Text

Partially Deleted Commission Paper to Inform Commission of Aslab Decision
	ML20038A420
Person / Time
Issue date:	09/17/1980
From:	Bickwit; NRC ATOMIC SAFETY & LICENSING APPEAL PANEL (ASLAP)
To:	;
Shared Package
ML20038A409	List: ML20038A408; ML20038A410; ML20038A411; ML20038A412; ML20038A414; ML20038A415; ML20038A416; ML20038A417; ML20038A418; ML20038A419; ML20038A420; ML20038A421; ML20038A422; ML20038A423; ML20038A424; ML20038A426; ML20038A432; ML20038A434; ML20038A435; ML20038A436; ML20038A438; ML20038A439; ML20045E144; ML20045E180; ML20045E183; ML20045E186; ML20045E197; ML20045E207; ML20045E218; ML20045E226; ML20045E237; ML20045E245; ML20045E252; ML20045E789; ML20045E791; ML20045E794; ML20045E800; ML20045E805; ML20045E812; ML20045E817; ML20045E820; ML20045E822; ML20045E828; ML20045E831; ML20045E833; ML20045E835; ML20045E842; ML20045E846; ML20045E848; ML20045E850; ... further results
References
	FOIA-92-436, TASK-CA, TASK-SE SECY-A-80-140, NUDOCS 8110290525
	Download: ML20038A420 (10)
	v • d • e

'

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHIN GTON. D. C. 20555 ADJUDICATORY S M -A M 0_

September 17, 1980 COMMISSIONER ACTION The Commissioners Fy:

Leonard Bickwit, Jr.

From:

General Counsel REVIEW OF ALAB-603 (FLORIDA POWER AND LIGHT Subj ect :

COMPANY)

Lucie Nuclear Power Plant Unit No. 2.

Facility:

St.

To inform the Commission of an Appeal Board Furpose:

decision on which no party has pet,itioned for g,f review,fandwhich, in our opinion,

_a Review Time Expires:

September 29, 1980 (as extended).

In ALAB-603, the Appeal Board concluded its con-Summary:

sideration of the adequacy of electric power systems for Unit 2 of the St. Lucie nuclear plant.

The Appeal Board found that the total loss of on-site and off-site AC power must be considered a design basis event for this facil ity.

Consequently, it directed that the appli-include cant's Final Safety Ar.alysis Report must an analysis demonstrating.the plant's ability to and a detailed operate through such an event, training program for station operation during a blackout transient and for the restoration of The Board also noted that although AC power.

its reasoning is equally applicable to Unit 1 at St. Lucie, it had no jurisdiction regarding that facility.

Accordingly, the Board suggested that the Commission take expeditious measures to ensure that, for nuclear power facilities with a station blackout likelihood comparable to that of St. Lucie Unit 2, these plants and their operators are equipped to accommodate such an event in a manner that assures public health and CONTACT:

Sheldon L. Trubatch, OGC InformMicn in t. s te:c:d :.m depd b

63k-322k in accordar.ce vi,'.h the E sedo:r, c; lr.bmetion I

8//0 2 9 0 fz f vola.Act, exemp:tions - Y4; 92

1 2

6Y 5 1/ CIn our view, safety.

Moreoveffwe rechtmend that This proceeding on the adequacy of electric Discussion:

power systems for St. Lucie Unit 2 followed upon a letter from Robert Pollard to the Attor-ney General of the United States in which ques-tions were raised about the reliability of the off-site power grid serving the St. Lucie facil-Upon receipt of information on grid ity. 2/

stability and related matters, the Appeal Board decided to conduct an evidentiary hearing regarding the following issues:

(1) the St.

Lucie station's compliance with General Design Criterion 17; (2) the probability and consequences of simultaneous loss of off-site' and on-site AC power (blackout); (3) whether a blackout should be considered a design basis event; and (4) measures to decrease the probability or conse-quences of a blackout.

The Appeal Board's decisions on these issues are summarized and t

analyzed seriatim below.

General Design Criterion 17 This criterion establishes the basic require-ments for the availability of off-site and on-site electric power systems important for facility safety.

The Appeal Board focused on paragraph 3 of that criterion which requires electric power from the transmission network te

-1/

We note that the Chairman has already requested the staff to report on the current status of Task Action Plan A 44.

Because of Florida's peninsular shape, the applicant's grid 2/

can be connected to the grids of other utilities only to the north.

This circumstance, and the applicant's operating.

history, tend to confirm that the applicant's grid is not as reliable as the multiple-connected grids permitted by more favorable geographic locations.

6 -

3 the facility to be supplied by two physically independent circuits. }/

Lucie is connected to the power grid by St.

three independent circuits, but they all ter-The minate at the same substation -- Midway.

Appeal Board was concerned that this arrange-ment did not satisfy GDC-17 because all three circuits could fail simultaneously if the Midway substation failed.

i Staff's testimony distinguished failure of circuits connecting a facility to the power In grid from failure of the power grid itself.

staff's view, paragraph 3 of GDC-17 is intended to provide connections which are as reliable as the grid itself, but is not intended to reduce the probability of loss of off-site power as a result of grid failure. E/

The testimony showed that the. design minimized the likelihood of simultaneous failure of these circuits and exceeded GDC-17 requirements by providing three independent circuits instead of two, and by l

providing circuits which are immediately avail-able in the event of a loss-of-coolant accident.

GDC-17 also requires consideration of loss of off-site power resulting from failures unrelated te the connecting lines.

For this facility, the Appeal Board identified three other types failure of the Midway of off-site power losses':

substation; loss of connection between the Midway substation and the grid; and failure of the grid.

Staff testified that design of the Midway substation made very remote the possi-bility of a major accident which would damage The Appeal Board resolved to its own satisfaction its initial 3/

interpretation of paragraph one of the criterion which it-previously read to require essentially: fail-safe off-site the Based on testimony by the staff and applicant, the purpose of this paragraph is power.

Appeal Board determined that to ensure the availability of sufficient power to the plant's protective systems,.and that this purpose is implemented by in the censidering the on-site power system to be the backup oflossofoff-sitepower.{yebelievethat p.6 event

' _J Staff considers failure of the Midway substetion to be grid 1/

failure.

4 s.

the substation so extensively as to lead to a complete outage and that, in its view, St.-

Lucie's connection to the Midway substation satisfied GDC-17.

Loss of connection of the substation to the grid was more extensively considered by the Appeal Board because cn1 May 14,1978, a' series of events isolated the Midway substation from the applicant's grid and resulted in_a comple'te loss of off-site power to St. Lucie.

This incident led to inquiry into the feasibility of connecting St. Lucie to additional substations in the grid.

This option was not extensively studied by the staff or applicant because they believe that the geographic configuration of the Florida grid could render additional con-nections counter-productive.

Alternative connections considered by the applicant were found inferior to the present arrangement; and the staff agreed that these connections would not enhance system reliability because of the grid's configuration.

Finally, the Board considered the reliability of the applicant's grid.

Applicant and staff testified that: (1) a new line is being con-structed to tie applicant's grid to the Georgia Power Company's grid; (2) the Midway substation will be directly connected to the new Martin Eenerating station; (3) new procedures have been instituted to minimize grid operator errors; and (4) applicant has installed a new system control center that allows operators to nonitor grid switching from a central location.

Staff believes that the new system control center should prevent recurrence of operator confusion which led to an earlier grid failure.

The Appeal Board found that the configuration connecting St. Lucie to the grid satisfied GDC-17 because the special geographic circumstances of Florida's peninsular shape imply that addi-tional connections of St. Lucie to other sub-stations on the applicant's grid will not provide significant improvement in reliability.

Moreover, the Board found that St.-Lucie's connections tc the Midway substation satisfy GDC-17 because of the 1.ow probability of failure of that substation.

i

5 Finally, the Board found that applicant's steps to increase the reliability of its grid should be effective.

However, the Board found that even with applicant's improvements, a loss of off-site power must be expected with a pro-bability of 0.1 per year. r g, g-

- ' ~

Blackout _

The Appeal Board then proceeded to determine that the probability of a complete loss of on-site and off-site AC power, i.e.,

a blackout, is in the range of 10 4 to 10-5 per year. 5/'

These values are substantially greater than the threshold values in the Standard Review Plan (SRP) at which the staff requires analysis of the implications for plant integrity of certain off-site man-made hazards. 6/

Although station blackout is not an event to which the SRP explicitly applies these threshold values, the Appeal Board has extrapolated the SRP rationale and found that the probability of this event is sufficiently high that they ordered an analysis of the implications of a blackout event for St.

This estimate is based on the probability of off-site power 1/

failure and the probability of both diesel generators simul-taneously failing to start on demand.

Historical events show that the probability of off-site power failure is between 1 i

i Substantial testimony was received regard-and 0.1 per year.

ing diesel generator reliability'~

gy. #.

i

~

6/

Tr.e SEP values are 10-7 per year for a realistically cal-c__sted probability of occurrence and 10-6 per year for a

~

c:-nservatively calculated probability of occurrence.

)

l 6

t f

Lucie Unit No.

2. 7/

in our f

~

g/ 3

view, Consequences of a Blackout All blackouts do not lead to serious adverse Natural circulation will remove consequences.

steam-driven pumps from the core, decay heat can provide auxiliary feedwater, and the con-densate storage tank holds a sufficient volume of water to maintain the reactor at hot standby for at least 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months .

The Appeal Board found as now designed includes most, that the plantof the systems and equipment required if not all, to maintain it in a safe configuration for the and that first few hours of station blackout, the probability of restoring AC power within four hours is acceptably low (less than 10-7)

-However, if operators are adequately trained.

because several significant questions'regarding plant behavior during' blackout remain unanswered, the Appeal Board ordered the applicant.to con-e detailed analysis of the plant's behavior duct during blackout to determine if new or revised systems are required.

Such an analysis would In reaching its conclusion, the Appeal Board rejected appli-

~7/

cant's contention that consideration of the simultaneous failure of both diesel generators to start violated the single-The Appeal Board noted that this criterion, failure criterion.

like all General Design Criteria, establishes only a minimum requirement which may.be superseded in the interests of public cafety in unusual situations. _In the-Appeal Board's view, such a situation is created by diesel generator unreliability.

Accordingly, the Appeal Board found that application of the single-failure criterion was not intended to apply to events having as large a probability as the failure of a single j

This-Appeal Board position was diesel generator to start.

initially formulated-in ALAB-543, in response to applicant's der its order initiating the notion to the Board to reconge hearing on grid stability. [jfe believe that gy.$

l

...=

1 7

also. furnish the' applicant with-.a basis for-establishing operator training and emergency procedures which.the-Appeal Board believes are' essential to brig ing the plant safely through a blackout. 8/ lIn our view,.

gy,(

.l i

~

Measures to Decrease the Probability or Consequences of Blackout

l The staff has been reviewing the generic-issue-of station blackout since 1977 under Task Action

-Plan A 44 Although its final report is not expected until 1982, staff has identifi'ed 1

several design and procedural improvements.

which'could minimize.the probability and consequences of blackout.

These include preoperational and periodic testing of' diesel generators as specified jLn Regulatory Guide 1.108,, provision of a heat' removal system capable of running without AC power, operating i

limits when power sources and safe. shutdown' systems are out of service, and development of emergency procedures for responses to blackouts.

St. Lucie Unit.2 has a steam-driven auxiliary feedwater system that~is completely independent of AC power.

Moreover, the Appeal Board-found that the applicant will-institute several miti-gating' measures includingi (1) compliance with Regulatory Guide 1.108; (2) imposition of cer-tain operating. limits; (3) development'of emer-gency blackout procedures; and (4)-inclusion of-blackouts in operator training.

.}

These circumstances, andithe modifications te the FSAR ordered by.the. Appeal Board, led it to approve the construction permit'as' modified.

Citing Power-Reactor' Corp. v. Electricians, 367 j

U.S. 396 (1961), the-Appeal Board. explained that approval of.the construction permit 1despite some unresolved safety concerns is_ consistent t

with the two-stage licensing process of the 8/

-The Appeal Board also: ordered the applicant to include in the ySAR a deta11e,1 training program and procedures for restoration-gk; 6 of AC power.

+

. =

9

. g

.t 8

.r, s.

8-4:.

Atomic Energy Act.

When applicant seeks-an

~

operating license it will be called upon to

-demonstrate that the Board's concerns have been gs,

taken care of.

.9

^

$nouropinion, h

t

)

i 6

I l

'l 1

J l

9 w-r 0'>

{

0" Re c or:me ndation_ :

f 3.rlu a s' F

L.-

-s i

Leonard Bickwit, Jr.

General Counsel

Attachment:

ALAB-603 Comissioners' coments should be provided directly to the Office of the Secretary by c.o.b. Monday, September 29, 1980.

Comission Staff Office coments, if any, should be submitted to the Comissioners with an informtion copy to the Office of the Secretary.

NLT September 23, 1980, If the paper is of such a nature that it requires additional time for analytical review and coment, the Comissioners and the Secretariat should be apprised of when coments may be expected.

DIS ~RIBUTION Comissioners Comission Staff Offices Secretariat 4

p

~

4 4

D UNITED STATES OF AMERICA 4,

NUCLEAR REGULATORY COMMISSION

,'4.

JUL 3 0 $03

r 6

0.ue :f *he Et27 ATOMIC SAFETY AND LICENSING APPEAL BOARD C::c e: 13erJ:e Br: :a Michael C. Farrar, Chairman 1

N iib Richard S.

Salzman Dr. W. Reed Johnson j

kV 80

)

In the Matter

)

Uly.

)

FLORIDA POWER & LIGHT COMPANY

)

Docket No. 50-389 CP

,,g (St. Lucie Nuclear Power Plant,

)

Unit No. 2)

)

-)

Messrs. Norman A.

Coll and Mario Villar, Miami, Florida, and Harold F.

Reis, Washington, D. C.,. for the Florida Power & Light Company, applicant.

Messrs. Terrence J.

Anderson, Coral Gables, Florida, and Martin Harold Hodder, Miami, Florida for Rowena E.

Roberts et al., intervenors.

Messrs. William J. Olmstead and William D.

Paton for the Nuclear Regulatory Commission staff.-

DECISICN July 30, 1980 (ALAB-603)

Introduction and Summary.

This decision disposes of-several cuestions addressed at an evidentiary hearing we conducted to consider the adequacy of electric power systems.

for Unit 2 of the St. Lucie. nuclear plant.

As recounted more fully in Part I (pp. 6-10, below), the hearing was necessary to

?

t

/

review matters that arose shortly after our affirmance of a Licensing Board decision authorizing issuance of a permit to Florida Power & Light Company to construct that plant.

Briefly, because of Florida's peninsular shape the applicant's electrical distribution system (grid) can be connected with the grids of other utilities only to the north.

This suggested

-- and the applicant's operating history tended to confirm --

that FP&L's grid might be less reliable than ones interconnected with multiple grids.

There was no indication, however, that the onsite emergency power system at St. Lucie had been designed to compensate for a lesser degree of grid stability and the Licensing Board had no occasion to explore the matter.

We therefore determined that further proceedings were necessary for that purpose and elected to conduct them ourselves.

In Part II we discuss the first of two major concerns explored at the hearing:

the St. Lucie station's compliance with General Design Criterion (GDC) 17, which deals with off-site and onsite electrical power systems.-

We review (a) the circuits connecting St. Lucie to the applicant's electrical crid (pp. 10-14); (b) the means by which offsite power to St.

Lucie may be or has been interrupted and the probability of such occurrences in the future (pp. 14-22); and (c) improvements I

4 now being undertaken to increase the reliability of the applicant's grid (pp. 23-25).

We conclude that: (1) the three circuits between St. Lucie and the' applicant's grid have been designed and located to minimize the likelihood of their simultaneous failure as GDC 17 requires; (2) the reliability of the applicant's electrical distribution system is improving; and (3) as elsewhere, loss of offsite power must neverthelets be anticipated during the operating life of St. Lucie Unit 2.

Part III (p. 29) addresses our second main concern, which proved to be of principal significance:

whether Unit 2 should be designed to withstand the events connected with J

a station blackout (i.e., complete loss of alternating current (AC) power).

First, in order to assess the need to design i

for a complete loss of AC power, we consider the reliability of the diesel generators used to supply emergency AC power onsite and the adequacy of the " single failure criterion" as applied to those generators (pp. 29-43).

We conclude that there is.a sufficiently high probability of station blackout to warrant protecting against it in designing the plant (i.e.,

to make it a " design basis" event).

Next, we trace the cir-cumstances that can be expected to follow a loss of all'AC power (pp. 44-53).

We conclude that although it appears that.

I o

i

i 4-the plant can accommodate a station blackout of some duration, a thorough analysis of the plant's behavior during such an event must be performed to ensure that this is true.

Third, we e:: amine the time required to reinstate some source of AC power, whether from offsite or by returning an onsite diesel generator to service (pp. 54-62).

We find the evidence to indicate that power can reasonably be expected to be restored soon enough that a station blackout will not result in core damage or undue hazard to the public health and safety.

But we emphasize our view that the plant's ability to survive a loss of AC power rests in large measure on the response of the operators.

This in turn depends on how well.they have been trained to maneuver through such an event and whether they have procedures to guide them in that abnormal operation.

The need for training and procedures extends also to those operations which may be necessary to restore AC power to the station following a blackout.

Finally, we turn to measures for decreasing the probability and consequences of a complete 1/

loss of AC power (pp. 62-68).

1/

In this connection, we note that the applicant has committed itself first, to test the reliability of

~~

its diesel generators initially and periodically in accordance with Regulatory Guide 1.108 (pp. 64-65); and second, to develop operating and training procedures for coping with a station blackout (pp.

66-67).

M 7

~

~~~

'~~

T :.

.J-...

- A summary of our ultimate findings and conclusions, to-gether with our order setting out the appropriate action to be taken, appears in Part IV (pp. 6 8-71).

Our finding that station blackout should be considered as a design basis event for St. Lucie Unit 2 manifestly could be applied equally to Unit 1, already in operation at that site.

By a parity of reasoning, this result may well also obtain at other nuclear plants on applicant's system, if not at most power reactors.

Our jurisdiction, however, is limited to the matter before us -- licensing construction of St. Lucie 2.

Beyond that, we can only alert the Commission to our concerns.

We are aware that the staff has been evaluating the sta-tion blackout scenario under Task Action Plan A-44.

This study was started in 1977, however, and according to the 1979 NRC Report to Congress its completion is not anticipated until 1982.

For the reasons developed in this opinion we believe the problem merits more immediate attention.

We theref ore re-spectf ully suggest to the Commission that, for nuclear power f acilities with a station blackout likelihood comparable to l

that of St. Lucie Unit 2, expeditious measures be taken to en-sure that these plants and their operators are equipped to ac-commodate such an event in a manner that assures public health and safety.

4

. I.

BACKGROUND Our involvement with these issues began in October 1977,-

when we affirmed the Licensing Board's initial decision authorizing the issuance of a construction permit for the facility."

Two weeks later, the NRC staff apprised us and the other parties cf allegations made by Robert D. Pollard (a former Commission staf f member) in a letter to the Attorney General of vhe United States.

Among other things, those al-legations questioned the reliability of the of fsite power grid serving the St. Lucie facility.

We amended our decision to retain jurisdiction over those questions and called upon the applicant and staff to supply certain inf ormation regarding them.

2/ ALAB-435, 6 NRC 541 (1977), affirming LBP-77-27, 5 NRC 1038 (1977).

In ALAB-435, we retained _ jurisdiction to explore further the issue of steam generator tube integrity.

6 NRC at 544-46.

Upon considerstion of additional inf ormat_on. we terminated that jurisdiction in ALAB-537, 9,NRC 407 (1979).

Still before us is the radon release issue, which is also pending in a number of other proceedings; that issue will be disposed of separately.

See. Philadelphia Electric Co...(Peach Bottom Atomic Power Station, Units 2' and 3), ALAB-480, 7 NRC 796 (1978),

j i

3/ The letter also suggested that the staff had improperly f ailed to alert the Licensing Board to the grid

~~

stability question.

The Commission investigated the matter and concluded that the staff's failure to include pertinent information in its Safety Evaluation Report (SER) for the j

facility was a result of confusion rather than willful misconduct.

See ALAB-537, 9 NRC at 408 and 412 (fns, j

5 and 16).

The allegations of weaknesses in the SER were one reason for our conducting an evidentiary hee. ring en crid stabilitv.

6.

Our review of the material submitted raised a number of questions.

The geographic configuration of the Florida peninsula obviously limits applicant's opportunities to connect its grid system with others.

This, it seemed, would make its electrical distribution system less reliable than one located whe:

greater interconnections are possible.

The Florida Power A L'a'1t Company's operating history appeared to confirm that observation.

This caused us to be concerned the onsite power systemis apparent lack of features de-about signed to compensate for the reduced reliability of offsite power.

Consequently, on March 10, 1978 we directed the parties to answer a number of questions about that apparent design inadequacy and to advise us whether they believed further proceedings were necessary, By June of 1978 we had received both the applicant's materials and the staff's reply.

The intervenors, private individuals residing in the St. Lucie area, filed no responsive inf ormation immediately.

Rather, on August 11, 1978 they moved to advance a ' new" contention on grid reliability and to suspend the construction permit pending completion of a hearing on that With issue.

The applicant and staff opposed both requests.

~ -!u d our leave, intervenors replied belatedly on January 30, 1979.

1 The substantial amount of information submitted by the i

parties convinced us that an evidentiary hearing was needed to explore our questions about the stability of Florida power and Light's electrical grid and the reliabil-ity of AC power 4/

for St. Lucie Unit 2.~~

We had several particular concerns:

(a) the implications of then recent grid disturbances (includ-ing a complete loss of offsite power on May 14, 1978); (b) the staff's opinion that offsite power was less assured for St.

Lucie than for nuclear plants in nonpeninsular areas,~

and (c) the lack of compensation for that situation in the design of the onsite power system.

We therefore ordered a hearing held before us on those concerns and directed the parties 6/

~~

to answer additional questions in preparation for it.

4/

We denied the intervenors ' motion for a stay and dis-missed as moot their motien to add a new contention on the. grid stability issue in light of our own prior decision to consider the matter.

Intervenors were told they would be given the opportunity to participate in the forthcoming hearing.

5/

Fitzpatrick Affidavit of June 12, 1978, pp. 5 -6.

_3/

See ALAS-537, supra, 9 NRC at 413-15.

l

-9 Briefly, our questions involved the St. Lucie station's compliance with General Design Criterion 17 (dealing with 7/

)

of fsite and onsite power system requirements);

an analysis 1

of the probability of and consequences that might result from a loss of offsite power with a simultaneous failure of onsite-power (in other words, a complete loss of AC power) ; whether that sequence of events should be gu'arded against in designing the

~

l plant (that is, whether it should be a " design basis" event) ;

the measures that might be taken to assure or increase system reliability during an " alert status"; and any ongoing or planned improvements that might enhance the reliability of the appli-cant's system.

We conducted a four-day evidentiary hearing in Florida in early December 1979.

The applicant and staff presented expert testimony and supporting exhibits; the intervenors restricted their participation to cross-examination 8/

witnessesT Based on the record established at the hearing, we have concluded that the St. Lucie station complies with 7 / See 10 C.F.R. Part 50, Appendix A (" General Design Criteria f or Nuclear Power Plants").

-~

JL/ Although the other parties submitted proposed findings for our consideration, the intervenors chose not to do so.

i i

i General Design Criterion 17.

Nev er thele ss, the probability and potential consequences of a complete loss of AC power at the site require that such.a:" station blackout" be treated as a design basis event with a11 that this entails.

An,elucida-tion of our; findings, conclusions,.and reasonin,g follows.

II.

GENERAL DESIGN CRITERION (GDC) 17

~

1.

This criterion establishes the basic requirement that both off site and onsite electrical power systems must be available to a nuclear plant to supply the electrical needs of structures, systems, and components important to 9/

saf ety7 Our primary concern was with the criterion's third paragraph. ' This states that (ellectric power from the transmission network to the onsite electric distribution system shall be supplied by two physically ind ependent circuits (not necessarily on separate rights of way) designed and 'acated so as to minimize to the, extent prw:.

si the likelihood of their simultaneous < ilure under operating and postulated accident

_9/

See fn.

7, supra.

11 -

i and environmental conditions.

A switchyard common to both circuits is acceptable.10/

19 We also raised a question about the first paragraph of the criterion which, read literally, appears "to establish an

~~

unattainable set of conditions for electrical power systems generally."

ALA3-537, 9 NRC at 414.

We initially read that paragraph to call for an assessment of the offsite power system that assumed the onsite power system was not func-tioning but, nevertheless, required sufficient electrical capacity to enable the plant to survive " anticipated operational occurrences -- one of which might reasonably be a loss of the off site power system itself.

The appli-cant's and staf f 's testimony, however, demonstrated that literal interpretation misconstrued the purpose of our GDC-17.

That purpose is to ensure that suf ficient power is available for the plant's protective systems to function.

The applicant's witness Mr. Flugger explained that the onsite power system is viewed as a " standby" system to provide elec-tricity when the of f site or " pref erred" power system is not available.

Flugger, fol. Tr. 483, at 4-5; see Regulatory Guide 1.32 (endorsing IEEE Standard 308-1974, which employs the " preferred" and " standby" terminology, as an adequate basis for compliance with GDC-17).

Mr. Fitzpatrick, a staf f witness, concurred, adding that our reading of GDC-17 would have the ef f ect of requiring a " single-f ailure-proof" of f-site power system.

This he characterized as "neither attainable nor within the purview of the NRC."

Fitzpatrick, j

fol. Tr. 624, at 12-13.

Finally, Mr. Flugger pointed out that, based on the safety analysis required at the con-struction permit stage by 10 CFR 50.34, limiting conditions

)

f or' operation would be established pursuant to 10 C.F.R. 950.36 and Regulatory Guide 1.93.

These would make operation of Unit 2 with both onsite diesel generators down a violation of the " Technical Specifications," i.e., contrary to the conditions of the f acility's operating license.

Flugger, fol. Tr. 483, at 5-6.

This would tend to minimize the risk posed by our literal reading of GDC-17.

The parties thus satisfied our concern.

We did not pursue the matter f

further and instructed them that there was no need to prepare findings on this question.

See Tr. 875-76.

1

. 11 /

As we noted in our April 5,1979 memorandum,~~

although three transmission lines connect the St. Lucie station to the applicant's grid, all three terminate at the same sub-station.

That substation, " Midway," is on the Florida mainland, across the Indian River from and ten miles west of the St. Lucie site on Hutchinson Island.

On May 14, 1978, all power at Midway was lost.

This strongly suggested to us that the three circuits were in fact susceptible to sim-ultaneous failure; hence our questions about whether the St. Lucie station complied with the foregoing requirements of GDC-17.

The applicant responded with the joint testimony of Ernest L. Sivans, Florida Power & Light Company's Vice President in charge of system pir.nning; Michel P. Armand, a supervising engineer responsible for the areas of reliability and system security in the company's system planning department; 12 /

~~

and Wilfred E. Coe, the applicant's director of power supply.

1__ /

ALAB-537, 9 NRC at 414.

L1,/

Armand, Bivans and Coe (hereinaf ter referred to as Armand et al.) fol. Tr. 45.

The staf f's witness on this subject was Robert G. Fitzpatrick, 13/

an NRC senior power systems engineer.

Mr. Fitzpatrick's

~~

work since 1974 has involved the-technical review of elec-trical systems.

The gravamen of their testimony was that the present system connecting St. Lucie to the Midway sub-14 /

station does satisfy Design Criterion 17.~-

Los s of off site power is expected to occur at least once LkJ' during the lif e cf a nuclear power plant; the goal of power system design is to minimize and accommodate rather than pre-clude the possible occurrence of that event.

In the staf f 's we have misconstrued the purpose of the.GDC-17 provision

view, to which we were ref erring.

The staff points out that its focus is directed at minimizing the possibility that the circuits connecting a nuclear power plant to the grid will all fail simultaneously; it is not aimed at reducing the likelihood that offsite power will LL/ Fitzpatrick, f ol. Tr. 624.

11/ Armand et al., fol. Tr. 45, pp. 3-8; Fitzpatrick, fol. Tr 767T, p.

3.

(L/ See 10 C.F.R. Part 50, Appendix A, which provides a-definition of " anticipated operational occurrence" that includes loss of offsite power as an event that.

is expected to occur at least once during the plant's operating life.

- 14 AfL/

be lost by reason of grid-failure.

Thus, from the standpoint of GDC-17, the important consideration for the connecting circuits is their reliability.

As long as they are as reliable as the of f site power system itself, where they connect to.that system is of " secondary concern."

2.

The testimony suggested three means by which offsite power to the St. Lucie station could become unavailable:

15_/ Fitzpatrick, fol. Tr. 624, p.

3.

Grid failure is addressed in the fourth paragraph of GDC-17, which. requires, among other things, the inclusion of provisions "to minimize the probabilityr of losing electric power from any of the remain-ing supplies as a result of, or coincident with, the loss of power.

. from the transmission network."

(1/ Fitzpatrick, fol. Tr. 624, p. 5.

The relationship between location and reliability of the connecting cir-cuits is illustrated by Mr. Fit: patrick's responses to our. questions concerning a hypothetical situation posed by us.

b'e aske.d.what night.be _rsquirei p,ursuant_.

to GDC-17 if some potentially serious hazard were present in the vicinity of the Midway substation, using as an example a railway terminal presenting a risk of fire f rom a heavy volume of traf fic in liquid propane.

The witness explained that,in those circumstances, termination of all three cir-cuits at Midway woulc not satisfy the criterion's require-ments.

This f ollows because running one or more of the lines to another substation would further increase the reliability of circuits (by reducing the likelihood of i

tneir simultaneous f ailure due to an event at Midway).

Mr. Fitzpatrick stressed that this was not the case h er e.

See Tr. 707-13.

15 -

simultaneous f ailure of the circuits connecting St. Lucie to Midway; loss of the Midway substation; and failure of i

the electrical grid itself.

We examine those three f ailure modes in an ef fort to judge the relative likeli-hood of their occurrence.

The parties did not specifically assess the probability of simultaneous f ailure of the three circuits connecting St.

Lucie to Midway.

Rather, they focused on the presence of f eatures designed to minimize that likelihood.

St. Lucie 1

is connected to the grid through the Midway substation by l

means of three 240 kV transmission lines (circuits) separated sufficiently to preclude their physical interf erence 18/

with one another.'""~

The circuits enter Midway in bays spaced 35 to 40 feet apart.

As shown in Figure 1 (on page 16),

within. Midway each 'of the three circuits is tied to the grid by means of two independent busses (separated by a distance20/

~

of about 150 f eet) through a " breaker-and-one-half" scheme.

This configuration provides that even if both 240 kV busses at Midway are lost, power coming directly from other sub-stations should remain available to St. Lucie along each g/ Armand et al.,

fol. Tr. 45, p. 7.

g/ Tr. 668.

20/ This configuration employs three breakers for every two circuits involved.

D.G. Fisk, Standard Handbook for Electrical Engineers (10th Ed.) at 10-89.

FIGURE 1 CIRCUITS CONNECTING ST. LUCIE TO MIDWAY To Malabar

/

f ST. LUCIE I

f liutchinson g("

Island l

Start-up MIDWAY 8

G e

3 t>T i

To Sherman To Indiantown To Okechobee To Ranch To llartman To Plumosus Adapted from Armand et al.,

fol. Tr. 45, Attachment 5.

I 4

' of the three connecting lines.

Substation components are protected so as not to disrupt one another; transformers are located about 150 feet apart in concrete reservoirs filled with gravel to contain any oil leakage and prevent the spread 21/

of possible fires.~~~

In fact, applicant and staff witnesses testified that the St. Lucie-Midway connection exceeded the basic requirements of GDC-17.

Three physically' independent 22 /

circuits exist instead of the requisite two.

And,-whereas GDC-17 requires one of those circuits to be designed to be available to supply offsite power to the onsite distribution within a few seconds following a loss-of-coolant accident, system the breaker-and-one-half scheme at St. Lucie makes two circuits immediately available.

Thus, the testimony indicates that the likelihood of simultaneous failure of the circuits has been minimiz ed.

The fact that there have been no simultaneous f ailures of the St. Lucie to Midway transmission lines confirms this.

In the staff's view, the May 14, 1978 loss of power from the Midway substation was an instance of grid unavailability (or separation of Midway from the grid) rather than a failure of the three circuits connecting St. Lucie to Midway, g/ Armand et_ al., fol. Tr. 45, pp. 6-7, Tr. 78-83, 229-31.

g/ Armand et al., fol. Tr. 45, p. 8; Fitzpatrick, fol.

l Tr. 624, pp. 3-4; Tr. 627-28.

2 626-27, 2/ Tr.

2f/ Fitzpatrick, fol. Tr. 624, p. 3.

25 / Ibid.

See the further discussion of this incident at p. 19, infra.

mewe--

,.mw-r 18 -

offsite power may nevertheless be lost in ways unrelated te the reliability of the connecting lines.

Termination of'all three circuits at Midway presents a risk of such loss caused by the failure of the substation itself.

Applicant's witnesses testified that the substations and transmission lines are de-signed to prevent outages resulting from-the effects of strong winds, lightning, and various forms of environmental contami-26/

nation, such as salt deposition.--

However, certain kinds of accidents (for example, a fire or heavy aircraft crash) con-ceivably might disable the Midway substation.

Mr. Bivans acknowledged that such incidents could be postulated, but doubted that fire alone would disable the entire substation.

He explained' that the worst kind of fire would be one in the auto trans-f ormers, and that the substation had been designed to minimize the 27/

likelihoed of such a fire starting or spreading.

In Mr. Bivans' judgment, the probability of a complete outage at 28/

Midway as a result of a major accident was "very remote."--

Similarly, Mr. Fitzpatrick testified that the staf f's accept-ance of the St. Lucie to Midway connection as satisfying 26/

Armand et al., fol. Tr. 45, p.

4: Tr. 274-75.

27/

Tr. 230-31.

_2_8/

Tr. 234.

_y..m_,_--..,.--,m-m m

GDC-17 hinged on the absence of any potentially serious threat to the three circuits in the vicinity of the Midway 29 /

substation.--

On May 14, 197 8, a series of events occurred which did isolate Midway from the applicant's grid and cut off all offsite power to St. Lucie.

While one of the transmission lines connecting Midway to the grid from the south was out of service for testing, an operator at another station made a switching error that caused a second line serving Midway to go out.

An improperly connected polarizing circuit at Midway then caused30 /

1 the remaining lines to trip, separating Midway from the grid -~

r As we mentioned (p. 17, supra), the staff characterized this as a grid f ailure rather than a simultaneous loss of all three lines from Midway to St. Lucie.

Our concern with the May 1978 incident prompted an inquiry j

i into the feasibility and advisability of supplementing the l

circuits between St. Lucie and Midway with a connection to a diff erent point on the grid. ~ Neither the applicant nor the staff studied those options extensively, how-ever.

In their judgment, the geographical configuration 19 / Tr. 707-710.

.a::

l,, ~~ l m

= Sa:.

,,so

....,.,s r

,.,,....,g (LJCT1t tC

=. - - -

,.,om.

.s.,o

.., r.

,.,s.

,.,~,., o

=,

..cd-..ie,l=a

[t7,, "",$in i 8

d d

3 d

s.,7 m" s.= t e

.w

..ic,o 1.ic.t.ic s.ic 3.,s., I

..,o..

, =,.

,., ~,,

,., o,., -

2., s.

,o

-~

,., g...

j,.,,,,,,,,

.,m.,

,., o,., -

... ~

= _-

,.,r.,

,,,e..,,,

,,, g.

..,,,,.. !,.,.,.,g i,,,.

,.,,, -. l,,s..,-

=

,.,..,o l,,,,

i.,,. m.

i. ie...e

3., s

2.,.

p.o~~

. - ~.--

... ~,.

=

v.

I R

%.e

1. lP /..

,.,0I,.,7I

>=oewe,ad - Opt a

,.,C"8 @

,, t... s t'd t.,P' 4

W,.a. T AW

,.,7 %

3. te. 24,d tt-N.

,,, e4 r. n

,. id,.,d g

8. A

,.,d.,,d

,. t I

I

.,Fd

,D S Ca.se Sh

'I

,.10 1

f

,.,C d,D

,.,7 1

p.,r..,s

,.,o l

,.,o

,.,g,

,.,o,

~,

SR EM ER in r p

, cWwn

..,r lm a

.., C=4hld

,,,DI

i.,dM R

1.,74 I

s.ie,e l

u,e,,,. ie s

i.,e,8 p

. o,

,,ig4,.

33,,,3,3,4

',,g

(""*,

f m

I

2.,P =,.,6

3. :-e 8

Ame.a*

t.,elma b,y,,,4,@4 1.,04

,.ih,s Osan

..,F fD r.<,

e 0

2.,ed,w a

,. icd...ird i.ig l

l,.,s.,.,

.,g t

,,,,,,., - l,.,-

..., ~.

j,.......,,,

m,. - _

,., ~,....

s.,0 mm

,,P.,,,g-4 4

w.

(

,,, F m A

,. ly te,.,9 0,.n CC I

TRANS,0 Rut R,

,.,0,4

,.,p,...,p,

,.,p, g,,,,

g,gg4mq 7

3,37,3,,,,4 g,g D=ms,Ca=ews. Pimad IIe

,s h.w.

,.,r,m m

,*,t' s,y,

. m i.. ww.e hiya.va

,y,

.,pl g.,e4 s

ta n..

M^

O d (t we O el I

4

,.tP.,.,g5 g,ip-1.,9 MA 8""'s

,****.A**

,., P - A

,..tS

,D3 sot.,0 d

5 Aft

,.,r,.,eI

..,d Otv,CI.,

m.a

,.,ca8 m m

,.,t,...,78

,.,e*

, e.r.r e

.so w

,. ig4m a kp e u

t,. r. m.

8 I

.,... s l

...~4

,,,..,,, l,,g,,,.g l

. +

l will have to be ' identified and satisfied in the interest of 74/

public safety' in ' unusual' situations "

For the reasons cited above, we conclude that the circumstances present here call for such additional measures.

The diesel generators employed for emergency onsite power can only be characterized.

as relatively unreliable pieces of equipment.

Blind reliance on the single f ailure criterion (that is, simple redundancy) does not provide an adequate degree of plant safety and public protection in this state of af fairs.

In short, the probability of a complete loss of AC power is in the range of 10-4 to 10-5 It is therefore unacceptably 1

)

high relative to accidents and other events considered in-credible for design purposes (which have a probability no

- 6 )',25/

greater than 10 i

Both the applicant and the staff have indicated, how-1 that the plant can accommodate a complete loss of AC ev er,

l power f or some period of time.

We now turn to their testi-1 l

many en what might follow a station blackout and how these j

i events determine the time available in which to restore some AC power source.

l 74/ ALA3-543, 9 NRC at 627 (footnote omitted).

-l l

75/ see p.

31, supra.

I L____

,,,. a

. ~ _..

1

. B.

Events That Tollow Loss of All AC Power The events associated with a loss of offsite and " normal" t

onsite AC power are described in Section 15.2.9 of the appli-cant's Preliminary Saf ety Analysis Report (PSAR).

Assuming a loss of of fsite power and concurrent turbine trip, the reactor is automatically shut down; hence normal onsite power,is lost.

Because power is lost to the reactor coolant 77/

and main f eedwater pumps,---

normal feedwater and reactor coolant flow ceases (PSAR, p.r 15. 2. 9 -1).

Nevertheless, natural circulation will remove decay heat from the core and 78/

transport it to the steam generators.---

There the heat is dissipated by boiling the residual water.

The steam generated in this process is initially released to the atmosphere via the 76/ Normal onsite AC power is provided by operation of the plant itself through transf ormers connected to the output of the turbine generators.

77/ The feedwater pumps supply water to the secondary side of the steam generato1?s which, in turn, afford the basic means for removing heat from the reactor cooling water (on the primary side).

78 / In a brief and very simplified sense, natural circulation occurs as a result of heat transf e.r from ~ the 1.1 to the cooling water.

This heats the coolant in the.ecre, causing it to expand.

This change in density leads to forces which, in a properly designed system, result in the circulation of coolant from the reactor core region through the steam generator where heat is removed.

The applicant r'eports that natural circulation capability has been verified by test results.

See PSAR, p.

5.3.5.

a 4

' automatic safety relief valves in the steam lines.

After diagnosing the situation, the operator will start the auxiliary feedwater flow and the steam flow will be relieved by operation (The PSAR of the power-operated atmospheric steam dump valves.

suggests th:Ls will be done within the first 15 minutes.)

The reactor operator will then be able to bring the plant to a standby" condition within 45 minutes of occurrence of the

" hot accident (ib id. ).

The sequence described in pSAR Section 15.2.9 assumes the diesel generators will be started and made available as intended.

As we have seen, however, it is sufficiently likely that both diesels would f ail to start on demand that we must Certain also consider what happens in those circumstances.

aspecrs of the loss of power transient can be accommodated with or without the diesels as a source of emergency power.

For example, if the diesels are available, auxiliary feed-water can bie provided by AC-powered pumps; otherwise, steam-79/

driven pumps that require no AC power can be used.

The

~~

steam-driven turbine pumps used to prov'ide a source of auxiliary f eedwater are designed to operate over a wide range Power for valve operation and other auxiliary fuhetions 79/

requirred for steam-driven pump operation is obtained from dhe station's DC battery power supplies (see PSAR, p.

7. 4-3).

Mr. Flugger tells us.that with proper utili-I

ation of these supplies, auxiliary feedwater operation can be maintained without AC power for nearly 25 hours2.893519e-4 days 0.00694 hours 4.133598e-5 weeks 9.5125e-6 months l

(Flugger, fol. Tr. 483, p.

19).

l l

l-

.. 80/

-~

of available steam.

The pumps are designed to provide the feedwater flow required under shutdown conditions (Tr.485).

Likewise, the excess steam generated from decay heat removal can be relieved by either the power operated etmospheric steam dump valves ~~81/

or, if power is unavailable, by the safety relief valves.

Liquid lost from the steam generators as a result of boiling is replenished through the auxiliary feedwater system from the condensate storage tank.

This tank has sufficient volume to allow the reactor to be maintained at hot standby for at least 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months (Flugger, fol. Tr. 4 8 3, p. 18).

There are other substantial sources of water available onsite which could be used to 80/

Applicant's witness Mr. Flugger was not sure how low " avail-able steam pressure" could drop and the steam-driven turbines continue to operate (Tr. 499), but the PSAR (p. 10.5-1) in-dicates they can operate with c. s.aturated steam pressure as low as 50 psig.

81/

The pcwer requirement here is that needed to provide the signal to operate the pneumatic atmospheric dump valves (PSAR, p. 7.4-4).

Whether this belongs on DC battery power or not might be one question for further study.

Another is how many cycles of dump valve operation the air supply system can sustain before i. must be replenished.

Opera-tion of the plant air compressors, needed to replenish this supply, requires AC power.

It should be noted, how-ever, that the atmospheric dump valves will fail in the closed position upon loss of air (PSAR, p. 7.4-4).

In that event the relief valves, which are sized to handle more than 100 percent of the steam flow at full power, (FOOTNOTE CONTINUED ON NEXT PAGE)

. extead such operation (id. at pp.18-19).

Hence, the availability of water does not appear to be a ' limiting factor.

e

From the analyses provided, it appears that the plant can accommodate the early stages. of a total loss of AC power.

The staff suggested that the first components susceptible to failure in this sequence are the reactor coolant pump (RCP) 82/

These seals are designed to prevent leakage

~-

seals.

of primary coolant along the rotating shaft of the reactor To function properly they must be coole'd; it coolant pumps.

83/

is dbe loss of this cooling that may lead to their failure.

81/

(FOOTNOTE CONTINUED FROM PREVIOUS PAGE) will function to relieve steam pressure.

(PSAR, SA-4).

Thus it is not necessary to operate p.the dump valves because the safety valves will provide adequate relief.

However, Mr. Flugger tells us it is desirable to use the dump valves so that the operator can have some control over the system (Tr. 504).

82/

Fitzpatrick, fol. Tr. 624, pp. 17-18.

The RCP seal cooling system uses a controlled " bleed-83/

off" flow from the primary coolant through the seals

~~

and through a heat exchanger.

The normal controlled leak rate is 4 gpm (PSAR, p. 9.3-30).

The primary coolant bleed-of f flow is returned to the primary coolant by the charging pumps via the chemical and volume control system.

The three charging pumps can Heat is each operate at 44 gpm (PSAR, p. 9.3-42).

removed by component cooling water flowing across the It. is ' this secondary side of the' seal heat exchangers.

loss of coolant flow to the RCP seals to which we refer above.

.. Applicant's witness Mr. Flugger explained that an unprotected loss of coolant accident (LOCA) does not result from the postulated loss of all AC event.

There is no f ailure of the reactor coolant pressure boundary associated with this event.

A reactor coolant pump (RCP) seal can only yield very small and acceptable leak rates.

Unit 2 has more than adequate capability to remove decay heat, which is necessary to accommodate the postulated loss of all AC event.

There is suf fi-cient condensate to provide steam generator makeup for at least 16 hours1.851852e-4 days 0.00444 hours 2.645503e-5 weeks 6.088e-6 months , the auxiliary feedwater pump is steam driven, auxiliary feedwater pump control and auxiliary feedwater system valves are DC powered, and the steam generators have sufficient inventory to allow the operator about 55 minutes to actuate auxiliary feedwater before steam generator dryout occurs.84/

The foregoing assumes that if a reactor coolant pump seal fails, the resultant leak rate will be " acceptably" 85/

small.-~

This in turn implies that the loss of prLeary c oolant from the reactor vessel is somehow being accommodated.

That would normally be accomplished by cperation of the charging pumps.

These return water from the volume control 8 4 / Flugg.er, fol. Tr. 483, p. 3 (citation omitted).

85/ Ibid.

An " acceptable" leak rate is one in which water is not lost in suf ficient quantity to uncover the reactor

~-

core or to affect it indirectly by impeding natural cir-culation.

A

. 86/

tank.

Charging pump operation requires AC power,

~

however, and thus would not be possible under black-out conditions.

Tr. 600.

The applicant provided an extensive description of I

the operation of the RCP seal system during normal operation and under accident conditions (Flugger, fol. Tr. 483, pp.14-17).

Under normal conditions with the reactor coolant pumps running, if cooling water (that is, component cooling water is lost to the RCP seals they could fail within flow) an hour or so (id. at p. 14).

Under the station blackout conditions we are postulating, however, the pumps do not instead they lose power and coast down rather continue to run; On the other hand, cooling water from the component quickly.

cooling system no longer flows to the seal heat exchangers and the seal temperatures rise from 180*F to 550'F (M. at The applicant expects the seals to remain functional

p. 15).

The charging pumps and volume control tank are part of 86/

the chemical and volume control system (CVCS) that is used to maintain primary coolant water at the appropriate volumetric level and chemical condition.

The pumps can be connected to the refueling water storage tank if required (see PSAR, p. 9.3-49).

This tank provides a substantial volume of water for plant use (see PSAR, p. 6.3-6).

. for at least 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months under such conditions.

But it also acknowledges that if the reactor coolant pumps should be restarted af ter such an event, seal leak rates will probably be higher than normal (ibid.).

For its part, the staff agreed that its earlier assess-ment (in which it estimated that only 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months would elapse following loss of all AC before the RCP seals might f ail) was conservative (Fitzpatrick, fol. Tr. 624, pp.17-18).

However, Mr. Fitzpatrick pointed out that "the staff was unwilling to attempt to extrapolate from the applicant's analysis" with-out receiving the results of a direct test of the RCP seals (id. at p. 18).

For this reason, th 3 staff is requiring the applicant to test a reactor coolant pump seal assembly to demonstrate its sealing capability during periods of station 87/

blackout conditions.--

The staff concluded that "[il f the 87/

Fitzpatrick, fol Tr. 624, pp. 20-21; Siegel, fol. Tr. 624, pp. 2-3; letter from Baer to Uhrig dated September 17, 1979, fol. Tr. 624 (directing the applicant to test an RCP seal and to include the test results in the Final Saf ety Analysis Report for Unit 2).

. m

m

- 51 leak rates through the [RCP] seals can be shown to provide at least four hours before sufficient (coolant) inventory is lost to stop natural circulation, the probability of losing 88/

natural circulation is less than 10" per year" (id...at p.,20).

The staff's assessment that the integrity of the reactor coolant pump. seals must be tested and confirmed prior to operation is just one illustration of the fact that there has not yet been a thorough analysis of the loss of E1/

all AC power transient.

Throughout the hearing, we raised a number of questions relating to certain design details involving component and system performance during 88/

This would occur when the water level falls below the primary coolant outlet pipes, which are above the level of the reactor core (see PSAR, Figure 4.1-1).

Thus, loss of natural circulation would precede uncovering of the core through leakage of coolant.

89/

We have received a preliminary notification (PNO-II-80-104 dated' June 11, 1980) and the related circular from the NRC Office of Inspection and Enforcement (IE Circular No.

80-15 dated June 20, 1980) both of which deal with an event involving an. accidental loss of RCP cooling and subsequent natural circulation cooldown which occurred at St. Lucie Unit 1 on June 11, 1980.

The circular reveals that following a sequence of events in which the component cooling water to the RCP seal heat exchangers was lost for about 1.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months (7 minutes of which was at power with the RCPs running), removal and visual exami-nation of the seals showed no signs of degradation.

The-seals have evidently been replaced.

Although this event was quite severe, it does not appear to us to have any immediate, direct bearing on the staff's position (which we accept) regarding the need for confirmatory testing of seal leak rates under severe conditions for extended time periods.

d

.+

++

gg

%N 1

+

IMAGE EVALUATION O

g

/

' 1 "*

db

',~ e

' N

TEST TARGET (MT-3)

/

w //

~

a&,

& x':

. hfo

\\

g,h4 "'

Ihy, Sk qq%'Y

< 4 lf 9

qp 1.0 J 22 u

2s l,l lnes jl i.s I.25 1.4 in 1.6

==

lll==

--- 15 0 m m 4-

.------6

f r

,s)

4.,Ao.

b),4 N

4/f c'

e o)777p g;p

' x

,.4 1

O&

A(g f, ' &

/j/j \\

o'@.

N%

%4 A

g it, 4 #

IMAGE EVAL.U ATION TEST TARGET (MT-3)

/;'jP eg,

\\/g i'

'i;9I#

$7[O 45Q 4

\\\\

ste

,.o s, m u I ",2 j$2.2 c_

Mrs 1

=-- 2 lpV=s 1.25 1.4 1.6

=

4.__. _. - - -

150mm d-6"

/4% pf'\\'\\

4}ph//

4+p;uf/g;

&p 0

d$

e x

m 3

w i v,p/;,,,,a

<p,g<w s

y %;,

o (c*

ll y

m 25 Aw.:

2

A

/ (g

+ A e

(-

,$ q, Af3 fls[% $,

4 IMAGE EVALUATION v

\\'

~h9' TEST TARGET (MT-3) e

/

${gff" g

/

g sk 4

1.0

'N *

" md M

{

,y hle=Sh=

l,l m

qLts

=e

'l.25 1.4

'lm.6 l

-=

_=

150mm 4------

4.__.._._._

6" es

I)!$'

N N)5'-

4' s &:,

, h y

.gm/)o\\o\\

a o,y 3-

s. o

'[

f g kt

hak

'4f

[h Op//

//

t ge

?

1]

t

.. that postulatec sequence of events, only to learn that further study is naeded.

For example, if the letdown line from the primary coolant is not automatically closed 90/

upon loss of al.'. AC power,- continued letdown flow would result in water loss because its return is contingent on operation of the charging pump.

Staff witness Mr. Baer agreed that without such an automatic closing the situation would be equivalent to a seal leakage.

Neither he nor the applicant's witness, Mr. Flugger, was able to state with 91/

certainty what would happen at St. Lucie Unit 2.--

Similarly, the parties were unsure of what effect shrinkage of the primary coolant water volume might have on their assessment of the 92/

time available to restore AC power.

Other examples 93/

involve the availability of instrumentation, lighting,--

and the source of power for the pressurizer power operated

--90/ Primary coolant is "let down" to the CICS to provide a path for purification and chemical and volume control.

__/ Tr. 586-87, 835.

91 92/ Tr. 894-500, 818-22.

Loss of liquid volume through a decrea:e in temperature caused, for-example, by excess cooling due to steam loss through open valves, is usually referred to as " shrinkage. "

93/ Tr. 488, 506, 766-68.

~. - -..

94/

relief valve.-

The parties were able to provide only partial answers to the questions in response to our probing.

The record discloses to us that St. Lucie Unit 2 as it is now designed includes most, if not all, of the systems and equipment required to maintain the plant in a safe con-figuration for the first few hours of a station blackout.

The steam-driven auxiliary feedwater pump and the feedwater train independent of AC power are the crucial items in this respect.

Nevertheless, a number of significant questions about specific aspects of the plant's behavior during a station blackout remain unanswered.

A thorough under-standing of this event (and its aftermath) is of obvious importance to the safe operation of a nuclear facility.. We therefore find that a detailed analysis of the plant's per-formance during a station blackout must be undertaken.

This would identify whether any new or revised systems are required to accommodate such a transient.

It would also furnish the basis for operator training and emergency procedures to bring the plant safely through it.

A g/

Tr. 502-503.

95/

This should come as no surprise.

As Mr. Flugger acknowl-edged (Tr. 514), station blackout was not a design basis event for St. Lucie Unit 2.

Many of the questions posed to the witnesses concerning this event were therefore being addressed for the first time.

e

e.

C.

Time Recuired to Restore AC Power As we have seen, following a station blackout there is a certain period of time available within which AC power may be restored before the plant presents a risk to the public health and safety.

The applicant provided an analysis in which it calculated the probability that some - g/

source of AC power will not be restored within a given time.

That analysis employed a probabilistic equation using numerical constants derived from the applicant's historical operating data.

The applicant's witness, Mr. Flugger, designated as P(T) the probability that AC power would not be restored by time T, as measured from the onset of a station blackout.

He then solved for P(T), combining the probability of having a loss of all AC power during any one year with the probability of not restoring AC power by time T.

Mr. Flugger's equation for P (T) consisted of six presumably independent probability terms:

P ( A), that offsite power is lost; P (B ), that the first diesel generator fails to start; P (C), that the second diesel

_9J/

Flugger, fol. Tr. 483, pp. 10-12.

y

= _

i

. 1 also fails to start; P (D), that offsite power is not repaired and returned to service by time T; P(E), that the first diesel is not repaired and returned to service by time T; and P (F),

that the second diesel is not repaired and returned to service by time T.

Thus the applicant's equation was as follows:

P(T) = P (A).P (B) P (C) P(D).P (E). P (F).

The information required to evaluate the first three terms has been discussed earlier, As did we, the applicant estimated the probability of loss of offsite power to be in 1

the range of 0.1 to 1.0 per year; hence, Mr. Flugger per-formed his calculations utilizing both those values.

He l

l l

assumed statistical independence for the failure of both i

employing a probability of 10-2 for the i

diesel generators, failure of each to start on demand (yielding a probability of 10-4 for their simultaneous failure).

For the three terms i

i involving restoration of AC power, Mr. Flugger used an expc-l nential f ormulation derived under the assumption that the probability of repair is proportional to the length of time 97f elapsed since failure.

The constants of proportionality

~-

(time constants) required for those three terms he derived o-/

Id. at 10-11.

i j-t from the applicant's historical data on the time required to restore offsite power or to return diesel generators to service.

Assuming a frequency of 0.1 per year for_ loss of offsite power, the probability of having a complete loss of AC power that lasts as long as 2.4 hours4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months is 10-7 per year; substituting a frequency of 1.0 per year for the loss of i

offsite power, a corresponding value for P(T) of 10-7 per year is 3. 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months .

These results form the basis for the applicant's ano staff's conclusion that the probability of having a station blackout longer than four hours is acceptably low (i.e., less 7

~

than 10 per year).

They obviously depend upon the indivi-dual values chosen for the time required to restore AC power.

We therefore review the evidentiary basis for those values.

1.

Restoration of Offsite AC Power.

Based on operating data for the Florida Power & Light system from 1972 to the-time of the evidentiary hearing, the applicant identified four major system disturbances that resulted in twenty-two instances of loss of offsite power to its nuclear or fossil-fueled power 23'The times required to restore offsite power ranged plants.

n/

g. at p. 12.

jty Armand et al., fol. Tr. 45, p. 13 fn. 16, and Attachment 8; Flugger, fol. Tr. 483, p. 22.

j

from less than one minute to 77 minutes, with a mean res-toration time of some 26 minutes.

The applicant utilired a time constant of 1.6 hr.-l in assessing the probability that off site power would not be repaired and returned to service -

107 by a certain time.

This constant represents an average

-~

duration of 37 minutes for loss of all AC power and yields a 99.5 percent statistical confidence that the mean restoration time would not be greater than 37 minutes.

The applicant chose this value as a more conservative estimate than the actual average duration of 26 minutes (with a corresponding time 101/

constant of 2.3 hr.-1) for loss of offsite power 7 ~

In performing its statistical analysis, the applicant emitted data for an event involving its Turkey Point nuclear 102/In April of 1979, the failure of seven transmission plant.

circuits isolated that plant from the rest of the applicant's Because a system for a period of seme six or seven hours.

fossil-fueled plant at the Turkey Point site continued to provide an independent source of electric power to the nuclear concluded that the incident did not properly plant, the applicant i

100/ Flugger, fol Tr. 483, pp. 10-11.

101/

Armand et al.,

fol. Tr. 45, p. 13, fn 16; Fitzpatrick, fol. Tr. 624, p. 16.

10W Tr. 113-14, 580-82.

ML20038A420

Text

Attachment:

.a::

Navigation menu

Search