ML19330C246

Forwards Addl Comments on Safety Study Rept Discussed at 800617 & 18 Meeting.Abbreviations Should Be Defined. Relationship of Fault Trees to Quantification Tables & Boolean Equations Should Be Clarified
ML19330C246
Person / Time
Site: Crystal River 
Issue date: 07/03/1980
From: Oreilly P
Office of Nuclear Reactor Regulation
To: Jerome Murphy
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
References
NUDOCS 8008080131


Text

THIS DOCUMENT CONTAINS POOR QUALITY PAGES

fo-3o 3 l

MEMORANDUM FOR: Joseph Murphy, Probabilistic Analysis Staff, Office of Nuclear Regulatory Research

FROM: Patrick D. O'Reilly, Reliability and Risk Assessment Branch, Division of Safety Technology

SUBJECT: ADDITIONAL COMMENTS REGARDING CRYSTAL RIVER 3 SAFETY STUDY REPORT

In my June 15, 1980 memorandum I indicated that I might have further comments on the Crystal River 3 Safety Study report. Since I was away from the office last week attending a training course I was unable to document them until now. However, I believe that most of them were discussed during the meetings you conducted on June 17 and 18, 1980 with SAI and FPC. Besides a number of additional comments, Enclosures 1 and 2 also contain my original comments as provided in my June 15, 1980 memorandum. For the information of those on distribution, Enclosure 1 contains substantive comments regarding the report, whereas Enclosure 2 consists of a number of editorial comments.

Signed by:

Patrick D. O'Reilly
Reliability and Risk Assessment Branch
Division of Safety Technology
Office of Nuclear Reactor Regulation

Enclosures: As stated

DISTRIBUTION

p. & d %c.. M File ce;w/tgiclesare 1 NRR r/f A. Bemero RRAS r/f R. Matts a -

P. O'Reilly

F. Ecusan M. Ernst G. Edism S. Lstael F. Caffaan M. Cuantagham J. Curry F. Mannino L Crnstah J. Pittaae M. Taylor A. Thadaat l


JUL 3 1980

ENCLOSURE 1

Comments on Crystal River-3 Safety Study Working Draft - 5/9/80

General Comment: Define abbreviations the first time used.

Volume 1 - Main Report

Page 2-3: Under item (1), second bullet, what is the basis for stating that it is considered extremely unlikely that the relief and/or safety valves (underline added) will fail to lift near their setpoints?

Under item (2), first bullet, provide the reference for the B&W analysis which shows that, if the EFS does not start automatically, the operator has approximately 20 minutes to manually start it to prevent the safety valves from lifting.

It was our impression that the PORV opens early in the case of a LOFW with failure of EFS to auto-start. This would imply that the safety valves would be challenged before 20 minutes into the transient.

Under Item (2), second bullet, according to the analysis reported in NUREG-0565, other operator action is required at about 40 minutes into the transient.

Was this additional operator action considered when the decision was made to eliminate this set of transient-induced LOCAs from consideration?

Under item (2), last paragraph, it is difficult to understand the statement about how the sequence can occur, especially in light of additional required operator action at 40 minutes, as discussed previously.

Pages 2-3 & 2-4: Under ATWS sequences resulting in core melt, we question the decision to omit these sequences from consideration. Our specific comments are as follows:

(1) Early B&W analyses (BAW-10099) showed the calculated pressures during an ATWS event to be quite high, in fact in excess of 4000 psig (these analyses did not assume any additional single failures).

(2) What are the bases for the conclusions that:

(a) RCS integrity will be maintained?

(b) Integrity of safety and relief valves will be maintained?

(c) Pump and vessel head seals will not fail?

(d) Steam generator tubes will not fail?

(e) Instruments will remain functional to guide operator actions?

(3) What discontinuities exist regarding item (2) and above and what inelastic analyses were performed?


(4) What is meant by the statement, "Information supplied by B&W...," in the second bullet? Why wasn't NRR assistance in this matter requested, especially since we have extensively reviewed B&W-designed plant response to ATWS events?

(5) Did the author-contractor also perform work for EPRI on this same subject? If so, there is a possible conflict of interest question because EPRI has espoused the industry position on ATWS.

(6) Provide the basis for the conclusion that a common mode failure that would disable the RPS (resulting in an ATWS event) has relatively low enough probability? What studies were conducted to determine which common mode failures would fail the RPS as well as engineered safety features (e.g., the EFS)? What models were used to estimate the probabilities of these events?

(7) Once the safety valves open during an ATWS event, since they will be exposed to high pressures (7400 psig) and an environment for which they are not qualified, why have they been expected to reclose? In other words, why have ATWS and failed-open safety valves been treated as independent events?

(8) In view of the recent event involving the scram system malfunction at the Browns Ferry Plant, how can it be concluded that ATWS sequences leading to core melt can be omitted from further consideration without providing any bases (other than a statement that they are not significant contributors to risk) for such a conclusion?

Page 2-4: Why is Table 2.2 referred to first, before Table 2.1? Should put tables in same order as they are referred to in text.

Page 2-4: Second paragraph - Were any required automatic or manual actions considered? How much time was assumed for any such actions? What values were assumed for human error and on what basis? If a time limit was assumed for operator actions, what was the basis for it? In these analyses, were longer steam generator dryout times used for the sequences involving loss of offsite power?

Page 2 8 54 2 What are the bases for the probabilities associated with the two human errors?

Page 2 8 54 23 - What is the basis for the probability value associated with the operator error in switching to circulation too soon?

Page 2 3456 What is the basis for the probability value associated with the operator failure to reconfigure valves for recirculation?


Page 2-a: Second paragraph, items (A) and (B) - Where is the EFS steam admission valve shown on Figure 2.1? If it is not indicated on Figure 2.1, how can the conclusions in these items be reached?

Page 2-9: Fourth paragraph - Who is supposed to perform the sensitivity analysis mentioned in this paragraph and on what schedule?

Page 2-13: Figure 2.1 - How can the loss of offsite power sequence be an initiator? Regarding T2A T10 - isn't Figure 2.1 independent of the containment failure mode?

Page 3-1: Second bullet - Where are the findings about SHA effects found in WASH-1400? This statement appears to conflict with the statement on page I-8 of Appendix I to WASH-1400 regarding SHA effectiveness.

Page 3-1: Third bullet - What is the basis for the conclusion that the ECF event on the large LOCA tree in WASH-1400 was based on extremely conservative assumptions regarding lack of functionability?

Page 3-1: Fourth bullet - How do you reconcile this statement with item 3 on page 3-18? It appears that this report has done the same thing (namely assume that transient-induced LOCAs caused by failure of Primary System Pressure Relief result in core melt) that it criticizes WASH-1400 for doing. Also see comments regarding page 3-13.

Page 3-7: First paragraph - Transient occurrence frequencies calculated using the data in EPRI-NP-801 are questionable because of the method used to tabulate the data. The interpretation of the EPRI data base is a point of controversy in the review of ATWS. Therefore, any results obtained using the EPRI data, including event sequence probabilities (see Section 4 comments), may be suspect.

Page 3-10: Last line at bottom of page - rest of text following "Section" is missing.

Page 3-15: Items M & L - What is the basis for the 24 hour requirement?

Page 3-16: Item V - Why not use "HPI" instead of "charging"?

Page 3-17: Primary System Makeup - Why not use "HPI" instead of "makeup"?

Page 3-18: Item 3 - In the exception, what is the basis for the statement that, "the excess RCS pressure is not expected to be very great"? Also, failure of primary system pressure relief may result in a RCS rupture with core melt, which was treated in WASH-1400 on the transient event tree as a core melt.


Page 3-20: Items F, Z, & H - What is the basis for the 24 hour requirement?

Page 3-23: Footnote - What is the basis for the conclusion that ATWS sequences were considered relatively unlikely to have a significant impact on total risk?

Page 3-24: Figure 3.1 - Why aren't branches with failure of primary pressure relief function terminated as LOCA, since they lead to RCS rupture due to overpressurization?

Page 4-1: Section 4.0 - Shouldn't some additional explanation be included about why use of the WAMCUT computer code causes differences in the quantification techniques? What is different about WAMCUT as opposed to the codes used in the WASH-1400 work?

Page 4-2: First paragraph - By whom were the failure modes monitored? The NRC single failure criterion only addresses active failures. It does not include passive failures in its current form.

Page 4-2: Third paragraph - Did the quantification of operator errors distinguish between actions where the operator has experience (e.g., initiation of EFS) and those actions where he has less experience? How was the time which the operator has for action in mitigating the events considered accounted for in the quantification? Were stress levels considered?

Page 4-3: Second paragraph - What is the basis for a coupling coefficient of 0.17

Page 4-7: Third paragraph - Is this the basis for the 24-hour requirement in preceding sections?

Page 4-8: Second and third paragraphs - This discussion appears to address several comments made previously about Section 4. Why doesn't it appear earlier in the section?

Page 4-10: Entire page - Isn't this material redundant to that in Section 3? Why repeat it here?


Page I-1: Volume 2, Part I, Bullets - There is no one-to-one correspondence between the bullet items and the major headings in Appendix I.

Page I-6: ECCS Recirculation Mode - In order to provide balance in Section I.4.1, the three system descriptions preceding this paragraph should be under the heading "injection mode."

Page I-7: Second paragraph - What does non-seismic mean?

Page I-8: Section I.6 - Denote Section number.


Volume 2, Part II

General comment on quantification of fault trees:

It was extremely difficult and in some instances impossible, to follow the quantification of the fault trees for each system considered in the study. This was particularly true in cases where coupling was considered (e.g., Figure 0.3 on page 0-21).

The relationship between the fault trees and the accompanying quantification tables and Boolean equations was not always clearly described. Since this treatment is a very important part of the report, it should be expanded or at least clarified so that the reader can verify the quantification of the fault trees without considerable difficulty.

We agree with H. Ornstein's comments regarding the assessment of human errors and operator errors. We also agree with his comment regarding the use of actual plant test and maintenance data and the use of lower bound failure rate data (e.g., ESAS relay failure rate data) as a computational median to obtain unavailabilities.

Page II Step 10, What is the basis for this assumption when there is ample evidence from LERs that tech specs are violated not infrequently?

Pages A-1 to A Appendix A - Based on the discussion between SAI and FPC on June 18, 1980, it is our understanding that this appendix will be revised to provide a reliability analysis of the RPS, not the control-grade anticipatory reactor trips. In the revision the following comments on Appendix A should be considered:

(1) Page A-9: Notes on CRD Power Train - First bullet - Is it possible to reset the CRD control panel without having reset the breaker? If so, was this considered in this study?

(2) Pages A-16, A-17: Figures A.3 (1/2 & 2/2) - How is the human error consisting of failure to reset the CRD breaker after testing included in the simplified RPS fault tree? Are there any common mode failures associated with the RPS?

(3) Page A-22: Figure A.4 (1/2) - Why does this figure differ from Figure A.3 (1/2)?

Page B-4: First paragraph - What does OGELS mean?

Page 3-24: First paragraph - Is equipment miscalibration the only common-mode human error?


Page C-22: Second level on fault tree - What type of gate should this be?

Page C-24: Second level on fault tree, rightmost branch - Same comment as page C-22 above.


Page 0-23: First level on tree - Shouldn't this be an "and" gate?

Page 0-28: Under Top Events, shouldn't the term on the left side of the fifth Boolean equation be "MCC3AB"?

Page E-1: Third paragraph - Are there three pumps or five pumps in the NSCCCS?

Page E-20: Second paragraph - The contribution of simultaneous hardware faults in both NSCCS pump train is a factor of two smaller than what?


Page G-4: Second bullet - Identify the figure referred to.

Page G-7: First bullet - What is the basis for this statement?

Page P-2: First paragraph - Define the term "non-seismic".

Appendix P - General comment: How did the results of this study compare with the reliability analysis of the EFS performed by B&W and FPC?

Page P-24: First sentence - Why wasn't failure of all AC power considered in this study? This event is considered in the auxiliary feedwater system reliability study required of all PWR licensees through NRR's implementation of Action Item II.E.1.1 of the NRC's TMI-2 Action Plan.
