License Amendment Request (LAR) for Extension of Technical Specification (TS) 3.8.1, AC Sources-Operating, Emergency Diesel Generator Completion Time

ML053260088
Person / Time
Site:	Prairie Island
Issue date:	11/21/2005
From:	Thomas J. Palmisano Nuclear Management Co
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
L-PI-05-036, RG-1.174, RG-1.177
Download: ML053260088 (91)
v • d • e

Text

Prairie Island Nuclear Generating Plant Operated by Nuclear Management Company, LLC L-PI-05-036 10 CFR 50.90 U S Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001 Prairie Island Nuclear Generating Plant Units 1 and 2 Dockets 50-282 and 50-306 License Nos. DPR-42 and DPR-60 License Amendment Request (LAR) For Extension Of Technical Specification (TS) 3.8.1, "AC Sources-Operating," Emergencv Diesel Generator Completion Time Pursuant to 10 CFR 50.90, the Nuclear Management Company, LLC (NMC) hereby requests an amendment to the Prairie Island Nuclear Generating Plant (PINGP) Units 1 and 2 Operating Licenses for extension of the Completion Time associated with TS 3.8.1 Required Action B.4 from 7 days to 14 days and for concomitant TS changes.

This change will allow additional time to restore an inoperable emergency diesel generator (EDG) to operable status. NMC also proposes a minor format correction on TS page 3.8.1 -2. NMC has evaluated these proposed changes in accordance with 10 CFR 50.92 and concluded that they involve no significant hazards consideration.

The proposed changes would allow online performance of EDG maintenance activities that are currently performed during refueling outages and provide additional flexibility to resolve EDG deficiencies and avoid potential unplanned plant shutdown should a condition occur requiring EDG corrective maintenance.

Exhibit A contains NMC's evaluation of this LAR. Exhibit B provides a markup of TS and TS Bases pages. Exhibit C provides revised TS pages. Exhibit D provides the commitments made in this LAR. Exhibit E provides a summary of the probabilistic risk assessment model revisions. Exhibit F provides peer review certification process significance level "A" and "B" findings and their disposition.

NMC requests approval of this LAR within one calendar year of the submittal date.

Once approved, the amendment will be implemented within 90 days.

The proposed Completion Time extension is based on NMC's deterministic engineering analysis and a risk evaluation which was developed in accordance with the guidelines established in Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Bases" and Regulatory Guide 1,177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications".

171 7 Wakonade Drive East Welch, Minnesota 55089-9642 Telephone: 651.388.1 121

Document Control Desk Page 2 In accordance with 10 CFR 50.91, NMC is notifying the State of Minnesota of this LAR by transmitting a copy of this letter and attachments to the designated State Official.

Summarv of Commitments This letter contains no revisions to existing commitments. New commitments are listed in Exhibit D.

I declare under penalty of erjury that the foregoing is true and correct.

Executed on NOV 1 1 2013 Thomas J. Palmisano Site Vice President, Prairie Island Nuclear Generating Plant Units 1 and 2 Nuclear Management Company, LLC cc:

Administrator, Region Ill, USNRC Project Manager, Prairie Island, USNRC Resident Inspector, Prairie Island, USNRC State of Minnesota Exhibits:

A. Licensee's Evaluation B. Proposed Technical Specification and Bases Changes (markup)

C. Proposed Technical Specification Changes (retyped)

D. List of Commitments E. Summary of the Prairie Island Probabilistic Risk Assessment Revisions F. Summary of Peer Review Certification

Exhibit A LICENSEE'S EVALUATION License Amendment Request (LAR) For Extension Of Technical Specification (TS) 3.8.1, "AC Sources-Operating," Emergency Diesel Generator Completion Time

1. DESCRIPTION

2. PROPOSED CHANGE

3. BACKGROUND

4. TECHNICAL ANALYSIS

5. REGULATORY SAFETY ANALYSIS 5.1 No Significant Hazards Consideration 5.2 Applicable Regulatory Requirementslcriteria

6. ENVIRONMENTAL CONSIDERATION

1.0 DESCRIPTION

This LAR is a request to amend Operating Licenses DPR-42 and DPR-60 for Prairie Island Nuclear Generating Plant (PINGP) Units 1 and 2.

Pursuant to 10 CFR 50.90, the Nuclear Management Company, LLC (NMC) hereby requests an amendment to the Prairie Island Nuclear Generating Plant (PINGP) Units 1 and 2 Operating Licenses which changes the TS 3.8.1 Condition B.4 Completion Time to 14 days and makes concomitant changes. Currently the TS 3.8.1 Condition 8.4 Completion Time will allow an emergency diesel generator (EDG) to be out of service for 7 days. NMC also proposes to revise the double line at the beginning of the Actions Table on TS page 3.8.1-2 to a single line which conforms the Actions Table to the improved Standard TS guidance for visual cues.

2.0 PROPOSED CHANGE

A brief description of the associated proposed TS and TS Bases changes is provided below along with a discussion of the justification for each change. The specific wording changes to the TS and Bases are provided in Exhibits B and C.

Technical Specification 3.8.1, "AC Sources-Operating" Condition A The second Completion Time adjacent to Required Action A.2 is revised from 14 days to 21 days. The second Completion Time is there to limit the total time that Limiting Condition for Operation (LCO) 3.8.1 is not met in Conditions A and B. Since this LAR Page 1 of 33

Exhibit A TS 3.8.1 Completion Time Extension proposes to increase the EDG Completion Time to 14 days, the new total time limit is 21 days.

Also, correction to a format error is proposed on page 3.8.1-2. A double line appears at the top of the ACTIONS table on this page. In accordance with TSTF-GG-05-01, "Writer's Guide for Plant-Specific lmproved Technical Specifications", (previously known as NUMARC 93-03 and NEI 01 -03, "Writer's Guide for the lmproved Standard Technical Specifications"), Double lines "Indicate the beginning and end of each Specifications Actions, SRs, or other table(s)." Since the ACTIONS table begins on the previous page, this double line will be replaced with a single line.

Condition B The Completion Time adjacent to proposed Required Action B.4 is revised to state, "14 days AND 21 days from discovery of failure to meet LCO". These proposed changes will provide Completion Time extension for the PlNGP EDGs from 7 days to 14 days.

These changes will provide the following benefits:

Allow increased flexibility in the scheduling and performance of EDG preventive maintenance.

Allow better control and allocation of resources. Allowing more time for on-line preventive maintenance, including overhauls, provides the flexibility to focus more quality resources on any required or elected EDG maintenance.

Second Completion Times (Limit on Total Time LC0 Not Met)

The time limits for the second Completion Times in Conditions A and B were determined by simple addition of the first associated Completion Time and the opposite Condition first Completion Time. NMC is aware that the TS Task Force (TSTF) industry traveler, TSTF-439, "Eliminate Second Completion Times Limiting Time From Discovery of Failure To Meet an LCO", proposes to eliminate all second Completion Time limits for total time that an LC0 is not met from the improved Standard Technical Specifications. If TSTF-439 is approved by the NRC prior to approval of this LAR, NMC may elect to eliminate the second Completion Times from TS 3.8.1 Required Actions A.2 and B.4.

Bases B 3.8.1, "AC Sources-Operating":

Required Action A.2 The Bases discussion of the total time limit for the LC0 not met is revised to support Required Action A.2 second Completion Time change to 21 days.

Page 2 of 33

Exhibit A TS 3.8.1 Completion Time Extension Required Action B.4 The Bases discussion of the EDG Completion Time and total time limit for the LC0 not met is revised to support Required Action B.4 Completion Time extension to 14 days and the total time limit extension to 21 days.

These Bases changes are provided for information and are not part of the LAR.

Summary In summary, this LAR proposes TS changes which will extend the EDG Completion Time to 14 days. These changes will provide operational flexibility allowing more efficient application of plant resources to safety significant activities.

3.0 BACKGROUND

The PlNGP Safeguards Distribution System AC sources consist of the offsite power sources and the onsite standby power sources (Train A and Train B EDGs). The onsite Safeguards AC Distribution System is divided into redundant trains so that the loss of any one train does not prevent the minimum safety functions from being performed.

3.1 Offsite Power Sources and Offsite Grid Reliability The output of the PlNGP is delivered to a 3451161 kV Substation, which has five transmission lines. Four of these are 345 kV and the 345 kV portion is arranged in two buses with a breaker-and-one-half scheme. The 161 kV portion of the substation is a single bus arrangement connected to a single 161 kV transmission line. Three separate power systems are provided to the plant 4 kV safeguards buses. Each safeguards bus has two possible paths between it and the offsite transmission system.

Each safeguards bus has a normal and an alternate supply breaker from the offsite transmission system, plus a supply breaker from its associated emergency diesel generator. Each safeguards bus also has two normally open bus tie breakers between itself and the same-train bus of the other unit. A detailed description of the offsite power network and circuits to the onsite emergency buses is found in Chapter 8 of the PlNGP Updated Safety Analysis Report (USAR).

Reliability considerations to minimize the probability of power failure due to faults in the network interconnections and the associated switching are as follows:

a. Redundancy is designed into the network interconnections for the units by having four transmission circuits into the 345 kV system and one transmission circuit into the 161 kV system. These systems are interconnected at the site and any one 345 kV circuit is capable of providing the full power requirements for the startup or shutdown of either unit.

Page 3 of 33

Exhibit A TS 3.8.1 Completion Time Extension

b. Physical separation of transmission lines is maintained on site as much as possible to provide isolation. The transmission line spacing in the vicinity of the site is greater than the height of the towers.

c. Transmission line design for lightning performance is based on less than one outage per 100 miles per year.

d. The substation switching arrangement provides nine 345 kV circuit breakers for six transmission linelgenerator outlets. This type of design is referred to as a breaker-and-one-half design, and includes two full capacity main buses. Dual simultaneous relay protection is provided for each bus and lineloutlet. Breaker failure relaying protects for scenarios where the interrupting device fails to clear a fault.

e. Design and construction of the 345 kV and 161 kV transmission lines exceed the requirements of the National Electrical Safety Code for heavy loading districts, Grade B construction.

With the above features, the probability of loss of more than one source of auxiliary power from credible faults is low, however, in the event of an occurrence causing loss of all the 345 kV and 161 kV connections, power for essential service is supplied from four onsite emergency diesel generators.

In the event that both PlNGP units trip simultaneously, the offsite supply to the safety features system would not be interrupted. The breaker-and-one-half design is such that the two unit trip event does not isolate auxiliary power supply points from the transmission lines serving the substation.

The offsite power supply is adequate to supply the auxiliary safety sources in the event of a two unit trip. Voltage supplied to auxiliary systems from offsite sources after a two unit trip depends on many variables. The direction and magnitude of power flows due to system load, power transactions and pattern of on-line generation play a large role in post--trip voltage. Studies using normal peak-load system steady state load-flow simulation show that loss of the maximum generation from PINGP (a two unit trip) can be sustained with adequate voltage. Offsite sources to auxiliary systems are not interrupted, and provide proper voltage to the safety equipment.

Key to this contingent performance ability are the spinning and standby reserves maintained by the Northern States Power Company (NSP) and other MidContinent Area Power Pool (MAPP) member utilities.

Contingent support immediately after loss of the PlNGP Units is supplied by rotor inertia and governor action of other generating units throughout the interconnected eastern two-thirds of the United States and the eastern half of southern Canada. NSP derives this support over transmission tie-lines with capacity exceeding 3000 MW. After several minutes the MAPP spinning and standby reserve capability replaces the import from the interconnected systems.

Page 4 of 33

Exhibit A TS 3.8.1 Completion Time Extension No customer load interruption or break-up of NSP's transmission system is anticipated as a result of a PINGP two unit trip. The offsite supplies to the plant safety features therefore continue to operate without interruption.

Simulation of a PINGP two unit trip event is performed using computer load flow models. NSP uses two types of load flow programs, one for modeled studies, and a second for analysis of real-time system conditions using telemetered voltage and power flow data. The computer models are representations of the transmission system electrical characteristics and components. Accuracy of the models are periodically verified by comparison with actual historical data. Further studies are performed to examine details of the dynamic conditions after the assumed loss of the PINGP Units.

3.2 Emergency Diesel Generators Each PINGP unit is designed with two redundant 4 kV emergency buses. The onsite standby power source for each redundant 4 kV emergency bus is a dedicated EDG.

The EDGs do not serve a function during normal plant operations. The normal power sources for the safeguards buses are the paths from the Reserve Auxiliary Transformers and the Cooling Tower Substation. If the Reserve Auxiliary Transformers and the Cooling Tower Substation paths should fail, backup power is provided by two EDGs in each unit.

Each EDG, as a backup to the normal standby AC power supply, is capable of sequentially starting and supplying the power requirements of one of the redundant sets of engineered safety features for its reactor unit. In addition, in the event of a station blackout (SBO) condition, each EDG is capable of sequentially starting and supplying the power requirements of the hot shutdown loads for its unit, as well as the essential loads of the blacked out unit, through the use of manual bus tie breakers interconnecting the buses.

The original plant design and construction included two Fairbanks-Morse opposed piston EDGs for the two unit site. These two diesels are now dedicated to Unit 1 to provide onsite standby power sources for 4 kV safeguards buses 15 and 16. The two Unit 1 EDGs are 4 kV, three phase, 2750 kW (continuous rating) synchronous generators.

In 1992, two Societe Alsacienne de Constructions Mecaniques de Mulhouse (SACM)

EDGs, D5 and D6, were installed at PINGP Unit 2 to provide onsite standby power sources for 4 kV safeguards buses 25 and 26. Each SACM EDG comprises two tandem-drive diesel engines. The two Unit 2 EDGs are 4 kV, three phase, 5400 kW (continuous rating) synchronous generators. D5 and D6 are radiator cooled and thus independent of the plant safeguards cooling water system (similar to the service water system for other plants).

Page 5 of 33

Exhibit A TS 3.8.1 Completion Time Extension 3.3 Station Blackout Capability An SBO exists when there is a loss of offsite power (LOOP) and concurrent loss of both of a unit's EDG sources. PlNGP meets the SBO rule of Title 10 Code of Federal Regulations Section 50.63 (10 CFR 50.63) (June 21, 1988) and the related guidance of Regulatory Guide (RG) 1. I 55, "Station Blackout", August 1988. The NRC review and acceptance was provided in, Safety Evaluation of the Prairie Island Nuclear Generating Plant Unit Nos. 1 and 2; Station Blackout Rule 10 CFR 50.63 (TAC Nos. 68588 and 68589)", dated September 18, 1990.

An SBO is assumed to occur on only one unit of a two unit site, in accordance with RG 1.I

55. After either EDG in the non-SBO unit has completed load sequencing and has provided power to the designated safeguards equipment, the operator will manually close two series bus tie breakers to the SBO unit's same-train safeguards bus. These breakers are normally open during plant operation and are administratively and procedurally controlled by the plant operating procedures.

With the use of these two series breakers, with a complete loss of offsite power, any one EDG is able to provide power to its associated unit plus the same-train SBO loads of the other unit and remain within its continuous duty ratings. There is no single known component whose failure would cause the inoperability of both EDGs in a unit.

Tests and analysis have shown that the non-SBO unit's EDG is available and the interconnecting bus ties can be closed within ten minutes of the realization that an SBO condition exists. Under assumptions used by RG 1.I 55 and NUMARC-8700 for a plant of PINGP's configuration, AC electrical power will be restored to at least one safeguards bus on the SBO unit from offsite or from one of its own EDGs within four hours of the onset of an SBO.

3.4 Regulatory Guide 1.155 EDG Reliability Program PlNGP maintains an EDG reliability program based on RG 1.155, "Station Blackout".

The program monitors and evaluates EDG performance and reliability consistent with guidance provided in NUMARC 87-00, "Guidelines for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors". The program requires remedial actions when one or more established reliability "trigger values" are exceeded, requires root cause evaluation and requires corrective actions. Table 1 shows the status of the EDG Reliability Program as of November 2005.

Page 6 of 33

Exhibit A TS 3.8.1 Completion Time Extension Table 1 The EDG reliability program will not be negatively impacted by the proposed amendment. However, there is a potential that, due to the improved maintenance effectiveness and flexibility that will result from implementation of this amendment, EDG performance may improve.

NUMARC 87-00 EDG Target Reliability Levels 3.5 Current TS Requirements and Limitations Unit TS 3.8.1 requires each PlNGP unit to maintain: 1) two operable AC electrical paths between the offsite transmission grid and the onsite 4 kV Safeguards Distribution System; and 2) two operable EDGs capable of supplying the onsite 4 kV Safeguards Distribution System. These two paths, between the offsite transmission grid and the onsite 4 kV Safeguards Distribution System, and separate and independent EDGs for each train, ensure availability of the required power to shut down the reactor and maintain it in a safe shutdown condition after an anticipated operational occurrence (AOO) or a postulated design basis accident (DBA).

With one EDG inoperable, the TS 3.8.1, Condition B, Required Actions and associated Completion Time require the EDG to be restored to operable status within 7 days or enter Condition F for which the Required Actions and Completion Times require the plant to be in Mode 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and Mode 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />.

Failures in last 20 demands Routine EDG preventive maintenance activities typically require 4 to 6 days to perform which often gives rise to NMC and NRC concern that the TS Completion Time of 7 days will not be met. The preventive maintenance completion date can be extended by emergent maintenance issues which challenge the 7 day Completion Time.

Special EDG maintenance overhaul activities, such as periodic cylinder liner replacement, require more than 7 days to perform. Thus, these activities must be scheduled to be performed during a plant refueling outage to avoid plant shutdown due to the current 7 day Completion Time. Extending the EDG Completion Time to 14 days will allow more on-line special overhauls which will improve EDG availability during plant refueling outages and should reduce the risk due to EDG unavailability occurring concurrently with other activities and equipment outages during a refueling outage.

This change provides flexibility to improve the quality of EDG maintenance activities and the quality of outage activities by reducing the competing resource demands.

Failures in last 50 demands Page 7 of 33 Failures in last 100 demands Targets for 0.975 EDG reliability (failures in last 20130/100 demands)

Exhibit A TS 3.8.1 Completion Time Extension

4.0 TECHNICAL ANALYSIS

PlNGP is a two unit plant located on the right bank of the Mississippi River approximately 6 miles northwest of the city of Red Wing, Minnesota. The facility is owned by NSP and operated by NMC. Each unit at PlNGP employs a two-loop pressurized water reactor designed and supplied by Westinghouse Electric Corporation.

The initial PlNGP application for a Construction Permit and Operating License was submitted to the Atomic Energy Commission (AEC) in April 1967. The Final Safety Analysis Report (FSAR) was submitted for application of an Operating License in January 1971. PlNGP Unit 1 began commercial operation in December 1973 and Unit 2 began commercial operation in December 1974.

The PlNGP was designed and constructed to comply with NSP's understanding of the intent of the AEC General Design Criteria (GDC) for Nuclear Power Plant Construction Permits, as proposed on July 10, 1967. PlNGP was not licensed to NUREG-0800, "Standard Review Plan (SRP)."

This LAR proposes to extend the TS allowed Completion Time for an inoperable EDG from 7 days to 14 days. This LAR includes an integrated review and assessment of plant operations, deterministic design basis factors, and an evaluation of overall plant risk using probabilistic risk assessment (PRA) techniques. Deterministically the proposed change is supported by the defense-in-depth basis that is incorporated into the plant design as well as in the approach to maintenance and operation. With respect to plant risk, the proposed change is supported by a plant-specific risk analysis performed in accordance with NRC guidance for making risk-informed decisions and risk-informed changes to the plant Technical Specifications.

This section provides the technical analysis of this proposed change with regard to the principles that adequate defense-in-depth is maintained, that sufficient safety margins are maintained, and that the proposed increases in core damage frequency and risk are small and consistent with the guidance of RG 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Bases", dated November 2002 and RG 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications" dated August, 1998.

4.1 Current Licensing Basis for EDG Allowed Outage Time Under the current licensing basis, if one EDG is inoperable, action must be taken to restore the EDG to operable status within 7 days. In this Condition, the remaining operable EDG and paths are adequate to supply electrical power to the onsite Safeguards Distribution System. The 7 day Completion Time takes into account the capacity and capability of the remaining AC sources and the low probability of a DBA occurring during this period.

Page 8 of 33

Exhibit A TS 3.8.1 Completion Time Extension 4.2 Proposed TS 3.8.1 Changes and Benefits The proposed changes will allow a Completion Time of 14 days for the EDG maintenance or testing activities. This will allow an additional 7 days beyond the current TS allowed Completion Time and avoid or minimize TS required plant shutdown time due to EDG maintenance or testing. A format error is also corrected by removal of the double lines at the top of the Actions Table on TS page 3.8.1-2.

The duration required to perform planned and corrective EDG maintenance has challenged the site's ability to complete these activities within the current TS requirements. Longer Required Action Completion Time durations will likely reduce the regulatory burden associated with EDG maintenance activities.

The extended TS Completion Time for EDGs improves effectiveness of the allowed maintenance period. A significant portion of on-line maintenance activities is associated with preparation and return to service activities, such as, tagging, fluid system drain down, fluid system fill and vent, and cylinder block heat-up. The duration of these activities is relatively constant. Longer Required Action Completion Time durations allows more maintenance to be accomplished during a given on-line maintenance period and therefore would improve maintenance efficiency. Thus the total EDG unavailability may be reduced with this proposed change.

This change will allow some maintenance activities to be performed on-line which would otherwise require performance during a refueling outage. On-line preventive maintenance and scheduled overhauls provide the flexibility to focus more quality resources on any required or elective diesel generator maintenance. For example, during refueling outages, resources are required to support many systems; during on-line maintenance, plant resources can be more focused on the diesel generator overhaul.

Performance of more diesel generator maintenance on-line will improve EDG availability during plant refueling outages. Performing more EDG overhaul activities on-line should reduce the risk and synergistic effects on risk due to EDG unavailability occurring concurrently with other activities and equipment outages during a refueling outage.

4.3 Deterministic Assessment of Proposed EDG AOT Extension The effect of this LAR would be to allow continued power operation of a PlNGP unit up to an additional 7 days while EDG maintenance or testing is performed. The EDG is a backup electrical power supply which is not required unless both of the normal power supplies are unavailable and there is an event that requires operation of the plant emergency safeguards features. Plant operation with one EDG inoperable does not challenge plant operations in a manner that could cause an accident.

Page 9 of 33

Exhibit A TS 3.8.1 Completion Time Extension The PlNGP emergency power source is provided and designed with adequate independency, redundancy, capacity, and testability to permit the functioning of the engineered safety features and protection systems required to avoid undue risk to the health and safety of the public. This power source provides this capacity assuming a failure of a single active component. Independent alternate power systems are provided with adequate capacity and testability to supply the required engineered safety features and protection systems.

The EDGs are connected to the separate safeguards 4 kV auxiliary system buses in each unit. Each set is started automatically on a safety injection signal from its unit or upon the occurrence of undervoltage on its corresponding 4 kV safeguards bus. The EDG arrangement provides adequate capacity to supply the engineered safety features for the DBA in one unit, assuming the failure of a single active component in the system.

Since the emergency power systems can accommodate a single failure, extending the Completion Time for an out of service EDG has no impact on the system design basis.

Safety analyses acceptance criteria as provided in the PlNGP USAR are not impacted by this change. AC power sources credited in the accident analyses will remain the same.

To ensure that the single failure design criterion is met, Limiting Conditions for Operation (LCOs) are specified in the plant TS requiring all redundant components of the onsite power system to be operable. When the required redundancy is not maintained, action is required within a specified time period, referred to as the Completion Time, to initiate a plant shutdown and place the plant in a safe condition.

The Completion Time provides a limited time to restore equipment to operable status and represents a balance between the risk associated with continued plant operation with less than the required system or component redundancy and the risk associated with initiating a plant transient while placing the unit in a safer condition. Thus, while the Completion Times provided in the plant TS Actions Table are designed to permit limited operation with temporary relaxation of the single failure criterion, the acceptability of the maximum length of the Completion Time interval relative to the potential occurrences of design basis events needs to be considered. Since extending the Completion Time for a single inoperable EDG does not change the design basis for standby EDG power, the risk impact of EDG unavailability during the extended Completion Time interval (days 8 through 14 of the proposed 14 day Completion Time) must be evaluated quantitatively using a probabilistic approach.

In the event that an EDG is inoperable in operating Modes 1, 2, 3, and 4, existing TS 3.8.1 Condition 9.2 requires that redundant required features that depend on the remaining operable EDG as a source of emergency power be verified to be operable.

This provides assurance that a loss of offsite power event will not result in a complete loss of safety function during the period when one of the required EDGs is inoperable.

Page 10 of 33

Exhibit A TS 3.8.1 Completion Time Extension PINGP's design satisfies the SBO Rule by providing alternate AC power from the non-blacked out unit's EDGs within ten minutes of the SBO event. Each EDG has sufficient capacity and capability to provide power for the safe shutdown of both units for the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> SBO duration. The assumptions and the results of the SBO analyses are not changed by an extension of the Completion Time, and compliance with 10 CFR 50.63 will be maintained. In addition, EDG reliability is maintained at or above the SBO target level, and the effectiveness of maintenance on the EDGs and support systems is monitored pursuant to the Maintenance Rule. The operable same-unit EDG is 100%

redundant and provides the required backup electrical power supply to the 100%

redundant emergency safeguards train.

Based on the above discussion, extending the Completion Time for a single inoperable EDG from 7 days to 14 days is acceptable because the proposed change will not impact the plant design basis and safety margins are maintained. The impact of extended plant operation with less than the required equipment redundancy is evaluated in a probabilistic framework in the discussions that follow.

To ensure that the risk associated with extending the Completion Time for an EDG is minimized, and consistent with the philosophy of maintaining defense in depth, restrictions will be applied when removing an EDG from service as described in the Tier 2 evaluation. These measures will ensure the risks associated with removing an EDG from service are managed to minimize the increase in risk during the out of service time.

If this LAR is not granted, a unit with an inoperable EDG would be required to shutdown following 7 days in current TS 3.8.1 Condition B.4. Shutdown of a unit involves many plant operator activities and plant evolutions. These activities and evolutions provide challenges to plant equipment, opportunities for operator errors and increase the possibility of a plant trip. It should also be noted that shutdown of a unit does not remove the desirability of having EDG backup for the 4 kV safeguards buses, but rather places additional dependence on the operable 4 kV bus by requiring operation of the residual heat removal system. By granting this LAR and allowing continued steady state operation, additional operator activities and plant operations evolutions associated with plant shutdown may be avoided. The increased possibility for plant trip may also be avoided. This LAR proposes an additional 7 days as a reasonable time for which a regulatory basis exists for Completion Time extension. This additional time period is small and due to the short time period the probability of a design basis accident occurring during this period is low.

4.4 Probabilistic Risk Assessment (PRA)

Risk informed support for the proposed EDG Completion Time changes is based on 1) a PRA performed to quantify the change in core damage frequency (CDF) and large early release frequency (LERF) produced by the increased Completion Time for the EDGs; 2) implementation of a Configuration Risk Management Program (CRMP) to Page 11 of 33

Exhibit A TS 3.8.1 Completion Time Extension control performance of other high-risk tasks during the EDG outage; and 3) consideration of specific compensatory measures to reduce risk.

The risk impact of the proposed changes has been evaluated and found to be acceptable. The effect on risk of the proposed increase in Completion Time for restoration of an inoperable EDG has been evaluated using NRC's three-tier approach provided in RG 1.177:

Tier 1 - PRA Capability and Insights; Tier 2 - Avoidance of Risk-Significant Plant Configurations; and Tier 3 - Risk-Informed Configuration Risk Management.

As discussed in Exhibit E, the PRA model has been updated in 2005 with changes which support this risk assessment.

4.4.1 Tier I

PRA Capability and Insights Risk-informed support for these proposed changes is based on PRA calculations performed to quantify the change in CDF and LERF resulting from the increased Completion Times for the EDGs.

The PlNGP PRA used for the risk determinations is an upgrade to the Individual Plant Examination (IPE) submitted to the NRC by letter dated March 1, 1994. The NRC accepted the IPE by letter dated May 16, 1997. The NRC letters noted that the IPE submittals met the intent of Generic Letter 88-20! "Individual Plant Examination for Severe Accident Vulnerabilities - 1 OCFR 50.54(f)11, dated November 23, 1988.

Exhibit E provides a brief summary of the recently upgraded PlNGP PRA. This PRA addresses internal events at full power. Other risk sources and operating modes are discussed below. In addition to incorporating recent advances in PRA technology across all elements of the PRA, a special effort was made to ensure that elements of the PRA are adequate to evaluate the risk impacts of the increased Completion Times for the EDGs. These elements include the proper characterization of initiating events involving LOOP, treatment of time dependant offsite power recovery, treatment of operator actions to implement bus ties and other Emergency Operating Procedures (EOPs), and data analysis of key parameters such as EDG failure rates, maintenance unavailabilities and common cause failure probabilities.

For Level 2 analysis (i.e., the containment analysis), LERF was estimated using the methodologies in NUREGICR-6595, January 1999, "An Approach for Estimating the Frequencies of Various Containment Failure Modes and Bypass Events." This approach to LERF evaluation, while somewhat simplified, supports realistic quantification of systematic contributions to containment isolation failures, bypass sequences that are actually derived from the Level 1 sequences model, and conservative evaluation of severe accident challenges which are less important for PWRs with large, dry containments.

Page 12 of 33

Exhibit A TS 3.8.1 Completion Time Extension The scope, level of detail, and quality of the PlNGP PRA is sufficient to support a technically defensible and realistic evaluation of the risk change for this proposed Completion Time extension.

Peer review certification of the PlNGP PRA model using the Westinghouse Owners Group (WOG) Peer Review Certification Guidelines was performed during the week of September 25, 2000. A team of independent PRA experts from nuclear utility groups and PRA consulting organizations carried out this Peer Review Certification. This intensive peer review involved about two person-months of engineering effort by the review team and provided a comprehensive assessment of the strengths and limitations of each element of the PRA model. The findings and observations from this assessment, that were considered important by the review team and that are needed to evaluate the proposed Completion Time extension, have been dispositioned. The Peer Review Certification of the PlNGP PRA model performed by WOG resulted in five Findings and Observations (F&O) with the significance level of "A" and 32 F&Os with a significance level of "B". This resulted in a number of enhancements to the PRA model prior to its use to support these proposed changes. A summary of the significance level A and B F&Os and their corresponding resolutions can be found in Exhibit F.

The certification team determined that with these proposed changes incorporated, the quality of all elements of the PRA model is sufficient to support "risk significant evaluations with deterministic input." As a result of the effort to incorporate the latest industry insights into the PRA model upgrades and certification peer reviews, NMC has concluded that the results of the risk evaluation are technically sound and consistent with the expectations for PRA quality set forth in RG 1.174 and RG 1.177.

4.4.1.I Delta CDFl Delta LERF To determine the effect of the proposed 14-day Completion Time for restoration of an inoperable EDG, the guidance in RG 1.174 and 1.177 was used. The following risk metrics were used to evaluate the risk impacts of extending the EDG Completion Time from 7 days to 14 days:

ACDF = Change in the annual CDF due to the increased on-line maintenance unavailability of EDGs that could result from the increased Completion Time.

This risk metric is used to compare against the criteria in RG 1.I74 to determine whether a change in CDF is regarded as risk significant. These criteria are a function of the baseline annual core damage frequency.

ALERF = Change in the annual LERF due to any increased on-line maintenance unavailability of EDGs that could result from the increased Completion Time. RG 1.I74 criteria were also applied to judge the significance of changes in this risk metric.

The increase in CDF and LERF with the future expected unavailabilities for the EDGs are considered to be very small if they are less than 1 E-6 and 1 E-7/yr, respectively.

Page 13 of 33

Exhibit A TS 3.8.1 Completion Time Extension The current maintenance terms are based on actual plant data and reflect the on-line maintenance that is currently performed on each EDG. It should be noted that although the Completion Time may be relaxed, PlNGP does not intend to relax the EDG performance criteria established in response to Station Blackout (1 OCFR 50.63) and the maintenance rule (1 OCFR 50.65).

It is assumed for the purposes of this analysis that the preventive maintenance (PM) term will increase as a result of performing the major overhaul on line. The existing PM term is assumed to increase to account for a 14 day major overhaul once per refueling cycle for each EDG. The refueling cycle length is assumed to be 18 months with an assumed total planned and unplanned outage duration of 30 days, which yields a cycle length of 51 8 days.

The PM increases were made simultaneously to all EDGs. The ACDF and ALERF results for increased preventive maintenance can be found in Table 2.

Table 2 ACDF and ALERF Results for lncreased PM It can be seen that the ACDF and ALERF results are all less than the RG 1.I74 values for annual average CDF and LERF as shown in Table 2.

As a sensitivity study, it is assumed that the corrective maintenance (CM) term may increase as a result of extended outage time available for emergent work. The existing CM term was scaled by the ratio of the proposed and current Completion Time or 1417.

The PM and CM increases were made simultaneously to all EDGs. The ACDF and ALERF results for increased preventive and corrective maintenance can be found in Table 3.

RG 1.I 74 criteria NA N A

< 1 E-6

< I E-7 Table 3 ACDF and ALERF Results for lncreased PM and CM Unit 2 1.63E-5 5.74E-7 2.12E-7

<5.OE-10 Risk Parameter Base Line CDF Base Line LERF ACDF ALERF Unit 1 1.47E-5 5.74E-7 1.72E-7

<5.OE-10 Page 14 of 33 RG 1.I 74 criteria NA NA

< I E-6

< I E-7 Unit 2 1.63E-5 5.74E-7 3.68E-7

<5.OE-10 Risk Parameter Base Line CDF Base Line LERF ACDF ALERF Unit 1 1.47E-5 5.74E-7 2.91 E-7

<5.OE-10

Exhibit A TS 3.8.1 Completion Time Extension It can be seen that the ACDF and ALERF results are all less than the RG 1.I74 values for annual average CDF and LERF as shown in Table 3.

4.4.1.2 Incremental Conditional Core Damage Probability (1CCDP)I Incremental Conditional Large Early Release Probability (ICLERP)

ICCDP and ICLERP are risk parameters defined in Regulatory Guide 1.177. As defined in Appendix A of RG 1.I 77:

ICCDP = [(conditional CDF with the subject equipment out of service) - (baseline CDF with nominal expected equipment unavailabilities)] (duration of single AOT under consideration). This risk metric is applied in accordance with the guidance of RG 1.I77 to determine whether a proposed increase in Completion Time has an acceptable risk impact.

ICLERP = [(conditional LERF with the subject equipment out of service) - (baseline LERF with nominal expected equipment unavailabilities)] (duration of single AOT under consideration). This risk metric is applied in accordance with the guidance of RG 1.177 to determine whether a proposed increase in Completion Time has an acceptable risk impact.

ICCDP must be less than 5E-7 for the 14 day outage and ICLERP must be less than 5E-8 for the 14 day outage.

The results in Table 4 for ICCDP and ICLERP are computed for each unit with the target EDG inoperable and the remaining EDGs in service, with no other PM and corrective maintenance (CM) terms changed. This case presents the least optimistic case for meeting the ICCDP and ICLERP criteria as all other components are at their average annual maintenance frequency.

Page 15 of 33

Exhibit A TS 3.8.1 Completion Time Extension Table 4 ICCDP and ICLERP for EDG When EDG is Inoperable for Preventative Maintenance The results in Table 4 show that in all cases, the calculated ICCDP when an EDG is inoperable for PM are less than the 5E-07 criteria listed in RG 1.177.

There are a number of reasons that the calculated ICCDP and ICLERP values are significantly less than the RG 1.I77 limits:

Each 4 kV safeguards bus on each unit is supported with its own dedicated EDG with cross-tie capability between the same train across units; There is limited common-cause potential between the Unit 1 and Unit 2 EDG as they are of different design and manufacture; and Cross-tie capability across Unit 1 and Unit 2 4kV buses between the same train is easily accomplished from the control room.

These results illustrate an asymmetry in the risk importance among the EDGs. D l EDG has a higher ICCDP for Unit 2 than for its associated Unit 1. Because D l EDG does not provide power to an auxiliary feedwater (AFW) pump for Unit 1, it is more important to Unit 2 as it supplies power to an air compressor which can supply air for bleed and feed cooling for Unit 2 following a dual unit LOOP and failure of D5 EDG. D5 EDG provides power to an air compressor but also to the Unit 2 motor-driven AFW pump.

Failure of D5 EDG following a dual unit LOOP increases the importance of D l EDG for the reasons described earlier.

In determining the values in Tables 3 and 4, the PRA truncation limit for CDF was set at I

E-1 Olyr and for LERF, at 1 E-I llyr. This is five orders of magnitude below the total CDF, four orders of magnitude below the total LERF and more than an order of magnitude below the value of the truncation limit recommended in Appendix B of Page 16 of 33

Exhibit A TS 3.8.1 Completion Time Extension Electric Power Research Institute (EPRI) Technical Report TR-105396, "PSA Application Guide", dated August 1995.

4.4.1.3 Internal Fire PRA An extension of the TS Completion Time for the EDGs requires a measurement of the increased risk to the plant due to an assumption of longer unavailability times for maintenance for the EDGs. This risk measurement applies to both internal and external initiating events, and to shutdown conditions. If there are areas of the plant that can experience internal fires that damage the capability to receive offsite power to the safeguards buses, the risk due to fires in these areas will be increased somewhat if it is assumed that the onsite diesel generators are more likely to be out of service for maintenance (that is, due to having an extended TS Completion Time). An analysis of the magnitude of that risk increase is provided in this section.

4.4.1.3.1 Individual Plant Examination - External Events (IPEEE) Fire PRA Model The existing Fire PRA for PINGP was prepared from a revision to the IPEEE, submitted in 1998. The 1 OCFR 50 Appendix R (Appendix R) program Safe Shutdown Analysis (SSA) (PINGP calculation GEN-PI-026) was revised and updated in late 2004. The existing Fire PRA model for the PINGP site has not yet been updated to reflect the new cable data and routing information contained in the new analysis. However, applicable fire risk insights can still be obtained from the existing Fire PRA model through incorporation of the changes to cable routing information obtained from the updated SSA and through incorporation of changes to the site PRA model that have occurred since the IPEEE revision was submitted.

The IPEEE Fire PRA was a single unit model that includes Unit 1 equipment and equipment that is common to both units (including equipment shared between the two units).

Fire modeling performed for the IPEEE Fire PRA was limited to those areas that were of highest risk significance to Unit 1, which included a number of common areas (including control and cable spreading rooms, the Auxiliary Feedwaterllnstrument Air Compressor Rooms, and the lower level of the Screenhouse). Only one fire area receiving detailed fire modeling can be considered to be a "Unit 1 only" fire area (Fire Area 58, basement of the Auxiliary Building on the Unit 1 side). However, the modeling that was performed in each case was done to support an analysis of Unit 1 risk.

Nevertheless, for the Unit 1 and common areas that received detailed fire modeling for the IPEEE analysis, the Unit 2 counterpart fire areas are nearly symmetrical in terms of fire area geometry, equipment contained within the fire areas, equipment locations within the compartments and proximity to potential ignition sources, and cable routings, such that similar results could be expected from a full Unit 2 Fire PRA model. The IPEEE report contained an analysis of Unit 2 risk due to internal fires based on the Unit 1 results and the known differences between the two units.

Page 17 of 33

Exhibit A TS 3.8.1 Completion Time Extension 4.4.1.3.2 Fire Risk Analysis Model for EDG Completion Time Extension The analysis model used to evaluate the increase in risk due to internal fires for the EDG Completion Time extension LAR is based on the IPEEE Fire PRA cable database and modeling assumptions, but incorporates the updated PRA model changes and the updated Appendix R SSA and cable routing changes that have occurred since the IPEEE Fire PRA analysis was completed.

It is useful to identify (for further reference) a number of facts relative to a potential risk increase due to internal fires in light of the proposed TS Completion Time extension for the EDGs:

1. The extension of the TS Completion Time for the EDGs is an administrative change only and does not have any significant impact on the likelihood of occurrence of fires at PINGP, or on their location within the plant.

2. The only purpose for the EDGs (relative to plant safety) is to start and run to provide onsite power to safeguards equipment in the event that offsite power is lost.

3. The likelihood of a fire resulting in a complete station blackout is low at PINGP. The IPEEE analysis identified only one fire (a large unsuppressed fire within an electrical panel in the control room) in which loss of offsite power sources to both Unit 1 safeguards 4kV buses was credible and only three additional fire areas in which loss of the offsite sources to both Unit 2 4kV buses was credible. In all other areas, a complete loss of offsite power requires additional equipment failures. Without additional failures, normal offsite power to these buses remains available. The capability to avoid SBO from the fire-related loss of offsite power events is due to the availability of the dedicated EDG. Even if one of the fires of concern occurs during the small fraction of the year in which the dedicated EDG is assumed to be unavailable for maintenance, the capability to cross-tie the train related 4kV bus from the opposite unit to a non-fire affected bus would remain available. Therefore, the additional plant risk from fire induced loss of offsite power events due to the proposed extended Completion Time is very low.

Given Items 1 and 2 above, the analysis scope for increased fire risk due to the proposed EDG Completion Time extension can be reduced to an assessment of the increased risk of SBO and loss of individual safeguards 4 kV AC bus events. It should be noted that detailed fire modeling for Unit 2 specific fire areas has not been performed. Therefore, the application of fire related failures to an assessment of Unit 2 CDF and LERF would produce an overly conservative (and unrealistic) result when compared with the Unit 1 results (detailed fire modeling was performed for the most risk significant unit (Unit 1) and common fire areas for the IPEEE).

According to the guidance provided in RG 1. I 77, risk informed changes to TS generally must be demonstrated to result in a calculated ICCDP of <5E-7 and a change in ICLERP of <5E-8. As described above, rather than performing a full-scope Fire PRA (that would allow determination of the ICCDP or ICLERP due to internal fires), the Page 18 of 33

Exhibit A TS 3.8.1 Completion Time Extension analysis scope for increased fire risk due to the proposed EDG Completion Time extension was reduced to an assessment of the increased risk of SBO and loss of individual safeguards 4 kV AC bus events. If a very small ( 4 E-61yr) change in the frequency of the SBO event is seen for both units, then it can be concluded that the associated fire-related ICCDP and ICLERP due to the Completion Time extension to 14 days are at least this low.

To perform the analysis additional EDG preventive maintenance unavailability equal to that of the existing annual PM unavailability was assumed, that is, the existing unavailability was doubled. This assumption is very conservative, as the extension of the TS Completion Time does not in and of itself result in additional unavailability time.

The purpose of the extension request is to provide adequate time to support required maintenance activities to ensure the continued reliability of the EDGs.

4.4.1.3.3 Analysis Results Table 5, below, shows the relative importance of internal fires to the likelihood of loss of each bus, and the likelihood of occurrence of a SBO event.

Table 5 Bus failure due to internal fires As shown above, the increase in risk of an SBO event or even loss of an individual safeguards bus, due to the proposed EDG Completion Time extension is extremely low.

The same is true for the increase in likelihood of an SBO event. Fire initiating events that degrade into SBO events generally start in bus rooms, and involve fire related (or random) failures of the automatic voltage restoration scheme for the opposite train bus.

Failure of power restoration from the opposite unit is dominated by failure of the operator action to perform bus tie breaker operation rather than unavailability of the opposite unit diesel generator, because offsite power (in addition to its dedicated EDG) remains available to the opposite unit 4kV bus.

Bus 15 16 25 26 SBO SBO Page 19 of 33 Safeguards Train Unit I, Train A Unit 1, Train B Unit 2, Train A Unit 2, Train B Unit 1 Unit 2 Delta (given assumed increase in DG unavailability) 3.00E-08 1.70E-07 1.00E-06

< 1 E-08 2.00E-09 1.20E-08 Bus Failure (or SBO) Frequency From Internal Fires Per Year DG UA=baseline 7.09E-04 9.28E-04 2.56E-02 2.25E-03 3.49E-05 6.63E-05 DG UA=2*baseline 7.09E-04 9.28E-04 2.56E-02 2.25E-03 3.49E-05 6.63E-05

Exhibit A TS 3.8.1 Completion Time Extension As described above, the calculated results of the sensitivity analysis are conservative, since doubling of the preventive maintenance unavailability is not anticipated due simply to the proposed Completion Time extension. Other factors that add to the conservatism of the calculation are:

1. No credit was applied for the likelihood of spurious equipment actuation due to the fire (cables that have the potential to cause spurious actuation of equipment with negative consequences upon exposure to a fire are assumed to fail in this manner with a probability of 1.0).

2. No additional credit was given in the analysis for automatic or manual fire suppression beyond that credited in the IPEEE (no credit for suppression of fires in bus rooms was given).

3. No detailed fire modeling, beyond that available from the IPEEE Fire PRA analysis, was performed for this analysis. With the exception of a fire in the control room G-panel, which was looked at in detail in the IPEEE Fire PRA, the areas with the highest potential for SBO given a fire did not receive detailed fire modeling.

Given the low potential for an SBO calculated by this sensitivity analysis, these conservatisms are not critical to the results. Although a more detailed analysis would tend to increase credit for cases in which an EDG would have been otherwise available to supply a de-energized bus, the calculated frequency of these sequences overall would also have been much lower.

As described above, the increase in probability of an SBO event at either unit from internal fire initiating events, based on conservative assumptions of increased voluntary maintenance under a presumed 14-day TS Completion Time, is very low. This implies that any calculation of internal fire-related ICCDP or ICLERP would be below the RG 1.I 77 acceptance criteria values. Therefore, the proposed extension of the EDG Completion Time to 14 days for the four site diesel generators is acceptable relative to the increase in risk due to internal fires.

4.4.1.4 Other External Events In addition to examining the CDF and LERF from internal events, external events were be reviewed.

The evaluation of seismic events performed as part of the IPEEE used the Electric Power Research Institute (EPRI) Seismic Margins Assessment methodology. Both trains of EDG for each unit were included in the list of components analyzed for safe shutdown following an earthquake. The EDG buildings were also analyzed. The evaluation provided adequate evidence of the ability of PlNGP to resist a seismic event and initiate a safe shutdown of the units. No significant seismic concerns were identified and it was concluded that the plant possesses significant seismic margin.

Page 20 of 33

Exhibit A TS 3.8.1 Completion Time Extension During a design basis safe shutdown earthquake (SSE), the plant switchyard is assumed to fail resulting in a loss of offsite power. The probability of an SSE occurring during the 14 day period that an EDG may be inoperable due to maintenance is low.

With all other EDG remaining operable together with the same train cross-tie capability between 4 kV buses, the proposed changes to the EDG Completion Time have negligible effect on the seismic risk profile at Prairie Island.

Evaluation of high winds, external floods and other external events in the PlNGP IPEEE per NUREG-1407, "Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities", published in June 1991, revealed no potential vulnerabilities. The proposed changes to the EDG Completion Time have negligible effect on the risk profile at PlNGP from other external events.

4.4.2 Tier 2: Avoidance of Risk-Significant Plant Configurations There is reasonable assurance that risk-significant equipment configurations will not occur when specific plant equipment is out of service consistent with the proposed TS changes.

Offsite power operability is ensured by TS Section 3.8.1 where SR 3.8.1.I must be performed within one hour and once every eight hours for an inoperable offsite path or EDG.

If an EDG is declared inoperable, the other EDG must have a common cause analysis performed within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or SR 3.8.1.2 must be performed.

It is the intent of management at PlNGP to limit the use of the extended Completion Time to no more than once per EDG per refueling cycle.

Increases in risk posed by potential combinations of equipment out of service will be managed under the Configuration Risk Management Program (CRMP). For example:

An EDG extended Completion Time will not be entered for scheduled maintenance purposes if severe weather conditions are expected; and While in the proposed extended EDG Completion Time, additional elective equipment maintenance, testing or equipment failure will be evaluated using the CRMP and activities that yield unacceptable results via the CRMP will be avoided Additional compensatory actions and configuration risk management controls that will apply when entering the extended EDG Completion Time include:

Weather conditions will be evaluated prior to entering the extended EDG Completion Time for elective maintenance. An extended EDG Completion Time will Page 21 of 33

Exhibit A TS 3.8.1 Completion Time Extension not be entered for elective maintenance purposes if official weather forecasts are predicting severe conditions (tornado or thunderstorm warnings);

Elective maintenance will not be performed in the switchyard that would challenge offsite power availability during the proposed extended EDG Completion Time; The condition of the offsite power supply and switchyard will be evaluated prior to entering the extended EDG Completion Time for elective maintenance. NMC will develop a procedure to determine acceptable grid conditions for entering an extended EDG Completion Time to perform elective maintenance; The system dispatcher will be contacted once per day and informed of the EDG status along with the power needs of the facility; The turbine driven AFW pump on the associated unit will not be removed from service for planned maintenance activities during the extended EDG Completion time; and Operating crews will be briefed on the EDG work plan and procedural actions regarding LOOP and SBO, the 4 kV safeguards bus tie, and Reactor Coolant System bleed and feed.

Procedures will be established to implement these restrictions when an EDG is inoperable for an extended EDG Completion Time in accordance with TS 3.8.1 Condition B.

4.4.3 Tier 3: Risk-Informed Configuration Risk Management Program NMC has developed a CRMP for PlNGP governed by procedure H24.1, "Assessment and Management of Risk Associated With Maintenance Activities", that ensures that the risk impact of equipment out of service is appropriately evaluated prior to performing any maintenance activity. This program requires an integrated view (i.e., both deterministic and probabilistic) to identify risk significant plant equipment outage configurations in a timely manner both during the work management process and for emergent conditions during normal plant operation. Appropriate consideration is given to equipment unavailability, operational activities like testing, or load dispatching and weather conditions.

NMC currently has the capability at PlNGP to perform a configuration dependent assessment of the overall impact on risk of proposed plant configurations prior to, and during, the performance of maintenance activities that remove equipment from service.

Risk is re-assessed if an equipment failure, malfunction or emergent condition produces a plant configuration that has not previously been assessed.

For planned maintenance activities, an assessment of the overall risk of the activity on plant safety, including benefits to system reliability and performance, is currently Page 22 of 33

Exhibit A TS 3.8.1 Completion Time Extension performed prior to scheduled work. The assessment includes the following considerations:

Maintenance activities that affect redundant and diverse systems, structures and components (SSCs) that provide backup for the same function are minimized.

Maintenance is not scheduled that is highly likely to exceed a TS or Technical Requirements Manual (TRM) Completion Time requiring a plant shutdown. For activities that are expected to exceed 50% of a TS Completion Time, a Voluntary LC0 plan is developed to minimize SSC unavailability, maximize SSC reliability and ensure contingency and compensatory actions are in place.

For Maintenance Rule Risk Significant SSCs, the impact of the planned activity on the unavailability performance criteria is evaluated.

As a final check, a quantitative risk assessment is performed to ensure that the activity does not pose any unacceptable risk. This evaluation is performed using the current Level 1 PRA model. The results of the risk assessment are classified by a color code based on the increased risk of the activity shown in Table 6 as follows:

Table 6 Risk Assessment Color Classification Plant operation's management during non-business hour shifts reviews emergent work to ensure that it does not invalidate risk analyses made during the work management process, and if it does, they are capable of updating the risk analyses.

Color Green Yellow Orange Red Page 23 of 33 Risk Level Low Elevated Significant Excessive Plant Impact and Required Action Small impact on plant risk No specific actions are required Consider contingency planning Shift Manager approval to commence planned activity Consider compensatory actions to mitigate risk.

Minimize time spent in configuration Plant Manager approval to commence planned activity Not entered voluntarily Operations Committee must authorize operation for any length of time in this condition.

Immediately restore equipment to service or implement risk management actions to restore at least an ORANGE color

Exhibit A TS 3.8.1 Completion Time Extension If the risk of losing offsite power increases as a result of severe weather or as a result of unavailability or degradation of an offsite source, the CRMP is able to reflect this in the risk analysis.

4.4.4 Maintenance Rule Program To ensure the proposed extension of the EDG Completion Time does not degrade operational safety over time, the Maintenance Rule (MR) requires an evaluation when equipment covered by the MR does not meet its performance criteria.

The reliability and availability of the EDGs are monitored under the MR program. If the pre-established reliability or availability performance criteria are exceeded for the EDGs, they are considered for 10CFR 50.65 (a)(l) actions. These actions require increased management attention and goal setting in order to restore their performance to an acceptable level. The actual out of service time for the EDGs will be minimized to ensure that the reliability and availability performance criteria are met.

4.5 Industry Precedents The NRC has previously reviewed and approved many license amendment requests for extension of the emergency diesel generator TS Completion Time for other nuclear power plants. Recent approvals include: Beaver Valley Power Station, Unit Nos. 1 and 2 - Issuance of Amendment RE: Increase of the Emergency Diesel Generator (EDG) allowed Outage Time From 72 Hours to 14 Days (TAC Nos. MC3331 and MC3332) dated September 29, 2005; and Calvert Cliffs Nuclear Power Plant, Unit Nos. 1 and 2 -

Amendment RE: Extension of Diesel Generator Required Action Time (TAC Nos.

MC8976 and MC8977) dated April 13, 2004.

There are many similarities between these plants and PINGP; there are also some significant differences. The use of these license amendments as precedent is evaluated as follows.

Beaver Valley Power Station (BVPS)

BVPS is a two unit pressurized water reactor plant with two EDGs per unit. The BVPS EDG Completion Time was extended from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 14 days, whereas, NMC proposes to extend the PINGP EDG Completion Time from 7 days to 14 days.

Based on the information available in the BVPS submittal dated May 26, 2004, their offsite power sources appear to be comparable to the PINGP offsite power sources in that there appear to be four paths supplying the two safeguards buses.

The relationship of BVPS EDGs to their safeguards buses and capability to supply normal shutdown and post accident loads with a loss of off-site power also appears to be similar to PINGP. The BVPS LAR dated May 26, 2004 stated, Page 24 of 33

Exhibit A TS 3.8.1 Completion Time Extension The EDGs supply onsite emergency AC power to those electrical loads needed to achieve safe shutdown of the plant or to mitigate the consequences of any postulated accidents coincident with the loss of the normal and offsite AC power sources. Each EDG has sufficient capability for operating all required engineered safety equipment which must be operated in the event of any postulated accident.

Similarly, each PlNGP EDG, as a backup to the normal standby AC power supply, is capable of supplying the power requirements of one of the redundant sets of engineered safety features for its reactor unit.

The BVPS LAR provided a deterministic evaluation of the EDG Completion Time extension and concluded it was acceptable because the proposed change will not impact the plant design basis and safety margins are maintained. This LAR for PlNGP makes similar conclusions.

The BVPS LAR performed probabilistic assessments of their proposed EDG Completion Time extension and demonstrated that the guidance of RG 1.I 74 and RG 1.I77 were met. This LAR for PlNGP makes similar PRA conclusions.

The BVPS submittal makes commitments to provide compensatory measures when the extended Completion Time allowance is utilized to minimize risks, including assessment of grid stability. Some of the BVPS commitments may also apply to PINGP. This LAR for PlNGP discusses compensatory measures in section 4.4.2 above and makes appropriate commitments to minimize risks as described in attached Exhibit D.

PlNGP differs significantly from BVPS in the capability to respond to an SBO. BVPS Units 1 and 2 proposed to utilize the EDGs at each unit as an alternate AC power source to operate systems necessary for the required SBO coping duration and recovery. However it appears that the Unit 1 EDGs were not fully capable of supplying both the Unit 1 loads and the Unit 2 SBO loads. NRC letter dated April 6, 2005, stated, The approach to supply power to the blacked-out unit by rescheduling the safety system operation in the unaffected unit (disconnecting loads for short term on the unaffected unit to allow for the affected unit to operate another load) is not acceptable because of the undue risk and operational complications imposed on the unaffected unit.

At PINGP, each EDG, including the smaller Unit 1 EDGs, is capable of supplying the power requirement of the Mode 3 loads for its associated unit as well as the essential loads of the blacked out unit through use of manual bus tie breakers. Unlike BVPS, the PlNGP non-SBO unit's EDGs are available within 10 minutes of realization that an SBO exists, whereas, BVPS may require one hour to supply power to the required SBO loads at both units. Also, the PlNGP EDGs are capable of supplying power to both the SBO and non-SBO unit with simple switching from the control room; no unique reconfiguration of loads is required.

Page 25 of 33

Exhibit A TS 3.8.1 Completion Time Extension Calvert Cliffs Nuclear Power Plant (CCNPP)

CCNPP is a two unit pressurized water reactor plant with two EDGs per unit. The CCNPP EDG Completion Time was extended from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 14 days.

Based on the information available in the CCNPP submittal dated May 12, 2003, their offsite power sources appear to be comparable to the PlNGP offsite power sources.

The relationship of CCNPP EDGs to their safeguards buses and capability to supply normal shutdown and post accident loads with a loss of off-site power also appears to be similar to PINGP. The CCNPP LAR dated May 12, 2003 stated, Any combination of two of the safety related DGs (one from each unit) is capable of supplying sufficient power for the operation of necessary engineered safety features (ESF) loads during accident conditions on one unit and shutdown loads of the alternate unit concurrent with a loss of offsite power and for the safe and orderly shutdown of both units under loss of offsite power conditions.

Similarly, each PlNGP EDG, as a backup to the normal standby AC power supply, is capable of supplying the power requirements of one of the redundant sets of engineered safety features for its reactor unit.

The CCNPP LAR provided a deterministic evaluation of the EDG Completion Time extension and concluded it was acceptable because the proposed change will not impact the plant design basis and safety margins are maintained. This LAR for PlNGP makes similar conclusions.

The CCNPP LAR performed probabilistic assessments of their proposed EDG Completion Time extension and demonstrated that the guidance of RG 1.I74 and RG 1.I77 were met except for one EDG. This LAR for PlNGP makes similar PRA conclusions and meets the guidance for all EDGs..

The CCNPP submittal makes commitments to provide compensatory measures when the extended Completion Time allowance is utilized to minimize risks, including assessment of grid stability. Some of the CCNPP commitments may also apply to PINGP. This LAR for PlNGP discusses compensatory measures in section 4.4.2 above and makes appropriate commitments to minimize risks as described in attached Exhibit D.

PlNGP differs significantly from CCNPP in the approach for responding to an SBO.

CCNPP has a dedicated SBO diesel which can be manually aligned to any of the four safeguards buses. At PINGP, each EDG, including the smaller Unit 1 EDGs, is capable of supplying the power requirement of the Mode 3 loads for its associated unit as well as the essential loads of the blacked out unit through use of manual bus tie breakers.

Page 26 of 33

Exhibit A TS 3.8.1 Completion Time Extension 4.6 Technical Analysis Conclusions Current TS 3.8.1 will require a unit to shutdown after an EDG has been inoperable for 7 days. This license amendment requests extension of the Completion Time by an additional 7 days. The EDGs are not required to support normal operation and there are other power sources available to supply the associated safeguards bus. From deterministic and probabilistic perspectives, the risk of extending the Completion Time for an additional 7 days is low.

Based on the above discussion, operation of the Prairie Island Nuclear Generating Plant with the proposed TS changes does not adversely affect nuclear safety or plant operations and the health and welfare of the public is protected.

5.0 REGULATORY SAFETY ANALYSIS 5.1 No Significant Hazards Consideration The Nuclear Management Company has evaluated whether or not a significant hazards consideration is involved with the proposed amendment by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of amendment," as discussed below:

1.

Do the proposed changes involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No This license amendment request proposes Technical Specification changes to extend the Technical Specification 3.8.1, "AC Sources-Operating, Completion Time for an inoperable emergency diesel generator to 14 days. These changes allow an emergency diesel generator to be inoperable for 7 days more than Technical Specification 3.8.1 currently provides. A minor format correction on the Technical Specification 3.8.1 Actions Table is also proposed.

The emergency diesel generators are safety related components which provide backup electrical power supply to the onsite Safeguards Distribution System.

The emergency diesel generators are not accident initiators, thus allowing an emergency diesel generator to be inoperable for an additional 7 days for performance of maintenance or testing does not increase the probability of a previously evaluated accident.

Deterministic and probabilistic risk assessments evaluated the effect of the proposed Technical Specification changes on the availability of an electrical power supply to the plant emergency safeguards features systems. These assessments concluded that the proposed Technical Specification changes do not involve a significant increase in the risk of power supply unavailability.

Page 27 of 33

Exhibit A TS 3.8.1 Completion Time Extension The plant emergency safeguards features systems consist of two trains for 100%

redundancy within each unit. Accident analyses demonstrate that only one emergency safeguards features train is required for accident mitigation. Thus, with one train inoperable the other train is capable of performing the required safety function. Design basis analyses are not required to be performed assuming extended loss of all power supplies to the plant emergency safeguards features systems. Thus this change does not involve a significant increase in the consequences of a previously analyzed accident.

The Technical Specification format correction is an administrative change and does not involve a significant increase in the probability or consequences of an accident.

Therefore, the proposed changes do not involve a significant increase in the probability or consequences of an accident previously evaluated.

Do the proposed changes create the possibility of a new or different kind of accident from any accident previously evaluated?

Response: No This license amendment request proposes Technical Specification changes to extend the Technical Specification 3.8.1, "AC Sources-Operating," Completion Time for an inoperable emergency diesel generator to 14 days. These changes allow an emergency diesel generator to be inoperable for 7 days more than Technical Specification 3.8.1 currently provides. A minor format correction on the Technical Specification 3.8.1 Actions Table is also proposed.

The proposed Technical Specification changes do not involve a change in the plant design, system operation, or procedures involved with the emergency diesel generators. The proposed changes allow an emergency diesel generator to be inoperable for additional time. There are no new failure modes or mechanisms created due to plant operation for an extended period to perform emergency diesel generator maintenance or testing. Extended operation with an inoperable emergency diesel generator does not involve any modification in the operational limits or physical design of plant systems. There are no new accident precursors generated due to the extended allowed Completion Time.

The Technical Specification format correction is an administrative change and does not create the possibility of a new or different kind of accident.

Therefore, the proposed changes do not create the possibility of a new or different kind of accident from any previously evaluated.

Page 28 of 33

Exhibit A TS 3.8.1 Completion Time Extension Do the proposed changes involve a significant reduction in a margin of safety?

Response: No This license amendment request proposes Technical Specification changes to extend the Technical Specification 3.8.1, "AC Sources-Operating," Completion Time for an inoperable emergency diesel generator to 14 days. These changes allow an emergency diesel generator to be inoperable for 7 days more than Technical Specification 3.8.1 currently provides. A minor format correction on the Technical Specification 3.8.1 Actions Table is also proposed.

Currently, if an inoperable emergency diesel generator is not restored to operable status within 7 days, Technical Specification 3.8.1 will require unit shutdown to MODE 3 within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and MODE 5 within 36 hours4.166667e-4 days <br />0.01 hours <br />5.952381e-5 weeks <br />1.3698e-5 months <br />. The proposed Technical Specification changes will allow steady state plant operation at 100% power for an additional 7 days.

There is some risk associated with continued operation for an additional 7 days with one emergency diesel generator inoperable. This risk is judged to be small and reasonable consistent with the risk associated with operations for 7 days with one emergency diesel generator inoperable as allowed by the current Technical Specifications. Specifically, the remaining operable emergency diesel generator and paths are adequate to supply electrical power to the onsite Safeguards Distribution System. An emergency diesel generator is required to operate only if both offsite power sources fail and there is an event which requires operation of the plant emergency safeguards features such as a design basis accident. The probability of a design basis accident occurring during this period is low.

Deterministic and probabilistic risk assessments evaluated the effect of the proposed Technical Specification changes on the availability of an electrical power supply to the plant emergency safeguards features systems. These assessments concluded that the proposed Technical Specification changes do not involve a significant increase in the risk of power supply unavailability.

There is also some risk associated with the Technical Specification unit shutdown evolutions. Plant load change evolutions require additional plant operations activities which introduce equipment challenges, increase the risk of plant trip and increase the risk for operational errors. Also unit shutdown does not remove the desirability of having emergency diesel generator backup for the 4 kV safeguards buses, but rather places dependence on the operable 4 kV bus by requiring operation of the residual heat removal system. Thus, possible additional risk associated with continuing operation an additional 7 days with an inoperable emergency diesel generator may be offset by avoiding the additional risk associated with unit shutdown.

Page 29 of 33

Exhibit A TS 3.8.1 Completion Time Extension Therefore, based on the considerations given above, the proposed changes do not involve a significant reduction in a margin of safety.

Based on the above, the Nuclear Management Company concludes that the proposed amendment presents no significant hazards consideration under the standards set forth in 10 CFR 50.92(c) and, accordingly, a finding of "no significant hazards consideration

is justified.

5.2 Applicable Regulatory Re~uirementslCriteria The regulatory documents and references applicable to emergency diesel generators are identified in Table 7 below. The impact of the proposal to extend the Prairie Island Nuclear Generating Plant emergency diesel generator Technical Specification Completion Time to 14 days was assessed against the requirements and guidelines of these documents and references; a summary of the conclusions is provided in Table 7 with additional discussion following as applicable.

Table 7 Regulatory impact Independence Between Redundant Standby (Onsite)

Power Sources and Between their Distribution Systems Selection, Design and Qualification of Diesel Generator Units Used as Standby (Onsite) Electric Power Systems at Nuclear Power Plants No impact Assessment Impacted No impact No impact Reference AEC GDC 24 AEC GDC 39 1 OCFR50.63 No impact Title Emergency Power for Protection Systems Emergency Power for Engineered Safety Features Loss of All Alternating Current Power General Design Criteria The construction of the Prairie Island Nuclear Generating Plant was significantly complete prior to issuance of 10 CFR 50, Appendix A, General Design Criteria. The Prairie Island Nuclear Generating Plant was designed and constructed to comply with the Atomic Energy Commission General Design Criteria as proposed on July 10, 1967 (AEC GDC) as described in the plant Updated Safety Analysis Report (USAR). AEC GDC 24 and 39 provide design guidance for emergency power sources.

AEC GDC proposed Criterion 24 - Emergency Power for Protection Systems In the event of loss of all offsite power, sufficient alternate sources of power shall be provided to permit the required functioning of the protection systems.

Page 30 of 33

Exhibit A TS 3.8.1 Completion Time Extension The current plant licensing basis provides two emergency diesel generators for each unit to provide alternate sources of power in the event of loss of all offsite power. The proposed Completion Time extension will allow an emergency diesel generator to be inoperable for an additional 7 days. A loss of all offsite power event has a low probability of occurrence and the additional allowed outage time of 7 days is also a small amount of time, thus it is unlikely that a loss of all offsite power will occur during the allowed period of diesel inoperability. Also, the other unit same-train diesel provides an alternate power source. The safeguards load can be supplied by the same train diesel from the opposite unit by connecting the same train safeguards buses through a bus-tie breaker. With the changes proposed in this license amendment request, the requirements of this Criterion continue to be met.

AEC GDC proposed Criterion 39 - Emergency Power for Engineered Safety Features Alternate power systems shall be provided and designed with adequate independency, redundancy, capacity, and testability to permit the functioning required of the engineered safety features. As a minimum, the onsite power system and the offsite power system shall each, independently, provide this capacity assuming a failure of a single active component in each power system.

The changes proposed in this license amendment request do not change the alternate power system design and therefore the independency, redundancy, capacity and testability continue to be adequate. With the changes proposed in this license amendment request, the requirements of this Criterion continue to be met.

Title 10 Code of Federal Resulations Part 50 Section 50.63 (10 CFR 50.63), "Loss of all alternating current power" The changes proposed in the license amendment request will allow an emergency diesel generator to be inoperable for 14 days (7 days more than the current Technical Specifications allow). These changes do not change the method of compliance with 10CFR50.63 and thus the requirements of this regulation continue to be met.

Regulatory Guides Safety Guide 6 (Regulatory Guide 1.6), "Independence Between Redundant Standby (Onsite) Power Sources and Between their Distribution Systems" This Safety Guide describes an acceptable degree of independence between redundant standby power sources and between their distribution systems. The changes proposed in the license amendment request will allow an emergency diesel generator to be inoperable for 14 days (7 days more than the current Technical Specifications allow). These changes do not impact the independence of the emergency diesel generators; thus this license amendment request does not change the plant compliance with this Safety Guide.

Page 31 of 33

Exhibit A TS 3.8.1 Completion Time Extension Regulatory Guide 1.9, "Selection, Design and Qualification of Diesel Generator Units Used as Standby (Onsite) Electric Power Systems at Nuclear Power Plants" This Regulatory Guide describes an acceptable basis for the selection of diesel generator sets of sufficient capacity and margin to implement 10 CFR 50 Appendix A General Design Criterion 17. The changes proposed in the license amendment request will allow an emergency diesel generator to be inoperable for 14 days (7 days more than the current Technical Specifications allow). These changes do not impact the capacity or margin of the emergency diesel generators; thus this license amendment request does not change the plant compliance with this Regulatory Guide.

Other Regulatory Guides exist that may have applicability to emergency diesel generator design or use, such as, Regulatory Guide 1.93, "Availability of Electric Power Sources", and Regulatory Guide 1.155, "Station Blackout", however, the Prairie Island Nuclear Generating Plant is not committed to these guidance documents and thus the impact on their requirements was not considered.

Regulatory Guide 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Bases" Regulatory Guide 1.I74 provides an acceptable method for licensees to use in assessing the nature and impact of licensing basis changes when the licensee chooses to support the changes with risk information. The Nuclear Management Company has performed a probabilistic risk assessment using the guidance of Regulatory Guide 1.174 to support the proposed Technical Specification change which will extend the allowable Completion Time for an emergency diesel generator from 7 days to 14 days.

The guidance in Regulatory Guide 1.I74 is provided as an acceptable change in the annual core damage frequency increase and the annual large early release frequency increase. The probabilistic risk assessment demonstrated that the Regulatory Guide 1.I74 guidance was met when the emergency diesel generator Completion Time is extended to 14 days. Thus, the proposed Technical Specification changes meet the guidance of Regulatory Guide 1.174, which provides a basis for issuance by the NRC.

Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications" Regulatory Guide 1.177 provides guidance to improve consistency in regulatory decisions when the results of risk analyses are used to help justify Technical Specification changes. The Nuclear Management Company has performed a probabilistic risk assessment using the guidance of Regulatory Guide 1.I77 to support the proposed Technical Specification change which will extend the allowable Completion Time for an emergency diesel generator from 7 days to 14 days. The guidance in Regulatory Guide 1. I 77 is provided as an acceptable incremental core damage probability and incremental conditional large early release probability. The probabilistic risk assessment demonstrated that the Regulatory Guide 1.I77 guidance Page 32 of 33

Exhibit A TS 3.8.1 Completion Time Extension was met when the emergency diesel generator Completion Time is extended to 14 days. Thus, the proposed Technical Specification changes meet the guidance of Regulatory Guide 1.177, which provides a basis for issuance by the NRC.

Regulatory Requirementslcriteria Conclusions In conclusion, based on the considerations discussed above, (I) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

6.0 ENVIRONMENTAL CONSIDERATION

A review has determined that the proposed amendment would change a requirement with respect to installation or use of a facility component located within the restricted area, as defined in 10 CFR 20, or would change an inspection or surveillance requirement. However, the proposed amendment does not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the proposed amendment meets the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(~)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendment.

Page 33 of 33

Exhibit B Proposed Technical Specification and Bases Changes (markup)

Technical Specification Pages Bases pages (for information only) 5 pages follow

AC Sources-Operating 3.8.1 ACTIONS

/

CONDITION

/

A. (continued)

REQUIRED ACTION A.2 Restore path to OPERABLE status.

COMPLETION TlMt a4-4-days from discovery of failure to meet LC0 B. One DG inoperable.

B.l PerformSR3.8.l.lforthe paths.

AND B.2 Declare required feature(s) supported by the inoperable DG inoperable when its required redundant feature(s) is inoperable.

AND 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> AND Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> fiom discovery of Condition B concurrent with inoperability of redundant required feature(s)

Prairie Island Units 1 and 2 Unit 1 - Amendment No. 44-8 4-67 3.8.1-2 Unit 2 - Amendment No. 4-49 M3

AC Sources-Operating 3.8.1 B. (continued)

ACTIONS B.3.1 Determine OPERABLE DG is not inoperable due to common cause failure.

CONDITION B.3.2 Perform SR3.8.1.2 for OPERABLE DG.

AND REQUIRED ACTION B.4 Restore DG to OPERABLE status.

COMPLETION TIME 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> 24 hours AND a-Wdays from discovery of failure to meet LC0 Prairie Island Units 1 and 2 Unit 1 - Amendment No. 4343 4-67 3.8.1-3 Unit 2 - Amendment No. 4-49 W

AC Sources-Operating B 3.8.1 BASES (continued)

ACTIONS A.2 (continued) while, for instance, a DG is inoperable and that DG is subsequently returned OPERABLE, the LC0 may already have been not met for up to 143 days. This could lead to a total of aWdays, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional u?

days (for a total of days) allowed prior to complete restoration of the LCO. The 21+4 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 7 day and a14 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

The Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time that the LC0 was initially not met, instead of at the time Condition A was entered.

To ensure a highly reliable power source remains with an inoperable DG, it is necessary to verify the availability of the paths on a more frequent basis. Since the Required Action only specifies "perform,"

a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a path fails to pass SR 3.8.1.1, it is inoperable and additional Conditions and Required Actions apply.

Prairie Island Units 1 and 2 Unit 1 -

Revision B 3.8.1-7 Unit 2 -

Revision

AC Sources-Operating B 3.8.1 BASES (continued)

ACTIONS B.3.1 and B.3.2 (continued)

According to the Maintenance Rule, 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is reasonable to confirm that the OPERABLE DG is not affected by the same problem as the inoperable DG.

Operation may continue in Condition B for a period that should not exceed J43-days.

In Condition B, the remaining OPERABLE DG and paths are adequate to supply electrical power to the onsite Safeguards Distribution System. The day Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently restored OPERABLE, the LC0 may already have been not met for up to 7 days. This could lead to a total of a4-4 days, since initial failure to meet the LCO, to restore the DG. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 7 days (for a total of 2821-days) allowed prior to complete restoration of the LCO. The a44 day Completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCO. This limit Prairie Island Units 1 and 2 Unit 1 Kevision B 3.8.1-10Unit 2 - -.

!?9 Revision

AC Sources-Operating B 3.8.1 BASES (continued)

ACTIONS B.4 (continued) is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the day and 244 day Completion Times means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed time "clock." This will result in establishing the "time zero" at the time that the LC0 was initially not met, instead of at the time Condition B was entered.

C.l and C.2 Required Action C. 1, which applies when two paths are inoperable, is intended to provide assurance that an event with a coincident single failure will not result in a complete loss of redundant required safety functions. The Completion Time for this failure of redundant required features is 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The rationale for the 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is that a Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is allowed for two paths inoperable, based upon the assumption that two complete safety trains are OPERABLE. When a concurrent redundant required feature failure exists, this assumption is not the case, and a Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is appropriate. These features are powered from redundant AC safety trains.

Prairie Island Units 1 and 2 Unit 1 Revision B 3.8.1-1 1 Unit 2 -"Revision

Exhibit C Proposed Technical Specification Changes (retyped)

Technical Specification Pages 2 pages follow

ACTIONS CONDITION A. (continued)

AC Sources-Operating 3.8.1 REQUIRED ACTION A.2 Restore path to OPERABLE status.

COMPLETION I

TIME 7 days AND 2 1 days from discovery of I

failure to meet LC0 B. One DG inoperable.

B.1 PerformSR3.8.1.1forthe paths.

AND B.2 Declare required feature(s) supported by the inoperable DG inoperable when its required redundant feature(s) is inoperable.

AND 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> AND Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from discovery of Condition B concurrent with inoperability of redundant I required Prairie Island Units 1 and 2 Unit 1 - Amendment No. 4-58 4-67 3.8.1-2 Unit 2 - Amendment No. 4-49 4-57

AC Sources-Operating 3.8.1 ACTIONS Prairie Island Units 1 and 2 CONDITION B. (continued)

Unit 1 - Amendment No. 44% 1-63 3.8.1-3 Unit 2 - Amendment No. 4-49 4-57 REQUIRED ACTION B.3.1 Determine OPERABLE DG is not inoperable due to common cause failure.

OR B.3.2 Perform SR 3.8.1.2 for OPERABLE DG.

AND B.4 Restore DG to OPERABLE status.

COMPLETION TIME 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> 24 hours 14 days AND 2 1 days from discovery of failure to meet LC0

EXHIBIT D LIST OF COMMITMENTS The following table identifies those actions to which NMC committed in this document.

Any other statements in this submittal are provided for information purposes and are not considered to be commitments. Please direct questions regarding these commitments to Mr. Gabe Salamon at the Nuclear Management Company, (715) 377-3324.

REGULATORY COMMITMENT Procedures shall be established to assure that the following provisions are invoked when an EDG is inoperable for an extended Completion Time in TS 3.8.1 Condition B The condition of the offsite power supply and switchyard will be evaluated prior to entering the extended EDG Completion Time for elective maintenance. NMC will develop a procedure to determine acceptable grid conditions for entering an extended EDG Completion Time to perform elective maintenance.

No elective maintenance will be scheduled in the switchyard that would challenge offsite power availability during the proposed extended EDG Completion Time The system dispatcher will be contacted once per day and informed of the EDG status along with the power needs of the facility The turbine driven AFW pump on the associated unit will not be removed from service for planned maintenance activities during the extended EDG Completion time Assure operating crews are briefed on the EDG work plan and procedural actions regarding:

o LOOPand SBO o 4 kV safeguards bus cross-tie o Reactor Coolant System bleed and feed Weather conditions will be evaluated prior to entering the extended EDG Completion Time for elective maintenance. An extended EDG Completion Time will not be entered for elective maintenance purposes if official weather forecasts are predicting severe conditions (tornado or thunderstorm warnings).

DUE DATE Implementation date of the license amendment requested in letter PI 036

Exhibit E Summary of the Prairie Island Nuclear Generating Plant Probabilistic Risk Assessment Revisions

1. Background

The Prairie Island Nuclear Generating Plant (PINGP) Individual Plant Examination (IPE) was submitted to the NRC by letter dated March 1,1994 to respond to Generic Letter 88-20, "Individual Plant Examination for Severe Accident Vulnerabilities - IOCFR 50.54(f)." The NRC sent requests for Additional Information (RAI) to Northern States Power Company on December 21, 1995. The NRC accepted the IPE by letter dated May 16, 1997. The NRC letters noted that the IPE submittals met the intent of Generic Letter 88-20, "Individual Plant Examination for Severe Accident Vulnerabilities - IOCFR 50.54(f)", dated November 23, 1988.

The history of the PRA model development from the IPE to the current Revision 2.1 model including model enhancements and dominant accident classes is described below.

2. IPE Results (Level 1 and Level 2, Revision 0)

The first full-scope PRA analysis done for PINGP was that performed to satisfy the IPE requirements, and was completed in February 1994. This was a study to determine vulnerabilities to severe accidents from at-power operation. It was based on a Level 1 and Level 2 PRA model performed for Unit 1. Unit 2 vulnerabilities were qualitatively evaluated based on the Unit I results and consideration of asymmetries in plant design and operation that exist between the units. The study found no vulnerabilities to severe accidents at the PINGP. Previously, a limited-scope Individual Plant Evaluation Methodology (IPEM) analysis was completed in 1992. The IPE PRA analysis started with the models built for the IPEM study, and additional details, including the Level 2 portions, were added to arrive at the full scope analysis. The initial data collection effort for that analysis was performed for the period 1978 - 1987, except for the initiating event frequency analysis, which used plant trip information over the period 1975 - 1987 This PRA study is now considered to be Revision 0 of the Level 1 and 2 PRA models.

The core damage frequency (CDF) calculated for the IPE was 5.OE-51r-x-yr. The dominant accident sequences by initiating event were:

=

Loss of coolant accident (LOCAs) (24%);

Loss of off-site power (LOOP) including SBO (22%);

Internal Flooding (21 %);

Transients excluding LOOP (1 9%); and Steam generator tube rupture (SGTR) (1 3%).

Page 1 of 13

Exhibit E PRA Summary Large early release frequency (LERF) was not quantified for the IPE. The total release frequency (the frequency of core damage followed by containment failure) was calculated to be 2.OE-51rx-yr, giving a conditional containment failure probability (CCFP) of approximately 40% (69% including induced SGTR, which was addressed by an Emergency Operating Procedure (EOP) change almost as soon as the IPE was submitted). The dominant contributors to the CCFP were:

Late containment failure due to overpressure following early core damage and vessel failure at high pressure (55%); and SGTR (35%).

3. IPE-External Events (IPEEE) Submittals The initial PlNGP IPEEE analysis was submitted to the NRC in December 1996. It included a seismic margins analysis, a Level 1 fire PRA based upon the IPE Revision 0 Level 1 PRA model, and additional plant-specific analyses to address the "other" postulated external initiating events required for the IPEEE. The fire portion of the IPEEE was updated in 1998. The fire PRA for this update used the Level 1, Revision 1.0 model (see below). The NRC issued a Staff Evaluation Report (May 29, 2001) concluding that "the aspects of seismic; fires; and HFO (other external events) were adequately addressed".

4. Level 1, Revision 1.0 Revision 1.0 of the Unit 1, Level 1 PRA model was completed in 1996. In addition to adding modeling for a few more balance-of-plant systems (for example, the non-safeguards station air system and the steam dump and circulating water systems), this update included modeling for a number of significant changes to the plant safeguards electrical systems that were not yet installed at the time of the IPE submittal. Examples include elimination of sub-fed 480V motor control centers (MCCs), division of the two Unit 1 safeguards 480 V AC buses into four buses and relocation of those buses within the plant; and significant reliability upgrades for the DC power system. Component failure and unavailability data for six key systems were updated for the period 1986 through 1995, as were the initiating event frequencies. LOCA frequencies were reanalyzed to make them more plant-specific, using a pipe failure study technique developed by the Electric Power Research Institute (EPRI).

The CDF calculated for the Revision 1.0 PRA model was 2.4E-51rx-yr. The dominant accident sequences by initiating event were:

LOCAs (5%);

LOOP including station blackout (SBO) (34%);

Internal Flooding (36%);

Transients excluding LOOP (9%); and SGTR (14%).

Page 2 of 13

Exhibit E PRA Summary The decline in the CDF compared with the Revision 1.0 (IPE) model results was primarily due to the development of plant-specific LOCA initiating event frequencies, credit given for the station air to instrument air cross-tie capability, and credit given for an electrical system upgrade and equipment relocation on Unit 1 that effectively eliminated the 480 V safeguards bus dependency on room ventilation.

5. Level 1, Revision 1. I Revision 1. I of the Unit 1, Level 1 model was completed in 1999. This was essentially the same model as Revision 1.O; however, a single top fault tree approach to the quantification of overall CDF was used, as was a standard truncation level of 1 E-10.

Previously, the PRA models were quantified using Set Equation Transformation System (SETS), which allowed different truncation levels for each individual core damage sequence. The total CDF for the Revision 1. I model was calculated to be 2.35E-5lrx-yr, and the breakdown of the CDF by initiating event was approximately that shown above for the Revision 1.0 model.

6. Level 1, Revision 1.2 Revision 1.2 of the Unit I, Level 1 model was completed in 2001. Significant changes were incorporated during this revision. Many of these changes were based on comments received by the Westinghouse Owners Group (WOG) PRA Certification Team Review that took place in October 2000. Changes include:

New LOCA break size groupings (small LOCA (SLOCA), medium LOCA (MLOCA),

large LOCA (LLOCA));

New LOCA break size frequencies based on generic data from NUREGICR-5750; Update to several initiating event frequencies (LOOP, loss of DC (LODC));

Inclusion of Offsite Power recovery actions for non-SBO events; Creation of initiating event trees for the cooling water system (CL), component cooling system (CC), and Instrument Air systems; Power operated relief valve (PORV) LOCA events have been added; Changes to SBO success criteria (removal of diesel generator recovery);

Random reactor coolant pump (RCP) Seal Failure initiating event was added; Updates to several system fault trees; Credit for the Pressurizer PORV accumulator; Upgrade to the Human Reliability Analysis (key operator actions); and The mission time for the emergency diesel generators (EDG) and CL pumps were changed from 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> since offsite power recovery is credited.

The component failure rates from the 1995 update were reviewed against generic data.

If significant differences were found and there was a large impact on the CDF, the component failure rate was updated. Only a few changes were made. Specifically, EDG D5 and D6 failure and unavailability data was changed based on the limited amount of operating experience available during the update period. Generic failure rates from NUREGICR-4550 were used for the D5 and D6 EDGs.

Page 3 of 13

Exhibit E PRA Summary The CDF calculated for the Revision 1.2 PRA model was 2.200E-5lrx-yr. The dominant accident sequences by initiating event were:

LOOP including SBO (23.9%);

LOCAs (23.8%);

Internal Flooding (22.5%);

SGTR (14.8%); and Transients excluding LOOP (1 5.0%).

There was not a significant change in the overall CDF value compared with the Revision 1. I model. However, the distribution of the accident sequences has changed significantly. The LOOP contribution decreased due to crediting offsite power recovery for the non-SBO sequences. The SGTR contribution increased due to re-analysis of the human error actions associated with this event. The LOCA contribution increased due to redefining the LOCA break sizes and the use of generic LOCA frequencies. The internal flooding contribution decreased due to crediting the Pressurizer PORV accumulator. The transient contribution increased due to several reasons since it encompasses many initiating events.

The loss of feedwater transient increased due to changes in the human reliability analysis (HRA). (Key operator actions were re-analyzed based on conditional events, which resulted in a higher probability of failure. A key operator action in the loss of feedwater water transient affected by this includes: establishing feed and bleed conditional on restoring feedwater.);

The normal transient contribution increased due to the modeling addition of challenging a pressurizer PORV during the transient and resulting in a PORV LOCA; and The contribution from a loss of CC and CL transients increased due to the addition of initiating event tree modeling for CL and CC systems.

7. Unit 1 and Unit 2 Level 1. Revision 2.0 Level 1, Revision 2.0 PRA model update was performed in order to obtain a working PRA model for Unit 2. Previously, all probabilistic risk analysis for Unit 2 have involved application of the Unit 1 model results, with modifications that attempted to consider the impact of asymmetries between the units. The update was also performed to correct some errors and make some enhancements to the existing Revision 1.2 PRA model.

The model update was completed in 2002 and was built upon the Level 1 Revision 1.2 model. Major model changes included with this update are:

Addition of Unit 2 frontline and support system logic modeling; Addition of Unit 2 accident sequence logic modeling; Inclusion of CDF and LERF calculations for Unit 2; Page 4 of 13

Exhibit E PRA Summary Removal of the boric acid storage tank (BAST) input to the safety injection (SI) pumps suction logic. The primary suction supply is now only the refueling water storage tank (RWST);

Enhancement of the existing quantification methodology, including incorporation of fault tree-based deletion of mutually exclusive events, including multiple initiating events; Modification to the charging pump system fault tree logic to include an operator action to restart the pumps after a LOOP event since they are not included in the sequencer logic; Use of the same common cause failure (CCF) event for the residual heat removal (RHR) pump discharge check valves in the injection, recirculation, and shutdown cooling modes; A new operator action to prevent load sequencer failure due to loss of cooling to the 4KV safeguards bus rooms (Bus 15, Bus 16, Bus 25, and Bus 26 rooms) were incorporated into the model. In conjunction with this change, a factor for the sequencer failure at elevated temperatures was added to the fault tree logic for the safeguards bus; Update to the logic modeling for the supply /exhaust fans 21, 22, 23, 24 which supply air to the Unit 2 safeguards bus rooms. The original modeling assumed that none of the fans were running (but one train is normally running). This modeling changed assumed supply/exhaust fan sets 21 and 22 are normally running and supply/exhaust 23 and 24 are in standby. Therefore, the failure to start logic was only included for sets 23 and 24. The CCF to start basic events for all four sets was removed from the model; and An incorrect and non-conservative mutually exclusive event related to the Screenhouse Flood Zone 2 Initiating event (I-SHZFLD) was removed from the logic.

This will result in an increase in the contribution of the Screenhouse Flood Zone 2 (SHZFLD) event to the overall results.

The CDF calculated for the Unit 1 Revision 2.0 PRA model was 2.19E-5/rx-yr. The dominant accident sequences by initiating event were:

LOOP including SBO (26.0%);

LOCAs (22.4%);

Internal Flooding (23.2%);

SGTR (1 3.2%); and Transients excluding LOOP (1 5.2%).

There was not a significant change in the overall CDF value compared with the Revision 1.2 model. There were some changes in the distribution of the accident sequences.

The LOOP contribution increased due to the additional cutsets (with higher probabilities) related to the LOOP event with a failure of the operator to start a charging pump and a loss of the CL pumps which lead to a RCP seal LOCA. The small LOCA contribution decreased (which results in a decrease in the LOCA contribution) due to a decrease in the removal of the BAST as a supply source to the SI pumps. The SGTR contribution decreased due the new mutually exclusive logic incorporated into the model, specifically Page 5 of 13

Exhibit E PRA Summary related to preventative maintenance on EDGs. The flood contribution increased due to the removal of a mutually exclusive event related to the Screenhouse Flood Zone 2 initiating event.

The CDF calculated for the Unit 2 Revision 2.0 PRA model was 2.52E-51~-yr. The dominant accident sequences by initiating event were:

LOOP including SBO (25.6%);

LOCAs (1 9.4%);

Internal Flooding (20.1 %);

SGTR (1 1.8%); and Transients excluding LOOP (23.1 %).

There is not a previous Unit 2 model to which the results can be compared; however, Unit 2 can be compared to the Unit 1 results. Unit 2 CDF value is higher than the Unit I result. The Unit 2 CDF value is higher due to an increase in the LOOP and Loss of DC Power Train A initiating events. The LOOP initiating event increase is due to the Unit 2 asymmetries associated with the auxiliary feedwater (AFW) system (Unit 2 motor driven AFW (MDAFW) pump powered from Train A verses Unit 1 MDAFW pump powered from Train B) and the emergency diesel generators system (D5 and D6 have higher CCF to start probability verses D l and D2). These asymmetries result in LOOP event cutsets that have higher probabilities than the Unit 1 results. Also, since the Unit 2 MDAFW pump is powered from Train A, the Loss of DC power Train A event has a larger impact on the Unit 2 CDF results (contributes almost 9% to the overall CDF).

This initiator causes the transient portion of the Unit 2 CDF to increase to 23.1% verses 15.2% in the Unit 1 results. The internal flooding event probability remains virtually the same between the Unit 2 and Unit 1 results; however, due to the increase in Unit 2 CDF value, the contribution in the Unit 2 result is lower. This is also the case for the SGTR event.

8. Unit 1 and Unit 2 Level 1, Revision 2.1 Revision 2.1 of the Unit 1 and Unit 2, Level 1 model was completed in early 2005.

Significant changes were incorporated during this revision. Changes include:

Update to LOOP initiating event frequency including the addition of consequential LOOP; Updates to the RHR, SI, AFW, CL, CC, 125 VDC system, EDG and instrument power system fault trees; Upgrade to the HRA for key operator actions and inclusion of misalignment and miscalibration events; Updated failure data for the EDG and AFW systems; Updated common cause values for the EDG and AFW systems; and Updated internal flooding analysis.

Page 6 of 13

Exhibit E PRA Summary The CDF calculated for the Unit 1 Revision 2.1 PRA model was 1.47E-51m-yr. The dominant accident sequences by initiating event were:

LOCAs (53.5%);

Transients excluding LOOP (20.9%);

SGTR (1 4.2%);

LOOP, including SBO (9.9%); and Internal flooding (1.7%).

There was not a significant change in the overall CDF value compared with the Revision 2.0 model. However, the distribution of the accident sequences has changed significantly. The LOOP contribution decreased due to recalculation of the LOOP initiating event frequency and new EDG common cause and failure data. The LOCA contribution increased due to re-analysis of the human error actions associated with these events. The internal flooding contribution decreased due to reanalysis of the pipe break frequencies and the flows from the break. The transient contribution changed due to several reasons since it encompasses many initiating events.

Transients increased due to the addition of AFW recirculation line valve failure logic, which was added in the recent fault tree update. This added an extra failure mode for the AFW system; The normal transient contribution decreased due to the modeling addition of a factor for the percentage of time that a pressurizer PORV might lift following a transient initiating event; and The credit for the pressurizer PORV air accumulator was increased which reduced the contribution of the loss of instrument air initiating event.

The CDF calculated for the Unit 2 Revision 2.1 PRA model was 1.63E-5Im-yr. The dominant accident sequences by initiating event were:

LOCAs (48.5%);

Transients excluding LOOP (27.3%);

SGTR (1 2.8%);

LOOP, including SBO (1 0.1 %); and Internal flooding (1.5%).

There was a significant change in the overall CDF value compared with the Revision 2.0 model. The distribution of the accident sequences has also changed significantly. The LOOP contribution decreased due to recalculation of the LOOP initiating event frequency and new EDG common cause and failure data. The SGTR contribution decreased due to re-analysis of the human error actions associated with this event.

The LOCA contribution increased due to re-analysis of the human error actions associated with these events. The internal flooding contribution decreased due to reanalysis of the pipe break frequencies and the flows from the break. The transient contribution changed due to several reasons since it encompasses many initiating events.

Exhibit E PRA Summary Transients increased due to the addition of AFW recirculation line valve failure logic, which was added in the recent fault tree update. This added an extra failure mode for the AFW system; The normal transient contribution decreased due to the modeling addition of a factor for the percentage of time that a pressurizer PORV might lift following a transient initiating event; and The credit for the pressurizer PORV air accumulator was increased which reduced the contribution of the loss of instrument air and loss of A train DC initiating events.

Level 2, Revision 1.O Revision 1.0 of the Unit 1, Level 2 PRA model was completed in 1999, and was built upon the Level 1 Revision 1.0 model. In addition to the changes incorporated in the revision to the Level 1 model, this update reflected credit for the potential for hot leg creep rupture phenomenon to facilitate vessel failure at low pressure for early core damage sequences and credit for a change to the emergency procedures that greatly reduced the risk from induced steam generator (SG) tube creep rupture events (these events were not modeled in the 1.0 analysis). Also, credit for containment spray (CS) recirculation was removed from the model, since procedural guidance for operator initiation of the system in the EOPs was removed (based on a licensing-basis calculation that showed that containment pressure would be below the threshold requiring CS recirculation operation for any analyzed event after the RWST had reached low-low level).

The total release frequency (the frequency of core damage followed by containment failure) was calculated to be 8.8E-611-x-yr, giving a conditional containment failure probability (CCFP) of approximately 38%.

The decline in the total release frequency was primarily due to the decline in the Level 1 CDF (from the Revision 0 to the Revision 1 analysis). The decline was slightly less than that seen in the CDF itself due to the relatively large CDF contribution to both measures from internal flooding events. The contribution of flooding events to the total release frequency remained relatively constant at about 35% (9E-6).

LERF was quantified for the Revision 1 Level 2 model. Early core damage sequences involving containment bypass (SGTR and intersystem LOCA (ISLOCA) sequences) and containment isolation failure were considered to be those with the potential to produce a large early release. The calculated LERF was 3.8E-71m-yr. The dominant contributors to the LERF are:

ISLOCA (58% of LERF),

o Catastrophic rupture or transfer open of two series RHR Hot Leg Suction motor operated valves (MOVs) followed by operator failure to cool down and depressurize the reactor to limit RHR pump seal leakage. (41% of LERF),

Page 8 of 13

Exhibit E PRA Summary o Catastrophic rupture or transfer open of two series RHR Hot Leg Suction MOVs, or rupture of two series SI injection check valves, or one SI injection check valve and the RHR shutdown cooling isolation MOV, followed by rupture of the low pressure RHR piping outside containment. (17%);

SGTR (15%),

o STGR followed by common cause failure of either the SI pumps (to start or run) or the RWST to SI suction MOVs to open, followed by operator failure to cool down and depressurize the RCS to RHR shutdown cooling conditions. (14%);

and Transient or LOCA core damage sequences followed by early containment failure (typically through hydrogen combustion) (25%),

o AFW Pumpllnstrument Air Compressor room internal flood (1 5%),

o RCP seal LOCA involving loss of CL and Train A 4kV AC power (5%),

o Loss of secondary heat sink with failure of operator action to perform bleed and feed operation (3%), and o Medium or large LOCA with failure of Emergency Core Cooling System (ECCS) recirculation (1 %).

Level 2, Revision 1.1 No Level 2 or LERF model was developed with this designation (no update to the Level 2 models or to LERF was performed which used the Level 1, Revision 1. I model as input). The basis for this was the nearly identical nature of the Revision 1.0 and Revision 1.I Level 1 models, that is, no significant difference in the Level 2 results could exist based solely on the move to the Revision 1. I model.

Level 2, Revision 1.2 A full Level 2 revision to correspond with the Level 1, Revision 1.2 model is not yet available. However, an update to the LERF results based on the Level 1, Revision 1.2 model has been performed.

One change made to the Level 1 model incorporated in Revision 1.2 had a significant impact on the LERF results. The human error probability (HEP) for the failure of the operator to cool down and depressurize the RCS to shutdown cooling following a SGTR, originally a screening value with a very low probability, was increased by an order of magnitude. This change shifted the majority of the LERF contribution to SGTR sequences (from ISLOCA sequences).

Other than the changes to the underlying Level 1 model, the following changes were made to the LERF calculation itself:

Page 9 of 13

Exhibit E PRA Summary

1) Failure of containment isolation was modeled using a fault tree model for each unscreened containment penetration from the previous analysis. The previous LERF analysis used a point value estimate for the failure of containment isolation.

2) Core damage sequences involving early containment failure but without containment bypass (from the full Level 2 analysis) were excluded from the LERF result. As stated previously, a full Level 2 model update based on the Level 1 Revision 1.2 model has not yet been performed. In addition, these sequences had been conservatively added to the LERF calculation in the absence of certainty about whether they met an industry standard definition of large, early release that was still in development. The American Society of Mechanical Engineers (ASME) PRA Standard defines a large early release as "the rapid, unmitigated release of airborne fission products from the containment to the environment occurring before the effective implementation of offsite emergency response and protective actions".

Under this definition, it is not clear that these early containment failure sequences actually would lead to large early releases, since containment is not directly bypassed. The IPE source term analysis showed only the containment bypass events (induced-SGTR, ISLOCA) to result in the highest releases of volatile (non-noble gas) radionuclides. SGTR events also involved large releases of volatile~, but was considered to be a late release. Containment isolation failure sequences involved early releases but the magnitude of the volatiles was categorized as medium. Also, the majority of these sequences were assumed to lead to early containment failure due to very conservative treatment of the hydrogen combustion phenomenon. However, position papers created for the IPE conclude that, even assuming worst-case hydrogen production conditions post core damage, pressures developed within the containment following a detonation of the hydrogen would not approach the ultimate failure pressure of the containment shell itself. Evidence also exists that ignition sources energetic enough for detonation of the hydrogen do not exist within the containment. Even if containment failure were to occur by this mechanism, it is likely that the timing of the failure would be later than that specified in the LERF definition (time for implementation of protective action recommendations from the emergency plan response would be available due to the additional time required to pressurize containment to its ultimate failure pressure). Therefore, the non-bypass early containment failure sequences were excluded from the LERF calculation (SGTR and containment isolation failure sequences were left in).

The calculated LERF for Revision 1.2 was 6.9E-7lrx-yr. The dominant contributors to the LERF are:

SGTR (87% of LERF),

o STGR followed by common cause failure of either the SI pumps (to start or run) or the RWST to SI suction MOVs to open, followed by operator failure to cool down and depressurize the RCS to RHR shutdown cooling conditions. (69% of LERF);

ISLOCA (13%),

Page 10 of 13

Exhibit E PRA Summary o Catastrophic rupture or transfer open of two series RHR Hot Leg Suction MOVs, or rupture of two series SI injection check valves, or one SI injection check valve and the RHR shutdown cooling isolation MOV, followed by rupture of the low pressure RHR piping outside containment. (9%),

o Catastrophic rupture or transfer open of two series RHR Hot Leg Suction MOVs followed by operator failure to cool down and depressurize the reactor to limit RHR pump seal leakage. (4%); and Core damage sequences followed by failure of containment isolation (0.2%),

o AFWIlnstrument Air Compressor room internal flooding, RCS PORV air accumulators insufficient for bleed and feed operations, two series air operated valves (AOVs) fail to close due to CCF (Containment penetrations 11, 20, or 26)

(0.07%), and o SLOCA, master relays SIA-A1 and SIA-Bl fail to energize (0.02%).

Level 2, Revision 2.0 A full Level 2 revision to correspond with the Level 1, Revision 2.0 model is not yet available. However, an update to the LERF results based on the Level I, Revision 2.0 model has been performed.

One change made to the Level 1 model incorporated in Revision 2.0 had a significant impact on the LERF results. The removal of the BAST as a supply source to the SI pump suction logic significantly reduced to contribution of the SGTR event to the LERF result.

Other than the changes to the underlying Level 1 model, the following changes were made to the LERF calculation itself:

The containment isolation failure logic modeling (gate 1 CIF and 2CIF) was expanded to include catastrophic leakage from the equipment hatch door, the fuel transfer tube, and open personnel or maintenance airlock doors.

The calculated LERF for the Unit 1 Revision 2.0 was 3.88E-7Im-yr. The dominant contributors to the LERF are:

SGTR (76% of LERF),

o STGR followed by common cause failure of the SI pumps (to start or run),

followed by operator failure to cool down and depressurize the RCS to RHR shutdown cooling conditions. (28% of LERF);

ISLOCA (23% of LERF),

o Catastrophic rupture or transfer open of two series RHR Hot Leg Suction MOVs, rupture of two series SI injection check valves, or one SI injection check valve and the RHR shutdown cooling isolation MOV, followed by rupture of the low pressure RHR piping outside containment. (1 1% of LERF),

Exhibit E PRA Summary o Catastrophic rupture or transfer open of two series RHR Hot Leg Suction MOVs followed by operator failure to cool down and depressurize the reactor to limit RHR pump seal leakage. (7% of LERF); and Core damage sequences followed by failure of containment isolation (1 % of LERF),

o AFWIlnstrument Air Compressor room internal flooding, RCS PORV air accumulators insufficient for bleed and feed operations, two series AOVs fail to close due to CCF (Containment penetrations 11, 20, or 26) (0.3% of LERF), and o SLOCA, master relays SIA-A1 and SIA-B1 fail to energize (0.08% of LERF).

The calculated LERF for Unit 2 Revision 2.0 was 3.90E-7lrx-yr. The dominant contributors to the LERF are:

SGTR (76% of LERF),

o STGR followed by common cause failure of the SI pumps (to start or run),

followed by operator failure to cool down and depressurize the RCS to RHR shutdown cooling conditions. (28% of LERF);

ISLOCA (23% of LERF),

o Catastrophic rupture or transfer open of two series RHR Hot Leg Suction MOVs, or rupture of two series SI injection check valves, or one SI injection check valve and the RHR shutdown cooling isolation MOV, followed by rupture of the low pressure RHR piping outside containment. (1 1 % of LERF),

o Catastrophic rupture or transfer open of two series RHR Hot Leg Suction MOVs followed by operator failure to cool down and depressurize the reactor to limit RHR pump seal leakage. (7% of LERF); and Core damage sequences followed by failure of containment isolation (1 % of LERF),

o AFWllnstrument Air Compressor room internal flooding, RCS PORV air accumulators insufficient for bleed and feed operations, two series AOVs fail to close due to CCF (Containment penetrations 11, 20, or 26) (0.3% of LERF).

Level 2, Revision 2.1 A full Level 2 revision to correspond with the Level 1, Revision 2.1 model is not yet available. However, an update to the LERF results based on the Level 1, Revision 2.1 model has been performed. Other than the changes to the underlying Level 1 model, there were no changes made to the LERF model.

The calculated LERF for the Unit 1 Revision 2.1 was 5.74E-71rx-yr. The dominant contributors to the LERF are:

SGTR (54.4% of LERF),

o STGR followed by common cause failure of the SI pumps (to start or run),

followed by operator failure to cool down and depressurize the RCS to RHR shutdown cooling conditions; and Page 12 of 13

Exhibit E PRA Summary ISLOCA (45.2% of LERF),

o Catastrophic rupture or transfer open of two series RHR Hot Leg Suction MOVs followed by operator failure to cool down and depressurize the reactor to limit RHR pump seal leakage, and o Catastrophic rupture or transfer open of two series RHR Hot Leg Suction MOVs, or rupture of two series SI injection check valves, or one SI injection check valve and the RHR shutdown cooling isolation MOV, followed by rupture of the low pressure RHR piping outside containment.

The resulting LERF is higher than the Revision 2.0 model because the recent HRA updates for the Revision 2.1 model resulted in a higher failure probability for the operator actions to cooldown and depressurize the RCS. This resulted in a higher contribution from the ISLOCA sequences and consequentially, a higher LERF value.

The calculated LERF for the Unit 2 Revision 2.1 was 5.74E-71rx-yr. The dominant contributors to the LERF are:

SGTR (54.4% of LERF),

o STGR followed by common cause failure of the SI pumps (to start or run),

followed by operator failure to cool down and depressurize the RCS to RHR shutdown cooling conditions; and ISLOCA (45.1% of LERF),

o Catastrophic rupture or transfer open of two series RHR Hot Leg Suction MOVs followed by operator failure to cool down and depressurize the reactor to limit RHR pump seal leakage, and o Catastrophic rupture or transfer open of two series RHR Hot Leg Suction MOVs, or rupture of two series SI injection check valves, or one SI injection check valve and the RHR shutdown cooling isolation MOV, followed by rupture of the low pressure RHR piping outside containment.

The resulting LERF is higher than the Revision 2.0 model because the recent HRA updates for the Revision 2.1 model resulted in a higher failure probability for the operator actions to cooldown and depressurize the RCS. This resulted in a higher contribution from the ISLOCA sequences and consequentially, a higher LERF value.

Page 13 of 13

Exhibit F Peer Review Certification of the Prairie Island Nuclear Generating Plant Probabilistic Risk Assessment The Peer Review Certification of the Prairie Island Nuclear Generating Plant (PINGP) probabilistic risk assessment (PRA) performed by the Westinghouse Owners Group (WOG) during the period of September 25 - 29, 2000 resulted in five Findings and Observations (F&O) with a significance level of "A" and 32 F&O with the significance level of "B". The significance levels of the WOG Peer Review Certification process have the following definitions:

A - Extremely important and necessary to address to ensure the technical adequacy of the PRA, the quality of the PRA, or the quality of the PRA process.

B - Important and necessary to address, but may be deferred until the next PRA update.

The F&O with the significance levels of " A and "9" were reviewed, dispositioned and documented before the EDG Completion Time Extension License Amendment Request (LAR) was submitted. The following table provides a summary of the significance levels A and B F&O and the corresponding resolutions. The designators of the F&O are as follows:

IE -

Initiating Event AS - Accident Sequence Analysis TH - Thermal Hydraulic Analysis SY - System Analysis DA - Data Analysis HR - Human Reliability Analysis DE - Dependency Analysis QU - Quantification MU - Mainten ance and Update Page 1 of 33

Exhibit F Peer Review Certification Page 2 of 33 Impact on EDG Completion Time The PRA model was changed as a result of this go and any impact on the results are already reported in the LA^.

Significance B

Observation Several items were identified relative to initiating event identification and grouping.

(1) The basis for excluding from the model challenges to the PORVs post reactor trip is not adequately explained. This affects the initiating event grouping for Events 2, 8, 10, 16, 18, 19. Additionally, the model does not appear to directly consider the consequences of a stuck open PORV (no actual transfer to the Small LOCA ET). Though the plant has not actually experienced a PORV opening following a transient, this does not provide a sufficient basis for concluding that PORVs will not open for all initiators in this class. Appendix D writeup (D.12) shows that the PORV-related event frequency contribution is small (4.17E-5) and encompassed by the contributions from other Small LOCAs. However, the new (Rev 2) LOCA frequency for S2 is 6E-5, so Stuck Open PORVs are no longer small contributors to this class.

(2) Random RCP seal failure (i.e., a random failure resulting in RCP seal leakage greater than normal makeup capability) was not included in the IE frequency for small LOCA. Such potential random RCP seal failures Item 1

Status & Resolution CLOSED -

A transfer was added to the small LOCA event tree from a stuck Open following a normal transient. A Random RCP seal LOCA frequency was obtained from NUREGJCR-5750, "Rates of Initiating Events at U.S. Power Plants: 1987 - 1995 and added as a transfer to the small LOCA event tree.

The third issue with the T2 initiator comes from the proposed model and documentation (by a contractor). We are not using that information in the updated model. All initiators used in the original model (I-TRI, I-TR2, I-TR3 and I-TR4) are inputs into the transient event tree.

F&O IE-I,

sub-element 4

IE-4, sub-element 13 Observation have been assessed at frequency in range 1 E-3 to 5E-3 by various sources. This event has been neglected in the IE selection. The updated PI PRA frequency for S1 due to other than random RCP seal LOCA is 5E-3. This is comparable to frequency of random RCP seal LOCA, so the event should be considered.

(3) The T2 initiator (without a stuck open PORV) does not appear to be an input into the transient event tree sequences.

The dual-unit LOSP initiator frequency calculation in file V.SMD.96.005 (Recalculation of LOSP Initiator) appears to be in error. The calculation divides LOSP into PLC (plant centered), Weather (WRL) and Grid Loss (GRL) events, which is correct.

Prairie Island has had 2 dual unit LOSP events in it's 2lyear history (as of 1996 when file was made). In calculating the exposure time, the calc assumes 42 plant years for PI, because it counts unit 1 and unit 2 separately (to be consistent with the generic LOSP data). The resulting Bayesian updated dual-unit LOSP frequency is 0.0316. But if the units are counted individually, then it must be considered that a dual unit LOSP Significance Status & Resolution CLOSED -

The LOOP initiator frequency was updated using a plant specific Bayesian update with current industry and NRC data through 2003.

Impact on EDG Completion Time The PRA model was changed as a result of this F&O and any impact on the results are already reported in the LAR.

Page 3 of 33

IE-6, sub-element 16 Observation at unit 2 affects unit 1, as opposed to the way it was calculated, which effectively assumes unit 1 and unit 2 are two different sites. Therefore, the WRL and GRL frequencies must be doubled because a dual unit LOSP at unit 2 affects unit 1.

Alternatively, the PI site could be considered as a single unit and there would be 2 failures in 20 site-years.

This would be in conflict the generic data and would require modification of the generic exposure time.

Bayesian update was used for LOSP frequency. The Bayesian update algorithm used is very sensitive to the error factor chosen for the generic data. The mean value for the generic prior distribution for LOSP was 0.01 81 with an EF of 1.4. The plant specific data shows that 2 LOSP events have occurred in 25.7 site years (corresponding to a plant-specific point estimate of 0.0788lyr). However, the updated mean calculated using the Bayesian code and these values is.0187 - which hardly moves the prior mean at all. If the EF on the prior were changed to 5, then the updated mean would be.044/yr, apparently more reflective of the plant experience.

The reviewers believe that several calculational mistakes were made in i

Significance Status & Resolution No action was taken on this F&O, as the calculation is not used in any of the current models and will never be used.

Impact on EDG Completion Time No impact.

Page 4 of 33

Page 5 of 33 Impact on EDG Completion Time No Impact.

Item 4

Significance B

Status & Resolution CLOSED -

No action was taken on this F&O, as the calculation is not used in any of the current models and will never be used.

F&O IE-8, sub-ele~ent 13 Observation this analysis.

1) the EF of the prior is calculated assuming that a chi-squared distribution represents the generic data, based on 43 events. This produces a very low EF, since this process ignores the site to site variability.

2) the Bayesian update algorithm used is sensitive to the choice of EF.

3) if the EF on the prior actually was 1.4, then uncertainty bounds of prior and plant specific data would not overlap and it could be said that the prior is not from the same data base as the plant specific.

The latest LOSP report from INEL (NUREGICR-5496) provides a generic mean across the country of.05/yr.

The PRA should be able to defend the derivation of a value significantly less than this.

This comment was generated by a review of the failure database being developed for PRA Rev 2.

The reviewers identified several concerns with the data reduction for LOSP. The LOSP frequency as calculated by this work is 0.0181. The LOSP as calculated by INEL in NUREGICR-5496 is 0.05. This discrepancy is large considering the importance of the event to the overall

PRA results. In addition:

I)

More than 75% of the events in the EPRl database (EPRI-TR-106306) have been screened out as not being applicable. The reviewers checked the screening assessments for several events. In several cases the screening criteria seemed optimistic and used the clause that "power could have been restored if necessary", or "if this event happened at power, OSP

[offsite power] would have been restored". Other times it was stated that an error occurred at shutdown that could not occur at power. The screening of events appears to have been too optimistic about events at shutdown that were assumed to not be possible at power.

Significance

2) The data base screens out all but 56 events. However, the LOSP frequency is calculated as 43 eventst2347 yrs. There is no explanation of the difference between 56 events and 43 events.

Observation Item

3) The basis for the exposure time of 2347 reactor-years is unclear. In the RIF component database the accumulated operating time is listed as 2546 licensed years, 2472 critical years and 2402 commerical years. If there have been 2402 commercial years of operation, at an average availability factor of 80%, there should F&O Impact on EDG Completion Time Page 6 of 33

Page 7 of 33 Impact on EDG Completion Time The PRA model was changed as a result of this F&O and any impact on the results are already reported in the M R.

The PRA model was changed as a result of this F&O and any Significance B

B Observation be 1920 full power years of operation, not 2347. The "2347 reactor years" used for the LOSP calculation obviously includes the time spent at shutdown. If all refueling LOSP events are removed from the failure list, then the time spent at shutdown should also be removed from the exposure time.

The reviewers did not find a discussion of dual unit initiators and subsequent station response, although at least one such initiator (dual-unit loss of offsite power) is identified and an associated frequency is included among the initiating events.

After the review, Prairie Island PRA personnel clarified that three potential dual-unit initiating events were identified: Loss of Offsite Power, Loss of Instrument Air, and Loss of Cooling Water. Of these, only loss of offsite power is modeled as a dual-unit event affecting unit 1 (i.e., an event for which the status of the opposite unit is considered in the accident sequences with respect to availability of opposite unit equipment). The others are not so treated, because their baseline CDF contribution (when considered as single-unit events) is relatively small.

Given the dependence of primary and secondary pressure relief on Item 5

6 Status & Resolution CLOSED -

At the time of the review, a dual unit model did not exist. A dual unit model was created that includes dual unit initiator fault tree modeling for loss of instrument air, loss of cooling water and LOOP.

A detailed initiating event fault tree was created for loss of F&O AS-6, sub-

~

~

~

~

e n

t 4

AS-&

sub-

Page 8 of 33 Item 7

F&O element 10 AS-1 sub-element 8

Observation instrument air, the loss of instrument air event should be discussed, and possibly modeled, independently of other transient events. The primary PORVs or possibly the primarylsecondary safety valves may lift to provide pressure relief in this scenario (loss of IA). This may be a unique enough plant response to warrant special treatment. In addition, challenging these valves results in an increase in the S2 LOCA or steam line break initiating event frequency.

The General Transient event tree (Figure 4.2 in the Accident Sequence notebook) shows that if a consequential PORV LOCA occurs, a transfer is made to the S1 LOCA event tree. The S1 LOCA size range has been defined as 318" to - 1" (actually 718"). However, the equivalent flow area for a primary PORV is expected to be larger than this, and should probably be considered in the S2 LOCA category.

Additionally, the transfer for the MSLB scenario is not included in the Rev.

1.1 model.

Significance B

Status & Resolution instrument air.

CLOSED -

The PRA model was changed such that standard industry LOCA sizes were used. (318 -

2' for small LOCA, 2 - 6 " for medium LOCA and >6" for large LOCAs). The PORV LOCA transfer goes to the correct LOCA tree and the MSLB PORV LOCA transfer was also added.

Impact on EDG Completion Time impact on the results are already reported in the MR.

The PRA model was changed as a result of this F&O and any impact on the results are already reported in the LAR.

Page 9 of 33 Impact on EDG Completion Time No Impact.

This F&O has been resolved and incorporated into the Prairie Island PRA model used to perform the extended EDG Completion Time analysis.

The PRA model was changed as a result of this F&O and any impact on the results are already reported in the LAR.

This is a documentation enhancement issue and has no impact on the PRA model Status & Resolution CLOSED -

The steam generators at Prairie Island are designed such that the tubes can withstand full system dp across the tubes from the primary or secondary sides without sustaining any consequential tube ruptures.

Because of this, the consequential tube rupture event following a primary or secondary depressurization was not modeled.

CLOSED -

The steam generator that has a steam line break upstream of the MSlV OR has a MSlV that fails to close on a steam line break downstream of the MSlV will be failed. The model was changed so that AF is isolated to a faulted SG.

CLOSED -

No action was taken on this F&O, as this documentation is Significance B

B C (items 1-5)

B (items 6-12)

Observation Consequential steam generator tube rupture (i.e., SGTR resulting from a transient that causes a large pressure differential across the steam generator tubes, such as steamline rupture or inadvertently opened and stuck secondary side relief or safety valve) is not modeled in the accident sequences.

The possibility of this consequential event should be addressed in the PRA.

The success criteria for AF are incomplete for Steam Line Break Events. Specifically, they do not include the requirement to isolate flow to the faulted SG.

These observations relate to the Revision 2. Event Tree Notebook Item 8

9 10 F&O sub-

&rnent 8

AS-141 sub-element 17 AS-1S1 sub-element

Page 10 of 33 Impact on EDG Completion Time used for the LAR.

Item Observation provided in the peer review package.

Documentation detail is limited in some areas, and should be expanded.

Actually, some of these details already exist in the previous layer of notebooks; it would be useful to capture this information in one ET notebook to assure completeness and consistency is obtained and maintained for the future updates.

Specific observations noted are as follows (some references are specifically to the SGTR event tree discussion, but may also be applicable to other initiating events):

1. Event progress is not described in detail (ESDs do not have much more information content than ETs; they do not make up for the lack of detailed description of the event, nodes, operator actions, EOPs involved, etc.).

2.

Top event descriptions are not detailed (SG isolation appears to be consisting of MSlV closure only. What about operator actions, termination of A W flow in to the faulted SG etc).

3. Top events with operator actions are not clearly delineated and the dependence among top events is not indicated.

4.

References to EOPs are not F&O 3

Significance Status & Resolution not used in any of the current models and will never be used.

The event tree notebooks have been recently improved to strengthen the documentation.

Page 11 of 33 Item Observation complete (in which EOP(s) and by what means does the operator identify and isolate a faulted SG?)

5. There should be a one-to-one correspondence between the items listed in section 4.1 0 and Appendix D. A summary table may do it.

6. Why is there no SGTR-W branching when SGTR-ST1 fails in the SGTR event tree (there is one in the ESD) ?

7. Give guidance on what happens to sequences that branch into other ETs and end successfully there: for example SGTR has a transfer into ATWS and is successful; is it a success, or simply truncated because it is low frequency? What is the criteria for terminating event tree to event tree looping?

8. MS-FLB events need to be discussed; they have an additional event tree node of "failure to isolate faulted SG",

which makes the event tree different from the transient ET.

SBO event tree needs to be discussed.

9. Where are the "qualitatively assessed" items in ESDs?

10. What is the process that transfers F&O Significance Status & Resolution Impact on EDG Completion Time

AS-1 8, sub-element 10 Observation the system success criteria and operator action definition/success/dependence information from Section 4 and Appendix D to the system analysts and HRA analysts? A couple of summary tables may be used to organize the "work orders" generated for the system and HRA analysts.

1 1. What about stuck open pressurizer PORV after a LOSP event? (maybe after a loss of MFW event also?!) Generic T&H analyses show that the PORVs are challenged after a LOSP event.

12. What happens to the events with RCS break flows that are less than makeup capacity; how long does the CVCS have to run; what happens if CVCS fails; What is the underlying assumption in not modeling them with an event tree (small frequency?) ?

Two steam generator tube rupture modeling items were noted:

The dependency between having a faulted SG following a SGTR with overfill and a stuck open relief valve and the top gates for depressurization and AF are not considered in the SGTR development. The AF top logic Significance Status & Resolution CLOSED -

The initiating event for SGTR has been added underthe respective SG gate and SG PORV gate. Therefore, the fault tree logic was modified as to fail the ability to feed and depressurize the ruptured SG.

Impact on EDG Completion Time The PRA model was changed as a result of this F&O and any impact on the results are already reported in the LAR.

Page 12 of 33

)r u C a, a Fu 2 ti :

2 I:

g s 0 %

2 2 n E!

c u m

.t U)

F m U

a, U

U

([I E!

a, 3

r 0

u m -

I 3

o E J

8s 6 5 a

m L

.s 2 e

m m.r

$C U a U) 5 %

o a, 2 b U, 3 %

u ),

k g c, a 0.2 g

F U 7 I

$ 2 I-U)

CV 7

C 0.-

u Q, - e 0

0 0

n W

5 u

0 m Q, e;

C 0

a-u J -

0 V)

L?

d V) 3 5

cn 3

C m

!E C

rn i7j 5

+

E a

a a

0 0

d u

E Q,

u -

ELL Y-U)

U) 0

0)

)r:

-D a

B g z $ =

u u

a, a ct $2: 2 a,=,,

I 3 g n v, m a,

a ~ r, u u'Z2 g

o 0 Q) ([I Yc 0 m - c i

a

~

~

~

~

o

$5 8 a 3 2 2 0 3 u,d., g t k e a o.G

+

m u

v a, m ~ b g. g e % l s s u L~ or--s'+"

y o k c. 0 c - a, ("m.5 Q

)

Y

~

LI-m o s o z z s o 8 F c n ^ o ! ! f c ~

g L L u c E! z s u

U ) c a, "u-c a,

, + S $

• a, %. %

a a a z Y a

$ d gb,aXs tan. g ~ n - -

~

~

)

a r

n

~

~

C3 m. 2 0 -

m 2 - +

+

g k

d 8:s 8.8 8 gp CZ L+.V).Y a,

" 0 ) c m

" 9 cn^c r e

~ C " ~ Z L $ U I

& g g, b 5 L u a,cCU-

. c ~ L m g $

5 0

~

a = 3 c

~ ~. ~ ~ a g. G

~ + 5 =

~8 m,+o C = 2; a,%

a E p ~JJ+~ g, a o o, c n ~ O ) S s g Z e n c g2.g r o m a L L a, O C N

zcucua, 2. 9, c.g

.cu a, u " r. O

, c c c p - j z = @ O ) U. g 0

@ a, a 3 0 a, s n 0 ) s 0 ) g 5 c ~ u ; p c 2 g ~ % - o LL 2,, %. g $, i L a,Cm5g Or a,

.- gg 6 e g a,

m + x n a, Q O U,. ~ a, E-a 3 0 0 0

" ' ~ w = ~ % U 0 -g5 s g s g a u z 2 z z b - $

a a, + 0. ! = 2 5 I- '8%: 0

~

2

~

~

~

~

e

~

~

s g

W U. E a, L 5 8 -

a, 5 " a, s a, n c a 0 c j % * ~ s. ~. ~

Q Z ~, O).eazs 0 2 a)= 3 g, ~ ~. e ! e : : f gee.. g,-

F-o a, a, o

m m 2 u = + +. -

L + U nl, a, 0, o 0)"2.V)$O 0)SS 2s=.=

c; 0

([I E -

0 z

+

d 0

v,c 2

5. g ~

a, r r t L z.2 3 a,

, s 0 >

x z a, ?

5

$'E ([I.'"

a, mogg 3 04, OZLL 3 E E'

s E m.o 3 +

([I 5 5 8 -2

([I 0

for high pressure recirculation is the only local critical step in the recirculation procedure. This local step is the reason that timing is so critical.

sub-element 4

Observation Item The LOCA break size definitions for the PlNGP PRA are based on different criteria than those for most other PRAs. This would be acceptable if the underlying analyses provided sufficient basis for the definitions, but it appeared that the available analyses do not adequately support the selected definitions.

F&O The following is a comparison of the definitions and their bases, with focus on the injection phase, as discerned from the Event Tree Success Criteria notebook:

PlNGP PRA S1 (Small LOCA category 1) = breaks that are too large to be accommodated by the normal charging system and too small to provide adequate decay heat removal through the break; range defined as 318" to - 1 " diameter breaks.

PlNGP PRA S2 (Small LOCA category 2) = breaks that do not depressurize to within the low head injection system capability but are within the capability of the high head injection system, and that are I Sianificance I Status & Resolution I Impact on EDG Completion I CLOSED -

The PRA model was changed such that standard industry LOCA sizes were used. (318 -

2' for small LOCA, 2 - 6 " for medium LOCA and >6" for large LOCAs). SI Accumulators were added to the large LOCA event tree success criteria.

The PRA model was changed as a result of this F&O and any impact on the results are already reported in the LAR.

Page 15 of 33

Page 16 of 33 Impact on EDG Completion Time Status & Resolution Significance Observation sufficiently large to provide decay heat removal via the break; range defined as - 1" to 5" diameter breaks.

TYPICAL PRA Small LOCA = breaks that are too large to be accommodated by the normal charging system and too small to depressurize to the high head injection setpoint sufficiently rapidly to avoid the need for decay heat removal; typically 318" to 2" diameter breaks.

PlNGP Medium LOCA = breaks that are sufficiently large to depressurize to the shutoff head of the RHR pumps but small enough to be within the capability of the high head injection system, with decay heat removal via the break; range defined as 5" to 12" diameter breaks.

TYPICAL Medium LOCA = breaks that are sufficiently large to depressurize to the high head injection setpoint but for which pressure remains above the RHR pump shutoff head, with decay heat removal via the break; typically 2" to 6" diameter breaks.

PlNGP Large LOCA = breaks beyond the capability of the high head injection system but which do not require accumulator injection, with decay heat removal via the break and Item F&O

Page 17 of 33 Impact on EDG Completion Time Status & Resolution Item Observation shutdown reactivity insertion via borated injection; range defined as 12" and greater but less than the design basis LOCA break size.

PlNGP DBA Large LOCA = break size for which accumulator injection is required in addition to low head injection; range defined as the design basis break size.

TYPICAL Large LOCA = breaks that are sufficiently large to depressurize to the RHR pump shutoff head, with decay heat removal via the break and shutdown reactivity insertion via borated injection; typically > 6" diameter breaks.

Among the implications of the above are the following:

The PlNGP PRA S1 SLOCA plant response and modeling should be similar to the SLOCA response and modeling for typical plant PRAs.

The PlNGP PRA S2 SLOCA plant response and modeling should be similar to the MLOCA response and modeling for typical plant PRAs.

The PlNGP PRA MLOCA assumes that a single train of high head injection can mitigate what is equivalent to the low end of the large LOCA size range for typical plants, for which high head injection is normally F&O Significance

( Item I F&O

( Observation 1 Significance 1 Status 8 Resolution 1 Impact on EDG Completion TH-13, sub-element 1

not credited.

The PlNGP PRA LLOCA (non-DBA) plant response and modeling differs from the LLOCA response and modeling for typical plant PRAs in that it does not include a requirement for accumulator injection; the LLOCA DBA plant response and modeling is equivalent to that for typical PRAs.

The Success Criteria notebook provides some perspective on the rationale for what was done.

However, the guidance reviewed does not explicitly state the approach to be used for determining the need for and types of thermallhydraulic calculations necessary to support the PRA success criteria. Several instances have been noted (in other F&Os) for which detailed analyses have been required, and the MAAP code was used without sufficient justification or check for applicability.

discussion, with references to engineering calcs, regarding the need for cooling for each such room.

However, in some cases, it is not 16 CLOSED -

The Success Criteria notebook is in the process of update in order to incorporate this documentation.

CLOSED -

The Safeguards Ventilation system notebook has been updated in order to incorporate this documentation.

TH-16, sub-eIement 8

This is a documentation enhancement issue and has no impact on the PRA model used for the M R.

This is a documentation enhancement issue and has no impact on the PRA model used for the M R.

As described in the Safeguards Ventilation System Notebook, room cooling requirements have been addressed for the equipment modeled in the PRA. This notebook presents a Page 18 of 33 B

Page 19 of 33 Impact on EDG Completion Time The PRA model was changed as a result of this F&O and any impact on the results are already reported in the LAR.

Item 17 Significance B

Status & Resolution CLOSED -

The PRA model was changed to ensure that ECCS flow and SI accumulators are failed to the RCS loop that is experiencing the LOCA.

F&O TH-17, sub-

&m~ent 4

Observation clear that the rationale provided for not modeling room cooling is sufficient. For example, for the Relay Room, it is stated that analyses have shown that it is necessary to maintain the temperature below 120 deg F, but that room heatup analysis showed that the temperature would reach 120 deg F at 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br />. Then the statement is made that "This provides sufficient time for the operator to perform the corrective actions per C37.9 AOP2." While there may indeed be sufficient time to perform corrective actions, there is no guarantee that the actions will be performed. Since the temperature exceeds the allowable equipment temperature well within the PRA mission time, there is a dependency on room cooling for this room that should either be modeled or more carefully analyzed.

The fault tree model, for large, medium, and some small S2 LOCAs, credits ECCS flow to the faulted loop.

Unless thermal-hydraulic analyses exist to provide a basis for this, it would be expected that the injection path associated with the faulted loop is unavailable, and only the remaining path would be available for success.

The success criterion should be 1 of 2 pumps to the single intact RCS loop.

l tem SY-2, sub-element 5

SY-4, sub-element 7

SY-7, element Observation The corrective maintenance unavailability basic event for the 120VAC IP Inverters is modeled incorrectly in the Fault Tree. As modeled, with an inverter out of service, the fault tree still allows power to be supplied from the alternate AC source through the inverter to the instrument panel. The same comment may also apply to other inverter (and output breaker) failure models in the PRA.

The 120 VAC Model does not include failures of the 120 VAC Panel (bus faults). These are normally modeled in most PRAs.

As described in the Safeguards Ventilation System Notebook, room cooling requirements have been addressed for the equipment modeled in the PRA. This notebook presents a discussion, with references to engineering calcs, regarding the need for cooling for each such room.

However, in some cases, it is not clear that the rationale provided for not modeling room cooling is sufficient.

For example, for the Relay Room, it is stated that analyses have shown that 1 it is necessary to maintain the Significance CLOSED -

The AC instrument power fault tree was changed such that the corrective maintenance event was moved higher in the fault tree so that it fails all power supplies that feed the instrument bus through the inverter.

Status & Resolution CLOSED -

Instrument panel bus faults were added to the model.

Impact on EDG Completion Time The PRA model was changed as a result of this F&O and any impact on the results are already reported in the M R.

The PRA model was changed as a result of this F&O and any impact on the results are already reported in the LAR.

Page 20 of 33 CLOSED -

The Safeguards Ventilation system notebook has been updated in order to incorporate This is a documentation enhancement issue and has no impact on the PRA model used for the M R.

Page 21 of 33 Impact on EDG Completion Time Item Significance Status & Resolution F&O Observation temperature below 120 deg F, but that room heatup analysis showed that the temperature would reach 120 deg F at 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br />. Then the statement is made that "This provides sufficient time for the operator to perform the corrective actions per C37.9 AOP2."

While there may indeed be sufficient time to perform corrective actions, there is no guarantee that the actions will be performed. Since the temperature exceeds the allowable equipment temperature well within the PRA mission time, there is a dependency on room cooling for this room that should either be modeled or more carefully analyzed.

As another example, for the rooms housing 120VAC Instrument Power equipment, there is no discussion of ventilation requirements in the notebook. The equipment survivability discussion notes that room cooling is required, and that 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> are available following loss of ventilation to re-establish ventilation. However, actions to open doors or re-establish cooling are not modeled in the fault tree.

One editorial problem also pertains to the ventilation modeling. Assumption 5 in the SI system notebook states that room cooling is not required for SI in injection mode, but the assumption

Page 22 of 33 Impact on EDG Completion Time The PRA model was changed as a result of this F&O and any impact on the results are already reported in the LAR.

The PRA model was changed as a result of this F&O and any impact on the results are Status & Resolution CLOSED -

The pressurizer PORV air accumulator has been added to the feed and bleed model.

The failure probability assigned is high (0.9),

as the accumulator is not specifically designed for feed and bleed use.

CLOSED -

The operating hours for D5 and D6 were corrected. The Significance B

B Observation does not address recirculation mode.

The room heatup calculation actually assumed sump recirculation mode, and that should be noted in the notebook.

The PORV Fault Tree for Feed &

Bleed is applied in sequences involving initiators that would cause containment isolation on an S signal.

The fault tree takes no credit for the PORV accumulators to allow the PORVs to be used after isolation of the air supply, and also takes no credit for operator action to re-establish air to the containment. As a result, the model assumes failure of both PORVs when air is isolated to containment.

As a result of the assumption that the PORV accumulators are not sufficient for Feed and Bleed in scenarios involving an S signal, the model appears to be overly pessimistic regarding credit for feed & bleed.

FR.H. 1 Step 1 1 provides direction to the operators to re-establish air to containment, so consideration should be given to modeling this action, along with associated valve failure probabilities.

The operating hours for the D5 and D6 diesels were not calculated Item 21 22 F&O SY-I79 sub-elef~~ent 13 DA-3, sub-element

Page 23 of 33 Item 23 F&O 7

DA-51 sub-ekfnent 8

Observation correctly. In file V.SMD.95.007, the exposure time for the planned maintenance (PM) and corrective maintenance (CM) unvailablilites is stated as 175,344 hours0.00398 days <br />0.0956 hours <br />5.687831e-4 weeks <br />1.30892e-4 months <br />. This is the same exposure time as for DllD2, and appears to be the full 11 years of operation in the database. D5 and D6 were not installed until 1993. The exposure time the CM and PM for D5 and D6 should be about 24,000 hr.

This increases the PM and CM unavailabilities by a factor of 4.

(The exposure time for fail to start and fail to run is calculated correctly.)

The common cause failure modeling was based on methods and data in NUREGICR-4780. Although the methods in this document are still valid, the CCF factors (numerical values) are based on plant experience and judgment prior to 1988.

NUREGICR-6268 (INEL) is a more current source of common cause data and should be used in the next update. There are several beta factors in the current model that are 0.1 to 0.4 in value. (RHR, Containment Sprays, Fan coolers). In light of the more recent data in NUREGICR-6268, these beta values are high and should be revised.

Status & Resolution plant specific data for all EDG has recently been updated to reflect operating history from 1994 - 2004.

OPEN -

The majority of the common cause factors are still calculated using methods from NUREGICR-4780. Recently, the CCF factors for the EDG and AFW systems were recalculated using the guidance from NUREGICR-6268. It is planned to use this new guidance to update all CCF factors by the end of 2005.

Significance B

Impact on EDG Completion Time already reported in the LAR.

The PRA model was changed as a result of this F&O and any impact on the results are already reported in the MR.

Page 24 of 33 Impact on EDG Completion Time The PRA model was changed as a result of this F&O and any impact on the results are already reported in the MR.

No Impact.

Item 24 25 F&O DA-6, sub-e b - t - ~ e ~ ~

2 DA-8, sub-Status & Resolution OPEN -

The data updated in 1995 was for the systems that are the main drivers of risk. Plant specific data will be updated as needed for risk significant systems. The AFW and EDG system data was recently updated to include plant specific data from 1994 -

2004. The remaining systems will be updated by the end of 2005.

CLOSED -

The NRC issued this same Observation Plant specific data used to support PRA Rev. 1 was collected for the IPE in 1988. Generic failure rates were used extensively in the IPE. In 1995, an updated data collection was performed for AFW pumps, DG's, Air compressors, Cooling water pumps, SI pumps, and RHR pumps, which were selected on the basis of risk-significance to the PRA results. A larger data development effort is underway for Rev 2, but this still limits the plant specific data period to 1995.

The observed status of the use of plant-specific data, given the above, is the following:

(a) 6 components in the Rev. 1 PRA have failure rates based on plant-specific data through 1995; (b) a limited number of other components in Rev. 1 have failure rates based on plant-specific data through 1988; (c) most of the failure rates in Rev. 1 are generic; (d) after the Rev. 2 update, data will only be current through 1995.

The reviewers believe the PRA relies too heavily on plant data that is not sufficiently current with the as-operated plant.

Notebook V.SMN.92.028 states that Significance B

B

4kv breakers are included in the fault tree models but are not common caused together because the the components supplied by the breakers already include any breaker common cause failures that have occurred.

The component boundaries for all components fed by these breakers (pumps, buses) should be consistent so that breaker failure rates and CCF rates can be consistently applied.

There are also no CCF events for bus feeder breakers.

Most PRAs treat 4kv breakers separately from served components, and include separate CCF events for the important sets of breakers.

question during the initial review of the IPE. A specific Status & Resolution I Observation Request For Information question was issued by the NRC related to the omission of the CCF modeling of circuit breakers and electrical switchgear. The PI PRA group response follows:

Significance "Common cause failures of circuit breakers and switchgear were not explicitly modeled, but common cause failures of loads supplied through the breakers, such as pumps, valves and other components that can be attributable to common cause mechanisms were modeled.

This implicitly captures circuit breaker common cause failures that are associated with these components. As with circuit breakers, common switchgear (in terms of function and the effects of failures) are implicitly analyzed with other failures, such as emergency diesel generator common cause failures."

The NRC approved the IPE, 1 including this modeling I Impact on EDG Completion Page 25 of 33

Page 26 of 33 Impact on EDG Completion Time No impact.

No Impact.

The PRA model was changed as a result of this F&O and any impact on the results are Status & Resolution assumption.

CLOSED -

No action was taken on this F&O, as the calculation is not used in any of the current models and will never be used.

CLOSED -

No action was taken on this F&O, as the calculation is not used in any of the current models and will never be used.

CLOSED -

A recent update of the pre-initiator human error model Item 26 27 28 F&O DA-10, Sub-e k f ~ ~ e n t 17 DA-I sub-ekment 4

HR-41 sub-element Observation In Rev 1, when the plant specific data was 0 failures in T exposure time, the failure rate was calculated by assuming 0.5 failures in T exposure time. This is mathematically equivalent to using a Bayesian update with a Jeffrey's prior. There is no way of knowing if this estimate is reasonable or not. A more technically sound approach is to use a generic prior for Bayesian update. In Rev2, the data development has changed to use 0.3 failures in the exposure time.

There is no basis for this practice, expecially when the Rev 2 data makes significant use of Bayesian process.

The number of plant specific failures for CVCS pumps in Rev 2.0 seems high - about 60-80. There is no reason to use Bayesian update techniques when there are such a large number of plant specific failures. In fact, since the plant specific failure rate is relatively high compared to generic sources, it could likely be shown that the PI CVCS pumps are not in the same population as generic pumps and a Bayesian update process should not be used.

The equation used to quantify latent errors is not intuitive, and appears to be incorrect.

Significance B

B B

Page 27 of 33 Impact on EDG Completion Time already reported in the M R.

Status & Resolution has been completed such that industry accepted methods are now used.

Item Observation The equation presented in the HRA notebook suggests that there is a time period in which a component can be considered available after corrective maintenance (CM) but prior to retest (assumed to be 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />). Conversely, the equation implies that no retest is performed following preventive maintenance (PM). This most likely does not reflect maintenance practices. Furthermore, the peer review guidance suggests that latent errors may be screened when a post maintenance test is performed.

The summation of the PM, test (T),

and random failure (RF) frequencies does not have any physical meaning, as the terms appear to be mutually exclusive. In addition, for components only exposed to latent error on a refueling outage frequency, the approach mentions that the operators would most likely find a latent error prior to startup. For these cases, a TI value of 4 is assumed which is very similar to the CM cases. However, in practice, at-power surveillance test intervals are being substituted for TI values applied to components exposed to latent error only during refuelling (e.g., CTRAINAXXZ, CVHCS11XXZ). Lastly, it seems that the refueling frequency value of 8.55E-05lhr is artificially reducing the F&O 6

Significance

Page 28 of 33 Impact on EDG Completion Time The PRA model was changed as a result of this F&O and any impact on the results are already reported in the LAR.

The PRA model was changed as a result of this F&O and any impact on the results are already reported in the LAR.

Significance B

A Observation HEP in these cases.

Subsequent to the review, PlNGP PRA personnel provided the response shown under "Plant Response or Resolution.

The HRA documentation indicates that operator interviews were conducted when determining the execution time of procedure steps, but the values used appear to be generic.

Further, a "generic" value of 45 minutes is identified as the shortest time to core damage for any accident.

This value is then used in the screening analysis for several operator actions where the time to core damage is being estimated.

There doesn't appear to be a basis for the 45 minute value. Furthermore, it not clear that this value is applicable to the actions modeled.

Two of the ten most important operator actions, ABUS27RESY and N 12 1 DRYXXY (sorted by FV), are quantified using screening values.

This is contrary to the PlNGP PRA groundrules and industry guidance.

Item 29 30 Status & Resolution CLOSED -

A recent update of the pre-initiator human error model has been completed such that industry accepted methods are now used.

CLOSED -

ABUS27RESY was removed from the model, as this is an action that would not be performed during accident conditions. A recent plant modification was added to the instrument air system fault tree which caused the importance of operator action N121 DRYXXY to decrease.

An HRA upgrade was performed for the EDG F&O HR-6, sub-e~en~ent 10 HR-7, sub-element 13

I Observation I Significance 1 Status & Resolution 1 Impact on EDG Completion Based on the operator action sensitivity study performed, there are several scenarios involving multiple human error events. Some of the dependencies appear to have been recognized, but it was not intuitively obvious how they were factored into the quantification of conditional HEPs (e.g., FDBLDOPATY). Several scenarios involve more than 4 HEPs, and this raises a question regarding how the operator actions are being placed within the model. The product of some of these multiple HEP scenarios result in total crew failure probabilities less than 1 E-06, which appears to be optimistic.

The local actions in the switchover to containment sump recirculation are modeled as 4 actions that are easy to recall. In actuality there are 13 distinct actions and only 4 are given as critical. No justification is given for the non-critical steps. Even accepting that the other 9 actions are not critical, they would certainly affect the operator's ability to remember the steps. In general there doesn't appear to be any evidence for the non-criticality of tasks or that the 1 Completion Time extension, which performed detailed HRA modeling on all of the risk important operator actions.

CLOSED -

A new dependency analysis has been completed that identifies all dependant combinations of operator actions and ensures that multiple combinations are not less than 1 E-05.

CLOSED -

Recently, an update of the HRA model has been completed where all important operator actions were calculated using current industry standards.

Time The PRA model was changed as a result of this F&O and any impact on the results are already reported in the LAR.

The PRA model was changed as a result of this F&O and any impact on the results are already reported in the LAR.

Page 29 of 33

I Item 1 F&O I Observation A quantification notebook describing the following items needs to be created:

33 how the one-top CDF model is constructed (guidance);

how any technical adjustments are made to the top of the FT or in the systems below (beyond what is documented in the system and event tree notebooks) to allow quantification; QU-I sub-element 1

any special logic introduced to model sequences (flags, etc.);

added complexity they introduce has been considered.

This F&O relates to both guidance and documentation sub-elements of QU.

supporting files (such as MUTEX, 1

1 1

RECOVERY. BE,.Tc, etc),

I I

I summary inputloutput files; results summary files and conclusions (See QU-5 also);

I I

I computer run parameters; type of computer and operating system, list and version of executable codes used; I

I I

limitations of the code; CLOSED -

A Quantification Notebook was created detailing the Rev 1.2 and Rev 2.0 PRA model results. The notebook contains sufficient guidance for performing the process and sufficient detail to document the inputs and outputs of the process.

Significance This is a documentation enhancement issue and has no impact on the PRA model used for the LAR.

references to supporting model notebooks (ET, system, HRA, data) etc.

Status & Resolution Page 30 of 33 Impact on EDG Completion Time

QU-3, sub-element 8

QU-5, sub-element 31 Observation Modifications performed in the one-top fault tree, such as creation of the AFW-T fault tree from the full AFW tree, must be documented either in the quantification or system notebooks.

The contribution of LOOP sequences that lead to loss of cooling water and instrument air could be greatly reduced if credit could be given to recovery of offsite power within the calculated time to core uncovery of 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />.

The Peer Review supplemental guidance (draft subtier criteria) states that, for a category 3 classification for this sub-element, one must fullfill the following:

"The accident sequence results by sequence, sequence types, and total should be reviewed and compared to similar plants to assure reasonableness and to identify any Significance Status & Resolution CLOSED -

For the Rev 1.2 and higher models, recovery of offsite power was credited for the LOOP sequences that lead to loss of cooling water and instrument air.

OPEN -

A Quantification Notebook was created detailing the Rev 1.2 PRA model results. The notebook contains a thorough evaluation of the quantification results meeting the standards in the Draft version of the "ASME PRA Standard" including review of top cutsets, Impact on EDG Completion Time The PRA model was changed as a result of this F&O and any impact on the results are already reported in the LAR.

This is a documentation enhancement issue and has no impact on the PRA model used for the LAR.

Page 31 of 33

Page 32 of 33 Impact on EDG Completion Time This is a documentation enhancement issue and has no impact on the PRA model used for the M R.

This is a documentation enhancement issue and has no impact on the PRA model used for the MR.

Item 36 37 Observation exceptions.

A detailed description of the Top 10 to 100 accident cutsets should be provided because they are be important in ensuring that the model results are well understood and that modeling assumption impacts are likewise well known.

Similarly, the dominant accident sequences or functional failure groups should also be discussed. These functional failure groups should be based on a scheme similar to that identified by NEI in NEI 91-04, Appendix B."

A summary of top sequences by initiating event was provided, as was a listing of risk-important systems and operator actions. Detailed descriptions of cutsets were not provided, nor was a comparison of results to similar plants.

Neither a quantitative uncertainty analysis nor a qualitative evaluation of significant sources of uncertainty are addressed.

PRA group procedure 3.001A requires evaluation of PRA results when the model is updated, and documentation in accordance with PRA group procedure 1.002A. The procedure F&O QU-61 sub-element 27 MU-41 sub-element 6

Significance B

B Status & Resolution dominant accident sequences, initiating events, importance measures, model asymmetries, and operator actions.

Results from the Westinghouse MSPl Cross Comparison document related to Prairie Island will be addressed as part of the MSPl Project by December 2005.

Once this is completed this F&O will be considered closed.

OPEN -

This activity will be completed as part of the data update, which will be completed by the end of 2005.

CLOSED -

An extensive review of the Rev 1.2 and Rev 2.0 model results (top cutsets, dominant accident sequences, initiating

Page 33 of 33 Impact on EDG Completion Time Significance Observation indicates that the evaluation must include a review of top cutsets and basic event importance measures to ensure that dominant contributors to risk are modeled accurately and that dependent operator actions are treated appropriately, with focus on understanding and addressing risk significant issues that have resulted from the latest requantification.

For a full PRA update, consideration should also be given to reviewing more than just dominant contributors and top cutsets, depending on the extent of modeling change. For example, the in-progress Rev 2 model upgrade may produce results that will require a deeper review than an examination of top cutsets, top risk importance contributors, and overall CDFILERF values.

Item Status & Resolution events review, importance measures, model asymmetries, operator actions) has been performed and is documented in the Quantification Notebook.

Fleet PRA procedures have also been developed and implemented which address the PRA model maintenance issues.

F&O