Text

Joint Applications Rept for Safety Injection Tank Aot/Sti Extension.
	ML17228B190
Person / Time
Site:	Saint Lucie
Issue date:	05/31/1995
From:	; ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY, ASEA BROWN BOVERI, INC., C-E OPERATING PLANTS OWNERS GROUP
To:	;
Shared Package
ML17228B188	List: ML17228B187; ML17228B189; ML17228B190;
References
	CE-NPSD-994, NUDOCS 9506280128
	Download: ML17228B190 (34)
	v • d • e

COMBUSTION ENGINEERING OWNERS GROUP CE NPSD-994 W/ PSLl ~ PSL l~'lLINc%eHS %laBIE 6 3.2 1)

Joint Applications Report for Safety Injection Tank AOT/STI. Extension Final Report GEOG TASK 836 prepared for the C-E OWNERS GROUP May 1995 e Copyright 1995 Combustion Engineering, Inc. All rights reserved llew ElD QD ABB Combustion Engineering Nuclear Operations liQQDQD 9506280128 950621 PDR ADOCK 05000335 P PDR

LEGAL NOTICE This report'was prepared as an account of work sponsored by the Combustion Engineering Owners Group and ABB Combustion Engineering.

Neither Combustion Engineering, Inc. nor any person acting on its behalf:

A. makes any warranty or representation, express or implied including the warranties of fitness for a,particular purpose or merchantability, with respect to the accuracy, completeness, or usefulness of the information contained in this report, or that the use of any information, apparatus, method, or process disclosed in this report may not infringe privately owned rights; or B. assumes any liabilities with respect to the use of, or for damages resulting from the use of, any information, apparatus, method or process disclosed in this report.

Combustion Engineering, Inc.

TABLE OF CONHPG'S Section Page LIST OF TABLES 1.0 PURPOSE 2.0 SCOPE OF PROPOSED CHANGES TECHNICAL SPECIFICATIONS 2

3.0 BACKGROUND

4.0 SUhQUlARY OF APPLICABLE TECHNICAL SPECIFICATIONS 4.1 Standard Technical Specifications 4.2, "Customized" Technical Specifications 5.0 SYSTEM DESCRIPTION AND OPERATING EXPERIENCE 5.1 System Description 5.2 Operating Experience 6.0 TECHNICAL JUSTIFICATION FOR AOT FZCZENSION 6.1 Statement of Need 9 6.2 Assessment of Deterministic Factors 10 6.2.1 Thermal-Hydraulic Considerations 10 6.2.2 Radiological Release Considerations 11 6.3 Assessment of Risk 13 6.3.1 Overview 13 6.3.2 Assessment of "At Power" Risk 14 6.3.3 Assessment of Transition Risk 20 6.3.4 Assessment of Shutdown Risk 23 6.3.5 Assessment of Large Early Release 23 6.3.6 Summary of Risk Assessment 24 6.4 Compensatory Measures 24

TABLE OF CONTENTS (cont'd)

Section Page 6.5 Technical Justification for AOT Extension for Plant Operation with a Functionally Operable SIT 25 6.5.1 SIT Tagged INOPHVLBLE due to Level and Pressure Instrumentation Malfunction 25 6.5.2 SIT Boron Concentration Out of Range 25 7.0 JUSTIFICATION FOR SURVEILLANCETEST IN'IERVAL(ST/

MODIFICATION 26 8.0 PROPOSED MODIFICATIONS TO NUREG-1432 27 9.0. SUMMITRY AND CONCLUSIONS 28 9.1 Functionally INOPERABLE SIT 28 9.2 Functionally OPERABLE SIT 28

10.0 REFERENCES

29 ATI'ACHMENTA A-1 "Mark-up" of NUREG-1432 SECTIONS 3.5.1 & B 3.5.1 LIST OF TABLES Table Page REQUIRED ENTRY INTO LCO ACTION STATEMENTS DUE TO SIT MALFUNCTIONS FOR CE PWRs 6.3.2-1 CEOG AOT CONDITIONALCDF CONTRIBUTIONS FOR SITs - CM 18 6.3.2-2 CEOG PROPOSED AVERAGE CDFs 19 6.3.3-1 TRANSITION RISK CONTRIBUTIONS FOR SIT CM 22

Safety Injection Tank (SIT) ROT/STI Extension 1.0 PUNG.'OSE This report provides the results of an evaluation of specific relaxations in the existing Safety Injection Tank (SIT) boron surveillance requirements and the Allowed Outage Time (AOT).

These requirements and AOT are contained within the standard and "customized" technical specifications for any licensed CE NSSS. A two tiered extension of the existing SIT AOT (typically 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months ) to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for a non-functional SIT, and 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for a "tagged" inoperable SIT that can otherwise complete its safety function is requested in order to provide the plant with sufficient time to diagnose and potentially repair minor SIT system malfunctions at power. The ability to perform this corrective maintenance at power can enhance plant safety by averting an unplanned plant shutdown.

Also, technical specification relaxation with regard to boron monitoring is sought in order to allow better utilization of plant resources by reducing the number of unnecessary surveillance actions. This relaxation has been previously recommended by the NRC in NUREG-1366 (Reference 1).

Justification of these requests are based on a review and assessment of plant operations, deterministic and design basis considerations, and plant risk, as well as previous generic studies and conclusions drawn by NRC staff and contained within NUREG-1366 (Reference 1) and NUREG-1432, Revision 0 (Reference 2). The evaluation discussed in this report concludes that the requested Technical Specification modifications are either risk neutral or enhance overall plant safety.

This request for AOT extension is consistent with the objectives and the intent of the Maintenance Rule (Reference 3). The Maintenance Rule willbe the vehicle which controls the actual maintenance cycle by defining unavailability performance criteria and assessing maintenance risk. The AOT extension willallow efficient scheduling of maintenance within the boundaries established by implementing the Maintenance Rule. The CE plants are in the process of implementing the Maintenance Rule, and are presently setting targets for unavailability of systems and trains. Therefore, this effort is seen as timely, supportive and integral to the Maintenance Rule program.

2.0 SCOPE OF PROPOSED CHANGES TO TECHNICAL SPECIFICATION The proposed technical specification changes address revising the existing requirements for the operation of the Safety Injection Tanks (SITs). Specifically, the proposed changes to the technical specification requirements are:

In general, extend AOT for a single INOPKl4kBLE SIT from 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

For operating modes where at least three of the SlTs are required to be OPERABLE, extend the AOT following a diagnosis of a single inoperable SIT from 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

(2) When a single SIT is INOPERABLE and that INOPERABILITYis due to either malfunctioning SIT water level instrument indication or malfunctioning SIT nitrogen overpressure pressure indication, or inadequate boron concentration, extend the AOT following the diagnosis of the single INOPF24L,BLE SIT from 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

This technical specification change with regard to SIT instrumentation failures was recommended in Section 7.4 of ICJREG-1366, A um la or Water vl r h n I rv ill ceR ir m n WR . Therelaxationintheboron concentration AOT has already been adopted in the Improved Standard Technical Specifications. This change would add a new conditional Limiting'Condition of Operation requirement that would address the case where a single SlT is inoperable AND the affected SIT's inoperability is caused by malfunctioning water level instrumentation, malfunctioning pressure instrumentation, or boron concentration. (The affected SIT is otherwise capable of performing its intended function.) The completion time for restoring the operability of the affected SIT will be 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

Modify boron concentration technical specification surveiHance test interval (STI)

Eliminate technical specifications surveillance requirements that require verification of boron concentration of safety injection tank inventory after a volume increase of 1% or more ifthe makeup water is from the refueling water storage tank (RWST) and the RWST boron concentration is equal to, or greater than the minimum boron concentration of the SIT. This change in surveillance test requirements has already been adopted in the Improved Standard Technical Specifications (ISTS).

3.0 BACKGROUND

In response to the NRC's initiative to improve plant safety while granting relief to utilities from those requirements that are marginal to safety, the CEOG has undertaken a program of obtaining relief from overly restrictive technical specifications. As part of this program, several technical specification AOTs and STIs were identified for joint action.

This document addresses the SIT portion of this Task, and provides support for modifying the SIT AOT and implementing the NUTMEG-1366 "line item improvement" with regard to boron concentration monitoring. This report provides generic information supporting these changes as well as the necessary plant specific information to demonstrate the impact of these changes for each of the CE plants. The support/analytical material contained within the document is considered applicable to all CEOG member utilities regardless of the category/type of their Plant Technical Specifications.

4.0 SUMGQtY OF APPLICABLE TECHNICAL SPECIFICATIONS There are three distinct categories of Technical Specifications at CE NSSS plants.

The first category is called the Standard Technical Specifications. Through February 1995, NUREG-0212, Revision 03 commonly referred to as "Standard Technical Specifications" has provided a model for the general structure and content of the approved technical specifications at all other domestic CE NSSS plants.

The second category corresponds to the Improved Standard Technical Specifications (ISTS) guidance that is provided in NUEEG-1432, Revision 0, dated September 1992. A licensing amendment submittal to change the Technical Specifications for San Onofre Nuclear Generation Station Units 2 & 3 to implement this guidance was submitted to the NRC in December 1993.

Additionally, licensing amendment submittals are being developed that willmodify the technical specifications for Palisades Station to implement the ISTS guidance.

The third category includes those technical specifications (TSs) that have structures other than those that are outlined in either NUREG-0212 (Reference 4) or NUREG-1432 (Reference 2).

These TSs are generally referred to as "customized" technical specifications. The CE NSSS plants that currently have "customized" technical specifications are: Palisades Station, Maine Yankee Station, and Ft. Calhoun Station.

Each of these three categories of Technical Specifications includes similar operating requirements for the Safety Injection Tanks (SITs).

4.1 Standard Technical Specifications Currently NUTMEG-0212, Revision 03 specifies the following required actions when a single SIT is "INOPERABLE":

ITY'ODES I, 2 d 3

~AI+~

a. With one safety injection tank inoperable, except as a result of a closed isolation valve, restore the inoperable tank to OPERABLE status within one hour or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in HOT SEPTI'DOWN within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

b. With one safety injection tank inoperable due to the isolation valve being closed, either immediately open the isolation valve or be in at least HOT STANDBYwithin one hour and be in HOT SHVZDOWN within the next 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

The guidance of NUREG 1432 Section 3.5.1 relaxes these requirements from NUREG-0212 in the following ways:

1. The allowed outage time for a single inoperable SIT due to that SIT's boron concentration being outside the specified band is extended from 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

2. The allowed outage time for a single inoperable SIT due to factors other than boron concentration (including indication that the SIT's isolation valve is not fully open) is extended from "immediate" restoration to 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months .

Among the factors that can result in a single SIT not being technically "OPERABLE" are the following factors:

a) Malfunctions of pressure transmitters, pressure sensing lines, and pressure monitoring circuitry, b) Malfunctions of level transmitters, level sensing lines, and level monitoring circuitry.

In Section 7.4 of NUREG-1366, the NRC staff states that an SIT (an "accumulator" ) would be "available to fulfillits safety function" at times when the SIT ("accumulator" ) is "technically inoperable" due to the "inoperability of water level and pressure channels".

4.2 Customized Technical Specifications Similar requirements to those identified in Section 4.1 exist for plants with customized technical specifications. However, the format of the technical specification may be different as may be the detailed requirement. The most noteworthy difference in this area is that for Maine Yankee.

SIT Allowed Outage Times at this plant allow a single SIT to be technically inoperable for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months and isolated for up to one hour.

5.0 SYSTEM DESCRlI. TION AND OPERATING EXPI<2EENCE 5.1 System Description The function of the Safety Injection Tank (SIT) system is to reflood the reactor core with borated water following a large break LOCA. The relatively quick response of the system and its passive nature serve to reliably minimize core damage until the SI pumps can provide adequate water for reactor cooling.

Each SIT train has one safety injection tank connected to an RCS cold leg. The tank is filled with borated water and pressurized by nitrogen cover gas. SIT injection occurs anytime RCS pressure drops below'over gas pressure. The discharge piping of each tank includes a check valve followed by an isolation MOV which remains open during normal operation. Beyond these valves, an RCS pressure boundary check valve exists along the injection pathway for each tank Definition of OPERABLE SIT In general, Technical Specification Limiting Conditions For Operation (LCOs) require that all SITs be OPPOSABLE whenever the plant is in power operation (Mode I), transitioning to power operation (Mode 2) or in Mode 3 with RCS pressure greater than or equal to a designated value.

This LCO is based on the assumption that when the plant is in any of these modes of operation, the SITs must have the same functionability that would be required for a LOCA at full rated thermal power. In order to avoid entry into the LCO action statement, all SITs must be OPERABLE.

When the plant is in any of these listed modes of operation, an SIT is considered OPERABLE when the following conditions exist: .

1) the associated isolation valve is fully open,

2) electric power has been interrupted to the motor for the associated isolation valve,

3) water inventory in the tank is within the assumed band

4) the boric acid concentration of the water inventory of the tank is within the assumed band,

5) the nitrogen cover pressure within the tank is within the assumed band.

In the past, a justification for the short allowed outage time for a single SIT has been that the perceived severity of the consequences of not having all SITs available to provide passive injection during a design basis LOCA warranted the severity of this requirement. However, this short SIT AOT duration was based solely on engineering judgment and not on any quantitative assessment of risk.

While it is not the intent of this document to widen the technical specification OPERABILITY limits for the SIT; it is important to note that for selected parameters, the assessment of SIT OPERABILITYis rather stringent. The SIT operational parameters are set by the design basis licensing Large Break LOCA analysis. Since the SIT is a passive device and provides a limited function, operability has been restricted to mean that the equipment initial conditions are within a band supported by Appendix K design basis analyses. In reality, the equipment can deviate considerably from both inventory and pressure requirements without compromising the ability of the plant to adequately respond to a LOCA. Inventory requirements are overstated.

Appendix K analytical models are derived so as to over-estimate amount of liquid lost out the break and to underestimate the residual inventory in the RV lower plenum. Consequently, inventory discharge requirements are conservatively set at a high level. The nitrogen cover pressure essentially establishes the timing of the inventory injection. This would modestly influence the transient and perhaps result in a marginal fuel hot spot temperature increase.

52 Operating Experience Operating experience has demonstrated that many of the causes of SIT inoperability can be diagnosed and corrected within several hours of discovery but longer than a period of one hour from identification. In several instances, diagnosis of out-of-specification conditions have lead to plant shutdowns. A list of events that involved an SIT and required entry into associated LCO action statements is provided in Table 5.3-1 for CE PWRs.

The review of this operating experience as well as a general review of existing PRA studies led to questioning the premise that a transition to a lower mode within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of the discovery of a factor making one SIT inoperable would provide greater reactor safety than repairing this factor with the plant at power.

In fact, a letter from the NRC to Houston Light & Power (Reference 9) provides an approved case where the allowed outage time for a single safety injection tank [accumulator] was extended from 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . A significant justification for this extension was that the resulting change in the calculated values of expected and maximum core damage frequency were negligible.

Previous determinations of the allowed outage time for a single Safety Injection Tank at CE NSSS plants have been based on engineering judgement using a sound hiowledge of the role of each of the SITs in the plant design basis. Any new determination of this allowed outage time using probabilistic risk analysis must also include this consideration.

Table 5.2-1 REQUISXD EN'IRY INTO LCO ACTION STATEMENTS DUE TO SIT MALFUNCTIONS FOR CE PWRs Date of Event Description of Event San Onofre 2 8/29/84 Nitrogen Cover Pressure exceeded the limits of LCO 3.5.1, two SITS were declared inoperable and LCO 3.0.3 was invoked.

San Onofre 2 1/28/86 Pressure Limit Exceeded, LCO 3.0.3 entered.

San Onofre 3 7/25/87 LCO 3.5.1 entered due to SIT level instrumentation.

Palo Verde 2 7/17/86 Unit in Mode 4 (hot standby) when Tech Spec LCO 3.0.3 entered due to four (4) SITs declared INOPERABLE because high level limit was exceeded based on wide range level indication.

MiHstone 2 6/29/81 During routine power operation, inconsistency found between SIT Volume required by TS LCO 3.5.1.B and the indication available to determine SIT Operability.

San Onofre 2 12/23/83 SITs 007 and 010 exceeded their nitrogen pressure limit while SIT 008 was being fille.

Entered LCO 3.0.3.

San Onofre 3 1/25/83 During routine nitrogen pressurization of SIT 008, relief valve lifted (failed to reseat following overpressurization). Tank pressure dropped below allowable limits of LCO 3.5.1 and action statement A was invoked.

San Onofre 3 2/5/83 SIT tank volume and pressure outside allowable limits of LCO 3.5.1 and action statement A was invoked.

6.0 TECHNICALJUSTIFICATION FOR AOT EXTENSION This section provides an integrated. assessment of the proposed extension of the SIT AOT from its currently defined value of 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This proposed AOT would be applicable in the event. an SIT is determined to be INOPERABLE and the cause of the inoperability has ~n been diagnosed as being caused solely by malfunctioning level or pressure measurement instrumentation (See item 1 of Section 2). A discussion of the AOT extension for circumstances where the SIT is tagged INOPERABLE (based on Technical Specifications Criteria) but is otherwise functional is presented in Section 6.5.

6.1 Statement of Need As was briefly mentioned in Section 5.2, the repair of certain factors that result in the "inoperability" of a single safety injection tank can be completed within a relatively short period of no more than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

Operating experience has demonstrated that the repair of such factors takes longer than the existing 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months allowed outage time that is typical of existing Technical Specifications for CE NSSS plants that have not implemented the guidance of NUREG-1432.

The sections that follow show that the continued implementation of the existing "1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months " AOT may result in unnecessary plant shutdowns. Since the increased risk of operating with a single SIT out of service is negligible (as described in the following sections), the associated plant maneuver to a shutdown condition will likely increase plant risk above that which would otherwise exist if the repair of the cause of the "inoperability" was completed at power. A twenty-four hour AOT was considered sufficient for the diagnosis of a potential SIT INOPERABLE condition and minor component repair.

Additionally, Section 7.4 of NUREG-1366 identifies cases where entries into containment have been made at power to recalibrate a single SIT water level or pressure transmitter while a redundant, independent instrument remained operable. In these cases, the containment entry was made in anticipation of a situation where both instruments were simultaneously inoperable, resulting in an allowed outage time that was insufficient for remaining at power while performing repairs and recalibrations. With a longer duration AOT for both redundant instrument channels, there would be less need for containment entries at power solely for the recalibration of a single water level or pressure channel transmitter.

6.2 Assessment of Deterministic Factors 6.2.I Thermal-Hydnmlic Considemtions The functions of the Safety Injection Tanks (SITs) are to supply water to the reactor vessel during the blowdown phase of a loss of coolant accident (LOCA), and to provide inventory to help accomplish the refill phase that follows thereafter.

The blowdown phase of a large break LOCA is the initial period of the transient during which the RCS departs from equilibrium conditions, and heat from fission product decay, hot internals, and the vessel continues to be transferred to the reactor coolant. The blowdown phase of the transient ends when the RCS pressure falls to a value approaching that of the containment atmosphere.

The refillphase of a LOCA follows immediately after the blowdown phase. The core at the end of the blowdown phase is essentially in adiabatic heatup. In the refill phase, the balance of the inventory in the SITs is available to help fillthe lower plenum and the reactor vessel downcomer to re-establish a coolant level at the bottom of the core and then to support reflood of the core with the addition of safety injection water.

Each SIT is a pressure vessel partially filled with borated water and pressurized with nitrogen gas. Each SIT is a passive component, since it is intended to perform its design function without operator or control action. Each SIT will start to discharge its contents to the RCS, if RCS pressure decreases below the SIT pressure.

Each SIT is piped into one reactor coolant system (RCS) cold leg via the injection lines utilized by the Safety Injection (HPSI and LPSI) system. Each SIT is isolated from the RCS by a motor operated isolation valve and two check valves in series. The associated motor operated isolation valve for each SIT is normally open, with power removed from the valve motor to prevent inadvertent closure prior to or during an accident.

Additionally, each of these isolation valves is interlocked with the pressurizer pressure instrumentation channels to ensure that the valves will automatically open as RCS pressure increases above SIT pressure and to prevent inadvertent closure prior to an accident. Each of these valves also receives a safety injection actuation signal (SIAS) to open. These features ensure that these valves meet the requirements of the Institute of Electrical and Electronic Engineers (IEEE) Standard 279-1971 for "operating bypasses" and that the SITs willbe available for injection without reliance on operator action.

The nitrogen gas and water volumes, nitrogen gas pressures, and outlet pipe sizes for each SIT are selected to allow the SITs together with the HPSI and LPSI systems to recover water inventory in the core before significant clad melting or zirconium water reaction can occur following a LOCA.

10

The SIT capacity is established such that the SITs provide adequate inventory to the downcomer and facilitate the core recovery and refill process. In particular, passive injection by all but one of the SITs is credited in design base analysis for large break LOCAs that are initiated at full rated thermal power conditions. The other SIT is assumed to be ineffective due to the break location. The performance of SITs is calculated in accordance with Appendix K to 10CFR50 and, together with the HPSI and LPSI systems, ensures that the following Emergency Core Cooling System (ECCS) acceptance criteria of 10 CFR 50.46 are satisfied:

a. Maximum fuel element cladding temperature is ( 2200 Degrees Fahrenheit; Maximum cladding oxidation is ( 0.17 times the total cladding thickness before oxidation; C. Maximum hydrogen generation from a zirconium water reaction is ( 0.01 times the hypothetical amount that would be generated ifall of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react; and

d. The core is maintained in a eoolable geometry.

The above criteria were established in order to define a deterministic acceptance criteria that may be used by regulators in judging the acceptability of a given Emergency Core Cooling System.

The methodology is defined in Appendix K to 10 CFR 50. This methodology conservatively represents LOCA. thermohydraulic and hydrodynamic phenomenology to calculate fuel peak clad temperature. As a result, this methodology overstates the realistic minimum equipment requirements for adequate response to an event. Recent best estimate analyses for a typical PWR (Reference 5) confirmed that for large break LOCAs, core melt can be prevented by either the operation of one Low Pressure Safety Injection (LPSI) pump or the operation of one High Pressure Safety Injection (HPSI) pump and a single SIT. While the precise equipment set for any specific CE PWR may vary, the design basis requirement for 1 LPSI train, 1 HPSI train, and all SITs to avert a core melt condition is very conservative.

6.2.2 Radiological Release Considerations The design basis calculation of radiological consequences of the large LOCA are based on a combination of very conservative assumptions. The design basis for radiological releases following a LOCA is set forth in 10 CFR 100, "Reactor Site Criteria", and detailed in SRP 15.6.5 (Reference 6). In practice, the 10 CFR 100 radiation release criteria are achieved via reliance on the 1962 "source term" outlined in the Atomic Energy Commission Technical Information Document, TID-14S44, "Calculation of Distance Factors for Power and Test Reactors" (Reference 7). This "Source Term" was not consistent with the low level of core damage expected with a Large LOCA. Instead, the Source Term was very conservatively defined based on a substantial meltdown of the core, and fission product release to the containment.

11

Over the past 30 years, substantial information has been developed updating our knowledge about fission product release and transport during PWR severe accidents. This information is refiected in the new NRC source term defined in NUREG-1465 (Reference 8). Assimilation of this information suggests that even when the dichotomy of a core melt driven source term is retained, the estimate of the Large LOCA fission product releases based on Reference 7 considerably overpredicts the severity of the fission product release to the public.

This conclusion is based on the following: fission

1) Current'licensing methods assume product are released to the containment immediately upon the onset of the LOCA. In fact, only gases residing within the fuel gap (approximately 5% of the total volatile fission product inventory) willbe released at the point of clad rupture (early in the transient). The remainder of the fission products will enter the containment over the period of one half hour or more.

2) Current licensing methods assume the composition of the iodine entering the containment is predominantly elemental (as was then believed to be the physical situation). Sprays are less effective in removing elemental iodine than iodine in the particulate form. It is our current understanding that the iodine is predominantly (greater than 95%) released into the containment in the form of CsI which is particulate. Thus, spray effectiveness and gravitational settling would be enhanced and airborne releases from containment would decrease.

Thus, even ifa Large LOCA were to occur without the requisite design basis number of SITs, the actual fission product releases would be expected to be well within the existing 10 CFR 100 criteria. This issue is further considered in a probabilistic framework in Section 6.3.5.

12

6.3 Assessment of Risk 6.3.1 Overdew The purpose of this section is to provide an integrated assessment of the overall plant risk associated with adoption of the proposed AOT extension. The methodology used to evaluate the SIT AOT extension was based in part on a draft version of the "Handbook of Methods for Risk-Based Analyses of Technical Specifications, Reference 10. As guidance for the acceptability of a Technical Specification modification, it was noted that any proposed Technical Specification change (and the ultimate change package) should either:

(1) be risk neutral, OR (2) result in a decrease in plant risk (via "risk trade-off considerations"), OR (3) result in a negligible (to small) increase in plant risk.

(4) be needed by the utility to more efficiently and/or more safely manage plant operations.

A statement of need has been provided in Section 6.1. This section addresses the risk aspects of the proposed AOT extension.

In this evaluation, a risk assessment of the SIT AOT extension is performed with respect to associated "at power" and "transition" risks.

Section 6.3.2 provides an assessment of the increased risk associated with continued operation with a single SIT out of service (OOS). The evaluation of the "at power" risk increment resulting from the extended SIT AOT was evaluated on a plant specific basis using the most current individual plant's Probabilistic Safety Analysis (PSA) model for their respective baselines. Plant specific evaluations were performed by each participating utility. Results of these evaluations were then compared using appropriate risk measures as prescribed in Reference 10.

Section 6.3.3 provides an assessment of risk of transitioning the plant from Mode 1 into a lower mode (e.g. Mode 4). The "at power" risk assessment provides only one facet of the plant risk.

For this evaluation, continuation of at power operation with the LCO action statement is compared with the risk of proceeding with a plant shutdown. A lower bound to this transition risk was evaluated by modifying the reactor trip core melt scenario for a representative CE PWR. Based on this analysis, a core damage probability for the plant shutdown was established and compared to the single AOT risk associated with continued operation.

13

For completeness, the impact of the extended AOT on the plant large early release fraction is qualitatively assessed. The assessment includes an evaluation of the events leading to large early fission product releases and the role of the SIT in the initiation and/or mitigation of those events.

This assessment is presented in Section 6.3.5.

6.3.2 Assessment of "At Power" Risk Methodology This section provides an assessment of the increased risk associated with continued operation with a single SIT out of service (OOS). The evaluation of the "at power" risk increment resulting from the extended SIT AOT was evaluated on a plant specific basis using the most current individual plant's Probabilistic Safety Analysis (PSA) model. Plant specific evaluations were performed by each participating utility. Results of these evaluations were then compared using the following risk measures (from Reference 10):

Average Core Damage Frequency (CDF): The average CDF represents the frequency of core-damage occurring. In a PSA model, the CDF is obtained using mean unavailabilities for all standby-system components.

Core Damage Probability (CDP): The CDP represents the probability of core-damage occurring. Core-damage probability is approximated by multiplying core-damage frequency by a time period.

Conditional Core-Damage Erequency (CCDig: The Conditional CDF is the Core Damage Frequency (CDF) conditional upon some event, such as the outage of equipment. It is calculated by re-quantifying the cutsets after adjusting the unavailabilities of those basic events associated with the inoperable equipment.

Increase in Core Damage Frequency (hCDg: The increase in CDF represents the difference between the CCDF evaluated for one train of equipment ~navailabl minus the CCDF evaluated for one train of equipment no ou f r te t r maintenance . For the SITs:

hCDE = Conditional CDF+ srrm~~>> - Conditional CD'iTuoc oaf tor Tfito where CDF = Core Damage Frequency (per year)

Single AOT Risk Contribution: The Single AOT Risk contribution is the increment in risk associated with a train being unavailable over a period of time (evaluated over either the full AOT, or over the actual maintenance duration). In terms of core damage, the Single AOT Risk Contribution is the increase in probability of core-damage occurring during the AOT, or outage time, given a train is unavailable from when the train is not

out for test or maintenance. The value is obtained by multiplying the increase in the CDF by the AOT or outage time.

Single AOT Risk = 4CDF x ~

where, 4CDF = Increase in Core Damage Frequency (per year), and r = full AOT or actual maintenance duration (years)

Yearly AOT Risk Contributio: The Yearly AOT risk contribution is the increase in average yearly risk from a train being unavailable accounting for the average yearly frequency of the AOT. It is the frequency of core-damage occurring per year due to the average number of entries into the LCO Action Statement per year. The value is estimated as the product of the Single AOT Risk Contribution and the average yearly frequency (f) of entering the associated LCO Action Statement. Therefore:

Yearly AOT Risk = Single AOT Risk x f where f = frequency (events/year)

Incremental changes in these parameters are assessed to establish the risk impact of the Technical Specification change.

Calculation of Conditional CDF, Single and Yearly AOT Risk Contributions Each CEOG utility used its current Probabilistic Safety Analysis (PSA) model to assess the Conditional CDF based on the condition that one SIT is unavailable. Each plant verified that the appropriate basic events are contained in the PSA cutsets used to determine the AOT risk contributions. This verification was performed as the first task in calculating the Conditional CDFs. If basic events had been filtered out of the PSA cutsets, one of the two methods described below were used to ensure the calculation of Conditional CDF was correct or conservative:

Select the basic event for the failure mode of the component with the highest if failure probability to represent the train the test/maintenance failure mode of the component had been filtered out; or

2. Retrieve cutsets containing relevant basic events at the sequence level and merge them with the final PSA cutsets.

15

The Conditional CDF given 1 SIT is ~n'mphil I was obtained by performing the following steps:

Set the basic event probability for the failure mode for a component in the unavailable SIT train equal to 1.00,

2. Set any basic event probabilities for other failure modes for that train equal to 0.0, and

3. Requantify the PSA cutsets.

The Conditional CDF given 1 SIT is n f r r maintenan was obtained by setting the basic event probability for the failure mode for one SIT equal to 0.0 and requantifying the PSA cutsets. This Conditional CDF was effectively equal to the baseline CDF (CDF resulting from the plant's current PSA model) for the SITs for all CE plants.

It was expected that the results would be symmetric for selecting any one of the four SITs to be out for maintenance. However, in cases where different modeling assumptions or data were associated with each SIT, then the Conditional CDFs were evaluated for each SIT, and the most conservative result was used.

The Conditional CDF was then used to calculate the increase in CDF and then the Single AOT Risk Contribution (Conditional CDF x full AOT) for each plant. The Single AOT was calculated based on the full AOT due to the short duration of the AOT; i.e., nothing less than full AOT was assumed for maintenance duration for both the current and proposed Single AOT Risk calculations.

The Single AOT Risk Contribution was then used to calculate the Yearly AOT Risk Contribution (Single AOT Risk x frequency). Maintenance frequency was not expected to change based on an extended AOT, so the maintenance frequency for the proposed AOT is the same frequency as the current AOT. The frequency used for the Yearly AOT Risk Contribution calculation is 0.35 per year (total for all SITs). This value is based on actual data for entry into the SIT LCO Action Statement for a representative CE plant and is either conservative or accurate for each CE plant.

Table 6.3.2-1 provides the Conditional CDFs, and the Single and Yearly AOT Risk Contributions for each plant.

16

Calculation ofAverage CDF In order to calculate the Average CDF for the extended SIT AOT, a new value for SIT unavailability due to test/maintenance was established, which accounted for the performance of on-line corrective maintenance assuming a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months maintenance duration (i.e., the fullproposed SIT AOT). The PSA cutsets were then requantified based on this new unavailability to obtain the Average CDF for the new SIT unavailability of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months per year. This new Average CDF was then compared to the base case value from the plant's PSA model. Table 6.3.2-2 provides the proposed Average CDF and the base Average CDF for each plant.

Results The results from each plant were assimilated, and the Single AOT and Yearly AOT Risks were calculated for each plant. Tables 6.3.2-1 and 6.3.2-2 present the results of these cases on a plant specific basis, and summarizes'he SIT AOT CDF contributions for each plant. These risk contributions include the Conditional CDFs, Increase in CDF, Single AOT and Yearly AOT risks, and current and proposed Average CDFs.

Differences in results are primarily due to variations in Large LOCA initiating event frequency and the associated success criteria. Plants that used the Large LOCA deterministic success criteria (i.e.; all SITs required to mitigate Large LOCA) combined with a high Large LOCA initiating event frequency (e.g., 5.0E-04 per year) in the PSA resulted in an overly conservative estimation of SIT importance. Even for plants with more stringent success criteria, the results of the analyses indicate that the Single and Yearly AOT Risk Contributions are negligible or small for all plants by extending the SIT AOT from 1 to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , and the Average CDF is virtually unchanged.

17

Table 6.3.2-1 CEOG AOT CONDITIONALCDF CONTRIBUTIONS FOR SITs - Corrective Maintenance PARAMETER ANO-2 Calvert Fort Maino Millstono Palisades Palo San St. Lucia St. Lucio Waterford Cliffs Calhoun Yankee* 2 Vczde Onofm 1 2 3 1&2 1,2Ec3 2&,3 SIT Success Criteria 3of4 3of4** 3 of 3 to 1 of2to 2of3 to 3of3to 2of3 to 3of4to 3of4 3of4 3 of 3 to unbmkcn unbmken unbmkcn unbmkcn unbmkcn unbmken unbmken legs legs legs legs** legs legs legs Pzescnt AOT hzs 1 1 Pmposcd AOT, hzs 24 24 Conditional CDF, per yr 4.12E45 5.53E44 2.18~ 7AOE45 3.41E45 5.47E45 4.88E45 4.02E44 2.2E44 2.2E44 6.53E45 (1 SIT unavailable)

Conditional CDF,pcryr 3.28E45 2.11E44 1.18E45 7.40E45 3.41E45 5.15E45 4.74E45 2.74E45 2.14E45 2.35E45 (1 SH'ot out for maintenance)

Inczease in CDF, per yr 8.3&E46 3.42E44 1.00E45 negligible ncgligiblo 3.20E46 1.40E46 3.75E44 '4.99E45 N.OE-OO Single AOT Risk (based on 9.57E-10 3.90E48 1.14E49 negligible ncgligiblo 3.65E-10 1.60E-10 4.28E48 2.3E48 2.3E48 5.70E49 Current full AOT)

.-: ,':Siii'gl'e';.'p~-;.Rishi"'{based ion"".'" .""-.2'30BWe KR37E4V"""" "'."'74B4&".:> i:neghgib1o'".'."n'cghgiblo',"",'&8!77E49@ P3',"84Bj8.':g ~::1!03B46;:,: 'j~@l3Z 847 ~

. >m.. ': . ih"'c%

Downtime Frequency, per yr 0.35s*** 0.35**** 0.35**** Q 35sss>> Q 35sasa Q 35sssa 0 35ssse Q 35sasa Q 35ssse Q 35essa Yearly AOT Risk, pcr yr 3.35E-10 1.37E48 .QQE-10 negligiblo negligiblo 1.2&E-10 5.59E-11 1.50E48 &E49 1.99E49 (based on Current full AOI)

Yearly AOT Risk, pcr yr 8.04E49 3.2&E47 .59E-09 negligiblo ncgligiblo 3.07E49 1.34E49 3.59E47 1.9E47 1.9E47 4.78E48 (based on Proposed full AOT)

SITs wczo not modeled in PSA, impact judged negligible duo to success czitczia c* Success criteria varies based on details of scenario

ca 4 houzs for SIT out of speo

<<as* Based on actual data for zepzescntativo CE plant 18

Table 6.3.2-2 CEOG PROPOSED AVERAGE CDFS PARAMETER ANO-2 Calvert Fort Maine Millstone Palisades Palo San St. Lucio St. Lucio Waterford Cliffs Calhoun Yankee* 2 Verde Onofm I 2 3 1&,2 1,2%3 28@3 SIT Success Criteria 3of4 .3of4s* 3 of 3 to I of2to 2of3 to 3of3to 2of3 to 3of4to 3of4 3of4 3of3to unbmken unbroken unbmken unbmkcn unbmkcn unbmken unbmken legs legs legs Icgas* legs legs legs Present AOT hrs Pmposcd AOT, hrs Proposed Downtime, hrs/yr Assume 24 Average CDF, pcr yr 3.28E4)5 2.II'.18'.40E4)5 3.41E45 5. ISED 4.74E4)5 2.74E45 2. 14E45 2.35E45 1.54E45 (PSA case)

Average CDF, per yr 3.28E45 2. I I EM I. I SEES 7AOE45 3.4IE45 5.16E45 4.74E45 2.85E45 2.4E415 2.6E45 1.56E45 (Pmposcd)

SITs were not modeled in PSA, impact judged negligible due to success criteria

- Success criteria varies based on details of scenario as* 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for SIT out of spec 19

6.3.3 Assessment of Traiisition Risk For any given AOT extension, there is theoretically an "at power" increase in risk associated with it. This increase may be negligible or significant. A complete approach to assessing the change in risk accounts for the effects of avoided shutdown, or "transition risk". Transition Risk represents the risk associated with reducing power and going to hot or cold shutdown following equipment failure, in this case, one SIT being inoperable. Transition risk is of interest in understanding the tradeoff between shutting down the plant and repairing the SIT while the plant continues operation. The risk of transitioning from "at power" to a shutdown mode must be balanced against the risk of continued operation and performing corrective maintenance while the plant is at power.

To illustrate this point, a representative CE PWR has performed an analysis for transition risk associated with one inoperable SIT. The methodology and results obtained by this plant are presented below and are considered generically applicable to the other CE plants.

The philosophy behind the transition risk analysis is that if a plant component becomes unavailable, the CDF will increase since less equipment is now available to respond to a transient if one were to occur. However, as long as the plant remains at power, this CDF is constant. At the point in time that a decision is made to shut down, the CDF increases since a "transient" (manual shutdown) has now occurred, and the equipment is still out of service.

The Core Damage Probability (CDP) associated with the risk of plant transition from plant full power operation to shutdown is obtained by modifying the "uncomplicated reactor trip" core damage scenario in the PSA model. In this evaluation the incremental risk is dominated by the increased likelihood of loss of main feedwater and the reliance on auxiliary (and/or emergency) feedwater to avert a core damage event. A cutset editor was used to adjust cutsets representing manual shutdown or miscellaneous plant trips to reflect the CDP associated with a forced shutdown assuming one SIT is out of service and requantifying the PSA cutsets. Conservatisms that had been included in the base PSA model were deleted to reflect the greater control that the plant staff has in the shutdown process. Specifically, the baseline PSA model assumed total loss of main feedwater (MFW) within 30 minutes of reactor trip. In the transition analysis, MPiV was assumed to be recoverable following failure of Auxiliary Feedwater. A human error probability (value of 0.1) was added to cutsets that contained no basic events, including human actions, that would cause MFW to be unavailable. The duration of the transition process was assumed to be 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months (6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months to hot standby and 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months to hot shutdown).

Additional human errors that would be associated with a detailed portrayal of the shutdown process and the entry into shutdown cooling were not included in order to establish a conservative lower bound assessment of the transition risk. Errors of commission, such as diversion of RCS flow during SDC valve alignment, are also not considered in this analysis.

20

Such errors would add to the disadvantages of the shutdown alternative, and therefore, to include them would be non-conservative for the purpose of this comparison.

Based on the above methodology the CDP associated with the lower mode transition was calculated for the representative plant to be 1.00E-06. Results of transition risk analyses can be generalized for the other CE PWRs by assuming that the ratio of the CDP for Transition Risk to the baseline Average CDF is constant for all plants. The baseline CDFs were selected rather than the Conditional CDFs for the ratio between the other CE plants because the analysis for the representative plant indicated that transition risk was,more a function of Loss of MFW rather than a function of the specific equipment out of service. Results of transition risk analyses can be generalized for the other CE PWRs by assuming that the ratio of the CDP for Transition Risk to the baseline Average CDF is constant for all plants.

That is, 5 CDP~~ = (CDF~/CDF ~

hCDP~ f pgzpf) where:

~CDPmg Incremental risk due to mode transition for plant CDF~ Baseline CDF for plant CDF Representative plant baseline CDF CD'orry gaat Incremental risk due to mode transition for representative plant The transition risk may be used to evaluate the relative risks of performing SlT repair at power to that of performing the same repair at some lower mode. The risk of continued operation for the full duration of the AOT is bounded by the single AOT risk for CM. The comparable risk of the alternate maintenance option involves consideration of four distinct risk components:

(1) Risk of remaining at power prior to initiating the lower mode transition.

This risk will vary depending on the ability of the staff to diagnose the SIT fault.

(2) Risk of lower mode transition.

This risk is accumulated over a short time interval (approximately 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ).

(3) Risk of continued lower mode operation with an impaired SIT.

In this mode, the reactor is shutdown and the core is generating decay power only.

However, risks in this mode remain significant. Depending on the particular operational mode, resources to cope with plant transients willtypically be less than at power. These modes are characterized by decreased restrictions on system operability, longer times for 21

operator recovery actions, lower initiating frequency for pressure driven initiators (such as LOCA) and a greater frequency for plant transients such as those initiated by loss of offsite power and loss of main feedwater.

(4) Risk of return to power The power ascension procedure is a well controlled transient. Reference (10) conceptually discusses that risks associated with this transition are greater than those associated with at power operation, but significantly below that associated with the initial lower mode transition (item 2).

The analysis of transition risk presented in this report quantifies only the risk of lower mode transition (item 2).

Results Table 6.3.3-1 presents the risk associated with transitioning the plant to a lower mode for each plant. The numbers in the table represent only the lower mode transition risk component of the transition sequence (item 2). For all CE plants, the risk associated with this transition portion is nearly equal to or exceeds that risk that would be incurred for a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months "at power" (Single AOT Risk from Tables 6.3.2-1) SIT maintenance period. When the full mode transition process is considered, it is expected that SIT maintenance at power for the full 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months AOT is risk beneficial for all CE PWRs.

Table 6.3.3-1 TRANSITION RISK CONTRIBUTIONS FOR SIT CM Transition Risk Contribution (ECDP) 6.92E<7 Calvert Cliffs 1 dh 2 4.45E46 Fort Calhoun Station 2.49E-07 Maine Yankee 1.56E46 h6llstone 2 7.19E47 Palisades 1.09M%

Palo Verde 1, 2 8h 3 1.00M)6 San Onofre 2 8h 3 5.78E47 St. Lucie 1 4.51E%7-St. Lucie 2 4.96E%7 Waterford 3 3.25E%7 22

6.3.4 Assessment of Shutdown Risk Shutdown risk benefits were not credited for the SIT AOT Extension request.

6.3.5 Assessment of Large Early Release A review of large early release scenarios for the CE PWRs indicates that early releases arise as a result of one of the following classes of scenarios:

1. Containment Bypass Events These events include interfacing system LOCAs and steam generator tube ruptures (SGTRs) with a concomitant loss of SG isolation (e.g. stuck open MSSV).

2. Severe Accidents accompanied by loss of containment isolation These events include any severe accident in conjunction with an initially unisolated containment.

3. Containment Failure associated with Energetic events in the Containment.

Events causing containment failure include those associated with the High Pressure Melt Ejection (HPME) phenomena including direct containment heating (DCH) and hydrogen conflagrations/detonations.

Of the three release categories, Class 1 tends to represent a large early release with potentially direct, unscrubbed fission products, to the environment. Class 2 events encompass a range of releases varying from early to late that may or may not be scrubbed. Class 3 events result in a high pressure failure of the containment, typically immediately upon or slightly after reactor vessel failure. Detailed Level 2 analyses for the plant condition with 1 potentially inoperable SIT have not been performed. However, assessment of the expected change in the large early release fraction was made by assessing the impact of one SIT on the above event categories.

Based on this review, it was established that inoperability of one SIT would not impact Class 1 events. These events are characterized by an irrecoverable loss of reactor inventory along with any makeup outside of containment. Core damage for these events is inevitable without a continuous permanent makeup water source. The availability of the SITs does not significantly alter the event progression. A small increase in Class 2 events could occur when an unmitigated large LOCA occurs in conjunction with an initially unisolated containment. Significant fission product releases would not occur unless, the containment is unscrubbed (that is sprays are inoperable). This later combination of events is considered of very low probability. Class 3 events are dominated by RCS transients that occur at high pressure. These events exclude those where SIT performance would be called for and therefore SIT status is not a contributor to this event category. It is therefore concluded that increased unavailability of one SIT will result in a negligible impact on the large early release probability for CE PWRs.

23

6.3.6 Summary of Risk Assessment The major contributor to differences in plant results for the SITs is success criteria. Even for plants with more stringent success criteria, the results of the analyses indicate that there is only a small increase in risk by extending the SIT AOT from I to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

The results of this study also indicate that performing SIT maintenance at power versus at shutdown can result in a decrease in overall plant risk. This is because the CDP for continued operation of the plant at power with one SIT inoperable is less than the CDP associated with shutting down the plant.

Inoperability of the SIT was found to not significantly impact the three classes of events that give rise to large early releases. These include containment bypass sequences, severe accidents accompanied by loss of containment isolation, and containment failure due to energetic events in the containment. It is therefore concluded that increased unavailability of the SIT willresult in a negligible impact on the large early release probability for CE PWRs.

In conclusion, from a risk perspective, increasing the out of service (OOS) duration for a single SIT has a negligible impact on risk from either an instantaneous or cumulative (yearly) basis.

6.4 Compensatory Measures In addition to the information described above, each CEOG plant considered maintenance interactions or compensatory actions that could be performed if the change in risk due to the extended AOT was not risk neutral. Because of the short AOT for the SITs, no extraordinary compensatory actions were determined to be required when one SIT is out of service for maintenance. However, as for any "at power" maintenance, the goals should be expediency and safety. Therefore, operability of the other SITs should be verified prior to taking the SIT out-of-service. Also, talang one SIT out-of-service should not coincide with the scheduled removal of additional ECCS plant components from service.

24

6.5 Technical Justification for AOT Extension for Plant Operation with a Functionally "Operable" SIT This section addresses two line item relaxations previously identified as generically acceptable in previous NRC documents. These changes are defined in item 2 of Section 2, and allow an extended AOT of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for conditions where the SIT is functional but an INOPERABLE tag is required due to either: 1) malfunctioning pressure or level instrumentation or 2) the SIT boron concentration is out of the technical specification limit. Relaxation of this AOT due to inoperable level or pressure instrumentation has been recommended for implementation into the TSs by the NRC in Reference 1. The relaxation of AOT requirements due to boron concentration in a single SIT has been reviewed generically by the NRC and accepted for use within the Improved Standard Technical Specifications (Reference 2). In either case, the SIT is functional and can perform its intended function throughout the extended AOT. These TS relaxation requests are discussed below.

6.5.1 SIT Tagged INOPER4BLE due to Level and Pressure Instrumentation M~unction Section 7.4 of NUREG-1366 (Reference 1) provides the following non-risk related justification .

for a specific AOT extension from 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for a single SIT when that inoperability is caused solely by malfunctioning level instrumentation or solely by malfunctioning pressure instrumentation:

"The combination of redundant level and pressure instrumentation [for any specific SIT]

may provide sufficient information so that it may not be worthwhile to always attempt to correct drift associated with one instrument ifthere were sufficient time to repair one in the event that a second one became inoperable. Because these instruments do not initiate a safety action, it is reasonable to extend the allowable outage time for them.

The [NRC] staff, therefore, recommends that an additional condition be established for the specific case, where One accumulator is inoperable due to the inoperability of water level and pressure channels,'n which the completion time to restore the accumulator to operable status will be 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . While technically inoperable, the accumulator would be available to fulfillits safety function during this time and, thus, this change would have a negligible increase on risk."

6.5.2 SIT Boron Concentration Out of Range In the Improved Standard Technical Specifications of NUREG-1432, the allowed outage time for one SIT is extended from 1 to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months when the "inoperability" of the subject SIT is due only to the boric acid concentration of the tank's contents being outside the specified band for "OPERABILITY." Section B.3.5.1 of NUREG-1432 provides justification for this extension.

I The AOT extensions defined in this section apply to the identification of an INOPERABLE SIT which remains functionally capable of performing its safety function. There are no contradictions between this argument and risk-related arguments for a general AOT of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months that are discussed in Section 6.

7.0 JUSTIFICATION FOR SURVEILLANCE TEST INTERVAL (STI)

MODIFICATION Item 3 of Section 2 (SCOPE OF PROPOSED CHANGES TO TECHNICAL SPECIFICATIONS) proposes to modify the technical specifications associated with performing boron concentration observations when the source of SIT makeup water is from the RWST with a known boron concentration that is equal to or greater than the known boron concentration of the SIT. This technical specification change was originally proposed by the NRC in Section 7.1 of NUREG-1366, Reference 1. Item 3 is considered generic to a11 CE PWRs.

The CEOG therefore endorses a recommendation that when plant-specific Technical Specifications are amended to implement the cumulative guidance of NUTMEG-1432, LCO 3.5.1 and Section 8.1.4 of this NUREG, the guidance in SR 3.5.1.4 of NUTMEG-1432 (Attachment A) should be implemented at the same time.

NUREG-0212, Revision 03 includes the following requirement in SR 4.5.1.1:

"b. At least once per 31 days and within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months after each solution volume increase of greater than or equal to (1)% of tank volume by verifying the boron concentration of the safety injection tank solution."

The comparable Surveillance Requirement in NUREG-1432, SR 3.5.1.4 states, "Verify boron concentration in each SIT is ) t'1500] ppm and ( l2800] ppm." The specified frequency for this surveillance is:

"31 days AND NOTE -

Only required to be performed for affected SIT 26

Once within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months after each solution volume increase of

> [1]% of tank volume that is not the result of addition from the refueling water tank" The removal of the requirement to sample the affected SITs for boron concentration within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months of a volume transfer from the refueling water storage tank is supported by the following statement from Section 7.1 of NUTMEG-1366:

"Normal makeup to an accumulator [safety injection tank] comes from the refueling water storage tank (RWST) which is also borated. No dilution can be caused by adding water from this source as long as the minimum concentration of boron in the RWST is greater than or equal to the minimum boron concentration in the accumulator."

Section 7.1 of NUREG-1366 goes on to state:

"Recommendation It should not be necessary to ver'ify boron concentration of accumulator inventory after a volume increase of 1% or more if the makeup water is from the RWST and the minimum concentration of boron in the RWST is greater than or equal to the minimum boron concentration in the accumulator, the recent RWST sample was within specification, and the RWST has not been diluted."

The bases commentary concerning SR 3.5.1.4 of NUIT-1432, Revision 0 supports this recommendation when it states the following:

.... Sampling the affected SIT within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months after a 1% volume increase will identify whether in-leakage has caused a reduction in boron concentration to below the required limit. It is not necessary to verify boron concentration if the added water is from the RWT, because the water contained in the RWT is within the SIT boron concentration requirements. This is consistent with the recommendations of NUTMEG-1366 ..."

8.0 PROPOSED MODIFICATIONS TO NUREG-1432 Attachment A includes proposed changes to NUREG-1432 Sections 3.5.1 and B 3.5.1 that correspond to the findings of this report.

27

9.0

SUMMARY

AND CONCLUSIONS 9.1 Functionally INOPERABLE SIT The PSA results from each of the CE PWRs showed that the increment in risk at power due to one inoperable SIT is small for all plants. The range of results for Single AOT Risk based on the full proposed AOT of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months varied from negligible to 4.09E-08. The major contributor to any differences in plant results for the SITs is the success criteria assumed in the PSA modeL In comparison, the increment in risk'associated with transitioning the plant from at power to shutdown mode with one SIT inoperable is on the order of 1.00E-06. These results indicate that there is a lower risk to the plant by remaining at power to perform corrective maintenance than to shut down the plant to repair the inoperable SIT. Therefore, it is concluded that extending the AOT for one inoperable SIT from 1 to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months would be risk beneficial.

Recent best estimate analyses for a typical PWR (Reference 5) confirmed that for large break LOCAs, core melt can be prevented by either the operation of one Low Pressure Safety Injection (LPSI) pump or the operation of one High Pressure Safety Injection (HPSI) pump and a single SIT. While the precise equipment set for any specific CE PWR may vary, the design basis requirement for 1 LPSI train, 1 HPSI train, and all SITs to avert a core melt condition is very conservative.

While it is not the intent of this document to widen the technical specification OPERABILITY for the SIT, it is important to note that for selected parameters, the assessment of SIT 'imits OPERABILITYis rather stringent: The SIT operational parameters are set by the design basis.

Operating experience has demonstrated that many of the causes of SIT inoperability can be diagnosed and corrected within several hours of discovery but longer than a period of one hour from identification.

The restrictive nature of the present AOT has led to a number of entries into the LCO action statements and plant shutdowns. This report proposes that the SIT Inoperable AOT be extended to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This time interval is believed to be sufficient to enable the plant personnel to properly diagnose the cause of the SIT malfunction and effect minor repairs. An evaluation of the deterministic and probabilistic effects of extending the AOT to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months indicates that the extension is either "risk benefiicial" or at least "risk neutral".

9.2 Functionally OPERABLE SIT The CEOG endorses a recommendation that, when plant-specific Technical Specifications are amended, the cumulative guidance of NUREG-1432 LCO 3.5.1 and NUREG-1432 SR 3.5.1.4 (Attachment A) should be implemented simultaneously.

, 28

10.0 REHHUPTCES

1. NUREG-1366, "Improvements to Technical Specifications Surveillance Requirements",

December 1992.

2. NUREG-1432, "Standard Technical Specifications Combustion Engineering Plants",

September 1992.

3. 10 CFR 50.65, Appendix A, "The Maintenance Rule".

4. NUREG-0212, "Revision 3, "Standard Technical Specifications for Combustion Engineering Pressurized Water Reactors", July 9, 1982.

5. LWW-02-094, Letter from L. Ward (INEL) to Dr. F. Eltawila (NRC),

Subject:

"Use of MAAP to Support UtilityIPE In Vessel and Ex-Vessel Accident Success Criteria",

June 1994.

6. NUREG-0800, USNRC Standard Review Plan, Rev.2, July 1981.

7. TID-14844, "Calculation of Distance Factors for Power Reactor Sites", USAEC, 1962.

8. NUREG-1465, "Accident Source Terms for Light Water Reactors" (Final Draft), August, 1994.

9. Letter from Susan C. Black (NRC) to William T. Cottle (Houston Light Ec Power),

"Issuance of Amendment Nos. 59 and 47 to Facility Operating License Nos. NPF-76 and NPF-80 and Related Requests - South Texas Project, Units 1 and 2 (TAC Nos. M76048 and M76049)", March 17, 1994.

10. NUREG/CR-6141, BNL-NUREG-52398, "Handbook of Methods for Risk-Based Analyses of Technical Specifications", P. K. Samanta, I. S. Kim, T. Maiikamo, and W.

E. Vesely, Published December 1994.

11. "Technical Evaluation of South Texas Project (STP) Analysis for Technical Specification Modifications, P. Samanta, G. Martinez-Guridi, and W. Vesely, Technical Report

¹L-2591, January 11, 1994.

29

t

ML17228B190

Contents

Text

3.0 BACKGROUND

10.0 REFERENCES

3.0 BACKGROUND

SUMMARY

Subject:

Navigation menu

ML17228B190

Text

3.0 BACKGROUND

10.0 REFERENCES

3.0 BACKGROUND

SUMMARY

Subject:

Navigation menu

Search