ML13037A632: Difference between revisions
[Note to Preparer: INCLUDE LISTING and brief description of relevant aspects OF MAINTENANCE, TESTING / Surveillance AND IMPLEMENTATION PROCEDURES USED IN PREPARING FLOOD MITIGATION EQUIPMENT]

No specific reliability values are available for the active components in the SFMS. Reliabilities of key active components are obtained from generic estimates of commercial grade equipment of similar classes and sized components. These reliability estimates are presented in Table 7. The values are judged to overestimate failure rates for nuclear applications as these components will be subject to improved maintenance, surveillance and test programs

Comment [NRCstaff57]: Clarify why this information is not available.

Table 7 Reliability Evaluation of Key Systems/Components Credited in Flood Mitigation System Design

| Component | Failure Rate | Basis |
|---|---|---|
| Submersible portable | 1 x 10^-4/hour | Mean failure rate based on generic pump failure to run value estimated from operation of low pressure, low flow, low pressure electric driven pumps. Considers data from IEEE, NPRDS and ORECA. |
HR ID | Action | Time T0 (hr) | Tcomp (hr) | Tdelay (hr) | Tsw (hr) | Tcog (hr) | Texc (hr) | Tavail (hr) | Treqd (hr) | Margin (%)
1 Dam Operator informs State Emergency Organization of dam break 0 0.45 0.25 1 0.1 0.1 0.75 0.2 275.0
2 State ERO informs Site management 0.45 0.9 0.25 1 0.1 0.1 0.75 0.2 275.0
3 ERO activated 2 0.25
4 ERO Dispatches Maintenance and Operational crews 2.25 .25
5 Operator opens fuel feed to feed DG 2.5 3.25 0.25 14 0.25 0.25 13.75 0.5 2650.0
6 DGs tested and aligned 3.25 5.25 0.25 15.5 0.25 0.5 15.25 .75 771.4
7 Well pumps tested 2.5 3.75 0.25 16 0.25 0.75 15.75 1 1475.0
8 Well pumps aligned as alternate SG FW source 4 5.25 1 16 0.25 1 15 1.25 1000
9 Fuel oil tanker truck staged on high ground with access to DG facility. 2 7.25 1 16 0.25 4 15 4.25 252.9
10 Operator Shuts down plant and places it in a Steam Generator a low pressure heat removal mode 0.5 6
11 Operator opens ADV using plant air compressor (action to provide continuous low pressure operation) 4 0.5 14 0.25 0.25 13.5 0.5 2600.0
12 Operator opens ADV via back-up means given primary ADV activity cannot be completed 4.5 5.5 0 13.5 0.5 0.5 13.5 1 1250.0
13 Operator initiates SG feed via SFMS 20 20.75 0.25 10 0.25 0.25 9.75 0.5 1850.0
14 Operator turns off SDC system 20.25 21 0.25 9.75 0.25 0.25 9.5 0.5 1800.0
15 Operator refills day tank 0.25 12 0.25 0.25 11.75 0.5 2250.0
Revision as of 07:25, 6 February 2020
| ML13037A632 | |
| Person / Time | |
|---|---|
| Issue date: | 02/01/2013 |
| From: | Ed Miller Containment and Balance of Plant Branch |
| To: | Jeffrey Riley Nuclear Energy Institute |
| Miller, Ed 415-2481 | |
| References | |
| Download: ML13037A632 (55) | |
Text
From: Miller, Ed
To: jhr@nei.org
Subject: FW: Staff feedback on NEI's example of a scenario-based evaluation
Date: Friday, February 01, 2013 5:53:06 PM
Attachments: NEI_Draft_WORKING_EXAMPLE_NRCcomments_2013_02_01.pdf

Jim,

As described below, these are the promised high-level comments from the group for discussion at the Feb 21 public meeting. Please let me know if you have any questions in the interim. Thanks.

Ed

From: Bensi, Michelle
Sent: Friday, February 01, 2013 4:10 PM
To: Miller, Ed
Cc: Cook, Christopher; Thompson, Jenise; Chokshi, Nilesh
Subject: Staff feedback on NEI's example of a scenario-based evaluation

Ed,

Attached is the higher-level feedback from NRC staff on NEI's example of a scenario-based evaluation. We will provide more detailed feedback on a subsequent draft of the document. Please forward.

Thanks,
Shelby
Draft WORKING EXAMPLE

Working Example Template: Scenario Based Integrated Assessment Evaluation of a Sunny Day Dam Failure with Advance Warning of an External Flood and Severe Site Flooding

Comment [NRCstaff1]: A few global comments:

Please perform a global consistency check on terms, phrases, etc. This is suggested to ensure actions and events are referred to using the same terminology, which will make it easier to cross-reference between sections.

Integrate the sections of the document using cross-referencing. Often claims are made early in the document without justification. If justification is provided later in the document (e.g., through a detailed assessment), then a cross-reference to that section would be helpful at the point in the document when the claim is initially made.

Questions arose about the physics of the strategy with respect to the temperature of the primary side if the SGs are to be used.

More discussion of required instrumentation and cues is important.
Background

The following external flood scenario is based on a sunny day failure of an upstream dam located 200 miles from the site of a 3000 Mwt 4-Loop PWR. The nuclear plant is a single unit site. The site walkdown conducted at the unit in 2012 and submitted to the NRC in November 30, 2012, indicates that all plant design basis flood features were capable of performing their intended functions.

Comment [NRCstaff2]: Suggestion: Consider adding a preface to the document to indicate that this is an example, that it is necessarily incomplete, that it represents just one portion of a much larger assessment, etc.

Comment [NRCstaff3]: Suggestion: Consider adding a table of contents and using a numerical section labeling scheme (e.g., 1., 1.1, 1.1.1). This will help the reader understand the overall framework of the document and allow the reader to easily navigate the document.

Overview

Recommendation 2.1 of the NTTF required that all nuclear power plants perform an external flood hazard re-evaluation using present day methods and assumptions typical of current regulatory practice. The results of that hazard re-evaluation are discussed in section 5 of the ISG. The hazard information contained in that section noted that the site predicted maximum hazard flood elevation has increased 5 feet from 900 msl to 905 msl. For performing an integrated assessment of this flood elevation increase the following specific characteristics of the external flood hazard were identified:

o flood height and associated effects
o warning time
o intermediate water surface elevations that trigger actions by plant personnel
o flood event duration
o plant mode(s) of operation during the flood event duration

Comment [NRCstaff4]: Suggestion: Add a preparers note to indicate that there are characteristics/challenges associated with multi-unit sites that are not captured in this example, which is single unit.

Comment [NRCstaff5]: The integrated assessment ISG indicates that the submittal should provide justification that the scenario-based evaluation provides sufficient detail and supporting information to demonstrate that there is high confidence that key safety functions can be maintained. This section of the example may be a place to include this information (e.g., using a preparers note).

This flood scenario is presented only as a representative example of one flood scenario. The focus of the scenario is on RCS heat removal. For illustration purposes, the example scenario presented does not include consideration of Spent Fuel Pool (SFP) cooling. A complete scenario description would be expected to also successfully disposition make-up to the SFP. Utilities are cautioned that events and mitigating conditions unique to their respective site may warrant additional and/or different response.
The overall integrated assessment scenario discussion is presented as follows:
Section A, Description of the Flood Scenario, provides a detailed discussion of the full scenario including important site elevations, actions and mitigating equipment. Section B of this scenario assessment includes a detailed discussion of flood significant mitigation equipment. Section C provides a graphical presentation of the timeline presented in Section A including task resource loadings and anticipated available staff. Section D includes a high level flood scenario event tree. System operability, reliability and dependency issues are discussed in Sections E through H. An assessment of the feasibility and reliability of flood significant protection and mitigation actions is provided in Sections H and I.
Section J concludes.

Comment [NRCstaff6]: Consider expanding this section to describe, in more detail, how the document is structured. For example, claims are made in early sections of the document but are justified by assessment later in the document.
A. Description of the Flood Scenario and Initial Conditions

A plant has an external flood protection system that is based on a design basis flood of 900 ft msl. Plant grade is 895 ft msl. The results of the re-evaluated hazard height indicate that a sunny day failure of an upstream dam would create a flood that could reach 905 ft msl. A flood elevation in excess of 900 msl will result in all current licensing basis (CLB) flood protection barriers being overtopped resulting in a loss of core cooling and inventory control safety functions. The anticipated time for the flood to reach plant grade is 24 hours (including consideration of wave run up). The 900 msl level (including margin for wave run up) may be reached as early as 30 hours after the initial dam breach. A peak flood height of 905 ft msl (including consideration of wave run-up) can potentially be reached 6 hours later. This peak height is stable for a period of approximately two weeks and is predicted to gradually subside at a rate of 1 ft per day. The re-evaluated hazard assumes an initial river level at the site of 890 ft msl.

Comment [NRCstaff7]: Suggestion: Consider adding a preparers note to indicate that other mechanisms (whether due to dam failure or other causes) would need to be evaluated separately or through specification of an enveloping scenario as discussed in the integrated assessment ISG.

Comment [NRCstaff8]: References to elevations are not consistent throughout the document (e.g., 905 ft MSL, 905 MSL, 905 ft). Please make consistent.
Suggestion 1: Consider using a datum such as North American Vertical Datum 1988 (NAVD88) or World Geodetic System 1984 (WGS84). MSL is a poor vertical datum nomenclature.
Suggestion 2: State early in the document that all elevations are in a given datum and then simply reference elevations as x ft (e.g., 905 ft).
Table 1 Re-Evaluated Hazard Characteristics From Section 5 of ISG

| Parameter/Feature | Condition | Comment |
|---|---|---|
| Scenario Type | Sunny Day Dam Failure | No other hazard assumed |
| Plant Initial Condition | Full Power Operation | All equipment considered operable |
| Plant grade | 895 ft msl | |
| Initial River Level at site | 890 ft msl | |
| Warning Time | 24 hours prior to flood reaching site grade; 30 hours for flood to overtop flood barriers | |
| Flood Elevation Profile | See Figure 1 | |
| Flood Duration | 13.5 days | Flood duration estimated from time water reaches site grade |
| Ancillary conditions | Nominal weather conditions¹ | |

¹ For purposes of human performance assessments nominal weather conditions assumed a worst two year site wind speed of 40 mph. The likelihood of occurrence of this wind speed in combination with a sunny day dam failure is 0.0015.

Comment [NRCstaff9]: The ISG indicates that the following flood scenario parameters should be specified:

o flood height and associated effects:
  - flood elevation
  - wind waves and run-up effects;
  - hydrodynamic loading, including debris;
  - effects caused by sediment deposition and erosion;
  - concurrent site conditions, including adverse weather conditions;
  - groundwater ingress; and
  - other pertinent factors.
o flood event duration, including warning time and intermediate water surface elevations that trigger actions by plant personnel
o plant mode(s) of operation during the flood event duration
o other relevant plant-specific factors

Consider tabulating all of these values, or including a preparers note when something is not relevant (most of these factors are already included in this table).

One of the items listed above indicates that elevations that trigger actions by plant personnel, should be specified. For this item, it may be helpful to generate a ruler showing flood elevations and actions. Example of a ruler is included in a comment below.

Comment [NRCstaff10]: Consider adding a preparers note that this is not generically true (but is specified here because a sunny-day event is under consideration).
Figure 1: Scenario Site Flood Profile

The intake structure includes debris protection up to the CLB licensing level of 900 msl. Thus, until plant barriers are overtopped the intake structure does not clog and the service water systems can be maintained operable until the flood height at the site reaches 900 ft msl. Turbine driven AFW pumps can be operated and are protected to a site elevation of 902.5 ft msl. The EDG rooms begin flooding at 902 ft msl and EDGs will not be operable by the time the flood height is expected to reach 905 ft msl.

Comment [NRCstaff11]: Consider adding a ruler figure to show elevations and consequences or actions. E.g.,

It has been determined that it is not physically possible to provide protection for the existing CLB flood mitigation equipment at the new higher flood elevation. However, a mitigation strategy has been developed which provides highly reliable mitigation for flood events above 905 ft MSL with some margin using a dedicated severe flood mitigation system (SFMS). This system provides an alternate source of power, instrumentation and water to maintain the plant in a safe shutdown mode. Details on the Severe Flood Mitigation System are presented in Section B.
The following features characterize the flood scenario:
o The installed physical protection barriers provide 5 feet of protection above plant grade.
o Overtopping the physical protection barriers for an extended period will result in compromising all permanently installed plant shutdown safety systems.

Comment [NRCstaff12]: Does the strategy only apply to events above 905ft? What about an event resulting in a flood height of say 903 ft, which would cause a loss of EDGs, etc.?

o The Flooding Hazard Re-evaluation shows the flood will not reach the site for a period of 24 hours and will not exceed the current plant design basis flood physical protection features of the plant for at least 30 hours after the dam break
o Adverse site weather conditions are not anticipated following a sunny day dam breach.
o Offsite and emergency onsite power is expected to be available until the flood height reaches 902 ft msl. A berm protects offsite power to 905 msl, however procedures de-energize switchyard for purposes of personnel protection. This action is taken after the SFMS has been implemented and verified functional.
o The flood duration for the dam break event is calculated to exceed the height of the physical protection barriers for 13.5 days
o As the flood will not reach the site for 24 hours, normal land access to the plant's protected area is available for 24 hours after the dam break
o The plant is notified of a dam failure 1 hour after onset and this is confirmed by gauge readings downstream of the dam

Comment [NRCstaff13]: Consider adding reference to durable agreements.

Comment [NRCstaff14]: Suggestion: Add information (here or elsewhere in the document) regarding how the reading is performed (e.g., who goes out and reads the gauge), how frequently the gauge is read, the basis for maintenance of the gauge, etc. Generally provide information regarding the reliability of the gauge.

o While not credited in this assessment, dam distress can be seen prior to failure (several hours) as the dam owner periodically inspects the dam condition, and that the dam owner will notify the state of impending failure. The state will notify the plant of a potential failure and the plant management will be primed for an event. Other than providing this information to management no other action is taken until the time the dam fails.
The current assessment assumes that the initial action starts at the time the dam breach is reported to the utility administration. Dam owner surveillance activities are likely to extend this time interval by identifying and reporting pre-failure conditions to the state. While not credited, reasonable dam operator and state actions are provided in Table 1 prior to the time 0 dam failure point.
o Plant is initially operated at full power and all plant systems are available until the flood level reaches site grade. All safety related systems will be available until the flood level reaches 900 msl. While some residual capability exists beyond that point, the only systems credited are components of the SFMS.
o Plant is shutdown according to plant standard operating procedures for an emergency shutdown. Any RCS leakage prior to reaching cold shutdown conditions is made up by the normal plant charging system.
o Once shutdown and placed on shutdown cooling, RCS leakage is anticipated to be below [0.1 gpm]. As the core is shutdown following emergency guidelines and power is available to the charging pumps throughout the shutdown process, the RCS inventory will be maintained at normal operating levels in accordance with procedures. Specifically, it is expected that over time the average RCS temperature will fall to around 220 F and the long term RCS pressure will be below [100] psia. This will result in a shrinkage of inventory equivalent to about 12% of the inventory associated with shutdown cooling entry. If leakage of 0.1 gpm occurs over the duration of the event inventory makeup sufficient RCS inventory will be available to allow core cooling for approximately [60] days. Thus, long term strategies include monitoring pressurizer level and establishing long term inventory control. To address potential long term issues with inventory, procedures are in place to utilize FLEX equipment for direct injection into the RCS once the flood water level recedes to 900 ft msl.

[Preparers note: Include discussion of heat removal thermal hydraulics and anticipated coolant levels in the RCS. Include basis for anticipated leakage, description of short and long term inventory control processes (if any) and identify any associated implementation procedure and/or mitigation equipment.]

Comment [NRCstaff15]: And text related to instrumentation and supporting power.
A detailed external flood timeline for the scenario is presented in Table 2. A simplified version of this timeline is also provided in Section C with associated resource loading estimates.
Site Description and Topology

Comment [NRCstaff16]: Change to topography (global change needed)

The ability of the plant to respond to and mitigate the event is strongly dependent on the topology of the site and its environs. As the maximum re-evaluated hazard has been predicted to be 905 ft msl, flood mitigation electrical AC supplies (DGs) have been housed in the SFMS building(s) outside the protected site area, under the direct control of the utility, with a floor elevation of 915 ft msl. The mitigation equipment includes a seismic category, tornado resistant building housing two DGs, fuel oil tank and an adjacent pad for a fuel truck. DGs are electrically connected to Motor Control centers (MCCs) which power (1) two submersible pumps located below the flood plain which are capable of providing feed to the SGs (2) a fuel transfer pump and (3) house loads for lighting, HVAC and refrigeration, etc. Access to this mitigation equipment is available from a highway and local roads which will be above the flood elevation. All major bridges between the surrounding community and the town are expected to remain passable for the event duration.

[Preparers note: Objective of this section is to establish a basis for ensuring that off-site fuel supplies will be available to the site in advance and in the days immediately following the event. Regional resource centers may provide longer term assistance using air support. If relevant provide a topological map of the site. Additionally, pathways required to implement mitigation strategies and ingress to the site should be fully described herein]

Comment [NRCstaff17]: Discussion should include capability of air support to access site or offsite staging areas (which may be challenged by concurrent weather conditions under some flood scenarios) as well as the capability to move resources from staging areas to the site and around the site. Consider adding discussion of applicable durable agreements.
B. Overview of Flood Mitigation Features

To mitigate this re-evaluated hazard, the plant has built a structure designed to, or evaluated equivalent to ASCE 7-10, Minimum Design Loads for Buildings and Other Structures. The structure is located at an elevation 10 feet above the new flood hazard level that houses two low voltage [X] Kw Diesel Generators (DG) each with a 24 hour fuel supply. DGs are aligned to a Motor Control Center (MCC) that powers either one of two submersible well pumps, a small fuel transfer pump, and building hotel loads (lighting, communications, refrigeration, and HVAC). The MCC is connected to the well water pumps via two underground cables enclosed in water-protected conduits. The DG Fuel tanks can be resupplied via connections to a Fuel Oil Storage Tank located outside the building or via a direct feed from a fuel oil storage truck. Fuel supplies to the DGs can be cross tied. In addition, the facility houses a small battery and charger capable of remote instrumentation to monitor water levels in the SG and pressurizer.

Comment [NRCstaff18]: Suggestion: Describe how ASCE 7-10 relates to whether the building is a seismic category, tornado resistant building (as described in the previous section) and identify the associated intensities (e.g., wind speeds).

The location of the DG building is such that the structure can be accessed via multiple roads that are not expected to be flooded. These roads effectively connect the DG building with surrounding communities and provide road access for resupply of fuel and equipment. A helipad area is also adjacent to the building to allow ready access for airborne supplies. Several contracts with local fuel oil dealers are in effect that would allow transport of a fuel oil truck with X gallons of fuel to be provided to the site on x hours notice. The tanker truck is to be parked in a lot outside of the DG building and serve as the long term fuel tank for the SFDGs.
Approximately 2000 ft of underground cables connect the MCCs to the submersible well pumps.
The plant has installed one [x] hp AC powered submersible pump in each of two wells located on the flood plain. Each pump is capable of providing up to 250 gpm (approximately 3 times that necessary to remove decay heat during this interval). These pumps are included within the plant preventive maintenance program XXX where the pumps are administratively required to be routinely surveilled quarterly and are subject to functional tests once a year prior to flood season. A system performance test is performed every three years. A functional summary of the components of the SFMS is presented in Table 3. Additional features of the pump and discharge / delivery capabilities are as follows:

o Piping is installed between the pumps and SG feedlines such that each well pump feeds one SG.
o The wells, piping and electrical cables have been designed and installed to survive a design basis earthquake
o Pumps have been confirmed to provide adequate flow to remove decay heat in excess of 12 hours after shutdown.
o Pumps in well can be powered from either DG
o Electrical cable to the pumps and piping from the pumps is installed to resist the effects of the flood including erosion and debris
o Supply of well water is sufficient to supply water to the SG for the duration of the event

Comment [NRCstaff19]: The scenario is a sunny-day scenario. While articulating the timing and frequency of testing is relevant, it should be clear that, because this is a sunny-day event, it is not reasonable to credit that the equipment will have just been tested. Crediting of equipment testing should be consistent with what is done in normal practice for any equipment that is inspected on an annual basis.

Comment [NRCstaff20]: Suggestion: Provide additional information (here or elsewhere in the document) regarding how the test is performed (e.g., whether and how the valves exercised).

Delivery to the SG is effected by injection through a recently installed tee connection to the AFW line. The tee branch is normally closed by two manually operated valves. Implementation instructions require the: (1) submersible pump discharge piping be connected to the valve flange (2) install intermediate connection spool piece (3) open two manual valves on the AFW tee and (4) open associated submersible pump discharge valves. This task is included in AOP-XXX and is trained upon once per year. Plant has installed valves, flanges and connection points to facilitate establishment of an alternate injection paths to one of four SGs. Spool piece is stored in a protected bin in the vicinity of the connection point.

Comment [NRCstaff21]: Are these locked valves?
Table 3 Functional Description of Severe Flood Mitigation System (SFMS)

| Component | Function |
|---|---|
| Two 250 gpm capacity well water pumps (WWP) (electric drive) | Redundant SG makeup capability |
| Fuel oil pump (electric drive) & hoses | Transfer of fuel from external tank / truck to day tank |
| Well/groundwater | Water source for SG feed |
| Two Diesel Generators (redundant power supply) | Building lighting, power to submersible pumps, oil transfer pump |
| Motor Control Center | Power distribution and connection to loads |
| Cable to well pumps (2) | Connection to loads |
| SG ADVs/MSSVs | Used for steam relief paths |
| Site air compressors | Used as primary means to open ADVs |
| Nitrogen bottles, batteries | Used as backup means to open ADVs |
| Spool piece Connector | Establish connection between WWP discharge and SG feed |
| Mechanical gaging devices/equipment | Keep ADV/MSSVs open |
| Manual valves | Complete connection between WWP and SG feed |
| DG Support Center Building | House and protect DGs, and staff for event duration. |
| SG level monitor/ WWP discharge flowmeters/DG Fuel Level | Devices to confirm continued effectiveness of strategy |
| Commodities (Food, Potable water) | Support for site personnel |
| Lighting | Facilitate operations |
| PZR level monitor | Instrument feed routed to and displayed at DG facility |
| SG Level monitor | Instrument feed routed to and displayed at DG facility |

Comment [NRCstaff22]: Suggestion: Add additional instrumentation that would provide relevant information on the plant during the scenario (particularly in a SBO scenario).
Suggestion: Include core exit thermocouples at minimum.

Additional details regarding operational characteristics and reliability of flood mitigation equipment are included in section E.
[Note to Preparer: Include the following:
- 1. A P&ID for the flood mitigation system
- 2. An elevation diagram showing the relative placement of the DGs and submersible well pumps and associated housing structures with the piping connecting the post-flood mitigation pumps to the SG inlet piping
- 3. Building equipment layout drawings should be provided
- 4. Procedures to surveil, maintain, test, implement and operate (and instrumentation)
- 5. Equipment details including:
- a. Manufacturer ratings,
- b. Construction details (mounting, installation and seismic/flood protection)
- c. operating environment requirements]
Comment [NRCstaff23]: Convey to the reader/user that this can be a simplified P&ID generated for the purposes of the submittal and need not be a full P&ID.
In anticipation of this challenge the plant installed two low voltage severe flood diesel generators (SFDGs) and a day tank filled with fuel in a protected area at an elevation of 915 ft msl. Each SFDG provides power to an MCC which is capable of powering one of two submersible well pumps located on the site via an underground cable and other facility loads. The MCC also includes a battery supply to power SG level and pressurizer level instrumentation. Each of the well water pumps is capable of being connected to the plant AFW piping and providing low pressure feed to two steam generators.
- 6. Overview of Timeline and Resource Loading
The key event timelines are identified in Table 2. A graphical illustration of the hazard impact and plant responses is presented in an attached Excel File Figure 2. [EXCEL file is for purposes of illustration only.]
Comment [NRCstaff24]: A few comments on the Excel sheet:
It would be helpful to include an explanation on how to read and interpret the figure/spreadsheet. For example, it was not entirely clear how to interpret the available resources in the staffing table (e.g., Are the available resources inclusive of all available staff or does it only count the number of staff on any shift?). Several other interpretations of the figure were not completely clear.
Consider incorporating information on fatigue (either into the figure or into the text). How long could a particular group of staff work before fatigue considerations become a factor?
Consider adding actions not directly related to safety-functions (e.g., actions associated with evacuation or investment protection) that may place a demand on site personnel resources and should factor into the staffing analysis.
Some of the timing information (particularly for the first few tasks in the table) is associated with short time windows, which generally calls into question the reliability of the actions.
The time line ends with the recession of water from the site. The flood event duration may extend past the recession of water from the site.
Comment [NRCstaff25]: Please clarify what "for illustration purposes only" means. Does this mean it will not be part of the submittal? Or is this a note to the preparer?
Table 2 Detailed Event Timeline
Time | River Level (ft msl) | Event | Action | Procedure | Impact/Comment
Comment [NRCstaff26]: Add unit (hours)
Comment [NRCstaff27]: Suggestion: Add a column that includes justifications/explanations/evaluations that are associated with the action (or provides a reference to where the justification can be found elsewhere in the document).
-12 | 890 | Dam operator notes upstream dam to be in distress and actions are being taken to prevent failure | Dam operator notifies state emergency organization that significant leakage is occurring at the dam and that the dam spillways have been opened to their maximum capacity | Dam Owner Procedure XXX; State ERO Procedure XXX | Dam condition and operational occurrences are provided to state emergency response procedure XXXX
Comment [NRCstaff28]: Is this assumption applicable at all times (e.g., in the middle of the night)?
-9 | 890 | | State emergency organization notifies control room of increased river flow and dam situation | State ERO procedure XXXX | Letter of understanding exists between state and utility
-8 | 890 | Plant enters flooding preparation procedures including monitoring of river stage gauges | Management notification of situation is initiated | Procedure XXX |
Comment [NRCstaff29]: Clarify whether this is licensee management. Similar clarifications may be required elsewhere in the document.
0 | 890 | Dam Breach Occurs | Dam Owner notifies State Emergency Organization of Breach | Dam Owner Procedure XXX | Typically a dam breach will be preceded by a time where the dam operational conditions are monitored and mitigation actions taken. Such actions may include reducing dam inventory by release of water through spillways. Hazard Re-Evaluation analysis assumes bounding conditions and does not credit potential mitigation efforts.
1 | 890 | Plant is notified of dam breach and confirms rapid increase in river gauge downstream of dam | ALERT is declared and ERO is activated | Emergency Plan procedure XXX |
Comment [NRCstaff30]: Clarify who at the plant is notified (i.e., who receives the call?).
Comment [NRCstaff31]: Is a NOUE declared prior to the ALERT?
1.25 | 890 | | Plant begins emergency shutdown in accordance with [AOP-XXX] | AOP-XXX |
Comment [NRCstaff33]: Suggestion: Include a summary description of procedures that are flood-specific and non-routine in nature. This is a global comment.
1.5 | 890 | Plant reaches hot shutdown and begins cooldown at 75 °F/hr | | AOP-XXX |
Comment [NRCstaff32]: Consider adding information on plant modes to the timeline
Comment [NRCstaff34]: Consider adding a preparers note to indicate that PTS considerations may be a factor (e.g., if TS limits are exceeded).
2 | 890 | ERO is staffed | Command and Control transferred to Site Director. Work is planned and staffed in accordance with site's Emergency Plan procedures | Emergency Plan Procedure XXX | Staffing levels are established in accordance with the Emergency Plan
3 | 890 | Crews dispatched from Emergency Facility | Test Flood Mitigation diesels | AOP-xxx [] | Diesels located in dedicated building at 915 ft msl
 | 890 | | Test submersible pumps | Proc-XXX | Submersible pumps located in wells which have a top elevation of 900 msl
 | 890 | | Assemble and stage equipment to connect submersible pumps to feedwater lines | AOP-XXX | Task includes: (1) removal of blind flange cover on spool piece connecting to feedwater piping (2) locate flexible discharge piping for spool piece connection. Note: flexible piping is already connected to submerged pump and routed to near FW piping. Connecting pipe is located in vicinity where connection to be established.
4 | 890 | Crews dispatched from Emergency Facility | Install flood barriers and ensure availability of portable lighting | AOP-XXX Proc-XXX | Procedure provides guidance to install flood protection to AB and establish 5 ft berm around switchyard. Activities protect safety related and selected other structures to 900 msl. Flood barrier installation will only impact plant response between the 895 msl to 900 msl
Comment [NRCstaff35]: There are several references to flood barriers throughout the document. It is not clear if there is one set of flood barriers or multiple sets of barriers (and which barriers are being referred to at the different places in the document). For example, early in the document (p. 3-4) there are references to installed physical protection barriers that are overtopped. Later in the document (p. 34) there are barriers that are referred to as being in place for investment protection. Please clarify this throughout the document. In addition, if there are CLB barriers that must be installed, consider adding a preparers note to indicate that it is expected that these features would have been evaluated under the flood protection evaluation portion of the integrated assessment.
4.5 | 890 | Plant reaches shutdown cooling entry conditions and plant is placed on shutdown cooling. Cooldown continues at 50 °F/hr. | | AOP-XXX | Per AOP-XXX
5 | 890 | Crews dispatched from Emergency Facility | Connect submersible pumps to feedwater lines | AOP-XXX | Connection requires: (1) removal of blind flange and (2) connection of spool piece between submersible pump discharge line and AFW feedline per maintenance procedure
 | 890 | | Plant continues to cooldown at 25 °F/hr | AOP-XXX |
6 | 890 | Plant reaches cold shutdown | RCS is borated to refueling boron concentration following procedure [to be provided] | AOP-XXX |
Comment [NRCstaff36]: Reconsider what this means with respect to the proposed strategy, which uses the SGs. Will the plant heat back up?
 | 890 | | | | Crew to operate equipment above flood level
 | 890 | | 24 hour staffing of ERO established. 24 hour schedules are established to assure compliance with 10 CFR 26.205 | AOP-XXX Proc-YYY |
 | 890 | | Additional fuel ordered for DGs | Proc-XXX | See Contract XXX
 | 890 | | Install backup nitrogen to air operated ADV | AOP-XXX | Nitrogen bottles stored in vicinity of ADV. Hookup via procedure XXX
 | 890 | Crew dispatched from Emergency Facility | Install backup DC power to ADV solenoids | AOP-XXX | DC power source from Batteries. Batteries stored in vicinity of ADV. Batteries maintained and tested via procedures XXX.
9 | 890 | Submersible pumps connected to feedwater lines | | AOP-XXX | (1) locate spool piece and installation materials stored in vicinity of connection point (2) install spool piece (3) re-align discharge/suction valves as directed
10 | 890 | Plant reaches 100 °F | Open ADV using plant air compressor. Confirm ADV opens properly | AOP-XXXX |
Comment [NRCstaff37]: Has RHR been started?
 | 890 | Backup nitrogen installed on ADV | | AOP-XXX |
 | 890 | Backup DC power installed on ADV solenoids | | | Once ADVs open a mechanical device located in the vicinity of the ADV is placed on the ADV to prevent closure
11 | 890 | ADV determined not to open | Crews dispatched to disable MSSV on two SG to allow venting of SG | AOP-XXX | MSSV Recovery for action ADV does not open
13 | 890 | MSSV opened on two SG to allow venting of SG | | AOP-XXX | Back-up action
16 | 890 | Flood barriers installed | Per procedure XXX | AOP-XXX | Completion of activity initially started at t=4 hours.
18 | 892 | Portable lighting positioned | Per procedure XXX | Proc-XXX | Completion of activity started at t=4 hours.
 | 894 | | Operations crew begin removing electrical power from plant equipment that will be flooded. | AOP-XXX | Per AOP-XXX, Step X
22 | | Flood level predicted to exceed height of flood barriers in 8 hours | Test of plant heat removal from temporary facility | AOP-XXX | Per AOP XXX Step X. System operational test confirming connections and valve positions
24 | 895 | Flood reaches site grade | Switchyard disconnected from offsite power. | AOP-XXX | Lighting established via local units, alarms access door in non-flood areas can be opened manually. Ok to communicate via cell and satellite phones.
 | | | Plant taken off of shutdown cooling in anticipation of loss of access to UHS and natural circulation cooling established. | AOP-XXX |
26 | 896 | Flood level predicted to exceed height of flood barriers in 4 hours | Flood mitigation heat removal system (bunkered EDGs and submersible pumps) initiated. | AOP-XXX | Action taken from bunkered facility. Heat removal from RCS supported by flood mitigation system and associated instrumentation
 | | | SG level maintained from controls above flood level by second operations crew | AOP-XXX | SG level monitored via [identify instruments and procedure]. Instruments powered by dedicated AC source.
 | | Flood waters inundate Service Water System | Intake structure inoperable | |
30 | 900 | Flood level exceeds height of flood barriers | | |
32 | 902 | Flood waters enter AB. TDAFW pump flooded | TDAFW lost | |
 | | Switchyard de-energized | Offsite power no-longer available | AOP-XXX | offsite disconnected prior to switchyard flooding. Site dependent on SFMS for core cooling and portable and battery operated equipment for lighting. Movement around site facilitated by temporary walkways.
 | | EDG rooms begin to flood | EDG inoperable | | EDG becomes flooded once plant flood level reaches 902.5 ft
36 | 905 | Peak flood height reached. | | | Permanent staff located in bunkered facility for duration of the event. Road access available. Boats provided for potential site excursions.
72 | 905 | Offsite resources available | Additional fuel/ and equipment available for back-up | Contractual arrangements for refill with RRC | Resources expected from regional resource center (RRC) or contracts with organizations not impacted by flooding.
108 | 905 | | EDG fuel tank refilled every 12 hours | | Plant stable using Flood EDGs and Well Pumps
 | | Site notified flood likely to recede in X days | Administration contacts regional resource center to prepare for long term coping equipment and begin preparing transport of temporary transformers | |
132 | 904 | | EDG fuel tank refilled every 12 hours | AOP-XXX |
156 | 903 | Flood peak recedes | | |
180 | 902 | | | |
204 | 901 | Plant begins transition to use of off-site equipment | | |
228 | 900 | Site post-flood recovery procedure activated | | Procedure XXX |
252 | 899 | De-watering of plant buildings begins | | |
300 | 897 | Site Power restored to temporary transformer | | Procedure XXX |
324 | 896 | [Need to describe Plant Post-Flood Recovery Procedure] | Long term pumps aligned to inject into RCS | Procedure XXX |
348 | 895 | Flood water recede from site | | |
EXCEL SPREADSHEET to be provided illustrating major actions, flood hazard elevations and resource requirements and availability.
(Attached File for Illustrative Purposes only)
C. Event Tree Logic
To clarify the impact of the actions on event success the scenario is cast in the form of an event tree. As actions are considered feasible and reliable, operational failures of equipment were primarily selected as failure branches. Failure branches with highly reliable recoveries/proceduralized back-up plans are explicitly included. In this scenario the developed failure branch occurs following the inability of the plant staff to create a steam release path using an ADV. A proceduralized back-up action to jack open the MSSVs is included in the event tree. Other failure branches are noted as potential low probability events but for the sake of clarity are not further developed. Top events on the event tree presented in Figure 2 are summarized below.
Comment [NRCstaff38]: Staff question this decision. Even if this assumption is made in the example, a preparers note should be included to indicate that this is not always the case.
Table 4 Summary of Top Events
Top Event | Description
Dam Break Occurs | Initiating event
Pre-Flood Activities Successful | Plant receives notification of breach, activates ERO and enters flooding AOP. Action highly reliable (See Section H). As this event is proceduralized by the dam owner and is a required action by the state, timely notification of a dam breach is expected. While not explicitly credited, available dam monitoring programs are likely to provide advance warning of potential issues. The action is not time sensitive as the site will have at least a 24 hour delay prior to the onset of site flooding. No failure branch has been included for this action.
Comment [NRCstaff39]: There are multiple actions that are lumped under pre-flood activities (e.g., notification, EOR activation, operator actions, equipment staging). It would be helpful to have each action delineated here with a cross reference to any relevant supporting assessments.
Comment [NRCstaff40]: Pre-flood activities include activities that involve non-trivial decision-making processes that may result in delays or utilization of available time margin. These considerations should be accounted for in the assessment. In the timeline, consider noting decision points that could result in a delay due to potentially challenging decision-making steps.
Equipment Alignment Successful | Plant staff aligns DG, procures additional fuel and aligns SG flowpath. Action is highly reliable (see Section H). These actions are proceduralized and have been validated as feasible and reliable during flood event simulations. Success implies operator successfully aligned: (1) one of the two submersible pumps to the defined AFW injection pathway, and (2) fuel has been aligned to the DG. No failure branch has been included for this action.
Comment [NRCstaff41]: The excel timeline does not match this statement.
Comment [NRCstaff42]: For transparency, it is suggested that the event tree show the failure branches, even if there are no mitigating actions and the branch goes directly to an adverse or low probability end state.
Short Term AC Power Available | Flood DGs operable. This action involves implementation of straight-forward procedures to start one of the two Flood DGs. Plant staff is trained on implementation of these procedures. These DGs are routinely maintained and tested [quarterly] (See Section E). Actions are highly reliable (See Section H). No failure branch has been included for this action.
Comment [NRCstaff43]: See related comment above.
Comment [NRCstaff44]: The ET shows a failure branch for this top event.
Well Pumps Functional | Submersible pumps operable. Success implies one of two submersible pumps operates and is capable of injecting water into the SG. Equipment is routinely maintained and tested. Action to start pumps is a simple and highly reliable action (See Section H)
Secondary Side cooling via ADV successful | Success implies ADV is placed in operable condition. Action is feasible and highly reliable, but may be more unusual and receives less practical training than the previous actions. This action is proceduralized and is tested during refueling outages. An alternative action is provided should a mechanical or other issue prevent implementation. Failure implies ADV cannot be opened. Recovery for this action is opening of MSSVs. This failure branch is illustrated in the fault tree.
Secondary Side Cooling via MSSVs Successful | Given Failure of ADV to open, success implies MSSV can be placed in an operable condition. Failure implies a heat removal path cannot be established. This action is proceduralized and is tested during refueling outages. Inability to establish heat removal pathways will proceed to core damage. Note that the time to successfully complete this event is over [X] hours.
Long term AC Power Successful | Success implies Fuel is available throughout the event; fuel oil tanks are refilled in a timely manner and remain operational. These are highly reliable actions (see Sections E through G for details). No failure branch has been included for this action.
Post Flood Activities Successful | Success implies plant strategies and equipment to return the plant to a stable long term operational strategy are successful. Actions are proceduralized and occur late in the scenario, allowing time for additional resources and equipment to support site activities. For expected leakage conditions post flood activities have ample time to be effective. This activity will be supported by FLEX phase 3 activities and will be initiated as the flood begins to recede
Low likelihood end states (ES) that, if not recovered, could proceed to core damage include:
- Inability of DGs to function, short term (2 of 2 DGs fail to supply power to well pumps)
- Inability of Well pumps to provide water to the SG feedline (potential well pump or connectivity failure)
- Inability to establish a steam release path from the steam generator (failure of both actions Secondary Side Cooling via ADVs and Secondary Side Cooling via MSSVs.)
- Inability of DGs to function, long term (Failure of 2 of 2 DGs to run without repair or failure to provide long term fuel supply)
Comment [NRCstaff45]: Consider tabulating this information for each end state that has been described as low likelihood, but which could proceed to core damage. The table may include the end state name from the event tree, the description of the end state (e.g., Inability of DGs to function, short term (2 of 2 DGs fail to supply power to well pumps)), and justification for why the ES is low probability.
Figure 3: Sunny Day Dam Failure Event Tree
Comment [NRCstaff46]: Request: Is it possible to improve the clarity of this figure?
D. Protection Features to address Flood Challenges on System Operability
As a result of the location and elevation of the alternate facility, access to the DGs would not be compromised in a flood. As flood protection is important for dam failures which may be seismic in origin, the DGs, connecting cable, well pumps, and well are seismically robust. The site is situated such that external resources will be available to the site.
Comment [NRCstaff47]: Consider changing terminology to indicate this is the temporary diesel generator.
Comment [NRCstaff48]: Question: Could a seismic event cause silting in a well that may affect pump capability?
[Note to Preparer: The remainder of this paragraph should discuss the relationship of the roads to areas where external resources can be obtained. Routes from oil suppliers to the site should be identified along with primary and alternate routes that can be used following seismic events. This section should also discuss the ability of plant staff to access the site following seismic induced flood events.]
Comment [NRCstaff49]: Consider adding text related to air support (particularly under adverse weather) and access to offsite staging areas.
Comment [NRCstaff50]: Reference the entire section instead of just a single paragraph because the discussion may require much more than a single paragraph.
In conclusion, availability of roads in the vicinity of the facility ensures that replenishment of fuel was highly likely in a timely fashion.
Comment [NRCstaff51]: While this is a sunny day event, references to other types of events (e.g., seismic) are useful as part of the preparers notes.
Prior to site flooding the site has one day to prepare the site for the flood and obtain adequate resources on site. To ensure an adequate fuel supply for the DGs contracts are in place to store an oil tanker truck on a dry area near the day tank. This action is directed by procedure. Adequate supply is available in the day tank aligned with the installed medium voltage diesel generators to maintain continuous operation for one day. The tanker truck contains sufficient oil to refuel the DG tank for a period of [five] days. Hoses can be readily aligned to a tank refill line. Procedure XXX directs the plant staff to refill the tank once the oil tank level reaches 1/2 of the tank level. Tank level may be read via externally mounted gauges or via use of an alternate manually operated device which is stored in the vicinity of the tank (e.g., ruler). The tank refill period is 1/2 hour. The oil consumption rate is such that 12 hours will be available to perform the action to refill the day tank.
An underground cable was installed from the DGs MCC to installed submersible well pumps located within a well on the site. The underground cable is selected and routed to survive a design basis earthquake. In addition the well has been reinforced to survive a design basis earthquake.
Floating debris is not anticipated to be a concern for implementing the primary mitigation strategy. In the well location the pump suction is not exposed to floating debris. Underground cables are not susceptible to debris impact and connection points are included within structures that are resistant to debris impact.
Hard pipe connections that run above ground are protected from floating debris by [ Note to preparer: describe practices/protective structures].
Long term flooding of the site can erode topsoil covering the cable and expose portions of the cable to hydraulic loads and potential low velocity debris impact.
Piping from the submersible pump can be aligned to a connection to a line feeding the steam generator via manipulating several manually operated valves. Any necessary spool pieces are connected and valves are directed by procedure to be open in advance of the flood reaching the site elevation.
Water quality for the submersible pump is consistent with its intended flood mitigation function as water from a well has been assessed to not be impacted by the flood environment [Provide References]. The required pumping capability is well within the design flow capability. Hydrologic studies confirm the ability of the well to provide adequate water supply for decay heat removal for a period in excess of [X] months.
Should the primary submersible pump fail to start or run, the alternate pump can be readily aligned. As the two pumps are anticipated to be available for the event duration, run failures during the mission time can be accommodated by switching to the alternate pump. Both pumps are aligned to the suction source and either pump is capable of discharge to the steam generator (SG) throughout the event. Back flow is prevented via check valves. To ensure reliable system operation, pumps are maintained within an administrative program [Reference XX] which includes preventive maintenance and testing. Specifically, well pumps are visually inspected and bench tested at a frequency of [ ]. Preventive maintenance and functional tests are performed [annually]. DGs are inspected and functionally tested quarterly. DGs are maintained in accordance with manufacturer specifications. Training in operation and repair of the DGs and other support components is performed once a year prior to spring flood season. It is this season where the flood scenario is most likely.
Comment [NRCstaff52]: Note earlier comment about the relevance of this information under the sunny-day scenario.
The motor control centers (MCCs) are located in the DG facility. MCCs provide power to the well water pumps and fuel oil transfer pump at the DG facility. In addition to feed operations, the SG must be vented to allow low pressure injection from the portable pumps. This action must be taken via opening of ADVs and is an early required action in the external flood abnormal operating procedure. Actions to mechanically maintain the ADVs open are proceduralized and the necessary systems to perform this action are located in the vicinity of the ADVs. In the event ADVs cannot be actuated, provisions are available to open MSSVs (one MSSV is required for success). These actions are also well proceduralized and will be taken well in advance of the time at which the flood could increase difficulty in accessing the associated equipment. To ensure availability of key equipment and the ability of the staff to use that equipment, periodic surveillances conducted prior to flood season will confirm the availability of key equipment necessary for mechanically assisted opening of ADVs and MSSVs. Table-top walk-throughs of this strategy are also conducted at this time with personnel expected to be responsible for implementing this strategy (see Section H).
[Note to Preparer: INCLUDE LISTING OF MAINTENANCE, TESTING AND IMPLEMENTATION PROCEDURES USED IN PREPARING FLOOD MITIGATION EQUIPMENT]
Draft WORKING EXAMPLE E. System Capability/Reliability Assessment Comment [NRCstaff53]: Component assessment should include all equipment that must change state, including valves (e.g., the manual This section provides the technical support for assessing the reliability of the active components credited in valves required to align the well pumps with the the current scenario. Each active component or class of components included in the mitigation system is SGs).
compared with respect the criteria included in Table A.1 of Appendix A of the ISG. An overview of the Comment [NRCstaff54]: In addition to Table A1, the availability and reliability of active dedicated flood mitigation system is presented in Section B. A reliability assessment of key active components should be justified using operational components is provided in Tables 6a through 6[]. data, consideration of operational requirements (surveillance, inspection, design control, maintenance, procurement, testing, text control),
[Preparers note: A separate comparison should be provided for each component or class of components. and incorporation in other plant programs. Please A typical list of components for this example is provided below. For purpose of illustration, selected double-check that all of these considerations are included in this example.
components are developed and compared in attached tables.] For example, specify whether trends are analyzed based on operational history and whether there is any form of feedback to indicate whether Table 5: unavailability characteristics are being met.
Active Components Credited in System Design Comment [NRCstaff55]: Add instrumentation to this table in addition to other active components (see comment above).
| Component | Number | Manufacturer /Plant ID | Table Identification |
|---|---|---|---|
| Diesel Generator | 2 | | See Table 6-A |
| Submersible Pump | 2 | | See Table 6-B |
| Battery to Open ADV | 1 | | See Table 6-C (Not provided in example) |
| IA Compressor (to open ADV) | 2 | Standard plant equipment (not dedicated to SFMS) | |
| Nitrogen Air supply to open ADV | 2 | Generic item | See Table 6-D (Not provided in example) |
| Portable / installed lighting | Various | | Not provided |
| Miscellaneous electronics/relays/switches | Various | Generic | Not provided |

A review of Table A.1 indicates that all the functional, operational, unavailability and storage characteristic expectations of Table A.1 are met (See Tables 6-A and 6-B below). The following is an example as to what may be included in the remainder of the reliability assessment section.
Table 6-A Assessment of Active Components: Comparison of System Capability to Table A.1 of Appendix A (EXAMPLE TABLE)
Component: Flood Mitigation Dedicated Diesel Generator

| Table A.1 characteristic | System capability |
|---|---|
| Functional characteristics | |
| 1. Equipment is capable of performing its required function (e.g., functional requirements such as pump flow rate, pump discharge pressure are met). | DG is sized to power one WWP, one fuel oil transfer pump, facility lighting and staff living needs (e.g. refrigerator, microwave) and communications equipment with 50% margin. Functional characteristics of DG is included in [Appendix]. DGs are air cooled and have no external dependency other than fuel. A redundant DG is provided and key DG components and repair manuals are available within the DG facility should on site repair be needed. Compatible DGs are available at Resource Center for replacement should that be necessary. |
| 2. Equipment is in satisfactory condition. | Equipment is maintained per manufacturers specifications. Functional tests occur every [ ] per Procedure XX to ensure functionality. One full system functional test is conducted annually. Performance testing occurs every [ ] per procedure |
| 3. Functionality of the equipment may be outside the manufacturers specifications if a documented engineering evaluation justifies that the equipment will be functional when needed during the flood event duration. | Equipment is commercial grade and will be operated within manufacturers specifications. [Preparer: Note any exceptions]. Equipment tested periodically (See above). |
| 4. There is an engineering basis for the functional requirements for the equipment which: a. Is auditable and inspectable; b. is consistent with generally accepted engineering principles; c. defines incorporated functional margin; and d. is controlled within the configuration document control system. | DG functional requirements Controlled by Engineering Processes. [Note procedures and support/sizing calculations] After 3 days, replacement DGs and pumps will be available |
| Operational Characteristics | [Provide manufacturer characteristics data and DG loading.] See Appendix |
| Unavailability Characteristics | Unavailability to be maintained via administrative program. Unavailability of any one DG is limited to [x] weeks. Note during low reservoir water conditions and with communication from the dam owner longer outages may be established. Unavailability under no circumstances (without replacement) will exceed [ ] weeks. |
| Equipment storage characteristics | DGs stored in a building designed to ASC 7-10. Building includes a 24 DG tank and refill connections which allow refill from an oil truck. Oil quality is checked [x] time per year |

Comment [NRCstaff56]: Justification should be provided as to why this interval is sufficient to provide confidence that the equipment is in satisfactory condition.
Table 6-B Assessment of Active Components: Comparison of System Capability to Table A.1 of Appendix A (EXAMPLE TABLE)
Component: Submersible Well water Pump
To be Completed by Utility
Functional characteristics
- 1. Equipment is capable of performing its required function (e.g., functional requirements such as pump flow rate, pump discharge pressure are met).
- 2. Equipment is in satisfactory condition.
- 3. Functionality of the equipment may be outside the manufacturers specifications if a documented engineering evaluation justifies that the equipment will be functional when needed during the flood event duration.
- 4. There is an engineering basis for the functional requirements for the equipment which:
- a. Is auditable and inspectable;
- b. is consistent with generally accepted engineering principles;
- c. defines incorporated functional margin; and
- d. is controlled within the configuration document control system.
Operational Characteristics
Unavailability Characteristics
Equipment storage characteristics
[Add additional tables, as needed]
F. Additional comments on Reliability Flood Mitigation Component [EXAMPLE of Discussion]
All components used for the flood mitigation process are commercial grade, and operated within expected component capacities. Components are non-safety grade, but are maintained in accordance with a site program for equipment important to safety. Components receive periodic preventive maintenance in accordance with manufacturer specifications. Active components are tested [annually], prior to flood season, to ensure the system is operational and can be operated within expectations.
An adequate supply of replacement parts (or spare components) is available on site to address any operational failures. Plant staff has the necessary skills and training to effect any repairs/replacements.
Repair parts are stored in a flood and seismically secure location and can be accessible within a short time of their need. As a consequence of the equipment and spare part availability, long term failures of active components used for decay heat removal are not considered risk significant.
Submersible pumps are of diverse design and similar capacity.
[Note to Preparer: INCLUDE LISTING and brief description of relevant aspects OF MAINTENANCE, TESTING / Surveillance AND IMPLEMENTATION PROCEDURES USED IN PREPARING FLOOD MITIGATION EQUIPMENT]
No specific reliability values are available for the active components in the SFMS. Reliabilities of key active components are obtained from generic estimates of commercial grade equipment of similar classes and sized components. These reliability estimates are presented in Table 7. The values are judged to overestimate failure rates for nuclear applications, as these components will be subject to improved maintenance, surveillance and test programs.
Comment [NRCstaff57]: Clarify why this information is not available.
Table 7 Reliability Evaluation of Key Systems/Components Credited in Flood Mitigation System Design

| Component | Failure Rate | Basis |
|---|---|---|
| Submersible portable pump failure to run | 1 x 10^-4/hour | Mean failure rate based on generic value estimated from operation of low pressure, low flow, low pressure electric driven pumps. Considers data from IEEE, NPRDS and ORECA. |
| Submersible pump failure to start | 0.001 | Nominal failure to start is 0.02/d. Reduced value selected based on engineering judgment considering plant staff has more than one day to start pump and has adequate parts and staff on site to make necessary repairs if pump does not immediately start. |
| DG fail to run | 5 x 10^-5/hr | Mean failure rate based on generic failure values of low voltage, low power DG. Considers data from IEEE, NPRDS and ORECA. |
| DG fail to start | 0.01 | Mean failure to start based on engineering judgment. DG included in periodic maintenance program. |
| Failure rate of Electrical cable or connectors | -- | Unavailable. Reliability traditionally very high. |
| Failure of Day Tank to Feed DG (manual valve fails to open) | 0.001 | Manual valve connection. Typical of Generic data. Valves surveilled routinely and tested periodically. |

Comment [NRCstaff58]: The magnitude of this is similar to what may be expected of safety-related equipment that is subject to programs such as maintenance rule and tech specs. Justification for such a low number would likely require more than judgment.
G. Equipment Dependencies
Equipment dependencies are identified for the following components:
- ADVs
- MSSVs
- Flood Mitigation DGs
- Well water pumps
These dependencies are identified in Table 8 below.
Table 8 Dependencies/Support Systems for Active Flood Mitigation Components Primary Support Secondary Support Component Systems Systems Additional Mechanical device to open and prevent closure ADVs IA-01 BAT-1 N2-01 MSSVs Mechanical device to open and MSSVs MD-1 prevent closure Fuel Oil Truck with compatible FO-A FO-B connecting hose DG-A & DG-B FOTP-A FOTP-B Gravity feed available DG-A /MCC DG-B/MCC WWP-1 & WWP-2 Groundwater*
Level Instrumentation DC-A DC-B
* Water from well capable of pumping 250 gpm for a period of [x] months
IA - Plant Instrument Air Compressor
BAT - Battery
FO - Fuel Oil Tank
WWP - Well Water Pump
N2 - Nitrogen Bottle
MD - Mechanical Device
DC - Battery/Battery Charger

H. Scenario Human Reliability Assessments (HRA)
A representative timeline for the scenario under consideration is presented in Table 1. The timeline assumes primary actions are successfully implemented. Figure 2 illustrates an event tree including dominant failure branches; associated backup strategies are included in Table 1. Human actions associated with the implementation of this mitigation strategy were also considered. Response to the event is governed by the site emergency plan and subsidiary procedures to direct specific maintenance, preparatory and operator actions. Flooding activities important to safety are identified below.
Comment [NRCstaff59]: The context of the scenario needs to be better specified (including offsite considerations that may affect staff performance, such as flood impacts on the homes of personnel). This could be helped through documentation of the HFE narrative. More information on cues and annunciators would be helpful. Generally, more detail is needed in this section.
A review of Table 2 indicates that flood specific actions or actions that may be impacted by the flood scenario include:
A. Stage fuel Oil truck at DG facility
B. Test SFMS equipment and implement SFMS
C. Connect submersible well pumps to feedwater line
D. Install backup N2 to ADV
E. Open ADV (when RCS reaches 100 F)
F. Open MSSV (if ADV does not open)
G. Removal of electrical connections from equipment to be flooded
H. Take off SDC to allow SG feed via severe flood mitigation equipment
I. Periodic refill of DG day tank
Comment [NRCstaff60]: This list is not comprehensive. Other actions (including administrative actions) are appropriate to consider. Generally, it is not clear how this list of actions relates to other parts of this document.
Normal proceduralized actions associated with performing an emergency cooldown are not included in the above list as these actions are known to be highly reliable and are not impacted by the potential flood.
With the exception of action I, all other flood mitigation actions are directed at preparing the plant for a flood event. Based on the detailed timeline presented in Section A, the overall time available to complete all actions from the time the ERO is fully staffed and perform these operations on a dry site is 22 hours.
Beyond this time all actions to be taken on the site are complicated by the presence of flood waters.
As many of the above actions are taken simultaneously, the overall actions can be grouped into the following categories and are anticipated to be performed within the specified time windows.

| Action Group | Description | Time Window Following dam breach |
|---|---|---|
| Administrative Actions | Actions to assign resources, activate teams and begin plant shutdown | Less than 1 hour |
| Plant shutdown per Emergency Shutdown Procedures | Standard Emergency Response | 1 to 6 hours |
| Test SFMS Components and prepare System for Operation | Test WWPs, DGs, connections, open steam relief and prepare connections to feed SG | 2 to 13 hours |
| Transition from SDC system to SFMS | Action initiated prior to site inundation | 20 to 26 hours |
| Operate SFMS | Through-out remainder of event (DG fuel oil refill) | Continual |
As described in the [fictitious] hazard re-evaluation report [X], this scenario describes a sunny day dam failure. It is not expected that any additional extreme events will be correlated to the failure of the dam in this scenario. It would be expected that the types of events that would cause significant degradation in the reliability of an action (extreme lightning, hail or bitter cold) would be low frequency events, and when considered with a sunny day dam failure of a well monitored and constructed dam, the combined frequency of occurrence would be very low. The hazard re-evaluation report does identify the 2-year wind speed as a coincident event and calculated a XX mph continuous wind speed. However, a wind speed of this magnitude will not cause a hardship on the operators performing the outdoor actions.
Table 10 below illustrates the hazards considered in the scenario and which were deemed applicable to a given key action. Many of the actions required to successfully mitigate this scenario are not subject to the adverse weather considered because they are performed indoors, sheltered from the elements. Operators will be accustomed to performing the key actions out-of-doors in a variety of non-extreme weather conditions, which are the conditions anticipated at the time of dam failure. The table describes the disposition of environmental factors with respect to each action and reports the PSF conclusion with respect to any adverse weather conditions.
As actions A through D are performed well in advance of the flood reaching the site, stress levels will be nominal. Opening a steam relief path is an important action in this process. The primary means of opening the ADVs is via use of the plant's IA system. Should the ADVs not open in this manner, several alternate strategies exist, including opening the ADV via local bottled nitrogen supplies or jacking open an MSSV. As these actions progress, the stresses on the operator may increase, but as there will be ample time (more than 12 hours margin) to take these actions, and adequate staff levels exist, nominal stress still appears appropriate. Activities to install barriers and remove cables from equipment are investment protection and personnel safety activities and ample staff will be available to adequately perform these actions. Particular concern will be focused on ensuring the removal of electrocution hazards.
[Note to preparer: State what type of training and guidance is available, for example, to ensure activities are performed properly they are proceduralized and trained upon. Durations of actions are confirmed by time-in-motion studies. Table top exercises are also performed periodically with appropriate staff.]
Comment [NRCstaff61]: The IA submittal should include a description of sources of information used in the evaluation, including the considerations described here.
Unique human actions important to the flood scenario are identified in Table 9. These actions are discussed in more detail below and have been individually evaluated following the guidance in Appendix C.
Note that cues for actions due to low SG level can be directly monitored in the DG facility. A comparison of the human action characteristics associated with the external flood mitigation activity and the Appendix C criteria are provided in [Tables 9 a--9j].
All risk significant utility actions to support this scenario have been evaluated using the qualitative metrics of Appendix C and all applicable attributes of those actions were evaluated as nominal or better. Therefore, human actions supporting the scenario are judged to be feasible and reliable. A summary of this assessment is contained in Table 9. Detailed assessments of performance shaping factors are provided in supplementary tables. [Several example tables provided. Also provided is a supplementary table for environmental conditions and action timing and margin. Note to Preparer: Where helpful include time line map for collection of unique actions]
Comment [NRCstaff62]: Similar tables for other PSFs are appropriate. Consider including a preparers note to indicate that other PSFs should be evaluated in a similar manner (e.g., accessibility around a site is not trivial when the site is inundated and may require boats)
Table 9 Summary of Key Human Actions for Implementing Credited Flood Mitigation Strategy

| Action | Description of Action | Summary Appendix C Assessment | Comment |
|---|---|---|---|
| Dam Operator informs State Emergency Organization of dam break | Action is highly reliable. Appropriate procedures are in place for proper communication. Overall time estimate to initiate full mobilization is 8 hours from initial notification. | Table 9-a | |
| State ERO informs Site management | Proceduralized action and lines of communication defined by law. | Nominal | |
| ERO activated | Standard action | Nominal | All factors are considered nominal. No site flooding is expected for more than a day |
| ERO Dispatches Maintenance and Operational crews | Standard action | Nominal | All factors are considered nominal. No site flooding is expected for more than a day |
| DGs tested and aligned | Standard action | Table 9-b | Procedure XXX |
| Well pumps tested | Standard action | Table 9-c | Procedure XXX |
| Well pumps aligned as alternate SG FW source | Proceduralized Flood specific action | Table 9-d | Procedure XXX. Components and tools needed stored in vicinity of where action is to be performed. Team not tasked with other risk significant duties. Adequate time available |
| Fuel oil tanker truck staged on high ground with access to DG facility. | Action is highly reliable. Appropriate procedures and contracts are in place for proper communication. Overall time estimate to initiate full mobilization is 8 hours from initial notification. | Nominal | |
| Operator Shuts down plant and places it in a Steam Generator low pressure heat removal mode | Standard proceduralized action supplemented by flood procedures. Action takes [8 ] hours | Nominal | Procedure XXX |
| Operator installs necessary connecting spool pieces and aligns feed to SG | Simple proceduralized action. Action can be performed by a single operator in a period of 1 hour. Action can be implemented once reactor is shutdown for more than 6 hours. Available time to perform action is 6 hours. Six hours assumes operator has to leave area prior to barrier overtopping (4 hours allotted). | Table 9-d | Procedure XXX. Dedicated team with ample time. Material in vicinity of action. |
| Operator opens ADV and takes actions to provide continuous low pressure operation | Proceduralized action. Mechanical device can be installed in 4 hours. Access to staging areas not impacted by flood. | Table 9-e | All components and tools needed staged near ADVs. Actions are trained upon and proceduralized (Procedure XXX). |
| Operator opens MSSV given ADV activity cannot be completed. | Action is a backup, but action has been demonstrated to be feasible. Tools required, but tools are stationed in an accessible area near the MSSV. | Table 9-f | All components and tools needed staged near MSSVs. Actions are trained upon and proceduralized (Procedure XXX). |
| Operator opens fuel feed to feed DG | Simple proceduralized action. Can be performed in parallel with SG alignment actions. Operator must be dispatched to DG area. Action takes 1 hour including preparing the DG for operation. | Table 9-g | (Procedure #/steps). |
| Operator refills day tank. | Action to refuel day tank. Must be done prior to emptying of day tank to avoid priming of the DG fuel system. Action must be taken once a day with more than 12 hours available time. Time to refill tank is 30 minutes. | Table 9-h | (Procedure #/step). |
| Additional resources added to site after 3 days | Plant management directs off site contracted resources to deliver resources to day tank area and resources are delivered at least one day before need arises | Table 9-i | |

Comment [NRCstaff63]: Double-check that the same nomenclature/terminology is used here and in Table 2. Consider adding some way to easily map these actions back to the time line (e.g., adding a reference to the time step in the timeline).
Comment [NRCstaff64]: What does this mean?
Comment [NRCstaff65]: Note earlier comment about the value of including a summary description of procedures that are flood-specific and non-routine in nature.
Table 9-A: Assessment of Reliability and Feasibility of Flood Significant Human Actions
Action ID: State Notifies Utility of Dam Failure
Action: Dam Operator informs State Emergency Organization of dam break
Discussion: Action is highly reliable. Appropriate procedures are in place for proper communication.

| PSF | Nominal | Degraded | Summary of Justification |
|---|---|---|---|
| Cues and Indications | X | | Dam operator maintains routine surveillance on the dam. Examination includes visual surveillance and review of stress sensors at key locations. Routine dam maintenance is performed and dam is considered in good condition. |
| Complexity | X | | Notification task is simple action. Identified state coordinator has current plant contact information. Clear instructions are available as to when dam conditions warrant that the state be informed. State procedures include specific actions to contact the utility upon notification of a pending or actual dam breach or conditions warranted high discharges from the dam |
| Special Equipment | X | | Dam operator may rely on stress sensors for early notification action |
| Human-system Interfaces | NA | | |
| Procedures | X | | Procedure XXX spells out surveillance checks, conditions requiring dam operator to immediately notify state. State procedures YYY identifies situations when the state must notify utility. |
| Training and Experience | X | | Dam operators are trained in emergency operating procedure. State officials routinely support flood drills. |
| Workload, Pressure, Stress | X | | Emergency Response organization staffed by trained dedicated staff with adequate resources. Not directly impacted by event. |
| Environmental Factors | NA | | |
| Special Fitness Issues | NA | | |
| Staffing | X | | Emergency position continuously manned |
| Communications | X | | Communication program in place |
| Accessibility | NA | | |

Comment [NRCstaff66]: For each action, a detailed description should be included justifying the categorization of each PSF. In addition, a summary table (as shown here) should be included. So, the table is just one piece of the documentation that is appropriate for each action.
Comment [NRCstaff67]: Note that scenario-specific PSFs should be added as appropriate. Consider showing a table for an action that requires a scenario-specific PSF (e.g., an action associated with decision-making when there are investment protection considerations).
Comment [NRCstaff68]: Since not all actions can be included in the example, consider choosing actions that provide sufficient diversity in the types of actions that may need to be evaluated.
Comment [NRCstaff69]: Note that the ISG includes a moderate category for this PSF.
Table 9-B: Assessment of Reliability and Feasibility of Flood Significant Human Actions
Action ID: Flood DGs tested and Aligned per Procedure AOP-XXX
Action: Crew dispatched from TSC to (1) unlock and prepare DG facility for use (2) align valves and hoses in the DG fuel system to feed DGs from day tank, (3) start and run DG for 15 minutes
Discussion: Action is highly reliable. All subordinate actions are proceduralized. Overall task duration is 75 minutes

| PSF | Nominal | Degraded | Summary of Justification |
|---|---|---|---|
| Cues and Indications | X | | Direction to prepare facility and align DG system included in AOP-XXX. |
| Complexity | X | | Action is simple, proceduralized and trained on at least once annually. |
| Special Equipment | X | | No special equipment required |
| Human-system Interfaces | NA | | DG facility is accessible, entry via keys available in TSC, lighting in DG facility initially powered via offsite power. Copies of procedure available in DG facility. |
| Procedures | X | | Procedure used for identified action (s) are well written. Training on flood procedure conducted annually. |
| Training and Experience | X | | Flood mitigation AOP actions trained on annually |
| Workload, Pressure, Stress | X | | Adequate staffing is available to ensure low workload. Time to take action is adequate see Table 10, actions 5 and 6. Significant time margin. Two individual dispatched to DG facility. Psychological stress is minimized as much of surrounding region not directly impacted by flood. For plant individuals with family in need of help for potential evacuation or other actions, specific individuals can be released. |
| Environmental Factors | NA | | See supplemental Table |
| Special Fitness Issues | NA | | Actions do not have a requirement for strength or special fitness. Valves can be readily turned and valves are routinely re-positioned during quarterly DG facility surveillance activities. |
| Staffing | X | | Resource loading plans are established and implemented so adequate resources are expected. |
| Communications | X | | Communication is via satellite phone |
| Accessibility | X | | Keys for doors of the DG are located in the TSC and sufficient copies are available to ensure adequate access. The DG facility is located at an elevation above the highest credible flood level determined by the hazard re-evaluation. |

Comment [NRCstaff70]: The DGs could be considered special equipment because they are not part of normal plant equipment. Consider including a discussion of why they need not be considered special equipment.
Table 9-B.1: Assessment of ISG Appendix C Environmental factors for PSF
Action ID: Flood DGs tested and Aligned per Procedure AOP-XXX

| Environmental Factor | Impact Assessment | Comment |
|---|---|---|
| adverse weather (e.g., lightning, hail, wind, precipitation) | No severe weather conditions are anticipated. Human factors consider impact of 40 mph winds. | Wind speeds at this level will have little impact on plant site movements. All operational activities are within a weather protected structure |
| temperatures (e.g., humidity, air and water temperatures, particularly if personnel must enter water) | Area not susceptible to extreme weather conditions. DG operates building HVAC as well as other comforts such as lighting and refrigerator and communication information. | Building environment controlled by HVAC supported by the facility DGs. Doors, vents and fans are available in case of HVAC failure. |
| conditions hazardous to the health and safety of personnel (e.g., electrical hazards, hazards beneath the water surface, drowning, structural debris) | No hazardous conditions exist during facility preparation. Procedures limit hazards as facility is re-staffed | Facility is above maximum potential flood height. Key indications and equipment (with the exception of WWPs) are located in facility. Boats are available for transport to site. Roads to and from facility to adjacent community available during maximum flood for facility re-supply. |
| lack of lighting | Facility is well lit. | Replacement lights available. Back-up battery powered lanterns and flashlights /head lamps and batteries available for [x] days. Material can be resupplied. |
| radiation | No radiation exposure in facility | Facility is located outside the radiation controlled area |
| noise | DG operation may be noisy, but will not impact DG implementation | DG area walled off from crew living quarters. Within DG room, crew can wear ear protection (available in building) |
| vibration | Vibration not judged to be an issue | |
Table 9-D: Assessment of Reliability and Feasibility of Flood Significant Human Actions
Action ID: Operator aligns WWP as alternate SG FW source and Operator installs necessary connecting spool pieces and aligns feed to SG (Procedure XXX)
Action: Operator tasks include (1) taking any steps to realign WWP for preparation for injection into SG (2) installing a spool piece
Discussion: Action is highly reliable. All subordinate actions are proceduralized. Overall task duration is 75 minutes
Comment [NRCstaff71]: Actions should be broken down as necessary to capture differences in relevant PSFs.

| PSF | Nominal | Degraded | Summary of Justification |
| --- | --- | --- | --- |
| Cues and Indications | X | | Direction to prepare facility and align DG system included in AOP-XXX. |
| Complexity | X | | Action is simple, proceduralized and trained on at least once annually. |
| Special-Equipment | X | | No special equipment required |
| Human-system Interfaces | NA | | DG facility is accessible, entry via keys available in TSC, lighting in DG facility initially powered via offsite power. Copies of procedure available in DG facility. |
| Procedures | X | | Procedures used for identified action(s) are well written. Training on flood procedure conducted annually. |
| Training and Experience | X | | |
| Workload, pressure, Stress | X | | Adequate staffing is available to ensure low workload. Time to take action is adequate (see Table 10, actions 5 and 6). Significant time margin. Two individuals dispatched to DG facility. Psychological stress is minimized as much of surrounding region not directly impacted by flood. For plant individuals with family in need of help for potential evacuation or other actions, specific individuals can be released. |
| Environmental Factors | NA | | See supplemental Table 9D.1 |
| Special Fitness Issues | NA | | Actions requiring moving a [x] lb spool piece from its storage location. Appropriate tools are available to facilitate the move and lift. Adequate resources are available to perform function. |
| Staffing | X | | Resource loading plans are established and implemented so adequate resources are expected. |
| Communications | X | | Communication is via satellite phone |
| Accessibility | X | | Keys for doors of the DG are located in the TSC and sufficient copies are available to ensure adequate access. The DG facility is located at an elevation above the highest credible flood level determined by the hazard re-evaluation. |

Comment [NRCstaff72]: Will satellite phones work in all areas of the plant (including inside thick concrete structures)?
Summary of Environmental Impacts
A summary of the environmental impact on the performance shaping factors is presented in Table 10.
Table 10- Key Actions and Environmental Factor Impacts Considered
Comment [NRCstaff73]: Note that other environmental factors may be important. If they are not applicable to this example, then consider adding a preparers note that the environmental factors included in this example are not an exhaustive list.
Environmental factors: Poor Lighting, Extreme Cold, High Wind, Lightning, Hail

| Action | Environmental Factors | PSF Category due to Enviro Factors | Disposition |
| --- | --- | --- | --- |
| Dam Operator informs State Emergency Organization of dam break | N/A N/A N/A N/A N/A | Nominal | Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized |
| State ERO informs Site management | N/A N/A N/A N/A N/A | Nominal | Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized |
| ERO activated | N/A N/A N/A N/A N/A | Nominal | Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized |
| ERO Dispatches Maintenance and Operational crews | Y3 N/A N/A N/A N/A | Nominal | This action requires operators to move about the site, exposed to the elements, however, dispatch will be performed prior to flooding conditions at the site and there are no correlated extreme weather conditions anticipated with this flood scenario. |
| DGs tested and aligned | N/A N/A N/A N/A N/A | Nominal | Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized |
| Well pumps tested | Y3 N/A N/A N/A N/A | Nominal | This action requires operators to be exposed to the elements, however, dispatch will be performed prior to flooding conditions at the site and there are no correlated extreme weather conditions anticipated with this flood scenario. |
| Well pumps aligned as alternate SG FW source | Y3 N/A N/A N/A N/A | Nominal | This action requires operators to be exposed to the elements, however, dispatch will be performed prior to flooding conditions at the site and there are no correlated extreme weather conditions anticipated with this flood scenario. |
| Fuel oil tanker truck staged on high ground with access to DG facility. | Y3 N/A N/A N/A N/A | Nominal | This action requires operators to be exposed to the elements, however, dispatch will be performed prior to flooding conditions at the site and there are no correlated extreme weather conditions anticipated with this flood scenario. |
| Operator Shuts down plant and places it in a Steam Generator a low pressure heat removal mode | N/A N/A N/A N/A N/A | Nominal | Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized |
| Operator installs necessary connecting spool pieces and aligns SG feed to flood protected source | N/A N/A N/A N/A N/A | Nominal | Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized |
| Operator opens ADV and takes actions to provide continuous low pressure operation | Y3 N/A N/A N/A N/A | Nominal | This action requires operators to be exposed to the elements, however, dispatch will be performed prior to flooding conditions at the site and there are no correlated extreme weather conditions anticipated with this flood scenario. |
| Operator opens MSSV given ADV activity cannot be completed. | Y3 N/A N/A N/A N/A | Nominal | This action requires operators to be exposed to the elements, however, dispatch will be performed prior to flooding conditions at the site and there are no correlated extreme weather conditions anticipated with this flood scenario. |
| Operator opens fuel feed to feed DG | N/A N/A N/A N/A N/A | Nominal | Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized |
| Operator refills day tank. | N/A N/A N/A N/A N/A | Nominal | Environmental factors will not affect this action. Well prior to flooding reaching the site and this action is well proceduralized |
| Additional resources added to site after 3 days | Y3 N/A N/A N/A N/A | Nominal | |

Y1 - Applicable hazard considered to impact the action
Y2 - Applicable hazard considered in reliability analysis but did not impact the action
Y3 - Hazard considered but found to not have any impact on the action
N/A - Hazard not applicable to action (see description)
Timing Analyses
Comment [NRCstaff74]: It is not clear how uncertainty is handled as part of the timing analysis.
Timing analysis of human actions is identified in the ISG as a means to identify reliability of an action.
Relevant timings for operator actions are derived from time in motion studies, walk-throughs and other activities. Outdoor activities were increased [X%] from site observations to account for potentially less than ideal operational conditions. Important time parameters and available margin based on the Table 2 event timeline are summarized in Table 11. This information is used to support filling out the workload/stress and training portions of the PSF tables (Tables 9A-9J).
In reviewing Table 11, the following terms are associated with each timing element:
T0 = start time, or the point in time in a flooding scenario or HFE narrative at which the conditions exist that will require the human action (e.g., a weather forecast predicts excessive precipitation, a dam failure occurs, a levee onsite is overtopped, leakage develops)
Tdelay = time delay, or the duration of time it takes for the cue to become available that the action will be necessary (assumes that action will not be taken in the absence of a cue)
Tsw = the time window within which the action must be performed to achieve its objective
Tavail = the time available for action = (Tsw - Tdelay)
Tcog = cognition time, consisting of detection, diagnosis, and decisionmaking
Texe = execution time including travel, collection of tools, donning of PPE, and manipulation of relevant equipment
Treqd = time required, or the time required for an individual or crew to accomplish the action = (Tcog + Texe)
The time margin for relevant actions can be expressed as Time Margin = x 100%
These parameters are identified for each of the flood significant actions included in Table 9-a through 9-i. A summary of these times is identified in Table 10. These actions and timings are based on Table 1 and visually illustrated along with resource demands and availabilities in Section C. Results of the timing analysis demonstrate that the flood critical actions have significant margin and key aspects of the flood preparatory work are finished within an 8 hour time window. Transition from SDC to SFMS decay heat removal can be performed at any time after the initial preparatory work is complete. The task is delayed until the time the flood elevation approaches site grade. Details of all actions are given in the following procedures:
[List all applicable implementing procedures]
Comment [NRCstaff75]: List and summarize
Table 11: Timeline for Flood critical Human Actions
Comment [NRCstaff76]: Are times nominal or bounding?

HR ID | Action | T0, Tcomp, Tdelay, Tsw, Tcog, Texc, Tavail, Treqd (hr), Time Margin (%)
1 | Dam Operator informs State Emergency Organization of dam break | 0 0.45 0.25 1 0.1 0.1 0.75 0.2 275.0
2 | State ERO informs Site management | 0.45 0.9 0.25 1 0.1 0.1 0.75 0.2 275.0
3 | ERO activated | 2 0.25
4 | ERO Dispatches Maintenance and Operational crews | 2.25 .25
5 | Operator opens fuel feed to feed DG | 2.5 3.25 0.25 14 0.25 0.25 13.75 0.5 2650.0
6 | DGs tested and aligned | 3.25 5.25 0.25 15.5 0.25 0.5 15.25 .75 771.4
7 | Well pumps tested | 2.5 3.75 0.25 16 0.25 0.75 15.75 1 1475.0
8 | Well pumps aligned as alternate SG FW source | 4 5.25 1 16 0.25 1 15 1.25 1000
9 | Fuel oil tanker truck staged on high ground with access to DG facility. | 2 7.25 1 16 0.25 4 15 4.25 252.9
10 | Operator Shuts down plant and places it in a Steam Generator a low pressure heat removal mode | 0.5 6
11 | Operator opens ADV using plant air compressor (action to provide continuous low pressure operation) | 4 0.5 14 0.25 0.25 13.5 0.5 2600.0
12 | Operator opens ADV via back-up means given primary ADV activity cannot be completed | 4.5 5.5 0 13.5 0.5 0.5 13.5 1 1250.0
13 | Operator initiates SG feed via SFMS | 20 20.75 0.25 10 0.25 0.25 9.75 0.5 1850.0
14 | Operator turns off SDC system | 20.25 21 0.25 9.75 0.25 0.25 9.5 0.5 1800.0
15 | Operator refills day tank | 0.25 12 0.25 0.25 11.75 0.5 2250.0
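A consistency check of Table 11 against the timing definitions (Tavail = Tsw - Tdelay, Treqd = Tcog + Texe), as an added example that is not part of the original document. The margin expression (Tavail - Treqd) / Treqd x 100% is an assumption inferred from the table rows, since the page's own formula is incomplete; all function and variable names are illustrative.

```python
# Rows transcribed from Table 11; only rows that list Tdelay through Margin are
# included (for rows with blank leading cells, the last seven values are used).
# Order: HR ID, Tdelay, Tsw, Tcog, Texc, Tavail, Treqd (hr), stated margin (%).
TABLE_11 = [
    (1, 0.25, 1, 0.1, 0.1, 0.75, 0.2, 275.0),
    (2, 0.25, 1, 0.1, 0.1, 0.75, 0.2, 275.0),
    (5, 0.25, 14, 0.25, 0.25, 13.75, 0.5, 2650.0),
    (6, 0.25, 15.5, 0.25, 0.5, 15.25, 0.75, 771.4),
    (7, 0.25, 16, 0.25, 0.75, 15.75, 1, 1475.0),
    (8, 1, 16, 0.25, 1, 15, 1.25, 1000.0),
    (9, 1, 16, 0.25, 4, 15, 4.25, 252.9),
    (11, 0.5, 14, 0.25, 0.25, 13.5, 0.5, 2600.0),
    (12, 0, 13.5, 0.5, 0.5, 13.5, 1, 1250.0),
    (13, 0.25, 10, 0.25, 0.25, 9.75, 0.5, 1850.0),
    (14, 0.25, 9.75, 0.25, 0.25, 9.5, 0.5, 1800.0),
    (15, 0.25, 12, 0.25, 0.25, 11.75, 0.5, 2250.0),
]

def margin_pct(t_avail, t_reqd):
    """Assumed margin form, inferred from the table rows (not stated on the page)."""
    return (t_avail - t_reqd) / t_reqd * 100.0

def check_row(row, time_tol=1e-6, margin_tol=0.1):
    """Return (hr_id, field, recomputed, stated) for each value that does not reproduce."""
    hr_id, t_delay, t_sw, t_cog, t_exc, t_avail, t_reqd, stated = row
    checks = [
        ("Tavail", t_sw - t_delay, t_avail, time_tol),   # Tavail = Tsw - Tdelay
        ("Treqd", t_cog + t_exc, t_reqd, time_tol),      # Treqd = Tcog + Texe
        ("Margin", margin_pct(t_avail, t_reqd), stated, margin_tol),
    ]
    return [(hr_id, name, round(calc, 1), given)
            for name, calc, given, tol in checks if abs(calc - given) > tol]

def check_table(rows=TABLE_11):
    """Collect every non-reproducing value across the transcribed rows."""
    findings = []
    for row in rows:
        findings.extend(check_row(row))
    return findings

if __name__ == "__main__":
    for hr_id, field, calc, given in check_table():
        print(f"HR ID {hr_id}: {field} recomputed {calc}, table states {given}")
```

Run as written, the check reports HR IDs 6 and 8, whose stated margins (771.4 and 1000) differ from the values the other columns give under the assumed formula; every Tavail and Treqd entry reproduces.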
Conclusion
As a consequence of the low failure probabilities of flood protected equipment and high reliability of the necessary human actions being taken to implement the external flood mitigation procedures described above, there is adequate assurance that the site will be protected from an overtopping of the design flood barrier during the re-evaluated hazard.