ML102150037

From kanterella
Revision as of 15:17, 13 November 2019 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Engineering Study 13-MS-B094, Revision 0
ML102150037
Person / Time
Site: Palo Verde  Arizona Public Service icon.png
Issue date: 07/22/2010
From:
Arizona Public Service Co
To:
Office of Nuclear Reactor Regulation
References
102-06228-DCM/RAS/DFS, TAC ME2842, TAC ME2843, TAC ME2844 13-MS-B094, Rev 0
Download: ML102150037 (31)


Text

Enclosure Response to RAI Relating to LAR to Change the TS to Support Crediting an Manual Operator Action to Isolate the RWT Attachment 2 Engineering Study 13-MS-B094, Revision 0

PALO VERDE DOCUMENT TITLE SHEET Q NUCLEAR GENERATING STATION Title /

Description:

Operator Action Time for RWT Isolation After RAS This Engineering Study establishes the design time for Operator action to initiate closure of RWT outlet MOVs JCHAHV0531 and JCHBHV0530 during transfer from ECCS injection to ECCS recirculation in support of DMWO 2938489 Revision 1 I I I I I I I I A 10CFR50.59 Applicability Determination:

This Engineering Study is to support DMWO 2938489 Revision 1 and clearly indicates so. The requirement for performing a Screening and/or Evaluation is defined in procedure 81DP-OEE10, Plant Modifications. No further 50.59 review is required per procedure 93DP-OLCI 7, Revision 4, A paragraph 2.1.6. Applicability Determination performed by J. Tolar.

Original Issue. See DMWO 2938489 Tolar"Jenny Tolar'Jenny N/A N/A N/A N/A N/A Bmwn'Jeffrey N/A Revision 1 for DIRC, 50.59 review, and (Z05640) (Z056.40) A(Z99888) o impact review. A A.

Document Electronically Available REV.

[_Yes REVISION LINo Preparer RE Second Party Mech. Civil Elec. I& C Independent Approval Verification Verification NO. DESCRIPTION Date Date Date Date Date Date Date Date Date CROSS DISCIPLINE REVIEW PV-E0076 Ver. 6 81TD-OEE10

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0

  • Page 2 of 21 Executive Summary During a 95002 inspection, NRC inspectors challenged the adequacy of the PVNGS piping design to prevent air entrainment from the Refueling Water Tank (RWT) to the Engineered Safety Features (ESF) pump suctions following a Loss of Coolant Accident (LOCA). It was subsequently determined that for a limited range of smaller break sizes, air could be entrained due to continued pump down of the RWT after the Recirculation Actuation Signal (RAS) and transfer of the ESF pump suction to the Emergency Recirculation Sump, given that the Combustion Engineering (CE) System 80 design does not have automatic isolation of the RWT outlet Motor Operated Valves (MOV). Air entrainment would be possible for these LOCAs because Containment pressure would be insufficient to give the Emergency Recirculation Sump the hydraulic advantage, and the ESF pumps could continue to draw down the RWT even after the suction is realigned by the RAS.

The design solution is being implemented by DMWO 2938489 Revision 1, which changes the PVNGS design and licensing basis to credit Operator action to close the RWT outlet MOVs after RAS for eliminating the potential for air entrainment. The action to close these valves after RAS already exists in the Emergency Operating Procedures (EOP), but the DMWO will make the action time critical. The DMWO scope also includes a License Amendment Request to change (increase) the RAS setpoint in the Technical Specifications. The new RAS setpoint will allow for the increased RWT transfer volume that is needed to provide sufficient time after RAS for this time-critical Operator action.

This Engineering Study establishes the design values for the Operator action time to initiate closure of the RWT outlet valves after RAS in accordance with ANSI/ANS-58.8-1984 guidance. These time durations are established for subsequent use in the design basis analysis for RWT transfer volume. This Study also documents simulator time tests that were performed using a random sample of PVNGS Operating crews.

The simulator time testing results demonstrate significant margin to the established design values. This Study is in support of changes being implemented by DMWO 2938489 Revision 1.

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0

" C- Page 3 of 21 List of Effective Pages Pages Revision All 0

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 4 of 21 Table of Contents Executive Summ ary ................. ........... I............................................................................................. 2 List of Effective Pages ............................................................................................................ 3 Table of Contents ............................................................................................................................. 4 1.0 Introduction and Purpose ......................................................................................................... 5 2.0 Evaluation ........................................................................................................................................ 6 2.1 Design and Licensing Basis ..... ..................................................................................... 6 2.2 Design Input .............................................................................................................. 6 2.3 M ethods ............................................................................................................................. 6 2.4 Assumptions ...................................................................................................................... 16 2.5 Margin Evaluation ........................................................................................................ 16 2.6 Industry / In-House Experience .................................................................................... 17 3.0 Conclusions.................................................................................................................................... 19 4.0 References ...................................................................................................................................... 20 5.0 Attachm ents ................................................................................................................................... 21 Attachm ent A - Simulator Tim e Testing ................................................................................. Al

  • k A Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 5 of 21 1.0 Introduction and Purpose 1.1 Introduction Palo Verde Units 1, 2, and 3 were constructed in accordance with the CE Interface Requirements for the System 80 design, as augmented specifically for the Arizona Nuclear Power Project.

Requirements established for the Safety Injection (SI) and Containment Spray (CS) Systems specified that the junction of the ESF pump suction lines from the RWT and the Emergency Recirculation Sump be placed at an elevation of no less than 16 feet below the minimum Containment water level during a LOCA. The intent of this interface requirement is to ensure that air entrainment due to continued pump down of the RWT does not occur after the RAS and transfer of the ESF pump suction to the Emergency Recirculation Sump, allowing for the fact that the CE System 80 design does not have automatic isolation of the RWT outlet MOVs. Palo Verde implemented this interface requirement with the actual plant configuration providing almost 40 feet of elevation between the minimum Containment water level and the suction line junction.

During a 95002 inspection, NRC inspectors challenged the adequacy of this interface requirement to prevent air entrainment during the dynamic conditions of the drawdown period after the RAS is generated and before the RWT outlet MOVs are closed by the Operators (Ref. 4.5). Air entrainment in the ESF pump suction piping is a potential concern during scenarios where Containment pressure is insufficient to give the Emergency Recirculation Sump the hydraulic advantage and the ESF pumps continue to draw down the RWT even after the suction is realigned by the RAS. The dynamic conditions during the drawdown period were subsequently evaluated by Westinghouse and Fauske and Associates, Inc. to establish the potential for air entrainment (Ref. 4.21). This evaluation concluded that RWT suction flow terminates and full suction flow is provided by the Emergency Recirculation Sump prior to the point where significant (bulk) quantities of air are entrained in the RWT suction pipe. Though some air could be entrained, there would be no degradation of the ESF pump performance during suction transfer. Thus, operability of the SI and CS Systems was demonstrated. However, a mechanistic, quantitative analysis sufficient to support the intent of the original design basis of no entrained air was not established, so further evaluation to select and implement a design solution was required.

The selected design solution is implemented by DMWO 2938489 (Ref. 4.6), which changes the PVNGS design and licensing basis to credit Operator action to close the RWT outlet MOVs CH-531 and CH-530 after RAS for eliminating the potential for air entrainment. The action to close these valves after RAS already exists in the EOPs, but the DMWO will make the task time critical. The DMWO scope also includes a License Amendment Request to change (increase) the RAS setpoint in the Technical Specifications. The new RAS setpoint will allow for the increased RWT transfer volume that is needed to provide sufficient time after RAS for this time-critical Operator action.

1.2 Purpose The purpose of this Engineering Study is to establish the design values for Operator action time to initiate closure of the RWT outlet valves after RAS for subsequent use in the design basis analysis for RWT transfer volume (Ref. 4.8). This Study also documents simulator time tests that were performed using a random sample of PVNGS Operating crews to evaluate margin to the established design values. This Study is in support of changes being implemented by DMWO 2938489 Revision 1.

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 6 of 21 2.0 Evaluation 2.1 Design and Licensing Basis 2.1.1 The RWT water inventory between the RAS and the vortex breaker (transfer volume) must be sufficient to complete transfer of the ESF pump suctions from the tank to the Containment sump before the tank is drained and ESF pump damage occurs. This RWT transfer volume is sized based on the established design time for Operator action to close MOVs CH-531 and CH-530 after RAS and isolate the RWT from the ESF pump suctions (Ref. 4.8).

2.1.2 ANSI/ANS-58.8-1984 (Ref. 4.7) specifies time requirements that are to be met to receive credit in the safety analysis for Operator actions that initiate or control safety related functions. The criteria in this standard identify time intervals and other restrictions that provide an adequate safety margin for safety related system design and safety analyses of the design basis events. The time intervals specified in these criteria are minimum values which shall be provided in the plant design to permit credit for safety related Operator actions. The use of ANS/ANSI 58.81984 to establish design times for Operator actions is consistent with the current PVNGS licensing basis (Ref. 4.1, Section 15.6.3.2.2) and NRC Information Notice 97-78 discussions (Ref. 4.18).

2.2 Design Input 2.2.1 The guidance provided in ANSJJANS-58.8-1984 is used to determine the design time for Operator action to initiate closure of CH-531 and CH-530 after RAS.

2.2.2 The required Operator actions following RAS are taken from the Emergency Operating Procedures (Ref. 4.9, 4.10) as modified by revisions to be implemented by DMWO 2938489, Revision 1. The EOP revisions will: (a) add a Note that the action to close valves CH-531 and CH-530 after RAS is a time critical step; and (b) re-sequence the current step for completing the transfer to ECCS recirculation so that the action to close valves CH-531 and CH-530 will be taken prior to verification that the SI pump mini-flow valves are closed.

2.3 Methods 2.3.1 Determination of Operator Action Time Per ANSIIANS-58.8-1984 Determination of Operator Action Time The time intervals given in ANSJIANS-58.8-1984 are applied to determine the minimum time required for the Operator to initiate closure of the RWT outlet MOVs after RAS.

The standard describes two specific times, Time Test 1 and Time Test 2. Time Test 1 is defined as the time interval during which all nuclear safety related functions shall have been initiated by automatic protection systems. During this interval, it is assumed that the Operator verifies automatic responses, observes plant parameters, and plans subsequent actions in response to the design basis event. For a LOCA, this time interval starts at the first alarm indicating that a LOCA has occurred. For this evaluation, the start of Time Test 1 is taken as the Safety Injection Actuation Signal (SIAS). The Operator action to isolate the RWT following RAS occurs after the Time Test 1 interval.

Time Test 2 is used to determine action times after the Time Test 1 interval. Time Test 2 is defined as the conservative time delay that shall be allowed for the completion of each nuclear safety related Operator action. Each minimum Operator action time delay

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1,2 & 3 Revision 0 Page 7 of 21 includes a fixed and a variable time. The fixed sub-interval allows for: (a) the receipt of prompting information that identifies the need for the action; and (b) the identification of appropriate action. In this instance, the prompting information that identifies the need for the action is the RAS alarm. During this sub-interval, the Operator receives and acknowledges the RAS alarm and performs the post-RAS verification steps that precede RWT isolation, which are ensuring that both LPSI pumps are stopped and ensuring that the ESF pump suction has shifted to the Containment. From Table 1 of ANSI/ANS-58.8, the fixed sub-interval is 5 minutes for a LOCA event. The variable sub-interval allows a minimum of one minute for each discrete manipulation required to complete a single Operator action. In this instance, two manipulations are required to complete the single Operator action to isolate the RWT from the ESF pump suctions: (a) close CH-53 1; and (b) close CH-530.

From this, the Operator action time (Time Test 2) is calculated as follows:

5 minutes + 1 minute + 1 minute = 7 minutes (Fixed sub-interval) (Variable sub-intervals)

In summary, the design value for Operator action to initiate closure of the first RWT isolation valve is 6 minutes after RAS and the action to initiate closure of the second RWT isolation valve is 7 minutes after RAS.

Evaluation of ANSI/ANS-58.8-1984 Bases and Assumptions Section 1.3 of ANSIIANS-58.8-1984 states that the criteria for the standard are based on the following five assumptions, which were evaluated for PVNGS as shown:

(1) Instrument displays are adequately and centrally located, as described in Sections 7, Availability and Reliability of Information and Controls and 8, Safety Analyses and Emergency Procedures, of these criteria, and are provided to alert and guide the Operator.

PVNGS Evaluation:

At the initiation of the event, there are a number of safety related alarms and indications in the Main Control Room to alert the Operating crew that a LOCA has occurred. For this evaluation, the start of the event is taken at the SIAS, which alarms at B05 on low Pressurizer pressure or high Containment pressure from any 2 of 4 Engineered Safety Feature Actuation System (ESFAS) input channels. The SIAS is a visible (high priority red) and audible alarm. The LOCA event and SIAS initiate a number of automatic actions with associated alarms and indications, including a reactor trip. At this point, the Operating crew would perform the Standard Post-Trip Actions and begin event diagnosis.

At the time of RAS, when the Operator action to isolate the RWT is required, the event has been diagnosed and required actions are clear. The task of verifying proper transition to recirculation and initiating manual isolation of the RWT per the EOPs requires the use of the following indications in the Main Control Room. These instruments and displays are associated with the ESF and SI Systems and are all safety related components:

RAS pre-trip annunciator, which alarms at window 5B06D on low RWT level from any 1 of 4 instrument channels (Ref. 4.12). For a valid alarm, the Alarm Response Procedure instructs the Operator to check and monitor the RWT level indicators CHA-LI-203A, CHB-LI-203B, CHC-LI-203C, and

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 8 of 21 CHD-LI-203D on B02. The RAS pre-trip alarm alerts the Operating crew that the RAS is approaching and to prepare for the time-critical action to isolate the RWT.

0 RAS annunciator, which alarms at B05 on RWT Level-Lo from any 2 of 4 ESFAS input channels. Each individual ESFAS input channel also alarms separately at window 5B06C and window 5B07A or 5B06B (Ref. 4.12). The RAS annunciator is a visible (high priority red) and audible alarm so as to ensure gaining the attention of the Operator. This alarm alerts the Operator that the time-critical action to isolate the RWT is required.

  • LPSI pump run/stop lights, which provide indication of run status for each pump on B02 (Ref. 4.14). These are the primary means to verify that the LPSI pumps are stopped by the RAS. Other available indications of LPSI pump run status include flow indicators FI-306/307 on B02 (Ref. 4.13) and the Safety Equipment Status System (SESS) display on B02. The SESS alarm is actuated if the LPSI pump is not stopped at the RAS (Ref. 4.14).
  • LPSI pump control switches JSIAHS0003 and JSIBHS0004 on B02 (Ref.

4.13). These are used to stop a running LPSI pump in the event that it did not stop at the RAS.

  • Containment Isolation Valve JSIAUVO673/674 and JSIBUVO675/676 status lights, which provide position indication for each RAS sump valve on B02 (Ref. 4.16). These are the primary means to verify that the valves are open by the RAS. Other available indications of valve position include the SESS display on B02. The SESS alarm is actuated if any valve does not open at the RAS.
  • Containment Isolation Valve control switches JSIAHS0673/674 and JSIBHS0675/676 (key operated) on B02 (Ref. 4.13). These are used to open a RAS sump valve in the event that it did not open at the RAS.
  • RWT Outlet Valve JCHAHV0531 and JCHBI-HV0530 status lights, which provide position indication for each valve on B02 (Ref. 4.15). These are the primary means to verify that the valves are in the fully open position (red light), stroking or in an intermediate position (red and green lights), or in the fully closed position (green light). The status lights provide clear indication that the Operator action to initiate closure of these valves has been accomplished (red and green lights). In addition, it is clear when the valves are fully closed (green light). Other available indications of valve position include any one of several dedicated Emergency Response Facility Data Acquisition and Display System (ERFDADS) monitors located throughout the Main Control Room. Note that the SESS display on B02 also provides CH-530/531 position indication. However, the function of this system is to alert the Operator if the valves are mis-positioned (closed) for Emergency Core Cooling System (ECCS) injection. Since these valves may be either open or closed after the RAS, Operator failure to close them after the RAS would not be alarmed.
  • RWT Outlet Valve control switches JCHAHS0531 and JCHBHS0530 (key operated) on B02 (Ref. 4.13). These are used to close the valves.

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 9 of 21 As noted above, except for the RAS pre-trip and RAS annunciators, all of the instruments and controls that are required to ensure successful transition to the recirculation mode and close CH-531 and CH-530 are located Board B02, which is dedicated to SI Systems. As Engineering Safety Features Actuation Signals, the RAS pre-trip and RAS annunciators are located on Control Board B05. Although B05 is situated across the horseshoe from B02, the alarm is located well above head level so that it is clearly visible from across the room. Thus, the designated Board Operator can accomplish the task from a single location inside the Control Room without any transit related delays. The system flow paths on Board B02 are schematically shown to promote awareness of system configuration and function. The two safety trains have identical device layout arrangements to facilitate rapid comparison between the identical, redundant trains. The displays for each train are color-coded to avoid confusion.

In summary, the instrument displays provide the Operator with clearly presented readout information at the required time to assess the need for isolating the RWT without making significant diagnoses. There are multiple safety related indications that a RAS has occurred, including visual (high priority red) and audible alarms to ensure gaining the attention of the Operator. The valve JCHAHV0531 and JCHBHV0530 position status lights provide sufficient indication that each action to close the valves has been correctly initiated.

The assumption that instrument displays are adequately and centrally located and are provided to alert and guide the Operator is verified.

(2) The plant has been designed to meet single failure criteria as specified in ANSI/ANS-51.1-1983, "Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants".

PVNGS Evaluation:

As described in Section 3.1 and Table 3.2-1 of the UFSAR (Ref. 4.1), the PVNGS units are designed in accordance with ANSI N18.2, "Nuclear Safety Criteria for the Design of Stationary Pressurized Water Reactor Plants". This standard was replaced by ANSIIANS-51.1-1983; however, PVNGS is not committed to ANSI/ANS-51.1.

Section 3.2.1 of ANSI/ANS-5 1.1 provides the single failure criterion and the specific rules governing its application. The single failure criterion requires that the plant be capable of achieving (1) emergency core reactivity control, (2) emergency core and containment heat removal, and (3) containment isolation, integrity, and atmosphere cleanup given an initiation occurrence plus an independent single failure of a nuclear safety related component in any one of the systems required to support directly or indirectly these three nuclear safety functions. The specific rules governing the application of single failures address location of the single failure, electrical equipment, fluid systems, dual purpose safety related systems, safety related systems not normally operating, plant condition determination, and allowable outage intervals. Though ANSI N18.2 does discuss single failure considerations, it does not contain a separate section describing application of the single failure criterion as is given in ANSI/ANS-5 1.1.

UFSAR Section 3.1 provides that the PVNGS unit designs comply with the NRC General Design Criteria, which include applicable single failure criteria. The UFSAR describes throughout that the design of safety systems includes consideration of the limiting single failure when evaluating minimum system performance.

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 10 of 21 UFSAR Section 15.0 describes the specific rules governing the application of single failures in the safety analyses to demonstrate that the overall plant response and performance will be acceptable should a design basis event occur. The PVNGS single failure design as described in the UFSAR has been approved by the NRC and is consistent with the stated purpose of ANSI/ANS-51.1-1983 to provide "a degree of assurance that, in their entirety, plants are designed and constructed so that they can be operated without undue risk to the health and safety of the public."

The assumption that the plant has been designed to meet single failure criteria as specified in ANSI/ANS-51.1-1983 is verified.

(3) Written emergency procedures are clear, complete, unambiguous, available, and used. The Operating Staff is familiar with the emergency procedures from use in the plant qualification and requalification programs.

PVNGS Evaluation:

The Operator actions will be controlled through written procedures for post-LOCA response (Refs. 4.9, 4.10). These procedures are an integral part of the plant qualification and requalification training programs.

As described in UFSAR 18.I.C, the Emergency Operating Procedures, which were developed from the generic Owner's Group guidelines presented in CEN-152, were reviewed by the NRC and verified to meet the human factors criteria of NUREG 0737 Supplement No. 1. The EOPs already include an action to close CH-531 and CH-530 as part of the transfer from ECCS injection to ECCS recirculation, but the action is currently not time critical. Thus, the procedures will be revised to: (a) add a Note to the current step that closes the RWT valves to emphasize its time-critical nature; and (b) re-sequence the current step for completing the transfer to ECCS recirculation so that the action to close valves CH-531 and CH-530 will be taken prior to verification that the SI pump mini-flow valves are closed. These changes, which will be implemented by DMWO 2938489, Revision 1, are discussed below.

Note that the results and conclusions of this Engineering Study are contingent upon implementation of the EOP revisions as evaluated (see Section 2.4, Assumptions). It is emphasized that this Engineering Study does not provide the justification for the proposed EOP revisions but only uses the modified steps as an input. Justification for the EOP changes will be provided separately as part of DMWO 2938489, Revision 1 implementation.

The first EOP change simply alerts the crew that isolation of the RWT must be completed in a timely manner to ensure continued operation of the ESF pumps. The crew will monitor RWT level during the ECCS injection phase as directed by the EOPs and will check well in advance of RAS that Containment level is rising as RWT level is lowering (Refs. 4.9, 4.10). The procedures provide for event diagnosis such that by the time the RAS occurs, the event has been identified and the required actions are clear. The RWT level checks provide ongoing visual indication that the RAS is approaching. As described above, at an RWT level of approximately 11%,

the RAS pre-trip function will actuate an alarm on Control Board B05, which can be generated by any 1 of 4 independent and safety grade instrument channels. The decreasing RWT level and RAS pre-trip alarm will prompt the crew to get into position and prepare for the upcoming time-critical action.

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 11 of 21 The second EOP change re-sequences the actions after RAS to close CH-531 and CH-530 sooner. The RAS initiates three automatic actions: (a) trips the LPSI pumps; (b) opens the RAS sump Containment Isolation Valves; and (c) closes the SI pump mini-flow recirculation valves. The current procedure step directs the Operator to verify all of these actuations and then to close the RWT outlet MOVs to complete the transfer to ECCS recirculation. However, the immediate closure of the mini-flow valves is not necessary to accomplish the heat removal or inventory control critical safety functions. Thus, to conserve time, the pump mini-flow valve position verification will be delayed until after the RWT outlet MOVs are closed.

It is noted that the timing of this action is critical to ensure successful ESF pump operation only for LOCAs within a limited range of smaller break sizes where Containment pressure is insufficient to give the Emergency Recirculation Sump the hydraulic advantage and the ESF pumps continue to draw down the RWT even after the suction is realigned by the RAS. For larger LOCAs, the Operator action to close CH-531 and CH-530 after RAS is not time critical since air entrainment is not a concern when Containment pressure is sufficient to stop flow from the RWT.

Despite this, the EOPs will dictate the same time-critical step for all LOCAs to relieve the Operator of the burden of having to distinguish between when the action is and is not necessary. It is recognized that the time from LOCA initiation to RAS will vary depending on the break size. However, the transition to recirculation is an event milestone that is preceded by a pre-trip alarm and accompanied by a high priority actuation alarm. Therefore, regardless of the time duration to RAS, the procedural direction and the cues to alert and prepare the crew for the time-critical action to isolate the RWT are the same.

The task of closing CH-531 and CH-530 after RAS is not new. The step has never been time critical; however, manual closure of those valves was an integral part of plant design, and the step has been in the EOPs since their original issue. The change that makes isolation of the RWT a time-critical action will be accompanied by a Technical Specification change to increase the RAS setpoint. The EOP revision, the design and licensing basis change with respect to the time-critical Operator action, and the Technical Specification change will all be implemented at the same time (DMWO 2938489, Revision 1). Licensed Operators will receive training in all of these changes prior to their implementation, and ongoing proficiency will be demonstrated during requalification in the simulator. The action will also be included in Procedure 40DP-9ZZ04 (Ref. 4.11), which provides: (1) a means to ensure that the time-critical actions within the scope of the procedure can be accomplished by plant personnel, (2) a means to document periodic validation of credited action times, and (3) a means to ensure that changes to the plant or to procedures or protocols do not invalidate the credited action times. It is noted that training for the crews that were time tested at the PVNGS simulator included only a pre-job briefing discussion of a draft Procedure 40EP-9EO03 (LOCA EOP), which included the changes that will be implemented by DMWO 2938489, Revision 1.

Even so, the time test results demonstrated that the Operating crews were able to complete the task well within the time criterion specified by the standard.

In summary, written procedures are clear, complete, unambiguous, available, and used, and the Operating Staff is familiar with the emergency procedures from use in the plant qualification and requalification programs. However, since the procedure

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 12 of 21 revisions as evaluated in this Study have not yet been implemented, this is a contingent assumption, see Section 2.4.

(4) A sufficient number of Shift Operators are available, based upon plant staffing requirements, to perform any nuclear safety related or required Operator actions.

PVNGS Evaluation:

The action to initiate closure of CH-531 and CH-530 after RAS requires only the Control Room staff. The PVNGS unit staffing requirements are described in Section 5.2.2 of the Technical Specifications (Ref. 4.2) and UFSAR Sections 13.1.2.3 and 18.1.A.1.3. From UFSAR Section 18.I.A.1.3, the normal staffing as discussed in UFSAR Section 13.1.2.3 and PVNGS administrative procedures meets or exceeds NUREG-0737 minimum requirements. From UFSAR Table 18.I.A-1, the PVNGS minimum shift crew is composed of a Shift Manager (SM), a Senior Reactor Operator (Control Room Supervisor), two Reactor Operators (RO), and two Auxiliary Operators (AO) for each operating unit and a minimum of two Shift Technical Advisors (STA) for the site.

During LOCA response, the Control Room Supervisor (CRS) directs the ROs in the Control Room and the AOs stationed outside the Control Room based on the EOPs.

The ROs are normally stationed at the Control Boards and designated as either the Primary or Secondary Operator. Typically, the Primary Operator is responsible for Control B02 where the required actions are taken. The SM and STA provide oversight and advisory technical support to the CRS.

The action to close CH-531 and CH-530 after RAS is performed by the Primary Operator at the direction of the CRS based on the Emergency Operating Procedures.

The Operator is already positioned at the Control Board and, thus, is available and on station to take the action. Making the step time critical does not introduce any new procedural actions or staffing requirements. Simulator testing has demonstrated that the Primary Operator can perform the required action within approximately 60 percent of the design time.

The assumption that a sufficient number of Shift Operators are available to perform the required Operator action is verified.

(5) The Operators are qualified in accordance with ANSI/ANS-3.1-1981.

PVNGS Evaluation:

From UFSAR Section 13.1.3.1, the PVNGS Technical Specifications, specific regulations, and the recommendations of Regulatory -Guide 1.8 (Personnel Selection and Training) and ANSI/ANS 3.1-1978 (Selection and Training of Nuclear Power Plant Personnel) are used as the basis for establishing minimum qualifications for nuclear power plant personnel, with exceptions and clarifications as noted. The PVNGS training program has been accepted by the NRC as documented in Section 13.1.3.1 of the PVNGS Safety Evaluation Report (Ref. 4.4) and is accredited by the Institute of Nuclear Power Operations (INPO).

The assumption that the Operators are qualified is verified.

2.3.2 Simulator Time Testing Time testing at the PVNGS simulator was performed to demonstrate margin to the established ANSI/ANS-58.8 design values. Note the design times provided in the

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 13 of 21 standard are alone sufficient for subsequent use in design basis analyses. However, the time testing was performed to confirm that the design values provide substantial margin.

Data was collected from 6 different licensed Operating crews selected at random, which constitutes a sample size of approximately 30 percent. Appendix A provides details of the simulator scenario and time test results. Each crew was presented with the same LOCA scenario and additional failure at RAS. The additional failure at RAS was included to consider potential complications that might occur during the transition from ECCS injection to ECCS recirculation. The particular failure of Train B RAS to actuate (beyond design basis) was selected because of its complexity in that: (a) multiple components were affected; and (b) the contingency action to manually actuate the RAS per the EOP was a built-in distracter since this action did not clear the fault.

The simulator testing demonstrated that a value of 3.33 minutes could be reasonably established as the maximum time after RAS to initiate closure of the first RWT isolation valve with 95% confidence. This provides significant margin to the design value of 6 minutes for this task. The simulator testing also demonstrated that a value of 4.30 minutes after RAS could be reasonably established as the maximum time to initiate closure of the second RWT isolation valve with 95% confidence. This provides significant margin to the design value of 7 minutes for this task.

2.3.3 Other Considerations Environmental / Habitability The task of verifying proper suction transfer for the ESF pumps from the RWT to the Emergency Recirculation Sump and manually closing CH-531 and CH-530 occurs entirely in the Main Control Room. As described in UFSAR Section 6.4, the Control Room habitability systems include missile protection, radiation shielding, radiation monitoring, air filtration, and heating, ventilation, and air conditioning systems, lighting, personnel support, and fire protection equipment. By design, the Control Room essential system is capable of maintaining the Control Room atmosphere within conditions suitable for prolonged occupancy throughout the duration of a LOCA. In addition, the radiation exposure of Control Room personnel throughout the event will not exceed 10CFR50, Appendix A, General Design Criterion 19 limits. Finally, the habitability systems provide the capability to detect and protect Control Room personnel from smoke and airborne radioactivity.

In summary, there are no environmental or habitability factors that would distract the Operator.

Ability to Recover from Credible Errors There are two possible errors that the Operator may commit during the performance of the required task: (a) the action may be performed too late; or (b) the action may be performed too early.

Action Performed Too Late The action to close CH-531 and CH-530 already exists in the EOPs, but it is not time critical. Introducing a time limit for the task introduces the potential for this Operator error. This error would occur after the RAS and, therefore, is only a potential concern with respect to ESF pump operation during ECCS recirculation. This error is of no consequence during LOCAs where Containment pressure is sufficient to stop flow from the RWT after the RAS since the RWT outlet MOVs do not need to be closed to prevent air entrainment during these events. However, if the LOCA is within the limited range of

" ikAI Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 14 of 21 break sizes where air entrainment is a concern, then failure to close CH-531 and CH-530 in a timely manner may result in degradation of ESF pump performance. The likelihood that the Operator will commit this error is very low for the following reasons:

The key parameter that initiates the prompting information identifying the need for the action (RAS) is RWT level. This parameter can be monitored by more than one individual as it trends toward the RAS. In addition, the RAS pre-trip alarm will alert the Operators that the RAS is approaching. These safety grade indications and alarms enable the Operating crew to anticipate the RAS and prepare to take the required manual action once the RAS occurs.

" There are multiple indications that the RAS has occurred, including a visible (high priority red) and audible alarm. These safety grade indications and alarms enable the Operating crew to immediately identify that the RAS has occurred and begin to take required actions as directed by the EOPs.

  • The step to close valves CH-531 and CH-530 after RAS already exists in the EOPs, so the Operators are familiar with this manual action. The revised EOPs will alert the Operating crew that this is a time-critical step and be structured such that the action to close the RWT outlet valves CH-531 and CH-530 is taken as soon as possible after the RAS. This provides operational margin for completing the task.

" Time testing at the PVNGS simulator demonstrated that the Operators can complete the task within approximately 60 percent of the design time, even when the event is complicated by a concurrent malfunction at the RAS. This provides design margin for completing the task and gives the Operator significant time to recover from unanticipated delays without consequence.

  • Ongoing verification that this time-critical action can be accomplished by the Operating crews will be performed in accordance with Procedure 40DP-9ZZ04.

In summary, the system design features, procedural controls, and design and operational margin as described above enable the Operator to recover from unanticipated delays in closing the RWT outlet valves and preclude this Operator error.

In the unlikely event that the Operator performs this action too late, there is design margin in the established time limit as follows (Ref. 4.8):

" The required RWT transfer volume was established assuming maximum (runout) pump flow rates. The smaller break LOCAs where air entrainment is a potential concern would require less HPSI flow, and the pumps would be throttled to deliver much less than maximum flow. In addition, for smaller LOCAs where containment pressure is less than 5 psig and all other CS termination criteria are met, both CS pumps would be stopped per the EOPs (Step 21, Ref. 4.9). The reduced RWT pump down rate after the RAS would provide additional time for the Operator action to isolate the RWT.

" The required RWT transfer volume was established assuming pump down at the maximum rate after the RAS until both CH-531 and CH-530 are closed to isolate both ESF trains from the RWT. The reduction in flow when the first RWT discharge valve closes and one ESF train is isolated was conservatively

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 15 of 21 neglected. This reduced RWT pump down rate after the RAS would provide additional time for the Operator action to isolate the RWT.

The required RWT transfer volume was established based on both the Operator action time and the stroke time for valves CH-531 and CH-530. The analysis assumed a conservatively long stroke time for the valves to maximize the required transfer volume. The reduced stroke time for the valves would provide additional time for the Operator action to initiate closure of the valves.

Finally, it is noted that in the unlikely event that the Operator performs this action too late and it results in air entrainment in the ESF pump suction, previous Engineering evaluation concluded that RWT suction flow terminates and full suction flow is provided by the Emergency Recirculation Sump prior to the point where significant (bulk) quantities of air are entrained in the RWT suction pipe (Ref. 4.21) The evaluation demonstrated that though some air could be entrained, there is reasonable assurance that there would be no degradation of the ESF pump performance during suction transfer.

Though not design basis, this evaluation provides defense in depth against this Operator error.

Action Performed Too Early The RWT outlet MOVs could be closed prematurely either before RAS or after RAS but before a flow path from the Emergency Recirculation Sump is established. The action to close the valves already exists in the EOPs, but it is not time critical. Introducing a time limit for the task creates new time pressures for the Operator, which could increase the potential for this error. Closing the valves prematurely is of no consequence with respect to air entrainment since air entrainment is not a concern if the RWT is isolated from the ESF pump suction. The consequence of this error is potential degradation of ESF pump performance due to loss of suction water supply. The likelihood that the Operator will commit this error is very low for the following reasons:

" The key parameter (RWT level) can be monitored by more than one individual as it trends toward the initiating cue (RAS), which is accompanied by a visible (high priority red) and audible alarm. These safety grade indications and alarms clearly mark the transition to recirculation, which is when the manual action is required.

  • Early performance of the task before RAS would result in a SESS alarm as soon as either valve position switch registered "not fully open." This safety grade alarm provides immediate feedback to the Operating crew that the error has occurred. Once the valve is fully closed, the Operator could immediately reopen the valve in an attempt to minimize the affect on ESF pump performance in the affected train. Regardless of whether or not the affected train is recovered, the SESS alarm would immediately alert the Operating crew, and the Operator would not commit the same error on the redundant train.
  • The CRS will be directing the actions of the Control Room Operators based on the EOPs. With respect to the required action to isolate the RWT after RAS, the EOPs clearly describe the tasks and the sequence. There are no alarms to immediately alert the Operator that the valves have been closed prematurely after RAS. However, given that this error has potential consequences only if the RAS sump valves are not yet open, and given that the RAS sump valves open in less than 25 seconds (Ref. 4.19, 4.20) and the RWT outlet valves close in

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 16 of 21 approximately 30 seconds, early performance of the task after RAS cannot result in ESF pump degradation.

The RAS Containment Isolation Valve status lights provide clear indication of whether or not the ESF pump suction was aligned to the Emergency Recirculation Sump by the RAS. In addition, failure of any sump valve to open at the RAS would result in a SESS alarm. The EOP steps and these safety grade indications and alarms draw the attention of the Operating crew to the ESF pump suction lineup, which makes it very unlikely that the RWT outlet MOV will be closed prematurely after RAS in the event that a RAS valve fails to open. It is fundamental Operator knowledge that the suction supply to a running pump is not isolated without first aligning an alternate supply. Further, the EOPs direct that if an ESF train cannot be aligned to the sump (due to sump valve failure),

then the running pumps in that train are stopped. In this instance, the position of the RWT outlet valve in the failed train does not matter.

In summary, there are a number of system design features and procedural controls as described above to preclude this Operator error. Even in the unlikely event that the Operator commits this error before RAS, the crew receives immediate feedback that the error has occurred and could reverse the action once the valve is fully closed in an attempt to minimize the affect on ESF pump performance in the affected train. The immediate SESS alarm would alert the Operating crew, and the' Operator would not commit the same error on the redundant train. Thus, even if the affected ESF train could not be recovered, the event could be successfully mitigated by the redundant train.

2.4 Assumptions 2.4.1 It is assumed that changes to the LOCA and functional recovery EOP steps for transitioning from ECCS injection to ECCS recirculation and closing CH-531 and CH-530 are implemented as follows:

  • A Note is added to the current step that closes RWT outlet valves CH-531 and CH-530 after the RAS to emphasize its time-critical nature; and

" The current step for completing the transfer to ECCS recirculation is re-sequenced so that the action to close valves CH-531 and CH-530 is taken prior to verification that the SI pump mini-flow valves are closed.

2.4.2 It is assumed that the Operator action to initiate closure of CH-531 and CH-530 after RAS is included as a time critical action in Procedure 40DP-9ZZ04.

2.5 Margin Evaluation As stated in ANSI/ANS-58.8, the criteria set forth in the standard include conservative time intervals and other restrictions to provide an adequate safety margin for the purpose of nuclear safety system design and nuclear safety analysis of the design basis events. Though not quantified, there is margin in the design times of 6 minutes after RAS to initiate closure of the first RWT valve and 7 minutes after RAS to initiate closure of the second RWT valve that are established in Section 2.3.1.

The simulator testing demonstrated that a value of 3.33 minutes could be reasonably established as the maximum time after RAS to initiate closure of the first RWT isolation valve with 95%

confidence (Section 2.3.2). This provides significant margin to the design value of 6 minutes for this task.

  • L A Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 17 of 21 The simulator testing demonstrated that a value of 4.30 minutes could be reasonably established as the maximum time after RAS to initiate closure of the second RWT isolation valve with 95%

confidence (Section 2.3.2). This provides significant margin to the design value of 7 minutes for this task.

Margin associated with establishing the required RWT transfer volume is evaluated in the applicable design basis analysis (Ref. 4.8).

2.6 Industry / In-House Experience NRC Information Notice 97-78 (Ref. 4.18) alerts addresses to instances where licensees have implemented changes to their facilities or operations that may inappropriately credit Operator actions in place of automated system or component actuations or altered Operator actions, including response times, previously described in their licensing basis. One of the cited examples was Salem Unit 2, where the NRC identified that the EOPs were revised to implement an essentially new switchover design. The change resulted in shorter required response times by Operators and, in certain cases, interruption of flow to the core. This modification changed the licensing basis previously approved by the NRC and was determined by the NRC to constitute an Unresolved Safety Question. Although Salem's EOPs provided contingency actions to deal with the failure of their Refueling Water Storage Tank to Residual Heat Removal pump suction valve to close, the simulator was not capable of modeling such a failure, and the crew evaluations to support the modified timeframe for switchover did not model or account for these additional contingency actions. Also, the Salem analysis failed to consider credible Operator errors of omission or commission that could affect the overall response time in carrying out the switchover evolution.

The Information Notice states that in those instances where licensees consider permanent changes to the facility that credit Operator actions, the NRC has relied on the guidance provided in ANSI/ANS-58.8-1984. This standard provides estimates of reasonable response times for Operator actions; however, licensees may use time intervals derived from independent sources provided they are based on analyses with consideration given to human performance. ANSI-58.8 also states that safety related actions may be performed by an Operator only where a single Operator error of one manipulation does not result in exceeding the design requirements for design basis events. Based on these guidelines, the NRC's reviews of licensees' analyses typically include, but are not limited to:

(1) the specific Operator actions required; (2) the potentially harsh or inhospitable environmental conditions expected; (3) a general discussion of the ingress/egress paths taken by Operators to accomplish functions; (4) the procedural guidance for the required actions; (5) the specific Operator training necessary to carry out actions, including any Operator qualifications required to carry out actions; (6) any additional support personnel and/or equipment required by the Operator to carry out actions; (7) a description of information required by the Control Room staff to determine whether such Operator action is required, including qualified instrumentation used to diagnose the situation and to verify that the required action has successfully been taken;

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 18 of 21 (8) the ability to recover from credible errors in performance of manual actions and the expected time required to make such a recovery; and (9) consideration of the risk significance of the proposed Operator actions.

Items 1 through 8 are addressed in Section 2.3, and Item 9 is addressed in Reference 4.22.

Palo Verde Nuclear Generating Station jq.4.. Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 19 of 21 3.0 Conclusions The design value for Operator action to initiate closure of the first RWT outlet MOV is 6 minutes after RAS and the design value for initiating closure of the second RWT outlet MOV is 7 minutes after RAS (Section 2.3.1). These are the values to be used for Operator action time in the design basis analysis for RWT transfer volume (Ref. 4.8).

The simulator testing demonstrated substantial margin to these design times. Specifically, the testing determined that the values that could be reasonably established as the maximum time after RAS to initiate closure of the first and second RWT isolation valves with 95% confidence are 3.33 minutes and 4.30 minutes, respectively (Section 2.3.2).

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 20 of 21 4.0 References 4.1 PVNGS UFSAR, Revision 15 4.2 PVNGS Technical Specifications, Through Amendment No. 171 and 173 4.3 PVNGS Technical Requirements Manual, Revision 48 4.4 PVNGS Safety Evaluation Report (SER) and Supplements 1-12 4.5 CRDR 2835132 4.6 DMWO 2938489, Revision 1 4.7 ANSI/ANS-58.8-1984 4.8 Calculation 13-MC-CH-0201, Revision 7, Refueling Water Tank (RWT), Hold-up Tank (HT),

and Reactor Make-up Water Tank (RMWT) Sizing 4.9 Procedure 40EP-9EO03, Revision 26, Loss of Coolant Accident 4.10 Procedure 40EP-9EO09, Revision 40, Functional Recovery 4.11 Procedure 40DP-9ZZ04, Revision 0, Time Critical Action (TCA) Program 4.12 Procedure 40AL-9RK5B, Revision 9, Panel B05B Alarm Responses 4.13 Drawing 01/02/03-M-SIP-0001, Revision 42/38/36, P&I Diagram Safety Injection & Shutdown Cooling System 4.14 Drawing 01/02/03-E-SIB-0002, Revision 6/5/3, Elementary Diagram Safety Injection &

Shutdown Cooling System Low Pressure Safety Injection Pump 4.15 Drawing 01/02/03-E-CHB-0029, Revision 4/3/4, Elementary Diagram Chemical & Volume Control System RWT to Train Safety Injection Valves 1J-CHA-HV-531 and 1J-CHB-HV-530 4.16 Drawing 01/02/03-E-SIB-0021, Revision 10/7/5, Elementary Diagram Safety Injection System Containment Sump Isolation Valves 1J-SIA-UV-673 and IJ-SIA-UV-675; Drawing 01/02/03-E-SIB-0022, Revision 7/6/7, Elementary Diagram Safety Injection System Containment Sump Isolation Valves 1J-SIB-UV-674 and 1J-SIB-UV-676 4.17 CH DBM, Revision 18, Chemical Volume and Control System Design Basis Manual 4.18 NRC Information 97-78, Crediting of Operator Actions in Place of Automatic Actions and Modifications of Operator Actions, Including Response Times, dated October 23, 1997 4.19 Procedure 73ST-9SI03, Revision 26, SI Train A Valves - Inservice Test 4.20 Procedure 73ST-9SI04, Revision 25, SI Train B Valves - Inservice Test 4.21 SDOC N001-1900-01462, Revision 0; Fauske and Associates, Inc. Calculation FAI/05-107, Revision 1, Potential for Air Intrusion Following RAS 4.22 Engineering Study 13-NS-C089, Revision 0, PRA Evaluation of LPSI Pump Failing to Trip on RAS

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Page 21 of 21 5.0 Attachments Attachment A - Simulator Time Testing

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 pe Units 1, 2 & 3 WP" Revision 0 Ir Attachment A Page AlI of A9 ATTACHMENT A SIMULATOR TIME TESTING

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Attachment A Page A2 of A9 1.0 Purpose The purpose of this simulator time testing is to collect data to support the DMWO 2938489 Revision 1 design and licensing basis change to credit the Operator action to manually close CH-531 and CH-530 after RAS. The time test results will be used to evaluate margin to the design values that were established for this task based on ANSI/ANS-58.8-1984 guidance.

2.0 Summary of Results RAS to Initiate Closure of First RAS to Initiate Closure of Second Crew RWT Isolation Valve [min] RWT Isolation Valve [min]

21 2.10 2.22 41 1.63 1.82 13 1.55 3.37 23 2.88 3.20 33 2.55 3.47 43 2.63 3.33 The mean time to initiate closure of the first RWT isolation valve is 2.23 minutes after RAS with a standard deviation of 0.55 minutes. Thus, a value of 3.33 minutes after RAS can be established as the maximum time with 95% confidence.

The mean time to initiate closure of the second RWT isolation valve is 2.90 minutes after RAS with a standard deviation of 0.70 minutes. Thus, a value of 4.30 minutes after RAS can be established as the maximum time with 95% confidence.

3.0 Simulator Scenario 3.1 Simulator Crew Pre-Job Brief The purpose of this scenario is to collect time data to support a future design and licensing basis change to credit the Operator action to manually isolate the RWT after RAS.

Current design and licensing basis credits the piping configuration and Containment pressure to close the RWT outlet check valves and stop flow from the RWT once the RAS sump valves open.

> NRC question and subsequent Engineering evaluation identified a limited range of smaller break sizes where the RWT outlet check valve may not close and flow from the RWT may continue after RAS.

> Design solution is to re-evaluate the required volume to be reserved in the RWT between the RAS and vortex breaker. (transfer volume) to ensure there is sufficient time to manually isolate the RWT per the EOP.

> Future design change will raise the RAS setpoint and change the design and licensing basis regarding RWT isolation - closing CH-530 / 531 will become a time critical task.

> Time test data will identify margin to design values used in analysis for sizing required RWT transfer volume.

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Attachment A Page A3 of A9

  • DRAFT Procedure 40EP-9EO03 is to be used for the time test.

> Adds "Note" to Step 56 that action to close CH-531 and CH-530 is time critical.

> Re-sequences Steps 56.c and 56.d to perform RWT isolation before verifying the pump miniflow isolation valves are closed (ensures RWT is isolated as quickly as possible).

  • Perform the procedure steps in the sequence listed.

0 Perform at "normal" pace with no extraordinary efforts to accelerate completion of the task.

  • Follow standard command and control protocol with the Control Room Supervisor directing and supervising the activities.
  • Verbal communications are to be performed with standard repeat back and confirmation format (3-legged exchanges).

3.2 Simulator Crew Turnover

" Unit was at MOC, 100% power, when about 45 minutes ago, a Large Break LOCA occurred in Containment; SPTAs were completed and LOCA EOP (40EP-9EO03) was entered.

" A-train CS pump was secured per the EOP (Step 18).

" Current procedure location is Step 54, awaiting RAS.

" All of the applicable procedure steps have been completed or handed out for completion.

" RWT level is -30% and dropping.

" SITs have emptied and been isolated.

" E-plan is all under control.

" Charging pumps are running off of the Spent Fuel Pool per Appendix 11.

" Emergency Diesel Generators have been running unloaded since the event began.

" SIAS load shed MCCs are re-energized.

3.3 Additional Failure The scenario included a failure of Train B to actuate at RAS. Thus, the Train B LPSI pump did not stop and valves JSIBUVO675 / 676 did not open at the RAS. Step 55.1 of the EOP says to manually actuate RAS if it was not actuated. However, the scenario was set up such that manual RAS actuation did not clear the fault. Step 56.a of the EOP says to ensure both LPSI pumps have stopped. To stop the B-train LPSI pump, the Operator takes Handswitch SIB-HS-4 to "Start",

and a SIAS over-ride occurs. Once this is done, the malfunction that is preventing the Train B RAS actuation is removed, and a full B-train RAS actuation will occur.

Note that this failure was not communicated with the Operating crews. Some crews attempted a manual RAS actuation per Step 55.1 (with no result) while others did not. In all instances, the fault was cleared by stopping the Train B LPSI pump per Step 56.a.

3.4 Operating Crew Sample Size and Selection Time data was collected for 6 different Operating crews, which represents a sample size of approximately 30 percent. The crews were randomly selected for testing during the 2009 Cycle 4 Licensed Operator Continuing Training. See the attached Time Test Data Sheets, pages B4-B9, for the specific crews and time test results.

4.0 References Licensed Operator Continuing Training LP Number NLR09 S0406 00

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Attachment A Page A4 of A9 Time Test Data Sheet Date: July 21, 2009 Operating Crew: 21 (2A)

Simulator Instructor: Greg Brown Data Collected by: Jenny Tolar Results: RAS to initiate closure of first RWT valve (Step 56.c): 2 minutes, 6 seconds RAS to initiate closure of second RWT valve (Step 56.c): 2 minutes, 13 seconds RAS to completion of transfer (Step 56.d): 3 minutes, 11 seconds Time Test Data:

Action 40EP-9EO03 Step Time (1)

RAS pre-trip alarm N/A 12:00:59 RAS alarm 55 12:02:49 B-train LPSI pump stopped 56.a Not Recorded Handswitch for CH-531 to Close 56.c 12:04:55 Handswitch for CH-530 to Close 56.c 12:05:02 ECCS suction transfer completed 56.d 12:06:00 (1)Control Room (simulator) clock was used

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-BO94 Units 1,2 & 3 Revision 0 Attachment A Page A5 of A9 Time Test Data Sheet Date: July 21, 2009 Operating Crew: 41 (4A)

Simulator Instructor: William Drey Data Collected by: Jenny Tolar Results: RAS to initiate closure of first RWT valve (Step 56.c): 1 minute, 38 seconds RAS to initiate closure of second RWT valve (Step 56.c): 1 minute, 49 seconds RAS to completion of transfer (Step 56.d): 2 minutes, 57 seconds Time Test Data:

Action 40EP-9EO03 Step J Time (1)

RAS pre-trip alarm N/A 17:04:20 RAS alarm 55 17:06:10 B-train LPSI pump stopped 56.a 17:07:00 Handswitch for CH-531 to Close 56.c 17:07:48 Handswitch for CH-530 to Close 56.c 17:07:59 EccS suction transfer completed 56.d 17:09:07 (1) Control Room (simulator)*clock was used

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Attachment A Page A6 of A9 Time Test Data Sheet Date: August 4, 2009 Operating Crew: 13 (lC)

Simulator Instructor: John Dedon Data Collected by: Eugene Montgomery Results: RAS to initiate closure of first RWT valve (Step 56.c): 1 minute, 33 seconds RAS to initiate closure of second RWT valve (Step 56.c): 3 minutes, 22 seconds (2)

RAS to completion of transfer (Step 56.d): 3 minutes, 22 seconds Time Test Data:

Action 40EP-9EO03 Step Time (1)

RAS pre-trip alarm N/A 11:46:25 RAS alarm 55 11:48:06 B-train LPSI pump stopped 56.a 11:48:28 Handswitch for CH-531 to Close 56.c 11:49:39 Handswitch for CH-530 to Close 56.c Not recorded (2)

ECCS suction transfer completed 56.d 11:51:28 (1) Control Room (simulator) clock was used (2) This time was not recorded; therefore, the time from RAS to completion of transfer (Step 56.d) is conservatively used.

Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Attachment A Page A7 of A9 Time Test Data Sheet Date: August 4, 2009 Operating Crew: 23 (2C)

Simulator Instructor: William Drey Data Collected by: Jenny Tolar Results: RAS to initiate closure of first RWT valve (Step 56.c): 2 minutes, 53 seconds RAS to initiate closure of second RWT valve (Step 56.c): 3 minutes, 12 seconds RAS to completion of transfer (Step 56.d): 4 minutes, 20 seconds Time Test Data:

Action 40EP-9EO03 Step Time (1)

RAS pre-trip alarm N/A - 11:51:17 RAS alarm 55 11:53:08 B-train LPSI pump stopped 56.a 11:55:06 Handswitch for CH-531 to Close 56.c 11:56:01 Handswitch for CH-530 to Close 56.c. 11:56:20 ECCS suction transfer completed 56.d 11:57:28 (1) Control Room (simulator) clock was used

Palo Verde Nuclear Generating Station ý. i I , Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Attachment A Page A8 of A9 Time Test Data Sheet Date: August 4, 2009 Operating Crew: 33 (3C)

Simulator Instructor: John Dedon Data Collected by: Eugene Montgomery Results: RAS to initiate closure of first RWT valve (Step 56.c): 2 minutes, 33 seconds RAS to initiate closure of second RWT valve (Step 56.c): 3 minutes, 28 seconds RAS to completion of transfer (Step 56.d): 6 minutes, 1 second Time Test Data:

Action 40EP-9EO03 Step Time (1)

RAS pre-trip alarm N/A 16:29:59 RAS alarm 55 16:31:50 B-train LPSI pump stopped 56.a 16:32:47 Handswitch for CH-530 to Close 56.c 16:34:23 Handswitch for CH-531 to Close 56.c 16:35:18 ECCS suction transfer completed 56.d 16:37:51 (1)Control Room (simulator) clock was used

9 Palo Verde Nuclear Generating Station Engineering Study No. 13-MS-B094 Units 1, 2 & 3 Revision 0 Attachment A Page A9 of A9 Time Test Data Sheet Date: August 4, 2009 Operating Crew: 43 (4C)

Simulator Instructor: William Drey Data Collected by: Jenny Tolar Results: RAS to initiate closure of first RWT valve (Step 56.c): 2 minutes, 38 seconds RAS to initiate closure of second RWT valve (Step 56.c): 3 minutes, 20 seconds RAS to completion of transfer (Step 56.d): 4 minutes, 53 seconds Time Test Data:

Action 40EP-9EO03 Step Time (1)

RAS pre-trip alarm N/A 16:53:57 RAS alarm 55 16:55:48 B-train LPSI pump stopped 56.a 16:57:26 Handswitch for CH-531 to Close 56.c 16:58:26 Handswitch for CH-530 to Close 56.c 16:59:08 ECCS suction transfer completed 56.d 17:00:41 (1)Control Room (simulator) clock was used