ML20198A239
| ML20198A239 | |
|---|---|
| Site: | Pilgrim |
| Issue date: | 12/11/1998 |
| From: | NRC (Affiliation Not Assigned) |
| To: | |
| Shared Package: | ML20198A237 |
| References: | NUDOCS 9812160196 |
UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001
SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO AMENDMENT NO. 179 TO FACILITY OPERATING LICENSE NO. DPR-35
BOSTON EDISON COMPANY
PILGRIM NUCLEAR POWER STATION
DOCKET NO. 50-293
1.0 INTRODUCTION
On April 25, 1996, the licensee requested an amendment to the Technical Specifications (TS) for the Pilgrim Nuclear Power Station (PNPS). The purpose of this amendment is to revise the definition of "operable-operability," revise the TS and associated "bases" section for TS 3.9.B.2 and 3.9.B.3 ("Auxiliary Electrical System"), TS 3.4.B.1 ("Standby Liquid Control System"), TS 3.7.B.1.a, c, and e, and 3.7.B.2.a, c, and e ("Standby Gas Treatment System and Control Room High Efficiency Air Filtration System"), and TS 4.5.F.1 ("Core and Containment Cooling Systems") and to delete TS 3.7.B.1.t ("Standby Gas Treatment System and Control Room High Efficiency Air Filtration System"). On February 10, 1997, the Commission issued Amendment No. 170 for the requested changes except for the changes to the allowed outage times for the emergency diesel generators (EDGs) and ac power sources as related to the TS and the associated "bases" section for TS 3.9.B.1 ("Auxiliary Electrical System") and TS 3.5.F.1 ("Core and Containment Cooling Systems"). This amendment covers proposed changes to TS Sections 3.5.F.1, 4.5.F.1, 3.9.B.1, 3.9.B.4, and 3/4.5.F bases. The proposed change will extend the allowed outage time (AOT) for EDGs from 3 days to 14 days provided the station blackout diesel (SBO) is verified operable in accordance with Surveillance 4.5.F.2.
On September 5, 1996, the licensee responded to the staff's request for additional information (RAI) dated June 25, 1996. In response to the staff's concerns expressed during telephone calls on December 2, 1996, and January 10, 1997, the licensee sent additional information in support of the proposed TS changes for the EDG AOT by letter dated August 8, 1997. On September 24, 1997, the licensee and staff discussed the proposed TS change, issues related to EDG maintenance practices, and the licensee's previous responses. The licensee addressed these issues by letter dated March 26, 1998.
On July 31, 1998, the licensee submitted additional information related to extending the AOT for the EDGs. Additionally, on August 24, 1998, the licensee sent information concerning the proposed configuration risk management program (CRMP) and revised the limiting condition for operation (LCO) time to 48 hours when one EDG and a shutdown or startup transformer are inoperable.
2.0 EVALUATION
The staff's evaluations of the licensee's proposed changes to the TS follow.
2.1 Proposed Change to TS Sections 3.5.F.1 and 4.5.F.1
The licensee proposed to change TS Sections 3.5.F.1 and 4.5.F.1. At present, TS Sections 3.5.F.1 and 4.5.F.1 read as follows:
LIMITING CONDITION FOR OPERATION
3.5 CORE AND CONTAINMENT COOLING SYSTEMS (Cont.)
F. Minimum Low Pressure Cooling and Diesel Generator Availability
1. During any period when one diesel generator is inoperable, continued reactor operation is permissible only during the succeeding 72 hours unless such diesel generator is sooner made operable, provided that all of the low pressure core and containment cooling systems and the remaining diesel generator shall be operable. If this requirement cannot be met, an orderly shutdown shall be initiated and the reactor shall be placed in the Cold Shutdown Condition within 24 hours.
SURVEILLANCE REQUIREMENT
4.5 CORE AND CONTAINMENT COOLING SYSTEMS (Cont.)
F. Minimum Low Pressure Cooling and Diesel Generator Availability
1. When it is determined that one diesel generator is inoperable, within 24 hours, determine that the operable diesel generator is not inoperable due to a common cause failure,
OR
perform surveillance 4.9.A.1.a for the operable diesel generator,
AND
within 1 hour and once every 8 hours thereafter, verify correct breaker alignment and indicated power availability for each offsite circuit.
The amended TS Section will read as follows:
LIMITING CONDITION FOR OPERATION
3.5 CORE AND CONTAINMENT COOLING SYSTEMS (Cont.)
F. Minimum Low Pressure Cooling and Diesel Generator Availability
1. During any period when one emergency diesel generator (EDG) is inoperable, continued reactor operation is permissible only during the succeeding 72 hours unless such EDG is sooner made operable, provided that all of the low pressure core and containment cooling systems shall be operable, and the remaining EDG shall be operable in accordance with 4.5.F.1. If this requirement cannot be met, an orderly shutdown shall be initiated and the reactor shall be placed in the Cold Shutdown Condition within 24 hours.
The 72 hour LCO can be extended to 14 days provided, in addition to the above requirements, the Station Blackout Diesel Generator is verified operable in accordance with 4.5.F.2.
SURVEILLANCE REQUIREMENT
4.5 CORE AND CONTAINMENT COOLING SYSTEMS (Cont.)
F. Minimum Low Pressure Cooling and Diesel Generator Availability
1. When it is determined that one EDG is inoperable, within 24 hours, determine that the operable EDG is not inoperable due to a common cause failure,
OR
perform surveillance 4.9.A.1.a for the operable EDG,
AND
within 1 hour and once every 8 hours thereafter, verify correct breaker alignment and indicated power availability for each offsite circuit.
2. Confirm the Station Black Out Diesel Generator (SBO-DG) has been demonstrated operable within the preceding 7 days
OR
within 72 hours of declaring an EDG inoperable, perform a surveillance to demonstrate that the SBO-DG is operable.
AND
within 1 hour of demonstrating the SBO-DG operability as specified above and once every 8 hours thereafter, verify normal breaker configuration.
2.1.1 Deterministic Evaluation of EDG AOT Extension
The licensee stated that TS 3.5.F.1 will be revised to increase the allowed outage time (AOT) for the emergency diesel generators (EDGs) from the currently allowed 3 days to 14 days.
The purpose of increasing the AOT for the EDGs to 14 days is to provide more flexibility for maintenance and repair of the EDGs. The staff granted an EDG AOT extension on the basis of plants having an additional source of ac power that meets or exceeds the requirements of an alternate ac (AAC) source as established by NUMARC-8700 and NRC Regulatory Guide (RG) 1.155. The licensee has a station blackout diesel generator (SBO-DG) to cope with an SBO event. This SBO-DG will be utilized as a standby source of ac power during extended EDG maintenance. On June 25, 1996, the staff sent a request for additional information (RAI) containing several questions.
In response to Question 1, the licensee stated that scheduled periodic inspections and overhaul are performed together in accordance with Procedure 3.M.3-61.5, "Emergency Diesel Generator Refuel Outage Preventive Maintenance." The major portions of this procedure cover the following areas:
- wear indication measurements such as gear backlash, crankshaft deflection, and clearances
- rebuilding/inspecting the air start motors
- fuel injector cleaning and testing, fuel pump timing, and rack inspection
- generator inspection and insulation-resistance measurement
Historically, it takes approximately 6 days to complete this procedure. These activities are performed once every 2 years. Use of limiting condition for operation (LCO) AOT is governed by Procedure 1.2.2, "Administrative Operations Requirements," which limits LCO use to 50% of its total AOT. Hence, an AOT of 14 days is proposed.
Regarding Question 2a, the licensee stated that the current TS include an LCO that states that all of the low-pressure core and containment cooling systems are operable and the remaining EDG is operable. If this requirement cannot be met, an orderly shutdown shall be initiated and the reactor shall be placed in the cold shutdown condition within 24 hours. The licensee stated that Surveillance 8.C.34, "Operations Technical Specification Requirements for Inoperable Systems/Components," will be revised to include the SBO-DG as the AAC power supply.
Additionally, Procedure 1.2.2, "Administrative Operations Requirements," provides a positive measure to preclude subsequent maintenance/testing on redundant and backup equipment while the EDG is inoperable.
Regarding Question 2b, the licensee stated that the TS pages are revised to include compensatory measures for the AAC source before taking an EDG out of service for an extended period of time. These measures will require the AAC source to be verified operable either by confirming that it was demonstrated operable within the preceding 7 days or by performing a surveillance within 72 hours of declaring an EDG inoperable and capable of being connected to the safety bus associated with the EDG to be taken out of service by verifying normal breaker configuration within 1 hour of demonstrating the SBO-DG operability and once every 8 hours thereafter.
The staff expressed concern regarding the operability of the SBO-DG 1 hour after the loss of offsite power, since the auxiliaries of the SBO-DG are fed from the offsite power. The event described in Licensee Event Report (LER) 97-004-00, "Loss of Preferred Power and Oil Spill Due to Main Transformer Fault While Shutdown," included a failure of the SBO-DG to start. As a result, the licensee (1) implemented procedural enhancement to provide guidance to operators regarding startup and operation of the SBO-DG unloaded, and (2) completed a plant design change, PDC 97-14, "Revised Power Supply for SBO Diesel Auxiliaries," to provide an alternate source of power to the SBO-DG auxiliaries to ensure startup and availability of the SBO-DG during partial or degraded offsite power conditions. The SBO-DG auxiliaries will require approximately 58 kW. The alternate source of power will be provided from the 400 kW security diesel generator. The current loading on the security DG is approximately 256 kW and there is a sufficient margin to add the extra 58 kW without challenging the security diesel rating.
The SBO-DG battery is designed to carry the load for 7 hours. The SBO-DG battery charger is powered by the output of either the SBO-DG or security DG during loss of offsite power.
Regarding the target reliability of 95% for the SBO-DG, the staff noticed that adequate testing was not done to establish the target reliability of 95%. The staff has accepted 25 tests with one failure to establish reliability of 95%. The licensee stated that 25 consecutive start and load run tests without a failure were completed in June 1997.
Additionally, the SBO-DG is within the scope of the maintenance rule. The licensee stated that performance of the SBO-DG is monitored against established criteria in accordance with the maintenance rule. Furthermore, the breakers that would be required to energize safety-related buses when the SBO-DG is operable are included in the maintenance rule monitoring procedures. The licensee stated that these breakers have a good operating history and have proven to be highly reliable. They have position indication locally at the switchgear and in the control room. These breakers have spring charge indication lights on the outside of the switchgear door to indicate that the breaker's closing springs are charged and the breaker is ready to function on a demand signal. The breakers that interface between the SBO-DG, 23 kV power source, and 4160 volt emergency buses are shown in Figure 1 (enclosed). Breakers 152-501 and 152-601 are safety related and undergo preventive maintenance every 2 years and overhaul every 6 years. Breakers 152-600, 152-801 and 152-802 are not safety related and undergo preventive maintenance every 4 years and overhaul every 8 years.
Additionally, the SBO-DG is manually started and feeds one emergency bus through the same breakers used for the shutdown transformer. When the SBO-DG is required to feed a bus, the breaker to one emergency bus (A501 or A601) is manually opened and the SBO-DG is started.
Aligning the breakers for SBO-DG operation isolates one emergency bus from the shutdown transformer. This is undesirable because the shutdown transformer is capable of automatically supplying power to either emergency bus; whereas, the SBO-DG requires operator action and is capable of supplying only one emergency bus with 2000 kW. Therefore, Surveillance 4.5.2 has been modified to require once every 8 hours, verify normal breaker configuration.
Modifying the surveillance in this manner assures the breakers are configured so the SBO-DG is capable of being connected to a safety bus without interrupting the normal function of the shutdown transformer.
In response to Questions 2c, d, e, and f, the licensee stated that LCO entry condition and the relationship of interfacing safety-related systems and important non-safety-related systems are addressed as operating philosophies in Procedure 1.2.2, Attachment 11, items [2], [3], and [4].
Item [2] states that an LCO-Planned Maintenance action on-line is acceptable if it is expected that the reliability of the equipment will improve to such a degree that the overall risk to the safe operation of the plant decreases. Item [3] indicates that scheduled repeated entry and exit from the LCO for the purpose of resetting the clock for AOT will not be allowed. Item [4] states that other maintenance and testing that increases the likelihood of a plant transient should be avoided. Confidence in the operability of the independent equipment that is redundant to (or diverse from) the affected equipment should be high.
In response to Question 3, the licensee stated that EDG overhauls are performed in accordance with Procedure 3.M.3-61.5. Any major components such as a governor would only be replaced if its condition indicated that this was necessary. The EDG is not fully disassembled. The testing that would be conducted after the overhaul would be an extended surveillance of Procedure 8.9.1, "Manually start and load the EDGs." This procedure is currently performed monthly to satisfy TS 4.9.A.1.a. The licensee stated that full load rejection tests are not routinely performed on EDGs at PNPS. However, following postulated replacement of a governor, a full load rejection test will be performed. Additionally, improper maintenance would be detected during post-work testing (PWT) before exiting the EDG LCO.
The potential for damage to other equipment is minimized by the progressive steps in the PWT process. Work that is not commonly performed is reviewed by the system engineer and the level of PWT is determined by the type of work that is being done. On March 26, 1998, the licensee provided details of PWT steps, which included the following: (1) Preliminary Testing, (2) Functional Testing, (3) Pre-operational Testing, (4) Operational Test, (5) Load Rejection Test. The licensee stated that the philosophy behind PWT is to minimize the risk of damaging any equipment. These steps ensure that the component and system are functional. Any problems found would be corrected before proceeding to the next level of testing. The licensee stated that the level of PWT will ensure that no damage will occur to the emergency buses and associated connecting equipment as a result of improperly performed maintenance.
Furthermore, the licensee stated that no unacceptable voltage transients have occurred at PNPS as a result of improper maintenance activities. On March 25, 1991, during monthly surveillance, the automatic voltage regulator on the Train B EDG failed; and as a result, the kW indication increased to approximately 3500 kW, the unit auxiliary transformer breaker to A6 tripped on Phase B overcurrent which caused lockout on bus AB, and the EDG shut down on overspeed and the EDG output breaker tripped. The voltage transient produced by this event had no negative effect on the 4160-V safety buses or loads.
In response to Question 6, the licensee stated that EDG extended maintenance during degraded grid and extreme weather conditions is addressed in Procedure 1.2.2, Attachments 9 and 11. Attachment 9 of Procedure 1.2.2 is modified to include that EDG LCO shall not be entered for planned maintenance while severe weather (e.g., hurricane or tornado) notices or warnings are in effect for the area in which PNPS is located. The nuclear watch engineer (NWE) has the authority to ensure that concurrent activities/conditions will not compromise plant safety or performance. The NWE's decision would be supported by senior plant management. All the guidelines in Procedure 1.2.2 support prudent scheduling taking into account all activities that would likely extend a given maintenance activity. Procedure 5.2.2 is modified to include plans to restore standby power quickly if necessary.
On the basis of the above review, the staff finds that the licensee satisfactorily resolved the staff's concerns.
2.1.2 Risk Evaluation of the DG AOT Extension
To gain a risk perspective, the staff used a three-tiered approach to evaluate the risk associated with the proposed amendment. The first tier evaluated the probabilistic risk assessment (PRA) model and the impact of the change on plant operational risk. The second tier addressed the need to preclude potentially high-risk configurations, should additional equipment outages occur during the AOT period. The third tier evaluated the licensee's configuration risk management program (CRMP) to ensure that equipment removed from service before entering or during the proposed AOT will be appropriately assessed from a risk perspective. RG 1.177, "An Approach for Plant-Specific, Risk-Informed Decision Making: Technical Specifications," addresses each tier; the associated findings are discussed below.
Tier 1: PRA Evaluations of AOT Extensions
The licensee used traditional PRA methodology to evaluate the requested AOT extension for EDGs. The Tier 1 NRC staff review of the licensee's PRA involved two aspects: (1) evaluation of the PRA model and application to the proposed AOT extension and (2) evaluation of PRA results and insights stemming from the application. The review did not warrant an assessment of any unconventional PRA practices or unique features that could significantly impact the PRA findings and conclusions.
(1) Evaluation of PRA Model and Application to the AOT Extension
The staff focused its review on the capability of the licensee's PRA model to analyze the risk stemming from the proposed AOT changes for EDGs, and did not involve an in-depth review of the licensee's PRA. This review was based on the staff's initial screening process wherein the staff examined the licensee's internal events PRA results, recent operational experience regarding loss of offsite power (LOOP) and EDG reliability and availability, and plant-specific features such as EDG configurations, offsite sources, and other systems critical to mitigation of a LOOP event. The staff concludes that the licensee's PRA results are reasonable, and the scope and depth of the PRA analysis support such a finding. Recent data for EDG and offsite ac power reliability and availability did not indicate any adverse trends. The EDGs and SBO-DG are fully capable of safely shutting down the plant given a LOOP.
The licensee's PRA includes both a Level 1 and a modified Level 2 analysis. For front end analysis, PNPS used a Level 1 PRA; the small event tree/large fault tree technique with fault tree linking was used, and accident sequence quantification was performed with the Cut Set and Fault Tree Analysis (CAFTA) computer code. The analysis modeled 23 initiating events exclusive of internal flooding (also included) and dependencies that exist between initiating events and the associated mitigating systems. These initiators are consistent with those identified in previous PRAs.
Plant-specific data were used where possible for component failure rates and test/maintenance unavailabilities. Component unavailability estimates were derived for the period between 01/01/81 and 09/30/89 with one major exception. The data for the high-pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) systems came from a 5-year moving average database for the period between 03/31/87 and 03/31/92. The data for these two systems were blended with the more recent data to reflect their improved availability since 1990. The data collection period of 01/01/81 to 09/30/89 was used to ensure the equivalent of 5 full years of plant operation.
Generic component failure data were used if no plant-specific data were available. The primary source of generic component unavailability data was NUREG-CR-4550 ("Analysis of Core Damage Frequency Internal Events Methodology"). Additional data were extracted from IEEE-500 ("Guide to the Collection and Presentation of Electrical, Electronic, Sensing, Component, and Mechanical Equipment Reliability Data for Nuclear Power Generating Stations," December 1983) and the "Technical Specification Improvement Analysis for BWR Reactor Protection System," NEDC-30851P-A, GE Nuclear Energy, 1988.
For common-cause failure analysis, a multiple Greek letter methodology was used. The analysis conservatively assumed that even with one EDG unavailable, a common-cause failure from the idled EDG contributed to core damage.
The two EDGs and the SBO-DG were treated as a group of three similar structures, systems, or components (SSCs). The analysis derived a beta factor of 6.7E-02 and a gamma factor of 2.4E-02 for diesel failure-to-run, and a beta factor of 2.2E-02 and a gamma factor of 6.E-02 for diesel failure-to-start.
(2) Evaluation of PRA Results and Insights
The staff estimates that, with the licensee-furnished annual average core damage frequency (CDF) associated with the proposed 14-day AOT of 2.87E-05 per year, an approximate ΔCDF is 3E-07 per year, and is within the guidelines in RG 1.174, "An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Current Licensing Basis."
The baseline large early-release frequency (LERF) calculated by the licensee is 3.69E-06 per year, and for the proposed 14-day AOT is 3.73E-06 per year. The ΔLERF of 3.9E-08 per year is within the guidelines in RG 1.177.
The incremental conditional core damage probability (ICCDP) calculated by the licensee is 1.65E-07, well within the staff's guideline value of 5E-07.
The incremental conditional large early release probability (ICLERP) was calculated to be 8.6E-09, also within guidelines contained in approved RG 1.177 (5E-08).
Additionally, the licensee will implement, before implementation of the extended (14-day) EDG AOT, a procedure that will prohibit entry into the AOT for scheduled maintenance purposes if severe weather conditions are expected.
In a licensee sensitivity analysis, an evaluation of the impact of revised LOOP initiating event frequencies was made on the original individual plant examination (IPE) model, without consideration of other performance updates and enhancements. The original IPE used frequencies of 0.475 per year and 0.142 per year, respectively, for loss of preferred offsite power (345 kV) and total LOOP. Using a revised frequency of 0.643 per year for loss of preferred offsite power, the CDF in the original IPE increased by about 8.5% (from 5.85E-05 per year to 6.35E-05 per year). Using a revised frequency of 0.135 per year for total LOOP, the original IPE CDF decreased by no more than about 1%.
On the basis of the preceding Tier 1 review and the related information presented, the staff concludes that the PRA model used for the proposed AOT extension for single inoperable EDGs is considered to be reasonable, and the risk impact of the change is small and supports the AOT extension.
Tier 2: Avoidance of Risk Significant Plant Configurations
As previously stated, the licensee will implement a procedure, before use of the EDG AOT, that will prohibit entry into an extended EDG AOT (14 days) for scheduled maintenance purposes if severe weather conditions are expected. This will reduce the likelihood of weather-related, risk-significant plant configurations.
The licensee will have TS Required Actions (3.5.1) for the following conditions:
(1) During any period when one emergency diesel generator (EDG) is inoperable, continued reactor operation is permissible only during the succeeding 72 hours unless such EDG is sooner made operable, provided that all the low-pressure core and containment cooling systems shall be operable, and the remaining EDG shall be operable in accordance with Surveillance Requirement (SR) 4.5.F.1. If this requirement cannot be met, an orderly shutdown shall be initiated and the reactor shall be placed in the cold shutdown condition within 24 hours.
The 72-hour AOT can be extended to 14 days provided that in addition to the above requirements, the station blackout diesel generator is verified operable in accordance with SR 4.5.F.2.
(2) SR 4.5.F.2: Confirm the station blackout diesel generator (SBO-DG) has been demonstrated operable within the preceding 7 days or within 72 hours of declaring an EDG inoperable, perform a surveillance to demonstrate that the SBO-DG is operable, and within 1 hour of demonstrating the SBO-DG operability as specified above and once every 8 hours thereafter, verify normal breaker configuration.
The staff has concluded that these restrictions are necessary to preclude high-risk situations associated with having one EDG inoperable for more than 72 hours.
Tier 3: Risk-Informed Plant Configuration Management
The licensee has provided reasonable assurance that risk-significant plant equipment outage configurations will not occur while the plant is subjected to the extended EDG AOT.
The licensee utilizes its CRMP to integrate the applicational capability of the "equipment out of service" (EOOS) risk monitor, which uses a Level 1, at-power, internal events, PRA-informed methodology. EOOS facilitates planning and scheduling strategies to maximize equipment performance, reliability, and availability during the EDG extended AOT.
A Level 1 PRA supports the determination of CDF. A Level 2 PRA supports the determination of LERF. The licensee's Level 1, at-power, internal-events PRA forms the basis for its EOOS monitor. The licensee's Level 1 model includes input to containment system event trees. This allows containment system dependencies to be identified by EOOS.
The scope of SSCs in the CRMP will include all SSCs modeled in the PRA as well as those SSCs deemed risk significant by the Maintenance Rule Expert Panel not modeled in the PRA.
As not all maintenance rule in-scope SSCs are modeled in EOOS, the EOOS calculation is only one tool available for assessing risk. Although the scope of the CRMP is as described, the portion of CRMP to which TS apply is limited to those SSCs for which risk-informed AOTs have been granted. Specifically, the CRMP must be used whenever the 14-day EDG LCO is entered.
The licensee uses the EOOS model to provide risk calculations for plant configurations. It allows plant personnel to calculate risk impacts of inoperable equipment combinations. For any identified plant configuration of SSCs modeled in the PRA, EOOS provides risk importance measures associated with the unavailable equipment as well as those SSCs still in service. The staff reviewed this portion of the process in detail during the maintenance rule inspection (IR 98-04 dated June 29, 1998) with favorable results.
In addition to the previously mentioned risk-significant SSCs, the CRMP will include provisions to consider other applicable risk-significant contributors such as Level 2 issues and external events, qualitatively or quantitatively. The Level 2 issues relate to those accident sequences that lead to a large, early, unscrubbed release from containment. Accident sequences of concern are relatively fast acting, such as anticipated transients without scram (ATWS-type sequences, 20%) and loss of high-pressure injection with either failure to depressurize (TQUX-type sequences, 57%) or loss of low-pressure injection (TQUV-type sequences, 23%). The EDGs are marginal contributors to TQUV-type sequences and do not contribute to ATWS and TQUX sequences. Therefore, maintaining the availability of low-pressure injection systems at an optimum during the EDG AOT will adequately address Level 2 issues.
External events of concern include severe weather and fire. The CRMP will ensure that appropriate attention is placed on scheduled maintenance activities when severe weather approaches or when activities are planned for areas with high fire hazards. Although not specifically included in the CRMP, the risk-importance measure capability of CRMP can be used to identify key equipment to protect.
As always, the qualitative assessment of the entire work scope by trained and experienced personnel will continue to play a key role in ensuring that scheduled work does not place the plant in an unsafe condition.
l By procedure, the licensee will require a risk assessment before removing equipment from j
service for planned maintenance activities. The requirement to perform a risk assessment following unplanned equipment failures will also be proceduralized. This requirement will apply to SSCs within the scope of the CRMP.
The PRA is periodically updated in accordance with the engineering design guide (SB03) to account for modifications to the plant as well as plant equipment performance. The EOOS program is updated following an update of the licensee's PRA model.
The CRMP is intended as a means to understand the relative instantaneous risk level during a maintenance configuration. Currently, cumulative maintenance risk is limited to an acceptable level of conformance to the maintenance rule unavailability performance criteria.
Therefore, the staff concludes that the licensee's Tier 3 approach is reasonable for the purpose of the proposed extended EDG AOT. The staff expects the licensee to implement these TS changes in accordance with the three-tiered approach described above. The AOT extension will allow efficient scheduling of online maintenance within the boundaries established by implementing the maintenance rule. The licensee will monitor EDG performance in relation to the maintenance rule performance criteria. Therefore, application of implementation and monitoring strategies will help to ensure that extension of the TS EDG AOT does not degrade operational safety over time and that the risk incurred when an EDG is taken out of service is acceptable.
PRA Quality
There were several levels of review performed on the PRA. Initially, the licensee reviewed the consistency and correctness of the assumptions and results, with minor consultant contributions. This first level of review was done to ensure a complete technology acquisition by the licensee.
An independent internal peer review was performed to ensure content accuracy and to validate the PRA process and results. This peer review team consisted of seven individuals with backgrounds in PRA, engineering, operations, training, licensing, and management.
An external peer review of the PRA was also considered. The external review team consisted of five outside individuals with backgrounds in PRA, operations, reactor engineering, and thermal-hydraulics analysis. These individuals were associated with Yankee Atomic Electric, Northeast Utilities, New Hampshire Yankee, Tenera, and Gabor, Kenton, and Associates.
Routine PRA quality is ensured by application of Engineering Design Standard SBO3, "Maintaining the Living PRA."
A general staff audit of the PRA did not indicate any irregularities in the SBO sequences. The staff's audit did not indicate any aspects of the accident initiation and progression analysis that would alter the licensee's change in CDF or LERF calculation results for this application.
2.1.3 Conclusion
The staff has granted an EDG AOT extension on the basis of plants having an additional source of ac power that meets or exceeds the requirements of an AAC source as established by NUMARC-8700 and NRC RG 1.155. The licensee has an SBO-DG (AAC power source) to cope with an SBO event. This SBO-DG will be utilized as a standby source of ac power during an extended EDG maintenance. The licensee amended the TS to include the operability and connectability of the SBO-DG before entering an extended EDG AOT. Additionally, the compensatory measures being taken by the licensee during the extended EDG AOT will ensure that the safe-shutdown capability is available. In addition, the staff evaluated the EDG AOT extension from a risk perspective and concludes that the AOT extension will not result in a significant increase in plant risk. On the basis of the three-tiered approach, the staff finds the following:
The proposed EDG AOT modifications have only a minimal quantitative impact on plant risk. The calculated ICCDP for a single EDG AOT is small, primarily because of the redundancy in EDG configuration and the availability of the SBO-DG.
The licensee has implemented a procedure that will prohibit entry into an extended EDG AOT for scheduled maintenance purposes if severe weather conditions or warnings are in effect. The licensee's procedure also includes several compensatory measures and normal plant practices that help avoid potentially high-risk configurations during the proposed extended EDG AOT.
The licensee has proposed a risk-informed plant CRMP to assess the risk associated with the removal of equipment from service during the extended EDG AOT. The program provides the necessary assurances that appropriate assessments of plant-risk configurations using the EOOS software and PRA are sufficient to support the proposed AOT extension request for EDGs.
The staff concludes that the EDG AOT extension will result in a very small increase in plant risk.
The licensee has a process for scheduling and controlling maintenance activities into which plant risk is incorporated that compensates for the small risk increase and uncertainty associated with the proposed AOT change. The staff, therefore, finds that the PRA insights support the proposed EDG AOT extension.
On the basis of this evaluation, the staff finds that the proposed EDG AOT extension from 3 days to 14 days is acceptable.
2.2 Proposed Change to TS Section 3.9.B.1
The licensee proposed to change TS Section 3.9.B.1. At present, TS Section 3.9.B.1 reads as follows:
From and after the date that incoming power is not available from the startup or shutdown transformer, continued reactor operation is permissible under this condition for seven days. During this period, both diesel generators and associated emergency buses must remain operable.
The amended TS Section would read:
From and after the date that incoming power is not available from the startup or shutdown transformer, continued reactor operation is permissible under this condition for:
a. 3 days with the startup transformer inoperable
b. 7 days with the shutdown transformer inoperable
During this period, both diesel generators and associated emergency buses must remain operable.
Evaluation
The licensee stated that TS Section 3.9.B.1 is divided into two individual AOTs, one for the startup transformer and the other for the shutdown transformer, based upon their contribution to risk in relation to the EDG 14-day AOT risk assessment analysis. The AOT for the startup transformer inoperable was reduced from 7 days to 3 days (TS 3.9.B.1.a) and the AOT for the shutdown transformer inoperable remained at 7 days (TS 3.9.B.1.b).
On the basis of its review, the staff finds that the proposed amendment is more conservative than the present TS, and therefore is acceptable.
2.3 Proposed Change to TS Section 3.9.B.4
The licensee proposed to change TS Section 3.9.B.4. At present, TS Section 3.9.B.4 reads as follows:
From and after the date that one of the diesel generators or associated emergency buses and either the shutdown or startup transformer power source are made or found to be inoperable for any reason, continued reactor operation is permissible in accordance with Specification 3.5.F, provided either of the following conditions are satisfied:
a. The startup transformer and both offsite 345 kV transmission lines are available and capable of automatically supplying auxiliary power to the emergency 4160 volt buses.
b. A transmission line and associated shutdown transformer are available and capable of automatically supplying auxiliary power to the emergency 4160 volt buses.
The amended TS Section 3.9.B.4 would read as follows:
From and after the date that one of the diesel generators or associated emergency buses and either the shutdown or startup transformer power source are made or found to be inoperable for any reason, continued reactor operation is permissible for 48 hours provided:
a. The startup transformer and both offsite 345 kV transmission lines are available and capable of automatically supplying auxiliary power to the emergency 4160 volt buses.
b. The 23 kV transmission line and associated shutdown transformer are available and capable of automatically supplying auxiliary power to the emergency 4160 volt buses.
Evaluation
The licensee stated that an additional reduction from 72 hours to 48 hours is proposed in the AOT for a simultaneous loss of both a startup transformer and an EDG (TS 3.9.B.4.b) or shutdown transformer and an EDG (TS 3.9.B.4.a) based upon the startup transformer's contribution to risk in relation to the EDG 14-day AOT risk assessment analysis and that two power sources have been removed from the associated bus. The proposed ac power equipment AOT change does not alter the ac power distribution configuration required for declaring the operability of systems/subsystems under the existing Specification 3.5.F, but more accurately reflects the AOTs based upon the individual risk contributors as determined by the PSA for the ac power equipment.
On the basis of its review, the staff finds that the proposed amendment is more conservative than the present TS and therefore is acceptable.
2.4 Configuration Risk Management Program (CRMP)
The licensee has proposed a new TS 5.5.18, "Configuration Risk Management Program." The Configuration Risk Management Program (CRMP) provides a proceduralized risk-informed assessment to manage the risk associated with equipment inoperability. The program applies to technical specification structures, systems, or components for which a risk-informed allowed outage time has been granted. The proposed program includes the following elements:
a. Provisions for the control and implementation of a Level 1, at power, internal events, PRA-informed methodology. The assessment shall be capable of evaluating the applicable plant configuration.
b. Provisions for performing an assessment prior to entering the LCO Condition for preplanned activities.
c. Provisions for performing an assessment after entering the LCO Condition for unplanned entry into the LCO Condition.
d. Provisions for assessing the need for additional actions after the discovery of additional equipment out-of-service conditions while in the LCO Condition.
e. Provisions for considering other applicable risk significant contributors such as Level 2 issues and external events, qualitatively or quantitatively.
In addition, the CRMP is used to assess changes in core damage frequency resulting from applicable plant configurations. The CRMP uses the EOOS software or, if necessary, the full PRA to aid in the risk assessment of online maintenance and to evaluate the change in risk from a component failure. The equipment out-of-service risk monitor uses the plant probabilistic risk assessment model to evaluate the risk of removing equipment from service based on current plant configuration and equipment condition. The CRMP is used when an EDG is intentionally taken out of service for a planned activity excluding short duration activities (e.g., performing an air roll on the EDG prior to a routine surveillance). In addition, the CRMP is used for unplanned maintenance or repairs of an EDG.
The licensee has committed to implementation of the CRMP as described below.
The Configuration Risk Management Program (CRMP) includes the following key elements:
Key Element 1. Implementation of CRMP
The intent of the CRMP is to implement (a)(3) of the Maintenance Rule (10 CFR 50.65) with respect to on-line maintenance for risk-informed technical specifications, with the following additions and clarifications:
a. The scope of the structures, systems and components (SSCs) to be included in the CRMP will be those SSCs modeled in the licensee's plant PRA in addition to those SSCs considered risk significant in accordance with the North Anna Maintenance Rule Program that are not modeled in the PRA.
b. The CRMP is PRA informed, and may be in the form of either an EOOS analysis, an on-line assessment, or a direct PRA assessment.
c. CRMP will be invoked as follows for:
Risk-Informed Inoperability: A risk assessment will be performed prior to entering the LCO Condition for preplanned activities. For unplanned entry into the LCO Condition, a risk assessment will be performed in accordance with plant procedures, utilizing the maintenance configuration matrix, augmented by appropriate engineering judgement.
Additional SSC Inoperability and/or Loss of Functionality: When in the risk-informed Completion Time, if an additional SSC within the scope of the CRMP becomes inoperable/non-functional, a risk assessment shall be performed in accordance with plant procedures.
d. Tier 2 commitments apply for planned maintenance only, but will be evaluated as part of the Tier 3 assessment for unplanned occurrences.
Key Element 2. Control and Use of the CRMP
a. Plant modifications and procedure changes will be monitored, assessed, and dispositioned as part of the normal PRA update process:
Evaluation of changes in plant configuration or PRA model features can be dispositioned by implementing PRA model changes or by the qualitative assessment of the impact of the changes on the CRMP. This qualitative assessment recognizes that changes to the PRA take time to implement and that changes can be effectively compensated for without compromising the ability to make sound engineering judgments.
Limitations of the CRMP are identified and understood for each specific Completion Time extension.
b. Procedures exist for the control and application of CRMP, including description of the process when outside the scope of the CRMP.
Key Element 3. Level 1 Risk-Informed Assessment
The CRMP is based on a Level 1, at power, internal events PRA model. The CRMP assessment may use any combination of quantitative and qualitative input. Quantitative assessments can include reference to EOOS, pre-existing calculations, or new PRA analyses.
a. Quantitative assessments should be performed whenever necessary for sound decision making.
b. When quantitative assessments are not necessary for sound decision making, or are beyond the scope of the PRA model, qualitative assessments will be performed.
Qualitative assessments will consider applicable, existing insights from quantitative assessments previously performed.
Key Element 4. Level 2 Issues/External Events
External events and Level 2 issues are treated qualitatively and/or quantitatively.
The staff has reviewed the proposed CRMP TS 5.5.18, "Configuration Risk Management Program," and concluded that the CRMP program provides the necessary assurances that appropriate assessments of plant risk configurations using the EOOS software, augmented by appropriate engineering judgment, are sufficient to support the proposed AOT extension request for EDGs. In addition, this TS is a new requirement providing additional or new requirements and is more conservative than the current TS. Based on the above, we conclude that the proposed TS change is acceptable.
2.5 ADMINISTRATIVE CHANGES
The licensee has reformatted TS 3.9 and 3.9.A to be consistent with TS 3.9.B. TS 3.9.B was modified by Amendment 170. The staff has reviewed these changes and agrees that these sections were only reformatted. The staff considers these changes administrative in nature and, therefore, acceptable.
2.6 EDITORIAL CHANGES
TS pages B3/4.5-23 and 5.0-9 through 13 have been renumbered to B3/4.5-24 and 5.0-10 through 14, respectively. This is an editorial change and, therefore, is acceptable.
2.7 BASES
The licensee modified the bases sections for the action and surveillance to reflect the EDG AOT change from 3 days to 14 days. These changes are controlled by TS 5.5.6, "Technical Specifications Bases Control Program."
3.0 SUMMARY
On April 25, 1996, the licensee requested an amendment to the TS for PNPS. On February 10, 1997, the Commission issued Amendment No. 170 for the requested changes, except for the changes to the allowed outage times for the emergency diesel generators (EDGs) and ac power sources as related to the TS and the associated bases section for TS 3.9.B.1, "Auxiliary Electrical System," and TS 3.5.F.1, "Core and Containment Cooling Systems." This amendment covers proposed changes to TS Sections 3.5.F.1, 4.5.F.1, 3.9.B.1, 3.9.B.4, and 3/4.5.F bases.
The staff has reviewed this request from deterministic and probabilistic standpoints and based on our review as discussed above, the staff concludes that the proposed TS changes are acceptable.
4.0 ENVIRONMENTAL CONSIDERATION
The amendment changes a requirement with respect to installation or use of a facility component located within the restricted area as defined in 10 CFR Part 20. The NRC staff has determined that the amendment involves no significant increase in the amounts, and no significant change in the types, of any effluents that may be released offsite, and that there is no significant increase in individual or cumulative occupational radiation exposure. The Commission has previously issued a proposed finding that the amendment involves no significant hazards consideration, and there has been no public comment on such finding (63 FR 50934). Accordingly, the amendment meets the eligibility criteria for categorical exclusion set forth in 10 CFR 51.22(c)(9). Pursuant to 10 CFR 51.22(b) no environmental impact statement or environmental assessment need be prepared in connection with the issuance of the amendment.
5.0 CONCLUSION
The Commission has concluded, based on the considerations discussed above, that: (1) there is reasonable assurance that the health and safety of the public will not be endangered by operation in the proposed manner, (2) such activities will be conducted in compliance with the Commission's regulations, and (3) the issuance of the amendment will not be inimical to the common defense and security or to the health and safety of the public.
Principal Contributors: A. Pal, M. Wohl
Date: December 11, 1998
[FIGURE 1: ALTERNATE AC (AAC) CONFIGURATION, NON CLASS 1E DIESEL GENERATOR. One-line diagram not reproduced; legible labels: 23KV (SECONDARY) SWITCHYARD, 345/23KV, 345/4.16KV, 23/4.16KV, Main Generator, Class 1E 4.16KV Bus, A5, A6, 4.16KV/480V, B1, B2.]