ML17229A422
| ML17229A422 | |
| Person / Time | |
|---|---|
| Site: | Saint Lucie  |
| Issue date: | 07/21/1997 |
| From: | NRC (Affiliation Not Assigned) |
| To: | |
| Shared Package | |
| ML17229A414 | List: |
| References | |
| REF-GTECI-A-45, REF-GTECI-DC, TASK-A-45, TASK-OR GL-88-20, NUDOCS 9707290076 | |
| Download: ML17229A422 (9) | |
Text
ST. LUCIE, UNITS 1 AND 2, NUCLEAR POWER PLANT INDIVIDUALPLANT EXAMINATION STAFF EVALUATIONREPORT I. INTRODUCTION On December 9, 1993, the Florida Power and Light Company submitted the St. Lucie, Units 1 and 2, Individual Plant Evaluation (IPE) submittal in response to Generic Letter 88-20 and associated supplements.
On March 19, 1996 and November 4, 1996, the staff sent questions to the licensee requesting additional information. The licensee responded in transmittals dated May 23, 1996 and January 7, 1997.
A "Step 1" review of the St. Lucie IPE submittal was performed and involved the efforts of Brookhaven National Laboratory in the front-end, back-end, and human reliability analysis (HRA). The Step 1 review focused on whether the licensee's method was capable of identifying vulnerabilities.
Therefore, the review considered:
(1) the completeness of the information, and {2) the reasonableness of the results given the St. Lucie design, operation, and history. A more detailed review, a "Step 2" review, was not performed for this IPE submittal. A summary of staff's findings is provided below.
Details of the contractor's findings are in the technical evaluation report (TER) appended to this staff evaluation report (SER).
In accordance with Generic Letter 88-20, St. Lucie proposed to resolve Unresolved Safety Issue (USI) A-45, "Shutdown Decay Heat Removal Requirements."
No other specific USls or generic safety issues (GSls) were proposed for resolution as part of the St. Lucie IPE.
The submittal states that the licensee intends to maintain a "living"probabilistic risk assessment.
II. EVALUATION Both St. Lucie units are Combustion Engineering (CE) pressurized water reactors (PWRs) with large, dry containments.
Unit 1 began commercial operation in December 1976 and Unit 2 in August 1983.
The St. Lucie IPE reported an estimated a core damage frequency (CDF) of 2.3E-05 per reactor-year from internally initiated events for Unit 1 and 2.6E-05 per reactor-year for Unit 2, not including the contribution of less than 5E-07 from internal floods. The St.
Lucie CDFs compare reasonably with that of other CE PWR plants.
For Unit 1, loss of coolant accidents (LOCAs) contribute 53 percent to the CDF, transients corltribute 33 percent, interfacing systems LOCA (ISLOCA) contributes 8 percent, and steam generator tube rupture (SGTR) contributes 4 percent. Internal flooding, not included in the reported CDF, contributes less than 2 percent to the total. Anticipated transients without scram {ATWS)was estimated to be of the same order of magnitude as that for Unit 2, i.e.
9707290076 970721 Poa ADOCV. 0SO0033S P
'NCLOSURE
pt
V.
approximately 7 percent (the licensee did not report the exact value), based on a revised analysis.
For Unit 2, LOCAs contribute 49 percent to the CDF, transients contribute 31 percent, ISLOCA contributes 10 percent, AlWS contributes 7 percent, and SGTR contributes 3 percent.
As with Unit 1, internal flooding, not included in the reported CDF, contributes less than 2 percent to the total.
Based on an importance ranking, the systems whose failure contributes most to the estimated CDF are:
high pressure safety injection, emergency power, component cooling water, and auxiliary feedwater.
E The licensee's Level 1 analysis appears to have examined the significant initiating events and dominant accident sequences.
CE non-proprietary reports, the Final Safety Analysis Report, and plant-specific Modular Accident Analysis Program (MAAP) analyses were used to provide reasonable, sometimes bounding accident sequence success criteria.
Although the front-end analysis appeared
- adequate, the staff believes that some initiating event frequencies appeared low and some which relied on generic values should have received a plant-specific analysis.
An example is the initiating event frequency for loss of dc bus.
The licensee used a generic value for failure of a dc bus which is lower than NUREG-1150 (by an order of magnitude) and many other CE IPE submittals.
This transient contributed 10 percent to the CDF for Unit 1 and 5 percent to the CDF for Unit 2. Given the relative importance of this initiator to CDF, the staff believes'that the licensee should have performed a plant-specific analysis of this support system to search for failure modes not included in the generic failure data.
Examples of additional failure modes which might pertain to St. Lucie, but were not included in the generic value, include battery failure, blown fuses, loss of a distribution panel, and operator error in test/maintenance.
Another example of a potentially low initiating event frequency is that for small-small LOCAs, which account for about 30 percent of CDF at each unit. The St. Lucie frequency is lower than most other CE IPE submittals (by a factor of about three) and substantially lower (an order of magnitude) than the NUREG-1150 LOCA initiating event frequency for comparable breaks with similar success criteria., i.e., secondary side cooling required.
This may have an effect on the overall CDF magnitude but probably not on the listing of important sequences, since LOCAs already are prime contributors to CDF.
Based on the licensee's IPE process used to search for decay heat removal (DHR) vulnerabilities, and review of the St. Lucie plant-specific features, the staff finds the licensee's DHR evaluation consistent with the intent of the USI A-45 (DHR Reliability) resolution and is, therefore, acceptable.'he licensee performed an HRA to document and quantify potential failures in human-system interactions and to quantify human-initiated recovery of failure events.
The licensee considered both pre-and post-initiator human actions.
Pre-initiator human actions, such as failure to restore or properly align equipment after test or maintenance, and miscalibration of system logic instrumentation, may result in components being unavailable on demand during an initiating event.
For this portion of the HRA, the licensee used generic, screening values for these events. The St. Lucie IPE results indicate that some dominant sequences did contain miscalibration events.
While the values used appear acceptable, the fact that pre-initiators appeared in dominant accident sequences indicates that a more detailed analysis of the events would have been appropriate.
Post-initiator human actions are those required in response to initiating events or related systems failures.
The St. Lucie IPE modeled post-initiator response actions and recovery actions and their general approach seemed reasonable.
However, the staff has identified three weaknesses in the HRA analysis regarding these post-initiator human actions.
Thirteen post-initiator human actions (per unit) were quantified with a time-independent technique (most IPEs only modeled a few, if any, post-initiators in this fashion).
When a time-independent technique is employed, as was done here, the diagnosis and decision-making portion of the human action is ignored and this omission has the potential to over-estimate the likelihood of success, since the diagnosis portion of the task may not be trivial. Differences between these time-independent actions and others at St. Lucie where time was considered a factor were not easily discernable, so that it is not clear what basis was used to delineate between the various actions, i.e., it appears somewhat arbitrary.
For at least 3 of the 13 post-initiator human actions, it is not clear that time can be ignored in determining the resulting human error probabilities.
The operator actions to initiate once-through cooling, to manually initiate recirculation actuation components following loss of the automatic signal, and to secure the reactor coolant pumps after loss of seal cooling are relatively short time frame events.
For these actions, failure to consider time and failure to model diagnosis might lead to somewhat unrealistic values for St. Lucie. However, the staff does not believe that a vulnerability was masked because the actual assigned values did not appear extraordinarily low or inconsistent with values for similar events in other IPEs.
For the time-dependent human actions the licensee used the success likelihood index method which attempts to capture plant-specific performance shaping factors.
In the St. Lucie IPE, all success likelihood indices were left at their default values, thereby assuming that the plant is "average" in terms of its performance shaping factors.
The resulting human error probabilities may therefore be "generic" rather than plant-specific and may not adequately represent the actual plant personnel responses.
However, the licensee did attempt to reach some degree of realism in the HRA by including other parameters, such as stress, response type, and operator burden to reflect variations in the nature of events and their impact on operator performance.
The licensee identified these operator actions as important in the estimate of the CDF:
- 1. Operator failure to secure reactor coolant pumps following loss of seal cooling.
- 2. Operator common cause miscalibration of the refueling water tank level transmitter.
- 3. Operator failure to restore power to Unit 1 from Unit 2.
- 4. Operator failure to perform once through cooling for feed and bleed.
- 5. Operator failure to restore pump 1A or 1B after maintenance.
- 6. Operator failure to restore electrical equipment room fans following loss of offsite power.
The licensee's back-end analysis considered important severe accident phenomena.
The licensee evaluated and quantified the results of the severe accident progression through the use of a containment event tree and considered uncertainties in containment response through the use of sensitivity analyses.
However, in one instance, the staff believes that an additional sensitivity analysis should have been performed regarding the probability of in-vessel recovery since the licensee assumed a very high probability of in-vessel recovery due to ex-vessel cooling, i.e., a success probability of 0.9 for preventing vessel failure. Although the licensee indicated that containment failure would be only slightly affected by these assumptions, based on their limited sensitivity study of a single plant damage state, the staff believes the effect could be greater due to the high probability, at St. Lucie, of containment failure given vessel rupture.
Although the submittal indicates that outside consultants, as well as St. Lucie plant personnel, were involved in the peer review, it appears that the back-end portion was weak.
For example, the submittal labels as back-end findings results that are related to early and late containment failure probabilities, which are not based on the St. Lucie containment event tree quantiTications submitted in the IPE, but are, instead, generic results from other plants.
Also, some small LOCA (high pressure) sequences are erroneously grouped with large LOCA (low pressure) sequences into a low pressure plant damage state (PDS), thus potentially understating containment failure associated with high pressure challenges, such as high pressure melt ejection.
It does not appear to mask a vulnerability, however, because high (and intermediate) pressure PDSs already have been identified in the submittal as comprising the majority (66 percent) of CDF and the addition of the omitted sequences would contribute relatively little.
According to the licensee, the St. Lucie conditional containment failure probabilities are as follows: early containment failure is 1 percent with steam overpressurization the primary contributor, late containment failures is approximately 15 percent with core concrete interaction (i.e., overpressurization due to non-condensible gas) being the primary contributor, and bypass is approximately 12 percent with steam generator tube rupture and ISLOCA the contributors.
According to the licensee, the containment remains intact approximately 72 percent of the time.
Early radiological releases are dominated by station blackout (SBO) and late releases are dominated by small-small LOCA and SBO sequences.
The licensee's response to containment performance improvement program recommendations is consistent with the intent of Generic Letter 88-20 and associated Supplement 3.
Some insights and unique plant safety features identified by the licensee in the St. Lucie IPE include:
The plant has feed and bleed capability.
Unit 1 requires both power operator relief valves (PORVs) valves whereas Unit 2 only requires one (the other PORV is blocked closed).
The auxiliary feedwater pumps do not need the heating, ventilation, and air conditioning (HVAC) system because they are located outside.
HVAC is needed,
however, for many frontline and support systems, although the emergency diesels are self cooled.
3.
The motor driven main feedwater pump output is automatically matched to the decay heat level and they will continue to run for most transients.
4.
The dc batteries have an 8 hour9.259259e-5 days <br />0.00222 hours <br />1.322751e-5 weeks <br />3.044e-6 months <br /> life assuming load shedding under station blackout conditions.
5.
The reactor coolant pumps are the 4-stage Byron-Jackson; no leakage was assumed iftripped within 10 minutes.
6.
Cross connection between the units is credited for the instrument air, auxiliary feedwater suction, and the emergency diesel generators.
7.
The pressure control success criteria for ATWS specifies 3700 psia as the limiting RCS pressure, in line with other CE plants.
The licensee defined a vulnerability as:
- 1. A failure which makes a disproportionately large contribution to the total CDF or significant release probabilities and, in turn, is considered significantly higher than those of PRAs for similar plants, or
- 2. A failure which has any unusual and significant impact on the total CDF or release probabilities.
Based on this definition, the licensee did not identify any vulnerabilities. One minor plant improvement, however, was identified and implemented:
more detailed steps were added to the written procedure allowing for makeup to the Unit 1 condensate storage tank, prior to depletion, from the Unit 2 tank.
III. CONCLUSION Based on the above findings, the staff notes that: (1) the licensee's IPE is complete with regard to the information requested by Generic Letter 88-20 (and associated guidance in NUREG-1335), and (2) the IPE results are reasonable given the St. Lucie nuclear power plant design, operation, and history. As a result, the staff concludes that the licensee's IPE process is capable of identifying the most likely severe accidents and severe accident vulnerabilities, and therefore, that the St. Lucie IPE for Units 1 and 2 has met the intent of Generic Letter 88-20.
It should be noted that the staffs review primarily focused on the licensee's ability to examine the St. Lucie nuclear power plant for severe accident vulnerabilities. Although certain aspects of the IPE were explored in more detail than others, the review was not intended to validate the accuracy of the licensee's detailed findings (or quantification estimates) that stemmed from the examination.
Therefore, this SER does not constitute NRC approval or endorsement of any IPE material for purposes other than those associated with meeting the intent of Generic Letter 88-20.
In addition, the staff has identified weaknesses in the front-end, HRA and back-end portions of the IPE which, we believe, limit its future usefulness.
APPENDIX CONTRACTOR TECHNICAL EVALUATIONREPORT