ML20112H532
| ML20112H532 | |
|---|---|
| Site: | Diablo Canyon |
| Issue date: | 05/12/2020 |
| From: | Christopher Hunter NRC/RES/DRA/PRB |
| Contact: | Hunter C (301) 415-1394 |
| References: | LER 275-00-004-01 |
SENSITIVE - NOT FOR PUBLIC DISCLOSURE LER No. 275/00-004 1
Final Precursor Analysis
Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research
Diablo Canyon Unit 1
Extended loss of offsite power to safety-related buses due to 12-kV bus fault
Event Date: 05/15/2000
LER: 275/00-004-01
CCDP = 4 x 10⁻⁴
April 28, 2003
Event Summary
On May 15, 2000, at 0025 PDT, Diablo Canyon Unit 1 was operating at 100% power when the unit tripped (Ref. 1). The unit tripped because of an electrical phase-to-phase fault on the 12-kV non-segregated phase bus between the Unit Auxiliary Transformer (UAT) 1-1 and 12-kV Bus D and Bus E (see Figure 1). The fault was immediately sensed by phase differential protective relays which initiated a reactor trip.
Even though the unit tripped immediately, it took several seconds for the voltage to decay from the main generator. Consequently, electrical current from the generator continued to feed the fault, resulting in electrical arcing and catastrophic damage to the faulted bus bar and duct.
The electrical arcing damaged an adjacent 4-kV startup bus duct that feeds 4160-V Buses D, H, G, and F from Startup Transformer (SUT) 1-2. The damage to the 4-kV bus induced arcing in the 4-kV bus duct, resulting in a differential trip of SUT 1-2.
When Unit 1 tripped, the 4-kV buses lost their normal power supply via the UAT. When SUT 1-2 tripped, the 4-kV buses lost their startup supply. The loss of both power supplies to safety-related Buses F, G, and H caused the emergency diesel generators (EDGs) to start. Vital loads on 4-kV buses F, G, and H automatically sequenced onto their associated EDGs.
Startup Transformer 1-1 remained energized, supplying power to non-vital 12-kV loads consisting of the 4 reactor coolant pumps and one circulating water pump. The faults left non-vital 4-kV Buses D and E de-energized. Consequently, recognizing that the loss of non-vital 4-kV buses resulted in a loss of cooling to the running circulating water pump, the operators secured the pump before it overheated.
The onsite fire brigade entered the room and extinguished the fire with a CO2 extinguisher within minutes. During the event response, an engineer performed augmented monitoring of the EDGs. On May 16, at 0959 PDT (approximately 33 hours after the unit trip), the licensee restored offsite power to vital and non-vital loads, and secured the EDGs.
Cause. The cause of the bus failure could not be conclusively determined because of the absence of evidence. The failed bus connection had vaporized. Several feet of conductor had burned or melted away. The licensee postulated that the immediate cause was a thermal failure of the bolted connection of the center conductor of the 12-kV bus bar.
Recovery opportunity. As a result of this event, the vital and non-vital 4-kV buses were powered from the EDGs for approximately 33 hours. However, the NRC inspection team that reviewed this event determined that offsite power could have been recovered within 6.5 to 8 hours (Ref. 2).
Analysis Results
Conditional core damage probability (CCDP). The CCDP for this reactor trip with an extended loss of offsite power to the vital 4-kV buses is 4.2 x 10⁻⁴.
In the Accident Sequence Precursor Program, precursors with CCDP greater than or equal to 1.0 x 10⁻⁴ are considered as important precursors.
Dominant sequence. Figures 1A and 1B show the dominant core damage sequence for this event, Station Blackout Sequence 19-09. This sequence includes the following:
- Reactor trips successfully during LOOP;
- Failure of all emergency AC power (all three EDGs);
- Sufficient flow from auxiliary feedwater (AFW) system;
- RCP seals fail during LOOP;
- Operator fails to recover offsite power (seal LOCA).
Results tables.
Table 1 provides the conditional probability for the dominant sequences.
Table 2a provides the event tree sequence logic for the dominant sequences.
Table 2b defines the nomenclature used in Table 2a.
Table 3 provides the conditional cut sets for the dominant sequences.
Table 4 provides the definitions and probabilities for the modified and dominant basic events.
Modeling Assumptions
Assessment Summary: This event was modeled as an initiating event assessment using Revision 3 of the Diablo Canyon Standardized Plant Analysis Risk (SPAR) Model (Ref. 3).
The discussion below provides the bases for significant changes.
Basic event probability changes: Table 4 provides the basic events which were modified to reflect the event condition being analyzed. The bases for these changes are as follows:
Operator fails to recover offsite power before battery depletion (ACP-XHE-NOREC-BD). This value was set to 5.0E-02.
Operator fails to recover offsite power in short term (ACP-XHE-NOREC-ST). This value was set to TRUE.
Diesel Generator fails to run in long term - 24 hours (EPS-DGN-FR-FTRL). This value was set to FALSE.
Diesel Generator fails to run in medium term - 16 hours (EPS-DGN-FR-FTRM). This value was set to FALSE.
Operator fails to recover offsite power within 2 hours (OEP-XHE-NOREC-2H). This value was set to TRUE.
Operator fails to recover offsite power within 6 hours (OEP-XHE-NOREC-6H). This value was set to 9.5E-01.
Footnote 1: This failure probability (OEP-XHE-NOREC-6H) had no impact on the CCDP.
Operator fails to recover offsite power (seal LOCA) (OEP-XHE-NOREC-SL). This value was set to TRUE.
PORVs open during LOOP (PPR-SRV-CO-L). This value was set to 4.0E-02.
PORVs open during station blackout (PPR-SRV-CO-SBO). This value was set to 4.0E-02.
RCP seals fail without cooling and injection (RCP-MDP-LK-SEALS). This value was set to 2.2E-01.
Loss of Offsite Power Initiating Event (IE-LOOP). This value is set to 1.00.
All other initiating events are set to 0.00.
Non-recovery probabilities for offsite power: During the event, because of the damage to the bus bars, offsite power was unavailable to the emergency buses for 33 hours. However, based on the NRC inspection report (Ref. 2), and discussions with NRC inspectors (Ref. 4), the operators could have recovered offsite power to the buses within approximately 8 hours (approximately 95% likelihood). Based on discussions with NRC inspectors, there was some likelihood (about 5% likelihood) of recovering power 5 hours after the event.
Therefore, the probability of non-recovery of offsite power within 6 hours (basic event OEP-XHE-NOREC-6H) was assigned a probability of 0.95 (see footnote 1). The probabilities of non-recovery of offsite power within 2 hours and in the short-term (within 2 hours) were assigned a probability of 1.0/TRUE (basic events OEP-XHE-NOREC-2H, OEP-XHE-NOREC-ST, and OEP-XHE-NOREC-SL).
Probability that PORVs open during LOOP and SBO. The analysis recognized that the probability of challenging PORVs/SRVs was less than expected during a loss of offsite power or station blackout event. Therefore the probabilities were reduced to 0.04 (PPR-SRV-CO-L and PPR-SRV-CO-SBO). Since the transient following LOOP introduced the need for the operator to intervene and control RCS pressure, there was some likelihood of a challenge to a PORV.
Probability of failing RCP seals when seal cooling is lost - In accordance with guidance provided in Reference 5, the Rhodes Model (described in Ref. 6) was used to estimate the probability of failure of the reactor coolant pump (RCP) seals. The RCPs at Diablo Canyon Unit 1 have improved Westinghouse seal assemblies. Based on the Rhodes Model, the probability of failing the RCP seals with improved Westinghouse seal assemblies (basic event RCP-MDP-LK-SEALS) is 0.22.
Probability of battery depletion before recovery of offsite power - Based on information provided in calculations prepared by Pacific Gas and Electric Company (PGE), the battery depletion time for Unit 1 is at least 8 hours (see footnote 2). Based on the NRC inspection report (Ref. 2), and discussions with NRC inspectors (Ref. 4), the operators could have recovered offsite power to the buses within approximately 8 hours (approximately 95% likelihood). Therefore, the probability of non-recovery of offsite power within 8 hours (basic event OEP-XHE-NOREC-BD) is 0.05 (i.e., 5% likelihood that offsite power will not be recovered within 8 hours).
Footnote 2: According to the licensee (S. Weerakkody, U.S. NRC, private communication with A. Afzali, Pacific Gas and Electric, December 6, 2000), PGE Engineering Calculation 369-DC, Revision 0, batteries 11, 13 (Unit 1 batteries for F and H vital buses, respectively) will supply adequate voltage to operate required devices under station blackout case for 8 hours (i.e., no aid from battery chargers is credited). Battery 12 will do the same for 7 hours. The PRA model credits 7 hours for the batteries. In consideration of the following two conservatisms, 8 hours was chosen as the battery depletion time for all batteries. The following two conservatisms are associated with the battery depletion time: Calculation 369-DC assumes a battery condition near the end of life (i.e., just before the need for battery replacement) and the battery depletion time calculation does not credit any load shedding. EOP ECA-0.0, "Loss of All Vital AC Power," Step 14, provides instructions to facilitate load shedding.
References
- 1. LER 275/00-004-01, Unit 1 Unusual Event Due to a 12 kV Bus Fault, August 30, 2000.
- 2. U.S. Nuclear Regulatory Commission Inspection Report Nos. 50-275-00-09; 50-323-00-09, July 31, 2000.
- 3. Idaho National Engineering and Environmental Laboratory, Standardized Plant Analysis Risk (SPAR) Model for Diablo Canyon Units 1 and 2, Revision 3.01, March 28, 2002.
- 4. Personal communications between W. Jones (U.S. NRC, Region II) and S. Weerakkody (U.S. NRC, Office of Nuclear Regulatory Research), January 11, 2001.
- 5. Memorandum from Ashok C. Thadani to William D. Travers, Closeout of Generic Safety Issue 23: Reactor Coolant Pump Seal Failure, U.S. Nuclear Regulatory Commission, November 8, 1999.
Table 1. Conditional probabilities associated with the highest probability sequences.

| Event tree name | Sequence no. | Conditional core damage probability (CCDP) | Percent contribution |
|---|---|---|---|
| LOOP | 19-09 | 2.6E-004 | 61.9 |
| LOOP | 19-22 | 7.1E-005 | 16.9 |
| LOOP | 19-02 | 4.6E-005 | 11.0 |
| Total (all sequences)(1) | | 4.2E-004 | 100 |

- 1. Total CCDP includes all sequences (including those not shown in this table).
Table 2a. Event tree sequence logic for dominant sequence.

| Event tree name | Sequence no. | Logic (/ denotes success; see Table 2b for top event names) |
|---|---|---|
| LOOP | 19-09 | /RT-L EP /AFW /PORV-SBO SEALLOCA OP-SL |

Table 2b. Definitions of top events listed in Table 2a.

| Top event | Definition |
|---|---|
| AFW | No or insufficient auxiliary feedwater flow during loss of offsite power |
| EP | Failure of all trains of emergency power |
| OP-SL | Operator fails to recover offsite power (seal LOCA) |
| PORV-SBO | PORVs/SRVs open during SBO |
| RT-L | Reactor fails to trip during loss of offsite power |
| SEALLOCA | RCP seals fail during LOOP |

Table 3. Conditional cut sets for the dominant sequence. (See Table 4 for definitions and probabilities for the basic events.)

| CCDP | Percent contribution | Minimum cut sets (of basic events) |
|---|---|---|
| Event Tree: LOOP, Sequence 19-09 | | |
| 2.0E-004 | 76.6 | EPS-DGN-CF-ALL, RCS-MDP-LK-SEALS, /PPR-SRV-CO-SBO |
| 2.6E-004 | | (LOOP, Sequence 19-09 cutsets total) |
| 4.2E-004 | | Total (1) |

- 1. Total CCDP includes all cutsets (including those not shown in this table).
Table 4. Definitions and probabilities for selected basic events.

| Event Name | Description | Probability | Modified |
|---|---|---|---|
| ACP-XHE-NOREC-BD | OPERATOR FAILS TO RECOVER OFFSITE POWER BEFORE BATTERY DEPLETION | 5.0E-002 | Yes (1) |
| ACP-XHE-NOREC-ST | OPERATOR FAILS TO RECOVER OFFSITE POWER IN SHORT TERM | TRUE | Yes (2) |
| EPS-DGN-FR-FTRL | DIESEL GENERATOR FAILS TO RUN - 24 HOURS | FALSE | Yes (2) |
| EPS-DGN-FR-FTRM | DIESEL GENERATOR FAILS TO RUN - 16 HOURS | FALSE | Yes (2) |
| IE-LOOP | LOSS OF OFFSITE POWER INITIATING EVENT | 1.0E+000 | Yes (3) |
| IE-LD11 | LOSS OF DC POWER BUS 11 INITIATING EVENT | 0.0E+000 | Yes (3) |
| IE-LLOCA | LARGE LOSS OF COOLANT ACCIDENT INITIATING EVENT | 0.0E+000 | Yes (3) |
| IE-MLOCA | MEDIUM LOSS OF COOLANT ACCIDENT INIT. EVENT | 0.0E+000 | Yes (3) |
| IE-RHR-DIS-V | RHR DISCHARGE ISLOCA OCCURS INITIATING EVENT | 0.0E+000 | Yes (3) |
| IE-RHR-HL-V | RHR HOT LEG ISLOCA OCCURS INITIATING EVENT | 0.0E+000 | Yes (3) |
| IE-RHR-SUC-V | RHR SUCTION ISLOCA OCCURS INITIATING EVENT | 0.0E+000 | Yes (3) |
| IE-SI-CLDIS-V | SI COLD LEG ISLOCA INITIATING EVENT | 0.0E+000 | Yes (3) |
| IE-SI-HLDIS-V | SI HOT LEG ISLOCA INITIATING EVENT | 0.0E+000 | Yes (3) |
| IE-SGTR | STEAM GENERATOR TUBE RUPTURE INIT. EVENT | 0.0E+000 | Yes (3) |
| IE-SLOCA | SMALL LOSS OF COOLANT ACCIDENT INITIATING EVENT | 0.0E+000 | Yes (3) |
| IE-TRANS | TRANSIENT INITIATING EVENT | 0.0E+000 | Yes (3) |
| OEP-XHE-NOREC-2H | OPERATOR FAILS TO RECOVER OFFSITE POWER WITHIN TWO HOURS | TRUE | Yes (2) |
| OEP-XHE-NOREC-6H | OPERATOR FAILS TO RECOVER OFFSITE POWER WITHIN SIX HOURS | 9.5E-001 | Yes (1) |
| OEP-XHE-NOREC-SL | OPERATOR FAILS TO RECOVER OFFSITE POWER BEFORE REACTOR COOLANT PUMP SEAL LOCA | TRUE | Yes (2) |
| PPR-SRV-CO-L | PORVs/SRVs OPEN DURING LOOP | 4.0E-002 | Yes (1) |
| PPR-SRV-CO-SBO | PORVs/SRVs OPEN DURING SBO | 4.0E-002 | Yes (1) |
| RCS-MDP-LK-SEALS | RCP SEALS FAIL W/O COOLING AND INJECTION | 2.2E-001 | Yes (1) |
| EPS-DGN-CF-ALL | COMMON CAUSE FAILURE OF DIESEL GENERATORS | 9.5E-004 | No |

NOTES:
- 1. Model update. See text Assumptions for basis.
- 2. Model update for TRUE or FALSE, as applicable to reflect event.
- 3. Initiating Events not affected by this IE-LOOP initiating event analysis were set to 0.
[Figure 1A. LOOP Sequence 19-22 (event tree; image not reproduced). Top events: IE-LOOP (loss of offsite power), RT-L (reactor trip), EP (emergency power), AFW (auxiliary feedwater system), PORV-L (no PORVs open), PORV-RES (PORVs close), BLEED (bleed portion of F&B cooling), HPI (high pressure injection), OP-2H (offsite power rec in 2 hrs), OP-6H (offsite power rec in 6 hrs), SGCOOL (secondary cooling recovered), COOLDOWN (RCS cooldown), RHR (residual heat removal), HPR (high pressure recirculation). End states by sequence: 1 OK, 2 OK, 3 OK, 4 OK, 5 CD, 6 OK, 7 CD, 8 OK, 9 CD, 10 CD, 11 OK, 12 OK, 13 CD, 14 OK, 15 OK, 16 CD, 17 CD, 18 CD, 19 T SBO, 20 CD.]
[Figure 1B. LOOP 19-09 (event tree; image not reproduced). Top events: EP (failure of emergency power), AFW (auxiliary feedwater system), PORV-SBO (no PORVs open), PORV-RES (PORVs close), ACP-ST (short term offsite power recovery), SEALLOCA (no RCP seal LOCA), OP-SL (offsite power rec during seal LOCA), ACP-BD (AC power recovery before bat depl), HPI (high pressure injection), COOLDOWN (RCS cooldown), RHR (residual heat removal), HPR (high pressure recirc). End states by sequence: 1 OK, 2 CD, 3 OK, 4 OK, 5 CD, 6 OK, 7 CD, 8 CD, 9 CD, 10 OK, 11 CD, 12 OK, 13 OK, 14 CD, 15 OK, 16 CD, 17 CD, 18 CD, 19 OK, 20 CD, 21 OK, 22 CD.]
RESOLUTION OF LICENSEE COMMENTS TO PRELIMINARY PRECURSOR ANALYSIS - DIABLO CANYON UNIT 1 LER 275/00004-1, 05/05/2000, EXTENDED LOSS OF OFFSITE POWER TO SAFETY-RELATED BUSES DUE TO 12kV BUS FAULT
General Response:
In the resolution of the licensee's comments, specifically listed below, the final analysis (attached) was done using the latest, validated Rev. 3 SPAR model. The results of the preliminary analysis (3.1 x 10⁻⁴) using the Rev. 2QA SPAR model (the basis for the licensee comments below) were similar to those obtained using the later Rev. 3 (4.2 x 10⁻⁴).
Licensee's Comment #1:
During the initial phase of the plant response, the condenser was available and RCS pressure decreased immediately. Operators took steps necessary to transfer the pressurizer heaters to their backup vital power supply. This action was taken to prevent further depressurization of the RCS. This is important because the action shows that the power-operated relief valves (PORVs) could not have been challenged due to RCS over pressurization.
Response
The preliminary ASP analysis recognized that the probability of challenging the PORVs/SRVs was less than that expected during a typical loss of offsite power or station blackout event.
Therefore, it reduced the probability for the pressurizer PORVs/SRVs open (basic events PPR-SRV-CO-L, PPR-SRV-CO-SBO) event from 0.37 to 0.04. Since the transient introduced the need for the operator to intervene and control RCS pressure, there was some likelihood of a challenge on a PORV. Consequently, reducing this probability from 0.04 to zero is not appropriate. These base events were analyzed with the 0.04 value in the final ASP analysis using the Rev. 3 SPAR model. A sensitivity analysis with these base events set to zero resulted in no significant change to the risk.
Licensee's Comment #2:
The addition of a maintenance out-of-service (OOS) contribution to the total random failure probability is not appropriate since none of the EDGs were OOS when the event occurred. If there had been an OOS EDG, the impact should have been calculated by failing the EDG for CCDP calculation.
Response
Even though the EDGs were not out-of-service during the event, there was a finite random probability that one diesel could have been out-of-service. Therefore, to be consistent with the standard ASP methods, the SPAR model assigned random failure probability to the EDG out-of-service event.
Licensee's Comment #3:
If the maintenance OOS contribution must be included, the ASP analysis approach is incorrect since only one EDG could have been OOS at the time of the event. Thus, the contribution of maintenance is overly conservative due to the inclusion of disallowed maintenance combinations.
Response
The SPAR Rev. 2QA model did not eliminate cutsets which have more than one basic event representing maintenance out-of-service events. This was acceptable due to the negligible impact of these mutually exclusive cutsets on the CCDP. Use of the Rev. 3 SPAR model showed no EDG maintenance out of service applicability to the dominant sequence cutsets.
When running the up-to-date version of SAPHIRE, these models do not allow mutually exclusive events to show up in the cutsets.
Licensee's Comment #4:
The ASP analysis uses 24 hours (severe weather mission time) as the EDG mission time for calculating the EDG failure probability. This is unrealistic on the basis that even though during the actual event the EDG ran for 33 hours, it has been established that offsite power could have been restored within 6.5 to 8 hours. Additionally, offsite power was not lost; only the capability to supply offsite power to emergency buses was lost.
Once this capability was reestablished, offsite power recovery was possible. Therefore, 8 hours should be used as the EDG mission time.
Response
Based on our discussions with the RGN-IV, it was highly likely (about 95%) that offsite power could have been recovered within eight hours. There was a small probability that power would not have been recovered. Since that probability is small (about 5% at eight hours and decreasing with time), we changed the mission time for the EDGs from 24 hours to eight hours.
In the Rev. 3 SPAR model, the comment's concern is addressed by setting the EDG medium term (16 hours) and long term failure to run (24 hours) as FALSE.
Licensee's Comment #5:
The NUREG/CR-5500 failure probabilities for DCPP are estimated based on failure events that are reported in accordance with requirements in Regulatory Guide 1.108. This RG requires reporting of EDG operational anomalies that are not considered failures in a typical PRA model, especially for an SBO scenario. For example, the majority of reported DCPP EDG failures that occurred within the first hour of operation are due to failure of the EDGs to achieve stable voltage within 13 seconds of the start signal.
These failures are not applicable to an SBO scenario.
Response
We agree with the comment. However, note that NUREG/CR-5500's unreliability calculations have already distinguished between inoperability and loss of functionality.
Table B-4 of NUREG/CR-5500 identified four failures for Diablo Canyon 1 and three failures for Diablo Canyon 2. However, we screened these failures to determine whether they are applicable to loss of offsite power sequences. Therefore, as Table B-5 of NUREG/CR-5500 indicates we used only one failure from Diablo Canyon 1 and one failure from Diablo Canyon 2 to estimate EDG unreliabilities. The other five failures were screened out. In the final analysis, the revision 3 SPAR model used validated generic data for EDG failure probabilities, consistent with ASP analysis guidance.
Licensee's Comment #6:
NUREG/CR-5500 reports a significantly higher probability for Unit 1 EDGs during the first hour than for the Unit 2 EDGs. However, all six of the EDGs at DCPP are the same, and therefore vulnerable to the same failure mechanisms (hardware, maintenance and test procedures). Note that the NUREG reports very similar failure probabilities for the failure fail to start and the fail to run after the first hour failure modes. Thus, consistent with the DCPP PRA model, it is more realistic to combine EDG failure events for both units and calculate a single set of failure probability values for both the Unit 1 and Unit 2 EDGs.
Table 1 of this letter provides the EDG failure probability estimates used in the ASP analysis and the DCPP PRA model. The DCPP PRA estimates are plant-specific and cover events up to 1997. It is recommended that the DCPP PRA model values be used in the ASP analysis.
Response
NUREG/CR-5500 (Vol. 5) is based on industry operating experience data from 1987-1993. You proposed that we use plant-specific data which are more recent. We agreed to use the failure probabilities which you provided because:
- Your data is based on experience up to 1997;
- Based on our telephone discussion with you on August 24, 2001 and the additional information provided to us via E-mail dated August 31, 2001, we determined that your data collection and analysis methods are consistent with those which were used in NUREG/CR-5500; and
- Based on our discussion with you on August 24, 1997 we determined that you have enough data to generate accurate plant-specific estimates.
Your proposed values are in general agreement with the recent data collected by NRC as reflected in the revised draft diesel failure rates.
In the final analysis, the Rev. 3 SPAR model used validated EDG probability data (see response to #5 above).
Licensee's Comment #7:
The ASP analysis uses the CCF factors provided in NUREG/CR-5497. These factors are generic or average estimates and are conservative. The NUREG/CR-5497 factors are calculated based on the NUREG/CR-6268 data. The generic CCF factors do not take into account plant-specific features or attributes that would reduce the CCF failure probability of a particular plant. For example, the DCPP EDGs are air-cooled and are therefore not susceptible to service water-cooling system failures. Since a review of NUREG/CR-6268 data indicates that some of the EDG common cause failures are due to cooling water system failures, these CCFs are too conservative for the DCPP EDGs.
The DCPP CCF factors were calculated using the approach and data provided in NUREG/CR-6268 and are updated using plant-specific information. The CCF events are tailored to DCPP by taking into account plant-specific design features and current data.
This is recognized by NUREG/CR-6268 to be the preferred approach for CCF analysis.
Response
We agree that before calculating CCF factors the analysis should take into account the plant specific features such as lack of service water cooling at DCPP's diesels.
Therefore, for the fail-to-run failure mode, we eliminated the CCF events related to service-water related failures. As a result, the CCF Alpha factor changed from 2.11E-02 to 1.74E-02.
According to your letter, DCPP PRA uses an Alpha CCF factor of 1.76E-02.
For the fail-to-start failure mode, there were no service water related events. We examined the list of CCF events which you had deleted (Ref. 4) and deleted two events from the database, since they were not applicable to Diablo Canyon 1. Consequently, the Alpha CCF factor changed from 1.66E-02 to 1.51E-02. You had recommended that we delete a large number of other CCF events. However, we did not delete them due to one of the following reasons:
- Even though some components such as output breakers and the sequencers are modeled outside the diesel generator boundary in the Diablo Canyon's PRA, they are included within the diesel component boundary in the SPAR models.
- Even though there are some subjectivities involved when events are coded, they are coded using a consistent set of guidelines documented in Section 3 of NUREG/CR-6268 (Vol. 3).
- In accordance with the guidance we use, when a CCF issue is discovered at a site with two units, two (rather than one) events are entered into the database.
In the final analysis, the revision 3 SPAR model was used where CCF data was the latest data.
Section 5 of the SPAR model (Ref. 5) describes the alpha factor method and Attachment E shows the calculation parameters. The common cause failure probability (SPAR Model Rev. 3) is approximately 30% lower than that used in the preliminary ASP analysis (SPAR Model Rev. 2QA).
Licensee's Comment #8:
Using generic consideration of plant response, the Westinghouse Model estimates core uncovery in 4 hours following an SBO-induced RCP seal LOCA event without RCS cooling. However, it is recognized by the NRC Staff that the contribution of RCP seal failure to core damage frequency is very plant-specific. Therefore, to perform a realistic analysis, it is more appropriate to use plant-specific information with respect to the core uncovery times.
The DCPP PRA model uses plant-specific Modular Accident Analysis Program (MAAP) runs, taking into account plant-specific emergency operating procedures (EOPs), to calculate core uncovery time. The DCPP MAAP model is realistic as compared to the conservative Westinghouse generic core uncovery analysis. A major difference between this generic model and the DCPP specific model is the injection of the accumulators.
The generic model assumes the RCS would be depressurized to approximately 600 psig, which prevents injection of the accumulators. The DCPP model, consistent with EOPs, credits depressurization to approximately 300 psig, which allows for the injection of inventory from all four accumulators. As a result, the DCPP MAAP runs indicate that, with RCS depressurization, the time to core uncovery is approximately 15 hours.
Response
We reviewed the Westinghouse analysis documented in Revision 2 to WOG-10541.
Specifically, we investigated whether Westinghouse's analysis credited the inventory in the accumulators in their calculations on time to core uncovery. Westinghouse had credited the discharging of the inventory of accumulators when they estimated the core uncovery time of approximately four hours. Therefore, the basis you have provided is not adequate to use an uncovery time of 15 hours for Diablo Canyon. The final analysis used the Rev. 3 SPAR model with the base event Operator Fails to Recover Offsite Power (Seal LOCA) set to TRUE, since the offsite power was unavailable for 6.5 to 8 hours (was FALSE in preliminary analysis).
Therefore, the dominant sequence cutset includes Seal LOCA.
Licensee Comment #9:
The ASP analysis asserts that for a stuck open PORV following a loss of power scenario, high-pressure recirculation via the low-pressure injection pumps (piggy-back mode) must be recovered within 5 hours to prevent core damage. The ASP analysis states that this assertion is based on the DCPP IPE Study. This assertion is unrealistic and inconsistent with the current DCPP PRA model, which is an updated model, based on the following:
The DCPP PRA model takes credit for refilling the refueling water storage tank (RWST).
Response
As described in our letter which requested your comments, additional systems, equipment, or specific recovery actions may be considered for incorporation into the analysis if documentation showing the viability and effectiveness of the equipment and methods such as procedures, results of thermal-hydraulic analyses, and operator training are provided.
Since we do not have the above information, refilling of the RWST could not be credited.
The 5-hour time window is the earliest that the switchover to high-pressure recirculation could occur and corresponds to the time when RWST has approximately 30 percent inventory remaining. In calculating this 5-hour time window, the DCPP IPE analysis does not account for the remaining RWST inventory nor any other inventory.
Therefore, the time window is unrealistically short for the scenario under consideration.
Response
Without an analysis that shows the capability to successfully transfer to piggy-back cooling mode, the remaining RWST inventory cannot be credited.
Although a stuck open PORV event is normally treated similar to a small LOCA event, in reality the impact on the RCS is different. In the case of a stuck open PORV-induced LOCA, steam (as opposed to water) is released from the RCS. As a result, the RCS inventory mass loss rate for a stuck open PORV event is significantly less than that for a small LOCA event. Based on DCPP-specific analysis, the time to core uncovery for a stuck open PORV-induced LOCA, with no emergency core cooling system (ECCS) injection and with auxiliary feedwater available, is 13 hours.
Response
When a PORV sticks open, even though the mass flow rate is significantly less than a pipe break, core damage occurs within about two hours, as follows (Ref. 1, 2). When the PORV is able to release more energy than the decay heat, the RCS pressure will drop significantly.
As a result, the water in the RCS starts boiling. Consequently, the fuel temperature will rapidly increase and the core will be damaged. This situation has been analyzed for several plants, and in each of those cases core damage occurred within a few hours (Ref. 1, 2).
In order to ensure that the analyses in Ref. 1, 2 are applicable to Diablo Canyon, we checked the Diablo Canyon FSAR and determined that the capability of the PORVs (measured in Kg/MWt) is similar to some of the plants analyzed in References 1 and 2. Furthermore, based on discussions with cognizant NRC personnel (Ref. 3), the time of core damage for Diablo Canyon must be similar to those encountered at other plants.
During our discussions on August 24, 2001, you could not provide additional information to show why the time to core damage for Diablo Canyon should be significantly different from other four-loop Westinghouse reactors with similar PORV capability. Therefore, we continue to use two hours as time to core damage. Note that the final analysis using the Rev. 3 SPAR model resulted in no PORV open (i.e., failure) applicable to the dominant cutsets.
REFERENCES
- 1. Rosana Chambers et al., Depressurization to mitigate Direct Containment Heating, Nuclear Technology, pp. 239-250, December 1989.
- 2. NUREG/CR-5937, D.A. Brownson et al., Intentional Depressurization Accident Management Strategy for Pressurized Water Reactors, April 1993.
- 3. Personal Communication between Sunil Weerakkody and Fuat Odar (NRC/RES), August 23, 2001.
- 4. E-mail communication from Ken Bych of Diablo Canyon to Sunil Weerakkody (NRC/RES), August 31, 2001.