ML20132C136
Text
-
1
~
- a nt
[
/ ' E )I UNITED STATES
[
j NUCLEAR REGULATORY COMMISSION 7.
p WASHINGTON, D, C. 20555
- C**OV/
May 10, 1984 MEMORANDUM FOR:
Thomas M. Novak[hssistant Director for Licensing Division of Licensing Lester S. Rubenstein, Assistant Director for Core and Plant Systems Division of Systems Integration FROM:
Frank H. Rowsome, Assistant Director for Technology Division of Safety Technology
SUBJECT:
GRAND GULF VULNERABILITY TO CORE DAMAGE DUE TO TDI DIESEL FAILURES Art Buslik of RRAB has prepared the enclosed sensitivity study which relates the frequency of core damage due to loss-of-offsite power to the assumed reliability of the TDI emergency diesel generators. The assessment includes external events. Modest credit is given for the gas turbine generators MP&L has brought in as a compensatory measure.
We conclude that even if neither TDI diesel had any reliability at all, the core melt frequency at Grand Gulf would not loom large compared with that of many plants licensed to operate by the Comission. With one TDI diesel out of service and modest reliability in the other, the core melt frequency from station blackout would begin to approach the goal tentatively set for the resolution of USI A-44, " Station Blackout", better than that of many operating plants. With modest availability in both TDI diesels, the station would be substantially safer from station blackout than the numerical A-44 target would require.
As a result, the PRA supports the position that fu'11 power operation of Grand Gulf poses no undue risk even with one TDI diesel out of service and "
limited confidence in the reliability of the other TDI diesel generator.
Frank H. Rowsome. Assistant Director for Technology Division of Safety Technology
Enclosure:
As stated i
i cc w/ enclosure:
T. Speis A. Thadani A. Buslik M
muss e J. n
._l ENCLOSURE GRAND GULF STATION BLACK 0UT RISK ASSESSMENT I.
Introduction An assessment of the station blackout core melt frequency as a function of the failure probability per demand of the TDI diesel generators is reported herein.
As in all severe accident safety analyses, this analysis is built upon estimates of system success failure criteria and reliability estimates that are consistent with available evidence but not rigorously proven.
No formal, quantitative analysis of uncertainties has been undertaken.
The starting point for the analysis was the Grand Gulf RSSMAP (NUREG/CR-1659) but modifications to the analysis had to be made; in particular, we have added to the Grand Gulf analysis consideration of battery depletion after station blackout, treatment of gas turbines, and recent research sponsored to resolve the Unresolved Safety Issue A-44, " Station Blackout".
The organization of the remainder of this document is as follows:
f II.
Accident Sequence Delineation 4
III. Loss of Offsite Power frequency and Gas Turbine Reliability IV.
Mitigating Systems Analysis
. eampwe.*
FMyem-Mmsese npa'4In+e-+wn-e==**'N'Wi--=-Tu-=***='**
W'"*-
i V.
Dominant Accident Sequence Quantification VI.
Summary and Conclusions II.
Acciden't Sequence Delineation t
f Accident sequences of importance, in which the failures of the diesel
'l j
generators enter, are those initiated by loss of offsite power.
A large a
LOCA followed by loss of offsite power is not important because of its low probability.
In order to mitigate a loss of offsite power transient, one must satisfy the reactor subcriticality, core heat removal, and containment heat removal functions.
However, sequences in which reactor subcriticality fails (ATWS sequences) are not important because of their low probability.
A rough estimate of loss of offsite power induced ATWS events is.1/yr. x 1x10 5, or 1x10 s/yr.
This estimate is based on a.1/yr loss of offsite power frequency and 1x10 s/ demand as the probability of failure of the non-electrical portion of the reactor protection system.
If one of the TDI diesel generators starts, these sequences do not necessarily lead to core melt.
After a loss of offsite power, a safety relief valve (SRV) may fail to 1
]
close. This would result in a transient induced LOCA.
From a study of the a
j Grand-Gulf RSSMAP, it was found that sequences involving a stuck open SRV were similar to those without a stuck-open SRV, i.e., have similar mitigation requirements, but at a lower probability because of the added failure.
i
)
The small difference in time to overpressurize the containment (when containment heat removal is failed) between the case when a SRV is stuck open and when it is not stuck open is not significant.
Sequences involving a stuck-open SRV were therefore not discriminated from those sequences not involving stuck-open SRV's.
.,._,~,_,._1 3
. Successful core heat removal can be performed by:
(1) The High Pressure Core Spray System (HPCS)
(2) The Reactor Core Isolation Cooling System (RCICS)
,j (3) Depressurization of the reactor pressure vessel and use of either the Low Pressure Core Spray (LPCS) or the Low Pressure Coolant Injection System.
Core heat removal must be initiated within 30 minutes to prevent core uncovery.
Successful containment heat removal can be performed by use of the Residual Heat Removal System in either the suppression pool cooling mode or the steam condensing mode. Without containment heat removal, the containment is assumed to fail in about 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> from containment overpressure (see section on Residual Heat Removal System).
III.
Loss of Offsite Power frequency and Gas Turbine Reliability (a)
Loss of Offsite Power The frequencies of losses of offsite power for greater than certain i
specified times (in particular,1/2 hr., 6 hrs., and 30 hrs.) are important j
parameters in the analysis.
Use was made of the draft version of NUREG-1032 (Evaluation of Station Blackout Accidents at Nuclear Power Plants-Technical Findings Related to Unresolved Safety Issue A-44).
According to NUREG-1032, I
plants are divided into 3 categories, as far as the frequency of loss of s
~,e
offsite power events exceeding a certain specified time.
In order to determine the category to which a given plant belongs, one must know the grid reliability, the grid recovery capability, and the severe weather hazard cnara'cteristics of the plant. We assume here that there are no grid
]
stability problems at Grand Gulf (any problems associated with Florida plants are not considered pertinent), and that the plant has the capability and procedures to recover offsite AC power to the site within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of a grid blackout. The severe weather hazard characteristics involve the frequency of non-tornado winds with (fastest mile) wind speeds greater than 125 mph.
The plant is assumed to be protected against tornados because it has an incoming transmission line not electrically connected to the switchyard (see NUREG-1032 for this criterion). The frequency of non-tornado winds exceeding 100 mph is only 10 4/yr according to a memo from William P. Gammill to Ashok Thadani, dated April 16, 1984 [
Subject:
Tornado and High Wind Frequencies at Grand Gulf Nuclear Station], Attachment 1.
With this frequency of high winds, and with the other assumptions we have made, Grand Gulf falls into the best category of plants as far as loss of offsite power is concerned. We obtain, from figure 3.2 of NUREG-1032:
t frequency of losses of offsite power exceeding 30 minutes =.07/yr frequency of losses of offsite power exceeding 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />
=.01/yr frequency of losses of offsite power exceeding 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />
=.001/yr
Seismically-induced losses of offsite power must be treated separately, since
the gas turbines which Mississippi Power and Light (MP&L) will install at the Grand Gulf site are not seismically qualified. According to a memo from Robert E. Jackson to Ashok Thadani, dated April 16, 1984 (Attachment 2), the Geoscience Branch does not " expect the chance of exceeding the SSE (peak acceleration or response spectrum) to be greater than 10 3 per year." We interpret this statement as stating that the median frequency of exceeding the SSE is not greater than 10 3/yr. We shall adopt 10 8/yr as our best estimate, or mean, frequency of occurrence of the SSE earthquake, and assume offsite power is lost due to-seismic events greater than or equal to the SSE.
(b) Gas Turbine We now consider the gas turbines.
Two out of three gas turbines can power sufficient loads on one division of the electrical power system to mitigate a loss of offsite power transient. We es'timate the failure probability (for starting and loading) of a single gas turbine as.1.
Because of the 2-out-of-3 success criterion, the failure probability of the gas turbine system, if the gas turbine failures were independent events, would be 3 (.1)2 =.03.
However, because of the manual actions required, and the possibility of common-mode failures, an estimate of.1 for failure of the gas turbine system seems more realistic; this estimate includes failure of
~
the breakers and synchronization circuits.
i 4
w
-->-*emee-l
IV.
Systems Analysis (a) RCIC System The RCIC sys' tem is independent of electric power, except for DC power coming from Division 1 of the electric power system.
Failure of the TDI diesel generator powering division 1 would result in depletion of the battery on division 1 in a period of time estimated at 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
Failure of RCIC room cooling will not fail the RCIC system in the 6 hour6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> time period, according to the information we have received informally from MP&L.
The RCIC pump trips, not on high RCIC room temperature, but on high temperature differential accross the RCIC room cooler. With division 1 electric power failed, the room cooler is not functional and the temperature difference across the room cooler will be low, and not cause RCIC pump trip.
(b) HPCS The HPCS is powered by division 3 of the electric power system. The division 3 diesel generator is not a TDI diesel generator.
The DC power required by the HPCS for its control can be supplied by the division 3 diesel generator through the division 3 battery charger, or by the division 3 battery.
Although most instrumentation and control is powered by divisions 1 and 2 of the electric power-systenr-(EPS) there is adequate instrumentation and control for operation of the HPCS which depends only on division 3 of the EPS. The logic circuitry and sensors-to start the HPCS on low vessel water level (or high drywell pressure) and to stop the HPCS on high vessel water level (provided drywell pressure is not high) are powered by division 3 of the EPS.
From information received orally from MP&L there is a
meter in the control room, on a back panel, which gives the operators adequate knowledge of the vessel water level, and is powered by. division 3.
(The meter is not as accurate as those pcwered by divisions 1 and 2, but nevertheless is adequate.) The effects of an increase in drywell temperature on the accuracy of the vessel water level sensors was not investigated.
In the GESSAR plant, one of the concerns with a high drywell temperature was RPV level instrument reference leg boiloff.
However, one of the recommended operatnr actions for station blackout scenarios is to depressurize the reactor vessel; this reduces the saturation temperature in the reactor vessel with a resulting decrease in the temperature difference between the vessel water and the drywell, with a corresponding decrease in the heat transfer rate. The GE analysis indicates that high drywell temperature is not a problem for the GESSAR plant.
(c) Low Pressure emergency core cooling systems These systems require the division 1 or 2 diesel generators.
Either diesel generator is sufficient for success.
Depressurization of the reactor vessel is required within 30 minutes, for the use of the low pressure systems.
(d) Residual Heat Removal System The residual heat removal system is required to remove heat from the containment. Without containment heat removal the containment will fail in 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />, from overpressure, and core melt will follow. We note however that there are procedures at Grand Gulf for venting the containment.
It is not clear how this would be implemented under station blackout conditions.
No credit for venting the containment and avoiding overpressure failure was made in the present analysis.
I
,,.,s.y.,
.e m m
- e p.
The residual heat removal system requires division 1 or 2 diesel generators for success. We note however that (according to information received orally from MP&L) there is the possibility of using the division 3 diesel generator to power the' division 1 or 2 loads, by manual actions. We have not reviewed this, and are not giving credit for the possibility in the present analysis.
IV.
Dominant Accident Sequence Quantification The accident sequences of importance which are sensitive to the failure probabilities for the TDI diesels are:
(1) T(.5)
- GT
- U
- V (2) T(6)
- GT
- U1 *V (3) T(30)
- GT
- W
- NRE Here T(t) = event of loss of offsite power for a time greater than t hours.
Implies loss of power conversion system.
l GT = event of failure of gas turbine system U = failure of-both HPCS and RCIC to start within 30 minutes.
t U1 = event that HPCS and RCIC are failed at 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br />.
I
.~
,. '. - ~
~
^
j 9-l V = failure of the low pressure core cooling systems, which depend upon the TDI diesels when offsite power is unavailable W = failure of containment heat removal (residual heat removal) system.
This, too, depends upon the TDI diesels when offsite power is I
unavailable.
i NRE = failure of recovery of the gas turbines in 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br />, and failure of recovery by extraordinary measure, such as bringing in a diesel generator from offsite, in the 30 hours3.472222e-4 days <br />0.00833 hours <br />4.960317e-5 weeks <br />1.1415e-5 months <br /> available.
The cutsets of importance, as concerns the reliability of the TDI diesel generators, for accident sequence (1), are given by i
T(.5)
- GT
- EPS1 EPS2 R - (H+EPS3) where EPSN = failure of division N of the electric power system, N=1, 2, or
- 3. ^(N=1, 2 correspond to TDI diesel generators) i R = failure of the RCIC system H = hardware failures of the HPCS system 4
.- ~
~ ~ ' ' ^ '
- ~ ~ ~ ~ '
The cutsets of inportance for accident sequence (2) are given by T(6)
- GT * (H+EPS3)
- EPS1
- EPS2, because the RCIC pump is assumed to fail in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> due to battery depletion.
1 The cutset of importance for accident sequence (3) is T(30)
- GT
- EPS1
- EPS2
- NRE I
Quantification must consider the fact that the gas turbines (and its required auxiliaries and support systems) are not seismically qualified. We have assumed the probability of failure of the gas turbines on a seismic event (greater than the SSE) is unity.
Moreover, we have assumed that a seismic event greater th'an the SSE will cause a loss of offsite power of duration in excess of thirty hours.
Quantification of the cutsets yields f(cm) =
f(T(.5)) P(GT) P(EPS1*EPS2) P(R)* P(H+EPS3) f(T(6)) P(GT) P(EPS1*EPS2) P(H+EPS3)
+
f(T(30)) P(GT) P(EPS1*EPS2) P(NRE)
+
f(sse) P(EPS1*EPS2) P(NRE)
+
f(sse) P(H+EPS3) P(EPS1*EPS2)
+
e.
.-e
=.
,-w,
- ~" ~~
1 11 -
Here f(cm) is the frequency of core melt due to the sequences in which failure of the TDI diesel generators is important, P (x) is the probability of the event x, f(T(t)) is the frequency of (non-seismically induced) loss of offsite power for a time greater than t hours, and f(sse) is the frequency of exceedence of the SSE.
The above expression for f(cm) neglects any common mode failure between division 3 and the two other divisions of the electric power system.
Numerical evaluation of the expression for f(cm) used the following values:
Event Probability (or frequency)
T(.5)
.07/yr.
T(6)
.01/yr.
T(30)
- 001'/yr.
T(sse) 001/yr.
EPS3
~
055 H
021 R
051 NRE 1
=
GT 1
The value for the probabilities of EPS 3, H, and R were taken from the Grand Gulf RSSMAP. The value of P(NRE) was chosen subjectively; the value for the as % ~,
-ange w 4,%.e.==e m
a r--e w+#
e
~
- .L.
~'
^
....-.L.. ~:.T.-- *
~
l '
frequencies of T(t), T(sse), and the probability of GT were discussed in the section on loss of offsite power.
Numerical quantification of the expression for f(cm) yields f(cm) = 2.9x10 4 x P (EPS1*EPS2)/yr The probability of failure of the division 1 and 2 diesel generators must include failure to run for a period of about 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> or so.
If a diesel generator were to run for only 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, and then fail, the core melt frequency conditional on this event would be almost identical to that obtained if the diesel generator did not work at all.
The reason for this is that the frequency of losses of offsite power exceeding 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> is not much different than the frequency of losses of offsite power exceeding 7 1
0 hours0 days <br />0 hours <br />0 weeks <br />0 months <br />.
P J!
The table below gives values of the core melt frequency f(cm) as a function of l
various assumed values for the failure probability of divisions 1 and 2 of the electric power system.
Failures of support systems to the diesel generators--
(batteries and service water cooling) contribute about.03 to the failure prob-i
.]
ability of EPS1 or EPS2, according to the Grand Gulf RSSMAP.
I.
I 77
m P(EPS1)
P(EPS2)
P(EPS1
- EPS2) f(cm) 1.0
.1
.1 3 x 10 sfyr
.1 1
.1 3 x 10 5
.1
.1
.01 3 x 10 s 1
1 1.0 3 x 10 4 For comparison purposes we note that core melt frequencies for many plants are now in the vicinity of 10 4/yr. The A-44 goal is about-1 x 10 5/yr or 2 x 10.sfyr for the core melt frequency from station blackout events.
Grand Gulf would be worse than the average plant' but not extremely poor, even if the TDI diesel generators had zero reliability.
If the TDI diesel generators both had a modest reliabiiity (P(EPSI) = P(EPS2) =.1) the Grand Gulf core melt frequency
(
would be quite good, from station blackout.
If one diesel generator had zero reliability and the other diesel generator had only a modest reliability lj (P(EPSI) = 1, P(EPS2) =.1), then the Grand Gulf station blackout frequency would l i
^
be 3 x 10.s/yr, which is larger than the station blackout goal of 2 x 10 s/yr, but not excessive - moreover, if the problems with the TDI diesel generators are resolved soon, the period of time for which this condition exists is a small fraction of the plant lifetime.
If one diesel generator were completely out of l
l I
I
-_.n..--
~ -
. ~.. - - -
- - - - +
--~m-~---
+ - ~ ~ -
~
L..~..
- =.-
~
c.
14 -
service for, say, 2 months, and the other diesel generator had a failure probability of.07 (so that P(EPSI) =.07 +.03 =.1), the core melt probability for station blackout for the two month period would be 3 x 10.s/yr x 2 months = 5 x 10 s, 12 months j
VI.
Summary A calculation of the core melt frequency due to sequences involving failures of the TDI diesel generators was performed, for the Grand Gulf Nuclear Power Plant. The core melt frequency obtained was ll 2.9 x 10 4 x P(EPS1*EPS2)/yr, where P(EPS1*EPS2) is the probability that both divisions 1 and 2 of the electric power system fail to start and run for about 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> after starting.
Divisions 1 and 2 are powered by the TDI diesel generators.
I
]
w*
e%,
. + *a-w+
weem e wepoe m m ***
- =+==**m**F+>
~ ~
,r
-.----,..r--,--
y-
.wy
,