The impact of FLEX on outage risk: Part 1 (theory)

31 July 2014

Palo Verde has developed a plan for post-Fukushima modifications following US industry guidance. It found these changes generated extra outage safety and performance benefits. By Mike Powell, Kevin Graham and Jeff Taylor

Following the Fukushima Daiichi accident, the US Nuclear Regulatory Commission (NRC) issued order ES-12-049 [1] requiring nuclear plants in the US to implement mitigation strategies to cope with a beyond- design-basis external event.

The event is assumed to result in an extended loss of all AC power and loss of access to the ultimate heat sink for all units on the site, with no expectation of either returning. The initial phase requires installed equipment and on-site resources to be used to maintain or restore cooling capability for the core, containment and spent fuel pool (SFP). The transition phase requires the use of portable onsite equipment to provide sufficient cooling for these functions. The final phase requires the use of offsite resources to sustain these functions indefinitely.

The US commercial nuclear industry, working through the Nuclear Energy Institute (NEI), developed guidance for flexible and diverse strategies (hereafter referred to as FLEX) that would address the NRC order. NEI 12-06 [2] was developed and discussed with the NRC over several months, and after several drafts and many public meetings, was eventually approved by the NRC as Interim Staff Guidance (JLD- ISG-2012-01) [3] on 29 August 2012. Operating licence holders had to submit an "overall integrated plan" on how they would comply with the NRC order and guidance by 28 February 2013. They were then required to complete full implementation of the order within two refuelling cycles following submittal of their plan, or by 31 December 2016, whichever came first (see also 'Developing the FLEX plan', April 2013, pp. 21-3).

Palo Verde nuclear station is a three-unit site 50 miles west of Phoenix, Arizona, operated by Arizona Public Service Company (APS). All three units are two-loop Combustion Engineering System 80® designs, which are licensed for 60 years and will operate well past 2040. APS must implement the new requirements. Based on the outage schedules, Unit 1 will be the first to achieve full compliance, in the third quarter of 2014, Unit 3 will be compliant in the first quarter of 2015 and Unit 2 will be compliant by third quarter 2015.

APS completed the baseline coping capability in the engineering phase and established conceptual modifications (typical for PWRs) to comply with the FLEX order. To comply with the order and to provide diversity and defence-in-depth, a primary and alternate means of accomplishing each function is needed.

Modifications were made to:

  • The auxiliary feedwater system (AFW), to allow for primary and alternate steam generator injection with a FLEX pump (right-hand green line in Figure 1)
  • The high pressure safety injection (HPSI) system, to allow for primary and alternate reactor coolant system (RCS) makeup with a FLEX pump (yellow line above). If steam generators are not available (for example during an outage) the HPSI modification also would allow the SG injection FLEX pump to inject into the RCS (purple line)
  • Two new seismically-qualified pipes (primary and alternate) discharging into the spent fuel pool for makeup with a FLEX pump (red line above)
  • The 480V Class 1E load centres, to install primary and alternate FLEX junction boxes to allow for FLEX generator hookup
  • The 4160V Class 1E switchgear, to install primary and alternate FLEX connection (disconnects) to allow for FLEX generator hookup
  • A variety of tanks to allow suction and refilling of the condensate storage tank (CST) and the refuelling water tank (RWT).

In accordance with NEI 12-06, the FLEX strategies were designed assuming the reactor is at power, but the diverse and flexible approach to the strategies allows them to be implemented in essentially all plant states. While the FLEX strategies were not specifically designed for outage conditions (with the exception of RCS makeup (orange line above), which was designed to support core cooling during an outage), providing multiple connection points does help provide redundancy when installed plant equipment is out of service during an outage.

During at-power conditions, the portable equipment cannot be credited for recovery during the initial phase of the event (which lasts 36 hours at APS). However, during an outage, the FLEX portable equipment can be pre-deployed as long as it is within the allowed out-of-service time of the equipment as defined in NEI 12-06. This approach has been confirmed by an NRC-approved NEI position paper on the use of FLEX equipment in shutdown modes [4].

Using a combination of the FLEX modifications and the pre-deployment allowance, APS has made significant enhancements to reduce the outage risk profile and outage time. The following is a review of some of these approaches.

Palo Verde approach to managing outage risk

At Palo Verde, outage risk is communicated in terms of risk management action level (RMAL). From NUMARC 93-03 [5], risk management is accomplished by defining action levels and using risk management actions. These actions are specific to a given maintenance activity and vary depending on the magnitude and duration of the risk impact, the nature of the activity and other factors.
RMAL is a risk scale that provides a tool for station management to monitor and manage nuclear risk. By law [6] risk assessment must be performed for maintenance activities prior to performing the task. Having a scale is an excellent way for management to evaluate the risk level of the proposed activity in combination with other maintenance activities by reviewing the schedule and changing it if necessary.

The outage scale (shutdown risk) is a qualitative method based on managing safety functions via defence-in-depth. The latter refers to:

  • Providing systems, structures and components to back up shutdown safety functions using redundant, alternate or diverse methods
  • Scheduling outage activities in a manner that optimises safety system availability
  • Providing administrative controls that support or supplement the above elements.

Determination of the RMAL is based solely on the available mitigating equipment. The shutdown RMAL does not convey relative differences in plant risk due to plant operating state and time after shutdown. For example, the plant risk is greater with all mitigating equipment available at lowered pressuriser level then it is with all mitigating equipment available when pressuriser level is normal. But the defence-in-depth model concludes that both plant operating states have the same number of layers of safety.

The safety function RMAL value is based on N+1 criteria, where "N" is the safety-significant control needed to meet the safety function, and colour-coded as follows:

  • Green RMAL: N+2
  • Yellow RMAL: N+1
  • Orange RMAL: N
  • Red: 0 safety function success paths available

Although "N" meets the safety function, it lacks defence-in-depth and is an undesirable risk level, so it constitutes an orange RMAL. The minimum acceptable defence-in-depth is N+1, and this constitutes a yellow RMAL.

As a general philosophy, the Palo Verde expectation is to maintain green RMAL conditions. If a non-green condition cannot be avoided by rescheduling activities, work that affects the risk shall be completed as quickly as possible.


[1] US NRC Order EA-12-049, "Issuance of Order to Modify Licenses with Regard to Requirements for Mitigation Strategies for Beyond- Design-Basis External Events", March 12, 2012. [ADAMS Accession No.: ML 1205A736]
[2] NEI 12-06, Rev. 0, "Diverse and Flexible Coping Strategies (FLEX) Implementation Guide," August 2012.
[3] NRC JLD-ISG-2012-01, Rev. 0, "Compliance with Order EA-12- 049, Order Modifying Licenses with Regard to Requirements for Mitigation Strategies for Beyond-Design-Basis External Events," August 2012.
[4] Nuclear Energy Institute (NEI) "Position Paper: Shutdown/ Refueling Modes", September 18, 2013. [ADAMS Accession No.: ML13273A514]
[5] NUMARC 93-03, "Industry Guideline for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants", Revision 4A, April 2011. [ADAMS Accession No.: ML11116A198]
[6] US 10CFR50.65, "Requirements for monitoring the effectiveness of maintenance at nuclear power plants"

About the authors

Mike Powell, director, Fukushima Initiatives, and Kevin Graham, manager, Work Management Outage, Palo Verde Nuclear Generating Station; Jeff Taylor, product manager, Post-Fukushima Safety Enhancements for Westinghouse Electric Company

Figure 1

Privacy Policy
We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.