ML17329A737


Forwards Request for Addl Info Re Internal Events Analysis in IPE & Containment Performance Improvement Program
ML17329A737
Person / Time
Site: Cook  
Issue date: 12/23/1992
From: Bill Dean
Office of Nuclear Reactor Regulation
To: Fitzpatrick E
INDIANA MICHIGAN POWER CO. (FORMERLY INDIANA & MICHIG
References
TAC-M74398, TAC-M74399, NUDOCS 9212310096
Download: ML17329A737 (11)


Text

Docket Nos. 50-315 and 50-316

December 23, 1992

Mr. E. E. Fitzpatrick, Vice President
Indiana Michigan Power Company
c/o American Electric Power Service Corporation
1 Riverside Plaza
Columbus, Ohio 43216

Dear Mr. Fitzpatrick:

SUBJECT: D. C. COOK NUCLEAR PLANT, UNITS 1 AND 2 REQUEST FOR ADDITIONAL INFORMATION RELATING TO INDIVIDUAL PLANT EXAMINATION (IPE) SUBMITTAL (TAC NOS. M74398 AND M74399)

In your letter dated May 1, 1992, you submitted the IPE for D. C. Cook, Units 1 and 2 to the NRC.

As part of the staff's ongoing review of your IPE, a number of questions have arisen which require clarification or the submittal of additional information.

The questions are related to internal events analysis in the IPE and the containment performance improvement (CPI) program.

Please review these questions so that we can schedule a conference call in about a month to discuss your responses.

At the conclusion of this call, we can hopefully advise you regarding which questions will still require a formal written response.

We may also determine that a meeting or additional calls would be worthwhile in pursuing responses to the questions.

The questions are enclosed.

In either case, you are requested to provide a written response within 60 days.

If you have any questions, please contact me on (301) 504-1321.

Sincerely,

William H. Dean, Sr. Project Manager
Project Directorate III-1
Division of Reactor Projects III/IV/V
Office of Nuclear Reactor Regulation

Enclosure: As stated

cc w/enclosure: See attached service list

DISTRIBUTION: Docket File, J. Roe, L. Harsh, C. Ader, R. Hernan, ACRS (10), L. Wheeler, NRC & Local PDRs, T. King, H. Shuttleworth, W. Hinners, J. Flack, W. Shafer, R-III, PDIII-1 Reading, D.C. Cook Plant File, W. Dean, A. Thadani, OGC, R. Barrett

DOCUMENT NAME: 0174398.RAI

E. E. Fitzpatrick
Indiana Michigan Power Company

cc:

Regional Administrator, Region III, U.S. Nuclear Regulatory Commission, 799 Roosevelt Road, Glen Ellyn, Illinois 60137

Attorney General, Department of Attorney General, 525 West Ottawa Street, Lansing, Michigan 48913

Township Supervisor, Lake Township Hall, Post Office Box 818, Bridgman, Michigan 49106

Al Blind, Plant Manager, Donald C. Cook Nuclear Plant, Post Office Box 458, Bridgman, Michigan 49106

U.S. Nuclear Regulatory Commission, Resident Inspector Office, 7700 Red Arrow Highway, Stevensville, Michigan 49127

Gerald Charnoff, Esquire, Shaw, Pittman, Potts and Trowbridge, 2300 N Street, N. W., Washington DC 20037

Mayor, City of Bridgman, Post Office Box 366, Bridgman, Michigan 49106

Special Assistant to the Governor, Room 1 - State Capitol, Lansing, Michigan 48909

Nuclear Facilities and Environmental Monitoring Section Office, Division of Radiological Health, Department of Public Health, 3423 N. Logan Street, P. O. Box 30195, Lansing, Michigan 48909

Donald C. Cook Nuclear Plant

Mr. S. Brewer, American Electric Power Service Corporation, 1 Riverside Plaza, Columbus, Ohio 43216

ENCLOSURE

STEP 1 IPE REVIEW QUESTIONS OF D.C. COOK IPE SUBMITTAL

FRONT-END QUESTIONS

The discussion of initiator groups listed in the IPE for special initiators includes loss of essential service water, component cooling water and 250 VDC bus. Discussion in Section 2.3 indicates that loss of control air and loss of 120 VAC bus were considered as potential initiators; however, these potential initiators are not addressed in Section 3.1.1 of the submittal. In addition, there is no discussion whether loss of HVAC was examined as a potential initiator. Loss of these systems will typically result in a plant trip. Provide a discussion of the basis for why these support systems were not considered as initiators with subsequent event tree analysis.

2. The method for determining the RPS failure probability is not provided in the IPE. If the generic RPS value of 3E-5 (NUREG-0460) is used with the Cook transient frequencies (3.8 and 1.2E-1), the resulting ATWS initiator frequencies are 1.1E-4 (Tra) and 3.6E-6 (Trs), respectively, which differ from the ATWS frequency provided in the submittal. Provide discussion on how the ATWS frequency of 4.67E-5 was estimated and incorporated in the IPE analysis. In addition, it is not clear from the IPE if the ATWS success criteria analysis considered the effects of the moderator temperature coefficient (MTC). Provide a discussion of the rationale that core damage prevention is possible under ATWS conditions when an unfavorable MTC exists.

3. NUREG-1335 requests that separate event trees, which may be needed to support special event analysis, be included in the IPE submittal. Although an ISLOCA event tree was provided in your IPE submittal, the documentation is insufficient to determine the process used to determine the initiating frequency and associated mitigating actions. Provide a discussion (with simplified diagrams) of specific systems and components and their associated failure modes modeled for the ISLOCA initiator. Include, for example, the configuration of residual heat removal system, check valves, motor operated valves, surveillance methods and frequency, independence of redundant systems, treatment of human errors associated with valve status, ability to isolate breaks, and note any administrative controls on MOVs. Also note the verification of design rating of low pressure piping and components, and the potential for loss of critical mitigating systems due to flooding.

Tables 3.1-2 through 3.1-17 provide the equipment success criteria for successful accomplishment of each event tree top event. The combinations of systems (or events) that are required to function to prevent core damage are not discussed. Provide a list of systemic success criteria for core damage prevention.

There is insufficient discussion in the submittal with regard to the development of the accident sequences in the Event Tree Analysis to determine if the success criteria were properly applied for delineating the accident sequences. Two examples:

(1) The definition provided in Section 3.1.1.2.1 for the SCS available transient indicates that SCS is available for decay heat removal, that is, main feedwater is available for mitigation. It would seem, therefore, that failure of SCS would be required before AFW is needed.

(2) The event tree of SCS available transient indicates that main feedwater can be successful after failure of OA5. The success criteria table for SCS available defines OA5 as supply to at least 2 steam generators from at least one condensate booster pump. The main feedwater pumps are typically high pressure pumps and, in order to operate, generally require the condensate and condensate booster pumps to be functional. Provide clarification as to why failure of OA5 (which would include failure of condensate booster pumps as one failure mechanism) does not fail main feedwater.

The manner in which an accident progresses can affect the ability of systems to continue to function or systems not yet demanded to be able to operate. Insufficient discussion of the effects of the accident progression on the various accident sequences is provided in the IPE to determine if the Event Tree analysis accounted for phenomenological effects on the success criteria. For example, environmental effects on equipment from the accident progression are not apparent. Provide discussion on the different phenomena and their effects on the success criteria, particularly in relation to system performance.

The IPE estimated the contribution of core damage from station blackout to be approximately an order of magnitude less than what the staff estimated for resolution of USI A-44. In order to facilitate our review, describe your blackout analysis, and the following aspects which we find important to understand your IPE effort:

reactor cooling pump (RCP) pump seal model employed, including timing of seal degradation and flow rates,

impact of severe weather conditions (e.g., snow/ice conditions) which could result in extended losses of offsite power conditions,

coping time, including estimates of battery and CST depletion times,

treatment of recovery of offsite power and EDGs,

treatment of EDG common cause failure, specifically the inclusion of higher order MGLs for a two diesel system,

ability to cross tie unit systems during single unit blackout conditions,

treatment of mitigating actions or plant improvements that impacted the analysis.

In addition to station blackout, consideration of reactor cooling pump (RCP) seal failure is important, because of its impact on the determination of dominant sequences (i.e., transients vs. LOCAs). Concisely describe your treatment of RCP seal degradation and failure during loss of key support systems which could lead to loss of seal cooling. Include in your discussion the timing of RCP seal degradation and seal flow rates, and any recovery actions or improvements that would enhance mitigation of RCP seal cooling accidents, e.g., ability to cross tie cooling water systems between units, use of the fire water system or other water systems as an alternate source of cooling, specific RCP seal improvements.

9. The dependency table indicates which systems the front-line and support systems are dependent on for operation. The actual dependency or requirement that is needed for the system or component to be able to function on demand and to continue to function throughout the course of the accident is not provided. For example, room cooling could be required for the AFW TDP because the following dependency exists: (1) pump has a high room temperature trip and the room temperature in the accident is anticipated to exceed the trip temperature, or (2) pump will fail when room temperature exceeds design qualifications which is anticipated to be exceeded in the accident. In this example, cooling is supplied to the AFW TDP room by the HVAC system which is AC dependent. Therefore, although the AFW TDP is AC independent in the short term, it is AC dependent in the long term. Documentation provided in the IPE is inadequate to determine if the method used for identification of dependencies is sufficient such that subtle dependent failures would be found. Provide a detailed discussion of the process that was used to identify dependencies with a list of systems and component dependencies.

10. The level of detail to which a system is examined in the fault tree analysis will determine if any subtle failures exist and are found by the analyst. This is particularly true in regards to logic or maintenance dependencies. For example, some PWRs have steam generator isolation control systems that are designed to shut off feedwater given low secondary pressure. An inadvertent blowdown of the steam generators could possibly actuate the steam generator isolation control system, thereby isolating main feedwater and AFW. If sufficient detail is not analyzed, then both the mechanisms of the inadvertent blowdown and the subsequent isolation of feedwater and AFW may not be modeled. As another example, a room cooler is actuated from a thermostat. The cooler is tested monthly, but the thermostat is not tested. If the fault tree did not model to this level of detail, the above failure would be missed. Provide discussion of the level of detail that was used in fault tree analysis to ensure any subtle failures were identified.

11. Your submittal states that Unit 1 was found to be bounding for Unit 2. Briefly describe the Unit 1 features or operational attributes that cause this unit to be the bounding unit. Also describe any inter-unit dependencies found to have an impact on the internal initiating event analysis. List systems shared between the two units, and briefly describe how these shared systems were treated in the IPE.

12. NUREG-1335 reporting guidelines requested the rationale if plant-specific experience was not utilized on a number of important items. Provide the rationale for your use of generic data for batteries, electrical buses, breakers, circulating water, feedwater, and condensate booster pumps and check valves.

13. NUREG-1335 reporting guidelines requested that the types of common-cause failures considered in the analysis (both in the event tree sequences and in the system analysis) be reported. Provide a list of the types of common cause failures (e.g., miscalibration of instrumentation, design deficiencies or manufacturing errors) that were considered in the IPE. In addition, our review notes that in comparison to other studies (NUREG-1150, NUREG-1032), some of the MGLs in table 3.3-6 appear low. Briefly describe how these values were generated specifically for the EDGs, MOVs, High Head and RHR pumps. Also discuss the apparent application of 4 component MGLs on two component systems (e.g., one out of two EDGs).

14. It is unclear from the discussion in the IPE submittal where the "average" CCF was applied and how it was applied. Provide a complete list of CCF groups and identify where the average CCF was applied. In addition, the conclusion (p7-I) that common cause failures are not a dominant contributor to core damage frequency, because individual component common cause contributors had not been modelled, may be misleading. Discuss the extent to which operational data at Cook Units 1&2 (data at the individual component level) supports this conclusion.

15. The application of internal flood methodology, with respect to identification and selection of flood sources, frequency estimates, mitigation actions, flood propagation to redundant safety related equipment, qualification of equipment exposed to spray, etc., can have a significant impact on the perception of flood as a contributor to the core damage frequency. In order for the staff to fully understand and appreciate your treatment of internal flood, concisely describe the integration of this initiator into your PRA, i.e., discuss the structure of the internal flood event tree employed and integration of the impact of flood into the fault tree analysis. In addition, concisely discuss the rationale supporting the treatment, or assumptions (as appropriate), of the following aspects of the internal flood analysis reported in the Cook IPE submittal, including the perception of these aspects with respect to their overall significance to core damage/early containment failure:

estimation of the flood frequency (e.g., length of pipe, etc.), and the relationship of this frequency to the assumed 50% chance of one flood occurring over the lifetime of the plant. (Also define lifetime of plant [years]).

the term "bounded" in the section on turbine building operating floor (pg 3.4-6.5),

inter-zone flood propagation due to back flooding through drains, open flood doors, penetration seals, etc.

spray or direct impingement of water on plant equipment,

treatment of circulating water system expansion joints, and potential for circulating water pump trip, back flow through the break, and isolation capability.

As per NUREG-1335, Section 2.3, also describe any strategies or potential improvements, and disposition of potential improvements, that stemmed from your treatment of internal flood in your IPE.

16. Per NUREG-1335 reporting guidelines, provide a concise discussion of the criteria used to define "vulnerability," list any vulnerabilities so identified, and the fundamental causes of each. If explicit criteria had not been developed, discuss the process used to evaluate the need for plant improvements during and upon completion of the IPE, and the level at which plant improvements were implemented.

17. Your IPE identified a unique containment failure mode which could result from containment overpressurization. This failure mode leads to loss of all inventory available for ECCS recirculation and ultimately core damage. What is the estimated contribution to core damage from this failure mode? To what extent (positive and negative) has containment venting been considered as a strategy for preventing containment failure and associated core damage?

18. Page 3-5 of the IPE submittal states that the ice condenser was assumed to function as designed, and that the sequence involving ice condenser failure "would be below the cutoff frequency specified in NUREG-1335 as requiring further evaluation." Note that NUREG-1335 did not specify a "cutoff" frequency, but reporting criteria (see NUREG-1335, Appendix C, response to comments C.4.5 and C.4.6). Please provide the rationale for excluding failure of the ice condenser.

19. As an initiating event, SGTR is an important contributor to Cook's core damage frequency (11.3%). The IPE, however, does not appear to consider operator action to refill the RWST. Discuss the consideration and need for refilling the RWST during SGTR events.

20. During mitigation of certain initiators (e.g., station blackout, loss of CCW), system success criteria require operators to open steam generator PORVs and depressurize the secondary side to initiate RCS cooldown. Opening the S/G PORVs will place a differential pressure across the S/G tubes and, in effect, increase the likelihood of tube failure. Discuss the consideration of subsequent tube rupture as part of these scenarios and potential impact on IPE results.

21. The estimated conditional probability of failure of feed and bleed in the Cook IPE submittal was given as 2.19E-03. What is the estimated reduction in overall core damage frequency from having feed and bleed capability? Had the benefit of feed and bleed, in conjunction with refilling the RWST, been explored for SGTR and ISLOCA scenarios?

BACK-END QUESTIONS

It is stated in the IPE that the containment fails at the concrete basemat adjacent to the containment wall and results in a small rupture area. It is further stated that a time delay occurs while water in containment is being expelled out the "hole." It is assumed in the IPE that this time delay is 35 minutes for sequences without RWST and an hour for sequences with RWST. The IPE notes that while water is being expelled, the containment pressure continues to increase. Provide the containment pressurization rate before and after failure of the concrete basemat wall junction, and the sources of pressurization.

Given core melt, the Cook IPE estimated the conditional probability of containment failure on overpressurization to be 0.033.

Provide the estimated conditional probability of containment failure on overpressurization prior to core melt, and contribution of this failure mode to core damage.

Also discuss any consideration given to containment venting prior to core damage, i.e., potential benefit of venting.

Documentation in the IPE submittal was insufficient to understand what was analyzed for failure of containment isolation. The submittal only references that fluid lines were examined; the impact on containment isolation for failure of air and instrumentation lines was not reported. Identify and discuss the contributors to containment isolation failure, i.e., isolation signal failure, valve failures (including purge valves), degradation of valve seats, etc.

In response to Generic Letter 88-20 Supplement 3, licensees with ice condenser containments are expected to evaluate the vulnerability to interruption of power to the hydrogen igniters as part of the IPE. The Cook IPE submittal states that hydrogen combustion is not considered a failure mode of the Cook Nuclear Plant containment. With respect to your hydrogen ignitor analysis, describe the extent to which restoration of ac power and subsequent hydrogen combustion was considered. Identify initial conditions, e.g., blackout, loss of DC, etc., walkdowns performed, important assumptions and rationale, codes exercised, potential for local pocketing and detonation, and any insights from other analyses as appropriate.

In the modeling of severe accidents, there is uncertainty with regard to the phenomena and, therefore, the manner in which an accident will progress and subsequently impact containment performance and source term. The assumptions associated with the various phenomena are varied among experts and the available modeling codes. It is important, therefore, to be aware of the differences and uncertainties, particularly in relation to their impact on containment performance and source terms. The staff notes that assumptions and conclusions in the Cook IPE are (1) primarily based on MAAP calculations and (2) differ from various "expert opinions" from other studies. NUREG-1150 analysis of Sequoyah, for example, found late containment failure dominated by basemat meltthrough, and also found early containment failure, though small, a contributor. It was not clear how these phenomenological differences (i.e., uncertainties) were accounted for in understanding the IPE results. Although a formal uncertainty analysis is not required, describe how your IPE findings and conclusions accounted for phenomenological uncertainties and differences between your results and those of, for example, NUREG-1150.

The Cook IPE appears to assume that no concrete floor erosion occurs until there is a dry cavity; that is, the molten core is assumed to be completely quenched when there is any overlying water. However, Generic Letter 88-20, Appendix I states that both coolable and noncoolable outcomes should be considered. Provide the rationale for your assumptions with regard to core concrete interaction during wet cavity conditions.

A containment failure pressure distribution is provided in the submittal. It is not clear, however, how the "uncertainty" of containment failure was considered in the study. For example, given a scenario that involves synergism between hydrogen combustion and other ongoing phenomena, was the 95/95 failure pressure utilized, or was the "mean" value utilized? In either case, discuss insights gleaned from the analysis.

It is not clear in the documentation if the various phenomena, though concluded not to present a challenge to containment integrity, could nonetheless challenge system or human response. Provide discussion of how phenomenological effects were integrated into the CETs in regards to their potential impact on system and human response, particularly addressing the effects of environmental conditions on system performance. Identify any important human actions related to the back-end analysis, and discuss how these actions were incorporated in the analysis.

Induced steam generator tube rupture (ISGTR) during severe accidents is an important primary system failure mode because of the potential for containment bypass.

In addition, the uncertainty with respect to SG tube integrity, evident in recent PWR operating experience, elevates the likelihood of ISGTR during severe accidents.

Describe the extent to which SGTR had been considered in the IPE.

The C-Matrix, or containment matrix, which displays the plant damage states versus the fractional contribution of the various failure modes (bypass, early failure, late failure, basemat melt-through, vessel breach w/o containment failure, no vessel breach), provides useful level II insights. Has a C-Matrix been developed? If so, please provide.

The Cook IPE study did not result in the identification of any containment, or containment system vulnerabilities.

With respect to containment performance during accident conditions, and NUREG-1335 reporting guidelines which include a concise discussion of the criteria used to define vulnerabilities, provide a definition of vulnerability with respect to containment performance.

If no explicit definition had been developed, discuss the utilization of the level II insights in enhancing safety at the Cook facility, i.e., the process used to identify and implement improvements.

HRA QUESTIONS

1. What process was used to identify the various operator actions modeled in the IPE and for which HEPs were estimated?

2. The estimated HEPs for the various human errors appear to be extremely low; the majority of the errors have probabilities less than 1E-3 (over 85% of the human actions listed in Table 3.3-5). Human error probabilities of less than 1E-4 imply a 'precision' of human behavior that is not known. It is not clear how these values were estimated. Provide discussion of several examples illustrating the derivation of the HEPs and basis for such low values.

3. It is unclear in the IPE submittal how dependencies were accounted for in the quantification process. This confusion appears for the human actions identified in the event trees and the fault trees.

First, it is not clear if the dependencies associated with the human actions identified in the event trees are modeled. For example, for the small LOCA event tree, Operator Actions OA6 and PBF (which are top events) appear to be multiplied together in accident sequences 823 through 31. This multiplication would result in a combined HEP of 2E-8 (6.23E-4*3.37E-5). It is not clear how the dependency between these two human actions was considered.

Second, in the various event trees, in several places the same operator action occurs and appears to be quantified in the core damage frequency estimation with the same probability of occurrence, that is, independent of the accident sequence. For example, for a SGTR, Operator Action OA3 occurs in several of the accident sequences. It appears that in the quantification the same probability value was used regardless of the sequence. This application implies that every sequence progression is identical in those factors that would affect human performance. As another example, for the PBF human action, the same probability appears to be used regardless of accident sequence for all the initiators. It is realized that with symptom based EOPs the operator should not have to "diagnose" the event; however, the initiator will affect the success criteria and, therefore, the timing and the manner in which the accident progresses. These differences should impact the human performance. It is not clear how the dependency of the action relative to the sequence was considered.

Last, operator actions are identified in the fault trees as basic events. The assignment of the error probabilities appears to be independent of the accident sequence and independent of other operator actions. It is not clear how the dependency relative to the accident and with other operator actions was considered. When the fault trees are linked to form the accident sequences, the human action can appear in numerous places with a variety of different system or functional failures. Applying the same HEP implies that the human behavior is independent of these failures. In addition, when linking the fault trees, the potential exists for these operator actions to be multiplied.

Although the text states that dependencies are treated, this statement is not apparent in the documentation provided. Provide a discussion on the details of how dependencies were treated addressing the examples described above.

NUREG-1335 states that "unless proper justification is provided.... all assumed or modeled recovery actions will have written procedures." In the D.C. Cook IPE, credit appears to be given for operator actions that are not proceduralized. Provide a list of these actions and justification for each on why credit should be given for these actions.

It is not clear if and how the impact of "faulty" instrumentation was considered in the HRA. It is stated in the IPE that "it was assumed that the EOPs.... were adequate to address the transient symptoms and ensure that the operator provides the correct functional response." This statement appears to also assume that the instrumentation and indications are functioning properly. Provide clarification of this issue: what was the impact of instrumentation and indication failures on the operator interaction model?

In Table 3.3-5, there are numerous places where the time available for the operator action is N/A. In regards to pre-initiator actions (e.g., failure to restore valve to proper position), it is clear why time would not be applicable. Several of these human actions do not, however, appear to be pre-initiator actions. Provide classification of human actions listed in Table 3.3-5 and provide rationale why time available is not applicable for the operator actions listed in Table 3.3-5.

Time available for various operator actions is provided; however, it is not clear if sufficient time is available to perform the required action. Provide the time that is needed to perform the operator actions listed in Table 3.3-5 and the basis or rationale for these times (i.e., how were the times derived).

Performance shaping factors are provided in Table 3.3-3 of the submittal. The bases for these factors are not provided; therefore, it is not apparent what factors (such as difficulty of task, accessibility and location of "component," degree of burden, etc.) were considered in determining the performance shaping factors (e.g., stress level extremely high). In addition, it appears that it was assumed that the performance shaping factors are not impacted by the accident sequence. For example, since only one HEP was estimated for PBF, the stress level, for instance, was assumed to be the same for every accident sequence; that is, whether the accident involved a LOCA, SGTR, transient and which systems are available and not available does not impact operator performance. Provide the criteria that were used by the analyst in identifying and selecting the performance shaping factors listed in Table 3.3-3.

The submittal provides little discussion of the significance of human error.

Provide the estimated human error contribution (percent) to overall core damage frequency, and identify: (1) the most significant human errors with respect to that contribution, and (2) the most significant human actions with respect to the prevention of core damage.