ML20114E135

From kanterella
Jump to navigation Jump to search
Final ASP Analysis - Point Beach 1 and 2 (LER 266-01-005)
ML20114E135
Person / Time
Site: Point Beach  NextEra Energy icon.png
Issue date: 05/12/2020
From: Christopher Hunter
NRC/RES/DRA/PRB
To:
Hunter C (301) 415-1394
References
LER 266-01-005
Download: ML20114E135 (142)
v  d  e


Text

Final Precursor Analysis Accident Sequence Precursor ProgramOffice of Nuclear Regulatory Research Potential Common Mode Failure of All Auxiliary Feedwater Point Beach 1 and 2 Pumps CDP = 6x10-4 (Unit 1)

Event Date: 11/29/2001 LER: 266/01-005 CDP = 7x10-4 (Unit 2)

Condition Summary Description. This analysis involves a design deficiency in the auxiliary feedwater (AFW) pumps air-operated minimum flow recirculation valves. The valves fail closed on loss of instrument air, which, combined with inadequacies in plant emergency operating procedures, could potentially lead to pump deadhead conditions and a common mode, non-recoverable failure of the AFW pumps (Refs. 1 and 2).

Point Beach Nuclear Plant is a two-unit site served by a shared instrument air system. Each unit has a turbine-driven AFW pump (pumps 1P29 and 2P29), which can supply water to both steam generators. Additionally, the plant has two motor-driven AFW pumps (pumps P38A and P38B), each of which can be aligned to supply water to a steam generator in each unit (see Figure 1). Each AFW pump has a recirculation line with an air-operated valve that automatically opens, as necessary, to ensure minimum flow through the pump. The recirculation valves require instrument air to open, and fail closed on loss of instrument air. Prior to the discovery of this design deficiency, there were no backup air or nitrogen accumulators associated with these recirculation valves.

During some plant upset conditions, the AFW system actuates automatically to provide feedwater flow to the steam generators for decay heat removal. Depending on the event, overfeeding of the steam generators may occur, resulting in overfilling the steam generators or overcooling the reactor coolant system (RCS). This overfeeding situation requires AFW flow to be reduced. One preferred method used at Point Beach for reducing AFW flow is to throttle or close the AFW pumps' discharge or flow control valves rather than securing the pumps. To prevent pump deadheading conditions, the pumps minimum flow recirculation valves provide a flow path back to the condensate storage tanks. If a pump's recirculation valve fails closed due to loss of air to the valve while the pump's discharge or injection valve is closed, the pump would experience insufficient flow, resulting in pump overheating and damage, possibly within minutes.

The pressurizer power-operated relief valves (PORVs) are air operated. The original plant design did not provide for feed and bleed capability using the pressurizer PORVs following a loss of instrument air. Nitrogen accumulators for the PORVs were strictly for low-temperature overpressure-protection concerns during shutdown operations and have been procedurally isolated during power operations since 1979. Events involving loss of instrument air will also result in the loss of feed and bleed capability.

Condition duration. The condition has existed at both Point Beach units since original construction. Because the condition has existed for more than 1 year, the time for the condition 1

LER 266/01-005 assessment is 1 year. The period selected for the analysis is from November 30, 2000, to November 29, 2001, the date of discovery. 1 Recovery opportunities. Recovery opportunities examined in this analysis included the following:

- Restoration of sufficient AFW flow to prevent deadhead damage to the pumps prior to damaging all AFW pumps

- Recovery of instrument air to a pressurizer PORV to permit feed and bleed cooling

- Recovery of main feedwater given recovery of instrument air pressure Other conditions, failures, and unavailable equipment. Prior to the discovery of this condition on November 29, 2001, the utility had installed new orifices in the recirculation lines for both of the motor-driven AFW pumps (pumps P38A and P38B). Subsequently, the utility discovered that these orifices may quickly plug if service water, the alternate water supply for the AFW system, is used. (See Refs. 3 and 4.) In addition, the utility discovered that the recirculation valves for three of the four AFW pumps were supplied by a common de bus.

Failure of this bus could result in only one motor-driven pump being operable (Ref. 4). Other design issues are also discussed in the inspection report (Ref. 4). A review of these design issues determined that they would not significantly change the risk results presented in this precursor analysis. Therefore, these issues are not included in this analysis but are addressed in a separate analysis.

Analysis Results

  • lmportance 2 For each unit, the risk significance of the design deficiency in the AFW pumps air-operated minimum flow recirculation valves is determined by subtracting the nominal core damage probability (CDP) from the conditional core damage probability (CCDP).

Unit 1 Unit 2 conditional core damage probability (CCDP) - mean 6.3E-04 6.8E-04 nominal core damage probability (CDP) - mean 1.7E-05 1.8E-05 Importance (CDP):

95th percentile 1.3E-03 1.4E-03 point estimate 7.3E-04 7.9E-04 mean 6.1E-4 6.6E-04 th 5 percentile 2.1E-04 1.8E-04 1

The Accident Sequence Precursor Program limits the conditional assessment of risk to a 1-year period. For the time period selected, Unit 1 was critical for 7,680 hours0.00787 days <br />0.189 hours <br />0.00112 weeks <br />2.5874e-4 months <br /> and Unit 2 was critical for 8,316 hours0.00366 days <br />0.0878 hours <br />5.224868e-4 weeks <br />1.20238e-4 months <br />.

2 Since this condition did not involve an actual initiating event, the parameter of interest is the measure of the incremental increase between the conditional probability for the period in which the condition existed and the nominal probability for the same period but with the condition nonexistent and plant equipment available. This incremental increase or "importance" is determined by subtracting the CDP from the CCDP.

2

LER 266/01-005 The graph above presents the range of CDP for Point Beach Units 1 and 2. 3 Based on the mean values, this is an increase of 6.1E-04 to 6.6E-04 over the nominal CDP over the calendar year selected due to the potential failure of all of the AFW pumps when the pumps' recirculation valves fail closed and failure of feed and bleed capability following loss of instrument air. (Slight differences in the results between units are attributed to the differences in operating times during the 1-year condition period.)

  • Dominant sequences The four top sequences are seismic event, loss of service water, loss of offsite power, and loss of instrument air due to internal failure.

- Seismic event: A seismic event results in non-recoverable damage to the non-seismically qualified instrument air system. The simplified event tree, shown in Figure 2, was added to the model to allow for uncertainty calculations.

- Loss of service water: The events and important component failures in loss of service water Sequence 28 (shown in Figure 3) are:

  • failure of the AFW system (due to damage to the AFW pumps resulting from the loss of instrument air pressure caused by loss of cooling to the air compressors), and
  • failure to recover service water cooling to the air compressors, resulting in the inability to initiate feed and bleed cooling (due to loss of instrument air to the pressurizer PORVs) and The inability to initiate secondary cooling via the main feedwater system (due to loss of instrument air to a steam generator atmospheric dump valve and a feedwater regulating bypass valve).

- Loss of offsite power: The events and important component failures in loss of offsite power Sequence 18 (shown in Figure 4) are:

  • postulated loss of offsite power affecting both units,
  • successful operation of the emergency power system,
  • failure of the AFW system (due to damage to the AFW pumps resulting from the initial loss of instrument air pressure caused by loss of electric power to the air 3

A constrained non-informative prior was used to quantify industry experience on initiating event frequencies because it creates a diffuse distribution that accounts for the plant-to-plant variation in system reliability. The prior used a gamma distribution with a shape parameter (0.5), which causes the posterior mean to fall between the prior mean and the maximum likelihood estimate. Using this diffuse gamma distribution for initiating event frequencies causes the CDP confidence interval to be nearly an order of magnitude and the CDP point estimate to be higher than the mean.

3

LER 266/01-005 compressors and bleed down of air pressure), and

  • failure of feed and bleed cooling (due to operator failure to initiate feed and bleed cooling or the failure to recover instrument air).

- Loss of instrument air: The events and important component failures in loss of instrument Sequence 20 (shown in Figure 5) are:

  • postulated total loss of instrument air affecting both units,
  • failure of the AFW system (due to damage to the AFW pumps resulting from the loss of instrument air pressure), and
  • failure to recover instrument air pressure, resulting in the inability to initiate feed and bleed cooling (due to loss of instrument air to the pressurizer PORVs) and the inability to initiate secondary cooling via the main feedwater system (due to loss of instrument air to a steam generator atmospheric dump valve and a feedwater regulating bypass valve).
  • Results Tables

- The conditional probabilities of the dominant sequences are shown in Table 1.

- The event tree sequence logic for the dominant sequences is provided in Table 2a, and definitions of top events are provided in Table 2b.

- The conditional cut sets for the dominant sequences are provided in Table 3.

  • Analysts

- Analysts (ABS Consulting): Michelle Johnson (lead), David Campbell, Charles Mitchell

- NRC technical reviewers: Eli Goldfeiz, James Houghton, Gary DeMoss, Don Marksberry

- ABS Consulting technical review: Leonard Palko Modeling Details

  • Assessment Summary The design deficiency was modeled as an at-power condition assessment with all of the AFW pumps unavailable for 1 year for only those initiators that would involve loss of instrument air. These initiators include the following:
  • Loss of instrument air (LOlA) caused by internal failures in the instrument air system
  • Loss of offsite power (LOOP) to both units
  • Seismic event (LOIASEISMIC)

The Revision 3 standardized plant analysis risk (SPAR) model for Point Beach (Ref. 5) was 4

LER 266/01-005 used for this assessment. Event trees and associated fault trees, basic event probabilities, and initiating event frequencies were modified to reflect the condition being analyzed.

These condition modifications include the following:

  • Selection of initiators that would involve loss of instrument air, as noted above, including development of a simplified event tree for a seismic event
  • Modification of the LOOP initiating event frequency that includes only dual unit LOOPs
  • Accounting for the failure of all AFW pumps on the loss of instrument air In addition, the model was modified to reflect updates to the SPAR model. These update modifications include the following:
  • Updating initiating event frequencies for LOlA and LOSWS based on recent operating experience
  • Modifying the LOlA and LOSWS event trees to include the following:

New top events to account for the opportunities to recover instrument air and service water based on the operating experience New top events that credit the recovery of secondary cooling in certain sequences

  • Updating uncertainty distributions for failure probabilities and initiating event frequencies so that uncertainty analysis can be performed Modifications to the event tree and fault tree models and the bases for the changes are summarized below and discussed in detail in the attachments.

Two analyses were performed-one for Unit 1 and one for Unit 2-due to slight differences in operating time during the 12 months prior to the discovery of the condition.

  • Sequences of Interest

- Initiating events. Because of the vulnerability involving the fail-closed, air-operated valves on the AFW pumps' recirculation lines, loss of instrument air during AFW operations could result in total loss of the AFW system. During an initiating event in which AFW system flow is demanded, instrument air pressure could be lost due to causes that are independent of the initiating event or due to causes that share some dependency with the initiating event. It is the latter case that has the greater risk significance, which this analysis will examine.

The initiating events that result in both a loss of instrument air pressure and reactor trip are:

  • LOlA to both units due to component failures in the instrument air system (e.g.,

compressor failure);

  • LOOP to both units that results in loss of electric power to both the instrument air and service air compressors and loss of air pressure due to usage or bleed down; 5

LER 266/01-005

  • LOSWS to both units that results in loss of cooling water to both the instrument air and service air compressors, trip of the compressors on loss of cooling, and loss of air pressure due to usage or bleed down; and
  • a seismic event that results in non-recoverable damage to the nonqualified instrument air system (e.g., line failure).

- Sequence of events. For the four initiating events (LOlA, LOOP, LOSWS, and LOIASEISMIC) the following sequence of events leads to core damage:

  • Initiating event that causes the total loss of instrument air pressure and results in a manual or automatic reactor trip For LOlA initiating events, the control room likely receives a low pressure annunciator alarm (89 psig) as the first alarm, based on operating experience. The alarm would be expected shortly after the occurrence of the other initiating events
  • Secondary cooling lost due to low instrument air pressure to the balance of plant components (if not already lost due to loss of electric power, service water cooling, or seismic damage to non-seismic qualified structures and components)
  • All AFW pumps feeding the unit (two motor-driven pumps and one turbine-driven pump) automatically start on low-low steam generator level
  • Operators fail to recognize that the recirculation valves are closed upon loss of instrument air pressure. Instrument air pressure quickly degrades to the point (less than 40 psig) that the AFW pumps' recirculation valves fail closed (within 8 to 10 minutes)
  • Operators choose to throttle or close the discharge valves or flow control valves for all of the AFW pumps, resulting in deadhead of the AFW pumps. Plant conditions following the trip require AFW flow to be controlled within 4 minutes (due to overcooling transient) or 13 minutes (due to steam generator overfilling)
  • All AFW pumps fail within minutes due to deadhead conditions - pumps are not recoverable
  • Operators fail to recover instrument air pressure in time for the initiation of feed and bleed cooling (within 30 minutes). (The PORVs, needed for feed and bleed cooling, are not available because of insufficient instrument air pressure to operate the valves. For LOlA events, operators must recover failed components in the instrument air system and recover air pressure within 30 minutes to allow initiation of feed and bleed cooling. For LOSWS events, operators must recover service water cooling to the instrument air compressors and recover instrument air pressure within 30 minutes to allow initiation of feed and bleed cooling. For LOOP (non-station blackout) events, operators must manually restore electric power to the instrument air or service air compressors and recover instrument air pressure within 30 minutes to allow initiation of feed and bleed cooling. For seismic events, damage to the instrument air system is assumed to not be recoverable) 6

LER 266/01-005 Or operators fail to initiate short-term cooling (i.e., feed and bleed) or long-term cooling (i.e., secondary cooling, high-pressure recirculation, residual heat removal

[RHR])

  • Operators fail to recover instrument air pressure in time for recovery of secondary cooling via main feedwater (within 60 minutes). (Main feedwater is not available due to loss of electric power, loss of instrument air pressure, and/or loss of service water flow depending on the initiating event. For LOlA events, operators must recover failed components in the instrument air system and recover air pressure within 60 minutes to allow recovery of secondary cooling. For LOSWS events, operators must recover service water and instrument air pressure within 60 minutes to allow recovery of secondary cooling.)

Or operators fail to initiate long-term cooling (i.e., secondary cooling, high-pressure recirculation, RHR)

  • Plant-Specific System and Operational Considerations (Facts)

Details of plant-specific system design and operational considerations are provided in Attachment 1. These are the facts upon which assumption and model modifications are based. Details are provided for the following:

- AFW system design

- Feed and bleed cooling design

- Instrument air and service air system designs

- Control room indications

- Response to loss of instrument air

- AFW flow control

- Recovery of main feedwater

  • Important Assumptions Details of these assumptions are provided in Attachment 2.

- Operators fail to recognize that the recirculation valves are closed

- Operators close the discharge valves for all of the AFW pumps, resulting in deadheading of the AFW pumps

- No credit for operators detecting pump deadhead conditions (i.e., closed recirculation valves) and taking corrective actions to protect one or more AFW pumps

- No credit for leakage past either the closed recirculation valves or the closed discharge valves providing adequate flow through the AFW pumps to prevent pump damage

- No credit for the recovery of AFW pumps given failure due to deadheading conditions

- No credit for the recovery of nitrogen air bottles to the pressurizer PORVs

- No credit for the recovery of secondary cooling without instrument air or service water

  • Modifications to Event Trees and Fault Trees 7

LER 266/01-005

- Seismic-induced loss of instrument air. A new event tree (Figure 2) was added to the model to account for the seismic-induced loss of instrument air. This simplified tree has one top event with a single pseudo basic event set to TRUE. The tree is based on the assumption that a seismically induced loss of instrument air event is non-recoverable and, therefore, would lead directly to core damage (hence the pseudo-event set to TRUE).

- Loss of instrument air and loss of service water. The LOlA and LOSWS event trees were modified to include recovery of instrument air, service water, and main feedwater.

Recovery-related changes were made to related event and fault trees, and basic event non-recovery probabilities. These changes are refinements to the SPAR model; therefore, these modifications are applied to the base case and change case. Details of these modifications are provided in the addendum to the Point Beach SPAR Manual (Attachment 5).

  • Modifications to Basic Event Failure Probabilities Table 4 provides the basic event probabilities that were modified for this analysis. Changes are summarized below.

- Probability of common-cause failure of all AFW pumps (AFW-PMP-CF-ALL). The common-cause failure probability that all the AFW pumps would fail was set to TRUE for those sequences in which instrument air would be lost (i.e., LOOP, LOSWS, and LOlA).

This reflects the fact that given a LOOP, LOSWS, or LOlA initiating event, the AFW pumps would be damaged fairly quickly into the event and would not be recoverable.

- New basic events. New basic events were created for the new top events added to the LOlA and LOSWS event trees. Details of the failure probability estimates are provided in the addendum to the Point Beach SPAR Manual (See Attachment 5). These basic events are also listed in Table 4.

  • Modifications to Initiating Event Frequencies Table 41iststhe initiating event frequencies that were modified for this analysis. Changes are summarized below.

- Loss of offsite power initiating event (IE-LOOP). Because of the design of the instrument air and service air systems at Point Beach (redundant compressors and diverse power sources), loss of all four compressors due to a LOOP would only occur if power were lost to both units. Types of LOOPs that would involve both units include dual- unit, plant-centered LOOP; grid-related LOOP; and severe weather-related LOOP.

Operating experience data were reviewed to determine the frequency of plant-centered, dual-unit LOOP; grid-related LOOP; and severe weather-related LOOP. The mean frequency for IE-LOOP used in both the base case and change case is 8.8E-3/year (1.0E-6/hour). Details of the frequency calculation and the data used in the estimate are provided in Attachment 3.

- Seismically induced loss of instrument air (IE-SEISMIC). A seismically induced loss of instrument air was also considered as a contributor to core damage. A simplified event tree was created for this purpose (see Figure 2). The safe shutdown earthquake 8

LER 266/01-005 for Point Beach is 0.12 g and the operating basis earthquake is 0.06 g. Because the instrument air system piping design is less robust than ANSI B31.1 piping design, the instrument air system cannot be assumed to withstand any seismic event greater than 0.06 g, without either performing a seismic analysis of the piping design or conducting visual inspections of the piping to determine seismic tolerance. Therefore, the return frequency for seismic events that would result in a loss of instrument air is conservatively estimated at 3.1E-4/yr (3.5E-8/hour) based on the lowest estimated ground acceleration value (50 cm/sec2 or 0.05 g) at Point Beach from NUREG/CR-1488, Revised Livermore Seismic Hazard Estimates for 69 Nuclear Power Plant Sites East of the Rocky Mountains (Ref. 6). The mean frequency for this acceleration is 3.1E-4/yr. As the lowest site-specific value found in NUREG/CR-1488, this frequency is more appropriate than arbitrarily selecting the design basis earthquake, because no design value exists for instrument air system piping. The frequency of seismically induced core damage events for the base case is taken from the IPEEE (Ref. 7). The base case frequency is 1.5E-05/yr.

- Loss of instrument air (IE-LOlA) and loss of service water (IE-LOSWS) initiating events. The initiating event frequencies for IE-LOIA and IE-LOSWS were updated using recent operating experience. In both cases, total losses (to both units) are of interest because both systems are shared between units. Details of the frequency updates and the data used in the estimate are provided in the addendum to the Point Beach SPAR Manual (See Attachment 5).

- Initiating event frequency changes to eliminate unaffected sequences. Initiating events IE-LDC01, IE-LLOCA, IE-MLOCA, IE-SLOCA, IE-LOCCW, IE-RHR-DIS-V, IE RHR-SUC-V, IE-STGR, IE-SI-CLDIS-V, IE-SI-HLDIS-V, and IE-TRANS were set to FALSE in the base case and the change case to reflect the condition being analyzed.

The sequences associated with these initiating events have no shared dependencies with loss of instrument air; therefore, including them in the CDP and CCDP calculations with the common-cause failure of all AFW pumps (AFW-PMP-CF-ALL) to TRUE is not appropriate.

Furthermore, because the condition being analyzed does not impact the SPAR change case for these other initiating events (i.e., the base case and change case are identical),

there is no contribution to the delta CDP importance measure from these initiating events. Therefore, all accident sequences associated with these initiating events were removed from the GEM calculations by setting the frequencies for these initiators to FALSE in both the base and change cases.

  • Sensitivity Study- Potential Common-Mode Failure of All Auxiliary Feedwater Pumps Several sensitivity studies were performed to determine the effects of key assumptions on the CDP. These studies included the following cases: (1) varying likelihood that all AFW pumps would be failed on loss of recirculation flow, (2) varying the initiating event frequencies, and (3) reducing the likelihood that operators would fail to initiate feed and bleed cooling. As the results show (point estimate values for Unit 1), these sensitivity studies did not cause the CDP to fall outside the bounds of the 5th and 95th percentile of the best estimate.

- Failure of the AFW pumps. In the condition assessment, it was assumed that, early in the event, operators would throttle the discharge flow for all of the AFW pumps, resulting 9

LER 266/01-005 in the pumps operating in deadhead conditions. This would quickly lead to pump failure.

Several sensitivity cases were run varying the likelihood that operators would detect pump deadhead conditions and respond quickly enough to save at least one AFW pump.

- Initiation of feed and bleed cooling. For LOOP sequences, failure of the operator to initiate feed and bleed cooling is an important event. The probability for this event was derived using the human error worksheet. In the worksheet, the nominal failure probability for human action is 1.0E-3. Several sensitivity cases were run varying the failure probability for human action.

- Loss of instrument air and loss of service water. The initiating event frequencies for loss of instrument air and loss of service water were estimated using operating experience data (see Attachment 5). For both events, a gamma distribution was assumed and the mean value was used in the condition assessment for the event's frequency. Sensitivity cases were run using the 5th and 95th percentile values for the distributions as the event's frequency.

- Seismic event. For the condition assessment, the instrument air system was assumed to be unable to withstand any seismic event greater than the operating basis earthquake (0.06 g). The return frequency for seismic events that would result in a loss of instrument air is conservatively estimated at 3.1E-4/yr (3.5E-8/hour), based on a ground acceleration value of 50 cm/sec2 or 0.05 gat Point Beach from NUREG/CR-1488 (Ref.

6). The IPEEE for Point Beach identified the plant high confidence of a low probability of failure (HCLPF) capacity to be 0.16 g (Ref. 7). A sensitivity case was run using the return frequency for 0.15 g, nearest peak ground acceleration given in NUREG/CR-1488 (Ref. 6).

1 Importance Basic Event Value Description (CDP)

Failure of AFW Pumps Value used in condition assessment. Assumes all 1.0 7.3E-04 AFW pumps fail when run in deadhead conditions AFW-PMP-CF-ALL -

Common cause failure 0.75 6.1E-04 25% chance at least one AFW pump survives of all AFW pumps 0.5 5.0E-04 50% chance at least one AFW pump survives 0.1 3.1E-04 90% chance at least one AFW pump survives Initiation of Feed and Bleed Cooling Probability derived using human error worksheet.

2.0E-02 7.3E-04 (Nominal failure probability for human action HPI-XHE-XM-FB - is1.0E-3.) Value used in condition assessment Operator fails to initiate Assumes nominal failure probability for human 2.0E-03 5.8E-04 feed and bleed cooling action is 1.0E-4 Assumes nominal failure probability for human 2.0E-04 5.7E-04 action is 1.0E-5 10

LER 266/01-005 1

Importance Basic Event Value Description (CDP)

Loss of Instrument Air 9.0E-07/hr 7.3E-04 Mean. Value used in condition assessment IE-LOlA 3.54E-09/hr 6.0E-04 Lower bound (5%)

3.4E-06/hr 1.1E-03 Upper bound (95%)

Loss of Service Water 4.5E-08/hr 7.3E-04 Mean. Value used in condition assessment IE-LOSWS 1.83E-10/hr 5.6E-04 Lower bound (5%)

1.71E-07/hr 1.2E-03 Upper bound (95%)

Loss of Electric Power 1.0E-06/hr 7.3E-04 Mean. Value used in condition assessment IE-LOOP 4.0E-09/hr 5.6E-04 Lower bound (5%)

3.9E-06/hr 1.2E-03 Upper bound (95%)

Seismic Event Return frequency for 0.05 g (Ref. 7). Value used 3.5E-08/hr 7.3E-04 IE-SEISMIC for change case in condition assessment 7.5E-09/hr 5.1E-04 Return frequency for 0.15 g (Ref. 7)

Note:

1. Values given for importance (CDP) are point estimate values for Point Beach Unit 1.
  • Other Considerations In addition to the vulnerability identified in this event, another licensee event report (LER) identifies a potential for complete loss of AFW flow to Unit 1 due to fires in the AFW pump room (LER 266/01-006, Ref. 8) that also existed during the same time period. The likelihood of a damaging fire in the AFW pump room in conjunction with a failure of the fire sprinkler system is small in comparison to the loss of instrument air initiators. Therefore, fire effects were not included in this analysis.

References

1. LER 266/01-005, PRA Assessment of Auxiliary Feedwater System Reveals Procedural Vulnerability Related to Loss of Instrument Air, November 29, 2001 (ADAMS Accession No. ML020560352).
2. NRC Inspection Reports No. 50-266/01-17 and No. 50-301/01-17, February21, 2002 (ADAMS Accession No. ML020950889).
3. LER 266/02-003, Possible Common Mode Failure of AFW due to Partial Clogging of Recirculation Orifices, December 29, 2002 (ADAMS Accession No. ML030080291).
4. NRC Inspection Report No. 50-266/02-015 and 50-301/02-015, April 2, 2003 (ADAMS Accession No. ML03092011280).

11

LER 266/01-005

5. Scott T. Beck and Robert F. Buell, Standardized Plant Analysis Risk Model for Point Beach Units 1 and 2, Revision 3, Idaho National Engineering and Environmental Laboratory, September 2001.
6. Wisconsin Electric Power Company, Point Beach Nuclear Plant, Individual Plant Examination of External Events for Sever Accident Vulnerabilities, Summary Report, 1997.
7. LER 266/01-006, Appendix R Requirements Not Satisfied for Unanalyzed Fire Induced Damage to the Auxiliary Feedwater System, December 5, 2001 (ADAMS Accession No. ML020580395).
8. Wisconsin Electric Power Company, Point Beach Nuclear Plant- Units 1 and 2, Individual Plant Examination, revised December 1997.
9. Updated Final Safety Analysis Report for Point Beach.
10. Wisconsin Electric Power Company, Point Beach Nuclear Plant Critical Safety Procedure, CSP-H.1, "Response to Loss of Secondary Heat Sink," Rev. 21 (Unit 1),

Rev. 22 (Unit 2), 4/26/2001.

11. C. L. Atwood, et al., Evaluation of Loss of Offsite Power Events at Nuclear Power Plants:

1980-1996, NUREG/CR-5496, U.S. Nuclear Regulatory Commission, Washington, DG, November 1998.

12. C. L. Atwood, "Constrained Non-informative Priors in Risk Assessment," Journal of Reliability Engineering and System Safety, Vol. 53, Issue 1, pp. 37-46, 1996.
13. Dockets 50-266 and 50-301, Monthly Operating Reports, Point Beach Nuclear Power Plant, Units 1 and 2 (for the calendar month of December 2000), January 8, 2001 (ADAMS Accession No. ML010180121).
14. Dockets 50-266 and 50-301, Operating Licenses DPR-24 and DPR-27, Point Beach Nuclear Power Plant, Units 1 and 2, Monthly Operating Reports (for the calendar month of November 2001), December 7, 2001 (ADAMS Accession No. ML020150475).
15. Dockets 50-266 and 50-301, Point Beach Nuclear Plant, Units 1 and2, Review of Preliminary Accident Sequence Precursor Analysis of November 2001 Operational Condition (TAC No. MB7832), letter from A J. Cayia, Site Vice President, Nuclear Management Company, LLC, to the U.S. Nuclear Regulatory Commission, dated May 19, 2003 (ADAMS Accession No. ML0314902530).

12

LER 266/01-005 Table 1. Conditional probabilities associated with the dominant sequences (Unit 2).1 Conditional Core Event Tree Sequence Core Damage Importance Damage Probability (CDP) 2 3 Name No. 2 Probability (CDP)

(CCDP)

LOIASEISMIC 2 2.9E-04 1.4E-05 -

LOSWS 28 1.9E-04 4.8E-06 -

LOOP 18 1.7E-04 6.2E-07 -

LOlA 20 1.0E-04 1.4E-07 -

4 Total (all sequences)

Point Estimate 8.1E-04 2.1E-05 7.9E-04 Means 6.8E-04 1.8E-05 6.6E-04 5

95th Percentile 1.5E-03 4.7E-05 1.4E-03 5

5th Percentile 2.2E-05 4.7E-06 1.8E-05 Note:

1. File names: GEM 266-01-005 U1 1-7-2003 174000.wpd (for Unit 1 results) and GEM 266-01-005 U2 1-7-2003 173758.wpd (for Unit 2 results).
2. Core damage probabilities calculated using sequences for only those initiators having a shared dependency with the loss of instrument air. Core damage probabilities for sequences associated with initiators not having a shared dependency were not included.
3. Importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.
4. Total CCDP and CDP includes all sequences (including those not shown in this table).
5. Values generated using the uncertainty analysis option in Saphire. Uncertainty method used was Monte Carlo with 8,000 histories.

Table 2a. Event tree sequence logic for the dominant sequences.

Event Tree Logic Sequence No.

Name ("/" denotes success; see Table 2b for top event names)

LOIASEISMIC 2 SEISMIC AIR-REC-SW-ST, /RT, /RCPSL-SWS, AFW, AIR-REC-SW-MT, AIR-REC-SW-LOSWS 28 LT LOOP 18 /RT-L, /EP, AFW, BLEED LOlA 20 AIR-REC-ST, /RT, AFW, AIR-REC-MT, AIR-REC-LT 13

LER 266/01-005 Table 2b. Definitions of fault trees listed in Table 2a.

AIR-REC-LT OPERATOR FAILS TO RECOVER INSTRUMENT AIR IN LONG TERM AIR-REC-MT OPERATOR FAILS TO RECOVER INSTRUMENT AIR IN MEDIUM TERM AIR-REC-ST OPERATOR FAILS TO RECOVER INSTRUMENT AIR IN SHORT TERM AIR-REC-SW- OPERATOR FAILS TO RECOVER SERVICE WATER (SW) TO INSTRUMENT AIR IN LT LONG TERM AIR-REC-SW- OPERATOR FAILS TO RECOVER SW TO INSTRUMENT AIR IN MEDIUM TERM MT AIR-REC-SW- OPERATOR FAILS TO RECOVER SW TO INSTRUMENT AIR IN SHORT TERM ST AFW NO OR INSUFFICIENT AUXILIARY FEEDWATER FLOW BLEED FAILURE TO PROVIDE BLEED PORTION OF FEED AND BLEED COOLING SEISMIC EVENT EP EMERGENCY POWER SYSTEM FAILURES RCPSL-SWS REACTOR COOLANT PUMP SEALS INTACT GIVEN LOSS OF SERVICE WATER RT REACTOR FAILS TO TRIP DURING TRANSIENT RT-L REACTOR FAILS TO TRIP DURING LOSS OF OFFSITE POWER Table 3. Conditional cut sets for dominant sequences (Unit 2).

Percent CCDP Minimal cut sets1 contribution Event Tree: LOIASEISMIC, Sequence 2 2.9E-04 100 SEISMIC Event Tree: LOSWS, Sequence 28 1.9E-04 100 AIR-XHE-RECOVERY-SW-ST AIR-XHE-RECOVERY-SW-MT AIR-XHE-RECOVERY-SW-LT Event Tree: LOOP, Sequence 18 1.7E-04 98.9 HPI-XHE-XM-FB Event Tree: LOlA, Sequence 20 1.0E-04 100 AIR-XHE-RECOVERY-ST AIR-XHE-RECOVERY-MT AIR-XHE-RECOVERY-LT Note:

1. See Table 4 for definitions and probabilities for the basic events.

14

LER 266/01-005 Table 4. Definitions and probabilities for modified or dominant basic events.

Probability/

Event Name Description Modified Frequency 1

ACP-XHE-NOREC- OPERATOR FAILS TO RECOVER OFFSITE 0.36 YES BD POWER BEFORE BATTERY DELETION 2

AFW-PMP-CF-ALL COMMON-CAUSE FAILURE OF AFW PUMPS TRUE YES 3,4 AIR-XHE- OPERATOR FAILS TO RECOVER INSTRUMENT 0.14 NEW RECOVERY-LT AIR IN LONG TERM GIVEN FAILURE TO RECOVER IN MEDIUM TERM 3,4 AIR-XHE- OPERATOR FAILS TO RECOVER INSTRUMENT 0.17 NEW RECOVERY-MT AIR IN MEDIUM TERM GIVEN FAILURE TO RECOVER IN SHORT TERM 3

AIR-XHE- OPERATOR FAILS TO RECOVER INSTRUMENT 0.58 NEW RECOVERY-ST AIR IN SHORT TERM 3,4 AIR-XHE- OPERATOR FAILS TO RECOVER SW TO 0.68 NEW RECOVERY-SW-LT INSTRUMENT AIR IN LONG TERM GIVEN FAILURE TO RECOVER IN MEDIUM TERM 3,4 AIR-XHE- OPERATOR FAILS TO RECOVER SW TO 0.83 NEW RECOVERY-SW-MT INSTRUMENT AIR IN MEDIUM TERM GIVEN FAILURE TO RECOVER IN SHORT TERM 3

AIR-XHE- OPERATOR FAILS TO RECOVER SW TO 0.88 NEW RECOVERY-SW-ST INSTRUMENT AIR IN SHORT TERM HPI-XHE-XM-FB OPERATOR FAILS TO INITIATE FEED AND 2.0E-02 NO BLEED COOLING 5

IE-LDC01 LOSS OF DC BUS INITIATING EVENT FALSE YES 5

IE-LLOCA LARGE LOSS-OF-COOLANT ACCIDENT (LOCA) FALSE YES INITIATING EVENT 5

IE-LOCCW LOSS OF COMPONENT COOLING WATER FALSE YES (LOCCW) INITIATING EVENT 1

IE-LOlA LOSS OF INSTRUMENT AIR INITIATING EVENT 9.0E-07/hr YES 6

IE-LOOP LOSS OF OFFSITE POWER INITIATING EVENT 1.0E-06/hr YES 1

IE-LOSWS LOSS OF SERVICE WATER INITIATING EVENT 4.5E-08/hr YES 5

IE-MLOCA MEDIUM LOCA INITIATING EVENT FALSE YES 5

IE-RHR-DIS-V RHR DISCHARGE VALVE INTERSYSTEM LOCA FALSE YES (ISLOCA) INITIATING EVENT 5

IE-RHR-SUC-V RHR SUCTION VALVE ISLOCA INITIATING EVENT FALSE YES 5

IE-SI-CLDIS-V SAFETY INJECTION (SI) COLD LEG ISLOCA FALSE YES INITIATING EVENT 5

IE-SI-HLDIS-V Sl HOT LEG ISLOCA INITIATING EVENT FALSE YES 7

IE-SEISMIC SEISMICALLY INDUCED LOSS OF INSTRUMENT 1.7E-09/hr YES AIR (base) 3.5E-08/hr (change) 5 IE-SLOCA SMALL LOCA INITIATING EVENT FALSE YES IE-STGR STEAM GENERATOR TUBE RUPTURE INITIATING FALSE YES5 EVENT 15

LER 266/01-005 Probability/

Event Name Description Modified Frequency 5

IE-TRANS TRANSIENT INITIATING EVENT FALSE YES 1

RCS-MDP-SEALS REACTOR COOLANT PUMP (RCP) SEALS FAIL 0.22 YES W/O COOLING AND INJECTION 1

RCS-MDP-SEALS2 RCP SEALS FAIL W/O COOLING AND INJECTION 0.22 YES GIVEN LOSWS OR LOCCW Notes:

1. Basic event/initiating event frequency to the base case model updated. See Attachment 5 for details.
2. Event changed to reflect event being analyzed.
3. Basic event added to update base case model. See Attachment 5 for details.
4. Conditional probability.
5. Initiating event frequencies were set to FALSE in the base case and the change case to reflect the condition being analyzed. The sequences associated with these initiating events have no shared dependencies with loss of instrument air; therefore, including them in the CDP and CCDP calculations with the common-cause failure of all AFW pumps (AFW-PMP-CF-ALL) to TRUE is not appropriate.
6. Initiating event frequency updated for event being analyzed. See Attachment 3 for event analysis and frequency calculation.
7. Initiating event frequency updated ) for event being analyzed. The return frequency for seismic events that would result in a loss of instrument air is conservatively estimated at 3.1E-4/yr based on the lowest estimated ground acceleration value (50 cm/sec2at Point Beach from NUREG/CR-1488, Revised Livermore Seismic Hazard Estimates for 69 Nuclear Power Plant Sites East of the Rocky Mountains (Ref. 6). Base case value of 1E-09/hr (1.5E-05/yr) was taken from Point Beach Units 1 and 2 Individual Plant Examination (Ref. 9).

16

LER 266/01-005 Figure removed during SUNSI review Figure 1 AFW System Simplified Diagram 17

LER 266/01-005 Figure 2 Seismically Induced Loss of Instrument Air Event Tree 18

LER 266/01-005 Figure 3 Loss of Service Water Event Tree 19

LER 266/01-005 Figure 4 Loss of Offsite Power Event Tree 20

LER 266/01-005 Figure 5 Loss of Instrument Air Event Tree 21

LER 266/01-005 Figure removed during SUNSI Review Figure 6 Instrument Air Simplified Flow Diagram 22

LER 266/01-005 Figure removed during SUNSI Review Figure 7 Service Air Simplified Flow Diagram 23

LER 266/01-005 Attachment 1 - Plant-specific System and Operational Considerations These are the facts upon which assumption and model modifications are based. Details are provided for the following:

- AFW system design

- Feed and bleed cooling design

- Instrument air and service air system designs

- Control room indications

- Plant response to loss of instrument air

- AFW flow control

- Recovery of main feedwater Information removed during SUNSI Review 24

LER 266/01-005 Information removed during SUNSI Review 25

LER 266/01-005 Information removed during SUNSI Review 26

LER 266/01-005 Attachment 2- Details of Important Assumptions This analysis includes several important assumptions. The assumptions and the bases for making these assumptions are described below.

  • Operators fail to recognize that the recirculation valves are closed. This assumptions is based on the following:

- EOP-0.1, Reactor Trip Response, does not provide any steps to caution the operator about the damage to AFW pumps during deadheading conditions-pump's minimum flow recirculating valves closed due to the loss of instrument air and the closure of the AFW flow control valves.

EOP-0.1, Reactor Trip Response, directed operators to control feedwater flow early in the procedure. EOP-0.1 was the procedure that operators would use for most transients. Response not obtained (RNO) column (Step 1.c of the procedure) directed operators to reduce feed flow if RCS temperatures were less than 547 degrees C)

Fahrenheit (F) and trending lower. Step 4.b directed operators to control feed flow to maintain steam generator levels between 29% and 69%. RNO (Step 4.b) directed operators to stop feed flow to intact steam generators if level continued to rise. If instrument air had been lost, damage would occur to the AFW pumps by these operator actions to control feedwater flow due to the low-flow conditions created. The team noted that procedure OM 4.3.1, AOP and EOP Writers' Guide, Step 5.4.2, stated, "A caution is used to present information regarding potential hazards to personnel or equipment associated with the subsequent step(s)." The emergency operating procedures steps did not provide any such cautions prior to November 30, 2001.

- The time that the AFW recirculation valves would fail closed due to the loss of instrument air could vary; however, time is on the order of 10 minutes or less.

Based on discussions with licensee engineering staff, the team determined that the time that the AFW recirculation valves would fail closed due to loss of instrument air could vary. The engineering staff had determined that the recirculation valves would begin to drift shut when instrument air header pressure was reduced to 40 psig and would be fully closed at 25 psig. The instrument air header pressure was nominally maintained at 100 psig with some variation due to cycling of air compressors. Based on observations of instrument air header pressure drop between cycling of air compressors, the engineering staff determined that the instrument air head pressure would drop approximately 13.5 pounds per square inch in 1 minute under normal loads. The engineering staff estimated that the AFW recirculation valves would begin to drift shut approximately 6 to 8 minutes after loss of all air compressors with complete valve closure 1 to 2 minutes thereafter. A loss of instrument air due to a leak in an airline versus a loss of air compressors would result in different bleed down rates, depending on the size of the break. Additionally, the instrument air bleed down rate could be faster due to greater demands on the instrument air system in response to the transient.

- The AFW recirculation valves could reposition at a time when an operator's attention would not be directly focused on the AFW pumps.

Based on discussions between the NRC and licensee personnel, as documented in the 27

LER 266/01-005 inspection report (Ref. 2), the preferred method for controlling AFW flow was by throttling or closing the AFW flow control valves (for the motor-driven AFW pumps) or discharge valves (for the turbine-driven AFW pumps) rather than securing the pumps. Section 14.1.12, "Loss of All AC Power to the Station Auxiliaries," of the original Final Facility Description and Safety Analysis Report (FFDSAR)" stated, "The reactor operator in the control room can monitor the steam generator water level and control the feedwater flow with remote-operated AFW control valves." The FFDSAR did not discuss securing AFW pumps as a means to control steam generator levels. In some loss of instrument air scenarios (e.g., those involving RCS overcooling), the recirculation valves could remain open at the time that operators throttle or close flow control and discharge valves due to remaining air header pressure. However, the recirculation valves would subsequently close due to decreasing air pressure. Consequently, the valves could reposition at a time when an operator's attention would not be directly focused on the AFW pumps (Ref. 2).

- Abnormal Operating Procedure (AOP)-58, Loss of Instrument Air, had steps that addressed the recirculating valves; however, the guidance appeared deep into the procedure.

Procedure AOP-58 provided operators with guidance for loss of instrument air.

However, during these transients, operators would typically be using emergency operating procedures, such as EOP-0.1, in their initial response to a transient. After plant conditions stabilized, abnormal operating procedures, such as AOP-58, would be used to restore equipment. AOP-58 has steps to secure open the AFW pump recirculation valves. However, guidance on securing open the valves does not appear until Step 1 of Attachment R, "Auxiliary Feed," located on page 36 of the procedure.

Operators were directed to Attachment R by Step 26 (located on page 14) of the procedure. Step 26 simply directed operators to check plant systems status per attachments A through Z. Consequently, although procedure AOP-58 had steps that addressed the failed closed recirculation valves, operators would likely not reopen the recirculation valves before damage occurred to the AFW pumps because they would be following the emergency operating procedures (Ref. 2).

  • Operators close the discharge valves for all of the AFW pumps resulting in deadheading of all AFW pumps. This assumptions is based on the following:

- As discussed above, the preferred method for controlling AFW flow was by throttling or closing the AFW flow control valves (for the motor-driven AFW pumps) or discharge valves (for the turbine-driven AFW pumps) rather than securing the pumps.

- As discussed above, EOP-0.1 did not provide guidance on how to reduce AFW flow.

- Operating experience demonstrated that operators would drastically reduce AFW flow within several minutes of pump start due to RCS overcooling under some transient conditions.

For example, on June 27, 2001, the Unit 2 reactor was manually tripped due to low and decreasing water level in the Unit 2 circulating water pump bay (reported in LER 05000301/2001-002-00). Due to subsequent low steam generator water levels, the Unit 2 turbine-driven AFW pump and both motor-driven AFW pumps initiated and began feeding the Unit 2 steam generators. Only one steam generator in a unit nominally 28

LER 266/01-005 requires 200 gpm feedwater flow for decay heat removal. However, with three AFW pumps running, approximately 800 gpm of feedwater flow (approximately four times the required flow) was provided to the Unit 2 steam generators. Consequently, the reactor coolant system was cooled down at an excessive rate. Approximately 3 minutes after the reactor was tripped, operators closed either the flow control valves or the discharge valves to stop flow from the motor-driven AFW pumps. Approximately 4 minutes after the reactor was tripped, operators closed the discharge valves from the Unit 2 turbine-driven AFW pump, stopping all AFW flow to the steam generators. The AFW pumps were not secured until approximately 8 minutes after the reactor was tripped when feed flow using main feedwater was partially restored. In this particular event, the AFW recirculation valves were functional because instrument air had not been lost. However, had instrument air not been available, as would happen in transients such as loss of instrument air, loss of offsite power, and loss of service water events, all AFW pumps could have been damaged (Ref. 2).

  • No credit for operators detecting pump deadhead conditions (i.e., closed recirculation valves) and taking corrective actions to protect one or more AFW pumps. This assumption is based on the following:

- As discussed above, EOP-0.1 does not caution operators about the potential to damage the AFW pumps during deadhead conditions.

- Operators have no indication of flow in the AFW pumps' recirculation lines. Indication is provided for AFW flow to individual steam generators and flow from each AFW pump.

However, the flow element for each AFW pump is located downstream of where the recirculation line branches off from the pump's discharge line. Therefore, indications of little or no flow for the AFW pumps would be expected with the pumps discharge or flow control valves throttled or closed (Ref. 2).

- As discussed above, AOP-58 had steps that address the failed closed recirculation valves; however, operators would likely not get to these steps until the AFW pumps had operated in deadhead conditions and damage occurred.

  • No credit for leakage past either the closed recirculation valves or the closed discharge or flow control valves providing adequate flow through the AFW pumps to prevent pump damage.

- In 1988, NMC installed modifications to increase the design minimum recirculation flow for the AFW pumps to 70 gallons per minute (gpm) for the motor-driven pumps and 100 gpm for the turbine-driven pumps. Previously, the minimum recirculation flow was 30 gpm, which the AFW pump vendor, Byron Jackson, indicated would be sufficient to prevent pump damage, based on pump heat up when on recirculation flow (Ref. 2).

Leakage past the AFW pump's closed recirculation valve or the closed discharge or flow control valve could provide enough flow to prevent pump damage. However, inclusion of component failures as success logic in a risk model is typically not done. The failure probability for an air-operated valve failing to close on demand is 1.0E-3; the failure probability for a motor-operated valve failing to close on demand is 3.0E-3. The likelihood that the air operated flow control valve or air-operated recirculation valve for one of the motor-driven AFW pumps fails to close on demand or the motor-operated discharge valve or air operated recirculation valve for the turbine-driven pump fails to close is 8.0E-3. Unless leakage past these valves, sufficient to prevent pump damage, 29

LER 266/01-005 normally occurs, the likelihood that the valves close when demanded, resulting in pump deadhead conditions, is 0.992.

  • No credit for recovery of AFW pumps given failure due to deadheading conditions.

This assumption is based on the following:

- The AFW recirculation lines were installed as part of original construction to ensure the pumps would have a flow path to prevent deadheading the pump, which would damage the pump. As indicated in the inspection report (Ref. 2), discussions with licensee engineering staff indicated that a pump could be damaged within minutes under insufficient flow condition due to lack of cooling.

- Damage to the pump and pump seals would be catastrophic.

  • No credit for the recovery of nitrogen air bottles to the pressurizer PORVs. This assumption is based on the following:

- The pressurizer PORVs are air-operated valves with a backup nitrogen supply.

However, since 1979, the backup nitrogen supply has been isolated, by procedure, during power operation. A containment entry is required to restore the backup nitrogen supply. Consequently, upon a loss of instrument air, the PORVs would not be available (Ref. 2).

- Containment entry during any one of the LOlA initiators would not be a normal plant evolution (would be considered a heroic action). Further, EOP-0.1 and CFP-H.1 do not provide the steps and cautions for such action.

  • No credit for recovery of secondary cooling without instrument air or service water.

This assumptions is based on the following:

- Critical Safety Procedure (CSP) - H.1, Response to Loss of Secondary Heat Sink, provides instructions for restoring secondary heat sink (Ref. 11). Because several valves in the secondary side system are air operated and because specific procedural guidance for restoring secondary side cooling when instrument air is not available is NOT provided in CSP-H.1, no credit for recovery of secondary cooling is taken when instrument air (or service water cooling to the instrument air or service air compressors) is not available.

30

LER 266/01-005 Attachment 3 - LOOP Initiating Event Frequency Estimate

  • Data sources. For this condition assessment, a frequency estimate for loss of instrument air due to LOOP events was developed that is based on events identified in NUREG/CR-5496, Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1980- 1996 (Ref. 12), and updated to include LER data through 2002. A search of the Sequence Coding and Search System database was conducted to select LERs involving failures in the instrument air system for the years 1997 through 2002. The total time period reviewed is 1987-2002.
  • Review criteria. Because of the design for the instrument air and service air systems at Point Beach (redundant compressors and diverse power sources), loss of all four compressors due to a LOOP will only occur if power is lost to both units. The types of LOOP events that would involve both units include dual-unit, plant-centered LOOPs; grid-related LOOPs; and severe weather-related LOOPs. Other review criteria include the following:

- Causes of weather-related and grid-related LOOP events are independent of plant mode; therefore, both operating and shutdown experience were included.

- LOOP events that occurred when all units at the site were shut down were not included.

- LOOP caused by outage maintenance activity on one shutdown unit (even though the activity is not performed while the plant is operating) were included. This type of LOOP will be used to calculate a dual-unit, plant-centered LOOP frequency for the fraction of time that one unit at Point Beach is shut down.

- Hurricane-related LOOP events were not included.

  • Results. The results of the review of LOOP events during the 1987-2002 period are given in Table 3.1 below.

Table 3.1. Events selected for dual-unit LOOP frequency assessment.

LOOP Type No. Events LER(s)

Grid-related 1 395/89-012 333/88-011, 282/96-012, 346/98-006, 302/93-002, and

  • Weather-related 5 325/93-008 Dual-unit, plant-centered Both units operating 2 317/87-012 and 327/92-027 One unit shut down 1 334/93-013
  • Exclude: Pilgrim (outlier from NUREG/CR-5496); 2 of 3 events at Crystal River (302/93-002) caused by the same storm; hurricane events when plant was shut down prior to the hurricane-induced LOOP.

31

LER 266/01-005

  • Industry frequency calculation. The LOOP frequency is estimated by:

FLOOP = FGrid + FSevere Weather + FDual Where, FGrid =frequency of grid-related LOOPs FSevere Weather =frequency of weather-related LOOPs FDual = frequency of plant-centered, dual-unit LOOPs The total operating and shutdown time for all sites (single and multiunit sites) during 1987-2002 is 1,080 site calendar years, as shown in Table 3.2. The operating and shutdown time for only multiunit sites during the same time is 570.9 site calendar years. Using the criticality factor calculated in Table 3.3 of 0.78, the multiunit critical time is 0.78 x 570.9 calendar years = 445 critical years. Therefore, the mean frequency is:

FGrid = 1/1,018 yr = 9.8E-4/yr or 1.1E-7/hr FSevere Weather = 5/1,018 yr = 4.9E-3/yr or 5.6E-7/hr FDual = 3/445 yr = 6.7E-3/yr or 7.7E-7/hr The industry LOOP frequency (per site calendar year) is:

FLOOP = 1.1E-7/hr + 5.6E-7/hr +7.7E-7/hr = 1.4E-6/hr or 1.2E-2/yr

  • Point Beach plant-specific frequency calculation. In order to obtain a rigorous probability distribution for FLOOP a numeric analysis of each parameter would be required.

Since the number of events controls the uncertainty bounds, a reasonable distribution can be created from an approximate analysis for the purpose of ASP uncertainty analysis. The number of LOOP events (nine) and the industry LOOP frequency (1.2E-2/yr) are used to estimate a pseudo-exposure (732 years) so that a probability distribution can be created to express the uncertainty in the estimate.

The constrained noninformative prior distribution (Ref. 13) was used. The distribution is given by:

1

(, ) = ( 0.5, )

2 Grid reliability and severe weather frequency vary between plants, so the more diffuse prior distribution is appropriate. The Gamma distribution parameters (in years) of the prior are

=0.5 and =41. Performing a Bayesian update on the above distribution with Point Beach's 16 operating years without a LOOP event, the mean LOOP frequency for Point Beach is 8.8E-3/yr or 1.0E-6/hr. The Gamma distribution parameters of the posterior are

=0.5 and =57. The 5th percentile of this distribution is 3.5E-5/yr and the 95th percentile is 3.4E-2/yr.

Operating history at Point Beach for the time period from November 30, 2000, to November 29, 2001 (approximates the condition duration), shows that Unit 1 was critical for a total of 7,680 hours0.00787 days <br />0.189 hours <br />0.00112 weeks <br />2.5874e-4 months <br /> (for a criticality factor of 0.88) and shut down for a total of 1,080 hours9.259259e-4 days <br />0.0222 hours <br />1.322751e-4 weeks <br />3.044e-5 months <br />; 32

LER 266/01-005 and Unit 2 was critical for a total of 8,316 hours0.00366 days <br />0.0878 hours <br />5.224868e-4 weeks <br />1.20238e-4 months <br /> (for a criticality factor of 0.95) and shut down for a total of 444 hours0.00514 days <br />0.123 hours <br />7.34127e-4 weeks <br />1.68942e-4 months <br /> (Refs. 14 and 15).

Table 3.2. Commercial site calendar years- calendar years 1987-2002.1 2 3 Multi-unit Sites All Sites (site calendar years) (site calendar years)

Plant Name 1987-1995 1996-2002 1987-1995 1996-2002 (9 yrs) 7 yrs) (9 yrs) (7 yrs)

Arkansas 1 9 7 Arkansas 2 9 7 Beaver Valley 1 9 7 Beaver Valley 2 8.4 7 Big Rock Point 9 2 Braidwood 1 8.6 7 Braidwood2 7.8 7 Browns Ferry 1 Browns Ferry 2 9 7 Browns Ferry 3 9 7 Brunswick 1 9 7 Brunswick2 9 7 Byron 1 9 7 Byron 2 9 7 Callaway 9 7 Calvert Cliffs 1 9 7 Calvert Cliffs 2 9 7 Catawba 1 9 7 Catawba2 9 7 Clinton 1 8.8 7 Columbia 9 7 Comanche Peak 1 5.8 7 Comanche Peak 2 2.8 7 Cook 1 9 7 Cook 2 9 7 Cooper Station 9 7 Crystal River 3 6 7 Davis-Besse 9 7 Diablo Canyon 1 9 7 Diablo Canyon 2 9 7 Dresden 2 9 7 Dresden 3 9 7 Duane Arnold 9 7 Farley 1 9 7 Farley2 9 7 Fermi2 9 7 33

LER 266/01-005 2 3 Multi-unit Sites All Sites (site calendar years) (site calendar years)

Plant Name 1987-1995 1996-2002 1987-1995 1996-2002 (9 yrs) 7 yrs) (9 yrs) (7 yrs)

Fitzpatrick 9 7 Fort Calhoun 9 7 Fort St. Vrain 2.7 0 Ginna 9 7 Grand Gulf 9 7 Haddam Neck 9 1.2 Harris 9 7 Hatch 1 9 7 Hatch 2 9 7 Hope Creek 9 7 Indian Point 2 9 7 Indian Point 3 9 7 Kewaunee 9 7 Lacrosse 0.4 0 LaSalle 1 9 7 LaSalle 2 9 7 Limerick 1 9 7 Limerick2 6.4 7 Maine Yankee 9 1.7 McGuire 1 9 7 McGuire 2 9 7 Millstone 1 Millstone 2 9 7 Millstone 3 9 7 Monticello 9 7 Nine Mile Pt. 1 9 7 Nine Mile Pt. 2 8.6 7 North Anna 1 9 7 North Anna2 9 7 Oconee 1 9 7 Oconee 2 Oconee 3 9 7 Oyster Creek 9 7 Palisades 9 7 Palo Verde 1 9 7 Palo Verde 2 9 7 Palo Verde 3 Peach Bottom 2 9 7 Peach Bottom 3 9 7 Perry 9 7 34

LER 266/01-005 2 3 Multi-unit Sites All Sites (site calendar years) (site calendar years)

Plant Name 1987-1995 1996-2002 1987-1995 1996-2002 (9 yrs) 7 yrs) (9 yrs) (7 yrs)

Pilgrim 9 7 Point Beach 1 9 7 Point Beach 2 9 7 Prairie Island 1 9 7 Prairie Island 2 9 7 Quad Cities 1 9 7 Quad Cities 2 9 7 Rancho Seco 2.4 0 River Bend 9 7 Robinson 2 9 7 Salem 1 9 7 Salem 2 9 7 San Onofre 1 San Onofre 2 9 7 San Onofre 3 9 7 Seabrook 6.6 7 Sequoyah 1 9 7 Sequoyah 2 9 7 South Texas 1 7.8 7 South Texas 2 6.5 7 St. Lucie 1 9 7 St. Lucie 2 9 7 Summer 9 7 Surry 1 9 7 Surry2 9 7 Susquehanna 1 9 7 Susquehanna 2 9 7 Three Mile Island 1 9 7 Trojan 6 0 Turkey Point 3 9 7 Turkey Point 4 9 7 Vermont Yankee 9 7 Vogtle 1 8.8 7 Vogtle 2 6.8 7 Waterford 3 9 7 Watts Bar 1 0 6.6 Wolf Creek 9 7 Yankee-Rowe 5.2 0 Zion 1 9 2.4 Zion2 9 1.6 35

LER 266/01-005 2 3 Multi-unit Sites All Sites (site calendar years) (site calendar years)

Plant Name 1987-1995 1996-2002 1987-1995 1996-2002 (9 yrs) 7 yrs) (9 yrs) (7 yrs)

SUBTOTALS 317.3 253.6 618.1 461.9 TOTALS (site calendar years)

Multiunit sites 570.9 All sites 1080 Notes:

1. Sources: CY 1987-1995 from NUREG/CR-5750; CY 1996-2002 from "Precursors to Potential Severe Core Damage Accidents-Fiscal Year 1999," Appendix C, ADAMS Accession No. ML0216801631. CY 1996-2002 see Table 3.4.
2. For site calendar years for multiunit sites, only sites having more than one operating unit were included (single-unit sites were excluded). Site calendar time was based on time when second unit began operations.
3. For all site calendar years, each site is counted once. For multiunit sites, site calendar time is based on time when first unit began operations.

36

LER 266/01-005 Table 3.3. Industry average criticality factor- calendar years 1987-2001.

Year 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 1,2 Critical Hours PWR 417775.7 466182.3 461652.3 474942.9 504981.8 512763.6 491488.7 518225.2 518681.1 515809.3 463214.3 499729.5 529114.5 538829.8 546269.5 BWR 197489.5 199293.3 204484.8 231608.8 230335.2 221641.0 234735.5 233389.0 259566.2 249177.9 236965.5 239544.1 265672.3 277399.2 276843.9 TOTAL 615265.2 665475.6 666137.1 706551.7 735317.0 734404.6 726224.2 751614.2 778247.3 764987.2 700179.8 739273.6 794786.8 816229.0 823113.4 1,2 Critical Years PWR 47.69 53.07 52.70 54.22 57.65 58.37 56.11 59.16 59.21 58.72 52.88 57.05 60.40 61.34 62.36 BWR 22.54 22.69 23.34 26.44 26.29 25.23 26.80 26.64 29.63 28.37 27.05 27.35 30.33 31.58 31.60 TOTAL 70.24 75.76 76.04 80.66 83.94 83.61 82.90 85.80 88.84 87.09 79.93 84.39 90.73 92.92 93.96 2,3 Calendar Years TOTAL 105.34 108.34 110.40 111.89 112.00 111.37 109.91 110.00 110.00 108.50 106.50 104.20 104.00 104.00 104.00 Criticality factor TOTAL 0.67 0.70 0.69 0.72 0.75 0.75 0.75 0.78 0.81 0.80 0.75 0.81 0.87 0.89 0.90 TOTALS Critical Calendar Criticality Years Years Factor TOTAL 1256.81 1620.45 0.78 Notes:

1. Data from Idaho National Engineering and Environmental Laboratory's database (MORP1.DBF) which is based on licensee's monthly operating reports as of December 2002.
2. Data are included from critical date until permanent shutdown. Ft. St. Vrain critical hours are excluded.
3. Data from NUREG/CR-5750 for CY 1987-1995 (Ref.). Data calculated for CY 1996-2001; see Table 3-4.)

37

LER 266/01-005 Table 3.4. Data used to calculate reactor calendar years (CY 1996-2002).

Calendar Days 1996 1997 1998 1999 2000 2001 2002 Decommissioned Defuel 1

PWRs Date San Onofre 1 11/30/92 0 0 0 0 0 0 0 Trojan 11/09/92 0 0 0 0 0 0 0 Haddam Neck 12/5/96 339 0 0 0 0 0 0 Maine Yankee 6/23/97 365 174 0 0 0 0 0 Zion 1 4/28/97 365 118 0 0 0 0 0 Zion 2 2/26/98 365 365 57 0 0 0 0 Startup Initial Startup-PWRs 1 Date ComanchePeak2 8/3/93 365 365 365 365 365 365 365 Watts Bar 1 5/27/96 147 365 365 365 365 365 365 Operating-PWRs267 units x 365 24455 24455 24455 24455 24455 24455 24455 days =

Total PWR (reactor calendar 72.33 70.80 69.16 69.00 69.00 69.00 69.00 years)

Decommissioned Defuel 1

BWRs Date Big Rock 9/22/97 365 264 0 0 0 0 0 Millstone 1 11/19/95 50 0 0 0 0 0 0 Operating-BWRs35 units x 365 12775 12775 12775 12775 12775 12775 12775 days =

Total BWR (reactor 36.14 35.72 35.00 35.00 35.00 35.00 35.00 calendar years)

TOTAL (PWR + BWR) 108.5 106.5 104.2 104.0 104.0 104.0 104.0 Notes:

1. Startup date from NUREG-1350, "Information Digest." Defuel date from the NRC Status Reports. Dates for San Onofre 1 and Trojan are shutdown dates from NUREG-1350. Defuel date for Millstone 1 from letterNortheast Nuclear Energy to NRC dated 7/21/98.
2. Number of plants in operation (not shut down for decommissioning) during the end of FY-02 minus new plants that were started during the period.

38

LER 266/01-005 Attachment 4 - Resolution of Comments A letter from Nuclear Management Company, LLC (NMC) to the NRC dated May 19, 2003 (Ref.

16), describes NMC's review of and comments on the Preliminary Precursor Analysis of the condition reported in LER 266/01-005. The NRC has reviewed these comments and has the following responses:

Licensee's Comment 1: Page 1 - AFW pumps are listed as P39A and P39B. The correct designations are P38A and P38B.

Response: Text corrected to show correct pump designations.

Licensee's Comment 2: Page 2; 2"d paragraph - The "Importance" section states that, "the pumps' discharge valves fail closed..." following loss of instrument air (IA). The phrase should state that "the pumps' recirculation valves fail closed..."

Response: Text corrected to indicate that AFW pumps' recirculation valves fail closed on loss of instrument air.

Licensee's Comment 3: Page 3- "Seismic event": States that lA was assumed failed due to soldered joint failure. The analysis was not this detailed. The assumption was actually based upon the vast piping network that went through non-seismic structures that include block walls.

This comment also applies to page 5 under "Sequence of interest".

Response: Text modified to delete reference to "soldered joint failure."

Licensee's Comment 4: Page 6; 6th bulleted item - Operators fail to recover instrument air pressure in time before initiation of feed and bleed should include "seismic" as an initiator, but should not include "loss of offsite power" (LOOP).

Response: Text for this bulleted item modified to clarify conditions. Text added to indicate that for seismic events, the resulting damage to the instrument air system is assumed to not be recoverable. Text also added to clarify that for LOOP, non-SBO sequences, operators must manually restore electric power to the instrument air or station air compressors and instrument air pressure recovered before feed and bleed cooling can be initiated. In the LOOP event tree, this action is assumed to be part of the initiation of the "bleed" portion of feed and bleed cooling.

Licensee's Comment 5: Page 6; 7th bulleted item - Should read, "Main Feed Water not available with a loss of Service Water (SW) due to its dependency on Service Water in addition to the subsequent loss of lA with loss of SW."

Response: Text for this bulleted item modified to clarify conditions. Text added to indicate that main feedwater is unavailable and instrument air pressure and/or service water flow must be recovered to restore secondary cooling.

Licensee's Comment 6: Page 7; 4th bulleted item - Should read, "No credit for recovery of secondary cooling without instrument air or service water."

Response: Text for this bulleted item and text on page 27 in Attachment 2 were corrected to include need for service water.

39

LER 266/01-005 Licensee's General Comment: In both the PBNP and NRC ASP analyses, no credit was taken for operators discovering the closed recirculation valve. This remains a bounding assumption in that some uncertainty remains in the operators' ability to diagnose the pump failure and take action to prevent additional pump failure. Factors affecting this are the short duration time between pump failures and the high stress following the first and second pump failures.

Response: Agreed. Additional text added to "Important assumptions" section (page 7) and in , "Details of Important Assumptions," describing the assumption that operators fail to detect pump deadhead conditions in time to prevent damage to one or more AFW pumps.

This assumption is necessary because an accurate estimate of the likelihood of the operator failing to diagnose pump deadhead conditions in time to save one or more AFW pumps cannot be made. Although this assumption is conservative, it may not be overly conservative A memo from Cynthia D. Pederson, Director, Division of Reactor Safety (DRS), Region Ill, to Patrick Baranowsky, Chief, Operating Experience Risk Analysis Branch (OERAB), Division of Risk Analysis and Application (DRAA), Office of Nuclear Regulatory Research (RES) (dated May 22, 2003), provided review comments on the Preliminary Precursor Analysis of the condition reported in LER 266/01-005. The comments have been reviewed and following responses provided:

DRS Region Ill General Comment 1: The analysis report needs to consistently state that the Point Beach preferred method for controlling AFW flow was by throttling or closing the AFW flow control valves (for the motor-driven AFW pumps) or discharge valves (for the turbine-driven pump) rather than securing the pumps. Many sections of the report merely state that operators would close the AFW pumps' discharge or flow control valves.

Throttling the valves would yield the same insufficient recirculation flow to the pumps.

Response: Agreed. Text modified to indicate that operators could throttle AFW pumps' flow control valves as well as close the valves.

DRS Region Ill General Comment 2: For the loss of service water initiating event, only the TDAFW pump is assumed available. Both MDAFW and TDAFW pumps require service water for bearing cooling, but fire water is automatically supplied to the TDAFW pump. It wasn't clear in the report whether the ASP analysis credited only the TDAFW pump.

Response: Section 10.2.2. of the Point Beach FSAR indicates that the motor-driven AFW pumps' bearing oil is cooled by service water. For the turbine-driven AFW pumps, both the turbine and pump are normally cooled by service water with an alternate source of cooling water from the firewater system. During discussions between John Schroeder of Idaho National Engineering and Environmental Lab and Paul Knoespel of NMC, Mr. Knoespel indicated that the motor-driven pumps will operate satisfactorily without service water cooling. Therefore, the SPAR model correctly credits the motor-driven pumps during a loss of service water event.

DRS Region Ill Specific Comment 1: Page 1, second paragraph, last sentence should read, "Prior to November 30, 2001, there were no backup air or nitrogen accumulators associated with these recirculation valves." Since the identification of this design deficiency, the licensee has installed a backup air source for the recirculation valves. The ASP report makes a similar statement in Attachment 2 when discussing the EOPs that were subsequently changed.

40

LER 266/01-005 Response: Agreed. Text added to indicate that prior to the discovery of this design deficiency, no backup air or nitrogen accumulators were associated with the AFW pumps' recirculation valves.

DRS Region Ill Specific Comment 2: Page 2, "Importance" section: First sentence after the table should read ".pumps' minimum recirculation valve..." instead of "...pumps' discharge valve..."

Response: Agreed. Text corrected.

DRS Region Ill Specific Comment 3: Pages 3 and 4, "Dominant sequences" section, loss of service water and loss of instrument air: The failure to feed and bleed isn't really in sequence #28 or sequence #20; although, the failure to restore service water will lead to the failure to feed and bleed.

Response: Text modified to emphasize that failure to recover instrument air pressure or service water flow results in the inability to initiate feed and bleed cooling or secondary cooling.

DRS Region Ill Specific Comment 4: Page 5, "Sequence of interest," Initiating events: Due to a second preliminary RED finding in the AFW recirculation line (identified on October 29, 2002), the licensee has re-performed its seismic analysis and determined that the instrument air system will be able to withstand a safe shutdown earthquake. Would this ASP analysis have to consider this new licensee analysis?

Response: A seismically induced loss of instrument air is the largest contributor to the CCDP for the condition analyzed in this precursor analysis. If new seismic analyses show that the instrument air system would survive a seismic event, then this precursor analysis will be updated to remove the seismic initiating event. We are only aware of the utility's new seismic study on the condensate storage tanks.

A memo from Michael Tschiltz, Chief, Probabilistic Safety Assessment Branch, Division of Safety System Analysis (OSSA), Office of Nuclear Reactor Regulation (NRR), to Patrick Baranowsky, Chief, OERAB, DRAA, RES (dated May 19, 2003), provided peer review comments on the Preliminary Precursor Analysis of the condition reported in LER 266/01-005.

The comments have been reviewed and the following responses provided:

DSSA/NRR Comment 1: Assumptions of AFW pump failure: The current analysis assumes a pump failure probability of 1.0 given a loss of instrument air. In review of industry operating experience, similar issues at other Westinghouse plants have not been as significant when considering actual system performance. In particular, the attached LER (excerpts highlighted) documents an actual loss of AFW pump recirculation event at McGuire, unit 1 and indicates that leakage past closed flow control valves and/or AFW flow recirculation valves may be sufficient to prevent imminent AFW pump failure. Subsequent inspection of the AFW pumps revealed no damage even though the pumps operated from 20 to 60 minutes in the so called "deadhead" condition. The AFW pumps were multistage, horizontal centrifugal pumps (eight-stage motor driven pumps and a nine-stage turbine-driven pump). Note that the current McGuire AFW system uses automatic recirculation control (ARC) valves and is not dependent on the instrument air system (lAS). The ARC valves were installed after the event. Note also for Point Beach, the licensee's AFW pump 41

LER 266/01-005 vendor has indicated that 10 to 20 gallons per minute flow is sufficient to prevent imminent pump failure (similar to that of the McGuire experience).

An evaluation of the type of flow control valves and/or flow recirculation valves and their susceptibility to leakage under high AFW pump discharge pressure could provide higher confidence in the upper bound pump failure probabilities used in the ASP analysis.

Response: In 1988, NMC installed modifications to increase the design minimum recirculation flow for the AFW pumps to 70 gallons per minute (gpm) for the motor-driven pumps and 100 gpm for the turbine-driven pumps. Previously, the minimum recirculation flow was 30 gpm, which the AFW pump vendor, Byron Jackson, indicated would be sufficient to prevent pump damage, based on pump heat up when on recirculation flow (Ref. 2). For the concern analyzed, leakage past the AFW pump's closed recirculation valve or the closed discharge or flow control valve could provide enough flow to prevent pump damage. However, inclusion of component failures as success logic in a risk model is typically not done. The failure probability for an air operated valve failing to close on demand is 1.0E-3; the failure probability for a motor-operated valve failing to close on demand is 3.0E-3. The likelihood that the air-operated flow control valve or air-operated recirculation valve for one of the motor-driven AFW pumps fails to close on demand or the motor-operated discharge valve or air-operated recirculation valve for the turbine driven pump fails to close, preventing damage to at least one pump is 8.0E-3. Unless leakage past these valves, sufficient to prevent pump damage, normally occurs, the likelihood that the valves will meet their design intent and close when demanded, resulting in pump deadhead conditions is 0.992.

The following events demonstrate that damage may or may not occur when an AFW pump is run in deadhead conditions. An event occurred at McGuire Unit 1(LER 369/97-009) in which the AFW pumps were run for 20 to 60 minutes without adequate recirculation flow while the pumps' flow to the steam generators was throttled back. Leakage past valves (10 to 12 gpm) provided adequate flow to prevent pump damage. At Zion Unit 1 during pump performance testing (LER 295/90-002), the turbine-driven AFW pump was run in full deadhead conditions (with all discharge valves and the recirculation valve fully closed) for about 8 minutes, resulting in damage to the pump's impeller.

Several sensitivity cases were run varying the likelihood that all of the AFW pumps would fail. One case assumed that the likelihood that at least one AFW pump would be saved (not fail) was 90%. The increase in core damage probability (CDP) was reduced by 60%;

however, the CDP was greater than 1.0E-04.

DSSA/NRR Comment 2: Clarification of the seismic analysis section: The current discussion notes that the "design basis earthquake" is 0.06g. Our review of the licensee's IPEEE indicates that the "safe shutdown earthquake" is 0.12 g peak ground accelerations (PGA). Also, the relationship of the plant's existing lAS piping design to the cited ANSI standard should be explained. The context may be intuitive to those individuals who perform seismic evaluations; however, it is not obvious to the non-informed reader what the relationship to the standard means. It should be noted that the IPEEE indicated that the piping was determined to be "seismically weak" due to the long pipe runs. Should you choose to state this in the ASP analysis, it may be beneficial to note that no credit for instrument air is a conservative assumption and suffices to meet the IPEEE intent of identification of potential severe accident vulnerabilities. Such an assumption in ASP analysis may be overly conservative if attempting to quantify a best-estimate risk value.

42

LER 266/01-005 The seismic event tree and assumptions indicate that earthquakes exceeding event the lowest range reported in NUREG-1488 (50 cm/sec2) would result in core damage appears to be quite conservative. Review of the LLNL curve distribution for annual probability of exceedance versus peak ground accelerations reveals that for the Point Beach site, the probability distribution is skewed in favor of smaller magnitude earthquakes. The current assumption that exceeding even very small magnitude earthquakes would render lAS unavailable appears unjustified based on not meeting an ANSI pipe design-specification alone. Review of actual earthquake performance of nonnuclear power stations near the Lorna Prieta, California, 1989 earthquake epicenter (considered a strong earthquake) only sustained "minor" damage (see EQE Engineering report, The October 17, 1989 Lorna Prieta Earthquake).

Footnote 7 on Table 4 (ASP model basic event probabilities that were modified) states that the base case value for the seismic initiating event (IE) frequency was 1.5E-05/year and was taken from "the Point Beach Units 1 and 21ndividual Plant Examination (IPE)" update of 1997. This reported number appears to represent the base, nominal annualized seismic risk and not the seismic initiating event frequency.

Response: A seismically induced loss of instrument air was considered as a contributor to core damage. A seismic event is assumed to result in non-recoverable damage to the non-seismically qualified instrument air system, leading directly to core damage. A simplified event tree was created for this purpose (see Figure 2). The safe shutdown earthquake for Point Beach is 0.12 g and the operating basis earthquake is 0.06 g. Because the instrument air system piping design is less robust than ANSI B31.1 piping design, the instrument air system cannot be assumed to withstand any seismic event greater than 0.06 g, without either performing a seismic analysis of the piping design or conducting visual inspections of the piping to determine seismic tolerance. Therefore, the return frequency for seismic events that would result in a loss of instrument air is conservatively estimated at 3.1E-4/yr (3.5E-8/hour) based on the lowest estimated ground acceleration value (50 cm/sec2 or 0.05 g) at Point Beach from NUREG/CR-1488, Revised Livermore Seismic Hazard Estimates for 69 Nuclear Power Plant Sites East of the Rocky Mountains (Ref. 6). (The mean frequency for this acceleration is 3.1E-4/yr.) As the lowest site-specific value found in NUREG/CR-1488, this frequency is more appropriate than arbitrarily selecting the design basis earthquake, because no design value exists for instrument air system piping.

The frequency of seismically induced core damage events for the base case is taken from the IPEEE (Ref. 7). The base case frequency is 1.5E-05/yr. The operating basis earthquake leads directly to core damage (i.e., initiating event frequency= CDF), because the loss of instrument air results in loss of both the AFW system and PORVs. The IPE event tree for loss of instrument air shows that this sequence goes straight to core damage.

Comments were provided by Ian Jung in the Division of Regulatory Improvement Programs (DRIP), NRR to Don Marksberry, OERAB, DRAA, RES, via e-mail (dated March 11, 2003).

Responses to these comments are as follows:

DRIP/NRR Comment 1: The degraded condition identified at Point Beach 1&2 had a preliminary CCDP of 7E-4 in ASP. The difference between 1E-3 and 7E-4 is statistically insignificant. One could argue that one of the agency's strategic goals was not essentially met.

43

LER 266/01-005 Response: The analysis results (for Unit 2) gave a mean CCDP of 6.6E-4, with an upper bound (95%) of 1.4E-3 and a lower bound (5%) of 1.8E-5. Although this ASP analysis made every effort to determine "best estimate" risk results, conservative assumptions were made whenever more realistic conditions or assumptions could not be reliably predicted.

Conservative assumptions include the following: (1) operators fail to detect (or respond to) the failed closed recirculation valves on loss of instrument air, (2) operators fail to detect and respond to pump deadhead conditions, preventing damage to at least one AFW pump, and (3) the instrument air system catastrophically fails following a seismic event. These assumptions and the bases for making them are discussed in Attachment 2. Because conservative assumptions were made in several key areas, we are confident that the true risks values are bounded by the values presented.

DRIP/NRR Comment 2: lf the CCDP of 1E-3 in the agency's strategic goal is meant to include all risks, e.g., external initiating events and LP/SD (low power/shut down) events, RES should have included specific discussion on these contributors.

Response: The analysis considered all initiating events included in the SPAR model, plus external events. As stated in "Sequences of interest, Initiating events" (page 5), only those initiating events in which loss of instrument air is the direct result of the initiating event were considered when quantifying the CCDP. (Although the condition evaluated in this assessment [deadhead of the AFW pumps following loss of instrument air pressure] could result due to causes that are independent of the initiating event or due to causes that share some dependency with the initiating event, it is the latter case that has the greater risk significance.) The events considered were: loss of instrument air (due to equipment failure in the instrument air system), loss of service water (which results in loss of cooling water to the instrument air and service air compressors), loss of offsite power (which results in loss of electric power to the instrument air and service air compressors), and seismic events (which result in seismically induced failure of instrument air piping or components). When calculating the CCDP and CDP, the condition assessment used the number of hours that the unit 1 and unit 2 reactors were critical (critical hours were taken from Point Beach's monthly operating reports). This includes low power conditions. Risks during shutdown were not estimated because the fraction of time during shutdown because the period of time AFW would be needed was small.

DRIP/NRR Comment3: In terms of the use of the mean value with the uncertainty bounds, the two events with a similar mean value but with significantly different uncertainty distribution should be distinguished. Since the users of the ASP output would focus on the mean value, the use of uncertainty information should be done carefully.

Response: Agreed. No response required.

44

LER 266/01-005 45

LER 266/01-005 46

LER 266/01-005 47

LER 266/01-005 48

LER 266/01-005 49

LER 266/01-005 50

LER 266/01-005 51

LER 266/01-005 52

LER 266/01-005 53

LER 266/01-005 54

LER 266/01-005 55

LER 266/01-005 56

LER 266/01-005 57

LER 266/01-005 58

LER 266/01-005 59

LER 266/01-005 60

LER 266/01-005 61

LER 266/01-005 62

LER 266/01-005 63

LER 266/01-005 64

LER 266/01-005 65

LER 266/01-005 66

LER 266/01-005 67

LER 266/01-005 68

LER 266/01-005 69

LER 266/01-005 70

LER 266/01-005 71

LER 266/01-005 Table 3-1. Point Beach Units 1 and 2 PWR B system dependency matrix.

72

LER 266/01-005 73

LER 266/01-005 74

LER 266/01-005 Table 3.2. Point Beach Units 1 and 2 PWR B fault tree flag sets.

75

LER 266/01-005 76

LER 266/01-005 77

LER 266/01-005 78

LER 266/01-005 79

LER 266/01-005 80

LER 266/01-005 81

LER 266/01-005 82

LER 266/01-005 83

LER 266/01-005 84

LER 266/01-005 85

LER 266/01-005 86

LER 266/01-005 87

LER 266/01-005 88

LER 266/01-005 89

LER 266/01-005 90

LER 266/01-005 91

LER 266/01-005 92

LER 266/01-005 93

LER 266/01-005 94

LER 266/01-005 95

LER 266/01-005 96

LER 266/01-005 97

LER 266/01-005 98

LER 266/01-005 99

LER 266/01-005 100

LER 266/01-005 101

LER 266/01-005 102

LER 266/01-005 103

LER 266/01-005 104

LER 266/01-005 105

LER 266/01-005 106

LER 266/01-005 107

LER 266/01-005 108

LER 266/01-005 109

LER 266/01-005 110

LER 266/01-005 111

LER 266/01-005 112

LER 266/01-005 113

LER 266/01-005 114

LER 266/01-005 115

LER 266/01-005 116

LER 266/01-005 117

LER 266/01-005 118

LER 266/01-005 119

LER 266/01-005 120

LER 266/01-005 121

LER 266/01-005 122

LER 266/01-005 123

LER 266/01-005 124

LER 266/01-005 125

LER 266/01-005 126

LER 266/01-005 127

LER 266/01-005 128

LER 266/01-005 129

LER 266/01-005 130

LER 266/01-005 131

LER 266/01-005 132

LER 266/01-005 Information removed during SUNSI Review 133

LER 266/01-005 Information removed during SUNSI Review 134

LER 266/01-005 Information removed during SUNSI Review 135

LER 266/01-005 Information removed during SUNSI Review 136

LER 266/01-005 Information removed during SUNSI Review 137

LER 266/01-005 Information removed during SUNSI Review 138

LER 266/01-005 Information removed during SUNSI Review 139

LER 266/01-005 Information removed during SUNSI Review 140

LER 266/01-005 Information removed during SUNSI Review 141

LER 266/01-005 Information removed during SUNSI Review 142

Retrieved from "https://kanterella.com/w/index.php?title=ML20114E135&oldid=2941995"