ML20116A573

Attachment 4, Application of PRA to STP Improved TSs, Inadvertently Omitted from Original Submittal
ML20116A573
Person / Time
Site: South Texas
Issue date: 06/27/1996
From:
HOUSTON LIGHTING & POWER CO.
To:
Shared Package
ML20116A569 List:
References
NUDOCS 9607260159


Text

APPLICATION OF THE PROBABILISTIC SAFETY ASSESSMENT TO THE SOUTH TEXAS PROJECT IMPROVED TECHNICAL SPECIFICATIONS

Executive Summary

This Topical is submitted in support of the South Texas Project Improved Technical Specifications. It describes the Probabilistic Safety Assessment technical bases for proposed allowed outage times used in the Improved Technical Specifications and how the Probabilistic Safety Assessment has been integrated into the management of the operations and maintenance of the South Texas Project.

Because of the rigor of the South Texas Project specific Probabilistic Safety Assessment and because of the commitment that station management has to the Probabilistic Safety Assessment as a station-wide comprehensive risk management tool, the Probabilistic Safety Assessment can be used with confidence to establish a risk-based technical basis for justifying allowed outage times and surveillance test intervals for the Technical Specifications.

The South Texas Project Improved Technical Specifications take additional advantage of the South Texas Project design with three separate Engineered Safeguards Features trains and other plant specific design features. The three trains of Engineered Safety Features provide the station with redundancy not present at two-train plants and can be used to justify extended allowed outage times and surveillance test intervals. The South Texas Project Probabilistic Safety Assessment has been used as the basis for previous approved changes to allowed outage times and surveillance test intervals as documented in Amendment Nos. 59 and 47 to the South Texas Project Unit 1 and Unit 2 Operating Licenses, dated February 17, 1994. This application of the Probabilistic Safety Assessment to the South Texas Project Improved Technical Specifications extends the methodology to be consistent with the EPRI Probabilistic Safety Assessment Applications Guide (TR-105396).

The South Texas Project Probabilistic Safety Assessment has been used to quantify the change in risk associated with the changes made in the Improved Technical Specifications. In conjunction with South Texas Project's On-Line Maintenance Program, the allowed outage times contained in the Improved Technical Specifications will be decreased based on the calculated risk levels of plant configurations existing at the time an event occurs requiring entry into a Technical Specification Limiting Condition of Operation. In this way, plant configuration risk can be managed and equipment out-of-service durations can be established commensurate with their safety significance. These changes are consistent with the EPRI Probabilistic Safety Assessment Applications Guide (TR-105396) and demonstrate that the proposed Improved Technical Specifications support and enhance the safe and reliable operations of the South Texas Project.

TOP_EXEC.DOC 5/22/96 1

I. Introduction

This report describes the Probabilistic Safety Assessment bases for the South Texas Project Improved Technical Specifications allowed outage times. It is organized by system, and the key parts have been incorporated into the South Texas Project Improved Technical Specifications Bases.

The South Texas Project Probabilistic Safety Assessment is the primary tool used in developing the Comprehensive Risk Management Program at the South Texas Project. The Comprehensive Risk Management Program brings together under a common process all of the critical operational and maintenance-related activities, including the Technical Specifications, Configuration Risk Management (i.e., On-Line Maintenance), Maintenance Rule implementation, Inservice Testing initiatives, Graded Quality Assurance, and other risk informed, performance-based initiatives. By consistent and broad application of the Probabilistic Safety Assessment to significant site activities, plant reliability and safety can be optimized.

II. Purpose / Scope

The purpose of this Topical is to describe the Probabilistic Safety Assessment basis for the South Texas Project Improved Technical Specifications proposed required completion times, consistent with the South Texas Project three train Engineered Safety Feature design. The scope of this Topical applies to selected systems contained in the South Texas Project Improved Technical Specifications and which are also included within the scope of the South Texas Project Probabilistic Safety Assessment risk models.

III. Management Approach

As noted in the introduction, the South Texas Project Probabilistic Safety Assessment is the common element of the station's Comprehensive Risk Management Program. The Probabilistic Safety Assessment is a state-of-the-art "living" document and accurately reflects the design and operation of the plant. It has been previously used to justify extended allowed outage times and surveillance test intervals for the current South Texas Project Technical Specifications, and is the basis for the South Texas Project On-Line Maintenance and Graded Quality Assurance Programs. It has been used as the key element in implementation of the Maintenance Rule, and is regularly used to assess plant configurations for management of maintenance activities so that safety of operations is maintained at a high level.

The South Texas Project Probabilistic Safety Assessment has been extensively reviewed by the NRC and its contractors. The NRC staff approved the use of the probabilistic methodology of the Probabilistic Safety Assessment in its Safety Evaluation for the original extension of allowed outage times and surveillance test intervals. The South Texas Project Probabilistic Safety Assessment has also undergone substantial NRC scrutiny in the review of the South Texas Project Individual Plant Examination and proposed Technical Specification change to implement a 21-Day Special Test Exception for the Standby Diesel Generators.

In converting the South Texas Project's current Technical Specifications to the Improved Technical Specifications, the South Texas Project has the opportunity to revise the Technical Specifications to better represent the design of the plant and the capability of the three Engineered Safety Feature trains. South Texas Project Management has chosen to continue to use the Probabilistic Safety Assessment as the basis for the justification of the changes to the specifications.

The design basis of the South Texas Project is generally that the plant has three operable Engineered Safety Feature trains for mitigation of a Design Basis Event, which includes a loss of off-site power and a single failure. Initial Licensing Basis analysis has generally credited the operability of two of the three Engineered Safety Feature trains, assuming the single failure of one train. Consequently, the current Technical Specifications have very restrictive actions if two of the three trains are inoperable.

The South Texas Project Probabilistic Safety Assessment, however, does not assume a loss of function if only one of the three trains is available. It shows there is a significant likelihood that a single train of a given system can perform its function, although it may be degraded. Engineering analyses support the Probabilistic Safety Assessment model. Based on the Probabilistic Safety Assessment and the supporting Engineering analysis, the Improved Technical Specifications allow for operation for a limited time with only one of three trains operable for a given system.

The proposed completion times for one of three trains out-of-service are based on the time required for the conditional Core Damage Frequency to cross the non-risk significant threshold as described in the EPRI Probabilistic Safety Assessment Applications Guide (TR-105396), Figure 4-3. All of the calculated allowed outage time is allowed if the time is 7 days or less. Otherwise, the completion time is the nearest multiple of 7 days that does not exceed the threshold. The calculated allowed outage times for systems are proportional to their risk significance. In this regard, some systems' allowed outage times calculate to extreme durations. It is not South Texas Project's policy or operational philosophy to permit extreme out-of-service durations for risk-related equipment. In cases where extreme allowed outage times have been calculated, an allowed outage time consistent with the South Texas Project's On-Line Maintenance Programs and good maintenance practices is recommended.

Two of three trains out-of-service for an Engineered Safety Feature or Engineered Safety Feature support system is expected to occur very infrequently and only as a result of a rare involuntary event. In the case of two out of three trains out-of-service, the proposed completion times are based on the time required to cross the potentially risk significant threshold as described in the EPRI Probabilistic Safety Assessment Applications Guide (TR-105396), Figure 4-3. As previously noted, such a condition will not be a planned maintenance evolution or be voluntarily entered.

IV. Technical Approach / Methodology

The technical approach used to calculate risk-based allowed outage times is based on the Configuration Risk Management Program at the South Texas Project. The Configuration Risk Management Program provides the incremental risk associated with a specific plant configuration. The plant configuration is determined by assessing the equipment out-of-service that is within the scope of the Probabilistic Safety Assessment. Full scope Level 1 Probabilistic Safety Assessment quantifications are performed for each specific plant configuration as applicable to the Probabilistic Safety Assessment.

The allowed outage time is based on the cumulative risk accrued up to the non-risk significant threshold for temporary conditions as defined in the EPRI Probabilistic Safety Assessment Applications Guide (TR-105396), Figure 4-3.

This approach establishes the maximum allowed outage time (i.e., backstop) under the assumption that no other station equipment within the scope of the Probabilistic Safety Assessment is also out-of-service. In the event additional plant equipment is out-of-service concurrent with the subject system, the Configuration Risk Management Program is the risk management mechanism for calculating a reduced allowed outage time that accounts for the integrated effect of the multiple equipment outage and will be equal to or less than the associated backstop. For those systems reaching the threshold prior to 7 days, the next standard time interval defined in the Technical Specifications is used.

Each evaluated system is presented in the "Technical Specification Specific" section of this Topical. A system specific risk profile is produced which defines the maximum allowed outage time based on core damage frequency.

V. Results / Conclusions

The results of this Topical indicate that the cumulative effects of all the calculated system-specific allowed outage times are acceptable and below the threshold of risk significance for temporary changes as defined in the EPRI Probabilistic Safety Assessment Applications Guide (TR-105396).

Monitoring the cumulative effects of equipment out-of-service is already implemented at South Texas Project with its On-Line Maintenance program. The assessment of configuration risk allows a technical basis to be formed for evaluation of the combined effects of equipment out-of-service, and in so doing, provides a risk-informed approach which enhances safety and also supports important Maintenance Rule (10CFR50.65) requirements.

The allowed outage times calculated in this study support configuration risk management by reducing outage durations based on the station's level of defense-in-depth and the safety significance of specific equipment out-of-service. Furthermore, the allowed outage times calculated by this study and which are further reduced, if required, under the On-Line Maintenance program allow incorporation of important feedback mechanisms to control allowed outage times based on accrued risk over extended periods of time. Based on the above proposed changes to allowed outage times, establishment of a risk-based technical basis has set appropriate allowed outage times which incorporate the effects of the South Texas Project's three train design.

Auxiliary Feedwater System (ITS Section 3.7.5)

I. System / Function Description

System Function: The primary function of the Auxiliary Feedwater System is to supply feedwater to the secondary side of the steam generators during emergency operation to remove reactor core decay heat whenever the main feedwater supply is not available. During normal plant operation, the Auxiliary Feedwater System is in standby and functions as a backup to the main feedwater system during plant startup and hot shutdown (or hot standby) in the event the main feedwater system and/or the startup Steam Generator Feed Pump is not available. The Auxiliary Feedwater System also serves as the backup to the main feedwater system when achieving plant cold shutdown. In addition, the Auxiliary Feedwater System is used as the normal supply during cooldown and heatup when the Reactor Coolant System is below approximately 350°F. Also, the Auxiliary Feedwater System is used in lieu of the feedwater system if the steam generator pressure is less than deaerator pressure because the temperature of the water in the deaerator is hot enough to flash.

System Success Criteria: One of four Auxiliary Feedwater pump trains must operate and deliver flow to its respective steam generator with operator action to reduce steam pressure via its associated Power Operated Relief Valve. If steam relief through the Power Operated Relief Valve is not possible, then decay heat can be removed via one of four Auxiliary Feedwater pump trains, but cooldown may not be possible. For an Anticipated Transient Without Scram event, at least two of the four trains are required for success.

Potential of an Initiating Event: The Auxiliary Feedwater System is a standby system and failure of the system has no effect on continued operation of the plant. Inadvertent actuation will result in an overcooling transient.

Systems Supported: The Auxiliary Feedwater System provides functional support to the following systems:

Reactor Coolant System
The Auxiliary Feedwater System has the capability to cool down the Reactor Coolant System at an average rate of 50°F/hour with one reactor coolant pump in operation or approximately 25°F/hour for natural circulation cooldown.

Residual Heat Removal System
The Auxiliary Feedwater System has the capability to permit operation at hot standby for at least four hours followed by a steady cooldown to the Residual Heat Removal System cut-in temperature of 350°F.

ITS_AFW.DOC 5/22/96 1

Main Feedwater System
The Auxiliary Feedwater System supplies feedwater to the secondary side of the steam generators whenever the Main Feedwater System is not available. The feedwater bypass line interfaces with the discharge line of the Auxiliary Feedwater pump allowing feedwater to enter the steam generator Auxiliary Feedwater nozzle during low load operation.

Steam Generator Blowdown System
The Auxiliary Feedwater System is used to fill the steam generator during wet layup when the main feedwater system is not available. The wet layup system removes water from the steam generator through the Auxiliary Feedwater nozzle for wet layup recirculation. Initiation of Auxiliary Feedwater automatically stops steam generator blowdown. This support function of Auxiliary Feedwater has no impact on the Probabilistic Safety Assessment model.

The Auxiliary Feedwater System is supported by the following systems:

Class 1E 480 VAC Distribution System
Class 1E 4.16 KV
Class 1E 120 V Vital AC Power System and the Qualified Display Processing System
Class 1E 125 VDC Control Power System
Engineered Safety Feature Actuation System
Main Steam System
Main Steam Isolation Valve Cubicle HVAC System
Auxiliary Feedwater Storage Tank
Demineralized Water System

Risk Significance: The risk significance of the Auxiliary Feedwater System has been addressed by the South Texas Project response to the Maintenance Rule. Because of the potentially large effect of the Auxiliary Feedwater System on accident consequences, this system has a high risk significance.

II. Proposed Technical Specification Allowed Outage Time (Required Action Time)

Based on the assumed reliability, availability, and relative importance of the Auxiliary Feedwater System, the Probabilistic Safety Assessment can be used to justify in Modes 1, 2 and 3 one motor driven Auxiliary Feedwater train out-of-service for 7 days, the turbine-driven Auxiliary Feedwater train out-of-service for 7 days, two Auxiliary Feedwater trains out-of-service for 24 hours, and the turbine-driven and one motor-driven Auxiliary Feedwater trains out-of-service for 24 hours.

III. Quantification

The cumulative risk significance for one or more Auxiliary Feedwater trains out-of-service is shown in the two graphs below. For one train out-of-service, the non-risk significant threshold (1E-6) is used to evaluate the incremental impact of the Technical Specification Allowed Outage Times. This is considered to be within the constraints of voluntary entries and is consistent with on-line maintenance activities at the South Texas Project. For two trains out-of-service, the potentially risk-significant threshold (1E-5) is used to evaluate the incremental impact since these conditions represent rare involuntary events. These thresholds are consistent with the EPRI Probabilistic Safety Assessment Application Guide.

The first graph represents one and two trains of motor-driven Auxiliary Feedwater trains (i.e., Trains A, B and/or C). For one motor-driven pump train, an Allowed Outage Time of 7 days does not cross the non-risk significant threshold. For the case of two motor-driven pump trains, a 1-day Allowed Outage Time is justified by crossing the potentially risk-significant threshold after 24 hours.

The second graph represents the Auxiliary Feedwater turbine-driven pump (Train D). Included in this graph is the case for the turbine-driven pump train and a motor-driven pump train. For the turbine-driven pump train (Train D), an Allowed Outage Time of 7 days does not cross the non-risk significant threshold. For the case of the turbine-driven pump train and a single motor-driven pump train, a 1-day Allowed Outage Time is justified by crossing the potentially risk-significant threshold after 24 hours.

[Graph: cumulative risk (0.00E+00 to 1.10E-05) versus Days (0 to 25). Curves: 1 MD Train of AF; 2 MD Trains of AF; Non Risk Significant Threshold (1.00E-06); Potentially Risk Significant Threshold (1.00E-05). Annotations: 45.7 Days for 1 MD Train; 4.7 Days for 2 MD Trains.]

[Graph: cumulative risk (0.00E+00 to 1.10E-05) versus Days (0 to 25). Curves: AFW Train D; AFW Train D and 1 other AF Train; Non Risk Significant Threshold (1.00E-06); Potentially Risk Significant Threshold (1.00E-05). Annotations: 41.6 Days for the TD Train; 24.5 Days for a MD and TD Train.]

Component Cooling Water System (ITS Section 3.7.7)

I. System / Function Description

System Function: The Component Cooling Water System consists of three essentially identical trains of Component Cooling Water pumps, valves, and heat exchangers. At least one of the three trains is needed for accident mitigation. Non-essential Component Cooling Water loads receive cooling water through a common header and are isolated upon an Engineered Safety Feature signal. Essential loads are supplied on a train-by-train basis.

The Component Cooling Water System is credited in the Probabilistic Safety Assessment for: 1) removal of heat from selected components needed in normal plant operation; 2) forming an intermediate barrier between the Essential Cooling Water System and systems handling potentially radioactive fluids; and 3) removal of heat from Engineered Safety Feature equipment following an accident or loss of offsite power.

System Success Criteria: One of the three Component Cooling Water System trains is required during normal operations. During a Design Basis Accident two of the three Component Cooling Water System trains are required unless the non-Engineered Safety Feature loads are isolated, in which case only one of the three Component Cooling Water System trains is required.

Potential of an Initiating Event: The first effect from loss of all Component Cooling Water System heat removal is likely to be high vibration and possible trips of the reactor coolant pumps. A low flow reactor trip will occur from a loss of one or more reactor coolant pumps. Loss of Component Cooling Water System heat removal will also cause overheating and damage to the centrifugal charging pumps.

Prolonged loss of Component Cooling Water System heat removal would cause a reactor coolant pump seal loss of coolant accident, because normal reactor coolant pump seal injection flow is lost when the Centrifugal Charging Pumps fail and Component Cooling Water System cools the reactor coolant pump thermal barriers. Failure of the Component Cooling Water System also disables the Reactor Containment Fan Coolers for emergency containment heat removal, Low Head Safety Injection in the recirculation mode, and the Residual Heat Removal heat exchangers for long term cooling.

Systems Supported: Systems supported by the Component Cooling Water System are listed below:

Engineered Safety Feature Loads

Residual Heat Removal System
The Component Cooling Water System supplies cooling water to the shell side of the Residual Heat Removal heat exchangers following a Design Basis Accident (Engineered Safety Feature function). During normal cooldown operation, the Residual Heat Removal pumps recirculate reactor coolant through the tube side. During Emergency Core Cooling System operation, water from either the Refueling Water Storage Tank or the containment sump flows, via the Low Head Safety Injection pumps, through the tube side. Credit is taken for cooling provided by the Residual Heat Removal heat exchangers only during long-term recirculation operation.

ITS_CCW.DOC 5/22/96 1

Reactor Containment Building HVAC System
The Component Cooling Water System provides cooling water to the Reactor Containment Fan Coolers following a Design Basis Accident or Loss of Offsite Power (Engineered Safety Feature function).

Non-Engineered Safety Feature Loads

Residual Heat Removal System
The Component Cooling Water System supplies cooling water to the shell side of the Residual Heat Removal heat exchangers during normal shutdown and also supplies cooling water to the Residual Heat Removal pump seal coolers.

Spent Fuel Pool Cooling and Cleanup System
The Component Cooling Water System provides cooling water to the shell side of the spent fuel pool heat exchanger.

Chemical and Volume Control System
The Component Cooling Water System supplies cooling water to the seal water heat exchanger, letdown heat exchanger, excess letdown heat exchanger, boric acid sample cooler, boron thermal regeneration system chiller, and the centrifugal charging pump lube oil coolers.

Boron Recycle System
The Boron Recycle System evaporator package is cooled by the Component Cooling Water System.

Reactor Coolant Pumps
The Component Cooling Water System supplies cooling water to the reactor coolant pump thermal barriers, upper and lower bearing oil coolers, and reactor coolant pump motor air coolers.

Liquid Waste Processing System
The Component Cooling Water System provides cooling water to the Liquid Waste Processing System waste evaporator package and the Reactor Coolant Drain Tank heat exchanger.

Primary Process Sampling System
The Component Cooling Water System provides cooling water to the sample coolers in the primary process sampling system.

Mechanical Auxiliary Building HVAC System
The Component Cooling Water System supplies cooling water to the centrifugal charging pump and positive displacement pump supplementary coolers.

Post Accident Sampling System
The Component Cooling Water System provides cooling water to the post-accident sampling coolers.

Steam Generator Blowdown System
The Component Cooling Water System supplies cooling water to radiation monitor RT-8043 in the steam generator blowdown system.

The Component Cooling Water System is supported by:

Essential Cooling Water System
4.16 KV bus
125 V DC bus
Engineered Safety Features Actuation System

Risk Significance: The risk significance of the Component Cooling Water System has been addressed by the South Texas Project response to the Maintenance Rule. Probabilistic Safety Assessment analysis of the effect of the Component Cooling Water System on accident consequences determined that this system has a medium risk significance.

II. Proposed Technical Specification Allowed Outage Time (Required Action Time)

Based on the assumed reliability, availability, and relative importance of the Component Cooling Water System, the Probabilistic Safety Assessment can be used to justify, in Modes 1, 2, 3, and 4, one train out-of-service for 14 days, and two trains out-of-service for 1 day.

III. Quantification

The cumulative risk significance for one or more Component Cooling Water System trains out-of-service is shown in the graph below. For one train out-of-service, the non-risk significant threshold (1E-6) is used to evaluate the incremental impact of the Technical Specification Allowed Outage Times. This is considered to be within the constraints of voluntary entries and is consistent with on-line maintenance activities at the South Texas Project. For two trains out-of-service, the potentially risk-significant threshold (1E-5) is used to evaluate the incremental impact since these conditions represent rare involuntary events. These thresholds are consistent with the EPRI Probabilistic Safety Assessment Application Guide.

The graph represents cases for one and two trains of Component Cooling Water out-of-service. For one train, an Allowed Outage Time of 14 days does not cross the non-risk significant threshold. For the case of two Component Cooling Water trains, a 1-day Allowed Outage Time is justified by crossing the potentially risk-significant threshold after 24 hours.

[Graph: cumulative risk (0.00E+00 to 1.10E-05) versus Days (0 to 25). Curves: 1 Train of CCW; 2 Trains of CCW; Non Risk Significant Threshold (1.00E-06); Potentially Risk Significant Threshold (1.00E-05). Annotations: 952.4 Days for 1 CCW Train; 320.8 Days for 2 CCW Trains.]

Control Room HVAC System (ITS Section 3.7.11)

I. System / Function Description

System Function: The Control Room HVAC provides environmental control for the control room area to maintain temperatures in a range comfortable for plant operators as well as in the qualified range for equipment operability.

System Success Criterion: One or more of the Control Room HVAC trains operate.

Potential of an Initiating Event: Loss of the Control Room HVAC system is considered an initiating event by the South Texas Project Probabilistic Safety Assessment. On loss of Control Room HVAC, the control room HVAC envelope will heat up and is assumed to eventually cause the Solid State Protection System (located in the Relay Room) to fail or cause a spurious actuation of safety injection. The control room area heat up is expected to be slow enough that the operators can either shut down the plant in an orderly way or provide alternate ways of maintaining the control room temperature at an acceptable level.

Systems Supported: The Control Room HVAC system supports the electrical and controls equipment located in the control room envelope (i.e., the control room, relay room, and computer room).

Risk Significance: The risk significance of the Control Room HVAC system has been addressed as a subset of the EAB HVAC system by the South Texas Project response to the Maintenance Rule. The Probabilistic Safety Assessment of the Control Room HVAC system for accident consequences determined that this system has a high risk significance.

ITS_CRHV.DOC 5/22/96 1

II. Proposed TS Allowed Outage Time (Required Action Time)

Based on the assumed reliability, availability, and relative importance of the Control Room HVAC system, the Probabilistic Safety Assessment can be used to justify one train out-of-service for 7 days, and two trains out-of-service for 1 day.

III. Quantification

The cumulative risk significance for one or more Control Room HVAC trains out-of-service is shown in the graph below. For one train out-of-service, the non-risk significant threshold (1E-6) is used to evaluate the incremental impact of the Technical Specification Allowed Outage Times. This is considered to be within the constraints of voluntary entries and is consistent with on-line maintenance activities at the South Texas Project. For two trains out-of-service, the potentially risk-significant threshold (1E-5) is used to evaluate the incremental impact since these conditions represent rare involuntary events. These thresholds are consistent with the EPRI Probabilistic Safety Assessment Application Guide.

The graph represents one and two trains of Control Room HVAC out-of-service. For one train, an Allowed Outage Time of 7 days does not cross the non-risk significant threshold. For the case of two Control Room HVAC trains, a 1-day Allowed Outage Time is justified by crossing the potentially risk significant threshold after 24 hours.

[Graph: cumulative risk (0.00E+00 to 1.10E-05) versus Days (0 to 25) for 1 Train of CRHVAC and 2 Trains of CRHVAC, with the Non Risk Significant Threshold and the Potentially Risk Significant Threshold. Annotations: 1.1 Days for 2 CRHVAC Trains; 291.6 Days for 1 CRHVAC Train.]

Containment Spray System (ITS Section 3.6.6)

I. System / Function Description

System Function: The primary functions of the Containment Spray System are:

1) Limit the Reactor Containment Building peak pressure to the design limits following a Loss of Coolant Accident or Main Steam Line Break when all other heat removal systems are operating at minimum capacity.

2) Reduce the quantity of airborne fission product iodine in the containment after a Loss of Coolant Accident to reduce the offsite doses to within limits when all other iodine removal systems are operating at minimum capacity.

The Probabilistic Safety Assessment analysis focuses on the airborne fission product removal and the long term containment decay heat removal functions of the Containment Spray System.

System Success Criteria: Success requires at least two trains of containment spray delivering flow to at least one spray header for 24 hours following actuation for accidents requiring removal of containment heat by spray and reduction of airborne fission product iodine. For an event involving system failure of Low Head Safety Injection and High Head Safety Injection, success requires that at least one train of containment spray delivers flow to at least one spray header for 24 hours following actuation. This is sufficient to inject water into the containment so that the Refueling Water Storage Tank water can be transferred to the containment sumps.

Potential of an Initiating Event: Inadvertent spray actuation will require shutdown of the unit to clean equipment inside containment.

Systems Supported: The function of the Containment Spray System as modeled in the Probabilistic Safety Assessment is airborne fission product removal and long term containment heat removal. In practice, the Containment Spray System supports the following systems:

Containment Building HVAC

The Containment Spray System, by spraying water to the containment atmosphere, provides containment heat removal capability following accidents that are considered in the long term containment heat removal analysis.

Safety Injection System

Stainless steel baskets located in the sump provide trisodium phosphate, which is required to ensure that the pH of the sump solution remains within its required post loss of coolant accident range.

ITS_CS.DOC 5/22/96 1

The Containment Spray System is supported by:

125 VDC

4.16 KV bus

480 V Motor Control Center

Engineered Safety Feature Actuation System

Refueling Water Storage Tank

Safety Injection System

Risk Significance: The risk significance of the Containment Spray System has been addressed by the South Texas Project response to the Maintenance Rule. Probabilistic Safety Assessment analysis of the effect of the Containment Spray System on accident consequences determined that this system has a low risk significance.


II. Proposed Technical Specification Allowed Outage Time (Required Action Time)

Based on the assumed reliability, availability, and relative importance of the Containment Spray System, the Probabilistic Safety Assessment can be used to justify for Modes 1, 2, 3 and 4 one train out-of-service for 28 days, and two trains for 7 days.


III. Quantification

The South Texas Project Probabilistic Safety Assessment models two functions of the Containment Spray system: 1) removal of airborne fission products and 2) if both Low and High Head Safety Injection pumps fail to inject, then the Containment Spray can transfer the Reactor Water Storage Tank water to the containment sump. Both of these functions have an effect on containment response to an accident and neither has an impact on the Core Damage Frequency.

The containment response of interest is the Large, Early Release Frequency, which is defined as an event where there is a radioactive release (containment is vented to atmospheric conditions in 4 hours) involving the rapid unscrubbed release of airborne fission products to the environment with a large failure of containment. Removal of Containment Spray would affect the Large, Early Release Frequency for events involving early hydrogen burns and direct containment heating. In the Probabilistic Safety Assessment, it is assumed that the containment would be "inerted" if the sprays were not in operation. An "inerted" containment prevents hydrogen burn due to the steam over pressure inside containment. Operating Containment Spray pumps acts to reduce containment pressure via steam condensation. Thus, operating spray pumps tend to increase the likelihood of early hydrogen burn with a corresponding increase in the frequency of a Large, Early Release. The scenarios in the Probabilistic Safety Assessment for direct containment heating contribute 0.6% to the Large, Early Release Frequency given no planned maintenance activities. Therefore, direct containment heating has little impact on the Large, Early Release Frequency.

The cumulative risk significance for one or more trains of Containment Spray out-of-service is shown in the graph below for the change in the Core Damage Frequency. The threshold values are consistent with the EPRI Probabilistic Safety Assessment Application Guide. Since the Containment Spray System has little impact in the Probabilistic Safety Assessment, the Allowed Outage Times were determined using engineering judgment. Therefore, a train out-of-service time of 28 days results in no or little impact to the Core Damage or Large, Early Release Frequencies. The same argument is true for two trains of Containment Spray out-of-service for 7 days resulting in no or little impact to the Core Damage or Large, Early Release Frequencies.

I Potentia #y Risk Signiricant Threshold

}

infinite Days for 2 CS Trains i 7.00E-o6 6.00E.o6 6.00E 06 -

4.00EJHI 3.00E-06 Infinite Days for 1 CS Train Q

Non Risk Signincent Threshold 0.00E + 00 O

6 to 15 20 25 Days i-i d

i l """" 1 Train of CS ---- 2 Trains of CS - - - Non Risk Potential Risk l

Threshold Threshold l

1 l

ITS_CS. DOC 5/22/96 4

Essential Chilled Water System (ITS Section 3.7.10)

I. System / Function Description

System Function: The Essential Chilled Water System provides chilled water for air handling units to provide a suitable environment for personnel and Class 1E equipment located in the Electrical Auxiliary Building, Mechanical Auxiliary Building, and the Fuel Handling Building.

The only Essential Chilled System loads analyzed by the Probabilistic Safety Assessment model of the Essential Chilled Water System are the Electrical Auxiliary Building Main Supply air handling units and the Essential Chiller area air handling units.

System Success Criterion: The Probabilistic Safety Assessment assumes for normal operating conditions that at least two trains of Essential Chilled Water provide 150 tons of chiller capacity each.

To adequately support safety injection, the Probabilistic Safety Assessment assumes the following support capacity from the Essential Chilled Water System:

Three trains of Safety Injection: 450 tons from at least two trains

Two trains of Safety Injection: 300 tons of which one train is adequate

One train of Safety Injection: none required

Potential of an Initiating Event: Degradation of the Essential Chilled Water System below the success criterion can result in higher control room and Electrical Auxiliary Building temperatures. Unless alternate cooling is supplied for these areas, prolonged operation at elevated temperatures can result in equipment failures. Possible consequences include turbine trip or reactor trip. Worst case scenarios include room heat-up causing loss of 1E AC power, which in turn causes a loss of Component Cooling Water and Chemical and Volume Control System, causing a Reactor Coolant Pump seal Loss of Coolant Accident with Emergency Core Cooling Systems disabled due to loss of AC power.

Systems Supported: The Essential Chilled Water System provides chilled water to air handling units for the following areas during upset and faulted conditions:

Electrical Auxiliary Building Main Supply

Control Room Envelope

Electrical Penetration Space

Reactor Makeup Water Pump Cubicle in Mechanical Auxiliary Building

Boric Acid Transfer Pump Cubicles in Mechanical Auxiliary Building

Essential Chilled Water Area in Mechanical Auxiliary Building

Chemical and Volume Control System Valve Cubicle in Mechanical Auxiliary Building

Radiation Monitor Room in Mechanical Auxiliary Building

Spent Fuel Pump Isolation Valve in Fuel Handling Building

Containment Sump Isolation Valve in Fuel Handling Building

Engineered Safety Feature Pump Cubicles in Fuel Handling Building

ITS_ECH.DOC 5/22/96 1

The Essential Chilled Water System provides chilled water to the cooling coils of air handling units in the following areas during normal operation, including startup, cold shutdown, cooldown, hot standby, normal plant operation, and refueling:

Electrical Auxiliary Building Main Supply (safety-related)

Control Room Envelope (safety-related)

Mechanical Auxiliary Building (safety-related)

The Essential Chilled Water System is supported by the following:

480 V MCC

480 V Load Center

4.16 KV

125 VDC

Engineered Safety Features Actuation Signals

Essential Cooling Water System

Risk Significance: The risk significance of the Essential Chilled Water system has been addressed by the South Texas Project response to the Maintenance Rule. Because of the potentially large effect of the Essential Chilled Water system on accident consequences, this system has a high risk significance.


II. Proposed Technical Specification Allowed Outage Time (Required Action Time)

Based on the assumed reliability, availability and relative importance of the Essential Chilled Water system, the Probabilistic Safety Assessment can be used to justify, in Modes 1, 2, 3, and 4, one train out-of-service for 7 days, and two trains out-of-service for 1 day.


III. Quantification

The cumulative risk significance for one or more Essential Chilled Water trains out-of-service is shown in the graph below. For one train out-of-service, the non-risk significant threshold (1E-6) is used to evaluate the incremental impact of the Technical Specification Allowed Outage times. This is considered to be within the constraints of voluntary entries and is consistent with on-line maintenance activities at the South Texas Project. For two trains out-of-service, the potentially risk-significant threshold (1E-5) is used to evaluate the incremental impact since these conditions represent rare involuntary events. These thresholds are consistent with the EPRI Probabilistic Safety Assessment Application Guide.

The graph represents one and two trains of Essential Chilled Water out-of-service. For one train, an Allowed Outage Time of 7 days does not cross the non-risk significant threshold. For the case of two Essential Chilled Water trains, a 1-day Allowed Outage Time is justified by crossing the potentially risk significant threshold after 24 hours.

[Graph: cumulative risk (0.00E+00 to 1.10E-05) versus Days (0 to 25) for 1 Train of ECHW and 2 Trains of ECHW, with the Non Risk Significant Threshold and the Potentially Risk Significant Threshold. Annotations: 4.1 Days for 2 ECHW Trains; 22.7 Days for 1 ECHW Train.]

Essential Cooling Water System (ITS Section 3.7.8)

I. System / Function Description

System Function: The Essential Cooling Water System consists of three trains and provides cooling water to carry heat from safety-related components to the Essential Cooling Pond which acts as the Ultimate Heat Sink for the plant safety grade equipment.

The Essential Cooling Water, either directly or by means of intermediate systems, provides cooling required for safety-related components during and after a Loss of Coolant Accident, Loss of Offsite Power, or a Safe Shutdown Earthquake. Additionally, the Essential Cooling Water functions during normal operation and other non-emergency operating modes to transfer heat loads from serviced components to the Essential Cooling Pond.

System Success Criteria: One of the three Essential Cooling Water trains is required during normal operation and accident conditions. The Essential Cooling Water train continues to operate for 24 hours after the initiating event, or starts automatically or manually by operator action and operates for 24 hours after the initiating event, providing cooling water to the systems served.

Potential of an Initiating Event: Total loss of Essential Cooling Water is considered an initiating event. Loss of all Essential Cooling Water flow causes loss of heat removal from the Component Cooling Water. Loss of Component Cooling Water heat removal causes reactor coolant pump damage and charging pump damage. An automatic reactor trip will occur from reactor coolant pump failure. Prolonged loss of Component Cooling Water heat removal can cause a reactor coolant pump seal LOCA from loss of normal seal injection flow and loss of thermal barrier cooling.

Although failure of the Essential Cooling Water piping could cause significant flooding in the Mechanical Electrical Auxiliary Building, internal flooding analyses have shown this event has insignificant impact on risk.

Systems Supported: The Essential Cooling Water System provides for the following:

Heat removal from plant equipment required for safe shutdown or design basis LOCA conditions. This equipment includes:

Component Cooling Water

The Essential Cooling Water System supplies cooling water to the Component Cooling Water System heat exchangers. Although all three Essential Cooling Water trains are designed to operate initially, a minimum of one train is required to operate following a Design Basis Accident.

ITS_ECW.DOC 5/22/96 1

Diesel Generator Jacket Water Heat Exchangers

The Essential Cooling Water System supplies cooling water to the Standby Diesel Generator jacket water heat exchangers. Although all three Essential Cooling Water trains are designed to actuate initially, a minimum of one train is required to operate following a Design Basis Accident.

Essential Chiller Condensers

The Essential Cooling Water System supplies cooling water to the Essential Chiller Condensers. Although all three Essential Cooling Water trains are designed to operate initially, a minimum of one train is required to operate following a Design Basis Accident, each train supplying two essential chiller condensers.

Component Cooling Water pump supplementary coolers

The Essential Cooling Water System supplies cooling water to the Component Cooling Water pump supplementary coolers. Although all three Essential Cooling Water trains are designed to operate initially, a minimum of one train is required to operate following a Design Basis Accident.

Heat removal from certain plant equipment during normal operation. This equipment includes:

Component Cooling Water heat exchangers

The Essential Cooling Water System supplies cooling water to the Component Cooling Water System heat exchangers. An Essential Cooling Water loop is required to operate whenever its corresponding Component Cooling Water loop is in operation.

Essential chiller condensers

The Essential Cooling Water System supplies cooling water to the Essential chiller condensers. Two such condensers are supplied by one Essential Cooling Water train.

Component Cooling Water pump supplementary coolers

The Essential Cooling Water System supplies cooling water to the Component Cooling Water System pump supplementary coolers. An Essential Cooling Water loop is required to operate whenever its corresponding Component Cooling Water loop is in operation.

The Essential Cooling Water System is supported by the following systems:

Class 1E AC Power

Class 1E DC Power

Solid State Protection System

Engineered Safety Features Actuation Signals

Essential Cooling Water Intake Structure

Instrument and Service Air System

HVAC

Risk Significance: The risk significance of the Essential Cooling Water System has been addressed by the South Texas Project response to the Maintenance Rule. Because of the potentially large effect of the Essential Cooling Water System on accident consequences, this system has a high risk significance.


II. Proposed TS Allowed Outage Time (Required Action Time)

Based on the assumed reliability, availability, and relative importance of the Essential Cooling Water, the Probabilistic Safety Assessment can be used to justify in Modes 1, 2, 3, and 4, one train out-of-service for 7 days, and two trains out-of-service for 1 day.


III. Quantification

The cumulative risk significance for one or more Essential Cooling Water trains out-of-service is shown in the graph below. For one train out-of-service, the non-risk significant threshold (1E-6) is used to evaluate the incremental impact of the Technical Specification Allowed Outage times. This is considered to be within the constraints of voluntary entries and is consistent with on-line maintenance activities at the South Texas Project. For two trains out-of-service, the potentially risk-significant threshold (1E-5) is used to evaluate the incremental impact since these conditions represent rare involuntary events. These thresholds are consistent with the EPRI Probabilistic Safety Assessment Application Guide.

The graph represents one and two trains of Essential Cooling Water out-of-service. For one train, an Allowed Outage Time of 7 days does not cross the non-risk significant threshold. For the case of two Essential Cooling Water trains, a 1-day Allowed Outage Time is justified by crossing the potentially risk-significant threshold after 24 hours.

[Graph: cumulative risk (0.00E+00 to 1.10E-05) versus Days (0 to 25) for 1 Train of ECW and 2 Trains of ECW, with the Non Risk Significant Threshold and the Potentially Risk Significant Threshold. Annotations: 2.2 Days for 2 ECW Trains; 11.4 Days for 1 ECW Train.]

Reactor Containment Fan Cooler System (ITS Section 3.6.6)

I. System / Function Description

System Function: The Reactor Containment Fan Coolers are a subsystem of the Reactor Containment Building HVAC systems. There are three trains in the Reactor Containment Fan Cooler system, each with two Reactor Containment Fan Cooler units. Each Reactor Containment Fan Cooler unit has discharge ductwork, cooling coil, fan and backdraft damper. Four return air risers with two independent sections of ring duct are shared by the Reactor Containment Fan Cooler subsystem.

The Reactor Containment Fan Cooler train removes thermal energy from inside the Reactor Containment Building to reduce the containment atmosphere pressure and temperature following a Loss of Offsite Power or a Design Basis Accident. According to the Reactor Containment Building HVAC System Design Basis Document, operation of four of six Reactor Containment Fan Cooler units (two of three trains), or three of six Reactor Containment Fan Cooler units (two of three trains) and two of three Containment Spray system trains are required to reduce the pressure and temperature of the Reactor Containment Building following a Design Basis Accident.

The Probabilistic Safety Assessment credits the Reactor Containment Fan Coolers in loss of coolant accident situations to remove decay heat after recirculation switchover for high pressure recirculation scenarios where the Low Head Safety Injection pumps are unable to inject due to high RCS pressure. In high pressure recirculation scenarios the Residual Heat Removal heat exchangers are not available since the Low Head Safety Injection pumps are not able to inject into the RCS due to high RCS pressure. In these cases the High Head Safety Injection pumps are used in conjunction with the Reactor Containment Fan Coolers to remove core decay heat.

Analyses have indicated that the Reactor Containment Fan Coolers can provide a method for removing core decay heat during sump recirculation cooling scenarios. The High Head Safety Injection or Low Head Safety Injection pumps circulate water through the core to the containment sump and the heated water is returned to the containment sump via the Loss of Coolant Accident break flow path or a Reactor Coolant System vent path (i.e., pressurizer Power Operated Relief Valve or Reactor Pressure Vessel head vent lines). The Reactor Containment Fan Coolers remove heat from the saturated containment atmosphere and thus remove heat from the containment sump water and the core. For situations where high pressure recirculation is operating, the Reactor Containment Fan Coolers represent the largest heat removal mechanism within the Reactor Containment Building.

System Success Criteria: In the South Texas Project Probabilistic Safety Assessment, one train of Reactor Containment Fan Coolers, with cooling flow aligned to Component Cooling Water, is required to operate.

Potential of an Initiating Event: Loss of all Reactor Containment Fan Coolers does not immediately cause reactor or turbine trip, but, if not restored, Reactor Containment Building temperature increases could result in high containment pressure followed by reactor trip and safety injection actuation.

Systems Supported: The Reactor Containment Fan Cooler Subsystem operates during all modes of plant operating conditions to maintain temperature inside the containment. Air cooling is also provided to:

ITS_RCFC.DOC 5/22/96 1

Reactor Coolant System (Reactor Coolant Pump and associated instrumentation)

Chemical and Volume Control System (Associated valves)

Residual Heat Removal (Pump, Heat Exchanger, and associated valves)

The Reactor Containment Fan Cooler Subsystem is supported by:

Component Cooling Water System

Essential Chillers

Class 1E AC Power

Risk Significance: The risk significance of the Reactor Containment Fan Coolers has been addressed by the South Texas Project response to the Maintenance Rule. Probabilistic Safety Assessment analysis of the Reactor Containment Fan Coolers for accident consequences determined that this system has a low risk significance.


II. Proposed Technical Specification Allowed Outage Time (Required Action Time)

Based on the assumed reliability, availability and relative importance of the Reactor Containment Fan Coolers, the Probabilistic Safety Assessment can be used to justify, in Modes 1, 2, 3 and 4, one train (two Reactor Containment Fan Coolers) out-of-service for 28 days, and two trains out-of-service for 7 days.


III. Quantification

The South Texas Project Probabilistic Safety Assessment models two functions for the Reactor Containment Fan Coolers: 1) to remove heat from the containment atmosphere during the recirculation phase of safety injection and 2) to remove heat for long term containment response after a core damaging event. The first function can contribute to both Core Damage Frequency and containment response, while the second function is strictly a function of containment response.

The Probabilistic Safety Assessment has shown that removal from service of a single or two trains of Reactor Containment Fan Coolers has no effect or little effect on the Core Damage Frequency. The Reactor Containment Fan Coolers are modeled as a backup to the heat exchangers of the Residual Heat Removal system for removing heat from the containment atmosphere during recirculation phase of safety injection. Both of these systems, Residual Heat Removal and Reactor Containment Fan Coolers, have the same support systems for electrical power and heat transfer via the Component Cooling Water system. Therefore, failure of the support systems will fail the function for containment heat removal.

The containment response of interest is the Large, Early Release Frequency, which is defined as an event where there is a radioactive release (containment is vented to atmospheric conditions in 4 hours) involving the rapid unscrubbed release of airborne fission products to the environment with a large failure of containment. Removal of the Reactor Containment Fan Coolers would affect the Large, Early Release Frequency for the direct containment heating event. The scenarios in the Probabilistic Safety Assessment for direct containment heating contribute 0.6% to the Large, Early Release Frequency given no planned maintenance activities. Therefore, direct containment heating has little impact on the Large, Early Release Frequency.

The cumulative risk significance for one or more trains out-of-service is shown in the graph below for the change in the Core Damage Frequency. The threshold values are consistent with the EPRI Probabilistic Safety Assessment Application Guide. Since the Reactor Containment Fan Coolers have little impact in the Probabilistic Safety Assessment, the Allowed Outage Times were determined using engineering judgment. Therefore, a train out-of-service time of 28 days results in no or little impact to the Core Damage or Large, Early Release Frequencies. The same argument is true for two trains of Reactor Containment Fan Coolers out-of-service for 7 days resulting in no or little impact to the Core Damage or Large, Early Release Frequencies.

[Graph: cumulative risk versus Days (0 to 25) for 1 Train of RCFC and 2 Trains of RCFC, with the Non Risk Significant Threshold and the Potentially Risk Significant Threshold. Annotations: Infinite Days for 2 RCFC Trains; Infinite Days for 1 RCFC Train.]

Residual Heat Removal System (ITS Section 3.5.2)

I. System / Function Description

System Function: The Residual Heat Removal System transfers heat from the Reactor Coolant System to the Component Cooling Water System to reduce the temperature of the reactor coolant to the cold shutdown temperature at a controlled rate during the second phase of normal plant cooldown and maintains this temperature until the plant is started up again.

The flow path through the Residual Heat Removal heat exchangers serves as part of the Low Head Safety Injection System during the injection and recirculation phases following a Loss of Coolant Accident.

The Probabilistic Safety Assessment system analysis models both functions of the Residual Heat Removal System.

System Success Criteria: At least one of the three Residual Heat Removal trains is put into service during normal and accident conditions to remove decay heat from the Reactor Coolant System. Also, a flow path through the Residual Heat Removal heat exchanger is available for one operating Low Head Safety Injection pump train during recirculation following injection in response to a Loss of Coolant Accident.

Potential of an Initiating Event: Normal operation of the Residual Heat Removal System occurs after the plant has been shut down. Inadvertent operation of the Residual Heat Removal System during plant operation will not impact the Reactor Coolant System since the Reactor Coolant System pressure during plant operation is much higher than the Residual Heat Removal pump head. Inadvertent opening of both isolation Motor-Operated Valves in any of the inlet lines would overpressurize the Residual Heat Removal piping, possibly resulting in a medium or large break Loss of Coolant Accident.

Systems Supported: The following defines where systems interface with the Residual Heat Removal System and describes the functional support provided by the Residual Heat Removal System:

Reactor Coolant System

The Residual Heat Removal System removes residual heat from the core and sensible heat from the Reactor Coolant System during plant cooldown and refueling operations (Operating Modes 4, 5, and 6). Each Residual Heat Removal pump takes suction on a Reactor Coolant System loop hot leg and returns flow to the corresponding Reactor Coolant System loop cold leg.

ITS_RHR.DOC 5/22/96 1

Residual Heat Removal pumps B and C provide the capability of returning water from the reactor cavity to the Refueling Water Storage Tank. The Residual Heat Removal System inlet and outlet isolation valves serve as part of the Reactor Coolant Pressure Boundary between the Reactor Coolant System and Residual Heat Removal System.

Chemical and Volume Control System

During plant heatup and cooldown, the Residual Heat Removal System provides a Reactor Coolant System purification flow into the Chemical and Volume Control System downstream of the letdown orifices. This path (from Residual Heat Removal System Train A or B) is placed in service approximately four hours after reactor shutdown when Reactor Coolant System pressure is too low to obtain adequate purification flow through the Chemical and Volume Control System letdown orifices. An alternate arrangement using a circulation pump (refueling water purification pump) located upstream of the Chemical and Volume Control System letdown heat exchanger is provided for use when the inlet pressure from the Residual Heat Removal System is sufficiently low. During this mode, the fluid is returned to the Train A Residual Heat Removal pump suction from upstream of the volume control tank.

Safety Injection System

The Residual Heat Removal System return lines serve as part of the Emergency Core Cooling System Low Head Safety Injection lines during Safety Injection System cold-leg injection and recirculation phase following an accident.

The Residual Heat Removal System heat exchangers, valves, and piping serve as the Emergency Core Cooling System Low Head Safety Injection lines during Safety Injection System hot-leg recirculation. The flow circuit extends from the Low Head Safety Injection pumps discharge through the heat exchanger to the High Head Safety Injection pump discharge piping connected to the Reactor Coolant System hot legs.

The Residual Heat Removal System is supported by:

480 V Load Center
480 V MCC
125 V DC
Engineered Safety Feature Actuation System
Instrument Air System
Component Cooling Water System

Risk Significance: The risk significance of the Residual Heat Removal system has been addressed by the South Texas Project response to the Maintenance Rule. The Probabilistic Safety Assessment analysis of the effect of the Residual Heat Removal system on accident consequences determined that this system has a medium risk significance.


II. Proposed Technical Specification Allowed Outage Time (Required Action Time)

Based on the assumed reliability, availability, and relative importance of the Residual Heat Removal system, the Probabilistic Safety Assessment can be used to justify, in Modes 1, 2 and 3, one Residual Heat Removal train out-of-service for 14 days and two Residual Heat Removal trains out-of-service for 7 days.


III. Quantification

The cumulative risk significance for one or more Residual Heat Removal trains out-of-service is shown in the graph below. For one train out-of-service, the non-risk significant threshold (1E-6) is used to evaluate the incremental impact of the Technical Specification Allowed Outage times. This is considered to be within the constraints of voluntary entries and is consistent with on-line maintenance activities at the South Texas Project. For two trains out-of-service, the potentially risk-significant threshold (1E-5) is used to evaluate the incremental impact since these conditions represent rare involuntary events. These thresholds are consistent with the EPRI Probabilistic Safety Assessment Application Guide.

The graph represents one and two trains of Residual Heat Removal out-of-service. For one train, an Allowed Outage Time of 14 days does not cross the non-risk significant threshold. For the case of two Residual Heat Removal trains, a 7-day Allowed Outage Time is justified by crossing the potentially risk significant threshold after 7 days.

[Figure: cumulative risk versus Days (0 to 25) for 1 Train of RHR and 2 Trains of RHR, plotted against the Non Risk Significant Threshold and the Potentially Risk Significant Threshold. Annotations: "393.3 Days for 2 RHR Trains"; "1,004.8 Days for 1 RHR Train".]


Standby Diesel Generator System (ITS Sections 3.8.1 and 3.8.2)

I. System / Function Description

System Function: The function of the Standby Diesel Generator System is to serve as the source of electric power to the Engineered Safety Feature buses in the event of loss of offsite power. The Standby Diesel Generator is capable of supplying sufficient power to the Engineered Safety Feature buses to safely shutdown the plant following loss of offsite power while at full power. The Standby Diesel Generator System is also capable of supplying sufficient power to the Engineered Safety Feature buses to power the Engineered Safety Feature equipment during and after a design basis accident with a concurrent or subsequent loss of offsite power.

System Success Criteria: Each diesel generator must start automatically and operate continuously to supply power to the respective Engineered Safety Feature buses for at least 24 hours following loss of offsite electrical power to the Engineered Safety Feature buses.

Potential of an Initiating Event: Loss of the diesel generators is not an initiating event.

Systems Supported: The Standby Diesel Generator System provides power to the Class 1E 4.16kV AC Electric Power System in the event of a loss of offsite power. The Class 1E 4.16kV AC Electric Power System provides electrical power to the Engineered Safety Feature components.

The Standby Diesel Generators are supported by:

Fuel Oil Storage and Transfer System
Essential Cooling Water System
Demineralized Water Makeup System
Class 1E 125 VDC
Non-1E 125 VDC
480 V Motor Control Centers
120V AC Vital Power System
Engineered Safety Features Actuation System
Electrical Heat Tracing and Freeze Protection System
Diesel Generator Building HVAC

Risk Significance: Because of the potentially large effect of the standby diesel generators on accident consequences, this system has a high risk significance.

ITS_SDG. DOC 5/22/96 1

II. Proposed Technical Specification Allowed Outage Time (Required Action Time)

Based on the assumed reliability, availability, and relative importance of the AC Power Sources, the Probabilistic Safety Assessment can be used to justify, in Modes 1, 2, 3, and 4, one standby diesel generator out-of-service for 7 days, and two standby diesel generators out-of-service for 1 day (time to return one to service).


III. Quantification

The cumulative risk significance for one or more Standby Diesel Generators out-of-service is shown in the graph below. For one train out-of-service, the non-risk significant threshold (1E-6) is used to evaluate the incremental impact of the Technical Specification Allowed Outage times. This is considered to be within the constraints of voluntary entries and is consistent with on-line maintenance activities at the South Texas Project. For two trains out-of-service, the potentially risk-significant threshold (1E-5) is used to evaluate the incremental impact since these conditions represent rare involuntary events. These thresholds are consistent with the EPRI Probabilistic Safety Assessment Application Guide.

The graph represents one and two trains of Standby Diesel Generators out-of-service. For one train, an Allowed Outage Time of 7 days does not cross the non-risk significant threshold. For the case of two Standby Diesel Generators, a 1-day Allowed Outage Time is justified by crossing the potentially risk significant threshold after 24 hours.

[Figure: cumulative risk versus Days (0 to 25) for 1 Train of DG and 2 Trains of DG, plotted against the Non Risk Significant Threshold and the Potentially Risk Significant Threshold. Annotations: "43.7 Days for 2 DG Trains"; "68.7 Days for 1 DG Train".]


Safety Injection System (ITS Section 3.5.2)

I. System / Function Description

System Function: The Safety Injection System consists of three trains of Low Head and High Head pumps with associated valves and piping in standby readiness for injection into the Reactor Coolant System. Its function is to provide inventory control during Loss of Coolant Accident and Steam Generator Tube Rupture events when the primary inventory loss is at or below the pressure set point for the Safety Injection pumps.

The High Head Safety Injection System is credited in the Probabilistic Safety Assessment with functioning to provide inventory control during Loss of Coolant Accident and Steam Generator Tube Rupture events when the primary inventory loss is at high pressure and beyond the capacity of the normal charging system. The Probabilistic Safety Assessment also models its injection of cold water for bleed and feed cooling when no secondary heat removal is possible.

The Low Head Safety Injection System is credited in the Probabilistic Safety Assessment with functioning to maintain the primary inventory level after a Loss of Coolant Accident when the primary pressure is below Low Head Safety Injection pump shutoff.

System Success Criteria: The system success criteria utilized in the Probabilistic Safety Assessment is one High Head train for small-break, and two High Head Safety Injection trains for medium-break, Loss of Coolant Accidents. Small break Loss of Coolant Accidents will require only one Low Head Safety Injection pump; however, medium break and large break Loss of Coolant Accidents will require two Low Head Safety Injection pump trains. One, two or three Low Head Safety Injection pumps start from standby, manually or automatically on a Safety Injection signal, take suction from the common suction line, and discharge into the injection line, continuing operation for 24 hours.

Potential of an Initiating Event: A pipe break downstream of the check valves in the Safety Injection lines will result in a large Loss of Coolant Accident. This event is subsumed in the Large Loss of Coolant Accident initiating event. Inadvertent actuation of two of the four Safety Injection signals will result in a reactor trip but injection into the Reactor Coolant System will not occur since normal reactor operating pressures are higher than safety injection system design.

Systems Supported: The Safety Injection System provides the following support functions:

Reactor Coolant System

The Safety Injection isolation valves serve as part of the Reactor Coolant Pressure Boundary between the Reactor Coolant System and Safety Injection System. None of these valves are included in the Safety Injection System but are included in the Probabilistic Safety Assessment model of the Safety Injection Common system.

Containment Spray System

The Containment Spray pumps take suction from the Safety Injection System during the injection phase (from Refueling Water Storage Tank) and recirculation phase (from sump).

ITS_SI.DOC 5/22/96 1

The Safety Injection System is supported by:

Class 1E 480 V distribution System
Class 1E 4.16 KV auxiliary System
Engineered Safety Feature Actuation System
Residual Heat Removal System

Risk Significance: The risk significance of the safety injection system has been addressed by the South Texas Project response to the Maintenance Rule. Because of the potentially large effect of the Safety Injection system on accident consequences, this system has a high risk significance.


II. Proposed Technical Specification Allowed Outage Time (Required Action Time)

Based on the assumed reliability, availability, and relative importance of the Safety Injection system, the Probabilistic Safety Assessment can be used in Modes 1, 2, 3, and 4 to justify one train of Safety Injection out-of-service for 7 days, and two trains of Safety Injection out-of-service if one of them is restored to service within 1 day.


III. Quantification

The cumulative risk significance for one or more Safety Injection trains out-of-service is shown in the graph below. For one train out-of-service, the non-risk significant threshold (1E-6) is used to evaluate the incremental impact of the Technical Specification Allowed Outage times. This is considered to be within the constraints of voluntary entries and is consistent with on-line maintenance activities at the South Texas Project. For two trains out-of-service, the potentially risk-significant threshold (1E-5) is used to evaluate the incremental impact since these conditions represent rare involuntary events. These thresholds are consistent with the EPRI Probabilistic Safety Assessment Application Guide.

The graph represents one and two trains of Safety Injection out-of-service. For one train, an Allowed Outage Time of 7 days does not cross the non-risk significant threshold. For the case of two Safety Injection trains, a 1-day Allowed Outage Time is justified by crossing the potentially risk-significant threshold after 24 hours.

[Figure: cumulative risk versus Days (0 to 25) for 1 Train of SI and 2 Trains of SI, plotted against the Non Risk Significant Threshold and the Potentially Risk Significant Threshold. Annotations: "3.8 Days for 2 SI Trains"; "26.5 Days for 1 SI Train".]
