ML20086L595

Joint Applications Rept for Safety Injection Tank Aot/Sti Extension
Site: Fort Calhoun
Issue date: 05/31/1995
From: OMAHA PUBLIC POWER DISTRICT
To:
Shared Package: ML20086L589
References: CE-NPSD-994, NUDOCS 9507210257


Text

2.0 LIMITING CONDITIONS FOR OPERATION

2.3 Emergency Core Cooling System (Continued)

(2) Modification of Minimum Requirements

During power operation, the Minimum Requirements may be modified to allow one of the following conditions to be true at any one time. If the system is not restored to meet the minimum requirements within the time period specified below, the reactor shall be placed in a hot shutdown condition within 12 hours. If the minimum requirements are not met within an additional 48 hours the reactor shall be placed in a cold shutdown condition within 24 hours.

a. One low-pressure safety injection pump may be inoperable provided the pump is restored to operable status within 24 hours.

b. One high-pressure safety injection pump may be inoperable provided the pump is restored to operable status within 24 hours.

c. One shutdown heat exchanger and two of four component cooling water heat exchangers may be inoperable for a period of no more than 24 hours.

d. Any valves, interlocks or piping directly associated with one of the above components and required to function during accident conditions shall be deemed to be part of that component and shall meet the same requirements as listed for that component.

e. Any valve, interlock or piping associated with the safety injection and shutdown cooling system which is not covered under d. above but which is required to function during accident conditions may be inoperable for a period of no more than 24 hours.

f. One safety injection tank may be inoperable for reasons other than g or h below for a period of no more than 24 hours.

g. Level and pressure instrumentation on one safety injection tank may be inoperable for a period

h. One safety injection tank may be inoperable due to boron concentration not within limits for a period of no more than 72 hours.

9507210257 950711 PDR ADOCK 05000285 PDR

2-21 Amendment

2.0 LIMITING CONDITIONS FOR OPERATION

2.3 Emergency Core Cooling System (Continued)

The operable status of the various systems and components is to be demonstrated by periodic tests. A large fraction of these tests will be performed while the reactor is operating in the power range.

If a component is found to be inoperable, it will be possible in most cases to effect repairs and restore the system to full operability within a relatively short time. For a single component to be inoperable does not negate the ability of the system to perform its function. If it develops that the inoperable component is not repaired within the specified allowable time period, or a second component in the same or related system is found to be inoperable, the reactor will initially be put in the hot shutdown condition to provide for reduction of cooling requirements after a postulated loss-of-coolant accident. This will also permit improved access for repairs in some cases.

After a limited time in hot shutdown, if the malfunction(s) is not corrected, the reactor will be placed in the cold shutdown condition utilizing normal shutdown and cooldown procedures. In the cold shutdown condition, release of fission products or damage of the fuel elements is not considered possible.

The plant operating procedures will require immediate action to effect repairs of an inoperable component and therefore in most cases repairs will be completed in less than the specified allowable repair times. The limiting times to repair are intended to assure that operability of the component will be restored promptly and yet allow sufficient time to effect repairs using safe and proper procedures.

The time allowed to repair a safety injection tank is based on the deterministic and probabilistic analyses of CE NPSD-994, "CEOG Joint Applications Report for Safety Injection Tank AOT/STI Extension," May 1995. These analyses concluded that the overall risk impact of the completion times are either risk-beneficial or risk neutral.

The requirement for core cooling in case of postulated loss-of-coolant accident while in the hot shutdown condition is significantly reduced below the requirements for a postulated loss-of-coolant accident during power operation. Putting the reactor in the hot shutdown condition reduces the consequences of a loss-of-coolant accident and also allows more free access to some of the engineered safeguards components in order to effect repairs.

Failure to complete repairs within 48 hours of going to the hot shutdown condition is considered indicative of a requirement for major maintenance and, therefore, in such a case, the reactor is to be put into the cold shutdown condition.

With respect to the core cooling function, there is functional redundancy over most of the range of break sizes. The LOCA analysis confirms adequate core cooling for the break spectrum up to and including the 32 inch double-ended break assuming the safety injection capability which most adversely affects accident consequences and are defined as follows. The entire contents of all four safety injection tanks are assumed to

2-23 Amendment No. 32,39,47,

U.S. Nuclear Regulatory Commission
LIC-95-0109

ATTACHMENT B

DISCUSSION, JUSTIFICATION AND NO SIGNIFICANT HAZARDS CONSIDERATION

DISCUSSION AND JUSTIFICATION:

The Omaha Public Power District (OPPD) proposes the following revisions to the Fort Calhoun Station (FCS) Unit No. 1 Technical Specifications (TS) based on the Combustion Engineering Owners Group (CEOG) Joint Applications Report for Safety Injection Tank AOT/STI Extension, CE NPSD-994.

1. The TS 2.3(2)f allowed outage time (AOT) for a safety injection tank (SIT) determined to be inoperable due to tank level or pressure or both outside prescribed limits is proposed to be extended from one hour to 24 hours. The same AOT is applied to a SIT that is inoperable due to its isolation motor operated valve (MOV) being in other than the full open position.

2. The AOT for a SIT whose boron concentration is not within limits is proposed to be extended from 1 hour to 72 hours. A new item (h) is proposed for addition to TS 2.3(2) to clarify this requirement.

3. A paragraph is proposed for addition to the basis of TS 2.3. The paragraph will state the conclusion of CE NPSD-994 that the overall risk impact of the completion times listed above are either risk beneficial or risk neutral.

Exceptions to the CEOG Report

OPPD is not proposing the following revisions that are included in CE NPSD-994:

1. It is not proposed to revise the AOT for a SIT whose level or pressure or both cannot be verified due to malfunctioning instrumentation. OPPD has previously requested this change based on Generic Letter 93-05 in an application for amendment dated May 8, 1995.

2. It is not proposed to delete the surveillance requirement to verify boron concentration in a SIT within 6 hours following an addition of 1% or more volume. The FCS TS do not contain this requirement.

BACKGROUND

The SITs are passive pressure vessels partially filled with borated water and pressurized with a cover gas (nitrogen) to facilitate injection into the reactor vessel during the blowdown phase of a large break loss of coolant accident (LOCA). This action provides inventory to assist in accomplishing the refill stage following blowdown.

Each SIT is piped into an associated RCS cold leg via an emergency core cooling system (ECCS) line also utilized by high pressure safety injection and low pressure safety injection (HPSI and LPSI). Each SIT is isolated from the RCS, during full pressure operations, by two series check valves. Each SIT also has a normally deenergized, open motor operated isolation valve utilized to isolate the SIT from the RCS during normal cooldown and depressurization evolutions. The SITs are described in the Fort Calhoun Station Unit No. 1 Updated Safety Analysis Report, Chapter 6.2.3.5.

The SIT gas pressure and volume, water volume, and outlet pipe size are designed to allow three of the four SITs to inject the necessary volume to keep clad melt and zirc-water reaction within design assumptions following a design basis LOCA. The design assumes the loss of inventory from one SIT via the LOCA break.

DISCUSSION OF CHANGE

Industry operating experience has demonstrated that many of the causes of SIT inoperability have been diagnosed and corrected within a relatively short period of time, but often longer than the existing one hour AOT.

In several cases, the diagnosis of an inoperable SIT has resulted in plant shutdowns. A review of this operating experience, when tempered with current probabilistic safety analysis (PSA) applications, led to questioning the risk differential between application of the current technical specification action statements, with their attendant transient risks, and an extended AOT with one SIT inoperable.

If a single SIT were to be diagnosed as inoperable due to tank level or pressure or both being outside the limits established in TS 2.3(1)c, or due to the associated isolation valve in other than the fully open position, the current action statement would allow one hour to restore the tank to within limits or transition the plant to hot shutdown within the following 12 hours.

The proposed change to TS 2.3(2)f would allow 24 hours to restore operability prior to requiring a plant shutdown.

The Combustion Engineering Owners Group (CEOG) "Joint Applications Report for Safety Injection Tank AOT/STI Extension," CE NPSD-994, has demonstrated risk calculations associated with an AOT extension from one hour to 24 hours.

The results of the analyses indicate that the single and yearly AOT risk contributions are negligible, and the average core damage frequency (CDF) is virtually unchanged. A similar risk assessment was performed to evaluate "transition risk." Transition risk represents the risk associated with reducing power and going to hot or cold shutdown following equipment failure.

The results of this analysis indicate that the core damage probability (CDP) attributable to transition risk is larger than the CDP associated with continued operation of the plant at power with one SIT inoperable for the proposed AOT.

It is also proposed to revise the AOT to allow up to 72 hours for a single SIT to be inoperable due solely to boron concentration being outside the specified limit for operability. With a SIT below the minimum boron concentration limit, the reduced concentration effects on core subcriticality during core reflooding following an accident are minor.

Boiling of the ECCS water in the core during reflood concentrates the boron in the saturated liquid that remains in the core.

In addition, the volume of the SIT is still available for injection. This proposed change is consistent with NUREG-1432, Revision 0, "Standard Technical Specifications, Combustion Engineering Plants," dated September 28, 1992.

It is the conclusion of the CEOG study that the overall plant impact of the proposed changes will be either risk beneficial or risk neutral.

BASIS FOR NO SIGNIFICANT HAZARDS CONSIDERATION:

The proposed changes do not involve significant hazards consideration because operation of Fort Calhoun Station (FCS) Unit No. 1 in accordance with these changes would not:

(1) Involve a significant increase in the probability or consequences of an accident previously evaluated.

The safety injection tanks (SITs) are passive components in the emergency core cooling system. The SITs are not an accident initiator in any accident previously evaluated. Therefore, this change does not involve an increase in the probability of an accident previously evaluated.

SITs were designed to mitigate the consequences of a loss of coolant accident (LOCA). These proposed changes do not affect any of the assumptions used in deterministic LOCA analysis. Hence the consequences of accidents previously evaluated do not change.

In order to fully evaluate the effect of the SIT allowable outage time (AOT) extension, probabilistic safety analysis (PSA) methods were utilized. The results of these analyses show no significant increase in the core damage frequency. As a result, there would be no significant increase in the consequences of an accident previously evaluated. These analyses are detailed in CE NPSD-994, "Combustion Engineering Owners Group Joint Applications Report for Safety Injection Tank AOT/STI Extension."

The AOT extension based upon boron concentration outside the prescribed limits does not involve a significant increase in the consequences of an accident as evaluated and approved by the NRC in NUREG-1432, "Standard Technical Specifications for Combustion Engineering Plants." This proposed change is applicable to FCS.

Therefore, the proposed changes would not increase the probability or consequences of any accident previously evaluated.

(2) Create the possibility of a new or different kind of accident from any accident previously evaluated.

There will be no physical alterations to the plant configuration, changes to setpoint values, or changes to the implementation of setpoints or limits as a result of these proposed changes.

Therefore, the proposed changes do not create the possibility of a new or different kind of accident from any previously evaluated.

(3) Involve a significant reduction in a margin of safety.

The proposed changes do not affect the limiting conditions for operation or their bases that are used in the deterministic analyses to establish the margin of safety.

PSA evaluations were used to evaluate these changes. These evaluations demonstrated that the changes are either risk neutral or risk beneficial. These evaluations are detailed in CE NPSD-994. Therefore, the proposed changes do not involve a significant reduction in the margin of safety.

Therefore, based on the above considerations, it is OPPD's position that this proposed amendment does not involve significant hazards considerations as defined by 10 CFR 50.92 and the proposed changes will not result in a condition which significantly alters the impact of the Station on the environment.

Thus, the proposed changes meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9) and pursuant to 10 CFR 51.22(b) no environmental assessment need be prepared.

U.S. Nuclear Regulatory Commission
LIC-95-0109

ATTACHMENT C

COMBUSTION ENGINEERING OWNERS GROUP

CE NPSD-994

Joint Applications Report for Safety Injection Tank AOT/STI Extension

Final Report

CEOG TASK 836

prepared for the C-E OWNERS GROUP

May 1995

© Copyright 1995 Combustion Engineering, Inc. All rights reserved

ABB Combustion Engineering Nuclear Operations

LEGAL NOTICE

This report was prepared as an account of work sponsored by the Combustion Engineering Owners Group and ABB Combustion Engineering.

Neither Combustion Engineering, Inc. nor any person acting on its behalf:

A. makes any warranty or representation, express or implied including the warranties of fitness for a particular purpose or merchantability, with respect to the accuracy, completeness, or usefulness of the information contained in this report, or that the use of any information, apparatus, method, or process disclosed in this report may not infringe privately owned rights; or

B. assumes any liabilities with respect to the use of, or for damages resulting from the use of, any information, apparatus, method or process disclosed in this report.

Combustion Engineering, Inc.

6/29/95 Errata

SIT Joint Applications Report, CE NPSD-994

1. Page 14, 6.3.2 Assessment of "At Power" Risk, Methodology: first paragraph: after the second sentence ("The evaluation of the "at power" risk increment resulting from the extended SIT AOT was evaluated on a plant specific basis using the most current individual plant's Probabilistic Safety Analysis (PSA) model.") the following sentence should have been inserted which reads:

For consistency in comparison of results, Core Damage Frequencies (CDFs) presented represent internal events only, excluding internal floods.

2. Page 15: A paragraph should have been inserted at the end of the Methodology subsection and prior to the Calculation of Conditional CDF, Single and Yearly AOT Risk Contributions subsection that reads:

The methodology used to calculate the above risk measures is presented below. For plants with PSAs that were quantified using RISKMAN methodology, equivalent steps were taken to meet the intent of the methodology presented below.

3. Page 25, Section 6.5.1, First Sentence: should not include the words "non-risk related". Sentence should read:

Section 7.4 of NUREG-1366 (Reference 1) provides the following justification for a specific AOT extension from 1 hour to 72 hours...

4. Page 28, Section 9.1, First paragraph, should not include sentences 2 through 4. Paragraph should read:

The PSA results from each of the CE PWRs show that the increment in risk at power due to one inoperable SIT is small for all plants. The major contributor to the differences in plant results for the SITs is the success criteria and frequency of a Large LOCA assumed in the PSA model. The results indicate that there is a lower risk to the plant by remaining at power to perform corrective maintenance than to shut down the plant to repair the inoperable SIT. Therefore, it is concluded that extending the AOT for one inoperable SIT from 1 to 24 hours would be risk beneficial.

5. Page 18, Table 6.3.2-1: The numerical values for "Increase in CDF, per year," for St. Lucie 1 and St. Lucie 2, should have been 2.0E-04 rather than 2.2E-04.

TABLE OF CONTENTS

LIST OF TABLES
1.0 PURPOSE
2.0 SCOPE OF PROPOSED CHANGES TECHNICAL SPECIFICATIONS
3.0 BACKGROUND
4.0 SUMMARY OF APPLICABLE TECHNICAL SPECIFICATIONS
4.1 Standard Technical Specifications
4.2 "Customized" Technical Specifications
5.0 SYSTEM DESCRIPTION AND OPERATING EXPERIENCE
5.1 System Description
5.2 Operating Experience
6.0 TECHNICAL JUSTIFICATION FOR AOT EXTENSION
6.1 Statement of Need
6.2 Assessment of Deterministic Factors
6.2.1 Thermal-Hydraulic Considerations
6.2.2 Radiological Release Considerations
6.3 Assessment of Risk
6.3.1 Overview
6.3.2 Assessment of "At Power" Risk
6.3.3 Assessment of Transition Risk
6.3.4 Assessment of Shutdown Risk
6.3.5 Assessment of Large Early Release
6.3.6 Summary of Risk Assessment
6.4 Compensatory Measures
6.5 Technical Justification for AOT Extension for Plant Operation with a Functionally Operable SIT
6.5.1 SIT Tagged INOPERABLE due to Level and Pressure Instrumentation Malfunction
6.5.2 SIT Boron Concentration Out of Range
7.0 JUSTIFICATION FOR SURVEILLANCE TEST INTERVAL (STI) MODIFICATION
8.0 PROPOSED MODIFICATIONS TO NUREG-1432
9.0 SUMMARY AND CONCLUSIONS
9.1 Functionally INOPERABLE SIT
9.2 Functionally OPERABLE SIT
10.0 REFERENCES
ATTACHMENT A
"Mark-up" of NUREG-1432 SECTIONS 3.5.1 & B 3.5.1

LIST OF TABLES

5.2-1 REQUIRED ENTRY INTO LCO ACTION STATEMENTS DUE TO SIT MALFUNCTIONS FOR CE PWRs
6.3.2-1 CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR SITs - CM
6.3.2-2 CEOG PROPOSED AVERAGE CDFs
6.3.3-1 TRANSITION RISK CONTRIBUTIONS FOR SIT CM

Safety Injection Tank (SIT) AOT/STI Extension

1.0 PURPOSE

This report provides the results of an evaluation of specific relaxations in the existing Safety Injection Tank (SIT) boron surveillance requirements and the Allowed Outage Time (AOT).

These requirements and AOT are contained within the standard and "customized" technical specifications for any licensed CE NSSS. A two tiered extension of the existing SIT AOT (typically 1 hour) to 24 hours for a non-functional SIT, and 72 hours for a "tagged" inoperable SIT that can otherwise complete its safety function is requested in order to provide the plant with sufficient time to diagnose and potentially repair minor SIT system malfunctions at power. The ability to perform this corrective maintenance at power can enhance plant safety by averting an unplanned plant shutdown.

Also, technical specification relaxation with regard to boron monitoring is sought in order to allow better utilization of plant resources by reducing the number of unnecessary surveillance actions. This relaxation has been previously recommended by the NRC in NUREG-1366 (Reference 1).

Justification of these requests is based on a review and assessment of plant operations, deterministic and design basis considerations, and plant risk, as well as previous generic studies and conclusions drawn by NRC staff and contained within NUREG-1366 (Reference 1) and NUREG-1432, Revision 0 (Reference 2). The evaluation discussed in this report concludes that the requested Technical Specification modifications are either risk neutral or enhance overall plant safety.

This request for AOT extension is consistent with the objectives and the intent of the Maintenance Rule (Reference 3). The Maintenance Rule will be the vehicle which controls the actual maintenance cycle by defining unavailability performance criteria and assessing maintenance risk. The AOT extension will allow efficient scheduling of maintenance within the boundaries established by implementing the Maintenance Rule. The CE plants are in the process of implementing the Maintenance Rule, and are presently setting targets for unavailability of systems and trains. Therefore, this effort is seen as timely, supportive and integral to the Maintenance Rule program.

2.0 SCOPE OF PROPOSED CHANGES TO TECHNICAL SPECIFICATION

The proposed technical specification changes address revising the existing requirements for the operation of the Safety Injection Tanks (SITs). Specifically, the proposed changes to the technical specification requirements are:

(1) In general, extend AOT for a single INOPERABLE SIT from 1 hour to 24 hours.

For operating modes where at least three of the SITs are required to be OPERABLE, extend the AOT following a diagnosis of a single inoperable SIT from 1 hour to 24 hours.

(2) When a single SIT is INOPERABLE and that INOPERABILITY is due to either malfunctioning SIT water level instrument indication or malfunctioning SIT nitrogen overpressure pressure indication, or inadequate boron concentration, extend the AOT following the diagnosis of the single INOPERABLE SIT from 1 hour to 72 hours.

This technical specification change with regard to SIT instrumentation failures was recommended in Section 7.4 of NUREG-1366, Accumulator Water Level and Pressure Channel Surveillance Requirements (PWR). The relaxation in the boron concentration AOT has already been adopted in the Improved Standard Technical Specifications. This change would add a new conditional Limiting Condition of Operation requirement that would address the case where a single SIT is inoperable AND the affected SIT's inoperability is caused by malfunctioning water level instrumentation, malfunctioning pressure instrumentation, or boron concentration. (The affected SIT is otherwise capable of performing its intended function.) The completion time for restoring the operability of the affected SIT will be 72 hours.

(3) Modify boron concentration technical specification surveillance test interval (STI)

Eliminate technical specifications surveillance requirements that require verification of boron concentration of safety injection tank inventory after a volume increase of 1% or more if the makeup water is from the refueling water storage tank (RWST) and the RWST boron concentration is equal to, or greater than the minimum boron concentration of the SIT. This change in surveillance test requirements has already been adopted in the Improved Standard Technical Specifications (ISTS).

3.0 BACKGROUND

In response to the NRC's initiative to improve plant safety while granting relief to utilities from those requirements that are marginal to safety, the CEOG has undertaken a program of obtaining relief from overly restrictive technical specifications. As part of this program, several technical specification AOTs and STIs were identified for joint action.

This document addresses the SIT portion of this Task, and provides support for modifying the SIT AOT and implementing the NUREG-1366 "line item improvement" with regard to boron concentration monitoring. This report provides generic information supporting these changes as well as the necessary plant specific information to demonstrate the impact of these changes for each of the CE plants. The support/analytical material contained within the document is considered applicable to all CEOG member utilities regardless of the category/type of their Plant Technical Specifications.

4.0 SUMMARY OF APPLICABLE TECHNICAL SPECIFICATIONS

There are three distinct categories of Technical Specifications at CE NSSS plants.

The first category is called the Standard Technical Specifications. Through February 1995, NUREG-0212, Revision 03 commonly referred to as "Standard Technical Specifications" has provided a model for the general structure and content of the approved technical specifications at all other domestic CE NSSS plants.

The second category corresponds to the Improved Standard Technical Specifications (ISTS) guidance that is provided in NUREG-1432, Revision 0, dated September 1992. A licensing amendment submittal to change the Technical Specifications for San Onofre Nuclear Generation Station Units 2 & 3 to implement this guidance was submitted to the NRC in December 1993.

Additionally, licensing amendment submittals are being developed that will modify the technical specifications for Palisades Station to implement the ISTS guidance.

The third category includes those technical specifications (TSs) that have structures other than those that are outlined in either NUREG-0212 (Reference 4) or NUREG-1432 (Reference 2).

These TSs are generally referred to as "customized" technical specifications. The CE NSSS plants that currently have "customized" technical specifications are: Palisades Station, Maine Yankee Station, and Ft. Calhoun Station.

Each of these three categories of Technical Specifications includes similar operating requirements for the Safety Injection Tanks (SITs).

4.1 Standard Technical Specifications

Currently NUREG-0212, Revision 03 specifies the following required actions when a single SIT is "INOPERABLE":

APPLICABILITY: MODES 1,2 and 3*

ACTION:

a. With one safety injection tank inoperable, except as a result of a closed isolation valve, restore the inoperable tank to OPERABLE status within one hour or be in at least HOT STANDBY within the next 6 hours and in HOT SHUTDOWN within the following 6 hours.

b. With one safety injection tank inoperable due to the isolation valve being closed, either immediately open the isolation valve or be in at least HOT STANDBY within one hour and be in HOT SHUTDOWN within the next 12 hours.

v Ie The g**=* of NUREG 1432 Section 3.5.1 relaxes these requirements from NUREG 0212 in

('

the following ways:

1.

'Ihe allowed outage time for a single inoperable SIT due to that SIT's boron g

L concentration being outside the pfied band is extended from I hour to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.

2.

'Ihe allowed outage time for a single inoperable SIT due to factors other than boron concentration (including indicatian that the SIT's isolation valve is not fully open) is extended from "immediate" restoration to I hour.

Among the factors that can result in a single SIT not being technically " OPERABLE" are the r

L following factors:

r a)

Malfunctions of pressure transmitters, pressure sensing lines, and pressure monitoring circuitry, b)

Malfunctions of level transmitters, level sensing lines, and level monitoring L

circuitry.

In Section 7.4 of NUREG-1366, the NRC staff states that an SIT (an " accumulator") would be "available to fulfill its safety function" at times when the SIT (" accumulator") is " technically r

innparnhle" due to the "inoperability of water level and pressure channelt".

l L

4.2 Customized Technical Specifications

Similar requirements to those identified in Section 4.1 exist for plants with customized technical specifications. However, the format of the technical specification may be different, as may be the detailed requirement. The most noteworthy difference in this area is that for Maine Yankee. SIT Allowed Outage Times at this plant allow a single SIT to be technically inoperable for up to 4 hours and isolated for up to one hour.

5.0 SYSTEM DESCRIPTION AND OPERATING EXPERIENCE

5.1 System Description

The function of the Safety Injection Tank (SIT) system is to reflood the reactor core with borated water following a large break LOCA. The relatively quick response of the system and its passive nature serve to reliably minimize core damage until the SI pumps can provide adequate water for reactor cooling.

Each SIT train has one safety injection tank connected to an RCS cold leg. The tank is filled with borated water and pressurized by nitrogen cover gas. SIT injection occurs anytime RCS pressure drops below cover gas pressure. The discharge piping of each tank includes a check valve followed by an isolation MOV which remains open during normal operation. Beyond these valves, an RCS pressure boundary check valve exists along the injection pathway for each tank.

Definition of OPERABLE SIT

In general, Technical Specification Limiting Conditions For Operation (LCOs) require that all SITS be OPERABLE whenever the plant is in power operation (Mode 1), transitioning to power operation (Mode 2) or in Mode 3 with RCS pressure greater than or equal to a designated value. This LCO is based on the assumption that when the plant is in any of these modes of operation, the SITS must have the same functionability that would be required for a LOCA at full rated thermal power. In order to avoid entry into the LCO action statement, all SITS must be OPERABLE.

When the plant is in any of these listed modes of operation, an SIT is considered OPERABLE when the following conditions exist:

1) the associated isolation valve is fully open,
2) electric power has been interrupted to the motor for the associated isolation valve,
3) water inventory in the tank is within the assumed band,
4) the boric acid concentration of the water inventory of the tank is within the assumed band,
5) the nitrogen cover pressure within the tank is within the assumed band.

In the past, a justification for the short allowed outage time for a single SIT has been that the perceived severity of the consequences of not having all SITS available to provide passive injection during a design basis LOCA warranted the severity of this requirement. However, this short SIT AOT duration was based solely on engineering judgment and not on any quantitative assessment of risk.

While it is not the intent of this document to widen the technical specification OPERABILITY limits for the SIT, it is important to note that for selected parameters, the assessment of SIT OPERABILITY is rather stringent. The SIT operational parameters are set by the design basis licensing Large Break LOCA analysis. Since the SIT is a passive device and provides a limited function, operability has been restricted to mean that the equipment initial conditions are within a band supported by Appendix K design basis analyses. In reality, the equipment can deviate considerably from both inventory and pressure requirements without compromising the ability of the plant to adequately respond to a LOCA.

Inventory requirements are overstated.

Appendix K analytical models are derived so as to over-estimate the amount of liquid lost out the break and to underestimate the residual inventory in the RV lower plenum. Consequently, inventory discharge requirements are conservatively set at a high level. The nitrogen cover pressure essentially establishes the timing of the inventory injection. This would modestly influence the transient and perhaps result in a marginal fuel hot spot temperature increase.

5.2 Operating Experience

Operating experience has demonstrated that many of the causes of SIT inoperability can be diagnosed and corrected within several hours of discovery but longer than a period of one hour from identification. In several instances, diagnosis of out-of-specification conditions has led to plant shutdowns. A list of events that involved an SIT and required entry into associated LCO action statements is provided in Table 5.3-1 for CE PWRs.

The review of this operating experience as well as a general review of existing PRA studies led to questioning the premise that a transition to a lower mode within 1 hour of the discovery of a factor making one SIT inoperable would provide greater reactor safety than repairing this factor with the plant at power.

In fact, a letter from the NRC to Houston Light & Power (Reference 9) provides an approved case where the allowed outage time for a single safety injection tank [accumulator] was extended from 1 hour to 12 hours. A significant justification for this extension was that the resulting change in the calculated values of eW and maximum core damage frequency were negligible.

Previous determinations of the allowed outage time for a single Safety Injection Tank at CE NSSS plants have been based on engineering judgement using a sound knowledge of the role of each of the SITS in the plant design basis. Any new determination of this allowed outage time using probabilistic risk analysis must also include this consideration.


Table 5.2-1 REQUIRED ENTRY INTO LCO ACTION STATEMENTS DUE TO SIT MALFUNCTIONS FOR CE PWRs

| PWR | Date of Event | Description of Event |
|---|---|---|
| San Onofre 2 | 8/29/84 | Nitrogen Cover Pressure exceeded the limits of LCO 3.5.1, two SITS were declared inoperable and LCO 3.0.3 was invoked. |
| San Onofre 2 | 1/28/86 | Pressure Limit Exceeded, LCO 3.0.3 entered. |
| San Onofre 3 | 7/25/87 | LCO 3.5.1 entered due to SIT level instrumentation. |
| Palo Verde 2 | 7/17/86 | Unit in Mode 4 (hot standby) when Tech Spec LCO 3.0.3 entered due to four (4) SITS declared INOPERABLE because high level limit was exceeded based on wide range level indication. |
| Millstone 2 | 6/29/81 | During routine power operation, inconsistency found between SIT Volume required by TS LCO 3.5.1.B and the indication available to determine SIT Operability. |
| San Onofre 2 | 12/23/83 | SITS 007 and 010 exceeded their nitrogen pressure limit while SIT 008 was being filled. Entered LCO 3.0.3. |
| San Onofre 3 | 1/25/83 | During routine nitrogen pressurization of SIT 008, relief valve lifted (failed to reseat following overpressurization). Tank pressure dropped below allowable limits of LCO 3.5.1 and action statement A was invoked. |
| San Onofre 3 | 2/5/83 | SIT tank volume and pressure outside allowable limits of LCO 3.5.1 and action statement A was invoked. |

6.0 TECHNICAL JUSTIFICATION FOR AOT EXTENSION

This section provides an integrated assessment of the proposed extension of the SIT AOT from its currently defined value of 1 hour to 24 hours. This proposed AOT would be applicable in the event an SIT is determined to be INOPERABLE and the cause of the inoperability has been diagnosed as being caused solely by malfunctioning level or pressure measurement instrumentation (See item 1 of Section 2). A discussion of the AOT extension for circumstances where the SIT is tagged INOPERABLE (based on Technical Specifications Criteria) but is otherwise functional is presented in Section 6.5.

6.1 Statement of Need

As was briefly mentioned in Section 5.2, the repair of certain factors that result in the "inoperability" of a single safety injection tank can be completed within a relatively short period of no more than 24 hours.

Operating experience has demonstrated that the repair of such factors takes longer than the existing 1 hour allowed outage time that is typical of existing Technical Specifications for CE NSSS plants that have not implemented the guidance of NUREG-1432.

The sections that follow show that the continued implementation of the existing "1 hour" AOT may result in unnecessary plant shutdowns. Since the increased risk of operating with a single SIT out of service is negligible (as described in the following sections), the associated plant maneuver to a shutdown condition will likely increase plant risk above that which would otherwise exist if the repair of the cause of the "inoperability" was completed at power. A twenty-four hour AOT was considered sufficient for the diagnosis of a potential SIT INOPERABLE condition and minor component repair.

Additionally, Section 7.4 of NUREG-1366 identifies cases where entries into containment have been made at power to recalibrate a single SIT water level or pressure transmitter while a redundant, independent instrument remained operable. In these cases, the containment entry was made in anticipation of a situation where both instruments were simultaneously inoperable, resulting in an allowed outage time that was insufficient for remaining at power while performing repairs and recalibrations.

With a longer duration AOT for both redundant instrument channels, there would be less need for containment entries at power solely for the recalibration of a single water level or pressure channel transmitter.

6.2 Assessment of Deterministic Factors

6.2.1 Thermal-Hydraulic Considerations

The functions of the Safety Injection Tanks (SITS) are to supply water to the reactor vessel during the blowdown phase of a loss of coolant accident (LOCA), and to provide inventory to help accomplish the refill phase that follows thereafter.

The blowdown phase of a large break LOCA is the initial period of the transient during which the RCS departs from equilibrium conditions, and heat from fission product decay, hot internals, and the vessel continues to be transferred to the reactor coolant. The blowdown phase of the transient ends when the RCS pressure falls to a value approaching that of the containment atmosphere.

The refill phase of a LOCA follows immediately after the blowdown phase. The core at the end of the blowdown phase is essentially in adiabatic heatup. In the refill phase, the balance of the inventory in the SITS is available to help fill the lower plenum and the reactor vessel downcomer to re-establish a coolant level at the bottom of the core and then to support reflood of the core with the addition of safety injection water.

Each SIT is a pressure vessel partially filled with borated water and pressurized with nitrogen gas. Each SIT is a passive component, since it is intended to perform its design function without operator or control action. Each SIT will start to discharge its contents to the RCS, if RCS pressure decreases below the SIT pressure.

Each SIT is piped into one reactor coolant system (RCS) cold leg via the injection lines utilized by the Safety Injection (HPSI and LPSI) system. Each SIT is isolated from the RCS by a motor operated isolation valve and two check valves in series. The associated motor operated isolation valve for each SIT is normally open, with power removed from the valve motor to prevent inadvertent closure prior to or during an accident.

Additionally, each of these isolation valves is interlocked with the pressurizer pressure instrumentation channels to ensure that the valves will automatically open as RCS pressure increases above SIT pressure and to prevent inadvertent closure prior to an accident. Each of these valves also receives a safety injection actuation signal (SIAS) to open. These features ensure that these valves meet the requirements of the Institute of Electrical and Electronic Engineers (IEEE) Standard 279-1971 for "operating bypasses" and that the SITS will be available for injection without reliance on operator action.

The nitrogen gas and water volumes, nitrogen gas pressures, and outlet pipe sizes for each SIT are selected to allow the SITS together with the HPSI and LPSI systems to recover water inventory in the core before significant clad melting or zirconium water reaction can occur following a LOCA.

The SIT capacity is established such that the SITS provide adequate inventory to the downcomer and facilitate the core recovery and refill process. In particular, passive injection by all but one of the SITS is credited in design base analysis for large break LOCAs that are initiated at full rated thermal power conditions. The other SIT is assumed to be ineffective due to the break location. The performance of SITS is calculated in accordance with Appendix K to 10 CFR 50 and, together with the HPSI and LPSI systems, ensures that the following Emergency Core Cooling System (ECCS) acceptance criteria of 10 CFR 50.46 are satisfied:

a. Maximum fuel element cladding temperature is ≤ 2200 degrees Fahrenheit;

b. Maximum cladding oxidation is ≤ 0.17 times the total cladding thickness before oxidation;

c. Maximum hydrogen generation from a zirconium water reaction is ≤ 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react; and

d. The core is maintained in a coolable geometry.

The above criteria were established in order to define deterministic acceptance criteria that may be used by regulators in judging the acceptability of a given Emergency Core Cooling System.

The methodology is defined in Appendix K to 10 CFR 50. This methodology conservatively represents LOCA thermohydraulic and hydrodynamic phenomenology to calculate fuel peak clad temperature.

As a result, this methodology overstates the realistic minimum equipment requirements for adequate response to an event. Recent best estimate analyses for a typical PWR (Reference 5) confirmed that for large break LOCAs, core melt can be prevented by either the operation of one Low Pressure Safety Injection (LPSI) pump or the operation of one High Pressure Safety Injection (HPSI) pump and a single SIT. While the precise equipment set for any specific CE PWR may vary, the design basis requirement for 1 LPSI train, 1 HPSI train, and all SITS to avert a core melt condition is very conservative.

6.2.2 Radiological Release Considerations

The design basis calculation of radiological consequences of the large LOCA is based on a combination of very conservative assumptions. The design basis for radiological releases following a LOCA is set forth in 10 CFR 100, "Reactor Site Criteria", and detailed in SRP 15.6.5 (Reference 6). In practice, the 10 CFR 100 radiation release criteria are achieved via reliance on the 1962 "source term" outlined in the Atomic Energy Commission Technical Information Document, TID-14844, "Calculation of Distance Factors for Power and Test Reactors" (Reference 7). This "Source Term" was not consistent with the low level of core damage expected with a large LOCA. Instead, the Source Term was very conservatively defined based on a substantial meltdown of the core, and fission product release to the containment.

Over the past 30 years, substantial information has been developed updating our knowledge about fission product release and transport during PWR severe accidents. This information is reflected in the new NRC source term defined in NUREG-1465 (Reference 8). Assimilation of this information suggests that even when the dichotomy of a core melt driven source term is retained, the estimate of the Large LOCA fission product releases based on Reference 7 considerably overpredicts the severity of the fission product release to the public.

This conclusion is based on the following:

1) Current licensing methods assume fission products are released to the containment immediately upon the onset of the LOCA. In fact, only gases residing within the fuel gap (approximately 5% of the total volatile fission product inventory) will be released at the point of clad rupture (early in the transient). The remainder of the fission products will enter the containment over the period of one half hour or more.

2) Current licensing methods assume the composition of the iodine entering the containment is predominantly elemental (as was then believed to be the physical situation). Sprays are less effective in removing elemental iodine than iodine in the particulate form.

It is our current understanding that the iodine is predominantly (greater than 95%) released into the containment in the form of CsI which is particulate. Thus, spray effectiveness and gravitational settling would be enhanced and airborne releases from containment would decrease.

Thus, even if a Large LOCA were to occur without the requisite design basis number of SITS, the actual fission product releases would be expected to be well within the existing 10 CFR 100 criteria. This issue is further considered in a probabilistic framework in Section 6.3.5.

6.3 Assessment of Risk

6.3.1 Overview

The purpose of this section is to provide an integrated assessment of the overall plant risk associated with adoption of the proposed AOT extension. The methodology used to evaluate the SIT AOT extension was based in part on a draft version of the "Handbook of Methods for Risk-Based Analyses of Technical Specifications", Reference 10. As guidance for the acceptability of a Technical Specification modification, it was noted that any proposed Technical Specification change (and the ultimate change package) should either:

(1) be risk neutral, OR

(2) result in a decrease in plant risk (via "risk trade-off considerations"), OR

(3) result in a negligible (to small) increase in plant risk,

AND

(4) be needed by the utility to more efficiently and/or more safely manage plant operations.

A statement of need has been provided in Section 6.1. This section addresses the risk aspects of the proposed AOT extension.

In this evaluation, a risk assessment of the SIT AOT extension is performed with respect to associated "at power" and "transition" risks.

Section 6.3.2 provides an assessment of the increased risk associated with continued operation with a single SIT out of service (OOS). The "at power" risk increment resulting from the extended SIT AOT was evaluated on a plant specific basis using the most current individual plant's Probabilistic Safety Analysis (PSA) model for their respective baselines. Plant specific evaluations were performed by each participating utility. Results of these evaluations were then compared using appropriate risk measures as prescribed in Reference 10.

Section 6.3.3 provides an assessment of risk of transitioning the plant from Mode 1 into a lower mode (e.g. Mode 4). The "at power" risk assessment provides only one facet of the plant risk.

For this evaluation, continuation of at power operation with the LCO action statement is compared with the risk of proceeding with a plant shutdown. A lower bound to this transition risk was evaluated by modifying the reactor trip core melt scenario for a representative CE PWR. Based on this analysis, a core damage probability for the plant shutdown was established and compared to the single AOT risk associated with continued operation.

For completeness, the impact of the extended AOT on the plant large early release fraction is qualitatively assessed. The assessment includes an evaluation of the events leading to large early fission product releases and the role of the SIT in the initiation and/or mitigation of those events.

This assessment is presented in Section 6.3.5.

6.3.2 Assessment of "At Power" Risk

Methodology

This section provides an assessment of the increased risk associated with continued operation with a single SIT out of service (OOS). The evaluation of the "at power" risk increment resulting from the extended SIT AOT was evaluated on a plant specific basis using the most current individual plant's Probabilistic Safety Analysis (PSA) model. Plant specific evaluations were performed by each participating utility. Results of these evaluations were then compared using the following risk measures (from Reference 10):

Average Core Damage Frequency (CDF): The average CDF represents the frequency of core-damage occurring. In a PSA model, the CDF is obtained using mean unavailabilities for all standby-system components.

Core Damage Probability (CDP): The CDP represents the probability of core-damage occurring. Core-damage probability is approximated by multiplying core-damage frequency by a time period.

Conditional Core-Damage Frequency (CCDF): The Conditional CDF is the Core Damage Frequency (CDF) conditional upon some event, such as the outage of equipment. It is calculated by re-quantifying the cutsets after adjusting the unavailabilities of those basic events associated with the inoperable equipment.

Increase in Core Damage Frequency (ΔCDF): The increase in CDF represents the difference between the CCDF evaluated for one train of equipment unavailable minus the CCDF evaluated for one train of equipment not out for test or maintenance (T/M). For the SITS:

$$\Delta\mathrm{CDF} = \text{Conditional CDF}_{(1\ \text{SIT unavailable})} - \text{Conditional CDF}_{(1\ \text{SIT not out for T/M})}$$

where CDF = Core Damage Frequency (per year)

Single AOT Risk Contribution: The Single AOT Risk contribution is the increment in risk associated with a train being unavailable over a period of time (evaluated over either the full AOT, or over the actual maintenance duration). In terms of core damage, the Single AOT Risk Contribution is the increase in probability of core-damage occurring during the AOT, or outage time, given a train is unavailable from when the train is not out for test or maintenance. The value is obtained by multiplying the increase in the CDF by the AOT or outage time.

$$\text{Single AOT Risk} = \Delta\mathrm{CDF} \times \tau$$

where ΔCDF = Increase in Core Damage Frequency (per year), and τ = full AOT or actual maintenance duration (years)

Yearly AOT Risk Contribution: The Yearly AOT risk contribution is the increase in average yearly risk from a train being unavailable accounting for the average yearly frequency of the AOT. It is the frequency of core-damage occurring per year due to the average number of entries into the LCO Action Statement per year. The value is estimated as the product of the Single AOT Risk Contribution and the average yearly frequency (f) of entering the associated LCO Action Statement. Therefore:

$$\text{Yearly AOT Risk} = \text{Single AOT Risk} \times f$$

where f = frequency (events/year)

Incremental changes in these parameters are assessed to establish the risk impact of the Technical Specification change.

Calculation of Conditional CDF, Single and Yearly AOT Risk Contributions

Each CEOG utility used its current Probabilistic Safety Analysis (PSA) model to assess the Conditional CDF based on the condition that one SIT is unavailable. Each plant verified that the appropriate basic events are contained in the PSA cutsets used to determine the AOT risk contributions. This verification was performed as the first task in calculating the Conditional CDFs. If basic events had been filtered out of the PSA cutsets, one of the two methods described below was used to ensure the calculation of Conditional CDF was correct or conservative:

1. Select the basic event for the failure mode of the component with the highest failure probability to represent the train if the test/maintenance failure mode of the component had been filtered out; or

2. Retrieve cutsets containing relevant basic events at the sequence level and merge them with the final PSA cutsets.

The Conditional CDF given 1 SIT is unavailable was obtained by performing the following steps:

1. Set the basic event probability for the failure mode for a component in the unavailable SIT train equal to 1.00,

2. Set any basic event probabilities for other failure modes for that train equal to 0.0, and

3. Requantify the PSA cutsets.

The Conditional CDF given 1 SIT is not out for test or maintenance was obtained by setting the basic event probability for the failure mode for one SIT equal to 0.0 and requantifying the PSA cutsets. This Conditional CDF was effectively equal to the baseline CDF (CDF resulting from the plant's current PSA model) for the SITS for all CE plants.

It was expected that the results would be symmetric for selecting any one of the four SITS to be out for maintenance. However, in cases where different modeling assumptions or data were associated with each SIT, then the Conditional CDFs were evaluated for each SIT, and the most conservative result was used.

The Conditional CDF was then used to calculate the increase in CDF and then the Single AOT Risk Contribution (Conditional CDF x full AOT) for each plant. The Single AOT Risk was calculated based on the full AOT due to the short duration of the AOT; i.e., nothing less than full AOT was used for maintenance duration for both the current and proposed Single AOT Risk calculations.

The Single AOT Risk Contribution was then used to calculate the Yearly AOT Risk Contribution (Single AOT Risk x frequency). Maintenance frequency was not expected to change based on an extended AOT, so the maintenance frequency for the proposed AOT is the same frequency as the current AOT. The frequency used for the Yearly AOT Risk Contribution calculation is 0.35 per year (total for all SITS). This value is based on actual data for entry into the SIT LCO Action Statement for a representative CE plant and is either conservative or accurate for each CE plant.

Table 6.3.2-1 provides the Conditional CDFs, and the Single and Yearly AOT Risk Contributions for each plant.
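The requantification steps and the risk measures defined above, worked through as an added Python example that is not part of the report. The cutsets, basic-event names and probabilities are constructed, and summing cutset frequencies (rare-event approximation) is an assumption about how they are quantified; the only report values used are the ANO-2 increase in CDF of 8.38E-06 per year and the 0.35 per year entry frequency from Table 6.3.2-1.

```python
"""Conditional CDF by cutset requantification, then the AOT risk measures."""

HOURS_PER_YEAR = 8760.0

# Constructed toy model (not from any plant PSA). Each cutset is
# (initiating-event frequency per year, basic events that must all occur).
CUTSETS = [
    (1.0e-5, ("SIT_A_TM",)),         # SIT A out for test/maintenance
    (1.0e-5, ("SIT_A_CV_FTO",)),     # SIT A check valve fails to open
    (1.0e-5, ("SIT_A_MOV_XFER",)),   # SIT A isolation valve transfers closed
    (1.0e-5, ("LPSI_A", "LPSI_B")),  # both LPSI trains fail
    (3.0e-5, ()),                    # lumped remainder of the model
]
PROBS = {  # constructed basic-event probabilities
    "SIT_A_TM": 1.0e-4, "SIT_A_CV_FTO": 2.0e-4, "SIT_A_MOV_XFER": 5.0e-5,
    "LPSI_A": 1.0e-2, "LPSI_B": 1.0e-2,
}
SIT_A_EVENTS = ("SIT_A_TM", "SIT_A_CV_FTO", "SIT_A_MOV_XFER")


def quantify(cutsets, probs):
    """CDF per year as the sum of cutset frequencies (assumed approximation)."""
    total = 0.0
    for ie_freq, events in cutsets:
        value = ie_freq
        for name in events:
            value *= probs[name]
        total += value
    return total


def pick_train_event(cutsets, probs, train_events, tm_event):
    """Use the T/M event if it survived cutset filtering; otherwise fall back
    to the train's highest-probability failure mode (method 1 in the text)."""
    present = {name for _, events in cutsets for name in events}
    if tm_event in present:
        return tm_event
    candidates = [name for name in train_events if name in present]
    if not candidates:
        raise ValueError("train is not represented in the cutsets")
    return max(candidates, key=lambda name: probs[name])


def ccdf_train_unavailable(cutsets, probs, train_events, failed_event):
    """Steps 1-3: one failure mode set to 1.0, the train's others to 0.0."""
    if failed_event not in train_events:
        raise ValueError("failed_event must belong to the train")
    adjusted = dict(probs)
    for name in train_events:
        adjusted[name] = 1.0 if name == failed_event else 0.0
    return quantify(cutsets, adjusted)


def ccdf_train_not_in_tm(cutsets, probs, tm_event):
    """Train known not to be out for T/M: its T/M event is set to 0.0
    (reading 'the failure mode' as the T/M event is an assumption)."""
    adjusted = dict(probs)
    adjusted[tm_event] = 0.0
    return quantify(cutsets, adjusted)


def single_aot_risk(delta_cdf_per_year, aot_hours):
    """Single AOT Risk = delta-CDF x tau, with tau converted to years."""
    if aot_hours < 0:
        raise ValueError("AOT must be non-negative")
    return delta_cdf_per_year * (aot_hours / HOURS_PER_YEAR)


def yearly_aot_risk(single_risk, entries_per_year):
    """Yearly AOT Risk = Single AOT Risk x f."""
    return single_risk * entries_per_year


def aot_comparison(delta_cdf_per_year, current_h, proposed_h, entries_per_year):
    """Single and yearly risk for the current and the proposed AOT."""
    cur = single_aot_risk(delta_cdf_per_year, current_h)
    new = single_aot_risk(delta_cdf_per_year, proposed_h)
    return {
        "single_current": cur,
        "single_proposed": new,
        "yearly_current": yearly_aot_risk(cur, entries_per_year),
        "yearly_proposed": yearly_aot_risk(new, entries_per_year),
    }


if __name__ == "__main__":
    event = pick_train_event(CUTSETS, PROBS, SIT_A_EVENTS, "SIT_A_TM")
    unavailable = ccdf_train_unavailable(CUTSETS, PROBS, SIT_A_EVENTS, event)
    not_in_tm = ccdf_train_not_in_tm(CUTSETS, PROBS, "SIT_A_TM")
    print("toy baseline CDF      :", quantify(CUTSETS, PROBS))
    print("toy CCDF, unavailable :", unavailable)
    print("toy CCDF, not in T/M  :", not_in_tm)
    print("toy delta-CDF         :", unavailable - not_in_tm)
    # ANO-2 increase in CDF and entry frequency as printed in Table 6.3.2-1.
    for key, value in aot_comparison(8.38e-6, 1, 24, 0.35).items():
        print(f"ANO-2 {key:16s}: {value:.2e}")
```

In the toy model the "not out for T/M" Conditional CDF differs from the baseline only in the seventh significant figure, which is the behaviour the report describes for the CE plants.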


Calculation of Average CDF

In order to calculate the Average CDF for the extended SIT AOT, a new value for SIT unavailability due to test/maintenance was established, which accounted for the performance of on-line corrective maintenance assuming a 24 hour maintenance duration (i.e., the full proposed SIT AOT). The PSA cutsets were then requantified based on this new unavailability to obtain the Average CDF for the new SIT unavailability of 24 hours per year. This new Average CDF was then compared to the base case value from the plant's PSA model. Table 6.3.2-2 provides the proposed Average CDF and the base Average CDF for each plant.

Results

The results from each plant were assimilated, and the Single AOT and Yearly AOT Risks were calculated for each plant. Tables 6.3.2-1 and 6.3.2-2 present the results of these cases on a plant specific basis, and summarize the SIT AOT CDF contributions for each plant. These risk contributions include the Conditional CDFs, Increase in CDF, Single AOT and Yearly AOT risks, and current and proposed Average CDFs.

Differences in results are primarily due to variations in Large LOCA initiating event frequency and the associated success criteria. Plants that used the large LOCA deterministic success criteria (i.e., all SITS required to mitigate Large LOCA) combined with a high Large LOCA initiating event frequency (e.g., 5.0E-04 per year) in the PSA resulted in an overly conservative estimation of SIT importance. Even for plants with more stringent success criteria, the results of the analyses indicate that the Single and Yearly AOT Risk Contributions are negligible or small for all plants by extending the SIT AOT from 1 to 24 hours, and the Average CDF is virtually unchanged.

Table 6.3.2-1 CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR SITS - Corrective Maintenance

| PARAMETER | ANO-2 | Calvert Cliffs 1 & 2 | Fort Calhoun | Maine Yankee* | Millstone 2 | Palisades | Palo Verde 1, 2 & 3 | San Onofre 2 & 3 | St. Lucie 1 | St. Lucie 2 | Waterford 3 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| SIT Success Criteria | 3 of 4 | 3 of 4** | 3 of 3 to unbroken legs | 1 of 2 to unbroken legs | 2 of 3 to unbroken legs | 3 of 3 to unbroken legs** | 2 of 3 to unbroken legs | 3 of 4 to unbroken legs | 3 of 4 | 3 of 4 | 3 of 3 to unbroken legs |
| Present AOT, hrs | 1 | 1 | 1 | 1*** | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Proposed AOT, hrs | 24 | 24 | 24 | 24 | 24 | 24 | 24 | 24 | 24 | 24 | 24 |
| Conditional CDF, per yr (1 SIT unavailable) | 4.12E-05 | 5.53E-04 | 2.18E-05 | 7.40E-05 | 3.41E-05 | 5.47E-05 | 4.88E-05 | 4.02E-04 | 2.2E-04 | 2.2E-04 | 6.53E-05 |
| Conditional CDF, per yr (1 SIT not out for maintenance) | 3.28E-05 | 2.11E-04 | 1.18E-05 | 7.40E-05 | 3.41E-05 | 5.15E-05 | 4.74E-05 | 2.74E-05 | 2.14E-05 | 2.35E-05 | 1.54E-05 |
| Increase in CDF, per yr | 8.38E-06 | 3.42E-04 | 1.00E-05 | negligible | negligible | 3.20E-06 | 1.40E-06 | 3.75E-04 | 2.2E-04 | 2.2E-04 | 4.99E-05 |
| Single AOT Risk (based on Current full AOT) | 9.57E-10 | 3.90E-08 | 1.14E-09 | negligible | negligible | 3.65E-10 | 1.60E-10 | 4.28E-08 | 2.3E-08 | 2.3E-08 | 5.70E-09 |
| Single AOT Risk (based on Proposed full AOT) | 2.30E-08 | 9.37E-07 | 2.74E-08 | negligible | negligible | 8.77E-09 | 3.84E-09 | 1.03E-06 | 5.5E-07 | 5.5E-07 | 1.37E-07 |
| Downtime Frequency, per yr | 0.35**** | 0.35**** | 0.35**** | 0.35**** | 0.35**** | 0.35**** | 0.35**** | 0.35**** | 0.35**** | 0.35**** | 0.35**** |
| Yearly AOT Risk, per yr (based on Current full AOT) | 3.35E-10 | 1.37E-08 | 4.00E-10 | negligible | negligible | 1.28E-10 | 5.59E-11 | 1.50E-08 | 8E-09 | 8E-09 | 1.99E-09 |
| Yearly AOT Risk, per yr (based on Proposed full AOT) | 8.04E-09 | 3.28E-07 | 9.59E-09 | negligible | negligible | 3.07E-09 | 1.34E-09 | 3.59E-07 | 1.9E-07 | 1.9E-07 | 4.78E-08 |

\* SITS were not modeled in PSA, impact judged negligible due to success criteria
\*\* Success criteria varies based on details of scenario
\*\*\* 4 hours for SIT out of spec
\*\*\*\* Based on actual data for representative CE plant

Table 6.3.2-2 CEOG PROPOSED AVERAGE CDFs

| PARAMETER | ANO-2 | Calvert Cliffs 1 & 2 | Fort Calhoun | Maine Yankee* | Millstone 2 | Palisades | Palo Verde 1, 2 & 3 | San Onofre 2 & 3 | St. Lucie 1 | St. Lucie 2 | Waterford 3 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| SIT Success Criteria | 3 of 4 | 3 of 4** | 3 of 3 to unbroken legs | 1 of 2 to unbroken legs | 2 of 3 to unbroken legs | 3 of 3 to unbroken legs** | 2 of 3 to unbroken legs | 3 of 4 to unbroken legs | 3 of 4 | 3 of 4 | 3 of 3 to unbroken legs |
| Present AOT, hrs | 1 | 1 | 1 | 1*** | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Proposed AOT, hrs | 24 | 24 | 24 | 24 | 24 | 24 | 24 | 24 | 24 | 24 | 24 |
| Proposed Downtime, hrs/yr | Assume 24 | Assume 24 | Assume 24 | Assume 24 | Assume 24 | Assume 24 | Assume 24 | Assume 24 | Assume 24 | Assume 24 | Assume 24 |
| Average CDF, per yr (PSA case) | 3.28E-05 | 2.11E-04 | 1.18E-05 | 7.40E-05 | 3.41E-05 | 5.15E-05 | 4.74E-05 | 2.74E-05 | 2.14E-05 | 2.35E-05 | 1.54E-05 |
| Average CDF, per yr (Proposed) | 3.28E-05 | 2.11E-04 | 1.18E-05 | 7.40E-05 | 3.41E-05 | 5.16E-05 | 4.74E-05 | 2.85E-05 | 2.4E-05 | 2.6E-05 | 1.56E-05 |

\* SITS were not modeled in PSA, impact judged negligible due to success criteria
\*\* Success criteria varies based on details of scenario
\*\*\* 4 hours for SIT out of spec

OO 6.3.3 Assessment of Transition Risk For any given AOT extension, there is theoretically an "at power" increase in risk associated with it. This increase may be negligible or significant. A complete approach to assessmg the change in risk accounts for the effects of avoided shutdown, or " transition risk". Transition Risk represents the risk nwinted with reducing power and going to hot or cold shutdown following equipment failure, in this case, one SIT being inoperable. Transition risk is ofinterest in understanding the tradeoff between shutting down the plant and repairmg the SIT while the plant continues operation. The risk of transitioning from "at power" to a shutdown mode must l

be balanced against the risk of continued operation and performing corrective maintenance while-l the plant is at power.

l l

To illustrate this point, a representative CE PWR has performed an analysis for transition risk l

l assocuted with one inoperable SIT. The methodology and results obtained by this plant are l

presented below and are considered generically applicable to the other CE plants.

{

Methodology

The philosophy behind the transition risk analysis is that if a plant component becomes unavailable, the CDF will increase since less equipment is now available to respond to a transient if one were to occur. However, as long as the plant remains at power, this CDF is constant. At the point in time that a decision is made to shut down, the CDF increases since a "transient" (manual shutdown) has now occurred, and the equipment is still out of service.

The Core Damage Probability (CDP) associated with the risk of plant transition from plant full power operation to shutdown is obtained by modifying the "uncomplicated reactor trip" core damage scenario in the PSA model. In this evaluation the incremental risk is dominated by the increased likelihood of loss of main feedwater and the reliance on auxiliary (and/or emergency) feedwater to avert a core damage event. A cutset editor was used to adjust cutsets representing manual shutdown or miscellaneous plant trips to reflect the CDP associated with a forced shutdown assuming one SIT is out of service and requantifying the PSA cutsets. Conservatisms that had been included in the base PSA model were deleted to reflect the greater control that the plant staff has in the shutdown process. Specifically, the baseline PSA model assumed total loss of main feedwater (MFW) within 30 minutes of reactor trip. In the transition analysis, MFW was assumed to be recoverable following failure of Auxiliary Feedwater. A human error probability (value of 0.1) was added to cutsets that contained no basic events, including human actions, that would cause MFW to be unavailable. The duration of the transition process was assumed to be 12 hours (6 hours to hot standby and 6 hours to hot shutdown).

Additional human errors that would be associated with a detailed portrayal of the shutdown process and the entry into shutdown cooling were not included in order to establish a conservative lower bound assessment of the transition risk. Errors of commission, such as diversion of RCS flow during SDC valve alignment, are also not considered in this analysis. Such errors would add to the disadvantages of the shutdown alternative, and therefore, to include them would be non-conservative for the purpose of this comparison.

Based on the above methodology the CDP associated with the lower mode transition was calculated for the representative plant to be 1.00E-06. Results of transition risk analyses can be generalized for the other CE PWRs by assuming that the ratio of the CDP for Transition Risk to the baseline Average CDF is constant for all plants. The baseline CDFs were used rather than the Conditional CDFs for the ratio between the other CE plants because the analysis for the representative plant indicated that transition risk was more a function of Loss of MFW rather than a function of the specific equipment out of service.

That is,

$$\Delta CDP_{\text{plant}} = \left(\frac{CDF_{\text{plant}}}{CDF_{\text{rep. plant}}}\right) \cdot \Delta CDP_{\text{rep. plant}}$$

where:

$\Delta CDP_{\text{plant}}$ = Incremental risk due to mode transition for plant

$CDF_{\text{plant}}$ = Baseline CDF for plant

$CDF_{\text{rep. plant}}$ = Representative plant baseline CDF

$\Delta CDP_{\text{rep. plant}}$ = Incremental risk due to mode transition for representative plant

The transition risk may be used to evaluate the relative risks of performing SIT repair at power to that of performing the same repair at some lower mode. The risk of continued operation for the full duration of the AOT is bounded by the single AOT risk for CM. The comparable risk of the alternate maintenance option involves consideration of four distinct risk components:

(1) Risk of remaining at power prior to initiating the lower mode transition.

This risk will vary depending on the ability of the staff to diagnose the SIT fault.

(2) Risk of lower mode transition.

This risk is accumulated over a short time interval (approximately 12 hours).

(3) Risk of continued lower mode operation with an impaired SIT.

In this mode, the reactor is shutdown and the core is generating decay power only. However, risks in this mode remain significant. Depending on the particular operational mode, resources to cope with plant transients will typically be less than at power. These modes are characterized by decreased restrictions on system operability, longer times for operator recovery actions, lower initiating frequency for pressure driven initiators (such as LOCA) and a greater frequency for plant transients such as those initiated by loss of offsite power and loss of main feedwater.

(4) Risk of return to power

The power ascension procedure is a well controlled transient. Reference (10) conceptually discusses that risks associated with this transition are greater than those associated with at power operation, but significantly below that associated with the initial lower mode transition (item 2).

The analysis of transition risk presented in this report quantifies only the risk of lower mode transition (item 2).

Results

Table 6.3.3-1 presents the risk associated with transitioning the plant to a lower mode for each plant. The numbers in the table represent only the lower mode transition risk component of the transition sequence (item 2). For all CE plants, the risk associated with this transition portion is nearly equal to or exceeds that risk that would be incurred for a 24 hour "at power" (Single AOT Risk from Tables 6.3.2-1) SIT maintenance period. When the full mode transition process is considered, it is expected that SIT maintenance at power for the full 24 hour AOT is risk beneficial for all CE PWRs.

Table 6.3.3-1 TRANSITION RISK CONTRIBUTIONS FOR SIT CM

PLANT | Transition Risk Contribution (ΔCDP)
ANO-2 | 6.92E-07
Calvert Cliffs 1 & 2 | 4.45E-06
Fort Calhoun Station | 2.49E-07
Maine Yankee | 1.56E-06
MN-2 | 7.19E-07
Palisades | 1.09E-06
Palo Verde 1, 2 & 3 | 1.00E-06
San Onofre 2 & 3 | 5.78E-07
St. Lucie 1 | 4.51E-07
St. Lucie 2 | 4.96E-07
Waterford 3 | 3.25E-07

6.3.4 Assessment of Shutdown Risk

Shutdown risk benefits were not credited for the SIT AOT Extension request.

6.3.5 Assessment of Large Early Release

A review of large early release scenarios for the CE PWRs indicates that early releases arise as a result of one of the following classes of scenarios:

1. Containment Bypass Events

These events include interfacing system LOCAs and steam generator tube ruptures (SGTRs) with a concomitant loss of SG isolation (e.g. stuck open MSSV).

2. Severe Accidents accompanied by loss of containment isolation

These events include any severe accident in conjunction with an initially unisolated containment.

3. Containment Failure associated with Energetic events in the Containment.

Events causing containment failure include those associated with the High Pressure Melt Ejection (HPME) phenomena including direct containment heating (DCH) and hydrogen conflagrations/detonations.

Of the three release categories, Class 1 tends to represent a large early release with potentially direct, unscrubbed fission products, to the environment. Class 2 events encompass a range of releases varying from early to late that may or may not be scrubbed. Class 3 events result in a high pressure failure of the containment, typically immediately upon or slightly after reactor vessel failure. Detailed Level 2 analyses for the plant condition with 1 potentially inoperable SIT have not been performed. However, assessment of the expected change in the large early release fraction was made by assessing the impact of one SIT on the above event categories.

Based on this review, it was established that inoperability of one SIT would not impact Class 1 events. These events are characterized by an irrecoverable loss of reactor inventory along with any makeup outside of containment. Core damage for these events is inevitable without a continuous permanent makeup water source. The availability of the SITs does not significantly alter the event progression. A small increase in Class 2 events could occur when an unmitigated large LOCA occurs in conjunction with an initially unisolated containment. Significant fission product releases would not occur unless the containment is unscrubbed (that is, sprays are inoperable). This latter combination of events is considered of very low probability. Class 3 events are dominated by RCS transients that occur at high pressure. These events exclude those where SIT performance would be called for and therefore SIT status is not a contributor to this event category. It is therefore concluded that increased unavailability of one SIT will result in a negligible impact on the large early release probability for CE PWRs.

6.3.6 Summary of Risk Assessment

The major contributor to differences in plant results for the SITs is success criteria. Even for plants with more stringent success criteria, the results of the analyses indicate that there is only a small increase in risk by extending the SIT AOT from 1 to 24 hours.

The results of this study also indicate that performing SIT maintenance at power versus at shutdown can result in a decrease in overall plant risk. This is because the CDP for continued operation of the plant at power with one SIT inoperable is less than the CDP associated with shutting down the plant.

Inoperability of the SIT was found to not significantly impact the three classes of events that give rise to large early releases. These include containment bypass sequences, severe accidents accompanied by loss of containment isolation, and containment failure due to energetic events in the containment. It is therefore concluded that increased unavailability of the SIT will result in a negligible impact on the large early release probability for CE PWRs.

In conclusion, from a risk perspective, increasing the out of service (OOS) duration for a single SIT has a negligible impact on risk from either an instantaneous or cumulative (yearly) basis.

6.4 Compensatory Measures

In addition to the information described above, each CEOG plant considered maintenance interactions or compensatory actions that could be performed if the change in risk due to the extended AOT was not risk neutral. Because of the short AOT for the SITs, no extraordinary compensatory actions were determined to be required when one SIT is out of service for maintenance. However, as for any "at power" maintenance, the goals should be expediency and safety. Therefore, operability of the other SITs should be verified prior to taking the SIT out-of-service. Also, taking one SIT out-of-service should not coincide with the scheduled removal of additional ECCS plant components from service.

6.5 Technical Justification for AOT Extension for Plant Operation with a Functionally "Operable" SIT

This section addresses two line item relaxations previously identified as generically acceptable in previous NRC documents. These changes are defined in item 2 of Section 2, and allow an extended AOT of 72 hours for conditions where the SIT is functional but an INOPERABLE tag is required due to either: 1) malfunctioning pressure or level instrumentation or 2) the SIT boron concentration is out of the technical specification limit. Relaxation of this AOT due to inoperable level or pressure instrumentation has been recommended for implementation into the TSs by the NRC in Reference 1. The relaxation of AOT requirements due to boron concentration in a single SIT has been reviewed generically by the NRC and accepted for use within the Improved Standard Technical Specifications (Reference 2). In either case, the SIT is functional and can perform its intended function throughout the extended AOT. These TS relaxation requests are discussed below.

6.5.1 SIT Tagged INOPERABLE due to Level and Pressure Instrumentation Malfunction

Section 7.4 of NUREG-1366 (Reference 1) provides the following non-risk related justification for a specific AOT extension from 1 hour to 72 hours for a single SIT when that inoperability is caused solely by malfunctioning level instrumentation or solely by malfunctioning pressure instrumentation:

"The combination of redundant level and pressure instrumentation [for any specific SIT] may provide sufficient information so that it may not be worthwhile to always attempt to correct drift associated with one instrument if there were sufficient time to repair one in the event that a second one became inoperable. Because these instruments do not initiate a safety action, it is reasonable to extend the allowable outage time for them.

The [NRC] staff, therefore, recommends that an additional condition be established for the specific case, where 'One accumulator is inoperable due to the inoperability of water level and pressure channels,' in which the completion time to restore the accumulator to operable status will be 72 hours. While technically inoperable, the accumulator would be available to fulfill its safety function during this time and, thus, this change would have a negligible increase on risk."

6.5.2 SIT Boron Concentration Out of Range

In the Improved Standard Technical Specifications of NUREG-1432, the allowed outage time for one SIT is extended from 1 to 72 hours when the "inoperability" of the subject SIT is due only to the boric acid concentration of the tank's contents being outside the specified band for "OPERABILITY." Section B.3.5.1 of NUREG-1432 provides justification for this extension.

The AOT extensions defined in this section apply to the identification of an INOPERABLE SIT which remains functionally capable of performing its safety function.

There are no contradictions between this argument and risk-related arguments for a general AOT of 24 hours that are discussed in Section 6.

7.0 JUSTIFICATION FOR SURVEILLANCE TEST INTERVAL (STI) MODIFICATION

Item 3 of Section 2 (SCOPE OF PROPOSED CHANGES TO TECHNICAL SPECIFICATIONS) proposes to modify the technical specifications associated with performing boron concentration observations when the source of SIT makeup water is from the RWST with a known boron concentration that is equal to or greater than the known boron concentration of the SIT. This technical specification change was originally proposed by the NRC in Section 7.1 of NUREG-1366, Reference 1. Item 3 is considered generic to all CE PWRs.

The CEOG therefore endorses a recommendation that when plant-specific Technical Specifications are amended to implement the cumulative guidance of NUREG-1432, LCO 3.5.1 and Section 8.1.4 of this NUREG, the guidance in SR 3.5.1.4 of NUREG-1432 (Attachment A) should be implemented at the same time.

NUREG-0212, Revision 03 includes the following requirement in SR 4.5.1.1:

"b. At least once per 31 days and within 6 hours after each solution volume increase of greater than or equal to (1)% of tank volume by verifying the boron concentration of the safety injection tank solution."

The comparable Surveillance Requirement in NUREG-1432, SR 3.5.1.4 states, "Verify boron concentration in each SIT is ≥ [1500] ppm and ≤ [2800] ppm." The specified frequency for this surveillance is:

"31 days

AND

NOTE: Only required to be performed for affected SIT

Once within 6 hours after each solution volume increase of > [1]% of tank volume that is not the result of addition from the refueling water tank"

The removal of the requirement to sample the affected SITs for boron concentration within 6 hours of a volume transfer from the refueling water storage tank is supported by the following statement from Section 7.1 of NUREG-1366:

"Normal makeup to an accumulator [safety injection tank] comes from the refueling water storage tank (RWST) which is also borated. No dilution can be caused by adding water from this source as long as the minimum concentration of boron in the RWST is greater than or equal to the minimum boron concentration in the accumulator."

Section 7.1 of NUREG-1366 goes on to state:

"It should not be necessary to verify boron concentration of accumulator inventory after a volume increase of 1% or more if the makeup water is from the RWST and the minimum concentration of boron in the RWST is greater than or equal to the minimum boron concentration in the accumulator, the recent RWST sample was within specification, and the RWST has not been diluted."

The bases commentary concerning SR 3.5.1.4 of NUREG-1432, Revision 0 supports this recommendation when it states the following:

"... Sampling the affected SIT within 6 hours after a 1% volume increase will identify whether in-leakage has caused a reduction in boron concentration to below the required limit. It is not necessary to verify boron concentration if the added water is from the RWT, because the water contained in the RWT is within the SIT boron concentration requirements. This is consistent with the recommendations of NUREG-1366..."

8.0 PROPOSED MODIFICATIONS TO NUREG-1432

Attachment A includes proposed changes to NUREG-1432 Sections 3.5.1 and B 3.5.1 that correspond to the findings of this report.

9.0 SUMMARY AND CONCLUSIONS

9.1 Functionally INOPERABLE SIT

The PSA results from each of the CE PWRs showed that the increment in risk at power due to one inoperable SIT is small for all plants. The range of results for Single AOT Risk based on the full proposed AOT of 24 hours varied from negligible to 4.09E-08. The major contributor to any differences in plant results for the SITs is the success criteria assumed in the PSA model.

In comparison, the increment in risk associated with transitioning the plant from at power to shutdown mode with one SIT inoperable is on the order of 1.00E-06. These results indicate that there is a lower risk to the plant by remaining at power to perform corrective maintenance than to shut down the plant to repair the inoperable SIT. Therefore, it is concluded that extending the AOT for one inoperable SIT from 1 to 24 hours would be risk beneficial.

Recent best estimate analyses for a typical PWR (Reference 5) confirmed that for large break LOCAs, core melt can be prevented by either the operation of one Low Pressure Safety Injection (LPSI) pump or the operation of one High Pressure Safety Injection (HPSI) pump and a single SIT. While the precise equipment set for any specific CE PWR may vary, the design basis requirement for 1 LPSI train, 1 HPSI train, and all SITs to avert a core melt condition is very conservative.

While it is not the intent of this document to widen the technical specification OPERABILITY limits for the SIT, it is important to note that for selected parameters, the assessment of SIT OPERABILITY is rather stringent. The SIT operational parameters are set by the design basis.

Operating experience has demonstrated that many of the causes of SIT inoperability can be diagnosed and corrected within several hours of discovery but longer than a period of one hour from identification.

The restrictive nature of the present AOT has led to a number of entries into the LCO action statements and plant shutdowns. This report proposes that the SIT Inoperable AOT be extended to 24 hours. This time interval is believed to be sufficient to enable the plant personnel to properly diagnose the cause of the SIT malfunction and effect minor repairs. An evaluation of the deterministic and probabilistic effects of extending the AOT to 24 hours indicates that the extension is either "risk beneficial" or at least "risk neutral".

9.2 Functionally OPERABLE SIT

The CEOG endorses a recommendation that, when plant-specific Technical Specifications are amended, the cumulative guidance of NUREG-1432 LCO 3.5.1 and NUREG-1432 SR 3.5.1.4 (Attachment A) should be implemented simultaneously.

10.0 REFERENCES

1. NUREG-1366, "Improvements to Technical Specifications Surveillance Requirements", December 1992.

2. NUREG-1432, "Standard Technical Specifications Combustion Engineering Plants", September 1992.

3. 10 CFR 50.65, Appendix A, "The Maintenance Rule".

4. NUREG-0212, Revision 3, "Standard Technical Specifications for Combustion Engineering Pressurized Water Reactors", July 9, 1982.

5. LWW42-094, Letter from L. Ward (INEL) to Dr. F. Eltawila (NRC), Subject: "Use of MAAP to Support Utility IPE In Vessel and Ex-Vessel Accident Success Criteria", June 1994.

6. NUREG-0800, USNRC Standard Review Plan, Rev. 2, July 1981.

7. TID-14844, "Calculation of Distance Factors for Power Reactor Sites", USAEC, 1962.

8. NUREG-1465, "Accident Source Terms for Light Water Reactors" (Final Draft), August 1994.

9. Letter from Susan C. Black (NRC) to William T. Cottle (Houston Light & Power), "Issuance of Amendment Nos. 59 and 47 to Facility Operating License Nos. NPF-76 and NPF-80 and Related Requests - South Texas Project, Units 1 and 2 (TAC Nos. M76048 and M76049)", March 17, 1994.

10. NUREG/CR-6141, BNL-NUREG-52398, "Handbook of Methods for Risk-Based Analyses of Technical Specifications", P. K. Samanta, I. S. Kim, T. Mankamo, and W. E. Vesely, Published December 1994.

11. "Technical Evaluation of South Texas Project (STP) Analysis for Technical Specification Modifications", P. Samanta, G. Martinez-Guridi, and W. Vesely, Technical Report L-2591, January 11, 1994.

ATTACHMENT A

"Mark-up" of NUREG-1432 SECTIONS 3.5.1 & B 3.5.1

SITs 3.5.1

3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

3.5.1 Safety Injection Tanks (SITs)

LCO 3.5.1 [Four] SITs shall be OPERABLE.

APPLICABILITY: MODES 1 and 2, MODE 3 with pressurizer pressure ≥ [700] psia.

ACTIONS

CONDITION | REQUIRED ACTION | COMPLETION TIME
A. One SIT inoperable due to boron concentration not within limits. | A.1 Restore boron concentration to within limits. | 72 hours

INSERT A

C. One SIT inoperable for reasons other than Condition A or B. | C.1 Restore SIT to OPERABLE status. | 24 hours
D. Required Action and associated Completion Time of Condition A or B not met. | D.1 Be in MODE 3. | 6 hours
 | AND |
 | D.2 Reduce pressurizer pressure to < [700] psia. | 12 hours
E. Two or more SITs inoperable. | E.1 Enter LCO 3.0.3. | Immediately

CEOG STS 3.5-1 Rev. 0, 09/28/92

INSERT A

B. One SIT inoperable due to inability to verify level or pressure. | B.1 Restore SIT to OPERABLE status. | 72 hours

SITs B 3.5.1

BASES

ACTIONS

A.1 (continued)

injection. Thus, 72 hours is allowed to return the boron concentration to within limits.

INSERT AA

If one SIT is inoperable, for a reason other than boron concentration, the SIT must be returned to OPERABLE status within 1 hour. In this Condition, the required contents of three SITs cannot be assumed to reach the core during a LOCA. Due to the severity of consequences should a LOCA occur in these conditions, the 1 hour Completion Time to open the valve, remove power to the valve, or restore the proper water volume or nitrogen cover pressure ensures that prompt action will be taken to return the inoperable accumulator to OPERABLE status. The Completion Time minimizes the exposure of the plant to a LOCA in these conditions.

INSERT AB

D.1 and D.2

If the SIT cannot be restored to OPERABLE status within the associated Completion Time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and pressurizer pressure reduced to < 700 psia within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required plant conditions from full power conditions in an orderly manner and without challenging plant systems.

If more than one SIT is inoperable, the unit is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be entered immediately.

(continued)

CEOG STS B 3.5-7 Rev. 0, 09/28/92

INSERT AA

B.1

Section 7.4 of Reference 5, NUREG-1366, discusses surveillance requirements in technical specifications for the instrument channels used in the measurement of water level and pressure in SITs.

The following statement is made in Section 7.4 of Reference 5:

"The combination of redundant level and pressure instrumentation [for any single SIT] may provide sufficient information so that it may not be worthwhile to always attempt to correct drift associated with one instrument [with resulting radiation exposures during entry into containment] if there were sufficient time to repair one in the event that a second one became inoperable. Because these instruments do not initiate a safety action, it is reasonable to extend the allowable outage for them.

The [NRC] staff, therefore, recommends that an additional condition be established for the specific case, where "One accumulator [SIT] is inoperable due to the inoperability of water level and pressure channels," in which the completion time to restore the accumulator to operable status will be 72 hours. While technically inoperable, the accumulator would be available to fulfill its safety function during this time and, thus, this change would have a negligible increase in risk."

INSERT AB

C.1

If one SIT is inoperable, for a reason other than boron concentration or the inability to verify level or pressure, the SIT must be returned to OPERABLE status within 24 hours. In this Condition, the required contents of three SITs cannot be assumed to reach the core during a LOCA as is assumed in Appendix K to 10 CFR 50.

Reference 6 provides a series of deterministic and probabilistic findings that support 24 hours as being either "risk beneficial" or "risk neutral" in comparison to shorter periods for restoring the SIT to OPERABLE status. Reference 6 discusses best-estimate analysis that confirmed that, during large-break LOCA scenarios, core melt can be prevented by either operation of one Low Pressure Safety Injection (LPSI) pump or the operation of one High Pressure Safety Injection (HPSI) pump and a single SIT. Reference 6 also discusses plant-specific probabilistic analysis that evaluated the risk-impact of the 24 hour recovery period in comparison to shorter recovery periods.

SITs B 3.5.1

BASES (continued)

SURVEILLANCE REQUIREMENTS

SR 3.5.1.1

Verification every 12 hours that each SIT isolation valve is fully open, as indicated in the control room, ensures that SITs are available for injection and ensures timely discovery if a valve should be partially closed. If an isolation valve is not fully open, the rate of injection to the RCS would be reduced. Although a motor operated valve should not change position with power removed, a closed valve could result in not meeting accident analysis assumptions. A 12 hour Frequency is considered reasonable in view of other administrative controls that ensure the unlikelihood of a mispositioned isolation valve.

SR 3.5.1.2 and SR 3.5.1.3

SIT borated water volume and nitrogen cover pressure should be verified to be within specified limits every 12 hours in order to ensure adequate injection during a LOCA. Due to the static design of the SITs, a 12 hour Frequency usually allows the operator sufficient time to identify changes before the limits are reached. Operating experience has shown this Frequency to be appropriate for early detection and correction of off normal trends.

SR 3.5.1.4

Thirty-one days is reasonable for verification to determine that each SIT's boron concentration is within the required limits, because the static design of the SITs limits the ways in which the concentration can be changed. The 31 day Frequency is adequate to identify changes that could occur from mechanisms such as stratification or inleakage. Sampling the affected SIT within 6 hours after a 1% volume increase will identify whether inleakage has caused a reduction in boron concentration to below the required limit. It is not necessary to verify boron concentration if the added water is from the RWT, because the water contained in the RWT is within the SIT boron concentration requirements. This is consistent with the recommendations of NUREG-1366 (Ref. 5).

INSERT AC

(continued)

CEOG STS B 3.5-8 Rev. 0, 09/28/92

INSERT AC

, Reference 6, and Reference 7.

SITs B 3.5.1

BASES

SURVEILLANCE REQUIREMENTS (continued)

SR 3.5.1.5

Verification every 31 days that power is removed from each SIT isolation valve operator when the pressurizer pressure is ≥ 2000 psia ensures that an active failure could not result in the undetected closure of an SIT motor operated isolation valve. If this were to occur, only two SITs would be available for injection, given a single failure coincident with a LOCA. Since installation and removal of power to the SIT isolation valve operators is conducted under administrative control, the 31 day Frequency was chosen to provide additional assurance that power is removed.

This SR allows power to be supplied to the motor operated isolation valves when RCS pressure is < 2000 psia, thus allowing operational flexibility by avoiding unnecessary delays to manipulate the breakers during unit startups or shutdowns. Even with power supplied to the valves, inadvertent closure is prevented by the RCS pressure interlock associated with the valves. Should closure of a valve occur in spite of the interlock, the SI signal provided to the valves would open a closed valve in the event of a LOCA.

REFERENCES

1. IEEE Standard 279-1971.

2. FSAR, Section [6.3].

3. 10 CFR 50.46.

4. FSAR, Chapter [15].

5. NUREG-1366,

CEOG STS B 3.5-9 Rev. 0, 09/28/92

INSERT AD

6. NRC Generic Letter 93-05, "Line-Item Technical Specifications Improvements To Reduce Surveillance Requirements For Testing During Power Operations," September 27, 1993.

7. CE NPSD-994, "CEOG Joint Applications Report for Safety Injection Tank AOT/STI Extension," April 1995.