ML13308A087

Forwards Auxiliary Sys Branch Draft Supplemental Safety Evaluations for CESSAR (Sys 80) Final Design Approval & for Palo Verde Nuclear Generating Stations,Addressing ACRS Concerns Re Reliability of Shutdown Heat Removal Sys
ML13308A087
Person / Time
Site: Palo Verde, Ginna, San Onofre, 05000000, 05000470
Issue date: 02/04/1982
From: Mattson R
Office of Nuclear Reactor Regulation
To: Eisenhut D
Office of Nuclear Reactor Regulation
Shared Package
ML13308A086 List:
References
NUDOCS 8202250350


Text

ENCLOSURE 1

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

FEB 04 1982

MEMORANDUM FOR: Darrell G. Eisenhut, Director, Division of Licensing, NRR

FROM: Roger J. Mattson, Director, Division of Systems Integration, NRR

SUBJECT: TRANSMITTAL OF DRAFT PALO VERDE AND CESSAR SER SUPPLEMENT

Enclosed are copies of our draft SER Supplements for Palo Verde and CESSAR.

They address the concerns raised by the ACRS letters of December 15, 1981 involving the need for a reliable heat removal capability in view of the lack of a direct means to rapidly depressurize the primary system. The CESSAR and Palo Verde designs do not include PORVs to permit the feed and bleed method of cooling the way it is provided in other PWRs.

Our SER Supplements were prepared before the Ginna steam generator tube rupture incident of January 25, 1982 and represent our position at that time.

The Ginna incident has resulted in renewed consideration being given to the possibility of simultaneous steam generator tube ruptures in both steam generators. We are also reconsidering accident scenarios that could lead to simultaneous loss of coolant in the primary and secondary systems. These considerations require us to reexamine the possibility of feed and bleed as an alternate method of providing core cooling.

We are also interested in the use of the PORV to gain control of primary system pressure to avoid challenges to the safety valves on a faulted steam generator, thereby reducing the frequency of releases of radioactivity following steam generator tube ruptures.

In addition, since the preparation of our draft SER Supplements for Palo Verde and CESSAR we have been provided with new information by the Office of Nuclear Regulatory Research. The new information is in a memorandum on CE system reliability that bases its analysis on the Accident Sequence Precursor Program.

The techniques used in this program are somewhat controversial, and we are currently reviewing both the techniques and conclusions.

The memorandum prepared by Frank Rowsome and Joe Murphy of RES is dated January 29, 1982 and concerns the feed and bleed issue for CE reactor designs without PORVs.

It makes two conclusions concerning the reliability of the auxiliary feedwater system which are at variance with our draft SSERs.

We have these differences under review.

Contact: R. Lobel, X29463

8202250350 820208 PDR ADOCK 05000361 P PDR

Darrell G. Eisenhut - 2 -

In view of the concerns discussed above we have evaluated the potential consequences of operation of San Onofre Units 2 and 3 at low power for the purpose of startup testing. We conclude that the risk of such operation is negligible because even if feedwater were lost to the steam generator, boiling of the remaining steam generator inventory and heat transfer to the containment atmosphere and structures would be sufficient to prevent overheating of the core.

Should a steam generator tube rupture event occur during this low power testing period, three factors would contribute to substantially reducing the risk to the public. First, there is sufficient time available for the operators to correct the loss of important safety systems needed to mitigate the event or to take alternate courses of action. Second, the fission product inventory during low power operation is very much less than during full power operation. Third, there is a reduction in required capacity for mitigating systems at low power.

We suggest that the applicants of CESSAR System 80 and Palo Verde 1, 2 and 3, (perhaps in conjunction with other CE owners) perform a special study of the utility and competing risks of PORVs in the various accident scenarios and propose system modifications as appropriate to the concerns summarized in this memorandum.

Roger J. Mattson, Director
Division of Systems Integration

ENCLOSURES:

SSER for CESSAR

SSER for Palo Verde

Memo fm Tedesco to Rowsome dtd 1/29/82

Memo fm Bernero to NRR Div. Dirs dtd 1/22/82

ATTACHMENT 1

SUPPLEMENTAL SAFETY EVALUATION FOR CESSAR (SYSTEM 80) FDA

AUXILIARY SYSTEMS BRANCH

ACRS CONCERN REGARDING RELIABILITY OF SHUTDOWN HEAT REMOVAL SYSTEM

In the CESSAR Letter, the ACRS stated:

"In recent years, the availability of reliable shutdown heat removal capability for a wide range of transients has been recognized to be of great importance to safety. The System 80 design does not include capability for rapid, direct depressurization of the primary system or for any method of heat removal immediately after shutdown which does not require use of the steam generators. In the present design, the steam generators must be operated for heat removal after shutdown when the primary system is at high pressure and temperature. This places extra importance on the reliability of the auxiliary feedwater system used in connection with System 80 steam generators and extra requirements on the integrity of the steam generators. The ACRS believes that special attention should be given to these matters in connection with any plant employing the System 80 design. The Committee also believes that it may be useful to give consideration to the potential for adding valves of a size to facilitate rapid depressurization of the System 80 primary coolant system to allow more direct methods of decay heat removal.

The Committee wishes to review this matter further with the cooperation of Combustion Engineering and the NRC Staff."

In order to fully respond to the concern, the staff position is presented in three parts as follows:

(1) auxiliary feedwater system reliability, (2) steam generator integrity and (3) the need for additional primary system valves to facilitate direct rapid system depressurization for decay heat removal.

In regard to the ACRS concern for "extra importance on the reliability of the auxiliary feedwater system used in conjunction with System 80 steam generators", we will require that Combustion Engineering include an auxiliary feedwater system unavailability acceptance criterion as an interface in CESSAR to be satisfied by referencing applicants for their auxiliary feedwater system designs. The criterion will be the same as that identified in the Standard Review Plan (NUREG-0800), Section 10.4.9 for meeting General Design Criteria 34, Residual Heat Removal, and 44, Cooling Water as follows:

"An acceptable AFWS should have an unavailability in the range $10^{-4}$ to $10^{-5}$ per demand based on an analysis using methods and data presented in NUREG-0611 and NUREG-0635. Compensating factors such as other methods of accomplishing safety functions of the AFWS or other reliable methods for cooling the reactor core during abnormal conditions may be considered to justify a larger unavailability of the AFWS."


We conclude that this interface adequately addresses auxiliary feedwater system reliability for CESSAR reference plants.

In regard to the ACRS concern for "extra requirements on the integrity of the steam generators", the following is the staff position.

The System 80 steam generators incorporate multiple design features to minimize the instance of problems which have been identified to date in operating plants' steam generators. These features include improvements in material of construction and fabrication techniques. We note that there is no operating experience associated with the System 80 steam generators. Therefore, we know of no reason to impose additional requirements at this time for assuring their integrity. If operating experience indicates that additional requirements are warranted, we will incorporate them as necessary.

It should also be noted that the CESSAR SER (NUREG-0852) includes discussion and staff conclusion on steam generator integrity and certain aspects of steam generator performance as follows:

(a) Materials and fabrication and their acceptability against applicable ASME Codes and General Design Criteria are addressed in SER Section 5.4.2.1.


(b) Design features for prevention of damaging water hammer are addressed in SER Section 10.4.

(c) Secondary water chemistry is addressed in SER Section 10.3.1.

Based on the above, we conclude that the integrity of the System 80 steam generators is adequate to assure their availability for decay heat removal and that further requirements in this area are not necessary.

In regard to the ACRS concern for "consideration to the potential for adding valves of a size to facilitate rapid depressurization of the System 80 coolant system to allow more direct methods of decay heat removal," the following is the staff position in this matter.

BACKGROUND

In some pressurized water reactors, an alternate method of decay heat removal has been identified in the event all feedwater to the steam generators is lost. This method of decay heat removal, termed "feed and bleed," involves coolant addition to the primary system via the HPI pumps, and liquid discharge via either safety or relief valves.

To date, the loss of all feedwater is not an event required to be designed for by NRC regulations.


In order for feed and bleed to be a viable decay heat removal mechanism, the HPI system must be capable of injecting a sufficient quantity of coolant at the prevailing system pressures.

For plants without a manual depressurization capability (i.e., PORV system with enough relief capability to sufficiently depressurize the primary system), the prevailing system pressure following a loss of all feedwater will be the safety valve set pressure (usually 2500 psi).

Thus, in order to have a viable feed and bleed capability in plants without PORVs, the HPI pumps must be capable of injecting sufficient quantities of coolant at the safety valve set pressure. This implies the need for an HPI pump shutoff head considerably above the safety valve set pressure.

For plants with HPI pumps that do not have shutoff heads above the safety valve set pressure, a means to manually depressurize the primary system to a pressure sufficiently below the HPI pump shutoff pressure in an acceptable amount of time would be necessary.

PORVs would typically be relied upon to provide this manual depressurization for viable "feed and bleed" capability.

CE SYSTEM 80 DESIGN

The present Combustion Engineering (System 80) standard plant design does not include power-operated relief valves (PORVs). The HPI system employs the pumps with a shutoff pressure of 1750 psig. Thus, in the event of a loss of all feedwater, the System 80 design does not have the capability to depressurize the primary system to below the HPI shutoff pressure. Thus, in this design, reliance cannot be placed on "feed and bleed" for decay heat removal.

STAFF POSITION

While the staff recognizes the potential benefits of a feed and bleed capability, there are presently no design requirements or criteria which would require CE System 80 plants to install an alternate decay heat removal system independent of the steam generator system. The staff has recognized the need for reliable decay heat removal.

The staff acceptance criterion for auxiliary feedwater system (AFWS) reliability (as identified in SRP Section 10.4.9) is based on an acceptance of the mean value of the probability of core melt from feedwater transients that was derived in WASH-1400. The staff recognizes the limitations in WASH-1400 as delineated in previous statements. However, in using the study, we have taken the applicable component part which has an adequate data base for purposes of comparison and applied a generally accepted fault tree technique uniformly to determine weaknesses in the AFWS design when compared with other plants. The staff decision on acceptability is not strictly based on meeting an absolute value. The staff has not discarded the deterministic acceptance criteria and requires that they also be satisfied.

This criterion has been required of Palo Verde (the first System 80 design to be licensed) and will be satisfied by all future System 80 plants (refer to Part 1 above).

Additional mitigating features available to satisfy the core melt risk probability would be evaluated on a plant specific basis.

This is discussed further in the Palo Verde SER Supplement addressing similar ACRS concerns.

Notwithstanding the present reliability requirements for AFW systems and overall decay heat removal capability, the staff has initiated work on the unresolved safety issue of decay heat removal reliability (USI A-45). A key element of this program will be an evaluation of risk reduction that would be afforded by a viable "feed and bleed" capability.

If it is concluded that a cost beneficial reduction in risk could be achieved by incorporating a "feed and bleed" capability in operating plants that presently do not have such a capability, then a backfit order would be considered.

However, until this study is completed, the staff concludes there is no need to require a "feed and bleed" capability be installed in System 80 plants since adequate heat removal system reliability will be assured by the AFWS reliability criterion as an interface requirement in CESSAR.

It is the staff position that the present AFW reliability criterion must be met by applicants of the CE System 80 design. Meeting this position provides a sufficiently low probability of core melt for this design, and further assures a reliable decay heat removal capability.

In summary, we conclude that the CESSAR System 80 design for decay heat removal conforms to applicable General Design Criteria and guidance and is sufficiently reliable to assure safe shutdown.


ATTACHMENT 2

SUPPLEMENTAL SAFETY EVALUATION FOR PALO VERDE NUCLEAR GENERATING STATION, UNITS 1, 2 AND 3

AUXILIARY SYSTEMS BRANCH

ACRS CONCERN REGARDING RELIABILITY OF SHUTDOWN HEAT REMOVAL SYSTEM

In the Palo Verde letter, the ACRS stated:

"In the Palo Verde design the primary system does not include capability for rapid, direct depressurization when the plant has been shut down.

This places extra importance on the reliability of the auxiliary feedwater system and makes it necessary that the NRC Staff and the Applicant assure the availability and dependability of this system for a wide variety of transients. It also places extra requirements on the continued integrity of the two steam generators as the only method of heat removal immediately after shutdown.

The ACRS recommends that the NRC Staff and the Arizona Public Service Company give additional attention to the matter of shutdown heat removal for Palo Verde and develop a detailed evaluation and justification for the position judged to be acceptable. The Committee wishes to be kept informed."

The following is the staff position on the above concern.

In regard to the ACRS concern for extra importance placed on the reliability of the AFWS in view of the lack of a rapid, direct depressurization capability for the primary system, and the ACRS recommendation for a detailed evaluation and justification for the position judged to be acceptable, the following is the staff position on this matter.

In Section 22 of the Palo Verde SER (NUREG-0857) under Item II.E.1.1 of the TMI-2 Requirements, we have identified the fact that the applicant submitted an AFWS reliability study in accordance with staff guidance.

The staff reviewed the study and determined that the AFWS met the system unavailability acceptance criterion ($10^{-4}$ to $10^{-5}$ per demand) for a loss of all feedwater as a result of a feedwater transient or loss of offsite power initiating events.

We also determined that the AFWS design met all deterministic criteria of Section 10.4.9 of the Standard Review Plan (NUREG-0800).

In addition, as the AFWS unavailability acceptance criterion is derived from a risk of core melt frequency of $5 \times 10^{-6}$ per reactor year (Reactor Safety Study, WASH-1400) consideration was given to additional plant features available to bridge the gap from the AFWS system unreliability acceptance criterion ($10^{-4}$ to $10^{-5}$ per demand) to the core melt frequency ($5 \times 10^{-6}$ per reactor year). These mitigating features include a stable grid and long steam generator boil dry time (approximately 20 minutes) which allows for operator recovery. The grid and offsite power supply line arrangement at Palo Verde is comparable to most operating nuclear power plants. Thus, the frequency of occurrence of a loss of offsite power should be equivalent to the average assumed in past analyses, approximately 0.2 to 0.4 per reactor year. Further, the 20 minutes of steam generator water inventory after a loss of main feedwater allows time for plant operators to restore the AFWS should it fail initially, or restore offsite power and main feedwater. Previous estimates indicate approximately a 40% chance of restoring offsite power within 20 minutes.

These features provide additional confidence that the risk of core melt probability of $5 \times 10^{-6}$ is not exceeded for an extended loss of feedwater condition.

Based on the above, we conclude that the Palo Verde AFWS meets the staff reliability acceptance criterion, and further that it is unlikely that the risk of core melt probability of $5 \times 10^{-6}$ will be exceeded as a result of feedwater transients.

In regard to the ACRS concern for "extra requirements on continued integrity of the two steam generators as the only method of heat removal immediately after shutdown," the following is the staff position.

The integrity of the System 80 steam generators has been reviewed by the staff and found to be acceptable. Refer to the CESSAR SER Supplement addressing ACRS concerns on this subject. Further, the Palo Verde SER (NUREG-0857) includes discussion on the acceptability of the following relative to steam generator integrity:

a) The steam generator inservice inspection program is addressed in SER Section 5.4.2.1;

b) The secondary water chemistry monitoring and control program is addressed in SER Section 10.3.3; and

c) Preoperational testing for steam generator/feedwater waterhammer prevention is addressed in SER Section 10.4.7.

Based on the above, we conclude that the Palo Verde steam generators provide a reliable means for shutdown decay heat removal without the need for additional requirements for assuring their continued integrity.

In summary, we conclude that the Palo Verde shutdown heat removal capability is sufficiently reliable and conforms to applicable General Design Criteria and guidance without further requirements.


ATTACHMENT 3

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

JAN 29 1982

MEMORANDUM FOR: Bob Tedesco, Assistant Director for Licensing, Division of Licensing, NRR

Themis Speis, Assistant Director for Reactor Safety, Division of Systems Integration, NRR

FROM: Frank H. Rowsome, Deputy Director, Division of Risk Analysis, RES

Joseph A. Murphy, Reactor Risk Branch, Division of Risk Analysis, RES

SUBJECT: FEED AND BLEED ISSUE FOR CE APPLICANTS

We have performed a quick and dirty analysis of the risk implications of CE designs that lack a capability for core cooling via HPI injection and deliberate venting of the reactor coolant system, in the absence of feedwater replenishment.

We conclude that three classes of accidents may each be more frequent than the Commission's safety goal of $10^{-4}$ core melts per reactor year or less, and that the total core melt frequency for such plants could be of the order of $10^{-3}$ per year or more. The three sequences are:

1. Transient and failure of all feedwater (not associated with loss of AC power) (TML).
2. Loss of offsite power, one diesel failure disabling the motor driven AFW train, and failure of the turbine-driven AFW train.
3. Very small LOCA and failure of HPI (S2D).

We recommend the following upgrades to these designs:

1. Provide an assured "feed and bleed" capability.
2. Provide that either diesel generator can energize a motor driven AFW train.
3. Examine carefully and perhaps upgrade HPI reliability and/or reduce the frequency of very small LOCA's.

The economic incentives to make these improvements, derived from reduced risk of economic losses associated with core melts, are roughly:

[Figure: value of successive upgrades. Configurations shown: Base Case; Base Case with Assured Feed and Bleed; Base Case with Both DG's Aligned to Motor Driven FW Pumps; Assured Feed and Bleed, 2 DG's + 2 AFW Trains; Assured Feed and Bleed, 2 DG's + 2 AFW Trains, High-Reliability HPI. Values shown between configurations: $22.3M, $13.4M, $660,000, $10.7M, $15M.]

The base case plant is assumed to be incapable of feed and bleed cooling, only one diesel generator is assumed capable of energizing the safety related motor driven AFW train.

The turbine driven AFW train is AC-independent, but the non-safety grade motor-driven AFW train requires offsite power.

Industry average HPI reliability and S2-LOCA frequency is assumed.

The analysis that shows that S2D may be too frequent applies to other PWRs as well.

The attached paper describes the analysis.

Frank H. Rowsome, Deputy Director
Division of Risk Analysis
Office of Nuclear Regulatory Research

Joseph A. Murphy
Reactor Risk Branch
Division of Risk Analysis
Office of Nuclear Regulatory Research

Attachment: As Stated

cc: R. Bernero, G. Burdick, R. Mattson, S. Hanauer, M. Ernst, A. Thadani, RRB Staff, RAB Staff

Feed and Bleed Issue for CE Applicants

We understand that the current crop of CE license applicants are proposing that no pressurizer PORV's be installed, that the HPI shutoff head is to be well below the pressurizer safety valve setpoint (around 1400 psi), that high point vents provide no more than two 1" diameter remote-manual vents, and that the auxiliary feedwater systems will be composed of one AC-independent turbine driven pump, one AC-power train, and a third non-safety grade motor driven pump.

We have attempted a back-of-the-envelope PRA in order to evaluate the risk implications if these plants are incapable of "feed and bleed" cooling.

The results suggest that they may fail to meet the Commission's safety goal of a core melt frequency less than $10^{-4}$/year and the present worth of a fix to enable assured feed and bleed cooling is of the order of $10 million or more per plant, based upon reduced financial risk alone.

We considered five groups of accident sequences: loss of main feedwater, loss of offsite power, very small LOCA, transient-induced small LOCA (late start of auxiliary feed water allows a lift of a pressurizer code safety valve which may stick open), and station blackout with restoration of AC power just before the point-of-no-return. We did not consider main steam line breaks or ATWS, although in these sequences an assured feed and bleed capability could also enhance safety as well as in the sequences considered.

The simple loss of main feedwater appears to be the dominant concern. For this sequence in a plant incapable of feed and bleed cooling, the frequency of core melt, $\lambda_{cm} = \lambda_m P(L)$, where $\lambda_m$ is the frequency of critical (sustained) failures of main feedwater, and P(L) is the probability of a critical failure of the auxiliary feedwater system.

WASH-1400 took the frequency of feedwater transients to be 3 per year, with 99 out of one hundred such occurrences recoverable. There is reason to doubt both numbers. Complete interruptions of main feedwater are more frequent than 3 per year during the life of the first core, while the plant is still being debugged, although many take place at startup or at low power when the decay heat level is too low to pose much risk. A mature plant has complete interruptions of main feedwater about once a year or less. The non-recovery factor of $10^{-2}$ applies to plants with simple feedwater controls, motor driven main feedwater pumps, and no major obstacles to feedwater restart after a trip. In large, modern plants with turbine-driven main feedwater pumps problems with feedwater restart are common, so a non-recovery factor of .3 to .1 is more reasonable. I judge that the frequency of non-restorable failures of main feedwater occurring from substantial (risky) initial power levels is roughly:

$\lambda_m = 3 \times 10^{-1 \pm 1}$, first core

$\lambda_m = 1 \times 10^{-1 \pm 1}$, at maturity

Auxiliary feedwater reliability is also uncertain. Data from the precursor program suggests that the PWR average experience has been a failure probability of $10^{-3}$/demand. This average includes early-in-life experience as well as mature plant experience and two train as well as three train experience.

System reliability analyses have suggested that the best of the three train systems can approach - at maturity - 10^-[exponent illegible] per demand. However, these analyses failed to consider some common mode failure mechanisms so they can be regarded as having an optimistic bias. It is not uncommon early in plant life to find instances of repeated, consistent, auxiliary feedwater pump failures while the system is being debugged in service. The record suggests that the failure probability of the AFWS is substantially higher during the first core than in maturity. A system with two diverse safety grade AFW trains and a third full capacity non-safety grade train will probably achieve failure probabilities of:

$3 \times 10^{-3 \pm 1}$, first core

$1 \times 10^{-4 \pm 1}$, at maturity

These estimates result in loss-of-all-feedwater frequencies of:

$\lambda_{cm} = 0.9 \times 10^{-3 \pm 1.4}$/yr, first core

$\lambda_{cm} = 1 \times 10^{-5 \pm 1.4}$/yr, at maturity

The uncertainty range is thus:

$2.3 \times 10^{-2} \ge \lambda_{cm} \ge 3.5 \times 10^{-5}$, first core

$2.6 \times 10^{-4} \ge \lambda_{cm} \ge 3.9 \times 10^{-7}$, at maturity

Note that even at maturity this core melt sequence frequency may be higher than the Commission's criterion for all core melt frequencies combined: $\lambda_{cm} \le 10^{-4}$/yr, and that the best estimate is that it will exceed the Commission's criterion during the first core. Note also that common causation of main and auxiliary feedwater failure due to fires, floods, earthquakes, or sabotage has not been considered and might increase this sequence frequency. The Commission's guidelines on acceptable risk do not indicate how to treat uncertainties or higher-than-average estimates for the first core. Nonetheless, I think it unwise to allow a single core melt accident sequence to be this probable. The provision of an assured feed and bleed capability would enable HPI to cool the core in these scenarios. Even with common mode and external hazards, this should be worth at least one decade, more likely two decades reduction. We recommend it.

Next let us consider loss of offsite power. The failure frequencies or probabilities are taken to be:

$\lambda_{LOSP}$ = 0.2/yr

P(non-recovery of offsite power within 30 min - 1 hr) = 0.2/occurrence

Thus $\lambda_{LOSP}$ without recovery = 0.04/yr

$P_{DG}$ = 0.03/demand

$P_{2DG}$ = 0.003/demand, including common mode

$P_{AFW-turbine\ train}$ = 0.1/demand

$P_{AFW-motor\ train}$ = 0.01/demand

Assume for convenience that diesel generator A is configured to energize the safety grade AFW motor driven train. As we shall see, the core melt frequency predictions are sensitive to whether or not diesel generator B can energize the non-safety grade AFW train or not. The event tree for loss of offsite power can be drawn:

Event tree for LOSP (.04/yr), with branch headings DG's and AFW; each branch is okay unless AFW fails:

DG's: no failures; AFW fails: $10^{-4}$; melt at $4 \times 10^{-6}$/yr

DG's: B fails (.03); AFW fails: $10^{-3}$; melt at $1.2 \times 10^{-6}$/yr

DG's: A fails (.03); AFW fails: .1 or .001*; melt at $1.2 \times 10^{-4}$/yr or $1.2 \times 10^{-6}$/yr*

DG's: both fail (.003); AFW fails: .1; melt at $1.2 \times 10^{-5}$/yr

* The higher failure rate applies if one of the diesel generators (we have called it B) cannot power a motor driven AFW train; the lower failure rate applies if both diesel generators can power a motor driven AFW train.

Note that the Commission safety goal of $10^{-4}$/yr for all core melt sequences may be violated by loss of offsite power and a single diesel generator failure if there is one diesel generator that cannot be aligned to energize a motor-driven AFW train. This high core melt frequency could be reduced to marginally acceptable value in either of two ways:

1. Insure that either diesel generator can be aligned to energize a motor-driven AFW train by (i) providing a swing bus for the safety grade AFW pump, or (ii) providing an essential (diesel-backed) power supply to the "non safety grade" AFW pump, or
2. Provide an assured feed and bleed capability so that the one operable diesel generator and its associated HPI train can cool the core.

The case of full station blackout is considered later. The value of the feed-and-bleed fix can be inferred from the event tree for LOSP with this design:

Event tree for LOSP (.04/yr), with branch headings DG's, AFW and HPI:

DG's: no failures (.96); AFW fails: $10^{-4}$; HPI fails: $5 \times 10^{-3}$; melt at $2 \times 10^{-8}$/yr

DG's: B fails (.03); AFW fails: $10^{-3}$; HPI fails: $5 \times 10^{-2}$; melt at $6 \times 10^{-8}$/yr

DG's: A fails (.03); AFW fails: .1 or .001; HPI fails: $5 \times 10^{-2}$; melt at $6 \times 10^{-6}$ or $6 \times 10^{-8}$/yr

DG's: both fail; AFW fails: .1; melt at $1.2 \times 10^{-5}$/yr

Next let us consider very small (S2) LOCA. Instrument line breaks, steam generator tube ruptures, charging pump line breaks, and gross reactor coolant pump seal failures have happened a dozen or so times in 500 LWR-years, suggesting a challenge frequency of $3 \times 10^{-2 \pm .5}$/yr for S2 LOCA excluding PORV LOCAs.

They are less probable in the first year of service, so I will not single out first core numbers.

In the CE plants, both feedwater and ECCS (HPI) are required for successful core cooling. Main feedwater may remain operable or be restartable in some of these. The probability of HPI failure on demand was found to be $8.6 \times 10^{-3 \pm .5}$ in Surry (WASH-1400). Most PWR PRAs are finding a failure probability for the whole multi-train HPI between $10^{-2}$ and $10^{-3}$/demand. We shall assume that the probability of HPI failure on demand is 5 x 10-3+./demand for the CE plants. A rough cut at frequency estimation suggests:

[Event tree: S2 LOCA, with branch headings HPI, AFW and MFW; the branch values are not legible in the scan.]

The value of an assured feed and bleed capability here is to eliminate the need for feedwater. This would eliminate the smaller ($10^{-6}$/yr) path to core melt without affecting the more prominent path via HPI failure. Note that small LOCA with total HPI failure is predicted to result in a core melt frequency above the Commission goal for all core melts. The provision of feed and bleed capability or of an improved AFW system will not help this.

It is a problem generic to PWRs and not unique to the CE designs. It appears that the high frequency of very small LOCA revealed by historical experience and the marginal HPI system reliabilities revealed by many PWR PRAs are combining to yield unacceptable core melt frequencies through S2D-type sequences. We suggest that NRR tackle this problem in two ways: First, a serious effort should be made to reduce the frequency of S2 LOCA's. Second, a broad-scale attack on HPI reliability problems comparable to that instituted for AFW systems after TMI should be initiated for all PWR's.

Next let us consider the transient-induced LOCA, with and without a PORV. A feedwater transient with a prompt auto start of auxiliary feedwater is assumed not to lift a pressurizer relief valve. [illegible] delayed start of AFW, which may be roughly one hundred times as likely as a failure, may lift a pressurizer valve (PORV or code safety) and the valve may stick open.

[illegible] LER data suggest that PORV's stick open roughly once in one hundred challenges and code safety valves once in a thousand challenges. [illegible] valve have failed open spontaneously, to my knowledge, although there was one instance (Crystal River NNI bus fault) of a command fault leading to an open PORV.

Since TMI I think it safe to assume that [illegible] would successfully close the PORV block valve in at least 99 out of 100 instances of a PORV [illegible]. Without a PORV we have (at maturity)

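[Event tree: feedwater transient without a PORV (safety valve challenge), with headings Prompt AFW, Late AFW and Safety Valve Closes; outcomes are okay, okay, S2 LOCA at 10-6 and melt. The remaining values are not legible in the source.]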

The core melt outcome from loss of all feedwater has already been considered.

The increment in the likelihood of S2 LOCA is negligible at 10 /yr. It can still be mitigated by HPI, if HPI works, as it will do in the vast majority of cases.

With a PORV we will get transient-induced LOCA ten times as often (10-5 /yr) but the block valve can be expected to terminate all but 1 percent of these for a frequency of transient-induced and unisolated LOCA of 10 /yr. If anything, the PORV helps rather than aggravates what is a negligible contributor to the overall S2 frequency via transient-induced LOCA.

We should also consider the command fault LOCA's due to spurious "open" commands to a PORV. The frequency of occurrence is a sensitive function of the valve control logic design. It could be made as small as we wish by suitable reliability engineering. If we consider the Crystal River experience as one failure in 300 PWR-years, we get an industry average of 3x10 /yr for PORV command fault LOCA. Clearly, B&W did not do so well, but the combined experience of the three PWR vendors suggests that this frequency can easily be made much less than the overall S2 frequency of 3x10-2+.5/yr. I conclude that having a PORV or not having a PORV has a negligible effect on the likelihood of S2 LOCA or of the likelihood that S2 LOCA may lead to core melt, provided that system or component functional reliability is the only consideration. It goes without saying that this analysis is predicated upon a design with anticipatory trips so that routine transients do not lift pressurizer relief valves, and that the operators are trained to close the PORV block valve when appropriate.

There may also be a design adequacy issue. I feel uncomfortable with 1400 psi HPI pumps in plants without PORV's, even if the HPI and the AFW systems are highly reliable. Careful thermal hydraulic analyses together with thorough studies of plausible operator responses are necessary to verify that some S2 LOCA's will not lead to degraded steam generator heat transfer and RCS pressures over 1400 psi while the core uncovers, even with operable HPI and AFW trains. The high point vents and reactor coolant pumps may help here even though these plants do not have full feed and bleed capability. However, these design adequacy issues are beyond the capability of this simplistic system reliability analysis.

Last, consider station blackout with AC recovery near the point of no return.

The event tree may be drawn as follows:

[Event tree: LOSP, EDG's, AFW (TDP), Restore AC Within 1 hr?, Restore AC Within 2-6 hr?; outcomes are okay, success? and melt. Branch values are not legible in the source.]

Blackout with successful auxiliary feedwater (turbine driven pump) can be expected at a frequency of roughly 6x10-4/yr. The turbine driven AFW pump has a finite success window, however. One of several factors will lead to core melt if AC power is not ultimately restored. These factors include:

(a) loss of reactor coolant inventory (blown RCP seals, etc.); (b) dead batteries (discharge or overheat); (c) high pump room temperatures (no HVAC), or (d) depletion of condensate.

Blackout without auxiliary feedwater leads to a shorter time window to save the core by AC recovery. This can be expected at a frequency of roughly [illegible].

In either scenario, as the time to the point-of-no-return is approached, the reactor coolant system pressure will be high (around the pressurizer safety valve set point), and [illegible] level [illegible] falling toward the top of the active core. Refilling the steam generators will be necessary but may not be sufficient, depending upon the effectiveness of reflux [illegible] and the extent of reactor coolant system [illegible]. A feed and bleed capability to enable HPI to refill the reactor [illegible] the window for AC recovery without core damage or melt by tens of minutes, perhaps more. A quantitative evaluation of the fraction of melt sequences that could be saved by feed and bleed would require extensive thermal hydraulic analysis and [illegible] AC restoration vs time. [illegible] clear that the most likely [illegible] point of no return. Thus, an upper bound on the [illegible] sequence frequency attributable to feed and bleed is of the order of [illegible].

To summarize, the principal concerns regarding the CE designs [illegible] shutoff head and no PORV's [illegible] to be:

1. Risk of core melt via loss of [illegible] may be unacceptably high.

2. The adequacy of the design for very small [illegible] is questionable. This may be coupled with operator behavior [illegible].

3. The reliability of the high pressure injection system may be unacceptably low, but the mere fact of an AFW requirement to mitigate very small LOCA's - given design adequacy - does not significantly degrade the reliability with which very small LOCA's may be mitigated.

4. It is important that either diesel generator be capable of energizing a motor driven AFW train given loss of offsite power.

Two questions remain to be answered: (1) what is it worth to equip these plants with feed and bleed capability? and (2) what are the attendant risks of the optional fixes?

An assessment of the value of the fix follows. Those core melt accident sequences for which a feed and bleed capability could save the core are likely to be well-contained; they do not entail common mode failure mechanisms which would defeat containment isolation, sprays, or fan coolers. Thus the utility's economic risk dominates.

Let us take the cost of such a core melt event to be around $10 billion (low: $2 billion for TMI's; high: $100 billion for extensive shutdown orders). The value in $ is essentially:

V($) = Δλ (events per year) x C($ per event) x T(exposure time in years)

We can calculate a variety of Δλcm differences from the following table:

[Table: core melt frequency λcm with feed and bleed and without feed and bleed, for the rows TML (first core), TML (mature), LOSP (two rows, for the cases footnoted below) and S2D. Most entries are not legible in the source; one LOSP row reads 1.4 x 10-5 and 1.2 x 10-5.]

* Case 1 - one of the diesel generators cannot energize a motor driven AFW train
  Case 2 - both diesel generators can energize a motor driven AFW train

The economic incentives can be calculated by taking the exposure time for the first core as one year and for mature operation as ten years. The economic incentive is essentially the reduction in the present worth (at startup) of projected monetary losses due to accidents. They are shown on the following diagram:

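[Diagram: economic incentives for moving between plant configurations: Case 1 and Case 2, with and without F&B, and Improve HPI Reliability. Arrow labels as scanned, only partly legible: $134M, $23.3M, $10.7M, $660,1000, $15M.]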

This diagram can be understood as follows. Start with a CE plant that has no feed and bleed capability and only one diesel generator that can support a motor-driven auxiliary feedwater pump. It would be worth up to $13.4M to enable the second diesel generator to power what is now the non-safety grade AFW pump. It would be worth up to $22.3M to add feed and bleed capability, and so forth. The final "fix" has yet to be discussed. The value was arrived at by postulating design or operational changes such that the likelihood of an S2D core melt is reduced from 1.5x10-4/yr to 1.0x10 /yr.

This might be achieved by either improving the reliability of HPI substantially, reducing the frequency of very small LOCA substantially, or some of each.

Now a feed and bleed capability could be achieved by installing suitably sized PORV's or by installing HPI pumps of very high head (over the pressurizer safety valve setpoint) or some of each. We have already examined the attendant risks of PORV addition. Care must be taken to design the control logic so that spurious "open" commands are rare, but it is safe to expect that this will be done well enough that the frequency of S LOCA is not significantly increased. The effect on transient-induced LOCA is not important (this frequency is negligible with or without a PORV) and is compensated by the possibility of isolating PORV-LOCA's with the block valve.

If the HPI can force open a pressure relief valve (code safety or PORV in the pressurizer), then a spurious HPI actuation can cause a temporary, recoverable LOCA. Should the valve stick, we may have (without a block valve) a sustained LOCA. I assume that the operators will shut off HPI though not before a pressurizer valve opens, the pressurizer quench tank rupture disk blows, and a small spill occurs. If the valve sticks open (and cannot be isolated), the operators must restart HPI.

Spurious HPI actuations are quite common.

We assume here that the frequency of spurious HPI actuations which remain on long enough to challenge a pressurizer valve is one per year.

Borrowing from the prior analyses we can draw the following event trees for the high head HPI design:

Without PORV (or PORV left blocked)

[Event tree: Spurious HPI Actuation at 1./yr, with headings Safety Valve Closes Upon HPI Shutoff and HPI Restart; outcomes are small spill at 1./yr, large spill at 10-3/yr and core melt at 10- /yr. A branch value of 10-3 is legible in the source.]

With PORV installed and unblocked

[Event tree: Spurious HPI Actuation at 1./yr, with headings PORV Closes Upon HPI Shutoff, Block Valve Closes and HPI Restart; outcomes are small spill at 1/yr, small spill at 10-2/yr, large spill at 10-4/yr and core melt at 10-7/yr. A branch value of 10-2 is legible in the source.]

Note that if a PWR has a PORV and high head HPI, it is better to run with the block valve open, so the isolatable PORV can take the brunt of spurious HPI actuations as well as feedwater transient-induced LOCA's. Note also that the core melt sequences caused by spurious HPI actuation in plants with high head HPI is acceptably small and can be made smaller still if the PORV only lifts (block valve left open). It is roughly balanced by comparable risk reductions in that for these designs, the PORV need not open to accommodate feed and bleed.

However, we should note that there is a real economic incentive to avoid the blown pressurizer quench tank rupture disk and the attendant small spills. If we assume a five day outage at one million dollars a day for small spills and a 100 day outage for a large spill, then the present worth of expected losses due to spurious HPI actuation in these designs is:

1 event/yr x 5x10^6 $/event x 10 year exposure = $50 million

from the small, frequent spills with either design variant. For the large spills (unisolated LOCA) we have:

Without PORV: 10^-3/yr x 10^8 $/event x 10 yr = $10^6

With PORV: 10^-4/yr x 10^8 $/event x 10 yr = $10^5

Thus utilities are subject to a significant incentive (present worth of projected losses of $50 million) either to employ HPI pumps that cannot lift a pressurizer relief valve or to go after improved prevention of spurious HPI actuations or both.
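The two spurious-HPI-actuation event trees and the outage-loss figures above can be reproduced mechanically. The Python sketch below is an added example, not part of the memo: it uses the round branch probabilities the memo quotes (valves sticking open once in 1,000 or once in 100 challenges, block valve left unclosed once in 100), and the HPI restart failure probability of 10-3 is an assumption read from the partly legible tree.

```python
"""Linear event-tree quantification for the spurious HPI actuation cases."""

def quantify(initiator_per_yr, headings, final_outcome):
    """Return {outcome: frequency per year}.

    headings is a list of (outcome_if_success, p_failure). Success at a
    heading ends the sequence in that outcome; failure carries the remaining
    frequency to the next heading. Failing every heading gives final_outcome.
    """
    freq, carried = {}, initiator_per_yr
    for outcome, p_fail in headings:
        freq[outcome] = freq.get(outcome, 0.0) + carried * (1.0 - p_fail)
        carried *= p_fail
    freq[final_outcome] = freq.get(final_outcome, 0.0) + carried
    return freq

def expected_loss(freq_per_yr, outage_days, cost_per_day=1e6, exposure_years=10):
    """Expected outage cost in dollars over the exposure period."""
    return freq_per_yr * outage_days * cost_per_day * exposure_years

SPURIOUS_HPI_PER_YR = 1.0   # memo's assumed initiator frequency
P_HPI_RESTART_FAILS = 1e-3  # assumption: read from the partly legible tree
OUTAGE_DAYS = {"small spill": 5, "large spill": 100}  # memo's outage lengths

WITHOUT_PORV = quantify(SPURIOUS_HPI_PER_YR, [
    ("small spill", 1e-3),                 # safety valve closes on HPI shutoff
    ("large spill", P_HPI_RESTART_FAILS),  # valve stuck open, HPI restarted
], "core melt")

WITH_PORV = quantify(SPURIOUS_HPI_PER_YR, [
    ("small spill", 1e-2),                 # PORV closes on HPI shutoff
    ("small spill", 1e-2),                 # PORV stuck, block valve closed
    ("large spill", P_HPI_RESTART_FAILS),  # unisolated LOCA, HPI restarted
], "core melt")

if __name__ == "__main__":
    for name, tree in (("without PORV", WITHOUT_PORV), ("with PORV", WITH_PORV)):
        print(name)
        for outcome, f in tree.items():
            days = OUTAGE_DAYS.get(outcome)
            loss = f"${expected_loss(f, days):,.0f}" if days else "n/a"
            print(f"  {outcome:12s} {f:.3e}/yr  outage loss {loss}")
```

The exact branch products differ from the memo's round numbers only by the success-probability factors (for example 0.999 x 10-3 instead of 10-3), which the memo's rare-event arithmetic drops.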

There appears to be no economic penalty (other than first cost) in providing HPI pumps whose shutoff head is at normal RCS pressure, i.e., around 2250 psi.

In summary, then, this limited risk analysis cannot distinguish a difference in safety among the several ways to achieve feed and bleed capability: install one or more large PORV's, raise the HPI head above the pressurizer safety valve setpoint, or install a smaller PORV and raise the HPI head to near normal operating pressures. These choices must be made on the basis of design adequacy or thermal hydraulic considerations, preferably considering ATWS as well as the design to assure that very small LOCA's can be mitigated even though HPI or AFW may be late in starting or might be throttled temporarily by the operators. We have, however, found a plant availability incentive to avoid an HPI head so high that it can lift a pressurizer relief valve. No such penalty accrues to HPI designs with a shutoff head at the normal RCS pressure.

ATTACHMENT 4

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D. C. 20555

January 22, 1982

MEMORANDUM FOR: D. Eisenhut, DL, NRR; S. Hanauer, DST, NRR; R. Mattson, DSI, NRR; C. Michelson, AEOD; T. Murley, ROGR; H. Thompson, DHFS, NRR; R. Vollmer, DE, NRR

FROM:

Robert M. Bernero, Director Division of Risk Analysis Office of Nuclear Regulatory Research

SUBJECT:

ACCIDENT SEQUENCE PRECURSOR PROGRAM DRAFT REPORT

The attached Accident Sequence Precursor report is currently being edited by ORNL with expected publication in late March 1982. We are providing a limited distribution of the draft report for information purposes. The techniques and methodology used in the report are somewhat controversial.

For example, a question has been raised of whether the correct probabilities (absolute vs. conditional) were calculated and used to determine severe core melt probability. We are reviewing this and other methodology questions within DRA. The Precursor Report tends to indicate a core melt probability higher than calculated in typical PRAs. The report indicates core melt probability in the range of 10-3 /reactor/year vs. 10- /reactor/year for typical PRAs. The precursor program tentative findings were presented by ORNL (Joe Minarek) to NRC in meetings on 9/18/81 and 12/9/81. Two earlier draft versions of this report were given limited distribution within NRC, the first in early 1981 and the second draft report was distributed following the 12/9/81 meeting. We have indicated to ORNL that we will provide them timely comments before report publication. Please provide us with any comments you may have on this report by February 20, 1982.

Robert M. Bernero, Director Division of Risk Analysis Office of Nuclear Regulatory Research

Attachment: As Stated

cc: R. Dennig, AEOD; D. Okrent, ACRS; D. Ross, RES; L. Tong, RES; A. Thadani, RRAB, NRR

DRAFT NUREG/CR-2497 Volume 1 ORNL/NSIC-182

PRECURSORS TO POTENTIAL SEVERE CORE DAMAGE ACCIDENTS: 1969-1979

Joseph W. Minarick, Casimir A. Kukielka

Prepared for the U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research Under Interagency Agreements DOE 40-551-75 and 40-552-75

NUCLEAR SAFETY INFORMATION CENTER NSIC

ABSTRACT

Descriptions of 170 operational events, reported as LERs, which occurred at commercial light water reactor plants during 1969-1979 and which are considered to be potential precursors to severe core damage are presented, along with associated event trees and categorizations and subsequent analyses. The report summarizes work in (1) the development of methods used to screen about 19,400 LER abstracts for potential precursors, (2) the initial screening of those abstracts to determine which should be reviewed in detail, (3) the detailed review of those selected LERs which then yielded the 170 events, (4) the categorization of the 170 events, (5) the calculation of function failure estimates based on precursor data, (6) the use of probability-of-severe core damage estimates to rank precursor events and the identification of 52 events considered significant, (7) trends analyses of significant events, (8) the identification of the other events of interest which occurred within one month of significant events, and (9) calculation of an estimate of severe core damage probability per reactor year based on the event rankings.

DUE TO THE VOLUME OF THIS REPORT, ONLY THE ABSTRACT IS BEING SENT. THE BODY OF THE REPORT IS AVAILABLE UPON REQUEST.