ML17333A050
| ML17333A050 | |
| Person / Time | |
|---|---|
| Site: | Palo Verde, 05000000, 05000470 |
| Issue date: | 02/04/1982 |
| From: | Mattson R Office of Nuclear Reactor Regulation |
| To: | Eisenhut D Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML17297B299 | List: |
| References | |
| NUDOCS 8202250357 | |
| Download: ML17333A050 (66) | |
Text
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555
FEB 04 1982
ENCLOSURE 1
MEMORANDUM FOR: Darrell G. Eisenhut, Director, Division of Licensing, NRR
FROM: Roger J. Mattson, Director, Division of Systems Integration, NRR
SUBJECT: TRANSMITTAL OF DRAFT PALO VERDE AND CESSAR SER SUPPLEMENT
Enclosed are copies of our draft SER Supplements for Palo Verde and CESSAR.
They address the concerns raised by the ACRS letters of December 15, 1981 involving the need for reliable heat removal capability in view of the lack of a direct means to rapidly depressurize the primary system.
The CESSAR and Palo Verde designs do not include PORVs to permit the feed and bleed method of cooling the way it is provided in other PWRs.
Our SER Supplements were prepared before the Ginna steam generator tube rupture incident of January 25, 1982 and represent our position at that time.
The Ginna incident has resulted in renewed consideration being given to the possibility of simultaneous steam generator tube ruptures in both steam generators.
We are also reconsidering accident scenarios that could lead to simultaneous loss of coolant in the primary and secondary systems.
These considerations require us to reexamine the possibility of feed and bleed as an alternate method of providing core cooling.
We are also interested in the use of the PORV to gain control of primary system pressure to avoid challenges to the safety valves on a faulted steam generator, thereby reducing the frequency of releases of radioactivity following steam generator tube ruptures.
In addition, since the preparation of our draft SER Supplements for Palo Verde and CESSAR we have been provided with new information by the Office of Nuclear Regulatory Research.
The new information is in a memorandum on CE system reliability that bases its analysis on the Accident Sequence Precursor Program.
The techniques used in this program are somewhat controversial, and we are currently reviewing both the techniques and conclusions.
The memorandum prepared by Frank Rowsome and Joe Murphy of RES is dated January 29, 1982 and concerns the feed and bleed issue for CE reactor designs without PORVs.
It makes two conclusions concerning the reliability of the auxiliary feedwater system which are at variance with our draft SSERs.
We have these differences under review.
Contact:
R. Lobel X29463
In view of the concerns discussed above we have evaluated the potential consequences of operation of San Onofre Units 2 and 3 at low power for the purpose of startup testing.
We conclude that the risk of such operation is negligible because even if feedwater were lost to the steam generator, boiling of the remaining steam generator inventory and heat transfer to the containment atmosphere and structures would be sufficient to prevent overheating of the core.
Should a steam generator tube rupture event occur during this low power testing period, three factors would contribute to substantially reducing the risk to the public.
First, there is sufficient time available for the operators to correct the loss of important safety systems needed to mitigate the event or to take alternate courses of action.
Second, the fission product inventory during low power operation is very much less than during full power operation.
Third, there is a reduction in required capacity for mitigating systems at low power.
We suggest that the applicants of CESSAR System 80 and Palo Verde 1, 2 and 3 (perhaps in conjunction with other CE owners) perform a special study of the utility and competing risks of PORVs in the various accident scenarios and propose system modifications as appropriate to the concerns summarized in this memorandum.
Roger J. Mattson, Director
Division of Systems Integration
ENCLOSURES:
Attachment 1 - SSER for CESSAR
Attachment 2 - SSER for Palo Verde
Attachment 3 - Memo fm Tedesco to Rowsome dtd 1/29/82
Attachment 4 - Memo fm Bernero to NRR Div. Dirs dtd 1/22/82
ATTACHMENT 1
SUPPLEMENTAL SAFETY EVALUATION FOR CESSAR (SYSTEM 80)
FDA 4
AUXILIARY SYSTEMS BRANCH
ACRS CONCERN REGARDING RELIABILITY OF SHUTDOWN HEAT REMOVAL SYSTEM
In the CESSAR letter, the ACRS stated:
"In recent years, the availability of reliable shutdown heat removal capability for a wide range of transients has been recognized to be of great importance to safety.
The System 80 design does not include capability for rapid, direct depressurization of the primary system or for any method of heat removal immediately after shutdown which does not require use of the steam generators.
In the present design, the steam generators must be operated for heat removal after shutdown when the primary system is at high pressure and temperature.
This places extra importance on the reliability of the auxiliary feedwater system used in connection with System 80 steam generators and extra requirements on the integrity of the steam generators.
The ACRS believes that special attention should be given to these matters in connection with any plant employing the System 80 design.
The Committee also believes that it may be useful to give consideration to the potential for adding valves of a size to facilitate rapid depressurization of the System 80 primary coolant system to allow more direct methods of decay heat removal.
The Committee wishes to review this matter further with the cooperation of Combustion Engineering and the NRC Staff."
In order to fully respond to the concern, the staff position is presented in three parts as follows:
(1) auxiliary feedwater system reliability,
(2) steam generator integrity and
(3) the need for additional primary system valves to facilitate direct rapid system depressurization for decay heat removal.
In regard to the ACRS concern for "extra importance on the reliability of the auxiliary feedwater system used in conjunction with System 80 steam generators", we will require that Combustion Engineering include an auxiliary feedwater system unavailability acceptance criterion as an interface in CESSAR to be satisfied by referencing applicants for their auxiliary feedwater system designs.
The criterion will be the same as that identified in the Standard Review Plan (NUREG-0800), Section 10.4.9 for meeting General Design Criteria 34, Residual Heat Removal, and 44, Cooling Water, as follows:
"An acceptable AFWS should have an unavailability in the range $10^{-4}$ to $10^{-5}$ per demand based on an analysis using methods and data presented in NUREG-0611 and NUREG-0635.
Compensating factors such as other methods of accomplishing safety functions of the AFWS or other reliable methods for cooling the reactor core during abnormal conditions may be considered to justify a larger unavailability of the AFWS."
We conclude that this interface adequately addresses auxiliary feedwater system reliability for CESSAR reference plants.
In regard to the ACRS concern for "extra requirements on the integrity of the steam generators", the following is the staff position.
The System 80 steam generators incorporate multiple design features to minimize the instance of problems which have been identified to date in operating plants' steam generators.
These features include improvements in material of construction and fabrication techniques.
We note that there is no operating experience associated with the System 80 steam generators.
Therefore, we know of no reason to impose additional requirements at this time for assuring their integrity.
If operating experience indicates that additional requirements are warranted, we will incorporate them as necessary.
It should also be noted that the CESSAR SER (NUREG-0852) includes discussion and staff conclusion on steam generator integrity and certain aspects of steam generator performance as follows:
(a) Materials and fabrication and their acceptability against applicable ASME Codes and General Design Criteria are addressed in SER Section 5.4.2.1.
(b) Design features for prevention of damaging water hammer are addressed in SER Section 10.4.
(c) Secondary water chemistry is addressed in SER Section 10.3.1.
Based on the above, we conclude that the integrity of the System 80 steam generators is adequate to assure their availability for decay heat removal and that further requirements in this area are not necessary.
In regard to the ACRS concern for "consideration to the potential for adding valves of a size to facilitate rapid depressurization of the System 80 coolant system to allow more direct methods of decay heat removal," the following is the staff position in this matter.
BACKGROUND
In some pressurized water reactors, an alternate method of decay heat removal has been identified in the event all feedwater to the steam generators is lost.
This method of decay heat removal, termed "feed and bleed," involves coolant addition to the primary system via the HPI pumps, and liquid discharge via either safety or relief valves.
To date, the loss of all feedwater is not an event required to be designed for by NRC regulations.
In order for feed and bleed to be a viable decay heat removal mechanism, the HPI system must be capable of injecting a sufficient quantity of coolant at the prevailing system pressures.
For plants without a manual depressurization capability (i.e., PORV system with enough relief capability to sufficiently depressurize the primary system), the prevailing system pressure following a loss of all feedwater will be the safety valve set pressure (usually 2500 psi).
Thus, in order to have a viable feed and bleed capability in plants without PORVs, the HPI pumps must be capable of injecting sufficient quantities of coolant at the safety valve set pressure.
This implies the need for an HPI pump shutoff head considerably above the safety valve set pressure.
For plants with HPI pumps that do not have shutoff heads above the safety valve set pressure, a means to manually depressurize the primary system to a pressure sufficiently below the HPI pump shutoff pressure in an acceptable amount of time would be necessary.
PORVs would typically be relied upon to provide this manual depressurization for viable "feed and bleed" capability.
CE SYSTEM 80 DESIGN
The present Combustion Engineering (System 80) standard plant design does not include power-operated relief valves (PORVs).
The HPI system employs pumps with a shutoff pressure of 1750 psig.
Thus, in the event of a loss of all feedwater, the System 80 design does not have the capability to depressurize the primary system to below the HPI shutoff pressure.
Thus, in this design, reliance cannot be placed on "feed and bleed" for decay heat removal.
STAFF POSITION
While the staff recognizes the potential benefits of a feed and bleed capability, there are presently no design requirements or criteria which would require CE System 80 plants to install an alternate decay heat removal system independent of the steam generator system.
The staff has recognized the need for reliable decay heat removal.
The staff acceptance criterion for auxiliary feedwater system (AFWS) reliability (as identified in SRP Section 10.4.9) is based on an acceptance of the mean value of the probability of core melt from feedwater transients that was derived in WASH-1400.
The staff recognizes the limitations in WASH-1400 as delineated in previous statements.
However, in using the study, we have taken the applicable component part which has an adequate data base for purposes of comparison and applied a generally accepted fault tree technique uniformly to determine weaknesses in the AFWS design when compared with other plants.
The staff decision on acceptability is not strictly based on meeting an absolute value.
The staff has not discarded the deterministic acceptance criteria and requires that they also be satisfied.
This criterion has been required of Palo Verde (the first System 80 design to be licensed) and will be satisfied by all future System 80 plants (refer to Part 1 above).
Additional mitigating features available to satisfy the core melt risk probability would be evaluated on a plant specific basis.
This is discussed further in the Palo Verde SER Supplement addressing similar ACRS concerns.
Notwithstanding the present reliability requirements for AFW systems and overall decay heat removal capability, the staff has initiated work on the unresolved safety issue of decay heat removal reliability (USI A-45).
A key element of this program will be an evaluation of risk reduction that would be afforded by a viable "feed and bleed" capability.
If it is concluded that a cost beneficial reduction in risk could be achieved by incorporating a "feed and bleed" capability in operating plants that presently do not have such a capability, then a backfit order would be considered.
However, until this study is completed, the staff concludes there is no need to require a "feed and bleed" capability be installed in System 80 plants since adequate heat removal system reliability will be assured by the AFWS reliability criterion as an interface requirement in CESSAR.
It is the staff position that the present AFW reliability criterion must be met by applicants of the CE System 80 design.
Meeting this position provides a sufficiently low probability of core melt for this design, and further assures a reliable decay heat removal capability.
In summary, we conclude that the CESSAR System 80 design for decay heat removal conforms to applicable General Design Criteria and guidance and is sufficiently reliable to assure safe shutdown.
ATTACHMENT 2
SUPPLEMENTAL SAFETY EVALUATION FOR PALO VERDE NUCLEAR GENERATING STATION, UNITS 1, 2 AND 3
AUXILIARY SYSTEMS BRANCH
ACRS CONCERN REGARDING RELIABILITY OF SHUTDOWN HEAT REMOVAL SYSTEM
In the Palo Verde letter, the ACRS stated:
"In the Palo Verde design the primary system does not include capability for rapid, direct depressurization when the plant has been shut down.
This places extra importance on the reliability of the auxiliary feedwater system and makes it necessary that the NRC Staff and the Applicant assure the availability and dependability of this system for a wide variety of transients.
It also places extra requirements on the continued integrity of the two steam generators as the only method of heat removal immediately after shutdown.
The ACRS recommends that the NRC Staff and the Arizona Public Service Company give additional attention to the matter of shutdown heat removal for Palo Verde and develop a detailed evaluation and justification for the position judged to be acceptable.
The Committee wishes to be kept informed."
The following is the staff position on the above concern.
In regard to the ACRS concern for extra importance placed on the reliability of the AFWS in view of the lack of a rapid, direct depressurization capability for the primary system, and the ACRS recommendation for a detailed evaluation and justification for the position judged to be acceptable, the following is the staff position on this matter.
In Section 22 of the Palo Verde SER (NUREG-0857) under Item II.E.1.1 of the TMI-2 Requirements, we have identified the fact that the applicant submitted an AFWS reliability study in accordance with staff guidance.
The staff reviewed the study and determined that the AFWS met the system unavailability acceptance criterion ($10^{-4}$ to $10^{-5}$ per demand) for a loss of all feedwater as a result of a feedwater transient or loss of offsite power initiating events.
We also determined that the AFWS design met all deterministic criteria of Section 10.4.9 of the Standard Review Plan (NUREG-0800).
In addition, as the AFWS unavailability acceptance criterion is derived from a risk of core melt frequency of $5 \times 10^{-6}$ per reactor year (Reactor Safety Study, WASH-1400), consideration was given to additional plant features available to bridge the gap from the AFWS system unreliability acceptance criterion ($10^{-4}$ to $10^{-5}$ per demand) to the core melt frequency ($5 \times 10^{-6}$ per reactor year).
These mitigating features include a stable grid and long steam generator boil dry time (approximately 20 minutes) which allows for operator recovery.
The grid and offsite power supply line arrangement at Palo Verde is comparable to most operating nuclear power plants.
Thus, the frequency of occurrence of a loss of offsite power should be equivalent to the average assumed in past analyses, approximately 0.2 to 0.4 per reactor year.
Further, the 20 minutes of steam generator water inventory after a loss of main feedwater allows time for plant operators to restore the AFWS should it fail initially, or restore offsite power and main feedwater.
Previous estimates indicate approximately a 40% chance of restoring offsite power within 20 minutes.
These features provide additional confidence that the risk of core melt probability of $5 \times 10^{-6}$ is not exceeded for an extended loss of feedwater condition.
Based on the above, we conclude that the Palo Verde AFWS meets the staff reliability acceptance criterion and further that it is unlikely that the risk of core melt probability of $5 \times 10^{-6}$ will be exceeded as a result of feedwater transients.
In regard to the ACRS concern for "extra requirements on continued integrity of the two steam generators as the only method of heat removal immediately after shutdown," the following is the staff position.
The integrity of the System 80 steam generators has been reviewed by the staff and found to be acceptable.
Refer to the CESSAR SER Supplement addressing ACRS concerns on this subject.
Further, the Palo Verde SER (NUREG-0857) includes discussion on the acceptability of the following relative to steam generator integrity:
a) The steam generator inservice inspection program is addressed in SER Section 5.4.2.1;
b) The secondary water chemistry monitoring and control program is addressed in SER Section 10.3.3; and
c) Preoperational testing for steam generator/feedwater waterhammer prevention is addressed in SER Section 10.4.7.
Based on the above, we conclude that the Palo Verde steam generators provide a reliable means for shutdown decay heat removal without the need for additional requirements for assuring their continued integrity.
In summary, we conclude that the Palo Verde shutdown heat removal capability is sufficiently reliable and conforms to applicable General Design Criteria and guidance without further requirements.
ATTACHMENT 3
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555
JAN 29 1982
MEMORANDUM FOR: Bob Tedesco, Assistant Director for Licensing, Division of Licensing, NRR
Themis Speis, Assistant Director for Reactor Safety, Division of Systems Integration, NRR
FROM: Frank H. Rowsome, Deputy Director, Division of Risk Analysis, RES
Joseph A. Murphy, Reactor Risk Branch, Division of Risk Analysis, RES
SUBJECT: FEED AND BLEED ISSUE FOR CE APPLICANTS
We have performed a quick and dirty analysis of the risk implications of CE designs that lack a capability for core cooling via HPI injection and deliberate venting of the reactor coolant system, in the absence of feedwater replenishment.
We conclude that three classes of accidents may each be more frequent than the Commission's safety goal of 10 core melts per reactor year or less, and that the total core melt frequency for such plants could be of the order of 10 per year or more.
The three sequences are:
1. Transient and failure of all feedwater (not associated with loss of AC power) (TML).
2. Loss of offsite power, one diesel failure disabling the motor driven AFW train, and failure of the turbine-driven AFW train.
We recommend the following upgrades to those designs.
1. Provide an assured "feed and bleed" capability.
2. Provide that either diesel generator can energize a motor driven AFW train.
3. Examine carefully and perhaps upgrade HPI reliability and/or reduce the frequency of very small LOCA's.
The economic incentives to make these improvements, derived from reduced risk of economic losses associated with core melts, are roughly:
[Figure: diagram relating plant configurations to the dollar value of each upgrade. Configurations: Base Case*; Base Case with Assured Feed and Bleed; Base Case with Both DG's Aligned to Both AFW Motor Driven Pumps; Assured Feed and Bleed, 2 DG's, 2 AFW Trains; Assured Feed and Bleed, DG's, AFW Train, High-Reliability HPI. Values appearing in the diagram: $22.3M, $13.4M, $660,000, $10.7M, $15M.]
*The base case plant is assumed to be incapable of feed and bleed cooling; only one diesel generator is assumed capable of energizing the safety related motor driven AFW train.
The turbine driven AFW train is AC-independent, but the non-safety grade motor-driven AFW train requires offsite power.
Industry average HPI reliability and S2-LOCA frequency is assumed.
The analysis that shows that S2D may be too frequent applies to other PWRs as well.
The attached paper describes the analysis.
Frank H. Rowsome, Deputy Director
Division of Risk Analysis
Office of Nuclear Regulatory Research
Joseph A. Murphy
Reactor Risk Branch
Division of Risk Analysis
Office of Nuclear Regulatory Research
Attachment: As Stated
cc: R. Bernero, G. Burdick, R. Mattson, S. Hanauer, H. Ernst, A. Thadani, RRB Staff, RAB Staff
Feed and Bleed Issue for CE Applicants
We understand that the current crop of CE license applicants are proposing that no pressurizer PORV's be installed, that the HPI shutoff head is to be well below the pressurizer safety valve setpoint (around 1400 psi), that high point vents provide no more than two 1" diameter remote-manual vents, and that the auxiliary feedwater systems will be composed of one AC-independent turbine driven pump, one AC-power train, and a third non-safety grade motor driven pump.
We have attempted a back-of-the-envelope PRA in order to evaluate the risk implications if these plants are incapable of "feed and bleed" cooling.
The results suggest that they may fail to meet the Commission's safety goal of a core melt frequency less than $10^{-4}$/year and the present worth of a fix to enable assured feed and bleed cooling is of the order of $10 million or more per plant, based upon reduced financial risk alone.
We considered five groups of accident sequences: loss of main feedwater, loss of offsite power, very small LOCA, transient-induced small LOCA (late start of auxiliary feedwater allows a lift of a pressurizer code safety valve which may stick open), and station blackout with restoration of AC power just before the point-of-no-return.
We did not consider main steam line breaks or ATWS, although in these sequences an assured feed and bleed capability could also enhance safety as well as in the sequences considered.
The simple loss of main feedwater appears to be the dominant concern.
For this sequence in a plant incapable of feed and bleed cooling, the frequency of core melt, $\lambda_{cm} = \lambda_m \times P(L)$, where $\lambda_m$ is the frequency of critical (sustained) failures of main feedwater, and $P(L)$ is the probability of a critical failure of the auxiliary feedwater system.
WASH-1400 took the frequency of feedwater transients to be 3 per year, with 99 out of one hundred such occurrences recoverable.
There is reason to doubt both numbers.
Complete interruptions of main feedwater are more frequent than 3 per year during the life of the first core, while the plant is still being debugged, although many take place at startup or at low power when the decay heat level is too low to pose much risk.
A mature plant has complete interruptions of main feedwater about once a year or less.
The non-recovery factor of 10 applies to plants with simple feedwater controls, motor driven main feedwater pumps, and no major obstacles to feedwater restart after a trip.
In large, modern plants with turbine-driven main feedwater pumps problems with feedwater restart are common, so a non-recovery factor of .3 to .1 is more reasonable.
I judge that the frequency of non-restorable failures of main feedwater occurring from substantial (risky) initial power levels is roughly:
$\lambda_m = 0.3 \times 10^{\pm 1}$, first core
$\lambda_m = 0.1 \times 10^{\pm 1}$, at maturity
Auxiliary feedwater reliability is also uncertain.
Data from the precursor program suggests that the PWR average experience has been a failure probability of 10 /demand.
This average includes early-in-life experience as well as mature plant experience and two train as well as three train experience.
System reliability analyses have suggested that the best of the three train systems can approach - at maturity - $10^{-5}$ per demand.
However, these analyses failed to consider some common mode failure mechanisms so they can be regarded as having an optimistic bias.
It is not uncommon early in plant life to find instances of repeated, consistent, auxiliary feedwater pump failures while the system is being debugged in service.
The record suggests that the failure probability of the AFWS is substantially higher during the first core than in maturity.
A system with two diverse safety grade AFW trains and a third full capacity non-safety grade train will probably achieve failure probabilities of:
3 x 10 , first core
$1 \times 10^{-3 \pm 1}$, at maturity
These estimates result in loss-of-all-feedwater frequencies of:
$0.9 \times 10^{-3 \pm 1.4}$ /yr, first core
1 x 10 /yr, at maturity
The uncertainty range is thus:
2.3 x 10.
~
X
~ 3.5 x 10
, first core 2.6 x 10
~
X
~ 3.9 x 10
, at maturity
-4
-7 cm
f
Note that even at maturity this core melt sequence frequency may be higher than the Commission's criterion for all core melt frequencies combined: ~ $10^{-4}$ /yr, and that the best estimate is that it will exceed the Commission's criterion during the first core.
Note also that common-causation of main and auxiliary feedwater failure due to fires, floods, earthquakes, or sabotage has not been considered and might increase this sequence frequency.
The Commission's guidelines on acceptable risk do not indicate how to treat uncertainties or higher-than-average estimates for the first core.
Nonetheless, I think it unwise to allow a single core melt accident sequence to be this probable.
The provision of an assured feed and bleed capability would enable HPI to cool the core in these scenarios.
Even with common mode and external hazards, this should be worth at least one decade, more likely two decades reduction.
We recommend it.
Next let us consider loss of offsite power.
The failure frequencies or probabilities are taken to be:
$\lambda_{LOSP}$ = 0.2/yr
P(non-recovery of offsite power within 30 min - 1 hr) = 0.2/occurrence
Thus $\lambda_{LOSP}$ without recovery = 0.04/yr
$P_{DG}$ = 0.03/demand
$P_{2DG}$ = 0.003/demand, including common mode
$P_{AFW\text{-turbine train}}$, $P_{AFW\text{-motor train}}$ = 0.01/demand
Assume for convenience that diesel generator A is configured to energize the safety grade AFW motor driven train.
As we shall see, the core melt frequency predictions are sensitive to whether or not diesel generator B can energize the non-safety grade AFW train.
The event tree for loss of offsite power can be drawn:
[Event tree: loss of offsite power (LOSP), branching on diesel generator (DG) status and then on AFW. DG branches: no failures; 'B' fails (.03); 'A' fails (.03); both fail (.003). One AFW failure branch is marked ".1 or .001"*. End states are "okay" or "melt at ... /yr", one of them given as two alternative values marked *.]
* The higher failure rate applies if one of the diesel generators (we have called it B) cannot power a motor driven AFW train; the lower failure rate applies if both diesel generators can power a motor driven AFW train.
Note that the Commission safety goal of 10 /yr for all core melt sequences may be violated by loss of offsite power and a single diesel generator failure if there is one diesel generator that cannot be aligned to energize a motor-driven AFW train.
This high core melt frequency could be reduced to a marginally acceptable value in either of two ways:
1. Insure that either diesel generator can be aligned to energize a motor-driven AFW train by (i) providing a swing bus for the safety grade AFW pump, or (ii) providing an essential (diesel-backed) power supply to the "non safety grade" AFW pump, or
2. Provide an assured feed and bleed capability so that the one operable diesel generator and its associated HPI train can cool the core.
The case of full station blackout is considered later.
The value of the feed-and-bleed fix can be inferred from the event tree for LOSP with this design:
[Event tree: LOSP without recovery (.04) for the design with assured feed and bleed. DG branches: no failures (.96); B fails (.03); A fails (.03); both fail. One branch is marked ".1 or .001". End states are "melt at ... /yr".]
Next let us consider very small ($S_2$) LOCA.
Instrument line breaks, steam generator tube ruptures, charging pump line breaks, and gross reactor coolant pump seal failures have happened a dozen or so times in 500 LWR-years, suggesting a challenge frequency of $3 \times 10^{-2 \pm .5}$ /yr for $S_2$ LOCA excluding PORV LOCAs.
They are less probable in the first year of service, so I will not single out first core numbers.
In the CE plants, both feedwater and ECCS (HPI) are required for successful core cooling.
Main feedwater may remain operable or be restartable in some of these.
The probability of HPI failure on demand was found to be 8.6 x 10 -' in Surry (WASH-1400).
Most PWR PRAs are finding a failure probability for the whole multi-train HPI between 10 and 10 /demand.
We shall assume that the probability of HPI failure on demand is 5 x 10 - /demand for the CE plants.
A rough cut at frequency estimation suggests:
[Event tree: $S_2$ LOCA initiator, branching on HPI and then on AFW. End states are "success" or "melt at ... /yr"; the HPI failure path is labelled "melt at 1.5 x 10 /yr".]
The value of an assured feed and bleed capability here is to eliminate the need for feedwater.
This would eliminate the smaller (10 /yr) path to core melt without affecting the more prominent path via HPI failure.
Note that small LOCA with total HPI failure is predicted to result in a core melt frequency above the Commission goal for all core melts.
The provision of feed and bleed capability or of an improved AFW system will not help this.
It is a problem generic to PWRs and not unique to the CE designs.
It appears that the high frequency of very small LOCA revealed by historical experience and the marginal HPI system reliabilities revealed by many PWR PRAs are combining to yield unacceptable core melt frequencies through S2D-type sequences.
We suggest that NRR tackle this problem in two ways: first, a serious effort should be made to reduce the frequency of $S_2$ LOCA's.
Second, a broad-scale attack on HPI reliability problems comparable to that instituted for AFW systems after TMI should be initiated for all PWR's.
Next let us consider the transient-induced small LOCA's with and without a PORV.
A feedwater transient with a prompt autostart of auxiliary feedwater is assumed not to lift a pressurizer relief valve.
However, a delayed start of AFW, which may be roughly one hundred times as likely as a sustained AFW failure, may lift a pressurizer valve (PORV or code safety) and the valve may stick open.
LER data suggest that PORV's stick open roughly once in one hundred challenges and code safety valves once in a thousand challenges.
Neither type of valve has failed open spontaneously, to my knowledge, although there was one instance (Crystal River NNI bus fault) of a command fault leading to an open PORV.
Since TMI I think it safe to assume that operators would successfully close the PORV block valve in at least 99 out of 100 instances of a PORV-LOCA.
Without a PORV we have (at maturity):
[Event tree, without PORV: FW transient; branches "Prompt AFW" (okay) and "Late AFW" (safety valve challenge); then "Safety Valve Closed" (okay) or S2 LOCA; final outcome "melt".]
The core melt outcome from loss of all feedwater has already been considered. The increment in the likelihood of S2 LOCA is negligible at 10 /yr. It can still be mitigated by HPI if HPI works, as it will do in the vast majority of cases.
With a PORV we will get transient-induced LOCA ten times as often (10 /yr) but the block valve can be expected to terminate all but 1 percent of these, for a frequency of transient-induced and unisolated LOCA of 10 /yr. If anything, the PORV helps rather than aggravates what is a negligible contributor to the overall S2 frequency via transient-induced LOCA.
We should also consider the command fault LOCA's due to spurious open commands to a PORV. The frequency of occurrence is a sensitive function of the valve control logic design. It could be made as small as we wish by suitable reliability engineering. If we consider the Crystal River experience as one failure in 300 PWR-years, we get an industry average of 3x10 /yr for PORV command fault LOCA. Clearly, B&W did not do so well, but the combined experience of the three PWR vendors suggests that this frequency can easily be made much less than the overall S2 frequency of 3x10 /yr.
I conclude that having a PORV or not having a PORV has a negligible effect on the likelihood of S2 LOCA or of the likelihood that S2 LOCA may lead to core melt, provided that system or component functional reliability is the only consideration. It goes without saying that this analysis is predicated upon a design with anticipatory trips so that routine transients do not lift pressurizer relief valves, and that the operators are trained to close the PORV block valve when appropriate.
There may also be a design adequacy issue. I feel uncomfortable with 1400 psi HPI pumps in plants without PORV's, even if the HPI and the AFW systems are highly reliable. Careful thermal hydraulic analyses together with thorough studies of plausible operator responses are necessary to verify that some S2 LOCA's will not lead to degraded steam generator heat transfer and RCS pressures over 1400 psi while the core uncovers, even with operable HPI and AFW trains. The high point vents and reactor coolant pumps may help here even though these plants do not have full feed and bleed capability. However, these design adequacy issues are beyond the capability of this simplistic system reliability analysis.
Last, consider station blackout with AC recovery near the point of no return. The event tree may be drawn as follows:
[Event tree: top label "(TOP)"; branch headings "Restore AC Within 1 hr?" and "Restore AC Within 2-6 hr?"; printed values ".2/yr" and "3x10"; outcomes "okay", "success" and "melt".]
Blackout with successful auxiliary feedwater (turbine driven pump) can be expected at a frequency of roughly 6x10 /yr. The turbine driven AF pump has a finite success window, however. One of several factors will lead to core melt if AC power is not ultimately restored. These factors include: (a) loss of reactor coolant inventory (blown RCP seals, etc.); (b) dead batteries (discharge or overheat); (c) high pump-room temperatures (no HVAC); or (d) depletion of condensate.
Blackout without auxiliary feedwater leads to a shorter time window to save the core by AC recovery. This can be expected at a frequency of roughly 6x10 /yr.
In either scenario, as the time to the point-of-no-return for core cooling approaches, the reactor coolant system pressure will be high (around the pressurizer safety valve set point), and the level will be falling toward the top of the active core. Refilling the steam generators will be necessary but may not be sufficient, depending upon the effectiveness of reflux condensation and the extent of reactor coolant system leakage. A feed and bleed capability to enable HPI to refill the reactor coolant system fairly quickly might extend the window for AC recovery without core damage or melt by tens of minutes, perhaps more. A quantitative evaluation of the fraction of melt sequences that could be saved by feed and bleed would require extensive thermal hydraulic analysis and analysis of the likelihood of AC restoration vs time. However, it is clear that the most likely AC restoration times are before any point of no return. Thus, an upper bound on the improvement in the blackout melt sequence frequency attributable to feed and bleed is of the order of 19 /yr or less.
To summarize, the principal concerns regarding the CE designs with low HPI shutoff head and no PORV's appear to be:
1. Risk of core melt via loss of all feedwater may be unacceptably high.
2. The adequacy of the design for very small LOCA mitigation is questionable. This may be coupled with operator behavior issues.
3. The reliability of the high pressure injection system may be unacceptably low, but the mere fact of an AFW requirement to mitigate very small LOCA's - given design adequacy - does not significantly degrade the reliability with which very small LOCA's may be mitigated.
It is important that either diesel generator be capable of energizing a motor driven AFW train given loss of offsite power.
Two questions remain to be answered: (1) what is it worth to equip these plants with feed and bleed capability? and (2) what are the attendant risks of the optional fixes?
An assessment of the value of the fix follows. Those core melt accident sequences for which a feed and bleed capability could save the core are likely to be well-contained; they do not entail common mode failure mechanisms which would defeat containment isolation, sprays, or fan coolers. Thus the utility's economic risk dominates. Let us take the cost of such a core melt event to be around $10 billion (low: $2 billion for TMI's; high: $100 billion for extensive shutdown orders). The value in $ is essentially:
V($) = Δλ (events per year) x C($ per event) x T(exposure time in years)
We can calculate a variety of Δλ differences from the following table:
[Table: columns "Without Feed and Bleed" and "With Feed and Bleed"; rows "TML (first core)", "TML (mature)", "LOSP Case 1*", "LOSP Case 2*" and "S2D". Values as printed, exponents lost: 9x10, 1x10, 1.4x10, 1.8 x 10, 1.509 x 10, 9x10, 1x10, 18 x 10, 1.2 x 10, 1.5 x 10.]
* Case 1 - one of the diesel generators cannot energize a motor driven AFW train
* Case 2 - both diesel generators can energize a motor driven AFW train
The economic incentives can be calculated by taking the exposure time for the first core as one year and for mature operation as ten years. The economic incentive is essentially the reduction in the present worth (at startup) of projected monetary losses due to accidents. They are shown on the following diagram:
[Diagram: boxes "Case 1, no F&B", "Case 2, no F&B", "Case 1, F&B", "Case 2, F&B" and "improve HPI Reliability"; values printed on the diagram: $13.4M, $23.3M, $10.7M, $660,000 and $15M.]
This diagram can be understood as follows. Start with a CE plant that has no feed and bleed capability and only one diesel generator that can support a motor-driven auxiliary feedwater pump. It would be worth up to $13.4M to enable the second diesel generator to power what is now the non-safety grade AFW pump. It would be worth up to $22.3M to add feed and bleed capability, and so forth. The final "fix" has yet to be discussed. The value was arrived at by postulating design or operational changes such that the likelihood of an S2D core melt is reduced from 1.5x10 /yr to 1. x 10 /yr. This might be achieved by either improving the reliability of HPI substantially, reducing the frequency of very small LOCA substantially, or some of each.
Now a feed and bleed capability could be achieved by installing suitably sized PORV's or by installing HPI pumps of very high head (over the pressurizer safety valve setpoint) or some of each. We have already examined the attendant risks of PORV addition. Care must be taken to design the control logic so that spurious "open" commands are rare, but it is safe to expect that this will be done well enough that the frequency of S2 LOCA is not significantly increased. The effect on transient-induced LOCA is not important (this frequency is negligible with or without a PORV) and is compensated by the possibility of isolating PORV-LOCA's with the block valve.
If the HPI can force open a pressure relief valve (code safety or PORV in the pressurizer), then a spurious HPI actuation can cause a temporary, recoverable LOCA. Should the valve stick, we may have (without a block valve) a sustained LOCA. I assume that the operators will shut off HPI though not before a pressurizer valve opens, the pressurizer quench tank rupture disk blows, and a small spill occurs. If the valve sticks open (and cannot be isolated), the operators must restart HPI.
Spurious HPI actuations are quite common. We assume here that the frequency of spurious HPI actuations which remain on long enough to challenge a pressurizer valve is one per year. Borrowing from the prior analyses we can draw the following event trees for the high head HPI design:
[Event tree, without PORV (or PORV left blocked): Spurious HPI Actuation (1./yr); branches "Safety Valve Closes Upon HPI Shutoff" and "HPI Restart"; outcomes "small spill" (1./yr), "large spill" and "core melt".]
[Event tree, with PORV installed and unblocked: Spurious HPI Actuation (1./yr); branches "PORV Closes Upon HPI Shutoff", "Block Valve Closes" and "HPI Restart"; outcomes "small spill", "large spill" and "core melt".]
Note that if a PWR has a PORV and high head HPI, it is better to run with the block valve open, so the isolatable PORV can take the brunt of spurious HPI actuations as well as feedwater transient-induced LOCA's. Note also that the core melt sequences caused by spurious HPI actuation in plants with high head HPI is acceptably small, and can be made smaller still if the PORV only lifts (block valve left open). It is roughly balanced by comparable risk reductions in that for these designs, the PORV need not open to accommodate feed and bleed.
However, we should note that there is a real economic incentive to avoid the blown pressurizer quench tank rupture disk and the attendant small spills. If we assume a five day outage at one million dollars a day for small spills and a 100 day outage for a large spill, then the present worth of expected losses due to spurious HPI actuation in these designs is:
1 event/yr x 5x10^6 $/event x 10 year exposure = $50 million
from the small, frequent spills with either design variant. For the large spills (unisolated LOCA) we have:
Without PORV: 10 /yr x 10 $/event x 10 yr; $ 10
With PORV: 10 /yr x 10 $/event x 10 yr; $ 10
Thus utilities are subject to a significant incentive (present worth of projected losses of $50 million) either to employ HPI pumps that cannot lift a pressurizer relief valve or to go after improved prevention of spurious HPI actuations or both.
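The spurious-HPI event trees and the expected-loss product above can be quantified as follows. This is an added example, not part of the memo: the function and variable names are its own, it uses only the per-challenge rates and outage costs stated in the text, and it leaves out the core-melt branch because the HPI restart failure probability is not legible in this copy.

```python
"""Added example: quantify the spurious-HPI-actuation event trees described above."""
from dataclasses import dataclass

# Inputs stated in the memo text
SPURIOUS_HPI_PER_YR = 1.0         # actuations long enough to challenge a valve
P_SAFETY_STICKS = 1e-3            # code safety valve: once in a thousand challenges
P_PORV_STICKS = 1e-2              # PORV: roughly once in one hundred challenges
P_BLOCK_VALVE_NOT_CLOSED = 1e-2   # operators succeed in at least 99 of 100
COST_PER_OUTAGE_DAY = 1e6         # dollars
SMALL_SPILL_DAYS, LARGE_SPILL_DAYS = 5, 100
EXPOSURE_YEARS = 10               # mature operation


@dataclass
class Branch:
    name: str
    p_fail: float  # probability the function fails on demand


def sequence_frequency(initiator_per_yr, failed_branches):
    """Frequency of the path on which every listed branch fails."""
    freq = initiator_per_yr
    for branch in failed_branches:
        freq *= branch.p_fail
    return freq


def expected_loss(freq_per_yr, outage_days):
    """V = frequency x cost per event x exposure time (no discounting)."""
    return freq_per_yr * outage_days * COST_PER_OUTAGE_DAY * EXPOSURE_YEARS


def large_spill_frequency(porv_unblocked):
    """Unisolated LOCA: the lifted valve sticks and cannot be isolated."""
    if porv_unblocked:
        path = [Branch("PORV closes upon HPI shutoff", P_PORV_STICKS),
                Branch("block valve closes", P_BLOCK_VALVE_NOT_CLOSED)]
    else:
        path = [Branch("safety valve closes upon HPI shutoff", P_SAFETY_STICKS)]
    return sequence_frequency(SPURIOUS_HPI_PER_YR, path)


def summarize():
    rows = {"small spills (either design)":
            expected_loss(SPURIOUS_HPI_PER_YR, SMALL_SPILL_DAYS)}
    for label, unblocked in (("large spill, no PORV", False),
                             ("large spill, PORV unblocked", True)):
        rows[label] = expected_loss(large_spill_frequency(unblocked), LARGE_SPILL_DAYS)
    return rows


if __name__ == "__main__":
    for label, dollars in summarize().items():
        print(f"{label:30s} ${dollars:,.0f}")
```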
There appears to be no economic penalty (other than first cost) in providing HPI pumps whose shutoff head is at normal RCS pressure, i.e., around 2250 psi.
In summary, then, this limited risk analysis cannot distinguish a difference in safety among the several ways to achieve feed and bleed capability: install one or more large PORV's, raise the HPI head above the pressurizer safety valve setpoint, or install a smaller PORV and raise the HPI head to near normal operating pressures. These choices must be made on the basis of design adequacy or thermal hydraulic considerations, preferably considering ASS as well as the design to assure that very small LOCA's can be mitigated even though HPI or AFW may be late in starting or might be throttled temporarily by the operators. We have, however, found a plant availability incentive to avoid an HPI head so high that it can lift a pressurizer relief valve. No such penalty accrues to HPI designs with a shutoff head at the normal RCS pressure.