, and the ability to operate the required pumps and valves from the control board ensure adequate time is available to back-up the automatic actions should they fail to occur. The VCSNS PRA Model does not take credit for the operator actions to back-up the automatic actions from ESFAS Signal 6.h.

    The VCSNS PRA model takes no credit for the above operator actions which back up these signals (i.e. they are not included in the human reliability modeling or other PRA modeling). From a PRA standpoint, this means that operator actions to back up these signals always fail. Neither of these signals is related to the operator actions credited in the WCAP-15376 analyses (Reactor trip from the main control board switches, Reactor trip by interrupting power to the motor-generator sets, Insertion of the control rods via the rod control system, Safety Injection actuation from the main control board switches, Safety Injection by actuation of individual components, Emergency Feedwater pump start). Inclusion of these two signals in the LAR, therefore, does not impact confirmation of applicability of the human reliability analysis in WCAP-15376 to VCSNS.

    Follow-up RAI 9:

    The response to RAI 9 describes how the configuration risk management program (CRMP) tool uses surrogates for signals not modeled in the PRA. (Surrogates are not used for the signals 6.h. or 8.a, according to the response to RAI 7.c.iv.). However, the response to RAI 9 did not provide sufficient information for the surrogates described.

    The NRC staff requests the following additional information regarding I&C surrogates for non-modeled signals in the CRMP tool.

    a. The response to RAI 9.ii describes surrogates for analog channels as doubling the "initiating event frequencies (reactor trip or safety injection)". Reactor trip and safety injection signals are applicable to a wide range of initiating events and accident sequences. Please discuss whether all initiating events are increased, or if only some initiating events are increased, please confirm that the initiating event frequencies which are increased (i.e., doubled) as a surrogate cover the possible initiators for the non-modeled signals.

    b. The unavailability of a logic cabinet may have a different plant and risk impact than the unavailability of an analog channel, therefore, doubling the initiating event frequency may not be applicable. Please confirm that the PRA modeling of the logic cabinet unavailability accounts for the plant response impact of the non-modeled signals (as well as associated relevant modeled signals).

    c. The response to RAI 9 does not include master relays, which are also part of the proposed TS changes. The unavailability of a master relay may also have a different risk significance than an analog channel, and the doubling of the initiating event frequency may not be appropriate. Please describe and justify surrogates, if used, for master relays associated with the functions in the LAR. Please confirm that the PRA modeling of the master relays unavailability accounts for the impact on the plant response.

    SCE&G Response

    a. The VCSNS Configuration Risk Management Program (CRMP) utilizes initiating event frequency multiplication during tests for which the likelihood of incurring a reactor trip or safety injection are increased. This approach is utilized when the test trips the affected bistables such that the associated channel's input to reactor trip or safety injection is made-up, effectively reducing the number of remaining channel failures needed to result in inadvertent actuation from 2-of-3 to 1-of-2 (for a function utilizing 2-of-3 coincidence). This multiplication practice alerts the operator (and updates the risk profile) to reflect that the test increases the likelihood of inadvertently having that event, due to reducing the coincidence of additional failures or spurious operations required to cause the event. The likelihood of other initiating events is not impacted during these tests, and is therefore not increased. The increase in initiator frequency during these tests is performed for all tests that trip bistables which input to a safety injection signal or a reactor trip signal, regardless of whether the particular signal being tested is explicitly modeled in the CRMP. Furthermore, tripping the affected bistable(s) in this manner (in the plant) prevents the failure postulated (in the model) which is the failure to provide the appropriate protection signal when plant conditions warrant that signal (i.e. once the bistable is tripped, the failure of that bistable to provide input to the required coincidence cannot occur; it is already providing the required input). The CRMP does not remove the failure mode from the risk calculation when such bistables are tripped, so the CRMP results are conservative during testing.

    It should also be noted that, while this particular RAI relates to inadvertent safety injection and/or reactor trip, the VCSNS CRMP increases other initiating event frequencies if the particular test or activity in progress impacts the likelihood of other events. For example, an activity that increases the likelihood of inadvertently tripping a Main Feedwater Pump will be modeled in the CRMP by multiplying the Loss of Main Feedwater initiating event frequency by two.

    b. The VCSNS CRMP does not use initiating event multiplication to model unavailability of an analog channel or unavailability of a logic cabinet. If an analog channel is unavailable to perform its function, its bistables are placed in the tripped condition (i.e. its signal to the Reactor Protection System (RPS) and/or Engineered Safety Feature Actuation System (ESFAS) is made-up, negating the potential for the failure modeled in the CRMP - see item 'a' above). The logic cabinet is a subcomponent of the Solid State Protection System Cabinet. Unavailability of a logic cabinet necessitates removal of that train's SSPS Cabinet from service in the CRMP tool. This, in turn, prevents calculating credit for any of that train's RPS/ESFAS mitigation functions (regardless of whether the input signals are modeled), and is therefore appropriately accounted for in the VCSNS CRMP tool. The VCSNS CRMP models SSPS actuation logic and master relay testing by removing the affected train's SSPS Cabinet from service, as discussed here.

    c. The VCSNS CRMP does not use initiating event multiplication or surrogates to model unavailability of master relays. If a subcomponent in the RPS/ESFAS system is unavailable (e.g. master relay), the associated train's SSPS Cabinet is removed from service in the CRMP tool. This results in a conservative risk profile because doing so prevents taking credit for any of that train's RPS/ESFAS mitigation functions, not just the functions impacted by that particular relay. It should be noted that, while the VCSNS PRA model (which is used in the CRMP) includes master relays, the CRMP tool does not provide the option of removing individual relays from service. This necessitates removal of the train's SSPS Cabinet in the CRMP tool if such a relay fails. While this is a conservative approach, it ensures appropriate risk awareness is maintained when a subcomponent in the RPS/ESFAS system is degraded.