ML021570127
| ML021570127 | |
| Person / Time | |
|---|---|
| Site: | Grand Gulf  |
| Issue date: | 06/05/2002 |
| From: | Rubin M NRC/NRR/DSSA/SPSB |
| To: | Holden C NRC/NRR/DE/EEIB |
| Wohl M. NRR/DSSA/SPSB, 415-1181 | |
| References | |
| -nr, RG-1.174, RG-1.177 | |
| Download: ML021570127 (9) | |
Text
June 5, 2002 MEMORANDUM TO: Cornelius F. Holden, Section Chief Electrical Engineering Section Electrical and Instrumentation and Controls Branch Division of Engineering FROM:
Mark P. Rubin, Section Chief/RA/
Safety Program Section Probabilistic Safety Assessment Branch Division of Systems Safety and Analysis
SUBJECT:
RISK MANAGEMENT SECTION OF SAFETY EVALUATION PERTAINING TO GRAND GULF NUCLEAR STATIONS PROPOSED AMENDMENT FOR 14 DAY ALLOWED OUTAGE TIMES FOR DIVISION 1 AND 2 EMERGENCY DIESEL GENERATORS Enclosed please find the Probabilistic Safety Assessment Branchs Risk Management section of the Safety Evaluation Pertaining to the Grand Gulf Nuclear Stations proposed license amendment for 14 day Allowed Outage Times for the Division 1 and Division 2 Emergency Diesel Generators. The SPSB staff finds this proposal acceptable on the condition that the risk metric results and conclusions using the PSA update confirm the findings from the interim PSA model or appropriate remedial measures are taken, since the licensees documented risk impacts will be within the guidelines of RG 1.177 and RG 1.174.
CONTACT: Millard L. Wohl, SPSB/DSSA/NRR 301-415-1181
June 5, 2002 MEMORANDUM TO Cornelius F. Holden, Section Chief Electrical Engineering Section Electrical and Instrumentation and Controls Branch Division of Engineering FROM:
Mark P. Rubin, Section Chief/RA/
Safety Program Section Probabilistic Safety Assessment Branch Division of Systems Safety and Analysis
SUBJECT:
RISK MANAGEMENT SECTION OF SAFETY EVALUATION PERTAINING TO GRAND GULF NUCLEAR STATIONS PROPOSED AMENDMENT FOR 14 DAY ALLOWED OUTAGE TIMES FOR DIVISION 1 AND 2 EMERGENCY DIESEL GENERATORS Enclosed please find the Probabilistic Safety Assessment Branchs Risk Management section of the Safety Evaluation Pertaining to the Grand Gulf Nuclear Stations proposed license amendment for 14 day Allowed Outage Times for the Division 1 and Division 2 Emergency Diesel Generators. The SPSB staff finds this proposal acceptable on the condition that the risk metric results and conclusions using the PSA update confirm the findings from the interim PSA model or appropriate remedial measures are taken, since the licensees documented risk impacts will be within the guidelines of RG 1.177 and RG 1.174.
CONTACT: Millard L. Wohl, SPSB/DSSA/NRR 301-415-1181 Distribution: SPSB r/f MWohl MRubin
- See previous concurrence G:\\\\spsb\\wohl\\GGNS14dd.wpd ML0215700127 NRR-096 OFFICE SPSB*
SC:SPSB NAME MWohl:nyc MRubin DATE 05/28/02 06/05/02 OFFICIAL RECORD COPY
PROBABILISTIC SAFETY ASSESSMENT INSIGHTS To assess the overall impact on plant safety of the proposed 14 day AOT for Division 1 and Division 2 DGs, a probabilistic safety assessment (PSA) was performed consistent with the guidance pertaining to risk-informed criteria specified in RG 1.177, An Approach for Plant-Specific Risk Informed Decisionmaking: Technical Specifications. The changes in average Core Damage Frequency (CDF) and average Large Early Release Frequency (LERF), as well as the Incremental Conditional Core Damage Probability (ICCDP) and Incremental Large Early Release Probability (ICLERP) resulting from the 14 day Allowed Outage Time were evaluated.
This evaluation included consideration of the Maintenance Rule (a)(4) Program established pursuant to 10 CFR 50.65 to control performance of other potentially high-risk tasks during a DG outage and consideration of specific compensatory measures to minimize risk. All of these elements were included in a risk evaluation performed using a three-tiered approach suggested in RG 1.177, as follows:
Tier 1-PSA Capability and Insights, Tier 2-Avoidance of Risk-Significant Plant Configurations, and Tier 3-Risk-Informed Configuration Risk Management.
Evaluations per each of these tiers are provided by the licensee in this section.
Tier 1-PSA Capability and Insights As previously noted, the licensees risk-informed support for the proposed to the DG AOT (for either Division 1 or Division 2) is based on PSA calculations performed to quantify the changes in the average CDF and LERF, and the values of the ICCDP and ICLERP. Resulting from the increased AOT.
The licensee computed the results of a risk evaluation for a 14 day DG AOT and compared them with the guidelines from RG 1.174 for changes in the annual average CDF and LERF and from RG 1.177 for Incremental Conditional Core Damage Probability (ICCDP) and Incremental Conditional Large Early Release Probability (ICLERP). The ICCDP and ICLERP evaluations were based on the Division 1 emergency diesel generator (DG A), which provides the upper bound limiting values for these risk metrics. The licensees values for the ICCDP and ICLERP illustrate that the proposed DG AOT change to 14 days has only a small quantitative impact on plant operating risk and result in an unquantified risk reduction due to non-maintenance at shutdown. The licensees risk evaluation results are tabulated below:
Risk Metric Guideline GGNS Results Delta CDF (ave.)
less than 1E-6/yr 2.73E-7/yr ICCDP less than 5E-7 2.15E-7 Delta LERF (ave.)
less than 1E-7/yr 1.04E-8/yr ICLERP less than 5E-8 8.32E-9 The above values of Delta CDF, ICCDP, Delta LERF, and ICLERP are reasonable and acceptable to the staff. There is also an unquantified risk reduction due to avoidance of non-planned maintenance of the DGs at shutdown.
Tier 2: Avoidance of Risk-Significant Plant Configurations The licensee has a Configuration Risk Management Program (CRMP) in place at GGNS in order to comply with 10 CFR 50.65, particularly with respect to paragraph (a)(4). This program provides assurance that risk-significant plant equipment configurations are precluded or minimized when plant equipment is removed from service. When a plant DG is removed from service, risk increases posed by potential combinations of equipment out of service will be managed, according to the licensee, in accordance with the CRMP program. Additional contingencies, which the licensee states will be administratively controlled, include:
1.
Weather conditions will be evaluated prior to entering an extended DG AOT for voluntary planned maintenance. An extended DG AOT will not be entered for voluntary planned maintenance purposes if official weather forecasts are predicting severe conditions (hurricane, tropical storm, tornado, or snow/ice storm) that could significantly threaten grid stability during the planned outage time.
2.
The condition of the offsite power supply and switchyard will be evaluated prior to enter-ing the extended AOT for planned maintenance.
3.
No elective maintenance will be scheduled within the switchyard that would challenge offsite power availability during the proposed extended DG AOT.
4.
Operating crews will be briefed on the DG work plan, with consideration given to key procedural actions that would be required in the event of a LOOP or SBO.
5.
High pressure injection systems (HPCS and RCIC) will not be taken out of service for planned maintenance while DG A (Division 1) or DG B (Division 2) is out of service for extended maintenance.
Additionally, the licensee emphasizes that it has the capability and procedures for cross-connecting the HPCS DG to either the Division 1 or Division 2 ESF bus. This capability is included in the PSA models used for the risk assessment.
The licensee states that while in the proposed extended DG AOT, additional elective equipment maintenance or testing that requires the equipment to be removed from service will be evaluated and activities that yield unacceptable results will be avoided. Cutsets were generated for DG A and B out of service individually. The licensee reviewed these cutsets for insights as to which systems or actions are most critical to avoid plant risk while a DG is out of service for extended maintenance. The cutsets were also reviewed to identify a list of in-service equipment that would be more important as a result of DG A or DG B being out of service.
For DG A, the primary systems included:
Offsite Power Supply Division 1 DC Power Supply Division 2 DC Power Supply Reactor Core Isolation Cooling (RCIC)
DG B (Division 2)
DG C (Division 3)
High Pressure Core Spray (HPCS)
Division 3 SSW Division 2 SSW For DG B, the primary systems included:
Offsite Power Supply Division 1 DC Power Supply Division 2 DC Power Supply Reactor Core Isolation Cooling (RCIC)
DG A (Division 1)
DG C (Division 3)
High Pressure Core Spray (HPCS)
Division 3 SSW Division 1 SSW The licensee states that Procedural and Technical Specification Controls are already in place which will ensure that these systems are not removed from service while a DG is out of service for extended maintenance. Most of these systems in an out-of-service condition would result in an Equipment out of Service (EOOS) color code of Red. The licensee states that they would not enter this level of risk voluntarily. A Red risk condition typically overlaps conditions prohibited by Technical Specifications or conditions requiring entry into a Technical Specification Action Statement. Plant General Manager or Designee notification is required upon entering a Red condition from emergent activities. If an entry into a Red condition occurs (e.g., due to equipment failures), the licensee would take steps to restore any equipment out-of-service for testing or maintenance that could improve overall plant safety. The licensee would take timely actions to reduce plant risk by either restoring inoperable or unavailable equipment or to put the plant in a lower power or shutdown state, taking into account risk associated with the transient required to achieve the lower power state, which could affect this decision.
Tier 3: Risk-Informed Configuration Risk Management Program Consistent with the last paragraph of the Maintenance Rule (10 CFR 50.65 (a)(4)), and as indicated above, the licensee has developed a program that they state ensures that the risk impact of out-of-service equipment is appropriately evaluated prior to performing a maintenance activity. The licensee procedures that govern this process are GGNS administrative procedure 01-S-18-6, Risk Assessment of Maintenance Activities, and the GGNS Shutdown Operations Protection Plan. Procedure 01-S-18-6 ensures that the risk from planned maintenance is evaluated and that maintenance activities are scheduled appropriately. This program requires an integrated review (i.e., both probabilistic and deterministic) to identify risk-significant plant equipment outage configurations. This review is required both during the work management process and for emergent conditions during normal plant operation. Appropriate consideration is given to equipment unavailability, operational activities such as testing or load dispatching, and weather conditions. This licensee program includes provisions for performing a configuration-dependent assessment of the overall impact on plant risk of proposed plant configurations prior to, and during, the performance of maintenance activities that remove equipment from service. Risk is re-assessed if an equipment failure/malfunction or emergent condition produces a plant configuration that has not been previously assessed.
For planned maintenance activities, the licensee performs a risk assessment of the proposed activities on plant safety prior to commencing the scheduled work. This assessment includes the following considerations:
- Maintenance activities that affect redundant and diverse structures, systems and com-ponents (SSCs) that provide backup for the same safety function are minimized.
- The potential for planned activities to cause a plant transient are reviewed and work on SSCs that would be required to mitigate the transient are avoided.
- Work is not scheduled that is likely to exceed a Technical Specifications or Technical Requirements Manual requirement (i.e., a licensee-controlled document containing requirements removed from the Technical Specifications (TS) as part of a conversion to the Improved Standard TS) Completion Time requiring a plant shutdown.
- For Maintenance Rule Program High Risk-Significant SSCs, the impact of the planned activity on the unavailability performance criteria is evaluated.
- Finally, a quantitative risk assessment is performed to ensure that the activity does not pose an unacceptable risk. This evaluation is performed using the Level 1 PSA model.
Planning and Scheduling and Operations reviews emergent work to ensure that it does not invalidate the assumptions made during the schedule development process. Prior to starting any work, the proposed work scope and schedule are critically reviewed to assure that plant safety and operations are consistent with management expectations.
FIRE PROTECTION The probability of plant fire events is not assessed for distinct plant activities such as DG maintenance. However, the licensees Fire Protection Program attempts to minimize fire risk through various design features and administrative controls that address fire prevention as well as mitigation. A description of the GGNS Fire Protection Program is provided in Appendix 9B of the GGNS USFAR. GGNS Administrative Procedure 01-S-10-1, Fire Protection Plan, prescribes the fire prevention and fire protection policies necessary to implement the approved Fire Protection Program. The program assures that an adequate balance of the defense-in-depth concept is maintained to minimize both the probability and consequences of damage due to fire throughout the GGNS site.
The Fire Protection Program uses a three-tiered approach:
- 1. The application of administrative controls to prevent fires from starting.
- 2. The use of active engineering design features to detect and suppress fires, limiting damage consequences of fires that do start.
- 3. The use of passive barriers in combination with the design of plant safety systems such that fires will not prevent essential plant safety functions from achieving and maintaining safe shutdown.
Fire prevention is accomplished primarily through application of the following procedures: S-03-4, Fire Protection: Control of Combustible Material-establishes requirements for the safe storage, transport, and use of combustibles in safety related areas and non-safety related areas of the plant. S-03-3, Fire Prevention: Control of Ignition Sources-establishes controls for hot work and any other potential ignition sources within the plant. S-03-8, Fire Watch Program-describes the responsibilities and duties of persons associated with assigning, documenting, and performing fire watch duties.
PSA MODEL DEVELOPMENT,QUALITY The licensees plant PSA model was first developed for the Individual Plant Examination (IPE) that was submitted to the staff by letter GNRO-92/00157 dated December 23, 1992, in response to Generic Letter 88-20, Individual Plant Examination for severe accident vulnerabilities. The staff issued its Safety Evaluation Report (SER) for the IPE by letter GNRI-96/00067 dated March 7, 1996, wherein the staff concluded that the licensees IPE submittal met the intent of Generic Letter 88-20, without identifying any major weaknesses.
An independent assessment of the licensees PSA has been completed to assure that it was comparable to those of other PSAs in use throughout the industry. This assessment applied the self-assessment process developed as part of the Boiling Water Reactor Owners Group (BWROG) PSA Peer Review Certification Program. The PSA Certification Team completed an inspection and review of the licensees PSA in August 1997 and completed a PSA Certification Report in November 1997. The models and methodology used in Revision 1 of the PSA were included in the PSA Certification review. The quality and completeness of the PSA documentation were also assessed. The certification team found that the PSA is fully capable of addressing issues such as those associated with extending the Division 1 and Division 2 DG AOTs from 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> to 14 days.
At the time of the DG AOT extension request, the licensees PSA was undergoing its second major revision. Changes being made include operational and hardware changes, as well as some methodology changes that impact the evaluation of offsite AC power recovery. The licensee states that this revision (Revision 2) is still in progress, but that the present DG AOT extension request evaluation was performed using an interim model, which captures the important model changes developed through September 2001. The licensee will reassess the evaluation when the PSA update is finalized to confirm the conclusions from the interim model.
The Licensee has committed to report to the staff if the conclusions are not confirmed and if this is the case, to take appropriate remedial measures.
The licensees Level 2 PSA model has not been revised since the original IPE submittal. An evaluation of the impact on LERF of the DG AOT extension was performed using the results of Sensitivity Case 1 of the IPE. This sensitivity more closely resembles the current version of the GGNS Emergency Procedures/Severe Accident Procedures with regard to the venting of the vessel through the MSIVs. Since the primary impact of the proposed AOT is on the core damage frequency associated with LOSP and SBO, the licensee estimates LERF based upon the fraction of large early releases associated with sequences initiated by a LOSP event.
EXTERNAL EVENTS By letter dated November 15, 1995, the licensee, Entergy Operations, Inc. (EOI) submitted its Individual Plant Examination for External Events (IPEEE) for GGNS. In the IPEEE, fire was addressed using fire PSA methods (i.e., EPRI TR-105928, Fire PRA Implementation Guide),
seismic impact was addressed using a seismic margins methodology, and other events were addressed by conforming to the 1975 Standard Review Plan (SRP). EOI received the staff Safety Evaluation Report by letter dated March 16, 2001, in which the staff concluded that the aspects of seismic events, fires, and high winds, floods and other (HFO) events were adequately addressed. Of the events considered, seismic and fire are the initiators with the most potential for an induced loss of offsite power. A loss of offsite power is relevant to the proposed changes because of the potential increase in DG unavailability.
SEISMIC GGNS was classified in NUREG-1407, Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities, June, 1991",
as a reduced scope plant of low seismicity; emphasis was placed on conducting seismic walkdowns for the IPEEE. Thus, the licensee did not make a direct determination of the seismic loss of offsite power (LOOP) initiator frequency, but estimated it as follows: Ceramic insulators for offsite power transformers tend to be the most vulnerable components in the offsite power system during a seismic event. NUREG/CR-4550, Vol. 4, Rev. 1, Part 3, Analysis of Core Damage Frequency, Peach Bottom Unit 2, estimates the median peak ground acceleration at which these ceramic insulators are lost to be approximately 0.25g.
NUREG-1488, Revised Livermore Seismic Hazard Estimates for Sixty-Nine Nuclear Power Plants East of the Rocky Mountains, provides an estimate for annual probability of exceedance for peak ground acceleration of approximately 2 E-5 for GGNS and a ground acceleration of 0.25 g. The licensee thus estimates the seismic LOOP initiator frequency as 2.3 E-3/yr (3.9 E-2/yr x6 E-2, where 6 E-2 is the four hour non-recovery probability of offsite power). Even if the likelihood of non-recovery of offsite power were somewhat greater given a seismic event, the estimate and the relatively minor changes to the internal events PSA model, the licensee states that the impact of the proposed changes to seismic risk is very small. The staff agrees.
FIRE While the licensee used PSA techniques to develop CDFs associated with internal fires, the IPEEE results are still screening analyses and therefore are not directly comparable to the CDF results from the internal events PSA. The CDF values generated for the IPEEE were intended to show that the CDF is low enough that a vulnerability does not exist. The licensee did not develop the fire PSA to the same level of detail as the internal events PSA. Therefore, the fire CDF reported in the IPEEE should not be combined with, or directly compared with the internal events analysis. A review of the fire PSA scenarios indicates that approximately 14.6% of the fire CDF (1.3 E-6/r-yr) is associated with a fire-induced LOOP event. This compares with a 42.5% contribution (2.3 E-6/r-yr) from LOOP initiators for the base internal events PSA. These frequencies are relatively close, and since additional DG out-of-service time would primarily impact LOOP scenarios, the effect of the proposed change (14 day at-power AOT) on internal events risk is well-within the RG guidelines, there is no need for a quantitative evaluation of the impact on fire risk, which should also be within the RG guidelines.
HIGH WINDS AND TORNADOES The licensees IPEEE submittal states that all safety-related structures, except the Standby Service Water (SSW) system components, are protected against high winds, tornado wind loads, and tornado-generated missiles. The licensee that the SSW system components are not protected against postulated tornado-generated missiles. The guidance in NUREG-1407 is that if a plant meets the 1975 SRP criteria, high winds and tornados can be screened out as significant contributors to the total CDF. The licensee made use of fairly recent tornado data for 10 years (1985 through 1994). For the SSW components, a frequency assessment of tornado-generated missiles was performed. The licensee estimated this frequency to be 7.7 E-9/r-yr. This frequency is substantially lower than the NUREG-1407 criterion of 1.0 E-6/r-yr. The staff thus finds that the risk due to high winds and tornado-generated missiles is acceptable, conforming to the NUREG-1407 guidelines.
The staff concludes that the external events results were adequately complete and reasonable, considering the design and operation of the plant. The staff thus concludes that the aspects of seismic events, fires, and high winds and tornadoes (including missiles) were adequately addressed, and other external events were not of substantial consequence.
CONCLUSIONS The staff concludes that the impact on plant risk of allowing 14 day at-power Allowed Outage Times for the Grand Gulf Nuclear Plant Division 1 and Division 2 DGs is very small for both internal and external events. The staff thus recommends that the proposed 14 day Allowed Outage Times be allowed.