ML070390040: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
||
| Line 16: | Line 16: | ||
=Text= | =Text= | ||
{{#Wiki_filter:LA | {{#Wiki_filter:LA subsidiaryof Pinnacle West CapitalCorporation James M. Levine Mail Station 7602 Palo Verde Nuclear Executive Vice President Tel (623) 393-5300 PO Box 52034 Generating Station Generation Fax (623) 393-6077 Phoenix, Arizona 85072-2034 102-05636-JMLJSAB/TNW/CJS January 24, 2007 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555 | ||
==Dear Sir:== | ==Dear Sir:== | ||
==Subject:== | ==Subject:== | ||
Palo Verde Nuclear Generating Station (PVNGS)Units 1, 2 and 3 Docket Nos. STN 50-528, 50-529, and 50-530 APS Response to NRC Inspection Report 05000528/2006012; 0500052912006012; 0500053012006012 In NRC Special Inspection Report 2006012, dated December 6, 2006, the NRC documented their examination of activities associated with the PVNGS Unit 3, Train A, emergency diesel generator (EDG) failures that occurred on July 25 and September 22, 2006. At a January 16, 2007 Regulatory Conference in Arlington, Texas, APS provided the NRC its perspective on the facts and analytical assumptions relevant to determining the safety significance of the findings, in accordance with the Inspection Manual Chapter 0609.The purpose of this letter is to provide the additional information requested by the NRC during the regulatory conference. | Palo Verde Nuclear Generating Station (PVNGS) | ||
The Enclosure to this letter contains 7 questions that were requested at the close of the conference and 4 additional questions that were part of the conference general discussion. | Units 1, 2 and 3 Docket Nos. STN 50-528, 50-529, and 50-530 APS Response to NRC Inspection Report 05000528/2006012; 0500052912006012; 0500053012006012 In NRC Special Inspection Report 2006012, dated December 6, 2006, the NRC documented their examination of activities associated with the PVNGS Unit 3, Train A, emergency diesel generator (EDG) failures that occurred on July 25 and September 22, 2006. At a January 16, 2007 Regulatory Conference in Arlington, Texas, APS provided the NRC its perspective on the facts and analytical assumptions relevant to determining the safety significance of the findings, in accordance with the Inspection Manual Chapter 0609. | ||
There are no regulatory commitments in this letter.If you have any questions, please contact Thomas N. Weber at (623) 393-5764.Sincerely, JMLJSABITNW/CJS/gt U.S. Nuclear Regulatory Commission ATTN: Document Control Desk APS Response to NRC Inspection Report 05000528/2006012; 05000529/2006012; 05000530/2006012 Page 2 | The purpose of this letter is to provide the additional information requested by the NRC during the regulatory conference. The Enclosure to this letter contains 7 questions that were requested at the close of the conference and 4 additional questions that were part of the conference general discussion. There are no regulatory commitments in this letter. | ||
If you have any questions, please contact Thomas N. Weber at (623) 393-5764. | |||
Sincerely, JMLJSABITNW/CJS/gt | |||
U.S. Nuclear Regulatory Commission ATTN: Document Control Desk APS Response to NRC Inspection Report 05000528/2006012; 05000529/2006012; 05000530/2006012 Page 2 | |||
==Enclosure:== | ==Enclosure:== | ||
Additional Information Requested at the January 16, 2007 NRC Regulatory Conference cc: B. S. Malleft NRC Region IV Regional Administrator M. B. Fields NRC NRR Project Manager M. T. Markley NRC NRR Project Manager G. G. Warnick NRC Senior Resident Inspector for PVNGS | |||
ENCLOSURE Additional Information Requested at the January 16, 2007 NRC Regulatory Conference NRC Question 1 Is it acceptable to provide auxiliary feedwater to a steam generator after it has dried out? | |||
APS asked ABB (the design authority for the PVNGS Steam Generators) about the maximum allowed flow rate for feedwater to a hot dry steam generator. | APS Response 1 Yes. The Unit 3 steam generators are designed with an allowance for feeding a hot dry steam generator with cold feedwater. APS asked ABB (the design authority for the PVNGS Steam Generators) about the maximum allowed flow rate for feedwater to a hot dry steam generator. The ABB response stated "the generators are designed to handle seven cycles of adding 40 degrees F feedwater at 1750 gpm." The information was requested to support development of the PVNGS Emergency Operating Procedures. | ||
The ABB response stated "the generators are designed to handle seven cycles of adding 40 degrees F feedwater at 1750 gpm." The information was requested to support development of the PVNGS Emergency Operating Procedures. | This information is documented in ABB Inter-Office Correspondence V-MPS-91-163, dated, November 14, 1991. | ||
This information is documented in ABB Inter-Office Correspondence V-MPS-91-163, dated, November 14, 1991.NRC Question 2 What reliability/unavailability for the Gas Turbine Generators (GTGs) was assumed in the Probabilistic Risk Analysis (PRA)? Provide the data that was used to obtain these values. Please indicate how buried cable reliability is addressed in the PRA.APS Response 2 GTG Reliability Gas Turbine Generator (GTG) fail to start and fail to run probabilities are Bayesian updated values based on the values in Advanced Light Water | NRC Question 2 What reliability/unavailability for the Gas Turbine Generators (GTGs) was assumed in the Probabilistic Risk Analysis (PRA)? Provide the data that was used to obtain these values. Please indicate how buried cable reliability is addressed in the PRA. | ||
For the given time period and system boundary, there were 6 failures (3 on GTG 1 and 3 on GTG 2) in 267 demands and 0 failures in 283 hours. The final failure probabilities were 2.5E-2 per demand and 4.2E-5 per hour.1 GTG Unavailability GTG unavailability is based on an actual count of unavailable hours during the period 1/1/1999 through 12/31/2001 as documented in study 13-NS-C064, Plant Specific | APS Response 2 GTG Reliability Gas Turbine Generator (GTG) fail to start and fail to run probabilities are Bayesian updated values based on the values in Advanced Light Water ReactorRequirements Document (ALWR), Volume II, Chapter 1, Appendix A - PRA Key Assumptions and Groundrules, Electric Power Research Institute, Revision 6, December 1993, pages A.A-67 and A.A-68. The number of GTG demands, accumulated run time, and failures were collected for the period of 1/1/1998 to 10/1/2004 and documented in study 13-NS-C076, Plant Specific Reliability Data for PRA Model, Revision 0, Appendix C: PRA Final Failures and Demands Report. The values were based on an actual count (they were not estimated). For the given time period and system boundary, there were 6 failures (3 on GTG 1 and 3 on GTG 2) in 267 demands and 0 failures in 283 hours. The final failure probabilities were 2.5E-2 per demand and 4.2E-5 per hour. | ||
There were 954.68 hours unavailable in the 26304 hour period for a probability of 1.81 E-2.GTG UnderQround Cable Reliability The underground cables between the GTGs and the units are modeled separately from the GTGs. The cable is not direct buried but runs in an underground conduit. Two three phase cables are used to supply power to each unit. The failure probability is a Bayesian updated value based on the value in IEEE Standard 500-1984, IEEE Guide to the Collection and | 1 | ||
In the search, 4 instances were identified (CRDRs 2559098, 2564721, 2580013, and 2843631) where the results of megger testing was less than the service criteria but greater than the emergency criteria. | |||
These tests had been evaluated by Maintenance Engineering and it was determined that since the as-found readings were greater than the emergency allowed value, the cables would have been able to perform their function. | GTG Unavailability GTG unavailability is based on an actual count of unavailable hours during the period 1/1/1999 through 12/31/2001 as documented in study 13-NS-C064, Plant Specific UnavailabilityData for PRA Model, Revision 0, Appendix A: Individual Parameter Unavailability Listings Gas Turbine Generator. There were 954.68 hours unavailable in the 26304 hour period for a probability of 1.81 E-2. | ||
Appropriate corrective actions were taken in each case to restore the cables such that the service criteria were met.Engineering Support provided a Maintenance Rule Hours in Mode Summary Report for the date range of 9/27/1993 (date of first GTG isochronous test) through 11/30/2006. | GTG UnderQround Cable Reliability The underground cables between the GTGs and the units are modeled separately from the GTGs. The cable is not direct buried but runs in an underground conduit. Two three phase cables are used to supply power to each unit. The failure probability is a Bayesian updated value based on the value in IEEE Standard 500-1984, IEEE Guide to the Collection and Presentationof Electrical,Electronic, Sensing Component and MechanicalEquipment ReliabilityData for Nuclear-PowerGeneratingStations, Institute of Electrical and Electronics Engineers, Inc., December 13, 1983, Reaffirmed 1991, page 770. This value is multiplied by the length of the cable (3475' for Unit 1, See note below) obtained from the Plant Data Management System EDB ElectricalDatabase, since the IEEE value is given per 1000' cable length. Based on a search of EPIX/NPRDS, Failure Data Trending, and CRDRs, there were zero cable failures since the GTGs were installed. In the search, 4 instances were identified (CRDRs 2559098, 2564721, 2580013, and 2843631) where the results of megger testing was less than the service criteria but greater than the emergency criteria. These tests had been evaluated by Maintenance Engineering and it was determined that since the as-found readings were greater than the emergency allowed value, the cables would have been able to perform their function. Appropriate corrective actions were taken in each case to restore the cables such that the service criteria were met. | ||
The exposure time was taken as the time spent in Modes 1 through 6 in each unit, for an exposure time of 334,836 hours for the 3 units. Since there are two cables per unit, the total exposure time is 669,672 hours. From a unit perspective, a load test powering that unit's cables from the GTGs is performed every 18 months per 40DP-9OP06, | Engineering Support provided a Maintenance Rule Hours in Mode Summary Report for the date range of 9/27/1993 (date of first GTG isochronous test) through 11/30/2006. | ||
Since a continuously energized failure rate is being applied to a cable energized only a very short period of its exposed life, the value is very conservative and bounds all three units.2 NRC Question 3 Describe how the PRA handles the recovery of the Auxiliary Feedwater (AF) Train "N" pump once the GTG is on line. What dependency exists between getting GTG alignment and AF "N" alignment? | The exposure time was taken as the time spent in Modes 1 through 6 in each unit, for an exposure time of 334,836 hours for the 3 units. Since there are two cables per unit, the total exposure time is 669,672 hours. From a unit perspective, a load test powering that unit's cables from the GTGs is performed every 18 months per 40DP-9OP06, OperationsDepartmentRepetitive Task Program,Task GT002. The Bayesian updated failure rate for one cable was 1.46E-2 per hour, for a failure probability of a standby component of 9.59E-3. Since there are two cables, the final probability for the underground GTG cable was 1.91 E-2 (equivalent to an "OR" gate). | ||
APS Response 3 In a Station Blackout, restoration of a motor-driven AFW pump after alignment of the GTGs is required if auxiliary feedwater from the turbine driven pump is lost to the SGs and power is not available. | Note: A single PRA model based on Unit 1 is used at PVNGS. Plant differences are accounted for when performing specific applications. Since a continuously energized failure rate is being applied to a cable energized only a very short period of its exposed life, the value is very conservative and bounds all three units. | ||
This scenario involves failure of both the Maintenance of Vital Auxiliaries and RCS Heat Removal safety functions. | 2 | ||
As such, Operations would be directed to the Functional Recovery procedure 40EP-9EO09 for this condition. | |||
The Control Room Supervisor retains the option to proceed with the Blackout procedure with the understanding that the mitigating strategy (restoration of power) will resolve both failed safety functions. | NRC Question 3 Describe how the PRA handles the recovery of the Auxiliary Feedwater (AF) Train "N" pump once the GTG is on line. What dependency exists between getting GTG alignment and AF "N" alignment? | ||
The procedure actions are similar, and both direct Operations to initially restore power to PBA-S03 from a GTG, after determination that offsite power and EDGs can not be restored within 1 hour.Procedure 40EP-9EO09, | APS Response 3 In a Station Blackout, restoration of a motor-driven AFW pump after alignment of the GTGs is required if auxiliary feedwater from the turbine driven pump is lost to the SGs and power is not available. This scenario involves failure of both the Maintenance of Vital Auxiliaries and RCS Heat Removal safety functions. As such, Operations would be directed to the Functional Recovery procedure 40EP-9EO09 for this condition. The Control Room Supervisor retains the option to proceed with the Blackout procedure with the understanding that the mitigating strategy (restoration of power) will resolve both failed safety functions. The procedure actions are similar, and both direct Operations to initially restore power to PBA-S03 from a GTG, after determination that offsite power and EDGs can not be restored within 1 hour. | ||
At this time power is available to start an AFW pump and initiate AFW flow to a SG. Step 9, of Appendix 80, directs an Operator [Licensed Control Room Operator] | Procedure 40EP-9EO09, FunctionalRecovery, Section 8.0, Maintenance of Vital Auxiliaries, Success path MVAC 3: GTGs, provides the instructions to start and load the GTGs onto a Class 1E 4.16kV AC Bus. Step 8.7 directs performance of Appendix 80 "When NAN-S07 is energized, align GTG to PBA-S03 (BO)". Alternately available to Operations is step 8.7.1 which directs performance of Appendix 81 "When NAN-S07 is energized, Align GTGs to PBB-S04 (BO)". The equivalent steps to align a GTG to a Class 1E 4.16kV AC bus are provided in the Blackout procedure 40EP-9EO08, in steps 13 and 13.1. | ||
to check that AFA is being used to maintain at least one SG at 45%-60% NR level, else if the AFA pump is not available, then align and start AFN-P01 to restore SG level. Step 11, of Appendix 81, directs the Operator to start AFB-P01 to restore SG level.The Control Room Supervisor (CRS) has the responsibility to manage the operator resources during the event. The description below reflects what would typically be the assignments made for power recovery and AFW recovery. | Standard Appendix 80 [81] (40EP-9EO10) step 7 [9] completes the actions necessary to energize the Class 1E 4.16kV AC bus PBA-S03 [PBB-S04]. At this time power is available to start an AFW pump and initiate AFW flow to a SG. Step 9, of Appendix 80, directs an Operator [Licensed Control Room Operator] to check that AFA is being used to maintain at least one SG at 45%-60% NR level, else if the AFA pump is not available, then align and start AFN-P01 to restore SG level. Step 11, of Appendix 81, directs the Operator to start AFB-P01 to restore SG level. | ||
Specific assignments may vary, but there are always two licensed control room operators available to perform the two main functions of power recovery and AFW recovery without dependency between the tasks. The tasks are also separated in time, with power recovery required prior to AFW recovery for this scenario. | The Control Room Supervisor (CRS) has the responsibility to manage the operator resources during the event. The description below reflects what would typically be the assignments made for power recovery and AFW recovery. Specific assignments may vary, but there are always two licensed control room operators available to perform the two main functions of power recovery and AFW recovery without dependency between the tasks. The tasks are also separated in time, with power recovery required prior to AFW recovery for this scenario. The same is true of the 4 Auxiliary Operators. The specific operator assigned to a task may vary, but sufficient resources exist to perform all the tasks without any dependency. | ||
The same is true of the 4 Auxiliary Operators. | 3 | ||
The specific operator assigned to a task may vary, but sufficient resources exist to perform all the tasks without any dependency. | |||
3 Actions necessary to start and align the AFN-P01 pump or AFB-P01 pump are typically performed by the Controls Operator from the Control Room. To initiate flow from the AFN-P01 pump, the Controls Operator must open the two (2) suction MOVs, open a Downcomer Bypass MOV (one per SG), open the Downcomer Isolation valves (2 per SG), and start the pump. To initiate flow from the AFB-P01 pump, the Controls Operator must only start the pump, given the discharge isolation and regulation valves are open due to the AFAS actuation. | Actions necessary to start and align the AFN-P01 pump or AFB-P01 pump are typically performed by the Controls Operator from the Control Room. To initiate flow from the AFN-P01 pump, the Controls Operator must open the two (2) suction MOVs, open a Downcomer Bypass MOV (one per SG), open the Downcomer Isolation valves (2 per SG), and start the pump. To initiate flow from the AFB-P01 pump, the Controls Operator must only start the pump, given the discharge isolation and regulation valves are open due to the AFAS actuation. The time to take these actions is less than 5 minutes. | ||
The time to take these actions is less than 5 minutes.The Licensed Operators are extensively trained on these actions during various simulator events. The detailed actions are not prescriptively described in the Emergency Operating Procedures, but are simple and easily accomplished by any control room operator as a result of their training. | The Licensed Operators are extensively trained on these actions during various simulator events. The detailed actions are not prescriptively described in the Emergency Operating Procedures, but are simple and easily accomplished by any control room operator as a result of their training. Failure of the Controls Operator to initiate AFW flow to at least one SG would be immediately recovered by the Control Room Supervisor and/or the STA. The Controls Operator typically has no other dependent responsibilities for power restoration. Initiation of AFW for restoration of the RCS Heat Removal safety function is the Control Operator's primary focus, thus ample time is available for proper diagnosis and recovery. The PRA does not model a specific HRA for failure to establish AFW flow after power is restored to a Class 1E 4.16kV AC bus because the failure probability for the AFW restoration action is so low it is negligible compared to the action to restore power. | ||
Failure of the Controls Operator to initiate AFW flow to at least one SG would be immediately recovered by the Control Room Supervisor and/or the STA. The Controls Operator typically has no other dependent responsibilities for power restoration. | Recovery of the 4.16KV AC bus from a GTG is typically performed bythe Reactor Operator [Licensed Control Room Operator] with assistance from an assigned Auxiliary Operator (AO), typically the Area 4 AO and the Water Reclamation Facility Operator. | ||
Initiation of AFW for restoration of the RCS Heat Removal safety function is the Control Operator's primary focus, thus ample time is available for proper diagnosis and recovery. | The assigned AO would have no responsibilities for assisting with the recovery of the assumed failed AFA-P01 pump, which is typically assigned to a different AO (Area 1). | ||
The PRA does not model a specific HRA for failure to establish AFW flow after power is restored to a Class | There are no required actions of the Controls Operator to support the power recovery actions, nor any actions of the Reactor Operator to support the AFW recovery actions, other than the standard actions to maintain cognizance of critical system parameters. | ||
with assistance from an assigned Auxiliary Operator (AO), typically the Area 4 AO and the Water Reclamation Facility Operator.The assigned AO would have no responsibilities for assisting with the recovery of the assumed failed AFA-P01 pump, which is typically assigned to a different AO (Area 1).There are no required actions of the Controls Operator to support the power recovery actions, nor any actions of the Reactor Operator to support the AFW recovery actions, other than the standard actions to maintain cognizance of critical system parameters. | |||
No Auxiliary Operators are required for recovery of AFW after power has been restored to a 4.16kV AC bus. Actions to restore power and initiate AFW are considered to have zero dependency. | No Auxiliary Operators are required for recovery of AFW after power has been restored to a 4.16kV AC bus. Actions to restore power and initiate AFW are considered to have zero dependency. | ||
NRC Question 4 Which EOP covers overriding automatic control (AFAS) and taking manual control of AF"A"? How soon does this happen based on simulator experience? | NRC Question 4 Which EOP covers overriding automatic control (AFAS) and taking manual control of AF "A"? How soon does this happen based on simulator experience? This relates to the battery analysis assumption that the AF isolation valves do not continuously cycle, as assumed in the design calculation. | ||
This relates to the battery analysis assumption that the AF isolation valves do not continuously cycle, as assumed in the design calculation. | APS Response 4 Procedure 40EP-9EO01, StandardPost Trip Actions, has the Secondary Operator override AFAS valves to ensure feed flow is not excessive. Operators are trained to take manual control of the feed rate to preclude a SIAS, which would likely follow an AFAS, due to overcooling. The operator will typically initiate this action by starting AFA-4 | ||
APS Response 4 Procedure 40EP-9EO01, | |||
Operators are trained to take manual control of the feed rate to preclude a SIAS, which would likely follow an AFAS, due to overcooling. | P01 from control room panel B06, and establish feed by opening the block valves and throttling the regulation valves. This would normally occur (assuming a Station Blackout) prior to an AFAS actuation. The isolation valves are left open and are not cycled and the only valve manipulations are adjustments to feed rate using the regulation valves. | ||
The operator will typically initiate this action by starting AFA-4 P01 from control room panel B06, and establish feed by opening the block valves and throttling the regulation valves. This would normally occur (assuming a Station Blackout) prior to an AFAS actuation. | In the event of an AFAS automatic actuation, the operator will take control of feed rate, and not allow the regulation valves to control level. The specific feed rate is not scripted, but the safety function is met when level in at least one steam generator is increasing towards its normal band as required by Procedure 40EP-9EO01. Experience in the simulator is that operators~will take manual control of AF in no longer than 10 minutes during a station blackout (SBO) event. | ||
The isolation valves are left open and are not cycled and the only valve manipulations are adjustments to feed rate using the regulation valves.In the event of an AFAS automatic actuation, the operator will take control of feed rate, and not allow the regulation valves to control level. The specific feed rate is not scripted, but the safety function is met when level in at least one steam generator is increasing towards its normal band as required by Procedure 40EP-9EO01. | Once level is recovered, the operator feeds at a rate sufficient to makeup for level lost due to steaming out the Atmospheric Dump Valves (ADVs). | ||
Experience in the simulator is that operators~will take manual control of AF in no longer than 10 minutes during a station blackout (SBO) event.Once level is recovered, the operator feeds at a rate sufficient to makeup for level lost due to steaming out the Atmospheric Dump Valves (ADVs).NRC Question 5 In the lower recovery path of the "Event Timelines for Station Blackout @ t=0" slide of the presentation, APS provided times of 58 and 95 minutes for 'steam generator (SG)dryout' and 'latest SG makeup can be initiated'. | NRC Question 5 In the lower recovery path of the "Event Timelines for Station Blackout @ t=0" slide of the presentation, APS provided times of 58 and 95 minutes for 'steam generator (SG) dryout' and 'latest SG makeup can be initiated'. How does the PRA use these two values? What importance is given to each value? | ||
How does the PRA use these two values? What importance is given to each value?APS Response 5 The 58 minute time is used in Loss of Offsite Power accident sequences as the basis for the time to start and align the gas turbine generators. | APS Response 5 The 58 minute time is used in Loss of Offsite Power accident sequences as the basis for the time to start and align the gas turbine generators. The 95 minute time is not used for Loss of Offsite Power accident sequences. The 95 minute time is used as the time available for providing feed to the steam generators using the condensate pumps for sequences that do not include a Loss of Offsite Power. Thus the 95 minute time has no importance in the K-1 relay significance determination. | ||
The 95 minute time is not used for Loss of Offsite Power accident sequences. | NRC Question 6 Provide the analysis that was done to extend the battery life from the 2 hour design requirement to 3 hours for the PRA. | ||
The 95 minute time is used as the time available for providing feed to the steam generators using the condensate pumps for sequences that do not include a Loss of Offsite Power. Thus the 95 minute time has no importance in the K-1 relay significance determination. | APS Response 6 NUS-5058, Analysis of Station Blackout Accidents at PVNGS-1, Yovan Lukic, NUS Corporation, November 1987, Section 4.1, "Description of Top Events within the SBO event tree", subsection "Failure to Restore Power within 3 Hours", is the basis document for the 3 hour battery life in the PVNGS PRA model. This source states: | ||
NRC Question 6 Provide the analysis that was done to extend the battery life from the 2 hour design requirement to 3 hours for the PRA.APS Response 6 NUS-5058, Analysis of Station Blackout Accidents at PVNGS-1, Yovan Lukic, NUS Corporation, November 1987, Section 4.1, "Description of Top Events within the SBO event tree", subsection "Failure to Restore Power within 3 Hours", is the basis document for the 3 hour battery life in the PVNGS PRA model. This source states: 5 Based on a review of 125 VDC bus loads typical to an SBO event and the 18 month and 60 months test of the DC batteries (Refs. 6 and 7), it is assessed that DC batteries will last for at least 3 hours into an SBO event. The 60 month test established that 1200 amp-hours can be provided by each DC battery (PKA and PKB) before the 105 VDC battery under-voltage condition is reached. Given a conservative estimate of the battery loads during SBO, each battery would have to provide on the order of 1000 amp-hours during the first 3 hours into an SBO event. This 20% excess in battery capacity is sufficient to cover the power requirements when the battery is operated at near 80% capacity (end-of-life). | 5 | ||
It should be noted that batteries with larger capacity (2415 amp-hours) were installed since this change was implemented in the PRA model.NRC Question 7 Provide updated analysis for seven hour battery capacity.APS Response 7 The updated analysis for seven hour battery capacity was provided to the NRC on January 19, 2007. This updated analysis reflects additional capacity loss for the 'A'battery, which was recognized following the January 16, 2007 Regulatory Conference. | |||
This additional battery capacity loss resulted in the total capacity loss being greater than 10 percent, which placed the 'A' battery in Technical Specification 3.8.4.8, requiring a 12 month surveillance test, like the 'C' battery. This surveillance test will be performed along with the 'C' battery test in the upcoming Unit 3 mid-cycle outage. The updated analysis demonstrates that the assumptions for the risk significance evaluation remain valid, with margin.NRC Question 8 Did operator failure probabilities for restoration of the Emergency Diesel Generator (EDG) include the potential that operations would fail to shut down the EDG as required if it started but the field did not flash, because of the lack of jacket cooling water?APS Response 8 Yes. APS considered the operator failing to stop the EDG after the field did not flash.The step was not identified as critical because the failure contribution | Based on a review of 125 VDC bus loads typical to an SBO event and the 18 month and 60 months test of the DC batteries (Refs. 6 and 7), it is assessed that DC batteries will last for at least 3 hours into an SBO event. The 60 month test established that 1200 amp-hours can be provided by each DC battery (PKA and PKB) before the 105 VDC battery under-voltage condition is reached. Given a conservative estimate of the battery loads during SBO, each battery would have to provide on the order of 1000 amp-hours during the first 3 hours into an SBO event. This 20% excess in battery capacity is sufficient to cover the power requirements when the battery is operated at near 80% capacity (end-of-life). | ||
(-2E-4) was not a significant contribution to the total value of the HRA value for recovery of the EDG. HRA quantification 4DG-RECVR-KI-1-HR has a value of 5.8E-2 and 4DG-RECVR-K1-7-HR has a value of 3.2E-3 (reference 13-NS-C081, App D).6 NRC Question 9 Who is relied upon to actually recover the EDG (maintenance, operations or engineering personnel)? | It should be noted that batteries with larger capacity (2415 amp-hours) were installed since this change was implemented in the PRA model. | ||
How is that accounted for in your results?APS Response 9 The associated HRA credited the recovery of K-1 relay contactor by Electrical Maintenance personnel with technical support from Electrical Maintenance Engineering personnel. | NRC Question 7 Provide updated analysis for seven hour battery capacity. | ||
Operations would immediately know of the EDG output failure after the engine start by control room indication/alarms as well as by Emergency Response Facility Data Acquisition Display System (ERFDADS) flat line output. Operations would not attempt to correct this condition since no specific proceduralized instructions are readily available to them. Electrical Maintenance personnel and Electrical Maintenance Engineering would be immediately called (Maintenance onsite 24/7). Maintenance and Engineering would have the primary responsibility for recovery of the affected EDG after a loss of generator output. If not onsite, Electrical Maintenance Engineering personnel would be contacted immediately for technical assistance by phone or pager. Although the faulted EDG may not be running at the time when Maintenance and/or Engineering become involved, Maintenance and Engineering personnel would be informed that the EDG started and ran without power output. Prior plant experience is that it takes 2-3 hours to replace the K-1 contactor. | APS Response 7 The updated analysis for seven hour battery capacity was provided to the NRC on January 19, 2007. This updated analysis reflects additional capacity loss for the 'A' battery, which was recognized following the January 16, 2007 Regulatory Conference. | ||
That repair action, however, is not required because recovery can be easily accomplished by manual bypass (opening) of the K-1 relay contactor. | This additional battery capacity loss resulted in the total capacity loss being greater than 10 percent, which placed the 'A' battery in Technical Specification 3.8.4.8, requiring a 12 month surveillance test, like the 'C' battery. This surveillance test will be performed along with the 'C' battery test in the upcoming Unit 3 mid-cycle outage. The updated analysis demonstrates that the assumptions for the risk significance evaluation remain valid, with margin. | ||
NRC Question 8 Did operator failure probabilities for restoration of the Emergency Diesel Generator (EDG) include the potential that operations would fail to shut down the EDG as required if it started but the field did not flash, because of the lack of jacket cooling water? | |||
APS Response 8 Yes. APS considered the operator failing to stop the EDG after the field did not flash. | |||
The step was not identified as critical because the failure contribution (-2E-4) was not a significant contribution to the total value of the HRA value for recovery of the EDG. HRA quantification 4DG-RECVR-KI-1-HR has a value of 5.8E-2 and 4DG-RECVR-K1-7-HR has a value of 3.2E-3 (reference 13-NS-C081, App D). | |||
6 | |||
NRC Question 9 Who is relied upon to actually recover the EDG (maintenance, operations or engineering personnel)? How is that accounted for in your results? | |||
APS Response 9 The associated HRA credited the recovery of K-1 relay contactor by Electrical Maintenance personnel with technical support from Electrical Maintenance Engineering personnel. | |||
Operations would immediately know of the EDG output failure after the engine start by control room indication/alarms as well as by Emergency Response Facility Data Acquisition Display System (ERFDADS) flat line output. Operations would not attempt to correct this condition since no specific proceduralized instructions are readily available to them. Electrical Maintenance personnel and Electrical Maintenance Engineering would be immediately called (Maintenance onsite 24/7). Maintenance and Engineering would have the primary responsibility for recovery of the affected EDG after a loss of generator output. If not onsite, Electrical Maintenance Engineering personnel would be contacted immediately for technical assistance by phone or pager. Although the faulted EDG may not be running at the time when Maintenance and/or Engineering become involved, Maintenance and Engineering personnel would be informed that the EDG started and ran without power output. Prior plant experience is that it takes 2-3 hours to replace the K-1 contactor. That repair action, however, is not required because recovery can be easily accomplished by manual bypass (opening) of the K-1 relay contactor. | |||
Following the involvement of Electrical Maintenance personnel and their Engineering support, the time required for EDG 3A loss of output diagnosis is estimated at 5 to 10 minutes. It is based on operating experience at PVNGS (including a recent failure in Unit 3) and engineering knowledge that when there is no voltage buildup at all by the generator immediately after an engine start, the most likely cause would be a failure of the field shorting (K-1) contactor. | Following the involvement of Electrical Maintenance personnel and their Engineering support, the time required for EDG 3A loss of output diagnosis is estimated at 5 to 10 minutes. It is based on operating experience at PVNGS (including a recent failure in Unit 3) and engineering knowledge that when there is no voltage buildup at all by the generator immediately after an engine start, the most likely cause would be a failure of the field shorting (K-1) contactor. | ||
No immediate indications of a K-1 problem would exist at the EDG with it in a shutdown condition, however, the plant ERFDADS computer (powered by uninterruptible power supply E-NQN-D01) monitors and records the voltage and frequency buildup for each EDG start. Those records are preserved for several hours. A data flat line showing no attempt at all to build up generator output voltage would be a strong indicator of a K-1 contactor problem. In contrast, if the generator rotor is spinning, the K-1 has dropped out properly and field flashing fails to occur, then generator output voltage would still build up slowly due to its residual magnetism. | No immediate indications of a K-1 problem would exist at the EDG with it in a shutdown condition, however, the plant ERFDADS computer (powered by uninterruptible power supply E-NQN-D01) monitors and records the voltage and frequency buildup for each EDG start. Those records are preserved for several hours. A data flat line showing no attempt at all to build up generator output voltage would be a strong indicator of a K-1 contactor problem. In contrast, if the generator rotor is spinning, the K-1 has dropped out properly and field flashing fails to occur, then generator output voltage would still build up slowly due to its residual magnetism. | ||
With the engine in a shutdown condition, Engineering may advise Maintenance to functionally test the K-1 and field flash (FF) contactors using the Manual Field Flash 7 (MFFPB) push button on the generator control panel as long as 135 VDC control power was still available. | With the engine in a shutdown condition, Engineering may advise Maintenance to functionally test the K-1 and field flash (FF) contactors using the Manual Field Flash 7 | ||
One wire inside the cabinet would have to be lifted and the 135 VDC FF breaker would have to be opened prior to the manual field flash test. This functional test was recently used (7/26/2006 3A loss of output event) to verify that a newly installed spare K-1 was working properly.The task of establishing EDG 3A output is considered a recovery action consistent with RG 1.200, Table A-1. The following justifications are provided:* The failed K-1 relay would very likely be bypassed rather than repaired. | |||
Bypass is particularly easy to perform. The fault is recoverable by a simple manual action of releasing the K-1 contactor reset latch after an engine start. After the 2nd EDG 3A no output failure (9/22/06), no equipment was required to be replaced." Ease of diagnosis is supported by recent similar incidents and adequate personnel training, which includes K-1 relays." Responsible plant personnel are easily accessible by pager or telephone." Ample time is available for diagnosis and action to bypass the failed relay contactor." No special tools are required for diagnosis or relay bypass manual action, and there are no issues with accessibility. | (MFFPB) push button on the generator control panel as long as 135 VDC control power was still available. One wire inside the cabinet would have to be lifted and the 135 VDC FF breaker would have to be opened prior to the manual field flash test. This functional test was recently used (7/26/2006 3A loss of output event) to verify that a newly installed spare K-1 was working properly. | ||
* Plant personnel responsible for diagnosis and bypass would not be subjected to the potentially high stress level facing the control room personnel." Flat line data for EDG voltage and frequency on ERFDADS computer would quickly lead to the determination that K-1 relay has malfunctioned. | The task of establishing EDG 3A output is considered a recovery action consistent with RG 1.200, Table A-1. The following justifications are provided: | ||
NRC Question 10 Why did we not use the Unit 3 battery design calculation? | * The failed K-1 relay would very likely be bypassed rather than repaired. Bypass is particularly easy to perform. The fault is recoverable by a simple manual action of releasing the K-1 contactor reset latch after an engine start. After the 2nd EDG 3A no output failure (9/22/06), no equipment was required to be replaced. | ||
How does that affect the applicability of the results to the Unit 3 battery?APS Response 10 The Unit 2 calculation was used because it had been updated to reflect a number of implemented design changes, which the existing Unit 3 calculation had not yet incorporated. | " Ease of diagnosis is supported by recent similar incidents and adequate personnel training, which includes K-1 relays. | ||
The designs of the DC systems are quite similar in all three units, and one model was originally used to represent any of the units. Due to a desire to improve accuracy and the availability of more powerful modeling tools, Palo Verde converted the Class 1E DC system calculation to unitized models in the mid-1 990's.A comparison between the Unit 2 calculation results to an updated Unit 3 computerized model, which reflects the current configuration (though not yet finalized), was performed. | " Responsible plant personnel are easily accessible by pager or telephone. | ||
The load profiles are comparable with only minor variations due to nameplate voltage ratings of motor operated valves and variations due to differences in cable lengths. Two of the auxiliary feed water valves on Unit 3 were found to have lower voltages than the same valves in Unit 2, however, the valves have adequate 8 margin to accommodate these voltage differences. | " Ample time is available for diagnosis and action to bypass the failed relay contactor. | ||
In light of the considerable margins between the battery capacities and the load demands of a 7-hour station blackout event (27 and 60 percent for the 'A' and 'C' batteries respectively), the differences between the designs of Unit 2 and 3 are insignificant to the conclusions of the evaluation of the K-1 relay issue.NRC Question 11 Do the spikes in battery 'E' graph in presentation slide "Empirical Data 'E' Battery" correlate with battery recharging? | " No special tools are required for diagnosis or relay bypass manual action, and there are no issues with accessibility. | ||
APS Response 11 Yes. The first spike shown on the graph (November 7, 2004) is a result of the recharge of the battery under PMWO 2647054 and the second recharge was performed under PMWO 2794319, on May 5, 2006.9}} | * Plant personnel responsible for diagnosis and bypass would not be subjected to the potentially high stress level facing the control room personnel. | ||
" Flat line data for EDG voltage and frequency on ERFDADS computer would quickly lead to the determination that K-1 relay has malfunctioned. | |||
NRC Question 10 Why did we not use the Unit 3 battery design calculation? How does that affect the applicability of the results to the Unit 3 battery? | |||
APS Response 10 The Unit 2 calculation was used because it had been updated to reflect a number of implemented design changes, which the existing Unit 3 calculation had not yet incorporated. The designs of the DC systems are quite similar in all three units, and one model was originally used to represent any of the units. Due to a desire to improve accuracy and the availability of more powerful modeling tools, Palo Verde converted the Class 1E DC system calculation to unitized models in the mid-1 990's. | |||
A comparison between the Unit 2 calculation results to an updated Unit 3 computerized model, which reflects the current configuration (though not yet finalized), was performed. The load profiles are comparable with only minor variations due to nameplate voltage ratings of motor operated valves and variations due to differences in cable lengths. Two of the auxiliary feed water valves on Unit 3 were found to have lower voltages than the same valves in Unit 2, however, the valves have adequate 8 | |||
margin to accommodate these voltage differences. In light of the considerable margins between the battery capacities and the load demands of a 7-hour station blackout event (27 and 60 percent for the 'A' and 'C' batteries respectively), the differences between the designs of Unit 2 and 3 are insignificant to the conclusions of the evaluation of the K-1 relay issue. | |||
NRC Question 11 Do the spikes in battery 'E' graph in presentation slide "Empirical Data 'E' Battery" correlate with battery recharging? | |||
APS Response 11 Yes. The first spike shown on the graph (November 7, 2004) is a result of the recharge of the battery under PMWO 2647054 and the second recharge was performed under PMWO 2794319, on May 5, 2006. | |||
9}} | |||
Latest revision as of 09:39, 23 November 2019
| ML070390040 | |
| Person / Time | |
|---|---|
| Site: | Palo Verde  |
| Issue date: | 01/24/2007 |
| From: | James M. Levine Arizona Public Service Co |
| To: | Document Control Desk, NRC Region 4 |
| References | |
| 102-05636/JML/SAB/TNW/CJS, IR-06-012 | |
| Download: ML070390040 (11) | |
Text
LA subsidiaryof Pinnacle West CapitalCorporation James M. Levine Mail Station 7602 Palo Verde Nuclear Executive Vice President Tel (623) 393-5300 PO Box 52034 Generating Station Generation Fax (623) 393-6077 Phoenix, Arizona 85072-2034 102-05636-JMLJSAB/TNW/CJS January 24, 2007 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555
Dear Sir:
Subject:
Palo Verde Nuclear Generating Station (PVNGS)
Units 1, 2 and 3 Docket Nos. STN 50-528, 50-529, and 50-530 APS Response to NRC Inspection Report 05000528/2006012; 0500052912006012; 0500053012006012 In NRC Special Inspection Report 2006012, dated December 6, 2006, the NRC documented their examination of activities associated with the PVNGS Unit 3, Train A, emergency diesel generator (EDG) failures that occurred on July 25 and September 22, 2006. At a January 16, 2007 Regulatory Conference in Arlington, Texas, APS provided the NRC its perspective on the facts and analytical assumptions relevant to determining the safety significance of the findings, in accordance with the Inspection Manual Chapter 0609.
The purpose of this letter is to provide the additional information requested by the NRC during the regulatory conference. The Enclosure to this letter contains 7 questions that were requested at the close of the conference and 4 additional questions that were part of the conference general discussion. There are no regulatory commitments in this letter.
If you have any questions, please contact Thomas N. Weber at (623) 393-5764.
Sincerely, JMLJSABITNW/CJS/gt
U.S. Nuclear Regulatory Commission ATTN: Document Control Desk APS Response to NRC Inspection Report 05000528/2006012; 05000529/2006012; 05000530/2006012 Page 2
Enclosure:
Additional Information Requested at the January 16, 2007 NRC Regulatory Conference cc: B. S. Malleft NRC Region IV Regional Administrator M. B. Fields NRC NRR Project Manager M. T. Markley NRC NRR Project Manager G. G. Warnick NRC Senior Resident Inspector for PVNGS
ENCLOSURE Additional Information Requested at the January 16, 2007 NRC Regulatory Conference NRC Question 1 Is it acceptable to provide auxiliary feedwater to a steam generator after it has dried out?
APS Response 1 Yes. The Unit 3 steam generators are designed with an allowance for feeding a hot dry steam generator with cold feedwater. APS asked ABB (the design authority for the PVNGS Steam Generators) about the maximum allowed flow rate for feedwater to a hot dry steam generator. The ABB response stated "the generators are designed to handle seven cycles of adding 40 degrees F feedwater at 1750 gpm." The information was requested to support development of the PVNGS Emergency Operating Procedures.
This information is documented in ABB Inter-Office Correspondence V-MPS-91-163, dated, November 14, 1991.
NRC Question 2 What reliability/unavailability for the Gas Turbine Generators (GTGs) was assumed in the Probabilistic Risk Analysis (PRA)? Provide the data that was used to obtain these values. Please indicate how buried cable reliability is addressed in the PRA.
APS Response 2 GTG Reliability Gas Turbine Generator (GTG) fail to start and fail to run probabilities are Bayesian updated values based on the values in Advanced Light Water ReactorRequirements Document (ALWR), Volume II, Chapter 1, Appendix A - PRA Key Assumptions and Groundrules, Electric Power Research Institute, Revision 6, December 1993, pages A.A-67 and A.A-68. The number of GTG demands, accumulated run time, and failures were collected for the period of 1/1/1998 to 10/1/2004 and documented in study 13-NS-C076, Plant Specific Reliability Data for PRA Model, Revision 0, Appendix C: PRA Final Failures and Demands Report. The values were based on an actual count (they were not estimated). For the given time period and system boundary, there were 6 failures (3 on GTG 1 and 3 on GTG 2) in 267 demands and 0 failures in 283 hours0.00328 days <br />0.0786 hours <br />4.679233e-4 weeks <br />1.076815e-4 months <br />. The final failure probabilities were 2.5E-2 per demand and 4.2E-5 per hour.
1
GTG Unavailability GTG unavailability is based on an actual count of unavailable hours during the period 1/1/1999 through 12/31/2001 as documented in study 13-NS-C064, Plant Specific UnavailabilityData for PRA Model, Revision 0, Appendix A: Individual Parameter Unavailability Listings Gas Turbine Generator. There were 954.68 hours7.87037e-4 days <br />0.0189 hours <br />1.124339e-4 weeks <br />2.5874e-5 months <br /> unavailable in the 26304 hour period for a probability of 1.81 E-2.
GTG UnderQround Cable Reliability The underground cables between the GTGs and the units are modeled separately from the GTGs. The cable is not direct buried but runs in an underground conduit. Two three phase cables are used to supply power to each unit. The failure probability is a Bayesian updated value based on the value in IEEE Standard 500-1984, IEEE Guide to the Collection and Presentationof Electrical,Electronic, Sensing Component and MechanicalEquipment ReliabilityData for Nuclear-PowerGeneratingStations, Institute of Electrical and Electronics Engineers, Inc., December 13, 1983, Reaffirmed 1991, page 770. This value is multiplied by the length of the cable (3475' for Unit 1, See note below) obtained from the Plant Data Management System EDB ElectricalDatabase, since the IEEE value is given per 1000' cable length. Based on a search of EPIX/NPRDS, Failure Data Trending, and CRDRs, there were zero cable failures since the GTGs were installed. In the search, 4 instances were identified (CRDRs 2559098, 2564721, 2580013, and 2843631) where the results of megger testing was less than the service criteria but greater than the emergency criteria. These tests had been evaluated by Maintenance Engineering and it was determined that since the as-found readings were greater than the emergency allowed value, the cables would have been able to perform their function. Appropriate corrective actions were taken in each case to restore the cables such that the service criteria were met.
Engineering Support provided a Maintenance Rule Hours in Mode Summary Report for the date range of 9/27/1993 (date of first GTG isochronous test) through 11/30/2006.
The exposure time was taken as the time spent in Modes 1 through 6 in each unit, for an exposure time of 334,836 hours0.00968 days <br />0.232 hours <br />0.00138 weeks <br />3.18098e-4 months <br /> for the 3 units. Since there are two cables per unit, the total exposure time is 669,672 hours0.00778 days <br />0.187 hours <br />0.00111 weeks <br />2.55696e-4 months <br />. From a unit perspective, a load test powering that unit's cables from the GTGs is performed every 18 months per 40DP-9OP06, OperationsDepartmentRepetitive Task Program,Task GT002. The Bayesian updated failure rate for one cable was 1.46E-2 per hour, for a failure probability of a standby component of 9.59E-3. Since there are two cables, the final probability for the underground GTG cable was 1.91 E-2 (equivalent to an "OR" gate).
Note: A single PRA model based on Unit 1 is used at PVNGS. Plant differences are accounted for when performing specific applications. Since a continuously energized failure rate is being applied to a cable energized only a very short period of its exposed life, the value is very conservative and bounds all three units.
2
NRC Question 3 Describe how the PRA handles the recovery of the Auxiliary Feedwater (AF) Train "N" pump once the GTG is on line. What dependency exists between getting GTG alignment and AF "N" alignment?
APS Response 3 In a Station Blackout, restoration of a motor-driven AFW pump after alignment of the GTGs is required if auxiliary feedwater from the turbine driven pump is lost to the SGs and power is not available. This scenario involves failure of both the Maintenance of Vital Auxiliaries and RCS Heat Removal safety functions. As such, Operations would be directed to the Functional Recovery procedure 40EP-9EO09 for this condition. The Control Room Supervisor retains the option to proceed with the Blackout procedure with the understanding that the mitigating strategy (restoration of power) will resolve both failed safety functions. The procedure actions are similar, and both direct Operations to initially restore power to PBA-S03 from a GTG, after determination that offsite power and EDGs can not be restored within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.
Procedure 40EP-9EO09, FunctionalRecovery, Section 8.0, Maintenance of Vital Auxiliaries, Success path MVAC 3: GTGs, provides the instructions to start and load the GTGs onto a Class 1E 4.16kV AC Bus. Step 8.7 directs performance of Appendix 80 "When NAN-S07 is energized, align GTG to PBA-S03 (BO)". Alternately available to Operations is step 8.7.1 which directs performance of Appendix 81 "When NAN-S07 is energized, Align GTGs to PBB-S04 (BO)". The equivalent steps to align a GTG to a Class 1E 4.16kV AC bus are provided in the Blackout procedure 40EP-9EO08, in steps 13 and 13.1.
Standard Appendix 80 [81] (40EP-9EO10) step 7 [9] completes the actions necessary to energize the Class 1E 4.16kV AC bus PBA-S03 [PBB-S04]. At this time power is available to start an AFW pump and initiate AFW flow to a SG. Step 9, of Appendix 80, directs an Operator [Licensed Control Room Operator] to check that AFA is being used to maintain at least one SG at 45%-60% NR level, else if the AFA pump is not available, then align and start AFN-P01 to restore SG level. Step 11, of Appendix 81, directs the Operator to start AFB-P01 to restore SG level.
The Control Room Supervisor (CRS) has the responsibility to manage the operator resources during the event. The description below reflects what would typically be the assignments made for power recovery and AFW recovery. Specific assignments may vary, but there are always two licensed control room operators available to perform the two main functions of power recovery and AFW recovery without dependency between the tasks. The tasks are also separated in time, with power recovery required prior to AFW recovery for this scenario. The same is true of the 4 Auxiliary Operators. The specific operator assigned to a task may vary, but sufficient resources exist to perform all the tasks without any dependency.
3
Actions necessary to start and align the AFN-P01 pump or AFB-P01 pump are typically performed by the Controls Operator from the Control Room. To initiate flow from the AFN-P01 pump, the Controls Operator must open the two (2) suction MOVs, open a Downcomer Bypass MOV (one per SG), open the Downcomer Isolation valves (2 per SG), and start the pump. To initiate flow from the AFB-P01 pump, the Controls Operator must only start the pump, given the discharge isolation and regulation valves are open due to the AFAS actuation. The time to take these actions is less than 5 minutes.
The Licensed Operators are extensively trained on these actions during various simulator events. The detailed actions are not prescriptively described in the Emergency Operating Procedures, but are simple and easily accomplished by any control room operator as a result of their training. Failure of the Controls Operator to initiate AFW flow to at least one SG would be immediately recovered by the Control Room Supervisor and/or the STA. The Controls Operator typically has no other dependent responsibilities for power restoration. Initiation of AFW for restoration of the RCS Heat Removal safety function is the Control Operator's primary focus, thus ample time is available for proper diagnosis and recovery. The PRA does not model a specific HRA for failure to establish AFW flow after power is restored to a Class 1E 4.16kV AC bus because the failure probability for the AFW restoration action is so low it is negligible compared to the action to restore power.
Recovery of the 4.16KV AC bus from a GTG is typically performed bythe Reactor Operator [Licensed Control Room Operator] with assistance from an assigned Auxiliary Operator (AO), typically the Area 4 AO and the Water Reclamation Facility Operator.
The assigned AO would have no responsibilities for assisting with the recovery of the assumed failed AFA-P01 pump, which is typically assigned to a different AO (Area 1).
There are no required actions of the Controls Operator to support the power recovery actions, nor any actions of the Reactor Operator to support the AFW recovery actions, other than the standard actions to maintain cognizance of critical system parameters.
No Auxiliary Operators are required for recovery of AFW after power has been restored to a 4.16kV AC bus. Actions to restore power and initiate AFW are considered to have zero dependency.
NRC Question 4 Which EOP covers overriding automatic control (AFAS) and taking manual control of AF "A"? How soon does this happen based on simulator experience? This relates to the battery analysis assumption that the AF isolation valves do not continuously cycle, as assumed in the design calculation.
APS Response 4 Procedure 40EP-9EO01, StandardPost Trip Actions, has the Secondary Operator override AFAS valves to ensure feed flow is not excessive. Operators are trained to take manual control of the feed rate to preclude a SIAS, which would likely follow an AFAS, due to overcooling. The operator will typically initiate this action by starting AFA-4
P01 from control room panel B06, and establish feed by opening the block valves and throttling the regulation valves. This would normally occur (assuming a Station Blackout) prior to an AFAS actuation. The isolation valves are left open and are not cycled and the only valve manipulations are adjustments to feed rate using the regulation valves.
In the event of an AFAS automatic actuation, the operator will take control of feed rate, and not allow the regulation valves to control level. The specific feed rate is not scripted, but the safety function is met when level in at least one steam generator is increasing towards its normal band as required by Procedure 40EP-9EO01. Experience in the simulator is that operators~will take manual control of AF in no longer than 10 minutes during a station blackout (SBO) event.
Once level is recovered, the operator feeds at a rate sufficient to makeup for level lost due to steaming out the Atmospheric Dump Valves (ADVs).
NRC Question 5 In the lower recovery path of the "Event Timelines for Station Blackout @ t=0" slide of the presentation, APS provided times of 58 and 95 minutes for 'steam generator (SG) dryout' and 'latest SG makeup can be initiated'. How does the PRA use these two values? What importance is given to each value?
APS Response 5 The 58 minute time is used in Loss of Offsite Power accident sequences as the basis for the time to start and align the gas turbine generators. The 95 minute time is not used for Loss of Offsite Power accident sequences. The 95 minute time is used as the time available for providing feed to the steam generators using the condensate pumps for sequences that do not include a Loss of Offsite Power. Thus the 95 minute time has no importance in the K-1 relay significance determination.
NRC Question 6 Provide the analysis that was done to extend the battery life from the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> design requirement to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> for the PRA.
APS Response 6 NUS-5058, Analysis of Station Blackout Accidents at PVNGS-1, Yovan Lukic, NUS Corporation, November 1987, Section 4.1, "Description of Top Events within the SBO event tree", subsection "Failure to Restore Power within 3 Hours", is the basis document for the 3 hour3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> battery life in the PVNGS PRA model. This source states:
5
Based on a review of 125 VDC bus loads typical to an SBO event and the 18 month and 60 months test of the DC batteries (Refs. 6 and 7), it is assessed that DC batteries will last for at least 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> into an SBO event. The 60 month test established that 1200 amp-hours can be provided by each DC battery (PKA and PKB) before the 105 VDC battery under-voltage condition is reached. Given a conservative estimate of the battery loads during SBO, each battery would have to provide on the order of 1000 amp-hours during the first 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> into an SBO event. This 20% excess in battery capacity is sufficient to cover the power requirements when the battery is operated at near 80% capacity (end-of-life).
It should be noted that batteries with larger capacity (2415 amp-hours) were installed since this change was implemented in the PRA model.
NRC Question 7 Provide updated analysis for seven hour battery capacity.
APS Response 7 The updated analysis for seven hour battery capacity was provided to the NRC on January 19, 2007. This updated analysis reflects additional capacity loss for the 'A' battery, which was recognized following the January 16, 2007 Regulatory Conference.
This additional battery capacity loss resulted in the total capacity loss being greater than 10 percent, which placed the 'A' battery in Technical Specification 3.8.4.8, requiring a 12 month surveillance test, like the 'C' battery. This surveillance test will be performed along with the 'C' battery test in the upcoming Unit 3 mid-cycle outage. The updated analysis demonstrates that the assumptions for the risk significance evaluation remain valid, with margin.
NRC Question 8 Did operator failure probabilities for restoration of the Emergency Diesel Generator (EDG) include the potential that operations would fail to shut down the EDG as required if it started but the field did not flash, because of the lack of jacket cooling water?
APS Response 8 Yes. APS considered the operator failing to stop the EDG after the field did not flash.
The step was not identified as critical because the failure contribution (-2E-4) was not a significant contribution to the total value of the HRA value for recovery of the EDG. HRA quantification 4DG-RECVR-KI-1-HR has a value of 5.8E-2 and 4DG-RECVR-K1-7-HR has a value of 3.2E-3 (reference 13-NS-C081, App D).
6
NRC Question 9 Who is relied upon to actually recover the EDG (maintenance, operations or engineering personnel)? How is that accounted for in your results?
APS Response 9 The associated HRA credited the recovery of K-1 relay contactor by Electrical Maintenance personnel with technical support from Electrical Maintenance Engineering personnel.
Operations would immediately know of the EDG output failure after the engine start by control room indication/alarms as well as by Emergency Response Facility Data Acquisition Display System (ERFDADS) flat line output. Operations would not attempt to correct this condition since no specific proceduralized instructions are readily available to them. Electrical Maintenance personnel and Electrical Maintenance Engineering would be immediately called (Maintenance onsite 24/7). Maintenance and Engineering would have the primary responsibility for recovery of the affected EDG after a loss of generator output. If not onsite, Electrical Maintenance Engineering personnel would be contacted immediately for technical assistance by phone or pager. Although the faulted EDG may not be running at the time when Maintenance and/or Engineering become involved, Maintenance and Engineering personnel would be informed that the EDG started and ran without power output. Prior plant experience is that it takes 2-3 hours to replace the K-1 contactor. That repair action, however, is not required because recovery can be easily accomplished by manual bypass (opening) of the K-1 relay contactor.
Following the involvement of Electrical Maintenance personnel and their Engineering support, the time required for EDG 3A loss of output diagnosis is estimated at 5 to 10 minutes. It is based on operating experience at PVNGS (including a recent failure in Unit 3) and engineering knowledge that when there is no voltage buildup at all by the generator immediately after an engine start, the most likely cause would be a failure of the field shorting (K-1) contactor.
No immediate indications of a K-1 problem would exist at the EDG with it in a shutdown condition, however, the plant ERFDADS computer (powered by uninterruptible power supply E-NQN-D01) monitors and records the voltage and frequency buildup for each EDG start. Those records are preserved for several hours. A data flat line showing no attempt at all to build up generator output voltage would be a strong indicator of a K-1 contactor problem. In contrast, if the generator rotor is spinning, the K-1 has dropped out properly and field flashing fails to occur, then generator output voltage would still build up slowly due to its residual magnetism.
With the engine in a shutdown condition, Engineering may advise Maintenance to functionally test the K-1 and field flash (FF) contactors using the Manual Field Flash 7
(MFFPB) push button on the generator control panel as long as 135 VDC control power was still available. One wire inside the cabinet would have to be lifted and the 135 VDC FF breaker would have to be opened prior to the manual field flash test. This functional test was recently used (7/26/2006 3A loss of output event) to verify that a newly installed spare K-1 was working properly.
The task of establishing EDG 3A output is considered a recovery action consistent with RG 1.200, Table A-1. The following justifications are provided:
- The failed K-1 relay would very likely be bypassed rather than repaired. Bypass is particularly easy to perform. The fault is recoverable by a simple manual action of releasing the K-1 contactor reset latch after an engine start. After the 2nd EDG 3A no output failure (9/22/06), no equipment was required to be replaced.
" Ease of diagnosis is supported by recent similar incidents and adequate personnel training, which includes K-1 relays.
" Responsible plant personnel are easily accessible by pager or telephone.
" Ample time is available for diagnosis and action to bypass the failed relay contactor.
" No special tools are required for diagnosis or relay bypass manual action, and there are no issues with accessibility.
- Plant personnel responsible for diagnosis and bypass would not be subjected to the potentially high stress level facing the control room personnel.
" Flat line data for EDG voltage and frequency on ERFDADS computer would quickly lead to the determination that K-1 relay has malfunctioned.
NRC Question 10 Why did we not use the Unit 3 battery design calculation? How does that affect the applicability of the results to the Unit 3 battery?
APS Response 10 The Unit 2 calculation was used because it had been updated to reflect a number of implemented design changes, which the existing Unit 3 calculation had not yet incorporated. The designs of the DC systems are quite similar in all three units, and one model was originally used to represent any of the units. Due to a desire to improve accuracy and the availability of more powerful modeling tools, Palo Verde converted the Class 1E DC system calculation to unitized models in the mid-1 990's.
A comparison between the Unit 2 calculation results to an updated Unit 3 computerized model, which reflects the current configuration (though not yet finalized), was performed. The load profiles are comparable with only minor variations due to nameplate voltage ratings of motor operated valves and variations due to differences in cable lengths. Two of the auxiliary feed water valves on Unit 3 were found to have lower voltages than the same valves in Unit 2, however, the valves have adequate 8
margin to accommodate these voltage differences. In light of the considerable margins between the battery capacities and the load demands of a 7-hour station blackout event (27 and 60 percent for the 'A' and 'C' batteries respectively), the differences between the designs of Unit 2 and 3 are insignificant to the conclusions of the evaluation of the K-1 relay issue.
NRC Question 11 Do the spikes in battery 'E' graph in presentation slide "Empirical Data 'E' Battery" correlate with battery recharging?
APS Response 11 Yes. The first spike shown on the graph (November 7, 2004) is a result of the recharge of the battery under PMWO 2647054 and the second recharge was performed under PMWO 2794319, on May 5, 2006.
9