ML061710461
| ML061710461 | |
| Person / Time | |
|---|---|
| Site: | Palo Verde  |
| Issue date: | 06/10/2006 |
| From: | James M. Levine Arizona Public Service Co |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| 102-05515-CDM/SAB/RJR, TAC MC9627, TAC MC9628, TAC MC9629 | |
| Download: ML061710461 (49) | |
Text
James M.Levine Mail Station 7605 Palo Verde Nuclear Executive Vice President Tel (623) 393-5300 PO Box 52034 Generating Station Generation Fax (623) 393-6077 Phoenix, Arizona 85072-2034 102-05515-CDM/SAB/RJR June 10, 2006 U.S. Nuclear Regulatory Commission Attn: Document Control Desk Washington, DC 20555-0001
References:
- 1. APS letter 102-05398-CDM/SAB/RJR, "Proposed Alternative to PVNGS' ASME Section XI Inservice Inspection Program for ASME Code Category B-F, B-J, C-F-I, and C-F-2 Piping (Relief Request 32)," dated January 16, 2006.
- 2. Letter from Nuclear Regulatory Commission to APS, "Palo Verde Nuclear Generating Station, Units 1, 2, and 3 - Request for Additional Information Regarding Risk-Informed Inservice Inspection Program Request (TAC NOS. MC9627, MC9628, AND MC9629),"
dated May 9, 2006.
Dear Sirs:
SUBJECT:
Palo Verde Nuclear Generating Station (PVNGS)
Units 1, 2 and 3 Docket Nos. STN 50-5281529/530 Response to the NRC Request for Additional Information Regarding Risk-Informed Inservice Inspection Program Request (TAC NOS.
In Reference 1, Arizona Public Service (APS) submitted proposed alternatives to section 50.55a(g) of Title 10 of the Code of FederalRegulations (10 CFR). Specifically, APS proposed using a risk-informed Inservice Inspection (ISI) program as an alternative to the current ISI program requirements of the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code of record for Palo Verde Nuclear Generating Station, Units 1, 2, and 3.
On May 9, 2006, the NRC requested additional information be provided to complete the evaluation of the request. The NRC requested that this information be provide within 30 days of the issuance of Reference 2. In a telephone conversation on June 8, 2006, between T. N. Weber, APS, and M. B. Fields, NRC Project Manager, APS was granted A member of the STARS (Strategic Teaming and Resource Sharing) Alliance Callaway 0 Comanche Peak
- Diablo Canyon 0 Palo Verde 0 South Texas Project
- Wolf Creek 01
ATTN: Document Control Desk Page 2 U.S. NRC Response to the NRC Request for Additional Information Relief Request 32 a one week extension. The enclosure to this letter provides the APS response to the NRC's request.
This letter contains no new commitments and no revisions to existing commitments. If you have any questions about this change, please telephone Thomas N. Weber at (623) 393-5764.
Sincerely, CDM/SAB/RJR/gt
Enclosure:
Relief Request 32 - Response to the NRC Request for Additional Information cc: B. S. Mallett NRC Region IV Regional Administrator M. B. Fields NRC NRR Project Manager G. G. Warnick NRC Senior Resident Inspector for PVNGS
Enclosure Relief Request 32 Response to the NRC Request for Additional Information
Relief Request 32 - Response to the NRC Request for Additional Information NRC Question 1 Electric Power Research Institute Topical Report, TR-1 12657, Revision B-A, Revised Risk-Informed Inservice Inspection Procedure, establishes the methodology requiring inspections under the medium risk category when there are no degradation mechanisms identified and the consequence of pipe rupture is high. Explain how selection of zero welds from the medium risk Category 4 is acceptable, if a degradation mechanism were to be inadvertently overlooked.
APS Response Other than the charging system, the selection criteria for Risk Category 4 were met for all other systems. For the charging system, an additional inspection location was selected in a Risk Category 2 segment in lieu of selecting an inspection location in the Risk Category 4 segment on the same line. The affected portion of the charging system containing these two segments is depicted in Figure 1. The Risk Category 2 segment (1-CH-005) is shown in magenta while the Risk Category 4 segment (1-CH-004) is shown in blue. As can be seen in this figure, the two segments are adjacent to each other. The Risk Category 4 segment is located just beyond the affected region of the charging line that is potentially subjected to thermal transients (TT) when flow is restored after a loss of charging event. APS elected to choose an additional Risk Category 2 inspection location for examination from the region subject to TT, in lieu of making a Risk Category 4 selection in the unaffected piping section. This deviation in the selection process will not undermine the RI-ISI Program in the event that a degradation mechanism was to have been inadvertently overlooked. This is because the normal plant operating conditions are identical for the two segments. Furthermore, the materials are the same. Hence, any degradation mechanism that was inadvertently overlooked will affect both segments equally without any preference as to where it occurs. As such, the inspections performed on the Risk Category 2 segment that is subject to thermal fatigue will identify any unknown mechanisms without the need for the inspection of a location on the Risk Category 4 segment.
Page 1
F 21 7
0" I-CH-005
- 4.
o1 4 -- I.
~uNt ~
' -'I RL&M~..Nk I I)W~
II 44 tJHINl Q [
A~ ~ 4 r -ItARGVNf1 ',IN'(
Figure 1: Risk Category 2 and 4 Segments for the Unit I Charging Line co ,-I
Relief Request 32 - Response to the NRC Request for Additional Information NRC Question 2 Ifthe approach outlined in this request were followed, and no risk Category 4 welds were selected for the Charging System, when, if at all, would expansion examinations include any of the risk Category 4 welds in the Charging System?
APS Response Section 3.5.1, Additional Examination, of the APS request dated January 16, 2006, states that a root cause evaluation is required to be performed if any unacceptable flaw is found during examination. Scope expansion is required to encompass other like locations subject to the same root cause conditions. Ifthe root cause evaluation concludes that the degradation mechanism was not previously identified and it is determined that the failure mechanism may also affect the Risk Category 4 locations, then it is very possible that some of the current Risk Category 4 welds will be included in the scope expansion.
NRC Question 3 How will the specific locations be selected for the Risk Informed ISI program for the third period of the second 10-year ISI interval? Explain the process for deciding the number of locations to be selected for each risk category and system.
APS Response Prior to the development of the RI-ISI Program, APS had planned to inspect locations scheduled for examination using the currently approved ASME Section XI inspection program. Examination activities during refueling outages are planned far in advance. In general, only designated plant areas and components are accessible for examination during a given refueling outage, due to other ongoing plant maintenance and modification activities. Any location currently scheduled for examination in the third period by the current program will remain scheduled for examination in the third period if the location has also been selected for RI-ISI Program purposes. To complete the sample size, additional locations will be selected, if necessary, to achieve equal representation of the degradation mechanisms. Other factors such as accessibility and scaffolding requirements will also be factored into the selection process.
NRC Question 4 Tables 5-2-1, 5-2-2, and 5-2-3 include dissimilar metal welds in the reactor coolant system that do not identify Primary Water Stress Corrosion Cracking as a degradation mechanism. Please provide a description of the welds, including the size and material of the base metals and weld filler material, including, if appropriate, any butter material.
Page 3
Relief Request 32 - Response to the NRC Request for Additional Information APS Response Table 1 below provides a listing of the in-scope dissimilar metal weld locations at PVNGS. Each of these inspection locations contains Alloy 82/182 welds and is buttered with Alloy 82 material. Per EPRI TR-1 12657, the threshold temperature for Primary Water Stress Corrosion Cracking (PWSCC) to occur is 570'F. The temperature for a number of the dissimilar metal weld locations is below this threshold value and, as such, PWSCC was not assigned as an active degradation mechanism per the requirements of the current EPRI RI-ISI methodology.
Table 1: Dissimilar Metal Weld Locations Component IDs PWSCC System t 1U nit 2 Unit 3 Component Description Temp. F Assigned RC 5-34 5-34 5-34 . 12" pressurizer surge nozzle to safe end 653 0F YES RC 5-33 5-33 5-33 4" pressurizer spray nozzle to safe end 653°F YES 0
RC 5-29 5-29 5-29 6" pressurizer safety nozzle to safe end 653 F YES RC 5-31 5-31 5-31 6" pressurizer safety nozzle to safe end 653 0F YES 0
RC 5-30 5-30 5-30 6" pressurizer safety nozzle to safe end 653 F YES RC 5-32 5-32 5-32 6" pressurizer safety nozzle to safe end 653OF YES RC 6-4 6-10 6-10 12" pressurizer hot leg nozzle to safe end 61 1°F YES RC 6-11 6-11 6-11 16" SDC Loop I nozzle to safe end 611°F YES RC 7-9 7-9 7-9 16" SDC Loop 2 nozzle to safe end 61 1F YES 0
RC 9-11 9-11 9-11 3" pressurizer spray l A nozzle to safe end 554 F NO RC 8-18 8-18 8-18 2" drain line 1A nozzle to safe end 554 0F NO 0
RC 11-11 11-11 11-11 3" pressurizer spray IB nozzle to safe end 554 F NO RC 10-18 10-18 10-18 2" drain line IB nozzle to safe end 554 0F NO 0
RC 12-18 12-18 12-18 2" drain line 2A nozzle to safe end 554 F NO RC 14-18 14-18 14-18 2" drain line 2B nozzle to safe end 554 0F NO CH 13-11 13-11 13-11 2" charging nozzle to safe end 5540F NO 0
SI 9-10 9-10 9-10 14" SI IA nozzle to safe end weld 554 F NO SI 13-10 13-10 13-10 14" Sl 2A nozzle to safe end weld 5540F NO SI 11-10 11-10 11-10 14" SI IB nozzle to safe end weld 554TF NO S1 15-9 15-9 15-9 14" SI 2B nozzle to safe end weld 5540F NO It should be noted that MRP-139 "Material Reliability Program: - Primary System Piping Butt Weld Inspection and Evaluation Guideline" which provides inspection requirements for PWSCC susceptible butt welds has been published by the industry and it is required Page 4
Relief Request 32 - Response to the NRC Request for Additional Information to be implemented by all PWR owners. The requirements in this document will be used by PWR owners for inspection and management of PWSCC susceptible welds in their plants and will be used to supplement the RI-ISI Program selection process.
NRC Question 5 Regulatory Guide (RG) 1.178, "An Approach for Plant-Specific Risk-Informed Decision making for Inservice Inspection of Piping," Revision 1, dated September 2003, includes guidance on what should be included in risk informed ISI submittals, particularly in dealing with probabilistic risk assessment (PRA) issues. Specifically, on page 28 of RG 1.178, the following is stated regarding the information that should be included in a submittal:
A description of the staff and industry reviews performed on the PRA 1. Limitations, weakness, or improvements identified by the reviewers that could change the results of the PRA should be discussed. The resolution of the reviewer comments, or an explanation of the insensitivity of the analysis used to support the submittal to the comment, should be provided.
The January 16, 2006, submittal lists three independent reviews of the Palo Verde PRA conducted since the Individual Plant Examination. In addition to the information submitted and based on the submittal expectations of the current revision of RG 1.178, please provide a listing of all Combustion Engineering, Inc. Owners' Group Peer Assessment A and B level Facts and Observations and any weaknesses or limitations identified by ERIN Engineering and Research and by RELCON AB (that are considered to be equivalent to the A and B level Facts and Observations from the peer review),
along with the resolution of these items as they relate to the Risk-Informed ISI program analyses.
APS Response Provided in the enclosed attachment is a list of all of the A and B level Facts and Observations (F & 0) from the CEOG Peer Assessment, 35 in total. ERIN performed a review of the CEOG Peer Assessment and identified 1 additional category A F & 0 and 3 additional category B F & O's. The ERIN F & O's are located at the end of the 1InApril 2000, the Nuclear Energy Institute submitted a process (Letter to S.J. Collins, NRC) for peer review of licensee PRAs. Itwas submitted for staff review in the context of its use inbategorizing SSCs (structures, systems and components] with respect to special treatment requirements (i.e., supporting NRC's risk-informed proposed rulemaking to add new section 10 CFR 50.69, "Risk-Informed Categorization and Treatment of Structures, Systems, and Components" "Option 2" work (SECY-02-0176)). This process, when endorsed by the NRC, may also be of use in making licensing basis changes (as well as other regulatory activities not addressed here); if so, future revisions for this regulatory guide may endorse this certification process for this purpose.
Page 5
Relief Request 32 - Response to the NRC Request for Additional Information attachment and have been identified in the title with "ERIN FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS". Due to the nature of the ERIN review the Observation ID and element identification were not created. The RELCON AB review resulted in no F & O's. The plant response for each F & 0 reflects the resolution at the time the analysis for the Risk Informed ISI was performed. Subsequent to the analysis the PRA group has performed an additional update to the PVNGS model in 2005 (Made effective in January 2006). The result of this update is provided for additional information for those F&O's that were affected.
Page 6
Attachment Peer Assessment Fact/Observations
II CEO01 156AM~N~ PSA OBSERVATION (ID: IE-7 ) I Element IE I Subelement IE-12 The ISLOCA treatment for the shutdown cooling suction line appears to have some questionable assumptions. First, it is assumed that the LTOP valve would always open.
While this is the most likely scenario, the LTOP valve can fail to open. Qualitative arguments were made that should this happen, the resulting LOCA would be inside containment (primarily based on relative pipe lengths). This ignores the fact that the high stress points and stress concentration points are outside containment.
Furthermore, the shutdown cooling warmup crossover piping was not considered.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION The ISLOCA treatment should be expanded to include the scenario where the LTOP valve fails to open. This scenario is likely to be 2 orders of magnitude lower than the base scenario but would have higher releases so it should be addressed PLANT RESPONSE OR RESOLUTION Documentation was changed to provide the basis for not modeling the identified release path. Issue closed. (2000-84) The following statement was added to the documentation:
The scenario of low temperature over-pressure protection event will most likely lift the LTOP, leading to a 6" maximum break size due to being on a 6" line inside containment.
The shutdown cooling warm-up piping is located upstream of the third MOV and outside containment. It is a 10" line with a closed MOV that could potentially be subjected to RCS pressure on failure of the two upstream MOVs, and provides a greater length of piping outside containment. Failure of the MOV in the bypass line would result in pressurizing an even greater length of line outside containment. However, assuming the LTOP valves fails to open, the probability of Small Break LOCA outside containment is dependent on the mechanical failure of two MOVs, the LTOP, and the warm-up piping or the bypass valve. This probability is considered negligible.
CEOG~~~_ ~ EAARJN T SA.
T~~HiCALELEM NTIS OBSERVATION (ID: IE-8 ) I Element IE I Subelement IE-5 Loss of multiple vital 125 VDC and Loss of multiple vital 120 VAC buses are not considered as initiators.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Recommend evaluating Loss of multiple vital 125 VDC and Loss of multiple vital 120 VAC buses as initiators or provide justification why these are not appropriate initiators.
PLANT RESPONSE OR RESOLUTION No model change was required.
EPRI NP-2230 was used to initially select initiators and Transient 37 is Loss of Power to Necessary Plant Systems, for a transient that loses power to one or more components requiring a plant shutdown.
Each of the four channels of 125 VDC and 120 VAC vital buses (A, B, C & D) are independent of each other. Loss of any single 125 VDC or 120 VAC channel was conservatively assumed to eventually result in a manual reactor shutdown, thus was considered an initiator in the model (Study 13-NS-B060, At-power PRA System Study for Initiators) with a different impact for each. (Loss of 120 VAC channels C or D have minimal impact and thus were not modeled as initiators.) The remaining DC and AC channels remain modeled as support systems with their individual random failure modes in addition to the initiator. Common cause battery failures are also modeled in addition to the initiators (Study 13-NS-B063, PVNGS At-Power PRA Study for Generic, Bayesian Update, and Reliability Analysis). This adequately addresses the probability of occurrence of a concurrent electrical failure. Due to the independence of the power supplies, no combination of initiators is required to account for dependencies.
P$A-OBSERVATION (ID: AS-02) / Element AS I Subelement AS-04 A discussion of Reactor Vessel Rupture was not found. A fire PRA was not performed so accident sequences were not generated to capture the impact of a fire. Also there does not appear to be coding of locations for basic events. (FIVE methodology was used to assess fire impact. Internal flooding is also not specifically included in the accident sequences and no spatial data appears to have been developed (same could be used for fire and flooding). IDCORE methodology was used to perform flooding evaluation and this determined that there are no critical flooding areas.
LEVEL OF SIGNIFICANCE:
B POSSIBLE RESOLUTION A Fire PRA should be included as part of the modeling. Also a discussion of internal flooding evaluation results and reactor vessel rupture should be included in the final quantification calculation.
PLANT RESPONSE OR RESOLUTION Observation remains open due to the flooding documentation.
Reactor Vessel Rupture is discussed in 13NS-B060, AT-POWER PRA SYSTEM STUDY FOR INITIATORS.
The development of a Fire PRA was completed in 2001.
The internal flooding has no impact to the RI-ISI evaluation. Flooding analysis is performed within the RI-ISI evaluation.
CEOG, ~~QiEG~1. S OBSERVATION (ID: AS-03) / Element AS I Subelement: AS-6, AS-7, AS-8. AS-24 There are some differences between treatment of a small LOCA associated with a pipe break and an induced small LOCA (pressurizer safety valve reclosure) in the transient event trees. For example:
- In the small LOCA event tree, successful high pressure injection and recirculation lead to questioning whether containment heat removal is successful. In the Transient Type 2 and Transient Type 3 event trees, RCS integrity can be lost if pressurizer safety valves do not reset after lifting. In the sequences from these event trees where high pressure injection and recirculation are successful, the question relating to containment heat removal is not asked.
- In the small LOCA event tree, RCS depressurization and use of low pressure injection and recirculation are considered if high pressure injection or recirculation fail. In the Transient Type 2 and Transient Type 3 event trees, consideration of RCS depressurization and use of low pressure systems is not included because the likelihood of high pressure injection or high pressure recirculation are small. It would seem that this assumption should apply to both cases, or not.
LEVEL OFSIGNIFICANCE B - Inconsistent treatment of essentially the same LOCA conditions should be corrected or justified. The treatment of containment heat removal in the Transient Type 2 and Transient Type 3 event trees could affect the Level 2 results.
POSSIBLE RESOLUTION Determine the appropriate treatment of RCS depressurization/Ilow pressure system usage and containment heat removal, and make the treatment in the event trees consistent.
PLANT RESPONSE OR RESOLUTION The event trees are correct and no action is required.
For small break LOCA hole sizes greater than 2" with no secondary cooling, sufficient containment pressure could build up that containment cooling is required. The small break LOCA event tree conservatively treats all hole sizes as being critical and asks for containment cooling when high pressure safety injection and recirculation are successful but cool-down and depressurization are unsuccessful, therefore adding sufficient energy to reach containment failure before core melt. For non-LOCA initiators (Type 2 and 3 transients), secondary cooling (auxilliary feedwater or alternate feedwater) must be successful before RCS integrity is asked. So a high pressure safety injection and recirculation success will have a cooled down RCS and has no containment failure, therefore the containment cooling question is not required. Type 2 and 3 transients without secondary cooling lead to core melt prior to containment failure.
CEOG MOMTAMMM"M REGARDNG Ps A T100I-90 L ELEMENTS OBSERVATION (ID: AS-5 ) / Element AS I Subelement AS-24 The MAAP analyses used to support timing for human actions look only at a selected set of parameters of interest and neglect to look at the status of other systems which may affect timing and/or success criteria. One particular example is that the Turbine Bypass System is assumed to "always work" when evaluating the time available for recovery of AFW.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Review the assumptions for the MAAP cases used to set success criteria and to evaluate timing to ensure that none of the systems assumed to "always work" would affect the conclusions if assumed to be failed. (Note that the state of such systems could then be addressed in the event trees. The worst case success criteria and/or timing should not be used unless the underlying system failures are included in the model also.)
PLANT RESPONSE OR RESOLUTION No action is required.
The MAAP analyses did not model the Turbine Bypass System as "always working", as these valves were not in the MAAP model used. The ADVs are modeled, but were not credited in the MAAP runs. Only the secondary safety valves were "available" in the MAAP runs used to develop the timing for the AFW human actions. The HRAs respond to specific component failures and use timings developed from supporting MAAP cases associated with those component failures in conditions where the component would be called on to operate. The HRAs are not a safety function action intended to account for all combinations of plant conditions where the system may be called on to operate.
Inappropriate use would produce minimum cutsets with HRAs combined with basic events which violate the assumptions for the HRA. The cutsets were reviewed by the analyst when reviewing the model when initially constructed and an iterative process used to update the HRAs as needed when the model was constructed. Only the final HRAs and assumptions were documented in the HRA study. A review of unrecovered cutsets found only auxiliary feedwater train A recovery and auxiliary feedwater train N recovery in combination with turbine bypass system, and in all cases the ADVs or secondary safeties remained available for a valid recovery.
CIE A~ JQP~RDN PSA
¶ iiiALELEMENTS OBSERVATION (ID: SY-02) / Element SY I Subelement SY-1 There is no document that specifies the content, requirements, and formatting for each system study. This would aid external observers and newcomers in understand the intent of the system analysis documentation.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Make a standard format for the system studies.
PLANT RESPONSE OR RESOLUTION No additional actions are required.
Procedure 81 DP-4CC03, "Engineering Studies," Rev. 4, describes the format and preparation of engineering studies. Job Qualification Card No. ESP14-03-005 must also be completed in order to be the responsible engineer or independent verifier for engineering studies. Within the procedurally described format there is some flexibility for the actual content of the study, since there are a number of applications within engineering. Additional guidance is contained in the "Documentation User Manual," an electronic document internal to PRA, which provides a general outline for the content and organization of the PRA studies. The long-term goal is to integrate the information in the studies into the Risk Spectrum database, which will ensure consistent documentation. This integration is tracked for each study by existing assigned tasks.
C~QGS ~R~G~~iNPSA OBSERVATION (ID: SY-03) I Element SY I Subelement SY-3 Many of the assumptions contained in the AFW analysis address plant phenomena, but contain no plant references. For example, AF024, states no significant diversion paths were identified. But no detailed discussion is provided. There are several piping taps from the CST. From a walkdown some of these taps occur high in the tank, while others associated with the condensate transfer pumps are low in the tank. It is not clear that potential diversions through the condensate transfer pumps have been examined.
The drawings that illustrate the flow destination for the pumps are not referenced in the AFW system study: DGP-001, ECP-001, and EWP-001. It also appears that the assumptions themselves are not independently reviewed. As a result, the independent reviews of the system studies are not complete. Each individual assumption should have plant documentation and an independent review. The system study independent review would then only need to ensure that the assumption is applicable to and reflects the model itself. This appears to be what is done now, but without an independent review of the assumptions.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Independently review the assumptions and key inputs. Link plant documents directly to the assumptions and key inputs.
PLANT RESPONSE OR RESOLUTION Observation remains open (2000-86).
This is a method of documentation issue and not a model problem.
System studies contain the assumptions for the system and receive independent review, which is documented on the cover of the study. The observers utility documented their reviews for each assumption individually, but a difference in the method of documenting the review does not require an additional review of the assumptions and key inputs. Similarly, the references are provided at the end of the system study, while the observer recommends linking them individually. Again, the references are there, just not in a format allowing easy review by someone outside of the utility.
+iPSA SE 0_ENTS OBSERVATION (ID: SY-05 ) / Element SY I Subelement SY-4 It is difficult to verify that the systems are in agreement with the as-built conditions. The current software is only capable of displaying a two by three portion of the fault tree.
When attempting to verify the AFW system, only a sample of the fault tree was examined. From the portion examined no discrepancies were identified. There were no direct references between the fault tree supports and the plant drawings. For example the power supplies to the motor driven pumps are contained in the fault tree, but a plant drawing reference is not directly linked to this dependency. The back of the system study does provide a list of references, but the specific references are not linked to dependencies. Not only does this make review by outside personnel difficult, it makes internal independent reviews difficult as well.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Link dependencies directly to plant documentation.
PLANT RESPONSE OR RESOLUTION Observation remains open (2000-86).
This is a method of documentation issue and not a model problem.
The references are provided at the end of each of the system studies, while the observer recommends linking them individually to basic events, failure rates, assumptions, or fault trees. Again, the references are there, just not in a format allowing easy review by someone other than the preparer.
irEO'F WG Ii REGARDNGD PSA TEC1H-i i PL ELEMW NTS OBSERVATION (ID: SY-10) / Element SY I Subelement SY-20 Demand failures of batteries are not considered (i.e., ifthere is a demand for DC, battery failure is more likely). Only charger failures, bus faults, circuit breaker failures, battery faults, maintenance and failure to restore after maintenance are modeled.
LEVEL OF SIGNIFICANCE A
POSSIBLE RESOLUTION Demand failures should be considered.
PLANT RESPONSE OR RESOLUTION Issue closed. Demand and run events are modeled for batteries.
, NG PSA OBSERVATION (ID: SY-12) / Element SY I Subelement SY-18 Batteries C and D appear to have at least 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time prior to depletion. This results in instrumentation being available to adequately control AFW. The bases for the 24-hour mission time is not documented.
LEVEL OFSIGNIFICANCE A - Ifthe 24 mission is not confirmed (found to be less), then AFW flow control following the depletion of the batteries will be significantly challenged. This could result in a significant risk increase.
POSSIBLE RESOLUTION Determine the battery mission times and take appropriate actions based on the results.
PLANT RESPONSE OR RESOLUTION Issue closed.
The basis for the 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> capacity for Batteries C and D was documented.
"Batteries PKCF-1 3 and PKDF-1 4 have the capacity to provide power to their loads for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Per CRDR 961002, they would have a load profile of 90 amps for 1 minute and 70 amps for 119 minutes. This load profile was extrapolated to extend to 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> at 70 amps, for a total load of 1678.8 amps-hours on the battery. Per the Electrical Design Engineer, the new GNB battery is rated at 2415 amps-hours, which bounds the extrapolated load profile. Since the batteries are rated at 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> and therefore higher current loads than that in the extended load profile, the linear extrapolation is conservative."
CE~G IR 510 R, _0 PS$AN OBSERVATION (ID: SY-13) / Element SY I Subelement SY-17, SY-20 The control system study states that only single failures that cause the failure mode of interest are considered. For the AFAS generated signals, this results in modeling common cause only. Although this approach may provide a good estimate of the failure rate of these safety signals, it does not necessarily provide the confidence that the signals are appropriately modeled. For AFAS, it appears that since the AFW flow path valves must cycle that control system dependencies may have been missed. That is, normally ESFAS relays appeared to be locked-out following actuation, but for the AFAS valves, the relays need to react to the process system (S/G low and high level). It is likely that 120 VAC Vital Bus A and B are needed.
LEVEL OF SIGNIFICANCE B - Two buses would need to fail.
POSSIBLE RESOLUTION Add power dependencies.
PLANT RESPONSE OR RESOLUTION No additional control circuits need be modeled.
Per 40EP-9EO1 0, Standard Appendices, Rev. 15, Appendix 39 for AFB-P01, App. 40 for AFA-P01, App. 41 for AFN-P01, and App, 43 for condensate, auxiliary and alternate feedwater flow is throttled as an initial operator action in aligning flow to the steam generators. Feedwater flow is not controlled by cycling valves open and closed, although the design has the capacity to automatically maintain flow by cycling the class AFW isolation valves. The initial operator alignment throttles feedwater flow using a motor operated valve from the main control board, and flow and steam generator level are monitored on the main control board with manual adjustment of MOV position for decreasing steam rates due to decreasing decay heat. Since flow and steam generator level are being manually controlled by the RO, no additional control circuits need be modeled. The HRA for throttling flow is addressed under HR-04.
CEI iTIREGA RDjNGPSA OBSERVATION (ID: DA-01) / Element DA I Subelement DA-4 In quantifying the failure rate of the turbine driven AFW pump to start and run, failures were not considered based on modifications to prevent turbine overspeed trips due to excessive condensation in steam lines. That is, failures that occurred prior to 1995 (that were determined to be due to excessive condensation) were removed from consideration. A reduction in the impact of these failures would be more appropriate than eliminating these failures from consideration.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Review data analysis and consider modifying the start and run failure rates.
PLANT RESPONSE OR RESOLUTION No change to the model will be made.
Since 1/1/1995 to date there has been one AFA pump failure for all three units (CRDR 290019) which was an overspeed due to a governor valve failure in Unit 2, where the spring seat worked loose. There are no overspeed trips due to condensate in the steam lines since the plant modification. While taking a percentage reduction in failures when the modification was first installed would be appropriate, the five years of data on three plants accumulated to date is sufficient to show that excess condensate is no longer an expected failure mode and that it is appropriate to adjust the failure data by excluding these historical failures.
N0 GE A150GARD~GS ME DINtN OBSERVATION (ID: DA-02) /Element DA I Subelement DA-4 Currently for demanded components, the failure likelihood is assumed directly related to the surveillance interval. The equation used is 1-exp(-lambda*(interval)/2). This assumption is predicted on the assumption that the likelihood of failure on demand is purely proportional to the hourly failure likelihood. This is not necessarily true. Analysis should be done to ensure that the demand failure likelihoods are appropriately calculated. There are components of the demand failure rate that are not proportional to time such as shock and human errors.
LEVEL OFSIGNIFICANCE B
POSSIBLE RESOLUTION Examine plant specific data, estimate the fraction of a demand failure rate associated with shock/human error compared to idle failures.
PLANT RESPONSE OR RESOLUTION No changes are being made in response to this observation.
The PVNGS failure rates are based on data which was not differentiated between demand and time-related failures. When the data was Bayesian updated, an engineering judgment was made based on the data as to whether the failures were dominantly demand or time-related and a demand rate or failure rate was selected. To be able to split up the failures into demand and time-related categories would require binning of all the plant specific failures into these categories, a major investment of resources. It is indeterminate as to the impact on total CDF and LERF for the proposed use of both demand and time-related failure rates for all components, since these would be fractions of the existing failure rates. The proposed resolution to estimate the fraction of demand failure rate is no different in accuracy than the engineering judgment currently in place to use either a demand or time-related failure rate as predominate.
Based on availability of data, it will be considered during the next Bayesian update.
Subsequent to the ISI analysis a data update (moved to demand failure rates) was performed in 2005. The results of the update had a minimal change in CDF.
G 4MOG PSA OBSERVATION (ID: DA-04) / Element DA I Subelement DA-8 Following common cause factors are significantly lower then INEEL recommended values:
pumps gamma and delta factors EDG failure to start beta AFW pumps failure to run beta generic pumps - beta Note: these are based on generic sources therefore there is a concern that the values are significantly different from INEEL generic data. A sensitivity evaluation was performed which put these values to those similar to INEEL recommended values caused a CDF increase of approximately 7%.
LEVEL OF SIGNIFICANCE A
POSSIBLE RESOLUTION Use up to date values from INEEL or use INEEL database to derive new values.
(Note: the methodology used was done per acceptable "older" PLG standards and methodology. It is possible that the plant configurations make it less susceptible to common cause, but the values are being used across many systems for the pump MGL values.)
PLANT RESPONSE OR RESOLUTION No change to the model.
There would be approximately a 7% change in total CDF if CCs were updated. This increase is not enough to change a ranking of medium to high for the systems of concern in the RI-ISI evaluation.
Subsequent to the ISI analysis a model update to use the INEEL data and the new CC methodology were incorporated into the model. The change resulted in a decrease to both CDF and LERF; 11% for CDF and 27% for LERF.
rn1Ah~N~PSA OBSERVATION (ID: DA-06) / Element DA I Subelement DA-9 When grouping components together for data, are component specific data differences reviewed. (i.e. are a disproportionate number of failures attributed to one component but spread out over several)? Also are the numbers of demands/run hrs comparable.
LEVEL OFSIGNIFICANCE B
POSSIBLE RESOLUTION Document the process used.
PLANT RESPONSE OR RESOLUTION Observation remains open (2000-86).
Method of documentation and not a model problem.
Component differences were looked at when grouping components together during the Bayesian update and an engineering judgment made on where to divide the components into groups. This was not specifically documented in the study. The data was not categorized into demand and time-dependent failures (refer to DA-02).
Note: Subsequent to the ISI analysis, a model update of failure rates, probabilities and Bayesian updating (unavailability and initiating event frequencies were not updated, except loss of off-site power) resulted in a small change in CDF and 24% reduction in LERF to the Rev 13 version of the model.
CEO-G-F50W' Sý .iWWVOEARDN PSA, TEemIiMA1 ELEM NXTS OBSERVATION (ID: DA-07) / Element DA I Subelement DA-13 The NSAC document referenced in evaluating the LOP frequency and duration (NSAC-203, "Losses of Offsite Power at U.S. Nuclear Power Plants thru 1993") is not current.
More recent NSAC and EPRI documents are available as a reference source. These documents have the potential to increase the likelihood of offsite power recovery since LOP events and their duration have trended downward.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Update data used to support recovery from a loss of offsite power.
PLANT RESPONSE OR RESOLUTION Observation closed (2000-88).
Initiator was updated using the current data.
..... MPSA OBSERVATION (ID: DA-08) / Element DA I Subelement General Plant specific data was derived from a limited number of years data (1994 thru 1996)
LEVEL OFSIGNIFICANCE B
POSSIBLE RESOLUTION Consideration should be given to expanding the basis of the plant specific data.
PLANT RESPONSE OR RESOLUTION No additional actions are required.
It is intended to periodically Bayesian update the failure data every two cycles (3 years),
which will expand the plant specific data being used. Different reporting requirements existed in earlier years which makes it difficult to correlate the data to the current maintenance rule reporting criteria. So for consistency, earlier data is not being used.
Subsequent to the ISI analysis a model update of failure rates, probabilities and Bayesian updating (unavailability and initiating event frequencies were not updated, except LOOP) resulted in a small change in CDF and 24% reduction in LERF to the Rev 13 of the model. The plant data range used for the 2005 update was 1998 to 2004.
CWGJ _;PS OBSERVATION (ID: HR-01) / Element HR / Subelement HR-1, HR-14 Guidance effectively describes the quantification process. Two areas were identified for possible improvements:
- 1. The process and degree of operation input and review is not documented.
Operation input as described appears to be marginal. It was stated that operator input was always obtained for knowledge based actions and was obtained as required for complete skill and rule based actions. A better practice would be to have all actions developed with operator input.
- 2. The process for selecting HRAs was not described. A process is identified in SHARP. It appears that the SHARP process was not used. However, an undocumented, iterate process between the system analyst and the human action analyst appears to be adequate.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Consider improving the process for obtaining operator input.
PLANT RESPONSE OR RESOLUTION Observation resolved. Section 5.1.8 was added to HRA study.
- 1. Although not specifically called out in the study, operator input was obtained in developing HRAs. The PVNGS Emergency Procedures were followed closely to identify the required operator actions. Thus, the quantified operator actions are predominantly rule-based and skill-based. SRO training personnel and operator input was obtained for all the knowledge-based actions and was obtained as required for skill-based and rule-based actions.
- 2. The HRA study (13-NS-B62) describes the iterative process used to determine the HRA application and limitation / boundary.
CEOG~ ~ ~ M
~aAR[NPSAý kAL~RVA0 TEC5J7HN! CAA'LE' ELEMENTS OBSERVATION (ID: HR-03) I Element HR I Subelement HR-4, HR-5, HR-6, HR-7 In the HRA document (B62), Section 4.2, concludes that miscalibration and common cause miscalibration of critical sensors is negligible at PVNGS. This is not consistent with the results from other PRAs. Specifically, the first supporting paragraph of dedicated teams does not minimize exposure to common cause, it actually maximizes common cause. PVNGS's staff previously identified this item.
LEVEL OFSIGNIFICANCE B - Common cause calibration errors have been shown as being significant in other PRAs.
POSSIBLE RESOLUTION Assess the calibration and review process and add pre-initiator human errors as appropriate. Focus should be on instrumentation and control systems. Common cause data on human errors for these types of systems appears to be under-reported. In addition, modify the HRA documentation to remove the negligible statement.
PLANT RESPONSE OR RESOLUTION Observation resolved (1998-35)
Documented in the HRA study (1 3-NS-B62) addresses miscalibration of critical sensors.
Added HRA to emergency actuation equipment.
CE~JN~GARW NO PSA OBSERVATION (ID: HR-04) / Element HR I Subelement HR-9 It was stated in the opening presentations that the operators would take manual control of the AFW flow path globe valves. This action is not modeled. The current model appears not to include any action to control flow with the exception of local manual control.
LEVEL OFSIGNIFICANCE A - Effective control of AFW is important to avoid under or over fill.
POSSIBLE RESOLUTION Add human action to control AFW flow. Considered the various boundary conditions including whether indication is available and whether the AFAS control system is functioning as a backup to close the AFW flow gate valves.
PLANT RESPONSE OR RESOLUTION Observation resolved. No change to the model was made.
A note was added to the Human Recovery Action study. This failure was determined to not significantly impact the current value for AFA recovery. Per 40EP-9EO1 0, Standard Appendices, Rev. 15, Appendix 39 for AFB-P01, App. 40 for AFA-P01, App. 41 for AFN-P01, and App, 43 for condensate, auxiliary and alternate feedwater flow is throttled as an initial operator action in aligning flow to the steam generators. Current HRAs address failure to align AF or Alternate feedwater, since throttling flow is part of the initial alignment, the initial throttling action is accounted for in the existing HRAs for failure to align feed.
I ~FAI~[N~PSAA OBSERVATION (ID: HR-06) / Element HR I Subelement HR-20 The cycling of the AFW flow path globe and gate valves to maintain AFW flow is not modeled.
LEVEL OF SIGNIFICANCE A - The failure contribution of the valve cycling and of the control systems including their dependencies may result is a reduction in the calculated reliability of AFW.
POSSIBLE RESOLUTION Add the impact of the failure of flow control to the model.
PLANT RESPONSE OR RESOLUTION No changes are required Per 40EP-9EO1 0, Standard Appendices, Rev. 15, Appendix 39 for AFB-P01, App. 40 for AFA-P01, App. 41 for AFN-P01, and App, 43 for condensate, auxiliary and alternate feedwater flow is throttled as an initial operator action in aligning flow to the steam generators. Feedwater flow is not controlled by cycling valves open and closed or turning pumps on and off. The initial operator alignment throttles feedwater flow using a motor operated valve from the main control board, by the RO, and flow is maintained through monitoring flow and steam generator level on the main control board. Once initially throttled, the valve needs only minor adjustment for decreases in steam rate due to decreasing decay heat. Ifthe valve failed in this state, level change would be slow and the operator would have time to react to take local manual control of the valve, isolate the flowpath, or change to a different flowpath. Failure of the valve to be throttled is bounded by the fail to open or fail to remain open basic events for the valve.
.... CEOG* **ssiB g
- O #E*GALON:G'.rlPSA OBSERVATION (ID: HR-08) I Element HR I Subelement HR-25 A sensitivity study to determine human action dependencies was not performed nor documented with the PRA results. This is considered to be a good practice to ensure dependent human actions are not inappropriately used. A sensitivity analysis was performed during this review. No issues were noted.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Run model sensitivity runs failing the human actions to determine if any human actions are being applied independently in cutsets where a dependency exists. A methodology should also be developed to document and store sensitivity analysis.
PLANT RESPONSE OR RESOLUTION Observation closed. No issues were identified. Guidance provided in the PRA model guidelines During the assessment an evaluation was made with all HRAs set to "true" and the recovered cutsets were examined to ensure that no dependent operator actions were in the same cutset.
F I II je OBSERVATION (ID: HR-09 ) / Element HR I Subelement HR-20 Human Action (HA) 1AFN-MSIS ---- HR is failure of the operator to override MSIS and align the N pump. This action includes diagnosis error. The action 1AFN-MSIS-ND-HR, is a modification factor to remove the diagnosis component of 1AFN-MSIS---- HR.
In the the quantification of these two elements (13-NS-B62, p90 and 91) it it stated that IAFN-MSIS-ND-HR is to be used with 1AFN-MSIS ---- HR when it occurs in conjunction with failure to align or utilize the code pumps, i.e., in conjunction with another human action that had an equivalent diagnosis element. This is considered appropriate.
However, as seen in cutset 10 and others, these two HAs are being used together in cutsets which do not include another HA with the equivalent diagnosis element. This is inappropriate. In cutset 10, the initiator is loss of 125 VDC PKB-M42 which results in loss of one AFW pump, an MSIS, failure of the downcomer valves, failure of the turbine-driven AFW pump and the 1AFN-MSIS ---- HR/1AFN-MSIS-ND-HR combination. This does not appear to be appropriate because there is no other HA which includes the requisite diagnosis error. This is contrary to the stated application conditions in 13-NS-B62.
The above discussion also applies for the 1AFW-MFW----HR/IJAFW-MFW-ND-HR combination and any other equivalent combinations.
After looking at models in more detail, found that there was another Human Action in the chain. Direct solution of the trees would yield a cutset with two HEPs. A recovery analysis pattern removed the two related Human actions and replaced them with the pairings discussed above. The concept appears to be appropriate but the manner in which it is applied is confusing at least in this case.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Revise the recovery analysis pattern so that it replaces the two related Human Actions with a replacement human action that includes the appropriate joint diagnosis element.
PLANT RESPONSE OR RESOLUTION Observation resolved.
Corrected the recovery of the turbine driven auxiliary feedwater pump, which included corrections to the HRA recoveries. The cutsets were reviewed for inappropriate double HRAs as part of the revision, and a specific review of the top 100 cutsets was made to verify that the condition described in this observation no longer exists.
E- 76 M tJEGRf GP-SA 1~i~ ~ 'ELE, ENS kAJN OBSERVATION (ID: DE-02 ) / Element DE / Subelement DE-l, DE-3, DE-5 As mentioned earlier there is no guidance for the system analysis process. This applies to the dependency aspect of the process as well. Section 3.3 of a system study lists the dependencies associated with the system. In general, the table appears to completely describe the dependencies associated with the system. I did notice several cases in the HPSI system study where the component numbers were not identified: 1 PHAM37-480-1PW/GHLIA1-2, 1 PHBM38-480-1PW/GH12-9, 1SAARAS-TRA--1AT/GRASA-K405
[MOV 674], etc. In some cases, it was possible to determine the component dependency. In other cases, it was not. Each component and its associated dependency should be explicitly identified.
The dependencies associated with hot leg injection appear to be improperly identified.
MOV-321 should be 4PKCM43-125--I PW and MOV-331 should be 4PKDM44-125--
1PW.
The plant references for the dependencies are not directly linked to unique component dependencies. In stead, the references are listed in a single large mass in Appendix D.
In would probably save time and lead to better traceability if the references are directly associated with each dependency.
There are no plant references associated with the HVAC dependencies dedicated to the HPSI system. This applies to 1EWAECOOLWA--1OP, 1EWBECOOLWB--1OP, 1PHBM38-480-1 PW, 1SPAESPA---1 OP, etc. The plant references could be a simple as UFSAR text if direct failure is assumed to as complicated as design heat-up calculations.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Directly link dependencies to plant references and ensure all dependencies mention a component.
PLANT RESPONSE OR RESOLUTION Observation resolved.
Corrected issue on power source to MOV-321/331 No further changes are required to address this observation. The remaining generic issues described in this observation are dealt with under DE-1 0.
CFO~~~~~~~~iV
-- r - R W-N?¶~
-1 M9B 4ý VS 3 heA
,ra, I~ef-A-P RS A
_ LE-LEM NTS' OBSERVATION (ID: DE-05 ) / Element DE I Subelement DE-4 Although dependencies are identified in the system analysis, there is no dependency matrix. A dependency matrix is a valuable tool for reviewers and newcomers to the group. I believe that our evaluation of Accident Sequences would have been much more comprehensive with a dependency matrix. There are no plant references associated with the HVAC dependencies dedicated to the HPSI system. This applies to 1EWAECOOLWA--1 OP, 1 EWBECOOLWB--l OP, 1 PHBM38-480-1 PW, 1SPAESPA---
lOP, etc. The plant references could be a simple as UFSAR text if direct failure is assumed to as complicated as design heat-up calculations.
LEVEL OFSIGNIFICANCE B
POSSIBLE RESOLUTION Create a dependency matrix.
PLANT RESPONSE OR RESOLUTION Observation closed.
A dependency matrix was part of the original PVNGS IPE due to its use in PLG methodology for developing a PRA. Dependencies are documented in the individual System Studies with the source documents listed in the References section of these System Studies. While they are not specifically linked to make the job easier for an outside reviewer, the information is present. Guidelines were changed to include guidance in identifying dependencies when developing fault trees.
OBSERVATION (ID: DE-07 ) / Element DE I Subelement DE-7 In general, human actions across systems appear to treat dependency appropriately.
There are some cases where dependencies across system are not properly addressed.
RE-AFA-LOCAL is used redundantly to IALFW-2HRS-HR in sequences 7634, 14966, etc. (per C-29 Rev. 3).
LEVEL OF SIGNIFICANCE A
POSSIBLE RESOLUTION Directly incorporate RE-AFA-LOCAL in the fault tree such that other decay heat removal related actions will cause that action to fail.
PLANT RESPONSE OR RESOLUTION Observation closed Revised the recovery patterns to preclude recovery with Train A auxiliary feedwater of cutsets including other auxiliary feedwater or alternate feedwater HRA events.
PISA OBSERVATION (ID: DE-08 ) / Element DE I Subelement DE-7 Since the general rule is documented as one-recovery actions per sequence (B-062),
exceptions should be noted and justified. For example, the GT recovery and the AFW PP A recovery actions are credited redundantly. This is probably appropriate, but the paragraph in B-062 indicates this is not typically done. Therefore justifying the exceptions is probably appropriate.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION List acceptable redundant human actions.
PLANT RESPONSE OR RESOLUTION Observation closed.
As noted in the observation and study 13NS-B062, multiple dependent recoveries are not currently used. The recovery patterns are prioritized so that only the highest priority recovery is applied, preventing double recoveries.
OBSERVATION (ID: DE-10 ) / Element DE I Subelement DE-12, DE-13, DE-14 The documentation is considered marginal largely based on the lack of traceability of the system studies to plant documentation for each component dependency.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Directly link dependencies to plant references.
PLANT RESPONSE OR RESOLUTION Observation closed.
Dependencies are documented in the individual System Studies with the source documents listed in the References section of these System Studies. While they are not specifically linked to make the job easier for an outside reviewer, the information is present. No model error is documented in this observation. In developing new or modifying existing fault trees there is a need for consistent identification and documentation of dependencies. Guidelines were updated for the PRA analysts that will include guidance in identifying and documenting dependencies, which will be used as the model, is updated.
OBSERVATION (ID: QU-01 ) / Element QU I Subelement QU-1 The quantification report describes the quantification, but the process is difficult to follow unless knowledgeable about the code used and the specific steps to follow. It is sometimes hard to determine the basis for the delete term logic and the recovery patterns.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION APS should consider either adding a section to the quantification document to provide a high level, easy- to-follow, overview description of the quantification process with pointers to sections that define the basis for and provide the specifics of each individual quantification step. This is particularly important with respect to the delete term logic development and development of the recovery patterns as these to elements can have significant impact on the overall results.
PLANT RESPONSE OR RESOLUTION Observation open.
No impact to the RI-ISI evaluation.
Method of documentation and not a model problem.
The quantification steps are documented in studies 13-NS-B67and 13-NS-C29. The quantification is part of the Risk Spectrum software. The software and data are maintained on a controlled drive under procedure 70DP-ORA03. An explanation of how to use the software is in the "Risk Spectrum PSA Professional - Getting Started" handbook. An explanation of the calculations used to quantify the accident sequences is in the "Risk Spectrum Professional - Theory Manual." The table of recovery patterns includes a detailed description for each recovery. PRA analysts are trained on how to perform quantification and complete Job Qualification Card No. ESP14-01-003, "Accident Seauence Solution" as part of their trainina.
ANS OBSERVATION (ID: QU-03) / Element QU I Subelement QU-18, QU-19 Currently, RE-AFA-LOCAL is being used to recovery 1AFAP01-TPAFS. This is a hardware failure basic event. An evaluation should be done to determine the fraction of the basic event that is recoverable. This appears in numerous sequences (e.g. 7830 &
14989 [per C-29 Rev. 3]).
LEVEL OF SIGNIFICANCE A
POSSIBLE RESOLUTION All hardware failure recoveries should have a strong well-documented basis.
PLANT RESPONSE OR RESOLUTION Observation closed.
Currently it is an assumption in study 13NS-B091, AT-POWER PRA STUDY FOR APPLICATION OF CUTSET RECOVERY that AFAP01 TPAFS failures are recoverable.
This was based on a PRA review of PVNGS start failures not documented in the assumption. The model assumes that all turbine driven auxiliary feedwater pump start failures (TPAFS) are recoverable. This is consistent with pump operating history, as the pump has not had a non-recoverable start failure through the last failure data review.
Any non-recoverable start failures will be included in the calculation of TPAFR, which is not recoverable. This method of determining TPAFR and TPAFS prevents the need to apply an additional fraction to RE-AFA-LOCAL to account for non-recoverable start failures.
Failure of the trip and throttle valve (AFAHV0054) is not modeled separately, but is included in determining TPAFS and TPAFR. See study 13-NS-B063, PVNGS At-Power PRA Study for Generic, Bayesian Update, and Reliability Analysis for guidelines for determining proper classification of HV0054 failures.
if OBSERVATION (ID: QU-04) / Element QU I Subelement QU-18. QU-19 Currently, RE-AFA-LOCAL is inappropriately being used to recover some SOSV events.
The initial failure of the AFW Pump A causes a primary safety lift. The recovery of AFW Pump A would not prevent a lift. Therefore, RE-AFA-LOCAL should not be used when the primary safeties lift.
LEVEL OF SIGNIFICANCE A
POSSIBLE RESOLUTION The application of recovery factors should be reviewed to ensure the recoveries are appropriately modeled.
PLANT RESPONSE OR RESOLUTION Observation closed AFW fault tree was revised to delineate recoverable faults and tag them with a flag.
The recovery pattern now searches for the flag in the cutsets. Thus recovery of non-AF cutsets was eliminated.
-C:Bi]-NG PSAA OBSERVATION (ID: QU-05) / Element QU I Subelement QU-18, QU-19 It would probably be a good idea to delete the front *s in the recover search equations.
I did not find any instances where this caused a problem in the existing model, but it could be causing problems by accidentally selecting the middle of a basic event verses the beginning.
LEVEL OFSIGNIFICANCE B
POSSIBLE RESOLUTION Delete the front *'s in the searches.
PLANT RESPONSE OR RESOLUTION No change made.
The asterisks in the search fields are wild cards required to find all events with that pattern wherever they occur within the cutset. Some patterns intentionally search for portions of the event other than the beginning; e.g. '*TPAFS*". Thus deletion of the wild cards is not reasonable.
OBSERVATION (ID: QU-07) / Element QU I Subelement QU-25, QU-26. QU-28 Even though the data bases contain error factors and their code has the capability to easily perform numerical uncertainty analyses, APS did not perform any uncertainty analyses for this update of the PSA and they did not document any sensitivity studies on the impact of key assumptions as part of this PSA update.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION It is recommended that APS perform at least a simple numerical uncertainty analysis and sensitivity studies on key assumptions as part of their next update of the Palo Verde PSA.
PLANT RESPONSE OR RESOLUTION At the current time, uncertainty analyses will not be run on the updated PRA.
Sensitivity studies are performed as appropriate for specific applications and documented in the documentation for each application.
CEOG EGAR 1NG PSA OBSERVATION (ID: MU-03) / Element MU I Subelement MU-4 The types of changes tracked by the PRA and how this information is obtained are not specified in enough detail within the procedure.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Provide more detail within the procedure.
PLANT RESPONSE OR RESOLUTION Observation closed.
Procedure 70DP-ORA03 is updated consistent with the new software QA requirements.
It is intended to establish the basic process for impact review that must be followed to ensure software data control requirements are met. It is not intended to spell out the details of the process, such as how to get data from NIRM, what keywords are searched to capture changes, and how it is placed into the impact database. This level of information is more appropriate to a guideline. Guidelines for PRA analyst activities were developed.
l l~3. RE R~lNGPSA OBSERVATION (ID: MU-08) / Element MU I Subelement MU-11. MU-12 There is limited guidance on what needs to be considered for reevaluation when a significant change to the PRA models takes place.
LEVEL OFSIGNIFICANCE B
POSSIBLE RESOLUTION Provide more detail on the process that should be used to determine what documents/evaluations are impacted by a significant change to the model. Provide guidelines on when such documents/evaluations need to be modified.
PLANT RESPONSE OR RESOLUTION Observation closed. Guidance on determining impact to applications was included in the PRA analyst guidelines.
The current process places all updated information of the PRA model into study 13-NS-C29 or in revised studies issued in parallel with it. So there is no "gap" in documentation for the PRA and no need to accelerate changes to impacted PRA studies.
Identifying applications impacted by the high priority change. Currently there are few applications and engineering judgment is not unreasonable in evaluating when a PRA update requires the update of an application.
fPSA OBSERVATION (ID:) / Element I Subelement While the quantification documentation includes an excellent tracking of changes on the successive updates, it is lacking a discussion of insights such the importance of plant specific features that drive the results, sensitivity and uncertainty analysis insights, and an interpretation of the results of the risk importance analysis. There is no breakdown of accident classes and only very limited information on contribution of specific accident sequences to CDF and LERF, nor any interpretative discussion of the risk importance analysis to develop appropriate insights for accident management. The only insights given prominence are the sources of changes in results from the successive updates.
As such, the results summary seems to be written for the benefit of the PRA team and not to provide any insights on how to better manage the plant in terms of managing risks. An in-depth review and summary of results can often lead to the identification of conservatisms or other model deficiencies that could otherwise be over-looked. Ifthere was more interpretive discussion and development of insights for those responsible for managing the plant, the PRA team would likely be more active than it is today in pursuing risk informed applications. Although no specific impact on the PRA model has been cited, ERIN would propose a new issue at Priority Category B for this item.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION PLANT RESPONSE OR RESOLUTION This is a documentation issue and has no impact on RI-ISI.
F RJ a p~i~f ~
OBSERVATION (ID:) / Element I Subelement The LERF results seem to be highly skewed by the conservatisms in the simplified NUREG LERF model: Containment failures due to severe accident challenges seem to make a larger than expected contribution to LERF while containment bypass events due to SGTR and ISLOCA make relatively small contributions. In the context of realistic state of the art Level 2 PRAs for PWRs with large dry containments, the LERF is typically dominated by containment bypass events such as unisolated SGTR and interfacing system LOCA while severe accident phenomena make normally only minor contributions. While the current results for PVNGS seem reasonable in light of the use of some conservative default split fractions that are part of NRC's simplified Level 2 methodology, there is no interpretive discussion provided in the results summary to provide this or any other perspective.
It does not appear that any credit was taken in the LERF evaluation for implementation of severe accident management procedures to reduce RCS pressure at time of core damage. We suspect that the relative contributions from severe accident phenomena are skewed towards the high side because the contributions from systemic causes such as bypass sequences from SGTR and interfacing systems LOCAs are more realistically evaluated. We were disappointed to see no real discussion or interpretation of the results for LERF and the LERF contributors. Although, the current models can be used to support LERF evaluations for risk informed applications, the relative importance of severe accident phenomena needs to be carefully qualified in any LERF sensitive PRA applications. ERIN would propose a new issue at Priority Category B for this item.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION PLANT RESPONSE OR RESOLUTION Observation is open.
It is recognized that the approach chosen to estimate the contribution to LERF contains conservatisms which result in overestimating the contribution of containment breach. In light of the conservatisms to the results of the RI-ISI application the end result will be to add additional welds into the inspection sample. It is judged that adding more accuracy to the LERF modeling would not merit any significance and would not result in any significant reduction in the choice of weld selections.
OBSERVATION (ID:) / Element / Subelement The PVNGS PRA used generic and plant specific data to estimate some support system initiating event frequencies (NCW,TCW, PCW) ; the applicability of generic data for support systems is questioned; we recommend using a fault tree model supported by an appropriate systems analysis notebook for support system type initiators to ensure that plant specific factors have been considered and to more carefully consider whether the generic data is really applicable. The current documentation is traceable back to NUREG/CR-3862 but there is simply too much variability in plant designs for these systems. Current industry practice is to develop plant specific system models for most if not all support system initiators. On the one hand, the large error factors that have been assigned to the priors developed from industry data tend to soften the impact of the generic data. One the other hand, when the evidence is of the form of zero failures in T years, the selection of the prior tends to drive the posterior especially when the mean frequency is well below 1/T. ERIN would propose a new issue at Priority Category B for this item, and its resolution would make the certification issue here moot.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION PLANT RESPONSE OR RESOLUTION The ISI evaluation was based upon a later version of study 13-NS-B060, At-power PRA System Study for Initiators, which contains a discussion of how generic initiators could be used for these events.
OBSERVATION (ID:) / Element I Subelement The evidence to support that there was a systematic search for plant specific events for consideration in the initiating events to be modeled is limited to a few sentences in the IE documentation and is extremely weak. This opens two questions: have all the plant specific and unique initiators been adequately considered in the baseline CDF, and given nothing to document this search, how will design changes that may influence the initiating event list be picked up? We believe that this issue was also raised in the earlier ERIN review [2] but it was not viewed at that time to be important enough to act on. The Peer Review team also identified this as an issue but they assigned a priority category C to the issue (See F&O IE-2). In other peer reviews this issue has come up fairly often and has been prioritized at Category A on some occasions and B on others but seldom as low as C. Plants that are getting good grades on initiating events almost always have a documented evaluation of specific and unique plant initiating events. In addition, in order to support PRA Capability Level II in the current version of the ASME PRA standard (corresponding to Certification Grade Level 3 for risk informed applications) such a documented systematic search is required. The current analysis and documentation puts too much weight on generic industry sources such as EPRI NP-2230 to establish the case for completeness.
Insights from other industry PRAs conclusively shows that there are important plant specific factors that influence not only the frequency but the possibility and importance of different initiating events. Hence, a documented plant specific analysis is required not only for the baseline PRA but in the evaluation of the impact of design and procedure changes that could influence the selection and frequency of specific initiating events. ERIN proposes to increase the priority on this item to Category A, which implies the highest priority resolution. You may anticipate real problems in risk informed applications with the NRC until this issue is resolved. Based on the existing documentation of the PRA and the good understanding of plant features by the PRA team, the effort required to put together some reasonable documentation in the form of an FMEA table is not expected to be prohibitive. In addition, in the maintenance and update process, the possibility that plant changes could influence the selection of initiating events, albeit infrequent, should be explicitly considered.
LEVEL OF SIGNIFICANCE A
POSSIBLE RESOLUTION PLANT RESPONSE OR RESOLUTION The ISI evaluation was based upon a latter version of study 13-NS-B060, At-power PRA System Study for Initiators, which contains a discussion of how plant specific initiators were determined.