Joint Applications Rept for Emergency Diesel Generators AOT Extension

ML20083Q986
Person / Time
Site:	Arkansas Nuclear
Issue date:	05/30/1995
From:	ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY, ASEA BROWN BOVERI, INC.
To:
Shared Package
ML20083Q969	List: 2CAN059501, TS Change Request for Amend to License NPF-6 Re Emergency Diesel Generator AOT Extension ML20083Q976 ML20083Q986
References
CE-NPSD-996, NUDOCS 9505260276
Download: ML20083Q986 (60)
v • d • e

Text

.

l i

0wW hP COMBUSTION ENGINEERING OWNERS GROUP CE NPSD-996 Joint Applications Report for Emergency Diesel Generators AOT Extension.

Final Report CEOG TASK 836 prepared for the C-E OWNERS GROUP May 1995 l

e Copyright 1995 Combustion Engineering, Inc. All rights reserved E

ABB Combustion Engineering Nuclear Operations EEEE PR C O O 68 P PDR J

T LEGAL NOTICE This report was prepared as an account of work sponsored by the Combustion Engineering Owners Group and ABB Combustion Engineering.

Neither Combustion Engineering, Inc. nor any person acting on its behalf

A. makes any warranty or representation, express or implied including the warranties of fitness for a particular purpose or merchantability, with respect to the accuracy, completeness, or usefulness of the l information contained in this report, or that the use of any l information, apparatus, method, or process disclosed in this report i

may not infrmge privately owned rights; or  !

B. assumes any liabilities with respect to the use of, or for damages i j resulting from the use of, any information, apparatus, method or j process disclosed in this report.

I i

Combustion Engineering, Inc.

1

__._ _ _ _ __b

TABLE OF CONTENIS Section Page LIST OF TARTFR iii 1.0 PURPOSE 1 2.0 - SCOPE OF PROPOSED CHANGES TO TECHNICAL SPECIFICATIONS 1

3.0 BACKGROUND

2 4.0

SUMMARY

OF APPLICABLE TECHNICAL SPECIFICATIONS 4 4.1 Standard Tehaical Sneifiendons 5 4.2 "Customtzed" Tehaie=1 Specifications 5 5.0 SYSTEM DESCRIPTION AND OPERATING EXPERIENCE 6 5.1 System Description 6 5.2 Operating Experience 8 5.2.1 Preventive Maintenance 8 5.2.2 Surveillane-Iresting of EDGs 11 5.2.3 Corrective Maintenance 11 5.2.4 Comments on EDG Unavailabilities 11 6.0 TECHNICAL JUSTIFICATION FOR ACyr EXTENSION 12 6.1 Statement of Need 12 6.2 Assessment of Deterministic Factors 14 6.2.1 Station Blackout Rule 14 6.2.2 Brookhaven's Analysis of EDG Unavailability and its Risk Impacts 15 i

. l I

TABLE OF CONTENTS (cont'd) 4 Section Page 1

6.3 Annannment of Risk 17 6.3.1 Overview 17

'6.3.2 Assessment of "At Power" Risk 18 6.3.3 Assessment of Transition Risk 27 6.3.4 Annenament of Shutdown Risk 31 6.3.4.1 Assessment of Risk Trade-off 31 6.3.4.2 Assessment of Enhanced EDG Reliability 32 6.3.5 Annenament oflarge Early Release 35 6.3.6 Summary of Risk Assessment 37 6.4 Compen='ary Measures 37 7.0 TECHNICAL JUSTIFICATION FOR STI EXTENSION 38 8.0 PROPOSED MODIFICATIONS TO NUREG-1432 39 9.0

SUMMARY

AND CONCLUSIONS 39

10.0 REFERENCES

40 ATTACHMENT A A-1

" Mark-up" of NUREG-1432 SECTIONS 3.8.1 & B 3.8.1 ii

LIST OF TABLES Table Page 3-1

SUMMARY

OF DG MANUFACTURER AND AOTs FOR CE PWRs 3 .

5.1-1 CONFIGURATIONS OF EMERGENCY ELECTRICAL SYSTEMS FOR CE PWRS 6 5.1-2 ALTERNATE EMERGENCY POWER FOR ESSENTIAL SAFETY SYSTEMS AND SBO BATTERY POWERED COPING TIME FOR CE PWRs 7 5.2-1 EDO UNAVAILABILITY AND UNRELIABILITY 10 6.3.2-1 CEOG AM CONDITIONAL CDF CONTRIBImONS FOR EDGs - CM 24 6.3.2-2 CEOG AM CONDITIONAL CDF CONTRIBUTIONS FOR EDGs - PM 25 6.3.2-3 CEOG PROPOSED AVERAGE CDFs 26 6.3.3-1 TRANSITION RISK CONTRIBUTIONS FOR EDG CM 30 6.3.4.1-1 DAILY PLANT CORE DAMAGE PROBABILITY AT SHUTDOWN FOR A REPRESENTATIVE CE PWR 31 6.3.4.2-1 EDG MAINTENANCE VS. POTENTIAL IMPROVEMEN13 IN EDG RELIABILITY 33 6.3.4.2-2

SUMMARY

OF ANALYSIS DATA 34  ;

l l

l iii

Emergency Diesel Generator (EDG) AOT Extension 1.0 PURPOSE nis report provides the results of an evaluation of the extension of the Allowed Outage Time (AM) for a single Emergency Diesel Generator (EDG) from its present value to seven days.

The AOT is phd in the plant technical W%daas. In addition, this report provides justifications for allowing the extension of this same ACyr to 10 days on a "once-per-refueling

, cycle" frequency. His A(yr extension is sought to provide needed flexibility in the performance of both corrective and preventive maintenanm during power operation. Fwilsinore, adoption of the proposed ACyr extension reduces the risk of nwh~iuled plant shutdowns. Justification of this request is based on an integrated review and assessment of plant operations, determini=+ic/ design basis factors and plant risk.

This request for 03T extension is consistent with the objectives and the intent of the 10CFR50.65, Appendix A, "The Maintenance Rule" (Reference 1) and the draft staff guida-for incorporation of EDG reliability requirements within the Maintenance Rule (Reference 2).

nat is, the Maintenance Rule will be the vehicle which controls the actual maintenance cycle by defining unavailability and reliability performance criteria and assessing maintenance risk.

The requested AOT exten* ion will allow efficient scheduling of maintenance within the boundaries established by huplemanting the Maintenance Rule. The CE plants are in the process of implementing the Maintenance Rule, and are presently setting targets for unavailability and reliability of systems and trains. Therefore, this effort is seen as timely, supportive and integral to the Maintenance Rule program.

2.0 SCOPE OF PROPOSED CHANGES 'ID TECHNICAL SPECIFICATIONS The proposed technical specification changes address revision of existing requirements for the operation of the Emergency Diesel Generator subsystems. Specifically, the proposed changes in technical specification requirements are:

(1) In general, extend AOT for a single INOPERABLE EDG from [72] hours to 7 days.

l (2) Provide a once per fuel cycle allowance for an AOT of 10 days for a single l INOPERABLE EDG.

l l

1 l

l

1 I

3.0 BACKGROUND

In response to the NRC's initiative to improve plant safety while granting relief to v*ilitia from l those requirements that are marginal to safety, the CEOG has undertaken a program of obtaining relief from overly restrictive technient == isaa' ions. As part of this program, several technical ,

specification AMs and STIs were identified for joint action.

This report provides m.yysit for modifying the Technical Spacise=*iaan for Electric Power l Systems in order to extend the AM for a single emergency diesel generator during power 1 operation. 'Ihe CE fleet of PWRs utilize one of two possible AMs within the plant techaical specificadons (See Table 3-1). More recently da*ig=i PWRs have a 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> AM for the EDG, whereas early CE PWRs have a seven day AM. The intent of this report is to provide tachnleal justification for the extenninn of the AM for our more recent PWRs from a period of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to seven days. In addition, this document provides support for a one time per cycle )

10 day AOT extension for all CE PWRs. W intent of this modification to the AOT is to enhance overall plant safety by avoiding risks associated with unscheduled plant shutdowns and providing for increased flexibility in scheduling and performing -ry "on-line" maintenance and surveillance activities. In addition, adoption of the proposed AOT extension will provide uniformity in this AOT for CE PWRs with a minimum of two dedicated EDGs per Unit.

This report provides generic information supporting the proposed AOT changes, as well as, the ,

naca==ry plant spacin einformation to demonstrate the impact of these changes on an individual plant basis. N supporting / analytical material contained within the document is considered applicable to participating CEOG member utilities regardless of the category of their Plant .

Technical Specifications. Utilities participating in this task include Maine Yankee, Pn11anden, Ft. Calhoun Station, St. Lucie Units 1 and 2, Millstone Point 2, Waterford 3, ANO-2, San Onofre Units 2 and 3, and Palo Verde Units 1,2 and 3. Baltimore Gas and Electric's Calvert Cliffs Units are in the process of upgrading their EDG capacity to include enhaa=I redundancy of their EDGs, and the addition of a station blackout diesel generator. Therefore, Baltimote Gas and Electric is not participating in the plant specific aspects of this effort at this time.

2 e

Table 3-1

SUMMARY

OF DIESEL GENERATOR MANUFACTURER AND ALLOWED OUTAGE TIMES FOR CE PWRs Plant Manufacturer Tech Spec Type EDG AOT (Days)

ANO-2 Fairbanks Morse Standard 3 Calvert Cliffs 1 Standard 3 Calvert Cliffs 2 Standard 3 Ft. Calhoun General Motors Custont.i zed 7 Station Maine Yankee General Motors Customized 7*

Millstone 2 Fairbanks Morse Standard 3 Palisades Alco Customized 7 Palo Verde 1 Cooper Energy Services Standard 3*

Palo Verde 2 Standard 3*

Palo Verde 3 Standard 3*

San Onofre 2 General Motors Standard 3 San Onofre 3 General Motors Standard 3 St. Lucie 1 Standard 3*

St. Lucie 2 Standard 3*

Waterford 3 Cooper Energy Services Standard 3*

• For these units, surveillance testing of an alternate EDG is not required when the other EDG is deliberately rendered inoperable in order to perform pre-planned preventive maintenance.

1 3

l l

4.0

SUMMARY

OF APPLICABLE TECHNICAL SPECIFICATIONS ,

There are three distinct categories of Technia_1 SpfimHons at CE NSSS plants.

The first category is the Standard Tehnial Specifications. Through February 1995, NUREG-0212, Revision 03, commonly referred to as " Standard Tehnial Specifications," has provided a model for the general structure and content of the approved technical specifications at all other domestic CE NSSS plants.

The second category corresponds to the Improved Standard Technical Specifications (ISTS) guidance that is provided in NUREG-1432, Revision 0, dated September 1992. A licensing amendment submittal to change the Technimi Specifications for San Onofre Nuclear Generation Station Units 2 & 3 so as to implement this guidance was submitted to the NRC in D~*mhar 1993. Additionally, licensing amendment submittals are being developed that will modify the technical specifications for Pnli=% Station to implement the ISTS guidance.

The third category includes those **hnial specifications (TSs) that have structures other than those that are outlined in either NUREG-0212 or NUREG-1432. These TSs are generally referred to as " customized" technical specifications. The CE NSSS plants that currently have i

" customized" ta<hnim1 specifications are: Palisades Station, Maine Yankee Station, and Ft.

Calhoun Station.

Each of these three categories of Technical Specifications includes operating requirements for the applicable plant's emergency diesel generators (EDGs).

Table 3-1 provides a summary of the diesel generator manufacturers and allowed outage times for CE PWRs.

l l

I l

l l

I 4

l l

4.1 Standard Tachale=1 Speciftentlans

'Ite requirements for emergency diesel generators during power apaa'iaan are *=haMeJ in the requirements for Electrical Power Systems in the standard tenhnien1 enacifie='inae of NUREG-0212, Revision 03 and NUrFG 1432, Revision 0.

LCO 3.8.1 of NUREG-1432 provides the following definition for a fully OPERABLE set of AC sources for plant operatians in Modes 1 through 4:

a. Two qualified circuits between the offsite transrnianian network and the on-site Class 1E AC Electrical Power Distribution System; [and]

b. Two diesel generators (EDGs) each capable of supplying one train of the on-site Class 1E AC Electrical Power Distribution System; and

c. Automatic load sequencers for Train A and Train B.

Both LCO 3.8.1.1 of NUREG-0212, Revision 03 and LCO 3.8.1 of NUREG-1432, Revision 0 (Attachment A) allow the continuation of power operation with one inoperable emergency diesel generator for a maximum of 72 continuous hours.

Additionally, ILO 3.8.1 of NUREG-1432 (Attachment A) includes a provision that allows cont nued power operations for a maximum of six days when a contiguous series of different i

degradations of the full set of AC sources occurs. (An example is the case where one of the required offsite power circuits becomes inoperable at the same time that a diesel generator that was previously inoperable is mmusd to an OPERABLE state.)

Following a diagnosis that an EDO is INOPERABLE, an assessment or test confirming that the OPERABLE EDG is not subject to a common cause failure would be performed. If a common cause failure mode is spacLM, the OPERABLE EDG must be declared INOPERABLE and actions must be taken to restore one EDG to OPERABLE status in within a small number of hours. Inability to return one EDG to OPERABLE status results in the entry into a more restrictive 140 ACTION STATEMENT.

4.2 "Custamtwad" Technte=1 Spael&milons Customized technical specifications for the EDGs differ from the STS in the duration of the specified AM and the details of the subsequent ACTION statements. Table 3-1 indicates which CE PWRs have customized tarhaical <aarifie=' ions and lists their respective AMs.

5

.- . J

)

5.0 SYSTEM DESCRIPTION AND OPERATING EXPERIENCE

'Ihis section nummarizes EDG confis c h and opemting experience for CE PWRs. Data contained in this Section is derived from a combinarian of sources including recent plant Wne data and relevant data available from a recent EDG industry survey (Reference 3).

5.1 Systen Description The role of the EDG is to provide emergency power to amanntist safety systems in the event that all offsite power sources are lost. All CE PWRs with the exception of Calvert Cliffs Units 1 and 2 employ two dMicatM EDGs per plant. Calvert Cliffs is presently undergoing a plant upgrade to provide 2 class IE diesels per unit with a shared non-class IE eniamicaHy robust third EDG. A summary of current EDG configurations for CE PWRs is presented in Table 5.1-1.

Many CE PWRs include alternate means of providing power to some, if not all, essential safety systems. In general, CE PWRs Insiding on multiple unit sites are capable of being in. M by some of the on-site power supplies of the other unit. In addition,in the Station Blackout Rule (10CFR50.63, Reference 4 ) implementation process, many CE PWRs have inww d equipment hia, d to mitigate the consequences of a station blackout event. For example, at ANO, a

" swing" non-class 1E full capacity station blackout diesel that can ivyysit either unit has been installed. These plant features, along with the WM plant station blackout coping times are presented in Table 5.1-2.

Table 5.1-1 CONFIGUaATIONS OF EMERGENCY ELECTRICAL SYSTEMS POR CE PWRS Plant lNo.of Dedicated Ihesel EDGs Total No. of E Units per unit abared Diesels ANO-2 1 2 Noos 2 Calvert Cliffs 1&2 2 1 1 3 Fort Calhoun Stanon 1 2 N/A 2 Maine Yankee 1 2 N/A 2 Mill == 2 1 2 Nome 2 Paheedes 2 1 N/A 2 Palo Verde 1,2 A3 3 2 Noos 6 San Onofre 2 & 3 2 2 Nees 4 h

St. Lucie 1 & 2 2 2* Noos 4 Waterford 3 1 2 N/A 2

• Bach generator has two eassans 6

l Table 5.1-2 ALTERNATE EMERGENCY POWER'FOR ESSENTIAL SAFETY SYSTEMS AND STATION BLACKOUT BATTERY POWERED " COPING" TDWES FOR CE PWRS PLANT MULTIPLE BACKUP POWER UNIT 880 PLANT UNIT SITE SUPPLY CROSS TIE COPING TIME CAPABlWTY (BATTERIES ONLY) thrs)

ANO 2 Y

• swine

• Nmiam 1E station yes 8 sleekeut EDO sen provide power to ehher unho durine a stesen banekout j Calvert Cliffs 1&2 Y A ehe EDG upgrade ki ki yes 8 proerees whleh wm reeuit in 2 dodested EDes per wilt and e

• ewine* non-eines 1E banekout EDO Fort Calhoun Station N Pcs eniptove a bakw seN- N/A 4 poww.d, AFW punie IAFW-s4) and a turbine driven APW punip lFW-1ol to enobitein seedwater x " ~:, durine ,

en aso. 1 Maine Yankee N Appends R DG-2 used me N/A 4 AAc Generater Millstone 2 Y The Mastwo she inekadw a yes 12 14.4 Mw Conibueden Turbine to owpey essenmal seeny le de in the nt of sees of offehe power and less of EDGo.

Palisades N NONE N/A 4 Palo Verde 1,2 &3 Y Tim paie vnde she haiudes yes 2*

Gee Turbine emneratore to omend sao espine #enes to weg beyond 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

San Onofre 2 & 3 Y Nwninal eredt le taken for yes 4 power frwn the e,pesien unh diesel.

St. Lucie 1 & 2 Y crees en betwan **e durino yes 4 (Unit 2) bioekeut. T'= espebaty wie non eaiety 4kw busees.

e IUnit il Waterford 3 N None N/A 4

' 580 copwig based on availability of alternate AC source.

7 l

l 5.2 Operating Experience The Emergency Diesel Generators provide on-site emergency ac power in the event that all offsite power sources are lost. As a consequence, the reliability of these on-site power sources is an important factor in assuring the safety ofliaht water reactors. As a result of this concern, the NRC established the Station Blackout Rule in 1988. In the implementation of this rule, the NRC (via Regulatory Guide 1.155, Reference 5) required that all LWRs ensure the reliability of the EDGs to be greater than either .95 or .975 dependmg on the specific plart class to which the unit was considered to belong. Plant class typically reflects various factors including (1) redundancy of on-site emergency ac power systems, (2) reliability of on-site emergency power sources, (3) frequency of loss of off-site power and (4) the probable time to restore off-power.

At the time of the SBO rule, unavailability of the EDGs throughout the domestic commercial nuclear industry due to "on-line" maintenance was .007. As maintenance programs were implemented to improve EDG re2 ability, the on line out-of-service (OOS) unavailability of the EDG has increased industry-wide. A recent smvey of EDG unavailability of power operation indicates that the mean unavailability of the EDG "at power" due to preventive and corrective maintenance (PM and CM) are .0118 and .0082 respectively. Correspondingly, the unreliability of the EDGs has decreased on an industry average from about 0.020 in the early 1980's to 0.014 in the 1988 to 1991 time frame (Reference 3). Reference 3 further postulated that the increase  :

in reliability in recent years and the increase in unavailability due to maintenance may be related. l Table 5.2-1 provides a comparison of the individual and mean unavailabilities and unreliabilities )

of CE EDGs to their industry average. As a group, the EDGs at CE PWRs involved in this I study have an average EDG "at power" unavailability below the industry average. No individual CE PWR can be considered an outlier.

S.2.1 Preventive hiaintenanca Most plants in the United Stat:s ( 95%) routinely carry out scheduled PM on EDGs during power operation (see Reference 3). Preventive maintenance (PM) for EDGs encompasses a I variety of tasks including:

-Lubrication, Oil and Filter Changes

-Replacement of switches

-Calibration of equipment

-Component Cleamng

-Component Inspections

-Manufacturer upgrades l A survey of CE PWRs indicates that preventive maintenance tasks, such as those listed, can take from 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> to more than 70 hours8.101852e-4 days <br />0.0194 hours <br />1.157407e-4 weeks <br />2.6635e-5 months <br /> to complete. While certain PM tasks can be performed ,

without taking an EDG out of service (such as those involved with EDG equipment calibrations),

many PM tasks cannot be performed without declaring the applicable EDG out of service. The typical frequency of diesel generator maintenance for CE PWRs varies from less than once per 8 i

year (that is, no planned preventive maintenance) to about once every calendar quarter. The mean duration of maintenance tasks is currently less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. This is generally consistent with the observed industry trends. Reference 3 indicates that the mean PM on an EDG was 24.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> with a standard deviation of 37.6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />. This suggests that maintenance done at power frequently mmi one-half of the AOT and in about one quarter of the occurrences exceed the typical 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> AOT. ' Ibis is particularly true, if a PM uncovers equipment degradatian which' would require further maintenance. At one site, the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> AOT has been approached on nine (9) separate armions and exceeded once. This later event occurred during a weekend and required a discretionary enforcement to continue plant operation.

On a yearly basis the amount of "on-line" preventive maintenance for EDGs varies from less than I hour to a maximum of about 200 hours0.00231 days <br />0.0556 hours <br />3.306878e-4 weeks <br />7.61e-5 months <br /> per EDG for CE PWRs with a 7 day AOT for a single EDG, with the average per EDG PM equal to 135 hours0.00156 days <br />0.0375 hours <br />2.232143e-4 weeks <br />5.13675e-5 months <br />. For CE plants with a 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> AOT, the average and maximum yearly PM per EDG are 100 and 140 hours0.00162 days <br />0.0389 hours <br />2.314815e-4 weeks <br />5.327e-5 months <br /> respectively. This level of "on-line" maintenar,ce is consistent with United States industry average estimate (Reference 3) of about 100 hours0.00116 days <br />0.0278 hours <br />1.653439e-4 weeks <br />3.805e-5 months <br /> per year.

i I

l l

I j 9 l

l

i Table 5.21 EDG UNAVAILABIL2TY AND UNREIJABILITY PLANT EDG ID UNAVAILABILITY UNREllABILITY PM CM PM+CM ANO-2 3 0.0 .0041 .0041 A 0.0 .00188 .00188 R. raha- Station DG-1 .0059 0.0009 .0068 .0033 DG-2 .0044 0.0009 .0053 <.0033 Maine Yaakse DG.13 .0126 .0077 .0203 DG-1A .0134 .0012 .0146 Mha== 2 DG A .00G36 .00424 .0106 <.02*

DG-B .0006 .00424 .0106 <.02*

Pelaandw DGl.1 .0105 .0109 .0214 DGI-2 .00867 .0089 .01757 Palo Vwde ! IMDGAH01 .00936* .0051P .01458 <.01*

1MDGBH02 .00936* .0051P .0145 * <.0l*

Palo Vwde 2 2MDGBH01 .00936* .0051P .01458 <.01*

2MDGAH02 .00936" .0051P .0145" .03

• Palo Vwde 3 3MDGAH01 .009368 .0051P .01458 < .0l*

3MDGBH02 .00936" .0051P .01458 .03

• Sea Onofre 2 DG3 .0046 .0031 .00767 <.02 DG2 .0046 .0031 .00767 <.02 San Onofre 3 DG2 .0046 .0011 .00767 <.02 DG3 0.0046 .0031 .00767 <.02

k. Lucie 1 1A .0118 .0045 .0163 IB .00835 .0084 .0168 St. Imcie 2 2B .0157 .0009 .0166 2A .0109 .0000 .0109 I Waterford 3 B .0CD8 .0038 .0076 <.0l*

A .0008 .0008 .0016 <.01" CEOG MEAN DATA PLANIS WTTH 3 DAY ACT .0069 .0038 .0107 i PLANTS WTTH 7 DAY AUT .0092 .0351 .0143 CEOG GROUP .0075 .0041 .0116 l 1NDUriltY NUREG/CR-5994 (MEAN) .0118 .0082 .020 .014

. Dana *-a -d frusa kaistsace 6 3. Unrsunbalaxy dans saks fraso Raistsace ?

2. Average for all 6 uniaa i

10

. I 5.2.2 Survemance/ Testing qf EDGs ,

1 Surveilknee testing of EDGs is typically performed as required in the plant technical W~' ions. l Industry average data confirms that the durations of EDG tests are typically short (on the order of i 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />) and the total unavailability of an EDG is under 20 hours2.314815e-4 days <br />0.00556 hours <br />3.306878e-5 weeks <br />7.61e-6 months <br /> per year (See Reference 3).  ;

5.2.3 Comesire Maintenance l

Corrective maintenance refers to maintenance that is upwhduled and is therefore conditian directed.

Such maintenance can occur when the EDG fails a surveillance test or a degradation in EDG  ;

performance is noted. This definition of CM includes conditions where the EDG can perform its l safety function, as well as, cases where the safety function is affected. In either case of CM, the EDG would typically be considered to be INOPERABLE. The analysis presented in Section 6 assumes CM is performed due to inoperability of the EDG, Industry survey data suggests that corrective maintenance is performed on an EDG at a mean frequency of 3.3 times per year with a mean duration of 23.3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> and a standard deviation of 46.7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br />. The large uncertainty associated with CM clearly indistae the potential for EDG repair to exceed the existing 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> AOT. For the CEOG mamhar utilities, the yearly unavailability due l to CM is lower than 0.006 per year per EDG, regardless of the current ACTT. This low value of CM reflects a high EDG reliability and the effectiveness of existing EDG maintenance programs.

5.2.4 Comments on EDG UnavaGabWties

1 The CE fleet includes plants with both 3 and 7 day AOrs. Plants with 3 day ACyrs have a snean yearly scheduled maintenance unavailability of about 77 hours8.912037e-4 days <br />0.0214 hours <br />1.273148e-4 weeks <br />2.92985e-5 months <br /> per EDG per year compared to 132 hours0.00153 days <br />0.0367 hours <br />2.18254e-4 weeks <br />5.0226e-5 months <br /> per EDG per year for plants with a 7 day EDG ACTT. Both groups of plants show similar '

I yearly repair time outages for imehaduled maintenance (46 vs. 51 hours5.902778e-4 days <br />0.0142 hours <br />8.43254e-5 weeks <br />1.94055e-5 months <br />). In the future, all plants within the CE fleet are expected to set maximum maintenance rule targets for EDG unavailability in the .025 .03 range (220 to 260 hrs per EDG per year). 'Iherefore, adoption of a 7 day AOT for a single inoperable EDG is not expected to have a significant impact in overall EDG unavailability.

l

\

11 l

6.0 TECHNICAL JUSTIFICATION FOR AOT EXTENSION ,

I This section provides the tachnient bases for the request for the ACyr extension. h presentation I

of this informatinn generally follows the guid== in the Handbook of Methods of Risk Analyses in Technical Spfi=*iaas (Reference 8 ).

6.1 St=*w of Need W EDGs provide on-site emergency alternating current (ac) electric power to a nuclear plant in the event all off-site power sources are lost. 'Ihe iv -scer of this equipment to plant safety has resulted in the "Statina Blacknut Rule", which among other features, zequired that the reliability of EDGs reliability be acceptably high. In the implementation process, Regulatory Guide 1.155 I specified target reliability values of .95 and .975 et upon a set of defined criteria. In I response to m*ing these reliability goals, many reactor sites implemented or extanded EDG ] '

surveillances and "on-line" PM activities.

The panidpating CEOG utilities request that the present EDG AOT be uniformly extended as follows:

(1) Extend AOT for a single INOPERABLE EDG from [72] hours to [7] days.

1 and, j l'

(2) Provide a once per fuel cycle allowance for an ACTr of 10 days for a single INOPERABLE EDG.

Implementation of this AOT modification will:

1 (1) Allow increased flexibility in the scheduling and performance of preventive maintenance . -1 (2) Reduce the number of individual entries into LCO action statements by providing sufficient time to perform related maintenance tasks within a single entry.

(3) Reduce stress on plant maintenance personnel by allowing adequate time to perform i the more complicated maintenance activities (including those ==v ia'~I with EDG manufacturer recommended surveillances and upgrades)

(4) Enable the plant to minimize EDG operability restoration time by scheduling maintenance which de-emphasizes multiple simultaneous EDG tasks (resulting in potentially long nunciated restoration times). By emph==inne single or combined repairs and inspections, there will be shorter times for EDG restoration.

1 12 l

l

. 1 (5) Allow the plant to better control maintenanem taaks between power and shutdown operation thereby increasing EDG reliability both "at power" and in the early (risk I

dominant) stages of shutdown.

I (6) Avert ....i.tard plant shutdown and minimize potential for requests for Notices of j Enforemment Discretion (NOEDs). Risks incurred by av# plant shutdowns -

I can be comparable to and often exceed those =*eacintM with continued power operation.

(7) Improve EDG availability during shutdown modes. I l

The mean EDG PM or CM is about 1 day with a standard deviation of nearly 2 days. Therefore, I industry-wide, a large number of corrective maintenance events would be arp~~I to ch.naage the I existing 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> A(7r. This difficulty has been noted at various CE sites. At one CE site, it was I reported that the existing EDG AOT was nearly arceMM nine (9) times and, actually exceeded once requiring a discretionary enforcement to continue plant operation.

Plants with erietiag 7 day AOTs report that their present EDG AOT is adequate for most EDG repairs. However, instances have ce.M when a 7 day AOT is inadequate. Such an event occurred at a CEOG utility (Reference 11) which required a one time emergency change to the Technical Specificatians extending the EDG ACyr to 10 days to allow completion of mpair of a cracked cylinder head. Implementation of a 10 day ACyr on a once per cycle basis will allow the plant to continue apa=h while repairing a non-functional EDG 'Ibe once per cycle extanninn is not expected to expand the level of PM or CM to be performed at any plant. It is W to provide margin to ensure that serious EDG degradations uncovered during equipment sury.m.ac. )

or a scheduled PM can be successfully completed without ex~~iiag the plant LCO ACTION  !

STATEMENT. "At power" operation provides a resource rich environment for accident I management and miaimi== the risk ofinitiating loss of power and loss of feedwater events that can l accompany a forced shutdown. It is also possible that, under certain controlled conditions (such as 1 availability of a full capacity " swing" EDG or alternate AC power source), the 10 day per cycle AOT extension may be entered following unanticipated delays encountered in performing a EDG preventive maintenance activity.

13

I

! 6.2 A=====wn* of Deterininlette Factors The Emergency Diesel Generators (EDGs) provide on-site alternating current (ac) electric power in the event that all off-site power sources are lost in a nuclear power plant. .

A dedicated diesel generator is the on-site standby ac power source for each engia% safety feature power supply bus. In the event of an nihat with loss of off-site power, EDGs are designed to automatically connect to and power safeguards equipment. In addition, automatic load sequencing assures that EDGs are connected to the plant ESFs in sufficient time to provide a safe plant shutdown. In the event ofloss of preferred power EDGs are intended to provide emergency backup power for the plant essential safety feature electrical loads until such time that the preferred power supply is restored.

Each CEOG plant's EDG configuration satisfies the requirements of Regulatory Guide 1.9. Each of the diesel generators is capable of startmg, accelerating to rated speed and voltage, and connecting to its respective engineered safety feature bus on detection of bus undervoltage within a specified period of time (i.e.10 - 15 seconds). Each diesel generator is capable of accepting required loads within the loading sequence intervals assumed in the safety analyses, and continuing to operate until offsite power can be restored to the ESF buses. These capabilities exist, under a j variety of initial conditions including the diesel generator being in standby with hot engine t

temperatures, the diesel generator being in standby with the engine at ambient conditions, or the diesel generator operating in the parallel test mode.

l 6.2.1 Station Blackout Rule The loss of off-site ac power to the essential and non-essential electrical buses concurrent with turbine trip and the unavailability of the redundant on-site emergency power system, i.e. EDGs, is termed " Station Blackout". Reliability of on-site power sources is an important factor in assuring an acceptable level of plant safety. In recognition of the importance of these on-site power sources the Station Blackout (SBO) Rule was established in 1988. Guidance for implementation of the SBO rule was defined in Regulatory Guide 1.155. Specifically, the SBO rule required the licensees to:

1. Ensure the reliability of the EDG was > 0.95 (or >0.975) dependent on plant specific features.

2. Establish an EDG Reliability Program.

and, in the event of an SBO event

3. Ensure that the plant has adequate coping capability.

The station blackout (SBO) rule addressed the need for maintaining a highly reliable ac electrical power system. At the time the rule was developed, the unavailability due to maintenance was 14

estimated at 0.007. At that time it was recommended that EDGs be reliable and that maintenance unavailability be kept low by performing the maintenance at plant shutdown.

Over the past decade the utilities have begun programs to improve the reliability of the EDGs via regular preventive maintenance. As a result oflengthening of the time between refuelings some of this maintenance was performed at power. Furthermore, recent shutdown risk nuruments suggest that shutdown risks are in general comparable to those of power operation, resulting in questions about the benefit of delaying PM on EDGs to shutdown conditions. This increase in "on-line" PM has resulted in an increase in maintenance unavailability to 0.02 with a corresponding industry-wide increase in EDG rehability from 0.98 to 0.986.

6.2.2 Brookhaven's Analysis of EDG Unavailabilty and its Risk Impacts The safety implications of performing EDG maintenance at power was investigated by Brookhaven National Laboratory (BNL). The BNL report (Reference 3), which is discuurd below, invectigated:

1. The sensitivity of the plant core damage frequency (CDF) to maintenance and the probability of failure to start and run on demand.

2. The relative benefits of performing maintenance at power vs shutdovm.

The analysis found that the increased CDF level during maintenance, as well as the duration of the maintenance are important factors in the assessment of the risk impact of EDG unavailability due to maintenance. The integrated risk impact over the duration is calculated as the product of the increased CDF and the maintenance duration.

It was concluded that dudng power opemtion, changes in CDF are more sensitive to failures to start and run than to EDG maintenance unavailability. Specifically, it was concluded that EDG failure unavailability has a factor of 2.6 greater impact on the CDF than does the "at power" maintenance unavailability (Reference 6). Furthermore, an increase in unavailability to .02 per EDG per year had no significant impact on plant risk (i.e. CDF). If one presumes that the increase in maintenance related unavailability is offset by a decrease in the failure to start and load-run unavailability, the net impact on the CDF would be beneficial. l This report also developed insights for scheduling EDG preventive maintenance items (PMs). PMs were divided into three categories:

(1) Scheduled PMs that need to be performed at an interval less than 18 months, (2) Scheduled PMs that need to be performed at an interval of 18 months or longer, (3) Condition-directed PMs, based on test results, as needed to correct degradations of j equipment which may lead to failures. 1 15

BNL recomr* that short duration PMs be performed at power. Imger duration PMs were recommended to be scheduled during the later portion of the refueling outage when the risk impact is relatively low. Risks associated with EDG maintenance during the early, low inventory shutdown modes were found to be generally comparable to that of performing the maintenance at power.

For condition-directed PMs (and cms), somewhat longer maintenance outages may be allowed during power operation since a plant shutdown, in this case, involves the additional risk of maneuvering to a safe shutdown state.

Insights obtained from this and ma-i=W efforts were presented in a memorandum for 'Ihomas E.

Murley from Eric S. Beckjord in Research Information I.etter Number 173 entitled " Risk-based Methods to Evaluate Requirements in Technical SMMons" (Reference 9). The memorandum stated that schedt. ling DG maintenance during power operation is risk neutral for preventive maintenances of short duration and they can be scheduled during power operation.

Results of the CEOG plant specific analyses presented in Sections 6.3.2 through 6.3.5 are in general agreement with those of the BNL study. When the full scope of plant risk is considered, the risks incurred by extending the AOT for either corrective or preventive ma'mtenance will be substantially offset by plant benefits associated with avoiding unnecessary plant transitions and/or by reducing risks during plant shutdown operations, improved EDG reliability upon entering shutdown, and implementation of compensatory measures. The combined CEOG results indicate that the risk of performing EDG maintenance at power varies from risk beneficial to risk neutral Wing upon the duration and type of maintenance.

16

6.3 A-nt of Risk 6.3.1 Overview The purpose of this section is to provide an integrated nuestment of the overall plant risk naar intart with the adoption of the proposed ACT extension. 'Ibe methodology used to evaluate the EDG System AOT extension was based in part on a draft version of the "Fansthook of Methods for Risk-Based Analyses of Technical Specifications" (Reference 8) and related industry guidance. As guidance for the acceptability of a Tech Spec modification, Reference 8 noted that any proposed Technica' Specification change (and the ultimate change package) should either:

(1) be risk neutral, OR (2) result in a decrease in plant risk (via " risk trade-off considerations"), OR (3) result in a negligible (to small) increase in plant risk.

AND (4) be needed for utility to more efficiently and/or more safely manage plant operations.

A statement of need has been provided in Section 6.1. This section addresses the risk aspects of the proposed AOT extension.

In this evaluation, a risk assessment of the EDG AOT extension is performed with consideration of n@t~i "at power", " transition" and " shutdown". The assessment includes <=idaration of risk increase associated with potential increased EDG unavailability and the n= ia'~i risk benefits due to avoiding a forced mode transition, improvements in EDG reliability and performing the same maintenance at shutdown (see below).

Section 6.3.2 provides an assessment of the increased risk associated with continued operation with a single EDG out of service (OOS) for preventive and corrective maintenance. The evaluation of the "at power" risk increment resulting from the extended AOT w2s evaluated on a plant specific basis using the most current individual plant PSAs as their respective baselines. Plant specific evaluations were performed by each participating utility. Results of these evaluations were then compared using appropriate risk measures as prescribed in Reference 8.

Section 6.3.3 aseset the risk of transitioning the plant from Mode 1 into a lower mode with a single EDG inoperable. The "at power" risk assessment presented in Section 6.3.2 provides an evaluation of continued operation of the plant with an extended EDG AOT for the purpose of

performing corrective maintenance on the EDG. A conservative lower bound estimate of this risk was evaluated by modifying the reactor trip core melt scenario for a representative CE PWR. Based on this analysis, a core damage probability for the plant shutdown was established and compared to the single AOT risk associated with continued operation.

17 i

I

De relative risk of EDG PM for "at power" and "at shutdown" conditions is provided in Section 6.3.4.1. Recent experience has shown that the risk of maintaining the reactor in a shutdown condition can rival that of power operation.

EDG PM programs have been effective in reducing EDG unavailability due to failure to start and load-run. Mon 6.3.4.2 provides a demonstration of the risk reduction possible by implementing i a planned "on-line" PM program. In that analysis e parametric study is performed to demonstate l the impact of modest (10 to 30%) improvements in EDG reliability on decreased plant risk. l For completeness, the impact of the extended AOT on the plant large early release fraction is qualitatively a"**=l. ne ==mernent includes an evaluation of the events leading to large early  ;

fission product releases and the role of the EDG in the mitigation of those events. His assessment '

is presented in Section 6.3.5.

l 6.3.2 Assessment of "At Power" Risk Methodology i

This section provides an assessment of the increased risk associated with continued operation with a single EDG out of service (OOS). The evaluation of the "at power" risk increment resulting from the extended EDG AOT was evaluated on a plant specific basis using the most current individual plant PSAs for their respective baselines. Plant specific evaluations were performed by each participating utility. Results of these evaluations were then compared using the following risk measures (from Reference 8):

Avemge Core Damage Frequency (CDF): The average CDF represents the frequency of core-damage occurring. In a PSA, the CDF is obtained using mr.an unavailabilities for all standby-system components.

Core Damage Probability (CDP): The CDP represents the probability of core-damage occurring. Core-damage probability is approximated by multiplying core-damage frequency i

by a time period.

Conditional Core-Damage Frequency (CCDF): The Conditional CDP is the Core Damage Frequency (CDF) conditional upon some event, such as the outage of equipment. Itis calculated by re-quantifying the cutsets after adjusting the unavailabilities of those basic events associated with the inoperable equipment.

18

l f' q 4

, Iscresar is Cm Damage Msquency (ACDF): The increase in CDF represents the difference between the CCDF evaluated for one train of equipment snailab]s minun the

. CCDF evaluated for one train of equipment alwavn av=itahle. For the EDGs:

j ACDF = candkinnel CDFo nos . ennaktnnel CDFa n ,

when CDF = Con Damage Frequency (per year)

Single AOT Risk Comiribucios: The Single AM Risk contribution is the increment in risk anariated with a train being unavailable over a period of time (evaluated over either the full AM, or over the actual maintenance duration). In terms of core damage, the Single AOT Risk Contribution is the increase in probability of core-damage &ning during the AM, or outage time, from the hawline. The value is obtained by multiplying the increase in the CDF by the AOT or outage time.

Single AOT Risk = ACDF x r where, ACDF = Incmase in Core Damage Frequency (per year), and r = full AOT or actual snelatan=nea duration (years)

Yearly AOTRisk Contribuffas: The Yearly AOT risk contribution is the increase in average yearly risk from a train being unavailable accounting for the average yearly frequency of the AOT. It is the fiequency of core-damage occurring per year due to the average number of entries into the LCO Action Statement per year. The value is estimated as the product of the Single AOT Risk Contribution and the average yearly frequency (f) of entering the associated LCO Action Statement. Therefore:

Yearly AOT Risk = Single AOT Risk x f where f = frequency (events / year)

Incremental changes in these parameters are assessed to establish the risk impact of the Technical Specification change.

CeledMon of Conditional CDF, Single and Yearly AOTRisk Contributions Each CEOG utility used its current PSA to assess the Conditional CDF based on the condition that one EDG is unavailable. Each plant verified that the yywydate basic events are contained in the PSA cutsets used to determine the AOT risk contributions. ' Ibis verification was performed as the first task in calculating the Conditional CDFs. If basic events had been filtered out of the PSA cutsets, one of the two methods described below were used to ensure the calculation of Conditional CDF was correct or conservative:

19

l i

O l 1

1. Select the basic event for the failure mode of the component with the highest failure prnhahility if the test /maintanans failure mode of the component had been filtered out; or

2. Retrieve cutsets containing relevant basic events at the sequence level and merge them with the final PSA cutsets.

He Conditional CDF given 1 EDG is unavailable was obtained by performing the following steps:

1. Set basic event probability for the failure mode for an EDG equal to 1.0.

2. Set any basic event probabilities for other failure modes for that train set equal to 0.0.

3. Set basic event probability for EDG unavailable due to test and maintenance equal to 0.0.

4. For the case where the LCO Action Statement was prompted by need for Corrective Maintenance (CM) (i.e., equipment failure), adjust the other train's coiiv.sponding basic event common cause failure unavailability to the probability of failure given one train has failed (i.e., equal to the beta factor, 4, for the Multiple Greek Letter Method).

5. For Preventive Maintenance (PM) (i.e., no equipment failure), set the failure rate of the train remniaing in service to the total single train failure rate (m* eluding both l independent and common cause failure data). l

6. Requantify the PSA cutsets.

The Conditional CDF was therefore new=wl for both CM and PM. The difference between the two values is a result of the aforementioned difference in treating common cause failure. It should be noted that the definition of CM for use in the PSA is considerably more stringent than the pragmatic TAGGED INOPERABLE definition of CM used in Section 5.0. In this context, CM refers to maintenance performed on a component that cannot otherwise perform its safety function.

The Conditional CDF given 1 EDG is never out for test or maintenance was obtained by setting the basic event probability for the failure mode fc,r an EDG equal to 0.0, and requantifying the PSA cutsets. No adjustment was made to common cause failure from the value used in the haeline PSA.

He Conditional CDFs were evaluated for each EDG, and the most conservative result was used.

The Conditional CDF was then used to calculate the increase in CDF. De Single AOT Risk Contribution for each plant was then calculated for the following cases:

20

- Current full AOT,

- Proposed full AOT (both 7-day and once per cycle 1Nay),

- Mean downtime for CM, and

- Mean downtime for PM.  !

A mean downtime of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> / event was assumed for CM. For PM, the mean duration per event was calculated by dividing the proposed downtime (unavailability target, hours / year /EDG) by the proposed frequency of PM. A proposed downtime of 160 hours0.00185 days <br />0.0444 hours <br />2.645503e-4 weeks <br />6.088e-5 months <br /> / year /EDG and a frequency of 2.8 per year was ==wmed for PM. 'Ihese values are mean values presented in Reference 3. Plants with actual data available used plant specific values.

The Single AM Risk Contributions were then used to m1 & 1** the Yearly AM Risk Contributions (Single AM Risk x frequency) based on each plant's actual frequency of entry into the AM, for

l' both CM and PM. Plant specific frequencies were used in this calm 1adon for CM and PM whenever available. If not available, maintenance frequencies were assumed to be 2.5 events / year for CM, and 2.8 events / year for PM. If available data for downtime frequency did not distinguish between CM and PM, a split of 50/50 was conservatively assumed for CM/PM.

j The overall Yearly AOT Risk Contribution is assumed to be the sum of the Yearly AOT Risk i '

Contribution due to CM and the Yearly AOT Risk Contribution due to PM. Tables 6.3.2-1 and 6.3.2-2 provide the Conditional CDFs and the Single and Yearly AOT Risk Contributions for each plant for CM and PM, respectively.

At many plants both EDGs may power different equipment and therefore risk predictions will not j be symmetric. In the current analyses, the risk measures presented are those of the " worst" (i.e.

most important) EDG.

Calculation ofAnrage CDF 1 i

In order to calculate the Average CDF for the extended EDG AOT, a new value for EDG l unavailability due to test / maintenance was derived. A 2.5% unavailability was assumed, which equates to a maintenance duration of 220 hours0.00255 days <br />0.0611 hours <br />3.637566e-4 weeks <br />8.371e-5 months <br /> per year per EDG. For plants with a maintenance  ;

schedule already in place or defined, then actual plant data was used in lieu of the above

' assumptions.

i The impact on the PSA was then calculated to obtain the Average CDF for this new EDG l unavailability. This new Average CDF was then compared to the base case value in the plant's PSA. Table 6.3.2-3 provides the proposed Average CDF and the base average CDF for each plant.

21 l

l

Results The results from each plant were assimilated, and the Single AOT and Yearly AM Risks were calculated for each plant. Tables 6.3.2-1 through 6.3.2-3 present the results of these cases on a plant specific basis, and summarizes the EDG AM CDF contributions for each rlant. These risk contributions include the Cnndidaa=1 CDFs, Increase in CDF, Single AOT and Yearly AM risks for both CM and PM, based on full AOT and mean downtime, and current Average CDF and proposed Average CDP.

The results for the conditional CDF and Single AM risks presented in Table 6.3.2-1 are conservative. Specifically, the evaluation of the conditional CDF for corrective maintenance considers that the operable EDG is subject to a common cause failure for the entire duration of the AOT. In several CEOG member plant technical neifiadons it is required that either an assessment of the absence of a common cause failure mechanism or an EDG start /run test be performed following discovery of the EDG inoperability. In practice, even when the technical specifications do not require a common mode failure sitenment, it is likely that such an assessment is performed upon the discovery of the cause of the EDG inoperability. Thus, plant operation with one EDG in CM, while the OPERABLE EDG has a high likelihuvi of common cause failure, would be restricted to a narrow time window which is considerably less than the full 7 day AOT.

For CM, most CE PWRs india? that repair of a non-functional EDG results in an increase in conditional core damage frequency (CCDF) from the hawlina CDF by a factor ofless than 5. The increase in Single AOT Risk Contribution for all CE PWRs (from Table 6.3.2-1, Proposed Single AOT Risk based on a full 7 day AOT - Current Single AM Risk) varies from 0.0 (for plants that already have a 7 day AOT for EDGs) to 2.16E-06. The increase in Single AOT Risk Contribution for a Single AOT Risk based on a 10 day AOT varies from 3.38E-07 to 3.78E-06.

For all CE PWRs, declaring the EDG INOPERABLE and taking the EDG out of service for maintenance increases the conditional CDF by a factor of between 1.5 and 4. 'Ihe increase in Single  !

AOT Risk Contribution for all CE PWRs (from Table 6.3.2-2, Proposed Single AOT Risk based j on a full 7 day AM - Current Single AOT Risk) varies from 0.0 (for plants that already have a 7 )

day AOT for EDGs) to 1.38E-06. For a full 10 day AOT, the increase from Current to Proposed Single AOT Risk Contribution varies from 2.09E-07 to 2.42E-06. l As will be shown in the following sections, these risks are offset by reductions in transition and  ;

shutdown risks.

Table 6.3.2-3 summarizes the impact of the proposed AM extensions on the plant yearly core l damage frequencies. The change in the Average CDF due to increasing the EDG AOT varies from j a factor of 1.01 to 1.078. When interpreting Table 6.3.2-3, it is important to note that some plants evaluated their IPEs based on actual plant data and not on the full AOT, whereas the Proposed  ;

Average CDFs presented in the table for all plants are based on the full proposed AOT. Two plants ]

(ANO-2 and FCS) that based their IPEs on actual EDG downtimes had recent plant histories with ,

very limited EDG PM. Therefore, the change factor for these plants is overestimated. A more 1 22

1

. I appropriate estimate of the change factor can be established by evaluating the hauline PRA PM at one full ACTT per year. His value is presented in parenthesis for these plants.

Waterford Unit 3 indicates a higher impact on the CDF than other plants, his increased impact is primarily due a conservative treatment of the SBO event within the IPE. Specifically, the Waterford-3 IPE assumes that all EDG failures occur at the time of loss of offsite power (i.e. all EDG failures are conservatively assumed to be start failures). Even with this conservative Waling approach, Waterford-3 has a relatively low plant h==1iam CDF (1.54 x 104 per year). A preliminary evaluation of a more realistic approach to the treatment of EDG failures was performed to support this nueument. In this realistic method, the product of the EDG run failure probability density function and the offsite power non-recovery function was integrated over the mimmian time.

This accounts for the fact that EDG run failures can occur at any time during the mission time, including late in the sequence when the probability that offsite power will be recovered is high.

Using this realistic methodology, the expected CDF increase factor will reduce from 1.14 to 1.078 (see Table 6.3.2-3). His trane1=tas to an absolute yearly risk increase of about 1 x 10' per year.

For Waterford-3 taking the EDG out for maintenance would result in an increase in CCDFs by a factor of about 7.2 for CM and 2.9 for PM. These risks are generally comparable to those associated with the CE group as a whole.

l 23

i Table 6.3.2-1 CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR EDGs - Corrective Maintenance 1

PARAMETER ANO-2 Fort Maine Milhenne P.6.a.= Pelo San St.Imeis R. Imeie Weassford Calhnun Yankee 2 Veede Onofre 1 2 3 l 1,2, & 3 2&3  ;

I i EDG t- Crinerie l of 2 I cf 2 l of 2 l ef 2 l of 2 t e(2 l ef 2 l ef 2 l ef 2 l ef 2

. Present AUT, days 3 7 7 3 7 3 3 3 3 3 Proposed AUT, days 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 Condmonal CDP, per yr 1.26E.04 5.28E-05 1.15E44 9.43E-05 1.645 04 2.43E44 5.92E45 5.9E45 6.3E45 1.56E44 i (1 EDG unevedeble)

Conditional CDP, per yr 3.27EE I.17E-05 7.36E-05 3.24E-05 5.00E 4 4.58E45 2.69E-05 2.lE45 2.3E-05 1.50645 (1 EDG never out for T/M)

I increase in CDP per yr 9.30E4 4.IIEE 4.14E-05 6.19E45 1.14E-04 1.97E-04 3.23E-05 3.8E45 4.0845 1.41E44 i Single AUT Risk, Curreed 7.65E-07 7.88E-07 7.94E47 5.09E-07 2.19E-06 1.62E4 2.65E-07 3.lE4T 3.3E47 1.16E4 I)Singio A0T '~"

d) , (.7 dayj ft.78546. [7.885 07 3.948 07 it.19Edl65 $2[19E46" i $.78546 [U955d) $7.$E47. [7.78473 kl.10EEIEI Proposed --..-a g

,E N?

I

~

^ }h ' $. NIM 6 It'.I35 06' )N35065 ?1.70546; [3.12E216) [5.4506 i$.55547 y 11.154E3 ki.5$846 -

Dowraime Fregesney, per yr 0.63 2.5 2.5 2.5 2.0 1.8 0.63 2.5 2.5 2.5 per diesel

• 2 Yearly AUT Risk, Curvad, 4.78E-0T 1.97E46 1.98E46 1.27E-06 4.37E-06 2.92E-06 1.66E-0T 7.8EST 3.2EST 2.90E46 per yr/ diesel" <

Yearly AUT Risk, 1.12E4 1.97E-06 1.98E-06 2.97E46 4.37E46 6.8tE-06 3.87E-07 1.8E-06 1.9846 6.76E46 Proposed, per yr/ diesel" Actual Dusseion, hre/evere"* 15 24 24 24 24 24 23.8 24 24 24 Single AUT Risk 1.61E-07 1.13E-07 1.13E47 1.70E47 3.12E.07 5.40E-07 8.78E-08 1.0E47 1.lE-07 3.9684T (based on acemet dese)

Yearly AUT Ruk/yr/ diesel" 1.00EST 2.82E-07 2.84E47 4.24E47 6.25E-07 9.72E-07 5.48E-08 2.6E4T 2.7EST 9.66E47 (based on scount deae)

• Genene dein = 2.5 per yr per diesel

• • Value ,. " for worst esso diseel

• • • Genene desa = 24 hre/evest 24 .

l l Table 6.3.2-2 i

CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR EDGs - Preventive Maintenance I

PARAMETER ANO.2 Fort Meine MiEssons Pahmadse Palo San St.laseis St. Lascie Weessised 3 Calhoun Yankee 2 Venie Onofre 1 2 3 j.

1,2, & 3 2&3

EDG 9 - Criteria l of 2. I of 2 t o(2 l ef 2 l of 2 l of 2 l of 2 l ef 2 l of 2 l ef 2 Puseet AUT, days 3 7 3 3 7 3 3 3 3 3 _

i l Propoemd AUT, days 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10

Conditional CDP, per yr 1.0lE-04 3.71E4 1.13E-04 8.5BE-05 1.57E-04 1.72E-04 5.4 tE-05 4.1E4 4.7E45 6.76E4 (1 EDG unevesimble) i Conditional CDP, per yr 3.27E-05 1.17E-05 7.36E-05 3.24E45 5.00E-05 4.58E45 2.69E-05 2.lE45 2.3E45 1.50E-05 (1 EDO never eut for T/M)

Ineness in CDP, per yr 6.36E-05 2.54E-05 3.94E-05 5.34E-05 1 0TE-04 1.26E44 2.72E-05 2.0E45 2.4E45 5.26E45 Single AUT Risk, Corne4 5.64E4T 4.87EST 7.56EST 4.39E4F 2.05E4 1.04E 4 2.24E4T 1.6E47 2.8EST 4.32EST l Jr.Y31dgld Aci' Rk" nod 7 dsh 1 Ti.32E46: M.87E4T II.$584TI (1.E184 ' 2.G58 06 ?2.42646i 75.22B4 I5.854p} Id350T$ 60iR45Y 7

j 4 j Parcady{ .

j,,,, ,? ,,,,,,77 g,,,,, { g,g,,,,; T,,,3g,, {3.siEg } 7355.Si] ii.ss4Tfh f ishh yi.44sas ,  ;

Desmtirne Psequency, per yr* 2.0 2.8 2.8 2.8 4.0 3.0 1.25 2.8 2.8 2.8 Yearly AUT Risk, Current, per yr/ diesel ** 1.13E-06 1.36E.06 2.12E-06 1.23E46 8.2tE 06 3.IIE-06 2.79EST 4.6E4T 5.5EST 1.2tE-06 l

Yearly AUT Risk Propoemd, per yr/ diesel" 2.63E-06 1.36E-06 2.12E-06 2.87E-06 8.21E-06 7.26E-06 6.52E47 1.IE-06 1.3E46 2.82E-06

, t

[ Propoemd Downtune bruttremi/yr"* 192 160 175 144 192 160 114.75 240 240 140 Aceuel Durusson bru/evesa*** 96 57 63 51 48 53 92 06 06 50 Single AUT Risk 7.52E-07 1.66E-07 2.81E47 3.14EST 5.86E47 7.6BEST 2.85E-07 2.0847 2.4E47 3.00E-ST l (based on actual duretson)

Yearly AUT Risk /yr/ diesel" 1.50E-06 4.64E4T 7.87E47 8.78E-07 2.35E-06 2.3 tE46 3.56E4T 5.5E4T 6.6E47 8.4tE4T (based on actual duistion)

• onnene dama - 2.s per yr per diesel *" Durseson (hralevema) = Pseposed DouWune C .",.)E ,- - , (sveseslyd

• • Veless yseemsmed are for woest ease diesel **** Osnans emaa = 220 hen /yn/ diesel i

1

I i

Table 6.3.2-3 l CEOG PROPOSED AVERAGE CDFs '

PARAMETER ANO-2 Port Mains Milheens Ph Pelo see St. Immis R. Imeis Weemrfeed Calhanen Yankes 2 Verde Onofre 1 2 3

1. 2. & 3 2&3 EDG h criseris I of 2 l of 2 l ef 2 t of 2 t o(2 l ef 2 1 of 2 I of 2 l ef 2 l ef 2 1

) Present AUT. days 3 7 7 3 7 3 3 3 3 3 i

) Proposed AUT days 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 i Prepoemd Dewmanene, hrefyr 219 220 235 168 240 220 220 264 264 200 Average CDP (bass), per yr 3.28E-05 1.18E-05 7.40E45 3.4 tE-05 5.158-05 4.74E45 2.74E-05 2.14E45 2.35545 1.54E45 Propoemd Average CDP 3.50E45" 1.27E-05" 7.45E45 3.50E-05 5.28E45 4.85E-05 2.06E-05 2.2E-05 2.4E45 1.75845 Change factor front bensbne 1.UT" 1.0B*" 1.01 1.03 1.03 1.02 1.04 1.G2 1.02 1.14##

CDP (1.05) (1.02) (1.078) i

• Genene duas = 220 hrefyr/dienst

• • The Proyeesd Averego CDP is pseessmed here is bened on weing the Aill AUT wheeses the he=d== IPE Average CDP was bened on seemet ylent enes which had very Ibtle P94 on Ems (ess Tahls 5.2-1).

• The Noenbers in ;_ supeesesst % change froni bensiins IPE if the baseline IPE wee evalented over the fur AUT.

• • See peas 25 for d- of somshe 4

l 4

l 26 .

l .'

i l

l 6.3.3 Asressment qf Densition Jtisk For any given ACyr extannian, there is theoretically an "at power" increase in risk ===intM with it. This increase may be negligible or significant. A complete approach to assessing the change in risk accounts for the effects of avoided shutdown, or " transition risk". Tranntinn Risk asy.ats the risk associated with reducing power and going to hot or cold shutdown following equipment failure; in this case, one EDG unavailable. Transition risk is ofinterest in under=+=ading the tradeoff between shutting down the plant and raaring the EDG to operability while the plant continues operation. The risk of transitioning from "at power" to a shutdown mode must be balanced against the risk of continued operation and performing corrective maintenance while the plant is at power.

l To illustrate this point, a 1spiwtative CE PWR has performed an analysis for transition risk j associated with one inoperable EDG. The methodology and results obtained by this plant are  !

presented below and are considered generically applicable to the other CE plants.

Methodology The philosophy behind the transition risk analysis is that if a plant component becomes unavailable, the CDF will increase since less equipment is now available to respond to a transient if one were to occur. However, as long as the plant remains at power, this CDF is constant. At the point in time that a decision is made to shut down, the CDF increases since a " transient" (manual shutdown) has now occurred, and the equipment is still out of service. .

The Core Damage Probability (CDP) n== intM with the risk of plant transition from plant full power operation to shutdown is obtained by modifying the " uncomplicated reactor trip" core damage scenario in the PSA model. In this evaluation the incremental risk is dominated by the increased likalihand of loss of main feedwater and the reliance on auxiliary (and/or emergency) feedwater to avert a core damage event. A cutset editor was used to adjust cutsets representing manual shutdown or mi=11= nanus plant trips to reflect the CDP ===intM with a forced shutdown assuming one EDG is out of service and requantifying the PSA cutsets. Conservatisms that had been included in the base PSA model were deleted to reflect the greater control that the plant staff has in the shutdown process. Specifically, the baseline PSA assumed total loss of main feedwater (MFW) within 30 minutes of reactor trip. In the transition analysis, MFW was assumed to be recoverable following failure of Auxiliary Feedwater. A human error probability (value of 0.1) was added to cutsets that contained no basic events, including human actions, that would cause MFW to be unavailable. The duration of the transition pivcess was assumed to be 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to hot standby and 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to hot shutdown), and result in a Mode 3 or Mode 4 end state with core cooling provided via the steam generators.

Additional human errors that would be associated with a detailed portrayal of the shutdown process and the entry into shutdown cooling were not included in order to establish a conservative lower bound nueument of the transition risk. Errors of commission, such as diversion of RCS flow during SDC valve alignment, are also not considered in this analysis.

27

Such errors would add to the disadvantages of the shutdown alternative, and therefore, to include them would be non-conservative for the purpose of this comparison. Similarly, any transitional risks maneintM with the return to plant operation are conservatively neglected.

Based on the above methodology the CDP ===ein*M with the lower mode transition was calculated for the representative plant to be 1.00FA6. Results of transition risk analyses can be generalized for the other CE PWRs by assuming that the ratio of the CDP for Transition Risk to the baseline Average CDF is constant for all plants. The haealina CDFs were selected rather than the Conditional CDFs for the ratio Imw the other CE plants because the analysis for the representative plant indicated that transition risk was more a function ofI.oss of MFW rather than a function of the specific equipment out of service, i That is, A CDP, u = (CDFyCDF,p

• ACDPa ,,,,,,p) where:

I ACDPn p = Incremental risk due to mode transition for plant  !

CDF , = Rawlina CDF for plant l C D F,,,, p = Representative plant baseline CDF  !

C D P a ,,,,,,, , = Incrunental risk due to mode transition for representative plant The transition risk may be used to evaluate the relative risks of performing EDG repair at power to that of performing the same repair at some lower mode. The risk of continued operation for the full duration of the AOT is bounded by the single AOT risk for CM (if a common cause failure is swad) and by the single ACTr risk for PM when common cause failure can be ruled out. The comparable risk of the alternate maintenance option involves consideration of four distinct risk components:

(1) Risk of remaining at power prior to initiating the lower mode transition.

This risk will vary depending on the ability of the staff to diagnose the EDG fault and the confidence of the operatmg staff to expeditiously complete the repair. The time interval for power operation with a degraded component, prior to mode transition will vary from one to several days.

1 (2) Risk of lower mode transition. l l

This risk is accumulated over a short time interval (approximately 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />).

(3) Risk of continued lower mode operation with an impaired EDG.

28

In this mode, the reactor is shutdown and the core is generating decay power only.

However, risks in this mode remain eigninaat. DMia: on the particular operatinant mode, resources to cope with plant trannients will typically be less than at power. 'Ihese modes are characterized by decreased restrictions on system operability, longer times for operator recovery actions, lower initiating frequency for pressure driven initiators (such as LOCA) and a greater Asqw.cy for plant transients such as those initiated by loss of offsite power and loss of main feedwater. ,

(4) Risk of return to power The power senaneinn procedure is a well controlled trarinient. Reference 8 ~=~pa=lly discusses that risks associated with this transition are greater than those associated with at power operation, but mignisantly below that n<wintM with the initial lower mode transition (item 2).

The analysis of transition risk presented in this report quantifies only the risk of lower mode

, transition (item 2).

Resuks Table 6.3.3-1 presents the risk newinted with transitioning the plant to a lower mode for each plant. The numbers in the table ..y.w.t only the lower mode transition risk component of the transition sequence (item 2). The risk newintM with the transition portion represents a significant fraction of the risk that would be incurred for a seven day "at power" (Single ACT Risk from Tables 6.3.2-1 and 6.3.2-2) EDG maintenance period.

When the risk at power and the risk at the lower mode of operation are comparable, then these results indicate that performing a 7 day EDG maintenance activity "at power" would be risk i beneficial.

29 i

i

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ ~ . . . _ - . - - . . , _ . _ . _ . . . -. . . _ ~ _ -- . - . ,, ,...r._ ,,1

r i

Table 6.3.3-1 TRANSITION RISK CONTRIBUTIONS FOR EDG CM PLANT Transition Risk Contribution

@ CDP) i.i;0-2 6.92E-07 i

Fort Calhoun Station 2.49E-07 Maine Yankee 1.56E-06 Millstone 2 7.19E47 Palisades 1.09E-06 Palo Verde 1,2 & 3 1.00E-06 San Onofre 2 & 3 5.78E 07 St. Lucie 1 4.5E-07 St. Lucie 2 5.0E-07 l Wieduid 3 3.25E-07 l

30

I i.*

1 6.3.4 Assessment of Shutdown Risk

6.3.4.1 Assessment ofRisk-hadeof

! The risk of EDG maintenance at shutdown was inva%nwl using the shutdown PSA of a CEOG participant. This study was directed at estimating the advantage of performing EDG maintenance at power by estimating the corollary impact of performing the same PM during shutdown. Shutdown risks were evaluated for two shutdown configurations: Mode 5 mid-loop operation (representative of the early reduced inventory phase of the shutdown) and for a condition i pistative of a spent fuel pool operation with a complete fuel off-load. The impact of EDG PM was nuetwi by analyzing the incremental reduction in core damage probability (CDP) when two EDGs are available vs. the plant operating state when one EDG is operable and available while the second EDG is undergoing maintenance. Recovery of offsite power was considered. However, recovery of failed orinoperable EDGs was assumed not to occur in time to avert core damage.

Results Results of this investigation are summarized in Table 6.3.5-1. The tabular information is presented in terms of the daily core damage probability. The daily CDP is assumed applicable anytime while the plant is in the shutdown mode analyzed.

Maintenance of the EDGs early in the shutdown operation and while the plant is at reduced inventory (e.g. mid-loop operation), results in an incremental risk of core damage equal to about 1.2 x 104 per day while the EDG is inoperable. In this instance, the high impact of the EDG is a result of the short time expected to core damage. Late in the sequence the shutdown PSA predicts a similar trend for the EDG importance (1.7 x 104 per day). This later evaluation further assumed that once the fuel in the spent fuel pool uncovers (about 70 hours8.101852e-4 days <br />0.0194 hours <br />1.157407e-4 weeks <br />2.6635e-5 months <br /> into the event), efforts to refill the spent fuel pool would be unsnecenful. 'Ihese events can be further complicated in that failure of fuel during shutdown can result in higher radiation exposures than similar events occurring at power in a closed containment.

TABLE 6.3.4.1-1 DAILY PLANT CORE DAMAGE PROBABILITY AT SHUTDOWN FOR A REPRESENTATIVE CE PWR CONDITION NO PM 1 EDO IN PM INCREMENT M (2 EDGs AVAILABLE) CDP REDUCED INVENTORY 1.04 X 104 2.26 X 104 1.2 X 104 l (MID-LOOP) l SPENT FUEL POOL 5.1 X 104 4.36 X 104 3.8 X 104 31

Conclusion Early in the shutdown, risk of PM is generally equivalent to that for similar maintenance at power. At later times, incremental risks ==wintad with EDG PM may be optimieny expect to be lower than what is reported in this annenament- However, these risks cannot be neglected and may be comparable to that of power operation.

6.U.2 Assessment ofEnhanced EDG Reliability Reference 2 noted that over the past several year: "on-line" PM on EDGs has increased. During the same time interval, the unreliability of the EDGs has also decreased. While a precise relationship between the PM process and EDG reliability has not been established there appears to be a positive correlation between increased PM performed in recent years and the enhanced EDO reliability which has been observed. While not all PM activities will directly impact EDG reliability, certain PM originating from plant reliability improvement programs and including manufacturer suggested inWons and modifications do likely have a beneficial effect. '1his section explores the risk impact of small to modest increases in EDG reliability on risk "at power" and on rkk during the early low inventory phases of a plant shutdown.

"At Power" Risk Assessment An analysis was performed to determine what increase in EDG reliability would be required in  !

order to offset the risk increment newinted with 5 days (120 hrs) of "on line" maintenance. l The five day interval generally bounds the average PM unavailability for the CE PWRs. l Assumptions employed in the analysis are as follows:  !

1. The nominal EDG failure probability to start and load /run for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> is .09 per demand, )

and

2. The reliability benefit is reali7ed for six months out of a year.

In this assessment the risk increment incurred by removing one EDG from service for a 5 day "at power" repair period was related to the integrated reduction in risk achieved by improving the EDG reliability (reducing the failure to start and failure to load and run values) by 10,20 and 30%.

Results of this assessment are summarized in Table 6.3.4-1. Comparing the risks of at power PM with risk reductions due to reliability improvements, it is apparent that a PM program that improves the average performance of the EDG by 15% offsets the risk of EDG unavailability due to PM.

32

e Table 6.3.4.2-1 EDG MAINTENANCE VS. PCTTENTIAL IMPROVEMENTS IN EDG RELIABILITY Yearly Risk Increase due to Risk Reduction at Power due to Reliability improvement 120 hrs of "at power" PM 10 % 20 % 30 %

3.4 X 107 2.3 X 1&7 4.9 X 177 7 X 177 Shutdown Risk Assessment It has been shown in Section 6.3.4.1 that a modest improvement in EDG reliability from performing PM probably offsets the contribution to the "at power" risk from having an EDG out of service to perform the PM. A second benefit of performing on-line EDG Preventive Maintenance (PM) is that upon entering shutdown modes, the EDGs will have a greater reliability than if maintenance had been done at the end of a refueling outage. To assess this effect, it is assumed that "at power" PM will result in a 15% improvement in the EDG reliability. In other words, the fact that the PM is performed several months closer to the time i the EDG is needed is e-m~i to result in a 15% lower failure probability.

Additional assumptions employed in this analysis are as follows:

l

1. dy initiating event that is considered to be DG reliability is the Loss of Offsite Power.

l

2. Reduced inventory operation is assumed for 7 days  !

l

3. No other alternate ac is credited.

I

4. Core damage occurs 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after LOOP.

5. Recovery of offsite power is credited based on Reference 10.

f The data used in the calculation is summarized in Table 6.3.4-2. l 33

1 1

., l l

TABLE 6.3A.2 2

SUMMARY

OF ANALYSIS DATA  ;

Probabihty of ED01 to Fall to start and Imad (new) Pa== .014 Probability of EDG1 to Fail to Start and Imad (Oiven PM) Pru .012 Probabihty ofImes of Offsite Pour over the interval of PN

.004 reduced inventory OPERATION Probability to Recover Off-site Pour in 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> Pacu 0.58 Common cause failure of EDO2 given failure of EDG1 @ .05 Applying these assumptions, the impact of EDG reliability improvement on the risk reduction at shutdown can be approximated. The ACDP for a shutdown with reduced inventory operation is approximated as:

ACDP% =Pm(Ay(1-Pa)

WHERE, Azoo = (Pd +Pyp)-(P,,)2_pru(E) 34

Substituting values from Table 6.3.4-2 into the above relation results in an antimated risk reduction benefit at shutdown of 2.6 x 104 For longer periods at reduced inventory, or if batteries are unavailable, the net risk benefit would wi++g+ Sagly increase.

Assessment qf Trade etfbetween PM at power and impnmed EDG Reliability Parametric evaluatiana p.===4 in sections 6.3.4.1 and 6.3A.2 indiente that PM that results i

in modest improvements in EDG reliability over the long term can more than offset the short term risk from having an EDG out of service to g-form the PM.

6.3.5 Assessment oflarge Eady Release A review oflarge early release scenarios for the CE PWRs indicates that early relenws arise as a result of one of the following class of scenarios:

1. Containment Bypass Events These events include interfacing system LOCAs and steam generator tube l ruptures (SGTRs) with a concomitant loss of SG inalatian (e.g. stuck open '

MSSV), )

2. Severe Accidents accompanied by loss of containment isolation These events include any severe accident in conjunction with an initially unisolated containment.

3. Cantniament Failure associated with Energetic events in the Containment.

Events causing containment failure include those associated with the High Pressure Melt Ejection (HPME) phenomena (lactading direct contamment heating (DCH)) and hydrogen conflagrations / detonations.

Of the three release categories, Class 1 tends to represent a large early release with potentially direct, unscrubbed fission products, to the environment. Class 2 events encompass a range of 2 releases varying from early to late that may or may not be scrubbed. Class 3 events result in

) a high pressure failure of the containment, typically imnwliately upon or slightly after reactor vessel failure. Detailed level 2 analyses for the plant condition with an i W availability of the EDG are not performed. However, attemsment of the e tad ch.ffe in the large early release fraction was made by assauing the impact of the EDG availability on the above event categories.

35

i t

Containment Bypass Ewnts i l

Events contained in this category are not erp~ tad to significantly rely on the EDG for event i mitigation. Events included in this category are the I.arge Interfacing System LOCA (i.e. failure of an SDC line). Testing and or maintenance of EDGs will not impact the ISLOCA frequency.

ISLOCAs are characterized by a continuous and unreplenished loss of RCS inventory and makeup. In these scenarios, core damage ultimately results following the depletion of reactor coolant. - Thus, provided that a continuous indapaadaat water supply is not available during the accident, the ISLOCA will progress into early core damage regardless of the EDG availability.

Sewre Accidents accompanied by Isss of Containment Isolation l l

Another event contributing to large early fission product releneen could occur when an unmitigated severe accident occurs in conjunction with an initially unisolated containment.

Increased unavailability of the EDGs may result in a marginally greater frequency of core ,

damage events due to station blackout. Since the probability of the loss of containment isolation  !

is low, the net impact of anhnacad SBO coupled with a loss of containment isolation on the l overall plant radiological releases is considered negligible.

Containment Failure associated with Energetic events in the Containment.

Class 3 events are dominated by RCS transients that occur at high pressure. These events are typically restricted to events that initiate as a station blackout or a loss of feedwater. An increased probability of SBO induced core melts will result in a proportional increase in the SBO contribution to large early radiation releases due to direct containment heating (DCH). As a result of the conservative treatment of DCH issues in many PSAs there is a noticeable correlation between early containment failure induced by DCH and station blackout initiators.

This relationship exists since DCH containment failure is a result of a high pressure melt ejection (HPME) at reactor vessel lower head failure, and that SBO events can lead to high pressure core melts. The fraction of SBO events leading to a high pressure core melt and subsequent HPME in practicality should be small when one considers the high propensity of hot leg / surge line creep failure occurring in advance of lower head failure.

In this assessment, the impact of increased EDG maintenance unavailability on the large early releases was established by assuming that the increase in the yearly CDF (typically on the order  ;

of 1 to 10%) was totally due to an increase in unmitigated station blackout events. Furthermore, it can be conservatively assumed for the CE plants involved in this study that less the 20% of SBO events result in large early containment failures. Therefore, increased EDG on line maintenance will result in a small increase in large early containment failure scenarios.

36 l

l i

6.3.6 Summary of Risk Assessment I

The proposed increase in the EDG AOT was evaluated from the perspective of various risks associated with plant operation. For the plants evaluated, incorporation of the extended AOT )

into the technical specification can potentially result in negligible to small increases in the "at 1 power" risk. However, when the full scope of plant risk is considered, the risks incurred by extending the AOT for either corrective or preventive maintenance will be substantially offset by risk benefits associated with avoiding unnecessary plant transitions and/or by reducing risks during plant shutdown operations, and imposition of limited restrictions for performing EDG PMs.

The unavailability of one EDG was found to not significantly impact the three cbstec of events that give rise to large early releases. These include containment bypass sequences, severe accidents accompanied by loss of containment isolation, and containment failure due to energetic events in the cortainment. It is therefore concluded that increased unavailability of one EDG (as requested via Section 2) results in a negligible impact on the large early release probability for CE PWRs.

The impact of implementation of the proposed extended AOT will vary from being risk beneficial to posing a negligible increase in plant risk. The precise impact will depend on the specific circumstances of the entry into the LCO Action Statement.

6.4 Compensatory Measures As part of implementing the Maintenance Rule, each CE PWR utility has developed or is in the process of developing a method for configuration control during maintenance. If maintenance is performed on a system / train concurrent with other maintenance, the impact on risk will be evaluated prior to performing maintenance. Some plants achieve this via procedures which require that PSA evaluation is performed prior to performing maintenance. Other plants have a matrix showing the risk associated with different combinations of systems / trains unavailable due to maintenance. This matrix is used in phnmng the rolling maintenance schedule which is part of implementing the Maintenance Rule.

The following conditions / restrictions are typical of those that will be imposed on the operator governing 'at-power" maintenance procedures:

1. Do not enter the LCO Condition for voluntary inoperability of an EDG if the auxiliary systems for the diesel generator that will remain available are not fully operational (but do not require LCO entry for operability).

2. Do not voluntarily enter the EDG LCO if any component that can significantly increase plant risk is simultaneously expected to be out of service.

37

~

3. When performing extended EDG maintenance ensure that aiding remident plant alterrate AC power sources (e.g. ' swing" DGs, combustion turbines or indetly powered FW pumps) are functional.

4. Do not perform maintenance en components of the Electrical Distribution System (EDS)

(e.g., main transformer) that could significantly increase the likelihood of a LOOP initiating event while an EDG is out for maintenance. Minimize cha!!enges to the EDG.

5. Do not perform maintenance on a diesel generator if an anviliary feedwater pump and associated support system and component are unavailable.

Additional operational restrictions and cautions may include the following:

1. Schedule PM to coincide with favorable weather conditions, e.g., not during " ice" or electrical storms which may induce LOOP. Consider preservation of the grid.

2. Put procedures or pre-planned activities defming restoration of equipment in place before PM is done.

3. Hold briefmgs with appropriate plant personnel to ensum they are aware of impact associated with taking an EDG out of service.

4. Ensure availability of replacement parts and special tools, and establish procedures prior to taking an EDG out of service.

5. Check safety-related equipment in division of operable EDG for proper alignment.

6. Restrict the removal of any equipment from service during EDG maintenance.

7. Restrict main switchyard activities (maintenance or re-configuration) to life-threatening or safety-threatening responses (i.e., responding to fires) while an EDG is inoperable for maintenance.

In addition to the above, when the one time 10 day AOT is to be exercised, the plant should take all reasonable efforts to not perform concurrent voluntary maintenance activities on other plant risk significant components and should restrict any unn~-ry activities in the plant or the switchyard that can increase the risk of loss of off-site power.

7.0 TECHNICAL JUSTIFICATION FOR STI EXTENSION EDG STI extensions are not within the scope of this effort.

38 l

l

8.0 PROPOSED MODIMCATIONS TO NUREG-1432 Attachment A includes proposed changes to NUREG-1432 Sections 3.8.1 and B 3.8.1 that correspond to the findings of this report.

9.0

SUMMARY

AND CONCLUSIONS This report provides the results of an evaluation of the extension of the Allowed Outage Time (AOT) for one emergency diesel generator (EDG) contained within the current CE plant technical specifications, from its present value, to seven days. In addition, a once per cycle ACT of 10 days for corrective maintenance is also requested. This AOT extension is sought to provide needed flexibility in the performance of both corrective and preventive maintenance during power operation. Justification of this request was based on an integrated review and assessment of plant operations, deterministic / design basis factors, plant risk and EDG reliability.

Results of this study demonstrate that the proposed AOT extension provides plant operational flexibility while simultaneously adequately controlling overall plant risk.

The proposed increase in the EDG AOT to 7 days with a once per cycle 10 day ACT was evaluated from the perspective of various risks associated with plant operation. For the plants evaluated, incorporation of the extended AOT into the technical specifications potentially results in small increases in the "at power" risk. However, when the full scope of plant risk is considered, the risks incurred by extending the AOT for either corrective or preventive maintenance will be substantially offset by plant benefits associated with avoiding unnecessary plant transitions and/or by reducing risks during plant shutdown operations, improved EDG reliability upon entering shutdown, and implementation of compensatory measures.

The unavailability of one EDG was found to not significantly impact the three classes of events that give rise to large early releases. These include containment bypass sequences, severe accidents accompanied by loss of containment isolation, and containment failure due to energetic events in the containment. It is concluded that increased unavailability of an EDG (as requested via Section 2) will result in a negligible impact on the large early release probability for CE PWRs.

39

l

10.0 REFERENCES

1. 10 CFR 50.65, Appendix A, "The Maintenance Rule".

2. SECY-93 044, " Resolution of Generic Safety Issue B-56, " Diesel Gener2 tor Reliability",

letter to ACRS from J. Taylor (NRC), Felaanre 8 )

3. NUREG/CR-5944, "Espacy Diesel Generator: Maintenance and Failure Unavailability, and 'Iheir Risk Impacts", P. Samanta, et. al., BNL, November,1994.

4. 10 CFR 50.63 " Loss of all Alternating Current Power".

5. Regulatory Guide 1.155, " Station Blackout", August,1988.

6. SECY-93-044, " Resolution of Generic Safety Issue B-56, " Diesel Generator Reliability",

letter to ACRS from J. Taylor (NRC)

7. Ietter C. Shirake (NRC) to Cooper-Bessemer Working Group,

Subject:

Summary of Nov. 22,1994, Meeting", December 15, 1994.

8. NUREG/CR-6141, BNIeNUREG-52398, " Handbook of Methods for Risk-Based Analyses of Technical Specifications", P. K. Samanta, L S. Kim, T. Mankamo, and W. l E. Vesely, Published December 1994.

9. Memorandum for 'Ihomas E. Murley from Eric S. Beckjord in Research Information ,

Letter Number 173 entitled " Risk-based Methods to Evaluate Requirements in Technical Specifications", January 6,1994.

10. Advanced Light Water Reactor Utility Requirements Document, Volume II "ALWR Evolutionary Plant", Chapter 1, Appendix A, PRA Key Assumptions and Groundrules (KAG), prepared for EPRI, Rev. 3,11/91.

11. Letter Zwolinski, J. A. (NRC) to Vandewalle, D. J., Re: Emergency Diesel Generator- l Limiting Condition for Operation, LS05-85-06-006, June 5,1985 1

40

1 l

ATTAGIMENT A

-up" of NUREG-1432 SECTIONS 3.3.1 & B 3.8.1 A-1

I

+

AC Sources-Operatino  !

3.8.1  :

l ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. (continued) A.3 Restore (required] 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> offsite circuit to OPERABLE status. E days from discovery of .

failure to meet -

LC0 B, .........N0TE...---... B.1 Perfom SR 3.8.1.1 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> Required Action B.3.1 for the OPERABLE or B.3.2 shall be [ required [ offsite AND completed if this circuit (s).

Condition is entered. Once per 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />

...................... thereafter One [ required] DG M inoperable.

B.2 Declare required 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> from feature (s) supported discovery of by the inoperable DG Condition B inoperable when its concurrent with redundant required ir. operability of feature (s)is redundant inoperable. required feature (s) m B.3.1 Determine OPERABLE [24] hours DG(s) is not inoperable due to common cause failure.

98 B.3.2 Perform SR 3.8.1.2 [24] hours for OPERABLE DG(s).

M (continued)

CEOG STS 3.82 Rev. O, 09/28/92

AC Sources-Operating .

3.8.1'

• ACTIONS CONDITION REQtlIRED ACTION COMPLETION TIME y, 4 IN55tT B. (continued) 8.4 Restore [ required] DG to OPERABLE status.

DM cqS fdaysfrom discovery of failure to meet LC0 C. Two (required) offsite C.1 Declare required 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from circuits inoperable, feature (s) inoperable discovery of when its redundant Condition C required feature (s) concurrent with is inoperable. inoperability of redundant required feature (s) atul

. C.2 Restore one 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />

[ required] offsite

circuit to OPERABLE status.

(continued)-

I 1

I i

l I

l l

CEOG STS 3.8-3 Rev. O, 09/28/92

INSERT A NOTE On a once-per-refueling cycle frequency, the Completion Time for REQUIRED ACTION B.4 can be extended to "10 days AND 10 days from discovery of failure to meet LCO."

l i

l l

l 1

AC Sources-Operating i

B 3.8.1 *i i

BASES 1

ACTIONS A.3 (continued) j during any single contiguous occurrence of failing to meet I the LCO. If Condition A is entered while, for instance, a DG is inoperable, and that DG is subsequently returned OPERABLE, the LCO may already have been not met for up to CD 7 . N This could lead to a total of 33D$teufs7 since '

initial failure to meet the LCO, to restore the offsite' circuit. . At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional h (for a total nOKdays) allowed prior to complete The% day Completion Time provides Op restoration of'the LCO.

a limit on the time allowed in'a specified concitton af ter l

I discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "Afgl" connector between the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> andXday Completion Time means that both t.ompietion Times apply simultaneously, and the more O10 restrictive Completion Time must be met.

As in Required Action A.2, the Completion Time allows for an exception to the normal " time zero" for beginning the allowed outage time " clock." This will result in establishing the " time zero" at the time that the LCO was

'iriitially not met, instead of at the time Condition A was

- entered.

fld To ensure a highly reliable power source remains with an l inoperable DG, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies " perform," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered, u 1 Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that a DG is inoperable, does not result in a complete loss of safety (continued)

CEOG STS B 3.8-7 Rev. O,09/28/92 i

,,._.-..~..m.__ _ ,_ , _ _ _ _ ~ . _ . _ . , . _ . . _ . ._

P

• AC Sources-Operating l i

8 3.8.1 BASES l

ACTIONS B.3.1 and 8.3.2 ,

The Note in Condition B requires that Required Action B.3.1 or B.3.2 must be completed if Condition B is entered. The intent is that all DG inoperabilities must be investigated for cosmon cause failures regardless of how long the DG i inoperability persists.

Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be detemined that the cause of the inoperable DG does not i exist on the OPERABLE DG, SR 3.8.1.2 does not have to be performed. If the cause of inoperability exists on other DG(s), the other DG(s) would be declared inoperable upon discovery and Condition E of LCO 3.8.1 would be entered.

Once the failure is repaired, the conson cause failure no ,

longer exists and Required Action B.3.1 is satisfied. If I the cause of the initial inoperable DG cannot he confimed l

.not to exist on the remaining DG(s), perfomance of  ;

SR 3.8.1.2 suffices to provide assurance of continued ,

OPERABILITY of that DG. ,

According to Generic Letter 84-15 (Ref. 7), 24] hours is reasonable to confim that the OPERABLE DG(sj is not 1tffected by the same problem as the inoperable DG.

E.d According to E : ; M-i m __!.b

. 1.02 (^.'. S ; operation may continue in Condition B for a period that should not exceed ygf g

( I'n Condition B, the remaining OPERABLE DG and offsite circuits are adequate to supply electrical power,to the onsite Class 1E Distribution System. The 22=hsiic completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an offsite circuit is inoperable and that circuit is (continued)

CEOG STS B 3.8-9 Rev. O, 09/28/92

INSERT AA Additionally, Reference 14 states that operation may continue in Condition B for a maximum continuous period of 10 days on a once per refueling cycle frequency.

Reference 14 provides a series of deterministic and probabilistic justifications for the Completion Tunes corresponding to the periods in which continued power operations are allowed with Condition B.

+

i l

l l

o

,* AC Sources-0paratino B 3.8.1

.i BASES l

ACTIONS L_4, (continued) subsequently returned OPERABLE, the LCO may already have been not met for up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. This could lead to a total ,

m10 l

af331::hower, since initial failure to meet the LCO, to '

h., restore the DG, At this time, an offsite circuit could again become inoperable, the DG restorfd OPERABLE. and an ays) allowed prior to

~

additional 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> (for a total o complete restoration of the LCo. The,fav completion Time provides a limit on time allowed in a specified condition after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The 'A!E' connector between Q the 22::Aescind%av Completion Times means that both co6pletion Times apply simultaneously, ana tne wrc -j

.s fa restrictive Completion Time must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal " time zero" for beginning the allowed time " clock." This will result in establishing the

" time zero" at the time that the LC0 was initially not met, instead of at the time Condition B was entered.

C.1 and C.2 Required Action C.1, which applies when two offsite circuits are inoperable, is intended to provide assurance that an event with a coincident single failure will not result in a ,

complete loss of redundant required safety functions. The Completion Time for this failure of redundant required

. features is reduced to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> from that allowed for one train without offsite power (Required Action A.2). The rationale for the reduction to 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is that Regulatory >

Guide 1.93 (Ref. 6) allows a Completion Time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for two required offsite circuits inoperable, based upon the assumption that two complete safety trains are OPERABLE.

When a concurrent redundant required feature failure exists, e this assumption is not the case, and a shorter Completion Time of 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> is appropriate. These features are powered from redundant AC safety trains. This includes motor driven auxiliary feedwater pumps. Singir. train features, such as turbine driven auxiliary pumps, are not included in the list. ,

4 (continued) 8 3.8-10 Rev. O,09/28/92 CEOG S 3

AC Sources-Operatino '

B 3.8.1 BASES .

REFERENCES 3. Regulatory Guide 1.9, Rev. [3], [date] .

(continued) 4 FSAR, Chapter [6] .

5. FSAR, Chapter [15].

6. Regulatory Guide 1.93, Rev. [ ], [date] .

7. Generic Letter 84-15.

8. 10 CFR 50, Appendix A, GDC 18,

9. Regulatory Guide 1.108. Rev. [1], [ August 1977] .

10. Regulatory Guide 1.137, Rev. [ ], [date] .

11. ANSI C84.1-1982.

12. ASME, Boiler and Pressure Vessel Code,Section XI.

13. IEEE Standard 308-[1978].  ;

SET)

/_ . . .

l I

i l

CEOG STS B 3.8-33 Rev. O,09/28/92

INSERT AB

14. CE NPSD-996, "CEOG Joint Applications Report for Emergency Diesel Generator AOT Extension," April 1995

't 4

e 1

i I

l I

t

• . , - - - - . , .,