ML121030640: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (StriderTol Bot change) |
||
(6 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
| number = ML121030640 | | number = ML121030640 | ||
| issue date = 05/16/2012 | | issue date = 05/16/2012 | ||
| title = | | title = Request for Additional Information, Review of Single Failure Analysis of Low Pressure Safety Injection Pumps for Minimum Required Refueling Water Tank Transfer Volume | ||
| author name = Singal B | | author name = Singal B | ||
| author affiliation = NRC/NRR/DORL/LPLIV | | author affiliation = NRC/NRR/DORL/LPLIV | ||
| addressee name = Edington R | | addressee name = Edington R | ||
| addressee affiliation = Arizona Public Service Co | | addressee affiliation = Arizona Public Service Co | ||
| docket = 05000528, 05000529, 05000530 | | docket = 05000528, 05000529, 05000530 | ||
Line 18: | Line 18: | ||
=Text= | =Text= | ||
{{#Wiki_filter:UNITED NUCLEAR REGULATORY WASHINGTON. D.C. 20555*0001 May 16, 2012 Mr. Randall K. Edington Executive Vice President Nuclearl Chief Nuclear Officer Mail Station 7602 Arizona Public Service Company P.O. Box 52034 Phoenix, AZ 85072-2034 PALO VERDE NUCLEAR GENERATING STATION, UNITS 1. 2, AND REQUEST FOR ADDITIONAL INFORMATION, REVIEW OF SINGLE FAILURE ANALYSIS OF LOW PRESSURE SAFETY INJECTION PUMPS FOR MINIMUM REQUIRED REFUELING WATER TANK TRANSFER VOLUME (TAC NOS. ME8284, ME8285, AND ME8286) Dear Mr. Edington: During an inspection in 2011, the U.S. Nuclear Regulatory Commission (NRC) Region IV staff identified an issue with the analysis of the minimum required refueling water tank transfer volume for the Palo Verde Nuclear Generating Station (PVNGS), Units 1, 2. and 3. The NRC inspection questioned whether the analysis performed by Arizona Public Service Company (APS, the licensee) adequately addressed the single failure of low pressure safety injection (LPSI) pumps to trip on a recirculation actuation signal. The licensee's response was that the single failure of LPSI pumps to trip on a recirculation actuation signal was identified and discussed in the license amendment request dated November 30, 2009 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML093450485). and the analysis was approved by the NRC staff for PVNGS. Units 1, 2, and 3, by Amendment No. 182, dated November 24,2010 (ADAMS Accession No. | {{#Wiki_filter:UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON. D.C. 20555*0001 May 16, 2012 Mr. Randall K. Edington Executive Vice President Nuclearl Chief Nuclear Officer Mail Station 7602 Arizona Public Service Company P.O. Box 52034 Phoenix, AZ 85072-2034 | ||
R. Edington -2 If you have any questions, please contact me at (301) 415-3016 or via e-mail at Balwant.Singal@nrc.gov. Sincerely, Balwant K. Singal, Senior Project Manager Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. STN 50-528, STN 50-529, and STN 50-530 Enclosure: As stated cc w/encl: Distribution via Listserv REQUEST FOR ADDITIONAL INFORMATION REVIEW OF SINGLE FAILURE ANALYSIS OF LOW PRESSURE SAFETY INJECTION PUMPS FOR MINIMUM REQUIRED REFUELING WATER TANK TRANSFER VOLUME PALO VERDE NUCLEAR GENERATING STATION. UNITS 1. 2. AND 3 DOCKET NOS. STN 50-528. STN 50-529. AND STN 50-530 Page 2 of the license amendment request (LAR) dated November 30, 2009 (ADAMS Accession No. ML093450485), stated that evaluation of the failure of a low pressure safety injection (LPSI) pump to "automatically stop, as designed, on a RAS [recirculation actuation signal]. .... has a minimal probability of occurrence and its increased effect on risk to the plant is not significant. Therefore, the previously analyzed single failure remains the licensing basis bounding failure." The U.S. Nuclear Regulatory Commission (NRC) staff understands the licensee's views that the failure of the LPSI pump to automatically trip does not have to be considered as a single failure because it has a "minimal probability." Title 10 of the Code of Federal Regulations (10 CFR), paragraph 50.55a(3)(h)(2), "Protection systems," states that for nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, protection systems must meet the requirements stated in either Institute of Electrical and Electronics Engineers (IEEE) Std. 279, "Criteria for Protection Systems for Nuclear Power Generating Stations," or in IEEE Std. 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995. SECY-05-0138, Informed and Performance-Based Alternatives to the Single-Failure Criterion," dated August 2,2005 (ADAMS Accession No. ML051950619) "Guidance for Implementing the Single Failure Criterion."} states that Regulatory Guide 1.53, Revision 2, "Application of the Single-Failure Criterion to Safety Systems," November 2003 (ADAMS Accession No. ML033220006), describes the application of the single failure criterion to safety systems and discusses related industry standards IEEE Std. 279-1971, IEEE Std. 603-1991, and IEEE Std. 379-2000. Standards 279 and 603 present minimum functional design standards for nuclear plant "protection" and "safety" respectively. Both standards require that safety systems satisfy the single failure criterion and refer to IEEE Std. 379 for guidance on applying the single failure criterion (Section 2.2 of Attachment to 0138). SECY | |||
-used to assist in establishing credibility. IEEE Std. 379-2000 states a position on excluding particular failures from single-failure analysis, as follows: A probabilistic assessment shall not be used in lieu of the single failure analysis. However, reliability analysis, probability assessment, operating experience, engineering judgment, or a combination thereof, may be used to establish a basis for excluding a particular failure from the single failure analysis. Please explain how not addressing the failure of the LPSI pump to trip on RAS is consistent with the regulations or, if you determine that your approach is not consistent with the regulations, then (a) describe your planned actions to bring your plants into compliance and (b) provide a commitment and schedule to achieve compliance. Please provide the actual stroke times for refueling water tank (RWT) isolation valves CH-530 and CH-531 and explain how these times were determined. Please provide the times assumed in the analysis as described on page 11 of the LAR dated November 30, 2009. The allowable time for operator action is based on a minimum RWT level that precludes air entrainment. Page 12 of the LAR dated November 30, 2009, states that the RAS setpoint was established to ensure sufficient volume is available after an RAS to credit closure of the RWT discharge valves before the RWT vortex breaker becomes uncovered. Please (a) describe the vortex suppressors, (b) include a sketch of their installation in the RWTs, and (c) provide experimental evidence that establishes their effectiveness in preventing air entrainment. While discussing LPSI pump failure to trip on RAS, page 16 of the LAR dated November 30, 2009, states, in part, that The fault tree included all events or combination of events (including those in the operating environment) that could result in a failure mode in which one or more of the LPSI pumps fails to stop at a RAS .... Based on this fault tree analysis, the engineering evaluation determined the potential increase in core damage and large early release risk posed by the failure of a LPSI pump to trip on a RAS that could result in enough air being drawn into the suction of the ESF [Engineered Safety Features] pumps to render them unavailable. Please state clearly if the analysis is based on one LPSI pump to trip on RAS or both. If it is one pump, please explain why both pumps cannot fail to trip on RAS. If it is both pumps, please explain what the implications are where one pump was assumed to trip in the simulator runs. Please describe the criteria used for determining the amount of air that would render ESF pumps unavailable. | ==SUBJECT:== | ||
-3 Please describe the methodology used to analyze gas transport to determine the behavior of gas that reached the pumps. The LAR dated November 30,2009, seems to imply that the changes stated in the LAR are being implemented to preclude the potential for air entrainment in the Emergency Core Cooling System (ECCS) and Containment Spray (CS) pump suction piping from the RWT. There appears to be an inconsistency since the event tree description appeared to allow gas to reach pumps. Please explain. Technical Specification Bases Section B 3.5.5 states The High Pressure Safety Injection (HPSI), Low Pressure Safety Injection (LPSI), and containment spray pumps are provided with recirculation lines that ensure each pump can maintain minimum flow requirements when operating at shutoff head conditions. These lines discharge back to the RWT. The RWT vents to the Fuel Building Ventilation System. When the suction for the HPSI and containment spray pumps is transferred to the containment sump, this flow path must be isolated to prevent a release of the containment sump contents to the RWT. If not isolated, this flow path could result in a release of contaminants to the atmosphere and the eventual loss of suction head for the ESF pumps. It is not clear if the recirculation lines from the LPSI pumps also isolate when the suction of the LPSI pumps is transferred to the containment sump. Please explain if the LPSI recirculation lines are closed if an LPSI pump fails to trip. Please provide the NRC staff with the analyses of the LPSI pump failure to trip and operator response performed in support of the amendment request. Please provide a summary of the fault tree analysis including the assumed split fractions used in the event trees. Section C.5 of Appendix C to Inspection Manual 9900, "Use of Temporary Manual Action in Place of Automatic Action in Support of Operability," states Automatic action is frequently provided as a design feature specific to each SSC [systems, structures, and components] to ensure that specified safety functions will be accomplished. Limiting safety system settings for nuclear reactors are defined in 10 CFR Part 50.36, "Technical Specifications," as settings for automatic protective devices related to those variables having significant safety functions. Where a limiting safety system setting is specified for a variable on which a safety limit has been placed, the setting must be so chosen that automatic protective action will correct the abnormal situation before a safety limit is exceeded. Accordingly, it is not appropriate to consider SSCs operable by taking credit for manual action in place of automatic action for protection of safety limits. This does not forbid operator action to put the plant in a | PALO VERDE NUCLEAR GENERATING STATION, UNITS 1. 2, AND 3 REQUEST FOR ADDITIONAL INFORMATION, REVIEW OF SINGLE FAILURE ANALYSIS OF LOW PRESSURE SAFETY INJECTION PUMPS FOR MINIMUM REQUIRED REFUELING WATER TANK TRANSFER VOLUME (TAC NOS. ME8284, ME8285, AND ME8286) | ||
-4 safe condition, but operator action cannot be a substitute for automatic safety limit protection. Credit for manual initiation of a specified safety function should be established as part of the licensing review of a facility. Although the licensing of specific facility designs includes consideration of automatic and manual action in the performance of specified safety functions, not all combinations of circumstances have been reviewed from an operability standpoint. For situations where substitution of manual action for automatic action is proposed for an operability determination, the evaluation of manual action must focus on the physical differences between automatic and manual action and the ability of the manual action to accomplish the specified safety function or functions.... The licensee should have written procedures in place and personnel should be trained on the procedures before any manual action is substituted for the loss of an automatic action .... One reasonable test of the reliability and effectiveness of a manual action may be the approval of the manual action for the same function at a similar facility. Nevertheless, a manual action is expected to be a temporary measure and to promptly end when the automatic action is corrected in accordance with 10 CFR Part 50, Appendix B, and the licensee's corrective action program. This implies that manual actions are appropriate when they are part of the current licensing basis (CLB). Hence, it is not appropriate to consider SSCs operable by taking credit for manual action in place of automatic action for protection of safety limits when the automatic action is part of the CLB. Please explain how the proposed manual actions are consistent with the above inspection manual statement. | |||
R. Edington If you have any questions, please contact me at (301) 415-3016 or via e-mail at Balwant.Singal@nrc.gov. | ==Dear Mr. Edington:== | ||
}} | |||
During an inspection in 2011, the U.S. Nuclear Regulatory Commission (NRC) Region IV staff identified an issue with the analysis of the minimum required refueling water tank transfer volume for the Palo Verde Nuclear Generating Station (PVNGS), Units 1, 2. and 3. The NRC inspection questioned whether the analysis performed by Arizona Public Service Company (APS, the licensee) adequately addressed the single failure of low pressure safety injection (LPSI) pumps to trip on a recirculation actuation signal. The licensee's response was that the single failure of LPSI pumps to trip on a recirculation actuation signal was identified and discussed in the license amendment request dated November 30, 2009 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML093450485). and the analysis was approved by the NRC staff for PVNGS. Units 1, 2, and 3, by Amendment No. 182, dated November 24,2010 (ADAMS Accession No. ML102710301). Upon further review, the NRC staff concluded that the staff did not specifically review the LPSI pump single failure justification provided in License Amendment No. 182 and has questions regarding that portion of the licensee's analysis. | |||
The NRC staff is concerned that the LPSI pump single failure justification provided in the license amendment request did not provide sufficient information for the staff to reach a conclusion of reasonable assurance on this issue, and that the NRC would likely have issued a request for additional information (RAI) regarding this matter. The NRC staff plans to re-examine its review of the issue of single failure of LPSI pumps to trip on a recirculation actuation signal and notified the licensee of its concerns on March 20. 2012. APS agreed to address the RAI and reconcile NRC staff's concerns. | |||
The NRC staff's RAI is provided in the enclosure to this letter. Please provide your response within 60 days from the date of this letter. Also, please advise us if a clarification conference call is needed before submitting your response. | |||
R. Edington -2 If you have any questions, please contact me at (301) 415-3016 or via e-mail at Balwant.Singal@nrc.gov. | |||
Sincerely, Balwant K. Singal, Senior Project Manager Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. STN 50-528, STN 50-529, and STN 50-530 | |||
==Enclosure:== | |||
As stated cc w/encl: Distribution via Listserv | |||
REQUEST FOR ADDITIONAL INFORMATION REVIEW OF SINGLE FAILURE ANALYSIS OF LOW PRESSURE SAFETY INJECTION PUMPS FOR MINIMUM REQUIRED REFUELING WATER TANK TRANSFER VOLUME PALO VERDE NUCLEAR GENERATING STATION. UNITS 1. 2. AND 3 DOCKET NOS. STN 50-528. STN 50-529. AND STN 50-530 | |||
: 1. Page 2 of the license amendment request (LAR) dated November 30, 2009 (ADAMS Accession No. ML093450485), stated that evaluation of the failure of a low pressure safety injection (LPSI) pump to "automatically stop, as designed, on a RAS [recirculation actuation signal]. .... has a minimal probability of occurrence and its increased effect on risk to the plant is not significant. Therefore, the previously analyzed single failure remains the licensing basis bounding failure." The U.S. Nuclear Regulatory Commission (NRC) staff understands the licensee's views that the failure of the LPSI pump to automatically trip does not have to be considered as a single failure because it has a "minimal probability." | |||
Title 10 of the Code of Federal Regulations (10 CFR), paragraph 50.55a(3)(h)(2), | |||
"Protection systems," states that for nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, protection systems must meet the requirements stated in either Institute of Electrical and Electronics Engineers (IEEE) | |||
Std. 279, "Criteria for Protection Systems for Nuclear Power Generating Stations," or in IEEE Std. 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995. SECY-05-0138, "Risk Informed and Performance-Based Alternatives to the Single-Failure Criterion," dated August 2,2005 (ADAMS Accession No. ML051950619) "Guidance for Implementing the Single Failure Criterion."} states that Regulatory Guide 1.53, Revision 2, "Application of the Single-Failure Criterion to Safety Systems," November 2003 (ADAMS Accession No. ML033220006), describes the application of the single failure criterion to safety systems and discusses related industry standards IEEE Std. 279-1971, IEEE Std. 603-1991, and IEEE Std. 379-2000. Standards 279 and 603 present minimum functional design standards for nuclear plant "protection" and "safety" respectively. Both standards require that safety systems satisfy the single failure criterion and refer to IEEE Std. 379 for guidance on applying the single failure criterion (Section 2.2 of Attachment to SECY-05 0138). | |||
SECY 0138 further states that the IEEE standards provide guidance for systematically approaching the analysis of single failures to safety systems. They also offer guidance on selecting "credible" events and failures to include in these analyses. | |||
Both IEEE Std. 603-1991 and IEEE Std. 379-2000 state that the single failure criterion is to be applied to "credible" events and failures, where probabilistic assessments may be Enclosure | |||
- 2 used to assist in establishing credibility. IEEE Std. 379-2000 states a position on excluding particular failures from single-failure analysis, as follows: | |||
A probabilistic assessment shall not be used in lieu of the single failure analysis. However, reliability analysis, probability assessment, operating experience, engineering judgment, or a combination thereof, may be used to establish a basis for excluding a particular failure from the single failure analysis. | |||
Please explain how not addressing the failure of the LPSI pump to trip on RAS is consistent with the regulations or, if you determine that your approach is not consistent with the regulations, then (a) describe your planned actions to bring your plants into compliance and (b) provide a commitment and schedule to achieve compliance. | |||
: 2. Please provide the actual stroke times for refueling water tank (RWT) isolation valves CH-530 and CH-531 and explain how these times were determined. Please provide the times assumed in the analysis as described on page 11 of the LAR dated November 30, 2009. | |||
: 3. The allowable time for operator action is based on a minimum RWT level that precludes air entrainment. Page 12 of the LAR dated November 30, 2009, states that the RAS setpoint was established to ensure sufficient volume is available after an RAS to credit closure of the RWT discharge valves before the RWT vortex breaker becomes uncovered. Please (a) describe the vortex suppressors, (b) include a sketch of their installation in the RWTs, and (c) provide experimental evidence that establishes their effectiveness in preventing air entrainment. | |||
: 4. While discussing LPSI pump failure to trip on RAS, page 16 of the LAR dated November 30, 2009, states, in part, that The fault tree included all events or combination of events (including those in the operating environment) that could result in a failure mode in which one or more of the LPSI pumps fails to stop at a RAS .... Based on this fault tree analysis, the engineering evaluation determined the potential increase in core damage and large early release risk posed by the failure of a LPSI pump to trip on a RAS that could result in enough air being drawn into the suction of the ESF [Engineered Safety Features] | |||
pumps to render them unavailable. | |||
: a. Please state clearly if the analysis is based on one LPSI pump to trip on RAS or both. If it is one pump, please explain why both pumps cannot fail to trip on RAS. | |||
If it is both pumps, please explain what the implications are where one pump was assumed to trip in the simulator runs. | |||
: b. Please describe the criteria used for determining the amount of air that would render ESF pumps unavailable. | |||
-3 | |||
: c. Please describe the methodology used to analyze gas transport to determine the behavior of gas that reached the pumps. | |||
: d. The LAR dated November 30,2009, seems to imply that the changes stated in the LAR are being implemented to preclude the potential for air entrainment in the Emergency Core Cooling System (ECCS) and Containment Spray (CS) pump suction piping from the RWT. There appears to be an inconsistency since the event tree description appeared to allow gas to reach pumps. Please explain. | |||
: 5. Technical Specification Bases Section B 3.5.5 states The High Pressure Safety Injection (HPSI), Low Pressure Safety Injection (LPSI), and containment spray pumps are provided with recirculation lines that ensure each pump can maintain minimum flow requirements when operating at shutoff head conditions. These lines discharge back to the RWT. The RWT vents to the Fuel Building Ventilation System. When the suction for the HPSI and containment spray pumps is transferred to the containment sump, this flow path must be isolated to prevent a release of the containment sump contents to the RWT. If not isolated, this flow path could result in a release of contaminants to the atmosphere and the eventual loss of suction head for the ESF pumps. | |||
It is not clear if the recirculation lines from the LPSI pumps also isolate when the suction of the LPSI pumps is transferred to the containment sump. Please explain if the LPSI recirculation lines are closed if an LPSI pump fails to trip. | |||
: 6. Please provide the NRC staff with the analyses of the LPSI pump failure to trip and operator response performed in support of the amendment request. | |||
: 7. Please provide a summary of the fault tree analysis including the assumed split fractions used in the event trees. | |||
: 8. Section C.5 of Appendix C to Inspection Manual 9900, "Use of Temporary Manual Action in Place of Automatic Action in Support of Operability," states Automatic action is frequently provided as a design feature specific to each SSC [systems, structures, and components] to ensure that specified safety functions will be accomplished. Limiting safety system settings for nuclear reactors are defined in 10 CFR Part 50.36, "Technical Specifications," as settings for automatic protective devices related to those variables having significant safety functions. Where a limiting safety system setting is specified for a variable on which a safety limit has been placed, the setting must be so chosen that automatic protective action will correct the abnormal situation before a safety limit is exceeded. | |||
Accordingly, it is not appropriate to consider SSCs operable by taking credit for manual action in place of automatic action for protection of safety limits. This does not forbid operator action to put the plant in a | |||
-4 safe condition, but operator action cannot be a substitute for automatic safety limit protection. | |||
Credit for manual initiation of a specified safety function should be established as part of the licensing review of a facility. Although the licensing of specific facility designs includes consideration of automatic and manual action in the performance of specified safety functions, not all combinations of circumstances have been reviewed from an operability standpoint. | |||
For situations where substitution of manual action for automatic action is proposed for an operability determination, the evaluation of manual action must focus on the physical differences between automatic and manual action and the ability of the manual action to accomplish the specified safety function or functions.... The licensee should have written procedures in place and personnel should be trained on the procedures before any manual action is substituted for the loss of an automatic action .... One reasonable test of the reliability and effectiveness of a manual action may be the approval of the manual action for the same function at a similar facility. Nevertheless, a manual action is expected to be a temporary measure and to promptly end when the automatic action is corrected in accordance with 10 CFR Part 50, Appendix B, and the licensee's corrective action program. | |||
This implies that manual actions are appropriate when they are part of the current licensing basis (CLB). Hence, it is not appropriate to consider SSCs operable by taking credit for manual action in place of automatic action for protection of safety limits when the automatic action is part of the CLB. | |||
Please explain how the proposed manual actions are consistent with the above inspection manual statement. | |||
R. Edington -2 If you have any questions, please contact me at (301) 415-3016 or via e-mail at Balwant.Singal@nrc.gov. | |||
Sincerely, IRA by N. Kalyanam forI Balwant K. Singal, Senior Project Manager Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. STN 50-528, STN 50-529, and STN 50-530 | |||
==Enclosure:== | |||
As stated cc w/encl: Distribution via Listserv DISTRIBUTION: | |||
PUBLIC RidsNrrLAJBurkhardt Resource LPLIV r/f RidsNrrPMPaloVerde Resource RidsAcrsAcnw_MailCTR Resource RidsOgcRp Resource RidsNrrDorlLpl4 Resource RidsRgn4MailCenter Resource RidsNrrDraAhpb Resource GLapinsky, NRR/DRAlAHPB RidsNrrDssSrxb Resource WLyon, NRR/DSS/SRXB RidsNrrDraApla Resource JGall, NRR/DSS/SRXB ADAMS Accession No. ML121030640 OFFICE NRR/DORULPL4/PM NRR/DORU NRR/DSS/SRXB/BC NAME BSingal JBurkhardt AUlses* | |||
DATE 4/13/12 4/13/12 4/11112 N RR/DRAlAPLAlBC NRR/DORULPL4/BC NRR/DORULPL4/PM DHarrison MMarkley BSingal (NKalyanam for) 5/15/12 5/16/12 5/16/12 OFFICIAL RECORD COpy}} |
Latest revision as of 16:16, 20 March 2020
ML121030640 | |
Person / Time | |
---|---|
Site: | Palo Verde |
Issue date: | 05/16/2012 |
From: | Balwant Singal Plant Licensing Branch IV |
To: | Edington R Arizona Public Service Co |
Singal, Balwant, 415-3016, NRR/DORL/LPL4 | |
References | |
TAC ME8284, TAC ME8285, TAC ME8286 | |
Download: ML121030640 (7) | |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON. D.C. 20555*0001 May 16, 2012 Mr. Randall K. Edington Executive Vice President Nuclearl Chief Nuclear Officer Mail Station 7602 Arizona Public Service Company P.O. Box 52034 Phoenix, AZ 85072-2034
SUBJECT:
PALO VERDE NUCLEAR GENERATING STATION, UNITS 1. 2, AND 3 REQUEST FOR ADDITIONAL INFORMATION, REVIEW OF SINGLE FAILURE ANALYSIS OF LOW PRESSURE SAFETY INJECTION PUMPS FOR MINIMUM REQUIRED REFUELING WATER TANK TRANSFER VOLUME (TAC NOS. ME8284, ME8285, AND ME8286)
Dear Mr. Edington:
During an inspection in 2011, the U.S. Nuclear Regulatory Commission (NRC) Region IV staff identified an issue with the analysis of the minimum required refueling water tank transfer volume for the Palo Verde Nuclear Generating Station (PVNGS), Units 1, 2. and 3. The NRC inspection questioned whether the analysis performed by Arizona Public Service Company (APS, the licensee) adequately addressed the single failure of low pressure safety injection (LPSI) pumps to trip on a recirculation actuation signal. The licensee's response was that the single failure of LPSI pumps to trip on a recirculation actuation signal was identified and discussed in the license amendment request dated November 30, 2009 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML093450485). and the analysis was approved by the NRC staff for PVNGS. Units 1, 2, and 3, by Amendment No. 182, dated November 24,2010 (ADAMS Accession No. ML102710301). Upon further review, the NRC staff concluded that the staff did not specifically review the LPSI pump single failure justification provided in License Amendment No. 182 and has questions regarding that portion of the licensee's analysis.
The NRC staff is concerned that the LPSI pump single failure justification provided in the license amendment request did not provide sufficient information for the staff to reach a conclusion of reasonable assurance on this issue, and that the NRC would likely have issued a request for additional information (RAI) regarding this matter. The NRC staff plans to re-examine its review of the issue of single failure of LPSI pumps to trip on a recirculation actuation signal and notified the licensee of its concerns on March 20. 2012. APS agreed to address the RAI and reconcile NRC staff's concerns.
The NRC staff's RAI is provided in the enclosure to this letter. Please provide your response within 60 days from the date of this letter. Also, please advise us if a clarification conference call is needed before submitting your response.
R. Edington -2 If you have any questions, please contact me at (301) 415-3016 or via e-mail at Balwant.Singal@nrc.gov.
Sincerely, Balwant K. Singal, Senior Project Manager Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. STN 50-528, STN 50-529, and STN 50-530
Enclosure:
As stated cc w/encl: Distribution via Listserv
REQUEST FOR ADDITIONAL INFORMATION REVIEW OF SINGLE FAILURE ANALYSIS OF LOW PRESSURE SAFETY INJECTION PUMPS FOR MINIMUM REQUIRED REFUELING WATER TANK TRANSFER VOLUME PALO VERDE NUCLEAR GENERATING STATION. UNITS 1. 2. AND 3 DOCKET NOS. STN 50-528. STN 50-529. AND STN 50-530
- 1. Page 2 of the license amendment request (LAR) dated November 30, 2009 (ADAMS Accession No. ML093450485), stated that evaluation of the failure of a low pressure safety injection (LPSI) pump to "automatically stop, as designed, on a RAS [recirculation actuation signal]. .... has a minimal probability of occurrence and its increased effect on risk to the plant is not significant. Therefore, the previously analyzed single failure remains the licensing basis bounding failure." The U.S. Nuclear Regulatory Commission (NRC) staff understands the licensee's views that the failure of the LPSI pump to automatically trip does not have to be considered as a single failure because it has a "minimal probability."
Title 10 of the Code of Federal Regulations (10 CFR), paragraph 50.55a(3)(h)(2),
"Protection systems," states that for nuclear power plants with construction permits issued after January 1, 1971, but before May 13, 1999, protection systems must meet the requirements stated in either Institute of Electrical and Electronics Engineers (IEEE)
Std. 279, "Criteria for Protection Systems for Nuclear Power Generating Stations," or in IEEE Std. 603-1991, "Criteria for Safety Systems for Nuclear Power Generating Stations," and the correction sheet dated January 30, 1995. SECY-05-0138, "Risk Informed and Performance-Based Alternatives to the Single-Failure Criterion," dated August 2,2005 (ADAMS Accession No. ML051950619) "Guidance for Implementing the Single Failure Criterion."} states that Regulatory Guide 1.53, Revision 2, "Application of the Single-Failure Criterion to Safety Systems," November 2003 (ADAMS Accession No. ML033220006), describes the application of the single failure criterion to safety systems and discusses related industry standards IEEE Std. 279-1971, IEEE Std. 603-1991, and IEEE Std. 379-2000. Standards 279 and 603 present minimum functional design standards for nuclear plant "protection" and "safety" respectively. Both standards require that safety systems satisfy the single failure criterion and refer to IEEE Std. 379 for guidance on applying the single failure criterion (Section 2.2 of Attachment to SECY-05 0138).
SECY 0138 further states that the IEEE standards provide guidance for systematically approaching the analysis of single failures to safety systems. They also offer guidance on selecting "credible" events and failures to include in these analyses.
Both IEEE Std. 603-1991 and IEEE Std. 379-2000 state that the single failure criterion is to be applied to "credible" events and failures, where probabilistic assessments may be Enclosure
- 2 used to assist in establishing credibility. IEEE Std. 379-2000 states a position on excluding particular failures from single-failure analysis, as follows:
A probabilistic assessment shall not be used in lieu of the single failure analysis. However, reliability analysis, probability assessment, operating experience, engineering judgment, or a combination thereof, may be used to establish a basis for excluding a particular failure from the single failure analysis.
Please explain how not addressing the failure of the LPSI pump to trip on RAS is consistent with the regulations or, if you determine that your approach is not consistent with the regulations, then (a) describe your planned actions to bring your plants into compliance and (b) provide a commitment and schedule to achieve compliance.
- 2. Please provide the actual stroke times for refueling water tank (RWT) isolation valves CH-530 and CH-531 and explain how these times were determined. Please provide the times assumed in the analysis as described on page 11 of the LAR dated November 30, 2009.
- 3. The allowable time for operator action is based on a minimum RWT level that precludes air entrainment. Page 12 of the LAR dated November 30, 2009, states that the RAS setpoint was established to ensure sufficient volume is available after an RAS to credit closure of the RWT discharge valves before the RWT vortex breaker becomes uncovered. Please (a) describe the vortex suppressors, (b) include a sketch of their installation in the RWTs, and (c) provide experimental evidence that establishes their effectiveness in preventing air entrainment.
- 4. While discussing LPSI pump failure to trip on RAS, page 16 of the LAR dated November 30, 2009, states, in part, that The fault tree included all events or combination of events (including those in the operating environment) that could result in a failure mode in which one or more of the LPSI pumps fails to stop at a RAS .... Based on this fault tree analysis, the engineering evaluation determined the potential increase in core damage and large early release risk posed by the failure of a LPSI pump to trip on a RAS that could result in enough air being drawn into the suction of the ESF [Engineered Safety Features]
pumps to render them unavailable.
- a. Please state clearly if the analysis is based on one LPSI pump to trip on RAS or both. If it is one pump, please explain why both pumps cannot fail to trip on RAS.
If it is both pumps, please explain what the implications are where one pump was assumed to trip in the simulator runs.
- b. Please describe the criteria used for determining the amount of air that would render ESF pumps unavailable.
-3
- c. Please describe the methodology used to analyze gas transport to determine the behavior of gas that reached the pumps.
- d. The LAR dated November 30,2009, seems to imply that the changes stated in the LAR are being implemented to preclude the potential for air entrainment in the Emergency Core Cooling System (ECCS) and Containment Spray (CS) pump suction piping from the RWT. There appears to be an inconsistency since the event tree description appeared to allow gas to reach pumps. Please explain.
- 5. Technical Specification Bases Section B 3.5.5 states The High Pressure Safety Injection (HPSI), Low Pressure Safety Injection (LPSI), and containment spray pumps are provided with recirculation lines that ensure each pump can maintain minimum flow requirements when operating at shutoff head conditions. These lines discharge back to the RWT. The RWT vents to the Fuel Building Ventilation System. When the suction for the HPSI and containment spray pumps is transferred to the containment sump, this flow path must be isolated to prevent a release of the containment sump contents to the RWT. If not isolated, this flow path could result in a release of contaminants to the atmosphere and the eventual loss of suction head for the ESF pumps.
It is not clear if the recirculation lines from the LPSI pumps also isolate when the suction of the LPSI pumps is transferred to the containment sump. Please explain if the LPSI recirculation lines are closed if an LPSI pump fails to trip.
- 6. Please provide the NRC staff with the analyses of the LPSI pump failure to trip and operator response performed in support of the amendment request.
- 7. Please provide a summary of the fault tree analysis including the assumed split fractions used in the event trees.
- 8. Section C.5 of Appendix C to Inspection Manual 9900, "Use of Temporary Manual Action in Place of Automatic Action in Support of Operability," states Automatic action is frequently provided as a design feature specific to each SSC [systems, structures, and components] to ensure that specified safety functions will be accomplished. Limiting safety system settings for nuclear reactors are defined in 10 CFR Part 50.36, "Technical Specifications," as settings for automatic protective devices related to those variables having significant safety functions. Where a limiting safety system setting is specified for a variable on which a safety limit has been placed, the setting must be so chosen that automatic protective action will correct the abnormal situation before a safety limit is exceeded.
Accordingly, it is not appropriate to consider SSCs operable by taking credit for manual action in place of automatic action for protection of safety limits. This does not forbid operator action to put the plant in a
-4 safe condition, but operator action cannot be a substitute for automatic safety limit protection.
Credit for manual initiation of a specified safety function should be established as part of the licensing review of a facility. Although the licensing of specific facility designs includes consideration of automatic and manual action in the performance of specified safety functions, not all combinations of circumstances have been reviewed from an operability standpoint.
For situations where substitution of manual action for automatic action is proposed for an operability determination, the evaluation of manual action must focus on the physical differences between automatic and manual action and the ability of the manual action to accomplish the specified safety function or functions.... The licensee should have written procedures in place and personnel should be trained on the procedures before any manual action is substituted for the loss of an automatic action .... One reasonable test of the reliability and effectiveness of a manual action may be the approval of the manual action for the same function at a similar facility. Nevertheless, a manual action is expected to be a temporary measure and to promptly end when the automatic action is corrected in accordance with 10 CFR Part 50, Appendix B, and the licensee's corrective action program.
This implies that manual actions are appropriate when they are part of the current licensing basis (CLB). Hence, it is not appropriate to consider SSCs operable by taking credit for manual action in place of automatic action for protection of safety limits when the automatic action is part of the CLB.
Please explain how the proposed manual actions are consistent with the above inspection manual statement.
R. Edington -2 If you have any questions, please contact me at (301) 415-3016 or via e-mail at Balwant.Singal@nrc.gov.
Sincerely, IRA by N. Kalyanam forI Balwant K. Singal, Senior Project Manager Plant Licensing Branch IV Division of Operating Reactor Licensing Office of Nuclear Reactor Regulation Docket Nos. STN 50-528, STN 50-529, and STN 50-530
Enclosure:
As stated cc w/encl: Distribution via Listserv DISTRIBUTION:
PUBLIC RidsNrrLAJBurkhardt Resource LPLIV r/f RidsNrrPMPaloVerde Resource RidsAcrsAcnw_MailCTR Resource RidsOgcRp Resource RidsNrrDorlLpl4 Resource RidsRgn4MailCenter Resource RidsNrrDraAhpb Resource GLapinsky, NRR/DRAlAHPB RidsNrrDssSrxb Resource WLyon, NRR/DSS/SRXB RidsNrrDraApla Resource JGall, NRR/DSS/SRXB ADAMS Accession No. ML121030640 OFFICE NRR/DORULPL4/PM NRR/DORU NRR/DSS/SRXB/BC NAME BSingal JBurkhardt AUlses*
DATE 4/13/12 4/13/12 4/11112 N RR/DRAlAPLAlBC NRR/DORULPL4/BC NRR/DORULPL4/PM DHarrison MMarkley BSingal (NKalyanam for) 5/15/12 5/16/12 5/16/12 OFFICIAL RECORD COpy