ML20129H414

Safety Evaluation Supporting Amends 85 & 72 to Licenses NPF-76 & NPF-80, respectively
Site: South Texas (STP Nuclear Operating Company)
Issue date: 10/31/1996
From: NRC (Affiliation Not Assigned)
Shared Package: ML20129H407
References: NUDOCS 9611050224


UNITED STATES

NUCLEAR REGULATORY COMMISSION

WASHINGTON, D.C. 20555-0001

SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION

RELATED TO AMENDMENT NOS. 85 AND 72 TO FACILITY OPERATING LICENSE NOS. NPF-76 AND NPF-80

HOUSTON LIGHTING & POWER COMPANY

CITY PUBLIC SERVICE BOARD OF SAN ANTONIO

CENTRAL POWER AND LIGHT COMPANY

CITY OF AUSTIN, TEXAS

DOCKET NOS. 50-498 AND 50-499

SOUTH TEXAS PROJECT, UNITS 1 AND 2

1.0 INTRODUCTION

By application dated May 1, 1995, as supplemented by letters dated June 22, August 28, November 22, and December 19, 1995, and January 4, 8 (two letters), and 23, June 27, July 9, August 8, and September 23, 1996, Houston Lighting & Power Company, et al., (the licensee) requested changes to the Technical Specifications (TSs) (Appendix A to Facility Operating License Nos. NPF-76 and NPF-80) for the South Texas Project, Units 1 and 2 (STP).

The proposed changes would allow extension of the standby diesel generator (SDG) allowed outage time (AOT) to 14 days, and extension of the essential cooling water (ECW) loop and the essential chilled water (ECHW) loop allowed outage times to 7 days. The amendments also add to Administrative Controls a description of the Configuration Risk Management Program (CRMP) used to assess changes in core damage probability resulting from applicable plant configurations.

The purpose of these proposed changes is to obtain greater flexibility in the scheduling of preplanned preventive maintenance of the SDGs and the ECW and ECHW systems.

The August 8 and September 23, 1996, supplements provided clarifying information and did not change the initial no significant hazards consideration determination.

2.0 BACKGROUND

The licensee's May 1, 1995, application, up to and including the January 23 supplement, proposed allowing the extension of an SDG AOT for a cumulative of 21 days, once per train per cycle. In addition, it proposed extending the AOT on each ECW loop for a cumulative of 7 days, once per train per cycle.


Based on feedback from NRC, the licensee revised their application by letters dated June 27, July 9, August 8, and September 23, 1996. The proposed TS changes would now allow extension of the SDG allowed outage time from 72 hours to 14 days, and extension of the ECW loop and the ECHW loop allowed outage times from 72 hours to 7 days.

In the unlikely event that a second SDG should become inoperable during the 14-day AOT, there is also a proposed change to extend the allowed outage time for 2 inoperable SDGs from 2 to 24 hours. If all 3 SDGs should become inoperable, the AOT would be the same as in the current TSs (2 hours).

The new amendments would also add to TS Administrative Controls a description of the CRMP used to assess changes in core damage probability resulting from applicable plant configurations. Revised Bases were also proposed consistent with the proposed TS changes.

3.0 PROPOSED CHANGES

TS and Bases 3/4.7.4 - ECW System

The licensee proposes extending the TS AOT for one inoperable ECW loop from 72 hours to 7 days. The proposed Bases indicates that when an ECW loop is taken out of service, the impact on plant risk can be assessed by the licensee's CRMP.

TS and Bases 3/4.7.14 - ECHW System

The licensee proposes extending the AOT for one inoperable ECHW loop from 72 hours to 7 days. The proposed Bases indicates that when an ECHW loop is taken out of service, the impact on plant risk can be assessed by the licensee's CRMP.

TS and Bases 3/4.8.1 - AC Sources

The licensee proposes extending the AOT for one inoperable SDG from 72 hours to 14 days, and extending the AOT for 2 inoperable SDGs from 2 to 24 hours.

The licensee proposes that currently existing footnote 10 (which allows testing to be performed during power operation provided the other 2 SDGs are operable) would also apply to the 18-month SDG inspection, and proposes that a new footnote 11 (which allows that credit may be taken for events that satisfy any of these surveillance requirements) would apply to the demonstration of SDG operability.

The proposed Bases indicates that when an SDG is taken out of service, the impact on plant risk can be assessed by the licensee's CRMP. The proposed Bases also indicates that a single train onsite AC source can effectively mitigate all but the most severe events with operator action in some cases, that the events that cannot be mitigated by a single train onsite AC source are highly unlikely, and that the 18-month SDG inspection be conducted once per cycle.

Administrative Controls TS 6.8.3.k - CRMP

The licensee proposes that the CRMP would assess changes in core damage frequency and cumulative core damage probability resulting from applicable plant configurations. The CRMP would include training of personnel, procedures for identifying plant configurations, the generation of risk profiles and the evaluation of risk against established thresholds, and provisions for evaluating changes in risk resulting from unplanned maintenance activities.

4.0 STAFF EVALUATION

The staff evaluated the licensee's proposed amendment to the TSs using both deterministic analysis and probabilistic risk analysis (PRA) methods. The staff's deterministic analysis evaluated the capabilities of a single train of engineered safety features (ESF) equipment at STP to mitigate all design basis events. The results of this deterministic evaluation were then used by the staff to determine the safety impact of extending the AOTs for one SDG, for one train of ECW, and for two trains of ESF equipment. The results of this deterministic evaluation showed that with only one train of ESF equipment available and allowing for some operator actions, the licensee would be able to mitigate all design basis events except for one particular large break loss-of-coolant accident (LOCA) scenario.

4.1.a Evaluation of the SDG AOT Extension

STP is a two unit site originally built with three separate and redundant safety-related electrical power trains per unit. Each of these three safety-related power trains is backed up with its own onsite SDG, and any one of the three SDGs can provide sufficient power to safely shut down its associated reactor and remove the reactor's decay heat for all risk significant core damage frequency (CDF) sequences identified in the STP plant-specific probabilistic safety assessment (PSA).

In addition to the six Category I SDGs, the licensee also has available onsite other diesel generators which can be used to supply emergency power to the Technical Support Centers and balance of plant equipment.

In addition to the normal 345 kV sources of offsite power, the STP electrical design includes a 138 kV source of power from a radial line out of Central Power and Light Company's Blessing Substation which can supply emergency power to Units 1 and 2 through a separate emergency transformer. This emergency transformer is physically separated from both the Unit 1 and Unit 2 standby transformers by a minimum of 800 feet.

The licensee has stated that the SDGs will have performance goals set in accordance with 10 CFR 50.65, the Maintenance Rule, and that both diesel generator reliability and availability will be monitored and controlled in accordance with its maintenance rule performance goals.

The licensee's monitoring program will be used then to periodically evaluate the overall reliability and availability of the SDGs and to ensure that neither measure of performance significantly decreases before remedial actions are taken. The licensee's station blackout (SBO) reliability goal for SDGs is 0.975.

Each STP unit has three trains of ESF, each backed up by its own SDG. Any one of the three Class 1E SDGs per unit can be designated as an alternate AC power source (NRC SBO Safety Evaluation for STP dated July 24, 1995). The licensee states that the circuit between the 138 kV offsite power source, via the emergency transformer, and the onsite Class 1E distribution system, and the technical support center diesel generator, will be functional and available prior to removing an SDG from service. The 138 kV offsite power source, via the emergency transformer, has a capacity greater than any SDG. The licensee states that it will verify at least once per shift that the emergency power transformer breaker alignment is correct and that power is available from the transformer. The above will be satisfied no matter which SDG the licensee removes from service.

The licensee stated that the maintenance activities in the switchyard which could directly cause a loss of offsite power event will be prohibited unless required to ensure the continued reliability and availability of the offsite power sources. Transmission and Distribution personnel will be involved in this planning process to ensure all work to be performed is preplanned and no risk significant work is scheduled in the switchyard during the AOT. The licensee also stated that "current plant procedures will prevent voluntary entry into this LCO [limiting condition for operation] during expected adverse weather conditions." The weather conditions included are hurricane, tornado, and flood watches and warnings.

In view of the capability of the design to mitigate all design basis events with two SDGs and the compensatory measures taken during the AOT extension, as discussed above, the staff considers performing maintenance on the onsite emergency power sources during power operation acceptable on a deterministic basis.

4.1.b Evaluation of the AOT Extension for Two Inoperable SDGs

In addition to requesting an AOT extension for one inoperable SDG, the licensee also has requested that the AOT for two inoperable SDGs be extended from 2 hours to 24 hours. The staff finds the proposed change to be acceptable for the following reason.

In the case of a more typical two train plant design, if all onsite AC power is unavailable, then a 2 hour AOT is allowed as long as both offsite power sources continue to be available. At STP, with two of the three SDGs inoperable (for up to 24 hours), an almost fully capable train of ESF equipment will be available to mitigate the consequences of postulated events. The staff evaluated the potential effects of having only one SDG available in Sections 4.3 through 4.6.

4.1.c Conclusions Regarding the SDG AOT Extension

On the basis of its review, the staff finds that the licensee's request for an SDG AOT extension of 14 days for each inoperable SDG is deterministically acceptable. The results of the staff's evaluation in Sections 4.3 through 4.6 show that in almost all cases, the safety systems powered from only one train of onsite AC power are capable of mitigating the consequences of design basis events. For a very few cases, proper and timely operator actions would be required to assure that selected safety systems performed their function. Based on these findings, the licensee's request to extend the AOT for two inoperable SDGs from 2 hours to 24 hours is also deterministically acceptable.

4.2 Evaluation of the ECW and ECHW System AOT Extensions

The ECW system consists of three independent trains, any one of which can successfully mitigate all design basis accidents except for certain LOCA break sizes and locations as defined in Section 4.3.a. Although the ECW system does not directly support high head safety injection (HHSI) pump operation, the ECW system does provide cooling water to the ECHW system which provides cooling water to the HHSI pump room coolers. Thus, the unavailability of an ECW train affects the unavailability of an ECHW train and a HHSI pump.

The ECW and ECHW systems can meet almost all their safety design bases with only one operable train, including all of the more probable accidents and anticipated operational occurrences as defined in Appendix A to 10 CFR Part 50. Therefore, the proposed AOT of 7 days is conservative and an appropriate value for the capability of the three train ECW and ECHW systems.

Based on its evaluation as described above and in Sections 4.3 through 4.6, the staff finds that the proposed change to increase the ECW and ECHW system AOTs is consistent with previously approved AOTs for cooling systems of similar capability (extra redundancy), provides added operational flexibility without compromising plant safety, is adequately supported by the licensee's risk assessment associated with the proposed change, and could potentially result in an overall decrease in plant shutdown risk due to increased availability of the ECW and ECHW systems during shutdown. These findings are also supported by the staff's review and evaluation of the licensee's PSA findings in Section 4.6 of this evaluation. The staff, therefore, concludes that the proposed changes to extend the ECW and ECHW system AOTs are acceptable.

4.3 Evaluation of Safety Related Functions Affected by the SDG and ECW AOT Extensions

The staff has reviewed the licensee's submittal for compliance with the requirements contained in 10 CFR 50.46, noting that a single failure of the emergency core cooling system (ECCS) does not have to be assumed to occur while one ECCS train is out-of-service under the AOT allowed by the TS action statement. However, since the licensee's proposed changes involved extending some AOTs significantly beyond that contained in standard TSs, the staff has evaluated the capability of a single train of ESF equipment at STP to mitigate the consequences of a design basis event to determine the safety impact of the proposed amendment. The events causing the greatest concern during the proposed extended AOTs are the LOCA and the main steamline break (MSLB) accident. A deterministic assessment of these events assumes that there is a loss of offsite power coincident with the LOCA and that the breaks occur in the piping location that results in the greatest loss of inventory. The staff's deterministic evaluation of the proposed amendment included a review of the licensee's LOCA and MSLB accident analyses, and a review of the capability of the residual heat removal (RHR) system to provide long term cooling. The staff also evaluated how the auxiliary feedwater system, the component cooling water system, the fuel handling building filtration system, and equipment qualification would be affected by the licensee's proposed amendment request.

4.3.a Loss-of-Coolant Accident (LOCA)

As per the January 4, 1996, letter from the licensee, the design basis for STP is three ESF trains with consideration of a single failure. The LOCA analysis of record assumes the flow from one train of safety injection (SI) fails (single failure), flow from one train of SI goes out the break, and flow from the third train of SI injects into the reactor coolant system (RCS). The proposed AOT extensions basically use the same action statement wording as in the current TSs, with the exception that the time to restore the inoperable component to operable status is increased. For deterministic assessment a single failure is not considered when the plant is operating in an action statement. However, the impact of excluding the single failure while in the action statement needs to be reviewed to ensure that there is no significant increase in the risk estimate for the plant.

The large break and small break LOCA analysis of record assumes a loss of offsite power, the break occurs in the cold leg of the RCS, one safety train fails to start, one train of safety injection flow goes out the break into containment and one train provides the required ECCS flow. For the 14-day AOT, if a single failure is not assumed to occur when one ECCS train is inoperable, then the second ECCS train feeds the break, and the third ECCS train is available to inject sufficient ECCS flow into the RCS, consistent with STP's LOCA analysis. Therefore, the 14-day AOT being proposed will not impact the ability of the SI system to provide adequate cooling when no single failure is assumed and the SI system will continue to satisfy the ECCS cooling requirements of 10 CFR 50.46 for all RCS break sizes. The staff agrees with the licensee's assessment because with no additional single failure being assumed for the ECCS, the ECCS cooling capability is consistent with STP's LOCA analyses.

For the 24-hour AOT period, or the 14-day AOT period assuming a single failure of one diesel, circumstances exist wherein the available ECCS pumps may not be able to maintain core cooling. Assuming a loss of offsite power, as required by 10 CFR 50.46, only one train of ECCS would remain available for cooling during the 24-hour AOT period (or the 14-day period assuming the single failure of the diesel). If the break is assumed to occur in the cold leg that the ECCS train is injecting into, all of the safety injection would go out the break into the containment and no core cooling would occur. Thus, sufficient ECCS cooling to meet the requirements of 10 CFR 50.46 cannot be assumed. Therefore, using a deterministic approach and postulating a LOCA, an extended AOT may not be supported.

Realistically, if a small break LOCA occurs while only one ECCS train is in operation (the 24-hour AOT or the 14-day AOT with a single failure), the licensee can depressurize and cool down the plant using non-safety grade equipment by employing emergency operating procedures for post-accident depressurization and cooldown. Based on the core exit thermocouple temperatures, OPOP05-E0-FRC1, "Response to Inadequate Core Cooling" and OPOP05-E0-FRC2, "Response to Degraded Core Cooling", the operator is directed to depressurize the RCS so that the accumulator and low head safety injection system can provide ECCS flow to supply core cooling. These actions can be taken from the control room in a timely manner. The specific break sizes for which the procedures would be acceptable have not been specified by the licensee.

4.3.b Main Steamline Break (MSLB)

The licensee's current Updated Final Safety Analysis Report (UFSAR) indicates that two trains of safety injection are required to mitigate the return to power and to prevent the fuel from experiencing departure from nucleate boiling (DNB) following a MSLB. As per the licensee, with only one train available the possibility of return to power is increased slightly above the analyzed value. Assuming two safety injection trains are operable, the current calculated departure from nucleate boiling ratio (DNBR) for Unit 1, Cycle 5 and Unit 2, Cycle 5 is 2.61 and 2.04, respectively. The acceptance limit is 1.495. There is a significant amount of DNB margin to offset the DNB penalty associated with the potential increase in the reactor power due to only one operable safety injection train following a MSLB.

In a letter dated January 23, 1996, the licensee indicated that the results of its reevaluation confirm that DNB is not expected to occur following a MSLB with only one safety injection train operable. Therefore, the acceptance criteria for a MSLB can be satisfied with only one safety injection train operable.

4.3.c Loss of Charging Pumps

There are only two trains of charging pumps at STP, powered from safety trains A and C. If safety train B is the only safety train available, then the charging pumps would be unavailable. A loss of charging pumps would lead to the loss of seal injection flow to the reactor coolant pump (RCP) seals.

Based on the licensee's submittal, if there is a loss of RCP seal injection during a loss of offsite power, the seal cooling can be accomplished by component cooling water (CCW) through the RCP thermal barrier and the CCW associated with safety train B will provide adequate CCW flow to the RCP thermal barrier to prevent seal damage. Based on the above, we find that the RCP seal integrity could be maintained by only one operable diesel generator train.

4.3.d RHR Heat Exchanger Cooling via CCW and RHR System Long-Term Cooling

The licensee indicated that failure to isolate a non-essential header (see Section 4.3.f) would lead to reduced RHR heat exchanger cooling via CCW. The flow rate to the RHR heat exchangers is projected to be 85 percent to 90 percent of design flow and the peak CCW supply temperature to the ECCS components would be approximately 130°F. The licensee concluded that one train of CCW is sufficient to achieve safe shutdown of the plant because the STP units are designed so that hot standby is safe shutdown. This conclusion is consistent with the licensee's assessment documented in the STP docket. Since the recovery of off-site power to the ESF bus is expected within 8 hours per the licensee's SBO analysis, more than one train of CCW will be available to reduce plant conditions to cold shutdown.

STP has the ability to provide long term cooling via the RHR system, which is not a part of the ECCS, or via the steam generator using auxiliary feedwater and atmospheric dump valves (ADVs). During power operation, the RHR system is isolated from the RCS by two motor operated valves. These valves prevent overpressurization of the RHR system, by the RCS, during power operation. If there is a loss of AC power during power operation, the valves will remain closed. RHR function is only required during low pressure operation, at which time, the valves are required to be opened and re-closure of these valves is not a required safety function.

If a LOCA occurs with loss of offsite power during the AOT, long term cooling is accomplished through the low-head safety injection (LHSI) system with suction from the containment sump, for a large break LOCA, or via the auxiliary feedwater (AFW) and ADVs with heat removal through the steam generator, for a small break LOCA prior to RHR initiation. The above long term cooling function could be achieved with only one operable SDG. The AFW is supplied from a safety grade AFW storage tank with a minimum of 495,000 gallons of water. This water storage capacity is sufficient to support 12 hours of AFW operation during which the plant can remain in a hot standby condition for 4 hours and cool down the RCS to 350°F, at the rate of 25°F/hour. After 12 hours, a minimum of two SDGs must be made operable or offsite power must be restored in order to initiate the RHR system for plant cold shutdown. Since off-site power (and therefore RHR) is expected to be recovered within 8 hours, the capability of AFW to perform heat removal is sufficient.

4.3.e Auxiliary Feedwater System (AFW)

One of the worst-case design basis feedwater system pipe break (with loss of offsite power (LOOP)) scenarios results in only the Train B AFW pump automatically feeding one steam generator (B). The AFW system has four AFW pumps (A, B, C and D) with the D pump being turbine driven while the other three are motor driven from their respective safety (SDG) bus (A, B and C). The automatic actuation circuits for both A and D pumps are powered from the A electrical train. The actuation circuits for the B and C pumps are powered from the B and C electrical trains, respectively. Therefore, under the analyzed scenario, SDG A is assumed to fail resulting in only AFW Trains B and C automatically starting and feeding Steam Generators B and C, respectively (note that the turbine-driven pump [D] could still be manually initiated). The feedwater system pipe break was assumed to occur at the C steam generator resulting in all the AFW flow from Pump C being fed to the faulty steam generator (exiting through the break). The acceptance limit for this scenario is that the pressurizer does not go solid within 30 minutes.

If SDG C is the only diesel being assumed available (under the 24-hour action statement of the proposed AOT period or with a single failure during the 14-day action statement) no AFW flow would be automatically delivered to an intact steam generator. However, if this situation were to occur, ample time exists to realign the C pump to feed one of the intact steam generators to ensure no increase in consequences from this event. In its July 9, 1996, submittal, the licensee indicated it would take 5 minutes for an operator to be dispatched to the isolation valve cubicle and another 10 minutes to perform the necessary valve manipulations to feed an intact steam generator. The staff concludes that these operator actions are acceptable to prevent a water solid pressurizer.

4.3.f Component Cooling Water System (CCW)

The CCW system is a three train system. However, situations could occur with only one train available where the remaining train may not be able to supply design basis flow to all components without operator action.

In addition to the accident heat loads, there are two non-essential headers fed by all three trains of the CCW system. One is referred to as the common header and the other, the nonsafety header.

The common header provides cooling to the spent fuel pool cooling (SFPC) system while the nonsafety header provides cooling water to the boron recycle system (BRS), the letdown heat exchanger and other small nonessential loads, including the charging pumps.

None of the loads supplied by either of these non-essential headers are required for safe shutdown or to mitigate the consequences of any design basis accidents. There are two series motor operated isolation valves (MOVs) for each of these headers. One MOV on each line is powered by Train C, while the other is powered by Train A on the nonsafety header and Train B on the common header. These valves are normally open and automatically close on an ESF signal to assure adequate flow to required accident loads (RHR pumps and heat exchangers, and reactor containment fan coolers) in the event of accident conditions. Unless the one remaining operable electrical train is Train C, one of the headers would not isolate in the event of an ESF signal (assuming only one SDG is available). With only one CCW pump available (which occurs during the 24-hour SDG AOT, or if a single active failure is assumed during the 14-day SDG AOT) and one of these headers unisolated, enough flow is diverted so that the accident loads may not receive the design CCW flow. However, operator actions can be taken to manually close the affected MOV. Since the operators will be aware of being in the LCO, they would also be aware of, and have procedures for, necessary operator actions in the event an accident or transient occurs. This should increase the potential to restore design CCW flow to the required components. Even if operator actions are not taken to restore design basis CCW flow to the accident loads, the results are acceptable as described in Sections 4.3.c, 4.3.d and 4.4.a of this evaluation.

Therefore, the staff concludes that the CCW system is capable of handling all postulated events with one CCW train if credit is given for successful operator actions, i.e., manual valve operation. Note that operator actions are not required if the operable SDG is Train C since both nonessential headers would still automatically isolate on an ESF signal.

4.3.g Fuel Handling Building (FHB) Filtration System

The licensee has identified that only two trains of FHB filtration are diesel generator backed (Trains A and B). Thus, if SDG C is the only available diesel generator, the capability for FHB filtration is assumed lost. During power operation, the primary safety function of the FHB filtration system is to mitigate the consequences of a design basis LOCA by ensuring that radioactive materials leaking from the ECCS equipment within the FHB following a LOCA are filtered prior to reaching the environment. Assuming that the entire FHB filtration system is made up of only two trains is a conservative assumption. The actual design has only two filter trains but uses three 50 percent trains of exhaust fans to provide the required air flow through the filters. Each train of exhaust fans is powered from a separate diesel generator backed bus (Trains A, B and C). Therefore, if SDG C was the only diesel generator available, one train of filtration is still available with the exception that there would be no power to either of the heaters (Train A and B) in the flow path to the filter units. With no heaters available, the efficiency of the filtration units could be reduced if the moisture in the air stream reached a 70-percent-relative-humidity level or higher. Thus, calculated offsite dose limits could potentially be exceeded if the worst case LOCA were assumed. However, procedures are available to energize the Train B heaters from the C SDG. The current TSs provide an AOT of 7 days if one of the filter trains is inoperable for any reason, e.g., loss of one heater or loss of any one fan. This basically means that, for 7 days, the system does not meet the single failure criterion even without a LOOP. The 7 days is based on a pure two train system (100 percent each) plus the fact that FHB filtration is not an ECCS function and, therefore, even a complete loss of function does not affect the CDF or the amount of core damage that can occur.

Based on the above, the staff concludes that AOT extensions for the SDGs are acceptable from the standpoint of potential FHB filtration system failure effects.

4.3.h Equipment Qualification (EQ)

For a main steam line break inside containment or a large break LOCA, the existing EQ licensing basis assumes two trains of containment spray and two trains of reactor containment fan coolers (RCFCs). During the extended AOTs for the SDGs (one operable for analysis purposes) this could be reduced to one train. The licensee reviewed the relevant analyses and concluded that adequate EQ margin exists to accommodate the resulting increase in temperature and pressure. Based on the licensee's conclusions, the required equipment is qualified for the resulting temperature and pressure profiles. Therefore, with only one SDG operating, a main steam line break inside containment or a large break LOCA does not result in exceeding the pressure and temperature EQ limits of the necessary equipment. However, in its August 28, 1995, submittal, the licensee indicated that for the large break LOCA, the EQ radiation dose limits inside containment may be exceeded if only one train of electrical equipment is available. Given the staff's experience that the radiation dose for which equipment is usually qualified is much higher than actual doses that are calculated to occur following a LOCA, the staff requested further clarification of the licensee's statement. The licensee clarified that the calculated post LOCA doses would increase (however, dose limits would not be exceeded) if only one train of containment spray and one train of RCFCs were assumed to operate. By letter dated November 22, 1995, the licensee verified that the resulting expected dose would still be below the EQ limits, and this is consistent with the staff's experience in this area. Therefore, the staff concludes that with only one diesel generator available, the conditions inside containment following a steam line break or a LOCA will not result in exceeding the EQ limits of equipment necessary to mitigate either of the assumed accidents.

4.3.i Anticipated Transients Without Scram (ATWS)

The licensee indicated that two trains of AFW are included in the analysis of secondary heat removal following an ATWS. Three of the trains, A, B, C, are motor operated pump trains and one is a turbine driven pump train D. The three motor driven pump trains receive an ESF signal to start from their respective safety trains, while AFW train D receives a start signal from safety train A. Since the start signals from the safety trains are backed up by plant batteries, an inoperable SDG would not render inoperable its associated safety train for generating a start signal to the AFW pump. Therefore, under the conditions that there is only one operable SDG, a motor driven AFW pump and the turbine driven AFW pump will be operable to satisfy secondary heat removal requirements following an ATWS.

4.3.j Conclusions Regarding Safety Related Functions Affected by the SDG and ECW AOT Extensions

The licensee has proposed to allow continued operation of STP for a period of up to 14 days with only two SDGs operable, for a period of 7 days with only two trains of ECW and ECHW operable, and for a period of up to 24 hours with only one train of ESF equipment available. With only one train of ESF equipment out-of-service at STP, and provided that the two trains which remained available could mitigate all design basis events assuming a single failure, then an essentially unlimited AOT could be allowed for one train of ESF equipment based on the general design criteria for light water reactors contained in 10 CFR Part 50, Appendix A. The design of STP, however, is such that if a particular small break LOCA in the cold leg should occur while only one train of ESF equipment is in operation, then the licensee would have to rely on operator actions to depressurize and cooldown the RCS, and if a particular large break LOCA in the cold leg were to occur, then the licensee would not be able to mitigate the postulated accident.

In past cases involving individual plant designs, where the designs have included more redundancy than the required two train minimum (e.g., three pumps, where each pump is fully capable and redundant to the other two pumps), a 30-day AOT has been allowed. In the case of a more typical two train plant design, an AOT of 72 hours is allowed when redundant ESF equipment becomes inoperable. If both trains of ESF equipment for a two train plant design become inoperable, then an immediate shutdown is required. For any plant design if all onsite AC power is unavailable, then a 2-hour AOT is allowed as long as offsite power continues to remain available. Therefore, with two operable trains of ESF equipment available, AOTs from between 72 hours and 30 days can be justified for the STP design. This is based on STP's similarity to previously accepted designs and the AOTs allowed for similar designs and the more typical two-train plant designs. The licensee's proposed AOT extensions are within the time limits previously allowed. Likewise, since an almost fully capable train of ESF equipment will be available to mitigate the consequences of any postulated event, the licensee's request to extend the AOT for operating with only one train of ESF equipment (one SDG) can also be justified based on STP's design.

The staff has performed a deterministic evaluation of the licensee's proposed amendment, using engineering judgement to evaluate the risk associated with single train operation of STP, and determined that the proposed amendment is acceptable. Based on its review, the staff has concluded that the STP design has sufficient redundancy to allow the proposed AOT extensions and that the STP design will continue to meet the requirements of 10 CFR 50.46. The results of the staff's probabilistic risk analysis evaluation (Section 4.6) support this deterministic evaluation and also find that the proposed AOT extensions are acceptable from an overall risk perspective.

4.4 Impact on Containment Design Basis and Safety Functions

4.4.a Design Basis Accidents

The design pressure and temperature for the containment structure is established based on consideration of a spectrum of pipe break sizes, break locations, initial reactor power levels, and possible single failures. For STP, loss of coolant accidents are limiting for peak containment pressure, and main steam line break accidents are limiting for maximum containment temperature. In support of the requested TS amendment, the licensee considered the impact on containment response for the spectrum of accidents if the design basis pipe break were to occur at STP while one of the SDGs for that unit were in an extended outage, and showed that the design basis accident remains limiting.

The licensee confirmed that the containment spray trains share only the Refueling Water Storage Tank, the spray ring headers, and some piping to the spray ring headers, and that there are no dependencies in electrical power, instrumentation, or support systems across trains for the containment spray system. Thus, for any combination of two diesel generators failed or out of service, one train of containment spray will remain available. Two RCFCs would be available given any one train of electrical power is in service. However, TS 3.6.2.3 allows one RCFC to be inoperable. In assessing the potential impact of the requested AOTs on the design basis, the licensee conservatively assumed one of the two RCFCs to be inoperable.

In addition to reducing the number of available containment spray trains and RCFCs from that assumed in the design basis accident (DBA), unavailability of a second diesel will result in a temporary degradation in the performance of the operable spray train and RCFC. Specifically, the spray initiation time would increase by about 50 seconds because the same volume of spray pipe and spray ring headers would be filled by one pump rather than two. Also, if the diesel generator failures include the C train, one of two CCW headers will not automatically isolate, resulting in a 10 percent decrease in flowrate and a 15°F increase in supply temperature to the operable RCFC (from design values) until the header is manually isolated. The licensee accounted for this degradation in safety system performance in their assessment of containment pressure and temperature response described below.

The DBA for peak containment pressure is a double-ended pump suction guillotine break with maximum safety injection and minimum containment heat removal (two of three trains of containment spray and three of six RCFCs operate). The peak calculated containment pressure for the DBA is 37.5 psig, and the containment design pressure is 56.5 psig. With only one train of containment spray and one RCFC in operation (and degraded as described above), the licensee estimates the peak containment pressure for the design basis break to be 46 psig. The margin between peak calculated and design pressure is sufficient that peak pressure will remain below design for the entire spectrum of pipe breaks considered in the UFSAR if only one safety train is available. The staff concludes that the containment design pressure remains valid and would not be exceeded if the design basis pipe break were to occur at STP while one of the SDGs for that unit was in an extended outage, and a second SDG was unavailable.

The DBA for maximum containment temperature is a double-ended rupture of the main steam line with main steam isolation valve (MSIV) failure and maximum containment heat removal (three trains of containment spray and five of six RCFCs operate). Peak calculated containment vapor temperature for the DBA is 323°F. The design temperature for the containment structure is 286°F, based on an analysis that assumes the peak vapor temperature is maintained for approximately 500 seconds. With only one train of containment spray and one RCFC in operation (and degraded as described above), the licensee estimates the maximum vapor temperature for the design basis break to be 329°F. The licensee also estimates that the calculated vapor temperatures exceed the design temperature for the containment structure (286°F) for approximately 300 seconds. Although the maximum vapor temperature with one train of sprays operating is higher than assumed in the design basis assessment, the period of time that the vapor temperature exceeds the structure design temperature is much less than in the design basis assessment (300 versus 500 seconds), and offsets the slightly higher vapor temperature. Because the temperature profile with one train operating is less severe than the temperature profile on which the structure design temperature is based, the staff concludes that the structure design temperature of 286°F remains bounding and would not be exceeded if the design basis pipe break were to occur at STP while one of the SDGs for that unit was in an extended outage, and a second SDG was unavailable.

4.4.b Containment Isolation

Containment isolation of various systems is accomplished in STP by two of the three safety trains. By letters dated August 28, and November 22, 1995, the licensee provided information regarding the ability to isolate containment given the loss of any two diesel generators. The licensee's assessment was based on a screening analysis of all containment penetrations that are required to isolate in the event of an accident, and a quantitative assessment of the containment isolation failure frequency with and without the requested AOTs.

Through the screening analysis, the licensee determined that most of the penetrations have an air operated valve which will be closed by ESF actuation or fail closed on a loss of instrument air. The only required containment isolation lines with MOVs both inboard and outboard are the containment radiation monitoring line (supplied by safety Trains A and B) and RCP seal return lines (supplied by safety Trains B and C). In both cases, these lines are small and emergency operating procedures contain instructions to manually isolate the lines using local, manually operated valves in the event of a loss of all AC power.

The licensee provided a comparison of the containment isolation failure frequency with and without the TS changes requested in their May 1, 1995, application (i.e., a cumulative SDG AOT of 21 days once per train per cycle, and a cumulative ECW AOT of 7 days once per train per cycle). Containment isolation failure is defined in the PSA as a failure to close at least one valve in each containment penetration. Failure to isolate small diameter and large diameter penetrations is modelled by separate top events in the PSA.

Risk from containment isolation failures is dominated by failure to isolate large diameter lines. The frequency of core damage with concurrent failure to isolate large diameter lines is 1.3E-7 per reactor-year in the base case PSA (without the requested AOTs). With the originally-requested AOTs, the failure frequency would increase to 1.9E-7 per reactor-year. Although this represents a 50 percent increase in isolation failure frequency, the increase is small in absolute terms. The licensee subsequently revised their application to limit the SDG AOT to 14 days rather than 21 days, as described in Section 3.0. The impact of the revised TS changes on containment isolation failure frequency was not requantified, but these changes would tend to reduce the frequency of containment failure below 1.9E-7 with the proposed AOTs. The staff concludes that the increase in isolation failure frequency would remain small and is therefore acceptable.

In order to provide heightened awareness among the operating staff during the requested AOTs and to prevent entry into the AOTs while in an action statement associated with containment integrity or containment purge valves, the licensee committed to a number of compensatory measures related to plant operations prior to and during the requested AOTs (Attachment 4 of the May 1, 1995, submittal). This includes a commitment that prior to commencement of maintenance under the proposed AOTs, containment integrity will be verified to ensure containment isolation penetrations are in their proper alignments and the reactor containment building supplemental purge valves will be verified to be operable and in their proper alignment. Additionally, containment purges that may be required during the AOTs will be strictly controlled. In a letter dated January 4, 1996, the licensee indicated that the requirement to perform this compensatory action is included in the administrative procedure that will be performed prior to each entry into the AOT action statements.

The staff concludes that the containment isolation function and the design criteria of General Design Criteria (GDC) 56, Appendix A to 10 CFR Part 50 will continue to be met if an accident occurs at STP while one SDG is in an extended AOT. If an accident were to occur while two SDGs were inoperable, then automatic isolation of the containment radiation monitoring line (supplied by safety Trains A and B) or the RCP seal return lines (supplied by safety Trains B and C) is not guaranteed. In both these cases, however, the lines are small and emergency operating procedures contain instructions to manually isolate the lines using local, manually operated valves in the event of a loss of all AC power. Based on this fact, the staff concludes that the estimated increase in containment isolation failure frequency associated with the requested AOTs would not represent a significant increase in the total risk for STP.

4.4.c Hydrogen Control

STP has two trains of hydrogen recombiners. Backup power to the recombiners is supplied by safety Trains B and C. By letter dated November 22, 1995, the licensee provided an assessment of the ability to power the hydrogen recombiners from alternate power sources, given the loss of preferred power sources.

Entry into the proposed AOT action statements requires the Emergency Transformer and associated 138 kV transmission line to be available. In the event of a loss of the preferred offsite power sources, the Emergency Transformer secondary may be aligned to any one of the three 4.16 kV ESF busses, including either bus powering a hydrogen recombiner. In the event of an extended loss of all offsite power sources, including the Emergency Transformer, two ESF busses may be powered by a single standby diesel generator. Plant Procedure 0 POP 04-AE-0001 defines the procedural steps for cross-connecting ESF Train B to either ESF Train A or C, and similar procedural steps would apply to cross-connection of any one ESF bus to either remaining ESF bus.

The hydrogen recombiners would not be needed for at least 11 days following a postulated DBA. This would allow the licensee considerable time to either restore offsite power or to complete the necessary procedural steps needed to realign the hydrogen recombiners to an operable SDG before hydrogen recombiner operation was required.

Based on the ability to power the hydrogen recombiners from alternate power sources, and the considerable time available to the licensee to realign the hydrogen recombiners to an operable power source before operation is required, the staff concludes that the hydrogen recombiner system would be available to perform its function if an accident were to occur at STP even if two SDGs for one unit were unavailable.

4.5.a Potential Radiological Consequences of the Proposed Amendment

Extending the allowed outage times for the SDGs increases the chance that only one train of containment spray will be available during a large break LOCA. The current DBA analysis assumes that a single failure will result in no less than two trains of spray remaining operable to remove radioactive iodine from the source term in the post-LOCA containment atmosphere (i.e., reduce the amount of radioactive iodine available for leakage from containment). With one of the three trains of containment spray out of service during an extended allowed outage, a single failure disabling a second train leaves only one train operable. The resulting reduced flow would negatively impact the ability of the Containment Spray System to mitigate the thyroid dose of individuals at the Exclusion Area Boundary (EAB) and the Low Population Zone (LPZ) as well as thyroid doses to operators within the control room. Since containment spray is not credited for removing radioactive noble gas releases during a LOCA, the calculated whole body doses to these individuals are unchanged.

4.5.b Offsite Radiological Consequences

Operation of the Containment Spray System with a single train (e.g., single pump) will reduce the system pressure and flow. The effectiveness of the containment spray at removing iodine from the containment atmosphere is inversely proportional to the mean diameter of the liquid droplets in the spray. The current analysis is based on the droplet size distribution measured during spray nozzle testing at system design pressure and flow.

In lieu of providing a revised spray droplet size, the licensee's evaluation of the possible radiological impact of the extended SDG AOTs takes no credit for the removal of elemental iodine by the containment spray. As discussed in a letter dated January 8, 1996, only iodine removal by wall deposition was included in the licensee's evaluation.

An elemental iodine deposition coefficient of 4.5 per hour was calculated using the methods and assumptions on page 6.5.2-10 of the NUREG-0800 Standard Review Plan, Rev. 2 (SRP). A conservatively bounded surface area of 92,900 m², and a conservatively bounded net free volume of 100,808 m³ were used as the inputs to the elemental iodine removal coefficient calculation. This initial deposition removal rate is assumed to continue until a decontamination factor (DF) of 100 is reached (i.e., the airborne concentration is one percent of its initial value). The removal rate was then assumed to continue at a rate that is five percent of the initial removal rate until a decontamination factor of 200 is reached, at approximately 4.1 hours after initiation of the DBA. No further elemental iodine removal is assumed. Section 6.5.2 of the SRP limits the DF for elemental iodine to a maximum value of 200. This model for elemental iodine removal by surface wall deposition is consistent with the model for elemental iodine removal by wall deposition currently in the STP UFSAR and is conservative compared with the staff's guideline as specified in SRP 6.5.2, Revision 2. Therefore, it is acceptable to the staff.
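The two-stage removal model described above can be checked numerically. The following is an added example, not the licensee's or the staff's calculation; it assumes first-order (exponential) removal of airborne elemental iodine, and the function names are hypothetical. All numeric inputs are the values stated in the text.

```python
import math

# Values stated in the safety evaluation text.
LAMBDA_INITIAL = 4.5   # elemental iodine deposition coefficient, per hour
SLOW_FRACTION = 0.05   # later removal rate is five percent of the initial rate
DF_SWITCH = 100.0      # DF at which the removal rate drops
DF_MAX = 200.0         # SRP 6.5.2 cap on elemental iodine DF

# Assumption of this example: removal is first order, dC/dt = -lambda * C,
# so the decontamination factor DF = C(0)/C(t) grows as exp(lambda * t).


def time_to_df(df):
    """Hours after the start of the DBA at which the model reaches DF = df."""
    if not 1.0 <= df <= DF_MAX:
        raise ValueError("model only defines DF between 1 and %g" % DF_MAX)
    if df <= DF_SWITCH:
        return math.log(df) / LAMBDA_INITIAL
    t_switch = math.log(DF_SWITCH) / LAMBDA_INITIAL
    slow_rate = SLOW_FRACTION * LAMBDA_INITIAL
    return t_switch + math.log(df / DF_SWITCH) / slow_rate


def decontamination_factor(t_hours):
    """DF at t_hours: fast stage, then slow stage, then held at DF_MAX."""
    if t_hours < 0:
        raise ValueError("time must be non-negative")
    t_switch = time_to_df(DF_SWITCH)
    if t_hours <= t_switch:
        return math.exp(LAMBDA_INITIAL * t_hours)
    slow_rate = SLOW_FRACTION * LAMBDA_INITIAL
    return min(DF_MAX, DF_SWITCH * math.exp(slow_rate * (t_hours - t_switch)))


def airborne_fraction(t_hours):
    """Fraction of the initial airborne elemental iodine still airborne."""
    return 1.0 / decontamination_factor(t_hours)


if __name__ == "__main__":
    print("time to DF 100: %.2f h" % time_to_df(DF_SWITCH))
    print("time to DF 200: %.2f h" % time_to_df(DF_MAX))
    for t in (0.5, 1.0, 2.0, 4.0, 8.0):
        print("t = %4.1f h  DF = %7.1f  airborne fraction = %.4f"
              % (t, decontamination_factor(t), airborne_fraction(t)))
```

Under the first-order assumption the fast stage ends about one hour into the accident, and the slow stage accounts for the remaining three hours before the DF of 200 is reached, which reproduces the approximately 4.1 hours stated in the text.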

The staff performed an independent analysis of the thyroid doses resulting from a postulated LOCA during an extended diesel outage using the licensee's iodine removal model and the methods and assumptions in the SRP. The thyroid dose to individuals at the EAB and LPZ listed in the table below were calculated with the HABIT computer code. Input parameters were taken from Table 15.5 of the "Safety Evaluation Related to the Operation of South Texas Project, Units 1 and 2" (NUREG-0781).

4.5.c Control Room Operator Doses

By letter dated September 26, 1991, the NRC issued Amendment Nos. 28 and 19 to the STP operating licenses for Units 1 and 2, respectively. These amendments addressed an identified single failure of a heater in the control room ventilation system that resulted in control room operator DBA doses in excess of those previously analyzed. As described in the accompanying staff's Safety Evaluation (SE), the postulated heater failure reduces the iodine removal efficiency of the ventilation system charcoal filtration units.

The staff independently evaluated the radiological impact of the licensee's request to extend the SDG AOTs on the habitability of the control room during a postulated DBA. Using input parameters taken from Table 6.1 of NUREG-0781, as modified by the September 26, 1991, SE, the thyroid doses to control room operators during the course of a postulated DBA were calculated with the HABIT computer code. The results are listed in the table below with the current DBA results and the associated acceptance criteria for comparison.

RADIOLOGICAL CONSEQUENCES OF A LOCA WITH ONE SDG INOPERABLE

                  CURRENT BASIS     PROPOSED          ACCEPTANCE
                  WHOLE BODY /      WHOLE BODY /      CRITERIA
                  THYROID DOSE      THYROID DOSE
                  (REM)             (REM)

EAB (0-2 hr)      3.6 / 165         3.6 / 199         25 / 300
LPZ (0-30 day)    1.3 / 74          1.3 / 88          25 / 300
CR (0-30 day)     3.1 / 17          3.1 / 30          5 / 30

By letter dated January 4, 1996, the licensee identified that if a LOCA during the proposed extended AOTs resulted in a single operable train of control room ventilation, the current design could not maintain the required 1/8 inch (water gauge) of positive pressure in the control room envelope with respect to adjacent areas. The staff questioned a statement in the January 4, 1996, letter regarding the ability of the ventilation system to maintain a positive pressure in the control room. The licensee conceded that the entire control room ventilation envelope may not be maintained at a positive pressure during single train operation. Testing of the control room ventilation system with only one train running in October 1994 resulted in a negative relative pressure (0.04 inch) in one equipment room within the control room envelope.

The requirement that the control room envelope be maintained at a positive pressure during an accident ensures that any leakage will be clean air out of the control room. Without the assurance that the control room will remain at a relative positive pressure, the 10 cubic feet per minute (CFM) of unfiltered in-leakage (a standard assumption to account for opening and shutting doors) used in the staff's evaluation of this request (and the DBA in NUREG-0781) is invalid. The possibility exists therefore that operator thyroid doses could exceed the acceptance criteria of GDC 19 in Appendix A to 10 CFR Part 50 if a LOCA/LOOP occurred and only a single train of control room ventilation was available. However, the current TSs provide an AOT of 72 hours if two trains of control room ventilation are inoperable. Therefore, operation for up to 24 hours with only a single onsite power source, and its effect on control room ventilation, is bounded by current TSs.

4.5.d Conclusions Regarding Radiological Consequences

The results of the staff's evaluation indicate that if a LOCA were to occur at one of the STP units while one of the SDGs for that unit was inoperable, the siting criteria for radiation doses at the Exclusion Area Boundary and the Low Population Zone in 10 CFR Part 100 would still be met. If a LOCA were to occur when only a single train of control room ventilation was operable, the possibility exists that operator thyroid doses would exceed the acceptance criteria of GDC 19 in Appendix A to 10 CFR Part 50. The staff has reviewed this possibility and determined it to be acceptable.

4.6 Evaluation of the Probabilistic Safety Analysis (PSA) Used to Support the Proposed Amendment

The staff used a three-element approach in its evaluation of the risk associated with the proposed TS changes. The first element was an evaluation of the impact on plant risk as expressed by the change in core damage frequency (delta CDF), the incremental core damage probability (delta CDP) and the impact on the large early release frequency (LERF) resulting from the increased AOTs. The second element was an evaluation of the licensee's process used to address potentially high risk configurations that could exist if equipment in addition to that associated with the changed AOTs were to be taken out of service simultaneously, or other risk significant operational factors such as concurrent system or equipment testing were also involved. The objective of this part of the staff's review was to assure that appropriate restrictions on dominant risk-significant configurations associated with the changed AOT were considered in appropriate procedures. The third element was an evaluation of the licensee's overall configuration risk management system to assure that adequate programs and procedures would be in place to identify and compensate for other potentially lower probability, but nonetheless risk significant, configurations resulting from maintenance and other operational activities.

Each of these three elements of the staff's evaluation is discussed separately below.

Element 1 - PSA Evaluation of AOT Extension

The licensee stated in their submittals that the incremental risk associated with the proposed AOT extensions has been determined to be small. In addition, the licensee stated that a risk assessment would be performed in accordance with the STP Configuration Risk Management Program, to determine if further restrictions are warranted while not meeting the LCO. The STP PSA, therefore, plays an important role in understanding and implementing the proposed AOT extensions at STP.

(a) Evaluation of PSA Model, Data and Assumptions

The STP PSA includes a Level 1 and Level 2 analysis, with external events. The Level 1 analysis used the large event tree/small fault tree methodology, which explicitly addressed system dependencies in the event trees. Small fault trees were used to quantify the likelihood of system failure, which then provided input to the event tree nodes. RISKMAN software was used to quantify the CDF.

The current PSA used fault trees for all system logic modelling, which is an improvement compared to the use of reliability block diagrams with some fault trees used in earlier versions of the PSA. Additionally, in the current PSA, common cause failures due to system dependencies were incorporated directly in the event tree logic using the Multiple Greek Letter (MGL) method.

Data collection was performed through examination of generic and plant-specific sources. The latest set of data includes plant-specific experience related to plant trips at both units. These data were incorporated into the PSA through a Bayesian updating process that utilized the PLG-0500 generic database. Additionally, where there was scarce initiating event frequency data, models and expert judgement were used to supplement available information. Finally, the PSA credited the emergency transformer which had not been included in the previous PSA.

STP personnel participated in evolution of the PSA, which included model development, data collection, and requantification of models with updated plant-specific data. In addition to reviews performed by inhouse PSA engineers, reviews were also performed by an independent internal team consisting of personnel from the operations, training, and engineering backgrounds.

In 1991, the NRC staff completed an in-depth review of the STP PSA (see NUREG/CR-5606), and found the level of detail of the models "quite high and consistent with current state-of-the-art." A subsequent update of the PSA included a variety of CDF estimates for various assumptions regarding the rolling maintenance schedule and combinations of modified TS AOTs and Surveillance Test Intervals (STIs). The PSA was again updated in March of 1995 to include the NRC staff-approved risk-based TS AOTs and STIs, plant-specific equipment failure rate data, and incorporation of the emergency transformer into the model.

The staff concludes that the licensee's PSA can appropriately evaluate the impact of the proposed TS change on CDF and containment performance.

(b) PSA Insights and Findings

For each LCO the licensee evaluated AOT-induced changes in the plant CDF, which also allowed for the determination of the corresponding incremental conditional core damage probability (ICCDP) during the AOT period. The Large Early Release Probability (LERP), defined in the licensee's submittal as a large (>3" diameter hole) and early containment failure or bypass that possesses a significant potential for short term health impact, was calculated for the modified AOT conditions of each LCO.

The licensee's PSA estimated the total STP-CDF to be approximately 2E-5/yr based on 3 day AOTs for the SDGs. To this total, station blackout (a subset of loss of offsite power events) contributed approximately 18%, or 4E-6/yr. Sensitivity studies indicate that extending and completely utilizing SDG AOTs of 14 days, and 21 days (a conservative assumption) would only increase the SBO-CDF contribution by approximately 7E-7/yr and 2E-6/yr respectively. The resultant change in total CDF of less than 10% would continue to keep STP at the low end of the PWR spectrum, for both SBO induced CDF and total CDF. Likewise the relatively small LERF of approximately 5E-7/yr and small ICCDP of 7E-7/yr when utilizing the expected average time associated with the AOT extension, indicate that the change would have minimal risk significance.

The lack of sensitivity of SBO risk to SDG-AOT extensions is primarily due to the redundancy in the STP emergency AC power design. Other "qualitative" factors which further reduce the SBO contribution to plant risk are discussed below.

Element 2 - Evaluation of LCO Configuration Restrictions

The licensee has produced approximately 300 pre-calculated configurational conditional CDF estimates used to estimate a large number of configuration risks. From this process, certain plant configurations were identified as being potentially risk-significant if entered during the AOT. These configurations dictated which equipment must be available while in the AOT. This process is the second element of the three-element process, and specifies additional procedures that apply during the AOTs.

Licensee procedures state that, for entry into the proposed LCOs with the i

proposed A0T extensions, certain actions need to be taken, or certain maintenance activities precluded. These activities, or conditions, are stipulated in the licensee's procedures for the A0T and listed below.

(a) The requirements for two (2) of the onsite power sources specified in Specification 3.8.1.1.b and the two (2) supporting ECW loops specified in Specification 3.7.4 are operable;

(b) The circuits required by Specification 3.8.1.1.a are operable;

(c) The equipment specified by Action 3.8.1.1.d is operable;

(d) The circuit between the 138 kV offsite transmission network, via the emergency transformer, and the onsite Class 1E Distribution System shall be functional and available;

(e) The technical support center diesel generator and the positive displacement pump are functional and available;

(f) Planned maintenance on the equipment specified in Action 3.8.1.1.d is suspended;

(g) Maintenance activities in the switchyard which could directly cause a loss of offsite power event will be prohibited unless required to ensure the continued reliability and availability of the offsite power sources.

In reflecting the additional element 2 constraints into the PSA, the top event for the positive displacement charging pump was modified by adding a new set of split fractions that apply only when the AOT is in effect. These split fractions reflect the element 2 restrictions that during the AOT, scheduled maintenance would not be performed on the positive displacement charging pump and the technical support center diesel generator, i.e., programmatic requirements will be in effect as a prerequisite to the AOT to prevent deliberate unavailability of this equipment during this period. (Note: there still remains a failure rate for failure to start on demand to include any standby failures that may occur during this period.)

Element 3 - Other Configuration Management Provisions

As required by the Maintenance Rule, the licensee will assess the overall impact on safety functions of performing maintenance activities, including the removal of any equipment from service. That is, prior to entry into the AOT, a PSA analysis of the "planned work configuration" will be performed, taking into account the actual configuration of associated systems and trains.

Furthermore, the licensee (under element 2) has generated approximately 300 pre-calculated, configuration-specific conditional CDF (CCDF) estimates, which can be used to estimate a large number of configuration risks. These pre-calculated estimates will be augmented with additional configuration-specific CCDF estimates on an as-needed basis.

The licensee's proposed Bases for the proposed AOT relaxations state that their Configuration Risk Management Program (CRMP) evaluates the impact on plant risk of equipment out of service. The licensee's CRMP will specify the process for assessing and monitoring changes in the core damage probability, or large early release probability, while in certain planned and unplanned maintenance configurations.

Procedures are in place to ensure that, immediately before and during entry into the subject Actions, the status of all associated systems and trains is reviewed for its impact on safety, taking into consideration the conditions expected as a result of modifying the AOTs.

As part of the three-element approach, the licensee will perform risk profile analyses in conjunction with its CRMP, to ensure adequacy of safety functions before performing maintenance activities including removal of any equipment from service. This is addressed in the proposed Administrative Controls TS 6.8.3.k.

Administrative procedures require maintenance planners and schedular reviewers to meet at the beginning of each schedular week, to provide preliminary and adjusted interactive schedule inputs for risk profile generation prior to the initiation of planned maintenance activities. The procedure is to ensure minimal temporary CDF impact due to schedular planning.

The staff concludes that the actions taken by the licensee are appropriate for addressing the concerns that simultaneous equipment outage and other operational considerations during the AOT could potentially result in risk-significant configurations.

Conclusions Regarding the Licensee's Probabilistic Safety Analysis Used To Support the Proposed Amendment

The staff finds that the licensee has:

1. demonstrated that the calculated ICCDP and LERF are both relatively small, primarily because of substantial redundancy in system design, and robustness in containment severe accident mitigation capability,

2. implemented procedural restrictions that preclude entry into dominant risk-significant configurations during the extended AOT, and

3. provided the necessary assurances that appropriate assessments of the overall impacts on safety functions will be performed prior to any maintenance or other operational activities, including removal of equipment from service and documented these assurances in the TSs and Bases.

In addition to the above restrictions, the licensee will remain aware of any potential severe weather conditions which could result in an extended loss of offsite power. Because of the STP site exposure to severe weather (ESW5 category under SBO Rule categorization), the licensee will utilize plant-specific pre-hurricane shutdown requirements and procedures which meet the guidelines of Section 4.2.3 of NUMARC 87-00.

These guidelines have been implemented according to the STP's Severe Weather Guidelines, OPOP04-ZO-0002, Revision 9.

The staff, therefore, finds that the AOT of TS 3/4.8.1 (A.C. Sources) may be extended to 14 days subject to procedural requirements without a significant increase in risk. The staff also finds that the AOTs of TS 3/4.7.4 (ECW System) and of 3/4.7.14 (ECHW System) may be extended to 7 days without a significant increase in risk.

The staff's findings have taken into consideration the licensee's commitment to the above discussed compensatory measures, including maintenance of an up-to-date PSA model, and adequacy of relevant portions of the licensee's program to meet the requirements of the Maintenance Rule.

5.0 SUMMARY

The staff has evaluated the licensee's proposed changes for compliance with regulatory requirements as documented in this evaluation, and determined that they are acceptable. This determination had been based on:

(1) the need to maintain reliable safety systems;

(2) consideration of the number of redundant trains of onsite emergency AC power available at STP (i.e., STP's three train design where in almost all cases the safety systems powered from only one train of onsite emergency AC power are capable of mitigating the consequences of design-basis events, as compared to a typical two train design system);

(3) implementation of compensatory measures to offset any reduction in defense-in-depth.

In addition, PRA insights indicate that the risk associated with extending the SDG, ECW, and ECHW system allowed outage times is small, and offset by the licensee's CRMP. The CRMP evaluates the impact on plant risk of equipment out of service, and ensures the availability of safety functions before performing maintenance activities including removal of any equipment from service.

6.0 STATE CONSULTATION

In accordance with the Commission's regulations, the Texas State official was notified of the proposed issuance of the amendments. The State official had no comments.

7.0 ENVIRONMENTAL CONSIDERATION

The amendments change a requirement with respect to installation or use of a facility component located within the restricted area as defined in 10 CFR Part 20 and change surveillance requirements. The NRC staff has determined that the amendments involve no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and that there is no significant increase in individual or cumulative occupational radiation exposure. The Commission has previously issued a proposed finding that the amendments involve no significant hazards consideration, and there has been no public comment on such finding (61 FR 40019). Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b) no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendments.

8.0 CONCLUSION

The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendments will not be inimical to the common defense and security or to the health and safety of the public.

Principal Contributors:

O. Chopra

V. Beaston

R. Jenkins

W. LeFave

C. Liang

S. Brewer

R. Palla, Jr.

R. Pedersen

J. Medoff

M. Wohl

Date: October 31, 1996