Text

Email from Miller to Riley Staff Feedback on NEIs Example of a scenario-based Evaluation
	ML13037A632
Person / Time
Issue date:	02/01/2013
From:	Ed Miller; Containment and Balance of Plant Branch
To:	Jeffrey Riley; Nuclear Energy Institute
	Miller, Ed 415-2481
References
	Download: ML13037A632 (55)
	v • d • e

From:

Miller, Ed To:

jhr@nei.org

Subject:

FW: Staff feedback on NEI"s example of a scenario-based evaluation Date:

Friday, February 01, 2013 5:53:06 PM Attachments:

NEI_Draft_WORKING_EXAMPLE_NRCcomments_2013_02_01.pdf

Jim, As described below, these are the promised high-level comments from the group for discussion at the Feb 21 public meeting. Please let me know if you have any questions in the interim. Thanks.

Ed From: Bensi, Michelle Sent: Friday, February 01, 2013 4:10 PM To: Miller, Ed Cc: Cook, Christopher; Thompson, Jenise; Chokshi, Nilesh

Subject:

Staff feedback on NEI's example of a scenario-based evaluation Ed, Attached is the higher-level feedback from NRC staff on NEIs example of a scenario-based evaluation.

We will provide more detailed feedback on a subsequent draft of the document. Please forward.

Thanks, Shelby

Draft WORKING EXAMPLE Page 1 of 54 Working Example Template:

Scenario Based Integrated Assessment Evaluation of a Sunny Day Dam Failure with Advance Warning of an External Flood and Severe Site Flooding Comment [NRCstaff1]: A few global comments:

Please perform a global consistency check on terms, phrases, etc. This is suggested to ensure actions and events are referred to using the same terminology, which will make it easier to cross-reference between sections.

Integrate the sections of the document using cross-referencing. Often claims are made early in the document without justification. If justification is provided later in the document (e.g., through a detailed assessment), then a cross-reference to that section would be helpful at the point in the document when the claim is initially made.

Questions arose about the physics of the strategy with respect to the temperature of the primary side if the SGs are to be used.

More discussion of required instrumentation and cues is important.

Draft WORKING EXAMPLE Page 2 of 54

=

Background===

The following external flood scenario is based on a sunny day failure of an upstream dam located 200 miles from the site of a 3000 Mwt 4-Loop PWR. The nuclear plant is a single unit site. The site walkdown conducted at the unit in 2012 and submitted to the NRC in November 30, 2012, indicates that all plant design basis flood features were capable of performing their intended functions.

Overview Recommendation 2.1 of the NTTF required that all nuclear power plants perform an external flood hazard re-evaluation using present day methods and assumptions typical of current regulatory practice.

The results of that hazard re-evaluation are discussed in section 5 of the ISG. The hazard information contained in that section noted that the site predicted maximum hazard flood elevation has increased 5 feet from 900 msl to 905 msl. For performing an integrated assessment of this flood elevation increase the following specific characteristics of the external flood hazard were identified flood height and associated effects warning time intermediate water surface elevations that trigger actions by plant personnel flood event duration plant mode(s) of operation during the flood event duration This flood scenario is presented only as a representative example of one flood scenario. The focus of the scenario is on RCS heat removal. For illustration purposes, the example scenario presented does not include consideration of Spent Fuel Pool (SFP) cooling. A complete scenario description would be expected to also successfully disposition make-up to the SFP. Utilities are cautioned that events and mitigating conditions unique to their respective site may warrant additional and/or different response.

The overall integrated assessment scenario discussion is presented as follows:

Section A, Description of the Flood Scenario, provides a detailed discussion of the full scenario including important site elevations, actions and mitigating equipment. Section B of this scenario assessment includes a detailed discussion of flood significant mitigation equipment. Section C provides a graphical presentation of the timeline presented in Section A including task resource loadings and anticipated available staff. Section D includes a high level flood scenario event tree. System operability, reliability and dependency issues are discussed in Sections E through H. An assessment of the feasibility and reliability of flood significant protection and mitigation actions is provided in Sections H and I.

Section J concludes.

Comment [NRCstaff2]: Suggestion: Consider adding a preface to the document to indicate that this is an example, that it is necessarily incomplete, that it represents just one portion of a much larger assessment, etc.

Comment [NRCstaff3]: Suggestion: Consider adding a table of contents and using a numerical section labeling scheme (e.g., 1., 1.1, 1.1.1). This will help the reader understand the overall framework of the document and allow the reader to easily navigate the document.

Comment [NRCstaff4]: Suggestion: Add a preparers note to indicate that there are characteristics/challenges associated with multi-unit sites that are not captured in this example, which is single unit.

Comment [NRCstaff5]: The integrated assessment ISG indicates that the submittal should provide justification that the scenario-based evaluation provides sufficient detail and supporting information to demonstrate that there is high confidence that key safety functions can be maintained. This section of the example may be a place to include this information (e.g., using a preparers note).

Comment [NRCstaff6]: Consider expanding this section to describe, in more detail, how the document is structured. For example, claims are made in early sections of the document but are justified by assessment later in the document.

Draft WORKING EXAMPLE Page 3 of 54 A. Description of the Flood Scenario and Initial Conditions A plant has an external flood protection system that is based on a design basis flood of 900 ft msl. Plant grade is 895 ft msl. The results of the re-evaluated hazard height indicate that a sunny day failure of an upstream dam would create a flood that could reach 905 ft msl. A flood elevation in excess of 900 msl will result in all current licensing basis (CLB) flood protection barriers being overtopped resulting in a loss of core cooling and inventory control safety functions. The anticipated time for the flood to reach plant grade is 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (including consideration of wave run up). The 900 msl level (including margin for wave run up) may be reached as early as 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months after the initial dam breach. A peak flood height of 905 ft msl (including consideration of wave run-up) can potentially be reached 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months later. This peak height is stable for a period of approximately two weeks and is predicted to gradually subside at a rate of 1 ft per day. The re-evaluated hazard assumes an initial river level at the site of 890ft msl.

Table 1 Re-Evaluated Hazard Characteristics From Section 5 of ISG Parameter/Feature Condition Comment Scenario Type Sunny Day Dam Failure No other hazard assumed Plant Initial Condition Full Power Operation All equipment considered operable Plant grade 895 ft msl Initial River Level at site 890 ft msl Warning Time 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months prior to flood reaching site grade 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months for flood to overtop flood barriers Flood Elevation Profile See Figure 1 Flood Duration 13.5 days Flood duration estimated from time water reaches site grade Ancillary conditions Nominal weather conditions1

1.

For purposes of human performance assessments nominal weather conditions assumed a worst two year site wind speed of 40 mph. The likelihood of occurrence of this wind speed in combination with a sunny day dam failure is 0.0015.

Comment [NRCstaff7]: Suggestion: Consider adding a preparers note to indicate that other mechanisms (whether due to dam failure or other causes) would need to be evaluated separately or through specification of an enveloping scenario as discussed in the integrated assessment ISG.

Comment [NRCstaff8]: References to elevations are not consistent throughout the document (e.g., 905 ft MSL, 905 MSL, 905 ft).

Please make consistent.

Suggestion 1: Consider using a datum such as North American Vertical Datum 1988 (NAVD88) or World Geodetic System 1984 (WGS84). MSL is a poor vertical datum nomenclature.

Suggestion 2: State early in the document that all elevations are in a given datum and then simply reference elevations as x ft (e.g., 905 ft).

Comment [NRCstaff9]: The ISG indicates that the following flood scenario parameters should be specified:

flood height and associated effects:

-flood elevation

-wind waves and run-up effects;

-hydrodynamic loading, including debris;

-effects caused by sediment deposition and erosion;

-concurrent site conditions, including adverse weather conditions;

-groundwater ingress; and

-other pertinent factors.

flood event duration, including warning time and intermediate water surface elevations that trigger actions by plant personnel plant mode(s) of operation during the flood event duration other relevant plant-specific factors Consider tabulating all of these values, or including a preparers note when something is not relevant (most of these factor are already included in this table).

One of the items listed above indicates that elevations that trigger actions by plant personnel, should be specified. For this item, it may be helpful to generate a ruler showing flood elevations and actions. Example of a ruler is included in a comment below.

Comment [NRCstaff10]: Consider adding a preparers note that this is not generically true (but is specified here because a sunny-day event is under consideration).

Draft WORKING EXAMPLE Page 4 of 54 Figure 1: Scenario Site Flood Profile The intake structure includes debris protection up to the CLB licensing level of 900 msl. Thus, until plant barriers are overtopped the intake structure does not clog and the service water systems can be maintained operable until the flood height at the site reaches 900 ft msl. Turbine driven AFW pumps can be operated and are protected to a site elevation of 902.5 ft msl. The EDG rooms begin flooding at 902 ft msl and EDGs will not be operable by the time the flood height is expected to reach 905 ft msl.

It has been determined that it is not physically possible to provide protection for the existing CLB flood mitigation equipment at the new higher flood elevation.. However, a mitigation strategy has been developed which provides highly reliable mitigation for flood events above 905 ft MSL with some margin using a dedicated severe flood mitigation system (SFMS). This system provides an alternate source of power, instrumentation and water to maintain the plant in a safe shutdown mode. Details on the Severe Flood Mitigation System are presented in Section B.

The following features characterize the flood scenario:

o The installed physical protection barriers provide 5 feet of protection above plant grade.

o Overtopping the physical protection barriers for an extended period will result in compromising all permanently installed plant shutdown safety systems.

Comment [NRCstaff11]: Consider adding a ruler figure to show elevations and consequences or actions. E.g.,

Comment [NRCstaff12]: Does the strategy only apply to events above 905ft? What about an event resulting in a flood height of say 903 ft, which would cause a loss of EDGs, etc.?

Draft WORKING EXAMPLE Page 5 of 54 o The Flooding Hazard Re-evaluation shows the flood will not reach the site for a period of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months and will not exceed the current plant design basis flood physical protection features of the plant for at least 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months after the dam break o Adverse site weather conditions are not anticipated following a sunny day dam breach.

o Offsite and emergency onsite power is expected to be available until the flood height reaches 902 ft msl. A berm protect offsite power to 905 msl, however procedures de-energize switchyard for purposes of personnel protection. This action is taken after the SFMS has been implemented and verified functional.

o The flood duration for the dam break event is calculated to exceed the height of the physical protection barriers for 13.5 days o As the flood will not reach the site for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , normal land access to the plants protected area is available for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after the dam break o The plant is notified of a dam failure 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months after onset and this is confirmed by gauge readings downstream of the dam o While not credited in this assessment, dam distress can be seen prior to failure (several hours) as the dam owner periodically inspects the dam condition, and that the dam owner will notify the state of impending failure. The state will notify the plant of a potential failure and the plant management will be primed for an event. Other than providing this information to management no other action is taken until the time the dam fails.

The current assessment assumes that the initial action starts at the time the dam breach is reported to the utility administration. Dam owner surveillance activities are likely to extend this time interval by identifying and reporting pre-failure conditions to the state. While not credited reasonable dam operator and state actions are provided in Table 1 prior to the time 0 dam failure point.

o Plant is initially operated at full power and all plant systems are available until the flood level reaches site grade. All safety related systems will be available until the flood level reaches 900 msl. While some residual capability exists beyond that point, the only systems credited are components of the SFMS.

o Plant is shutdown according to plant standard operating procedures for an emergency shutdown. Any RCS leakage prior to reaching cold shutdown conditions is made up by the normal plant charging system.

o Once shutdown and placed on shutdown cooling, RCS leakage is anticipated to be below [0.1 gpm]. As the core is shutdown following emergency guidelines and power is available to the charging pumps throughout the shutdown process, the RCS inventory will be maintained at normal operating levels in accordance with procedures. Specifically, it is expected that over time the average RCS temperature will fall to around 220 F and the long term RCS pressure will be below [100] psia. This will result in a shrinkage of inventory equivalent to about 12% of the inventory associated with shutdown cooling entry. If leakage of 0.1 gpm occurs over the duration of the event inventory makeup sufficient RCS inventory will be available to allow core cooling for approximately [60] days. Thus, long term strategies include monitoring pressurizer level and establishing long term inventory control. To address potential long term issues with Comment [NRCstaff13]: Consider adding reference to durable agreements.

Comment [NRCstaff14]: Suggestion: Add information (here or elsewhere in the document) regarding how the reading is performed (e.g., who goes out and reads the gauge), how frequently the gauge is read, the basis for maintenance of the gauge, etc. Generally provide information regarding the reliability of the gauge.

Draft WORKING EXAMPLE Page 6 of 54 inventory, procedures are in place to utilize FLEX equipment for direct injection into the RCS once the flood water level recedes to 900 ft msl.

[Preparers note: Include discussion of heat removal thermal hydraulics and anticipated coolant levels in the RCS. Include basis for anticipated leakage, description of short and long term inventory control processes (if any) and identify any associated implementation procedure and/or mitigation equipment.]

A detailed external flood timeline for the scenario is presented in Table 2. A simplified version of this timeline is also provided in Section C with associated resource loading estimates.

Site Description and Topology The ability of the plant to respond to and mitigate the event is strongly dependent on the topology of the site and it environs. As the maximum re-evaluated hazard has been predicted to be 905 ft msl, flood mitigation electrical AC supplies (DGs) have been housed in the SFMS building(s) outside the protected site area,under the direct control of the utility, with a floor elevation of 915 ft msl. The mitigation equipment includes a seismic category, tornado resistant building housing two DGs, fuel oil tank and an adjacent pad for a fuel truck. DGs are electrically connected to Motor Control centers (MCCs) which power (1) two submersible pumps located below the flood plain which are capable of providing feed to the SGs (2) a fuel transfer pump and (3) house loads for lighting, HVAC and refrigeration, etc.. Access to this mitigation equipment is available from a highway and local roads which will be above the flood elevation. All major bridges between the surrounding community and the town are expected to remain passable for the event duration.

[Preparers note: Objective of this section is to establish a basis for ensuring that off-site fuel supplies will be available to the site in advance and in the days immediately following the event. Regional resource centers may provide longer term assistance using air support. If relevant provide a topological map of the site. Additionally, pathways required to implement mitigation strategies and ingress to the site should be fully described herein]

Comment [NRCstaff15]: And text related to instrumentation and supporting power.

Comment [NRCstaff16]: Change to topography (global change needed)

Comment [NRCstaff17]: Discussion should include capability of air support to access site or offsite staging areas (which may be challenged by concurrent weather conditions under some flood scenarios) as well as the capability to move resources from staging areas to the site and around the site. Consider adding discussion of applicable durable agreements.

Draft WORKING EXAMPLE Page 7 of 54 B. Overview of Flood Mitigation Features To mitigate this re-evaluated hazard, the plant has built a structure designed to, or evaluated equivalent to ASCE 7-10, Minimum Design Loads for Buildings and Other Structures. The structure is located at an elevation 10 feet above the new flood hazard level that houses two low voltage [X] Kw Diesel Generators (DG) each with a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months fuel supply. DGs are aligned to a Motor Control Center (MCC) that powers either one of two submersible well pumps, a small fuel transfer pump, and building hotel loads (lighting, communications, refrigeration, and HVAC). The MCC is connected to the well water pumps via two underground capable enclosed in water-protected conduits. The DG Fuel tanks can be resupplied via connections to a Fuel Oil Storage Tank located outside the building or via a direct feed from a fuel oil storage truck. Fuel supplies to the DGs can be cross tied. In addition, the facility houses a small battery and charger capable of remote instrumentation to monitor water levels in the SG and pressurizer.

The location of the DG building is such that the structure can be accessed via multiple roads that are not expected to be flooded. These roads effectively connect the DG building with surrounding communities and provide road access for resupply of fuel and equipment. A helipad area is also adjacent to the building to allow ready access for airborne supplies. Several contracts with local fuel oil dealers are in effect that would allow transport of a fuel oil truck with X gallons of fuel to be provided to the site on x hours notice. The tanker truck is to be park in a lot outside of the DG building and serve as the long term fuel tank for the SFDGs.

Approximately 2000 ft of underground cables connect the MCCs to the submersible well pumps.

The plant has installed one [x] hp AC powered submersible pump in each of two wells located on the flood plain. Each pump is capable of providing up 250 gpm (approximately 3 times that necessary to remove decay heat during this interval). These pumps are included within the plant preventive maintenance program XXX where the pumps are administratively required to be routinely suveilled quarterly and are subject to functional tests once a year prior to flood season. A system performance test is performed every three years. A functional summary of the components of the SFMS is presented in Table 3. Additional features of the pump and discharge / delivery capabilities are as follows:

o Piping is installed between the pumps and SG feedlines such that each well pump feeds one SG.

o The wells, piping and electrical cables have been designed and installed to survive a design basis earthquake o Pumps have been confirmed to provide adequate flow to remove decay heat in excess of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months after shutdown.

o Pumps in well can be powered from either DG o Electrical cable to the pumps and piping from the pumps is installed to resist the effects of the flood including erosion and debris o Supply of well water is sufficient to supply water to the SG for the duration of the event Delivery to the SG is affected by injection through a recently installed tee connection to the AFW line.

The tee branch is normally closed by two manually operated valves. Implementation instructions Comment [NRCstaff18]: Suggestion: Describe how ASCE 7-10 relates to whether the building is a seismic category, tornado resistant building (as described in the previous section) and identify the associated intensities (e.g., wind speeds).

Comment [NRCstaff19]: The scenario is a sunny-day scenario. While articulating the timing and frequency of testing is relevant, it should be clear that, because this is a sunny-day event, it is not reasonable to credit that the equipment will have just been tested. Crediting of equipment testing should be consistent with what is done in normal practice for any equipment that is inspected on an annual basis.

Comment [NRCstaff20]: Suggestion: Provide additional information (here or elsewhere in the document) regarding how the test is performed (e.g., whether and how the valves exercised).

Comment [NRCstaff21]: Are these locked valves?

Draft WORKING EXAMPLE Page 8 of 54 require the: (1) submersible pump discharge piping be connected to the valve flange (2) install intermediate connection spool piece (3) open two manual valves on the AFW tee and(4) open associated submersible pump discharge valves. This task is included in AOP-XXX and is trained upon once per year. Plant has installed valves, flanges and connection points to facilitate establishment of an alternate injection paths to one of four SGs. Spool piece is stored in a protected bin in the vicinity of the connection point.

Table 3 Functional Description of Severe Flood Mitigation System (SFMS)

Component Function Two 250 gpm capacity well water pumps(WWP) (electric drive)

Redundant SG makeup capability Fuel oil pump (electric drive) & hoses Transfer of fuel from external tank / truck to day tank Well/groundwater Water source for SG feed Two Diesel Generators (redundant power supply)

Building lighting, power to submersible pumps, oil transfer pump Motor Control Center Power distribution and connection to loads Cable to well pumps (2)

Connection to loads SG ADVs/MSSVs Used for steam relief paths Site air compressors Used as primary means to open ADVs Nitrogen bottles, batteries Used as backup means to open ADVs Spool piece Connector Establish connection between WWP discharge and SG feed Mechanical gaging devices/equipment Keep ADV/MSSVs open Manual valves Complete connection between WWP and SG feed DG Support Center Building House and protect DGs, and staff for event duration.

SG level monitor/ WWP discharge flowmeters/DG Fuel Level Devices to confirm continued effectiveness of strategy Commodities Food Potable water Support for site personnel Lighting Facilitate operations PZR level monitor Instrument feed routed to and displayed at DG facility SG Level monitor Instrument feed routed to and displayed at DG facility Additional details regarding operational characteristics and reliability of flood mitigation equipment are included in section E.

[Note to Preparer: Include the following:

1.

A P&ID for the flood mitigation system

2.

An elevation diagram showing the relative placement of the DGs and submersible well pumps and associated housing structures with the piping connecting the post-flood mitigation pumps to the SG inlet piping

3.

Building equipment layout drawings should be provided Comment [NRCstaff22]: Suggestion: Add additional instrumentation that would provide relevant information on the plant during the scenario (particularly in a SBO scenario).

Suggestion: Include core exit thermocouples at minimum.

Comment [NRCstaff23]: Convey to the reader/user that this can be a simplified P&ID generated for the purposes of the submittal and need not be a full P&ID.

Draft WORKING EXAMPLE Page 9 of 54

4.

Procedures to surveil, maintain, test, implement and operate (and instrumentation)

5.

Equipment details including:

a.

Manufacturer ratings,

b.

Construction details (mounting, installation and seismic/flood protection)

c.

operating environment requirements}

In anticipation of this challenge the plant installed two low voltage severe flood diesel generators (SFDGs) and a day tank filled with fuel in a protected area at an elevation of 915 ft msl. Each SFDG provides power to an MCC which is capable of powering one of two submersible well pumps located on the site via and underground cable and other facility loads. The MCC also includes a battery supply to power SG level and pressurizer level instrumentation. Each of the well water pumps are capable of being connected to the plant AFW piping and providing low pressure feed to two steam generators.

6. Overview of Timeline and Resource Loading The key event time timelines are identified in Table 2. A graphical illustration of the hazard impact and plant responses is presented in an attached Excel File Figure 2. [EXCEL file is for purposes of illustration only.]

Comment [NRCstaff24]: A few comments on the Excel sheet:

It would be helpful to include an explanation on how to read and interpret the figure/spreadsheet. For example, it was not entirely clear how to interpret the available resources in the staffing table (e.g., Are the available resources inclusive of all available staff or does it only count the number staff on any shift?). Several other interpretations of the figure were not completely clear.

Consider incorporating information on fatigue (either into the figure or into the text). How long could a particular group of staff work before fatigue considerations become a factor?

Consider adding actions not directly related to safety-functions (e.g., actions associated with evacuation or investment protection) that may place a demand on site personnel resources and should factor into the staffing analysis.

Some of the timing information (particularly for the first few tasks in the table) are associated with short time windows, which generally calls in to question the reliability of the actions.

The time line ends with the recession of water from the site. The flood event duration may extend past the recession of water from the site.

Comment [NRCstaff25]: Please clarify what for illustration purposes only means. Does this mean it will not be part of the submittal? Or is this a note to the preparer?

Draft WORKING EXAMPLE Page 10 of 54 Table 2 Detailed Event Timeline Time River Level (ft msl)

Event Action Procedure Impact/Comment

-12 890 Dam operator notes upstream dam to be in distress and actions are being taken to prevent failure Dam operator notifies state emergency organization that significant leakage is occurring at the dam and that the dam spillways have been opened to their maximum capacity Dam Owner Procedure XXX State ERO Procedure XXX Dam condition and operational occurrences are provided to state emergency reponse procedure XXXX

-9 890 State emergency organization notifies control room of increased river flow and dam situation State ERO procedure

XXXX, Letter of understanding exists between state and utility

-8 890 Plant enters flooding preparation procedures including monitoring of river stage gauges Management notification of situation is initiated Procedure XXX 0

890 Dam Breach Occurs Dam Owner notifies State Emergency Organization of Breach Dam Owner Procedure XXX Typically a dam breach will be preceding by a time where the dam operational conditions are monitored and mitigation actions taken.

Such actions may include reducing dam inventory by release of water through spillways. Hazard Re-Comment [NRCstaff26]: Add unit (hours)

Comment [NRCstaff27]: Suggestion: Add a column that includes justifications/explanations/evaluations that are associated with the action (or provides a reference to where the justification can be found elsewhere in the document).

Comment [NRCstaff28]: Is this assumption applicable at all times (e.g., in the middle of the night)?

Comment [NRCstaff29]: Clarify whether this is licensee management. Similar clarifications may be required elsewhere in the document.

Draft WORKING EXAMPLE Page 11 of 54 Table 2 Detailed Event Timeline Time River Level (ft msl)

Event Action Procedure Impact/Comment Evaluation analysis assumes bounding conditions and does not credit potential mitigation efforts.

1 890 Plant is notified of dam breach and confirms rapid increase in river gauge downstream of dam ALERT is declared and ERO is activated Emergency Plan procedure XXX 1.25 890 Plant begins emergency shutdown in accordance with

[AOP-XXX]

AOP-XXX 1.5 890 Plant reaches hot shutdown and begins cooldown at 75oF/hr AOP-XXX 2

890 ERO is staffed Command and Control transferred to Site Director. Work is planned and staffed in accordance with sites Emergency Plan procedures Emergency Plan Procedure XXX Staffing levels are established in accordance with the Emergency Plan 3

890 Crews dispatched from Emergency Facility Test Flood Mitigation diesels []

AOP-xxx Diesels located in dedicated building at 915 ft msl 890 Test submersible pumps Proc-XXX Submersible pumps located in wells which have a top elevation of 900 msl Comment [NRCstaff26]: Add unit (hours)

Comment [NRCstaff27]: Suggestion: Add a column that includes justifications/explanations/evaluations that are associated with the action (or provides a reference to where the justification can be found elsewhere in the document).

Comment [NRCstaff30]: Clarify who at the plant is notified (i.e., who receives the call?).

Comment [NRCstaff31]: Is a NOUE declared prior to the ALERT?

Comment [NRCstaff32]: Consider adding information on plant modes to the timeline Comment [NRCstaff33]: Suggestion: Include a summary description of procedures that are flood-specific and non-routine in nature. This is a global comment.

Comment [NRCstaff34]: Consider adding a preparers note to indicate that PTS considerations may be a factor (e.g., if TS limits are exceeded).

Draft WORKING EXAMPLE Page 12 of 54 Table 2 Detailed Event Timeline Time River Level (ft msl)

Event Action Procedure Impact/Comment 890 Assemble and stage equipment to connect submersible pumps to feedwater lines AOP-XXX Task includes: (1) removal of blind flange cover on spool piece connecting to feedwater piping (2) locate flexible discharge piping for spool piece connection.

Note: flexible piping is already connected to submerged pump and routed to near FW piping.

Connecting pipe is located in vicinity where connection to be established.

4 890 Crews dispatched from Emergency Facility Install flood barriers and ensure availability of portable lighting AOP-XXX Proc-XXX Procedure provides guidance to install flood protection to AB and establish 5 ft berm around switchyard.

Activities protect safety related and selected other structures to 900 msl.

Flood barrier installation will only impact plant response between the 895 msl to 900 msl Comment [NRCstaff26]: Add unit (hours)

Comment [NRCstaff27]: Suggestion: Add a column that includes justifications/explanations/evaluations that are associated with the action (or provides a reference to where the justification can be found elsewhere in the document).

Comment [NRCstaff35]: There are several references to flood barriers throughout the document. It is not clear if there is one set of flood barriers or multiple sets of barriers (and which barriers are being referred to at the different places in the document). For example, early in the document (p. 3-4) there are references to installed physical protection barriers that are overtopped.

Later in the document (p. 34) there are barriers that are referred to as being in place for investment protection. Please clarify this throughout the document.

In addition, if there are CLB barriers that must be installed, consider adding a preparers note to indicate that it is expected that these features would have been evaluated under the flood protection evaluation portion of the integrated assessment.

Draft WORKING EXAMPLE Page 13 of 54 Table 2 Detailed Event Timeline Time River Level (ft msl)

Event Action Procedure Impact/Comment 4.5 890 Plant reaches shutdown cooling entry conditions and plant is placed on shutdown cooling.

Cooldown continues at 50 oF/hr.

AOP-XXX Per AOP-XXX 5

890 Crews dispatched from Emergency Facility Connect submersible pumps to feedwater lines AOP-XXX Connection requires: (1) removal of blind flange and (2) connection of spool piece between submersible pump discharge line and AFW feedline per maintenance procedure 6

890 Plant reaches cold shutdown following procedure [to be provided]

Plant continues to cooldown at 25 oF/hr AOP-XXX 890 RCS is borated to refueling boron concentration AOP-XXX 890 Crew to operate equipment above flood level Comment [NRCstaff26]: Add unit (hours)

Comment [NRCstaff27]: Suggestion: Add a column that includes justifications/explanations/evaluations that are associated with the action (or provides a reference to where the justification can be found elsewhere in the document).

Comment [NRCstaff36]: Reconsider what this means with respect to the proposed strategy, which uses the SGs. Will the plant heat back up?

Draft WORKING EXAMPLE Page 14 of 54 Table 2 Detailed Event Timeline Time River Level (ft msl)

Event Action Procedure Impact/Comment 890 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months staffing of ERO established. 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months schedules are established to assure compliance with 10 CFR 26.205 AOP-XXX Proc-YYY 890 Additional fuel ordered for DGs Proc-XXX See Contract XXX 890 Crew dispatched from Emergency Facility Install backup nitrogen to air operated ADV AOP-XXX Nitrogen bottles stored in vicinity of ADV. Hookup via procedure XXX 890 Install backup DC power to ADV solenoids AOP-XXX DC power source from Batteries. Batteries stored in vicinity of ADV. Batteries maintained and tested via procedures XXX.

9 890 Submersible pumps connected to feedwater lines AOP-XXX (1) locate spool piece and installation materials stored in vicinity of connection point (2) install spool piece (3) re-align discharge

/suction valves as directed 10 890 Plant reaches 100oF Open ADV using plant air compressor. Confirm ADV opens properly AOP-XXXX 890 Backup nitrogen installed on ADV AOP-XXX 890 Backup DC power installed on ADV solenoids Once ADVs open a mechanical device located in Comment [NRCstaff26]: Add unit (hours)

Comment [NRCstaff27]: Suggestion: Add a column that includes justifications/explanations/evaluations that are associated with the action (or provides a reference to where the justification can be found elsewhere in the document).

Comment [NRCstaff37]: Has RHR been started?

Draft WORKING EXAMPLE Page 15 of 54 Table 2 Detailed Event Timeline Time River Level (ft msl)

Event Action Procedure Impact/Comment the vicinity of the ADV is placed on the ADV to prevent closure 11 890 ADV determined not to open Crews dispatched to disable MSSV on two SG to allow venting of SG AOP-XXX MSSV Recovery for action ADV does not open 13 890 MSSV opened on two SG to allow venting of SG AOP-XXX Back-up action 16 890 Flood barriers installed Per procedure XXX AOP-XXX Completion of activity initially started at t=4 hours.

18 892 Portable lighting positioned Per procedure XXX Proc-XXX Completion of activity started at t=4 hours.

22 894 Flood level predicted to exceed height of flood barriers in 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months Operations crew begin removing electrical power from plant equipment that will be flooded.

AOP-XXX Per AOP-XXX, Step X Test of plant heat removal from temporary facility AOP-XXX Per AOP XXX Step X. System operational test confirming connections and valve positions 24 895 Flood reaches site grade Switchyard disconnected from offsite power.

AOP-XXX Lighting established via local units, alarms access door in non-flood areas can be opened manually. Ok to communicate via cell and satellite phones.

Comment [NRCstaff26]: Add unit (hours)

Comment [NRCstaff27]: Suggestion: Add a column that includes justifications/explanations/evaluations that are associated with the action (or provides a reference to where the justification can be found elsewhere in the document).

Draft WORKING EXAMPLE Page 16 of 54 Table 2 Detailed Event Timeline Time River Level (ft msl)

Event Action Procedure Impact/Comment 26 896 Flood level predicted to exceed height of flood barriers in 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months Plant taken off of shutdown cooling in anticipation of loss of access to UHS and natural circulation cooling established.

AOP-XXX Flood mitigation heat removal system (bunkered EDGs and submersible pumps) initiated.

AOP-XXX Action taken from bunkered facility.

Heat removal from RCS supported by flood mitigation system and associated instrumentation 30 900 Flood level exceeds height of flood barriers SG level maintained from controls above flood level by second operations crew AOP-XXX SG level monitored via

[identify instruments and procedure]. Instruments powered by dedicated AC source.

Flood waters inundate Intake structure Service Water System inoperable Flood waters enter AB 32 902 TDAFW pump flooded TDAFW lost Comment [NRCstaff26]: Add unit (hours)

Comment [NRCstaff27]: Suggestion: Add a column that includes justifications/explanations/evaluations that are associated with the action (or provides a reference to where the justification can be found elsewhere in the document).

Draft WORKING EXAMPLE Page 17 of 54 Table 2 Detailed Event Timeline Time River Level (ft msl)

Event Action Procedure Impact/Comment Switchyard de-energized Offsite power no-longer available AOP-XXX offsite disconnected prior to switchyard flooding. Site dependent on SFMS for core cooling and portable and battery operated equipment for lighting. Movement around site faciltated by temporary walkways.

EDG rooms begin to flood EDG inoperable EDG becomes flooded once plant flood level reaches 902.5 ft 36 905 Peak flood height reached.

Permanent staff located in bunkered facility for duration of the event. Road access available. Boats provided for potential site excursions.

72 905 Offsite resources available Additional fuel/ for refill and equipment available for back-up Contractural arrangements with RRC Resources expected from regional resource center (RRC) or contracts with organizations not impacted by flooding.

108 905 EDG fuel tank refilled every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Plant stable using Flood EDGs and Well Pumps Comment [NRCstaff26]: Add unit (hours)

Comment [NRCstaff27]: Suggestion: Add a column that includes justifications/explanations/evaluations that are associated with the action (or provides a reference to where the justification can be found elsewhere in the document).

Draft WORKING EXAMPLE Page 18 of 54 Table 2 Detailed Event Timeline Time River Level (ft msl)

Event Action Procedure Impact/Comment Site notified flood likely to recede in X days Administration contacts regional resource center to prepare for long term coping equipment and begin preparing transport of temporary transformers 132 904 Flood peak recedes EDG fuel tank refilled every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Plant begins transition to use of off-site equipment AOP-XXX 156 903 180 902 204 901 228 900 252 899 Site post-flood recovery procedure activated De-watering of plant buildings begins Procedure XXX 300 897 Site Power restored to temporary transformer Procxedure XXX 324 896

[Need to describe Plant Post-Flood Recovery Procedure]

Long term pumps aligned to inject into RCS Procedure XXX 348 895 Flood water recede from site Comment [NRCstaff26]: Add unit (hours)

Comment [NRCstaff27]: Suggestion: Add a column that includes justifications/explanations/evaluations that are associated with the action (or provides a reference to where the justification can be found elsewhere in the document).

Draft WORKING EXAMPLE Page 19 of 54

Draft WORKING EXAMPLE Page 20 of 54 EXCEL SPREADSHEET to be provided illustrating major actions, flood hazard elevations and resource requirements and availability.

(Attached File for Illustrative Purposes only)

Draft WORKING EXAMPLE Page 21 of 54 C. Event Tree Logic To clarify the impact of the actions on event success the scenario is cast in the form of an event tree. As actions are considered feasible and reliable, operational failures of equipment were primarily selected as failure branches. Failure branches with highly reliable recoveries/proceduralized back-up plans are explicitly included. In this scenario the developed failure branch occurs following the inability of the plant staff to create a steam release path using an ADV. A proceduralized back-up action to jack open the MSSVs is included in the event tree. Other failure branches are noted as potential low probability events but for the sake of clarity are not further developed. Top events on the event tree presented in Figure 2 are summarized below.

Table 4 Summary of Top Events Top Event Description Dam Break Occurs Initiating event Pre-Flood Activities Successful Plant receives notification of breach, activates ERO and enters flooding AOP. Action highly reliable (See Section H). As this event is proceduralized by the dam owner and is a required action by the state, timely notification of a dam breach is expected. While not explicitly credited, available dam monitoring programs is likely to provide advance warning of potential issues. The action is not time sensitive as the site will have at least a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months delay prior to the onset of site flooding. No failure branch has been included for this action.

Equipment Alignment Successful Plant staff aligns DG, procures additional fuel and aligns SG flowpath.

Action is highly reliable (see Section H). These actions are proceduralized and have been validated as feasible and reliable during flood event simulations. Success implies operator successfully aligned: (1) one of the two submersible pumps to the defined AFW injection pathway, and (2) fuel has been aligned to the DG. No failure branch has been included for this action.

Short Term AC Power Available Flood DGs operable. This action involves implementation of straight-forward procedures to start one of the two Flood DGs. Plant staff is trained on implementation of these procedures. These DGs are routinely maintained and tested [quarterly] (See Section E).

Actions are highly reliable action (See Section H). No failure branch has been included for this action.

Well Pumps Functional Submersible pumps operable. Success implies one of two submersible pumps operates and is capable of injecting water into the SG. Equipment is routinely maintained and tested. Action to start pumps is simple and highly reliable action (See Section H)

Secondary Side cooling via ADV successful Success implies ADV is placed in operable condition. Action is feasible and highly reliable, but may be more unusual and receives less Comment [NRCstaff38]: Staff question this decision. Even if this assumption is made in the example, a preparers note should be included to indicate that this is not always the case.

Comment [NRCstaff39]: There are multiple actions that are lumped under pre-flood activities (e.g., notification, EOR activation, operator actions, equipment staging). It would be helpful to have each action delineated here with a cross reference to any relevant supporting assessments.

Comment [NRCstaff40]: Pre-flood activities include activities that involve non-trivial decision-making processes that may result in delays or utilization of available time margin. These considerations should be accounted for in the assessment. In the timeline, consider noting decision points that could result in a delay due to potentially challenging decision-making steps.

Comment [NRCstaff41]: The excel timeline does not match this statement.

Comment [NRCstaff42]: For transparency, it is suggested that the event tree show the failure branches, even if there are no mitigating actions and the branch goes directly to an adverse or low probability end state.

Comment [NRCstaff43]: See related comment above.

Comment [NRCstaff44]: The ET shows a failure branch for this top event.

Draft WORKING EXAMPLE Page 22 of 54 Table 4 Summary of Top Events Top Event Description practical training than the previous actions. This action is proceduralized and is tested during refueling outages. An alternative action is provided should a mechanical or other issue prevent implementation.

Failure implies ADV cannot be opened. Recovery for this action is opening of MSSVs. This failure branch is illustrated in the fault tree.

Secondary Side Cooling via MSSVs Successful Given Failure of ADV to open, success implies MSSV can be placed in an operable condition. Failure implies a heat removal path cannot be established. This action is proceduralized and is tested during refueling outages. Inability to establish heat removal pathways will proceed to core damage. Note that the time to successful complete this event is over [X] hours.

Long term AC Power Successful Success implies Fuel is available throughout the event; fuel oil tanks are refilled in a timely manner and remain operational. These are highly reliable actions (see Section E through G) for details. No failure branch has been included for this action.

Post Flood Activities Successful Success implies plant strategies and equipment to return the plant to a stable long term operational strategy are successful. Actions are proceduralized and occur late in the scenario, allowing time for additional resources and equipment to support site activities. For expected leakage conditions post flood activities have ample time to be effective. This activity will be supported by FLEX phase 3 activities and will be initiated as the flood begins to recede Low likelihood end states (ES) that, if not recovered, could proceed to core damage include:

Inability of DGs to function, short term (2 of 2 DGs fail to supply power to well pumps)

Inability of Well pumps to provide water to the SG feedline (potential well pump or connectivity failure)

Inability to establish a steam release path from the steam generator (failure of both actions Secondary Side Cooling via ADVs and Secondary Side Cooling via MSSVs.)

Inability of DGs to function, long term (Failure of 2 of 2 DGs to run without repair or failure to provide long term fuel supply)

Comment [NRCstaff45]: Consider tabulating this information for each end state that has been described as low likelihood, but which could proceed to core damage. The table may include the end state name from the event tree, the description of the end state (e.g., Inability of DGs to function, short term (2 of 2 DGs fail to supply power to well pumps)), and justification for why the ES is low probability.

Draft WORKING EXAMPLE Page 23 of 54 Figure 3: Sunny Day Dam Failure Event Tree Comment [NRCstaff46]: Request: Is it possible to improve the clarity of this figure?

Draft WORKING EXAMPLE Page 24 of 54 D. Protection Features to address Flood Challenges on System Operability As a result of the location and elevation of the alternate facility, access to the DGs would not be compromised in a flood. As flood protection is important for dam failures which may be seismic in origin, the DGs, connecting cable, well pumps, and well are seismically robust. The site is situated such that external resources will be available to the site.

[Note to Preparer: The remainder of this paragraph should discuss the relationship of the roads to areas where external resources can be obtained. Routes from oil suppliers to the site should be identified along with primary and alternate routes that can be used following seismic events. This section should also discuss the ability of plant staff to access the site following seismic induced flood events.]

In conclusion, availability of roads in the vicinity of the facility ensures that replenishment of fuel was highly likely in a timely fashion.

Prior to site flooding the site has one day to prepare the site for the flood and obtain adequate resources on site. To ensure an adequate fuel supply for the DGs contracts are in place to store an oil tanker truck on a dry area near the day tank. This action is directed by procedure. Adequate supply is available in the day tank aligned with the installed medium voltage diesel generators to maintain continuous operation for one day. The tanker truck contains sufficient oil to refuel the DG tank for a period of [five] days. Hoses can be readily aligned to a tank refill line. Procedure XXX directs the plant staff to refill the tank once the oil tank level reaches 1/2 of the tank level. Tank level may be read via externally mounted gauges or via use of an alternate manually operated device which is stored in the vicinity of the tank (e.g., ruler). The tank refill period is 1/2 hour. The oil consumption rate is such that 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months will be available to perform the action to refill the day tank.

An underground cable was installed from the DGs MCC to installed submersible well pumps located within a well on the site. The underground cable is selected and routed to survive a design basis earthquake. In addition the well has been reinforced to survive a design basis earthquake.

Floating debris is not anticipated to be a concern for implementing the primary mitigation strategy. In the well location the pump suction is not exposed to floating debris. Underground cables are not susceptible to debris impact and connection points are included within structures that are resistant to debris impact.

Hard pipe connections that run above ground are protected from floating debris by [ Note to preparer: describe practices/protective structures].

Long term flooding of the site can erode topsoil covering the cable and expose portions of the cable to hydraulic loads and potential low velocity debris impact.

Piping from the submersible pump can be aligned to a connection to a line feeding the steam generator via manipulating several manually operated valves. Any necessary spool pieces are connected and valves are directed by procedure to be open in advance of the flood reaching the site elevation..

Comment [NRCstaff47]: Consider changing terminology to indicate this is the temporary diesel generator.

Comment [NRCstaff48]: Question: Could a seismic event cause silting in a well that may affect pump capability?

Comment [NRCstaff49]: Consider adding text related to air support (particularly under adverse weather) and access to offsite staging areas.

Comment [NRCstaff50]: Reference the entire section instead of just a single paragraph because the discussion may require much more than a single paragraph.

Comment [NRCstaff51]: While this is a sunny day event, references to other types of events (e.g.,

seismic) are useful as part of the preparers notes.

Draft WORKING EXAMPLE Page 25 of 54 Water quality for the submersible pump is consistent with its intended flood mitigation function as water from a well has been assessed to not impacted by the flood environment [Provide References]. The required pumping capability is well within the design flow capability. Hydrologic studies confirm the ability of the well to provide adequate water supply for decay heat removal for a period in excess of [X] months.

Should the primary submersible pump fail to start or run, the alternate pump can be readily aligned. As the two pumps are anticipated to be available for the event duration, run failures during the mission time can be accommodated by switching to the alternate pump. Both pumps are aligned to the suction source and either pump is capable of discharge to the steam generator (SG) throughout the event. Back flow is prevented via check valves. To ensure reliable system operation, pumps are maintained within an administrative program [Reference XX] which includes preventive maintenance and are testing. Specifically well pumps are visually inspected and bench tested at a frequency of [ ]. Preventive maintenance and functional tests are performed *annually+. DGs are inspected and functionally tested quarterly. DGs are maintained in accordance with manufacturer specifications. Training in operation and repair of the DGs and other support components is performed once a year prior to spring flood season. It is this season where the flood scenario is most likely.

The motor control centers (MCCs) are located in the DG facility.. MMCs provide power the well water pumps and fuel oil transfer pump at the DG facility. In addition to feed operations, the SG must be vented to allow low pressure injection from the portable pumps. This action must be taken via opening of ADVs and is an early required action in the external flood abnormal operating procedure. Actions to mechanically maintain the ADVs open are proceduralized and the necessary systems to perform this action are located in the vicinity of the ADVs. In the event ADVs cannot be actuated, provisions are available to open MSSVs (one MSSV is required for success). These actions are also well proceduralized and will be taken well in advance of the time at which the flood could increase difficulty in accessing the associated equipment. To ensure availability of key equipment and the ability of the staff to use that equipment, periodic surveillances conducted prior to flood season will confirm the availability of key equipment necessary for mechanically assisted opening of ADVs and MSSVs. Table-top walk-throughs of this strategy are also conducted at this time with personnel expected to be responsible for implementing this strategy (see Section H).

[Note to Preparer: INCLUDE LISTING OF MAINTENANCE, TESTING AND IMPLEMENTATION PROCEDURES USED IN PREPARING FLOOD MITIGATION EQUIPMENT]

Comment [NRCstaff52]: Note earlier comment about the relevance of this information under the sunny-day scenario.

Draft WORKING EXAMPLE Page 26 of 54 E. System Capability/Reliability Assessment This section provides the technical support for assessing the reliability of the active components credited in the current scenario. Each active component or class of components included in the mitigation system is compared with respect the criteria included in Table A.1 of Appendix A of the ISG. An overview of the dedicated flood mitigation system is presented in Section B. A reliability assessment of key active components is provided in Tables 6a through 6[].

[Preparers note: A separate comparison should be provided for each component or class of components.

A typical list of components for this example is provided below. For purpose of illustration, selected components are developed and compared in attached tables.]

Table 5:

Active Components Credited in System Design Component Number Manufacturer Identification /Plant ID Table Diesel Generator 2

See Table 6-A Submersible Pump 2

See Table 6-B Battery to Open ADV 1

See Table 6-C (Not provided in example)

IA Compressor (to open ADV) 2 Standard plant equipment (not dedicated to SFMS)

Nitrogen Air supply to open ADV 2

Generic item See Table 6-D (Not provided in example)

Portable / installed lighting Various Not provided Miscellaneous electronics/relays/

switches Various Generic Not provided A review of Table A.1 indicates that all the functional, operational, unavailability and storage characteristics expectation of Table A.1 are met (See Tables 6-A and 6-B below). The following is an example as to what may be included in the remainder of the reliability assessment section.

Comment [NRCstaff53]: Component assessment should include all equipment that must change state, including valves (e.g., the manual valves required to align the well pumps with the SGs).

Comment [NRCstaff54]: In addition to Table A1, the availability and reliability of active components should be justified using operational data, consideration of operational requirements (surveillance, inspection, design control, maintenance, procurement, testing, text control),

and incorporation in other plant programs. Please double-check that all of these considerations are included in this example.

For example, specify whether trends are analyzed based on operational history and whether there is any form of feedback to indicate whether unavailability characteristics are being met.

Comment [NRCstaff55]: Add instrumentation to this table in addition to other active components (see comment above).

Draft WORKING EXAMPLE Page 27 of 54 Table 6-A Assessment of Active Components Comparison of System Capability to Table A.1 of Appendix A (EXAMPLE TABLE)

Component: Flood Mitigation Dedicated Diesel Generator Functional characteristics

1. Equipment is capable of performing its required function (e.g., functional requirements such as pump flow rate, pump discharge pressure are met).

DG is sized to power one WWP, one fuel oil transfer pump, facility lighting and staff living needs (e.g. refrigerator, microwave ) and communications equipment with 50% margin. Functional characteristics of DG is included in

[Appendix]

DGs are air cooled and have no external dependency other than fuel.

A redundant DG is provided and key DG components and repair manuals are available within the DG facility should on site repair be needed Compatible DGs are available at Resource Center for replacement should that be necessary.

2. Equipment is in satisfactory condition.

Equipment is maintained per manufacturers specifications Functional tests occur every [ ] per Procedure XX to ensure functionality. One full system functional test is conducted annually. Performance testing occurs every [

] per procedure

3. Functionality of the equipment may be outside the manufacturers specifications if a documented engineering evaluation justifies that the equipment will be functional when needed during the flood event duration.

Equipment is commercial grade and will be operated within manufacturers specifications.

[Preparer: Note any exceptions].

Equipment tested periodically (See above).

4. There is an engineering basis for the functional requirements for the equipment which:

a. Is auditable and inspectable;

b. is consistent with generally accepted engineering principles;

c.

defines incorporated functional margin; and

d. is controlled within the configuration document control system.

DG functional requirements Controlled by Engineering Processes. [Note procedures and support/sizing calculations))

After 3 days, replacement DGs and pumps will be available Operational Characteristics

[Provide manufacturer characteristics data and DG loading.] See Appendix Comment [NRCstaff56]: Justification should be provided as to why this interval is sufficient to provide confidence that the equipment is in satisfactory condition.

Draft WORKING EXAMPLE Page 28 of 54 Table 6-A Assessment of Active Components Comparison of System Capability to Table A.1 of Appendix A (EXAMPLE TABLE)

Unavailability Characteristics Unavailability to be maintained via administrative program. Unavailability of any one DG is limited to [x] weeks. Note during low reservoir water conditions and with communication from the dam owner longer outages may be established. Unavailability under no circumstances (without replacement) will exceed [ ] weeks.

Equipment storage characteristics DGs stored in a building designed to ASC 7-10. Building includes a 24 DG tank and refill connections which allow refill from an oil truck. Oil quality is checked [x] time per year

Draft WORKING EXAMPLE Page 29 of 54 Table 6-B Assessment of Active Components Comparison of System Capability to Table A.1 of Appendix A (EXAMPLE TABLE)

Component: Submersible Well water Pump Functional characteristics

1. Equipment is capable of performing its required function (e.g., functional requirements such as pump flow rate, pump discharge pressure are met).

To be Completed by Utility

2. Equipment is in satisfactory condition.

3. Functionality of the equipment may be outside the manufacturers specifications if a documented engineering evaluation justifies that the equipment will be functional when needed during the flood event duration.

4. There is an engineering basis for the functional requirements for the equipment which:

a. Is auditable and inspectable;

b. is consistent with generally accepted engineering principles;

c.

defines incorporated functional margin; and

d. is controlled within the configuration document control system.

Operational Characteristics Unavailability Characteristics Equipment storage characteristics

[Add additional tables, as needed]

Draft WORKING EXAMPLE Page 30 of 54 F. Additional comments on Reliability Flood Mitigation Component [EXAMPLE of Discussion]

All components used for the flood mitigation process are commercial grade, and operated within expected component capacities. Components are non-safety grade, but are maintained in accordance with a site program for equipment important to safety. Components receive periodic preventive maintenance in accordance with manufacturer specifications. Active components are tested [annually], prior to flood season, to ensure system is operational and can be operated within expectations.

Adequate supply of replacement parts (or spare components) are available on site to address any operational failures. Plant staff has the necessary skills and training to effect any repairs/replacements.

Repair parts are stored in a flood and seismically secure location and can be accessible within a short time of their need. As a consequence of the equipment and spare part availability, long term failures of active components used for decay heat removal are not considered risk significant.

Submersible pumps are of diverse design and similar capacity.

[Note to Preparer: INCLUDE LISTING and brief description of relevant aspects OF MAINTENANCE, TESTING / Surveillance AND IMPLEMENTATION PROCEDURES USED IN PREPARING FLOOD MITIGATION EQUIPMENT]

No specific reliability values are available for the active components in the SFMS. Reliabilities of key active components are obtained from generic estimates of commercial grade equipment of similar classes and sized components. These reliability estimates presented in Table 7. The values are judged to be overestimate failure rates for nuclear applications as these components will be subject to improved maintenance, surveillance and test programs Comment [NRCstaff57]: Clarify why this information is not available.

Draft WORKING EXAMPLE Page 31 of 54 Table 7 Reliability Evaluation of Key Systems/Components Credited in Flood Mitigation System Design Component Failure Rate Basis Submersible portable pump failure to run 1x 10-4/hour Mean failure rate based on generic value estimated from operation of low pressure, low flow,low pressure electric driven pumps. Considers data from IEEE, NPRDS and ORECA.

Submersible pump failure to start 0.001 Nominal failure to start is 0.02/d.

Reduced value selected based on engineering judgment considering plant staff has more than one day to start pump and has adequate parts and staff on site to make necessary repairs if pump does not immediately start.

DG fail to run 5 x10-5/hr Mean failure rate based on generic failure values of low voltage, low power DG. Considers data from IEEE, NPRDS and ORECA.

DG fail to start 0.01 Mean failure to start based on engineering judgment. DG included in periodic maintenance program.

Failure rate of Electrical cable or connectors Unavailable. Reliability traditionally very high.

Failure of Day Tank to Feed DG (manual valve fails to open) 0.001 Manual valve connection. Typical of Generic data. Valves surveilled routinely and tested periodically.

Comment [NRCstaff58]: The magnitude of this is similar to what may be expected of safety-related equipment that is subject to programs such as maintenance rule and tech specs. Justification for such a low number would likely require more than judgment.

Draft WORKING EXAMPLE Page 32 of 54 G. Equipment Dependencies Equipment dependencies are identified for the following components:

ADVs MSSVs Flood Migitation DGs Well water pumps These dependencies are identified in Table 8 below.

Table 8 Dependencies/Support Systems for Active Flood Mitigation Components Component Primary Support Systems Secondary Support Systems Additional ADVs IA-01 BAT-1 N2-01 Mechanical device to open and prevent closure MSSVs MSSVs MD-1 Mechanical device to open and prevent closure DG-A & DG-B FO-A FOTP-A FO-B FOTP-B Fuel Oil Truck with compatible connecting hose Gravity feed available WWP-1 & WWP-2 DG-A /MCC DG-B/MCC Groundwater*

Level Instrumentation DC-A DC-B

Water from well capable of pumping 250 gpm for a period of [x] months IA -Plant Instrument Air Compressor BAT - Battery FO - Fuel Oil Tank WWP - Well Water Pump N2 - Nitrogen Bottle MD - Mechanical Device DC-Battery/Battery Charger

Draft WORKING EXAMPLE Page 33 of 54 H. Scenario Human Reliability Assessments (HRA)

A representative timeline for the scenario under consideration is presented in Table 1. The timeline assumes primary actions are successfully implemented. Figure 2 illustrates an event tree including dominant failure branches and associated backup strategies are included in Table 1. Human actions associated with the implementation of this mitigation strategy were also considered. Response to the event is governed by the site emergency plan and subsidiary procedures to direct specific maintenance, preparatory and operator actions. Flooding activities important to safety are identified below.

A review of Table 2 indicates that flood specific actions or actions that may be impacted by the flood scenario include:

A. Stage fuel Oil truck at DG facility B. Test SFMS equipment and implement SFMS C. Connect submersible well pumps to feedwater line D. Install backup N2 to ADV E. Open ADV (when RCS reaches 100 F)

F. Open MSSV (if ADV does not open)

G. Removal of electrical connections from equipment to be flooded H. Take off SDC to allow SG feed via severe flood mitigation equipment I.

Periodic refill of DG day tank Normal proceduralized actions associated with performing an emergency cooldown are not included in the above list as these actions are known to be highly reliable and are not impacted by the potential flood.

With the exception of action I, all other flood mitigation actions are directed at preparing the plant for a flood event. Based on the detailed timeline presented in Section A, the overall time available to complete all actions from the time the ERO is fully staffed and perform these operations on a dry site is 22 hours2.546296e-4 days 0.00611 hours 3.637566e-5 weeks 8.371e-6 months .

Beyond this time all actions to be taken on the site are complicated by the presence of flood waters.

As many of the above actions are taken simultaneously the overall actions can be grouped into the following categories and are anticipated to be performed within the specified time windows.

Action Group Description Time Window Following dam breach Administrative Actions Actions to assign resources, activate teams and begin plant shutdown Less than 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months Plant shutdown per Emergency Shutdown Procedures Standard Emergency Response 1 to 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months Test SFMS Components and prepare System for Operation Test WWPs, DGs, connections, open steam relief and prepare connections to feed SG 2 to 13 hours1.50463e-4 days 0.00361 hours 2.149471e-5 weeks 4.9465e-6 months Transition from SDC system to SFMS Action initiated prior to site inundation 20 to 26 hours3.009259e-4 days 0.00722 hours 4.298942e-5 weeks 9.893e-6 months Operate SFMS Through-out remainder of event (DG fuel oil refill)

Continual Comment [NRCstaff59]: The context of the scenario needs to be better specified (including offsite considerations that may affect staff performance, such as flood impacts on the homes of personnel). This could be helped through documentation of the HFE narrative.

More information on cues and annunciators would be helpful.

Generally, more detail in needed in this section.

Comment [NRCstaff60]: This list is not comprehensive. Other actions (including administrative actions) are appropriate to consider.

Generally, it is not clear how this list of actions relates to other parts of this document.

Draft WORKING EXAMPLE Page 34 of 54 As described in the [fictitious] hazard re-evaluation report *X+, this scenario describes a sunny day dam failure. It is not expected that any additional extreme events will be correlated to the failure of the dam in this scenario. It would be expected that the types of events that would cause significant degradation in the reliability of an action (extreme lightning, hail or bitter cold) would be low frequency events and when considered with a sunny day dam failure of a well monitored and constructed dam the combined frequency of occurrence would be very low. The hazard re-evaluation report does identify the 2-year wind speed as a coincident event and calculated a XX mph continuous wind speed. However, at this magnitude wind speed and the activities being performed outdoors, will not cause a hardship on the operators performing the actions.

Table 10 below illustrates the hazards considered in the scenario and which were deemed applicable to a given key action. Many of the action required to successfully mitigate this scenario are not subject to adverse weather considered due to the being performed inside sheltered from the elements. Operators will be accustomed to performing the key actions out-of-doors in a variety of non-extreme weather conditions which are the conditions anticipated at the time of dam failure. The table describes the disposition of environmental factors with respect to each action and reports the PSF conclusion with respect to any adverse weather conditions.

As actions A through D are performed well in advance of the flood reaching the site, stress levels will be nominal. Opening a steam relief path is an important action in this process. The primary means of the opening the ADVs is via use of the plants IA system. Should the ADVs not open in this manner several alternate strategies exist including, opening the ADV via local bottled nitrogen supplies or jacking open an MSSV. As these action progress, the stresses on the operator may increase, but as there will be ample time (more than 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months margin) to take this actions, and adequate staff levels exist, nominal stress still appears appropriate. Activities to install barriers and remove cables from equipment are investment protection and personnel safety activities and ample staff will be available to adequately perform these actions. Particular concern will be focused on ensuring the removal of electrocution hazards.

[Note to preparer: State what type of training and guidance is available for example, to ensure activities are performed properly they are proceduralized and trained upon. Durations of actions are confirmed by time-in-motion studies. Table top exercises are also performed periodically with appropriate staff.]

Unique human actions important to the flood scenario are identified in Table 9. These actions are discussed in more detail below and have been individually evaluated following the guidance in Appendix C.

Note that cues for actions due to low SG level can be directly monitored in the DG facility. A comparison of the human action characteristics associated with the external flood mitigation activity and the Appendix C criteria are provided in [Tables 9 a--9j].

Comment [NRCstaff61]: The IA submittal should include a description of sources of information used in the evaluation, including the considerations described here.

Draft WORKING EXAMPLE Page 35 of 54 All risk significant utility actions to support this scenario have been evaluated using the qualitative metrics of Appendix C and all applicable attributes of those actions were evaluated as nominal or better. Therefore, human actions supporting the scenario are judged to feasible and reliable. A summary of this assessment is contained in Table 9. Detailed assessment of performance shaping factors are provided in supplementary tables. [Several example tables provided. Also provided is a supplementary table for environmental conditions and action timing and margin. Note to Preparer: Where helpful include time line map for collection of unique actions]

Comment [NRCstaff62]: Similar tables for other PSFs are appropriate. Consider including a preparers note to indicate that other PSFs should be evaluated in a similar manner (e.g., accessibility around a site is not trivial when the site in inundated and may require boats)

Draft WORKING EXAMPLE Page 36 of 54 Table 9 Summary of Key Human Actions for Implementing Credited Flood Mitigation Strategy Action Description of Action Summary Appendix C Assessment Comment Dam Operator informs Sate Emergency Organization of dam break Action is highly reliable.

Appropriate procedures are in place for proper communication. Overall time estimate to initiate full mobilization is 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months from initial notification.

Table 9-a State ERO informs Site management Proceduralized action and lines of communication defined by law.

Nominal ERO activated Standard action Nominal All factors are considered nominal.

No site flooding is expected for more than a day ERO Dispatches Maintenance and Operational crews Standard action Nominal All factors are considered nominal.

No site flooding is expected for more than a day DGs tested and aligned Standard action Table 9-b Procedure XXX Well pumps tested Standard action Table 9-c Procedure XXX Well pumps aligned as alternate SG FW source Proceduralized Flood specific action Table 9-d Procedure XXX. Components and tools needed stored in vicinity of where action is to be performed.

Team not tasked with other risk significant duties. Adequate time available Fuel oil tanker truck staged on high ground with access to DG facility.

Action is highly reliable.

Appropriate procedures and contracts are in place for proper communication.

Overall time estimate to Nominal Comment [NRCstaff63]: Double-check that the same nomenclature/terminology is used here and in Table 2. Consider adding some way to easily map these actions back to the time line (e.g., adding a reference to the time step in the timeline).

Comment [NRCstaff64]: What does this mean?

Comment [NRCstaff65]: Note earlier comment about the value of including a summary description of procedures that are flood-specific and non-routine in nature.

Draft WORKING EXAMPLE Page 37 of 54 Table 9 Summary of Key Human Actions for Implementing Credited Flood Mitigation Strategy Action Description of Action Summary Appendix C Assessment Comment initiate full mobilization is 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months from initial notification.

Operator Shuts down plant and places it in a Steam Generator a low pressure heat removal mode Standard proceduralized action supplemented by flood procedures. Action takes [8 ] hours Nominal Procedure XXX Operator installs necessary connecting spool pieces and aligns feed to SG Simple proceduralized action.

Action can be performed by a single operator in a period of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . Action can be implemented once reactor is shutdown for more than 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . Available time to perform action is 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . Six hours assumes operator has to leave area prior to barrier overtopping (4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months allotted).

Table 9-d Procedure XXX Dedicated team with ample time. Material in vicinity of action.

Operator opens ADV and takes actions to provide continuous low pressure operation Proceduralized action.

Mechanical device can be installed in 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months . Access to staging areas not impacted by flood.

Table 9-e All components and tools needed staged near ADVs. Actions are trained upon and proceduralized (Procedure XXX).

Operator opens MSSV given ADV activity cannot be completed.

Action is a backup, but actions has been demonstrated to be feasible.

Tools required, but tools are stationed in an accessible area near the MSSV.

Table 9-f All components and tools needed staged near MSSVs. Actions are trained upon and proceduralized (Procedure XXX).

Draft WORKING EXAMPLE Page 38 of 54 Table 9 Summary of Key Human Actions for Implementing Credited Flood Mitigation Strategy Action Description of Action Summary Appendix C Assessment Comment Operator opens fuel feed to feed DG Simple proceduralized action.

Can be performed in parallel with SG alignment actions.

Operator must be dispatched to DG area. Action takes 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months including preparing the DG for operation.

Table 9-g (Procedure #/steps).

Operator refills day tank.

Action to refuel day tank.

Must be done prior to emptying of day tank to avoid priming of the DG fuel system. Action must be taken once a day with more than 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months available time.

Time to refill tank is 30 minutes.

Table 9-h (Procedure #/step).

Additional resources added to site after 3 days Plant management directs off site contracted resources to deliver resources to day tank area and resources are delivered at least one day before need arises Table 9-i

Draft WORKING EXAMPLE Page 39 of 54 Table 9-A; Assessment of Reliability and Feasibility of Flood Significant Human Actions Action ID: State Notifies Utility of Dam Failure Action: Dam Operator informs State Emergency Organization of dam break Discussion: Action is highly reliable. Appropriate procedures are in place for proper communication.

PSF PSF Categories Applicable Category Summary of Justification Cues and Indications Nominal X

Dam operator maintains routine surveillance on the dam. Examination includes visual surveillance and review of stress sensors at key locations. Routine dam maintenance is performed and dam is considered in good condition.

Degraded Complexity Nominal X

Notification task is simple action. Identified sate coordinator has current plant contact information.

Clear instructions are available as to when dam conditions warrant that the state be informed.

State procedures include specific actions to contact the utility upon notification of a pending or actual dam breach or conditions warranted high discharges from the dam Degraded Special-Equipment Nominal X

Dam operator may rely on stress sensors for early notification action Degraded Human-system Interfaces Nominal NA Degraded Procedures Nominal X

Procedure XXX spells out surveillance checks, conditions requiring dam operator to immediately notify state. State procedures YYY identifies situations when the state must notify utility.

Degraded Training and Experience Nominal X

Dam operators are trained in emergency operating procedure. State officials routinely support flood drills.

Degraded Workload, pressure, Stress Nominal X

Emergency Response organization staffed by trained dedicated staff with adequate resources. No directly impacted by event.

Degraded Environmental Factors Nominal NA Degraded Special Fitness Issues Nominal NA Degraded Staffing Nominal X

Emergency position continuously manned Degraded Communications Nominal X

Communication program in place Degraded AccessabilityAccessibility Nominal NA Comment [NRCstaff66]: For each action, a detailed description should be included justifying the categorization of each PSF. In addition, a summary table (as shown here) should be included.

So, the table is just one piece of the documentation that is appropriate for each action.

Comment [NRCstaff67]: Note that scenario-specific PSFs should be added as appropriate.

Consider showing a table for an action that requires a scenario-specific PSF (e.g., an action associated with decision-making when there are investment protection considerations).

Comment [NRCstaff68]: Since not all actions can be included in the example, consider choosing actions that provide sufficient diversity in the types of actions that may need to be evaluated.

Comment [NRCstaff69]: Note that the ISG includes a moderate category for this PSF.

Draft WORKING EXAMPLE Page 40 of 54 Table 9-A; Assessment of Reliability and Feasibility of Flood Significant Human Actions Action ID: State Notifies Utility of Dam Failure Action: Dam Operator informs State Emergency Organization of dam break Discussion: Action is highly reliable. Appropriate procedures are in place for proper communication.

PSF PSF Categories Applicable Category Summary of Justification Degraded Comment [NRCstaff66]: For each action, a detailed description should be included justifying the categorization of each PSF. In addition, a summary table (as shown here) should be included.

So, the table is just one piece of the documentation that is appropriate for each action.

Comment [NRCstaff67]: Note that scenario-specific PSFs should be added as appropriate.

Consider showing a table for an action that requires a scenario-specific PSF (e.g., an action associated with decision-making when there are investment protection considerations).

Comment [NRCstaff68]: Since not all actions can be included in the example, consider choosing actions that provide sufficient diversity in the types of actions that may need to be evaluated.

Draft WORKING EXAMPLE Page 41 of 54 Table 9-B; Assessment of Reliability and Feasibility of Flood Significant Human Actions Action ID: Flood DGs tested and Aligned per Procedure AOP-XXX Action: Crew dispatched from TSC to (1) unlock and prepare DG facility for use (2) align valves and hoses in the DG fuel system to feed DGs from day tank, (3) start and run DG for 15 minutes Discussion: Action is highly reliable. All subordinate actions are proceduralized. Overall task duration is 75 minutes PSF PSF Categories Applicable Category Summary of Justification Cues and Indications Nominal X

Direction to prepare facility and align DG system included in AOP-XXX.

Degraded Complexity Nominal X

Action is simple, proceduralized and trained on at least once annually.

Degraded Special-Equipment Nominal X

No special equipment required Degraded Human-system Interfaces Nominal NA DG facility is accessible, entry via keys available in TSC, lighting in DG facility initially powered via offsite power.

Copies of procedure available in DG facility.

Degraded Procedures Nominal X

Procedure used for identified action (s) are well written. Training on flood procedure conducted annually.

Degraded Training and Experience Nominal X

Flood mitigation AOP actions trained on annually Degraded Workload, pressure, Stress Nominal X

Adequate staffing is available to ensure low workload.

Time to take action is adequate see Table 10, actions 5 and 6. Significant time margin. Two individual dispatched to DG facility.

Psychological stress is minimized as much of surrounding region not directly impacted by flood. For plant individuals with family in need of help for potential evacuation or other actions, specific individuals can be released.

Degraded Environmental Factors Nominal NA See supplemental Table Degraded Special Fitness Issues Nominal NA Actions do not have a requirement for strength or special fitness. Valves can be readily turned and valves are routine re-positioned during quarterly DG facility surveillance activities.

Degraded Staffing Nominal X

Resource loading plans are established and implemented so adequate resources are expected.

Degraded Communications Nominal X

Communication is via satellite phone Degraded Comment [NRCstaff70]: The DGs could be considered special equipment because they are not part of normal plant equipment. Consider including a discussion of why they need not be considered special equipment.

Draft WORKING EXAMPLE Page 42 of 54 Table 9-B; Assessment of Reliability and Feasibility of Flood Significant Human Actions Action ID: Flood DGs tested and Aligned per Procedure AOP-XXX Action: Crew dispatched from TSC to (1) unlock and prepare DG facility for use (2) align valves and hoses in the DG fuel system to feed DGs from day tank, (3) start and run DG for 15 minutes Discussion: Action is highly reliable. All subordinate actions are proceduralized. Overall task duration is 75 minutes PSF PSF Categories Applicable Category Summary of Justification AccessabilityAccessibility Nominal X

Keys for doors of the DG are located in the TSC and sufficient copies are available to ensure adequate access. The DG facility is located at an elevation above the highest credible flood level determined by the hazard re-evaluation.

Degraded Table 9-B.1: Assessment of ISG Appendix C Environmental factors for PSF Action ID: Flood DGs tested and Aligned per Procedure AOP-XXX Environmental Factor Impact Assessment Comment adverse weather (e.g.,

lightning, hail, wind, precipitation)

No severe weather conditions are anticipated. Human factors consider impact of 40 mph winds.

Wind speeds at this level will have little impact on plant site movements. All operational activities are within a weather protected structure temperatures (e.g., humidity, air and water temperatures, particularly if personnel must enter water)

Area not susceptible to extreme weather conditions. DG operates building HVAC and well as other comforts such as lighting and refrigerator and communication information.

Building environment controlled by HVAC supported by the facility DGs. Doors, vents and fans are available in case of HVAC failure.

conditions hazardous to the health and safety of personnel (e.g., electrical hazards, hazards beneath the water surface, drowning, structural debris)

No hazardous conditions exist during facility preparation.

Procedures limit hazards as facility is re-staffed Facility is above maximum potential flood height. Key indications and equipment (with the exception of WWPs) are located in facility. Boats are available for transport to site.

Roads to and from facility to adjacent community available during maximum flood for facility re-supply.

lack of lighting Facility is well lit.

Replacement lights available.

Back-up battery powered lanterns and flashlights /head lamps and batteries available for

[x]days. Material can be resupplied.

radiation No radiation exposure in facility Facility is located outside the

Draft WORKING EXAMPLE Page 43 of 54 radiation controlled area noise DG operation may be noisy, but will not impact DG implementation DG area walled off from crew living quarters. Within DG room, crew can wear ear protection (available in building) vibration Vibration not judged to be an issue

Draft WORKING EXAMPLE Page 44 of 54 Table 9-D; Assessment of Reliability and Feasibility of Flood Significant Human Actions Action ID: Operator aligns WWP as alternate SG FW source and Operator installs necessary connecting spool pieces and aligns feed to SG (Procedure XXX)

Action: Operator tasks include (1) taking any steps to realign WWP for preparation for injection into SG(2) installing a spool piece Discussion: Action is highly reliable. All subordinate actions are proceduralized. Overall task duration is 75 minutes PSF PSF Categories Applicable Category Summary of Justification Cues and Indications Nominal X

Direction to prepare facility and align DG system included in AOP-XXX.

Degraded Complexity Nominal X

Action is simple, proceduralized and trained on at least once annually.

Degraded Special-Equipment Nominal X

No special equipment required Degraded Human-system Interfaces Nominal NA DG facility is accessableaccessible, entry via keys available in TSC, lighting in DG facility initially powered via offsite power. Copies of procedure available in DG facility.

Degraded Procedures Nominal X

Procedure used for identified action (s) are well written. Training on flood procedure conducted annually.

Degraded Training and Experience Nominal X

Degraded Workload, pressure, Stress Nominal X

Adequate staffing is available to ensure low workload.

Time to take action is adequate see Table 10, actions 5 and 6. Significant time margin. Two individual dispatched to DG facility.

Psychological stress is minimized as much of surrounding region not directly impacted by flood. For plant individuals with family in need of help for potential evacuation or other actions, specific individuals can be released.

Degraded Environmental Factors Nominal NA See supplemental Table 9D.1 Degraded Special Fitness Issues Nominal NA Actions requiring moving a [x] lb spool piece from its storage location. Appropriate tools are available to facilitate the move and lift. Adequate resources are available to perform function.

Degraded Staffing Nominal X

Resource loading plans are established and implemented so adequate resources are expected.

Degraded Communications Nominal X

Communication is via satellite phone Degraded Comment [NRCstaff71]: Actions should be broken down as necessary to capture differences in relevant PSFs.

Comment [NRCstaff72]: Will satellite phones work in all areas of the plant (including inside thick concrete structures)?

Draft WORKING EXAMPLE Page 45 of 54 Table 9-D; Assessment of Reliability and Feasibility of Flood Significant Human Actions Action ID: Operator aligns WWP as alternate SG FW source and Operator installs necessary connecting spool pieces and aligns feed to SG (Procedure XXX)

Action: Operator tasks include (1) taking any steps to realign WWP for preparation for injection into SG(2) installing a spool piece Discussion: Action is highly reliable. All subordinate actions are proceduralized. Overall task duration is 75 minutes PSF PSF Categories Applicable Category Summary of Justification AccessabilityAccessibility Nominal X

Keys for doors of the DG are located in the TSC and sufficient copies are available to ensure adequate access. The DG facility is located at an elevation above the highest credible flood level determined by the hazard re-evaluation.

Degraded Summary of Environmental Impacts A summary of the environmental impact on the performance shaping factors is presented in Table 10.

Comment [NRCstaff71]: Actions should be broken down as necessary to capture differences in relevant PSFs.

Draft WORKING EXAMPLE Page 46 of 54 Table 10- Key Actions and Environmental Factor Impacts Considered Environmental Factors Action High Wind Hail Lightning Poor Lighting Extreme Cold PSF Category due to Enviro Factors Disposition Dam Operator informs Sate Emergency Organization of dam break N/A N/A N/A N/A N/A Nominal Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized State ERO informs Site management N/A N/A N/A N/A N/A Nominal Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized ERO activated N/A N/A N/A N/A N/A Nominal Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized ERO Dispatches Maintenance and Operational crews Y3 N/A N/A N/A N/A Nominal This action requires operators to move about the site, exposed to the elements, however, dispatch will be performed prior to flooding conditions at the site and there are no correlated extreme weather conditions anticipated with this flood scenario.

DGs tested and aligned N/A N/A N/A N/A N/A Nominal Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized Well pumps tested Y3 N/A N/A N/A N/A Nominal This action requires operators to be exposed to the elements, however, dispatch will be performed prior to flooding conditions at the site and there are no correlated extreme weather conditions anticipated with this flood scenario.

Comment [NRCstaff73]: Note that other environmental factors may be important. If they are not applicable to this example, then consider adding a preparers note that the environmental factors included in this example are not an exhaustive list.

Draft WORKING EXAMPLE Page 47 of 54 Table 10- Key Actions and Environmental Factor Impacts Considered Environmental Factors Action High Wind Hail Lightning Poor Lighting Extreme Cold PSF Category due to Enviro Factors Disposition Well pumps aligned as alternate SG FW source Y3 N/A N/A N/A N/A Nominal This action requires operators to be exposed to the elements, however, dispatch will be performed prior to flooding conditions at the site and there are no correlated extreme weather conditions anticipated with this flood scenario.

Fuel oil tanker truck staged on high ground with access to DG facility.

Y3 N/A N/A N/A N/A Nominal This action requires operators to be exposed to the elements, however, dispatch will be performed prior to flooding conditions at the site and there are no correlated extreme weather conditions anticipated with this flood scenario.

Operator Shuts down plant and places it in a Steam Generator a low pressure heat removal mode N/A N/A N/A N/A N/A Nominal Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized Operator installs necessary connecting spool pieces and aligns SG feed to flood protected source N/A N/A N/A N/A N/A Nominal Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized Operator opens ADV and takes actions to provide continuous low pressure operation Y3 N/A N/A N/A N/A Nominal This action requires operators to be exposed to the elements, however, dispatch will be performed prior to flooding conditions at the site and there are no correlated extreme weather conditions anticipated with this flood scenario.

Operator opens MSSV given ADV activity cannot be completed.

Y3 N/A N/A N/A N/A Nominal This action requires operators to be exposed to the elements, however, dispatch will be performed prior to flooding conditions at the site and there are no correlated extreme weather conditions anticipated with this flood scenario.

Operator opens fuel feed to feed DG N/A N/A N/A N/A N/A Nominal Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized Comment [NRCstaff73]: Note that other environmental factors may be important. If they are not applicable to this example, then consider adding a preparers note that the environmental factors included in this example are not an exhaustive list.

Draft WORKING EXAMPLE Page 48 of 54 Table 10- Key Actions and Environmental Factor Impacts Considered Environmental Factors Action High Wind Hail Lightning Poor Lighting Extreme Cold PSF Category due to Enviro Factors Disposition Operator refills day tank.

N/A N/A N/A N/A N/A Nominal Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized Additional resources added to site after 3 days Y3 N/A N/A N/A N/A Nominal Y1 - Applicable hazard considered to impact the action Y2 - Applicable hazard considered in reliability analysis but did not impact the action Y3 - Hazard considered but found to not have any impact on the action N/A - Hazard not applicable to action (see description)

Comment [NRCstaff73]: Note that other environmental factors may be important. If they are not applicable to this example, then consider adding a preparers note that the environmental factors included in this example are not an exhaustive list.

Draft WORKING EXAMPLE Page 49 of 54

Draft WORKING EXAMPLE Page 50 of 54 Timing Analyses Timing analysis of human actions is identified in the ISG as a means to identify reliability of an action.

Relevant timing for operator actions are derived from time in motion studies, walk-throughs and other activities. Outdoor activities were increased[ X%] from site observations to account for potentially less than ideal operational conditions. Important time parameters and available margin based on the Table 2 event timeline are summarized in Table 11. This information is used to support filling out the workload/stress and training portions of the psf table (Table 9A-9J)

In reviewing Table 11, the following terms are associated with each timing element:

T0 = start time, or the point in time in a flooding scenario or HFE narrative at which the conditions exist that will require the human action (e.g., a weather forecast predicts excessive precipitation, a dam failure occurs, a levee onsite is overtopped, leakage develops)

Tdelay = time delay, or the duration of time it takes for the cue to become available that the action will be necessary (assumes that action will not be taken in the absence of a cue)

Tsw = the time window within which the action must be performed to achieve its objective Tavail = the time available for action = (Tsw - Tdelay)

Tcog = cognition time, consisting of detection, diagnosis, and decisionmaking Texe = execution time including travel, collection of tools, donning of PPE, and manipulation of relevant equipment Treqd = time required, or the time required for an individual or crew to accomplish the action = (Tcog + Texe)

The time margin for relevant actions can be expressed as Time Margin =

x 100%

These parameters are identified for each of the flood significant actions included in Table 9-a through 9-i. A summary of these times is identified in Table 10. These actions are and timings are based on table 1 and visually illustrated along with resource demands and availabilities in Section C. Results of the timing analysis demonstrate that the flood critical actions have significant margin and key aspects of the flood preparatory work is finished within an 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months time window. Transition from SDC to SFMS decay heat removal can be performed at any time after the initial preparatory work is complete. The task is delayed until the time the flood elevation approaches site grade. Details of all actions are given in the following procedures. :

{List all applicable implementing procedures]

Comment [NRCstaff74]: It is not clear how uncertainty is handled as part of the timing analysis.

Comment [NRCstaff75]: List and summarize

Draft WORKING EXAMPLE Page 51 of 54 Table 11:

Timeline for Flood critical Human Actions HR ID Action T0 (hr)

Tcomp (hr)

Tdelay (hr)

Tsw (hr)

Tcog (hr)

Texc (hr)

Tavail (hr)

Treqd (hr)

Time Margin

(%)

1 Dam Operator informs State Emergency Organization of dam break 0

0.45 0.25 1

0.1 0.1 0.75 0.2 275.0 2

State ERO informs Site management 0.45 0.9 0.25 1

0.1 0.1 0.75 0.2 275.0 3

ERO activated 2

0.25 4

ERO Dispatches Maintenance and Operational crews 2.25

.25 5

Operator opens fuel feed to feed DG 2.5 3.25 0.25 14 0.25 0.25 13.75 0.5 2650.0 6

DGs tested and aligned 3.25 5.25 0.25 15.5 0.25 0.5 15.25

.75 771.4 7

Well pumps tested 2.5 3.75 0.25 16 0.25 0.75 15.75 1

1475.0 8

Well pumps aligned as alternate SG FW source 4

5.25 1

16 0.25 1 15 1.25 1000 9

Fuel oil tanker truck staged on high ground with access to DG facility.

2 7.25 1

16 0.25 4

15 4.25 252.9 10 Operator Shuts down plant and places it in a Steam Generator a low pressure heat removal mode 0.5 6

11 Operator opens ADV using plant air compressor (action to provide continuous low pressure operation) 4 0.5 14 0.25 0.25 13.5 0.5 2600.0

.12 Operator opens ADV via back-u means given primary ADV activity cannot be completed 4.5 5.5 0

13.5 0.5 0.5 13.5 1

1250.0 13 Operator initiates SG feed via SFMS 20 20.75 0.25 10 0.25 0.25 9.75 0.5 1850.0 14 Operator turns off SDC system 20.25 21 0.25 9.75 0.25 0.25 9.5 0.5 1800.0 15 Operator refills day tank 0.25 12 0.25 0.25 11.75 0.5 2250.0 Comment [NRCstaff76]: Are times nominal or bounding?

Draft WORKING EXAMPLE Page 52 of 54

Draft WORKING EXAMPLE Page 53 of 54 Conclusion As a consequence of the low failure probabilities of flood protected equipment and high reliability of the necessary human actions being taken to implement the external flood mitigation procedures described above,, there is adequate assurance that the site will be protected from an overtopping of the design flood barrier during the re-evaluated hazard.

Draft WORKING EXAMPLE Page 54 of 54

ML13037A632

Contents

Text

Subject:

Subject:

=

Navigation menu

ML13037A632

Text

Subject:

Subject:

=

Navigation menu

Search