Text

Joint Applications Rept for Safety Injection Tank Aot/Sti Extension
	ML20083Q926
Person / Time
Site:	Arkansas Nuclear
Issue date:	05/30/1995
From:	; ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY, ASEA BROWN BOVERI, INC.
To:	;
Shared Package
ML20083Q903	List: 2CAN059503, TS Change Request to Amend License NPF-6 Re Allowable Outage Time Extension for Safety Injection Tanks; ML20083Q911; ML20083Q926;
References
	CE-NPSD-994, NUDOCS 9505260250
	Download: ML20083Q926 (36)
	v • d • e

L

, )

i Q r-M i COMBUSTION ENGINEERING OWNERS GROUP l

CE NPSD-994 l

Joint Applications Report l l

for i l

l Safety injection Tank l

AOT/STI Extension Final Report CEOG TASK 836 prepared for the C-E OWNERS GROUP l

May 1995 l l

r

. \

d .

LEGAL NOTICE ,

This report was prepared as an account of work sponsored by the Combustion Engineering Owners Group and ABB Combustion Engineering.

Neither Combustion Engineering, Inc. nor any person acting on its behalf:

A. makes any warranty or representation, express or implied including the warranties of fitness for a particular purpose or merchantability, with respect to the accuracy, completeness, or usefulness of the information contained in this report, or that the use of any information, apparatus, method, or process disclosed in this report may not infringe privately owned rights; or B. assumes any liabilities with respect to the use of, or for damages resulting from the use of, any information, apparatus, method or process disclosed in this report.

Combustion Engineering, Inc. i l t

l

i TABLE OF CONTENTS ,

)

Section Page ,

LIST OF TABLFS ii 1.0 PURPOSE 1 2.0 SCOPE OF PROPOSED CHANGES TECHNICAL SPECIFICATIONS 2 ,

3.0 BACKGROUND

3 4.0

SUMMARY

OF APPLICABLE TECHNICAL SPECIFICATIONS 4 4.1 Standard Technical Specifications 4 4.2 " Customized" Technical Specifications 5 5.0 SYSTEM DESCRIFITON AND OPERATING EXPERIENCE 6 5.1 System Description 6 5.2 Operating Experience 7 6.0 TECHNICAL JUSTIFICATION FOR AOT EXTENSION 9 6.1 Statement of Need 9 6.2 Assessment of Deterministic Factors 10 6.2.1 Thermal-Hydraulic Considerations 10 6.2.2 Radiological Release Considerations 11 6.3 Assessment of Risk 13 6.3.1 Overview 13 6.3.2 Assessment of "At Power" Risk 14 6.3.3 Assessment of Transition Risk 20 6.3.4 Assessment of Shutdown Risk 23 6.3.5 Assessment of Large Early Release 23 6.3.6 Summary of Risk Assessment 24 6.4 Compensatory Measures 24 i

TABLE OF CONTENTS (cont'd)

Section Page 6.5 Technical Justification for AOT Extension for Plant Operation with a Functionally Operable SIT 25 6.5.1 SIT Tagged INOPERABLE due to Ievel and Pressure Instrumentation Malfunction 25 6.5.2 SIT Boron Concentration Out of Range 25 7.0 JUSTIFICATION FOR SURVEILIANCE TEST INTERVAL (STI)

MODIFICATION 26 8.0 PROPOSED MODIFICATIONS TO NUREG-1432 27 9.0

SUMMARY

AND CONCLUSIONS 28 9.1 Functionally INOPERABLE SIT 28 9.2 Functionally OPERABLE SIT 28 10.0 REFFl?ENCES 29 ATTACHMENT A A-1

" Mark-up" of NUREG-1432 SECTIONS 3.5.1 & B 3.5.1 LIST OF TABLES Table Page 5.2-1 REQUIRED ENTRY INTO LCO ACTION STATEMENTS DUE TO SIT MALFUNCTIONS FOR CE PWRs 8 6.3.2-1 CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR SITS - CM 18 1

6.3.2-2 CEOG PROPOSED AVERAGE CDFs 19 I l

6.3.3-1 TRANSITION RISK CONTRIBUTIONS FOR SIT CM 22 ii

Safety Indection Tank (SIT) AOT/STI Extension .

1.0 PURPOSE .

This report provides the results of an evaluation of specific relaxations in the existing Safety Injection Tank (SIT) boron surveillance requirements and the Allowed Outage Time (A(yr).

These requirements and AOT are contained within the standard and " customized" technical specifications for any licensed CE NSSS. A two tiered extension of the existing SIT AOT (typically 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months ) to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for a non-functional SIT, and 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for a " tagged" inoperable SIT that can otherwise complete its safety function is requested in order to provide the plant with sufficient time to diagnose and potentially repair minor SIT system malfunctions at power. The ability to perform this corrective maintenance at power can enhance plant safety by averting an unplanned plant shutdown. .

Also, technical specification relaxation with regard to boron monitoring is sought in order to allow better utilization of plant resources by reducing the number of unnecessary survaihaw actions. This relaxation has been previously recommended by the NRC in NUREG-1366 (Reference 1).

Justification of these requests are based on a review and assessment of plant operations, deterministic and design basis considerations, and plant risk, as well as previous generic studies and conclusions drawn by NRC staff and contained within NUREG-1366 (Reference 1) and NUREG-1432, Revision 0 (Reference 2). He evaluation discussed in this report concludes that the requested Technical Specification modifications are either risk neutral or enhance overall plant safety.

This request for AOT extension is consistent with the objectives and the intent of the Maintenance Rule (Reference 3). The Maintenance Rule will be the vehicle which controls the actual maintenance cycle by defining unavailability performance criteria and nue==ing maintenance risk. De ACYr extension will allow efficient scheduling of maintenance within the boundaries established by implementing the Maintenance Rule. The CE plants are in the process of implementing the Maintenance Rule, and are presently setting targets for unavailability of systems and trains. Therefore, this effort is seen as timely, supportive and integral to the i

Maintenance Rule program.

i i

1

-m-.-- - - . , . . - - - -

O 2.0 SCOPE OF PROPOSED CHANGES 'ID TECHNICAL SPECIFICATION The proposed technical specification changes address revising the existing requirements for the operation of the Safety Injection Tanks (SITS). Specifically, the proposed changes to the technical spedfication requirements are:

(I) In general, extend AOT for a single INOPERABLE SIT from 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

For operating modes where at least three of the SITS are required to be OPERABLE, extend the AOT following a diagnosis of a single inoperable' SIT from I hour to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

(2) When a single SIT is INOPERABLE and that INOPERABILITY is due to either malfunctioning SIT water level instrument indication or malfunctioning SIT nitrogen overpressure pressure Indication, or inadequate boron concentration, extend the AOT following the diagnosis of the single INOPERABLE SIT from I hour to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

This technical specification change with regard to SIT instrumentation failures l was recommended in Section 7.4 of NUREG-1366, Accumulator Water I2 vel and )

Pressure Channel Surveillance Reauirements (PWR). The relaxation in the boron l concentration ACrr has already been adopted in the Improved Standard Technical Specifications. This change would add a new conditional Limiting Condition of Operation requirement that would address the case where a single SIT is inoperable AND the affected SIT's inoperability is caused by malfunctioning water level instrumentation, malfunctioning pressure instrumentation, or boron concentration. (The affected SIT is otherwise capable of performing its intended j function.) The completion time for restoring the operability of the affected SIT will be 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

(3) Modify boron concentration technical specification surveillance test interval (STI)

Eliminate technical specifications surveillance requirements that require verification of boron concentration of safety injection tank inventory after a volume increase of 1% or more if the makeup water is from the refueling water storage tank (RWST) and the RWST boron concentration is equal to, or greater than the minimum boron concentration of the SIT. This change in surveillance i test requirements has already been adopted in the Improved Standard Technical Specifications (ISTS).

.1 2 q l

l l

3.0 BACKGROUND

In response to the NRC's initiative to improve plant safety while granting relief to utilities from i those requirements that are marginal to safety, the CEOG has undertaken a program of obtaining ;

relief from overly restrictive technical specifications. As part of this program, several technical l specification AOTs and STIs were identified forjoint action.

This document addresses the SIT portion of this Task, and provides support for modifying the SIT A(yr and implementing the NUREG-1366 "line item improvement" with regard to boron concentration monitoring. This report provides generic information supporting these changes as well as the w=ary plant specific information to demonstrate the impact of these changes for each of the CE plants. The support / analytical material contained within the document is considered applicable to all CEOG member utilities regardless of the category / type of their Plant Technical Specifications.

l 3

1

4.0

SUMMARY

OF APPLICABLE TECHNICAL SPECIFICATIONS

, There are three distinct categories of Technical Specifications at CE NSSS plants.

i ne first category is called the Standard Technical Specifications. Through February 1995, NUREG 0212, Revision 03 commonly referred to as " Standard Technical Specifications" has provided a model for the general structure and content of the approved technical specifications at all other domestic CE NSSS plants.

The second category corra=paads to the Improved Standard Technical Specifications (ISTS) guidance that is provided in NUREG-1432, Revision 0, dated September 1992. A licensing amendment submittal to change the Technical Specifications for San Onofre Nuclear Generation Station Units 2 & 3 to implement this guidance was submitted to the NRC in December 1993.

Additionally, licensing amendment submittals are being developed that will modify the technical specifications for Palisades Station to implement the ISTS guidance.

The third category includes those technical specifications (TSs) that have structures other than those that are outlined in either NUREG-0212 (Reference 4) or NUREG-1432 (Reference 2).

Rese TSs are generally referred to as " customized" technical specifications. The CE NSSS plants that currently have " customized" technical specifications are: Palisades Station, Maine

- Yankee Station, and Ft. Calhoun Station.

Each of these three categories of Technical Specifications includes similar operating requirements for the Safety Injection Tanks (SITS).

4.1 Standard Technical Specifications Currently NUREG-0212, Revision 03 specifies the following required actions when a single SIT is " INOPERABLE":

APPLICABILrrY: MODES 1,2 and 3*

ACTION: l

a. With one safety injection tank inoperable, except as a result of a closed isolation valve, restore the inoperable tank to OPERABLE status within one hour or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and 1 in HOT SHUTDOWN within the following 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . ;

l

b. With one safety injection tank inoperable due to the isolation valve being l closed, either immediately open the isolation valve or be in at least HOT STANDBY within one hour and be in HOT SHUTDOWN within the next

, 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

4

The gala = of NUREG 1432 Section 3.5.1 relaxes these requirements from NUREG-0212 in the following ways:

1. The allowed outage time for a single inoperable SIT due to that SIT's boron concentration being outside the specified band is extended from I hour to 72 km.

2. The allowed outage time for a single inoperable SIT due to factors other than boron concentration (including indication that the SIT's isolation valve is not fully open) is extended from "immediate" restoration to I hour.

l Among the factors that can result in a single SIT not being technically " OPERABLE" are the

, following factors:

l a) Malfunctions of pressure transmitters, pressure sensing lines, and pressure monitoring circuitry, b) Malfunctions of level transmitters, level sensing lines, and level monitoring Circuitry.

In Section 7.4 of NUREG-1366, the NRC staff states that an SIT (an " accumulator") would be "available to fulfill its safety function" at times when the SIT (" accumulator") is " technically inoperable" due to the "inoperability of water level and pressure channels".

4.2 Customized Technical Specifications Similar requirements to those identified in Section 4.1 exist for plants with customized technical specifications. However, the format of the technical specification may be different as may be the detailed requirement. The most noteworthy difference in this area is that for Maine Yankee.

SIT Allowed Outage Times at this plant allow a single SIT to be technically inoperable for up to 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months and isolated for up to one hour.

5

- i 3

5.0 SYSTEM DESCRIPTION AND OPERATING EXPERIENCE 5.1 Systema Description

'Ihe function of the SafetyInjection Tank (SIT) system is to reflood the reactor core with borated water following a large break LOCA. The relatively quick response of the system and its passive nature serve to reliably minimize core damage until the SI pumps can provide adequate water for reactor cooling.

l Each SIT train has one safety injection tank cana+1 to an RCS cold leg. The tank is filled with borated water and pressurized by nitrogen cover gas. SIT injection occurs anytime RCS pressure drops below cover gas pressure. The discharge piping of each tank includes a check valve followed by an isolation MOV which remains open during normal operation. Beyond these valves, an RCS pressure boundary check valve exists along the injection pathway for each l

tank.

1 Defnition of OPERABLE SIT In general, Technical Specification Limiting Conditions For Operation (LCOs) require that all l SITS be OPERABLE whenever the plant is in power operation (Mode 1), transitioning to power operation (Mode 2) or in Mode 3 with RCS pressure greater than or equal to a designated value.

This LCO is based on the assumption that when the plant is in any of these modes of operation, the SITS must have the same functionability that would be required for a LOCA at full rated thermal power. In order to avoid entry into the LCO action statement, all SITS must be OPERABLE.

When the plant is in any of these listed modes of operation, an SIT is considered OPERABLE

, when the following conditions exist:

I

1) the associated isolation valve is fully open,

2) electric power has been interrupted to the motor for the associated isolation valve,

3) water inventory in the tank is within the assumed band

4) the boric acid concentration of the water inventory of the tank is within the assumed band,

5) the nitrogen cover pressure within the tank is within the assumed band.

In the past, a justification for the short allowed outage time for a single SIT has been that the perceived severity of the consequences of not having all SITS available to provide passive injection during a design basis LOCA warranted the severity of this requirement. However, this short SIT AOT duration was based solely on engineering judgment and not on any quantitative nueument of risk.

6

While it is not the intent of this document to widen the technical specification OPERABIUTY limits for the SIT; it is important to note that for selected parameters, the n<wetment of SIT OPERABIIIIT is rather stringent. He SIT operational parameters are set by the design basis licensing Large Break LOCA analysis. Since the SIT is a passive device and provides a limited function, operability has been restricted to mean that the equipment initial conditions are within a band supported by Appendix K design basis analyses. In reality, the equipment can deviate considerably from both inventory and pressure requirements without compromising the ability of the plant to adequately respond to a LOCA. Inventory requirements are overstated.

Appendix K analytical models are derived so as to over-estimate amount of liquid lost out the break and to underestimate the residual inventory in the RV lower plenum. Consequently, inventory discharge requirements are conservatively set at a high level. The nitrogen cover pressure essentially establishes the timing of the inventory injection. This would modestly influence the transient and perhaps result in a marginal fuel hot spot temperature increase.

5.2 Operating Experience Operating experience has demonstrated that many of the causes of SIT inoperability can be diagnosed and corrected within several hours of discovery but longer than a period of one hour from identification. In several instances, diagnosis of out-of-specification conditions have lead to plant shutdowns. A list of events that involved an SIT and reqmred entry into ==viad LCO action statements is provided in Table 5.3-1 for CE PWRs.

The review of this operating experience as well as a general review of existing PRA studies led to questioning the premise that a transition to a lower mode within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of the discovery of a factor makmg one SIT inoperable would provide greater reactor safety than repairing this factor with the plant at power.

In fact, a letter from the NRC to Houston Light & Power (Reference 9) provides an approved case where the allowed outage time for a single safety injection tank [ accumulator] was extended from I hour to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . A significant justification for this extension was that the resulting change in the calculated values of expected and maximum core damage frequency were negligible.

Previous determinations of the allowed outage time for a single Safety Injection Tank at CE NSSS plants have been based on engineering judgement using a sound knowledge of the role of each of the SITS in the plant design basis. Any new determination of this allowed outage time using probabilistic risk analysis must also include this consideration.

7 l

d Table 5.2-1 REQUIRED ENTRY INTO LCO ACITON STATEMENTS DUE TO SIT MALFUNCITONS FOR CE PWRs PWR Date of Event Description of Event San Onofre 2 8/29/84 Nitrogen Cover Pressure ex**d the limits of LCO 3.5.1, two SITS were declared inoperable and LCO 3.0.3 was invoked.

San Onofre 2 1/28/86 Pressure Limit Exceeded, LCO 3.0.3 entemi.

San Onofre 3 7/25/87 LCO 3.5.1 entered due to SIT level instrumentation.

Palo Verde 2 7/17/86 Unit in Mode 4 (hot standby) when Tech Spec LCO 3.0.3 entered due to four (4) SITS declared INOPERABLE because high level limit was exceeded based on wide range level indication.

Millstone 2 6/29/81 During routine power operation, inconsistency found between SIT Volume required by TS ,

LCO 3.5.1.B and the indication available to I determine SIT Operability.

San Onofre 2 12/23/83 SITS 007 and 010 exceeded their nitrogen pressure limit while SIT 008 was being filled.

Entered LCO 3.0.3.

San Onofre 3 1/25/83 During routine nitrogen pressurization of SIT 008, relief valve lifted (failed to rescat following overpressunzation). Tank pressure dropped below allowable limits of LCO 3.5.1 and action statement A was invoked.

San Oncfre 3 2/5/83 SIT tank volume and pressure outside allowable limits of LCO 3.5.1 and action statement A was invoked, a -

8

,. l 6.0 TECHNICAL JUSTIFICATION FOR AOT EXTENSION This section provides an integrated assessment of the proposed extension of the SIT AOT from its currently defined value of I hour to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This proposed AOT would be applicable in the event an SIT is determined to be INOPERABLE and the cause of the inoperability has agi been diagnosed as being caused solely by malfunctioning level or pressure measurement instruinentation (See item 1 of Section 2). A discussion of the ACyr extension for circumstances i where the SIT is tagged INOPERABLE (based on Technical Specifications Criteria) but is otherwise functional is presented in Section 6.5.

4 6.1 Statement of Need As was briefly mentioned in Section 5.2, the repair of certain factors that result in the "inoperability" of a single safety injection tank can be completed within a relatively short period of no more than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

Operating experience has demonstrated that the repair of such factors takes longer than the existing I hour allowed outage time that is typical of existing Technical Specifications for CE NSSS plants that have not implemented the guidance of NUREG-1432.

The sections that follow sho*.y that the continued implementation of the existing "I hour" AOT may result in unnecessary plant shutdowns. Since the increased risk of operating with a single SIT out of service is negligible (as described in the following sections), the associated plant maneuver to a shutdown condition will likely increase plant risk above that which would otherwise exist if the repair of the cause of the "inoperability" was completed at power. A twenty-four hour AOT was considered sufficient for the diagnosis of a potential SIT INOPERABLE condition and minor component repair.

Additionally, Section 7.4 of NUREG-1366 identifies cases where entries into containment have been made at power to recalibrate a single SIT water level or pressure trensmitter while a redundant, independent instrument remained operable. In these cases, the containment entry was made in anticipation of a situation where both instruments were simultaneously inoperable, resulting in an allowed' outage time that was insufficient for remaining at power while performing repairs and recalibrations. With a longer duration AOT for both redundant instrument channels, there would be less need for containment entries at power solely for the ;

recalibration of a single water level or pressure channel transmitter. i 1

b 9

6.2 Am=====* of Deterministic Factors 6.2.1 Mrmal-Hydmulic Considentions The f=+ians of the Safety Injection Tanks (SITS) are to supply water to the reactor vessel durin5 the blowdown phase of a loss of coolant accident (LOCA), and to provide inventory to help accomplish the refill phase that follows thereafter.

The blowdown phase of a large break LOCA is the initial period of the transient during which the RCS departs from equilibrium conditions, and heat from fission product decay, hot internals, and the vessel continues to be transferred to the reactor coolant. The blowdown phase of the transient ends when the RCS pressure falls to a value approaching that of the containment atmosphere.

The refill phase of a LOCA follows immeriintely after the blowdown phase. He core at the end of the blowdown phase is essentially in adiabatic heatup. In the refill phase, the balance of the inventory in the SITS is available to help fill the lower plenum and the reactor vessel downcomer to re-establish a coolant level at the bottom of the core and then to support reflood of the core with the addition of safety injection water.

Each SIT is a pressure vessel partially filled with borated water and pressurized with nitrogen gas. Each SIT is a passive component, since it is intended to perform its design function without operator or control action. Each SIT will start to discharge its contents to the RCS, if RCS pressure decreases below the SIT pressure.

Each SIT is piped into one reactor coolant system (RCS) cold leg via the injection lines utilized by the Safety Injection (HPSI and LPSI) system. Each SIT is isolated from the RCS by a motor operated isolation valve and two check valves in series. De associated motor operated isolation valve for each SIT is normally open, with power removed from the valve motor to prevent inadvertent closure prior to or during an accident.

Additionally, each of these isolation valves is interlocked with the pressurizer pressure ,

instrumentation channels to ensure that the valves will automatically open as RCS pressure !

increases above SIT pressure and to prevent inadvertent closure prior to an accident. Each of these valves also receives a safety injection actuation signal (SIAS) to open. These features ensure that these valves meet the requirements of the Institute of Electrical and Electronic Engineers (IEEE) Standard 279-1971 for " operating bypasses" and that the SITS will be available for injection without reliance on operator action.

The nitrogen gas and water volumes, nitrogen gas pressures, and outlet pipe sizes for each SIT i are selected to allow the SITS together with the HPSI and LPSI systems to recover water inventory in the core before significant clad melting or zirconium water reaction can occur j following a LOCA. j 1

10

. ~ _ _ _ _ _ . _ __ . . _ _

d The SIT capacity is established such that the SITS provide adequate inventory to the downcomer and facilitate the core recovery and refill process. In particular, passive injection by all but one of the SITS is credited in design base analysis for large break LOCAs that are initiated at full rated thermal power conditions. The other SIT is assumed to be ineffective due to the break location. De performance of SITS is calculated in accordance with Appendix K to 10CFR50 and, together with the HPSI and LPSI systems, ensures that the following Emergency Core Cooling System (ECCS) au:eptance criteria of 10 CFR 50.46 are satisfied:

a. Maximum fuel element cladding temperature is 12200 Degrees Fahrenheit;

b. Maximum cladding oxidation is 10.17 times the total cladding thickness before oxidation;

c. Maximum hydrogen generation from a zirconium water reaction is < 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react; and

d. The core is maintained in a coolable geometry.

The above criteria were established in order to define a deterministic acceptance criteria that may be used by regulators in judging the acceptability of a given Emergency Core Cooling System.

The methodology is defined in Appendix K to 10 CFR 50. This methodology conservatively j represents LOCA thermohydraulic and hydrodynamic phenomenology to calculate fuel peak clad 1 temperature. As a result, this methodology overstates the realistic minimum equipment l requirements for adequate response to an event. Recent best estimate analyses for a typical l PWR (Reference 5) confirmed that for large break LOCAs, core melt can be prevented by either the operation of one Low Pressure Safety Injection (LPSI) pump or the operation of one High Pressure Safety Injection (HPSI) pump and a single SIT. While the precise equipment set for any specific CE PWR may vary, the design basis requirement for 1 LPSI train,1 HPSI train, and all SITS to avert a core melt condition is very conservative.

6.2.2 Radiological Release Considemtions The design basis calculation of radiological consequences of the large LOCA are based on a combination of very conservative assumptions. The design basis for radiological releases following a LOCA is set forth in 10 CFR 100, " Reactor Site Criteria", and detailed in SRP 15.6.5 (Reference 6). In practice, the 10 CFR 100 radiation release criteria are achieved via reliance on the 1962 " source term" outlined in the Atomic Energy Commission Technical Information Document, TID-14844, " Calculation of Distance Fr# ors for Power and Test Reactors" (Reference 7). This " Source Term" was not consisto.n > ith the low level of core damage expected with a Large LOCA. Instead, the Source Tua was very conservatively defined based on a substantial meltdown of the core, and fission product release to the containment.

I1 E

A _ a a , ,

s__.n.---w-u - 1 u . .a .- ,-n a - .3.-- u Over the past 30 years, substantial information has been developed updating our knowledge )

about fission product release and transport during PWR severe =cAdants. His information is !

reflected in the new NRC source term defined in NUREG-1465 (Reference 8). Assirnilatinn of this information suggests that even when the dichotomy of a core melt driven source term is retained, the estimate of the Large LOCA fission product releases based on Reference 7 l considerably overpredicts the severity of the fission product release to the public.

His conclusion is based on the following:

1) Current licensing methods assume fission products are released to the containment hnmadiateJy upon the onset of the LOCA. In fact, only gases residing within the fuel gap (approximately 5 % of the total volatile fission product inventory) will be rele==i at the point of clad rupture (early in the transient). The remniadar of the ,

fission products will enter the containment over the period of one half hour or more.

2) Current licensing methods assume the composition of the iodine entering the containment is predominantly elemental (as was then believed to be the physical -

situation). Sprays are less effective in removing elemental iodine than iodine in the particulate form. It is our current understanding that the iodine is predominantly (greater than 95%) released into the containment in the form of Cal which is particulate. nus, spray effectiveness and gravitational settling would be enhanced and airborne releases from containment would decrease.

Thus, even if a Large LOCA were to occur without the requisite design basis number of SITS, ;

the actual fission product releases would be expected to be well within the existing 10 CFR 100 criteria. This issue is further considered in a probabilistic framework in Section 6.3.5.

t 12 4

,- l 6.3 Annemm=ck of Risk 6.3.1 Overview The purpose of this section is to provide an integrated assessment of the overall plant risk

=~ied with adoption of the proposed ACyr extension. The mathadology used to evaluate the SIT AOT extension was based in part on a draft version of the " Handbook of Methods for Risk-Based Analyses of Technical Specifications", Reference 10. As guidance for the acceptability of a Technical Specification modification, it was noted that any proposed Technical Specification change (and the ultimate change package) should either:

(1) be risk neutral, OR (2) result in a decrease in plant risk (via " risk trade-off considerations"), OR (3) result in a negligible (to small) increase in plant risk.

AND (4) be needed by the utility to more efficiently and/or more safely manage plant operations.

A statement of need has been provided in Section 6.1. This section addresses the risk aspects of the proposed AOT extension.

In this evaluation, a risk assessment of the SIT AOT extension is performed with respect to associated "at power" and " transition" risks.

Section 6.3.2 provides an assessment of the increased risk associated with continued operation with a single SIT out of service (OOS). The evaluation of the "at power" risk increment resulting from the extended SIT AOT was evaluated on a plant specific basis using the most current individual plant's Probabilistic Safety Analysis (PSA) model for their respective baselines. Plant specific evaluations were performed by each participating utility. Results of these evaluations were then compared using appropriate risk measures as prescribed in Reference 10.

Section 6.3.3 provides an assessment of risk of transitioning the plant from Mode 1 into a lower mode (e.g. Mode 4). The "at power" risk nueument provides only one facet of the plant risk.

For this evaluation, continuation of at power operation with the LCO action statement is compared with the risk of proceeding with a plant shutdown. A lower bound to this transition risk was evaluated by modifying the reactor trip core melt scenario for a representative CE PWR. Based on this analysis, a core damage probability for the plant shutdown was established and compared to the single AOT risk associated with continued operation.

13

., l i

For completeness, the impact of the extended ACT on the plant large early release fraction is l qualitatively =<ee<=1. The assessment includes an evaluation of the events leading to large early i fission product releases and the role of the SIT in the initiation and/or mitigation of those events.

This assessment is presented in Section 6.3.5.

6.3.2 Assessment of "At Power" Risk Methodology This section provides an assessment of the increased risk associated with continued operation with a single SIT out of service (OOS). He evaluation of the "at power" risk increment resulting from the extended SIT AOT was evaluated on a plant specific basis using the most current individual plant's Probabilistic Safety .halysis (PSA) model. Plant specific evaluations were performed by each participating utility. Results of these evaluations were then compared using the following risk measures (from Reference 10):

Avesse Core Damage hequency (CDF): The average CDP represents the frequency '

l of core-damage occurring. In a PSA model, the CDF is obtained using mean unavailabilities for all standby-system components.

l Con Damage Pmbability (CDP): The CDP represents the probability of core-damage '

occurring. Core-damage probability is approximated by multiplying core-damage i frequency by a time period.

Conditional Con-Damage Fnquency (CCDF): he Conditional CDF is the Core -

Damage Frequency (CDF) conditional upon some event, such as the outage of equipment. It is calculated by re-quantifying the cutsets after adjusting the unavailabilities of those basic events associated with the inoperable equipment.

Increase in Con Damage Fnquency (ACDF): The increase in CDP represents the difference between the CCDF evaluated for one train of equipment unavailable minus the CCDF evaluated for one train of equipment not out for test or maintenance (T/M). For the SITS:

ACDF = Conditional CDFa arrm - Conditional CDFo atw w s.,r=

where CDF = Core Damage Fnquency (per year)

Single AOTRisk Contdbution: The Single AOT Risk contribution is the increment in risk associated with a train being unavailable over a period of time (evaluated over either the full AOT, or over the actual maintenance duration). In terms of core damage, the Single AOT Risk Contribution is the increase in probability of core-damage occurring during the AOT, or outage time, given a train is unavailable from when the train is not 14 l

out for test or maintenance. The value is obtained by multiplying the increase in the ;

CDF by the ACTr or outage time. '

Single AOT Risk = ACDF x r where, ACDF = Incmase in Core Damage Frequency (per year), and l r = full AOT or actual mal =**aane* duration (years)

Yeady AOT Risk Ceardbudos: The Yearly AOT risk contribution is the increase in average yearly risk from a train being unavailable accounting for the average yearly.

frequency of the A(yr. It is the frequency of core-darnage occurring per year due to the .i average number of entries into the LCO Action Statement per year. He value is estimated as the product of the Single AOT Risk Contribution and the average yearly frequency (f) of entering the associated LCO Action Statement. Herefore:

Yearly AOT Risk = Single AOT Risk x f where f = frequency (events / year)

Incremental changes in these parameters are sueued to establish the risk impact of the Technical Specification change. i Cok!4Mn of Conditional CDF, Single and Yearly AOTRisk Contributions Each CEOG utility used its current Probabilistic Safety Analysis (PSA) model to assess the i Conditional CDF based on the condition that one SIT is unavailable. Each plant verified that the appropriate basic events are contained in the PSA cutsets used to determine the AOT risk contributions. This verification was performed as the first task in calculating the Conditional CDFs. If basic events had been filtered out of the PSA cutsets, one of the two methods described below were used to ensure the calculation of Conditional CDF was correct or conservative:

1. Select the basic event for the failure mode of the component with the highest f failure probability to represent the train if the test / maintenance failure mode of the component had been filtered out; or

2. Retrieve cutsets containing relevant basic events at the sequence level and merge them with the final PSA cutsets.

15

-v- v- 7v-y --ry-----r ymn vr vye p..w.,_._--.,,, , , _ _ _ _ _ _ _ _ _ _ _ _ _ .

. l l

l The Conditional CDF given 1 SIT is unavailable was obtained by performing the following steps:

1. Set the basic event probability for the failure mode for a component in the unavailable SIT train equal to 1.00, i

2. Set any basic event probabilities for other failure modes for that train equal to 0.0, and

3. Requantify the PSA cutsets. !

'Ihe Conditional CDP given 1 SIT is not out for test or maintenance was obtained by setting the ;

' basic event probability for the failure mode for one SIT equal to 0.0 and requantifying the PSA cutsets. This Conditional CDP was effectively equal to the baseline CDF (CDF resulting from the plant's current PSA model) for the SITS for all CE plants, i l

It was expected that the results would be symmetric fer selecting any one of the four SITS to be i out for maintenance. However, in cases where different modeling assumptions or data were !

associated with each SIT, then the Conditional CDFs were evaluated for each SIT, and the most ,

conservative result was used. '

The Conditional CDF was then used to calculate the increase in CDF and then the Single AOT Risk Contribution (Conditional CDF x full AOT) for each plant. The Single ACrr was calculated based on the full AOT due to the short dyration of the AOT; i.e., nothing less than full AOT was assumed for maintenance duration for both the current and proposed Single AOT ,

Risk calculations. l The Single AOT Risk Contribution was then used to calculate the Yearly A(7T Risk Contribution (Single AOT Risk x frequency). Maintenance frequency was not expected to change based on an extended AOT, so the maintenance frequency for the proposed AOT is the same frequency :

as the current AOT. The frequency used for the Yearly AOT Risk Contribution calculation is l 0.35 per year (total for all SITS). This value is based on actual data for entry into the SIT LCO l Action Statement for a representative CE plant and is either conservative or accurate for each CE plant. l Table 6.3.2-1 provides the Conditional CDFs, and the Single and Yearly AOT Risk Contributions for each plant.

l l

1 l

16 l

l I

i

Celein#n ofAnrage CDF In order to calculate the Average CDF for the extrided SIT AOT, a new value for SIT unavailability due to test / maintenance was established, which accounted for the performance of on-line corrective maintenance assuming a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months raintenance duration (i.e., the full proposed SIT AOT). The PSA cutsets were then requantif.x! based on this ne anavailability to obtain the Average CDF for the new SIT unavailability of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months per year. This new Average CDF was then compared to the base case value frorr. the plant's PSA model. Table 6.3.2-2 provides the proposed Average CDF and the base Average CDF for each plant.

Results The results from each plant were assi ailated, and the Single AOT and Yearly AOT Risks were !

calculated for each plant. Tables /,.3.2-1 and 6.3.2-2 present the results of these cases on a plant specific basis, and summarins the SIT ACTr CDF contributions for each plant. These risk contributions include the Condhonal CDFs, Increase in CDF, Single AOT and Yearly ACTr !

risks, and current and proposrJ Average CDFs.

Differences in results are pimarily due to variations in Large LOCA initiating event frequency and the associated success criteria. Plants that used the Large LOCA deterministic success criteria (i.e.; all SITS nquired to mitigate Large LOCA) combined with a high Large LOCA initiating event frequeacy (e.g.,5.0E-04 per year) in the PSA resulted in an overly conservative estimation of SIT iriportance. Even for plants with more stringent success criteria, the results of the analyses irricate that the Single and Yearly AOT Risk Contributions are negligible or small for all pirats by extending the SIT AOT from 1 to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , and the Average CDF is virtually unchraged.

17

I t

Table 6.3.2-1 l CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR SITS - Corrective Maintenance i

i l

PARAMETER ANO-2 Calvest Font Maine MiBusons Pohandam Palo San St. Lucie St. Emeis Wassefesd Cliffs Calhoun Yankee

2 Veede Onofre 1 2 3 1&2 1. 2 & 3 2&3 manu - m SIT success criteria 3 cf 4 3 of 4** 3 of 3 to l ef 2 ao 2 ef 3 to 3 af 3 to 2ef3ao 3 ef 4 to 3 ef 4 3 ef 4 3 ef 3 to unbroken unbecken unluchen unbroken unbeeken unbeeken t eschen less less less 1888** 1888 less V Present AUT hre 1 1 1 1** 1 1 1 1 1 1 1 Proposed AUT, hre 24 24 24 24 24 24 24 24 24 24 24 I

Conditional CDF, per yr 4.12EE 5.53E-04 2.18E4 7.40E-05 3.41E4 5.47EE 4.88E-05 4.0ZE44 2.2E-04 2.2E-04 6.53E-05 (1 STT unavailable) l Conditional CDP, per yr 3.28E4 2.11E44 1.18E4 7.40E-05 3.41E4 5.15E45 4.74E4 2.74E45 2.14E45 2.35E.05 1.54E-05 t (1 Sir not out for unaintenenee) i increase in CDP, per yr 8.30E-06 3.42E-04 1.00E4 negligible neghgible 3.20E-06 1.40E-06 3.75E-04 2.2E-04 2.2E-04 4.99E-05 I

Single AUT Risk (based on 9.57E-10 3.90E-OS 1.14E-09 neghgible maghshie 3.65E-10 1.60E-10 4.2SE-08 2.3E-05 2.3E.08 5.70E-Of Current full AUT)

FsinM Aar RisitM eN

~' Proposed full AUT)i '

2.30E 08) [9.37506 [2.74E-08]

negligMe negligibis ~ i3.77E49

^

i3.848 09j [1.0$E4$ [15E.07

^ 34 s.

M ;g3 ' " '

i(iSE4th

" ^*W hM

^ ';

i Downtime Fnequency, per yr 0.35 " 0.35 " 0.35 " 0.35= 0.35 " 0.35 " 6.35 " 0.35"" 0.35"e* 0.35= 0.35""

Yearly AOT Risk, per yr 3.35E-10 1.37E-08 4.00E-10 negligible neghshie 1.2SE-10 5.59E-11 1.50E4B SE-Of SE49 1.99E-Of (based on Cunent full AUT)

Yearly AUT Risk, per yr 8.04E-09 3.28E-07 9.59E-09 negligible neghanbie 3.07E49 1.34E49 3.59E-WT 1.9E-WT 1.9EE 4.78E4B (bened on Proposed full AUT)

SIra weve not modeled in PSA, isupact judged negligible due to -- creena

- s- criteria varies bened on d===n= of scenano

- - 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for SIT cut of spee

- - - Based on actual data for .,_ % CE pism k

18-b

_ . , _ , , .-- _ , , , _ _ . . , _ , , . ----y %--b.- -._m-- e r- - - . - - , - . - - - - ----r- -w -m-> - - + ---____+----P - *- _ __

Table 6.3.2-2 CEOG PROPOSED AVERAGE CDFs PARAMETER ANO-2 Calvert Fort Maine Millstone P 6.aam Palo Sea St. Useio R. beeie Wassefosd Cliffe Calhoua Yankee

2 Verde onofe 1 2 3 1&2 1,2 & 3 2&3 Sir s- Criseria 3cf4 3 ef 4** 3 of 3 to l of 2 to 2 cf 3 to 3 cf 3 so 2cf3to 3 ef 4 to 3 af 4 3ef4 3 ef 3 to unbecken unbroken unbachsen unbecksa unbroken unbeoben unbecken less less less les*** 1888 less less Present AUT hrs ! ! 1 1* I i 1 1 1 1 1 Proposed AUr, hre 24 24 24 24 24 24 24 24 24 24 24 Proposed Downurne, hrafyr Assume Asmane Assurne Assume Asmusne Assums Annano Assums A:m Asamno Assusne 24 24 24 24 24 24 24 24 04 24 24 Average CDP, per yr 3.28E-05 2.11E-04 1.18E-05 7.40E-05 3.4 tE4 5.15EE 4.74E4 2.74E4 2.14 E4 2.35E-05 1.54E-05 (PSA case)

Average CDP, per yr 3.2SEE 2.llE-04 1.18E4 7.40E4 3.41EE 5.16EE 4.74E4 2.85EE 2.4E45 2.6E-05 1.56EJIS (Proposed) _

Sfra were not modeled in PSA, impact judged negligible due to -- criteria e* Sa- criteria varies based on details of scenano

- - 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months for Sir out of spec 19

L .

6.3.3 Aasessment of Transition Risk For any given AOT extension, there is theoretically an "at power" increase in risk associated with it. 'Ihis increase may be negligible or significant. A complete approach to ma**dng the change in risk accounts for the effects of avoided shutdown, or " transition risk". Transition .

Risk represents the risk associated with reducing power and going to hot or cold shutdown following equipment failure, in this case, one SIT being inoperable. Transition risk is ofinterest in understanding the tradeoff between shutting down the plant and repairing the SIT while the :

plant continues operation. The risk of transitioning from "at power" to a shutdown mode must be balanced against the risk of continued operation and performing corrective maintenance while the plant is at power.

To illustrate this point, a representative CE PWR has performed an analysis for transition risk

== maw with one inoperable SIT. The methodology and results obtained by this plant are presented below and are considered generically applicable to the other CE plants.

Methodology The philosophy behind the transition risk analysis is that if a plant component becomes i

unavailable, the CDF will increase since less equipment is now available to respond to a transient if one were to occur. However, as long as the plant remains at power, this CDF is constant. At the point in time that a decision is made to shut down, the CDF increases since a " transient" (manual shutdown) has now occurred, and the equipment is still out of service.

The Core Damage Probability (CDP) associated with the risk of plant transition from plant full power operation to shutdown is obtained by modifying the " uncomplicated reactor trip" core damage scenario in the PSA model. In this evaluation the incremental risk is dominated by the increased likelihood ofloss of main feedwater and the reliance on auxiliary (and/or emergency) feedwater to avert a core damage event. A cutset editor was used to adjust cutsets representing manual shutdown or miscellaneous plant trips to reflect the CDP associated with a forced shutdown assuming one SIT is out of service and requantifying the PSA cutsets. Conservatisms that had been included in the base PSA model were deleted to reflect the greater control that the plant staff has in the shutdown process. Specifically, the baseline PSA model assumed total loss of main feedwater (MFW) within 30 minutes of reactor trip. In the transition analysis, MFW was assumed to be recoverable following failure of Auxiliary Feedwater. A human error probability (value of 0.1) was added to cutsets that contained no basic events, including human actions, that would cause MFW to be unavailable. The duration of the transition process was assumed to be 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months (6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months to hot standby and 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months to hot shutdown).

Additional human errors that would be associated with a detailed portrayal of the shutdown process and the entry into shutdown cooling were not included in order to establish a conservative lower bound nueument of the transition risk. Errors of commission, such as diversion of RCS flow during SDC valve alignment, are also not considered in this analysis.

20

a '

o. ;

Such errors would add to the disadvantages of the shutdown alternative, and therefore, to include them would be non-conservative for the purpose of this comparison.

Based on the above methodology the CDP =Matad with the lower mode transition was calculated for the representative plant to be 1.00E-06. Results of transition risk analyses can be generalized for the other CE PWRs by assuming that the ratio of the CDP for Transition Risk ,

- to the baseline Average CDF is constant for all plants. The baseline CDFs were selected rather than the Conditional CDFs for the ratio between the other CE plants becnine the analysis for the

, representative plant indicatM that transition risk was more a function of Loss of MFW rather than a function of the specific equipment out of service.Results of transition risk analyses can be gener=1irM for the other CE PWRs by assuming that the ratio of the CDP for Transition Risk

to the baseline Average CDF is constant for all plants.

That is, '

A CDPau = (CDF%/CDF,,,,%

ACDPa w,,,,%)

where:

ACDPn u = Incremental risk due to mode transition for plant CDF% = Racellne CDF for plant CDF ,% = Representative plant basellne CDF CDPn w,,,,% = Incremental risk due to mode transition for representative plant The transition risk may be used to evaluate the relative risks of performing SIT repair at power ,

to that of performing the same repair at some lower mode. The risk of continued operation for the full duration of the AOT is bounded by the single AOT risk for CM. The comparable risk ,

of the alternate maintenance option involves consideration of four distinct risk components:

(1) Risk of remaining at power prior to initiating the lower mode transition.

This risk will vary depending on the ability of the staff to diagnose the SIT fault.

(2) Risk of lower mode transition.

This risk is accumulated over a short time interval (approximately 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ).

(3) Risk of continued lower mode operation with an impaired SIT.

l In this mode, the reactor is shutdown and the core is generating decay power only.

However, risks in this mode remain significant. Depending on the particular operational mode, resources to cope with plant transients will typically be less than at power. These modes are characterized by decreased restrictions on system operiollity, longer times for 21

1

. 1 l

operator recovery actions, lower initiating frequency for pressure driven initiators (such I as LOCA) and a greater frequency for plant transients such as those initintad by loss of offsite power and loss of main feedwater.

)

l (4) Risk of return to power

'Ihe power ascension procedure is a well controlled transient. Reference (10) caan~* ally die- that risks associated with this transition are greater than those associated with at power operation, but significantly below that associated with the initial lower mode transition (item 2).

The analysis of transition risk presented in this report quantifies only the risk of lower mode transition (item 2).

Results Table 6.3.3-1 presents the risk associated with transitioning the plant to a lower mode for each plant. The numbers in the table represent only the lower mode transition risk component of the transition sequence (item 2). For all CE plants, the risk associated with this transition portion is nearly equal to or exceeds that risk that would be incurred for a 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months "at power" (Single AOT Risk from Tables 6.3.2-1) SIT maintenance period. When the full mode transition process is considered, it is expected that SIT maintenance at power for the full 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months AOT is risk beneficial for all CE PWRs.

Table 6.3.3-1 TRANSITION RISK CONTRIBirr10NS FOR SIT CM PLANT Transition Risk Contribution (ACDP)

ANO-2 6.92E-07 Calvert Cliffs 1 & 2 4.45E-06 Fort Calhoun Station 2.49E-07 Maine Yankee 1.56E-06 Millstone 2 7.19E-07 Pahsades 1.09E-06 Palo Wrde 1,2 & 3 1.00E46 San Onofre 2 & 3 5.78E 07 St. Lucie 1 4.51E47 St. Lucie 2 4.96E-07 Waterford 3 3.25E-07 a

22 l

. ._ _ _ . _ . _ ._ _._. ~.

4 6.3.4 Assessment of Shutdown Risk i Shutdown risk benefits were not credited for the SIT AOT Extension request.

6.3.5 Assessment ofImre Eaty Release

! A review oflarge early release scenarios for the CE PWRs indicates that early releases arise as

, a result of one of the following Matee of scenarios:

1. Containment Bypass Events i

These events irelude. interfacing system LOCAs and steam generator tube i ruptures (SGTRs) with a concomitant loss of SG isolation (e.g. stuck open MSSV).

l j- 2. Severe Accidents accompanied by loss of containment isolation i

These events include any severe accident in conjunction with an initially

! unisolated containment.

i j- 3. Containment Failure ="ada'M with Energetic events in the Containment.

i

! Events causing containment failure include those =aada'M with the High i

Pressure Melt Ejection (HPME) phenomena including direct containment heating ,

(DCH) and hydrogen conflagrations / detonations.

j Of the three release categories, Class 1 tends to represent a large early release with potentially j direct, unscrubbed fission products, to the environment. Class 2 events encompass a range of releases varying from early to late that may or may not be scrubbed. Class 3 events result in a high pressure failure of the containment, typically immediately upon or slightly after reactor vessel failure. Detailed Level 2 analyses for the plant condition with I potentially inoperable ,

SIT have not been performed. However, new<tment of the expected change in the large early release fraction was made by newuing the impact of one SIT on the above event categories.

Based on this review, it was established that inoperability of one SIT would not impact Class 1 events. These events are characterized by an irrecoverable loss of reactor inventory along with any makeup outside of containment. Core damage for these events is inevitable without a continuous permanent makeup water source. The availability of the SITS does not significantly alter the event progression. A small increase in Class 2 events could occur when an unmitigated large LOCA occurs in conjunction with an initially unisolated containment. Significant fission product releases would not occur unless the containment is unscrubbed (that is sprays are inoperable). This later combination of events is considered of very low probability. Class 3 events are dominated by RCS transients that occur at high pressure. Thesc events exclude those where SIT performance would be called for and therefore SIT status is not a contributor to this event category. It is therefore concluded that increased unavailability of one SIT will result in a negligible impact on the large early release probability for CE PWRs.

23 w .

6.3.6 Summary of Jtisk Assessment ne major contributor to differences in plant results for the SITS is success criteria. Even for plants with more stringent success criteria, the results of the analyses indicate that there is only a small increase in risk by extending the SIT AOT from 1 to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

I The results of this study also indicate that performing SIT maintenance at power versus at )

shutdown can result in a decrease in overall plant risk. His is because the CDP for continued- l operation of the plant at power with one SIT inoperable is less than the CDP associated with shutting down the plant.

Incperability of the SIT was found to not significantly impact the three classes of events that give rise to large early releases. These include containment bypass sequences, severe accidents-accompanied by loss of containment isolation, and containment failure due to energetic events in the containment. It is therefore concluded that increased unavailability of the SIT will result in a negligible impact on the large early release probability for CE PWRs.

In conclusion, from a risk pspective, increasing the out of service (OOS) duration for a single SIT has a negligible impact on risk from either an instantaneous or cumulative (yearly) basis.

6.4 Compensatory Measures In addition to the information described above, each CEOG plant considered maintenance interactions or compensatory acts ins that could be performed if the change in risk due to the extended AOT was not risk neutn 1. Because of the short AOT for the SITS, no extraordinary compensatory actions were deter.nined to be required when one SIT is out of service for ,

maintenance. However, as for any "at power" maintenance, the goals should be expediency and safety. Therefore, operability of the other SITS should be verified prior to taking the SIT out-of-service. Also, taking one SIT out-of-service should not coincide with the scheduled removal of additional ECCS plant components from service.

24 t

4 6.5 Technical Justification for AOT Extension for Plant Operation with a Functionally

" Operable" SIT This section addresses two line item relaxations previously identified as generically acceptable in previous NRC documents. These changes are defined in item 2 of Section 2, and allow an extended ACyr of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for conditions where the SIT is functional but an INOPERABLE tag is required due to either: 1) malfunctioning pressure or level instrumentation or 2) the SIT boron concentration is out of the technical specification limit. Relaxation of this AOT due to inoperable level or pressure instrumentation has been recommended for implementation into the TSs by the NRC in Reference 1. The rehntian of AOT requirements due to boron concentration in a single SIT has been reviewed genericWly by the NRC and accepted for use within the Improved Standard Technical Specifications (Reference 2). In either case, the SIT is functional and can perform its intended function throughout the extended AOT. These TS relaxation requests are discussed below.

6.5.1 SIT Tagged INOPERABLE due to Exvel and Pressure Instownentation Malfunction Section 7.4 of NUREG-1366 (Reference 1) provides the following non-risk related justification for a specific AOT extension from I hour to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months for a single SIT when that inoperability is caused solely by malfunctioning level instrumentation or solely by malfunctioning pressure instrumentation:

"The combination of redundant level and pressure instrumentation [for any specific SIT]

may provide sufficient information so that it may not be worthwhile to always attempt to correct drift associated with one instrument if there were sufficient time to repair one in the event that a second one became inoperable. Because these instruments do not initiate a safety action, it is reasonable to extend the allowable outage time for them.

The [NRC] staff, therefore, recommends that an additional condition be established for the specific case, where 'One accumulator is inoperable due to the inoperability of water level and pressure channels,' in which the completion time to restore the accumulator to operable status will be 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . While technically inoperable, the accumulator would be available to fulfill its safety function during this time and, thus, this change would have a negligible increase on risk."

6.5.2 SIT Boron Concentration Out of Range In the Improved Standard Technical Specifications of NUREG-1432, the allowed outage time for one SIT is extended from 1 to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months when the "inoperability" of the subject SIT is due only to the boric acid concentration of the tank's contents being outside the specified band for "OPERABIIJTY." Section B.3.5.1 of NUREG-1432 provides justification for this extension.

The AOT extensions defined in this section apply to the identification of an INOPERABLE SIT which remains functionally capable of performing its safety function. There are no contradictions between this argument and risk-related arguments for a general AOT of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months that are discussed in Section 6.

25 l l

s - , - m_ -= * --

7.0 JUSTIFICATION FOR SURVEILLANCE TEST INTERVAL (STI)

MODIFICATION Item 3 of Section 2 (SCOPE OF PROPOSED CHANGES TO TECHNICAL SPECIFICATIONS) proposes to modify the technical specifications associated with performing ,

l boron concentration observations when the source of SIT makeup water is from the RWST with l a known boron concentration that is equal to or greater than the known boron concentration of the SIT. This technical specification change was originally proposed by the NRC in Section 7.1 of NUREG-1366, Reference 1. Item 3 is considered generic to all CE PWRs.

The CEOG therefore endorses a recommendation that when plant-specific Technical Specifications are amended to implement the cumulative guidance of NUREG-1432, LCO 3.5.1 and Section 8.1.4 of this NUREG, the guidance in SR 3.5.1.4 of NUREG-1432 (Attachment A) should be implemented at the same time.

NUREG-0212, Revision 03 includes the following requirement in SR 4.5.1.1:

"b. At least once per 31 days and within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months after each solution volume increase of greater than or equal to (1)% of tank volume by verifying the boron concentration of the safety injection tank solution."

The comparable Surveillance Requirement in NUREG-1432, SR 3.5.1.4 states, " Verify boron concentration in each SIT is .2. [1500] ppm and .1 (2800] ppm." The specified frequency for this surveillance is:

"31 days ANI2

NOTE Only required to be performed for affected SIT 26

Once within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months after each solution volume increase of

> [1]% of tankvolume that is not the result of addition from the refueling water tank" The removal of the requirement to sample the affected SITS for boron concentration within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months of a volume transfer from the refueling water storage tank is supported by the following.

statement from Section 7.1 of NUREG-1366:

" Normal makeup to an accumulator [ safety injection tank] comes from the refueling water storage tank (RWST) which is also borated. No dilution can be caused by adding water from this source as long as the minimum concentration of boron in the RWST is greater than or equal to the minimum boron concentration in the accumulator."

Section 7.1 of NUREG-1366 goes on to state:

" Recommendation It should not be necessary to verify boron concentration of accumulator inventory aAer a volume increase of 1% or more if the makeup water is from the RWST and the minimum concentration of boron in the RWST is greater than or equal to the minimum boron concentration in the accumulator, the recent RWST sample was within specification, and the RWST has not been diluted."

The bases corimentary concerning SR 3.5.1.4 of NUREG-1432, Revision 0 supports this recommendation when.it states the following:

.... Sampling the affected SIT within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months after a 1% volume increase will identify whether ' .-leakage has caused a reduction in boron concentration to below the required limit. It is not necessary to verify boron concentration if the added water is from the RWT, because the water contained in the RWT is within the SIT boron concentration requirements. This is consistent with the recommendations of NUREG-1366 ..."

8.0 PROPOSED MODIFICATIONS TO NUREG-1432 .

Attachment A includes proposed changes to NUREG-1432 Sections 3.5.1 and B 3.5.1 that correspond to the findings of this report.

27

O 9.0

SUMMARY

AND CONCLUSIONS 9.1 Functionally INOPERABLE SIT The PSA results from each of the CE PWRs showed that the increment in risk at power due to one inoperable SIT is small for all plants. The range of results for Single AOT Risk based on the full proposed AOT of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months varied from negligible to 4.09E-08. The major contributor to any differences in plant results for the SITS is the === criteria assumed in the PSA model.

, In comparison, the increment in risk nav intM with transitioning the plant from at power to shutdown mode with one SIT inoperable is on the order of 1.00E-06. These results indicate that there is a lower risk to the plant by remaining at power to perform corrective maintenance than to shut down the plant to repair the inoperable SIT. Therefore, it is concluded that extending the AOT for one inoperable SIT from 1 to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months would be risk beneficial.

Recent best estimate analyses for a typical PWR (Reference 5) confirmed that for large break LOCAs, core melt can be prevented by either the operation of one Iow Pressure Safety Injection (LPSI) pump or the operation of one High Pressure Safety Injection (HPSI) pump and a single SIT. While the precise equipment set for any specific CE PWR may vary,'the design basis requirement for 1 LPSI train,1 HPSI train, and all SITS to avert a core melt condition is very conservative.

While it is not the intent of thb document to widen the technical specification OPERABILITY limits for the SIT, it is important to note that for selected parameters, the assessment of SIT OPERABILITY is rather stringent. The SIT operational parameters are set by the design basis.

Operating experience has demonstrated that many of the causes of SIT inoperability can be diagnosed and corrected within several hours of discovery but longer than a period of one hour from identification.

The restrictive nature of the present AOT has led to a number of entries into the LCO action statements and plant shutdowns. 'Ihis report proposes that the SIT Inoperable AOT be extended to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This time interval is believed to be sufficient to enable the plant personnel to properly diagnose the cause of the SIT malfunction and effect minor repairs. An evaluation of the deterministic and probabilistic effects of extending the AOT to 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months indicates that the extension is either " risk beneficial" or at least " risk neutral".

9.2 Functionally OPERABLE SIT The CEOG endorses a recommendation that, when plant-specific Technical Specifications are amended, the cumulative guidance of NUREG-1432 LCO 3.5.1 and NUREG-1432 SR 3.5.1.4 (Attachment A) should be implemented simultaneously.

1 28

r

10.0 REFERENCES

1. NUREG-1366, " Improvements to Technical Specifications Surveillance Requirements",

December 1992.

2. NUREG-1432, " Standard Technical Specifications Combustion Engineering Plants",

September 1992.

2

3. 10 CFR 50.65, Appendix A, "The Mair.tenance Rule".

4. NUREG-0212, " Revision 3, " Standard Technical Specifications for Combustion hginming Pressurized Water Reactors", July 9,1982.

5. LWW-02-094, Letter from L. Ward (INEL) to Dr. F. Eltawila (NRC),

Subject:

"Use '

of MAAP to Support Utility IPE In Vessel and Ex-Vessel Accident Success Criteria",

June 1994.

6. NUREG 0800, USNRC Standard Review Plan, Rev.2, July 1981.

7. TID-14844, " Calculation of Distance Factors for Power Reactor Sites", USAEC,1%2.

8. NUREG-1465, " Accident Soerce Terms for Light Water Reactors" (Final Draft), August, 1994

9. Letter from Susan C. Black (NRC) to William T. Cottle (Houston Light & Power),

" Issuance of Amendment Nos. 59 and 47 to Facility Operating License Nos. NPF-76 and NPF-80 and Related Requests - South Texas Project, Units 1 and 2 (TAC Nos. M76048 and M76049)", March 17,1994.

10. NUREG/CR-6141, BNL-NUREG-52398, " Handbook of Methods for Risk-Based Analyses of Technical Specifications", P. K. Samanta, I. S. Kim, T. Mankamo, and W.

E. Vesely, Published December 1994.

11. " Technical Evaluation of South Texas Project (STP) Analysis for Technical Specification Modifications", P. Samanta, G. Martinez-Guridi, and W. Vesely, Technical Report

L-2591, January 11, 1994.

29

9 52 ATTACHMENT A

" Mark-up" of NUREG-1432 SECTIONS 3.5.1 & B 3.5.1 l

l A-1

+

SITS 3.5.1 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) 3.5.1 Safety injection Tanks (SITS)

LCO 3.5.1 [Four] SITS shall be OPERABLE.

APPLICABILITY: MODES 1 and 2 MODE 3 with pressurizer pressure n (700] psia.

ACTIONS r-CONDITION REQUIRED ACTION COMPLETION TIME A. One SIT inoperable due A.1 Restore boron 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to boron concentration concentration to not within limits, within limits.

1NSW A >

C./. One SIT inoperable for h.1 Restore SIT to M 2.@ bcurS reasons other than OPERABLE status.

Condition r-

D Se in MODE 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months D[. Required Action and associated Completion

/.1 Time of Condition A M!Q or B3not met. D, Reduce pressurizer 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months f.2 ps$a.

.1 Enter LCO 3.0.3. Inunediately b/. Two or more SITS inoperable.

l i

l l

CE00 STS 3.5-1 Rev. 0,09/28/92 l

l

l i

INSERT A B. One SIT inoperable due B.1 Restore SIT to OPERABLE 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to inability to verify level status, or pressure.

4

'l 1

d w- -

r ,

q

- $1Ts B 3.5.1 BASES ACTIONS A.1 (continued) injection. Thus, 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months is allowed to return the boron concentration to within limits.

3 sarah J

If one is inoperable, for a reason other than on concentratio the SIT must be returned to OP LE status within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months . his Condition, the r tred contents of umed to rea e core during a 3 E T yf)h <s three SITS cannot be LOCA. Due to the severi f consequences should a LOCA hour Completion Time to occur in these conditions open the valve, remov wer to t alve, or restore the proper water voi or nitrogen cover sure ensures that prompt actio 11 be taken to return the erable accumul to OPERABLE status. The Completion mi zes the exposure of the plant to a LOCA in th nditions.

.1 and .2

/ I If the SIT cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and pressurizer pressure reduced to < 700 psia within 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months . The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems, t.

If more than one SIT is inoperable, the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered imediately.

+

e (continued)

CE0G STS B 3.5-7 Rev. O,09/28/92 l

l

o. *

':r INSERT AA 1 l

11 Section 7.4 of Reference 5, NUREG-1366, discusses surveillance requirements in technical specifications for the instrument channels used in the measurement of water level and pressure in SITS.

The following statement is made in Section 7.4 of Reference 5:

"'The combination of redundant level and pressure instrumentation [for any single SIT] may provide sufficient information so that it may not be worthwhile to always attempt to correct drift associated with one instrument [ wit resulting radiation exposures during entry into containment) if there were sufficient time to repair one in the event that a second one became inoperable. Because these instruments do not initiate a safety action, it is reasonable to extend the allowable outage for them.

The [NRC) staff, therefore, recommends that an additional condition be established for the specific case, where "One accumulator [ SIT) is inoperable due to the inoperability of water level and pressure channels,"

in which the completion time to restore the accumulator to operable status will be 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . While technically inoperable, the accumulator would be available to fulfill its safety function during this time and, thus, this change would have a negligible increase in risk."

4 INSERT AB

.CJ If one SIT is inoperable, for a reason other than boron concentration or the inability to verify level or pressure, the SIT must be returned to OPERABW status within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . In this Condition, the required contents of three SITS cannot be assumed to reach the core during a I.OCA as is assumed in Appendix K to 10 CFR 50.

3 Reference 6 provides a series of deterministic and probabilistic findings that support 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months as being either " risk beneficial" or " risk neutral" in comparison to

? shorter periods for rest'oring the SIT to OPERABE status. Reference 6 discusses best-estimate analysis hat confirmed that, during large-break LOCA scenarios, core melt can be prevented by either operation of one I.aw Pressure-Safety Injection (LPSI) pump or the operation of one High Pressure Safety Injection (HPSI) pump and a single SIT. Reference 6 also dl==** plant-speciEc probabilistic analysis that evaluated the risk-impact of the 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months recovery period

'in comparison to shorter recovery periods.

d SITS B 3.5.1 BASES (continued)

SURVEILLANCE SR 3.5.1.1 REQUIREMENTS Verification every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months that each SIT isolation valve is fully open, as indicated in the control room, ensures that SITS are available for injection and ensures timely discovery if a valve should be part*ially closed. If an isolation valve is not fully osen, the rate of injection to the RCS would be reduced. Altiough a motor operated valve ,

should not change position with power removed, a closed valve could result in not meeting accident analysis assumptions. A 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency is considered reasonable in view of other administrative controls that ensure the unlikelihood of a mispositioned isolation valve.

SR 3.5.1.2 and SR 3.5.1.3 SIT borated water volume and nitrogen cover pressure should be verified to be within specified limits every 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months in order to ensure adequate injection during a LOCA. Due to the static design of the SITS, a 12 hour1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months Frequency usually allows the operator sufficient time to identify changes he, fore the limits are reached. Operating experience has-shown this Frequency to be appropriate for early detection and correction of off normal trends. P l

SR 3.5.1.4 ,

i

! Thirty-one days is reasonable for verification to determine that each SIT's boron concentration is within the required limits, because the static design of the SITS limits the ways in which the concentration can be changed. The 31 day Frequency is adequate to identify changes that ccild occur from mechanisms such as stratification or inleakage.

Sampling the affected SIT within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months after a 1% volume increase will identify whether inleakage has caused a reduction in boron concentration to be'.ow the required limit. It is not necessary to verify boron concentration if the added water is from the RWT, because the water contained in the RWT is within the SIT boron concentration .

requirements. This is consistent with the recomendations of NUREG-1366 (Ref. 5). .

TNSERTkC.

I (continued) l 1 l l CEOG STS B 3.5-8 Rev. O, 09/28/92 l

l l

4 INSERT AC

, Reference 6, and Reference 7.

i l

l

.-wy qe-y-- , - , - - - m- , ,-,,.,, . . ,,, _ , - - , -, .-,y,,,w...e-y------ynv-y--w-,-w w w , n>- aW-y,--- w

o i

$' SITS )

B 3.5.1 i

. BASES SURVEILLANCE SR 3.5.1.5 REQUIREMENTS (continued)

Verification every 31 days that power is removed from each .

SIT isolation valve operator when the pressurizer pressure is a 2000 psia ensures that an active failure could not result in the undetected closure of an SIT motor operated isolation valve. If this were to occur, only two SITS would be available for injection, given a single failure coincident with a LOCA. Since installation and removal of power to the SIT isolation valve operators is conducted under administrative control, the 31 day Frequency was chosen to provide additional assurance that power is removed.

This SR allows power to be supplied to the motor operated isolation valves when RCS pressure is < 2000 psia, thus allowing operational flexibility by avoiding unnecessary delays to manipulate the breakers during unit startups or shutdowns. Even with power supplied to the valves, inadvertent closure is prevented by the RCS pressure interlock associated with the valves. Should closure of a valve occur in spite of the interlock, the SI signal provided to the valves would open a closed valve in the

, event of a LOCA.

REFERENCES 1. IEEE Standard 279-1971.

2. FSAR, Section [6.3].

3. 10 CFR 50.46.

4. FSAR, Chapter (15]. December IT71

5. M UREG-1366, ,

B 3.5-9 Rev. O,09/28/92 CEOG STS

,. g

.i. '

\

J l

INSERT AD l

6. NRC Generic letter 93-05, "Line Item Technical Specifications Improvements To Reduce Surveillance Requirements For Testing During Power Operations," September 27,1993

7. CE NPSD-994,"CEOG Joint Applications Report for Safety Injection Tank AOT/STI Extension," April 1995. ,

o o F

t l

J

ML20083Q926

Contents

Text

3.0 BACKGROUND

SUMMARY

SUMMARY

3.0 BACKGROUND

SUMMARY

SUMMARY

10.0 REFERENCES

Subject:

Navigation menu

ML20083Q926

Text

3.0 BACKGROUND

SUMMARY

SUMMARY

3.0 BACKGROUND

SUMMARY

SUMMARY

10.0 REFERENCES

Subject:

Navigation menu

Search