ML14058A057
ML14058A057 | |
Person / Time | |
---|---|
Site: | Oconee |
Issue date: | 02/19/2010 |
From: | Jeffrey Mitman Office of Nuclear Reactor Regulation |
To: | Lois James Office of Nuclear Reactor Regulation |
Shared Package | |
ML14055A421 | List:
|
References | |
FOIA/PA-2012-0325 | |
Download: ML14058A057 (14) | |
Text
v.
Mitman, Jeffrey From: Mitman, Jeffrey Y'" i4 .
Sent: Friday, February 19, 2J106:07 PM To: James, Lois
Subject:
RE: ACTION: please provide BC with latest version of the Oconee Risk Comparison paper by COB 2/19/10 Attachments: OFI - Delta Risk Assessment of Planned Mods(3).doc; Assessment of Planned Mods to Oconee.doc Lois, here are the latest version of the delta risk documents.
Jeff From: James, Lois ,
Sent: Friday, February 19, 2010 10:58 AM TO: Mitman, Jeffrey
Subject:
ACTION: please provide BC with latest version of the Oconee Risk Comparison paper by COB 2/19/10 Jeff, Please provide me with the latest version of the Oconee Risk Comparison paper that you have been reviewing/working with Walt Rogers. I am not sure it this will come up next week, but I would like to have it just in case.
Lois 1
OFI - Delta Risk Assessment of Planned Mods(3).doc OFIItUS-*Y - CrUR+*TY- Rt-AT' - tNL* WTION Assessment of Planned Modifications to Oconee's Risk Profile Executive Summary Duke Power Company has recently initiated several modifications to the Oconee Nuclear Site (ONS) to decrease the risk profile of the site. The purpose of this review is to characterize the risk benefits of these planned modifications and to contrast them with the potential risk benefit from increasing the flood protection of the shutdown facility (SSF) on the ONS. The analysis was performed using the Oconee SPAR model. The modifications considered include:
- Additional SSF protection against external floods
- Additional tornado missile protection for:
o main control room (MCR) o west penetration room o borated water storage tank (BWST) partial protection
- Additional internal events protection, by adding:
o protected service water pump (PSW) for secondary side heat removal o main steam isolation valves (MSIV)
" Additional high energy line break (HELB) protection from PSW and MSIVs for:
" main feedwater (MFW) o auxiliary steam line o main steam line (MSL) breaks
" Additional fire protection from PSW and MSIVs for:
o turbine generator o MFW As indicated by the above list of modifications, the new PSW system will have risk lowering benefits from internal events (e.g., turbine trips and steam generator tube ruptures) but it will also lower the risk from HELBs and fires. Likewise, the new MSIVs will lower risk not only from internal events but also from HELBs and fires.
The risk reductions from these modifications can be compared to the risk reduction from increasing the flood protection of the SSF from a Jocassee Dam failure and other external floods.
These valves are summarized in Table. 1 below. The details on the derivation of these values are given in the subsequent discussion.
Table I Risk Comparison of ONS Modifications Estimated Risk Modification Reduction (delta CDF per year)
Increase SSF Flood Protection 1.5E-4 Total of Currently Planned Modification (sum of values below) 8.1E-5 Tornado 6.8E-6 Internal Events 1.4E-5 HELB 1.OE-5 Fire 5.OE-5 1 of 9
OFI - Delta Risk Assessment of Planned Mods(3).doc Discussion of Probabilities SSF The SSF protects the ONS units from several different initiating events. However, the event of interest in this analysis is a flooding event which incapacitates the onsite and offsite AC electrical power systems and the turbine-driven auxiliary feedwater system (TDAFW). The most likely cause of this flood is a Jocassee Dam failure. The SSF is capable of cooling the core by maintaining sufficient water on the secondary side of the once-through steam generators (OTSGs). However, if the flood waters rise above the flood-wall surrounding the SSF, it too will fail. Currently, the flood wall will protect the SSF to a flood depth of 7.5 feet above site ground elevation.
The risk from a flood can be expressed as:
CDFf = IEFfX CCDPf (eq. 1-1)
Where:
CDFf = core damage frequency from flood IEFf = initiating event frequency of flood CCDPf = conditional core damage probability given a flood The CCDPI can be expressed as the sum of the probability of failure of the SSF from the flood overtopping the SSF flood wall and probability of the SSF failing from all other causes or:
CCDPf= Pfp+Po (eq. 1-2)
Where:
Pfp = probability of failure of SSF due to failure of SSF flood protection P. = probability of failure of SSF from all other causes Based on the Duke's only inundation study of record for the Jocassee Dam', the probability of a Jocassee Dam failure overtopping the SSF floodwall is 1.0. This inundation study gives an estimated flood height between 12.5 and 16.8 feet at the ONS from a random sunny day failure and a random failure combined with a probable maximum participation respectively. The Duke Individual Plant Examination for External Events (IPEEE) estimates the probability of failure for the SSF from all other causes Ps 0.27 . Thus the above calculations become:
CCDPf = Pl, + P. (eq. 1-3)
Where:
PfP= 1.0 P0 = 0.27 CCDPf= 1.0+0.27
'"Jocassee Hydro Project Dam Failure Inundation Study," December, 1992.
2 Duke Power Company, "IPEEE Submittal," December 21, 1995. The quantified probability is due mostly to human errors arising from several manual operator actions that need to be completed in order for the SSF to be successful to Mode 3.
2 of 9
OFI - Delta Risk Assessment of Planned Mods(3).doc However, probabilities are always in the range of 0.0 to 1.0. Therefore, the CCDPf can be no greater than 1.0. Thus:
CCDPf = 1.0 (eq. 1-4) -
To calculate the core damage frequency from a flood, we need to determine the initiating event frequency of a flood event using Equation 1-1 above. The NRC staff has estimated the failure probability of the Jocassee Dam as 2.OE-4 per year. The analyst assumed that there are no other significant contributors to the total flood frequency other than the Jocassee Dam failure.
Restating Equation 1-1 and substituting in the now known values, the core damage frequency is found:
CDFf IEFfX CCDPf (eq. 1-1)
Where:
IEFf 2.OE-4 per year CCDP= 1.0 Or:
CDFr = 2.OE-4 X 1.0
= 2.OE-4 per year To calculate the change (delta) in risk from a modification which improves the flood resistance capability of the SSF, we must determine the new core damage frequency from a modified SSF.
This change is risk is expressed as:
ACDF = CDFi- CDFm (eq. 1-5)
Where:
CDFm = IEFm X CCDPm (eq. 1-6)
Where the subscript "m" stands for the modified SSF values, and the core damage frequency for an unmodified plant (CDF1 ) is solved above. As the proposed modification has no impact on the Jocassee Dam itself, the initiating event frequency does not change, or:
IEFm = lEFt (eq. 1.:7)
= 2.OE-4 per year -
We can u&sb a modified Equation 1-3 to determine the conditional core damage probability of the modified SSF.
3 of g
OFI - Delta Risk Assessment of Planned Mods(3).doc "OF;C=AL UPE ONLY - ilFrMr TIlN, 8)U,.,,-,ELTED CCDPm = Prpm + Po (eq. 1-8)
Where:
Pfm = probability of failure of SSF from failure due to failure of SSF flood protection after modification P, = the probability of failure of the SSF from other causes remains unchanged
= 0.27 The expectation of the modification is that it will protect the SSF from flooding by increasing the height of the flood-wall, harden the SSF ventilation systems and by installing a water-tight door.
The weak link in this arrangement is the water-tight door, which is calculated to have a failure probability of 7.4E-3 per demand.3 Thus:
b)(7)(F)
(eq. 1-8)
Making the appropriate substitutions into Equation 1-6 yields a modified core damage frequency of:
(b)(7)(F)
(eq. 1-6)
And from equation 1-5, we can solve for the change in risk from the modification:
(b)(7)(F)
(eq. 1-5)
' US NRC-RES/EPRI, "Fire PRA Methodology for Nuclear Power Facilities," NUREG/CR-6850, Rev. 0, 11/2005, Table 11-3.
4 of 9
OFI - Delta Risk Assessment of Planned Mods(3).doc flFFICIAL U31 *LY S *T -RFI A.TED '.INFORM.ATIONI Tornado These modifications add additional protection to the main control room, the west penetration room and partial protection for the BWST. Without the modifications, the tornado core damage frequency (CDF) contribution is estimated at)1.3E-5 per year. Therefore, the maximum risk reduction can never exceed] 1.3E-5. tHowev~w, a number ot accident sequences will not be changed with these modifications. 1 hese sequences are estimated to contribute 5.5E-6 to core damage. Assuming for the sequences-that are affected, the modifications provide an order of magnitude improvemept- The core damage frequency from the altered accident sequences is revised downward from)7.47E-6 to 7.47E-7. *he overall risk improvement is in the range of:
ACDFt = CDFtb - CDFta (eq. 2-1)
Where:
ACDFt = delta risk from tornado modifications core damage risk from tornados base case I CDFtb = (from Oconee SPAR model)
= 1.3E-5 per year CDFw = core damage risk from tornados after modifications CDFtb = CDFt- CDFtu, (eq. 2-2)
Where:
CDFtuc = core damage risk from tornados in unchanged sequences
= 5.5E-6 per year CDFt, = core damage risk from tornados in changed sequences
= CDFtb - CDFIuc (eq. 2-3)
= (1.3E 5.5E-6) per year
= 7.5E-6 per year CDFtc,= core damage risk from tornados in changed sequences after modification CDFtX 0.1
= 7.5E-6X0.1
= 7.5E-7 per year CDFta= CDFtuc + CDFca (eq. 2-4)
= (5.5E-6 + 7.5E-7) per year
= 6.3E-6 per year ACDFt = CDFtb - CDFta (eq. 2-1)
= (1.3E 6.3E-6) per year
= 6.8E-6 per year 5 of 9
OFI - Delta Risk Assessment of Planned Mods(3).doc Internal Events The following calculations will use the "Bimbaum" risk importance measure of various systems, where Birnbaum is defined as the difference between the risk with the component failed and the risk with the component successful.
4 B= F(1)- F(0) (eq. 3-1)
Where:
B = Birnbaum of component i F(1) = Risk with the failure probability of component i set to 1.0 F(0) = Risk with the failure probability of component i set to 0.0 Protected Service Water System Duke is installing a new motor driven pump capable of providing secondary side heat removal to all three Oconee units. This system is called the Protected Service Water System. It will take suction from the CCW header and inject into each units steam generators. It Will have numerous power sources: Keowee underground, normal power and from the Lee Station via a dedicated line.
Oconee currently has a secondary side heat removal system called the tornado pump. This pump is in the internal events model. It is credited in a large number of different accident sequences. The PRA model indicates it has a Birnbaum of 2.OE-5 (test and maintenance for the pump). The NRC has never considered this estimate to be credible. The NRC estimates the true baseline Birnbaum for the tornado pump as:
Bt, = F(1)- F(0) (eq. 3-1)
Where:
Btp = Birnbaum of tornado pump F(1) = Risk with tornado pump set to 1.0 (failed)
Ro X Q (eq. 3-2)
Where:
Ro = Baseline risk from PRA model
= 2.OE-5 per year Q =?????
= 0.5 F(1) = 2.0E-5 per yearX 0.5
- 1.OE-5 per year F(0) = Risk with tornado pump set to 0.0 (successful)
= R XQ20 (eq. 3-3)
Where:
4 SAPHIRE Basics Course Book, January 2006, page 108.
6 of 9
OFI - Delta Risk Assessment of Planned Mods(3).doc 0 riF M UF OEWR O-1Y IWR E---E D INFO111ATK Q2 = ????
= 2.2E-2 F(O) = 2.OE-5 per year X 2.2E-2
- 4.4E-7 per year 131p F(1) -F(0) (eq. 3-1)
= (1.OE 4.4E-7) per year
- 9.6E-6 per year Duke is replacing the tornado pump with a more robust system called the protected service water (PSW) system, This system will be composed of a motor-driven pump which takes suction from the CCW header and is capable of discharging into all six of the Oconee steam generators. It will have numerous power sources from the Keowee Hydro Plant (both under and above ground) and the Lee Station via a dedicated transformer.
This new system will be far more reliable and its availability/reliability should be on the order of a motor-driven auxiliary feedwater (MDAFW) train. To estimate the current value of this new PSW system, the current mitigating system performance indicator (MSPI) data for MDAFW system was used:
Probability Component of failure 7E-4 = test and maintenance (T&M) probability for system 1E-3 = fails to start (FTS) probability 1.2E-4 = fails to run (FTR) probability for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> (= 5E-6
- 24) 7E-4 = motor operated valve (MOV) fail to open probability 2.5E-3 = total estimated failure probability for the PSW system (sum of above values)
Total failure probability of the new PSW system is, therefore, estimated at 2.5E-3.
Fhe new PSW system is estimated to have an overall risk improvement in the range of
[I don't know what the next calculation is calculating!)
2.0E-5 (2.2E 2.5E-3) + 9.6E-6 4E-7 + 9.6E-6 1.4E-5 High Energy Line Break Protection Also, there is another facet of the internal events that has not been captured. It deals with HELB.
Previous analysis has not fully recognized turbine building HELB. There are three break types of concern - main feedwater (MFW) break failing safety-related 4160 VAC, auxiliary steam header failing safety-related 4160 VAC, and main steam line (MSL) break.
The assumptions for each of these three line breaks are as follows:
7 of 9
OFI - Delta Risk Assessment of Planned Mods(3).doc For a MFW break, the break occurs in the vicinity of the 4160 VAC, the main turbine control circuitry and main turbine bypass valves, and that the standby shutdown facility (SSF) fails.
- For an auxiliary steam line break, the SSF does not fail.
- For a MSL break, the break occurs in the vicinity of the 4160 VAC and fails the SSF.
[Walt, for the MSL and aux steam breaks, does the 4160 and main turbine controls also fail?]
[Walt, do all of the IEFs come from NUREG/CR-5750?]
MFW line break failing 4160 VAC 3.4E-3 = frequency of an MFW line break 0.2 = probability break is close to 4160 buses 1.6E-2 = probability of failure of emergency feedwater (EFW) cross tie and manual operation of TDAFW 1.1E-5 = conditional core damage probability (CCDP) of a MFW line break without new PSW and main steam line isolation valves (MSIV) 2.7E-8 = CCDP given an MFW line break with new PSW and without new MSIVs 1.4E-8 = CCDP given an MFW line break with PSW & MSIVs (credit SSF as high dependent HRA (0.5 failure probability))
Auxiliary steam line break failing 4160 VAC 9.9E-3 = frequency of auxiliary steam line break 1.8E-2 = probability break affects 4160 buses 1.7E-3 = probability break affects the EFW cross tie and manual operation of TDAFW and SSF 3.OE-7 = CCDP given an auxiliary steam line break without PSW/MSIVs given this result further analysis is not necessary - exclude Main steam line break The MSL break is the most difficult scenario because it requires the most assumptions. There are two effects of concern. The first is a direct piping interaction with turbine building supports causing building failure and steam/condensate effects on equipment below.
Without any rigorous evaluation, the analysis assumes the probability of a building failure given MSL break is 1% (1E-2). There is a 50% probability the MSL break occurs in the turbine building and a 50% probability it occurs in the auxiliary building. The probability of an MSL break is 1.OE-2 from NUREG/CR-5750.
1.0E-2 = frequency of an MSL break 0.5 = probability bi'eak occurs in the turbine building 1.OE-2 = probability break causes a building failure 5.OE-5 = CCDP without new PSW/MSIVs 3.8E-8 = CCDP given the PSW (2.5E-3) and new MSIVs (.3)
Caution: THIS MUST BE VIEWED AS JUST A VERY BROAD SCOPING ASSESSMENT 8 of 9
OFI - Delta Risk Assessment of Planned Mods(3).doc u ONLY uOFutI. - SECURiIY-RELAT." I,"FO*,;,MTIZO4 Fire The fire analyses are ongoing and continue to be fluid. The PSW system and the MSIVs will also provide additional protection for fires. This analysis indicates that the greatest benefit of these modifications will probably occur with turbine building fires. It is for these fires that damage the normal/emergency electrical distribution system or turbine bypass control circuits that the PSW/MSIVs will provide the greatest benefit. First, it must be understood that fire damage that causes severe and rapid depressurization of the secondary side and also fails the SSF. The primary-side cooldown empties the pressurizer and potentially challenges the power-operated relief valves (PORV) and the safety relief valves (SRV) as the primary side heats up. This is a very broad evaluation and does not try to capture all the details needed in such an analysis - just that a rapid depressurization causes a SSF failure.
Two fire types will be considered: 1) large unsuppressed TG fires and 2) MFW pump fires. Note all fire frequencies are derived from IMC 0609, Appendix F.
Turbine generator fire 1.7E-3 = frequency of a large oil fire 0.28 = probability of not suppressing the fire within 60 minutes 0.1 = probability the fire affects the turbine bypass valves failing the SSF 4.8E-5 = CCDP given a large turbine generator fire without the new PSW 1.2E-7 = CCDP with new PSW 3.6E-8 = CCDP with PSW and MSIVs (with MSIV closure SSF still viable)
MFW pump fire 3.3E-4 = frequency of fire from Spanish fire and approximate historical data 2.0 = number of pumps 2.OE-2 = probability of auto water suppression failure 0.3 = probability of SSF failure 4.OE-6 = CCDP given a MFW pump fire without new PSW 1.OE-8 = CCDP given a MFW pump fire with new PSW This gives an estimated 5E-5 risk improvement due to PSW and MSIVs from fire. -
Summary The total additional protection from the ongoing Oconee modifications is the sum of the above calculations which is summarized in the table below.
Tornado 6.8E-6 Internal Events 1.4E-5 HELB at least 1.OE-5 Fire 5.OE-5 TOTAL 8.1E-5 9 of 9
Aof Planned Mo First this is my perspective only - it does not in any way reflect any other individual's or groups views either internal or external to the NRC. The modifications I am considering in this review include:
" PSW: A motor driven pump capable of providing secondary side heat removal to all three units. This pump would take suction from the CCW header and have numerous power sources - Keowee underground, normal & the Lee Station via a dedicated transformer. This is the PSW System.
" MSIV: Main Steam Isolation Valves
" Tornado Protection:
" CR walls from tornado missiles
" West Penetration Room wall for tornado missiles
" Partial Protection of the BWST from tornado missiles Tornado - Without the modifications the tornado CDF contribution is10.3E-5 Therefore, the maximum risk reduction can never exceed 1.3E-5. However, a njjwnew-6o55 accident sequences will not be changed with these modifications. This is estimated at 55E-6 This is derived from an inspection of the top 250 cutsets and making a judgment whether the cutest will remain valid or be significantly altered by the modifications discussed above. The accompanying Xcel spreadsheet indicates in red which cutsets would be unaffected. Assuming for the sequences that are affected by the modifications, there will be a CDF improvemept of a magnitude. The altered accident sequences numerical result is mvised downward from 7.47E-6 to 7.47E-7 This would place the risk improvement in the range or)6.75E-6.
Internal Events - The internal events model already includes a secondary side heat removal system referred to as the Tornado Pump. It is credited in a large number of different accident sequences. It has a Birnbaum Importance Measure of 2.04E-5 (T&M for the PUMP). I have never considered the system as very credible and the true baseline CDF involving this system as-is is probably more on the order of:
2.04E-5 * (0.5 - 2.2E-2) = 9.75E-6 which is higher than presently calculated.
A Birnbaum provides the new CDF, given the basic event for the Importance Measure, is always failed (failure probability of 1.0). Another way of looking at the result is as one large cutset:
2.04E-5 {all other basic events in the cutset}
- 1.0 {failure probability of Tornado Pump}
= 2.04E-5 {CDF)
In the nominal case the T&M basic event failure probability is12.2E-2. 6o the CDF in the nominal case would be:
2.04E-5
- 2.2E-2 = 4.5E-7
As previously stated the licensee's nominal failure probability is too low and I am using 0.5.
Therefore, the nominal case is more on the order of 2.04E-5
- 0.5 = 1.02E-5 Or 1.02E 4.5E-7 = 9.75E-6 higher than assumed by the licensee Now, this new system will be far more reliable and its availability/reliability should be on the order of a MDAFW train. Using current MSPI data the failure probability can be estimated at:
(b)(7)(F) or 2.5E-3. The overall risk improvement would be in the range oI
{irnprovement over the licensee's nominal failure probability for the l'ornado Pumpl(b)(7)(F)
{additional improvement over where I assume the nominal case to really be}. Or:
(b)(7)(F)
Also, there is another facet of the internal events that has not been captured. It deals with HELB. Previous analysis has not fully recognized Turbine Bldg HELB. There are three break types of concern - MFW break failing 4160 VAC, Aux Steam Header failing 4160, Main Steam Break Assuming MFW breaks in the vicinity of the safety related 4160 VAC buses fail turbine control circuitry /bypass valves - this fails the SSF For MSLB assume all piping sections would fail SSF
- For AUX SLB none fail SSF MFWLB failing 4160 VAC 3.40E-03 [MFWLB]
- 0.2 [close to 4160 VAC]
- 1.60E-02 [EFW cross tie and manual operation of TDAFVV] = 1.09E-05 CDF without PSW/MSIVs With PSW the CDF drops to 2.72E-08 CDF {1.09E-5
- 2.5E-3(PSW failure probability))
& 1.36E-08 with PSW & MSIVs (credit SSF as hi dependent HRA (.5 failure Pr)). With MSIVs in place the unrestricted cooldown is abated allowing the SSF to become a viable mitigation strategy. Unfortunately, there will be an over-riding human dependency failure probability {two major human actions outside the MCR - (1) placing into service and operating the SSF & (2) opening the manual EFW cross tie valves and locally starting/operating the TDAFW pump) that will be significantly higher than the SSF hardware failures.
This indicates a 1 E-5 CDF improvement Aux Steam failing 4160 VAC 9.90E-03 [AUX SLB]
- 1.80E-02 [portion able to affect 4160 buses]
given this result further analysis is not necessary - exclude The MSLB in the Turbine Bldg is the most difficult with limited basiwp.which to derive a risk evaluation. There are two effects of most concern - direct piping interaction with Turbine Bldg supports causing building failure and steam/condensate effects on equipment below.
Without any rigorous evaluation set the Pr of building failure given MSLB @ 0.01 - 1%
50% inside Turbine Bldg vs. Aux Bldg & outside Usp 1 E-2 [MSLB frequency (Cr-5750)] as the total MSLB frequency 1.OOE-02
- 0.5
- 2.5E-3 (PSW failure Pr)
- MSIVs (.3 - this 0.3 is the SSF failure Pr since the SSIý will be viable at MSIV closure) = 3.75E-08 with PSW & MSIVs Fire - The fire analyses are ongoing and very fluid. I will indicate that the greatest benefit of these modifications will probably ocurr with Turbine Bldg fire. It is in these fires that damage to the normal/emergency electrical distribution system or turbine bypass control circuits that the PSW/MSIVs will provide the greatest benefit. First it must be understood that fire damage that causes severe, rapid depressurization of the secondary side fails the SSF. The primary side cool down empties the Pzr and potentially challenges the PORvs/SRVs as the primary heats up.
This is a very broad evaluation and does not try to capture all the details needed in such an analysis - just - rapid depressurization means SSF failure.
Two fire types will be considered: Large unsuppressed TG fire & MFW Pump fire.
1 - TG Fire [fire frequencies derived from 0609, Appendix F]
1.70E-03/yr (large oil fire)
- 0.28 (inability to suppress within 60 minutes)
- 0.1 (affects 4160 buses - judgment/guess) given a fire of this magnitude it causes Turbine Bypass Valves to open failing SSF = 4.76E-05 CDF without PSW 4.76E-5
- 2.50E-03 (PSW failure) = 1.19E-07 CDF with PSW 1 .19E-7
- 0.3 = 3.57E-08 CDF with PSW & MSIVs - with MSIV closure SSF still viable 4.76E 3.57E-8 = 4.75E-5 CDF Improvement 2 - MFW Pump Fire Use 3.30E-04 fire/pump using Spanish Fire & approx historical data for frequency 3.3E-4 fire/pump
- 2 pumps
- 0.02 Auto Water Suppression failure
- 0.3 SSF failure = 3.96E-06 CDF without PSW
3.96E-6
- 2.5E-3 = 9.9E-09 with PSW 3.96E 9.9E-9 = 3.95E-6 CDF Improvement This gives an estimate4 5E-5 (isk improvement due to PSW/MSIVs from fire.
Summary - What the Mods May Be Worth:
Tornado 6.75E-06 Internal Events 1.40E-05 Special HELB at least 1E-5 Fire 5.OOE-05 Summary 8.OOE-05