ML17228B183

From kanterella
Jump to navigation Jump to search
Joint Applications Rept for LPSI Sys AOT Extension.
ML17228B183
Person / Time
Site: Saint Lucie NextEra Energy icon.png
Issue date: 05/31/1995
From:
ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY, ASEA BROWN BOVERI, INC., C-E OPERATING PLANTS OWNERS GROUP
To:
Shared Package
ML17228B182 List:
References
CE-NPSD-995, NUDOCS 9506230235
Download: ML17228B183 (41)
v  d  e


Text

COMBUSTION ENGINEERING OWNERS GROUP CE NPSD-995 Joint Applications Report for Final Report GEOG TASK 836 prepared for the C-E OWNERS GROUP May 1995 o Copyright 1995 Combustion Engineering, Inc. All rights reserved llew KID QD ABB Combustion Engineerina Nuclear Operations 9508230235 950621 liQQDCID PDR ADOCK 05000335 PDR

LEGAL NOTICE This report was prepared as an account of work 'sponsored by the Combustion Engineering Owners Group and ABB Combustion Engineering.

Neither Combustion Engineering, Inc. nor any person acting on its behalf:

A. makes any warranty or representation, express or implied including the warranties of fitness for a particular purpose or merchantability, with respect to the accuracy, completeness, or usefulness of the

. information contained in this report, or that the use of any information, apparatus, method, or process disclosed in this report may not infringe privately owned rights; or B.. ', assumes any liabilities with respect to the use of, or for damages resulting from the use of, any information, apparatus, method or

.process disclosed in this report.

Combustion Engineering, Inc.

TABLE OF CONTEÃIS Section Page LIST OF TABLES 1.0, PURPOSE 2.0 SCOPE OF PROPOSED CHANGES TO TECHNICAL SPECIFICATIONS 1

3.0 BACKGROUND

4.0 SU?UQMRY OF APPLICABLE TECHNICAL SPECIFICATIONS 4.1 Standard Technical Specifications 4.2 "Customized" Technical Specifications 5.0 SYSTEM DESCRIPTION AND OPERATING EXPERIENCE 5.1 System Description 5.2 Operating Experience 5.2.1 Preventive Maintenance 5.2.2 Surveillance/Testing of LPSI System Valves 5.2.3 Corrective Maintenance 5.2.4 Related Licensing Actions 6.0 TECHNICAL JUSTIFICATION FOR AOT KCI'ENSION 10 6.1 Statement of Need 10 6.2 Assessment of Deterministic Factors 11 6.2.1 Thermal-Hydraulic Considerations 11 6.2.2 Radiological Release Considerations 14

TABLE OF COXHPGS (cont'd)

Section Page 6.3 Assessment of Risk 15 6.3.1 Overview 15 6.3.2 Assessment of "At Power" Risk 16 6.3.3 Assessment of Transition Risk 24 6.3.4 Assessment of Shutdown Risk 28 6.3.5 Assessment of Large Early Release 30 6.3.6 Summary of Risk Assessment 31 6.4 Compensatory Measures 32 7.0 TECHNICAL JUSTIFICATION FOR STI E3CI'ENSION 8.0 PROPOSED MODIFICATIONS TO NUREG-1432 9.0 SUhGVIARY AND CONCLUSIONS 34

10.0 REFERENCES

35 ATTACHMENTA A-1 "Mark-up" of NUREG-1432 SECTIONS 3.5.2 & 3 3.5.2

LIST OF TABLES Table 4.2-1 COMPARISON OF LPSI SYSTEM AOTs AMONG CE PWRs WITH CUSTOMIZED TECHNICAL SPECIFICATIONS COMPARISON OF MAIÃZENANCEREPAIR Tn~l FOR LPSI SYSTEM COMPONENI'S COMPARISON OF SECONDARY SIDE HEAT REMOVAL CAPABILITY 13 6.3.2-1 CEOG AOT CONDITIONALCDF CONTRIBUTIONS FOR LPSI - CM 21 6.3.2-2 CEOG AOT CONDITIONALCDF CONTRIBUTIONS FOR LPSI - PM 22 6.3.2-3 CEOG PROPOSED AVERAGE CDFs 23 6.3.3-1 'IRANSITIONRISK CONIRIBUTIONS FOR LPSI SYSTEM CM 27 6.3.4-1 EFFECTS OF IMPROVED LPSI RELIABILITYAT SHUTDOWN 29

LPSI System AOT Extension 1.0 PURPOSE This report provides the results of an evaluation of the extension of the Allowed Outage Time (AOT) for a single Low Pressure Safety Injection (LPSI) train from its present value (24 or 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />), to seven days. The AOT is contained within current technical specifications for each licensed CE NSSS. This AOT extension is sought to provide needed flexibility in the performance of both corrective and preventive maintenance during power operation.

Zustification of this request is based on an integrated review and assessment of plant operations, deteriniiiisticMesign basis factors and plant risk. Results of this study demonstrate that the proposed AOT extension provides plant operational flexibility while simultaneously reducing overall plant risk.

This request for AOT extension is consistent with the objectives and the intent of the Maintenance Rule (Reference 1). The Maintenance Rule willbe the vehicle which controls the maintenance cycle by defining unavailability performance criteria and assessing 'ctual maintenance risk. The AOT extension willallow efficient scheduling of maintenance within the boundaries established by implementing the Maintenance Rule. The CE plants are in the process of implementing the Maintenance Rule, and are presently setting targets for unavailability of systems and trains. Therefore, this effort is seen as timely, supportive and integral to the Maintenance Rule program.

2.0 SCOPE OF PROPOSED CHANGES TO TECHNICAL SPECIFICATIONS The proposed technical specification change addresses revising the existing AOT requirement for the operation of the Low Pressure Safety Injection (LPSI) subsystems of the Emergency Core Cooling System (ECCS). Specifically, it is proposed that the AOT for a single INOPERABLE LPSI train be extended from its present value (24 or 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, depending on the plant) to 7 days (168 hours0.00194 days <br />0.0467 hours <br />2.777778e-4 weeks <br />6.3924e-5 months <br />). For the purposes of this report, a LPSI train is defined as one pump, and two injection flow paths, including motor-operated valves (MOVs) operated by a common AC power source.

3.0 BACKGROUND

In response to the NRC's initiative to improve plant safety while granting relief to utilities from those requirements that are marginal to safety, the CEOG has undertaken a program of obtaining relief from overly restrictive technical specifications. As part of this program,.several technical" specification AOTs and STIs were identified for joint action.

This report provides support for modifying Technical Specifications concerning the Emergency Core Cooling System in order to provide an AOT for up to 7 days for one "INOPERABLE" LPSI train. The intent of this AOT extension is to enhance overall plant safety by avoiding potential unscheduled plant shutdowns and providing for increased flexibility,.in scheduling and performing maintenance and surveillance activities. This effort is being pursued as a joint

'EOG activity.

This report provides generic information supporting these changes, as well as the necessary. plant specific information to demonstrate the impact of these changes on an individual plant basis.

The supporting/analytical material contained within the document is considered applicable to all CEOG member utilities regardless of the category of their Plant Technical Specifications.

4.0 SUIVMARYOF APPLICABLE TECHNICAL SPECIFICATIONS There are three distinct categories of Technical Specifications at CE NSSS plants.

The first category is called the Standard Technical Specifications. Through February 1995, NUREG-0212, Revision 03, commonly referred to as "Standard Technical Specifications," has provided a model for the general structure and content of the approved technical specifications many of the domestic CE NSSS plants.

The second category corresponds to the Improved Standard Technical Specifications (ISTS) guidance that is provided in NUREG-1432, Revision 0, dated September 1992. A licensing amendment submittal to change the Technical Specifications for San Onofre Nuclear Generation Station Units 2 & 3 so as to implement this guidance was submitted to the NRC in December 1993. Additionally, licensing amendment submittals are being developed that will modify the technical specifications for Palisades to implement the ISTS guidance.

The third category includes those technical specifications (TSs) that have structures other than those that are outlined in either NUIkEG-0212 (Reference 2) or NUREG-1432 (Reference 3).

These TSs are generally referred to as "customized" technical specifications and are associated with the early CE PWRs. The CE NSSS plants that currently have "customized" technical specifications are: Palisades, Maine Yankee, and Ft. Calhoun Station.

Each of these three categories of Technical Specifications includes operating requirements for the Low Pressure Safety Injection (LPSI) subsystems.

4.1 Standard Technical Specifications The requirements for LPSI subsystems during power operations are embedded in the requirements for Emergency Core Cooling trains/subsystems in the standard technical specifications of NUREG-0212, Revision 03 and NUREG 1432, Revision 0. In LCO 3.5.2 of NMkEG-0212, Revision 03, each OPERABLE independent Emergency Core Cooling System subsystem includes one OPERABLE low-pressure safety injection pump.

LCO 3.5.2 of NMREG-1432 addresses two redundant, 100% capacity ECCS trains, each consisting of high pressure safety injection (HPSI), low pressure safety injection (LPSI), and charging subsystems.

Hence, any maintenance, repair or surveillance test that would render a LPSI subsystem inoperable would also result in the INOPERABILITY of the corresponding ECCS train/subsystem of the standard technical specifications.

The requirements of these same standard technical specifications allow the continuation of power operations with one inoperable ECCS train/subsystem for a maximum of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Hence, if a single ECCS train is rendered inoperable due to a set of factors that includes on-line

maintenance or repair of the components of a LPSI subsystem, the OPERABILITYof that ECCS train must be restored within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> (including the OPERABILlTY of the affected LPSI subsystem); or the plant must be shutdown and depressurized below the shutoff head of the HPSI pumps.

4 2 "CustomizecP Technical Speci6cations Customized technical specifications for the LPSI System differ from the STS in the duration of the specified AOT, the linkage between the LPSI and other ECCS AOTs and the details of the subsequent ACTION statements. For plants with Customized technical specifications, the defined AOTs for LPSI system out of Service (OOS) are presented in the Table 4.2-1.

Table 4.2-1 COMPARISON OF LPSI SYSTEM AOTs AMONG CE PWRs Wl'ZEi CUSTOMIZED TECHNICAL SPECIFICATIONS PLANT ALLOWED OUTAGE TIME (HRS)

Ft. Calhoun Station 24 Maine Yankee 72 Palisades

5.0 SYSTEM DESCMPTION AND OPERATING EXPERH<22fCE 5.1 System Description The LPSI System provides inventory to the RCS following a large Loss of Coolant Accident (LOCA). This inventory injection supplements the RCS inventory addition due to the SITs and aids in ensuring core cooling during the early stages of a large LOCA. In addition, many components of the LPSI System are shared with the shutdown cooling system. In that capacity, the LPSI pump and selected components serve to circulate water through the RCS and support long term core decay heat removal.

Safety Injection and Recirculation During an accident, the LPSI system is actuated by a Safety Injection Actuation Signal (SIAS).

The SIAS is automatically initiated upon a coincident two-out-of-four Pressurizer Pressure Low Signals or twit-of-four Containment Pressure High Signals. Safety Injection can also be manually initiated. Upon SIAS, the two LPSI puinps are automatically started and the injection valves are opened.

The LPSI pump then recirculates the Safety Injection water through the minimum recirculation valves until the RCS pressure becomes low enough to allow flow into the RCS. During the injection mode, the LPSI pumps take suction from a borated water source. The pumps discharge flow into the low pressure injection header which is connected to the RCS cold legs. The valve connecting the LPSI pump discharge to the shutdown cooling heat exchangers is locked closed during normal operation and remains closed during the safety injection mode.

Shutdown Cooling System During normal shutdown mode operation (Modes 4, 5 and 6), the components of the LPSI System are realigned to configure the Shutdown Cooling System (SDCS). In this configuration, the LPSI pump takes suction from the RCS hot leg, transports the hot RCS liquid through the SDC heat exchange and discharges cooler water into the RCS cold leg.

Por all CE PWRs, the containment spray pump can be used in place of an inoperable LPSI pump for the function of shutdown cooling. This would depend upon the accident / plant operating mode and would require a manual alignment.

5.2 Operating Experience

$.2.I Preventive Maintenance P'N)

In order to perform preventive maintenance during power operation, the plant must voluntarily enter into a Limiting Condition for Operation (LCO) action statement. The NRC has been aware of this practice and has issued an NRC Inspection Manual (Reference 4), providing the general safety principles that the NRC inspectors are to use in assessing the appropriateness of the utilities "on-line" maintenance activities and to ensure that proper use is made of the plant AOTs. In response to the NRC technical guidance statement, many nuclear utilities have voluntaoly adopted administrative guidelines for voluntary entry into an LCO ACTION statement. This administrative guidance typically requires that a plan must exist for completing the associated maintenance within a period that is considerably shorter than the duration of the

'llowed outage time (AOT) specified in the LCO ACTION statement. In addition, the risk associated with such maintenance is also assessed.

Operating experience has demonstrated that many types of preventive maintenance on LPSI train components (including post-maintenance verifications and tests) require a period of less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Typical activities associated with preventive maintenance for a LPSI pump include:

- change of oil

- lubrication

- replacement/tightening of pachng

- bearing replacement Preventive maintenance activities (PMs) associated with valves within the LPSI system include:

h

- valve overhaul

- valve repacking Typically, pump PMs require less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to complete and valve PMs can generally be performed in 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> or less.

When performed properly, preventive maintenance on single LPSI System components can be completed within the 3 day AOT which is available to most CE NSSS PWRs. However, the AOT extension would allow for more flexibilityin both performing and scheduling of the PM.

This will have a positive influence in limiting plant risk by:

(1) reducing the number of entries into LCO ACTION statements by allowing a more complete maintenance program during a single AOT, (2) reducing the need for simultaneous common system PM operations so as to allow expeditious return of the system to on-line status in the event of a site emergency, alld

(3) reducing time stress on the maintenance staff during shutdown by allowing adequate time to perform LPSI maintenance at power.

Preventive maintenance on LPSI subsystems that is postponed until the plant is in shutdown mode can limit the availability of operable standby SDC trains during a plant outage. Since the LPSI pump provides the primary motive force for core cooling during shutdown, the risk associated with this unavailability can exceed that associated with performing the equivalent maintenance at power. This issue is addressed in Section 6.3.

$.2.2 Surveillance/Testing ofLPSI System Valves The technical specifications require testing of several motor operated valves within the LPSI system. This testing may be performed either at power or during a plant shutdown.

Surveillance testing of the MOVs at power requires that the MOV operating torque and flow characteristics be within a specified band. Testing times can vary from under one hour to more than 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. Since this test can be performed so as to minimally disable a portion of the LPSI System, its actual impact on risk is negligible. This results from the fact that during most of the duration of the test (with the exception of the several minute stroke test) the valve position can be maintained in its emergency position.

Ifthere were a longer AOT, a larger block of valves could be tested in a defined time frame.

%ith longer AOTs, this concentration of testing can be performed in a more orderly fashion and with fewer individual entries into the plant LCO ACTION statements. An extended AOT will also provide sufficient time to correct any problems found as a result of the surveillance.

$.2.3 Corrective Maintenance (Clg Corrective maintenance in the LPSI System involves both pump and valve repair. In practice, the term corrective maintenance is typically used for the repair of a component resulting from an observable malfunction which may or may not compromise the ability of the system or component to perform its safety function. This terminology typically lumps corrective maintenance on LPSI pumps due to small oil/water leaks (which do not necessarily impair pump into the same category as more extreme failures such as a debilitating pump motor 'unction) failures.

Allutilities involved in this task have indicated mean LPSI pump repair times of under 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> with the longer repairs tahng up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> (See Table 5.2-1). It is expected that failures that render the LPSI pump non-functional will be skewed to the higher repair times. Parts accessibility may further stretch the repair. Since many existing failures will be diagnosed following a component surveillance, insufficient time may be available in the AOT to assure task completion prior to exceeding the AOT.

Another class of LPSI System components that requires surveillance and periodic repair are the Motor Operated Valves (MOVs). Surveillance of these valves involves detailed testing procedures. During the testing, the AOT is entered and the valve is declared INOPERABLE.

In order for the valve to be considered OPERABLE, the valve characteristics must be measured to be within a specified band of torque, and flow. Ifthese parameters fall outside the defined bands, the MOVis technically considered INOPEIMBLEand must be repaired in the remainder of the AOT. Failure to repair and re-diagnose the valve as OPERABLE would result in the applicability of other LCO action requirements to bring the plant to a safe shutdown mode within a relatively short period of time or development of a Justification for Continued Operation (JCO). Past testing has resulted in the identification of a malfunctioning MOV which was repaired and declared OPERABLE within one hour of the expiration of the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> AOT. Table 5.2-1 provides the comparison of maintenance repair times for LPSI components.. These examples illustrate that there is a need for a longer AOT.

$.2.4 Related Licensing Actions Over the past two years the industry has been applying results from PRA sensitivity studies as a basis for eliminating requirements that are marginal to safety. Elimination of requirements marginal to safety includes, among many other things, the relaxation of Technical Specifications (TS). Recently South Texas Project (STP) proposed 22 Technical Specification changes to the NRC for relaxation (Reference 5).

The TS changes requested by STP were of two types: extending allowed outage time (AOT) and extending Surveillance Test Intervals (STI). Of the 22 proposed TS changes, 6 were withdrawn by STP. Of the remaining 16 proposed changes, quantitative evaluations were performed by STP in support of 11 of them using the plant PSA model. Qualitative explanations are presented by STP for the remaining 5 to support the proposed extensions. The ECCS, including LPSI, HPSI and SIT, was among the systems for which TS relaxation was sought.

The AOT for the ECCS was requested to be extended from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 10 days; the NRC granted the extension to 7 days.

Table 5.2-1 COMPARISON OF MAIN'PENANCE REPAIR 'IIMES FOR LPSI SYSTEM COMPONENTS PLANT MEAN TIME TO REPAIR RANGE OF REPAIR (HR) TBKS Ft. Calhoun Station 13 hrs 1 br-23 hrs Maine Yankee 16.8 hrs 1.5 hrs - 32 hrs Palisades Calvert Cliffs 1 &2 11.8 hrs 3 -27 hrs Millstone 2 4.7 hrs not available St. Lucie1 &2 10.69 hrs < 1hr-72hrs ANO-2 Waterford 3 17.6 hrs 16.0 - 20.8 hrs San Onofre 2 &3 Palo Verde 1, 2 & 3 3.6 hrs 1.6 - 46.5 hrs Generic 11.1 hrs

  • Plant specific data is not available. Repair experience is expected to be similar to that of other CE PWRs.

6.0 TECHNICALJVSTIFICATION FOR AOT EXTENSION This section presents an integrated assessment of the proposed AOT extension. The focus of the assessment includes motivation and need for technical specification change, the impact of the change on the plant design basis event and a probabilistic risk assessment.

Section 6.1 presents a summary statement of the need for the AOT extension. The supporting information for this section has been previously presented in Section 5. Section 6.2 provides an assessment of deterministic factors, particularly those associated with the plant design basis.

The following sections generally follow the NRC guidance set forth in Reference 6 for risk based justification of changes to the technical specifications. The probabilistic risk assessment for this AOT extension is contained in Section 6.3, including consideration of risks of mode transition and plant shutdown.

Compensatory actions that may be applicable to this AOT extension are summarized in Section 6.4.

6.1 Statement of¹ed The primary role of LPSI trains during power operation is to contribute to the mitigation of a large LOCA. Its value in the post-LOCA core cooling process is established by a conservative set of rules set forth in 10 CFR 50.46. The frequency of the large LOCA event is on the order of 10 per year. In contrast, during shutdown, the operability of at least one LPSI pump and subtrain are required at all times for RCS heat removal. Thus, in this macroscopic view, performing preventive and corrective maintenance "at power" on LPSI trains contribute to an overall enhancement in plant safety by increasing the availability of LPSI pumps for shutdown cooling during Modes 3 through 6.

Much of the maintenance performed on a LPSI subtrain requires the subtrain to be tagged out for periods of less than one day. However, in some instances, corrective maintenance of the LPSI pump and valves and testing of valves may require taking one subtrain of the LPSI System out of service for more than several days. Recent experience has resulted in a MOV repair completed within'one hour of the existing AOT. Thus, repair within the existing AOT cannot be guaranteed and may result in an unscheduled plant shutdown, or request for a temporary exemption to allow continued plant operation. To avoid these outcomes, a less restrictive AOT is required.

From a practical viewpoint, a 7-day AOT would allow the maintenance staff flexibilityto more safely schedule maintenance and procedures. Based on a review of the maintenance requirements on the LPSI System for CE PWRs it was determined that a 7-day AOT would provide sufficient margin to effect most anticipated preventive, and corrective maintenance activities and "on-line" LPSI System valve surveillance tests.

10

62 Assessment of Deterministic Factors 6.2.1 17sennal-HyCkuulic Considemtions I.OC'A In the early 1970's, the NRC defined deterministic acceptance criteria (10CFR50.46) and prescriptive guidance (Appendix K to 10CFR50) for evaluating the performance of the Emergency Core Cooling System (ECCS) following a loss of coolant accident (LOCA).

The Emergency Core Cooling System (ECCS) acceptance criteria from 10 CFR 50.46 are the following:

a. Maximum fuel element cladding temperature is < 2200 Degrees Fahrenheit;
b. Maximum cladding oxidation is < 0.17 times the total cladding thickness before oxidation; C. Maximum hydrogen generation from a zirconium water reaction is ( 0.01 times the hypothetical amount that would be generated ifall of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react; and
d. The core is maintained in a eoolable geometry.

In order to meet these acceptance criteria, the designs of CE NSSS Emergency Core Cooling Systems have included the following elements:

1) A high pressure safety injection capability for providing delivery of coolant to the RCS during the early phase of the blowdown process, and matching boil-off to maintain inventory during the later phases following reflooding of the core;
2) A passive safety injection capability provided via Safety Injection Tanks (SITs) providing a one time, rapid inventory injection into the RCS as the RCS depressurizes below a low pressure setpoint; and
3) A low pressure coolant injection capability for providing high mass flow to the RCS at low RCS pressures.

These design elements and the corresponding system operability requirements in the Technical Specifications have been based on a limiting design basis'ccident scenario. This limiting scenario has been a large break LOCA in combination with a loss of offsite power and the "worst" single equipment failure.

11

To cope with the large loss of RCS inventory during a large LOCA an Emergency Core Cooling System consisting of a triad of water injection systems was devised. For CE PWRs, the components of the ECCS typically included 4 passively actuated SITs, two HPSI pumps and two LPSI pumps. The SITs were designed with the task of rapidly providing liquid inventory to reflood a voided core. The role of the HPSI pumps was primarily to supply inventory for smaller LOCAs and provide long term inventory control for the large break LOCAs. The results of analysis using prescriptive methods, defined in Appendix K to 10CFR50, showed that the anticipated performance of HPSI and SITs did not result in meeting the ECCS performance criteria. These analyses indicated a short lived need for an additional high volumetric flow pump. A major function of this pump was to replenish inventory conservatively predicted to be lost within the Appendix K framework.

Recent best estimate analyses for a typical PWR, Reference 7, confirmed that for large break LOCAs, incipient core melt can be prevented by operation of combinations of ECCS subsystems other than those that are currently defined in ECCS Operability requirements. In particular, the results of Reference 7 demonstrated that the operation of a single LPSI pump or the operation of one High Pressure Safety Injection (HPSI) pump and a single SIT could maintain the Appendix K criteria during a design base large LOCA scenario.

Additionally, new deterministic analyses of large break LOCA initiating events (up to break areas of 5 square feet) were performed for one plant in support of the Individual Plant Examination (IPE)/Probabilistic Safety Analyses (PSA), Reference 8. These analyses, performed using the CENTS code, showed that LPSI trains were not needed to successlly mitigate the consequences of such scenarios.

Steam Generator Tube Rupture (SGTR) Events Another role for the LPSI is in defining the end state for a design basis SGTR event with or without a concurrent loss of off-site power. In the design basis construction of this event, the HPSI functions to maintain the core covered at all times and the LPSI is required to effect shutdown cooling (SDC) and thereby terminate the event. SDC is initiated after the break has been isolated and the radioactive releases have been controlled.

In the event that one LPSI is out of service and the second LPSI fails, the operator can continue to control the event by steaming of the unaffected steam generator. This cooling mechanism can be maintained indefinitely provided condensate is available to the unaffected generator. Without considering condensate storage tank refill, CE plants have sufficient inventory to steam the affected steam generator for between six to more than 45 hours5.208333e-4 days <br />0.0125 hours <br />7.440476e-5 weeks <br />1.71225e-5 months <br />. Allplants have provisions in procedures for continued makeup to the condensate tank to prevent the depletion of the CST inventory. Many of the plants on multiple unit sites also have the ability to cross-connect condensate tanks for the various units. A summary of estimated times for CST inventory depletion following a SGTR without SDC is provided in Table 6.2.1-1. CE PWRs also have the ability to realign the containment spray pumps to provide RCS shutdown cooling capability.

12

Table 6.2.1-1 COMPARISON OF SECONDARY SIDE HEAT REMOVAL CAPABILITY PLANT THERMAL CONDENSATE STORAGE CONDENSATB STORAGB PROCBDURES CSTs OF POWER CAPACITY DEPLETION TIME TO MULTIPLE RATING RBPLBNISH UNIT SITES CONDENSATB CAN BB STORAGE CROSS-CONNECTED Ft. Calhoun Station 1500 MWt 350,000 gal (maximum useable) 45 hrs. w/o credit for refill of yes (to refill N/A EFWST or CST CST or BFWS'I)

Palisades 2530 MWt 100,000 gal (T.S. minimum) 8 hrs N/A Maine Yankee 2700 MWt 159,975 gal (maximum useable) 5+ hrs 525 gpm BFW fiow yes N/A (to refill DWS'I)

Calvert Cliffs 1 dt 2 2700 Mwt 150,000 gal per unit (T.S. > or equal to 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> yes minimum) - 300,000 gal shared St. Lucie 1 2700 Mwt 116,000 gal (T.S. minimum) approx. 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> yes St. Lucie 2 2700 Mwt 307,000 gal (T.S. minimum) > 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> yes available but not required Millstone 2 2700 Mwt 150,000 gal (T.S. minimum) 10 hrs at 300 gpm no ANO-2 2815 Mwt 160,000 gal g'.S. minimum) 5,5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> 485 gpm (for T.S. yes 400,000 (maximum) - EFW Q minimum) suction source is Service Water > 30 hrs (for maximum volume) and this source is infinite Waterford 3 3410 Mwt 170,000 gal (T.S. minimum) 9 hrs w/o backup water sources N/A Palo Verde 1, 2 43 3800 Mwt 300,000 gal (T.S. minimum) > 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> San Onofre 2 43 3410 Mwt 424,000 gal (I'.S. minimum) > 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />

6;2.2 Radiological Release Considemtions LOCA The design basis calculation of radiological consequences of the large LOCA are based on a combination of very conservative assumptions. The design basis for radiological releases following a LOCA is set forth in 10 CFR 100, "Reactor Site Criteria", and detailed in SRP 15.6.5, Reference 9. In practice the 10 CFR 100 radiation release criteria are achieved via reliance on the 1962 "source term" outlined in the Atomic Energy Commission Technical Information Document, TID-14844, "Calculation of Distance Factors for Power and Test Reactors" (Reference 10). This "Source Term" was not consistent with the low level of core damage expected with a Large LOCA. Instead, the Source Term was very conservatively based on a substantial meltdown of the core, and the fission product release to the containment.

Over the past 30 years, substantial information has been developed updating our knowledge about fission product release and transport during PWR severe accidents. This information is reflected in the new NRC source term defined in NUEEG-1465 (Reference 11). Assimilation of this information suggests that even when the dichotomy of a core melt driven source term is retained, the TID-14844 estimate of the Large LOCA fission product releases considerably overpredicts the severity of the fission product release to the public. This conclusion is based on the following:

Existing licensing methods assume fission products are released to the containment immediately upon the onset of the LOCA. In fact, only gases residing within the fuel gap (approximately 5% of the total volatile fission product inventory) will be released at the point of clad rupture (early in the transient).

The remainder of the fission products willenter the containment over the period of one half hour or more.

2) Existing licensing methods assume the composition of the iodine entering the containment is predominantly elemental (it is now believed to be in the particulate form). Sprays are less effective in removing elemental iodine than iodine in the particulate form. It is our current understanding that the iodine is predominantly (greater than 95%) released into the containment in the form of CsI which is particulate. Thus, spray effectiveness and gravitational settling would be enhanced and airborne releases from containment would decrease.

Thus, even if a Large LOCA were to occur in the presence of a compromised ECCS (i.e. no LPSI), core melting would not be expected and the actual fission product releases would remain within the existing 10 CFR 100 criteria. This issue is further considered in a probabilistic framework in Section 6.3.5.

14

Steam Generator Tube Ruptures (SGZZs)

Pollowing a SGTR, the plant can be maintained in a stable condition provided the affected steam generator is isolated, and the AFW system along with a supply of condensate is available to the intact steam generator. Under these conditions, core uncovery is not expected and radiological releases will not exceed that defined by the existing design basis. Obviously this can be done without the LPSI System being available.

6.3 Assessment of Risk 6.3.I Overview The purpose of this section is to provide an integrated assessment of the overall plant risk associated with the adoption of the proposed AOT extension. The methodology used to evaluate the LPSI System AOT extension was based in part on a draft version of the "Handbook of Methods for Risk-Based Analyses of Technical Specifications", Reference 6 and related industry guidance. As guidance for the acceptability of a Technical Specification modification, Reference 6 noted that any proposed Technical Specification change (and the ultimate change package) should either:

(1) be risk neutral, OR (2) result in a decrease in plant risk (via "risk trade-off considerations"), OR (3) result in a negligible (to small) increase in plant risk.

(4) be needed. by the utility to more efficiently and / or more safely manage plant operations.

A statement of need has been provided in Section 6.1. This section addresses the risk aspects of the proposed AOT extension.

In this evaluation, a risk assessment of the LPSI System AOT extension is performed with respect to consideration of associated "at power", "transition" and "shutdown" risks.

Section 6.3.2 provides an assessment of the increased risk associated with continued operation with a single LPSI train out of service (OOS). The evaluation of the "at power" risk increment resulting from the extended LPSI System AOT were evaluated on a plant specific basis using the most current individual plant's Probabilistic Safety Analysis (PSA) as their respective baselines. Plant specific evaluations were performed by each participating utility. Results of these evaluations were then compared using appropriate risk measures as prescribed in Reference 6.

15

Section 6.3.3 provides an assessment of risk of transitioning the plant from Mode 1 into a lower mode (e.g. Mode 4). The "at power" risk assessment presented in Section 6.3.2 provides an evaluation of continued operation of the plant with an extended LPSI System AOT for the purpose of performing corrective maintenance on the LPSI System. However, that assessment provides only one facet of the plant risk. For this evaluation, continuation of at power operation within the LCO ACTION statement is compared with the risk of proceeding with a plant shutdown. A conservative lower bound estimate of this risk was evaluated by modifying the reactor trip core melt scenario for a representative CE PWR. Based on this analysis, a core damage probability for the plant shutdown was established and compared to the single AOT risk associated with continued operation.

The risk comparison of LPSI System PM for "at power" and "at shutdown" conditions is provided in Section 6.3.4. Recent experience has shown that the risk of maintaining the reactor in a shutdown condition can be significant in comparison with that of power operation. This observation has resulted in a need to reassess maintenance practice to more appropriately apportion maintenance between power and shutdown operation. One goal of this particular AOT extension is to allow preventive maintenance and extended surveillances of the LPSI System while the plant is at power. This is a logical request in that many LPSI System components support the shutdown cooling system (which, in the lower modes, is the primary means of heat removal from the RCS). The role of the LPSI System at power is limited to responding to a large break LOCA or providing an alternate decay heat removal path (in conjunction with the auxiliary feedwater system).

For completeness, the impact of the extended AOT on the plant large early release fraction is qualitatively assessed. The assessment includes an evaluation of the events leading to large early fission product releases and the role of the LPSI System in the initiation and/or mitigation of those events. This assessment is presented in Section 6.3.5.

6.3.2 Assessment of "At Power'isk Methodology This section provides an assessment of the increased risk associated with continued operation with a single LPSI train out of service (OOS). The evaluation of the "at power" risk increment resulting from the extended LPSI System AOT was evaluated on a plant specific basis using the most current individual plant's Probabilistic Safety Analysis (PSA) model for their respective baselines. Plant specific evaluations were performed by each participating utility. Results of these evaluations were then compared using the following risk measures (from Reference 6):

Avemge Core Damage Frequency (CD': The average CDF represents the frequency of core-damage occurring. In a PSA, the CDF is obtained using mean unavailabilities for all standby-system components.

16

Core Damage Probability (CDP): The CDP represents the probability of core-damage occurring. Core-damage probability is approximated by multiplying core-damage frequency by a time period.

CondMonal Core-Bamage Frequency (CCDS): The Conditional CDF is the Core Damage Frequency (CDF) conditional upon some event, such as the outage of equipment. It is calculated by re-quantifying the cutsets after adjusting the unavailabilities of those basic events associated with the inoperable equipment.

Jncrease in Core Damage Frequency (ECDEl: The increase in CDF represents the difference between the CCDF evaluated for one train of equipment y~nv ~lhll; minus the CCDF evaluated for one train of equipment u f r r maintenance . For the LPSI System:

hCDE = Conditional CD'>

where CDF

- Conditional CD'~~ygg

= Core Damage Frequency (per year) fyg'pQ+

Single AOT Risk Contnbution: The Single AOT Risk contribution is the increment in risk associated with a train being unavailable over a period of time (evaluated over either the full AOT, or over the actual maintenance duration). In terms of core damage, the Single AOT Risk Contribution is the increase in probability of core-damage occurring during the AOT, or outage time, given a train is unavailable from when the train is not out for test or maintenance. The value is obtained by multiplying the increase in the CDF by the AOT or outage time.

Single AOT Risk = hCDF x r where, hCDF = Increase in Core Damage Frequency (per year), and r = full AOT or actual maintenance duration (years)

Yearly AOT Risk Contnbrdion: The Yearly'AOT risk contribution is the increase in average yearly risk from a train being unavailable accounting for the average yearly frequency of the AOT. It is the frequency of core-damage occurring per year due to the average number of entries into the LCO Action Statement per year. The value is estimated as the product of the Single AOT Risk Contribution and the average yearly frequency (f) of entering the associated LCO Action Statement. Therefore:

Yearly AOT Risk = Single AOT Risk x f where f = frequency (events/year) 17

Incremental changes in these parameters are assessed to establish the risk impact of the Technical Specification change.

Calculation of Conditional CDF, Single and Year@ AOTRisk Contributions Each CEOG utility used its current Probabilistic Safety Analysis (PSA) model to assess the Conditional CDF based on the condition that one LPSI train is unavailable. Each plant verified that the appropriate basic events are contained in the PSA cutsets used to determine the AOT risk contributions. This verification was performed as the first task in calculating the Conditional CDFs. If basic events had been filtered out of the PSA cutsets, one of the two methods described below were used to ensure the calculation of Conditional CDF was correct or conservative:

Select the basic event for the failure mode of the component with the highest if failure probability to represent the train the test/maintenance failure mode of the component had been filtered out; or

2. Retrieve cutsets containing relevant basic events at the sequence level and merge them with the final PSA cutsets.

The Conditional CDF given 1 LPSI train is ~nv~l~l was obtained by performing the following steps:

Set the basic event probability for the Mure mode for the selected component in the unavailable LPSI train equal to 1.0.

2. Set any basic event probabilities for other failure modes for that train equal to 0.0.
3. Set the basic event probability for the other LPSI train unavailable due to test/maintenance equal to 0.0.
4. For the case where the LCO Action Statement was prompted by need for Corrective Maintenance (CM) (i.e., equipment failure), adjust the basic event common cause failure unavailability corresponding to the train remauiing in service to the probability of Mure given one train has failed (i.e., equal to the beta factor, P, for the Multiple Greek Letter Method).
5. For Preventive Maintenance (PM) (i.e., no equipment failure), set the failure rate of the train remaining in service to the total single train failure rate (including both independent and common cause failure data).
6. Requantify the PSA cutsets.

18

This Conditional CDF was therefore assessed for both CM and PM. The difference between the two values is a result of the aforementioned difference in treating common cause failure.

It should be noted that the definition of CM for use in the PSA is considerable more stringent than the pragmatic TAGGED INOPERABLE definition of CM used in Section 5. In this context, CM refers to maintenance performed on a component that cannot otherwise perform its safety function.

The Conditional CDF given 1 LPSI train is r m 'n n was obtained by setting the basic event probability for the Mure mode for one LPSI train equal to 0.0 and requantifying the PSA cutsets. No adjustment was made to common cause failure from the value used in the baseline PSA model.

This Conditional CDF was effectively equal to the baseline CDF (i.e., the CDF resulting from the plant's current PSA model) for the LPSI System for all CE plants.

It was expected that the results would be symmetric for selecting either LPSI train to be out for maintenance. However, in cases where different modeling assumptions or data were associated with each LPSI train, the Conditional CDFs were evaluated for each train, and the most conservative result was used.

The Conditional CDF was then used to calculate the increase in CDF. The Single AOT Risk Contribution for each plant was calculated for the following cases:

- Current full AOT,

- Proposed full AOT,

- Mean downtime for CM, and

- Mean downtime for PM.

A value of 24 hours/event was assumed as an upper bound for the mean duration for a LPSI train CM (see Table 5.2-1). A value of 112 hour0.0013 days <br />0.0311 hours <br />1.851852e-4 weeks <br />4.2616e-5 months <br />s/event (2/3 of AOT) was assumed as an upper bound for the mean duration for a LPSI train PM unless actual plant data was available. The mean downtimes are presented in Table 6.3.2-1 and 6.3.2-2 for each plant.

The Single AOT Risk Contributions were then used to calculate the Yearly AOT Risk Contributions (Single AOT Risk x frequency), based on each plant's actual frequency of entry into the LCO Action Statement, for both CM and PM. Plant specific frequencies were used in this calculation for CM and PM. When detailed CM and PM breakdowns were not available, a split of the frequency was assumed to be 10%/90% for CM/PM, respectively. This split is based on actual data from a representative CE PWR which shows that about 10% of the total entries into the LPSI System LCO ACTION statement were due to equipment failure, the other 90% were preventive.

The overall Yearly AOT Risk Contribution is assumed to be the sum of the Yearly AOT Risk Contribution due to CM and the Yearly AOT Risk Contribution due to PM. Tables 6.3.2-1 and 19

6.3.2-2 provide the Conditional CDFs and the Single and Yearly AOT Risk Contributions for each plant for CM and PM, respectively.

Calculation ofAverage CDF In order to calculate the Average CDF for the extended LPSI System AOT, a new value for LPSI train unavailability due to test/maintenance was established. This unavailability was based on a maintenance duration of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for performing on-line corrective maintenance (conservatively estimated based on actual plant data for CE PWRs from Table 5.2-1), and a preventive maintenance program equal to the equivalent of a fullproposed AOT of 7 days (one-half the AOT twice a year). For plants with a maintenance schedule already in place or defined, then actual plant data was used in lieu of the above assumptions.

The impact on the PSA model was then calculated to obtain the Average CDF for this new LPSI System unavailability. This new Average CDF was then compared to the base case value from the plant's PSA model. Table 6.3.2-3 provides the proposed Average CDF and the base average CDF for each plant.

The results from each plant were assimilated, and the Single AOT and Yearly AOT Risks were calculated for each plant. Tables 6.3.2-1 through 6.3.2-3 present the results of these cases on a plant specific basis, and summarizes the LPSI System AOT CDF contributions for each plant.

These risk contributions include the Conditional CDFs, Increase in CDF, Single AOT and Yearly AOT risks for both CM and PM, based on full AOT and mean downtime, and current Average CDF and proposed Average CDF.

The Single AOT Risk Contribution for the full proposed AOT for all CE PWRs varies from negligible to 2.40E-06 for CM conditions and is has a maximum value of 2.1E-07 for PM.

Maximum increases of this level are small. As will be shown in the following sections, these risks are offset by reductions in transition and shutdown risks. Changes in the Average CDF due to increasing the LPSI AOT are insignificant (< 3%).

20

Table 6.3.2-1 CEOG AOT CONDITIONALCDF CONTRIBUTIONS FOR LPSI SYSTEM - Corrective Maintenance PARAMETER ANO-2 Calvert Fort Maine Millstone Palo San St. Lucid St. Lucis Waterford Cliffs Calhoun Yankee 2 Verde Onofxe I 2 3 1 852 1,2, Ec3 2Ec3 LPSI System Success Criteria 1 of 2 1 of 2 1 of2 1 of2* 1 of2 1 of2 1 of2 1 of2 1 of2 1 of2 1 of2 Cuncnt AOT, days Pmposcd AOT, days Conditional CDF, per yr 4.80E45 2.2IE44 1.18E45 1.52E44 1.59E44 5. 15E45 7.00E45 1.08E44 9.0E45 9.1E45 3.70E45 (1 LPSI tnLin unavailablc)

Conditional CDF, pcr yr 3.28E45 2.11E44 1~ 18E45 7.40E45 3.41E45 5.15E45 4.74E45 2.74E45 2.14E45 2.35E45 1.54E45 (1 LPSI train not out for T/M)

Increase in CDF, pcr yr 1.52E45 1.00E45 negligible 7.80E45 1.25E44 negligible 2.26E45 8.06E45 6.9E45 6.8E45 2.16E45 Single AOT Risk (Cunent full ACT) 1.25E47 8.22E48 -'egligible 6.41E47 6.84E47 negligible 1.86E47 6.62E47 5.7E47 1.78E47

.".'Stttgtd,'AN'.;;ask (P+jYa's'ed'fuge'4'OT)'"'2i92547,;-:,, e:,')'t92847 'ncghgible%; ;.","t"SOE46~!'<2 40E46."."" :,"-.'nejfijjble'::"';. :";",;,"4i33847~ i:I;55846

Ijl'::3E'46'.6E47 gi':.38%':::g4',':i4847"-

Downtime Frcliucncy, events/yr/tnun 0.33 0.92 0.33 0.32 0.33 0.33 0.06 0.5 0.5 0.33 Yearly AOT Risk (Cuncnt full AOT), 8.25E4$ 1.51E47 negligible 2.56E-08 4.38E47 negligible 1.23E47 7.29E-08 5.7E47 5.6E47 1. 17E47 per yr Yearly AOT Risk (Pmposcd full 1.93E47 3.53E47 negligible 5.98E48 1.53E46 negligible 2.86E47 1.70E47 1.3E46 1.3E46 2.73E47 AOT), pcr yr Mean DunLtion, Ius/cvcntse Single AOT Risk (for Mean Duration) 4.17E48 2.74E48 negligible 2.14E47 3.42E47 negligible 6.19E48 221E47 1.9E47 1.9E47 6.90E4$

Yearly AOT Risk (for Mean 2.75E48 5.04E4$ negligible 8.55E49 2.19E47 negligible 4.09E48 2.43E48 1.9E47 1.9E47 4.56E48 Duxation), per yr

  • In addition to 2 LPSI trains, Maine Yankee uses a swing pump which is not modeled in the PSA
  • s24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is assumed to be a bounding value based on historic data (see Table 5.2 1) 21

Table 6,3.2-2 CEOG AOT CONDITIONALCDF CONTRIBUTIONS FOR LPSI SYSTEM - Preventive Maintenance PARAMETER ANO-2 Calver Fort Maino Millstono Palisades Palo San St. Lucio St. Lucio Waterford Cliffs Calhoun Yankco 2 Verde Onofre I 2 3 1 Ec2 1,2,8t3 2//c3 LPSI System Success Criteria 1 of2 1 of2 1 of 2 1 of 2* 1 of2 1 of2 1 of 2 1 of2 1 of 2 1 of2 1 of2 Current AOI', days Pmposcd AOT, days Conditional CDF, per yr 3.70E45 2.18E44 1.18E45 7.94E45 4.35E45 5.15E45 4.80E45 3.31E45 3.2E45 3.2E45 1.61E45 (1 LPSI train unavailable)

Conditional CDF, per yr 2.11E44 1.18E45 3.41E45 5.15E45 4.74E45 2.74E45 2.14E45 2.35E45 1.54E45 (1 LPSI tnun not out for T/M)

Increase in CDF, per yr 4.20E46 7.00E46 ncgligiblo 5.40E46 9.40E46 negligible 6.00E47 5.70E46 1.1E45 8.5E46 7.00E47 Singlo AOT Risk (Cunent full AOT) 3.45E48 5.75E48 ncgligiblo 4A4E48 5.15E48 negligible 4.93E49 4.68E48 9E48 7E48 5.75E49 g4'<jjYi"A~OT',RTsk:'(Pwposedrfull'.'jYOT)"- -;','S~j06E4SN  :.'.-,'t,".04E47,.'" ~g!80FAVg ~~ncghybte:~~ !.:"'4".)SE48',;::,':,i",:'I:,'09E47.;"';:,;;."::,2 IE47:;,)

Downtime Frequency, cvcnts/yr/train 1.50 1.50 0.67 2.88 1.50 1.50 0.52 1.50 Yearly AOT Risk (Current full AOI), 1.04E47 4.60E47 ncgligiblo 5.95E48 2.97E47 negligible 1.48E48 4.83E48 3.6E47 2.8E47 1.73E48 pcf yr Yearly AOT Risk (Pmposed full 2.42E47 negligiblo 1.39E47 1.04E46 negligible 3.45E48 1.13E47 8.4E47 6.5E47 4.03E48 AOT), per yr Pmposcd Downtimo, hrs/yr/tnun 168 336 168 168 168 168 168 168 Mean DunLtion, tus/events+ 112 112 112 112 112 112 112 112 112 115 Singlo AOT Risk (for Mean Duration) 5.37E48 6.71E48 negligibl 6.90E48 1.20E47 ncgligiblo 7.67E49 7.29E48 1.4E47 1.1E47 9.19E49 Yearly AOT Risk (for Mean 1.61E47 5.37E47 ncgligib o 6.92E47 ncgligiblo 2.30E-08 7.51E48 5.6E47 4.3E47 2.76E48 Duration), per yr

+ In addition to 2 LPSI tnuns, Maino Yankee uses a swing pump which is not modclcd in the PSA

    • A mean duration of 112 hrs/cvcnt was conservatively assumed (2/3 of pmposed AOT) unless actual plant data availablo

Table 6.3.2-3 CEOG PROPOSED AVERAGE CDPS PARAMETER ANO-2 Calvczt Foxt Maine Millstono Palo San St. Lucio St. Lucio Watcxfoxd Cliffs Calhoun Yankee 2 Vczdo Onofm 1 2 3 1&2 1,2, &,3 2&3 LPSI System Success Czitczia . 1 of 2 1 of2 1 of 2 1 of2* 1 of 2, 1 of2 1 of2 1 of2 1of2 1 of2 1of2 Pmscnt AOT, days Pmposcd AOT, days Pmposcd Downtime, hzs/yrltzain 192 276 276 Avczage CDF (bae), pcr yr 3.28845 2.11844 1~ 18E45 7.40E45 3.41E45 5.15E45 4.74E45 2.74845 2.14E45 2.35E45 1.54E45 Pmposcd Avczagc. CDF, pcr yr 3.29E45 2.11844 1.18845 7.40845 3.45E45 5.15E45 4.74E45 2.78845 2.2845 2.4845 1.55E45

  • In addition to 2 LPSI tzains, Maine Yankee uses a swing pump which is not modclcd in thc PSA 23

6.3.3 Assessment of TiunsMon Risk For any given AOT extension, there is theoretically an "at power" increase in risk associated with it. This increase may be negligible or significant. A complete approach to assessing the change in risk accounts for the effects of avoided shutdown, or "transition risk". Transition Risk represents the risk associated with reducing power 'and going to hot or cold shutdown following equipment failure, in this case, one LPSI train being inoperable. Transition risk is of interest in understanding the tradeoff between shutting down the plant and restoring the LPSI train to operability while the plant continues operation. The risk of transitioning from "at power" to a shutdown mode must be balanced against the risk of continued operation and performing corrective maintenance while the plant is at power.

To illustrate this point, a representative CE PWR has performed an analysis for transition risk associated with one inoperable LPSI train. The methodology and results obtained by this plant are presented below and are considered generically applicable to the other CE plants.

Methodology The philosophy behind the transition risk analysis is that if a plant component becomes unavailable, the CDF will increase since less equipment is now available to respond to a transient if one were to occur. However, as long as the plant remains at power, this CDF is constant. At the point in time that a decision is made to shut down, the CDF increases since a "transient" (manual shutdown) has now occurred, and the equipment is still out of service.

The Core Damage Probability (CDP) associated with the risk of plant transition from plant full power operation to shutdown is obtained by modifying the "uncomplicated reactor trip" core damage scenario in the PSA model. In this evaluation the incremental risk is dominated by the increased likelihood of loss of main feedwater and the reliance on auxiliary (and/or emergency) feedwater to avert a core damage event. A cutset editor was used to adjust cutsets representing manual shutdown or miscellaneous plant trips to reflect the CDP associated with a forced shutdown assuming one LPSI train is out of service and requantifying the PSA cutsets.

Conservatisms that had been included in the base PSA model were deleted to reflect the greater control that the plant staff has in the shutdown process. Specifically, the baseline PSA assumed total loss of main feedwater (M&V)within 30 minutes of reactor trip. In the transition analysis, IVQ. W was assumed to be recoverable following failure of Auxiliary Feedwater. A human error probability (value of 0. 1) was added to cutsets that contained no basic events, including human actions, that would cause MFW to be uriavailable. The duration of the transition process was assumed to be 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to hot standby and 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to hot shutdown).

Additional human errors that would be associated with a detailed portrayal of the shutdown process and the entry into shutdown cooling were not included in order to establish a conservative lower bound assessment of the transition risk. Errors of commission, such as diversion of RCS flow during SDC valve alignment, are also not considered in this analysis.

24

Such errors would add to the disadvantages of the shutdown alternative, and therefore, to include them would be non-conservative for the purpose of this comparison.

Based on the above methodology the CDP associated with the lower mode transition was

'alculated for the representative plant to be 1.00E-06. Results of transition risk analyses can be generalized for the other CE PWRs by assuming that the ratio of the CDP for Transition Risk to the baseline Average CDF is constant for all plants. The baseline CDFs were selected rather than the Conditional CDFs for the ratio between the other CE plants because the analysis for the representative plant indicated that transition risk was.more a function of Loss of MI'W rather than a function of the specific equipment out of service.

That is, 4 CDP~~ = (CDF~/CDF~~* hCDP~, ~~

where:

hCDP~~ Incremental risk due to mode transition for plant CDF~ Baseline CDF for plant CDF~

CD'.,~~

~ Representative plant baseline CDF Incremental risk due to mode transition for representative plant The transition risk may be used to evaluate the relative risks of performing LPSI repair at power to that of performing the same repair at some lower mode. The risk of continued operation for the full duration of the AOT is bounded by the single AOT risk for CM (if a common cause failure is suspected) and by the single AOT risk for PM when common cause failure can be ruled out. The comparable risk of the alternate maintenance option involves consideration of four distinct risk components:

(1) Risk of remaining at power prior to initiating the lower mode transition.

This risk will vary depending on the ability of the staff to diagnose the LPSI fault and the confidence of the operating staff to expeditiously complete the repair. The time interval for power operation with a degraded component, prior to mode transition will vary from one to several days.

(2) Risk of lower mode transition.

This risk is accumulated over a short time interval (approximately 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />).

(3) Risk of continued lower mode operation with an impaired LPSI component.

In this mode, the reactor is shutdown and the core is generating decay power only.

However, risks in this mode remain significant. Depending on the particular operational mode, resources to cope with plant transients willtypically be less than at power. These modes are characterized by decreased restrictions on system operability, longer times for operator recovery actions, lower initiating frequency. for pressure driven initiators (such as LOCA) and a greater frequency for plant transients such as those initiated by loss of offsite power and loss of main feedwater.

(4) Risk of return to power The power ascension procedure is a well controlled transient. Reference 6 conceptually discusses that risks associated with this transition are greater than those associated with at power operation, but significantly below that associated with the initial lower mode transition (item 2).

The analysis of transition risk presented in this report quantifies only the risk of lower mode transition (item 2).

Table 6.3.3-1 presents the risk associated with transitioning the plant to a lower mode for each plant. The numbers in the table represent only the lower mode transition risk component of the transition sequence (item 2). The risk associated with the transition portion represents a significant fraction of the risk that would be incurred for a seven day "at power" (Single AOT Risk from Tables 6.3.2-1 and 6.3.2-2) LPSI train maintenance period.

When the risk at power and the risk at the lower mode of operation are comparable, then these results indicate that performing a 7 day LPSI train maintenance activity "at power" would be risk beneficial.

26

Table 6.3.3-1 TRANSITION RISK CORIRIBUTIONS FOR LPSI CM PLANT Transition Risk Contribution (ECDP)

ANO-2 6.92E-07 Calvert Cliffs 1 &2 4.45E-06 Fort Calhoun Station 2.49E-07 Maine Yankee 1.56E-06 Millstone 2 7.19E-07 Palisades 1.09E-06 Palo Verde 1, 2 &3 1.00E-06 San Onofre 2 &3 5.78E-07 St. Lucie 1 4.51E-07 St. Lucie 2 4.96E-07 Waterford 3 3.25E47 27

d.3.4 Assessment of Shutdown Risk The risk tradeoff for performing PM on the LPSI pump at power versus during shutdown was assessed by comparing the risk at shutdown associated with LPSI pump operation with incremental improvements in reliability associated with performing maintenance at power. The essence of this assessment was to perform a sensitivity analysis which evaluated the impact of improved reliability of the LPSI pump entering shutdown conditions given that maintenance was performed on the LPSI train at power prior to shutdown. As data is not available to quantify the improvement in reliability, sensitivity studies were chosen as the vehicle to quantify the risk associated with LPSI maintenance during shutdown. Given the fact that the frequency of requiring LPSI at power is on the order of 1 x 19 per year (the frequency of a Large LOCA event), whereas the frequency of requiring LPSI operability during shutdown is 1.0 per cycle, it is intuitive that improving the reliability of the LPSI system during shutdown should improve overall plant safety.

In summary, the premise underlying this study is that performing Preventive LPSI maintenance at power would improve the reliability of the LPSI pump entering shutdown.

This sensitivity study was performed for a representative CE plant and evaluated the impact on Core Damage Probability (CDP) over a seven day interval at the initiation of plant shutdown.

During this period the core is resident within the reactor vessel and reduced inventory shutdown operation (including "Mid-loop") is likely. To evaluate risk benefits associated with maintenance, improvements in LPSI pump reliability of 1%, 5% and 10% were parametrically evaluated. The CDP was then compared to the baseline CDP to obtain the change in risk from the base reliability.

Additional benefits of performing LPSI system maintenance at power, but not quantified in this effort are:

(1) Increased availability of maintenance staff for risk significant shutdown maintenance repairs, and (2) Reduced potential for errors of commission that may induce LPSI system failure during shutdown.

Assumptions For this analysis, the baseline Core Damage Probability (CDP~ is defined as the CDP associated with the present situation where maintenance on the LPSI train is done during shutdown. The Preventive Maintenance Core Damage Probability (CD',M) is defined as the CDP associated with the proposed situation where LPSI train maintenance is performed at power.

28

~~

aD P

The analysis assumes that as shutdown cooling is first initiated following reactor shutdown, two operating LPSI pumps are available for Shutdown Cooling (SDC). The evaluation is artificially restricted to a single 7 day reduced inventory period following shutdown entry. During this period core uncovery and core damage would occur shortly after loss of SDC. The only event leading to core damage was that resulting from a loss of SDC via failure of a LPSI pump.

No credit for recovery of pumps or use of backup pumps was assumed for this analysis. In addition, the analysis assumes that the first LPSI pump fails while operating halfway through the mission time (24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />); therefore, the second pump has a mission time equal to one-half that of the first pump (12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />). The base reliability of the LPSI pump of S.OE-OS/hr was selected as representative of CE PWRs. Consistent with the parametric evaluation, the improved X, was varied from S.OE-05/hr to 4.5E-OS/hr.

Conclusion Results of this study are presented in Table 6.3.4-1 below. The conclusion of the study is that CDP due to LPSI train unavailability is sensitive to even small changes in LPSI pump reliability.

The results showed that for a 1% improvement in pump reliability, the net CDP (CDP~-

CDP~ decreases by 8.61E-07. It is therefore concluded that the net impact of LPSI train PM at power is risk benefiicial.

Table 6.3.4-1 EFFECTS OF IMPROVED LPSI RELIABILITYAT SHU'H3OWN CHANGE IN X, BASE X, = S.OE-S/hr 1% 5% 10%

SHUIDOWN CDP 5.06E-OS 4.97E-OS 4.63E-OS 4.23E-OS (7 day interval) delta CDP 8.61E-07 4.23E46 8.28E-06 (CDPBASB - CDPPM) 29

6.3.5 Assessment of Large Ear1y Release A review of large early release scenarios for the CE PWRs indicates that early releases arise as a result of one of the following class of scenarios:

Containment Bypass Events These events'include interfacing system LOCAs and steam generator tube ruptures (SGTRs) with a concomitant loss of SG isolation (e.g. stuck open MSSV).

2. Severe Accidents accompanied by loss of containment isolation These events include any severe accident in conjunction with an initially unisolated containment.
3. Containment Failure associated with Energetic events in the Containment.

Events causing containment failure include those associated with the High Pressure Melt Ejection (HPME) phenomena (including direct containment heating (DCH)) and hydrogen conflagrations/detonations. F Of the three release categories, Class 1 tends to represent a large early release with potentially direct, unscrubbed fission products, to the environment. Class 2 events encompass a range of releases varying from early to late that may or may not be scrubbed. Class 3 events result in a high pressure failure of the containment, typically immediately upon or slightly after reactor vessel failure. Detailed Level 2 analyses for the plant condition with one LPSI train inoperable are not performed. However, assessment of the expected change in the large early release fraction was made by assessing the impact of the availability of the LPSI System on the above event categories.

Containment Bypass Events Events contained in this category that may rely on the LPSI for event mitigation include the Large Interfacing System LOCA (i.e. failure of an SDC line). Testing and or maintenance of containment isolation valves residing in the LPSI System are governed under the plant technical specifications. Arguments provided in this report are not intended to justify "at power" maintenance of these valves. Thus, no change in the ISLOCA frequency is expected.

ISLOCAs are characterized by a continuous and unreplenished loss of RCS inventory and makeup. In these scenarios, core damage ultimately results following the depletion of reactor coolant. Thus, provided that a continuous independent water supply is not available during the accident, the ISLOCA willprogress into early core damage regardless of the LPSI availability.

30

Severe Accidents accompanied by Loss of Containment Isolation Another event contributing to large early fission product releases could occur when an unmitigated large LOCA occurs in conjunction with an initially unisolated containment.

Significant fission product releases would not occur unless the containment atmosphere is unscrubbed (that is sprays are inoperable). This later combination of events is considered of very low probability and would not significantly increase with a decrease in LPSI pump availability.

Containment Failure associated with Znergetic events in the Containment.

Class 3 events are dominated by RCS transients that occur at high pressure. These events exclude those where LPSI System performance would be called for and therefore LPSI status is not a contributor to this event category. It is therefore concluded that increased unavailability of the LPSI System (as could potentially result as a consequence of an increased AOT) willhave a negligible impact on the large early release fraction for CE PWRs.

6.3.6 Summary of Risk Assessment The proposed increase in the LPSI System AOT to 7 days was evaluated from the perspective of various risks associated with plant operation. For the plants evaluated, incorporation of the extended AOT into the technical specification can potentially result in negligible to small increases in the "at power" risk. However, when the full scope of plant risk is considered, the risks incurred by extending the AOT for either corrective or preventive maintenance will be substantially offset by plant benefits associated with avoiding unnecessary plant transitions and/or by reducing risks during plant shutdown operations.

The unavailability of one train of LPSI was found to not significantly impact the three classes of events that give rise to large early releases. These include containment bypass sequences, severe accidents accompanied by loss of containment isolation, and containment failure due to energetic events in the containment. It is therefore concluded that increased unavailability of the LPSI System (as requested via Section 2) willresult in a negligible impact on the large early release probability for CE PWRs.

It is therefore concluded that the overall plant impact willbe either risk beneficial or, at the very least, risk neutral.

31

6.4 Compensatory Measims As part of implementing the Maintenance Rule, each CE PWR utility has developed or is in the process of developing a method for configuration control during maintenance. Ifmaintenance is performed on a system/train concurrent with other maintenance, the impact on risk will be evaluated prior to performing maintenance. Some plants achieve this via procedures which require that PSA evaluation is performed prior to performing maintenance. Other plants have a matrix showing the risk associated with different combinations of systems/trains unavailable due to maintenance. This matrix is used in planning the rolling maintenance schedule which is part of implementing the Maintenance Rule.

A qualitative review of potential interactions between the LPSI System and other plant systems that could amplify the impact of LPSI System unavailability was performed. Based on this review, implementation of extraordinary compensatory actions was not found necessary when a LPSI train is out of service for maintenance. However, for any "at power" maintenance, the goals should be expediency and safety. Typical actions to be taken during "at power" LPSI train maintenance and/or testing of LPSI valves are:

1. Verify that related equipment is not out of service which would amplify the effect of the unavailability of the LPSI System. This could include restricting maintenance to times when:
a. all SITs are operable
b. when all AFW sources are available Since the AOT for SITs is short, restricting the LPSI System maintenance during the time that any single SIT is in repair should not be burdensome.

Components of the LPSI system also support the shutdown cooling system. It is therefore, recommended that preventive maintenance not be scheduled to simultaneously compromise the heat removal capability of both the AFW and SDC System.

2. Verify that an alternate flowpath is available at the same time to accomplish the LPSI function, including support systems.
3. Conduct a briefing with appropriate plant personnel to ensure that they are aware of the impact associated with unavailable components and flowpaths.
4. Ifa maintenance action or repair is to be performed on the LPSI, pre-stage parts and tools to minimize outage time.
5. Consider actions which could be taken to return the affected LPSI train to functional use, ifnot full operability, if the need arises.

32

6. In repairing/testing components (particularly valves), define the appropriate valve position (open/closed) that provides the greater level of safety and "ifpractical" establish that position for the repair.
7. With the longer AOTs now available, an effort should be made to avoid inefficiently conducted multiple maintenance tasks on the same system that would result in a decreased ability to re-establish the system should it be necessary to do so.

7.0 TECHMCALJUSTIFlCATION FOR STI EXTENSION LPSI System STI extensions are not within the scope of this effort.

8.0 PROPOSED MODIFICATIONS TO NUREG-1432 J

Attachment A includes proposed changes to NUTMEG-1432 Sections 3.5.2 and B 3.5.2 that correspond to the findings of this report.

33

9.0

SUMMARY

AND CONCLUSIONS This report provides the results of an evaluation of the extension of the Allowed Outage Time (AOT) for a single Low Pressure Safety Injection (LPSI) Train contained within the current CE plant technical specifications, from its present value, to seven days. This AOT extension is sought to provide needed flexibility in the performance of both corrective and preventive maintenance during power operation. Justification of this request was based on an integrated review and assessment of plant operations, deterministiddesign basis factors and plant risk.

Results of this study demonstrate that the proposed AOT extension provides plant operational flexibilitywhile simultaneously reducing overall plant risk.

The proposed increase in the LPSI System AOT to 7 days was evaluated from the perspective of various risks associated with plant operation. For the plants evaluated, incorporation of the extended AOT into the technical specifications potentially results in negligible increases in the "at power" risk. However, when the full scope of plant risk is considered the risks incurred by extending the AOT for either corrective or preventive maintenance will be substantially offset by associated plant benefits associated with avoiding unnecessary plant transitions and/or by reducing risks during plant shutdown operations.

The unavailability of one train of LPSI was found to not significantly impact the three classes of events that give rise to large early releases. These include containment bypass sequences, severe accidents accompanied by loss of containment isolation, and containment failure due to energetic events in the containment. It is concluded that increased unavailability of the LPSI System (as requested via Section 2) will result in a negligible impact on the large early release probability for CE PWRs.

It is the overall conclusion of this evaluation that the plant impact for the requested AOT extension would be risk beneficiaL

10.0 RXX3<2EENCES 10 CFR 50.65, Appendix A, "The Maintenance Rule".

2. NU1EG-0212, "Revision 3, "Standard Technical Specifications for Combustion Engineering Pressurized Water Reactors", July 9, 1982.
3. NUREG-1432, "Standard Technical Specifications: Combustion Engineering Units",

September 1992.

4. NRC Inspection Manual Part 9900 Technical Guidance, "Maintenance-Voluntary Entry into Limiting Conditions for Operation Action Statements to Perform Maintenance",

1991.

5. "Technical Evaluation of South Texas Project (STP) Analysis for Technical Specification Modifications, P. Samanta, G. Martinez-Guridi, and W. Vesely, Technical Report ¹I 2591, dated 1-11-94.
6. NUREG/CR-6141, BNL-NUTMEG-52398, "Handbook of Methods for Risk-Based Analyses of Technical Specifications", P. K. Samanta, I. S. Kim, T. Muikamo, and W.

E. Vesely, Published December 1994.

7. LWW-02-094, Letter L. Ward (INEL) to Dr. F. Eltawila (NRC),

Subject:

"Use of MAAP to Support UtilityIPE In-Vessel and Ex-Vessel Accident Success Criteria", June 1994.

8. Fort Calhoun Station IPE Submittal Report, December 1993.
9. NUREG 0800, USNRC Standard Review Plan, Rev.2, July 1981.
10. TID 14844, "Calculation of Distance Factors for Power Reactor Sites", USAEC, 1962.
11. NUREG-1465, "Accident Source Terms for Light Water Reactors" (Final Draft), August, 1994.

35

e 0

Retrieved from "https://kanterella.com/w/index.php?title=ML17228B183&oldid=2436146"