ML20091G360

Proposed Tech Specs Re Extension of Allowed Outage Time for an Inoperable Low Pressure SI Pump
ML20091G360
Person / Time
Site: Fort Calhoun, Omaha Public Power District
Issue date: 06/26/1995
From:
OMAHA PUBLIC POWER DISTRICT
To:
Shared Package
ML20091G354 List:
References
NUDOCS 9507100071


Text

2.0 LIMITING CONDITIONS FOR OPERATION 2.3 Emergency Core Cooling System (Continued)

(2) Modification of Minimum Requirements During power operation, the Minimum Requirements may be modified to allow one of the following conditions to be true at any one time. If the system is not restored to meet the minimum requirements within the time period specified below, the reactor shall be placed in a hot shutdown condition within 12 hours. If the minimum requirements are not met within an additional 48 hours the reactor shall be placed in a cold shutdown condition within 24 hours.

a. One low-pressure safety injection pump may be inoperable provided the pump is restored to operable status within 7 days.
b. One high-pressure safety injection pump may be inoperable provided the pump is restored to operable status within 24 hours.
c. One shutdown heat exchanger and two of four component cooling water heat exchangers may be inoperable for a period of no more than 24 hours.
d. Any valves, interlocks or piping directly associated with one of the above components and required to function during accident conditions shall be deemed to be part of that component and shall meet the same requirements as listed for that component.
e. Any valve, interlock or piping associated with the safety injection and shutdown cooling system which is not covered under d. above but which is required to function during accident conditions may be inoperable for a period of no more than 24 hours.
f. One safety injection tank may be inoperable for a period of no more than one hour.
g. Level and pressure instrumentation on one safety injection tank may be inoperable for a period of one hour.


2.0 LIMITING CONDITIONS FOR OPERATION 2.3 Emergency Core Cooling System (Continued)

The operable status of the various systems and components is to be demonstrated by periodic tests. A large fraction of these tests will be performed while the reactor is operating in the power range.

If a component is found to be inoperable, it will be possible in most cases to effect repairs and restore the system to full operability within a relatively short time. For a single component to be inoperable does not negate the ability of the system to perform its function. If it develops that the inoperable component is not repaired within the specified allowable time period, or a second component in the same or related system is found to be inoperable, the reactor will initially be put in the hot shutdown condition to provide for reduction of cooling requirements after a postulated loss-of-coolant accident. This will also permit improved access for repairs in some cases. After a limited time in hot shutdown, if the malfunction(s) is not corrected, the reactor will be placed in the cold shutdown condition utilizing normal shutdown and cooldown procedures. In the cold shutdown condition, release of fission products or damage of the fuel elements is not considered possible.

The plant operating procedures will require immediate action to effect repairs of an inoperable component and therefore in most cases repairs will be completed in less than the specified allowable repair times. The limiting times to repair are intended to assure that operability of the component will be restored promptly and yet allow

The time allowed to repair a low pressure safety injection pump is based on the deterministic and probabilistic analyses of CE NPSD-995, "CEOG Joint Applications Report for Low Pressure Safety Injection System AOT Extension," May 1995. These analyses concluded that the overall risk impact of the completion time is either risk beneficial or risk neutral.

The requirement for core cooling in case of postulated loss-of-coolant accident while in the hot shutdown condition is significantly reduced below the requirements for a postulated loss-of-coolant accident during power operation. Putting the reactor in the hot shutdown condition reduces the consequences of a loss-of-coolant accident and also allows more free access to some of the engineered safeguards components in order to effect repairs.

Failure to complete repairs within 48 hours of going to the hot shutdown condition is considered indicative of a requirement for major maintenance and, therefore, in such a case, the reactor is to be put into the cold shutdown condition.

With respect to the core cooling function, there is functional redundancy over most of the range of break sizes.*

The LOCA analysis confirms adequate core cooling for the break spectrum up to and including the 32 inch double-ended break assuming the safety injection capability which most adversely affects accident consequences and are defined as follows. The entire contents of all four safety injection tanks are assumed to

U.S. Nuclear Regulatory Commission LIC-95-0112 ATTACHMENT B

DISCUSSION, JUSTIFICATION AND NO SIGNIFICANT HAZARDS CONSIDERATION

DISCUSSION AND JUSTIFICATION

The Omaha Public Power District (OPPD) proposes the following revisions to the Fort Calhoun Station (FCS) Unit No. 1 Technical Specifications (TS) based on Combustion Engineering Owners Group (CEOG) Report CE NPSD-995, "Joint Applications Report for Low Pressure Safety Injection System AOT Extension."

1. The TS 2.3(2)a allowed outage time (AOT) for a single low pressure safety injection (LPSI) pump is proposed to be extended from 24 hours to seven (7) days.

2. OPPD proposes to add a paragraph to the Basis Section of TS 2.3, stating that the overall risk impact of the proposed AOT is either risk beneficial or risk neutral.

BACKGROUND

The LPSI system and the high pressure safety injection (HPSI) system are subsystems of the emergency core cooling system (ECCS). The two LPSI pumps are high volume, low head centrifugal pumps designed to supplement the safety injection tank (SIT) inventory in reflooding the reactor vessel to insure core cooling during the early stages of a large loss of coolant accident (LOCA).

The LPSI pumps take suction from the safety injection and refueling water tank (SIRWT), during the injection phase of a LOCA event, and pump the water through a common discharge header. After penetrating containment, the LPSI header splits into four injection paths, with individual injection valves. Once inside containment, the LPSI headers combine with HPSI and SIT discharge piping and direct flow through a common injection header into each of the four reactor coolant system cold legs and into the reactor vessel. When SIRWT level is drawn down by inventory transfer during the injection phase, a SIRWT tank low signal (STLS) initiates a recirculation actuation signal (RAS) that stops the LPSI pumps, and shifts suction of the ECCS pumps from the SIRWT to the containment sump. This is necessary to insure that adequate net positive suction head remains available for the HPSI pumps and containment spray pumps.

The LPSI system is also used in conjunction with a portion of the containment spray system for decay heat removal in the shutdown cooling alignment.


DISCUSSION OF CHANGE

The current FCS Unit No. 1 Technical Specifications address the ECCS as individual components. TS 2.3(1)e requires that two independent LPSI pumps be operable. With one LPSI pump inoperable, the pump must be returned to operable status within 24 hours or the plant must be placed in hot shutdown within the following 12 hours. The proposed change will allow up to seven (7) days to restore operability to a LPSI pump. The CEOG Report, CE NPSD-995, explores the proposed change utilizing current probabilistic safety analysis (PSA) methodologies to address the changes in risk when compared with current TS time limitations.

The CEOG report reviewed the risk factors that are impacted by extending the AOT for a single LPSI pump from 24 hours to seven (7) days, and determined that the increase in risk is negligible. In order to perform a more complete assessment of the overall change in risk, an accounting for avoided risks associated with reducing power and going to hot or cold shutdown must also be considered. This "transition risk" is important in understanding the trade-off between shutting down the plant compared with restoring the LPSI pump to operability while at power. Also of interest in assessing overall plant risk is the risk avoided based on LPSI system maintenance while in cold shutdown. Every time the plant is placed in cold shutdown, the LPSI system is required for decay heat removal when in the shutdown cooling mode of operation. Any maintenance performed on the LPSI system during shutdown cooling operations adds to the risk of a loss of shutdown cooling event. Therefore, performing LPSI system maintenance with the unit on-line, when the LPSI system is not normally in demand, represents a decrease in shutdown risk.

The results of this study concluded that the change in core damage frequency due to increasing the LPSI AOT from 24 hours to seven (7) days is insignificant. Additionally, when the reduction in transition and shutdown risks are considered, it can be shown that there is an overall reduction in plant risk. Thus, it is the conclusion of the study that the overall plant impact will be either risk beneficial or risk neutral.


BASIS FOR NO SIGNIFICANT HAZARDS CONSIDERATION:

The Omaha Public Power District (OPPD) proposes to revise Technical Specification (TS) 2.3(2)a by extending the allowed outage time (AOT) for a low pressure safety injection (LPSI) pump from 24 hours to seven (7) days.

OPPD also proposes to add a paragraph to the Basis Section of TS 2.3, stating that the overall risk impact of the AOT is either risk beneficial or risk neutral. These proposed changes do not involve significant hazards considerations because operation of Fort Calhoun Station Unit No. 1 in accordance with these changes would not:

(1) Involve a significant increase in the probability or consequences of an accident previously evaluated.

The low pressure safety injection (LPSI) system is part of the emergency core cooling system. Inoperable LPSI components are not accident initiators in any accident previously evaluated. Therefore, these changes do not involve an increase in the probability of an accident previously evaluated.

The LPSI system is primarily designed to mitigate the consequences of a large loss of coolant accident (LOCA). These proposed changes do not affect any of the assumptions in the deterministic LOCA analysis.

Hence the consequences of accidents previously evaluated do not change.

In order to fully evaluate the LPSI allowed outage time (A0T) extension, probabilistic safety analysis (PSA) methods were utilized.

The results of these analyses show no significant increase in the core damage frequency. As a result, there would be no significant increase in the consequences of an accident previously evaluated.

These analyses are detailed in CE NPSD-995, "Combustion Engineering Owners Group Joint Applications Report for Low Pressure Safety Injection System AOT Extension."

The CEOG report reviewed the risk factors that are impacted by extending the AOT for a single LPSI pump from 24 hours to seven (7) days, and demonstrates that the increase in risk is negligible. In order to perform a more complete assessment of the overall change in risk, an accounting for avoided risks associated with reducing power and going to hot or cold shutdown was also considered. This "transition risk" is important in understanding the trade-off between the risk of shutting down the plant compared with restoring a LPSI pump to operability while at power.

In assessing overall plant risk, the risk avoided based on LPSI system maintenance while in cold shutdown must also be considered. Every time the plant is placed in cold shutdown, the LPSI system is required for decay heat removal when in the shutdown cooling mode of operation. Maintenance performed on the LPSI system during shutdown cooling operations may add to the risk of a loss of shutdown cooling event. Therefore, performing LPSI system maintenance with the unit on-line, when the LPSI system is not normally in demand, represents a decrease in shutdown risk.

The CE study concluded that the change in core damage frequency due to increasing the LPSI AOT from 24 hours to seven (7) days is insignificant. Additionally, when the reduction in transition and shutdown risks are considered, it can be shown that there is an overall reduction in plant risk. Thus, it is the conclusion of the study that the overall plant impact will either be risk beneficial or risk neutral.

Therefore, the proposed changes would not increase the probability or consequences of an accident previously evaluated.

(2) Create the possibility of a new or different kind of accident from any accident previously evaluated.

There will be no physical alterations to the plant configuration, changes to setpoint values, or changes to the implementation of setpoints or limits as a result of the proposed changes. Therefore, the proposed changes do not create the possibility of a new or different kind of accident from any previously evaluated.

(3) Involve a significant reduction in a margin of safety.

These proposed changes do not affect the limiting conditions for operation or their bases used in the deterministic analyses to establish the margin of safety. PSA evaluations were used to evaluate this change. These evaluations demonstrate that the changes are either risk neutral or risk beneficial. These evaluations are detailed in CE NPSD-995. Therefore, the proposed changes do not involve a significant reduction in the margin of safety.

Therefore, based on the above considerations, it is OPPD's position that this amendment does not involve significant hazards considerations as defined by 10 CFR 50.92 and the proposed changes will not result in a condition which significantly alters the impact of the Station on the environment. Thus, the proposed changes meet the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9) and pursuant to 10 CFR 51.22(b) no environmental assessment need be prepared.


U.S. Nuclear Regulatory Commission LIC-95-0112

ATTACHMENT C

COMBUSTION ENGINEERING OWNERS GROUP

CE NPSD-995

Joint Applications Report for Low Pressure Safety Injection System AOT Extension

Final Report CEOG TASK 836

prepared for the C-E OWNERS GROUP

May 1995

Copyright 1995 Combustion Engineering, Inc. All rights reserved

ABB Combustion Engineering Nuclear Operations

LEGAL NOTICE

This report was prepared as an account of work sponsored by the Combustion Engineering Owners Group and ABB Combustion Engineering. Neither Combustion Engineering, Inc. nor any person acting on its behalf:

A. makes any warranty or representation, express or implied including the warranties of fitness for a particular purpose or merchantability, with respect to the accuracy, completeness, or usefulness of the information contained in this report, or that the use of any information, apparatus, method, or process disclosed in this report may not infringe privately owned rights; or

B. assumes any liabilities with respect to the use of, or for damages resulting from the use of, any information, apparatus, method or process disclosed in this report.

Combustion Engineering, Inc.

TABLE OF CONTENTS

LIST OF TABLES

1.0 PURPOSE
2.0 SCOPE OF PROPOSED CHANGES TO TECHNICAL SPECIFICATIONS
3.0 BACKGROUND
4.0 SUMMARY OF APPLICABLE TECHNICAL SPECIFICATIONS
4.1 Standard Technical Specifications
4.2 "Customized" Technical Specifications
5.0 SYSTEM DESCRIPTION AND OPERATING EXPERIENCE
5.1 System Description
5.2 Operating Experience
5.2.1 Preventive Maintenance
5.2.2 Surveillance Testing of LPSI System Valves
5.2.3 Corrective Maintenance
5.2.4 Related Licensing Actions
6.0 TECHNICAL JUSTIFICATION FOR AOT EXTENSION
6.1 Statement of Need
6.2 Assessment of Deterministic Factors
6.2.1 Thermal-Hydraulic Considerations
6.2.2 Radiological Release Considerations
6.3 Assessment of Risk
6.3.1 Overview
6.3.2 Assessment of "At Power" Risk
6.3.3 Assessment of Transition Risk
6.3.4 Assessment of Shutdown Risk
6.3.5 Assessment of Large Early Release
6.3.6 Summary of Risk Assessment
6.4 Compensatory Measures
7.0 TECHNICAL JUSTIFICATION FOR STI EXTENSION
8.0 PROPOSED MODIFICATIONS TO NUREG-1432
9.0 SUMMARY AND CONCLUSIONS
10.0 REFERENCES
ATTACHMENT A "Mark-up" of NUREG-1432 SECTIONS 3.5.2 & B 3.5.2

LIST OF TABLES

4.2-1 COMPARISON OF LPSI SYSTEM AOTs AMONG CE PWRs WITH CUSTOMIZED TECHNICAL SPECIFICATIONS
5.2-1 COMPARISON OF MAINTENANCE REPAIR TIMES FOR LPSI SYSTEM COMPONENTS
6.2.1-1 COMPARISON OF SECONDARY SIDE HEAT REMOVAL CAPABILITY
6.3.2-1 CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR LPSI - CM
6.3.2-2 CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR LPSI - PM
6.3.2-3 CEOG PROPOSED AVERAGE CDFs
6.3.3-1 TRANSITION RISK CONTRIBUTIONS FOR LPSI SYSTEM CM
6.3.4-1 EFFECTS OF IMPROVED LPSI RELIABILITY AT SHUTDOWN

LPSI System AOT Extension

1.0 PURPOSE

This report provides the results of an evaluation of the extension of the Allowed Outage Time (AOT) for a single Low Pressure Safety Injection (LPSI) train from its present value (24 or 72 hours), to seven days. The AOT is contained within current technical specifications for each licensed CE NSSS. This AOT extension is sought to provide needed flexibility in the performance of both corrective and preventive maintenance during power operation.

Justification of this request is based on an integrated review and assessment of plant operations, deterministic/design basis factors and plant risk. Results of this study demonstrate that the proposed AOT extension provides plant operational flexibility while simultaneously reducing overall plant risk.

This request for AOT extension is consistent with the objectives and the intent of the Maintenance Rule (Reference 1). The Maintenance Rule will be the vehicle which controls the actual maintenance cycle by defining unavailability performance criteria and assessing maintenance risk. The AOT extension will allow efficient scheduling of maintenance within the boundaries established by implementing the Maintenance Rule. The CE plants are in the process of implementing the Maintenance Rule, and are presently setting targets for unavailability of systems and trains. Therefore, this effort is seen as timely, supportive and integral to the Maintenance Rule program.

2.0 SCOPE OF PROPOSED CHANGES TO TECHNICAL SPECIFICATIONS

The proposed technical specification change addresses revising the existing AOT requirement for the operation of the Low Pressure Safety Injection (LPSI) subsystems of the Emergency Core Cooling System (ECCS). Specifically, it is proposed that the AOT for a single INOPERABLE LPSI train be extended from its present value (24 or 72 hours, depending on the plant) to 7 days (168 hours). For the purposes of this report, a LPSI train is defined as one pump, and two injection flow paths, including motor-operated valves (MOVs) operated by a common AC power source.

3.0 BACKGROUND

In response to the NRC's initiative to improve plant safety while granting relief to utilities from those requirements that are marginal to safety, the CEOG has undertaken a program of obtaining relief from overly restrictive technical specifications. As part of this program, several technical specification AOTs and STIs were identified for joint action.

This report provides support for modifying Technical Specifications concerning the Emergency Core Cooling System in order to provide an AOT for up to 7 days for one "INOPERABLE" LPSI train. The intent of this AOT extension is to enhance overall plant safety by avoiding potential unscheduled plant shutdowns and providing for increased flexibility in scheduling and performing maintenance and surveillance activities. This effort is being pursued as a joint CEOG activity.

This report provides generic information supporting these changes, as well as the necessary plant specific information to demonstrate the impact of these changes on an individual plant basis.

The supporting/analytical material contained within the document is considered applicable to all CEOG member utilities regardless of the category of their Plant Technical Specifications.

4.0 SUMMARY OF APPLICABLE TECHNICAL SPECIFICATIONS

There are three distinct categories of Technical Specifications at CE NSSS plants.

The first category is called the Standard Technical Specifications. Through February 1995, NUREG-0212, Revision 03, commonly referred to as "Standard Technical Specifications," has provided a model for the general structure and content of the approved technical specifications for many of the domestic CE NSSS plants.

The second category corresponds to the Improved Standard Technical Specifications (ISTS) guidance that is provided in NUREG-1432, Revision 0, dated September 1992. A licensing amendment submittal to change the Technical Specifications for San Onofre Nuclear Generation Station Units 2 & 3 so as to implement this guidance was submitted to the NRC in December 1993. Additionally, licensing amendment submittals are being developed that will modify the technical specifications for Palisades to implement the ISTS guidance.

The third category includes those technical specifications (TSs) that have structures other than those that are outlined in either NUREG-0212 (Reference 2) or NUREG-1432 (Reference 3). These TSs are generally referred to as "customized" technical specifications and are associated with the early CE PWRs. The CE NSSS plants that currently have "customized" technical specifications are: Palisades, Maine Yankee, and Ft. Calhoun Station.

Each of these three categories of Technical Specifications includes operating requirements for the Low Pressure Safety Injection (LPSI) subsystems.

4.1 Standard Technical Specifications

The requirements for LPSI subsystems during power operations are embedded in the requirements for Emergency Core Cooling trains/subsystems in the standard technical specifications of NUREG-0212, Revision 03 and NUREG-1432, Revision 0. In LCO 3.5.2 of NUREG-0212, Revision 03, each OPERABLE independent Emergency Core Cooling System subsystem includes one OPERABLE low-pressure safety injection pump.

LCO 3.5.2 of NUREG-1432 addresses two redundant, 100% capacity ECCS trains, each consisting of high pressure safety injection (HPSI), low pressure safety injection (LPSI), and charging subsystems.

Hence, any maintenance, repair or surveillance test that would render a LPSI subsystem inoperable would also result in the INOPERABILITY of the corresponding ECCS train/subsystem of the standard technical specifications.

The requirements of these same standard technical specifications allow the continuation of power operations with one inoperable ECCS train/subsystem for a maximum of 72 hours. Hence, if a single ECCS train is rendered inoperable due to a set of factors that includes on-line maintenance or repair of the components of a LPSI subsystem, the OPERABILITY of that ECCS train must be restored within 72 hours (including the OPERABILITY of the affected LPSI subsystem); or the plant must be shut down and depressurized below the shutoff head of the HPSI Pumps.

4.2 "Customized" Technical Specifications

Customized technical specifications for the LPSI System differ from the STS in the duration of the specified AOT, the linkage between the LPSI and other ECCS AOTs and the details of the subsequent ACTION statements. For plants with Customized technical specifications, the defined AOTs for LPSI system Out of Service (OOS) are presented in Table 4.2-1.

Table 4.2-1
COMPARISON OF LPSI SYSTEM AOTs AMONG CE PWRs WITH CUSTOMIZED TECHNICAL SPECIFICATIONS

PLANT                  ALLOWED OUTAGE TIME (HRS)
Ft. Calhoun Station    24
Maine Yankee           72
Palisades              24

5.0 SYSTEM DESCRIPTION AND OPERATING EXPERIENCE

5.1 System Description

The LPSI System provides inventory to the RCS following a large Loss of Coolant Accident (LOCA). This inventory injection supplements the RCS inventory addition due to the SITs and aids in ensuring core cooling during the early stages of a large LOCA. In addition, many components of the LPSI System are shared with the shutdown cooling system. In that capacity, the LPSI pump and selected components serve to circulate water through the RCS and support long term core decay heat removal.

Safety Injection and Recirculation

During an accident, the LPSI system is actuated by a Safety Injection Actuation Signal (SIAS). The SIAS is automatically initiated upon a coincident two-out-of-four Pressurizer Pressure Low Signals or two-out-of-four Containment Pressure High Signals. Safety Injection can also be manually initiated. Upon SIAS, the two LPSI pumps are automatically started and the injection valves are opened.

The LPSI pump then recirculates the Safety Injection water through the minimum recirculation valves until the RCS pressure becomes low enough to allow flow into the RCS. During the injection mode, the LPSI pumps take suction from a borated water source. The pumps discharge flow into the low pressure injection header which is connected to the RCS cold legs. The valve connecting the LPSI pump discharge to the shutdown cooling heat exchangers is locked closed during normal operation and remains closed during the safety injection mode.

Shutdown Cooling System

During normal shutdown mode operation (Modes 4, 5 and 6), the components of the LPSI System are realigned to configure the Shutdown Cooling System (SDCS). In this configuration, the LPSI pump takes suction from the RCS hot leg, transports the hot RCS liquid through the SDC heat exchanger and discharges cooler water into the RCS cold leg.

For all CE PWRs, the containment spray pump can be used in place of an inoperable LPSI pump for the function of shutdown cooling. This would depend upon the accident/plant operating mode and would require a manual alignment.

5.2 Operating Experience

5.2.1 Preventive Maintenance (PM)

In order to perform preventive maintenance during power operation, the plant must voluntarily enter into a Limiting Condition for Operation (LCO) action statement. The NRC has been aware of this practice and has issued an NRC Inspection Manual (Reference 4), providing the general safety principles that the NRC inspectors are to use in assessing the appropriateness of the utilities' "on-line" maintenance activities and to ensure that proper use is made of the plant AOTs. In response to the NRC technical guidance statement, many nuclear utilities have voluntarily adopted administrative guidelines for voluntary entry into an LCO ACTION statement. This administrative guidance typically requires that a plan must exist for completing the associated maintenance within a period that is considerably shorter than the duration of the allowed outage time (AOT) specified in the LCO ACTION statement. In addition, the risk associated with such maintenance is also assessed.

Operating experience has demonstrated that many types of preventive maintenance on LPSI train components (including post-maintenance verifications and tests) require a period of less than 24 hours. Typical activities associated with preventive maintenance for a LPSI pump include:

- change of oil

- lubrication

- replacement/tightening of packing

- bearing replacement

Preventive maintenance activities (PMs) associated with valves within the LPSI system include:

- valve overhaul

- valve repacking

Typically, pump PMs require less than 24 hours to complete and valve PMs can generally be performed in 8 hours or less.

When performed properly, preventive maintenance on single LPSI System components can be completed within the 3 day AOT which is available to most CE NSSS PWRs. However, the AOT extension would allow for more flexibility in both performing and scheduling of the PM. This will have a positive influence in limiting plant risk by:

(1) reducing the number of entries into LCO ACTION statements by allowing a more complete maintenance program during a single AOT,

(2) reducing the need for simultaneous common system PM operations so as to allow expeditious return of the system to on-line status in the event of a site emergency, and

(3) reducing time stress on the maintenance staff during shutdown by allowing adequate time to perform LPSI maintenance at power.

Preventive maintenance on LPSI subsystems that is postponed until the plant is in shutdown mode can limit the availability of operable standby SDC trains during a plant outage. Since the LPSI pump provides the primary motive force for core cooling during shutdown, the risk associated with this unavailability can exceed that associated with performing the equivalent maintenance at power. This issue is addressed in Section 6.3.

5.2.2 Surveillance/Testing of LPSI System Valves

The technical specifications require testing of several motor operated valves within the LPSI system. This testing may be performed either at power or during a plant shutdown.

Surveillance testing of the MOVs at power requires that the MOV operating torque and flow characteristics be within a specified band. Testing times can vary from under one hour to more than 8 hours. Since this test can be performed so as to minimally disable a portion of the LPSI System, its actual impact on risk is negligible. This results from the fact that during most of the duration of the test (with the exception of the several minute stroke test) the valve position can be maintained in its emergency position.

If there were a longer AOT, a larger block of valves could be tested in a defined time frame.

With longer AOTs, this concentration of testing can be performed in a more orderly fashion and with fewer individual entries into the plant LCO ACTION statements. An extended AOT will also provide sufficient time to correct any problems found as a result of the surveillance.

5.2.3 Corrective Maintenance (CM)

Corrective maintenance in the LPSI System involves both pump and valve repair. In practice, the term corrective maintenance is typically used for the repair of a component resulting from an observable malfunction which may or may not compromise the ability of the system or component to perform its safety function. This terminology typically lumps corrective maintenance on LPSI pumps due to small oil/water leaks (which do not necessarily impair pump function) into the same category as more extreme failures such as debilitating pump motor failures.

All utilities involved in this task have indicated mean LPSI pump repair times of under 24 hours with the longer repairs taking up to 72 hours (See Table 5.2-1). It is expected that failures that render the LPSI pump non-functional will be skewed to the higher repair times. Parts accessibility may further stretch the repair. Since many existing failures will be diagnosed following a component surveillance, insufficient time may be available in the AOT to assure task completion prior to exceeding the AOT.

Another class of LPSI System components that requires surveillance and periodic repair are the Motor Operated Valves (MOVs). Surveillance of these valves involves detailed testing procedures. During the testing, the AOT is entered and the valve is declared INOPERABLE. In order for the valve to be considered OPERABLE, the valve characteristics must be measured to be within a specified band of torque and flow. If these parameters fall outside the defined bands, the MOV is technically considered INOPERABLE and must be repaired in the remainder of the AOT. Failure to repair and re-diagnose the valve as OPERABLE would result in the applicability of other LCO action requirements to bring the plant to a safe shutdown mode within a relatively short period of time or development of a Justification for Continued Operation (JCO). Past testing has resulted in the identification of a malfunctioning MOV which was repaired and declared OPERABLE within one hour of the expiration of the 72 hour AOT. Table 5.2-1 provides the comparison of maintenance repair times for LPSI components. These examples illustrate that there is a need for a longer AOT.

5.2.4 Related Licensing Actions

Over the past two years the industry has been applying results from PRA sensitivity studies as a basis for eliminating requirements that are marginal to safety. Elimination of requirements marginal to safety includes, among many other things, the relaxation of Technical Specifications (TS). Recently South Texas Project (STP) proposed 22 Technical Specification changes to the NRC for relaxation (Reference 5).

The TS changes requested by STP were of two types: extending allowed outage time (AOT) and extending Surveillance Test Intervals (STI). Of the 22 proposed TS changes, 6 were withdrawn by STP. Of the remaining 16 proposed changes, quantitative evaluations were performed by STP in support of 11 of them using the plant PSA model. Qualitative explanations are presented by STP for the remaining 5 to support the proposed extensions. The ECCS, including LPSI, HPSI and SIT, was among the systems for which TS relaxation was sought.

The AOT for the ECCS was requested to be extended from 72 hours to 10 days; the NRC granted the extension to 7 days.

Table 5.2-1 COMPARISON OF MAINTENANCE REPAIR TIMES FOR LPSI SYSTEM COMPONENTS

| PLANT | MEAN TIME TO REPAIR (HR) | RANGE OF REPAIR TIMES |
|---|---|---|
| Ft. Calhoun Station | 13 hrs | 1 hr - 23 hrs |
| Maine Yankee | 16.8 hrs | 1.5 hrs - 32 hrs |
| Palisades | * | * |
| Calvert Cliffs 1 & 2 | 11.8 hrs | 3 - 27 hrs |
| Millstone 2 | 4.7 hrs | not available |
| St. Lucie 1 & 2 | 10.69 hrs | < 1 hr - 72 hrs |
| ANO-2 | * | * |
| Waterford 3 | 17.6 hrs | 16.0 - 20.8 hrs |
| San Onofre 2 & 3 | * | * |
| Palo Verde 1, 2 & 3 | 3.6 hrs | 1.6 - 46.5 hrs |
| Generic | 11.1 hrs | - |

* Plant specific data is not available. Repair experience is expected to be similar to that of other CE PWRs.

6.0 TECHNICAL JUSTIFICATION FOR AOT EXTENSION

This section presents an integrated assessment of the proposed AOT extension. The focus of the assessment includes motivation and need for technical specification change, the impact of the change on the plant design basis event and a probabilistic risk assessment. Section 6.1 presents a summary statement of the need for the AOT extension. The supporting information for this section has been previously presented in Section 5. Section 6.2 provides an assessment of deterministic factors, particularly those associated with the plant design basis.

The following sections generally follow the NRC guidance set forth in Reference 6 for risk based justification of changes to the technical specifications. The probabilistic risk assessment for this AOT extension is contained in Section 6.3, including consideration of risks of mode transition and plant shutdown.

Compensatory actions that may be applicable to this AOT extension are summarized in Section 6.4.

6.1 Statement of Need

The primary role of LPSI trains during power operation is to contribute to the mitigation of a large LOCA. Its value in the post-LOCA core cooling process is established by a conservative set of rules set forth in 10 CFR 50.46. The frequency of the large LOCA event is on the order of 10^-4 per year. In contrast, during shutdown, the operability of at least one LPSI pump and subtrain are required at all times for RCS heat removal. Thus, in this macroscopic view, performing preventive and corrective maintenance "at power" on LPSI trains contributes to an overall enhancement in plant safety by increasing the availability of LPSI pumps for shutdown cooling during Modes 3 through 6.

Much of the maintenance performed on a LPSI subtrain requires the subtrain to be tagged out for periods of less than one day. However, in some instances, corrective maintenance of the LPSI pump and valves and testing of valves may require taking one subtrain of the LPSI System out of service for more than several days. Recent experience has resulted in a MOV repair completed within one hour of the existing AOT. Thus, repair within the existing AOT cannot be guaranteed and may result in an unscheduled plant shutdown, or request for a temporary exemption to allow continued plant operation. To avoid these outcomes, a less restrictive AOT is required.

From a practical viewpoint, a 7-day AOT would allow the maintenance staff flexibility to more safely schedule maintenance and procedures. Based on a review of the maintenance requirements on the LPSI System for CE PWRs it was determined that a 7-day AOT would provide sufficient margin to effect most anticipated preventive and corrective maintenance activities and "on-line" LPSI System valve surveillance tests.

6.2 Assessment of Deterministic Factors

6.2.1 Thermal-Hydraulic Considerations

LOCA

In the early 1970's, the NRC defined deterministic acceptance criteria (10CFR50.46) and prescriptive guidance (Appendix K to 10CFR50) for evaluating the performance of the Emergency Core Cooling System (ECCS) following a loss of coolant accident (LOCA).

The Emergency Core Cooling System (ECCS) acceptance criteria from 10 CFR 50.46 are the following:

a. Maximum fuel element cladding temperature is ≤ 2200 Degrees Fahrenheit;

b. Maximum cladding oxidation is ≤ 0.17 times the total cladding thickness before oxidation;

c. Maximum hydrogen generation from a zirconium water reaction is < 0.01 times the hypothetical amount that would be generated if all of the metal in the cladding cylinders surrounding the fuel, excluding the cladding surrounding the plenum volume, were to react; and

d. The core is maintained in a coolable geometry.

In order to meet these acceptance criteria, the designs of CE NSSS Emergency Core Cooling Systems have included the following elements:

1) A high pressure safety injection capability for providing delivery of coolant to the RCS during the early phase of the blowdown process, and matching boil-off to maintain inventory during the later phases following reflooding of the core;

2) A passive safety injection capability provided via Safety Injection Tanks (SITs) providing a one time, rapid inventory injection into the RCS as the RCS depressurizes below a low pressure setpoint; and

3) A low pressure coolant injection capability for providing high mass flow to the RCS at low RCS pressures.

These design elements and the corresponding system operability requirements in the Technical Specifications have been based on a limiting design basis accident scenario. This limiting scenario has been a large break LOCA in combination with a loss of offsite power and the "worst" single equipment failure.

To cope with the large loss of RCS inventory during a large LOCA an Emergency Core Cooling System consisting of a triad of water injection systems was devised. For CE PWRs, the components of the ECCS typically included 4 passively actuated SITs, two HPSI pumps and two LPSI pumps. The SITs were designed with the task of rapidly providing liquid inventory to reflood a voided core. The role of the HPSI pumps was primarily to supply inventory for smaller LOCAs and provide long term inventory control for the large break LOCAs. The results of analysis using prescriptive methods, defined in Appendix K to 10CFR50, showed that the anticipated performance of HPSI and SITs did not result in meeting the ECCS performance criteria. These analyses indicated a short lived need for an additional high volumetric flow pump. A major function of this pump was to replenish inventory conservatively predicted to be lost within the Appendix K framework.

Recent best estimate analyses for a typical PWR, Reference 7, confirmed that for large break LOCAs, incipient core melt can be prevented by operation of combinations of ECCS subsystems other than those that are currently defined in ECCS Operability requirements. In particular, the results of Reference 7 demonstrated that the operation of a single LPSI pump or the operation of one High Pressure Safety Injection (HPSI) pump and a single SIT could maintain the Appendix K criteria during a design base large LOCA scenario.

Additionally, new deterministic analyses of large break LOCA initiating events (up to break areas of 5 square feet) were performed for one plant in support of the Individual Plant Examination (IPE)/Probabilistic Safety Analyses (PSA), Reference 8. These analyses, performed using the CENTS code, showed that LPSI trains were not needed to successfully mitigate the consequences of such scenarios.

Steam Generator Tube Rupture (SGTR) Event

Another role for the LPSI is in defining the end state for a design basis SGTR event with or without a concurrent loss of off-site power. In the design basis construction of this event, the HPSI functions to maintain the core covered at all times and the LPSI is required to effect shutdown cooling (SDC) and thereby terminate the event. SDC is initiated after the break has been isolated and the radioactive releases have been controlled.

In the event that one LPSI is out of service and the second LPSI fails, the operator can continue to control the event by steaming of the unaffected steam generator. This cooling mechanism can be maintained indefinitely provided condensate is available to the unaffected generator. Without considering condensate storage tank refill, CE plants have sufficient inventory to steam the affected steam generator for between six to more than 45 hours. All plants have provisions in procedures for continued makeup to the condensate tank to prevent the depletion of the CST inventory. Many of the plants on multiple unit sites also have the ability to cross-connect condensate tanks for the various units. A summary of estimated times for CST inventory depletion following a SGTR without SDC is provided in Table 6.2.1-1. CE PWRs also have the ability to realign the containment spray pumps to provide RCS shutdown cooling capability.

Table 6.2.1-1 COMPARISON OF SECONDARY SIDE HEAT REMOVAL CAPABILITY

| PLANT | THERMAL POWER RATING | CONDENSATE STORAGE CAPACITY | CONDENSATE STORAGE DEPLETION TIME | PROCEDURES TO REPLENISH CONDENSATE STORAGE | CSTs OF MULTIPLE UNIT SITES CAN BE CROSS-CONNECTED |
|---|---|---|---|---|---|
| Ft. Calhoun Station | 1500 MWt | 350,000 gal (maximum useable) | 45 hrs. w/o credit for refill of EFWST or CST | yes (to refill CST or EFWST) | N/A |
| Palisades | 2530 MWt | 100,000 gal (T.S. minimum) | 8 hrs | yes | N/A |
| Maine Yankee | 2700 MWt | 159,975 gal (maximum useable) | 5+ hrs @ 525 gpm EFW flow | yes (to refill DWST) | N/A |
| Calvert Cliffs 1 & 2 | 2700 MWt | 150,000 gal per unit (T.S. minimum) - 300,000 gal shared | > or equal to 10 hours | yes | yes |
| St. Lucie 1 | 2700 MWt | 116,000 gal (T.S. minimum) | approx. 10 hours | yes | yes |
| St. Lucie 2 | 2700 MWt | 307,000 gal (T.S. minimum) | > 24 hours | yes | available but not required |
| Millstone 2 | 2700 MWt | 150,000 gal (T.S. minimum) | 10 hrs at 300 gpm | yes | no |
| ANO-2 | 2815 MWt | 160,000 gal (T.S. minimum); 400,000 (maximum) - EFW suction source is Service Water and this source is infinite | 5.5 hours @ 485 gpm (for T.S. minimum); > 30 hrs (for maximum volume) | yes | yes |
| Waterford 3 | 3410 MWt | 170,000 gal (T.S. minimum) | 9 hrs w/o backup water sources | yes | N/A |
| Palo Verde 1, 2 & 3 | 3800 MWt | 300,000 gal (T.S. minimum) | > 24 hours | yes | yes |
| San Onofre 2 & 3 | 3410 MWt | 424,000 gal (T.S. minimum) | > 24 hours | yes | yes |

6.2.2 Radiological Release Considerations

LOCA

The design basis calculation of radiological consequences of the large LOCA are based on a combination of very conservative assumptions. The design basis for radiological releases following a LOCA is set forth in 10 CFR 100, "Reactor Site Criteria", and detailed in SRP 15.6.5, Reference 9. In practice the 10 CFR 100 radiation release criteria are achieved via reliance on the 1962 "source term" outlined in the Atomic Energy Commission Technical Information Document, TID-14844, "Calculation of Distance Factors for Power and Test Reactors" (Reference 10). This "Source Term" was not consistent with the low level of core damage expected with a Large LOCA. Instead, the Source Term was very conservatively based on a substantial meltdown of the core, and the fission product release to the containment.

Over the past 30 years, substantial information has been developed updating our knowledge about fission product release and transport during PWR severe accidents. This information is reflected in the new NRC source term defined in NUREG-1465 (Reference 11). Assimilation of this information suggests that even when the dichotomy of a core melt driven source term is retained, the TID-14844 estimate of the Large LOCA fission product releases considerably overpredicts the severity of the fission product release to the public. This conclusion is based on the following:

1) Existing licensing methods assume fission products are released to the containment immediately upon the onset of the LOCA. In fact, only gases residing within the fuel gap (approximately 5% of the total volatile fission product inventory) will be released at the point of clad rupture (early in the transient). The remainder of the fission products will enter the containment over the period of one half hour or more.

2) Existing licensing methods assume the composition of the iodine entering the containment is predominantly elemental (it is now believed to be in the particulate form). Sprays are less effective in removing elemental iodine than iodine in the particulate form. It is our current understanding that the iodine is predominantly (greater than 95%) released into the containment in the form of CsI which is particulate. Thus, spray effectiveness and gravitational settling would be enhanced and airborne releases from containment would decrease.

Thus, even if a Large LOCA were to occur in the presence of a compromised ECCS (i.e. no LPSI), core melting would not be expected and the actual fission product releases would remain within the existing 10 CFR 100 criteria. This issue is further considered in a probabilistic framework in Section 6.3.5.

Steam Generator Tube Ruptures (SGTRs)

Following a SGTR, the plant can be maintained in a stable condition provided the affected steam generator is isolated, and the AFW system along with a supply of condensate is available to the intact steam generator. Under these conditions, core uncovery is not expected and radiological releases will not exceed that defined by the existing design basis. Obviously this can be done without the LPSI System being available.

6.3 Assessment of Risk

6.3.1 Overview

The purpose of this section is to provide an integrated assessment of the overall plant risk associated with the adoption of the proposed AOT extension. The methodology used to evaluate the LPSI System AOT extension was based in part on a draft version of the "Handbook of Methods for Risk-Based Analyses of Technical Specifications", Reference 6 and related industry guidance. As guidance for the acceptability of a Technical Specification modification, Reference 6 noted that any proposed Technical Specification change (and the ultimate change package) should either:

(1) be risk neutral, OR

(2) result in a decrease in plant risk (via "risk trade-off considerations"), OR

(3) result in a negligible (to small) increase in plant risk,

AND

(4) be needed by the utility to more efficiently and/or more safely manage plant operations.

A statement of need has been provided in Section 6.1. This section addresses the risk aspects of the proposed AOT extension.

In this evaluation, a risk assessment of the LPSI System AOT extension is performed with respect to consideration of associated "at power", "transition" and "shutdown" risks.

Section 6.3.2 provides an assessment of the increased risk associated with continued operation with a single LPSI train out of service (OOS). The "at power" risk increment resulting from the extended LPSI System AOT was evaluated on a plant specific basis using the most current individual plant's Probabilistic Safety Analysis (PSA) as their respective baselines. Plant specific evaluations were performed by each participating utility. Results of these evaluations were then compared using appropriate risk measures as prescribed in Reference 6.

Section 6.3.3 provides an assessment of risk of transitioning the plant from Mode 1 into a lower mode (e.g. Mode 4). The "at power" risk assessment presented in Section 6.3.2 provides an evaluation of continued operation of the plant with an extended LPSI System AOT for the purpose of performing corrective maintenance on the LPSI System. However, that assessment provides only one facet of the plant risk. For this evaluation, continuation of at power operation within the LCO ACTION statement is compared with the risk of proceeding with a plant shutdown. A conservative lower bound estimate of this risk was evaluated by modifying the reactor trip core melt scenario for a representative CE PWR. Based on this analysis, a core damage probability for the plant shutdown was established and compared to the single AOT risk associated with continued operation.

The risk comparison of LPSI System PM for "at power" and "at shutdown" conditions is provided in Section 6.3.4. Recent experience has shown that the risk of maintaining the reactor in a shutdown condition can be significant in comparison with that of power operation. This observation has resulted in a need to reassess maintenance practice to more appropriately apportion maintenance between power and shutdown operation. One goal of this particular AOT extension is to allow preventive maintenance and extended surveillances of the LPSI System while the plant is at power. This is a logical request in that many LPSI System components support the shutdown cooling system (which, in the lower modes, is the primary means of heat removal from the RCS). The role of the LPSI System at power is limited to responding to a large break LOCA or providing an alternate decay heat removal path (in conjunction with the auxiliary feedwater system).

For completeness, the impact of the extended AOT on the plant large early release fraction is qualitatively assessed. The assessment includes an evaluation of the events leading to large early fission product releases and the role of the LPSI System in the initiation and/or mitigation of those events. This assessment is presented in Section 6.3.5.

6.3.2 Assessment of "At Power" Risk

Methodology

This section provides an assessment of the increased risk associated with continued operation with a single LPSI train out of service (OOS). The evaluation of the "at power" risk increment resulting from the extended LPSI System AOT was evaluated on a plant specific basis using the most current individual plant's Probabilistic Safety Analysis (PSA) model for their respective baselines. Plant specific evaluations were performed by each participating utility. Results of these evaluations were then compared using the following risk measures (from Reference 6):

Average Core Damage Frequency (CDF): The average CDF represents the frequency of core-damage occurring. In a PSA, the CDF is obtained using mean unavailabilities for all standby-system components.

Core Damage Probability (CDP): The CDP represents the probability of core-damage occurring. Core-damage probability is approximated by multiplying core-damage frequency by a time period.

Conditional Core-Damage Frequency (CCDF): The Conditional CDF is the Core Damage Frequency (CDF) conditional upon some event, such as the outage of equipment. It is calculated by re-quantifying the cutsets after adjusting the unavailabilities of those basic events associated with the inoperable equipment.

Increase in Core Damage Frequency (ΔCDF): The increase in CDF represents the difference between the CCDF evaluated for one train of equipment unavailable minus the CCDF evaluated for one train of equipment not out for test or maintenance (T/M). For the LPSI System:

ΔCDF = Conditional CDF (1 LPSI train unavailable) - Conditional CDF (1 LPSI train not out for T/M)

where CDF = Core Damage Frequency (per year)

Single AOT Risk Contribution: The Single AOT Risk contribution is the increment in risk associated with a train being unavailable over a period of time (evaluated over either the full AOT, or over the actual maintenance duration). In terms of core damage, the Single AOT Risk Contribution is the increase in probability of core-damage occurring during the AOT, or outage time, given a train is unavailable from when the train is not out for test or maintenance. The value is obtained by multiplying the increase in the CDF by the AOT or outage time,

Single AOT Risk = ΔCDF x r

where ΔCDF = Increase in Core Damage Frequency (per year), and r = full AOT or actual maintenance duration (years)

Yearly AOT Risk Contribution: The Yearly AOT risk contribution is the increase in average yearly risk from a train being unavailable accounting for the average yearly frequency of the AOT. It is the frequency of core-damage occurring per year due to the average number of entries into the LCO Action Statement per year. The value is estimated as the product of the Single AOT Risk Contribution and the average yearly frequency (f) of entering the associated LCO Action Statement. Therefore

Yearly AOT Risk = Single AOT Risk x f

where f = frequency (events/year)

Incremental changes in these parameters are assessed to establish the risk impact of the Technical Specification change.

Calculation of Conditional CDF, Single and Yearly AOT Risk Contributions

Each CEOG utility used its current Probabilistic Safety Analysis (PSA) model to assess the Conditional CDF based on the condition that one LPSI train is unavailable. Each plant verified that the relevant basic events are contained in the PSA cutsets used to determine the AOT risk contributions. This verification was performed as the first task in calculating the Conditional CDFs. If basic events had been filtered out of the PSA cutsets, one of the two methods described below was used to ensure the calculation of Conditional CDF was correct or conservative:

1. Select the basic event for the failure mode of the component with the highest failure probability to represent the train if the test/maintenance failure mode of the component had been filtered out; or
2. Retrieve cutsets containing relevant basic events at the sequence level and merge them with the final PSA cutsets.

The Conditional CDF given 1 LPSI train is unavailable was obtained by performing the following steps:

1. Set the basic event probability for the failure mode for the selected component in the unavailable LPSI train equal to 1.0.
2. Set any basic event probabilities for other failure modes for that train equal to 0.0.
3. Set the basic event probability for the other LPSI train unavailable due to test/maintenance equal to 0.0.
4. For the case where the LCO Action Statement was prompted by need for Corrective Maintenance (CM) (i.e., equipment failure), adjust the basic event common cause failure unavailability corresponding to the train remaining in service to the probability of failure given one train has failed (i.e., equal to the beta factor, β, for the Multiple Greek Letter Method).
5. For Preventive Maintenance (PM) (i.e., no equipment failure), set the failure rate of the train remaining in service to the total single train failure rate (including both independent and common cause failure data).
6. Requantify the PSA cutsets.

This Conditional CDF was therefore calculated for both CM and PM. The difference between the two values is a result of the aforementioned difference in treating common cause failure.

It should be noted that the definition of CM for use in the PSA is considerably more stringent than the pragmatic TAGGED INOPERABLE definition of CM used in Section 5. In this context, CM refers to maintenance performed on a component that cannot otherwise perform its safety function.

The Conditional CDF given 1 LPSI train is not out for test or maintenance was obtained by setting the basic event probability for the failure mode for one LPSI train equal to 0.0 and requantifying the PSA cutsets. No adjustment was made to common cause failure from the value used in the baseline PSA model.

This Conditional CDF was effectively equal to the baseline CDF (i.e., the CDF resulting from the plant's current PSA model) for the LPSI System for all CE plants.
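The requantification steps and the ΔCDF, Single AOT Risk and Yearly AOT Risk formulas above can be traced on a small cutset model. The following is an added example, not code or data from the report: the basic-event names, probabilities, cutsets and beta factor are constructed, the rare-event approximation is used for quantification, and zeroing the common cause event in the PM case (so it is not counted twice) is an assumption.

```python
"""Conditional CDF and AOT risk from minimal cutsets (constructed toy model)."""
from math import prod

# Constructed basic-event values for illustration; none come from the report.
BASE = {
    "IE_LLOCA": 1e-4,     # large LOCA initiating frequency, per year
    "LPSI_A_FAIL": 5e-3,  # independent failure of train A on demand
    "LPSI_B_FAIL": 5e-3,  # independent failure of train B on demand
    "LPSI_A_TM": 2e-3,    # train A unavailable due to test/maintenance
    "LPSI_B_TM": 2e-3,    # train B unavailable due to test/maintenance
    "LPSI_CCF": 2e-4,     # common cause failure of both trains
    "OTHER": 3e-5,        # lumped core damage sequences without LPSI, per year
}
BETA = 0.05  # constructed beta factor: P(second train fails | first failed)

# Minimal cutsets for a 1-of-2 LPSI success criterion (constructed).
CUTSETS = [
    ("IE_LLOCA", "LPSI_A_FAIL", "LPSI_B_FAIL"),
    ("IE_LLOCA", "LPSI_A_TM", "LPSI_B_FAIL"),
    ("IE_LLOCA", "LPSI_A_FAIL", "LPSI_B_TM"),
    ("IE_LLOCA", "LPSI_CCF"),
    ("OTHER",),
]


def quantify(events, cutsets=CUTSETS):
    """Rare-event approximation: CDF is the sum of the cutset products."""
    return sum(prod(events[name] for name in cs) for cs in cutsets)


def check_present(names, cutsets=CUTSETS):
    """Verify the needed basic events survived cutset truncation."""
    seen = {name for cs in cutsets for name in cs}
    missing = sorted(set(names) - seen)
    if missing:
        raise ValueError(f"basic events filtered out of cutsets: {missing}")


def train_unavailable(base, down, up, mode, beta=BETA):
    """Steps 1-5 of the procedure for one LPSI train out of service."""
    ev = dict(base)
    ev[f"LPSI_{down}_TM"] = 1.0    # step 1: selected failure mode set to 1.0
    ev[f"LPSI_{down}_FAIL"] = 0.0  # step 2: other modes of that train to 0.0
    ev[f"LPSI_{up}_TM"] = 0.0      # step 3: other train is not in T/M
    if mode == "CM":
        ev["LPSI_CCF"] = beta      # step 4: CCF given one train has failed
    elif mode == "PM":
        # step 5: remaining train carries independent + common cause failure.
        ev[f"LPSI_{up}_FAIL"] = base[f"LPSI_{up}_FAIL"] + base["LPSI_CCF"]
        ev["LPSI_CCF"] = 0.0       # assumption: avoids counting CCF twice
    else:
        raise ValueError("mode must be 'CM' or 'PM'")
    return ev


def train_not_in_tm(base, train):
    """Reference case: train not out for T/M, CCF left at its baseline value."""
    ev = dict(base)
    ev[f"LPSI_{train}_TM"] = 0.0
    return ev


def aot_risk(mode, aot_days, entries_per_year, down="A", up="B", base=BASE):
    """Return CCDFs, delta CDF, Single AOT Risk and Yearly AOT Risk."""
    check_present([f"LPSI_{down}_TM", f"LPSI_{up}_FAIL", "LPSI_CCF"])
    ccdf_out = quantify(train_unavailable(base, down, up, mode))  # step 6
    ccdf_ref = quantify(train_not_in_tm(base, down))
    delta = ccdf_out - ccdf_ref
    single = delta * aot_days / 365.0  # AOT expressed in years
    return {
        "ccdf_unavailable": ccdf_out,
        "ccdf_not_in_tm": ccdf_ref,
        "delta_cdf": delta,
        "single_aot_risk": single,
        "yearly_aot_risk": single * entries_per_year,
    }


if __name__ == "__main__":
    for mode in ("CM", "PM"):
        for days in (3, 7):  # a 3 day and a 7 day AOT
            r = aot_risk(mode, days, entries_per_year=0.33)
            print(f"{mode} {days}d  dCDF={r['delta_cdf']:.3e}/yr  "
                  f"single={r['single_aot_risk']:.3e}  "
                  f"yearly={r['yearly_aot_risk']:.3e}/yr")
```

With these constructed inputs the CM case gives the larger ΔCDF because the common cause event is raised to the beta factor, which mirrors the CM/PM difference the text attributes to the treatment of common cause failure.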

It was expected that the results would be symmetric for selecting either LPSI train to be out for maintenance. However, in cases where different modeling assumptions or data were associated with each LPSI train, the Conditional CDFs were evaluated for each train, and the most conservative result was used.

The Conditional CDF was then used to calculate the increase in CDF. The Single AOT Risk Contribution for each plant was calculated for the following cases:

- Current full AOT,

- Proposed full AOT,

- Mean downtime for CM, and

- Mean downtime for PM.

A value of 24 hours/event was assumed as an upper bound for the mean duration for a LPSI train CM (see Table 5.2-1). A value of 112 hours/event (2/3 of AOT) was assumed as an upper bound for the mean duration for a LPSI train PM unless actual plant data was available. The mean downtimes are presented in Table 6.3.2-1 and 6.3.2-2 for each plant.

The Single AOT Risk Contributions were then used to calculate the Yearly AOT Risk Contributions (Single AOT Risk x frequency), based on each plant's actual frequency of entry into the LCO Action Statement, for both CM and PM. Plant specific frequencies were used in this calculation for CM and PM. When detailed CM and PM breakdowns were not available, a split of the frequency was assumed to be 10%/90% for CM/PM, respectively. This split is based on actual data from a representative CE PWR which shows that about 10% of the total entries into the LPSI System LCO ACTION statement were due to equipment failure, the other 90% were preventive.

The overall Yearly AOT Risk Contribution is assumed to be the sum of the Yearly AOT Risk Contribution due to CM and the Yearly AOT Risk Contribution due to PM. Tables 6.3.2-1 and 6.3.2-2 provide the Conditional CDFs and the Single and Yearly AOT Risk Contributions for each plant for CM and PM, respectively.

Calculation of Average CDF

In order to calculate the Average CDF for the extended LPSI System AOT, a new value for LPSI train unavailability due to test/maintenance was established. This unavailability was based on a maintenance duration of 24 hours for performing on-line corrective maintenance (conservatively estimated based on actual plant data for CE PWRs from Table 5.2-1), and a preventive maintenance program equal to the equivalent of a full proposed AOT of 7 days (one-half the AOT twice a year). For plants with a maintenance schedule already in place or defined, actual plant data was used in lieu of the above assumptions.

The impact on the PSA model was then calculated to obtain the Average CDF for this new LPSI System unavailability. This new Average CDF was then compared to the base case value from the plant's PSA model. Table 6.3.2-3 provides the proposed Average CDF and the base average CDF for each plant.

The results from each plant were assimilated, and the Single AOT and Yearly AOT Risks were calculated for each plant. Tables 6.3.2-1 through 6.3.2-3 present the results of these cases on a plant specific basis, and summarize the LPSI System AOT CDF contributions for each plant.

These risk contributions include the Conditional CDFs, Increase in CDF, Single AOT and Yearly AOT risks for both CM and PM, based on full AOT and mean downtime, and current Average CDF and proposed Average CDF.

The Single AOT Risk Contribution for the full proposed AOT for all CE PWRs varies from negligible to 2.40E-06 for CM conditions and has a maximum value of 2.1E-07 for PM.

Maximum increases of this level are small. As will be shown in the following sections, these risks are offset by reductions in transition and shutdown risks. Changes in the Average CDF due to increasing the LPSI AOT are insignificant (< 3%).


Table 6.3.2-1 CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR LPSI SYSTEM - Corrective Maintenance

| PARAMETER | ANO-2 | Calvert Cliffs 1 & 2 | Fort Calhoun | Maine Yankee | Millstone 2 | Palisades | Palo Verde 1, 2, & 3 | San Onofre 2 & 3 | St. Lucie 1 | St. Lucie 2 | Waterford 3 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| LPSI System Success Criteria | 1 of 2 | 1 of 2 | 1 of 2 | 1 of 2* | 1 of 2 | 1 of 2 | 1 of 2 | 1 of 2 | 1 of 2 | 1 of 2 | 1 of 2 |
| Current AOT, days | 3 | 3 | 1 | 3 | 2 | 1 | 3 | 3 | 3 | 3 | 3 |
| Proposed AOT, days | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 |
| Conditional CDF, per yr (1 LPSI train unavailable) | 4.80E-05 | 2.21E-04 | 1.18E-05 | 1.52E-04 | 1.59E-04 | 5.15E-05 | 7.00E-05 | 1.08E-04 | 9.0E-05 | 9.1E-05 | 3.70E-05 |
| Conditional CDF, per yr (1 LPSI train not out for T/M) | 3.28E-05 | 2.11E-04 | 1.18E-05 | 7.40E-05 | 3.41E-05 | 5.15E-05 | 4.74E-05 | 2.74E-05 | 2.14E-05 | 2.35E-05 | 1.54E-05 |
| Increase in CDF, per yr | 1.52E-05 | 1.00E-05 | negligible | 7.80E-05 | 1.25E-04 | negligible | 2.26E-05 | 8.06E-05 | 6.9E-05 | 6.8E-05 | 2.16E-05 |
| Single AOT Risk (Current full AOT) | 1.25E-07 | 8.22E-08 | negligible | 6.41E-07 | 6.84E-07 | negligible | 1.86E-07 | 6.62E-07 | 5.7E-07 | 5.6E-07 | 1.78E-07 |
| Single AOT Risk (Proposed full AOT) | (illegible) | (illegible) | (illegible) | (illegible) | (illegible) | (illegible) | (illegible) | (illegible) | (illegible) | (illegible) | (illegible) |
| Downtime Frequency, events/yr/train | 0.33 | 0.92 | 0.33 | 0.02* | 0.32 | 0.33 | 0.33 | 0.06 | 0.5 | 0.5 | 0.33 |
| Yearly AOT Risk (Current full AOT), per yr | 8.25E-08 | 1.51E-07 | negligible | 2.56E-08 | 4.38E-07 | negligible | 1.23E-07 | 7.29E-08 | 5.7E-07 | 5.6E-07 | 1.17E-07 |
| Yearly AOT Risk (Proposed full AOT), per yr | 1.93E-07 | 3.53E-07 | negligible | 5.98E-08 | 1.53E-06 | negligible | 2.86E-07 | 1.70E-07 | 1.3E-06 | 1.3E-06 | 2.73E-07 |
| Mean Duration, hrs/event** | 24 | 24 | 24 | 24 | 24 | 24 | 24 | 24 | 24 | 24 | 28 |
| Single AOT Risk (for Mean Duration) | 4.17E-08 | 2.74E-08 | negligible | 2.14E-07 | 3.42E-07 | negligible | 6.19E-08 | 2.21E-07 | 1.9E-07 | 1.9E-07 | 6.90E-08 |
| Yearly AOT Risk (for Mean Duration), per yr | 2.75E-08 | 5.04E-08 | negligible | 8.55E-09 | 2.19E-07 | negligible | 4.09E-08 | 2.43E-08 | 1.9E-07 | 1.9E-07 | 4.56E-08 |

* In addition to 2 LPSI trains, Maine Yankee uses a swing pump which is not modeled in the PSA

** 24 hours is assumed to be a bounding value based on (illegible) data (see Table 5.2-1)

Table 6.3.2-2 CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR LPSI SYSTEM - Preventive Maintenance

| PARAMETER | ANO-2 | Calvert Cliffs 1 & 2 | Fort Calhoun | Maine Yankee | Millstone 2 | Palisades | Palo Verde 1, 2, & 3 | San Onofre 2 & 3 | St. Lucie 1 | St. Lucie 2 | Waterford 3 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| LPSI System Success Criteria | 1 of 2 | 1 of 2 | 1 of 2 | 1 of 2* | 1 of 2 | 1 of 2 | 1 of 2 | 1 of 2 | 1 of 2 | 1 of 2 | 1 of 2 |
| Current AOT, days | 3 | 3 | 1 | 3 | 2 | 3 | 3 | 1 | 3 | 3 | 3 |
| Proposed AOT, days | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 |
| Conditional CDF, per yr (1 LPSI train unavailable) | 3.70E-05 | 2.18E-04 | 1.18E-05 | 7.94E-05 | 4.35E-05 | 5.15E-05 | 4.80E-05 | 3.31E-05 | 3.2E-05 | 3.2E-05 | 1.61E-05 |
| Conditional CDF, per yr (1 LPSI train not out for T/M) | 3.28E-05 | 2.11E-04 | 1.18E-05 | 7.40E-05 | 3.41E-05 | 5.15E-05 | 4.74E-05 | 2.74E-05 | 2.14E-05 | 2.35E-05 | 1.54E-05 |
| Increase in CDF, per yr | 4.20E-06 | 7.00E-06 | negligible | 5.40E-06 | 9.40E-06 | negligible | 6.00E-07 | 5.70E-06 | 1.1E-05 | 8.5E-06 | 7.00E-07 |
| Single AOT Risk (Current full AOT) | 3.45E-08 | 5.75E-08 | negligible | 4.44E-08 | 5.15E-08 | negligible | 4.93E-09 | 4.68E-08 | 9E-08 | 7E-08 | 5.75E-09 |
| Single AOT Risk (Proposed full AOT) | 8.06E-08 | 1.34E-07 | negligible | 1.04E-07 | 1.80E-07 | negligible | 1.15E-08 | 1.09E-07 | (illegible) | (illegible) | (illegible) |
| Downtime Frequency, events/yr/train | 1.50 | 4.00 | 1.50 | 0.67 | 2.88 | 1.50 | 1.50 | 0.52 | 2.00 | 2.00 | 1.50 |
| Yearly AOT Risk (Current full AOT), per yr | 1.01E-07 | 4.60E-07 | negligible | 5.95E-08 | 2.97E-07 | negligible | 1.48E-08 | 4.83E-08 | 3.6E-07 | 2.8E-07 | 1.73E-08 |
| Yearly AOT Risk (Proposed full AOT), per yr | 2.42E-07 | 1.07E-06 | negligible | 1.39E-07 | 1.04E-06 | negligible | 3.45E-08 | 1.13E-07 | 8.4E-07 | 6.5E-07 | 4.03E-08 |
| Proposed Downtime, hrs/yr/train | 168 | 336 | 168 | 168 | 168 | 168 | 168 | 168 | 252 | 252 | 172 |
| Mean Duration, hrs/event** | 112 | 84 | 112 | 112 | 112 | 112 | 112 | 112 | 112 | 112 | 115 |
| Single AOT Risk (for Mean Duration) | 5.37E-08 | 6.71E-08 | negligible | 6.90E-08 | 1.20E-07 | negligible | 7.67E-09 | 7.29E-08 | 1.4E-07 | 1.1E-07 | 9.19E-09 |
| Yearly AOT Risk (for Mean Duration), per yr | 1.61E-07 | 5.37E-07 | negligible | 9.25E-08 | 6.92E-07 | negligible | 2.30E-08 | 7.51E-08 | 5.6E-07 | 4.3E-07 | 2.76E-08 |

* In addition to 2 LPSI trains, Maine Yankee uses a swing pump which is not modeled in the PSA

** A mean duration of 112 hrs/event was conservatively assumed (2/3 of proposed AOT) unless actual plant data available

Table 6.3.2-3 CEOG PROPOSED AVERAGE CDFs

| PARAMETER | ANO-2 | Calvert Cliffs 1 & 2 | Fort Calhoun | Maine Yankee | Millstone 2 | Palisades | Palo Verde 1, 2, & 3 | San Onofre 2 & 3 | St. Lucie 1 | St. Lucie 2 | Waterford 3 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| LPSI System Success Criteria | 1 of 2 | 1 of 2 | 1 of 2 | 1 of 2* | 1 of 2 | 1 of 2 | 1 of 2 | 1 of 2 | 1 of 2 | 1 of 2 | 1 of 2 |
| Present AOT, days | 3 | 3 | 1 | 3 | 2 | 3 | 3 | 3 | 1 | 3 | 3 |
| Proposed AOT, days | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 | 7 |
| Proposed Downtime, hrs/yr/train | 192 | 360 | 192 | 192 | 192 | 192 | 192 | 192 | 276 | 276 | 200 |
| Average CDF (base), per yr | 3.28E-05 | 2.11E-04 | 1.18E-05 | 7.40E-05 | 3.41E-05 | 5.15E-05 | 4.74E-05 | 2.74E-05 | 2.14E-05 | 2.35E-05 | 1.54E-05 |
| Proposed Average CDF, per yr | 3.29E-05 | 2.11E-04 | 1.18E-05 | 7.40E-05 | 3.45E-05 | 5.15E-05 | 4.74E-05 | 2.78E-05 | 2.2E-05 | 2.4E-05 | 1.55E-05 |

* In addition to 2 LPSI trains, Maine Yankee uses a swing pump which is not modeled in the PSA


6.3.3 Assessment of Transition Risk

For any given AOT extension, there is theoretically an "at power" increase in risk associated with it. This increase may be negligible or significant. A complete approach to assessing the change in risk accounts for the effects of avoided shutdown, or "transition risk". Transition Risk represents the risk associated with reducing power and going to hot or cold shutdown following equipment failure, in this case, one LPSI train being inoperable. Transition risk is of interest in understanding the tradeoff between shutting down the plant and restoring the LPSI train to operability while the plant continues operation. The risk of transitioning from "at power" to a shutdown mode must be balanced against the risk of continued operation and performing corrective maintenance while the plant is at power.

To illustrate this point, a representative CE PWR has performed an analysis for transition risk associated with one inoperable LPSI train. The methodology and results obtained by this plant are presented below and are considered generically applicable to the other CE plants.

Methodology

The philosophy behind the transition risk analysis is that if a plant component becomes unavailable, the CDF will increase since less equipment is now available to respond to a transient if one were to occur. However, as long as the plant remains at power, this CDF is constant. At the point in time that a decision is made to shut down, the CDF increases since a "transient" (manual shutdown) has now occurred, and the equipment is still out of service.

The Core Damage Probability (CDP) associated with the risk of plant transition from plant full power operation to shutdown is obtained by modifying the "uncomplicated reactor trip" core damage scenario in the PSA model. In this evaluation the incremental risk is dominated by the increased likelihood of loss of main feedwater and the reliance on auxiliary (and/or emergency) feedwater to avert a core damage event. A cutset editor was used to adjust cutsets representing manual shutdown or miscellaneous plant trips to reflect the CDP associated with a forced shutdown assuming one LPSI train is out of service and requantifying the PSA cutsets.

Conservatisms that had been included in the base PSA model were deleted to reflect the greater control that the plant staff has in the shutdown process. Specifically, the baseline PSA assumed total loss of main feedwater (MFW) within 30 minutes of reactor trip. In the transition analysis, MFW was assumed to be recoverable following failure of Auxiliary Feedwater. A human error probability (value of 0.1) was added to cutsets that contained no basic events, including human actions, that would cause MFW to be unavailable. The duration of the transition process was assumed to be 12 hours (6 hours to hot standby and 6 hours to hot shutdown).

Additional human errors that would be associated with a detailed portrayal of the shutdown process and the entry into shutdown cooling were not included in order to establish a conservative lower bound assessment of the transition risk. Errors of commission, such as diversion of RCS flow during SDC valve alignment, are also not considered in this analysis.

Such errors would add to the disadvantages of the shutdown alternative, and therefore, to include them would be nonconservative for the purpose of this comparison.

Based on the above methodology the CDP associated with the lower mode transition was calculated for the representative plant to be 1.00E-06. Results of transition risk analyses can be generalized for the other CE PWRs by assuming that the ratio of the CDP for Transition Risk to the baseline Average CDF is constant for all plants. The baseline CDFs were selected rather than the Conditional CDFs for the ratio between the other CE plants because the analysis for the representative plant indicated that transition risk was more a function of Loss of MFW rather than a function of the specific equipment out of service.

That is,

$$\Delta CDP_{T,P} = \left( CDF_{B,P} / CDF_{B,R} \right) \cdot \Delta CDP_{T,R}$$

where:

$\Delta CDP_{T,P}$ = Incremental risk due to mode transition for plant
$CDF_{B,P}$ = Baseline CDF for plant
$CDF_{B,R}$ = Representative plant baseline CDF
$\Delta CDP_{T,R}$ = Incremental risk due to mode transition for representative plant

The transition risk may be used to evaluate the relative risks of performing LPSI repair at power to that of performing the same repair at some lower mode. The risk of continued operation for the full duration of the AOT is bounded by the single AOT risk for CM (if a common cause failure is suspected) and by the single AOT risk for PM when common cause failure can be ruled out. The comparable risk of the alternate maintenance option involves consideration of four distinct risk components:

(1) Risk of remaining at power prior to initiating the lower mode transition.

This risk will vary depending on the ability of the staff to diagnose the LPSI fault and the confidence of the operating staff to expeditiously complete the repair. The time interval for power operation with a degraded component prior to mode transition will vary from one to several days.

(2) Risk of lower mode transition.

This risk is accumulated over a short time interval (approximately 12 hours).

(3) Risk of continued lower mode operation with an impaired LPSI component.

In this mode, the reactor is shut down and the core is generating decay power only. However, risks in this mode remain significant. Depending on the particular operational mode, resources to cope with plant transients will typically be less than at power. These modes are characterized by decreased restrictions on system operability, longer times for operator recovery actions, lower initiating frequency for pressure driven initiators (such as LOCA) and a greater frequency for plant transients such as those initiated by loss of offsite power and loss of main feedwater.

(4) Risk of return to power

The power ascension procedure is a well controlled transient. Reference 6 conceptually discusses that risks associated with this transition are greater than those associated with at power operation, but significantly below that associated with the initial lower mode transition (item 2).

The analysis of transition risk presented in this report quantifies only the risk of lower mode transition (item 2).

Results

Table 6.3.3-1 presents the risk associated with transitioning the plant to a lower mode for each plant. The numbers in the table represent only the lower mode transition risk component of the transition sequence (item 2). The risk associated with the transition portion represents a significant fraction of the risk that would be incurred for a seven day "at power" (Single AOT Risk from Tables 6.3.2-1 and 6.3.2-2) LPSI train maintenance period.

When the risk at power and the risk at the lower mode of operation are comparable, then these results indicate that performing a 7 day LPSI train maintenance activity "at power" would be risk beneficial.


Table 6.3.3-1 TRANSITION RISK CONTRIBUTIONS FOR LPSI CM

| PLANT | Transition Risk Contribution (ΔCDP) |
|---|---|
| ANO-2 | 6.92E-07 |
| Calvert Cliffs 1 & 2 | 4.45E-06 |
| Fort Calhoun Station | 2.49E-07 |
| Maine Yankee | 1.56E-06 |
| Millstone 2 | 7.19E-07 |
| Palisades | 1.09E-06 |
| Palo Verde 1,2 & 3 | 1.00E-06 |
| San Onofre 2 & 3 | 5.78E-07 |
| St. Lucie 1 | 4.51E-07 |
| St. Lucie 2 | 4.96E-07 |
| Waterford 3 | 3.25E-07 |
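The scaling rule of Section 6.3.3 and the Single AOT Risk arithmetic behind Tables 6.3.2-1 and 6.3.3-1 can be checked numerically. The following is an added example, not part of the CEOG report: it assumes Palo Verde is the representative plant (its table entry equals the quoted 1.00E-06), a 365-day year, Single AOT Risk equal to the increase in CDF times the AOT duration, and a factor of two trains in the yearly risk, all inferred from how the tabulated values reproduce. Function and variable names are hypothetical.

```python
"""Reproduce Table 6.3.3-1 and compare transition risk with at-power CM risk."""

DAYS_PER_YEAR = 365.0  # assumption: conversion used for per-year CDF values

# Average CDF (base), per yr, from Table 6.3.2-3.
BASELINE_CDF = {
    "ANO-2": 3.28e-05,
    "Calvert Cliffs 1 & 2": 2.11e-04,
    "Fort Calhoun Station": 1.18e-05,
    "Maine Yankee": 7.40e-05,
    "Millstone 2": 3.41e-05,
    "Palisades": 5.15e-05,
    "Palo Verde 1,2 & 3": 4.74e-05,
    "San Onofre 2 & 3": 2.74e-05,
    "St. Lucie 1": 2.14e-05,
    "St. Lucie 2": 2.35e-05,
    "Waterford 3": 1.54e-05,
}

# Increase in CDF, per yr, with one LPSI train out for corrective maintenance
# (Table 6.3.2-1). None stands for an entry tabulated as "negligible".
CM_CDF_INCREASE = {
    "ANO-2": 1.52e-05,
    "Calvert Cliffs 1 & 2": 1.00e-05,
    "Fort Calhoun Station": None,
    "Maine Yankee": 7.80e-05,
    "Millstone 2": 1.25e-04,
    "Palisades": None,
    "Palo Verde 1,2 & 3": 2.26e-05,
    "San Onofre 2 & 3": 8.06e-05,
    "St. Lucie 1": 6.9e-05,
    "St. Lucie 2": 6.8e-05,
    "Waterford 3": 2.16e-05,
}

# Published values of Table 6.3.3-1, kept as strings for an exact comparison.
TABLE_6_3_3_1 = {
    "ANO-2": "6.92E-07",
    "Calvert Cliffs 1 & 2": "4.45E-06",
    "Fort Calhoun Station": "2.49E-07",
    "Maine Yankee": "1.56E-06",
    "Millstone 2": "7.19E-07",
    "Palisades": "1.09E-06",
    "Palo Verde 1,2 & 3": "1.00E-06",
    "San Onofre 2 & 3": "5.78E-07",
    "St. Lucie 1": "4.51E-07",
    "St. Lucie 2": "4.96E-07",
    "Waterford 3": "3.25E-07",
}

REP_PLANT = "Palo Verde 1,2 & 3"   # assumption: inferred representative plant
REP_TRANSITION_CDP = 1.00e-06      # CDP quoted for the representative plant


def transition_cdp(plant):
    """Scale the representative transition CDP by the baseline CDF ratio."""
    return BASELINE_CDF[plant] / BASELINE_CDF[REP_PLANT] * REP_TRANSITION_CDP


def single_aot_risk(cdf_increase_per_yr, aot_days):
    """Risk accrued over one AOT entry of the given length (assumed form)."""
    return cdf_increase_per_yr * aot_days / DAYS_PER_YEAR


def yearly_aot_risk(single_risk, events_per_yr_per_train, trains=2):
    """Single AOT Risk x frequency; the two-train factor is an inference."""
    return single_risk * events_per_yr_per_train * trains


def at_power_exceeds_transition(aot_days=7):
    """Plants whose full-AOT CM risk at power is above the transition CDP.

    Only item (2) of the four shutdown-option components is quantified in
    the report, so this compares against a lower bound of that option.
    """
    plants = []
    for plant, increase in CM_CDF_INCREASE.items():
        at_power = 0.0 if increase is None else single_aot_risk(increase, aot_days)
        if at_power > transition_cdp(plant):
            plants.append(plant)
    return plants


if __name__ == "__main__":
    for name in BASELINE_CDF:
        print(f"{name:22s} {transition_cdp(name):.2E}  (table {TABLE_6_3_3_1[name]})")
    print("At-power 7-day CM risk above transition CDP:", at_power_exceeds_transition())
```

For the plants the last function returns, the comparison still omits items (1), (3) and (4) of the shutdown alternative, which the report does not quantify.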


6.3.4 Assessment of Shutdown Risk

The risk tradeoff for performing PM on the LPSI pump at power versus during shutdown was assessed by comparing the risk at shutdown associated with LPSI pump operation with incremental improvements in reliability associated with performing maintenance at power. The essence of this assessment was to perform a sensitivity analysis which evaluated the impact of improved reliability of the LPSI pump entering shutdown conditions given that maintenance was performed on the LPSI train at power prior to shutdown. As data is not available to quantify the improvement in reliability, sensitivity studies were chosen as the vehicle to quantify the risk associated with LPSI maintenance during shutdown. Given the fact that the frequency of requiring LPSI at power is on the order of 1 x 10d per year (the frequency of a large LOCA event), whereas the frequency of requiring LPSI operability during shutdown is 1.0 per cycle, it is intuitive that improving the reliability of the LPSI system during shutdown should improve overall plant safety.

In summary, the premise underlying this study is that performing Preventive LPSI maintenance at power would improve the reliability of the LPSI pump entering shutdown.

This sensitivity study was performed for a representative CE plant and evaluated the impact on Core Damage Probability (CDP) over a seven day interval at the initiation of plant shutdown.

During this period the core is resident within the reactor vessel and reduced inventory shutdown operation (including "Mid-loop") is likely. To evaluate risk benefits associated with maintenance, improvements in LPSI pump reliability of 1%, 5% and 10% were parametrically evaluated. The CDP was then compared to the baseline CDP to obtain the change in risk from the base reliability.

Additional benefits of performing LPSI system maintenance at power, but not quantified in this effort are:

(1) Increased availability of maintenance staff for risk significant shutdown maintenance repairs, and

(2) Reduced potential for errors of commission that may induce LPSI system failure during shutdown.

Assumptions

For this analysis, the baseline Core Damage Probability ($CDP_{B}$) is defined as the CDP associated with the present situation where maintenance on the LPSI train is done during shutdown. The Preventive Maintenance Core Damage Probability ($CDP_{PM}$) is defined as the CDP associated with the proposed situation where LPSI train maintenance is performed at power.

The analysis assumes that as shutdown cooling is first initiated following reactor shutdown, two operating LPSI pumps are available for Shutdown Cooling (SDC). The evaluation is artificially restricted to a single 7 day reduced inventory period following shutdown entry. During this period core uncovery and core damage would occur shortly after loss of SDC. The only event leading to core damage was that resulting from a loss of SDC via failure of a LPSI pump.

No credit for recovery of pumps or use of backup pumps was assumed for this analysis. In addition, the analysis assumes that the first LPSI pump fails while operating halfway through the mission time (24 hours); therefore, the second pump has a mission time equal to one-half that of the first pump (12 hours). The base reliability of the LPSI pump (λ) of 5.0E-05/hr was selected as representative of CE PWRs. Consistent with the parametric evaluation, the improved λ was varied from 5.0E-05/hr to 4.5E-05/hr.

Conclusion

Results of this study are presented in Table 6.3.4-1 below. The conclusion of the study is that CDP due to LPSI train unavailability is sensitive to even small changes in LPSI pump reliability.

The results showed that for a 1% improvement in pump reliability, the net CDP ($CDP_{B}$ - $CDP_{PM}$) decreases by 8.61E-07. It is therefore concluded that the net impact of LPSI train PM at power is risk beneficial.

Table 6.3.4-1 EFFECTS OF IMPROVED LPSI RELIABILITY AT SHUTDOWN

| PARAMETER | BASE λ = 5.0E-5/hr | CHANGE IN λ: 1% | CHANGE IN λ: 5% | CHANGE IN λ: 10% |
|---|---|---|---|---|
| SHUTDOWN CDP (7 day interval) | 5.06E-05 | 4.97E-05 | 4.63E-05 | 4.23E-05 |
| delta CDP ($CDP_{B}$ - $CDP_{PM}$) | - | 8.61E-07 | 4.23E-06 | 8.28E-06 |

6.3.5 Assessment of Large Early Release

A review of large early release scenarios for the CE PWRs indicates that early releases arise as a result of one of the following classes of scenarios:

1. Containment Bypass Events

These events include interfacing system LOCAs and steam generator tube ruptures (SGTRs) with a concomitant loss of SG isolation (e.g. stuck open MSSV).

2. Severe Accidents accompanied by loss of containment isolation

These events include any severe accident in conjunction with an initially unisolated containment.

3. Containment Failure associated with Energetic events in the Containment.

Events causing containment failure include those associated with the High Pressure Melt Ejection (HPME) phenomena (including direct containment heating (DCH)) and hydrogen conflagrations/detonations.

Of the three release categories, Class 1 tends to represent a large early release with potentially direct, unscrubbed fission products, to the environment. Class 2 events encompass a range of releases varying from early to late that may or may not be scrubbed. Class 3 events result in a high pressure failure of the containment, typically immediately upon or slightly after reactor vessel failure. Detailed Level 2 analyses for the plant condition with one LPSI train inoperable are not performed. However, assessment of the expected change in the large early release fraction was made by assessing the impact of the availability of the LPSI System on the above event categories.

Containment Bypass Events

Events contained in this category that may rely on the LPSI for event mitigation include the large Interfacing System LOCA (i.e. failure of an SDC line). Testing and/or maintenance of containment isolation valves residing in the LPSI System are governed under the plant technical specifications. Arguments provided in this report are not intended to justify "at power" maintenance of these valves. Thus, no change in the ISLOCA frequency is expected.

ISLOCAs are characterized by a continuous and unreplenished loss of RCS inventory and makeup. In these scenarios, core damage ultimately results following the depletion of reactor coolant. Thus, provided that a continuous independent water supply is not available during the accident, the ISLOCA will progress into early core damage regardless of the LPSI availability.

Severe Accidents accompanied by Loss of Containment Isolation

Another event contributing to large early fission product releases could occur when an unmitigated large LOCA occurs in conjunction with an initially unisolated containment.

Significant fission product releases would not occur unless the containment atmosphere is unscrubbed (that is, sprays are inoperable). This latter combination of events is considered of very low probability and would not significantly increase with a decrease in LPSI pump availability.

Containment Failure associated with Energetic events in the Containment.

Class 3 events are dominated by RCS transients that occur at high pressure. These events exclude those where LPSI System performance would be called for and therefore LPSI status is not a contributor to this event category. It is therefore concluded that increased unavailability of the LPSI System (as could potentially result as a consequence of an increased AOT) will have a negligible impact on the large early release fraction for CE PWRs.

6.3.6 Summary of Risk Assessment

The proposed increase in the LPSI System AOT to 7 days was evaluated from the perspective of various risks associated with plant operation. For the plants evaluated, incorporation of the extended AOT into the technical specification can potentially result in negligible to small increases in the "at power" risk. However, when the full scope of plant risk is considered, the risks incurred by extending the AOT for either corrective or preventive maintenance will be substantially offset by plant benefits associated with avoiding unnecessary plant transitions and/or by reducing risks during plant shutdown operations.

The unavailability of one train of LPSI was found to not significantly impact the three classes of events that give rise to large early releases. These include containment bypass sequences, severe accidents accompanied by loss of containment isolation, and containment failure due to energetic events in the containment. It is therefore concluded that increased unavailability of the LPSI System (as requested via Section 2) will result in a negligible impact on the large early release probability for CE PWRs.

It is therefore concluded that the overall plant impact will be either risk beneficial or, at the very least, risk neutral.


6.4 Compensatory Measures

As part of implementing the Maintenance Rule, each CE PWR utility has developed or is in the process of developing a method for configuration control during maintenance. If maintenance is performed on a system/train concurrent with other maintenance, the impact on risk will be evaluated prior to performing maintenance. Some plants achieve this via procedures which require that PSA evaluation is performed prior to performing maintenance. Other plants have a matrix showing the risk associated with different combinations of systems/trains unavailable due to maintenance. This matrix is used in planning the rolling maintenance schedule which is part of implementing the Maintenance Rule.

A qualitative review of potential interactions between the LPSI System and other plant systems that could amplify the impact of LPSI System unavailability was performed. Based on this review, implementation of extraordinary compensatory actions was not found necessary when a LPSI train is out of service for maintenance. However, for any "at power" maintenance, the goals should be expediency and safety. Typical actions to be taken during "at power" LPSI train maintenance and/or testing of LPSI valves are:

1. Verify that related equipment is not out of service which would amplify the effect of the unavailability of the LPSI System. This could include restricting maintenance to times when:
a. all SITs are operable
b. when all AFW sources are available
Since the AOT for SITs is short, restricting the LPSI System maintenance during the time that any single SIT is in repair should not be burdensome. Components of the LPSI system also support the shutdown cooling system. It is, therefore, recommended that preventive maintenance not be scheduled to simultaneously compromise the heat removal capability of both the AFW and SDC System.
2. Verify that an alternate flowpath is available at the same time to accomplish the LPSI function, including support systems.
3. Conduct a briefing with appropriate plant personnel to ensure that they are aware of the impact associated with unavailable components and flowpaths.
4. If a maintenance action or repair is to be performed on the LPSI, pre-stage parts and tools to minimize outage time.
5. Consider actions which could be taken to return the affected LPSI train to functional use, if not full operability, if the need arises.
6. In repairing/testing components (particularly valves), define the appropriate valve position (open/closed) that provides the greater level of safety and "if practical" establish that position for the repair.
7. With the longer AOTs now available, an effort should be made to avoid inefficiently conducted multiple maintenance tasks on the same system that would result in a decreased ability to re-establish the system should it be necessary to do so.

7.0 TECHNICAL JUSTIFICATION FOR STI EXTENSION

LPSI System STI extensions are not within the scope of this effort.

8.0 PROPOSED MODIFICATIONS TO NUREG-1432

Attachment A includes proposed changes to NUREG-1432 Sections 3.5.2 and B 3.5.2 that correspond to the findings of this report.

9.0 SUMMARY AND CONCLUSIONS

This report provides the results of an evaluation of the extension of the Allowed Outage Time (AOT) for a single Low Pressure Safety Injection (LPSI) Train contained within the current CE plant technical specifications, from its present value, to seven days. This AOT extension is sought to provide needed flexibility in the performance of both corrective and preventive maintenance during power operation. Justification of this request was based on an integrated review and assessment of plant operations, deterministic/design basis factors and plant risk.

Results of this study demonstrate that the proposed AOT extension provides plant operational flexibility while simultaneously reducing overall plant risk.

The proposed increase in the LPSI System AOT to 7 days was evaluated from the perspective of various risks associated with plant operation. For the plants evaluated, incorporation of the extended AOT into the technical specifications potentially results in negligible increases in the "at power" risk. However, when the full scope of plant risk is considered, the risks incurred by extending the AOT for either corrective or preventive maintenance will be substantially offset by associated plant benefits associated with avoiding unnecessary plant transitions and/or by reducing risks during plant shutdown operations.

The unavailability of one train of LPSI was found to not significantly impact the three classes of events that give rise to large early releases. These include containment bypass sequences, severe accidents accompanied by loss of containment isolation, and containment failure due to energetic events in the containment. It is concluded that increased unavailability of the LPSI System (as requested via Section 2) will result in a negligible impact on the large early release probability for CE PWRs.

It is the overall conclusion of this evaluation that the plant impact for the requested AOT extension would be risk beneficial.

10.0 REFERENCES

1. 10 CFR 50.65, Appendix A, "The Maintenance Rule".
2. NUREG-0212, Revision 3, "Standard Technical Specifications for Combustion Engineering Pressurized Water Reactors", July 9, 1982.
3. NUREG-1432, "Standard Technical Specifications: Combustion Engineering Units", September 1992.
4. NRC Inspection Manual Part 9900 Technical Guidance, "Maintenance-Voluntary Entry into Limiting Conditions for Operation Action Statements to Perform Maintenance", 1991.
5. "Technical Evaluation of South Texas Project (STP) Analysis for Technical Specification Modifications", P. Samanta, G. Martinez-Guridi, and W. Vesely, Technical Report #L-2591, dated 1-11-94.
6. NUREG/CR-6141, BNL-NUREG-52398, "Handbook of Methods for Risk-Based Analyses of Technical Specifications", P. K. Samanta, I. S. Kim, T. Mankamo, and W. E. Vesely, Published December 1994.
7. LWW-02-094, letter L. Ward (INEL) to Dr. F. Eltawila (NRC), Subject: "Use of MAAP to Support Utility IPE In-Vessel and Ex-Vessel Accident Success Criteria", June 1994.
8. Fort Calhoun Station IPE Submittal Report, December 1993.
9. NUREG 0800, USNRC Standard Review Plan, Rev. 2, July 1981.
10. TID 14844, "Calculation of Distance Factors for Power Reactor Sites", USAEC, 1962.
11. NUREG-1465, "Accident Source Terms for Light Water Reactors" (Final Draft), August, 1994.

ATTACHMENT A

"Mark-up" of NUREG-1432 SECTIONS 3.5.2 & B 3.5.2

ECCS-Operating 3.5.2

3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS)

3.5.2 ECCS-Operating

LCO 3.5.2 Two ECCS trains shall be OPERABLE.

APPLICABILITY: MODES 1 and 2, MODE 3 with pressurizer pressure ≥ [1700] psia.

ACTIONS

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| A. One or more trains inoperable. AND At least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train available. (markup illegible) | A.1 Restore (illegible) to OPERABLE status. | 7 days |
| (markup illegible) Required Action and associated Completion Time not met. | .1 Be in MODE 3. AND .2 Reduce pressurizer pressure to < [1700] psia. | 6 hours (.1); 12 hours (.2) |

CEOG STS 3.5-4 Rev. 0, 09/28/92

INSERT A

One LPSI subtrain inoperable.

INSERT B

| CONDITION | REQUIRED ACTION | COMPLETION TIME |
|---|---|---|
| B. One or more ECCS trains inoperable due to condition(s) other than Condition A. AND At least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train available. | B.1 Restore ECCS train(s) to OPERABLE status. | 72 hours |

ECCS-Operating

. B 3.5.2 BASES ani.6. D ACTIONS A.1 f(continued)

OPERABLE sta 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. The ompletion Time is based on an NRC s

~

4 using a reliability evaluation an asonable amount o feet many An ECCS train is inoperable if it is not capable of delivering the design flow to the RCS. The individual components are inoperable if they are not capable of performing their design function, or if supporting systems are not available.  !

The LCO requires the OPERABILITY of a number of independent subsystems. Due to the redundancy of trains and the diversity of subsystems, the inoperability of one component in a train does not render the ECCS incapable of performing its function. Neither does the inoperability of two different components, each in a different train, necessarily result in a loss of function for the ECCS. The intent of this Condition is to maintain a combination of OPERABLE equipment such that 100% of the ECCS flow equivalent to 100% of a single OPERABLE train remains available. This allows increased flexibility in plant operations when components in opposite trains are inoperable.

An event accompanied by a loss of offsite power and the failure of an emergency DG can disable one ECCS train until power is restored. A reliability analysis (Ref. 4) has shown that the impact with one full ECCS train inoperable is sufficiently small to justify continued operation for 72 hours.

Reference 5 describes situations in which one component, such as a shutdown cooling total flow control valve, can disable both ECCS trains. With one or more components inoperable such that 100% of the equivalent flow to a single OPERABLE ECCS train is not available, the facility is in a condition outside the accident analyses. Therefore, LCO 3.0.3 must be immediately entered.

.1 and .2

If the inoperable train cannot be restored to OPERABLE status within the associated Completion Time, the plant must

(continued)

CEOG STS B 3.5-15 Rev. 0, 09/28/92

INSERT AA

each of Condition A and Condition B are

INSERT AB

Each of Condition A and Condition B includes a combination of OPERABLE equipment such that at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train remains available.

Condition A addresses the specific condition where the only affected ECCS subsystem is a single LPSI subtrain. The availability of at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train is implicit in the definition of Condition A.

If LCO 3.5.2 requirements are not met due only to the existence of Condition A, then the inoperable LPSI subtrain components must be returned to OPERABLE status within seven (7) days of discovery of Condition A. This seven (7) day Completion Time is based on the findings of the deterministic and probabilistic analysis that are discussed in Reference 6. Seven (7) days is a reasonable amount of time to perform many corrective and preventative maintenance items on the affected LPSI subtrain. Reference 6 concluded that the overall risk impact of this Completion Time was either risk-beneficial or risk-neutral.

Condition B addresses other scenarios where the availability of at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train exists but the full requirements of LCO 3.5.2 are not met. If Condition B exists, then inoperable components must be restored such that Condition B does not exist within 72 hours of discovery. The 72 hour Completion Time is based on an NRC reliability study (Ref. 4) and is a reasonable amount of time to effect many repairs.

INSERT AC

With one or more components inoperable such that 100% of the equivalent flow to a single OPERABLE ECCS is not available, the facility is in a condition outside of the accident analyses. In such a situation, LCO 3.0.3 must be immediately entered.

ECCS-Operating B 3.5.2

BASES

ACTIONS .1 and .2 (continued)

be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hours and pressurizer pressure reduced to < 1700 psia within 12 hours. The allowed Completion Times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems.

SURVEILLANCE REQUIREMENTS

SR 3.5.2.1

Verification of proper valve position ensures that the flow path from the ECCS pumps to the RCS is maintained. Misalignment of these valves could render both ECCS trains inoperable. Securing these valves in position by removing power or by key locking the control in the correct position ensures that the valves cannot be inadvertently misaligned or change position as the result of an active failure. These valves are of the type described in Reference 5, which can disable the function of both ECCS trains and invalidate the accident analysis. A 12 hour Frequency is considered reasonable in view of other administrative controls ensuring that a mispositioned valve is an unlikely possibility.

SR 3.5.2.2

Verifying the correct alignment for manual, power operated, and automatic valves in the ECCS flow paths provides assurance that the proper flow paths will exist for ECCS operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve automatically repositions within the proper stroke time. This Surveillance does not require any testing or valve manipulation. Rather, it involves verification that those valves capable of being mispositioned are in the correct position.

(continued)

CEOG STS B 3.5-16 Rev. 0, 09/28/92

ECCS-Operating B 3.5.2

BASES

SURVEILLANCE REQUIREMENTS

SR 3.5.2.10 (continued)

outage, on the need to have access to the location, and on the potential for unplanned transients if the Surveillance were performed with the reactor at power. This Frequency is sufficient to detect abnormal degradation and is confirmed by operating experience.

REFERENCES

1. 10 CFR 50, Appendix A, GDC 35.
2. 10 CFR 50.46.
3. FSAR, Chapter [6].
4. NRC Memorandum to V. Stello, Jr., from R. L. Baer, "Recommended Interim Revisions to LCOs for ECCS Components," December 1, 1975.
5. IE Information Notice No. 87-01, January 6, 1987.

INSERT AD


CEOG STS B 3.5-19 Rev. 0, 09/28/92

INSERT AD

6. CE NPSD-995, "CEOG Joint Applications Report for Low Pressure Safety Injection System AOT Extension," April 1995.
