ML070390040
| ML070390040 | |
| Person / Time | |
|---|---|
| Site: | Palo Verde  |
| Issue date: | 01/24/2007 |
| From: | James M. Levine Arizona Public Service Co |
| To: | Document Control Desk, NRC Region 4 |
| References | |
| 102-05636/JML/SAB/TNW/CJS, IR-06-012 | |
| Download: ML070390040 (11) | |
See also: IR 05000528/2006012
Text
LA subsidiary
of Pinnacle West Capital Corporation
James M. Levine Mail Station 7602 Palo Verde Nuclear Executive
Vice President
Tel (623) 393-5300 PO Box 52034 Generating
Station Generation
Fax (623) 393-6077 Phoenix, Arizona 85072-2034
102-05636-JMLJSAB/TNW/CJS
January 24, 2007 U.S. Nuclear Regulatory
Commission
ATTN: Document Control Desk Washington, DC 20555 Dear Sir: Subject: Palo Verde Nuclear Generating
Station (PVNGS)Units 1, 2 and 3 Docket Nos. STN 50-528, 50-529, and 50-530 APS Response to NRC Inspection
Report 05000528/2006012;
0500052912006012;
0500053012006012
In NRC Special Inspection
Report 2006012, dated December 6, 2006, the NRC documented
their examination
of activities
associated
with the PVNGS Unit 3, Train A, emergency
diesel generator (EDG) failures that occurred on July 25 and September
22, 2006. At a January 16, 2007 Regulatory
Conference
in Arlington, Texas, APS provided the NRC its perspective
on the facts and analytical
assumptions
relevant to determining
the safety significance
of the findings, in accordance
with the Inspection
Manual Chapter 0609.The purpose of this letter is to provide the additional
information
requested
by the NRC during the regulatory
conference.
The Enclosure
to this letter contains 7 questions
that were requested
at the close of the conference
and 4 additional
questions
that were part of the conference
general discussion.
There are no regulatory
commitments
in this letter.If you have any questions, please contact Thomas N. Weber at (623) 393-5764.Sincerely, JMLJSABITNW/CJS/gt
U.S. Nuclear Regulatory
Commission
ATTN: Document Control Desk APS Response to NRC Inspection
Report 05000528/2006012;
Page 2 Enclosure:
Additional
Information
Requested
at the January 16, 2007 NRC Regulatory
Conference
cc: B. S. Malleft M. B. Fields M. T. Markley G. G. Warnick NRC Region IV Regional Administrator
NRC NRR Project Manager NRC NRR Project Manager NRC Senior Resident Inspector
for PVNGS
ENCLOSURE Additional
Information
Requested
at the January 16, 2007 NRC Regulatory
Conference
NRC Question 1 Is it acceptable
to provide auxiliary
to a steam generator
after it has dried out?APS Response 1 Yes. The Unit 3 steam generators
are designed with an allowance
for feeding a hot dry steam generator
with cold feedwater.
APS asked ABB (the design authority
for the PVNGS Steam Generators)
about the maximum allowed flow rate for feedwater
to a hot dry steam generator.
The ABB response stated "the generators
are designed to handle seven cycles of adding 40 degrees F feedwater
at 1750 gpm." The information
was requested
to support development
of the PVNGS Emergency
Operating
Procedures.
This information
is documented
in ABB Inter-Office
Correspondence
V-MPS-91-163, dated, November 14, 1991.NRC Question 2 What reliability/unavailability
for the Gas Turbine Generators (GTGs) was assumed in the Probabilistic
Risk Analysis (PRA)? Provide the data that was used to obtain these values. Please indicate how buried cable reliability
is addressed
in the PRA.APS Response 2 GTG Reliability
Gas Turbine Generator (GTG) fail to start and fail to run probabilities
are Bayesian updated values based on the values in Advanced Light Water Reactor Requirements
Document (ALWR), Volume II, Chapter 1, Appendix A -PRA Key Assumptions
and Groundrules, Electric Power Research Institute, Revision 6, December 1993, pages A.A-67 and A.A-68. The number of GTG demands, accumulated
run time, and failures were collected
for the period of 1/1/1998 to 10/1/2004
and documented
in study 13-NS-C076, Plant Specific Reliability
Data for PRA Model, Revision 0, Appendix C: PRA Final Failures and Demands Report. The values were based on an actual count (they were not estimated).
For the given time period and system boundary, there were 6 failures (3 on GTG 1 and 3 on GTG 2) in 267 demands and 0 failures in 283 hours0.00328 days <br />0.0786 hours <br />4.679233e-4 weeks <br />1.076815e-4 months <br />. The final failure probabilities
were 2.5E-2 per demand and 4.2E-5 per hour.1
GTG Unavailability
GTG unavailability
is based on an actual count of unavailable
hours during the period 1/1/1999 through 12/31/2001
as documented
in study 13-NS-C064, Plant Specific Unavailability
Data for PRA Model, Revision 0, Appendix A: Individual
Parameter Unavailability
Listings Gas Turbine Generator.
There were 954.68 hours7.87037e-4 days <br />0.0189 hours <br />1.124339e-4 weeks <br />2.5874e-5 months <br /> unavailable
in the 26304 hour period for a probability
of 1.81 E-2.GTG UnderQround
Cable Reliability
The underground
cables between the GTGs and the units are modeled separately
from the GTGs. The cable is not direct buried but runs in an underground
conduit. Two three phase cables are used to supply power to each unit. The failure probability
is a Bayesian updated value based on the value in IEEE Standard 500-1984, IEEE Guide to the Collection
and Presentation
of Electrical, Electronic, Sensing Component
and Mechanical
Equipment
Reliability
Data for Nuclear-Power
Generating
Stations, Institute of Electrical
and Electronics
Engineers, Inc., December 13, 1983, Reaffirmed
1991, page 770. This value is multiplied
by the length of the cable (3475' for Unit 1, See note below) obtained from the Plant Data Management
System EDB Electrical
Database, since the IEEE value is given per 1000' cable length. Based on a search of EPIX/NPRDS, Failure Data Trending, and CRDRs, there were zero cable failures since the GTGs were installed.
In the search, 4 instances
were identified (CRDRs 2559098, 2564721, 2580013, and 2843631) where the results of megger testing was less than the service criteria but greater than the emergency
criteria.
These tests had been evaluated by Maintenance
Engineering
and it was determined
that since the as-found readings were greater than the emergency
allowed value, the cables would have been able to perform their function.
Appropriate
corrective
actions were taken in each case to restore the cables such that the service criteria were met.Engineering
Support provided a Maintenance
Rule Hours in Mode Summary Report for the date range of 9/27/1993 (date of first GTG isochronous
test) through 11/30/2006.
The exposure time was taken as the time spent in Modes 1 through 6 in each unit, for an exposure time of 334,836 hours0.00968 days <br />0.232 hours <br />0.00138 weeks <br />3.18098e-4 months <br /> for the 3 units. Since there are two cables per unit, the total exposure time is 669,672 hours0.00778 days <br />0.187 hours <br />0.00111 weeks <br />2.55696e-4 months <br />. From a unit perspective, a load test powering that unit's cables from the GTGs is performed
every 18 months per 40DP-9OP06, Operations
Department
Repetitive
Task Program, Task GT002. The Bayesian updated failure rate for one cable was 1.46E-2 per hour, for a failure probability
of a standby component
of 9.59E-3. Since there are two cables, the final probability
for the underground
GTG cable was 1.91 E-2 (equivalent
to an "OR" gate).Note: A single PRA model based on Unit 1 is used at PVNGS. Plant differences
are accounted
for when performing
specific applications.
Since a continuously
energized failure rate is being applied to a cable energized
only a very short period of its exposed life, the value is very conservative
and bounds all three units.2
NRC Question 3 Describe how the PRA handles the recovery of the Auxiliary
Feedwater (AF) Train "N" pump once the GTG is on line. What dependency
exists between getting GTG alignment
and AF "N" alignment?
APS Response 3 In a Station Blackout, restoration
of a motor-driven
AFW pump after alignment
of the GTGs is required if auxiliary
from the turbine driven pump is lost to the SGs and power is not available.
This scenario involves failure of both the Maintenance
of Vital Auxiliaries
and RCS Heat Removal safety functions.
As such, Operations
would be directed to the Functional
Recovery procedure
for this condition.
The Control Room Supervisor
retains the option to proceed with the Blackout procedure
with the understanding
that the mitigating
strategy (restoration
of power) will resolve both failed safety functions.
The procedure
actions are similar, and both direct Operations
to initially
restore power to PBA-S03 from a GTG, after determination
that offsite power and EDGs can not be restored within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />.Procedure
40EP-9EO09, Functional
Recovery, Section 8.0, Maintenance
of Vital Auxiliaries, Success path MVAC 3: GTGs, provides the instructions
to start and load the GTGs onto a Class 1E 4.16kV AC Bus. Step 8.7 directs performance
of Appendix 80"When NAN-S07 is energized, align GTG to PBA-S03 (BO)". Alternately
available
to Operations
is step 8.7.1 which directs performance
of Appendix 81 "When NAN-S07 is energized, Align GTGs to PBB-S04 (BO)". The equivalent
steps to align a GTG to a Class 1 E 4.16kV AC bus are provided in the Blackout procedure
40EP-9EO08, in steps 13 and 13.1.Standard Appendix 80 [81] (40EP-9EO10)
step 7 [9] completes
the actions necessary
to energize the Class 1 E 4.16kV AC bus PBA-S03 [PBB-S04].
At this time power is available
to start an AFW pump and initiate AFW flow to a SG. Step 9, of Appendix 80, directs an Operator [Licensed
Control Room Operator]
to check that AFA is being used to maintain at least one SG at 45%-60% NR level, else if the AFA pump is not available, then align and start AFN-P01 to restore SG level. Step 11, of Appendix 81, directs the Operator to start AFB-P01 to restore SG level.The Control Room Supervisor (CRS) has the responsibility
to manage the operator resources
during the event. The description
below reflects what would typically
be the assignments
made for power recovery and AFW recovery.
Specific assignments
may vary, but there are always two licensed control room operators
available
to perform the two main functions
of power recovery and AFW recovery without dependency
between the tasks. The tasks are also separated
in time, with power recovery required prior to AFW recovery for this scenario.
The same is true of the 4 Auxiliary
Operators.
The specific operator assigned to a task may vary, but sufficient
resources
exist to perform all the tasks without any dependency.
3
Actions necessary
to start and align the AFN-P01 pump or AFB-P01 pump are typically performed
by the Controls Operator from the Control Room. To initiate flow from the AFN-P01 pump, the Controls Operator must open the two (2) suction MOVs, open a Downcomer
Bypass MOV (one per SG), open the Downcomer
Isolation
valves (2 per SG), and start the pump. To initiate flow from the AFB-P01 pump, the Controls Operator must only start the pump, given the discharge
isolation
and regulation
valves are open due to the AFAS actuation.
The time to take these actions is less than 5 minutes.The Licensed Operators
are extensively
trained on these actions during various simulator
events. The detailed actions are not prescriptively
described
in the Emergency Operating
Procedures, but are simple and easily accomplished
by any control room operator as a result of their training.
Failure of the Controls Operator to initiate AFW flow to at least one SG would be immediately
recovered
by the Control Room Supervisor
and/or the STA. The Controls Operator typically
has no other dependent
responsibilities
for power restoration.
Initiation
of AFW for restoration
of the RCS Heat Removal safety function is the Control Operator's
primary focus, thus ample time is available
for proper diagnosis
and recovery.
The PRA does not model a specific HRA for failure to establish AFW flow after power is restored to a Class 1 E 4.16kV AC bus because the failure probability
for the AFW restoration
action is so low it is negligible
compared to the action to restore power.Recovery of the 4.16KV AC bus from a GTG is typically
performed
bythe Reactor Operator [Licensed
Control Room Operator]
with assistance
from an assigned Auxiliary Operator (AO), typically
the Area 4 AO and the Water Reclamation
Facility Operator.The assigned AO would have no responsibilities
for assisting
with the recovery of the assumed failed AFA-P01 pump, which is typically
assigned to a different
AO (Area 1).There are no required actions of the Controls Operator to support the power recovery actions, nor any actions of the Reactor Operator to support the AFW recovery actions, other than the standard actions to maintain cognizance
of critical system parameters.
No Auxiliary
Operators
are required for recovery of AFW after power has been restored to a 4.16kV AC bus. Actions to restore power and initiate AFW are considered
to have zero dependency.
NRC Question 4 Which EOP covers overriding
automatic
control (AFAS) and taking manual control of AF"A"? How soon does this happen based on simulator
experience?
This relates to the battery analysis assumption
that the AF isolation
valves do not continuously
cycle, as assumed in the design calculation.
APS Response 4 Procedure
40EP-9EO01, Standard Post Trip Actions, has the Secondary
Operator override AFAS valves to ensure feed flow is not excessive.
Operators
are trained to take manual control of the feed rate to preclude a SIAS, which would likely follow an AFAS, due to overcooling.
The operator will typically
initiate this action by starting AFA-4
P01 from control room panel B06, and establish
feed by opening the block valves and throttling
the regulation
valves. This would normally occur (assuming
a Station Blackout)
prior to an AFAS actuation.
The isolation
valves are left open and are not cycled and the only valve manipulations
are adjustments
to feed rate using the regulation
valves.In the event of an AFAS automatic
actuation, the operator will take control of feed rate, and not allow the regulation
valves to control level. The specific feed rate is not scripted, but the safety function is met when level in at least one steam generator
is increasing
towards its normal band as required by Procedure
Experience
in the simulator
is that operators~will
take manual control of AF in no longer than 10 minutes during a station blackout (SBO) event.Once level is recovered, the operator feeds at a rate sufficient
to makeup for level lost due to steaming out the Atmospheric
Dump Valves (ADVs).NRC Question 5 In the lower recovery path of the "Event Timelines
for Station Blackout @ t=0" slide of the presentation, APS provided times of 58 and 95 minutes for 'steam generator (SG)dryout' and 'latest SG makeup can be initiated'.
How does the PRA use these two values? What importance
is given to each value?APS Response 5 The 58 minute time is used in Loss of Offsite Power accident sequences
as the basis for the time to start and align the gas turbine generators.
The 95 minute time is not used for Loss of Offsite Power accident sequences.
The 95 minute time is used as the time available
for providing
feed to the steam generators
using the condensate
pumps for sequences
that do not include a Loss of Offsite Power. Thus the 95 minute time has no importance
in the K-1 relay significance
determination.
NRC Question 6 Provide the analysis that was done to extend the battery life from the 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> design requirement
to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> for the PRA.APS Response 6 NUS-5058, Analysis of Station Blackout Accidents
at PVNGS-1, Yovan Lukic, NUS Corporation, November 1987, Section 4.1, "Description
of Top Events within the SBO event tree", subsection "Failure to Restore Power within 3 Hours", is the basis document for the 3 hour3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> battery life in the PVNGS PRA model. This source states: 5
Based on a review of 125 VDC bus loads typical to an SBO event and the 18 month and 60 months test of the DC batteries (Refs. 6 and 7), it is assessed that DC batteries
will last for at least 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> into an SBO event. The 60 month test established
that 1200 amp-hours
can be provided by each DC battery (PKA and PKB) before the 105 VDC battery under-voltage
condition is reached. Given a conservative
estimate of the battery loads during SBO, each battery would have to provide on the order of 1000 amp-hours
during the first 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> into an SBO event. This 20% excess in battery capacity is sufficient
to cover the power requirements
when the battery is operated at near 80% capacity (end-of-life).
It should be noted that batteries
with larger capacity (2415 amp-hours)
were installed since this change was implemented
in the PRA model.NRC Question 7 Provide updated analysis for seven hour battery capacity.APS Response 7 The updated analysis for seven hour battery capacity was provided to the NRC on January 19, 2007. This updated analysis reflects additional
capacity loss for the 'A'battery, which was recognized
following
the January 16, 2007 Regulatory
Conference.
This additional
battery capacity loss resulted in the total capacity loss being greater than 10 percent, which placed the 'A' battery in Technical
Specification
3.8.4.8, requiring
a 12 month surveillance
test, like the 'C' battery. This surveillance
test will be performed along with the 'C' battery test in the upcoming Unit 3 mid-cycle
outage. The updated analysis demonstrates
that the assumptions
for the risk significance
evaluation
remain valid, with margin.NRC Question 8 Did operator failure probabilities
for restoration
of the Emergency
Diesel Generator (EDG) include the potential
that operations
would fail to shut down the EDG as required if it started but the field did not flash, because of the lack of jacket cooling water?APS Response 8 Yes. APS considered
the operator failing to stop the EDG after the field did not flash.The step was not identified
as critical because the failure contribution
(-2E-4) was not a significant
contribution
to the total value of the HRA value for recovery of the EDG. HRA quantification
has a value of 5.8E-2 and 4DG-RECVR-K1-7-HR
has a value of 3.2E-3 (reference
13-NS-C081, App D).6
NRC Question 9 Who is relied upon to actually recover the EDG (maintenance, operations
or engineering
personnel)?
How is that accounted
for in your results?APS Response 9 The associated
HRA credited the recovery of K-1 relay contactor
by Electrical
Maintenance
personnel
with technical
support from Electrical
Maintenance
Engineering
personnel.
Operations
would immediately
know of the EDG output failure after the engine start by control room indication/alarms
as well as by Emergency
Response Facility Data Acquisition
Display System (ERFDADS)
flat line output. Operations
would not attempt to correct this condition
since no specific proceduralized
instructions
are readily available
to them. Electrical
Maintenance
personnel
and Electrical
Maintenance
Engineering
would be immediately
called (Maintenance
onsite 24/7). Maintenance
and Engineering
would have the primary responsibility
for recovery of the affected EDG after a loss of generator
output. If not onsite, Electrical
Maintenance
Engineering
personnel would be contacted
immediately
for technical
assistance
by phone or pager. Although the faulted EDG may not be running at the time when Maintenance
and/or Engineering
become involved, Maintenance
and Engineering
personnel
would be informed that the EDG started and ran without power output. Prior plant experience
is that it takes 2-3 hours to replace the K-1 contactor.
That repair action, however, is not required because recovery can be easily accomplished
by manual bypass (opening)
of the K-1 relay contactor.
Following
the involvement
of Electrical
Maintenance
personnel
and their Engineering
support, the time required for EDG 3A loss of output diagnosis
is estimated
at 5 to 10 minutes. It is based on operating
experience
at PVNGS (including
a recent failure in Unit 3) and engineering
knowledge
that when there is no voltage buildup at all by the generator
immediately
after an engine start, the most likely cause would be a failure of the field shorting (K-1) contactor.
No immediate
indications
of a K-1 problem would exist at the EDG with it in a shutdown condition, however, the plant ERFDADS computer (powered by uninterruptible
power supply E-NQN-D01)
monitors and records the voltage and frequency
buildup for each EDG start. Those records are preserved
for several hours. A data flat line showing no attempt at all to build up generator
output voltage would be a strong indicator
of a K-1 contactor
problem. In contrast, if the generator
rotor is spinning, the K-1 has dropped out properly and field flashing fails to occur, then generator
output voltage would still build up slowly due to its residual magnetism.
With the engine in a shutdown condition, Engineering
may advise Maintenance
to functionally
test the K-1 and field flash (FF) contactors
using the Manual Field Flash 7
(MFFPB) push button on the generator
control panel as long as 135 VDC control power was still available.
One wire inside the cabinet would have to be lifted and the 135 VDC FF breaker would have to be opened prior to the manual field flash test. This functional
test was recently used (7/26/2006
3A loss of output event) to verify that a newly installed
spare K-1 was working properly.The task of establishing
EDG 3A output is considered
a recovery action consistent
with RG 1.200, Table A-1. The following
justifications
are provided:* The failed K-1 relay would very likely be bypassed rather than repaired.
Bypass is particularly
easy to perform. The fault is recoverable
by a simple manual action of releasing
the K-1 contactor
reset latch after an engine start. After the 2nd EDG 3A no output failure (9/22/06), no equipment
was required to be replaced." Ease of diagnosis
is supported
by recent similar incidents
and adequate personnel
training, which includes K-1 relays." Responsible
plant personnel
are easily accessible
by pager or telephone." Ample time is available
for diagnosis
and action to bypass the failed relay contactor." No special tools are required for diagnosis
or relay bypass manual action, and there are no issues with accessibility.
- Plant personnel
responsible
for diagnosis
and bypass would not be subjected
to the potentially
high stress level facing the control room personnel." Flat line data for EDG voltage and frequency
on ERFDADS computer would quickly lead to the determination
that K-1 relay has malfunctioned.
NRC Question 10 Why did we not use the Unit 3 battery design calculation?
How does that affect the applicability
of the results to the Unit 3 battery?APS Response 10 The Unit 2 calculation
was used because it had been updated to reflect a number of implemented
design changes, which the existing Unit 3 calculation
had not yet incorporated.
The designs of the DC systems are quite similar in all three units, and one model was originally
used to represent
any of the units. Due to a desire to improve accuracy and the availability
of more powerful modeling tools, Palo Verde converted
the Class 1E DC system calculation
to unitized models in the mid-1 990's.A comparison
between the Unit 2 calculation
results to an updated Unit 3 computerized
model, which reflects the current configuration (though not yet finalized), was performed.
The load profiles are comparable
with only minor variations
due to nameplate
voltage ratings of motor operated valves and variations
due to differences
in cable lengths. Two of the auxiliary
feed water valves on Unit 3 were found to have lower voltages than the same valves in Unit 2, however, the valves have adequate 8
margin to accommodate
these voltage differences.
In light of the considerable
margins between the battery capacities
and the load demands of a 7-hour station blackout event (27 and 60 percent for the 'A' and 'C' batteries
respectively), the differences
between the designs of Unit 2 and 3 are insignificant
to the conclusions
of the evaluation
of the K-1 relay issue.NRC Question 11 Do the spikes in battery 'E' graph in presentation
slide "Empirical
Data 'E' Battery" correlate
with battery recharging?
APS Response 11 Yes. The first spike shown on the graph (November
7, 2004) is a result of the recharge of the battery under PMWO 2647054 and the second recharge was performed
under PMWO 2794319, on May 5, 2006.9