ML20094H331
| ML20094H331 | |
| Person / Time | |
|---|---|
| Site: | Millstone  |
| Issue date: | 11/03/1995 |
| From: | NORTHEAST NUCLEAR ENERGY CO. |
| To: | |
| Shared Package | |
| ML20094H322 | List: |
| References | |
| NUDOCS 9511140125 | |
| Download: ML20094H331 (15) | |
Text
- - . - . ,- .. .-- -. ..
February 14, 1992 1.NQE1 l
tIHTTING CONDITIONS FOR OPERATION AND SURVElllANCE RE0VIREMENTS j SECTION
.PAEE i 3/4.4.2 SAFETY VALVES .................................. 3/4 4-2 3 6.4.3 RELIEF VALVES .................................. 3/4 4-3 3/4.4.4 PRESSURIZER .................................... 3/4 4-4 i 3/4.4.5 STEAM GENERATORS ............................... 3/4 4-5 3/4.4.6 REACTOR COOLANT SYSTEM LEAKAGE ................. 3/4 4-8 Leakage Detection Systems ...................... 3/4 4-8 ,
Re actor Cool ant System Leakage . . . . . . . . . . . . . . . . . 3/4 4-9 i
3/4.4.7 CHEMISTRY ...................................... 3/4 4-10 3/4.4.8 SPECIFIC ACTIVITY .............................. 3/4 4-13
{
3/4.4.9 PRESSURE / TEMPERATURE LIMITS .................... 3/4 4-17 '
Re actor Cool ant System . . . . . . . . . . . . . . . . . . . . . . . . . 3/4 4-17 i Pressurizer .................................... 3/4 4-21 Overpressure Protection Systems ................ 3/4 4-21a 3/4.4.10 STRUCTURAL INTEGRITY ........................... 3/4 4-22 3/4.4.11 REACTOR COOLANT SYSTEM VENTS ................... 3/4 4-23 3/4.5 EMERGENCY CODE COOLING SYSTEW.S (ECCS) 3/4.5.1 SAFETY INJECTION TANK ........ ................ 3/4 5-1 3/4.5.2 ECCS X"?c T a - T avg - 7 N4 ................. 3/4 5-3 3/4.5.3 ECCS SUBSYSTEMS - T,yg < 300*F ................. 3/4 5-7 3/4 5.4 REFUELING WATER STORAGE TANK ................... 3/4 5 8 9511140125 951103 PDR ADDCK 05000336 P PDR MfLLSTONE - UNIT 2 VI Amendment No. JE, 72, JE,4 ~53 mt o> 14
A .J_... - . . a_s-+ ._ 4 - - - = r-._.i _. A 4 4 l
i l
i February 15,1995 IllDI.X BASES l l
1 SECTION A E.A_GE l l
3/4.4 REACTOR COOLANT SYSTEM I 3/4.4.1 COOLANT LOOPS AND COOLANT CIRCULATION . . . . . . . . . B 3/4 4-1 !
3/4.4.2 SAFETY VALVES ....... ............. B 3/4 4-1 3/4.4.3 RELIEF VALVES . . . . . . . . . . . . . . . . . . . . . B 3/4 4-2 3/4.4.4 PRESSURIZER ........ ............. B 3/4 4-2a I 3/4.4.5 STEAM GENERATORS ...... ............. B 3/4 4-2a 3/4.4.6 REACTOR COOLANT SYSTEM LEAKAGE ............ B 3/4 4-3 3/4.4.7 CHEMISTRY . . ....... ............. B 3/4 4-4 3/4.4.8 SPECIFIC ACTIVITY . . . . . . . . . . . . . . . . . . . B 3/4 4-4 ;
3/4.4.9 PRESSURE / TEMPERATURE LIMITS . . . . . . . . . . . . . . B 3/4 4-5 3/4.4.10 STRUCTURh INTEGRITY . . ............... B 3/4 4-7 j 3/4.4.11 REACTOR COOLANT SYSTEM VENTS ............. B 3/4 4-8 3/4.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) 3/4.5.1 SAFETY INJECTION TANKS . ...............
. B 3/4 5-1 3/4.5.2 and 3/4.5.3 ECCS SUBSYSTO;; TP^!U.S . . . . . . . ..... B 3/4 5-1 3/4.5.4 REFUELING WATER STORAGE TANK (RWST) . . . . ..... B 3/4 5 @ I 1
3/4.6 CONTAINMENT SYSTEMS 3/4.6.1 PRIMARY CONTAINMENT . . . . . . . . . . . . . . . . . . B 3/4 6-1 3/4.6.2 DEPRESSURIZATION AND COOLING SYSTEMS . . . . ..... B 3/4 6-3 3/4.6.3 CONTAINMENT ISOLATION VALVES ............. B 3/4 6-3 3/4.6.4 COMBUSTIBLE GAS CONTROL . . . . . . . . . . . . . . . . B 3/4 6-4 3/4.6.5 SECONDARY CONTAINMENT . . . . . . . . . . . . . . . . . 'B 3/4 6-5 MILLSTONE - UNIT 2 XII Amendment No. JJ, JJ, 77, JJJ, JJJ,185 012G-fi.9 )-l
l l
.May 12, 1979 j g...
s EMERGENCY CORE COOLING SYSTEMS l -yn.d e j ECCS StfBSYSitMS - T,,, t 300*F 5
LIMITING CONDITION FOR OPERATION l, -
i
-tea m 3.5.2 Two separate and independent ECCS 4eboyotems shall be OPERABLE l
! with each p te,ets comprised of: .
h-i a. One OPERABLE high-pressure safety injection pump.
- b. One OPERABLE low-pressum safety injection pump.
i c. A separate and independent OPERABLE flow path capable of taking suction from the refueling water storage tank on a l safety injection actuation signal and automatically trans-i ferring suction to the containment sump on a sump recircu-j lation actuation signal, and a
- d. One OPERABLE charging pump with a separate and independent #f OPERABLE flow path from an OPERABLE Boric Acid Storage Tank via either an OPERABLE Boric Acid Pump or a gravity feed connection. ., g C a , b Q ,,,,
mt.4., .o .oasuste t PSI. wasvmn ecmkr A D APPLICABILITY: MODES 1, 2 and 3*. s a u n n , a ranatt , w o u.s r s es M = --
g;,
With one ECCS . Leiets inoperable? =:t:= th: =:;:r:::P " 'a "
iu*****#
b y.
sub:y:t:- t: ^^E"f*' E :t:t : ::ithir. '" h== ;r 5: ir "" WW **
SE" XTA dthin th: n=t 12 h==. utmo n Les y
d, g. In the event the ECCS is actuated and injects water into ttie
/ Reactor Coolant System, a Special Report shall be prepared and submitted to the Comission pursuant to Specification 6.9.2 within 90 days describing the circumstances of the actuation and the total accumulated actuation cycles to date'.
e With pressurizer pressure t 1750 psia. _ r l r
C.. LAMA rt%AOe0, ACitCMS a. oc k aA cSscNwArc0 cweU5n .
h m o+ + w.+ 69 Wer %G 12. tm [
MILLSTONE - UNIT 2 3/4 5-3
3/4.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) June 16,1992 BASES
( 3/4.5.1 SAFETY INJECTION TANKS l The OPERABILITY of each of the RCS safety injection tanks ensures that a sufficient volume of borated water will be immediately forced into the reactor core through each of the cold legs in the event the RCS pressure falls below l i
the pressure of the safety injection tanks. This initial surge of water into the core provides the initial cooling mechanism during large RCS pipe ruptures.
The limits on safety injection tank volume, boron concentration and pressure ensure that the assumptions used for safety injection tank injection in the accident analysis are met. ;
The limit of one hour for operation with an inoperable safety injection tank minimizes the time exposure of the plant to a LOCA event occurring concurrent with failure of an additional safety injection tank which may result in unacceptable peak cladding temperatures. j m es .
3/4.5.2 and 3/4.5.3 ECCS SU0SYST =3 g b, s TheOPERABILITYoftwoseparateandind/pe ent ECCS 52;ysts. ; ensures that sufficient emergency core cooling capabi'ity will be available in the event of a LOCA assuming the loss of one M Jt= through any single failure ,
I consideration. Either operating in conjunction with the safety injection tanks is capable of supplying sufficient core cooling to limit the peak cladding temperatures within acceptable limits for all postulated break sizes ranging from the dou sie ended break of the largest RCS cold leg pipe downward.
+w The trisodium phosphate dodecahydrate (TSP) stored in dissolving baskets located in the containment basement is provided to minimize the possibility of corrosion cracking of certain metal components during operation of the ECCS following a LOCA. The TSP provides this protection by dissolving in the sump water and causing its final pH to be raised to 2 7.0. This determination l assumes the RCS, the SI tanks. mad the RWtT P Tt a mavimum horon i
concentratina of 2400 poaL The requirement to dissolve a reprewntative ;
.ampie of ISP in a sample of RWST water provides assurance that the stored TSP will dissolve in borated water at the postulated-post LOCA temperatures. The ECCS leak rate surveillance requirements assure that the leakage rates assumed for the system outside containment during the recirculation phase will not be exceeded.
[ The Surveillance Requirements provided to ensure OPERABILITY of each component ensures that at a minimum, the assumptions used in the accident analyses are L
met and that subsystem OPERABILITY is maintained. The purpose of the HPSI and LPSI pumps differential pressure test on recirculation ensures that the have not degraded to a point where the accident analysis would be l i
pump adverse (s)ly impacted.The actual inputs into the safety analysis for HPSI and pumps differential pressure (discharge-suction) when running on LPSI recirculation are 1209 and 150 psi, respectively. The acceptance criteria in I the Technical Specifications were adjusted upward to account for instrument uncertainties and drift.
MILLSTONE - UNIT 2 B 3/4 5-1 AmendmentNo.k,((,159 9933
QERT -
l The bases for ACTIONS a. and b. are as follow:
If conditions are such that only a single ECCS train is inoperable due to F
the inoperability of the corresponding LPSI subtrain, then the inoperable -- - 1 i LPSI subtrain components must be returned to OPERABLE status within L . ._- 7 days.. This 7 day completion time is based on the findings of the
- deterministic and probabilistic analysis that are discussed in i Reference 5. Seven days is a reasonable amount of time to perform
~ ~ ' many corrective and preventative maintenance items on the affected LPSI l subtrain, and the risk impact of a 7 day completion time is neglegible.
i If an ECCS train is inoperable due to causes other than the sole l - - - inoperability of the corresponding LPSI subtrain, then the inoperable components must be returned to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />.
l An ECCS train is inoperable if it is not capable of delivering the design ,
flow to the RCS. The individual components are inoperable if they are i not capable of perfoming their design function, or if supporting systems !
are not available. j The LC0 requires the OPERABILITY of a number of independent subsystems. l Due to the redundancy of trains and the diversity of subsysteins, the ;
inoperability of one component in a train does not render the ECCS incapable of performing its function. .
The condition associated with ACTION a. addresses the specific condition !
- where the only affected ECCS component is a single LPSI subsystem. The l availability of at least 100% of the ECCS flow equivalent to a single '
OPERABLE ECCS train in this case is assumed as a result of the ;
availability of other subsystems in the ECCS train. !
)
The condition associated with ACTION b. addresses other scenarios where the full requirements of LCO 3.5.2 are not met. For this case, inoperable components must be restored within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />.
The bases for ACTION c. are as follow:
If the inoperable train cannot be restored to OPERABLE status within the associated completion time, the plant must be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 9 within Mours. -
. The allowed completion times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems.
- wi m. + w w w.-eng ee e ee y . ,
___m-*
February 15,1995 EMERGENCY CORE COOLING SYSTEMS BASES l
The purpose of the ECCS throttle valve surveillance requirements is to provide assurance that proper ECCS flows will be maintained .in the event of a LOCA.
Naintenance of proper flow resistance and pressure drop in the piping system to each injection point is necessary to: (1) prevent total pump flow from exceeding runout conditions when the system is in its minimum resistance configuration, (2) provide the proper flow split between injection points in accordance with the assumptions used in the ECCS-LOCA analyses, and (3) provide an acceptable level of total ECCS flow to all injection points equal to or above that assumed in the ECCS-LOCA analyses.
Only one HPSI pump may be OPERABLE in MODE 4 with RCS temperatures less than or equal to 275'F due to the restricted relief capacity with Low-Temperature Overpressure Protection System. To reduce shutdown risk by having additional pumping capacity readily available, a HPSI pump may be made inoperable but available at short notice by shutting its discharge valve with the key lock on the control panel.
3/4.5.4 REFUELING WATER STORAGE TANK (RWST)
The OPERABILITY of the RWST as part of the ECCS ensures that a sufficient supply of borated water is available for injection by the ECCS in the event of
' g a LOCA. The limits on RWST minimum volume and boron concentration ensure that
- 1) sufficient water is available within containment to permit recirculation D cooling flow to the core, and 2) the reactor will remain suberitical in the cold condition following mixing of the RWST and the RCS water volumes with all control rods inserted except for the most reactive control assembly. These assumptions are consistent with the LOCA analyses.
MILLSTONE - UNIT 2 8 3/4 6-2 Amendment No. g , JM ,185 esse
I
- ~
- - . .. .. .. .-. . W . . - . . . - .
REFERENCES
- 2. 10 CFR 50.46.
~'~
- 3. FSAR, Chapter 6.
- 4. IE Information Notice No. 87-01, January 6, 1987.
- 5. CE NPSD-1995, "
CE0G Joint Applications Report for Low Pressure Safety Injection System A0T Extension, M / 1995.
- o. *
~ + w . -
.-+ .-eew.e+ -=e w-w,- m- .e e -+-wwe *-weM " * * " N^**""-
-.ee* . . . m ... . ,, .i 4 . e-- . *e - ***
- .s. ww., m , w e . ee- er es-- *- -
- we
~
l l
1 l
l r.,g -m
Docket No. 50-336 B15335 P
Attachment 4 Millstone Nuclear Power Station, Unit No. 2 Retyped Fages i i
l i
)
l l
l l
i l
1 November 1995 l
1 l
._ _ _ . _ . -_~ _ . _ ._... ._. - . . _ _ _ . _.._. __
._____....__...___y 1
llEEE LIMITING COM ITIONS FOR OPERATION A M SURVEILLANCE REQUIREMENTS
- SECTION PAGE
) 3/4.4.2 SAFETY VALVES . . . . . . . . . . . . . . . . . . . . . 3/4 4-2 3/4.4.3 RELIEF VALVES . . . . . . . . . . . . . . . . . . . . . 3/4 4-3
- 3/4.4.4 PRESSURIZER . . . . . . . . . . . . . . . . . . . . . . 3/4 4-4
- 3/4.4.5 STEAM GENERATORS . . . . . . . . . . . . . . . . . . . 3/4 4-5 i 3/4.4.6 REACTOR COOLANT SYSTEM LEAXAGE . . . . . . . . . . . . 3/4 4-8 i Leakage Detection Systems . . . . . . . . . . . . . . 3/4 4-8 Reactor Coolant System Leakage . . . . . . . . . . . . 3/4 4-9 3/4.4.7 CH EM I STRY . . . . . . . . . . . . . . . . . . . . . . . 3/4 4 - 10 3/4.4.8 SPECIFIC ACTIVITY . . . . . . . . . . . . . . . . . . . 3/4 4-13 3/4.4.9 PRESSURE / TEMPERATURE LIMITS . . . . . . . . . . . . . 3/4 4 - 17 Reactor Coolant System . . . . . . . . . . . . . . . . 3/4 4 - 17 Pressurizer . . . . . . . . . . . . . . . . . . . . . 3/4 4 - 21 Overpressure Protection Systems. . . . . . . . . . . . 3/4 4-21a 3/4.4.10 STRUCTURAL INTEGRITY . . . . . . . . . . . . . . . . . 3/4 4 - 2 2 3/4.4.11 REACTOR COOLANT SYSTEM VENTS . . . . . . . . . . . . . 3/4 4 - 23 3/4.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) 3/4.5.1 SAFETY INJECTION TANKS . . . . . . . . . . . . . . . . 3/4 5-1 3/4.5.2 ECCS TRAINS - T., 1 300*F . . . . . . . . . . . . . . 3/4 5-3 3/4.5.3 ECCS SUBSYSTEMS - T ,< 300*F . . . . . . . . . . . . 3/4 5-7 3/4 5.4 REFUELING WATER STORAGE TANK . . . . . . . . . . . . . 3/4 5-8 !
MILLSTONE - UNIT 2 VI Amendment No. JJ 77. JJJ, JJJ, 0226
l IIREX BASES SECTION PA(iE 3/4.4 REACTOR COOLANT SYSTEM !
i l
3/4.4.1 COOLANT LOOPS AND COOLANT CIRCULATION . . . . . . . . . B 3/4 4-1 3/4.4.2 SAFETY VALVES .................... B3/44-1 3/4.4.3 RELIEF VALVES . . . . . . . . . . . . . . . . . . . . . B 3/4 4-2 3/4.4.4 PRESSURIZER ..................... B 3/4 4-2a
~
3/4.4.5 STEAM GENERATORS ................... B3/4'4-2a 1 3/4.4.6 REACTOR COOLANT SYSTEM LEAKAGE ............ B 3/4 4-3 3/4.4.7 CHEMISTRY ...................... B 3/4 4-4 3/4.4.8 SPECIFIC ACTIVITY . . . . . . . . . . . . . . . . . . . B 3/4 4-4 3/4.4.9 PRESSURE / TEMPERATURE LIMITS . . . . . . . . . . . . . . B 3/4 4-5 3/4.4.10 STRUCTURAL INTEGRITY ,................
B3/44-7 3/4.4.11 REACTOR COOLANT SYSTEM VENTS ............. B 3/4 4-8 3/4.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) 3/4.5.1 SAFETY INJECTION TANKS ................ B 3/4 5-1 3/4.5.2 and 3/4.5.3 ECCS TRAINS ................. B 3/4 5-1 3/4.5.4 REFUELING WATER STORAGE TANK (RWST) ......... B 3/4 5-4 3/4.6 CONTAINMENT SYSTEMS 3/4.6.1 PRIMARY CONTAINMENT . . . . . . . . . . . . . . . . . . B 3/4 6-1 3/4.6.2 DEPRESSURIZATION AND COOLING SYSTEMS ......... B 3/4 6-3 3/4.6.3 CONTAINMENT ISOLATION VALVES ............. B 3/4 6-3 i 3/4.6.4 COMBUSTIBLE GAS CONTROL . . . . . . . . . . . . . . . B 3/4 6-4 !
3/4.6.5 SECONDARY CONTAINMENT . . . . . . . . . . . . . . . . . B 3/4 6-5 MILLSTONE - UNIT 2 XII Amendment No. JJ JJ, 77, 777. JJJ.
nat 177,
-- - _ _ _ .~- - - - - -- - _ . - . - . - - - - - - . - - .- _ _
3/4.5 ENERGENCY CORE C0OLING SYSTEMS (ECCS1 BASES 3/4.5.1 SAFETY INJECTION TANKS The OPERABILITY of each of the RCS safety injection tanks ensures that a sufficient volume of borated water will be immediately forced into the reactor core through each of the cold legs in the event the RCS pressure falls below the pressure of the safety injection tanks. This initial surge of water into the core provides the initial cooling mechanism during large RCS pipe ruptures.
The limits on safety injection tank volume, boron concentration and pressure t
ensure that the assumptions used for safety injection tank injection in the accident analysis are met.
The limit of one hour for operation with an inoperable safety injection tank minimizes the time exposure of the plant to a LOCA event occurring concurrent with failure of an additional safety injection tank which may result in unacceptable peak cladding temperatures.
3/4.5.2 and 3/4.5.3 ECCS TRAINS The OPERABILITY of two separate and independent ECCS trains ensures that sufficient emergency core cooling capability will be available in the event of a LOCA assuming the loss of one train through any single failure consideration. Either train operating in conjunction with the safety injection tanks is capable of supplying sufficient core cooling ta limit the peak cladding temperatures within acceptable limits for all postulated break sizes ranging from the double ended break of the largest RCS cold leg pipe downward.
The trisodium phosphate dodecahydrate (TSP) stored in dissolving baskets located in the containment basement is provided to minimize the possibility of corrosion cracking of certain metal components during operation of the ECCS following a LOCA. The TSP provides this protection by dissolving in the sump water and causing its final pH to be raised to 2 7.0. This determination assumes the RCS, the SI tanks, and the RWST are at a maximum boron j concentration of 2400 ppe. The requirement to dissolve a representative sample of TSP in a sample of RWST water provides assurance that the stored TSP will dissolve in borated water at the postulated-post LOCA temperatures. The .
ECCS leak rate surveillance requirements assure that the leakage rates assumed !
for the system outside containment during the recirculation phase will not be exceeded.
The bases for ACTIONS a. and b. are as follow:
If conditions are such that only a single ECCS train is inoperable due to the inoperability of the corresponding LPSI subtrain, then the inoperable LPSI subtrain components must be returned to OPERABLE status within 7 days. This 7 day completion time is based on the findings of the deterministic and probabilistic analysis that are discussed in Reference 5. Seven days is a reasonable amount of time to perform NILLSTONE - UNIT 2 B 3/4 5-1 Amendment No. 77, 0184
l ENERGENCY CORE C0OLING SYSTENS l
ECCS TRAINS - T.,, 1 300*F l
LINITING CONDITION FOR OPERATION 3.5.2 Two separate and independent ECCS trains shall be OPERABLE with each train comprised of:
- a. One OPERABLE high-pressure safety injection pump, 1
- b. One OPERABLE low-pressure safety injection pump,
- c. A separate and independent OPERABLE flow path capable of taking suction from the refueling water storage tank on a safety injection actuation signal and automatically trans-ferring suction to the containment sump on a sump recircu-lation actuation signal, and
- d. One OPERABLE charging pump with a separate and independent OPERABLE flow path from an OPERABLE Boric Acid Storage Tank via either an OPERABLE Boric Acid Pump or a gravity feed connection.
APPLICABILITY: N0 DES 1, 2 and 3*.
ACTION:
P. With one ECCS train inoperable due only to an inoperable LPSI subsystem, restore subsystem to OPERABLE status within 7 days.
- b. With one ECCS train inoperable due to other than an inoperable LPSI subsystem restore the inoperable train to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />.
- c. With required ACTIONS a. or b. and associated completion times not met be in N0DE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />.
- d. In the event the ECCS is actuated and injects water into the Reactor Coolant System, a Special Report shall be prepared and submitted to the Commission pursuant to Specification 6.9.2 within 90 days describing the circumstances of the actuation i and the total accumulated actuation cycles to date.
- With pressurizer pressure 1 1750 psia.
NILLSTONE - UNIT 2 3/4 5-3 Amendment No. 57, 0186
EMERGENCY CORE C0OLING SYSTEMS (ECCS) l l
BASES (cont'd.) l l
many corrective and preventative maintenance items on the affected LPSI )
subtrain, and the risk impact of a 7 day completion time is neglegible. l If an ECCS train is inoperable due to causes other than the sole inoperability of the corresponding LPSI subtrain, then the inoperable' ;
components must be returned to OPERABLE status within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />.
An ECCS train is inoperable.if it is not capable of delivering the design flow to the RCS. The individual components are inoperable if they are i not capable of performing their design function, or if supporting systems are not available.
The LC0 requires the OPERABILITY of a number of independent subsystems. !
Due to the redundancy of trains and the diversity of subsystems, the inoperability of one component in a train does not render the ECCS incapable of performing its function.
The condition associated with ACTION a. addresses the specific condition where the only affected ECCS component is a single LPSI subsystem. The availability of at least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train in this case is assumed as a result of the availability of other subsystems in the ECCS train. ;
1 The condition associated with ACTION b. addresses other scenarios where I the full requirements of LC0 3.5.2 are not met. For this case, inoperable components must be restored within 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />.
The bases for ACTION c. are as follow:
If the inoperable train cannot be restored to OPERABLE status within the associated completion time, the plant must be brought to a MODE in which the LC0 does not apply. To achieve this status, the plant must be brought to at least MODE 4 within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed completion times are reasonable, based on operating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems.
i The Surveillance Requirements provided to ensure OPERABILITY of each component l ensures that at a minimum, the assumptions used in the accident analyses are i met and that subsystem OPERABILITY is maintained. The purpose of the HPSI and LPSI pumps differential pressure test on recirculation ensures that the ,
pump (s) have not degraded to a point where the accident ' analysis would be j adversely. impacted. The actual inputs into the safety analysis for HPSI and l LPSI pumps differential pressure (discharge-suction) when running on !
recirculation are 1209 and 150 psi, respectively. The acceptance criteria in the Technical Specifications were adjusted upward to account for instrument ;
uncertainties and drift. l MIgLSTONE-UNIT 2 B 3/4 5-2 Amendment No. JJ, J77
,, =r,.- - . _ _ , _
. _ , - _ , - -.~
EMERGENCY CORE C0OLING SYSTEMS (ECCS)
]
BASES (cont'd.)
The purpose of the ECCS throttle valve surveillance requirements is to provide assurance that proper ECCS flows will be maintained in the event of a LOCA.
Maintenance of proper flow resistance and pressure drop in the piping system to each injection point is necessary to: (1) prevent total pump flow from exceeding runout conditions when the system is in its minimum resistance configuration,(2) provide the proper flow split between injection points in accordance with the assumptions used in the ECCS-LOCA analyses, and (3) provide an acceptable level of total ECCS flow to all injection points equal to or above that assumed in the ECCS-LOCA analyses.
Only one HPSI pump may be OPERABLE in MODE 4 with RCS temperatures less than or equal to 275'F due to the restricted relief capacity with Low-Temperature Overpressure Protection System. To reduce shutdown risk by having additional pumping capacity readily available, a HPSI pump may be made inoperable but available at short notice by shutting-its discharge valve with the key lock on the control panel.
REFERENCES
- 2. 10 CFR 50.46.
- 3. FSAR, Chapter 6.
- 4. IE Information Notice No. 87-01, January 6, 1987.
- 5. CE NPSD-1995, "CE0G Joint Applications Report for Low Pressure Safety Injection System A0T Extension," May 1995.
3/4.5.4 REFUELING WATER STORAGE TANK (RWST)
The OPERABILITY of the RWST as part of the ECCS ensures that a sufficient supply of borated water is available for injection by the ECCS in the event of a LOCA. The limits on RWST minimum volume and boron concentration ensure that
- 1) sufficient water is available within containment to permit recirculation cooling flow to the core, and 2) the reactor will remain subcritical in the cold condition following mixing of the RWST and the RCS water volumes with all control rods inserted except for the most reactive control assembly. These assumptions are consistent with the LOCA analyses.
{
NILLSTONE - UNIT 2 B 3/4 5-3 Amendment No. (p, 17),
0188
i l
i Docket No. 50-336 B15335 l Attachment 5 Millstone Nuclear Power Station, Unit No. 2 Low Pressure Safety Injection System AOT Extension ,
t 1
I l
l
)
l l
November 1995
- a. m hn COMBUSTION ENGINEERING OWNERS GROUP CE NPSD-995 1
Joint Applications Report for Low Pressure Safety injection System AOT Extension Final Report CEOG TASK 836 prepared for the C-E OWNERS GROUP May 1995
- Copyright 1995 Combustion Engineering, Inc. All rights reserved ARH ABB Combustion Engineering Nuclear Operations 7%EEEE i 6 ^;Q c .9 Cl ? 6 1) g '
l l
LEGAL NOTICE l l
This report was prepared as an account of work sponsored by the Combustion Engineering Owners Group and ABB Combustion Engineering.
Neither Combustion Engineering, Inc. nor any person acting on its behalf:
A. makes any warranty or representation, express or implied including !
the warranties of fitness for a particular purpose or merchantability, with respect to the accuracy, completeness, or usefulness of the i information contained in this report, or that the use of any :
information, apparatus, method, or process disclosed in this report j may not infringe privately owned rights; or B. assumes any liabilities with respect to the use of, or for damages resulting from the use of, any information, apparatus, method or i process disclosed in this report.
t i
Combustion Engineering, Inc.
c
i l
TABLE OF CONTENTS Section Page j i
l LIST OF TART FR iii 1.0 PURPOSE 1 l 1
2.0 SCOPE OF PROPOSED CHANGES TO TECHNICAL SPECIFICATIONS 1 1
3.0 BACKGROUND
2 4.0
SUMMARY
OF APPLICABLE TECHNICAL SPECIFICATIONS 3 4.1 Standard Technical Speci%dans 3 4.2 "O3=*ami=d" Technical Specifications 4 5.0 SYSTEM DESCRIPTION AND OPERATING EXPERIENCE 5 1
5.1 System Description 5 5.2 Operating Experience 6 ;
5.2.1 Preventive Maintenance 6 5.2.2 SurvaiHnaWresting of LPSI System Valves 7 5.2.3 Corrective Maintenance 7 5.2.4 Pelated Ilcensing Actions 8 I 6.0 TECHNICAL JUSTIFICATION FOR AOT EXTENSION 10 6.1 Statement of Need 10 6.2 Assessment of Deterministic Factors 11 6.2.1 Thermal-Hydraulic Considerations 11 6.2.2 Radiological Release Considerations 14 I
i 1
i
TABLE OF CONTENTS (cont'd) l Section Page ,
I i
6.3 ' Assessment of Risk 15 6.3.1 Overview 15 6.3.2 Assessment of "At Power" Risk 16 6.3.3 Assessment of Transition Risk 24 6.3.4 Assessment of Shutdown Risk 28 l 6.3.5 Assessment ofIarge Early Release 30 l 6.3.6 Summary of Risk As-ament 31 6.4 Compensatory Measures 32 7.0 TECHNICAL JUSTIFICATION FOR STI EXTENSION 33 I 1
8.0 PROPOSED MODIFICATIONS TO NUREG-1432 33 1 9.0
SUMMARY
AND CONCLUSIONS 34 1
10.0 REFERENCES
35 A'ITACHMENT A A-1 !
" Mark-up" of NUREG-1432 SECITONS 3.5.2 & B 3.5.2 1 1
ii
LIST OF TABLES Table Page 4.2-1 COMPARISON OF LPSI SYSTEM AOTs AMONG CE PWRs WITH CUSTOMIZED TECHNICAL SPECIFICATIONS 4 5.2-1 COMPARISON OF MAINTENANCE REPAIR TIMES FOR LPSI SYSTEM COMPONENTS 9 i
6.2.1-1 COMPARISON OF SECONDARY SIDE HEAT REMOVAL CAPABILITY 13 6.3.2-1 CEOG AUT CONDITIONAL CDF CONTRIBUTIONS FOR LPSI - CM 21 6.3.2-2 CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR LPSI- PM 22 6.3.2-3 CEOG PROPOSED AVERAGE CDFs 23 6.3.3-1 TRANSITION RISK CONTRIBUTIONS FOR LPSI SYSTEM CM 27 6.3.4-1 EFFECTS OF IMPROVED LPSI RELIABILITY AT SHUTDOWN 29 iii
l 1.0 PURPOSE l t
This report provides the results of an evaluation of the extension of the Allowed Outage Time (AUT) for a single Low Pressure Safety Injection (LPSI) train from its present value (24 or 72 )
hours), to seven days. The AUT is contained within current technien1 specifications for each i licensed CE NSSS. This AUT extension is sought to provide needed flexibility in the performance of both corrective and preventive maintenanm during power apar=daa_. l Justification of this request is based on an integrated review and manenament of plant operations, L - Ndesign basis factors and plant risk. Results of this study demonstrate that the .I '
proposed AOr extension provides plant operational flexibility while simultaneously reducing overall plant risk.
This request for AUT extension is mneittent with the objectives and the intent of the Maintenance Rule (Reference 1). 'Ihe Maintenance Rule will be the vehicle which controls the actual maintenance cycle by ddaia: unavailability performance criteria and assessing maintenance risk. 'Ihe AOT extentinn will allow efficient scheduling of maintenance within the boundaries established by imalamandag the Maintenance Rule. The CE plants are in the process of implementing the Maintenance Rule, and are presently setting targets for unavailability of systems and trains. 'Iberefore, this effort is seen as timely, supportive and integral to the Maintenance Rule program.
2.0 SCOPE OF PROPOSED CHANGES 'IO TECHNICAL SPECIFICATIONS The proposed tachnical specification change addresses revising the existing AOT requirement for the operation of the Iow Pressure Safety Injection (LPSI) subsystems of the Emergency Core Celing System (ECCS). Specifically, it is proposed that the AUT for a single INOPERABLE LPSI train be extended from its present value (24 or 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />, dapanding on the plant) to 7 days (168 hours0.00194 days <br />0.0467 hours <br />2.777778e-4 weeks <br />6.3924e-5 months <br />). For the purposes of this report, a LPSI train is defined as one pump, and two injection flow paths, including motor-operated valves (MOVs) operated by a common AC power source.
1
l l
l
3.0 BACKGROUND
l In response to the NRC's initiative to improve plant safety while granting relief to utilities from those requirements that are marginal to safety, the CEOG has undertaken a program of obtaining relief from overly restrictive technical apacineations. As part of this program, several technical
=pacifie=6on A(yrs and STIs were identified forjoint action.
This report provides support for modifying Tachaica_1 Specifications concerning the Emergency Core Cnaling System in order to provide an AOT for up to 7 days for one " INOPERABLE" LPSI train. The intent of this AOT extension is to enhance overall plant safety by avoiding potential unelwiuled plant shutdowns and providing for increased flexibility in schaduling and performing maintenance and surveillance activities. This effort is being pursued as a joint CEOG activity.
This report provides generic information muyperdng these changes, as well as the naceeenry plant enacific information to demonstrate the impact of these changes on an individual plant basis.
The supporting / analytical material contained within the document is considered applicable to all CEOG member utilities regardless of the category of their Plant Technical Specifications.
l 2
SUMMARY
OF APPLICABLE TECHNICAL SPECIFICATIONS 4.0 2
Dere are three distinct categories of Technical Specifications at CE NSSS plants.
i h first category is entlad the Standard Technical Specifications. Through February 1995,
. NUREG-0212, Revision 03, commonly referred to as " Standard Technical Specificatians," has provided a model for the general structure and content of the approved technical pfiendaas many of the domestic CE NSSS plants.
h wmnd category wu@ to the Improved Standard Technical Specificatiana (ISTS) g=idaara that is provided in NUREG-1432, Revision 0, dated opta=har 1992. A li-:=kg amendment submittal to change the Technical Speifie= dons for San Onofre Nuclear Generation Station Units 2 & 3 so as to implement this g=idaaca was submitted to the NRC in December 1993. Additionally, licensing amendment submittals are being developed that will modify the technical aneifiendaas for Palisadan to implement the ISTS guidance.
The third category includes those **haical _=aeifientions (TSs) that have structures other than those that are outlined in either NUREG-0212 (Reference 2) or NUREG-1432 (Reference 3).
These TSs are generally referred to as " customized" *ehnical specifications and are associated with the early CE PWRs. He CE NSSS plants that currently have " customized" technical specifications are: Palindes, Mainc Yankee, and Ft. Calhoun Station.
Each of these three categories of Technical Specifications includes operating requirements for the I.ow Pressure Safety Injection (LPSI) subsystems.
4.1 Standard Technient Spelfications h requirements for LPSI subsystems during power operations are embedded in the requirements for Emergency Core Cooling trains / subsystems in the standard 'ehaica1 -
specificadaa3 of NUREG-0212, Revision 03 and NUREG 1432, Revision O. In LCO 3.5.2 of NUREG-0212, Revision 03, each OPERABLE indapandant Emergency Core Cnaling System subsystem includes one OPERABLE low-pressure safety injection pump.
, LCO 3.5.2 of NUREG-1432 addresses two redundant,100% capacity ECCS trains, each consisting of high pressure safety injection (HPSI), low pressure safety injection (LPSI), and charging subsystems.
Hence, any maintenance, repair or surveillance test that would render a LPSI subsystem inoperable would also result in the INOPERABILITY of the corresponding ECCS j train / subsystem of the standard technical specifications.
h requirements of these same standard tachaical specifications allow the continuation of power operations with one inoperable ECCS train / subsystem for a maximum of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />. Hence, if a single ECCS train is rendered inoperable due to a set of factors that includes on-line 3
-. _=. .-... - .. . . . - - - . . . . - . . - - . . . . - - - - _ _ . . _ . - - -.. .- .
l' maintenance or repair of the components of a LPSI subsystem, the OPERABILITY of that ECCS train must be restored within 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> (including the OPERABILITY of the affected LPSI subsystem); or the plant must be shutdown and depressurized below the shutoff head of the HPSI Pumps. j 4.2 "C==tamlad" Tach = lent Speelfications Customized technical specifications for the LPSI System differ from the STS in the duration of the pfied ACTT, the linkage between the LPSI and other ECCS AOTs and the details of the subsequent ACTION statements. For plants with Customized technical specifications, the defined AOTs for IESI system out of Service (OOS) are presented in the Table 4.2-1.
Table 4.2-1 COMPARISON OF LPSI SYSTEM AOTs AMONG CE PWRs WITH CUSTOMT7FD TECHNICAL SPECIFICATIONS PLANT ALLOWED OUTAGE TIME (HRS)
Ft. Calhoun Station 24 Maine Yankee 72 l Pali
- 24 i 4
r 5.0 SYSTEM DESCRIPITON AND OPERATING EXPERIENCE i
5.1 Synena Description The LPSI System provides inventory to the RCS following a large Loss of Coolant Accident (LOCA). This inventory injection supplements the RCS inventory addition due to the SITS and aids in ensuring core cooling during the early stages of a large LOCA. In addition, many components of the LPSI System are shared with the shutdown cooling system. In that capacity, the LPSI pump and selected components serve to circulate water through the RCS and support long, term core decay heat removal.
Scfety Infection and Recirculation During an Mdant, the LPSI system is actuated by a Safety Injection Amdan Signal (SIAS).
The SIAS is automatienlly initiated upon a middaat two-out-of-four Pressurizer Pressure Iow
!!ignals or two-out-of-four Containment Pressure High Signals. Safety Injection can also be nianually initiated. Upon SIAS, the two LPSI pumps are automatically started and the injection valves are opened.
ne LPSI pump then recirculates the Safety Injection water through the minimum recirculation valves until the RCS pressure becomes low enough to allow flow into the RCS. During the injection mode, the LPSIpumps take suction from a borated water source. The pumps discharge flow into the low pressure injection header which is connected to the RCS cold legs. The valve connecting the LPSI pump discharge to the shutdown cooling heat exchangers is locked closed during normal operation and remains closed during the safety injection mode.
Shutdown Cooling System During normal shutdown mode operation (Modes 4, 5 and 6), the components of the LPSI System are realigned to configure the Shutdown Cooling System (SDCS). In this configuration, the LPSI pump takes suction from the RCS hot leg, transports the hot RCS liquid through the SDC heat exchanger and discharges cooler water into the RCS cold leg.
For all CE PWRs, the containment spray pump can be used in place of an inoperable LPSI pump for the function of shutdown cooling. His would depend upon the accident / plant operating mode and would require a manual alignment.
5
- -. - . . . - . . - ~ - . . . _ _ _ - . - . - - - . - - - . - . - . - . . . - .- - - . - -..
1 1
i l 1
5.2 Operating Experience 5.3.1 Pmentire Maintenance (PM)
In order to perform preventive maintenanm during power operation, the plant must voluntarily enter into a Ilmiting Condition for Operation (LCO) action statement. The NRC has been aware of this practi~ and has issued an NRC Inspection Manual (Reference 4), providing the general safety principles that the NRC iaY+:t:rs are to use in assessing the approprint-" of the utilities "on-line" maintenance activities and to ensure that proper use is made of the plant AOTs. In response to the NRC technical guidance statement, many nuclear utilities have voluntarily adopted administrative guidelines for voluntary entry into an LCO ACTION statement. This administrative gnidaa~ typically r.guires that a plan must exist for completing the associated maintenance within a period that is considerably shorter than the duration of the allowed outage time (AOT) pfied in the LCO ACTION statenwit. In addition, the risk neewinted with such maintenance is also ===a-d.
i' Operating experience has demonstrated that many types of pmventive maintenace on LPSI train components (iac1Miag post-maintanmaar verifications and tests) require a period ofless than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. Typical activities associated with preventive maintenance for a LPSI pump include:
- change of oil
- lubrication
- replacement /tigh*aning of narleing
- bearing replacement Preventive maintenance activities (PMs) associated with valves within the LPSI system include:
- valve overhaul
- valve repacking Typically, pump PMs require less than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> to complete and valve PMs can generally be performed in 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> or less.
When performed properly, preventive maintenance on single LPSI System components can be completed within the 3 day AOT which is available to most CE NSSS PWRs. However, the A(yr extension would allow for more flexibility in both performing and scheduling of the PM.
This will have a positive influence in limiting plant risk by:
(1) reducing the number of entries into LCO ACTION statements by allowing a more complete maintenance program during e ringle ACyr, (2) reducing the need for simultaneous common system PM operations so as to allow expeditious return of the system to on-line status in the event of a site emergency, and 6
i l l
! (3) reducing time stress on the maintenance staff during shutdown by allowing l adequate time to perform LPSI maintenance at power.
4 l' Preventive maintenance on LPSI subsystems that is postponed until the plant is in shutdnwn i mode can limit the availability of operable standby SDC trains during a plant outage. Since the
- LPSI pump provides the primary motive force for core maling during shutdown, the risk j menaria*M with this unavailability can exceed that naarintM with performing the equivalent j maintenance at power. This issue is addressed in Section 6.3.
i 5.2.2 Sunemance/ Testing ofLPSI System Valus
'Ihe technient enacificatiaan require testing of several motor operated valves within the LPSI system. This testing may be performed either at power or during a plant shutdown.
Surveillance testing of the MOVs at power requires that the MOV operating torque and flow characteristics be within a specified band. ' Testing times can vary from under one hour to more than 8 hours9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br />. Since this test can be performed so as to minimally disable a portion of the LPSI System, its actual impact on risk is negligible. This results from the fact that during most of the duration of the test (with the exception of the several minute stroke test) the valve position can be maintained in its emergency position.
If there were a longer AOT, a larger block of valves could be tested in a defined time frame.
With longer ACyrs, this concentration of testing can be performed in a more orderly fashion and with fewer individual entries into the plant LCO ACTION statements. An extended ACT will ,
also provide sufficient time to correct any problems found as a result of the surveillanne. l 5.2.3 Corrwetin Maintenance (CM)
Corrective maintenance in the LPSI System involves both pump and valve repair. In prae +ie* ,
the term corrective maintenance is typically used for the repair of a component resulting from an observable malfunction which may or may not compromise the ability of the system or component to perform its safety function. This terminolory typically lumps corrective maintenance on LPSI pumps due to small oil / water leaks (which do not naea-ily impair pump function) into the same category as more extreme failures such as a debilitating pump motor failures.
All utilities involved in this task have indicated mean LPSI pump repair times of under 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> with the longer repairs taking up to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> (See Table 5.2-1). It is expected that failures that render the LPSI pump non-functional will be skewed to the higher repair times. Parts accessibility may further stretch the repair. Since many existing failures will be diagnosed following a component surveillance, insufficient time may be available in the AOT to assure task completion prior to exWing the AOT.
7
l !
Another class of LPSI System components that requires surveillaa~ and periodic repair are the Motor Operated Valves (MOVs). Surveillance of these valves involves detailed testing ,
procedures. During the testing, the AM is entered and the valve is declared INOPERABLE. ;
In order for the valve to be considered OPERART E, the valve cimza&ilstics must be measured to be within a =arinal band of torque, and flow. If these parameters fall outside the defined !
bands, the MOV is technically considered INOPERABLE and must be repaired in the remainder of the AM. Failure to repair and re diagaa- the valve as OPERARIR would result in the '
applicability of other LCO action requirements to bring the plant to a safe shutdown mode within ,
a relatively short period of time or development of a Justificatinn for Continued Operation (JCO). Past testing has resulted in the identification of a malfnaatianing MOV which was repaired and declared OPERABLE within one hour of the expiration of the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> AM. Table ,
5.2-1 provides the comparison of maintenance repair times for LPSI components. 'Ihese examples illustrate that there is a need for a longer AM.
5.2.4 JtelatedIlcensing Actions i
Over the past two years the industry has been applying results from PRA sensitivity studies as l a basis for elimiandag requirements that are marginal to safety. Elimination of requirements l marginal to safety includes, among many other things, the relaxation of Technical Sparine =+iaas (TS). Recently South Texas Project (STP) proposed 22 Tarhaie=1 Specification changes to the NRC for reinuntian (Reference 5). i The TS changes requested by STP were of two types: extending allowed outage time (AOT) l and extaadia: Surveillanna Test Intervals (STI). Of the 22 proposed TS changes, 6 were withdrawn by STP. Of the remaining 16 proposed changes, quantitative evaluations were performed by STP in support of 11 of them using the plant PSA model. Qualitative arpinaatians are presented by STP for the remaining 5 to support the proposed extensions. 'Ihe ECCS, including LPSI, HPSI and SIT, was among the systems for which TS relaxation was sought.
The AM for the ECCS was requested to be extended from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 10 days; the NRC i granted the extension to 7 days.
8
I i
Table 5.2-1 3
COMPARISON OF MAINTENANCE REPAIR TIMES FOR LPSI SYSTEM COMPONENTS
! PLANT MEAN TIME TO REPAIR RANGE OF REPAIR i
(HR) TIMES i Ft. Calhoun Station 13 hrs I hr - 23 hrs Maine Yankee 16.8 hrs 1.5 hrs - 32 hrs Palisades *
- Calvert Cliffs 1 & 2 11.8 hrs 3 - 27 hrs Millstone 2 4.7 hrs not available l
St. Lucie 1 & 2 10.69 hrs < 1 hr - 72 hrs ANO-2 *
- Waterford 3 17.6 hrs 16.0 - 20.8 hrs San Onofre 2 & 3 *
- Palo Verde 1, 2 & 3 3.6 hrs 1.6 - 46.5 hrs Generic 11.1 hrs -
- Plant specific data is not available. Repair experience is expected to be similar to that of other CE PWRs.
9
6.0 TECHNICAL JUSTIFICATION FOR AOT EXTENSION his section presents an ingaM annenament of the proposed A(yr extension. The focus of the annenament includes motivation and need for technical pfie=+ian change, the impact of the change on the plant design basis event and a pd =Nii=*ie risk assessment. 4 Section 6.1 presents a summary statement of the need for the AOT extennian. The supporting information for this section has been previously presented in Section 5. Section 6.2 provides ,
an annenament of deterministic factors, particularly those menacintai with the plant design basis.
De following sections generally follow the NRC gwance set forth in Reference 6 for risk ,
based justification of changes to the technien1 specificatians. The probabilistic risk assessment for this AOT extannian is contained in Section 6.3, iaelading consideration of risks of mode transition and plant shutdown.
Ca====a'ary actions that may be applicable to this AOT extension are summarized in Section 6.4.
i 6.1 Stata==ent of Need ;
The primary role of LPSI trains during power operation is to contribute to the mitigation of a large LOCA. Its value in the post-LOCA core cooling process is established by a conservative set of rules set forth in 10 CFR 50.46. The frequency of the large LOCA event is on the order i of 10d per year. In contrast, during shutdown, the operability of at least one LPSI pump and !
subtrain are required at all times for RCS heat removal. Thus, in this macroscopic view, {
performing gadive and corrective maintenance "at power" on LPSI trains contribute to an j overall anhancement in plant safety by increasing the availability of LPSI pumps for shutdown i caaling during Modes 3 through 6. j Much of the maintenance performed on a LPSI subtrain requires the subtrain to be tagged out for periods of less than one day. However, in sc,me instances, corrective maintenance of the '
LPSI pump and valves and testing of valves may require taking one subtrain of the LPSI System out of service for more than several days. Recent experience has resulted in a MOV repair completed within one hour of the existing AOT. Thus, repair within the existing AOT cannot be guaranteed and may result in an unscheduled plant shutdown, or request for a temporary exemption to allow continued plant operation. To avoid these outcomes, a less restrictive AOT is required.
From a practical viewpoint, a 7-day AOT would allow the maintenance staff flexibility to more safely schedule maintenance and procedures. Based on a review of the maintenance requirements on the LPSI System for CE PWRs it was determined that a 7-day AOT would provide sufficient margin to effect most anticipated preventive, and corrective maintenance activities and "on-line" LPSI System valve surveillance tests.
10
- _ _ _ _ . - __ - ~. - -
To cope with the large loss of RCS inventory during a large IDCA an Emergency Core C=1iag System maai=*ia of a triad of water injection systems was devised. For CE PWRs, the components of the ECCS typically included 4 passively me*nntM SITS, two HPSI pumps and two LPSI pumps. The SITS were designed with the task of rapidly providing liquid inventory to reflood a voided core. 'Ihe role of the HPSI pumps was primarily to supply inventory for smaller LOCAs and provide long term inventory control for the large break LOCAs. The results of analysis using prescriptive methods, defined in Appandir K to 10CFR50, showed that the andiW performance of HPSI and SITS did not result in meeting the ECCS performance criteria. These analyses irvlicatM a short lived need for an additional high volumetric flow pump. A major function of this pump was to replenish inventory conservatively predicted to be l lost within the Appandir K framework. J 1
Recent best estimate analyses for a typical PWR, Reference 7, confirmed that for large break i LOCAs, incipient core melt can be prevented by operation of combinations of ECCS subsystems other than those that are currently defined in ECCS Operability requirements. In particular, the results of Reference 7 demonstrated that the operation of a single LPSI pump or the apa= dan of one High Pressure Safety Injection (HPSI) pump and a single SIT could mainti.in the Appendix K criteria during a design base large LOCA scenario.
Additionally, new deterministic analyses of large break LOCA initiating events (up to break areas of 5 square feet) were performed for one plant in support of the Individual Plant Fxaminatinn (IPE)/Probabilistic Safety Analyses (PSA), Reference 8. These analyses, performed using the CENTS code, showed that LPSI trains were not needed to successfully mitigate the consequences of such scenarios.
Steen Generator Ikbe Ruptwe (SG7R) Events Another role for the LPSI is in defining the end state for a design basis SGTR event with or without a concurrent loss of off-site power. In the design basis construction of this event, the HPSI functions to maintain the core covered at all times and the LPSI is required to effect shutdown cooling (SDC) and thereby terminate the event. SDC is initiated after the break has been isolated and the radioactive releases have been controlled.
In the event that one LPSIis out of service and the second LPSI fails, the operator can continue to control the event by steaming of the unaffected steam generator. This cooling mechanism can be maintained indefinitely provided condensate is available to the unaffected generator. Without considering condensate storage tank refill, CE plants have sufficient inventory to steam the affected steam generator for between six to more than 45 hours5.208333e-4 days <br />0.0125 hours <br />7.440476e-5 weeks <br />1.71225e-5 months <br />. All plants have provisions in procedures for continued makeup to the condensate tank to prevent the depletion of the CST inventory. Many of the plants on multiple unit sites also have the ability to cross-connect madan=ata tanks for the various units. A summary of estimated times for CST inventory depletion following a SGTR without SDC is provided in Table 6.2.1-1. CE PWRs also have the ability to realign the containment spray pumps to provide RCS shutdown cooling capability.
12
t 6.2 Aasmannent of Determinlette Factors 6.L1 knnal-HydmuBc Considemtions LOCA ,
In the early 1970's, the NRC defined determialetic =e~ptaa~ criteria (10CFR50.46) and prescriptive guidance (A,Wir K to 10CFR50) for evaluating the performance of the Emergency Core CMing System (ECCS) following a loss of coolant accident (LOCA).
He Emergency Core Celing System (ECCS) acceptance criteria from 10 CFR 50.46 are the following:
- a. Maximum fuel element cladding temperature is 5 2200 Degrees Fahrenheit;
- b. Maximum cladding oxidation is 10.17 times the total cladding thickness before ,
oxidation; i
- c. Maximum hydrogen generation from a zirconium water reaction is < 0.01 times the hypAWa1 amount that would be generated if all of the metalin the cladding '
cylinders surr=ading the fuel, excluding the cladding surrounding the plenum :
volume, were to react; and
- d. He core is maintained in a coolable geometry.
In order to meet these acceptance criteria, the designs of CE NSSS Emergency Core CMing Systems have included the following elements:
- 1) A high pressure safety injection capability for providing delivery of coolant to the RCS during the early phase of the blowdown process, and ==tching boil-off to maintain inventory during the later phases following reflooding of the core;
- 2) A passive safety injection capability provided via Safety Injection Tanks (SITS) !
providing a one time, rapid inventory injection into the RCS as the RCS depressurizes below a low pressure setpoint; and
- 3) A low pressure coolant injection capability for providing high mass flow to the l RCS at low RCS pressures.
These design elements and the ccirsponding system operability requirements in the Technical Specifications have been based on a limiting design basis accident scenario. This limiting scenario has been a large break LOCA in combination with a loss of offsite power and the
" worst" single equipment failure.
11
t i
Table 6.2.1-1 COMPARISON OF SBCONDARY SIDE HEAT REMOVAL CAPABILITY ;
PLANT THERMAL CONDENSATE STORAOB CONDENSATE STORAGE PROCEDURBS CSTs OF
- POWER CAPACflT DEPLETION TIME TO MULTIFIE !
RATING REPLENISH UNIT SITES j CONDENSATE CAN BE l
- STORAGE CROSS- !
CONNBCTED Pt. Calhoun Station 1500 MWt 350,000 gal (maximum ussable) 45 hrs. w/o credit for refill of yes (to refill N/A l EFWST or CST CST or EFWST)
Palisades 2530 MWt 100,000 gal (TJ. minimum) 8 hre yes N/A Maine Yankee 2700 M Wt 159,975 gal (maximum useable) 5+ hrs G 525 gym EFW flow yes N/A (se refill DWST) :
Calvert Cliffs 1 & 2 2700 Mwt 150,000 gal per unit (T.S. > or equal to 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> yes yes minimum) - 300,000 gal shared St. Lucie 1 2700 Mwt 116,000 gal (T.S. minimum) approx.10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> yes yes l St. Lucie 2 2700 Mwt 307,000 gal (T.S. minimum) > 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> yes avadable but act required 7
Millstone 2 2700 Mwt 150,000 gal U.S. minimum) 10 hrs at 300 spa yes no :
ANO-2 2815 Mwt 160,000 gal (r.S. minimum) 5.5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> G 485 gym (for T.S. yes yes !
400,000 (maximum)- EFW Q minimum) l a
section source is Service Weser > 30 hrs (for maximum volume) I and this source is infinite Waterford 3 3410 Mwt 170,000 gal U.S. minimum) 9 br w/o backup water sources yes N/A Palo Verde 1,2 & 3 3800 Mwt 300,000 gal (T.S. minimum) > 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> yes yes l t
San Onofre 2 & 3 3410 Mwt 424,000 gal (T.S. minimum) > 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> yes yes I i
i 13 i
! i i
6.2.2 Radiological Release Considentions i
! LOC 4 i
l The design basis c.tmiation of radiological consequences of the large LOCA are based on a j combination of very conservative a-ma+ ions. The design basis for radialagical releases '
i following a IACA is set forth in 10 CFR 100, " Reactor Site Criteria", and detailed in SRP l 15.6.5, Reference 9. In practice the 10 CFR 100 radiatinn release criteria are achieved via j reliance on the 1%2 " source term" outlined in the Atomic Energy Commission Technical
- Information Document, TID-14844, "Calenistian of Distance Factors for Power and Test i Reactors" (Reference 10). This " Source Term" was not enneistant with the low level of core
- damage arnaa+=d with a large LOCA. Instead, the Source Term was very conservatively based l on a substantial meltdown of the core, and the fission product release to the containment.
I
! Over the past 30 years, substantial information has been developed updating our knowledge i
about fission product release and transport during PWR severe acciderits. 'Ihis informatinn is l reflected in the new NRC source term defined in NUREG-1465 (Reference 11). ' Assirpilatinn j of this informatinn suggests that even when the dichotomy of a core melt driven source term is -
i retained, the TID-14844 estimate of the Iarge LOCA fission product releases considerably l j.
overpredicts the severity of the fission product release to the public. This conclusion is based on the following:
i
- 1) Erieing li=eing methods assume fission products are released to the
- containment immerlintaly upon the onset of the LOCA. In fact, only gases residing within the fuel gap (approxim=+aly 5 % of the total vn1 stile fission product l inventory) will be relemwi at the point of clad rupture (early in the transient).
- 'Ihe rernminder of the fission products will enter the containment over the period i of one half hour or more.
i l 2) Krieing licensing methods assume the composition of the iodine entering the containment is predominantly elemental (it is now believed to be in the particulate j form). Sprays are less effective in removing elementaliodine than iodine in the l particulate form. It is our current understanding that the iodine is predominantly l (greater than 95%) rele==i into the containment in the form of Csl which is j particulate. Thus, spray effectiveness and gravitational settling would be
- enhanced and airborne releases from containment would decrease.
1 Thus, even if a large LOCA were to occur in the presence of a compromised ECCS (i.e. no
- LPSI), core melting would not be expected and the actual fission product releases would remain within the existing 10 CFR 100 criteria. This issue is further considered in a probabilistic framework in Section 6.3.5.
I 1
1 i
i 14 e
a 1
i _ _ . . _ . _ _ _ _ _ __ _ ._
i l 4-Steam Generator 7kbe Ruptures (SGTRs) i Following a SGTR, the plant can be maintainad in a stable condition provided the affected steam generator is isolated, and the AFW system along with a supply of condensate is available to the j intact steam generator. Under these conditions, core uncovery is not expected and radiological
! releases will not exceed that defined by the arieting design basis. Obviously this can be done i without the LPSI System being available.
- 6.3 Amma-wne of Risk 1
1 I
2 6.3.1 Overview l i
., 1 l The purpose of this section is to provide an integr=W assessment of the overall plant risk l j nav iatad with the adoption of the proposed AUT extension. The methodology used to evaluate
- the LPSI System AOT extension was based in part on a draft version of the " Handbook of i Methods for Risk-Based Analyses of Technien1 Specifications", Reference 6 and related indust!) ;
j gnidanca. As guidaaca for the ampi.bility of a Technical Specificatinn modification, Reference i 1
! 6 noted that any proposed Technical Specification change (and the ultimate change package) 2 shoold either:
(1) be risk neutral, OR (2) result in a decrease in plant risk (via " risk trade-off considerations"), OR (3) result in a negligible (to small) increase in plant risk.
AND (4) be needed by the utility to more efficiently and / or more safely manage plant operations.
A statement of need has been provided in Section 6.1. This section addresses the risk aspects of the proposed AOT extension.
In this evaluation, a risk assessment of the LPSI System AOT cxtension is performed with respect to consideration of associated "at power", " transition" and " shutdown" risks.
Section 6.3.2 provides an assessment of the increased risk as-v iatad with continued operation with a single LPSI train out of service (OOS). The evaluation of the "at power" risk increment resulting from the extended LPSI System AOT were evaluated on a plant specific basis using the most current individual plant's Probabilistic Safety Analysis (PSA) as their respective haealinae. Plant specific evaluations were performed by each participating utility. Results of these evaluations were then compared using appropriate risk measures as prescribed in Reference 6.
15
Section 6.3.3 provides an nuenment of risk of transitioning the plant from Mode 1 into a lower mode (e.g. Mode 4). h "at power" risk manenament presented in Section 6.3.2 provides an evaluation of continued operation of the plant with an extended LPSI System AUT for the purpose of performing corrective maintenance on the LPSI System. However, that assessment provides only one facet of the plant risk. For this evaluatinn, continuation of at power operation within the LCO ACTION statement is corup.ied with the risk of ye ="% with a plant shutdown. A conservative lower bound estimate of this risk was evaluated by modifying the reactor trip core melt acenario for a representative CE PWR. Based on this analysis, a core damage probability for the plant shutdown was established and compared to the single AOT risk mancintM with continued operation.
The risk comparison of LPSI System PM for "at power" and "at shutdown" conditions is provided in Section 6.3.4. Recent experience has shown that the risk of maintaining the reactor in a shutdown condition can be significant in comparison with that of power apar=*iaa. ' Ibis observation has resulted in a need to reassess maintenance pradim to more appropriately apportion maintenance octween power and shutdown operation. One goal of this particular AOT extension is to allow preventive maintenance and extendM surveillances of the LPSI System while the plant is at power. This is a logical request in that many LPSI System components support the shutdown cooling system (which, in the lower modes, is the primary means of heat removal from the RCS). The role of the LPSI System at power is limited to ramanding to a large break LOCA or providing an alternate decay heat removal path (in conjunction with the auxiliary feedwater system).
i For completeness, the impact of the extended AUT on the plant large early release fraction is l qualitatively assessed. 'Ihe manenament includes an evaluation of the events leading to large early j fission product releases and the role of the LPSI System in the initiation and/or mitigation of i those events. This assessment is presented in Section 6.3.5. )
6.3.2 Assessment of "At P6wer" Risk Methodology 1
l
'Ihis section provides an nuemament of the increased risk asMatM with continued operation 4
with a single LPSI train out of service (OOS). 'Ihe evaluation of the "at power" risk increment resulting from the extended LPSI System AOT was evaluated on a plant specific basis using the most current individual plant's Probabilistic Safety Analysis (PSA) model for their ispective h = 1inen. Plant specific evaluations were performed by each participating utility. Results of these evaluations were then compared using the following risk measures (from Reference 6):
AFemge Core Damage Fnguency (CDF): The average CDF represents the frequency of core-damage occurring. In a PSA, the CDF is obtained using mean unavailabilities for all standby-system components.
16 i
Com Danage Pmba6Eity (CDP): The CDP iepiwts the probability of core-damage occurring. Core-damage probability is approximated by multiplying core-damage frequency by a time period.
Condklonal Con-Danage F>rquency (CCDF): The Conditional CDP is the Core j Damage Frequency (CDF) conditional upon some event, such as the outage of l equipment. It is calculated by re<1uantifying the cutsets after adjusting the unavailabilities of those basic events =s~i=tM with the inoperable equipment. l l
Isemase in Corr Damage F equency (ACDF): 'Ihe increase in CDF represents the difference between the CCDF evaluated for one train of equipment unavailable minus the i CCDF evaluated for one train of equipment not out for test or maintenance fr/M. For I the LPSI System: l ACDF = Conditional CDFa um a m - Conditional CDFa um a a s.,me where CDF = Core Damage Frequency (per year)
Simgle AOTRisk Contribution: 'Ihe Single AOT Risk contribution is the increment in risk ==winted with a train being unavailable over a period of time (evaluated over either the full AOT, or over the actual maintenance duration). In terms of core damage, the Single ACyr Risk Contribution is the increase in probability of core-damage occurring during the AOT, or outage time, given a train is unavailable from when the train is not out for test or maintenance. The value is obtained by multiplying the increase in the CDF by the AOT or outage time.
Single AOT Risk = ACDF x r where, ACDF = Increase in Core Damage Frequency (per year), and r = full AOT or actual maintenance duration (years) l Yearfy AOT Risk Contribution: The Yearly'AOT risk contribution is the increase in j average yearly risk from a train being unavailable accounting for the average yearly l frigiency of the AOT. It is the frequency of core-damage occurring per year due to the average number of entries into the LCO Action Statement per year. The value is estimated as the product of the Single A(yr Risk Contribution and the average yearly frequency (f) of entering the associated LCO Action Statement. Therefore:
Yearly AOT Risk = Single AOT Risk x f where f = frequency (events / year) 17
I i
l Incremental changes in these parameters are named to establish the risk impact of the Technical i Sphdaa change. '
Calculation of Conditional CDF, Single and Yearly AOTRisk Contributions Each CEOG utility used its current Probabilistic Safety Analysis (PSA) model to assess the 1 ennditinnal CDF based on the condition that one LPSI train is unavailable. Each plant verified I that the appropriate basic events are contained in the PSA cutsets used to determine the AUT l risk contributions. This veri %daa was performed as the first task in antaaladag the j Conditional CDFs. If basic events had been filteral out of the PSA cutsets, one of the two l methods described below were used to ensure the calculation of Conditional CDF was correct or conservative:
- 1. Select the basic event for the failure mode of the c+ri-: mt with the highest failure probability to represent the train if the test / maintenance failure mode of the component had been filtered out; or
- 2. Retrieve cutsets containing relevant basic events at the sequence level and merge them with the final PSA cutsets.
'Ihe Conditional CDF given 1 LPSI train is unavailable was obtained by performing the following steps:
- 1. Set the basic event probability for the failure mode for the selected component in the unavailable LPSI train equal to 1.0.
- 2. Set any basic event probabilities for other failure modes for that train equal to 0.0.
- 3. Set the basic event probability for the other LPSI train unavailable due to test / maintenance equal to 0.0. ;
i
- 4. For-the case where the LCO Action Statement was prompted by need for Corrective Maintenance (CM) (i.e., equipment failure), adjust the basic event common cause failure unavailability corresponding to the train remaining in service to the probability of failure given one train has failed (i.e., equal to the beta factor, #, for the Multiple Greek Ietter Method).
- 5. For Preventive Maintenance (PM) (i.e., no equipment failure), set the failure rate of the train remaining in service to the total single train failure rate (including both independent and common cause failure data).
- 6. Requantify the PSA cutsets.
18 l
'Ihis Conditional CDP was therefore =====d for both CM and PM. The difference between the two values is a result of the aforementioned difference in treating common cause failure.
It should be noted that the definition of CM for use in the PSA is considerable more stringent than the pragmatic TAGGED INOPERABLE definition of CM used in Section 5. In this context, CM refers to maintenance performed on a component that cannot otherwise perform its i safety function. l The Conditional CDF given 1 LPSI train is not out for test or maintenance was obtained by setting the basic event probability for the failure mode for one LPSI train equal to 0.0 and ,
requantifying the PSA cutsets. No adjustment was made to common cause failure from the value l used in the baseline PSA model. ;
l This Conditional CDP was effectively equal to the baseline CDF (i.e., the CDF resulting from !
the plant's current PSA model) for the LPSI System for all CE plants. I It was err = L~1 that the results would be symmetric for selecting either LPSI train to be out for maintenance. However, in cases where different =*11ag ==snmations or data were menacintad I with each LPSI train, the Conditional CDFs were evaluated for each train, and the most l conservative result was used.
The Conditional CDF was then used to =1cn1=* the increase in CDF. The Single AM Risk Contribution for each plant was calculated for the following cases:
1
- Current full AM,
- Proposed full AM,
- Mean downtime for CM, and
- Mean downtime for PM.
A value of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> / event was assumed as en upper bound for the mean duration for a LPSI train CM (see Table 5.2-1). A value of 112 hours0.0013 days <br />0.0311 hours <br />1.851852e-4 weeks <br />4.2616e-5 months <br /> / event (2/3 of AOT) was assumed as an upper bound for the mean duration for a LPSI train PM unless actual plant data was available. 'Ihe mean downtimes are presented in Table 6.3.2-1 and 6.3.2-2 for each plant.
The Single AOT Risk Contributions were then used to calculate the Yearly AM Risk Contributions (Single AM Risk x frequency), based on each plant's actual frequency of entry into the LCO Action Statement, for both CM and PM. Plant specific frequencies were used in this enten1= tion for CM and PM When detailed CM and PM breakdowns were not available, a split of the frequency was assumed to be 10%/90% for CM/PM, respectively. This split is based on actual data from a repimitative CE PWR which shows that about 10% of the total entries into the LPSI System LCO ACTION statement were due to equipment failure, the other 90% were preventive.
The overall Yearly AOT Risk Contribution is assumed to be the sum of the Yearly AOT Risk Contribution due to CM and the Yearly AM Risk Contribution due to PM. Tables 6.3.2-1 and 19
6.3.2-2 provide the Conditional CDFs and the Single and Yearly AOT Risk Contributions for each plant for CM and PM, respectively.
]
C&h&= ofAwrage CDF In order to calculate the Average CDF for the extended LPSI System AM, a new value for !
LPSI train unavailability due to test /maintem- was established. 'Ihis unavailability was based on a mainteme duration of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> for performing on-line corrective maintenance (conservatively estimated based on actual plant data for CE PWRs from Table 5.2-1), and a preventive maintenance program equal to the equivalent of a full proposed AOT of 7 days (one- !
- half the AM twice a year). For plants with a maintenance schedule already in place or defined, ,
then actual plant data was used in lieu of the above assumptions. l The impact on the PSA model was then calculated to obtain the Average CDF for this new LPSI System unavailability. This new Average CDF was then compared to the base case value from l the plant's PSA model. Table 6.3.2-3 provides the proposed Average CDF and the base average CDF for each plant.
Results The results from each plant were assimilated, and the Single AOT and Yearly AOT Risks were j calculated for each plant. Tables 6.3.2-1 through 6.3.2-3 present the results of these cases on a plant specific basis, and summarizes the LPSI System AOT CDF contributions for each plant.
These risk contributions include the Conditional CDFs, Increase in CDF, Single AOT and Yearly AOT risks for both CM and PM, based on full AM and mean downtime, and current Average CDF and proposed Average CDF.
The Single AM Risk Contribution for the full proposed AOT for all CE PWRs varies from
=;11eihle to 2.40FA6 for CM conditions and is has a maximum value of 2.1Fe07 for PM.
Maximum increases of this level are small. As will be shown in the following sections, these risks are offset by reductions in transition and shutdown risks. Changes in the Average CDF due to increasing the LPSI AM are insignificant (< 3%). )
i
)
I l
l 20
I i
Table 6.3.2-1 CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR LPSI SYSTEM - Corrective Maintenance f
PARAMETER ANO-2 Calvest Post Maine Millanone Pabsedse Palo San St. I.mcie St.Imcie Wassefosd i Cliffe Csaioun Yanlose 2 Venie Onofie 1 2 3 1&2 1. 2, & 3 2&3 LPSI System h Criteria l of 2 l of 2 l of 2 l ef 2* t of 2 l of 2 l ef 2 l ef 2 l ef 2 l of 2 l ef 2 Current AUT, days 3 3 1 3 2 1 3 3 3 3 3 Proposed AUT, days 7 7 7 7 7 7 7 7 7 7 7 Conditional CDP. per yr 4.80E-05 2.2iE-04 1.18E-05 1.52E-04 1.59E-04 5.15E-05 7.00E 05 1.08E 04 9.0E-05 9.lE4 3.70E-05 (I LPSI train unevenlable)
Conditional CDP, per yr 3.28E-05 2.llE-04 1.18E-05 7.40E 05 3.4tE-05 5.15E-05 4.74E4 2.74E-05 2.14E4 2.35E-05 1.54E 4 (I Li'SI train not out for T/M)
Increase in CDP. per yr 1.52E-05 1.00E-05 neghgeble 7.80E-05 1.25E-04 noghgible 2.26E-05 8.06E 05 6.9EE 6.8E-05 2.16E-05 Single AUT Risk (current fuH ADI) 1.25E-07 8.22E-05 neghgible 6.41E-07 6.84E-07 negligible 1.06E-07 6.62E-07 5.7E-07 5.6E-07 1.78E-07 f5ikE Of Rd(Proposed hell Of)'I i2 925 07 6i.92 EMF 1i ' negBguile Yi M 2.415 06 mingligible $d.33EIEFT (U5E.NE 2115063 $lMM MIN [!
Downtime Frequency, events /yrAnun 0.33 0.92 0.33 .02* 0.32 0.33 0.33 - 0.06 0.5 0.5 0.33 Yearly AUT Risk (Current full AOr), 8.2SE-08 1.5tE-07 neghgible 2.56E-08 4.38E-07 neghgible 1.23E-07 7.29E-08 5.7E-07 5.6E-07 1.17E-07 Per yr .l Yearly AUT Risk (Proposed fuH 1.93E-07 3.53E-07 neghgible 5.98Em 1.53E 4 neghgeble 2.86E-07 1.70E-07 1.3E-06 1.3E4 2.73E-07 AUT), per yr i Mean Durshon, hrs / event ** 24 24 24 24 24 24 24 24 24 24 28 i
Single AUT Risk (for Mean Duruhon) 4.17E-rd 2.74E-08 meshgible 2.14E-07 3.42E-07 noghgible 6.19Em 2.21E-07 1.9E-0T 1.9E-07 6.90E-08 Yearly ACT Risk (for Mean 2.753-08 5.04E-08 meghgible 8.55E-09 2.19E-01 asshgible 4.09E-05 2.43E-08 1.9E-07 1.9E-07 4.56E 08 Duration), per yr
- t
- 24 hours is assemed to be a bounihng vekse based on husene date (ese Tobis 5.2-1) .
I I
21 l
Table 6.3.2-2 CEOG AOT CONDITIONAL CDF CONTRIBUTIONS FOR LPSI SYSTEM - Preventive Maintenance PARAMETER ANO-2 Calvert Fort Maine Minstone Pehsedes Palo San St. Imcio St. Emeis Waaerfoni Cliffe Calhoun Yankee 2 Venie Onorm 1 2 3 m g- .
1A2 f,2, A. 3 2&3 LPSI System Success Criteria 1 of 2 1 of 2 1 of 2 1 of 2* 1 of 2 1 of 2 1 of 2 I of 2 1 of 2 1 of 2 I or2 Curant AUT, days 3 3 1 3 2 1 3 3 3 3 3 Proposed AUT, days 7 7 7 7 7 7 7 7 7 7 7 Conditional CDP, per yr 3.70E4 2.18E-04 1.18E-05 7.94E4 4.35EE 5.15EE 4.80E4 3.3tE-05 3.2EE 3.2E-05 1.61E-05 (I LPSI train unavailable)
Conditionni CDP, per yr 3.28E4 2.11E-04 1.18E4 7.40E4 3.41E-05 5.15E-05 4.74E-05 2.74E-05 2.14E4 2.35E-05 1.54E4 (I LPSI train not out fort /M) increase in CDP, per yr 4.20E-06 7.00E4 negligik 5.40E-06 9.40E-06 negligible 6.00E-07 5.70E-06 1.lE-05 8.5E-06 7.00E-07 l
l Single AUT Risk (Current full AUT) 3.45E-08 5.75E-08 negligible 4.44E-08 5.15E-08 negligiW 4.93E-09 4.68E-08 9E-08 7E48 5.75E-09 3 Single ACIT Risk (Pmposed full 3UI)5 506EM [134E.67l snegliMIM% ET.04E 071 ft.80E.07 dkligiblN 25.15E.083 N200E-07$ $23E.4rN 61ME.IN Wi(3kBM$
Downtime Frequency, events /yr/ train 1.50 4.00 1.50 0.67 2.88 1.50 1.50 0.52 2.00 2.00 1.50 Yearly AUT Risk (Curant full AOT), 1.04E-07 4.60E-07 negligik 5.95E-08 2.97E-07 negligible 1.48E-08 4.83E-08 3.6E-07 2.8E-07 1.73E-08 per yr Yearly AUT Risk (Proposed full 2.42E-07 1.07E-06 negligible 1.39E-07 1.04E-06 negligik 3.45E-08 1.13E-07 8.4E-07 6.5E-ST 4.03E-08 AUT), per yr l Proposed Downtime, hrs /yr/tmin 168 336 168 168 168 168 168 168 252 252 172 Mean Duration, hrs / event ** 112 84 112 112 112 112 112 112 112 112 115 Single AUT Risk (for Mean Duration) 5.37E-08 6.71E-08 negligible 6.90E-08 1.20E-07 negligible 7.67E-09 7.29E-08 1.4E.07 1.lE-07 9.19E-09 Yearly AUT Risk (for Mean 1.6t E-07 5.37E-07 negligible 9.25E-08 6.92E-07 neghgible 2.30E-08 7.51E-08 5.6E-07 4.3E p* 2.%%08 Duration), per yr l
- A mean duration of 112 hre/ event was -- .C, assumed (2/3 of proposed AUI) unless actual plant data evadable 22 l
L__ _ - _ - _____ _ _ _ _ _ _ _ _ _ _ _ _ _ - - _ - _ _ _ _ - - _ - _ _ _ _ - _ _ _ - - - - _ _ .- -
i Table 6.3.2-3 CEOG PROPOSED AVERAGE CDFs PARAMETER ANO-2 Calvest Port kleine N Palmedes Pale San St. Imeis R. Lesie Weassiesd Cliffe CeBooun Yenises 2 Vesde Onofse 1 2 3' i 1&2 1. 2. & 3 2&3 LPSI System h- Criterie 1 ef 2 1 of 2 1d2 1 d2* Id2 1d2 1d2 1d2 1d2 1d2 1d2 Pmment AUT, daye 3 3 1 3 2 1 3 3 3 3 3 i Proposed AOT. days 7 7 7 7 7 7 7 7 7 7 7 Pseposed Downtene, hre/yrArman 192 360 192 192 192 192 192 192 2M 2N 200 Averego CDP (base), per yr 3.28E4 2.llE-04 1.18E 4 7.40E4 3.41E4 5.155 05 4.74E-05 2.74E4 2.14B4 - 2.35E-05 1.54E-05 Proposed Average CDP, per yr 3.29E4 2.11E-04 1.18E-05 7.40E4 3.45E45 5.15E4 4.74E-05 2.78E-05 2.28 4 2.4E 05 1.55E45 i
-f 23
\
i l 1
s l
l l 6.3.3 Assessment of1hsnsiden Risk l l
l For any given AOT extension, there is theoretically an "at power" increase in risk newintM i with it. This increase may be negligible or significant. A complete approach to neme<ing the change in risk accounts for the effects of avoided shutdown, or " transition risk". Transition Risk mm the risk associated with reducing power and going to hot or cold shutdown ,
following equipment failure, in this case, one LPSI train being inoperable. Transition risk is ofinterest in undeeding the tradeoff between shutting down the plant and rearing the LPSI train to operability while the plant continues operation. The risk of transitioning from "at l power" to a shutdown mode must be balanced against the risk of continued apar=+ian and !
performing corrective maintenance while the plant is at power. j l
To illustrate this point, a representative CE PWR has performed an analysis for transition risk I newintM with one inoperable LPSI train. 'Ihe methodology and results obtained by this plant are presented below and are considered ganarica11y applicable to the other CE plants.
Methodology The philosophy behind the transition risk analysis is that if a plant component becomes unavailable, the CDP will increase since less equipment is now available to respond to a i transient if one were to occur. However, as long as the plant remains at power, this CDF is constant. At the point in time that a decision is made to shut down, the CDF increases since a " transient" (manual shutdown) has now occurred, and the equipment is still out of service. ;
The Core Damage Probability (CDP) ==aciatM with the risk of plant transition from plant full power operation to shutdown is obtained by modifying the " uncomplicated reactor trip" core damage scenario in the PSA model. In this evaluation the incremental risk is dominated by the increased likelihood ofloss of main feedwater and the reliance on auxiliary (and/or emergency) feedwater to avert a core damage event. A cutset editor was used to adjust cutsets representing manual shutdown or miscellaneous plant trips to reflect the CDP associated with a forced shutdown assuming one IESI train is out of service and requantifying the PSA cutsets.
Conservatisms that had been included in the base PSA model were deleted to reflect the greater control that the plant staff has in the shutdown process. Specifically, the baseline PSA assumed totalloss of main feedwater (MFW) within 30 minutes of reactor trip. In the transition analysis, MFW was assumed to be recoverable following failure of Auxiliary Feedwater. A human error probability (value of 0.1) was added to cutsets that contained no basic events, including human actions, that would cause MFW to be unavailable. 'Ihe duration of the transition process was assumed to be 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> (6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to hot standby and 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> to hot shutdown).
Additional human errors that would be associr.ted with a detailed portrayal of the shutdown process and the entry into shutdown cooling were not included in order to establish a conservative lower bound assessment of the transition risk. Errors of commission, such as diversion of RCS flow during SDC valve alignment, are also not considered in this analysis.
24
Such errors would add to the disadvantages of the shutdown alternative, and therefore, to include them would be non-conservative for the purpose of this comparison.
Based on the above methodology the CDP newintM with the lower mode transition was calculated for the representative plant to be 1.00E-06. Results of trantidan risk analyses can be generalized for the other CE PWRs by assuming that the ratio of the CDP for Trapaitinn Risk to the hawline Average CDF is constant for all plants. The bneline CDFs were selected rather than the Conditional CDFs for the ratio between the other CE plants because the analysis for the representative plant intiicatM that transition risk was more a function ofIoss of MFW rather than a function of the specific equipment out of service.
'Ihat is, A CDPnu = (CDFu/CDF,u
- ACDPms u) where:
ACDP,u = Incremental risk due to mode transition for plant CDFu = Raseline CDF for plant C D F,,,, , = Representative plant baseline CDF C D P n s,,,,,, u = Incremental risk due to mode tranalflan for aprw=*fve plant The transition risk may be used to evaluate the relative risks of performing LPSI repair at pcwer j to that of performing the same repair at some lower mode. The risk of continued <=ratiaa_ for i the full duration of the ACrr is bounded by the single AOT risk for CM (if a common cause failure is snWM) and by the single AOT risk for PM when common cause failure can be ruled out. 'Ihe comparable risk of the alternate maintenance option involves consicleration of four distinct risk components:
l l
(1) Risk of remaining at power prior to initiating the lower mode transition.
]
This risk will vary depanding on the ability of the staff to diagnose the LPSI fault and the confidence of the operating staff to expeditiously complete the repair. The time interval for power operation with a degraded component, prior to mode transition will vary from one to several days.
(2) Risk oflower mode transition.
This risk is accumulated over a short time interval (approximately 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />).
25
i (3) Risk of continued lower mode operation with an impaired LPSI component.
l In this mode, the reactor is shutdown and the core is generating decay power only.
l However, risks in this mode remain significant. Dwia: on the particular operational i mode, resources to cope with plant transients will typically be less than at power. These
- maries are characterized by decreased restrictions on system operability, longer times for
! operator recovery actions, lower initiating frequency for pressure driven initiators (such l as LOCA) and a greater frequency for plant transients such as those irltiated by loss of offsite power and loss of main feedwater.
(4) Risk of return to power
'Ihe power ascension procedure is a well controlled transient. Reference 6 conceptually discusses that risks associated with this transition are greater than those associated with at power operation, but significantly below that associated with the initiallower mode transition (item 2).
The analysis of transition risk presented in this report quantifies only the risk of lower mode transition (item 2).
Resuks Table 6.3.3-1 presents the risk ===acintal with transitioning the plant to a lower mode for each plant. The numbers in the table represent only the lower mode transition risk component of the transition sequence (item 2). The risk ==aari='~i with the transition portion represents a significant fraction of the risk that would be incurred for a seven day "at power" (Single AOT Risk from Tables 6.3.2-1 and 6.3.2-2) LPSI train maintenance period.
When the risk at power and the risk at the lower mode of operation are comparable, then these results indicate that performing a 7 day LPSI train maintenance activity "at power" would be risk beneficial.
26
i Table 6.3.3-1 TRANSITION RISK CONTRIBUTIONS FOR LPSI CM PLANT Transition Risk Contribution (ACDP)
ANO-2 6.92E-07 Calvert Cliffs 1 & 2 4.45E-06 Fort Calhoun Station 2.49E-07 Maine Yankee 1.56E-06 Millstone 2 7.19E-07 Palisades 1.09E-06 Palo Verde 1,2 & 3 1.00E-06 San Onofre 2 & 3 0.78E-07 St. Lucie 1 4.51E-07 St. Lucie 2 4.96E-07 Waterford 3 3.25E-07 I l
1 27
i t
6.3.4 Assesanent of Shutdown Risk
. The risk tradeoff for performing PM on the LPSI pump at power versus during shutdown was nue<*M by comparing the risk at shutdown associated with LPSI pump operation with incremental improvements in reliability newintM with performing maintenance at power. 'Ihe i eneance of this assessment was to perform a sensitivity analysis which evaluated the impact of j improved reliability of the IESI pump entering shutdown conditions given that maintenance was l performed on the LPSI train at power prior to shutdown. As data is not available to quantify l the improvement in reliability, sensitivity studies were chosen as the vehicle to quantify the risk n<wintM with LPSI maintenance during shutdown. Given the fact that the frequency of l requiring LPSI at power is on the order of 1 x 104 per year (the frequency of a Imrge IDCA event), whereas the frequency of requiring LPSI operability during shutdown is 1.0 per cycle, it is intuitive that improving the reliability of the LPSI system during shutdown should improve ;
overall plant safety.
In summary, the premise underlying this study is that performing Preventive LPSI maintenance at power would improve the reliability of the LPSI pump entering shutdown.
This sensitivity study was performed for a ispia.tative CE plant and evaluated the impact on Core Damage Probability (CDP) over a seven day interval at the initiation of plant shutdown.
During this period the core is resident within the reactor vessel and reduced inventory shutdown operation (including "Mid-loop") is likely. To evaluate risk benefits associated with maintenance, improvements in LPSI pump reliability of 1%, 5% and 10% were parametrically evaluated. The CDP was then compared to the baseline CDP to obtain the e:hange in risk from the base reliability.
Additional benefits of performing LPSI system maintenance at power, but not quantified in this effort are:
(1) Increased availability of maintenance staff for risk significant shutdown maintenance repairs, and (2) Reduced patentin1 for errors of commission that may induce LPSI system failure during shutdown.
Assumptions For this analysis, the b~ lina Core Damage Probability (CDP.,,,) is defined as the CDP !
associated with the present situation where maintenance on the LPSI train is done during i shutdown. The Preventive Maintenance Core Damage Probability (CDPm) is defined as the CDP associated with the proposed situation where LPSI train maintenance is performed at i power.
I 28
The analysis assumes that as shutdown cooling is first initiated following reactor shutdown, two operating LPSI pumps are available for Shutdown Cnaling (SDC). The evaluation is artificially restricted to a single 7 day reduced inventory period following shutdown entry. During this
, period core uncovery and core damage would occur shortly after loss of SDC. The only event leading to core damage was that resulting from a loss of SDC via failure of a LPSI pump.
No credit for recovery of pumps or use of backup pumps was assumed for this analysis. In addition, the analysis assumes that the first LPSIpump fails while operating halfway through the mininn time (24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />); therefore, the second pump has a mission time equal to one-half that of the first pump (12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />). 'Ihe base reliability of the LPSI pump (A,) of 5.0E45/hr was selected as representative of CE PWRs. Consistent with the parametric evaluation, the improved X, was varied from 5.0E-05/hr to 4.5E-05/hr.
Conclusion Results of this study are presented in Table 6.3.4-1 below. The conclusion of the study is that CDP due to LPSI train unavailability is sensitive to even small changes in LPSI pump reliability.
The results showed that for a 1% improvement in pump reliability, the net CDP (CDP.,,,-
CDP,u) decreases by 8.61E-07. It is therefore concluded that the net impact of LPSI train PM at power is risk beneficial.
Table 6.3.4-1 EFFECTS OF IMPROVED LPSI RELIABILITY AT SHUTDOWN CHANGEIN A, PARAMETER BASE A, = 5.0E-5/hr 1% 5% 10 %
SHUTDOWN CDP 5.06E-05 4.97E-05 4.63E-05 4.23E-05 (7 day interval) delta CDP -
8.61E-07 4.23E-06 8.28E-06 (CDPma - CDP,u) 29
. _ _ . . _ . _ _ ____ _. . . _ . _ _ _ ~ _ _ _ . _ . _ . . _ _ . . _ _ _ _ . _ . _ _
4 6.3.5 Assesament qfLarge Early Release 4
~ A review oflarge early release scenarios for the CE PWRs indienten that early releases arise as a result of one of the following class of scenarios-
- 1. Containment Bypass Events ,
These events include iniaf.cirig system LOCAs and steam generator tube i ruptures (SGTRs) with a concomitant loss of SG isolation (e.g. stuck open MSSV).
- 2. Severe Meidants accompanied by loss of containment isolation These events include any' severe Mdant in conjunction with an initially ,
unisolated containment.
- 3. Containment Failure associated with Energetic events in the Containment.
Events causing containment failure include those meancintM with the High Pressure Melt Ejection (HPME) phenomena (induding direct containment heating ,
(DCH)) and hydrogen conflagrations / detonations.
Of the three release categories, Class I tends to represent a large early release with potentially direct, unscrubbed fission products, to the environment. Class 2 events encompass a range of releases varying from early to late that may or may not be scrubbed. Class 3 events result in a high pressure failure of the containment, typically imrnadintely upon or slightly after reactor vessel failure. Detailad I.svel 2 analyses for the plant condition with one LPSI train inoperable am not performed. However, assessment of the expaetad change in the large early release ,
fraction was made by assessing the impact of the availability of the LPSI System on the above event categories.
Conta nent Bypass Emus Events contained in this category that may rely on the LPSI for event mitigation include the Large Interfacing System LOCA (i.e. failure of an SDC line). Testing and or maintenance of containment isolation valves residing in the LPSI System are governed under the plant technical specifications. Arguments provided in this report are not intended to justify "at power" maintenance of these valves. Thus, no change in the ISLOCA frequency is expected.
ISLOCAs are characterized by a continuous and unreplenished loss of RCS inventory ano makeup. In these scenarios, core damage ultimately results following the depletion of reactor coolant. Thus, provided that a continuous independent water supply is not available during the accident, the ISLOCA will progress into early core damage regardless of the LPSI availability.
30
l
- 1 i
i Sewre Accidents accompanied by Loss of Containment Isolation l l
l l Another event contributing to large early fission product releases could occur when an ;
i unmitigated large LOCA occurs in conjunction with an initially unisolated containment. l Signi%at fission product releases would not occur unless the containment straa*phare is I unscrubbed (that is sprays are inaparnble). 'Ihis later combination of events is considered of
- very low probability and would not significantly increase with a decrease in LPSI pump j availability. ;
i Containment Fallwe ass &e**d with Energetic ennts in the Containment. ,
j Class 3 events are dominated by RCS transients that occur at high pressure. 'Ihese events
, exclude those where LPSI System performance would be called for and therefore LPSI status
! is not a contributor to this event category. It is therefore concluded that increased unavailability of the LPSI System (as could potentially result as a consequence of an increased AOT) will have i a negligible impact on the large early release fraction for CE PWRs. '
i l 6.3.6 Su==my of Jtisk Assessment The proposed increase in the LPSI System AOT to 7 days was evaluated from the j-.peedve of various risks associated with plant operation. For the plants evaluated, incorporation of the extended AOT into the tee,hnical specification can potentially result in negligible to small ,
increases in the "at power" risk. However, when the full scope of plant risk is considered, the i risks incurred by extendmg the ACTT for either corrective or preventive maintenance will be substantially offset by plant benefits associated with avoiding nan ==ry plant transitions and/or by reducing risks during plant shutdown operations.
The unavailability of one train of LPSI was found to not significantly impact the three classes of events that give rise to large early releases. These include containment bypass sequences, severe accidents accompanied by loss of containment isolation, and containment failure due to energetic events in the containment. It is therefore concluded that increased unavailability of the LPSI System (as requested via Section 2) will result in a negligible impact on the large early release probability for CE PWRs.
It is therefore concluded that the overall plant impact will be either risk beneficial or, at the very least, risk neutral.
i l
l l
l 31 1
V 6.4 Compensatory Measures As part ofimplementing the Maintenance Rule, each CE PWR utility has dml i d or is in the process of developing a method for configuration control during maintenance. If maintenance is performed on a system / train concurrent with other maintenance, the impact on risk will be evaluated prior to performing maintenance. Some plants achieve this via procedures which require that PSA evaluation is performed prior to performing maintenance. Other plants have a matrix showing the risk anaciated with different combinations of systems / trains unavailable due to maintenance. His matrix is used in planning the rolling maintenance schedule which is part ofimplementing the Maintenance Rule.
A qualitative review of potential interactions between the LPSI System and other plant systems that could amplify the impact of LPSI System unavailability was performed. Based on this ;
review, implementation of extraordhiary compaamary actions was not found necennary when a LPSI train is out of service for maintenance. However, for any "at power" maintenance, the goals should be erpuHancy and safety. Typical actions to be taken during "at power" LPSI train maintenance and/or testing of LPSI valves are:
- 1. Verify that related equipment is not out of service which would amplify the effect of the unavailability of the LPSI System. This could include restricting maintenance to times when:
- a. all SITS are operable
- b. when all AFW sources are available Since the AOr for SITS is short, restricting the LPSI System maintenance during the time that any single SIT is in repair should not be burdensome.
Components of the LPSI system also support the shutdown cooling system. It is therefore, recommended that preventive maintenance not be scheduled to simultarmously compromise the heat removal capability of both the AFW and SDC System.
- 2. Verify that an alternate flowpath is available at the same time to accomplish the LPSI function, including support systems.
- 3. Conduct a briefing with appropriate plant personnel to ensure that they are aware of the impact associated with unavailable components and flowpaths.
4
- 4. If a maintenance action or repair is to be performed on the LPSI, pre-stage parts and tools to minimize outage time.
- 5. Consider actions which could be taken to return the affected LPSI train to funcHanal use, if not full operability, if the need arises.
32
9.0
SUMMARY
AND CONCLUSIONS This report provides the results of an evaluation of the extension of the Allowed Outage Time (AOT) for a single I.ow Pressure Safety Injection (LPSI) Train contained within the current CE plant technical specifications, from its present value, to seven days. This AOT extension is sought to provide needed flexibility in the performance of both corrective and preventive maintenance during power operation. Justification of this request was based on an integrated review and menemmt of plant operations, deterministic / design basis factors and plant risk.
Results of this study demonstrate that the proposed AOT extension provides plant operational flexibility while simultan-My reducing overall plant risk.
The proposed increase in the LPSI System AOT to 7 days was evaluated from the perspective i of various risks associated with plant operation. For the plants evaluated, incorporation of the extended AOT into the technical specifications potentially results in negligible increases in the "at power" risk. However, when the full scope of plant risk is considered the risks incurred by extending the AOT for either corrective or preventive maintenance will be substantially offset by aWatM plant benefits =WatM with avoiding unnecessary plant transitions and/or by reducing risks during plant shutdown operations.
The unavailability of one train of LPSI was found to not significantly impact the three clases of events that give rise to large early releases. These include containment bypass sequences, severe accidents accompanied by loss of containment isolation, and containment failure due to energetic events in the containment. It is concluded that increased unavailability of the LPSI System (as requested via Section 2) will result in a negligible impact on the large early release probability for CE PWRs.
It is the overall conclusion of this evaluation that the plant impact for the requested AOT extension would be risk beneficial. i 34
l k
- 6. In r== iring / testing components (particularly valves), define the .yymydate valve i position (open/ closed) that provides the greater level of safety and "if practical" establish that position for the repair.
! 7. With the longer AOTs now available, an effort should be made to avoid
! inefficiently conducted multiple maintenance tasks on the same system that would result in a decreased ability to re establish the system should it be -=ry to k m.
i 7.0 TECHNICAL JUSTIHCATION FOR STI EXTENSION j
! I LPSI System STI extensions are not within the scope of this effort.
l 8.0 PROPOSED MODIHCATIONS TO NUREG-1432 Attachment A incW,a proposed changes to NUREG-1432 Sections 3.5.2 and B 3.5.2 that correspond to the findings of this report.
l 1
33 i
i
10.0 REFERENCES
- 1. 10 CFR 50.65, Appendix A, "The Maintenance Rule".
J
- 2. NUREG-0212, " Revision 3, " Standard T~hnW Specifications for Combustion EngiWag Pressurized Water Reactors", July 9,1982.
- 3. NUREG-1432, " Standard Technical Specifications: Combustion Engineering Units",
September 1992.
1
- 4. NRC TaWM Manual Part 9900 Technical Gnid=w, " Maintenance-Voluntary Entry into Ilmiting Conditions for Operation Action Statements to Perform Maintenance",
1991.
- 5. " Technical Evaluation of South Texas Project (STP) Analysis for Technical Specification Madifications", P. Samanta, G. Martinez-Guridi, and W. Vesely, Technical Report #L-2591, dated 1-11-94.
- 6. NUREG/CR-6141, BNIeNUREG-52398, " Handbook of Methods for Risk-Based Analyses of Technical Specifications", P. K. Samanta, I. S. Kim, T. Mankamo, and W.
E. Vesely, Published D~mh- 1994.
- 7. LWW-02-094, Letter L. Ward (INEL) to Dr. F. Eltawila (NRC),
Subject:
"Use of MAAP to Support Utility IPE In-Vessel and Ex-Vessel Accident Success Criteria", June 1994.
- 8. Fort Calhoun Station IPE Submittal Report, December 1993.
- 9. NUREG 0800, USNRC Standard Review Plan, Rev.2, July 1981.
- 10. TID 14844, " Calculation of Distance Factors for Power Reactor Sites", USAEC,1%2.
- 11. NUREG-1465, " Accident Source Terms for Light Water Reactors" (Final Draft), August, 1994.
35 i
ATTACHMENT A
" Mark-up" of NUREG-1432 SECTIONS 3.5.2 & B 3.5.2 i
A-1
ECCS-Operating 3.5.2 3.5 EMERGENCY CORE COOLING SYSTEMS (ECCS) 3.5.2 ECCS-Operating LCO 3.5.2 Two ECCS trains shall be OPERABLE.
APPLICABILITY: MODES 1 and 2, MODE 3 with pressurizer pressure t [1700] psia.
ACTIONS CONDITION REQUIRED ACTION COMPLETION TIME sdbn "7 da.ys A. .'One, or more trains A.1 Restore trasefe$ to h g.g- ino rable. OPERABLE status.
A
'm At lea 100% f the ECC low equiv nt t a single OP CCS train available.
t l 9 e l
)I. Required Action and g.1 Be in MODE 3. 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> associated Completion ,
E Time not met. l I' .2 Reduce pressurizer 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> pressure to
< (1700] psia.
l CE06 STS 3.5 4 Rev. O, 09/28/92
l INSERT A l l
One LPSI subtrain inoperable.
~
INSERT B '
B. One or more ECCS B.1 Restore ECCS train (s) to 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> trains inoperable due to OPERABLE status.
condition (s) other than Condition A.
At least 100% of the ECCS flow equivalent to a single OPERABLE ECCS train available.
l l
ECCS-Operating
. B 3.5.2 BASES ani ACTIONS A.1 f(conu.B.17 nued)
W 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. The Time is based on an NRC s 4 using a reliability
- evaluation a asonable amount o feet many e .
An ECCS train is inoperable if it is not capable of delivering the design flow to the RCS. The individual components are inoperable if they are not capable of performing their design function, or if supporting systems are not available.
The LCO requires the OPERABILITY of a number of independent subsystems. Due to the redundancy of trains and the diversity of subsystems, the inoperability of one component in a train does not render the ECCS incapable of performing its function. Neither does the inoperability of two ,
'different components, each in a different train, necessari1vp i result in a loss of function for the ECCS. The intent *Bf W/
3 Intc:eamd444ende to maintain a combination of OPERABLE l M equipment such that 100% of the ECCS flow equivalent to 100% l of a single OPERABLE train remains available. This allows -
increased flexibility in plant operations when components in l
' opposite trains are inoperable. t
'DJSERTI -
i gg 'An event accompanied by a loss of offsite power and the failure of an emergency DG can disable one ECCS train until i
power is restored. A reliability analysis (Ref. 4) has shown that the impact with one full ECCS train inoperable is sufficiently small to justify continued operation for y 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br />.
Reference 5 describes situations in which one component, such as a shutdown cooling total flow control valve, can _
disable both ECCS trains. I mtn one or more compon
- ch that 100% of the e ow to a single OPERABLE . ' = %. available, the facility is e
.1 and .2 If the inoperable train cannot be restored to ' OPERABLE l status within the associated Completion Time, the plant must j (continued)
CEOG STS B 3.5-15 Rev. O, 09/28/92 ;
1
.l l
INSERT AA each of Condition A and Condition B are l l
INSERT AB Each of Condition A and Condition B includes a combination of OPERABE equipment such that at least 100% of the ECCS flow equivalent to a single OPERABE ECCS train remnim available.
Condition A addresses the specific condition where the only affected ECCS l subsystem is a single LPSI subtrain. The availability of at least 100% of the ECCS flow equivalent to a single OPERABG ECCS train is implicit in the definition of Condition A.
If LCO 3.5.2 requirements are not met due only to the existence of Condition A,
{
then the inoperable LPSI subtrain components must be returned to OPERABE '
status within seven (7) days of discovery of Condition A. This seven (7) day Completion Tune is based on the findings of the deterministic and probabilistic i analysis that are dLeued in Reference 6. Seven (7) days is a reasonable amount of time to perform many corrective and preventative maintenance items on the affected LPSI subtrain. Reference 6 concluded that the overall risk impact of this Completion Tune was either risk-beneficial or risk-neutral.
Condition B addresses other scenrarios where the availability of at least 100% of the ECCS flow equivalent to a single OPERABE ECCS train exists but the full
- requirements of LCO 3.5.2 are not met., If Condition B exists, then inoperable components must be restored such that Condition B does not exist with 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> of discovery. The 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> Completion Time is based on an NRC reliability study (Ref. 4) and is a reasonable amount of time to effect many repairs.
INSERT AC With one or more components inoperable such that 100% of the equivalent flow to a single OPERABE ECCS is not available, the facility is in a condition
, outside of the accident analyses. In such a situation, LCO 3.03 must be immediately entered. ;
i
, r -
ECCS-Operating B 3.5.2 BASES ACTIONS
.1 and .2 (continued)
/
be brought to a MODE in which the LCO does not apply. To achieve this status, the plant must be brought to at least MODE 3 within 6 hcurs and pressurizer pressure reduced to
< 1700 psia within 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. The allowed Completion Times are reasonable, based on cperating experience, to reach the required unit conditions from full power in an orderly manner and without challenging unit systems.
SURVEILLANCE SR 3.5.2.1 REQUIREMENTS Verification of proper valve position ensures that the flow path from the ECCS pumps to the RCS is maintained.
Misalignment of these valves could render both ECCS trains inoperable. Securing these valves in position by removing power or by key locking the control in the correct position ensures that the valves cannot be inadvertently misaligned
. or change position as the result of an active failure.
These valves are of the type described in Reference 5, which can disable the function of both ECCS trains and invalidate the accident analysis. A 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> Frequency is considered a
reasonable in view of other administrative controls ensuring j that a mispositioned valve is an unlikely possibility. '
SR 3.5.2.2 Verifying the correct alignment for manual, power operated, r and automatic valves in the ECCS flow paths provides i
assurance that the proper flow paths will exist for ECCS i operation. This SR does not apply to valves that are locked, sealed, or otherwise secured in position, since these valves were verified to be in the correct position prior to locking, sealing, or securing. A valve that receives an actuation signal is allowed to be in a nonaccident position provided the valve automatically repositions within the proper stroke time. This Surveillance does not require any testing or valve manipulation. Rather, it involves verification that those valves capable of being mispositioned are in the correct position.
(continued)
CEOG STS 8 3.5-16 Rev. O, 09/28/92
j ECCS-Operating
- B 3.5.2
- BASES 4
i
!' SURVEILLANCE SR 3.5.2.10 (continued)
REQUIREMENTS l outage, on the need to have access to the location, and on )
the potential for unplanned transients if the Surveillance I were performed with the reactor at power. This Frequency is j sufficient to detect abnonnal degradation and is confirmed j
_ by operating experience.
I REFERENCES 1. 10 CFR 50, Appendix A, GOC 35. .
- 2. 10 CFR 50.46.
- 3. FSAR, Chapter [6].
- 4. NRC Memorandum to V. Stello, Jr., from R. L. Baer,
" Recommended Interim Revisions to LCOs for ECCS Components," December 1, 1975.
3xsERT 5. IE Information Notice No. 87-01, January 6,1987.
g !
t I
'tw l
l CE0G STS 8 3.5-19 Rev. 0, 09/28/92
I -
i INSERT AD
- 6. NPSD-995, " OG Joint Applications Report for Low Pressure Safety Injection System AOT Extension," April 1995.
4 Y
k_________ - -