ML070390040: Difference between revisions
| issue date = 01/24/2007
| title = APS Response to NRC Inspection Report 05000528/2006012; 05000529/2006012; 05000530/2006012
| author name = Levine J
| author affiliation = Arizona Public Service Co
| addressee name =
| page count = 11
}}
=Text=
{{#Wiki_filter:A subsidiary of Pinnacle West Capital Corporation
Palo Verde Nuclear Generating Station
James M. Levine, Executive Vice President, Generation
Mail Station 7602, PO Box 52034, Phoenix, Arizona 85072-2034
Tel (623) 393-5300, Fax (623) 393-6077
102-05636-JMLJSAB/TNW/CJS
January 24, 2007
U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555

==Dear Sir:==

==Subject:==
Palo Verde Nuclear Generating Station (PVNGS) Units 1, 2 and 3
Docket Nos. STN 50-528, 50-529, and 50-530
APS Response to NRC Inspection Report 05000528/2006012; 05000529/2006012; 05000530/2006012

In NRC Special Inspection Report 2006012, dated December 6, 2006, the NRC documented their examination of activities associated with the PVNGS Unit 3, Train A, emergency diesel generator (EDG) failures that occurred on July 25 and September 22, 2006. At a January 16, 2007 Regulatory Conference in Arlington, Texas, APS provided the NRC its perspective on the facts and analytical assumptions relevant to determining the safety significance of the findings, in accordance with the Inspection Manual Chapter 0609.
The purpose of this letter is to provide the additional information requested by the NRC during the regulatory conference. The Enclosure to this letter contains 7 questions that were requested at the close of the conference and 4 additional questions that were part of the conference general discussion. There are no regulatory commitments in this letter.
If you have any questions, please contact Thomas N. Weber at (623) 393-5764.
Sincerely,
JMLJSABITNW/CJS/gt

==Enclosure:==
Additional Information Requested at the January 16, 2007 NRC Regulatory Conference

cc:
B. S. Malleft, NRC Region IV Regional Administrator
M. B. Fields, NRC NRR Project Manager
M. T. Markley, NRC NRR Project Manager
G. G. Warnick, NRC Senior Resident Inspector for PVNGS

ENCLOSURE
Additional Information Requested at the January 16, 2007 NRC Regulatory Conference

NRC Question 1
Is it acceptable to provide auxiliary feedwater to a steam generator after it has dried out?
APS Response 1
Yes. The Unit 3 steam generators are designed with an allowance for feeding a hot dry steam generator with cold feedwater. APS asked ABB (the design authority for the PVNGS Steam Generators) about the maximum allowed flow rate for feedwater to a hot dry steam generator. The ABB response stated "the generators are designed to handle seven cycles of adding 40 degrees F feedwater at 1750 gpm." The information was requested to support development of the PVNGS Emergency Operating Procedures.
This information is documented in ABB Inter-Office Correspondence V-MPS-91-163, dated November 14, 1991.

NRC Question 2
What reliability/unavailability for the Gas Turbine Generators (GTGs) was assumed in the Probabilistic Risk Analysis (PRA)? Provide the data that was used to obtain these values. Please indicate how buried cable reliability is addressed in the PRA.
APS Response 2
GTG Reliability
Gas Turbine Generator (GTG) fail to start and fail to run probabilities are Bayesian updated values based on the values in Advanced Light Water Reactor Requirements Document (ALWR), Volume II, Chapter 1, Appendix A - PRA Key Assumptions and Groundrules, Electric Power Research Institute, Revision 6, December 1993, pages A.A-67 and A.A-68. The number of GTG demands, accumulated run time, and failures were collected for the period of 1/1/1998 to 10/1/2004 and documented in study 13-NS-C076, Plant Specific Reliability Data for PRA Model, Revision 0, Appendix C: PRA Final Failures and Demands Report. The values were based on an actual count (they were not estimated). For the given time period and system boundary, there were 6 failures (3 on GTG 1 and 3 on GTG 2) in 267 demands and 0 failures in 283 hours. The final failure probabilities were 2.5E-2 per demand and 4.2E-5 per hour.
GTG Unavailability
GTG unavailability is based on an actual count of unavailable hours during the period 1/1/1999 through 12/31/2001 as documented in study 13-NS-C064, Plant Specific Unavailability Data for PRA Model, Revision 0, Appendix A: Individual Parameter Unavailability Listings Gas Turbine Generator. There were 954.68 hours unavailable in the 26304 hour period for a probability of 1.81E-2.
GTG Underground Cable Reliability
The underground cables between the GTGs and the units are modeled separately from the GTGs. The cable is not direct buried but runs in an underground conduit. Two three phase cables are used to supply power to each unit. The failure probability is a Bayesian updated value based on the value in IEEE Standard 500-1984, IEEE Guide to the Collection and Presentation of Electrical, Electronic, Sensing Component and Mechanical Equipment Reliability Data for Nuclear-Power Generating Stations, Institute of Electrical and Electronics Engineers, Inc., December 13, 1983, Reaffirmed 1991, page 770. This value is multiplied by the length of the cable (3475' for Unit 1, see note below) obtained from the Plant Data Management System EDB Electrical Database, since the IEEE value is given per 1000' cable length. Based on a search of EPIX/NPRDS, Failure Data Trending, and CRDRs, there were zero cable failures since the GTGs were installed. In the search, 4 instances were identified (CRDRs 2559098, 2564721, 2580013, and 2843631) where the results of megger testing were less than the service criteria but greater than the emergency criteria. These tests had been evaluated by Maintenance Engineering and it was determined that since the as-found readings were greater than the emergency allowed value, the cables would have been able to perform their function. Appropriate corrective actions were taken in each case to restore the cables such that the service criteria were met.
Engineering Support provided a Maintenance Rule Hours in Mode Summary Report for the date range of 9/27/1993 (date of first GTG isochronous test) through 11/30/2006.
The exposure time was taken as the time spent in Modes 1 through 6 in each unit, for an exposure time of 334,836 hours for the 3 units. Since there are two cables per unit, the total exposure time is 669,672 hours. From a unit perspective, a load test powering that unit's cables from the GTGs is performed every 18 months per 40DP-9OP06, Operations Department Repetitive Task Program, Task GT002. The Bayesian updated failure rate for one cable was 1.46E-2 per hour, for a failure probability of a standby component of 9.59E-3. Since there are two cables, the final probability for the underground GTG cable was 1.91E-2 (equivalent to an "OR" gate).
Note: A single PRA model based on Unit 1 is used at PVNGS. Plant differences are accounted for when performing specific applications. Since a continuously energized failure rate is being applied to a cable energized only a very short period of its exposed life, the value is very conservative and bounds all three units.

NRC Question 3
Describe how the PRA handles the recovery of the Auxiliary Feedwater (AF) Train "N" pump once the GTG is on line. What dependency exists between getting GTG alignment and AF "N" alignment?
APS Response 3
In a Station Blackout, restoration of a motor-driven AFW pump after alignment of the GTGs is required if auxiliary feedwater from the turbine driven pump is lost to the SGs and power is not available. This scenario involves failure of both the Maintenance of Vital Auxiliaries and RCS Heat Removal safety functions. As such, Operations would be directed to the Functional Recovery procedure 40EP-9EO09 for this condition. The Control Room Supervisor retains the option to proceed with the Blackout procedure with the understanding that the mitigating strategy (restoration of power) will resolve both failed safety functions. The procedure actions are similar, and both direct Operations to initially restore power to PBA-S03 from a GTG, after determination that offsite power and EDGs cannot be restored within 1 hour.
Procedure 40EP-9EO09, Functional Recovery, Section 8.0, Maintenance of Vital Auxiliaries, Success path MVAC 3: GTGs, provides the instructions to start and load the GTGs onto a Class 1E 4.16kV AC Bus. Step 8.7 directs performance of Appendix 80 "When NAN-S07 is energized, align GTG to PBA-S03 (BO)". Alternately available to Operations is step 8.7.1, which directs performance of Appendix 81 "When NAN-S07 is energized, Align GTGs to PBB-S04 (BO)". The equivalent steps to align a GTG to a Class 1E 4.16kV AC bus are provided in the Blackout procedure 40EP-9EO08, in steps 13 and 13.1.
Standard Appendix 80 [81] (40EP-9EO10) step 7 [9] completes the actions necessary to energize the Class 1E 4.16kV AC bus PBA-S03 [PBB-S04]. At this time power is available to start an AFW pump and initiate AFW flow to a SG. Step 9 of Appendix 80 directs an Operator [Licensed Control Room Operator] to check that AFA is being used to maintain at least one SG at 45%-60% NR level, else if the AFA pump is not available, then align and start AFN-P01 to restore SG level. Step 11 of Appendix 81 directs the Operator to start AFB-P01 to restore SG level.
The Control Room Supervisor (CRS) has the responsibility to manage the operator resources during the event. The description below reflects what would typically be the assignments made for power recovery and AFW recovery. Specific assignments may vary, but there are always two licensed control room operators available to perform the two main functions of power recovery and AFW recovery without dependency between the tasks. The tasks are also separated in time, with power recovery required prior to AFW recovery for this scenario. The same is true of the 4 Auxiliary Operators. The specific operator assigned to a task may vary, but sufficient resources exist to perform all the tasks without any dependency.
Actions necessary to start and align the AFN-P01 pump or AFB-P01 pump are typically performed by the Controls Operator from the Control Room. To initiate flow from the AFN-P01 pump, the Controls Operator must open the two (2) suction MOVs, open a Downcomer Bypass MOV (one per SG), open the Downcomer Isolation valves (2 per SG), and start the pump. To initiate flow from the AFB-P01 pump, the Controls Operator must only start the pump, given the discharge isolation and regulation valves are open due to the AFAS actuation. The time to take these actions is less than 5 minutes.
The Licensed Operators are extensively trained on these actions during various simulator events. The detailed actions are not prescriptively described in the Emergency Operating Procedures, but are simple and easily accomplished by any control room operator as a result of their training. Failure of the Controls Operator to initiate AFW flow to at least one SG would be immediately recovered by the Control Room Supervisor and/or the STA. The Controls Operator typically has no other dependent responsibilities for power restoration. Initiation of AFW for restoration of the RCS Heat Removal safety function is the Controls Operator's primary focus, thus ample time is available for proper diagnosis and recovery. The PRA does not model a specific HRA for failure to establish AFW flow after power is restored to a Class 1E 4.16kV AC bus because the failure probability for the AFW restoration action is so low it is negligible compared to the action to restore power.
Recovery of the 4.16kV AC bus from a GTG is typically performed by the Reactor Operator [Licensed Control Room Operator] with assistance from an assigned Auxiliary Operator (AO), typically the Area 4 AO and the Water Reclamation Facility Operator.
The assigned AO would have no responsibilities for assisting with the recovery of the assumed failed AFA-P01 pump, which is typically assigned to a different AO (Area 1).
There are no required actions of the Controls Operator to support the power recovery actions, nor any actions of the Reactor Operator to support the AFW recovery actions, other than the standard actions to maintain cognizance of critical system parameters.
No Auxiliary Operators are required for recovery of AFW after power has been restored to a 4.16kV AC bus. Actions to restore power and initiate AFW are considered to have zero dependency.

NRC Question 4
Which EOP covers overriding automatic control (AFAS) and taking manual control of AF "A"? How soon does this happen based on simulator experience? This relates to the battery analysis assumption that the AF isolation valves do not continuously cycle, as assumed in the design calculation.
APS Response 4
Procedure 40EP-9EO01, Standard Post Trip Actions, has the Secondary Operator override AFAS valves to ensure feed flow is not excessive. Operators are trained to take manual control of the feed rate to preclude a SIAS, which would likely follow an AFAS, due to overcooling. The operator will typically initiate this action by starting AFA-P01 from control room panel B06, and establish feed by opening the block valves and throttling the regulation valves. This would normally occur (assuming a Station Blackout) prior to an AFAS actuation. The isolation valves are left open and are not cycled, and the only valve manipulations are adjustments to feed rate using the regulation valves.
In the event of an AFAS automatic actuation, the operator will take control of feed rate, and not allow the regulation valves to control level. The specific feed rate is not scripted, but the safety function is met when level in at least one steam generator is increasing towards its normal band as required by Procedure 40EP-9EO01. Experience in the simulator is that operators will take manual control of AF in no longer than 10 minutes during a station blackout (SBO) event.
Once level is recovered, the operator feeds at a rate sufficient to make up for level lost due to steaming out the Atmospheric Dump Valves (ADVs).

NRC Question 5
In the lower recovery path of the "Event Timelines for Station Blackout @ t=0" slide of the presentation, APS provided times of 58 and 95 minutes for 'steam generator (SG) dryout' and 'latest SG makeup can be initiated'. How does the PRA use these two values? What importance is given to each value?
APS Response 5
The 58 minute time is used in Loss of Offsite Power accident sequences as the basis for the time to start and align the gas turbine generators. The 95 minute time is not used for Loss of Offsite Power accident sequences. The 95 minute time is used as the time available for providing feed to the steam generators using the condensate pumps for sequences that do not include a Loss of Offsite Power. Thus the 95 minute time has no importance in the K-1 relay significance determination.

NRC Question 6
Provide the analysis that was done to extend the battery life from the 2 hour design requirement to 3 hours for the PRA.
APS Response 6
NUS-5058, Analysis of Station Blackout Accidents at PVNGS-1, Yovan Lukic, NUS Corporation, November 1987, Section 4.1, "Description of Top Events within the SBO event tree", subsection "Failure to Restore Power within 3 Hours", is the basis document for the 3 hour battery life in the PVNGS PRA model. This source states:
Based on a review of 125 VDC bus loads typical to an SBO event and the 18 month and 60 months test of the DC batteries (Refs. 6 and 7), it is assessed that DC batteries will last for at least 3 hours into an SBO event. The 60 month test established that 1200 amp-hours can be provided by each DC battery (PKA and PKB) before the 105 VDC battery under-voltage condition is reached. Given a conservative estimate of the battery loads during SBO, each battery would have to provide on the order of 1000 amp-hours during the first 3 hours into an SBO event. This 20% excess in battery capacity is sufficient to cover the power requirements when the battery is operated at near 80% capacity (end-of-life).
It should be noted that batteries with larger capacity (2415 amp-hours) were installed since this change was implemented in the PRA model.

NRC Question 7
Provide updated analysis for seven hour battery capacity.
APS Response 7
The updated analysis for seven hour battery capacity was provided to the NRC on January 19, 2007. This updated analysis reflects additional capacity loss for the 'A' battery, which was recognized following the January 16, 2007 Regulatory Conference.
This additional battery capacity loss resulted in the total capacity loss being greater than 10 percent, which placed the 'A' battery in Technical Specification 3.8.4.8, requiring a 12 month surveillance test, like the 'C' battery. This surveillance test will be performed along with the 'C' battery test in the upcoming Unit 3 mid-cycle outage. The updated analysis demonstrates that the assumptions for the risk significance evaluation remain valid, with margin.

NRC Question 8
Did operator failure probabilities for restoration of the Emergency Diesel Generator (EDG) include the potential that operations would fail to shut down the EDG as required if it started but the field did not flash, because of the lack of jacket cooling water?
APS Response 8
Yes. APS considered the operator failing to stop the EDG after the field did not flash.
The step was not identified as critical because the failure contribution (-2E-4) was not a significant contribution to the total value of the HRA value for recovery of the EDG. HRA quantification 4DG-RECVR-KI-1-HR has a value of 5.8E-2 and 4DG-RECVR-K1-7-HR has a value of 3.2E-3 (reference 13-NS-C081, App D).

NRC Question 9
Who is relied upon to actually recover the EDG (maintenance, operations or engineering personnel)? How is that accounted for in your results?
APS Response 9
The associated HRA credited the recovery of K-1 relay contactor by Electrical Maintenance personnel with technical support from Electrical Maintenance Engineering personnel.
Operations would immediately know of the EDG output failure after the engine start by control room indication/alarms as well as by Emergency Response Facility Data Acquisition Display System (ERFDADS) flat line output. Operations would not attempt to correct this condition since no specific proceduralized instructions are readily available to them. Electrical Maintenance personnel and Electrical Maintenance Engineering would be immediately called (Maintenance onsite 24/7). Maintenance and Engineering would have the primary responsibility for recovery of the affected EDG after a loss of generator output. If not onsite, Electrical Maintenance Engineering personnel would be contacted immediately for technical assistance by phone or pager. Although the faulted EDG may not be running at the time when Maintenance and/or Engineering become involved, Maintenance and Engineering personnel would be informed that the EDG started and ran without power output. Prior plant experience is that it takes 2-3 hours to replace the K-1 contactor. That repair action, however, is not required because recovery can be easily accomplished by manual bypass (opening) of the K-1 relay contactor.
Following the involvement of Electrical Maintenance personnel and their Engineering support, the time required for EDG 3A loss of output diagnosis is estimated at 5 to 10 minutes. It is based on operating experience at PVNGS (including a recent failure in Unit 3) and engineering knowledge that when there is no voltage buildup at all by the generator immediately after an engine start, the most likely cause would be a failure of the field shorting (K-1) contactor.
No immediate indications of a K-1 problem would exist at the EDG with it in a shutdown condition; however, the plant ERFDADS computer (powered by uninterruptible power supply E-NQN-D01) monitors and records the voltage and frequency buildup for each EDG start. Those records are preserved for several hours. A data flat line showing no attempt at all to build up generator output voltage would be a strong indicator of a K-1 contactor problem. In contrast, if the generator rotor is spinning, the K-1 has dropped out properly and field flashing fails to occur, then generator output voltage would still build up slowly due to its residual magnetism.
With the engine in a shutdown condition, Engineering may advise Maintenance to functionally test the K-1 and field flash (FF) contactors using the Manual Field Flash (MFFPB) push button on the generator control panel as long as 135 VDC control power was still available. One wire inside the cabinet would have to be lifted and the 135 VDC FF breaker would have to be opened prior to the manual field flash test. This functional test was recently used (7/26/2006 3A loss of output event) to verify that a newly installed spare K-1 was working properly.
The task of establishing EDG 3A output is considered a recovery action consistent with RG 1.200, Table A-1. The following justifications are provided:
* The failed K-1 relay would very likely be bypassed rather than repaired. Bypass is particularly easy to perform. The fault is recoverable by a simple manual action of releasing the K-1 contactor reset latch after an engine start. After the 2nd EDG 3A no output failure (9/22/06), no equipment was required to be replaced.
* Ease of diagnosis is supported by recent similar incidents and adequate personnel training, which includes K-1 relays.
* Responsible plant personnel are easily accessible by pager or telephone.
* Ample time is available for diagnosis and action to bypass the failed relay contactor.
* No special tools are required for diagnosis or relay bypass manual action, and there are no issues with accessibility.
* Plant personnel responsible for diagnosis and bypass would not be subjected to the potentially high stress level facing the control room personnel.
* Flat line data for EDG voltage and frequency on ERFDADS computer would quickly lead to the determination that K-1 relay has malfunctioned.

NRC Question 10
Why did we not use the Unit 3 battery design calculation? How does that affect the applicability of the results to the Unit 3 battery?
APS Response 10
The Unit 2 calculation was used because it had been updated to reflect a number of implemented design changes, which the existing Unit 3 calculation had not yet incorporated. The designs of the DC systems are quite similar in all three units, and one model was originally used to represent any of the units. Due to a desire to improve accuracy and the availability of more powerful modeling tools, Palo Verde converted the Class 1E DC system calculation to unitized models in the mid-1990's.
A comparison of the Unit 2 calculation results with an updated Unit 3 computerized model, which reflects the current configuration (though not yet finalized), was performed. The load profiles are comparable with only minor variations due to nameplate voltage ratings of motor operated valves and variations due to differences in cable lengths. Two of the auxiliary feed water valves on Unit 3 were found to have lower voltages than the same valves in Unit 2; however, the valves have adequate margin to accommodate these voltage differences. In light of the considerable margins between the battery capacities and the load demands of a 7-hour station blackout event (27 and 60 percent for the 'A' and 'C' batteries respectively), the differences between the designs of Unit 2 and 3 are insignificant to the conclusions of the evaluation of the K-1 relay issue.

NRC Question 11
Do the spikes in battery 'E' graph in presentation slide "Empirical Data 'E' Battery" correlate with battery recharging?
APS Response 11
Yes. The first spike shown on the graph (November 7, 2004) is a result of the recharge of the battery under PMWO 2647054 and the second recharge was performed under PMWO 2794319, on May 5, 2006.
}}
in ABB Inter-Office | |||
Correspondence | |||
V-MPS-91-163, dated, November 14, 1991.NRC Question 2 What reliability/unavailability | |||
for the Gas Turbine Generators (GTGs) was assumed in the Probabilistic | |||
Risk Analysis (PRA)? Provide the data that was used to obtain these values. Please indicate how buried cable reliability | |||
is addressed | |||
in the PRA.APS Response 2 GTG Reliability | |||
Gas Turbine Generator (GTG) fail to start and fail to run probabilities | |||
are Bayesian updated values based on the values in Advanced Light Water | |||
Document (ALWR), Volume II, Chapter 1, Appendix A -PRA Key Assumptions | |||
and Groundrules, Electric Power Research Institute, Revision 6, December 1993, pages A.A-67 and A.A-68. The number of GTG demands, accumulated | |||
run time, and failures were collected | |||
for the period of 1/1/1998 to 10/1/2004 | |||
and documented | |||
in study 13-NS-C076, Plant Specific Reliability | |||
Data for PRA Model, Revision 0, Appendix C: PRA Final Failures and Demands Report. The values were based on an actual count (they were not estimated). | |||
For the given time period and system boundary, there were 6 failures (3 on GTG 1 and 3 on GTG 2) in 267 demands and 0 failures in 283 hours. The final failure probabilities | |||
were 2.5E-2 per demand and 4.2E-5 per hour.1 | |||
GTG Unavailability | |||
GTG unavailability | |||
is based on an actual count of unavailable | |||
hours during the period 1/1/1999 through 12/31/2001 | |||
as documented | |||
in study 13-NS-C064, Plant Specific | |||
Parameter Unavailability | |||
Listings Gas Turbine Generator. | |||
There were 954.68 hours unavailable | |||
in the 26304 hour period for a probability | |||
of 1.81 E-2.GTG UnderQround | |||
Cable Reliability | |||
The underground | |||
cables between the GTGs and the units are modeled separately | |||
from the GTGs. The cable is not direct buried but runs in an underground | |||
conduit. Two three phase cables are used to supply power to each unit. The failure probability | |||
is a Bayesian updated value based on the value in IEEE Standard 500-1984, IEEE Guide to the Collection and Presentation of Electrical, Electronic, Sensing Component and Mechanical Equipment Reliability Data for Nuclear-Power Generating Stations, Institute of Electrical and Electronics Engineers, Inc., December 13, 1983, Reaffirmed 1991, page 770. This value is multiplied by the length of the cable (3475' for Unit 1, see note below) obtained from the Plant Data Management System EDB Electrical Database, since the IEEE value is given per 1000' cable length. Based on a search of EPIX/NPRDS, Failure Data Trending, and CRDRs, there were zero cable failures since the GTGs were installed. In the search, 4 instances were identified (CRDRs 2559098, 2564721, 2580013, and 2843631) where the results of megger testing were less than the service criteria but greater than the emergency criteria. These tests had been evaluated by Maintenance Engineering and it was determined that since the as-found readings were greater than the emergency allowed value, the cables would have been able to perform their function. Appropriate corrective actions were taken in each case to restore the cables such that the service criteria were met.
Engineering Support provided a Maintenance Rule Hours in Mode Summary Report for the date range of 9/27/1993 (date of first GTG isochronous test) through 11/30/2006.
The exposure time was taken as the time spent in Modes 1 through 6 in each unit, for an exposure time of 334,836 hours for the 3 units. Since there are two cables per unit, the total exposure time is 669,672 hours. From a unit perspective, a load test powering that unit's cables from the GTGs is performed every 18 months per 40DP-9OP06, Operations Department Repetitive Task Program, Task GT002. The Bayesian updated failure rate for one cable was 1.46E-2 per hour, for a failure probability of a standby component of 9.59E-3. Since there are two cables, the final probability for the underground GTG cable was 1.91E-2 (equivalent to an "OR" gate).
Note: A single PRA model based on Unit 1 is used at PVNGS. Plant differences are accounted for when performing specific applications. Since a continuously energized failure rate is being applied to a cable energized only a very short period of its exposed life, the value is very conservative and bounds all three units.
NRC Question 3 Describe how the PRA handles the recovery of the Auxiliary Feedwater (AF) Train "N" pump once the GTG is on line. What dependency exists between getting GTG alignment and AF "N" alignment?
APS Response 3 In a Station Blackout, restoration of a motor-driven AFW pump after alignment of the GTGs is required if auxiliary feedwater from the turbine driven pump is lost to the SGs and power is not available. This scenario involves failure of both the Maintenance of Vital Auxiliaries and RCS Heat Removal safety functions. As such, Operations would be directed to the Functional Recovery procedure 40EP-9EO09 for this condition. The Control Room Supervisor retains the option to proceed with the Blackout procedure with the understanding that the mitigating strategy (restoration of power) will resolve both failed safety functions. The procedure actions are similar, and both direct Operations to initially restore power to PBA-S03 from a GTG, after determination that offsite power and EDGs cannot be restored within 1 hour.
Procedure 40EP-9EO09, Functional Recovery, Section 8.0, Maintenance of Vital Auxiliaries, Success path MVAC 3: GTGs, provides the instructions to start and load the GTGs onto a Class 1E 4.16kV AC Bus. Step 8.7 directs performance of Appendix 80 "When NAN-S07 is energized, align GTG to PBA-S03 (BO)". Alternately available to Operations is step 8.7.1 which directs performance of Appendix 81 "When NAN-S07 is energized, Align GTGs to PBB-S04 (BO)". The equivalent steps to align a GTG to a Class 1E 4.16kV AC bus are provided in the Blackout procedure 40EP-9EO08, in steps 13 and 13.1.
Standard Appendix 80 [81] (40EP-9EO10) step 7 [9] completes the actions necessary to energize the Class 1E 4.16kV AC bus PBA-S03 [PBB-S04]. At this time power is available to start an AFW pump and initiate AFW flow to a SG. Step 9, of Appendix 80, directs an Operator [Licensed Control Room Operator] to check that AFA is being used to maintain at least one SG at 45%-60% NR level, else if the AFA pump is not available, then align and start AFN-P01 to restore SG level. Step 11, of Appendix 81, directs the Operator to start AFB-P01 to restore SG level.
The Control Room Supervisor (CRS) has the responsibility to manage the operator resources during the event. The description below reflects what would typically be the assignments made for power recovery and AFW recovery. Specific assignments may vary, but there are always two licensed control room operators available to perform the two main functions of power recovery and AFW recovery without dependency between the tasks. The tasks are also separated in time, with power recovery required prior to AFW recovery for this scenario. The same is true of the 4 Auxiliary Operators. The specific operator assigned to a task may vary, but sufficient resources exist to perform all the tasks without any dependency.
Actions necessary to start and align the AFN-P01 pump or AFB-P01 pump are typically performed by the Controls Operator from the Control Room. To initiate flow from the AFN-P01 pump, the Controls Operator must open the two (2) suction MOVs, open a Downcomer Bypass MOV (one per SG), open the Downcomer Isolation valves (2 per SG), and start the pump. To initiate flow from the AFB-P01 pump, the Controls Operator must only start the pump, given the discharge isolation and regulation valves are open due to the AFAS actuation. The time to take these actions is less than 5 minutes.
The Licensed Operators are extensively trained on these actions during various simulator events. The detailed actions are not prescriptively described in the Emergency Operating Procedures, but are simple and easily accomplished by any control room operator as a result of their training. Failure of the Controls Operator to initiate AFW flow to at least one SG would be immediately recovered by the Control Room Supervisor and/or the STA. The Controls Operator typically has no other dependent responsibilities for power restoration. Initiation of AFW for restoration of the RCS Heat Removal safety function is the Control Operator's primary focus, thus ample time is available for proper diagnosis and recovery. The PRA does not model a specific HRA for failure to establish AFW flow after power is restored to a Class 1E 4.16kV AC bus because the failure probability for the AFW restoration action is so low it is negligible compared to the action to restore power.
Recovery of the 4.16KV AC bus from a GTG is typically performed by the Reactor Operator [Licensed Control Room Operator] with assistance from an assigned Auxiliary Operator (AO), typically the Area 4 AO and the Water Reclamation Facility Operator.
The assigned AO would have no responsibilities for assisting with the recovery of the assumed failed AFA-P01 pump, which is typically assigned to a different AO (Area 1).
There are no required actions of the Controls Operator to support the power recovery actions, nor any actions of the Reactor Operator to support the AFW recovery actions, other than the standard actions to maintain cognizance of critical system parameters.
No Auxiliary Operators are required for recovery of AFW after power has been restored to a 4.16kV AC bus. Actions to restore power and initiate AFW are considered to have zero dependency.
NRC Question 4 Which EOP covers overriding automatic control (AFAS) and taking manual control of AF "A"? How soon does this happen based on simulator experience? This relates to the battery analysis assumption that the AF isolation valves do not continuously cycle, as assumed in the design calculation.
APS Response 4 Procedure 40EP-9EO01, Standard Post Trip Actions, has the Secondary Operator override AFAS valves to ensure feed flow is not excessive. Operators are trained to take manual control of the feed rate to preclude a SIAS, which would likely follow an AFAS, due to overcooling. The operator will typically initiate this action by starting AFA-P01 from control room panel B06, and establish feed by opening the block valves and throttling the regulation valves. This would normally occur (assuming a Station Blackout) prior to an AFAS actuation. The isolation valves are left open and are not cycled and the only valve manipulations are adjustments to feed rate using the regulation valves.
In the event of an AFAS automatic actuation, the operator will take control of feed rate, and not allow the regulation valves to control level. The specific feed rate is not scripted, but the safety function is met when level in at least one steam generator is increasing towards its normal band as required by Procedure 40EP-9EO01. Experience in the simulator is that operators will take manual control of AF in no longer than 10 minutes during a station blackout (SBO) event.
Once level is recovered, the operator feeds at a rate sufficient to makeup for level lost due to steaming out the Atmospheric Dump Valves (ADVs).
NRC Question 5 In the lower recovery path of the "Event Timelines for Station Blackout @ t=0" slide of the presentation, APS provided times of 58 and 95 minutes for 'steam generator (SG) dryout' and 'latest SG makeup can be initiated'. How does the PRA use these two values? What importance is given to each value?
APS Response 5 The 58 minute time is used in Loss of Offsite Power accident sequences as the basis for the time to start and align the gas turbine generators. The 95 minute time is not used for Loss of Offsite Power accident sequences. The 95 minute time is used as the time available for providing feed to the steam generators using the condensate pumps for sequences that do not include a Loss of Offsite Power. Thus the 95 minute time has no importance in the K-1 relay significance determination.
NRC Question 6 Provide the analysis that was done to extend the battery life from the 2 hour design requirement to 3 hours for the PRA.
APS Response 6 NUS-5058, Analysis of Station Blackout Accidents at PVNGS-1, Yovan Lukic, NUS Corporation, November 1987, Section 4.1, "Description of Top Events within the SBO event tree", subsection "Failure to Restore Power within 3 Hours", is the basis document for the 3 hour battery life in the PVNGS PRA model. This source states:
Based on a review of 125 VDC bus loads typical to an SBO event and the 18 month and 60 months test of the DC batteries (Refs. 6 and 7), it is assessed that DC batteries will last for at least 3 hours into an SBO event. The 60 month test established that 1200 amp-hours can be provided by each DC battery (PKA and PKB) before the 105 VDC battery under-voltage condition is reached. Given a conservative estimate of the battery loads during SBO, each battery would have to provide on the order of 1000 amp-hours during the first 3 hours into an SBO event. This 20% excess in battery capacity is sufficient to cover the power requirements when the battery is operated at near 80% capacity (end-of-life).
It should be noted that batteries with larger capacity (2415 amp-hours) were installed since this change was implemented in the PRA model.
NRC Question 7 Provide updated analysis for seven hour battery capacity.
APS Response 7 The updated analysis for seven hour battery capacity was provided to the NRC on January 19, 2007. This updated analysis reflects additional capacity loss for the 'A' battery, which was recognized following the January 16, 2007 Regulatory Conference. This additional battery capacity loss resulted in the total capacity loss being greater than 10 percent, which placed the 'A' battery in Technical Specification 3.8.4.8, requiring a 12 month surveillance test, like the 'C' battery. This surveillance test will be performed along with the 'C' battery test in the upcoming Unit 3 mid-cycle outage. The updated analysis demonstrates that the assumptions for the risk significance evaluation remain valid, with margin.
NRC Question 8 Did operator failure probabilities for restoration of the Emergency Diesel Generator (EDG) include the potential that operations would fail to shut down the EDG as required if it started but the field did not flash, because of the lack of jacket cooling water?
APS Response 8 Yes. APS considered the operator failing to stop the EDG after the field did not flash. The step was not identified as critical because the failure contribution (-2E-4) was not a significant contribution to the total value of the HRA value for recovery of the EDG. HRA quantification 4DG-RECVR-KI-1-HR has a value of 5.8E-2 and 4DG-RECVR-K1-7-HR has a value of 3.2E-3 (reference 13-NS-C081, App D).
NRC Question 9 Who is relied upon to actually recover the EDG (maintenance, operations or engineering personnel)? How is that accounted for in your results?
APS Response 9 The associated HRA credited the recovery of K-1 relay contactor by Electrical Maintenance personnel with technical support from Electrical Maintenance Engineering personnel. Operations would immediately know of the EDG output failure after the engine start by control room indication/alarms as well as by Emergency Response Facility Data Acquisition Display System (ERFDADS) flat line output. Operations would not attempt to correct this condition since no specific proceduralized instructions are readily available to them. Electrical Maintenance personnel and Electrical Maintenance Engineering would be immediately called (Maintenance onsite 24/7). Maintenance and Engineering would have the primary responsibility for recovery of the affected EDG after a loss of generator output. If not onsite, Electrical Maintenance Engineering personnel would be contacted immediately for technical assistance by phone or pager. Although the faulted EDG may not be running at the time when Maintenance and/or Engineering become involved, Maintenance and Engineering personnel would be informed that the EDG started and ran without power output. Prior plant experience is that it takes 2-3 hours to replace the K-1 contactor. That repair action, however, is not required because recovery can be easily accomplished by manual bypass (opening) of the K-1 relay contactor.
Following the involvement of Electrical Maintenance personnel and their Engineering support, the time required for EDG 3A loss of output diagnosis is estimated at 5 to 10 minutes. It is based on operating experience at PVNGS (including a recent failure in Unit 3) and engineering knowledge that when there is no voltage buildup at all by the generator immediately after an engine start, the most likely cause would be a failure of the field shorting (K-1) contactor. No immediate indications of a K-1 problem would exist at the EDG with it in a shutdown condition, however, the plant ERFDADS computer (powered by uninterruptible power supply E-NQN-D01) monitors and records the voltage and frequency buildup for each EDG start. Those records are preserved for several hours. A data flat line showing no attempt at all to build up generator output voltage would be a strong indicator of a K-1 contactor problem. In contrast, if the generator rotor is spinning, the K-1 has dropped out properly and field flashing fails to occur, then generator output voltage would still build up slowly due to its residual magnetism. With the engine in a shutdown condition, Engineering may advise Maintenance to functionally test the K-1 and field flash (FF) contactors using the Manual Field Flash (MFFPB) push button on the generator control panel as long as 135 VDC control power was still available. One wire inside the cabinet would have to be lifted and the 135 VDC FF breaker would have to be opened prior to the manual field flash test. This functional test was recently used (7/26/2006 3A loss of output event) to verify that a newly installed spare K-1 was working properly.
The task of establishing EDG 3A output is considered a recovery action consistent with RG 1.200, Table A-1. The following justifications are provided:
* The failed K-1 relay would very likely be bypassed rather than repaired. Bypass is particularly easy to perform. The fault is recoverable by a simple manual action of releasing the K-1 contactor reset latch after an engine start. After the 2nd EDG 3A no output failure (9/22/06), no equipment was required to be replaced.
* Ease of diagnosis is supported by recent similar incidents and adequate personnel training, which includes K-1 relays.
* Responsible plant personnel are easily accessible by pager or telephone.
* Ample time is available for diagnosis and action to bypass the failed relay contactor.
* No special tools are required for diagnosis or relay bypass manual action, and there are no issues with accessibility.
* Plant personnel responsible for diagnosis and bypass would not be subjected to the potentially high stress level facing the control room personnel.
* Flat line data for EDG voltage and frequency on ERFDADS computer would quickly lead to the determination that K-1 relay has malfunctioned.
NRC Question 10 Why did we not use the Unit 3 battery design calculation? How does that affect the applicability of the results to the Unit 3 battery?
APS Response 10 The Unit 2 calculation was used because it had been updated to reflect a number of implemented design changes, which the existing Unit 3 calculation had not yet incorporated. The designs of the DC systems are quite similar in all three units, and one model was originally used to represent any of the units. Due to a desire to improve accuracy and the availability of more powerful modeling tools, Palo Verde converted the Class 1E DC system calculation to unitized models in the mid-1990's.
A comparison between the Unit 2 calculation results to an updated Unit 3 computerized model, which reflects the current configuration (though not yet finalized), was performed. The load profiles are comparable with only minor variations due to nameplate voltage ratings of motor operated valves and variations due to differences in cable lengths. Two of the auxiliary feed water valves on Unit 3 were found to have lower voltages than the same valves in Unit 2, however, the valves have adequate margin to accommodate these voltage differences. In light of the considerable margins between the battery capacities and the load demands of a 7-hour station blackout event (27 and 60 percent for the 'A' and 'C' batteries respectively), the differences between the designs of Unit 2 and 3 are insignificant to the conclusions of the evaluation of the K-1 relay issue.
NRC Question 11 Do the spikes in battery 'E' graph in presentation slide "Empirical Data 'E' Battery" correlate with battery recharging?
APS Response 11 Yes. The first spike shown on the graph (November 7, 2004) is a result of the recharge of the battery under PMWO 2647054 and the second recharge was performed under PMWO 2794319, on May 5, 2006.
}} |
Latest revision as of 09:39, 23 November 2019
ML070390040 | |
Person / Time | |
---|---|
Site: | Palo Verde |
Issue date: | 01/24/2007 |
From: | James M. Levine Arizona Public Service Co |
To: | Document Control Desk, NRC Region 4 |
References | |
102-05636/JML/SAB/TNW/CJS, IR-06-012 | |
Download: ML070390040 (11) | |
Text
A subsidiary of Pinnacle West Capital Corporation
Palo Verde Nuclear Generating Station
James M. Levine, Executive Vice President, Generation
Mail Station 7602, PO Box 52034, Phoenix, Arizona 85072-2034
Tel (623) 393-5300, Fax (623) 393-6077
102-05636-JML/SAB/TNW/CJS
January 24, 2007
U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555
Dear Sir:
Subject:
Palo Verde Nuclear Generating Station (PVNGS)
Units 1, 2 and 3 Docket Nos. STN 50-528, 50-529, and 50-530 APS Response to NRC Inspection Report 05000528/2006012; 05000529/2006012; 05000530/2006012
In NRC Special Inspection Report 2006012, dated December 6, 2006, the NRC documented their examination of activities associated with the PVNGS Unit 3, Train A, emergency diesel generator (EDG) failures that occurred on July 25 and September 22, 2006. At a January 16, 2007 Regulatory Conference in Arlington, Texas, APS provided the NRC its perspective on the facts and analytical assumptions relevant to determining the safety significance of the findings, in accordance with the Inspection Manual Chapter 0609.
The purpose of this letter is to provide the additional information requested by the NRC during the regulatory conference. The Enclosure to this letter contains 7 questions that were requested at the close of the conference and 4 additional questions that were part of the conference general discussion. There are no regulatory commitments in this letter.
If you have any questions, please contact Thomas N. Weber at (623) 393-5764.
Sincerely, JML/SAB/TNW/CJS/gt
Enclosure:
Additional Information Requested at the January 16, 2007 NRC Regulatory Conference
cc: B. S. Mallett NRC Region IV Regional Administrator; M. B. Fields NRC NRR Project Manager; M. T. Markley NRC NRR Project Manager; G. G. Warnick NRC Senior Resident Inspector for PVNGS
ENCLOSURE Additional Information Requested at the January 16, 2007 NRC Regulatory Conference NRC Question 1 Is it acceptable to provide auxiliary feedwater to a steam generator after it has dried out?
APS Response 1 Yes. The Unit 3 steam generators are designed with an allowance for feeding a hot dry steam generator with cold feedwater. APS asked ABB (the design authority for the PVNGS Steam Generators) about the maximum allowed flow rate for feedwater to a hot dry steam generator. The ABB response stated "the generators are designed to handle seven cycles of adding 40 degrees F feedwater at 1750 gpm." The information was requested to support development of the PVNGS Emergency Operating Procedures.
This information is documented in ABB Inter-Office Correspondence V-MPS-91-163, dated November 14, 1991.
NRC Question 2 What reliability/unavailability for the Gas Turbine Generators (GTGs) was assumed in the Probabilistic Risk Analysis (PRA)? Provide the data that was used to obtain these values. Please indicate how buried cable reliability is addressed in the PRA.
APS Response 2
GTG Reliability
Gas Turbine Generator (GTG) fail to start and fail to run probabilities are Bayesian updated values based on the values in Advanced Light Water Reactor Requirements Document (ALWR), Volume II, Chapter 1, Appendix A - PRA Key Assumptions and Groundrules, Electric Power Research Institute, Revision 6, December 1993, pages A.A-67 and A.A-68. The number of GTG demands, accumulated run time, and failures were collected for the period of 1/1/1998 to 10/1/2004 and documented in study 13-NS-C076, Plant Specific Reliability Data for PRA Model, Revision 0, Appendix C: PRA Final Failures and Demands Report. The values were based on an actual count (they were not estimated). For the given time period and system boundary, there were 6 failures (3 on GTG 1 and 3 on GTG 2) in 267 demands and 0 failures in 283 hours. The final failure probabilities were 2.5E-2 per demand and 4.2E-5 per hour.
GTG Unavailability
GTG unavailability is based on an actual count of unavailable hours during the period 1/1/1999 through 12/31/2001 as documented in study 13-NS-C064, Plant Specific Unavailability Data for PRA Model, Revision 0, Appendix A: Individual Parameter Unavailability Listings Gas Turbine Generator. There were 954.68 hours unavailable in the 26304 hour period for a probability of 1.81E-2.
GTG Underground Cable Reliability
The underground cables between the GTGs and the units are modeled separately from the GTGs. The cable is not direct buried but runs in an underground conduit. Two three phase cables are used to supply power to each unit. The failure probability is a Bayesian updated value based on the value in IEEE Standard 500-1984, IEEE Guide to the Collection and Presentation of Electrical, Electronic, Sensing Component and Mechanical Equipment Reliability Data for Nuclear-Power Generating Stations, Institute of Electrical and Electronics Engineers, Inc., December 13, 1983, Reaffirmed 1991, page 770. This value is multiplied by the length of the cable (3475' for Unit 1, see note below) obtained from the Plant Data Management System EDB Electrical Database, since the IEEE value is given per 1000' cable length. Based on a search of EPIX/NPRDS, Failure Data Trending, and CRDRs, there were zero cable failures since the GTGs were installed. In the search, 4 instances were identified (CRDRs 2559098, 2564721, 2580013, and 2843631) where the results of megger testing were less than the service criteria but greater than the emergency criteria. These tests had been evaluated by Maintenance Engineering and it was determined that since the as-found readings were greater than the emergency allowed value, the cables would have been able to perform their function. Appropriate corrective actions were taken in each case to restore the cables such that the service criteria were met.
Engineering Support provided a Maintenance Rule Hours in Mode Summary Report for the date range of 9/27/1993 (date of first GTG isochronous test) through 11/30/2006.
The exposure time was taken as the time spent in Modes 1 through 6 in each unit, for an exposure time of 334,836 hours for the 3 units. Since there are two cables per unit, the total exposure time is 669,672 hours. From a unit perspective, a load test powering that unit's cables from the GTGs is performed every 18 months per 40DP-9OP06, Operations Department Repetitive Task Program, Task GT002. The Bayesian updated failure rate for one cable was 1.46E-2 per hour, for a failure probability of a standby component of 9.59E-3. Since there are two cables, the final probability for the underground GTG cable was 1.91E-2 (equivalent to an "OR" gate).
Note: A single PRA model based on Unit 1 is used at PVNGS. Plant differences are accounted for when performing specific applications. Since a continuously energized failure rate is being applied to a cable energized only a very short period of its exposed life, the value is very conservative and bounds all three units.
NRC Question 3 Describe how the PRA handles the recovery of the Auxiliary Feedwater (AF) Train "N" pump once the GTG is on line. What dependency exists between getting GTG alignment and AF "N" alignment?
APS Response 3 In a Station Blackout, restoration of a motor-driven AFW pump after alignment of the GTGs is required if auxiliary feedwater from the turbine driven pump is lost to the SGs and power is not available. This scenario involves failure of both the Maintenance of Vital Auxiliaries and RCS Heat Removal safety functions. As such, Operations would be directed to the Functional Recovery procedure 40EP-9EO09 for this condition. The Control Room Supervisor retains the option to proceed with the Blackout procedure with the understanding that the mitigating strategy (restoration of power) will resolve both failed safety functions. The procedure actions are similar, and both direct Operations to initially restore power to PBA-S03 from a GTG, after determination that offsite power and EDGs cannot be restored within 1 hour.
Procedure 40EP-9EO09, Functional Recovery, Section 8.0, Maintenance of Vital Auxiliaries, Success path MVAC 3: GTGs, provides the instructions to start and load the GTGs onto a Class 1E 4.16kV AC Bus. Step 8.7 directs performance of Appendix 80 "When NAN-S07 is energized, align GTG to PBA-S03 (BO)". Alternately available to Operations is step 8.7.1 which directs performance of Appendix 81 "When NAN-S07 is energized, Align GTGs to PBB-S04 (BO)". The equivalent steps to align a GTG to a Class 1E 4.16kV AC bus are provided in the Blackout procedure 40EP-9EO08, in steps 13 and 13.1.
Standard Appendix 80 [81] (40EP-9EO10) step 7 [9] completes the actions necessary to energize the Class 1E 4.16kV AC bus PBA-S03 [PBB-S04]. At this time power is available to start an AFW pump and initiate AFW flow to a SG. Step 9, of Appendix 80, directs an Operator [Licensed Control Room Operator] to check that AFA is being used to maintain at least one SG at 45%-60% NR level, else if the AFA pump is not available, then align and start AFN-P01 to restore SG level. Step 11, of Appendix 81, directs the Operator to start AFB-P01 to restore SG level.
The Control Room Supervisor (CRS) has the responsibility to manage the operator resources during the event. The description below reflects what would typically be the assignments made for power recovery and AFW recovery. Specific assignments may vary, but there are always two licensed control room operators available to perform the two main functions of power recovery and AFW recovery without dependency between the tasks. The tasks are also separated in time, with power recovery required prior to AFW recovery for this scenario. The same is true of the 4 Auxiliary Operators. The specific operator assigned to a task may vary, but sufficient resources exist to perform all the tasks without any dependency.
Actions necessary to start and align the AFN-P01 pump or AFB-P01 pump are typically performed by the Controls Operator from the Control Room. To initiate flow from the AFN-P01 pump, the Controls Operator must open the two (2) suction MOVs, open a Downcomer Bypass MOV (one per SG), open the Downcomer Isolation valves (2 per SG), and start the pump. To initiate flow from the AFB-P01 pump, the Controls Operator must only start the pump, given the discharge isolation and regulation valves are open due to the AFAS actuation. The time to take these actions is less than 5 minutes.
The Licensed Operators are extensively trained on these actions during various simulator events. The detailed actions are not prescriptively described in the Emergency Operating Procedures, but are simple and easily accomplished by any control room operator as a result of their training. Failure of the Controls Operator to initiate AFW flow to at least one SG would be immediately recovered by the Control Room Supervisor and/or the STA. The Controls Operator typically has no other dependent responsibilities for power restoration. Initiation of AFW for restoration of the RCS Heat Removal safety function is the Control Operator's primary focus, thus ample time is available for proper diagnosis and recovery. The PRA does not model a specific HRA for failure to establish AFW flow after power is restored to a Class 1E 4.16kV AC bus because the failure probability for the AFW restoration action is so low it is negligible compared to the action to restore power.
Recovery of the 4.16KV AC bus from a GTG is typically performed by the Reactor Operator [Licensed Control Room Operator] with assistance from an assigned Auxiliary Operator (AO), typically the Area 4 AO and the Water Reclamation Facility Operator.
The assigned AO would have no responsibilities for assisting with the recovery of the assumed failed AFA-P01 pump, which is typically assigned to a different AO (Area 1).
There are no required actions of the Controls Operator to support the power recovery actions, nor any actions of the Reactor Operator to support the AFW recovery actions, other than the standard actions to maintain cognizance of critical system parameters.
No Auxiliary Operators are required for recovery of AFW after power has been restored to a 4.16kV AC bus. Actions to restore power and initiate AFW are considered to have zero dependency.
NRC Question 4 Which EOP covers overriding automatic control (AFAS) and taking manual control of AF "A"? How soon does this happen based on simulator experience? This relates to the battery analysis assumption that the AF isolation valves do not continuously cycle, as assumed in the design calculation.
APS Response 4 Procedure 40EP-9EO01, Standard Post Trip Actions, has the Secondary Operator override AFAS valves to ensure feed flow is not excessive. Operators are trained to take manual control of the feed rate to preclude a SIAS, which would likely follow an AFAS, due to overcooling. The operator will typically initiate this action by starting AFA-P01
from control room panel B06, and establish feed by opening the block valves and throttling the regulation valves. This would normally occur (assuming a Station Blackout) prior to an AFAS actuation. The isolation valves are left open and are not cycled and the only valve manipulations are adjustments to feed rate using the regulation valves.
In the event of an AFAS automatic actuation, the operator will take control of feed rate, and not allow the regulation valves to control level. The specific feed rate is not scripted, but the safety function is met when level in at least one steam generator is increasing towards its normal band as required by Procedure 40EP-9EO01. Experience in the simulator is that operators will take manual control of AF in no longer than 10 minutes during a station blackout (SBO) event.
Once level is recovered, the operator feeds at a rate sufficient to makeup for level lost due to steaming out the Atmospheric Dump Valves (ADVs).
NRC Question 5 In the lower recovery path of the "Event Timelines for Station Blackout @ t=0" slide of the presentation, APS provided times of 58 and 95 minutes for 'steam generator (SG) dryout' and 'latest SG makeup can be initiated'. How does the PRA use these two values? What importance is given to each value?
APS Response 5 The 58 minute time is used in Loss of Offsite Power accident sequences as the basis for the time to start and align the gas turbine generators. The 95 minute time is not used for Loss of Offsite Power accident sequences. The 95 minute time is used as the time available for providing feed to the steam generators using the condensate pumps for sequences that do not include a Loss of Offsite Power. Thus the 95 minute time has no importance in the K-1 relay significance determination.
NRC Question 6 Provide the analysis that was done to extend the battery life from the 2 hour design requirement to 3 hours for the PRA.
APS Response 6 NUS-5058, Analysis of Station Blackout Accidents at PVNGS-1, Yovan Lukic, NUS Corporation, November 1987, Section 4.1, "Description of Top Events within the SBO event tree", subsection "Failure to Restore Power within 3 Hours", is the basis document for the 3 hour battery life in the PVNGS PRA model. This source states:
Based on a review of 125 VDC bus loads typical to an SBO event and the 18 month and 60 months test of the DC batteries (Refs. 6 and 7), it is assessed that DC batteries will last for at least 3 hours into an SBO event. The 60 month test established that 1200 amp-hours can be provided by each DC battery (PKA and PKB) before the 105 VDC battery under-voltage condition is reached. Given a conservative estimate of the battery loads during SBO, each battery would have to provide on the order of 1000 amp-hours during the first 3 hours into an SBO event. This 20% excess in battery capacity is sufficient to cover the power requirements when the battery is operated at near 80% capacity (end-of-life).
It should be noted that batteries with larger capacity (2415 amp-hours) were installed since this change was implemented in the PRA model.
NRC Question 7 Provide updated analysis for seven hour battery capacity.
APS Response 7 The updated analysis for seven hour battery capacity was provided to the NRC on January 19, 2007. This updated analysis reflects additional capacity loss for the 'A' battery, which was recognized following the January 16, 2007 Regulatory Conference.
This additional battery capacity loss resulted in the total capacity loss being greater than 10 percent, which placed the 'A' battery in Technical Specification 3.8.4.8, requiring a 12 month surveillance test, like the 'C' battery. This surveillance test will be performed along with the 'C' battery test in the upcoming Unit 3 mid-cycle outage. The updated analysis demonstrates that the assumptions for the risk significance evaluation remain valid, with margin.
NRC Question 8 Did operator failure probabilities for restoration of the Emergency Diesel Generator (EDG) include the potential that operations would fail to shut down the EDG as required if it started but the field did not flash, because of the lack of jacket cooling water?
APS Response 8 Yes. APS considered the operator failing to stop the EDG after the field did not flash.
The step was not identified as critical because the failure contribution (-2E-4) was not a significant contribution to the total value of the HRA value for recovery of the EDG. HRA quantification 4DG-RECVR-KI-1-HR has a value of 5.8E-2 and 4DG-RECVR-K1-7-HR has a value of 3.2E-3 (reference 13-NS-C081, App D).
NRC Question 9 Who is relied upon to actually recover the EDG (maintenance, operations or engineering personnel)? How is that accounted for in your results?
APS Response 9 The associated HRA credited the recovery of K-1 relay contactor by Electrical Maintenance personnel with technical support from Electrical Maintenance Engineering personnel.
Operations would immediately know of the EDG output failure after the engine start by control room indication/alarms as well as by Emergency Response Facility Data Acquisition Display System (ERFDADS) flat line output. Operations would not attempt to correct this condition since no specific proceduralized instructions are readily available to them. Electrical Maintenance personnel and Electrical Maintenance Engineering would be immediately called (Maintenance onsite 24/7). Maintenance and Engineering would have the primary responsibility for recovery of the affected EDG after a loss of generator output. If not onsite, Electrical Maintenance Engineering personnel would be contacted immediately for technical assistance by phone or pager. Although the faulted EDG may not be running at the time when Maintenance and/or Engineering become involved, Maintenance and Engineering personnel would be informed that the EDG started and ran without power output. Prior plant experience is that it takes 2-3 hours to replace the K-1 contactor. That repair action, however, is not required because recovery can be easily accomplished by manual bypass (opening) of the K-1 relay contactor.
Following the involvement of Electrical Maintenance personnel and their Engineering support, the time required for EDG 3A loss of output diagnosis is estimated at 5 to 10 minutes. It is based on operating experience at PVNGS (including a recent failure in Unit 3) and engineering knowledge that when there is no voltage buildup at all by the generator immediately after an engine start, the most likely cause would be a failure of the field shorting (K-1) contactor.
No immediate indications of a K-1 problem would exist at the EDG with it in a shutdown condition, however, the plant ERFDADS computer (powered by uninterruptible power supply E-NQN-D01) monitors and records the voltage and frequency buildup for each EDG start. Those records are preserved for several hours. A data flat line showing no attempt at all to build up generator output voltage would be a strong indicator of a K-1 contactor problem. In contrast, if the generator rotor is spinning, the K-1 has dropped out properly and field flashing fails to occur, then generator output voltage would still build up slowly due to its residual magnetism.
With the engine in a shutdown condition, Engineering may advise Maintenance to functionally test the K-1 and field flash (FF) contactors using the Manual Field Flash
(MFFPB) push button on the generator control panel as long as 135 VDC control power was still available. One wire inside the cabinet would have to be lifted and the 135 VDC FF breaker would have to be opened prior to the manual field flash test. This functional test was recently used (7/26/2006 3A loss of output event) to verify that a newly installed spare K-1 was working properly.
The task of establishing EDG 3A output is considered a recovery action consistent with RG 1.200, Table A-1. The following justifications are provided:
- The failed K-1 relay would very likely be bypassed rather than repaired. Bypass is particularly easy to perform. The fault is recoverable by a simple manual action of releasing the K-1 contactor reset latch after an engine start. After the 2nd EDG 3A no output failure (9/22/06), no equipment was required to be replaced.
- Ease of diagnosis is supported by recent similar incidents and adequate personnel training, which includes K-1 relays.
- Responsible plant personnel are easily accessible by pager or telephone.
- Ample time is available for diagnosis and action to bypass the failed relay contactor.
- No special tools are required for diagnosis or relay bypass manual action, and there are no issues with accessibility.
- Plant personnel responsible for diagnosis and bypass would not be subjected to the potentially high stress level facing the control room personnel.
- Flat line data for EDG voltage and frequency on ERFDADS computer would quickly lead to the determination that K-1 relay has malfunctioned.
NRC Question 10 Why did we not use the Unit 3 battery design calculation? How does that affect the applicability of the results to the Unit 3 battery?
APS Response 10 The Unit 2 calculation was used because it had been updated to reflect a number of implemented design changes, which the existing Unit 3 calculation had not yet incorporated. The designs of the DC systems are quite similar in all three units, and one model was originally used to represent any of the units. Due to a desire to improve accuracy and the availability of more powerful modeling tools, Palo Verde converted the Class 1E DC system calculation to unitized models in the mid-1990's.
A comparison between the Unit 2 calculation results to an updated Unit 3 computerized model, which reflects the current configuration (though not yet finalized), was performed. The load profiles are comparable with only minor variations due to nameplate voltage ratings of motor operated valves and variations due to differences in cable lengths. Two of the auxiliary feed water valves on Unit 3 were found to have lower voltages than the same valves in Unit 2, however, the valves have adequate
margin to accommodate these voltage differences. In light of the considerable margins between the battery capacities and the load demands of a 7-hour station blackout event (27 and 60 percent for the 'A' and 'C' batteries respectively), the differences between the designs of Unit 2 and 3 are insignificant to the conclusions of the evaluation of the K-1 relay issue.
NRC Question 11 Do the spikes in battery 'E' graph in presentation slide "Empirical Data 'E' Battery" correlate with battery recharging?
APS Response 11 Yes. The first spike shown on the graph (November 7, 2004) is a result of the recharge of the battery under PMWO 2647054 and the second recharge was performed under PMWO 2794319, on May 5, 2006.