Text

Safety Evaluation Supporting Exemption from GDC 17 Re Single Failure Criteria for Onsite Electric Power Supplies
	ML17139D313
Person / Time
Site:	Susquehanna
Issue date:	12/03/1985
From:	; Office of Nuclear Reactor Regulation
To:	;
Shared Package
ML17139D312	List: ML17139D313; ML17139D314;
References
	NUDOCS 8512110605
	Download: ML17139D313 (18)
	v • d • e

~~ AEVI

'Jp

+

0

=@%

I

~)

OO

+a*++

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D. C. 20555 SAFETY EVALUATIOfI BY TIIE OFFICE OF NUCLEAR REACTOR REGULATION SUPPORT E

EMP N

FR M GD -17 FACILITY OVER ING LIC NSE HOS. tiVF-14 AND NPF-22 PENNS L 'AtlI P

kLR ND LIGH COMP NY LUZERNE COUNTY, PENNSYLVANIA SUS UEHANNA STEAM ELEC RIC STATION UNITS 1 AND 2 SSES-1 SSES-2 DC NS.

-38 Introduction By letter dated December 21, 1984, the Pennsylvania Power and Light Company (the licensee) proposed changes to Technical Specifications 3.7. 1.2 and 3.8.1. 1.

The changes were proposed on a one time basis to allow the licensee to remove the 4 existing diesel generators (DG-A,B,C and D) one at a time, from service for an accumulated time of 60 days, i.e.,

an average of 15 days per diesel generator, which is much more than the limit of 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months (3 days) permitted by the present Technical Specifications.

The changes are needea in order to perform work on the connection of the power and control circuits to the new fifth diesel generator (DG-E) which is being installed at the Susquehanna Station.

The change would allow the Units to operate while the fifth diesel generator tie.-in work is being conducted.

The staff has found that approval of the proposed change to the Technical Specifications would also require the granting of an Exemption from GDC-17 along with the issuance of the amendment request.

Meeting the single failure criteria for onsite electric power supplies is required by 10 CFR 50, Appendix A, Criterion 17 which states:

"The onsite electric power supplies, including the batteries and the onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure.

The main purpose of the fifth diesel generator is to avoid a two unit shutdown, if one of the four existing diesel generator becomes inoperable.

The SSES Technical Specifications require plant shutdown within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months of declaring a diesel generator to be inoperable.

The fifth emergency diesel generator will be used as a replacement and will have the capability of supplying the emergency loads of any one of the four existing diesel generators.

As such, the main purpose of the fifth diesel generator is to allow maintenance to be performed on any one of the four existing diesel generators without the necessity for a two unit outage.

By letters dated July 1, 1985, August 7, 1985, August 23, 1985, and September 4,

1985 the licensee provided additional information in support of the proposed changes.

By letter dated September 23, 1985, the licensee requested the related one time exemption from GDC-17.

For evaluating the changes to the Technical Specifications and the acceptability of this Exemption, the staff reviewed the licensee's technical justifications for each change and also their justifications based on a Probabilistic Risk Assessment (PRA) study on the subject.

The staff also reviewed the reli-ability of the Offsite Power System as the preferred source of power to the plant safe shutdown systems; and the reliability of the existing diesel 8512110605 851203 PDR ADQCK 05000387 P

PDR generators to ascertain that, while one of them is taken out of service to complete the new diesel generator tie-in work under the extended Limiting Conditions for Operation (LCO), the remaining three will provide a reliable source of emergency power.

The tie-in work itself, including applicable procedures, was reviewed to demonstrate that this work will not degrade the operability of the safe shutdown systems, including the remaining diesel generators, while the plant continues to operate.

Included in this review was the adequacy of the post-modification testing for each diesel generator (i.e. testing before a diesel is returned to service and another one is taken out of service for the tie-in work).

The staff also reviewed the related plant Emergency Procedures, and operator training and knowledge, to verify that such procedures are adequate in dealing with a postulated emergency while in the extended LCO and that the operator would properly respond to the emergency.

The details of this review are discussed below.

Evaluation A.

Technical S ecification Chan es In order to determine the acceptability of this Exemption and its overall safety implications, it is important to understand the Technical Specification changes being made.

It is the change to the Technical Specifications (i.e. extending the diesel LCO for an INOPERABLE diesel) that has warranted this Exemption for SSES-1 and SSES-2.

The changes to the Technical Specifications are described below.

Action a. of TS 3.8.1.1 1.

The footnote associated with Action a. of TS 3.8. 1. 1 requires that prior to removing any diesel generator from service, in order to do work associated with tying-in the E diesel, Surveillance Requirement 4.8.1.1.2.a.4 will be performed during the previous 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

2.

TS 4.8. 1.1.2.a.4, is changed from testing 4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months after the

LCO, to testing 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months after one diesel is removed from service.

3.

The subsequent testing frequency of 4.8.1.1.2.a.4 is changed from testing the diesels once every 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months to once every 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

4.

Action a. of 3.8.1.1 is changed from requiring diesel generator operability within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months of the LCO to a total time of 60 accumulated days for all four diesel generators.

Action b. of TS 3.8.1. 1 5.

The start of the first testing per TS 4.8.1.1.2.a.4 is changed from testing within 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months after the LCO to testing within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months after the LCO.

6.

Same change as described in item 3 of Action a. above.

Action c.

TS 3.8.1.1 The words "except as noted in specification 3.7.1.2" have been added to alert the operators that the ESW pump associated with the inoperable diesel generator will not automatically start upon demand.

Action d. of TS 3.8.1.1 7.

The present TS requirements will be applicable during the fifth diesel generator tie-in work.

During a conference call on October 17, 1985 with the licensee it was determined that there was no basis to change the existing 3.8.1.1.d Technical Specification as it adequately covers the extended LCO conditions.

Action e. of TS 3.8.1.1 8.

The present TS requires surveillance 4.8.1.1.2.a.4 to be performed within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months and at least 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months thereafter; three of the diesels must be restored within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months or be in Hot Shutdown (HS) within the next 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

The changed TS requires surveillance 4.8.1.1.2.a.4 to be performed within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months ; at least three diesels must be operable within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months or be in HS within the next 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

9.

The present TS requires all four of the diesel generators to be restored to operable status within 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months .

The changed TS requires three diesels to be operable before following Action a.

Action a. of TS 3.7.1.2 10.

The footnote to TS 3.7.1.2 Action a.l. allows the Emergency Service Water (ESW) pump associated with the diesel taken out of service to remain inoperable until its associated diesel generator is returned to service.

The staff evaluation of the licensee's justification for the above changes is as follows:

1.

When a diesel is taken out of service for the purpose of tying in the E

diesel, the remaining three diesels will be tested for operability during

~

the previous 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

A certain fraction of a diesel generator's failure to start comes from failures to the diesel incurred while in standby status.

By successfully testing the diesel before the demand is required, the reliability of successful starts is inherently increased by decreasing the time in standby status.

This is also consistent with the operating practice which the licensee already employs.

2.

The 72 hour8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months testing frequency used when a diesel is taken out of service is based on Generic letter 84-15 (Reference

12) and on the present TS Table 4.8.1.1.2-1, Diesel Generator Test Schedule.

Generic letter 84-15, Item 1, encourages a reduction in cold fast starts as a means of pre-venting premature diesel engine degradation.

Table 4.8. 1. 1.2-1 prescribes the test frequency by the number of failures in the last 100 valid tests.

3.

4 ~

5.

6.

7.

8.

9.

10.

Under the worst case condition, the diesels would be required to be tested every 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months to prove operability.

This change is consistent with the recommendations of Generic letter 84-15 and the TS aiesel generator operability requirements.

Same justification and evaluation as item 2 above applies.

The TS change allows 60 days of accumulated diesel generator inoperability to accommodate tying in the E diesel.

It was estimated that approximately 15 days per diesel would be required to make all power control circuit connections.

The safety significance of having a diesel inoperable for 60 days was evaluated on a Probabilistic Risk Assessment (PPA) basis.

For the technical adequacy of justification of the PRA, refer to Section F. under the evaluation section of this report.

Changing the start of first testing from within 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months after the LCQ to within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months is based on the fact that a diesel will not be taken out of service when an offsite circuit is already out of service.

The last diesel test will be within the previous 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months and therefore testing the diesels within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months adequately establishes reliability.

Same justification and evaluation as item 2 above applies.

No change in current technical specification.

The reduced testing (i.e.,

no testing every 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months thereafter) is consistenx with the recommendations of Generic Letter 84-15.

(see item 2. above).

Furthermore, the diesels would have been tested prior to but within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months of the LCO work and also tested every 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months after entering the LCO.

The diesels would be tested again within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months if two or more diesels become inoperable.

Therefore, the reduced testing is acceptable.

The change in the present TS reflects the fact that it will be normal, during the temporary TS change, for a diesel to be out of service.

The licensee has stated that removing a diesel generator does not affect the automatic transfer from the A to the B train of the ESW system.

The effect of the loss of the associated ESW pump on the associated systems is addressed by the PRA study.

This change poses no significant decrease in plant safety or its core cooling capability and is therefore acceptable.

Based on the above, the staff concludes that these TS changes are based on conservative principles, conform to applicable guidance on the subject, and are therefore acceptable.

In addition, the staff concludes that the licensee has taken appropriate measures to compensate for takirg a diesel out of service beyond the presently allowable 3 days and that a temporary exemption from the requirement to comply with the single failure criteria for onsite electric power supplies as stated in 10 CFR 50, Appendix A, Criterion 17 is acceptable.,

Reliabilit of Offsite Power S stem The offsite power system is the preferred power source for the plant.

The bulk power system (electrical grid) is the source of electrical energy for the offsite power system.

The safety function of the offsite power system is to furnish electrical energy to assure that the specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary will not be exceeded as a result of anticipated operational occurrences and that core cooling, containment integrity, and other vital dependent offsite circuits of sufficient capacity and capability supply electrical power to the onsite distribution system for Susquehanna Units I and 2 to provide for the above safety function.

In the unlikely event of a simultaneous loss of both offsite circuits, an onsite emergency power system, which is common and shared between Units I and 2, provides this function.

The staff had previously reviewed the design of these systems and had concluded that the design meets the requirements of General Design Criteria 5, 17 and 18 and is acceptable (Reference 7).

The offside power system is designed to provide a reliable source of power to the plant'safe shutdown systems.

The two separate sources of offsite power have sufficient separation and isolation so that no single event such as transformer failure or transmission line tower failure can cause simultaneous disruptions of both sources.

The licensee's plan for the bulk power system is in accordance with established bulk power planning criteria.

These criteria are based on the Reliability Principles and Standards of the Mid-Atlantic Area Council which is a regional reliability council of the National Electric Reliability Council.

Digital power flow and transient stability studies were conducted to demonstrate that the bulk power system is in compliance with these reliability criteria.

The digital power flow studies include an evaluation of all practical single contingencies, including double circuit power line outage conditions and several abnormal system disturbance conditions.

Transient stability studies show that, for various 230-kilovolt and 500-kilovolt system faults, system stability is maintained and satisfactory restoration of the system voltage occurs resulting in no interruptions of the offsite power supply system.

The loss of either Susquehanna Unit I or Unit 2 represents the loss of the largest single supply to the grid.

For the loss of either Susquehanna unit, grid stability and integrity are maintained (Reference 7).

Based on the results of the stability studies presented in the Final Safety Analysis Report, there is reasonable assurance that the ability of the Pennsylvania Power and Light Company grid to provide offsite power to the Susquehanna Steam Electric Station will not be impaired by the loss of the largest external single supply to the grid, the loss of the most critical transmission line, or the loss of a Susquehanna unit itsel f.

In the unlikely event of loss of offsite power.(LOOP), i.e., simultaneous loss of both offsite sources, procedures are in place to restore offsite power to the plant.

The restoration time depends upon the cause of the outage.

If no damage exists, the offsite power can be restored within minutes by automatic or supervisory switching operations.

In the event of a grid blackout, it is expected to restore the offsi.te power to the plant within 2 to 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months .

Finally, in most cases, the restoration is expected within 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months (Reference 3 and 4).

In the unlikely event of a LOOP, the plant could still be safely shutdown using the onsite emergency power system and onsite batteries.

Of the 4

existing diesel generators in the onsite emergency power system, one is sufficient to place both units in the cold shutdown condition.

Three diesel generators provide sufficient power to place both units in cold shutdown conditions, following a simultaneous loss of offsite power and a design basis loss of coolant accident in one unit (Reference 4).

During the LCO work involving any of the 4 existing diesel gererators, the licensee will take all precautions to maintain the high reliability of the two offsite power sources.

Similarly, when a significant degradation of the reliability of the offsite power sources is expected, such as during severe weather conditions, the licensee will not undertake the tie-in work. If the tie-in work is already in progress under these conditions, the licensee will exit the LCO as expeditiously as practical (Reference 4).

These precautions will ensure maintaining the reliability of the offsite power system during the tie-in work.

In the unlikely, event of a station blackout (SBO), i.e.,

a simultaneous loss of both offsite and onsite alternating current power systems, the plant can sustain such an event for an estimated period of 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months using in place plant procedures (Reference 4 and 13).

8ased on the above, the staff concludes the reliability of the offsite power system is adequate for allowing the licensee to extend the existing LCO for the onsite electrical power sources on a one time basis, and that sufficient redundant methods exist to safely shutdown the plant in the event of anticipated operational occurrences or postulated accidents during the extended LCO.

Reliabilit of Installed Diesel Generators Reliability and capability of diesel generators for onsite Emergency Power Systems are required by 10 CFR 50, Appendix A, Criterion 17.

The four installed diesel s at Susquehanna demonstrated this reliability ard capability by successfully completing the test requirements of IEEE Standard 387-1977 (Reference 15).

Periodic on-going surveillance testing in accordance with Plant Technical Specifications will assure continued capability and reliability of the diesel generator systems.

During the first quarter of 1985, the NRC staff conducted a reliability evaluation of the Susquehanna diesel generators by reviewing the failure history of the diesels.

Conclusions reached during this study are that the present 0.99 diesel generator reliability is adequate, based upon only one valid failure in the last 100 starts (Reference 14).

Further review by the NRC Regional Office, of the subsequent operation and failure history of the diesels, confirms the reliability conclusions of this study.

A review of failure causes by the licensee with the diesel generator manufacturer has led to several changes which should further assure a continued high level of reliability.

Based upon the above, the staff concludes that the three remaining OPERABLE Susquehanna diesel generators will provide a reliable source of onsite emergency power during the this 60 day period in which the tie-in work will be performed.

D.

Work Performed Under the LCO Sequentially, one at a time, the four diesel generators will be taken out of service to modify power, control, and instrumentation circuitry such that the new 5th diesel generator can function as a manual swing spare for any one of the four existing diesels.

Work to be performed during the Limiting Conditions for Operation will be performed in accordance with licensee plant modification procedures.

The procedures include the following:

Yiodification of the diesel generators' KV power cubicles split the power bus bars such that incoming power from each diesel generator is routed through a

new dual circuit breaker cubicle and then to the safety related 4KV busses.

The work consists of removing bolted sections of bus bars in the 4

KV power cubicles and terminating power cables to the dual circuit breaker cubicle.

2.

Routing control, instrumentation and alarm circuits for each diesel generator such that they go through new switching cubicles which permit manual switching of these circuits such that the 5th diesel generator circuits assume the identity of any of the four existing diesels.

This work consists of determinating circuits in each diesel generator motor control center, engine and generator control cubicles.

Determinated cables will be pulled out of these cubicles and reterminated in new terminal boxes that are wired to the new switching cubicles.

New cables will be pulled into the cubicles to make up circuits at terminal points where other wiring was determinated earlier.

Additional alarm and indication circuits will be installed for the diesel generators'ircuit breakers.and transfer switches alignment information.

All work performed ivi11 be inspected,

tested, and verified in accordance with licensee procedures prior to declaring a modified diesel generator

operable, and returning it to service for plant operation.

Verification will include power, control, instrumentation and alarm circuits testing.

Verification also includes start-up and operation of each diesel including synchronizing and loading onto the grid.

The verification of operability must be completed prior to taking another diesel generator out of service for tie-in work.

The staff reviewed the modification packages and the applicable procedures and drawings, to verify that no adverse effects on the safety related systems will be caused by the LCO work.

The staff concluded that the work to be performed during the tie-in of the 5th diesel generator does not cause degradation of, or.adversely affect the ability of the other diesel generators or other safety related systems and equipment to perform their intended safety functions.

All work performed during the extended LCO is performed on diesel generator equipment and circuits that are both physically and electrically isolated from other safety related circuits and equipment.

This isolation assures no adverse effects on other plant safety related systems.

Based on the above, the staff concludes that the 5th diesel generator can be installed in accordance with the licensee's design modification packages and plant modification procedures without degrading other plant safety related systems.

Emer enc Procedures and 0 erator Trainin The licensee has developed sufficient emergency procedures to respond to a partial or complete loss of any or all sources of power to safe shutdown systems.

This includes situations involving loss of offsite power sources, onsite power sources, and a simultaneous loss of offside and onsite power sources (station blackout).

In the event of a station

blackout, the reactor core isolation cooling (RCIC) system, or high pressure coolant injection (HPCI) system can be used to provide make-up water to the reactor vessel for a period of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months .

It is estimated that the plant can sustain a station blackout for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months using

RCIC, HPCI, and the diesel driven fire pump.

The staff has determined that the licensee has developed sufficient emergency procedures for these systems (Reference 4).

Additional emergency procedures did not have to be developed for the period of the LCO extension.

The existing emergency procedures already encompass these operational conditions.

The staff reviewed'elected samples of the procedures, to ascertain the adequacy of these emergency procedures dUring the LCO extension.

Operator training and knowledge related to these procedures was also reviewed.

Each was found to be adequate.

PRA Evaluation This portion of the staff's overall review gives the staff estimate of the increment in probability of severe core damage from this one-time Technical Specification change and related one-time exemption and gives the analysis in support of this estimate.

In reference 1,

PPhL estimated the increment in core melt probability from this one-tjme Technical Specification change and one-time exemption as 1.4xlG

the analysis supporting this estimate is given more completely in reference 3.

The staff has obtained a conservative estimate of 3x10 (or about 20 times larger than the licensee's estimate) for the increment in core melt probability from this temporary Technical Specification change and temporary exemption from GfC-17.

Of this, there is an estimated probability of about 2x10 that both units will e~perience severe core damage, and an estimated probability of lxl0 that unit 1 will experience severe core

damage, but not unit 2, with the same probability for unit 2 experiencing severe core damage, but not unit l.

Thus the probability thar. at least one o( the units will experience severe core 'damage is increased by 4x10

, by rhe temporary Technical Specification change and one time exemption.

This does not take into account the fact that, after the 5th diesel generator is connected, the frequency of severe core damage will be decreased so that the probability of severe core damage over the lifetime of the units would likely decrease.

The staff estimate of severe core damage is modeled on the analysis of loss of offsite power transients at the Shoreham Nuclear Power Station, as given in the BNL review of the Shoreham PRA (Reference 16).

(The Shoreham plant and the Susquehanna plant are both BMR-4 plants.)

In addition, information was obtained from the station blackout evaluation performed by PPSL for Susquehanna (Reference 17).

There are two major reasons for the difference in results in the staff analysis and the analysis given by the licensee in reference 3.

The first is the frequency of extended losses of offsite power.

The reference 3 analysis assumes that the frequency of losses of the offsite power exceeding 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months is Bx10 /yr.

The staff, basing its analysis on NUREG-1032, draft for comment (Reference 18), obtain~

a frequency of losses of offsite power exceeding 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months of 6x10

/yr, nearly two orders of magnitude higher.

The second major reason for the difference in estimates of the probability of severe core damage for this requested exemption is the inclusion of an additional sequence.

During station blackout the only reactor vessel water level indication available in the control room is narrow range indication.

These narrow range indicators will read higher than the true water level, because of flashing in the reference leg which occurs on the loss of drywell cooling.

Therefore, there is the potential for human error in excessive throttling of HPCI or RCIC, and core uncovery, or conversely, in excessive water flow to the reactor resultino in a level 8 trip, with subsequent failure in restart of the high pressure coolant injection system or the reactor core isolation cooling system.

The value for the human error was taken from the BNL analysis for Shoreham.

S stem Anal sis DC Sy stems At Susquehanna, there are both 125 VDC batteries, required for operation of the safety/relief valves in the relief mode, and 250 VDC batteries, required for operation of the High Pressure Coolant In-'ection (HPCI) and Reactor Core Isolation Cooling (RCIC) systems.

According to the Station Blackout Analysis and Test Plan of the licensee (Reference 17), the 125 VDC system is expected to last a minimum of 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

When these batter ies are exhausted it will be impossible to main-tain depressurization.

According to the same

document, the 250 VDC batteries, required for RCIC and HPCI operation, will last 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

According to informatior obtained informally from the licensee, the RCIC and HPCI systems also require 125 VDC, because Bailey controllers in these systems are on 125 VDC buses.

The Shoreham PRA made a similar statement for its battery lifetime, but BNL rejected the assumption, estimating the batteries would last only 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months , similar to the time batteries would last in other BMRs reviewed by BNL.

The staff has made the same assumption of a 10 hour1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months battery lifetime, for 250 VDC system.

Reference 17 indicates that the 125 VDC lifetime can be extended by transferring some of the emergency lighting loads by center-tapping the 250 VDC batteries and running temporary cables.

The staff has therefore assumed that the 125 VDC batteries will be available for 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months .

In estimating the life of the 250 VDC batteries, the number of trips/restarts of the RCIC system must be taken into account.

As mentioned above there is only narrow level indication of reactor vessel water level in the control

room, so that minimization of the number of trips/restarts of the RCIC system may be difficult but must be. taken into account.

Me note that because HPCI and RCIC are estimated to fail in a time frame on the order of 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months , according to the licensee, even if the 250 VOC batteries were to last longer, the estimated core melt probability (due to the one-time Technical Specification change and one-time exemption) would be essentially the same.

Diesel-driven Fire Pum As long as the reactor is depressurized, and as long as HPIC or RCIC is available for the first hour, then, after this time, the diesel-driven fire pump could be used to maintain core cooling.

However, the Shoreham PRA gave no credit for the use of the diesel-driven fire pump at Shoreham, because its use requires extensive operator action under high s.ress conditions.

The staff will also not give any credit for the diesel-driven fire pump for this case.

The staff notes, however, that the results are insensitive to the assumption that the diesel-driven fire pump will not be used successfully.

The reason is that the use of the diesel-driven fire pump requires maintenance of depressurization, and this requires the 125 VDC batteries.

As will be seen

below, one of the most important sequences involves a station blackout in excess of 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months .

Since the batteries are assumed to deplete in 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months , depressurization cannot be maintained in excess of 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months , and the diesel-driven fire pump cannot be used to mitigate this sequence.

Another important sequence involves prompt failure of HPCI and RCIC, under station bfackout conditions.

Th',s sequence also cannot be mitigated by the diesel-driven fire pump.

Onsite AC S stem The diesel generators depend o>> service water.

It turns out that the emergency service water (ESW) system is configured such that the failure of or unavailability, of diesel generators A and B will fail fans which cool the service water pumps.

The licensee has assumed that failure of these fans in effect will fail the service water pumps.

The staff has made the same assumption.

In addition, there are dependencies of certain valves in the service water sytem on diesel generators A and B.

With service water failed, the other diesel generators are failed consequentially.

It follows therefore that if diesel generator A is in maintenance and diesel 8 fails, or vice versa, then the other diesel generators will fail, according to the licensee's assumptions.

The licensee has, for simplicity, assumed in effect that the failure of or unavailability of any two diesel genreators leads to station blackout.

The staff has made the same assumption.

In addition, we shall take

.03 per demand as the failure-to-start probability for a diesel generator.

This is a typical, industry average value, given, e.g., in the IREP Procedures

Guide, NUREG/CR-2778.

Such a value may be conservative, for the present case.

The reason is that a certain fraction of the failures of diesel generators are related to the time in standby since the last test.

During LCO extension the remaining three diesel generators will be tested 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months before each diesel generator is taken out of service.

Thus the standby-related failures will be decreased.

Although there is some uncertainty as to the relative importance of the standby-related

failure, Mankamo and Pullekinen (Reference

19) state that the diesel generator failure probability is described mainly by the standby failure rate, and that the starting-stress-related failures are relatively small.

If this is the case, the failure probability of a diesel generator is overestimated in our analysis.

The possible conservatisms in the staff analysis are probably greatest in the staff's treatment of the failure probability of the onsite power system.

A nonconservatism in the staff's analysis is the neglect of sequences involving diesel generator failure to run.

Fre uenc of Losses of Offsite Power Exceedin a

S ecified Duration The staff follows the procedure in NUREG-1032, draft for comment, Reference 19, in determining the frequency of loss of offsite power exceeding a specified duration.

According to various characteristics. of the plant and its grid, the procedure in NUREG-1032 assigns a plant to a

cluster of plants, and then gives, for each cluster of plants, a frequency of losses of offsite power exceeding a specified duration.

The various plant characteristics are switchyard design, grid reliability and recovery characteristics, severe weather characteristics, and extermely severe weather characteristics.

The staff assumed that the plant is in the.

grouping with best switchyard design, and best orid reliability'nd recovery characteristics.

This assumption does not play a paramount role in the actual number because of the severe

weather, and extremely severe weather characteristics of the plant.

The following information, obtained from the Susquehanna FSAR (pages 2.3-3 to 2.3-6),

was needed for the computation of the severe weather indices used in t<UREG-1032, draft for comment:

(1)

There were 38 tornadoes within 50 miles of site, between 1950 and 1973.

(2)

The frequency of winds exceeding 74 miles per hour is.02/year.

(3)

There are between 40 and 50 inches of snow per year.

Therefore, the staff obtains the following weather hazards rates n

h(tornado)

= 2.1xl0 mi /yr h(wind)

=.02/year h(snow/ice)

= 45 inches/yr The expected frequencies of loss of offsite power from each weather related cause is given by the formula listed below:

S=ph,

where, from reference 18 P(tornado)

= 27 mi P(wind)

=.026/incide~t P(snow/ice)

= 1.8xlO

/inch of snow fall The staff obtains for the expected frequencies of losses of offsite power of each weather type, S(tornado)

=.005//yr S(wind)

= 5.2x10

/yr S(snow/ice)

=.008/yr The sum of the categories of S is.0142, which places Susquehanna in severe weather category S3.

The plant does not have the capability of recovering from a severe weather induced loss of offsite pow'er within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months .

It is therefore in recovery class 2, which places it in severe weather/recovery class SR6.

The tornado frequency places the plant in extremely severe weather category SS4.

With this assignment of the plant to S3 and SS4, Table A.10 of NUREG-1032, (draft for comments) indicates that Susquehanna is in cluster. 4.

This assumes we are interested in an average, year-round, frequency of loss of offsite power.

However, the actual outage will likely take place in the winter.

In this case, the severe weather/recovery class will still be SR6.

The frequency of losses of offsite power due to snow increases, and that due to high wind and tornadoes decreases.

However, the chance of a loss of offsite power due to extremely severe weather conditions (winds in excess of 125 mph) decreases.

Hevertheless, it is judged that even if one con-sidered that the diesel generator outage will likely take place in the January/February time frame, that Susquehanna is still assigned to cluster 4.

Using the assignment of the plant to cluster 4, valid for an average year-round frequency of losses of offsite power, the following frequencies of losses of offsite power exceeding t hours is obtained from Figure A. 14 of Reference 18:

1/2 hr 4 hrs 10 hrs

, Se uences and Their uantification fre uenc

.045/yr

.011/yr

.006/yr The staff has estimated the probability of severe core damage (due to the temporary Technical Specification change and one-time exemption from GDC-17) from the sequences judged most important.

The selection of the most important sequences was determined from an examination of the BNL review (Reference

16) of the Shoreham PRA.

The sequences we have selected contribute about 2/3 of the core melt frequency from the loss of offsite power initiator, in the BNL review of Shoreham.

The neglect of the other sequences constitutes a

non-conservative assumption.

We will first estimate the probability per year of severe core damage from loss of offsite power transients under the condition that one diesel generator is out of service.

Then, by multiplying by 60/365, we obtain the increase in core melt probability from the 60 day cumulative outage.

As discussed earlier the staff assumed that the diesel generator that is out of service is either d',esel generator A or B; if diesel generator A is out of service, and diesel generator B fails (or vice versa),

then station blackout follows.

Se uences Involvin Loss of Reactor Water Level Instrumentation The sequence is therefore quantified as follows, assuming diesel generator A is out of service:

frequency of loss of offsite power exceeding 1/2 hour:

.045/yr probability Diesel Generator B fails:

.03 probability of Human Error due. to loss of 'wide range water level instrumentation in control room:

.05

6. Bx10 /yr Sequence frequency At Susquehanna, under station blackout conditions, there is a loss of all reactor water level instrumentation in the control room, except for narrow r'ange water level indicators.

fioveover, the reference leg of these narrow range water level indicators may flash, so that the reactor water level indication will be higher than the true water level.

Under these circumstances, BNL estimated the conditional probability of core melt as

.05, and the staff has used this value.

If there is excessive throttling of the high pressure

system, the core will uncover.

If there is excessive flow to the reactor, there will be level 8 trips.

Each restart of the high pressure system represents a battery drain, and a

challenge to the high pressure system.

The staff notes that wide range water level indication will still be available outside the control room, at a local reactor building instrument rack (see

p. 2-5 of Reference 1/). If communication could be set up between this local reactor building instrument rack and control

room, and appropriate procedures followed, it would appear that the frequency of this sequence could be decreased.

Se uence Involvin HPCI/RCIC Prom t Failures The staff takes the probability of joint failure of HPCI and RCIC as.01, from the BNL review of Shoreham.

This value applies to the.0-2 hr time frame after offsite power is lost.

The quantification, again assuming that diesel generator A is out of service, is:

frequency of losses of offsite power exceeding 1/2 hr:

probility of Diesel Generator B failing to start:

probability that HPCI and RCIC fail Sequence frequency Station Blackout for 10 Hours

.045/yr

.03

.01 1.4x10

/yr As discussed, the staff has assumed a depletion time for the 125 VDC batteries and the 250 VDC batteries of 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months , but even if the 250 VDC batteries had a longer depletion time, the results would not be affected

much, because of failure of HPCI/RCIC due to lack of room cooling.

The quantification, again assuming that diesel generator A out of service:

frequency of loss of offsite power for greater than 10 probability Diesel Generator 8 fails:

failure to repair diesel generator in 10 hrs:

Sequence frequency hrs:

.006/yr

.03

.5 5

9X10 /yr Se uence Involvin Station Blackout for Between 4 and 10 Hours with Failure o

PCI and RCI in 1s ime eriod.

BNL, in its review of the Shoreham PRA, estimates a probability of 0. 13 for joint failure of HPCI and RCIC in*the 4 to 10 hour1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months time frame; the principal cause of this joint failure is premature battery failure.

The quantification, again assuming diesel generator A is out of service is then:

frequency of losses of offsite power for between 4 and

.0011-.006

=.005/yr probability that diesel generator 8 fails probability that HPCI/RCIC fails probability of nonrecovery of diesel generator Sequence frequency 10 hrs.

=

.03

=.13 7

1. 4x10

/yr

CI I

Increase in Core Vielt Probabilit from the 60 Da Cumulative Outa e

for the Diese1 Generators As mentioned

above, to determine this increase in core melt probability we must sum the above sequence frequencies and multiply by 60/365.

The staff has obtained a probability of 3x10 The 1~st two sequences lead to a double core melt; hence the part of the 3x10 corresponding to a double core melt is 1.7x10

, and the probability that Unit 1 will )ave a core melt, but not Unit 2, durirg the outage period, is 1.3x10 Conclusion Based on the above discussion in sections A-F, the HRC staff has concluded that the proposed temporary Exemption from 10 CFR 50, Appendix A, Criterion 17, is authorized by law, will not endanger life or property or the common defense and is otherwise in the public interest and should be granted.

Dated-'OEC C S SBS

References 2.

3.

4.

5.

6.

7.

8.

9.

10.

Licensee letter PLA-2346, Proposed Amendment NO. 58 to NPF-14 and Proposed Amendment No.

13 to NPF-22, N.W. Curtis to A. Schwencer December 21, 1984.

Licensee letter PLA-2501, Additional Information on item 1 above, N.W. Curtis to W.R. Butler, July 1, 1985.

Licensee letter PLA-2514, Additional Information on item 1 above, N.W. Curtis to W.R. Butler, August 7, 1985.

Licensee letter PLA-2523, Additional Information on item 1 above, N.W. Curtis to W.R. Butler, August 23, 1985.

Licensee letter PLA-2524, Revision 1 to item 1 above, N.W. Curtis to W.R. Butler, August 23, 1985.

SSES Final Safety Analysis Report, Revision 35, July 1984, Section 8.0, Electric Power.

NUREG-0776, Safety Evaluation Report related to the operation of Susquehanna Steam Electric Station, Units 1 and 2, April 1982, and its supplements.

NUREG-0800, Standard Review Plan, Revision 2, July 1981.

NUREG/CR-0550, Enhancement of Onsite Emergency Diesel Reliability February 1979.

Regulatory Guide 1.93, Availability of Electric Power Sources, December 1974.

12.

13.

14.

15.

Regulatory Guide

1. 108, Periodic Testing of Diesel Generator Units Used as Onsite Electric Power Systems at Nuclear Power Plants, Revision 1, August 1977.

Generic Letter 84-15, from Director, Division of Licensing, to all Licensees, Proposed Staff Actions to Improve Diesel Generator Reliability, July 2, 1984.

Licensee letter PLA-1136, Station Blackout Safety Analysis and Test

Plan, H.W. Curtis to A. Schwencer, June 15, 1982.

NRC Internal Memorandum, Evaluations of Susquehanna Diesel Generator

Failures, L.S. Rubenqtein to H.R. Denton, March 8, 1985.

Licensee letter PLA-958, Diesel Generator 300 Start Test, N.W. Curtis to A. Schwencer, January 18, 1982.

16.

D. Ilberg, K. Shiu, N. Hanan, E. Anavim, "A Review of the Shoreham Nuclear Power Station Probabilistic Risk Assessment,"

NUREG/ACR-4050, final draft, June 1985.

17.

Letter from N.W. Curtis, Pennsylvania Power and Light, to A. Schwencer, USNRC, June 15, 1982.

18.

P.W. Baranowsky, "Evaluation of Station Blackout Accident at Nuclear Power Plants,"

NUREG-1032, draft for comment, tray 1985.

19.

T. Nankamo and U. Pulkinnen, Nuclear Safety 23, January - February

1982,

p. 32,

ML17139D313

Text

Navigation menu

Search