Text

Proposed Tech Specs,Extending Allowed Outage Time for EDG from 72 Hrs to Seven Days
	ML20091L156
Person / Time
Site:	Millstone
Issue date:	08/23/1995
From:	; NORTHEAST NUCLEAR ENERGY CO.
To:	;
Shared Package
ML20091L152	List: B15332, Application for Amend to License DPR-65,extending Allowed Outage Time for EDG from 72 Hrs to Seven Days; ML20091L156;
References
	NUDOCS 9508280376
	Download: ML20091L156 (62)
	v • d • e

___ _ _ . . _. _ _ . . _ _ _ . _ _ _ . .. _ _ _ _

1

~

^

, 6/14/94 3/4.8 ELECTRICAL POWER SYSTDi$

F4.3.1 A.C. SOURCES l RERATDs l

. LIMITING CO M ITION FOR OPERATION l

i 3.8.1.1 As a sininas, the following A.C. electrical power sources shall i be OPERABLE,: ,

! 1 i . a. Two physically independent circuits between the offsite trans-j mission network and the switchiard, and 4

6. Two separate and independent diesel generators each with a i separate fuel all supply tank containing a minimum of 12,000 l gallons of fuel. ,

i APPLICABILITY: MODES, 1, 2, 3 and 4.

1 i

EllQti: !

a. With one offsite circuit inoperable, demonstrate the OPERABILITY !

of the remaining A.C. sources by perfoming Surveillance i i Requirement 4.8.1.1.1 within I hour and at least once per j 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months thereafter. If either diesel generator has not been

successfully tested within the past 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , demonstrate its OPERABILITY by performing Surveillance Requirement 4.8.1.1.2.a.2 ;

separately for each such diesel generator within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

Restore the offsite circuit to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months i or be in at least NOT STANDBY within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in i COLD SHUTDOWN within the following 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months .

?

! b. With one diesel generator inoperable, demonstrate the OPERABILITY of the A.C. offsite sources by performing

) Surveillance Requirement 4.8.1.1.1 within I hour and at least

! once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months thereafter; and if the diesel generator became f

inoperable due to any cause other than preplanned preventative

! saintenance or testing, demonstrate the OPERABILITY of the remaining OPERABLE diesel generator by performing Surveillance Requirement 4.8.1.1.2.a.1 within 24 tourt*: restore the diesel

~

generator to OPERABLE status withinL'EE;0-Der be in at least HOT STANDBY within the next 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months sfand in COLD SHUTDOWN within the following 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months . i 1

t

This test is required to be completed regardless of when the inoperable .

, diesel generator is restored to an OPERABLE status.

NILL 5 TONE - 1811T 2

3/48-1 Amendment No.d5,

'9508280376 95o823 U7' PDR ADOCK 05000336 P PDR

August 1. 1975 ,

3/4.8 ELECTRICAL POWER SYSTEMS

)

BASES i

The OPERABILITY of the A.C. and D.C. power sources and associated ..

distribution systems during operation ensures that sufficient power will . .. -

be available to supply the safety related equipment required for 1) the safe shutdown of the facility and 2) the mitigation and control of accident conditions within the facility. The minimum specified indepen-dent and redundant A.C. and D.C. power sources and distribution systems. :

satisfy the requirements of General Design Criteria 17 of Appendix "A" ,

g to 10 CFR 50. ,

The ACTION requirements specified for the levels of degradation of the power sources provide restriction upon continued facility operation connensurate with the level of degradation. The OPERABILITY of the power ;

sources are consistent with the initial condition assumptions of the accident analyses and are based upon maintaining at least one of each of the onsite A.C. and D.C. power sources and associated distribution systems OPERABLE during accident conditions coincident with an assumed loss of offsite power and single failure of the other onsite A.C. source.

. The OPERABILITY of the minimum specified A.C. and D.C. power sources and associated distribution systems during shutdown and refueling ensures :

that 1) the facility can be maintained in the shutdown or refueling condition for extended time periods and 2) sufficient instrumentation '

i

and control capability is available for monitoring and maintaining the '

j facility status.

b -

l, Et$erences

1. CE NPSD -9%, "croG Jo:at. AppituRens gep ,4 y g.,,,yey l, Diesel perahr ACT Ex+e.nsions," Arrit 1995.

l.

uwk.a Ado (4v. oms a cc.mpare 'D. mms, " grmd g g a a %.%+m eq as % ur ,

a ~ swp m2y w.

, MILLSTONE - UNIT 2 8 3/4 8-1 .

)

i

_ ._. - .- _ .-. -= _ - . . - . . _ _ -

i =

i i ,

J IN sE RT- A Ne. Comple b Mne cd seven (7) elays in ACT1oM lo.; who f one. Diesel % trak % IS inoperaMej iS bAscal on RsStr<sce L.$

' Re(setect.L According to -unc% '.:tur M 15 'Snrn:; y, operation may continue for a period that should not exceed 7 days when one DG is

inoserable. Reference 2 provides a series of deterministic and pro.)abilistic justifications for the Completion Times corresponding to 4 the periods in which continued power o>erations are allowed when one DG is inoperable. The remaining OPERAILE DG and offsite circuits are adequate to supply electrical power to the ensite Class IE Distribution System. The 7 day Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time ,

for repairs, and the low probability of a DBA occurring during this period.

W

& mm- -

, mp

2% C~LG _% .~e D w AR

, ;s J rg- wM -

4 i

k I

i, i

i 3

4 k

Docket'No. 50-336 ,

B15332 .]

1 1

i !

^

a T

4 L

1 1

I Attachment 4' ,

Millstone Nuclear Power Station, Unit No. 2 1

Proposed Revision to Technical Specifications Diesel Generator Allowed Outage Time Extension-Retyped Version of current Technical Specifications- ,

i

. s s

l l

J i

i i

4 4

August 1995 ,

i i

l

l l

l 3/4.8 ELECTRICAL POWER SYSTElli 3/4.8.1 A.C.' SOURCES l OPERATING LINITING CONDITION FOR OPERATION 1

3.8.1.1 As a minimum, the following A.C. electrical power sources shall be OPERABLE:

a. Two physically independent circuits between the offsite trans- -

mission network and the switchyard, and

b. Two separate and independent diesel generators each with a separate fuel oil supply tank containing a minimum of 12,000 gallons of fuel. ,

APPLICABILITY: MODES, 1, 2, 3 and 4. ,

" ACTION:

a. With one offsite circuit inoperable, demonstrate the OPERABILITY of the remaining A.C. sources by performing Surveillance Requirement 4.8.1.1.1 within I hour and at least once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months thereafter. If either diesel generator has not been successfully tested within the past 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , demonstrate its

< OPERABILITY by performing Surveillance Requirement 4.8.1.1.2.a.2 ,

separately for each such diesel generator within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

Restore the offsite circuit to OPERABLE status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months or be in at least HOT STANDBY within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months ,

b. With one diesel generator inoperable, demonstrate the OPERABILITY of the A.C. offsite sources by performing Surveillance Requirement 4.8.1.1.1 within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months and at least once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months thereafter; and if the diesel generator became inoperable due to any cause other than preplanned preventative maintenance or testing, demonstrate the OPERABILITY of the remaining OPERABLE diesel generator by performing Surveillance Requirement 4.8.1.1.2.a.2 within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months *; restore the diesel generator to OPERABLE status within 7 days or be in at least HOT l STANDBY within the next 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months and in COLD SHUTDOWN within the following 30 hours3.472222e-4 days 0.00833 hours 4.960317e-5 weeks 1.1415e-5 months .

1

This test is required to be completed regardless of when the inoperable diesel generator is restored to an OPERABLE status.

NILLSTONE - UNIT 2 3/4 8-1 Amendment No. JJ, 0187 (([,

l l

l 1

3/4.8 ELECTRICAL POWER SYSTEMS 1

BASES i

The OPERABILITY of the A.C. and D.C. power sources and associated l distribution systems during operation ensures that sufficient power will ;

be available to su) ply the safety related equipment required for 1) the !

safe shutdown of tie facility and 2) the mitigation and control of accident conditions within the facility. The minimum specified indepen- 1 dent and redundant A.C. and D.C. power sources and distribution systems satisfy the requirements of General Design Criteria 17 of Appendix "A" to 10 CFR 50.

The ACTION requirements specified for the levels of degradation of the power sources provide restriction upon continued facility operation commensurate with the level of degradation. The OPERABILITY of the power sources are consistent with the initial condition assumptions of the accident analyses and are based upon maintaining at least one of each of

, the onsite A.C. and D.C. power sources and associated distribution systems OPERABLE during accident conditions coincident with an assumed loss of offsite power and single failure of the other onsite A.C. source.

3 The Completion Time of seven (7) days in ACTION b., when one diesel generator (DG) is inoperable, is based on Reference 1. According to Reference 1, operation may continue for a period that should not exceed 7 days when one DG is inoperable. Reference 2 provides a series of deterministic and probabilistic justifications for the Completion Times corresponding to the periods in which continued power operations are allowed when one DG is inoperable. The remaining OPERABLE DG and offsite circuits are adequate to supply electrical power to the onsite Class IE Distribution System. The 7 day Completion Time takes into account the capacity and capability of the remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

The increase in risk associated with taking the DG out of service for

preventive maintenance will be monitored and kept at an acceptable level (viz., considering other equipment that is out of service).

The OPERABILITY of the minimum specified A.C.and D.C. power sources and associated distribution systems during shutdown and refueling ensures

< that 1) the facility can be maintained in the shutdown or refueling condition for extended time periods and 2) sufficient instrumentatic, and control capability is available for monitoring and maintaining the facility status.

Referencet

1. D. G. Eisenhut letter To All Licensees of Operating Reactors, Applicants for an Operating License, and Holders of Construction Permits, " Proposed Staff Actions to Improve and Maintain Diesel Generater Reliability (Generic Letter 84-15)," dated July 2, 1984.

< 2. CE NPSD-996, "CE0G Joint Applications Report for Emergency Diesel Generator A0T Extensions," April 1995.

MILLSTONE - UNIT 2 B 3/4 8-1 Amendment No.

0188

Q r-M d COMBUSTION ENGINEERING OWNERS GROUP CE NPSD-996 Joint Applications Report for l

i

. Emergency Diesel Generators 1 l AOT Extension ;

1 J

i !

l Final Report

. CEOG TASK 836 prepared for the i

C-E OWNERS GROUP l May 1995

Copyright 1995 Combustion Engineering. Inc. All rights reserved ABB Combustion Engineering Nuclear Operations f%E9ES l l

l 1

LEGAL NOTICE

! This report was prepared as an account of work sponsored by the i Combustion Engineering Owners Group and ABB Combustion Engineering.

Neither Combustion Engineering, Inc. nor any person acting on its behalf:

i A. makes any warranty or representation, express or implied including i the warranties of fitness for a particular purpose or merchantability,

with respect to the accuracy, completeness, or usefulness of the

! information contained in this report, or that the use of any

! information, apparatus, method, or process disclosed in this report i may not infringe privately owned rights; or ,

i B. assumes any liabilities with respect to the use of, or for damages resulting from the use of, any information, apparatus, method or process disclosed in this report.

i i

Combustion Engineering, Inc.

i 4

s 3

i

+

7 -

i i

.- j

, TABLE OF CONTENTS !

+.

l p Section Page j 4

LIST OF TABLES iii j 1.0 L PURPOSE 1 1

d 2.0 SCOPE OF PRODOSED CHANGES TO TECHNICAL SPECIFICATIONS 1 4

3.0 BACKGROUND

2

' 4.0

SUMMARY

OF APPLICABLE TECHNICAL SPECIFICATIONS 4 j 4.1 Standard Technical Specifications 5

. 4.2 " Customized" Technical Specifications 5 1-l 5.0 SYSTEM DESCRIPTION AND OPERATING EXPERIENCE 6 5.1 System Description 6 j 5.2 Operating Experience 8 j, ,

l 5.2.1 Preventive Maintenance 8

! 5.2.2 SurveillanWresting of EDGs 11

. 5.2.3 Corrective Maintenance 11

5.2.4 Comments on EDG Unavailabilities 11 l 6.0 TECHNICAL JUSTIFICATION FOR AOT EXTENSION 12 1 6.1 Statement of Need 12

6.2 Assessment of Deterministic Factors 14 6.2.1 Station Blackout Rule 14 6.2.2 Brookhaven's Analysis of EDG Unavailability and l J

its Risk Impacts 15 l

1 i

i 4

4 c , .r

3 TABLE OF CONTENTS (cont'd) ,

1

~

I w pe :

'l l

4 6.3 Assessment of Risk 17 l 1 l 6.3.1 Overview 17

!' 6.3.2 Assessment of "At Power" Risk. 18 i 6.3.3 Assessment of Transition Risk 27 t 6.3.4 Assessment of Shutdown Risk 31 ;

i 6.3.4.1 Assessment of Risk Trade-off 31 :

6.3.4.2 Assessment of Enhanced EDG Reliability 32 i 6.3.5 Amnessment oflarge Early Release 35 >

6.3.6 Summary of Risk Assessment 37 i i 6.4 Compensatory Measures 37 ;

i 7.0 TECHNICAL JUSTIFICATION FOR STI EXTENSION 38 i i

8.0 PROPOSED MODIFICATIONS TO NUREG-1432 - 39 t

9.0

SUMMARY

AND CONCLUSIONS 39

10.0 REFERENCES

40 l t ATTACHMENT A A-1 1

" Mark-up" of NUREG-1432 SECTIONS 3,8.1 & B 3.8.1 i i

i[

]

W ,

s

i l

~

Ii J

?

+

- - . = _ - . . . - .- - . - - .. -._

4 r

LIST OF TABLES ,

d TaNe Page ;

3-1

SUMMARY

OF DG MANUFACTURER AND AOTs FOR CE PWRs 3 i 5.1-1 CONFIGURATIONS OF EMERGENCY ELECTRICAL SYSTEMS .

i FOR CE PWRS 6 4

5.1-2 ALTERNATE EMERGENCY POWER FOR ESSENTIAL SAFETY j SYSTEMS AND SBO BA'ITERY POWERED COPING TIME FOR CE PWRs 7 5.2-1 EDG UNAVAILABILITY AND UNRELIABILITY 10 >

l I

6.3.2-1 CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR EDGs - CM 24 i

6.3.2-2 CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR EDGs - PM 25 6.3.2-3 CEOG PROPOSED AVERAGE CDFs 26 i

6.3.3-1 TRANSITION RISK CONTRIBUTIONS FOR EDG CM 30 I

! 6.3.4.1-1 DAILY PLANT CORE DAMAGE PROBABILITY AT SHUTDOWN FOR A REPRESENTATIVE CE PWR 31 6.3.4.2-1 EDG MAINTENANCE VS. POTENTIAL IMPROVEMENTS '

IN EDG RELIABILITY 33 6.3.4.2-2

SUMMARY

OF ANALYSIS DATA 34 !

1 1

I l

l Ernergency Diesel Generator (EDG) AOT Extension 1.0 PURPOSE This report provides the results of an evaluation of the extension of the Allowed Outage Time (AOT) for a single Emergency Diesel Generator (EDG) from its present value to seven days.

The AOT is specified in the plant technical specifications. In addition, this report provides justifications for allowing the extension of this same AOT to 10 days on a "once-per-refueling 1 cycle" frequency. This AOT extension is sought to provide needed flexibility in the performance of both corrective and preventive maintenance during power operation. Furthermore, adoption of the proposed AOT extension reduces the risk of unscheduled plant shutdowns. Justification of this request is based on an integrated review and nueument of plant operations, deterministic / design basis factors and plant risk.

! This request for AOT extension is consistent with the objectives and the intent of the 10CFR50.65, Appendix A, "The Maintenance Rule" (Reference 1) and the draft staff guidance for incorporation of EDG reliability requirements within the hhintenance Rule (Reference 2).

That is, the Maintenance Rule will be the vehicle which controls the actual maintenance cycle

by defining unavailability and reliability performance criteria and assessing maintenance risk.

The requested AOT extension will allow efficient scheduling of maintenance within the boundaries established by implementing the Maintenance Rule. The CE plants are in the process

' of implementing the Maintenance Rule, and are presently setting targets for unavailability and reliability of systems and trains. Therefore, this effort is seen as timely, supportive and integral to the Maintenance Rule program.

2.0 SCOPE OF PROPOSED CHANGES TO TECHNICAL SPECIFICATIONS The proposed technical specification changes address revision of existing requirements for the i operation of the Emergency Diesel Generator subsystems. Specifically, the proposed changes in technical specification requirements are:

(1) In general, extend AOT for a single INOPERABLE EDG from [72] hours to 7 days.

(2) Provide a once per fuel cycle allowance for an AOT of 10 days for a single ,

INOPERABLE EDG.

1

e h

3.0 BACKGROUND

! In response to the NRC's initiative to improve plant safety while granting relief to utilities from !

) those requirements that are marginal to safety, the CEOG has undertaken a program of obtaining {

relief from overly restrictive *~haiM specifications. As part of this program, several technical ,

specification AOTs and STIs were identified for joint action.

i

. This report provides support for modifying the Technical Specifications for Electric Power i j Systems in order to extend the AM for a single emergency diesel generator during power 1

operation. The CE fleet of PWRs utilize one of two possible AOTs within the plant technical

specifications (See Table 3-1). More recently designed PWRs have a 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months AOT for the

EDG, whereas early CE PWRs have a seven day AOT. The intent of this report is to provide technicaljustification for the extension of the AOT for our more recent PWRs from a period of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to seven days. In addition, this document provides support for a one time per cycle !

j 10 day AOT extension for all CE PWRs. The intent of this modification to the AM is to l enhance overall plant safety by avoiding risks associated with unscheduled plant shutdowns and providing for increased flexibility in scheduling and performing necessary "on-line" maintenance

! and survai11=nm activities. In addition, adoption of the proposed AOT extension will provide l uniformity in this AM for CE PWRs with a minimura of two dedicated EDGs per Unit. !

) This report provides generic information supporting the proposed AOT changes, as well as, the j ====y plant specific information to demonstrate the impact of these changes on an individual plant basis. The supporting / analytical material contained within the document is considered .

, applicable to participating CEOG member utilities regardless of the category of their Plant

~ Technical Specifications. Utilities participating in this task include Maine Yankee, Palisades,

Ft. Calhoun Station, St. Lucie Units 1 and 2, Millstone Point 2, Waterford 3, ANO-2, San 1

! Onofre Units 2 and 3, and Palo Verde Units 1,2 and 3. Baltimore Gas and Electric's Calvert j Cliffs Units are in the process of upgrading their EDG capacity to include enhancM redundancy :

of their EDGs, and the addition of a station blackout diesel generator. Therefore, Baltimore Gas

and Electric is not participating in the plant specific aspects of this effort at this time.

i t

i i

4 I

2 i

i

I f

v d

! Table 3-1

SUMMARY

OF DIESEL GENERATOR MANUFACTURER AND ALLOWED OUTAGE TIMES FOR CE PWRs i Plant Manufacturer Tech Spec Type EDG AOT l (Days)

ANO-2 Fairbanks Morse Standard 3 j Calvert Cliffs 1 Standard 3 Calvert Cliffs 2 Standard 3 Ft. Calhoun General Motors Customized 7 Station ,

l Maine Yankee General Motors Customized 7*

Millstone 2 Fairbanks Morse Standard 3 Palisades Alco Customized 7 Palo Verde 1 Cooper Energy Services Standard 3*

Palo Verde 2 Standard 3*

Palo Verde 3 Standard 3*

San Onofre 2 General Motors Standard 3 San Onofre 3 General Motors Standard 3 St. Lucie 1 Standard 3*

St. Lucie 2 Standard 3*

4 Waterford 3 Cooper Energy Services Standard 3*

For these units, surveillance testing of an alternate EDG is not required when the other EDG is deliberately rendered inoperable in order to perform pre planned preventive maintenance d

4 3

4.0

SUMMARY

OF APPLICABLE TECHNICAL SPECIFICATIONS -

There are three distinct categories of Technical Specifications at CE NSSS plants.

The first category is the Standard Technical Specifications. Through February 1995, NUREG-0212, Revision 03, commonly referred to as " Standard Technical Specifications," has provided a model for the general structure and content of the approved technical specifications at all other domestic CE NSSS plants. .

The second category corresponds to the Improved Standard Technical Specifications (ISTS) guidance that is provided in NUREG-1432, Revision 0, dated September 1992. A licensing amendment submittal to change the Technical Specifications for San Onofre Nuclear Generation Station Units 2 & 3 so as to implement this guidance was submitted to the NRC in December 1993. Additionally, licensing amendment submittals are being developed that will modify the technical specifications for Palisades Station to implement the ISTS guidance.

The third category includes those technical specifications (TSs) that have structures other than those that are outlined in either NUREG-0212 or NUREG-1432. These TSs are generally referred to as " customized" technical specifications. The CE NSSS plants that currently have

" customized" technical specifications are: Palisades Station, Maine Yankee Station, and Ft.

Calhoun Station.

Each of these three categories of Technical Specifications includes operating requirements for the applicable plant's emergency diesel generators (EDGs).

Table 3-1 provides a summary of the diesel generator manufactarers and allowed outage times for CE PWRs.

t 3

4 4

4

l l

l .

4.1 Standard Technical Specifications j

'Ihe requirements for emergency dimi generators during power operations are embedded in the

! requirements for Electrical Power Systems in the standard technical specifications of NUREG-0212, Revision 03 and NUREG 1432, Revision 0.

1 l

LCO 3.8.1 of NUREG-1432 provides the following definition for a fully OPERABLE set of AC i sources for plant operations in Modes 1 through 4: ,

a. Two qualified circuits between the offsite transmission network and the on-site i Class 1E AC Electrical Power Distribution System; [and]

i j b. Two diesel generators (EDGs) each capable of supplying one train of the on-site

Class 1E AC Electrical Power Distribution System; and

c. Automatic load sequencers for Train A and Train B.

l i

Both LCO 3.8.1.1 of NUREG-0212, Revision 03 and LCO 3.8.1 of NUREG-1432, Revision l 0 (Attachment A) allow the continuation of power operation with one inoperable emergency j diwi generator for a maximum of 72 continuous hours.

i Additionally, LCO 3.8.1 of NUREG-1432 (Attachment A) includes a provision that allows l continued power operations for a maximum of six days when a contiguous series of different l

degradations of the full set of AC sources occurs. (An example is the case where one of the l 1

required offsite power circuits becomes inoperable at the same time that a diesel generator that I was previously inoperable is returned to an OPERABLE state.)

Following a diagnosis that an EDG is INOPERABLE, an assessment or test confirming that the 1

OPERABLE EDG is not subject to a common cause failure would be performed. If a common cause failure mode is suspected, the OPERABLE EDG must be declared INOPERABLE and l 1 actions mur,t be taken to restore one EDG to OPERABLE status in within a small number of l

! hours. Inability to return one EDG to OPERABLE status results in the entry into a more

restrictive LCO ACTION STATEMENT.

i 4 4.2 " Customized" Technical Specifications I i i f Customized technical specifications for the EDGs differ from the STS in the duration of the specified AOT and the details of the subsequent ACTION statements. Table 3-1 indicates which i'

) CE PWRs have customized technical specifications and lists their respective AOTs.

5 l 4 i l

l

l 5.0 SYSTEM DESCRIFI1ON AND OPERATING EXPERIENCE .

This section summarizes EDG configurations and operating experience for CE PWRs. Data contained in this Section is derived from a combination of sources including recent plant specific data and relevant data available from a recent EDG industry survey (Reference 3).

5.1 System Description The role of the EDG is to provide emergency power to essential safety systems in the event that !

all offsite power tources are lost. All CE PWRs with the exception of Calvert Cliffs Units I l and 2 employ two dedicated EDGs per plant. Calvert Cliffs is presently undergoing a plant upgrade to provide 2 class 1E diesels per unit with a shared non-class 1E seismically robust third EDG. A summary of current EDG configurations for CE PWRs is presented in Table 5.1-1.

Many CE PWRs include alternate means of providing power to some, if not all, essential safety systems. In general, CE PWRs residing on multiple unit sites are capable of being powered by some of the on-site power supplies of the other unit. In addition, in the Station Blackout Rule (10CFR50.63, Reference 4 ) implementation process, many CE PWRs have precured equipment designed to mitigate the consequences of a station blackout event. For example, at ANO, a

" swing" non-class 1E full capacity station blackout diesel that can support either unit has been installed. These plant features, along with the expected plant station blackout coping times are presented in Table 5.1-2.

Table 5.1 1 l CONFIGURATIONS OF EMERGENCY ELECTRICAL SYSTEMS FOR CE PWRS Plant No.of Dedicated Diesel EDGs Total No. of Units per unit shared Diesels M42 1 2 Nom 2

, Calvert Cliffs 1&2 2 1 1 3 Fort Calhoun Station 1 2 N/A 2 Maine Yankee 1 2 N/A 2 Mulstone 2 1 2 None 2 Palisades 1 2 N/A 2 Palo Verde 1,2 &3 3 2 None 6 San Onofre 2 & 3 2 2 None 4 St. Lucie 1 & 2 2 2* None 4 Waterford 3 1 2 N/A 2

Each generator has two engines 6

Table 5.1-2 ALTERNATE EMERGENCY POWER FOR ESSENTIAL SAFETY SYSTEMS AND STATION BLACKOUT BA'ITERY POWERED " COPING" TIMES FOR CE PWRS i

PLANT MULTIPLE BACKUP POWER UNIT SBO PLANT UNIT SITE SUPPLY CROSS-TIE COPING TIME

CAPABILITY (BATTERIES ONLY) thrs)

ANO-2 Y

swing

NW 1E Staden yes 8 sleekeut EDO oen provide power to ehher unho during e staden basekout Calvert Cliffs 1&2 Y A she EDO upgrade le in yes 8 '

progrees which wE result in 2 dediosted EDGE per unit and e

ewing" non-eless 1E bleek ut h EDG l 2

i Fort Calhoun Station N Fcs .mploye a beekup alf- N/A 4 1 md, AFw pump (AFw- ,

54) and a turbine driven AFW l pump (FW-10) to maintain

! feedwater evellebsty during en sao.

Maine Yankee N Appendus R DG-2 used as N/A 4 1 AAC Generater Millstone 2 Y The Mastone she includes a yes 12 14.4 Mw Combustion Turbine

se supply ential meety soods in the event of loss of i effeite power and so of EDG..

i l Palisades N NONE N/A 4 1

Palo Verde 1,2 &3 Y The Pelo Verde she includa yes 2*

Gee Turbine generatore to i usand sao apins tima to

! well beyond 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months .

I

San Onofre 2 & 3 Y Nominal eredit le taken for yes 4 s power from the oppeelte unit i dieses.

, St. Lucie 1 & 2 Y crem se betwan unho durins yes 4 (Unit 2) blackout. Tie capabaty wie non foty 4kw busees.

o (Unit 1)

Waterford 3 N None N/A 4

580 coping based on availability of alternate AC source.

{ 7 i

i 5.2 Operating Experience -

i

! The Emergency Diesel Generators provide on-site emergency ac power in the event that all i

offsite power sources are lost. As a consequence, the reliability of these on-site power sources

is an important factor in assuring the safety of light water reactors. As a result of this concern, the NRC established the Station Blackout Rule in 1988. In the implementation of this rule, the :

NRC (via Regulatory Guide 1.155, Reference 5) required that all LWRs ensure the reliability of the EDGs to be greater than either .95 or .975 depending on the specific plant class to which the unit was considered to belong. Plant class typically reflects various factors including (1) redundancy of on-site emergency ac power systems, (2) reliability of on-site emergency power sources, (3) frequency of loss of off-site power and (4) the probable time to restore off-power.

At the time of the SBO rule, unavailability of the EDGs throughout the domestic commercial ;

nuclear industry due to "on-line" maintenance was .007. As maintenance programs were implemented to improve EDG reliability, the on line out-of-service (OOS) unavailability of the EDG has increased industry-wide. A recent survey of EDG unavailability of power operation indicates that the mean unavailability of the EDG "at power" due to preventive and corrective maintenance (PM and CM) are .0118 and .0082 respectively. Correspondingly, the unreliability of the EDGs has decreased on an industry average from about 0.020 in the early 1980's to 0.014 in the 1988 to 1991 time frame (Reference 3). Reference 3 further postulated that the increase in reliability in recent years and the increase in unavailability due to maintenance may be related.

Table 5.2-1 provides a comparison of the individual and mean unavailabilities and unreliabilities of CE EDGs to their industry average. As a group, the EDGs at CE PWRs involved in this study have an average EDG "at power" unavailability below the industry average. No individual CE PWR can be considered an outlier.

5.2.1 Preventive Maintenance Most plants in the United States ( 95%) routinely carry out scheduled PM on EDGs during power operation (see Reference 3). Preventive maintenance (PM) for EDGs encompasses a variety of tasks including: ,

-Lubrication, Oil and Filter Changes

-Replacement of switches

-Calibration of equipment

-Component Cleaning

-Component Inspections

-Manufacturer upgrades A survey of CE PWRs indicates that preventive maintenance tasks, such as those listed, can take from 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months to more than 70 hours8.101852e-4 days 0.0194 hours 1.157407e-4 weeks 2.6635e-5 months to complete. While certain PM tasks can be performed without taking an EDG out of service (such as those involved with EDG equipment calibrations),

many PM tasks cannot be performed without declaring the applicable EDG out of service. The typical frequency of diesel generator maintenance for CE PWRs varies from less than once per 8

year (that is, no planned preventive maintenance) to about once every calendar quarter. The mean duration of maintenance tasks is currently less than 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months . This is generally consistent with the observed industry trends. Reference 3 indicates that the mean PM on an EDG was 24.6

l. hours with a standard deviation of 37.6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months . This suggests that maintenance done at power 5

frequently exceed one-half of the AOT and in about one quarter of the occurrences exceed the typiical 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months AOT. This is particularly true, if a PM uncovers equipment degradation which would require further maintenance. At one site, the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months AOT has been approached on nine (9) separate occasions and exceeded once. This later event occurred during a weekend and l required a discretionary enforcement to continue plant operation.

I

On a yearly basis the amount of "on-line" preventive maintenance fcr EDGs varies from less

! than 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months to a maximum of about 200 hours0.00231 days 0.0556 hours 3.306878e-4 weeks 7.61e-5 months per EDG for CE PWRs with a 7 day AOT for i a single EDG, with the average per EDG PM equal to 135 hours0.00156 days 0.0375 hours 2.232143e-4 weeks 5.13675e-5 months . For CE plants with a 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months

. AOT, the average and maximum yearly PM per EDG are 100 and 140 hours0.00162 days 0.0389 hours 2.314815e-4 weeks 5.327e-5 months respectively. This level of "on-line" maintenance is consistent with United States industry average estimate

(Reference 3) of about 100 hours0.00116 days 0.0278 hours 1.653439e-4 weeks 3.805e-5 months per year.

1 i

i l

4 l

J i

f 4

9 i

I Table 5.2-1 EDG UNAVAILABILITY AND UNRELIABILITY -

PLANT EDG ID UNAVAILABILITY UNRFf1 ABILITY i I'

PM CM PM+CM l maisessmunr.

] .0041 ANO-2 B 0.0 .0041 i

A 0.0 .00188 .00188

.' .0033 PL Cabous Station DG-1 .0059 0.0009 .0068 DG.2 .0044 0.0009 .0053 <.0033 Maiwe Yaakse DG-13 .0126 .0077 .0203 i DG-1A .0134 .0012 .0146 unh 2 DG-A .00636 .00424 .0106 <.02*

DG-B .00636 .00424 .0106 <.02*

Palmados D01-1 .0105 .0109 .0214 4

> DGI-2 .00867 .0089 .01757 Palo Verde 1 IMDGAH01 .00936* .0051P .0145 * <.0l*

I IMDGBH02 .00936* .00519 .0145* <.01*

1 Palo Verde 2 2MDGBH01 .00936* .0051P .01455 <.01*

)

J 2MDGAH02 .00936* .0051P .0145" .03

I Palo Verds 3 i 3MDGAH01 .009368 .0051P .01455 <.Ol*

1 3MDGBH02 .00936* .0051F .0145" .03

l San Ooofn 2 DG3 .0046 .0031 .00767 <.02 DG2 .0046 .0031 .00767 <.02 i San Onofre 3 DG2 .0046 .0031 .00767 <.02 i DG3 0.0046 .0031 .00767 <.02

]

St. lacie 1 1A .0118 .0045 .0163 IB .00835 .0084 .0168 St. Imcie 2 2B .0157 .0009 .0166 2A .0109 .0000 .0109 Waterionl 3 B .0038 .0038 .0076 <.0l*

A .0008 .0008 .0016 <.0l*

CEOG MEAN DATA PLANTS WfDI 3 DAY AM .0069 .0038 .0107 PLANTS %TTH 7 DAY AM .0092 .0051 .0143 CEOG GROUP .0075 .0041 .0116 INDUSTRY NUREG/CR.5994 (MEAN) .0118 .0082 .020 .014

. Desa obtained from Refersace 6 3. Unrslaabihty data taka from Reference i

2. Avenge for all 6 unita 10 1

5.2.2 Sunemance/Tesdag of EDGs Surveillance testing of EDGs is typically performed as required in the plant technical specifications.

Industry average data confirms that the durations of EDG tests are typically short (on the order of l 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months ) and the total unavailability of an EDG is under 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months per year (See Reference 3).

5.2.3 Comedve Maintenance ;

Corrective maintenance refers to maintenance that is unscheduled and is therefore condition directed.

Such maintenance can occur when the EDG fails a surveillance test or a degradation in EDG performance is noted. This definition of CM includes conditions where the EDG can perform its safety function, as well as, cases where the safety function is affected. In either case of CM, the ,

t EDG would typically be considered to be INOPERABLE. The analysis presented in Section 6 assumes CM is performed due to inoperability of the EDG.

Industry survey data suggets that corrective maintenance is performed on an EDG at a mean !

frequency of 3.3 times per year with a mean duration of 23.3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months and a standard deviation of 46.7 hours8.101852e-5 days 0.00194 hours 1.157407e-5 weeks 2.6635e-6 months . The large uncertainty associated with CM clearly indicates the potential for EDG repair to exceed the existing 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months AOT. For the CEOG member utilities, the yearly unavailability due to CM is lower than 0.006 per year per EDG, regardless of the current AOT. This low value of CM reflects a high EDG reliability and the effectiveness of existing EDG maintenance programs.

, 5.2.4 Comments on EDG UnavaGabilities i !

, The CE fleet includes plants with both 3 and 7 day AOTs. Plants with 3 day AOTs have a mean j yearly scheduled maintenance unavailability of about 77 hours8.912037e-4 days 0.0214 hours 1.273148e-4 weeks 2.92985e-5 months per EDG per year compared to 132 l

l hours per EDG per year for plants with a 7 day EDG AOT. Both groups of plants show similar

yearly repair time outages for unscheduled maintenance (46 vs. 51 hours5.902778e-4 days 0.0142 hours 8.43254e-5 weeks 1.94055e-5 months ). In the future, all plants within the CE fleet are expected to set maximum maintenance rule targets for EDG unavailability

in the .025 .03 range (220 to 260 hrs per EDG per year). Therefore, adoption of a 7 day AOT for i

a single inoperable EDG is not expected to have a significant impact in overall EDG unavailability, i

i t

s a

e I

11 f

l I

4 6.0 TECHNICAL JUSTIFICATION FOR AOT EXTENSION

This section provides the technical bases for the request for the ACTr extension. The presentation of this information generally follows the guidance in the Handbook of Methods of Risk Analyses

m Technical Specifications (Reference 8 ),

i 6.1 Statement of Need

.l The EDGs provide on-site emergency alternating current (ac) electric power to a nuclear plant in the event all off-site power sources are lost. The importance of this equipment to plant safety has resulted in the " Station Blackout Rule", which among other features, required that the reliability of EDGs reliability be acceptably high. In the implementation process, Regulatory Guide 1.155

specified target reliability values of .95 and .975 depen 4nt upon a set of defined criteria. In

] response to meeting these reliability goals, many reactor sites implemented or extended EDG l surveillances and "on-line" PM activities.

The participating CEOG utilities request that the present EDG AOT be uniformly extended as follows:

(1) Extend AOT for a single INOPERABLE EDG from [72] hours to [7] days.

l' and, .

, (2) Provide a once per fuel cycle allowance for an AOT of 10 days for a single INOPERABLE EDG.

1 l - Implementation of this AOT modification will:

(1) Allow increased flexibility in the scheduling and performance of preventive

! maintenance l (2) Reduce the number of individual entries into LCO action statements by providing

! sufficient time to perform related maintenance tasks within a single entry.

i (3) Reduce stress on plant maintenance personnel by allowing adequate time to perform i

the more complicated maintenance activities (including those associated with EDG manufacturer recommended surveillances and upgrades)

(4) Enable the plant to minimize EDG operability restoration time by scheduling maintenance which de-emphasizes multiple simultaneous EDG tasks (resulting in potentially long associated restoration times). By emphasizing single or combined repairs and inspections, there will be shorter times for EDG restoration.

12

(

_m_ --__E

i

~

f (5) Allow the plant to better control maintenance tasks between power and shutdown operation thereby increasing EDG reliability both "at power" and in the early (risk dominant) stages of shutdown.

(6) Avert unplanned plant shutdown and minimize potential for requests for Notices of

, Enforcement Discretion (NOEDs). Risks incurred by unexpected plant shutdowns can be comparable to and often exceed those associated with continued power operation.

l (7) Improve EDG availability during shutdown modes.

! The mean EDG PM or CM is about I day with a standard deviation of nearly 2 days. Therefore, industry-wide, a large number of corrective maintenance events would be expected to challenge the existing 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months AOT. This difficulty has been noted at various CE sites. At one CE site, it was reported that the existing EDG AOT was nearly exceeded nine (9) times and, actually exceeded once

requiring a discretionary enforcement to continue plant operation.

Plants with existing 7 day AOTs report that their present EDG AOT is adequate for most EDG repairs. However, instances have occurred when a 7 day AOT is inadequate. Such an event occurred at a CEOG utility (Reference 11) which required a one time emergency change to the Technical Specifications extending the EDG AOT to 10 days to allow completion of repair of a cracked cylinder head. Implementation of a 10 day AOT on a once per cycle basis will allow the plant to continue operation while repairing a non-functional EDG. The once per cycle extension is not expected to expand the level of PM or CM to be performed at any plant. It is expected to provide margin to ensure that serious EDG degradations uncovered during equipment surveillance or a scheduled PM can be successfully completed without exceeding the plant LCO AC1' ION STATEMENT. "At power" operation provides a resource rich environment for accident management and minimizes the risk ofinitiating loss of power and loss of feedwater events that can accompany a forced shutdown. It is also possible that, under certain controlled conditions (such as availability of a full capacity " swing" EDG or alternate AC power source), the 10 day per cycle AOT extension may be entered following unanticipated delays encountered in performing a EDG preventive maintenance activity.

l l

l 13

~. l l

\

6.2 Annemenwnt of Deteruninistle Factors .

The Emergency Diesel Generators (EDGs) provide on-site alternating current (ac) electric power in the event that all off-site power sources are lost in a nuclear power plant.

A dediented diemi generator is the on-site standby ac power source for each angiaaared safety feature power supply bus. h the event of an accident with loss of off-site power, EDGs are designed to automatien11y connect to and power safeguards equipment. h addition, automatic load ;

segnaaelag assures that EDGs are canaefd to the plant ESFs in sufficient time to provide a safe plant shutdown. h the event ofloss of preferred power EDGs are intended to provide emergency backup power for the plant essential safety feature electrical loads until such time that the preferred j power supply is restored. :

Each CEOG plant's EDG configuration satisfies the requirements of Regulatory Guide 1.9. Each of the diesel generators is capable of starting, accelerating to rated speed and voltage, and coanacting to its respective engineered safety feature bus on detection of bus undervoltage within a specified period of time (i.e.10 - 15 seconds). Each diesel generator is capable of m-ghg i required loads within the loading sequence intervals assumed in the safety analyses, and continuing to operate until offsite power can be restored to the ESF buses. These capabilities exist, under a variety of initial conditions including the diesel generator being in standby with hot engine temperatures, the diesel generator being in standby with the engine at ambient conditions, or the diesel generator operating in the parallel test mode.

6.2.1 Station Blackout Rule The loss of off-site ac power to the essential and non-essential electrical buses concurrent with '

turbine trip and the unavailability of the redundant on-site emergency power system, i.e. EDGs, is termed " Station Blackout". Reliability of on-site power tources is an important factor in assuring an acceptable level of plant safety. h recognition of the importance of these on-site power sources the Station Blackout (SBO) Rule was established in 1988. Guidance for implementation of the SBO rule was defined in Regulatory Guide 1.155. Specifically, the SBO rule required the licensees to:

l

! 1. Ensure the reliability of the EDG was > 0.95 (or >0.975) dependent on plant specific

features.

2. Establish an EDG Reliability Program. ,

and, in the event of an SBO event l

3. Ensure that the plant has adequate coping capability.

l The station blackout (SBO) rule addressed the need for maintaining a highly reliable ac electrical j power system. At the time the rule was developed, the unavailability due to maintenance was 1~

14 i i 4

t P I

< l

estimated at 0.007. At that time it was recommended that EDGs be reliable and that maintenance unavailability be kept low by performing the maintenance at plant shutdown.

l Over the past decade the utilities have begun programs to improve the reliability of the EDGs via regular preventive maintenance. As a result oflengthening of the time between refuelings some of this maintenance was performed at power. Furthermore, recent shutdown risk assessments suggest j that shutdown risks are in general comparable to those of power cperation, resulting in questions i about the benefit of delaying PM on EDGs to shutdown conditions. This increase in "on-line" PM

has resulted in an increase in maintenance unavailability to 0.02 with a corresponding industry-wide j increase in EDG reliability from 0.98 to 0.986, i ,

6.2.2 Bmokhaven's Analysis of EDG Unavansirity and its Risk Impacts l 1

! The safety implications of performing EDG maintenance at power was investigated by Brookhaven National Imboratory (BNL). The BNL report (Reference 3), which is discussed below, inva'igdM:

1. The sensitivity of the plant core damage frequency (CDF) to maintenance and the

probability of failure to start and run on demand.

l l 2. The relative benefits of performing maintenance at power vs shutdown.

The analysis found that the increased CDF level during maintenance, as well as the duration of the j maintenance are important factors in the assessment of the risk impact of EDG unavailability due to maintenance. The integrated risk impact over the duration is calculated as the product of the increased CDF and the maintenance duration.

! It was concluded that during power operation, changes in CDF are more sensitive to failures to start and run than to EDG maintenance unavailability. Specifically, it was concluded that EDG failure i unavailability has a factor of 2.6 greater impact on the CDF than does the "at power" maintenance unavailability (Reference 6). Furthermore, an increase in unavailability to .02 per EDG per year had no significant impact on plant risk (i.e. CDF). If one presumes that the increase in maintenance j related unavailability is offset by a decrease in the failure to start and load-run unavailability, the i net impact on the CDF would be beneficial.

This report also developed insights for scheduling EDG preventive maintenance items (PMs). PMs were divided into three categories

i (1) Scheduled PMs that need to be performed at an interval less than 18 months, b (2) Scheduled PMs that need to be performed at an interval of 18 months or longer, l (3) Condition-directed PMs, based on test results, as needed to correct degradations of j equipment which may lead to failures.

J-j 15

l l

1 ..

l BNL recommended that short duration PMs be performed at power. Ionger duration PMs were recommended to be scheduled during the later portion of the refueling outage when the risk impact i is relatively low. Risks associated with EDO maintenance during the early, low inventory shutdown modes were found to be generally comparable to that of performing the maintenance at power. l l

For condition-directed PMs (and cms),'somewhat longer maintenance outages may be allowed during power operation since a plant shutdown, in this case, involves the additional risk of maneuvering to a safe shutdown state.

Insights obtained from this and associated efforts were presented in a memorandum for Thomas E.

Murley from Eric S. Beckjord in Research Information Letter Number 173 entitled " Risk-based Methods to Evaluate Requirements in Technical Specifications" (Reference 9). The memorandum stated that scheduling DG maintenance during power operation is risk neutral for preventive !

maintenances of short duration and they can be scheduled during power operation. ;

r Results of the CEOG plant specific analyses presented in Sections 6.3.2 through 6.3.5 are in general agreement with those of the BNL study. When the full scope of plant risk is considered, the risks incurred by extending the AOT for either corrective or preventive maintenance will be substantially offset by plant benefits associated with avoiding unnecessary plant transitions and/or by reducing risks during plant shutdown operations, improved EDG reliability upon entering shutdown, and implementation of compensatory measures. The combined CEOG results indicate that the risk of performing EDG maintenance at power varies from risk beneficial to risk neutral depending upon the duration and type of maintenance.

i 16

p .

. 6.3 Aemmemment of Risk 6.3.1 Orerview The purpose of this section is to provide an integrated assessment of the overall plant risk naaeintad with the adoption of the proposed AOT extension. 'Ihe methodology used to evaluate the EDG System AOT extension was based in part on a' draft version of the " Handbook of Methcxis for Risk-

Based Analyses of Technical Specifications" (Reference 8) and related industry guidance. As guidance for the acceptability of a Tech Spec modification, Reference 8 noted that any proposed l Tachnical Specification change (and the ultimate change package) should either: '

i (1) be risk neutral, OR (2) result in a decrease in plant risk (via " risk trade-off considerations"), OR

! (3) result in a negligible (to small) increase in plant risk. ;

AND

! (4) be needed for utility to more efficiently and/or more safely manage plant operations.

A statement of need has been provided in Section 6.1. This section addresses the risk aspects of l . the proposed AOT extension.

i

In this evaluation, a risk assessment of the EDG AOT extension is performed with consideration of l l associated "at power", " transition" and " shutdown". The assessment includes consideration of risk increase associated with potentialincreased EDG unavailability and the associated risk benefits due

to avoiding a forced mode transition, improvements in EDG reliabilig and performing the same maintenance at shutdown (see below).

l Section 6.3.2 provides an assessment of the increased risk associated with continued operation with i

a single EDG out of service (OOS) for preventive and corrective maintenance. The evaluation of

the "at power" risk increment resulting from the extended AOT was evaluated on a plant specific basis using the most current individual plant PSAs as their respective baselines. Plant specific

evaluations were performed by each participating utility. Results of these evaluations were then compared using appropriate risk measures as prescribed in Reference 8.

Section 6.3.3 assesses the risk of transitioning the plant from Mode 1 into a lower mode with a single EDG inoperable. The "at power" risk assessment presented in Section 6.3.2 provides an i evaluation of continued operation of the plant with an extended EDG AOT for the purpose of performing corrective maintenance on the EDG. A conservative lower bound estimate of this risk l

was evaluated by modifying the reactor trip core melt scenario for a representative CE PWR, Based i

on this analysis, a core damage probability for the plant shutdown was established and compared

to the single AOT risk associated with continued operation.

17 1

i

He relative risk of EDG PM for "at power" and "at shutdown" conditions is provided in Section .

6.3.4.1. Recent experience has shown that the risk of maintaining the reactor in a shutdown condition can rival that of power operation.

EDG PM programs have been effective in reducing EDG unavailability due to failure to start and load-run. Section 6.3.4.2 provides a demonstration of the risk reduction possible by implementing a planned "on-line" PM program. In that analysis a parametric study is perfonned to demonstrate the impact of modest (10 to 30%) improvements in EDG reliability on decreased plant risk.

For completeness, the impact of the extended A(yr on the plant large early release fraction is qualitatively nue==i. The assessment includes an evaluation of the events leading to large early fission product releases and the role of the EDG in the mitigation of those events. This assessment is presented in Section 6.3.5.

i 6.3.2 Assessment of "At Power" Risk l Methodology l This section provides an assessment of the increased risk associated with continued operation with j a single EDG out of service (OOS). The evaluation of the "at power" risk increment resulting from i the extended EDG AOT was evaluated on a plant specific basis using the most current individual I plant PSAs for their respective baselines. Plant specific evaluations were performed by each

participating utility. Results of these evaluations were then compared using the following risk j measures (from Reference 8):

i i Avemge Core Damage Frequency (CDF): The average CDP represents the frequency of l core-damage occurring. In a PSA, the CDF is obtained using mean unavailabilities for all

. standby-system components.

l Core Damage Probability (CDP): The CDP represents the probability of core-damage.

l occurring. Core-damage probability is approximated by multiplying core-damage frequency l by a time period.

Conditional Con-Damage Fnquency (CCDF): The Conditional CDF is the Core Damage i Frequency (CDF) conditional upon some event, such as the outage of equipment. Itis

calculated by re-quantifying the cutsets after adjusting the unavailabilities of those basic

events associated with the inoperable equipment.

4 4

i a

18 i

. Increase in Con Damage Frequency (ACDF): The increase in CDP represents the difference between the CCDF evaluated for one train of equipment unavailable minus the CCDF evaluated for one train of equipment always available. For the EDGs:

ACDF = Conditional CDFa a m - Conditional CDFa m W where CDF = Core Damage Frequency (per year) 4 Single AGF Risk Contributtan: The Single AOT Risk contribution is the increment in risk associated with a train being unavailable over a period of time (evaluated over either the full AOT, or over the actual maintenance duration). In terms of core damage, the Single :

l' AOT Risk Contribution is the increase in probability of core-damage occurring during the !

AOT, or outage time, from the baseline. The value is obtained by multiplying the increase j in the CDF by the AOT or outage time.

Single AOT Risk = ACDF x r where, ACDF = Increase in Core Damage Frequency (per year), and ,

j r = full AOT or actual maintenance duration (years) l l

, l Yearfy A0TRisk Contribution: The Yearly AOT risk contribution is the merease m average ,

yearly risk from a train being unavailable accounting for the average yearly frequency of the l AOT. It is the frequency of core-damage occurring per year due to the average number of l entries into the LCO Action Statement per year. The value is estimated as the product of ;

the Single AOT Risk Contribution and the average yearly frequency (f) of entering the ,

associated LCO Action Statement. Therefore:

i Yearly AOT Risk = Single AOT Risk x f l where f = frequency (events / year) j

, Incremental changes in these parameters are assessed to establish the risk impact of the Technical Specification change, b Calculation of Conditional CDF, Single and Yearly AOTRisk Contributions 4

Each CEOG utility used its current PSA to assess the Conditional CDF based on the condition that one EDG is unavailable. Each plant verified that the appropriate basic events are contained in the PSA cutsets used to determine the AOT risk contributions. This verification was performed as the first task in calculating the Conditional CDFs. If basic events had been filtered out of the PSA cutsets, one of the two methods descr; bed below were used to ensure the calculation of Conditional CDF was correct or conservative:

19 J f

- i i

s

1. Select the basic event for the failure mode of the e; --t with the highest failure .

yrvi idlity if the test / maintenance failure mode of the component had been filtered out; or i

l 2. Retrieve cutsets containing relevant basic events at the sequence level and merge them with the final PSA cutsets. l t !

l De Conditional CDP given i EDG is unavailable was obtained by performing the following steps: ;

1. Set basic event probability for the failure mode for an EDG equal to 1.0. :

i

2. Set any basic event probabilities for other failure modes for that train set equal to

]

O.0.

i, i

! 3. Set basic event probability for EDG unavailable due to test and maintenance equal to 0.0. .

4. For the case where the LCO Action Statement was prompted by need for Corrective I Maintenance (CM) (i.e., equipment failure), adjust the other train's corraeaaadia!

basic event common cause failure unavailability to the probability of failure given one ,

j train has failed (i.e., equal to the beta factor, #, for the Multiple Greek Imer j Method).

) For Preventive Maintenance (PM) (i.e., no equipment failure), set the failure rate of 4 5.

i the train remaining in service to the total single train failure rate (including both :

indapad=t and common cause failure data).

{

I 6. Requantify the PSA cutsets.

i The Conditional CDF was therefore ac===A for both CM and PM. The difference between the two l

values is a result of the aforementioned difference in treating common cause failure. It should be j noted that the definition of CM for use in the PSA is considerably more stringent than the pragmatic 4

TAGGED INOPERABLE definition of CM used in Section 5.0. In this context, CM refers to I maintenance performed on a component that cannot otherwise perform its safety function.

l The Conditional CDF given 1 EDG is never out for test or maintenance was obtained by setting the

! basic event probability for the failure mode for an EDG equal to 0.0, and requantifying the PSA '

j cutsets. No adjustment was made to common cause failure from the value used in the h==1iam PSA.

1 5

i j

De Conditional CDFs were evaluated for each EDG, and the most conservative result was used.

The Conditional CDP was then used to calculate the increase in CDF. He Single AUT Risk !

j Contribution for each plant was then calculated for the following cases- !

1 . ,

i 20 4

4 i

i

- Current full AOT,

- Proposed full AOT (both 7-day and once per cycle 10 day),

- Mean downtime for CM, and

!_ - Mean downtime for PM. l s ,

A mean downtime of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months / event was assumed for CM. For PM, the mean duration per event l was ~1~1*I by dividing the proposed downtime (unavailability target, hours / year /EDG) by the l proposed frequency of PM. A proposed downtime of 160 hours0.00185 days 0.0444 hours 2.645503e-4 weeks 6.088e-5 months / year /EDG and a frequency of 2.8

per year was assumed for PM. These values are mean values presented in Refemnce 3. Plants with

! actual data available used plant specific values. i j

The Single AOT Risk Contributions were then used to calculate the Yearly ACyr Risk Contributions (Single AOT Risk x frequency) based on each plant's actual frequency of entry into the AOT, for 1 both CM and PM. Plant specific frequencies were used in this calculation for CM and PM whenever available. If not available, maintenance frequencies were assumed to be 2.5 events / year i for CM, and 2.8 events / year for PM. If available data for downtime frequency did not distinguish between CM and PM, a split of 50/50 was conservatively assumed for CM/PM.

The overall Yearly AOT Risk Contribution is assumed to be the sum of the Yearly AOT Risk i Contribution due to CM and the Yearly AOT Risk Contribution due to PM. Tables 6.3.2-1 and l 6.3.2-2 provide the Conditional CDFs and the Single and Yearly AOT Risk Contributions for each !

plant for CM and PM, respectively.

l At many plants both EDGs may power different equipment and therefore risk predictions will not '

j be symmetric. In the current analyses, the risk measures presented are those of the " worst" (i.e.

most important) EDG.

Calculation ofAverage CDF l In order to calculate the Average CDF for the extended EDG AOT, a new value for EDG l unavailability due to test / maintenance was derived. A 2.5% unavailability was assumed, which

equates to a maintenance duration of 220 hours0.00255 days 0.0611 hours 3.637566e-4 weeks 8.371e-5 months per year per EDG. For plants with a maintenance

! schedule already in place or defined, then actual plant data was used in lieu of the above assumptions.

The impact on the PSA was then calculated to obtain the Average CDF for this new EDG l unavailability. This new Average CDF was then compared to the base case value in the plant's l PSA. Table 6.3.2-3 provides the proposed Average CDF and the base average CDF for each plant.

i 21 j !

1-5

. Results .

The results from each plant were asdmilated, and the Single AM and Yearly AOT Risks were calculated for each plant. Tables 6.3.2-1 through 6.3.2-3 present the results of these cases on a i plant specific basis, and summarizes the EDG AM CDF contributions for each plant. These risk

contributions include the Cnadidanni CDFs, Increase in CDF, Single AOT and Yearly AM risks for both CM and PM, based on full AOT and mean downtime, and current Average CDF and proposed Average CDP. ;

! The results for the conditional CDF and Single AOT risks presented in Table 6.3.2-1 are i conservative. SpiW1y, the evaluation of the conditional CDF for corrective maintenance j considers that the operable EDG is subject to a common cause failure for the entire duration of the i AOT. In several CEOG member plant technical specifications it is required that either an ,

j assessment of the absence of a common cause failure mechanism or an EDG start /run test be 1 . performed following discovery of the EDG inoperability. In practice, even when the technical t l specifications do not require a common mode failure assessment, it is likely that such an assessment j ' is performed upon the discovery of the cause of the EDG inoperability. Thus, plant operation with one EDG in CM, while the OPERABLE EDG has a high likelihM of common cause failure, would l

be restricted to a narrow time window which is considerably less than the full 7 day AM.

l For CM, most CE PWRs indicate that repair of a non-functional EDG results in an increase in i conditional core damage frequency (CCDF) from the baseline CDF by a factor ofless than 5. The ;

j increase in Single AOT Risk Contribution for all CE PWRs (from Table 6.3.2-1, Proposed Single .

AOT Risk based on a full 7 day AM - Current Single AOT Risk) varies from 0.0 (for plants that i already have a 7 day AOT for EDGs) to 2.16E-06. The increase in Single AOT Risk Contribution for a Single AOT Risk based on a 10 day AOT varies from 3.38E-07 to 3.78E-06.

l For all CE PWRs, declaring the EDG INOPERABLE and taking the EDG out of service for j maintenance increases the conditional CDF by a factor of between 1.5 and 4. The increase in Single ,

i AOT Risk Contribution for all CE PWRs (from Table 6.3.2-2, Proposed Single AOT Risk based l on a full 7 day AOT - Current Single AOT Risk) varies from 0.0 (for plants that already have a 7

[ day AOT for EDGs) to 1.38E-06. For a full 10 day AOT, the increase from Current to Proposed

Single AOT Risk Contribution varies from 2.09E-07 to 2.42E-06.

l l As will be shown in the following sections, these risks are offset by reductions in transition and 4

shutdown risks.

! Table 6.3.2-3 summarizes the impact of the proposed AOT extensions on the plant yearly core i damage frequencies. The change in the Average CDF due to increasing the EDG AOT varies from

, a factor of 1.01 to 1.078. When interpreting Table 6.3.2-3, it is important to note that some plants i evaluated their IPEs based on actual plant data and not on the full AOT, whereas the Proposed

Average CDFs presented in the table for all plants are based on the full proposed AOT. Two plants

(ANO-2 and FCS) that based their IPEs on actual EDG downtimes had recent plant histories with

{ very limited EDG PM. Therefore, the change factor for these plants is overestimated. A more

, 22 4

l

-. appropriate estimate of the change factor can be established by evaluating the baseline PRA PM at one full AOT per year. This value is presented in parenthesis for these plants.

Waterford Unit 3 indicates a higher impact on the CDF than other plants. This increased impact is primarily due a conservative treatment of the SBO event within the IPE. Specifically, the l Waterford-3 IPE assumes that all EDG failures occur at the time of loss of offsite power (i.e. all '

EDG failures are conservadvely assumed to be start failures). Even with this conservative modeling approach, Waterford-3 has a relatively low plant h=1ina CDF (1.54 x 104 per year). A preliminary evaluation of a more realistic approach to the treatment of EDG failures was performed .

to support this assessment. In this realistic method, the product of the EDG run failure probability :

density function and the offsite power non-recovery function was integrated over the mission time. l This accounts for the fact that EDG run failures can occur at any time during the mission time, '

) including late in the sequence when the probability that offsite power will be recovered is high.

i Using this realistic methodology, the expected CDF increase factor will reduce from 1.14 to 1.078 ,

(see Table 6.3.2-3). This translates to an absolute yearly risk increase of about 1 x 104 per year.

For Waterford-3 taking the EDG out for maintenance would result in an increase in CCDFs by a '

factor of about 7.2 for CM and 2.9 for PM. These risks are generally comparable to those associated with the CE group as a whole.

4 l

i 23

t l

l l Table 6.3.2-1 CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR EDGs - Corrective Maintenance PARAMETER ANO-2 Fort Maine Millstone P=le Palo San St. Imcio St. Imeie Weserford Calloun Yankee 2 Verde Onofre 1 2 3 1,2, & 3 2&3 EDO Success Criteria l of 2 l ef 2 l of 2 l of 2 l of 2 l of 2 l of 2 l of 2 l of 2 l of 2 l Present AUT, days 3 7 7 3 7 3 3 3 3 3 Proposed AUT, days 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 Conditional CDP, per yr 1.26E44 5.28EE I.15E-04 9.43E-05 1.64E-04 2.43E44 5.92EE 5.9E-05 6.3E-05 1.56E-04 l (1 EDO unavailable)

Conditional CDP, per yr 3.27EE 1.17E E 7.36EE 3.24E4 5.00EE 4.58EE 2.69EE 2.lE-05 2.3EE 1.50E4 (1 EDO never out for T/M)

Increase in CDF, per yr 9.30E-05 A.llEE 4.14E-05 6.19EE 1.14E-04 1.97E-04 3.23EE 3.8EE 4.0EE 1.41E-04 Single AUT Risk, Current 7.65E-07 7.88E-07 7.94E-07 5.09E-07 2.19E4 1.62E4 2.65E.07 3.IE-07 3.3E-07 1.16E 4

Single AUT RiekJ %7 day l 1.78E4 7.88E.07? :i7.94E.07:

si.19E E - : 2.19EE f.7BE4$

3 6.19E-07! $7.3E47h $i.7E-072 k2.70EN165 Proposed . . . . _. . . . . . ...

11~~~~~T ~ ~ ~. ..m-- T TE- ? < , . . . . . - - - -

10 day 2.55E4 .:1.13E4 : ? 1.13E4: i1.70E 4 43.12E 4' r 5.40E4 18.85E47s. ? 1.0E46] }1.1E4;[ f1.55E40 Downtime Frequency, per yr 0.63 2.5 2.5 2.5 2.0 1.8 0.63 2.5 2.5 2.5 per diesel

Yearly AUT Risk, Curma, 4.78E-07 1.97E-06 1.98E-06 1.27E-06 4.37E4 2.92E4 1.66E-07 7.8E-07 8.2E-07 2.90E4 per yr/ diesel **

Yearly AUT Risk, 1.12E-06 1.97E-06 1.98E-06 2.97E4 4.37E4 6.81E4 3.87E-07 1.8E-06 1.9E4 6.76E-06 Proposed, per yr/ diesel **

Actual Duration, hre/ event *** 15 24 24 24 24 24 23.8 24 24 24 Single AUT Risk I.61E-07 1.13E-07 1.13E-07 1.70E-07 3.12E-07 5.40E-67 8.78E-08 1.0E-07 1.lE-07 3.86E-07 (based on actual data)

Yearly AUT Risk /yr/ diesel ** 1.00E-07 2.82E-07 2.54E-07 4.24E-07 6.25E-07 9.72E47 5.48E-08 2.6E47 2.7E-07 9.66E-07 (bened on actual data)

Generic dsta = 2.5 per yr per diceel

- Value presented for worst caso diesel

- - Generic data = 24 hra/ event 24

Table 6.3.2-3 CEOG PROPOSED AVERAGE CDFs PARAMETER ANO-2 Port Maine Millstone Pahendes Palo San St. Imeie St.1meis Waterfond Calhoun Yenirse 2 Verde Onofm 1 2 .3 1,2, & 3 2&3 EDG 5uccess Criteria 1 of 2 l of 2 t of 2 l of 2 l of 2 l of 2 l of 2 l ef 2 l ef 2 1 of 2 Present AUT, days 3 7 7 3 7 3 3 3 3 3 i Proposed AUT, days 7.*10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 Proposed Downtime, hrelyr 219 220 235 168 240 220 220 264 264 200 Average CDP (base), per yr 3.28E-05 1.18EE 7.40E4 3.41E4 5.15E-05 4.74E-05 2.74E4 2.14E4 2.35E4 1.54E-05 Proposed Average CDP 3.50E-05" 1.27E4" 7.45EE 3.50E-05 5.28E-05 4.85EE 2.86E-05 2.2EE 2.4EE 1.75EE Change factor from beseline 1.07"* 1.08*" 1.01 1.03 1.03 1.02 1.04 1.02 1.02 1.14**

CDP (1.05) (1.02) (1.078)

Generne data = 220 hrulyr/ diesel

- The Proposed Average CDP is presented here is based on using the full AUT wherces the baseline IPE Average CDP wee based on octual plant data which had very little PM on line (see Table 5.2-1).

- - 7he Nurrbers in parenthesis represent % change from baseline IPE if the baseline IPE was evaluated over the fuH AUT.

- See page 25 for discussion of neults '

i 26

_ . _ _ _ . _ _ . _ . _ . __ . _ __ _._._ _._______...__._...___.___..._____._.--_..._..m.__

i

, r 1

Table 6.3.2-2 CEOG ACTF CONDITIONAL CDF CONTRIBUTIONS FOR EDGs - Preventive Maintenance PARAMETER ANO4 Post Meine Millseene Fehsedes Pelo Ben St. Laois St. Laeie Weseriosd comma Yanhoe 2 Venis- Onofie 1 2 3 1,2. A 3 2&3 4

4 EDG h Crieerie I of 2 1 of 2 1 of 2 1 of 2 i of 2 I of 2 I of 2 1 of 2 1 of 2 I of 2 i Presesa AUT, days 3 7 3 3 7 3 3 3 3 3 !

Propossd AUT, days 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 7/10 i Condstional CDP, pse yr 1.01E-04 3.7tE-05 1.13E 04 838E-05 1.57E-04 1.72E 04 5.4 tE-05 4.lE-45 4.7E45 6.hE45 (1 EDO unevedeble)

Conditional CDP, per yr 3.27E-05 1.17E-05 7.36E-05 3.24E-05 5.00E-05 4.58E-05 2.09E45 2.lE45 2.3E-05 1.50E-05 (1 EDO never out for TIM) i l Inesesse in CDP per yr 6.86E-05 2.54E-05 3.94E-05 5.34E45 1.07E-04 1.26E44 2.72E45 2.0E-05 2.4E-05 5.26E45 i

Single AUT Risk, Current 5.64E-07 4.87E-07 7.56E41 4.39EET 2.05E-06 1.04E-06 2.24EST 1.6E47 2OE4T 4.32EST

......m e. .. . . . .

. . . . y .. . .. .. ._ . , . _ . , . , . . . . . _ . ._ _

_ ~

L sigle AUT RiO, c.7 day l. j1.32E.06 -4.87E4T 17.56E4Tc $1.02E 06 2.05E.06 i2.42E46 5 ! 5.2250T ._s 3.85 07 i 7,4.6847 T 51.01E465

~

ii.88E.06 - j 6.96 4TI It'CBE46? ! !.465 063 [2.93E46 2

. 3 46 7 5.45E072 [$.48 GE#fI [l'.44E48 ^'

Downtirne Frequency, per ys* 2.0 2.8 2.8 2.8 4.0 3.0 1.25 2.8 2.8 2.8 Yearly AUT Risk, Current, per yr/ diesel ** 1.13E-06 1.36E.06 2.12E-06 1.23E46 8.21E46 3.llE46 2.79E-07 4.6E-07 5.5EST 1.21E-06 Yearly AUT Risk, Psoposed, per yr/ diesel ** 2.63E-06 1.36E-06 2.12E4 2.87E46 8.21E 06 7.26E46 6.52E4T 1.lE46 1.3E46 2.82E-06 Proposed Downsione !. t._.",F 192 160 175 144 192 160 114.75 240 240 140 Actual Duration hrs / event *= 96 57 63 51 48 53 92 86 86 50 Single AUT Risk 7.52E-07 1.66E-07 2.81E47 3.14E 07 5.86E4T 7.68E-07 2.85E 07 2.0E4T 2.4E4T 3.0DE47 (bened on actual duration)

Yearly ACT Risk /yr/ diesel ** 1.50E 06 4.64E-07 7.87E47 8.7BE4T 2.35E-06 2.31E46 3.56E4T 5.5E4T 6.6E4T 8.41E4T (based on actual duration)

Genene dona = 2.8 per yr per diesel *** Duration (hre/ense) = Psepened Dowsenne p..",.p , , (esosas/y>)

l **Vehme preessmed es. for worst sees diesel **** Gemene does = 220 : ",.. -

I 25

f.3.3 Assessment of Dansition Risk For any given AOT extension, there is theoretically an "at power" increase in risk nunciated

, with it. This increase may be negligible or significant. A complete approach to namesting the j change in risk accounts for the effects of avoided shutdown, or " transition risk". Transition Risk represents the risk associated with reducing power and going to hot or cold shutdown following equipment failure; in this case, one EDG unavailable. Transition risk is ofinterest in understanding the tradeoff between shutting down the plant and restoring the EDG to

operability while the plant continues operation. The risk of transitioning from "at power" to a shutdown mode must be balanced against the risk of continued operation and performing corrective maintenance while the plant is at power.

~

To illustrate this point, a representative CE PWR has performed an analysis for transition risk j associated with one inoperable EDG. The methodology and results obtained by this plant are presented below and are considered generically applicable to the other CE plants.

]

i i Methodology

(

The philosophy behind the transition risk analysis is that if a plant component becomes l unavailable, the CDF will increase since less equipment is now available to respond to a

transient if one were to occur. However, as long as the plant remains at power, this CDF is constant. At the point in time that a decision is made to shut down, the CDF increases since 4

a " transient" (manual shutdown) has now occurred, and the equipment is still out of service.

i The Core Damage Probability (CDP) associated with the risk of plant transition from plant full power operation to shutdown is obtained by modifying the " uncomplicated reactor trip" core

, damage scenario in the PSA model. In this evaluation the incremental risk is dominated by the i increased likelihood of loss of main feedwater and the reliance on auxiliary (and/or emergency)

feedwater to avert a core damage event. A cutset editor was used to adjust cutsets representing

, manual shutdown or miscellaneous plant trips to reflect the CDP associated with a forced

shutdown assuming one EDG is out of service and requantifying the PS A cutsets. Conservatisms that had been included in the base PSA model were deleted to reflect the greater control that the l plant staff has in the shutdown process. Specifically, the baseline PSA assumed total loss of

main feedwater (MFW) within 30 minutes of reactor trip. In the transition analysis, MFW was

! assumed to be recoverable following failure of Auxiliary Feedwater. A human error probability (value of 0.1) was added to cutsets that contained no basic events, including human actions, that

would cause MFW to be unavailable. The duration of the transition process was assumed to be 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months (6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months to hot standby and 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months to hot shutdown), and result in a Mode 3 or Mode 4 end state with core cooling provided via the steam generators.

! Additional human errors that would be associated with a detailed portrayal of the shutdown

' process and the entry into shutdown cooling were not includcd in order to establish a '

conservative lower bound assessment of the transition risk. Errors of commission, such as diversion of RCS flow during SDC valve alignment, are also not considered in this analysis.

27 i

t

I &

Such errors would add to the disadvantages of the shutdown alternative, and therefore, to include .

them would be non-conservative for the purpose of this comparison. Similarly, any transitional risks ==~ int ~i with the return to plant operation are conservatively =g1~ *~i.

Based on the above methodology the CDP associated with the lower mode transition was

calculated for the isyrwtative plant to be 1.00E-06. Results of transition risk analyses can be generalized for the other CE PWRs by assuming that the ratio of the CDP for Transition Risk

. to the baseline Average CDF is constant for all plants. The baseline CDFs were selected rather '

than the Conditional CDFs for the ratio between the other CE plants because the analysis for the j

icyistative plant indicated that transition risk was more a function ofless of MFW rather i

than a function of the specific equipment out of service.

3 That is, i A CDPa u = (CDFyCDF,,,,,

ACDPn w,,,,y j where:

ACDPa y = Incremental risk due to mode transition for plant !

1 CDFu = Baseline CDF for plant

CDF,,,, p = Representative plant baseline CDF CDPa w,,,,p Incremental risk due to mode transition for

=

l representative plant

The transition risk may be used to evaluate the relative risks of performing EDG repair at power to that of performing the same repair at some lower mode. The risk of continued operation for j the full duration of the AOT is bounded by the single AOT risk for CM (if a common cause

failure is suspected) and by the single AOT risk for PM when common cause failure can be

e ruled out. The comparable risk of the alternate maintenance option involves consideration of a four distinct risk components

i (1) Risk of remaining at power prior to initiating the lower mode transition.

i l This risk will vary depending on the ability of the staff to diagnose the EDG fault and (

4 the confidence of the operating staff to expeditiously complete the repair. The time ;

interval for power operation with a degraded component, prior to mode transition will -

vary from one to several days. ,

(2) Risk of lower mode transition.

z This risk is accumulated over a short time interval (approximately 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ).

3 (3) Risk of continued lower mode operation with an impaired EDG. .

1 i

28

l In this mode, the reactor is shutdown and the core is generating decay power only.

However, risks in this mode remain significant. Depending on the particular operational mode, resources to cope with plant transients will typically be less than at power. 'Ihese modes are cha =e'arivad by decreased restrictions on system operability, longer times for epider recovery actions, lower initiating frequency for pressure driven initiators (such as LOCA) and a greater frequency for plant transients such as those initiated by loss of offsite pawer and loss of main feedwater.

(4) Risk of return to power The power ascension procedure is a well controlled transient. Reference 8 c+ce?wHy dier=** that risks =acintad with this transition are greater than those associated with at power operation, but significantly below that associated with the initial lower mode transition (item 2).

The analysis of transition risk presented in this report quantifies only the risk oflower mode transition (item 2).

Results Table 6.3.3-1 presents the risk associated with transitioning the plant to a lower mode for each plant. The numbers in the table represent only the lower mode transition risk component of the '

transition sequence (item 2). The risk associated with the transition portion represents a sig'lificant fraction of the risk that would be incurred for a seven day "at power" (Single AOT Risk from Tables 6.3.2-1 and 6.3.2-2) EDG maintenance period.

When the risk at power and the risk at the lower mode of operation are comparable, then these results indicate that performing a 7 day EDG maintenance activity "at power" would be risk !

beneficial.

29

l Table 6.3.3-1 TRANSITION RISK CONTRIBUTIONS FOR EDG CM PLANT Transition Risk Contribution (ACDP)

ANO-2 6.92E-07 Fort Calhoun Station 2.49E-07 Maine Yankee 1.56E-06 Millstone 2 7.19E-07 Palisades 1.09E-06 Palo Verde 1,2 & 3 1.00E-06 San Onofre 2 & 3 5.78E-07 St. Lucie 1 4.5E-07 St. Lucie 2 5.0E-07

]

Waterford 3 3.25E-07 i

4 1

. 30

l 6.3.4 Assessment of Shutdown Risk 6.3.4.1 Assessment ofRisk-kadeof The risk of EDG maintenance at shutdown was investigated using the shutdown PSA of a CEOG participant. This study was directed at estimating the advantage of performing EDG maintenance at power by estimating the corollary impact of performing the same PM during

shutdown. Shutdown risks were evaluated for two shutdown configurations: Mode 5 mid-loop operation (representative of the early reduced inventory phase of the shutdown) and for a condition representative of a spent fuel pool operation with a complete fuel off-load. The impact of EDG PM was nuasced by analyzing the incremental reduction in core damage probability (CDP) when two EDGs are available vs. the plant operating state when one EDG is operable and available while the second EDG is undergoing maintenance. Recovery of offsite power was considered. However, recovery of failed or inoperable EDGs was assumed not to occur in time to avert core damage.

Results Results of this investigation are summarized in Table 6.3.5-1. The tabular information is presented in terms of the daily core damage probability. The daily CDP is assumed applicable anytime while the plant is in the shutdown mode analyzed.

Maintenance of the EDGs early in the shutdown operation and while the plant is at reduced inventory (e.g. mid-loop operation), results in an incremental risk of core damage equal to about 1.2 x 104 per day while the EDG is inoperable. In this instance, the high impact of the EDG is a result of the short time expected to core damage.12tc in the sequence the shutdown PSA predicts a similar trend for the EDG importance (1.7 x 104 per day). This later evaluation further assumed that once the fuel in the spent fuel pool uncovers (about 70 hours8.101852e-4 days 0.0194 hours 1.157407e-4 weeks 2.6635e-5 months into the event), efforts to refill the spent fuel pool would be unsuccessful. These events can be further i

complicated in that failure of fuel during shutdown can result in higher radiation exposures than similar events occurring at power in a closed containment.

i TABLE 6.3.4.1-1 DAILY PLANT CORE DAMAGE PROBABILITY AT SHUTDOWN FOR A REPRESENTATIVE CE PWR CONDITION NO PM 1 EDG IN PM INCREMENT IN (2 EDGs AVAILABLE) CDP REDUCED INVENTORY 1.04 X 104 2.26 X 104 1.2 X 104 (MID-LOOP)

SPENT FUEL POOL 5.1 X 10-7 4.36 X 104 3.8 X 104 31

Conclusion .

Early in the shutdown, risk of PM is generally equivalent to that for similar maintenance at power. At later times, incremental risks associated with EDG PM may be optimistically expect to be lower than what is reported in this assessment. However, these risks cannot be neglected and may be comparable to that of power operation.

6.3.4.2 Assessment ofEnhanced EDG Reliability Reference 2 noted that over the past several years "on-line" PM on EDGs has increased. During the same time interval, the unreliability of the EDGs has also decreased. While a precise relationship between the PM process and EDG reliability has not been established there appears to be a positive correlation between increased PM performed in recent years and the enhanced EDG reliability which has been observed. While not all PM activities will directly impact EDG reliability, certain PM originating from plant reliability improvement programs and including manufacturer suggested inspections and modifications do likely have a beneficial effect. This section explores the risk impact of small to modest increases in EDG reliability on risk "at power" and on risk during the early low inventory phases of a plant shutdown.

i "At Power" Risk Assessment i

i An analysis was performed to determine what increase in EDG reliability would be required in

order to offset the risk increment associated with 5 days (120 hrs) of "on line" maintenance.

l The five day interval generally bounds the average PM unavailability for the CE PWRs.

j Assumptions employed in the analysis are as follows:

1. The nominal EDG failure probability to start and load /run for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is .09 per demand,

! and i

j 2. The reliability benefit is realiwd for six months out of a year.

In this assessment the risk increment incurred by removing one EDG from service for a 5 day "at power" repair period was related to the integrated reduction in risk achieved by improving i the EDG reliability (reducing the failure to start and failure to load and run values) by 10,20 j and 30%.

1 Results of this assessment are summarized in Table 6.3.4-1. Comparing the risks of at power PM with risk reductions due to reliability improvements, it is apparent that a PM program that improves the average performance of the EDG by 15% offsets the risk of EDG unavailability due to PM.

I j 32

, l I

Table 6.3.4.2-1 i EDG MAINTENANCE VS. POTENTIAL IMPROVEMENTS IN EDG RELIABILITY 1

Yearly Risk Increase due to Risk Reduction at Power due to Reliability Improvement l 120 hrs of "at power" PM i

10 % 20 % 30 %

3.4 X 107 2.3 X 107 4.9 X 10-7 7 X 10-7 1

Shutdown Risk Assessment It has been shown in Section 6.3.4.1 that a modest improvement in EDG reliability from i performing PM probably offsets the contribution to the "at power" risk from having an EDG out i of service to perform the PM. A second benefit of performing on-line EDG Preventive

, Maintenance (PM) is that upon entering shutdown modes, the EDGs will have a greater

reliability than if maintenance had been done at the end of a refueling outage. To assess this ;

effect, it is assumed that "at power" PM will result in a 15% improvement in the EDG

reliability. In other words, the fact that the PM is performed several months closer to the time .

the EDG is needed is assumed to result in a 15% lower failure probability. ,

i Additional assumptions employed in this analysis are as follows:

i i 1. The only initiating event that is considered to be the EDG reliability is the Loss of Offsite Power.

2. Reduced inventory operation is assumed for 7 days 1

l 3. No other alternate ac is credited. l

! l

4. Core damage occurs 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months after LOOP.

i :

a

5. Recovery of offsite power is credited based on Reference 10. ;

The data used in the calculation is summarized in Table 6.3.4-2.

l 4

1 33

TABLE 6.3.4.2-2

SUMMARY

OF ANALYSIS DATA Probability of ED01 to Fall to start and Ioad (Base) Ph .014 4

1 1

Probability of EDG1 to Fail to Start and Lead (Given PM) PFM .012 i

Probability ofIoss of Offsite Power over the interval of Pm ,g reduced inventory OPERATION

Probability to Recover Off-site j

Power in 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months Pacra 0.58 d

i Common cause failure of EDG2

, given failure of ED01 E .05 1

i Applying these assumptions, the impact of EDG reliability improvement on the risk reduction at shutdown can be approximated. The ACDP for a shutdown with reduced inventory operation is approximated as:

l ACDP,% = P,(Ay(1-P,cy,)

R7EERE, Am = (Pg +Pyp)-(P,y)2_p,,(p) 34

_ ._. . . _. _ __ _ _ _ _ ____. _ _ _ __ _ _ _ . ~ ~ . _ _ . . . - -

, Substituting values from Table 6.3.4-2 into the above relation results in an estimated risk

- reduction benefit at shutdown of 2.6 x 10-7 For longer periods at reduced inventory, or if batteries are unavailable, the net risk benefit would correspondingly increase.

Assessment of Trade of between PM at power and improved EDG Reliability Parametric evaluations presented in sections 6.3.4.1 and 6.3.4.2 indicate that PM that results in modest improvements in EDG reliability over the long term can more than offset the short term risk from having an EDG out of service to perform the PM.

6.3.5 Assessment ofLage Early Release A review oflarge early release scenarios for the CE PWRs indicates that early releases arise as a result of one of the following class of scenarios:

1. Containment Bypass Events These events include interfacing system LOCAs and steam generator tube ruptures (SGTRs) with a concomitant loss of SG isolation (e.g. stuck open MSSV),

1

2. Severe Accidents accompanied by loss of containment isolation These events include any severe accident in conjunction with an initially unisolated containment.

3. Containment Failure associated with Energetic events in the Containment.

Events causing containment failure include those associated with the High Pressure Melt Ejection (HPME) phenomena (including direct containment heating (DCH)) and hydrogen conflagrations / detonations.

Of the three release categories, Class 1 tends to represert a large early release with potentially direct, unscrubbed fission products, to the environment. Class 2 events encompass a range of releases varying from early to late that may or may not be scrubbed. Class 3 events result in a high pressure failure of the containment, typically immediately upon or slightly after reactor vessel failure. Detailed I.evel 2 analyses for the plant condition with an increased availability

' of the EDG are not performed. However, assessment of the expected change in the large early release fraction was made by assessing the impact of the EDG availability on the above event categories.

35

Containment Bypass Ennts .

Events contained in this category are not expected to significantly rely on the EDG for event mitigation. Events included in this category are the large Interfacing System LOCA (i.e. failure of an SDC line). Testing and or maintenance of EDGs will not impact the ISLOCA frequency.

ISLOCAs are characterized by a continuous and unreplenished loss of RCS inventory and makeup. ' In these scenarios, core damage ultimately results following the depletion of reactor coolant. Thus, provided that a continuous indapandant water supply is not available during the aeddant, the ISLOCA will progress into early core damage regardless of the EDG availability. !

Severe Accidents accompanied by Loss of Containment Isolation i

Another event contributing to large early fission product releases could occur when an unmitigated severe accident occurs in conjunction with an initially unisolated containment.

Increased unavailability of the EDGs may result in a marginally greater frequency of core !'

damage events due to station blackout. Since the probability of the loss of containment isolation is low, the net impact of anhancad SBO coupled with a loss of containment isolation on the '

overall plant radiological releases is considered negligible.

Containment Failure associated with Energetic events in the Containment. l l 1 Class 3 events are dominated by RCS transients that occur at high pressure. These events are l

typically restricted to events that initiate as a station blackout or a loss of feedwater. An

! increased probability of SBO induced core melts will result in a proportional increase in the SBO contribution to large early radiation releases due to direct containment heating (DCH). As a result of the conservative treatment of DCH issues in many PSAs there is a noticeable l correlation between early containment failure induced by DCH and station blackout initiators.

l This relationship exists since DCH containment failure is a result of a high pressure melt ;

j ejection (HPME) at reactor vessel lower head failure, and that SBO events can lead to high pressure core melts. The fraction of SBO events leading to a high pressure core melt and subsequent HPME in practicality should be small when one considers the high propensity of hot leg / surge line creep failure occurring in advance of lower head failure.

! In this assessment, the impact of increased EDG maintenance unavailability on the Isrge early l releases was established by assuming that the increase in the yearly CDF (typically on the order

. of 1 to 10%) was totally due to an increase in unmitigated station blackout events. Furthermore, '

, it can be conservatively assumed for the CE plants involved in this study that less than 20% of SBO events result in large early containment failures. Therefore, increased EDG on-line maintenance will result in a small increase in large early containment failure scenarios.

i l

l 36 l

1

1 .

I

l. . 6.3.6 Summary of Risk Assessment I

The proposed increase in the EDO AOT was evaluated from the pmpective of various risks

! =@~1 with plant operation. For the plants evaluated, incorporation of the extended AOr l into the technical specification can potentially result in negligible to small increases in the "at j power" risk. However, when the full scope of plant risk is considered, the risks incurred by i extending the AOT for either corrective or preventive maintenance will be substantially offset

, by risk benefits == maw with avoiding unnwry plant transitions and/or by reducing risks

during plant shutdown operations, and imposition of limited restrictions for performing EDG l PMs.

i l The unavailability of one EDG was found to not significantly impact the three classes of events j that give rise to large early releases. These include containment bypass sequences, severe

accidents accompanied by loss of containment isolation, and containment failure due to energetic

! events in the containment. It is therefore concluded that increased unavailability of one EDG

. (as requested via Section 2) results in a negligible impact on the large early release probability l for CE PWRs.

' 'Ihe impact of implementation of the proposed extended AOT will vary from being risk beneficial to posing a negligible increase in plant risk. The precise impact will depend en the

specific circumstances of the entry into the LCO Action Statement.

i !

6.4 Compensatory Measures j l

i

, As part of implementing the Maintenance Rule, each CE PWR utility has developed or is in the '

l process of developing a method for configumtion control during maintenance. If maintenance

! is performed on a system / train concurrent with other maintenance, the impact on risk will be i evaluated prior to performing maintenance. Some plants achieve this via procedures which

! require that PSA evaluation is performed prior to performing maintenance. Other plants have a matrix showing the risk associated with different combinations of systems / trains unavailable due to maintenance. This matrix is used in planning the rolling maintenance schedule which is l part of implementing the Maintenance Rule.

I j The following conditions / restrictions are typical of those that will be imposed on the operator

governing "at-power" maintenance procedures: ,

l 1. Do not enter the LCO Condition for voluntary inoperability of an EDG if the auxiliary i systems for the diesel generator that will remain available are not fully operational (but do not require LCO entry for operability).

2. Do not voluntarily enter the EDG LCO if any component that can significantly increase plant risk is simultaneously expected to be out of se.wice.

l 37 4

E I

3. When performing extended EDG maintenance ensure that existing resident plant alternate -

AC power sources (e.g. " swing" DGs, combustion tmbines or independently powered

! FW pumps) are functional.

{ 4. Do not perform maintenance on components of the Electrical Distribution System (EDS)

(e.g., main transformer) that could significantly increase the likelihW of a LOOP initiating event while an EDG is out for maintenance. Minimize challenges to the EDO.

! 5. Do not perform maintenance on a diesel generator if an auxiliary feedwater pump and j associated support system and component are unavailable.

Additional operational restrictions and cautions may include the following: i

1. Schedule PM to coincide with favorable weather conditbas, e.g., not during " ice" or electrical storms which may induce LOOP. Consider preservation of the grid.

i 2. Put procedures or pre-planned activities defming restoration of equipment in place before d

PM is done.

4

3. Hold briefings with appropriate plant personnel to ensure they are aware of impact associated with taking an EDG out of service.

4. Ensure availability of replacement parts and special tools, and establish procedures prior to taking an EDG out of service.

i 5. Check safety-related equipment in division of operable EDG for proper alignment.

l 6. Restrict the removal of any equipment from service during EDG maintenance.

7. Restrict main switchyard activities (maintenance or re-configuration) to life-threatening

! or safety-threatening responses (i.e., responding to fires) while an EDG is inoperable for i l maintenance.

In addition to the above, when the one time 10 day AOT is to be exercised, the plant should take i

all reasonable efforts to not perform concurrent voluntary maintenance activities on other plant risk significant components and should restrict any unnecessary activities in the plant or the switchyard that can increase the risk of loss of off-site power. :

i

^

7.0 TECHNICAL JUSTIFICATION FOR STI EXTENSION EDG STI extensions are not within the scope of this effort.

2 38 t

l .

8.0 PROPOSED MODIFICATIONS TO NUREG-1432

! Attachment A includes proposed changes to NUREG-1432 Sections 3.8.1 and B 3.8.1 that

! correspond to the findings of this report.

i 9.0

SUMMARY

AND CONCLUSIONS i

j This report provides the results of an evaluation of the extension of the Allowed Outage Time (AUT) for one emergency diesel generator (EDG) contained within the current CE plant technical specifications, from its present value, to seven days. In addition, a once per cycle

AOT of 10 days for corrective maintenance is also requested. This AOT extension is sought to j provide needed flexibility in the performance of both corrective and preventive maintenance i during power operation. Justification of this request was based on an integrated review and i assessment of plant operations, deterministic / design basis factors, plant risk and EDG reliability.

! Results of this study demonstrate that the proposed AOT extension provides plant operational

flexibility while simultaneously adequately controlling overall plant risk.

i

The proposed increase in the EDG AOT to 7 days with a once per cycle 10 day AOT was evaluated from the perspective of various risks associated with plant operation. For the plants i evaluated, incorporation of the extended AOT into the technical specifications potentially results in small increases in the "at power" risk. However, when the full scope of plant risk is considered, the risks incurred by extending the AOT for either corrective or preventive maintenance will be substantially offset by plant benefits associated with avoiding unneceuary plant transitions and/or by reducing risks during plant shutdown operations, improved EDG reliability upon entering shutdown, and implementation of compensatory measures.

'Ihe unavailability of one EDG was found to not significantly impact the three classes of events that give rise to large early releases. These include containment bypass sequences, severe accidents accompanied by loss of containment isolation, and containment failure due to energetic events in the containment. It is concluded that increased unavailability of an EDG (as requested via Section 2) will result in a negligible impact on the large early release probability for CE PWRs.

39

i- .

i

10.0 REFERENCES

1. 10 CFR 50.65, Appendix A, "The Maintenance Rule".

j 2. SECY-93-044, " Resolution of Generic Safety Issue B-56, " Diesel Generator Reliability",

! letter to ACRS from J. Taylor (NRC), Enclosure 8 -

2

3. NUREG/CR-5944, " Emergency Diesel Generator: Maintenance and Failure Unavailability, and Their Risk Impacts", P. Samanta, et. al., BNL, November,1994.

4. 10 CFR 50.63 "Ioss of all Alternating Current Power".

5. Regulatory Guide 1.155, " Station Blackout", August,1988.

6. SECY-93-044, " Resolution of Generic Safety Issue B-56, " Diesel Generator Reliability",

letter to ACRS from J. Taylor (NRC)

]

~

7. Letter C. Shirake (NRC) to Cooper-Bessemer Working Group,

Subject:

Summary of

Nov. 22,1994, Meeting", December 15, 1994.

8. NUREG/CR-6141, BNL-NUREG-52398, " Handbook of Methods for Risk-Ravvf

Analyses of Technical Specifications", P. K. Samanta, I. S. Kim, T. Manhmo, and W.

E. Vesely, Published December 1994.

} 9. Memorandum for Thomas E. Murley from Eric S. Beckjord in Research Information letter Number 173 entitled " Risk-based Methods to Evaluate Requirements in Technical Specifications", January 6,1994.

10. Advanced Light Water Reactor Utility Requirements Document, Volume II "ALWR

, Evolutionary Plant", Chapter 1, Appendix A, PRA Key Assumptions and Groundrules i (KAG), prepared for EPRI, Rev. 3,11/91.

11. 14tter Zwolinski, J. A. (NRC) to Vandewalle, D. J., Re: Emergency Diesel Generator-l Limiting Condition for Operation, LS05-85-06-006, June 5,1985 e

1

1 4

I i

. l

+

l 1

I ATTACHMENT A

" Mark-up" of NUREG-1432 SECTIONS 3.8.1 & B 3.8.1 i

l A-1 i

l :

AC Sources-Operating 3.8.1

[-

4 .

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME A. (continued) A.3 Restore [ required] 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months offsite circuit to OPERABLE status.- AND days from i

discovery of failure to meet LCO B. ---------NOTE--------- B.1 Perform SR 3.8.1.1 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months

Required Action B.3.1 for the OPERABLE

^

or B.3.2 shall be [ required] offsite AND

completed if this circuit (s).

. Condition is entered. Once per 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months j ---------------------- thereafter One [ required] DG AND j inoperable.

B.2 Declare required 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months from i

feature (s) supported discovery of 1 .,

by the inoperable OG Condition B inoperable when its concurrent with !

i redundant required inoperability of ,

, feature (s)is redundant i

inoperable. required feature (s) )

AND 4

i. B.3.1 Detennine OPERABLE [24] hours ;

DG(s)isnot

inoperable due to i common cause failure.

9E B.3.2 Perfonn SR 3.8.1.2 [24] hours

for OPERABLE DG(s). l AND i i (continued) !

l CEOG STS 3.8-2 Rev. O, 09/28/92

AC Sources-Operating 3.8.1 .' .

ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME I

\

B. (continued) B.4 Restore [ required] DG to OPERABLE status.

AND 75 days from discovery of failure to meet LCO C. Two [ required] offsite C.1 Declare required 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months from circuits inoperable. feature (s) inoperable discovery of when its redundant Condition C required feature (s) concurrent with is inoperable. inoperability of redundant required feature (s)

AND C.2 Restore one 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months

[ required) offsite circuit to OPERABLE status.

(continued)

CEOG STS 3.8-3 Rev. O,09/28/92

t 9 i

4 INSERT A NOTE On a once-per-refueling cycle frequency, the Completion Time for REQUIRED ACTION B.4 can be extended to "10 days AND 10 days from discovery of failure to meet LCO."

4 4

I 4

4 i

}

2

AC Sources-Operating B 3.8.1 BASES ACTIONS A.3 (continued) during any . single contiguous occurrence of failing to meet the LCO. If Condition A is entered while, for instance, a l

DG is inoperable, and that DG is subsequently returned ClO I

OPERABLE, the LCO may already have been not met for up to 5

~7da. . ..Z7 initiali-M This could failure to meetlead thetoLCO, a total to of llD>houfs7 restore since the offsite '

circuit. At this time, a DG could again become inoperable, the circuit restored OPERABLE, and an additional W _

for a total oOKdays) allowed prior to complete r(estoration of'the LCO. The%dayCompletionTimeprovides Op a limit on the time allowed in'a specified condition af ter discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between the 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and X day Completion Time means that both O10 Lompletion Times Time restrictive Completion apply simultaneously, must be met. and the more As in Required Action A.2, the Completion Time allows for an exception to the normal " time zero" for beginning the allowed outage time " clock." This will result in establishing the " time zero" at the time that the LCO was

'iriitially not met, instead of at the time Condition A was

- entered.

B.1 To ensure a highly reliable power source remains with an inoperable DG, it is necessary to verify the availability of the offsite circuits on a more frequent basis. Since the Required Action only specifies "perforn," a failure of SR 3.8.1.1 acceptance criteria does not result in a Required o Action being not met. However, if a circuit fails to pass SR 3.8.1.1, it is inoperable. Upon offsite circuit inoperability, additional Conditions and Required Actions must then be entered.

B.2 Required Action B.2 is intended to provide assurance that a loss of offsite power, during the period that. a DG is inoperable, does not result in a complete loss of safety (continued)

CEOG STS B 3.8-7 Rev. O,09/28/92

i .

AC Sources-Operating B 3.8.1 i

BASES

ACTIONS B.3.1 and B.3.2 ;

(continued)

The Note in Condition B requires that Required Action B.3.1' or B.3.2 must be completed if Condition B is entered. The

~

intent is that all DG inoperabilities must be investigated for common cause failures regardless of how long the DG inoperability persists.

Required Action B.3.1 provides an allowance to avoid unnecessary testing of OPERABLE DGs. If it can be i detemined that the cause of the inoperable DG does not

exist on the OPERABLE DG, SR 3.8.1.2 does not have to be

) performed. If the cause of inoperability exists on other DG(s), the other DG(s) would be declared inoperable upon

! discovery and Condition E of LCO 3.8.1 would be entered.

! Once the failure is repaired, the common cause failure no j longer exists and Required Action B.3.1 is satisfied. If 1 the cause of the initial inoperable DG cannot be confimed

.not to exist on the remaining DG(s), perfomance of

SR 3.8.1.2 suffices to provide assurance of continued OPERABILITY of that DG.

According to Generic Letter 84-15 (Ref. 7), [24] hours is i

reasonable to confirm that the OPERABLE DG(s) is not l 'affected by the same problem as the inoperable DG.

4 B.4 According to ; -

1O N-:

2 ., __ 1.% W'. G); operation may continue in Condition B for a period that should not exceed

])J$c 4

g I'n Condition B, the remaining OPERABLE DG and offsite circuits are adequate to supp'y electrical power ,to the 7 onsite Class 1E Distribution System. The2>heGet.ompletion Time takes into account the capacity and capability of the 4

remaining AC sources, a reasonable time for repairs, and the low probability of a DBA occurring during this period.

i The second Completion Time for Required Action B.4 establishes a limit on the maximum time allowed for any l

combination of required AC power sources to be inoperable during any single contiguous occurrence of failing to meet the LCO. If Condition B is entered while, for instance, an !

offsite circuit is inoperable and that circuit is (continued)

CEOG STS B 3.8-9 Rev. O, 09/28/92 1

4 a

INSERT AA Additionally, Reference 14 states that operation may continue in Condition B for a maximum continuous period of 10 days on a once per refueling cycle frequency.

Reference 14 provides a series of deterministic and probabilistic justifications for the Completion Times corresponding to the periods in which continued power operations are allowed with Condition B.

e

wa.a-m,-, ___a

I

~

AC Sources-Operating i B 3.8.1 f

. i BASES ACTIONS B.4 (continued) subseq;2ntly returned OPERABLE, the LCO may already have been not met for up to 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . This could lead to a total m10 -ime, oL.Isa.ix :c, since initial failure to meet the LCO, to restore the OG. At this time, an offsite circuit could again become inoperable, the DG restor,ed OPERABLE. and an additional 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (for a total ofMays) allowed prior to complete restoration of the LCO. The 7 Aav Completion Time provides a limit on time allowed in a specified condition 10 after discovery of failure to meet the LCO. This limit is considered reasonable for situations in which Conditions A and B are entered concurrently. The "AND" connector between ay Completion Times means that both Q -

the WandTimes conpletion M'pply a simultaneously, ano tne more -j 7 restrictive Completion Time must be met.

As in Required Action B.2, the Completion Time allows for an exception to the normal " time zero" for beginning the allowed time " clock." This will result in establishing the !

"t.ime zero" at the time that the LCO was initially not met, l i

instead of at the time Condition B was entered.

C.1 and C.2 Required Action C.1, which applies when two offsite circuits are inoperable, is intended to provide assurance that an event with a coincident single failure will not result in a complete loss of redundant required safety functions. The Completion Time for this failure of redundant required features is reduced to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months from that allowed for one train without offsite power (Required Action A.2). The rationale for the reduction to 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is that Regulatory Guide 1.93 (Ref. 6) allows a Completion Time of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months for two required offsite circuits inoperable, based upon the assumption that two complete safety trains are OPERABLE.

When a concurrent redundant required feature failure exists, this assumption is not the case, and a shorter Completion Time of 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months is appropriate. These features are powered from redundant AC safety trains. This includes motor driven auxiliary feedwater pumps. Single train features, such as turbine driven auxiliary pumps, are not included in the list. ,

(continued) ;

B 3.8-10 Rev. O, 09/28/92 CEOG 55 l

l

i AC Sources-Operatina %

B 3.8.1 _

.~

BASES .

1 i

REFERENCES 3. Regulatory Guide 1.9, Rev. [3], [date] .

(continued)

4. FSAR, Chapter [6] .

l

5. FSAR, Chapter [15] .

6. Regulatory Guide 1.93, Rev. [ ], [date] .

7. Generic Letter 84-15.

8. 10 CFR 50, Appendix A, GDC 18.

9. Regulatory Guide 1.108, Rev. [1], [ August 1977] .

10. Regulatory Guide 1.137, Rev. [ ], [date] .

11. ANSI C84.1-1982.

12. ASME, Boiler and Pressure Vessel Code Section XI.

13. IEEE Standard 308-[1978].

ASE >

J 4

i e

i 4

CEOG STS B 3.8-33 Rev. O, 09/28/92

a ,-

d INSERT AB 1

14. CE NPSD-996, "CEOG Joint Applications Report for Emergency Diesel j Generator AOT Extension," April 1995 ,

a J

i 4

s u

5 i

E a

1 b

a I

s 2

e e v..

i h

i 4

I i

r 1

1

=

}

I l'

1 i.

N 5

4

1 l

Changes to EDG Joint Applications Report

1. Page 18, 6.3.2 Assessment of "At Power" Risk, Methodology: first paragraph: after the second sentence ("He evaluation of the "at power" risk increment resulting from the extended EDG AOT was evaluated on a plant specific basis using the most current individual plant's Probabilistic Safety Analysis (PS A) model for their respective baselines.") the following sentence should have been inserted which reads:

For consistency in comparison of results, Core Damage Frequencies (CDFs) presented represent internal events only, excluding internal floods.

2. Page 19, Increase in Core Damage Frequency definition: The terms "always available", and

" perfect" should be "not out for Test or Maintenance (T/M)". Definition should read:

Increase in Con Damage Frequency (ACDE): The increase in CDF represents the difference

' between the CCDF evaluated for one train of equipment unavailable minus the CCDF evaluated l

for one train of equipment not out for test or maintenance fr/M). For the EDGs:

l ACDF = Conditional CDFo ,,c,,,,- Conditional CDF,,,a .,,,, l where CDF = Core Damage Frequency (per year) ,

l

3. Page 19, A paragraph should have been inserted at the end of the Methodology subsection and prior to the Calculation of Conditional CDF, Single and Yearly AOTRisk Contributions subsection that reads:

The methodology used to calculate the above risk measures is presented below. For plants with PSAs that were quantified using RISKMAN methodology, equivalent steps were taken to meet the intent of the methodology presented below.

4. Page 20: Second to the last paragraph, first sentence: De word "never" should have been "not".

l-l ne sentence should read: He Conditional CDF given 1 EDG is not out for test or maintenance was obtained by setting the basic event probability for the failure mode for an EDG equal to 0.0, and requantifying the PSA cutsets.

5. Page 23, Last Paragraph, fifth line, the baseline CDF value should be 1.54E-05 per year rather than 1.54E 06 per year.

6. Pages 24 - 26, Tables 6.3.2-1 through 6.3.2-3 should be replaced by attached pages. His corrects a numerical value (Table 6.3.2-1, page 24, Waterford 3 Single AOT Risk, Proposed,10 day should be 3.86E-06 rather than 1.55E 06) as well as typographical errors.

7. Page 26, Last Footnote should refer to page 23 not page 25.

8. Page 31, Results, first sentence: " Table 6.3.5-1" should be " Table 6.3.4.1-1".

9. Page 32, "At Power" Risk Assessment, Last Paragraph, first sentence: " Table 6.3.4-1" should be

" Table 6.3.4.2-1".

10. Page 33, Shutdown Risk Assessment, Last Sentence: " Table 6.3.4-2" should be " Table 6.3.4.2-2".

11. Page 35, First Paragraph, first sentence: " Table 6.3.4-2" should be " Table 6.3.4.2-2".

_ _ _ _ - _ _ _ -

ML20091L156

Contents

Text

3.0 BACKGROUND

SUMMARY

SUMMARY

10.0 REFERENCES

SUMMARY

SUMMARY

3.0 BACKGROUND

SUMMARY

SUMMARY

SUMMARY

SUMMARY

10.0 REFERENCES

Subject:

Navigation menu

ML20091L156

Text

3.0 BACKGROUND

SUMMARY

SUMMARY

10.0 REFERENCES

SUMMARY

SUMMARY

3.0 BACKGROUND

SUMMARY

SUMMARY

SUMMARY

SUMMARY

10.0 REFERENCES

Subject:

Navigation menu

Search