Proposed Emergency Technical Specification Change One Time Extension of the Completion Time for the Low Head Safety Injection (Lhsi) Train B

ML042950140
Person / Time
Site:	Surry
Issue date:	10/20/2004
From:	Grecheck E Virginia Electric & Power Co (VEPCO)
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
04-647
Download: ML042950140 (29)
v • d • e

Text

VIRGINIA ELECTRIC AND POWER COMPANY

RICHMOND, VIRGINIA 2 x 6 1 October 20,2004 U.S. Nuclear Regulatory Commission Attention: Document Control Desk Washington, D.C. 20555 Serial No.04-647 NL&OS/ETS RO Docket No.

50-281 License No. DPR-37 VIRGINIA ELECTRIC AND POWER COMPANY (DOMINION)

SURRY POWER STATION UNIT 2 PROPOSED EMERGENCY TECHNICAL SPECIFICATION CHANGE ONE TIME EXTENSION OF THE COMPLETION TIME FOR THE LOW HEAD SAFETY INJECTION (LHSI) TRAIN B Pursuant to 10 CFR 50.90 and 10 CFR 50.91 (a)(5), Dominion requests an emergency amendment of the Facility Operating License, in the form of changes to the Technical Specifications to Facility Operating License Number DPR-37 for Surry Power Station Unit 2. The proposed change will revise Technical Specification (TS) 3.3.B.3 by adding a Note to allow a one-time 7-day Allowed Outage Time to repair a leak that was discovered on the Low Head Safety Injection pump seal package. Dominion requests that the proposed change be processed as an emergency change to prevent an unnecessary plant transient and unscheduled shutdown of Surry Unit 2. Surry Unit 2 entered TS 3.3.B.3 at 1157 hours0.0134 days <br />0.321 hours <br />0.00191 weeks <br />4.402385e-4 months <br /> on October 19, 2004 due to a leak identified in the seal package of the B Low Head Safety Injection pump. The current Allowed Outage Time for this Action is 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

The proposed change is based on a risk-informed evaluation performed in accordance with Regulatory Guides (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions On Plant-Specific Changes to the Licensing Basis, and RG 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking:

Technical Specifications.

A discussion of the proposed Technical Specifications change and the basis for the emergency Technical Specification are provided in.

The marked-up and proposed Technical Specifications pages are provided in Attachments 2 and 3, respectively. The associated Bases changes are being provided for information only and will be implemented after approval of the proposed Technical Specification.

We have evaluated the proposed Technical Specifications change and have determined that it does not involve a significant hazards consideration as defined in 10 CFR 50.92.

The basis for that determination is provided in Attachment 1. We have also determined that operation with the proposed change will not result in any significant increase in the amount of effluents that may be released offsite and no significant increase in individual or cumulative occupational radiation exposure. Therefore, the proposed amendment is eligible for categorical exclusion as set forth in 10 CFR 51.22(~)(9). Pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment is needed in

Serial No.04-647 Docket No. 50-281 Emergency TS change - TS 3.5.2 Page 2 of 3 connection with the approval of the proposed changes. The basis for that determination is also provided in Attachment 1.

In order to avoid an unnecessary plant shutdown, Dominion requests that the proposed Technical Specification change be reviewed and approved by 1100 hours0.0127 days <br />0.306 hours <br />0.00182 weeks <br />4.1855e-4 months <br /> on October 22, 2004. The extended Completion Time will expire upon returning the B train of the Unit 2 LHSl system to operable status or on October 26, at 1157 hours0.0134 days <br />0.321 hours <br />0.00191 weeks <br />4.402385e-4 months <br />, whichever occurs first.

If you have any further questions or require additional information, please contact Mr. Thomas Shaub at (804) 273-2763.

Very truly yours, Eugene S. Grecheck Vice President - Nuclear Support Services Attachments Commitments made in this letter:

The following compensatory measures will be taken to provide additional assurance that public health and safety will not be adversely affected by this request.

There will be no planned maintenance on either Units Emergency Diesel Generators.

There will be no planned maintenance on the Unit 2 A LHSl subsystem.

There will be no planned maintenance activities on switchyardheserve station service transformers.

There will be no planned maintenance on the Alternate AC Diesel Generator (AAC DG).

There will be no planned maintenance on the 2 of the 3 unit 1 and any of the Unit 2 High Head Safety Injection (HHSI) pumps including the HHSl crosstie capability.

(Note: 1 B HHSl pump is tagged out for bearing maintenance).

There will be no planned maintenance or testing on any other Unit 2 Engineered Safeguards Functions (ESF) components that could render them inoperable.

Serial No.04-647 Docket No. 50-281 Emergency TS change - TS 3.5.2 Page 3 of 3 cc:

U.S. Nuclear Regulatory Commission Region II Sam Nunn Atlanta Federal Center 61 Forsyth Street, SW Suite 23T85 Atlanta, Georgia 30303 Commissioner Bureau of Radiological Health 1500 East Main Street Suite 240 Richmond, VA 23218 Mr. N. P. Garrett NRC Senior Resident Inspector Surry Power Station Mr. S. R. Monarque NRC Project Manager U. S. Nuclear Regulatory Commission One White Flint North 1 1555 Rockville Pike Mail Stop 8-HI2 Rockville, MD 20852

SN: 04-647 Docket No.: 50-281

Subject:

Proposed Emergency Technical Specification Change One Time Extension of The Allowed Outage Time For The Unit 2 Low Head Safety Injection (LHSI) Train B COMMONWEALTH OF VIRGINIA

)

)

COUNTY OF HENRICO 1

The foregoing document was acknowledged before me, in and for the County and Commonwealth aforesaid, today by Eugene S. Grecheck who is Vice President -

Nuclear Support Services of Virginia Electric and Power Company. He has affirmed before me that he is duly authorized to execute and file the foregoing document in behalf of that Company, and that the statements in the document are true to the best of his knowledge and belief.

,2004.

71/

Acknowledged before me this Joz day of My Commission Expires:

a. 2006.

hW (SEAL)

Serial No.04-647 Docket No. 50-281 Discussion of Emergency Technical Specification Change Surry Power Station Unit 2 Virginia Electric and Power Company (Dominion)

Table of Contents

1. Introduction

2. Background

3. Need for Technical Specification Change

4. Description of Proposed Change 4.1 Technical Specification Change 4.2 Basis of Change

4.3 System Description

5. Technical Evaluation 5.1 Risk Assessment 5.2 Defense-In-Depth Assessment 5.3 Safety Margin Assessment 5.4 Dominant Accident Sequences 5.5 Summary

6. Regulatory Safety Analysis 6.1 No Significant Hazards Consideration 6.2 Environmental Assessment

7. Conclusion - Surry PRA Peer Assessment A & B Level F&O Review Summary

Discussion of Change 1.O Introduction Pursuant to 10 CFR 50.90 and 10 CFR 50.91(a)(5), Virginia Electric and Power Company (Dominion) requests an emergency amendment to Facility Operating License Number DPR-37 in the form of a change to the Technical Specifications (TS) for Surry Power Station Unit 2. The proposed change will revise Technical Specification 3.3.B.3 by adding a note to the Allowed Outage Time (AOT) to permit a one-time 7-day AOT to repair a seal leak that was discovered on the B Low Head Safety Injection Pump (2 P-lB) during surveillance testing. This change should be processed as an emergency change to prevent an unscheduled shutdown of Surry Unit 2. The proposed change is based on a risk-informed evaluation performed in accordance with Regulatory Guides (RG) 1.174, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions On Plant-Specific Changes to the Licensing Basis, and RG 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications.

A TS Bases change, reflecting the proposed change to the AOT associated with the Technical Specification change discussed above, is included for information only. The TS Bases will be revised following NRC approval of the license amendment.

The proposed change qualifies for categorical exclusion from an environmental assessment as set forth in 10 CFR 51.22(~)(9). Therefore, no environmental impact statement or environmental assessment is needed in connection with the approval of the proposed change.

2.0

Background

On October 19, 2004, at 1157 hours0.0134 days <br />0.321 hours <br />0.00191 weeks <br />4.402385e-4 months <br />, the Unit 2 B Low Head Safety Injection (LHSI) pump was declared inoperable due to leakage from the outboard seal during pump operation. In addition, a seal head tank low level alarm was received in the control room. The pump was declared inoperable and TS 3.3.B.3 was entered. TS 3.3.A.3.b requires one LHSl pump to be OPERABLE in each safety injection subsystem. The AOT of TS 3.3.B.3. is 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> for one safety injection subsystem inoperable.

In order to return the B LHSl train to OPERABLE status, repairs must be completed, and post-maintenance testing must be performed. Although this design has a motor spacer and sleeve arrangement for the seal, inadequate clearance is available between the pump shaft and motor shaft to remove the seal assembly. Therefore the motor must be removed. This activity requires scaffolding be built to gain access to the motor leads.

The scaffold will then need to be removed prior to seal replacement activities, because it will interfere with the seal removal. The seal is a John Crane tandem seal design which will need to be disassembled in segments and parts lifted over the removed coupling portion of the pump shaft. Once the seal has been removed the replacement seal will be installed and the process reversed, including rebuilding scaffolding to provide access to the motor terminals. Based on previous maintenance experience, approximately 60 hours6.944444e-4 days <br />0.0167 hours <br />9.920635e-5 weeks <br />2.283e-5 months <br /> are required to perform the seal repair activity and perform the return to service testing. Therefore, the time required to perform these activities may challenge the 72-hour AOT.

In the event the seal replacement is unsuccessful, Page 2 of 18

additional time will be required for troubleshooting, motor and seal disassembly, and seal replacement. Therefore, a one-time 7-day AOT for TS 3.3.B.3 is requested to replace the seal package leak on the 6 LHSl pump. The extended AOT will expire upon returning the Unit 2 LHSl subsystem to OPERABLE status, or on October 26, 2004 at 1157 hours0.0134 days <br />0.321 hours <br />0.00191 weeks <br />4.402385e-4 months <br />, whichever occurs first. This one-time emergency change will prevent an unnecessary shutdown of Surry Unit 2.

The proposed one-time AOT change in this license amendment request has been evaluated in accordance with Regulatory Guide (RG) 1.1 74, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis, and RG 1.1 77, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications. The approach addresses, as documented in this report, the impact on defense-in-depth and the impact on safety margins, as well as an evaluation of the impact on risk. The risk evaluation considers the three-tiered approach as presented by the NRC in Regulatory Guide 1.1 77. Tier 1, PRA Capability and Insights, assessed the impact of the proposed AOT changes on core damage frequency (CDF), incremental conditional core damage probability (ICCDP), large early release frequency (LERF), and incremental conditional large early release probability (ICLERP). Tier 2, Avoidance of Risk-Significant Plant Configurations, considers potential risk-significant plant operating configurations, and Tier 3, Risk-Informed Plant Configuration Control and Management, assess emerging plant conditions. Use of the extended AOT will be minimized.

Scheduling and performing maintenance and surveillance testing will be controlled in accordance with 10 CFR 50.65(a)(4),

Maintenance Rule.

Although not required by the PRA analysis, compensatory measures will be established to improve defense-in-depth during the extended AOT duration.

As discussed above, the proposed one-time AOT change is based on a risk-informed evaluation performed in accordance with RG 1.174 and RG 1.177. The CDF impact and the LERF impact, as well as the ICCDP and ICLERP associated with the proposed AOT change are summarized below. These values meet the acceptance criteria in RG 1.1 74 and RG 1.177 for the proposed change.

3.0 Need for Technical Specification Change The proposed one-time change to the AOT of Surry Unit 2 Technical Specifications 3.3.B.3 is needed to avoid the unnecessary shutdown of the plant to complete pump seal repair activities. The change averts known risks from complex and error likely plant shutdown and startup evolutions. In addition, the proposed change eliminates the need for preparing, reviewing and approving a Notice of Enforcement Discretion (NOED).

Page 3 of 18

4.0 Description of Proposed Change 4.1 The proposed change will revise the Technical Specifications as follows:

TS 3.3.6.3

1. A Note is being added to the AOT of TS 3.3.B.3 to allow a one-time 7-day AOT to permit repair of the Unit 2 B LHSl pump seal package.

TS Bases A TS Bases change, reflecting the proposed change to the AOT associated with the TS change discussed above, is included for information only. The TS Bases will be revised following NRC approval of the license amendment.

4.2 Basis for the Technical Specification Change The proposed one-time AOT change from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 7 days to permit repair of the Unit 2 LHSl pump seal package is based on a risk-informed analysis performed in accordance with RG 1.174 and RG 1.177.

4.3

System Description

The function of the ECCS is to provide core cooling and negative reactivity to ensure that the reactor core is protected after any of the following accidents.

0 Loss of coolant accident (LOCA), coolant leakage greater than the capability of the normal charging system 0

Rupture of a control rod drive mechanism - control rod assembly ejection accident, 0

Loss of secondary coolant accident, including uncontrolled steam release or loss of feedwater, and Steam generator tube rupture (SGTR).

The Safety Injection System consists of two separate subsystems: the high head safety injection (HHSI) subsystem and the LHSl subsystem. Each subsystem consists of two redundant, 100% capacity trains.

Engineered Safeguards Functions (ESF).

The purpose of Engineered Safeguard Systems is to protect the public and station in the event of the occurrence of the Design Basis Accident (DBA). The four systems considered part of the ESF systems are:

1. Safety Injection

2. Containment Spray

3. Recirculation Spray

4. Containment Vacuum The safety injection system flow paths consists of piping, valves, and pumps such that water from the RWST can be injected into the reactor coolant system (RCS) following Page 4 of 18

an accident. The major components of each subsystem are the HHSl pumps and the LHSl pumps. Each of the two subsystems consists of two 100% capacity trains that are interconnected and redundant such that either train is capable of supplying 100% of the flow required to mitigate the consequences of an accident. This interconnecting and redundant subsystem design provides the operators with the ability to utilize components from the opposite trains to achieve the required 100% flow to the core.

The HHSl subsystem consists of three charging pumps providing flow to normal charging, cold legs, hot legs, and seal injection. HHSl pump C is a swing pump that can be powered from either safety bus. In addition, there is a unit-to-unit crosstie between the HHSl systems. For injection mode, these pumps take flow from the Refueling Water Storage Tank (RWST). The LHSl system consists of two 100%

capacity trains, with one LHSl pump per train, providing flow to the cold legs or hot legs.

For injection mode, these pumps take flow from the RWST. During cold leg and hot leg recirculation phase, the LHSl pump suction is transferred to the containment sump. In the recirculation mode the LHSI pumps also supply flow to the HHSl pumps.

5.0 Technical Analysis 5.1 Risk Assessment A risk-informed evaluation to determine the impact of the proposed change on plant risk was performed in accordance with Regulatory Guides 1.1 74 and 1.1 77.

The Tier 1 and Tier 2 results are discussed below. Tier 3 requirements ensure that the risk impact of out-of-service equipment is evaluated prior to performing any maintenance activity and is met by the Maintenance Rule Program as required by 1 OCFR50.65(a)(4).

The Surry WinNUPRA S03A model was used for the calculational results. This model was deemed suitable for use in this risk-informed application since it models the as-built and as-operated plant. The model has undergone a PRA Industry Peer review. A review of the Peer Review Findings and Observations (F&Os) was performed to ensure that none of the F&Os would invalidate the results of this evaluation. Enclosure 1 contains a matrix with the B significance level F&Os from the Surry PRA Peer Review. There were no A significance level F&Os for Surry.

5.1.1 Method of Analysis and Results-Tier 1: PRA Capability and Insights The method of analysis and results for the proposed Allowed Outage Time change is discussed below.

In Tier 1, the impact of the Allowed Outage Time change of core damage frequency (CDF), incremental conditional core damage probability (ICCDP), large early release frequency (LERF), and incremental conditional large early release probability (ICLERP) is determined.

Page 5 of 18

0 ICCDP = [(conditional CDF with the subject equipment out of service) - (baseline CDF with nominal expected equipment unavailabilities)] X (duration of single allowed outage time (AOT) under consideration)

ICCDP ICLERP ICLERP = {( conditional LERF with the subject equipment out of service) - (baseline LERF with nominal expected equipment unavailabilities)} X (duration of single AOT under consideration)

With Potential Common Without Potential Common Cause Cause 2.3 E-7 7.4E-8

<1.OE-10

<1.OE-10 These results are below the RG 1.I77 single event limits of 5E-7 for ICCDP and 5E-8 for ICLERP.

In addition, the average annual increase in core damage and large early release frequencies for this one-time Completion Time change are 2.3E-7 and <1.OE-10 per year. These increases in risk are characterized as "very small" in accordance with RG 1.174.

Results are presented with and without common cause vulnerability present. The latter is more applicable, since the other pump seal does not leak.

The results of the risk evaluations associated with the proposed Completion Time change meet the acceptance criteria in RG 1.1 74 and RG 1.1 77.

5.1.2 Tier 2: Avoidance of Risk-Significant Plant Configurations Surry Power Station's program for complying with 10 CFR 50.65(a)(4) fully satisfies the guidance in Regulatory Guide 1.1 77 for Tier 2 Risk-Informed Configuration Risk Management Program (CRMP). The Surry 10 CFR 50.65(a)(4) program performs full model PRA analyses of all planned maintenance configurations at power in advance using the SCIENTECH Safety Monitor. The PRA model in the SCIENTECH Safety Monitor is a comprehensive, component level, core damage and large early release model.

Configurations that approach or exceed the NUMARC 93-01 risk limits (1.OE-6 cumulative increase in core damage probability) are avoided or addressed by compensatory measures per procedure. Historically, Surry rarely approaches this limit.

Emergent configurations are identified and analyzed by the on-shift staff for prompt determination of whether risk management actions are needed. The configuration analysis and risk management processes are fully proceduralized in compliance with the requirements of 10 CFR 50.65(a)(4).

The components in the Safety Injection subsystems are explicitly included in the 10 CFR 50.65(a)(4) scope and their removal from service is monitored, analyzed, and Page 6 of 18

managed using the Safety Monitor tool. In addition, possible loss of offsite power hazards (grid loading/stability, switchyard or other electrical maintenance, external events such as severe weather) are all included in the Safety Monitor model and are explicitly accounted for in the (a)(4) program. When configuration risk approaches the (a)(4) risk limits, plant procedures direct the implementation of risk management actions in compliance with the regulations. If the configuration is planned, these steps must be taken in advance. Individually, most fluid system components do not approach the required risk management thresholds of the (a)(4) regulation. While combinations of unavailable equipment and/or evolutions may approach the limits and even require risk management actions, the risks arising from these configurations will be managed in accordance with station procedures.

Dominion concludes that the Surry 10 CFR 50.65(a)(4) program provides reasonable assurance that risk-significant plant equipment outage configurations will not occur when any of the components associated with the Technical Specification request are inoperable. The 10 CFR 50.65(a)(4) program has provisions for assessing the need for additional actions if additional equipment-out-of-service conditions exist while the plant is in the risk-informed Completion Time. Therefore, Dominion believes that the Surry 10 CFR 50.65(a)(4) program satisfies the intent of Tier 2 to avoid risk-significant plant configurations.

5.1.3. Tier 3: Risk-Informed Plant Configuration Control and Management Surry Power Station's program for complying 10 CFR 50.65(a)(4) fully satisfies the guidance in Regulatory Guide 1.1 77 for Tier 3 Risk-Informed Configuration Risk Management. The Surry 10 CFR 50.65(a)(4) program performs full model PRA analyses of all planned maintenance configurations at power in advance using the SCIENTECH Safety Monitor. The PRA model in the SCIENTECH Safety Monitor is a comprehensive, component level, core damage and large early release model. The Surry Regulatory Guide 1.1 77 Tier 3 Risk-Informed Configuration Management Program has been previously evaluated by the by the NRC in its review and approval of the following amendments: 1 ) RPS/ESFAS analog instrument surveillance interval extension (Amendment Nos. 228 and 228), 2) 14-day allowed outage time for the pressurizer PORV accumulators (Amendment Nos. 231 and 231), 3) Containment Type A Surveillance Test Interval (Amendment No. 233), and 4) Underground Fuel Oil Storage Tanks (Amendment Nos. 236 and 235).

Configurations that approach or exceed the NUMARC 93-01 risk limits (a 1.OE-6 cumulative increase in core damage probability) are avoided or addressed by compensatory measures per procedure.

Historically, Surry rarely approaches this limit. Emergent configurations are identified and analyzed by the on-shift staff for prompt determination of whether risk management actions are needed. The configuration analysis and risk management processes are fully proceduralized in compliance with the requirements of 10 CFR 50.65(a)(4).

The LHSl system is included in the 10 CFR 50.65(a)(4) scope and removal from service is monitored, analyzed and managed using the Safety Monitor tool.

In addition, possible loss of offsite power hazards (grid loading/stability, switchyard or other electrical maintenance, external events such as severe weather) are all included in the Safety Monitor model and are explicitly accounted for in the (a)(4) program. When configuration risk approaches the (a)(4) risk limits, plant procedures direct the Page 7 of 18

implementation of risk management actions in compliance with the regulations. If the configuration is planned, these steps must be taken in advance.

Individually, most fluid system components do not approach the required risk management thresholds of the (a)(4) regulation. While combinations of unavailable equipment and/or evolutions, may approach the limits and even require risk management actions, the risks arising from these configurations will be managed in accordance with station procedures.

5.1.4 External Events The internal events analysis used for the quantification of the risk impact of the proposed Allowed Outage Time change includes internal initiating events and internal flooding. Qualitative assessments were performed for the risk impact of the proposed Allowed Outage Time change on seismic, fire, floods and other external events evaluated in the Individual Plant Examination of External Events (IPEEE). The external event analyses have not been updated since completion of the IPEEE, and portions of these analyses were deterministic.

A seismic PRA analysis was prepared and reported in the IPEEE. The dominant failures involved Turbine Building collapse or failure of components in the Turbine Building leading to a loss of ultimate heat sink. These components are completely independent of the Safety Injection system and therefore would not impact the analysis presented above.

The internal fire analysis in the IPEEE used the EPRl FIVE methodology with quantification of the unscreened fire areas. The core damage frequency from internal fires reported in the IPEEE was 6.3E-6 per year, which is a small fraction of the reported internal events core damage frequency.

The other events, including high winds, floods, transportation and aircraft accidents analyses used a screening methodology with quantification of potentially significant events. The only aspect of the other events quantified was the aircraft accident analysis. The aircraft accident analysis resulted in core damage frequency of 1.1 E-7 per year, which is a very small fraction of the reported internal events core damage frequency.

Page 8 of 18

The following Table provides a summary of the qualitative assessments of the external event analyses for the requested Completion Time change.

Allowed Outage Time Change

- External Event Analvsis External Event Assessment Qualitative Assessment Emergency Core Cooling (ECCS)

Internal Fire ECCS was not associated with any vulnerabilities or Seismic unique significance in fire events.

ECCS is seismically qualified and was not associated 5.1.6 Cumulative CDF and LERF Impact High Winds, Floods, Transportation and Nearby Faci Ii tv Accidents The previously approved and proposed risk-informed changes at Surry with their associated estimated increase in core damage risk are provided below.

with any vulnerabilities or unique significance in seismic events.

ECCS was not associated with any vulnerabilities or unique significance in these events Surry Risk-Informed Change Approved reactor protection system and engineered safety features actuation system analog channel surveillance test internal extensions from monthly to quarterly and allowed outaae time extensions 14 day allowed outage time for the PORV nitroaen accumulators Containment Type A Surveillance Test Interval Underground Fuel Oil Storage Tanks Proposed 7 day emergency core cooling system allowed outage time extension (assuming only one 7 day entry)

Cumulative Total Estimated increase in CDF per year 1 E-07 5E-07 N/A 2E-08 2.3 E-07

<9E-07 Estimated increase in LERF per year 1 E-08*

9E-08 5E-08 2E-10

<1.OE-10

<1.6E-07 LERF was not calculated, but was estimated based on generic 0.1 containment failure probability for large, dry PWRs.

The cumulative estimated increases in risk associated with all the approved and proposed risk-informed changes is less than <9E-07 per year for CDF and 1.6E-07 per Page 9 of 18

year for LERF. These increases in risk are considered acceptably small per Regulatory Guide 1.174.

5.1.7 PRA Model The PRA model utilized for the evaluation of the Allowed Outage Time change is applicable to both Units 1 and 2, and the model reflects the as-built, as-operated plant.

Furthermore, a program exists to periodically update the internal events PRA model in accordance with the Industry Peer Review guidance in NEI 00-02.

provides a summary of the Findings and Observations from the Surry industry peer reviews and how this application is impacted by those peer review comments.

5.2 Defense-In-Dept h Assessment The proposed change to the ECCS Allowed Outage Time maintains the system redundancy, independence, and diversity commensurate with the expected challenges to system operation. The opposite train of emergency power and the associated engineered safety equipment remain operable to mitigate the consequences of any previously analyzed accident. In addition to the Technical Specifications, the Work Management Program, and Maintenance Rule (a)(4) Program provide for controls and assessments to preclude the possibility of simultaneous outages of redundant trains and to ensure system reliability. The proposed increase in the Allowed Outage Time for the ECCS will not alter the assumptions relative to the causes or mitigation of an accident.

The proposed change needs to meet the defense-in-depth principle consisting of a number of elements. These elements and the impact of the proposed change on each of these elements are as follows:

A reasonable balance among prevention of core damage, prevention of containment failure, and consequence mitigation is preserved.

The proposed Allowed Outage Time change has only a small calculated impact on CDF and LERF.

The change does not degrade core damage prevention and compensate with improved containment integrity nor do these changes degrade containment integrity and compensate with improved core damage prevention. The balance between prevention of core damage and prevention of containment failure is maintained. Consequence mitigation remains unaffected by the proposed changes.

Furthermore, no new accident or transients are introduced with the requested change and the likelihood of accidents or transients is not impacted.

Over-reliance on programmatic activities to compensate for weaknesses in plant design.

Safety systems will still function in the same manner with the same reliability.

Although not required by the Tier 2 analysis, as additional defense-in-depth, the following compensatory measures will be taken to provide additional assurance that public health and safety will not adversely be affected by this request.

Page 10 of 18

There will be no planned maintenance on either Units Emergency Diesel Generators.

There will be no planned maintenance on the Unit 2 A LHSl subsystem.

There will be no planned maintenance activities on switchyardheserve station service transformers.

There will be no planned maintenance on the Alternate AC Diesel Generator (AAC DG).

There will be no planned maintenance on 2 of the 3 Unit 1 and any of the Unit 2 High Head Safety Injection (HHSI) pumps including the HHSl crosstie capability. (Note: 1 B HHSl pump is tagged out for bearing maintenance)

There will be no planned maintenance or testing on any other Unit 2 Engineered Safeguards Functions (ESF) components that could render them inoperable.

System redundancy, independence, and diversity are maintained commensurate with the expected frequency and consequences of challenges to the system.

There is no impact on the redundancy, independence, or diversity of the Unit 2 ECCS or on the ability of the plant to respond to events with diverse systems. The ECCS is a diverse and redundant system and will remain so.

Defenses against potential common cause failures are maintained and the potential for introduction of new common cause failure mechanisms is assessed.

Defenses against common cause failures are maintained. The AOT extension requested is not sufficiently long to expect new common cause failure mechanisms to arise. In addition, the operating environment for these components remains the same so, again, new common cause failures modes are not expected. In addition, backup systems are not impacted by this change and no new common cause links between the primary and backup systems are introduced. Therefore, no new potential common cause failure mechanisms have been introduced by the proposed change.

Independence of barriers is not degraded.

The barriers protecting the public and the independence of these barriers are maintained. Multiple systems will not be taken out of service simultaneously that could lead to degradation of these barriers and an increase in risk to the public. In addition, the extended AOT does not provide a mechanism that degrades the independence of the barriers, fuel cladding, reactor coolant system, and containment.

Page 11 of 18

0 Defenses against human errors are maintained.

No new operator actions related to the one-time AOT extension are required to maintain plant safety. No new operating, maintenance, or test procedures have been introduced due to the change. Administrative controls have been implemented to reflect the compensatory measures that are being established. The increase in the AOT will relieve the time pressure to complete troubleshooting, test and repair activities which should facilitate improved operator and maintenance personnel performance resulting in reduced system re-alignment and re-assembly errors.

It is concluded that defense-in-depth is not impacted by the proposed changes.

5.3 Safety Margin Assessment The overall margin of safety is not decreased due to the increased AOT for the ECCS since the system design and operation are not altered by the proposed increase in AOT.

The safety analysis acceptance criteria stated in the Updated Final Safety Analysis Report (UFSAR) are not impacted by the change. Redundancy and diversity of the ECCS will be maintained. The proposed change will not allow plant operation in a configuration outside the design basis.

The ECCS requirements credited in the accident analysis will remain the same. It was concluded that safety margins were not impacted by the proposed changes.

5.4 Dominant Accident Sequences The dominant accident sequences involving failure of the LHSl function were reviewed for the case of one train of the LHSl system unavailable. The results are as follows.

With elevated common cause LHSl vulnerability of the redundant operable train (the RG 1.1 77 corrective maintenance assumption):

0 The top sequence is a small break LOCA with successful RCS cooldown and depressurization, but with failure of LHSl recirculation. The dominant failures are common cause failures of the LHSI pumps or the associated MOVs or check valves.

The next sequence is a small break LOCA with failure to cooldown and depressurize and failure of high-pressure recirculation. Common cause failure of the LHSl pumps or the associate MOVs or check valves are the dominant failures that cause failure of high head recirculation.

0 There are no other sequences contributing more than 5% the overall CDF.

The large break LOCA is not a significant contributor in either case, due to its low initiating event frequency (-4.5E-G/yr). The small break LOCA frequency is -7E-3/yr.

Page 12 of 18

5.5 Summary The proposed Completion Time change is based on a risk-informed evaluation performed in accordance with RG 1.174 and RG 1.177. The ICCDP with and without potential common cause vulnerability is 2.3E-7 and 7.4E-8 respectively. The ICLERP with and without potential common cause vulnerability is <1.OE-10. These results are well below the RG 1.174 limits of 1E-6 for ICCDP and 1E-7 for ICLERP. They are also below the RG 1.1 77 single event limits of 5E-7 for ICCDP and 5E-8 for ICLERP. The defense-in-depth and safety margin is not impacted by the proposed changes.

6.0 Regulatory Safety Analysis 6.1 No Significant Hazards Consideration The proposed change will provide a one-time revision to the AOT of TS 3.3.B.3 to allow repair of the Unit 2 B LHSl pump seal package. The proposed change is based on a risk-informed evaluation performed in accordance with Regulatory Guides (RG) 1.1 74, An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions On Plant-Specific Changes to the Licensing Basis, and RG 1.1 77, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications.

Dominion has evaluated whether or not a significant hazards consideration is involved with the proposed changes by focusing on the three standards set forth in 10 CFR 50.92, Issuance of Amendment, as discussed below:

1. Does the proposed license amendment involve a significant increase in the probability or consequences of an accident previously evaluated?

The proposed changes do not alter any plant equipment or operating practices in such a manner that the probability of an accident is increased. The proposed changes will not alter assumptions relative to the mitigation of an accident or transient event.

The ICCDP with and without potential common cause vulnerability is 2.3E-7 and 7.4E-8, respectively. The ICLERP with and without potential common cause vulnerability is 4.OE-10. These results are well below the RG 1.174 limits of 1 E-6 for ICCDP and 1 E-7 for ICLERP. They are also below the RG 1.177 single event limits of 5.E-7 for ICCDP and 5E-8 for ICLERP.

Therefore, the proposed change does not involve a significant increase in the probability or consequences of an accident previously evaluated.

2. Does the proposed license amendment create the possibility of a new or different kind of accident from any accident previously evaluated?

The proposed change does not involve a physical alteration of the plant (no new or different type of equipment will be installed) or a change in the methods governing normal plant operation.

Therefore, the proposed changes do not create the possibility of a new or different kind of accident from any accident previously evaluated.

Page 13 of 18

3. Does the proposed amendment involve a significant reduction in a margin of safety?

The impact on safety margins is discussed in Section 5.3 of this license amendment request. The systems design and operation are not affected by the proposed changes. The safety analysis acceptance criteria are not altered by the proposed changes.

Therefore, the proposed change does not involve a significant reduction in the margin of safety.

Based on the above, Dominion concludes that the proposed change presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and, accordingly, a finding of no significant hazards consideration is justified.

6.2 Environmental Assessment This amendment request meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(~)(9) as follows:

(i)

The amendment involves no significant hazards consideration.

As described above, the proposed change involves no significant hazards consideration.

(ii)

There is no significant change in the types or significant increase in the amounts of any effluents that may be released offsite.

The proposed change does not involve the installation of any new equipment, or the modification of any equipment that may affect the types or amounts of effluents that may be released offsite. Therefore, there is no significant change in the types or significant increase in the amounts of any effluents that may be released offsite.

(iii)

There is no significant increase in individual or cumulative occupation radiation exposure.

The proposed change does not involve plant physical changes, or introduce any new mode of plant operation. Therefore, there is no significant increase in individual or cumulative occupational radiation exposure.

Based on the above, Dominion concludes that the proposed changes meet the criteria specified in 10 CFR 51.22 for a categorical exclusion from the requirements of 10 CFR 51.22 relative to requiring a specific environmental assessment by the Commission.

Page 14 of 18

7.0 Conclusion The proposed change will allow a one-time revision to the AOT for TS 3.3.B.3 to allow repair of the Unit 2 B LHSl pump seal package.

The risk-informed evaluation concludes that the increase in annual core damage and large early release frequencies associated with the proposed change are characterized as very small changes by RG 1.174.

The incremental conditional core damage and large and early release probabilities associated with the proposed change are each within the acceptance criteria in RG 1.1 77. The proposed change will allow repair of the Unit 2 LHSl pump seal package without having to shut down the plant since activities will take longer than the current AOT.

In addition, the proposed extended AOT would eliminate the administrative burden of requesting a notice of enforcement discretion for performing pipe repair activities.

The Station Nuclear Safety and Operating Committee (SNSOC) has reviewed the proposed change to the Technical Specifications and have concluded that it does not involve a significant hazards consideration and will not endanger the health and safety of the public.

Page 15 of 18 DA-6 DA-8 DA-9 Surry PRA Peer Assessment B Level F&O Review Summary B

The models for the EDGs do not consider common cause miscalibration of instrument channels B

The approach used for defining CCF terms, by adding fail to start and fail to run data variables can lead to conservative or non-conservative results.

The beta factor used for CCF of valve plugging may be too conservative.

B The following matrix contains the B significance level F&Os from the Surry PRA Peer Assessment HR-4 B

H R-5 B

Element HEPs in post-IPE updates were not well documented, and need to be evaluated in detail.

The evaluation of dependencies between operator actions focused too much on time between actions and not enough on different clues being present and additional crews evaluatina the situation.

Level of F/o 1 Significance IE - Initiating Events Description IE-3 B

Initiating Event frequencies have not been updated since the IPE.

AS - Accident Sequence Dev AS-2 I B

No process is in place to identify and incorporate plant changes into the PRA model.

AS-8 I

B The RCP Seal LOCA model does not include a contribution from early seal failure DA - Data Analysis DE - Dependency DE-3 I The methods used to determine CCF groups is simplistic, and other CCF terms should be considered.

HR - Human Reliability HR-2 B

The Surry IPE did not include human errors related to instrument miscalibration, or CCF due to miscalibration Impact on Application None. Although a formal process was not seen by the Certification team, the SOA update did review plant changes since the previous update.

None: This was included in a previous update.

None. This was included in a previous update.

None. This was included in a previous update.

None. This was fixed in a previous update.

None. Addressed by a previous update.

~

~

~~

None.

Potentially risk significant calibration errors will only occur in the RPS and ESFAS systems.

None: Addressed by a previous update.

None: The HEP sensitivity case adequate addresses this observation.

None: Addressed by a previous update.

~

Page 16 of 18

Element I E-8 L2, Containment Performance Analysis MU, Maint & Update B

SY, Systems Analysis The PRA model needs to be evaluated for effects of the power upgrade.

The requirements for review of operating experience, plant procedures and plant-controlled documents in support of a PSA update are not detailed in the PSA guidance documents.

Level of Significance None - not related to LHSl portion of the PRA model.

None. Although a formal process was not seen by the Certification team, the SOA update did review plant changes since the previous update.

I E-5 Activities to evaluate the effects on the PSA of changes to equipment failure rates, initiator frequencies, and human error probabilities are minimal, and should be reevaluated each major PSA update.

B None: Addressed by a previous update.

~~~~

~~~

The program does not appear to have a formal requirement for incorporating based on plant design changes.

The RPS model does not properly identify the required support systems.

I E-9 L2-2 MU-2 MU-3 None: The plant design changes were reviewed in a previous update. The programmatic issue does not affect this analysis file.

None: Addressed by a previous update.

B B

B B

MU-4 B

Description Impact on Application I

The Surry charging line connection to the RCS needs to be evaluated for a potential failure mechanism that a small break LOCA event at Oconee.

The Surry ISLOCA analysis needs to be reviewed for the potential pathway from a leak in the RCP thermal barrier heat exchanger and a failure to isolate the CCW lines to the heat exchanaer The potential for an initiating event due to failure/clogging of the screen wash system Need to ensure that the effects of increased core power (upgrade to 2586 MWt since the IPE) have been properly accounted for in the PRA analysis None - not related to LHSl portion of the PRA model.

None - not related to LHSl portion of the PRA model.

None - not related to LHSl portion of the PRA model.

None - not related to LHSl portion of the PRA model.

The Level 2 analysis needs to be updated to consider the effects of the SAMGs.

None: Current LERF model is conservative.

Page 17 of 18

Element TH, Thermal Hydraulic Analysis F/O SY-5 SY-11 TH-2 Level of Significance B

B B

Description The RPS logic model is incorrect.

The fault tree indicates that success of either logic train allows challenge to both reactor trip breakers. Actual design is logic train A send signal to RTA and logic train B sends signal to RTB.

The system notebook for HHSl does not discuss Unit 1/Unit 2 differences, and the dependency table was not up to date.

The presentation of assumptions related to room cooling of systems other than ESGR and the Aux Bldg Ventilation System is not well documented, although it appears that they were adequately addressed in the modeling process.

Impact on Application None: Addressed by a previous update.

None:

Any differences in the HHSl system between units would not impact the delta CDF/LERF calculations in this analysis file.

None:

From the F&O itself, the assumptions appear valid, but simply were not well documented in the documents reviewed by the Certification Team.

In any

case, such differences would not affect the delta CDF/LERF within this analysis file.

Page 18 of 18

Serial No.04-647 Docket No. 50-281 Mark-up of Unit 2 Technical Specifications Change Surry Power Station Unit 2 Virginia Electric and Power Company (Dominion)

TS 3.3-4 05-31-95 T

If the inoperable subsystem is not repaired within the specified allowable time period, the reactor will initially be placed in HOT SHUTDOWN to provide for reduction of the decay heat from the fuel, and consequent reduction of cooling requirements after a postulated loss-of-coolant accident. If the malfunction(s) is not corrected the reactor will be placed in COLD SHUTDOWN following normal shutdown and cooldown procedures.

Assuming the reactor has been operating at full RATED POWER for at least 100 days, the magnitude of the decay heat production decreases as follows after a unit trip from full RATED POWER.

P Time Afte r Shutdown D

W a/ oofR ATFD POWFR) ?

1 min.

3.7 30 min.

1.6 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> t.3 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> 0.75 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> 0.48 Thus, the requirement for core cooling in case of a postulated loss-of-coolant accident, while in HOT SHUTDOWN, is reduced by orders of magnitude below the requirements for handling a postulated loss-of-coolant accident occurring during POWER OPERATION. Placing and maintaining the reactor in HOT SHUTDOWN significantly reduces the potential consequences of a loss-of-coolant accident, allows access to some of the Safety Injection System components in order to effect repairs, and minimizes the plant's exposure to thermal cycling.

Failure to complete repairs within 72 ho rs is considered indicative of?

case, the reactor is @aced in COLD SHUTDOWN.

unforeseen problems (Le., possibly the need @

of ajor maintenance). In such a The accumulators are able to accept leakage from the Reactor Coolant System without any effect on their operability. Allowable inleakage is based on the volume of water that can be added to the initial amount without exceeding the volume given in Specification 3.3.A.2.

?

p,L l;p* 5w, 7% 3.3.8.3 -f, p-+* Oz--f&e e)c k W Z

J mpcw *Y f i i c 0s.

TS 3.3-3 maintenance provided that not more than one valve has power restored, and the testing and maintenance is completed and power removed within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

3.

With one safety injection subsystem inoperable, inoperable subsystemto OPERABLE status within place the reactor in HOT SHUTDOWN within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. a C.

If the requirements of Specification 3.3.A are not satisfied as allowed by Specification 3.3.8, the reactor shall be placed in COLD SHUTDOWN in the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

Basis The normal procedure for starting the reactor is, first, to heat the reactor coolant to near operating temperature by running the reactor coolant pumps. The reactor is then made critical by withdrawing control rods and/or diluting boron in the coolant. With this mode of startup the Safety Injection System is required to be OPERABLE as specified. During LOW POWER PHYSICS TESTS there is a negligible amount of energy stored in the system. Therefore, an accident comparable in severity to the Design Basis Accident is not possible, and the full capacity of the Safety Injection System would not be necessary.

The OPERABLE status of the subsystems is to be demonstrated by periodic1 tests, detailed in TS Section 4.11. A large fraction of these tests are performed while the reactor is operating in the power range. If a subsystem is found to be p inoperable, it will be possible in most cases to effect repairs and restore the subsystem to full operability within a relatively short time. A subsystem being inoperable does not negate the ability of the system to perform its function, but it reduces the redundancy provided in the reactor design and thereby limits the ability to tolerate additional subsystem failures. In some cases, additional k components (i.e., charging pumps) are installed to allow a component to be inoperable without affecting system redundancy.

Serial No.04-647 Docket No. 50-281 Proposed Unit 2 Technical Specifications Change Surry Power Station Unit 2 Virginia Electric and Power Company (Dominion)

TS 3.3-3 maintenance provided that not more than one valve has power restored, and the testing and maintenance is completed and power removed within 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

3.

With one safety injection subsystem inoperable, restore the inoperable subsystem to OPERABLE status within 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />s* or place the reactor in HOT SHUTDOWN within the next 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.

C.

If the requirements of Specification 3.3.A are not satisfied as allowed by Specification 3.3.B, the reactor shall be placed in COLD SHUTDOWN in the following 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />.

Basis The normal procedure for starting the reactor is, first, to heat the reactor coolant to near operating temperature by running the reactor coolant pumps. The reactor is then made critical by withdrawing control rods and/or diluting boron in the coolant. With this mode of startup the Safety Injection System is required to be OPERABLE as specified. During LOW POWER PHYSICS TESTS there is a negligible amount of energy stored in the system. Therefore, an accident comparable in severity to the Design Basis Accident is not possible, and the full capacity of the Safety Injection System would not be necessary.

The OPERABLE status of the subsystems is to be demonstrated by periodic tests, detailed in TS Section 4.1 1. A large fraction of these tests are performed while the reactor is operating in the power range. If a subsystem is found to be inoperable, it will be possible in most cases to effect repairs and restore the subsystem to full operability within a relatively short time. A subsystem being inoperable does not negate the ability of the system to perform its function, but it reduces the redundancy provided in the reactor design and thereby limits the ability to tolerate additional subsystem failures. In some cases, additional components (i.e., charging pumps) are installed to allow a component to be inoperable without affecting system redundancy.

The Allowed Outage Time for the October 19,2004 entry into TS 3.3.B.3 for the Unit 2 B Low Head Safety Injection Subsystem is 7 days.

Amendment Nos.

TS 3.3-4 If the inoperable subsystem is not repaired within the specified allowable time period, the reactor will initially be placed in HOT SHUTDOWN to provide for reduction of the decay heat from the fuel, and consequent reduction of cooling requirements after a postulated loss-of-coolant accident. If the malfunction(s) is not corrected the reactor will be placed in COLD SHUTDOWN following normal shutdown and cooldown procedures.

Assuming the reactor has been operating at full RATED POWER for at least 100 days, the magnitude of the decay heat production decreases as follows after a unit trip from full RATED POWER.

Time After Shutdown Decay Heat. (% of RATED POWER) 1 min.

3.7 30 min.

1.6 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> 1.3 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> 0.75 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> 0.48 Thus, the requirement for core cooling in case of a postulated loss-of-coolant accident, while in HOT SHUTDOWN, is reduced by orders of magnitude below the requirements for handling a postulated loss-of-coolant accident occurring during POWER OPERATION. Placing and maintaining the reactor in HOT SHUTDOWN significantly reduces the potential consequences of a loss-of-coolant accident, allows access to some of the Safety Injection System components in order to effect repairs, and minimizes the plants exposure to thermal cycling.

Failure to complete repairs within 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />s* is considered indicative of unforeseen I

problems (i.e., possibly the need of major maintenance). In such a case, the reactor is placed in COLD SHUTDOWN.

The accumulators are able to accept leakage from the Reactor Coolant System without any effect on their operability. Allowable inleakage is based on the volume of water that can be added to the initial amount without exceeding the volume given in Specification 3.3.A.2.

A note has been added to TS 3.3.B.3 to permit a one-time extension of the Allowed Outage Time to 7 days to effect repairs on the Unit 2 B LHSI pump seal package.

Amendment Nos.