ML15147A018
| ML15147A018 | |
| Person / Time | |
|---|---|
| Site: | Millstone  |
| Issue date: | 05/18/2015 |
| From: | Mark D. Sartain Dominion, Dominion Nuclear Connecticut |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| 15-205, TAC MF4131 | |
| Download: ML15147A018 (20) | |
Text
"iODominion Dominion Nuclear Connecticut, Inc.
5000 Dominion Boulevard, Glen Allen, VA 23060 Web Address: www.dom.com U.S. Nuclear Regulatory Commission Attention: Document Control Desk Washington, DC 20555 May 18, 2015 Serial No.
NLOS/WDC Docket No.
License No.15-205 RO 50-423 NPF-49 DOMINION NUCLEAR CONNECTICUT, INC.
MILLSTONE POWER STATION UNIT 3 RESPONSE TO SECOND REQUEST FOR ADDITIONAL INFORMATION REGARDING LICENSE AMENDMENT REQUEST FOR IMPLEMENTATION OF WCAP-14333 AND WCAP-15376, REACTOR TRIP SYSTEM INSTRUMENTATION AND ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION TEST TIMES AND COMPLETION TIMES (TAC NO. MF4131)
By letter dated May 8, 2014 and supplemented by a letter dated August 8, 2014, Dominion Nuclear Connecticut, Inc. (DNC) submitted a license amendment request (LAR) for Millstone Power Station Unit 3 (MPS3). The proposed amendment would revise TS 3/4.3.1, "Reactor Trip System Instrumentation," and TS 3/4.3.2, "Engineered Safety Feature Actuation System Instrumentation." These proposed changes are based on Westinghouse Electric Company LLC topical reports WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times," and WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times." In an email dated September 22, 2014, the Nuclear Regulatory Commission (NRC) transmitted a request for additional information (RAI) to DNC related to the LAR. DNC responded to the RAI on October 16, 2014. In an email dated March 17, 2015, the NRC transmitted a second RAI.
The attachment to this letter provides DNC's response to the NRC's second RAI.
If you have any questions regarding this submittal, please contact Wanda Craft at (804) 273-4687.
Sincerely, Mark D. Sartain Vice President - Nuclear Engineering COMMONWEALTH OF VIRGINIA COUNTY OF HENRICO Vicki L. WIN NOTARY PUBLIC r
Commonep"t Of VirOilft Roo. *140542 mycomt~ftson Ma 31,1019~s The foregoing document was acknowledged before me, in and for the County and Commonwealth aforesaid, today by Mark D. Sartain, who is Vice President - Nuclear Engineering of Dominion Nuclear Connecticut, Inc.
He has affirmed before me that he is duly authorized to execute and file the foregoing document in behalf of that Company, and that the statements in the document are true to the best of his knowledge and belief.
Acknowledged before me this /8
'day
- ofZ, 2015.
My Commission Expires:
I-5,3-1 Notary Public
- iJL,
) )
Serial No.15-205 Docket No. 50-423 Page 2 of 2 Commitments made in this letter: None
Attachment:
Response to Second Request for Additional Information Regarding License Amendment Request for Implementation of WCAP-14333 and WCAP-15376, Reactor Trip System Instrumentation and Engineered Safety Feature Actuation System Instrumentation Test Times and Completion Times cc:
U.S. Nuclear Regulatory Commission Region I 2100 Renaissance Blvd, Suite 100 King of Prussia, PA 19406-2713 R. V. Guzman Senior Project Manager U.S. Nuclear Regulatory Commission One White Flint North, Mail Stop 08-C 2 11555 Rockville Pike Rockville, MD 20852-2738 NRC Senior Resident Inspector Millstone Power Station Director, Radiation Division Department of Energy and Environmental Protection 79 Elm Street Hartford, CT 06106-5127
Serial No.15-205 Docket No. 50-423 ATTACHMENT RESPONSE TO SECOND REQUEST FOR ADDITIONAL INFORMATION REGARDING LICENSE AMENDMENT REQUEST FOR IMPLEMENTATION OF WCAP-14333 AND WCAP-15376. REACTOR TRIP SYSTEM INSTRUMENTATION AND ENGINEERED SAFETY FEATURE ACTUATION SYSTEM INSTRUMENTATION TEST TIMES AND COMPLETION TIMES DOMINION NUCLEAR CONNECTICUT, INC.
MILLSTONE POWER STATION UNIT 3
Serial No.15-205 Docket No. 50-423 Attachment, Page 1 of 17 By letter dated May 8, 2014 and supplemented by a letter dated August 8, 2014, Dominion Nuclear Connecticut, Inc. (DNC) submitted a license amendment request (LAR) for Millstone Power Station Unit 3 (MPS3).
The proposed amendment would revise TS 3/4.3.1, "Reactor Trip System Instrumentation," and TS 3/4.3.2, "Engineered Safety Feature Actuation System Instrumentation." These proposed changes are based on Westinghouse Electric Company LLC topical reports WCAP-14333-P-A, Revision 1, "Probabilistic Risk Analysis of the RPS and ESFAS Test Times and Completion Times,"
and WCAP-15376-P-A, Revision 1, "Risk-Informed Assessment of the RTS and ESFAS Surveillance Test Intervals and Reactor Trip Breaker Test and Completion Times." In an email dated September 22, 2014, the Nuclear Regulatory Commission (NRC) transmitted a request for additional information (RAI) to DNC related to the LAR. DNC responded to the RAI on October 16, 2014. In an email dated March 17, 2015, the NRC transmitted a second RAI. This attachment provides DNC's response to the NRC's RAI.
Question 1 The license amendment request (LAR) identifies for both Westinghouse Commercial Atomic Power (WCAP)-14333 and WCAP-15376 application that Tier 2 restrictions do not apply when the bypass capability is being used:
" Page 15: "These restrictions do not apply when a logic train is being tested under the 4-hour bypass of TS 3.3.2 Action 14, or TS 3.3.2 Action 22."
" Pages 16 and 17: ".... with the exception of [Engineered Safety Feature Actuation System] ESFAS Functional Unit 2.c, "Containment Spray, Containment Pressure High-3," and ESFAS Functional Unit 3.b.3, "Containment Isolation, Phase B Isolation, Containment Pressure High-3. TS Action 17 requires that both of these functions be placed in bypass when inoperable."
" Page 17: "These restrictions do not apply when a RTB train is being tested under the 4-hour bypass for proposed TS 3.3.1 Action 10."
Please explain the basis for these conclusions. Is this Tier 2 conclusion regarding bypass capability a general conclusion for Tier 2 or is it applied only to those instances mentioned in the LAR?
DNC Response The statements on pages 15 and 17 regarding the Tier 2 restrictions not being applicable when a logic train or reactor trip breaker (RTB) is being tested in bypass is a general statement that means with the equipment already in bypass, additional failure causes do not have to be considered. These statements do not apply to the Tier 2 restrictions listed in Attachment 4 of the LAR.
The statement on pages 16 and 17 regarding the Tier 2 restrictions not being applicable when either ESFAS Function 2.c or 3.b.(3) is placed in bypass would have allowed some additional operational flexibility.
However, since this condition is not likely to
Serial No.15-205 Docket No. 50-423 Attachment, Page 2 of 17 occur, DNC is withdrawing the request for these exceptions.
Commitment 3 in of the LAR will be revised to remove the exception for ESFAS Functions 2.c and 3.b.(3). The revised commitment will read:
"DNC will implement administrative controls to ensure that activities that cause RTS and ESFAS master relays or slave relays in the available train to be unavailable, and activities that cause RTS and ESFAS analog channels to be unavailable, should not be scheduled when a logic train and RTB train is inoperable for maintenance."
Question 2 The LAR discusses WCAP-14333 and WCAP-15376 Tier 2 conclusions. Please clarify whether the licensee has performed a Tier 2 evaluation to confirm the WCAP Tier 2 conclusions. If Tier 2 restrictions other than those are identified by the licensee's evaluation, discuss the updated Tier 2 assessment.
DNC Response The Tier 2 restrictions were determined qualitatively using a defense-in-depth approach.
The accident scenarios that the out-of-service equipment is designed to mitigate were identified.
Scheduled maintenance is then restricted on the remaining equipment designed to mitigate those accident scenarios. For example, with an RTB inoperable and thus the likelihood of incurring an automatic transient without scram (ATWS) increased, scheduled maintenance on the functions credited with ATWS mitigation (i.e.,
RCS pressure relief, auxiliary feedwater (AFW) pumps, ATWS mitigating system actuation circuitry (AMSAC), turbine trip) will be restricted.
Similarly, with an ESFAS logic train inoperable and thus the automatic actuation capability of one emergency core cooling system (ECCS) train unavailable, scheduled maintenance that affects the automatic actuation of an ECCS component on the opposite train will be restricted.
Question 3 One important configuration identified in the NRC staff's safety evaluation for WCAP-15376 is when one logic cabinet and associated reactor trip breaker (RTB) are out-of-service simultaneously. If this configuration is allowed by the LAR, discuss whether this configuration at MPS3 is consistent with the WCAP-15376 Tier 1 and Tier 2 evaluation, or discuss any significant changes from the WCAP-15376 Tier I and Tier 2 conclusions.
DNC Response This configuration is addressed by the LAR when one logic cabinet and associated RTB are both inoperable during performance of the periodic solid state protection system (SSPS) operability test.
The Tier 2 restrictions listed in Attachment 4 will be
Serial No.15-205 Docket No. 50-423 Attachment, Page 3 of 17 implemented during the periodic SSPS operability test when a logic train and associated RTB are inoperable.
The Tier 2 restrictions of WCAP-14333 and WCAP-15376 were described in Sections 4.2.1 and 4.2.2 of the LAR and then combined into the commitments in Attachment 4 of the LAR. Upon review, the WCAP-15376 Tier 2 restriction regarding one logic cabinet being removed from service when an RTB is out of service was listed in the LAR in Section 4.2.2 using the word "or" rather than "and".
DNC considers that for the condition when both a logic cabinet and an RTB are out of service, the restrictions listed in Attachment 4, Commitment 3 of the LAR would apply. However, for clarity, and to more closely align with the wording in Section 8.5 of WCAP-15376, the wording of the commitments in Attachment 4 of the LAR will be revised. See the response to Question 4.
Question 4 The LAR Section 4.2.2 discusses a Tier 2 restriction which appears to be substantially different from the WCAP-15376 Tier 2 findings. WCAP-15376 Section 8.5 provides Tier 2 restrictions when an RTB is out of service. The LAR Section 4.2.2 Tier 2 as described in number 2 does not mention precluding activities when one logic train is unavailable.
Please justify why the WCAP-15376 Tier 2 restriction in Section 8.5 of the topical report regarding one logic cabinet being removed from service (second bullet) does not apply to MPS3 when an RTB is out of service, or propose a Tier 2 restriction consistent with WCAP-15376.
DNC Response The Tier 2 restrictions of WCAP-14333 and WCAP-15376 were described in Sections 4.2.1 and 4.2.2 of the LAR and then combined into the commitments in Attachment 4 of the LAR.
Upon review, WCAP-15376 Tier 2 restriction regarding one logic cabinet being removed from service when an RTB is out of service, was listed in the LAR in Section 4.2.2 using the word "or" rather than "and".
DNC considers that for the condition when both a logic cabinet and an RTB are out of service, the restrictions listed in Attachment 4, Commitment 3 of the LAR would apply. However, for clarity, and to more closely align with the wording in Section 8.5 of WCAP-15376, the wording of the commitments in Attachment 4 of the LAR will be revised. Commitment 1 aligns with the first bullet in Section 8.5 of WCAP-1 5376, Commitment 3 aligns with the second bullet in Section 8.5 of WCAP-15376, and Commitment 4 aligns with the third bullet in Section 8.5 of WCAP-15376. Commitment 2 is a restriction added to align with the MPS3 Tier 2 analysis described in the response to RAI Question 2. The revised commitments will read:
Serial No.15-205 Docket No. 50-423 Attachment, Page 4 of 17 Commitment DNC will implement administrative controls to ensure that activities that degrade the availability of the RCS pressure relief system, the auxiliary feedwater system, AMSAC, or turbine trip should not be scheduled when an RTB is inoperable for maintenance.
DNC will implement administrative controls to ensure that one complete ECCS train and its cooling systems (e.g., service water and component cooling water) that can be actuated automatically must be available when a logic train is inoperable for maintenance.
DNC will implement administrative controls to ensure that activities that cause RTS and ESFAS master relays or slave relays in the available train to be unavailable, and activities that cause RTS and ESFAS analog channels to be unavailable, should not be scheduled when a logic train and an RTB train is inoperable for maintenance.
DNC will implement administrative controls to ensure that activities that result in the inoperability of electrical systems (e.g., AC and DC power) that support the RCS pressure relief system, the AFW system, and AMSAC, turbine trip should not be scheduled when an RTB train is inoperable for maintenance.
DNC will implement administrative controls to ensure that activities that result in the inoperability of electrical systems (e.g., AC and DC power) that support the available train should not be scheduled when a logic train and an RTB train is inoperable for maintenance.
Question 5 The LAR states that there are no Tier 2 limitations when a slave relay, master relay, or analog channel is inoperable. This conclusion appears to be based on information provided in Tables Q11.1 and Q18.1 from a letter dated December 20, 1996, transmitting a response to a request for additional information regarding WCAP-14333 (Reference 7 in the LAR). The LAR provides justification for no Tier 2 restrictions for the quench spray system (QSS). However, Table Q18.1 shows that some systems, when assessed for maintenance of master or slave relays, have a relative increase in system importance with respect to the "no test or maintenance" column. Please explain why the relative importance of systems other than the QSS do not result in Tier 2 limitations when a slave relay, master relay, or analog channel is inoperable.
DNC Response DNC is following the WCAP-1 5376 analysis, which does not recommend establishing a Tier 2 requirement when only a master relay, slave relay, or analog channel test is
Serial No.15-205 Docket No. 50-423 Attachment, Page 5 of 17 being performed.
From a Tier 2 perspective, DNC will not allow maintenance on an opposite train ECCS function, or their support systems, or any system that mitigates an ATWS..
Question 6 The LAR Section 4.5.5 identified some fire area vulnerabilities. Describe the process the licensee follows to determine if Tier 2 or Tier 3 compensatory measures are needed for the LAR proposed changes with respect to fire-related risk.
DNC Response DNC has adopted the guidance provided in NUMARC 93-01, Revision 4A Section 11.3.4.3 when assessing fire risk within the 10 CFR 50.65(a)(4) process. The following two criteria are used to identify fire risk significant components:
- 1. Incorporate quantitative PRA insights
" Identify the components corresponding to random failure and test/maintenance basic events with internal events CDF RAW > 2.0.
Remove those components not listed on the Safe Shutdown Equipment List (SSEL).
" Remove those components that are Technical Specification limited (i.e., have an allowed outage time (AOT) < 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />) AND require transitioning to mode 5.
- 2. Incorporate qualitative insights based on fire mitigation strategy
" Identify components that, when removed from service, render the unit with no core damage mitigating success paths.
Remove those components that are Technical Specification limited (i.e., have an allowed outage time (AOT) <72 hours) AND require transitioning to mode 5.
For components that meet either criterion, Technical Requirements Manual actions are established when a fire risk significant component is removed from service for greater than 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Note that the reactor protection system (RPS) components affected by the proposed amendment are not fire risk significant and thus, any fire risk incurred would be due to the additional equipment removed from service.
Based on the fire risk significant criteria listed above, components only meeting criterion 1 are less risk significant than components meeting criterion 2 since redundant equipment would be available to mitigate fire scenarios where criterion 1-
Serial No.15-205 Docket No. 50-423 Attachment, Page 6 of 17 only components are out of service. Furthermore, the risk of these configurations is adequately managed by the TRM risk management actions. As a result, criterion 1-only components do not warrant additional Tier 2 or Tier 3 compensatory measures.
Alternatively, criterion 2 components provide the only available core damage mitigation success path for certain fire scenarios, and therefore have high fire risk significance due to the lack of redundancy. Consequently, components meeting criterion 2 are deemed reasonable candidates for developing a Tier 2 or Tier 3 compensatory measure.
The table below lists the fire risk significant components that could potentially be removed from service when an RTB and/or logic train is inoperable.
Fire Risk Significant Components Component ID Description 3FWA*TK1 DEMINERALIZED WATER STORAGE TANK 3EGS*EGA DIESEL GENERATOR 3EGS*EGA (includes support systems) 3EGS*EGB DIESEL GENERATOR 3EGS*EGB (includes support systems) 3RCS*PCV455A PORV 3RCS*PCV455A 3RCS*PCV456 PORV 3RCS*PCV456 3CCE*E1B CHARGING PUMP COOLING PUMP HEAT EXCHANGER 3CCE*E1 B (includes 3CCE*TV37B) 3CCE*P1B CHARGING PUMP COOLING PUMP 3CCE*P1B 3CHS*P3B CHARGING PUMP 3CHS*P3B 3CCE*E1A CHARGING PUMP COOLING PUMP HEAT EXCHANGER 3CCE*E1A (includes 3CCE*TV37A) 3CCE*P1A CHARGING PUMP COOLING PUMP 3CCE*P1A 3CHS*P3A CHARGING PUMP 3CHS*P3A 3SIH*P1A SIH PUMP 3SIH*P1A (includes 3SIH*V1 1, 3SIH*MV8814, 3SIH*MV8813) 3FWA*P2 TURBINE-DRIVEN AFW PUMP 3FWA*P2 3FWA*P1A MOTOR-DRIVEN AFW PUMP 3FWA*P1A (includes discharge and S/G supply check valves) 3FWA*P1B MOTOR-DRIVEN AFW PUMP 3FWA*P1B (includes discharge and S/G supply check valves)
Of the equipment listed, only the turbine driven AFW pump meets criterion 2.
The turbine driven AFW pump has already been included in the proposed Tier 2 restrictions (i.e., AFW system components will not be removed from service when an RTB is
Serial No.15-205 Docket No. 50-423 Attachment, Page 7 of 17 inoperable for maintenance).
As a result, no additional Tier 2 restrictions are recommended.
Question 7 The LAR notes that the licensee has developed and implemented the guidance in configuration risk management program (CRMP) at MPS3; however, the LAR does not conclude that the CRMP meets the guidance in Regulatory Guide (RG) 1.177, "An Approach for Plant-Specific, Risk-Informed Decision making: Technical Specifications,"
August 1998 (ADAMS Accession Number ML003740176). Please determine if the CRMP meets RG 1.177.
DNC Response DNC has developed and implemented the guidance in the configuration risk management program (CRMP) at MPS3 which meets the guidance in RG 1.177.
Question 8 In Page 18, the LAR states the following for planned maintenance activities in part:
"Work is not scheduled that is highly likely to exceed a [Technical Specification] TS or Technical Requirements Manual (TRM) [Completion Time] CT requiring a plant shutdown. For activities that are expected to exceed 50% of a TS CT, compensatory measures and contingency plans are considered to minimize [Structure, System, and Component] SSC unavailability and maximize SSC reliability." However, regarding the SSCs in WCAP-14333 and WCAP-15376, the expected maintenance is corrective rather than preventive. According to RG 1.177 CRMP key component 1, the CRMP is invoked in a time frame defined by the plant's Corrective Action Program (Criteria XVI of Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50). It is not clear if the proposed timing of compensatory measures and contingency plans are consistent with the RG 1.177 guidance for CRMPs. Please explain.
DNC Response MPS procedures direct the shift manager on what to consider in response to an emergent condition, which includes whether a new risk assessment is required, and provide direction to the on-shift shift technical advisor and/or work week coordinator for performing an emergent risk assessment. The procedure states that "If conditions change such that an analysis previously performed is invalidated, then perform a re-analysis..... if any configuration will exceed its allowed configuration time, then propose Risk Management Actions to Operations,..."
Serial No.15-205 Docket No. 50-423 Attachment, Page 8 of 17 The procedures ensure the emergent risk assessment process will be performed in a time frame defined by the plant's Corrective Action Program (Criteria XVI of Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50), consistent with the RG 1.177 guidance for CRMPs.
Question 9 In Page 19, for Tier 3 the LAR notes that "For Maintenance Rule high risk significant SSCs, the impact of the planned activity on the unavailability performance criteria is evaluated." The Technical Specification Task Force (TSTF)-411 and 418 programs were based on versions of Maintenance Rule guidance in Nuclear Management and Resources Council (NUMARC) 93-01 and RG 1.182 which have been superseded by NRC-endorsed NUMARC 93-0 1, Revision 4, guidance and RG 1.160. Please confirm the MPS3 Maintenance Rule evaluations follow the current NRC-endorsed NUMARC 93-01, Revision 4, guidance and RG 1.160.
DNC Response The Maintenance Rule evaluations for MPS3 follow the current NRC-endorsed NUMARC 93-01, Revision 4A guidance and RG 1.160, Revision 3.
Question 10 As noted in the LAR, Table 1, the WCAP-14333 used a transient frequency of 3.6, and the plant-specific frequency is 0.64 1. Please provide justification for the large difference.
DNC Response The ASME PRA Standard specifies (in supporting requirements IE-C1, C2, and C3) to:
Calculate the initiating event frequency accounting for relevant generic and plant-specific data unless it is justified that there are adequate plant-specific data to characterize the parameter value and its uncertainty.
When using plant-specific data, use the most recent applicable data to quantify the initiating event frequencies. Justify excluded data that is not considered to be either recent or applicable (e.g., provide evidence via design or operational change that the data are no longer applicable).
Serial No.15-205 Docket No. 50-423 Attachment, Page 9 of 17 Licensee Event Reports (LERs) from initial commercial operation April 23, 1986 through December 31, 2010 were searched for LERs related to plant scrams, trips, etc. The results are compiled in Table 1 below.
Table 1. List of MPS3 LERs Related to Plant Trips Date IE Description LER#
Power 04/23/1986 GPT 7
RX TRIP - LOW S/G LEVEL 3-86-032 05/09/1986 GPT 80 RX TRIP - LOSS OF CONDENSER VACUUM 3-86-035 07/24/1986 GPT 20 RX TRIP - LOW S/G LEVEL, FWI HI LEVEL 3-86-041 08/17/1986 GPT/SLB 11 RX TRIP - S/G LVL TRANSIENT COINCIDENT 3-86-048 WITH TURBINE BYPASS VALVE LEAK 08/17/1986 GPT 21 RX TRIP - S/G LVL TRANSIENT, FWI 3-86-049 09/06/1986 GPT 80 RX TRIP - S/G LOW LVL DUE TO FWI VLV 3-86-051 01/13/1987 GPT 100 RX TRIP - CIRC WATER PUMP TRIP 3-87-001 01/14/1987 RT 7
RX TRIP - ACC RESET OR SR CHANNEL 3-87-002 BLOCK 03/07/1987 GPT 100 RX TRIP - LOW S/G LVL, FAILED SOV 3-87-008 04/12/1987 GPT 66 RX TRIP - LOW S/G LVL, FRV AIR LEAK 3-87-020 04/12/1987 GPT 15 RX TRIP - LOW S/G LEVEL, FWI 3-87-021 05/07/1987 GPT 44 RX TRIP - LOW S/G LEVEL 3-87-025 05/14/1987 RT 69 RX TRIP - SPURIOUS RX TRIP BKR OPENING 3-87-026 DURING OPPOSITE TRAIN TESTING 06/05/1987 GPT 100 RX TRIP - LOSS OF BUS 34C 3-87-027 06/14/1987 GPT 100 RX TRIP - LOSS OF TURBINE LUBE OIL 3-87-031 PRESSURE 09/23/1987 GPT 100 RX TRIP - LOW S/G LEVEL DUE TO FAILED 3-87-034 SOV 02/10/1988 GPT 20 RX TRIP - FWI 3-88-009 04/13/1988 GPT 100 RX TRIP - LOW CONDENSER VACUUM 3-88-014 10/05/1988 GPT 100 RX TRIP - MSIV CLOSURE 3-88-023 10/22/1988 GPT 100 RX TRIP - LOW CONDENSER VACUUM 3-88-024 12/29/1988 GPT 75 RX TRIP - LOSS OF BUS 34B 3-88-028 05/06/1989 GPT 90 RX TRIP - MANUAL 3-89-008 05/11/1989 RT 100 RX TRIP - ROD DROP TEST 3-89-009 01/18/1990 GPT 100 RX TRIP - FW PUMP COUPLING FAILURE 3-90-005 03/09/1990 GPT 100 RX TRIP - HIGH GENERATOR STATOR 3-90-009 COOLING TEMP 03/30/1990 GPT 80 RX TRIP - IMMINENT LOSS OF CONDENSER 3-90-011 1_
VACUUM
Serial No.15-205 Docket No. 50-423 Attachment, Page 10 of 17 Table 1. List of MPS3 LERs Related to Plant Trips Date IE Description LER#
Power 04/16/1990 GPT 48 RX TRIP - LOSS OF CONDENSER VACUUM 3-90-013 05/10/1990 GPT 60 RX TRIP - LOSS OF CONDENSER VACUUM 3-90-014 06/06/1990 RT 100 RX TRIP - DROPPED CONTROL ROD 3-90-019 12/31/1990 SLB/PORV 86 RX TRIP - MSR DRAIN LINE RUPTURE/RCS 3-90-030 challenge PORV LIFT 06/09/1991 GPT 100 RX TRIP - SWITCHYARD RELAY 3-91-014 MALFUNCTION 04/05/1992 GPT 100 RX TRIP - CIRC WATER PUMP TRIP 3-92-011 11/05/1992 GPT 16 RX TRIP - LOSS OF NON-VITAL POWER 3-92-027 11/20/1992 GPT/PORV 100 RX TRIP - DEGRADED 120 VAC POWER 3-92-029 challenge SUPPLY TO EHC SYSTEM 03/31/1993 GPT/PORV 100 RX TRIP - LOW S/G LEVEL 3-93-004 challenge 09/08/1994 GPT/SLB 100 RX TRIP - MSIV CLOSURE 3-94-011 09/15/1998 GPT 100 RX TRIP - HIGH CONDENSATE 3-98-038 CONDUCTIVITY 10/28/1998 GPT 100 RX TRIP - HIGH CONDENSATE 3-98-043 CONDUCTIVITY 11/11/1998 GPT 89 RX TRIP - CIRC PUMP TRIP 3-98-044 12/11/1998 GPT 100 RX TRIP - MSIV CLOSURE 3-98-045 12/23/2002 GPT 100 RX TRIP - GENERATOR STATOR FAULT 3-03-001 04/17/2005 SPURIOUS-100 SIS-SSPS Failure 3-05-002 SI 09/29/2005 GPT 100 RX-TRIP - Loss of two CW Pumps Manual Trip 3-05-003 Rx 12/01/2005 GPT 38 RX-TRIP - Manual Turbine Trip caused RX Trip 3-05-005 10/11/2008 GPT 30 RX TRIP - Automatic Reactor Trip during 3-08-003 Shutdown for Refueling Outage 3R12 12/19/2009 GPT 100 RX TRIP - Automatic Reactor Trip due to a 3-09-002 Turbine Trip caused by Generator Output Electrical Fault 5/17/2010 GPT 17 RX TRIP - Automatic Reactor Trip on Lo-Lo 3-10-002 Steam Generator Level Expected improvement in industry performance related to reactor trips since 2000 (i.e.,
INPO benchmarking, NEI 99-02 initiating events cornerstone) justifies exclusion of performance data prior to 2000. The LERs listed in Table 1 are summarized in Table 2 by year to compare the performance difference. In the fourteen years from year 1986 to
Serial No.15-205 Docket No. 50-423 Attachment, Page 11 of 17 year 1999, there were 39 reactor trips. On average, there were 2.79 reactor trips per reactor year. In the eleven years from year 2000 to year 2010, there were 7 reactor trips. On average, there were 0.64 reactor trips per reactor year. Therefore, the plant specific data from year 2000 to year 2010 is used for the IE frequency update.
Table 2. Performance Comparison Year Number of Reactor Trips 1986 6
1987 10 1988 4
1989 2
1990 7
1991 1
1992 3
1993 1
1994 1
1995 0
1996 0
1997 0
1998 4
1999 0
2000 0
2001 0
2002 1
2003 0
2004 0
2005 3
2006 0
2007 0
2008 1
2009 1
2010 1
Total operation time from January 1, 2000 to December 31, 2010 is 88,863 hours0.00999 days <br />0.24 hours <br />0.00143 weeks <br />3.283715e-4 months <br />. Total outage time from January 1, 2000 to December 31, 2010 is 7,569 hours0.00659 days <br />0.158 hours <br />9.408069e-4 weeks <br />2.165045e-4 months <br />. The Capacity Factor is computed as follows:
Serial No.15-205 Docket No. 50-423 Attachment, Page 12 of 17 88863 The Capacity Factor = 88863+ 7569 = 92.15%
According to Table 1, there are 6 GPT events from year 2000 to year 2010 2n+l 2x6+1_
mean =
--211 - 5.91E - 01 per calendar year 2t 2xll or mean =5.91E - 01 / 0.9215 =6.41E - 01 per reactor year Question 11 WCAP-14333 and WCAP-15376 assumed that maintenance on master and slave relays, logic cabinets, and analog channels while at power occurs only after a component failure, and that preventive maintenance does not occur. The topical reports do not preclude the practice of at-power preventive maintenance but limits the total time a component is unavailable due to corrective or preventive maintenance to the values used in the analysis. Confirm the unavailability for components evaluated in WCAP-14333 and WCAP-15376 are consistent with the plant specific estimates at MPS3, and do not exceed those assumed in the analysis.
DNC Response The Shift Manager logs were reviewed for the past three years to compare actual unavailability times for the MPS3 components with the values for the components listed in the WCAP-15376 (i.e., those listed in Section 8.3.1 of the WCAP) and WCAP-14333 analysis. The plant-specific data is as follows:
- Logic cabinet test unavailability for the RTB:
Since January 1, 2012, the logic cabinet test unavailability has not exceeded 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for either train of SSPS in any two month period, which is within the WCAP value of 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for reactor trip breaker and 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for logic cabinet testing on a 2 month frequency.
" Analog channel test and calibration unavailability: MPS3 places the analog channel in trip during testing and calibration activities. Since January 1, 2012, the analog channel test unavailability has not exceeded 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> for any calendar quarter.
Since April 1, 2011, the analog channel calibration unavailability has not exceeded 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for any 18 month period.
These values are within the WCAP values for analog channel test and calibration unavailability.
- Master relay and logic cabinet test unavailability for AFW: Since January 1, 2012, master relay test unavailability for AFW exceeded 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> on one occasion (second quarter 2013 - 4.47 hours5.439815e-4 days <br />0.0131 hours <br />7.771164e-5 weeks <br />1.78835e-5 months <br />).
Otherwise, the master relay and logic cabinet test unavailability for AFW remained under 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> for the remaining calendar quarters.
Serial No.15-205 Docket No. 50-423 Attachment, Page 13 of 17 Overall, the average master relay and logic cabinet unavailability for AFW is within the WCAP values.
" Reactor trip breaker test unavailability:
Since January 1, 2012, the reactor trip breaker test unavailability has not exceeded 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> for either reactor trip breaker in any 2 month period which is within the WCAP values for reactor trip breaker test unavailability.
Reactor trip breaker maintenance unavailability: Since January 1, 2012, the reactor trip breaker maintenance unavailability has not exceeded 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> for either reactor trip breaker in any 1 year period, which is within the WCAP values for reactor trip breaker maintenance unavailability.
Note, as stated in the LAR, MPS3 performs reactor trip breaker maintenance during scheduled refueling outages.
Question 12 The LAR Table 1 provides a comparison between WCAP-14333 analysis assumptions and plant specific parameters. The comparison shows significant differences for slave relays (component test intervals) and reactor trip breakers (typical at-power maintenance intervals).
Explain whether the WCAP-14333 Tier I analysis remain bounding for these plant-specific values.
DNC Response The plant-specific values for MPS3 shown in Table 1 of Attachment 3 of the LAR are consistent with those of Vogtle Electric Generating Plant (Vogtle) as shown on Table 1 on page 297 (Enclosure 5, page E5-2) of WCAP-14333-P-A, Revision 1, Supplement 1 dated September 2003. Therefore, Vogtle's conclusion in Note 1 of Table 1 is applicable to MPS3. That is, with less testing being performed on some slave relays and reactor trip breakers, the unavailability of these components will be less than that assumed in the WCAP analysis. Since the MPS3 unavailability values are less than those used in the WCAP, the WCAP risk analysis is bounding with respect to MPS3.
Question 13 The LAR provides an assessment of seismic, high winds, floods and other external events from the IPEEE study. Please discuss your evaluation (qualitative or quantitative) for TSTF-411 and 418 based on the current plant design and operation with respect to seismic, high winds, floods and other external events, and discuss whether the WCAP-14333 and WCAP-15376 results remain bounding for the LAR proposed changes.
Serial No.15-205 Docket No. 50-423 Attachment, Page 14 of 17 DNC Response The evaluation of the impact of the proposed LAR with respect to external events risk was performed qualitatively. The evaluation focused on the effect that these events have on MPS3 and whether the plant relies on RPS/SSPS to mitigate the event. The most likely external events either lead to a loss of off-site power (LOOP) without any direct loss of mitigating equipment (i.e., reactor trips on LOOP and the mitigating equipment is available) or a forced shutdown in advance of adverse weather with intact RCS and no direct loss of mitigating equipment (i.e., operators trip the reactor and the mitigating equipment is available), and the frequency of these events is insignificant compared with the transient event frequency used in the WCAP analyses. Therefore, the Tier 1 WCAP analyses bound the external events contribution. With respect to the low probability/high consequence external events, both trains of mitigating equipment are rendered inoperable by these events and thus, these scenarios are not sensitive to configuration risk incurred by removal of SSPS equipment from service.
Question 14 WCAP-15376 and WCAP-14333 analyses are based on assumptions, some of which may be key assumptions. Discuss any significant plant-specific differences with respect to these key assumptions, and their significance to the proposed changes in the LAR.
DNC Response Section 8.3.2 of WCAP-15376 provides the assumptions, which are listed below along with the applicability to MPS3. There are no plant-specific differences from the WCAP key assumptions that would affect the analysis conclusion.
" Analog channel testing and calibration activities are performed in the bypassed state. All plants do not routinely test in bypass; but for those that do, this is representative, and for those that do not, this is conservative.
MPS3 performs the analog channel testing and calibration activities at power with the analog channel in trip, which as stated in the WCAP is conservative.
" Maintenance of the analog channels is performed in the bypassed state. This represents actual plant practice. Only corrective maintenance is performed at-power.
MPS3 places the analog channel in trip during corrective maintenance activities, which as stated in the WCAP is conservative.
" Testing of the logic prohibits automatic actuation of the entire associated train.
This is consistent with hardware design and is necessary to allow at-power
Serial No.15-205 Docket No. 50-423 Attachment, Page 15 of 17 testing.
The redundant train remains operable and capable of providing all protective features.
The MPS3 design is consistent with this WCAP assumption.
Maintenance of the logic cabinets is assumed to prohibit actuation of the entire associated train.
The MPS3 actual practice is consistent with this WCAP assumption.
" Testing of the reactor trip breakers prohibits actuation of the breaker in test. The bypass breaker corresponding to the affected breaker is placed into service and will be actuated by the logic cabinet in the unaffected train. This is consistent with actual practice.
The MPS3 actual practice is consistent with this WCAP assumption.
Maintenance of the reactor trip breakers prohibits actuation of the breaker in maintenance.
The bypass breaker corresponding to the affected breaker is placed into service and will be actuated by the logic cabinet in the unaffected train. This is consistent with actual practice.
The MPS3 actual practice is consistent with this WCAP assumption.
" Testing of the master relays prohibits actuation of the entire associated train.
This is consistent with the test circuitry provided for the master relays and represents actual practice.
The MPS3 actual practice is consistent with this WCAP assumption.
" Maintenance of the master relays makes the affected master relay and all associated slave relays inoperable.
This is consistent with the design of the actuation relays.
The MPS3 design is consistent with this WCAP assumption.
" The ESFAS signal is assumed to be unavailable if the equivalent relays, either master or slaves, in the redundant trains are unavailable. That is, if the relays that actuate the high head safety injection pumps in each train are unavailable, the ESF function is assumed to be unavailable. This is conservative, since partial system failures are equated to total system failures.
A less conservative approach, while appropriate, would require a significant increase in the complexity of the fault trees.
Serial No.15-205 Docket No. 50-423 Attachment, Page 16 of 17 This WCAP assumption pertains to the structure of the PRA model used for the WCAP analysis, and therefore, is not related to MPS3 design or operational practices.
Testing and maintenance of slave relays was modeled assuming that only the affected relay is inoperable.
This is consistent with actual practice and conservative.
In many cases, the test actuates the associated components; therefore, the components remain available. However, in some cases, actuation of the components is blocked rendering the components unavailable for automatic actuation. Since the latter test scheme represents the limiting case, it was used for the model.
This WCAP assumption pertains to the structure of the PRA model used for the WCAP analysis, and therefore, is not related to MPS3 design or operational practices.
The number of master and slave relays actuated by an ESFAS signal varies from signal to signal and is a function of the number of components required to be actuated.
Based on a review of several SSPS plant specific designs, the following is included in the models: Safety Injection, and Containment Spray and Phase B Isolation: two master relays each driving three slave relays.
The specific differences between the reference plant and MPS3 are:
Signal WCAP Assumption MPS3 Design Safety Injection Each actuation train has two Each actuation train has three master relays, each driving master relays driving a total of three slave relays.
ten slave relays, arranged such that two master relays drive four slave relays each, and one master relay drives two slave relays.
Containment Spray Each actuation train has two Containment Spray: Each and Phase B master relays, each driving actuation train has two master Isolation three slave relays.
relays with contacts in series, driving three slave relays.
Phase B Isolation: Each actuation train has one master relay, driving four slave relays.
The potential impact of plant-specific design variations is addressed by a previous assumption regarding the modeling of master and slave relays, which states that "The ESFAS signal is assumed to be unavailable if the equivalent relays, either master or slaves, in the redundant trains are unavailable.... This is conservative, since partial system failures are equated to total system failures."
l4 Serial No.15-205 Docket No. 50-423 Attachment, Page 17 of 17 Based on this assumption, a failure of one of the eight relays, two master or six slave, would result in failure to generate a Safety Injection signal for that ESFAS train. Although MPS3 has a higher total number of master/slave relays than the WCAP reference plant (i.e., 13 vs. 8), failure of any one of the 13 relays would not cause failure to generate a Safety Injection signal for the ESFAS train.
Consequently, the MPS3 design variation is bounded by the conservative relay modeling assumption.
- Steam line Isolation, Main Feedwater Isolation, and Auxiliary Feedwater Pump Start: one master relay driving two slave relays.
Main Steamline Isolation and Main Feedwater Isolation consist of one master relay driving two slave relays. Auxiliary Feedwater Pump Start consists of one master relay driving one slave relay.
The MPS3 design is consistent with the WCAP assumption.
Question 15 Explain whether the CRMP model at MPS3 provides modeling of the reactor trip and ESFAS systems and components addressed by WCAP-15376 and WCAP-14333 when performing Tier 3 evaluations. If the CRMP model does not model relevant signals and components, please describe how the CRMP evaluation is performed (e.g., the use of surrogates).
DNC Response The MPS3 CRMP model provides modeling of the reactor trip and ESFAS systems and components.
A test/maintenance term exists for both logic trains, which makes the reactor trip signal and automatic ECCS actuation for the affected train unavailable. In addition, the signal to each component that gets an automatic ECCS actuation signal can be made unavailable.