ML20083J994
ML20083J994 | |
Person / Time | |
---|---|
Site: | South Texas |
Issue date: | 04/30/1995 |
From: | HOUSTON LIGHTING & POWER CO. |
To: | |
Shared Package | |
ML20083J995 | List: |
References | |
NUDOCS 9505090001 | |
Download: ML20083J994 (81) | |
Text
{{#Wiki_filter:l SOUTH TEXAS PROJECT l ELECTRIC GENERATING STATION l EVALUATION OF THE PROPOSED SPECIAL TEST EXCEPTION FOR DIESEL GENERATOR AND ESSENTIAL COOLING WATER MAINTENANCE i i APRIL 1995 : PREPARED BY ! HOUSTON LIGHTING & POWER ! COMPANY , R ADO K O O 8 o
l l TABLE OF CONTENTS
! 1. Purpose and Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 -1 J
1' 1.1 Background & Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. 1.1-1 1.2 Chronology of Risk-Based Technical Specification Evaluations At STPEGS................................................ 1.2 ) 1.3 Summary of Requested STE Change to Diesel Generator and ) Essential Cooling Water AOTs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3 1 l 1.4 Impact of Proposed Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.4-1 1.5 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.5-1 i
- 2. Technical Approach for Evaluating the Proposed Special Test Exception . . . . . . . . . . . . . . 2-1 ,
2.1 Decision Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1 -1 l 2.1.1 Risk-Based Decision Criteria ........................... 2.1-1 2.1.2 Interpretation of Risk Estimates . . . . . . . . . . . . . . . . . . . . . . . . 2.1 3 2.2 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2-1 2.2.1 Basic Approach to Treatment of Test and Maintenance lmpacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2-1 2.2.2 Risk Modeling of AOT Change . . . . . . . . . . . . . . . . . . . . . . . . . 2.2-3 2.3 Current Plant PS A Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3 1 ! 2.3.1 New Technical Specifications .......................... 2.3-1 2.3.2 Update of the PSA Plant Specific and Generic Da ta Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3-2 2.3.3 Model for Emergency Transformer . . . . . . . . . . . . . . . . . . . . . . . 2.3-2 .I 2.3.4 Treatment of Letdown Line Isolation Failures . . . . . . . . . . . . . . . . 2.3-2 : 2.3.5 Enhancements for Basic Event importance ................. 2.3 3 ; 2.3.6 Changes to Rolling Maintenance Profile . . . . . . . . . . . . . . . . . . . . 2.3-3 2.4 Model Enhancements for Evaluating Special Test Exception Request ...... 2.4 1 - 2.4.1 Changes to Rolling Maintenance Profile . . . . . . . . . . . . . . . . . . . . 2.4-1 2.4.2 Modeling of Compensatory Measures . . . . . . . . . . . . . . . . . . . . 2.4-1 r 2.4.3 - Risk Profile of Planned Maintenance Program . . . . . . . . . . . . . . . . 2.4-3 ' 2.5 Analysis of Data Pertinent to This Submission . . . . . . . . . . . . . . . . . . . . . . 2.5-1 2.6 Impact on Plant Safety Basis ................................. 2.6-1 2.7 R e f ere nc es . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.7- 1
- 3. Results of Risk-Based Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 -1 ;
3.1 Quantitative Results ...................................... 3.1-1 3.1.1 Impact on DG System Unavailability . . . . . . . . . . . . . . . . . . . . . . 3.1-2 3.1.2 Impact on ECW System Unavailability . . . . . . . . . . . . . . . . . . . . . 3.1-3 , 3.1.3 Impact on Core Damage Frequency ...................... 3.1-4 . 3.1.4 Impact on Release Frequencies . . . . . . . . . . . . . . . . . . . . . . . . 3.1-5 3.1.5 Evaluation of the Rolling Maintenance Program - Ris k Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 6 3.2 Qualitative Evaluation of Proposed STE . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1-7 3.2.1 Unquantified Reduction in Shutdown Risk . . . . . . . . . . . . . . . . . 3.1-7 . 3.2.2 Compensatory Actions That Were Not Quantified . . . . . . . . . .. . . 3.1-7 3.2.3 Quantified Compensatory Measures . . . . . . . . . . . . . . . . . . . . . 3.1 8 ; 4 . Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1 ACM eMp15wportuechapes.det (Apn125.1995) l i
l i UST OF FIGURES 2.1 1 Proposed STE impact on CDF and Risk Threshold . . . . . . . . . . . . . . . . . . . 2.1 6 J 2.1 Comparison of STPEGS Core Damage Frequencies . . . . . . . . . . . . . . . . . . . 2.1-7 1 2.2-1 Flow Chart for Level 1 Quantification . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2-12 i 2.5-1 Comparison of Distributions for Diesel Generator Failure Rates . . . . . . . . . . 2.5-6 , 3.1-1 1993 Version of Rolling Maintenance Risk Profile .................. 3.1-14 3.1-2 1995 Version of Rolling Maintenance Risk Profile of 1st Half - Without ' Proposed STE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1-15 3.1-3 1995 Version of Rolling Maintenance Risk Profile of 2nd Half -Without . Proposed STE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1-16 l 3.1 4 1995 Version of Rolling Maintenance Risk Profile of 1st Half - With Proposed AOT Change and Compensatory Actions . . . . . . . . . . . . . . . . . . . . . . . . 3.1-17 i I t P k i 6 k e ACM a:wt 5vepoet\techspas.dg1 1 (Ap.* 24,1995) ll
UST OF TABLES l 1-1 Summary of Proposed Special Test Exception to the Technical Specification . 1.5-3 i' 2.2 1 Modeling of Test, Maintenance, and Normal Alignments in Updated Level 2 PSA/IPE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2-7 ; 2.3 1 Summary of Requested and NRC Approved Technical Specification Changes from August 1993 Submittal . . . . . . . . . . . . . . . . . . 2.3-4 l 2.4 1 Summary of Proposed Special Test Exception to the Technical Specification . 2.4 6 2.4-2 Typical 24-Week Work Control Schedule . . . . . . . . . . . . . . . . . . . . . . . . 2.4-7 ; 2.4-3 Summary of STP PSA Models and Refinements to Evaluate Planned Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.4-8 ; 2.5 1 Comparison of Generic and Plant Specific Data for Estimation l of Selected Component Failure Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.5-5 : 3.1-1 Impact of Model Changes and Proposed Special Test Exception on DG System Failure Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1-9 ; 3.1-2 Impact of Model Changes and Proposed Special Test Exception on ECW , System Failure Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1-10 3.1 3 Impact of Model Changes and Proposed Special Test Exception on Annual l Average Core Damage Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1-11 3.1 4 Impact of PSA Model and Proposed Special Test Exception on the Frequency ! of Major Release Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1-12 3.1 5 Planned Maintenance States for the Rolling Maintenance Risk ' Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 - 1 3 P i l i I i ACM dW16Vepomtechapec.dg1 (Apre 24,1995l jjj l
- 1. PURPOSE AND SCOPE Houston Lighting & Power (HL&P) Co. is proposing changes to the South Texas Project (STP)
Technical Specifications (3/4.10.8) concerning the emergency Diesel Generators (DG) and the Essential Cooling Water (ECW) systems, included in this submittalis a summary of changes and updates to STP's Probabilistic Safety Assessment (PSA) models since these models were last used by the NRC to evaluate changes to the STP Technical Specifications in August 1993 (Ref.1.13). Some of these changes have occurred due to NRC approval of the proposed Technical Specification changes (Reference 1-15) and incorporation of plant specific data. Section 1.1 of this submittal provides the background and objectives for the proposed changes. Section 1.2 provides the summary of changes to STP's PSA. The proposed changes are discussed in Section 1.3 and a qualitative analysis of the changes is presented in Section 1.4. Section 2 documents the technical approach followed in this evaluation, which produced the results and conclusions that are documented in Sections 3 and 4, respectively. Acu ew isv.-neei_u a, :.. inni 11
l l l
1.1 BACKGROUND
& OBJECTIVES l i
The primary objective of this report is to perform a risk-based evaluation for a proposed change to , South Texas Project (STP) Technical Specification 3/4.10.8 concerning a Special Test Exception l (STE) for the Emergency Diesel Generators and Essential Cooling Water Systems. The proposed change would permit concurrent planned maintenance to be performed on each DG and ECW train within a special allowed outage time (AOT) once per fuel cycle. Compensating measures to offset the temporary risk impact of taking these components out of service are discussed in Section 1.3 of this submittal. The proposed Special Test Exception would extend ECW and DG System AOTs for each train to 7 days and 21 days, respectively, once per refueling cycle. The current 72 hour AOT j for both systems would be retained for other planned maintenance activities during the rolling maintenance cycle (voluntary LCO entry) and all unplanned and corrective maintenance (involuntary LCO entry). As a result of the proposed change, some of the preventative maintenance for the ECW and DG systems currently being performed during refueling outages could be performed with the plant at power. Considering the risk impact of the proposed change, the requested STE would : I not result in a significant increase in the risk of a severe core drmage event in fact, the net effect of the proposed change should be an improvement in plant safety and an opportunity to increase I the effectiveness of the maintenance program. This is due to the increased likelihood that the ECW and DG systems will be available during shutdown conditions and an enhanced station focus on equipment within the scope of the proposed STE relative to the scope of equipment within a refueling outage. This risk-based evaluation makes use of an updated version of the STP Probabilistic Safety Assessment and Individual Plant Examination (Level 2 PSA/IPE). This update to the Level 2 PSA/IPE accounts for NRC approved changes to the Technical Specifications resulting from the previous Risk Based Evaluation of Technical Specifications (Reference 1-13), an incorporation of complete ; and current plant specific data, and changes necessary to address compensatory measures identified to minimize temporary risk increases resulting from plant operation for longer periods with a Diesel Generator and its associated Essential Cooling Water train out of service. Consistent with the objectives of Reference 1-13, the primary motivations behind this request stem from a desire to achieve a more balanced allocation of component maintenance tasks between full power operation period 3 and refueling outages, the need to account for unique plant features at STPEGS, which, in comtinstion with the application of standard Westinghouse QLV) Technical Specifications (Reference 1-4), have led to an undue burden on the resources required to test and maintain plant equipment. The current Technical Specifications fail to account for additional plant redundancy that is beyond that provided in other domestic Westinghouse PWRs. STPEGS has at Acu msw.mmeser m:4.ms 1.1 1 i _ _ + - . _ . _ _ _ _ _ +
least three electrically independent and physically separated Engineered Safeguards Features (ESF) trains of equipment to provide basic safety functions. For accident sequences that have previously been determined to control the risk of a severe core damage event at STPEGS, only one such train is required to protect core and plant integrity. For some safety functions, four independent trains of safety-grade equipment have been provided. In addition, unlike many plants there are alternative sources of electric power in addition to the basic offsite power network and the three trains of emergency Diesel Generators, that could prevent a severe accident even if all of these primary sources of electric power were unavailable. These electric power sources include a separate supply of offsite power that can be routed through the Emergency Transformer and additional Diesel Generators for the Technical Support Center (TSC) and Balance of Plant (BOP) equipment. The standard W_ Technical Specifications, which generally provide the basis for the STPEGS Technical Specifications, were developed for two-train designs that preceded STPEGS. With one safety train out of service, the STPEGS units now fall within a plant configuration with two independent trains still operational, which is the normal operating configuration for other y( plants. STPEGS has three separate and redundant safety related mechanical-fluid and electric power trains which are backed up with on-site power supplied from three emergency ESF Diesel Generators as well as a number of non-safety related Diesel Generators. Any one of the ESF DGs can provide sufficient power to safely shutdown and remove decay heat from the reactor for all risk significant sequences. The combination of the added STPEGS plant redundancy, the scope of components included in the in-Service Testing (IST) program which are tested to determine system acceptance criteria (i.e., operability per Technical Specification 4.0.5) for American Society of Mechanical Engineers (ASME) Section XI compliance, vendor requirements (i.e., preventive maintenance activities), the need to meet system availability goals established by the Institute for Nuclear Power Operations (INPO), and the standard two-train W Technical Specifications, combine to create an additional burden on STPEGS in terms of the resources and costs of testing and maintaining three or four trains of safety equipment. This combination of factors also has the undesirable consequence of increasing the likelihood of perturbing the optimal safety configuration of plant equipment to perform test and maintenance tasks during power operation and during refueling outages. The probability of the inadvertent introduction of human-induced equipment failures resulting from errors in test and maintenance, however sma!!, is also increased due to higher frequency of station operators reconfiguring plant system / equipment from its optimal state of readiness. The current Technical Specifications prevent the realization of one of the primary benefits that the added third train of redundancy was intended to provide; that is, the increased flexibility to maintain Acu wm, m. i_.m an,* .. ism 1.1 2
equipment without impacting power generation of the plant. The use of added redundancy to reduce the likelihood of Technical Specifications-imposed plant outages is widely employed in Western European plants by application of a design principle known as the "N-2" rule. In Switzerland, for example, plants routinely take single trains of safety equipment out of service once each year to perform planned maintenance for up to several weeks duration with no Technical Specification restrictions on power operation unless a second train is out of service concurrently. STPEGS has made the investment in the additional hardware to meet this rule for most accident conditions. Although the NRC has granted some relief for other three train sys; ems in the 1993 request for changes, STPEGS does not currently realize the intended benefit of this added redundancy in the case of some safety-related mechanical-fluid systems or on-site electric pcwer capability. Since the standard _W Technical Specifications were used to establish the current Technical Specifications at STPEGS, a state-of-the-art plant-specific Level 1 PSA was developed (Reference 1- , 5). The Level 1 PSA was reviewed and accepted by the NRC as documented in its safety evaluation report (SER) dated January 21,1992 (Reference 1-6). The Level 1 PSA was initiated unilaterally and was completed prior to the NRC requirements to perform individual plant exLminations (Reference 1-7). Even though the plant was originally built with significant margins beyond the requirements of the General Design Criteria, additional plant hardware and operational enhancements were made to reduce the contributions of the ranking risk contributors that were identified in the Level 1 PSA. These changes included one to provide a capability to prevent Reactor Coolant Pump Seal LOCA conditions during a loss of offsite power event when all three emergency Diesel Generators (i.e., all three safety trains) are postulated to fail. Since the Level 1 PSA was performed based on a design freeze date of October 1988, a review of plant design changes and other performance parameters (e.g., reactor trips) resulted in an update to the Level 1 PSA to reflect the plant design configuration at about one year prior to the IPE submittal This review of design and plant parameter changes was incorporated into the Level 2 ; PSA/IPE with a new design freeze date of April 1991. The Level 2 PSA/IPE was submitted to the NRC as an IPE and IPEEE submittalin August 1992 and it was this same model that provided the primary basis for the Risk-Based Evaluation of Technical Specifications that was submitted to the NRC in August 1993 (Reference 1-13) followed by NRC approval of revised Technical Specifications in January 1994 (Reference 1-15). There were some selected model refinements added in the 1993 submittal to address the risk impacts of Technical Specification changes and to improve the treatment of modeling the risk impacts of planned maintenance during the rolling maintenance cycle. Acu ce,1w.p r46esi_u: wa n. msi 1.1-3
.. , . _. . __ _ _ _ _ . . ~ _ - - - __. . I t l The PSA models previously used in NRC submittels were based primarily on generic data with some. { limited plant specific data for initiating event frequencies and planned maintenance unavailability' l added at the time of the 1992 lPE submittal. Since then, plant specific data for component failure i rates and both planned and unplanned maintenance unavailability has been collected and analyzed j through the period from commercial operation through 1992 for both Units 1 and 2. This submittal reflects the most cwrent version of the PSA models and includes plant specific data, the current Technical Specifications, the requested Technical Specification changes to the Special Test j Exceptions (STE) section for DG and ECW, and a number of proposed compensating measures that would minimize any temporary risk increases during the requested 7/21 day ECW/DG maintenance ! i periods. t The objectives of this updated risk-based evaluation of the proposed STE section for ECW and DG systems are to: l l e Evaluate and justify a specific change to the STE section of the Technical Specifications to obtain the operational flexibility that is made possible by the use of three safety related ESF systems at STPEGS. ; I e Perform this specific change to the ECW and DG AOTs under the constraints of specific l compensatory measures that are described in Section 1.3 below, which will become prerequisites to utilizing the proposed STE, and taking credit for additional hardware features l which have not previously been evaluated (i.e., Emergency Transformer). ; l e Achieve a more optimum balance between the positive impacts of testing and maintaining j equipment and the negative effects of disturbing equipment from service and entering less than-optimal plant configurations. e Achieve a better calance of the allocation of maintenance activities from the refueling [ outages to plant operation and provide an enhancement to the maintenance program with j respect to safety. In view of the need to maintain important mechanical-fluid support and { AC power supplies during plant outages, as well as plant operation, and the higher number i of competing activities during refueling outages, the transfer of some of the Diesel I Generator and Essential Cooling Water planned maintenance to at-power operation should , have a net positive impact on plant safety by levelizing risk across all plant conditions and j enhancing the effectiveness of the preventive maintenance by minimizing competing time factors, j
)
l l Acu ewtsv.pomsseet_ur tApni 4.isesi 1.1 4
i
- \
* . Delineate the separate risk impacts of planned and unplanned maintenance and thereby - provide sufficient information to support the risk optimization of the planned maintenance program. This optimization has the goal of affecting changes to the test and maintenance -
activities within the proposed STE in such a manner that no significant, adverse risk impacts will result. This risk-based evaluation of Diesel Generator and Essential Cooling Water Special Test Exception of the Technical Specifications is an extension of the already NRC approved risk-based Technical j Specifications (Reference 1 15). The NRC has conducted an in-depth review of the Level 1 PSA. j Several Level 1 PSA updates have been made to meet the IPE requirements and to support the l ongoing risk management program at STPEGS. The latest update to the STP PSA model includes ; the NRC approved Risk-Based Technical Specifications, updating with Plant Specific Data, , i incorporating the Emergency Transformer into the model, and additions to the model to permit the - consideration of compensating measures that will minimize the temporary increases in the rolling [ risk profile associated with the 7/21 day ECW/DG maintenance outages. l V t t P l l t i acu swisv.porisses1_Aos iAn e 24.tessi 1.1 5 l
1.2 CHRONOLOGY OF RISK-BASED TECHNICAL SPECIFICATION EVALUATIONS AT STPEGS The following key events highlight the chronology of the risk-based evaluation of Technical Specifications at STPEGS:
- By letter dated April 14,1989 (Reference 1-8), Houston Lighting & Power Company (HL&P) submitted the STP Level 1 Probabilistic Safety Assessment (Level 1 PSA) Summary Report.
In that letter, HL&P informed the NRC that the Level 1 PSA would be used as a basis for proposing certain changes to the plant's Technical Specifications.
- Subsequently, the NRC requested a copy of the entire Level 1 PSA report, and, by letter dated June 15,1989 (Reference 1-9), HL&P submitted the STP Level 1 PSA to the NRC.
- By letter dated February 1,1990, HL&P submitted amendments for Operating Licenses NPF-76 and NPF-80 for 22 changes to the STPEGS Units 1 and 2 Technical Specifications, pursuant to 10CFR50.90, based on Level 1 PSA analyses (Reference 1-1).
- Later in 1990,1991 & 1992 the proposed Technical Specification changee for 6 systems were withdrawn, leaving 16 plant systems with proposed Technical Specification changes for consideration by the NRC.
- In August 1991, the NRC contractor's [Sandia National Laboratory (SNL)] review of the Level 1 PSA was completed as documented in NUREG\CR-5606 (Reference 1-10).
- The NRC lssued its SER on the Level 1 PSA on January 21,1992. The SER concluded that
...the PSA is a state-of-the-art Level 1 risk assessment." Furthermore, the SER stated that the NRC review indicated that "...there is no unique outlier that contributes significantly to the overall mean core damage frequency at the South Texas Project...." The SER documented the NRC's acceptance that the core damage frequency estimate in the Level 1 PSA of 1.7 x 10 per year represented an acceptable baseline value. This established the baseline value against which to judge the acceptability of impacts of the proposed changes to Technical Specifications as stated in HL&P correspondence dated April 14,1989 (Reference 1-6).
- On July 23,1992, a meeting was held between HL&P and NRC to discuss the review of the Risk-Based Evaluation of Technical Specifications, which was submitted .a February 1990.
Acu ewisv mn ei_u: w.,* 4. t us: 1.2-1
e 1 -; . 4 l A' t this meeting,'it was agreed that the updated probabilistic models used for the IPE that iwas currently nearing completion would be used to update the risk-based evaluation to - , j- ensure that the conclusions reached in the SER were sti5 valid. The NRC issued a request l for additional information (RAl) following that meeting via letter dated August 18,1992, i f
; (Reference 1-12).
l
-e . HL&P provided a response to the August 18,1992 RAI on November 11,1992, and this response is Reference 1 11.
e in August 1992, HL&P submitted the STP Level 2 PSA/IPE (Reference 1-12) in response to [ NRC Generic Letter No. 88 20 (Reference 1-12). In this report, the Level 1 PSA'results . ! were updated to p ovide a more realistic and up-to-date estimate of the mean core damage frequency of 4.4 x 10-5 per year. In the STP Level 2 PSAMPE, some conservatisms in the original Level 1 PSA were eliminated and some plant-specific data were incorporated, but I the baseline assumptions with respect to AOTs and STis were maintained consistent with _ the current Technical Specifications and with the Level 1 PSA. l t e in December 1992, a meeting was held at STPEGS between the NRC and HL&P At that meeting HL&P indicated that some enhancements and corrections were being incorporated into the STP risk models for rebaselining the IPE results. The NRC indicated that the rebaselining could introduce new uncertainties about the impact of the proposed Technical j Specifications and further requested that the analyses be performed using the Level 2 i PSA/IPE results. ! i e At NRC direction, Brookhaven National Laboratories (BNL) acquired PLG's RISKMAN* - Version 3.08 software, training in the use of that software and the STP PSA models from j the Level 2 PSAMPE that were developed in RISKMAN*, BNL then performed independent evaluations of the proposed Technical Specification changes to support their review. l
- In May 1993, NRC !ssued a request for additional information (Reference 1-3) to support j :
their review of the Technical Specification submittal. The response to that RAI was in Reference 1 13. i I e in August 1993, HL&P submitted a Risk-Based Evaluation of Technical Specifications for 16 , modifications to allowed outage times (AOT) and surveillance test intervals (STI). i l i a ewn- m.c_u: m2..mo 1.2 2 s-- - u - ,,, e... , -. e.,-..-,.~ - , m- . --, , a ~, ~, -----
I l 1 o- Subsequently, in January 1994, the NRC issued Amendment Nos. 59 and 47 to Facility Operating License Nos. NPF-76 and NPF-80 for STPEGS units 1 and 2, approving most of
, the requested changes in AOTs and STis in the Technical Specifications for 10 systems (Reference 1-15).
e Currently, this submittal is made to the NRC for extending the Diesel Generator planned maintenance AOT from 72 hours to 21 days once per Diesel Generator per refueling cycle concurrent with the Essential Cooling Water train planned maintenance AOT from 72 hours to 7 days once per ECW train per refueling cycle. The requantification of the risk-based evaluation of the Technical Specification's Special Test Exception section using the updated Level 2 PSA/IPE models has now been completed and is included in this report. Aeu awnesec__w saca se.ussi 1.2-3
i I l 1.3
SUMMARY
OF REQUESTED STE CHANGE TO DIESEL GENERATOR AND l ESSENTIAL COOUNG WATER AOTs This section provides a brief discussion of the current Diesel Generator and Essential Cooling Water Technical Specifications and the proposed STE change (See Table 1-1). A marked-up copy of the current Technicel Specifications is provided in Appendix A. The justifications for these changes are found in Section 3 using the evaluation criteria and technical approach in Section 2. 1.3.1 Diesel Generator The current AOT for the DG system per Technical Specification 3/4.8.1 is 72 hours for any of the three emergency Diesel Generator units being declared out of service during power operation. If two or more emergency Diesel Generators are out of service at the same time, then Technical Specification 3.8.1.1.f is entered, and if a!! but one is not returned to service within 2 hours of this condition being entered, a plant shutdown is required. Under the proposed change, there wi!! be a Special Test Exception that will only be permitted once per Diesel Generator per refueling cycle for the purpose of planned maintenance. This Special Test Exception will allow an extension of the present 72 hour AOT to 21 days. In addition to the restriction on the frequency for this Special Test Exception, there will be a number of compensatory measures which will be Limiting Conditions of this Test Exception that will offset the temporary risk increases associated with removing a DG from service. 1.3.2 Essential Cooling Water The current AOT for the ECW system per Technical Specification 3/4.7.4 is 72 hours for any of the three ECW trains being declared out of service during power operation. If two or more ECW trains are out of service at the same time, then Technical Specification 3.0.3 is entered, and if all but one is not returned to service within 1 hour of this condition being entered, a plant shutdown is required. Under the proposed change, there will be a Special Test Exception that will only be permitted once per ECW train per refueling cycle for the purpose of planned maintenance. This Special Test Exception will allow an extension of the present 72 h Jur AOT to 7 days. In addition to the restriction on the frequency for this special AOT, there will be a number of compensatory measures which will be Limiting Conditions of this Special Test Exception that will offset the j temporary risk increases associated with removing a ECW train from service. l 1 i 1 > u ewswomesso_a m :4. ussi 1.3-1 j
F' 1.3.3 Compensatory Measures These Limiting Conditions and compensating measures which will be in effect prior to and during the Special Test Exception include: i
- 1. No planned special testing (required Technical Specification surveillance testing excluded) or maintenance activities will be performed on the other two safety trains of equipment during the Special Test Exception period.
- 2. Prior to commencement of maintenance under the Special Test Exception AOTs, <
performance tests will be perform d on the following equipment items to verify functionality during this period: the TSC Diesel Generator, and the Positive Displacement Charging Pump. Furthermore, these equipment items will remain functional and available throughout the STE duration and no planned maintenance or other testing of these equipment items will be allowed.
- 3. The turbine driven Auxiliary Feedwater pump train will be OPERABLE throughnut the STE duration.
- 4. Cross train Technical Specification surveillance activities scheduled to occur during the STE will be reviewed for impact prior to the STE and rescheduled as appropriate.
- 5. Prior to comtv,encement of maintenance under the proposed STE, containment integrity will be verified to ensure containment isolation penetrations are in their proper alignments. The reactor containment building supplemental purge valves will be verified to be OPERABLE and in their proper alignment . Additionally, containment purges that may be required during the STE will be strictly controlled.
- 6. The Emergency Transformer will be functional and available duri@ the STE.
I
- 7. Work in the switchyard will be strictly controlled. Switchyard activities which could ,
1 adversely affect the supply of electric power to the ESF busses will be prohibited
- 8. The above compensatory measures will be discussed at the Daily Communication and Teamwork meeting to reinforce the importance of the compensatory measures during the extended ECW and DG AOTs and to ensure compliance with them and heighten station personnel awareness. I Acu ewuv.wnne_m u,v u. ino 1.3-2
t
- 9. After ECW returned to service, no planned special testing or maintenance activities will be j performed on this safety train of equipment during the remainder of the Special Test l Exception period.
The above compensatory measures are intended to offset the risk impacts of taking a Diesel Generator and associated Essential Cooling Water train out of service and are consistent with a risk neutral strategy for using the PSA model to optimize the plant Technical Specifications that was a key element of the 1993 submittal. i J [ i I l 1 t A 9 ewism m'seet__2c m v4. u's: 1.3-3
1.4 IMPACT OF PROPOSED CHANGES The incrementalincrease in risk associated with incorporation of the requested Special Test Exception of 21 and 7 day AOTs for the emergency Diesel Generators and Essential Cooling Water, respectively, in combination with the compensatory actions listed previously is shown by the results of th!s submittal to be insignificant. In fact, other changes that have been made to the base case PSA model since the last Risk-Based Evaluation of Technical Specifications submittal, such as the incorporation of plant specific data and the capability to supply power via the emergency transformer have made greater impacts than those that result from the requested change. The numerical results are discussed in more detail in Section 3. The impact of the changes that result from the current request primarily are associated with the increased AOTs, the accompanying compensatory measures, and changes to the planned maintenance program that are intended to effect a risk optimization and a more balanced planned maintenance program. The increased AOT changes result in an increase of 11% from the average Core Damage Frequency (CDF) of the STP PSA base case model that has been updated in this submittal with plant specific data and the emergency transformer. This net result of the DG and ECW AOT changes is not considered a significant increase in the station's overall risk levels. STP has the capability to monitor actual plant risk profiles and could track cumulative risk values against target values. When considering the positive effects of removing a significant amount of Diesel Generator and Essential Cooling Water maintenance from the refueling outages relative to shutdown risk in a qualitative manner, our evaluation indicates that the net effect of all the proposed changes i will be that the overall risk impact is less than the 11% CDF increase for at-power conditions since shutdown risk is reduced. The PSA models will continue to be periodically updated to account for plant changes and trends in equipment performance as evidenced by the development of plant-specific data. i Unplanned simultaneous train outages resulting from the STE AOTs (e.g., overlappine, of one train AOT from one week into another train AOT during the next week) are considered to be unlikely for the current case and do not increase significantly with the requested 21 and 7 day AOTs. Simultaneous train outages are not allowed by Technical Specifications and will not be permitted for scheduled maintenance (i.e., no voluntary entry), thus they are not included in the rolling maintenance profile. In fact, no planned maintenance or testing (except required surveillance testing) which could affect the operability of the non-affected trains or other selected equipment j that are key to preventing a station blackout sequence will be allowed. Also, each non-affected train will be operable throughout the duration of the STE. It should be noted that this submittal also extends the time constraint associated with Technical Specification 3.8.1.1.d to 24 hours to allow cu ewisv.wmasi_wa w 24. mu 1.4 1
f l proper diagnosis and corrective actions to be developed or implemented in the unlikely event that multiple train functional failures occur. There are other impacts that are recognized, but were not quantified in this submittal. First, more time and flexibility to perform planned maintenance without interfering with plant refueling outage tasks are expected to result in qualitative improvements in the identification of root causes and implementation of corrective measures. Second, the use of risk-based approaches, similar to this submittal, to optimize the maintenance program provides added assurances that the priorities for assigning station resources to emergent work and maintenance backlog items are set to address the equipment with high risk importaccr first. Third, a reduced workload during refueling outages to conduct test and maintenance activities should improve the likelihood that testing and maintenance activities are conducted free of errors and inefficiencies. Finally, the removal of some planned maintenance tasks for the Diesel Generator and Essential Cooling Water systems from the refueling outage schedules willincrease the availability of the Diesel Generator and Essential Cooling Water systems during these outages. Since the RHR system and all other means of decay heat removal during Modes 4,5 and 6 are dependent on the ECW system and AC power from the busses supported by the emergency Diesel Generators, this fact will result in an unquantified reduction in risk of a severe accident during shutdown conditions. Since a plant specific PSA model of shutdown condition 2 is not available, this effect could not be quantified. But it is not difficult to see that the effect is a reduction in the shutdown risk levels. Hence, the combined effects of all of these measures are expected to result in long-term improvement in equipment performance, material condition, and in reductions in risk levels below those currently estimatei Acu swisvem:54si_u m re. isisi 1.4 2
4 l
=
1.5 REFERENCES
HL&P submittal dated February 1,1990 to the U. S. Nuclear Regulatory Commission, f 1-1 l
" Proposed Amendment to the Unit 1 and 2 Technical Specifications Based on Probabilistic - f Risk Analyses," ST-HL-AE-3283.
1 E- '12 This reference number is not used. l l 1-3 U.S. Nuclear Regulatory Commission, " Request for Additional Information Regarding Re* l of the Proposed Changes to the South Texas Technical Specifications," letter from 'l Lawrence E. Kokajko to William Cottle, dated May 19,1993. 'l i 1-4 U.S. Nuclear Regulatory Commission, NUREG-0452, " Standard Technical Specifications for ; Westinghouse Pressurized Water Reactors," October 1984. l 15 PLG, Inc., " South Texas Project Probabilistic Safety Assessment," prepared for Houston -l Lighting & Power Company, PLG-0675, Volumes 19, May 1989. ; i 16 Letter from G.F. Dick, U.S. Nuclear Regulatory Commission, to D.P. Hall, Houston Lighting S
& Power Company, " Safety Evaluation by the Office of Nuclear Reactor Regulation Related f to the Probabilistic Safety Analysis Evaluation, South Texas Project, Units 1 and 2 (Docket !
Nos. 50-498 and 50-499)," January 21,1992. ! 1-7 U.S. Nuclear Regulatory Commission, Generic Letter 88-20, Individual Plant Examinations, < Supplements 1-4. ; 1-8 HL&P submittal dated April 14,1989 to the U.S. Nuclear Regulatory Commission, " South j Texas Project Probabilistic Assessment Summary Report," prepared by Pickard, Lowe, and ! Garrick, Inc., for Houston Lighting & Power Company, PLG-0700, ST-HL AE-3059. ! I l 19 HL&P submittal dated June 15,1989 to the U. S. Nuclear Regulatory Commission, " South Texas Project Probabilistic Safety Assessment Report," prepared by Pickard, Lowe, and Garrick, Inc., for Houston Lighting & Power Company, ST-HL-AE 3137. 1-10 ' U.S. Nuclear Regulatory Commission, NUREG/CR-5606, "A Review of the South Texas Project Probabilistic Safety Analysis for Accident Frequency Estimates and Containment Binning," Sandia National Laboratories, August 1991. Acu swismorm ei_m m,,e : . ms: 1.5-1
~'
p 1 11 .. HL&P submsttal dated November 11,1992 to the U. S. Nuclear Regulatory Commission,
" Request for Additional information Regarding Review of the Proposed Changes to the ' South Texas Project Technical Specifications," ST-HL-AE-4261.
1-12 HL&P submittal dated August 28,1992 to the U. S. Nuclear Regulatory Commission,
" South Texas Project Level 2 Probabilistic Safety Assessment and Individual Plant Examination Report," prepared by Houston Lighting & Power Company with assistance from Pickard, Lowe, and Garrick, Inc., ST-HL-AE-4193.
1 13 HL&P submittal dated August 1993 to the U.S. Nuclear Regulatory Commission, " Risk-Based Evaluation of Technical Specifications," ST-HL-AE-4544. 1-14 HL&P, "lPE Plant Specific Data Closure," Jan. 31995, ST-HS-HS-30797. 1-15 USNRC, " Issuance of Amendment Nos. 59 and 47 to Facility Operating License Nos. NPF-76 and NPF-80 and Related Relief Requests - South Texas Projects, Units 1 and 2 (TAC Nos. M76048 and M76049)," February 1994. 1 16 USNRC, "Probabilistic Safety Assessment, South Texas Project, Units 1 and 2 (TAC Nos. M73009 and M73010)," January 1992. 1-17 USNRC, " Evaluation of Probabilistic Safety Analysis - External Events for South Texas - Project, Units 1 and 2 (TAC Nos. M73009 and M73010)," August 1993. uw . m i - . _ m m i..i..u 1.5 2 t
I j Table 1-1. Sumnvary of Proposed Special Test Exception to the Technical Specifications Technical System Current Technical n:;:::f Technical Remarks , Specification Specifications Specificatsens ! AOT SU AOT SD (Deys) (Days) (Days) (Days) Diesel Gorerator (DG) 3 N/C 21 days N/C 21 days used 3/4.10.8 or 3 once per DG per days (1) refueling cycle Essential Cooling Water 3 N/C 7 days or N/C 7 days used once , (ECW) 3 days (2) per ECW train per refueling cycle Notes: ! N/C No change proposed. (1) 21 days once per DG per refueling cycle for planned maintenance and 3 days per occurrence for other planned and unplanned maintenance. (2) 7 days once per ECW train per refueling cycle for planned maintenance and 3 days per occurrence for other l planned and unplanned maintenance. , i I i l l l l l l 1 Acu swisv.p-esseei . tor w re. issu 1.5-3
i l
- 2. TECHNICAL APPROACH FOR EVALUATING THE PROPOSED SPECIAL TEST EXCEPTION 1
This section describes the technical approach to performing a risk-based evaluation of a proposed STE relative to changing the Diesel Generator and Essential Cooling Water system AOTs. This includes the decision criteria that were used by STPEGS to judge the acceptability of the proposed i changes and the methods and models that were employed to measure the impacts of the change against the criteria.
+
e 9 i ACM d W15hport9660 1,.kO2 2 LApre 24.1995) 2-1
2.1 DECISION CRITERIA , i 2.1.1 Risk Based Decision Criteria , The decision criteria that were used by STPEGS to judge the acceptability of the proposed Special j Test Exception for the Diesel Generator and Essential Cooling Water systems were derived from Risk-Based Evaluation of Technical Specifications submitted August 1993 (Reference 2-9), and the ) recognition that the Technical Specifications are part of the operational controls on the reliability ; and availability performance of plant systems that are essential to perform critical safety functions. Success in maintaining these safety functions is synonymous with maintaining the integrity of the reactor core and the integrity of the containment. From this, we derive a very simple and easy-to-implement decision criterion: Changes to the Technical Specifications are acceptable if and only if they do not result in a significant increase in the risks associated with a severe accident. Some of the plant systems serve to protect the integrity of the reactor core. These include the reactor trip, core and ret.ctor coolant system heat removal, and reactor coolant inventory and
- pressure control systems. Other systems serve to protect the integrity of the containment and to protect against the formation of containment bypass release paths. Some auxiliary systems support both core and containment functions. To address the above decision criterion quantitatively, the l following risk measures are used in this evaluation: ;
- Core Damage Frequency (CDF). The annual average frequency of a severe core damage accident, as defined and quantified in the STP PSA is currently baselined with a mean value of 2.07 x 10-5 per year. These results were derived from a plant specific STP Level 2 PSA l model that has been updated since the previous Risk-Based Evaluation of Technical Specifications was submitted in August 1993. This update was obtained by incorporating ;
Risk-Based Technical Specifications that were approved by the NRC in January,1994, a comprehensive update of plant specific data through 1992 plant operation experience, and additional modeling enhancements described in section 2.4.3, some of which were needed to model compensatory measures to offset negative risk impacts of the proposed change. Acceptance of the proposed change is based on the fact that the increase in the annual average core damage frequency is insignificant. One component of this frequency is the conditional frequency of core damage given the Diesel Generator or Essential Cooling Water System is out of service. Plots of this quantity are best seen by using a risk profile" that presents the time dependent behavior of this conditional frequency as the plant Acu maisv mng:-i.m LAprH N,1H5) 2.1 1
configuration changes with time (Figure 2.1-1). In addition to measuring the risk impacts of the proposed STE in terms of the annual average accident frequencies, these time dependent risk profiles are separately examined as well as the integrated or cumulative risk over periods of DG and ECW systems unavailability. Figure 2.1-1 represents the estimated relative and incremental risk during the STE based on average core damage frequency model estimates. The figure shows that the cumulative risk is less than the threshold proposed in Reference 2-12 based on a work window scheduled to ~75% of the total STE window. ; Should the entire STE window be used, the average core damage frequency model predicts that the incremental risk would equal the threshold on the 13th day and rise only slightly 7 above the threshold (to 1.03E-6) for the entire 21 day period.
- Large, Early Release Frequency (LERF). The annual average frequency of a severe core damage accident accompanied by a large, early release as defined and quantified in the current STP PSA is 3.49 x 104 per year. This class of accident sequences includes postulated containment bypass and early containment failures that are of sufficient size to produce relatively large releases of radioactive material within several hours of the time that core debris would be expected to be released from the reactor vesselinto the containment. .
The more specific definition of LERF that was used in the IPE case is a breach of at least 3" in diameter in the containment boundary occurring within 4 hours of vessel breach during a severe core darme event that is nut arrested within the reactor vessel. The proposed change can be accepted only when the increase in the LERF is insignificant. When used together, these measures provide the ability to identify changes that could, in principle, ! be acceptable from a core damage point of view but unacceptable from a containment integrity perspective. Some changes might have no impact on core damage frequency whatsoever, but could adversely impact the early release frequency at the same time. These measures also provide the ability to assess the potentialimpacts to both plant safety and public health / safety in accordance with NRC safety goals. i in the technical approach that was employed to evaluate the impacts of the proposed AOT change on risk levels, the primary focus of the calculations is on core damage frequency. Because of the extensive PSA analyses that have been performed for this plant, there is already a deep
]
understanding of the most important sequences leading to core damage as well as the more limited set that contribute to a large early release. This insight permits that most of this risk-based evaluation can be carried out with the Level 1 PSA model that determines core damage and plant damage state frequencies. Examination of the sequences and the plant damage state results preclude the need to use the full linked Level 2 models (i.e., containment performance) for all but the finalintegrated quantification. Hence, most of the analyses in this submittal are performed with I Acu awuvemnac21.u2 iApa n. insi 2.1 2 1
i i
- the Level 1 model and changes are first examined in terms of their impact on core' damage - frequency. Then, changes that are found to have an acceptable result for CDF are evaluated to ;
y . ensure that none create unacceptable LERF results. This is accomplished by examining the plant damage state results and by performing a single integrated analysis with the Linked Level 1/2 event , trees, which are all quantified within RISKMAN'. l 2.1.2 Interpretatka of Risk Estimatas l In judging whether a computed CDF change is considered "significant" or "inshnificant," there are several factors that need to be considered. One is that any estimate of CDF or LERF involves ' ; significant uncertainties due to uncertainties inherent in the understanding of the causes and characteristics of rare events. To some extent, numerical estimates can be made of the variation in ; the results due to specific and quantifiable sources of uncertainty such as those in parameter ! estimates for initiating event frequencies, component failure rates, maintenance unavailabilities and common cause parameters, and certain aspects of modeling uncertainty. There are other sources of f uncertainty that are either not quantified or are simply unquantifiable without the use of considerable engineering judgment. , There is an important limitation in the current submittal with respect to the risks of severe j accidents. The current STP PSA models account only for accident sequences that could initiate ! from power operation states. In a cunservative interpretation of the results, there is a reasonable l basis to assume that the PSA covers Modes 1, 2 and 3; however, the shutdown modes 4, 5, 6, and core offload are not addressed in the PSA quantifications. Hence, the full risk-based evaluation of this proposed change to the Technical Specifications can be based on only a qualitative evaluation ! for shutdown states. Efforts to extend the PSA to shutdown states have only recently begun at 1 STPEGS. It is clear that by showing that if the potential increases in severe accident risk during power operation are insignificant, then there should be a not decrease in overall risk for this particular STE change. The reason for this is that removing the 21/7 day preventative DG/ECW 2 maintenance periods from the shutdown / refueling modes can only result in a reduction in risk from shutdown states. This is due to three factors: First, the outages will be shorter due to less competing work to perform in addition to the fuel offload and reload; Second, since all active decay heat removal systems during outages are dependent on electric power, their unavailability due to DG/ECW maintenance during outages will be reduced substantially su::h that scenarios like the 1991 Vogtle event will be much less likely; And third, since the 21/7 day DG/ECW maintenance will be done with no competing test, maintenance or refueling activities that could reduce its , effectiveness or lead to human induced initiating events through interference of these activities, there is a reasonable expectation that the maintenance effectiveness would be enhanced. When all of these factors are taken into account, HL&P predicts that reductions in the risk of severe Acu ewm mssmenvor us 4. tem 2.1-3
accidents during shutdown should result from this change, and that these benefits would contribute to offsetting the smallincrease in risk during power operations. Another factor that must be accounted for in judging the acceptability of a result that is expressed in terms of CDF and LERF estimates is the variability of the results of a "Living PSA" program and the principle that a PSA result is dependent on the state of knowledge of the PSA team when the result was obtained. Thus, any PSA estimate must be essentially time and date stamped, and the configuration of the plant and its relationship to the PSA model carefully understood and documented. To date, three sets of PSA results that have been presented to the NRC for STPEGS: one submitted in 1989 from the initial Level 1 PSA of internal and external events with a mean annual average CDF estimate of 1.7 x 10 per year, a second one submitted in 1992 to meet the IPE requirements from the Level 2 PSA/IPE with a CDF estimate of 4.4 x 10-5 per year, and an update of the PSA that was reported in the August 1993 Technica: Specifications submittal with a variety of CDF estimates for different assumptions regarding the rolling maintenance profile and different combinations of modified Technical Specifications (See Figure 2.1-2). Future PSA updates will produce more accurate CDF estimates with less uncertainty as more knowledge about the plant and its performance characteristics become known and the PSA methods and databases continue to improve. Other important positive factors, which are difficult to quantify, that must be considered in judging acceptability are improved equipment performance and reduced potential for human error. For these reasons, the relative values in evaluating risk impacts are much more meaningful than their absolute values. The uncertainty and variability of CDF and LERF estimates make it impractical to prescribe hard numerical criteria for acceptability of plant changes. The risk profile shown in Figure 2.1-1 illustrates the impact of the proposed STE for DG/ECW on CDF and its relation to the risk threshold established from the Nuclear Energy Institute PSA Applications Guide (Reference 2-12). As can be seen from Figure 2.1-1, the criteria for potential risk significance (i.e.,1E-5 per Reference 2-12)is not satisfied. In other words, under the constraints of the compensatory measures, the risk associatad with the STE for the longer DG/ECW AOTs are offset by managed risk reduction efforts. Managing the cumulative risk associated with the STE for the DG/ECW AOT's ensures that risk significant precursors are avoided, and in the event of unplanned maintenance on other plant equipment, the magnitude of the instantaneous CDF that could occur is limited. l l in the final analysis, a judgment must be made about whether a given change is to be regarded as significant. The need for this judgment is not unique in the use of PSA to evaluate safety significance. This application of judgment is not entirely different from that which is called for in ! the interpretation of IPE results for the purpose of identifying potential vulnerabilities. However, ACM dW1' apomtidg2-1.kC2 (Aprd 24,1995) 2.1-4
i despite the need for judgment in interpreting the results, the use of the current PSA models for STP
\
provides the best available means of determining whether potentially unacceptable risk factors have been introduced by any of the proposed changes. j As a final note on the use of numerical risk estimate to verify the acceptability of the DG/ECW STE, it is STPEGS practice to use the PSA models and risk-based evaluation of planned maintenance practices to find ways to optimize those practices with respect to risk. The requested 21/7 day DG/ECW AOT for planned maintenance on a once per train per operating cycle basis will have compensatory measures associated with it. These are described in Section 1.3 and include the ; stipulation that the requested STE will be used for planned maintenance only. Unplanned and planned maintenance occurring within the normal rolling maintenance program will still be monitored by the 72 hour AOT. Furthermore, the Emergency Transformer, the Turbine Driven Auxiliary Feedwater Pump, the TSC DG, and the PDP must be functional and available for the duration of the STE. This practice of using the PSA model as a risk management tool has already led to substantial design and procedure changes to improve safety at STPEGS even before the IPE requirement to address potential severe accident vulnerabilities. Already, the focus on the possible risk impact of proposed changes to the Technical Specifications has increased the awareness of the risk aspects of the entire maintenance program at STPEGS. Such awareness is expected to support future efforts to further optimize plant operation and maintenance practices at STPEGS as part of a comprehensive, and fully integrated risk management program. ACM dDg15vepom96dg2-1 A02 (Apr# 24,19961 2.1-5 ,
Estimated Risk Profile for Proposed 21 Day DG & 7 Day ECW AOT 10 - E NormoRaed Annual CDF =1 1 S 8- . b o 6-3Eo i 3 4-No Risk Significant 3 Extended ECW AOT intenance 2- Extended DG AOT a _ 0
= - a * - * * * =
- e : e e s e s e s e a a n n x =
Days 2.00E@ -- 1.80EM -- w 1.60E@ -
& 1 ACEM --
C l 1.20EM - l
.w Non-Risk Significant Theshold g 1,00E 4 8 8 .00E47 r &
l
} s.00ec7 -- ! .mo7 -
u 2.00E47 - 0.00E+00 0- 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 ( Days Figure 2.1-1 Proposed STE impact on CDF ond Risk Threshold i 2.1-6 I
i IlliI I I I i Illil i I I i Illii l I I i lillI I I i 11111 1 I I I 111111 I I 3 lilli l I lll111 I I I i i lilli I I 11ll 11 I I I Sh
$$L@
, ll1111 I I I illii l i I i Ill!I I I I i lilll I I I I lill I l l 1 I lillI I I I I tilll I I I I lillI I I I lilll I I I I Ill!I I I I 8_ lilli I I I I illli l i I yj lill! I l i I 11111 I I I ~,2 11ll l 1 l l I 111111 I I lll1l i I I I llll l l l l s IlliI I i l l llll 1 I I I I Illil l I I i 11ll l l 1 I I l lilll I I I I Illil i I e lilll I I I I lill i l I s8 lilli i l l I lilli I I g3 , i lilli i l l l lll11 l 1 -S .!!! 7 l 111I I I I l l Ilil: I I c
*2 lilli i i I I Illii I I I I '~
11111 l l I I llll 1 l I I I 11l l l l lll11 l l I I i Illi l l I I I !!ll l I b l lilll I I I I ll11 I I }h S h lll11 I I I lill I i $"
~ 8 lill i l 1 1 I ll1111 2 tilli l i l I lilll I i i i y m
lll111 I I I lilll i l i I liliI I I I I llilI I I I I
- 11111 1 I I I gj 3 IlllI I I I I Ej g 111I I I I I I .c illlI I I i 1 . . . . . . . . . 8, j 11111 1 I I I ,11 l l l 1 I 1 1 E i 6 4 H i $
a a d $ . .: g
- QDOA/4 USA 3) ADU6nb88 660uJDQ GJ00 86016AY lOnUU( g e
i
i 2.2 METHODOLOGY The purpose of this section is to describe the methodology that was used to measure the risk impacts of the proposed Special Test Exception to the Diesel Generator and Essential Cooling Water j systems. The methodology for evaluating risk impacts is composed of measuring the risk impact of the proposed outage duration on the CDF and LERF. T To understand more easily the methodology for evaluating the change to the AOT,it is first {' necessary to understand the way in which various maintenance configurations which impact system performance are modeled in the PSA. The basic approach to modeling test and maintenance i interactions is summarized in Section 2.2.1, followed by the particular approaches to modeling AOT l change in Section 2.2.2. . 2.2.1 Basic Appoach to Treatment of Test and Maintenance impacts The event tree linking methodology employed in the PSA is described in Section 2.3 of the STP Level 2 PSA/IPE report (Reference 1-12). The primary software used for computations is ! RISKMAN* Version 6.0 (Reference 2-1). Quantification of the PSA modelis done in several stages as illustrated in Figure 2.2-1. First, generic and plant-specific evidence is used to develop a , database of input parameters for the quantification. These database parameters include maintenance frequencies and durations, the initiating event frequencies that are developed directly 1 from data, component failure rates, and common cause parameters. System fault trees are then f used to compute system and subsystem level results for support system initiating event frequencies . s and failure frequencies in response to all of the initiating events. These results are, in turn, used to quotify the frequencies of the accident sequences in the event trees. The quantified event trees f result in the generation of a sequence database and an important sequence model, which can be : used to perform sensitivity and uncertainty analyses. The sequence database is also used to develop a number of risk importance factors that support the development of engineering insights into the main risk contributors and the key sensitivities in the results. Within this overall computational framework, the basic procedure that was followed to evaluate the l risk impacts of the proposed STE for DG/ECW is as follows
- 1. The AOT impact on the initiating event frequencies is usually evaluated for Technical Specification changes. In this evaluation, there are no direct impacts of DG AOT change on initiating event frequencies due to the extended DG AOT for the duration of the STE. The ;
availability of on-site power generation is affected; however, on-site power is asked only in i ACM d \dg ISveporn93dg2-2s 007 (Aprd 2( 1995) 2.2-1
l l situations where a loss of offsite power has occurred. The ESF DGs auto actuate on an undervoltage condition sensed on the 4.16 KV ESF Busses. Undervoltage to the class 1E 4.16 KV Bus which, from an initiating event standpoint, occurs on a Loss of Offsite Power. With regard to the ECW system, there is an impact on initiating event frequencies due to the proposed STE. Thus, the ECW system models were appropriately revised to account for the change in initiating event frequency.
- 2. The AOT impact was ovaluated to account for changes in the associated availability of the DG and ECW systems, in response to initiating events, again using the methods described in Section 2.2.2.
- 3. The full set of Level 1 event trees from the updated version of STP Level 2 PSA/IPE study were used to determine the impact of the system-level changes on the CDF. This model includes the NRC @ proved Risk-Based Technical Specifications and Plant Specific Data update.
- 4. To ensure that the proposed STE change relative to DG and ECW does not result in j unacceptable impacts on containment performance, the linked Level 1 and 2 event trees with all model refinements identified to date were used to evaluate impacts on LERF. The linked Level 1 and Level 2 trees were evaluated with the current and proposed Technical Specifications to provide a final check on whether any of the more recent model refinements have any impact on the results of Step 3 above as well as to ensure that unacceptable results for LERF do not result.
System fault trees and plant level event trees were used to model all causes of system unavailability and support system initiating event frequencies, including several test and maintenance interactions, independent and common cause hardware failures, and human errors. These contributions included:
- Unavailability during Maintenance. This is the direct effect of taking equipment out of service for either planned or unplanned maintenance. Each is modeled as the product of the maintenance frequency and duration. Planned maintenance includes preventive maintenance that is needed to meet manufacturer requirements and those instances of corrective maintenance that are amenable to a planned maintenance outage. This occurs when a discovered fault is minor enough to defer the tagout ntil the next planned equipment outage. Unplanned maintenance includes those remaining instances of corrective maintenance in which a separate AOT is entered to repair equipment that is tagged out of service when the problem is discovered.
ACM d \dg-15Vepom95dg2-2 y 007 (April 24,1995) 2.2-2
..______________________________---_________________u
q W l l
- UnavausbRity During Testing. This is the direct effect of taking equiprnent out of service for i regularly planned testing including surveillance testing when it must be realigned to verify l
safety function that cannot be checked in an operational configuration. Much plant 3 equipment at STPEGS can be tested without incurrir.g this functional unavailability. !
*' Test-induced Maintenance. This interaction covern the case in which a planned test results -
in a failure that requires repair. As a result, the equipment is out of service for unplanned [ maintenance. l t A summary of the specific alignments and interactions for the DG snd ECW systems is provided in l Table 2.2-1. The probability equations, database variable names, and mean point estimates, are provided as part of Appendix B. l f I 2.2.2 Risk Modeling of Allowed Outage Time (AOT) Changes .[ 2.2.2.1 Impacts of AOTs I t The plant monitors an AOT when a component within the scope of the Technical Specifications. j becomes inoperable such that the' Limiting Condition for Operation (LCO) is not' satisfied.- This j condition occurs when the system-
'i
- Has failed and is being repaired;i.e.,in unplanned corrective maintenance.
- ls purposely taken out of service for testing or planned maintenance. !
I Note that many system components can be tested without rendering the system unavailable.. In l
-i i
either of the two cases, some portion of the impacted system is no longer available to accomplish its safety function, should a demand occur, and the required safety function must be accomplished ! with the systems or trains that remain operational. Even with the reduced redundancy, the plant i safety systems are still fully capable of satisfying the safety basis on which the plant is designed, i but the ability to absorb further failures is reduced. The intent of the AOT is to limit the period of 'i time over which the reduced redundancy is permitted to exist while the plant remains in the. j operating mode to which the LCO applies. ]
-i ' ' An AOT is permitted in recognition that the plant has been designed to provide the required safety functions despite the unavailability of single trains of safety systems. This permits the plant staff to keep the plant in sound working order and to minimize disruptive mode changes, which involve risk impacts of their own. Therefore, the selection of AOT durations should account for:
ACM 43dg-15Wrort\95dg2 2.007 (Aprd 24,1995) 2.2 3
o 1 j e Design features of the plant that permet flexible response to initiating events during periods of reduced redundancy relative to its fully operational state. I e Change in the risk while the plant is operating and the component is down. .j i e Change in the risk due to the shutdown of the plant while the conponent is down. e Flexibility provided by the AOT to enable the plant staff to accomplish comprehensive l maintenance activities prior to returning the system / component to service, in other words, l; longer AOTs encourage more thorough investigation of root causes that could lead to the , prevention of a recurrence of the failure, as opposed to the repair of the immediate problem 1 within a limited time frame to prevent inducing a transient associated with shutdown. f i e The plant approach to unplanned / planned maintenance, and the administrative procedures used to control outages for planned maintenance. ! 2.2.2.2 Risk Measures Selected for Evaluation l The change in the average CDF produced by the AOT change is the selected measure of risk for .f systems designed to mitigate against core damage. This measure produces an assessment of risk l that accounts for l e The frequency that planned maintenance occurs per year, e The anticipated change in the duration of that planned maintenance that will result from the i AOT extension, and I f i e The response of the remaining operational systems that will be challenged by initiating events during the conditions of the STE. The change in the average annual CDF is calculated using the PSA risk models which incorporate recently approved Technical Specification changes, Plant Specific Data, and Emergency i Transformer. The basic modelis described in References 2-8, 210, and 2-13. i t I 1 ACM d hig-15veporn95dg2-2 007 (AprH 24,1995) 2.2-4 : i
i 2.2.2.3 Quantifying Impacts of the Proposed STE for DGECW Systems l The approach to modeling the change in the unavailability due to the proposed STE is to account for l the impact of the AOT extension on the duration of DG and ECW planned maintenance outages. There are 3 planned maintenance outages scheduled for each DG and ECW train during an operating cycle, of which only one will be an extended DGECW AOT of 21/7 days, respectively. The duration for the other two planned DGECW outages is based on a review of the Operability Tracking Log as limited by the present AOT of 72 hours. This review indicates the current planned DGECW outages have a mean duration of 46.2/39.2 hours, respectively. Note that this data represents maintenance durations with the plant at-power. These results are expected since the Technical Specifications require plant shutdown at the end of the current 72 hour AOT. Since the STP PSA modelis based on two 12-week maintenance cycles for planned maintenance activities, some model changes are required to incorporate a 21/7 day DGECW AOT with appropriate compensatory actions. All three DGs have planned maintenance once during the two 12-week maintenance cycles; one of the DGs will have the planncd maintenance for the 21 day AOT while the other two are still based on the 72 hour AOT. Likewise, a similar condition exists for ECW except that it will only have a 7 day AOT. Also, one of the compensatory measures is to ensure that the Emergency Transformer is functional prior to entering the STE. This approach correctly models and accounts for those quantifiable compensatory actions required with the proposed STE. Section 2.4.2 provides more detail of the aforementioned changes 2.2.2.4 Unquantified Impacts of AOT Changes
- Indirect Effects on initiating Event Frequencies. For this submittal, the 21 day DG planned maintenance outage duration for the proposed STE does not directly impact any initiating event frequencies but could contribute to an increased likelihood of core damage given that a Loss of Offsite Power initiating event occurs. This is not the case for the 7 day ECW planned maintenance outage duration for the proposed STE. The extended ECW AOT impacts certain initiating event frequencies and therefore the affected initiating events have ,
1 been adjusted appropriately. It is for this reason that specific compensatory measures have l been identified and evaluated (See Section 3.2 for a discussion on compensatory measures).
- The extension to DGECW AOT under the STE conditions is being sought to avoid having to shutdown or otherwise induce a transient on the plant due to administrative constraints imposed by Technical Specifications. The shutdown transient is a challenge to the plant, and it could be considered a reactor trip event with the failed system unavailable, but without the negative impact of sudden power l ACM d Wg 15veport\95dg2-2,007 (April 24,1995) 2,2 5
=-
l 'S' e
; I decrease, as it requires the plant coolant systems to continue operating under , l - conditions different from normal full power conditions. However, no credit is taken' f
for this in the Level 1 PSA, Level 2 PSA/!PE, or the Risk-Based Evaluation of -
- 1" .
Technical Specification model because controlled shutdown from power is not l normally included in the database for reactor trip events since the slow process . j results in no sudden changes of state. In addition, the controlled shutdown will' j result in a smaller amount of decay heat once full shutdown is reached. ; h l 1
- The proposed STE which modifies Tech Spec 3.8.1.1.d provides a proper framework to minimize the likelihood that if additional failures were to occur with the reactor at power, a trip or forced reactor shutdown could occur, by providing a reasonable but expeditious amount of time to evaluate emergent plant conditions and determine an f optimal safety or risk solution. Events that cause immediate trips are already in the ,
initiating event database or modeled in the support systems initiating event 'models. j Additional failures that do not trip the reactor but do require shutdown would be .; accomplished'under controlled conditions with the same impact as above.
.l e Risk of Contro5ed Shutdown. There are risks involved with initiating transients to conform - l with AOTs. The act of power descension does alter the equilibrium operating conditions of I the plant and requires systems to operate under a different set of conditions, which f C
combines to produce its own likelihood of a core damage event, should certain safety ! i systems fail. This' likelihood could be approximated by the conditional core damage ! frequency, given a reactor trip with the system under question unavailable and given no failure modes associated with sudden power reduction. However, the necessary j constituents to perform a risk-based evaluation of these effects are not included in the current submission. As stated above, mode changes required by an inability to achieve an j LCO within an AOT will be controlled power reductions. The risks associated with these . ,j types of transients are not now modeled explicitly in the Level 2 PSA/IPE because the plant
.l 1s designed to undergo controlled power changes that proouce no undue risk. j e increase in initiating Events during Controlled Shutdown. Initiating events that occur during controlled transients are accounted for in the at-power initiating event frequencies. To the degree that the frequency of initiating events could increase during transients, longer AOTs ;
may provide additional risk benefit by reducing the frequency of transients imposed by - l Technical Specification action statements. There is evidence that plant trips could occur- ! during power reductions. l I ACM d hig-15Veport\95dg2-2s 007 (AprG 24.1995) 2.2-6
, . _ . _ . _ _ . . , _ _ . - _ _ - _ ._ -. _.~. _ . . _ _ . . _ . . _ . _ . ~ ,
Table 2.2-1 (Page 1 of 5). Modeling of Test, Maintenance, and Normel Alignments in Updated Level 2 PSA/IPE Top Planned Correctwo Test-induced System
- Status Testing Romerk Event Maintenance Mamtenance Maintenance ECW WA Run No Yes' No No '1 of 2 Purr, Room fans WB Off Yes Yes* No No Planned maintenance accounts for concummt maintenance on thesel Generator, ECW, and ECH.
WC Standby No Yes" Yes No " Train Maintenance CCW KA Run No No No No (CC) , KB Off Yes No No No KC Standby No Yes Yes No ECCS PA Standby Yes Yes Yes No Maintenance and testing activities affecting Common all train A ECCS equipment. (SI) PB Standby Yes Yes Yes No Maintenance and testing activities affecting all train B ECCS equement. PZ Standby Yes Yes Yes No Maintenance and testing activities affecting all train C ECCS equement. ECCS RA Standby No Yes Yes No Sump recirculation valve. 1 Recirculation RB Standby No Yes Yes No Sump recirculation valve. RC Stancby No Yes Yes No Sump recirculation valve.
'Two-letter codes used as official plant designations are given in parenthesis. Please see Page 5 for acronym def'mitions.
Acu 4.gtsw eri essa 2 2_.co? s (Aprii 24.1995) 2.2-7
. wW &
Table 2.2-1 (Page 2 of 51. Modeling of Test, Masntenance, and Normal Alignments in STP Level 2 PSA/IPE Top Planned Correetwo Test-induced System
- Status Testing Romerk Event Memtenance Mesntenance Maevtonance HHSI HA Standby No Yes Yes No HB Standby No Yes Yes No HC Standby No Yes Yes No EAB HVAC FA Run No No No No (HE)
FB Run No No No No FC Standby No Yes No No DM(A) Standby No Yes No No DM(B) Standby No Yes No No DM(C) Standby No Yes No No RCFC CF(A) Run No Yes No No CF(B) Run No Yes No No CF(C) -Standby No Yes No No AFW CD(A), Standby Yes Yes No No Motor dnven pump train. (AF) AF(A) CD(B), Standby Yes Yes No No Motor-dnven pump train. AF(B)
'Two-letter codes used as official plant designations are given in parenthesis. Please see Page 5 for acronym dermitions.
ACM d. big-15Veport%. , ' 2_.007 (April 24,1995) 2.2-8 _ _ _ . _ _ . . _ _ _ _ . . . _ . _ . - _ . _ . _ _ _ _ . _ . _ . . . _ . . _ _ -- . . . ~ . . ~. __ . _ _ . _ , _ . . . _ _ _. _ . _ . _ . _ . - . . _-. -. __.___ _
Table 2.2-1 (Page 3 of 51. Modeling of Test, Maentenance, and Normel Alignments in STP Level 2 PSA/IPE Top Planned Correctnre Test-induced System
- Status Testeg Romerk Event Maintenance Mantenance Maintenance AFW CD(C), Standby Yes Yes No No Motor-dnven pump train.
(AF) AF(C) (continued) CD(D) Standby Yes Yes No No Turbine-dnven pump train. AF(D) LHSI LA Standby No Yes No Yes Test for RHR heat exchanger train A. LB Standby No Yes No Yes Test for RHR heat exchanger train B. LC Standby No Yes No Yes Test for RHR heat exchanger train C. RHR RX(A), Standby No Yes No No (RH) OC(A) RX(B). Standby No Yes No No OC(B) RX(C), Standby No Yes No No OC(C) Contain- CS(A) Standby No Yes No Yes Test for full flow pump test. ment Spray CS(B) Standby No Yes No Yes Test for full flow pump test. l (CS) CS(C) Standby No Yes No Yes Test for full flow pump test.
'Two-letter codes used as official plant designations are given in parenthesis. Please see Page 5 for acronym definitions.
Acu 4. sis-isveporossag2-2_.co7 tArrin 24. i,ss) 2.2-9
Table 2.2-1 (Page 4 of 5). Modeling of Test, Maintenance, and Normel Alignments in STP Level 2 PSA/IPE Top Planned Correetwo Test 4miuced System
- Status Testing Romerk Event Mamtenance Mesntenance Maintenance ECH CL(A) Run No No No No Planned maintenance modeled in ECW.
(CH) CL(B) Standby No No No No Planned maintenance modeled in ECW. CL(C) Standby No Yes Yes No Planned maintenance modeled in ECW. CVCS CH(A) Standby No Yes No Yes Testing on CCW train C. (CV) CH(B) Run No No No No PD Standby No Yes No No includes maintenance on PD pump and TSC Diesel Generator. DGS GA Standby Yes Yes Yes Yes (DG) GB Standby Yes Yes Yes Yes GC Standby Yes Yes Yes Yes DC Power DA Standby No Yes No No Maintenance on charger. I DB Standby No Yes No No Maintenance on charger. DC Standby No Yes No No Maintenance on charger. l
'Two-letter codes used as official plant designations are given in parenthesis. Please see Page 5 for acronym definit' ens.
ACM d hig-15Wport\95dg2-2 007 (Aguil 24.1995) 2.2-10 i
+ . .
Table 2.2-1 (Page 5 of 5). Modeling of Test, Maintenance, and Normal Alignments in STP Level 2 PSA/IPE Top Planned Corrective Test-induced System' Status Testes Hemark Event Mamtenance Maintenance Maintenance ESFAS, Vital IA Standby No Yes No Yes AC, QDPS IB Standby No Yes No Yes IC Stancby No Yes No Yes 4 SSPS SS(R) Standby No Yes No Yes (SP) SS(S) Standby No Yes No Yes
*Two-letter codes used as official plant designations are given in parenthesis. The following acronyms are used in this table:
, AFW auxiliary feedwater system ESFAS engineered safety features actuation system CCW component cooling water system HHSI high head safetyinjection system CVCS chemical and volume control system HVAC heating, ventilation, and air conditionmg system DGS diesel generator system LHSI low head safetyinjection system EAB electric auxiliary building RCFC reactor contenment fan cooler system ECCS emergency core cooling system RHR residual heat removal system ECH essential chilled water system QDPS qualifimi display processing system ECW essential cooling water system SSPS solid state protection system ACM d.%Ig-13Verort\95dg2-2 007 (Apra 24,1995) 2.2-11
.- = .-
I
)
i l l Plant- ) Specific Data , If Data Generic PRA O Analysis Database Model r , Performance-Specialized Shaping Factors PRA Database < ; V lI II External hternal Rre System Flood Models and Flood Fault Trees ReMilW Models Models i I I I r 1I
, e f
initiating- Event Tree Event Split Fraction Frequencies Values w a w ,
, , 1I Event Level 1 Sequence 3 Sequence Definition Quantification t '
Level 1 Sequence Database Point Estimates
> Results, Contributors, II importance Measures important Sequence Model 1f Uncertainty Distributions, Sensitivities Figure 2.21 Flow Chart for Level 1 Quantification ACM d W15'vepoff@5dg2A 007 (ApfE 24.1995)
2.3 CURRENT PLANT PSA MODEL The status of the STPEGS continually evolving PSA model was last reported to the NRC in the 1993 Risk-Based Evaluation of Technical Specifications (Reference 2-9), which upon review by the NRC, has provided the basis for amending the Technical Specifications in a number of systems. The chsnges made since that submittal to the model can be described in two parts. The first part consists of a number of changes made for a variety of purposes in support of the living PSA program that provides a rebaseline of the PSA with the revised Technical Specifications as well as the recently compiled plant specific data on equipment performance. These changes are described below. The second part of the model update consists of thoso particular changes made to the PSA model to specifically address the requested STE change to the Diesel Generator and Essential Cooling Water systems as well as the associated compensatory measures. These variations on the baseline model are described in Section 2.4. The results of the model updates are presented in Section 3. The current March 1995 Rebaselined PSA model, which is being referred to as STPPSA395, is a continuation of the ongoing updating process for the STPEGS Probabilistic Safety Assessrnent and is the baseline model used for this analysis. The modelis based on the STP integrated model developed and used in the August 1993 submittal to the USNRC of STPEGS Risk-Based Evaluation of Technical Specifications (Reference 2-9). The following highlights the major changes that were made to perform this new baseline model. 2.3.1 New Technical Specifications in response to Reference 2-9, the NRC approved 10 of the requested 16 Risk-Based Technical Specifications and granted partial relief on 4 other Technical Specifications (Reference 211). Table 2.3-1 provides a list of the Technical Specifications requested by HL&P in August 1993 and approved by the NRC in January 1994. Hence one update task performed % s to incorporate the particular set of Technical Specification changes approved by the NRC which are now a part of the current operating license. These changes were made by adjusting the systems models to account for NRC approved AOTs and STis by making adjustments to the associated maintenance duration and frequency distributions as appropriate. This in turn resulted in changes to the system split fractions and initiating event frequencies. Acu .w nm rmom.m e n. msi 2.3-1
i 2.3.2 Update of the PSA Plant 0pecific and Generic Data Base ' in 1993 and 1994 there was a major effort to collect and analyze plant specific data at Units 1 and
- 2. Since the units were involved in a long outage in 1993 and part of 1994, the data analysis was taken from the beginning of commercial operation for the respective units through 1992 which l accounted for about 5 unit years of operating experience. The plant specific data was used in the Bayesian update procedure contained in the RISKMAN* Version 5.2 software to update the generic distributions that had been used in the previous versions of the STP PSA models. The 1993 submittal used plant specific data only for initiating event frequencies and planned maintenance durations. The current submittal adds 5 years worth of experience to the estimates of component failure rates, as well as both planned and unplaced maintenance unavailabilities. The generic distributions used for the Bayesian updates in this stGdy are the same as those used in the 1993 submittal except that a more recent set of industry data is used here to get the most up to date generic evidence on the performance of cmergency diesel generators. More discussion on the data base update is presented in Section 2.5.
2.3.3 Model for Emergency Transformer The previous PSA models did not distinguish between different types of loss of offsite power events with respect to the availability of offsite power supplied via the Station Emergency Transformer. This transformer is supplied with offsite power via a different electrical grid source than the normally supplied power frorr, the standby transformers or the unit auxiliary transformers from the main transformers. The current model was revised to consider two types of loss of offsite power, those that do and do not impact the supply of electric power to the Emergency Transformer during at-power conditions. This results in a more realistic treatment of station blackout with or without the approval of the requested technical specification change. This refinement was incorporated by adding a new event tree top event for the Emergency Transformer (Top Event EX) and by reclassifying the industry data on offsite power losses to quantify two different types of loss of offsite power events. 2.3.4 Treatment of Letdown Une isolation Failures in a recent PSA application to address fire protection issues, some enhancements were identified for the treatment of letdown isolation failures in the basic event and fault tree system models that have been in use since the 1989 Level 1 PSA. This has resulted in some changes to the systems models Acw swiswwmassi_n m aa. nes) 2.3-2
for letdown isolation, the success criteria, and associated event tree rule files for these sequences. As a result of these changes, the treatment of these sequences is more consistent with that for the small LOCA sequences in terms of the capabilities to provide adequate makeup and reactor coolant system heat removal. 2.3.9 Enhancements for Basic Event importance There were additional changes made to the current baseline PSA model to support other PSA applications that require risk importance measures of individual basic events. Although this capability was available before, the new changes eliminate some model asymmetries that had previou:;ly been included for simplification that prevented the examination of separate importance leve!s for identical redundant trains. This change has no impact on the annual average CDF. 2.3.6 Changes to Rolling Maintene tct Profile Realistic modeling of the STP rolling planned maintenance and testing schedule was first introduced into the STP PSA models as part of the 1993 Risk-Based Evaluation of Technical Specifications (Reference 2-9). In the original Level 1 PSA completed in 1989, planned maintenance was modeled in a conservative way by the addition of special planned maintenance unavailability terms to selected event tree split fraction models. In Reference 2-9, a special top event was added to the PSA which was incorporated into the STPPMT model, to model all the maintenance states in the rolling maintenance profile. Each of thess maintenance states was characterized by an average time duration fraction, a specific set of equipment out of service, and a set of rules to prevent the model from computing a probability of two or more planned maintenance states occurring simultaneously (simultaneous occurrence of two maintenance states would define a new maintenance state), in the March 1995 Rebaselined model, STPPSA395, this rolling maintenance model was modified to more accurately reflect current plant practice and experience with the time needed to complete maintenance tasks. The previous and current models permit the overlap of planned (voluntary LCO entry) and unplanned maintenance (involuntary LCO entry) and conservatively neglect the effects of Technical Specifications 3.0.3 which would reduce the time that such conditions could last in i comparison with the maintenance durations assumed in the model. acu swsv.wrssaem_m wa r .msi 2.3 3 l l
Table 2.3-1 Summary of Requested and NRC Approved Technical Specification Changes from August 1993 Submittal Technical System 1993 Submittal Proposed (O'd) Approved Changes Specification AOT CHANGE I STiCHANGE AOT CHANGE STICHANGE i 3.1.2.4 CVCS,i.e.: Charging Purrps 10 Days (3 Days) NC 7 Days N/C 4.3.1 Reactor Protection N/C 97(62) N/C 92 4.3.2 ESFAS N/C 92(62) N/C 92 3.4.2.2 Pressurizer Safety Valves 1 Hour (15 Mini N/C 1 Hour N/C 3.5.1 Accumulators 12 Hours (I Hour) N/C 12 Hours N/C 3.5.2 Emergancy Core Cooling 10 Days (3 Days) N/C 7 Days N/C 3/4.5.6 Residu9 *rwat Removal 10 Days (3 Days) 184(92) 7 Days 184 4.6.1.7 f,ontainment Ventilation N/C 92 (31) N/C 31 (Derved) 3/4.6.2.1 "ontainment Spray to Days (3 Days) 184(92) 7 Days 184 3/4.6.2.3 React::: Containment Fan Cooler ( RCFC) 10 Days (3 Days) 92(31) 7 Days 92 3.6.3 Containment isolation 24 Hours (4 Hours) N/C 24 Hours N/C 3.7.1.1 Steam Gen. Safety Relief Valves 24 Hours (4 Hours) N/C 24 Hours N/C 3.7.3 Component Cooling Water 10 Days (3 Days) N/C 7 Days N/C 3/4.7.7 Control Room HVAC (1) 92 (30) (2) 92 4.7.13 Electrical Auxiliary Building HVAC 24 lburs ( 12 Hours) N/C 12 Hours (Derwed) N/C 3.7.14 Essential Chilled Water 10 Days (3 Days) N/C 3 Days (Denm0 N/C Notes: N/C No change proposed (1) Ten deys for the first inoperable train of control room HVAC and 72 hours for the second train of three in Modes 1-4. (2) Derved ten days for the first inoperable train of control room HVAC and approved 72 hours for the second train of three in Modes 1-4. Acu dweiswperossegrai tor (A,,e rs.ises 2.3-4 _ _ _ _ _ _ _ _ _ _ - - . - - - . - - - . .-. - - . - -, - . .-. . _ . . - . . .-. - . - . _ - - , . - . . - . - . . . . _ . . ~ - - .
2.4 MODEL ENHANCEMENTS FOR EVALUATING SPECIAL TEST EXCEPTION REQUEST This section describes additional model enhancements and sensitivity cases of the March 1995 Rebaselined (STPPSA395) model to quantify the impact of the proposed STE for the DG and ECW systems. The variation on this model to account for the requested change and compensatory measures is referred to as STPPSA495. A summary of the requested change and the proposed STE is provided in Section 1.3 and also is summarized here in Table 2.41. To be able to quantify the risk impacts of the proposed change to the Technical Specifications the following changes to the model were required: 2.4.1 Changes to Rolling Maintenance Profile As noted in Section 2.3, the model used to evaluate the proposed STE (STPPSA495) explicitly treats the rolling maintenance profile, which would be impacted by the incorporation of the 21/7 day maintenance outage for each DG/ECW train once per refueling cycle. This Diesel Generator maintenance outage is assumed to last exactly 21 days (although the actual scheduled work will be less than 21 days) commencing at the start of a normally scheduled train outage. A typical train outage removes from service a set of equipment in the same electrical division as the Diesel Generator, which usually includes associated trains of the essential cooling water (ECW), component cooling water (CCW), ECCS, RHR, essential chilled water, rnd containment spray systems. As requested in the proposed STE this train outage is assumed to last exactly 7 days (although the actual work scheduled would be less than 7 days). After the 7 day outage, all ECW train related equipment is returned to service except for the associated Diesel Generator which remains out of service for the next 14 days. The rest of the planned maintenance profile is identical to that assumed in the baseline model, STPPSA395. More details on the rolling maintenance profile are provided in Section 2.4.4. 2.4.2 Modeling of Compensatory Measures While the 21/7 day DG/ECW STE is entered, the fr.,fowing compensatory measures will be followed:
- 1. No planned testing (excluding required Technical Specification surveillance testing) or maintenance activities which could affect equipment operability will be performed on the other two safety trains of equipment supported by the other trains of Diesel Generators during the Special Test Exception period.
ACM d Wp 15tepartt95dg24gkC2 (AprH 24,1995) 2.4-1
< . t ' The PSA model pernts unplanned maintenance to occur for all equ'ement in the 'other l . . I safety trains at the same frequency and duration as in the normal alignment with no j equipment out of service.' Equipment within the affected train during the STE is also modeled as being OPERA 81.E for 7 days end 14 days as equ'pment is returned to service. l For example, once ECW is returned to service the remaining train equipment will not be !
1 removed from service for planned maintenance.
-{
f-
- 2. Prior to commencement of the DG/ECW maintenance under the Special Test Exception of f
21/7 day AOT, performance tests will be performed on the following equ'pment items to verify functionality during this period: The TSC diesel generator and the positive ' l displacement charging pump. Furthermore, there will be no planned maintenance or other
]
testing of these equipment items during the STE period. The turbine driven Auxiliary - J Feedwater pump train will also be OPERABLE throughout the STE period. Additionally, ! switchyard work will be strictly controlled during the period that the STE is in effect. The only part of this that is credited is that the top event (PD) for the positive displacement
-l charging pump was modified by adding a new set of split fractions that apply only when the ~ j STE period is in effect. These split fractions zero out the maintenance unavailability of the f
PD charging pump and the technical support center diesel generator. This is justified
.l because there will be programmatic requirements as a prerequisite to the STE to prevent the j deliberate unavailability of this equipment during this period. There is still a fail to start on f
demand failure rate applied to pick up any standby failures that may occur during this l period. A similar approach was considered for the turbine driven auxiliary feedwater' pump l but the maintenance unavailability contribution for this item was too small to justify the l resulting complications to the PSA models. l i
- 3. . During the period under the STE when one emergency Diesel Generator is out of service, the j affected unit's Emergency Transformer winding will be administratively dedicated to the l emergency bus normally supported by this Diesel Generator. The Emergency Transformer can supply power to the affected bus even during most loss of offsite power events.
As noted in Section 2.3, the Emergency Transformer capability was added to the current baseline rr.odel (STPPSA395).
-l Acu sw tsrepatsesde:4,Aos o (Apru te,1eesi 2.4-2 !
l 2.4.3 Risk Profile of Planned Maintenance Program The purpose of this section is to present the technical approach to evaluate the proposed STE in terms of the resulting impact on the rolling maintenance profile. The results of this evaluation are presented in Section 3.3. An important related purpose is to provide a basis for identifying ways to reduce the risk levels associated with planned maintenance with the plant at-power that can offset any small increases that may be introduced as a result of increased DG/ECW AOT during the STE. The specific objectives of this section are to: , e Describe the planned maintenance schedule for all equipment in the current model, STPPSA395. This includes a typical maintenance cycle of 24 weeks that reflects improvements to the availability of certain plant systems.
- Present the technical approach used to determine the time dependent risk profile of the planned maintenance cycle and to predict the changes to the annual average core damage frequency.
- Provide typical risk profile for the STE outage with proposed compensatory measures.
2.4.3.1 Description of STPEGS Planned Maintenance Program Planned maintenance and testing activities that are needed to meet vendor requirements and Technical Specification requirements have been accomplished at STPEGS according to a rolling maintenance schedule. In each of these maintenance cycles, all corrective / planned maintenance activities are scheduled, together with any required Technical Specifications surveillance testing nrcording to a predetermined schedule. According to this schedule, the plant evolves through a sequence of configurations (i.e., maintenance states) with a specific set of equipment (i.e., a safety-train) taken out of service or placed into an appropriate condition for test or maintenance purposes, interspersed with the nominal state in which all equipment is in its normal configuration. While the beginning of each new configuration occurs according to a preplanned schedule, the duration of each test or maintenance configuration is variable and depends on the time required to complete the necessary work and to perform all tests needed to ensure that the equipment has been restored to the correct operability state up to the constraints identified by the Technical Specification's Allowed Outage Time (AOT). Superimposed on this sequence of planned test and maintenance states of variable duration are randomly occurring events in which equipment is removed from service for unplanned maintenance. Acu o ew uwme 4_rer mura :4. um 2.4-3
L The need for such unplanned maintenance can occur as a result of failures of normally operating equipment, routine inspections and walk-throughs, and test-induced demand of standby equipment that results in failure on demand and entry into a Limiting Condition of Operation (LCO). : Because the periods set aside for planned maintenance are used to conduct both preventative maintenance as well as minor corrective maintenance (i.e., items that can be deferred until the next ! scheduled maintenance period such as minor adjustments), it is preferred to distinguish planned ! versus unplanned maintenance rather than preventative versus corrective maintenance for the , purpose of defining different time phases and unique plant alignments. Both planned and unplanned maintenance activities are performed with the plant at-power and are constrained by the AOTs in the Technical Specifications. In all cases, any surveillance testing required by the Technical ! Specifications is accomplished at the conclusion of the planned and unplanned maintenance period to prove the equipment operable. The same process would also be employed under the constraints of the proposed STE. An 31 work control schedule that has been used at STPEGS is briefly described in Table 2.4 2. In each of the weeks of the rolling maintenance cycle are the specific systems and trains of , equipment that are regularly scheduled. Only in certain cases is equipment actually taken out of service for planned maintenance and these cases are listed. In addition, some equipment sets are maintained in parallel, especially in cases where the equipment are functionally interdependent such that there is a " risk shadowing" effect in which the risk impacts are only the result of the limiting . equipment. The time period in which any item of equipment is unavailable is variable, constrained f by the AOTs and typically ranges between one and two days. Hence, any given equipment is out l of service for only a small fraction of the week it is scheduled to be maintained. The impact of the planned maintenance program on risk would be much greater if each equipment item were maintained independently, i As far as the STP risk model is concerned, essentially all the incremental increase in risk is due to the unavailability of equipment in the planned maintenance program. This is seen in weeks for which single trains of systems, found in the STPPSA395 model to be important in terms of their contributions to risk i.e., essential cooling water, diesel-generators, chilled water trains, safety injection trains and auxiliary feedwater, are taken out of service. The use of the risk profiles provides an important feedback mechanism to optimizing equipment availability and reliability. The amount of planned maintenance is driven by manufacturers' recommendations and considerations of equipment performance. In the previous Risk-Based Evaluation of Technical Specifications there was an attempt to measure the downside impacts of taking the equipment out of service (Reference 2-9). The STE could obviate the need for Acu awin.pames4 8:4.6 4Aprii 4. iees> 2.4-4
. .a
\
performing some of the preventive maintenance outages presently scheduled as a part of the rolling maintenance cycle. That will support the optimization of the reliability and availability over both at-power and shutdown conditions by maintaining the present at-power risk levels and improving the availability of these systems during shutdown. , t A comparison of the various models that have evolved through the STP living PSA program with respect to the modeling of maintenance is provided in Table 2.4 3. l s l i I e L { i ACM d we -tsv.p-esso o r4,Ao e4,,a *4. um 2.4-5
l I 1 Table 2.4-1. Summary of Proposed Special Test Exception to the Technical Specifications 3 Technical System Cunent Technical 7.u::f Technical Remarks Specification Specificatums Specifications : AOT STI ACT STI (Days) (Days) (Days) (Days) l Diesel Generator (DG) 3 N/C 21 days N/C 21 days used 3/4.10.8 or 3 once por DG per days (1) refueling cycle Essential Cooling Water 3 N/C 7 days or N/C 7 days used once (ECW) 3 days (2) per ECW per refueling cycle Notes: N/C No change proposed. (1) 21 days once per DG per refueling cycle for planned maintenance and 3 days per event for other planned and unplanned maintenance. (2) 7 days once per ECW train per refueling cycle for planned maintenance and 3 days per event for other planned and unplanned maintenance. I L
}
l I I I ACM e Wp-19tapart\95dO24..kO2 (April 24,1995) 2.4 6 j
TABLE 2.4-2 TYPICAL 24-WEEK WORK CONTROL SCHEDULE' WEEK 1 2 3 4 5 6 7 8 9 10 11 12 TRAIN A B C D A B C D A B C D SYSTEM EW AM3 CV AM3 lA EW AM3 AF AM3 IA EW Normal CC SF AF SP CV CC SP MS SP AF CC Alignments LHSI SP HF DJ AF LHSI RS !A SF HF LHSI Only CS DJ VA HF CS DJ IA CS RH VA RH VA DJ RH PK IA PK IA VA PK DG DG SF DG CH CH CH HE IA HE HE WEEK 13 14 15 16 17 18 19 20 21 22 23 24 TRAIN A B C D A B C D A B C D SYSTEM CC AM3 CV AM3 IA CC AM3 IA AM3 IA CC Normal LHSI SF AF SP CV LHS! SP AF SP HF LHSI Alignments CS SP DJ AF CS RS SF AF CS Only RH DJ VA RH DJ IA RH PK VA PK VA DJ PK CH IA CH IA VA CH HE IA SF HE HE
- In general, the work activities scheduled during train outages are corrective maintenance (non-LCO related), planned maintenance, and operability testing via surveillance activities. Equipment are taken out of service only for a limited time during the week.
Acu 4:wisv.portwsdors_. tor morn 24, toes 2.4-7
TABLE 2.4-3.
SUMMARY
OF STP PSA MODELS AND REFINEMENTS TO EVALUATE PLAlelED MAINTENANCE PSA Software Name Desenption Support System initiators Rest of Model Modeling of Planned Modeling of AOT and Maentenance STis STPPSA Model used for PLG's mainframe PLG's Mainframe Separate PM alignments Models Reference STPPSA (1989) and software. software for ECW (DG), ECCS, Technical original Technical AFW, and CCW, PM Specifications. Specifications modeled independently; evaluation. durations set to 60 hours for all PM. STP Level 2 Model used for IPE Same as STP PSA. Converted to PC-based Same as STP PSA except Models Reference PSA/IPE submittal and adopted RISKMAN Version plant data used for ECW Technical as baseline for 3.08. maintenance duration. Specifications. evaluating current Technical Specifications submittal. STPMOD Refinement of STP Same as STP PSA with Same as STP Level 2 Same as STP Level 2 Models Reference Level 2 PSA/IPE model new cutsets added for PSA except rules file PSA/IPE. Technical for evaluation of PM. cross train support problem with AFW Specifications, systems. corrected. STPNPM Variation of STPMOD Same as STPMOD. Same as STPMOD. No planned maintenance Models Reference with all PM alignments included. Technical removed. Specifications. STPPMT New model of 24- Converted to RISKMAN Converted to Uses separate event tree Models Requested week planned Version 4.1. RISKMAN Version 4.1. top event to model all Changes to AOTs and maintenance cycle and planned maintenance STis on 16 Systems l requested TS changes alignments exclusively. in 16 systems. I STPPSA395 Includes 24 week Converted to RISKMAN Converted to Same approach as with Models the NRC ! maintenance cycle Version 5.2. R!SKMAN Version 5.2. STPPMT with different approved and current with 5.6 yrs of Plant states to reflect current Tech Specs. l Specific Data. plant practice. I i l ACM dW15Veport\95dg24,.kO2 (Apr5 24.1995) 2.4-8
wM TABLE 2.4-3.
SUMMARY
OF STP PSA MODELS AND REFCMENTS TO EVALUATE PUU9dED MAINTENANCE PSA Software Name Desenption Support System initiators Rest of Model Modeling of Planned Modeling of AOT and Maintenance STis STPPSA495 Sr..e as STPPSA395 Same as STPPSA395 Same as STPPSA395 Same as GTPPSA395 Same as STPPSA395 with requested ECW/DG AOT change and compensatory measures. ACM dWtsveportss5dg24_.ko2 (April 24.1995 2.4-9
l l l 2.5 ANALYSIS OF DATA PERTINENT TO THIS SUBMISSION The risk assessments supporting this submission utilize a PSA data base that incorporates the best evidence available from plant specific experience as well as industry experience that is reflected in a generic data base provided by PLG. The generic data includes over 150 reactor-years of experience with 14 light water reactor units as collected and analyzed in various PSAs performed by PLG, Inc. on those reactors. The STP plant specific data is based on 5.6 operating years of plant data from ! both Units 1 and 2. As a result of the data project, the STPEGS PSA RISKMAN* Database was updated using information from the following sources: i e NPRDS - A query of the NPRDS database provided the majority of the failure data. This data which represents components for STP was then evaluated against those components modeled in the STP PSA. For components in the PSA and not in the NPRDS, a review of work requested was performed.
- Work Requests - A review of work requested was performed for failure data on PSA components not included in the NPRDS database.
- Equipment Surveillances - Success data for standby equipment was primarily derived from surveillance tests.
- Operability Tracking Log - The Operability Tracking Log (OTL) provided the information on train allowed outage durations, while the Equipment Clearance Orders (ECO) databass provided the ,
maintenance frequencies and durations on an equipment basis. In addition to the data update, several system models wer's updated to reflect actual maintenance practices ar.d current Technical Specifications (see section 2.4.3). The purpose of the update to the plant specific data was to enhance the generic data in order to provide a more accurate model , reflecting actual experience data and to ensure that no vulnerabilities have been exposed based on l plant specific equipment history. This update incorporated a combined experience of 5.6 reactor-years from both units. Maintenance data during shutdown was excluded since the PSA models are ACM dMg-1Svaport 95dg25&8 k02 (April 24,1995) 2.5-1 l l i _______________.___________I
at-power models. The generic database variables were updated with plant specific data using Bayesian Methodology. The strength of evidence from plant specific data in the risk quantificatinns supporting this submittal is much greater than in the 1993 submittal as the timing of the current submittal permitted the incorporation of data collected and analyzed during 1993 and 1994. The 1993 submittal utilized plant specific data only for estimation of the initiating event frequencies and for characterizing planned maintenance durations. In this submittal, plant specific data was also incorporated into the estimation of component failure rates and both planned and unplanned maintenance frequencies and out of service times. Also,in view of the criticalimportance of getting the best available evidence for estimation of Diesel Generator failure rates, the generic data base for this item (that has been unchanged at STP since the 1989 Level 1 PSA was submitted to the NRC) was also updated to reflect more recent industry experience. When the plant specific data update was performed, the resulting experience was used to update the uncertainty probability distributions using a Bayesian update process. The result is a large number of changes to the parameter distributions as the plant specific experience is incorporated. A limited comparison of the updated and generic distributions for selected components together with the raw numerical data that was collected is presented in Table 2.5-1. The components selected for this table include those with particularly high risk importance for STP and the principal component that is one of the subjects of the requested Special Test Exception, the on-site emergency Diesel Generators. The other listed components include the technical support center diesel generator, the positive displacement charging pump, and the turbine driven auxiliary feedwater pump. This table includes the raw data collected for STP for the commercial operational experience through 1992, several different failure rate values computed from this data and the generic industry data, and several failure rate ratios selected to show how the plant specific and generic sources of information compare. In view of the importance of the Diesel Generator components in this submittal, the generic distributions were also updated for this component to account for more recent experience at other plants. The previous and updated generic mean values for the associated failure rates are compared in Columns 6 and 7. As can be seen in this j comparison the revised generic means are either the same or slightly lower than the previous values. Column 10 of this Table includes the mean failure rates used in the PSA model supporting this submittal as a result of a Bayesian update of the revised generic distributions with STP specific
- We 15vw=vssaarsas ac: *d 28. '"5) 2.5-2 l
i data. The data used in previous PSA analyses submitted to the NRC for these failure rates are the old generic values in Column 6. Upon examination of Column 11, it is seen that the net effects of the data updates is a reduction in the mean values of each of the emergency Diesel Generator failure rates of about 30% to 40% a 26% reduction in the failure rate for tue turbine driven auxiliary feedwater pump fail to run and little or no change in the remaining failure rates in this table. Even though the changes are small, it is a goal to have this PSA evaluation anchored into the best available plant specific and generic data that is available. The updated mean values of the PSA parameters sometimes are greater and sometimes are less than those of the original generic distributions. There are several hundred parameters in the data base supporting the STP PSA models and no overall trend has been identified in the individual parameter updates. However, when the quantity of plant specific data is significant, as it is M the case of 5 years worth of data, the dispersion of the updated distributions is always reduced. For an average plant, there is expected to be equal probabilities that the plant equipment will perform better or worse than the " average" equipment in the generic industry data base. Hence, the point estimate failure rates observed in the plant specific data can be expected to be located virtually anywhere along the generic uncertainty distribution for that parameter. However, wherever that experience lies, as a result of the properties of Bayes' Theorem, the resulting distribution will be narrower than the generic, reflecting greater evidence to support the estimate. An example Bayesian update of the failure rate parameters is presented in Figure 2.5-1 which shows the behavior for the emergency Diesel Generator failure to start failure rate. The updated distribution is narrower than either the previous or recently updated generic distributions and its central value is approximately located near the point estimate of the plant specific experience of 10 failures in 752 start attempts for a point estimate failure rate of .0133 failures per start attempt. This reduction in the dispersion of the updated distributions, everything else being equal, also has the effect of reducing the means of the uncertainty distributions since the influence of the upper tails of these typically skewed right distributions is reduced. Hence, even if the plant equipment performs close to the average plant's performance, the availability of significant quantities of plant specific data by itself will result in reductions in the means of the parameter distributions. As a result of this, the development of parameter distributions with reduced dispersion will have a ACM d Wp 1Svaport\95dg251L6 kc2 (Apr# 24,1ees) 2.5-3
tendency to reduce the mean core damage frequency, which is primarily determined by these distribution means. Hence even if every updated distribution were to collapse around the center of the generic distributions, the resulting means would be reduced. Important elements of the data base are the parameter values for comrnon cause failures that were developed by STP as part of the original Level 1 PSA completed in 1989. Those common cause parameters were developed from a generic data base of common cause events and made plant specific according to the procedures set forth in NUREG/CR-4780. When following thess procedures plant specific factors are incorporated even though the original data comes from other
]
plants. When the STP plant specific data was collected for component failure rates, no common ; cause events for the PSA model components were observed, even though a number of independent l failures were identified for most component groups. In principle, a Bayesian update could have been performed to reflect this evidence in the e:,timation of the " beta factor values", however, ; conservatively, this update was not perform-4 If this plant specific evidence on common cause f events were so incorporated, tit. snean core damage frequencies would be even lower than quoted in this submittal. The impact of the changes to the data base is one of the factors that is considered in interpreting the results in Section 3. ' r 3 ACM dMg itveportJ5dg26&$ kO2 (Apdl 24.1995) 2.5-4 . h
l Table 2.5-1 Comparison of Generic and Plant Specific Data for Estimation of Selected Component Failure Rates i f COMPONENT FA! LUBE MODE NO.OF DEMANDS STP POINT OLD GENERIC NEW RATIO RATIO UPDATED RATIO STP FAILURES OR HOURS ESTIMATE MEAN GENERIC P.EJOLD P.EJ NEW STP MEAN UPDATED / (PREVIOUS MEAN GENERIC GENERIC (CURRENT OLD GENERIC STP MODEU MEAN MEAN MODEU MEAN EMERGENCY DIESEL Fall TO START to 752 1.33E-02 2.14E-02 2.15E-02 0.62 0.62 1.30E-02 0.61 GENERATOR EMERGENCY DIESEL Fall TO RUN 6 464 1.29E-02 1.69E-02 7.81E-03 0.77 1.66 1.13E-02 0.67 GENERATOR 1ST HR EMERGENCY DIESEL FAIL TO RUN 4 2151 1.86E-03 2.50E-03 2.27E-03 0.74 0.82 1.70E-03 0.68 GENERATOR >1 HR TSC DIESEL GENERATOR Fall TO START 1 26 3.85E-02 2.14E-02 2.15E-02 1.80 1.79 2.36E-02 1.10 TSC DIESEL GENERATOR Fall TO RUN 1 26 3.85E-02 1.69E-02 7.81E-03 2.28 4.92 1.41E-02 0.83 1ST HR TD AUXILLARY Fall TO START 4 106 3.77E-02 3.30E-02 2.15E-02 1.14 1.76 3.37E-02 1.02 FEEDWATER PUMP TD AUXILIARY FAIL TO RUN O 132 0.00E + 00 1.03E-03 7.81E-03 0.00 0.00 7.64E-04 0.74 FEEDWATER PUMP PD CHARGING PUMP FAIL TO START 0 3 0.00E + 00 3.30E-03 3.30E-03 0.00 0.00 3.20E-03 0.97 PD CHARGING PUMP Fall TO RUN O 15 0.00E + 00 3.40E-05 3.40E-05 0.00 0.00 3.40E-05 1.00 I l ACM d.Wg-15WeportiS5dg25&8 kO2 (Apra 24,1995) 2.5-5
x l 4 STP POINT ESTIMATE = 1.33E-2 LEGEND STP UPDATE MEAN = 1.30E-2 STP UPDATED
-- OLD GENERIC NEW GENERIC U
GENERIC MEAN (OLD) = 2.14E-2 GENEMC MEAN (NEW) = 2.15E-2 E. z i us 1 O N 2
$ U t
m O ac EL l' q
', Ms *s % \
s's'
// ,% / / % \- // \\ / ,s'/ / \}'k . ._.-er.M I / . . ....I . . ...Al ' . -.. .....
10-4 10 3 10-2 10-1 1 Figure 2.5-1. Comparison of Distributions for Diesel Generator Failure Rates 2.5-6
l l l l 2.6 IMPACT ON PLANT SAFETY BASIS
)
The proposed Special Test Exception does not change the physical configuration of the plant or its ] capability to respond as designed.
- The configuration proposed for this STE is allowed by the existing Technical Specifications.
This change request simply requests an extension of the times under which the allowed outages may exist. i Based on this, it is concluded that the safety basis of the design as presented in the UFSAR remains the same. The only impact of the requested change is to potentially change the likelihood of pla..' conditions with an ECW and its associated DG out of service. This impact has been rigorously considered in the risk-based PSA analyses included in this submittal for evaluating the proposed change. Consequently, no engineering calculations are required to support this submission. 1 ACM dMg-15Veport\$5dg25&S kC2 (Apru 24,1995) 2.6-1
s, J Mf'. ,-.-r-LA C3 n,-'* '4-'*" "*
- 1'-'" 'b84"- ' ~ 41 *-+ 2 -O'*+ + " " -4 " d*' . .-24 E
2.7 REFERENCES
l l
, 21 - PLG,Inc., "RISKMAN': PRA Workstation Software", Release 6.4, proprietary.
l 22 PLG,Inc.," Database for Probabilistic Risk Assessment of Light Water Nuclear Power Plants," PLG-0500, Volumes 1-9, 1991. 2-3 ' USNRC," Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, Final j Summary Report", NUREG-1150, December 1990. l 2-4 A. Mosleh et al.,* Procedures for Treating Common Cause Failures in Safety and Reliability- { Studies. Procedural Framework and Examples," PLG,Inc.,NUREG/CR-4780,Vol.1, EPRI NP- ; 5613, January 1988. j i 2-5 USNRC," Individual Plant Examination: Submittal Guidance, Final Report", NUREG-1335, ! August 1989. l i 2-6 USNRC, "Modeling Tirne to Recovery and leitiating Event Frequency for Loss of Off-Site l Power Incidents at Nuclear Power Plants," NUREG/CR-5032, January 1988). 27 K. N. Fleming and Wee Tee Loh, " Risk impact of Maintenance Configurations at STPEGS," ! PLG 0917 (Revision 2), May 1993. l l 2-8 A. C. Moldenhauer, " Documentation for updating STPPMT with NRC approved Risk-Based l Technical Specification Changes," ST-HS-HS-30221, November 1994. 29 HL&P submittal to the U.S. Nuclear Regulatory Commission, " Risk-Based Evaluation of l Technical Specifications," ST-HL-AE-4544, August 1993. l 2 10 HL&P, "lPE Plant Specific Data Closure,". ST-HS-HS-30797, January 1995, Plant Specific l Data Report. I 2-11 USNRC, " Issuance of Amendment Nos. 59 and 47 to Facility Operating License Nos. NPF- 'l 76 and NPF 80 and Related Relief Requests - South Texas Project, Units 1 and 2 (TAC Nos. j M76048 and M76049)," February 1994. l 2 12 Electric Power Research Institute, " Draft PSA Applications Guide," Revision H,1994. . 2 13 PLG, Inc., " South Texas Diesel Generator AOT Submittal Review," PLG-P794, February, -l I 1995. h i i ACM dW15veportvef_2 7.002 (Apr0 24,1995) 2.7-1
1
- 3. RESULTS OF RISK-BASED EVALUATION !
The results of this risk-based evaluation are presented in two parts. In Section 3.1, the quantitative results are presented, followed by Section 3.2 which contains the qualitative evaluation of factors that either were not or could not be quantified. 3.1 Ouantitative Results The quantitative results of this risk-based evaluation of the proposed Special Test Exception (STE) are developed at several different levels to provide a full analysis of the different impacts of the increase in the DG/ECW AOT and the effect of the incorporation of compensating measures. The levels evaluated correspond to the system and p: ant levelimpacts of the proposed STE. The plant levelimpacts are also evaluated for the time dependent variations in CDF based on the maintent,nce states resulting from the proposed STE. Specifically, the components of the results include the separate impacts of the proposed STE change on: e Emergency Diesel Generator System Failure Frequency (System Level) e Essential Cooling Water System Failure Frequency (System level) e Annual Average Core Damage Frequency (Plant Level) e Annual Average Large Early Release Frequency (Plant Level) e Conditional CDF Pmfile thmugh the Rolling Maintenance Cycle (Time Depertest) : For each of the above components, there are several sets of results. One set of results shows the change in calculated CDF through previous vintages of PSA models (i.e., from the 1989 Level 1 PSA up through the IPE and including this submittal). The remaining sets of results utilize the new March 1995 l Rebaselined PSA model (STPPSA395) to evaluate the impact of the proposed STE at system and plant l levels, as well as the time dependent risk profile analyses. I in Section 3.1.1, the impacts of these changes on the Emergency Diesel Generator system failure I frequency are discussed using results selected from the system models of the PSA. A similar discussion of this change on the Essential Cooling Water system failure frequency is given in Section 3.1.2. The perspective from the point of view of the annual average core damage frequency is I examined in Section 3.1.3. In Section 3.1.4, the impacts of the proposed change on the LERF and other release types are examined. I Acu awism-rweiner w rs.iem 3.1-1
- i l As was done in the 1993 submittal, the core damage frequency is quantified in the time dependent j profile that shows how the conditional core damage frequency changes' when equipment is taken out of service and plant configurations are changed to effect compensatory measures during the rolhng j i maintenance profile. The time dependent risk profiles are evaluated both with and without the j proposed STE The rolling maintenance profile impacts are examined in Section 3.1.5.
.l l
l 3.1.1 frvpact on Diesel Generator System Unavailability , The system unavailability change, resulting from the proposed STE,is presented in Table 3.1-1. The '! reliability characteristics of the Diev! Generator system itself are not assumed to be changed as a result of the requested AOT change. The only performance parameter for the DG system that will be j impacted is the fraction of time during plant operation that the system spends in different configurations. There should be no obvious impacts on equipment performance as evidenced by changes in the component and system failure rates because the requested change will simply redistribute the amount of maintenance that is being performed from the refueling outages to the plant ! operation period. l The quantity shown in the last column of this table is the time averaged failure frequency of the DG , system to start or fail to continue running for an assumed 24 hour period, given that all the DG support ! systems are available, based on data and system models from the PSA. Compared are three sets of ! data: one corresponding to the vintage of the model at the time of the i993 Risk-Based Evaluation of j Technical Specifications, one for the March 1995 Rebaselined Model without the requested changes, ! and one set from the Rebaselined Model with the requested changes. Also presented are the data used ! r to estimate the fraction of time the DG system spends in different planned maintenance states. This l data is based on plant specific data and has been revised to reflect current plant maintenance program f practices, and the conditional failure frequencies of the three train system given these planned maintenance configurations. We select 24 weeks because the planned maintenance cycle repeats itself every 24 weeks dur'mg power operation. To simulate the proposed change it is assumed that there is one DG out for exactly 21 days, the length requested by the proposed STE, and two other occasions ; lasting about 40 hours each where there is a DG removed as part of the normal train outages that are l part of the rolling maintenance program. l l Using this time averaged system failure frequency as a yardstick, we see from this table that the impact [ of the Rebaselined Modelis a reduction of the system failure frequency by about a factor of 5. This is ! t primarily due to the update of the failure rate and unplanned maintenance unavailability data base that j is discussed in Sections 2.3 and 2.5 For each DG, there have been small reductions to the failure rates for each of three DG failure modes: the failure to start, the failure to run during the first hour, and the Acw caemwnenon e n.mu 3.1-2 i
l failure to run for later hours as shown in Table 2.5-1. Since system failure requires failure of all three diesels in the normal configuration and failure of two during a planned maintenance configuration, these individual failure effects are compounded for the most important cutsets while the 24 hour mission time compounds the changes to the hourly failure rates. The principal reason for this change is that STPEGS operating experience with the Diesel Generators has been better than implicitly assumed by application of PLG generic data in the previous PSA models. In comparing the updated DG failure frequencies with and without the proposed change, the effect of increasing the planned maintenance duration by approximately a factor of 4 results in only a 70% increase in the average failure frequency of the DG system. This is arrived at by comparing outage durations for one train of Diesel Generators by replacing one 40 hour normal LCO train outage with an assumed 21 day DG outage once per 24 week period. The impact of the failure frequencies on the on-site power availability function is very small compared to the underlying uncertainties. This is due to the system success criteria which is satisfied even with one train out of service, since there are two remaining Diesel Generators available and for all risk sensitive sequences only one DG is required to prevent a severe accident. Additionally, the incorporation of the Emergency Transformer into the base risk models lessens the effect of Diesel Generator unavailability by providing an additional redundant source of power capable of energizing an entire ESF equipment train. 3.1.2 Impact on Essential Cooling Water System Unavailability The system unavailability change resulting from the proposed STE is presented in Table 3.12. The reliability characteristics o the ECW system itself are not assumed to be changed as a result of the requested AOT change. The only two performance parameters for the ECW system impacted by the STE are the fraction of time during plant operation that the system spends in different configurations and the initiating event frequency for loss of ECW. There should be no obvious impacts on equipment performance as evidenced by changes in the component and system failure rates because the requested change will simply redistribute the amount of maintenance that is being performed from the refueling outages to the plant operation period. The quantity shown in the last column of Table 3.1-2 is the time average failure frequency of the ECW j system to run or fail to start running, given that all the ECW support system are available, based on l data and system models from the PSA. This data is based on plant specific data and has been revised to reflect current plant maintenance program practices, and the conditional failure frequencies of the three train system given these planned maintenance configurations. 24 weeks are selected because the maintenance cycle repeats itself every 24 weeks during power operation. To simulate the proposed change it is assumed that there is one ECW train out for exactly 7 days, the length requested by the i Acu e we 16v ponta-s5= act (Aped 24. teesi 3.1-3
i I proposed STE, and two other occasions lasting about 40 hours each where there is an ECW train removed as part of the normal train outages that are part of the rolling maintenance program. Using this time averaged system failure frequency as a yardstick, we see from this table that the impact of the Rebaselined Model to the 1993 Risk-Based modelis a reduction of the system failure frequency by about 93%. This is primarily due to the update of the failure rates and unplanned maintenance l unavailability data base as discussed in Sections 2.3 and 2.5. In comparing the updated ECW failure ; frequencies with and without the proposed STE, the effect of increasing the planned maintenance duration by approximately a factor of 2 results in a 33% increase in the average failure frequency of the ; ECW system. This increase in the system level failure frequency is expected and reflects the impact of ! i plant specific data. ! 3.1.3 Impact on Core Damage Frequency . The next risk measure selected for evaluating the impact of the proposed STE is the average annual core damage frequency. The changes in the average annual CDF due to the various model updates and the proposed STE are given in Table 3.1-3. As seen in this table there has been a continual trend downward in the progressively updated versions of the PSA models through the current Rebaselined Model. This trend is due to a combination of factors including the removal of some of the original model conservatisms, incorporation of plant specific data, steps taken by STPEGS management to reduce or eliminate sources of risk that were highlighted in earlier versions of the PSA model, and the [ incorporation of STP design features not included in previous risk models. , i As seen in Table 3.1-3, the net impacts of the outage durations allowed by the STE and the j compensating measures that were explicitly addressed in the PSA model, as described in Section 2.4, represent an insignificant increase in the annual average core damage frequency. This illustrates that ; the combination of increased risk model accuracy and data, which more closely reflects STP's current design and performance levels, and the associated compensating measures result in significantly ; reducing the impact of the longer DGEW AOTs. This provides a visible indication that the objective of combining the proposed 21/7 day DGECW AOT with compensating measures in a manner to make the change essentially result in a risk neutral" condition was achieved. As shown in the previous section, ; the 21/7 day DGECW AOT only impacts the system level failure frequency by 70% and 33%, { respectively. The impact is much smaller on the annual average core damage frequency for several f reasons. First, the Diesel Generators do not realistically have to operate for 24 hours because of the { high probability that offsite power would be recovered earlier. Second, the principal compensating ! measures that are in place to counteract the direct impacts on DGECW system performance do not j directly impact the DGECW system f ailure frequency, but tend to reduce the chance of concurrent ! l failures of other redundant DGECW equipment trains. As a result, the impact of the proposed changes j acu ew uw m.esuo e s. msi 3.1-4 1
i on the annual average CDF is much smaller than the impact on the system failure frequency. Since the impacts at the system level are already quite small, the CDF impacts are truly insignificant. l 3.1.4 Impact on Release Frequencies l To evaluate the impact of the proposed Technical Specification change on the large early release frequency (LERF) and other major release types, a calculation was performed by linking the front end Level 1 PSA event sequence models to the containment event tree model to provide an ! integrated and linked Level 1/2 event sequence quantification using the RISKMAN Version 6.0 ; software. This was not done for all the cases of the Level 1 event tree analysis, but was performed as a final confirmation that the outage durations for the proposed STE do not introduce any new 1 containment performance vulnerabilities. Following the procedure used in the STP Level 2 PSA/IPE, the accident sequences from the combined Level 1 and Level 2 event trees were grouped into four major release types. Group I is used to compute the LERF, which is one of the risk acceptance criteria for judging the acceptability of the proposed STE. As defined in this model, a large early release involves a containment failure or bypass of at least 3"in diameter that develops during a core damage event within 4 hours of vessel breach. A comparison of the LERF results between the current evaluation and the IPE results is made in Table 3.14. As noted in the IPE submittal, the LERF was found to be extremely small for STPEGS owing to several design features. These include a high containment pressure capacity and added redundancy in containment isolation valves that would have to leak or rupture to produce an interfacing system LOCA sequence. I 1 i As seen in Table 3.1-4, the LERF has been very small and a small fraction of the CDF in all of the PSA evaluations performed to date and will remain acceptably low assuming the acceptance of the proposed STE. The principalinteraction between the electric power systems and sequences involving large early release are associated with station blackout sequences which contribute to the frequency of high pressure core damage events and degrade the containment isolation system by reducing the operability of motor operated valves in the containment isolation system, in principle, changes to the electric power systems could change the LERF. However the principal changes seen i in the updated results are a reduction in the frequency of station blackout sequences due to the incorporation of the Emergency Transformer and plant specific data into the estimates of Diesel Generator failure rates and the better than average performance of this equipment at STPEGS. These positive changes far overshadow the possible negative impacts of the requested STE, and hence the requested change does not have a significant impact on the decision criteila associated with LERF and containment performance. acu es, .,twires.ier i4,,a 24,inesi 3.1-5
3.1.5 Evaluation of the Rolling Maintenance Program Risk Profile , The purpose of this section is to evaluate the impact of the outage durations requested in the proposed STE on the results of the time-dependent risk profile of the STPEGS planned maintenance program. Results of the t:me dependent risk profile were first reported to the NRC as part of the 1993 Risk-Based Evaluation. Since then, these time dependent profiles have become a regular part of the maintenance - planning process at STPEGS and have been generated on a weekly basis to help evaluate the risk impacts of the planned maintenance program. The time dependent risk profiles presented here are consistent with the corresponding annual average CDF cases described in the previous section. In the 1993 submittal of the Risk-Based Evaluation of Technical Specifications, the impact of the 12 and 24 week maintenance cycles were presented (Reference 1-13). That submittal demonstrated that the combined positive effects of optimized maintenance planning (maintenance cycles) in conjunction with some model refinements had a positive risk effect that offset the previously requested risk-based changes in AOTs and STis. The most accurate representation of the ro ling maintenance profile from that submittalis reproduced here as Figure 3.1-1. The profile is repeated every 24 weeks that the plant is at power operation due to differences in the alternato 12-week maintenance schedule shown in the profile. An updated profile, based on importance measures from the average CDF case,is presented in Figure 3.12 which accurately reflect the current maintenance plan. The current profile includes a total of 7 maintenance states with equipment out of service and the base case corresponding to no planned maintenance on components included within the scope of the PSA in progress. The contribution from unscheduled and unplanned maintenance is averaged over time and included in the updated profile. The current profile is more simplified with a large fraction of the planned maintenance performed in train outages such as that indicated by Maintenance State B1. The second portion of the rolling 24-week maintenance cycle is shown in Figure 3.1-3. In Figure 3.1-4 the 21/7 day special DG/ECW outage begins by overlapping with one of the train outages for 7 days and for the remainder of the 14 days with only the DG out of service for planned maintenance. As seen in Figure 2.1-1, the time dependent risk profile over the 21 day cutage period remains less than the 1E-6 threshold until the 19th day and is still within the guidelines for assessing non-quantifiable factors based on the EPRl/NEl PSA Applications Guide (Reference 2-12) for a i temporary condition at the end of the STE window. A more detailed description of the planned maintenance states for the updated risk profiles including those with the scope of the proposed STE is provided in Table 3.1-5. Aeu misenon me a n. ins 3.1-6
3.2 Qualitative Evaluation of Proposed STE 3.2.1 Unquantified Reduction in Shutdown Risk As shown above the increase in risks of severe accidents during power operation brought about by moving a great deal of the DG/ECW train maintenance that is normally done during refueling outages to power operation is insignificant. There is a corresponding decrease in the risk of severe accidents initiated at shutdown because the fraction of time during an outage with at least one DG or ECW train out of service will be greatly reduced. Essentially 63 days worth of DG and 21 days of ECW train maintenance is being moved out of the outages so that the availability of AC power and safety-related cooling water for critical safety functions during the outages will be higher. Also, the effectiveness of maintenance during the STE period is expected to be improved with the removal of competing plant maintenance and refueling tasks. A more balanced workload on the maintenance personnel should also improve performance, and improved equipment performance and availability should be the sole beneficiary. Meanwhile, the proposed STE should provide a positive impact toward achieving that goal. 3.2.2 Compensatory Actions That Were Not Quantified The following sections describe ccmpensatory measures that are not quantified in this study. These unquantified compensatory measures are intended to further reduce the likelihood of initiating events which would challenge safety equipment during the time the DG/ECW trains would be out of service.
- Work in the switchyard will be strictly controlled. This provides additional assurance that maintenance activities or other events that could cause a loss of offsite power initiating event are minimized. However the same loss of offsite power initiating event frequencies were used during the extended DG outage.
- Daily briefs from management to plant personnel during the STE maintenance period.
This provides management and plant personnel with a tool to express the importance of maintaining the operable status of safety trains and the importance on how work in the switchyard can adversely effect the plant.
- Cross train Technical Specification surveillance activities scheduled to occur during the STE will be reviewed for impact prior to the STE and corrected as appropriate.
- Prior to commencement of maintenance under the proposed STE, performance tests will be performed on the following equipment items to verify functionality during this period:
The TSC Diesel Generator and the Positive Displacement Charging Pump. acu wiw.wtweson m.o.ms> 3.1-7
e Prior to commencement of maintenance under the proposed STE, containment integrity will be verified to ensure containment isolation penetrations are in their proper ; alignments. The reactor containment building supplemental purge valves will be verified to be OPERABLE and in their proper alignment . Additionally, containment purges that may be required during the STE will be strictly controlled. 3.2.3 Quantified Compensatory Measures The following is a list of compensatory measures that are quantified with regards to the proposed STE: e No planned maintenance shall be done on the other two safety trains. The STP PSA l model has been configured to model the other two safety trains remaining operable. In i this regard, the planned maintenance unavailability contribu: ions were removed from the operable trains. If one of the other two trains has an unexpected failure causing the j train not to be able to perform its intended function, then entry into Technical Speedication 3.10.8.a is required. However, the PSA models conservatively assume single train AOTs as opposed to the AOTs permitted under 3.10.8.a conditions in that the second train out of service is given the same maintenance durations as permitted by single train outage AOTs. Aeu evs-c,esoor e ruses > 3.1-8 1
(_ _ _ _ . -- . ._ _ - .. . .
?
i Table 3.1-1 Impact of Model Changes and Proposed Special Test Exception on DG System Failure Frequency [ l Result Case Planned Maintenance Fraction of 24-Week Conditional DG System Uncondstenal DG
- Status Cycle in Planned Failure Frequency Given System Failure Maintenance Status Status Frequency * ,
1993 Risk-Based Normal Diesel Train Outage .034 1.89E-2 " ! Evaluation (STPPMT) ! 4 No Diesel Out-of-Service .966 4.3 8E-3 " ' - Average Unavailability 4.88E-3 ; j March 1995 Rebaseline Normal Diesel Train Outage .029 6.15E-3 * * ! (STPPSA395) No Diesel Out-of-Service .971 7.4 4 E-4 * " Average Unavailability 9.03E-4 1995 PSA With 21-day Diesel Train Outage .125 6.15E-3 *
- Proposed Changes ,
(STPPSA495) Normal Diesel Train Outage .020 6.15E-3 *
- No Diesel Out-of-Service .855 7.4 4 E-4 " '
Average Unavailabdity 1.53E-3 Defined as time averaged Frequency of all Three Emergency Diesel Generators failing to start or to continue operation for 24 hours after a random demand due to any combination of planned or unplanned maintenance, independent or common cause failures to start or run, and given all Diesel Generator support systems are available.
" Split Fraction G2 used for condition with one train out of service "* Split Fraction G3 used for normal condition with no train out of service '
Acu dwiswpormessa.ko2 (Apes 24. isss 3.1-9
i i I .I. I Table 3.1-2 Impact of Model Changes and Proposed Special Test Exception on ECW System Failure Frequency l I ; i Result Case Planned Maintenan<,e Fraction of 24-Week Conditional ECW System Unconditional ECW Status Cycle in Planned Failure Frequency Given System Failure . i Maintenance Status Status Frequency
- J 1993 Risk-Based Normal ECW Train .034 2.75E-5" Evaiuation (STPPMT) Outage i
, No ECW Out-of-Service .966 7.4 6E-7 ' ' '
j
- Average Unavailability 1.66E-6 March 1995 Rebaseline Normal ECW Train .029 1.2 5E-6 ' '
(STPPSA395) Outage No ECW Out-of-Service .971 8.2 0E-8 ' " ] Average Unavailability 1.16E-7 1 1995 PSA with 7 Day ECW Outage .042 1.2 5E-6 * ' Proposed Changes _ (STPPSA495) Normal ECW Train .020 1.2 5E-6 * ' j i Outage No ECW Out-of-Service .938 8. 2 0E-8 ' " Defined as time averaged Frequency of all Three ECW Trains failing to start or to continue operation for 24 hours after a random demand due to any combination of planned or unplanned maintenance, inde,endent or common cause failures to start or run, and given al! ECW support systems are available.
** Split Fraction W21 used for condition with one train out-of-service *** Split Fraction W31 used for normal condition with no train out of service Acu swiswp.m.ssoor m re. isss 3.1-10
Table 3.1-3 Impact of Model Changes and Proposed Special Test Exception on Annual Average Core Damage Frequency Result Case Annual Average Mean Fraction of 1989 Result Fraccon of March 1995 Core Damege Frequency
- Robaseline Result 1989 Level 1 PSA 1.7E-4 1.00 8.21 1992 Level 2 PSA/IPE 4.4E-5 0.26 2.13 Submittal 1993 Risk Based Evaluation 3.6E-5 0.21 1.74 (STPPMT)
March 1995 Rebaseline 2.07E-5 0.12 1.00 (STPPSA395) 1995 PSA With Proposed 2.30E-5 0.14 1.11 Changes (STPPSA495)
- Averaged over the time dependent 24 week rolling maintenance profile; mean of the average CDF uncertainty probability distribution acu ewis%:soon m e 4.nssi 3.1-11
Table 3.1-4 Impact of PSA Model and Proposed Special Test Exception on the Frequency of Major Release Groups Accident Frequency Major Release Group ( per year) 1992 Level 2 PSA/IPE 1993 Risk Based 1995 PSA With Fraction of 1992 Submittal EvaluaSn ISTPPMT) Proposed Changes Risk Based (STPPSA495) Evaluation 1 - Large Early Containment Failure 9.89E-7 1.3E-6 5.07E-7 0.51 or Bypass 11 - Small Early Containment Failure 6.67E-6 7.9E-6 5.56E-6 0.83 or Bypass ill - Late Containment Failure 1.08E-5 1.1 E-5 1.39E-6 0.54 IV - Intact Containment 2.56E-5 2.7E-5 1.35E-5 0.52 Total Core Damage 4.41E-5 4.7E-5 2.10E-5 0.48 1' Acu ewiswesoon m as.tsm 3.1-12
Table 3.1-5 Planned Maintenance States for the Rolling Maintenance Risk Profile Maintenance Equipment Out of Service Nunter of Average Duration Frequency per 18 Conditional Core Ratio Conditional State for Planned Maintenance Symmetncal (Hours) Month Operation Demoge CDF{ state)/Condt Period per Frequency Cases Modeled lonel CDF(MO)
- by This State Symmetrical Train MS3C1 Charging Pump Train A, 2 34.9 6 4.41E-5 2.05 Aux. Feedwater Train A,C MS681 Train B of DG, Essential 2 39.6 3 5.93E-5 2.74 Cooling Water Essential Chilled Water, Component Cooling Water, Low Head Safety injection, RHR, CB Spray MS682 Train B of Essential Chilled 3 36 3 4.85E-5 2.24 Water, Component Cooling Water, Low Head Safety
~ Injection, RHR, CB Spray MS684 Train B of Aux. Feedwater 1 21.6 6 4.06E-5 1.88 MS8D1 Train D of Aux. Feedwater 1 21.6 6 4.37E-5 2.02 MS15D Train B DG 1 336 1 2.29E-5 1.06 MS15A Train A DG 1 336 1 2.38E-5 1.10 MS15C Train C DG 1 336 1 2.05E-5 0.95 MSECW Train of DG, ECW, ECH, 1 168 3 6.18E-5 2.85 CCW, LHSI, RHR, CS
- Occurs all the time the other states are not in effect l
acu #wiswnoen m:4 ins: 3.1-13 l - . - - - - - . - - - . - . . _ , - - . . . . - . . -
2 l e 1 c y _ C _ e _ c . n a . n . e
~
C t . N~ l n A- o . M^ M k e e . W- - l 9 4
- _ 2 l ~
a
\_
i c p - y T N - I E - A L r e R - C t T Y r W C a u F A D _ E C N I Q t T A s i N f E T o 4 1 .. . l 6 N e I A l i f 1 _ B M o r 3
) N- ~ _ O P .
T A-m' N k I s
~ S i R
K
~
E E e W c
- n a .
n . e t n - S i C a - V M
- C l 3 g WH n CC i l
l C. E. o WFW R CAI; f o E, S GH n DL i o
- s r _
e - V -
. 3
_ 9 A_ 9
-- 1 N_
A . 1 m- - - -
- 0 -
1 5 4 3 2 1 0 3
>O38 ! $ ! u, OME2$z e r
u ig F
- 2 _
1 e m l
- - - - cy . - -_ - - C _ - - - - e c _ - - - - n _
a n e 0 t 1 l n .
- o M . - - - k e - - - e _ - - - W- _ -
B 4
- - n - - 2 - - ia T
r _- -
. 8 i cr . - - W - - E e L
C n f A - Y e . C G - E - _ C f n-l
- - - N A
a H
- ia-T r - - N E
t s 5 1 - W_ T
- F - - N 1 f 1 .
A : 6 IA o
- D-T M e 3 - - - - E l i
f H o
- - T _
P r
- - O T
N k _ I i s
- - - S K R E
E e W W c _ W,
- - - n _
CS F A, : 4 a
- C. C, - V /- - n WHC C t e _ - C E, - /> - l n
o
- E, S t
G M
- D - - - g / - - -
n n
- i oi o l
l
- - - - R t p
i 2 f o ec _
- - - - nx oE _
i
- - - st s r .
ee
- - - - VT _ - - - - 5 9 e d . - - A- - 9 1
so p
- 0 2- o r 1 P 5 4 3 2 1 0 3t u
yz$8=CO 2$ EO oa41$z E e r uh o . t gi i F W
a
._ - _ _ - - l e
c y C _- e l 3 2 cn
- _ _ A- - a n - - t e
n i a
- _ _ A - M k - _ _ - e - _ B n
ia
\- -
1 W-e
- _ _ r - - '
2 4 T 2 W F i cr
- _ _ A - -
e
- _ _ E n
_ L C e
- _ _ - - Y G \ C - - _\ - - E f l
n C a
- _ jo - - N H r
9 A
- _ - - N d q
1 E T n 6 1
- _ - - N 2 -
f 1
- _ _ - - IA o 3
_ D_ - M E l e Y __ - f i H T o
- S _ _ - - r C, O P T - H _ _ - - N k C - -
I i s
- E, _ _ -
S R I K S 7 E E e W, - - l 1 W c
- C _ _ 1 - n C a
_ _ - - n
- e W
F - - t nn A, - io ai t
- _ _V - - - Mp C - _ - - gce > - i l
n Ex l 5 ot R s e l 1 f
- _ _ - - oi l ~ - _ - - na i
oi c
- _ _ - - s e r
ep
- _ _/ - - VS - _ _ - - 5 9 ed - _ _ - - 9 s 1 o . p iI 3
1 3- or 1 P 5 4 3 2 l O 3t u 3@EGbs o<k$cO oms x <2@z e r uh o t gi i F W
h t i _ l 2 W- _ 1
- - - - l e - - - - cy _ - - - C .
e
- - - - cn . - - - - a n
t e . l 0 1 i n o Y4
- - - M - - B - k e - - n-ia - e . - - T r -
W-4
- W-F A - 2 -
i cr 8 l e n
- E - - 4 L e - ia n\- -
C Y C G
- - T r - - E f C f o - -M - - N A H - - -A - - N E
t s 7 T 1 1
- _D - - N f -
l 6 A I o 1 e M l 3
- - 4 - - E H
i f o
- - T r - - P O
T k N s A I i
- - - S R K e - - W F \- -
E E W cn
- - A - - 4 a n
l
- V. - - e C
W - t n
- CS - i a - - C.
W CHC. M
- - - - g C E. n .
E. S t
- G - - -
i l n D dT l oo eO - i
- - - Rt p
dAn - l 2 f oe - eG- nc oEx t
- - E xD - > - i st - - - - r s - VT ee a -
l
- - - - 5 9i a -
9 c
- - - - 1 e p
r I r -
. 0 4- S 1 d -
5 4 3 2 1 0 3 es .
> zEG5 hko EO 8NE2gz eo r
up i gro F P
- 4. CONCLUSIONS The objective of this study is to provide a risk basis for justifying a Special Test Exception that would extend the allowed outage times for the DG and ECW systems once per train per refueling cycle at STPEGS. The requested STE change does not modify any plant hardware or operational procedures. It simply changes the time frame in which existing authorized activities can be performed. Consequently, the design basis of the plant is unaffected, and, therefore, risk-based analysis can be an appropriate decision basis.
The risk basis is anchored to the results of Houston Lighting and Power Company's (HL&P) state-of-the-art and plant-specific PSA model, which has been reviewed by the NRC. This model was updated and extended to Level 2 standards to meet the IPE requirements contained in Generic Letter 88-20. It was further refined and updated to provide the assessment of the risk impacts of test and maintenance activities at STPEGS and to provide the information requested by the NRC for reviewing the risk-based evaluation of Technical Specifications submitted in 1993. The STPEGS and the NRC staff mutually agreed to use STP Level 2 PSA/IPE as the baseline for the risk-based evaluation of Technical Specifications. It is now further updated and enhanced in this submittal to incorporate revision to Technical Specifications granted by the NRC and to incorporate plant specific failure data, and other plant features not previously included (i.e., emergency transformer). This submittalis an extension of that baseline to reflect the current licensing basis at STPEGS. The L2 PSA/IPE mean core damage frequency (CDF) was found to be about 4.4E-5 per ; reactor year. The mean large early release frequency (LERF) was found to be about 9.9E-7 per reactor year in the L2 PSA/IPE. The decision criteria used in this evaluation is to accept only those changes that do not result in a significant increase in CDF or in the LERF. In addition to the proposed STE, the planned l maintenance program is being procedurally modified and is explicitly accounted for in this submittal j with the intention of reducing risk levels and achieving equipment performance improvements that are cost effective. This has been demonstrated by the combined effects of maintaining at-power i i risk levels below that which was reported for GNL 88-20 and implementing improvements in outage schs- Mqg which willincrease the overall availability of on-site power sources during shutdown conditions. The results in Section 3 show that through the combination of the proposed technical specification change, the incorporation of quantified compensatory measures, the incorporation of plant features not previously credited in the PSA, and the incorporation of plant specific data (which more closely reflects the current plant experience), there are no significant increases in CDF or LERF over those reported in the STP Level 2 PSA/IPE submission or the previous risk based evaluation of ACM dAdr15\ report \95dg4_.003 (April 24,1995) 4-1
Technical Specifications. The effect of all the changes has resulted in a small net decrease in CDF and LERF. The current mean point estimates of CDF and LERF for the new base case plus the proposed STE are 2.30E-5 and 5.07E-7 per year, respectively. Hence, the proposed technical specification changes meet the decision criteria selected for this evaluation. Moreover, this submittal continues to document plant-specific risk basis for evaluation of Technical Specifications for those systems and equipment modeled in the PSA, including those for which changes are not currently proposed. l i The requested change provides plant operations and maintenanco personnel additional flexibility to plan DG/ECW train maintenance, testing, and troubleshooting activities, and optimize overall plant conditions from a risk perspective, while avoiding administrative requirements for power reduction transients that could increase the potential for plant trips which challenge safety systems. It is anticipated that unquantified benefits to the plant's operations and maintenance activP.ies relative to the DG/ECW systems will also be realized by the proposed STE. These benefit s are expected to be reflected by better root cause analysis, enhanced corrective actions implementatior, reduced , potential for human errors, increased maintenance effectiveness, and improved equipmont performance. The impact of all the above effects is expected to contribute to long term reductions in risk to the public, which can be confirmed as future performance data is collected and trended. This submission is both well justified and prudent. It fully meets all applicable requirements and additional NRC information requests. The STPEGS units have been designed with additional redundancy to provide flexibility to the plant staff to accomplish well planned and executed maintenance and corrective actions. However, to date the benefits provided by the investment in the additional redundancy has resulted only in additional maintenance burdens. Approval of the proposed STE can help to alleviate this burden and to permit the realization of the benefits originally intended from the additional redundancy. Therefore, HL&P requests expeditious consideration and I approval of the proposed Special Test Exception. l 4 ACM dAdg 15ireport\95dg4_.003 (April 25,1995) 42 i}}