Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank (RWT) Transfer Volume

ML12229A125
Person / Time
Site:	Palo Verde
Issue date:	08/03/2012
From:	Mims D Arizona Public Service Co
To:	Document Control Desk, Office of Nuclear Reactor Regulation
References
102-06583-DCM/RAS/CJS
Download: ML12229A125 (25)
v • d • e

Text

ZA subsidiaryof Pinnacle West CapitalCorporation Dwight C. Mims Mail Station 7605 Palo Verde Nuclear Senior Vice President Tel. 623-393-5403 P.O. Box 52034 Generating Station Nuclear Regulatory and Oversight Fax 623-393-6077 Phoenix, Arizona 85072-2034 102-06583-DCM/RAS/CJS August 3, 2012 ATTN: Document Control Desk U.S. Nuclear Regulatory Commission Washington, DC 20555-0001

Dear Sirs:

Subject:

Palo Verde Nuclear Generating Station (PVNGS)

Units 1, 2, and 3 Docket Nos. STN 50-528, 50-529, and 50-530 Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank (RWT) Transfer Volume By letter no. 102-06099, dated November 30, 2009 [Agencywide Documents Access and Management System (ADAMS) Accession No. ML093450485] and request for additional information response, letter number 102-06228, dated July 22, 2010 (ADAMS Accession No. ML102150036), Arizona Public Service Company (APS) submitted a license amendment request which was approved by the NRC staff by Amendment No.

182, dated November 24, 2010 (ADAMS Accession No. ML102710301).

By letter dated May 16, 2012 (ADAMS Accession No. ML121030640), the NRC issued a request for additional information (RAI) regarding this matter. APS contacted the NRC Project Manager on July 11, 2012, and received an extension until August 7, 2012. The enclosure to this letter contains the response to the RAI.

No commitments are being made to the NRC by this letter. Should you need further information regarding this response, please contact Russell A. Stroud, Licensing Section Leader, at (623) 393-5111.

Sincerely, DCM/RAS/CJS/hsc A member of the STARS (Strategic Teaming and Resource Sharing) Alliance Callaway 0 Comanche Peak 0 Diablo Canyon 0 Palo Verde 0 San Onofre 0 South Texas 9 Wolf Creek

Continuation Paqe 102-06583-DC M/RAS/CJS August 3, 2012 U.S. Nuclear Regulatory Commission RAI Response related to License Amendment 182 Page 2

Enclosure:

Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume cc: E. E. Collins Jr. NRC Region IV Regional Administrator L. K. Gibson NRC NRR Project Manager for PVNGS M.A. Brown NRC Senior Resident Inspector for PVNGS

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume Enclosure Includes:

Attachment 1: FIGURE 1 - Sketch of PVNGS RWIT Vortex Suppressors Attachment 2: FIGURE 2 - Sketch of PVNGS RWIT Vortex Suppressors Attachment 3: FIGURE 3 - Sketch of PVNGS RWT Vortex Suppressors : PVNGS Engineering Study 13-ES-A037, Revision 0, Fault Tree Analysis and Reliability Evaluation for Low Pressure Safety Injection (LPSI) Pump Trip at the RecirculationActuation Signal (RAS) : PVNGS Engineering Study 13-NS-C089, Revision 0, PRA Evaluation of LPSI Pump Failing to Trip on RAS

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume Introduction By letter no. 102-06099, dated November 30, 2009 [Agencywide Documents Access and Management System (ADAMS) Accession No. ML093450485] and request for additional information response, letter number 102-06228, dated July 22, 2010 (ADAMS Accession No. ML102150036), Arizona Public Service Company (APS) submitted a license amendment request (LAR) for Palo Verde Nuclear Generating Station (PVNGS),

Units 1, 2, and 3. The LAR was approved by the U.S. Nuclear Regulatory Commission (NRC) staff by License Amendment (LA) No. 182, dated November 24, 2010 (ADAMS Accession No. ML102710301). LA 182 was implemented at PVNGS on January 26, 2011.

By letter dated May 16, 2012, (ADAMS Accession No. ML121030640) the NRC issued a request for additional information (RAI) regarding this matter. APS contacted the NRC Project Manager on July 11, 2012, and received an extension until August 7, 2012. This enclosure is the APS response to the NRC RAI.

The purpose of LA 182 was to resolve a long-standing issue (Inspection Report 2005-12, dated January 27, 2006, ADAMS Accession No. ML060300193) which questioned the adequacy of the original PVNGS design with regard to air entrainment from the Refueling Water Tank (RWT). Specifically, LA 182 modified the PVNGS design basis and current licensing basis, including the Technical Specification set-points for the RWT.

During the period following the 2006 inspection and until LA 182 was implemented, the justification for system operability did not rely upon manual actions. The justification was based upon an evaluation of the dynamic conditions during the RVWT drawdown period without crediting operator action to isolate the tank. The evaluation concluded that RVWT suction flow stops and transitions to full suction flow from the containment emergency recirculation sump(s) prior to the point where significant (bulk) quantities of air are entrained in the RWT suction pipe. Though some air could be entrained, there would be no degradation of the Emergency Core Cooling System (ECCS) pump performance during suction transfer.

A number of design alternatives were considered to address the potential for air entrainment from the RVVT. The LAR was the result of the assessment of the design options. The design alternatives considered included:

• Automatic closure of the RWT outlet valves

" Automatic containment spray system logic

" New larger capacity RWT

" Reconfiguration of the RWT over-flow line to increase RWT volume

" Raising the Recirculation Actuation Signal (RAS) set-point and minimum RWT level, modifying the RWT level instrumentation and vent line, excluding a single failure of a Low Pressure Safety Injection (LPSI) pump failing to trip on RAS, and 1

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume crediting operator action to isolate the RWT outlet valves, as a time critical operator action Following extensive internal and external reviews, that addressed the reasonableness of the approach, the last alternative was selected. To implement the selected alternative and to support the LAR, APS completed:

" RAS reliability and Probabilistic Risk Assessment (PRA) studies (Studies 13-ES-A037 and 13-NS-C089, provided as Attachments 4 and 5 of this Enclosure).

• ANSI 58.8, Time Response Design Criteriafor Safety-Related OperatorActions, was used as the guidance document to establish the design time necessary for the time critical operator action to close the RWT outlet valves (included in Study 13-MS-B094, provided in APS letter dated July 22, 2010).

• Simulator tests were conducted utilizing a procedure consisting of a critical operator action to close the RWT outlet valves to validate margin to the design time (also included in Study 13-MS-B094).

The selected design alternative eliminated the potential for air entrainment by ensuring a larger transfer volume in the RWT. The design change demonstrated adequate operator action times and formed the basis for the LAR, which became LA 182. An objective of the LAR was to ensure a consistent, simple set of post-RAS operator actions for the full spectrum of loss of coolant accident (LOCA) break sizes. Air entrainment is only a concern for a limited range of smaller postulated LOCA break sizes for the following reasons:

" For large LOCAs, air entrainment is not a concern, even with a LPSI pump failure to trip, as the ECCS flow from the containment sump (due to containment pressure and physical elevations) would preclude continued pump-down of the RWT after RAS.

• For smaller LOCAs, the time to reach RAS can be long and could include manual trips of the Containment Spray (CS) and LPSI pumps in advance of the RAS, in accordance with the Emergency Operating Procedures (EOPs). A reduced pump flow rate increases the available operator action time to isolate the RWT after RAS.

• Some small break LOCAs do not result in containment spray injection due to containment pressure not reaching the CS actuation setpoint. For these scenarios, the pump-down rate after RAS is significantly reduced, providing additional time for operator action to isolate the RWT.

2

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume Recognizing the impracticality of quantifying every potential break scenario and event progression, APS conservatively applied design assumptions and neglected other sources of margin, relative to air entrainment, as follows:

" Established RWT level such that it would not go below the vortex breakers as part of the design basis. This precludes any air entrainment, as compared to only ensuring non-damaging quantities of air entrainment.

" Assumed pump runout flow rates. For smaller break sizes where air entrainment could be a potential concern, pump flow rates would be less.

• Assumed operator action times based on industry guidance (ANS/ANSI-58.8-1984), which are conservative relative to actual times demonstrated at the PVNGS simulator.

" Assumed conservative stroke times for closure of RW-I- isolation valves.

• Ignored the timing of expected operator actions to trip the LPSI and CS pumps for some small break LOCAs prior to RAS.

" Once RAS has occurred and the containment emergency recirculation sump suction valves are opened, engineered safety feature (ESF) pump suction flow will begin to be split between the emergency recirculation sump and the RWT.

Any flow from the emergency recirculation sump will have the effect of providing greater operator action time to isolate the RWT outlet valves, because it would reduce the drawdown rate of the RWT.

APS recognized that for a fixed RWT volume, any change that would increase the transfer volume to address the air entrainment concern applicable to a limited range of smaller break sizes would also decrease the injection volume for all break sizes.

Considering the conservatisms described above and the robust LPSI pump trip circuit design demonstrated by engineering analysis, a LPSI pump single failure to trip on RAS was not included in the transfer volume sizing design basis.

NRC Request 1 Page 2 of the license amendment request (LAR) dated November 30, 2009 (ADAMS Accession No. ML093450485), stated that evaluation of the failure of a low pressure safety injection (LPSI) pump to "automatically stop, as designed, on a RAS [recirculation actuation signal] .... has a minimal probability of occurrence and its increased effect on risk to the plant is not significant. Therefore, the previously analyzed single failure remains the licensing basis bounding failure." The U.S. Nuclear Regulatory Commission (NRC) staff understands the licensee's views that the failure of the LPSI pump to 3

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume automatically trip does not have to be considered as a single failure because it has a "minimal probability."

Title 10 of the Code of FederalRegulations (10 CFR), paragraph 50.55a(3)(h)(2),

"Protection systems," states that for nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, protection systems must meet the requirements stated in either Institute of Electrical and Electronics Engineers (IEEE)

Std. 279, "Criteria for Protection Systems for Nuclear Power Generating Stations," or in IEEE Std. 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995. SECY-05-0138, "Risk Informed and Performance-Based Alternatives to the Single-Failure Criterion," dated August 2, 2005 (ADAMS Accession No. ML051950619) "Guidance for Implementing the Single Failure Criterion," states that Regulatory Guide 1.53, Revision 2, "Application of the Single-Failure Criterion to Safety Systems," November 2003 (ADAMS Accession No. ML033220006), describes the application of the single failure criterion to safety systems and discusses related industry standards IEEE Std. 279-1971, IEEE Std. 603-1991, and IEEE Std. 379-2000. Standards 279 and 603 present minimum functional design standards for nuclear plant "protection" and "safety" respectively. Both standards require that safety systems satisfy the single failure criterion and refer to IEEE Std. 379 for guidance on applying the single failure criterion (Section 2.2 of Attachment to SECY-05-0138).

SECY-05-0138 further states that the IEEE standards provide guidance for systematically approaching the analysis of single failures to safety systems. They also offer guidance on selecting "credible" events and failures to include in these analyses.

Both IEEE Std. 603-1991 and IEEE Std. 379-2000 state that the single failure criterion is to be applied to "credible" events and failures, where probabilistic assessments may be used to assist in establishing credibility. IEEE Std. 379-2000 states a position on excluding particular failures from single-failure analysis, as follows:

A probabilistic assessment shall not be used in lieu of the single failure analysis.

However, reliability analysis, probability assessment, operating experience, engineering judgment, or a combination thereof, may be used to establish a basis for excluding a particular failure from the single failure analysis.

Please explain how not addressing the failure of the LPSI pump to trip on RAS is consistent with the regulations or, if you determine that your approach is not consistent with the regulations, then (a) describe your planned actions to bring your plants into compliance and (b) provide a commitment and schedule to achieve compliance.

APS Response to NRC Request 1 The limiting single failure with respect to RVVT transfer volume is described in the UFSAR as failure of an ESF train to realign to the containment sump at a RAS. A probabilistic assessment was used to establish a basis for excluding the particular 4

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume failure of a LPSI pump to trip on a RAS such that the single failure analysis, as currently provided in the UFSAR, is unchanged.

Not including a single failure of the LPSI pump to trip on RAS is consistent with the regulations, as described in the following paragraphs. Because the APS approach is consistent with the regulations, no planned actions to bring PVNGS into compliance or commitments or schedules to achieve compliance are provided.

The PVNGS design and licensing was based, in part, on ANS-51.1/ANSI N18.2, 1973, Nuclear Safety Criteria for the Design of Stationary PressurizedWater ReactorPlants, which indicates that the single failure criterion is to be applied to engineered safety features systems, but lacks specific direction as to how single failure analyses are to be performed.

In addition to PVNGS licensing, the CE System 80 licensing process included consideration of the RWT volume transfer allowance during the time needed to complete the transfer process from injection to re-circulation (Response to NRC Question 400.22).

Following a Special Inspection (2004-14; dated January 5, 2005, ADAMS Accession No. ML050050287) related to the RAS sump piping not being maintained full of water, during a separate inspection (2005-12, dated January 27, 2006, ADAMS Accession No. ML060300193; see NCV 2005-12-01, Improper Design Control for ECCS Sump and RWT Swapover) the NRC questioned the adequacy of the PVNGS design with regard to air entrainment from the RWT. When addressing this NRC issue, APS wanted a consistent, simple set of post-RAS operator actions that would address the entire spectrum of LOCAs, including large and small breaks.

The design effort to address the inspection issue was performed with the benefit of the guidance of consensus standards that were finalized after PVNGS was licensed; specifically, ANS 51.7, 1976 (ANSI N658), Single Failure Criteriafor PWR Fluid Systems and ANSI/ANS 58.9, 1981, Single Failure Criteriafor Light Water Reactor Safety-Related Fluid Systems. Section 4 of these standards is entitled Exemptions and describes the process for the designer to justify not applying the single failure criterion.

Precedent has been that 'exemptions' implemented under these standards are not processed as regulatory exemptions pursuant to 10 CFR 50.12.

Precedents include ASME Code safety relief valves on the primary system, and, in certain cases, passive accumulators or 'safety injection tanks' that are used for mitigating large break LOCAs. These special cases are typically captured in the Technical Specifications and Bases, and approved by the NRC staff.

The APS LAR, which became LA 182, was intended to exclude a post-RAS single failure of a LPSI pump to trip. In addition, the LAR increased the levels in the RWT to establish greater margin. The approach used by APS is consistent with NRC guidance 5

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume in SECY-05-0138, which provides guidance on using IEEE Standards 379-2000 and 603-1991 in single failure analyses. The APS basis for excluding a failure of a LPSI pump to trip on the RAS signal is based on the following:

• A realistic hydraulic analysis showing minimal impact to the unaffected train where only the High Pressure Safety Injection (HPSI) and CS pumps remain in operation after a RAS, as designed.

" A PRA showing that consequences of either a single or a dual train failure due to common-cause of both LPSI pumps to trip is insignificant [much less than 1E-7 core damage frequency (CDF) and no measureable change in large early release frequency (LERF)], even without crediting operator action.

" A margin evaluation of the operator action showing a high likelihood of operator success in isolating the RWT in sufficient time, given the modified RAS setpoint, to preclude air entrainment assuming a LPSI pump fails to trip.

Together, these factors provide a sufficient and diverse basis for excluding a single failure of a LPSI pump to trip on a RAS.

Testing of operating crews at the PVNGS simulator demonstrated that isolation of the RWT could be accomplished within the reduced time that would be available if the pump down rate included a LPSI pump operating at its maximum (runout) flow rate (i.e., single failure of a LPSI pump to trip is assumed). The operating crew simulator data provides additional assurance that the APS approach is protective of public health and safety.

The LAR approach is consistent with the regulations, specifically 10 CFR 50.55a(h)(2) and 10 CFR 50.55a(h)(3). Both regulations invoke IEEE Standard 603-1991. The regulations require that protection systems meet the requirements stated in either IEEE Standard 279 or IEEE Standard 603-1991.

The Single-Failure Criterion section of IEEE Standard 603-1991 (Section 5.1) references IEEE Standard 379-1988 for guidance on the application of the single-failure criterion. Both IEEE Standards 603-1991 and 379-1988 provide that a probabilistic assessment may be used to demonstrate that certain postulated failures need not be considered in the application of the single failure criterion.

Specifically, IEEE Standard 379-1988 (Section 6.3) states:

"The performance of a probabilistic assessment of safety systems may be used to demonstrate that certain postulated failures need not be considered in the performance of the single failure analysis. A probabilistic assessment is intended to eliminate consideration of events and failures that are not credible; it shall not be used in lieu of the single-failure analysis. ANS/IEEE Std 352-1987 provides guidance for probabilistic risk assessment."

6

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume The PVNGS approach described in the LAR, of evaluating system single failures in failure modes and effects analysis and then using probabilistic assessments to eliminate consideration of the LPSI pump failure to trip event as not credible, is consistent with the regulations and the underlying industry standards. The approach is also consistent with the later standard (IEEE 379-2000) mentioned in RAI Request 1 and in SECY 0138.

IEEE Standard 379-1988 makes reference to IEEE Standard 352-1987 regarding fault tree analysis. The PRA performed for License Amendment 182 used PVNGS Internal Events PRA model, Revision 16. This PRA model is consistent with the guidance in IEEE Standard 352-1987 and has been assessed for quality consistent with NRC Regulatory Guide 1.200, Revision 1, as described in License Amendment 188, which approved Technical Specification Task Force (TSTF) Traveler 425, Revision 3, Relocate Surveillance Frequenciesto Licensee Control - Risk Informed Technical Specification Task Force (RITSTF) Initiative 5b, for PVNGS.

NRC Request 2 Please provide the actual stroke times for refueling water tank (RW-T) isolation valves CH-530 and CH-531 and explain how these times were determined. Please provide the times assumed in the analysis as described on page 11 of the LAR dated November 30, 2009.

APS Response to NRC Request 2 The close stroke times for the RWT isolation valves CH-530 and CH-531 for all three PVNGS Units are as shown below. These represent the time from hand switch operation (i.e., motor start) to torque switch trip as measured during the most recent Motor Operated Valve (MOV) diagnostic testing:

Valve Close Stroke Time

[secl 1-CH-530 28.2 1-CH-531 27.8 2-CH-530 27.5 2-CH-531 28.2 3-CH-530 28.3 3-CH-531 27.6 The stroke time assumed in the RVWT transfer volume sizing analysis is 1 minute per valve. This represents the time from hand switch operation to isolation of flow. Flow isolation occurs before torque switch trip.

7

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume NRC Request 3 The allowable time for operator action is based on a minimum RWT level that precludes air entrainment. Page 12 of the LAR dated November 30, 2009, states that the RAS setpoint was established to ensure sufficient volume is available after an RAS to credit closure of the RWT discharge valves before the RWT vortex breaker becomes uncovered. Please (a) describe the vortex suppressors, (b) include a sketch of their installation in the RWTs, and (c) provide experimental evidence that establishes their effectiveness in preventing air entrainment.

APS Response to NRC Request 3 (a) The vortex suppressors are constructed of a wire cloth (screening) that is mounted between sections of stainless steel grating on all sides. The grating is 1/8" x 3/4" at 1-3/16" centers with crossbars at 4". The wire cloth in between the grating has a 0.09" opening. Both the wire cloth and the grating function to suppress the vortex.

The wire cloth provides a fine screen to catch particles that could be transported with the flow and also helps to impede any swirl flow that could potentially be induced in the RWT as the level decreases. The stainless steel grating provides a large "surface roughness" that projects into and interferes with any large scale circulation pattern, which disrupts coherent swirl that could be initiated during the RWT draindown. These vertical and horizontal protrusions on all sides of the vortex suppressor act to counter any significant vortex formation and 'gulping' of air when the level is above the suppressor device.

(b) See Figures 1-3 (Attachments 1, 2, and 3 of this submittal) for sketches of the installation of the vortex suppressors in the RWT.

(c) Experimental evidence that establishes the effectiveness of the vortex suppressors in preventing air entrainment is as follows:

1. NUREG/CR-2758, G.G. Weigand et al., A ParametricStudy of Containment Emergency Sump Performance, (SAND 82-0624), USNRC, July 1982, studied the influence of a cage-type vortex suppressor similar to that used in the Palo Verde RWT. These sump suction experiments used typical plant piping diameter and sump suction flow rates. It was observed that without the vortex suppressor in place, significant Type 6 vortices (full air core to intake) were developed that were sufficient to ingest air beneath the water surface and into the suction piping. With the vortex suppressor installed, the authors note that the only vortex that was observed was one of minor dimples that had no air ingestion associated with the vortices (Type 2 vortices).

The vortex suppressor used in the experiment was made from 1" floor grating.

However, the RWT vortex suppressor is fabricated of back-to-back sections 8

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume of 3/4" grating (effectively 1-1/2") with wire cloth in between. Hence, the RWT vortex suppressor has both deeper 'vanes' to break up circulatory flows and wire screen to aid in limiting any vortex formation. Consequently, it is concluded that the RWT design is a more efficient vortex suppressor than those tested in the containment sump studies.

2. NUREG/CR-2759, M. S. Krein et al., A ParametricStudy of Containment Emergency Sump Performance: Results of Vertical Outlet Sump Test, USNRC, 1982, investigated the influence of a cage-type vortex suppressor for vertically downward suction flows. These vortex suppression tests were performed for the "single worst test for each of the two perturbed flow configurations." It was observed that the cage-type vortex suppressor, which was placed over each of the outlet pipes, reduced the average void fraction to zero and also reduced the average loss coefficient. Additionally, a second set of tests was performed using a vortex suppressor consisting of a single piece of 1-1/2" floor grating laid horizontally over the entire sump area. It was observed that the vortex suppressor reduced the average void fractions to zero in both horizontal suction cases.

The experimental data was obtained for a suction velocity of over 15 ft/sec, whereas the suction velocity for the Palo Verde RWT is nominally approximately 7 ft/sec. Even if a LPSI pump failed to trip, the suction velocity would be approximately 13 ft/sec, which is less than the tested values.

These experiments demonstrate that the flow impedance caused by the vertical vanes in the cage is sufficient to disrupt the circulatory flows needed for vortex formation. Since vortex formation typically begins at the surface and propagates downward, the closer the vanes are to the water surface, the more effective they become. Consequently, while these experiments were performed with the cage suppressor submerged by 2 and 5 feet, this influence on prevention of vortex generation would be applicable for submergence levels down to the top of the cage.

Given the similarity of the Palo Verde vortex suppressor design to the test apparatus and the observations from large-scale tests for two different suction configurations, it is concluded that the RWT vortex suppressors are effective in preventing air intrusion due to vortex formation.

NRC Request 4 While discussing LPSI pump failure to trip on RAS, page 16 of the LAR dated November 30, 2009, states, in part, that:

9

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume The fault tree included all events or combination of events (including those in the operating environment) that could result in a failure mode in which one or more of the LPSI pumps fails to stop at a RAS .... Based on this fault tree analysis, the engineering evaluation determined the potential increase in core damage and large early release risk posed by the failure of a LPSI pump to trip on a RAS that could result in enough air being drawn into the suction of the ESF [Engineered Safety Features] pumps to render them unavailable.

a. Please state clearly if the analysis is based on one LPSI pump to trip on RAS or both. If it is one pump, please explain why both pumps cannot fail to trip on RAS.

If it is both pumps, please explain what the implications are where one pump was assumed to trip in the simulator runs.

b. Please describe the criteria used for determining the amount of air that would render ESF pumps unavailable.

c. Please describe the methodology used to analyze gas transport to determine the behavior of gas that reached the pumps.

d. The LAR dated November 30, 2009, seems to imply that the changes stated in the LAR are being implemented to preclude the potential for air entrainment in the Emergency Core Cooling System (ECCS) and Containment Spray (CS) pump suction piping from the RWT. There appears to be an inconsistency since the event tree description appeared to allow gas to reach pumps. Please explain.

APS Response to NRC Request 4

a. The PRA includes the potential that one or both LPSI pumps fail to trip on RAS, either due to independent random failures or due to a common cause. The PRA is based on realistic hydraulic analyses that indicate a LPSI pump failure to trip can only potentially impact the affected train, not the redundant train. The 95th percentile failure rates were used for the pump trip failures, and a conservative screening value was used for a common cause factor affecting both trains. In the PRA, the conservative modeling assumption was made that both ECCS and CS would fail if the respective LPSI pump of same train fails to trip. Thus, the results include combinations of failures with either one or both trains failing.

The PRA modeling is different than the simulator scenario, because the simulator modeling demonstrates the operators can mitigate the LPSI pump failure to trip by closing the RWT outlet valves in sufficient time. The PRA modeling does not take credit for the operator action to close the RWT outlet valves.

b. For the fault tree analysis, continued function of the ESF pumps is based on the results of a best estimate analysis, which evaluated the potential for air intrusion in the RWT suction piping during transfer of the ESF pump suction following a 10

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume LOCA. The criterion for determining the amount of air that would render the ESF pumps unavailable in this analysis is an inlet void fraction of greater than 2 percent.

c. The analysis evaluated the dynamic hydraulic mechanisms associated with suction transfer, including the decrease in RWT water level, the potential for air intrusion into the suction pipe, the onset of open channel flow, deceleration and stagnation of the water flow in the RWT suction piping, and the long-term transfer of the suction flow to the containment sump. The analysis assumptions included maximum HPSI and CS pump flow rates (the LPSI pump was assumed to stop at RAS) and no containment over-pressure.

The analysis concluded from manometric analysis and the as-built plant configuration that the water level in the first down leg of the RVVT suction piping would never be completely voided. Hence, there is no condition in which the RVVT suction piping would be completely voided and air drawn into the pump suction header. However, there are dynamic conditions that could create two-phase flow patterns where bubbly flows could be produced that could transport air through parts of the suction piping.

As the water level drops below the vortex breaker, there is the potential for continual air flow to be supplied to the horizontal pipe, and the flow from the RW-IT begins to transition into open channel flow. With the onset of open channel flow, the gravity-driven flow from the RW-T must keep up with the flow demand of the pump or a separation region (kinematic shock) will develop in the first elbow where the flow turns from horizontal to vertical downward flow. With the kinematic shock formed, the water flow from the horizontal pipe into the vertical pipe initiates entrainment of air bubbles and recirculation as the waterfall enters the top of the water column. If some amount of air is eventually transferred downward to a sufficient depth, it could begin to enter the first horizontal piping segment after the vertical run.

Stratification of the flow can be assessed by comparing the translational velocity with the bubble rise velocity. If the vertical displacement due to the bubble rise velocity reaches the top of the pipe before the translational velocity would transfer this to the end of the pipe, then air would accumulate along the upper surface of the pipe. The analysis conservatively assumed that an air layer of 1 inch (5 times the calculated value) develops at the top of the horizontal piping segment after the vertical run and concluded that this air gap produces a 2 percent void fraction in the pipe. Hence, assuming that this conservatively large void fraction were transmitted to the pumps (thereby further assuming conservatively that the air and water have the same velocity), this void fraction would not render the ESF pumps unavailable.

11

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume As stated above, the engineering analysis did not consider the additional flow rate from a LPSI pump since it assumed the pump stops at RAS. If a LPSI pump failed to trip at RAS, the amount of air transported to the ESF pump suction as evaluated would be affected. Thus, it is assumed for the fault tree analysis that the failed ESF train (with the running LPSI pump) is unavailable. However, since the Palo Verde design consists of one suction pipe from the RWT to the Train A ESF pumps and a separate suction pipe from the RWT to the Train B ESF pumps, the pump flow rate and gas transport evaluation for the unaffected train (with only a HPSI and CS pump running) would remain consistent with the analysis, which demonstrated that the pumps remain available.

d. The RWT setpoints are established in the design analyses to ensure suction transfer to the emergency recirculation sump before the water level in the RWT drops below the top of the vortex breaker, which precludes air entrainment from the RW-I-. The supporting PRA made the conservative assumption that air entrainment would occur if the LPSI pump did not trip, and that the air would result in failure of the pumps in that train. This was necessary to show any risk impact at all. It was not meant to represent the as-built plant, nor the modified plant. Thus, the PRA showed that even with this conservative modeling, the risk increase from air entrainment is very small.

NRC Request 5 Technical Specification Bases Section B 3.5.5 states:

The High Pressure Safety Injection (HPSI), Low Pressure Safety Injection (LPSI),

and containment spray pumps are provided with recirculation lines that ensure each pump can maintain minimum flow requirements when operating at shutoff head conditions. These lines discharge back to the RWT. The RW-T vents to the Fuel Building Ventilation System. When the suction for the HPSI and containment spray pumps is transferred to the containment sump, this flow path must be isolated to prevent a release of the containment sump contents to the RWT. If not isolated, this flow path could result in a release of contaminants to the atmosphere and the eventual loss of suction head for the ESF pumps.

It is not clear if the recirculation lines from the LPSI pumps also isolate when the suction of the LPSI pumps is transferred to the containment sump. Please explain if the LPSI recirculation lines are closed if an LPSI pump fails to trip.

APS Response to NRC Request 5 The LPSI pumps and their associated recirculation isolation valves within each division (there are two) are operated by different power sources and circuits within the same division. The RAS actions to trip the pump and close the isolation valve are actuated by 12

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume different contacts on different relays within the Engineered Safety Features Actuation System (ESFAS). The ESFAS actuation relays located in the auxiliary relay cabinets are separated into a pump group and a valve group for each actuation signal. Each actuation relay is responsible for the operation of corresponding component(s). This design precludes a single relay or contact failure from affecting both of these components (one pump and one valve). There is a completely separate division for the other train; this includes another ESFAS cabinet with two more relays for controlling the other pump and its associated isolation valve. In summary, the RAS function to close the LPSI recirculation isolation valve would be unaffected by failure of a LPSI pump to trip.

NRC Request 6 Please provide the NRC staff with the analyses of the LPSI pump failure to trip and operator response performed in support of the amendment request.

APS Response to NRC Request 6 APS letter number 102-06228, dated July 22, 2010, provided Study 13-MS-B094, OperatorAction Time for RWT Isolation After RAS, in response to RAI number 6 from Email dated April 26, 2010.

The following studies referenced in the APS LAR, dated November 30, 2009 (letter number 102-06099) are provided as Attachments 4 and 5 of this submittal.

PVNGS Engineering Study 13-ES-A037, Revision 0, Fault Tree Analysis and Reliability Evaluation for Low Pressure Safety Injection (LPSI) Pump Trip at the Recirculation Actuation Signal (RAS), dated October 2, 2009 PVNGS Engineering Study 13-NS-C089, Revision 0, PRA Evaluation of LPSI Pump Failing to Trip on RAS, dated October 1, 2009 NRC Request 7 Please provide a summary of the fault tree analysis including the assumed split fractions used in the event trees.

APS Response to NRC Request 7 The fault trees for each of the two containment sumps failing to provide sufficient flow to its respective train of ECCS and Containment Spray consist of:

13

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume

" Sump valve failure to open and remain open for the appropriate mission time (two MOVs and one check valve on each train)

• Failure of the ESFAS relays that open the sump MOVs

• Failures of the electrical power supplies to the sump MOVs

• Sump screen plugging (generic filter/strainer value from NUREG/CR-4550; Palo Verde has installed new sump screens to address GSI-191)

• Failure of the operator to close the RWT isolation valves if the check valves fail to seat (this is a common mode failure), which would allow containment pressure to push water back to the RWT (The Human Reliability Assessment for this action is based on back-flow, not air entrainment. The PRA did not credit operator action to prevent air entrainment.)

• Failure of the pump minimum flow recirculation to isolate on either train upon RAS (also a common mode failure), which would allow the running pump(s) to put water back into the RWT eventually draining the sumps causing loss of net positive suction head (NPSH)

" Events added for this analysis for failure of one or both LPSI pumps to trip on a RAS The LPSI pump trip failure is only modeled for large and medium-sized LOCAs, because RCS pressure remains high enough to preclude injection by the LPSI pumps during small LOCAs. (For PRA purposes, medium LOCA is a break size greater than 0.03 ft 2 area, or 1.38 inch equivalent diameter.)

No split fractions are used in the LOCA event trees, as PVNGS uses the linked fault tree methodology. All function events are success/failure nodes for the required systems, such as Safety Injection Tanks, High Pressure Safety Injection, Low Pressure Safety Injection, Containment Spray and Hot Leg Injection, where the respective system fault trees are used.

Overall, this is a conservative risk estimate, since:

• 9 5 th percentile values are used for the LPSI pump trip failure 0 A conservative common-cause failure probability of 0.1 was used (the alpha factor applied in the PRA model to similar pumps is 0.016)

• It assumes that failure of a LPSI pump to trip will definitely result in failure of ECCS and containment spray in that train due to air entrainment

• The LOCA frequency used in the PRA covers a larger break size range than is of concern for this failure

• No credit is taken for operator action to prevent air entrainment 14

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume NRC Request 8 Section 0.5 of Appendix C to Inspection Manual 9900, "Use of Temporary Manual Action in Place of Automatic Action in Support of Operability," states:

Automatic action is frequently provided as a design feature specific to each SSC [systems, structures, and components] to ensure that specified safety functions will be accomplished. Limiting safety system settings for nuclear reactors are defined in 10 CFR Part 50.36, "Technical Specifications," as settings for automatic protective devices related to those variables having significant safety functions. Where a limiting safety system setting is specified for a variable on which a safety limit has been placed, the setting must be so chosen that automatic protective action will correct the abnormal situation before a safety limit is exceeded.

Accordingly, it is not appropriate to consider SSCs operable by taking credit for manual action in place of automatic action for protection of safety limits. This does not forbid operator action to put the plant in a safe condition, but operator action cannot be a substitute for automatic safety limit protection.

Credit for manual initiation of a specified safety function should be established as part of the licensing review of a facility. Although the licensing of specific facility designs includes consideration of automatic and manual action in the performance of specified safety functions, not all combinations of circumstances have been reviewed from an operability standpoint.

For situations where substitution of manual action for automatic action is proposed for an operability determination, the evaluation of manual action must focus on the physical differences between automatic and manual action and the ability of the manual action to accomplish the specified safety function or functions.... The licensee should have written procedures in place and personnel should be trained on the procedures before any manual action is substituted for the loss of an automatic action.... One reasonable test of the reliability and effectiveness of a manual action may be the approval of the manual action for the same function at a similar facility. Nevertheless, a manual action is expected to be a temporary measure and to promptly end when the automatic action is corrected in accordance with 10 CFR Part 50, Appendix B, and the licensee's corrective action program.

This implies that manual actions are appropriate when they are part of the current licensing basis (CLB). Hence, it is not appropriate to consider SSCs operable by taking credit for manual action in place of automatic action for protection of safety limits when the automatic action is part of the CLB.

15

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume Please explain how the proposed manual actions are consistent with the above inspection manual statement.

APS Response to NRC Request 8 APS agrees that manual actions are appropriate when they are part of the current licensing basis (CLB). In addition, APS concurs that it is not appropriate to consider SSCs operable by taking credit for manual action in place of automatic action for protection of safety limits when the automatic action is part of the CLB.

The proposed manual actions are consistent with the above inspection manual statement in that the LAR process was used to alter the PVNGS CLB, pursuant to 10 CFR 50.90. The closure of the RWT isolation valves was not an automatic function and the original plant design relied on the physical piping configuration (passive design feature) for preventing air entrainment from the RWT. Further, during the period that the PVNGS design was being re-assessed, following Inspection Report 2005-12, dated January 27, 2006, the justification for operability did not rely upon manual actions, as described in the Introductionto these RAI Responses.

16

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume Attachment 1 FIGURE 1 Sketch of PVNGS RWT Vortex Suppressors

FIGURE 1 Sketch of PVNGS RWT Vortex Suppressors

[Ref. Drawing 13-P-ZYA-O024 R16]

_______- .ECOA/D PZ47 DWS6/3-P-ZY-.022 TWAAKTOP .WPR ~ ,~2

&EL.J53"-,0-W-O02 /SOO, ) 4'g

]!p34 87F-!6'W00 FS-005 /4gDA6 ~ ~5.00 (5EE DWG i3-CZY.5 70ot FOR DE7.1)

-go EacuITOr 7o'f,3 E 7/OWZý 873O 71 7m W31e8olT2/ H-3 A-A W ro,ý-NA1914!. 2" RRED-

'r/'~4'rt OOY&

vejW-00E.

13-P--ZY4q-02Z 00\ P,-0oA,10 V, Re~

6- p z- 141kA'C854-1,\ \ ~ - ~ -P0) OOWT WEe N-OOF tc . rn , faiW T,-

1-E.159-9 10

-/ YW 004/0 W-00-WD17 i/ ~ 0W4 -POZY,-925, fOR LINES Cp -70( 70,7iW-0 7,,70T9,7i,//T! - WO0W 5-oo3

(~2N/W\ W-54 (W-00)3

\2001kO/ 709-/ICBA-lT W-035(4.-590)

J/-"AI-ED ,CPL6GSW 2-wo # CB8A(018)

• FOR CONT SEEf

• 5L1) Q r to 116 W-01 I0,C

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume Attachment 2 FIGURE 2 Sketch of PVNGS RWT Vortex Suppressors

FIGURE 2 Sketch of PVNGS RWT Vortex Suppressors

[Ref. Drawing 13-C-ZYS-0711 R4]

JJIF~ fli-UCZ LJYVL.7.

6-704 - NCZ A --v" I ý/'I/O . STANDARD DESIGN DRAWING See As-Built Drawing Cross Reference Log for any Non-

")incorporated Deviations.

d;4~e WALL E!/O!

FOR CLARIT*Y

'F4J-FR C0417R'eW PWAV6Z (C#Ai - A7 q A1072-5:

ZLONT9'C'l A-OlVLZ (Cf'IV- 74104)

I.ZAlL lA/2S AAPZ- 5Y89Tz5M 0,//

L/A'LES56 N07TO OTllFRW/IS

/Y',vNADIC47e P1'.AI fW' 1$711 TVy 5Y443e .. RE 511/41 Be FL 6C TR/C,4ZZ )' /167 TAý'4CgFD SECf C T1O/ A 3.0 VFiVDOR SUPPLIED EQUIPMAE*/T

4. PROVI4E /;-0" I OA1ER PIPE FO,? FIELD4 D 7

5. 1" 51DE OF I'-A/ " 5 W. RED. CPL6. COUNTERBOREO

Enclosure Response to Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume Attachment 3 FIGURE 3 Sketch of PVNGS RWT Vortex Suppressors

FIGURE 3 Sketch of PVNGS RWT Vortex Suppressors

[Ref. Drawing 13-C-ZYS-0711 R4]

04 H CF 1 .1. TI P I'vvOTop

,teos'oo PLAN ANDOBOCCOLI

• NrOa~$tRAa/

S s/SO 3

a0" 22"'" -A*KO SOK.,0,/-GRACTING /ITH /LKCOVYR

@ý7PRECKOCD /AJL'?.4 7vp7 - - ~ROBBERMSOT 0-PLACyS SEW C*L. 9O- '

S ID E B KON T, 8 CKLA DE TAIL O0I

-rE / D RE. D-PKZY A

/

ENTIRE ASSECSALYSHALL E SCTA /0LESS $STEL AK/K$NALL MOTALLOW 0ARTOC1£S /IGKER C/AN M OPENING IN WIRPCLOTY COPASS,C TWGRR0000.

I/\ \I/ CGOSRBAPS P 4i LL-- - - -ý I/RECLOTN(8.8. E SIN BETLIEEN. FILLSD TO INSURENO SUPPAGC8[TCKE=N WIRE CLOTHANK:

GRATING.

TIOC/,O011-5/-

IOAR WIRC CIOC-COOS

/0/NC* ACKOUCS/OFACE 0

-, CL"OT/ CR3 AT OUSs/SC FACL OF TCR GRATING SAP.

DETAIL /-

3'.-/O'-o-