ML17300A600
| ML17300A600 | |
| Person / Time | |
|---|---|
| Site: | Palo Verde  |
| Issue date: | 10/09/1986 |
| From: | Harold Denton Office of Nuclear Reactor Regulation |
| To: | Van Brunt E ARIZONA PUBLIC SERVICE CO. (FORMERLY ARIZONA NUCLEAR |
| References | |
| NUDOCS 8610210328 | |
| Download: ML17300A600 (13) | |
Text
~
wCJ l
I Docket Nos.:
50-529 and 50-530 Mr. E.
E.
Van Brunt, Jr.
Executive Vice President Arizona Nuclear Power Project Post Office Box 52034 Phoenix, Arizona 85072-2034 I
Dear Mr. Van Brunt:
OCT s tgsg DIS IBUTION cet re NRC PDR LPDR NSIC PD7 Reading JLee MDavis EALicitra EJordan JPartlow BGrimes JSniezek TCox
DCrutchfield WRegan JClifford
Subject:
TESTING OF REMOTE SHUTDOWN CAPABILITY AT PALO VERDE, UNITS 2 AND 3 The purpose of this letter is to inform you that my staff has identified an issue relating to testing the remote shutdown capability at Palo Verde, Units 2 and 3.
They have become aware that you have not scheduled such a
test for Palo Verde, Units 2 and 3 as you have performed on Unit l.
The staff position regarding testing the remote shutdown capability at each unit of a nuclear plant is identified in Regulatory Guide 1.68.2, Revision 1, dated July 1978.
In the FSAR for Palo Verde, Units 1, 2 and 3, you took exception to this Regulatory Guide in that you stated such a test would not be performed at Units 2 and 3.
The fact that the staff did not address this exception to the Guide before issuing a license to Palo Verde, Unit 2, may be viewed as tacit approval of your position.
The staff maintains that integrated testing of the remote shutdown capability at each unit is required to confirm that capability.
In support of its position, the staff has provided the enclosed regulatory analysis in accordance with 10 CFR 50. 109 which justifies this plant specific backfit.
Therefore, you are to test the integrated remote shutdown capability at both Palo Verde, Units 2 and 3.
Within 30 days of receipt of this letter, please inform us of your intent with regard to this matter.
If you choose to appeal, it should be addressed to the Director, Office of Nuclear Reactor Regulation.
If you have, any questions regarding this letter, you should contact E. A. Licitra, the Licensing Project Manager for the Palo Verde project.
8610210328 861009 t
PDR ADOCK O5000529.
F PDRQ
Enclosure:
As stated Since ely, Ordinal
."i'rcpt by; Richard B, yolh Harold R. Denton, Director Office of Nuclear Reactor Regulation cc:
See next page
- Previous concurred on by:
PD7*
DIR:PD7*
EALicitra/yt GWKnighton 9/17/86 9/17/86 AD:DPLB*
DIR: DPLB*
DCrutchfield FMiraglia 9/23/86 9/26/86 NR NR RV er H
en on 1 /q/86 10/ P/86
II II t'
M
Mr. E.
E.
Van Brunt, Jr.
Arizona Nuclear Power Project Pal o Verde CC:
Arthur C. Gehr, Esq.
Snell 5 Wilmer 3100 Valley Center Phoenix, Arizona 85073 Mr. James M. Flenner, Chief Counsel Arizona Corporation Commission 1200 West Washington Phoenix, Arizona 85007 Charles R. Kocher, Esq. Assistant Council James'.
- Boeletto, Esq.
Southern California Edison Company P. 0.
Box 800
- Rosemead, California 91770 Mr. Mark Ginsberg Energy Director Office of Economic Planning and Development 1700 West Washington - 5th Floor Phoenix, Arizona 85007 Mr. Wayne Shirley Assistant Attorney General Bataan Memorial Building Santa Fe, New Mexico 87503 Mr. Roy Zimmerman U.S. Nuclear Regulatory Commission P. 0.
Box 239 Arlington, Arizona 85322 Ms. Patricia Lee Kourihan 6413 S. 26th Street Phoenix, Arizona 85040 Kenneth Berlin, Esq.
Winston E Strawn Suite 500 2550 M Street, NW Washington, DC 20037 Ms. Lynne Bernabei Government Accountability Project of the Institute for Policy Studies 1901 gue Street, NW Washington, DC 20009 Ms. Jill Morrison 522 E. Colgate Tempi, Arizona 85238 Mr. =Charles B. Brinkman, Manager Washington Nuclear Operations Combustion Engineering, Inc.
7910 Woodmont Avenue Suite 1310
- Bethesda, Maryland 20814 Mr. Ron Rayner P. 0.
Box 1509
- Goodyear, AZ 85338 Regional Administrator, Region V
U. S. Nuclear Regulatory Comnission 1450 Maria Lane Suite 210 Walnut Creek, California 94596
REGULATORY ANALYSIS FOR BACKFITTING POWER ASCENSION TESTING OF THE REMOTE SHUTDOWN CAPABILITY AT PALO VERDE, UNITS 2 AND 3 BACKGROUND GDC 19 and Appendix R require that equipment at appropriate locations outside the control room be provided to achieve a safe shutdown of the reactor.
Criterion XI of 10 CFR 50, Appendix B requires satisfactory performance of
- systems, components, and structures be demonstrated through an acceptable test program.
Regulatory Guides 1.68 and 1.68.2 provide staff guidance for performing that test program with 1.68.2 specifically addressing the remote shutdown capability.
In the FSAR for Palo Verde (all units) Arizona Public Service (APS) committed to Regulatory Guide 1.68.2 for demonstrating their remote shutdown capability for Unit 1 but took exception to testing the follow-on units, Units 2 and 3.
The exception is based upon the successful completion of power ascension testing of the remote shutdown capability of Unit 1, all three units at the Palo Verde site being identical, and the testing of individual components and systems associated with the remote shutdown panel on the follow-on units.
The staff in its licensing review of the Initial Test Program did not address this exception to Standard Review Plan 14.2.
This may be interperted as tacit approval of the exception taken by APS, even though the exception is contrary to an established staff position.
The staff maintains that power ascension testing of the remote shutdown capability is required to confirm that capability for each unit (per Regulatory Guide 1.68.2, Revision 1).
The verification of components and systems associated with the remote shutdown capability is only a prerequisite for that test and not a substitute.
The licensee should be required to either perform the test for each unit or show how the satisfactory operation of the remote shutdown panel will be confirmed following construction and installation.
ANALYSIS
~0b 'ective:
The objective of this backfit is to confirm during power ascension that each unit at Palo Verde can be safely shutdown to a hot standby condition from outside the control room.
This objective can be met by initiating a shutdown from the remote shutdown panel of each unit with the reactor at a moderate power level
(10-25K).
An increase in the overall protection of the public would be achieved by confirming that the construction and installation of the remote shutdown facility for the follow-on units meets the design objectives of the licensee and that in the remote event of a loss of control room capability the licensee can safely shutdown the plant.
Licensee Activit :
The licensee would be required to initiate a test of the remote shutdown capability from 10-25K power with the plant systems in a normal configuration, including operation of the turbine generator.
The minimum operating crew required should perform the test.
Data should be obtained to verify that the plant has achieved hot standby,and can be maintained stable in that mode for at least 30 minutes.
Potential Safet Im act:
The power ascension testing of the remote shutdown capability is a
one-time test and would not require changes in plant or operational complexity.
In addition, testing of the remote shutdown capability on Palo Verde, Unit I was performed without safety impact, and the staff would expect testing on Units 2 and 3 to have the same result.
Therefore, in the staff's judgment, there is no significant safety impact due to changes in plant or operational complexity.
I
~
Interim or Final Backfit:
This backfit is considered final by staff and will not result in additional requirements on the licensee.
Onsite Radiolo ical Ex osure Power ascension testing of the remote shutdown capability should be performed outside of high radiation areas.
Therefore, the staff expects no impact on the radiological exposure of Palo Verde employees.
Cost Benefit Anal sis Due to a number of considerations, it is quite difficult to arrive at meaningful cost/benefit estimates of this action.
These considerations include the lack of a plant specific probabilistic risk assessment (PRA),
and insufficient information on the impact of restricted testing on the remote shutdown panel reliability.
However, sufficient information is available to develop reasonable risk insights into the potential impact of inadequate shutdown panel testing.
Since no Palo Verde PRA was available, we utilized the Millstone 3 PRA conducted for Northeast Utilities and reviewed by Lawrence Livermore National Laboratory.
This study was useful since it modeled in some detail the function of the remote shutdown panel in responding to situations where control room function would be lost.
While the Millstone 3 Nuclear Steam Supply System (NSSS) is of Westinghouse design rather than Palo Verde's Combustion Engineering (CE)
NSSS, this does not pose serious problems for our study.
Accident scenarios requiring use of the remote shutdown panel are those involving fire damage to the control room, cabling or instrument areas.
Reactor fluid system design and response has little impact on accidents involvinq such fires.
Of more relevance would be the plant's containment response to a core damage event following a fire which knocks out plant control ability.
Both Millstone and Palo Verde utilize large dry containments which would be expected to perform roughly the same for a core damage event of this kind.
Since an equivalent fire risk assessment is not available for Palo Verde, we also utilized the Millstone probabi listic assessment fire analysis for developing our insights.
This study indicated that fire sequences were the only accidents requiring remote shutdown panel function.
These were identified in the Millstone PRA as TE sequences, and involved fire in the control room, instrument rack room, and cable spreading room.
After review of both the utility PRA and Livermore study, the staff concluded that the frequency of these TE sequences would be 3x10 per reactor year.
No mechanical failure modes of the remote shutdown panel were factored into this sequence quantification.
- Rather, only human failures to actuate the panel were considered.
The staff estimated the frequency of human failures of this nature to be 2xl0 per demand.
Assuming that the frequency of a fire-initiated core melt sequence for Palo Verde is approximately equivalent to that calculated for Millstone 3, our cost/benefit assessment requires a determination of likely remote shutdown panel failure due to causes other than human error.
As discussed in other sections of this regulatory analysis, Palo Verde does not plan to conduct full functional tests of these shutdown panels due to similarity to the Unit 1 panel, which was tested.
Engineering judgment would indicate that the lack of complete functional tests would result in some increased system unreliability, perhaps on the order of 1 to 5
percent.
This could be due to installation, calibration, or other system integration errors which could not be discovered without a full function test.
To supplement our engineering judgment estimates in this area, the staff also performed a very brief inspection of the test history in industry for remote shutdown panels.
Since required by Regulatory Guide 1.68.2, approximately 33 units have performed shutdown tests from outside the control room.
At least one of these tests, the June 27, 1986 test at Catawba 2, identified serious failures of shutdown panel capability.
Due to problems with the remote panel installation, control of the reactor was actually lost and rapid depressurization of the reactor ensued.
The plant was recovered when control was returned to the control room.
Based on the above failure, we would calculate a point estimate of approximately 3 percent for panel failure, from nonhuman sources.
Requantification of the TE fire sequences including this failure mode
-6 would yield an incremental core melt frequency of approximately 5x10 per reactor year.
Based upon our assumptions presented here, this value represents the core melt reduction worth of remote shutdown panel tests.
Both our engineering judgment and limited data review have indicated that mechanical panel failure rates without testing are at least equal to the assumed panel failure rates due to human error.
To arrive at our cost/benefit conclusions, the accident consequences must be considered.
The Millstone 3 PRA found the TE fire sequences resulted in core melt followed by late overpressure containment'failure.
Similar behavior would be expected by the Palo Verde large dry containment.
This fai lure mode was identified as Yi7 in the Nillstone PRA.
The conditional mean consequences at the Nillstone site for such a release were estimated to be 2xlO man-rem.
The core inventory is similar for the two 7
- reactors, but the population density and distribution are quite different.
Utilizing calculations from "Estimates'f the Financial Consequences of Nuclear Power Reactor Accidents,"
NUREG/CR-2723, we estimate that differences in site characteristics would result in approximately a factor of six reduction in population dose.
This would mean that a similar late overpressure N7 release at Palo Verde would result in conditional consequences of approximately 4.5xlO man-rem.
6
-6 Utilizing our incremental core melt frequency of 5x10 per reactor year, we find an expected risk increase of approximately 20 man-rem year, or 800 man-rem per unit over the 40 year lifetime of the plant.
h~ithout testing at either Unit 2 or 3, our risk increment is then 1600 man-rem ov'er the plant operating lifetime.
Costs to the licensee for performing remote shutdown panel tests should be negligible in that the licensee could perform this test during a power ascension stage of their power ascension test program currently underway, or at their next extended shutdown or refueling outage.
The cost of implementation should include test planning, performance, data collection and post-test analysis.
We estimate that at most two man-weeks of engineering support would be required along with 30 man-hours of operational support to perform the test.
Upper estimates of the test costs would, therefore, be under
$20,000 per unit.
Utilizing our previously calculated risk reduction worth from the tests of 800 man-rem per unit, we find a cost of $ 25 per man-rem.
This is well under the NRC guideline of $ 1000 per man-rem, and demonstrates that this backfit meets very favorable cost/benefit tests.
These results are based strictly on averted public dose considerations (with no discounting),
and do not take into consideration the considerable benefit to the utility for averted onsite costs due to a serious core melt accident.
The extremely favorable cost/benefit result on offsite public risk considerations
- alone, does not justify detailed onsite risk reduction calculations.
In summary, our study has shown a potential increased public risk, due to lack of remote shutdown panel testing, of approximately 800 man-rem per unit over the life of the plant.
Assuming that effective testing would eliminate the postulated failure mode (as did occur at Catawba) this public risk can be reduced at a cost of $ 25 per man-rem, and would appear to be a very beneficial action.
These conclusions were based upon the above stated assumptions that the fire sequence analysis for Palo Yerde, Units 2 and 3, would be somewhat similar to that assembled for Hillstone 3.
This is not an unreasonable assumption, in light of other recent PRAs which show external events such as fire to be an important element in plant risk studies.
NRC Resource Burden Costs to the NRC are estimated to be approximately one staff day for each unit.
This cost would include one Resident Inspector to witness the test
and examine the data.
The data should demonstrate achieving and maintaining hot standby.
ualitative Factors:
An evaluation of the Palo Verde operating experience covering the period following issuance of the full power license for Unit 1, and the period following issuance of the low power license for Unit 2 identified ten events significant enough to require further NRR follow-up and evaluation.
These events generally involved unplanned trips with additional equipment failures and unexpected complications.
Comparisons with other recently licensed CE plants have indicated that significant events at Unit 1 have been somewhat higher than at other CE plants.
One significant event at Unit 2 involved inadequate wiring connections on the loss of offsite power ESFAS modules which could have caused the ESFAS to mal function.
In addition, events involving the remote shutdown panels at Palo Verde, Unit 2 in July 1985, and Catawba Unit 2 in June
- 1986, add additional concern with the exception taken by APS.
At Palo Verde, Unit 2 during hot functional testing, an unknown person manipulated the remote shutdown
- panel, and initiated a plant shutdown.
Operators noticed a drop in RCS pressure and stopped the shutdown from the Hain Control Room while other operators took control of the remote shutdown panel.
On June 27,
- 1986, Catawba (Westinghouse Reactor) experienced a rapid cooldown event during a test of their remote shutdown capability.
This is thought to be as a
result of inadequate procedures,
- training, and mislabeled remote shutdown panel controls.
The Palo Verde event could have involved alterations or adjustments to the remote shutdown panel at Unit 2, and the problems with the Catawba remote shutdown panel could have gone unnoticed without testing.
The combination of these events with the operating experience at the Palo Verde units raises doubt as to the adequacy of verification of the remote shutdown capability for the Palo Verde follow-on units absent functional testing as discussed above.
Interoffice Coordina'tion:
fi Appropriate interoffice coordination has been performed.
Implementation for Unit 2 will be based upon approval of the backfit and a schedule proposed by the licensee for performing the test durina their current power ascension test program, a future extended shutdown, or next refueling outage.
Implementation for Unit 3 will be during their normal power ascension testing period.
Basis for Im lementation:
Licensee will determine the schedule for the test based upon the time required for developing appropriate procedures and integration with other planned activities.
Staff Action Schedules:
Notify licensee upon approval of backfit.
Region V audit should be
\\
performed during the test with a review of the verification data.
Backfit Im ortance:
The importance of this backfit in light of other safety related activities should be factored in the schedules for performing the test by the licensee.
a 4
t