ML023010597

From kanterella
Jump to navigation Jump to search
Part 5 of 7 - GE BWR/4 Advanced Course R-504B
ML023010597
Person / Time
Site: Grand Gulf, Surry  Dominion icon.png
Issue date: 09/19/2002
From:
General Electric Co
To:
Office of Nuclear Reactor Regulation
References
FOIA/PA-2002-0343
Download: ML023010597 (120)
v  d  e


Text

G.E.

Advanced Technology Manual Shutdown Plant Problems Table of Contents 4.10 Shutdown Plant Problems..........................................

1 4.10.1 Introduction.............................................

1 4.10.2 Binding of Gate Valves.....................................

2 4.10.2.1 Thermal Binding Phenomenon 2

4.10.2.2 Pressure Locking Phenomenon........................

2 4.10.2.3 Consequences of Locking............................

3 4.10.3 M ode 3/4 Event..........................................

3 4.10.4 Summary 3

List of Tables 4.10-1 Sequence of Events.............................................

5 List of Figures 4.10-1 Accident Sequence Comparison.......................................

9 4.10-2 Pressure Locking Flexible-Wedge Gate Valve............................

11 4.10-3 RHR System Shutdown Cooling Mode................................

13 U5NRC Technical Training Center 4.10-i Rev 0196 USNRC Technical Training Center 4.10-i Rev 0196

G.E.

Advanced Technology Manual Shutdown Plant Problems 4.10 Shutdown Plant. Problems, Learning Objectives:

1. List two major accident sequences identified at low power and shutdown plant conditions.
2. Describe the differences between full power and low power/shutdown major

" accident sequence classes.

3. List three systems and their components that have a history of becoming pressure locked.
4. -Desbribe the alignment of the Residual Heat Removal System and Recirculation System when in shutdown cooling

-mode'of RHR.

5.- List the Technical Specifications viola-.

tions from the events log.

4.10.1 Introduction In 1989 the Nuclear Regulatory Commis:

sion initiated a progiam to exanine the potential risks presented during low power and shut-down conditions. Two plants, Surry (PWR) and Grand Gulf (BWR), were selected to be studied. -These studies.(NUREG/CR-.6143) along w ith operational experiences indicated that the risk during low power and shutdown condi tions may be significant. '

The risk associated with Grand Gulf operat ing in modes 4 and 5 was shoran to be compa rable with the risk associated with full power operation, 10-6 range., While the risk is low, very few systems/features of the plant are re quired to be available to attenuate a release should it occur. Technical specifications per mits more equipment to be inoperable during low power and shutdown conditions. In certain plant-conditions,'primary containment is not required.

, Figure 4.10-2 presents a comparison of the mean core damage frequency percentages for the major classes of accidents from both the full-power NUREG-1150 and the low power,,

and shutdown mode-analyses NUREG/CR 6143. From this figure, obvious similarities and differences can be seen. The major similari ty observed is that in both analyses the~station blackout (SBO) class is important. In the full power analysis SBOs are dominate accident sequences due to the loss or, degradation of multiple systems. In operating mode 3 and 4 SBOs also show up because they still cause loss or degradation of multiple systems., However,,

there are additional accidents that can cause loss or degradation of multiple systems because of considerations unique to those modes of opera tion.

1

..-,The major differences inthe accident pro gression associated with the SBOs are:

  • Almost all low power and shutdown mode SBOs sequences lead to an interfacing sys tem. LOCA whereas the full power sequenc- -.,

es do not.,.

- * :The containment is always open at the start of the low power and shutdown accidents

.whereas it is isolated at the start of the full

-power accidents.

  • The probability of arresting core damage in the vessel'is greater for full power accidents Lthan -for low power and shutdown condi
tions.

The remaining classes of accidents indicates" a major differences between the two analyses.

In the full poweranalysis, the anticipated tran-,,

sient without scram (ATWS) class is the second Smost important class while in the low power and shutdown analysis the second most impor "tantis SBO, with LOCA being.number one.-

Given the plant conditions analyzed in the two studies, the first point that can be madeis that ATWS sequences were simply not possible with the plant already in a shutdown state. On

- the other hand, since LOCAs were possible in both analyses, why did this class only show up

-USNRC Technical Training Center 4.10-1 Rev 0196 G.E.

Advanced Technology Manual

--- Shutdown °Plant Problems Rey 0196

-USNRC Technical Training-Center "

4.10-1

G.E. 'Advanced Technology Manual Shutdown Plant Problems in low power and shutdo'wii resul.s? While no detailed examination of this phenomenon was undertaken, the most likely reason for the ap pearance of LOCAs results is the intentional disabling of the automatic actuation of the sup pression pool makeup system which i' unique to the Mark III containment. Defeating'atutomat ic actuation of the suppression pool makeup is done for safety reasons. As a result, the con tinued use of injection systemns during a LOCA require operator intervention. The difference in reliability between automatic actuati6fi and oper ator action generally accounts for the fact that LOCAs survived in the low power and shut down analysis but not in the* full power analy sis.

4.10.2 Binding of Gate Valves Thermal binding of double-disc and flexi ble-wedge gate valves has beeni addressed by the NRC and the industry since 1977. Particu larly, throughout the 1980's the industry issued a number of event reports concerning.safety related gate valve failures due to disc-binding.

These failures were attributed to either pressure lockifig or thermal binding. Binding of gate valves in the closed position is of safety concern because gate valves have a variety of applica tions in safety-related systems and may be re quired to open during or immediately following a postulated event. During such' eents, valve performance is severely challenged lýy~the rapid cooldown and depressurization rates which expose the disc to large differential pressures.

Generally valve operators are not sized to open'a valve against bindifig forces. Pressure locking or thermal binding of gate valves repre sents *a nonrevealifig common-mode failure mechanism since normal surveillance tests may not detect or identify them.

Safety-related systems for a BWR in which valves have become piessidre locked include:

HPCI - Steam admission valve LPCS - Injection valve LPCI - Injection valve RCIC - Steam admission valve RR -

Recirc pump discharge valve A review of the events shows that there were two potential causes of pressure locking; liquid entrapment in the bonnet and high AP across the disc while in the closed position.

Most of the events occurred during infrequent plant evolutions such as heat-up, cooldown, and testing. Pressure locking adversely affects operation of motor operated valves, and renders the associated system unavailable.

4.10.2.1 Thermal Binding Phenome non If a wedge gate valve is closed while the system is hot, thermal binding can occur as the system cools. The valve body and discs me chanically interfere because of their different thermal expansion and contraction characteris tics. The difference in thermal contraction can cause the seats to bind the disc so tightly that reopening is extremely difficult or impossible until the valve is reheated. Several potential remedies have been suggested to alleviate this situation:

"* Slightly opening and reclosing a valve peri odically during a cooldown.

"* Limiting valve actuator closing forces.

"* Using compensating spring packs to reduce valve initial closing forces.

In general, neither ac hor dc valve motor operator sizing analyses account for the extra force needed to unseat a valve when it is ther mally bound.

4.10.2.2 Pressure Locking Phenome hon Pressure locking in flexible-wedge and double-disc gate valves generally develops because of valve design in combination with UNKL1echn1ca1 iraining Center 4.10-2 Rev 0196 G.E. ýAdvanced_ Technology Manual Shutdown Plant Problems U~SNRC Technical Training Center 4.10-2 Rev 0196

G.E.AdvacedTecholoy MaualShutdown Pl~ant Problems characteristics of the bonnet and specific local conditions at the valve (temperatures and pres sures). The essential feature to develop pres sure locking is the presence of fluid in the bon net cavity, including the area between the discs.

The fluid may enter the bonnet cavity during normal opening and closing valve cycle. Also, fluid may enter the bonnet cavity of a closed valve which has a AP across the disc. The pressure differential causes the disc to move slightly away from the seat, developing a flow path for fluid so that the bonnet cavity becomes filled with high pressure fluid. Whether these situations lead to a valve pressure locking sce nario depends upon the pressure of the fluid that enters the bonnet cavity, and the difference in pressure between the process fluid and bonnet cavity at the time the MOV is called upon to operate.

4.10.2.3 Consequences of Locking These phenomena can delay the valve stroke time or cause the valve motor actuator to stall.

Events at Susquehanna and FitzPatrick indicate that the RHRILPCI and LPCS injection valves of a BWR are susceptible to pressure locking caused by bonnet cavity pressurization. In both systems the injection valve is normally shut and is require to automatically open upon receipt of an actuation signal. The testable check valve located between the reactor and injection valve is not a leak-tight valve. Leakage past the check valve can pressurize the piping between the valves and the injection valve cavity to reactor pressure. Near leak-tight seating surfaces of the injection valve may allow the valve cavity to remain pressurized and become subject to pres sure locking when injection is needed during a LOCA. Under this condition, the bonnet pres sure is greater than 1000 psig, while the down stream pipe suddenly depressurizes to between 400 and 500 psig. This high internal-to-extema lAP across both seating surfaces would result in.

double-disc drag forces, which if ihey exceed the available thrust of the actuator, will produce pressure locking.

'. When d valve disc becomes locked in the closed position due to pressure-locking or ther mal binding, actuation of the motor will result in locked-rotor current which will rapidly increase the temperature of the motor internals. Within 10 to 15 seconds, the heat buildup can degrade the rmotor's capability. to deliver, a specified torque, damage the motor, or both.

4.10.3 Mode 3/4 Event Hope Creek is a BWR/4 plant rated at 3293 MWt and 1067 MWe with a Mark I contain ment. At the time of the event the plant was operating in an action statement requiring the plant to shutdown in seven days due to an inop erable control room ventilation component. The allowed operating time of seven days was ap proaching expiration so the plant had com menced a reactor shutdown. As part of the normal shutdown procedure the reactor was manually scrammed by placing the mode switch in the shutdown position. The plant entered operating mode 3 at 12:18 am on July 8, 1995.

Table 4.10-1 lists the sequence of events and provides a detailed description of the event to conclusion.

By using the sequence of events, attached figures, technical specifications and this text, answer learning objectives 4 and 5 in this chap ter.

.4.10.4 Summary The reader should be aware that the statistics presented herein are for Grand Gulf. As such, this information should not be generalized to other nuclear power plants without first consid ering all relevant factors. Complete details of the Grand Gulf statistics and insights can be found in SAND94-2949.

What can be generalized, is the apparent change in dominant accident sequences from full power to low power and shutdown condi tions. This is extremely important when you consider that technical specifications action USNRC Technical Training Center 4.10-3 Rev 0196 I Rev 0196 G.E.

Advanced Technology Manual USNRC Technical Training Center

° 4.10-3

G.E.

Advanced Technology Manual Shutdown Plant Problems statements usually require you to go to mode 3 or 4 within some time frame. The NRC felt so concerened about the' apparent change in risk when entering modes 3 and 4 that they enlisted Sandia National Laboratories to evaluate the risk impact of the Limiting Conditions of Operation (LCOs) in the current Grand Gulf technical specifications. The results of the study were published in NUREG/CR-6166.

USNRC Technical Training Center 4.10-i Rev 0196 Shutdown Plant-Problems G.E., Advanced Technology Manual USNRC Technical Training Center 4.10-i Rev 0196

G.E.Techoloy Adancd MaualShutdown Plant Problems Table 4.10-1 Sequence of Events July 8. 7:00 am Operating Shift turnover 7:54 The B RHR pump was placed in service to establish shutdown cooling (SDC) in accordance with procedures. Indicated RHR flow was approximately 10,000 gpm.

7:54 to 9:40 The A and B recirculation pump discharge valves were stroked open and closed to prevent thermal binding in the closed position.

9:40 Nuclear controls operator unsuccessfully attempted to open the 'A' recirculation pump discharge valve.

9:50 Nuclear controls operator unsuccessfully attempted to open the 'A' recirculation pump discharge valve a second time. An action request was initiated to investigate and correct the valve failure.

10:57 Operating mode 4 is reached 11:00 The nuclear controls operator partially opened and left open the 'B' recirculation pump discharge valve to prevent thermal binding in the closed position.

11:52 Reactor pressure indicated zero pounds per square inch gage (psig) and the reactor vessel head vent valves to the equipment drain sump were opened in accordance with procedures.

12:59 pm The electrical supply breaker for the reactor water cleanup supply line inside isolation valve (F001) was opened to support a corrective maintenance activity.

2:38 All high reactor pressure automatic isolation signals for the inboard and outboard shutdown cooling isolation valves were defeated. In addition, the isolation capabilty was defeated for the inboard valve. These signals were defeated in accordance with procedures, to prevent an inadvertent isolation and also in preparation for reactor protection system surveillance testing.

4:35 The shutdown cooling system was secured to facilitate manual operation of the RHR shutdown cooling isolation valves, per procedure, to verify that the valves could be closed manually. This is a precautionary step performed following defeat of the automatic signals.

5:09 Shutdown cooling was returned to service. The RHR heat exchanger inlet temperature promptly increased from 163 degrees to 182 degrees fahrenheit.

5:30 Operators entered the drywell to perform outage activities, assess a drywell cooler leak and to investigate the reason for recirculation pump discharge valve failure.

5:54 Electrical supply breaker for the reactor water cleanup valves was reclosed.

6:45 Operators manually "cracked" open the 'A' recirculation pump discharge valve. Upon exiting the drywell, plant operators reported condensation on drywell surfaces and also fogging of their glasses. The nuclear controls operator opened 'A' recirculation pump discharge valve until he received an electrical dual indication.

7:00 Operating shift turnover USNRC Technical Training Center 4.10-5 Rev 0196 G.E. Technology Advanced Manual USNRC Technical Training Center 4.10-5 Rev 0196

G.E.Techoloy Adancd MaualShutdown Plant Problems Table 4.10-1 Sequence of Events (Continued) 8:00 pm The senior nuclear shift supervisor (SNSS) turnover completed, however, the on coming SNSS was involved with other activities and missed the shift briefing.

8:30 SNSS and NSS performed a control room panel walkdown and noted the 2000 gpm of recirculation system flow. They decided to shut the recirculation pump discharge valves.

8:45 The drywell primary containment instrument gas system was tagged out and depressurized in preparation for outage maintenance activities.

9:00 The nuclear controls operator closed the '.A' recirculation pump discharge valve after RHR heat exchanger inlet temperature decreased to 155 OF and the thermal binding limitation was no longer applicable.

An attempt was made to also close the discharge valve for the 'B' pump, but was unsuccessful. The nuclear controls operator assumed this was due to some valve control interlock and decided to open the valve further and try again to close it.

10:00 to 11:00 The nuclear controls operator noted reactor pressure was indicating approximately 17 psig, but was not confident about the accuracy of the pressure indication at the low end of a 0 - 1500 psig meter. The electrical supply breaker for the RWCU F001 valve was opened in preparation for transferring the RPS system to its alternate power supply.

11:00 The operators noted that drywell floor drain leakage had increased to 1-2 gpm.

July 9, 00:30 RWCU valve F001 was returned to an operable status.

1:00 am The nuclear controls operator noted that a shutdown cooling high pressure trip unit indicated 60 psig. The operator directed an instrument technician to accurately determine reactor pressure. The reading taken indicated pressure between 19 and 24 psig on all channels.

1:30 The operating crew decided to enter the drywell and identify the source of drywell leakage and to manually shut 'B' recirculation pump discharge valve.

4:29 The automatic isolation signals for shutdown cooling inboard and outboard suction valves were restored to normal.

4:49 The automatic isolation signals for shutdown cooling inboard and outboard isolation valves were again bypassed.

4:54 Shutdown cooling was secured and attempt was made to close 'B' recirculation pump discharge valve. In the attempt, the valve was fully opened.

5:00 SNSS and NSS discussed closing the 'B' recirculation pump suction valve as a contingency plan.

5:08 Shutdown cooling was restored. RHR heat exchanger inlet temperature increased approximately 7 OF.

5:50

'B' recirculation pump discharge valve was closed manually, R.HR inlet temperature increased to 191 OF along with vessel bottom head temperature from 150 to 189 OF, in about 2 minutes. Reactor pressure started trending down toward zero.

USNRC Technical Training Center 4.10-7 Rev 0196 G.E. Technology Advanced Manual USNRC Technical Training Center 4.10-7 Rev 0196

Full Power Low Power & Shutdown Figure 4.10-1 Accident Sequence Comparison 4.10-9

0196-4 INTERCONNECTED (EQUAL PRESSURE)

Figure 4.10-2 Pressure Locking Flexible-Wedge Gate Valve 4.10-11

Figure 4.10-3 RHR Systeni Shutdown Cooling Mode I-.

0 tjj Condensate to RCIC Steam from HPCI Line 0

r,,3 ED Wi

G.E. Technology Advanced Manual Technical Issues/Risk Manacement TABLE OF CONTENTS 4.11 RISK MANAGEMENT........................................

4.11-1 4.11.1 Introduction............................................

4.11-1 4.11.2 H istory..............................................

4.11-1 4.11.2.1 Deterministic Analysis 4.11-1 4.11.2.2 Probabilistic Risk Assessment.......................

4.11-2 4.11.2.3 Severe Accident Policy.............................

4.11-4 4.11.3 Risk-Based Regulation....................................

4.11-6 4.11.4 PRA Policy Statement and Implementation Plan....................

4.11-8 4.11.4.1 Risk Management................................

4.11-9 4.11.4.2 Configuration Management.........................

4.11-10 4.11.4.3 On-Line Maintenance.............................

4.11-10 4.11.4.4 Maintenance Rule 4.11-11 4.11.4.5 Inspection of Configuration Management................

4.11-14 4.11.5 Summary.............................................

4.11-15 4.11.6 References............................................

4.11-16 LIST OF TABLES 4.11-1 Insights from Review of Plant IPEs.................................

4.11-19 USNRC Technical Training Center 4.11-i Rev 0196 Rev 0196 G.E. Technology Advanced Manual Technical Issues/Risk Management USNRC Technical Training Center 4.11-i

LIST OF FIGURES 4.11-1 Deterministic Analysis.......................................

4.11-23 4.11-2 Probabilistic Risk Assessment..................................

4.11-25 4.11-3 Elements of PRA..........................................

4.11-27 4.11-4 Historical Perspective.......................................

4.11-29 4.11-5 Major Contributors to Core Damage by Accident Types.................

4.11-31 4.11-6 Relative Importance Factors for BWR Systems......................

4.11-33 4.11-7 Relative Importance Factors for PWR Systems.......................

4.11-35 4.11-8 Risk-Based Regulation.......................................

4.11-37 4.11-9 PRA Policy Statement.......................................

4.11-39 4.11-10 PRA Implementation Plan.....................................

4.11-41 4.11-11 Risk and Configuration Management - Definitions....................

4.11-43 4.11-12 Risk M anagement Factors.....................................

4.11-45 4.11-13 Maintenance Rule - Objectives..................................

4.11-47 4.11-14 Maintenance Rule - Scope.....................................

4.11-49 4.11-15 Configuration Risk Monitoring Methods...........................

4.11-51 4.11-16 Preventive Maintenance Equipment Out-of-Service Matrix...............

4.11-53 4.11-17 Risk M onitoring...........................................

4.11-55 4.11-18 Risk M onitoring Predictive....................................

4.11-57 4.11-19 Risk Profile for Allowed Outage Time Determination...................

4.11-59 ATTACHMENTS NRC Inspection Report Nos. 50-334/94-24 and 50-412/94-25.........

4.11-59 USNRC Technical Training Center 4.11-li Rev 0196 G.E. Technology Advanced Manual Technical Issues/Risk Management Rev 0196 USNRC Technical Training Center 4.11-ii

G.E. Technology Advanced Manual Technical Issues/Risk Management 4.11 RISK MANAGEMENT

,Learning Objectives:

1.' Describe what is meant by the ten in depth," and' explain how nuc.

plants have been designed to incor concept.

2.

Describe how probabilistic risk a (PRAs) of nuclear power plants c "ment deterministic analyses.

"-3. 'Define the term "configuration ma and explain why configuration m

-is necessary in managing risk power plants.

4. Describe methods that are used

-outilities to incorporate risk' ins maintenance planning.

5. Describe how PRA results are u NRC for risk-informed regulation 4.11.1 Introduction

'Nuclear power plants in the U.S.

designed and constructed in accord deterministic analyses. The design ba "nuclear unit are documented in its F Analysis Report (FSAR), which

-yearly as the Updated Safety Analy (USAR).' Nuclear power plant operati ing maintenance and surveillance of sa equipment, is controlled and restricted cal specification requirements.

Throughout the history of commer "power; the regulatory agencies (the later, the NRC) and the nuclear -ind continued to research and implement better methods of operating, maintaini and analyzing nuclear plants and eq reduce risk and to ensure'safety. This section discusses-the major regulatory and industry actions that have been-or are being incorporated to address operational and accident risk manage m "defense ment in nuclear power plants.

lear-power rporate this 4.11.2 -History.

4.11.2.1 Deterministic -Analysis ssessments an comple-Nuclear power plants in the U. S. have been

-designed 'and constructed in accordance with deterministic analyses. Deterministic analyses riagement,"

iinvolve standard good engineering practices, anagement calculations, and judgements; and in the case of at nuclear nuclear power plants, design bases which include the assumption of worst-case conditions for S-

.accident analyses. Examples of these worst-case by nuclear

'conditions include the assumptions of an initial ights into

-reactor power of greater than 100%, restrictive power distributions within the core, conservative engineering factors, the minimum-required sed by the "accident mitigation equipment available, and pipe

-' - breaks of all possible sizes.,

In a large nuclear generating station with a core output rated at over 3000 MW thermal, have been about six pounds of fission products arepro lance with duced each day that the unit is operated at full Lses of each

- -power. -To protect the public from these,fission inal Safety - products during normal and accident situations, a is updated "defense in depth," or multiple levels of assur

'sis Report

-' ance and safety, exists to minimize risk to the ion, includ-

-public from nuclear power plant operation.

fiety-related "- -

-I I

-- I

,I I by techni-A multiple barrier concept-was used in

- *designing and building nuclear units. The first barrier against fission product release is the fuel cial nuclear cladding. ---The' fuel cladding -consists of.,an AEC'and

' enclosed cylindrical cylinder that is designed to Lustry have contain fuel pellets and fission products during fiew and/or normal and abnormal transients. The second ng, testing, ' barrier, if isolated,-is the reactor coolant pressure uipment to boundary. The containment systems, primary USNRC Technical Training Center 4.11-1

-4 Rev 0196 G.E. Technology Advanced Manual Technical Issues/Risk -Management I

G.E. Technology Advanced Manual Technical Issues/Risk Management and secondary containment,, provide two addi tional distinct fission product barriers. These barriers and the protection against the loss of each barrier are required by the Code of Federal Regulations.

Engineered safety features (ESFs) are provid ed in nuclear power plants to mitigate the conse quences of reactor plant accidents. Sections of the General Design Criteria in Appendix A of 10 CFR, Part 50 require that specific systems be provided to serve as ESF systems. Containment systems, a residual heat removal (RHR) system, emergency core cooling systems (ECCSs),

containment heat removal systems, containment atmosphere cleanup systems, and certain cooling water systems are typical of the systems required to be provided as ESF systems. Each of the ESF systems is designed to withstand a single failure without the loss of its protective functions during or following an accident condition. However, this single failure is limited to either an active failure during the injection phase following an accident, or an active or a passive failure during the recirculation phase. Most accident analyzes assume the loss of offsite power. This loss of offsite power is considered in addition to the "single active failure."

The engineered safety features which contain active components are designed with two inde pendent trains. Examples of systems employing this design feature are the ECCSs, in which either train can satisfy all the requirements to safely shut down the plant or meet the final acceptance criteria following an accident. Redun dant pumps, valves, instrument sensors, instru ment strings, and logic devices are required to ensure that no single failure will prevent at least one of these trains from performing its intended function.

All engineered safety feature iystems must be physically separated so that a catastrophic failure of one system will not prevent another engi neered safety feature system from performing its intended function. Electrical power to the engi neered safety features comes from the transmis sion grid via transformers, breakers and busses.

Redundant diesel generators are normally the standby power supply.

ESF systems are designed to remain func tional if a safe shutdown earthquake occurs and are thus designated as Seismic Category I. The reactor coolant pressure boundary, reactor core and vessel internals, and systems or portions of systems that are required for emergency core cooling, post-accident containment heat removal, and post-accident containment atmosphere cleanup are designed to Seismic Category I requirements. ESF systems are also designed to include diversity. "Diversity" refers to different methods of providing the same safety protection or function.

Two systems which illustrate diversity are the core spray system and residual heat removal system; both are low pressure ECCSs. Both of these systems are designed to mitigate the consequences of a loss of coolant accident (LOCA).

However, the core spray system provides core cooling by spray and flooding, while the residual heat removal system utilizes flooding alone.

4.11.2.2 Probabilistic Risk Assessment A PRA is an engineering tool used to quanti fy the risk to a facility. Risk is defined as the likelihood and consequences of rare events at nuclear power plants. These events are generally referred to as severe accidents. The PRA aug ments traditional deterministic engineering analyses by providing quantitative measures of safety and thus a means of addressing the relative significance of issues in relation to plant safety.

Basically, a nuclear power plant PRA answers three questions:

USNRC Technical Training Center 4.11-2 Rev 0196 G.E. Technology Advanced Manual Technical Issues/Risk Management 4.11-2 Rev 0196 USNRC Technical Training Center

G..Tcnlg AdacdMna ehialIse/ikMngmn S

S S

What can go wrong?

How likely is it?

)What are the consequences?

Probabilistic -risk assessment is a

multidisciplinary approach employing various hmethods, including system reliability, contain ment response modeling, and fission release and public consequence analyses, as depicted graphi cally in Figure 4.11-3. A PRA treats the entire plant and its constituent systems in an integrated fashion, and thus subtle interrelationships can be discovered that are important to risk. Another important attribute of probabilistic risk assess ment is that it involves analyses of both single and multiple failures. Multiple failures often lead to situations beyond the plant design basis and,

_in some cases, are more likely than single fail

-ures. By addressing multiple failures, a PRA can cover a broad spectrum of potential accidents at a plant.

The first comprehensive development and application of PRA techniques in the commercial nuclear power industry was the NRC-sponsored "Reactor Safety Study" (RSS). The principal

-objective of the RSS was to quantify the risk to the public from U.S. commercial nuclear power plants. The RSS_ analyzed both a BWR (Peach Bottom) and a PWR (Surry). The report of the RSS results,. generally referred to as WASH

  • 1400, was published in October of 1975. The results of-the. study can be summarized as fol lows: (1) risks from nuclear,power.plant opera

-tion are small as compared to non-nuclear haz ards; (2) the frequencies of core melt accidents are higher than previously thought (calculated to be approximately 5 X 10-5 per reactor year); (3) a variety of accident types are important; (4) design-basis accidents are not dominant contribu tors to risk; and (5) significant-differences in containment designs are important to risk. The basic PRA approach developed by the RSS is still used today.

Because the RSS was the first broad-scale application of event-, and fault-tree methods to a system as complex:as a nuclear power plant, it was one of the more controversial documents in

-,the history of reactor:-safety.-The RSS also analyzed conditions beyond the design basis and attempted to quantify risk. A group called the Lewis Committee performed a peer review of the RSS and published a report, NUtREG/CR-0400, to the NRC three years later to -describe the effects of the RSS results on the regulatory process. The report concluded that although the RSS had some flaws and that PRA had not been formally used in the licensing process, PRA methods were the best available andshould be used to assist in the allocation of,the limited resources available for the improvement of

,safety.

The 1979 accident 'at Three Mile Island (TMI)

"substantially changed the character of the NRC's regulatory approach.- The accident revealed that perhaps nuclear reactors might not be safe enough and that new policies and approaches were required. Based on comments and recom mendations from the Kemeny and. Rogovin investigations of the TMI accident, a substantial program.,to research -severe -accident phenomenology was initiated (i.e.,.those acci dents beyond the design basis which could result in core damage). -It was also recommended that PRA be used m6re by the staff to complement its traditional, non-probabilistic methods of analyz ing nuclear plant safety. Rogovin also suggested in a report to the Commissioners and the public, NUREG/CR-1250, that the NRC policy on severe accidents consider (1) more severe acci dents in:, the licensing °process land (2) probabilistic safety goals to help define what is an acceptable level of plant safety:

In late 1980, the NRC sponsored a current assessment of -severe accident risks for five commercial nuclear power plants in a report USNRC Technical Training Center

411.3 Rev '0196 G.E. Technology Advanced Manual

.Technical Issues/Risk Management cUSNRC Technical Trainin-g Center...

  • '7

-4.ý11-ý3 SRev-,'0196

G.E. Technology Advanced Manual Technical Issues/Risk Mana2ement called "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG 1150. This report incliided an update of the RSS risk assessments of Surry and Peach Bottom and provided the latest NRC veisiofi of the state of the art in PRA models, methods, and' approach es.

A summary of the insights gained from early risk assessments are as follows:

1. As illustrated by the NUREG-1150 results and early plarit PRAs, the PRAs reflect details of plant'systems, operations and physical layouts; Since nuclear power plants in the U.S. are not.stan dardized, the PRA results ire very plant specific.

Reactor design, equipment, location, and operation (power levels, testing and maintenance, operator actions) have large impacts on the results. There fore, in detail, the results can differ significantly from plant to plant.

"-2. Even with the differences in the detailed

" results between planf studies, PRAs can be used for some generic applications as listed in NUREG-1050. Some examples are:

"* Regulatory activity prioritization"

"* Safety issue evaluation,

"* Resource allocation,

"* Inspection program implementation, and

". NRC policy development.

3. 'Using PRA in the decisidn making piocess has aided licensee~s in determin ing which design modifications are desirable from both risk-reduction and cost-benefit standpoints for the improve mnent of plant'safety. PRA results'have more recently beeni used by licensees in enforcement discussions and in support of technical specification change requests.
4. PRAs have pointed out some general differences with respect to BWRs and PWRs as classes of plants. For example, NUREG-1 150 states that for BWRs, the principal initiating event contributors to core damage frequency are station black outs (SBOs) and anticipated transients without scram (ATWSs); for PWRs, the princiIal `contributors to core damage frequency are LOCAs. NUREG-1 150 also states that the core damage frequen cies for PWRs are higher than those for BWRs, because BWRs have more redundant methods of supplying water to the reactor coolant system. However, PWRs have lower probabilities of early containment failure given a core-damage sequence, since PWR containments are larger and can withstand higher pressures than BWR containments.

4.11.2.3 Severe Accident Policy In August 'of 1985, the NRC issued the "Policy Statement on Severe Accidents Regard ing Future Designs and Existing Plants" that introduced 'th Commission's plan to address severe accident issues for existing commeicial nuclear power plants. The stated policy was'that

'the public should be subject to no undue risk from the operation of commercial nuclear reac tors. A year later, in August of 1986, the NRC established *bothl qualitative ind quantitative safety goals for the nuclear industry. The quali tative safety goals ire as follows:

Individual mrefnbers of the public should be provided -a level of protection from the consequences-of nuclear power plaht opera tion'such that individuals bear no significant additional risk to life and health.

USNRC Technical Training Center G.E. Technology Advanced Manual Technical. Issues/Risk Manaaement 4.11-4 Rey 0196

G.E. Technology Advanced Manual Technical Issues/Risk Management Societal risks to life and health from nuclear power plant operation should be comparable to or less than the risks of generating electric ity. by viable competing technologies and should not be significant additions to other societal risks.

.The corresponding quantitative safety goals are:..

  • The risk to the average individual in the vicinity of a nuclear power plant of prompt

-fatalities that might result from a reactor accident should not exceed one-tenth of one percent of the sum of prompt fatality risks resulting from other accidents to which Smembers of the U.S. population are generally Pexposed.

The risk to the, population near, a nuclear power plant,of cancer fatalities that might result from nuclear power plant operation should not exceed one-tenth of one percent of the sum of cancer fatality risks resulting from all other causes:

The average accident fatality rate in the U.S.

is approximately_ 5 X 10-4 per individual per

- year, so the quantitative value for the first goal is 5 X 10-7 per individual per year. 'The "vicinity of a nuclear power plant" is defined to be the area within one mile of the plant site boundary. -The average U.S. cancer fatality rate is approximately 2 X,1 0-3 per year, so the quantitative value for

, the second goal is 2 X 10-6 per average individu

-al per year. The "population -near a nuclear

-power plant" is defined as the population within

.10 miles of the plant site.

However, because of arbitrary, assumptions in calculations, uncertainties in PRA analyses, and gaps in equipment reliability data bases, the safety goals are not definitive requirements, but serve as aiming points or numerical benchmarks.

In addition, it should be noted that the goals apply to the industry as a whole and not,to

.individual plants. The safety goals are not in and of themselves meant to serve as the sole bases for licensing decisions. However, when information Jis available that is applicable to a specific licens ing decision, it is to be considered as one factor in the licensing.

Implementation of the NRC plan to address severe accident risk included development of plant-specific examinations that would reveal v yulnerabilities to severe accidents and cost

- effective saety improvements that would reduce

-or eliminate.-the important vulnerabilities. -In Generic Letter 88-20 dated November 23, 1988,

-,allutilities with licensed nuclear power plants

,were requested to perform such examinations.

The specific objectives for these individual plant examinations (IPEs) are for each utility to:

  • Develop an overall appreciation of severe accident behavior,

- Understand the most likely severe accident

- sequences that could occur at its plant,

, Gain a more quantitative understanding of the

- overall probability of core damage and radioactive material releases, and

-If necessary, reduce the overall probability of core damage and radioactive maierial release by appropriate modifications to procedures

-,and1 hardware that would help prevent or mitigate severe accidents.,.

Many of the IPEs subriitted to the NRC have identified unique and/or important safety fea tures. Table 4.11-1 includes a list of insights obtained through analysis of 72 IPEs (25 BWRs and 47 PWRs) covering 106 commercial nuclear

-units (35 BWRs and 71 EWRs). -The items in the list indicate vulnerabilities identified during USNRC Technical Training Center 4.11-5 Rev 0196 G.E. Technology Advanced Manual Technical Issues/Risk Management

-4.11-5 IRev 0196 USNRC Technical Training Center

G.E. Technology Advanced Manual Technical Issues/Risk Management the IPE process at various plants anrid modifica tions that may have been made to plant equipment or procedures t6 reduce the vulnerabilities and hence, the calculated core damage frequencies.

Risk-and reliability-based methods can be used for evaluating allowed outage times, sched uled or preventive maintenance,'action statements requiring shutdown where shutdown risk may be substantial, surveillance test intervals, and analyses of plant configurations resulting from outages of systems or coffiponents. Because of the limitations in the IPE process such as arbi trary assumptions in calculati6ns-, uncertainties in PRA analyses, and gaps in equipment reliability data bases, the insights' identified in' and of themselves do not require any actidn by the individual licensee, buttpr0,vide inforifiation on where vulnerabilities exist in its'plant.

4.11.3 Risk-Based Regulation Technical specification requirements for nuclear power plants define the limiting condi tions for operation (LCOs) and surveillance requirements (SRs) to "issure safety during operation. In general, these requirements are based on deterministic analyses and ehgineering judgements. Experiences'with all modes of plant operation indicate that some elements of the requirements are unnecessarily restrictive, while a few may not be conduciv6 to safety.* Improv ing these 'requirements in-volves many'consider ations and is facilitated by the' availability of plant-specific IPEs and the development of related methods for analysis'. Risk-based regula tion is a regulatory approach in which insights from PRAs are used in combination with deter ministic system and engineering analyses to focus licensee and regulatory attention on issues commensurate with their importance to safety.

Examples of uses of risk insights for risk based regulation include the prioritization of generic safety issues, evaluation of regulatory requirements, assessment of design or operation al adequacy, evaluation of improved safety features, prioritizing inspection activities, evalua tion of events, and evaluation of technical specifi cation revision requests and enforcement issues.

Using risk-and reliability-based methods to improve technical specifications and other regula tory requirements has gained wide interest because they can:

Quantitatively evaliate risk impacts and juttify changes in requirements based on objective risk arguments, and

"* Provide a defensible bases for improved requirements for regulatory applications.

Caution must be. applied when using the results 0f risk assessments, however, because of the limitations of PRA methodology. The plant's initial PRA (and/6r IPE) is a snapshot of the plant at the time the plant c6nfiguration and data were collected and analyzed. The analyses must be revised as modifications are made to the plant design; operating miethods, procedures, etc., to maintain the iisk assessment results current. In addition, a PRA'model is not a complete or accurate model of the plant during all modes of operation. For example, for PWRs, the 'removal of both boric acid makeup pumps from service is not very risky during mode 1 operations; howev er, these pumifips are very important w*hen the achievement of the required shutdown margin in mode 5 is considered. Other limitations of PRAs include the uncertainties in the equipment failure data bases, the level of understanding of physical processes, the uncertainties in quantifying human reliability, the sensitivity of results to analytical assumptions, and modeling constraints.

Quantitative risk estimates have played an importarnt role in' addressing and resolving USNRC Technical Training Center 4.11.6 Rev 0196 G.E. Technology Advanced Manual Technical-Issues/Risk Management USNRC Technical Training Center 4.11-6 Rev 0196

G.E. Technology Advanced Manual Technical Issues/Risk Management V

'--

regulatory issues including:

  • Anticipated transient without scram: Risk assessments contributed to development of the ATWS rule, 10CFR50.62, which re quires all PWRs.to have equipment diverse and independent from the reactor protection

-ýsystem for auxiliary feedwater initiation and turbine trip, requires all CE and B&W PWRs and BWRs to have a diverse scram system, provides functional requirements for the standby !iquid control systems of BWRs, and

- requires,that BWRs have equipment for automatically tripping reactor coolant recircu lation pumps.

Auxiliary feedwater (AFW) system reliability:

  • - The NRC has reviewed information provided on auxiliary feedwater systems in safety analysis reports. As part of each review, the NRC assures that an AFW system reliability

.analysis has been performed. -The Standard

- Review Plan states that an acceptable AFW "system should have ah unreliability in the range of 10-4 to 10-5. Compensating factors

-such as other methods of accomplishing the safety functions of the AFW system or other reliable methods for cooling the reactor core during abnormal conditions may be consid ered to justify a larger unavailability of an AFW system.

Station blackout (loss of all ac power): Risk assessments contributed to development of the blackout rule, 10CFR50..63, which requires licensees to determine a plant

-specific station blackout duration, during which core cooling and containment intergrity would be maintained, and to have procedures addressing station blackout events. The rule allows utilities several design alternatives to ensure that an operating plant can safely shut

, down in the event that all ac power is lost.

One alternative is the installation of a full-capacity alternate ac power source that is

- capable of powering at least one complete set of normal safe shutdown loads.

Backfits: There are many cases where PRAs have been used tosupport the backfit deci sion process. For example, :after the TMI accident several TMI action -plan issues evolved. Consumers Powerperformed a PRA of the Big Rock Point nuclear plant to assist in identifying those -TMI generated changes which might actually have an impact

, on the.risk at the plant. -As a result, Consum "ers Power was able to negotiate exemptions on sevenaissues, which did not significantly

. - lower risk.at BigRock Point, saving over

$45 million. In addition, Consumers Power used the PRA to identify changes necessary

-to reduce the core damage frequency. at Big Rock Point to an acceptable level. The cost of a change is generally considered to be the dollar cost associated with design, licensing, implementation, operation and maintenance.

Sometimes the cost of replacement power is

-included for,a backfit requiring a plant shutdownjto implement. The benefit of the change is the reduction in risk if the change is implemented. The most cost-effective change provides the most improvement in safety for the least cost. This type of cost-benefit analysis was done extensively during the ATWS rule-making process.

Risk-based inspections:, A PRA provides information on dominant accident sequences and their minimal cut sets. This information has-already been used,to design the risk based portions of some plant-specific inspec tion programs. Inspection programs can be prioritized to address the minimization of hardware challenges, the assurance of hard ware availability, and the effectiveness of plant staff actions as they relate to the sys tems and faults included in -the dominant

- USNRC Technical Training Ceiiter 4.11-7 Rev 70196 SG.E. Technology Advanced Manual

.Technical Issues/Risk Management "Rev' 0196

-USNRC Technical Training Center' 11-'7

'G.E...Techno.Technical Issues/Risk Maneent accident sequences.-A PRA supports the assessment of a plant change by providing a quantitative measuireof the relative level of safety associated with the change. This is accomplished by' performing sensitivity studies. A sensitivity study is a study of how different assumptions, configurations, data or other potential changes in the basis of the PRA impact the results.

The NRC staff is expecied to use PRA results to assist in prioritizing regulatory activities, and plant inspectors are expected to use IPE results to prioritize inspection ictivities. The inspectors should be alert for situations which constitute near. misses. That is, the-inspector needs to recognize those events that come'close to accident sequences. Recognizing the 'significance of events at the plant is especially iriportant for those related to sequences initiated by an ATWS or an intersystem LOCA, which can have severe consequences.

Finally, the NRC staff will be involved in more and more discussions in which PRA results are used or misused to justify a particular action or inaction. Therefore, it is important that the staff be familiar with the types of information that a PRA provides and that the staff can use PRA information accurately in discussions and decisions.

4.11.4 PRA Policy Statement and Implementation Plan Deterministic appioaches to regulation consider-a'set of challenges to safety and deter mine how those challenges should be mhitigated.

A probabilistic approach to regulation enhances and extends the traditional deterministic approach by:

SAllowing consideration of a broader set of potential challenge-g to safety,

Providing a logical meahs for prioritizing these challenges based on risk significance, and Allowing consideration of a broader set of resources to defend against these challenges.

In'August of 1995, the NRC issued the "Policy Staiement on the Use of Probabilistic Risk Assessrment Methods in Nuclear Regulatory Activities." The overall objectives of the policy statement are to improve the regulatory process through impr6Ved'risk-informed safety decision making, through'imore efficient use of staff resources, through a reduction in unnecessary burdens on licensees, and through the strength ening of regulatory requirements. The policy statement contains the following elements regard ing the expanded NRC use of PRA:

Increased use of PRA in reactor regulatory matters should be implemented to the'extent supported by.the state of the art in PRA methods and data and in a manner that complements the NRC's deterministic ap proach and supports the NRC's triditional Sdefense-ini-depth philosophy.

PRA should be used to reduce unnecessary conservatism associated with current regula tory requirements. Where appropriate', PRA should be used to support additional regulato ry requirements.

PRA evaluations in support of regulatory decisiohi should be as realistic as possible, and appropriate supporting data should be publicly available.

Uncertainties in PRA evaluations need to be considered in applying the Commission's safety goals for nuclear power plants:

An agency-wide plan has been developed to implement the PRA policy statement. The scope "of the PRA implementation plan includes reactor regulation, reactor safety research, analysis and USNRC-Technical Training Center Rev 0196 SG.E., Technology Advanced.* Manual 4.11-8

Technical Issues/Risk Management evaluation of operational experience, staff train ing, nuclear material, and low and high level waste regulations. The plan provides mecha nisms for monitoring programs and management

- oversight of PRA-related activities. The plan includes both -ongoing and new PRA-related activities., The following are PRA-related regula tory activities that are underway within the NRC:

Graded quality assurance, The maintenance rule,

  • In-service inspection and testing,
  • The IPE insights program, PRA training for the staff, and
  • The reliability data rule.

4.11.4.1 Risk Management Risk management is a means of prioritizing resources and concerns to control the level of safety. As discussed above, the NRC's and nuclear industry's use of risk analyses-have shown that:

0 The risk from nuclear power plant operation is generally low,

  • Low cost improvements can sometimes have significant safety and economic benefits, and Subtle design and operational differences

-make it difficult to generalize dominant risk contributors from plant to plant or for a class of plants.

Because each nuclear power plant is essen tially unique, the most powerful use of the PRA is as a plant-specific tool. PRAs can be used in two basic ways:

1. To support plant operations, mainte nance, inspection, and planning activities;

'and.

,2. To provide information regarding chang es to improve plant safety 'and reliability.

A plant's PRA can beused during all modes of plant operation to prioritize operations and maintenance resources to maintain safety at acceptable levels. This is accomplished, in part, by periodically updating the PRA results to keep current with plant configuration and component failure data. Importance measures can be used to indicate where preventive actions would be most beneficial and what is most important to maintain at acceptable safety levels. Based ofn the updated results, adjustments in plant activities and design can be made, as appropriate,.to maintain the desired level of safety as indicated by the results of the PRA.

"The PRA supports plant activities by, provid ing information on the risk-significant areas in plant operation, -maintenance, :and design.

Operations, maintenance, inspection, and plan ning personnel can then -appropriately address these areas to control the risk at acceptable levels.

Tfhe risk-significant areas are identified by the results of the PRA. These areasare where the most attention and effort should be focused.

Several useful PRA results are, (1) dominant contributors (these indicate which failures are the largest contributors to the likelihood of accident sequences),. (2), dominant, accident. sequences (these depict the failure paths that contribute most to core damage frequency), and (3) importance

,.,.measures (these evaluate what contributes most to core damage, what would reduce the core

-damage frequency the most, and whathas the

'greatest potenitial for increasing core damage frequency should it not be as reliable as desired).

  • The major contributors to core damage by acci dent type for the NUREG-1 150 PWR and BWR

",-plants are shown in Figure 4.11-5, and the relative importance of BWR and PWR systems from NUREG-1050 are shown in Figures 4.11-6 and 4.11-7.

"USNRC Technical' Training -Centi.

4.11-9 Rev' 0196 G.E. Technology Advanced Manual

G.E. Technology Advanced Manual Technical Issues/Risk Management PRA results can be used n imnny ways during plannin'g'and operaii6nal activities at a nuclear plant. The iesults hav-e an important role in risk management, maintenafice planning, and risk-based inspections.

4.11.4.2 Configuration Management C6nfiguration management is one element of risk mahagement and' iisk-based regulation.

Configuration risk refeii to6the risk associated with a specific config'uration of the plant. A configuration usually refers to the status of a plant in which multiple components are simulta neously unavailable. The risk associated with simultaneous outages of multiple components can be much larger than that associated with single component outages. Technical 'specifications forbid outages of redundant trains within a safety system, but many other combinationsibf compo nent outages can pose significint risk. In con trolling operational risk, these configurations need to be analyzed. The configuration manage ment process can be predictive in planning maintenance activities and outage schedules, and can be retrospective in evaluating the risk signifi cance of plant events.

When a component is taken out of service for maintenance or surveillance,'it has an issociated downtime and risk: If the component is con trolled by an allowed outage time in the Technical specifications, then this downtime is limited by the allowed outage time.- Configuration manage ment involves taking measures to avoid risk

-significant configurations. It involves maniaging multiple equipment taken out of service at the same'time, the outage times of components and "systems, the availability of backup components and systems, and outage frequencies...

4.11.4.3 On-Line Maintenance frequency 6f maintenance performed during power operation: Licensees' expansion of'the on-line maintenance concept without-thorough consideration of the safety (risk) aspects raises significant concerns. The on-line maintenance concept extends the use of technical specification allowed outage tirmes beyond the random single failure in a system and a judgement of a reason able time to effect repairs upon which the allowed outage times were based. Compliance with GDC single failure criteria is demonstrated during plant licensing by assuming a worst-case single failure, which often results in multiple equipment failures. This does not imply that it is acceptable to voluntarily remove equipment from service to perform on-line maintenance on the assumption that such actions are bounded by a worst-case single failure.

A simplified qualitative model (shown graphically' in Figure 4.11-12) for evaluating risk can be thought of as including three factors combined in the following way:

Risk= Pi x m x Pc Where:

Pi = The probability of an initiating event, such as a LOCA, turbine trip, or loss of offsite power.

PM=

The probability of not being able to mitigate the event, with core damage prevention as the measure of success ful mitigation.

PC = The probability of not being able to mitigate the consequences, with containment integrity preservation as the measure of success.

Licensees are increasing the amount and USNRC Technical Training Center 4.11-10 Rev 0196 G.E. Technology Advanced Manual Technical Issues/Risk Management 4.11-10 Rev 0196

G.E. Technology, Advanced Manual Technical Issues/Risk Management The intersection of all. three occurrences (initiating event occurs +,mitigating equipment

,fails + containment fails) indicates a worst-case scenario, with core melt and subsequent radioac

- tive release to the public (a Chemobyl-type event, for example). The interkection of the initiating event and mitigating equipment failure would be Sa TMI-type event, in which there is core melt without a release. If the consequence of an event is'defined as financial loss (a viable definition),

one would, have to -say that this intersection

.represents a serious -scenario itself. Even consid ering the traditional definition of consequence (potential for-,core melt),.the intersection of an initiating event and mitigating equipment failure is of concern to the utility and to the NRC.

An effective risk-assessment process includes consideration of the impact of maintenance activities on all three of these risk factors. It also considers the impact of maintenance activities; on both safety-related and non-safety-related equip ment. Multiple or single maintenance activities that simultaneously,,or within a short time frame, impact two or more risk factors tend to increase risk the greatest. In addition, on-line mainte nance tends 'to increase component unavailabilities. With increased scheduling of maintenance during power operation, the overall impact on train unavailability, when averaged

,overa year, has in many cases increased dramati cally and in some cases to the point of invali'dat ing the assumptions licensees themselves have made in their plant-specific IPEs.

-Licensees may not have thoroughly consid ered the safety (risk) aspects of doing more on line maintenance. Some licensees have used the

ý oncept of division or train outages to ensure that

.they do not have a loss of system function.. In Sthe extreme, this could result in,al'of the equip ment in a division being out of service at a time with unexamined risk consequences, while the licensee is in literal compliance with its plant's technical specifications.

For, example, one facility that used a division' or train approach had

,,planned to take out of service the following equipment: the B AFW pump, the B Battery chaiger, the B service water~pump, the B,RHR pump, and the' B charging -pump.

Because Sredundant train equipment was available, no LCO was exceeded.

However, in the event of a Sdesign-basis,transient, such as a loss of offsite Spower precipitatedby maintenance or instrumen tation calibration activities associated with non safety-related equipment in the switchyard, the

.plant would be inma configuration with significant risk implications due to the diminished capability to remove decay heat at a high pressure. This is an example of maintenance simultaneously increasing the probability of an initiating event, in this case the loss of offsite power, and diminish ing the plant's capability to mitigate the event.

There is a clear link between effective mainte nance and safety with regard to such issues as the number of plant transients and challenges to safety systems and the associated need to maxi mize the operability, availability, and reliability of equipment important to.safety. 'In many cases, the, only plant changes needed to reduce the probability of core damage are procedure chang es. An example at one plant included staggering the quarterly tests of the station batteries to reduce the prgbability,of common-cause failures

,of the dc power supplies.

4.11.4.4 Maintenance Rule The maintenance, rule, IOCFR50.65,, be comes effective in July of1996., One objective of the rule is to mofiitor the effectiveness of maintenance activities at the plants for,safety significant plant equipment in order to minimize the likelihood of failures and events caused by the lack of effective maintenance.

Another objective of the rule is to ensure that safety is not Sdegraded when maintenance activities are per-7USNRC Technical 'Training Center

- 4.11-11 Rev 0196 G.E. Technology, Advanced Manual

ý Technical Issues/Risk Management

-USNRC Technical 'Tiaining -Cente'r S...... 4.1 -11

. 7

..... *R ev 0196

G.E.Tecnol,~y Advnce

Maual,

-Technical' Issues/Risk Mahatement formed. The role requires' all nuiclear power plant licensees to 1iionitor the effectiveness of mainte nance activities at theirfplants. The rule provides for continued emphasis on the defenke-in-depth principle by including selected balance-bf-plant (BOP) structures, s'stems, and components (SSCs); integrates risk consideration into the maintenance process; establishes an' enhanced regulatory basis for inspection and enforcement of-BOP maintenance-related issues; and gives a strengthened regulatory basis for ensuring that the progress achieved is sustained in' the future.

The' maintenance rule is a resulti-oriented, performriance-based ruie. A results-orientifd rule places a greater burden on the licensee to'develop the supporting details' needed to implement the rule, as opposed to that necessary for compliance with a traditional prescriptive, process-oriented regulation.'

The maintenance rule consists of three parts:

(1) goals and'monitorirg, (2) effective preventive maintenance, and (3) periodic evaluations and safety assessments.

The scope 'of the rule includes safety-related structures, systems, and components that are relied upon to remain fuinc tionial during and following design-basis events to ensure reactor coolint pressure boundary integrity, reactor shutdown capability, and the capability to prevent or mitigate the'consequences of accidents, and those n'on-safety-related SSCs (1) that are relied upon to mitigate accidents or transients or are used in emergency operating procedures (EOPs), (2) whoie failure could prevent safety-related SSCs from fulfilling their intended functions, or' (3) whose failure could cause a scram or safety system actuation.

The rule requires that licensees monitor the peifor'mance or condition'of certain structures, "systems and components' (SSCs) against licens ee-established goals in a' manner sufficient to provide,'easonable assurance that those SSCs will be capable of performing their intended func-tions. Such monitoring would take into account industry-wide operating experience. The extent "of monitoring may vary from system to system, depending on the contribution to risk. Some monitoring ai the component level may be neces sary; most of the monitoring could be done at the plant, system, or train level. Monitoring is not required where it' lis been' demonstrated that an appropriate preventive maintenance program'is effectively maintaining the performance of an SSC. Each licensee is required to evaluate the overall effectiveness of its maintenance activities at least every refueling cycle, again taking into' account industry-wide operating experience, and to adjust its programrns Wheire'necessary to ensu're that the prevention of failures is appropriately balanced with the minimization of unavailability of SSCs. Finally, in performing monitoring and maintenance activities, licensees should assess the total plant equipment that is out of service and determine the o*erall effect on the performance of safety functions.

In June of 1995, the NRC published a report (NUREG-1526, "Lessons Learned from Early Implemeintation of the Maintenance Rule at Nine Nuclear Power Plants") which documents methods, strengths, and weaknesses found with the implementation of the rule at nine plant sites.

These licensees implemented the rule using the guidance in NUMARC 93-01, "Industry Guide line for Monitoring the Effectiveness of Mainte nance at Nuclear Power Plants," which the NRC has endorsed iri Regulatory Guide 1.160. Most licensees were thorough in determining which SSCs are within the'scope of the rule. Some licensees incorrectly failed to classify a few fnon safety-related systems as being within the scbpe of the rule. These systems included control room annunciators', circulating water systems, reactor coolant pump vibration monitoring 'systems, extraction steam iystems, condenser air-removal systems, screen wash water systems, geneiator gas systems, and turbine lubricating oil systems.

USNRC Technical Training Center Rei 0196 4.11-12 G.E. Technology. Ad-,anced Manual.

Technical Issues/Risk Management The rule requires that reliability goals be established 'ommensurate with safety (risk). In determining which SSCs are risk significant, the typical licensee uses an expert panel consisting of a multidisciplinary team of PRA, operations, and systems experts in a working group format.- The p anel uses deterministic and operational experi Sence information to complement PRA or.IPE insights (importance measures) to establish the relative risk significance of SSCs. The risk determination is then used when setting goals and monitoring as required by the rule. The rule requires that appropriate corrective action shall be taken when the performance or condition of an SSC does not meet established goals.--- Many licensees have assigned the task of determining the root cause and developing corrective action to the responsible system engineer at the site; at some sites the expert panel participates in the process., The relative risk significance of SSCs must be reevaluated based on new information, design changes, and plant modifications.

The rule addresses preventive maintenance activities in the following manner: "adjustments shall be made where necessary to ensure that the objective of preventing failures of [SSCs]

through maintenance is appropriately, balanced against the objective of minimizing the effect of monitoring or preventive maintenance on the availability of [SSCs]." In other words, the unavailability of SSCs must be balanced with their, reliability. Various methods are being implemented by licensees to perform these evaluations. For example, unavailability and reliability can be evaluated and balanced as an

, integral part of monitoring against performance criteria, taking into account performance history, preventive maintenance activities, and out-of service times when developing the performance

-criteria.- SSCs rendered unavailable because of preventive maintenance can be trended and evaluated, and adjustments can be made where necessary to balance the unavailability with reliability. In addition,:the risk contribution associated with the unavailability of the system caused by preventive maintenance activities and the risk contribution associated with the reliability of the SSC can be calculated and then used to evaluate adjustments needed to balance the contribution from each source to ensure consis tency with PRA or IPE evaluations. A fourth

,method involves using the PRA to determine values for unavailability and reliability -which, if met,.would ensure that certain threshold core damage frequency values would not be exceeded,

'and then establish performance criteria in accor

,dance with, the.resiulting unavailability and reliability values.

The rule requires that when performing monitoring and preventive maintenance activities, an assessment of the total plant equipment that is out of service should be considered to determine the overall effect on performance.of safety functions. As expected by the results-or perfor mance-oriented nature of the rule, various meth Sods are being developed and implemented by

- licensees to fulfill this requirement. I One method

.is a matrix approach, which involves listing preanalyzed configuratiohs to supplement exist ing procedural guidance for voluntarý on-line Smaintenarice. The list of preanalyzed configura tions is developed using imlortance measures to

-rank configurations according to risk.. The equipment out-of-service-matrix.includes Spreanalyzed combinations,of, out-of-service

  • equipment. A multilevel approach is then used to either (1) permit theý concurrent activities, (2)
require further evaluation, or (3), forbid the performance of the activities in parallel. A simpli fied example of an equipment out-of-service matrix is shown in Figure 4.11-16. Although the matrix approach is simple to use, it defines a

'limited number of combinations' and ma not address all operational situations and may unnec

- essarl"y limit operational flexibility..

-USNRC Teclinical Training Center 4.11 *RevO196 G.E. Technology Advanced Manual

"* -USNRC -Teihiiiic~al -Traiining* Ce~nter A...

..11-13 "-

S.

.- Rev - 0196

G.E. Technology Advanced Manual Technical Issues/Risk Management Another method 'of monitoring the safety (risk) impact of plant 6onfiguration' involves using the plant IPE to ev'luate the changes in the core damage frequency resulting from equipment outages. In Figure 4.11I-l7, the core damage frequency was calculated for each day, based on the plant configuration that existed at the time, and plotted against time. This plant actually operated diring the charted time period more conservatively than in its IPE, since the time averaged core damage frequency, based on the actual plant configurations, 'vWas lower than the "core damage frequency calculated in accordance with the IPE methodology. The "spikes" in core damage frequeficy correspond to periods of more risk-intensive configurations. Usifig this method in the predictive mode, the analysis of changes in the core damage frequency would be'd6ne during the maintenance plannihng -and sclieduling pro cess. The maintenance schedule wouild be adjust ed to minimize significarit'spikes in the core damage frequency.

FigureI'411 1-18 is a similar examiple from a different plant. This type of configuration control analysis is also being used at some foreign plants : the basii for risk-based technical specifications. IAi Figure 4.11-19, the magnitude of the projected increase in core damage'frequency deiiehimies'th a mount of'time the plant is allowed to be in the analyzed configu ration.- For example, if the calculated increase in core damage frequency is a factor of 10 or less above the baseline,' the allowed duration in that cohfiguration is 30"days; if the calculated increase is between a factorbf 10 and a factor of 30 above the baseline, the allbwed duration is 3 days. If

.the calculated increase in core damage frequency is greater than a fac'tor of 30 above the baseline, then the configuration is not allowed.

Some licensees have implemented or are,:,

considering computer-based safety (risk) moni

'irs tfiat will calculate and display thi risk chang es associated with changes in plant configuration.

Maintenance planners using the system in the predictive mode, or operators using the system on-line in 'real time, would be required by plant procedures to take predetermined actions and/or initiate further evaluations based on the magni tude of any indicated increase in risk (decrease in safety margin) due to a change in plant configura tion or opeiating condition. In order for this type of system to be used for other than full power operating conditions, development and imple mentation of PRA, models' for shutdown plant conditions would be necessary.

4.11.4.5 Inspection of Configuration Management The processes used by the licensees to schedule and plan on-line maintenance should ensure that maintenance and testing schedules are appropriately modified to account for degraded or inoperable equipment. The following are exam ples of questions that should help to determine the opirations/maintenance level of familiarity with the process-employed by a licensee in managing its scheduled maintenance activities.

When planning on-line maintenance:

"* Does the licensee take probabilistic risk insights into account?

"* Does the licensee allow multiple train outag es?

"* How does the licensee take into account componehtand system dependencies?

"* How does the licensee assure that important combiriations 'of equipment needed 'for accident mitigaition are not unavailable at the "same time?

"* By what process does the licensee determine the procedures and testing to emphasize in minimizing component unavailability-and reducing the potential foi accident or transient initiation', including thie impact of mainte nance activities involving non-safety-related equipment?

How does the licensee determine the maxi-USNRC Technical Training Center 4.11-14 Rev 0196 Technical Issues/Risk Management G.E. Technology Advanced Manual USNRC Technical Training Center 4.11-14 Rev 0196

G.E. Technoloav Advanced Manual

- Technical Issues/Risk Management mum amount of time to allow for the mainte nance and how does it determine the risk associated with the decision?

  • At any given time, how much planned maintenance is in progress and how is it coordinated to minimize risk?

Are there occurrences of scheduled mainte nance activities that simultaneously, or within a short period of time, impact two or more of the risk factors discussed in section 4:11.4.3?

Specific.guidance and inspection require ments for mainten ance activities can be found in the NRC, Inspection Manual,, chapter 62700.

,-Attachment I contains an example of an inspec tion report that includes various items related to the inspection of risk and configuration manage ment:

S. IPE results were used to focus the inspectors' attention on 'the emergency switchgear

.ventilation, the loss of which was identified by the IPE as the initiator of the top-ranked sequence contributing to core damage fre quency (cover letter, Notice of Violation, and

-section 3.1.2 of the inspection report).

-The associated violation regarding the white control -power. light for, the emergency switchgear ventilation fans was cited against 10CFR50, Appendix B, Criterion XVI,

","Corrective Actions." -After July; 1996, this type of violation could be cited against the maintenance rule, 10CFR50.65.

Section 4.4 of the report discusses the fact that the technical specifications allow, certain configurations of plant equipment involving auxiliary feedwater:-pumps and high head safety injection pumps that could potentially place the plant in an unanalyzed condition.

This report illustrates how rigorous imple-mentation of risk-based inspection techniques and insights with regard to the plant's configura tion management and on-line maintenance prac

.tices can identify and resolve safety-significant "issues, thei~eby reducing risk and improving

,safety.

4.11.5 Summary Deterministic approaches, to. regulation consider a set of challenges to safety and deter mine how those challenges should be mitigated.

SA probabilistic approach to regulation enhances and extends the traditional deterministic approach by (1) allowing consideration of a broader set of potential challenges to safety, (2)- providing a logical means,for prioritizing these challenges based on,risk significance, and_ (3) allowing consideration of a broader set of resources to defend against these challenges.

'*,'Licensees are increasing the amount and frequency :of maintenance performed during power operation. -Licensees', expansion of the on-line maintenance concept without thoroughly considering the safety (risk) -aspects raises significant concerns. - The maintenance rule is being implemented to ensure that safety is not degraded during the performance of maintenance activities. The rule re quires -all.nuclear power plant licensees to monitor the effectiveness of maintenance activities.

The attached inspection report's content

.reinforces some of the concepts discussed in this

-,section, such as risk-informed inspections (using

,WE results to prioritize inspection activities - see section "3.1.2 of the inspection report) and maintenance rule applications (same section,

-,which discusses maintenance trending, etc), and plant configurations which are *allowed by the

.,technical specifications but put theplant in an undesirable (unsafe/unanalyzed) condition (see section 4.4 of the inspection report).

USNRC Technical Training Center 4.11-15 Rev 0196 Rev, 0196

. USNRC Technical Training Center

ý Technical Issues/Risk Management

ý G.E. Technology Advanced Manual

G.E. Technology Advanced Manual Technical Issues/Risk Mana2ement 4.11.6 References

1. "Reactor Safety Study - An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants" (WASH-1400),; NUREG 75/014, U.S. Nuclear Regulatory Commis sion, Washington, DC, October 1975.
2. "Risk Assessment Review Group Report to the U.S. Nuclear Regulatory Commission,"

NUREG/CR-0400, September 1978.

3. "Report of the President's Commission on the Accident at Three Mile' Island," J.G.

Kemeny et al., October 1979.

4. "Three Mile Island - A Report to the Com missioners and to the Public," NUREG/CR 1250, Vol. 1, January 1980.
5. "Interim Reliability Evaluation Program Procedures Guide," NUREG/CR-2728, U.S. Nuclear Regulatory Commission, Washington, DC, January 1983.'
6. "PRA Procedures' Guide," NUREG/CR 2300, U.S. Nuclear Regulatory' Commis sion, Washington, DC, January 1983.

7." "Probabilistic Risk Assessmnent Reference Document," NUREG-1050, U.S. Nuclear Regulatory Commission', Washington, DC, September 1984.

8. "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants," NUREG 1150, U.S. Nuclear Regulatory Commis sion, June 1989.
9. "Individual Plant Examination for.Severe Accident Vulnerabilities," Generic Letter No.

88-20, U.S. Nuclear Regulatory Commis sioný, Washington, DC, November 1988:

10."Fundamentals of PRA," Idaho National Engineering Laboratory, Idaho Falls, ID, January 1990.

11. "Analysis of Core Damage Frequency:

Internal Events Methodology," NUREG/CR 4550, Vol. 1, Rev. 1, SAND86-2048, Sandia National Laboratories, Albuquerque, NM, January 1990.

12. "Fault Tree Handbook," NUREG-0492, U.S. Nuclear Regulatory Commission, Washington, DC, January 198 1.
13. "Evaluation of Station Blackout Accidents at Nuclear Power Plants - Technical Findings Related to Unresolved Safety Issue A-44,"

NUREG-1032, U.S. Nuclear Regulatory Commission, Washington, DC, June 1988.

14. "Anticipated Transients Without Scram for Light Water Reactors," NUREG- 0480, Vol.

1, U.S. Nuclear Regulatory Commission, Washington, DC, April 1978.

15. "Study of the Value and Impact of Alternative Decay Heat Removal Concepts for Light Water Reactors," NUREG/CR-2883, Vol.

1,2,3, U.S. Nuclear Regulatory Commis sion, Washington, DC, June 1985.

16. "PRA Applications Program for Inspection at ANO-1," NUREG/CR-5058, U.S. Nuclear Regulatory Commission, Washington, DC, March 1988.
17. "Insights 'on Plant Specific Unique and/or Important to Safety Features Identified from 72 IPEs for 106 BWR and PWR Units,"

U2S. Nuclear Regulatory Commission, Washington, DC, July 1995.

18."Handbook of Methods for Risk-Based Analyses of Technical Specifications,"

USNRC Technical Training Center 4.11-16 Rev 0196 Rev 0196 G.E. Technology Advanced Manual-Technical Issues/Risk Management u USNRC Technical Training Center 4.11-16

NUREG/CR-6141, D~ceniber 1994.

19. "Lessons Learned from Early Implementation of The Maintenance Rule at Nine Nuclear Power Plants," NUREG-1526, U.S. Nuclear Regulatory Commission, Washington, DC, June 1995.
20. "Individual Plant Examination: Submittal Guidance," NUREG-1335, U.S. Nuclear Regulatory Commission, Washington, DC, August 1989.
21. "Perspectives on Reactor Safety," NUREG CR-6042, SAND93-0971, Sandia National Laboratories, Albuquerque, NM, March 1994.
22. NRC Inspection Report Nos. 50-334/94-24 and 50-412/94-25, November 1994.

USNRC Technical Training Center 4.11-17 Rev 0196 G.E. Technology Advanced Manual Technical Issues/Risk Management USNRC Technical Training Center 4.11-17 Rev 0196

G..Teholg AdacdMna ehialIse/kMngmn Table 4.11-1 INSIGHTS FROM REVIEW OF PLANT IPEs Insight Additional Nitrogen Supply Gas Turbine Genera tors Containment Venting Capability Additional Diesel Generators Bleed and Feed Description A backup nitrogen supply can usually reduce calculated core damage frequency (CDF) caused by loss of pneumatic power supply to important plant components such as safety/relief valves and main steam isolation valves inside containment.

Gas turbines can be an alternate ac power source to keep the plant functioning during a station blackout (SBO) or loss of offsite power (LOSP) during which even the emergency diesel genera tors (DGs) fail to start.

Containment venting can prevent core damage and provide containment overpressure protection under certain severe accident scenarios. Loss of containment heat removal has been identified in many BWR PRAs as a significant contributor to CDF. A hardened vent provides a means of removing heat from the containment, indepen dent of the RHR and plant service water sys tems.

Increased redundancy and diversity in electrical power supply systems substantially reduces the likelihood of certain accident events. Several IPEs identified the need to perform maintenance and testing of the DGs on a separate schedule using different personnel, and the need for operators to be thoroughly trained in its use.

Most PWRs have bleed and feed (once-through core cooling) capability. Bleed and feed requires high pressure injection pump(s) and PORVs.

Applicability BWR and PWR BWR and PWR BWR BWR and PWR PWR L ____________

USNRC Technical TraiDing Center 4.11-19 Rev 0196 G.E. Technology Advanced Manual Technical Issues/Risk Mana*,ement Rev 0196 USNRC Technical Training Center 4.11-19

G.E. Technology Advanced Manual Technical Issues/Risk Management Table 4.11-1 INSIGHTS FROM REVIEW OF PLANT IPEs (continued)

Cross-tying of Firewa ter System Cross-tying of Multi Unit Safety Systems (Auxiliary Feedwater, Component Cooling Water, Service Water, Control RoomHVAC, Electrical Power)

Increasing Battery Capacity to Cope with Station Blackouts Reliability of Air operated Valves vs.

Motor-o perated Valves Reactor Coolant Pump Modifications Load Shedding A residual heat removal system/firewater cross tie provides the capability for low pressure injection during most events in which normal injection systems are unavailable.

At multi-unit sites, the ability to cross-tie a safety system from the opposite unit affords additional redundancy in that system. Redundant electrical power and air supplies via cross-ties assure reliable system initiation and operation.

The majority of BWR and PWR units have 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> battery capacities. This relatively large capacity provides significant time for recovery in the event of an SBO. CDF may be reduced by increasing battery capacity for plants that have less than 8-hour battery capacities.

General data indicate that the failure probability for air-operated valves (AOVs) is lower than that for motor-operated valves. In addition, AOVs normally fail to their accident positions, reducing the vulnerability to SBO upon the loss of air or loss of power.

Loss of component cooling water and station blackout are initiators for the failures of RCP seals, which result in seal LOCAs. The use of qualified O-rings and/or durable pump seals reduces the probability of seal LOCAs.

Implementation of dc load shedding procedures may extend dc power to 14 hours1.62037e-4 days <br />0.00389 hours <br />2.314815e-5 weeks <br />5.327e-6 months <br /> or greater to cope with a station blackout.

USNRC Technical Training Center BWR and PWR Multi-unit PWRs and BWRs BWR and PWR BWR and PWR PWR BWR and PWR G.E. Technology Advanced Manual Technical Issues/Risk Management Rev 0196 4.11-21

Deterministic Analsis 9 Standard good engineering practices, calculations, and judgements Defense-In-Depth

"* Multiple fission product barriers

"* Redundancy

"* Diversity

  • Single Failure Criteria
  • Worst Case Assumptions Figure 4.11-1 Deterministic Analysis 4.11-23

Probabilistic Risk Iissessment

"* What can go wrong?

"* Likelihood?

"* Consequences?

Results

"* Dominant Contributors

"* Dominant Rccident Sequences

"* Importance Measures Figure 4.11-2 Probabilistic Risk Assessment 4.11-25

Level 1 Plant and System Design Data

.Loss of Power

-TurbineTrip

-Steam Break

  • External Events

.Farthquake

-Flooding Accident Initiators 0

Event Tree F

A CB

)

V F

  • I o

I FAt2 I

I-A Il FI Fault Tree Level 2 A

Release Categories rc FA FAC FD 10E-1 10E-2 10E-3 1OE-4 1OE-5 10E-6 1OE-7 R

DIs I

Release Description Level 3 1OEl 10E3 10ES Consequences Figure 4.11-3 Elements of PRA 0

I-..

Valve Valve Valve valve Valve

history 1975 Reactor Safety Study (WRSH-1400) 1980 Severe Accident Risks: An Assessment An Assessment for Five U.S. Nuclear Power Plants (NUREG-1150) 1985 Severe Accident Policy 1988 Individual Plant Examination (IPE) Program (Generic Letter 88-20) 1993 Evaluation of Potential Severe Accidents During Low Power and Shutdown Operations (NUREG-6143)

Figure 4.11-4 Historical Perspective 4.11-29

CCW-SEAL STATION

~BLACKOUT AT A1W S

STATION AW BLACKOUT INT S LOC*

TRANSIEN SEQUOYAH SW-SEAL LOCA ZION STATION BLACKOUT SURRY LOCA A S STATION BLACKOUT TRANS1!

ATWS(

GRAND GULF PEACH BOTTOM Figure 4.11-5 Major Contributors To Core Damage By Accident Types 4.11-31 SGTR INT SYS LOCA 1094

BWR SYSTEMS SWs PCS RPS HPCI LPCI S/R-VALVE EMERGENCY AC ADS FEEDWATER SYS RHRS RCIC DC POWER LPCS

-,A (jo I I I I I I I I I I I I I I 11111 So I

Minimum Maximum Relative Relative Importance Imporance Relative Importance 0

d<

0 0

=

o 0

I I 1 101 1 1t I

I I I II I1I I

I I I 111I1 10-2 10'1 Relative importance of BWR Systems considering dominant accident sequences from 15 PRAs Source NuReg-1050 Figure 4.11-6 Relative Importance Factors (0

I I I I I 1111 I

I I

I I

I Ac 10"3

SS1S I

I I "1"1111 1 11"11"'11 1

11111111 SYSTEMS Minlmum Maximum AFWS Relatve Relative Importance importance HPRS 0

0 Average Relative PCs Importance 0

DC 0

HPIS 0

CSIS

<0 sws 0~

EMERGENCY AC 0

U.

RHRS 0

RPS 0

I PORV 0<

LPRS 0

LPSI 0

ESAD 0

SUMP I

I103 10"2 10-1 Relative Importance of PWR Systems considering Source NuReg-1oso dominant accident sequences from 15 PRAs Figure 4.11-7 Relative Importance Factors

Risk-Based Regulation H regulatory approach in which insights deriued from PRA are used in combination with deterministic and engineering analyses to focus licensee and regulatory attention on issues commensurate with their importance to safety.

ATWS Rule IOCFR58.62)

Auxiliary Feedwater System Reliability Blackout Rule (IOCFR5O.63)

Backfit ( OCFR5O.109) 0 Risk-Based Inspection Figure 4.11-8 Risk Based Regulation 4.11-37

PRA Policy Statement (August 16, 1995)

Increased use of PRA in reactor regulatory matters should be implemented to the extent supported by state of the art in PRA methods and data and in a manner that complements the NRC's deterministic approach and supports the NRC's traditional defense-in-depth philosophy.

PRA1 should be used to reduce unnecessary conservatism associated with current regulatory requirements. Where appropriate, PRA should be used to support additional regulatory requirements.

PRA evaluations in support of regulatory decisions should be as realistic as possible and appropriate supporting data should be publicly available.

Uncertainties in PRA evaluations need to be considered in applying the Commission's safety goals for nuclear power plants.

Figure 4.11-9 PRA Policy Statement 4.11-39

PRA Implemeiuation Plan Rgency-Wide Plan to Implement the PRA Policy Statement Includes both on-going and new PRA related activities

"* Encourages risk-based initiatiues from licensees PRR Applications

"* Graded Quality Assurance

"* Inseruice Testing

"* Inseruice Inspection

"* Technical Specifications

"* Maintenance Rule

"* IPE Insights

"* Reliability Data Rule (proposed)

Figure 4.11-10 PRA Implementation Plan 4.11-41

Risk Management A means of prioritizing resources and concerns to control the level of safety (risk).

Configuration Management Managing the configuration of level of safety (risk).

plant systems to control the Figure 4.11-11 Risk and Configuration Management - Definitions 4.11-43

0196-X RISK MANAGEMENT FACTORS Risk = Pi X Pm Figure 4.11-12 Risk Management Factors 4.11-45 xPc

Maintenance Rule (10CFR5O.65)

Effective July 1996 Overall objective of rule is to monitor the effectiveness of maintenance activities...for safety significant plant equipment...in order to minimize the likelihood...of failures and events...caused by the lack of effective maintenance.

"* 6oals and Monitoring

"* Effective Preventive Maintenance

"* Periodic Evaluations and Safety Assessments.

Figure 4.11-13 Maintenance Rule - Objectives 4.11-47

Scope Safety-related structures, systems, and components that are relied upon to remain functional during and following design basis events to ensure RCS pressure boundary integrity, reactor shutdown capability, safe shutdown capability, and the capability to prevent or mitigate the consequences of accidents non-safety-related SSCs (1) that are relied upon to mitigate accidents or transients or are used in emergency operating procedures (EOPs),

(2) whose failure could prevent safety-related SSCs from fulfilling their intended functions, or (3) whose failure could cause a scram or safety system actuation.

Figure 4.11-14 Maintenance Rule - Scope 4.11-49

Configuration Risk Munitoring Methods Matrix approach (pre-analyzed configurations) 0 CDF impact analysis Safety (risk) monitor Figure 4.11-15 Configuration Risk Monitoring Methods 4.11-51

I RCC ILPCI A JLPCI B ICS A CS B INJ I

I II I

IA ALT INJ ICOND ICOND IFW STA BTR IB BSTR PMPS PMPS CHGR I

I

' PM Not Allowed:

Risk Eval Reqd &

TS LCO

<1 2 hrs Ops Mgr OK Reqd Or Very High Risk ALT INJ A

I t

L.

I 1

4 4

4 ALT B

INJ COND BSTR TSLCO<7 Or Medium Ops Mgr days Risk OK Reqd I

t

4.

4 4

COND PMPS 1

FW PMPS STA BAT CHGR TS LCO-, 7

-nd Risk Ops Supv days Low OK Reqd LI I

DG BAT CHGR Figure 4.11-16 Preventive Maintenance Equipment Out-Of-Service Matrix 4.11-53 I I..

HPCI h

1.OOE 1-,

-S UIn 0

1.OOE-04 +

4.40E-05 2.60E-05 1.60E-05 -*

New CDF 44-.......................

r

\\I 11 ItUl11 TiJIJXL..

I1 lh II I A.

Il I

III IT1AIl I

IpI~

dIA7 Ai I

M I,

,, l

.I, l,,,,, I,, l, 0'.....

l'o,0' m.......

0.........

-- iQ

-- 6 m-W c

CJ t

C04~C

,izi:ýý9ý 9;

0

,n

-L

-4 U) 01 0 Co Baseline A

IPE 0

New Average CDF II I

I Ljýjlq I-I f IN Uý-h

0196-X UNIT 2 INSTANTANEOUS RISK GRAPH 2.OOE-04 1.50E-04 U

a, S1.OOE-04 Im ca E

0 o5.OOE-05 O.OOE+O0 (A)

(B)

(C)

(D)

(E)

(F)

(G)

(H)

Emergency Chilled Water Pump P162 Control Transformer Replacement Train B Cold Leg Injection Valves 2HV9329/HV9323 Transformer Replacement Train B Cold Leg Injection Valves 2HV9326/HV9332 Transformer Replacement Diesel Generator 2G003 Annual Maintenance and HPSI 2P019 Preventive Maint.

Diesel Generator 2G003 Annual Maintenance and SWC 2P1 14 Preventive Maint.

AFW Pump P141 Preventive Maintenance AFW Pump P141 Preventive Maintenance and PPS Testing Diesel Generator 2G002 Annual Maintenance and SWC 2P1 12 Preventive Maint.

Core damage frequency (CDF) calculated for Mode 1 operations only.

Average CDF for 3 month period = 2.4E-05/yr.

Figure 4.11-18 Risk Monitoring Predictive 4.11-57 G

FJ A

DF H

B C Gc I

S..%

FOREIGN REACTOR RISK PROFILE 200 300 I-Cumulative Target Lifetime Cumulative Average I

12 Month Cumulative Average Point Actual 400 DAYS 0

35 "211 (0

t-,

Co

":13 a

(10 oC,

1 CO CD CD 0

(31 CDo I

30 e

25 C.)

20 15 10 en 0r 5

Factor of 10 100

- NRC Inspection Report Nos. 50-334/94-24 AND 50-412/94-25 Chapter 4.11 Risk Management

ENCLOSUREI1 NOTICE OF VIOLATION Duquesne Light Company Docket Nos.,50-412 Beaver ValleyPower Station, Unit 2

-License Nos. NPF-73, During an NRC inspection conducted between October 11 and Novemberff14, 1994, one violation of NRC requirements was identified.

In accordance with the'

" '"General -Statement of Policy and Procedure for NRC Enforcement Actions,"

10 CFR.Part 2, Appendix C, the violation is listed below:

"10 CFR Part 50, Appendix B, Criterion XVI, "Corrective Actions," states,'

" in 'part', that'measures'shall be established to assu re that conditions adverse to quality, such as failures, malfunctions,'deficiencies, deviations, defective material and -equipment, and.non-conformances are promptly identified and corrected.

Contrary to the above; as of October 21,- 1994, established measures did not assure that' conditions adverse to quality were promptly identified and corrected.

Specifically, the investigations'of an-unusually dim white control power light for emergency switchgear ventilation fans ; -,

'-2HVZ-FN261A on October 30, 1993, and 2HVZ-FN261B on September 24, 1994, failed to identify-that the standby fan would not start if called upon following'the loss of the running fan except when started by'the

.emergency diesel sequencer. -Equipment maintenance history was not used,

"'-to identify"that:a'trend of similar problem descriptions of'a" dim white

"-'control power light has existed since -1989.

This is-a Severity Level IV violation (Supplement-I).

,Pursuant to the provisions of 10 CFR 2.201, Duquesne Light Co4ipany'is hereby

.,requiredto* suimit'a'written statement or explanation'to'the U.S. Nuclear Regulatory Commission,' ATTN:'

Document Control Desk, Washington,, D.C 20555 with'a copy to the'Regional'Administrator, Region I, and a copy to the NRC Resident Inspector at the facility that is the subject'of this Notice,.within

-30 days of the date 'of the letter transmitting this Notice ofViolation..

94-25-01. -*This reply should'beclearly marked as a "Reply-toa Notice of Violation", and should include'for 'each violation' (1)-thedeIas'on for the' violation,' or, if'contested, the basis for disputing'the violation, (2)' the K correftive 'steps that have'been taken and-the'results acliieved, (3) the-'

"corrective steps that will be taken to avoid further violations, and (4) the date when full compliance will be achieved: 'If an adequate reply is not received withinthe time specified in this Notice, an order or a Demand for Information maybe.issued to~showcause why the license should not be modified, suspended, or-revoked,' or why such other action as may'be proper'

  • "should'not be taken.3" Where good cause is shown, consideration will be given to extending'the response time.

Dates at King of Prussia." PennSylvania

,.this 29th day of November, 1994

G.E. Technology Advanced Manual Emergency Action Levels in developing their EAL scheme but may not use portions of both methodologies." The staff stated in Emergency Preparedness Position on Acceptable Deviations from Appendix 1 of NUREG-0654 based upon the Staff's regulatory analysis of NUMARC/NESP-007 that it -recognizes that licensees who continue to use EALs based upon NUREG-0654 could benefit from the technical basis from EALs provided in NUMARCJNESP-007.

However, the staff also recognized that the classification scheme must, remain internally consistent. Likewise, Licensees can benefit from guidance provided in NEI 99-01 without revising their entire EAL scheme. This is particularly true in regard to adopting guidance on EALs for cold shutdown and refueling modes of operation or for Independent Fuel Storage facilities. However, the licensee still needs to ensure that its EAL scheme remains internally consistent.

4.12.3 NUREG-0654 NUREG-0654/FEMA-REP-1 was published to provide a common reference and guidance source for:

" Nuclear facility operators as well as State and local governments in the development of radiological emergency response plans and preparedness in, support of nuclear power plants.

"* Federal Emergency management Agency (FEMA), Nuclear Regulatory Commission (NRC), and other Federal agency personnel engaged in the review of State and, Local' government and licensee plans and preparedness.

"* FEMA, NRC and other Federal agencies in the development ' of the National Radiological Emergency Plan.

NUREG-0654/FEMA-REP-1 was prepared as part of their responsibilities under the Atomic Energy Act, as amended, and the President's Statement of December 7, 1979, with the accompanying Fact Sheet. The responsibilities include development and promulgation of guidance to nuclear facility operators, State and local governments, in cooperation with other Federal agencies. The guidance included preparation of radiological emergency response plans and assessing the adequacy of such plans.

4.12.3.1 NUREG-0654/FEMA-REP-1, Appendix-1 Appendix 1 of NUREG-0654/FEMA-REP-1, contains the Emergency Action Level Guidelines for Nuclear Power Piants. Within Appendix 1 four classes of Emergency Classification Levels (EAL) are established:

"* Notification of Unusual Event

"* Alert

"* Site Area Emergency

"* General Emergency A graduation is provided to assure fuller response preparations for more serious indicators.

The rationale for the notification and alert classes is to provide early and prompt notification of minor events which lead to more serious, consequences given operator error or equipment failure or which might be indicative of more serious conditions which are not yet realized. The site area emergency class reflects conditions' where some significant releases are likely or are occurring but where a core melt situation is not indicated based on current information. In this. situation full mobilization of emergenicy personnel in the near site environs is indicated as well 'as dispatch of monitoring teams and associated-communications. Thed"general emergency: class-involves actual or. imminent substantial core degradation or core melting with potential for loss of containment. The immediate action for this, class is sheltering (staying inside) rather than evacuation until assessment can be made that (1) an evacuation is indicated 'and' (2) an evacuation, if indicated, can be compieted prior to significant release and transport of radioactive material to the affected areas.

Facility licensees have primary responfsibility for accident assessment. This includes prompt action to evaluate any potential risk to the public Rev 0601 USNRC Technical Training Center Emergency Action Levels G.E. Technology Advanced Manual 4.12-2

inspections, the NRCwill determine whether 'further NRC enforcement action is necessary to 'ensure compliance with NRC regulatory requirements.

-In-accordance with 10 CFR 2.790 of the NRC's -"Rules of Practice," a copy of this letter, its enclosures, and your response will be placed in the NRC

-. Public Document Room.

Accordingly, your response..should not,' to the extent possible, include any personal privacy, proprietary, or'safeguards'information so that it can be released to the public and placed in the'NRCPublic Document Room.

The responses -directed by this letter, and the enclosed Notice are not subject to the clearance procedures of the Office of Management and Budget as required by the Paperwork, Reduction Act of 1980, Pub. L. No. 96.511.'

Your cooperation with us is':appreciated.

Sincerely, Original Signed By:"

James C. Linville,' Chief Projects Branch No. 3

-Division of. Reactor Projects Docket Nos. 50-334; 50-412

Enclosures:

1. -

Notice of Violation

2.

NRC Inspection Report Nos. 50-334/94-24 and 50-412/94-25 66lendls:,

'G. S. Thomas,; Vice President, Nucleair Services T. P. Noonan, President,;Nuclear Operations L. R. Freeland, General Manager, Nuclear Operations Unit K. D. Grada, Manager, Quality Services Unit-,

N. R. Tonet, Manager, Nuclear Safety Department H. R. Caldwell, General Superintendent, Nuclear. Operations K. Abraham, PAO (2 copies)

Public Document-Room (PDR)

Local PublicDocument Room.(LPDR)

_..Nuclear Safety Information Center,(NSIC)'

NRC Resident Inspector,.*

Commonwealth of Pennsylvania.

State of Ohione r J

Emergency Action Levels G.E. Technology" Advanced Manual which technical specifications are exceeded and the capability of licensed operators to gain control and bring the indicators back to safe levels. Event-based ICs and EALs refer to discrete occurrences with potential safety significance such as a fire or severe weather. Barrier-based ICs and EALs utilize indications of the level of challenge to the principal barriers used to assure containment of radioactive materials within a nuclear plant. For the most important type of radioactive material, i.e., fission products, there are three principal barriers:

0 S

0 Fuel cladding Reactor coolant system boundary Containment In the NUMARC/NESP-007 methodology, the operating modes (power operation, startup, hot standby, hot shutdown, cold shutdown, refueling, and defueled) to which individual ICs apply are specified. As a plant moves from power operation through the decay heat removal process toward cold shutdown and refueling, barriers to the release of fission products may be reduced, instrumentation to detect symptoms may not be fully effective and partially disabling of safety systems may be permitted by technical specifications. For such operations, ICs and EALs tend to be event-based rather than symptom-based.

The ICs and EALs are divided into four "recognition categories" in NUMARC/NESP-007:

"* A-Abnormal Rad Levels/Radiological Effluent

", F-Fission Product Barrier Degradation

"* H - Hazards or Other Conditions Affecting Plant Safety

"* S-System Malfunction For recognition categories A, H, and S, ICs and associated EALs are developed for each emergency classification level. For these recognition categories, ICs are identified by a three character acronym. For example, AU2 is the second Unusual Event IC in the Abnormal Radiation Level recognition category and SS3 is the third Site Area Emergency IC in the System Malfunction recognition category.

For recognition category F, there are three ICs:

1.

Loss or potential loss of the fuel clad barrier, and

2.

Loss or potential loss of the RCS barrier.

3.

Loss or potential loss of the containment barrier.

The EALs for each of these ICs depend on whether the reactor is a PWR or BWR. The emergency condition level is a function of the number (and extent) of fission product barrier degradation, as indicated below:

UNUSUAL EVENT Any loss or potential loss of containment ALERT Any loss or any potential loss of either fuel clad or RCS SITE AREA EMERGENCY Loss of both fuel clad and RCS; or POtential loss of either; or Potential loss of either. and loss of any additional barrier GENERAL EMERGENCY Loss of two barriers and potential loss of the third bamer Table 4.12-6 provides an example of an emergency action level (EBD-S) bases document for system malfunction category SU5. The acronym SU5 is the fifth Unusual Event IC in the System Malfunction recognition category.

4.12.5 NEI 99-01, (NMRCINESP-007-Rev. 4)

Revision 4 to NUMARCINESP-007 (NEI 99

01) presents the methodology for development of emergency action levels as an alternative to NRC/FEMA guidelines contained in Appendix 1 of NUREG-0654/FEMA-REP-1, Rev.2 "Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of nuclear Power Plants, "October 1980 and 10 CFR 50.47 (a)(4).

Revision 4

of NUMARCINESP-007 enhances Revision 3 (NEI 97-03) by considering the system malfunction initiating conditions and example emergency action levels which address conditions that maybe 4.124 Rev 0601 USNRC Technical Training Center G.E. Technology Advanced Manual Rev 0601 4.12-4

.9 -9 EXECUTIVE

SUMMARY

Beaver Valley Power Station Report Nos. 50-334/94-24 & 50-412/94-25 Plant Operations Good operator performance was demonstrated during response to 'a loss"6fý pressure in the control room temperature control air system, and to a blown fuse in the Unit 1 solid state protection system.

Troubleshooting of a decrease in vacuum on the 2-1 emergency diesel generator was.well planned land documented.

Operators at Unit I demonstrated a strong questioning attitude.

when they identified a potential relationship between an out-of-service quench spray pump and net positive suction head tothe recirculation spray pumps.

However, the recirculation spray pumps were unnecessarily removed from service' before it was determined that one quench spray pump-will ensure adequate net positive suction head.

Maintenance An unusually dim control power light for emergency sswitchg6'ar ventilation fans led to identification of a deficiency with the-control circuitry.' -

I _

Specifically, if the running fan was to fail for any reason, the standby fan'.

could not auto-start or be manually started without first placing the failed fan control switch in "pull to lock" unless sequenced on by the emergency diesel sequencer.

Previous troubleshooting efforts did not identify or correct this problem, and maintenance history trending was not used to identify the need for additional investigations of this control circuitry despite a history of work requests with a similar problem description.

Additionally, operations and maintenance personnel, and the system engineer, were unaware that the licensee's Individual Plant Examination identified the loss of emergency switchgear ventilation as the top ranked initiating sequence contributing to core damage frequency.

The failure to promptly identify the emergency switchgear ventilation control circuitry deficiency is a violation of 10 CFR 50, Appendix B, Criterion XVI, "Corrective Actions."

Operations personnel re-identified a previous deficiency associated with the SLCRS system that had not been repaired for almost three years.

Good management attention has been subsequently focused on the timely repair of this deficiency.

Test data showed that the system still would have performed its function.

Corrective actions to address problems with the diesel speed sensing circuit and the rod control system were also appropriate.

Engineerngj The licensee continued to demonstrate leadership in'the nuclear industry through the identification of significant generic issues.

Specifically, the licensee identified an AMSAC design deficiency which would have made the system inoperable if feedwater flow on one channel was outside its normal band, and issued a 10 CFR Part 21 notification concerning an anomaly with the test circuits on the Unit I solid state protection system.

The AMSAC issue is still under evaluation for Part 21 applicability.

ii

Development for Emergency Action Levels" Nuclear Energy Institute (NEI) submitted NEI 99-01, Methodology for Development of Emergency Action Levels Onsite and Offsite emergency response plans must meet the standards that are listed in 10 CFR 50.47 in order for the staff to-make a positive finding that there is reasonable assurance that adequate protective measures can and will be taken in the event of a radiological, emergency. One of these standards, 10 CFR 50.47(b)(4), pertains to the development of emergency classification and.

actions level scheme.Section IV", Content of Emergency Plans", of Appendix E to 10 CFR Part 50 also contains requirements for the development and review of EALs.

USNRC Technical Training Center G.E. Technology Advanced Manual Emergency Action Levels 4.12-6 Rev 0601

TABLE OF CONTENTS EXECUTIVE

SUMMARY

ii TABLE OF CONTENTS.........................................................

iv 1.0 MAJOR FACILITY ACTIVITIES...........................................

1 2.0 PLANT 2.1 2.2 2.3 2.4 2.5 OPERATIONS (71707).............................................

Operational Safety Verification...............................

Loss of Control Room Temperature Control Air Pressure.........

Unit 1 Quench Spray Pump Maintenance...........................

Operator Response to Unit I Solid State Protection System.....

Unit 2 Emergency Diesel Generator Troubleshooting.............

3.0 MAINTENANCE (62703, 61726, 71707)...................................

3.1 Maintenance Observations.......................................

3.1.1 Unit 2 Rod Control.......................................

3.1.2 Unit 2 Emergency Switchgear Ventilation.................

3.2.

Surveillance Observations.....................................

3.2.1 Supplemental Leak Collection System (SLCRS)

Duct Damage at Unit I................................

3.2.2 Unit 1 Emergency Diesel Generator Speed Sensing Circuit Failures.........................................

4.0 ENGINEERING (71707, 37551, 92903)...................................

4.1 AMSAC Design Omission.........................................

4.2 Calibration of CREBAPS Pressure Switches (Unresolved Item 50-334/94-17-01) (closed)..........................

4.3 Solid State Protection System 10 CFR Part 21 (closed)........

4.4 Auxiliary Feedwater Flow Margin...............................

5.0 PLANT 5.1 5.2 5.3 SUPPORT (71750, 71707).........................................

Radiological Controls.........................................

Security.......................................................

Housekeeping...................................................

6.0 ADMINISTRATIVE.......................................................

6.1 Preliminary Inspection Findings Exit...........................

6.2 Attendance at Exit Meetings Conducted by Region-Based Inspectors.....................................................

6.3 NRC Staff Activities...........................................

1 1

2 2

3 3

4 4 5

5 7

8 9

10 10 11 12 12 13 13 13 14 14 14 14 14 iv

2 2.2 Loss of Control Room Temperature Control Air Pressure On November 14, 1994, at 3:25 p.m., the plant operators at Unit 1 received a control room temperature control air pressure low alarm.

The air system pressure was found at 15 psig.

Normal system pressure is between 50 and 70 psig.

The alarm response procedure refers the operators to the control room emergency habitability system technical specification (3.7.7.1) and Updated Final Safety Analysis Report (UFSAR)

Section 9.13.4 "Main Control Area."

After reviewing these references, the Shift Supervisor concluded that he could not be assured of operability of the Unit I control room supply and exhaust dampers.

These dampers, VS-D-40-1A through D, have a flexible boot seal which provides for air-tight isolation of the control room during accident conditions.

The control room temperature control air system supplies air to these seals.

Consequently, at 4:10 p.m., it was identified that both Units 1 and 2 were required to enter Technical Specification 3.0.3, which requires action within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to initiate plant shutdown.

Both units were in Mode 1 and both units began preparations for plant shutdown.

The operators determined that the loss of air pressure was due to a stuck open automatic moisture blowdown valve.

The valve was isolated and the low pressure alarm cleared at 4:27 p.m.

The units exited Technical Specification 3.0.3 at 4:34 p.m.

Neither unit progressed to the point of reducing power.

The inspectors reviewed this event and concluded that the operators took appropriate response actions.

The inspectors did note that the event indicated a potential single failure vulnerability in the safety-related control room temperature control air system.

The vulnerability is "potential" because the damper seals have backup accumulators and isolation check valves which may allow the seals to work even with a loss of pressure in the rest of the system.

However, the accumulators and the check valves are apparently not tested to ensure this capability.

The licensee was still evaluating this failure vulnerability when the report period ended.

2.3 Unit I Quench Spray Pump Maintenance During a routine control room walkdown, the inspectors noted that the licensee had removed the Unit I 'A' train recirculation spray and quench spray pumps from service.

The pumps were taken out of service by a clearance for maintenance on the quench spray pump (oil leak repair).

The inspectors asked why the recirculation spray pumps were included on the clearance.

The inspectors found that the night-shift crew had a concern about net positive suction head to the recirculation spray pumps when removing a quench spray pump from service.

Some of the flow from the quench spray pumps is diverted directly to the containment sump.

This provides added cooling for the sump water to ensure adequate net positive suction head for the recirculation spray and low head safety injection pumps under all design basis conditions.

The night-shift operators were concerned that removing one quench spray pump from service, while leaving all the recirculation spray pumps in service, might leave the opposite train recirculation spray pumps without sufficient net positive suction head.

4 3.0 MAINTENANCE (62703, 61726, 71707) 3.1 Maintenance Observations The inspectors reviewed selected maintenance activities to assure that: the activity did not violate Technical Specification Limiting Conditions for Operation and that redundant components were operable; required approvals and releases had been obtained prior to commencing work; procedures used for the task were adequate and work was within the skills of the trade; activities were accomplished by qualified personnel; radiological and fire prevention controls were adequate and implemented; OC hold points were established where required and observed; and equipment was properly tested and returned to service.

The maintenance work requests (MWRs) listed below were observed and reviewed.

Unless otherwise indicated, the activities observed and reviewed were properly conducted.

MWR 035464 No. 2 EDG Jacket Water Pressure Alarm Troubleshoot and Repair See Section 3.2.2 of this report.

MWR 036230 Troubleshoot and Repair SSPS Alarms On November 4, 1994, plant operators at Unit 1 received several intermittent alarms and indications associated with the solid state protection system (SSPS).

The intermittent nature of the alarms told the operators that the problem was associated with only one channel of the SSPS (because of the multiplexing arrangement, a problem with only one channel of the SSPS will cause the indications to flash in and out).

The problem was quickly isolated to a blown fuse in channel I of train 'B' in the SSPS.

The inspectors observed the licensee's efforts to verify and replace the fuse.

The inspectors observed excellent coordination between the operations and maintenance personnel.

Part of the maintenance included removing power from the affected channel of the SSPS.

This evolution was very thoroughly researched and briefed.

The Unit 1 Operations Manager reminded everyone of the importance of self-checking, and the pitfalls of haste.

This was particularly appropriate since the plant entered a 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> Technical Specification action statement.

MWR 036371 Troubleshoot and Repair SSPS Intermittent Alarms MWR 035759 Investigate Emergency Switchgear Ventilation Relay 162-HVZBB MWR 036084 Emergency Switchgear Ventilation Fan 2HVZ-FN261A Troubleshooting MWR 036084 Emergency Switchgear Ventilation Fan 2HVZ-FN261B Troubleshooting MWR 036447 Blocking Diode Installation Per DCP 2124 MWRs 035759, 036084, 036084, and 036477 are discussed in Section 3.1.2.

6 162-HVZBB energized with the fan in a standby condition.

The inspectors and licensee personnel physically verified that this relay was indeed energized.

This relay should be de-energized when the fan is in standby.

The consequence of this relay being energized is that fan 2HVZ-FN261B will not auto-start as designed upon loss of the 'A' train fan.

Operators would also be unable to manually start the 'B' fan since relay 162-HVZBB is maintaining the "anti pump" and trip coils of the fan breaker energized.

The inspectors observed various fan manipulations which verified that the 'B' fan would not auto start if a very dim white-light condition existed.

It was possible to clear this locked-up relay and obtain a normal white control power light by first placing the control switch in "pull to lock," then back to auto.

Some operators knew of this condition and considered it to be a "workaround."

Current operating and alarm response procedures (fan auto-stop and high switchgear area temperature) did not specify the need for this control switch manipulation upon failure of the running fan.

Further review of the fan start circuitry with relay personnel determined that both trains of fans would properly auto start with the emergency diesel sequencer if called upon during a loss of power to the respective emergency bus.

The inspectors reviewed the maintenance history (since 1993) for both trains of emergency switch gear supply ventilation fans and noted that three recent MWRs were generated to investigate the dim white light condition.

Each MWR is summarized below:

MWR 015912 was opened on January 14, 1993, and worked on October 10, 1993, to investigate the dim white control power light for fan 2HVZ-FN261A.

Since the control switch was in pull to lock during this maintenance, no problems were found and post maintenance testing verified proper fan operation.

MWR 032143 was opened on June 11, 1994, to investigate the dim white control power light for fan 2HVZ-FN261A.

This MWR was scheduled to be worked during the upcoming refueling outage.

MWR 35001 was opened September 24, 1994, to investigate relay 162-HVZBB following observation of a dim white control power light.

This MWR was voided the same day by the Nuclear Shift Supervisor who was subsequently able to auto start both trains of fans by first placing the control switch in "pull to lock."

The shift supervisor attributed this condition to "system design, not equipment deficiency."

However, no additional follow-up action was pursued.

To eliminate the sneak circuit path, Design Change 2124 has been implemented to install a blocking diode which will allow relays 162-HVZAB/BB to drop out as required with the fans in standby.

The licensee's troubleshooting, as found testing, design change implementation, and post-modification testing during this inspection period were considered by the inspectors to be thorough and adequate to preclude future auto-start circuitry problems.

8 3.2.

Surveillance Observations The inspectors witnessed/reviewed selected surveillance tests to determine whether properly approved procedures were in use, details were adequate, test instrumentation was properly calibrated and used, technical specifications were satisfied, testing was performed by qualified personnel, and test results satisfied acceptance criteria or were properly dispositioned.

The operational surveillance tests (OSTs),

loop-calibration procedures (LCPs),

and relay calibration procedures (RCPs) listed below were observed and reviewed.

Unless otherwise indicated, the activities observed and reviewed were properly conducted without any notable deficiencies.

OST 1.43.6 Containment High Range Monitors Functional Test OST 1.43.7 Noble Gas Monitor Functional Test OST 2.47.1 Containment Airlock Test LCP-2-44F-P21B Emergency Switchgear Area Supply Pressure Loop Calibration 1/2RCP-30A-PC Calibration of ATC and Agastat Timing Relays 3.2.1 Supplemental Leak Collection System (SLCRS)

Duct Damage at Unit 1 On October 16, 1994, the licensee's Operations Department identified some large holes (several square feet in area) in the SLCRS duct leading to the Unit 1 waste gas storage vault.

The licensee also recognized that the deficiency had an outstanding maintenance work request (MWR) that was written in October of 1991.

The function of this part of the SLCRS is to maintain a negative pressure on the waste gas storage vault, in order to reduce the magnitude of a radioactive release from a leak in one of the waste gas storage tanks.

Any release from the waste gas storage tanks would also be changed to an elevated (vice a ground) release because of the SLCRS.

The inspectors reviewed this issue to determine why the licensee had not repaired the damaged duct after almost 3 years, and to evaluate the impact of the damaged duct on the performance of the SLCRS.

The original MWR was categorized as a Priority 2 (urgent/highly desirable),

but was downgraded the day after it was written to a Priority 3 (expedite/desirable).

The deficiency was not repaired immediately because proper work instructions were not readily available for the repair.

Construction maintenance personnel informally told the Engineering Department that they needed a Plant Installation Process Standard (PIPS) to repair the duct.

The need for the PIPS was never formally communicated to engineering management personnel, and, thus, a high priority was never given to completing this document.

The SLCRS System Engineer was aware of the deficiency, and had adequate test data to demonstrate that SLCRS would perform its design basis functions even with the hole.

The test data also showed that the condition was not degrading.

Because of the test data, the maintenance engineering and planning personnel did not place a high priority on the repair, and did not

10 The inspectors observed selected parts of the relay calibrations and the post maintenance test.

The maintenance and testing was adequately controlled.

However, the licensee was not using calibrated instrumentation to verify the relay set points during the post-maintenance test.

The post-maintenance test procedure specified using the diesel skid-mounted tachometer which is not in the licensee's calibration program.

This was pointed out by the inspectors, and the licensee obtained a calibrated stroboscope to ensure the set-points were accurate.

Because of the problems with the No.

1-2 EDG, the licensee checked the operation of the No.

1-1 EDG speed sensing relays during its next regularly scheduled surveillance test.

All of the 140 and 870 rpm relays were found slightly out of tolerance, and were adjusted prior to returning the unit to service.

The licensee has determined that the repeatability problems with the relays on the No.

1-2 EDG were due to contact corrosion.

Other licensee's with the same type of EDGs were contacted, and reported similar problems with the diesel speed sensing circuits.

The speed circuit vendor (MKS Power Systems) does not sell a safety-related version of the circuit any more because of the lack of long-term relay reliability.

The licensee is going to monitor the performance of the relays during every EDG surveillance test until the next refueling outage.

During the refueling outage, the licensee plans to replace the speed sensing circuits with newer, more reliable circuits (similar to the circuits installed at Unit 2).

The inspectors concluded that the licensee's corrective actions to address the problems with the speed sensing circuits were appropriate.

The as-found relay set-points would not have affected the operation of the EDGs under design basis conditions.

In general, deviations which would have affected EDG operability would have been noted during surveillance testing.

The 870 rpm relay which drifted below 490 rpm was also determined not to affect operability.

This relay has a close-permissive function for the EDG output breaker; however, the licensee's test data shows that the diesel will reach rated speed before the generator reaches rated output voltage.

Therefore, the voltage permissive would have prevented the EDG output breaker from closing early.

The initial actions to address the jacket water low pressure alarm could have been more aggressive.

The deficiency was allowed to exist for 4 days before anyone recognized that it might impair operability of the EDG.

The licensee's ARP for low jacket water pressure was a contributing factor to the lack of attention to the alarm.

The ARP did not consider problems with the speed sensing circuits as a possible cause, and all the verifications required by the procedure led the operators to conclude that the pressure detector had malfunctioned.

This observation was discussed with the Unit 1 Operations Manager.

The Operations Manager had already arrived at a similar conclusion and was discussing the event at licensed operator retraining.

4.0 ENGINEERING (71707, 37551, 92903) 4.1 ANSAC Design Omission At Beaver Valley Units 1 and 2, the Anticipated Transient Without Scram (ATWS)

12 4.2 Calibration of CREBAPS Pressure Switches (Unresolved Item 50-334/94-17-01) (closed)

During a routine walkdown of the control room emergency bottled air pressurization system (CREBAPS),

the inspectors noted that several pressure switches, which protect the system from an over-pressure condition, had not been calibrated since 1987.

The switches sense a high pressure condition in the piping downstream of the pressure regulators.

The licensee initiated calibration checks and an analysis of the failure modes of these switches.

The issue was identified as an unresolved item (50-334/94-17-01) pending review of the licensee's failure analysis and the calibration data.

The calibration checks showed that all of the switches would have operated as intended.

The licensee's failure modes analysis showed that failure to isolate one of the air lines on a high pressure condition would not challenge the CREBAPS or the control room pressure boundary.

However, the licensee found, through recent operating experience, that if a switch fails low, CREBAPS system operation can be degraded (the associated discharge line is disabled).

Consequently, the switches will be entered into the licensee's safety-related component calibration program.

This issue is closed.

4.3 Solid State Protection System 10 CFR Part 21 (closed)

On September 1, 1994, the Duquesne Light Company submitted a 10 CFR Part 21 report to the NRC concerning the Beaver Valley Unit I Solid State Protection System (SSPS).

The report concerned an anomaly with the train 'B' SSPS semi automatic tester.

The semi-automatic tester is used to test various logic card circuits.

The licensee found that the tester card was producing extra test pulses.

The extra pulses could prevent testing some logic combinations, which could mask a logic card failure.

This problem was discovered by the licensee during troubleshooting of an unrelated logic card failure indication.

An observant engineer noticed that the test pulse train on the input of the logic card (with the unrelated failure indication) was not correct.

The licensee found that the system clock counter for the semi-automatic tester was causing the additional pulses.

This card was replaced and train 'B' of the SSPS was successfully tested.

The Unit 1 train 'A' and the Unit 2 SSPS logic testers were also checked for proper operation, and no further problems were noted.

The licensee has initiated periodic surveillance checks to verify proper operation of all SSPS logic test circuits.

Westinghouse has issued a Nuclear Safety Advisory Letter as a result of the Duquesne Light Company findings.

The letter recommends that all utilities with Westinghouse solid state protection systems check the semi-automatic test circuits, as a minimum, during each refueling outage.

The inspectors concluded that the licensee demonstrated a strong questioning attitude in the identification of the SSPS semi-automatic tester anomaly, and took appropriate, conservative actions to report and correct the deficiency.

This 10 CFR Part 21 issue is considered closed for Beaver Valley.

14 basis.

Licensee personnel were observed to be properly implementing the radiological protection program.

5.2 Security Implementation of the physical security plan was observed in various plant areas with regard to the following:

protected area and vital area barriers were well maintained and not compromised; isolation zones were clear; personnel and vehicles entering and packages being delivered to the protected area were properly searched and access control was in accordance with approved licensee procedures; persons granted access to the site were badged to indicate whether they have unescorted access or escorted authorization; security access controls to vital areas were maintained and persons in vital areas were authorized; security posts were adequately staffed and equipped, security personnel were alert and knowledgeable regarding position requirements, and that written procedures were available; and adequate illumination was maintained.

Licensee personnel were observed to be properly implementing and following the Physical Security Plan.

5.3 Housekeeping Plant housekeeping controls were monitored, including control and storage of flammable material and other potential safety hazards.

The inspectors conducted detailed walkdowns of accessible areas of both Unit I and Unit 2.

There has been improvement in housekeeping since the last inspection period, and the inspectors have noted management attention to housekeeping.

6.0 ADMINISTRATIVE 6.1 Preliminary Inspection Findings Exit At periodic intervals during this inspection, meetings were held with senior plant management to discuss licensee activities and inspector areas of concern.

Following conclusion of the report period, the resident inspector staff conducted an exit meeting on November 16, 1994, with Beaver Valley management summarizing inspection activity and findings for this period.

6.2 Attendance at Exit Meetings Conducted by Region-Based Inspectors During this inspection period, the inspectors attended the following exit meetings:

Inspection Reporting Dates Subject Report No.

Inspector October 14, 1994 Engineering 94-22/23 R. Paolino October 14, 1994 Unit I SRO Exams 94-21 P. Bissett October 28, 1994 EDSFI Open Items 94-25/26 R. Bhatia November 10, 1994 MOV Open Items 94-23/24 F. Bower

G.E. Technology Advanced Manual Emergency Action Levels Table of Contents 4.12 Emergency Action Levels...................................................

4.12.1 Learning Objectives...................................................

4.12.2 Introduction.........................................................

4.12.3 NUREG-0654.......................................................

4.12.3.1 NUREG-0654/FEMA-REP-1, Appendix-1.........................

4.12.4 NUMARC/NESP-007 4.12.5 NEI 99-01 (NUMARC/NESP-007-Rev. 4 ).................................

4.12.6 Regulatory Guide 1.101...............................................

4.12.7 Sum mary...........................................................

1 1

1 2

2 3

4 5

5 List of Tables Table 4.12-1 Table 4.12-2 Table 4.12-3 Table 4.12-4 Table 4.12-5 Table 4.12-6 NUREG-0654/FEMA-REP-1 (NUE).......................................

7 NUREG-0654/FEMA-REP-1 (ALERT)....................................

11 NUREG-0654/FEMA-REP-1 (SAE)......................................

15 NUREG-0654/FEMA-REP-1 (GE).......................................

19 NUMARC/NESP-007 Recognition Category S.............................

23 EAL Bases Document (EBD-S).........................................

25 USNRC Technical Training Center G.E. Technology Advanced Manual Emergency Action Levels 4.12-i 0601

G.E. Technology Advanced Manual Emergency Action Levels

-4.12 Emergency Action Levels

-4.12.11Learning Objectives

1. State the purpose of the Emergency Action Levels.

, 2. Lisi the foýi Emdrgericy Classification Levels in order of severity.

3. List the four documents used to "establish Emergency Action Levels.

4.12.2 Introductionn The purpose of an Emergency Action Level (EAL) is to trigger the declaration of an emergency classification level (ECL), which, in turn, triggers a certain level of emergency response. These actions are directed toward providing information to offsite emergency response authorities and federal agencies (e.g. plant conditions, meteorological conditions, radiological field monitoring results). Licensees'

-actions to respond directly to the onsite situation are governed by emergency,operating procedures.

Emergency action levels are used by plant personnel

-in determining the appropriate ECL to declare.

- In paragraph 50.47, "Emergency Plans," of 10 CFR Part 50, "Domestic Licensing of Production

,and Utilization Facilities," paragraph (a)(1) states that no operating license for a nuclear power reactor will be issued unless a finding is made by the NRC that there -is reasonable assurance that adequate

-protective measures can and will be taken in the

-event of a radiological emergency. For operating power reactors, 10 CFR 50.54(s)(2)(ii) requires that

"-"If.. the NRC finds that the state of emergency preparedness does not provide reasonable assurance that adequate protective measures can and will be taken in the event of a radiological emergency... the Commission will determine whether the, reactor shall be shutdown until, such deficiencies -.are

-remedied.

Onsite and Offsite emergency response-plans must meet the standards that are listed in 10 CFR

50.47 in order for the staff to make a positive

-,finding that there is -reasonable assurance that

_-adequate protective measures can and will be taken in the event'of a radiological emergency. One of these standards, 10 CFR 50.47(b)(4), pertains to the

-development of ' emergency classification and actions level scheme.Section IV", Content of "Emergency Plans", of Appendix E to 10 CFR-Part 50 also contains requirements -for the development and review of EALs.

" "-Revision,- I 'to-NUREG-0654/FEMA-REP-1, "Criteria ' for' Preparation' and f'Evaluation of Radiological -Emergency -Response Plans and "Prepairedness in Support of Nuclear Power Plants,"

was published in November 1980 to provide specific acceptance criteria for complying with the

-standards setfforth in 10 CFR,50.47.-:

In January 1992, the Nuclear Utilities Management

- and Resource Council (NUMARC) issued Revision 2 of NUMARC/NESP-007, "Methodology for Development for Emergency Action Levels", which contained guidance on EAL development that accounted for lessons learned from the ten years of using the NUREG 0654 ' guidance. The, NRC stated in Revision 3 of Regulatory - Guide ' 1..01,' "that revision -' 2' of NUMARC/NESP-007 ' was 'considered' to be" an acceptable alternative to the guidance provided in NUREG-0654 for deVelopment of EALs to comply with 10"CFR 50.47 and Aipendix E to 410 CFR Part 50. In addition; the need for further guidance for developing Semergency action levels applicable in the shutdown and refueling modes of operation were identified in Revision 3 to Regulatory Guide 1.101.

On February 28, 2000, the Nuclear Energy Institute

"- (NE).submitted NEI 99-01,- Methodology for Development of Emergency Action Levels. The NEI 99-01 methodology is very "'similar to the NUMARCJNESP-007 meth6dology with guidance provided oh initial condition (IC), example EALs and a basis" for each. IC and EAL. NEI 99-01 incorporated new EAL guidance for (1) Shutdown and refueling modes of plant operation, (2) permanently defueled plants, - and '(3) 'Inadependend pent 'Fuel :Storage "Installations (ISFSIs). -

"Prior revisions to Revision 4,of Regulatory

-Guide,1.101 stated that "Licensees may use either NUREG-0654/FEMA-REP-l or NUMARC/NESP-007 USNRC Technical TVining Center G.E. Technology Advanced Manual Emergency Action Levels

-4.12-1

-* Rev 0601

G.E. Technology Advanced Manual Emergency Action Levels in developing their EAL-scheme but may not use portions of both methodologies." The staff stated in Emergency Preparedness Position on Acceptable Deviations from Appendix 1 of NUREG-0654 based "upon the Staffs regulatory analysis of NUMARCINESP-007 that it recognizes that licensees who continue to use EALs based upon NUREG-0654 could benefit from the technical basis from 'EALs provided in NUMARC/NESP-007.

However, the staff also recognized that the classification scheme must remain internally consistent. Likewise, Licensees can benefit from guidance provided in NEI 99-01 without revising their entire EAL scheme. This is particularly true in regard to adopting guidance on EALs for cold shutdown and refueling modes of operation or for Independent Fuel Storage facilities. However, the licensee'still needs to ensuie that its EAL scheme remains internally consistent.

4.12.3 NUREG-0654 NURBG-0654/FEMA-REP-lI was published to provide a common reference and guidance source for:f

"* Nuclear facility operators as, well as State and local governments in the development of radiological emergency response plans and preparedness in support of nuclear power plants.

"* Federal Emergency management Agency (FEMA), Nuclear Regulatory Commission (NRC), aiid other Federal agency personnel engaged in the review of State and, Local government and licensee plans and preparedness.

  • FEMA, NRC and other Federal agencies in the developmeit of the National Radiological Emergency Plan.

NUREG-O654/FEMA-REP-l was prepared as part of their responsibilities under the Atomic Energy Act, as amended, and the President's Statement of

-December 7, 1979, with the-accompanying Fact Sheet. The responsibilities-include development and pr6mulgation of guidance to nuclear facility 6perat6rs, State and local *governments, in cooperation with other Federal agencies. The guidance included, preparation of radiological emergency response plans and assessing the adequacy of such plans.

4.12.3.1 NUREG-0654/FEMA-REP-1, Appendix-1 Appendix 1 of NUREG-0654/FEMA-REP-1, contains the Emergency Action Level Guidelines for Nuclear Power Plants. Within Appendix 1, four classes of Emergency Classification Levels (EAL) are established:

"* Notification of Unusual Event

"* Alert

"* Site Area Emergency

"* General Emergency A graduation is provided to assure fuller response preparations for more serious indicators.

The rationale for the notification and alert classes is to provide early and prompt notification of minor events which lead to more serious consequences given operator error or equipment failure or which might be indicative of more serious* conditions which a're not yet realized. The site area emergency class reflects conditions where some significant releases are likely or are occurring but where a core melt situation is not indicated based on current information. In this situation full mobilization of emergency personnel in the near site environs is indicated'as well as'dispatch of monitoring teams and associated communications.

The general emergency' class involves actual or imminent substantial core degradation or core melting with potential for loss of containment. The immediate action for this'class is sheltering (staying inside) rather than evacuation until assessment can be made that (1) an evacuation is indicated and (2)" an evacuation, if indicated, can be completed prior to significant release and transport of radioactive material to the affected areas.

Facility licensees have primary responsibility for accident assessment. This includes prompt action to evaluate any potential risk to the public USNRC Technical Training Center Rev 0601 4.12-2

G.E. Technology Advanced Manual Emergency Action Levels health and safety, both onsite and offsite, and timely recommendations to State and local governments conceming protective measures. The criteria for identification and classification of accidents and the

-notification of offsite,agencies by the facility licensee are set forth in Appendix 1 of NUREG

-0654/FEMA-REP-1 (Tables 4.12-1...4).

Because of the potential need to take immediate action ý offsite in"' the event of a significant radiological accident, notifications to appropriate

, offsite response organizations must come directly from the facility licensee.

The response organizations which receive these, notifications should have the authority and capability to take immediate predetermined aciions based, on recommendations from the facility licensee. These actions c6uld in-clud6.prompt notification-of -the public in the offsite area, followed by advisories to

  • the puiblic in c6ertain areas to -stay inside-or, if appropriate, evacuate to predetermined relocation host areas.,

The lowest level of emergency action levels,

  • -. Notification of Unusual Events classification,, is comprised of event in progress, or which have occurred, that indicate a potential degradation of the level of safety of the station. These types of events may progress ` to 'more "severe emergency classification if they are not mitigated. No releases of radioactive material requiring offsite response or monitoring are expected unless further degradation of safety systems occurs. Examples of Notification of Unusual Events and actions for -the facility licensee as well as the State and local authorities are listed in Table 4.12-1.

. The next classification, Alert, is comprised of events in progress,, or which have occurred, that involve actual orprtentially-substantial deg*i'daiion of the safety 'level of' the station. At ý'this classification level, mirnior releases of radioactivity "Irfiay occur or may 'have oceurred.: Any releases Sexpected to be limited to small fractions of EPA Protective 'Action' Guideline exposure !levels.

"Examples of Alert events'and actions for the facility licensee as well as the State and local authorities are

-listed in Table 4.12-2.

The Site Area Emergency classification is the second highest classification. Site Area Emergency is comprised of events in progress, or which have occurred, -that involve actual* or potential major failure of plant functions needed for protection of the public. Releases are not expected to exceed EPA Protective Action Guidelines, except near the Site Boundary. Examples of Site Area Emergency events and actions for the facility licensee as well as the State and local authorities are listed in Table 4.12-3.

The highest level classification, General Emergency, is comprised of events in progress, or which have occurred, that involve, actual or imminent substantial core degradation or melting with-, a potential, for the loss of the primary containment integrity. -Release can be reasonably expected to exceed EPA Protective; Action Guideline exposure levels offsite for mor6 th'ithe immediate site area.. Examples 'of,Ge-neral Emergencies and actions for the facility licensee as well as the State and local autlhorities aie listed in "Table 4.12-4.

4.12.4 NUMARCINESP-007 The NUMARCINESP-007 was developed2 to

- replace NUREG-0654/FEMA-REP-1.

The

, ?NUMARC/NESP-007 "- methodology provides guidance on Initial Conditi6ns'(ICs) and example Emergency Action Leels (EALs), for each IC and a basis for IC and EALs. NUMARC/NESP-007 has

.tlree types of ICsand EALs:

"* Symptom based

  • Event based
  • Barrier based

-Te symptm baed EALs refer to those indicators that are measurable over a continuous spetrum,

,(e.g. core temperfti-re, coolant level, radiation meter "readings). Off-niormal readings on such indicators are sympto'ms 6f problems: Tlie"seriousniess of a symptom depends on such factors as the degree to

". USNRC Technical Training Center S-4.12-3 G.E. Technology Advanced Manual Emergency Action Levels S.....

. Rev 0601

" Emergency Action Levels G.E. Technology Advanced Manual which technical specifications are exceeded and the capability of licensed operators to gain control and bring the indicators back to safe levels. Event-based ICs and EALs refer to discrete occurrences with potential safety significance'such as a fire or severe weather.' Barrier-based ICs and EALs utilize indications of the level of challenge to the principal barriers used to assure containment of radioactive materials within a nuclear plant. For the most important type of radioactive material, i.e., fission products, there are three principal barriers:

S S

0 Fuel cladding Reactor coolant system boundary Containment In the NUMARC/NESP-007 methodology, the operating modes (power operation,' startup, hot standby, hot shutdown, cold shutdown, refueling, and defueled) to which individual ICs apply are specified. As a plant moves from power operation through the decay heat removal process toward cold shiutdown and refueling, barriers to the release of fission products may be reduced, insthimentation to detect symptoms may not be fully effective and partially disabling of safety systems may be permitted by technical specifications. For such operations, ICs and EALs tend to be event-based rather than symptom-based.

The ICs and EALs are divided into four "recognition categories" in NUMARC/NESP-007:

"* A-Abnormal Rad Levels/Radiological Effluent

"* F-Fission Product Barrier Degradation

"* H - Hazards or Other Conditions Affecting Plant Safety

"* S-System Malfunction For recognition categories A, H, and S, ICs and associated EALs are developed for each emergency claisification level. For these recognition categories, ICs are identified by a three character acronym. For ekample, AU2 is the second Unusual Event IC in the Abnormal Radiation Level recognition category and SS3 is the third Site Area Emergency IC in the System Malfunction recognition category.

UNUSUAL EVENT Any loss or potential loss of containment ALERT Any loss or any potential loss of either fuel clad or RCS SITE AREA EMERGENCY Loss of both fuel clad and RCS; or Potential loss of either; or Potential loss of either. and loss of any additional barrier GENERAL EMERGENCY Loss of two barriers and potential Iloss of the third barrier Table 4.12-6 provides an example of an emergencya'tioii level (EBD-S) bases document for system malfunction category SU5. The acronym SU5 is the fifth Unusual Event IC in the System Malfunction recognition category.

4.12.5 NEI 99-01 (NUMARC/NESP-007-Rev. 4)

Revision 4 to NUMARC/NESP-007 (NEI 99

01) presents the methodology for development of emergency action levels as an alternative to NRC/FEMA guidelines contained in Appendix 1 of NUREG-0654/FEMA-REP-1, Rev.2 "Criteria for Preparation J and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of nuclear PowerPlants, "October 1980 and 10 CFR 50.47 (a)(4).

Revision 4 of NUMARC/NESP-007 enhances Revision 3 (NEI 97-03) by considering the system malfunction initiating conditions and example emergency action levels which address conditions that maybe Rev 0601 USNRC Technical Training Center For recognition category F, there are three ICs:

1. Loss or potential loss of the fuel clad barrier, and
2.

Loss or potential loss of the RCS barrier.

3.

Loss or potential loss of the containment barrier.

The EALs for each of these ICs depend on whether the reactor is -a PWR or BWR. The emergency condition level is a function of the number (and extent) of fission product barrier degradation, as indicated below:

4.2-4

G.E. Technology Advanced Manual Emergency Action Levels postulated to occur at nuclear powerplants during plant shutdown conditions. Also included are initiating conditions and example emergency action levels that fully address conditions that may be postulated to occur at permanently Defueled Stations and Independent Spent Fuel Storage Installations.

4.12.6 Regulatory Guide 1.101 Regulatory guides are issued to describe and make available to the public such information as methods acceptable to the NRC staff for implementing specific parts of the NRC's regulations, techniques used by staff in evaluating specific problems or postulated accidents, and data needed by the NRC staff in its review of applications for permits and licenses. Regulatory guides are not substitutes for regulations, and compliance with them is not required. Methods and solutions different from those set out in the guides will be acceptable if they provide a basis for the findings requisite to the issuance or continuance of a permit or license by the commission.

Prior revisions to Regulatory Guide 1.101 (revisions 1, 2, and 3) stated that "Licensees may use either NUREG-0654/FEMA-REP-lor NUMARC/NESP-007 in developing their EAL scheme but may not use portions of both methodologies." The staff stated in, Emergency Preparedness Position on Acceptable Deviations from Appendix 1 of NUREG-0654 based upon the Staff's regulatory analysis of NUMARCJNESP-007 that it recognizes that licensees who continue to use EALs based upon NUREG-0654 could benefit from the technical basis from EALs provided in NUMARC/NESP-007.

However, the staff also recognized that the classification scheme must remain internally consistent.

The Staff is proposing a revision to Regulatory Guidel.101 whichwill endorse NEI 99-01. Licensees would be able to benefit from guidance provided in NEI 99-01 without revising their entire EAL scheme. This is particularly so in regards to adopting guidance on EALs for cold shutdown and

-1

-Rev 0601 USNRC Technical Training Center

.. 4.12-5 --....

refueling modes of operation or for Independent Fuel Storage facilities. However, the licensee needs to ensure that its EAL scheme remains, internally consistent.

4.12.7 Summary The NRC decision process for determining the nature of and level of effort for NRC responses to reactor'events or conditions that could, affect the health and 'safety of the public must include all available information.and insights regarding the affected reactor plant. 'The numerical risk estimation guidelines are not meaningful unless they, are accompanied by, an understanding of -the most 4influential assumptions and uncertainties that stand "behind them. It is the understanding (not the numerical result alone) that is intended to aid NRC inspectors-and management inI assessing, the potential degree of loss of defense-in-depth, as a input to determining the appropriate NRC response to events.

The purpose of an Emergency Action Level (EAL) is to trigger the declaration of an emergency classification level (ECL), which, in turn, triggers a certain level of emergency response. These actions are directed toward providing information to offsite emergency response authorities and federal agencies (e.g. plant conditions, meteorological conditions, radiological field monitoring results). Licensees' actions to respond directly to the onsite situation are governed by emergency operating procedures.

Emergency action levels are used by plant personnel in determining the appropriate ECL to declare.

Nuclear Power Plants write their procedures by following at least one of the three emergency response plans:

"* Revision 1 to NUREG-0654/FEMA-REP-1, "Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants,"

"* Nuclear Utilities Management and Resource Council (NUMARC) issued Revision 2 of NUMARC / NESP-007, "Methodology for Emergency Action Levels G.E. Technology Advanced Manual

G.E. Technology Advanced Manual -

Emergency Action Levels Development for Emergency Action Levels" Nuclear Energy Institute (NEI) submitted NEI 99-01, Methodology for Development of Emergency Action Levels Onsite and Offsite emergency response plans must meet the standards that are listed in 10 CFR 50.47 in order for the staff to make a positive finding that there is reasonable assurance that adequate protective measures can and will be taken in the event of a radiological emergency. One of these standards, 10 CFR 50.47(b)(4), pertains to the development of emergency classification and.

actions level scheme.Section IV", Content of Emergency Plans", of Appendix E to 10 CFR Part 50 also contains requirements for the development and review of EALs.

USNRC Technical Training Center 4.12-6 G.E. Technology Advanced Manual-Emergency Action Levels Rev 0601

G.E. Technology Advanced Manual Emergency Action Levels Table 4.12-1 NUREG 0654/FENA-REP-1 (NUE)

Class Notification of Unusual Event Class Description Unusual events are in progress or have occurred which indicate a potential degradation of the level of safety of the plant. No releases of radioactive material requiring offsite response or monitoring are expected unless further degradation of safety systems occur Licensee Actions

1. Promptly inform State and/or local offsite authorities of nature of unusual condition as soon as discovered
2. Augment on-shift resources as needed
3. Assess and respond State and/or Local Offsite Authority Actions
1. Provide fire or security assistance if requested
2. Escalate to a more severe class, if appropriate
3. Stand by until verbal closeout
4. Escalate to a more severe class, appropriate or
5. Close out with verbal summary to offsite authorities; followed by written summary within24 hours Purpose
1. Assure that the first step in any response later found to be necessary has been carried out.
2. Bring the operating staff to a state of readiness.
3. Provide systematic handling of unusual events information and decision making.

USNRC Technical Training Center 4.12.7 0101 G.E. Technology Advanced Manual Emergency Action Levels USNRC Technical Training Center 4.12-7 0101

G.E. Technology Advanced Manual Emergency Action Levels Table 4.12-1 EXAMPLE INITIATING CONDITIONS: NUE

1.

Emergency Core Cooling System (ECCS) initiated and discharge to vessel

2.

Radiological effluent technical specification limits exceeded

3.

Fuel damage indication. Examples

a. High offgas at BWR air ejector monitor (greater than 500,000 uci/sec; corresponding to 16 isotopes decayed to 30 minutes; or an increase of 100,000 uci/sec within a 30 minute time period)
b. High coolant activity sample (e.g., exceeding coolant technical specifications for iodine spike)
4.

Abnormal coolant temperature and/or pressure or abnormal fuel temperatures outside of technical specification limits

5.

Exceeding either primary/secondary leak rate technical specification or primary system leak rate technical specification

6.

Failure of a safety or relief valve in a safety related system to close following reduction of applicable pressure

7.

Loss of offsite power or loss of onsite AC power capability

8.

Loss of containment integrity requiring shutdown by technical specifications

9.

Loss of engineered safety feature or fire protection system function requiring shutdown by technical specifications (e.g., because of malfunction, personnel error or procedural inadequacy)

10.

Fire within the plant lasting more than 10 minutes

11.

Indications or alarms on process or effluent parameters not functional in control room to an extent requiring plant shutdown or other significant loss of assessment or communication capability (e.g., plant computer, Safety Parameter Display System, all meteorological instrumentation)

12.

Security threat or attempted entry or attempted sabotage

13.

Natural phenomenon being experienced or projected beyond usual levels

a.

Any earthquake felt in-plant or detected on station seismic instrumentation

b. 50 year flood or low water, tsunami, hurricane surge
c.

Any tornado on site

d.

Any hurricane

14.

Other plant conditions exist that warrant increased awareness on the part of a plant operating staff or State and/or local offsite authorities or require plant shutdown under technical specification requirements or involve other than normal controlled shutdown (e.g., cooldown rate exceeding technical specification limits, pipe cracking found during operation)

15.

Transportation of contaminated injured individual from site to offsite hospital USNRC Technical Training Center 4.12-9 Rev 0101 G.E. Technology Advanced Manual Emergency Action Levels USNRC Technical Training Center 4.12-9 Rev 0101

Table 4.12-2 NUREG 0654/FENA-REP-1 (Alert)

Class ALERT Class Description Events are in progress or have occurred which involve an actual or potential substantial degradation of the level of safety of the plant. Any releases expected to be limited to small fractions of the EPA Protective Action Guideline exposure levels.

Purpose

1.

Assure that emergency personnel are readily available to respond if situation becomes more serious or to perform confirmatory radiation monitoring if required

2.

Provide offsite authorities current status information Licensee Actions

1.

Promptly inform State and/or local authorities of alert status and reason for alert as soon as discovered

2.

Augment resources and activate on-site Technical Support Center and on-site operational support center.

Bring Emergency Operations Facility (EOF) and other key emergency personnel to standby status

3.

Assess and respond

4.

Dispatch on-site monitoring teams and associated communications

5.

Provide periodic plant status updates to offsite authorities (at least every 15 minutes)

6.

Provide Periodic meteorological assessments to offsite authorities and, if any releases are occurring, dose estimates for actual releases.

7.

Escalate to a more severe class, if appropriate

8.

Close out or recommend reduction in emergency class by verbal summary to offsite authorities followed by written summary within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> of closeout or class reduction.

State and/or Local Offsite Authority Actions I.

Provide fire or security assistance if requested

2.

Augment resources and bring primary response centers and EBS to standby status 3.

Alert to standby status key emergency personnel including monitoring teams and associated communications

4.

Provide confirmatory offsite radiation monitoring and ingestion pathway dose projections if actual releases substantially exceed technical specification limits

5.

Escalate to a more severe class, if appropriate

6.

Maintain alert status until verbal closeout or reduction of emergency class USNRC Technical Training Center 4.12-11 0101 G.E. Technolo*yv Advanced Manual Emergency Action Levels USNRC Technical Training Center 0101 4.12-11

G.E. Technology Advanced Manual Emergency Action Levels Table 4.12-2 EXAMPLE INITIATING CONDITIONS: ALERT

1. Severe loss of fuel cladding
a.

High offgas at BWR air ejector monitor (greater than 5 ci/sec; corresponding to 16 isotopes decayed 30 minutes)

b.

Very high coolant activity sample (e.g., 300 uci/cc equivalent of 1-13 1)

c.

Failed fuel monitor (PWR) indicates increase greater than 1% fuel failures within 30 minutes or 5% total fuel failures.

2.

Severe Natural phenomena being experienced or projected

a.

Earthquake greater than OBE levels

b.

Flood

c.

Any tornado striking the facility

3.

Steam line break with significant (e.g., greater than 10 gpm) primary to secondary leak rate (PWR) or MSIV malfunction causing leakage (BWR)

4. Primary coolant leak rate greater than 50 gpm
5.

Radiation levels or airborne contamination which indicate a severe degradation in the control of radioactive materials (e.g., increase of factor of 1000 in direct radiation readings within facility)

6.

Loss of offsite power and loss of all onsite AC power (see Site Area Emergency for extended loss)

7.

Loss of all onsite DC power (See Site Area Emergency for extended loss)

8.

Coolant pump seizure leading to fuel failure

9.

Complete loss of any function needed, for plant cold shutdown

10. Failure of the reactor protection system to initiate and complete a scram which brings the reactor subcritical
11. Fuel damage accident with release of radioactivity to containment or fuel handling building
12. Fire potentially affecting safety systems
13. Most or all alarms (annunciators) lost
14. Radiological effluents greater than 10 times technical specification instantaneous limits (an instantaneous rate which, if continued over 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, would result in about I mr at the site boundary under average meteorological conditions)
15. Ongoing security compromise
16. Other plant conditions exist that warrant precautionary activation of technical support center and placing near-site Emergency Operations Facility and other key emergency personnel on standby
17.

Evacuation of control room anticipated or required with control of shutdown systems established from local stations USNRC Tecluilca! Training Center 4.12-13 Rev 0101 G.E. Technology Advanced Manual Emergency Action Levels Rev 0101 USNRC Technical Training Center 4.12-13

XT. Technolov Advanced Manual4Eme3enc6Act Table 4.12-3 NUREG O654JFENA-REP-1 (SAE)

Class Site Area Emergency Class Description Events are in process or have occurred which involve actual or likely major failures of plant functions needed for protection of the public. Any releases not expected to exceed EPA Protective Action Guideline exposure levels except near site boundary.

Purpose I.

Assure that response centers are manned.

2.

Assure that monitoring teams are dispatched

3.

Assure that personnel required for evacuation of near-site areas are at duty stations if situations becomes more serious

4.

Provide consultation with offsite authorities

5.

Provide updates for the public through offsite authorities.

Licensee Actions Promptly inform State and/or local offsite authorities of site area emergency status and reason for emergency as soon as discovered.

2.

Augment resources by activating on-site Technical Support Center, on-site operational support center and near-site Emergency Operations Facility (EOF)

3.

Assess and respond.

4.

Dispatch on-site and offsite monitoring teams and associated communications 5.

Dedicate an individual for plant status updates to offsite authorities and periodic press briefing(perhaps joint with offsite authorities)

6.

Make senior technical and management staff onsite available for consultation with NRC and State on a periodic basis.

7.

Provide meteorological and dose estimates to offsite authorities for actual releases via a dedicated individual or automated data transmission.

8.

Provide release and dose projections based on available plant condition information and foreseeable contingencies.

9.

Escalate to General Emergency class, if appropriate or

10. Close out or recommend reduction in emergency class by briefing of offsite authorities at EOF and by phone followed by written summary within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> of closeout or class reduction State and/or Local Offsite Authority Actions
1.

Provide any assistance requested.

2.

If sheltering near the site is desirable, activate public notification system within at least two miles of the plant.

3.

Provide public within at least about 10 miles periodic updates on emergency status.

4.

Augment resources by activating primary response centers.

5.

Dispatch key emergency personnel including monitoring teams and associated communications.

6.

Alert to standby status other emergency personnel (e.g. those needed for evacuation) and dispatch personnel to near-site duty stations.

7.

Provide offsite monitoring results to licensee, DOE and others and jointly assess them.

8.

Continuously assess information from licensee and offsite monitoring with regard to changes to protective actions already initiated for pubhc and mobilizing evacuation resources.

9.

Recommend placing milk animals within 2 miles on stored feed and assess need to extend distance.

10. Provide press briefings, perhaps with licensee.
11. Escalate to General Emergency class, if appropriate.
12. Maintain site area emergency status until closeout or reduction of emergency class.

USNRC Technical Training Center 4.12-15 0101 Emergency Action Levels USNRC Technical Training Center 4.12-15 0101

G.E. Technology Advanced Manual Emergency Action Levels Table 4.12-3 EXAMPLE INITIATING CONDITIONS: SAE I.

Known loss of coolant accident greater than makeup pump capacity

2.

Degraded core with possible loss of coolable geometry (indicators should include instrumentation to detect inadequate core cooling, coolant activity and/or containment radioactivity levels)

3.

Rapid failure of steam generator tubes (several hundred gpm leakage) with loss of offsite power

4.

BWR steam line break outside containment without isolation

5.

Loss of offsite power and loss of onsite AC power for mote than 15 minutes

6.

Loss of all vital onsite DC power for more than 15 minutes

7.

Complete loss of any function needed for plant hot shutdown

8.

Transient requiring operation of shutdown systems with failure to scram (continued power generation but no core damage immediately evident)

9.

Major damage to spent fuel in containment or fuel handling building (e.g., large object damages fuel or water loss below fuel level)

10.

Fire compromising the functions of safety systems

12.

Most or all alarms (annunciators) lost and plant transient initiated or in progress

13. a.

Effluent monitors detect levels corresponding to greater than 50 mr/hr for 112 hourorrgreater than 500 mr/hr W.B. for two minutes (or five times these levels to the thyroid) at the site boundary for adverse meteorology

b.

These dose rates are projected based on other plant parameters (e.g., radiation level in containment with leak rate appropriate for existing containment pressure) or are measured in the environs

c.

EPA Protective Action Guidelines are projected to be exceeded outside the site boundary

14.

Imminent loss of physical control of the plant

15.

Severe natural phenomena being experienced or projected with plant not in cold shutdown

a.

Earthquake greater than SSE levels

b.

Flood, low water, tsunami, hurricane greater than design levels or failures of protection of vital equipment at lower levels C.

Sustained winds or tornadoes in excess of design levels.

16.

Other plant conditions exist that warrant activation of emergency centers and monitoring teams or a precautionary notification to the public near the site.

17.

Evacuation of control room and control of shutdown systems not established from local stations in 15 minutes.

USNRC Technical Training Center 4.12-17 Rev 0101 G.E. Technology Advanced Manual Emergency Action Levels Rev 0101 USNRC Technical Training Center 4.12-17

G.E. Technol...

Advanced Manualme.

A Table 4.12-4 NUREG 0654[FENA-REP-1 (GE)

Class General Emergency Class Description Events are in process or have occurred which involve actual or imminent substantial core degradation or melting with potential for loss of containment integrity. Releases can be reasonably expected to exceed EPA Protective Action Guideline exposure levels offsite for more that the immediate site area.

Purpose

1.

Initiate predetermined protective actions for the public.

2.

Provide continuous assessment of information from licensee and offsite organization measurements.

3.

Initiate additional measures as indicated by actual or potential releases.

4.

Provide consultation with offsite authorities.

5.

Provide updates for the public through offsite authorities.

Licensee Actions Promptly inform State and local offsite authorities of general emergency status and reason for emergency as soon as discovered (Parallel notification of State/local).

2.

Augment resources by activating on-site Technical Support Center, on-site operational support center and near-site Emergency Operations Facility (EOF).

3.

Assess and respond.

4.

Dispatch on-site and offsite monitoring teams and associated communications.

5.

Dedicate an individual for plant status updates to offsite authorities and periodic press briefing (perhaps joint with offsite authorities).

6.

Make senior technical and management staff onsite available for consultation with NRC and State on a periodic basis.

7.

Provide meteorological and dose estimates to offsite authorities for actual releases via a dedicated individual or automated data transmission.

8.

Provide release and dose projections based on available plant condition information and foreseeable contingencies.

9.

Close out or recommend reduction in emergency class by briefing of offsite authorities at EOF and by phone followed by written summary within 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> of close out or class reduction.

State and/or Local Offsite Authority Actions

1.

Provide any assistance requested.

2.

Activate immediate public notification of emergency status and provide public periodic updates.

3.

Recommend sheltering for 2 mile radius and 5 miles downwind and assess need to extend distances. Consider advisability of evacuation.

(projected time available vs.

estimated evacuation times)

4.

Augment resources by activating primary response centers.

5.

Dispatch key emergency personnel including monitoring teams and associated communications.

6.

Dispatch other emergency personnel to duty stations within 5 mile radius and alert all others to standby status.

7.

Provide offsite monitoring results to licensee, DOE and others and jointly assess them.

8.

Continuously assess information from licensee and offsite monitoring with regard to changes to protective actions already initiated for public and mobilizing evacuation resources.

9.

Recommend placing milk animals within 10 miles on stored feed and assess need to extend distance.

10.

Provide press briefings, perhaps with licensee.

11.

Maintain general emergency status until closeout or reduction of emergency class.

USNRC Technical Training Center 4.12-19 11101 Emergency Action Levels 0l10 USNRC Technical Training Center 4.12-19

G.E. Technology Advanced Manual Emergency Action Levels Table 4.12-4 EXAMPLE INITIATING CONDITIONS: GE

1. a.

Effluent monitors detect levels corresponding to 1, rem/hr W.B. or 5 rem/hr thyroid at the site boundary under actual.,meteorological conditions

b.

These dose rates are projected based on other plant parameters (e.g., radiation levels in containment with leak rate appropriate for existing containment pressure with some confi mation from effluent monitors) or are measured in the environs Note: Consider evacuation only within about 2 miles of the site boundary unless these site boundary levels are exceeded by a factor of 10 or projected to continue for 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> or EPA Protective Action Guideline exposure levels are predicted to be exceeded at longer distances

2.

Loss of 2 of 3 fission product barriers with a potential loss of 3rd barrier, (e.g., loss of primary coolant boundary, clad failure, and high potential for loss of containment)

3.

Loss of physical control of the facility Note: Consider 2 mile precautionary evacuation

4.

Other plant conditions exist, from whatever source, that make release of large amounts of radioactivity in a short time period possible, e.g., any core melt situation. See the specific PWR and BWR sequences below.

Notes:

a. For core melt sequences where significant releases from containment are not yet taking place and large amounts of fission products are not yet in the containment atmosphere, consider 2 mile precautionary evacuation. Consider 5 mile, downwind evacuation (450 to 900 sector) if large amounts of fission products (greater than gap activity) are in the containment atmosphere. Recommend sheltering in other parts of the plume exposure Emergency Planning Zone under this circumstance.
b. For core melt sequences where significant releases from containment are not yet taking place and containmentlailure leading to a direct atmospheric release is likely in the sequence but not imminent and large amounts of fission products in addition to noble gases are in the containment atmosphere, consider precautionary evacuation to 5 miles and 10 mile downwind evacuation (450 to 900 sector).
c. For core melt sequences where large amounts'of fission products other than noble gases are in the containment atmosphere and containment failure is judged imminent, recommend shelter for those areas where evacuation cannot be completed before transport of activity to that location.
d. As release information becomes available adjust these actions in accordancewith dose projections, time available to evacuate and estimated evacuation times given current conditions.
6. Example BWR Sequences
a. Transient (e.g., loss of offsite power) plus failure of requisite core shut down systems (e.g.,

scram). Could lead to core melt in several hours with containment failure likely. More severe consequences if pumps trip does not function.

b. Small or large LOCA's with failure of ECCS to perform leading to core melt degradation or melt in minutes to hours. Loss of containment integrity may be imminent.
c.

Small or large LOCA occurs and containment performance is unsuccessful affecting longer term success of the ECCS. Could lead to core degradation or melt in several hours without containment boundary.

d. Shutdown occurs but requisite decay heat removal systems (e.g., RHR) or non-safety systems heat removal means are rendered unavailable. Core degradation or melt could occur in about ten hours with subsequent containment failure.

USNRC Technical Training Center 4.12-21 Rev 0101 G.E. Technology Advanced Manual Emergency Action Levels 4.12-21 Rev 0101 USNRC Technical Training Center

G..Teholg Adicdlaul m

iecyAtonLvl Table 4.12-5 NUMARC/NESP-007 Recognition Category S System Malfunction Initiating Condition Matrix NOUE ALERT SITE AREA EMERGENCY GENERAL EMERGENCY SU1 Loss of All Offsite Power to Essential Busses for Greater Than 15 Minutes.

Modes: PO,SUHstby, Hsd SU2 Inability to reach required shutdown within technical specification limits..

Modes: PO,SUHstby, Hsd SA1 AC power capability to essential busses reduced to a single power source for greater than 15 minutes such that any additional single failure would result in station blackout.

Modes: POSUHstby, Hsd SA2 Failure of reactor protection instrumentation to complete or initiate an automatic reactor scram once a reactor protection system setpoint has been exceeded and manual scrair was successful.

Modes: PO,SUHstby SS1 Loss of All Offsite Power and Loss of All Onsite AC Power to Essential Busses.

Modes: PO,SU,Hstby, Hsd SS2 Failure of reactor protection instrumentation to complete or initiate an automatic reactor scram once a reactor protection system setpoint has been I

exceeded and manual scrarn was NOT successful.

Modes: PO,SU SG1 Prolonged Loss of Offsite Power and Prolonged Loss of All Onsite AC Power to essential Busses.

Modes: PO,SU,Hstby, Hsd SG2 Failure of reactor protection instrumentation to complete an automatic reactor scram and manual scram was NOT successful and there is indication of an L

extreme challenge to the ability to cool the core.

Modes: PO,SU SU3 UNPLANNED loss of most SA3 or all safety system annunciation or indication in the control room for greater than 15 minutes.

Modes: PO,SUHstbyHsd UNPLANNED loss of most SS3 or all safety system annunciation or indication in the control room with either (1) a SIGNIFICANT TRANSIENT in progress, or (2) Compensatory non alarming indicators are unavailable.

Inability to monitor a SIGNIFICANT TRANSIENT in Progress.

SU4 Fuel clad degradation.

Modes: PO,SUHstbyHsd SU5 RCS leakage.

Modes: PO,SU.Hstby, Hsd SA4 SA5 SU6 UNPLANNED Loss of all SA6 onsite or offsite communications capabihties.

Modes: PO,SUHstby, Hsd SU7 Inadvertent Criticality.

Modes: Hstby, Hsd SA7 USNRC Technical Training Center 4.12-23 0101 SG3 SS4 S55 SS6 SS7 SG4 SG5 SG6 SG7 G.E. Technology Advanced Manual Emergency Action Levels 0101 USNRC Technical Training Center 4.12-23

G.E. Technology Advanced Manual Emergency Action Levels Table 4.12-6 EAL BASES DOCUMENT (EBD-S)

EAL BASES DOCUMENT (EBD-S)

SYSTEMS MALFUNCTION CATEGORY SU5 RCS Leakage EVENT TYPE: Coolant Leak OPERATING MODE APPLICABILITY: Run, Startup, Hot Shutdown THRESHOLD VALUE: One of the following:

I. Unidentified or pressure boundary leakage greater than 10 gpm. OR

2. Identified leakage greater than 25 gpm. OR
3. Valid indication of Main Steamline Break.

SHOREHAM EAL INFORMATION:

EAL Threshold Values I and 2 are precursors of more serious RCS barrier challenges and are thus considered as a potential degradation of the level ofsafety ofthe plant. Thus, it is possible to be operating within Technical Specification LCO Action Statement time limits and make a declaration of an Unusual Event in accordance with these EALs. Credit for the action statement time limit should only be given when leakage exceeds technical specification limits but has not yet exceeded the Unusual Event EAL thresholds described above. In addition, indication of main steam line break has been added here as discussed inNUMAR CMethodologyforDevelopment ofEmergency Action Levels NUMARCINESP-OO7Revision 2 Questions andAnswers, June 1993, Fission Product Barier-BWR section.

This was in response to question 4 which states that the main steam line break with isolation can be classified under System Malfunctions.

Valid means that the reading is from instrumentation determined to be operable in accordance with the Technical Specifications or has been verified by other independent methods such as indications displayed on the control panels, reports from plant personnel, or radiological survey results.

Tech Spec Section 3AA coolant system leakage LCO limits are: (1) :no pressure boundary leakage, (2): @ 5 gpm unidentified leakage, (3) @ 25 gpm total leakage averaged over the previous 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period, and (4) @ 2 gpm increase in unidentified leakage within the previous 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> period in Mode

1. Total leakage is defined as the sum of identified and unidentified leakage.

USNRC Technical Training Center 4.12-25 Rev 0101 Emergency Action Levels G.E. Technology Advanced Manual Rev 0101 4.12-25 USNRC Technical Training Center

G.E. Technology Advanced Manual Emergency Action Levels Table 4.12-6 EAL BASES DOCUMENT (EBD-S)

EAL BASES DOCUMENT (EBD-S)

SYSTEMS MALFUNCTION CATEGORY The EAL Threshold Value 1 uses the generic value of 10 GPM for unidentified leakage or pressure boundary leakage. The 10 gpm value for the unidentified or pressure boundary leakage was selected as it is observable with normal control room indications. Threshold Value 2 uses identified leakage set at a higher value due to the lesser significance of identified leakage in comparison to unidentified or pressure boundary leakage.

REFERENCES:

1.Technical Specification 3.4.4, Coolant Leakage

2. Surveillance Test Procedure No. (STP) 3.0.0.0-01, Reactor Coolant System Leak Rate Calculation
3. Operating Instruction No. (01) 920, Drywell Sump System
4. Alarm Response Procedure (ARP) I C04B, Reactor Water Cleanup and Recirculation
5. Alarm Response Procedure (ARP) I C04C, Reactor Water Cleanup and Recirculation
6. UFSAR Section 5.2.5, Detection of Leakage through Reactor Coolant Pressure Boundary
7. UFSAR Section 15.6.6, Loss-of-Coolant-Accident
8. NEI Methodologyfor Development of Emergency Action Levels NUMARCINESP-007 Revision 4, May 1999 USNRC Technical Training Center 4.12-27 Rev 0101 G.E. Technology Advanced Manual Emergency Action Levels Rev 0101 USNRC Technical Training Center 4.12-27

Boiling Water Reactor GE BWR/4 Technology Advanced Manual Chapter 5.0 Transients

G.E. Technology Advanced Manual Transient Analysis/Introduction Table of Contents 5.1 RNTRODUCTION TO TRANSIENTS...............................................

1 5.1.1 Introduction..............................

1 5.1.2 Transients...............................................................

1 5.1.2.1 Normal Operational Transient......................................

1 5.1.2.2 Abnormal Operational Transient....................................

1 5.1.2.3 Emergency Operational Transient Accident...........................

2 5.1.3 Transients Analysis........................................................

2 5.1.3.1 Transient Example...............................................

3 List of Tables 5.1-1 Parameter Setpoint Aids 5

List of Figures 5.1-1 Chart Recorder 7

5.1-2 Recirculation Loop Instrumentation 9

5.1-3 M ain Steam System 11 5.1-4 Main Steam System (continued) 13 5.1-5 Feedwater System 15 5.1-6 Core Flow Summing Network...................................................

17 5.1-7 EHC System Logic............................................................

19 5.1-8 Pressure Control Spectrum......................................................

21 5.1-9 Feedwater Control System......................................................

23 5.1-10 Recirculation Flow Control Network..............................................

25 5.1-11 Power/Flow M ap..............................................................

27 USNRC Technical Training Center 5.1-i Rev 0500 Rev 0500 USNRC Technical Training Center 5.1.i

G..Tcnlogy AdacdMna1rnin nlssltouto

5.1 INTRODUCTION

TO TRANSIENTS Learning Objectives:

1.

Given a transient curve:

-At selected numbered points, explain what caused the parameter to change.

At selected numbered areas of the curve, explain why the parameter is trending in that area.

State-the cause of the transient (initiating event).

2.

- Givern a plant transient scenario, explain the

'behavior of selected plant parameters, control'systemrs, and equipment for the time' designated in the scenario.

5.1.1Introduction

  • -. During analysis and study'of th'e curves, the "student should concentrate on explaining changes in

"- various parameters -caused by 'the initiating event,

"- subsequent automatic operation of as'sociated control

'systems or systemr response to 'the event.- When explaining the identified points always'try to relate cause and effect (e.g. power changing from flow change). Don't place too much emphasis ofi isolated portions of minor deviations, in traces unless identified by the instructor.

5.1.2ý -Transients In general, the term reactor transient applies to any significant deviation from ihe normal operating "value of any of the key reactor operating parameters.

Transients may-occur as a consequence of an operator error or the malfunction or failure of 'equipment.

Operational transients are divided into three groups:

-* The followfing information is presented with normal, abnormal aid emergency., This division "the emphasis on analyzing given plant transients groups transients according to their relative severity with respect to initiating conditions, transient events,

--on plant operations and safety.

end result and conclusions. The transient curves.

contained ý'in 'this.manual -were compiled and 5.1.2.1 Normal Operational Transient analyzed by members of the NRC's Technical-Training Division. They were produced from data

'Includes' the events that take 'place during a

'-iupplied from the GE BWRI4 Simulator. Specific normal, plant startup,';shutdown, or-load change.

parameter responses of the simulator were recorded -

These events do not take into effect equipment failure in a data file and converted into graphs with the usel 'or operator error. --l "of Excel and Claris CAD computer programs. These graphs are not to be 'considered Engineering 5.1.2.2 Abnormal Operational Transient Simulator Model Quality. Some minor editing of

-the original curves was performed.

Anticipated (Abnormal) transients are devia S-tions from the normal operating conditions that may

'The instructor 'explanations 'accompanying occur one or more'times during the service life of a these cuirves are the result of analysis by the TI7D plant. Anticipated transients range from trivial to Staff during the actiiM' simulator'r'uns 'and sub-,"' significanit in terms of the demands imposed on plant sequent staff seminars, equipment.

Anticipated transients include such S-events as a turbine trip, EHC failure, MSIV closure, Cauitionis advised when'trying to aplply these loss of feedwater flow and loss of feedwater heating.

simulator curves to any operating plant.

Even More specifically, all situations (except for LOCAs) relative-minor changes in set points, capacities, or which could lead to fuel heat imbalances are piping runs 'could cause significant differences in anticipated (abnormal) transients.

"indicated responses.

'USNRC Technical Training Center 5.1.1 Rev 0500 Transient Analysis/lnt*'oduction

°_

_I G.E. Technology Advanced Manual oUSNRC Technical Training Center 5.1-1

  • ,.Rev 0500

G.E. Technoloev Advanced ManualTrnitAalssntdcto Many transients are handled by the reactor control systems, which would return the reactor to its normal operating conditions. Others are beyond the capability of the reactor control systems and require reactor shutdown by the reactor protection system (RPS) in order to avoid damage to the reactor fuel or coolant systems.

5.1.2.3 Emergency Operational Transient Acci dent An emergency operational transient (accident) is a single event, not reasonably expected during the course of plant operations, that has been hypothesized for analysis purposes or postulated from unlikely but possible situations; and that causes or threatens a rupture -of a radioactive material barrier. A pipe rupture is an accident. A fuel clad defect is not.

Design Basis Accident A design basis accident is a hypothesized accident, the characteristics of which are utilized in, the design of those systems, and components pertinent to the preservation of radioactive material boundaries and restriction sof the release of radioactive materials from these boundaries. The potential radiation exposures resulting from these accidents is greater than any -similar accident postulated from the same general assumptions.

Design basis accidents include:

"* control rod drop accident refueling accident

"* main steam line break outside the drywell

"* loss of coolant accident 5.1-3 Transients Analysis Transient analysis begins with applying some fundamental rules:

1.

Do not try and identify the initiating event.

2.

Start with a parameter that you personally know more about.

3.

Stay in the same time frame (i.e. do not continue on the same parameter trying to identify all the points prior to going to the next parameter).

4.

Make a list of what would cause the parameter of interest to change.

5.

Start with the first item on the list and decide what direction and how much of a change you would expect; then look at the change on the curve and see if it is reasonable.

6.

If you are not sure continue down the list.

7.

Go to the parameter that is affected by the one you have chosen (i.e. power effects pressure, pressure effects steam flow).

8.

If you have done everything correctly you will' end up with the initiating event.

9.

Move to the next time frame and continue the process until all points are identified.

10.

Test to see if all points agree with the initiating event.

Figures 5.1-1, represents a blank recorder paper. Each horizontal line is spaced 30 seconds apart and are the same for each parameter. The chart recorder moves from top to bottom, making the top 6 minutes and the bottom time zero.,

The following are general notes applicable to all transients unless otherwise indicated:

Reactor power is from one APRM chan nel. Assume that if this channel changes the other APRM channels also change.

USNRC Technical Training Center 5.1-2 Rev 0500 Transient Anaivsis/Introduction USNRC Technical Training Center 5.1-2 Rev 0500

--,-Total steam flow isfrom the FWCS's Stahting wvith the first item, decide how power summations of the individual flow from the should change and how much, then look at the total flow restrictors on each steam line.

core flow and APRM curves. At the same or near the same -time? frame it-appe.rs -that everything Total feedwater flow is from the FWCS's summed feed flow from the individual flow measurement devices down stream of the last high pressure feedwater heater.

"* Total core flow is the summation of all of the jet pump flows.

"* Turbine steam flow is the turbine first stage pressure converted to steam flow.

Reactor pressure is from one of the reactor, vessel pressure monitoring devices.

Transient one, in section 5.2, is a normal operational transient that will be used during the introduction for purposes of indicating how the various parameters change and the use of the rules identified above. All other transients covered will fall in the abnormal transient category 5.1.3.1 Transient Example Starting with reactor power (rule 2), make alist of things that could change reactor power.

1. Recirculation flow
a. Pump speed change
b. Tripping of a recirculation pump
2. Control rod movement
a. normal rod movement
b. scram
3. Loss of feedwater heating
4. Pressure increase/decrease
5. Standby liquid control system initiation matches, a change in t6tal core,flow caused a change in reactor 1ower.

The next step is to move to the next parameter.

By applying rule number 7, move to reactor pressure. But, before -looking at reactor pressure, decide how pressure should.change.

If power "decreases at a steady rate, pressure should also decrease at that same rate: Look at the pressure curve, it appears that indeed pressure is following reactor power as expected.

-Applying rule number'7 again, if pressure changes, the EHC system,should respond by adjusting the control and/6ro-bypass valves.

Adjusting control valves/BPVs will have an effect on main steam flow. So the next logical parameter is turbine steam flow, and to compare main steam flow to turbine steam flow.

Continuing this process should answer all the questions for the initial change.- If you did not start with the parameter that changed first, the above procedure will bring you around to the initiating event. -This process is used on each time frame of interest until all points are identified.

A synopsis of transient number one takes place in the following manner:'

Recirculation flow decreases due to the "decrease in recirculation pump speed. The

. decrease in core flow results in a higher void, fraction and a negative net core reactivity. The power decrease causes fuel

-,temperature, moderator temperature, and the void fraction ýto -decrease.

This

-continues -until the core net reactivity J again equals zero..During this transient, the power decrease starts immediately after the core net AK/ < 0.

USNRC Technical Training Center 5.1.3 Rev 0500

  • .G.E. Technology Advanced Manual

-Transient Analvsis/Introduction USNRC Technical Training Center

°: 5.1-3 Rev 0500

Power decreases below the steady state and the recirculation system removing a value due to the fuel time constant. Before larger volume of water from the annulus the power generated in the fuel can effect area.

moderator density, fuel temperature must change along with heat transfer to the coolant.

The, fuel in BWRs responds relatively slow with a time constant between 6 and 10 seconds.

" When reactor pressure decreases, due to the power decrease, the EHC system responds by closing down on the CVs to throttle reactor pressure decrease.

" Reactor water level increases due to the recirculation system removing less water from the annulus than is being supplied by the moisture separator, steam dryers and feedwater.

" Prior to a recirculation flow, increase, reactor power increases due to the decrease in feedwater temperature. The increase in reactor power produces an increase in reactor pressure and subsequent increase in steam flow, both total and turbine.

" Following the power decrease with flow, recirculation pump speed is returned to its original value, causing power to increase.

" The increase in reactor power produces a corresponding increase in reactor pressure.

The increase in reactor pressure is sensed by the EHC system which responds by throttling open the turbine control valves.

" The increase in steam flow is monitored by the feedwater control system along with the level decrease and adjust feedwater flow to maintain reactor water level.

"* The decrease in reactor level is caused by the steam flow/feedwater flow mismatch 5.1-4 G.E. Technoloknv Advanced Manual Transient Analvsis/Introduction Rev 0500 USNRC Technical Training Center

G.E. Technology Advanced Manual Transients Analysis/Introduction Table 5.1-1 Level Level Level Level 8 (56.5) 7 (40.5) 4 (33) 3 (12.5)

Level 2 (-38)

Level 1 (-132.5) 50 100 338 & 465 Parameter Setpoint Aids Reactor Vessel Level (inches)

Trip of main turbine, RFP, RCIC, and HPCI High level alarm Low level alarm, permissive for Recirc pump runback to 45%

Reactor scram, Recirc pump runback to 30%, ADS signal, RHR Isolation signal Initiate RCIC and HPCL, ATWS-RPT, RWCU isolation and other seleceted systems Initiate CS and LPCI, Start EDG, ADS signal, Isolate MSIVs Reactor Pressure (psig)

RCIC Isolation HPCI Isolation Permissive for injection of LPCI and CS Main Steam Line pressure of 825 psig closes MSIVs 920 - 1005 1025 1043 1115/1125/1135 1120 22.5 20.0 8.5 7

1.0 1.69 Normal reactor Pressure High pressure alarm Reactor Scram 4/4/3 SRVs opening pressures ATWS - RPT Condenser Vacuum (inches of Hg)

Turbine trip RFP trip MSIV closure BPV closure Turbine First Stage Pressure Usage Bypass EOC-RPT and Scram if <30%

Drywell Pressure (psig)

High pressure alarm Initate HPCI, CS and RHR, Start DIG and RBSVS, isolation signal for selected plant systems USNRC Technical Training Center 5.1-5 Rev 0195 G.E. Technology Advanced Manual Transients Analysis/Introduction 5.1-5 Rev 0195 USNRC Technical Training Center

1194 6HI 4

2 I 1.

LI I II I 1

Time 0

010 20 30 4050 60 70 80 90 100 Takeup Roll Supply Roll Chart Recorder Figure 5.1-1 Chart Recorder 5.1-7

Figure 5.1-2 Recirculation Loop Instrumentation 5.1-9 0594 Fmrm Remeor Vessl Annu1 Rezsnn

01 Figure 5.1-3 Main Steam System CN~

1294 0

L.)

E a/)

E

0)

,G cu Li6 5.1-13

9L-V9 0 to fl 0

CD CD

-a.

01

'.1 CD CD~

a2T 020 go a t'6Ha

1 2

3/

44

jLOOP FLOý 9

10:1 A - SHUT IF PUMP A OFF AND PUMP B ON B -

SHUT IF PUMP B OFF AND PUMP A ON A' -

SHUT IF PUMP A ON OR PUMP B OFF B' - SHUT IF PUMP A OFF OR PUMP B ON Figure 5.1-6 Core Flow Summing Network TOTAL CORE FLOW

S ped Control Unit Turbine 2Va7v 77GaPin Speed 0~tIn' L

ti-a I0 100% Opening Bias oa100%

Steam

+÷,., W Vlrottle ContI Pressure Cnr 105%

OF ir 1

TerrbinTrip S Logbi

,M3u Set IW GI n i.i

o.

Set M

oto 3 3.11 t Irsa 3(+

33( 'l100 Steam~~

()

Steam(small Clo se Blaq Throttle W

W(

Pressutre-----t

-, )I Pressure Control Unit

-Valve Control Unit Figure 5.1-7 Electro Hydraulic Control System Logic Li Line Speed t

Set*

M atc ter Loss of Suitor Load SetCooling Runback Ckt Sync Speed Not Selected F400%I A

Load Re)ect Crossover Pressure Citrcut Stator Amps 1

-L (D

P,O

1010 1000 990 980 55 PSID 980

/Steam Line Pressure Drop 970 Reactor Pressure Pressure 960 (PSIG) 01 950 940 30 PSI Pressure Regulation 930 930 Turbine Inlet Pressure 920 910 900 0 20 40 60 80 100

% Steam Flow

-o FIgure o.1-13 Pressure,oniril opecirum

.j, FlowWA Steam Flow"B" Total Steam Flow Steam Flow"C" Fl1 Summer Steam

  • Seam Flow/l Fl+l,,,Ik Flow"D" L

Compal ao Feed FlowFlow Feedwater~lwB 2-ISme Figure 5.1-9 Feedwater Control System

TO"B"LOOP SPEED CONTROL HI-102% OF RATED RECIRC PUMP SPEED LO-45% SPEED (OPTIONAL SETTING) 74 Open when Rx. water level Is <12,5" Open with loss of Condensate, Cond. Booster or Feed Pump "Y" CONTACTS SHOW FOR FIELD BREAKER CLOSED ERROR UMING NETWORK CAM Figure 5.1-10 Recirculation System Flow Control Network (Shown for A loop, TYP. for B) 5.1-25 1294 OPTIONAL SETTING

50 60 Percent Rated Core Flow FIGURE 5.1-11 Power/Flow Map CA 110 100 90 80 70 60 50 40 30 20 10 110 100 90 80 70 60 50 40 30 20 10 (0

01

0 25 50 75 100 12' APRM "A" (%)

0 2.4 4.8 7.2 9.6 12 Feedwater Flow (Mlbm/hr) 800 880 960 1040 1120 12(

Rx. Pressure (PSIG) 90,

0 12 24 36 48 60 Narrow Range Rx. Level (in) 0 2.4 4.8 7.2

,.6 12 Reactor Steam Flow (Mlbm/hr)

II 0

2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbm/hr)

Transient #1 Febraury 15, 1995 Rev. 1 0

20 40 60 80 100 Total Core Flow (Mlbm/hr)

0 25 50 75 100 12l APRM "A" (%)

5 8*00 880 960 1040 1120 12C Rx. Pressure (PSIG)

TE 10 0

24 4.8 Z2

.6 12 0 2.4 4.8 7.2 9.6 12 Reactor Steam Flow (Mlbm/hr)

Turbine Steam Flow (Mlbm/hr)

Transient # 2 February 15, 1995 Rev. 1 0

2.4 4.8 7.2 9.6 12 0

12 24 36 48 60 0

20 40 60 80 100 Feedwater Flow (Mlbm/hr)

Narrow Range Rx. Level (in)

Total Core Flow (Mlbm/hr)

A

50 75 100 125 8

APRM "A" (%)

0 880 960 1040 1120 1200 Rx. Pressure (PSIG)

1 Reactor Steam Flow (Mlbnm/hr) 0 2.4 4.8 7.2 9.6 12 0

12 24 36 48 60 Narrow Range Rx. Level (in) r T --

r-r-T I

V Transient #3 February 15, 1995 Rev. 1 0

20 40 60 80 100 Total Core Flow (Mlbm/hr) 2Z 0

2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbm/hr) i i

9 25 50 75 100 12ý APRM "A" (%)

5 8

liii ii 111.11 iF I 00 880 960 1040 1120 12(

Rx. Pressure (PSIG) 1 2.4 4.8 7.2 9.6 12 Reactor Steam Flow (Mlbmlhr) 0 2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbm/hr)

Transient #4 February 15, 1995 Rev. 1 0

2.4 4.8 7.2 9.6 1z U

12 X4 36i 4

6 0U 0

2 40 6(0 80 100 Feedwater Flow (Mlbn/hr)

Narrow Range Rx. Level (in)

Total Core Flow (Mlbm/hr) 1t~~tiF~t

)00 A

25 50 75 100 12d APRM "A" (%)

tA 00 880 960 1040 1120 12(

Rx. Pressure (PSIG) 0 12 24 36 48 60 Narrow Range Rx. Level (in) 0 T--- v e

ri-i1111111 44-4-1-4-4-4-4-4-I-

.44 - + -

1-4-4-4 4--I-I-4-4-4-4-4-4-4-I-tt4t441411-20 40 60 80 100 Total Core Flow (Mlbm/hr) 0 2.4 4.8 7.2 9.6 12 Feedwater Flow (Mlbm/hr) 2.4 4.8 7.2 9.6 12 Reactor Steam Flow (Mlbm/hr) 0 2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbmlhr)

Transient #5 5

8

)0

P 25 50 75 100 12A APRM "A" (%)

5 800 880 960 1040 1120 12(

2.4 4.8 7.2 9.6 12 Rx. Pressure (PSIG)

Reactor Steam Flow (Mlbm/hr)

Narrow Range Rx. Level (in)

"I I 0

2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbmlhr)

Tramsient # 6 0

20 40 60 80 100 Total Core Flow (Mlbm/hr) 0 2.4 4.8 7.2 9.6 12 Feedwater Flow (Mlbm/hr) 00 0

25 50 75 I00 125 APRM "A" (%)

0 2.4 4.8 7.2 9.6 1Z Feedwater Flow (Mlbm/hr) 1800 880 960 1040 1120 126 Rx. Pressure (PSIG)

VFFLLLL

.4 -- 4-4 -4--

4 -4-;-

JIL I1LI '

d 12 24 36 48 6b Narrow Range Rx. Level (in) 1 2.4 4.8 7.2 9.6 12 Reactor Steam Flow (Mlbm/hr) 0 20 40 60 80 100 Total Core Flow (Mlbm/hr) fI 0

2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbm/hr)

Transient #7 C

I

0 25 50 75 100 i2Z APRM "A" (%)

20 880 960 1040 1120 126 Rx. Pressure (PSIG) 1111 1117 Reactor Steam Flow (Mlbm/hr) t=

T 0

2.4 4.8 7.2 9.6 12

___I

____I___!

I

.IW,

0 2.4 4.8 7.2 96 12 0

12 24 36 48 60 Feedwater Flow (Mlbm/hr)

Narrow Range Rx. Level (in) 0 20 40 60 80 Total Core Flow (Mlbm/hr)

Transient #8 May 03, 1998 Rev. 1 100 5

81

ý0 2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbm/hr)

25 50 75 100 12M APRM "A" (%)

8 1

7 1

1

  • 00 880 960 1040 1120 120 Rx. Pressure (PSIG)

(I-0 12 24 36 48 60 Narrow Range Rx. Level (in) 2.4 4.8 7.2 9.6 Bl Reactor Steam Flow (Mlbm/hr) 0 2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbm/hr)

Transient #9 0

20 40 60 80 100 Total Core Flow (Mlbm/hr)

-4.- 4 4 4

-I-4--I-4-E.-4--4-4-4--

I I1I1I 2Lm

/

I........

I mL*=l=-

5

25 50 75 100 12, APRM "A" (%)

8 III HL 00 880 960 1040 1120 12C Rx. Pressure (PSIG) 10 0

2.4 4.8 7.2 9.6 12 Reactor Steam Flow (Mlbmbir) 2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbm/hr) 0 2.4 4.8 7.2 9.6 12 Feedwater Flow (Mlbmlbr) 0 12 24 36 48 60 Narrow Range Rx. Level (in)

Transient #10 February 15, 1995 Rev. 1 Transient #10 0

20 40 60 80 100 Total Core Flow (Mlbm/hr)

?0

1 25 50 75 100 12I APRM"A" (%)

7 800 &

7 7

80 960 104O 112o 12 Ra. Pressure (PSIG) 0 2.4 4.8 7.2 9.6 12 Feedwater Flow (Mlbmlhr) 0 2.4 4.8 7.2 9.6 12 Reactor Steam Flow (Mlbm/hr)

I 0

2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbm/hr)

Transient# 11 0

20 40 60 80 100 Total Core Flow (Mlbm/hr)

Narrow Range Rx. Level (in) 10 I

0 L

50 75 10 APRM "A" (%)

o 1.

II --I-iI-I-II 7~

2.4 4.8 7.2 9.6 BZ Reactor Steam Flow (Mlbm/hr) 12 24 36 48 60 Narrow Range Rx. Level (in)

Transient #12 February 16, 1995 Rev. 1 20 40 60 80 100 b

Total Core Flow (Mlbm/hr) 10 0

0 1~

II III III H

0 0 960 1040 1120 12 Rx. Pressure (PSIG) 25 800 81 ILL 0

2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbm/hr) 0

0 25 50 75 100 125 APRM "A" (%)

0 2.4 4.8 7.2 9.6 1Z Feedwater Flow (Mlbm/hr) 820 880 960 1040 1120 120 Rx. Pressure (PSIG) 0 12 24 36 48 60 Narrow Range Rx. Level (in) 0 2.4 4.8 7.2 9.6 12 Reactor Steam Flow (Mlbm/hr) 0 2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbnmhr)

Transient #13 0

20 40 60 80 100 Total Core Flow (Mlbm/hr) 0 2.

4.8 7.2

.6 1 90 I

'00 880 960 1040 1120 120 Rx. Pressure (PSIG) o d 2.4 4.8 7.2 9.6 12 Reactor Steam Flow (Mlbm/hr) 2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbm/hr)

Transient #14 0

2.4 4.8 7.2 9.6 1Z U

1Z 24 do 4

COU U

ZU 4(

0u Ou Ou 1

Feedwater Flow (Mlbm/hr)

Narrow Range Rx. Level (in)

Total Core Flow (Mlbm/hr) 1-

25 50 75 100 125 APRM "A" (%)

0 0

2.4 4.8 7.2 9.6 12 Reactor Steam Flow (Mlbmlhr) 2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbmlhr) 0 2.4 4.8 7.2 9.6 12 Feedwater Flow (Mlbm/hr) 0 12 24 36 48 60 Narrow Range Rx. Level (in)

Transient #15 February 16, 1995 Rev. 1 0

20 40 60 80 100 Total Core Flow (Mlbmlhr) 00 0-01

0 2.4 4.8 7.2 9.6 1Z Feedwater Flow (Mlbm/hr) 25 50 75 100 121 APRM "A" (%)

00 880 960 1040 1120 12C Rx. Pressure (PSIG) 0 2.4 4.8 7.2 9.6 12 Reactor Steam Flow (Mlbm/hr) 44-4---f-k

-4I-I

I

0 2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbm/hr)

Transient #16 U

jZ Z4 do 41 0u u

ZU 4W

(

z u

1uu Narrow Range Rx. Level (in)

Total Core Flow (Mlbm/hr)

=

I I

I 4

+-+--

f-I Q0 1

8,

'00 880 960 1040 1120 120 Rx. Pressure (PSIG)

'0 2.4 4.8 7.2 9.6 12 Reactor Steam Flow (Mlbm/hr)

"(U 2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbmlhr)

Transient #18 February 15, 1995 Rev. 1 0

2.4 4.8 7.2 9.6 12 U

12 24

,du 4-3 ou U

zU 4U bu Ifu 1UU Feedwater Flow (Mlbm/hr)

Narrow Range Rx. Level (in)

Total Core Flow (Mlbm/hr) 8

50 75 Id0 125 8

APRM "A" (%)

0 2.4 4.8 7.2 9.6 12 Feedwater Flow (Mlbm/hr) log U-0 12 24 36 48 60 Narrow Range Rx. Level (in) 7-I-Fl 00 880 960 1040 1120 12(

Rx. Pressure (PSIG) 0 0

20 40 60 80 100 Total Core Flow (Mlbm/hr) 10 0

2.4 4.8 7.2 9.6 12 Reactor Steam Flow (Mlbm/hr) 0 2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbm/hr)

Transient #21 May 7, 1998 Revision #1

0 25 50 75 100 12~

APRM "A7 %

HIM1T

'00 880 960 1040 1120 12C Rx. Pressure (PSIG)

,I 0

1N r

4 R

3g

48.

Le(

Narrow Range Rx. Level (in) 1 2.4 4.8 7.2 9.6 12 Reactor Steam Flow (Mlbm/hr) 0 2.4 4.8 7.2 9.6 12 Turbine Steam Flow (Mlbm/hr)

Transient #22 May 4, 1998 Revision 1 0

20 40 60 80 100 Total Core Flow (Mlbmlhr) 2.4 4.8 7.2 9.6 12 Feedwater Flow (Mlbm/hr)

HL I

I I/1 I I 5

10 1

0 25 50 75 I00 121 APRM

(%)

0

Retrieved from "https://kanterella.com/w/index.php?title=ML023010597&oldid=5431416"