NOC-AE-02001341, Response to Request for Additional Information (TAC Nos. MB3586 & MB3590)

From kanterella
Jump to navigation Jump to search

Response to Request for Additional Information (TAC Nos. MB3586 & MB3590)
ML022530089
Person / Time
Site: South Texas  STP Nuclear Operating Company icon.png
Issue date: 08/29/2002
From: Sheppard J
South Texas
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
NOC-AE-02001341, STI:31455994, TAC MB3586, TAC MB3590
Download: ML022530089 (12)
v  d  e


Text

Nuclear Operating Company South Teas Prope Ektnc Genrabn Station PO ox 289 adsorth. Tka 77483 *\A

--- V16 August 29, 2002 NOC-AE-02001341 10CFR50.90 U. S. Nuclear Regulatory Commission Attention: Document Control Desk One White Flint North 11555 Rockville Pike Rockville, MD 20852 South Texas Project Units 1 and 2 Docket Nos. STN 50-498; STN 50-499 Response to Request for Additional Information (TAC Nos. MB3586 and MB 3590)

Reference:

Letter, J. J. Sheppard to NRC Document Control Desk, "License Amendment Request - Proposed Amendment to Technical Specification 3.7.1.2," dated December 3,2001 (NOC-AE-01001196)

This letter submits our response to a request for additional information forwarded electronically by the NRC staff during their review of the referenced letter. If there are any questions regarding this submittal, please contact Mr. Scott Head at (361) 972-7136.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on: August 29, 2002 J.J.iihep d Vice President & Assistant to the President & Chief Executive Officer jtc

Attachment:

Response to Request for Additional Information STI: 31455994

NOC-AE-02001341 Page 2 of 2 cc:

(paper copy) (electronic copy)

Ellis W. Merschoff A. H. Gutterman, Esquire Regional Administrator, Region IV Morgan, Lewis & Bockius LLP U.S. Nuclear Regulatory Commission 611 Ryan Plaza Drive, Suite 400 M. T. Hardt/W. C. Gunst Arlington, Texas 76011-8064 City Public Service U. S. Nuclear Regulatory Commission Mohan C. Thadani Attention: Document Control Desk U. S. Nuclear Regulatory Commission One White Flint North 11555 Rockville Pike R. L. Balcom Rockville, MD 20852 Reliant Energy, Inc.

Richard A. Ratliff A. Ramirez Bureau of Radiation Control City of Austin Texas Department of Health 1100 West 49th Street C. A. Johnson Austin, TX 78756-3189 AEP - Central Power and Light Company Cornelius F. O'Keefe Jon C. Wood U. S. Nuclear Regulatory Commission Matthews & Branscomb P. 0. Box 289, Mail Code: MN1 16 Wadsworth, TX 77483 C. M. Canady City of Austin Electric Utility Department 721 Barton Springs Road Austin, TX 78704

NOC-AE-02001341 Attachment Page I of 10 ATTACHMENT Response to Request for Additional Information The following information is submitted response to an NRC Staff request for additional information received electronically. The NRC question is reproduced in bold typeface just above the South Texas response.

Question 1 describes a "single failure vulnerability" of the auxiliary feedwater (AFW) system when required to respond to accidents addressed in UFSAR Chapter 15. The specific accident of interest is the loss of normal feedwater (LONF) coincident with a loss of offsite power (LOOP),

abbreviated LONF/LOOP. The worst case single failure for a LONFJLOOP is that Train "A" of the engineered safety features actuation system (ESFAS) fails, resulting in an automatic start signal not reaching AFW pumps "A" and "D" from the ESFAS. The current LONF/LOOP analysis assumes that:

"* the worst case single failure occurs

"* AFW is delivered automatically by two AFW pumps to two steam generators (SGs)

"* operator action is required within fifteen minutes after reactor trip to start a third AFW pump Credit has been taken in the LONF/LOOP analysis for the operator starting a third AFW pump, which is easily achieved from the control room. With three pumps operating, the AFW system provides sufficient flow that the capability of the SGs to dissipate core residual heat without water relief from the reactor coolant system (RCS) relief or safety valves is maintained. Thus, there is no longer a single failure vulnerability for the AFW system during a LONF/LOOP.

1. In your December 3, 2001 letter regarding proposed changes to Technical Specification 3.7.1.2, "Auxiliary Feedwater (AFW) System," you state that the proposed amendment better reflects the AFW four-train design by applying the same allowed outage time (AOT) for any inoperable motor-driven AFW pump (Pumps A, B, and C). However, the differences in the AOTs for the current AFW system TS are based on single failure vulnerabilities coupled with the fact that two AFW pumps were required to meet the acceptance criteria for some accident and transient analyses in Chapter 15 of the Updated Safety Analysis Report (USAR). Specifically, in the current analyses, two AFW pumps (three pumps based on your new analysis) are required to prevent the pressurizer from becoming solid following a loss of main feedwater (MFW) with or without offsite power; and the coincident single failure of the "A" Train actuation signal results in the failure to start of AFW Pumps A and D (turbine-driven). Therefore, whenever AFW Pump B or Pump C became inoperable, a single failure could result in the plant being outside its design basis (less than two pumps). However, with Pump A inoperable the single failure vulnerability did not exist. Hence, the justification for the differences in AOTs among the three motor-

NOC-AE-02001341 Attachment Page 2 of 10 driven pumps. Recognizing the above vulnerability, please provide the following additional information to justify your proposed change:

a. Given the above vulnerability, it does not appear that you have adequately addressed Position C.1 of Regulatory Guide (RG) 1.177, "An Approach for Plant Specific, Risk Informed Decisionmaking: Technical Specifications," in that you have not adequately justified why the change to a 28 day AOT is needed. Please identify the specific reasons for the proposed change and discuss how the proposed change will enhance plant safety or availability. (See Subsection II.A.3 of Standard Review Plan [SRP] Section 16.1, "Risk-Informed Decisionmaking:

Technical Specifications")

Response

It was decided in the early 1980s that maintaining a spare AFW pump motor was unnecessary because of the four-train AFW system design. At that time, two AFW pumps providing flow to two SGs would prevent the pressurizer from going water solid as a result of a LONFILOOP event.

The AFW pump motor vendor has verified that 14 days is the minimum time required to rewire a badly damaged motor. That is in addition to motor removal, transportation, reinstallation, and testing time. A total of 28 days is justifiable from the standpoint of actual time required to complete repairs and can be justified on a risk basis. Plant safety and availability are enhanced by avoiding unnecessary transients (i.e., shutting the plant down), and avoiding a request for enforcement discretion, which could be justified under the South Texas Project (STP)

Probabilistic Risk Assessment (PRA).

b. Assuming that you included the above single failure vulnerability in your risk assessment of the proposed change, how did you address the uncertainty associated with the capability of the pressurizer power-operated relief valves (PORVs) to pass water and continue to function?

Response

The concern with water challenge to the pressurizer PORVs comes from a LONF/LOOP event.

In this scenario, pressurizer level increases to water-solid, credit is not taken for the PORVs relieving, and the pressurizer safety valves are challenged. This is a design basis concern in that the pressurizer safety valves may not close after water relief. However, there is no single failure vulnerability identified that would affect the risk assessment.

Flow from only one AFW pump to its associated SG is required in the STP PRA in order to mitigate core damage from a LONF/LOOP event. Decay heat removal requires using SG power operated relief valves (PORVs) or SG safety valves in addition to the AFW flow requirement. If SG decay heat removal is unavailable, the PRA credits operator action to establish feed and bleed cooling of the reactor core using the safety injection system (one pump) and both pressurizer PORVs.

NOC-AE-02001341 Attachment Page 3 of 10 The PRA models the increased likelihood of water challenge to the pressurizer PORVs for LOOP or loss of onsite non-Class IE power. If the pressurizer PORVs are challenged, the PRA quantifies the likelihood of failure of the PORVs to re-close and operator failure to block the leaking PORV. For those sequences in which a PORV fails to re-close and is not isolated by operator action, a safety injection signal is expected and the PRA models plant response similar to a small LOCA response. The general success criteria for a small LOCA in the PRA are flow from one safety injection pump train, flow from one AFW train, and decay heat removal using the SG PORV.

In order to model the event of interest, event tree logic rules were modified to reflect a guaranteed challenge to the pressurizer PORVs if less than three AFW pumps were operating after a LONF event. This criterion was used whether or not offsite power remained available after the plant trip. Core damage frequency was not affected (<0.01% ACDF) using this change in plant logic. If the analysis were limited to those sequences that include LOOP, the change in core damage frequency would be even smaller.

The data used to develop the failure rates for PORVs (both open and re-close) comes from industry experience, including information presented in NUREG-1 150, and is updated using STP experience. The uncertainty in the underlying data is included in the distributions that represent the failure data.

c. In your application, you indicate that you will revise the USAR Chapter 15 analysis for loss of normal feedwater and loss of offsite power (LOOP) to take credit for starting a third motor-driven AFW pump within 15 minutes to avoid filling the pressurizer. Verify that following the failure of "A" Train actuation signal, AFW Pump A or Pump D can be manually started.

Response

Credit has been taken in the LONFILOOP analysis and in the UFSAR for the operator starting a third AFW pump. All four AFW pumps may be manually controlled from the control room and from the auxiliary shutdown panel. Status lights are provided at both locations to monitor the performance of each AFW pump. In the LONFILOOP analysis, starting a third pump is possible because the worst case single failure was not assumed to be in the starting circuit of either pump "A" or "D". The assumed failure was that the "A" and "D" AFW pumps did not receive an automatic signal to start.

Note: Questions 2 and 3 will be addressed together

NOC-AE-02001341 Attachment Page 4 of 10

2. Based on your discovery that you now need to take credit for three AFW pumps for a loss of MFW coupled with a LOOP, your proposed change to increase the AOTs for the motor-driven AFW pumps to 28 days appears to be based only on probabilistic risk assessment (PRA). Position C.2 of RG 1.177 specifies that strong technical bases rooted in traditional engineering and system analyses should be provided to support any TS change. It further specifies that TS change requests based on PRA alone should not be submitted for review. Because you now need 3 out of 4 AFW pumps to function to be consistent with your Chapter 15 analyses, provide technical justification for requesting an AOT for the motor-driven AFW pumps that is less conservative than your current TS and less conservative than the Westinghouse Standard Technical Specification (W-STS) for the AFW system.
3. In your description for the proposed changes, you indicate that the proposed increase in the AOT will "increase the allocation of maintenance time to more safety significant equipment." Based on the increased importance of your AFW pumps (3 out of 4) to prevent overfilling the pressurizer), there does not appear to be much equipment that is more safety-significant than the equipment associated with the AFW system (it is the first line of defense for the more probable initiating events).

The staff, therefore, believes that to maintain adequate defense-in depth and adequate safety margins, a change to a 72-hour AOT for motor-driven Pump A is the only change that is necessary and can be technically justified. Provide an engineering justification to support a 28-day AOT that is not just risk based and which discusses maintaining adequate defense in depth and adequate safety margins during the outage time. The justification should recognize that Chapter 15 events form part of the Bases for your plant technical specifications.

Response

The STP design provides defense in depth that goes beyond the safety systems assumed in the safety analysis. This robust design ensures that an event requiring a third train of AFW for mitigation is extremely unlikely.

The accident that requires a third train of AFW is the LONF event. This accident is classified as a Condition II event, i.e., a fault of moderate frequency. These events are anticipated to occur once a year. The acceptance criteria for a Condition II event are that the fault:

"* at worst, results in the reactor trip with the plant being capable of returning to operation

"* does not result in fuel rod failure or RCS or secondary system overpressurization

"* does not propagate to cause a more serious Condition III or Condition IV event The LONF does not impact the ability of the plant to return to operation, does not significantly challenge the fuel, and does not result in primary or secondary system overpressurization.

Therefore, the first two criteria stated above are satisfied with only two trains of AFW operating to mitigate the consequences of a LONF/LOOP. However, the LONF does have the potential to result in the pressurizer going water solid. Water relief through the pressurizer safety valves

NOC-AE-02001341 Attachment Page 5 of 10 might occur if the pressurizer were to go water solid. Water relief through the pressurizer safety valves might result in a stuck open valve and lead to a small break LOCA, which is a Condition III event. This would violate the third criterion stated above.

If the plant were in a 28-day AOT and a LONF were to occur, a conservatively assumed single failure would be the loss of one AFW train. There is no justification for assuming the worst case failure (ESF Train A) would occur while in the action statement. With one AFW pump out for maintenance and one failing to start, there would still be two AFW pumps operating. This would prevent core damage, although the pressurizer might go water solid. If this single failure did not occur, three trains of AFW would be available and the pressurizer would not go water solid.

The safety analysis for the LONF also assumes that mitigation of the event depends only on safety grade equipment. However, non-safety equipment is available that could eliminate the concern of the pressurizer going water solid, even with only two trains of AFW operating. The analysis conservatively assumes the following:

"* complete loss of normal feedwater flow

"* coincident loss of offsite power resulting from the reactor trip

"* immediate loss of letdown flow If any of the above events fail to occur, the pressurizer will not go water solid for the LONF with only two trains of AFW operating. In addition, a single Class 1E powered safety grade pressurizer PORV has sufficient capacity to ensure that the pressurizer pressure remains below the pressurizer safety setpoint. Therefore, operation of pressurizer PORV will ensure that the LONF event would not progress to a Condition III event.

Two possible scenarios could lead to the conditions described above during the proposed 28-day AOT:

1. Total LONF coincident with a LOOP, which causes a loss of instrument air, resulting in immediate loss of letdown. During the event one AFW motor-operated pump is out for maintenance (28-day AOT) and one of the three remaining AFW pumps fails to start, which challenges a pressurizer PORV to open, resulting in a Condition III event.

LONF frequency of occurrence 5.1 1E-02/yr Probability of a LOOP 6.20E-04 Probability of losing instrument air (letdown) 1.0 Probability of losing of third AFW pump 6.72E-02 Probability that pressurizer PORV fails to open 3.94E-05 Annual frequency 8.39E-11/yr Probability of scenario occurrence 6.43E-12

NOC-AE-02001341 Attachment Page 6 of 10

2. Same scenario as described above, but crediting operator action to recover instrument air and letdown.

LONF frequency of occurrence 5.11E-02/yr Probability of a LOOP 6.20E-04 Probability of losing instrument air (letdown) 1.45E-0 1 Probability of losing third AFW pump 6.72E-02 Probability that pressurizer PORV fails to open 3.94E-05 Annual frequency 1.22E-11/yr Probability of scenario occurrence 9.33E-13 Thus, the robust STP design ensures that violation of the Condition II event criteria is extremely unlikely and therefore not considered.

STPNOC is also considering the following compensatory actions to be incorporated for the 28 day AFW AOT:

"* Ensure the work schedule contains no planned maintenance on required systems, subsystems, trains, components, and devices that depend on or that affect the remaining AFW motor-driven pump trains.

"- Ensure the work schedule contains no planned maintenance activities in the switchyard that could directly cause a loss of offsite power event. Maintenance activities identified after the extended allowed outage time begins that are required to ensure the continued reliability and availability of the offsite power sources are permitted.

"* If the plant is in Mode 1, 2, or 3, then verify the work schedule contains no planned maintenance on the turbine-driven auxiliary feedwater pump.

"° Ensure the work schedule contains no planned maintenance that would result in the essential cooling water system and the systems it supports being declared non-functional.

"* Ensure the work schedule contains no planned maintenance that would result in an inoperable open containment penetration.

"* Ensure the work schedule contains no planned maintenance on switchgear IL or 1K (Unit

1) or switchgear 2L or 2K (Unit 2) in the affected unit.

"* Ensure the work schedule contains no planned maintenance on the 138 kV emergency transformer.

These are very similar to the compensatory actions taken in case of an extended AOT for a standby diesel generator, the essential cooling water system, or the essential chilled water system. Adoption of such compensatory actions will offset the increased risk of allowing a 28 day AOT and will be implemented when it is recognized that maintenance on a motor-driven AFW pump will last for more than 14 days.

NOC-AE-02001341 Attachment Page 7 of 10

4. Given the single failure vulnerability identified in RAI 1 coupled with the "Issue Discovery" described in your submittal (3 out of 4 AFW pumps needed to prevent pressurizer overfill), discuss how the AFW system meets its original design bases, including the single failure criterion.

Response

Licensing Basis and Design Basis The LONF event is classified as an ANSI Condition II event, a fault of moderate frequency.

Condition II occurrences include incidents, any one of which may occur during the calendar year for a particular plant.

The Standard Review Plan described in NUREG-0800 identifies the acceptance limits for the LONF. The applicable parameters are:

1. Pressure in the reactor coolant and main steam systems should be maintained below 110% of the design values.
2. Fuel cladding integrity shall be maintained by ensuring that the minimum DNBR remains above the 95/95 DNBR limit.
3. An incident of moderate frequency should not generate a more serious plant condition without other faults occurring independently.

Consistent with UFSAR Chapter 15 analysis requirements, the event must also consider the limiting single active failure and a LOOP coincident with reactor trip.

The DNBR aspects of the LONF event are bounded by other Condition II events. The complete LONF event does not result in an increase in reactor power and therefore does not result in fuel pellet melting. The rate of pressurizer pressure increase associated with this event is sufficiently slow that it does not exceed the capabilities of the SG and pressurizer PORVs and safety valves.

Therefore, fuel failure and over-pressurization of the RCS are not issues for this event.

The complete LONF event in conjunction with a LOOP will result in heating the primary system, which will result in an increase in pressurizer water level such that the pressurizer could become water solid. Safety valves comparable to the STP pressurizer safety valves were tested by EPRI (NUREG-0781, Supplement 4). Difficulties in valve closing were encountered from time to time during the cold-loop-seal tests. In most cases, galled guiding surfaces and damaged internal parts were discovered. Thus, after passing water, the STP pressurizer safety valves could become stuck open, leading to a small break LOCA, which is a Condition 111event. This propagation to a more serious fault would violate the acceptance criteria for a Condition II event.

The Class IE-powered, safety-related pressurizer PORVs are sized to keep RCS pressure below the pressurizer safety valve setpoint. However, the safety analysis does not take credit for the pressurizer PORVs. Therefore, the analysis for this event must show that the pressurizer does not become water solid.

NOC-AE-02001341 Attachment Page 8 of 10 Discussion of the Analysis The LONF accident could be initiated by events such as a pump failure, valve malfunction or a LOOP. The SG water inventory is reduced until a SG water level low-low signal is received. At that time, the reactor is automatically tripped and AFW is automatically initiated to the "B" and "C" steam generators within 60 seconds. The limiting single failure for this event is the failure of the "A" ESF actuation train, which would result in the failure of AFW trains "A" and "D" to automatically start. The limiting case also assumes a LOOP. The instrument air compressors are powered by non-safety power sources, so credit is not taken for instrument air, which results in the loss of letdown flow.

To preclude the pressurizer from becoming water solid, the operator must ensure AFW flow to at least three SGs. This is accomplished by manually starting either the "A" or "D" AFW pump from the control room. Taking credit for a 30-minute operator response time was evaluated under 10CFR50.59 and was found to not require prior NRC approval. The current Model E analysis assumes the action is completed in 30 minutes. For the current Delta 94 SG analysis, this response time for this action was reduced from 30 minutes to 15 minutes in order to ensure the pressurizer will not go water solid.

In support of the reduction in operator response time to perform this action assumed in the Delta 94 SG analysis, testing of the operators to perform this action within 15 minutes was demonstrated as part of the validation of the Revision 17 of Procedure OPOP05-EO-ESOI on the simulator. The validation continues to apply to the current version of the procedure (Rev. 18).

The validation package for the Revision 18 of procedure OPOP05-EO-ESO1 documents that no simulator validation was required for the changes associated with the transition from Revision 17 to Revision 18 of the procedure.

The results of the analysis show that the initiation of the third train of AFW terminates the rise of the pressurizer water volume. The peak pressurizer water volume of 2,006 ft3 occurs at 1881.6 seconds (31.36 minutes) for the Model E SG and 2,040 ft3 at 995 seconds (16.58 minutes) for the Delta 94 SG design. This is below the acceptance limit of 2,100 ft3, indicating the pressurizer is not water solid.

The results demonstrate that the pressurizer will not overfill for the limiting LONF scenario.

Thus, the plant meets the original design basis.

5. In a previous submittal dated February 1, 1990, you proposed a risk based revision to the AFW TS that would have increased the AOT for the AFW pumps from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 10 days. In Table 1, of Attachment 1 to that submittal, you indicated that the proposed change, combined with an increase in the surveillance interval from 31 days to 92 days, resulted in a 30.4 percent increase in the associated risk. Since that proposed change was based on needing only two AFW pumps to keep from going solid, explain why your current proposed change to a 28 day AOT (plus 3 pumps to keep from going solid) does not result in a greater than 30 percent change in the associated risk.

NOC-AE-02001341 Attachment Page 9 of 10

Response

The 1990 AFW Technical Specification change request was based on the PRA that existed in 1989. It used extremely conservative criteria for the effects of the AOT and the increased surveillance test interval increases. For example, all maintenance was assumed to require the full ten days and all demand failures were assumed to consist of standby failures, which resulted in a increase in the demand failure rate by a factor of three. Core damage frequency in the 1989 model was approximately 1E-04 per reactor year. The current core damage frequency is approximately 1.2E-05 per reactor year. The earlier PRA did not include plant-specific data for equipment failure, initiating events, and maintenance. The current PRA model includes plant specific data from more than 20 plant-years of operation. The earlier PRA did not credit alternate sources of offsite power through the emergency transformer; the current PRA does.

The earlier PRA did not include the effects of the aggressive on-line maintenance program explicitly in the PRA, which resulted in maintenance cross-product terms that affected the results significantly. The current PRA explicitly includes the effects of the aggressive on-line maintenance program, which when combined with the decrease in unplanned maintenance unavailability reduces the effects of the maintenance cross-product terms.

Although the overall PRA model structure has remained constant, model enhancements coupled with data updates have significantly reduced the total core damage frequency and the effects of AFW system unavailability to the total core damage frequency.

6. Please verify (and discuss why) the proposed changes, including the need for three pumps, have no significant effect on the AFW unavailability analysis in Chapter 1OA of your USAR.

Response

The reliability evaluation of the AFW system described in UFSAR Appendix 10A was performed in a manner consistent with NUREG-061 1. Although the failure data were derived from NUREG-0611, secondary sources of failure data were WASH-1400, NUREG/CR-1362, and the Zion Probabilistic Safety Assessment. The success criteria used for all three of the NUREG-0611 initiating events required that there be a minimum AFW flow of 500 gpm (i.e.,

flow from one AFW pump) delivered to at least one SG. The current requirement for three AFW pumps following a LONF/LOOP is based on providing sufficient cooling to the reactor coolant system to prevent the pressurizer from going water solid. The UFSAR Appendix 10A analysis does not evaluate prevention of the pressurizer going water solid.

The UFSAR Appendix 10A analysis was not an integrated probabilistic risk evaluation of the AFW system, although it did include standby diesel generator (SDG) unavailability and actuation signal unavailability. The analysis does not include the following major elements, which most contemporary PRA analyses include:

"* common cause failure

"* room cooling failure

"* other support system failures (e.g., SDG cooling water)

NOC-AE-02001341 Attachment Page 10 of 10 The South Texas Project has a Level I/Level 2 PRA that includes external events. The external events portion contains a fir6, fl6od, and seismic PRA analysis. The PRA has been structured to have a comprehensive treatment of common cause failures and plant configurations. A detailed human reliability analysis is also included. The PRA uses plant-specific information from approximately 20 years of operation. Like UFSAR Appendix I1A, the PRA success criterion is for only one of four AFW pump trains to operate and deliver flow to it's respective intact SG.

In spite of the identified limitations, the AFW unavailability (per demand) presented in UFSAR Appendix IOA is approximately the same as the AFW unavailability (per demand) under similar conditions in the STP PRA:

LONF/ILOOP Station Black Out UFSAR Appendix 1OA 2.93E-06 3.93E-02 Current STP PRA 1.85E-06 5.80E-02 PRA with proposed change 2.28E-06 5.80E-02 Note that one significant reason for the limited effect on core damage frequency from the proposed change to the Technical Specifications is that the steam-driven AFW pump is not affected by the proposed change.

Regardless of the differences in AFW unavailability, the proposed change results in a change of 1.512E-06 in core damage frequency, which meets the Regulatory Guide 1.174 definition of a small change.

Retrieved from "https://kanterella.com/w/index.php?title=NOC-AE-02001341,_Response_to_Request_for_Additional_Information_(TAC_Nos._MB3586_%26_MB3590)&oldid=2692821"