Amendment to Technical Specifications 3.8.1, AC Sources - Operating, Extension of the Emergency Diesel Generator Allowed Out of Service Time; 3.8.3, Diesel Fuel Oil, Lube Oil, and Starting Air; and 3.4.9, Pressurizer

ML060040310
Person / Time
Site:	Palo Verde
Issue date:	12/23/2005
From:	Mauldin D Arizona Public Service Co
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
102-05391-CDM/TNW/JAP
Download: ML060040310 (86)
v • d • e

Text

10 CFR 50.90 David Mauldin Vice President Mail Station 7605 Palo Verde Nuclear Nuclear Engineering TEL (623) 393-5553 P.O. Box 52034 Generating Station and Support FAX (623) 393-6077 Phoenix, AZ 85072-2034 102-05391 -CDM/TNW/JAP December 23, 2005 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001

Subject:

Palo Verde Nuclear Generating Station (PVNGS)

Units 1, 2 and 3 Docket Nos. STN 50-52815291530 Amendment to Technical Specifications 3.8.1, AC Sources -

Operating, Extension of the Emergency Diesel Generator Allowed Out of Service Time; 3.8.3, Diesel Fuel Oil, Lube Oil, and Starting Air; and 3.4.9, Pressurizer

Dear Sirs:

In accordance with 10 CFR 50.90, enclosed is an application for amendment to Facility Operating License Nos. NPF-41, NPF-51, and NPF-74 for Units 1, 2, and 3 of the Palo Verde Nuclear Generating Station (PVNGS), respectively. This License Amendment Request (LAR) revises Technical Specification (TS) 3.8.1, "AC Sources - Operating," to extend the allowed out of service time (AOT) for one inoperable emergency diesel generator (DG) from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 10 days. TS 3.8.3, "Diesel Fuel Oil, Lube Oil, and Starting Air," will be revised by the addition of a clarifying note to Condition F of this specification. Additionally, TS 3.4.9, "Pressurizer," will be revised to delete the words contained in the Limiting Condition for Operation (LCO) which require that the two groups of pressurizer heaters are capable of being powered from an emergency power supply.

This application represents a risk-informed licensing change for the proposed emergency diesel generator AOT. The proposed change was developed using the criteria of Regulatory Guide 1.174 and Regulatory Guide 1.177 for risk-informed changes. contains a description of the proposed changes, the supporting technical analyses, and the no significant hazards determination. Enclosures 3 and 4 contain marked-up and revised TS pages, respectively. Enclosure 5 contains the TS Bases changes (for information only) to assist the staff in its review of the proposed changes.

A member of the STARS (Strategic Teaming and Resource Sharing) Alliance Callaway

• Comanche Peak

• Diablo Canyon

• Palo Verde

• South Texas Project

• Wolf Creek

U. S. Nuclear Regulatory Commission ATTN: Document Control Desk Amendment to Technical Specifications 3.8.1, AC Sources -

Operating, Extension of the Emergency Diesel Generator Allowed Out of Service Time; 3.8.3, Diesel Fuel Oil, Lube Oil, and Starting Air; and 3.4.9, Pressurizer Page 2 Based on the responses to the three criteria provided for determining whether a significant hazard consideration exists as stated in 10 CFR 50.92, Arizona Public Service Company (APS) has concluded that the proposed amendment involves no significant hazards consideration.

Inaccordance with the PVNGS Quality Assurance Program, the Plant Review Board and Offsite Safety Review Committee have reviewed and concurred with this proposed amendment. By copy of this letter, this request Isbeing forwarded to the Arizona Radiation Regulatory Agency (ARRA) pursuant to 10 CFR 50.91 (b)(1).

The changes proposed in this LAR are not required to address an immediate safety concern. However, in order to support surveillance testing of the EDGs during cycle 13, for Unit 1,APS requests that this amendment be approved no later than January 15, 2007. APS requests the LAR be made effective upon NRC issuance, to be implemented within 90 days from the date of issuance.

No commitments are being made to the NRC by this letter.

Should you have any questions, please contact Thomas N.Weber at (623) 393-5764.

Sincerely, CDM/TNW/JAP/ca

Enclosures:

Enclosure 1 - Notarized Affidavit

• Enclosure 2 - APS' evaluation of Proposed Changes to Technical Specifications 3.8.1, 3.8.3, and 3.4.9 Attachments to Enclosure 2:

1. Ratio of EDG "A"and EDG "B"Out of Service (OOS) to Basecase Risk Increase Factors

2. Palo Verde Probable Risk Assessment (PRA) Quality and History

• Enclosure 3- Marked-up Technical Specification pages

• Enclosure 4 - Revised Technical Specification pages

• Enclosure 5- Marked-up Technical Specification Bases pages (for information only) cc: B. S. Mallett NRC Region IV,Regional Administrator M. B. Fields NRC NRR Project Manager G.G. Wamick NRC Senior Resident Inspector for PVNGS A. V. Godwin Arizona Radiation Regulatory Agency (ARRA)

I1 Enclosure 1 to Extension of EDG AOT License Amendment Request STATE OF ARIZONA )

) ss.

COUNTY OF MARICOPA )

1,David Mauldin, represent that I am Vice President Nuclear Engineering, Arizona Public Service Company (APS), that the foregoing document has been signed by me on behalf of APS with full authority to do so, and that to the best of my knowledge and belief, the statements made therein are true and correct.

David Mauldin Sworn To Before Me ThisZ3 rd Day Of Hlow&/. , 2005.

Notary Public SSIE LYNN ERGISI4

- - o AL-. I-

' Vj~omm w Expks+J 4, 2007 .

Notary Commission Stamp

Enclosure 2 APS' EVALUATION Proposed Changes to Technical Specifications 3.8.1, 3.8.3, and 3.4.9 1.0 Description 2.0 Proposed Change

3.0 Background

4.0 Technical Analysis 5.0 Regulatory Safety Analysis 5.1 No Significant Hazards Consideration 5.2 Applicable Regulatory Requirements/Criteria 5.3 Conclusion 6.0 Environmental Consideration 7.0 References 8.0 Precedents

Enclosure 2 to Extension of EDG AOT License Amendment Request

1.0 DESCRIPTION

1.1 Extend the Emeraency Diesel Generator (EDG) Allowed Out of Service Time (AOT) in LCO 3.8.1- "AC Sources-Operating" This proposed change to the Palo Verde Nuclear Generating Station (PVNGS)

Units 1, 2, and 3 Technical Specifications (TS) will extend the current allowed completion time for a single emergency diesel generator (EDG) to be out of service from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 10 days. Currently, Limiting Condition for Operation (LCO) 3.8.1 - AC Sources-Operating, Condition B, requires one inoperable emergency diesel generator to be restored to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

This proposed change would allow 10 days for the restoration of one inoperable emergency diesel generator to operable status. This change will also extend the maximum time that this LCO cannot be met from 6 days to 13 days. This change will provide operational and maintenance flexibility. It will also allow performance of EDG inspection and maintenance activities during plant operation, reducing plant refueling outage duration and improving EDG availability during shutdown plant conditions.

1.2 Add a note to LCO 3.8.3. Condition F - "Diesel Fuel Oil. Lube Oil, and Starting Air" to allow starting air receiver pressure to be momentarily low during starting The proposed change to LCO 3.8.3 would add a clarifying note to Condition F.

This note would address the condition for a momentary drop in emergency diesel generator's air receiver pressure during the starting sequence for a diesel generator.

1.3 Revise LCO 3.4.9 - "Pressurizer" to eliminate the reference for emergency Power supplv Technical Specification LCO 3.4.9 - "Pressurizer", requires that two groups of pressurizer heaters be operable in Modes 1,2, and 3. Each group is required to have a capacity of at least 125 kW and currently requires that the two groups of heaters be capable of being powered from an emergency power supply. This proposed change would delete the words that the two groups of heaters are "capable of being powered from an emergency power supply."

2.0 PROPOSED CHANGE

S 2.1 Extend the Emergency Diesel Generator (EDG) Allowed Out of Service Time (AOT) in LCO 3.8.1- "AC Sources-Onerating" This proposed change will extend the current allowed AOT for one inoperable emergency diesel generator (EDG) in LCO 3.8.1, Condition B, from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to I

Enclosure 2 to Extension of EDG AOT License Amendment Request 10 days. This change will also extend the maximum time that this LCO cannot be met from 6 days to 13 days. These changes will read as follows:

Completion Time for LCO 3.8.1, Condition A (one required offsite circuit inoperable), Required Action A.3, currently reads:

"72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> AND 6 days from discovery of failure to meet LCO" Completion Time for LCO 3.8.1, Condition A (one required offsite circuit inoperable), Required Action A.3, would be changed to read:

"72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> AND 13 days from discovery of failure to meet LCO" and, Completion Time for LCO 3.8.1, Condition B (one DG inoperable), Required Action B.4, currently reads:

"72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> AND 6 days from discovery of failure to meet LCO" Completion Time for LCO 3.8.1, Condition B (One DG inoperable), Required Action B.4, would be changed to read:

"0 days AND 1 days from discovery of failure to meet LCO" The changes to Completion Times for LCO 3.8.1, Required Actions A.3 and B.4 from 6 days to 13 days will accommodate for the extension time of the diesel generator AOT to 10 days.

2.2 Addition of note to LCO 3.8.3. Condition F - "Diesel Fuel Oil. Lube Oil, and Starting Air" to allow starting air receiver pressure to be momentarily low during starting The following proposed change would add a note to a portion of LCO 3.8.3, Condition F. This note will clarify the application of LCO 3.8.3, Condition F, for the condition when starting a diesel generator and its associated air receiver pressure drops momentarily below 185 psig. The proposed change is as follows:

Condition F of LCO 3.8.3, currently reads:

"Required Action and associated Completion Time not met.

OR 2

Enclosure 2 to Extension of EDG AOT License Amendment Request One or more DGs with diesel fuel oil, lube oil, or starting air subsystem inoperable for reasons other than Condition A, B, C, D, or E."

With the proposed addition of the note, Condition F of LCO 3.8.3 would be changed to read:

"Required Action and associated Completion Time not met.

OR One or more DGs with diesel fuel oil, lube oil, or starting air subsystem Inoperable for reasons other than Condition A, B, C, D, or E."

This proposed change would alleviate unnecessary declaration of the emergency diesel generator(s) as inoperable during the starting evolution of the diesel generator.

2.3 Revision to LCO 3.4.9 - uPressurizer" to eliminate the reference for emergency Power supplv The following proposed change removes the TS reference for the pressurizer heaters to be capable of being powered from an emergency power supply.

LCO 3.4.9.b currently reads:

"b. Two groups of pressurizer heaters OPERABLE with the capacity of each group > 125 kW and capable of being powered from an emergency power supply."

LCO 3.4.9.b would be changed to read:

"b. Two groups of pressurizer heaters OPERABLE with the capacity of each group > 125 kW."

The portion of this LCO that is being deleted is not necessary to ensure the operability of the pressurizer. In addition, this change will help ensure that while extending the current AOT for the EDG from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 10 days that the pressurizer LCO is not mistakenly entered due to a diesel generator being removed from service for greater than 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

3

Enclosure 2 to Extension of EDG AOT License Amendment Request The associated TS Bases changes will be implemented in accordance with TS 5.5.14, "Technical Specifications (TS) Bases Control Program," as a part of the implementation of this amendment, following NRC approval.

3.0 BACKGROUND

3.1 Description of Class 1E Alternating Current (AC) Power System, Emeroencv Diesel Generators (EDGs) and Gas Turbine Generators (GTGs)

Palo Verde Nuclear Generating Station (PVNGS) TS 3.8.1, 'AC Sources -

Operating," specifies control requirements for the Class I E AC electrical power distribution system. The Class 1E AC distribution system is normally supplied power from the preferred off site power sources through Engineered Safety Features (ESF) service transformers (NBN-X03 and NBN-X04). The Class 1E AC distribution system can be fed from the two offsite power sources (525 kilovolt (kV) stepped down to 13.8 kV), and from onsite vital standby power sources (two emergency diesel generators for each unit). Additionally, during a station blackout event (SBO), GTGs can be aligned to supply AC power to an ESF bus. As required by 10 CFR 50, Appendix A, GDC 17, the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.

The Class 1E AC distribution system for each unit is divided into two load groups (designated Class 4.16 kV buses (PB) PBA-S03 and PBB-S04) so that the loss of any one group or bus does not prevent the minimum safety functions from being performed. Each of these load group or buses has connections to offsite power sources and a single dedicated EDG.

The offsite power is supplied to the 525 kV switchyard from offsite transmission networks. The 525 kV sources are stepped down to three 13.8 kV Startup Transformers which are shared amongst the three PVNGS units. From the 525 kV switchyard, there are two sources which are electrically and physically separated circuits that provide AC power at 4.16 kV through ESF service transformers fed by the 13.8 kV Startup transformer sources, to the Class I E distribution system. A detailed description of the offsite power network and the circuits to the Class 1E buses is found in the PVNGS Updated Final Safety Analysis Report (UFSAR), Chapter 8.

Single line diagrams of the onsite and offsite AC distribution system are shown in Figure 1 (onsite 13.8 kV/4.16 kV distribution system) and Figure 2 (offsite 525 kV switchyard distribution system) below.

4

Enclosure 2 to Extension of EDG AOT License Amendment Request Figure 1 OnSite Electrical Layout Switchyard 5

Enclosure 2 to Extension of EDG AOT License Amendment Request Figure 2 PALO VERDE SWITCHYARD PL910 From UNIT #1 PL920 START UP Transformer #1 PL930 From UNIT #2 START UP 1#1 Transformer #2 From UNIT #3 START UP Transformer #3 6

Enclosure 2 to Extension of EDG AOT License Amendment Request The onsite standby power source for each Class 1E 4.16 kV AC bus is a dedicated EDG. Each EDG is capable of starting automatically on a safety injection actuation signal (SIAS) (e.g., low pressurizer pressure or high containment pressure signals), containment spray actuation signal (CSAS),

auxiliary feedwater actuation signal (AFAS), or on a Class 1E 4.16 kV AC (PB) vital bus degraded voltage or undervoltage signal - loss of power (LOP). After the EDG has started, it will automatically tie to its respective bus if offsite power is tripped as a consequence of vital bus undervoltage or degraded voltage, independent of or coincident with an SIAS, CSAS, or AFAS signal. The EDGs will also start and operate in the standby mode without tying to the vital bus on an SIAS, CSAS, or AFAS signal alone. On a loss of offsite power, an undervoltage/load-shed signal trips all vital loads and non-permanently connected loads from the vital bus. As the EDG is connected to the vital bus, the vital loads are sequentially loaded to their respective vital bus by the ESF load sequencer. The sequencing logic controls the permissive and starting signals to each motor controller to prevent overloading the EDG during this process.

During plant operation with both EDGs operable, in the event of a loss of offsite power (LOOP), the ESF electrical loads are automatically sequentially loaded to the EDGs in sufficient time to provide for safe reactor shutdown or to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA).

Inthe event of a station blackout (SBO), the gas turbine generators (GTGs) will supply AC power to the emergency loads of the blacked out unit, for a duration of four hours', ensuring that stable operating conditions can be maintained during the SBO. A SBO at PVNGS is the loss of all AC power at one unit. This means the loss of preferred (offsite) power together with the loss of the onsite standby emergency AC power (i.e., the class 1E emergency diesel generators).

The Gas Turbine (GT) system is comprised of two standby gas turbine generators (GTGs), either of which is capable of meeting the AC power requirements for any one of the three PVNGS units. The GTGs are normally shutdown and maintained in a standby condition during normal plant operations, ready to be put into service in the event of a SBO or loss of off site power. The GTGs operate only during a SBO, during system testing, or at the operator's discretion during a loss of offsite power to help restore offsite power.

The GT system is designed to provide and maintain AC power, within voltage and frequency limits, to the emergency loads of the blacked out unit for duration of 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />s1 . This includes being capable of being started and commence loading within one hour of initiation of a SBO and carry the required loads for the remaining three hours of the SBO event. A PVNGS engineering study has 1 Four hour duration is the current PVNGS licensing basis. This coping time duration currently is being evaluated to a 16 hour1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br /> duration.

7

Enclosure 2 to Extension of EDG AOT License Amendment Request shown that the blacked out unit can successfully cope without 4.16 kV power for at least one hour.

The GTG installation is designed to be used as the alternate AC power source and is not to be used as a peaking unit. In the event that a loss of offsite power occurs without a SBO (i.e., one or more of the emergency diesel generators are operating in each unit), a GTG may be started to provide power to the switchyard to enhance restoration of offsite power.

GTGs are designed as non-class 1E and meet the requirements of 10 CFR 50.63 and Regulatory Guide 1.155.

The GTG AC power source is connected to the train A ESF service transformer, NBN-X03. The ability to supply both train A and train B exists at the 4.16 kV level which allows for the compensation of possible out-of-service equipment in either train. In the event of a blackout, the GTGs can be used to regain power to a class bus. The GTGs can only be brought in on the Train A side but can feed either PBA-S03 or PBB-S04 to supply the proper equipment.

3.2 Description of Emeraencv Diesel Generator (EDG) Air Start System The emergency diesel generator air start system provides for storage and control of compressed air for starting the diesel. The diesel engine is started using compressed air furnished by two separate motor driven air compressors. Each compressor pumps air through a check valve, past a relief valve, through a coalescing filter, a refrigerant type air dryer, into an air receiver. The air compressor discharge may be cross connected to pressurize the other receiver, if needed. This is a dual system with either half capable of starting the engine.

Compressed air from the starting air receivers is applied to the starting air control valves on the engine, which are controlled by the starting air solenoids. When the starting air control valves open, starting air is supplied to both banks of air start valves and air distributors. Normally both starting air valves open simultaneously with air drawn from both receivers. If one fails to open, crossover piping admits air to the other bank of cylinders.

As the receivers lose pressure, the compressors begin to replenish air. The air compressors start automatically when sensed pressure is 240 psi or less and stop automatically when pressure reaches 250 psi. If both compressors are Inoperative, the air receivers have sufficient capacity to provide several starts with existing pressure in the receivers. Each air receiver is maintained in a ready-to-use state at a maximum pressure of 250 psig. The compressors and dryers themselves are not required during starting operation.

Each individual air receiver (there are two air receivers per diesel generator) is sized to accomplish 5 EDG starts from its normal operating pressure of 250 psig, and each air receiver will start the EDG in < 10 seconds with a minimum 8

Enclosure 2 to Extension of EDG AOT License Amendment Request pressure of 185 psig. An air receiver low-pressure switch activates when pressure drops below 185 psig (after a 3-minute time delay) on the local panel and actuates a common trouble alarm in the unit control room.

3.3 Description of the Class I E Pressurizer Heaters The reactor coolant system (RCS) pressurizer incorporates 36 single unit sheath type immersion heaters rated at 50 kW each, installed in the bottom head of the vessel. The heaters provide the energy to raise pressure in the pressurizer. The heater sleeves form the pressurizer penetration and are welded to the bottom head to form the pressure boundary. The sheath type immersion heater is exposed directly to the reactor coolant inside the pressurizer.

The heaters are divided into eight banks or groups. Two of the banks are proportional heaters and the other six banks are backup heaters. The proportional banks (P1, P2) consist of 3 heaters in each bank (150 kW per bank). The backup banks (B1, B2, B3, B4, B5, B6) are arranged such that banks B1 and B2 are identical to P1 and P2 (3 heaters in each bank), and banks B3, B4, B5, B6 consist of 6 heaters in each bank (300kW per bank).

Heater banks BI and B2 (150 kW per bank) are designated as the two Class 1E pressurizer heater groups that are described in LCO 3.4.9. Heater banks B1 and B2 are connected to the Class 4.16 kV ESF system (PBA-S03 and PBB-S04 buses) via the Class 1E 480 VAC distribution system (one bank per division of 1E Class power). These two heater banks are normally powered by the offsite power sources and are then automatically powered from the emergency diesel generators during an emergency.

Technical Specification 3.4.9 requirement to have two groups of pressurizer heaters ensures that RCS pressure can be maintained. These two groups (heater banks B1 and B2) are the Class IE pressurizer backup heaters that are described above. The pressurizer heaters maintain RCS pressure to keep the reactor coolant subcooled. Inability to control RCS pressure during natural circulation flow could result in loss of single-phase flow and decreased capability to remove core decay heat.

4.0 TECHNICAL ANALYSIS

PVNGS has evaluated the proposed change to the EDG AOT extension using traditional engineering analyses as well as a risk-informed approach as set forth in Regulatory Guide (RG) 1.177, "An Approach for Plant-Specific, Risk Informed Decisionmaking: Technical Specifications," (Reference 1). RG 1.177 prescribes an acceptable approach for requesting TS changes that go beyond current staff positions, especially for those such as relaxation of AOTs or surveillance test internals. These evaluations and conclusions are also consistent with the guidance of RG 1.174, "An Approach For Using Probabilistic Risk Assessment In 9

Enclosure 2 to Extension of EDG AOT License Amendment Request Risk Informed Decisions On Plant-Specific Changes To The Licensing Basis,"

(Reference 2).

4.1 Deterministic Assessment of the extension to the Emeraencv Diesel Generator (EDG) Allowed Out of Service Time (AOT) in LCO 3.8.1- "AC Sources-Onerating" The emergency diesel generator system (EDG) is a class 1E standby generation system that functions as a standby source of AC power for safe plant shutdown in the event of loss of preferred power. This system includes all necessary auxiliaries to maintain the diesel engine in a readiness condition. Each diesel generator is an independent unit capable of providing power to safety equipment in the event of the loss of the preferred (offsite) power to safely shutdown the plant or mitigate the consequences of a loss of coolant accident (LOCA).

Typically, safety related equipment is powered by the offsite transmission network and the onsite Class I E distribution system.

The diesel generators are normally in a ready standby condition. On receipt of a start signal (under voltage on the respective 4.16kV bus - loss of power (LOP) signal), receipt of a safety injection actuation signal (SIAS), containment spray actuation signal (CSAS) or auxiliary feedwater actuation signal (AFAS) the diesel generators are automatically started to furnish the AC power required for safe plant shutdown. One of the two diesel generators in each unit furnishes power to safety train A equipment and the other diesel generator furnishes power to safety train B equipment.

In addition to the two emergency diesel generators, PVNGS has two alternating current (AC) Gas Turbine Generators (GTGs). The Gas Turbine (GT) system is comprised of two standby GTGs, either of which is capable of meeting the AC power requirements for any one of the three PVNGS units. The GTGs are normally shutdown and maintained in a standby condition during normal plant operations, ready to be put into service in the event of a SBO or loss of offsite power.

4.1.1 Defense in Depth The design and operation of the EDGs are not being modified as a result of the proposed extension to its AOT. However, the proposed change will allow flexibility when the system can be removed from service to perform maintenance activities. The amount of time the EDG can be removed from service only affects the period of time that the EDG may be unavailable and does not affect the design requirements.

The defense-in-depth philosophy requires multiple means or barriers to be in place to accomplish safety functions and prevent the release of radioactive material. PVNGS is designed and operated consistent with the defense-in-depth philosophy. The safety related equipment required to 10

Enclosure 2 to Extension of EDG AOT License Amendment Request mitigate the consequences of postulated accidents consists of two independent divisional load groups. Each of these load groups can be powered from many sources (either of the two offsite sources, from the diesel generators and from the GTGs). Furthermore, the loss of an entire load group will not prevent the safe shutdown of the plant in the event of a design basis accident (DBA). Accordingly, the unavailability of a single EDG by voluntary entry into a TS action statement for EDG maintenance does not reduce the amount of available equipment to a level below that necessary to mitigate a DBA. The remaining power sources and safety related equipment are designed with adequate independence, capacity, and capability to provide power to the necessary equipment during postulated accidents. Specifically, while in Condition B of LCO 3.8.1 with one EDG out of service, two offsite power sources to the affected load group, the GTGs and the entire unaffected load group and its associated EDG will remain available. Therefore, consistent with the defense-in-depth philosophy, the proposed change will continue to provide for multiple means to accomplish safety functions and prevent the release of radioactive material in the event of an accident. In addition, since the proposed extension of the EDG AOT will allow additional EDG maintenance to be performed online, there should be an increase in EDG availability during refueling outages, thus providing increased defense-in-depth during outages.

The proposed extension of the EDG AOT does not introduce any new common cause failure modes and protection against common cause failure modes previously considered, is not compromised. Defenses against human errors are maintained, in that the proposed change does not require any new operator response or introduce any new opportunities for human errors not previously considered. Qualified personnel will continue to perform EDG maintenance whether such maintenance is performed online or during plant shutdowns.

Appropriate restrictions and compensatory measures will be established to assure that system redundancy, independence, and diversity are maintained commensurate with the risk associated with the extended AOT.

These include TS and Maintenance Rule (10 CFR 50.65) programmatic requirements as well as administrative controls in accordance with the configuration risk management program (CRMP). To allow continued plant operation with an inoperable EDG, TS 3.8.1 currently requires all emergency equipment aligned to an operable EDG to have no inoperable components. This requirement is intended to provide assurance that a Loss of Offsite Power (LOOP) occurring concurrent with an inoperable EDG does not result in a complete loss of safety function of critical systems. In addition, appropriate plant procedures will include provisions for implementing the following compensating measures and configuration risk management controls when an EDG is removed from service to assure the 11

Enclosure 2 to Extension of EDG AOT License Amendment Request function of the system is maintained and the philosophy of defense-in-depth, as defined in RG 1.177 (Reference 1), is maintained:

• The redundant EDG (along with all of its required systems, subsystems, trains, components, and devices) will be verified operable (as required by TS) and no elective testing or maintenance activities will be scheduled on the redundant (operable) EDG.

• No elective testing or maintenance activities will be scheduled on the GTGs.

• No elective testing or maintenance activities will be scheduled on the Startup Transformers.

• No elective testing or maintenance activities will be scheduled in the APS switchyard or the unit's 13.8 kV power supply lines and transformers which could cause a line outage or challenge offsite power availability to the unit with the EDG AOT.

• All activity, including access, in the Salt River Project (SRP) switchyard shall be closely monitored and controlled. Elective maintenance within the switchyard that could challenge offsite power supply availability will be evaluated in accordance with 10 CFR 50.65(a)(4) and managed on a graded approach according to risk significance.

• The GTGs will not be used for non-safety functions (i.e., power peaking to the grid).

• Weather conditions are assessed prior to removing a diesel generator from service during planned maintenance activities. Additionally, diesel generator outages will not be scheduled when adverse weather conditions and/or unstable grid conditions are predicted or present.

• All maintenance and testing activities associated with the unit that has the EDG removed for maintenance will be assessed and managed per 10 CFR 50.65 (Maintenance Rule).

4.1.2 Safety Margin The EDG reliability and availability are monitored and evaluated with respect to Maintenance Rule (10 CFR 50.65) performance criteria to assure that EDG out of service times do not degrade operational safety over time.

Additionally, as discussed below, the proposed extension of the EDG AOT will not erode the reduction in severe accident risk that was achieved with implementation of the Station Blackout (SBO) Rule (10 CFR 50.63) or affect any of the safety analyses assumptions or inputs as described in the PVNGS Updated Final Safety Analysis Report (UFSAR).

12

Enclosure 2 to Extension of EDG AOT License Amendment Request 4.1.3 Evaluation of Risk Impact To assess the overall impact on plant safety, a probabilistic Risk Assessment (PRA) was performed consistent with the guidance provided in RG 1.177. The change in Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) resulting from extending the EDG AOT was evaluated. This evaluation included consideration of plant procedure 3ODP-9MT03, "Assessment and Management of Risk When Performing Maintenance in Modes 1-4," that PVNGS established pursuant 10 CFR 50.65 (a)(4). This risk evaluation was performed using the three-tiered approaches suggested in RG 1.177, as follows:

Tier 1, PRA Capability and Insights Tier 2, Avoidance of Risk-Significance Plant Configurations Tier 3, Risk-Informed Configuration Risk Management 4.2 Probabilistic Risk Assessment (PRA) of the Proposed EDG Allowed out of Service Time (AOT) Extension The risk assessment of the proposed change was generated using the current PRA model for the plants, which represents the as-built, as-operated state of all three Palo Verde units. The current model is very different from that represented in the Individual Plant Examination (IPE), submitted to the NRC in response to Generic Letter 88-20 (Reference 3). It has undergone many updates and has, in fact, been completely reconstituted in order to satisfy growing requirements to assure its quality and allow its application to risk-informed decision making.

Section 2, of Attachment 2 to this Enclosure, provides a listing of changes made throughout the history of the PRA.

Some of the model changes relevant to this submittal are as follows:

• Added modeling of the Station Blackout Gas Turbine Generators (GTGs),

which were installed to address the Blackout Rule, 10 CFR 50.63. While the modeling of the GTGs was not credited in the IPE directly, it was used to address and close out Unresolved Safety Issue (USI) A-45 (Shutdown Decay Heat Removal Requirements), which was included as part of the GL 88-20 submittal. It should be noted that all cabling from the GTGs to the three power plant units is underground. Furthermore, the location of the GTG structure and associated support equipment is sufficiently removed from the switchyard that a tornado would be extremely unlikely to affect both.

• Refined modeling of in-plant power distribution failures as Initiating events to ensure completeness.

13

Enclosure 2 to Extension of EDG AOT License Amendment Request

• As more plant specific data has become available through failure data trending and Maintenance Rule (10 CFR 50.65) requirements, failure rates for risk important equipment have been Bayesian-updated. For most equipment included in the scope of the Maintenance Rule, plant specific unavailability values are used.

• Updated Initiating Event Frequencies in 2001, including Loss of Offsite Power (LOOP), resulting in significant decreases to Uncomplicated Reactor Trip and Turbine Trip frequencies. The definition of Uncomplicated Reactor Trip (called Miscellaneous Trip in the model) was narrowed to be consistent with the rest of the industry. Previously, all manual shutdowns, including for planned outages, were counted as initiators. This change resulted in much lower Core Damage Frequency (CDF) and Large Early Release Frequency (LERF), and significantly affected importance measures.

• Added more detail to the switchyard modeling to better assess maintenance activities.

• Credited use of the alternate offsite power supply to each Engineered Safety Features (ESF) bus. This plant feature had not been procedurally allowed due to Technical Specification (TS) interpretation (prior to adopting the Improved Standard TS in 1998).

• A physical plant change added a redundant power supply to the Balance of Plant (BOP) Engineered Safety Features Actuation System (ESFAS) cabinet cooling fans. This change makes spurious load shed actuations much less likely.

The Palo Verde PRA covers At-Power Internal Events (excluding internal flooding) and At-Power Fire Events. Internal flooding was addressed using a screening process. No vulnerabilities were found. In particular, the Diesel Generator Building is not susceptible to flood damage due to having sumps with level alarms, sump pumps and no high capacity water systems present, except the Essential Spray Pond, which provides engine cooling. There are no trip initiators in the Diesel Generator Building.

Other than fire, external events were addressed using screening methods. Palo Verde Is in a low seismic hazard zone and was evaluated to the 0.3g acceleration level in the Individual Plant Examination for External Events (IPEEE). No vulnerabilities were found. The principal impact of a severe earthquake with respect to this proposed amendment would be loss of offsite power (LOOP). This is sufficiently bounded by the sensitivity study performed on LOOP frequency.

Weather is accounted for in this analysis through use of two LOOP initiators, one for severe weather and another for extreme weather.

14

Enclosure 2 to Extension of EDG AOT License Amendment Request Fire events originating in the Diesel Generator Building represent less than 1%of total fire CDF and LERF. Fire CDF is about 24% of Combined CDF and Fire LERF is about 10% of Combined LERF.

The risk analysis presented herein generally conforms to the three-tiered approach that is identified in Regulatory Guide 1.177, An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications, August 1998.

4.2.1 Tier 1. PRA Capability and Insights 4.2.1.1 The following risk metrics are used for this analysis:

• CDF - Core Damage Frequency

• LERF - Large Early Release Frequency

• ICCDP - Incremental Conditional Core Damage Probability = [(conditional CDF with the subject equipment out of service) - (baseline CDF with nominal expected equipment unavailability)] * (duration of a single AOT under consideration).

• ICLERP - Incremental Conditional Large Early Release Probability =

[(conditional LERF with the subject equipment out of service) - (baseline LERF with nominal expected equipment unavailability)] * (duration of a single AOT under consideration).

The PRA model was re-quantified for each case presented. Truncation levels used in this analysis are shown inthe table below. A truncation analysis was performed in PVNGS Engineering Study 13-NS-C029 showing that truncation six orders of magnitude below the result is sufficient to capture at least 90% of actual CDF or LERF.

Table I - Truncation Level lIntemnal Events l1E-11 l2E-1 2l Regulatory Guide 1.177 presents two methodologies for ICCDP and ICLERP, one for preventive maintenance, where common cause failure of the EDGs is not considered likely, and one for a corrective maintenance situation, where an EDG fails, and a long outage is taken in order to affect repairs. Inthe case of corrective maintenance, it is presumed that common cause failure of the other train's EDG is more likely. However, Technical Specifications requires testing the other train upon a failure of an EDG if common cause can be suspected.

Thus, it is unlikely that the plant would operate for any significant length of time 15

Enclosure 2 to Extension of EDG AOT License Amendment Request with the higher potential for the failure of the available EDG. Only the values of the risk metrics for a preventive maintenance case are presented. The metrics were calculated for the corrective maintenance case; there was no material difference in the results and subsequent conclusions.

4.2.1.2 Modelinq of LOOP and Non-Recovery Probabilities The Palo Verde PRA model was updated for this application to use the latest data to account for recent industry experience, specifically the widespread blackout that occurred in the northeastern part of the U.S. and southern Canada in August 2003, as well as the more recent loss of offsite power at Palo Verde in June 2004. LOOP categories and data from draft NUREG/CR-INEELUEXT 02326, "Evaluation of Loss of Off-Site Power Events at Nuclear Power Plants:

1986-2003", were used as starting points for LOOP frequencies and non-recovery probabilities. All five LOOP categories are explicitly modeled, along with their specific non-recovery probabilities. This is documented in PVNGS Engineering Study 13-NS-C004 Rev 4, "At-Power PRA Study for Loss of Offsite Power Statistical Evaluation."

4.2.1.3 Results for Incremental Conditional CDP and LERP The risk metrics required by the Regulatory Guides (RGs) were determined for Internal Events. The RGs provide the following guidelines for maximum increases for both incremental (instantaneous) risk (RG 1.177 - Reference 1) and for average risk increase (RG 1.174- Reference 2):

• ICCDP - 5E-7

• ICLERP - 5E-8

• CDF - 1E-6/yr

• LERF - I E-7/yr Both documents stress that these are not to be considered strict limits, but should be considered In the context of overall plant risk (internal events, external events, full power and shutdown modes) and also in light of the state of knowledge of uncertainties.

The analyses supporting the results presented here for the EDG AOT extension are In PVNGS Engineering Study 13-NS-C060, Rev. 3. The conditional probabilities are shown in Table 2 for Internal Events (excluding floods).

16

Enclosure 2 to Extension of EDG AOT License Amendment Request Table 2: Incremental Conditional CDP and LERP for 10-Day AOT

-. -N - mlI Internal Events ICCDP 6.44 E-7 6.05 E-7 Internal Events ICLERP 3.42 E-8 3.32 E-8 The internal events model results show that for a ten day AOT, ICCDP slightly exceeds the guideline (RG 1.177) for ICCDP of 5E-7, but ICLERP is within the guideline (RG 1.177) of 5E-8.

The methodology for determining the effect on yearly average CDF and LERF is also presented in RG 1.177. Best-estimate unavailability is used for the equipment being analyzed. The current frequency interval practice for the complete teardown of an EDG is once per three years (two 18-month fuel cycles). One train is currently performed every other cycle, or three years.

PVNGS is currently implementing a frequency change to once per four and one half years (three cycles) for these teardowns. The first full three-cycle EDG teardown will begin in the spring of 2006. Maintenance and System Engineering estimate that 6.5 days would be a reasonable length of time to accomplish the required work and allow for retest. However, this outage would replace a current online outage time of about one day. Thus, there would be a net increase of 5.5 days. To determine what the expected actual EDG unavailability would be, the following assumptions were made: A 5.5 day outage, including retest, for one engine each three years (using this assumption of two cycles, as opposed to three cycles, will yield conservation results). The additional unavailability is:

5.5 days /(3.0 yrs

• 365 days/yr) = 5.02E-3 This is added to the current unavailability of 6.74E-3, which results in a new unavailability of 1.1 8E-2. This value is then substituted for the current EDG maintenance unavailability parameter in the model, and the model is re-quantified. The resulting changes to internal events CDF and LERF are presented in Table 3:

Table 3: Changes to Average CDF and LERF r .44E-5/yr 3.OE-7 2.1 mtEebsLEF II.6E6/ 1I.66E-6/yr 2.0E-81yr 1.2 Paragraph 2.2.4 of RG 1.174 presents the acceptance guidelines for changes to CDF (1E-6/yr) and LERF (1E-7/yr).

17

Enclosure 2 to Extension of EDG AOT License Amendment Request 4.2.1.4 Modeling Uncertainty Several sources of modeling uncertainty related to loss of offsite power (LOOP) can be identified:

Regional variation in LOOP frequencv - A recent technical report by Westinghouse performed for the Westinghouse Owners Group, WCAP-16304-P, "Strategy for Identifying and Treating Modeling Uncertainties in PRA Models: Issues Concerning LOCA and LOOP," and draft NUREG

[NUREG/CR-INEEL/EXT-04-02326, Evaluation of Loss of Off-Site Power Events at Nuclear Power Plants: 1986-2003 (draft)] both show significant differences in grid related LOOP frequency among the various grids across the country. In this analysis only the Western Electric Coordinating Counsel (WECC) area was used for the grid related frequency. This was Bayesian-updated with the event that occurred at Palo Verde on June 14, 2004.

• Seasonal variation in LOOP frequenc - Unlike other regions, the WECC did not show a seasonal variation, since no events had occurred for the time period the data covers. The Palo Verde event was not related to seasonal loading characteristics.

• Non-recovery factors - lumping non-recovery factors for all types of LOOPs may not yield representative results - The non-recovery factors applied in this analysis in the determination of ICCDP and ICLERP, which are the more critical metrics, were specific to each type of LOOP.

• Data - Use of generic data may not be appropriate. Also, common cause data may be biased high because of the lack of recent generic and plant specific data and improving EDG performance in recent years. In addition.

the stringent starting time requirements associated with LOCA events bias failure data on the high side (more realistic timing requirements would have resulted in fewer failures counted). The Palo Verde PRA model uses Bayesian-updated reliability data and plant specific unavailability data. This should minimize the uncertainty associated with those values. It can only be acknowledged and pointed out in the results and conclusions that the reliability and common cause values are probably somewhat high.

• Not crediting available power supplies in the PRA model will bias the results hlah - This has applicability in this analysis, because although there are

~t -_ AARO X - -A x -x4gdFA1 Aak nA- A_+-ok MA;____> slag

Enclosure 2 to Extension of EDG AOT License Amendment Request assumptions and modeling of Reactor Coolant Pump seal LOCA. The Combustion Engineering Owners Group developed a RCP seal model, which has been reviewed by the NRC (a Staff Evaluation is currently in progress; RAls have been satisfactorily dispositioned), that shows seal LOCA to be a much lower probability event for Combustion Engineering (CE) plants in general than for the Westinghouse design pump seal. Palo Verde's pump design is unique, even among CE plants. The thermal barrier between the pump volute and the journal bearing is extremely tight and limits leakage from the RCS to about seventeen gallons per minute (gpm) per pump, even with complete seal failure. This leakage can be mitigated using charging pumps, so it is not a LOCA. The current PRA model has incorporated these findings; it does not contain RCP seal leak or LOCA modeling. However, modeling for this application was performed on a previous model revision that included RCP seal LOCA. There is no significant change as a result of deleting this modeling. It should also be pointed out that the Refueling Water Tank has sufficient volume to address seal leakage for nearly two weeks with the plant at normal operating temperature.

4.2.1.5 Sensitivity Analyses The parameters chosen for sensitivity analysis are those that have an impact on the change in risk between the base case and the case of an EDG out of service.

Initiating Events Loss of Offsite Power (LOOP) would be expected to have a significant impact during an EDG outage, since the EDG's sole purpose is to provide power under such circumstances. The effect of a higher LOOP frequency is addressed below. No other initiators would be expected to have a disproportionate impact with an EDG out of service.

Variation of Outage Length As can be seen by the results presented herein, taking the additional unavailability (an increase of about a factor of two) presents minimal risk increase. Small variations in actual unavailability, therefore, would have very small effects on delta (A)CDF or A LERF. The frequency of such outages is not expected to increase from the assumptions used. Should an additional outage for repair of a failed EDG become necessary, the impact of this additional outage would be evaluated as required by the Maintenance Rule (10 CFR 50.65),

paragraphs a(1) and a(2), as well as a(4), as discussed below.

Effect of Higher Loss of Offsite Power Frequency A sensitivity study was performed on the grid related LOOP frequency. This parameter was chosen, because it is the highest of the LOOP types, has the largest uncertainty (largest error factor) and is the only type of LOOP to have occurred at Palo Verde. The frequency was doubled to a value of 2.08E-2/yr.

19

Enclosure 2 to Extension of EDG AOT License Amendment Request The results are shown below for each EDG out of service. For a 100% increase in grid related LOOP frequency, the Internal Events ICCDP increases by 43%.

The values are still within the RG 1.177 guideline of 1E-6. ICLERP still is within the RG 1.177 guideline of 5E-8. The results are shown in Table 4:

Table 4 - ICCDP and ICLERP with Grid Centered IELOOP Doubled IWINI Internal Events ICCDP 9.21 E-7 8.66E-7 Internal Events ICLERP 4.93E-8 4.77E-8 4.2.1.6 Eauinment and Operator Action Importance Changes The change to importance in both equipment and human actions was also investigated. This was done by taking the ratios of Risk Increase Factor (RIF)

(equivalent to Risk Achievement Worth) for an EDG out of service to baseline.

Significant changes are taken to be RIFs that increase by at least a factor of two.

Those failures are all associated with:

1. Maintaining offsite power to the train with the unavailable EDG,

2. Maintaining offsite power to the opposite train,

3. The gas turbine generators (alternate AC), and

4. Supporting the available EDG.

One operator action appears with a RIF ratio greater than 2.0, specifically failure to station an Auxiliary Operator at the Downcomer Feedwater Containment Isolation Valves for manual operation. This is a long term (at least two hours available) action required only after high pressure nitrogen is exhausted (nitrogen provides the motive power to keep the valves open against spring force). With one of two paths aligned (two valves open), the non-essential auxiliary feedwater (AF) system pump may be used. There are also battery and several EDG cooling water valve 'fail to restore after maintenance' events. These are precursor events and are not associated with responding to a LOOP.

The results for loss of electrical power to the two trains of AF are not identical due to the asymmetric nature of the AF system. There are two Class 1E AF pumps located in a seismically qualified structure, one turbine driven (Train A) and one electric driven (Train B). The third pump (electric driven) is non-class 1E, located in the Turbine Building, and powered from Train A Class 1E power, Thus, two of the three pumps ultimately get power from Train A. In addition, the turbine driven pump is less reliable than either of the electric pumps. However, the turbine driven pump can be operated locally with no power available.

20

Enclosure 2 to Extension of EDG AOT License Amendment Request Though not modeled in the PRA, the plant is capable of maintaining hot standby under blackout conditions for an extended period of time. In addition to the local, non-electric powered operation of the turbine driven AF pump noted above, two of the four channels of steam generator level indication can be expected to be available for at least 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> with no battery charging capability. The associated Vital AC panels draw approximately 40 amps from batteries with a capacity of 2,415 amp-hours. There are no other significant loads on the associated DC buses. Atmospheric Dump Valves (ADVs) can also be operated locally. Their position indications would be available in the Control Room. Best-estimate analysis shows that the Condensate Storage Tank (CST) volume is sufficient for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> at hot standby. It is also possible to transfer condensate from one unit to another.

4.2.1.7 Risk Impact to Forced Shutdown Paragraph 2.3.2 of Reg. Guide 1.177 suggests evaluating any risk impact if the proposed TS change involves systems related to decay heat removal. The emergency diesel generator (EDG) is one such system. Additional risk due to a forced shutdown while an EDG is out of service is minimal. This can be shown simply by investigating the likelihood of all the factors that would have to coincide. The daily probability of LOOP is about 6E-5. The additional EDG unavailability from above (section 4.1.2.4) is about 5E-3. One forced plant outage per year is a daily probability of about 3E-3. Thus the likelihood of a forced outage occurring during the 5.5 potential additional EDG outage days and having a LOOP during that time is on the order of 6E-9. This would then be multiplied by the condition core damage probability (CCDP). Clearly, this is an insignificant risk increase.

ICCDP = 5.5 days x (6E-5/day) x (5E-3) x (3E-3) x CCDP << 5E-7 4.2.1.8 Off-Set Shutdown Risk Shutdown risk cannot be quantified because Palo Verde does not have a shutdown risk model. However, some shutdown risk will be avoided by performing the planned maintenance on one EDG during power operation. It is expected that the EDG whose maintenance is to be done online will be available for several more days than is currently possible during a refueling outage.

Furthermore, Integrated Safeguards testing on the train associated with the EDG being maintained online is done at the front end of the outage, providing high confidence in its reliability during the outage.

4.2.1.9 Risk Results Conclusion The results of this analysis provide justification to extend the allowed outage time for the emergency diesel generators to 10 days. The average changes to CDF and LERF are well within the guideline values in RG 1.174. Even though ICCDP 21

Enclosure 2 to Extension of EDG AOT License Amendment Request and ICLERP slightly exceed the guideline values contained in Regulatory Guide 1.177, the calculated increase in internal events risk can be considered acceptable.

External events considered include internal fires and floods. The EDGs have been found not to be vulnerable to those events. The entire diesel generator building contributes less than 1%to total fire CDF, and there are no plant trip initiators in that building. Seismic effects on the plant relative to this analysis are confined to an increased probability of losing offsite power, which is well bounded by the sensitivity performed on the grid related Internal Events LOOP (IELOOP) value.

Modeling uncertainties are well understood. EDG unreliability and common cause data are likely biased high due to increasingly better performance throughout the industry since the Station Blackout and Maintenance Rules were implemented, which are not yet reflected in generic data (Bayesian updated) used in the model.

Also, unit EDG cross-tie capability is not credited inthe PRA model. While the Human Reliability Assessment for this action would yield a relatively high number, it still may serve to mitigate certain types of LOOPs. All of these factors, if considered explicitly, would bring the resulting calculated values down.

The importance analysis showed those basic events become significantly more important with one EDG out of service. Most of those events are for simple components, such as valves and circuit breakers, where a large body of failure data, both generic, and in some cases plant specific, is available. Thus, the parameter uncertainty is low. The only operator action that appears is for a long-term action to block open two containment isolation valves. There is high confidence in carrying out that action, since much time is available for diagnosis; it is simple, proceduralized and practiced.

Existing administrative controls are adequate to control risk during the extended EDG unavailability. Work control practices do not allow taking alternate power sources out of service concurrently. Verifying the operability of the other EDG and of the alternate offsite power supply, and not scheduling the EDG outage during periods of unstable weather, would provide additional assurance that having an EDG out of service for an extended period does not present an unacceptable increase in configuration risk.

4.2.1.10 Qualitv of the PVNGS PRA Section 1, of Attachment 2 to this Enclosure, details the various aspects of establishing and maintaining the quality of the PVNGS PRA model, including:

• Qualification of staff

• Model control and documentation 22

Enclosure 2 to Extension of EDG AOT License Amendment Request

• Software control

• Model update process

• External reviews 4.2.2 Tier 2. Avoidance of Risk-Significant Plant Configurations Tier 2 is an identification of potentially high risk configurations that could exist if equipment, in addition to that associated with the TS change, is taken out of service concurrently or due to other risk significant operational factors. The objective is to ensure that appropriate restrictions are placed on dominant risk significant configurations that would be relevant to the proposed TS change.

4.2.2.1 Offsite Power Reliability and Station Blackout Gas Turbine Generators Since this TS change deals with onsite emergency AC power, the reliability of offsite power is of paramount importance. Severe weather can affect the reliability of offsite power. It is most likely to occur in the summer, when seasonal atmospheric flows bring moisture to the area from the Gulf of Mexico.

Scattered thunderstorms with accompanying dust and high winds are an almost daily possibility, and cannot be predicted. Spring and autumn weather is especially mild. Winter storms can bring significant rain, but are rarely energetic in terms of wind and lightning. They are also much more predictable, as they are typically associated with large systems that develop in the Gulf of Alaska. Thus, the EDG outages would not typically be scheduled during the summer months when the unpredictable severe weather is a possibility, as discussed in 4.1.1.

Summer is also when the grid is most heavily loaded and has the lowest operating margins.

Current procedural guidance does not allow scheduling work on the GTGs (Palo Verde's alternate AC power source) or the Start-up Transformers concurrently with any unit's EDG, as discussed in 4.1.1. Guidance also limits work that may be done in the switchyard during periods an EDG is not available.

4.2.2.2 Unit Interactions Other than sharing Start-up Transformers and the switchyard, the three Palo Verde units are independent of each other. There are no interactions where a configuration in one unit affects the risk profile of another unit. The two Station Blackout Gas Turbine Generators are also shared, but they are not normally connected to any of the units. Because they were designed to serve only one unit at a time (although they can supply two units with load restrictions), no more than one of the site's six EDGs is taken out of service at any given time, as discussed in 4.1.1. This minimizes the possibility of a Station Blackout occurring in more than one unit.

23

Enclosure 2 to Extension of EDG AOT License Amendment Request A review of PVNGS procedure 3ODP-9MT03, Assessment and Management of Risk When Performing Maintenance in Modes 1-4, shows the following:

1. Work on other same-train systems is allowed (with supporting risk analysis) concurrently with EDG work. However, no work is scheduled on the power distribution equipment or the gas turbine generators, which is the set of equipment that becomes significantly more important during EDG unavailability.

2. Opposite train work is not routinely scheduled. Emergent work items are evaluated before addition to the work schedule.

3. EDG work exceeding the scheduled time may require adjustment to the work scheduled for the remainder of the outage, but the same controls would be applied.

Thus, for preventive maintenance work on the EDGs, the current administrative controls are adequate to prevent high risk configurations. Should an EDG unexpectedly become unavailable, the plant configuration would be evaluated and action taken according to the action level (based on the risk-increase factor) entered along with performing any required TS actions. A long term online outage of the EDG for repair purposes would have to be evaluated against other necessary maintenance scheduled during that time and also against the Maintenance Rule unavailability target for the EDG. In any event, actions are required to minimize plant risk. Several performance indicators can be impacted negatively in such a situation. It should be noted that it is most likely that an EDG would be discovered to be inoperable via its surveillance test, which occurs during the time it is scheduled for work anyway. Thus, its unavailability would not have any immediate high risk impact; there would be plenty of time to weigh options.

4.2.3 Tier 3. Risk-informed Configuration Risk Management A Tier 3 configuration risk management program (CRMP) exists at Palo Verde by implementation of Maintenance Rule (10 CFR 50.65 (a)(4)). The CRMP requirements are in Section 5.0.500.19 of the PVNGS Technical Requirements Manual (TRM).

Configuration risk is controlled using Station Procedure 3ODP-9MT03. Palo Verde has implemented the EOOS software in each unit, both to plan maintenance and to show configuration risk in real time.

Conclusion Summary The proposed extension of the EDG AOT is based upon both a deterministic evaluation and a risk-informed assessment. Both of these support the proposed change to a 10 day AOT for the EDG. These changes to LCO 3.8.1 will provide 24

Enclosure 2 to Extension of EDG AOT License Amendment Request the flexibility necessary to optimize both outage schedules and the utilization of resources, while still protecting the health and safety of the public and station personnel.

4.3 Technical analysis for the addition of note to LCO 3.8.3. Condition F - "Diesel Fuel Oil. Lube Oil, and Starting Air to allow starting air receiver pressure to be momentarily low during starting Periodic starting of the emergency Diesel Generator(s) (EDGs) requires isolation of one of the two normally aligned air start receivers. During the subsequent diesel generator start, the air pressure in the one remaining air receiver may momentarily drop below the minimum required pressure of 185 psig. This is a momentary transient (typically less than three minutes) outside the band that does not invalidate the test and may be noted after a successful start on one bank of air compressors/air receivers. This would normally require immediately declaring the now running diesel generator inoperable (entry into LCO 3.8.3, Condition F) due to low pressure in the air start system (<185 psig).

A successful Emergency or Test Mode start of the EDG makes entering the TS action to declare the diesel generator inoperable unnecessary as the engine has started successfully and is operating per procedures. If the engine starts normally, the air receiver system has performed its intended safety function. In all cases when the engine does not start properly, it would be declared inoperable per the requirements of LCO 3.8.1 and a troubleshooting plan would be developed regardless of the receiver air pressure status.

As such, LCO 3.8.3, Condition 'F' would be modified by a note stating that, "Should the required starting air receiver pressure momentarily drop to <185 psig while starting the DG on one air receiver only, then entry into Condition F is not required." It is expected that this condition would be fairly short in duration (less than 3 minutes), as the air start compressor would quickly restore the air receiver pressure after the diesel start.

The note modifying LCO 3.8.3, Condition F has been written to only apply to a single air receiver pressure momentarily dropping below 185 psig during the starting sequence of a diesel generator. This note is written in this manner because this is the only time and sequence of events that this condition is expected to possibly occur and this condition would not prevent the EDG from performing its safety function.

4.4 Technical analysis for the revision to LCO 3.4.9 - "Pressurizer' to eliminate the reference for emergency Dower sunnlv The current PVNGS TS Bases for LCO 3.4.9 describes that, "the heaters are not specifically used in accident analysis and the need to maintain subcooling in the long term during loss of offsite power, as indicated in NUREG-0737 [Clarification 25

Enclosure 2 to Extension of EDG AOT License Amendment Request of TMI Action Plan Requirements], is the reason for their inclusion," into this LCO. The intent of these heaters is to keep the reactor coolant in a subcooled condition with natural circulation at hot, high pressure conditions for an undefined, but extended, time period after a loss of offsite power. While loss of offsite power is a coincident occurrence assumed in the accident analyses, maintaining hot, high pressure conditions over an extended time period is not evaluated in the accident analyses.

The TS Bases also describes that the requirement for the emergency power supplies for the TS pressurizer heaters are based on NUREG-0737. Specifically, NUREG-0737, Task II.E.3.1 - "Emergency Power Supply for Pressurizer Heaters," states:

(1) The pressurizer heater power supply design shall provide the capability to supply, from either the offsite power source or the emergency power source (when offsite power is not available), a predetermined number of pressurizer heaters and associated controls necessary to establish and maintain natural circulation at hot standby conditions. The required heaters and their controls shall be connected to the emergency buses in a manner that will provide redundant power supply capability.

Per plant design, two banks (B1 and 82) of pressurizer heaters, that meet NUREG-0737 and TS 3.4.9 requirements, are connected to the Class 1E 4.16 kV (PB) buses (PBA-S03 and PBB-S04) via Class 1E 480 VAC (PH) Load Centers. The Class 1E 4.16 kV bus distribution systems are described in section 3.1 of this Enclosure. These two heater banks (B1 and B2) are the required pressurizer heater groups that are described in LCO 3.4.9. Additionally, these two heater banks and their physical connection to the Class 1E power distribution systems (PB and PH systems) meet the requirements of NUREG-0737. The Class 1E 4.16 kV buses are normally supplied from offsite power.

Upon a loss of offsite power (LOOP) the diesel generators will automatically start and connect to their dedicated Class 1E 4.16 kV bus, supplying power to the Class 1E pressurizer heaters (81 and 82). Other emergency power supplies can additionally be aligned to the Class 1E 4.16 kV buses via onsite Station Blackout Gas Turbine Generators and crosstie alignments with other units' diesel generators.

In conclusion, there is not a need or a requirement for the inclusion of the words, "and capable of being powered from an emergency power supply," in this LCO.

Therefore, the portion of this LCO that is being deleted is not necessary to ensure the operability of the pressurizer. In addition, this change will help ensure that while extending the current AOT for the EDG from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 10 days that the pressurizer LCO is not mistakenly entered due to a diesel generator being removed from service for greater than 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. This Is a similar request to that which was approved in Precedent No. 2 cited at the end of this Enclosure.

26

Enclosure 2 to Extension of EDG AOT License Amendment Request 5.0 REGULATORY SAFETY ANALYSIS 5.1 No Significant Hazards Consideration This license amendment request proposes three changes to the Palo Verde Nuclear Generating Station (PVNGS) Units 1, 2, and 3 Technical Specifications (TS):

• Extend the current allowed completion time for a single emergency diesel generator (EDG) to be out of service from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 10 days. Currently, LCO 3.8.1 - AC Sources-Operating, Condition B, requires one inoperable diesel generator to be restored to operable status within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. This proposed change would allow 10 days for the restoration of one inoperable emergency diesel generator to operable status. This change will provide operational and maintenance flexibility. It will also allow performance of EDG inspection and maintenance activities during plant operation, reducing plant refueling outage duration and improving EDG availability during shutdown.

Additionally, corresponding changes to LCO 3.8.1, Condition A.3 and B.4 Completion Times from 6 days to 13 days will be made to accommodate for the extension time of the diesel generator AOT to 10 days.

PVNGS TS 3.8.1, "AC Sources - Operating," specifies control requirements for the Class 1E AC electrical power distribution system. The Class 1E AC distribution system is normally supplied power from the preferred off site power sources through Engineered Safety Features (ESF) service transformers (NBN-X03 and NBN-X04). The Class 1E AC distribution system can be fed from the two offsite power sources (525 kilovolt (kV) stepped down to 13.8 ky), and from onsite vital standby power sources (two diesel generators for each unit). Additionally, during a station blackout event (SBO),

gas turbine generators (GTGs) can be aligned to supply AC power to an ESF bus. As required by 10 CFR 50, Appendix A, GDC 17, the design of the AC electrical power system provides independence and redundancy to ensure an available source of power to the Engineered Safety Feature (ESF) systems.

The Class 1E AC distribution system for each unit is divided into two load groups (designated Class 4.16 kV buses (PB) PBA-S03 and PBB-S04) so that the loss of any one group or bus does not prevent the minimum safety functions from being performed. Each of these load group or buses has connections to offsite power sources and a single dedicated EDG.

• Provide a clarifying note to Condition F of Technical Specification LCO 3.8.3, "Diesel Fuel Oil, Lube Oil, and Starting Air". This note would allow a momentary drop in an emergency diesel generator's air receiver pressure during the starting of the diesel generator on a single air receiver.

27

Enclosure 2 to Extension of EDG AOT License Amendment Request The Emergency Diesel Generator (EDG) air start system provides for storage and control of compressed air for starting the diesel. The diesel engine is started using compressed air furnished by two separate motor driven air compressors. Each compressor pumps air through a check valve, past a relief valve, through a coalescing filter, a refrigerant type air dryer, into an air receiver. The air compressor discharge may be cross connected to pressurize the other receiver, if needed. This is a dual system with either half capable of starting the engine.

Periodic starting of the EDGs requires isolation of one of the two normally aligned air start receivers. During the subsequent diesel generator start, the air pressure in the one remaining air receiver may momentarily drop below the minimum required pressure of 185 psig. This is a momentary transient (typically less than three minutes) outside the band that does not invalidate the test and may be noted after a successful start on one bank of air compressors/air receivers. This would normally require immediately declaring the now running diesel generator inoperable (entry into LCO 3.8.3, Condition F) due to low pressure in the air start system (<185 psig).

A successful 'Emergency' or 'Test Mode' start of the EDG makes entering the TS action to declare the diesel generator inoperable unnecessary as the engine has started successfully and is operating per procedures. If the engine starts normally, the air receiver system has performed its intended safety function. In all cases when the engine does not start properly, it would be declared inoperable per the requirements of TS LCO 3.8.1 and a troubleshooting plan would be developed regardless of the receiver air pressure status.

Modify the wording to Technical Specification LCO 3.4.9 - "Pressurizer", to eliminate the reference that the required pressurizer heater groups are capable of being powered from an emergency power supply.

The PVNGS TS Bases describes that the requirement for the emergency power supplies for the TS pressurizer heaters are based on NUREG-0737.

Specifically, NUREG-0737, Task II.E.3.1 - "Emergency Power Supply for Pressurizer Heaters" states:

(1) The pressurizer heater power supply design shall provide the capability to supply, from either the offsite power source or the emergency power source (when offsite power is not available), a predetermined number of pressurizer heaters and associated controls necessary to establish and maintain natural circulation at hot standby conditions. The required heaters and their controls shall be connected to the emergency buses in a manner that will provide redundant power supply capability.

28

Enclosure 2 to Extension of EDG AOT License Amendment Request Per plant design, the two banks (B1 and B2) of pressurizer heaters, that are used to meet the NUREG-0737 and TS 3.4.9 requirements, are connected to the Class 1E 4.16 kV buses (PBA-S03 and PBB-S04) via Class 1E 480 VAC Load Centers. The Class 1E 4.16 kV bus distribution systems are described in section 3.1 of this Enclosure. These two heater banks (B1 and B2) are the required pressurizer heater groups that are described in LCO 3.4.9.

Additionally, these two heater banks and their physical connection to the Class 1E power distribution systems (PB and PH systems) meet the requirements of NUREG-0737.

The Class I E 4.16 kV buses are normally supplied from offsite power. Upon a loss of offsite power (LOOP) the diesel generators will automatically start and connect to their dedicated Class 1E 4.16 kV bus, supplying power to the class pressurizer heaters (BI and B2). Other emergency power supplies can additionally be aligned to the Class 1E 4.16 kV buses via onsite Station Blackout Gas Turbine Generators and crosstie alignments with other units' diesel generators.

The portion of this LCO that is being deleted is not necessary to ensure the operability of the pressurizer. In addition, this change will help ensure that while extending the current AOT for the EDG from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 10 days that the pressurizer LCO is not mistakenly entered due to a diesel generator being removed from service for greater than 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

Arizona Public Service Company (APS) has evaluated whether or not a significant hazards consideration is involved with the proposed amendments by focusing on the three standards set forth in 10 CFR 50.92, "Issuance of Amendment," as discussed below:

1. Does the proposed change involve a significant increase in the probability or consequences of an accident previously evaluated?

Response: No.

The proposed Technical Specification (TS) change to increase the emergency diesel generator (EDG) allowed out of service time (AOT) from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 10 days will not cause an accident to occur and will not result in any change in the operation of the associated accident mitigation equipment.

The EDGs are not accident Initiators. The EDGs are designed to mitigate the consequences of previously evaluated accidents including a loss of offsite power. Extending the AOT for a single EDG would not affect the previously evaluated accidents since the remaining EDG supporting the redundant Engineered Safety Features (ESF) systems would continue to be available to perform the accident mitigation functions. The duration of this TS AOT considers that there is a minimal possibility that an accident will occur while a 29

Enclosure 2 to Extension of EDG AOT License Amendment Request component is removed from service. A risk informed assessment was performed which concluded that the increase in plant risk is small and consistent with the guidance contained in Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications." The design basis accidents will remain the same postulated events described in the PVNGS Updated Final Safety Analysis Report (UFSAR). In addition, extending the EDG AOT will not impact the consequences of an accident previously evaluated. The consequences of previously evaluated accidents will remain the same during the proposed 10 day AOT as during the current 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> AOT. The ability of the remaining TS required EDG to mitigate the consequences of an accident will not be affected since no additional failures are postulated while equipment is inoperable within the TS AOT. The remaining EDG is sufficient to mitigate the consequences of any design basis accident.

• The proposed addition of a note to Condition F of TS 3.8.3, would allow EDG starting air receiver pressure to momentarily drop below limits during successful starting of an EDG. The EDG air starting system will not be operated or be configured any differently than that which it is currently required and designed for. This proposed change will only add a note for clarification to Condition F of TS 3.8.3. This note describes entering this Condition is not necessary when the EDG starts normally and is operating per required procedures. Momentary transients outside the air receiver pressure range do not invalidate the successful start and running of the EDG. A successful start of the EDG indicates the starting air system has performed its required safety function. This proposed change will not increase the probability or consequence of an accident previously evaluated.

• The proposed TS change associated with the requirements for the pressurizer heaters to be supplied by emergency power will not result in any change in plant design. These components will continue to be powered from Class 1E power sources as described in the proposed TS Bases change associated with this change. As a result, the operation and reliability of the pressurizer heaters will not be affected by the proposed description change.

In addition, operation of the pressurizer heaters is not assumed to mitigate any design basis accident. The proposed changes will not cause an accident to occur and will not result in a change in the operation of any accident mitigation equipment. The design basis accidents remain the same postulated events described in the PVNGS UFSAR.

Therefore, the proposed changes do not involve a significant increase in the probability or consequences of an accident previously evaluated.

30

Enclosure 2 to Extension of EDG AOT License Amendment Request

2. Does the proposed change create the possibility of a new or different accident from any accident previously evaluated?

Response: No.

The proposed changes do not involve a change in the design, configuration, or method of operation of the plant that could create the possibility of a new or different accident. Equipment will be operated in the same configuration and manner that is currently allowed and designed for. The proposed changes do not introduce any new failure modes. This license amendment request does not impact any plant systems that are accident initiators or adversely impact any accident mitigating systems.

Therefore, the proposed changes do not create the possibility of a new or different accident from any accident previously evaluated.

3. Does the proposed change involve a significant reduction in a margin of safety?

Response: No.

The EDG reliability and availability are monitored and evaluated, in accordance with 10 CFR 50.65 (Maintenance Rule) performance criteria, to assure EDG out of service times do not degrade operational safety over time.

Extension of the EDG AOT will not erode the reduction in severe accident risk that was achieved with Implementation of the Station Blackout (SBO) rule (10 CFR 50.63) or affect any safety analyses assumptions or inputs. The SBO coping analysis is unaffected by the AOT extension since the EDGs are not assumed to be available during the coping period. The assumptions used in the coping analysis regarding EDG reliability are unaffected since preventive maintenance and testing will continue to be performed to maintain the reliability assumptions.

Accident mitigation functions will be maintained by the other TS required EDG availability to supply power to the safety related Class 1E electrical loads. The availability of the TS required offsite power combined with the availability of the PVNGS SBO Gas Turbine Generators (GTGs) and the use of the Configuration Risk Management Program required by 10 CFR 50.65(a)(4) provide adequate compensation for the small incremental increase in plant risk of the proposed EDG AOT extension. This small increase in plant risk while operating is offset by a reduction in shutdown risk resulting from the increased availability and reliability of the EDGs during refueling outages, and avoiding transition risk incurred during unplanned plant shutdowns. In addition, the calculated risk measures associated with the proposed AOT are below the acceptance criteria defined in Regulatory Guide 1.177.

31

Enclosure 2 to Extension of EDG AOT License Amendment Request

• The proposed change to add a note to Condition F of TS 3.8.3 does not involve changes to setpoints or limits established or assumed by the accident analyses. This note only applies to those occasions when after a successful start of an EDG has occurred and the starting air receiver pressure has momentarily dropped below its limit. This change allows for not declaring the EDG inoperable solely due to this momentary drop in pressure during a successful start of the EDG. No safety margin will be impacted by this change.

• The proposed TS change associated with the wording description of LCO 3.4.9, "Pressurizer," for the requirement of the pressurizer heaters to be supplied by emergency power does not adversely affect equipment design or operation, and there are no changes being made to the TS required safety limits or system settings that would adversely affect plant safety. The emergency power requirements for the pressurizer heaters, which came from the Three Mile Island (TMI) action item requirement II.E.3.1, "Emergency Power Requirements for Pressurizer Heater," of NUREG-0737, 'A Clarification of TMI Action Plan Requirements," will continue to be met. The pressurizer heaters, used to satisfy the NUREG-0737 and LCO 3.4.9 requirements, are by design, permanently connected to Class 1E power supplies as described in the PVNGS Updated Final Safety Analyses Report, Section 18.1.E.3.1.

Therefore, the proposed changes do not involve a significant reduction in a margin of safety.

Based on the above evaluation, APS concludes that the proposed amendments present no significant hazards consideration under the standards set forth in 10 CFR 50.92(c), and accordingly, a finding of "no significant hazards consideration" is justified.

5.2 Applicable Re-aulatorv Requirements The conformance discussion for General Design Criteria (GDC) is provided in Section 8 and Section 3.1 of the PVNGS UFSAR. The proposed changes have been reviewed and evaluated to determine whether applicable regulations and requirements continue to be met. PVNGS has concluded that the proposed changes associated with this license amendment request do not require any exemptions or relief from any regulatory requirements and do not affect conformance with any GDC differently than that described in the PVNGS UFSAR.

32

Enclosure 2 to Extension of EDG AOT License Amendment Request 5.3 Conclusion Based on the considerations discussed above, (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3)the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.

6.0 ENVIRONMENTAL CONSIDERATION

APS has evaluated the proposed amendments and determined the proposed amendments do not involve (i) a significant hazards consideration, (ii) a significant change in the types or significant increase in the amounts of any effluent that may be released offsite, or (iii) a significant increase in individual or cumulative occupational radiation exposure. Accordingly, the proposed amendments meet the eligibility criterion for categorical exclusion set forth in 10 CFR 51.22(c)(9). Therefore, pursuant to 10 CFR 51.22(b), no environmental impact statement or environmental assessment need be prepared in connection with the proposed amendments.

7.0 REFERENCES

1. Regulatory Guide 1.177, "An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications"

2. Regulatory Guide 1.174 "An Approach for using Probabilistic Risk Assessment in Risk-informed Decisions on Plant-Specific Changes to the Licensing Basis"

3. Letter 161-04750, "Submittal of PVNGS Individual Plant Examination for Severe Accident Vulnerabilities (Response to Generic Letter 88-20)," dated April 28,1992, from W. F. Conway (APS) to USNRC 8.0 PRECEDENTS

1. NRC Issued License Amendment 261,

Subject:

Millstone Nuclear Power Station, Unit No.2 - Issuance of Amendment Re: Emergency Diesel Generator Allowed Outage Time, dated January 4, 2002 (Accession No.:

MLI013310523)

2. NRC Issued License Amendment 151,

Subject:

Grand Gulf Nuclear Station, Unit 1 - Issuance of Amendment Re: Extended Allowed Outage Time for Diesel Generators, dated July 16, 2002 (Accession No.: ML021860203) 33

Enclosure 2 to Extension of EDG AOT License Amendment Request

3. NRC Issued License Amendment 179,

Subject:

Nine Mile Point Nuclear Station, Unit 1 - Issuance of Amendment Re: Diesel Generator Allowed Outage Time, dated February 3, 2003 (Accession No.: ML030340460) 34

Attachment I to Enclosure 2 Ratio of EDG "A" and EDG "B"Out of Service (OOS) to Basecase Risk Increase Factors

Attachment I to Enclosure 2 Extension of EDG AOT Ratio of EDG "A" OOS to Basecase Risk Increase Factors Ratio Event Event Description 1.478E+01 1PBAS03L---CB-ST #EOOS# Norm OSP Supply Bkr to Train A ESF Bus Trips (Local Fault) 1.242E+01 I PBAS03L--XCXBST Norm OSP Supply Bkr to Train A ESF Bus Trips (Cntrl Ckt Fault) 1.026E+01 1NANS05A-CBOST #EOOS# Tie Bkr Between NAN-S05 / S03 Spur Trip (Local Fault) (Unit 1 Only) 1.026E+01 1NANS05B---CBOST #EOOS# Intermediate Bus NAN-S05 Norm Supply Bkr Spur Trip (Local Fault) 1.021 E+01 1NANS03-138BSEPW #EOOS# 13.8kV Bus NAN-S03 Fault 1.021 E+01 1NANS05-138BSEPW #EOOS# 13.8kV Bus NAN-S05 Fault 9.444E+00 1NANS05A--XCXGST Tie Bkr Between NAN-S05 / S03 Spur Trip (Cntrl Ckt Fault) (Unit 1 Only) 9.371 E+00 I SPBHV050A-NV-RO Spray Pond B Nozzle Isolation Valve Fails Closed 9.371 E+00 1SPBHV050B-NV-RC Spray Pond B Nozzle Bypass Valve Fails Open 9.095E+00 1SPBV012---CV-FO Spray Pond Pump B Discharge Check Valve Fails to Open 8.616E+00 1NANS03A--XCXHST Train A ESF Serv X-fmr Supply Breaker Spurious Trip (Cntrl Ckt Fault) 8.421 E+00 IPEBG02----CB-ST #EOOS# DGB Output Breaker Trips (Local Fault) 8.400E+00 1SAB---LOP---2AT #EOOS# LOP/LS Mod Fails to Pass DG Start/Bkr Close Signal From Seqr to K205 8.400E+00 1SAB-DETECT-2AT #EOOS# LOP/LS Mod Fails to Generate DG Start Signal Upon LOP 8.222E+00 1SPBV012---CV-RO Spray Pond Pump B Discharge Check Valve Fails Closed 7.969E+00 INANS03A--- CBOST #EOOS# Train A ESF Serv X-fmr Supply Breaker Spurious Trip (Local Fault) 7.966E+00 ANANX03-SU-XMSPW #EOOS# Start-up Transformer X03 Fails 1

Attachment I to Enclosure 2 Extension of EDG AOT Ratio Event Event Description 7.739E+00 1NANS05B--XCXFST Intermediate Bus NAN-S05 Norm Supply Bkr Spur Trip (Cntrl Ckt Fault) 7.647E+00 1PEBG02---XCXEST DGB Output Breaker Trips (Cntri Ckt Fault) 7.420E+00 ANKNF20----BXAFR GTG Switchgear Battery Fails During Operation 7.375E+00 1SPBHCV136-NV-RO DGB Jacket Cooler Isolation Valve Fails Closed 7.375E+00 1SPBHCV130-NV-RO DGB Air After Cooler Isol Valve Fails Closed 7.375E+00 1SPBHCV126-NV-RO DGB Jacket Cooler Isolation Valve Fails Closed 7.375E+00 1SPBHCV134-NV-RO DGB Jacket Cooler Isolation Valve Fails Closed 7.375E+00 1SPBHCV132-NV-RO DGB Air After Cooler Isol Valve Fails Closed 7.375E+00 I SPBHCV128-NV-RO DGB Lube Oil Cooler Isolation Valve Fails Closed 7.159E+00 1NANS03-138EXOPW Fault in Overhead Lines Between 13.8kV Buses NAN-S05 / NAN-S03 7.013E+00 1NBNX03-138EXOPW Fault in Overhead Lines From NAN-S03 Bus to Train A ESF Serv X-fmr 6.758E+00 1PBA-UVP----2SA #EOOS# Spurious Actuation of UV Protection on Train A ESF Bus 6.667E+00 1NBNX03---XCXDXX Spur Trip of Train A ESF Serv X-fmr Supply/Fdr Bkrs to Both ESF Buses 6.646E+00 1SAB--LDSHED-2AT #EOOS# US Signal Fails to Clear Due to Sequencer or LOP/LS Module Fault 6.331 E+00 1NBNX03-138XMLPW #EOOS# Train A ESF Service Transformer Fails 6.269E+00 1SAB1 -K202-RX-DO #EOOS# LOP Group 1 US Signal Fails to Clear Due to K202 Fail to De-energize 6.170E+00 1SPBHVW50B-NVYRM Spray Pond B Nozzle Bypass Valve Not Restored After Mntc.

5.930E+00 1NKNM4502--CBDST #EOOS# Battery E Supply Breaker to DCCC NKN-M45 Spurious Trip (Local Fault) 5.930E+00 1NKND41 -125BSEPW #EOOS# Local Fault of DC Distribution Panel NKN-D41 5.930E+00 1NKNM45-125BSEPW #EOOS# Local Fault of DC Control Center NKN-M45 2

Attachment 1 to Enclosure 2 Extension of EDG AOT Ratio Event Event Description 5.780E+00 1NKNM4502-XCYJST Battery E Supply Breaker to DCCC NKN-M45 Spurious Trip (Cntrl Ckt Fault) 5.688E+00 1SPBHCV132-NVNRM DGB Air After Cooler Isol Valve Fail to Restore After Mntc 5.688E+00 I SPBHCV136-NVNRM DGB Jacket Cooler Isolation Valve Fail to Restore After Mntc 5.688E+00 1SPBHCV134-NVNRM DGB Jacket Cooler Isolation Valve Fail to Restore After Mntc 5.688E+00 1SPBHCV126-NVNRM DGB Lube Oil Cooler Isolation Valve Fail to Restore After Mntc 5.688E+00 1SPBHCV128-NVNRM DGB Lube Oil Cooler Isolation Valve Fail to Restore After Mntc 5.688E+00 1SPBHCV130-NVNRM DGB Air After Cooler Isol Valve Fail to Restore After Mntc 5.459E+00 1PEBG02---XCXEFT DGB Output Breaker Fails to Close (Cntrl Ckt Fault -

Monthly Test) 5.435E+00 1PEBG02---CBBFT DGB Output Breaker Fails to Close (Local Fault) 5.333E+00 1SPBP01 ---XCPGFS Spray Pond Pump B Fails to Start (Cntrl Ckt Fault) 5.322E+00 1PBBS04BL-XCXBXX Spur Elect Prot Trips DGB Feeder Bkr and Locks Out Alt OSP Supply 5.143E+00 I SABLG-K205RXAFT #EOOS# LOP Train B Group 2 Fails Due to Relay K205 Fail to Transfer 4.980E+00 1HDBHVAC-----20P #EOOS# DGB Engine and Control Room HVAC Fails 4.757E+00 1PEBG02--XCXIFT DGB Output Breaker Fails to Close (Cntrl Ckt Fault -

Refueling Test) 4.739E+00 1PEBG02---DG-FS DGB Fails to Start 4.375E+00 1NANS04A--CBOST #EOOS# Train B ESF Service X-fmr Supply Bkr Spurious Trip (Local Fault) 3.836E+00 1PEBG02----DG-FR DGB Fails to Run 3

Attachment I to Enclosure 2 Extension of EDG AOT Ratio Event Event Description 3.737E+00 1NKNF17----BXAFR Station Battery E to DCCC NKN-M45 Fails During Operation 3.682E+00 1NKNM4509--FU-OC DC Distribution Panel NKN-D41 Fuse Blows 3.675E+00 1SPBPOI ----CBBFT #EOOS# Spray Pond Pump B Circuit Breaker (PBB-S04C) Fails to Close (Local Fault) 3.619E+00 LOOP---------2PW Loss of Off-Site Power to Switchyard Post Trip 3.581 E+00 1SPBP01---MPCFS Spray Pond Pump B Fails to Start (Local Fault) 3.555E+00 AFSNVO03--NV-RO Fuel Oil Supply Valve to GTG Fails Closed 3.555E+00 AFSNVO09---NV-RO Fuel Oil Supply Valve to GTG Fails Closed 3.442E+00 ANANS07DD--FUHOC GTG Load Control Power High Voltage Fuse Premature Open 3.408E+oo 1PBB-UVP-----2SA #EOOS# Spurious Actuation of UV Protection on Train B ESF Bus 3.330E+00 INKNF17---BXNRM Station Battery E to DCCC NKN-M45 Fails Not Restored After Mntc 3.296E+00 ANANS07A---FUHOC GTG Auxiliary Power Bkr High Voltage Fuse Premature Open 3.292E+00 1SPBP01 ---- MP-FR Spray Pond Pump B Fails to Run 3.291 E+00 1SPBP01 ---XCYXOR Spray Pond Pump B Fails to Start Due to Override Contact Failure 3.280E+00 ANANS07-138BSEPW GTG Bus NAN-S07 Fault 3.235E+00 I SABSP-K226RXAFT #EOOS# SP Pump B Fails to Start Due to K226 Failure 3.174E+00 AFSNF01---FX-PG GTG Fuel Oil supply filter plugged 3.167E+00 ANKNF20----BXAFS GTG Switchgear Battery Fails on Demand 3.163E+00 ANHNU5607-CBOFT Transfer Switch NHN-U5607 Fails to Transfer to emerg source (credits manual action) 3.160E+00 INKNF17----BXAFS Station Battery E to DCCC NKN-M45 Fails on Demand 4

Attachment I to Enclosure 2 Extension of EDG AOT Ratio Event Event Description 3.160E+00 ANANS07D--XCYLFT GTG Bus Supply Breaker to Unit 1 Fails to Close (Cntrl Ckt Fault) 3.155E+00 1NANS04A--XCXHST Train B ESF Service X-fmr Supply Bkr Spurious Trip (Cntrl Ckt Fault) 3.153E+00 ANANS07DD--XMDPW GTG Load Control Power Transformer Fails 3.135E+00 ANANS07DD--FU-OC GTG Load Control Power Low Voltage Fuse Premature Open 3.119E+00 1NANS03AB-XCYKFT GTG Supply Bkr to ESF Serv X-fmr NBN-X03 Fail to Close (Cntrl Ckt Fault) 3.119E+00 1NANS03AB--CBOFT #EOOS# GTG Supply Bkr to ESF Serv X-fmr NBN-X03 Fail to Close (Local Fault) 3.119E+00 ANANS07D---CBOFT GTG Bus Supply Breaker to Unit 1 Fails to Close (Local Fault) 3.111 E+00 1PBBS04K---CB-ST #EOOS# Norm OSP Supply Bkr to Train B ESF Bus Fails to Re-Close (Local Fault) 3.105E+00 ANANS07A---XMDPW GTG Auxiliary Power Stepdown Transformer Fails 3.091 E+00 1NANS06-138BSEPW #EOOS# 13.8kV Bus NAN-S06 Fault 3.091 E+00 I NANS04-138BSEPW #EOOS# 13.8kV Bus NAN-S04 Fault 3.089E+00 AGTN-GTG12----CC Common Cause Failure of Both GTGs 3.064E+00 ANANS07-138EXBPW Buried Power Cables From GTGs to Unit Fail 3.060E+00 1NBNX04-138EXOPW Fault in Overhead Lines From NAN-S04 Bus to Train B ESF Serv X-fmr 2.957E+00 1NBNX04---XCXDXX Spur Trip of Train B ESF Serv X-fmr Supply/Fdr Bkrs to Both ESF Buses 2.890E+00 I NBNX04-138XMLPW #EOOS# Train B ESF Service Transformer Fails 2.717E+00 I NANS06K--CBOST #EOOS# Tie Bkr Between NAN-S06 / S04 Spur Trip (Local Fault) (Unit 1 Only)

.2.717E+00 1NANS06H---CBOST #EOOS# Intermediate Bus NAN-S06 Normal Supply Bkr Spurious Trip (Local Fault)

S

Attachment I to Enclosure 2 Extension of EDG AOT Ratio Event Event Description 2.704E+00 1PBBS04K--XCXBST Norm OSP Supply Bkr to Train B ESF Bus Trips (Cntrl Ckt Fault) 2.150E+00 1SAB2-K204-RX-DO #EOOS# LOP Group 2 US Signal Fails to Clear Due to K204 Fail to De-energize 2.067E+00 1NANS06K--XCXGST Tie Bkr Between NAN-S06 / S04 Spur Trip (Cntrl Ckt Fault) (Unit 1 Only) 2.047E+00 1SAB-LOADSEQ-2AT #EOOS# Seqr B Fails to Send Load Shed Signal Upon Receiving ESFAS or LOP Signal 2.036E+00 1AFAP01 -2H-TPAFR AFW Pump A Fails to Run 2 Hours 6

Attachment 1 to Enclosure 2 Extension of EDG AOT Ratio of DG "B" OOS to Basecase Risk Increase Factors Ratio Event Event Description 1.837E+01 1PKAM4102--CBDST #EOOS# Channel A Battery Breaker Trips (Local Fault) 1.783E+01 1PKAM4102-XCXCST Channel A Battery Breaker Trips (Cntrl Ckt Fault) 1.755E+01 1PKAD21-125BSEPW #EOOS# Channel A DC Distribution Panel PKA-D21 Fault (Short-Term) 1.755E+01 1PKAM41 -125BSEPW #EOOS# Channel A DC Control Center Fault (Short-Term) 1.221 E+01 1NANS06-138BSEPW #EOOS# 13.8kV Bus NAN-S06 Fault 1.221 E+01 I NANS04-138BSEPW #EOOS# 13.8kV Bus NAN-S04 Fault 1.191E+01 1PBB-UVP-----2SA #EOOS# Spurious Actuation of UV Protection on Train B ESF Bus 1.092E+01 1PBBS04K---CB-ST #EOOS# Norm OSP Supply Bkr to Train B ESF Bus Fails to Re-Close (Local Fault) 1.048E+01 1NANS06H---CBOST #EOOS# Intermediate Bus NAN-S06 Normal Supply Bkr Spurious Trip (Local Fault) 1.048E+01 1NANS06K---CBOST #EOOS# Tie Bkr Between NAN-S06 / S04 Spur Trip (Local Fault) (Unit 1 Only) 1.029E+01 1NANS04A--CBOST #EOOS# Train B ESF Service X-fmr Supply Bkr Spurious Trip (Local Fault) 9.534E+00 I PBBS04K--XCXBST Norm OSP Supply Bkr to Train B ESF Bus Trips (Cntrl Ckt Fault) 9.438E+00 1SPAV041 -- CV-FO Spray Pond Pump A Discharge Check Valve Fails to Open 9.027E+00 I SM-LOADSEQ-2AT #EOOS# Seqr A Fails to Send Load Shed Signal Upon Receiving ESFAS or LOP Signal 9.027E+00 1SPAHV049A-NV-RO Spray Pond A Nozzle Isolation Valve Fails Closed 9.027E+00 I SPAHVW49B-NV-RC Spray Pond A Nozzle Bypass Valve Fails Open 7

Attachment 1 to Enclosure 2 Extension of EDG AOT Ratio Event Event Description 8.705E+00 1SAA---LOP---2AT #EOOS# LOP/LS Mod Fails to Pass DG Start/Bkr Close Signal From Seqr to K205 8.705E+00 1SM-DETECT--2AT #EOOS# LOP/LS Module Fails to Generate DG Start Signal Upon LOP 8.357E+00 1PEAG01---CB-ST #EOOS# DGA Output Breaker Trips (Local Fault) 8.252E+00 I PBAS03BK-XCXBXX Spur Elect Prot Trips DGA Feeder Bkr and Locks Out Alt OSP Supply 8.214E+00 1SPAV041--CV-RO Spray Pond Pump A Discharge Check Valve Fails Closed 7.597E+00 1NANS06K--XCXGST Tie Bkr Between NAN-S06 / S04 Spur Trip (Cntrl Ckt Fault) (Unit 1 Only) 7.470E+00 ANKNF20---BXAFR GTG Switchgear Battery Fails During Operation 7.439E+00 1PEAGO1---XCXEST DGA Output Breaker Trips (Cntrl Ckt Fault) 7.353E+00 INANS04A--XCXHST Train B ESF Service X-fmr Supply Bkr Spurious Trip (Cntrl Ckt Fault) 7.139E+00 1NBNX04-138EXOPW Fault in Overhead Lines From NAN-S04 Bus to Train B ESF Serv X-fmr 7.1 1OE+00 1SPAHCV127-NV-RO DGA Jacket Cooler Isolation Valve Fails Closed 7.1 1OE+00 1SPAHCV135-NV-RO DGA Lube Oil Cooler Isolation Valve Fails Closed 7.11 OE+00 1SPAHCV129-NV-RO DGA Air After Cooler Isol Valve Fails Closed 7.1 1OE+00 1SPAHCV125-NV-RO DGA Jacket Cooler Isolation Valve Fails Closed 7.1 1OE+00 1SPAHCV131 -NV-RO DGA Air After Cooler Isol Valve Fails Closed 7.1 1OE+00 I SPAHCV133-NV-RO DGA Lube Oil Cooler Isolation Valve Fails Closed 8

Attachment I to Enclosure 2 Extension of EDG AOT Ratio Event Event Description 6.867E+00 1NBNX04---XCXDXX Spur Trip of Train B ESF Serv X-fmr Supply/Fdr Bkrs to Both ESF Buses 6.754E+00 ANANX02-SU-XMSPW #EOOS# Start-up Transformer X02 Fails 6.715E+00 1NBNX04-138XMLPW #EOOS# Train B ESF Service Transformer Fails 6.598E+00 1PKAF11----BXAFR Channel A Battery Fails During Operation 6.596E+00 1SPAP01 ---XCPGFS Spray Pond Pump A Fails to Start (Cntrl Ckt Fault) 6.559E+00 1NANS06H--XCXFST Intermediate Bus NAN-S06 Norm Supply Bkr Spur Trip (Cntrl Ckt Fault) 6.390E+00 1SPAHV049B-NVYRM Spray Pond A Nozzle Bypass Valve Not Restored After Mntc.

6.237E+00 1NANS04-138EXOPW Fault in Overhead Lines Between 13.8kV Buses NAN-S06 / NAN-S04 5.970E+00 1NKNM4502-XCYJST Battery E Supply Breaker to DCCC NKN-M45 Spurious Trip (Cntrl Ckt Fault) 5.970E+00 1NKNM4502--CBDST #EOOS# Battery E Supply Breaker to DCCC NKN-M45 Spurious Trip (Local Fault) 5.970E+00 1NKND41 -125BSEPW #EOOS# Local Fault of DC Distribution Panel NKN-D41 5.970E+00 1NKNM45-125BSEPW #EOOS# Local Fault of DC Control Center NKN-M45 5.609E+00 1SPAHCV129-NVNRM DGA Air After Cooler Isol Valve Fail to Restore After Mntc 5.609E+00 1SPAHCV131 -NVNRM DGA Air After Cooler Isol Valve Fail to Restore After Mntc 5.609E+oo 1SPAHCV133-NVNRM DGA Lube Oil Cooler Isolation Valve Fail to Restore After Mntc 5.609E+00 I SPAHCV127-NVNRM DGA Jacket Cooler Isolation Valve Fail to Restore After Mntc 9

Attachment I to Enclosure 2 Extension of EDG AOT Ratio Event Event Description 5.609E+00 1SPAHCV125-NVNRM DGA Jacket Cooler Isolation Valve Fail to Restore After Mntc 5.609E+00 1SPAHCV135-NVNRM DGA Lube Oil Cooler Isolation Valve Fail to Restore After Mntc 5.400E+00 1SAA -K202-RX-DO #EOOS# LOP Group 1 US Signal Fails to Clear Due to K202 Fail to De-energize 5.372E+OO 1PEAGO1---XCXEFT DGA Output Breaker Fails to Close (Cntrl Ckt Fault -

Monthly Test) 5.350E+00 1PEAG01---CBBFT DGA Output Breaker Fails to Close (Local Fault) 5.097E+00 1SAALG-K205RXAFT #EOOS# LOP Train A Group 2 Fails Due to Relay K205 Fail to Transfer 4.944E+00 1HDAHVAC----20P #EOOS# DGA Engine and Control Room HVAC Fails 4.748E+00 1PEAGO1---XCXIFT DGA Output Breaker Fails to Close (Cntrl Ckt Fault -

Refueling Test) 4.731 E+00 1PEAGO1----DG-FS DGA Fails to Start 4.714E+00 1SPAP01---CBBFT #EOOS# Spray Pond Pump A Circuit Breaker (PBA-S03C) Fails to Close (Local Fault) 4.583E+00 1SPAP01 ----MPCFS Spray Pond Pump A Fails to Start (Local Fault) 4.539E+00 1SAA2-K204-RX-DO #EOOS# LOP Group 2 US Signal Fails to Clear Due to K204 Fail to De-energize 4.241 E+00 1SPAP01 ---- MP-FR Spray Pond Pump A Fails to Run 4.222E+00 1SPAP01---XCYXOR Spray Pond Pump A Fails to Start Due to Override Contact Failure 4.204E+00 1AF-FWIV----2HR CR Op Fails to Direct an AO to the MSSS Bldg for Man Control of FWIVs 4.149E+00 I SAASP-K226RXAFT #EOOS# SP Pump A Fails to Start Due to K226 Failure 10

Attachment 1 to Enclosure 2 Extension of EDG AOT Ratio Event Event Description 3.934E+00 1PEAGOI ---- DG-FR DGA Fails to Run 3.765E+00 I NKNF17--BXAFR Station Battery E to DCCC NKN-M45 Fails During Operation 3.705E+00 INKNM4509--FU-OC DC Distribution Panel NKN-D41 Fuse Blows 3.605E+00 AFSNVO03---NV-RO Fuel Oil Supply Valve to GTG Fails Closed 3.605E+00 AFSNVO09---NV-RO Fuel Oil Supply Valve to GTG Fails Closed 3.557E+00 LOOP---------2PW Loss of Off-Site Power to Switchyard Post Trip 3.496E+00 ANANS07DD--FUHOC GTG Load Control Power High Voltage Fuse Premature Open 3.379E+00 1NKNF17----BXNRM Station Battery E to DCCC NKN-M45 Fails Not Restored After Mntc 3.340E+00 ANANS07A--FUHOC GTG Auxiliary Power Bkr High Voltage Fuse Premature Open 3.324E+00 ANANS07-138BSEPW GTG Bus NAN-S07 Fault 3.261 E+00 1PKAM4123--FU-OC #EOOS# Channel A DC Distribution Panel D21 Fuse (1 of 2) Blows 3.242E+00 1NBNX03-138EXOPW Fault in Overhead Lines From NAN-S03 Bus to Train A ESF Serv X-fmr 3.213E+00 AFSNF01 ---- FX-PG GTG Fuel Oil supply filter plugged 3.209E+00 ANKNF20---BXAFS GTG Switchgear Battery Fails on Demand 3.206E+00 ANHNU5607--CBOFT Transfer Switch NHN-U5607 Fails to Transfer to emerg source (credits manual action) 3.203E+00 1NKNF17----BXAFS Station Battery E to DCCC NKN-M45 Fails on Demand 11

Attachment I to Enclosure 2 Extension of EDG AOT Ratio Event Event Description 3.199E+00 ANANS07D--XCYLFT GTG Bus Supply Breaker to Unit 1 Fails to Close (Cntrl Ckt Fault) 3.192E+00 ANANS07DD--XMDPW GTG Load Control Power Transformer Fails 3.174E+00 ANANS07DD--FU-OC GTG Load Control Power Low Voltage Fuse Premature Open 3.154E+00 1NANS03AB--CBOFT #EOOS# GTG Supply Bkr to ESF Serv X-fmr NBN-X03 Fail to Close (Local Fault) 3.154E+00 ANANS07D---CBOFT GTG Bus Supply Breaker to Unit 1 Fails to Close (Local Fault) 3.154E+00 1NANS03AB-XCYKFT GTG Supply Bkr to ESF Serv X-fmr NBN-X03 Fail to Close (Cntrl Ckt Fault) 3.144E+00 ANANS07A---XMDPW GTG Auxiliary Power Stepdown Transformer Fails 3.124E+00 AGTN-GTG12 ---- CC Common Cause Failure of Both GTGs 3.099E+00 ANANS07-138EXBPW Buried Power Cables From GTGs to Unit Fail 3.082E+00 1NBNX03---XCXDXX Spur Trip of Train A ESF Serv X-fmr Supply/Fdr Bkrs to Both ESF Buses 2.941 E+00 I NBNX03-138XMLPW #EOOS# Train A ESF Service Transformer Fails 2.563E+00 1PBBS04L---CB-FT #EOOS# Alt OSP Supply Bkr to Train B ESF Bus Fails to Close (Local Fault) 2.551 E+00 1PBBS04L--XCYNFT Alt OSP Supply Bkr to Train B ESF Bus Fails to Close (Cntrl Ckt Fault) 2.358E+00 1NANS03A--XCXHST Train A ESF Serv X-fmr Supply Breaker Spurious Trip (Cntrl Ckt Fault) 2.224E+00 ISAA--LDSHED-2AT #EOOS# US Signal Fails to Clear Due to Sequencer or LOP/LS Module Fault 2.097E+00 1AFAP01 -2H-TPAFR AFW Pump A Fails to Run 2 Hours 2.047E+00 1NANS03A---CBOST #EOOS# Train A ESF Serv X-fmr Supply Breaker Spurious Trip (Local Fault) 12

Attachment 2 to Enclosure 2 Palo Verde Probable Risk Assessment (PRA) Quality and History

Attachment 2 to Enclosure 2 Extension of EDG AOT Palo Verde Probabilistic Risk Assessment (PRA) Quality and History Table of Contents

1. Palo Verde PRA Quality Overview ....................................................... 2 1.1. Qualification of PRA Staff ....................................................... 2 1.2. PRA Procedures ....................................................... 2 1.3. Independent Reviews ....................................................... 3 1.4. PRA Configuration Control Program ...................................................... 3 1.5. Peer Reviews ...................................................... 4 1.6. CEOG Cross Comparison Process ....................................................... 4 1.7. CEOG Probable Safety Analysis (PSA) Technical Positions ................. 7 1.8. Continuous Quality Improvement Process ............................................. 7

2. PVNGS PRA Model ...................................................... 8 2.1. Model Overview ....................................................... 8 2.2. Palo Verde PRA Development History ................................................... 9

3. Significant Open Items ...................................................... 12

4. Combustion Engineering Owners Group Technical Positions . . 12 4.1. CEOG PSA Standard: Evaluation of the Initiating Event Frequency for the Loss of Coolant Accident ...................................................... 12 4.2. CEOG PSA Standard: Evaluation of the Initiating Event Frequency for Main Steam Line Break Events ...................................................... 12 4.3. CEOG PSA Standard: Evaluation of the Initiating Event Frequency for Steam Generator Tube Rupture (SGTR) ........................... ............... 13 4.4. CEOG PSA Standard: Success Criteria for the Minimum Number of Safety Injection Pathways Following Large and Small Break LOCAs for CE PWRs ...................................................... 13 4.5. CEOG PSA Standard: Best Estimate ATWS Scenarios and Success Criteria ...................................................... 13 4.6. CEOG PSA Standard: Evaluation of the Mechanical Scram Failure for ATWS Occurrence Frequency ...................................................... 13 4.7. CEOG PSA Standard: Reactor Coolant Pump Seal Failure Probability Given a Loss of Seal Injection .............................................. 13 4.8. CEOG PSA Standard: Evaluation of the Initiating Event Frequency for Reactor Vessel Rupture .......................... ............................ 13

5. Independent External Reviews ...................................................... 13

6. References........................................................................................................ 14 1

Attachment 2 to Enclosure 2 Extension of EDG AOT 1.0 Palo Verde PRA Quality Overview Palo Verde Nuclear Generating Station (PVNGS) personnel have constructed the PRA with a strong commitment towards developing a complete and accurate PRA. This commitment can be seen through the following elements:

• Formal qualification program for the PRA staff

• Use of procedures to control PRA processes

• Independent reviews (checks) of PRA documents

• Comprehensive PRA Configuration Control Program

- Quarterly plant change monitoring program

- Process to control PRA quantification software

- Active open items list (Impact Review database)

- Interface with the site's corrective action program

- Process to maintain configuration of previous risk-informed decisions

• Peer reviews

• Participation in the Combustion Engineering Owners Group (CEOG) cross comparison process

• Incorporation, where applicable, of CEOG PRA Technical Positions

• Commitment of continuous quality improvement These elements are used to achieve a quality PRA and are described in the remainder of Section 1 of this Attachment. Section 2 provides an overview of the development history of the PRA since the PVNGS Individual Plant Examination (IPE) submittal in April of 1992. Section 3 describes the significant PRA open items. Section 4 lists the CEOG Technical Positions and describes the PVNGS position on each of these documents. Section 5 discusses the independent (external) reviews that have been performed on PRA. A summary of the significant issues and their status is provided.

1.1 Qualification of PRA Staff Risk analysts are qualified in accordance with the PVNGS Engineering Training Program, which meets the INPO requirements for a Systematic Approach to Training and 10 CFR 50.120.

1.2 PRA Procedures The PRA model is controlled by station procedure 7ODP-ORA03, PRA Model Control, Reference 6.1.

2

Attachment 2 to Enclosure 2 Extension of EDG AOT The PRA model is documented by way of Engineering Studies, which are controlled by station procedure 81 DP-4CC03, Engineering Studies, Reference 6.2.

PRA model documentation is maintained by the Nuclear Information Records Management Department in accordance with administrative controls meeting the requirements of Regulatory Guide 1.33, Reference 6.3.

1.3 Independent Reviews The Engineering Studies, which document the PRA, receive independent technical review, as required by station procedure 81 DP-OCCO5, Design and Technical Document Control, Reference 6.4.

1.4 PRA Configuration Control Program 1.4.1 PRA Open Items (Impacts)

To evaluate and track items that may lead to a change to the model or its documentation, an "impact review database" is maintained. Dispositions and change records are sent to Nuclear Information Records Management and maintained per the above mentioned requirements.

1.4.2 Monitoring Plant Changes Documents used in the development of the PRA are periodically compared to the station document database to identify revisions to referenced documents.

Documents that have been revised are then reviewed to determine if there is any impact to the model. Changes are identified and evaluated using the impact database and process described above.

1.4.3 PRA Updates Updates to the PRA model to incorporate changes required due to plant changes are typically made annually.

1.4.4 Software Quality Control Software, including Risk Spectrum', MAAP, etc., is verified and controlled in accordance with the PVNGS Non-process Software QA Program, station procedure 80DP-OCC01 (Reference 6.5); along with implementing procedures 8ODP-OCCO2, Non-process Qualified Software Development, Process and Upgrades (Reference 6.6); and 8ODP-OCCO6, Control and Use of Qualified Non-process Software and Data (Reference 6.7).

Electronic data and databases are controlled in accordance with station procedure 8ODP-OCCO6, Control and Use of Qualified Non-process Software and Data. The databases are stored in a controlled, limited access location.

Copies for use are required to be verified against the controlled version.

3

Attachment 2 to Enclosure 2 Extension of EDG AOT 1.5 Peer Reviews Section 5 of this Attachment describes the external independent reviews and their findings.

The nuclear industry has adopted a Probabilistic Safety Assessment (PSA) Peer Review Process originally developed by the Boiling Water Reactor Owners Group (BWROG). This original BWROG process was provided to the other owners' groups. In a cooperative undertaking, this process was modified by the Westinghouse Owners Group (WOG), the Babcox and Wilcox Owners Group (B&WOG) and the CEOG to be applicable to both Boiling Water Reactors (BWRs) and Pressurized Water Reactors (PWRs). The result is a common, consistent PRA peer review process that is applicable to any commercial nuclear power plant in the United States. At the same time, it is flexible enough to incorporate individual owners group programs to enhance the technical quality and adequacy of the plant PRAs.

CEOG performed a review of the Palo Verde PRA as part of the industry wide PRA quality initiative in November 1999.

1.6 CEOG Cross Comparison Process In 1995, the CEOG PSA Working Group funded the first in a series of five cross comparison review tasks to identify similarities and differences among CEOG member PRAs and where the results are perceived to be different, to investigate the potential causes for differences. Ingeneral, differences in PRA results were attributed to one of the following:

a) Plant specific design or operational differences.

b) Data selection.

c) Selection of success criteria.

d) PRA modeling assumptions and modeling philosophy.

The primary interest of this effort was to highlight areas where additional attention may be desirable as the PRA evolves. Besides the knowledge and insights gained through participation in this activity, the primary product was the identification of areas where additional guidance is required and the development of this guidance is discussed in Section 1.7.

1.6.1 PHASE 1: Comparison of Dominant Modeling Parameters and Results A methodical approach was used to compare the PRAs. The earliest comparison task (PHASE 1) focused on a review of overall PSA predictions and key inputs, such as selection of Initiating Event Frequencies (IEFs) and success criteria for selected initiating events. The plant-to-plant modeling variability and robustness was assessed for each initiating event by dividing the Initiating Event (IE) core damage probability by the IEF. This division yields the Conditional 4

Attachment 2 to Enclosure 2 Extension of EDG AOT Core Damage Probability (CCDP) for a particular event. Ideally, identically designed plants - identically modeled, will have equal CCDPs, even if the selected IEF for each plant were very different. Differences and similarities in CCDP were noted among the group. Plant uniqueness and key modeling assumptions impacting the results were identified to aid in understanding these differences. When no clear basis for difference was defined, the issue was tagged for future investigation.

1.6.2 PHASE 2: Comparison of PRA Data The PHASE 2 PRA comparison task was focused on identifying plant data used in various PRAs. The primary focus of the task was to identify any significant differences in input parameters (failure rates, probabilities and common cause factors) that may bias PRA predictions. This data collection in part supported the development and support of various Joint Applications. The data request was sufficiently global to highlight any important plant-to-plant differences.

Component data assembled and compared included demand and run-time failure rates for:

• Emergency Diesel Generators (EDGs)

• Batteries

• Motor-Driven Pumps

• Motor-Operated Valves (MOVs)

• Air-Operated Valves (AOVs)

• Check Valves

• Solenoid Valves (SOVs)

• Buses, Breakers and Relays Areas where plant differences occurred were noted for utility review.

1.6.3 PHASE 3: Comparison of Human Action Data PHASE 3 of this effort was focused on defining the human actions credited in the plant PRAs, the methodology used to establish the Human Error Probability (HEP) and the HEPs used for the various actions. A discussion of variability suggests that HEPs reflected plant culture, training, availability and clarity of proceduralized actions and elements involved in the HEP development methodology. Issues addressed in this comparison included:

• Selection of human actions to be modeled 5

Attachment 2 to Enclosure 2 Extension of EDG AOT

• Comparison of Risk Achievement Worth (RAW) of Top 10 human actions

• Operator action specific HEP comparison

• Treatment of pre-existing maintenance errors

• Modeling of recovery actions 1.6.4 PHASE 4: Comparison of Common Cause Modeling and Treatment of Dependencies This task was performed concurrently with PHASE 3 and had two distinct activities.

Common Cause Modelinq Assessment This phase consisted of a comparison of how common cause effects were incorporated into the plant PRAs. Specific items compared included:

• Selection of common cause methodology

• Elements considered in common cause assessment

• Common cause data This task resulted in recommendations for the minimum selection of common cause elements. This information was factored into the CEOG peer review process.

Treatment of Dependencies This task consisted of response to the following questions regarding:

• Pump dependencies on Heating, Ventilation and Air Conditioning (HVAC) and/or Component Cooling Water (CCW)

• Relationship between loss of Containment Heat Removal (CHR) and Safety Injection (SI)

• Treatment of Reactor Coolant Pump (RCP) seal failure

• Important electrical dependencies

• Existence of unique plant support systems Differences in the treatment of dependencies were identified and discussed among the Probabilistic Safety Assessment subcommittee (PSASC), and where possible, unique plant features driving dependencies were identified.

6

Attachment 2 to Enclosure 2 Extension of EDG AOT 1.6.5 PHASE 5: Comparison of Dominant Cutsets PHASE 5 is the last of the global comparison tasks performed by the group.

This effort required utilities to identify the top 100 accident sequences, or cutsets. These cutsets were compared to assess that all dominant risk contributors are considered.

The comparison process was evolutionary, in that, findings in earlier comparisons were often reviewed by members and, when appropriate, resulted in modeling changes. Even when PRA changes did not occur, philosophical modeling issues associated with selection of parameters and models were highlighted so that PRA results would be better understood.

1.6.6 IPEEE Comparison This effort was a comparison task to assess key insights gained from the Individual Plant Examination of External Events (IPEEE) assessments. As many members did not do full fire and seismic PRAs, only key insights and dominant initiators were identified and compared. Insights were generally consistent among member utilities. Comparisons indicated that actual external event risk values were likely distorted, since the simplified methodologies typically used in these assessments produced conservative results.

1.7 Combustion Engineering Owners Group (CEOG) Probabilistic Safety Analysis (PSA) Technical Positions CEOG PSA Technical Positions (Standards) and Guidelines were developed to either address a specific application need or were an outgrowth of the results of quality related tasks, such as the CEOG plant cross comparison, CEOG risk informed joint applications, and resolution of PRA issues raised by individual member utilities. Section 4 of this Attachment lists the CEOG Technical Positions and describes the Palo Verde position on each of these documents.

1.8 Continuous Quality Improvement Process The Palo Verde PRA has undergone considerable evolution since the original Individual Plant Examination (IPE) submittal on April 28, 1992. The history of the PRA model updates Isdescribed in Section 2. A strong level of commitment over the last thirteen years is demonstrated by this development history.

The Palo Verde PRA staff has been maintained at a level such that nearly all technical work is performed in-house by qualified staff with strong plant specific knowledge. The PRA Group consists of a supervisor, or Group Leader, one consulting engineer and six senior engineers. Five of these engineers held Senior Reactor Operator (SRO) Licenses or SRO certification on Palo Verde or other stations. The Engineering Support Group collects failure, success, unavailability and plant operating data for various plant needs, including the Maintenance Rule (10 CFR 50.65 (a)(4)) and the PRA.

7

Attachment 2 to Enclosure 2 Extension of EDG AOT The Palo Verde PRA Group has also actively participated in the industry peer review process. One engineer has participated in every CEOG peer review. This participation is an effective means of understanding the plant design differences and an excellent means of seeing the different modeling techniques.

2.0 PVNGS PRA Model 2.1 Model Overview Palo Verde uses the large fault tree/small event tree, also known as the linked fault tree, methodology. Basic failure events are modeled down to the component level.

Level 1 (Core Damage Frequency, or CDF) and Level 2 (Large Early Release Frequency only, or LERF) are fully developed. A Level 3 (Dose Consequence) analysis was done to support the Individual Plant Examination (IPE), but has not been maintained.

The Internal Events model consists of twenty-eight (28) initiating events, which proceed through their respective event trees. Failure branches are assigned a plant damage state (PDS) CM (Core Melt) or ATWS (Anticipated Transient Without Scram) and an appropriate Level 2 damage state. ATWS is modeled in separate event trees. Failure branches in the ATWS trees are also assigned CM and the appropriate Level 2 PDS. Core Melt is defined as initiation of sustained uncovery of the top of the active fuel.

Internal flooding was analyzed using a screening process for the IPE. That analysis is still considered to be valid. Internal flooding is not currently modeled using event and fault trees. PVNGS is participating in an industry task to develop a flood analysis methodology.

External events were examined as required by Generic Letter 88-20, Supplement 4, the IPE for External Events (IPEEE). None of the external events were analyzed by a fully developed PRA at that time. Recently, a full fire PRA was developed and incorporated into the PVNGS PRA model. Only buildings and external areas where a fire could not credibly interfere with normal plant operations were screened from consideration. No compartments within buildings that house plant equipment used for normal power production or emergency operations were screened out. There are approximately 135 fire initiating events. These proceed first through fire event trees, which determine potential fire damage states (FDS). Each FDS is then carried through an event tree mimicking the internal events event trees. CM, ATWS and Level 2 PDSs are assigned as in the internal events event trees.

Although a full Level 2 analysis was performed for the IPE, it has since been reduced to considering only Large Early Release Frequency (LERF) consistent with Regulatory Guide 1.174, which is of more relevance to actual public risk. The various CM sequences, both from the internal event and fire event trees, have been assigned to LERF damage states, of which there are approximately thirty (30) internal events and thirty (30) fire events.

8

Attachment 2 to Enclosure 2 Extension of EDG AOT Separate from the full power internal events analysis, the model has also been expanded to include Transition Risk, which covers Modes 2 and 3, along with Mode 4 steaming (prior to alignment of shutdown cooling), which was a CEOG initiative.

2.2 Palo Verde PRA Development History Numerous revisions to the PVNGS PRA model have been implemented since the IPE was submitted in 1992. These revisions include thousands of changes to event sequence and fault tree modeling, as well as data changes. Changes to the model and data are made in response to:

• Physical changes to the facility;

• Changes to operating and maintenance procedures, as well as administrative controls;

• Errors found in reviews of the model, or during its use; and

• Enhancements where experience has indicated that greater accuracy is needed to remove unnecessarily conservative assumptions.

Coincident with conversion of the PRA model from Unix-based software and platform to a Windows-based platform using Relcon's Risk Spectrum software in 1996, the model was completely rebuilt to ensure complete documentation and control of the model and associated software. This effort led to the following improvements:

• Equipment failure rates were updated with referenceable sources;

• Control circuit failure analyses were completely re-performed and documented;

• Initiating Event methodology was documented and the initiating events were recalculated and Bayesian-updated;

• Common cause failure methodology was re-performed and documented;

• Human Recovery Analysis was completely re-performed and documented based on current operating, maintenance, emergency and administrative control procedures;

• System modeling was reviewed and numerous updates made to such systems as Engineered Safety Features Actuation System (ESFAS), Auxiliary Feedwater, Low and High Pressure Safety Injection, Essential Spray Ponds (ultimate heat sink) and Chemical Volume and Control. Modeling of the non-class 1E electrical distribution systems was expanded to better capture power loss impact on non-class equipment credited in the model; 9

Attachment 2 to Enclosure 2 Extension of EDG AOT

• Changed the focus of Level 2 modeling to Large Early Release Frequency; and

• Since Risk Spectrum'has extensive documentation capability, all references to station and external documents are included within the PRA database. This allows periodic comparison to the station's document database to identify revision changes.

The following changes represent corrections and enhancements to the model that improve its fidelity and accuracy, but did not necessarily have a significant impact on CDF or LERF:

• Refined modeling of power distribution failures as initiating events to ensure completeness. Definite system boundaries were defined. The two initiators, Loss of Channel 'A' Vital AC and Loss of Channel 'B' Vital AC, were changed to capture all losses of power due to station equipment failure from the Startup Transformers, the 13.8kV, 4.16kV and 480VAC distribution systems to the battery chargers and the backup voltage regulators for the Vital AC system. A more recent change split this initiator into several pieces to better capture where in the distribution systems problems originate that lead to plant trips or shutdowns.

• Updated Human Recovery analysis, both to capture procedure changes and to ensure consistent and defensible modeling methodology.

• Added Reactor Coolant Pump (RCP) High Pressure Seal Cooler Rupture as an initiating event. This was identified as a potential containment bypass event.

• Improved Steam Generator Tube Rupture (SGTR) modeling as the industry and NRC have addressed this issue. The model now includes multiple tube rupture sequences and pressure-induced tube rupture sequences.

• Data update was performed in 1998. As more plant specific data has become available through failure data trending and Maintenance Rule requirements, failure rates for risk Important equipment have been Bayesian-updated. For most equipment included in the scope of the Maintenance Rule, plant specific unavailability values are used.

• Added more detail to the switchyard modeling to better assess maintenance activities.

• Removed Reactor Coolant Pump seal leakage modeling following Westinghouse evaluation of CE seal designs and acknowledgement of Palo Verde's unique design.

• Added thermally-induced SGTR following steam line break. This had no impact on results, but conforms to the industry standard.

10

Attachment 2 to Enclosure 2 Extension of EDG AOT Changes that had a significant impact on the Core Damage Frequency (CDF) or Large Early Release Frequency (LERF) are summarized below:

• Added modeling of the Station Blackout Gas Turbine Generators (GTGs), which were installed to address the Blackout Rule, 10 CFR 50.63. While the modeling of the GTGs was not credited in the IPE directly, it was used to address and close out USI A-45, which was included as part of the PVNGS GL 88-20 submittal.

• Dependence of Train 'A' Auxiliary Feedwater (AF) on room cooling was removed.

Best estimate room heatup calculations showed that temperature does not exceed the qualification temperature of the equipment. This improves the overall calculated reliability of the Auxiliary Feedwater system to better reflect the plant capability.

• Refined the GTG modeling to allow success with one GTG rather than requiring both for certain sequences. The GTGs have an output less than that of the Emergency Diesel Generators. One GTG is not capable of powering both an electric Auxiliary Feedwater Pump (AF) and a High Pressure Safety Injection (HPSI) pump, along with support equipment. Since most sequences only require AF, and not HPSI, one GTG is adequate for those sequences.

• Change of the test interval for Engineered Safety Features Actuation System (ESFAS) relay testing from 62 day to 9 month staggered as a result of a Technical Specification change. Resulting common cause failure value changes were also incorporated. This resulted in a significant increase in both CDF and LERF. At the urging of the PRA group, these test intervals were later shortened to quarterly for the relays associated with Auxiliary Feedwater injection valves.

This reduced CDF and LERF by about 10%.

• Credited an additional check valve in the charging line to remove conservatism in the containment penetration model. This change significantly reduced LERF.

• Removed Loss of Control Room HVAC as an initiating event. This event had been modeled in a highly conservative and unrealistic manner. Since the Control Room Is continuously manned, and since at least twelve hours are available before equipment failure temperatures would be reached, it would be virtually certain that either equipment could be repaired or temporary cooling could be established.

• Updated Initiating Event Frequencies (IEF) in 2001 resulting in significant decreases to Uncomplicated Reactor Trip and Turbine Trip frequencies. The definition of Uncomplicated Reactor Trip (called Miscellaneous Trip in the model) was narrowed to be consistent with the rest of the industry. Previously, all manual shutdowns, including for planned outages, were counted as initiators.

This in turn resulted in much lower CDF and LERF, and significantly affected importance measures.

11

Attachment 2 to Enclosure 2 Extension of EDG AOT

• Addition of the alternate offsite power supply to each Engineered Safety Features (ESF) bus. This plant feature had not been procedurally allowed due to Technical Specification interpretation.

• Physical plant change adding a redundant power supply to the Balance of Plant (BOP) ESFAS cabinet cooling fans. This change makes spurious load shed actuation much less likely.

• Added alignment of the GTGs to the initiating event trees for loss of offsite power to Train 'A' or 'B' 4.16 kV ESF bus. This provides a more realistic treatment of these initiators.

• Changed the treatment of the Loss of Instrument Air initiating event to allow use of low pressure condensate (alternate feedwater) in its mitigation. This was possible due to removal of an incorrect dependence of the Condensate system on Instrument Air.

• Reduced the Reactor Coolant Pump seal failure probability based on new information.

• Corrected modeling of spurious load shed. Certain failures had been incorrectly modeled as preventing closure of the Emergency Diesel Generator output breaker.

Internal Events CDF and LERF have varied significantly as the above changes were implemented. Compared to the IPE, CDF has decreased from 9.OE-5/yr to 1.27E-5/yr. LERF cannot be compared to the overall Level 2 value presented in the IPE, but compared to when it was first determined in 1998; it has decreased from 2.5E-6/yr to 1.57E-6/yr. When internal events and fire are quantified to the same truncation level, fire contributes about 24% to total CDF and 10% to total LERF.

These results are documented in Reference 6.9, Interim PRA Change Documentation.

3.0 Significant Open Item The below item is a significant open item associated with the current PRA that may impact the calculated CDF or LERF. Associated with this item is an impact. Impacts are used to track open issues within the PRA.

• Peer Review Facts and Observation (F&O) DA-04 noted that common cause failure data needs to be updated from the 1998 INEEL source used. This was classified as a Category A finding, but Erin Engineering in an independent assessment, said it could be a Category B. It is not expected to have a significant impact on the numerical results. Work to update common cause modeling is currently in progress.

12

Attachment 2 to Enclosure 2 Extension of EDG AOT 4.0 Combustion Engineering Owners Group Technical Positions 4.1 CEOG PSA Standard: Evaluation of the Initiating Event Frequency for the Loss of Coolant Accident This CEOG PSA Standard is no longer used; LOCA frequencies are based on NUREG/CR-5750, Reference 6.8. The NUREG values were used in lieu of the CEOG standard because the NUREG is a more recent document and more publicly available.

4.2 CEOG PSA Standard: Evaluation of the Initiating Event Frequency for Main Steam Line Break Events The CEOG standard is used as the basis for developing large steam and feedwater line break Initiating Event (IE)frequencies.

4.3 CEOG PSA Standard: Evaluation of the Initiating Event Frequency for Steam Generator Tube Runture (SGTR)

The CEOG standard is used as the basis for calculating the PVNGS SGTR frequency.

4.4 CEOG PSA Standard: Success Criteria for the Minimum Number of Safety Iniection Pathways Following Large and Small Break LOCAs for CE PWRs The CEOG standard is used.

4.5 CEOG PSA Standard: Best Estimate ATWS Scenarios and Success Criteria The CEOG standard is used.

4.6 CEOG PSA Standard: Evaluation of the Mechanical Scram Failure for ATWS Occurrence Freauencv The CEOG standard is used.

4.7 CEOG PSA Standard: Reactor Coolant Pump Seal Failure Probability Given a Loss of Seal Injection The CEOG standard was used in the development of RCP seal failure probability. Modeling showed that RCP seal failure is not a significant contributor to CDF or LERF under any circumstances. It was subsequently removed from the model.

4.8 CEOG PSA Standard: Evaluation of the Initiating Event Frequency for Reactor Vessel Rupture Reactor vessel rupture is not explicitly modeled Inthe PVNGS PRA. Its frequency is less that 1E-7/yr allowing it to be screened. It is not possible to mitigate the event, so modeling it provides no Insight. Palo Verde's reactor vessel is less susceptible to brittle fracture due to a lower than typical copper content in the steel alloy used for the vessel.

13

Attachment 2 to Enclosure 2 Extension of EDG AOT 5.0 Independent External Reviews

• Combustion Engineering Owners Group performed a review of the overall PRA modeling as part of the industry wide PRA quality initiative in November 1999.

All F&Os are addressed in PRA's Impact Database, as well as by the station's Corrective Action Program.

• Erin Engineering performed a review of Large Early Release Frequency methodology and results in December 2000.

• In early 2001, Erin Engineering reviewed all Category A and B Facts and Observations (F&Os) from the CEOG peer review. The results are as follows:

o Category A - 8 F&Os. 4 were closed and the responses deemed satisfactory, 3 were later closed. The one open issue is to update common cause data, which is mentioned in Section 3 of this Attachment.

(Erin noted that this could have been a Category B issue.)

o Category B - 26 F&Os. 7 were closed and the responses deemed satisfactory, 11 were later closed, 5 were judged to be Category C and are still open (all documentation issues), one was redundant to another F&O.

The two open items are lack of uncertainty analysis and lack of flooding analysis documentation. The flooding analysis is being addressed at this time. The lack of uncertainty analysis is being addressed by industry owners' groups.

6.0

References:

6.1 PVNGS Procedure 7ODP-ORA03, PRA Model Control 6.2 PVNGS Procedure 81 DP-4CC03, Engineering Studies 6.3 Regulatory Guide 1.33, Quality Assurance Program Requirements 6.4 PVNGS Procedure 81 DP-OCC05, Design and Technical Document Control 6.5 PVNGS Procedure 8ODP-OCCO1, PVNGS Non-process Software QA Program 6.6 PVNGS Procedure 8ODP-OCCO2, Non-process Qualified Software Development, Process and Upgrades 6.7 PVNGS Procedure 8ODP-OCCO6, Control and Use of Qualified Non-process Software and Data 6.8 NUREG/CR-5750, Rates of Initiating Events at U.S. Nuclear Power Plants: 1987-1995 6.9 PVNGS Engineering Study 13-NS-C029, Interim PRA Change Documentation, Rev 13.

14

Enclosure 3 MARKED-UP TECHNICAL SPECIFICATION PAGES

Pressurizer 3.4.9 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.9 Pressurizer LCO 3.4.9 The pressurizer shall be OPERABLE with:

a. Pressurizer water level > 27% and < 56%: and

b. Two groups of pressurizer heaters

£aressfurize Ž 12vJLE11W.

rum.JII UTuT~t~uIu UUWUVL~L 2Jo g75.jBl-::t,'.',iS-iVfi,;>.r HUYUWUF"UU I- AI APPLICABILITY: MODES 1, 2. and 3.

---

NOTE---------------------------

The pressurizer water level limit does not apply during:

a. THERMAL POWER ramp > 5% RTP per minute; or

b. THERMAL POWER step > 10% RTP.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. Pressurizer water A.1 Be in MODE 3 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> level not within with reactor limit. trip breakers open.

AND A.2 Be in MODE 4. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> B. One required group of B.1 Restore required 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> pressurizer heaters group of pressurizer inoperable. heaters to OPERABLE status.

(continued)

PALO VERDE UNITS 1.2,3 3.4.9-1 AMENDMENT NO.44

AC Sources - Operating 3.8.1 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. (continued) A.3 Restore required 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> offsite circuit to OPERABLE status. AND

-613 days from discovery of failure to meet LCO B. One DG inoperable. B.1 Perform SR 3.8.1 1 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> for the OPERABLE required offsite AND circuit(s).

Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter AND B.2 Declare required 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from feature(s) supported discovery of by the inoperable DG Condition B inoperable when its concurrent with redundant required inoperability of feature(s) is redundant inoperable. required feature(s)

AND B.3.1 Determine OPERABLE 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> DG is not inoperable due to common cause failure.

OR B.3.2 Perform SR 3.8.1.2 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for OPERABLE DG.

AND (continued)

PALO VERDE UNITS 1.2,3 3.8.1-2 AMENDMENT NO. -117

AC Sources - Operating 3.8.1 ACTIONS .

CONDITION REQUIRED ACTION COMPLETION TIME B. (continued) B.4 Restore DG s2 h 10uras to OPERABLE status.

AND

-6f- 1 days from discovery of failure to meet LCO C. Two required offsite C.1 Declare required 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from circuits inoperable. feature(s) inoperable discovery of when its redundant Condition C required feature(s) concurrent with is inoperable. inoperability of redundant required feature(s)

AND C.2 Restore one required 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> offsite circuit to OPERABLE status.

(continued)

PALO VERDE UNITS 1.2,3 3.8.1-3 AMENDMENT NO.-H--

Diesel Fuel Oil. Lube Oil, and Starting Air 3.8.3 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME D. One or more DGs with D.1 Restore stored fuel 30 days new fuel oil oil properties to properties not within within limits.

imits.

E. One or more DGs with a E.1 Restore starting air 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> required starting air receiver pressure to receiver pressure Ž 230 psig.

< 230 psig and Ž 185 psig.

F. Required Action and F.1 Declare associated DG Immediately associated Completion inoperable.

Time not met.

NOTE----

OR Should the required starting air receiver pressure momentarily drop to <185 psig while starting the One or more DGs with DG on one air receiver only, then entry into diesel fuel oil, lube Condition F is not required.

oil, or starting air ------ ---------

subsystem inoperable for reasons other than Condition A. B. C. D.

or E.

SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.8.3.1 Verify each fuel oil storage tank contains 31 days

Ž 80% indicated fuel level.

(continued)

PALO VERDE UNITS 1,2.3 3.8.3-2 AMENDMENT NO. +1 Enclosure 4 REVISED TECHNICAL SPECIFICATION PAGES

Pressurizer 3.4.9 3.4 REACTOR COOLANT SYSTEM (RCS) 3.4.9 Pressurizer LCO 3.4.9 The pressurizer shall be OPERABLE with:

a. Pressurizer water level 2 27% and < 56%; and

b. Two groups of pressurizer heaters OPERABLE with the capacity of each group 2 125 kW.

I APPLICABILITY: MODES 1, 2. and 3.

---

NOTE---------------------------

The pressurizer water level limit does not apply during:

a. THERMAL POWER ramp > 5% RTP per minute; or

b. THERMAL POWER step > 10% RTP.

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. Pressurizer water A.1 Be in MODE 3 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> level not within with reactor limit. trip breakers open.

AND A.2 Be in MODE 4. 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> B. One required group of B.1 Restore required 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> pressurizer heaters group of pressurizer inoperable. heaters to OPERABLE status.

(continued)

PALO VERDE UNITS 1,2,3 3.4.9-1 AMENDMENT NO. 44-,

AC Sources - Operating 3.8.1 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. (continued) A.3 Restore required 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> offsite circuit to OPERABLE status. AND 13 days from I discovery of failure to meet LCO B. One DG inoperable. B.1 Perform SR 3.8.1.1 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> for the OPERABLE required offsite AND circuit(s).

Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> thereafter AND B.2 Declare required 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from feature(s) supported discovery of by the inoperable DG Condition B inoperable when its concurrent with redundant required inoperability of feature(s) is redundant inoperable. required feature(s)

AND B.3.1 Determine OPERABLE 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> DG is not inoperable due to common cause failure.

OR B.3.2 Perform SR 3.8.1.2 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for OPERABLE DG.

AND (continued)

PALO VERDE UNITS 1.2.3 3.8. 1-2 AMENDMENT NO. 4-14.

AC Sources - Operating 3.8.1 ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME B. (continued) B.4 Restore DG 10 Days I to OPERABLE status.

AND 13 days from I discovery of failure to meet LCO C. Two required offsite C.1 Declare required 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from circuits inoperable. feature(s) inoperable discovery of when its redundant Condition C required feature(s) concurrent with is inoperable. inoperability of redundant required feature(s)

AND C.2 Restore one required 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> offsite circuit to OPERABLE status.

(continued)

PALO VERDE UNITS 1,2,3 3.8.1-3 AMENDMENT NO. 444,

Diesel Fuel Oil, Lube Oil, and Starting Air 3.8.3 ACTIONS (continued)

CONDITION REQUIRED ACTION COMPLETION TIME D. One or more DGs with D.1 Restore stored fuel 30 days new fuel oil properties oil properties to not within limits. within limits.

E. One or more DGs with a E.1 Restore starting air 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> required starting air receiver pressure to receiver pressure Ž 230 psig.

< 230 psig and 2 185 psig.

F. Required Action and F.1 Declare associated DG Immediately associated Completion inoperable.

Time not met.

OR

---

NOTE---------

Should the required starting air receiver pressure momentarily drop to <185 psig while starting the DG on one air receiver only, then entry into Condition F is not required.

One or more DGs with diesel fuel oil, lube oil, or starting air subsystem inoperable for reasons other than Condition A. B. C. D, or E.

PALO VERDE UNITS 1,2.3 3.8.3-2 AMENDMENT NO. 444,

Diesel Fuel Oil. Lube Oil, and Starting Air 3.8.3 SURVEILLANCE REQUIREMENTS SURVEILLANCE FREQUENCY SR 3.8.3.1 Verify each fuel oil storage tank contains 31 days

Ž 80% indicated fuel level.

SR 3.8.3.2 Verify lubricating oil inventory is 31 days

Ž 2.5 inches visible in the sightglass.

SR 3.8.3.3 Verify fuel oil properties of new and In accordance stored fuel oil are tested in accordance with the Diesel with, and maintained within the limits of, Fuel Oil the Diesel Fuel Oil Testing Program. Testing Program SR 3.8.3.4 Verify each DG starting air receiver 31 days pressure is Ž 230 psig.

SR 3.8.3.5 Check for and remove accumulated water from 92 days each fuel oil storage tank.

PALO VERDE UNITS 1,2.3 3.8.3-3 AMENDMENT NO. 44-7-.

Enclosure 5 MARKED-UP TECHNICAL SPECIFICATION BASES PAGES (for information only)

Pressurizer B 3.4.9 B 3.4 REACTOR COOLANT SYSTEMS (RCS)

B 3.4.9 Pressurizer BASES BACKGROUND The pressurizer provides a point in the RCS where liquid and vapor are maintained in equilibrium under saturated conditions for pressure control purposes to prevent bulk boiling in the remainder of the RCS. Key functions include maintaining required primary system pressure during steady state operation and limiting the pressure changes caused by reactor coolant thermal expansion and contraction during normal load transients.

The pressure control components addressed by this LCO include the pressurizer water le h ue heaters and tei r backup heater controls;.rgnypol'or j Pressurizer safety valves nd pressurizer vents are addressed by LCO 3.4.10 "Pressurizer Safety Valves-MODES 1,2, and 3," LCO 3.4.11 "Pressurizer Safety Valves-MODE 4,"

and LCO 3.4.12 "Pressurizer Vents", respectively.

The maximum steady state water level limit has been established to ensure that a liquid to vapor interface exists to permit RCS pressure control, using the sprays and heaters during normal operation and proper pressure response for anticipated design basis transients. The maximum and minimum steady state water level limit serves two purposes:

a. Pressure control during normal operation maintains subcooled reactor coolant in the loops and thus in the preferred state for heat transport; and

b. By restricting the level to a maximum, expected transient reactor coolant volume increases (pressurizer insurge) will not cause excessive level changes that could result in degraded ability for pressure control.

The maximum steady state water level limit permits pressure control equipment to function as designed. The limit preserves the steam space during normal operation, thus, both sprays and heaters can operate to maintain the design operating pressure. The level limit also prevents filling the pressurizer (water solid) for anticipated design basis transients, thus ensuring that pressure relief devices (continued)

PALO VERDE UNITS 1,2.3 B 3.4.9-1 REVISION-ff

Pressurizer B 3.4.9 BASES BACKGROUND (pressurizer safety valves) can control pressure by (continued) steam relief rather than water relief. If the level limits were exceeded prior to a transient that creates a large pressurizer insurge volume leading to water relief, the maximum RCS pressure might exceed the Safety Limit of 2750 psia.

The minimum steady state water level in the pressurizer assures pressurizer heaters, which are required to achieve and maintain pressure control, remain covered with water to prevent failure, which could occur if the heaters were energized uncovered.

The requirement to have two groups of pressurizer heaters ensures that RCS pressure can be maintained. The pressurizer heaters maintain RCS pressure to keep the reactor coolant subcooled. Inability to control RCS pressure during natural circulation flow could result in loss of single phase flow and decreased capability to remove core decay heat.

APPLICABLE In MODES 1, 2, and 3. the LCO requirement for a steam bubble SAFETY ANALYSES is reflected implicitly in the accident analyses. No safety analyses are performed in lower MODES. All analyses performed from a critical reactor condition assume the existence of a steam bubble and saturated conditions in the pressurizer. In making this assumption, the analyses neglect the small fraction of noncondensable gases normally present.

An implicit initial condition assumption of the Safety Analyses is that the RCS is-operating at normal pressure.

The individual UFSAR Accident Analysis Sections must be reviewed to determine the assumed pressurizer heater operation during the transient. Steam generator tube rupture. for example, credits pressurizer class backup heaters to maintain adequate subcooling margin.

I No changestothis page I (continued)

PALO VERDE UNITS 1,2.3 B 3.4.9-2 REVISION 31

Pressurizer B 3.4.9 BASES APPLICABLE The Class lE pressurizer backup heaters are needed SAFETY ANALYSES to maintain subcooling in the long term during loss of (continued) ,ofte jg owe,,,D dso iZn D73 (IR~ 1).

NVG 0pdcIti NUyG-O737 R < The ifteAis t6 keepte reactor Wi coolant in a sub"oed condition with natural circulation at hot, high pressure conditions for an undefined, but extended, time period after a loss of offsite power. While loss of offsite power is a coincident occurrence assumed in the accident analyses, maintaining hot, high pressure conditions over an extended time period is not evaluated in the accident analyses. The pressurizer satisfies Criterion 2 and Criterion 3 of 10 CFR 50.36(c)(2)(ii).

LCO The LCO requirement for the pressurizer to be OPERABLE with water level 2 27% indicated level (425 cubic feet) and < 56%

indicated level (948 cubic feet) ensures that a steam bubble exists. Limiting the maximum operating water level preserves the steam space for pressure control. The LCO has been established to minimize the consequences of potential overpressure transients. Requiring the presence of a steam bubble is also consistent with analytical assumptions.

The LCO requires two groups o ABLE ,prssurizer.haters, ea.cj ith ;8,125, aAd Jt }I}.

,pcty pp

,&nrc:

1,1rn rn-it~~,$

amcpgc pY;;cr!zupp~yhe minimum hea er capaci y ris SU to maintain the RCS near normal operating pressure when accounting for heat losses through the pressurizer insulation. By maintaining the pressure near the operating conditions, a wide subcooling margin to saturation can be obtained inthe loops.

APPLICABILITY The need for pressure control is most pertinent when core heat can cause the greatest effect on RCS temperature resulting in the greatest effect on pressurizer level and RCS pressure control. Thus, Applicability has been designated for MODES 1 and 2. The Applicability is also provided for MODE 3. It is assumed pressurizer level is under steady state conditions. The purpose is to prevent solid water RCS operation during heatup and cooldown to avoid rapid pressure rises caused by normal operational (continued)

PALO VERDE UNITS 1.2,3 B 3.4.9-3 REVISION ;+-

Pressurizer B 3.4.9 BASES APPLICABILITY erturbation, such as reactor coolant pump startup. The (continued) FCO does not apply to MODE 5 (Loops Fi led) because LCO 3.4.13, "Low Temperature Overpressure Protection (LTOP)

System," applies. The LCO does not apply to MODES 5 and 6 with partial loop operation. Also, a Note has been added to indicate the limit on pressurizer level may be exceeded during short term operational transients such as a THERMAL POWER ramp increase of > 5% RTP per minute or a THERMAL POWER step increase of > 10% RTP.

Pof 11niTl, tions theseMOhES gives e great de and for maintaining the RCS in a hot pressurized condition with loop subcooling for an extended period. For MODES 4. 5. or 6. it is not necessary to control pressure (by heaters) to ensure loop subcooling for heat transfer when the Shutdown Cooling System is in service and therefore the LCO is not applicable.

ACTIONS A.1 and A.2 With pressurizer water level not within the limit, action must be taken to restore the plant to operation within the bounds of the safety analyses. To achieve this status, the unit must be brought to MODE 3. with the reactor trip breakers open, within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> and to MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.

This takes the plant out of the applicable MODES and restores the plant to operation within the bounds of the safety analyses.

Six hours is reasonable, based on operating experience, to reach MODE 3 from full power in an orderly manner and without challenging plant systems. Further pressure and temperature reduction to MODE 4 brings the plant to a MODE where the LCO is not applicable. The 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> time to reach the nonapplicable MODE is reasonable based on operating experience for that evolution.

(continued)

PALO VERDE UNITS 1.2,3 B 3.4.9-4 REVISION-e

AC Sources - Operating B 3.8.1 BASES ACTIONS A.3 (continued)

According to Regulatory Guide 1.93 (Ref. 6). operation may continue in Condition A for a period that should not exceed 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. With one offsite circuit inoperable, the reliability of the offsite system is degraded, and the potential for a loss of offsite power is increased, with attendant potential for a challenge to the unit safety systems. In this Condition, however, the remaining OPERABLE offsite circuit and DGs are adequate to supply electrical power to the onsite Class IE Distribution System.

The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs. and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action A.3 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned ERAL.F e 0 may already have been not met for uo.to T~-hi 10 days. This could lead to a total of It-hine6-t 13 days, since initial failure to meet the LCO, to restore the offsite circuit. At this time, a DG could again become bj t circuit restored OPRBE and an additional a (tfO for a total of days) allowed prior to comp ete estoration of the LCO. .The -613 day Completion Time provides a limit on the time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> and FM day CompletionFTime means that both Completion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action A.2, the Completion Time allows for an exception to the normal "time zero" for beginning the allowed outage time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met. instead of at the time Condition A was entered.

(continued)

PALO VERDE UN115 1,2,3 B 3.8.1 REVISIUN AC Sources - Operating B 3.8.1 BASES ACTIONS B.4 (continued)

In Condition B. the remaining OPERABLE DG and offsite circuits are adequate to supply electricalDower to_ .tht,,

onsite Class IE Distribution System. The + ay Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is subsequently returned OPERABLE, hheOLp may already have been not met f d"Ayur`

y. This could lead to a total of &:~VI3 4 s<'since hnitial failure to meet the LCO. to res oreesthe 0G. At this time, an offsite circuit could again become inoperable, the DG restored OPERABLE, and an additional 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> (for a total of 4216 days) allowed prior to complete restoration of the LCO. The 4&13 day Completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B endurr y The "N"cnetor between the -61Odyand 1 day Completion Times means that oth m.letion Times apply simultaneously, and the more restrictive Completion Time must be met.

As in Required Action B.2i the Completion Time allows for an exception to the normal "time zero" for beginning the allowed time "clock." This will result in establishing the "time zero" at the time that the LCO was initially not met, instead of at the time Condition B was entered.

(continued)

PALO VERDE UNITS 1,2,3 B 3.8.1-12 REVISION -2

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS D.1 (continued)

With the new fuel oil properties defined in the Bases for SR 3.8.3.3 not within the required limits, a period of 30 days is allowed for restoring the stored fuel oil properties. This period provides sufficient time to test the stored fuel oil to determine that the new fuel oil, when mixed with previously stored fuel oil, remains acceptable, or restore the stored fuel oil properties. This restoration may involve feed and bleed procedures, filtering, or combinations of these procedures. Even if a DG start and load was required during this time interval and the fuel oil properties were outside limits, there is a high likelihood that the DG would still be capable of performing its intended function.

E.1 Each DG is OPERABLE with one air receiver capable of delivering an operating pressure of 2 230 psig indicated.

Although there exist two independent and redundant starting air receivers per DG, only one starting air receiver is required for DG OPERABILITY. Each receiver is sized to accomplish 5 DG starts from its normal operating pressure of 250 psig, and each will start the DG in < 10 seconds with a minimum pressure of 185 psig. If the required starting air receiver is < 230 psig and 2 185 psig, the starting air system is degraded and a period of 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> is considered sufficient to complete restoration to the required pressure prior to declaring the DG inoperable. This 48-hour period is acceptable based on the minimum starting air capacity (2 185 psig), the fact that the DG start must be accomplished on the first attempt (there are no sequential starts in emergency mode). and the low probability of an event during this brief period. Calculation 13-JC-DG-203 (Ref. 9) supports the proposed values for receiver pressures.

F.1 With a Required Action and associated Completion Time not met, or one or more DGs with diesel fuel oil, lube oil, or starting air subsystem inoperable for reasons other than addressed by Conditions A through E, the associated DG may be incapable of performing its intended function and must be immediately declared inoperable.

No changes to this page (continued)

PALO VERDE UNITS 1,2,3 B 3.8.3-5 REVISION 27

Diesel Fuel Oil, Lube Oil, and Starting Air B 3.8.3 BASES ACTIONS F.1 (continued)

(continued)

SURVEILLANCE SR 3.8.3.1 REQUIREMENTS This SR provides verification that there is an adequate inventory of fuel oil in the storage tanks to support each DG's operation for 7 days at full load. The 7 day period is sufficient time to place the unit in a safe shutdown condition and to bring in replenishment fuel from an offsite location.

The 31 day Frequency is adequate to ensure that a sufficient supply of fuel oil is available, since low level alarms are provided and unit operators would be aware of any large uses of fuel oil during this period.

SR 3.8.3.2 This Surveillance ensures that sufficient lube oil inventory is available to support at least 7 days of full load operation for each DG. The 2.5 inches visible in the sightglass requirement is based on the DG manufacturer consumption values for the run time of the DG. Implicit in this SR is the requirement to verify the capability to transfer the lube oil from its storage location to the DG, (continued)

PALO VERDE UNITS 1.2.3 B 3.8.3-6 REVISION 27