A05914, Forwards Comments on NRC Contractor Draft Rept Re Probabilistic Safety Study,Per NRC 860716 Request

ML20214N396
Person / Time
Site: Haddam Neck
Issue date: 09/08/1986
From: Opeka J
CONNECTICUT YANKEE ATOMIC POWER CO.
To: Charemagne Grimes
Office of Nuclear Reactor Regulation
References
A05914, A5914, B12241, NUDOCS 8609160271


Text

CONNECTICUT YANKEE ATOMIC POWER COMPANY

BERLIN, CONNECTICUT
P.O. Box 270, HARTFORD, CONNECTICUT 06141-0270

September 8, 1986

Docket No. 50-213
B12241
A05914

Office of Nuclear Reactor Regulation
Attn: Mr. Christopher I. Grimes, Director
Integrated Safety Assessment Project Directorate
Division of PWR Licensing - B
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Gentlemen:

Haddam Neck Plant
Comments on Draft NRC Review of the Haddam Neck Probabilistic Safety Study

As part of the Haddam Neck ISAP effort, Northeast Utilities Service Company, on behalf of Connecticut Yankee Atomic Power Company, performed a Probabilistic Safety Study (PSS) of the Haddam Neck Plant. The results of this study were docketed to the NRC in a letter dated March 31, 1986.(1) In a letter dated July 16, 1986,(2) we were requested to review and provide the Staff with comments on a draft report, prepared by an NRC contractor, on the Haddam Neck PSS. Initial comments were presented to and discussed with the NRC and its contractor in a meeting held on August 12, 1986. Attachment 1 to this letter documents our comments on the draft report.

If you have any questions on this material, please feel free to contact my Staff.

Very truly yours,

CONNECTICUT YANKEE ATOMIC POWER COMPANY

J. F. Opeka
Senior Vice President

(1) J. F. Opeka letter to C. I. Grimes, "Probabilistic Safety Study - Summary Report and Results," dated March 31, 1986.

(2) C. I. Grimes letter to R. M. Kacich, "Request for Comments on Review of Probabilistic Safety Study," dated July 16, 1986.


Docket No. 50-213

Attachment 1

Connecticut Yankee Atomic Power Company
Comments on Draft NRC Review of the Haddam Neck Probabilistic Safety Study

September, 1986

General Comments

Northeast Utilities Service Company (NUSCO) believes that the purpose of the PSS review is to determine the accuracy, completeness, and correct representation of the risk associated with operation of the Haddam Neck Plant.

In this regard, there is concern that the attempt which is made in the draft review to construct completely new and substantially larger models to replace those in the existing PSS is not the optimum path to accomplish the review. As a result of this, existing analysis which we conclude is technically accurate is replaced with new models containing unverified assumptions, some of which contradict known physical plant behavior and design features. Examples of this include:

o Assuming that spurious closure of the alternate MCC-5 feeder breaker will induce some kind of transient if the normal feeder breaker remains closed. As both incoming AC supplies would be in-phase there would be no transient.

o Equating the plant response to a stuck-open PORV (effective break area of approximately 0.013 ft²) with the response to an RCP seal failure (effective break area of approximately 0.001 ft²). These two classes of LOCAs have significantly different plant response and require different success criteria for mitigation.

o Equating the probability of mechanical spring loaded steam safety valves failing to remain closed with the probability of automatic steam bypass and dump valves (which are susceptible to control system faults) failing to remain closed.

These types of differences in interpretation would have been avoided had steps been taken to verify design features prior to initiating reanalysis.

In order to develop the current PSS models, NUSCO expended considerable resources in trying to gain a clear in-depth understanding of performance and plant system failure mode characteristics. From this perspective, we are concerned about proposed revisions to the current models (much less initiating development of alternate models) without verification that problems really do in fact exist in the current models.

A number of assertions are made within the draft PSS review report which suggest that highly inaccurate or inappropriate analysis was performed.

Examples include:

o an inadequate number of LOCA categories were analyzed

o that Bleed and Feed core cooling actions were treated inconsistently and perhaps incorrectly.

It does not appear that any attempt was made to understand why certain LOCA categories were lumped together for simplification or why modeling of Bleed and Feed recovery actions is technically unnecessary for certain events. Had this been done, it likely would have been apparent that based on screening analysis, significant event tree simplifications could be made without any impact on the "representation of plant risk". This eliminates the need for dealing with event trees with upwards to a hundred end states as is alternately proposed.

Eliminating unnecessary models which add nothing to the understanding or quantification of risk is efficient and is consistent with good PRA practice.

In general, CYAPCO and NUSCO stand by the reasonability, completeness, and correct representation of the risk estimated in the Connecticut Yankee PSS. We look forward to the opportunity to work with the NRC Staff in order to clarify their understanding of our work.

Page 2-5, Section 2.2.2 "Steam Generator Tube Rupture"

"The frequency with which this event occurs at the Haddam Neck Power Plant is calculated based on generic data suggested in NUREG-0844 (5). In this report, four single tube failures over 240 reactor years of experience are cited. This results in a steam generator tube rupture frequency of 1.7E-2 per year. In EPRI NP-2230 (6), for all PWRs at all powers eight steam generator leakage events in 213 years of operation are reported. Steam generator leakage in this report is defined as "excessive primary to secondary leakage in the steam generator." Based on this data a mean frequency of 3.7E-2 per year is calculated."

Comments:

There is a significant difference between a steam generator tube rupture event and an orderly shutdown required by Technical Specifications or plant procedures due to excessive primary to secondary leakage. NUREG-0844 contained data pertaining to the frequency of steam generator tube ruptures rather than excessive primary to secondary leakage. The referenced EPRI report was prepared primarily for the purpose of estimating demands on reactor shutdown systems and not the quantification of different classes of primary to secondary leakage events. Equating excessive leakage events with steam generator tube rupture events inaccurately increases the frequency of tube rupture events to unrealistic levels.


Page 2-7, Section 2.2.3 "LOCA Outside Containment"

"Another initiator for this event which was not considered in the above analysis is the possibility of rupture of one of three orifices which are located right before the air operated valves."

Comments:

We agree with this comment and will consider modifications to the PSS in a future update.


Page 2-14, Section 2.3.4 - "Steamline Break Upstream of the Non-Return Valves"

"There are two types of failures that contribute to the occurrence of this initiator. These include the possibility of pipe rupture upstream of the four non-return valves and spurious opening of one or more steam generator safety valves.

In the PSS the pipe rupture contribution to this initiating event was calculated using a similar method as the main feedwater break frequency. Based on 64 pipe segments and a mean pipe segment failure rate of 8.4E-10, the frequency of steamline break upstream of the non-return valve due to pipe rupture was calculated to be 4.8E-4 per year.

The contribution from spurious opening of one of the sixteen steam generator safety valves was not evaluated in the PSS. The frequency of this event can be calculated using the following relationship:

FSR = 16 FSS FFC

where FSR is the frequency of any of the steam generator safety relief valves getting stuck open; FSS is the frequency of spurious opening of the steam generator safety relief valves; FFC is the failure probability of the safety relief valves to close, given they have opened.

The frequency of spurious opening of steam generator safety relief valves, for all PWRs, at all power levels, excluding the first two years is 0.03 (6). The mean failure probability of safety relief valves to close, given they have opened, is 2.0E-2/demand (7). Thus, the contribution from spurious opening of steam generator safety valves to the steamline break upstream of the non-return valve is 9.6E-3 per year. Adding this to the contribution from pipe rupture gives the total frequency of steamline break upstream of the non-return valve as 1.0E-2/year."

Comments:

These calculations are based on a number of misinterpretations of EPRI NP-2230 data and result in an erroneous conclusion regarding the frequency of spurious operation of steam generator safety valves at the Haddam Neck Plant.

(i) The data source used to develop spurious valve operation data is in fact for power operated relief valve failures, where control signals or power supply malfunctions resulted in spurious operation. Applying such statistics to mechanical spring loaded safety valves such as those at the Haddam Neck Plant is inappropriate. The statistics were generated from valves which do not exist in the design of the plant.

(ii) The 0.01/yr frequency is the frequency of a plant event involving spurious operation of any steam generator relief valve. Different types of PWR designs (i.e., 2-loop, 3-loop, 4-loop) have different numbers of steam generator safety valves. The alternate calculations erroneously equated the frequency of spurious valve operation per year to the frequency of any spurious operation event per year - and hence the multiplication by a factor of 16.

The result of these two errors is a gross overestimation of the frequency of steamline break type events by over two orders of magnitude.

As an additional comment, a steamline break upstream of the non-return valves differs significantly from a spuriously lifted safety valve in that it cannot be isolated. A spuriously lifted mechanical safety valve can be reclosed locally. If the frequency of this event is such that it is not a concern to estimating plant risk, then merging such spurious valve operation (and neglecting their recovery) with steamline breaks would be appropriate.

Page 4-18, Section 4.7.2 "Comments"

"In the analysis of the long-term cooling mode for the RHR system, Northeast Utilities does not give credit to the "core deluge valves" as an alternate path for the RHR system injection. This means of injecting water into the core is used in other low pressure applications of the RHR system. This apparent omission results in a significantly increased RHR system unavailability in the long-term cooling mode. The dominant faults in the fault tree for this RHR mode of operation are listed as a failure of the suction or discharge valves. Crediting an additional injection path would effectively eliminate half of the system cut sets."

Comments:

This is incorrect. Core deluge valves were modeled as an alternate path for RHR long-term cooling as noted on page 4.2-209 of the PSS.

Page 2-19, Section 2.4 "Plant Specific Transient Initiators"

"Among these, only MCC-5 was not modelled correctly. For MCC-5 it was found that the system fault tree did not model the premature closure of the supply breaker from the alternate power source."

Comment:

Premature closure of the supply breaker from the alternate power source to MCC-5 would not cause a transient. The existing circuitry would reopen it.

Additionally, the preferred and alternate circuits are in phase.

Page 3-3, Section 3.1.1 "Analysis of Random and Consequential Small LOCAs"

"In the PSS, bleed-and-feed is inconsistently applied to the various small LOCAs (random and consequential) and secondary depressurization is not applied at all. Additionally, the operator response time allowed for the operator to initiate recirculation for these breaks at the lower end of the range is quite a bit shorter than the actual available time since it is based on the time available for the 2-inch diameter breaks. All of these assumptions could serve to distort the perceived core melt risk from these very small breaks because the success criteria are not reasonably consistent across the entire break size range."

Comments:

Bleed and Feed cooling was consistently applied to all small LOCAs. The initial screening quantification clearly indicated that in a number of event trees the unavailability of steam generator cooling was sufficiently low that the event tree nodes for bleed and feed cooling could be removed with no impact on the event tree quantification. Bleed and feed nodes were kept in event trees where it is important.

We believe that it is good PRA practice to develop event tree models to the level necessary to understand plant risk. Creating unduly large event tree models just to keep event trees looking similar but which do not provide any additional information on plant risk is an ineffective use of resources.

For consequential LOCAs the definition of the Operator Action Nodes OAS in fact were different and depend on the path through the event trees. These differences are noted in the PSS text on event trees. Again the purpose of this was to reduce the number of event tree nodes where such reduction has no measurable impact on the results. This is a reasonable approach and is consistent with good PRA practice.

Page 3-3, Section 3.1.1 "Analysis of Random and Consequential Small LOCAs"

"The solution to this problem is to divide the small LOCAs into two break size ranges, the small LOCAs (3/4-inch to 2-inches) and the small-small LOCAs (3/8-inch to 3/4-inch). This was done in the best estimate LOCA analysis but for some reason was not carried through to the PSS. The small LOCA range would encompass random breaks only, and the success criteria would require high-pressure injection (HPSI or charging) for early core cooling and high-pressure recirculation for late core cooling. Methods for depressurizing and utilizing low pressure systems would not be credited because LOCA analysis indicates that the pressure could not be sufficiently lowered prior to core uncovery. In keeping with the LOCA analysis, steam generator cooling would not be required for this break size."

Comments:

The best estimate LOCA analysis was not performed to exclusively quantify the risk of small-small LOCAs. The PSS pointed out that, for the purposes of quantifying risk, there was no need to differentiate between 3/8" - 3/4" LOCAs and 3/4" - 2" LOCAs based on decay heat removal requirements because the unavailability of steam generator cooling was sufficiently low. Again, the screening quantification indicated no measurable differences in risk between two separate event trees vs. a single event tree.

Page 3-3, Section 3.1.1

"The small-small LOCA range would encompass both random breaks and consequential LOCAs caused by a stuck-open PORV or by RCP seal failure (see also Section 3.1.2). The LOCA analysis implies that the response for each of these LOCAs is virtually identical."

Comments:

The Best Estimate LOCA Analysis (Sections 2.3.6 and 6.6.1 of NUSCO-150) does not state that a stuck-open PORV and RCP seal failure would cause virtually identical plant response.

A PORV is equivalent to a 0.013 ft² break. Without safety injection the core uncovery time is approximately 1.5 hours.

An RCP seal failure (all 4 RCPs), which is equivalent to roughly a 0.001 ft² break, would result in core uncovery at 7.5 hours if steam generator cooling was available but with no RCS makeup.

Page [illegible], Section 3.1.2 "Treatment of Consequential RCP Seal LOCA"

"A problem related to the above discussion is the PSS treatment of the consequential RCP seal LOCA. This event results from a loss of cooling to the RCP seals, which causes seal failure and a subsequent LOCA. The design of the Haddam Neck RCP seals is such that the LOCA flow rate is limited to 50 gpm/seal. For this reason, the PSS argues that in some ways the RCP seal LOCA is not a real LOCA at all, since the total potential flow rate is only 200 gpm if all four seals fail and may actually be lower. Any leak of less than 160 gpm does not come under the definition of a LOCA, since normal makeup to the charging system can provide this much flow. (It is stated in the initiating event section that the 3/8-inch diameter lower limit of the small LOCA range is based on this 160 gpm flow rate). Another point made by the PSS is that there are a number of mitigating factors which come into play even with a 200 gpm seal LOCA.

First, the operator can use loop isolation valves to stop the LOCA. Second, the difference between 200 gpm and 160 gpm is small and it would take a very long time to deplete the RWST and thus create the necessity for recirculation. For these reasons, the PSS assumes that if charging can be recovered after the seals have failed the result is the same as if the seals had not failed at all. That is, the event is treated like a transient instead of a LOCA. This occurs mostly in certain occurrences of the event "primary integrity" (PIT), where seal failure with charging recovery is considered success of PIT.

Based on the above discussion, it appears that treating an RCP seal LOCA as anything but a genuine small-small LOCA is overly optimistic. It appears clear that the size of the break fits the definition of a small-small LOCA and that the plant response would be like other small-small LOCAs. Therefore recirculation must be considered because it would be required before the 24 hours sequence time cutoff. We recognize and understand the reluctance of the PSS to categorize and treat this event with the same restrictive success criteria it applied across the range of its small LOCA category; however, this problem would not have occurred if the PSS had divided the small LOCA range as discussed in Section 3.1.1. Since we have made that division and our small LOCA range more accurately fits the RCP seal LOCA than either the PSS small LOCA or the PSS RCP seal LOCA assumptions, the affected event trees have been modified so that the RCP seal LOCA is treated identically to the redefined small-small LOCA."

Comments:

There is no technical basis for breaking up the small LOCA event tree if the objective is to correctly estimate and characterize the risks associated with operation of this plant. The use of two separate event trees was also originally done by NUSCO but was condensed to a single event tree after preliminary screening quantification because the additional complexity had no effect on risk quantification and thus provided no additional insights into plant safety.

As noted earlier, with no make-up flow and 200 gpm total leakage from the seals, about 7.5 hours are required before core uncovery occurs. If charging is recovered prior to this time, RCS makeup can be provided at relatively low flow rates and the full Refueling Water Storage Tank inventory of 200,000 gallons would be available. If the RCS remained at full pressure (which would not be the case), the RWST would provide a 17 hr makeup supply without need for recirculation. Considering the depressurization effects it is more realistic that the RWST inventory would be sufficient for 30 to 40 hrs without need for recirculation. By then cold shutdown would have been attained. We conclude that the existing analysis is valid.


Page 3-5, Section 3.1.2 "Treatment of Consequential RCP Seal LOCA"

"We are not satisfied with this treatment of the RCP seal LOCA. First, the values 160 gpm and 200 gpm are approximations (1) and, even with the uncertainties, indicate that the RCP LOCA falls clearly into the small LOCA range. Second, it is not reasonable to take the difference between 160 and 200 gpm and consider it (2) to be the flow rate from the RWST. That assumes that the normal charging lineup would be in place, with makeup being provided to the volume control tank. In actuality, the charging system would be initially lost (this must happen for the RCP seal LOCA to occur since charging also supplies seal injection) and the 200 gpm flow rate would trigger safety injection, which transfers charging suction to the RWST. Thus, the RWST flow rate would be the full 200 gpm, and the recirculation (3) switchover point would be reached in (4) a little over eight hours. Finally, the ability of the operator to isolate the RCPs and thus terminate break flow is limited because complete isolation would interrupt flow to the steam generators, making SGC impossible."

Comments:

(1) We do not understand the intent of the first point related to 160 gpm and 200 gpm being approximations and that RCP LOCA falls into the small LOCA range.

(2) The second point inaccurately states that the difference between 160 and 200 gpm is the flow rate from the RWST. This is not stated in the Connecticut Yankee PSS.

The 200 gpm is obtained by multiplying the leak rate from a reactor coolant pump following a loss of cooling to the reactor coolant pump seals (50 gpm) by the number of reactor coolant pumps (4). The 50 gpm per reactor coolant pump is per the Facility Description and Safety Analysis Report, Section 5.1.4.2.

(3) As noted previously, the plant would be in cold shutdown prior to any need for recirculation and the time period is considerably longer than the 8 hours stated.

(4) Isolation of two leaking RCPs could double the time window and would still leave 2 steam generators available for cooling. Over the long term after decay heat levels have decreased three RCS loops could be isolated and the remaining steam generator could remove decay heat.

We affirm the validity of the analysis submitted.

Page 3-6, Section 3.1.3 "Need for Containment Heat Removal with Feed and Bleed"

"The PSS assumes that containment heat removal (CHR) using either fans or sprays is required for bleed-and-feed (BAF) scenarios. This is despite the fact that other recent PWR PRAs have shown that BAF followed by recirculation for RHR cooling is sufficient to prevent core melt without the use of CHR.

Additionally, the plant-specific LOCA analysis shows that the peak containment pressure during BAF without CHR is about 23 psi in the first 15 hours, a figure which is substantially lower than the containment failure pressure. The basis for the PSS assumption is that "an adequate pressure (differential) must be maintained between the PORV receiver air tank and (the) containment (in order) to keep the PORVs opened." The PSS does not define "adequate," nor does it state at what time after the initiation of BAF "adequate pressure" is lost.

The assumption is potentially conservative in that it appears that a time frame should exist during which switching to long-term cooling should arrest the pressure rise and prevent PORV closure. However, it also appears that the probability of losing CHR when BAF and long-term cooling are operating is very small due to the redundancy of CHR and to the extensive equipment sharing between long-term cooling and CHR. Thus, the inclusion of the need for CHR during BAF scenarios probably does not significantly affect the results, and thus a more detailed consideration of this need is not warranted at this time. Should our requantification indicate that the problem is significant, it will be given further consideration."

Comments:

A critical dependency appears to have been missed. The air operated PORVs in the Haddam Neck Plant require ambient (containment) air pressure to be less than 12.8 psig. If the ambient air pressure exceeds 12.8 psig, the PORVs will close, thus defeating use of PORVs for Bleed and Feed cooling. The fact that other recent PWR PRAs did not consider this effect is either a reflection of the fact that they employ different PORV designs or that the analysts failed to consider this dependency.

Without containment cooling, Bleed and Feed Cooling is calculated to result in pressures exceeding 12.8 psig in about 40 minutes. The assumptions used to derive the 12.8 psig value are conservative but representative.

Page 3-7, Section 3.2.1 "Large LOCA Event Tree"

"We have reviewed the large LOCA event tree and find it to be a proper representation of plant response. Our only comment would be that the need to switch to two path recirculation to prevent boron precipitation is probably not justified. It is unlikely that sufficient boron precipitation to cause a problem would occur. However, this action is so simple and there is such a long time after the initiation of recirculation to perform it that it is not important to the results of the analysis."

Comments:

While we acknowledge the required actions are simple and available timeframes long, failure to achieve two path recirculation given success of everything else will result in the loss of coolable core geometry and eventual core melt.

Page 3-7, Section 3.2.3 "Small LOCA Event Tree"

"As discussed in Section 3.1.1, we found that the analysis of small LOCAs should have been broken up into two size ranges and given success criteria as described in that section. Two trees have been developed to implement that conclusion."

Comments:

There is no technical basis for breaking up the small LOCA event tree if the objective is to correctly estimate and characterize the risks associated with operation of this plant. The use of two separate event trees was also originally done by us but was condensed to a single event tree after preliminary screening quantification because the additional complexity had no effect on risk quantification and thus provided no additional insights into plant safety.

In this regard, the single small LOCA event tree in the PSS identifies 24 sequences to be quantified as compared to the proposed 2 separate event trees with a total of 90 sequences to be quantified.

Page 1-10, Section 3.2.3 "Small LOCA Event Tree"

FIGURE 3.2 - SMALL-SMALL LOCA EVENT TREE

Comments:

In the additional event tree, a node addressing adverse break size and location was modeled in the small-small LOCA (A 0.001 ft²) event tree. The range of vulnerability to the break size and location issue is:

0.02 ft² - 0.045 ft²   RCS Loop 2 Cold Leg
XXX - 0.38 ft²   Charging Line

There should thus not be a BSL node.

Page 3-11, Section 3.2.4 "Steam Generator Tube Rupture Event Tree"

"The steam generator tube rupture event tree has a significant error pertaining to operator response under certain conditions. The error comes from assuming that, for all conditions, the operator will eventually come to a step in a procedure which calls for determining whether SGTR exists and that the first actions taken will be in response to the SGTR. This supposition is reflected on the tree by the positioning of this operator response prior to the steam generator cooling event (SGC). The PSS states that the success criteria for SGC is dependent on whether detection and isolation has occurred, and assumes that this operator response is not dependent on whether SGC has succeeded. This statement is contrary to the actual sequence in which certain events occur. The failure of SGC is a critical preemptory failure in the symptom-oriented procedures. If steam generator cooling is not available and it is required (which is the case), the operator is instructed to go immediately to one of the emergency functional recovery procedures. This occurs long before any step would be reached which calls for the operator to determine if an SGTR has occurred. Once in this procedure, failure to establish SGC would cause the operator to initiate bleed-and-feed."

Comments:

There is no error in the Steam Generator Tube Rupture Event Tree. There is no reason requiring event tree nodes to be in chronological order.

If a particular event tree node is capable of defeating a number of success paths established via several predecessor nodes, reordering of the event tree nodes will result in a dramatic reduction in the number of sequences to be quantified. The PSS SGTR event tree results in 50 sequences versus the proposed 95 sequences.

Closer examination of the logic structure of the sequences would have shown that the PSS event tree with 50 sequences is logically consistent - but without using 95 repetitive sequences.

Page 3-12, Section 3.2.4 "Steam Generator Tube Rupture Event Tree"

"Another timing problem we noted is that the consequential secondary steam leak event (SRV) appeared after the primary depressurization event (DEP) based on the assumption that successful DEP would prevent the secondary SRVs from lifting.

A review of the SGTR thermal-hydraulic analysis included with the PSS indicates that the valves will lift very early following the SGTR, prior to the time DEP would occur. We have modified the tree by reversing the order of these events to properly reflect the timing sequence."

Comments:

It is true that the SRVs will always lift. But whether it lifts and sticks open is dependent on node DEP. This portion of the model is correct as is shown in the PSS.

Page 3-12, Section 3.2.4 "Steam Generator Tube Rupture Event Tree"

"Finally, the PSS assumes that if the SRV fails (a secondary steam leak occurs) and the loop isolation valves are not closed, it is still possible to avert core melt by using long-term cooling (LTC). The thermal-hydraulic analysis provided in the PSS is not sufficient to justify this assumption. It is not clear how the RCS pressure can be reduced sufficiently to preclude the continuous loss of coolant to a steam generator which is essentially at atmospheric pressure. This continuing loss should result in depletion of the RWST and eventual core melt in less than 24 hours. The tree had been modified to take this into account and is shown in Figure 3.3."

Comments:

These assertions are significantly in error. Node LTC is addressed only given success of depressurization in DEP.

Page 4-5 of the Connecticut Yankee Best Estimate LOCA Analysis notes that [illegible] 6 hours are available to depressurize the RCS.

Page 3-12 of NUREG-0844 notes that a 10⁻² probability is reasonable for failure to depressurize the RCS before the RWST is exhausted (assuming a 5 hr time period is available).

Page 3-12, Section 3.2.4 "Steam Generator Tube Rupture Event Tree"

"In any case, it appears that once the SGC failure occurred, the procedures would result in the operator never reaching a step at which he would determine that an SGTR existed. In order to properly represent the sequence of events, the SGC event has been moved up to before the operator response and the tree has been restructured."

Comments:

There is a logical reason why node SG2 is after node MSL. If the operator fails to isolate the faulted steam generator, the steam generator will overfill and carryover to the steam lines will fail a steam driven AFW pump. Hence node SG2 is conditional on node MSL.

The changes suggested are technically in error.

Page 3-14, Section 3.2.5 "Steamline Break Upstream of the Non-Return Valves Event Tree"

"If the intact steam generators are isolated from the break and cooling is provided through these steam generators, there should be no additional steam added to the containment and therefore the pressure would remain relatively low. It appears, then, that for these scenarios the assumption of the need for CHR is conservative, although it should be noted that no best estimate analysis was provided. It does not appear, however, that this assumption has a significant impact on the analysis. Therefore, we will not change the event tree structure at this time. However, if our requantification indicates that the effect of the assumption is greater than it appears, this issue will be investigated further."

Comments:

A critical dependency appears to have been overlooked. Without containment heat removal, the containment temperatures could exceed the temperature qualification of instrumentation needed to aid in event diagnosis and mitigation.

Page 3-18, Section 3.2.11 "Loss of DC Bus 2 Event Tree"

"The only problem with the loss of DC bus 2 event tree is with respect to the event PIT (primary integrity). The general findings discussed in Sections 3.1.1 and 2.1.2 regarding the treatment of RCP seal LOCAs and small LOCA plant response apply to this tree. The tree has been modified to take those findings into account. The revised tree is shown in Figure 3.5."

Comments:

The recommended changes are incorrect.

Failure of primary integrity (PIT) and charging does not automatically result in core melt as shown in Figure 3.5. Furthermore, loss of charging does not result in core melt. Operator Actions OA2 and OA8 are inconsistent with the treatment of bleed and feed cooling in other event trees.

We stand by the accuracy and completeness of the original event tree in the PSS.

Page 3-17, Section 3.2.13 "Loss of Offsite Power and MCC-5 Event Tree"

"The only problem with the loss of offsite power and MCC-5 event tree is with respect to the event PIT (primary integrity). The general findings discussed in Sections 3.1.1 and 3.1.2 regarding the treatment of RCP seal LOCAs and small LOCA plant response apply to this tree. The tree has been modified to take those findings into account. The revised tree is shown in Figure 3.6."

Comments:

The excessively large alternate event tree proposed by the NRC with its 103 end point sequences (vs. the 5ts sequences in the PSS) contains a number of technical errors. As an example: failure to recover MCC-5 does not necessarily result in core melt as shown in Figure 3.6.

We stand by the original event tree model in the PSS.

Page 3-20, Section 3.2.15 "Station AC Blackout Event Tree"

"In addition to this, this tree is inconsistent with the other LOSP trees in two ways. First, when recovery of main feedwater following recovery of offsite power was considered in the other trees, two events appeared: OA-17 (operator cognitive decision to recover main feedwater), and RMF (mechanical and procedural failures in recovering main feedwater). These events were not included on the station blackout tree but were lumped together with the recovery of offsite power node since the failure to recover power was said to dominate the failure to recover main feedwater, in order to simplify the tree.

Even if this were the case, this inconsistency is confusing. Additionally, highlighting cognitive errors by modeling them on the event trees is an important tool in understanding plant response and combining them with other events would be counterproductive. Therefore, the tree has been modified to specifically identify these events."

Comments:

As noted, the event tree in the PSS was simplified by combining nodes. A new event tree is proposed with 98 end points vs. the PSS's with only 22. In reviewing the event tree proposed (Figure 3.7) it should be noted that the same identical logic structure is repeated three times (sequences 41-58, 59-76 and 77-94) for no apparent purpose. Event tree construction in this fashion is not consistent with good PRA practice. We see no improvement in the proposed new model and thus we stand by our original work.

As an additional comment: in the review of the treatment of cognitive error nodes on event trees in the Millstone Unit No. 1 PSS it was stated on page 2-15 of Section 2.2:

"When these errors are properly evaluated, it makes no difference whether they are included independently on the tree or are incorporated at the system level."

Thus, there appears to be a contradiction between the reviews of the Millstone Unit No. 1 and Connecticut Yankee PSSs.

Page 3-22, Section 3.2.16 "Insufficient Flow of Service Water Event Tree"

"Another comment is that no credit is given for bleed-and-feed cooling if AFWS fails. Granted, if service water is not eventually recovered prior to the need for [illegible] cooling, the use of BAF would serve only to delay core melt.

However, this ability to extend the time of core melt and credit for recovering service water within that time frame should have been considered. The tree has been modified to reflect this change. The revised event tree is shown in Figure 3.8."

Comments:

A critical dependency between the PORVs used for bleed-and-feed cooling and the ambient containment air pressure has been missed. Loss of service water would incapacitate the CARFANS resulting in a containment pressure that would close the PORVs in approximately 40 minutes after bleed-and-feed cooling was initiated. Hence we did not credit bleed-and-feed cooling for this particular event.

Page 1-24, Figure 3.9

Comments:

Sequences 24 and 33 are incorrectly labeled as resulting in core melt. The proposed event tree model is incorrect.

Page 3-25, Figure 3.10

Comments:

Failure to recover MCC-5 does not necessarily imply core melt. The proposed event tree model is incorrect.

Page 3-26, Section 3.2.19 "Total Loss of DC Event Tree"

"The major problem with the total loss of DC event tree is the assumption that a failure of the operator to control charging flow, which may result in a challenge to the SRVs, will result in a core melt. The PSS admits this is a conservative assumption since the SRVs may not be challenged at all. Our review has further concluded that the conservatism of the assumption is a significant event if it is assumed that the SRVs do lift, since it is by no means certain that they will fail to reseat. It would appear that the only difference between the case in which the operator fails to control charging and the case in which he succeeds is in the conditional probability of a consequential LOCA. In the case of operator failure, excess flow-induced opening and failure of an SRV to reseat would yield a higher consequential LOCA probability. The tree has been modified to reflect this conclusion."

Comments:

Contrary to what is stated, reducing charging flow is not the only action involved in 019. Page 4.2-122 of the PSS clearly states that:

"Node 019 represents the cognitive operator error to respond to a total loss of DC power and reduce charging flow and then manually control the charging system."

If the operator fails to recognize the situation and what recovery steps must be taken for loss of DC power under these circumstances, core melt is likely.

Page 3-33, Figure 3.15

Comments:

This proposed alternate event tree has a number of logic errors. Node OA6 in the PSS already accounts for the combined MS4/ LIV effects.

Page 4-5, Section 4.1.2 "Comments"

"The load shed logic for disconnecting the plant electrical system from the Offsite sources and the emergency 480V buses from those that are load-shedded is not explicitly modeled. The breakers that must open would not be tested except during refueling outages and could affect the probability of failure of one or both AC power trains."

Comments:

The technical basis for not including this logic in the fault tree models is as follows.

Following a loss of offsite power without a coincident LOCA, each electrical division will generate load shed signals for its associated 4160V emergency bus and two 480V buses. In order to incur any risk of overloading the diesel, all three of these load centers (i.e. buses) would have to fail to shed. Since each of these load centers has its own individual undervoltage relays and tripping scheme, it would require a triple failure to bring about this situation. For this reason, this failure mode is omitted from the fault tree.

An additional possibility for overloading the diesel is the failure to isolate the 4kV non-safety related loads from an emergency bus following a loss of normal power. The probability of this is exceedingly small because it would involve failure of the non-safety related bus isolation breakers to open and the individual non-safety related load supply breakers to open. Since these breakers and their control logic are independent of each other, double failures would be necessary.

For this reason, this type of failure mode is omitted from the fault tree.

Page 4-5, Section 4.1.2 "Comments"

"In modeling the diesel generator faults the analysts included the failure of the output breaker to close as part of the diesel generator fault. Based on the manner in which some faults are quantified (the manual loading circuitry is assumed never to be tested), it would appear that the output breaker is tested only during refueling outages. Inclusion of this failure in the diesel generator faults would not be appropriate if this is indeed the case."

Comments:

This is incorrect. The subject breaker is tested monthly per Surveillance Test SUR 3.1-17.

Page 4-5, Section 4.1.2 "Comments"

"The need for room ventilation is not discussed in the PSS. Some ventilation may or may not be required in addition to the service water cooling that is required."

Comments:

Based on historical records, ventilation has never been a major contributor to diesel failure. The ventilation air intake dampers are tested monthly and the probability of ventilation failure is much less than the probability of diesel failure due to all causes. As an additional consideration, if ventilation were lost, the average duration of offsite power losses is such that room heat up would not be significant. If the duration were longer, opening of doors would be sufficient.

In addition, during the Systematic Evaluation Program conducted by the NRC on the Haddam Neck Plant, the NRC evaluated the emergency diesel generator ventilation system and in NUREG-0826 (Integrated Plant Safety Assessment Final Report) concluded that the system was adequate and that no additional action on this topic was necessary.

Page 4-8, Section 4.2.3 "Other Observations"

"The fault tree model did not include maintenance failures on the alternate power supply to MCC-5. Since this power source is not normally energized, maintenance and failure to restore after maintenance are possible failure modes. The contribution of such errors should not be significant."

Comments:

Routine maintenance on electrical buses is not done, hence the comments are not valid.

Page 3-29, Section 3.2.24 "Consequential Steam Generator Tube Rupture (SGTR) Event Tree"

"The problem with this event tree is similar to that with the random SGTR tree (Section 3.2.4). That is, the sequence of events with respect to operator action and the conditions which affect these actions is not properly represented. Once again, this is due to the nature of operator response to a failure of steam generator cooling (SGC). When SGC is successful, the procedures will cause the operator to take actions which will lead him to isolate the faulted steam generator secondary side and then eventually close the loop isolation valves. This sequence is properly represented on the event tree. However, when SGC is failed, the procedures will immediately set the operator on a course which will lead him to establish bleed-and-feed cooling before he determines that a steamline break and SGTR exists. Only after he has done this will he proceed to isolate the faulted steam generator and primary loop."

Comments:

There is no reason to require that the event tree nodes be in chronological order.

As noted previously, when conditional probabilities are involved in the models, in many cases it is more efficient to alter the noding order. The changes recommended do nothing to impact quantification of risk except increase the number of accident sequences to be quantified from 24 up to 60.

Page 4-8, Section 4.3.1 "Comments"

"A test interval, and therefore detection interval, of one week was used for all battery faults. This interval is based on plant-specific test procedures used at Haddam Neck. However, the procedures do not appear to differ enough from industry norms to warrant such a reduction in the detection interval for all battery faults, some of which will go undetected until the batteries are demanded either during a plant transient or a load test. Use of a longer detection interval would seem to be more appropriate for at least some of the battery faults."

Comments:

Our analysis considered both industry and Haddam Neck experience. Based upon a detailed review of observed failure modes, and the scope of current tests we conclude that for the purpose of estimating battery unavailability a one week detection interval is appropriate.

Page 4-10, Section 4.3.2 "Comments"

"Common cause faults for the batteries are not considered in the PSS. The utility claims their maintenance practices would eliminate all possible common cause faults. Data on common cause battery faults is limited, but there are indications that not all battery common cause faults are maintenance, i.e., human faults. The claim that common cause faults can be completely eliminated through good maintenance practices appears to be overly optimistic."

Comments:

A review of industry battery failure experience obtained from a computerized listing of LER summaries on file at the Nuclear Safety Information Center at ORNL (keywords: DC Power, Batteries, Chargers) indicates to the contrary that all common cause failures in batteries observed to date were due to poor maintenance practices such as:

o over-torquing lug nuts
o inadequate terminal cleaning
o overcharging

Additional References:

(1) "A Probabilistic Safety Analysis of DC Power Supply Requirements for Nuclear Power Plants," NUREG-0666, U.S. Nuclear Regulatory Commission, April 1981.

(2) "Quick Look At Licensee Event Reports of Batteries and Battery Chargers at U.S. Commercial Nuclear Power Plants, January 1, 1976 to December 31, 1981," EGG-EA-6074, Idaho National Engineering Laboratory, October 1982.

Page 4-20, Section 4.8.2 "Comments"

"A review of the "charging system fault tree for vessel make-up after a loss of MCC-5, Control Air or Semi-vital AC" indicates that Northeast Utilities has [illegible] the system unavailability contribution due to failure of a check valve on the charging system suction line from the RWST. In this case, the valve failure probability should increase the system unavailability value from 5.3E-3 to 7.3E-3. This represents a 38% increase in the system unavailability. Due to this significant impact on the system reliability, it is recommended that this fault be included in the above fault tree."

Comments:

We agree and will consider modifications to the PSS in a future update.

Page 4-22, Section 4.8.3 "Other Observations"

"In the same fault tree discussed in the above comment, the system unavailability value obtained for "loss of offsite power, one DC Bus, and one AC Bus" support state was 4.4E-2. However, if loss of the DC Bus is on a stand-by charging pump (Pump B), and loss of the AC Bus is on the normal running pump (Pump A), then, Pump A will trip on LOSP (since the DC Bus is available on this pump) but cannot be returned to operation since there is no AC power, the Pump B cannot be started (no DC power). As a result, both charging pumps will be out of service and therefore fail the charging system. Thus, the unavailability of charging system should be 1.0 in this case."

Comments:

The charging system unavailability reported for vessel make-up after a loss of MCC-5, control air, or semi-vital AC for the support state of loss of offsite power and loss of one DC bus and loss of one AC bus (See p. 4.2-146 of the PSS) is correct for support state 10. This support state addresses DC bus and AC bus failures affecting the same charging system train.

As defined in Section 3.3 of the PSS (See p. 3.3.9), the scenario described in the comments is the equivalent of support state 15 which represents a total loss of AC power, i.e. Station Blackout. If power were not recovered, charging unavailability would be 1.0 and was treated as such. Recovery of offsite power was only addressed in Event Tree 15, Station Blackout. For all other initiators for support state 15, charging is unavailable (Q=1.0).

Page 3-30, Figure 3.13

Comments:

The proposed alternate event tree has a number of logic errors. There is no need for the OA2/HPR nodes given the success of everything else because there would be no RCP seal failure. This results in 70 unnecessary sequences.
