ML20196D840
| ML20196D840 | |
| Person / Time | |
|---|---|
| Issue date: | 01/21/1988 |
| From: | Stello V NRC OFFICE OF THE EXECUTIVE DIRECTOR FOR OPERATIONS (EDO) |
| To: | |
| References | |
| REF-GTECI-A-44, REF-GTECI-EL, TASK-A-44, TASK-OR, TASK-RIA, TASK-SE SECY-88-022, SECY-88-22, NUDOCS 8802180240 | |
| Download: ML20196D840 (486) | |
Text
{{#Wiki_filter:_ _ _ _ _ _ _ _
.esuno,g r
RULEMAKING ISSUE January 21, 1988 (Affirmation) SECY-88-22 For: The Commissioners From: Victor Stello, Jr. Executive Director for Operation's , 1
Subject:
FINAL STATION BLACK 0UT RULE, USI A-44 Purcose: To obtain Commission approval for publication of a Notice of Final Rulemaking on the subject of Station Blackout.
Background:
On March 21, 1986, a Notice of Proposed Rulemaking cn the subject of Station Blackout was published in the Federal Register. That Notice (Enclosure A) invited public comments regarding e propoced Station Blackout Rule (and the essociated draft Regulatory Guice), which would require that light-water-cooled nuclear. power plant; be capable of withstanding a loss of offsite and onsite emergency ac power for a specified ( duration and maintaloing reactor core cooling during that period. . The specified eration would be deterniaed .for each plant based on i compar al t:.e individual plant design with factors that have : identified as the main contributors to risk cf core melt resulting from station blackout. These factors are: (1) the redundancy of onsite emergency ac pcwer sources, (2) the reliability of the onsite emergency ac power sources, (3i the frequency of loss of offsite power and (4) the probable time needed to rest.cre offsite power. The Notice of Proposed Rulemaking proposed amending the regulations by adding a new 550.63.and b/ adding a new final paragraph to General Desian Criterion 17, Appendix A of 10CFR Part 50. Discussion: ' In response to the Notice of Proposed Rulemaking, 53 letters commenting on +he proposed rule were received. Forty-five of these were from the nuclear. industry, comprised of electric utilities, consortiums of. electric utilities, vendors, a trade association and an architect / engineering firm. Other letters were submitted by the Union of Concerned CONTACT: Warren Minners, RES, (492-3510) AlecjLjlerkiz, RES,_(492-3555) , , Q 2lh g W "/* i
. - m = r= -.
. l To The Commissioners -
S Scientists (UCS), the Department of Nuclear Safety of the State t of Illinois (IDNS), a representative of the Professional ' Reactor Operator Society, a citizens group, a consultant, and three individuals. UCS, IDNS and the citizens group supportel ; the Conmi:,sion's objective in the proposed rule, but did not t believe it went far enough to reduce the possibility of a i serious accident that could be initiated by a station blackout. , largely, the industry coments were opposed to generic . rulemaking to resolve the station blackout issue. The Nuclear ; Management and Resources Council (NUMARC) with the support of 39 industry letters submitted, along with its coments on the proposed rule, a set of industry initiatives.that it believed r would resolve this issue without rulemaking. l The staff has considered the coments received and has. prepared I a draft Federal Register Notice of Final Rulemaking (Enclosure , B). Thelupplementary Information Section of the Notice i includes discussion of the coments received and their i disposition in the final rule. The significant changes from i the proposed rule are: (1) the requirement for licensees to determine their plant's maximum station blackout coping capa-1 7 1 bility has been deleted (coping for an acceptable durati,on, as ' I specified in the final rule, would prceide adequate protection), (2) the concept of an "alternate ac source" will ; be accepted as demonstration of adequate station blackout coping capability, and (3) the withdrawal of the modification to GDC 17;.instead, the previously proposed change to GDC 17 l ] has been incorporated into $50.63. The proposed modification ' 4 to GDC 17 has been deleted so that it is clear that station i blackout would not be considered with other events usually ; associated with desie QA (Appendix B), EQ (n basis 50.49), andevents, seismic such as, single failure, design. As part of the public coment process, the Comissioners ) ! specifically requested coments on four issues when the i proposed rule was published. They are: , 1
- 1. Quality Classification of Modifications l 2. Whether the Backfit Analysis Adequ'ately Implements the i i
Backfit Rule. ' 4
- 3. Cost-Benefit and Whether $50.63 Meets the "Substantial l
, Increase in the Overall Protection of the Public Health 1 and Safety." )
- 4 Whether NRC Should Require Substant.ial Improvements in
^
Safety that Go Beyond TL Proposed in this Rulemaking. These issues are the first four subjects discussed under "Comments on the Proposed Rule" in Enclosure B. !
. l l
. l i
1 i' ! To The Comissioners . ! i
- e i
The Regulatory /Backfit Analysis for the Resolution of Unresolved Safety Issue (USI) .A-44, Station Blackout - l (NUREG-1109) has been revised somewhat to reflect the final i rule and information received during the public coment period. l It is pro' tid.J c3 Ot. e 5u.= C. Regulatory Guide 1.4651s l ! provided as Enclosure D_ and cresents a method acceptable to the ] staff to comply with the rule. The staff's technical findings -,
- for USI A-44, Evaluation of Station Blackout at Nuclear Pcwer l 1 Plants (NUREG-1032) are provided as Enclosure E. [
The ACRS reviewed the staff's proposed final resolution for the ' station blackout and issued their recomendations on June 9, i 1987 (Enclosure F). The ACRS recomended that a rule not be : issued, but that the staff continue to work with NUMARC on the ! technical aspects of industry's initiatives. ACRS further reccmended that the staff proceed with issuance of the final - rule if by September,1987 the staff determines that the NUMARC initiatives will not be effective or timely in reducing the risk from station blackout. The staff met with the ACRS on
- November 5.1987 and briefed the Comittee on the results of 4
w rking wi... the NUMARC/NUGSB0 group, and the development of' i l . NUMARC-8700. NUMARC also briefed the Committee on their
- expanded initiatives and NUMARC-8700. The ACRS Chairman ,
i indicated to the staff that this resolution was acceptable and ! Lhat there was no need for another ACRS letter. ; The Comittee to Review Generic Requirements (CRGR) considered { the station blackout issue at meeting No.115 on May 27,1937. ] In the m:nutes of that meeting dated June 23,1987(Enclosure i G), the CRGR recommended to the 600 that the proposed i j resolution for USI A 44 be approved; subject tn a number of ; 1 revisions recomended by the Ccmittee. The staff is in !
'greement with the revisions recommenced by the Cemittee, ano ;
nas modified the station blackout package accordingly, with the ; exception of Discussion Item No. 4. The staff believes that l l " this recomendation to have a review standard for the I acceptance of the specified blackout duration has been suitably l i, addressed in the standards incorporated into R.G. 1.155. ; By letter dated November 23, 1987, NUMARC submitted a report (NUMARC-8700, Guidelines and Technical Bases for NUMARC ! Initiatives Addressing Station Blackout at Light Water i l Reactors, Enclosure J) which provides guidance and ;
- %ethodologies which can be used by the licensees for I I
implementing the NUMARC initiatives. This report has been I ] reviewed by the staff and discussed with representatives of I.
- u. _.._. _ -_ _ _ ,.- - _ _ _ . _ . , , _
m
To The' Commissioners ' i NUMARC at a number of meetings. Consequently, the staff has referenced NUMARC-8700 in Regulatory Guide 1.155 as providing guidance acceptable to the staff for meeting the requirements of the final rule. Regulatory Guide 1.155 provides a cross-reference to NUMARC-8700 and notes where the regulatory guide takes precedence. USI A-44 is related to other generic issues. These incluee Generic Issue B-56, Diesel Generator Reliability; USI A-45, j Shutdown Decay Heat Removal Requirements; Generic Issue 23, Reactor Coolant Pump Seal Failures; and Generic Issue 128, 3 Electrical Power Reliability, which includes Generic Issue A-30, Adequacy of Safety-Related DC Power Supplies, Generic Issue 48, LC0 for Class IE Vital Instrument Buses in Operating Reactors, and Generic Issue 49, Interlocks and LCOs for Redundant Class IE Tie Greakers. The Regulatory /Backfit Analysis (NUREG-1109) discusses these relationships further. The resolution of Generic Issue B-56 is of particular relevance , to the resolution of USI A-44 because of the importance of diesel generator reliability in station blackout. Regulatory Guide 1.155 identifies a minimum diesel generator reliability ? level of 0.95 and the need for implementing a diesel generator . i reliability program to maintain this reliability level, or any 2 higher level that may have been used in the determination of . the coping duration required by the station blackout rule. In ; cases where sites do not meet the minimum reliability guidance ' provided in Regulatory Guide 1.155, the required coping duration must be further justified or increased to the ne.vt i highest duration level. Regulatory Guide 1.155 also icentifies , the major elements of the diesel generator reliability program l which should be implemented. The resolution.of Generic Issue B-56 will provide more explicit guidance for this reliability , program which will be included in revisions of Regulatory Guide
; 1- 108, "Periodic Testing of Diesel Generators Used as Onsite Electric Power Systems at Nuclear Power Picnts," and the .
i appropriate sections of the Standard Review Plan and Standard Technical. Specifications. Because Regulatory Guide 1.155 already includes basic guidance regarding minimum diesel generator reliability and the measures to be taken to achieve the necessary levels, the staff has concluded that *,he i resolution of USI A-44 need not be delayed pending final .
, resolution of Generic Issue B-56. The final resolution of B-56, which is scheduled for FY88, will provide turther assurance that the diesel generator rel'13bility will be maintained equal i to or above the levels selected for determi~ nation Of the I
required plant coping duration.
9 a To The Commissioners . - 5-It should be noted, based on all evidence that staff has on hand, that no of promulgation undue risk exists the station with,(,or blackout SBO)without, the rule. However, SB0 may still remain an important contributor to residual risk. This sBO rule will enhance satety by accident prevention and thereby reduce the likelihood of a core damage accident being caused by a station blackout occurrence. This does not mean however, that further enhancements in reducing the overall residual risk are not achievable by additional improvements in
, severe accident management, given the assumption that core damage occurs, whether from SB0 sequences or other causes (such as small or large LOCA sequences). Initiatives that prnvide such safety enhancements (through improvements of core damage management procedures) are currently being pursued apart from the SB0 rule. Therefore, this rule should be viewed as being in the same accident prevention context as the ATWS rule (950.62) and the fire protection rule (550.48). Such rules recognize multiple failure possibilities resulting from common cause effects that should be addressed. This concern has been recognized in the Introduction to. Appendix A of 10CFR50.
Although USI A-44 will be resolved with the. publication of the final rule, the related generic. issues should not be considered resolved as a consequence of this action. These related generic issues are being coordinated with the resolution of A-44. Any additional requirements or guidance contained .in the resoluttens of these generic issues will be consistent with the requirements of this station blackout rule and is not expected to cause licensees to revise analyses, procedures or equipment that were changed to comply with the station blackout rule. The corresponding Standard Review Plan sections and the Temporary Instructions for inspectors will be issued prior to 2 implementing the rule and. Regulatory Guide. Recommendation: We recomend that the Consnission:
- 1. Approve publication of the Federal Register Notice of Final Rulemaking provided as Enclosure B;
]
- 2. Note that NUREG-1109, Regulatory /Backfit Analysis for the Resolution of Unresolved Safety Issue A-44, Station Blackout (Enclosure C) will be placed in the Public ,
Document Room.
l
- 1 1
l l, i To The Commissioners . ! I l 3. Note that the NRC will issue Regulatory Guide 1.155 on ~ Station Blackout (Enclosure D) and NUREG-1032, Evaluation of Station B16cxout Accidents at Nuclear Power Plants , (EnclosureE). !
- 4. Certify, pursuant to the requirements of the Regulatory i Flexibility Act, 5 U.S.C. 605(b), that this rule will not have a significant economic imp ct on a westantial number of- small entities- B I
- 5. Note that neither an Environmental Assessment nor an TnVTronmental Assessment in support of a Finding of No -
Significant Impact are' required for this rulemaking action under the categorical exclusion provisions of : 651.22(c)(3)(ii and iii) involving recordkeeping and - reporting requirements; l
- 6. Note that the Office of Management and Budget has reviewed and approved the infomation collection ~ require-ments subject to the Paperwork Reduction Act of 1980;
- 7. Note that appropriate Congressional Committees will be !
informed by means of letters similar to that in , Enclosure H; i
- 8. Note that the Pu'lic u Notice shown in ' Enclosure I will be released.
OGC has no legal objection to the final package.
,~~~
f m l , ctor SteMo, Jr f ExecutiveDirecta[. for Operations i I I
Enclosures:
i See next page i
~
l i I l l
. 1
To The Commissioners .
Enclosures:
A Federal Register Notice of Proposed Rulemaking B Proposed Federal Register Notice of Final Rulemaking C NUREG-1109, Regulatory /Backfi* Analysis for the Resolution of Unresolved Safety Issue A-44, Station Biauuut D Regulatory Guide on Station Blackout (RG 1.155) , E NUREG-1032, Evaluation of Station Blackout Accidents at ' Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-44 F Letter from W. Kerr to L. W. Zech, Jr. datr.d June 9,1987 G Letter from E. L. Jordan to V. Stello, Jr. dated June 23, 1987 H Draft Congressional letter I Public Notice J NUMARC-8700, Guidelines and Technical Bases for NUMAP.C Initiatives Addressing Station Blackout at Light Water Reactors, November 20, 1987 Corranis sioners ' comments or consent should be provided directly to the Office of the Secretary by c.o.b. Fridav, February 12, 1988. Commission Staff Office commants, if any, should be submitted to the Commissioners NLT Wednesday, February 3, 1988, with an information copy to the Office of the Secretary. 'If the paper is of such a nature that it requires additional time for analytical review and comment, the Commissioners and the Secretariat should be apprised of when comments may be expected. This paper is tentatively scheduled for affirmation at an Open j Meeting during the Week of February 15, 1988. Please refer to l the appropriate Weekly Commiss. ton Schedule, when published, for l a specific date and time, , 1 DISTRIBUTION: Commissioners OGC (H Street) OI - OIA I GPA l REGIONAL OFFICES EDO l OGC (WF) i ACRS l ASLBP ASLAP SECY 4
6 6 9 $ e 0 e e 4 e 4 0 S4
- ENCLOSURE B 4
6 6 4 4 e e a l i e I i 1 e , i 1 i , - l 1
. -1
[7590-01)
- s. , . .
Enclosure A NUCLEAR REGULATORY COMMISSICN 10 CFR Part 50 Station Blackout AGENCY: Nuclear Regulatory Comission. ACTION: Proposed rule. '
SUMMARY
- The Nuclear Regulatory Cemission is proposing to amend its -
regulations to require th_at light-wat,er-cooled nuclear power plants be capable of withstanding a total loss of alternating current (AC) electric pcwer (called "station blackout") for a specified duration and to maintain reactor core cooling during that period. This proposed requirement is bas,ed on information developed under the Comission's study of Unresolved Safety 2ssue A-44, "Station Blackout." The proposed change is intended to provide ; turther assurance that a station blackout (loss of both offsite pcwer and onsite emergency AC power systems) will not adversely affect the public health and safety. , DATE: The coment period expires [fnsert a date 90 days t.fter the publication of this Notice of Proposed Rulemaking). Coments received af ter this date will be considercd if it is practical to do so, but assurance of , consideration cannot be given except as to comments received before this date. ! l ADDRESSES: Send coments to: The Secretary of the Cemission, U.S. Nuclear Regulatory Commission, Washington, DC 20555, Attention: Docieting and Service Branch. Copies of comments received may be examined and copied fer a fee at the NRC Public Document Room, 1717 H Street NW, Washington, DC. FOR FURTHER INFOR % TION CONTACT: Alan Rubin, Division of Safety Technology, Office of Nuclear Resctor Regulation, U.S. Nuclear Regulatory Comission, . M . nc 20155. Talachene! (301) 492-8303.
.g-s m SUPPLEMEhTARYINFORMATIdtl: The alternating current (AC) electN e power for essential and nonessential service in a nuclear power plant is supplied primarily by offsite power. Redundant onsite emergency AC power systems are also provided in the event that all offsite power sources are lott. These systems provide power for various safety systems includiac reactor core decay heat removal and containment heat removal which are es'sential for' preserving the integrity of the reactor core and' the containment building, respectively. The reactor core decay heat can also be ' removed for a lialted time period by safety systems that are independent of AC power. .
The term ' station blackcut' means the loss of offsite AC power to the essential and nonessential electrical buses concurrent with turbine trip and the unavailability of the redundant onsite emergency AC power systems (e.g., as a result of units out of service for maintenance or rspair, failure to e start on demand, or failure to continue to run after start). If a station blackout persists foF a sufficient time such that the capability of the AC-independent systems to remove decay heat is e'xceeded, core melt and containment failure could result. The Comission's existing regulations establish requirements for the design and testing of onsite and offsite electric pcwer systems that are intended to minimi:e the probability of losing all AC pcwer. See General' Design l Criteria 17 and 18, 10 CFR Part 50,' Appendix A. The existing regulations do not require explicitly that nuclear power plants be designed to assure that , l! the core can be cooled and the integrity of the reactor coolant pressure boundary can be maintained fer any specified period of loss of all AC power. As operating experience has accumulated, the concitrn has arisen that the t reliability of both the onsite and offsite emergency AC pcwer systems might
- be less than originally anticipated, even for designs that meet the l requirements of General Design C-iteria 17 and 18. Many operating
[ plants have experienced a total loss of offsite pcwer, and more occurrences f can be expected in the future. Also, operating experience with l i e i . I
. '3.- . f . c'nsite emergency power systems has included many instances when diesel generators failed to start. In a few cases, there has been a complete loss of both the offsite and the onsite AC power systems. During these events, AC power was restored in a short tim without any **ious consequ m et, l In 1975, the results of the Reactor Safety Study (WASH-1400) showed that station blackout could be an igertant contributor to the= total risk from - i' nuclear power plant accidents. Although this total risk was found to be small, the relative importance of the station blackout' accident was - established. Subsequently, the Comission designated the issue of stati,on blackout as an Unres'olved Safety Issus (USI); a Task Action Plan (TAP A-44) cas issued in July 1980, and work was initiated to determine whether additional safety requirementi were needed. Factors considered in the - analysis of risk from stat' ion blackout included: (1) the. likelihood and durati5n of the loss of offsite power, (2) the reliability of the onsite AC po'er w system, and (3) the potential for severe accident sequences after a loss of all AC pcwer, including consideration of the capability to remove core decay heat without AC power for a limited time period. The technical findings of the staff's studies of the station blackout issue are presented in NUREG-1032, "Evaluation of Station Blackout' Accidents - at Nuclear Pcwer Plants, Technical Findings Related to Unresolved Safety Issue A-44."III Additional information is provided in supporting contractor reports: NUREG/CR-3226, "Station Blackout Accident Analyses' published in - May 1983; NUREG/CR-2989,' ' Reliability of Emergency AC Pcwer Systems a~t Nuclear III NUREG-1032 was issued for public comment on . Copies of this' report are available for public inspection and ccpying for a fee at the NRC Public Document Room at 1717 H Street, NW, Washington, DC 20555. ' Free single copies of NUREG-1032 may be requested by writing to the Publication Services Section, Division of Technical Information and - Document Control, U.S. Nuclear Regulatery Comission, Washingten, DC 20555. -
- k. .
Power Plants" published in July 1983; and NUREG/CR-3992, "Collection and Evalu'ation of Complete and Partial Losses of Offsite Power at Nuclear ~ (2) The major results of these studies are j Peter Plants' publish 1d in . given below. I i
- Losses of offsite power can be characterized as those resulting from plant-centered faults, utility grid blackout, and severe weather-induced
- I . failures of offsite power sources. Based on operating experience, the frequency of total losses of offsite power in operating nuclear power l plants was found to be about one per 10 site-years. The median restoration time'was about one-half hour, and 90 percent of the offsite 1 power losses were restored in approximately 3 hours (NUREG/CR-3992). l i
- The review of a number of representative designs of onsite emergency AC pcwer systens has indicated a variety of potentially important failure
,y causes. However, no single improvement was identified that could result in a significant improvement in overall diesel generator reliability. Dath obtained frem operating experience shew that the typical individual emergency diesel generator failure rata is about 2.5 x 10'2 per demand.. , and that the emergency AC power system unav d ability for a plant which has two emergency diesel generators, one of which is required for decay heat removal, is about 2 X 10'3 per demand (NUREG/CR-2989).
- Given +he occurrence of a station blackout, the likelihood of rssultant core damage or core melt is dependent on the reliability and capability l 1
of decay heat removal systems that are not dependent on AC power. If i sufficient AC-independent capability exists, additional time will be available to restore AC power needed for long-tem cooling (NUREG/CR-3226). l (2) Copies of tbase documents are available for public inspection and copying for a fee at the NRC Public Document Roem at 1717 H Street, NW, Washingten, DC 20555. . Copies may also be purchased by calling (301) 492-9530 or by writing to the Publication Services Section, Division of Technical Infomation and Document Control. U.S. Nuclear Regulatory Cemission. l Washington, DC 20555, or purchased frem the National Technical l Information Service, Department of Comerce, 5285 Port Royal Road, Springfield, VA 22161. -
. -- ~ _ _ __
5
~
~ . , , . .
- It was determined by reviewing design, operational,.and site-dependent factors that the expected frequency of core damage resulting from station blackout events could be maintained near or belew 10-5 per reacter-year for any nuclear plant with readit, v H ev=M e d H:e! generator reliabilities, previded that the plant is designed to cope with station blackout for a specified duration. The duration for a specific plant is
- - based on a ecmparison of the plant's characteristics to those facters
. . .that have been identified as the main contributors to Msk from station -
- blackout (NUREG-1032).
As a result of the station blackout studies, improved guidance will be provided to licensees regarding maintaining minimimum emergency diesel generator reliability to minimize the probability of losing all AC power. ' In addition, the Commissior, is proposing to amend its regulations by adding a
. new $50.63 and by adding a new final paragraph to General Design Criterion
- 17, Appendix A of 10 CFR Part 50, to require that all nuclear pcwer plants be capable cf ceping with a statico blackout for seme specified period of time.
The period of time for a specific plant would be determined based on the existing capability of the plant as well as a comparison of the individual ; plant design with factors that have been identified as the = sin centributers to risk of core melt resulting from station blackcut. .: j
+-
These factors, which vary significantly frem plant to plant because of considerable differences in design of plant electric power systems as well as site-specific considerations, include: (1) redundancy of onsite emergency AC pcwer sources (i.e., number of sources minus the number needed for decay heat i removal), (2) reliability of onsite emergency AC power sources (usually diesel generators), (3) frequency of loss of offsite power, and (4) probable j time to restore offsite power. The frequency of loss of, and time to restere offsite power are related to grid and switchyard reliabilities, historical weather data for severe sterms, and the availability of nearby alternate power scurces (e.g., gas turbines). Experience has shewn that long duration offsite power outages are caused'primarily by severe storms (hurricanes, ice, snow,etc.). ' f
i l* 6 The objective of'the preposed rule is to reduce th'e risk of seveIe accidents resulting from station blackout by maintaining highly reliable AC electric power systems and, as additional defense-in-depth, assuring that plants can ' cope with a station blackout for some period of time. If the proposed rule is adopted, all licensees and applicants would be required to assess the capability of their plants to cope with a station blackout (i.e., determine ' h the amount of time'the plant can maintain core cooling and containment L integrity with AC power unavailable), and to nave procedures and training to cope with such an event. Plants would be required to be able to cope with a specified minimum duration station blackout selected on a plant-specific basis.' ' On the basis of station blackout studies conducted for USI A-44, and . presented in the reports referenced above, the NRC staff has developed a draft regulatory guide entitled "Station Blackout,*I3) which presents M guidance on,(1) maintaining a high level of reliability for emergency diesel generators, (2) developing procedures and training to restore offsite and onsite emergency AC power should either one or both beceme unavailable, and (3) selecting a plant-specific minimum duration for station blackout , capability to comply with the proposed amendment te General Design Criterien *
. 170 Application of the methods in this guide would result in selection of a 4-hour or 8-hour statien blackout duration, depending on the specific plant design and site-related characteristics. However, applicants and licensees could propose alternative methods to that specified in.the regulatory guide in order to justify other mini .:m durations for station blackout capability, l
l I3I A notice of availability and request for cements on the draft regulatery I guide will be published within a few days of this Notice of Proposed Rulemaking. Copies of the draft regulatory guide are available for public inspection and copying for a fee at the NRC Public Document Room at 1717 H Street, NW, Washington, DC 20555, and will be distributed to those on the autcmatic distribution list for draft regulatory guides. Free e single copies of the draft regulatory guide may be obtained by writing to l the U.S. Nuclear Regulatory Comission. Washington, DC 20555, Attention: Director, Divisien of Technical Information and Document Control.
c ,- ~ - .- .. . - _ _ _ . U ' i l- . l If the proposed rule and regulatory guide are issued, those plants with an i ) ! already low risk from station blackout would be required to withstand a i station blackout for a relatively short period of time and probably would j need few, if any," modifications as a result of the rule. Plants with j currently higher risk from station blackout would be required to withstand f somewhat longer duration blackouts. Depending on their existing capability. these pl. ants might also need to make modifications (such as increasing . l l:. !.- station battery capacity or condensate storage tank capacity) in order to lli cope with the longer station blackout duration. The proposed rule would l : require licensees to develop, in consultation with the Office of Nuclear .
'ReactorRegu1'ation, propose'dplantsp'ecificschedulisfokim'plementationof l l*
any needed modifications. J FINDING OF NO SIGNIFICANT ENVIRONMENTAL IMTf.CT: AVAILABILITY , L
, j t
The Commission has determined under the National Environmental Policy Act of l 1969, as amended, and the Comission's regulations in Subpart A of 10 CFR , Part 51, that this rule, if adopted, would not be 'a major Federal action ! j significantly affecting the quality of the human environment, and therefore ,. l i an environmental ig act statement is not required. There would not be any
! adverse environmental impacts as a result of the proposed rule for the -
j
- to11 ewing reascns: (1) there would be no additional radiological exposure -
t to the general public or plant employees, and (2) plant shutdown is not -- l required so there would be no additional environmental igacts as a result j ! of the need for replacement power. The environmental assessment and finding , of no significant impact on which this determination is based are available ! f l for inspection at the NRC Public Document Room, 1717 H Street NW, Washington,
! DC. Single copies of the environmental assessment and the finding of no l i significant impact are available from Mr. Karl Kniel, Office of Nuclear
- I Reactor Regulation,'U 5. Nuclear Regulatory Comission Washington, DC 20555 Telephone
- (301) 492-7359. .
l . i i .
I
.g. .
~~
PAPERWORK REDUCTION ACT STATEMENT i This proposed rule amends information collection requirements that are subject to the Paperwork Reduction Act of 1980 (44 U.S.C. 3501 et seq.). ' This rule has been submitted to the Office of Management and Budget for review and approval of the paperwork requirements. REGULATORY ANALYSIS Tha Comission has prepared a regulatory analysis for this regulation. The - analysis examines the costs and benefits of*the rufe as considered by the Comission. A copy of the regulatory analysis, NUREG-1109, For Cement, ' CRegulatory Analysis for the Resolution of Unresolved Safety Issue A-44, Statien Blackout,' is available for inspection and copying for a fee at the l NRC Puolic Document Room,-1717 H Street, NW, Washington, DC 20555. Free single copies of NUREG-1109 may be obtained by writing to the Division of Technical Information and Document Control, U.S. Nuclear Regulatory , Comission, Washington, DC 20b55. l I The Cemission requests public coment on the regulatory analysis. Coments on the draft analysis may be submitted to the NRC as indicated under the ADDRESSES heading.
. I REGULATORY FLEXIBILITY CERTIFICATION l In accordance with the Regulatory Flexibility Act of 1980, 5 U.S.C. 605(b),
the Cemission hereby certifies that this proposed rule, if premulgated, I cill not have a significant economic impact on a substantial number of small l entities. Inis proposed rule specifies that nuclear power plants be able te eithstand a total loss of AC pcwer for a specified time duration and maintain reactor core ecoling during that period. These facilities are e licensed under the provisions of 10 CFR 50.21(b) and 10 CFR 50.22. The companies that cwn these facilities do not fall within the secpe of 'small entities' as set forth in the Regulatory Flexibility Act er the small business size standards set forth in regulations issued by the Small
, Business Administration in 13 CFR Part 121.
m
, 9 ', -
w ' l LIST OF SUBJECT 5 IN 10 CFR PART 50 l I Antitrust, Classified information, Fire prevention Incorporation by i reference,Intergovernmentalrelations,Nuclearpowerplantsandreactors, Penalty Radiation protection, Reactor siting criteria, Reporting and j I recordkeeping requirements. 1 For the reasons set out in the preamble and under the authority of the l Atomic Energy Act of 1954, as amended, the Energy Reorganization Act of ; 1974, as amended, and 5 U.S.C. 553, notice is hereby given that adoption of , the' following ainendmen'ts to 10 CFR Part 50 is contemplated, i i PART 50 'DONESTIC LICENSING OF PRODUCTION AND UTILIZATION FACILITIES - 1.' The authority citation for Part 50 continues to read as.follows: i e ' Alf7HCRITY: Secs. 103, 104, 161, 182, 183, 186, 189, 68 Stat. 936, 937, 948, 953, 954, 955, 956, as amended, sec. 234, 83 Stat. 1244, as amended (42 U.S.C. 2133, 2134, 2201, 2232, 2233, 2236, 2239, 2282); cecs. 201, 202, 206, 88 Stat. 1242, 1244, 1246, as amended (42 U.S.C. 5841, 5842, 5646),.unless . othenvise noted. - Section 50.7 also issued under Pub. L. 95-601, sec. 10, 92 Stat. 2951 (42 U.S.C. 5851). Sections.50.57(d) 50.58, 50.91, and 50.92 also issued under l Pub. L. 97-415, 96 Stat. 2071, 2073 (42 U.S.C. 2133, 2239). Section 50.78 : I also issued under sec. 122, 68 Stat. 939 (42 U.S.C. 2152). Sections - i 50.80-50.81 also issued under sec. 184, 68 Stat. 954, as amended (42 U.S.C. 2234). Sections 50.100-50.102 also issued under sec. 186, 68 Stat. 955 (42 U.S.C. 2236). Fcr the purposes of sec. 223, 68 Stat. 958, as amended (42 U.S.C. 2273), (( 50.10(a), (b), and (c), 50.44, 50.46, 50.48, $U.54, and 50.80(a.) are issued under sec. 161b, 68 Stat. 948, as amended (42 U.S.C. 2201(b)); i e j
(( 50.10(b) and (c) and 50.54 are issued under sec. 1611, 68 Stat. 949, as amended (42 U.S.C. 2201(i)); and {$ 50.55(e), 50.59(b), 50.70, 50.71, 50.72, 50.73, and 50.78 are issued under sec. 1610, 68 Stat. 950, as amended (42 U.S.C. 2201(o)).
- 2. In $50.2, a definition of "station blackout" is added as a new ,
paragaph (y) to read as follows: 150.2 Definitions. e s * * (y) "Ctation blackout' means the complete loss of alternating current (AC) electric power to the essential and nonessential switchgear buses in a j nuclear power plant (i.e.; loss of the offsite electric power system concurrent with turbine trip and unavailability of the onsite emergency AC power system).
- 3. A new $50.63 is added to read as follows: ,
650.63 Loss of All Alternating Current Power. (a) Requirements. .E'ach light-water-cooled nuclear power plant li, censed to operate must be able to withstand and recover frem a station blackout as defined in $50.2 for a specified duration in accordance with the requirements in paragraph (e) of General Design Criterion 17 of Appendix A of this part. (b) Limitation of Scoce. Paragraphs (c) and (d) of this section do not apply to those plants licensed to operate prior to (insert the effective , date of this amendment] if the capability to withstand station blackout was l considered in the operating license proceeding and a specified duration was f ,- accepted as the licensing basis for the facility, j i s s
s" ~ (c) Implementation - Detennination et Station Blackout Duration. (1) For each light-water-cooled nuclear power plant licensed to operate onorbefore[inserttheeffectivedateofthisamendment],thelicensee shall submit to the Director of the Office of Nuclear Reactor Regulation by f, insert a date 270 days after after the effective date of this amendment]: (1) a detennination of the maximum duration for which the plant as currently designed is able to maintain core cooling and containment integrity in the event of a station blackout as defined in 150.2(y); (ii) a description of the procedures that have been 'est'ablished for station blackout events for the duration otennined in paragraph (c)(1)(i) of this section and,for recovery therefrom; , (iii) an ident'fication i of tha factor (s) that 1 mit the capability of the plant to cope with a station blackout for a longer time than that detennined in paragraph (c)(1)(1) of this section; .
.(iv) a proposed station blackout duration to be used in detennining compliance with paragraph (e) of General Design Criterion 17 of Appendix A of
' this part, including a justification for the selection based on: (1) the redundancy of the onsite emergency AC power sources, (2) the reliability of the onsite emergency AC.pewer sources, (3) the expected frequenegf loss . I of offsite power, and (4) the probable time needed to restore offsite power; , ) and 1 (v) an identification of the factors, if any, that limit the capability of the plant to meet the requirements of Criterion 17 for the specified station blackout duration proposed in the response to paragraph (c)(1)(iv) of this section. l
- r '
p ,
(2) After consideration of the information submitted in accordance with paragraph (c)(1) of this section, the Comission will notify the licensee of its determination of the specified station blackout duration to be used in determining ccmpliance with General Design Criterion 17 of Appendix A of this part. i ( ) _ , _ , ,d Imolementation - Schedule for Im lementino Ecuioment Modifications. .. ,_. _ , (1) For each light-water-cooled nuclear power plant licensed to operate on or before [ insert the effective date of this amendment), the licensee I shall,within180 days'ofthenotificationprovidedinaccordancewith paragraph (c)(2) of this section, submit to the Director of the Office of Nuclear Reactor Regulation r schedule for impluenting any equipment and procedure =edifications necessar3 to meet the requirements of General Design Criterion 17 of Appendix A of this part. This submitta11 bust include an g explanation of the schedule and a justification if the schedule does not provide for ccepletion of the nodifications within twc years of the . notification provided in accordance with paragrapa (c)(2) of this section. - (2) The licensee and the NRC staff shall mutually agree upon a final schedule for implementing modifications necessary to comply with the requirements of Criterion 17.
- 4. In Appendix A. General Design Criterion 17 is revised to read as follows:
I I l e M 6 s,
i : i
- , 1s . - . .
? . ! j . . I' APPENDIXA i !
~
General Design Criteria for Nuclear Power Plants
... 'I. Overall Requirements * *
- 4-. _
Criterion 17-Electric Power Systems. (a) An onsite electric power . I system and an offsite electric power system shall be provided to pemit ! functioningofskructures, systems,andcomponentsisiportanttosafety. The [ safety function for each system (essuming the other system is not functioning) shall,,be to provide sufficient capacity and capability to assure , that (1) specified acceptable fuel design limits and design conditions of the ! reacto~r coolant pressure boundary are not exceeded as a result of anticipated t operational occurrences and (2) the core is. cooled and containment. integrity _ and other vital functions are maintained in the event of postulated , accidents.
. t (b) The ensite electric pcwer supplies, including the batteries, and the ensite electric distribution system, shall have sufficient independence, l redundancy, and testability to perform their safety functions assuining a l single failure. ,
J (c) Electric power frem the transmission network to the onsite electric distribution system shall be supplied by two physically independent circuits j (not necessarily on separate rights of way) designed and located so as to minimize to the extent practical the likelihood of their.simultanecus failure under operating and postulated accident and environmental conditions. A switchyard conenon to both circuits is acceptable. Each of these circuits shall be designed to be available in sufficient 'ime following a loss of all onsite alternating current pcwer supplies and the other offsite electric ( '
- e
a ~- power circuit, to assure that specified acceptable fuel de31gn Timits and design conditions of the reacter coolant pressure boundary are not exceeded. One of these circuits shall be designed to be available within a few second: following a less-of-coolant accident to assure that core cooling, containment integrity, and other vitt.1 safety functions are maintained. (d) ' Provisions shall be included to minimi:e the prcbability of losing electric pcwer frem any of the remaining supplies as : result of, or coincident with, the loss of power generated by the nuclear power unit, the le8s of pcwer from the transmissicn natsork, or thp loss of power from the , onsite electric pcwer 'supp1'ies *
. (e) The reactor core and associated coolant, control, and erotection systems, including the station batteries, shall orovide sufficient cacacity and cacability to assure that the core is cooled and containment integrity is .._,-
Je maintained in the event of.a station blackout (as defined in %50.2(y)) fer
})[_asoecifiedduration. The following factors shall be considered in soecifvine the station blacknut duration: (1) the redundancy of the onsite emergency AC ooter sources, (2) the reliability of the onsite emergency AC cower sources, (3) the exoected frecuency of loss of offsite power, and (4) the erobable time needed to restore offsite eower.,_ ,__,,_ __ _, _
Dated at Washington ,DC, this day of 1984 For che Nuclear Regulatory Commission Samuel J. Chilk, Secretary of the Ccenission. f 8 Underlined text indicates proposed additional paragraph to GDC 17.
,(759'O01];.
1/15/8 F l
- ENCLOSURE B li Federal Register Notice _off Final Rulemakino l i
NUCLEAR REGULATORY COMMISSION l 10 CFR Part'50 l Station Blackout l AGENCY: Nuclear Regulatory Commission. l
't ACTION: Final rule.
SUMMARY
- The Nuclear Regulatory Comission is amending its regulations to l require that light-water-cooled nuclear power plants be capable of' withstanding i a total loss of alternating current (ac) elec'tric power (called "station black-out") for a specified duration and maintaining reactor core cooling during that periud. This requirement is based on information developed under the Commission's study of Unresolved Safety Issue A-44, "Station Blackout." The l amendment is intended to provide further assurance that a loss of both offsite l power ano ensite emergency ac power systems will rot adversely affect the public health anc safety.
EFFECTIVE DATE: l FOR FURTHER INFORMATION CONTACT: Aleck Serkiz, Division of Reactor and Plant Systems, Office of Nuclear Reactor Regulatory Research, U.S. Nuclear Regulatory Ccmmission, Washington, DC 20555. Telephone: (301)492-3555. 4
i l *2
- t F l SUPPLEMENTARY INFORMATION
- l i ' Background .
1 i i l The alternating current (ac) electric power for essertial and nonessential l
! service in a nuclear power plant is supplied primarily by offsite power.
Redundant onsite emergency ac power systems are also provided in the event th6t ! l
- all offsite power sources are lost. These systems provide power for various !
l safety functions, including reactor core decay heat removal and containment f i heat removal, which are essential fur preserving the integrity of the reactor ! j core and the containment building, respectively. The reactor core decay heat ! can also be removed for a limited time period by safety systems that are l independent of ac power. , j ! 4 . ) The term "station blackout" means the loss of offsite ac power to the e%ential ; $ and nonessential electrical buses concurrent witn turbine trip and the l } unavailability of the redundant onsite emergency ac power systems (e.g . as a j ! resuit of units out of service for maintenance or repair, failure to start on 1 l demand, or failure to continue to run after start). If a station blackout i persists for a time beyond the capability of the ac-independent systems to I remove decay heat, core melt and containment failure could result. The Commission's existing regulations establish requirements for the dcsign and j testing of onsite and offsite electric power systems that are intended to ! , reduce the probability'of losing all' ac power to an acceptable level. (See l General Design Criteria 17 and 18,10 CFR Part 50. Appendix A.) The existing regulations do not require explicitly that nuclear power plants be designed to l assure that core cooling can be maintained for any specified period of loss of I all ac power. Ll l 1 l As operating experience has accumulated, the concern has arisen that the [ ! reliability of both the onsite and offsite emergency ac power systems might be f less than originally anticipated, even for designs that meet the requirements i of General Design Criteria 17 and 18. Many' operating plants have experienced a l
- total loss of offsite power, and more occurrences can be expected in the' l l
).
. o (
~3'-
r future. Also, operating experience with cnsite emergency power systems has ; included nany. instances when diesel generators failed to start. In a few ! cases, there has been a complete loss of both the offsite and the ensite ac l power systems. During these events, ac power was restored in a short time ! without any serious consequences. I In 197S, the rasults of the Reactor Safety Study (WASH-1400) showed that l Stdtion bl4ckout could be an important contributor to the total risk from l nuclear power plant accidents. Although this total risk was found to be small, and not undue, the relative importance of the station blackout accident was established. Subsequently, the Comission designated the issue of station ! blackout as an Unresolved Safety Issue (USI); a Task Action plan (TAP A-44) was issued in July 1980, and studies were initiated to detennine whether additional ; safety requirements were needed. Factors considered in the. analysis of risk j from station blackout included: (1) the' likelihood and duration of the loss of l offsite power; (2) the reliability of the onsite ac power system; and (3) the l potential for severe accident sequences after a loss of all ac power, including consideration of the capability to remove core decay heat without ac power for ; a limited time period. , The technical findings of the staff's studies of the station olackout issue are l presented in NUREG-1032. "Evaluation of Station Blackout Accidents at Nuclear : Power Plants, Technical Findings Related to Unresolved Safety Issue A-44."II) Additional information is provided in supporting contractor reports:- l NUREG/CR-3226. "Station Blackout Accident Analyses" published in May 1983; j NUREG/CR-2989. Reliability of Emergency AC Power Systems at Nuclear Power l Plants" published in July 1983; NUREG/CR-3992 "Collection and Evaluation of Complete and Partial t.osses of Offsite Power at Nuclear Power Plants" published in February 1985; and NUREG-CR 4347, "Emergency Diesel Generator Operating IIIDraft NUREG-1032 was issued for public coment on June 15, 1985. , k e a
t ! o '
. l l
- i l t--
l Experience, 1981-1983" published in December 1985.(2) The major results of ; l these studies are given below. l
' Losses of offsite power can be characterized as thow resulting from ;
plant-centered faults, utility grid blackout, and severe weather-induced-failures of offsite power sources. Based on operating experience, the ; frequency of total losses of offsite power in operating nuclear power l plants was found to be about ene per 10 site-years. The median ; restoration time was about one-half hour, and 90 percent of the offsite l power losses were restored within approximately 3 hours (NUREG/CR-3992). f
'The review of a number of representative designs of onsite emergency ac i power systems has indicated a variety of potentially important failure l causes. However, no single improvement was identified that could result !
. in a significant improvement in overall diesel generator reliability. l Data obtained from operating experience in the period from 1976 to 1980 i showed that the typical individual emergency diesel generator failure l rate was about 2.5 x 10 4 per demand (i.e., one chance of failure in 40 i demands), and that the emergency ac power system unavailability for a plant which has two emergency diesel generators, one of which was ,
required for decay heat removal, was about 2 x 10'3 per cerand i (NUREG/CR-2989).
"Compared to the data in NUREG/CR-2989, updated estimates of emergency diesel generator failure rates indicated that diesel generator reliability has improved somewhat from 1976 to 1983. For the period 1981 to 1983, the mea') failure rate for all demands was about 2.0 x 10-2 per demand (i.e. , one chance of failure in 50 demands). However, the da'ta Copies of these NUREGS are available for public inspection and copying for a fee at the NRC Public Document Room at 1717 H Street, NW, Washington, DC 20555. Copies may also be purchased through the U.S, Government Printing Office by calling (202) 275-2060 or by writing to the Superintencent of Documents, U.S. Government Printing Office, P. O. Box 37082 Washington, DC l 20013-7082.
4 4
also indicate that the probability of diesel generator failures during actual demand.s (i.e., during losses of offsite power) is greater than that during surveillance tests (NOREG/CR-4347).
'Given the occurrence of a station blackout, the likelihood of resultant core damage or core melt is dependent on the reliability and capability of decay heat removal systems that are not dependent on ac power. If sufficient ac-independent capability exists, additional time will be available to restore ac power needed for long-term cooling (NUREG/CR-3226).
*It was cetermined by reviewing design, cperational, and site-cependent factors that the expected frequency of core damage resulting from station blackout events could be maintained near 10-5 per reactor-year with
-readily achievable diesel generator reliab,ilities, pro'vided that plants are designed to cope with station blackout for a specified duration, The duration for a specific pl6nt is based on a ccmparison of the plant's characteristics to those factors that have been identified as the main contributors to risk fecm statien blackout (NUREG-1032).
The staff's technical findings snow that station blackout (550) coes not pcse an uncue risk to public health and safety. The findings sumari:ed above ihow that: recovery from loss of offsite ;cwer occurs for the most part in less than 4 hours, emergency diesel generator reliability is high (i.e._ 0.95), and that given an SB0 the likelihood of core camage is more dependent on decay heat removal systems that are non ac cependent. However, plant design and operational characteristics, plus site dependent factors (such as anticipated weather conditions) introduce a level of variability which warrants a need for plant specific coping analyses to provide greater assurance that core cooling can be maintained until ac pcwer is restored. Thus the Commission believes that 10 CFR 50.63 will bring about a significant increase in protection to the public health and safety. As a result of $30 coping analyses, improved guidance will be provided to licensees regarding maintaining minimum emergency diesel generator reliability to minimize the probability of losing all ac
power. In addition, the Commissiw is amending its regulations by adding a new j 150.63 to require that all nuclear power plants be capable of coping with a station blackout for some specifiet eriod of time. The period of time for a specific plant will be detemined based on a comparison of the individual plant's design with factors that have been identified as the main contributors to risk of core damage resulting from station blackout. Th&se factors, which vary significantly from plant to plant because of considerable differences da design of plant electric power systems as well as site-specific considerat ' include: (1) redundancy of onsite emergency ac power sources (i.e., nun J sources minus the number needed for decay hest removal), (2) reliability of onsite emergency ac power sources (;sually ciesel generators), (3) frequency of loss of offsite power, and (4) prooable the to restore offsite power. The frequency of loss of and time to resbre, offsite power are related to grid and switchyard reliabi, W, historical weathar data for severe storms, and the availability of nearby ..arnate power sources (e.g., gas turbines). Experience has shown that long duration offsite power outages are caused prinarily by severe storms (hurricanes, ice, snow, etc.). The Objective of the rule is to recuce the risk of severe accidents resulting i f rom station blackout by maintaining highly reliable ac electric power systems and, as additional defense-in-depth, assuring that plants can cope nith a station blackout for some period of time. The rule requires all plants to be able to cope with a station blackout for a specified acceptable duration selected on a plant-specific basis. All licensees and applicants are required to assess the capability of their plants to cope with a station blackout (i.e., determine that the plant can maintain core cooling with ac pcwer unavailable l for an acceptable period of timc), and to have procedures and training to cope with such an event. Licensees may use an alternate ac power source, if that source reets specific criteria for independence and capacity, and can be shown to be available within one hour to cope with a station blackout. A coping
- analysis is not required for those plants that choose this al'ernate at l approach if the alternate ac can be demonstrated by test to be available to j power the shutdown busses within 10 minutes of tne onset of station blackout.
r-On the basis of station blackout studies conducted for USI A-44, and presented in the reports referenced above, the NRC staff has developed Regulatory Guide 1.155 entitled "Station Blackout,"(3) which presents guidance on (1) maintain-ing a high level of reliability for emergency diesel generators, (2) developing procedures and training to restore offsite and onsite emergency ac power should either one or both become unavailable, and (3) selecting a plant-specific acceptable station blackout duration which the plant would oe capable of sur-viving without core damage. Application of the methods in this guide would result in selection of an acceptable station blackout duration (e.g. , 2, 4, 8 or -16 hours) which depended on the specific plant design and site-related characteristics acceptable to the staff. However, applicants and licensees could propose alternative methods to that specified in the regulatory guide in order to justify other acceptable durations for station blackout capability. unavailable for an acceptable period of. time), and to have procedpres and trainin'g to cope with such an event. Licensees may use an alternate ac power source, if that source meets specific criteria for independence and capacity. and can be shown to be available within one hour to cope with a station blackout. A coping analysis is not required for those plants that ihoose this alternate ac approach if the alternate ac can be demonstrated by test to be l availaole to power the shutdown busses within 10 minutes of the onset of l station blackout. , On the basis of station blackout studies conducted for USI A-44, and presented in the reports referenced above, the NRC staff has developed Regulatbry Guide 1.155 entitled "Station Blackout,"(3) which presents guidance on (1) maintain-ing a high level of reliability for emergency diesel generators, (2) developing procedures and training to restore offsite and on, site emergency ac power should either one or both become unavailable, and (3) selecting a plant-specific (3) A notice of availability and request for comments on the draft regulatory guide was published in the Federal Register on April 3, 1986 (51 FR 11494). Free single copies of the regulatory guide may be obtained by writing to the Distribution Section Division of Information Support Services, U.S. Nuclear Regulatory Commission, Washington, DC 20555. 6
l t acceptable station blackout- duration which the plant would be capable of sur-viving without core damage. Application of the methods in this guide would result in selection of an acceptable station blackout duration (e.g., 2, 4, 8 or 16 hours) which depended on the specific plant design and site-related characteristics acceptable to the staff. However, applicants and licensees could propose alternative methods to that specified in the Ngulatory guide in order to justify other acceptable durations for station blackout capability. Additionally, the re~gulatory guide on station blackout presents guidance on quality assurance and specifications for alternate ac source (s) and non-safety
. related equipment required for coping with station blackout. The equipment installeo to meet the station blackout rule must be implemented such that it does not degrade the existing safety related systems. This is to be accomplished by making the non-safety related equipment independent to the extent practicable from existing safety related systems The guidance provided in the re'gulatory guide-illustrates the specifications that the staff would find acceptable for non-safety systems and equipment. The quality assurance guidanca for the non-safety related equipment for which there are no ~
existing NRC quality assurance requirements (e.g., Appendix B, Appendix R)
. embody the following elements: (1) design control and procurement document control, (2) instructions, procedures and drawings, (3) control of purchased material, equipment and services, (4) inspection, (5) test.and test control, (6) inspection, test and operating status, (7) non-conforming items, (8) corrective action, (9) Records, (10) Audits. NRC inspections will focus on the implementation and the effectiveness of these quality controls as described in the proposed regulatory guide.
Based on the rule and regulatory guide s those plants with an already low risk from station blackout would be required to withstand a station blackout for a relatively short period of time and orobtoly would need few, if any, modifi-cations as a result of the rule. Plantt with currently higher risk from station blackout would' be required tn withstand somewhat longer duration blackouts. Depending on their exi5 ting capability, these plants might need to make hardware modifications (such as increasing station battery capacity or condensate storage tank, capacity) in order to copie with 'the longer station O ?---- - - - - , .- , - , - , - , , , , , - ,,- , ,.,,m.v- -
- ---a- - * -w -, .- ,e-~, e ,- , , wm--m-
~
-9 - -
F l blackout duration. The rule requires that each ligh-water-cooled nuclear power plant licer~ed to operate must be able to withstand for a specified duration and recover from a station blackout. The rule requires each plant to perform a coping analysis and identify the coping duration, along with the basis therefore and a description of procedures established for coping and recovery. If modifications to equipment or plant procedures are necessary, these are to be' identified and a schedule provided for implementirig such changes, , It should be noted, based on all evidence that staff has on hand, that no undue risk exists wii.h, or without, the promulgation of the station blackout (S80) rule. However, SB0 may still remain an important contributor to residual risk. This $80 rule will enhance safety by accident prevention and thereby reduce the likelihood of a core damage accident being caused by a station blackout occurrence. This does not mean however, that further enhancements in reducing the.,overall residual risk are not achievable by additional improvements in severe accident management, given the assumption that core damage occurs, whether from SB0 sequences or other causes (such as small or large LOCA- . sequences). Initiatives that provide such safety enhancements (through . improvements of core damage management procedures) are currently being pursued apart from the SB0 rule. Therefore, this rule should be viewed as being in the same accident prevention context as the ATWS rule (650.62) t1d the fire protection rule (550.48). Such rules recognize multiple failure possibilities. resulting from common cause effects that should be addressed. This cor.cern has been recognized in the Introduction to Appendix A of 10CFR50. Proposed Rule On fiarch 21, 1986, the Commission published a propos3d rule in the i Federal Register (51 FR 9829) that would require (1) light-water-cooled nuclear power plarlts to be capable of coping with a station blackout for a specified . duration, and (2) licensees to determine the maximum duration for which their plants as currently designed are able to cope with a station blackout. A 90-day coment period expired on June 19, 1986. , t e w .,..m----m.e.-w.v,v4.---_ - -.,- p,, y, e, n -.-
F On April 3, 1986 (13 days after the proposed rule was published), the NRC published in the Federal Register (51 FR 11494) a notice of availability and request for coments on a draf t regulatory guide entitled "Station Blackout" (Task SI 501-4)". This draft guide provided guidance for licensees to comply with the proposed station blackout rule. Many ' !tters commenting on the proposed rule also included comments on the draft regulatory guide. Responses to these coments provided below address the public comments on the dra,ft guide as well as on the proposed rule. J Coments on the Proposed Rule The Comission received 53 letters comenting on the proposed rule.(#) Forty-five of these were from the nuclear industry, comprised of electric utilities, consortiums of electric utilities, vendors, a trade association, and an architect / engineering firm. Other letters were submitted by the Union of Concerned Scientists (UCS), the Department of Nuclear Safety of the State of Illinois (IDNS), a representative of the Professional Reactor Oper.ator Society, 4 a citizens group, a consultant, and three individuals. Largely, the industry comments were opposed to generic rulemaking to resolve the station blackout issue. The Nuclear Management and Resources Council (NUMARC), formerly the Nuclear Utilities Management and Resources Comittee, submitted, along with its comments en the proposed rule, a set of four industry initiatives that it believes would resolve this issue without rulemaking. Thirty-nine of the industry 1etters supported NUMARC's submittal. NUMARC proposed a fif th initia-tive (see item 21) by letter dated October 5, 1987. On the other hand, UCS, ! IONS, and the citizens group supported the Commission's objective in the proposed rule, but did not believe the rule and guidance associated with the rule went far enough to reduce the possibility of a serious accident that could be initiated by a total loss of alternating current (ac) power. (4) Copies of these letters are available for public inspection and copying for a fee at the NRC Public Room.at 1717 H Street, NW, Washington, DC. . - _ - -- .-- .= ._ .
- 11 - ,
Every letter was reviewed and considered by the staff in formulating the fidaT-resolution of USI.A-44. Because of the large number of comments, it was not practical.to prepare formal responses to each one separately. However, since many comments were on similar subjects, the discussi.on[ggd response to the comments has been grouped into the following subjects:
- 1. Quality Classificatinn of Madifications.
- 2. Whether the Backfit Analysis Adequately Implements the Backfit Rule.
- 3. Cost-Benefit and Whether 550.63 Meets the "Substantial Increase in the Overall Protection of the Public Health and Safety."
- 4. Whether NRC Should Require Substantial Improvements in Safety that Go Beyond Those Proposed in this Rulemaking.
- 5. The Need for Generic Rulemaking.
- 6. Applicability of the Proposed %50.63 to Specific Plants.
- 7. Plant-Specific Features and Capabilities.
- 8. - The Source Term Used to Estimate Consequences.
- 9. Specificity en the Extent of Required Copin,g Studies.
- 10. Acceptable Duration for Coping with a Station Blackout.
- 11. Credit for Alternate or Diverse AC Power Sources.
- 12. Trends on the Reliability of AC Power Sources.
- 11. Sharing of Emergency Diesel G5nerators Between Units at Multi-Unit Sites. .
- 14. Clarification of. the Definitions of Station Blackout and Diesel Generator Failure. ,
- 15. Specificity and Clarification of Requirements.
- 16. ,
Technical Comments on NUREG-1032.
- 17. Relationship of USI A-44 to Other NRC Generic Issues.
- 18. An Alternative of Plant-Specific Probabilistic Assessments.
- 19. Procedures and Operator Actions During Station Blackout.
(5) The .first four subjects are ones on which the Commissioners specifically requested public co'nments when the proposed rule was published. l { e -__ -__,_ _ ~
, ,,,-.w - . . - - . y - --. . - - -
. 7--_....,.-,- -
t-
- 20. Schedule Provisions in the Proposed 650.63.
- 21. Industry Initiatives The comments and responses to each of these subjects are presented on the following pages.
- 1. Quality Classification of Modifications The Cummission requested comments on whether the staff should give further consideration to upgrading to safety grade the plant modifications needed (if any) to meet the proposeo rule. Upgrading to safety grade would further ensure appropriate licensee attentien is paid to maintaining equipment in a high state of operability and reliability.
Comments - The prevailing view by industry on this subject is represented by the following comments submitted by NUMARC: Guality Classification is Unnecessary - Equipment used to prevent or respond to a station blackout should be sufficiently available and cperable to. meet its requireo function. To this extent, the Commission's desire that appropriate attention be paid to maintaining a sufficiently hign state of operability and reliability is hppropriate. The point of departure begins with the method for achieving this objective. Specifically, by itself, a'"safety gra-de" classification scheme does not solely equate with high states of equipment operability and reliabil!ity. Such classification systems too often can become a documentation exe$ cise more than a process for providing the requisite level of system functionality. Duquesne Light agreed with this view and expressed the following comments: Any plant modifications or additional eqpipment required to meet the proposed rule should not be specified sefety grade. For equipment which is to be manually started and placed in service for testing or in the
O n *
.- 13 .
event of a loss of power condition there is no necessity for specifying safety grade since adequate reliability can be obtained through normal surveillance testing and the proper maintenance of comercial power plant equipment. The cost difference in safety grade vs. comercial grade modifications is significant and must be emphasized. The opposite point of view was taken ty the IDNS. No credit should be given for the capability of equipment to respond to a station blackout unless that equipment was original ~y designed, constructed, inspected, performance tested, qualified, certified for the intended safety-related purpose, and the equipment is maintained to the highest industry safety standards. Gulf- States Utilities comented, The proposed rule does not provide, sufficient direction on the quality classification of plant modifircations that inay be required to meet the rule.
...the quality classification of plant modifications implemented to meet the proposed rule should be comensurate with classificaticn of the system they ,
support. Response - The proposed 150.63 does not specifically address the topic of safety classification of plant modifications; however, detailed guidance is provided in Regulatory Guide 1.155 dealing with quality assurance and eouipment specifications for non-safety related equipment. Any safety related equipment used either presently, or in modifications resulting from this rule, should meet the criteria currently applied to such equipment. The technical analyses performed for USI A-44 (NUREG-1032) show that plant-centered events'(ie. those events in which design and operational characteristics of the plant itself play a role in the likelihood of loss of l offsite power), and area - or weather - related events (e. . grid reliability )
~
or ex'ernal t influences on the grid) are the dominant causes of loss of offsite l power. Neither seismic events nor events related to single fajlure causes I I a
14 - r-were found to be major contributors to loss of offsite power. Therefore, both the staff's findings and public comments received do not support an explicit need for plant modifications for coping with station blackcut (580) to be seismically qualified. The substantial ~ increase in protection sougtet by this rule can be achieved by modifications which meet criteria somewhat less stringent than generally required by safety grade criteria. Safety rela +.ed equipment modifications to meet all safety grade related criteria would be more burdensome and expensive and would likely acnieve only a very small further. reduction in risk. The major contributors to the residual risk of loss of offsite power are adequately dealt with by modifications which conform to the quality assurance and equipment specification guidance provided in Regulatory Guide 1.155.
- 2. Whether the Backfit Analysis Adequately Implements the Backfit Rule In addition to comments un ,the merits of the proposed rule, the Commission specifically requested comments on whether the backfit analysis for this rule adequately implements the Backfit Rule, 10 CFR 50.109.
Comments - The Commission received two differing views in response to this request. On one hand, NUMARC expre'ssed the view that the proposed rule does not meet the backfit rule standard because the analysis of the factors set forth in $50.109(c) were not adequately considered by the staff. Speciffcally, NUMARC stated -- )
- 1. Installation and Continuing Costs Associated With the -
l Backfit Have Been Underestimated. l
. _ _ . _, ,..,,.y_ , _ ___ _, _ . . - . __. ,_y ,_ ,,,,. _ - _.,. _, ,,m, . , _ , . __,,,,,_y.,, , , . , , . . , .- __ ,~~ . , _ , - , , . - . - . - , , _ _ . _ . . , , _ , ,
. t-
- 2. Potential Impacts on Radiological Exposure of Facility Employees Should Be Further Addressed.
- 3. The Relationship to Proposed and Existing. Regulatory Requirements Should Be Considered Further.
- 4. Potential Impacts of Differences in Facility, Type, Design or Age Should Be Considered Further.
- 5. The Reduction in Risk from Offsite Releases to the Public Has Been Overestimated.
On the other hand, the Ohio Citizens for Responsible Energy (0CRE) and UCS commented that the backfit rule should not apply to the proposed rule. OCRE took-the position that "application of the backfit rule to [NRC] rulemakings
... is plainly illegal," and the Commission is not empowered to consider costs to licensees in deciding whether to impose new requirements. UCS commented -
that the cost benefit analysis should not be aoplied in this case because safety improvements are needed to secure compliance with existing NRC regu-lations, specifically General Design Criterion-17, Electric Power Systems
.(Appendix A to 10 CFR Part 50).
Response - NUMARC's' comments on the backfit analysis were taken into account by the staff in revising the draft version of hUREG-1109, and a separate appendix that addresses the factors in 550.109(c) was added to that report. All but Item 2 above are on the same subjects as letters 'from o.ther commenters and are discussed in more detail under subjects 3 (Item 1), 6 (Item 4), 8 (Item 5), and 17 (Item 3) in this section. NUMARC's Item 2, the potential impact on radiological exposure of facility employees, would need to be assessed in detail only if it were a major factor in the value-impact analysis. The effect of radiological exposure on facility employees, if any, would be extremely j small in comparison to the reduction in radiological exposurx to the public ; from accident avoidance. Therefore, this factor would have no impact on the
'overall value-impact analysis.
4
_ . - . ~. . ._ .__ - _ l
. i Contrary to OCRE's and UCS's coments, the Comission may subject the rulemaking proce u to internal controls. Moreover, the Comission is empowered to consider the costs of incremental safety improvements which go beyond the' !
level of safety necessary to ensure no undue risk to the 'public health and safety. See UCS, et al., v. NRC, D.C, Cir. Nos. 85-1757 and 86-1219 (August 4, 1987). The improvements embodied in sec. 50.63 go beyond the level of. safety-necessary to ensure no undue risk. Finally, contrary to USC's coment on GDC 17, new station blackout measures cannot be imposed on licensees as a matter of compliance with GDC 17, under the compliance exception in the backfit rule,10 , CFR 50.109(a)(4)(i). GDC 17 does not explicitly , require that each plant be , able to withstand station blackout for a specified time, or that each licensee perform a coping assessment and make whatever modifications may be necessary in the light of that assessment. Nor are any of these highly specific requirements logically compelled by any part of GDC 17. Moreover, GDC 17 ha: never.been interpreted by the staff or the Commission to c'ontain these specific requirements. Thus, to impose them under GDC 17 would amount to a backfit w'hich resulted from a new staff and Commission interpretation of GDC 17. The issue in this rulemaking is whether some additional protection is warranted i beyond that already provided. The Commission is entitled to inquire, and seek public ccmment, un whether additional safety measures should be imposed where , there is a substantial increase in the overall protection of public health and safety and the ccst of implementation is justified in view of this increaset 4 protection. !
- 3. Cost-Benefit Analysis and 'nhether 150.63. Meets the "Substantial Increase in the Overall Protection of the Public Health and Safety" Chairman Zech and Comissioner Roberts requested coments on the anaWe of cost benefit, value impact, and safety improvements and the station blackout standing on the overail risk (e.g., is the reduction of risk only a small j l percentage of the overall risk, or is it a major component of an already small l l
risk?) Chairman Zech and Comissioner Roberts were particularly interested in I specific coments assessing whether or not this proposal meets the "substantial-(
. . , ~ . _ _ , , _ _
_ . - _ _ - - - - - _ - , . _ . . - _ _ _ _ _ , , ~ , _ - _ _ _ . . . , , ~ _ - . _ . - _ - .
increase in the overall protection of the public health and safety..." threshold now required by the backfit rule. Comments - (A) One of the major coments by industry on the cost-benefit analysis was that the costs of implementing the proposed requirements have been underestimated. fiUMARC and the Atomic Industrial Forum (AIF) commented that
, the cost estimates for hardware modifications reported in liUREG/CR-3840, "Cost Analysis for Potential Modifications to Enhance the Ability of a fiuclear Plant to Endure Station Blackout," were too low. Comonwealth Edison and other utilities felt that performance of an analysis to determine the maximum duration a nuclear plant could cope with a station blackout would be substantially costlier than what is estimated in fiUREG-1109. Industry also expressed concern that the interpretations associated with the proposed rule could lead to substantial costs above those addressed by the tiRC staff in its backfit analysis. AIF tommented that "The estimate of 120 tiRC man-hours per plant [for tiRC review] ... appears inadeovate. to acccunt for technical review and evaluation of the determination of maximum coping capability and of the description of station blackout procedures which the rule would require each licensee tc submit."
(B) Several commenters expressed the view that the flRC failed to consider all tne risks as,sociated with a station blackcut in its value-impact assessment. UCS thought independent failures, in addition to failures that lead to a station blackout, should be included. One individual stated that "both f4RC reports [flVREG-1109 and fiUREG-1032] are completely deficient in that neither look at sabotage." OCRE commented that seismic events should also be considered. (C) With respect to safety improvements and overall risk, different points of view were expressed. On one hand,tiUMARC commented -- While the risk reduction might be large [for a] limited number of plants, the risk reduction associated with the majority of plants will be small. Thus, as a general ) matter, the reductions in risk offered by the proposed rule constitue a small ) j percentage of the overall risk, a risk which. is already small (and acceptable). l
.a
._ - ____ - . . =_ . . . . . -. -
l 18 - r AIF stated that there is no standard by which to conclude that "substantial additional protection will be realized." ; A different view was expressed by UCS who stated that "station blackout is , clearly a major component of the total risk posed by operating nuclear plants. The magnitude of the total risk is largely unkncwable due to the enormous uncertainty which surrounds probabilistic assessments." Response - (A) In order to adequately respond to industry's comments above, the ' staff and f4RC contractors reviewed the cost estimates associated with imple- ] menting the station blackout rule. Based on this review, the estimated costs l for hardware modifications were reviewed and are in the range of from 20 l percent to almost 140 percent greater than the estimates in tiUREG/CR-3840, , depending on the pecif.ic modification' considered. On average, the cost I estimates for hardware backfit were found to be approximately 80 percent l greater than estimated in t4UREG/CR-3840. However, the cost estimates in [
~
fiUREG/CR-3840 were not used by the staff.in the value-impact analysis in the draft version of tiUREG-1109 where estimates approximately 100 percent greater than*the tiUREG/CR-3840 estimates we're used, Therefore, the revised cost estimates used in the final value-impact analysis are not significantly different from the estimates used in the draft version. Industry's coments on the costs to assess a plant's capability to cope with a station blackout were based on the proposed rule that required an assessment of the maximum coping capability and the potentially unbounded nature of such an assessment. Based on public-comments, the Commissinn has revised the final i I rule to modify the . requirement for licensees to determine the maximum coping capability. (See response to public concents in subject number 9.) Instead, a ! coping assessment is required only for a specific duration. The cost for such j a study is estimated to be from 70 to 100 percent higher than the original estimates by the staff, and these revised costs are used in the final , value-impact analysis. . r
..n. .,-n- -,------,a.-,..-- ---,----nnw.,,+--..--,--.-m - .,;r..----,-,..- ,----,., n --,----n--m,,,-s-t-- - , --n.,
t-- The staff revised its estimate of the resource burden on NRC for review from 120 to 175 person-hours per reactor. This revision was based on technical review required for other comparable NRC activities. (B) The technical analyses performed for OSI A-44 indicated that the contribution to core damage frequency from independent failures, in addition to failures that must occur to get to a station blackout, is low. Likewise, results of USI A-44 studies and other probabilistic risk assessments have shown that, for station blackout sequences, the contribLtion to core damage frequency from seismic events is low. Sabotage cannot now be analyzed adequately on a proba.bilistic basis. Even though sabotage was not explicitly considered in the staff's value-impact analysis, it is discussed in NUREG-1109 under other considerations. These considerations support-the conclusion that a station blackout rule will provide : a substantial safety benefit. (C) The revised value-impact analytis performed for the resolution of USI A-44 indicates that there are substantial benefits in terms of reduced core damage frequsncy and reduced risk to the public that result from the station blackout rule, and the costs are warranted in light of these benefits. The best estimate for the overall value-impact ratio is 2,400 person-rem per million ! dollars. Even if those plants with the highest risk (and therefore the j greatest risk reduction) were not considered, the value-impact ratio for the remaining plants is still favorable (i.e. , about 1,500 person-rem per million dollars). ; Recent analyses performed for NUREG-1150, "Reactor Risk Reference Document," Draft for Coment, February 1987 indicate that station blackout is a dominant risk contributor to overall residual risk for most of the six plants analyzed.
~
These results support the coment by UCS in response to the Commissioner's
- request for coments on this subject.
b 4
- 4. Whether flRC Should Require Substantial Improvements in Safety that Go Beyond Those Proposed in this Rulemaking Commissioner Asselstine requested comments on whether the NRC should require substantial improvements in safety with respect to station blackout, like those being accomplished in some other countries, whicn can ce acnleved at reasonable cost and which go beyond those proposed in this rulemaking.
Comments - NRC received eight letters that included comments on this subject. Five of these were from the nuclear industry, none of which felt that the approach.to station blackout taken in European countries should be useo to justify safety improvements that go beyond the proposed Q50.63. The main justification for industry's argument is that foreign countries may have reasons for requiring activities that differ from, or exceed, those in the U.S. For example, Washington Public Power Supply Systems (WPPSS) convented, "It is not, apparent th'at the details of U.S. grid stabilities and onsite power reliabilities are substantially similar enough to those found abroad to warrant a simple adoption of these. [ European] measures." In another comment from industry on this subject, NUMARC stated that there are several reasons why many of the features for coping with a station blackout in new Frenen nuclear power plants may already exist at most U.S. plants. In fact, they said, "The French approach to station blackout aces not appear to depart significantly from current regulatory approaches in the U.S." Similarly, AIF stated, "The assertions of extensive station blackout coping capability at fc.cign (notably European) nuclear power plants are not sufficiently substantiated to serve as even part of the basis for the proposed requirements." Three other letters (UCS, OCRE and IDNS) supported the NRC rulemaking to require all plants to be able to cope with a station blackout, but urged the Comission to go beyond the proposed rule. IDNS stated that -- The goal of hol blackout to 10~gingper the expected is reactor-year frequency of core stringent. not sufficiently damage from Withstation - relatively modest modifications to the proposed rule, a frequency of 10'7 appears achievable at reasonable cost. Specifically, the rule should require no less than 20 hours decay heat removal capacity instead of only four or eight hours in the proposed rule, in the event of a blackout.
21 - . . t-Reponse.- The staff agrees with industry's comments that foreign countries may have . valid reasons for imposing requirements that differ from or exceed those in the U.S., For example, it appears that there is a higher frequency of losses ; of offsite power in France than in the U.S. This experience, along with French safety objectives, led the French to design their new standard nuclear power plants to be able _to. cope with a very long duration station blackout (i.e., up to three days). The French safety approach and their station blackout design feature.s are documented in NUREG-1206, "Analysis of French (Paluel) Pressurized Water Reactor Design Differences Compared to Current U.S. PWR Designs," June 1986. . I i The Commission believes that the staff has adequately considered foreign approaches in preventing core melt from station blackout in developing the j resolution of USI A-44 Although the rule requires plants to be able to cope with-station blackout for a specific duration, that duration is not specified , j in the rule. Guidance to determine an acceptable duration is included in the ! station blackout regulatory guide. This guidance should apply to most plants, l b'ut if there were adequate justification, different requirements (either more -!
- or less stringent than the regulatory guide) could be ;pplied to specific l plants. The use of alternate AC sources provides a means to achieve further l incremental decreases in core melt frequency. l 4
- 5. The Need for Generic Rulemaking l t
Coments - Five letters from the nuclear industry comented that generic rulemaking is not necessary to resolve the station blackout issue. Their l j reasons for this issue were as follows: A generic rulemaking is inappropriate since the historic number of sites experiencing a loss of all offsite power is small. (Texas Utilities) { The station blackout issue should be handled on a plant-specific basis and
- does not need to be resolved by generic rulemaking. Each plant has uni.que
- probability for a loss-of-power event based on transmission system,
. location of plant, and onsite power systems. (Duquesne Light) i l ) .
- ,n --
,-,.---,--..,,,v .
,,nn-,,--,----c .------,.-.,..---.,..-,-n --
,,.-,,,n,,,,.n,--,,,_-,,.,,,,,.,,,,--,,1 ,, ,,- , ~
The Commission need not pursue generic rulemaking in order to resolve a f non-generic issue. In the proposed station blackout rule, the number of plants of concern is acknowledged to be limited. (NUMARC) Station blackout has been found not to be a generic issue. Station blackout risk is plant specific and, according to the staff's own-analyses, the proposal reouirements are expected to result in modifications at no more than a few facilities, if at any. Requiring all licensees to undertake extensive analyses un, der the provisions of the proposed rules when only a small group of plants may have a need for ramedial action is not appropriate. (AIF) Response ~ - The Commission believes that a rule is appropriate to ensure that station blackout is addressed at all nuclear power plants. The plant-specific features that contribute to risk for station blackout (e.g., diesel generator configuration, probability of loss of offsite power) are considered by the staff in the station blackout regulatory guide to determine an acceptable coping duration for each plant. Even though not all sites have experienced a loss of offsite power, there is not sufficient assurance that such events would not occur in the futureI Since historic experience has shown that a total loss of offsite power occurs about once every 10 site-years, and many nuclear plants have operated for less than 10 years, it is not surprising that some plants have experienced a loss of offsite power while others have 'not. Even though it is likely that many plants will not need hardware modificatiens to comply with the rule, the assessment o,f station blackout coping capability for a spacific duration and implementation of associated procedures will effect a safety benefit for all plants. The "limited number of plants of concern" in NUMARC's letter refers to those plants having the highest risk from station blackout (i.e., those that would need hardware modifications). Without a plant specific assessment, these plants can not be identified. Even excluding these plants from consideration, the staff's analysis has shown that the improvements in safety associated with the rule are consistent with backfit considerations set forth in 550.109. a 6
t--
- 6. Applicability of the Proposed 650.63 to Specific Plants Comments - Four letters included comments or questions regarding the a'pplicability of the rule to specific plants. For example, does the rule apply to high temperature gas cooled reactors (i.e., Fort St. Vrain)? What about TMI-2 or plants that are near completion but will not have an operating license prior to the amendment's effective aate? Houst,on Power and Lighting Company wrote --
Proposed Section 50.63 provides schedular guidance for implementing . station blackout-related modifications on plants that already hold oper-ating licensees or will be licensed to operate prior to the effective date of the amencment. Plantt ,.S3 may be NT0L's [near-term operating license] but will not be licensea prior to the amendment's effective cate should be accorded the same compliance period under parts (c) and (d) of this section. Otherwise this proposed rule could be interpreted to imply that plants not licensed prior to the effective amendment date must comply with
.the rule and make_all necessary modif.ications prior to receiving an 0.L.
(operatinglicense]. The rule should be amended to address plants which are scheduled to receive an 0.L. within a short time following imple-mentation of this rule. . Response - Rather than identifying specific plants for which the rule does not apply, 550.63(a) specifies when it does apply (i.e., "each light-wa,ter-cooled nuclear power plant licensed to operate"). Since Fort St. Vrain is an HTGR, the generic rule would not apply. Station blackout will be considered individually for that plant based on its unique design. Since TMI-2 is not licensed to operate, likewise, the rule would not apply to that plant. Any plant licensed to operate after the date the rule becomes effective will comply with the same 270 day schedule for information submittal applied to plants previously licensed. This affords NTOLs the same compliance features as plants already licensed to operate. t a 9 0
- 24 .
- 7. Plant-Specific Features and Capabilities .
Comments - A number of utilities described plant-specific features and capabilities that reduced the risk posed by a station blackout event ccmpared i 1 i.o the starf's analysis. Examples of such features are given below, i l
' Availability of alternate, independent ac power sources such as diesel l generators, gas turbines, or nearby "black start" ac power sources.
- Extremely reliable uffsite power supplies because of. multiple -
right-of-ways or underground feeders to back up above ground transmission lines. i
' Dedicated shutdown systems and associated diesel generators to meet the
, fire protection requirements of Appendix R to 10 CFR Part 50.
i Common or shared systems between two units at multi-unit sites such as de power, auxiliary feedwater, or diesel generators. l 1 I i i Response - The analyses performed for USI A-44 clearly sticw that plant-specific i i features do affect the risk from station blackout, and the station blackout regulatory guide takes this into account in'providing guidance on different l acceptable coping durations depending on the cost significant of these features. Those plants with extremely reliable offsite and onsite ac power supplies need only have a very short (e.g., 2-hour) coping duration to ba i acceptable. Plants that have a dedicated shutdown system with its own inde-pendent power supply could take credit for this system to cope with a station blackout. The final rule and regulatory guide have been clarified to give. credit for alternate ac power supplies (see response to subject 11), t 1-Therefore, the Commission believes that for almost all sites, plant-specific j ' l differences have been adequately accounted for in the resolution of USI A-44, 1
.but the door is open to licensees who believe their plants have additional capability that should be considered by the staff in demonstrating compliance with the rule. -
l
- l
t--
- 8. The Source Term Used to Estimate Consequences Coments - Letters from flVMARC and others in the industry commented that the consequences of offsite releases that would result from a station blackout event are overestimated, and new source term information would lead to the prediction of much lower consequences for this event. Several commenters felt that the approach taken by the staff to estimate consequences of a station blackout event -- decreasing the estimated consequences of the SST1 siting >
source term from NUREG-CR/2723, "Estimates of the Financi.al Consequences of Nuclear Power Reactor Accidents" (September 1982), by a factor of three -- was improper. l AIF felt that "implementation of any requirements resulting from the resolution of USI A-44 should be deferred until the results of the source term research can be taken into account." They based this statement on the premise that if i the consequences used in the staff's value-impact analysis were reduced by a factor of 10, none of the alternatives would be feasible. UCS expressed a different point of view in their letter which said "... available evidence indicates that the consequences of an accident involving ; station blackout may be even worse than those estimated eith.er in WASH-1400 dr , the NRC's more recent studies." l
)
Response - IIRC has had an extensive research effort underway since about 1981 l 1 j to evaluate severe accident source terms. The staff has reviewed the results of this rerearch to take into account the public coments received on this subject. Since there is still a great deal of uncertainty regarding source terms and associated consequences, the staff revised its value-impact analysis for USI A-44 considering a range of estimates for consequences of a station blackout. The NRC research on severe accident source terms has resulted in the develop-ment of significant new analytical tools by tiRC contractors, as discussed in NUREG-0956, "Reassessment of the' Technical Bases for Estimating Source Terms," ,
. l -,-,n
F July 1986. The analytical methods. developed, generally referred to as the Source Term Code Package (STCP), have been used to analyze a number of severe accident sequences for five reference plants, namely: Peach Bottom, a BWR Mark i cesign; Sequoyah, a PWR ice condenser; Surry, a PWR with a sub-atmospheric containment; Grand Gulf, a BWR with a Mark III containment; and Zion, a PWR i with a large dry containment (NUREG-1150, "Reactor Risk Reference Document,' Draf t for Coment, February 1987). The results of these analyses show that releases from station blackout sequences can be expected to vary'significantly depending upon the plant and the specific sequence. Although generalizations are difficult, it appears that calculations using the STCP yield release fractions for most of the sequences range from about one third of an SST1 release (for the case of Surry, without condensation) to roughly one order of magnitude less than this. However, the uncertainties in our present understanding also do not preclude the possibility-of a large release, approaching that of the SST1 estimate. To determine the consequences in terms of person-rem, given the above range of release fractions, data taken from NUREG/CR-2723 indicate that the variations I , in person-rem associated with releases of magnitud.e SST1, SST2 and'SST3, are I virtually identical to the variations in latent cancer fatalities for the same three releases, Hence, the estimated change in latent' cancer fatalities with i 1 release fractions provides a reliable indication of change in person-rem as well. Table 10 in NUREG/CR-2723 presents variations in estimated latent cancer fatalities associated with changes in SST1 release fractions (for all elements except noble gases). This table shows that a release fraction of one third of an SST1 release would yield a value of about 50 percent of the latent cancer fatalities (and person-rem) of an SST1 release. Similarly, a release fraction of one third of an SST'1 release would yield an estimated person-rem of about 15 i percent of that associated with an SST1 release. Consequently, for value- , impact calculations, the staff estimated the range.of consequences of station e k--, g y-.,_m-__-_._ ... _ _ . . .- ,. _ _ _ , . _ . , , _
.,_,,,_y .,y _ , , . , , . . . , _ , , ....,...,.._-,,.,y_ y
27 - . r-- blackout, in terms of person-rem, to be from 0.15 to 0.5 of the estimated person-rem of an SST1' release. As noted, the original value-impact analysis was based on 0.3 times the estimated person-rem of an SST1 release. With regard to a possible delay in the resolution of USI A-44 until "better" source terms become available, key considerations appear to be when better sou.rce terms are likely to beceme available, and to what degree uncertainties in phenomenology as well as differences between investigators will be resolved. Although research on source terms is expected to continue well into the future, improvements in our knowledge are expected to be largely evolutionary beyond this point, in that the major phenomena appear to have been accounted for, at least in a first-order fashion, both in NRC as well as industry models. Resolution and narrowing of the remaining uncertainties would also. benefit from improved experiments and analytical models that are likely to bccome available gradually. For these -reasons, significantly better source terms than those presently available are likely to be forthcoming only after a number of years. Sin,ce the range of severe accident source terms and consequences suggested
. above from estimating station blackout sequences is sufficiently broad to cover likely improvements in source term kncwledge, the resolution of USI A-44 should not be delayed. '
- 9. Specificity on the Extent of Required Coping Studies Comments - Several letters by industry expressed ' concern that the studies necessary to demonstrate that a plant can cope with a station blackout are not well defined and could potentially be unbounded. These comments focused on two main points. First, the proposed rule required plants to determine the maximum duration the plant could cope with a station blackout, yet the draft regulatory guide included specific guidance on acceptable coping durations (e.g., 4 or 8 hours). Determining the maximum duration, rather than assessing the plant's capability for a spec'ific acceptable duration, could be an open-ended requirement. Along these lines, NUMARC stated --
5
- 9
- 4 t-Unless the required coping demonstration is specifically bounded by clearly stated definitions, assumptions, and criteria, there could conceivably be hundreds of supporting special effects analyses which licensees may have to consider as a result of the exercise of discretion ,
by individual staff reviewers. Under the rule as proposed, licensees cannot ascertain the ultimate requirements they will be expected to meet ,, (including the potential plant modifications they will neeo to make) to demonstrate compliance. , Second, industry also comme'nted on the potential open-endedness of analyses to determine the operability of equipment in environmental
~
conditions resulting from a station blackout (e.g., without heating, , ventilation, and air conditioning). Unless these analyses :ere well defined, industry felt the analyses could be much more costly than ,
. estimated by the staff. However, NUMARC made the following statement relating to the need for detailed prescriptive requirements by NRC that appears to contradict their earlier statement. <
l The point .... is not that regulations must be prs wriptive by their very f nature.' Prescriptive regulations, which outline in detail exactly what steps are required by licensees to satisfy a proposed regulation, are, in ! many instances, unnecessary and counterproductive. Response - With regard to the proposed' requirement that each plant determine its maximum duration for coping with station blackout, the staff agrees with f ] the industry coments . First of all, it would be difficult to adequately define "maximum duration" in this sense. Second, if licensees determine that their plants can cope with a station blackout for a specified duration and j restore AC power through an acceptable coping analysis, the additional safety benefit gained from simply the knowledge that a longer, or "maximum duration", coping duration exists is small. Third, the costs for assessing "maximum i duration" will be higher since more extensive analyses will be required to analyze a transient which would go beyond the coping analysis for a specified duration and recovery from station blackout.. Therefore, the rule and I f
, - - - - - . - - - , - , . . . _ - , , - , . - , . - . , - , n
- 29 .
t-regulatory guide have been revised accordingly to delete the requirement for licensees to determine a plant's maximum coping capability. With regard to the coments on assessments to determine eouipment operability during a station blackout, the staff feels strongly that such assessments are necessary to determine a plant's response to station blackout. By deleting the requirement to determine a plant's "maximum" coping capability, the assessment j of equipment operability would not be as costly as assumed by industry. Guidance on acceptable coping assessments is provided in the station blackout regulatory guide. Also, guidelines to evaluate the effects of loss of ventilation under ~ station blackout conditions are provided in Appendix E of nut 4 ARC-8700, Guidelines and Technical Bases for NUMARC Initiatives Addressing 1 Station Blackout at Light Water Reactors. These efforts provide additional definitions, criteria, and standards for licensees' assessments of equipment operability without the need for "prescriptive regulations" by NRC. : In order to evaluate further industry's coments on this subject, NRC requested . Sandia National Laboratories to identify specific tasks necessary to determine I operability of equipment during a station blackout, and estimate the cost to perform .hese tasks. Results of this study were used in the revised value-impact analysis performed for thi.s issue ("Equipment Operability Curing Station Blackout Events." NUREG/CR-4942). - f
- 10. Acceptable Duration for Coping with a Station Blackcut Coments - Several coments with differing views were directed at guidance in the draft regulatory guide on acceptable station blackout coping durations in order for plants to comply with the proposed rule.
Washington Public Power Supply comented that "it should be possible for certain utilities to demonstrate [an acceptable] zero hour blackout." One individual recomended "that a 30 minute period be 'a margin, and that no l duration under 4 hours be accepted by the staff." NucleDyne Engineering
- comented that "advanced reactors should require the capability to safely
) . le
withstand a station blackout of at least 8 hours," and IDNS wrcte that "the rule should require no less than 20 hours decay heat removal capability instead of only 4 or 8 hours." , Response - Although a diversity of comments was received on (his. subject, none
! provided supporting analysis or information to back up the' opinions expressed.
However, the staff did re-analyra the estimated risk from station blackout events for different plant- and site-related characteristics and revised its guidance on acceptable coping durations accordingly based on a goal of limiting ; the average contribution to core damage from station blackout to about 10_ per reactor-year. Most plants would still need a 4- or 8-hour coping capebility. l Those few plants with the most redundant ensite emergency ac power system, coincident with significantly lower than average expected frequency of loss of l offsite power would need only a 2-hour capability to be acceptable. Any plant with einimum redundancy in the onsite emergency ac power system coincident with low reliability and a significantly higher than average expected frequency of ; loss of offsite pcwer would need to substantially improve its ac power ; reliaoility or be able to cope with a station blackout for 16 hours. ' l
- 11. Credit for Alternate or Diverse AC Power Sources i
i Coments - Ten letters from the utility incustry commented that more credit snculd be allowed for the availability of alternate power sources such as o.1:ite gas turbines. The two coments below represent the utilities' 4 viewpoint. The station blackout rule should be clarified to allow credit for diverse and very reliable offsite power sources or diverse and very ' reliable onsite electrical generation. (Public Service Company of Colorado) l The option of providing an additional alternate source of ac power is ' eliminatedby[theproposedresolution]* The inconsistency in this opproach.can best be understood by considering an example at a generic nuclear power station. 4 n l . .
~
- 31 W
If the licensee were to provide an additional independent diesel generator capable of providing the necessary ac power to prevent station blackout, the licensee ... would sti.ll be required to withstand at least 4 hours without ac power. They would receive no credit for the additional diesel generator in the coping analysis. If the licensee were to use that same diesel engine to power a charging pump, even though it would be of less , significance to mitigation of reactor core damage than the diesel generator, the licensee could take credit for it in coping with the
- blackout. ,
Since a diesel charging pump will not provide for equipment loaoing flexibility, lighting, ventilation, instrumentation, etc., it is obviously of lower value than, an additional source of ac power. The fixed category approach taken in [the proposed resolution], however, will not permit -
.-taking credit for-the same diesel engine when used as a generator through {
l the actual reliability for the machine is the same. (Toledo Edison) i . Response - The proposed resolution did not intend to ignore the alternative of , adding additional pcwer sources or taking credit for such sources if they ; already exist. For example, as specified in the regulatory guide, if a licensee acded an emergency diesel generator to one of its plants that had minimum redundancy in the onsite emergency ac power sytem, the acceptable station blackout.ceping duration could be' reduced. For some plants, however, , adding' a diesel generator would not result in a reduction in the. acceptable coping duration, and the point made by Toledo Edison is a valid one. The rule and regulatory guide have been revised to clarify that alternate ac power ! sources are given credit to cope with a station blackout provided that certain
- criteria are met (e.g., independence, redundancy, high reliability, maintenance, and testing).
- 12. Trends on the Reliability of AC Power Sources l
Coments - Five letters included cocinents on the reliability of ac power sources. Four letters from industry feit that improved ac power reliability l . )
~
- ,32 - .
r-should be factored into the staff's technical analysis. Examples of these comments include the following:
... the frequenc decreasing..." Washington (y of loss of offsite Pohlie Pm power activities ar % pply System); has been
... offsite power availability in the absence of regulation has significantly improved over the past decade." (Southern California Edison Company);
-[NUREG/CR-4347]
... shows an improvement in diesel generator reliability over that shown in the earlier document [NUREG/CR-2989]." (General Elect-ic); and "Typically the reliability of onsite power systems increases during the l first few years following startup." (Gulf States Utilities)
IDNS on the other hand felt that potential vulnerabilities still exist in onsite emergency ac puwer systems, and licensees should demonstrate that they have'taken steps to reduce the probability of loss of ac power. l Response - The staff and its contractors have extensive'ly analyzed the industry ,
' experience and trends in ac power reliability as documented in NUREG-1032,
?!UREG/CR-2989, NUREG/CR-3992, and NUREG/CR-4347. Trends have shown that two ,
aspects of ac power reliability have improved somewhat -- the reduced frequency of losses of offsite power due to plant-centered events, and a slight I improvement in average diesel generator reliability from 1976 through 1983. - These factors have been taken into account in the staff's analyses and the resolution of USI A-44. However, data also demonstrate that there are practical limits on ac power reliability, and the defense-in-depth approach of ! being able to cope with a station blackout is warranted.
- 13. Sharing of Emergency Diesel Generators Between Units at Multi-Unit Sites.
Coments - Several letters from industry stated that some plants with two units on a site have the capability to crosstie electrical buses between units a,nd therefore have improved flexibility in providing ac power. Since the magnitude of the electrical loads neces,sary to provide core cooling during a station blackout is significantly less than that required for a design basis accident.
E it could be possible to provide ac power to both units at the site using only a single diesel generator. i Response - The proposed rule and draft regulatory guide do not prohibit the - r approach discussed above. If licensees can demonstrate that such crosstie capability exists; procedures are in place to accomplish the crosstie and shed - nonessential loads, if necessary; and no NRC regulations are violated (such as j j separation, minimum redundancy and independence), then credit would be given i for this capability as shown in the station blackout regulatory guide (e.g., ] reduced acceptable station blackout coping durations for greater diesel i generator redundancy). 14 Clarification of the Definitions of Station Blackout and Diesel Generator l Failures. , I Conhents - (A) Three letters from the utility industry recomended. that the j definition of station blackout in 550.2 should be clarified to exclude ac power l ] from the station batteries through inverters. This source of ac power from the ! ! station batteries would be available in the event of a logs of both the offsite f and cnsite emergency ac power sources (i.e., diesel generators). !
! (B) Several industry lettors commented that the definition of diesel generator l failure shouid be clarified, particularly with respect to the treatment of l
] short-term failures that can be recovered quickly. A letter from Sargent and. j Lundy Engineers comented that -- A definition of failure on demand for emergency diesel generators needs to l be provided. Under the context of a station blackout, a diesel generator ; i , which fails to start automatically upon detection of an offsite power l loss, but is successfully started manually from the main control room or j from the local control panel, should not be considered a failure on , j demand. i l I 1 . l . > } . l
i Response - (A) The staff agrees with comment A and revised the definition of station blackout accordingly. (8) Based on actual experience, failures of diesel generators to start due to failures in tne auto-start system make up less than 20 percent of all diesel generator failures. Therefore, discounting these failures would not have a significant impact of overall diesel generator reliability statistics. However, the staff agrees in principle with coment 8 and has clarified the statiori blackout regulatory guide so that auto-start failures of diesel generators need not be counted in determining the failur e role if the ciesel generatar is capable of being started manually immediately af ter it does not start autcmatically.
- 15. Specificity and Clarification of Requirements ,
Coments - Public coments were received regarding the specificity and clarifi-cation of the proposed rule and draft regulatory guide. These ranged from general to specific coments as the following two excerpts indicate: We are concerned that, if the proposed rul'e is adopted, the staff will prcmulgate regulatory guidance cr1teria which will be unrealistic and excessive, i.e., compounding the event with other accidents, imposing passive failure criteria, applying seismic, environmental qualificdon and other qualifications to equipment that could otherwise be used in response to such an event, etc. (Maine Yankee Atomic Power Company) Definitions of P1 and P2 [in Table 3 of the draf t Regulatory Guide] use frequency of extremely severe weather and severe weather interchangeably, thus craating confusion in the definition. (Washington Public Supply System) Response - Some of the coments on this subject relate to other subjects discussed elsewhere in this section. Some coments were quite specific while others were general in nature or expressed views that were not substantiated
l 7 with backup material. The staff has taken these coments into consideration and revised and clarified the rule and regulatory guide accordingly. Additiorial guidance is provided in tiUMARC-8700 which has been reviewed by the staff and referenced in the regulatory guide as providing a method the staff fir.ds acceptable for meeting the rule.
- 16. Technical Coments on tiUREG-1032 Coments - In addition to coments on the proposed rule and draft regulatory guide, several letters containea coments on the staff's araf t tecnnical report, fiUREG-1032, "Evaluation of Station Blackout Accidents at Nuclear Pcwer Plants."
Response - tiUREG-1032 was issued in draf t form for public ccment in t',ay 1985 g (50 ER 24332). The comments received were reviewed and considered by tne staff and resulted in a re-evaluation of the technical analysis. Details of the specific comments and responses are not presented here. Rather, tiUREG-1032 was revised extensively over the past year to address the public coments. In general, the overall conclusiens on the risk from station blackout events did not change significantly as a result of the re-analysis. One of the cajor changes resulting from the re-analysis was a revision to the def f ritict.s of plant characteristics, especially the clustering of plants into site and weather-related groups (Appendix A in fiUREG-1032). These changes are reflected in revisions to the guidance in the station blackout regulatory guide to determine plant-specific acceptable station blackout coping durations.
- 17. Relationship of USI A-44 to Other tiRC Generic Issues Comments - The major public coment regarding the relationship of USI A-44 to other f4RC generic safety issues was that the proposed rule may not be necessary or should be postponed because of ongoing work to resolve related generic issues. Some coments were general in nature such as the following one from Southern California Edison Company:
4
- -=
- 36 .
Promulgation of a final station blackout rulemaking at this time will F unnecessarily complicate the final resolution of related' generic technical issues... The NRC must develop and implement a program to coordinate the resolution of all power-related generic issues prior to finalizing any individual proposed rule. AIF suggested that the implementation of any requirements for statinn oiackout be deferred until the requirements from USI A-45, Shutdown Decay Heat Removal Requirements, are known and until the effect of source term-changes can be evaluated. NUMARC ment 0oned specific proposed and existing regulatory requirements that should be considered because they could reduce the need,for a station blackout rule (e.g., B-56, Diesel Generator Reliability ano Gl 23, Reactor Coolant Pump Seal Failures). Other related issues mentioned in the public comments were A-30, Adequacy of Safety Related CC Power Supplies, and implementation of safe shutdown facilities to meet the fire protection requirements of Appendix R. Response - The question that needs to be addressed is "shoulo a requirement be imposed now to reduce risk, or should it be postponed until related issues are resolved sometime in the future?" Potentially, this could result in sub-stantial delays and ther,eby not resolving generic safety issues in a timely manner. The staff has considered the resolution of USI A-44 in light of the related issues mentioned in the comments. Although these issues are identified as separate tasks within NRC, they are all managed in a well establisheo program that coordinates all related issues. A brief discussion of the most relevant issues is presented below. (Additional information is provided in NUREG-1109, "Regulatory Analysis for the Resolution of Unresolved Safety Issue A-44, Station Blackout.") Resolution of USI A-45 will occur at some time following issuance of the station blackout (580) rule (650.63) and after plant specific SB0 coping evaluations have been performed by licensees per NUMARC/NUGSB0 Initiative 5, utilizing guidelines provided in NUMARC-8700. Further, the resolution of US! A-45 is expected to be highly plant specific and focused on loss of decay heat removal considerations from oth'er causes beyond S80. Utilization will be maoe of A-44 evaluations (as applicable) and any plant equipment modification needs
i ' i identified from A-45 will be carefully evalua' ed t to maximize effective use of ,
- previously identified A-44 equipment needs. ,
J~ Maintaining emergency diesel generator _ reliability, the purpose of 0-56, is an integral part of the resolution of' USI A-44. However, the Commission believes that additional defense-in-depth will achieve a substantial increase in protec- ! tion to public health and safety. I j l
; The resolution of GI 23 (reactor coolant pump seal leakage) deals with loss of ^
RCS inventory and associated degraded core conditions. USI A-44 deals with 580 induced effects, which result in loss of AC power, thereby impacting a broader spectrum of plant ecuipment ana safety related functions. Although the l
! resolution of GI 23 will contribute to establishing a higher level of assur0nce -
t i j that seal leakage will be mi.nimized (thereby minimizing the need for power to : j replace water inventory losses over the SB0 duration and recovery phase),
, resolution of GI 23 by 1.tself will not address the broader scope of USI A-44 l safety concerns. -
l I e j Some licensees have implemented dedicated shutdown systems that are independent j
; of normal and emergency ac power to meet Appendix R requirements. If appli-
) cable, these features would be credited in the resolution of USI A-44 by . .
} providing the capability to cope with a station blackout. t Thus, the resolution of USI A-44 is coordinated with related generic issues, j and implementation of a final resolution should not be delayed further.
1 -(Response to comments on the effect of source term changes is included in . I subjectnumber8.) { 18. An Alternative of Plant-Specific Probabilistic Assessments 1 l
! Comments - Several utilities suggested that, in lieu of the requirements in the
{ rule, licensees should be permitted to submit plant-specific evaluations to l demonstrate that the frequency of core damage from station blackout events is
- j 10-5 per reactor-year or less. In a similar vein, the suggestion was made that 4
l
,, _-4_- _
. _ _ - . _ _ _ - - _ - _ _ _ _ _ Z ._._ u_ _ - _ . _ ___ _ _ _ __. _ _
[. *
- W NRC should specify a target level of reliability for ac power systems in order
- to satisfy NRC's crititria for core damage frequency. A'few licensees submitted limited probabilistic assessments to show that for some plants station blackout could have a very small probability of severe consequences.
?
Response - The Commission does not preclude licensees from submitting plant l specific probabilistic assessments to support a determination that station blackout would have a very small probability for causing core damage. However.
- the requirements of the rule must be met. The Comission would observe that .
the use of probabilistic assessments was important as input to the regulatory [ decisionmaking that culminated in the station blackout rule, and related
; guidance. As expressed in the Commission's Safety Goal policy statement of ; ! August 1986, the Comission has acquired a reasonable degree of confidence about the usefulness and value of probabilistic assessments in assisting regulatory'decisionmaking on complex safety issues. In short, such assessments are of value in complementing and focusing the more traditional and
, deterministic defense-in-depth approaches. On the other hand, any licensee ] must decide whether or not his plant specific AC power configuration'and other j l, related equipment is sufficiently unique to merit the _ conduct and submittal of j a probabilistic assessment as part of achieving ccmpliance to 550.63.- The l Commission's experience also indicates that probabilistic assessmeats are l resource intensive and these can be of marginal utility if their only end ; result is to delay rule compliance. I 1 1 1 I 1 1 7 9 1 _.___,,._.-_____.l_n_-...~_,-__._.a..__.___.,
r
- 19. Procedures and Operator Actions During Station Blackout Comments - (A) Several letters from industry commented that, in response to Generic Letter 81-04, "Emergency Procedures and Training for Station Blackout Events," dated February 21, 1981, utilities already have procedures in place to prepare plant operations for station blackout events. Owners groups have established generic guidance for station blackout operating procedures for licensees to use in developing plant-specific procedures. A representative of the Professional Reactor Operator Society, commented that --
Generic procedures are used by most operating facilities. These procedures are not carried into adequate depth of specific power plant operations. The industry has relied too heavily on generic procedures and
-has not given a real look at what specific steps must be taken.
Extrapolation of these procedures must be required.' Specific maintenance procedures must be established and followed. (B) Other comments on procedures rela'ted to the timeliness of operator actions, both inside and outside the control room. Houston Lighting and Power suggested that -- In Section 3.1 (Part 6), [of the regulatery guide] the first sentence . should be revised to read, ' Consideration should be given to' timely l operator actions both inside and outside of the control room that ...', so ! that credit can be taken for existing equipment that may not have ! l actuation and control from the control room. O ,
. 1
- 40 ,
- P-j Illinois Power Company recomended that --
! ... Section C.3.3 Iten 3.a. of the proposed regulatory guide should be + I 1 modified to read:
- a. The system should be capable of being actuated and controlled from -
the control room, or if other means of control are required (e.g., manual jumping of control logics or manual operation of valves), it should be demonstrated that .these steps can be carried out in a timely fashion, i j Response - (A) Licensees may take credit for station blackout procedures j already in place to comply with the station blackout rule. However, for the
- most part, these procedures were developed without having the benefit of a 1 j plant-specific atsessment to determine whether a plant could withstand a station blackout for a specific duration.- Therefore, these procedures may need -
to be modified af ter licensees have determined an acceptable station blackout f coping duration ano evaluated their plant's response to a station blackout of j 4 this duration. ! (B) The staff agrees with the coinments related to operator actions outside the control room, and the regulatory guide was revised accordingly. , 1 20. Schedule Provisions in the Proposed $50.63 l j Coments - Two letters contained coments on the proposed schedule in 950.63. : l OCRE felt the scheduling provisions in the proposed rule were far too generous. ! l One individual recomended that the schedule be modified to require licensees to submit, within 9 months of the date of the amendment, a list of l
- modifications along with a proposed schedule to implement those modifications.
[ (According to the proposed rule, licensees would not have to submit a schedule j for implementing equipment modifications until after tne staff received and l reviewed licensees' submittals on their plant's acceptable station ~ blackout ) ) duration.)
)
I i
,.-. .. 6 -_ ._ _ . . . . - - , - . . , . . ~ . , .
t-- Response - The staff agreed in part with these comments, and the schedule was revised accordingly. 650.63(c)(1)(iv) now requires that licensees submit within 9 months af ter the rule is issued a list of equipment modifications and a proposed schedule for implementing them. A final schedule would be developed after NRC has reviewed the licensees' submittal of their plant's acceptable station blackout duration. ,
- 21. Industry Initiatives Coments - In addition to comments on the proposed rule, NUMARC endorsed the following five initiatives
- to address the more important contributors to station blackout:
- 1. Each utility will review their site (s) against the criteria specified in NUREG-1109, and if the site (s) fall into the category of an eight-hour site after utilizing all power sources available, the utility will take actions to reduce the site (s) contribution to the overall risk of station blackout. Non-hardware changes will be made within one year. Hardware, changes will be made within a reasonable time thereafter.
- 2. Each utility will implement procedures at each of its site (s) for:
- a. coping with a station blackout event
- b. restoration of ac power following a station blackout event, and
- c. preparing the plant for severe weather conditions (e.g., '
hurricanes and tornados) to reduce the likelihood and consequences of a loss of offsite power and to reduce the : over,all risk of a station blackout event.
- 3. Each utility will, if applicable, reduce or eliminate cold fast-starts of emergency diesel generators for testing through changes to technical specifications or other appropriate means. :
i
- 4. Each utility will monitor emergency ac power unavailability utilizing ;
data utilities provide to INP0 on a regular basis. ;
- NUMARC initially proposed a set of four initiatives. The fifth initiative '
regarding the performance of a coping assessment was provided in l NUMARC-8700, which was submitted by le'tter from J. Opeka (NUMARC) to i T. Speis (RES) dated November'23, 1987. . i . . ~
- 5. Each utility will assess the ability of its plant (s) to cope witifT l station blackout. Plants utilizing alternate AC power.for station blackout response which can be shown by test to be available to i power the shutdown busses within 10 minutes of the onset of station l l
blackout do not need to perform any coping assessment. Remaining ; l alte'nate AC plants will assess their ability to cope for 1-hour, i ! Plants nnt utilizing an altarnm at sourca will a<sess their ability to cope for 4-hours. Factors identified which prevent l demonstrating the capability to cope for the appropriate curation l wi,ll be addressed through hardware and/or procedural changes so that successful demonstration is possible. I NUMARC previously opposed generic rulemaking and felt that the first four initiatives would resolve the station blackout issuc. . Response - These five initiatives now include many of the elements that are f included in the NRC resolution of USI A-44. The staff has followed up on the . NUMARC initiatives through a series of meetings in 1986 through 1987. The l result has been the development of NUMARC-8700 which provides guidelines and j criteria acceptable to the staff. The procedures in NUMARC-8700 has been referenced in Regulatory Gui,de 1.155 as providing guidance acceptable to the staff for meeting the ruTe. Table 1 in Regulatory Guide 1.155 provides a cross-reference to NUMARC-8700 and notes where the regulatory guide takes precedence, NUMARC's previous concerns have been aedressed in the development of RG 1.155 and NUMARC-8700 , Finding of no Significant Environmental Impact Availability The Commission has determined under the National Environmental Policy Act of 1969, 'as amended, and the Commission's rules in Subpart A of CFR Part 51, that this rule is not a major Federal action significantly affecting the quality of the human environment, and therefore, an environmental impset statement is not required. There are not any adverse environmental impacts as a result of the rule because there is no additional radiological exposure to the general public or plant employees, and plant shutdown is not required so there are no additional environmental impacts as a result of the need for replacement power. The environmental assessment and finding of .no significant impact on which this determination is based are available for inspection and copying for a fee at - l the NRC Public Document Room 1717 H Street, NW, Washington, DC. Single copies i of the environmental asseissment and the finding of no significant impact are 8 + 9
i k . l , 43 - i - p- . l 4 available from Mr. Warren Minners, Office of Nuclear Regulatory Research, U. S. ! j Nuclear Regulatory Commission, Washington, DC 20555, Telephone: (301) j 492-7827. l i Paperwork Reouction Act Statement ; l' This final rule amends information collection requirements that are subject to ' the Paperwork Reduction Act of 1980 (44 U.S.C. 3501 et seq.). These requirements were approved by the Office of Management and Budget approval 1 number 3150-0011. . Regulatory Analysis i The Commission has prepared a regulatory analysis on this final regulation. The ; i analysis examines the costs and benefits of the alternatives considered by the Connission. A copy of the regulatory analysis, NUREG-1109, "Regulatory / i .I
- Backfit Analysis for the Resolution of Unresolved Safety Issue A-44, Station Blackout is available for inspection and copying for a fee at the NRC Public Document Room,1717 H Street, NW, Washington, DC 20555. Copies of NUREG-1109 l
may be obtained by writing the Distribution Section, R'oom P-1304, division of i l lnformation Support Services, U. S. Nuclear Regulatory Comission, Wasnington, , j DC 20555. , j i - l Regulatory Flexibility Certification I ! i i As required by the Regulatory Flexibility Act (5 U.S.C. 605(b)), the Comission certifies that this rule does not have a significant economic impact on a !
- substantial number of small entities. The rule requires that nuclear power l plants be able to withstand a tota 1 loss of ac power for a specified time !
I duration and maintain reactor core cooling during that period. These
- facilities are licensed under the p'covisions of 10 CFR 50.21(b) and 10 CFR i 50.22. The companies that own these facilities do not fall withir- the scope of
! "small entities" as set forth in the Regulatory Flexibility Act or the small I business size standards set forth,in regulations issued by the'Small Business Administration'in 13 CFR Part'121. _..__.i,_ , _ _ , _ _ , ~ . . . - _ . . , - _ , _ - , - -
-,z - _ _ . _ _ _ ,
t 1 . i , l 1 r-- . List of Subjects in 10 CFR Part 50 i J Antitrust, Classified information, Fire prevention, Incorporation by reference, . L Integovernmental relations, Nuclear power plants and reactors, Penalty. l kac1ation protection, Reactor siting criteria, Reporting and recordkeeping requirements, i For the reasons set out in the preamble and under the authority of the Atomic l < . Energy Act of 1954, as amended, the Energy Reorganization Act-of 1974, as ' amended, and 5 U.S.C. 553, the NRC is adopting the following amendments to 10 f I CFR Part 50. Part 50 - Domestic Licensing of Production and Utilization Facilities i 1. The authority citatton for Part 50 is revised to read as f511ows: l AUTHORITY: Secs. 102, 103, 104, 105, 161, 182, 183, 186, 189, 68 Stat. 936, } l 937, 938, 948, 953, 954, 955, 956, as amended, sec. 234, 83 Stat. 1244, as ! 1 amended (42 U.S.C. 2132, 2133, 2134, 2135, 2201, 2232, 2233, 2236, 2239, 2282); L secs. 201, as amended, 202, 206, 88 Stat. 1242, as amended, 1244,1246,(42 ' U.S.C. 5841, 5842, 5846). Section 50.7 also issued under Pub. L. 9'5-601, sec.10, 92 Stat. 2951 t (42 U.S.C. 5851). Sections 50.10 also issued under secs. 101, 185, 68 Stat. ' s 936, 955, as amended (42 U.S.C. 2131, 2235); sec 102, Pub. L. 91-190, 83 Stat. 853 (42 U.S.C. 4332). Sections 50.23, 50.35, 50.55, 50.56 also issued uncer j sec.185, 68 Stat. 955 (42 U.S.C. 2235). Sections 50.33a, 50.55a and Appendix ' 0 also issued under sec. 102, Pub. L. 91-190, 83 Stat. 853 (42 U.S.C. 4332) Sections 50.34 and 50.54 also issued under sec. 204, SS Stat. 1245 (42 U.S.C.
! 5844). Sections 50.58, 50.91, and 50.92 also issued under Pub. L. 97-415, 96 l l Stat. 2073 (42 U.S.C. 2239). Section 50.78 also issued under sec. 122.68 Stat. ; ; 939 (42 U.S.C. 2152). Sections 50.80-50.81 also issued under sec. 184, 68 :
j Stat. 954, as amended (42 U.S.C. 2234). Section 50.103 also issued under sec. ! 108, 68 Stat. 955 (42 U.S.C. 2237). For the purposes of sec. 223, 68 Stat. 958, as amended (42 U.S.C. 2273); l 50.10(a), (b), and (c) and 50.44, 50.46, 50.48, 50.54, and 50.80(a) are issued ! I under sec.161b, 68 Stat. 948, as amended (42 U.S.C. 2201(b)); 50.10(b) and I (c), and 50.54 are issued under sec. 1611, 68 Stat. 949, as amended (42 U.S.C. 2201(1)); and 50.55(e), 50.59(b), 50.70, 50.71, 50.72, 50.73, and 50.78 are issued unde.r sec. 1610, 68 Stat. 950, as amended (42 U.S.C. 2201(o)). I k i t . 3
,- _~ --,---_n, , .- , .,.,,.,-,-,.1-- - - - - . , . - - - - . - - - - , - . - . - _2-.n-_,,-.-~.-.
1
- 2. In 150.2, definitions of "alternate ac source" and "station blackout" a f l
added in'the alphabetical sequence to read as follows: j 50.2 Definitions i "Alternate ac source" means an alternating current (ac) power source thi.t l is available to and located at or nearby a nuclear power plant and meets l the following requirements: (i) is connectable to but not normally ; connected to the offsite or onsite emergency ac power systems, (ii) has ; minimum potential for comon rpode failure with offsite power or the onsite emergency ac power sources, (iii) is available in a timely manner after ! the onset of station blackout, (iv) has sufficient capacity and [ reliability for operation of all systems required for coping with station [ blackcut and for the time required to bring and maintain the plant in saf.e I shutdown (non-DBA). ; i "Safe shutdown (non-0BA(design basis accident))" for station blackout means !
. bringing the plant to those shutdown conditions specified in plant i technical specifications as Hot Standby or Hot Shutdown, as appropriate (plants have the option of maintaining the P.CS at normal operating temperatures or at reduced temperatures). [
0 l j "Station blackout" means the complete loss of alternating current (ac) ] electric power to the essential and nonessential switchgear' buses in a j j nuclear power plant (i.e., loss of offsite electric power system ) ] concurrent with turbine trip and unavailability of the onsite emergency l l ac power system). Station blackout does not include the loss of ) available ac power to buses fed by station batteries through inverters or i by alternate ac sources as defined in this section, nor does it assume a . l ll concurrent single failure or design basis accident. At single unit sites, any emerge.ncy ac power source (s) in excess of the number required ) to meet minimum redundancy requirements (i.e' , single failure) for l ' safe shutdown (non-DBA) is assumed to be available and may be designated , as an alternate power source (s) provided the applicable requirements are j met. At multi-unit sites, where the combination of emergency ac power
i j . I . j '- l i T-
- sources exceeds the minimum redundancy requirements for safe shutdown i l (non-DBA) of all units, the rcmaining emergency ac power sources'may be l used as alternate ac power sources provided they meet the applicable l 3
requirements. If these criteria are not met, station blackout must be . 4 a>>umeo on all the units. ! r t l 3. A new $50.63 is added to read as follows: 3 i 1 150.63 Loss of all alternating current power. j (a) Requirements. Each light-water-cooleo nuclear power plant licensed to (
- operate must be able to withstand for a specified duration and recover from a l station blackout as defined in 150.2. The specified station blackout duration i shall be based on the following factors
- (1) the redundancy of the'onsite l
- emergency ac power sources, (2) the reliability of the onsite emergency ac
] power sources (3) the expected frequency of loss of offsite power, and (4) the I probable time needed to restore offsite power. The reactor core and. associated . coolant, control, and protection systems, including stati'on batteries, and any l .other necessary support systems, shall provide sufficient capacity and capaoility to assure that the core is cooled and appropriate containment j integrity is maintained in the event of a station blackout for the specifiec ! duratinn. The capability for coping with a station blackout of specifieo I duration shall be determined by an appropriate coping.analy:is. Utilities ar'e { ]
- expected to have the baseline assumptions, analyses and related information ;
j used in their coping evaluations available for NRC review. 1 i I (b) Limitation of Scope. Paragraphs (c) and (d) of this section do not apply { to those plants licensed to operate prior to [ insert the effective date of this l l amendment], it the capability to withstand station blackout was specifically l addressed in the operating license proceeding and was explicitly approved by l r j the NRC. j i . - 3, : F i i l
-._ m _ ; . __ L__.. .____._____.___._.J
4 !
~
l 1 - 47.. l F l (c) Implementation l i j (1) Information Submittal: For each light-water-cooled nuclear power plant l l licensed to operate on or before [ insert the effective date of this amendment], i i the licensee shall submit the information defined below to the Director of the
! Office of Nuclear Reactor Regulation by [ insert a date 270 days after t.he j effectivedateofthisamendment]: For each light-water-cooled nuclear power j i plant licensed to operate after the date of this arrandment, the same 270 day !
l schedule for information submittal applies after the date of license issuance. l l1 j (i) A proposeo station blackout duration to be used in determining ; compliance with paragraph (a) of this section, including a j j justification for the selection based on the four factors identified l l in paragraph (a) of this section. - l ! (ii)' A description of the procedures that have been established for i j station blackout events for the duration determined in paragraph ( l (c)(1)(1) of this section and for recovery therefrem; and ! l ! (iii) A list of modifications to equipment and associated j i procedures necessary, if any, to meet the requirements or i
. paragraph (a) of this section, for the specified station 3 blackout curation determined ir paragraph (c)(1)(i) of this '
l section, ano a proposed schedule for implementing the stateo l modifications. l (2) Alternate ac source: An alternate ac power source (s) as defined in i 550.2 will constitute acceptable capability to. withstand station blackout j- provided an analysis is performed which demonstrates that the plant has l this capability from onset of the station blackout until the alternate ac l source (s) and required shutdown equipment are started and lined up to 1 i operate. The time required for startup and ' alignment of the alternate ac )' power source (s) and this equipment shall be demonstrated by test. An l alternate ac source (s) serving a multiple unit site where onsite emergency 3 1 1.
r r-- ac sources are not shared between units shall have, as a minimum, the capacity and capability for coping with a station blackout in any of the units; at sites where onsite emergency ac sources are shared between units, the alternate ac source (s) shall have the capacity and capability as required to assure that 01 units can be brought to and maintained in safe shutdown (non-DBA) as defined in 950.2. If the alternate ac source (s) meets the above requirements and can be demonstrated by test to be available to power the shutdown busses'within 10 minutes of the onset of station blackout,' then no coping analysis is required. (J) Regulatory Assessment: After consideration of the information submitted in accordance with paragraph (c) (1) of this section, the Director, Office of Nuclear Reactor Regulatien, will notify the licensee of the Director's conclusions regarding the adequacy of the proposed specified station blackout duration, the proposed equipment modifications and procedures and the proposed schedule for implementing the procedures and modifications for compliance with paragraph (a) this section. (4) Implementation Schedule: For each light-water-cooled nuclear power plant 1.icensed to op,erate on or before [ insert the effective date of this amendment], the licensee shall, within 30 days of the notification providea in accordance with paragraph (c) (3) of this section, submit to the Director of the Office of - Nuclear Reactor Regulatirn a schedule comitment f or implementing any equipment and associated procedure acdificaticns necessary to meet the requirements of paragraph (a) of this section. This submittal must include an explanation of the schedule and a justification if the schedula does not p,rovide for completion of the modifications within two years of the notification provided in accordance with paragraph (c)(3) of this section. A final schedule for implementing modifications necessary to comply with the requirements of paragraph (a) of this section shall be established by the NRC staff in consultation and coordination with the licensee. Dated at Washington, DC, this day of 1988. For the Nuclear Regulatory Comission. Samuel J. Chilk Secretary of the Commission. m
BACKFIT ANALYSIS Analysis and Determination That The Rulemaking to kend 10 CFR 50 Concerning Station Blackout Complies With The Backfit Rule 10 CFR 50.109 The Commission's existing regulations establish requirements for the design and testing of onsite and offsite electrical power systems (10 CrR Part 50, Appendix A, General Design Criteria 17 and 18). However, as operating experi-ence has accumulated, the concern has arisen regarding the reliability of both the offsite and onsite emergency oc power systems. These systems provide power for various safety systems including reactor core decay heat removal and con-tainment heat removal which are essential for preserving the integrity of the reactor core and the containment building, respectively. In numerous instances emergency diesel generators have failed to start and run during tests conducted at operating plants. In addition, a number of operating plants have experienced a total loss of offsite electric power, and more such occurrences are expected. Existing regulations do not require explicitly that nuclear power plants be designed'to withstand the less of all ac power for any specified period. This issue has been studied by the staff as part of Unresolved Safety Issue (USI) A- M , "Statien Blackout." Both deterministic and probabilistic analyses were performed to cetermine the timing anc cdnsequences of various accident sequences and to identify the dominant factors affecting the likelihood of core melt accidents from station blackout. Although operational experience shows that the risk to public nealth and safety is not undue, these studies which I have evaluated plant design features and site dependant factors in detail show that blackout can be a significant contributor to the overall residual risk. Consequently, the Commission is amending its regulations to require that plants ) be capable of withstanding a total loss of ac power for a specified duration and to maintain reactor core cooling during that period. l l An analysis of the benefits and costs of implementing the station blackout rule is presented NUREG-1109, "Regulatory /BackfitA ' nalysis for the Resolution
l i I
. i 50 -
- i t
t--- t l of Unresolved Safety Issue A-44, Station Blackout."_ The estimated benefit j from implementing the station blacitout rule is a reduction in the frequency of l j core damage per reactor-year due to station blackout and the associated risk of l j offsite radioactive releases. The risk reduction for 100 operating reactors is j estimated to be 145,000 person-rems and supports the Commission's conclusion ;
- that 650.63 provides a substantial improvement in the level of public health j l and safety protection, t i !
1 The cost for licensees to comply with the rule would vary depending on the j existing capability of each plant to cope with a station blackout, as well as ! i the specified station blackout duration for that plant. The costs would be i
; primarily for licensees to assess the plant's capability to cope with a station i l blackout (2) to develop procedures, (3) to improve die wi generator reliabil- ) ity if the reliaoility fillis below certain levels. and (4) to retrofit plants j with additional components or systems, as necessary, to meet the requirements.,
) : 1 j The estimated total cost for 100 operating reactors to comply with the res0lu- [ ] tion of USI A-44 is about $60 million. The average cost per reactor would be i 1 around $600,000, ranging from 5350,000, if only a station blackout assessment j
; and procedures and training are necessary, to a maximum of about $4 million if l j substantial modifications are neeced, including requelification of a diesel l generator. !
l l J The overall value-impact. ratio, not including accident avoidance costs, is l about 2,400 persun-rems averted per million dollars. If the net cost, which i
- includes the cost savings from accident avoidance (i.e., cleanup and repair of i onsite damages and replacement power following an accident) were used, the f 1 .
1 ! l l . , Draft NUREG-1109 was issued for public comment in January 1986. Copies of i this report are available, for inspection and copying for a fee at the NRC Public Document Room, 1717 H Street, NW, Washington, DC 20555. . s 1 -
,--r- mev7 .-.-,----..,--.-,---v---- - - . . -y- y 7,,-, , , . ,, y._,-,,-,.,,---.--,-.------,p-..,.-- ---w , ,,,--.,-.w--,,.v-m---,ym,, ,.,.,,,,,,.,,,vw,y-my,we--v,.-,---,
t-overall value-impact ratio would improve significantly to about 6,100 person-rems averted per million dollars. These values, which exceed the'51000/ person-rem interim guidance provided by the Commission, support proceeding with the implementetion of $50.63. The preceding quantitative value-impact analysis was one of the factors considered in evaluating the rule, but other factors also playeo a part in the decision-making process. Probabilistic risk assessment (PRA) studies performed for this US!, as well as some plant-specific PRAs, have shown that station blackout can be a significant contributor to core melt frequency, and, with consideration of containment failure, station blackout events can represent an important contributor to reactor risk. In general, active systems required for containment heat removal are unavailable during station blackout. -Therefore, the offsite risk is higher from a core melt resulting from a station blackout than. it is from many other accident scenarios. Although there are licensing requirements and guidance directed at providing reliable offsite and onsite ac power, experience has shown that there are prac-tical limitations in en3uring the reliability of offsite and onsite emergency ac power systems. Potential vulnerabilities to common cause failures associated with design, operational, and environmental factors can affect ac power system reliability. For example, if potential common cause failures of emergency diesel generators exist (e.g.6 in service-water' or de power support systems), then the estimated core damage frequency from station blackout events can increase significantly. Also, even though recent data indicate that the average emergency diesel generator reliability has, improved slightly since 1976, these data also show that diesel generator failure rates during unplanned demand (e.g., following a loss of offsite power).were higher than that during surveillance tests. The estimated frequenc'y of core damage from station blackout events is directly proportional to the frequency of th'e initiating event. Estimates of station blackout frequencies for this USI were based on actual operational experience with credit given for trends showing a red'uction in the frequency of losse~s of offsite power resulting from plant-centered events. This is assumed to be a
t-- realistic indicator of future performance. An argument can be made that the future performance will be better than the past. For example, when problems with the offsite power grid arise, they are fixed and, therefore, grid reli-ability should improve. On the other hand, grid power failures may become more frequent because fewer plants are being built, and more power is being trans-mitted among regions, thus placing greater stress on transmission lines. A number of foreign countries, including France, Britain, Sweden, Germany and Belgium, have taken steps to reduce the risk from station blackout events. These steps include adding design features to enhance the capability of the plant to cope with a station blackout for a substantial period of time and/or adding redundant and diverse emergency ac power sources. The factors discussed above support the determination that additional defense in-depth provided by the ability of a plant to cope with station blackout for a specific duration would provide substantial increase in the overall protection of the public health and safety, and the direct and indirect costs of implemen-tation cre justified in view of this increased protection. The Ccmmission has considered how this backfit should be prioritized and scheduled in light of other regulatory activities ongoing at operating nuclear power plants. Station blackcut warrants a high priority raaking based on both its status as an "unresolved safety issue" and the results and conclusions reached in resolving this issue. As noted in the implementation section of the rule (550.63(c)(4)), the schedule for ec,uipment modification (if needed to mee the requirements of i the rulc) shall be established by the NRC staff in censultation and coordination with the licensee. Modifications that cannot be scheduled for ccmpletion within two years after NRC accepts the licensee's specified station l blackout duration must be justified by the licensee. The NRC retains the authority to determine the schedules for modifications. l l l l l t
~~ - .. _ .- --. .. +
j' . 3 ! Analysisof50.109(c) Factors i ! 1. Statement of the specific objectives that the backfit is designed to j achieve 2 The NRC staff has completed a review and evaluation of information developed since 1980 on Unresolved Safety Issue (USI) A-44, Station 1 Blackout. As a result of these efforts, the NRC is amanding 10 CFR J
- Part 50 by adding a new i 50.63, "Station Blackout".
I The objective of the station blackout rule is to reduce the risk of severe accidents associated with station blackout by making 5 cation blackout a i relatively small contributor to total core damage frequency. Specifically,
- the rule requires all light-water-cooled nuclear power plants to be able to j cope with a station blackout for a specified duracio.. .id to have
- procedures and training for such an ' event. A regulatory guide, to be I -
issued along with the rule, provides an acceptable method to determine the 4 - station blackout duration for each plant. The duration is to be determined I
- for each plant based on a comparison of the individual plant design with factors that have been identified as the main contributors to risk of core melt resulting from station blackout. These factors are (1) the redundancy
; of onsite emergency ac power sources, (2) the reliability of onsite emergency ac power sources. (3) the frequency of loss of offsite power, and (4) the probable time needed to restore offsite power. l i
't
- 2. General description of the activity required by the licensee or applicant '
l in order to complete the backfit - . i In order to comply with the resolution of USI A-44, licenser, will be l required to -- l Maintain the reliability of onsite emergency ac power sources at or ! above specified acceptable reliability levels. l . )
- 1 -
L __ . l
- o. -
1
. 54 - ;
w Develop procedures and training to restore ac power using nearby power l sources if the emergency ac power system and the normal offsite power sources are unavailable. Determine the duration that the plant should be able to withstand a : station blackout based on the factors specified in 650.63, "Station Blackout" and Regulatory Guide 1.155, "Station Blackout." t If available, an alternate ac power source, that meets specific criteria for independence and capacity, can be used to cope with a_ i station blackout. r Evaluate the plant's actual capability to withstand and recover from a j station blackout. This evaluation includes: ! [
- Verifying the adequacy of station battery power, condensate storage ,
tank capacity, and plant / instrument air for the station blackout duration.
- Varifying adequate reactor coolant pump seal integrity for the station blackout duration so that seal leakage due to lack of seal cooling would not result in a sufficient primary system coolant [
inventory reduction to lose.the ability to cool the core, i
- Verifying the operability of equipment needed to operate during a !
station blackout and the recovery from the blackout for j environmental conditions associated with total loss of ac power l (i.e., loss of heating, ventilation and air conditioning), i Depending on the plant's existing capability to cope with a station blackout, licensees may or may not need to backfit hardware modifica-tions (e.g., adding battery capacity) to comply with the rule. (See item 8 of this analysis for additional discussion.) Licensees will be i required to have pr.ocedures and training to cope with and recover from
, a station blackout. -
i
55 -
- 3. Potential change in the risk to the public from the accidental offsite &
release of radioactive material. Implementation of the station blackout rule will result in an estimated total risk reduction to the public ranging from 65,000 to 215,000 person-rems with a best estimate of about 145,000 person-rem. 4 Potential impact on radiological exposure of facility employees For 100 operating reactors, the estimated total reduction in occupational exposure resulting from reduced core damage. frequencies and associated post-accident cleanup and repair activities is 1,500 person-rem. No significant increase in occupational exposure is expected from operation and maintenance activities associated with the rule. Equipment additions and modifications contemplated do not require work in and around the
-reactor coolant system and therefore are not expected to result in significant radiation exposure.
S. Installation and continuing costs associated with the backfit, including' the cost of facility downtime or the cost of construction delay
.For 100 operating reactors, the total estimated cost associated with the station blackout rule ranges from 542 to $94 million with a best estimate of $60 mill' ion. This estimate breaks down as follows: -
Estimated number of Estimated total cost (million dollars) Activity reactors Best High Low - Assess plant's capability to 100 25 40 20 cope with station blackout Develop procedures and 100 10 15 5 training Improve diesel generator 10 2.5 4 1.5 reliability Requalify diesel generator 2 5.5 11 ' 2. 5
. Install hardware to increase 27 17 ,24 13 plant capability to cope with station blackout _ _
Totals- 60 94 42
- 6. The potential safety 1,ipact of changes in plant or operational complexity, including the relationship to proposed and existing regulatory requirements The rule requiring plants to be able to cope with a station blackout *houid not add to piant or operational complexity. The station blackout rule is closely related to several NRC generic programs and proposed and existing regulatory requirements as the following discussion indicates.
Generic Issue B-56, Diesel Generator Reliability The resolution of USI A-44 includes a regulatory guide on station blackout that specifies the following guidance on diesel generator reliability (RG 1.155, Sections C1.1. and 2): The reliable operation of the onsite emergency ac power sources should be ensured by a reliability program designed to monitor and maintain the reliability of each power source over time at a specified acceptable level and to improve the reliability if , that level is not achieved. The reliability program should include surveillance testing, target values fer maximum' failure rate, and a maintenance program. Surveillance testing should monitor performance so that if the actual failure rate exceeds the target level, corrective actions can be taken. The maximum emergency diesel generator failure rate for each diesel generator should be maintained at 0.05 failure per demand. However, for plants having an emergency ac power system [ configuration - requiring two-out-of-three diesel generators or having a total of two diesel generators shared between two units at a site], the emergency diesel generator failure rate for each diesel genera:Cr should be maintained at 0.025 failure per demand or less. The resolution of B-56 will provide specific guidance for use by the staff or industry to review the adequacy of diesel generator reliability programs consistent with the resolution of USI A-44 Generic Issue 23, Reactor Coolant Pump Seal Failures Reactor coolant pump (RCP) seal integrity is necessary for maintaining primary system inventory Auring. station blackout conditions, The , estimates of core damage frequency for station blackout events for
-- . ~ . . . .-- - ~ - .- - . _ . - - . . --
, . l
~
i ! )- r j " l l USI A-44 assumed that RCP seals would leak at a rate of 20 gallons per l minute. Results of analyses performed for GI 23 will provide the [ l information necessary to estimate RCp seal behavior during a [ ] station blackout. The industry coping analysis guidelines (NUMARC-8700) [ J recognize the possibility of leakages exceeding on assumed 25 gpm per pump and incorporate the need to reevaluate the plant specific coping analysis if the resolution of GI 23 identifies higher levels. l l l USI A-45, Shutdown Decay Heat Removal Requirements . I The overall objective of USI A-45 is to evaluate the adequacy of current ! licensing design requirements to ensure that the nuclear power plants do f not pose an unacceptable risk as a result of failure to remove shutdown !
! decay heat. The study includes an assessment of alternative means of l 4 !
l , . shutdown decay heat removal and of diverse "dedicated" systems for this purpose. Results will includ proposed recomendations regarding the l desirability of, and possible design requirements for, improvements in f existing systems or an alternative dedicated decay heat removal method. , ! , I i ! j The USI A-44 concern for maintaining adecuate core cooling under station l 3 blackout conditions can be considered a subset of the overall A-45 issue. l Hcwever, there are significant differences in scope between these two
, issues. USI A-44 deals with the probability of loss of ac power, the capability to remove decay heat using systems th't a do not require ac power, and the ability to restore ac power in a timely manner. USI A-45 l deals with the overall reliability 6f the decay heat rutoval function in l l terms of response to transients, small break loss-of-coolant accidents,
- and sp2cial emergencies such as fires, floods, seismic events, and sabotage.
1 J Although the recomendations that might result from the resolution of l USI A-45 are not yet final, some could affect the station blackout capa-bility, while others would not. Recommendations that involve a new or I l , improved decay heat removal system that is ac power dependent but that 1 1
\
s F i does not include its own dedicated ac power supply would have-no effect on' l US! A-44. Recomendations that involve an additional ac-independent decay l heat removal system would have a very mcdest effect of USI A-44. [ Recommendations that involve an additional decay heat removal system with l its own ac power supply would have a significant effect on .USI A-44. Such f a r.aw additional system would receive.the appropriate credit within the l USI A-44 resolution by either changing trie emergency ac power config- l l uration group or providing the ability to cope with' a station blackout for j an extended period of time. Well before plant modifications, if any, will l be implemented to comply with the station blackout rule, it is anticipated ; that the proposed technical resolution of US! A-45 will be published for , public coment. Those plants needing hardware modifications for station : [ blackout could be reevaluated before any actual modifications are made so j that any contemplated design changes resulting from the resolution of l USI A-45 can be considered at the same time. l l Generic Issue A-30, Adequacy of Safety-Related DC Power Supply l l The analysis performed for USI A-44 assumed that a high level of de power l system reliability would be maintained so that (1) de power system f failures would not be a significant contributor to losses of all ac power j and (2) should a station blackout occur, the probability of immediate de i
. power system failure would be low. Whereas Generic Issue A-30 focuses on enhancing battery reliability, the resolution of USI A-44 is aimed at i assuring adequate station battery capacity in the event of a station I
blackout of a specified duration. Therefore, these two issues are consistent and ctmpatible. i Fire Protection Prcgram
- 10 CFR 50.48 stat'es that each operating nuclear power plant shall have a fire protection plan that satisfies GDC 3. The fire protection features required to satisfy GDC 3 are specified in Appendix R to 10 CFR 50. They include certain provisions regarding alternative and dedicated shutdown t
j
t % r--- capability. To meet these provisions, some licensees have a'd ded, or plan to add, improved capability to restore power from offsite sources or onsite diesels for the shutdown system. A few plants have installed a safe shutdown facility for fire protection that includes a charging pump powered by its own independent ac power source. In the event of a station { blackout, this system can provide makeup capability to the primary coolant l system as well as reactor coolant pump seal cooling. Th'is could be a l significant benefit in terms of enhancing the ability of a plant to cope l with a station blackout. Plants that have added equipment to achieve ! alternate safe shut 6.wn in order to meet Appenoix R requirements could ! take credit for that equipment, if available, for coping with a station ; blackout event.
- 7. The estimated resource burden on the NRC associated with the backfit and
.the availability of such resources !
i The estimated total cost for NRC review of industry submittals required by the station blackout rule is'51.5 million based on submittals for 100 i reactors and an estimated average of 175 person-hours per reactor. l
- 8. The potential impact of differences in facility type, design, or age on the relevancy anc practicality of the backfit l The station blackout rule applies to all pressurized water reactors and j boiling water reactors. However, in determining an acceptable station ,
blackout coping capability for each plant, differences in plant charac-teristics relating to ac power reliability (e.g., number of emergency
' esel generators, the reliability of the offsite and on, site emergency ac di power systems) could result in different acceptable coping capabilities.
For example, plants with an already low risk from station blackout because of multiple, highly reliable ac power sources are required to withstand a station blackout for a relatively short period of time; and few, if any, hardware backfits would be required as a result of the rule.. Plants with currently higher risk from station blacko'ut are required to withstand somewhat longer duration blackouts; and, depending on their existing ,
~
capability, may need some modifications to achieve the longer station blackout capability.
- 9. Whether the backfit is interim or final and, if interim, the .iustification for imposing the backfit on an interim basis The station blackout rule is the final resolution of USI A-44; it is not an interim measure.
9 4 9 e O 4 e .
ENCLOSURE C us a-44 Eco exo WM U 11-12-87 Reculatory/Backfit Analysis for t,e ) Reso ution o" Unreso ved Sa"ety l A-M, Station 1 Issue B ac,<out i 4 4 __ m U.S. Nuclear Regulatory . Commission I Office of Nuclear Regulatory Research . Office of Nuclear Reactor Regulation 1 ; A. M. Rubin M* Ib ,
^
fl :s-( $ j I l 1
~
ABSTRACT Stationblackoutisthecompletelossofalternatingcurrent(ac)e'iectric power to the essential and nonessential buses in a nuclear power plant; it
*results when both offsite power and the onsite emergency ac power systems are unavailable. Because ::.9y safcty afste > ,equired for reactor core decay heat removal and containment heat removal depend on ac power, the consequences of a statien blackout could be severe. Because of the concern about the frequency of loss of offsite power, the number of failures of emergency diesel generators, and the potentially severe consequences of a loss of all ac power, "Station Blackout" was designated as Unresolved Safety Issue (USI) A-44.
This report presents the regulatory /backfit analysis for USI A-44. It includes (1) a summary ~of the issue, (2) the recommended technical resolution, (3) alter-native resolutions considered by'the Nuclear Regulatory Commission (NRC) staff, (4) an assessment of the benefits and costs of the recommended resolution, (5) the decision rationale, (6) the relationship between USI A-44 and other NRC programs and requirements, and (7) a backfit analysis demonstrating that the resolution of USI A-44 complies with the backfit rule (10 CFR 50.109). NUREG-1109 til a -. _
- 1 s-TABLE OF CONTENTS Page ABSTRACT..........................................................[..... iii DPEFACE.................................................... ............ ix ACKNOWLEDGMENTS............................................ .... xi EXECUTIVE
SUMMARY
........ xiii 1 STATEMENT OF THE PR0BLEM.............................. ............ 1 2
3 0BJECTIVES............................................ ............ ALTERNATIVE RESOLUTIONS............................................ 2
'2 3.1 Alternative (i)............................................... 2 3.2 Alternative (11).............................................. 5 3.3 Alternative (111)............................................. 5 3.4 Alternative (iv)........................... 5 3.5 Alternative (v)............. .............. ..................
.................. 14 4 CONSEQUENCES................. ..................................... 14
-4.1 Costs and Benefits of Ah rnativeResolutions................[ 14 4.1.1 Alternative (i)........................................ 14 4.1.2 AJternative (11)............................. ......... 26 4.1,3 Alternative (iii)............................ ... 26 4.1.4 Alternative (iv)....................................... ..... 27 4.1.5 Alternative (v).................................. ..... 27 4.2 Impacts on Other Requirements................................. 27 4.2.1 Generic Issue B-56, Diesel Generator Reliability....... 27 4~. 2. 2 USI A-45, Shutdown
- Decay Heat Removal Requirements..... 28 4.2.3 Generic Issue B-23, Reactor Coolan't Pump Seal Failures.
29 4.2.4 Generic Issue A-30, Adequacy of Safety-Related DC Power Supp1y........................................... 30 4.2.5 Regulatory Guide 1.108, Periodic Testing of Diese.1 Generator Units Used as Onsite Electric Power Systems at Nuclear Power Plantt. .............................. 30 4.2.6 Fire Protection Program for Nuclear Power Facilities... 31 4.2.7 Generic Issue L-124, Auxiliary Feedwater System Reliability............................................ 31 4.2.8 Multiplant Action Items B-23 and B-48, Degraded Grid Voltage and Adequacy of Station Electric Distribution Voltage................................................ 31 4.2.9 Severe Accident Program................................ 31 4.3 Constraints................................................... -32 NUREG-1109 v l .
8 TABLE OF CONTENTS (Continued) P_ay 5 DECISION RATIONALE................................................. 33 5.1 Commission's Safety Goa1s..................................... 34 5.2 Station Blackout Reports................................ ..... 36 5.2.1 NUREG-1032, Evaluation of Station Blackout Accidents at Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-44........................... 36 5.2.2 NUREG/CR-3225, Station Blackout, Accident Analyses...... 38 5.2.3 NUREG/CR-2989, Reliability of Emergency AC Power Systems at Nuclear Power P1 ants........................ 39 5.2.4 NUREG/C'R-4347, Emergency Diesel Generator Operating Experience, 1981-1983.................................. 39 5.2.5 NUREG/CR-3992, Collection and Evaluation of Complete and Partial Losses of Offsite Power at Nuclea Power P1 ants.......................................r.......... 40 6 IMPLEMENTATION..................................................... 41 6.1 Schedule for Implementing the Final Station Blackout Rule..... 41 6.2 Relationship to Other Existing or Proposed Requirements.......
- ~~
41 7 RerERENCeS......................................................... 42 APPENDICES . APPENDIX A BACKFIT ANALYSIS APPENDIX B WORKSHEETS FOR "0ST ESTIMATES NUREG-1109 vi i . .
LIST OF FIGURES
.P.a g_e 1 Schematic of electrically independent transmission line............ 10 2 Schematic of two switchyards electrically connected (one-unit site).............................................................. 11 3 Schematic of two switchyards electrically connected (two-unit.
site).......................................... . . . . . . . 11 4 Comparison of estimated station blackout core damage frequency before and after ru1e.............................................. 19 LIST OF TABLES 1 Acceptable' station blackout duration capability.................... 6 2 Emergency ac power configuration groups............................ 7 3 Offsite power design configuration groups.......................... 8 4 Definitions of independence of offsite power (I) groups............ 9 5 Definitions of severe weather (SW) groups.......................... 12 6 Definitions of severe weather recovery (SWR) groups................ 13 7 Definitions of extremely severe weather (ESW) groups............... 13 8 Estimated number of reactors having similar characteristics........ 17 9 E.xamples of reduction in frequency of core melt per reactor year... 18 10 Estimated costs for industry to com o f USI A-44. . . . . . . ._. . . . . . . . . .................................
. . . . . . ply wi th the resolution 21 11 Discounted present value of avoided onsite property damage for 100 reactors....................................................... 22 12 Value-impact summary for resolution of USI A-44.................... 23 13 Implementation schedule for final station blackout rule. . . . . . . . . . . . 42 NUREG-1109 vii p . _ _ . _ _ _ , , _ -.. --,.r- - - - --- .--r - - - - - - - - -
PREFACE This report presents the supporting value-impact analysis, backfit'a'n'alysis, and decision rationale for the resolution of USI A-44. The resolution itself con-sists of a rule that requires nuclear power plants to be able to cona with a station blackout for a specified period, and an associated regulatory guide that provides guidance on an acceptable means to comply with the rule. The NRC staff report that provides data and technical analyses suppcrting the resolution of this issue is published separately as NUREG-1032. NRC contractor NUREG/CR reports published under this task are listed in Section 5.2 of this report. The Conmission published a proposed station blackout rule in the Federal Register on March 21, 1986 (51 FR 9829) for public comment. In April 1986, the - NRC published a regulatory guide on station blackout for comment (Regulatory Guide 1.155). Previously, in January 1986, NRC published a draft version of this report (NUREG-1109) for comment. All public comments on this issue were reviewed and considered by the staff in formulating the final resolution of USI A-44 and this final version of NUREG-1109. Responses to the public com-ments are discussed in the supplementary information section of the Notice of Final Rulemaking for the Station Blackout Rule, which is to be published in the Federal Register. - Alan M. Rubin I e NUREG-1109 ix
- .n -
l ACKNOWLEDGMENTS
. . . . 1 The NRC staff members who provided the technical information and analytical '
data necessary to prepare this report are grate, fully acknowledged by 'the author. l They are especially - l i Patrick Baranowsky Joh.1 Flack Erasmia Lois l l l l e e NUREG-1109 xi , t
EXECUTIVE
SUMMARY
This report provides supporting information, including a cost-benefit' analysis and a backfit analysis, for the Nuclear Regulatory Commission's (NRC's) resolution of Unresolved Safety Issue (USI) A-44, "Station Blackout." Tha tarm "station blackout" refers to the complete loss of alternating current (ac) electric power to the essential and nonessential switchgear buses in a nuclear-power plant. Station blackout involves the loss of offsite power concurrent with turbine trip and the unavailability of the onsite emergency ac power system. Because many safety systems required for reactor core decay heat removal and containment heat removal depend on ac power, the consequences of station blackout could be severe. The NRC's concern about station blackout arose because of the accumulated ex- ' perience regarding the reliability of ac power supplies. In numerous instances emergency diesel generators have: failed to start and run during tests conducted ' at operating plants. In addition, a number of operating plants have experienced a total loss of offsite electric power, and more such occurrences are expected. In almost every one of these loss-of-offsite power events, the onsite emergency ac power supplies were available immediately to supply the power needed by vital
. safety equipment. However, in some instances, one of the redundant emergency Sower- supplies has been unavailable. In a few cases, there has been a complete l loss of ac power, but during these events, ac power was restored in a short time without any serious consequences.
The issue of station blackout involves the likelihood and duration of the loss of offsite power, the redundancy and reliability of onsite emergency ac power systems, and the potential for severe accident sequences after a loss of all ac power. These topics were investigated under USI Task Action Plan A-44.* In addition to identifying important factors and sequences that could lead to station blackout, the results indicated that actions could be takeri to reduce the risk from station blackout events. The issue is of concern for both boil-ing water reactors and. pressurized water reactors. The evaluation to resolve USI A-44 included deterministic and probabilistic analyses. Calculations to determine the timing and consequences of various accident sequences were performed,.and the dominant factors affecting station blackout likelihood,were identified. Using this information, simplified prob-abilistic accident sequence correlations were calculated to estimate the like-lihood of core melt accidents resulting from station blackout for different plant design, operational, and location factors. These quantitative estimates were used to give insights on the relative importance of various factors, and those insights, along with engineering judgment, were used to develop the resolution. Thus, the effects of variations in design, operations, and plant location on risk from station blackout events were used to reach a reasonably consistent level of risk in the recommendations developed. ,.
"The technical findings of these investigations are detailed in NUREG/CR-2989, NUREG/CR-3226, NUREG/CR-3992, NUREG/CR-4347, and NUREG-1032. .
NUREG-1109 xiii
o Although there are licensing requirements and' guidance"directed at providing reliable offsite and onsite ac power, experience'has shown that there are practical limitations in ensuring the reliability of offsite and onsite emer-gency ac power systems. Analyses have shown. that core damage frequency can be significantly reduced if a plant can withstand a total loss of ac power until l
. either offsite or onsite emergency ac power can be restored. -- 1 Because there is no requirement that plants be able to withstand a loss of both l the offsite and onsite emergency ac power systems, the resolution calls for i rulemaking to requira all .nlants to be abb t:, co;,c with a station blackout for a specified duration. Regulatory Guide 1.155 on station blackout describes a method acceptable to the NRC staff for complying with the rule, and specifies guidance on providing reliable ac electric power supplies. Plants with an already low risk from station blackout are required to withstand a station blackout for a relatively short period of time. These plants probably need few, if any, modifications as a result of the rule. Plants with a currently higher risk from station blackout are required to withstand blackouts of a some-what longer duration, and, depending on their existi,ng capability, might require modifications (such as increased' station battery capacity or condensate storage tank capacity) to meet this requirement. The staff has determined that these modifications are cost-effective in terms of reducing risk to the public.
The general objective of the resolution of USI A-44 is to re. duce the risk of severe accidents associated with station blackout by making station blackout a relatively small c~ontributor to total core damage frequency. Specific actions called for in the resolution include (1) maintaining highly reliable ac elec-tric power systems; (2) de loping procedures and training to restore offs.ite and onsite emergency ac p:..Nr should either one or both become unavailable; and (3) as additional defense-in-depth, ensuring that plants can cope with a staticn blackout for some period of time, based on the probability of occurrence of a station blackout at the site, as well as on the capability for restoring ac power for that site. The method to determine an acceptable station blackout duration capability is presented in the regulatory guide. Applications of this guide result in deter-minations that plants be able to withstand station blackouts from 2 to 16 hours, depending on the plant's specific design and si,te-related characteristics. Licensees may propose durations different from those specified in the regulatory guide, based on plant-specific factors relating to the reliability of ac power systems. e The benefit from implementing the rule and the regulatory guide is a reduction in the frequency of core damage per reactor year due to station blackout and the associated risk of offsite radioactive releases. The risk reduction for 100 operating reactors is estimated to be 145,000 pe'rson-rems., The cost for licensees to comply with the requirements varies depending on the
, existing. capability of each plant to cope with a station blackout, as well as the plant-specific station blackout duration determined. The costs are pr.i-marily to industry to assess the plant's capability to cope with a station blackout, to develop procedures, to improve diesel generator reliability if the reliability falls below certain levels, and to retrofit plants with additional components or systems, as necessary, to meet the. requirements.- -
NUREG-1109 xiv ~
. .f
The estimated total cost for 100 opdrating reactors to comply with the resolu-tion of USI A-44 is about $60 million. The average cost per reactor is esti-mated to be $600,000, ranging from $350,000 if only a station blackout assess-ment and procedures and training are necessary to a maximum of about $4 million , if substantial modifications are needed, including requalification of a diesel i generator. . _ . . l
- 1 The overall value-impact ratio. not including accident avoidance costs, is about l 2,400 person-rems averted per million dollars. If cost savings f om accident l avoidance (cleanup and repair of casita damages and replacement power) were l included, the overall value-impact ratio would improve significantly to about 1 6,100 person-rems averted per million dollars.
l Several NRC programs are related to'USI A-44, including Diesel Generator Relia- I bility (Generic Issue B-56), Reactor Coolant Pump Seal Failures (Generic Issue B-23), Safety-Related DC Power Supplies (Generic Issue A-30), and Shutdown Decay Heat Removal Requirements (USI A-45). These programs are closely co-ordinated within NRC and are compatible with the resolution of USI A-44. l 1 l a e t NUREG-1109 xy
REGULATORY /BACKFIT ANALYSIS FOR THE RESOLUTION OF UNRESOLVED SAFETY ISSUE A-44, STATION BLACK 0UT -- 1 STATEMENT OF THE PROBLEM "Station blackout" refers to the complete loss of alternating current (ac) electric power to the. essential and nonessential switchgear buses in a nuclear power plant. Station blackout involves the loss of offsite power concurrent with turbine trip and the unavailability of the onsite emergency ac power sys-tem. Because many safety systems required for reactor core decay heat removal and containment heat removal depend on ac power, the consequences of station blackout could be severe. . The concern of the Nuclear Regulatory Co.mmission (NRC) about station blackout arose because of the accumulated experience regarding the reliability of ac power supplies. In numerous instances emergency diesel generators have failed to start and run during tests conducted at operating plants. In addition, a number of operating plants have experienced a total loss of offsite electric power, and more occurrences are expected. In almost every one of these loss-of-offsite power events, the onsite emergency ac power supplies were available immediately to supply the power needed by vital safety equipment. However, in some instances, one of the redundant emergency power supplies has been unavail- - able. In a few cases, there has been a complete loss of ac power, but during i these' events, ac power was restored in a short time without any serious . consequences. The results of the Reactor Safety Study (NUREG-75/014) showed that for one of the two plants evaluated, a station blackout accident could be an important contributor to the total risk from nuclear power plant accidents. Although ) this total risk was found to be small, the relative importance of the station blackout accident was established. This finding and the accumulated diesel generator failure experience increased the concern about station blackout. The issue of station blackout involves *the likelihood and duration of losses of offsite power, the redundancy and reliability of onsite emergency ac power systems, and the potential for severe accident sequences after a loss'of all ac
~
power. These topicy were investigated under Unresolved Safety Issue (USI) Task Action Plan A-44, and the technical findings are reported in detail in NUREG/ CR-2989, NUREG/CR-3226, NUREG/CR-3992, NUREG/CR-4347, and NUREG-1032. In addi-tion to identifying important factors and sequences that could lead to. station blackout, the results indicated that estimated core damage
- frequencies from
- Analysis has shown that for postulated station blackout events, the difference between the estimated frequency of core damage and core melt is small because of the relatively low probability of recovering ac power ,and terminating an accident sequence after initial core damage, but before full core melt (NUREG-1032).
NUREG-1109 1 ,
station. blackout vary significantly for different plants but could be on the order of 10 4,per reactor. year for some plants. To reduce this risk, action should be taken to resolve the safety concern stemming from station blackout. The issue is of concern for both pressurized water reactors (PWRs) and boiling water reactors (BWRs). There is no requirement currently for plants to be able to cope with a station blackout. Existing requirements for offsite and onsite ac power systems are in General Design Criterion (GDC) 17, "Electric Power Systems," of Append S A to Part 50 of Title 10 M the Code of Fc 2.si Regulations (10 CFR 50). They are discussed in Sections 8.2, "Offsite Power Systems," and 8.3.1, "AC Power Sys-tems (Onsite)," of the NRC's "Standard Review Plan for the Safety Review of Nuclear Power Reactors" (SRP, NUREG-0800).. Testing of emergency diesel genera-tors is discussed in Regulatory Guide (RG) 1.108, "Periodic Testing of Diesel Generator Units Used as Onsite Electric Power Systems at Nuclear Power Plants." Separation and independence of electric power systems are discussed in RG 1.6, "Independence Between Redundant Standby (Onsite) Power Sources'and Between Their Distribution Systems," and ,RG 1.75, "Physical Independence of Electric Systems." SRP Sections.8.3.1 and 9.5.4 through 9.5.8 discuss maintenance and design provisions for the onsite emergency diesels. These licensing requirements and guidance are directed at providing reliable'offsite and onsite ac power. Experience has shown that there are practical limits in ensuring the rcliability of offsite and onsite emergency ac power systems. Analyses show that core damage frequency can be significantly reduced if a plant can withstand a total loss of ac power until either offsite or onsite emergency ac power can be restored.
- 2 OBJECTIVES The ge'neral objective of the requirements to resolve USI A-44 is to reduce tne risk of severe accidents associated with station blackout by making station blackout a relatively small contributor to the average frequency of core damage for the total population of plants. Specific actions called for in the resolu-tion include (1) maintaining highly reliable ac electric power systems; (2) de-veloping procedures and training to restore offsite and onsite emergency ac power should either one or both become unavailable; and (3) as additional defen:,c-in-depth, ensuring that plants.can cope with a station blackout for some pariod of tiae based on the probability of occurrence of a station blackout at the site as well as on the capability for restoring power for that site.
3 ALTERNATIVE RESOLUTIONS In developing the resolution of USI A-44, the staff considered four specific alternative courses of action. These are discussed below. 3.1 Alternative (i) To achieve the objectives stated in Section 2 above, the resolution of USI A-44 calls for specific guidance relating to the reliability of offsite and onsite. emergency ac power systems, as well as a requirement that plants be able to cope with a station blackout for a specific duration. The recommendations to resolve this issue are summarized as follows: NUREG-1109 2 _t _. . . _ _ , _ , . , . _ _ . _ . , . . . , _ . . . _
(1) The reliability of the onsite emergency ac p.ower sources should,be main-tained at or above specified acceptable reliability levels. (2) Procedures and training should be developed to restore emergency ac power and offsite power using nearby power sources if the emergency ac power system and the normal offsite power sys,tems are unavailable. --
. (3) Each nuclear power plant should be able to withstand and recover from a station blackout lasting a specified minimor d" :th .. I.:. A tcry Guide 1.155 entitled "Station Blackout"* provides a method for determin-ing an acceptacle plant-specific station blackout duration based on a comparison of a plant's characteristics to those factors that have been identified as the main contributors to risk from station-blackout. These factors include: (a) the redundancy of onsite emergency ac power sources (number of sources available for decay heat removal minus the number needed for decay heat removal), (b) the reliability of onsite emergency ac power sources (usually diesel generators), (c) the frequency of loss of offs'ite power, and (d) the probable time to restore offsite p m er.
The frequency and duration'of loss of offsite power.are related to grid and switchyard reliability, historical weather data for severe storms, and the availability of nearby alternate power sources (e.g., gas tur-bines). The staff has concluded (NUREG-1032) that long-duration offsite power outages are caused pr.imarily by severe storms (e.g., hurricanes, ice). .. (4) Each nuclear po.er plant should be evaluated to determine its capability to withstand and recover from a station blackout of a duration as deter-mined in (3) above. This evaluation should include such considerations as: - Verifying the adequacy of station battery power, condensate storage tank capacity, and plant / instrument air for the duration of a station blackout. Verifying the adequacy of reactor coolant pump seal integrity for the duration of a station blackout. This should be done by demonstrating, via experiment and/or analysis, that seal leakage due to a lack of seal cool.ing will not reduce the primary system coolant inventory to the degree that the ability to cool the core during station blackout is lost. Verifying that the equipment needed to operate during a station black-out and the recovery from the blackout wiil be able to operate under the environmental conditions associated with a total loss of ac power (i.e., loss'of heating, ventilation, and air conditioning).
- Single copies of this guide may be obtained by writing to the Distribution Ser-vices, Division of Information Support Services, U.S. Nuclear Regulatory Com-mission, Washington,' DC 205'55. .
. 4 NUREG-1109 3 .
, -(5) Ifitha plant's statie.. blackout captbility (as determined in (4)) is ,
significantly less than the minimum acceptable plant-specific station blackout duration determined in (3), modifications to the plant may be necessary to increase the time the plant is able to cope with a station blackout. The regulatory guide identifies specific factors to be consid-ered'if such modifications are necessary. . ... (6) Each nuclear power plant should have procedures and training to cope with
~
a station blackout and to restore normal long-term decay heat removal once ac power is restored. Because there is no requirement for plants to be able to withstand a loss of both the offsite and onsite emergency ac power systems, the resolution calls for rulemaking to require that all plants be able to cope with a station black-out for a specified duration. The regulatory guide describes a method acceptable to the NRC staff for complying with the rule, and specifies guidance on providing reliable ac electric power supplies. Plants with an already low risk from
^
station blackout are required to, withstand a station blackout for a relatively short period of time. These plants probably need few, if any, modi'ications as a result of the rule. Plants with currently higher risk from station blackout are required to withstand blackouts of somewhat longer duration, and, depending
~
on their existing capability, may require modifications (such as increasing station, battery capacity or condensate storage tank capacity). The staff has
-determined that these modifications are cost-effective in terms of reducing risk to the public.
The method to determine an acceptable station blackout duration capebility, as presented in the regulatory guide, is summarized below. The guide specifies minimum acceptable blackout durations that a plant should be capable of surviv-ing. The minimum duration is from 2 to 16 hours (see Table 1) depending on a plant's design and site-related characteristics. Most plants would fall in either the 4- or 8-hour group. Licensees may propose durati.ons different from those specified in Table 1. Such proposals should be based on plant-specific factors relating to the reliability of ac power systems, such as those discussed in .iUREG-1032, and would be reviewed by the NRC staff.
, Tables 2 through 7 provide the necessary detailed descriptions and definitions of the various factors used in Table 1. Table 2 identifies different levels of redundancy of the onsite emergency ac power system used to define the emer-gency ac power configuration groups in Table 1. Table 3 provides definitions of the three offsite power design characteristic groups used in Table 1. The groups are defined according to various combinations of the following factors:
(1) independence of offsite power (I), (2) severe weather (SW), (3) severe weather recovery (SWR), and (4) extremely severe weather (ESW). The definitions of the factors I, SW, SWR, and ESW are provided in Tables 4 through 7, respec-tively. A'fter identifying the appropriate groups from Tables 2 and 3 and the reliability level of the onsite emergency ac power sources, Table 1 can be used to determine the minimum acceptable station blackout duration capability (e.g, 4 or 8 hours) for each plant. The reliable operation of the onsite emergency ac power sources sho'uld be ensured by a reliability program designed to monitor and maintain reliability over time at a specified acceptable level and to improve the reliability if that level is not achieved.
- 4 e
NUREG-1109 4
i
'One examp1'e of an application of this method considers'a nuclear power plant that has (1) two diesel generators,' one of which is required for ac power for decay heat removal systems; (2) one switchyard and one alternate offsite power circuit, in addition to the normally energized offsite circuit to the Class IE buses; (3) an estimated frequency of loss of offsite power due to severe weather of 0.005 per site year; and (4) an annual expectation of storms at.tA4 site with winds greater than 125 miles per hour of 0.002 per year. On the basis of this information, this plant is in independence of offsite power group I3 (see Table 4), severe weather group SW2 (see Table 5), sevara wast.e- 5 recovery group SWR 2 (no enhanced recovery for severe weather, Table 6), and extremely severe weather group ESW3 (see Table 7). This combination of factors places the plant in offsite power design characteristic group P2 (see Table 3), Based on the number of diesel generators, the plant is in emergency ac power configuration group C. As indicated on Table 1, if the failure rate of each emergency diesel generator is maintained at 0.025 failure per demand or less, this plant should have the capability to withstand and recover from a station blackout lasting 4 hours or more. If the failure rate of each emergency diesel generator were between 0.025 and 0.05, the accep. table station blackout duration would increase to 8 hours. If the emergency die'sel generator failure rate were greater than 0.05, then steps should be taken to improve the. diesel generator reliability.
3.2 Alternative (ii) Alternative (ii) would treat plants uniformly by requiring all plants to be able to cope with station blackout of the same duration. 3.3 Alternative (iii) Alternative (iii) would require plants with the highest potential risk from sta-tion blackout to add either an additional emergency diesel generator or another ac-independent decay heat removal system. . 3.4 Alternative (iv) The Nuclear Utility Manar;ement and Resources Committee (NUMARC) endorsed the following industry initiatives to resolve the station blackout issue (letter from J. Miller to N. Palladino, 1986):
- 1. Each utility will review their site (s) against the criteria specified in NUREG-1109, and if the site (s) fall into the category of an eight-hour site after utilizing all power sources available, the utility will take actions to reduce the site (s) contribution to the overall risk of station ;
blackout. Non-hardware changes will be made within one year. Hardware changes will be made within a reasonable l time thereafter.
- 2. Each utility will implement procedures at each of its site (s) for: -
I
- a. coping with a station blackout event,
- b. restoration of AC power following a station bl.ackout event, and.
4 NUREG-1109 , S .
.\
Table 1 Acceptable station blackout duration capability - (hours)1 Offsite power design characteristic group 2 __ Maximum emergency diesel generator failure rate per demand P1 P2. D 't Emergency ac (EAC) power configuration group A3 0.025 2 4 4 0.05 2 4 8 EAC power configuration group B . 0.025 4 -4 4 0.05 4 4 8 EAC power configuration group C O.025 . 4 4 8 0.05 4 8 16 EAC power configuration group D 0.025 4 8 8 1The staff will consider variations from these times if jus-tification, including a cost-benefit analysis, is provided by the licensee. The methodology and sensitivity studies in NUREG-1032 are acceptable for this justification. 2See Table 3 to determina groups P1, P2, and P3. 3See Table 2 *to determine emergency ac power configuration group. Source: Regulatory Guide 1.155. l NUREG-1109 6 i
edP I
. Table'2 Emergency.ac power' configuration groups 1 No. of EAC power sources Emergency ac (EAC) required to operate ac-power configuration No. of EAC power powered decay heat remov.al sources 2 systems 3 group A 34 1 4 1 B 4 2 5 2 C 24 1 3s 1 D 28 1 3
' 2 4 3 5 3 1Special purpose dedicated diesel generato s, such as those asso-ciated with high' pressure core spray systscs at some BWRs, are not counted in the determination of EAC power configuration groups.
2If any of .the EAC power. sources are shared among units at a multi- - unit site, this is the total number of shared and dedicated sources for those units at the site. 3This number is based on all the ac loads required to remove decay heat (including ac powered decay heat removal systems) to achieve and maintain hot shutdown at all units at the site with offsite power unavailable. .
*For EAC power sources not shared with other units. ,
5For EAC power sources shared'with another unit at a multiunit site. 6For shared EAC @ wer sources in which each diesel generator is~ c'apable of providing ac power to core than one unit at a site concurrently. ' Source: Regulatory Guide 1.155. NUREG-1109- 7
o Tcble 3. Offsite pow;r design characterist,ic gr:ups ' Group Offsite power design characteristics I P1 Sites that have any combination of the following factors:, l Il SW2 SWR 3 ESW4 1 or 2 1 or 2 1 or 2 1 nr ? , 1 or 2 1 1 or 2 3 l 1 or 2 1 or 2 3 1
. i P2 All other sites not in group P1 or P3 P3 Sites that expect to experience a total loss of offsite I power caused by grid failures at a frequency equal to or I greater than once in 20 site years, unless the ::ita has procedures to recover ac power from reliable alternate (nonemergency) ac power sources within approximately 1/2 l hour following a grid failure, l E I Sites that have any combination of the following factors-
~ ~
I SW SWR ESW Any I 5 2 Any ESW Any I 1,2,3, or 4 1 or 2 5 Any I 5 1 Any ESW Any I 4 2 1,2,3, or 4 1 or 2 3 2 4 3 3 2 3 or 4 1See Table 4 for definitions of independence of offsite power (I) groups. 2See Table 5 for definitions of severe weather (SW) groups. 3See Table 6 for , definitions of severe weather recovery (SWR) groups. 4See Table 7 for definitions of extremely se' vere weather (ESW) ) groups. l Source: Regulatory Guide 1.155. l l
. 1 NUREG-1109 8
i j , Tcblo 4 Definitions of ind:p:nd:nch of offsite pow r (I) gr ups
- E I l g Catepry
. 1 2 3 o l s Independence of of f site I. 1. All of f site power sources are 1.a. All offsite power sources are connected to the plant through one U
O power sources connected to the plant through sultchyard.
- two er more switchyards er separate incoming transelssten or
~
lines, but at least one of the ac sources is electrically 1.b. All effsite power sources are connected to the plant threw 4 twa . Independent of the others, or more switchyards. and the switchyards are electrlcally connec I (The Independent 69-kV line (the 345- and 138-kV switchyards in figures 2 and 3 represent in figure 1 le representative this design feature.) of this design feature.) L er ' and g,
- 2. Automatic and manuel 2.a. Af ter less of the normal ac 2.a. After loss of the normal I 2.e. If the normal source of oc l transfer schemes for the source, oc power source, there le power falls, there er1s no i Class IE buses when the en automatic transfer of automatic transfers and i normal source of ac power (1) There is an automatic all safe-shutdowei buses one er more manuel transfers i falls and when the backup transfer of all safe- to one iir~aferred alte r- of all safe-sholdouse buses j sources of of f site power shutdown buses to a nate power source. If to preferred or alternate j fall. separate preferred . this source falls, there offsite power sources.
! a.
- The normal source of
- ac power is assumed (2) ^ There is an automatic transfers of power source 4
- er i to be the unit main transfer of all safe- to the reenlaing preferred
- generator. shutdowse buses to one er alternate of f atte power
- There is one automatic
- pre ferred power source. sourc e s. trans f e r and no manual
! If this preferred power transfer of all safe l a source falls ,there is shutdowet buses to one another automatic transfer preferred or one alternate to the remaining preferred i power sources er to alter-l 4 nate of f site power source. l 4
1 .r .c r i b. If the Class IE buses 4 2.b. Each safe-shutdown bcs is 2.b. The safe-shutdown buses are
! are normally designed. normally connected to a normally aligned to the same
{ the preferred separate preferred alter- preferred power source with alternate power note power source with either an .eutomatic or senval
- s ourc e s. automatic or manuel transfer to the reaalning ,
transfer capability pref erred alternate ac power
- between the preferred source.
! 6 alternete sources 1
i i Source: Regulatory Guide 1.155 i I i i
l
+
l l l H 1 A d A d u
,. 69 kV 161 k V ,
345 kV h N#%M v I y,%,%% NMNM NMMM NMe%% N%MM AUTOMATIC Mg yg MAIN TRANSFER
-----+
GENERATOR 1r if "
, N C' NC -
57 No ["Ivio~AilC no TRANSFER CLASS 1E NONSAFETY CLASS 1E NONSAFETY l [_ AUTOMATIC TRANSFER h , i 1 ( AUTOMATIC TRANSFER _ j ! l i Figure 1 Schematic of electrically independent transmission line e NUREG-1109 10 1
Y th tl 4k n n n n n S o 4 - E
- Hskv tse tv 4 '
E
%NA MM MM MM W HA k ,%s y y yt- *k $f NC NC NONSA F E TY NO NC N!M ETY NO
"*'N CLASS 1E CLASS IL CLASS 1E GENERATOR . CLASS 1E Olvi$JON 1 Olvis'O N 2 Olvi$lON 1 DivislON 2 e i i i A 4
!. _ _ fuyo_wayigT_a4_NstEi _ _ i ,________j l
L- _ _ _^FE"lT!.c La^NSJ E3 _ _ _ _ _ j Figure 2 Schematic of two switchyards electrically connected (one-unit site) d h - 6 h h h 500 kV 230kV
- f:,"
MM
- 1.-
I MMMSA MM MM MM MM MMMM GENERATOR 2 lf if V 4 U U U 'I NC NC NC TO NC TO NC TO NC TO NC NC GENERATOR 1 NONSAF ETY SOM E SOME SOME SOME NONSAFETY UNIT 2 UNIT 2 UNIT 2 UNIT 1 UNIT 1 UNIT 1 CLASS 1E CLASS 1E CLASS 1E CLASS 1E BUSES, BUSES, BUSES, BUSES, NO TO NO TO NO TO NO TO - OTHERS OTHERS OTHERS OTHERS Figure 3 Schematic of two switchyards electrically connected (two-unit site) NUREG-1109 11 i _
, i
, l Table 5 Definitions of severe weathir (SW) groups
. i Estimated frequency of loss of offsite power due SW group to severe weather, f* (per site year)
I f < 0.0033 2 0.0033 $ f < 0.010 3 0.010 $ f < 0.033 4 0.033 1 f < 0.10 5 0.10 $f .
*The estimated frequency of loss of offsite power due to severe weather, f, is determined by the following equation:
a f = (1.3 x 10 4)h 3 + (b)h2+ (0.012)h3+ (c)h 4 where h1 = annual expectation of snowfall for the site, in inches h2 = annual expectation of tornadoes (with wind speeds greater than or equal to 113 miles per hour (mph)) per square' mile at the site *
- 6 b = 12.5 for sites with transmission lines on two or more rights-of-way spreading out in different directions from the switchyard, or b = 72.3 for sites with transmission lines on one right of-way h3 = annual expectation of storms at the site with wind velocities between 75 and 124 mph h4 = annual expectation of hurricanes at the site c = 0*if switchyard is not vulnerable to salt spray
. , c = 0.78 if switchyard 3 vulnerable to salt spray The annual expectation of snowfall, tornadoes, and storms may be obtained from National Weather Service data from the weather station nearest the plant or by interpolation, if appropriate, between nearby weather stations. The basis for the empirical equation for the frequency of loss of offsite power due to severe weather, f, is given in NUREG-1032, Appendix A.
Source: P.egulatory Guide 1.155. NUREG-1109 12
-. i._ _ _ . - . - _. _
Table 6 Definitions of severe weather recovery (SWR) groups. SWR group Definition . 1 Sites with enhanced recovery (i.e , sites that .. j have the capability and procedures fortrestor-ing offsite (nonemergency) ac power to the - site within 2 hours following a loss of offsite power due to severe weather). 2 Sites without enhanced recovery; , t Source: RegulatoryGuide;1.155 Table 7 Definitions of extremely severt weather (ESW) groups Annual expectation of storms at a site with wind ! velocities equal to or greater than 125 miles ESW group per hour (e)" 1 e < 3.3 x 10 4
" ~
2 3.3 x 10 4 5 e < 1 x 10 3 j 3 1 x 10 3 $ e < 3.3 x 10 3 l 4 3.3 x 10 3 $ e < 1 x 10 2
.5 1 x 10 2 3, i "The annual expectation of storms may be obtained from Na- ,
tional Weather Service data from the weather station nearest the plant or by interpolation, if appropriate, between nearby weather stations. Source: Regulatory Guide 1.155. h e
*4 l NU. REG-1109 13 ,
- c. preparing the plant for severe weather conditions,.such as hurricanes and tornados to reduce the likelihood and consequences of a loss of offsite power and to reduce the overall risk of a station blackout event.
- 3. Each utility will, if applicable, reduce or eliminate cold -
~
fast-starts of emergency diesel generators for testing through changes to technical specifications or other appropriate means. A. Each utility will monitor emergency AC power unavailability utilizing data utilities provided to INPO (Institute of Nu-clear Power Operations) on a regular basis.
- 5. Each utility will assess the ability of its plant (s) to cope with a station bleckout. Plants utilizing alternate ac power for station blackout response which can be shown by test to be available to power the shutdown buses within 10 minutes of the onset of station blackout do not need to perform any coping assessment. Recai.lir.g' alternate ac plants will assess their ability to cooe for 1 hour. Plants not utilizing an alternate ac source will assess their ability to cope for 4 hours. Factors identified that prevent demonstrating the capability to cope for the apprcpriste di:retion will be addressed through hardware and/or procedural changes so that successful demonstration is possible. (Added in NUMARC-8700, transmitted by letter from J. Opeka to T. P. Speis, September 19, 1987.) .
The industry's initial four initiatives included some of the same elements that are included in the staff's resolution discussed in Section 3.1. Mcwever, the industry initiatives (1) did not include rulemaking, (2) did not require plants to be able to withstand a station blackout for a specified period of time, and (3) did not require any specific assessment of a plant's station blackout coping capability. With the addition of Initiative 5, industry has proposed to perform coping assessments for a specified period of time on.a plant specific basis.
- 3. 5 Alternative (v)
Under this alternative no action would be taken. 4
- CONSEQUENCES i !
4.1 Costs and Benefits of Alternative Resolutions i 1 . 4.1.1 Alternative (i) The benefit from implementing the station blackout rule and regulatory guide is a reduction in the frequency of core damage due to station blackout and the associated risk of offsite radioactive releases. The costs are primarily those incurred by industry (1) to assess the plant's capability to cope with a station blackout (2) to develop procedures, (3) to improve diesel generator reliability if the reliability falls below certain levels, and (4) to retrofit plants with additional components or system, as necessary, to meet the requirements. These are discussed in the followjng paragraphs. ' NUREG-1109 14 d
(1) Value: Risk Reduction Estimates ) To estimate the change in expected risk that the resolution of USI A-44 could effect, both the postulated radioactive exposure (in person-rems) that would result in the event of an accident and the reduction in frequency of core damage have been estimated. A simplified method to estimate public dose for value-impact analysis would use an "average" plant to estimate the consequences of station blackout and subsequent core damage for all plants. However, using a single value does not account for the M ffaraaras 4. :ff:it: ::nsequ.nces asso-ciated with differences in the sizes of reactors and with differences in the population densities around different sites. Because of the differences between sites and plant designs, it was not realistic to select a "typica? plant for analysis (using the value and impacts for that plant and then multiplying them by the total number of plants) to obtain an overall value-impact ratio. Instead, the staff used the mathod described below to estimate offsite consequences for use in this value-impact analysis. Results indicate that consequences r'ange,from 0.5 to 9 million person-rems per plant, with an average of about 2 million person-rems per plant. NUREG/CR-2723 gives estimates of offsite consequences of potential accidents at nuclear power plants. That report includes results of calculations for 91 sites in the United States that had reactors with operating licenses or construction permits. The actual distributions of population around the sites were used in calculating estimated t6tal population doses (in person-r' ems) for various fission product releases. The results include a scaling factor to account for different reactor power levels at the various sites. , The scaled results .(from NUREG/CR-2723) for release category SST1* (siting source term) were used to develop estimates of site-specific consequences for station blackout events. However, these results were not used directly in the value-impact analysis for several reasons. First, SST1 overestimates the fission product release for station blsekout events. Second, the consequences given in NUREG/CR-2723 include the entire population around the plant (i.e., an infinite radius), whereas Enclosure 1 of NRR Office Letter No. 16 (NRC, 1986) specifies that a 50-mile radius around the plant is to be used to calculate risk reduction estimates for value-impact analyses. Extensive research efforts by NRC and industry have been under way since about 1981 to evaluate severe accident source terms and are repo.rted in NUREG-0956, NUREG-1150, NUREG/C& 4624, and Industry Degraded Core Rulemaking.(IDCOR) tech-nical reports. Based on NRC's source term research, it appears that, for sta-tion blackout events, the release fractions for most plants would be roughly l 1/3 to 1/30 of the releases from the SST1 estimate. One reason for this reduc- I tion is that SST1.is an estimated upper bound assuming prompt containment failure; l
*Five release categories, denoted as SST1-SSTS, have been defined by NRC to represent a spectrum of five accident groups. Each category represents a dif ferent degree of core degradatior, and failure of containment safety features.
Group 1 SST1, is the most severe and involves a loss of all installed safety features and direct breach of containment, j ( NUREG-1109 - 15 i j
whereas'if a coro melt resulted froa station blackout, containment failure'would be delayed for a number of hours. Results of a sensitivity study in which the
~
consequences of a severe accident were estimated for reduced source terms indi-cate that if the SST1 release fraction were reduced by a factor of 3 (i.e. , 66 percent reduction in SST1 releases), the consequences in terms of person-rem would be reduced by about 50 percent (NUREG/CR-2723, Table 10). Likewise, if the SST1 releases were reduced by a factor of 30 (i.e., 97 percent reduction in SST1 releases), the estimated person-rem would be reduced by about 85 percent. Therefore, the high and low estimates for person-rem consequences for station blackout accidents used de M: .:.h.a ;... pod analys is are 0. o ano U. ib of the person-rem associated with SST1 releases, respectively. (These values correspond to reductions in SST1 release fractions by factors of 3 and 30, respectively.) A value of 0.33 of the SST1 person-rem was used as a best estimate for purposes of this analysis. Scalin'g factors '.:omparing offsite exposures within a 50-mile radius of a plant to that for an infinite radius are included in Table 3 of Sandia (1983). The total person-ram. exposure within.a 50-mile radius.is approximately 1/4 the person-rem exposure for an :,lini'te radius. This factor, in addition to the factor discussed above associated with reduced source terms, was used to scale the site-speci fic results f rom NUREG/CR-2723. To clarify the discussion above, an example calculation is given for an P45-MWe PWR (Calvert Cliffs). From Apoendix A of NUREG/CR-2723, the mean offsite effect conditional on release for the SST1 category is 3.61 x 10? person-rems. This number is multiplied b 0.33 to account for the smaller releases for station blackout events compared to SST1 releases and by 0.25 to account for the 50-mile radius (Sandia, 1983). The resulting offsite exposure from a station blackout event and subsequent core melt within a 50-mile radius of the plant is estimated to be about 3 million person rems. The reduction in frequency of core damage restrlting from the resolution of USI A-44 was estimated for each plant. Plant- and site-specific characteristics for a total of 100 reactors (which represent almost all of the currently operat-ing nuclear power plants) were used to develop these estimates. Table 8 presents an estimate of the number of reactors having the emergency ac power configurations and offsite power design characteristics identified in Tables 2 and 3, respec-ti,ely. The estimate of core damage frequency for each plant was based on a function of the plant's ability to cope with a station blackout (NUREG-1032). The staff a;sumed that all plants, as currently designed, can cope with a sta-tion blackout for 2diours. The reduction in core damage frequency per reactor-year for each plant then was estimated based on the plant meeting the accept-able 2 , 4 , 8 , or 16-hour station blackout duration depending on the plant's offsite power design group and its emergency ac power configuration (given in Table 1). Examples of the reduction in frequency of core damage per reactor year for three cases are presented in Table 9. Each of these examples is for a plant located in an area with average loss of offsite power duration and frequency. loe first example is typical of a plant with one redundant cmergency ac power system (e.g., ; one out of two diesel generatort, required for emergency ac power), and a failure ' rate of 0.023 failure per demand for each diesel generator. The second case, I i
\
l NUREG-1109 16
which is typical of a plant with Tess desiiable characteristics from a station blackout perspective (e.g., a minimum redundant emergency ac power system and below-average diesel generator reliability), has a reduction in frequency of core damage that .is significantly larger than the first example. The third case is for plants with more. favorable characteristics than in the first case and, therefore, a correspondingly lower reduction in core damage frequency. l A summary of the results of the analysis for station blabkout core damage fre-quency estimates is presented in Figure 4. h f'g ;. pi.. wi.= a comparison of the estimated number of react]rs versus various levels of core damage frequency ; before and.after implementation of the station blackout rule. The histogram ' that represents, estimates before the rule is implemented is based on the assur:p-tion that all plants have the capability to cope witn station blackout for only 2 hours. The estimated mean core damage frequency for this case is 4.2 x 10 5 per reactor year, with a range cf from about 0.4 x 10 5 to 30 x 10 5 per reactor-year. The mean core damage frequency for all plants after the rule is implemen-ted is estimated to be 1.6 x 10 5 per reactor year with a range of 0.3 x 10 6 to 7 x 10 5 per reactor year. Threre. fore, on an industry-wide basis, the estimated mean core damage frequency would'be reduced by 2.6 x 10 5 per reactor year. For each plant the estimated risk reduction from the resolution of USI A-44 was calculated by multiplying the reduction in core damage frequency per reactor-year by two factors: (1) the remaining life of the plant (assumed to be 25 years) and (2) the estimated public dose (in person-rems) that would result in th'e event of an accident. The reduction in person-rems for each plant was then summed to calculate the total estimated risk reduction. The high estimate of total dose reduction (on SST1 releases divided by 3) is 215,000 person-rems, the low estimate (based on.SST1 releases divided by 30) is 65,000 person-rems, and the best estimate is 143,000 person-rems (based on SST1 releases divided by 10). : Table 8 Estimated number of reactors having simitar characteristics Emergency ac power configuration group
- Group- A B C D Total
' Estimated, number 12' 25 47 16 100 of reactors -
Offsite power design characteristics ** Characteristic P1 P2 P3 Total Estimated number 30 60 10 100 l of reactors . l )
*See Table 2 for definition of emergency ac power con- l figuration groups. l
*MSee Table 3 to determine offsite power design charac-i teristics.
i NUREG-1109 17
6 Table 9 Examples of reduction iii frequency of core damage per reactor year Estimated core damage Estimated reduction in
. Plant frequency per core damage frequency characteristics reactor year per reactor year Plant with one of two 3.9 x 10 5 with 2-knov 2.1 x 10 5 emergency diesel generators station blackout (EDGs); EDG failure rate of capability
'0.025 failure per demand; and, loss of offsite power 1.8 x 10 5 with 4-hoor*
design characteristic station blackout group P2. capability Plant with two out of three 9.0 x 10 5 with 2-hour 8.4 x 10 5 EDGs; EDG failure rate of station blackout 0.05 failure per demand; and capability loss of offsite power design 0.6 x 10 5 with 8-hour
- characteristic group P2. '
station blackout capability Plant with one out of three 1.0 x 10 5 with 2-hour 0.6 x 10 5 EDGs;~EDG failure rate'of station blackout 0.025 failure per demand; capability and loss of offsite. power design characteristic 0.4 x 10 5 with 4-hour
- group P2. station blackout capability
*These times are the acceptable station blackout durations from 7able 1 for these example cases.
e 4 NUREG-1109 18 . ( . .
a
. W BEPORE nULs y
p MEDEN CDF . ME.AN COF
= 2.4 a 10 - 5/RY = 4.17 a 10"I/RY I
. m. .
8 0 l l g it-l I l se I
% =l 18075:
so-s' C i "s.! "coR M Ul.*e n ' " g n y l ,. gi s Q
~
\
g; l l !eh 3 i- , ; e v .l !
. k.i. $.b.! $ $ I o h. o3, 4 i s . . . . . . .,. r ir.
O,H.
!atasaeseasse2 a : R A
= ? -
i ? ? ? ? i i ? ?* A % : : : : 2
? ? ;
2
~ f ESTIMATED CORE oAMACE FRfCUENCY ( s 10-5 PER AuCTom.YMA)
(si Amn nutz x MfDtAN CCF
. = 1.1 a 10 - 5fn y 25 - i ,
a I 9 l uus CoF
- I l . i.si , 50-$ nY c i g m- 9 l
!. a B 16-L 1
1 lI
~
l l l *- i l* l l r
- $s ! l l p P
, 3
!. . . . . . . . . . i . ..,. 4, . . .
=?
a s.i? a e. a e a s. a e a 9 a a
?? ? i i * *
- A M
? ? ? ; 4j asTwArto Coat oAMAct FatoutNCY = 10-5 etm atAcrom.YEAni 0*: : : 2 =
~
Figure 4 Comparison of estimated station blackout (SBO) core damage frequency (CDF) before and after rule
- NUREG-1109 19
^
(2) Impacts: Cost Estimates The cost for licensees to comply with the requirements to resolve USI A-44 will vary depending on (1) the existing capability of each plant to cope with a sta-tion blackout and (2) the plant-specific acceptable minimum station blackout < coping duration as determined from Table 1. The staff anticipates that the ma- , jority of plants would be able to meet a 4-hour duration guideline without major hardware modifications. In addition to being able to withstand a 4-hour black-out, some plants may be capable of coping for longer periods without major modi-N ations. To meet = 0 h,.a guideline, licemees of some plants may have to increase the capacity of one or more of the following systems: station batteries, condensate storage tank, and instrument or compres.ied air. Shedding nonessent4! loads from the station batteries could be considered as an option to extend the time until battery depletion. Corresponding procedures for load shedding would > need to t,a incorporated in the plant-specific technical guidelines and emergency operating procedures for station blackout. If equipment needed to function c(uring a station blackout or the recovery from a blackout would not be expected to be operable because of environmental con-ditions associated with the station blackout (i.e., without heating, ventilat-ing, and air conditioning systems operating), then some modifications might be necessary. These could be (1) opening room or cabinet doors to increase natural circulation, (2) installing fans that can operate with available power supplies to increase forced circulation, or (3) relocating or replacing equip-ment. If option 2 or 3 above were necessary, then corresponding procedures would need to be incorporated in the plant-specific technical guidelines and emergency operating procedures for station blackout. Those plants that cannot verify adequate recctor coolant pump seal integrity for the station blackout duration may have to provide a method of reactor coolant pump seal cooling that is independent of the offsite and emergency onsite ac power supplies to maintain seal integrity and adequate reactor coolant inventory For example, the addition of an ac-independent charging pump or a steam-driven generator to power an existing charging pump could provide seal cooling during : a station blackout. ' Table 10 presents cost estimates of possible hardware modifications and pro-cedures that could result from implementation of the station blackout rule. Because the duration guidelines in the station blackout regulatory guide are , based on plant-specific features, and the capability of systems and components needed during a station blackout varies from plant to plant, the modifications in Table 10 may be needed at some but not all nuclear power plants. For each modification, the table identifies an estimated range of costs per plant, the estimated number of plants needing that modification, and the estimated total Cost. The estimated tctal cost for industry to comply with the resolution of USI A-44 is about $60 million. The estimated average cost per reactor is $600,000. l Best estimates of costs could range from $350,000, if only a stati6n blackout assessment and procedures and training were necessary, to a maximum of about
$4 million, if modifications 1 through 4 were needed (including requalification of a diesel generator). -
NUREG-1109 20
Table 10 Estimated cests fcr industry to comply with the resolution of USI A-441 E Est. no. Est. cost per - 5 of reactors reactor ($1000) Est. total cost ($1000).
? Potential needing .
Best Higte Low Best. High Low y modifications modifications est. est. est. est. est. est.
- 1. Assess plant's capability to cope with 100 250 400 200 25,000 40,000 20,000
. station blackout
- 2. Develop procedures and training 100 100 150 50 10,000 15,000 5,000
- 3. (a). Improve diesel gengrator reliability 10 250 400 150 2,500 4,000 1,500
. (b) Requalify a diesel. generator 2 2,800 5,500 1,250 5,600 11,000 2,500
- 4. Increase capability to cope with station blackout 2 .
(a) 4-hour plants add battery capacity 10 500 650 400 5,000 , 6,500 4,000 (b) 8-hour plants 17 ,.. ,
. (1) Add compressed air 40 60 30 680 1,020 510 (2) Add condensate storage tank 80 150 40 1,300 2,550 680
$ capacity (3) Add battery capacity 500 650 400 8,5f 0 11,050 6,800 (4) Replace equipment or add fans 80 140 30 1,300 2,380 510 a
r Subtotal (8-hour plants) - 100 . 1,000 500' 11,900 17,000 8,500 5; Add an ac-independent charging pump -- 1,500 2,5004 1,200 -- -- -- (non-seismic) capable of delivering 50 to 100 gpm te st. tor coolant pump seal i . TOTAL. COSTS 60,005 93,500 41,500 88ased on 100 reactors. See Appendix B for worksheets that provide the basis.for the cost astimates on this table. I 2 Detailed c6st estimates for these modifications are present,ed in NUREG/CR-3840 and revised estimates to that report (Science and Engineering Associates, 1986). 3It is assumed that reactor coolant pump seal integrity is sufficient to ensure core cooling for 8 hours or more; therefore, the charging phop would not be necessary. The results of Generic Issue B-23 will provide detailed information on expected pump seal behavior without seal cooling. (See Section 4.2 for fur.her discussion.) Estimated costs are provided here for perspective should such a system be considered necese.ary after Generic Issue B-23 results are available. CA seismically qualified and safety grade ac-independent charging pump would be much more e:: pensive and would not reduce the risk substantially more than a non-seismic m"P
~
~
t __ ____ _ _ _ _ _ _ _ _ _
Including costs of averted plant damag3 can significantly affect th] overall cost-benefit evaluation. To estimate the costs of averting plant damage and cleanup, the reduction in accident frequency was multiplied by the discounted onsite property costs. The following equations from NUREG/CR-3568 were used to make this calculation:
'~
v,, = NaFU
-rti )/r ] [1. r(t f-t j))g.,-rm) 2 U = C/m [(e where V,p = value of avoided onsite property damage N = number of affected facilities = 100 AF = reduction in accident frequency = 2.6 x 10 5/ reactor year V = present value of onsite property damage C = cleanup and repair costs = ,$1.2 billion t
f
= years remaining until end of plant life = 25 tg = years before reactor begins operation = 0 r = discount rate = 5% and 10%
m = period of time over which damage costs are paid out (recovery period in
, years) = 10 _. .
Using the above values, the present value of avoided onsite property damage is estimated to be $29 million. If avoided costs for replacement power are included (estimated in NUREG/CR-3568 to be $1.2 billion over 10 years), the estimated present value is $38 million. Table 11 summarizes the discounted present value of avoided onsite property damage for 10% and 5% discount rates. Table 11 Discounted present value of avoided onsite property damage for 100 reactors Discounted present value Avoided damage 10% discount rate 5% discount rate Cleanup and repair only $19 x 10s $40 x 108 Cleanup, repair, and $38 x 10s $80 x 108 replacement power ' (3) Value-Imoact Ratio Table 12 summarizes the total benefits and costs associated with the resolution of U$1 A-44 These include (1) public risk reduction due to avoided offsite releases associated with reduced accident frequencies; (2) increased occupational dose from implementation, and operation and maintenance activities, as well as-reduced occupational exposure from cleanup and repair because of, lower accident l frequency; (3) industry costs for implementation o'f modifications, operation NUREG-1109 ' 22 s
Table 12 Value-impact summary for reso1ution of USI A-44 Dose reduction (person-rems) Cost ($1,000) Best High Low Best High Low Parameter est, est, est. est, e rt.- est. Public health 143,000 215,000 65,000 Occupational exposure (accidental)1 1,500 1,500. 1,500 Occupational exposure (routine)2 NA Industry implementation 60,000 93,500 44,500 NRC implementation 3 ' 1,500 1,500 1,500 Total 144,500 216,500 66,500 61,500 95,000 43,000 Value-imoact ratioi ~ 2,400 5,000 700 (Public cose reduction _. divided by sum of NRC and industry costs - (person-rems /$108)) 1 Based on an estimated occupational radiation dose of 20,000 person-rems for post-accident cleanup and repair activities (NUREG/CR-3568). 2 No significant increase in occupational exposure i: expected from operation and maintenance or implementing the recommendations proposed in this resolution..
. Equipment additions and modifications contemplated do not require significant work in and around the reactor coolant system and therefore would not be expected to result in significant radiatinn exposure. NA = not affected.
38ased on an estimated 175 person-hours per reactor for NRC review (NUREG/CR-3568). , 4This does not take into account the additional benefit associated with avoided plant damage costs or replacement power costs resulting from reduced frequency of core damage. The cost for plant cleanup following a core damage accident is estimated to be $1.2 billion, and replacement power is estimated to ccst about
$500,000 per day (NR;, 1986). The estimated discounted present value of these avoided onsite costs is given in Table 11.
+
4 e k NUREG-1109 23
4 y and maintenance, and increased reporting requircirents; and (4) NRC costs for review of industry submittals. . The estimated total cost for industry to comply with the proposed rule is
$60 million. The total public risk reduction for 100 reactors over the remain-ing life of the plants is about 145,000 person-rems. The overall v.a.l.ue-impact ratio, not including onsite accident avoidance costs, is about 2,400 person-rems averte,d per million dollars. If cost savings to industry f,'om accident avoid-ance (cleanup and repair of onsite damages and replacement power) were included, the overall value-impact ratio would improve significantly. At a 10% d 2::nt rase, the present value of avoided cleanup, repair, and replacement power is approximately $38 million. If this benefit were taken into account, the overall value-impact ratio would be about 6,100 person-rems averted per million dollars.
For any particular plant, the value-impact ratio could vary significantly (either higher or lower) than the. ratio given above. However, even for plants that will not require equipment modifications to comply with the station blackout rule, the assessment of plant capability to cope with a station blackout is almost certain to result in improvements' in training and procedures to handle such an event. At a ratio of $1,000 per person-rem, a decrease in core damage frequency of only about 0.5 x 10 8 per reactor year is sufficient to justify a cost of
$350,000 for the station blackout assessment and procedures and training.
Improvements to enhance the capability of a plant to cope with a station black-out from 2 to 4 hours would effect such a reduction in core damage frequency for virtually all plants. - (4) Special Considerations The quantitative value-impact analysis discussed above used estimates for benefits (risk reduction) and costs associated with the resciution of USI A-44. While this is a useful approach to evaluate the resolution, other factors can and should play a part in the decision-making process. Although they are not quantified, other considerations that bear on the overall ccnclusions and recem-mendations to resolve USI A-44 are discussed below. Overall, these.considera-tions support the conclusion that additional defense in depth provided by the ability of a plant to cope with a station blackout for a specified duration is strongly recommended. Relative Ihiportance of Potential Station Blackout Events
- Probabilistic risk 4ssessment (PRA) studies performed for tnis USI, as well as a number of plant-specific PRAs, have shown that station blackout can be a sig-
) nificant contributor to core damage frequency, and, with the consideration of containment failure, station blackout events can represent an important contri- ' i butor to reactor risk. In general, active containment systems required for heat removal, pressure suppression, and radioactivity removal from the containment atmosphere following an accident are unavailable during a station blackout. Therefore, the offsite risk is higher from a core melt resulting from station blackout than it is from many other accident scenarios. . Source Term Re-Evaluation The consequence estimates for station blackout used in this value-impact analysis are consistent with the latest research by NRC on' source term re evaluation, s - NUREG-1109 24 I
The release fractions used-in this analysis are significantly lower than earlier estimates of source terms. Nevertheless, there is still considerable uncer- , tainty, and source term research is expected to continue in the future to improve l our knowledge of major phenomena and refine analytical.models. Given the range of release fractions used in this ana. lysis, it is unlikely that significantly better estimates agreed to by the staff and industry would be available for a number of years. In any event, the ability to cope with a station blackout for some period of time would make station blackout a small contributor to core damage frequency and would significantly reduce the risk associated with such events. Future Trends in Loss of Offsite Power Frequency The estimated frequency of core damage from station blackout events is directly proportional to the frequency of the initiating event. Estimates of station blackout frequencies for this USI were based on actual operating experience with credit given in the analysis for trends that show a reduction in the frequency of losses of offsite power result.ing from plant-centered events (NUREG-1032). This is assumed to be a realistic' indicator of future performance. An argument can be made that the future performance will be,better than the past. For example, when problems with the offsite power grid arise, they are fixed, and therefore, grid reliability should improve. On the other hand, grid power failures maj become more frequent because fewer plants are being built, and more power is being transmitted between regions,.thus placing greater stress on transmission lines. - Trends in Emergency Diesel Generator Performance . Recent data indicate that average emergency diesel g'enerator reliability on an industry-wide basis has been improving slightly since 1976 (NUREG/CR-4347,
, NSAC/108). These data are based on total valid failures and total valid starts including surveillance testing and unplanned demands (e.g. , followirfg a loss of offsite power). There are an insufficient number of unplanned demands at any one nuclear plant to determine. diesel generator reliability with high statistical confidence. Therefore, target diesel generator performance levels for USI A-44 are based primarily on surveillance tests. However, data show that the industry
' average diesel generator failure rate during unplanned demands was higher than that during surveillance tests (0.014 failure per demand for surveillance tests compared to 0.022 failure per demand during unplanned demands (NSAC/108)). Using diesel generator reliability based only on unplanned demands would lead to slightly higher estimates of core damage frequency than was used in this regulatory analysis and, therefore, a correspondingly larger estimated benefit resulting from the resolution of USI A-44. Common Cause Failures One factor that affects ac power system reliability is the vulnerability to com-mon cause failures associated with design, operational, and environmental factors. Existing industry and NRC standards and regulatory guides include specific design criteria and guidance on the independence of offsite power circuits and the in-dependence of, and limiting interactions between, diesel generator units at a nuclear station. In developing the resolution of USI A-44, the NRC staff assumed that, by adhering to such standards, licensees have' minimized, to the extent practical,singlep'ointvulnerabilitiesindesig;nandoperationthatcouldresult NUREG-1109 25 1
in a loss o'fall offsite power or all onsite emergency ac power. Results of sensitivity studies presented in NUREG-1032 indicate that if potential common cause failures of redundant emergency diesel generators exist (e.g., in service water or de power support systems), then estimated core damage frequencies can increase significantly. , Sabotage There have not been any total losses of offsite power or diesel generator fail- l nree att-ibuted te :abotage. T.'.e.cfore, sabotage was not considered explicitly j in the risk analysis for USI A-44. However, there was a sabotage event in 1986 l that caused three out of four 500-kV transmission lines at one site to be out of service for several hours. Thus sabotage could increase the probability of loss of offsite power. If saboteurs managed to simultaneously take out all , offsite power and/or emergency diesel generators, the resolution of USI A-44 I would provide additional defense-in-depth for a period of time to cope with such an event. i 1 4.1.2 Alternative (ii) ' The alternative of treating plants uniformly by' requiring all plants to be able to cope with the same station blackout duration has been considered. This simplified approach has the advantage of being potentially easier to implement, but it also has two major drawbacks. Eirst, operating nuclear power plants
. have significant differences in plant- and site-specific factors that contribute to risk from station blackout. This alternative would not take these known l factors into account. For example., plants that have a more redundant emergency l ac power system than other plants would not be given any credit for suth Teatures.
Second, requiring all plants to be able to cope with the same bi d out duration would result in one of two undesirable alternatives: (1) If a uniform duration of 4 hours or less were recommended, station blackout could still be a signif-icant contributor to total core damage frequency for some plants and, therefore, the objective of the requirements would not be met; and (2) if a uniform 8-hour j requirement were imposed, it would necessitate expenditures at scme plants that ' I would not be considered cost-effective in reducing the risk from station blackout events. Therefore, this alternative was not recommended. 4.1.3 Alternative.(iii) 1 Another possible alternative to the recommended action is to require plants l to install either an, additional emergency diesel generator or another ac-independent decay heat removal system. This alternative was not recommended for several reasons. First, the cost for either of these additions (from $10 to $30 million per plant) is much higher than the estimated cost for the I recommended resolution. The recommended approach is more cost-effective and meets the objective stated in Section 2. Second, the adequacy of present I requirements for decay heat removal systems is being studied under USI A-45, ! and any major hardware changes or additions to these systems should await the technical resolution of USI A-45. Third, experience indicates that there are i t practical limits to diesel generator reliability, including common cause fail- l ures of redundant divisions, and the recommended resolution provides greater i diversity and additional defense-in-depth. l l I l NUREG-1109 26 l
4.1.4 Alternative (iv) . The five initiatives proposed by NUMARC are very similar to the elements proposed by the staff for resolution of this issue. NUMARC's guidelines and technical bases for addressing the station blackout issue are presented in NUMARC-8700. The procedure in NUMARC-8700 has been referenced in Regulatory Guide 1.155 as providing an acceptable method to meet the requirements of the rule. Industry now finds the proposed rule and regulatory guide acceptable. 4.1.5 Alternative (v) This alternative would be to take no actions beyond those resulting from the NUMARC' initiatives endorsed by industry and the resolution of Generic Issue B-56 (see discussions in Sections 3.4, 4.1.4, and 4.2.1). Operating experience with diesel generator failures and losses of offsite power has raised a significant concern regarding the potential r$sk from a station blackout event. The use of this data base with relatiply straightforward application of PRA techniques indicates that station blackout e, vents could be a significant contributor to risk for many plants. The addit 1onal actions recommended for USI A-44 woule
~
significantly reduce the estimated frequency of, core damage associated with severe accidents from station blackout. Because the value-impact analysis has shown that it would be benefitial to implement these recommendations, the no-action alternative is not recommended. 4.2 Impacts on Other Requirements Several ongoing NRC generic programs and requirements that a're related to the resolution of USI A-44 are discussed below.- 4.2.1 Generic Issue B-56, Die'sel Generator Reliability The resolution of USI A-44 includes a regulatory guide on station blackout that specifies the following guidance on diesel generator reliability (Regulatory Guide 1.155, Sections C.1.1 and 2):
~
The reliable operation of the onsite emergency AC power sources should be ensured by a reliability program designed to monitor and maintain the reliability of each power source over time at a specified acceptable level and to improve the reliability if that level is not achieved. The reliability program should include surveillance testing, target values for maxieum failure rate, and a maintenance program. Surveil-lance testing should monitor performance so that if the actual failure rate exceeds the target level, corrective actions can be taken. The maximum emergency diesel generator failure rate for each diesel l generator should be maintained at or below 0.05 failure per demand. For plants having an emergency AC power system [ configuration requir-ing two-out-of-three diesel generators or having a total of two diesel generators shared between two units at a site], the emergency. diesel generator failure rate for each diesel generator should be maintained at 0.025 failure per demand or less.
.I NUREG-1109 27 n
In Genaric Letter 8d-15, dated July 2, 1984, the staff requested information from licensees.regarding proposed actions to improve and maintain diesel gener-ator reliability. The letter requested' specific information on three areas (1) reduction of cold fast-start surveillance tests for diesel generators (2) diesel generator reliability -- (3) the licensee's diesel generator reliability program, if any, and comments on the staff's example performance technical specifications for dies.el generator reliability A summary of the data and recommendations in response to Generic Letter 84-15 was published in NUREG/CR-4557. This information, along with other input, will be used in the resolution of Generic Issue B-56 to provide specific guid-ance for diesel generator reliability programs consistent with the resolution of USI A-44. l 4.2.2 USI A-45, Shutdown Decay Heat Removal Requirements The overall objective of USI A-4s is to evaluate the adequacy.of current licens- l ing requirements to ensure that nuclear power plants do not pose an unacceptable l risk as a result of failure to remove shutdown decay heat following transients i or small break loss-of-coolant accidents. The study includes an assessment of alternative means of improving shutdown decay heat removal and of an additional l "dedicated" system for this purpose. Results will include proposed recommenda-tions regarding the desirability of, and possible design requirements for, j improyements in existing systems or an additional dedicated decay heat removal ' system. , The USI A-44 concern for maintaining adequate core cooling under station black-out conditions can be considered a subset of the overall USI A-45 issue. How-ever, there are significant differences in scope between these two issues. USI A-44 deals with the probability of loss of ac power, the capability to remove decay heat using systems that do not require ac power, and the ability to restore ac power in a timely manner. USI A-45 deals with the overall reliability of the decay heat removal function in terms of response to transients, small break loss-of-coolant accidents, and special emergencies such as fires, floods, seismic events, and sabotage. Although the recommendations that might result from the resolution of USI A-45 are not yet final. some could affect the station blackout capability, while others would not. Pecommendations that involve a new or improved decay heat removal system that is ac power dependent but that does not include its own dedicated ac power supply would have no effect on USI A-44. Recommendations that involve an additional ac-independent decay heat removal system would have a very modest effect on USl A-44. Recommendations that involve an additional decay heat removal system that include its own ac power supply would have a significant effect on USI A-44. Such a new additional system would receive the appropriate credit within the USI A-44 resolution by either changing the emergency ac power configuration group or providing the ability to cope with a station blackout for an extended period of time. e
- NUREG-1109 28
. .- L . _ . . __. . _ . _ - . _
The resolution of USI A-44 would necessitate average expenditures of about
$600,000 per plant, with a range estimated to be from about'$350,000 to a maxi-mum of around $4 million. A resolutior for USI A-45 involving the addition of a dedicated.and independent sys. tem, such as an additional shutdown cooling , system with its own dedicated diesel generator, would be much more expensive, with an expenditure on the order of $50 to $100 million. However, such expen-ditures would resolve other concerns with respect to the decay heat removal function which will be delineated in a future regulatory analysis for USI A-45.
The resolution of these two issues is coordinated along two main lines. First, technical information resulting from both studies is shared among the major participants including NRC staff and contractors. In this way, the resolution of USI A-45 will take into account any modifications resulting from the reso-lution of USI A-44 that are applicable to the decay heat removal function. Second, the schedules are coordinated so that by the time a final rule on USI A-44 is published--and well before plant modifications, if any, would be imple-mented--it is anticipated that the proposed technical resolution of USI A-45 will be published for public comm,ent. The technichl summary findings report and the regulatory analysis for the pro-
~
posed resolution of USI A-45 are targeted to be issued for public comment in mid-1988. For plants needing hardware modifications to comply with the USI A-44 resolution, this schedule would permit a re-evaluation before any actual modific'ations are made so that any contemplated design changes following from the resolution of USI A-45 can be considered at the same time. 4.2.3 Generic Issue B-23, Reactor Coolant Pump Seal Failures The Task Action Plan for Generic Issue B-23 includes three tasks: (1) a review of seal failure coerating experience, (2) an assessment of the effects of loss of seal cooling or. reactor coolant pump (RCP) seal behavior, and (3) an evalua-tion of other causes of RCP seal failure such as mechanical and maintenance-induced failures. Only task 2 is closely related to USI A-44 because during a station blackout, systems that normally provide RCP seal cooling are unavail-able, and RCP seal integrity is necessary for maintaining primary system inventory under station blackout conditions. NRC and industry analyses of seal performance with loss of seal cooling are proceeding, but at this time the staff has not completed its recommendations to , resolve Generic Issue B-23. The estimates of core damage frequency for station blackout events in WUREG/CR-3226 assumed that the RCP seals would leak at a rate of 20 gallons per minute (gpm) per pump. Results of the analysis for l Generic Issue B-23 will provide the information necessary to determine seal I behavior and, likewise, a plant's ability to cope with a station blackout for a specified time. Should this analysis conclude that there is a significant prob-ability that RCP seals can leak at rates substantially higher than 20 gpm, then modifications such as an ac-independent RCP seal cooling system may be necessary to resolve Generic Issue B-23. If there is high probability that the RCP seals would not leak excessively during a station blackout, then no modifi-cations would be required. A cost-benefit analysis associated with the need i for an ac-independent seal cooling system would be included in the regulatory l analysis for Generic Issue B-23. l l NUREG-1109 29 l
4.2.4 Generic Issue A-30, Adequacy of Safety-Related DC Power Supply
- The analysis performed for USI A-44 (NUREG-1032) assumed that a high level of d,c power system reliability would be maintained so that (1) de power system failures would not be a significant contributor to losses of all ac power and (2) should a station blackout occur, the probability of immediate de power system failure would be low. Whereas Generic Issue A-30 focuses on enchancing battery reliability (e.g. , restricting interconnections between redundant de divisions, monitoring the readiness of the de power sy:, tem, specifyinq admin-istrative procedures and technical spet.ifications for surveillance testing and maintenance activities), the resolution of USI A-44 is aimed at ensuring ade-quate station battery capacity in the event of a station blackout of a specified duration. Generic Issue A-30 would provide additional assurance that station battery reliability is adequate and consistent with the assumptions on which USI A-44 is based. Therefore, these two issues are consistent and compatible.
4.2.5 Regulatory Guide 1.108, Periodic Testing of Diesel Generator Units Used as Onsite Electric Power S,ystems at Nuclear Power Plants Regulatory Guide 1.108 describes the currently acceptable method for complying with the Commission's regulations with regard to periodic testing of diesel generators to ensure that they will meet their availability requirements. This guide may need to be modified to be consistent with the proposed actions de-scribed in Section 4.2.1 above (Generic Issue B-56). Regulatory Guide 1.108 will be revised to be consistent with the resolutions of USI A-44 and Generic Issue'B-56. 4.2.6 Fire Protection Progr'am for Nuclear Power Facilities 10 CFR 50.48 state.s that each operating nuclear power plant shall have a fire protection plan that satisfies GDC 3. The fi're protection features required to satisfy GDC 3 are specified in Appendix R to 10 CFR 50 and in Branch Technical Position CHEB 9.5.1 (NUREG-0800). They include certain provisions regarding alternative and dedicated shutdown capability. To meet these provisions, some licensees have added, or plan to add, improved capability to restore power from offsite sources or onsite diesels for the shutdown system. A few plants have installed a safe shutdown facility for fire protection that includes a charging , pump powered by its own independent ac power source. In the event of a station blackout, this system can provide makeup capability to the primary coolant system as well as reactor coolant pump seal cooling. This could be a signifi-cant benefit in terws of enhancing the ability of a plant to cope with a station blackout. Because the plant modifications required for fire protection have already been specified, it would not be feasible to consider these modificatior.s together , with the requirements of USI A-44 However, credit would be given for improve- ,
- Generic Issue A-30 is being resolved as part'of Generic Issue B-128, Electrical Power Issues. Generic Issue A-30 is the only part of Generic Issue 8-128 that is closely related to USI A-44.
NUREG-1109 30 t
ments made for the fire protecti.on program in meeting the station blackout rule. For exam'ple, plants'that have added equipment to achieve alternate safe shutdown in order to meet Appendix R requirements could take credit for the equipment (if available) for coping with a station blackout event. 4.2.7 Generic Issue B-124, Auxiliary Feedwater System Reliability This issue has focused on the reliability of seven older PWRs that have two-train auxiliary feedwater systemc. Tha *+ has c:tabli:;had a ivview team
'which will perform reviews (including plant audits and walkdowns) to assess each of these plants on a case-by-case basis. Other relevant information such as auxiliary feedwater system reliability analyses will be considered in the staff reviews, as available. The staff may allow credit for compensating factors, such as feed and bleed capability, to justify acceptance of the two pump auxiliary feedwater systems, or may decide that hardware, procedural, and/or training modifications are necessary.
If the proposed resolution of Gerteric Issue B-124 requires the auxiliary feed-water system in several PWRs to be upgraded, this would most likely result in the addition of an auxiliary feedwater pump. The installation of a pump that is independent of ac power would be beneficial in handling station blackout accident sequences by providing additional reliability in the ac-independent decay heat removal system. Because all PWRs now have an auxiliary feedwater train that is independent of ac power, the requirement could be met by adding a motor-driven pump. Con ~sequently, the au?.iliary feedwater system upgrades could have no effect on the station blackout issue. - 4~. 2. 8 Multiplant Action Items B-23 and B-48, Degraded Grid Voltage and Adequa,cy of Station Electric Distribution Voltage These two multiplant action items have been under considaration by both the staff and licensees for several years. They relate to (1) sustained degraded voltage conditions at the offsite power sources, (2) interaction between the offsite and onsite emergency power systems, and (3) the acceptability of the voltage conditions on the station electric distribution systems with regard to potential overloading and starting transient problems. Licensees' responses to these concerns have consisted of verifying the adequacy of existing power systems or of upgrading the power systems. The modifications are designed to ensure that the power systems can perform their intended function and consequently would enhance their dependability. If additional power sources have been added to address these corfcerns, the plant would be placed in an improved category and may be required to withstand a blackout of lesser duration. In the resolu-tion of USI A-44, the staff is not recommending that work that has been done on these two action items be repeated. 4.2.9 Severe Accident Program Brookhaven National Laboratory (BNL) has proposed a set o'f preliminary guide-lines and criteria that could be used to assess the capability of huclear power
- plants to cope with severe accidents (for example, see BNL Technical Report A-3825R). This work was performed in support of the Implementation Plan for 4
NUREG-1109 31 .
. I
the. Commission's Severe Accident Policy State 2ent. The proposed guidelines cover a large number of potentially severe accident sequences., For station blackout ' events, the guidelines assume that plants will comply with the requirements in the station blackout rule. Therefore, the severe accident program and the resolution of USI A-44 are consistent and compatible. Require-ments for operating plants to comply with additional criteria beyond 4 hose in the station blackout rule would need to be justified in accordance with the backfit rule (10 CFR 50.109). . 1 4.3 Constraints The staff has reviewed current Commission regulations to determine if they provide a basis for implementation of the USI A-44 requirements. This review included (1) the Atomic Safety and Licensing Appeal Board Hearing (ALAB-603) on station blackout for St. Lucie Unit 2; (2) the Commission review of that hearing; (3) GDC 17, "Electric Power Systems"; and (4) the backfit rule (10 CFR 50.109). St. Lucie Unit 2 Atomic Saf,ety and Licensing Appeal Board Hearing In ALAB-603, the board took the position that station blackout should be con-sidered a design-basis event for St. Lucie Unit 2 because of the high frequency of such an event (10 4 to 10 5 per year at that site). As a result, the Appeal Board required St. Lucie Unit 2 to be capable of withstanding a total loss of ac power and to implement training and procedures to recover from station blackout. The Appeal Board went as far as to say, Our findings that s.tation blackout should be considered as'a design basis event for St. Lucie Unit 2 manifestly could be applied equally to Unit 1, already in operation at that site. By a parity of reasoning, this result may well also obtain at other nuclear plants on applicant's system, if not at most power reactors. Our jurisdiction, however, is limited to the
~
matter before us, licensing construction of St. Lucie 2. Soyond that, we can only alert the Commission to our concerns. The Commission upheld the Board's action on St. Lucie Unit 2. However, the Commission determined that ALAB-603 did not establish station blackout generically as a design-basis event. General Design Criterion 17 o GDC 17 states, in part, Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from.the onsite electric power supplies. The intertt of GDC 17 is to require reliable offsite and onsite ac power systems. The ability to cope with the :oincident loss of both of these systems is not addressed explicit 1 /. a S NUREG-1109 32 4
*As a result of this review, the staff has concluded that there is a basis in the regulations fo'r the recommendations to improve the reliability of the off-site and onsite ac power. systems. However, because the coincident loss of both systems is not addressed explicity, a rule to require plants to be able to with-stand a total loss of ac power for a specified duration will provide further assurance that station blackout will not adversely affect the public tealth and safety.
Backfit Rule On September 20, 1985, the Commission published the backfit rule (10 CFR 50.109). This rule sets forth restrictions on imposing new requirements on currently licensed nuclear power plants and specifies standard procedures that must be applied to backfitting decisions. The backfit rule states, The Commission shall require a systematic and documented analysis pursuant to paragraph (c) of this section for backfits which it seeks to impose....(10 CFR,50.109(a)(2)) The Commission shall require the backfitting of a facility only when it determines, based on the analysis described in paragraph (c) of this section, that there is a substantial increase in the overall protection of the public health and safety or the common defense and security to be derived from the backfit and that the direct and
-indirect costs of-implementation ft;r that facility are justified in view of this increased protection. '(10 CFR 50.109(a)(3))
In order to reach this determination,' 10 CFR 50.109(c sets forth nine spe-cificfactorswhicharetobeconsideredintheanalys)isforthebackfitsit seeks to impose. These nine factors are among those discussed in the main body of this report. Appendix A provides a discussion summarizing each of these factors. The Commission also states in the backfit rule that "any other information relevant and material to the proposed backfit" will be considered. This report provides additional relevant information concerning the station blackout rulemaking. This analysis supports a determination that a substantial increase in the protection of the public health and safety will be derived from backfitting the requirements in the station blackout rule, and that the backfit is justified in view of the direct and indirect costs of implementing the rule. No other constraints have been identified that affect the resolution of USI A-44, 5 DECISIONRATIONA[E The evaluation to resolve USI A-44 included deterministic and probabilistic analyses. Calculations to determine the timing and consequences of various accident sequences were performed and the dominant factors affecting station blackout and-4347). likelihood were identified Using this information, (NUREG-1032 simplified and-3992, probabilistic acci
-3226, NUREG/CR-29 correlations were calculated to estimate the frequency of core damage resulting from station blackout events for different plant design, operational, and loca-tion factors. These quantitative estimates were used to give insights into the relative importance of various factors, and those insights, along with engineer-ing j0dgment, were us2d to develop the resolution'of USI A-44. By analyzing -
- .ne effect of variations in design, operations, and plant location on risk from-t i NUREG-1109 33
station blackout accidents, an attempt was cade to approach a reasonably con- l sistent, level of risk in the recommendations developed. ' A survey of probabilistic risk assessment studies showed that total core damage frequency from all dominant accident sequences ranged from 2 x 10 5 to 1 x 10 3 per reactor year, with a typical frequency of about 6 to 8 x 10 5 per reactor-year (NUREG/CR-3226). For those plants currently in operation or under con-struction, a value-impact analysis was performed to determine that the resolu-tion of USI A-44 is cost-effective. Implementation of the resolution will result in station blackout being a relatively small contr4"ter te total core Jameye frequency. (NUREG-1032 provides a more detailed C.iscussion of the anal-ysis of station blackout accident likelihood performed for this regulatory analysis.) 5.1 Commission's Safety Goals On August 4, 1986, the Commission published in the Federal Register a policy statement on "Safety Goals for the Operations of Nuclear Power Plants" (51 FR 28044). This policy statdment focuses on the risks to the public from nuclear power plant operation and establishes goals that broadly define an acceptable level of radiological risk. The discussion below addresses the resolution of USI A-44 in light of these goals. The two cualitative safety goals are: Individual members of the public should be provided a level of. pro-tection from the consequences'of nuclear power plant operation such that individuals bear no significant additional risk to life and health. Societal risks in life and health from nuclear power plant opera-tion should be comparable to or less than the risks of generating electricity by viable competing technologies and should not be a significant addition to other societal risk. The following quantitative objectives are used in determining achievement of the above safety goals: , l l The risk to an average individual in the vicinity of a nuclear power plant of prompt fatalities that might result from reactor accidents should not exceed one-tenth of one percent (0.1%) of the sum of prompt i fatality risks resulting from other accidents to which members of the : U.S. population are generally exposed. The risk to the population in the area near a nuclear power plant of cancer fatalities that might result from nuclear power plant operation should not exceed one-tenth of one percent (0.1%) of the sum of cancer fatality risks resulting from all other causes. Results of analyses published in NUREG-1150 for five plants (Surry, Zion, Sequoyah, Peach Bottom, and Grand Gulf) indicate that all five plants meet the risk criteria for prompt fatalities and latent cancer fatalities stated above, even considering the large uncertainties involved. Implementation of the station i . i l blackout rule will result in the average core damage frequency.from station , i l NUREG-1109 34 1
i
- i blackout events being in ap' proximately the range of frequencies estimated for station blackout for the five'NUREG-1150' plants. Therefore, the' station black- ,
out rule meets both of the Commission's qualitative safety goals. l The Commission also stated the fullnwing regulatory objective relating to the frequency of core damage accidents at nuclear power plants. -
- Severe core damage accidents can lead to more serious accidents with ,
the potential f
- M fa-threatening offsite releases of radiatten, for i evacuation of members of the public, and for contamination of public ,
property. Apart from their health and safety consequences, such acci- i
- dents can erode public confidence in the safety of' nuclear power and can lead to further instability and unpre'dictability for the industry.
- In order to avoid these adverse consequences, the Commission intends to continue to pursue a regulatory program that has as its objective providing reasonable assurance, giving appropriate consideration to the uncertainties involved, that a severe core damage accident will i not occur at a U.S. nuclear,
- power plant.
An estimate of the. total probability of core damage for the nuclear industry is beyond the scope of this regulatory analysis, but some perspectives on station ' blackout are presented here. The mean core damage frequency from station black- t out events before implementation of the station blackout rule is estimated to be 4.2 x 10 5 per reactor year. Thus, the probability of core damage frou l station blackout is about 0.12 (i.e., about 1 chance in 8 that station black- j out would result in severe core damage at one of 125 reactors over an assumed ' remaining 25 year life expectancy of these plants). Implementation of the F station blackout rule would reduce the estimated mean core damage frequency to 1.6 x 10.s per reactor year, and therefore, the estimated probability of a severe core damage accident from station blackout would be 0.05 (i.e., about I chance in 20 of severe core damage). Therefore, implementing the resolution of ., USI A-44 provides reasonable assurance that a severe core damage accident from ! station blackout will not occur at a U.S. nuclear power plant. 1 The Commission also proposed the following guideline for further staff l evaluation-q Consistent with the traditional defense-in-depth approach and the l accident mitigation philosophy requiring reliable performance of contr.inment systems, the overall mean frequency of a large release of radioactive materials to the environment from a reactor accident i j should.be less than 1 in 1,000,000 per year of reactor operation. I ! Given the current state of knowledge regarding containment performance and the large uncertainties with respect to the probability of containment failure fol- -
- lowing severe accident sequences, it is not possible to conclude that the safety performance guideline on the frequency of a large release would be met. This conclusion is based on the est'imated mean core damage frequency for station i, blackout events of 1.6 x 10 5 per reactor-band for the probability of early contain*ment year failure coupled with the ranging untertainty from about 0.05
- to 0.90 as reported in NUREG-1150. Since the potential for a high likelihood i of containment failure cannot be eliminated, the overall mean frequency of a large release of radioactivity of 10 8 per ' reactor year.cannot be ensured.
f e NUREG-1109 35 l -
~
. Additional rationale for implementing the stat;w., blacktut rule.and the rcgula-tory guide over other alternatives is discussed in the value-impact analysis (Section 4.1). This' action represents the staf f's position based on a compre-hensive analysis of the station blackout issue. This position includes all the requirements and guidance to resolve the station blackout issue. 5.2 Station Blackout Reports The studies and data on which this resolution is based are documented in NUREG-1032 and NUREG/CR-2989, -3226, -3992, and -4347. 5. :;-f:: :f th::= reports follow. 5.2.1 NUREG-1032, Evaluation of Station Blackout Accidents at Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-44 This report summarizes the results of technical studies performed in support of USI A-44 and identifies the dominant factors affecting the likelihood of station blackout accidents at nuclear power plants. These results are' based on operating experience data; analysis of several plant-specific probabilistic safety studies; and reliability, accident sequence, and consequence analyses performed in support of this unresolved safety issue. In summary the results show the following important characteristics of station blackout accidents. (1) The likelihood of-station blackout varies between plants with an estimated
, frequency ranging from approximately 10 5 to 10 3 per reactor year. A "typical" estimated frequency is on the order of 10 4 per reactor year.
(2) The capability of restoring offsite power in a timely manner can have a significant effect on accident consequences. (3) Onsite ac power system redundancy and Individual pcwe' supply reliability have the largest influence on station blackout accident frequency. . (4) The capability of the decay heat removal system to cope with long duration blackouts can be a dominant factor influencing the likelihood of core damage or core melt. (5) The estimated frequency of station blackout events resulting in core damage or core melt can range from approximately 10 8 to greater than 10 4 per reactor year. A "typical" core damage frequency estimate is 2 to 4 x 10 5 per reactor year. (6) The best information available indicates that containment failure by over-pressure may follow a station-blackout-induced core melt with smaller, low design pressure containments most susceptible to early failure. Some large, high design pressure containments may not fail by overpressure, or the failure time could be on the order of a day or more. - Losses of offsite power could b'e characterized as those resulting from plant-centered faults, utility grid blackout, or severe weather-induced failures of offsite power sources. The industry average frequency of total losses of of fsite power was determined to be about'l in 10 site years. The median restoration time was about 1/2 hour, and 90. percent of the losses were restored in NUREG-1109 36 6
O 3 hours or less. The factors that were identified as affecting the frequency and duration of offsite power losses are (1) design of preferred power distribution system, particularly the number and independence of offsite power circuits from the point.where they enter the site up to the safety buses - (2) opcrations that can compromise redundancy or independence of multiple off-site power sources, including human error (3) grid stability and security, and the ability to restore power to a nuclear plant site with a grid blackout (4) the hazard from, and susceptibility to, severe weather conditions th'at can cause loss of offsite power for extended periods A design and operating experience review, combined with a reliability analysis - i of the onsit'e, emergency ac power system, has shown that there are a variety of potentially important failure'causes. The typical unavailability of a two-division emergency ac power system is about 10 3 per demand, and the typical ; individual emergency diesel generator failure rate is about 2 x 10 2 per demand. The factors that were identified as affecting the emergency ac power system reliability during a loss of offsite power are '
, (1) -- power supply configuration redundancy >
(2) reliability of each power supply (3) dependence of the emergency ac power system on support of auxil.,iary' cool-i ing systems and control systems and the reliability'of th se support i systems (4) vulnerability to common cause failures associated with design, operational, and environmental factors I The likelihood of a station blackout progressing to core damage or core melt is dependent on the reliability and capability of decay heat removal systems that are not dependent on ac power. If sufficient capability exists, additional time will be available to permit an adequate opportunity to restore ac power to the many systems normally used to cool the core and remove decay heat. The most important. factors involving decay heat removal during a station blackout are (1) the starting reliability of systems required to remove. decay heat and maintain reactor coolant inventory : (2) the capacity and functionability of decay heat removal systems and aux-iliary or support systems that must remain functional during a station blackout (e.g., de power, condensate storage) (3) for PWRs, and BWRs without reactor coolant makeup capability during a station blackout, the magnitude of reactor coolant pump seal leakage I - 4 4 NUREG-1109 37
(4) for BWRs that remove decay heat to the suppression pool, the ability to maintain hppression pool integrity and operate heat removal systems at high pool temperatures during recirculation It was determined by reviewing design, operational, and location factors, that the expected core darnage frequency from station blackout could be maintained around 10 5 per reactor year or lower for almost all plants. The ability to cope with station blackout durations of 4 to 8 hours and emergency diesel generator reliabil'ities of 0.95 per demand or better would be necessary to reach this core dam:;e frequency level. 5.2.2 NUREG/CR-3226, Station Blackout Accident Analyses This report analyzes accident sequences following a postulated total loss of ac power to (1) determine the core damage frequencies from station blackout,
; (2) provide insights through sensitivity studies of important factors to consider for lowering the core melt frequency, and (3) provide perspectives on the. risks from such an event. Probabilisti,c safety analyses were done on four generic "base" plant configurations. Fadit trees of different systems and event trees of possible station blackout accident sequences were constructed for these plants. These event trees modeled three time periods including an initial time period for sequences resulting from unavailabilities on demand and longer time intervals in which other f ailures can occur such as depletion of de power, degradation of reactor coolant pump seals, or depletion of condensate storage
- tank supply. Data from the offsite and onsite power 3tudies (NUREG/CR-2989 and
-3992) as well as from licensee event reports and PRAs were used to quantify the accident' sequences. Lastly, containment fai. lure modes and timing were reviewed to calculate the risk to the public from station blackout.
For the "base" cases, the total core damage frequencies fr'om station blackout resulting from the dominant accident sequences were estimated to be in the range of 10 5 per reactor year. Plants with features different from the base case designs have different core damage frequencies, so sensitivity analyses were conducted. For example, the reliability and recovery of ac power from both the offsite and emergency onsite power systems have a direct impact on core damage frequencies. Depending on the expected frequency of station blackout at a plant and other factors, the frequency of core damage associated with loss of all ac power ranged from about 2 x 10 8 to greater than 10 4 per reactor year, In summary, results of the accident sequence analyses indicate that the follow-ing plant factors ase important when considering station blackout: (1) the effectiveness of actions to restore offsite power once it is lost
- (2) the degree of redundancy and reliability of the pergency onsite ac power system l
(3) the reliability of decay heat removal systems following loss of ac power (4) de power reliability and battery capacity including the availability of instrumentation and control for decay heat removal without ac power i
-(5) common service water dependencies between the emergency ac power source and the decay heat removal systems ,
i NUREG-1109 38
(6) the magnitude of reactor coolant pump seal leakage 'and the likelihood of a stuck-open relief valve during a station blackout (7) containment size and design pressure (8) operator training and available procedures -- 5.2.3 NUREG/CR-2989, Reliability of Emergency AC Power Systems at Nuclear Power Plants The purpose of this study was to estimate the reliabilities of representative onsite ac power systems and to estimate the costs of fixer to improve the re-liabilities of these systems. For this analysis, an initial design review of onsite ac power systems was done using Final Safety Analysis Reports (FSARs) for plants, plant schematics, and plant-specific procedures. The study included examining the following areas: switchyards, distribution systems, de power systems, diesel generators, support systems, and procedures. Historical data on diesel generator operating experience for the 5 year pariod from 1976 through 1980 were collected from licenses event reports and responses to questionnaires sent to licensees. Eighteen different configurations were identified, and representative plants were selected for a more detailed reliability analysis. This analysis involved constructing fault tree models for the onsite power systems and quantifying these fault trees with the data gathered on operating experience. The onsite system undependability (the probability that it will fail to start or fail to continue to run for the duration of an offsite power' outage) was calculated for ac power outages up to 30 hours after a loss of offsite power. Results of a sensitivity study were used to identify potentially important contributors to unreliability, and costs of improvements were estimated. Results showed that important contributors to onsite power undependability were independent diesel generator failure, common cause failure due to hardware failure or human error, unavailability because of scheduled maintenance, and cooling subsystem undependability. Reliability of onsite ac power systems varies
.from plant to plant. Depending on diesel generator configuration, the system unavailaoility ranged from 1.4 x 10 4 to 4.8 x 10 2 per demand. Significant variability exists so that any reliability improvements and the associated costs must be evaluated on a plant-specific basis.
5.2.4 NUREG/CR-4347,, Emergency Diesel Generator Operating Experience, 1981-1983 This report is an update of operating experience of emergency diesel generators reported in NUREG/CR-2989. Estimates of diesel generator failure rate during surveillance testing and during actual demands (e.g., unplanned demands follow-ing losses of offsite power or safety injection actuation signals) are presented. The data indicate that overall diesel generator performance has improved since 1976 with an overall median failure rate estimated to be 0.019 failure per demand. However, for the 1981 to 1983 period, the diesel generator failure rate during
' actual demands was 0.025 failure per demand--a rate higher than that for all demands (i.e., including surveillance tests). Data from NUREG/CR-2989 and -4347, along with results of an industry survey conducted by the Electric Power Research Institute (NSAC/108), were used in the staff's evaluation of risk from station blackout events (NUREG-1032).
4 NUREG-1109 - 39 5
5.2.5 NUREG/CR-3992,.Co11tetkon'andEvaluationofCompleteandPartialLosses
~
of Offsite Power at Nuclear Power Plant's This report describes and categorizes events involving complete or significant' partial losses of offsite power that-have occurred at nuclear power plants through 1983. The purposes of this study were to prov.ide an accurate data base to estimate frequencies and durations of lossis of offsite power and to under-stand how offsite power design features may affect these losses as well as the ability to restore offsite power. A parallel study documenting loss of offsite power experience through 1985 was y hl hhed by th? N':0!c2.' hfety A.ialysis Cem ter of the Electric Power Research Institute (NSAC/103). Data from both NUREG/ CR-3992 and NSAC/103 were used in the loss of offsite power analysis in NUREG-1032. Based on industry-wide data for the years 1959 through 1983, the frequency of loss of offsite power is about once every 10 site years. A total of 46 complete loss-of-offsite power events were documented, ranging in duration from a few minutes up to a maximum of almost 9 hours. In approximately half of these events, offsite power was restordd in 1/2 hour or less. Information for this study was collected from licensee event reports, responses to an NRC quos-tionnaire, and various reports prepared by the utilities. Most of the event descriptions in the licensee event reports and other documentation within the NRC files did not contain sufficiently detailed information for the purposes dis:ussed above. For example, in one case a licensee reported of fsite power restoration time to be 6 hours, but actually one offsite power source was re-stored in 8 minutes, and all offsite power was. restored in 6 hours. Because c restoratio.n of one source of offsite power terminates a loss of of fsite power, the documented description was not accurate enough. In some other cases, off-site power was available to be reconnected, but the plant operators did not reconnc-t it for some time after it was available. The time power was recon- ! nected was usually reported; however, the data that were actually needed were the times that power.was available for reconnection. Because of the need for more accurate data, additional information was obtained by contacting utility i engineers for better descriptions of the causes, sequen,ces of events, and the times and methods of restoring offsite power. Once these data were collected, the offsite power failures were identified as plant-centered or grid failures. In addition, the causes of the failures were attributed to weather, human error, design error, or hardware failure. The plant-centered failures were usually of shorter duration than the gric failures caused by severe wegther. For this reason, the weather-related events were . reviewed in detail. Offsite power design features were tabulated for most of the operating nuclear power plants to determine which ones significantly af fect of fsite power system reliability. The frequercy and duration of losses of offsite power caused by i severe weather are affected by the number of transmission lines and rights-of-way and the availability of alternate power sources (such as hydro, gas turbines. 1 or fossil units near the nuclear plant). Design features that may be important l
- for plant-centered losses of offsite power are the number of offsite power !
sources, the electrical independence of those sources, and the relay scheme for transferring power between offsite sources. ; i e NUREG-1109 40 t
- _ _ _ ,_, - . _ _ _ _ _ ~ __
l
~
ti IMPLEMENTATION .
- 1 6.1 Schedule for Implementino the Final Station Blackout Rule
! i The steps and schedule listed in Table 13 summarize the implementation schedule r in the station blackout rule (10 CFR 50.63(c) and (d)). Within 9 months after promulgation of the rule, licensees will submit to NRC (1) the duration for which the plant should be able to cope with a station blackout, (2) a justifi- > i cation for the duration, (3) a description of the procedures to cope with a
; station blackout for that duratiun, ena a) a nst of equipment modifications d
necessary, if any, to meet the specified station blackout duration. The staff will review the licensees' submittals and inform them of its conclusions i regarding the requirements of 10 CFR 50.63. Within 30 days of the staff's ! notification, the licensees will submit a schedule for implementing any l necessary equipment modifications to comply with the rule. ' The factors that must be considered to determine the minimum acceptable station blackout duration, as specified in 10 CFR 50.63(a), are
, relatively straightforward. In fact, licensees have reviewed their plants against these factors as part of an industry initiative supported by NUMARC.
Thus, this acceptable duration can be determined in approximately 1 or 2 months. Licensees will be required to perform plant-specific analyses to determine if the plant, as designed, can cope with a station blackout for the acceptable duration, and to determine what modi,fications, if any, are needed to meet the acceptable duration. These analyses could require 6 to 9 months to perform. ! Thus, it seems reasonable to require that the information be submitted to the ! NRC within 9 months after the date the final rule is issued. i The implementation of procedural changes to cope with a station blackout and diesel generator reliability improvements, if necessary, will be accomplished early in the schedule. Harcware backfits, if necessary, should be implemented j as soon as practical, based on scheduled plant shutdown, but no later than ] 2 years after the staff reviews a licensee's station blackout duration submittal. : A final schedule for implementation of design and associated procedural modifi-cations will be mutually agreed upon by the licensee and the NRC staff. Other schedules were considered; however, the staff believes the implementation schedule in Table 13 is achievable without unnecessary financial burden on - licensees for plant shutdown. The schedule allows reasonable time for the im-plementation of necessary hardware items to achieve a reduction in the risk of severe accidents associated with station blackout, yet achieves significant i benefits early on by requiring an assessment of a plant's station blackout capability and procedures and training to cope with such an event. Shorter or , less flexible schedules would be unnecessarily burdensome; longer schedules would delay necessary plant improvements. I 6.2 Relationship to Other Existino or Proposed Recuirements Several NRC programs are related to USI A-4a; these are discussed in Section 4.2, These programs are compatible with the resolution of USI A-44. i - 1 , NUREG-1109 41
Table 13, Implementation schedule for final station blackout. rule Time after Commission decision Activity to issue final rule (months) Issuance of final rule O Licensees' submittal of acceptable station 9 blackout uuiations to NRC: inct"diac description of procedures and list of modifications Staff notification of licensees of 15-33* conclusions regarding requirements Licensee's submittal o'f schedule for 16-34 implementing hardware modifications Completion of licensees' hardware ** modifications
*High priority plants - 15 months; last remaining plant - 33 months.
**Schedula to be agreed upon with NRC, but within 2 years of NRC review of sub-mittal, unless justification is submitted by the licensee for a later d, ate and the staff agrees. -
7 REFERENCES Brookhaven National Laboratory, "Prevention and Hitigation of Severe.Acci-dents in a BWR-4 With a Mark I Containment," Oraf t Technical Report A-3825R, October 1986. Letter from J. H. Miller, Jr. , Nuclear Utility Management and Human Resources Committee, to Chairman H. J. Palladino, NRC, June 17, 1986. Letter from J. Opeka, NUMARC, to T. P, Speis, NRC, "NUMARC-8700, ' Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors,'" October 19, 1987. - NSAC/103, "Losses of Offsite Power at U.S. Nuclear Power Plants - All Years Through 1985," Nucidar Safety Analysis Center, Electric Power Research Insti-tute, May 1936. NSAC/108, "The Reliability of Emergency Diesel Generators at U.S. Nuclear Power Plants," Nuclear Safety Analysis Center, Electric Power Research Institute, September 1986. I i NUMARC-8700, "Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors," Rev. 0.0, Nuclear Management and Resources Council, October 1987 (available frum the Nuclear Management and
, Resources Council, 1726 M Street, N.W., Suite 903, Washington, D.C. 20036). l 1
l l NUREG-1109 42 l
Sandia National Laboratory, "Value-Impact Calculation for Station Blackout Task Action Plan A-44," letter report to NRC, March 1983. Science and Engineering Associates, Inc., "Response to Industry Comments on Station Blackout Cost Estimates (NUREG/CR-3840)," letter report to NRC, Novemoer 12, 1986. -- U.S. Atomic Energy Commission, WASH-1400, "Reactor Safety Study," October 1975 i (also reissued as NUREG-75/014). , U.S. Nuclear Regulatory Commission, 51 FR 9829, "Station Blackout," March 21 I 1986.
~
-- , 51 FR 28044, "Safety Goals for the Operation of Nuclear Power Plants,"
August 14, 1986. i l
-- , Generic Letter 84-15, "Proposed Staff Actions To Improve and Maintain Diesel Generator Reliability," July 2, 1984., i
-- , "Regulatory Analysis Guidelines," NRR Office Letter No. 16, Revision 3, May 13, 1986. .
-- , NUREG-0800, "Standard Review Plan for the Review of Safety Analyses for !
Nuclear. Power Plants ,", July 1981. i
-- , NUREG-0956, "Reassessment of the Technical Bases for Estimating Source '
Terms," July 1986.
-- , NUREG-1032, "Evaluation of Station Blackout Accidents,at Nuclear Power ,
Plants, Technical Findings Related to Unresolved Safety Issue A-44," draft, ' May 1985.
-- , NUREG-1150, "Reactor Risk Reference Document," Draft for Comment, February 1987. -
L i ;
-- , NUREG/CR-2723 "Estimates of the Financial Consequences of Nuclear Power Reactor Accidents," September 1982.
l i l. t i 1 1 4
- NUREG-1109 43
. _ APPENDIX A BACKFIT ANALYSIS i , i l
4 1 1 1 I 1 1
. t l NUREG-1109 .
Appendix A l 1
APPENDIX A BACKFIT ANALYSIS
- Analysis and Determination That the Rulemaking To Amend 10 CFR 50 Concerning Station Blackout Complies With the Backfit kule 10 CFR 50.109 The Commiss, ion's existing regulations establish requirements for the design and testing of onsite and offsite electrical power systems (10 CFR 50, Appendix A, General Design Criteria 17 and 18). However, as operating experience has accumulated, the concern has arisen regarding the reliability of both the offsite and onsite emergency ac power systems. These systems provide power for various safety systems including reactor core decay heat removal and containment heat removal which are essential'for preserving the integrity of the reactor core and the containment building, respectively. In numerous instances emer-gency diesel generators have failed to start and run during tests conducted at operating plants. In addition, a number of operating plants have experienced a total loss of offsite electric power, and more such occurrences are expected.
Existing regulations do not require explicitly that nuclear power plants be designed to withstand the loss of all ac power for any specified period. This issue has been studied by the staff as part of Unresolved Safety Issue (USI) A-44, "Station Blackout." Both deterministic and probabilistic analyses were performed to determine the timing and consequences of various accident sequences and to identify the dominant f actors affecting the likelihood of core melt accidents from station blackout. Although operational experience shows that the risk to public health and safety is not undue, these studies, which have evaluated plant design features and site-dependent factors in detail, show that station blackout can be a significant contributor to the overall plant risk. Censequently, the Commission is amending its regulations to require that plants be capable of withstanding a total loss of ac power for a specified duration and to maintain reactor core cooling during that period. The estimated benefit from implementing the station blackout rule is a reduction in the frequency of core damage per reactor year due to station blackout and the associated risk of offsite radioactive releases. The risk reduction for 100' operating react 6rs is estimated to be 145,000 person-rems and supports the Commission's conclusion that 10 CFR 50.63 provides a substantial improvement in the level protection of public health and safety.
- The backfit analysis is included as an appendix to this report. It is intended to be a standalone document that minimizes the need to refer to a'dditional' documents by including sufficient detail to assess each consideration in the backfit rule (10 CFR 50.109). Therefore, the backfit analysis repeats much of what is already included in the main body of the report.
i NUREG-1109 1 Appendix A
}
The cost for licensees to comply cith the rule would vary depending on the exist-ing capability of each plant to cope with a station blackout, as well as the - specified sta' f on blackout duration for that plant. The costs would be primarily for licensees (1) to assess the plant's capability to cope with a station black-out, (2) to develop procedures, (3) to improve diesel generator reliability if the reliability falls below certain levels, and (4) to retrofit plants with > additional components or systems, as necessary, to meet the requirements. The estimated total cost for 100 operating reactors to comply with the resolu-tion of USI A-44 is about $60 million. .The average cost per reactor would be
.cund $600,000, ranging from $350,000 if only a station blackout assessment and procedures and training were necessary, to a maximum of about $4 million if substantial modifications were needed, including.requalification of a diesel generator.
The overall value-impact ratio, not including accident avoidance costs, is about 2,400 person-rems averted per million dollars. If the net cost, which includes the cost savings from accident avoidance (i.e., cleanup and repair of onsite damages and replacement power following an accident), were used, the overall value-impact ratio would improve significantly to about 6,100 person-rems averted per million dollars. These values, which exceed the 51,000/persor.-rem guidance provided by the Commission, support proceeding with the implementaticn of 10 CFR 50.63. The preceding quanti W ive value-impact analysis was one of the factors consideree in evaluating 16e rule, but other factors also played a part in the decision- . makin~g procM,s. Probatiilistic risk assessment (PRA) studies performed for this ' USI, as well as some plant-specific PRAs, have shown that station blackout can be a significant contributor to core melt frequency, and, with consideration of containment'f ailure, station blackout events can represent an important contrib-utor to reactor risk. In general, active systems required for containment heat removal are unavailable during station blackout. Therefore, the offsite risk is higher from a core melt resulting from a station blackout than it is from many other accident scenarios. Although there are licensing requirements and guidance directed at providing reliable offsite and onsite ac power, experience has shown that thare are prac-tical limitations in ensuring the reliability of offsite and onsite emergency aC power systems. Potential vulnerabilities to common cause failures associated with design, operational, and environmental factors can affect ac power system reliability. For example, if potential common cause failures of emergency die-sel generators exist (e.g. , in service-water or de power support systems), then the estimated core damage frequency from station blackout events can increase significantly. Also, even though recent data indicate that the average emergency diesel generator reliability has improved slightly since 1976, these data also show that diesel generator failure rates during unplanned demand (e.g. following a loss of offsite power) were higher than those during surveillance tests. The estimated frequency of core damage from station blackout events is directly propertional to the frequency of the initiating event. Estimates of station blackout frequencies for this USI were based on actual operational experience with credit given for trends showing a reduction in the frequency of losses of offsite power resulting from plant-centered events. This is assumed to be a NUREG-1109 2 Appendix A '
+
r
, . realistic indicator of future performance. An argument can be made that the
, future performance will be better than the past. For example, when problems . with the offsite power grid arise, they are fixed and, therefore, grid relia-bility should improve. On the other hand, grid power failures may become more
- frequent because fewer plants are being built, and more power is being trans-l mitted among regions, thus placing greater stress on transmission lines. !
l A number of foreign countries,' including France, Britain, Sweden, Germany, and I Belgium, have taken steps to reduce the risk from station blacko'ut events. These steps include adding design features to enhance the c@*1;ty vi the - 1 plant to cope with a station blackout for a substantial period of time and/or l adding redundant and diverse emergency ac power sources.
! The factors discussed above support the determination that additional defense '
in-depth provided by the ability of a plant to cope with station blackout for i a specific duration would provide a substantial increase in the overall protection of the public health and safety, and the direct and indirect costs of implemen-tation are justified in view of this increased protection. The Commission has considered how this backfit should be prioritized and scheduled in light of other regulatory activities ongoing at operating nuclear power plants. Station black-out warrants a high priority ranking b) sed on both its status as an "unresolved safety issue" and the results and conclusions reached in resolving this issue. As noted in the implementation section of the rule (10 CFR 50.63(c)(4)), the schedule for equipment modification (if needed to meet the requirements of the rule) shall be mutually agreed upon by the licensee and NRC. Modifications that cannot be schedule,d for completion within 2 years after NRC accepts the licensee's specified station blackout duration must be justified by the licensee. j Analysis of 10 CFR 50.109(c) Factors - (1) Statement of the sDecific objectives that the backfit is designed to acMeve I The NRC staff has completed a review and evaluation of information ] developed since 1980 on USI A-44, "Station Blackout." As a result of i these efforts, the NR0 is amending 10 CFR 50 by adding a new S 50.63,
,, "Station Blackout."
The objective of the station blackout rule is to reduce the risk of severe I accidents assogiated with station blackout by making station blackout a relatively small contributor to total core damage frequency. Specifically, the rule requires all light-water-cooled nuclear power plants to be able to cope with a station blackout for a specified duration and to have pro-cedures and training for such an event. A regulatory guide (Regulatory Guide 1.155), to be issued along with the rule, provides an acceptable l mcthod to determine the station blackout duration for ear.h plant. The ) duration is to be determined for each plant based on a comparison of the 1 individual plant design with factors that have been identified as the main contributors to risk of core melt resulting from station blackout. These factors are (1) the redundancy of onsite emergency ac power sources, (2) the reliability of onsite emergency ac power sources, (3) the fre-quency of loss of off, site power, and (4) the probable time needed to i - restore offsite power.
- NUREG-1109 3 Appendix A
'\ ; E __. __n_
\- ' 1 ., (2) General description of the activi 6 required by the licensee or applicant !
.in order to complete the backfit .
l In order to comply with the resolution of USI A-44, licensees will be required to
- Maintain the reliability of onsite emergency ac power sour'c'es at or above specified acceptable reliability levels. .
- Develop procedures and training to restire
- pr.1.r u:1..g c.corby p er sources if the emergency ac power system and the normal offsite power sources are unavailable.
Determine the duration that the plant should be able to withstand a station blackout based on the factors specified in 10 CFR 50.63, ,
"Station Blackout," and Regulatory Guide 1.155, "Station Blackout." ,
If available, an alternate ac power source, which meets specific , criteria for independerice and capacity, can be used to cope with a i station blackout. Evaluate the plant's actual capability to withstand and recever from a station blackout. This evaluation will include verifying the adequacy of station battery power, condensate storage tank capacity, and plant / instrument air for the station l blackout duration verifying adequate reactor coolant pump seal integrity for the station blackout duration so that seal leakage due to lack of seal cooling would not result in a sufficient primary system coolant inventory reduction to lose the ability to cool the cors verifying operability of equipment needed to operate during a station blackout for environmental conditions associated with total loss of ac power (i.e. , loss of heating, ventilation, and air conditioning) l Depending on the plant's existing capability to cope with a station ' black-out, licensees may or may not need to backfit hardware modifications (e.g., adding hattery capacity) to comply with the rule. (See item 8 of this analysis for additional discussion.) Licensees will be required to have procedures and training to cope with and recover from a station blackout. (3) Dotential change in the risk to the public from the accidental offsite j release of radioactive material l i Implementation of the station blackout rule will result in an, estimated l total risk reduction to the public ranging t' rom 65,000 to 215,000 person- , rems with a best estimate of about 145,000 person-rems. ! (4) Potentfaj_impactonradiologicalexposureoffacilityemployees I NUREG-1109 4 Appendix A O_
For' 100 operating reactors, the estimated total..reduct' ion in occupational exposure resulting from reduced core damage frequencies and associated post-accident cleanup and repair activities is 1,500 person-rems. No in-crease in occupational exposure is expected from operation and maintenance activities associated with the rule. Equipment additions and modifications contemplated do not require work in and around the reactor coolant system and therefore are not expected to result in significant radiation exposure. (5) Installation and continuing costs associated with the backfit, including the cost of f aci'i+ , t:.c .tt :: or the cost vi cum > Lruc c ion deiay For 100 operating reactors, the total estimated cost associated with the station blackout rule ranges from $42 to $94 million with a best estimate of $60 million. This estimate breaks down as follows: Estimated Estimated total cost number of (million dollars) Activity reactors Best est. High est. Low est. Assess plant's capability to 100 25 40 20 cope with station blackout Develop procedures and 100 10 15 5 training Improve diesel generator 10 2.5 4 1. 5 reliability Requalify diesel generator 2 5.5 11 2.5 Install hardware to increase 27 17 24 13 plant's capability to cope with station blackout Totals 60 94 42 (6) The ootential safety imoact of changes in plant or coerational complexity, including the relationship to orocosed and existing regulatory recuirements The rule requiring plants to be able to cope with a station-blackout should l not add to plant or operational complexity. The station blackout rule is closely' relateq to several NRC generic programs and proposed and existing regulatory requirements as the following discussion indicates. Generic Issue B-56, Diesel Generator Reli&bility The resolution of USI A-44 includes a regulatory guide on station blackout that specifies the following guidance on diesel generator reliability (Regulatory Guide 1.155, Sections C.1.1 and 2): The reliable operation of the onsite emergency ac power sources should be ensured by a reliability program designed to monitor ! and maintain the reliability of each power source over time at a !
.specified acceptable level and to improve the reliability if ' '
4 . NUREG-1109 , 5 Appendix A 1-l -
}
that level is not achieved. The reliability progra] should in-clude surveillance testing, target values for maximum failure rate, and a maintenance program. Surveillance testing should monitor performance so that if the actual failure rate exceeds the target level, corrective actions can be taken. The maximum emergency diesel generator failure rate for eah die-sel generator should be maintained at 0.05 failure per demand. However,'for plants having an emergency ac power system [config-uration requiring two-out-of-three diesel generatnes or Sving a total of two diesel generators shared between two units at a site), the emergency diesel generator failure rate for each die-sel generator should be maintained at 0.025 failure per demand or less. The resolution of B-56 will provide specific guidance for use by the staff or industry to review the adequacy of diesel generator reliability programs consistent with the resolution of USI A-44. s Generic Issue. B-23, Reactor Coolant Pump Seal Failures Reactor coolant pump (RCP) seal integrity is necessary for maintaining primary system inventory during station blackout conditions. The esti-mates of core damage frequency for station black'out events for USI A-44 assumed the.t RCP seals would leak at a rate of 20 gallons per minute.
.Results of analyses performed for Generic Issue B-23 will provide the information necessary to determine RCP seal behavior during a station blackout. Should this analysis conclude that there is a high probability that the RCP seals would not leak excessively during a station blackout, then no modifications would be require'd. If there is a significant pro-bability'that RCP seals can leak at rates substantially higher than 20 gallons per minute, then modifications such as an ac-independent RCP seal cooling system may be necessary to resolve Generic Issue B-23. Any proposed backfit resulting from the resolution of Generic Issue B-23 would need to comply with the backfit rule.
USI A-45,. Shutdown Decay Heat Removal Requirements The overall objective of USI A-45 is to evaluate.the adequacy of current licensing design requirements to ensure that the nuclear. power plants do not pose an unacceptable risk as a result of failure to remove shutdown decay heat. The study includes an assessment of alternative means of shut-down decay heat removal and of diverse "dedicated" systems for this purpose. Results will include proposed recommendations regarding the desirability of, and possible design requirements for', improvements in existir)g systems or'an alternative dedicated decay heat removal method. The USI A-44 concern for maintaining adequate core cooling under station blackout conditions can be considered a subset of the overall.USI A-45 issue. However, there are significant differences in scope between these two issues. USI A-44 deals with the probability of loss of ac p'ower, the capability to remove decay heat using systems that do not require ac power, and the ability to restore ac, power in a tilnely manner. USI A-45 NUREG-1109 6 Appendix A
deals with the overall reliability of th'e decay heat removal function in-terms.of response to transients, small break loss-of-coolant accidents, - and special emergencies such as fires, floods, seismic events, and sabotage. Although the recommendations that might result from the resolution of USI A-45 are not yet final, some could affect the station blackout capability, while others would not. Recommendations that involve a new or improved decay heat removal system that is ac power dependent but that does not includ. ; o uwn dedicar.eo ac power supply would have no effect on USI A-44. Recommendations that involve an additional ac-independent ! decay heat removal system would have a very modest effect on USI A-44. l Recommendations that involve an adriitional decay heat removal systen with its own ac power supply would have a significant effect on USI A-44 Such a new additional system would receive the appropriate credit within 1 the USI A-44 resolution by either changing the. emergency ac power config- l uration group or providing the ability to cope with a station blackout for an extended period of time. , Well before plant' modifications, if any, will be implemented to comply with the station blackout rule, it is anticipated that the proposed technical resolution of USI A-45 will be published for public comment. Those plants needing hardware modifications for station blackout could be re-evaluated before any actual modifications are made so that any contemplated design changes resulting from the resolution of USI A-45 can be considered at the same time. l Generic Issue A-30, Adequacy .of Safety-Rela.ted DC Power Supply The . analysis performed for USI A-44 assumed that a high level of de power ' system reliability would be maintained so that (1) de power system failures j would not be a significant contributor to losses of all ac power and j (2) should a station blackout occur, the probability of immediate de pov er system failure would be low. Whereas Generic Issue A-30 focuses on enhanc-ing battery reliability, the resolution of USI A-44 is aimed at en.suring adequate station battery capacity in the event of a station blackout of a specified duration. Therefore, these two issues are consistent and compatible. Fire Protection Program 10 CFR 50.48 states that each operating nuclear power plant shall have a fire protection plan that satisfies GDC 3. The fire protection features required to satisfy GDC 3 are specified in Appendix R to 10 CFR 50. They include certain provisions regarding alternative and dedicated shutdown capability. To meet these provisions, some licensees have added, or plan to add, improved capability to restore power from offsite sources or onsite diesels for the shutdown system. A few plants have installed a safe shut-down facility for fire protection that includes a charging pump powered by
.its own independent ac power source. In the event of a station blackout, this system can provide makeup capability to the primary cool' ant system as well as reactor coolant pump seal cooling. This could be a significant benefit in terms of enhancing the ability of a plant to cope with a station blackout. Plants that have added equipment to achieve al. ternate safe shutdown in order to meet Appendix R requirements could take credit for that equipment, if available, for coping with a station blackout event.
4 ' NUREG-1109 7 Appendix A
-o -_ - -
/7) The esticated resource 'urden b on the NRC associated w'ith the backfit and the availability of such resources The estimated total cost for NRC review of industry submittals required by the station blackout rule is $1.5 million based on submittals for 100 reactors and an estimated average of 175 person-hours per reactor. .
(8) The potential imoact of differences in facility type, design, or age on the relevancy and practicality of the backfit The station blackout rule applies to all pressurized water reactors and boiling water reactors. However, in determining an acceptable station blackout coping capability for each plant, differences in plant charac-teristics relating to ac power reliability (e.g., number of emergency diesel generators, the reliability of the offsite and onsite emergency ac power systems) could result in different acceptable coping capabilities. For example, plants with an already low risk from station blackout because of multiple, highly reliable ac power sources are required to withstand a station blackout for a. relatively short period of time, and few, if any, hardware backfits would be required as a result of the rule. Plants with currently higher risk from station blackout are required to withstand somewhat longer duration blackouts, and, depending on their existing capability, may need some modifications to achieve the longer station blackout capabilit,v. (9) Whether the backfit is interim or final and, if interim, the justification for imposing the backfit on an interim basis - The station blackout rule is the final resolution of USI A-44; it is not an interim measure. e i NUREG-1109 8 Appendix A
- e. ..
APPENDIX B WORKSHEETS FOR . COST ESTIMATES NUREG-1109 Appendix B
't APPENDIX B WORKSHEETS FOR COST ESTIMATES Section 4.1'of this report provides a summary of the estimated costs to industry and NRC associated with the resolution of.USI A-44. This appendix provides supplementary information to support these cost estimates. The estimates in the following worksheets are based on information from the following references: EG&G (1983), Science and Engineering Associates (1986), NRC (1986), and NUREG/ CR-3568, -3840, -4568, -4627, and -4942. The utility personnel cost used in these estimates is $100,000 per person year, including overhead and general and administrative expenses. References , EG&G, "Cost Analysis for Enhancement of DC Systems Reliability and Adequacy of Safety-Related DC Power Systems," EG&G Report RE&ET-6151, January 1983. Science and Engineering Associates, Inc., "Response to Industry Comments on Station Blackout Cost Estimates (NUREG/CR-3840)," letter report to NRC, November 12, 1986. - U.S. Nuclear Regulatory Commission, "Regulatory Analysis Guidelines," NRR Office Letter No. 16, Revision 3, May 13, 1986.
-- , NUREG/CR-3568, "A Handbook for Value-Impact Assessment," December 1983.
-- , NUREG/CR-3840, "Cost Analysis for Potential Modifications To Enhance the Ability of a Nuclear Power Plant To Endure Station Blackout," July 1984.
-- , NUREG/CR-4568, "A Handbook for Quick Cost Estimates," April 1986.
-- , NUREG/CR-4627, "Generic Cost Estimates," June 1986.
-- , NUREG/CR-4942, "Equipment Operability During Station Blackout Events,"
SAND 87-0750, Sandia National Laboratory, to be published. NUREG-1109 1
, Appendix B 4_
Worksheet'l Estieated cost to assess plant's capability'to cope. l With station blackout (SBO) Y Estimated resources Activity Person-months DoTlars Determine system capabilities (e.g. , 12 - batteries, instrument air, condensate storage tank, reactor coolant pump seals) Evaluat'e equipment operability Determine equipment / components 2 - necessary during SB0 Oetermine heat loads for : 6 - rooms / compartments Calculate environmental conditions 4 - during 580 Compare equipment design / operational 2 - - l
~
capability with predicted environ-mental conditions , Quality assurance 4 - Total 30 $250,000 o l 1
. i
\
NUREG-1109 2 Appendix B 9
Worksheet 2 Estimated cost to develop procedures an'd training for station blackout' Estimated resources Activity Person-months Vo'llars Develop procedures (includes writing, 3 $25,000 review, and approval) Training Initial training 3 $25,000 Annual update training 0.5/yr $5,000/yr Total training costs are calculated by the following equation which sums the initial training costs and the p/esent value of the annual training costs over the remaining plant lifetime. L (1 + D) -1 = $70,000 CTL = CIT + C AT
. .,0 (1 + D,') ,
where CTL = total training. costs CIT = initial training costs CAT = annual training costs . 0 = discount rate (10%) L = remaining plant lifetime (25 years) Therefore, adding the cost to develop procedures, the total cost for procedures and training is estimated to be $100,000. l l
. < i 4
NUREG-1109 3 Appendix B ,
se f Worksheet 0 Estimated , cost to improva diesel generaton
. reliability i i
Activity Estimated cost Reliability investigation $100,000 Equipment modifications $150,000
$250,000 l
Worksheet 4 Estimated cost to requalify a diesel generator Assuming that a plant would shut down for 5 days to requalify a diesel : generator, the replacement energy, cost (C R
) is the dominant cost associated j with this activity. CR can be calculated using the following equation: i l
CR=ExPxR : l where E = net electrical output (kWe) P = shutdown period (hours) i
. R = replacement energy cost ($/kWh)
The table below presents the data used to calculate the best, high,'and low estimates to requalify a diesel generator. 4 Value Paramater Best High low Net plant electrical outpost (kWe) 900,000 1,150,000 500,000 Shutdown period (hours) 120 120 120 Replacement ene,rgy cost ($/kWe)*. 0.026 0.040 , 0.020 Total cost (million dollars) 2.8 5.5 1. 2
- Costs from NUREG/CR-4568.
1 NUREG-1109 4 Appendix B l
1-15-88 [ ENCL OsWRE' D January 19D@ REGULATORY GUIDE 1.155 . STATION BLACKOUT (TASK SI 501-4) A. INTRODUCTION, , Criterion 17, "Electric Power Systems," of Appendix'A, "General Design Criteria for Nuclear Power Plants," to 10 CFR Part 50, "Domestic Licensing of Procuction and Utili:ation Facilfties," includes a requirement that an onsite electric power system and an offsite electric power system be provided to per-mit functioning of structures, systems, and components important to safety. The Commission has amended its. regulations in 10 CFR Part 50. Paragraph
~~
(a)',' "Requirements," of S 50.63, "Loss of All Alternating Current Power," requires that each light-water-cooled nuclear power plant be able to withstand and recover from a station blackout (i.e., loss of the offsite electric power system concurrent with reactor _ trip and unavailability of the onsite emergency ac electric power system) of a specified duration. Section 50.63 requires that, for the station blackout duration, the plant be capable of maintaining core cooling and appropriate containment integrity. It also identifies the. factors that must be considered in specifying the station blackout duration. Criterion 1, "Quality Standards and Records," of Appendix A to 10 CFR Part'50 includes a requirement for a quality Assurance program to provide - adequate assurance that structures, systems, and components important to safety will perform their safety functions. Criterion 18, "Inspection and Testing of Electric Power Systems," of Appendix A to 10 CFR Part 50 includes a requirement for appropriati periodic testing and inspection of electric power systems important to safety. 1 e a
The Advisory Committee on Reactor Safeguards has been consulted concerning this guide and has concurred in the regulatory position. This guide describes a method acceptable to the NRC staff for complying with the Commission regulation that requires nuclear power plants to be capable of coping with a station blackout for a specified duration. This guide applies to a n 11gnt-water-cooled nuclear power plants. Any information collection activities related to this regulatory guide are contained as requirements in the revision o,f 10 CFR Part 50 that provides the. regulatory basis for this guide. The information collection requirements in Part 50 have been cleared under the Office of Management and Budget Clear-ance No. 3150-0011. B. DISCUSSION The term "station blackout" . refers to the complete loss of alternating current electric power _to 'the essential and nonessential switchgear buses in a nuclear power plant. Stati.on blackout therefore involves the loss of off-site power concurrent with turbine trip and failure of the ensite emergency ac power system, but not the loss of available ac power to buses fed by station batteries through inverters or the loss of power from "alternate ac sources."
~
Station olackout and alternate ac source are defined in S 50.2. Because many safety systems recuired for reactor core decay heat removal and containment heat removal are dependent on at power, the consequences of station blackout ! could be severe. In the event of a station blackout, the capability to cool the reactor core would be dependent on the availability of systems that do not require ac power from the essential and nonessential switchgear buses and on the ability to restore ac power in a timely manner. The concern about station blackout, arose because of the accumulated experience regarding the reliability of ac power supplies. Many operating plants have experienced a total loss of offsite electric power, and more occurrences are expected in the future. In almost every one of these loss-of-offsite power events, the onsite emergency ac power supplies have been available immediately to supply the power needed by vital safety equipment. I However, in some instances, one of the redundant emergency ac power supplies has been unavailable. In a few cases there has been a complete loss of ac l power, but during these events, ac power was restored in a short time without
. 2 l 1
_-r* , . . _ , , _ _ _ _ . . . _ _ - . - . - . _ . . .-,--
any. serious consequences. In addition, there have been numerous instances when emergency diesel generators have failed to start and run in response to tests conducted at operating plants. l The results of the Reactor Safety Study (Ref. 1) showed'that, for one of the two plants evaluated, a station blackout event enuld be an important con-tributor to the total risk from nuclear power plant accidents. Although this total risk was found to be small, the relative imp'ortance of station blackout events was established. This finding and the accumulated diesel generator failure experience increased the concern about station blackout. In a Commission proceeoing addressing station blackout, it was determined that the issue should be analyzed to identify preventive or mitigative measures that can or should be taken. (See Florida Power & Light Company (St Lucie Nuclear Power Plant, Unit No. 2) ALAB-603, 12 NRC 30 (1980); modified CLI-81-12, 13 NRC 838 (1981).) Th'e issue of station blackout involves the likelihood and duration of the loss of offsite power, the redundancy and reliability of onsite emergency ac power systems, and the potential for severe accident sequences after a loss of all ac power. References 2 through 7 provide detailed analyses of these topics. Based on risk studies performed to date, the results indicate that estimated core melt frecuencies from station blackout vary considerably for different plants and could be a significant risk contributor for some plants. In order to reduce this risk, action should be taken to resolve the safety concern stemming from station blackout. The issue is of concern for both PWRs and BWRs. This guide primarily addresses the following three areas: (1) maintain-ing highly reliable ac electric power systems, (2) developing procedures and f and onsite emergency ac power should either one or training to restore of' site both become unavailable, and (3) ensuring that plants can cope with a station blackout for some period of time based on the probability of occurrence of a station blackout' at a site as well as the capability for restoring ac power in , a timely fashion for that site. 3 ,
l I
. One factor that affects ac power system reliability is the vulnerability-to common cause failures associated with design, operational, and environ-mental factors. Existing standards and regulatory guides include specific j design criteria and guidance on the independence of preferred (offsite) power circuits (see General Design Criterion 17, "Electric Power Systems," and Sec-tion 5.1.3 of o ference a 8) and the independence of and limitina interactions between diesel generator units at a nuclear station (see General Design Criterion 17, Regulatory Guide 1.6, "Independence Between Redundant Standby l 1
(Onsite) Power Sources and Between Their Distribution Systems," Regulatory i Guide 1.75, "Physical Independence of Electric Systems," and Reference 9). In -
]
developing the recommendations in this guide, the staff has assumed that, by adhering to such standards, licensees have minimized, to the extent practical, j single point vulnerabilities in design and operation that could result in a loss of all offsite power or all onsite emergency ac power. Onsite emergency ac power system unavailability can b,e affected by outages resulting from te:, ting and maintenance. Typically, this unavailabil-ity is about 0.007 (Reference 5), which is small compared to.the minimum em.er-gency diesel generator reliability specified in Regulatory Position 1.1 of l this regulatory guide (i.e., 0.95 or 0.975 reliability per demand). However, in some cases outages due to maintenance can be a significant contributor to emergency dies =1 generator unavailability. This contribution can be kept low l by having high quality test and maintenance procedures and by scheduling regu- j lar diesel generator maintenance at times when the reactor is shut down. Also, limiting ccccitions for operation in the technical specifications are designed to limit the diesel generator unavailability when the plant.is operat-ing. As long as the unavailability due to testing and maintenance is not excessive, the maximum emergency diesel generator failure rates for each diesel generator specified in Regulatory Position 1.1 would result in acceptable over-all reliability for the emergency ac power system. Based on S 50.63, all licensees and applicants are required to assess the capability of their plants _to maintain adequate core cooling and appropriate contai'nment integrity during a station blackout and to have procedures to cope with such an event. This guide presents a method acceptable to the NRC staff for determining the specified duration for which a plant should be able to 4
w'ithstand a station blackout'in accordance with these requirements. The appli-cation of this method results in selecting a minimum acceptable station black-out duration capability from 2 to 16 hours, depending on a comparison of the plant's characteristics with those factors that have been identified as signi-ficantly affecting the risk from station blackout. These factors include redundancy of the onsite emergency ac power system (i.e., the number of diesel generators available for decay heat removal minus the number needed for decay heat remova's), the reliability of onsite emergency ac power sources (e.g., diesel generators), the frequency of los's of offsite power, and the probable time to restore offsite power. Licensees may propose durations different from those specified in this guide. The basis for alternative durations would be predicated on plant- i specific factors relating to the reliability of ac power systems such as those ! discussed in Reference 2. :
-The information submitted to. comply with S 50.63 is also required to be j incorporated in an update to the FSAR in accordance with paragraph 50.71(e)(4).
It is expected that the applicant or licensee will have available for review, as required, the analyses and related information supporting the submittal. Concurrent with the development of this regulatory guide, and consistent with discussions with the NRC staff, the Nuclear Management and Resource Council (NUMARC) has developed guidelines and procedures for assessing station l blackout coping capability and duration for light water reactors (NUMARC-8700, Ref. 10). The NRC staff has reviewed these guidelines and analysis methods and concludes that NUMARC-8700 provides guidance for conformance to S 50.63 that is in large part identical to the guidance provided in this regulatory guide. Table 1 of this regulatory guide provides a section-by-section com-parison between Regulatory Guide 1.155 and NUMARC-8700. 'The use of NUMARC-8700 is further discussed in Section C, Regulatory Position, of this guide. C. REGULATORY POSITION This regulatory guide describes a means acceptable to the NRC staff for meeting the requirements of 5 50.63'of 10 CFR Part 50. NUMARC-8700 (Ref. 10) 5 T - -
also provides guidance acceptable to the staff for meeting these requirements. Table 1 provides a cross-reference to NUMARC-8700 and notes where the regulatory guide takes precedence.
- 1. ONSITE EMERGENCY AC POWER SOURCES (EMERGENCY DIESEL GENERATORS) 1.1 Emergency Diesel Generator Target Reliability _ Levels The minimum emergency diesel generator (EDG) reliability should be targeted at 0.95 per demand for each EDG for plants in emergency ac (EAC)
Groups A, B, and C and at 0.975 per demand for each EDG for plants in EAC Group C (see Table 2). These reliability levels will be considered minimum target reliabilities and each plant snould have an EDG reliability program containing the principal elements, or their equivalent, outlined in Regula-tory Position 1.2. Plants that select a target EDG reliability of 0.975 will use the higher level as the target in their EDG reliability programs. The EDG reliability for determining the coping duration for a station blackout will be determined as follows: ,
- 1. Calculate the most recent EDG reliability for each EDG based on the last 20, 50, and 100 demands using definitions and method-ology ir. Section 2 of NSAC-108, "Reliability of Emergency Diesel Generators at U.S. Nuclear Pcwer Plants" (Ref. 11), or equivalent.*
- 2. Calculate the nuclear unit "average" EDG reliability for the last 20, 50, and 100 demands by averaging the results from' step 1 above.
"This EDG reliability is not suitable for probabilistic risk analyses for design basis accidents because of the differing EDG start-reliability requirement that would be applicable for such probabilistic risk analyses. . 6
3'; Compare tha calculated'"average"~ nuclear unit EDG reliability from step 2 above against the fol. lowing criteria: Last 20 demands > 0.90 reliability
, Last 50 demands > 0.94 reliability Last 100 demands > 0.95 reliability 4 If the EAC group is A, B, or C AND any of the three evaluation criteria in step 3 are met, the nuclear unit may select an EDG reliability target of either 0.95 on 0.975 for determining the applicable coping duration from Table 2.
If the EAC group is 0 and any of the three evaluation criteria in step 3 are met, the allowed EDG reliability target is 0.975.
- 5. If the EAC group is A, B, or C and NONE of the selection criteria
. in step 3 are met, an EDG reliability level of 0.95 must be used for determining the applicable coping duration from Table 2. Addi-tionally, if the "averaged" nuclear unit EDG reliability is less .
than 0.90 based on the last 20 demands, the acceptability of a cop-ing dura ion based on an EDG reliability of 0.95 from Table 2 must be further justified.
\
If the EAC group is 0 and NONE of the three evaluation criteria in l step 3'are met, the required coping duration (derived by using Table 2) should be increased to the next highest coping level (i.e., 4 hours to 8 hours, 8 hours to 16 hours). 1.2 Reliability Procram The reliable operation.of onsite emergency ac power sources should be .l ensured by a reliability program designed to maintain and monitor the reliabil-ity level of each power source over time for assurance that the selected reli-ability levels are being achieved. An EDG reliability program would typically be composed of the following elements or activities (or their equivalent): 7 e
Individual EDG reliability target levels consistent with the pl. ant'
~
1. category and coping duration selected from Table 2. -
- 2. Surveillance testing and reliability monitoring programs designed to track EDG performance and to support maintenance activities.
- 3. A maintenance program that ensures that the target EOG reliability is being achieved and that provides a capability for failure anal-ysis and root-cause investigations.
- 4. An information and data collection system that services the elements of the reliability program and that monitors achieved EDG reliabil-ity levels against target values.
- 5. Identified responsibilities for the major program elements and a management oversight program for reviewing reliability levels being achieved and _ ensuring that the program is functioning properly.
1.3 Procedures for Restoring Emergency AC Power Guidelines and procedures for actions to restore emergency ac power when the emergency at power system is unavailable should be integrated with plant-specific technical guidelines and emergency operating procedures developeo using the emergency operating procedure upgrade program established in response to Supplement 1, "Requirements for Emergency Response Capability" (Generic Letter No. 82-33),1 to NUREG-0737, "Clarification of TMI Action Plan Require-ments" (Ref. 12). . IMocifications or additions to generic technical guidelines that are necessary to deal with a station blackout for the specific plant design should be identi-fied as deviations in the plant-specific technical guidelines as required by Supplement 1 to NUREG-0737 (Ref. 12) and outlined in NUREG-0899, "Guidelines for the Preparation of Emergency Operating Procedures" (Ref.-13), i 8
- 2. OFFSITE POWER Procedures should include the actions necessary to restore offsite power and use nearby power sources 2 when offsite power is unavailable. As a minimum, the following potential causes for loss of offsite power should be considered:
- Grid undervoltage and collapse
- Weather-induced power loss
- Preferred power distribution system faults 3 that could result in the loss of normal power to essential switchgear buses
- 3. ABILITY TO COPE WITH A STATION BLACK 0UT The ability to cope with a station blackout for a certain time provides additional defense-in-depth should both offsite and onsite emergency ac power systems fail concurrently. Regulatory Position 3.1 provides a method to determine an acceptable minimum time that a plant should be able to cope with a station blackout based on the probability of a station blackout at the site as well as the capability for restoring ac power for that site. Eacn nuclear power plant has the capability to remove decay heat and maintain appropriate containment integrity without ac power for a limited period of time. Regulatory Position 3.2 provices guidance for determining the length of time that a plant is actually able to cope with a station blackout. If the plant's actual station blackout capability is significantly less than the acceptable minimum
- duration, modifications may be necessary to extend the plant's ability to cope with a station blackout. Should plant modifications be necessary, Regulatory Position 3.3 provides guidance on making such modifications. Whether or not modifications are necessary, procedures and training for station blackout .
events should be provided according to the guidance in Regulatory-Position 3.4. 2This includes such items as nearby or onsite gas turbine generators, portable generators, hydro generators, and black-start fossil power plants. 3Includet, such failures as the distribution system hardware, switching and maintenance errors, and lightning-induced faults. l 9
r -~ - - -- 3.1 Minimum Acceptable Statio'n Blackout Duration Capability Each nuclear power plant should be able to withstand and recover from a station blackout lasting a specified minimum duration. The specified du-ation of statian olackout should be based on the following factors:
- 1. The redundancy of the onsite' emergency ac power system (i.e., the number of power sources.available minus the number needed for decay heat removal),
- 2. The reliability of each of the onsite emergency ac power sources (e.g., diesel generator), {
l
- 3. The expected frequency of loss of offsite power, and l l
- 4. The probable time needed to restore offsite power.
1 A method for determining an acceptable minimum station blackout duration c'apability as a function of the above site- and plant related characteris. tics is given in Table 2. Tables 3 through 8 provide the necessary detailed des-criptions and definitions of the various factors used in Table 2. Table 3 identifies cifferent levels of redundancy of the onsite emergency ac power '
' system used to define the emergency ac power configuration groups in Table 2.
Table 4 provides definitions of the three offsite power design characteristic groups useo in Table 2. The groups are defined according to various c'ombina-tions of tne following factors: (1) independence of offsite power (I), (2) severe weather (SW), (3) severe weather recovery (SWR), and (4) extremely severe weather (ESW). The definitions of the factors I, SW, SWR, and ESW are provided in Tables 5 through 8, respectively. After identifying the appro-priate groups from Tables 3 and 4 and the reliabilit'y level of the onsite emer-gency ac power sources (determined in accordance with Regulatory Position 1.1), Table 2.can be used to determine the acceptable minimum station blackout dura-tion capability for each plant. 10 ,
3.2 Evaluation of Plant-Soecific Station Blackout Caoability Each nuclear power plant should be evaluated to determine its capability to withstand and recover from a station blackout of the acceptable duration determined for that plant (see Regulatory Position 3.1). The following con-siderations should be included when determining the plant's capability to cope with a station blackout. 3.2.1. The evaluation should be performed assuming that the station blackout event occurs while the reacter is operating at 100% rated thermal power and has been at this power level for at least 100 days. 3.2.2. The capability of all systems and components necessary to provide core cooling and decay heat removal following a station blackout should be determined, including station battery capacity, condensate storage tank capac-ity, compressed air capacity, and instrumentation and control requirements. 3.2.3. The ability to maintain adequate reactor coolant system inventory to ensure that the core is cooled should,be' evaluated, taking into centidera-tion shrinkage, leakage from pump seals, and invc icory . loss from letdown or other normally open lines dependent on ac power for isolation. 3.2.4. The design adequacy and capability of equipment needed to cope with a station blackout for the required curation and recovery period should be addressed and evaluated as appropriate for the associated environmental conditions. This should include consideration as appropriate of the following:
- 1. Potential failures of equipment necessary to cope with the station blackout,
- 2. Potential environmental effects on the operability and reliability of equipment necessary to cope with the station blackout, including possible effects of fire protection systems,
- 3. Potential effects of other hazards, such as weather, on station blackout response equipment (e.g., auxiliary equipment to operate onsite buses or to recover EDGs and other equipment as needed),
11 4
- 4. Potential' habitability concerns for those areas that would require operator access.during the station b)ackout and recovery period.
Evaluations that have already been performed need not be' duplicated. For example, if safety-related equipment required during a total loss of ac power has been qualified to operate under environmental conditions exceeding those expected under a station blackout (e.g. , losc of heating, ventilation, and air conditioning), additional analyses need not be performed. Equipment will be considereo acceptable for station blackout temperature environments if an assessment bas been performed that provides reasonable assurance u.* the , reouired equipmeht will remain operable. - l 3.2.5. Consideration should be given to using available non-safety-related equipment as well as safety-related equipment, to cope with a station blackout provided such equipment meets the recommendations of Regulatory Posi- l tions 3.3.3 and 3.3.4. Onsite or nearby alternate ac (AAC) power sources that are independent and diverse from the normal Class 1E emergency ac power sources ( (e.g., gas turbine, separate diesel engine, steam supplies) will constitute an j acceptable station blackout coping capability provided an analysis is performed l
; that demonstrates the plant has this capability from the onset of station black- l out until the AAC power source or sources are started and lined up to operate }
l all equipment necessary to c' ope with station islackout for the required duration. In general, equipment required to copo with a station blackout during the first 3 hours should be available on the site. For equipment not located on j the site, consideration should be given to its availability and 3ccessibility f in tne time required, including consideration of weather conditions likely to i
; prevail during a loss of offsite power. [
~
If the AAC source or sources meet the recommendations of Section 3.3.5 i 1 and can be demonstrated by test to be available to power the snutdown busses within 10 minutes of the onset of station blackout, no coping analysis is j required. l l 3.2.6. Consideration should be given to timely operator actions inside { I or outside the control room that would increuse the length of time that the i .. I i 12 : i , ,
. . _ . - - , - , - -, - ,-~ ,- .. :,
- plant can cope with a station blackout provided'it can be demonstrated that these actions can be carried out in a timely fashion. For example, if station battery capacity is a limiting factor in coping with a' station blackout, shed-
- ding non essential loads on the batteries could extend the time until the battery is depleted. If load shedding or other operator actions are consid-ered, corresponding procedures should be incorporated into the plant-specific technical guidelines and emergency operating procedures.
3.2.7. The ability to maintain "appropriate containment integrity" should be addressed. "Appropriate containment integrity" for station blackout means that adequate containment integrity is ensured by providing the capability, independent of the pre'ferred and blacked-out unit's onsite emergency 'ac power suoplies, for valve position indication and closure for containment isolation valves that may be in the open position at the onset of a station blackout. The following valves are excluded from consideration: 2
- 1. Valves normally locked closed during operation
- 2. Vilves that fail closec on a loss of power
- 3. Check valves
- 4. Valves in nonradioactive closed-loop systems not expected to be breached in a station blackout (this does not include lines that communicate directly with containment atmosphere) and f t
- 5. Valves of less than 3" nominal diameter. l 3.3 Modifications To Code with Station Blackout i
If the plant's station blackout capability, as determined according to l the guidance in Regulatory Position 3.2, is significantly less than the minimum l acceptable plant-specific station blackout duration (as developed according to Regulatory Position 3.1 or as justified by the licensee or applicant on some , other basis and accepted by the staff), modifications to the plant may be necessary to extend the time the plant is able to cope with a station blackout. If modifications ar's needed, the following items shoul'd be considered: l3
~
3.3.1. If, after considering load shedding to extend the time until-battery depletion, battery capacity must be extended further to meet the station blackout duration recommended in Regulatory Position 3.1, it is consic-ered acceptable either to add batter *es or to add a charging system for the existing batteries that is independent of both the offsite and the blacked-out
'init's onsite emergency ac power systems, such as a riedicated diesel generator.
3.3.2. If the capacity of the condensate storage tank is not sufficient to remove decay heat for the station blackout duration recommenced in Regula-tory Position 3.1, a system meeting th~e requirements of Regulatory Position 3.5 to resupply the tank from an alternative water source is an acceptable means to increase its capacity provided any power source necessary to provide additional
=ater is independent of both the of fsite ano the olacked-cut unit's onsite emergency ac power systems.
3.3.3. If the compressed air capacity is not sufficient to remove decay heat anc to maintain appropriate containment integrity for the station blackout > duration recommended in Regulatory Position 3.1, a system to provide sufficient capacity from an alternative so.urce that meets Regulatory Position 3.5 is an acceptable means to increase the air capacity prov'ided any power source neces-sary to provide additional air is independent of both the offsite and the blacke.a out unit's onsite emergency ac power systems. 3.3.4 If a system is required for primary coplant enarging ano maxeuo, reactor coolant pump seal cooling or injection, decay heat removal, or maintain-ing appropriate containment integrity specifically to meet the station blackoQt duration recommended in Regulatory Position 3.1, the following criteria should be met:
- 1. The system should be capable of be.ing actuated and controlled from the control room, or if other means of control are required, it should be demonstrated that these steps can be carried out in a timely fashion, and
- 2. If the system must operate within,10 minutes of a loss of all ac power, it should be capable of being actuated from the control room. *
. 14 '
- 3.3.5. If an AAC power source is selected specifically for satisfying the requirements for station blackout, the design should meet the following crit'eria:
- 1. The AAC power source should not normally be directly connected to the preferred or the blacked-out unit's onsite emergency ac power system.
- 2. There should be a minimum potential for common cause failure with the preferred or the blacked-out unit's onsite emergency ac power sources. No single point vulnerability should' exist whereby a weather-related event or single active failure could disable any portion of the blacked-out unit's onsite emergency ac power sources or the preferred power sources and simul-taneously fail the AAC power. source.
- 3. The AAC power source should be available in a timely manner after the onset of stati.on blackout and have provisions to be manually connected to one or all of the redundant safety buses as required. The time required for making'this eq~uipment avail-
- able should not be more th'an 1 hour as demonstrated by test. 6 If the AAC power source can be demonstrated by test to bi !
available to power the shutdown busses within 10 minutes of the onset of station blackout, no coping analysis is required. 4 The AAC power source should have sufficient capacity to operate the systems necessary for coping with a station blackout for ; the time required to bring and maintain the plant in safe f shutdown.
- l S. The AAC power system should be inspected, maintained, and tested periodically to demonstrate operability and reliability. The reliability of the AAC power system should meet or exceed 95 percent as determined in accordance with NSAC-108 (Ref. 11) or equivalent methodology.
An AAC power source serving a multiple-unit site where onsite emergency ac sc,urces are not shared'between units sfiould have, as a minimum, the capac-ity and capability for coping with station blackout in any of the units. 15 , 9 4 .
, 3 At sites where onsite emergency sources are shared betw:en units the AAC power sources should have the capacity and captbility to ensure that al1 units can;bebroughtto.andmaintainedinsafeshutdown(i.e,thoseplan.tconditions
' defined in plant technical specifications as Hot Standby or Hot Shutdown, as appropriate). Plants have the option of maintaining the RCS at normal operating temperatures or at reduced temperatures.
Plants that have more than the required redundancy of emergancy ac con ~ ae for loss-of-offsite power conditions, on a per nuclear unit basis, may use one of the existing emergency sources as an AAC power source provided it meets the applicable criteria for an AAC source. Additionally, emergency diesel generators with 1-out of-2-shared and 2-out-of-3-shared ac power configurations may not be used as AAC power sources. 3.3.6. If a system or component is added specifically to meet the recom-mencations on station blackout duration in Regulatory Position 3.1, system walk downs and initial tests of new or .Sodified systems or critical components should be performed to verify that the modifications were performed properly. Failures of indded components that may be vulnerable to internal or external hazards within the design basis (e.g., seismic events) should not affect the operation of systems required for the design basis accident. , 3.3.7. A system or component added specifically to meet the recommenda-tions on station blackout duration in Regulatory Position 3.1 should be inspected, maintained, and tested periodically to demonstrate equipment opera-bility and reliability. '
- 3. 4 Procedures and Trainino To Cooe with Station Blackout Procedures 4 and training should include all operator actions necessary to cope with a station blackout for at least the duration de.termined according to Regulatory Position 3.1 and to restore normal long-term core cooling / decay heat removal once ac power is restored.
4 Procedures snould be integrated wii.h plant-specific technical guidelines and emergency operating procedures developed using the emergency operating proce-dure upgrade program established in response to Supplement 1 of NUREG-0737 (Ref. 12). The task analysis' portion of the emergency operating proced'ure upgrade program should include an analysis of instrumentation adequacy during a station blackout.
. . 16
)
3.5 Quality Assurance and Soecification Guidance for Station Blackout Eouicment That Is Not Sa'fety-Related Appendices A and B provide guidance on qua;ity assurance (QA) activities and specifications respectively ' " non-safety-related equipment used to meet the requirements of S 50.63 and not already covered by existing QA requirements in Appendix B or R of Part 50. Appropriate activities should be implemented i from among those listed in these appendices depending on whether the non-safety equipment is being added (new) or is existing. This QA guidance is
~
applicable to non-safety systems and equipment for meeting the requirements of S 50.63 of 10 CFR Part 50. The guidance on QA and specifications incorporates t a lesser degree of stringency by eliminating requirements for involvement of parties outside the normal line organization. NRC insoections will focus on tne implementation and effectiveness of the quality controls described in Appen-dices A and B. Additionally, the equipment installed to meet the station , blackout rule must be implemented such that it does not degrade the existing safety-relatet systems. This is to be accomplished by making the non-safety-related equipment as independent as practicable.from existing safety-related i systems. The n6n safety systems identified in Appendix B are acceptable to the NRC staff for responding to a station blackout, , l 9 D. IMPLEMENTATION l 1 l The purpose of this section is to provide information to applicants and licensees regarding the NRC staff's plans for using this regulatory guide. Except in those cases in which the applicant or licensee proposes an accept- l able alternative method for complying with specified portions of the Commis-
. sion's regulations,, the method described in this guide may be used in the -
i evaluation of submittals by applicants for construction permits and operating licenses (as appropriate) and will be used to evaluate licensees who are reauired to comply with 6 50.63, "Loss of All Alternating Current Power," of 10 CFR Part 50. i e e 8 17
Table 1 Cross-Reference Between Regulatory Guide 1.155 and NUMARC-8700 Degulatory Position in R.G. 1.155 Section in NUMARC-8706 i 1.1 3.2.3, 3.2.4
- 1. 2 Appendix 0
- 1. 3 4.2.1, 4.3.1 2 4.2.2, 4.3.2 3.1 3 3.2.1 2.2.1, 2.2.2 3.2.2 2.9, 7.2.1, 7.2.2, 7.2.3 3.2.3 --
2.5 - 3.2.4 2.7, 4.2.1, 4.2.2, 7.2.4, Appendices E and F ! 3.2.5 7.1.1, 7.1.2, Appenoices 8 and C 3.2.6 4.2.1, 4.3.1, 7.2.1, 7.2.2, 7.2.3 j 3.2.7 2.10, 7.2.5 i 3.3.1 . 7.2.2 , 3.3.2 7.2.1 3.3.3 None (Use Regulatory Guice 1.155)
- 3.3.4 2.3.1, Appendices A, B, and C 3.3.5 None (Use Regulatory Guide 1.155) 3.3.6 4.2.1(12), 4.3.1(12), Appendices A and B
,3.4 {
4 3.5 None (Use Regulatory Guide 1.155) Appendix A None (Use Regulatory Guide 1.155) Appendix B None (Use Regulatory Guide 1.155) e ] 18 .
- A
l 4 Table 2 Acceptable Station Blackout Duration Capability (hours)8 D Emergency AC Power Configuration Group A B C D. Offsite Power Design . Characteristic Group d 0.975 0.95 0.975 0.95 0.975 0.95 0.975 P1 2 2 4 4 4 4 4 P2 4 4 4 4 4 8 8 P3 - 4 8 4 8 8 16 8
' Variations from these times will be considered by the staf f if justification, including a cost-benefit analysis, is provided by the licensee. The methodol-ogy and sensitivity studies presented in NUREG-1032 (Ref. 2) are acceptable for use in this' justification.
b see Table 3 to cetermine emergency ac power configuratien groto. - c See Regulatory Position 1.1.
! d See Table 4 to determine groups P1, P2, and P3.
i
. I
- a. l 1
0 l l I 19 -
Tabl Q a Emergency AC Power Configuration Groups EAC Power NumDer of EAC Numoer of EAC Power Sources b Configuration Power Sources RequiredToOpersteAC-Dwgred Group Decay Heat. Removal Systems d A 3 1 4 1 B 4 2 i 5 2 C d 2' 3 1 T 2 I 1 3 2 4 3 !
. 5 3 a
Special-purpose dedicated diesel generators, such as those associateo with high pressure core spray systems at some BWRs, are not counteo in the oetermination of EAC power configuration groups, b If any of the EAC power sources are shared among units at a multi unit site, this is the total numoer of shared and dedicated sources for those units et the . site, c This number is based on all the ac loads required to remove decay heat (including ac powered decay heat removal systems) to achieve and maintain safe shutdown at all units at the site with offsite power unavailable. - i d For EAC power s'ources not shared with other units, i
'For EAC power sources shared with another unit at a multi unit site. r I
For shared EAC power sources in which each diesel generator is capable of pro-viding ac power to t. ore than one unit at a site concurrently. l . 20
. ]
Table 4 Offsite Power Design Characteristic Groups Group Offsite Power Design Characteristics Sites that have any combination of the following factors: C C d I SE SWR ESW P1 1 or 2 1 or 2 1 or 2 1 or 2 1 or 2 1 1 or 2 3 1 or 2 3 1 1 or 2 P2 All other sites not in P1 or P3. l Sites that expect to experience a total loss of offsite power caused by grid failures at a frequency equal to or greater than once in 20 site years, unless the site has procedures to recover ac power from reliable alternative
. (nonemergency) ac power sources within approximately l one-half hour following a grid failure.
9.C Sites that have any combination of the following factors: l P3 I SW SWR ESW i Any I 5 2 Any ESW Any I 1,2,3, or 4 1 or 2 5 Any I 5, 1 Any ESW Any I 4 2 1, 2, 3, or 4 1 or 2 3 2 4 3 3 2 3 or 4 a See Table 5 for definitions of independence of 'offsite power groups (I). b See Table 6 for definitions of severe weather groups (SW). C See Table 7 for definitions o- severe weather recovery groups (SWR). d See Table 8 for definitions of extremely severe weather groups (ESW). I 21
Tabit 5 Dlfsnitnon-_ cf Iedetesdenco of Offsite Power f. oi ,5 l .__ l l Cctegory l I . 2 3
- 1. Independence of 4.f f site All offWe power sources are 1.4.
power sources , { l. connected to the plant throuqts - All of f s s te power sources are connected to the plant through one swit(hyard. two or more swatohyard> or separate erw oming t ransenssion or lines, t>ut at least one of the ac sources is electrically 1. b. All of f s s te power sources are coronected to the plant through two independent of (f.c others, or more swstcf. yards, and the switchyards are electrically connected. (Ihe irufependent 6'J-6V line (Ibe 345- and 138-kV switchyardt in *igures 2 and 3 represent in Inqure I is representative this design feature.) of this drssyn feature.) L ,
** ( ""'I **I t
- 2. Automatic and manual 2.a. After loss of the normal ac 2.a.
7 Af ter loss of the starmal 2.a. If the acroal source of ac transfer schemes for the source, ac power source, there is pc wer f ails, there are no Class It buses when the an an.tomatic trans f er of at.tomatic transfers and normal source of ac power (1) 1bere as an automatic all safe-shutdowts buses f alls and wirin the backup transfer of all safe-one or more manual transfers to one preferred alter- of all safe shutdown buses sources of of' site power shutdown buses to a pate power source. If to preferred or alternate N fall. separate preferred N this source fails, there offsite power sources.
- alternate power source, may be one or more manual
- a. The normal source of ac power is assumed < (2) Ibere is an automatic transf ers of power source or to be the unit main transfer of all safe- to the remaining pseferred generator. shutdowns 1,uses to one or alternate ofIsite power lhere is one automatic
- preferred power source. sources. tr. nsfer and no manual If this preferred power transfer of all safe-source fails, there is sin tdown buses to one another automatic transfer preferred or c,ne alternate to the r emainirw; pref erred power sources or to alter- ,
a nate of f s s te power source. or or
- b. If the Class IE buses 2.b. Each safe-shutduwn bus is 2. b. lhe safe-shutdown buses are are normally designed normally connected to a normally aligned to the same to be tor.nected to the separate preferred alter- preferred power source with preferred alternate nate power source with either an automatic or manual power sources. automatic or manual transfer to the remaintruj transfer capability preferre.1 alternate ac power between the preferred source.
alternate sources
. _ _ _ _ _ _ . . _ _ - _ __m____.______m__ _ _ _ _ _ _ _ . _ _ _ _ _ _ _
Table 6 Definitions of Severe Weather Groups (SW) Estimated frequency of loss of offsite power due SW Group severe weather, fa (per site year) 1 f < 0.0033 i 2 0.0033 s f < 0.010 l 3 0.010 i f < 0.033 4 0.033 1 f < 0.10 5 0.10 sf l
'The estimated frequency of loss of offsite power due to severe weather, f, is determined by the foll.owing equation:
f = (1.3 x 10 4)h t + (b)h2 + (0.012)h3 + (c)h 4 j where hi = annual expectation of snowfall for the site, in inches h2 = annual expectation of tornadoes (with wind speeds greater than j or equal to 113 miles per hour) per square mile at the site ! b = 12.5 for sites with transmission lines on two or more rights-of-way spreading out in cifferent directions from the switchyard, or b = 72.3 for sites with transmission lines on one right-of way h3 = annual expectation' of storms at the site with wind velocities between 75 and 124 mph 1 h4 = annual expectation of hurricanes at the site - c = 0 if switchyard is rot vulnerable tn the effects of salt spray l c = 0.78 if switchyard is, s vulnerable to the effects of salt spray 6 The annual. expectation of snowf all, tt,;rnadoes, and storms may be obtained from National Weather Service data from the weather station nearest to the plant or by interpolation, if appropriate, between nearoy weather stations. The basis for the empirical equation for the frequency of loss of of fsite power due to' severe weather, f, is given in Appendix A to Reference 2. 23
. m_ ._.e _ _ . . . _ . . . _ ._ . _ . -
._ _ . . . _.r -. _
i
. :, l Table 7 f
Definitions of Severe Weather Recovery Groups (SWR) l i i : t
- SWR Group . Definition 1 Sites with enhanced recovery (i.e.. sites that have .
i t the capaDility and procedures for restoring offsite (nonemergency) ac power to the site within 2 hours following a loss of offsite pcwer due to severe weather). 1 'l
; 2 Sites without enhanced recovery.
1 8
- O i i
.i 4 I i l 1 1 t - ; 4 + 1 i i : 4 7 1 1 ) i j i' i
. r i
f l i [ k . ! 1
- l. .
1 .
^
I ~ 24 i , 1 I
a I
. . . o a .
Table 8 .
. i j
j Definitions of Extremely Severe Weather Groups (ESW) Annual expectation of storms at a site with wino , velocities equal to or greater than 125 miles ! ESW Group per hour-(e)* l 1 e < 3.3 x 10'4
~3 '
2 3.3 x 10'4 i e < 1 x 10 i i 3 3 , 3 1 x 10 i e < 3.3 x 10 l 4 3.3 x 10 ~3 1 e < 1 x 10 -2 , i l t ) .. 5 1.x 10-2 , , 7 l *The annual expectatic'n of storms may be obtained from National Weather , Service data from the weather station nearest to the plant, or by ' ' interpolation, if appropriate, between nearby weather stations, i t 4 f U i
\
l 1 < i t I I i l i 25 ! l _ I . - _ _ _ _ . _ _
g'. h h b h h -
,, gy isi kv 345 kV t
unws -
= .
.. I i u,w m M.v^ .
nm ee uw ^n?s"$;;',e a ev. uw : .? -- ----- A,N j GENERATOR if if 1r y AUTOM ATlc 9 NC NC TRANSF U NO NO CLASS 1E NONSAFETY CLASS 1E NONSAFETY l [, AUTOM ATIC TR ANSF ER $,f I i (, AUTOM ATIC TR ANSFER j Figure 1. Schematic diagram of electrically independent transmission line
. . . \
l e
- F43
l' *
- 6 h L h h t 6 & 6 g c e
'- - tu sv pg gy I .
WHA M NA MM WWA MM MM i t i f y u NONSAf TTY ho s'; we , acNsAFETY No c'. A 51 1 I Ct.A131 g CLA13it WAtN CLALS it DIY1510N 1 DivisiCN 2 GENtRATCR . DivisiCN 1 Otyt5tCN 2 i e
& 4 i i J
l !. _ _ fvIo."*.?iiT2'35Lt". _d------ L - - - - _^_uvew3Tg tn A,Nsgly , , ,, _. _ .) Figure 2. Schematic diagram of two switchyards electrically connected (ona unit site)
~P
et l l* k is it is is 6 3: j 230kV
. SOo kV l:
!+;
MM . l MM MM AW MM MM MM MMMM if if if If If CthERATOR 2 'I if 'f NC TO NC TO NCTO NC TO NC NC GENERATORI NC NC NONSA f (TY Sout SOME SOM E SOME NON$AFETY UNif 2 UNIT 2 UNIT 1 UNIT 1 UNIT 1 UNif 2 CLAS$ it CLA1511 CLASS 18 CLASS 1t SU$ts. BUSES. '8US E S. tusts. NO TO NO TO NOTO NOTO OTHE R$- QTHERS OTHERS OTHERS Figure 3. Schematic diagram of two switchyards electrically Connected (two-unit site) e 28
, REFERENCES
- 1. U.S. Nuclear Regulatory Commission, "Reactor Safety Study," WASH-1400, October 1975.1
- 2. U.S. Nuclear Regulatory Commission, "Evaluation of Station Blackout Acci-
< dents at Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-44," NUREG-1032, publication expected Novemoer 1987.1
- 3. A..M. Rubin, "Regulatory Analysis for the Resolution of Unresolved Safety Issue A-44, Station Blackout," U.S. Nuclear Regulatory Commission, NUREG-1109, publication expected November 1987.1 4 U.S. Nuclear Regulatory Commission, "Collection and Evaluation of Comolete and Partial Losses of Offsite Power at Nuclear Power Plants," NUREG/CR-3992 (ORNL/TM-9384), February 1985.1
- 5. U.S. Nuclear Regulatory Commission, "Reliability of Emergency AC Power System at Nuclear Power Plants," NUREG/CR-2989 (ORNL/TM-8545), July 1983.1 i 6. U.S. Nuclear Regulatory Commission, "Emergency Diesel Generator Operating i Experience, 1981-1983," NUREG/CR-4347 (ORNL/TM-9739), Decemoer 1985.1 ;
)
- 7. U.S. Nuclear Regulatory Commission, "Station Blackout Accicent Analyses (Part of NRC Task Action Plan A-44)," NUREG/CR-3226 (SAND 82-2150),
1 May 1983.1
.8. Institute of Electrical and Electronics Engineers, "IEEE Standard for l Preferred Power Supply for Nuclear Power Generating Stations," IEEE Std a 765-1983.2 l
i 'NRC puolications may be obtained from the Superintendent of Documents, U.S. j Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082;
- or from the National Technical Information Service, Springfield, VA 22161.
2 Copies may be obtained from the Institute of Electrical and Electronics Engineers Service Center, 445 Hoes Lane, P.O. Box 1331, Piscataway, NJ 08855.
~
29
-n .- .- . . - - .
- l. '
- 9. Institute of Electrical and Electronics Engineers, "IEEE Standard Criteria l for Diesel-Generator Units Applied as Standby Power Supplies for' Nuclear i I
Power Generating Stations," IEEE Std 387-1984.2 1 l i
- 10. Nuclear Management and Resources Council, "Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water ;
Reactors," NUMARC-8700, November 1987.J l l
- 11. Electric Power Research Institute, "Reliability of Emergency Diesel :
Generators at U.S. Nuclear Power Plants," NSAC-108, September 1986. 4 l l
- 12. U.S. Nuclear Regulatory Commission, "Clarification of THI Action Plan l Requirements: Requirements for Emergency Response Capability" (Generic Letter 82-33), Supplement 1 to NUREG-0737, January 1983.1
- 13. U.S. Nuclear Regulatory Commission, "Guidelines for the Preparation of Emergency Operating Procedures,"'NUREG-0899,' August 1982.1 1
l i
. i "Copies may De ootained from the Nuclear Management and Resources Council, , 1726 M Street NW., Washington, DC 20036.
4 Copies may be obtained f rom the Electric Power Researen Institute, Research ' Reports Center, P.O. Box 50490, Palo Alto, CA 94303. 30 i .
0 j . Appendix A - i i \ QUALITY ASSURANCE GUIDANCE FOR NON-SAFETY SYSTEMS AND EQUIPMENT. ; i The QA guidance provided here is applicable to non-safety systems and equipment used to meet the requirements of 5 50.63 and not already explicitly i l covered by existing QA requirements in 10 CFR Part 50 in Appendix B or R. Additionally,.non-safety equipment installed to meet the station blackout rule must be implemented so that i.t does not digrade the existing safety-related systems. This is accomplished by making the non-safety equipment as 4 independent as practicable from existing safety-related systems. The guidance provided in this section outlines an acceptable QA program for non-safety I equipment used for meeting the station blackout rule anc not alreaoy covered by existing QA requirements. Activities should be implemented from this section l as appropriate, depending on whether the equipment is being added (new) or is + i existing.
- 1. Design Control and Procurement Document Control 1
Measures should be established to e'nsure that all design-related guide- ; lines used in complying with 5 50.63 are included in design and procurement . q documents, and that deviations therefrom are controlled.
- 2. Instructiens. Procedures, and Drawines i
, i i Inspections, tests, administrative controls, and training necessary for , comoliance with 5 50.63 should be prescribed by occumented instructions, proce- l ] dures, and drawings and should be accomplished in accordance with these ; f' documents. + l t 'l 3. Control of Purchased Material; Equiement, and Services j l Measures should be established to ensure that purchased material, equic- l l ment, and services conform to the procurement documents. l l ! i 1 l j ; f i 31 '
-n----. ,,,- , ., ,,, .,, ,. , , _ , , . ,-___,-,_-,,---.nn.. . -, ,,w
1
- 4. Inspection .
g _A program for independent inspection of activities required to comply with 5 50.CJ should be established and executed by (or for) the organization performing the activity to verify conformance with documented installation drawings and test procedures for accomplishing the activisies. !
- 5. Testing and Test centrol i
, A test program should be established and implemented to ensure that test-ing is perform?d and verified by inspection and audit to demonstrate conform-once with design and system readiness requirements. The tests should be performed in accordance with written test procedures; test results should be l proDerly evaluated and acted on. l i
- 6. Inspection, Test, and Operating Status 4 <
Measures should be established to identify items that have satisfactorily passed required tests and inspections. '
- 7. Nonconformino Items ,
Measures should be established to control items that do not conform to specified requirements to prevent inadvertent use or installation.
- 8. Corrective Action l
1. Heasures should be established to ensure that failurec, malfunctions, H deficiencies, deviations, defective components, and nonconformances are i promptly identified, reported, and corrected. i - ! I i J i l
- 32 l 4
i _ . I
1
- 9. Records ',
Records should be prepared and mai.itained to furnish evidence t' hat the criteria enumerated above are being met for activities required to comply with 5 50.63. ' i ! 10. Audits I Audits should be conducted and documented to verify compliance with design and procurement documents, instructions, procedures, drawings, and inspection and test activities developed to comply with $ 50.63. 1 . I I i [ I j 4 i i l 1 i l ! 8 4 1 . ) 4 33 ___.____9.
- = - - - . - . ._
Appendix B Guidance Regarding system and Station Equipment Specificat. ions
'. Alte:nat:
Alternate AC Sources Battery '.ystems f Safety-Related Not required, but the existing Class IE. Not required, but tiie existing Class Equipment electrical systems must continue to meet IE battery systems must continue to (Compliance with all applicable safety related criteria. meet all applicable safety-related IEEE-279) criteria. Redundancy Not required. Not required. .. Diversity See Regulatory Position 3.3.4 of this guide. Not required. from existing , EDGs Independence Required if connected to Class IE buses. Separ- Required if connected to Class IE battery from existing ation to be provided by 2 circuit breakers in systems. Separation to be provided by 2 scfety related series (1 Class IE at the Class IE bus circuit breakers in series (1 Class IE systems- and I non-Class 10). at the Class-lE bus and I non-Class IE). Seismic Not required. tiot required. Qualification Environmental If normal cooling is lost, needed for station if normal cooling is lost, needed for Ccnsideration blackout event only and not for DBA conditions. station blackout ever.t only and not for Procedures shound be in place to effect the accident conditions. Procedures should the actions necessary to maintain acceptable be in place to effect the actions neces-
^
environmental, conditions for the required equip- sary to maintain acceptable environmental ment. See Regulatory Position 3.2.4. conditions for the required equipment. See Regulatory Position 3.2.4.
~
Appendix IL (Continued) , Alternate Alternate AC Sources Battery Systems , e l Capacity Specified in S 50.63 and Regulatory Posi- Specified in S 50.63 and Regulatory tion 3.3.4. Position 3.3.1. . Quality Indicated in Regulatory Position 3.5. Indicated in Regulatory Position 3.5. l Assurance . Icchnical should be consistent with the Interim Should be consistent with the Interim specification Commission Policy Statement on Tech- Commission Policy Statement on Tech-fer Maintenance. nical Specifications (Federal . nical Specifications (Federal i_iciting Condi- Register Notice 52 FR 3789) as Register Notice 52 FR 3789) as Lion, FSAR, etc. applicable. applicable. . u Hust meet system functional l instrumentation Must meet system functional requirements. cnd monitoring , requirements. Single failure Not required. Not required. , Common Cause Design should, to the extent practicable, Design should, to the extent practicable, ! minimize CCF between safety-related and minimize CCF between safety-related and Failure (CCF) non-safety-related systems. non-safety-related sistems. e l e I
Appendix B (Continued) - Water Delivery System
" (Alternative to Auxiliary feedwater Water Source (Existing . System, RCIC System, Condensate Storage Iank Instrument Air or Isolation Condenser orAlternative) (Compressed Air System) Make]p}
5:fety-Related Not required,I,ut the Not required, but the Not required, but the Equipment existing Class IE systems existing Class IE systems existing Class IE (Compliance with must continue to meet must' continue to meet all systems must continue IEEE-279) all applicable safety- . applicable safety related to meet all applicable related criteria. criteria. safety-related criteria. Redundancy Not required. Not required. Not required. Diversity m Not required. Not required. Not required. Independence Ensure that the existing Ensure that the existing Enstre that the existing from Safety- safety functions are not safety functions are not safe ty functions are not R21ated Systems compromised, including the compromised, including the congromised, including the
, capability to isolate capability to isolate capability to isolate components, subsystems, or components, subsystems, or components, subsystems, or piping, if necessary. piping, if necessary. piping, if necessary. .
Seismic Not required. Not required. Not required. Qualification e
-,,-.r.. _ - . . ., -g - _
.m -
Appendix 8 (Continued)
* ^
Water Delivery System { Alternative to Auxiliary feedwater WaterSource1 Existing System, RCIC System, Condensate Storage Iank Instrument Air or Isolation Condenser or Alternative) (Compressed Air System) Makeup) Er.vironmental Needed for station blackout Needed for station blackout Needed for station blackout Consideration . event only and not for DBA event only and not for DBA event only and not for DBA . conditions. See Regulatory conditions. See Regulatory conditions. 5,ee Regulatory Position 3.2.4. Procedures Position 3.2.4. Procedures Position 3.2.4. Procedures should be in place to effect should be in place to effect shoJld be in place to'effect the actions necessary to the actions necessary to the actions necessary to maintain acceptable environ- maintain acceptable environ- maintain acceptable environ-mental conditions for re- mental conditions for re- mental conditions for re-quired equipment. quired equipment. quired equipment. ti Capacity Capability.to provide Sufricient compressed The capacity to provide sufficient water for core air to components, as sufficient cooling water cooling in the event of a necessary, to ensure flow to ensure that station blackout for the that the core is cooled the core is cooled in specified duration to and appropriate containment the event of a station meet S 50.63 and this integrity is maintained for blackout.for the speci-regulatory guide. .the specified duration of fied duration to meet station blackout to meet S 50.63 and this regula- ~ S 50.63 and this regulatory tory guide tory guide. Quality As indicated in Regula- As indicated in Regulatory As indicated in Regulatory Assurance tory Position 3.5. Position 3.5. Position 3.5. . __ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ ___ m _ - _ - - - r w me- - % , . - - . . _ - - ,
l Appendix B (Continued) Wa'er Delivery System { Alternative to Auxiliary feedwater Water Source (Existing Sy. tem, RCTC System. .' Condensate Storage tank Instrument Air or isolation Condenser orAlternative{ (Compressed Air System) Makeup) Technical Should be consistent with the Should be consistent with the Should be consistent with the Specifications Interim Commission Policy Interim Commission Policy Interim Commission Policy' fer Maintenance. . Statement on Technical State' ment on Technical Stattaent on Technical 5:rveillance. Specifications (Federal Specifications (Federal Specifications (Federal Limiting Condi- Register Notice 52 FR 3789) Register Notice 52 FR 4789) Register Notice 52 FR 3789) Lion, FSAR, etc. as applicable. as applicable. as applicable. Instrumentation Must meet system functional Must meet system functional Must meet system func-cnd Monitoring requirements. requirements. tional requirements. Single failure Not required. Ndt required. . Not required. , ] Common fause Design should, to the extent Design should, to the extent Design should, to the extent Failure (CCF) practicable, minimize CCF practicable, minimize CCF practicable, minimize CCF between sofety-relat(d and between safety-related and between safety relatec and non safety-rel.ited systems. non-safety-related systems. non-safety related systems. e
_.m_ _ _ _ _ _ __ - . _ _ _ _ . _ ___ _ _ _ _ . __ ._. - ._. _ Appendix B (Continued) Instrumentation and Control Room Indica-tions ior VerificaLion of RCS Natural Circula-RCS Makeup System Isolation Condenser tion (PWRs and BWRs (PWRs and BWRs Without RCIC) (BWRs Without RCIC) Without RCIC) Safety-Related Not required, but the Not required, but the Not required, but the Equipment (Com- existing Class IE systems existing Class IE systems existing Class 1E systems pliance with must continue to meet all must' continue to meet all muit continue to meet all
9) applicable safety-related applicable safety-related applicable safety-related criteria. criteria. criteria.
y Not required. Not required. Not required.
~saty . Hot required. Not required. Not require'd.
i U' l Independence 1. Safety grade isolation 1. Safety grade isolation A malfunction of this from Safetv- devices required between devices between this instrumentation and
- C21ated Sy. ses this RCS makeup system system and existing monitoring system and existing safety- safety-related systems. should not affect the related makeup water systems. design safety function -
of any safety related ? 2. A malfunction of this non- 2. A malfunction of this instrumentation and safety grade makeup system non-safety-related sys- monitoring systems should not affect the tem should not affect the powared by onsite or design safety function of design safety function of offsite ac power any safety related systems, any safety-related systems. buses. Seismic Not regi. ired. Not required. Not required. Qualification
- . -,__r.__ - , . _ _ _ _ - _
i Appendix 8 (Continued) i Instrumentation and Con ~ trol Room Indica-
,, tions for Verification of 105 Natural Circula-RCS Makeup System Isolation Condenser tioa (PWRs and BWRs .
(PWRs and 8WRs Without RCIC) (8WRs Without RCIC) Wit *nout RCIC) Environmental Needed for station blackout Needed for station blackout Needed for station blackout Consideration event only and not for DBA event only and not for 08A event only and not for DBA conditions if normal cooling conditions if normal cooling conditions if normal cooling is lost. See Regulatory Posi- is lost. See Regulatory Posi- is 'ost. See Regulatory Posi-tion 3.2.4. Procedures should tion 3.2.4 Procedures should tion 3.2.4. Procedures should be in place to effect the be in place to effect the be n place to effect the act. ions necessary to maintain actions necessary-to maintain actions necessary to maintain I acceptable environmental condi- acceptable environmental condi- acceptable environmental condi< tior.s for the required tions for the required tions for the required equipment. equipment. equipment. f Capacity Sufficient RCS makeup so Provide sufficient capacity Provide sufficient instru- ! that core temperatures are for decay heat removal. Dur- mentation and control room in-I maintained at acceptably low ing the specified duration dications for parameters re-values considering a loss of of station blactout, the iso- quired for' verification of RCP water inventory through lation condenser pool side RCS aatural circulation dur-a postulated RCP seal failure requires a water makeup sys- ing '.he specified duration during the specified duration tem powered by sources in- of station blackout. of station blackout, with a dependent from onsite and minimum assumed RCP seal offsite ac buses. leakage of 20 gpa per RCP, unless a lower value is
-justified.
Quality As indicated in Regulatory As indicated in Regulatory As indicated in Regulatory Assurance Position 3.5. Position 3.5. Position 3.S. O e
,w- s-------v--m- - - - - - - ew--tw-3--m te+ +-w -, - m-- -
wt- -,-------s--e'----erv- t 7vt--T----te----ww----wwwwe e ur e-we m---*-,------n,--,--Te4,w------- rr4-t--+4t-+'r-e--=2 -4 w ---er- ms---==-T-ew ---*-*----t- awew* w-eww---r--
. -_ - -_. _ - . _. - _ _ _ - - _ -- = _ _ _ - - - . _ . - -. .- -_ _ _= __- - -.. _ _ = - _ - .. -
a. Oi!pendix B (Continued) < Instrumentation and Control Room Indica-
. tions for Verification of NTFNaturallircula-RCS Makeup System Isolation Condenser tion (PWRs and BWRs (PWRs and BWRs Without RCIC) {8WRsWithoutRCIC} iiithout RCIC)
Technical. h be consistent with the Should be consistent with the i Specifications for Should be consistent with the ommission Policy e 6 C M ssion Polig ( Interim Comnission Policy Maintenance, tatement on Technical Statement on Technical l Survelliance, Statement on Technical gPec cat ons (Federal Specifications (Federal Register Notice 52 FR 4789) -SP*cifications (Federal . Liciting Condi-Register Notice 52 FR 1789) Register Notice 52 FR 3789) tion
- FSAR* t' as applicable. '5 APPl icable. as applicable.
Instrumentation Most meet system functional Must meet system functional -------- 6 rnd Monitoring requirements. requirements. p ' Single Failure Not required. Not required. Not required. Common Cause Design should, to the Design should, to the Design should, to the extent practicable, exte t practicable, Failure (CCF) extent practicable, minirize CCF between safety-minimize CCF between safety- minimize CCF between safety-related and non-safety- related and non-safety- related and non-safety-related systems. related systems. related systems. \ p_ _ _ _ _ _ _ _ _ . - - __ _ ____ -.- __ , _ - , . - , . - ..-.,.,e
. , , - - - - ---,v. w- m - r--- , - --
- e. - . ~ . . % ._ r .m--c.., , . . . . . - - - - . y-- , .
VALUE/ IMPACT STATEMENT A separate value/ impact statement was not prepared for this regulatory guide. The regulatory analysis prepared for the station blackout rule (NUREG-1109) provides the regulatory basis for this guide and examines the, costs and honefits of the rule as isolemented by the guide. A c py of NUREG-1109 is available for inspection and copying for a fee at the NRC Public Document Room, 1717 H Street NW., Washington, DC 20555. Free single copies may be obtained upon written request to the Distribution Section, Room P-034, Division of Information Support Services, U.S. Nuclear Regulatory Commission. Washington, DC 20555. e
- 6 9
l 42
]
ENCLOSURE E us: a-44 soo exo WMG-W 11-12-87 e Evaluation of i Station B ackout Accidents
- i. at: Nuc, ear Power P' ants i
b
! ec7nica incings le atec to ; Unreso vec Sa"ety ssue A u-se e5 -.
85
<C
-ina Report .
1 wJ os o ::: 5" 5 . 5 U.S. Nuclear Regulatory 3 Commission i 1
$ Office of Nuclear Regulatory Research I g Office of Nuclear Reactor Regulation .
2 O P. W. Baranowsky
$ 1 4
g p ~%, .
.;i,Te('s q 3 (T
* $f/
A E o 2 2 e
d ABSTRACT "Station Blackout," which is the complete loss of alternating current (AC) elec-trical power in a nuclear power plant, has been designated as Unresolved Safety Issue A-44. Becau = winy safety systems required for reactor core decay heat removal and containment heat removal depend on AC power, the consequences of a station blackcut could be severe. This report documents the findings of techni-cal studies performed as part of the program to resolve this issue. The impor-tant factors analy:ed include: the frequency of loss of offsite power; the pro-bability that emergency or onsite AC power supplies would be unavailable; the capability and reliability of decay heat removal systems independent of AC power; and the likelihood that offsite power would be restored before systems that cannot operate for extended. periods without AC pcwer fail, thus resulting in core damage, This report also addresses effects of different designs, loca-tions, and operational features on the estimated frequency of core damage re-sulting from station blackout events. O e 4 4 D 4 9 t t 4 4 NUREG-1032 iii
.- - ._ _ ~
- f 1
, . l TABLE OF CONTENTS P&S2 ABSTRACT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . v i LIST OF TABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi i PREFACE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix , ACKNOWLEDGMENTS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi 1 EXECUTIVE
SUMMARY
. . . . . . . . . . . . . . . . . . . . . . . . .'. 1-1 2 INTRODUCTION AND TECHNICAL APPROACH . . . . . . . . . . . . . . . . . 2-1 3 LOSS OF OFFSITE POWER FREQUENQY AND OURATION. . . . . . . . . . . . . 3-1 4 RELIABILITY OF EMERGENCY AC POWER SUPPLIES. . . . . . . . . . . . . . 4-1 1
5 STATION BLACK 0UT FREQUENCY AND DURATION . . . . . . . . . . . . . . . 5-1 '. 6 ABILITY TO COPE WITH A STATION BLACKOUT . . . . . . . . . . . . . . . 6-1 7 ACCIDENT SEQUENCE ANALYSES. . . . . . . . . . . . . . . . . . . . . . 7-1 8 EVALUATION OF DOMINANT STATION BLACKOUT ACCIDENT CHARACTERISTICS. . . 8-1 9 RELATIONSHIP OF OTHER SAFETY ISSUES TO STATION BLACKOUT . . . . . . 9-1 10 REFERENCES. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1 APPENDIX A DEVELOPMENT OF LOSS-OF-OFFSITE-POWER FREQUENCY AND DURATION 4 RELATIONSHIPS 4- APPENDIX B EMERGENCY AC POWER RELIABILITY AND STATION BLACKOUT FREQUENCY:
- MODELING AND ANALYSIS RESULTS
) APPENDIX C STATION BLACK 0UT CORE DAMAGE LIKELIHOOD AND RISK j i I LIST OF FIGURES l 3.1 Diagram of offsite power system used in nuclear power plants . 3-2 3.2 Frequency of loss-of-offsite-power events exceeding j specified durations. . . . . . . . . . . . . . . . . . . . . . 3-4
- 3.3 Estimated frequency of loss-of-offsite power events exceeding ,
i specified durations for representative clusters. . . . . . . . 3-7 ! 4 3 4.1 Simplified 1-of-2 onsite AC power distribution system. . . . . 4-2 I 4.2 Onsite power system functional block diagram . . . . . . . . . 4*3 1 4.3a Histograms showing emergency diesel generator failure on demand for 1976 through 1982. . . . . . . . . . . ... . . 4-7 4.3b Histograms showing emergency diesel generator failure on demand for 1983 through 1985 . . . . . . . . . . . . . . . . . 4-8 4.4 Failure contribution by diesel generator subsystem . . . . . 4-9 4.5 Onsite AC system unavailability for 18 plants studied .' in NUREG/CR-2989 . . . . . . . . . . . . . . . . . . . . . . . 4-11 } .
. .4 i.
NUREG-1032 v {
e ! TABLE'0F CONTENTS (Continued) P,ag3 1 i 4.6 Percentage of emergency diesel generator failures repaired vs. time since failure . . . . . . . . . . . . . . . . . . . . 4-13 l 4.7 Generic emergency AC power unavailability as a function l of erargency diesel generator _(EDG) reliability. . . . . . . . 4-15 4.8 Generic emergency AC puwer unavailability as a function of ; individual diesel generator running reliability . ...... 4-16 5.1 Estimated frequency of station blackout exceectng specified durations for several representative offsite power clusters. . 5-2 5.2 Estimated frequency of station blackout' exceeding specified durations for several EDG reliability levels . . .'. . . . . . 5-3 5.3 Estimated frequency of station blackout exceeding specified durations for several emergency AC power configurations. . . . 5-4 7.1 Generic PWR event tree for station blackout. ......... 7-2 ! 7.2 Generic BWR event tree for station blackout (BWR-2 or 3) . . . 7-3 . 7.3 Generic BWR event tree for station blackout (BWR 4, 5, or 6) . 7-4 t 7.4 Time to core uncovery as a function of time at which ;
~
turbine-driven auxiliary feedwater train fails . . . . . . . . 7-7 7.5 , PWR station blackout accident sequence . . . . . . . . . . . . 7-9 l 7.6 BWR station blackout accident sequence , , . . . . . . . . . . 7-10 8.1 Sensitivity of estimated station blackout--core damage fre-quency to offsite power cluster, AC independent decay heat removal reliability, and station blackout coping capability. . 82 , 8.2 Sensitivity of estimated station blackout--core damage fre- . quency to emergency diesel generator reliability, AC-independent. decay heat removal reliability, and station black-out coping capability. . . . . . . . . . . . . . . . . . . . . 8-4 8.3 Sensitivity of estimated station blackout--core damage fre-quency to emergency AC power configurations, AC-independent decay beat removal reliability, and ste. tion blackout coping capability . . . . . . . , . . . . . . . . . . . . . . . . . . 8-5 ; 8.4 Sensitivity of estimated station blackout--core-damage fre-quer y tn reducing the common cause failure susceptibility of emergcncy diesel generators, their reliability, and station blackout coping capability .................. 86 8.5 . Estimated core damage frequency showing uncertainty range , for four reference plants. . . . . . . . . . . . . . . . . . . 8-8 l LIST OF TABLES . 1.1 Summary of station blackout program technics) results. . . 1-2 ; i 3.1 Total 1csses of offsite power at U.S. nuclear power plant sites, 1968 through 1985 . . . . . . . . . . . . . . . . . . . 3-3 ; 3.2 Characteristics of some loss of-of frite power-event clusters that affect longer duration outages. . . . . . . . . . . . . . 3-8 > b NUREG-1032 vi ! t
- i. _ _ .
1 i r 4 j
! , l i
TABLE,0F CONTENTS (Continued) - l tass i 4 i j 4 la Diesel generator start attempts and failures for tests and ; i actual demands from NUREG/CR-2989. . . . . . . . . . . . . . . 45 : l 4.lb Diesel generator start attempts and failures for tests and i j actual demands from EPRI study. .. . . . . . . . . . . . . . . 4-5 ! ! 4.2 Results of onsite power system reliability analysis reported ! l in NUREG/CR 2989. . . . . . . .. . . . . . . . . . . . . . . . 4-12 : ! 6.1 Effects of station blackout on plant decay heat removal ' functions. . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
'; 6.2 Possible factors limiting the ability to cope with a station blackout event . . . . . ................... 6-6 [
7.1 Estimated time to uncoyer core for station blackout sequences
! with initial failure of AC-independent decay heat removal
. systems and/or reactor coolant leaks . . . . . . . . . . . . . 7-6 ,
7.2 Summary of potentially dominant core damage accident i sequences. . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12 , j 7.3 Containment performance and consequence results for
- station blackout sequences. . . . . . . . . . . . . . . . . . . 7-14
^
~
8.1 Sensitivity of estimated core damage frequency reduction ! for station blackout accidents with reactor coolant pump , I seal failure delay from 2 to 4 hours and 4 to 8 hours. . . . . 8-7 i i !' 9.1 Coupling between external (and internal) events and potential plant failures . . , , . . . . . . . . . . . . . . . . . . . 9-4 l i I i !
- i 1 i i t I
i i I [ i t i l l - i 1 . l i . t . * , NUREC 1032 vii 9 e
PREFACE This report represents the culmination of several technical studies undertaken by Nuclear Regulatory Commission (NRC) staff and contractors to place a reli-ability and risk perspective on Unresolved Safety Issue A-44, "Station Biack-out." The technical findings pue1 1shea in this report are intended to document the basis for future NRC regulatory activities that will be the resolution of this safety issue. The analyses, evaluations, and results presented are meant to provide a "best estimate" assessm'ent of the major contributors to the frequency of station blackout and the pr(cabilit'y of subsequent core damage. Most results are pre-sented.as point estimates and are intended for use in the quantitative regula-tory analyses that will be used to support a proposed resolution of this issue. The uncertainties in the quantita'tive analyses are large enough that rigorous application of these results should be made witn caution. However, the staff believes that the qualitative insights and conclusions are correct and useful : as guidance in determining what constitutes resolution of this issue. , l P.W. Baranowsky l l 1
- j NUREG-1032 ix
.. . - _ . - L . . ,.
ACKNOWLEDGMENTS The preparation of this report involved the technical contribution, review, and 4 comment of several individuals in addition to the principal author. The con-tributions of the following NRC staff members are hereby acknowledged and appreciation given: S. A. Bernstein J. H. Flack . J. W. Johnson L. E. Lancaster E.. Lois . D.'M. Rasmuson A. M. Rubin l a ! 1 NUREG-1032 , xi
1 EXECUTIVE
SUMMARY
Station iackout is the complete loss of alternating current (AC) electrical power to the essential and nonessential switchgear buses in a nuclear power plant. Because many safety systems required for reactor core cooling and con-tainment heat removal depend on AC power, the consequences of a station blackout could be severe. Existing regulations do not require explicitly that nuclear power plants be capable of withstanding a station blackout. In 1975, the "Reactor Safety Study" (NUREG-75/140) showed that station blackout could be an important contributor to the total risk from nuclear power plant accidents. In addition, as operating experience accumulated, the concern arose that the reliability of both the onsite and offsite emergency AC power systems might be less than originally an,ticipated. Thus, in 1979 the Nuclear Regulatory Commission (NRC) designated station blackout as an unresolved safety issue (USI); a task action plan for its resolution (TAP A-44) was issued in July 1980, and work was begun to determine whether additional safety requirements were needed. Technical studies performed to resolve this safety issue have identified the dominant factors affecting the likelihood of station blackout accidents at nuclear power plants. A. summary of the principal probabilistic results is in Table-1.1. These results are based on operating experience; tne results of several plant-specific probabilistic safety studiet; and reliability, accioent sequence, and consequence analyses performed as part, of TAP A-44. The results show the following important characteristics of station blackout accidents: (1) The variability of estimated station blackout likelihood is potentially large, ranging from approximately 10 5 to 10 3 per reactor year. A "typical" estimated frequency.is on the order of 10 4 per. reactor year. (2) The capability to restore offsite power in a timely manner (less than 8 hours) can have a significant effect on accident consequences. (3) The redundancy of onsite AC power systems and the reliability of indi-vidual power supplies have a 1crge influence on the likelihood of station I blackout events. (4) The capability of the decay heat removal system to cope with long duration blackouts (greater than 2 hours) can be a dominant factor influencing the likelihood of core damage or core melt for the accident sequence. (5) The estimated frequency of station blackout events that result in core damage or core melt can range from approximately 10 6 to greater than 10 4 per reactor year. A "typical" core damage frequency estimate is on the order of 10 5 per reactor year. I 4 NUREG-1032 1-1
r . Table 1.1 Summary of station blackout program technical results Parameter Value , Operational Experience Loss of offsite power (occurrence per year) Average 0.1 Range 0 to 0.4 Time to restore offsite power (hours) Median 0.6 90% restored 3.0 Emergency diesel generator reliability (per demand) - Average 0.98 Range 0.9 to 1.0 Median emergency diesel generator repair 8 , time (hours) _. Analytical Results Estimated range of unavailability of emergency 10 4 to 10 2
- AC power systems (per demand)
Estimated range of frequency of station blackout 10 5 - 10 3 (per year) Estimated range of frequency of core damage as a 10 5 - 10 4 result of station blackout (per year) (6) Information currently available indicates that containment failure as a result of overpressure may follow a station-blackout-induced core melt. Smaller, low-design pressure containments are most susceptible to early failure (possibly in less than 8 hours). Some large, high-design pressure containments may not fail as a result of overpressure, or if they do f ail, the failure time could be on the order of a day or more. The losses of offsite power can be categorized as those resulting from (1) plant-centered faults, (2) utility grid blackouts, and (3) fa'ilures of offsite power sources induced by severe weather. The industry average fre-quency of total losses of,offsite power was determined to be about 0.1 per site / year, and the median restoration time was about one-half hour. The fac-tors identified as affecting the frequency and duration of offsite power losses are e e NUREG-1032 1- 2 9-
(1) the design o'f preferred power distribution system, particularly the num-ber and independence of off, site power circuits from the point where they enter the site up to'the safety buses (2) operations that can compromise redundancy or independence of multiple of.f-site power sources, including human error (3) the reliability and security of the power grid, and the ability to restore power to a nuclear plant site with a grid blackout (4) the hazard from, and susceptibility to, severe weather conditions that can cause loss of offsite power for extended periods A review of the design and operating experience, combined with a reliability analysis of the onsite emergency AC power system, has shown that there are a variety of potentially important causes of failure. The typical unavailability of a two-division emergency AC power system is about 10 3 per demand, and the typical failure rate of individual emergency diesel generators is accut 2 x 10 2 per demand. The fact' ors identified as affecting emergency AC power system reliability during a loss of offsite power are (1) power supply configuration redundancy (2) reliability of each power supply (3) dependence of the emergency AC power system on support or auxil'iary cooling systems and control systems, and the reliability of those support systems (4) vulnerability to common cause failures associated with design, operational, and environmental factors The likelihood that a station blackout will progress to core damage or core melt is dependent on the reliability and capability of decay heat removal systems that are not dependent on AC power. If tne capability is sufficient, additional time will be available to restore AC power to the many systems normally used tc cool the core and remove decay heat. The most important factors relating to decay heat removal during a station blackout are
~
(1) the starting reliability of systems required to remove decay heat and maintain reactor coolant inventory (2) the capacity and ability to function of decay heat removal systems and auxiliary or support systems that must remain functiorial during a station blackout (e.g., direct current (DC) electrical power, condensate storage), l including effects of inoperable heating, ventilation, and air conditioning l (HVAC) systems l (3) for pr5ssurized water reactors (PWRs) and for boiling water reactors (BWRs) without reactor coolant makeup capability during a station blackout, the magnitude of reactor coolant pump seal leakage (4) for BWRs that remove decay heat to the suppression pool, the ability to' maintain suppression pool integrity and operate heat removal systems at high pool temperatures during recirculation NUREG-1032 1-3
- - - - - - - - , , , g e
t *
- (5) recovery of AC power including availability of alternate AC power sources On the basis of reviews of design, operation, .and location factors,' the staf f determined that the expected core melt. frequency from station blackout could be maintained around 10 5 per reactor year or lower for all plants. To reach this level of core melt frequency, a plant would have to be able to cope with sta-tion blackouts on the order of 2 to 4 and perhaps 8 hours long and have emergency diesel generator reliabilities of 0,95 per demand or better, with relatively Icw susceptibility to common cause failures.
4 k 9 G B e 5 6 e 4 I
- e NUREG-1032 1-4 1 ,
~
2 INTRODUCTION AND TECHNI, CAL APPROACH Station blackout refers to the complete loss of AC electrical power to the essential and nonessential switchgear buses in a nuclear power plant. Station blackout involves the loss of offsite power concurrent with the failure of the onsite emergency AC power system. It aoes not include the loss of available-AC power to buses fed by station batteries through inverters. Because many safety systems required for reactor core cooling, decay heat removal, and containment heat removal depend on AC power, the consequences of station blackout could be severe. The concern about station blackout is based on accumulated operating experience regarding the reliability of AC power supplies. A number of operating plants have experienced a total loss of offsite electrical power, and more such occur-rences are expected. During these loss-of-offsite power events, onsite emer-gency AC power sources were available to supply the power needed by vital safety equipment. However, in some instances one of the redundant emergency power supplies was unavailable, and in a few cases there was a complete loss of AC power. (During these events AC power was restored in a short time without any serious consequences.) In addition, there have been numerous instances at . operating plants in which emergency diesel generators failed to start and run during surveillance tests. For one of two plants evaluated, the Reactor Safety Study (NUREG-75/014-) showed that station blackout could be an importa.nt contributor to the total risk from nuclear power piant accidents. Although'this total risk was found to be small, the relative importance of the station blackout event was established. This finding, with the accumulated data on diesel generator failures, increased the concern about station blackout. An analysis of the risk from station blackout involves an assessment of (1) the likelihood and duration of the loss of offsite power, (2) the reliability of onsite AC power systems, and (3) the potential for severe accident sequences after a loss of all AC power. These topics were investigated under USI TAP A-44. This plan included the following major tasks: (1) Estimating the frequency of station blackout at operating U. 5. nuclear power plants. This analysis consisted of two parts estimating the frecuency of loss of offsite power for various plant locations estimating the probability that the onsite AC power sys' tem will fail to supply AC power for core cooling , (2) Determining plant responses to station blackout and the risk associated with station-blackout-initiated accident sequences. The scope of this investigation included i NUREG-1032 2-1
9
- reviewing shutdown cooling systems design and assessing their capa-bility and reliability during a prolonged station blackout
- reviewing containment designs and their ability to withstand tempera-ture and pressure buildup during a prolonged loss of AC power .
- estimating the probability of station blackout accident sequences for a spectrum of nuclear power plant designs The principal focus of TAP A-44 was the reliability of emergency AC power supplies. This approach m taken for several reasons. First, station black-c'.:t was identified as a USI primarily on the basis of the questions raised about the reliability of onsite emergency power supplies. Second, if safety improvements are required, it is easier to analyze, identify, and implement them for the onsite AC power system than for the offsite AC power supplies or for the AC-independent decay heat removal system. For example, offsite power ral; ability is dependent on : number of factors--such as regional electrh.ai.
grid stability, weather phenomena, and repair and restoration capability--that are difficult to analyze and to control. Also, the capability of a plant to withstand a station blackout depends on those decay heat removal systems, com-ponents, instruments, and controls that are independent of AC power. These features vary from plant to plant; thus considerable effort is required to analyze all of them or to ensure that the plants indeed have that capability. Third, significant progress has been made on improving operating PWRs by back-f tt;ng the auxiliary feedwater system to make it independent of AC power. In addition, under the TAP for USI A-45, "Shutdown Decay Heat Removal Require-ments," the adequacy of shutdown decay heat removal systems for nuclear power plants is being reviewed. Thus,thereliabilityofemergencyACpowersupplies is ct principal importance to 051 A-44 A preliminary screening analysis was done to identify plants most likely to suffer core damage as a result of a loss of all AC power. The intent was to survey the frequency and implication of station blackout events in operating plants and identify any plants with especially high risk that might require further analysis or action on an urgent basis. The initial results showed no such plants. Following this initial analysis, station blackout events were evaluated in more detail. Because the station blackout issue centers on concern about the relia-bility of AC power supplies, typical offsite and ' emergency AC power supplies were cvaluated and operating (failure) experience reviewed. This effort was limited to power supply availability and did not include an evaluation of the adequacy of power distribution design or power capacity requirements. Information on loss of offsite power was collected from licensee event reports (LERs), responses to an NRC questionnaire, and various reports prepared by industry sources. Most of the event descriptions in the LERs and-in other documentation in the NRC files did not contain sufficient information to pro-vide an accurate data base for estimating frequencies and durations of losses of offsite power. For example, in one case a licensee reported that offsite power was restored in 6 hours; in fact, one offsite power source was restored iii 8 minutes and all offsite power was restored in 6 hours. Because restoration of one source of offsite power terminates a loss .of offsite power, the li-censee's description was not accurate enough. In some other cases, although NUREG-1032 2-2
. )
offsite power was available to be reconnect'ed,.the' plant operators did not re-connect it for some time after it .was available because onsite power was avail-able. To obtain more accurate data, the NRC and Oak Ridge National Laboratory staff members worked closely with the Institute of Electrical and Electroni.cs Engineers (IEEE) and the Electric Power Research Institute (EPRI). These groups contacted utility engineers to get better descriptions of the causes and sequences of events, and the times and methods of restoring offsite power (Wykcof f, May and September 1986). To gain a perspective on consequences, station blackout event sequences and associated plant responses were analyzed. The Interim Reliability Evaluation Program (IREP) was one source of information for developing the shutdown cooling reliability models and accident scenarios needed for this evaluation. The Reactor Risk Reference Document (NUREG-1150) and supporting studies were a source of information f. - feveloping an updated perspective on containment failure and consequences associated with a station blackout accident. The following sections of this report summarize the results of the technical evaluations discussed above. Details of the technical assessments performed as. part of USI TAP A-44 are reported in NUREG/CR-2989, -3226, and -3992. Signifi-cant use was 'lso a made of NSAC/103 (Wyckoff, May 1986) and NSAC/108 (Wyckoff, September 1986) as well as other documents produced to assess various station blackout concerns which are appropriately referenced throughout this report. Technical evaluations in this report were derived from these references to coalesce that material and extend the analysis to obtain the broader insights and bases nedessary to risolve the . station blackout issue in an integral manner, considering plant differences. These supplemental analyses are described in Appendices A, B, and C of this report. 1 I I l 6 d NUREG-1032 2-3 l
e 3 LOSS OF OFFSITE POWER FREQUENCY AND OURAT10N The offsite or preferred power system at nuclear power plants consists of the following major components: two or more incoming power supplies from the grid one or more switchyards to allow routing and distribution of power within the plant one or more transformers to allow the reduction of voltage to levels needed for safety and non-safety systems within the plant distribution systems from the *.ransformers to the switchgear buses Figure 3.1 provides an example of an offsite power system design used for nuclear power plants. During normal operation, AC power is typically provided to the safety and non-safety buses from the main generator through the auxil-iary transformer; it may also be supplied directly through a startup trans-former. A minimum of two preferred power supply circuits must be provided. Sources of offsite power other than the grid may also be provided as alternate or backup sources of power. These may include nearby (or onsite) gas turbine generators, fossil power plants, and hydroelectric power facilities. A loss of offsite power is said to occ'ur when all sources of offsite power become un-available, causing safety buses to become deenergized and initiating an under-voltage signal. Some loss-of-offsite power transients will be very short--just long enough to allow switching from one failed source to another available source. Because of the short duration of this type of loss-of-offsite power transient, it is not of concern relative to station blackout. This type of loss-of-offsite power transient is better described as an interruption. How- l ever, if switching errors or failures of alternate sources of power compound I the situation and longer term repair, restoration, or actuation of alternate ' power sources is required, the loss-of-offsite power transient can.be signifi-cant. This type of loss-of-offsite power event is referred to as a total loss of offsite power,. Although total loss of offsite power is relatively infrequent at nuclear power plants, it has happened a number of times and a data base of information has been compiled (Wyckoff, May 1986; NUREG/CR-3992). Historically, a loss of off- < site power occurs about once per 10. site years. The typical duration of these l events is on the order of one-half hour. However, at some power plants the frequency of offsite power loss has been substantially greater than the average, l and at other plants the duration of offsite power outages has greatly exceeded the norm. Table 3.1 provides a summary of the data on total-loss-of-offsite-power events through 1985. Because design characteristics, operational features, and the location of nuclear powsr plants within different grids and meteorological areas can have - a significant effect on the likelihood and duration of loss-of-offsite power events, it was necessary to analyze the generic data in more detail. The data 4 NUREG-1032 3-1
\
o - l d d n a ' a d d d a I E 345av 134 h v i ) h%M - Ms'* hwM AwM MM i AAE M AA ' 1' NC IP NC 1' k kV
"N NONSAFETY NO NONSAFETY No CLASSIf CLASSlE GENERATOR CLASSlE CLA;5 "
OtvisiON 1 OlvisiON 2 DivislON 1 Olvi5 lot.
- 4 e i
I ' i i t _ _ _AU_TO_M A TI_C T_R A_NS_F E R_ _ _ ,' _ _ _ _ _ _ L _ _ _ _ _^2 79"' TLC La ^"5.' _ E ". __m_J 1 Figure 3.1 Diagram of offsite power system used . E in nuclear power plants 1 ! l
- NUREG-1032 3-2
~ . . , . .-. - . , - - . , - . - _ - , . . . . , , , . - . . _ . . . - - _ , - . . . , -. ,, , --- ,-._ . -
Table 3.1 Total losses of offsite power at-U.S. nuclear power plant sites, ~ 1968 through 1985 a
. Frequency of Median occurrence duration '
Type of event Number (yr 1)* (hours) Plant-centered 46 0.087 03 Grid 12 0.018 0.6 Weather 6 0.009 3.5** Total 64 0.114 0.6
*Through December 1985, 664 d te year: were used to compute the frequency of grid and weather events. Reactor critical site-years totaling 527 for the same period were used to compute the frequency of plant-centered events due to data screening.
(See Appendix A.) .
**The median value of 3.5 hours was obtained from a two-parameter Weibull curve fit of the data. The actual median is 4.5 hours. .
have been categorized into plant-centered events and area- or weather related events. Plant centered events are those in which the design' and operational characteristics of the plant i.tself play a role in the likelihood of the loss of offsite power. Area- or weather related events include those on which the reliability of the grid or external influences on the grid have an effect on the likelihood and duration of the loss of offsite power. The data show that plant-centered events account for the majority of the loss-of-offsite power events. The area- or weather-related events, although of lesser frequency, typically account for the longer duration outages with storms being the major factor. Figure 3.2 provides a plot of the frequency and duration of loss-of-offsite power events resulting from plant-centered faults, grid blackout, and severe weather based on past experience at nuclear plant sites. Appendix A to this report provides a more thorough discussion of the technical bases for the loss-of-offsite power frequency and duration characteristics discussed in the remainder of this section. Plant-centered failures typically involve hardware failures, design deficien- ! cies, human errors (maintenance and switching), 'and localized weather-induced faults (lightning and ice), or combinations of these types of failure. No strong correlation was found between the frequency of plant-centered loss-of- l offsite power events and any particular design factor. However, a modest cor- ! relation was observed between the duration of plant-centered loss of-offsite-power events and the independence and redundancy of offsite power circuits at a site. Ir. this regard, it has been observed that a site with several immediate , and delayed. access circuits will generally recover offsite power more promptly l
'NUREG-1032 3-3 l
a i l Data: 0.05 - O Total
~
j A Plant Centered h O Grid
.$ e Weather m
5 0.04 - - 6 A w O . k. cc A Plant Centered Total -
$ 0.03 0
0 C u. O 0 0.02 - - 2 w o C Grid 0.01 - A - O Severe Weather e 0.00 1 - 0.1 1.0 10 l DUR ATION (Hours) . Figure 3.2 Frequency of loss-of-offsite power events exceeding specified durations NUREG-1032 3-4
,, , t.-- _- - - -
I l l than a site with only the minimum requirements. However, recovery from the relatively high frequency plant-centered faults can be accomplished within a few hours. Plant location plays an important role in loss-of-offsite power events. Factors shown to be significant were (1) the reliability of the grid from which the ;
'uclear power plant draws its preferred power supply and (2) the likelihood of n !
severe weather that can cause damage to the grid distribution system and hence a loss of power to the plant. Traditionally, analyses have focused on grid reliability as a dominant factor in estimating loss of vTT:,it.e puwer at a plant site. However, a review of the historical data shows that approximately 19% of all loss-of offsite power events have been caused by grid problems; in fact, a large percentage of grid-related loss-of-offsite power events can be traced to one utility's system. The grid reliability of that system dominates the data, distorting the perspective on the contribution of grid failure to loss-of-offsite power frequency. This finding of overall grid reliability should not be unexpected when one recognizes that current distribution and dispatch systems are,well coordinated. Utilities,shed loads when possible ano generally prote'ct their grid from overloads and faQlts that could cause grid loss in the various day-to-day operations. Moreover, when there is a loss of power on the grid, the first activity that is usually undertaken is the restoration of power to the electric generation plants so that the grid may be restored to customers with appropriate power supplies. In fact, during the Northeast blackout of 1965, power was restored to a nuclear power plant in New England within about one-half an hour of the grid collapse, whi.le power was not restored to the entire grid for 24 hours or mare. With the exception of a few utility systems, large grid disturbances are rela-tively infrequent, and, again with few exceptions, the duration of power outages at power plants as a result of grid disturbances is relatively short. An iden-tified weakness in a system is usually corrected as soon as practical; it is the unidentified weaknesser that result in grid failures. In the absence of a his-torical trend, operating experience related to grid reliability is not necessar-ily an indication of future problems unless a known weakness has not been cor-rected. Because grics in the United States are generally very stable and system planning is directed at maintaining and improving that stability, grid reliabil-ity is usually not the principal indicator of the likelihood of loss of offsite power. Severe weather, such as local or area-wide storms, can disrupt incoming power supplies to the plant. In fact, a number of loss-of-offsite power events at nuclear power plants were weather related. These can be divided into two failure groups: (1) those in which the weather caused the event but did not affect the time to I restore power (2) those in which the weather initiated the event and caused ad' verse condi-tions over a sufficiently broad area such that power was not-or could not be restored for a long time The first group includes lightning and most other weather events that are not too ! severe. They can cause a loss of offsite power, but tneir severity generally d i NUREG-1032 3-5 I
7 does not contribute in~any significant way to long-duration losses of offsite power. These types of weather-related losses of offsite power have been treated as either plant-centered or grid-related losses of offsite power. The second
- group includes losses of offsite power as a result of severe weather such as
! hurricanes, high winds, snow and ice storms, and tornadoes. The expected loss-of-offsite power frequency of this group is relatively small. On the other hand, the likelihood of restoring offsite power quickly for this group is also rela-tively small. Although it is expected that the ac,tions of dispatch and plant personnel can influence substantially the duration of area-wide grid disturbances
+ hat cause a loss of offsite power, severe .codier conuttions--ano the expected duration of the resulting loss-of-offsite power events--cannot be influenced in the same way. Therefore, one would expect severe weatner to dominate the res-toration characteristics for long-duration outages. The redundancy, separation, and independence of the offsite power system may affect the likelihood of some weather-related losses such as those induced by tornado strikes. The depth of this study has not been sufficient to show the effectiveness of these design considerations on reducing the likelihood of other types of weather-related outages. ,
There is a potentially large va~iation in the annual expected frequency of loss-of-of fsite power events at dif ferent nuclear power plants, depending on their design and location. A large variation also has been observed in the duration of loss-of-offsite power events at different nuclear power plants. The expec-tion of long-duration outages is dominated by the likelihood of severe storms and, to a lesser extent, by the likelihood of grid blackout and the ability to resto~re power to the si'te during grid loss. Grid-related losses are important only when the frequency of occurrence greatly exceeds the national average. Appendix A describes the modeling and analyses performed by NRC staff to deter-mine the relationship between design and location and the frequency of and dura-tion of loss-of-offsite power events representative of most U.S. nuclear power plant sites. Figure 3.3 provides a plot of the expected frequency and duration for loss of offsite power for site, design, grid, and weather characteristics that have been found to "cluster" reasonably well. The factor that most predomi-nantly affects the characteristic groupings is severe weather. lable 3.2 pro-vides a definition of the site characteristics that make up the loss-of-offsite-power clusters shown. Appendix A includes additional discussicn of the charac-teristics of these clusters. 1 1 G NUREG-1032 3-6
1.0 , ,
, i i i 4 4 i T
! 0.1 --
~
in . - t . h Offsite ~- Power , U Cluster z w 0.01 -- 5 j 3 . . O 4 - w E C - w -
< 3 3 2 l A 0.001 .
b 3
. 5 1 -
0.0001 ' ' ' I I ' I I I ' 0 2 4 6 8 10 12 14 16 DUR ATION (Hours) Figure 3.3 Estimated frequency of loss-of offsite power events exceeding spec.ified durations for representative clusters 4 NUREG-1032 3-7 4 _ . - _ . - , - , _ - - . . - --....-y - . . _ _ . - . . , . _ _ , . , _-_.,_,-,7, _ - . . . .,,,_..__.----..m,,- - _ -,c,.. _ - - - . . . - , . - y -
o Table' 3.2 Characteristi,cs of some loss-of-offsite power-event clusters that affect longer duration outages Cluster Characteristics ; 1 Sites w'ith demonstrated high grid reliability and multiple sources of offsite power available through independent switch-yard circuits and low severe-weather hazards or design features to limit les: cf offsite power or hasten recovery from severe weather events. 2 Sites with demonstrated high grid reliability and low severe-weather hazards or moderate severe-weather hazards with design features to limit loss of offsite power or hasten recovery from severe-weather events, 3 Sites located in moderate to high severe-weather hazard areas and with limited design features to preclude loss of offsite l power or hasten recovery from severe-weather events. 4 Sites with known grid reliability problems and low to moderate , severe-weather hazards or design features to limit loss of I offsite power or hasten recovery from severe-weather events. l . 5 Sites located in a high severe-weather hazard area cnd without design features to preclude loss of offsite power or hasten ! . recovery from severe-weather events. l l l l l i l' l l l [ l l l NUREG-1032 3-8 l
4 RELIABILITY OF EMERGENCY AC POWER SUPPLIES The emergency AC power system provides an alternate or backup power supply to the offsite power sources. Figure 4.1 is a simplified one line diagram of a typical emergency AC power system. If the offsite power system is lost, an undervoltage condition will. w ist. nn the safety hse:, cc ring actuation of the emergency AC power system. The emergency AC power system provides sufficient functional capability and redundancy of the power requirements for the systems needed to mitigate the consequences of a design-basis accident. This typically includes a requirement to actuate emergency AC power supplies and make them available for loading within about 10 seconds after receiving an_ actuation signal. The emergency AC power system'also meets the single-failure criterion when applied to design-basis accidents. Emergency AC power is generally provided by diesel generator systems, although other sources such as gas turbine generators or hydroelectric power are used at some plar.ts. Because o/ the preponderance of diesel generator usage, that power supply type will be the principal focus of emergency AC power system discussions in this report. Figure 4.2 identifies the typical subsystems and support systems that are needed for successful operation of the emergency , diesel generator. Emergency AC power systems typically consist of two diesel generators, either one of which is sufficient to meet AC power load requirements for a design-basis accident. This configuration has been designated by its success criterion: one out of.two or more simply 1/2. In some cases, three or four or more diesel generators are used at single-unit sites, and in others, di'esel generators are shared at multi unit sites. These systems also can be described by their success criteria, or number of diesel generators required per number provided. However, for evaluating the station blackout issue, the success criterion will be defined as the number of diesel generators required to maintain a stable core cooling anc l decay heat removal condition with all offsite power sources unavailable. l The emergency AC power configurations that exist in the United States have been ! identified as follows: 1 (1) Emergency AC power supplies dedicated to one unit 1/2 1/3 1/4 2/4 (2) Emergency AC power supplies shared between two units ~ 1/2 2/3 2/4 2/5 3/5 . I NUREG-1032 4-1 . '
. ._ .. - ~ . . = . .~. - .. . -_
. 9 .
l l
-[
e 7 i
- t salu Of f $41t g Walk Of flitI Wall P0wta Wolf Poeta ll uw ww Mw w%
tutaCtaCT tu(ACEmCT SU$l SUS P r d 16 e T t ww wa I 4007 800, 1 T PIC a t , T1PIC AL 4060
- 040
, f,'g',' f -
,* l
- Stev6CE DCI DCI Wette )
tutactact- " tutactmCT DC I OC 3 i i ttCtmo , C *Clotte totasta C 0 Pts entants w Teamlf 0eute , 1 j 4 P i l . i ! L ! Figure 4.1 Simplified 1-of-2 onsite AC power distribution system l t 4 I i . ! NUREG-1032 - 4.- 2 - i 3
. - . , - - , , _ , , - . . . - , , ,. ~ ---,,.n.e. ,,..,,,,.m,, _
. . l l
I l p--_____________--_q
. S E 0VE N C E R gns ( pmEFEnnto P0wEm t e l OUTPU j OnEAKEA N l OC l OESEL CENERATOA f E SF A S g o w g ESFAS
/\/N /\
g TU'6L OA 6 ACITER I i COOLING NVAc l
= o' --
- .lSl'AU. l/
I I START SYSTEM i S C AVE N GIN G
#'A SYSTEM I l 50WNOARY I l ,
00VEANOA l l l I I : EINAUST I i l SHUTDOWH l i l l L _ - _ _ _ _ _ _ _ _ _ ,_J Figure 4.2 Onsite power system functional block diagram "ESFAS = engineered safety feature actuation system 4 NUREG-1032 4-3
(3) Emergency AC power supplies shared between three u its , . 3/8 (1/4 at one unit and 2/4 at 2 units with cross ties between 1 and 2 unit systems] Although a closer review of emergency AC power supply requirements may produce some variations on these configurations, they represent a wide variety in system success criteria for reliability evaluations. The design variability of emergency !.: ;; c.g.c y,ti.w L A ther complichi.ed wy dependencies on certain support systems that, by themselves, have a multitude of designs. These support systems include cuulic.g systems (air or water), DC power, and heating, ventilation, and air conditioning (HVAC) systems. Moreover, maintenance and testing activities vary considerably, which can affect the reli-ability of the emergency AC power system. Emergency AC power systems can be considered in two separate parts: power supplies and the power distribution system. In general it has been found tnat the individual components of the3 emergency AC power distribution system from the safety (switchgear) buses to the safety components are not significant con-tributors to the unavailability of AC' power in regard to the station blackout issue. This statemer,t is true because many independent, separate, and diverse distribution system components must fail to cause loss of all AC power to the safety systems. Although fires and earthquakes have the potential to cause such distribution system. failures, these hazards have been studied as separate safety
~
issue's,.and were not systematically assessed as part of the station blackout issue. Substantial operating experience data were investigated to identify and esti-mate important reliability characteristics of emergency diesel generators. , Initially, diesel generator reliability performance information was collectea from 45 nuclear power plants with 86 diesel generators (NUREG/CR-2989). A summary of the emergency diesel generator statistical data collected is pro-vided in Table 4.la. In addition, information regarding diesel generator out-ages and downtime was obtained from responses to TMI Action Plan (NUREG-0737) items from licensees of plants with 58 diesel generators, and more than 1500 licensee event reports (LERs) covering 5 years from 1976 through 1980 were re-viewed for failure information. Analysis of this operating experience showed that, on the average, diesel generators failed to start, load, or continue run-ning approximately 2 times out of every 100 demands. It was also observed that, during the actual loss-of-offsite-power events through 1983, there were 19 in-stances in which one or more diesel generators failed, operated in a degraded condition, or were otherwise unavailable. During most of these events, the degraded diesel generators were able to meet minimum performance requirements and failed units were promptly restored to an operable condition. This informa-tion was supplemented with data collected from licensee responses to Generic Letter 84-15 (NUREG/CR-4347) for the years 1981 and 1982. A more recent EPRI study (Wyckoff, September 1986) has provided emergency diesel generator failure-rate data for the years 1983 through 1985. Emergency diesel generator failure statistics derived from the EPRI data are shown in Table 4.lb. NUREG-1032 4-4
6 6 Table 4.la D'iesel generator start attempts and failures for tests and actual demands
- from NUREG/CR-2989 No. of Auto-auto- start Start No. of Fail- start fail-attempt No of fail- ures per fail- ures per Unavail- Unavail-category demands ures demand ures demand able abili.ty Test 13,665 253 0.019 55 0.004 ---
0.006 Loss of 100 5 0.05 3 0.03 3 0.03 offsite power ** All 539 14 0.026 5 0.009 3 0.006 emergency demands ; Failure to run: 2 4 x 10 3/hr***
"Summarizing the responses to diesel generator reliability questionnaires based on 45 nuclear power plants, with 86 diesel generators, for operating years 1976 through 1980. ,
** Updated from data reported in NUREG/CR-2989.
*** Based on 314 attempts at scheduled run time of 6 hours or more with 9 failures to run during these attempts.
Table 4.lb Diesel generator start attempts and failures for tests and actual demancs from EPRI study (Wyckoff, Sept. 1986). Start Failure attempt No. of No. of per Unavail-category demands ~ failures demand able All 22,180 260" 0.012 --- Emergency 424 3 0.0071 Loss of offsite 41 1 'O.024 1 power l Failure to run: 3.2 x 10 3 l
- Includes 39 failures identified from LERs and/or categorized as hon-failures in EPRI study (Wyckoff, Sept. 1986). .
NUREG-1032 4-5 4
Figures.4.3a and 4.3b provide histograms of emergency diese'l generator failures. on demand for 1976 through 1982 and 1983 through 1985, respectively. Although the average failure on demand observed is about 2 x 10 2, there is a significant spread from the highest to the lowest demand failure rate. The average failure rate and range have not changed substantially during this period. However, EPRI data show an average failure rate of 1.2 x 10 2 per demand. A review of the data has not identified any particular type of failure :s the most dominant. At least in part, the reasons for this are (1) that there are several different types of diesel generators with different support and auxillery system des';r-op aat.ing at nuclear power plants, and (2) that maintenance and test activities are not standardized within the nuclear industry. Figure 4.4 shows the percent-age contribution of failure by subsystem. In general, sufficient information was not available to add high confidence to the correlation of root f ailure causes with specific design and operational factors. The data indicate that approximately 80% of the failures are the result of hardware-related problems and 20% are the result of human error. These statements are not meant to imply that any one particular diesel gener-ator is susceptible to all possible failure modes with equal importance. It is more likely that a few specific defects may exist, and if these are not discovered and corrected, failures may occur. The failures observed can be classified into three general types: (1) design and hardware failures related to mechanical integrit'y or various failure modes in the diesel generator subsystems, such as fuel, cooling, starting, and actuation (2) operation and maintenance errors related to the correctne s and adequacy of procedures or training, and human factors including the potential for errors of commission and omission (3) failures that occur in suhport systems, or at interfaces with support systems and other systems, that can irvolve DC control power, service (or raw) water cooling, environmental control (air temperature and quality), and interf ace with the, normal AC power system (undervoltage relays) From 1976 through 1985 there were 145 instances in whict) multiple diesel gen-erators were simultaneously failed, unavailable, or showed some degradation. There were 22 instances classified as common cause failures of two or more diesel generators (see Appendix B). Multiple diesel generator failures can occur when a fault or degradation exists ' involving a common factor or dependency for two or more diesel generators. Multiple failures may also occur as a result of design and operai.ing deficien-cies similar to those previously mentioned; but in this caso degradation or failure occurs concurrently in multiple diesel units. For instance, a defec-tive crankshaf t design may be such that mechanical failure is hig'hly likely to occur after a certain amount of usage. If two or more diesel generators reach that usage level at nearly the same time, concurrent failures may result. As another example, defective maintenance procedures and training could result in human errors causing failure or simultaneous outages of two or more diesel units. l l NUREG-1032 4-6 l 1
9 0
.. m. =<
.) ..
.< 1976 m<
o . 1977 s. 1978
; ., ; s< - .
. u, .
> u - =<
j .< - j w.
.. . {s<
e g s. , - =< ;
; .. .u r, ; ,
E
. x< ,
.. x. s -
x,
*< ~
't ' * * * **
4 ,
.. e . . e ., ; . e . - .. . u . . ; . . . . . . . . ..,,,,.
..o.......o...... ..es.s. -- ..... .. : 6. e . . 3. ....,
3,
- m. . ,
a< 1979 *- 1980
- i< . -
b
=< .E <
E<mm,.,au 1 i ; E-ar e *
. E, 9*
!1 ! Y<
- e e !
Mi _ F1 i M m m t
- se M 1. e 7 A 3 :9 *t *
&; *) . - A
- a 4 '
se: gag , * ;a 86 ,,as
- ee:g 6g , e a, se ,,,,
e
- n. .,
. =< 1981 =. 1982 a M< 1 .
M' j w. j wa , j .. - r .. .
.i ..
- r. ..
,, ; =<
., .< .r 4 . ,, .
r1 h. .
- h. .
o...,.... -o. . . w , .. .. Figure 4.3a Histograms showing emergency diesel generator failure on demand for 1976 through 1982 NUREG-1032 4-7 . g \ -
P i l 1 I l no - 3m 100 so -
)
so - n - e
; eo -
i2 - e - x - m - se - - l . _ - i O I 4 6 i i i 4 4 i l 01 02 03 04 06 06 07 Os 09 10 > 10 PmC8 A8ILITY 08 sa,Lynt no - 3, "o 1985
,, _- im -
m - x - 5 - l . . 1 n - n - . a
- l e
m - .u gu - EW - e - e - m - m - x - m - 20 - - 30 - - m > ci 02 03 04 05 06 07 00 ' og 10$10 I 3 01 02 03 04 06 05 07 Os 09 10 > 10 Pmot AtiLITT 08 # AILyng PROS ASILITY OF F AILynt Figure 4.3b Histograms showing emergency diesel generator s failure on demand for 1983 through 1985 NUREG-1032 4-8
r! i 35 - . 1976'] so - - .- g 19> (2 25 - 2 O G
=
m 20 - O u 15 _ .: . . g -- , m
=
a . ,....
, 10 _
c: m - _ s 5 - 0
)
0 s t w A e F *e f k
~yfel
/ o p:E g n =
0 0
- 4 0 O
SUBSYSTEM 1 Figure 4,4 Failure contribution by diesel generator subsystem. e i NUREG-1032 4-9
l e Another type of common cause failure *is related to the existence of single,
. point vulnerabilities. Examples include a check vaive in a header of a cooling .
water supply, the unrecognized dependence on an obscure single control circuit ! or element, and the use of common fuel supplies and containers. Finally, common cause failures can be related to commonality of location witn regard to enviror. mental conditions for which adequate protection is not provided. These conditions can include fire, flood, dust, corrosive elements in the air, or temperature and humidity e.v.tnrc . In assessing the reliability of emergenc, ?C power systems, consideration was given to the fai bre modes, causes, and failure rates derived from the opera-tional data. Reliability analyses performed by Oak R'.dge National Laboratory (ORNt.) (NUREG/CR-2989) for 18 nuclear power plant AC power configurations and the plant-specific failure data were applied to derive typical system unavail-ability estimates. Figure 4.5 shows a histogram of the onsite AC power results for the 18 plants studied. The results of this ,,crk, summarized in Table 4.2, show thL diesel generator configyration studied, the calculated range of un-availability on demand, and the dominant failure causes for each group analyzed. Not surprisingly, for the least redundant system configuration, the independent diesel generator failure likelihood is the most dominant failure factor. As system redundancy is increased, common cause failures become more importan*. Common cause failures involving hardware failure, human error, and dependent system failures were .found to be important. l Although, for the most part, power supply outages resulting from testing and maintenance were nrt found to be large contributors to system unavailability, a few cases were identified in which extensive maintenance outages could cause significant system unavailability. The quality of test and, maintenance pro-cedures, however, can be an important factor affecting system reliability. Lower than average human-error-related diesel generator failures were observed j when procedures were clearly written and had a sufficient level of detail, in-cluding complete check lists so operations personnel could verify that normal values were properly indicated after maintenance. ; 1 The impact of dependent systems (such as service water cooling and DC power) on the reliability of the emergency AC power system varies from plant to plant. ' l The ORNL analyses did not go into detail on the reliability of those support , sy s tems'. However, failures of dependent systems that affect the emergency AC power system seem to be dominated by single point passive failures or human i error. An unreli W e support system can cause an unreliable AC power system. Because f.hese suppcrt and auxiliary systems also tend to be important for the operation of decay heat removal systems--and to some extent for the supply of normal AC power from the offsite power sources--single point vulnerabilities ard ' numan error failures in these systems have added importance. Another potentially important reliability parameter involves the 1ikelihood of a failed power supply (diesel) being restored to an operable state during a ! loss-of-AC power transient. A histogram based on emergency diesel generator . repair times following a failure is provided in Figure 4.6. The median repair time is approximately 8 hours. These data represent an aggragate for all types of failure modes, and, for the most part, they represent repair times during i j non-emergencies. Primarily these failures occurred during plant operation, Out some occurred during plant shutdown. Thep do not include autostart failures. - NUREG-1032 4-10
8-6- u 2
.c 4- .
c: c:: ! E ; 2* 2 l l l 0 , l' 3 3:10 3 1x10 2 3:10 2 1, ' ' ' 1 x10 3 x 10 1x10 UNAVAILABILTY
~
Figure 4.5 Onsite AC system unavailability for 18 plants studiec in NUREG/CR-2989 NUREG-1032 4-11
. e Table 4.2 Results of onsite powe'r system reliability. analysis -
reported in NUREG/CR-2989 Diesel generator Range of system unavail-configuration- ability per demand Dominant failure causes [of3 4.2 x 10 3 to 4.8 x 10 2 Independent diesel failure; human error CCF*. 1 of.2 1.1 x 10 3 to 6.8 x 10 3 Independent diesel failure; human error CCF. T&M** outages. 2 of 4 3.7 x 10 4 to 1.7 x 10 3 Human error and hardware CCF. 1 of 3 1.8 x 10 4 to 7,2 x 10 4 Human error, hardware, and service water CCF, indepen-dent diesel failure; OC
, power CCF.
2 of 5 1.4 x 10 4 to 2.5 x 10 3 ~ Human error, hardware, ; service water, and DC power CCF.
"CCF's common cause faiTures -
; **TLM = test and maintenance
*. a k
4 s 1 1 . NUREG-1032 4-12 1
-- - . , = . , - ~ ~ ~ . - - . - - - , ,, ,,-,,,.-------n, - . - - , - , - - . - - ...._--,1- . _,.
6 4 It ' i i 2 o , ,,
- 1. ,-
*3 e i:
L 5 y e o c. m w c + o -
.. 0 -
.c 4
2 F l f
.Hw 2 ) i '
- n o n 1. i,~
i me 5tnce ;iesei G : e'..- = ' ..' -
~.i i
1 i Figure 4.6 Percentage of emergency diesel generator failures repaired vs. time since failure Source: NUREG/CR-2989 . i l l
. i 2
NUREG-1032 4-13 l
o
- It is difficult to determine whether these' data overestimate,or underestimate the diesel generator repair time anticipated du' ring an emergency. There are reasons to believe that theta data overestimate the time required to repair a failed diesel generator during a station blackout. Because the typical limiting condition for operation (LCO) for a single diesel generator out of service is 72 hours or more, there is no urgency to restore a failed diesel generator as quickly as would be the case during a loss of all AC power. In addition, the LCO may not have been in force if the plant were shut down when a test failure occurred, which also would have lessened the urgancy fn' capir. Moreover, if a tailure did occur when alternate AC power sources were available, it might be seen as an opportune time to perform other routine maintenance on'the failed 01esel generator.
Conversely, the repair time could be underestimated by virtue of the confusion , that could occur during a station blackout event. Under stressful conditions, l human error is usually higher than it is under normal conditions. The d.iesel failure problem would have to be diagnn o d, neaded equipment wculd have to be obtained, and correct repair procedures would have to be followed; all this would have to be done undtr time' constraints and pressure, without AC power available. Also, maintena1ce and operations personnel resources would be ci-vidad between activities f(r restoring both offsite and emergency poser supplies. In addition to conducting tae plant-specific analyses, ORNL constructed generic models h different emerger cy AC power configurations. These generic mooels were .used to estimate systen reliability as a function of the important char-acteristics identified in tre plant-specific analyses. Typical system dep.end-encies and nominal values for common cause failures and procedural errors were assumed in the models, and sensitivity analyses were performed to determine tne importance of all the factors considered. Overall, the most important factors tended to be system redundancy and the re. liability of emergency diesel genera-l tors on demand. Not' surprisingly, it was found that common cause failure is i most important in highly redundant system configurations with hignly reliable (for independent failure causes) diesel generators. Based on these considerations, the NRC staff performed additional analyses of emergency AC pcwer system reliability to extend the quantitative results anc further e glore the sensitivities. Figure 4.7 shows the effect of varying emergency diesel generator reliability on emergency AC power system reliability for several configurations, both with and without common cause failure. The sensitivities of system reliability estimates on variations in diesel generator running reliability are shown in Figure 4.8. Additional results, parametric analyses, and details of the analytical model are provided in Appendix B. Thus, on the basis of a review of operating experience and reliability analyses, the following factors have been identified as being the largest contributors to AC power system unavailability: - (1) the configuration of the diesel generators in terms of the number avail-able and the number required for shutdown cooling (2) the reliability of diesel generators or other power sources used in the emergency AC power system NUREG-1032 4-14
~
10 ' _
~ With EDG Common Cause Failure
~
~ --- Without EDG Common Cause Failure
~
Emergency AC Configuration (2 of 3)
>. 3 v a2 __ 11 of 2i N N
O 2 \
= -
N 5 s N N
\
N E N N N N N \
$ \ (2 of di N N ~
g ' \
!ll 10 3 -- N N e
a - s%g% (1 of 3) N. C
< I
\g \
\
t - N S N \ s - N \
- N \
\ \
N \ N \
\ \
_ \
~ \
\
10 5 ' ! I I I ! 0.90 0.92 0.94 0.96 0.98 1.00 EDG RELI ABILITY Figure 4.7 Generic emergency AC power unavailability as a i function of emergency diesel generator (EDG) reliability l 1 4 NUREG-1032 4-15
P l l 10'i y -- - i p- ~ - -- p i i ,
~
Base Case Common Cause.
~
Failure to Run Rate . Common Cause Failure to - Run Rate is 0 N .
~
N N -N-N N b y - N N NN N
< \ N
=f N N y -
\ \ 2of3 -
< \
! N
=. N w -
N h, 10-3
\ s 1 of 2 -
4 U 2 - -- -
$ * === % 2 of 4 m - -
~
2 ~ ~
'--------- _ _ 1 of 3 1 I I I I I 10'd 0.980 0.984 0.988 0.992 0.996 1.000 ;
EDG RUNNING RELIABILITY Figure 4.8 Generic emergency AC power unavailability as a function of individual diesel generator running reliability - i l NUREG-1032 4-16
' ^
2 (3) the dependence.of the " power system on' support or auxiliary' systems used for actuation, contro; or cooling ' (4) the' vulnerability of the AC power system to common cause failure as a result of various design, human error, and internal or external environ-mental hazards l In general, it has been observed that problems with onsite emergency AC power systems are very plant-specific, and improvement in system reliability would have to be developed on a plant-by,-plant' basis'. b k f f I i 3 i 1 P i i I 1 l L j NUREG-1032 4-17 ' 4 a
e 5 STATION BLACKOUT FREQUENCY AND DURATION There have been several incidents at nuclear power plants that could be classi-fied as precursors to station blackout. In fact, there have been a few cases in which loss of offsite and emergency AC power supplies occurred simultaneously. However, none of these eicnt: prc.greised to be a significant safety concern. Many of these incidents occurred when plants were shut down or during refueling, W n station blackout concerns are much reduced and the LCO--in terms of num-bers of offsite and emergency AC power supplies available--are reduced. The lack of a significant number of station blackout events is not surprising when one considers past frequency of loss-of-offsite power events and the re-liability record of emergency AC power systems. As a result, it has bee'n necessary to estimate station blackout frequency by combining loss-of-offsite-power-event frequency and duration correlations with the emergency AC pc er reliability models. (Appendix B describes the methods used to derive station blackout frequency and duration estimates ) Figures 5.1 through 5.3 give the results of sensitivity analyses performed to determine the (ffect of design, location, and emergency AC power supplies relia-bility. Specifically, Figure 5.1 shows the effect of site location and offsite power' system design as r~epresented by offsite power clusters 1, 2, 3, and 4 (These clusters are defined in Section 3 and Appendix A.) These clusters were combined with a typical, two-diesel generator, emergency AC power system with a diesel generator reliability of 0.975. Cluster 2 is a close representation of the average of nuclear operating experience with regard to the frequency and duration of loss-of-offsite-power events.' Cluster 4 represents sites with rel-atively high severe-weather hazards and susceptibility to failure from those hazards. Cluster 3 has slightly lower severe-weather ha:ar'ds than cluster 4 Cluster 1 represents the combination of the more reliable offsite power desig-features and sites with. low severe weather hazards or low susceptibility to seve,re weather hazards. The estimated frequency of longer duration station blackouts is dependent on the likelihood of the more damaging and extensive losses of offsite power for which severe weather hazards have been identified as a principal contributor. (Note: Seismically induced loss of offsite power has not been included, but could be accounted for through a hazard evaluation and fragility analysis; this consideration is discussed in Section 9.) Figure 5.2 shows the effect of variations in emergency diesel generator reliabil-ity for the typical offsite system (cluster 2) and emergency AC power system (1/2 configuration). The. largest change in frequency per percentile change in diesel generator reliability is obtained when reliability levels a.re lowest (0.9). This is somewhat of an artifact of the model in which common cause fail-ure rates are kept constant. If there were no common cause failure'contribu-tions, or if common cause failure were correlated with the' independent failure rate of diesel generators (and it may be), the frequency reduction couio De pro-portional to the square of the percentile change in diesel reliability for the configuration analyzed. e NUREG-1032 5-1
. o 10 2 ; , i i i 1 5
. ~
. ~
~
1/2 EDG Configuration O.975 EDG Reliability 2 10'3 :- i D E c ~ T.i _ ~
@ _ ~
a:
$' ' O'*- ? - i c - .
zw - _ 2 . o 10 5 j Offsite Power :-
@ Cluster r -
2 4
' i:
w 10 6 E 3 5
~
2
- 1 S
-1 4
10'7 O 4 8 12 16 BLACKOUT DURATION (Hours) I e Figure 5.1 Estimated frequency of station blackout exceeding specified durat, ions for several representative offsite power clusters . I I I
- r. '
NUREG-1032 5-2 i i
4 10 2 ;; , , ; , i R
~
Offsite Power Cluster 2 _ 1/2 EDG Configuration f 10'3 i: 1 a ~ g . e _ g h
- 10'" 7
~5 O
2 . . w 3 . . O
$ 10 5 7 .
7 5 EDG E I C Reliability : r _ _
< ~ -
E. 0.9 P ' r.n 10'6 _ 0.95 w - _
; 0.975 0.99 -
! I f ' '
10'7 O 4 8 12 16 BLACKOUT DURATION (Hours) l Figure 5.2 Estimated frequency of station blackout exceeding specified durations for.several EDG reliability levels i NUREG-1032 5-3 l J
9 l i : 10 3 :: i i i ~ a - 3 - E Offsite Power Cluster 2 10 O.975 EDG Reliability ~3
? :-
3 : - v . - g . c:: _ E ,
- c. 10-5 ,
5 E a - g - AC Power Configuration - O '
=
W 10 b 2,3 : c _ 1/2
~
O [ .
~
~
l h - E 10'7 e 3 5 2/4 - 1/3 _ I l 8 i ' l 10 4 0 12 16 0 BLACKOUT DURATION (Hours) I Figure 5.3 Estimated frequency of station blackout exceeding specified durations for several emergency AC power configurations NUREG-1032 5-4
, Figure 5.3 shows the effect of emergency AC power configuration and success ' criteria. on station blackout frequency, using a diesel generator reliability of O.975' and a generic common cause failure rate. Again the effect of common cause failures on system reliability is t'o reduce the difference between the four configurations that would be. expected from simple redundancy considerations.
The results of the station blackout sensitivity analyses show that there is a potential for wide variation in frequency and duration, depending on location, design, and reliability. (Additional results are in Appendix B.) NUREG-1032 ' 5-5 .
^
i i I l t 6 ABILITY TO COPE WITH A STATION BLACKOUT L Station blackout is a serious concern because it has a large effect on the avail-ability of systems for removing decay heat. In both PWRs and BWRs, a substantial number of systems normally used to ceci the reactor are lost when AC power is not available. A loss of offsite power will usually result in the unavailability of the power conversion system and, in particular, an inability to operate the main feedwater system. Power to reactor coolant system recirculation pumps will also be lost, requiring that natural circulation be used for cooling to shutdewn con-
> ditions. When the loss of offsite power is compounced by a loss of the emer-gency AC power supplies, reactor core cooling and decay heat removal must ce accomplished by a limited set of systems that are steam driven, passive, or have other dedicated (or alternate) sources of power. Unless special provisions are i
made, the plant will have to be maintained in a "hot" mode (het chutdown or , possibly hot standby) until AC pcwer is restored. Table 6.1 lists which func-tions and systems for PWRs and BWRs would be lost and which would re ain avail-able during a st6 tion blackout event. Decay heat can be removec successfully, using the AC-independent systems identified, for a limited time, depending on functional capabilities, capacities, and procedural adequacy. For PWRs, decay heat can be removed by use of a steam-driven or dedicatec ciesel-driven train of the auxiliary feedwater system' (AFWS). Decay heat would be re-jected to the environment by the atmospheric dump valves (ADVs) or, if necessary, by the steam generator relief valves. Because residual heat removal systems; < reactor coolant makeup systems, and systems to control reactivity through boration would be incperable, the plant must ce maintained in a hot condition. I The plant's operating state (primary coolant pressure and temperature) woule ce maintained by manual operation of the AFWS and atmospheric steam dump valves. l ]' With primary coolant pumps Gnavailable, reactor core cooling would be achievec through natural circulation. ! If the AFWS can remain operable, and if primary coolant inventory can be maintained at a level adequate to maintain the core cooling / heat transport i loop to the steam generators, a PWR should be able to stay in this mode of decay heat removal for a substantial period of time. The amount of time that decay heat removal can be maintained in a PWR is generally limited by primary pressure boundary leakage and the capacity of certain support or auxiliary systems. The sources of potential leakage include reactor coolant pump - ' seals, unisolated letdown lines, and a stuck-open oilot-oper ated relief valve 1 (PORV). With provisions for manual isolation of letdown. lines and reduced frequency of PORV demands, the reactor coolant pump seal leakage rate is considered to be a potentially limiting factor for some designs. If the l leakage rate is low (on the order of several gallons per minute) f.his concern I is negligible. However, if seal leakage is on the order of 100 gpm or more, reactor coolant system inventory depletion will be a factor limiting decay heat removal for an extenced period of time. l l l 4 NUREG-1032 6-1 i _ - _ - _ . _ _ _ _ _ - - _ _ - - _ _ .__ _ _._ _ _ -. ,._ __ U
Table 6.I Effects of station blac'kout on plant decay heat removal functions Plant Functions (systems) Functions (systems) ! Type remaining lost ~ PWR Shutdown heat removal (steam- Shutdown heat removal (motor-driven auxiliary feedwater driven AFWS) ! iy,tas., (AF43), atmospheric ' dump valves) Long-term heat removal (residual heat removal (RHR)] Instrumentation and control Reactivity control (chemical) (DC power / converted AC volume and control system) power, compressed air reservoir) , Reactor coolant system (RCS) makeup > [high pressure injection syster.] Pressure and temperature control (pressurizer heaters / spray and l pilot-operated relief valves) Support systems (service / component cooling water systems; heating, ventilation, and air conditioning ; (HVAC); station air compressors] , l BWR, Shutdown heat removal Long-term heat removal (RHR) ; 2/3 (isolation condenser, fire water system) , RCS makeup (low-pressure cere : spray. system, feedwater cochn* injection system) j
. Instrumentation and control Support systems (service /
(DC power / converted AC component cooling water systems, , power, compressed air HVAC, statica air compressors) l reservoirs) l l BWR, Shutdown heat removal and RCS Long-term heat removal.(shutd6wn' 1 4-6 makeup (high pressure coolant cooling system, low pressure j injection or high pressure coolant recirculation system, core spray / reactor core suppression pool cooling system) isolation cooling systems) Instrumentation and control Support systems (service /compor.cnt (DC power / converted AC power, cooling water systemt. HVAC, compressed air reservoirs) station ~ air compressors) l i l 1 1 NUREG-1032 6-2 j
Natural circulation cooldown in PWRs has been successfully demonstrated by ac-tual operating experience. The process becomes more difficult with AC power I a unavailable because reactor coolant makeup systems, to accommodate system shrink- l age and pressurizer heaters or sprays to help control primary system coolant ; conditions, are inoperable. Nevertheless, analytical evaluations (Fletcher, : 1981) and experimental observations (Adams, et al. 1983) show that decay heat j removal can be achieved with the operational limitations associated with a sta- l tion blackout. In fact, core cooling is expected to preclude core melting even with significant voiding in the primary coolant system if the steam generator , is maintained as a h:ct sira. l , To assess station blackout, Bars have been divided into two functionally differ- i l ent classes: (1) those that use an isolation condenser cooling' system for decay l . heat removal and do not have a makeup capability independent of AC po.er (B.R-2 l and -3 designs), and (2) those with a reactor core isolation cooling (RCIC) sys- c i tem and either a steam-turbine-driven high pressure coolant injection (HPCI) sys- [ tem or high pressure core spray (HPCS) system with a dedicated diesel, any of ' i which is adequate to remove cecay neat from the core and Control water inventory t< fitions in the reactor vessel'(BWR-4, -5, and -6 designs). Because BWRs are oesigned as natural circulation reactors, at least at reduced power levels, the ; loss of reactor coolant recirculation poses nc special considerationi Moreover, i reactivity control during cooldoon is adequately maintained by control rod in-sertion, an action that would occur automatically on loss of all AC power. a The isolation condenser BWR has functional characteristics somewhat like that-
- of a'PWR during a station blackout in that normal makeup to the reactor coolant syst,em is lost along with the residual heat removal (RHR) system. The isolation condenser is essentially a passive system that is actuated by opening a conden- ;
t sate return valve; it transfers decay heat by natural circulation. The shell l side of the condenser is supplied with water from a diesel-driven pump. However, ! I replenishment of the existing reservoir of water in the isolation concenser is l j not reovired until 1 or 2 hours after actuation. It may al.so be possibl.e te j remove decay heat from this class of BWD,s by depressuri:ing the primary system ; i and using a special connection for a fire water pump to provide reactor coolant ; makeuc. This alternative wou'ic require much greater operator involvement. ' l' Some BWR-3 designs have acced !* ECIC system, giving makeup capacility to the AC-power-independent decay. heat removal capability of the isolation condenser cooling system.
- A large source of uncontrolled primary coolant leakage will limit the time the ;
isolation condenser cooling system can be effective. If no source of makeup is' provided, eventually enough inventory will be lost to uncover the core. A stuc k- ! open relief valve or the reactor coolant recirculation pump seal are potential ! sources.of such leakage. When isolation condenser ccoling has been established, ; 2 the need to maintain the operability of such auxiliary and support systems'as ! OC power and corpressed air is less for this type of BWR than it is for the PWR, ! ! However, these systems would eventually be needed to recover from the transient. I i BWRs with RCIC and'HPCI or HPCS can establish decay heat removal by discharging i i steam to the suppression pool th. rough relief valves and by making up lost coolant l l to the reactor vessel. Irr these BWR designs, decay heat is not removed to the i environment, but is stored in the suppression pool. For this type of BWR design, j . long-term heat removal in the form of suppression pool cooling or r.e'sidual heat { l removal, using low pressure coolant injection and recirculation heat transport i
- i d
l l NUREG-1032 6-3 l
. . H
- 9 loop's, is. lost during a station blackout. The tim'e that the plant can be main-tained in a safe condition without AC power' recovery is determined, i'n part, by the niaximum suppression pool temperature for which successful operation of decay neat removal systems can be ensured both during a station blackout event and when AC power is recovered. At high suppression pool temperatures (around 200*F),
unstable condensation loads may cause loss of containment suppression pool integ-rity. Another suppression pocl temperature limitation to be considered is the qualification temperature on the RCIC or HPCI pumps to be used during recircula-tion. Suppression pool temperatures may also be limited by net positive suction head (NPSH) pirc..cc.t; fu, r4. h. systems t equireo to ef fect recovery once AC power is restored. In general, all light water reactor (LWR) designs include the ability to remove decay heat for some period of time. The time depends on the capabilities ano capacities of support systems, such as the quantity and availability of water required for decay heat rejection, the capacity of DC power supplies and com-pressed air reservoirs, and the potential degradation of components as a result of environmental conditions that arise when heating, ventilation, and air condi-tioning (HVAC) systems are not operating. System capabilities and capacities are normally set so the system can provide its safety function during the spec-trum of design-basis accidents and anticipated operational transients, wnicn does net include station blackout. Perhaps the most important support system for both PWRs and BWRs is the DC pc-er supply. During a station blackout, unless special emergency systems are pro-vided,-battery charging capability is lost. Therefore, the capability of the DC system to provide power needed for instrumentation and control can be a sig-nificant time constraint on the ability of a plant to cope with a station black-out. DC power systems are generally designed for a certain capacity in the event of a design-basis accident with battery charging unavailable. However, the sys-tem loads required for decay heat removal during a total loss of AC power are somewhat less than the expected design-basis accident loaos on,the DC co er sys-tem. Therefere, most DC power systems in eperation today have the capacity to last longer during a station blackout than they woald be expected to last dur-ing a design-basis accident. Another important. factor in re' gard to decay heat removal during station blackout is the capacity of the condensate storage tank. Normally, this tank contains a sufficient amount of water to cool the reactor until the RHR system can be placed in operation. Because the RHR system is not available when all AC power is lost, the ability to cope with station blackout is a function of the concensate storage tank capacity. The ability to provide makeup to the condensate storage tank with systems and/or components that are independent of station AC power would extend this potentially limiting factor. Also, during a station blackout, there may be need to operate some pneumatic valves, such as a steam dump valve. Because AC power is not available, the statien air compressors will be lost. For this reason, local air reservoirs are normally provided to permit the valves to be operated foi a limited number of cycles. After the air supply is exhausted, these valves may have to be operated manually by the operations staff, or additional portable air tanks would have to be connected. NUREG-1032 6-4 i
4 j During a station blackout, normal plant HVAC would be unavai,lable. 'The equipment needed to operate during a station blackout and that required for recovery f rom a station blackout would have to operate in environmental conditions (e.g., temperature, pressure, humidity) that could occur as a result of the blackout. Otherwise, failures of necessary equipment could lead to loss of core cooling and decay heat removal during the blackout or failure to recover from the event when AC power is restored. The instrumentation and control elements of compo-nents required during station blackout are the most likely to be impacted by adverse environments. However, only limited equipment in the control room woule have to be operable, thus limiting equipment generatec heat loads in that loca-tion. The same would be true for equipment in auxiliary buildings and inside containment, although sensible heat from pre-existing sources could be consider- - 1 able. For control rooms and auxiliary buildings,. opening doors shoulc alloa enough heat to escape to maintain equipment in an acceptable operating environ-ment. Temperature-sensitive equipment located in normally enclosed cabinets that rely on HVAC systems to remove heat generated during normal operation could be subject to failure or degradation unless ventilation is provided. Most equip-ment in containment is designec to function in the more limiting environment associated with a design-basis loss-of coolant accident, and there, fore, ceuld be oxDected to function during a station blackout. Table 6.2 summari:es the design-related factors that have been identified as
- , potentially limiting the capability of LWRs to cope with a station blackout.
Actions ne'cessary to op.erate systems that are needed to establish and maintain decay heat removal and fully recover from a station blackoJt would not be routine. The operator would have somewhat less information and operational flexib'ility than is normally available curing most other transients requiring
; reactor coolcown. On the other hand, the loss of all AC power is an easily '
) diagnosed occurrence, although it is not always easily correctec. Ooerational staff activities would have to be directed at both reactor decay beat removal requirements and the restoration of AC power. These activities would include manual operations within the control room to control the ra*.e of core decay heat removal and special operations outside the contr'ol room. The latter woulo include repairing failed components, isolating sources of reacter 2 coolant leakage, conserving DC power through load stripping, making available 4 alternate makeup water supplies, hooking up compressed air bottles, and possibly starting local manual operation of some components. The success of these activ-ities would require preplanning, training, and procedures'. In addition, ade-quate lighting and co:r.munication would be required. Where local access is 1 necessary, security and working environment (pressure, temperature,, humidity, and radiation) could be limiting factors. i In PWRs, operators must control the rate at which the AFWS removes heat from the steam generators to maintain the proper pressure and temperature balance within the primary coolant system. This balance then allows adequate natural circulation and t')e maintenance of adequate water level in the pressurizer. Although analytical and experimental evidence suggests that natural circulation and adequate decay heat removal can be maintained when pressurizer level is lost (and, in fact, when a two-phase flow mixture exists in the reactor coolant system up to the point the reactor core is uncovered), these conditions woulc complicate actions. the recovery process and acc to the difficulty of operater recovery d NUREG-1032 6-5 1 l I
d Table 6.2 Possible factors limiting the ability d to cope with a station blackout event - 4 a Type of plant Limiting factor PWR BWR 2/3 BWR 4/5/6 RCS1 pump seal leakage X X , t RCS letdown / makeup and water X X chemistry control lines : t Stuck-cpen relief valve X X , ~ DC battery capa' city (instrumenta- X- X X tion and control) Compressed air (valve control) . X X X Decay heat re eval water supply X X X (condensate, firewater) Operating environment
. (temperature)
~'
Control room - X X X j (instrumentation and. control) Containment X I (suppression ; j pool, wetwell, t l drywell) , Auxiliary building X X i (HPCI3/RCIC4 l (AFWS2/ room) room) 4 > j 1RCS = reactor coolant system. ;
) 2AFWS = auxiliary feedwater system. i 1 3HPCI = high-pressure coolant injection. :
4RCIC = reactor core isolation cooling. . i , ' l l b . I s
) !
i l NUREG-1032 6-6 l
- l
I In BWRs, the isolation condenser appears to need less operator attention, i However, operators would have to ensure that automatic depressurization does { not occur and that the makeup system to the isolation condenser is operating i properly within approximately 2 hours of the loss of AC power. I.s BWRs with HPCI or HPCS and RCIC, the operator must control pressure and the level of i reactor coolant in the vessel. This requires actuation of m<keup and i relief systems, In all LWRs, operators would have to be prepared to deal with the effects of i the loss and restoration of AC power on plant control and safety system set , points to limit additional transient complications and ensure operability of l AC powered cooling systems. G S S e 4 NUREG-1032 6-7
u v 7 ACCIDENT SEQUENCE ANALYSES Accident sequence analyses have been performed to determine the accident pro-gression characteristics (Fletcher, 1981; NUREG/CR-1955; Schultz and Wagoner, 1982; and NUREG/CR-2182) and likelihood (NUREG/CR-3226) of a station blackout. Using fault trees and event trees, these analyses have identified functional and system failure characteristics of accident secuences. Reactor coolant sys-tem transient response analyses were used (1) to determine the capability of a plant to cope with station blackout and (2) for potentially important functional f ailures during a station blackout, to estimate ho much time would be as silable for AC power recovery before core damage and core melt. Considering the decay heat removal system capability recuirements anc the asso-ciated systems' reliability, fail.ure modes, and failure causes, three pnases ; of a station blackout transient Were identified. The first phase includes the ' need for prometly actua' ting decay heat removal systems and the potential for a l station blackout incuced loss-of-coolant accicent (LOCA), either of whien can ' result in a loss of core cooling within 1 to 2 hours. The second phase lasts l up to approximately 8 to 12 hours and includes operational limitations in the capability of continued decay heat removal considering limited capacities (such as DC power, condensate-storage tank) or interactive failure [fer example, hign temperature effects due to less of heating, ventilation, and air conditioning (HVAC)), and the potential for reactor coolant loss (such as, through pump seal leakage). During this period, the running reliability of the system is less important than the successful initial actuation of the AC-indepenaent cecay heat removal-systems. The third phase involves the need to eventually recover AC power and establish a stable, con.trollable mode of decay heat removal.
]
As ciscussed abose, consicering the systems anc functions available for the dif- i ferent PWR anc B'aR designs resulted in the development of three event trees for l the icentification of station blackout accident sequences. Figure 7.1 snoas the ! esent tree for FWRs; Figure 7.2 sho s it for Bars that use an isciation concen-ser; and Figure 7.3 for EWRs that have AC-independent makeup systems [ reactor or core isolation cooling (RCIC), hign-pressure core spray (HPCS), anc high-pressure coolant injection (HPCI)]. The event trees are characterized not only by the systemic and functional considerations important to station blac.kout accident secuences, but also by the phases of the transient that would affect the plant response and system operability for station blacsouts of various dur-ations. The event trees show the loss of all AC power as the initiating event and proceed through decay heat removal, reactor coolant inventory (integrity), and restoration of AC poner to enable operation of the normal decay heat re-moval and makeup systems. The accident sequence logic is similar for PWRs and those isolation-concenser BWRs that do not have the capability to.make up lost reactor coolant during a station blackout. These plants are susceptible to degraded core cooling as a result of relatively small losses of reactor cool-ant. The accident sequence logic is somewhat different for BWRs with reactor coolant makeup available during a station blackout. Most losses of reactor coolant caused by station blackout can be accommodated by the available reactor 4 NUREG-1032 7-1
.! , t- ; . -
- i _
u . oeu 7*a~ "* .,.y,* y u. u* 7'
- o _
_ 'C L r/L D l d L A n O .DD CO A T aPA tUV i l T I I CCI vtO E 4
. DR EMR I C
. E I TLLE TEE VS oK M ,
- tt o
rL T V51 RAOP N T P- M CAL N p l MA V N I OE vN I X OE tMA p E U r
.oEE EE TT I .O ( T S M S S . O q _
A CM S S C EtKI n. T M CNI CY CCT L q CY I S tE sR C W A5 SRET DI T AS ARM S O~. "~ c"_ ~o"~ o " ,, gv i*~. *=
' b Yeo .
Ye-h= . You h= oo .o Y e ,. s Oto . I awe.. n p hw g 2 *cne- .. Y ou=.-
., * $oeu Oc _
$cu - e- = .
- v 1 $rueu be jo -
e s on. . ceO s $ r u o .,= . b** b~ e,.ou=.4 naa. - Y o.=o = Yo=. - b1v Yc =o .
- 0, _
Yre~ _ na. - a
-eg, Y c o.=o Yco== - .
s o,.n m aC7es M,*e- ae3es*n }m o<e3+r ,9ee
- , .a g,O3 3anxoC r
, o :s -ss*-
e 2CmmOsnm dr;Ne 2E OewOM mon .
.. _ _ . . _ _ . _-_ .m. . _ . _ _ _ . _ _ _ - _ . - - ____ __ -___ . _ _ _ _ _ _ . - _ . . _ _ _ _ _ _ _ _,__. _ - . . _. __ _ _ _ _ _ _ _ _ - - _ _ - _ _ - - - - -
z . . C m m Q ~ o
- x 2 %'
.- a
=
t:- Station IItackout N
's = . - o o O to e e o o e m e v
N c [ e e
-s e
- DECAY MT.
) ,M _C REMOVAL g - ((SOLATION y COND.) u m c, I o o e ' 7 C s 3 e
- RCS INTEC. "
n s n' -- ~~ -
, ; AC TO VITAL
- or -
SYSTEMS Z 1^ C m
,M,, .
O < DECAY MT. N ett - REMOVAL 1W n 3 .
,C EXTENDED M e ,
e - TIME PERIOD w e M N s M - aCS IMIEC. [ ' O
-s u IN EXTENDED u o -
TIME PERIOD ,7 s se .e d w
- -a
= 0
- -- -- - AC TO VITAL 3
27 SYSTEMS 3 m y m 2 m a . m
- a n *
- O pr . .
AC RECOVEMD- e S
^ >
{ w
; DCS MAK Et;P/
NT. REMOVAL Z to E 7 9 n
- e N
O 4 4 4 4 4 e w 4 4 4 4 4 2 E B B B B B 4 4 4 4 31 E 3 3 3 E E E E w C O C C C C v
- .C. .C .C- -O - u u u u O O u u .e.
e
.e. w e e me o gggggggg
.o .o.
o - is Suoo ou eu .e-u o
.e
.=- oe u .e
- O O O O O O O O n O O n Q M U M O n O n O O O SEQUENCE M O M U M o M M M gggggg
1 t
~
0-2 hre. 212hre >12->24 hre, 2 $N a
$Yoo o-wo awo ao N sh>
sd
- 3 m-e U U. U. E "8 wE SEE U. "32 -w W
v w uu o U." 8 - > sww >
; "U
$w e5 e>
zwdw 30" ww o5 pr 82" a > E E E5 nu
, sw NE UY ud domf 0 0 us uGd O
" 08 no i
61 xv == <n sv-p s-> <a <ss , I (HCO) lugl lotl tagi (U2 1 (02) !* . I 182 3 or Taso ; TM81 Ct
. r i
TMBJ 01 I
-Success i TMB) en ,
-rellure small LOCA Tm0281 Of Small Tm02 82 01 ,
4 LvCA . TM73 8) CD TMUggB of l CO _ _ TmV 832 S n e l l TIC A TMU2 02 0 Of TMU2 028 , CD 5 = s t l Lic A Tug pgg 08 , s m a l l ti< A TmQg81 et i small TmCg 83 CK , l t.oc A l 3 , l TaOne ) CD S n e l l LOC A Tm01 U;8g 0E i 7501U;83 CD TmUgBg 08 1 l TMugag CD l Small LCC A TmUgCgMg CE i .
~
TmVgOga n CD l i 1 J Figure 7.3 Generic BWR event tree for station blackout (BWR-4, 5, or 6)
, Source: NUREG/CR-3226 l
NUREG-1032 7-4 e w- - - - - - . - , na - - , - - - - - ,aa . ----e-- -- -
) l.. . e coolant injection systems. Reactor coolant loss 4quivalent to that lost be-i cause of a stuck-opea relief valve can be accommodated by the RCIC systems. : l The HPCI or HPCS system can provide adequate makeup to cope with larger leaks. [ , All of the LWRs encompassed by the accident logic models are subject to the ; ! operational limitations for the longer duration blackouts as described pre- , i viously in Section 6. i The event trees end with a sequence outcome state designated as "OK," meaning I
- that stable, long term core cooling is achieved or achievable, or "CD," meaning j_ that an inadequate core cooling state is reached and some reactor core damage -
! can be expected. For the latter case, core damage can be expected to proceed j to core melt,if effective and timely measures to restore AC power and core j cooling are not taken or available. The potential difference between an acci- ; i dent sequence that ends in core camage and one that leads to core melt is deter- ' mined by evaluating the likelihooc of restoring core cooling and the cooling
; effectiveness from the onset of core damage to the time when irrevocable core i melting has begun. This latter time in the accident secuence progressicm is net
? well known because there are significant uncertainties in the moceling of core 4 melt phenomena. It has been estimated that the time bet.een the onset of core i da' age and time that a core n 1t would penetrate the reactor vessel is on the a oraer of 1 to 3 hours (NUREG/CR-1953, -2125). Consicering the low prooability that AC power would be restered curing this time period and the uncertainty in modeling this accident crocess, including the ability to terminate a core melt in crogress, it has been assumed that core melt would be the likely final out-2 come .in accident sequences that progress to core damage. k Detailed plant transient response analyses were performed to cover the spectrum l of sequences identified in the event trees (NUREG/CR-2161). The purposes of ! this work were (1) to better underrtand accident progression characteristics re- } lated to the timing of events and physical parameter values during the transient.
, and (2) to determine success states for systems, trains, components, and opera-
! tor acticns during station blachout sequences. The sequences were diviced into tnree groups: ! (1) f ailure of AC-inceper. cent decay heat removal with reactor coolant leakage J 1ess than Technical Specification upper limits (2) failure of reactor coolant system integrit'y (liquid or steam leaks) with j AC-independent decay heat removal systems operable ! (3) failure of AC-independent decay heat removal systems with loss of reactor } coolant system integrity 1 i Variations in system failure and actuation time; reactor coolant leak rate, and i operator actions were analyzed to determine both the potential for sequence . I outcomes with adequate (or inadequate) core cooling and the time in which j AC power must be recoverec to avoid core damage. - ! Table 7.1 shows the estimated time of core uncovery for station blackout se- ! quences with AC~ independent cecay heat removal systems not available. Plants i with Babcock and Wilcox (B1W)-type nuclear steam supply systems (N555), which l 1 nave a small steam generator secondary water inventory and, thus, the smallest heat capacity, would require the most prompt recovery to avoid core damage for this'particular seque'nce. For these plants, core uncovery was estimated to i 1 i NUREG-1032 7-5 'l
. i n l
- ~~' . .
. Table 7.1 Estimated time to uncover core for station .
blackout sequences with initial failure of AC-independent decay heat removal systems and/or reactor coolant leaks Sequence Core uncovery time (seennds) PWRs B&W CE W AFW failure 2715 6200 5800 Stuck-open PORV 3190 - 5040 100-gpm total leak 21070 - 27950 rate from reactor coolant pump seals . AFW failure and 2480 - 4800 stuck-open PORV BWRs GE HPCI/RCIC failure , 2300 HPC1/RCIC failure and 1680 stuck open SRV Source: Fletcher, 1981 occur witnin 1 hour. For plants with Westinghouse or Combustion-Engineering NSSS designs, core uncovery would taxe about 2 hours, as it would for a BWR-4 plant. Figure 7.4 shows how the core uncovery time is extended for sequences in which decay heat removal is initially successful but fails later during the accident. Estimates of the time core uncovery would take wi+h a stuck-open relief valve and other types of reactor coolant leakage are also provided in Table 7.1. For B'nRs with RCIC available (or HPCI or liPCS), adequate reactor coolant makeup is provided to mainta,in core cooling even with a stuck-open relief valve. The core uncovery time for PWRs would not be significantly shortened if a relief valve sticks open coincident w.ith the loss of the steam turbine-driven train of the auxiliary feedwater system (AFWS). This is because loss of the AFWS for decay heat removal usually results in primary system pres-sure relief, which removes decay heat almost equivalent to the energy loss of a stuck-open relief . valve with AC-independent decay heat removal, available. If a relief valve sticks open in a BWR without RCIC or in cases when the AC-independent decay heat removal systems are unavailable, the core uncovery time would be somewhat shortened. . NUREG-1032 , 7-6 ,
~ -
4 F' . l l l 1 h i Westinghouse I # E 4 - - - i 5
- 4 5
l O , B&W l t .. -
~
l d 2 ~ i
\
2 g , Assveing loss of offsite power, failure of all c diesci generators, technical specification
- 1eakage, turbine-driven auxiliary feeuwater I
(AFW) initially operates then fails.at a later ime. g l l l l 0 5 10 15 20 25 Tire of f..iiare of turbine. driven AFW (Hours) Figure 7.4 Time to core uncovery as a func'tien of time at which turbine-driven auxiliary feedwater train fails , Source: Fletcher, 1981. l NUREG-1032 7-7 f -
m - _ _ _ ._ _ l 3 i I j Complete accident progression analyses have been performed for several' key !
- station blackout sequences starting with the loss of offsite power through to i l core melt and containment failure. A time line presentation of a PWR sequence t
~
in which AFWS operation is initially successful but fails several hours into ' the transient it provided in Figure 7.5. Station blackout occurs at zero hours l (to). After the initial fluctuations in reactor coolant' system pressure, core i j outlet temperature, pressurizer level, core flow, and steam generator level, a ( 4 relatively stable period of decay heat removal with primary coolant natural cir- i
- culation follows. When AFW makeen to t.he <taam caneratea b
- :c.te: unavailable i in about 6 hours (tg), the steam generator level begins to drop, causing de- g creased heat transport from the primary coolant system. As the steam generator i dries out and beat transfer to the secondary system ceases, reactor coolant I pressure and cere outlet temperature rise. The reactor coolant temperature in- !
3 crease combinec with some voiding causes the pressurizer level to rise, and j l' there is relief to the containment. Continued voiding in the primary system l affects natural circulation flow, but core cooling is adequate to prevent melt- ! I ino until the core is uncovared (t:) Et about 9 heurt. At this point, the { pressurizer level has dropped because most of the primary system is voided. j j Wi. thin about 2 more hours (t3 ) th'e core has melted and penetrated the reactor i vessel, causing a containment pressure and temperature spike because of the i j rapid influx of steam and noncondensable gases from the melt. If containment i survives that spike, the continued release of decay heat and the generation of l 1 combustible and non-combustible gas will continue to load the containment. + Containment fai hre by overpressure in this sequence occurs about 19 hours into [ the accident (t4 ). - I i } Figure 7.6 shows a BWR station blackout accident sequence progression. In this l
) scenario for a SWR with Mark I containment, station blackout occurs at time !
zero (to). The reactor coolant system pressure and level are maintained within 1
}
limits by RCIC and/or HPCI and relief valve actuations, which also transfers t y decay heat to the suppression pool. Both the suppression pool and drywell tem- ! i perature begin to rise slowly; the latter is more affected by natural convec- ! j tion heat transport from the hot metal (vessel and piping) of tne primary systes ; A After 1 hour, when AC po.er restoration is not expected, the coerator begins a l controlled cepressurization of the primary system to about 100 psi. This also i causes a reduction in reactor coolant temperature from about 550*F to 350*F, ! which will reduce the heat load to the drywell as primary system metal compo- l
, nents are also cooled. The suppression pool temperature increase is only !
l slightly faster than it would have been without depressurization. Dryaeli pres- j i sure is also slowly increasing. At about 6 hours (t ), t DC power supplies are de- i pleted, and HPCI and RCIC are no longer operable. Primary coolant heatup foi- l
; lows, with increases in pressure and level uatil the safety-relief valve set i j point is reached. Continued core heatup causes continued release of steam; ! ] this eventually depletes the primary coolant inventory to the point that the !
4 level falls and the core is uncovered, about 2 hours after loss of makeup (t:). I Core temperatura then begins to rise rapidly, resulting in core melt and vessel j j penetration witnin another 2 or 3 hours (ta). During the core melt phase, containment pressure and temperature rise considerably so that--nearly coinci- ! dent with vessel penetration -containment failure occurs, either by less of electrical penetration integrity (shown at t ) or 4 b'y containment overpressure shortly thereafter, around 11 hours into tne accident. ; i i l 1
; NUREG-1032 7-8 I a
( l
c De:si e- f alluts of A.:WS (er DO ;;w e* des'et;;r.) Asector Coelant System Pressure L Fressurl:er Level k I _' a Core riew lL . Core cut:et $ ! Tem:erature , i St+am Generator
/
te e, : i ! Centainm s nt , Pressure
~
f Centaine ent -~ I tm; erst.re f = l
. Time thrsi 0 4 S .12 15 , : .- i
)
Ic 13 t; t3 ta i D Sewerce Esent __ j
' i to L a r s o f s ll A C = c e. e r j t3 A,r.','S f ails f o r D C p o w e r de;'e t e d) i t Core unces ery begins !
1 2 2, ter e s e e' ;o wa t:- . ! to C c e*s .- e .t !s s.re . 1 i i i Figure. 7.3 PWR station blackout accident sequence NUREG-1032 79 - i
I r
. # r RCIC/HPCI avallable , con:rellod .depressurita:!on - ':
I 1 i ! Reactor Vessel I Pressure __ , i -
. t I i Reacter Vessel i
! Level !
/ ;
l Core Temperature T / 3 l ) l Suppression Pool # : : Temperature ,
'== i l i j O r Qvell Temper 1ture .. . ,
- 3 ,w en pressure !
4 - i 1 '
- e .
I Time (hrs) 0 4 3 12 *i l
% t3 t 13 ta !
1- ' i l j Tim e Sequence Event
! to less of all AC power j i t3 OC power (b stteries) dep'eted . ,
i* t; Core uncevery bagins ! j t3 Reactor vessel penetratice, ' l l t4 Containment f ailure 1 l Figure 7.6 BWR station blackout accident sequence i
- j. - -
! NUREG 1032 7*10
e Estimates of the likelihood of these a'ccident sequences.were made to identify the potentially dominant contributors to the station blackout accident sequences (NUREG/CR-3226). Table 7.2 summarizes the results for the typical PWR and SWR. These results have been modified to account for better estimates of loss-of-offsite power frequency and duration derived since NUREG/CR-3226 was completed (see Appendix A). In addition'to identifying the dominant accident sequences and their likelibcods, the table also shows the major factors affecting the accident sequence frequency. For PWRs, an important contributor to the estimate of the likelihood core damage is the ability to restore AC power before the DC power needed to run the auxiliary feedwater system is lost or the condensate storage tank supplies are depleted. Another important contributor is the integ-rity of the reactor coolant system considering potential leaks from the reactor coolant pump seals following a station blackout. If reactor coolant pump seals leak and there is no way to supply makeup water to the reactor coolant system, the core will be uncovered. If reactor coolant pump seal leakage'is large (more than 100 gpm per pump), the core could be uncovered within a few hours. Smaller leak rates (a few gom Der pump) are not e limiting factor. Adequate coolant inventory would be available to allow continued core cooling for a day or more without the need fo makeup if other limitations (e.g., DC power) dic not exist. The analyses performed for this program (NUREG/CR-3226) snowed the reactor core was uncovered in approximately 8 hours, using the reactor coolant seal leakage information currently available (a leak rate of about 10 to 20 gpm per pump). For BWRs with isolation tondensers, a similar dominant failure moae exists. The failure of the DC power system is.less importra+ because the isolation condenser , system operates passively once it is activated; little operator action is.neces- ' sary ther'eafter. However, reactor coolant pump seal failure could cause deple-tion of reactor coolant inventory and, because the isolation condcrser SWR I typically does not have an AC power-independent makeup system, the reactor core ) could be uncovered. This sequence was estimated to result in core damage in about 8 to 12 hours. BWRs with HPCI and RCIC are capable of coping with reac-tor coolant system leaks equivalent to that resulti'ng from a stuck-open relief valve. However, they are subject to the effects of DC power depletion and other interactive f ailures associated with the lack of the ventilation system to main-tain HPCI and RCIC room temperature, and supp ession pool heatup phenomena j that can result in a loss of core cooling in about 8 to 12 hour: For this ; type of plant, unattenuated suppression pool temperature increases during a I statfor. blackout transient can be a problem becaus'e of the potential for un-stable condensation phenomena. These phenomena could cause containment struc-tural failure, with the potential for subsequent loss of reactor coolant from the suppression pool resulting in loss of recirculation capability. However, recent test data provided by General Electric in support of the BWR Owners Group suggest there is no unstable condensation regime (General Electric Topical Report NE00-30832). Perhaps more'important is the effect tnat high suppression pool temperature would have on HPCI pump's during recirculation. These pumps are not usually qualified for operation with fluid temperatures in excess of 160 F. In addition, NPSH requirements may not be satisfied if sup-pression pool temperatures exceed 200 F. d NUREG 032
. 7-11
Table -7.2 Summary of potentially dominant core ' damage accident sequences Time in which AC power must
- be recovered Generic OHR system / component to avoid core Typical core plant Seq;:rce centributors damage, hr demci. f c;;;..c, PWR TML8 1 Steam driven AFWS (al1 unavailable TML2B2 DC power or condensate 4 to 16 1 x 10 5 exhausted TMQ28 2 Resctor cociant pump 4 to 1G 14 1C 5 seal leak BWR TMuiB i Isolation condenser 1 to 2 2 x 10 C w/ isolation unavailable condenser TMQ3B i Stuck-open relfef 1 to 2 3 x 10 6 valve
.TMQ28 2 Reactor coolant pump 4 to 16 2 x 10 5 l
seal leak BWR TMU38 3 HPCI/RCIC 1 to 2 2x 10 6 w/HPCI- unavailable RCIC TMU;B., DC power or condensate 4 te 16 2 x 10 5 exhausted, compohent i operability limits exceeded (HPCI/RCIC) BWR TMU1B t HPCS/RCIC 1 to 2 5 x 10 7 1 w/HPCS- unsvailable : RCIC TMU;B 1 HPCS unavailable, DC r power or c'ndensate e , exhausted, component operability limits exceeded (RCIC) . d NUREG-1032 7-12
- * *r i--' -- - - . , * , , , , , ,, ,
For BWRs with HPCS, which has i.ts own AC and DC power systems, b6th the effects of depletion of the DC supply and reactor coolant leakage are minimal contrio-utors to' sequence core melt probability. However, suppression pool temperature limitations may cause some equipment operability problems during longer dura-tion station blackouts. In all of the accident sequences evaluated for this program, the early failure of decay heat removal because of the initial unreliability of these systems was a relatively small, but not insignificant, contributor to core melt frequency. This is not surprising, cecause, since the accident of Three Mile Island Unit 2 (TMI-2), most nuclear power plants have been required to have at least one AC-power-independent decay heat removal train available. However, very little has been done 6t nuclear power plants to determine the capability and reliability of systems during a sustained loss of AC power. Thus, it is not inconsi: tent that most of the dominant failure modes that have been identified are associated with the inability to operate decay heat removal systems because of support system failures or capacity limits on support and auxiliary systams needec to maintain decay heat renoval during station blackout. With the consideration of containment failure, station blackout events can ree-resent an imoortant contricutor to reactor risk. In general, active containment systems are unavailable during a station blackout event. These systems are usually required for pressure suppression through steam condensation to maintain the containment pressure below the appropriate limi t s and for the removal of radioactivity from the containment atmosphere following an accident. The time to containment failure after*the onset of core damage and the containment fail-ure mode is an important ' icr in determining fission product release and.ulti-mately public risk. Tatie 7.3 summarizes centainment failure insights derived from the analyses performed for the severe accident research program at the NRC (NUREG-1150). It shows the different tyces ef. containment, the estimated time of containment failure following the onset of core camage, and the consequences of containmert failure resulting from a station blackout accident. For the large, cry PWR containment, long-terr. tailure (by overpressure or basemat meltthrough) er no failure is more likely than early failure. The potential for early failure is principally associated with uncertainties in the phenomena related to "direct containment heating," as discussed in draft NUREG-1150. Because of its smaller volume and pressure capacity, the PWR ice condenser containment is less capable in handling steam or hydrogen combustion loads during station blackout accidents. In NUREG/CR-3226, it was estimated that the containment would fail.in about 1 or 2 hours for several possible reasons including hydrogen burn, steam pressure spike, or containment overpressure as a result of noncondensables and noncon-densed steam. The recent analyses show a lesser likelihood of containment fail-ure. Analyses performed as part of the Industry Degraded Core Rulemaking Program (IOCOR, 1984), show containment failure times of more than 1 day and significant reductions in perceived consequences. The BWR Mark I and II containments offer some pressure suppression capability during a station blackout accident, but after a core mclt, they may fail by one of several modes. Because of the small size of these containments, direct con-tact of molten core material with the containment wall has been identified as ' a potential failure mode. In addition, temperature-induced failure of penetra-tions or the steel containment structure has been identified as a potential threat. Absent effective containment venting strategies during station blackout,, NUREG-1032 7-13
a Tab 1'e 7.3 Containment perforEance and consequence results for station blackout accident sequences - Containment performance Probability Population dose Failure Timing Plant Senuence mod? Mean Range (hr) Mean Range sorrv Station Early 0.3 0-1 3 1E+07 4E6-2E7 blackout -- w/ seal LOCA Late <0.01 -- -- -- (SNNN)
- Basemat 0. 3 0-0.4 >24 2E+04 melt-thr0 ugh None O.37 0.01-0.6 N/A 2E+04 Station Early 0. 3 0-0.9 3 1E+07 4E6-2E7 blackout --
no seal LOCA Late <0.01 -- -- -- (TNNN)
- Basemat 0.2 0-0.5 >24 2E+04 ,
melt- ' through - None 0.4 0-0.9 N/A 2E+04 Zion Station Early 0.3
- 2 3E+07 blackout
- w/ seal LOCA Late 0.5 15 1E+07 (SE) *
- Basemat 0.16 >24 3E+04 melt-through None <0.01 --
N/A -- -- Station Early 0.2 3 3E+07 blackout . no seal LOCA Late <0.01 -- -- -- -- : (TEC) Basemat <0.01 -- -- -- -- melt- . . through None 0.7 N/A 3E+04 l See footnotes at end of table, 1 1 i I NUREG-1032 7-14
- - - , - , - ,, ,, ,e - .J ,
Table 7.3 (Continued) - Containment performance Probability Population dose Failure . Timing Plant Sequence mode Mean Rar.ge (hr) Mean Range Sequoyah Station Early 0.56
- 2 SE+06
- blackout w/ seal LOCA late 0.4 * **
- 2E+06 (52NNNN)
None 0.03
- N/A 1E+04
- Station Early 0.56 *'
3 SE+06
- blackout no seal LOCA Late - 0.4 * **
2E+06 * (TNNNN) None 0.01 N/A 1E+04
- Peach Station Early 0. 6 0.01-0.8 12 2E+07 3E6-4E7 Bottom- blackout
--slow Late 0.3 0.1-0.6 15 7E+06 2E6-1E7 (6-hr battery .
depletion) None 0.1 0.05-0.2 N/A 1E+04 * (TB) Station Early 0. 6 0.01-0.8 3 2E+07 3E6-4E7 blackout
--fast Late 0. 3 0.1-0.6 6 7E+06 2E6-1E7 (TEU/TEUX)
None 0.1 0.05-0.2 N/A 1E+04
- Grand Station Early 0. 3 0.25-0.4 12 9E+05 1ES-SE6 Gulf blackout
. --slo'w Late 0.6 0.5-0.7 **
6E+05 1E5-2E6 (6-br battery depletion None 0.1 0.05-0.15 N/A
- 3E+05 (TB)
Station Early 0. 3 0.25-0.4 3 7E+05 1E5-8E6 ; blackout
--fast Late 0. 6 0.5-0.7 **
SE+05 1E5-2E6 (TB0/TBUX) . None 0.1 0.05-0.15 N/A 3E+05
- l
*Not currently available from NUREG-1150 analyses.
** Dependent on timing of power restoration, spray operation, and hydrogen burning.
NOTE: N/A = not applicable. i i NUREG-1032 7-15
+
. y overpressure of the containment has also been predicted withi.n 5 to 15 hours. . (IDCOR estimates a Mark I c6ntainment will fail in about 18 hours as a result of temperature icadings.) Because these containments are generally inerted, hydrogen burn is not considered a likely failure mode. For Mark III contain-ments, which are low pressure, large volume containments, failure in about 20 hours has been estimated in NUREG-1150 analyses for late overpressure scenarios not involving hydrogen combustion. The IDCOR estimate is 47 hours for this type of containment failure. One item of interest shuu u ue outeu fur ouco one ice concenser containment and the Mark III containment, where hydrogen ignitors must be installed to meet hydrogen rule requirements and the post-Construction Permit Manufacturing Licensee (CPML) rule. For these containments, there is the potential that an inactive ignitor could be turned on following the restoration of AC po-er at a time when the hydrogen concentration is essentially at an eclosive level. This consieration has been accounted for in the probabilit,, and consequence estimates shown in Table 7.3. However, this potential problem can be addressed and somewnat suppressed througn proper procedures and by instructing the operators on how to control the hydrogen burning with ignitor systems following the restoration of AC power. Substantial uncertainties exist regarding containment performance during a core melt accident. Based on the best information available at this time, it can be seen that station blackout accidents can potentially result in substantial consequences However, the reader is cautioned that there are some technical disag'reements between NRC and IDCOR and that ongoing research could cause revision of these r.ecent findings. 6 j i NUREG-1032 7-16
8 EVALUATION OF DOMINANT STATION BLACK 0UT ACCIDENT CHARACTERISTICS The important factors that affect.the probability of station blackout accidents have been identified on the basis of the previous work presented on dcminant station blackout accident sequences. The principal parts of the station blackout sequence include: tha likelihood or frequency of loss of offsite power; the probability that the emergency or onsite AC power supplies will be unavailable; the capability and reliability of decay heat removal systems that must function during a loss of AC power; and-the likelihood that a source of offsite power will be restored before the core is damaged as a result of the loss of core cooling and the failure of systems that cannot operate withe.t AC power. Reactor type, by itself, has not been found to be a dominant factor.in determining like-lihood of core damage as a result of station blackout because the capabilities of auxiliary and support systems needed for decay heat removal during station blackout can vary considerably (and still meet' current safety requirements). The important factors in determining the likelihood of core damage as a result of station blackout are reliability of the AC power system (offsite and onsite) and the performance of these auxiliary systems (DC power, compressed air), as well as such plant characteristics as pump seal design, natural circulation capability, and suppression pool temperature effects. Because of these dif ferences. core damage frequency estimates for station blackout accident sequences could vary considerably. Therefore, the NRC staff analyzed the s'ensitivity of core damage frequency estimates to design varia-tions different from the reference plant analyses performed by Sandia National Laboratories (NUREG/CR-3226). The models used were based on insights obtained from previous studies; they are described in Appendix C. Stition blackout sequences were divided into two groups. The first included sequences involving the failure of AC-independent decay heat removal and, for plants without AC-independent makeup, loss of reactor cool &nt integrity at the onset of or soon after a station blackout. For these early core cooling failure sequences, AC power must be restored in 1 or 2 hours to avoid core damage and, ultimately core melt. The second group of sequences identified included failures during an extended station blackout of 4 to 8 hours or more. These failures include a smaller rate of reactor coolant loss, support system capacity limitations (e.g., batteries, makeup water inventory, compressed air), and other station blackout capability limitations in decay heat removal systems (e.g., natural circulation and suppression pool temperature limitations). Several sensitivity analyses have been performed by NRC staff to evaluate varia-tions in LWR plant designs for both decay heat removal capability and system reliability, including offsite power. Because the ability to cope with a sta-tion blackout may vary considerably, results are provided to show the effect of limitations in maintaining decay heat removal during sthtion blackouts of 2 to 16 hours. First, Figure 8.1 shows the sensitivity to offsite power system design and location as represente.d by different offsite power groups (clusters). The importance of higher frequency and long-duration losses of offsite power can be seen. It is also worthwhile to note that the highly reliable (redundant) AC-independent decay heat removal systems provide added value when ability to cope for long durations exists and very low core melt frequencies are estimated.
, 4 NUREG-1032 8-1 4
[-
. .r 10'3 _
~
~
1/2 AC Configuration 0.975 EDG Reliability AC independent DHR System O - E ? Train j d 10 i -- 2 Train E 5
\
s N Offsite g . _ \ Power N o Cluster 2
$ 10 5
\\
g\ c : N . E : N 4
- N
\\
s
< . N \\
h \ 3 0 w 10 6 \ gg 2 g : N u : N
\
\ 1
- \
N 10'7 16 O 4 8 12 STATION BLACKOUT CAPABILITY (Hours) Figure 8.1 Sensitivity of estimated station blackout--core damage frequency to offsite power cluster, AC-independent decay heat removal reliability, and station blackout coping capability NUREG-1032 8-2
, _ 1. _ - . . _ _ _ - . _ _ . _ _ _ _
l l i Figure 68.2 shows the relatiodship between various eme'rgency diesel generator reliability levels and estimated core damage frequency. A combination of reason-ably good diesel generator reliability and the ability to cope witn a station blackout lasting several hours results in estimated core damage frequencies on the order of 10 5 per year or less. The effect of a plant's emergency AC power ' configuration is shown in Figure 8.3. A substantial difference in core damage frequency may exist between plants with three emergency diesel generators, de-pending on the minimum number (1 or 2) needed to maintain core cooling and decay heat removal during a loss of offsite power. Again, frequancies drop rapidly as station blackout coping capabilities extend to cover longer AC power outages. Figure 8.4 shows the variations in emergency diesel generator failure rate from both independent =nd common causes. In this figure, common cause failures in support systems (e.g., service water, DC power) are estimated on the basis of the incustry experience (see Appendix B). These results show that estimated core damage frequency can be kept low by maintaining highly reliably emergency AC power systems. Estimated core damage frequencies as low as 10 S per year may be possible if the emergency AC power system is maintained in a high state of operational reliability and there is some capability of coping with an unlikely station blackout. The results described above and additional sensitivity analyses can be used to assess the effectiveness of certain strategies in dealing with station blackout concerns. For instance, if PWR reactor coolant pump seals were known to faii early during station blackout and the reactor coolant system leakage were the factoc limiting the abiki.ty to cope with Station blackout, core damage could occur 1 or 2 hours after the loss of AC power, even if the AC-independent decay heat removal system (the AFWS) were operating properly. Table 8.1 has been developed from the sensitivity analyses to show the effect of providing a "fix" to maintain reactor coolant pump seal integrity to allow successful core cooling for station blackouts from 2 to 4 and 4 to 8 hours. The results provided up to this time represent point estimates of probability or, more properly, frequency. NUREG/CR-3226 snows the ef fect of using leg nor-mal districutions to represent Dasic event probabilities on mean probability estimates, calculated medians, and uncertainty ranges: Wnen that work was cor-pleted, the magnitude of the uncertainty in the loss of offsite power frequency and duration estimates was not known. Because the uncertainty bounds are'now perceived to exceed those used in NUREG/.CR-3226, the accident sequence uncer-tainty ranges derived using the most recent uncertainty estimates for loss of offsite power frequency may be larger than previously estimated. The loss of offsite power frequency and duration estimates are most uncertain for the very low frequency, long duration losses of offsite power. The uncertainty on the probability of accident sequences which result from the shorter duration losses of offsite power should not be significantly different from the previous estimates. Some typical station blackout core damage probabilities and uncertainty ranges * ' representing a 90% confidence interval have been provided in Figure 8.5 for reference. The sequence mean is typically 3 to 8 times larger than the point estimate and the upper and lower bounds are typically within a factor of 5 to 20 of the median estimate. The large di'ference in point estimate and mean can be attributed to the use of a log-normal distribution. When secuences are combined into a single core damage probability, the proportional distance between mean and point estimate tends to' decrease somewhat, d NUREG-1032 8-3 ________________________._i__._m___________
10 2 _ { i , , , g Offsite Cluster 2 1/2 AC Configuration :
- p. -
v I 10'3 5 ? 3 : AC-independent DHR System E 1 Train C'
- 2 Trains - . ' c .
b 10 :-
> : 5 o : -
g - y - D - b \ \ EDG c 10 5 E N R elia bility ~g
$ 5 \ \ \ :
e - N N N 0.9 N - 2 -
\\ -
o [ N) 0.99 - 1 o - I~ ' ' ' ' 10'7I 0 4 8 12 16 STATION BLACKOUT CAPABILITY (Hours) ; Figure 8.2 Sensitivity of estimated station blackout--core damage frequency to emergency diesel generator relisbility, AC-independent decay heat removal reliability, and station blackout coping capability NUREG-1032 8-4
10 3 =
, , , , ;j 2
g Offsite Power Cluster 2 2 0.975 EDG Reliability - g -
.$. 10'd E-E E :
g _ e _
- _ \
F N O
> 10 5 N -
U E N AC Power E 2,
\ \ Con fi.g ura tion:
N N - o : N 0 NN s N : C
\\ N 2/3
- u. 10 6 Ng N
_ s 12 ; w -
\ N N.
O E
\ 2 N
f
\\ ~
C 10'7 W
\ \ 2 4 __
C : \ \N \ 1/3 : 8 : N : 8 ' ' 10 I I ' 0 4 8 12 16 STATION BLACKOUT DURATION (Hours) Figure 8.3 Sensitivity of estimated station blackout--core damage frequency to emergency AC power configurations, AC-independent decay heat removal reliability, and station blackout coping capability e NUREG-1032 8-5
. -. . _ _ _ . . - - . ~ _ _ _ - - . - - - . . _ _ - .
I l I I ! I 1 l 10'3 - 1 Offsite Power Cluster 2 1/2 AC Configuration
- AC Independent DHR System E
D 10 4 7 1 Train B :
- - - - 2 Train E
c e s - t
- 5 e_
e O 5$
$ 10 5 7 j [ j, .
3 : i e o 8" l l 3 e -
\ e c j C
N%- S 8 ! I E
\ \\ \Nt 0.975 (
0.990 l Nominal
$ 10'8 0 \ \ 0
\
~
\\ 0.990 b -
\ \ N % 0.975 Nominal 0.990 N 0.975
- 0
-0.990 10'7 O 4 8 12 16 l STATION BLACKOUT DURATION (Hours) j l
Figure 8.4 Sensitivity of estimated station blackout--core damage frequency to reducing the common cause failure susceptibility of emergency diesel generatcrs, their reliability, and station blackout coping capability , NUREG-1032 8-6
* ~
Tabit 8.I' Sensitivity o'f estimated core damage frequency reduction for station blackout accidents with reactor coolant pump seal failure delay from 2 to 4' hours and 4'to 8 hours . I Estimated core damage frequency (per reactor year) ! EDGR* = 0.025 EDGR = 0.05 Configuration and Cluster 2 to 4 hr 4 to 8 hr 2 to 4 hr 4 to 8 hr 1/2 configuration: 1 6.8 x 10 6 3.5 x 10 6 1.2 x 10 5 5.9 x 10 6 2 2.1 x 10 5 1.2 x 10 5 4.0 x 10 5 1.9 x 10 5 l 3 4.7 x 10 5 2.6 x 10 5 8.8 x 10 5 4.5 x 10 5 4 8.1 x 10 5 - 5.1 x 10.s 1.2 x 10 4 8.5 x 10 5 1/3 configuration: 1 2.4 x 10 6 9.9 x 10 7 2 7.7 x 10 6 3.2 x 10 6 3 1.8 x 10 5' 7.3 x 10 6 4 2.7 x 10 5 1.4 x 10 5 - t
*EDGR = emergency diesel generator unreliabilily (i.e., failure rate per demand) a The measure of risk associated with a station blackout accident can be obtainec by multiplying the estimated core damage likelihood by the estimated dose that would result from containment failure during the accident. The recovery of AC power during the accident would provide the potential for terminating core damage before core melt and the potential for reducing fission product releases by delaying containment failure or by actuating containment sprays before containment failure.
1 i 4 NUREG-1032
- 8-7 1
e . PWR with 1 steam BWR with 1 BWR with BWR with 3 Oriven AFW Train isolation Condense: , HPCI. RCIC HPCS. RCiG 10 l l
-i i,
3 l a ! f 10 -- -- l 5 C; ! . g C .. . . E O O n El E O C) , E o ap u qi O . z
$ 0 C O o C e
w 0 m L O O ql w a - 0 2 'q ) O O
< 1 C . . l y --
O .. j C y .. w 2 ~ h' Upper 95% Confidence Limit
- Mean j Median l 0 Point Valve l
-- Lower 58: Confidence Limit
- i E E E E E i E i E I 2 5 5 E S E E E $
3 2 2 2 2 2 2 2 2 2 M >- r > > > > r >- - ACCIDENT bEQUENCES Figure 8.5 Estimated core damage frequency showing uncertair.ty range for four reference plants Source: NUREG/CR-3226 NUREG-1032 8-8
l i 9 RELATIONSHIP OF OTHER SAFETY ISSUES TO STATION BLACKOUT. The implications of station blackout on several other safety issues were re-viewed for significance. These include: loss-of-coolant-accident initiators; anticipated transients without scram; external hazards, such as seismic events and severe weather; and internal hazards associated with fire or extreme environ-ments, such as flooding or high steam temperature resulting from pipe breaks within the plant. In general, it was concluded that, if the likelihood of sta-tion blackout were independent of any of these other safety considerations, the potential risk of a station alackout concurrent with one of these other safety concerns is very small. However, if as a result of common cause failure or in-teractive failure, the initiation of an accident by one of those other mechanisms described causes a station blackout, then the safety imolications of those safety issues on station blackout are fairly large. Each of these safety issues is dis-cussed below. ' 9.1 Loss-of-Coolant Accidents Loss-of-coolant accidents (LOCAs) induced by a station blackout transient have already been included in the accident sequence analyses described in Section 7; these will not be discussed further here. LOCAs concurrent with a loss of off-site power are usually included in the design basis of nuclear power plants in accordance with the general design criteria of Appendix A to 10 CFR 50. The likelihood of a LOCA followed by and concurrent with a station blackout has been cbnsidered and is discussed below. Although no strong coupling could be found between the initiation of a LOCA and a subsecuent failure of the offsite or onsite AC power system, one ;otential mechanism has bee
- identified. If a LOCA were to occur at a nuclear power plant, the reactor would trip; subsequently the turbine generator would be trippec and ,
a grid instability could folicw, or the site' could be isolated by switching ac-tivities in the switchyard to provide onsite safety-related or alternative sources of preferred power to the emergency power safety buses. Historical ex-perience collected about loss-of-offsite power events at nuclear power plants suggests that given a transient or an accident situation that would cause a trip of the turbine generator, the likelihood of a failure of the offsite power supply is on the order of 10 4 to 10 2, depending on the strength of the grid and the offsite power design at the site. Estimated LOCA frequencies range from 10 2 per reactor year for small loss-of-coolant accidents down to less than 10 4 per reactor year for large diameter pipe breaks. The frequency of small LOCAs is dominated by pump seal LOCAs on pressurized-water reactors and stuck open safety-relief valves on. boiling water reactors.
~
These situations do not require rapid actuation of AC powered emer-gency safety feature equipment and have been addressed previously. The most likely small LOCA that has not been incorporated in the station blackout acci-dent analyses is a small pipe break (less than 2 inches in diameter) with a frequency of about 10 3 per reactor year. h NUREG-1032 9-1
The low LOCA frequency combined with the likelihood of losing offsite power on turbinegeneratortripresultsinanestimatedfrequencyofoccurrenceranging per reactor year to 10 7 per reactor year. When this frequency is from 10-comb-ined with a conservative estimate of emergency AC power system,unreliability of 10 2 per demand, it is easily shown that accident sequences of this type re-present a small element of reactor risk (less than 10 7 per reactor year). The variability of the frequency of station blackout caused by a LOCA could ce e much as two orders of magnitude higher and still represent one of the smaller station blackout accident threats. Although, at this higher level, these G ei-cent > coulo represent a noticeable fraction of reactor risk. Large pipe break LOCAs with initiating frequencies on the order of 10 4 per reactor year combined with the probability of subsequent failure of all AC power do not a;; pear to represent an appreciable fraction of accident likelihood or public risk, at least in comparison to cther station blackout sequences.
- 9. 2 Anticipated Transients Without Scram Another safety consideration that was investigated is anticipated transients without scram. In this case, ths anticipated transient is a loss of offsite pc.er. If the probability of a loss of of f site power is taken as the generic average, 0.1 per year, and the probability of reactor scram failure is taken as the historical average, about 10 4 per demand, then the probability of a loss of offsite power followed by a failure to scram is about 10 5 This is a level of accident sequence likelihood that might be considered impc,rtant. However, in order for a . station blackout to occur, the onsite emergency AC power sy:te-also must fail. In the worst case, one might find an unreliability of the emer-gency AC power system of about 10 2 per demand. Thus, the frequency of an anti-
. cipated transient without scram involving loss of offsite power and a failure of the onsite emergency AC power system is on the order of 10 7 per reacter yecr or less. Even if the level of uncertainty were an order of maghitude higher, this accident secuence would not be of concern in comparison to the cominant station blackout accident sequences that have been identified. 9.3 Extreme Internal Environment A safety area in which there does appear to be a potential for station-blackcut-type accident sequences being induced by other causes involves fire and other extreme environments internal to a nuclear power plant. The concern associated I with internal environmental hazards is that their occurrence can represent a common cause accident initiator tnat also affects the ability to cope with tha . l incident. Specifically of concern is the likelihood of a fire, flood, or other extreme environmental condition generated by internal events that would cause a loss of all AC power. In general, for this to occur, portions of AC power systems must be in a common location where these hazards are present, or pro-tection barriers and AC power system design requirements must be insufficient to control the spread or failure resulting from these hazards. Therefore, the likelihood of internal hazards causing a station-blackout-type accident is heavily dependent on the plant's design and, in particular, on the location of equipment. If separation and internal environmental protection barriers are maintained, or adequate AC system design is provided, the likelihood of these internal environmental hazards causing a station-blackout-type accident would be very small, probably less than 10 6 per reactor year. On the other hand, if commonality of location or a lack of protection exists at.a plant, then the safety significance of these internal hazards would have to be evaluated for NUREG-1032 9-2
plant. damage susceptibility and likelihood of occurrence. The frequency of. occurrence of these hazards can be as high as once per'100 to once per 1,000 reactor years. Therefore, the vulnerability to station-blackout-type accidents resulting from these hazards can be of concern. 9.4 External Hazards Another potentially significant safety consideration that could be related to station blackout involves external hazards to the plant, particularly those resulting from seismic- and weather-induced failures. .To sta, a seismically induced loss of offsit.e power has not been observed at a nuclear power plant. Failure of offsite power because of severe weather has been observed at nuclear power plants; in fact, severe weather was included as a major factor in deter-mining the likely duration of an extended offsite power outage at nuclear power plants. as described in Section 3. The greatest potential for safety signifi-cance exists where there is a direct coupling or common cause failure associated between a transient-initiating external hazard causing loss of offsite power and the reliability of the onsite and offsite power systems. It can be expected that significant seismic and s'evere-weather events will cause a loss of the offsite power system. On the other hand, the plant, and in particular the emergency AC power system, is typically designed to withstand, or is protected from the effects of, these severe phenomena. Therefore, for severe external hazards that are within the design basis of the plant, the failure of the eme.gency AC power system can be considered as an independent failure event. For example, if the likelihood of a safe shutdown earthquake that could cause a loss of offsite power were approximately 10 3. per year or, less, and one assumes that it would take approximately 8 to 24 hours to restore offsite power from such an incident, then a typical estimate of core damage or core melt frequency as a result of a safe shutdown earthquake and a station blackout would be about 10 6 per reactor year or less. For severe weather, the likelihood of the weathe-r-induced failure of the offsite power system could be as high as 10 2 per year, and the outage could be expected to be on the order of several hours. Again, if the severe weatner event is within the design basis of the plant, the likelihood of a weather-induced station blackout accident causing core damage or core melt would be on the order of 10 5 per reactor year. Table 9.1 provides a summary of the typical internal and external accident hazards of a nuclear power plant and identifies some potential points of failure , that coulo result in a coupling.between these accident initiators and a station ' blackout. If such interactions or points of commonality do not exist, then it is concluded that the contribution of these accident initiators to station b l ac ko t *. accident secuences results in core melt frequencies that are no larger, and probably much less, than those previously considered. 1 l l l 4 NUREG-1032' 9-3
. _ _ 2_ _ _ .
4 e
, . 1 Table.9.1 Coupling between external (and internal) '
events'and potential plant failures Event Potential plant "weakness" Seismic Switchyard, control, non-seismically designed equipment 54"a, flaci Ar::: 'sith ..pitipic Jie: 3 ions, inadequate protection barriers Severe weather- Transmission lines and towers, switchyard, non-safety. structures e p b 0 e b l i 1 O e 4 NUREG-1032 94 . _e-,=-r, ,,r %m = %9 - -nv., ,---, , ,,m-ry = y-, - 9 e g- y p e e, geer y g,-ec+y + e e-
O 10 REFERENCES Adams, J. P., et al., "Natural Circulation Cooling Characteristics During PWR Accident Simulations," Second National Topical Meeting on Nuclear Reactor Ther-mal Hydraulics, January 11 to 14, 1983. Fletcher, C. D., "A Revised Summary of PWR Loss of Offsite Power Calculations," EGG-CAAD-5553, EG&G Idaho, .Inc., September 1981. General Electric Topical Report NE00-30832, "Elimination of Limits en BWR Sup-pression Pool Temperatures for SRV Discharge with Quenchers," December 1984. Industry Degraded Core Rulemaking Program (IDCOR), IOCOR Technical Summary Report, "Nuclear Power Plant Response to Severe Accidents," published.by Technology for Energy Corp., Kno).ville, Tennessee, November 1984. ' Schultz, R. R., and S. R. Wagoner, "The Station' Blackout Transient at the Browns Ferry Unit One Plant A Severe Accident Sequence Analysis," EGG-NTAP-6002, EG&G Inc., September 1982. ~ U. S. Nuclear Regulatory Commission, NUREG-75/140 "Reactor Safety Study," Octo-ber 1975 (formerly WASH-1400).
-- , NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1980,.
1987. , NUREG-1150, "Reactor Risk Reference Document," Draft Yor Comment, February
-- , NUREG/CR-1988, F. E. Haskin, W. B. Murfin, J. B. Rivard, and J. L. Darby,, "Analysis of a Hypothetical Core Meltdown Accident Initiated by Loss of Offsite Power for the Zion 1 Press.urized Water Reactor," December 1981. -- , NUREG/CR-2132, D. H. Cook, S. R. Greene, R. M..Herrington, 5. A. Hodge, and D.
sis," O.November Yue, "Station 1981.Blackout at Browns Ferry Unit One - Accident Sequence Analy-
-- , NUREG/CR-2989, R. E. Battle and D. J. Campbell, "Reliability of Emergency AC Power Systems at Nuclear Power Plants," July 1983. -- , NUREG/CR-3226, A. M. Kolaczkowski and A. C. Payne, Jr. , "Station Blackout Accident Analyses (Part of NRC Task Action Plan A-44)," May 1983. -- , NUREG/CR.3992, R. E. Battle, "Collection and Evaluation of Complete and Partial losses of Offsite Power at Nuclear Power Plants," February 1985. -- , NUREG/CR-4347, R. E. Battle, "Emergency Diesel Generator Operating Experi-ence, 1981-1983," December 1985.
Wyckoff, H.,
"Losses of Offsite Power at U. S. Nuclear Power Plants--All Years Through 1985," NSAC/103, Electric Power Research Institute, May.1986.
4 - NUREG-1032 10-1 -
P Wyckoff, He ,
"Reliab'ility of Emergency Diesel Generators at U.S. Nuclear Power Plants," NSAC/108, Electric Power Research Institute, September 1986.
6 e
- e h
e 0 e NUREG-1032 10-2
APPENDIX A DEVELOPMENT OF LOSS-0F-0FFSITE-POWER FREQUENCY AND DURATION RELATIONSHIPS 4 S e >- e G G G I e i NUREG-1032
TABLE'0F CONTENTS Pace INTRODUCTION .......................................................... A-1 LOSS OF OFFSITE POWER FROM PLANT-CENTERED CAUSES ...................... A-5 GRID-RELATED LOSS OF 0FFSITE POWER ....... ............ ............... A-8 LOSS OF 0FFSITE POWER AS A RESULT OF SEVERE WEATHER ................... A-14 GENERIC LOS3-OF-OFFSITE-POWER CORRELATIONS ........... ................ A-24 REFERENCES ........................... ............................... A-37 LIST OF FIGURES A.1 Frequency of less-of-offsite power events exceeding specified durations..... ....... ........................................ .. A-3 A.2 Annual frequency of loss of offsite power. ....................... A-4 A.3 Estimated frequency of occurrence of plant-centered losses of offsite power exceeding specified durations ...................... A A.4 90% confidence limits for two categories of plant-centered . losses of offsite power ............ ........................ .
- . A-12 A.5 Restoration probabflity for grid-related losses of offsite power . A-15 A.6 Estimated frequency of occurrence of grid-related losses of offsite power exceeding specified. durations ...................... A-17 A.7 Weather hazard expectation histograms ............................ A-22 A.8 Restoration probability for severe weather-induced losses of-offsite power ............................................ . .. . A-25 A.9 Estimated frecuency of occurrence of severe-storm-induced losses of offsite. power exceeding specified durations ... ........ ... . A-27 A.10 Estimated frequency of losses of offsite power exceeding specifiec durations for Indian Point. ......................... ..... .. . A-30 A.11 Estimated frecuency of losses of offsite power exceeding specified durations for Zion ......../...................................... A-31 A.12 Estimated frequency of losses of offsite power exceeding specified durations for Shoreham .... ................... .................. ,
A-31 A.13 Estimated frequency of losses of offsite power exceeding specified durations for Millstone 3 ........................................ A-32 A.14 Estimated frequency of losses of offsite. power exceed.ing specified durations for Limerick ........................................... A-33 A.15 Estimated frequency of occurrence of losses of offsite power exceeding specified durations for nine offsite power clusters ... A-34 l LIST OF TABLES A.1 Summary of loss-of-offsite power experience ...................... A-2 A.2 Definitions of offsite power system design factors ............... A-6 A.3 Mean time to restore offsite power .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-7 l 1
.g ,
NUREG-1032 A-iii
. - . i l
7 l
. I TABLE OF CONTENTS (Continued) .
i Pace A.4 Data used for plant-centered loss-of-offsite power-duration curve fits ....................................................... A-9 A.5 Grid-related loss-of-offsite power frequency versus duration, through December 1983 .................................. A-13 A.6 Grid reliability / recovery ........................................ A-16 A.7 Severe weesner-1nduced losses of offsite power used in the analysis .............................. .......................... A-19 A.8 Severe-weather-inouced loss-of-offsite power frequency / recovery .. A-26 A.9 Extremely severe weather-induced loss-of-of fsite power frequency . A-28 i A.10* Identification of grid, offsite power system design, severe weather, and extremely severe weather factors included in l' cluster groups ................................................... A-35 A.11 Loss-of-offsite power frequency distribution per cluster group. A-16 + { l 4 i i 1 1 NUREG-1032 A-iv l
. _ _ _ .__ ___-_-__________________-__________________________I
e APPENDIX A . DEVELOPMENT OF LOSS-0F-OFFSITE-POWER FREQUENCY AND DURATION RELATIONSHIPS INTRODUCTION This appendix provides the details and results of analyses performed by NRC staff to develop the cause, frequency, and duration relationships for loss of offsite power at nuclear power plants. The purpose of this work was to develcp generic loss of offsite power . relationships that would allow differentiation of plant design, operational, and location factors that can significantly affect the expected frequency and duration of loss-of-offsite power events. Within this study, the loss of of' site power'has been defined as the interruption of the preferred power supply to the essential and nonessential switchgear buses neces-sitating or resulting in the use of emergency AC power supplies. A total loss l of offsite power is said to have occurred when non-emergency AC power sources become unavailable requiring some diagnosis or special recovery actions, includ-ing correcting switching errors, fixing or bypassing faulted equipment, or other-wise making available an_ alternate standby source of non emergency AC powcr. Although total loss of offsite power is a relatively infrequent occurrence at nuclear power plants, it has happened a number of times, and a data base of information has been' compiled (Wyckoff, 1986; NUREG/CR-3992). From these data and a review of relevant design and operational characteristics, the frequency I and duration relationships for loss-of-offsite power events at nuclear power plants have been developed. Historically, a loss of offsite power has occurred with a frequency of about once per 10 site years. The typical duration of these events has been on the order of one-half hour. However, at some power plants the frequency of loss of offsite power has been substantially higher than the average, and in other instances the duration of offsite power outages has been much longer than the norm, in some cases, licensees have and are taking correc-tive action to limit the recurrence of these longer and more frequent losses of offsite power. A summary of the data on the total loss-of-offsite power events is provided in Table A.1. Because design characteristics, operational features, and the loca-tion of nuclear power plants ~within different grids and meteorological areas can have a significant effect on the likelihood and duration of loss-of-offsite-power events, it was necessary to analyze the nuclear industry experience in more detail. The data have been categorized into plant-centered events and area- or weather-related events. Plant-centered events are those.in which the design and operational characteristics of the plant itself play a role in the likelihood or duration of the loss-of-offsite power event. Area or weather effects include the reliability of the grid and external influences on'the grid or at the site (such as severe weather) that have an effect on the likelihood and duration of the loss of offsite power. The data show that plant-centered events account for the majority of the loss-of-offsite power events. -Al.thouah . the area-blackout- and weather-related events are les frequent,theytypica$ly NUREG-1032 A-1 r w -- -
--r- -
,n -- , ---r , -n- -- - - ~ - - - ~ - --
i Table A.1 Summary of loss-of-offsite p'ower experience No. of events Frequency (yr 1). Category (> 4 hr)
,(> h hr)
Plant centered 46 0.087 (15) (0.028) Grid 12 0.018 (7) (0.011) tdeather 6 0.009 (6) (0.009) Total 64 0.114 (28) . (0.048) Note. The number of reactor-crit'ical site years through December 1985 is 527, and the number of site years is 664. , t account for the longer duration outages, with storms the major contributor *to ; lor.g outages. Because plant' centered events that occurred when reactors were : shut down were screened from the event count, reactor-critical site years were used to derive plant-centered event frequencies. Reactor-critical site years j are the number of years that reactors were at power conditions at the site.
~
Figure A.1 provides a plot of the frequency and duration of less-of-offsite- [
- power events resulting from plant-centered faults, grid bla-kout, and severe !
weather, based ori past experience at nuclear plant sites. The curves were ! developed by fitting data to a two parameter Weibull function of the following [ form- l t i.0 P j (t) = A LOP g e
~
("i t I) A where LOP g (t) is the frequency of losses of of f site power of type "i," which are equal to or greater than duration "t." That is, the recovery time equals A or exceeds "t" hours. The term LOP 4 is the frequency of ' occurrence of losses of offsite power of type "i," which have greater than zero duration. Parameters og and Sj are curve-shaping constants that vary accordi'ng to the data being curve fitted. Analyses were also performed to determine the trends in the frequency of loss of offsite power. Figure A.2 shows a plot of the rolling average loss of offsite power for nuclear plants included in Table A.1 and Figure A.1. These ; , results show that over a period of 20 years, from 1966 through 1985, th>t general i NUREG-1032 A-2
- -e- - , -
, --.,-r- .
., ~,-,.w.--,r,- - - - . - - , - - . . , - + .>w- -
l
- l I i j Data:
0.05 - O Total A Plant Centered M O Grid e V,
# Weather t 0 04 - . -
5 A w U 2
< A e
- 5. 0.03 .
Plant Cen.tered Total - U U C w - O o 0.02 - - 2
. W D
C u. Grid . A 0.01 - O Severe Weather e 0.00 1 - - 0.1 1.0 10 DURATION (Hours) Figure A.1 Frequency of loss-of-offsite power events exceeding specified durations . , NUREG-1032 A-3 ; 9
.,.,_,._---,g.-., _ . .
, , _ _ _ . ...e-, .,,,n_..__,__,n_._.,_._.-.-_,,.,,___.,,,,._,--,,,,,n. , , , .,m
i l l i M i i i i i 6 6 6 i i i 6 iI i i 6 i e i L
-- 1 Yr Averagr ;
Traveling 3 Yr Average . 2s - j
,m s I\
20 -
,s ; \ /\ -
~.
;\ I \ I\
;\ l
\ l 1 0,s -
\ \ I I ; I \ -
t I ; I - I . 8 \ I ' I \ E ' ,o \ l I
; I \ .
I \ \ I r-I \\ \ / \ l ; I \l \/ \^ l 1
\\
s- ' I \/ V \ / - I \\ Y \
\ \\ Y o
i i t i f i ! i i t i t iii i i t i i 1966 1970 1974 1978 1962 1965 YEAR 1 Figure A.2 Annual frequency,of loss of offsite power 9
! l NUREG-1032 A-4 ,,
trend has beerh toward ~ a reduction in loss-of-of f site-power f requency. However, that reduction in frequency has been modest. The results also show that fluc-tuations occur so that trends and averages indicated in any given interval of 2 or 3 years can be considerably different than the cumulative results. As of the end of 1985, the cumulative average frequency of loss of offsite power was about 0.1 while the trends from Figure A.2 indicate an industry-wide fre-quency variation ranging between 0.25 and 0.05 over the period. LOSS OF 0FFSITE POWER FROM PLANT-CENTERED CAUSES Plant-centered failures typically involve hardware failures, design deficiencios, human errors (in maintenance and switching), localized weather-inducad faults (lightning), or combinations of these failure types. Plant-centered failures can be recovered by switching or repairing faulted equipment at the site. An effort was made to screen out events that occurred when plants were shut down and offsite power configurations are not required to meet raquirements for avail-ability of imm.ediate and dalayed access circuits. For the plant-centered losses, an attempt was made to determine any correlation between offsite power design charact:ristics and frequency and duration of losses of offsite power. Two offsite poner design features were identified as poten-tially significant with regard to frequency and duration of loss of offsite power: (1) the independence of incoming offsite power sources and (2) the number of immediate and delayed access circuits anc their transfer schemes to the Class 1E buses. Table A.2 defines the design differences associated with these fea-
~
tures.' The designs of offsite power sources were further subdivided into grouos, and the number of shutco.n sources were subdivided into different possible de-sign combinations (NUREG/CR-3992). . ~ The relationship between the listec design features and the frequency of loss of offsite power was analyzed using the railure Rate Analysis Coce (FRAC) (NUREG/CR-2434) to correlate loss-of-offsite power frequency witn various design features. These analyses showed no statistically significant correlations be-tween frequency of plant-centered losses of offsite power and the design features analyzed. An analysis was also performed to determine if any relationship exists between offsite power design characteristics and the duration of losses of offsite power. Analyses were performed using the generalized linear model (GLM) procedure of. the Statistical Analysis System (SAS) (SAS Institute, 1979). .The data for all of the different design factors were analyzed to check for any statistical in-teractions using analysis of variance. One data point--a 5.83-hour restoration time for an event at the Calvert Cliffs plant on April 13, 1978--was found to cause a strong interactior). Without that event, there was no significant inter-action. The Calvert Cliffs event involved a latent design flaw that has since been corrected; it is not expected to typify future occurrences with regard to design feature, type of failure, or duration. With the data "corrected," the independence of offsite power sources was found to be an importanf determinant of the restoration time associated with plant-centered losses of offsite power. The number and type of transfer schemes were found to be less significant. It was concluded that various combinations of these design features could be used to define a set of design characteristics with different recovery times for plant-centered losses of offsite power. On the basis of this analysis and a , NUREG-1032 A-5
Table A.2 Definitions of offsite power system design ~ factors Majordesignfactor Design features A. Independence'of 1. All offsite power sources are, connected to the - offsite power plant through one switchyard.
- sources to the nuclear plant 2. All offsite power sources are connected to the plant through two or more switchyards, and the switchyards are electrically connected. ,
- 3. All offsite power sources are connected to the plant through two or more switchyards or separate incoming transmission lines, but at least one of the AC sources is electrically independent of the
, others.
B. Automatic and 1. If'the normal source of AC-power fails, there manual transfer are no automatic transfers and there is one or schemes for the more manual transfers to preferred or alternate Class 1E buses offsite poaer sources, when the normal source of AC 2. If the normal source of AC power fails, there is power fails and . one automatic transfer but no manual tran>fers wi'.en the backup to preferred or alternate offsite power sources, sources of offsite po.er fail a. All of the Class 1E buses in a unit are 4
. connected to the same preferred power m.rce ;
af ter tne automatic transfer of power snorces.
- b. The Class 1E buse: in a unit are connacted to separate offsite power sources after tne i autcmatic transfer of power sources.
- 3. Af ter loss of the normal AC power source, there is one automatic transfer. If this source fails, there may be one or more manual transfers of power
- sources to preferred or alternate offsite power sources. '
- a. All of the Class 1E buses in a unit are con-netted to one preferred power- source after i the first automatic transfer. l
- b. The Class 1E buses in a unit are connected to separate o'fsite power sources a,fter the first automatic transfer.
i i NUREG-1032 A-6 i l
Table A.2 (continued) , Majordesignfactor Design features
- 4. If the normal source of AC power fails, there is an automatic transfer to a preferred source of power. If this preferred source of power fails, there is an automatic transfer to another source of offsite power.
- a. All of the Class IE buses in a unit are connected to the same preferred pc er source after the first automatic transfer.
- b. The Class 1E buses in a unit are connected to separate offsite power sources after the first automatic transfer of po er sources.
review of the cesign features, the staff concluded (1) that plants with switch-yard designs that are normally operated as an interconnected system coulc be i separated, as a group, from those with designs offering electrical independence, ano (2) that sites with two or more alternate offsite power circuits (immediate or delayed access) in addition.to the normally energized power circuit to the Class 1E buses (offsite or unit generator source) could be grouped. Table A.3 shows design combinations obtained with the mean-time-to-repair (MTTR) values for each group. , Other groupincs can be derived that have at least some statistical significance and are physically valid. However, cata limitations and small differences in MTTR that occur for more detailed breakdowns suggest that the design grcups obtained represent a reasonable and valid compromise between ccmoletely generic and more design-specific breakdo ns. Table A.3 Mean time to restore offsite power Group designation Design factor" Mean time to restore 11 A1, A2, or A3 and B4 0.20 12 Al or A2 and B2b or B3 0.39 13 Al or A2 and El or B2a 0.78 "See Table A.2 for design features. - 1 k NUREG-1032 A-7 A
A plant-centered loss-of-offsite power-frequency-vs.-duration curve was devel-oped for each of the three design groups b'y' fitting the corresconding data to a two parameter Weibull distribution. A list of the data used for each curve fit is given in Table A.4. The actual curves generated by this analysis are in Fig-ure A.3. The curves show the probability and frequency of events that exceed a specified duration. Figure A.4 shows the 90% confidence limits for two of the correlations (Il and 13) derived using the extreme value theory. GRIO-RELATED LOSS OF 0FFSITE POWER Grid reliability has traditionally been the most ,r minent factor associated with a loss of offsite power at nuclear power plants. Yet, the historical data show that losses of offsite power as a result of grid-related problems account for no more than 19% of all losses of offsite power. Attempts to find charac-teristics to classify site, design, and location features that affect the expec-ted frequency of grid loss have not been successful. An investigat. ion into the various utility transmission and di.stribution system reliability characteristics was beyond the scope of this study. Such a study is likely to involve an ex-tensive state-of-the-art analysis of grid stability, the results of hich would be of questionable valicity considering limitations on current metnocology. In its place a more pragmatic and experience-based approach to estimating nuclear plant site susceptibility to grid loss was taken. Both frequency of grid loss and time to restore power were considered. It was recognized that the Florida Power and Light (FPL) grid has represented the upper end of utility grid failure frequency during the past 10 to 15 years, although some recent improvements seem to have been effective. Very fe.' other nuclear plant sites have experienced even one or two loss-of-offsite-po er events as a result of grid blackout The great majority of nuclear power plants have not experienced grid failure. A sys.temic weakness icentified af ter a grid failure is usually corrected as soon as possible. Thus, it is usually a new and previously unidentified systemic aeakness that results in future failures. Therefore, in the aosence or known and uncorrected systemic weaknesses, tne occasional, non-recurring type of grid failure may not be a good indicator of future trends within a utility system. With this in mind, tne FPL experience was separated f rom the balance of the U.S. nuclear utility experience to esti-mate grid-failure frequency Because a set'of design or location factors could not be identified that could effectively differentiate the expected reliability of the various utility grids, grid reliability was categorized by failure fre-quency ranges characterinic of past experience. The FPL experience suggests an upper end to the grid-failure frequency of once per 2 to 5 site years, although there have been recent improvements. In a few utility systems, the occasional grid failures have occurred at a frequency of about once per 10 to once per 20 site years. The national average is about once per 100 site years, excluding FPL experience. Table A.5 lists grid-related losses of offsite power and site-specific frequencies calculated from the data. Two grid undervoltage events are discussed in a footnote to the table. Although these events were not counted as grid failures, offsite power sources were momentarily unavail-able during these events. Two factors that have been identified as significant in determining the dura- I tion of grid-related losses of offsite power at nuclear power plant sites are: (1) the availability of adequate restoration procedures and (2) the availabil-ity of "black start" power sources that are able to supply power to a nuclear NUREG-1032 A-8 4
f Table A.4 Data used for- p'lant-centered loss of-offsite power-duration curve fits
- Group ** Plant Date Duration (hr)
Il Davis-Besse li/29/77 0.002 ! Nine Mile Point 11/17/73 0.003 Oconee 01/04/74' O.013 : Haddam Neck 07/19/72 0.017. ; Millstone 07/21/76 0.080 Haddam Neck 07/15/69 0.150 , Haddam Neck 08/01/84 0.167 i Susquehanna 07/26/84- 0.183 ; Monticello 04/27/81 0.250 Haddam Neck 06/26/76 0.270 Haddam-Neck 01/19/74 0.-330 Davis-Besse 10/15/79 0.430 , Haddam Neck - 04/27/68 0.480 Indian Point 2,3 06/03/80 0.500*** 12 Oyster Creek 09/08/73 0.003 l' Point Beach 04/27/74 0.020 Brunswick 03/26/75 0.070 Dresden 08/16/85 0.083 > Point Beach 02/05/71 0.130 . Turkey Point 02/12/84 0.250 i Turkey Point . 02/16/84 0.250 -i Beaver Valley 07/28/78 0.280 McGuire 08/21/84 0.334 Ginna 03/04/71 0.500 Ginna 10/21/73 'O.670 Prairie Island 07/15/80 1.030 ' Arkansas Nuclear One 09/16/78 1.480 l 13 San Onofre 11/22/80 0.004 Fort Calhoun 08/22/77 0.015 San Onofre 11/21/85 0.067 : Palo Verde 10/07/85 0.200 ' Palo Verde 10/03/85 0.400 ) Palisades 09/24/77 0.500 Quad Cities 06/22/82 0.570 Farley 09/16/77 0.900 Fort Calhoun 02/21/76 0.900 Palisades 09/02/71 0.930 Quad Cities 11/06/77 1.150 Indian Point 06/03/80 1.750*** i Farley 10/08/83 2.750 (See next page for footnotes) l d NUREG-1032 A-9 i l
)
Table A.4 - Footnotes "Not included in the duration analysis were the Palisades events of 11/25/77 and 12/11/77 (recurring failures), the Calvert Cliffs event of 04/13/78 (outlier), tha Big Rock Point event of 11/25/72 (insuf-ficient plant design information),.and the Crystal River event of 06/16/81, the Vermont Yankee event of 12/17/72 and tho Turkey Point event of 04/04/79 (incomplete reporting of duration).
** Group designations are explained in Table A.3.
""*The Indian Point event of C5/30/80 lasting 1.75 hours, included in Group 13, is also included as a 0.50-hour event in Group 11 on the basis that had the available gas turbine been employed, offsite power would most likely have been recovered in approximately 30 minutes.
, +.
e e NUREG-1032 A-10
i a e , i 4 4 s i l a a i . 4 .j i . . ....i 0.09 1.0 - 0.9 O
- c. 0.8 -
0.07 g 13 m - g 0.7 - - O 0.06 E e 12 y 2 0.6 - 0 E! 11 0.05 3 0 -
$ 0.5 - 2
[ - 0.04 z z O4 - 0.03 $ D 0.3 - 2_ 0.02
$ 0.2 -
O e o,1 _ - 0.01 1
' ' ' ' ' ' ' 'I ' '
0 '! - ' ' 0.01 0.1 o 1.0 10 DUR ATION (Hours) 1 )' Figure A,3 Estimated frequency of occurrence of plant-centered losses of. offsite power exceeding specified durations (for offsite power groups as shown in Table A.3) '
. 4 NUREG-1032 A-11 i
s
1 o s .
.ii,,;
iiiiiiii . i.i.i.r 1'0
~*% -
Curve Fits for Category 11 Curve Fits for Category 13 m 0.9
%g -
0.08 N N
\
@ 08
\ \h w -
0.07 b' s- 90% Confidence Y ~' Limits for 13 E 0.7 5
\ -
0.06 I N \ \ 06 a
\ \ \
n g\ - 0M-0 0.5 - N s m \ T
\
\
\ -
5 O CM M
\
2 04
\g \g
\, i e
\ \ -
0 03 W . 0.3 90% Confidence-Limits for 11
\\ -
'g "
\
E '\ \
<0 \
82 0.02
\
$ \ xN 0.1 -
\ \\ -
0 01 0 ' '
' ' ' ' ' ' ' ' ' ' 'l N '
NN 0 01 ' '5' 01 1.0 10 DUR ATION (Hours) Figure A.4 97ll; confidence li tits for two categories of plant centered losses of offsite power NUREG-1032 6-12 - s
Table A.5 Grid-related loss-of-offsite power frequency versus duration, through December 1983 Date of Duration Site frequency Site occurrence (hours) (per year) Turkey Point: 06/28/74 0.180 0.444 (6 events in 13.5' site years) 04/04/73 0.250 04/03/73 0.300 04/25/74 0.330 05/16/77* 1.030 05/16/77* 2.000 05/17/85 2.083 Indian Point: 07/20/72 0.920 0.126 (3 events in 23.8 site years) 07/13/77 4 6.470 11/09/65 ** St. Lucie: 05/14/78 0.130 0.20 (2 events in 9.8 site years) 05/16/77* 0.330 05/16/77* 1.50,0 Yankee Rowe: 11/09/65 O.550* 0.039 (1 event in 25.5 site years) 60 sites: none*** (no events in 0.3 to 26.3 site years) Total for 0.018 (12 events in 64 sites 664.4 site years) Total excluding 0.006 (4 events in FPL 664.4 site years)
"The Turkey Point and St. Lucie events of 05/16/77 were counted as one event for each plant for frequency calculations.
** Actual duration not reported.
***The undervoltage event at Millstone on 07/21/76 was treated as a plant-centered design problem; the undervoltage event at Quad Cities on 02/13/78 was treated as a degradation with a usable offsite power source available throughout the incident.
\
< l NUREG-1032 A-13 f
l
P
. power plant in isolation of a grid disturbance. Both of these factors 'can con-tribute to a significant reduction in the expected duration of grid-related losses of offsite power, as reported in the Indian Point Safety Study (Power Authority of the State of New York, 1982). In 1981 the NRC sent Generic Letter 81-04 to all nuclear power plant licensees requesting them to develop and implement procedures to enhance restoration of offsite power.
Responses to that generic letter have indicated that power could be preferentially restored to many nuclear power plant sites within 1 or 2 hours; even if the grid remained in a blackout conditian. The time to rastore offsite power following a grid failure can be estimated by past experience. However, if an appropriate set of procedures'is provided and power sources are available and capable of supplying power during grid blackout, a more prompt recovery may be possible. Human reliability and the availability of alternate power sources may limit the recovery potential to as low as 60% recovery in about an hour. If multiple reliable sources of power that can be isolated from a blacked-out grid are available, the potential may be as high as 95% recovery in less than one-hal.f hour. For this study, an of fsite-power-restoration likelihood of 80% wit'hin one-half hour of a grid failure was assumed for the analysis of plant sites w th enhanced recovery capabilities (e.g., pro-i cedures and at least one power source available for prompt recovery). The recovery probabilities for grid-related losses of offsite power were developed by fitting past operating data to a two parameter Weibull distribution. The data used in the curve fit are provided in Table A.S. Figure A.5 provides a curve showing the probability of not restoring offsite power versus the duration of losses of offsite power as a result of grid blackouts. It also shows the potential for improvement with enhanced recovery capability over past operating experience. The correlations for grid reliability and offsite power restoration were developed by combining the occurrence frequencies representative of operating experience and the calculated recovery probabilities. Table A.6 provides the grid failure frequency and duration groups obtained. Figure A.6 shows the dis-crete loss-of-offsite powar fre N ency and duration curves corresponding to the groups identified in Table A.6. LOSS OF OFFSITE POWER AS A RESULT OF SEVERE WEATHER Severe weather conditions, such as local or area-wide storms, have caused losses of offsite power at nuclear power plants. Weather-related causes of offsite power failure have been divided into two groups (1) those for which the weather caused the event but did not affect the time to restore power (2) those for which the weather initiated the event and created conditions so' that power was not or could not have been restored for a long time Group (1) includes lightning and most other weather events that do not cause severe or extensive physical damage at or near the site. They can cause a loss of offsite power, but their severity dces not contribute in any significant way to long-duration losses of offsite power. These types of weather-related off-site power outages are usually considered in the plant-centered or, possibly, the grid category. Group (2) includes losses of offsite power that result from NUREG-1032 A-14
,,ii , ,
. .,,,; - - i4 i
1.0 - 0 Data _ h 50.s - N -
- 0.8 -
# \ Normal Recovery h
g 0.7 -
. \ \\ 90% Confidence g
\ \
Limits for Normal' Recovery E0 86
\
m
\.
w 0.s - - C \ z 0.4 - Enhanced -
- u. Recovery i D 0.3 -
\ \ -
l 2 0.2 -
\ -
2 N N l
' O.1 -
N \* s. N' 0- ' ' ' ' ' ' ' ' ' ' ' ' O.01 0.1 1.0 10 DU R ATION (Hours) Figure A.5 Restoration probability for grid-related losses of of f site power 4 NUREG-1032 A-15
- - - - - - __ - - . _ _ . . . , . , , - -. , . - - . - - - . - , a
Table A.6 Gridreliability/rechvery Group Grid loss frequency, reliability recovery l Grid reliability-group (G): Frequency of grid loss: ! G1 Less than 1 per 60 site-years (0.01/ site year) G2 > 1 per 60 site years and i 1 per 20 site years : (0.03/ site year) ; G3 > 1 per 20 site years and
> 1 per 6 site years T0.1/siteyear)
G4 Greater than or equal to 1
.per 6 site years (0.3/ site year)
Recovery from grid 4 blackout group (R): Recovery capability:
.. R1 . Plant has capability and procedures ' *
- to recover offsite (nonemergency)
AC power to the site within 1/2 hour following a grid blackout. R2 All other plants not in R1. Grid reliability / Grid reliability Recovery from grid ', recovery g*oup (GR): group (G): blickout group (R): GR1 G1 R1 : GR2 G2 R1 GR3 . G3 R1 GR4 - G4 R1 GR5 G1 R2 GR6 G2 R2 i GR7 G3 R2 l e e i NUREG-1032 A-16
"- -4 - + - -----r r -r -
l 1 l 0.06 i i i i GR4 GR3 . Note: l 0.05 -
~
Grid Reliability / Recovery Groups GR 1 GR 7 Are Defined in Table A.6 j 0.04 - l k s \ G ' E G R7 h 0.03 - - O ) 2 GR6 w I 3 ' i 0 ' w , E 0.02 - GR2 0.01 - GR5 - 1 GR1 I 0.00 0.1 0.3 1.0 3.0 10.0 DURATION (Hours) Figure A.6 Estimated frequency of occurrence of grid-related losses of offsite power exceeding specified durations 4 NUREG-1032 A-17
-- ,.,n --_-,-,.,_.,,,...n -
, , , _ . _ , _ _ _ . . , _ , _ , , _ _ _ , _ . ,,,,,,,,_._.,,_,_,,,___,____n__,,__.,,______,_. .,,.
~
major storms, hurricanes, high winds, acc'umulations of snow and ice, and torna-does. The expected frequency of loss of offsite power of this group is rela-tively small; on the other hand, for this group the likelihood of restoring offsite power in a short time is also relatively small. To estimate the likelihood and duration of loss of offsite power as a result of severe weather, it is necessary to (1) identify the set of weather hazards to be conside'ed, r (2) determine the likelihood of failure for a given hazard inten-sin, end (3) determirm " e repair or restoration time for the various f:i R . modes associated with severe weather related power losses. Although utilities and regional power pools normally keep extensive data on transmission line, terminal, and customer outages from all causes, including weather, little information has been obtainable tnat can be used to derive the likelihood of loss of all offsite power at nuclear plants or for similarly designed incoming transmission lines and switchyards at non-nuclear plants. In light of this limitation, the objective of this study was to derive some general frequency and duration characteristics that could be applied to the design and location of nuclear power plant offsite power systems generically or on a case-by-case basis, considering specific susceptibility to the various weather hazards. The approach taken was to develop a range of loss-of-offsite power frequency and duration relationships based on weather hazard rate and past operating experience. First, data for all loss-of offsite power events involving both partial or total failures were reviewed. Weather-related total loss-of-offsite-power events and significant partial loss-of-offsite power events, such as those causing the complete loss of power to or from a switchyard, were included. These data are provided in Table A 7. Here again, as with grid reliability experience, this data base is too small to be used to derive plant location and design-dependent conclusions regarding tne expected.,freq'uency of loss of offsite power as a result of severe weather. Normally, regression analyses would be used to correlate failure rate, desigo fr. tors, and weather hazards. However, the losses of offsite power are so rare that the available data are too limited to take such an appec,acn. The method used to correlate loss-of-offsite power frequency to weather hazards is based on the assumption that the frequency of loss of of fsite power as a result. of severe-weather events is proportional to the weather hazard rates at a site. The weather hazard rat'e is a measure of the frequency of conditions that have the potential to cause loss of offsite power. The followina weather hazard rate indicators were selected: snow / ice: inches of snowfall per year tornado: frequency of tornadoes per year hurricane and wind: frequency of storms per year with wind speeds of tropical storm strength or greater These factors are called indicators because no mechanistic cause and effect analysis has been performed to associate their occurrence with a loss of offsite power. Rather, it has been observed that losses of offsite power have occurred when these types of weather conditions were present. For instance, winter and spring snowstorms, which can be measured according to inches of snowfall, also bring conditions involving ice accumulations on lines and terminals. Windy conditions may also accompany these storms. Thus, a hazard indicator of inches NUREG-1032 A-18
Table A.7 Severe-weather-induced losses of offsite power used in the analysis Duration Type loss / site Date (hours) Weather type Total losses of Offcite Power: Fort St. Vrain OE/17/82 1.75 Er-/ Ice Pilgrim 05/10/77 2.67 Snow / Ice Dresden 11/12/65 4.00 Tornado Millstone 08/10/76 5.00 Salt Spray .- Millstone 09/27/85 5.50 Salt Spray Pilgrim 02/06/78 8.90 Snow / Ice Major Partial losses of Offsite Power: Browns Ferry 03/01/80 Snow / Ice ' D. C. Cook 02/04/78 Snow / Ice Pilgrim 10/12/82 Salt Spray San Onofre 02/24/69 High Wind Brunswick 09/13/84 Hurricane / Wind Arkansas Nuclear One 02/22/75 Tornado Arkansas Nuclear One 04/07/80 Tornado Browns Ferry 04/03/74 Tornado of snowfall is merely a factor used to correlate loss-of-offsite power occur-rences wit.h locations most susceptible to winter and spring storms involving snow and ice accumulations and associated windy conditions. A similar situation exists with regard to tornado hazards. The expected fre-quency of tornadoes in the vicinity of the plant was used as a factor to cor-rela.te actual losses of offsite power resulting from tornado strikes. Hurricane and high wind conditions can cause losses of offsite power by blowing debris, falling trees, and other possible modes of falling lines and shorting terminals. Storms are classified as hurricanes when wind speeds sustain 75 mph. , The frequency of this wind speed was used as a correlation point to determine - the variability of hurricanes and high wind hazards at various locations (sites). , 1 A special subgroup was identified for hurricane and wind losses at plants ! adjacent to the seacoast or large bodies of salt water. This subgroup was - formed in response to experience at the Millstone and Pilgrim sites where i high winds associated with storms and hurricanes caused salt buildup on switch- ! yard. insulators, whir.h then resulted in arcing and faulting of the switchyard. l
\
By dividing the number of losses of offsite power that have occurred by the l cumulative historical weather hazards for each weather type at nuclear power l plant sites, an offsite power failure proportionality factor for each weather type was derived. This process can be represented as follows: 4 NUREG-1032 A-19
o Hg Pg= \ where P$= the proportionality factor for weather type "i" f Ng= i.h. observed number of offsite onwer losses as a result nf weather type "i" , H he cumulative weather hazard factor for weather type "i" jj = 'at site "j" ' Hj$ = hj$ ot) where h jj = the weather hazard ra e for type "i" weather at site "j" at) = the cumulative site years since commercial operation began at site "j" The expectation frequency of loss of offsite power can then be computed by Sj$ = P4 h jj where S jj is +.he estimated f requency of loss of of fsite power at site "j" for weather type "i", and P$ and hj$ are defined as before. Weather-induced f ailure proportionality f actors were derived using the data f rom Table A.7 and cumulative weather hazards data for U.S. nuclear power plant sites through 1985. The weather hazard factors for each site were derived from National Weather Service data where available (Batts et al. ,1980; National Oceanic ano Atmospheric Administration, 1980; Neumann et al., 1985; Shaefer et al., 1985; Simiu et al., 1979) and from site-specific.probat,ility calculations performed by the National Severe Storms Forecast Center. The proportionality factors froin hurricane /high wind and tornadoes were derived for several sub-groups to account for plant design or location features which may result in variations in the probability of offsite power losses resulting from these weather conditions. As discussed ptsviously, hurricane and high wind conditions which can induce salt spray to unprotected switchyard components near bodies of salt water were separated from other potential causes of hurricane /high wind induced losses of offsite power (e.g., falling trees and blowing debris). Since no total losses of offsite power were reported for the latter type of hurricane /high wind condi-tions, the median value of the chi-square for zero failures and two degrees of' freedom was used as a bound. I
- NUREG-1032 A-20 t .
A tornado ha'zards. loss-of-offsite-power proportionality factor was derived for plants with single or' closely spaced rights-of-way emanating from the plant and for plants with multiple, divergent rights-of-way. The data in Table A.7 in-volve losses of lines on single rights-of-way or multiple line losses on some but not all rights-of-way. Therefore, these data were used to derive the pro-portionality factor for sights with single or closely grouped rights-of-way. Since no occurrences of tornadoes causing total loss of offsite power at sites with multiple, divergent rights-of-way have been reported, the median value of the zero failure chi-square statistic was used to approximate this proportion-ality factor. On the basis of the analyses described above, the following weather-induced failure proportionality factors were derived: P 3fy = 1.3 x 10 4 inches of snowfall P = 1.2 x 10 2 for windspeeds t 75 mph H/W P 33
= 0.783 for windspeeds 1 50 mph P
T1
= 72.3 for single rights-of-way or equivalent P
T2
= 12.5 for multiple divergent rights-of-way where subscripts S/I = snow / ice, H/W = hurricane /high wind, SS = salt spray, and T1 and T2 refer to tornadoes. .
Normally this type of. correlation would be supported by a statistical validity test. As pointed out previously, because there have only been a few weather-related losses of offsite power at nuclear plants, the statistical validity could not be ascertained. However, as a test of the reasonableness of this formulation,aplotofcumulativeweatherhazardfactorforeachsite(Hj) versus total cumulative weather hazard factor tabulated for all applicable nuclear plant sites (IH ) 4was made, and the ' severe weather-related operating experience for both total and major partial loss-of-offsite power events was identified. A comparison was also made of the number of sites falling within subdivisions of the range of cumulative weather hazard factors. This informa-tion is provided in Figure A.7, where the number of losses of offsite power followed by a "T" represent total losses of offsite power and those followed by a "P" represent major partial losses of offsite power. Because frequency of loss of offsite power as a result of weather has been assumed to be proportional to the magnitude of weather hazards, the occurrence of weather-related losses of offsite power should favor the sites with the highest cumulative weather hazard. In general it does. . The events identified in Table A.7 are typified by durations of several hours. The fa'ilures are somewhat localized, able to be isolated, or repairable with modest effort. Design factors such as transmission ~line right-of way separation, structural strength of transmission and switchyard components, insulation from effects of adverse environments, and operational factors related to repair capa-bility or use of alternate, available power sources will impact the likelihood and duration of loss-of-offsite power events of this type. Events of this type will be referred to as severe-weather events throughout this appendix. 4 NUREG-1032 'A-21
l SNOW /lCE o
. 20 - - 10,000
- 4T ,
1P 15 - 7.500 I l e I w t 10 - - I 5.000 m - I 1 0 1P J
= ,
w
- =
!5 z
" ~i i
2.500
.-. l 0--- 0 1 2 10 10 103 H3 ,
HURRICANEcWIND/S ALT SPR AY TORNADOES 20 - - 20 20 - - 0 100 AT 2P 37 15 - W 3P 15 15 - - 0075 l - I l
}
l l- - l 0 m l W 10 - - 10 # 10 - - 0 050 l G - l G l ' m m _ C : o --- e ,3 e - w w <3 m := 3 5 - - 5 3 5 - - 0 025 m a 2 2
.-. H
- -- - -" I 0 0 0-- 0 000 0.1 10 10 8
10 3 10 2 1 Hg H7 Figure A.7 Weather hazard expectation histograms , ,
\
l NUREG-1032 A-22 i
None of the events identified in Table A.7 involved tornado or h'urricane/high wind conditions that severely damaged structural elements of all transmission and/or switchyard components of sources of offsite power to the plant. Although such an occurrence is rarely expected, many hours or days could be required to repair and restore offsite power. The frequency of these more extreme weather-related power losses can be esti-mated by determining the frequency of weather conditions that are severe enough to damage all offsite power sources. The same design fact m Mted above for the more repairable loss-of offsite-power events will determine the suscepti-bility, and thus frequency, or hazard rate, of weather conditions that could result in area-wide transmission and/or' switchyard failures. Based on the National Electric Safety Code, power plant tr'ansmission systems should be designed for wind speeds on the order of 125 mph. High wind speeds could cause extensive power trartsmission losses, although this will vary, depending on the specific design. Another potential hazard, tornado (es), must strike all rights-of-way or switchyards with sufficient intensity to damage the minimum number of components required to supply off, site power in order to cause a long-duration loss of offsite power. The proba'bility of equipment failure given the occur-rence of these extreme weather condit'ons is assumed to be unity, or nearly so; thus the likelihood of loss of offsite power can be approximated by the fre-quency of occurrence of the extreme weather condition. The frequencies of the extreme hurricane (known as great hurricanes) and high winds are available from National Weather Service data.
~
To es'timate the frequency of single or multiple tornado strikes damaging all transmission lines or switchyard components requires modeling of the offsite power transmission line geometry (Anders et al., 1984; Teles.et al., 1980) and using site / area data for tornado frequency, intensity, and direction. This type of mechanistic, probabilistic analysis was not performed as part of this work. A simpler approach was used. The frequency of tornadoes of intensity F2 or greater (> 113 mph wind speeds) striking at any point within the site was obtained. Since this frequency for tornado strikes can be considered to occur any where at the site, it has oeen used as the frequency of, tornado strikes at the switchyard or transformers. This represents the frequency of losses of offsite power as a result of tornado strikes that require significant repair effort and time. Since tornado strikes crossing all. rights of way are not included in this simplified approach, the frequencies estimated will under-predict the actual frequency of long-repair-time losses of offsite power as a result of tornado strikes. However, the repairable losses of offsite power resulting from tornado strikes have been included in the overall model pre-viously discussed, using the hazard and proportionality factor approach. And the median repair time of about 4 hours should adequately account for repairable tornado-associated losses in light of the overall uncertainty of the simplified modeling and analyses used. Events of the types discussed in the preceding two paragraphs are referred to as extreme weather events throughout this appendix. Although the frequency of these extremely severe weather events could be,as high as 0.01 per site year, it will more typically be less than 0.001 per site year. The time necessary to restore a source of offsite power for weather-related failures will depend on the severity of damage caused by the event. Major NUREG-1032 A-23
o structural damage can typically require 8 to 24 hours or longer for repair. Data obtained from the Mid-America Interpool Network (MAIN) and the Mid-Continental Area Pcwer Pool (MAPP) (MAIN, 1983; MAPP, 1983) indicate that'it takes on the order of 8 to 12 hours to restore transmission or terminal point outages that resulted from severe weather. For this study, nuclear power plant outage time data for losses of offsite power that resulted from severe weather wera used to estimate restoration likelihood for the less-than-catastrophically-damaging weather events. Data for total loss-of-offsite power events were fitted to e two parameter Weibull distribution and used to generate the restoration lih:lih::d curve shown in rigure A.8. Also shown in Figure A.8 is an example l of an "enhanced" recovery curve that can be used to differentiate plants with practicable. power restoration procedures for these weather types. The applica-bility of enhanced recovery shown depends on the capability and procedures to restore power within about 2 hours for a civen weather hazard. l l l An estimate of the total severe-weather-related frequency of loss of offsite ! power was derived by summing the values for each weather hazard type at all nuclear plant sites. Plant-speci.fic design or procedural details can af fect the estimated frequency of weathe'r-related losses of of fsite power. Therefore, an attempt was made to derive the range of possibili' ties rather than to provide site-specific estimates, it should be noted, however, that, because of a lack of data, not all weather ha:ards could be accounted for at every site. Moreover, some weather data extrapolations were necessary when data from weather stations near a site were not available. The frequency range derived was large, and determining where a part.icular site / design combination would fall in that range requir'es evaluation of the site-specific details identified previously. For the purpose of this work, the rangt was sub' divided into groups with approximately a factor of 3 difference in median frequency. The,subranges so derived are pro-vided in Table A.8. This partitioning allowed generic evaluation of the effects of severe weather ha:ard on loss-of-of fsite power frequency while at the same time providing perspective on the potential for plant-specific differences. Figure A.9 shows the severe weather frequency and duration combinations corres-ponding to the groups defined in Table A.8. For los:es of offsite power caused by extremely sivere weather--such as great I hurricanes, very high winds (greater than 125 mph), and major damage from ter-nado strikes to a switchyard--restoration of offsite power was not assumed to , occur before 24 hours after the start of the outage. The frequency breakdowns, i derived in a manner similar to that for severe weather, are provided in Table A.9. l l Again it must be noted that a site-specific assessment of the susceptibility to I these weather hazards must be performed to determine the site-specific expecta-tion frequency. , l GENERIC LOSS-OF-OFFSITE-POWER CORRELATIONS Combinations of design, grid, and weather factors derived in the previous sec-tions orovide a wide spectrum of possibilities for loss-of of fsite power f re-quency and duration. Each of these factors was subdivided to account for known or hypothetical but reasonable differences in frequency and duration; typically, a factor of 2 to 5 difference was maintained for these subdivisions. The intent was to develop a discrete set of frequency and duration groups that could account for actual and potential differences in both design and location (grid and wea-ther) for the spectrum of nuclear power plant sites. The frequency of losses NUREG-1032 A-24 _ _ _ _ _ . _ _ _ _ _ _ . . _ _ _ _ _ _ _ _ _ _ _ . _ _ . _ _ _ _ . _ _ _ . _ 4
I 4 4 4 4 3 ) II3(ll 4 4 1 I I l I I 3 I I I l 1.0 - e ata _ ec - t y 0.9 - o Normal Recovery
- c. #
$ 0.8 -
G D \ 90% Confidence o 0.7 - - F ~ Limits for Normal k C ' Recovery 0.6 - a \y k(\
$ 0.5 -
\
> \
w 0.4 - \ \ - o Enhanced / \ \
\
[ 0.3 Recovery \
\
! O.2 -
\, T\
l 0.1 -
\ -
N \ 0 O.1
' ' ' ' ' ' ' ' I ' ' ' 'I \'
1.0 10 100 DURATION (Hours) Figure A,8 Restoration probability for severe weather-induced losses of offsite power i l d NUREG-1032 A-25 i
. 1
9 Table A.8 Severe'-weather-induced loss-of-offsite-power, frequency / recovery. Group Duration combination Frequency of severe-weather-induced loss of offsite power 4, group (s): Frequency: 41 Lesc than 1 per 233 site years (0.002) 92 1/333 to 1/100 site years (0.005) 53 1/100 to 1/33 site years (0.02) 54 - 1/33 to 1/10 site years (0.05) 55 1/10 to 1/3 site-years (0.2) Recovery from severe-weather-
' induced loss-of-offsite power group (R): Recovery capability:
R1 Plant has capability and procedures to
- recover offsite (nonemergency) AC power
. - to the site within 2 hours following a severe-weather-induced loss of of f-site power.
R2 All otner plants not in R1, Severe-weather-induced loss-of-offsite power frequency / recovery group (SR): Frequency group (5): Recovery group (R): SR1 51 R1 , SR2 52 . R1 SR3 53 R1 SR4 54 R1 SRS 55 R1 SR6 51 R2 SR7 52 R2 SR8 53 R2 SR9 S4 R2 SR10 55 R2 e NUREG-1032 A-26
e 0.020 --
; i i i i
SR8 SR4 SR5 SR9 SR10 I SR3 y 0.015 - j
)
~
6
.T V)
E b 0.010 Noie:
, U See Table A.8 for 2 Definitions of SR1 SR10 D
0 w SR7 0.005 SR2 SR6 - SR1 0.000 I 0.1 0.3 1.0 3.0 10 30 DUR ATION (Hours) ' Figure A.9 Estimated frequency of occurrence of severe-stors-induced
, losses of offsite power exceeding specified. durations 4
NUREG-1032 A-27
, Table A.9 Extremely severe-weather-induced loss-of-offsite power ' frequency Extremely severe-weather-induced 4 loss-of-offsite power frequency group (SS) Frequency 551 Less than 1 per 3333 site year: (0.0002/ sit: ,::r) ~ SS2 > 1 per 3333 site yeai, .nd
< 1 per 1200 site years (0.0005/ site year) 553 > 1 per 1000 site years and l
< 1 per 333 site years (0.002/ site year) 554 -
> 1 per 333 site years and i 1 per 100 site years (0.005/ site year) 555 Greater than or equal to 1 per 100 site years (0.02/ site year) of offs'ite power lasting duration "t" or longer can be estimated t'y an appro- ,
.l priate combination of the correlations that were developed in this appendix and
- can be represented by the following equation:
A LOP (t)
- iI (t) + GR)(t) + SR k (t) ' 33 1 where I g(t) = the plant-centered loss-of-offsite power frequency correlation s defined in Table A.3 and Figure A.3 l
GR)(t) = the grid-related loss-of-effsite-power frequency correlation defined in Table A.6 and Figure A.6 3 SRk (t) = the severe-weather-related loss-of-offsite power frequency correlation defined in Table A.8 and figure A 9 - 4 SS t = the extremely severe-weather-related loss .of-of f site power l J frequency defined in Table A.9 [ The identification of the I g factor is the most straightforward because it is l based on configuration. As a first cut, the appropriate GR) factor can be ) identified by dividing nuclear sites in the United States into two categories: NUREG-1032 A-28
+
- t (1) FPt sites, approximated by GR3, GRt, or GR7, and (2) all .other sites repre- l senting average frequency o pection of grid failure, approximated by GR1 or GR4 The SRk and 55 factors &re not so easily identified because both design 3
specifics and hazard rate must be determined. It is possible, however, to bracket these factors with a range that can be used to judge importance of station blackout considerations using hazard rates and proportionality factors for severe weather and using the upper range of the estimated failure rate for extreme weather hazards. , A test of the loss-of-offsite-power correlations that were developed was made by comparison with plant-specific results from published probabilistic risk assessments (PRAs). Figures A.10 through A.14 provide these comparisons. The degree of conformity between the results from the published PRAs and results based on the models developed in this appendix varies. Reasonable agreement was achieved for Indian Point (with credit for nearby gas turbine generators), Shoreham, and Limerick._ The difference between the Indian Point PRA with credit for nearby gas turbine generators and this model is primarily due to the reliability associated with those power sources. In the Indian Point PRA, the combined reliability of the two gas turbine generators was on the order of 99%. In the model developed for this study, a fixed value for alternate offsite power sources of 80% was used. With regard to the Millstone PRA, the differences are primarily due to the use of data from other sites that do not appear to have the susceptibility to salt spray that the Millstone site has. In the model developec in this study the operating experience at sites other than Millstone, and to some extent Pilgrim, was not considered to be relevant and thus the two long losses of offsite power at the Millstone site contribute signific.antly to the estimated occurrence frequency of long-duration outages. The differences with the Zion PRA results could stem from one of several possibilities: design and proce-dural factors are more reliaote than assumed in the comparison; the Zion PRA results are optimistic; or the models and correlations derived for generic analyses have limitations when applied to scee plant-specific cases. Because l of these considerations, a' generic analysis must be used with caution in plant-specific applications. However, the generic models can usually provide good t
"ball park" results for generic applications and perspectives. Clearly the more details available and included in the models regarding design, procedures, alternate power sources, and' protection provided from severe weather condi-tions, the more likely that the generic results will closely equate to plant-specific results.
l l The development of a more limited number of generic loss-of-offsite power fre- l quency and duration relationships that could be used for regulatory analysis involved the clustering of the site / design factors to determine if combinations ) of these factors could be grouped into a more limited, but still representative, set. A set of five cluster groups was derived from the set of site
- design possibilities using the Fastclus procedure of the SAS package (SAS Institute, 1979). To limit the number of cluster groups, the clustering had to be based on loss-of-offsite power durations of 2 to 8 hours. Figure A.15 7 rov.h a {
plot of the cluster groups derived from this analysis, and Table A.10 identifies combinations of each of the four factors (GR, I, SR, and SS) included in the nine cluster groups. For example, a plant with GR1, II, SR1, and 552 would be ! in cluster group 1. Grid reliability groups were limited to GR1, GR3, GR5, and i GR7 to generate the clusters. Table A.11 provides a tabulatign of cluster mean, median, and range' values, i l NUREG-1032 A-29 O
. e .
m 0.10 g g g-Wit gas hout use 1 turbin e gen of n \ earb y erators l I I s / ndianP oin y 0.06 (mean )t PRA j),
$ I
/ ndia M g /
(mn Point RA P 5 3 edia ni s 3 5 0t- 0
. ** ,g*[
' p.s h use of \ - U by gas n r 0.02 e gene'a r tors n
PRA m ean) , (me (dia ns) Model
/ Model 0.00 1.0 -
- 2. 0 1 4.0 i DUR 8. 0 19 ATIO N(Ho urs ) 16.0
,10 exEstima ted . ceeding specififrequen y of c ' ed los ses a of A dur tions f . A-30 or Indian Pointoffsite power O
OR , y , y [0.04 - - E U 0 Zion PR A 3 0.02 - (means) - x
" /
Model
/
Zion PR A,, , (medians)
' ' l 0.00 i 0.5 1.0 2.0 4.0 8.0 16.0 DUR ATION (Hours)
Figure A.11 Estimated frequency of losses of offsite power exceeding specified durations for Zion i l 0.06 i y y l f 0 04 - t L O s Shoreham PR A 2 3 0.02 - -
= .s 3
I Model I I I 0.00 1.0 2.0 4.0 8.0 16.0 DUR ATION (Hourst Figure A.12 Estimated frequency of. losses of offsite power exceeding specified durations for Shoreham
! NUREG-1032 A-31
( .
b i i 4
- c. .
\
3 i 1 r 1 I i " i i $ 0.5 i ,
' I I .I i
O.4 - 4 i ! i 1 4 I
- i
>I 0.3 d 5 i a : > .a <
O , Z . l w ,
- D 3 0.2 - -
l 1 e : a w ; I l t i j Model - ! t l' 0.1 - - Millstone 3 PRA . 4 I l 0.0 - i 1.0 2,0 4.0 6.0 16.0 i DU R ATION IHoural i j Figure A.13 Estimated frequency of losses of offsite power 1 , exceeding specified durations for N111 stone 3 9 NUREG-1032 A-32 i . 1 _ . - - . - . . - . . . - _ _ - . _ . . _ , - . . _ . _ - - . - - - = . , . . - - , - - - . - - - - . . , . . , .
0.04 i i i 0.03 j Model - j Limerick PRA 5 h y 0.02 ~ ~ 2 5 e w 0.01 - - i 0.00 - I I ' l 1.0 2.0 4.0 8.0 i 16.0 ] . 1 DUR ATION (Hours) i . l Figure A.14 Estimated frequency of losses of offsite power 1
, exceeding specified durations for Limerick j s.
NUREG-1032 A-33
. , , ,- .--r.- ,
.._-n.,,--,_,_,,,,-a.wv.O,,,--.,..--,,__.,,n,,-,n.,w pp.-n,,_,n.ny_n, .
^
l O l 1 l l l I l 1.0 .
, l 3 i .
i i ; i i i -
~
i T
- 0.1 --
> . 8- --
e .
= -
=
in . 5 - Of f sit e - S e Power
> i Cluster ,
o I b 0.01 :- 5 _ 3 - C : 4 ~ g - e w e - 4 3 - E ' p 0.001 ::-
$ 5 3 C
1 : 0.0001 - ' I I ' ' I I I I 0 2 4 6 8 10 12 14 16 DURATION (Hours) Figure A.15 Estimated frequency of occurrence of losses of offsite
- power exceeding specified durations for nine offsite aower clusters .
HUREG-1032 A-34 4
, , . _ . . _ , . . . _ - . - , . . _ . _ _ _.,.,,,,-_..e-. _ r.,,,.,,- - - - - ._--, gor 7 , . , , , .,, __
/
Table A.10 Identification of grid (GR). offsite power system. - design (I), severe weathe'r (SR), and extremely severe weather (SS) factors included in five cluster groups Cluster group I GR- SR SS 1 1,2 1,3,5 1,2,6,7 1,2 1,2 1,3,5 1,6 3 1,2 1,3,5 3 1,2 2 1,2 1,3,5 8 1,2,3 1,2 1,3,5 4 1-4 1,2 1,3,5 2,3.7 3,4 1,2 1,3,5 1,6 4 3 1,3,5 1,2,6,7 1-4 3 : 1,3,5 3,8 1,2 3 1,3,5 3 3,4 3 1,3,5 -4 1-4 3 Same as 7 Same as Same as cluster 2 cluster 2 cluster and 1 and 1 2 and 1 4 1,2,3 1,3,5,7 1-9 5 1,2,3 1,3,5,7 5,9 1-4 1,2 1,3,5,7 8 4 3 1,3,5,7 8 3,4 5 1,2,3 1,3,5,7 10 1-5
^
O 9 8 e f 8 4 NUREG-1032 A-35
Table A.11 Loss-of-offsite power. frequency distribution per clust6r group Duration (hrs) Cluster group /value: 0 2 4 8 16 Cluster 1: Upper Bound 0.1895 0.0102 0.0050 0.0031 0.0022 hean 0.1157 0.0057 0.0027 0.0014 0.0007 Median 0.0845 0.0052 0.0025 0.0012 0.0005 Lower Bound 0.0812 0.0013 0.0005 0.0003 0.0002 Cluster 2: Upper Bound 0.2240 0.0271 0.0142 0.0077 0.0058 Mean 0.1297 0.0144 0.0075 0.0044 0.0027 Median 0.1040 0.0141 0.0070 0.0040 0.0022 Lower Bound 0.0812 : 0.0037 0.0026 0.0007 0.0002 Cluster 3: Upper Bound 0.2277 0.0447 0.0232 0.0104 0.0060 Mean 0.1892 0.0307 0.0159 0.0063 0.0024 Median 0.1798 0.0303 0.0153 0.0057 0.0017 Lower Bound 0.1749 0.0218 0.0113 , 0.0037 0.0006 Cluster 4: Upper Bound 0.3927 0.0909 0.0563 0.0340 0.0230 Mean 0.2113 0.0447 0.0273 0.0175 0.0126 Median 0.1978 0.0043 0.0253 0.0186 0.0080 ! Lower Bound 0.1010 0.0191 0.0140 0.0065 0.0023 ! Cluster 5: Upper Bourd 0.3927 0.1838 0.1242 0.0647 0.0287 Mean ' 0.3306 0.1504 0.1006 0.0477 0.0140 Median O.3343 0.1466 0.0970 0.0449 0.0123 Lower Bound 0.2792 0.1354 0.0909 'O.0412 0.0086 l b NUREG-1032 A-36 . W 6
Because design, grid', and Wather all play a role in the frequency and duration relationship for each cluster,.it is difficult to generalize about the dominant factors affecting loss of offsite power. It is possible to say that the higher frequency at longer duration groups (clusters) are most heavily influenced by weather hazard susceptibility. The highest frequency and duration correlation developed in this study (cluster 5) is driven by the high occurrence frequency (location) and susceptibility (design) to uit spray at coastal sites. REFERENCES Anders, G. J., P. L. Dandeno, and E. E. Neudorf, "Computation of Frequency of Right-of-Way Losses Due to Tornadoes," Paper 84WM0402, IEEE Winter Power Meet-ing, Dallas, Texas, January 1984. Batts, M. E., M. R. Cordes, L. R. Russell, J. R. Shaver, and E. Simiu, "Hurri-cane Wind Speecs in the United States," National Bureau of Standards, BSS 124, May 1980. Mid-America Interpol Network (MAfN) Transmission Outage Task Force, "Sumnary of MAIN Transmission Line Performar.ce for the Year 1982, 34C KV and 765 KV," September 1983. ' Mid-Continental Area Power Pool (MAPP) Transmission Reliability Task Force, "Mid-Continent Area Power Pool Bulk Transmission System Outage Repcrt (January 1977 - December 1982)," July 1983. National Oceanic and Atmospheric A einistration, ~ Comparative Climatic Data for the United State; throuch 1980; 1980. Neumann, C. J. N., G. W. Cry, E. L. Caso, and B. R. Jarbinen, "Tropical Cyclone of the North Atlantic Ocean, 1871-1980," National Oceanic and Atmospheric Administration, July 1985. . Power Authority of the State of New York and Consolidated Edison Company of New York (PASNY), "Indian Point Probabilistic Safety Study," 1982. Shaefer, J. T. , D. L. Kelley, and R. F. Abbey, "A Minimum Assumption Tornado Hazard Probability Model," National Oceanic and Atmospheric Administration, Technical Memorandum NWS NSSFC-8, may 1985. 1 Simiu, E. , J. Changery, J. J. Filliben, "Extreme Wind Speeds at 129 Stations ! in the Contiguous United States," National Bureau of Standards BSS 118, I March 1979. SAS (Statistical Analysis System ) Institute, Inc., "SAS Users Guide 1979 Edition," 1979. Teles, J. E., S. W. Anderson, and G. L. Landgren, "Tornadoes and Transmission Reliability Planning," in Proc. American Power Conference, Vol. 42, 1980. U'S. Nuclear Regulatory Commission Generic. Letter 81-04, "Emergency Procedures , .and Training for Station Blackout Events," February 25,.1981. l . { i 4 NUREG-1032 A-37
o
-- , NUREG/CR-2434, H. F. Monty, R. J. Beckman, C. R. McIntear, "FRAC (Failure Rate Analysis Code):' A Computer Program for Analysis of Variance of Failure Rates," March 1982.
-- , NUREG/CR-3992, R. E. Battle, "Collection and Evaluation of Complete and Partial Losses of Offsite Power at Nuclear Power Plants," February 1985.
Wyckoff, H. , "Losses of Offsite Power at U.S. Nuclear Power Plants All Years Through 1985," NSAC/103, Electric Power Research Institute, May 1986.
. w 9
9
+
1 O e 9 NUREG-1032' A-38 _.. _' -- , - - _ ~ , . , _ _ _ _ - _ _ ,, ., - . - - , ~ , -
APPENDIX B EMERGENCY AC POWER RELIABILITY AND STATION BLACKOUT FREQUENCY: MODELING AND ANALYSIS RESULTS
, *e 9
e e d
- NUREG-1032
. f
l . 1 l TAELE OF CONTENTS Page ELEMENTS.0F EMERGENCY AC POWER RELIABILITY M00EL........................ B-1 COMMON CAUSE FAILURE OF THE EMERGENCY AC POWER SYSTEM................... B-4 EMERGENCY AC POWER RELIABILITY EVALUATION............................... B-9 STATION BLACK 0UT FREQUENCY.............................................. B-15 REFERENCES.............................................................. B-19 LIST 0F FIGURES B.1 Emergency AC Power Unavailability as a Function of Individual EDG Reliability and Common Cause Failure To Start for Three Emergency AC Configurations........................................ B-11 B. 2 Emergency AC Power Unavailability as a Funciion of Out-of-Service-Unavailability for Three EDG Unreliabilities....................... B-12 B.3 Emergency AC Power Unavailability as a Function of Repair Time for Both Independent EDG Faults and Common Cause Failure To Start.. B-13 B.4 -Estimated Range of Emergency AC Power System Reliabi.lity for Different Diesel Generator Configurations.......,.................. B-14 B.5 Sensitivity of Station Blackout Results to Potential Variation in Plant-Centered Loss-of-Offsite-Power Frequency.................. B-17 B.6 Sensitivity of Station Blackout Results to Potential Variation in Grid-Related Los s-of-Of fsite-Power Frequency. . . . . . . . . . . . . . . . . . . . B-18 LIST OF TABLES B.1 Areas of Potential Common Cause Failure............... ............ B-5
.B . 2 Emergency Diesel Generator (EDG) Comron Cause Failures . . . . . . . . . . . B-6 B.3 Common Cause Failure Rate Parameter Estimates...................... B-8 NUREG-1032 B-iii e
- APPENDIX B EMERGENCY AC POWER RELIABILITY AND STATION BLACK 0UT FREQUENCY: MODELING AND ANALYSIS RESULTS This appendix provides the details and results of emergency AC power system reliability analyses and station blackout frequency / duration estimates. The models and analysis results were developed to confirm and extand the findings of a previous study (NUREG/CR-2989) and to be used in regulatory analyses.
Modeling has been done at a generic level, but it could be made plant-specific by adjusting failure rate parameters to reflect site location, system design, and operational factors. The term generic, as used here, is meant to imply that the insights derived are gen,erally applicable to a large number of plants. Modeling and component failure rate variations are used to account for plant differences in design and operational features that are most important to sys-tem reliability. Sensitivity analyses were used to explore the effect of design and operational differences on system reliability for a' realistic spectrum of differences. ELEMENTS OF EMERGENCY AC POWER RELIABILITY MODEL The diesel generators--including all the subsystems and the auxiliary systems required to start, load, and run the diesels--are the components that have the highest impact on system reliability. Specifically the following have been " identified as the largest contributors to AC power system availability: (1) diesel generator configuration (2) reliability of each diesel generator (3) vulnerability to common cause failure (4) support / auxiliary system dependence In general, the details of the emergency AC power distribution system design from the Class 1E engineered safety feature buses to the safety system compo-nents using emergency AC power have not been found to be important contributors to system unreliability. With this in mind, emergency diesel generators (EDGs), l i DC power supplies, and service water cooling systems were the principal system l elements included iri the emergency AC power reliability models. A relatively high level (super component) modeling approach was used that could account for l maj'r o differences in equipment configuration and support system dependencies l while using support system reliability estimates developed in other studies. Three generic emergency AC power system designs were selected as roughly repre-senting the spectrum of operating nuclear plant systems. These systems are de-scribed by the number of dies 1 generators in the system and the number required to maintain core cooling during a loss of offsite power. These generic systems have been designated 2/3, 1/2, 2/4, and 1/3, indicating the number of diesel generators required per number available. Some other configurations do exist, but, emergency AC power system reliability is generally encompassed and well characterized by the three systems modeled, especially if the variability of NUREG-1032 B-1
failurs rates of the major components and auxiliary systems is accounted for. Configurations with a higher degree of redundancy ana/or diversity are the exception, not the rule, in current U.S. designs. The simplified reliability logic models for the generic configurations were developed from fault trees and insights on what factors are important contributors to AC system reliability. The simplified logic models are provided below: RFAC1/2 = 1 - PEAR?/2
= 1 - [(PEDG)
+P CCF2/23 REAC1/3 = 1 - PEAC1/3
+ 3P
= 1 - [(PEDG) EDG PCCF2/3
- CCF3/3 3 REAC2/3 = 1 - PEAC2/3 s 1 - [3(PEDG) + 3P;CCF2/3 + PCCF3/3 3 REAC2/4 = 1 - PEAC3/4
+ 12P 3 a 1 - [4(PEDG) EDG PCCF2/4 + 6(PCCF2/4) + 4PCCF3/4 + PCCF4/4 Where R EACi/j is the AC power reliability of an "i" out of "j" diesel generator system, and P EACi/j is the probability that "i" out of "j" diesels will fail or be unavailable wh'en required, P EDG is the probability that a single diesel gen-erator will fail or be unavailable when required, and P CCFi/j is the probability that "i" out of "j" diesel generators will fail and be unavailable as a result of common causes when required.
A more complete logic model can be developed using Markov modeling techniques (Husseing, 1982) when failure and repair rates are exponentially distributed in time. However, the simplifications inherent to the models used are in keeping with the approach of accounting for dominant factors affecting system reliability. Both random independent component failures and common cause or dependent fail-ures are included in the model. Failure mode considerations included hardware faults and human errors for s' tart and run failures, component repair, and com-ponent out-of-service time for maintenance. The least detailed level of model- , ing was at the support systems, which vary considerably in design. These sys- j tems have been modeled in detail in several probabilistic risk assessments (PRAs). The reliabilities of the support systems were treated as a super com- I ponent or undeveloped event in the logic models with a failure rate indicative of results from other studies (NUREG/CR-3226). Failure to run was treated as a constant failure rate process, and emergency diesel generator repair was treated as a constant repair rate process. With NUREG-1032 B-2 I
these approximations, the prouability that a diesel generator will be unavail-able for I SB hours during a loss of offsite power lasting T LOP is given by "I II I I LOP SB
'A FTR t -t I SB R* A e e SB R dt PEDG = PFTS
- FTR o
where T R is the mean repair time and A is the failure-to-run rate. The FTR failure-to-start probe 'ity, PFTS, includcs the tandby demand failure like-lihood of the emergency diesel generator to start and load, plus the unavail-ability because of scheduled and unscheduled maintenance, and the probability that auxiliary systems will fail or be unavailable (odt of service) at the time of the demand. Although the second term of the equation can be. integrated easily, the integral is maintained for applications relating to estimating sta-tion blackout frequency and duration to follow. The probability of failure to start, load, and run for a time, I SB, ecause of common cause failures is developed similarly to that for independent failures. It is given by:
'I I I LOP'ISB
'A CCFTR t "
I !I SB CCFR
- SB CCFR PEDGCCF - PCCF.*
- dt
, ACCFTR
- Here, P represents the common cause failure-to-start probability, A CCFTR CCFTS represents the common cause failure-to-run rate, and I CCFR is the associated repair t1me constant.
For simplicity, the repair rate for auxiliary systems that are required for successful diesel operation has been assumed to be approximately equal to that of the emargency diesel generator. Double component out-of-service conditions limited by technical specification were eliminated from tne final expression through inspection. However, the possibility of such cutages occurring as a , result of human errors or simultaneous failures was treated as a common cause I unavailability contributor. Recall that the unreliability of a two diesel generator system was given by l PEAC2/2 * (PEDG)
+P CFF2/2 '
where (PEDG) =F1+F2+F3 1 i NUREG-1032 B-3
-,-m -.c., ,- ,,.,m.. - - - . , _ , . - - - - - - - - - , . - -
0 ar.d where F7 = (PFTS)
-t ~I ~A 8
SB I t SB A e FTR t -(t+1SB)/IR e dt F2 = 2PFTS R)rLOP o FTR "I SB
~I
!IR 'ILOP SB (ILOP
~I SB
~A t FTR 2 -(t 2+t SB -t i )/t R ~A t FTR 2 F3 = 2e (AFTR)2 e e dt2 e dt t
'o , )t i with a
PCCF2/2
- ECCFTS2/2 *
~A FLOP~ISB t -t I
~
A e CCFTR2/2 e SB IR dt
- J,
~
CCFTR2/2
. and -
PFTS
- 9EDG1
- UEDG1 + POC1 + P3yy PCCFTS
- OCCF2/2 + UCCF2/2 + POCCCF + PSWCCF where Q EDG1 is the probability of a diesel generator failing on demand, U EDG1 is the maintenance unavailability of the diesel generator, P DC1 is the proba-bility of DC power supply failure causing a diesel to fail on demand, and P ggy is the probability of a service water system failure causing a diesel generator failure on demand. Terms with subscript CCF represent common cause failure contributions. -
The term (UEDG1) is not allowed. It is accoun'.ed for in the term U CCF2/2* I" a similar manner, the correlations for three or four diesel generator systems requiring one or two diesels for success can be derived. CO MON CAUSE FAILURE OF THE EMERGENCY AC POWER SYSTEM There has been a concern for years that the reliability of redundant systems may be limited by single point and common cause; of failure resulting in simul-taneous unavailability of two or more trains. Several techniques for modeling NUREG-1032 B-4 e
and quantifying the major contributors and their likelihood have been, and con-tinue to be, developed. Some of these techniques are aimed at a qualitative evaluation of common cause failure potential (Rasmuson, 1982), while others are primarily used to estimate common cause failure likelihood (Fleming and Raabe, 1978). Existing techniques have been used in this study to model and quantify common cause failures on a generic level, with sensitivity analyses used to l evaluate realistic variations in common cause failure likelihood and the effect on emergency AC power reliability. Emergency diesel genarator oper:. ting axperience' for the years 1976 through 1980 I was reviewed and documented in NUREG/CR-2989. Other reviews [ Electric Power Research Institute (EPRI), 1982, and Steverson and Atwood, 1981] also sh]w relevant operating experience and analysis of common cause failures of emer- ! gency diesel generators. Based on information from these sources and limited I review througn 1985 of licensee event reports (LERs) dealing with common cause failures, an updated list and classification of multiple emergency diesel generator failures and outages has been prepared. When enough information exists, the common cause failures,can usually be identified as falling into one of four groups: (1) design /h'ardware, (2) operations / maintenance, (3) sup-port systems / dependence, and (4) external environment. A further breakdown of this classification scheme is provided in Table B.1. The list of common cause failures'taken from LERs is in Table B.2. In NUREG/CR-2989 these were classified somewhat more generally in two broad categories of hardware and ; human-error-related failures. These two categories were then classified more specifically into generic and plant specifi.c design groups and into generic human error or plant pr6cedure-specific human error. ' ' i Table B.1 Areas of potential common cause failure Common cause failure group Types of potential failures Design / hardware Mechanical / structural design inadequacy Subsystems (fuel, cooling, start, actuation) Environment (normal) - Operations / maintenance Inadequate procedur.ts Errors of omission / commission Wrong procedure Support / dependence systems DC control power Service water cooling EDG room heating, ventilation, and air conditioning Electrical interface
- External Fire Flood Severe weather Seismic Other internal environmental extremes NUREG-1032 B-5 -
1
. > 1 Table B.2 Emergency diesel generator (EDG) common cause failures j
~
l Date of LER Plant event number Description of event , ANO 08/27/79 79-016 Water in lube oil caused failure of two 09/11/79 79-017 EDGs 2 weeks apart. .^ 7.c i d 0;/10/77 77-037 Maintenance caused control systein 05/12/77 77-043 failures on both EDGs within 2 days. Browns Ferry 05/06/81 81-019 Left bank air start motors failed to 1, 2 05/06/81 81-020 start three EDGs. Browns Ferry 3 01/03/84 84-001 Clam shell movement on overchlorination failed emergency service water (ESW) coolers and three of four EDGs. i Brunswick 1, 2 01/04/77 77-001 Low lube oil pressure tripped two of four EDGs-after starting. Crystal River 3 01/04/79 --- Low ambient room temperature (28 F) failed both EDGs. Dresden 3 10/23/81 81-033 ESW' check valve' failures caused two of the three EDGs to trip on high temperature. Far. ley 1 09/13/77 77-026 Dirty air start circu:t failed two EDGs 09/16/77 77-027 within 3 days. Farley 1, 2 09/18/81 81-043 Scored cylinder linings failed two EDGs 09/27/81 81-067 9 days apart. FitzPatrick 02/07/85 85-003 ESW pump trip failed two EDGs. Millstone 2 05/15/77 77-020 Both EDG fuel supply valves found closed. North Anna 2 02/18/81 81-020 Batteries faileo surveillance test, caused both EDGs to be inoperable. North Anna 2 12/09/84 84-013 Damaged cylinders and high crankcase pressure failed both EDGs, caused unit shutdown. Peach Bottom 06/13/77 77-026 Air-start compressor trip caused two EDGs to fail while another was unavailable. Quad Cities 05/01/77 Improper ESW valve lineup degraded three EDGs. i l NUREG-1032 B-6
Table B.2 (Continued) Date of LER Plant event number Description of event Salem 1 07/30/77 77-059 Fuel rack lubrication leak and sub-s'equent linkage binding caused failure of;two EDGs. Salem 1 10/08/80 80-060 All three EDGs failed to start because of a misaligned service water valve. Operator disabled service water from train 2 while train 1 was down for maintenance. Sequoyah 1, 2 08/09/80 80-140 Operator error caused relay coils to fail on all EDGs. Susquehanna 01/21/85 , 85-002 Low ambient room temperature failed two EDGs. Vermont Yankee 10/22/84 84-022 Failed Zener diodes caused all EDGs to lock out. WNP-2. 07/09/84 84-008 Slip ring and bearing design weakness Caused failure of two EDGs. , Yankee Rowe 08/02/77 77-042 Sludge plugged cooling water radiator tubes caused failure of two EDGs
- Reported in PLG-400, Pickarc, Lowe and Garrick Inc.
Common cause failure ratas were estimated in NUREG/CR-2989 using the binomial failure rate (BFR) computer code (Atwood and Smith, 1982). The estimated common cause failure rates varied by about an order of magnitude depending on plant design and procedural dependencies. If individual emergency diesel generator reliability is maintained at or above industry average levels, common cause failure contributed on the order of one-half the system unavailability for the
~
less redundant configurations and most of the unavailability for the more redun-dant designs, especially when demand failure rates are low (<0.03). At lower reliability levels, independent diesel generator failures are the major contri-butor to the unavailab;lity of the onsite AC power system. l A technique that has been used to estimate the likelihood of emer'gency diesel generator common cause failure is the beta factor method (Fleming, 1975) and its extension known as the multiple Greek letter (MGL) method (Fleming and Kali.nowski, 1983). This method was used to estimate common cause failure rates from the updated LER review. Table B.3 provides the MGL parameter estimates and common cause failure rate estimates that were derived by the MGL method. It also compares these estimates with "generic" rates derived in NUREG/CR-2989 using the BFR method. Differences result more from data classification than from analytical method. 4 NUREG-1032 B-7
.( f *P
, - . _ . , 4 , _
Table B.3 Common cause failure rate parameter estimates Results of MGL method
- BFR method 2 EDG configuration: p = 0.035 PCCFTS.(2/2) = 5.7 x 10 4 7.1 x 10 4 PCCFTR (2/2) = 1.0 x 10 4/hr 3 EDG configuration: p = 0.087 y = 0.351 PCCFTS (2/3) = 4.62 x 10 4 5.6 x 10 4 PCCFTS (3/3) = 5.00 x 10 4 1.8 x 10 4 PCCFTR (2/3) = 8.19 x 10 5/hr P
QCFTR (3/3) = 8.85 x 10 5/hr 4 EDG configuration: S = 0.147 . y = 0.528 6 = 0.505 PCCFTS (2/4) = 3.79 x 10 4 PCCFTS (3/4) = 2.10 x 10 4
,CCFTS P (4/4) = 6.43 x 10 4 PCCFTR (2/4) = 6.71 x 10.s PCCFTR (3/4) = 3.71 x 10 5 PCCFTR (4/4) = 1.14 x 10 4
*The,following equations were used to perform the abcVe calculations:
PCCF (2/2) * @9 N PCCF (2/3) = PCCF (3/3) = ySQ P CCF(2/4)=(1-Y]B0 , P CCF (3/4) = (1-6 y 80 PCCF (4/4)
- OYOQ NUREG-1032 B-8 *
, - _ 8
EMERGENCY AC POWER RELIABILITY EVALUATION The reliability estimates for the generic emergency AC power systems were derived for instantaneous availability on demand and mission reliability, (The latter is the likelihood that emergency AC power will be available for a speci-fied mission length, such as the duration of a loss-of-offsite power event or for the duration of a test.) System reliability analysis parameters were selected to represent the average of the operating reactor population as well as the variations within that population. The onnul>Han avaraga and ranges for the system reliability analysis parameters are described below. (1) Emeroency Diesel Generator Failure To Start Based on data reported in NUREG/CR-2989 and NStC/108 (Wyckoff, 1986), the failure rate can vary considerably from plant to plant. The following probability of failure / demand rates have been identified: Average . 0.02 High O.08 Low 0.005 (2) Emergency Diesel Generator Failure To Run A constant failure rate of 0.0024 per hour was estimated in NUREG/CR-2989, while more recent data obtained from NSAC/108 and a review of LERs from 1983 through 1985 resulted in a revised estimate of 0.0032 per hour. For the period 1976 through 1985 the average was 0.0028 per hour. A range of
. 0.001 to 0.01 is reasonably representative of other published estimates (EPRI, 1982).
(3) Emergency Diesel Generator Reoair Time Approximately 50% of all diesel generator failures reported in NUREG/ CR-2989 were repaired within 8 hours. If two diesel generators failed as a result of independent causes and operators could diagnose the problems to select the quickest possible repair, in 50% of these cases, one of two i diesel generators would be repaired in approximately 4 hours. These two 1 cases have been used as representative of the repair rate. (4) Common Cause Failure ' Common cause. failure rates were obtained from NUREG/CR-2989 for diesel generator hardware and human-error-related causes; however, only failure- t to-start estimates were made in that study. Subsequently, the MGL method has been used to estimate generic common cause failure rates for both ' failure to start and failure to run. Human errors causing a simultaneous out-of-service state for two or more diesel generators were included in estimates of failure to start. The MGL estimates are consistent with the generic estimates made in NUREG/CR-2989. 1 The common cause failure rates, for support systems--such as DC power, service water, and component cooling water--were obtained from NUREG/CR-3226. l 4 NUREG-1032 B-9 l i
P (5) Comm'on Cause Failure Repair Rates for Components and Subsystems When the inadvertent removal from service of more than two diesel gener-ators is excluded, the failure mode and repair rates appear similar to those for independent failure causes. In this case, howaver, the same repair time could be expected for both units. For. inadvertent removal from service, repair (or restoration) can be accomplished usually in less than 1 hour and many times even more promptly (within minutes). Repair rates fc- hardware failure and mainten wea notagac have bec.9 bn :d en median repair times of 2 to 8 hours. The effect of system reliability parameter variations covering the realistic range was analyzed to determine the sensitivity within the generic models and the variability that is possible in plant-specific cases. The first sensitivity analysis shown in Figure 8.1 includes the effect of a mission time of 8 hours for various emergency diesel generator starting re-liability values and for variations in common cause failure rates by a factor o f 3. These results shcw that st'arting reliability of individual emergency diesel generators is most important when lower-than-average diesel generator performance exists or when system configurations represent nominal redundancy (e.g., 2/3 and 1/2). Common cause failures dominate system failure probability when individual diesel generator reliability levels are above average or when a higher level. of redundancy (2/4-and 1/3) is introduced. - Figure-B.2 shows the sensitivity of emergency AC power system unavailability as a function of individual diesel unavailability. Thi.s unavailability is due to out-of-service time for normal maintenance and for repairs necessary to fix incipient, degraded, or catastrophic failures of diesel generators which are detected by surveillance or other activities during normal plant operations. Only when the diesel generator out-of-service unavailability approaches or exceeds the starting failure rate does a significant effect on system unavail-ability becomt: a;. parent. Figure B.3 sh %s the AC power system unavailability variation as a function of diesel generator repair time for a mission time of 8 hours. This repair time represents the time it would take to repair 50% of all diesel generator failures during an actual demand situation assuming an exponential rate of repair. Also it has been assumed that sufficient resources and expertise are available to ensure selection of the diesel generator which can be repaired most qui,ckly. The most signiffeant affect on system unavailability is due to variations in common cause failure repair times especially where common cause failures are the dominant contribute to system unavailability (e.g., 1/3 system configuration). - The last sensitivity analysis performed is shown in Figure B.4. In this case the potential range of unavailability for emergency AC power systems was esti-mated by using combinations of above and below average reliability performance parameters discussed previously in this appendix. Not surprisingly, the range is large, especially for the more redundant configurations. l 1 i NUREG-1032 B-10
l i 1 10 _ _ Common Cause Failure to Start I l [ EDG --- 3x Base Value l Configuration Base Value
- (2 of 3) % % % --- 1/3x Base Value l
t~ %~% % d % tc
$ 10-2 __ N %s%N N g E - (1 of 2) % g
% N N
% % N g
% % N 2 -
N s N D % N 5 _ (2 0f 4) %=.,, '* % % %'N % i 3 '* % N 'N N N 2 o
\ N
% * %.D4 -
N ,
< N. N *=
10'3 -" ' kN
~
e - N %==== 1 i
%~%'%
- l N %. i
= = = ' * = = =.= I 10 ' ' l I I I I I 0.90 0.92 0.94 0.96
- 0.98 1.00 EDG RELIABillTY Figure B.1 Emergency AC power unavailability as a function of individual EDG reliability and common cause failure '
to start _for'three emergency AC configurations' NUREG-1032 B-11 w - , e - . - . . ,
r i f I i l l 10 2 i - 1 i . F. . _ EDG R -
$ 0.05 d
8 - _ *1/2 - 5 a - , 3 j 0.025
- = . .
m w 3 10'3 - 0 01 -,-======- o -
$- [ 0. 05 ='='" " ,1/3 4
- o o g - ==== ==="""" ""~"" """~" ~" '
0 025 ---= - - 1 U _ _ l z ' y ~
~ l r
w - ~ 2 w d I I I 10 0.005 0.015 0.025 l OUT OF SERVICE UNAVAILABILITY Figure B.2 Emergency AC power unavailability as a function of out-of-service unavailability for three EDG unreliabilities NUREG-1032 B-12 e 6
10 2 _ , , , _ Duration of Loss of Offsite Power _ is 8 Hours - Duration of Station Blackout is _ 4 Hours _ b Configuration ~ s
>1/2 y 10'3 T 8 hrs 7 4 hrs 5 .
2 hrs . 8 hrs 3 - c -
- c. -
g - 4
> 4 hrs G
z 10'4 7 > 1/3 T e : : e - 3 w - 2 hrs 10 5 I I I O 2 4 8 REPAIR TIME FOR INDEPENDENT EDG FAULTS (Hours) Figure B.3 Emergency AC power unavailability as a function of repair time for both independent EDG faults and common'cause failure to start d NUREG-1032 -B-13 l .
0 i o 4 10 = - == High Values '
~
Diesel _ Generator _ 4 k Base Values r Reliability Parameters 10' [ 8
~~
-- Low Values j t: -
=f m <> t >
~~
$ i 34 =-
~
E il
-~ *
< ~
z- --
-~
2 - m W 10 ' d =- 3 = o =
- c. .
o - 4 g .. 2 10 5 ;g-w - o m
=
w - 2 - w 10 -
=
10 4 I (2 of 3) (1 of 2) (2 of 4) (1 of 3) DIESEL GENERATOR CONFIGURATION l Figure B.4 Estimated range of emergency AC power system reliability for different diesel generator configurations NUREG-1032 B-14
STATION BLACKOUT FREQUENCY Station blackout has been defined as the loss of all AC power supplies from both offsite and safety related sources. Also, a station blackout must exist for sufficient time to incur core damage and result in containment failure if the sequence is to be of risk significance. Therefore, station blackout models incorporate duration as a parameter in frequency estimates. Although in some instances it is possible to have a station blackout initiated by failure of, or operational efforts associated with, DC control power, this type of event is more rare than the station blackout sequence beginning with loss of offsite power and followed by failure of the safety-related AC power supplies. DC power reliability is the subject of another generic safety issue, designated A-30, "Adequacy of Safety-Related DC Power Supplies." Station blackout frequency estimates can be made by combining the loss-of-offsite power models developed in Appendix A with the emergency AC power relia-bility models of this appendix. The loss-of-offsite power frequency and duration correlations were derived in Appendix A. In the derivations that follow, let ALOP(t) represent a loss-of-offsite power frequency correlation. The frequency of a station blackout is derived by combining the loss-of-offsite power duration (repair frequency with the rate of emergency AC power system failures of duration I ver the SB time period of interest-for which a loss of offsite and emergency AC power. . can occur. This is the same general approach that has been taken in other studies [ Evans and Parry, 1183; Power Authority of the State of New York (PASNY), 1982] to estimate the frequency of total losses of offsite and emer-gency AC power for risk analysis. For the 1/2 emergency ciesel generator configuration, the equation for the frequency of a station blackout lasting I SB or longer can be written as
^5B1/2(ISB)
- ALOP(ISB)(PFTS)
+ ALOP(ISB) PCCFTS2/2 *
'I !I
+ 2P SB R [ LOP'SB 'A FTR t -(t+t3g)/TR FTS
- J ALOP(t+tSB) AFTR *
- dt o
+ 2e 'SB I R ? LOP'SB 'ILOP'.SB
'A t FTR 2 -(t 2+I SB -t i )/t g A e
,o FTR e dt2 ti
-A t FTR 1 i ALOP(t ) AFTR '
i
-dt i l
1 f* LOP' SB 'A t t /t
# CCFTR2/2 SB CCFR A'OP(t+tSB)
L ACCFTR2/2e e dt 4 , l
. I NUREG-1032 B-15
d In a similar manner, the station blackout frequency equations for three and four diesel generator systems requiring one or two diesels for success can be i derived.
~
Analyses have been performed to estimate the sensitivity of station blackout frequencies and durations to various site characteristics. The loss-of-offsite-power cluster correlations developed in Appendix A were combined with the emergency AC power system reliability models using nominal values for emergency diasel ;c .; ster f ailure to itai t or d run, repair, ano common cause f ailure rates. Results are in the main report in Figures 5.1, 5.2, and 5.3. Additional analyses were performed to determine the sensitivity of station blackout results to potential variations in plant-centered loss-of-offsite-
' power frequency. Cluster correlations 2 and 4 (see Appendix A of this report) were selected. The plant-centered loss-of-offsite power frequency was varied from a high value of 0.15 to a low value of 0.04 This represents a reasonable variation in the plant-centered frequency based on actual operating experience.
Figure B.5 provides the results of these analyses. This figure shows that modest variations (factor of 2) in the plant-centered loss-of-offsite power frequency will have essentially no noticeable effect on results at sites dominated by weather-induced losses of offsite power (cluster 4). Only a small effect would be noticeable at sites which have a more typical blend of failure causes (cluster 2), and that effect is only noticeaole for short duration blackouts. Thus potential variations in plant-centered loss-of-offsite power
~
frequency will generally result in small changes in station blackout results when typical or more substantial contributions from grid and particularly weather exist. A'nother sensitivity analysis was performed to estimate the impact of variations in grid reliability and restoration capability. For cluster 4, grid loss fre-quencies of 0.01 and 0.1 per year were analyzed with enhanced recovery (see Appendix A). For cluster 2, the same frequencies were analyzed b'ut this time with normal recovery. The results are shown in Figure B.6. Potential varia- ' tions in grid-related loss-of-offsite power frequency have a small effect on the station blackout frequency and duration in most cases where typical or more substantial contributions from plant-centered and particularly weather exist. . l l l t
> NUREG-1032 B-16
6 10'3 .
- Plant Centered Lop Frequency (Events / Year)
_ .. - - 0.15 j k 0.069 2 k\ - - 0.04
'\
; ,0' :
. \. r\
p W \
- \
E w \
~
Offsite o \ Power y N Cluster
< 10 5 7 \ , l e : N '
z e N i
~
E y - i i i i 10 6 i 0 4 8 12 16 STATION BLACKOUT DURATION (Hours) l l l l Figure B.5 Sensitivity of station blackout results to potential variation in plant-centered loss-of-offsite power frequency j i l NUREG-1032 B-17
\
\
P ; 1 l l 1 i 1 10'3 , ;
', Grid Reliability Group G3 (0.1 Events / Site Yr)
> \
s - N -- G1 (0.01 Events / Site Yr) 5 4
\\ '
10
\-
O z
\
\ \ l s -
\
0
- w
- \ l l
3 O t U 5 W 10 7
.O f f sit e
. Power Z - Cluster 9 -
. 4 Q
a 2 10 4
' ' ' ' ' i 0 4 S 12 16 '
DURATION (Hours) Figure B.6 Sensitivity of station blackout results to potential variation in grid-related loss-of-offsite power frequency NUREG-1032 B-18
~
REFERENCES ~ Atwood, C. L., and W. J. Smith, "User's Guide to BFR, a Computer Cvde Based on
'the Binomial Failure Rate Common-Cause Model," EG&G Idaho Inc , EGG-FA-5502, July 1982.
Electric Power Research Institute (EPRI), "Diesel Generator Reliability at Nuclear Power Plants: ' Data and Preliminary Analysis," EPRI NP-2433, June 1982. Evans, H G. K., and G. W. Parry, "Quantification of the Contributien to Light Water Reactor Core Melt Frequency of Loss of Offsite Power," in R Miability Engineering, 6:43-45, 1983. Fleming, K. N., "A Reliability Model for Redundant Safety Systems," in Proceedings on the Sixth Annual Pittsburgh Conference on Modeling and Simulation, April 24, 1975. Fleming, K. N , and A. M. Kalinowski, "An Extension of the Beta Factor Method to Systems with High Levels of Redundancy," Pickard, Lowe and Garrick, Inc., PLG-0289, June 1983. Fleming, K. N. , and P. H. Raabe, "A Comparison of Three Methods for Quantitative Analysts of Common Cause Failures," U.S. Department of Energy Report GA-A-14568, General Ato.iic Company, National Technical Information Service, May 1978. Husseing, A. A., et al.,' "Unavailability of Redundant Diesel Generators in Nuclear Power Plants," in Reliability Engineirj,g, 3:109-169, 1982. Pickard, Lowe and Garrick, Inc., PLG-400, "Classification ana Analysis of Reactor Operating Experience Involving Dependent Event," prepared for Electric Po,,er Research Institute, Palo Alto, California, February 1986. Power Authority of the State of N'ew York (PASNY) and Consolidated Edison Company of New York, "Indian Point Probabilistic Safety Study," 1982. Rasmuson, D. M., et al., "Use of COMCAN III in System Design and Reliability Analysis," EG&G Idaho, Inc., EGG-2187, October 1982. Steverson, J. A., and C. L. Atwood, "Common Cause Failure Rate Estimates for i Diesel Generators in Nuclear Power Plants," EG&G Idaho, Inc. EGG-M-00681, ! National Technical Information Service, September 1981. . I U.S. Nuclear Regulatory Commission, NUREG/CR-2989, R. E.. Battle and D. J. Campbell, "Reliability of Emergency AC Power Systems at Auclear Power Plants," July 1983.
-- . NUREG/CR-3226, A. M. Kolaczkowski and A. C. Payne, Jr. , "Station Blackout Accident Analyses (Part of NRC Task Action Plan A-44)," May 1983.
Wyckof f, H. , "The Reliability of Emergency Diesel Generators at U.S. Nuclear Power Plants," NSAC/108, Electric Power Research Institue, September 1986. l
. d .
HUREG-1032 B-19 l
APPENDIX C STATION BLACKOUT CORE DAMAGE LI*'.ELIH000 AND RISK h e I 1 d NUREG-1032
TABLE OF CONTENTS _.Page STATION BLACKOUT CORE DAMAGE LIKELIH00D............................... C-1 STATION BLACK 0UT RISK.................... .. ..... .................. C-10 R E F E R E N C E S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C - 11 LIST OF TABLES 4 C.1 Summary of potentially dominant core damage a c c i d e n t s e q u e n c e s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C- 2 C.2 Decay heat removal failure prob 6bility for loss of core cooling early during station blackout....................... C-4 C.3 Estimated frecuency of early core cooling failure during station blackout, per reactor year........................ C-5 C.A Tabulated estimated values of total core damage frequency for station blackout accidents as a function of emergency diesel generator configuration, EDG unreliabflity, offsite power cluster, and. ability to cope with station blackout......... C-6 C.5 Compari son of results. with NUREG/CR-3226. . . . . . . . . . . . . . . . . . . . . . . . . C-10 t 1 i
)
i 1 I l NUREG-1032
, C-iii
APPENDIX C STATION BLACKOUT CORE DAMAGE LIKELIHOOD AND RISK This appendix provides a description of tha simn14fiad meth;d used to estimate station blackout core damage likelihood, and risks from station blackout tran-sients. The models and results are generic in nature and intended for use in regulatory analyses. The station blackout frequency estimation models described
*n Appendix B of this report were integrated into, sequences involving failure of decay heat removal systems with AC power unavailable, thus allowing the esti-mation of the frequency of core damage as a result'of station blackout events.
When core damage proceeds to core melt and containment failure, fission products may be released to the environs, causing risk to public health and safety. i Tha likelihood of station blackout transients involving core damage and the dominaat accident sequences have been identified by Kolatzkowski and Payne in hup'G/CR-3226, using event tree and fault tree analyses of several tyoical plant designs. However, the variability of station blackout frequency and dura-
. 'on was not evaluated systema;ically ir part of that work. In this appendix, the station blackout models have been ;ombined with the decay heat removal and core 4eoling failure sequences to obtain a more complete evaluation of the sen-sitivity of station blackout core damage likelihood and risk estimates to varia-tions in plant design.
STATION BLACKOUT CORE DAMAGE LIKELIHOOD The dominant station blackout secuences are provided in Table C.1. Both pres-surized water reactors (PVRs) and boiling water reactors (BWRs) have 5,equences that involve early core cooling 'ailure (essentially on demand) and time-dependent failures related to capacity, capability, and transient phenom-enclogical ' conditions associated wit' a loss of all AC power. For the dominant , accident sequences, the core damage times have been characterized as falling 1 into two groups: (1) a core da' mage time of 1 to 2 hours for the early core cooling failure types of sequences or (2) core damage in tne 2-to-16-hour range for the sequences involving capability and capacity limitations causing loss of core cooling during extendeo blackou'.s. Sequences involving longer duration blackouts than these have not been found to be nearly as important. Thermal hydrauli: analyses have been performed to determine event timing for both types of sequences (Fletcher, 1961; Schultz and Wagoner, 1982). In gen-eral, 't has taen estimated that it will take between 1 and 2 hours to uncover the ictor ce," following a station blackout and loss of all core cooling, and ms anota ' 10 2 hours for the reactor core to melt and penetrate the
~ '(- the cora is uncovered. If decay heat removal is initially
-w s *tation blackout and then is lost several hours into the I t' *- . >., ;' design limitations, the time to core uncovery and melt wi ~ "ce- txtended as a result of lower primary coolant temparatures an. re- U, >
heat levels. t 4 NUREG-1032 C-1 i
Table C.1 Summary of potentia.11y dominant core damage ac-:ident sequences, AC recovery Generic time to avoid plant type Sequent.e DHR system / component contributors core damagt (hr) PWR THL381 Steam-driven AFWS unavailable 1 to 2 (all) iML282 OC power or condensate exhausted 4 to 16 THQ2B 2 RCS pump seal leak 4 to 16 BWR THUiB3 Isolation conde*nser unavailable 1 to 2 w/ isolation condenser THQ3B i Stuck open relief valve .1 to 2 TMQ2B 2 RCS pump seal leak 4 to 16 BWR TMUiB3 HPCI/RCIC unavailable 1 to 2 w/HPCI-RCIC TMU2B2 ~ DC power or condensate exhausted, 4 to 16 component operability limits exceeded ('iPCI/RCIC) BWR TMutB i HPCS/RCIC' unavailable 1 to 2 w/HPCS-RCIC TMU2B2 HPCS unavailable, DC power or 4 to 16 condensate exhausted, cemponent
- operability limits exceeded (RCIC)
Notes: DHR = decay heat removal HPCS = high preisure core spray AFWS = auxiliary feedwater system RCIC = reactor core isolation cooling
- RCS = reactor coolant system HPCI = high pressure coolant in:,pectior.
The dominant accident seqt ences were modeled as either an early core cooling failure or as a subsequent loss of core cooling. In the former case, the like-lihood of the accident sequence is given by the probability of a station black-out combined with the probability of failure to maintain adequate core cocling or decay heat removal by AC-independent means long ernugh to cause core damage. For PWRs and most BWR-2 and -3 plants that do not have a makeup capability inde-pendent of AC power, there are two paths to inadequate core cooling early during station blackout. The first involves failure of the turbine-driven train of the auxiliary feedwater tystem (AFWS) in PWRs or failure of the isolation con-denser in the BWR-2 and -3 plants. Because neither of these reactor types has a makeup capability independent of AC power, the core will be uncoverad early by a major loss of reactor CNiant system (RCS) integrity such as a stuck-open NUREG-1032 C-2
relief valve or gross failure of reactor coolant pump seals, either of thich could result in leak rates upwards of several hundred gpm. BWRs with reactor core isolation cooling (RCIC) systems, steam turbine-driven high pressure cool-ant injection (HPCI) systems, or high pressure core spray (HPCS) systems with a dedicated diesel generator can cool the reactor core and have the potential to make up losses of coolant equal to or greater than those identified above. The latter type of sequence was modeled as the likelihood of a station blackout of a duration sufficient to exceed core cooling systems capabilities and allow core damage to occur. If decay heat removal is initially successful, if reactor coolant leakage rates do not e nped makeup capability, and if primary coolant inventory requirteents are met, operators should be able to establish a rela-tively stable decay heat removal mode. However, decay. heat removal capability during longer blackouts may be limited by the capacity of support systems such as DC power or compressed air, by reactor coolant leakage when makeup is unavail-able or insufficient, cr by thermal limitations on component operability as a result of the loss of. heating, ventilation, and air condationing systems. In light of the above discussion, the general form of the core damage accident likelihood equation considering both early phase and longer term decay heat removal failure is as follows: PSBCD = P SB(tt ) (PDHR/S3
- LOCA/SB) + PSB(t2 ) (1) where,P is the probability of core damage due to station blackout, PSB(t )
SBCD 2 is the probability of a station blackout of duration t t and tt is a time , sufficient for core damage to occur if all decay heat removal capability is ' lost at the onset of a station blackout. P DHR/SB is the pr bability of decay heat removal failure on demand given station blackout. P i s the LOCA/SB probability of a station-blackout-induced loss of reactor cool. ant integrity that would cause an early core cooling loss. P SB(t2 ) is the probabi'ity of a station blackout of duration t 2. where t 2 is a time sufficient for core damage to occur because decay huat ramoval capability limits are exceeded during an extended duration station blackout. In terms of the notation used to describe the dominant accident sequences for the various types of light watar reactors (LWRs) identified in Table C.1, the , equation can be written as follows: for PWRs: P SBCD = B ng + Q1) + BB2 i (2) for BWR 2/3s: + Q3) + BB2 (3) PSBCD = WB3 (Ut for BWR 4/5/6s: . PSBCD
- 3U1 1 + WB 2 (4)
TAe probabilities for (L2 + Q2), (U2 + Q2), and U2 have been .<et equal to 1.0, because the time of B2 was selected to represent loss of decay heat removal capability as a result of design limitations. The probability contribution to Qi from reactor coolant pump seals degradation during station blackout is not
- well known. Based on material reviewed in NUREG/CR-3226, the impact of' reactor
. 4 NUREG-1032 C-3
. . . - , - - -m.-,d, ,,.y- r.-, -.----..,,-.m--..--,e- ,.w., -..-m o-r-m,,-.,--., -e -~y<. -- e-, ,
I i
,. i coalent pump seal leakage was assumed to represent a potential limit on the TM8 2 type of sequences. .
The TMB portion of equations 2, 3 and 4 above can be estimated from the first term failure-to-start 3rtion of the station blackout equations in Appendix B of this report. The TM8 2 term of these equations can be estimated from the.com-plete station blackout equations in Appendix ~B. Probability estimates for L , i U2 and Q were derived from NUREG/CR-3226 and are summarized in Table C.2. Tabla c.? Decay heat remc'.si failure probability fur loss of core cooling early during station blackout Probability of Systen/ train / component failure Auxiliary feedwater systems 1stesmturbin$-driventrain 0.04 2 steam turbine-driven trains. 0.002 Isolation condenser 0.01 Stuck-open salety relief valve (BWR) 0.025 HPCI/RCIC ~ 0.005 HPCS/RCIC , 0.001 Estimated values of the early loss of core cooling term of equations 2, 3, and 4 are provided in Table C.3. This table shows the sensitivity of the estimated fr= @ ency of early core cooling failure during station blackout on loss-of-of f-site power _, characteristics (clusters 1 through 5), emergency AC power unre-liability (EDGR (i.e., failures per demand) and decay heat removal unreliability (DHR). The second term estimates of equations 2, 3, and 4 are the same as the station blackout frequency and duration assessments provided previously, given that t 2is defined. Beccuse the capability limitations vary from piant to plant, so will t 2. Some example estimates for the total core damage frequencies given capacity limitations which equate to station blackout durations of 2, 4, 8, anu 16 hours are provided in Table C.4. These estimates includa the early core cool-ing failure frequencies from Table C.3. The results in Tables C.3 and C.4 show that the frequency and duration probabil-ities of offsite power failures, emergency AC power configuration, and reliabil-ity of the diesels are the most important factors in limiting the likelihood of core damage. These results also show that the likelihcod of significant ccre damage may exist at some plants if the capability to cope 4 th station black-out of modest'durctions (2 to 8 hours) does not exist. Moreover, the results show that the demand reliability of AC-independent decay heat removal systems is important, but it is not the most dominant factor in limiting the likeli-hood of core damage for station blackout. , NUREG-1032 C-4
Table C.3 Esticated frequency of carly core cooling' failure during station blackout, per ' reactor year - Offsite power cluster DHR EDGR 1 2 3 4 5 1/2 EDG confiauration 0.05 0.1 2.5E-6 8.0E-6 1.9E-5 - 3.0E 5 9.0E-5 0.1 2.5E-6 8.0E-6 1.9E-5 3.0E-5 9.0E-5 0.05 1.0E-6 3.4E-6 7.5E-6 1.3E-5 3.8E-5 0.0?5 5.5E-7 1.9E-6 4.1E-6 7.5E-6 2.2E-5
. 0.01 4.0E-7 1.4E-6 2.8E-6 5.5E-6 1.5E-5 0.0i 0.1 5.0E-7 1.6E-6 3.7E-6 5.9E 1.8E-5 0.05 2.0E-7 6.7E-7 1.5E-6 2.5E-6 7.5E-6 0.025 1.1E-7 ,3.8E-7 8.2E-7 1.5E-6 . 4.3E-6 0.01 8.0E-8
- 2.7E-7 5.6E-7 1.1E-6 3.0E-6 0.005 0.1 2.5E-7 8.0E-7 1.9E-6 3.0E-6 9.0E-6 0.05 1.0E-7 3.4E-7 7.5E-7 1.3E-6 3.8E-6 0.025 5.5E-8 1.9E-7 4.1E-7 7.5E-7 2. 2 E- 6 0.01 4.0E-8 1.4E-7 2.8E-7 5.5E-7 1.5E-6
- 2/3 EDG configuration 0.05 0.1 7.0E-6 2.3E-5 5.0E-5 8.0E-5 2.5E-4
. 0.05 2.6E-6 8.5E-6 1.9E-5 3.1E-5 9.5E-5 0.025 1.3E-6 4.3E-6
.. 9.5E-6 1.7E-5 4.9E-5 '
O.01 8.5E-7 2.8E-6 6.0E-6 1.1E-5 3.2E-5 0.01 0.1 1.4E,6 4.5E-6 1.0E-S 1.6E-5 4.9E-5 O.05 5.2E-7 1.7E-6 3.8E-6 6.2E-6 1.9E-5 0.025 2.6E-7 8.6E-7 1.9E-6 3.3E-6 9.7E-6 0.01 1.7E-7 5.5E-7 1.2E-6 2.1E-6 6.3E-6 0.005 0.1 7.0E-7 2.3E-6 5.0E-6 8.0E-6 2.5E-5 0.05 2.6E-7 8.5E-7 1.9E-6
- 3.1E-6 9.5E-6 c
0.025 1.3E-7 4.3E-7 9.5E-7 1.7E-6 4.9E-6 0.01 8.5E-8 2.8E-7 6.0E-7 1.1E-6 3.2E-6 1/3 EDG configuration 1 0.05 0.1 3.6E-7 1.2E-6 2.6E-6 9.3E-6 1.3E-5 ! 0.05 1.8E-7 6.0E-7 1.3E-6 2.3E-6 6.5E-6 l 0.025 1.5E-7 4.9E-7' 1.1E-6 1.9E-6 5.5E-6 : 0.01 1.4E-7 4.6E-7 '1.0E-6 1.8E-6 5.0E-6 1 0.01 0.1 7.1E-8 2.3E-7 5.2E-7 6.GE-7 2.6E-6 0.05 3.6E-8 1.2E-7 2.6E-7 4.5E-7 1.3E-6 0.025 2.9E-8 9.7E-8 2.1E-7 3.7E-7 1.1E*6 O.01 2.7E-8 9.1E-8 2.0E-7 3.5E-7 1.0E-6 NUREG-1032 - C-5 l l
~
Tcbie C.3 , (continued) Offsite power cluster OHR EDGR 1 2 3 4 5 2/4 EDG configuration 0.01 0.1 2.3E-7 7.5E-7 1.7E-6 2.7E-6 8.3E-6 0.05 8.6E-8 2.8E-7 6 2F-7 1 1F-6 3.2E-6 0.025 5.7E-8 1.9E-7 - 4.1E-7 7.2E-7 1.SE-6 0.01 4.8E-8 1.6E-7 3.4E-7 6.1E-7 1.1E-6
, 0.005 0.1 1.2E-7 3 8E-7 8 SE-7 1.4E-6 4.2E-6 0.05 4.3E-8 1.4E-7 3 1E-7 5.5E-7 1.6E-6 0.025 2.9E-8 9.5E-7 1.1E-7. 3.6E-7 9.0E-7 0.01 2.4E-8 8.0E-7 1.7E-7 3.1E-7 5.5E-7 t
Table C.4 Tabulated estimated values of total core damage frequency for station blackout accidents as a function of emergency diesel generator configuration, EDG unreliability, offsite power cluster, and ability to cope with station blackout Offsite power clu' ster EDGR and t(hr) 1 2 3 4 5 1/2 AC configuration EDGR = 0.1 2 5.ll-5 1.7E-4 3.8E-4 6.1E-4 1.9E-3 4 2.0E-5 6.8E-5 1.5E-4 2.9E-4 9.0E-4 8 6.3E-6 2.2E-5 4.0E-5 1.0E-4 2.5E-4 16 5.CE-7 2.0E-6 2.4E-6 9.6E-6 1.2E-5 , to 2.4E-6 to 8.2E-6 to 1.6E-5 to 3.2E-5 to 8.4E'S l i EDGR = 0.05 2 2.1E-5 6.9E-5 1.5E-4 2.5E-4 7.7E-4 4 8.7E-6 2.9E-5 6.2E-5 1 3E-4 3.8E-4 8 2.8E-6 1.0E-5 1.7E-5 4.5E 5 1.1E-4 16 2.2E-7 9.1E-7 1.1E-6 4.4E-6 6.8E-6 to 1.0E-6 to 3.5E-6 to 6.7E-6 to 1.4E-5 to 3.5E-5 EDGR = 0.025 2 1.2E-5 3.9E-5 8.3E-5 1.6E-4 4.4E-4 4 5.2E-6 1.8E-5 3.6E-5 7.9E-5 2.2E-4 8 1.7E-6 6.1E-6 1.0E-5 2.8E-5 6.2E-5 l 16 1.4E-7 5.8E-7 6.3E-7 2.8E-6 4.2E-6 ) to 5.8E-7 to'2.0E-6 to 3.7E-6 to 8.6E-6 to 2.0,E-5 l l 1 NUREG-1032 C-6 1 t
4 Table C.4 (continosa) Offsite' power cluster ! EDGI and i i t(hr) 1 2 3 4 5
- 1/2 AC configuration
- EDGR = 0.01
- 2 8.3E-6 2.8E-5 5.7E-5 1.1E-4 3.1E-4 4 3.8E-6 1.3E-5 2.5E-5 5.9E-5 1.6E-4 8 1.3E-6 4.5E-6 7.1E-6 -2.1E-5 4.6E-5 16 1.1E-7 4.5E-7 4.7E-7 2.2E-6 3.2E-6
- to 4.1E-7 to 1.5E-6 to 2.6E-6 to 6.4E-6 to 1.5E-5 1/3 AC configuration ,
EDGR = 0.1 > 2 7.3E-6 2.4E-5 5.3E-5' 8.8E-5 2.7E-4 4 2.5E-6 8.1E-6 1.8E-5 3.5E-5 1.1E-4 8 5.9E-7 2.1E-6 3.8E-6 9.2E-6 2.3E-5 16 3.0E-8 1.1E-7 1.7E-7 5.0E-7 9.8E-7 . to 8.0E-7. . to 9.9E-7 to 2.2E-6~ to 3.8E-6 to 1.1E-5 i EDGR = 0.05 l 2 - 3.7E-6 1.2E-5 2.7E-5 4.6E-5 1.4E-4
- 4 1.3E-6 4.2E-6 9.2E-6 1.9E-5 5.6E-5
! 8 3.1E-7 1.1E-6 1.9E-6 4.8E-6 1.2E-5 < i 16 1. 5 E- 8 5.7E-8 8.6E-8 2.6E-7 5.0E-7 to 1.5E-7 to 5.1E-7 to 1.1E-6 to 2.0E-6 to 5.6E-6 EDGR = 0.025 2 3.0E-6 9.9E-6 2.2E-5 3.8E-5 1.1E-4 4 1.1E-6 3.6E-6 7.5E-6 1.6E-5 4.6E-5 ' S 2.6E-7 9.0E-7 1.5E-6 4.0E-6 9.7E-6
- 16 1.2E-8 4.8E-8 6.8E-8' 2.1E-7 4.1E-7 j to 1.2E-7 to 4.2E-7 to 8.7E-7 to 1.6E-6 to 4.5E-6 l l EDGR = 0.01
) 2 2.8E-6 9.3E-6 ~2.0E-5 3.6E-$ 1.1E-4 i t 4 9.7E-7 3.3E-6 6.9E-6 1.5E-5 4.3E-5 l
- 8 2.4E-7 8.3E-7 1.5E-6 3.7E-6 8.9E-6 i 1 16 1.1E-8 4.3E-8 6.4E-8 2.0E-7 3.8E-7 :
to 1.3E-7 'l to 3.9E-7 to 8.1E-7 to 1.5E-6 to 4.2E-6 ) - J NUREG-1032 C-7 j .
Table C.4 '(continued) Offsite power cluster t(hr) .1 2 3 . 4 5 2/3 AC configuration EDGR = 0.1 2 1.4E-4 4.6E-3 1.1E-3 1.7c-1 5.0E-3 4 5.4E-5 1.8E-4 4.1E-4 7.6E-4 2.4E-3 8 1.7E-5 5.8E-5 1.1E-4 2.6E-4 6.6E-4 16 1.3E-6 5.1E-6 6.4E-6 2.4E-5 .4.0E-5 to 6.5E-6 to 2.2E-5 to 4.5E-5 to 8.5E-5 to 2.3E-4 EDGR = 0.05 . 2 5.3E-5 1.8E-4 3.9E-4 6.4E-4 2.0E-3 4 2.1E-5 6.9E-5 1.6E-4 3.0E-4 9.4E-4 8 6.5E-6 2.3E-5 4.1E-5' 1.0E-4 2.6E-4 16 4.9E-7 2.0E-6 2.4E-6 9.4E-6 1.5E-5 to 2.5E-6 to 8.4E-6 to 1.7E-5 to 3.3E-5 to 8.7E-5 EDGR = 0.025 . 2 2.7E-5 8.9E-5 2.0E-4 3.4E-4 1.0E-3 .4 1.2E-3 3.7E-5 8.0E-5 2.7E-4 4.9E-4 8 3.4E-6 1.2E-5 2.1E-5 5.5E-5 . 1.3E-4 16 2.5E-7 1.0E-6 1.2E-6 4.9E-6 7.8E-6 to 1.3E-6 to 4.3E-6 to 8.5E-6 to 1.7E-5 to 4.5E-5 EDGR = 0.01 2 1.7E-5 5.1E-5 1.3E-4 2.2E-4 6.4E-4 4 7.3E-6 2.4E-5 5.1E-5 1.1E-4 3.1E-4 8 2.2E-6 7.7E-6 1.3E-5 3.6E-5 8.4E-5 16 1.6E-7 6.5E-7 7.6E-7 3.1E-6 4.9E-6 to 8.0E-7 to 2.8E-6 to 5.3E-6 to 1.1E-5 to 2.9E-5 2/4 AC tenfiguration EDGR = 0.1 2 2.4E-5 7.7E-5 3.5E-5 2.8E-4 8.5E-4 4 7.2E-6 2.5E-5 1.1E-5 1.1E-4 3.5E-4 8 1.8E-6 6.2E-6 2.1E-6 2.7E-5 7.0E-5 16 9.6E-7 3.4E-7 9.3E-8 1.5E-6 3.1E-6 to 9.8E-8 to 3.2E-6 to 1.4E-6 to 1.2E-5 to 3.5E 5 NUREG-1032 C-8
Table,C.4 (continued) Offsite power cluster EDGR and t(hr) 1 2 3 4 5 2/4 AC configuration EDGR = 0.05 2 8.8E-6 2.9E-5 6.3E-5 2.1E-4 3.3E-4 4 2.9E-6 1.0E-6 2.1E-5 4.2E-5 1.3E-4 8 6.5E-7 2.3E-6 4.1E-6 1.0E-5 2.5E-5 16 3.2E-8 1.2E-7 1.9E-7 5.2E-7 1.1E-6 to 3.6E-7 to 1.2E-6 to 2.6E-6 to 4.6E-6 to 1.3E-5 EDGR = 0.025 2 5.8E-6 2.0E-5 4.2E-5 7.3E-5 2.2E-4 4 1.9E-6 6.4E-6 1.4E-5 2.9E-5 8.2E-5 8 4.2E-7 1.5E-6 2.6E-6 6.5E-6 1.6E-5 16 2.0E-8 7.3E-8 1.2E-7 3.2E-7 6.6E-7 to 2.4E-7 to 7.9E-7 to 1.7E-6 to 3.1E-6 to 8.7E-6 EDGR = 0.01 . 2 4.8E-6 1.6E-5 3.6E-5 6.2E-5 1.8E-4 4 1.5E-6 5.3E-6 1.1E-5 2.4E-5 6.8E-5 8 2.5E-7 1.2E-6 2.1E-6 5.4E-6 1.3E-5 16 6.1E-9 5.8E-8 9.3E-8 2'. 5 E- 7 5.3E-7 , 1.6E-8 6.6E-7 1.4E-6 2.6E-6 7.2E-6 The point estimates obtained from HUREG/CR-3226 and a comparable plant design analyzed in this study are shown in Table C.S. The differences in results pri-marily result from lower less-of offsite power frequencies supported by most recent evaluations of the data (see Appendix A). The results provided up to this time represent point estimates of probability per year or, more properly, frequency. The effect on the mean probability estimates of using log-normal distributions to represent basic event probabil- , ities, calculated medians,'and uncertainty ranges was shown in NUREG/CR-3226. ' The sequence mean estimates derived in that document were typically 3 to 8 times larger than the point estimates, and the upper and lower bounds were typically within a factor of 5 to 20 of the median estimates. The large difference be- I tween point estimates and means can be attributed to the use of a log-normal distribution, l The potential effect of operator error causing loss of decay heat removal has not been found to be a large contributor, if adequate training and procedures exist. Another consideration that has not been found to be a significant factor is the difference in time to core uncovery for the various LWR designs on loss of all decay heat removal. .
- 4 l
NUREG-1032 'C-9 l
e Table C.5' Comparison of results with NUREG/CR-3226 . . Core damage frequency (per reactor year) Plant type and sequence NUREG/CR-3226 NUREG-1032 PWR with one steam-driven a N +cgia TML203 5 x 10 6 1.5 x 10 6 TMB 2 (L2 + Q2) 2 x 10 5 9.2 x 10 8 BWR with isolation cooling TM(Ui + Qt)B2 5 x 10 6 1.3 x 10 8 TMQ2B2 2 x 10 5 9.2 x 10 8 BWR with HPCI/RCIC THU281 2 x 10 6 1.9 x 10 7 , TNU2B2 - 2 x 10 5 9.2 x 10 6 BWR with HPCS/RCIC TMUi B 5 x 10 7 3.8 x 10 7 TMU22 B 1 x 10 8 5.2 x 10 6 Note: All B2 sequences except the BWR with HPCS/RCIC are assumed to result in loss of core cooling and decay heat removal in 6 hours from the start of station blackout for the NUREG-1032 results. Core damage - frequencies in this table (NUREG-1032 column) are based on offsite power cluster 2, 1/2 diesel generator configuration and 0.975 diesel generator reliability, i STATION BLACKOUT RISK
^ The potential risk associated with station blackout accidents can be e W mated '
by extending the core damage probabilistic results through to accident conse- i cuence estimates. The potential for terminating core damage before core melt and coping with core melt before containment failure is currently a matter of extensive research and evaluation. In most probabilistic risk assessments (PRAs), , the probability of core damage has been equated with core melt. Acknowledging that this is a possible conservative assumption, to estimate risk in these PRAs, , containment failure modes and probabilities are applied as if the core has melted. O e NUREG-1032 C-10
.g
REFERENCES Fletcher, C. D. , "A Revised Summary.of PWR Loss-of-Of fsite-Power Calculations," EG&G Idaho, Inc., EGG-CAAD-5553, September 1981. ; Schultz, R. R. and S', R. Wagoner, "The Station Blackout Transient at Browns - Ferry Unit One plant, A Severe Accident Sequence Analysis," EG&G Idaho, Inc., EGG-NTAP-6002, September 1982. j U. S. Nuclear Regulatory Commission, NUREG/CR-3226, A. M. Kolaczkowski and ! A. C. Payne, Jr., "Station Blackout Accident Analyses (Part of NRC Task Action Plan A-44)," May 1983. i i l
- N 4
a l I a ) 1 t 4 l NUREG-1032 C-11
- . - - - - - - - , , --e-.- - , - .,-------.-.y.w, . yw,,
- w,mv-w m
#mesg Seckford for Appropriato Actio
# Io, UNITED STATES e" % NUCLEAR REGULATO3Y COMMISSION Cys: Stello U y "'
i ADVISORY COMMITTEE ON REACTOR SAFEGUARDS a or
' '
- Rehm
. WW NGTON, D. C. 20$55 4..',,,*
June 9, 1987 . o on Jordan Murray Matt Taylor CFiles The Honorable Lando W Zech, Jr. Chaiman u.S. Nuclear Regulatory Cocinission Washington, D.C. 20555
Dear Chaiman Zech:
SUBJECT:
ACRS COMMENTS ON THE NRC STAFF PROPOSAL FOR THE RESOLUTION OF
- USI A-44, "STATION BLACXOUT" During the 326th meeting of the ACRS, June 4-6, 1987, and in our 325th met
- ting on Fay 7-9, 1987, we discussed the resolution of USI A-44, "Station Blackout," that is being proposed by the NRC Staff. We also discussed the Nuclear Utility Management and Resources Cecrnittee (NUMARC) initiatives directed at reducing the risk from "Station g2 Blackout." A Subecmittee meeting was also held to discuss this issue with the NRC Staff on May 6,1987. During these meetings, we had the benefit of presentations by representatives of the NRC Staff and NUMARC.
We also had the benefit of the documents referenced. , , Since March 30, 1982, rnembers of the ACRS have considered and discussed. this issue at nine meetings, and offered cements to the Executive. Director for Operations in letters dated July 13, 1983 and March 12, l 1985. The ACRS has been generally receptive to and supportive of the ! Staff's efforts in seeking resolution of the issue. We consider the proposed resolution of USI A-44, "Station Blackout," to bE workable, and We ConTBend the Staff for its efforts. However, we do not recorrnend issuance of the final rule at this time. We believe that the NUMARC initiatives may be a viable alternative for I dealing with this issue on an expeditious schedule and may require the l least expenditure of resources on the part of the industry. We believe that the electric utility industry has a strong incentive to deal with "Station Blackout." One shortcoming of the proposed NUMARC initiatives is the absence of a requirement for any assessment of a plant's ability to cope with station blackout for a specified length of time. A letter from NUMARC has advis6d us that they are developing a methodology to do this, but that ( industry-wide agreer:ent will have to be obtained. They expect that the ( development of their initiatives will be substantially completed by September of this year. ' ~ 87Q458
The Honorable Lando.W. Zech, Ur. June 9, 1987 We recomend that the Staff continue to work with NUMARC or the techni-cal aspects of the NUMARC efforts. If by September of this year it is detemined by the Staff th:t the NUMARC initiatives will not be effec-tive or timely in reducing the risk from "Station Blackout" to accept-able levels, or that the rt0 MARC initiati'.c Will bi: unduiy diHicult to evaluate on a plant-to-plant basis, we then recomend issuance of the final rule. Additional remarks by ACRS Members Glenn A. Reed and Charles J. Wylie are presented below. i Sincerely. - t William Kerr Chainnan , Additional Remarks by ACRS Members Glenn A. Reed and Charles J. Wylie We believe the NRC Staff has done a comendable job in bringing A-44 to resolution. However, we continue to support two previous ACRS letters (July 13, 1983 and March 12, 1985) recomending in part that A-44 g, implementat, ion should be integrated with A-45, "Shutdown Decay Heat . Removal Requirements." Un'ortunately A-45 has not arrived at the sare' j status, and the NRC Staff wishes to proceed now with a rule and guide on station blackout which deal with A-44 only. But, the root issue is not station blackout but rather decay heat removal to limit core melt risk to an appropriate level. We do not consider it in the best interest of nuclear safety to proceed now with an NRC rule and guide on station blackout, which could compro-mise future desirable and more effective action for decay heat removal. Since it appears that NUMARC-Nuclear Utilities Group on Station Blackout (NUGSBO) has also been moving fomard with an industry effort, and since the electric utilities should have premiere capahilities to upgrade vulnerabilities to station electrical blackout, we recomend NUMARC. NUGSB0 carry the ball, with NRC Staff interfacing and monitoring -- but without an NRC rule. This arrangement would leave the NRC e,mcompromised to act appropriately on A-45 when its resolution is completed. In our opinion there may be some outlier units for which it is more preferable to focus and expend funds on the root issue of decay heat removal without diverting effort to station blackout; and such focusing may be more hamonious with the backfit rule.
- I e
,,v .
The Honorable Lcndo W. Zech, Jr. June 9, 1987
References:
- 1. U.S. Nuclear Regulatory Comission. Federal Register Notice (51 FR 9829) for the proposed Station Blackout Rule (10 CFR 50.63),
published on March 21, 1986.
- 2. U.S. Nuclear Pegt letcry Cuide on "Station Blackout," dated March 30, 1987.
- 3. U.S. Nuclear Regulatory Comission, NUREG-1109, "Regulatory /Backfit Analysis for the Resolution of Unresolved Safety Issue A-44,"
submitted March 30, 1987. 4 U.S. Nuclear Regulatory Comission, NUREG-1032, "Evaluation of Station Blackout Accidents at Nuclear Power Plants," draft, submit-ted April 16, 1987.
- 5. U.S. Nuclear Regulatory Comission. NUREG/CR-3226, "Station Black-out Accident Analyses," dated May 1983.
. 6. U.S. Nuclear Regulatory Comission, NUREG/CR-2989. "Reliability of f Emergency AC Power Systems at Nuclear Power Plants, dated July 1983.
S e e e s S n
[ l'e, UNITED STATES l 8 % NUCLEAR REGULATORY COMMISSION 3 ,1 cAsmotow.o c.rosss
.jk, f June 23, 1987 l
I MEMORANDUM FOR: Victor Stello, or. Executive Director for Operations
. 1 FROM: Edward L. Jordan, Chaiman Ccenittee to Review Generic Requirements
SUBJECT:
MINUTES OF CRGR MEETING NUMBER 115 i The Comittee to Review Generic Requirements (CRGR) eet on Wednesday, May 27, 1987, f rom 1-5 p.=. A list of attendees for this :neeting is enclosed (Enclosure 1). The following items were addressed at the :neeting:
- 1. W. Minners (RES), P. Baranowsky (NRR), and A. Rubin (RES) presented for CRGR review the proposed final rule and regulatory guide resolving USl A-44, "Station Blackout." The CRGR reconmended EDO approval for p -
transmittal-to the Cossnission, subject to some changes in the documents that would be coordinated with the CRGR staff prior to transmittal to the EDO. The CRGR also recosmended that the rule not be implemented until certain additional implementation guidance for the staff is prepared and
. reviewed by the CRGR. Further, the CRGR recoemended that the staff's proposed fr:plementation schedule should be shortened. This matter is e discussed in Enclosure 2. ,
- 2. The proposed final rule amendrents to 10 CFR Parts 30, 40, 50, 51. 70, and 72 concerning general requirements for decocuissioning nuclear facilities, which were scheduled for review, were not reviewed at this meeting. The review was postponed until the next scheduled CRGR meeting. .
- 3. G. Arlotto (RES) and G. Millmar (RES) presented for CRGR review the proposed rule arendments to 10 CFR 50.55a, "Codes and Standards." The CRGR recocnended that the EDO approve issuance of the proposed amendtrents for public conment. This matter is discussed in Enclosure 3. ,
In accordance with the ED0's July 18,1983 directive concerning "Feedback and Closure on CRGR Reviews," a written response is required free the cognizant office to report agreement or disagreer.cnt with CRGR recosmendations in these minutes. The response, which is required within five working days after receipt of these t teting minutes, is to be forwarded to the CRGR Chairman and if there is disagret:nent with the CRGR recoemendations, to the EDO for decisionr.aking. 1
~ . 2-(( Questions concerning these meeting minutes should be referred to Tom Cox
~
(492-4148). - daard ordan, Chaire.an Comi t e to Review Generic Recia ements
Enclosures:
As stateo ec: Cocnission(5) SECY i Office Directors Regio'nal Acministrators CRGR Members W. Parler B. Sheron G. Arlotto W . I s O e
- I l
l
\ i
. l
--h*
- g1 h_ .
0 Enclosure 1 I-f ' LIST OF ATTENDEES ( .. CRGR MEETING NO. 115 a May 27, 1987 i : CRGR MEMBERS r E. Jordan R. Bernero ' T. Martin ' J. Scinto T. Speis J. Sniezek OTHERS J. Zerbe
. T. Cox J. Conran A. Rubin P. Baranowsky ;
K. Kniel B. Colmar . O. Jones A. Serkiz . M. El-Zeftawy J. Flack J. Larkins D M. Federline J. Austin e' M. Taylor J. Clifford R. Fenner P. Norian
- M. Maisch-
- W. Minners R. Bosnak S. Treby G. Millman G. Arlotto '
T. Dorian - i l
^ _n_
Enclosure 2 to the Minutes of CRGR Meeting No. 115 Proposed Final Resolution for U51 A-4A, "Station Blackout" May ' 2 7. l'38 7 ' t TOPIC i V. Minners (RES), P. Baranowsky -(RES), and A. Rubin (RES) presented for CRCR review the proposed final resolution for Unresolved Safety Issue (USI) A 44, "Station Blackout." The proposed resolution calls for amendmentr, to 10CFRou (includingan:dditiontoGDC-17 which would require that licensee)s and applicants:ano issuance (a) assess of an assoc the vulnerability of their plants to blackout (i.e. simultaneous loss of offsite AC power ar~ unavailability of onsite AC power), and (b) demonstrate the capability of their plants to cope with the effects of blackouts of specified duration if they occur. Copies of briefing slides used by the staff to guide their pre-sentations and discussions with the Comittee at this meeting are attached to this Enclosure. BACKGROUND The proposed resolution for USI A-44 war reviewed by CRGR earlier, at the draft stage, in Meeting Nos. 59, 61, and 60; the complete account of that starlier review and the resulting recomendations of the Coar:ittee are docu-mented in the minutes of Meeting No. 60 dated May 8, 1984. The current pack-A - age submitted for review by CRGR at this final stage was transmitted by memo-g H randuedatedApril6,1987}ew.R.-DentontoJ.E.Zerbe;thecurrentpackage included the following rev documents:
- 1. Enclosure 1 Proposed Federal Register Notice, dated March 30, 1987, (Response to public coments, proposed rule amendments,
, backfit analysis) .
- 2. Enclosure 2 Regulatory Guide, dated March 30, 1987, "Station Blackout"
- 3. Enclosure 3 NUREG-1109, undated, "Regulatory /Backfit Analysis for the Resolution of Unresolved Safety Issue USI A-44, Station
, Blackout"
- 4. Enclosure 4 WUREG-1032, undated, "Evaluation of Station Blackout Acci' dents at Nuclear Power Plants"
- 5. Enclosure 5 "Significant Changes to the USI A-44 Package,"
9 undated (circa March / April 1987) The Concission received 53 letters coenenting on the draft resolution package reviewed earlier by CRGR; those comments are summarized and responded to by the staff in the proposed Federal Register Notice (FRN) included in the cur-rent review package (Background Item 1 above). One of the public coment letters, from the Nuclear Utility Management and Resourcas Committee (NUMARC), put forward as a possible alternative to the staff's proposed resolution for USI A-44 four initiatives designed to address the more important contributors 4 ec
m - - - - - - - - - . - - - - - - to blackout. Those. initiatives we
/ t'ently operating nuclear power pla$ne endorsed broadly
) ts, and they have beenby pursued the utilities cur-by actively ( the utilities in couple of years. parallel with the staff's work-on this issue over the last The NUMARC ini iatives are included as one of the five possible alternative courses of etion examined by the staff in regulatory and backfit analyses done in connec 'on with USI 044; those analyses are sum-marized and documented in NUREG-1109 (Background Item 3 above). A method acceptable to the NRC staff for licensees to determine plant-specific blackout cooing durations for their facilities is provided in the proaosed Reg. Guide (Background Item 2 above) included in the current review paccage. Tac M a! studies fr..M b EC tu examine the most important paraseters of the station blackout issue (i.e., frequency of loss of offsite power probability that onsite AC will fail t.o provide power for core cooling; ca;pability and reli-ability of shutdown cooling syster:s during prolonged blackout; ability of containment to withstand pressure / temperature buildup during prolonged black-marIzedinNUREG-1032(Background, ItemSignificant 4above).out changesand probability made to of oc the USI'A-44 package since the Comittee's earlier review at the draf t staga are summarized in Background Item 5. Briefly, the staff's proposed resolution for USI A-44 includes: (a) amend. tents to 10CFRSO and Appendix A to Part 50 (General Design Criteria), which would require that all nuclear power plants be able to cope with a station blackout l for a s and (b)pecified duration and have procedures and training for such an event, issuance of a supporting Replatory Guide which would provide an ac-ceptable method for determining the station blackout duration for each plant. O ~ The staf f's analyses indicate that an improvement of about 2.6E-5 in the fre-h quency/ reactor year of core damage events will be realized by implementing the proposed A-44 fix (decreasing from about 4.2E-5 before fix to 1.6E 5 after fix). This corresponds to a be:t-estimate total averted risk benefit of about 145K person rem for a population of 100 reactors over their remaining lifetime g (about 30 years average). The cost of iaplementing the proposed fix is esti-riated by the staff to be about $600K per plant, for a total cost to the in-dustry of about $60M (i.e., 60 million dollars). The benefit / cost ratio for the proposed action, then is 2400 person-rem /$M (or about $420/ person-rem, compared with $1000/ person,-rem comonly used as the breakeven guideline). l DISCUSSION 1 Major points of discussion at this meeting regarding the proposed resolution for USI A-44 were as follows: ( 1.
- A major change in the A-44 package from the draft stage to the current version is that licensees would no longer be required to determine the maximtm duration that their plants could cope with blackout conditions.
Instead licensees would determine by applying the screening /categoriza-tionguIdanceinthe coping duration (i.e. proposed Station Blackout Reg. Luide, a specified
, 2 hours, 4 hours, 8 hours or 16 hours) appropriate for each facility. They would then be required to demonstrate by further analyses that each plant could actually cope with blackout conditions for that specified duration. The staff did not,.however, include in the re-vised package the proposed acceptance criteria / guidance (e.g. SRPs) that C would be used by staff reviewers for judging the acceptability of the O ~
r *
+
coping analyses t9 be submitted by the licensees e, der the proposed re-solution NRC inspe,ctorsor the 4nspection guidance tis (e.g t proposed rule. ,in determining ultimately' confonriance dcense)e;tohat the would be a In the absence of such criteria, the Comittee felt that the' proposed edping demonstration requirement is such too open-ended, and thatthestaff'fsestimateofcosttoimplementtheproposedfix(i.e., about $250K/ plant) is not verifiable. In this context, it was noted that the actual cost of analyses done by the St. Lucie ? spplicant to demon-strate a 4-hour blackout coping capability (after Station Blackout was made a design basis event by the Licensing Board icr that faci 14*y) ws: . said by NUGSSO to,be in the neighborhood of about $2 million. 4 The staff stated that the curred in that instance. y had no detailed knowle3;e of actual costs in-They were, however, generally aware of the cir-cumstances involved; and they said that the extensive analyses done by the licensee in that case i ses) were done in the proce(which included even some thermodynamic analy-specified by the Board. ss of demonstrating the 4-hour coping _ duration Extensive analyses were apparentl" done by the licensee in a futile modifications to theattempt plant. to avoid having to make significant physical The staff felt strongly that those circum-stances were not representative for the remaining plants that would be affected by this proposed blackout rule; and they stated categorically that the coping analyses envisioned in connection with the currently pro-posed USI A-44 resolution were not intended to be as extensive as those done by the St. Lucie applicant. p - f After auch discussion, the Comittee concluded that the A-44 package did not have to be held up from going fo Ward because of their concerns on this point; but they recomended that both the acceptance criteria and guidance to be used by staff reviewers (i.e., SRPs), :nd the guidance to be used by HRC inspectors (i.e., tis) in implementing the new rule should Le reviewed by the CRGR prior to implementation of any station blackout rule that is finally approved. The staff moreed with this're-comendation; RES and NRR will cooperate in this effort, and will under-take imediately the expeditious development of the acceptance criteria The Ccmission currently is not scheduled to consider this m late stanmer or early fall of this year; it was felt, therefore, that there is a good chance that the recomended criteria /guittance could be avail-able at the resolution time the Comission gives final consideration to the proposed package. 2. The credit to be given to "alternate" AC sources for coping with blackout wasanothermajorareaofdiscussionatthismeeting. This had been a major. point of coment by NUMARC in putting forward their initiatives as an alternative to the staff's approach for resolving A-44. The staff is willing to credit such AC sources for coping purposes; tut they haw had some difficulty in specifying detailed acceptance critaria i.e., what degree of independence, diversity, reliabilit AC sources to qualify as acequate for coping.y, Although etc. they have h req,uired not for such fully developed their thinking in this regard the st.tif indicated in these discussions, that a "swing" diesel gener,ator configuration would not qualify as an alternate AC source adequate for coping with blackout,
~ . 1
[ beca ( temsyse of its lack of independence from 'ne. normal safety related AC sys- ' and i'ts common-mode failure poten',ial. Generally., however, if an al-ternate source can be shown to be reliable, independent, and available , wighin ft ly. 10 minutes or so of the onset >f blackout, the staff will credit it The staff stated that such a plant would, in effect, fall into the so-called "zero hour" category that was the subject of much discussion with CRGR at the draft review stage. That is to say, a fully credited alter- 3 i nate AC capability will be considered to be ade ! required biceko d c Q ct additional coping analyses.; ability, without for a the plem.quate need for any de J. In discussing the utilities' reluctance to accept the proposed coping anlysis requirement (as indicated above in Discussion Item 1)7 the staff offered the view that a major concern underlying the utilities opposi-
? tion on this point was that the staff sight raise such extensive equip-ment oprability questions in the review of such analyses as to effee- ,
tively reopen the EQ issue. With respect to such concerns, the staff stated that, if the blackout coping capability claimed by a licensee relies on use of equipment that previously did not require any sort of environmental qualification, then its availability and operability in the blackout context would have to be reasonably established / demonstrated. This could be done by providing an evaluation of equipment character-istics and specifications vs. anticipated environmental conditions and
-- equipment loads that could result from blackout and by providing for administrative controls to reasonably assure ava,ilability of equipment
@ designated to be relied on in coping with blackout. The staff felt that the licensees' concerns regarding the likelihood of extensive environ-mental, qualification effort being required in connectio; with blackout were sisplaced.
o The CRGR staff noted that, in recent discussions with NUGSB0 represgnta-tives on this point, the concern expressed was that the extensive ceping analyses required under the staff's proposal would not actually fix any equip ent or procedural deficiency that contributed to station blackout potential. The emphasis in the NUMARC initiatives was on physical equip-ment and procedural improvements that would directly address olackout concerns; they felt that this represented the most effective and cost 1 beneficial expenditure of resources in addressing the blackout issue. { With respect to demonstration of blackout coping capability, the utili- 1 ties regardfelt(i.e. that staff's criteria for determining what was adequate in that ; detailed analyses) were too stringent, and more like what is : normally requ, ired to demonstrate adequacy of equipeent/ procedures _necessary to assure public health and safety. The staff has not claimed that any of the proposed USI A-44 fixes are necessary to assure safety; they have only said that such fixes provide significant improvement to t safety in a cost beneficial manner In view of the relative importance (thus indicated) of A-44 fixes in general the utilities believe that adequate demonstration of 2-hour, 4-hour ,etc be provided by simply meeting the criterla spe. coping cified capability by.the staff in should the proposed Station Blackott Reg. Guide for determining that a plant is a 2-hour plant, or 4 4-hour plant, etc. The Committee agreed generally with C the view that analyses in themselves do not fix equipment or procedural deficiencies that result in vulnerability to blackout. The staff ~
- - - - . - , - - . - . - . - . - - . . .., - ~ . . - . - -
(,. '
/ reiterated strongly however Uat the analyses'specified are required to provide,ahighlevelofassur,ancethatagivenplanthasthecapability
( , to cope with blackout conditions for the duration specified for that facility. The Committee asked whether the staff had fonsidered allowing i utilities to take credit for demonstrating operability of such equipment f by actual testing under simulated blackout conditions during a plant out-age. The staff responded that they would consider licensee proposals to demonstrate operability in that manner, and would revise the wording of the FRN to indicate this; but they would not require (or even'necessarily encourage) that approach. As a final point in regard to equipment operability cd reliability, and their relationship to the overs 11 demonstration of required cooing cap-ability, the Comittee noted that, although the staff had stated expli-citly at least once in the A 44 package that it was not intended that any
- equipment relied on for blackout coping must be safety grade or that full
- scopeAppendixBQArequirementsaustbeappliedtosuchequIpment(e.g.,
see proposed FRN at p. 12, last paragraph), the wording of the package in other places was,such as to suggest that comparably detailed and stringent QA requirements riight apply to such equipment. For example, the proposed FRN (at p.12, second to last paragraph) states that:
...the equipeent must meet certain quality assurance criteria to ensure a hich level of reliability and operaoility ourtry station _
blackout events." - A The Comittee comented that, because the objective of protosed rule is to D' further reduce risk in a cost beneficial sanner not to acifeve an accept-able level of risk where reasonable assurance o at is currently lack-ing), they agreed with the staff approach of not requiring equipment re-lied on for coping with blackout to be safety grade. In this context, the o Committee recomended that the staff clarify their intent with regard to intenced safety classificatien of, and QA require:ents for sucheduip- ' mentbyrevisingthewordingofthepackageinthesgecific, paragraphs I noted, to identify explicitly and unambiguously the certainQAcriteria" that the staff is referring to there. The Comittee also suggested that the remainder of the package be carefully reviewed for similar potentially confusing wording, and be revised as necessary to avoid possible confus-ion on this important point. The staff agreed that the wording cited was gotentially confusing and shen 1d be changed (e.g., by deleting the word certain" in the specific passcge cited, and by indicating more clearly that the level of treatment given to quality in the Station Blackout Reg. Guide and in draft ANS Standard 58.12 is representative of what is expec-ted by the staff for equi > ment relied on for coping with blackout). The l staff will also review otler pertinent sections of the A-44 package for l other such inconsistencies or ambiguities. I l 4. With regard to the proposed requirement specifying that the Director, NRR, must sake a detensination of the specified station blackout duration for each affected operating plant (see proposed FRN, p. 45, third paragraph), the Committee asked what standard is to be used by the Director in saking that determination. The staff responded that the operable standards are set forth in the proposed Station Blackout Reg. Guide in the guidance for categorizing existing plants (i.e. , as 2-hour, 4-hour, 8-hour or 16-hour l l
plants).
. Beyond those explicit deterministic standards, there is also the probabilisticcoredamagefrequencyobjectiveofabout10E-5whichunder-{
(.. lies the staff's overall approach to resolution of this is w e, as reflect-ed in NUREG-1032 and NUREG-1109. The Comittee agreed that either or both the required determination; but they also stated that th dard(s) must be incorporated explicitly into the rule that requires such a determination to be made. The staff a package to reflect this recomendation. greed to modify the wrding of the 5. Tha Committee questioned the staff regarding the proposed implementation schedule (see proposed FRN, p. 45, last two paragraphs). They noted that a stated objective of the NUMARC initiatives is to upgrade ali 8-hour plants into the 4-hour category within one year; while under the staff's proposed the 1990's. resolution the upgrading of affected plants could drag on into ,
. The Comittee recomended that NRR work out a more expedi-
. tiousthe with implementation schedule for their proposed resolution, consistent action:. general objective of reducing schedules for high priority generic 6.
The Comittee asked the staff to reaffirm that the wording in the next-to-last paragraph of the transmittal letter for this review package, and the wording in the proposed FRN (at p. 50, first paragraph), was intended to satisfy the requirement in 10CFR50.109 for an explicit finoing by the Director, NRR that a proposed backfit will provide 4 substantial increase
~
in the over.all protection of the public health and safety, and is justi-fied in view of the direct and indirect costs of implementing the back-fit. It was noted that the referenced wording actually states that the results of the staff's analyses in NUREG-1032 and NUREG-1109 succort such a determination determination. ,The staff agreed to verify that it was T6e ( c> Director's intent to make the required finding when the review package was transmitted more to CRGR, clearly reflect and to revise the wording of the pcckage to that intent. 7. The Comittee asked if the staff had concluded on the basis of actu analyses that it is safer to shutdown a plant in tne event of iminent severe weather (e.g., hurricane, tornade blizzard, etc. and rely on diesel shutdown generators conditions and/or offsite power so,urces for power)to raintain safe severe weather proce,dures in the A-44 context.as strongly suggested by the It was suggested in this context, in view of the problems that have been experienced with DG reli-ability and the expectation that offsite pcwer is likely to fail in the critical but operating at reduced power levels inThesuch circ staff on thisresponded question. that they had not done detailed comparative risk analyses Where such shutdown procedures exist, or in specific instances where shutdown actions have been taken in immine ther Situations (e.g. , during a hurricane Ost year), those procedures / l actions have been the result of licensees' evaluations of specific situa-tions and alternatives, specifically with to the licensees' the staff only deferring t6 or not objecting judgment. It was agreed that it should not
7 , f be assumeo automatically that shutdown of the reactor and reliance on.0G i (. power is the preferred course of action in all severe weather situations, l but that tnis question should be examined on a case basis; and this approach will be taken in implementing any approved resolution for USI A-44.
- 8. The Committee inquired where in the rule.is the concept of "alternate AC" sources .ddressed. Specifically, where.is the basis for the staff accept-ing a cualified alternate AC source as demonstration of adequata blackoot capability in lieu c' c.,a requirement for analyses to demonstrate the ability of a plant to cope for the specified duration (as indicated in Discussion Item 2 above). The steif responded that an interpretation of i factors (1)and(2)ofthefourfactorsmentionedinthenewproposedsec-l tion (e) of GDC-17 (see proposed FRN, at p. 47) might be considered the l basisfordoingso. The Comittee recommended that both the concept of 4 "alternate AC, and the provision for waiving the requirement for analy-ses to dem>.11 strate coping capability for the specified duratien if a fully ,
qualified afternate AC source is provided, should be included explicitly i in the proposed rule. (For alternate AC sources, as well as other black- I out coping equipment, "fully qualified" does not mean that the equipment must meet safety grade, Seismic I, Appendix B QA. requirements, etc.) The staff agreed to work out with OGC the appropriate wording changes needed to incorporate this recommendation by the Committee.
- 9. After auch_ discussion" of the proposed A-44 resolution with the staff the g Committee agreed that it appeared that, to the extent that the staff Is cost estimates are accurate and can be actually realized in practice, the costs involved in implementing the proposed resolution are justified. A major qualitative factor in the Comittee's conclusion in this regard was the observation that the AC electrical systems affect so pervasively plant operations.
" There is a high likelihood, therefore, that significant improvement in AC systems reliability and independence will provide a sig-nificani, improvement in safety. Assuming the proposed resolution for A-44 is approved and implemented as expected, the Committee inquired about the prospect of any further cost beneficial fixes being imposed under USI i A-45. The staff responded that, in view of the small residual risk levels l remaining af ter implementation of the proposed resolution for A-44 and !
other generic fixes imposed over the last few years, and in further view of the projected cost of the type of fixes that have been most seriously ! considend in working that issue, it is not clear at this time that the staff can propose further cost beneficial fixes under USI A-45. 10. The Committee felt that the wording of the last paragragh on p. 36-37 of I the proposed FRN is too negative with regard te the potential role and contribution of probabilistic analyses in better understanding the black-out issue, and with regard to the use of reliability goals in resolving important generic problems such as USI A-44. 3 They recommended that this ! wording be modified to reflect a more balanced agency view in this regard l prior to issuance of the proposed resolution package., The staff agreed to work with OGC in doing so. , I H e
v ~- j-11. The Committee noted that the proposed hetion Blackout Reg. Guide pro plants; but the FRN refers only to 4 nour mended that the wording of the proposed FRN They and recoe e.g., at pp. 23 26 and 28) be revised consistent so that the wording of the propose (d resolution throughout. pac The staff agreed to do so. 12. With reference to the wording of the 1 sat sentence of the second para-graph on p.14 of the proposed FRN, the Comittee asked if the staff were sure that no exemptions to GDC-17 had oeen approved b, the Commission fo any vperating plant, as suggested by the wording of that sentence. The staffofagreed ing to check the sentence in this point specifically and will adjust the word-tion status accurately. question, if necessary,, to reflect GDC-17 exemp
- 13. '
. The at age Comittee this pointnoted that OGC has not formally concutred in the A-44 p prior to final app;ioval and issuance of the proposed pa 14.
, In addition to the recomendations made in the preceding regarding a n ber of general kinds of changes that should be made to the proposed res tion package in various topical areas, the Comittee recomended also the provided torevisions following CRGR forto the wording of specific sections of the documents review:
a. Federal Register Notice, at p. 12, last sentence. Change to read as follows: '
"However, the equipment must sect the quality assurance !
criteria needed to establish an appropriate level of
~
reliability and operability during station blackout events." c> - (See also Discussion Iter 3 for indication of additional non- l specific wording changes needed to this.section of the FRN.)
- b. Federal Recister No+ ice Change to read as foTT6w,s:at p. 36, next-to-last and last paragraphs. I
" l
...However, the Comission recognizes that there may be potential drawbacks from relying on this approach on -
an industry-wide basis for tne reasons given below. One detrimental aspect...is that-it might lead to over emphasis on efforts to assess the adequacy of the anal ' sis, ' rather than concentrating on adequacy of the design. here can be too strong an emphasis on fine tuning the model...to achieve results directed maini toward meeting a numerical criterion....On balance, in i lementing... coals...."
; \
(See Discussion Ites 11 above, for context of this bcommendation.) { l 1
c. Federal Register Notice, at p. 44, under "(b) Limitation of Scope," 4 ( m Change the ending of the sentence to read as follows: f'
" ~
.... if the capability to withstand blackout was spoci-fically addressed in the operating license proceedip; and was explicitly approved by the NRC." l (Alternatively consider simply stating that these new requirements donotapplyI.ntheSt. Lucie plant, if that is what is really in-t e M by th: :rc'i.,g :,f thi = sn i. ion. )
- d. er Pnister Notice, at p. 45, last paragraph. Change to read as "A final schedule for implementing modifications...shall-be developed by the NRC staff in consultation and coordi-nat'on with the licensee."
(See Discussion Item 5 above for context of this recommendation.) e. Proposed Station Blackout Reg. Guide, at p. 6 and p. 11 (Footnote). Revise the wording referring to "plant specific technical guide-lines" to clarify that this actually means Emergency Operating Drocedures for the plants.
- f. Procosed Station Blackout Reg. Guide, at p. 8?
Clarify to indicate that references to "full power" mean that the reactor has operated long enough at 100% power to reach' equilibrium D Xenon conditions. RECOMMENDATICHS TO THE E On the basis of their overall review of this matter, including the presenta-tions and discussions at this meeting, the CRGR recommended to the EDO that the propcsed resolution for USI A-44 be approved for implementation, subject to a number of revisions recommended by the Committee, in particular the following: 1. The staff should ret,olve wording issues in several topical areas, and make specific revisions in several sections of the documents in the package, as indicated in the preceding Discussion Items.
- 2. (1 The staff should develop, and submit for review by CRGR, the a criteria and review / inspection guidance documents (i.e., SRPs
.E to be used by NRC reviewers and inspectors prior to implementing )
acticn finally ceding approved Discussions Items.for resolving USI A-44, as discussed in the pre-3. The staff should address explicitly in the body of the proposed rule the "alternate AC source" concept, and also make clear in the rule itself that f a fully qualified alternate AC source will be accepted as demonstration of adequate blar.kout coping capability in lieu of extensive analyses otherwise required by the proposed rule.
/ -
- 4. The. staff should develop in coordination with affectpd licensees ore expeditiousscheduiesfohTerallimplementationofItheprop resolu
- tion than are indicated in the current package. .
. O
?
I 4 i I e
~ ~ .O l
4 4 l .
\ -
I I
--m, ---w,,,,,,-.,,r, -, _ - - . ,
ENCLOSURE H SEE ATTACHED LIST
Dear Mr. Chairman:
Enclosed for the information of the Subcommittee on are cocies of: (1) the Federal Register Notice ror the final rule on Station Blackout, (2) Regulatory Guide 1.155 entitled "Stativ.. Blackout," (3) NUREG-1032 entitled "Evaluation of station Blackout Accidents a+. Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue { ' !. A-44," and (4) a supporting Regulatory /Backfit Analysis (NUREC-1109). I These documents serve as the staff's resolution of Task A-44, which has been identified as an "Unresolved Safety Issue" in the 1978 (1980 for A-45 through A-48) Annual Report pursuant to Section 210 of the Energy Reorganization Act of 1974. The final rule incorporates consideration of public comments received in response to th1F deral Reg.ister Notice of Proposed Rulemaking dated March 21, 1986 (51FR9829). O., The proposed rule requires all licensees and applicant:: 1) to assess the capability of their plants to cope with a station blackout (that is, determine that the plant could maintain core cooling and containment integrity with AC pcwer unavailable for a minimum specified time period); 2) to have procedures and training to cope with such an event; and 3) to make modifications, if necessary, to cope with an acceptable minimum duration station blackout. The implementation schedule stated in 10CFR50.63 will become effective immediately upon promulgation of the rule. Sincerely,
- Eric S. Beckjord, Director Office of Nuclear Regulatory Research
'-- y, v __ ____________m
~ . _ _ - - . - - --
Enclosure I - Public Notice NRC AD0 PTS FINAL RULE TO REQUIRE NUCLEAR POWER PLANTS TO BE CAPABLE OF ',iITHSTANDING "STATION BLACKOUT" The Nuclear Regulatory Commission has amended in egulatir.as to require that commercial nuclear power plants be capable of withstanding a total loss
~
of alternating current (AC) electric power--called "station blackout"--for a specified time and to maintain reactor cooling during that period. Previous regulations established requirements for the design and testing of onsite and offsite power sy3tems intended to minimize the probability of losing all AC power. -However, the previous regulations did not require explicitly that nuclear power plants be designed to assure that the reactor l core can be cooled for any specified period of loss of all AC power. l Station blackout has been studied as an unresolved safety issue since 1980 and results show that loss of offsite and onsite AC power systems can be an important contributor to the w erall plant risk. These systems provide power for various safety systems, including reactor decay heat removal and containment heat removal. If a station blackout persists'for a sufficient time so that the capability of the AC-independent systems (for example, batteries and steam-driven auxiliary feedwater systems) to remove N at decay is exceeded, core melt and containment failure could result. The final rule requires all licensees and applicants: 0
~
2-1) to assess 1!he capability of their plants to cope with"a station blackout (that is, determine that the plant could maintain core cooling and containment integrity with AC power unavailable for a minimum specified time perio'd); ' 2) to have procedures and training to cope with such an event; and 3) to make modifications, if necessary, to ecpe with an acceptable minimum duration station blackout. Written coament on the proposed rule were received in response to a Notice of Proposed Rulemaking published.in the Federal Register on March 21, 1986 (51FR9829). The comments have been taken into account in development of the final rule as described in t,he Fe'deral Register Notice of i Final Rulemaking, , 1988. e O
$ 4 4
9 4 _._-h_mh _____.__.______.___-___._.____.__-__'_.______
P o. sex 270
] s
?
*Y1
[ mw wie me ca
$m HARTPoRo.CoNNECTICVT 06W 0270 (2c3) 665 53r3 g
a 3 w m um-e i = =. - somsP.cessA ssreurvr voct ontMont I,70 AlI4140 A4D C8I8 A flC48 November 23, 1967 Mr. Themis-P. Spels Deputy Director for Generic and Regulatory Issues office of Nuclear Regulatory Research U.S. NUCLEAR REGULATORY 00MMISS10N Washington, D.C. 20555 Re: NUMARC-8700, "Guidelines and Technical Bases for NUMARC Initiatives Addressing Station Blackout at Light Water Reactors."
Dear Mr. Speis:
Enclosed with this letter are 10 copies of NUMARC-8700, "Guidelines and Technical Bases for NUMARC Onitiatives Addressing Station Blackout at Light Water Reactors," dated November 20, 1987. This document replaces the October 19, 1987 version previously provided to you. NUMARC-0700 provides guidance and methodologies that utilities will use to implement the Nuclear Management and Resources Council (NUMARC) station blackcut initiatives. Discussions with the NRC Staff indicate that this document essentially addresses the NRC's concerns with a station blackout event and provides a reduction in risk at least~ comparable to that associated with the proposed rule. It has been further indicated that this document will be viewed by the Staff as providing an acceptable means for meeting tha requirements of the proposed rule. - Consintent with past practice, we expect this transmittal will be placed in the public document toom. Very truly yours, - Jo n F. O eka, Chairman NUMARC SBC Working Group . cet Aleck Serkiz, Senior Task Manager i.eactor and Plant Safety Issues Branch J. F. Colvin, Executive Vice President NUMARC 4
~ ~
USI A-C4 EDO PKJ 11-20-87 j NUMARC.8700 ! GUIDELINES AND TECHNICAL BASES FOR NUMARC INITIATIVES ADDRESSING STATION BLACKOUT AT LIGHT WATER REACTORS d 6 NOVDtBER 20,1987 i O NUCLEAR MANAGEMENT AND RESOURCES COUNCIL 1 i e
- , , _ ,,3} - - - - - - . ,_m---- - - , -- - - -. ----
e. d NUMARC 8700 GUIDELINES AND TECHNICAL BASES FOR NUMARC INITIATIVES ADDRESSING STATION BLACKOUT AT LIGHT WATER REACTORS NOVEMBER 20,1987
\
NUCLEAR MANAGEMtINT AND RESOURCES COUNCIL l 1 e
~GUIDEQNES AND TECHN1 CAL DASES FOR NUMARC IhTTIATIVES NUMARC.8700 __ CONTENTS .
- 1. INTRODUCTION 1.1 GUIDANCE AND DOCUMENT STRUCTURE l-1 1.2 NUMARC INmATIVES 12 1.3 SUPPORTINO INFORMATION 13
- 2. GENERAL CRITERIA AND BASELINE ASSUMPTIONS 2.1 GENERAL CRITERIA 21 2.2 INmAL PLANT CONDITIONS 21 13 INTTIATLNG EVENT 22 2.4 STATION BLACKOUTTRANSIENT 26 2.5 REACTOR COOLANT INVENTORY LOSS 27 2.6 OPERATOR ACTION 2-8 2.7 EFFECTS OF LOSS OF VENTTLAT10N 28 2.8 SYSTEM CROSS TIE CAPABILITY 2 14 2.9 INSTRUMENTATION AND CONTROLS 2 14 2.10 CONTAINMENTISOLAT10N VALVES 2 15 2.11 HURRICANE PREPARATIONS 2 15
- 3. REQUIRED COPING DURATION CATEGORY 3.1 PROCEDURE OVERVIEW 31 3.2 PROCEDURE 3,1 3.2.1 Step One: Determine The Off site AC Power Design Charrteristic Group 32 3.2.2 Step Two: Classify The Emergency AC Power Supply System Configuration 3 13 3.23 Step Three: Determine The Calculated EDO Reliability 1 3 16 3.2.4 Step Four: Determine Allowed EDO Target Reliability t-17 l 3.2.5 Step Five: Determine Coping Duration Category 3 19 3.2.6 Required Ac:fon 3 19
. i 4.
STATION BLACKOUT RESPONSE PROCEDURES i 4.1 OVERVIEW 4-1 4.2 OPERATING PROCEDURES GUIDELINES 4-1 ' 4.2.1 Station Blackout Respoase Guidelines - Initiative 2.a 41 4.2.2 AC Power Restoration -Initiative 2.b 4.2.3 43 Severe Weather Guidelines - Initiative 2.c 4-t 4.3 SUPPORTTNG INFORMATION 4-5 4.3.1 Station Blackout Response Guidelines 4-5
(REEELINES AND TitCHNICAL BASES FOR NUMARC INTR!ATIVES y NUMARC.8700 - 4.3.2 AC Power Restoradon Guidelines 4 10 4.3.3 Sewee Weather Guidelines 4 12
- 5. COLD STARTS 3.1 DISCUSSION 51 5.2 ACTION 51
- 6. EMERGENCY AC POWER AVAILABILITY 6.1 DISCUSSION 61 6.2 ACTION 6-1
- 7. COPING WITH A STATION BLACKOUT EVENT 7.1 OVERVIEW 71 7.1.1 Coping Methods 71 7.1.2 Coping Duration 7-2 7.2 COPING ASSESSMENT 72 7.2.1 Condensats Inventory for Decay Heat Removal
- 72 7.2.2 Assessing ihe Class lE Battery Capacity 77 7.2.3 Compressed Air 7 10 7.2.4 Effects of Loss of Ventilation 7 12 7.2.5 Containment Isolation 7-20 APPENDICES A. DEFINmONS 1 B. ALERNATE AC POWER CRITERIA C. SAMPLE AAC CONFIGURATIONS D. EDO RELIABIIJTY PROGRAM E.
ANALYSIS OF THE EFFECTS OF LOSS OF VENTILATION UNDER STATION BLACKOUTCONDmONS . F. ASSESSMENTS OF EQUIPMENT OPERABILITY IN DOMINANT AREAS UNDER STATION BLACKOUTCONDmONS
- 0. REFERENCES .
I {
@t#DEUNES AND TECHNICAL BASES FOR NUllyf ARC INTTIATTVES .- NUMARC.4700 i
- 1. INTRODUCTION r
1.1 GUIDANCE AND DOCUMENT STRUCTURE T'm objective of this documens is to pmvide guldsnce and methodologies for implementing the Nuclear Management and Resources Council (NUMARC) stadon blackout inidatives. Section 1 provides an introduction and discussion of the initiatives. Section 2 provides a set of baseline assumptions concerning the course and nature of a station blackout. Each assumption is accompanied by a basis discussion. These assumptions define the major topics conceming station blackout which the initiatives are inunded to address. Section 3 provides guidance for determining the required coping duration category consistent with the NRC Staff"s dnft
~
Regulatory Guide 1.155. Section 4 provides guidelines for assuring plant specific procedures adequately address station blackout response. ~ Section 5 describes industn's attention to reduce cold starts of diesel generators during tesdng of emerge ' diesel genersters. i Section 6 describes industry's EDG unavailability monitoring prograrn. 1 Section 7 provides a simplified methodology for reviewing basic plant coping features. The appendices provide additional information concerning various topics: Appendix A pr rides definitions. Appendix B provides Alternate AC powercriteria. Appendix C provides sample AAC configurations. . Appendix D discusses an EDG performance program. Appendix E analyzes the effects ofloss of ventilation. Appendix F dese:ibes methods for assuring equipment opersbility under station blackout conditions. Appendix G proddes references. t 11 _ _ _ _ _ _ _ __ _ _ _ _ - . _ . . - _ _ _ .
NtTMAR3ORD <=d 1.2 NUMARC INITIATIVES Lais in 1985. NUMARC established a working group on stadon blackout to address USI A-44. ne Nuclear Utility Group on Station Blackout (NUGSBO) has provided the major portion of the technical support for the NUMARC station blackout working group. NUMARC determined that many of the concerns related to station blackout could be alleviated through industry initiatives to reduce overall station blackout risk. In light of these considerations, on June 10, 1986, the NUMARC executives endorsed four industry initiatives L. address the more important contributors to station blackout risk. Dese initiatives were described ta tre Commission by letter dated June 23,1986 which also forwarded coinments conceming the proposed st1 tion blackout rule. On October 22,1987, NUMARC approved one additional initiative and a modification to one of the original initiatives, ne initiatives are: (!) Initiative LA ~ RISK REDUCTION Each utility will review their site (s) against the criteria specified in NRCs revised draft Station Blackout Regulatory Guide, and if the site (s) fall into the categoty of an eight. hour or sixteen. hour site after utillzine all power sources available, the utility will take actions to reduce the site (s) contnbution to the overall risk of station blackout. Non. hardware changes will be made within one year. Hardware changes will be made within a reasonable time thereafter. Bis initiative was changed by the October 22,1987 NUMARC vote to reDect changes in NRCs criteria from those in . NUREG 1109 which were incorporated in the original Initiative 1. (2) initiative 2 ~ PROCEDURES Each utility will implement procedures at each of its site (s) for: (a) coping with a station blackout (b) restoration of AC power following a station blackout event: and. (c) preparing the plant for severe wcather conditions (e.g., hurricanes) to reduce the likelihood and consequences of a loss of off. site power and to reduce the overall risk of a station blackout event. l l l 12
7 v 7 CUIDEl.INES AND TECHNICAL BASES FOR NUMARC 1hlTIATIVES -
. NUMARC !?00 ~-
(3) InitiaNve 3 ~. COLD STARTS Each utility will, if applicable, reduce or eliminate cold fast staru of emergency diesel generators through changes to technical specifications or other appropriate means. (4) Initiative 4 - AC POWER AVAILABILITY Each utility will monitor emergency AC power unavailability, utilizing data provided to INPO on a regular basis. (3) Initiative 3 - COPING ASSESSSIENT Each utility will usess the ability of its plant (s) to cope with a station blackout. Plants utilizing alternate AC power for statioa blackout response which can be shown by test to be available to power the shutdown busses within 10 minutes of the onset of station blackout do not need to perform any coping assessment. Remaining altamate AC plants will assess their ability to cope for one. hour. Plants not utilizing an alternate AC source will usess their ability to cope for four hours. Factors identifled which prevent demonstradng the capability to cope for the appropriate duradon will be addressed through hardware and/or procedural changes so that successful demonstration is possible. 1.3 SUPPORTTNG INFORMATION Utilities are expected to ensure that the bueline assumptions are applicable to their plants. Further, utilities are expected to ensure that analyses and related information are available for review. l l l 4 l
. 1
GCIDELINES AND TECHNTCAL BASES FOR NUMARC INTTIATIVES . ,, NUMARC.8700 2 2 GENERAL CRITERIA AND BASELINE ASSUMPTIONS nis section contains general criteria and a listing of the base line assumpdons, a brief description of their bases, and appropriate references to source material.The topics in this section are: Section 11 - general criteria Section 2.2 - Initial plant conditions Section 13 - the inidating event Section 2.4 - station blackout transient Section 15 - reztor coolant pump inventory loss Section 2.6 - operator action Section 2.7 - effects of the loss of ventilation Section 2.8 - system cross. tie capability
- Section 2.9 - initamentation and controls Section 2.10 - containment isolation valves Section 2.11 - hurncane preparations.
2.1 GENERAL CRITERIA Procedures and equipment in light water reactors relied upon in a station blackout should ensure that satisfsetory performance of necessary decay heat removal systems is maintained for the required :tation blackout coping duration. For a PWR, an additional requirement is to keep the core covered. For a BWR, no more than a momentary core uncovery.is allowed. For both BWRs and PWRs, appropriate containment integrity should also be provided in a statier. blackout to the extent that isolation valves perform their intended function without AC power. 2.2 INITIAL PLANT CONDITIONS 2.2.1 Assumptions (1) De station hisckout event occurs whila the rextor is operating at 100% rated thermal power and has been at this power level for at least 100 days.
- l j
1 ( I*1
a I I l (2) Immediately prior to the postulated station blackout event, the reactor and supporting systems are within normal operating ranges for pressure, temperature, and water level. All plant equipment is either normally operating or ! available km the standby stam. ( 22.3 Basis (1) The potendalfor core damagefrom a stadon blackout is bounded by events initiatedpom 100% power due to the i j presence ofsubsaandaldecay heat. 1 Q) Trandents lainatedfrom normal operating conditions are considered most probable. l 2.3 INITIATING EVENT ' i 2.3.1 Assumptions (1) The inidating event is assumed to be a loss of off site power (I.OOP) at a plant site resulting from a switchyard related event due to random faults, or an extemal event, such as a grid disturbance, or a weather event I that affects the off site power system either throughout the grid or at the plant. ' LOOPS caused by fire, flood, or seismic activity are not espected to occur with sufficient frequency to requ( explicit criteria and are not considered. I l l i (2) 'The LOOP is assumed to affect all units at a plant site. At a mW unit site with normally dedicated eme AC power sources, station blackout la assumed to occur at only ons unit. At multi unit sites with normall { er gwy AC power sources, where the combination of AC sources saceeds the minimum redudancy taquireme j for normal safe shutdown (non DBA) of all units, the remaining emergency AC power sources may be u alternasive AC power sources provided they meet the alternate AC power criteria in Appendix B. If there are i a remaining emergency AC power sources in excess of the minimum redundancy requirements, station blackout l must be assumed to occur at all the units. J I (3) g Emergency AC (EAC) power sources are assumed to be available as Alterna:e AC power sources to coi . station blackout under the following conditions: i i (a) For the blacked-out unit, any emergency AC power source (s) In escen of the number l I necessary to meet minimum redundancy requirements (i.e. single failure) for safe j ! l j 22 j
. 4
uwur.une.s Anu TccumcAL NA5Es shutdown is assumed to be available and may be designated as an Alternate AC (AAC) power source (s) provided it mas the A AC erite is ernvided in Ae edit B. (b) For multi. unit sites EAC soutecs available from a non. blacked out unit, after assuming a single failure at the non. blacked out unit, may be designated as Alternate AC, if they meet the A AC eriferis emvided in Atwndit B and are capable of meeting the necessary shutdovm loads of both units. (4) No design basis reidents or other events are assumed to occur immediately prior to or during the stadon blsekout. 2 J.2 Basis (1) NRC analysis separates LOOP events into three categories: plans. centered, grid disturbance, and severe weather. Plant-centered events involve hardwarefailures, design depciencies, human errors in maintenance and switching, and localized weather inducedfaults, such as due to light..ing, salt spray. and ice. These plant. centered events reportedly occur as afrequency of 0.056 events per site. year, with a median duradon of 0J hour. Grid disturbance events have been shown to be of much lesser concernfor most plants. Events in this category reportedly have a frequency of 0.020 events per site. year, with a median duration of 0.7 hour. Severe weather events have a lesser experience with 0.011 events and a median duration of 2.6 hours. (Section 3 including Table 3.1, NUREG.1032) Seismic. fire, andfooding events include accident scenariosfor which current licensing requirements specify protective measures. For example, the potentialfar apre induced station blackout is extremely remote due to the efectiveness of currentpre protection programs and 10 CFR $0 Appendu R separation requirement: imposed on shutdown systens. In fxt, some plants installed an alternate or dedicated shutdown capability in response to Appendh R which may also be used to respond to a station blackout event. NRC analysis concludes that pre induced station blackout is not a generic concern, citing a station blackoutfrequency ofless thanper 1210'6 reactor.yearfor most plants. Consequently, station blackout events that may occur as a particular site involvin g pre initiators are nct likely to occur, and are not addressed in this document. The seismic andfooding issues are similar to thefire risk concern regarding the potentialfor causing station blackout. The Class !E power system is currently designed to withstand seismic events. Similarly,poodin protection is addressed in the plant's licensing basis. As a result, the potentialfor seismically-induced or pooding induced station blackout is on the same order aspre induced events, and are not addressed in this document. For these reasons, seismic.pcoding, andfire induced station blackout events are not addressed in these guide 23
uwunwana aau m.nmuL NmITUK (Appendh J,NUREGICR.3226) (2H3) The major contributor to overall station blackout risk is the likelihood oflosing off. site power and the duration of' power unavadability. n LOOP may occur as a result of a switchyard problem either afecting a sin gle unit, or possibly multiple units as a site. Alternatively, the cause of the LOOP may be a grid or area wide disturbance associated with severe weather condidons. Although these events are a much smallerfracdon of the total number of events (infact, weather-related events repre sent on the order of10% of all LOOPS experienced to date), they can be significant because of the longer time to restore ofsite powerfollowint such events. To be ccxervative, the LOOP is assumed to afect all units as a site. The next most importart contributor to station blackout risk for a given plant is low EDG availability. EDG availability va.ies among operating sites, based on the number of EDGs on site, the reliability to startfrom a standby state, the overall availability of the machine, and the potentialfor dependentfailures. Indntry EDG eliability to startfrom a standby state is typically in the range of 0.98 0.99. lt is very unlikely to have average EDG reliabilityfor au machines as a site below 0.95 over a sustained period. Consequently. the contribution of EDG reliability to station blackout risk h well below that of LOOPfor most plants. EDGfailures may also occur due to dependent causes (i.e., common cause events). Thesefailures may resul design or operanng deficiencies that mwufest themselves in a concurrentfadure. The potuntialfor i these def cien afecting au EDG for multiple unit sites is considered remote since most reactors have staggered operating c Staggered operating cycles also make it less likely that major maintenance activities are scheduled at the same time. Similarly, redundant units are often designed and constructed on independent schedules, with initial commercial operanon dates separate i by up to several years in nme. Generauy htgh EDG reliability and low dependentfailure rates provide a basisfor screening EDG config In support of this perspective NUGSB0 analyzed the likelihood offailure on demandfor standby systems, s for typical emergency AC power systems. The potentialfor simultaneouslyfailing two identical EDGs with each machine as industry averate reliability (i.e., approximately 2% averagefailure rate on demandfor each machin and nominal susceptibility to dependentfadure (I a. 2%) is approximately 4 73 210 . The likelihood of three identical EDGs simultaneouslyfailing is even lower. at about 4 4.1 x 10 for machsnes with 0.98 reliability. These results suggest that the potentialfor more than two EDGsfading at a unit is very low. Consequ assumin gfanlure of EDGs in excess of those requiredfor minsmum reduriancy is not necessary to assure that th ruk of a station blackout is su@ciently low. For multi wut sstes (assuming an EDG singlefailure at the non. 24
GUTDELINES AND TECHNICAL BASES FOR NIMARC INTUATIVES ; NtMARC 8700 blacked out unit), the marginal probability of an additionc! EDGfailure at the non blacked out unit is so low that the remaining EDGs are assumed available if they meet the applicable AAC criteria. Gne.out of two shared (11:S) and two ow of three shared (2/35) configurations do c.l meet Alternate AC power criteria. At single unit sites with EDG in acess of the number necessary to meet the minimum redundancy requirements (such as units with 3 or more diesels), these additional EDGs are candidates for Alternate AC. At multi unit sites, where the combinanon of emergency AC sources acceds the minimum redandancy requirementsfor normal safe shutdown (non DBA)for all units, the remaining emergency ACpower sources may be used as alternate AC power source: provided they meet the AAC power criteria ofAppendix B. The availability cf EDGs as an Alternate AC source may be assumed if the machine satisfles the Alternate A. Power source criteria provided in Appendix B. This includes criteria designed (1) to minimise the potentialfor dependentfailure events adversely afecting the Alternate ACpower source in station blackout scenarios, and (2) te provide requirementsfor power source availability. The Staf)'s stated objective of the proposed station blackout rule is to reduce the core damagefrequency due to station blackow to approximately 10'S per yearfor the average site. As provided in the proposed rule, this objective could be obtained by extending the current nominal two hour coping capability to four hours. Comparable safety benefits may existfrom the utilisation of an AAC power source. To investigate these benefits NUGSBO extended the emergency AC power system model to include the contribution of of site power system failurefrequency and power restoration. A composite LOOP duration dinribution was constructed based on the LOOP events reported in NUREG 1032. Assuming a LOOPfrequency of 0.1 per year, industry average powe-restoration distributions, a 1/3 EDG configuration. andfailure likelihoods of 2% for each machine and 2% dependentfailure, a swo hour coping capabdity yields a station blackout core damagefrequency of well below lod per year. Thisfrequency is below the threshold scught by the Stegin the station blackout rulemahng (Section 4, NUREG tC32; see also NUREG 1109, page 9 wherein the Staf assumes *... that all plants, as currendy designed, can cope with a station blackowfor 2 hours, and. with proper procedures and training, pl could cope with a 4 hour station blackow without having to make major modifications.") (4) The likelihood of a design basis accident or other event coincident with a station blackout is constdered remote and is not addressedin this document. ( 2- 5
, m <=
m 2.4 STATION BLACKOUT TRAN3 TENT 2.4.1 Assumptions (1) Following the loss of all off. site power, the reactor automatically trips with sufficient shutdown margin to maintain subetiticality at safe shutdown (i.e. hot standby or hot shutdown as appropriate). The event ends when AC power is restored to shutdown busses from any source. including Altsanase AC. (2) The main steam system valves (such as main steam Isolation valves, turbine stops, atmospheric dumps, etc.) necessary to maintain decay heat removal functions operate property. (3) Safety / Relief Valves (S/RVs) or Power Operated Relief Valves (PORVs) operate properly. Normal valve reseatint. is also assumed. (4) No independent failures, other than those causing the station blackout event. att assumed ta occur in the course of . the transient. The potential for mechanistic failures resulting from the loss of IIVAC in a station blackout event is addressed in Section 7 of this document. (5) AC power is assumed available to necessary shutdown equipment within four hcurs from either the off site os blacked out unit's Class IE sources or is available within one hour from an Alternate AC source. 2.4.2 11 asis il).l3) These assumptions outline some of the more important features of the station blackout transient. The basic consi,terations are a normal LOOP transient, proper unit trip with fWI rextidty inserrwn. and .ttSIV closure as appenpriate for the Josign of the plant. In .sJJition. the likelihood of PORV or SIRV malfunction in a statios blackout is on the Order of 12% (See Section 2. NUREGICR.1953; Section 2 and 6. NUREGICR.2132; an NUMEG.1032) (4) Imposing a.iditionalindependentfailures on the station blackout response capability has diminishing s sigasfcancefor most power plants. This is because the dominant accident contributors to a stanon blackout event generally invoin of. site power system reliability. the reliabslity and level of redundancy of the emettency AC powe system. and the stauan blackout coping capabstity, in that orJer. Since a number offattures must1.r oc: to result in a stanon blackout event, a.Liittonal intependentfattures are of seconJ.vy importance. The stanon Mackout response capabsk .'also depends on systens that are highly reliable due to the desits and masntenance standarJs use.t. Consequently. the rotennatfor variomfailure in these systens is !cw. Finally. the sgory efects of r 26
CUTDELINES AND TECHNICAL B ASES F ~ R NUMARC INITIATIVES f NUMARC 8700 capability to s are of most significance only if they are experienced early in the station blackout transient (i.e., primarily in thefirst 30 minutes). This potential has been addressed in NRC Stag analysis which estimates the probability of decay heat removal systemfailure early in a station blackout event to range from 0.001 for High Pressure Core Spray (HPCS)tRCIC combinations to 0.04 for a single steam turbine driven train auxillary feedwater system (AFW). These results underscore the lower significance of additional non mechanisticfailures in the station blackout scenario. (AppendLx C,panicularly Table C.2 NUREG 1032) (3) Historically, the vast majority of LOOP events are of short duration. NRC Staf analysis reports the median AC power restoration timefor all LOOP events to be about it2 hour, with of site power restoresiin approximately 3 hoursfor 90% of all events. Consequently, assuming afour hour restoration time addresses the bulk ofpostu!ated station blackout events. For AAC systems, ans hour is considered an acceptable period of time to lineup the AAC power source and restore power to a shutdown bus. (Of site power restoration times are takenfrom Supplementary information, Proposed Station Blackout Rule 31 FR 35. at 9830' 2.5 ' REACTOR COOi. ANT INVENTORY LOSS 2.5.1 Assumptions Soustes of expected PWR and BWR reactor coolant inventory loss include (1) normal system teskage, (2) losses frc letdown, and (3) losses due to reactot coolant pump seal leakage. Expected rates of reactor coolant inventory loss station blackout conditions do not result in core uncovering for a PWR in the four hour time period. Therefore, ma systems in addition to those currently available under blackout conditions are not required. There exists st..'ficient head to maintain core cooling under natural circulation. 2J.2 Basis - Normal system leakage is limited by technical specifications to a low rate. These rates are not assumed to increase unde . station blackout conditions. Emergency operating procedures developed in accordance with NSSS vendor Em Procedure Guidelines or individualplant analysis should be used to direct operators to take appropriate acnon. RCP leakage is assumed not to exceed 25 gym per pump for the duration of the station blackout event. However, this assumphon is currently the subject of a resolution program (NRC Generic issue 23). If thefinal resolution of Generic issue 23 results in higher RCP leakage rates, then the coping duration analy need to be reevalw: sed. 4 27
Umuuunsa ANU i s%nniCAL BA5E5 FOR NUMARC thrriATIVES iiiNLIMARC 4704 --- 0 I Generic NSSS vendor analyses and studies listed below show sktfor the asswned leakage rates core uncovery does not occur in thefew hout time period. These stu.:les also show that sufcient head ensts to maintain core cooling under natural circuluionfor a PWR. and that decay heat removal capability is maintainedfor a BWR. (1) Analyses submitted in response to the TMI accident and emergency procedure guidelines. : includingIEB 7943 NUREG4378,NUREG4660,andNUREG4737; (2) Analyses submitted in response to NRC Generic Letter 8144 concerning station b!ackow m e m pmcede n: C) C. D. Fletcher. *A Revised Summary of PWR Loss of Offsite Power Calculations *. EGG CAAD 3333. EGAG Idaho. September !981: (4) D. H. Cook. et. al..
- Station Blackow at Browns Ferry Unis One . Accident Sequence Analysis", NUREGICR 2182, 0ak Ridge National Laboratory, November i931; and G) A. M. Kolaczkowski and A. C. Payne, Jr.. "Station Blackout Accident Analyses".
NUREGICR 3226.Sandia Nations!I.aboratories.May 1983. 2.6 OPERATOR ACTION 1 t ; I 2.6.1 Assumptions 1 Operator accon is assumed to follow the Plant Operating Procedures for the underlying symptoms or identified event l scenatio associated with a statim blackout. 2.6.2 Basis NRC analyses supporting the proposed station blackout rulemaking assume that a reasonable set of operator actions
\ will occur. The governing document for def1ning operator actions is the plant's procedures. (Appendiz it.
NUREGICR 3226) ~ 8.7 EFFECTS OF LOSS OF VENTil.ATION 2.7.1 A ssumptions ' (1) Eeulement Oeeribility fnside Containment ' Temperatures resulting from the loss of ventilstion att enselotwd by the loss of coolant accident (1.OCA) and high enetty line break environmental profiles. t
- 2. $
EUTDELINES AND TECi!NICAL BASES FOR NUMARC IhTTIATIVES f NUMARC 8700 _ (2)' Eculement OMrsbiliev Outtide Centsinment (a) Areas containing equipment required to cope with a station blackout need only be evaluated if(a) the area is a dominant area of concem, and (b) the dominant area of concem has not been previously evaluated as a harsh environment due to a high or modente energy line break. De dominant areas of concem are: (i) HPC!/HPCS and RCIC tooms (BWR only) - decay heat removal equiprnent (ii) Steam driven AFW pump room (PWR only) - decay heat removal equipment (iii) Main steam tunnel (BWR only) - high temperature cutout for decay heat removal equipment. Assumptions conceming the potentiel for thermal induced equipment failure in a station blackout for the dominant aren of concem are sepanted into three distinct conditions bued on bulk air tempentures: conditien 1 Equipment located in Condition I rooms are considered to be of low concern with respect to elevated temperature effects and will likely require no special actions to assure openbility for a 4-hour station b:ackout'This condition is defined by a steady state tempenture of 120' F. Conditien 2 Equipment located in Condition 2 rooms generally require no forced cooling in order to usure operability for a 4 ' hour stadon blackout. If additional cooling is needed, such actions as opening doors may be sufficient to support equipment operation to mitigate a station blackout event. This condition is defined by a steady state tempenture of 150* F. Condition 3 Equipment located in Condition 3 rooms require pla .t specific treitment of the potential for thermal induced failure. Such treatment may include (1) further plant specific analysis, (2) providing forced cooling, and (3) replacement by equipment designed or qualified for the environment. NOTE: Plant procedures need to reflect the operator actions necessary to enhance cooling for rooms in above conditions. The control room complex (i.e., arcats) containing instrument indications and associated logic cabinets which control room operator relies upon to cope with a station blackout) is considered to be in Condition 1. cabinet doors, adequate air mixing is achieved to maintain intemal cabinet tempentures in equilibrium with (
q u%Luk> -c control room temperature. Therefore, cabinets containing instrumentation and controls required for achieving and maintaining safe shutdown in a station blackout are considered to be in Condition 1. As such, additional cooling may be provided in a station blackout by opening cabinet doors within 30 minutes of the event's onset. For multi unit control room complexes (i.e., arda(s) containing instrument ind! cations and associated logic cabinets which the control room operator relies upon to cope with a station blackout) where a portion of the HVAC is powered from the non. blacked out unit, no significant temperature rise above normal operating conditions is espected. For this situation, the effects of loss of ventilatica need not be considered further. (b) Loss of heating in the battery room does not result in a decrease in battery electrolyte tempcsature sufficient to warrant banary caprity concesn for a fout.hout period. (3) Centml Room thbitability Loss of cooling in the control room for a four hour period does not prevent the operators from performing necessary actions. 2,7.2 Basis (1) Emaimmt Creeabillevluido Cont 1ivmant No Josign basis accidents (DBAs) (i.e., LOCAs or steam line breaks) or beyond DBAs (i.e., resulting in core dantge) are assumed coincident with a station blackout. Therefore environmental concerns inside containment are limited to (!) loss of coolin g water, and (:) loss of ventilation systems. In both cases, no sudden enset of extreme temperature condisions or humidity is espected. Station blackout results in a slow heatup of containment due to loss of ventilation. Absent DBA conditions temperatures in a four. hour station blackout are expected.:o be bounded by thermiprof es il consideredfor the high energy line break events. The response of a largo. dry contassment to a station blackout was previously analysed in the course ofprepar Emergency Procedure Guidelines (see Westinghouse ECA 0.0). For two, three. andfour locp plants. assum KPM P*r Pump RCP seal leakage. containment temperature rues less than 13
- Ffrom the initial temperature.
Oskar PWR containments can be espected to perform within an acceptable thermal range, based on the relatsve volume of other containments to the farte dry containment. For example. ice condensers offer a somen has smaller amount offree volume. combined with several mullion pounds. mass ofice. t Even i sorint the coolin g caractiv of the ice baskets. containment heating is not expected to result in excess temperatures substantially greater than 30 60* F above norml operatint con &tions. These temperature increases are well below the itthermal pret es
- 10
GUIDELDfES AND TECHNICAL BASES FOR NUMARC INIT!AT!YES j NtJMARC 8700 1
~
establishedfor ice cosienser containments. i I For BWRs, ana. tes indicate that condiduns inside containment under station blackout conditions will be within , typical thermal linuu establishedfor equipment qualtycadonforpresswa suppression contavunents (e.g.. see letter from Mr. N. W. Curtis (Pennsylvania Power and Light Company) to Mr. A. Schwencer (NRC), dated l June 13,1982). t (2) Eaulement OnoraN11rv Durrido Containment --... - .. . .
?
(a) As with inssde containment, the temperatwo rise in a station blackout outside contesament over afour. hour period ( is not upected to acted conditions associated 4th a high or moderate energy line break. With reactor shutdown and station blackout inidation, a signipcant amount of equipment is de.energised with a resultant reduction in heat , load. ?rocess piping and other hlgh temperatwo surfaces do not eficiently transfer heat to air, particularly when forced ventilation is not present. Consequently, the potentialfor significant heatup is negligible in a four. hour remd. i L Under station blackout conditions, the efects of the loss of ventilation are less severe due to the associated loss of lighting ansAC powered equipment heat loads. The potentialfor mechanisticfailwes of systems and components due to loss of natiladon is dependent on the time requiredfor temperatwas to rise in closed rooms and cabinets. , Temperatwo buildup in a compartment is a slow process due to the normally large thermal tag associated with netwal connction and the loss of AC supplied heat sources. This large thermal tag allows sufpcient time for operator actions to supplement cooling in order to limit the thermal buildup. NUGSBO has analysed the potential for temperatwe buildup in closed rooms over afour how period. The results si.ow that opening doors early i e t station blackout (i.e.. within approximately 30 minutes) signspcantly limits any temperaturs rise due to lo ' forced wnalanon, i Occasionally, supplemental cooling measwes (such as opening doors to increase natural circulation and ventiladon) may confict wkh other safety or administrative considerations. For cample, procedwat require may uistfor koepingftre orfooding doors closed. Despite these procedwal considerations, openin g doors would be acceptable during a station blackout to increase natural circulationfor necessary shutdown instrumentation. Other techniques, such as using permanendy mounted small battery-operatedfans inside cabinets. could also b considered (Section 3 and Appendix 1 NUREGICR.3226). Condition 1 Condition I rooms are assumed to have a relatively smallpotentialfor thermally-inducedfailure - 4
;! 11 .
% awu-wueuwssusumutsuu J - -
f h S 2 LLW A J c5 ) s dwing afw hour station blackout. This assumption is based on operating esperie ces and studies i concerning the operability of variou classes of equipment exposed to elevated temperatures. I in a station blackow. forced coollag will be lost to most plant areas and the potential exists in Constion I arestfor bulk air temperatwas to rise up to 120 *F. For most mechanical and elecwical
- equipment and lasawussationfound in Condition i dominant areas. temperature rises up to 120
- F i would likely not adversely qfect operability.
ca.m. 2 l Condition 2 rooms are likely to include a relatively substantial heat generation source and a small
; room geometry. These conditions are more typical of roo=u containing steam driven makeup i
pumps, such as RCICS and AFWS which are generally qualifTed or designed to operate in elevated
! temperatures.
The NRC has considered equipment operability during station blackow conditions (see
, Jacobu (1987]). One of the concluiens of thl review is that certain classes of components (e.g.,
relays and switches) will likely remain operable in thermal environments of 130
- F to 200
- Ffor up to eight hours. While the Jacobu study was not estensive, the general assumption of equipment u
operabilityfor Condition 2 thermal environments is considered valid because (1) only afour hour station blackow event is considered, and (2) in practice, less than the fullfour hours would be j involved since there would be a period of thermal buildup during thefront end of the station l blackow aannent. i j Co.Srin.1 Condition 3 rooms represent classes of thermal environments whereplant spec @c consideration Ny b* GPProPrut*, { i Appendiz F provides a methodfor assessing the operability of equipment exposed to Condition 1. 2. and 3 i environments. l The operability of a representative set of conwol room complex (l.a.. area (s) containant instrument indications and associated logic cabinets which the control room operator relies upon to cope with a station blackout) cabinet equipment was established with actual experience involving loss of control room ventilation for several hours (see l Chiramal(19861). Durist this extended loss of ventilation event et McGuire. there was negligsble operability efects I \
)
- II
~
CUfDELDSS AND TECHNICAL BASES FOR kUMARCINIT!ATIVES 4 NUMARU8700 _ ) i 3 l on equipment or instrwnentadon. )1 (b) Battery capacity ls reduced if the electrolyte temperatwe drops significantly below design temperatures. Class 1E batteries are houed in seismic Category I structees, and are not typically subjected to the direct efects of the L external environment. Therefore, the temperatue decrease in the battery room la not signipcant one afour hour l } period. Also, the mass of battery electrolyte I andfcient to resist signipcant temperatue drops over a fow hour ( ) period due to lower battery room temperatwas since battery cell materials are not aficient thermal conductors. l Therefore, a decrease in battery capacisy due to temperature decreases in electrolyte under stados blackow conditions ; i does not warrantfwther consideratwn. i , . (3) Comrol Room Habitability Comrol room habitability is not an important contributor to station blackout risk, particularlyfor events of 4. hour durations. NUREG.1032 points out that the dominant accidem sequences involve either an early core coolingfailure l of a subsequnt loss of core cooling (see Appendix C. NUREG.1032for a more complete discussion of station i j blackout accident sequences). Both sequences are dominated by thefailure of automatic equipment to properly ( l function on demand. Even these events have failure probabi'ities ofless than 1% per event, repecting the i exceptionally high reliability of these systems and components. With respect to human error, such at due to i habitability concerns. NUREG 1032 snates: 'The potential efect ofoperator error causing loss ofdecay heat removal i j has not beenfound to be a large contribuor to core damagefrequency, yadequate emng and procedures exist."(d ' l NUREG.1032, page C.15). Since NUMARC laitiative 2, as provided in Section 4 guidelines, assures adequ - i 1 training and procedwes will uist the concern regarding operators' ability to perform cognitive task.t is intigmpe i i
~
i As to the expected environment within the control room, it has born shown that temperatwes are not likely to \ l 110* F should a station blackout event actually occur (Chiramal (19861). In the McGuire event discus Chiramal, habitability was never an issue. Studies suggest that long term occupancy in higher temperat J environments does not prevent performance of tasks of various difficulties (see Eichna (19451 and Humphrie l Imalls (19461for military applications). Such studies have been the basis of guutance in the heatint an i industry handbooks (e.g., ASHVE (1930] and ASHRAE (1983]). ASHRAE, in particular, cor~ elates temp humidity, and pressure and concludes that light work at 110* f and relative humidities up to 30*o would not be isolerable. l I I Before the station blackout eveM, it is assumed that the control room is at 73* F and about 35% relati Although temperature increases may be expected due to loss ofIIVAC, the relative humidity actually dec approximately 30% Guidance provided for military applications may establish a teshnical basis for dejT 4 _ _ _ _ . _ - . . - - - - , - - - - - , , , - " - - -~ ' ' ~ ~ ~ "
e i P
- habisability standardsfor pour plants in a station blackout. The operative standard. Mi!ATD.1472C. concludes Ihat
, a dry bulb temperature of !!O'F is tolerable for light work for afow hour period while dressed in conventional l r clothing asswning the relative hwnidity is approximately 30% less ofINAC would impose a slow heatup on the i control room. It is upected tMt steady state control room air temperatwes well be wl! below 110* Ffor most plants under loss ofINAC conditions. For the conservative case when it is assumed IMt a control room is initially at 73* F and aperiences an uponential temperatwo rise to a steady state i10* F should HVAC be lost in a station blackout, the bulk air temperatwo at ik and of theprst hour would be appro umately 97* F. At the end of the second l hour, the air temperaswe would be approximately 104*F. At the end of she third hour it would be approximately ; 10S
- F. Since it would take some timefor a control room to heatup once INAC is lost, tho operator is not egosed to the thermal limit for the duration of the event. Therefore, it is not aperted that operator actions would h impacted sigruficantly by projected ten peratwo and humidity conditions and.further that a dry bulb temperature of 110 *F appears to be a conservative limitfor control room habitability.
I 1 3.8 SYSTEM CROSS TIE CAPABILITY a, j 2.3.1 Assumptions , Under station blackout conditions it is assmed that multiunit sites with fluid or DC electrical system cross tie capability will be able to achieve and maintain safe shutdown in the affected unit by procedurally utilizing the unaffected unit's cross tied systems. Systems of thi unaffected unit must be electrically independent of the blacked out unit as
- appropriate in order to emiit their availability to bring the arTected unit to safe shutdown, i
! 2.3.2 Basis NRC analyses supporting other rulemakings (Lo., W CFR 30 Appendis R) permot multiunit sites to rely on cross cie \ capability offluid systens to bring the grfected wut to safe shutdown conditions.-
- l. r 1
1 2.9 INSTRUMENTATION AND CONTROLS i d 2.9.1 Assumptions , Actions specified in Emergency Procedure Guidelines for station blackout att gedicated on use ofinstrumentatica snd l l controls powered by vital buses supplied by station battenes. Appropnate actions will be taken by operations persentsel to assess plant status in the event of erratic performance or failure of shutdown instrumentation. I I j 2 14 i i
. . - - - - - - _ _ - - . .. - - , , . . - - - - _ - . - - . . ,n - . . . , ~, . _ _ _ - - _ . , , _ . . . . . - - - - - - - , -- - - ,,, . - ~ . , _
.r.. ,--
GUmWMD AND TECHNICAL BASES FOR NUMARC INITIATIVES . ; NUMARC4700 J, 23.2 Basis
- N555 emergency procedure guidelines identify instrumentation and controls requirements to achieve and maintain safe shutdown. Operator training includes Ihe use ofbacaap instrumentation and methodsfor identhkg erratic performance.
l 1 [ 2.10 CONTAINMENT ISOLATION VALVES 2.10.1 Assumptions Containment isolation valves either fall in the safe condition in accordance with the design bases of the plant or can be manually closed. * \ 2.10.2 Bases r 10 CFR SO General Design Criteria (OyC) $$ through 37 specify requirementsfor isolating piping systemspenetrating t contain nent. including reactor coolant pressure boundaries. These requirements callfor combination; af redundant locked closed and automatic isolation ulvesfor reactor coolant pressurs %undaries and any containment penetration Ilne directly connected to the containment atmosphere. In cases where um tic isolation valves are used, the GDC specipes that the valvesfail upon loss ofpower in a position which provsats greater safety. All other containment , penetration valves must meet the requirements cf the GDC by beint automade or locked closed. or capable ofremote , manut operason. l Most containment isolation valves are in the normally closed orfailed closed position during power operadon. These valves can also be closed manually. Loss of AC does not afect the design basesfor these valves. Some valves, such as MSIVs. charging and lesdown lines, and reactor water cleanup lines, are normally open. Typically, these valves are ; airmperated. failed closed valves ano do not need ACpower to close. A few DC operated containment isolation valves e.xist. such as valves in the thusdown cooling or residual heat removal systemt. These DC operated valves are normally l closed during power operanens. and generally are locked or have DC breaker controlpower removed by raeking aus the ' circuit breakerfor the valve operator. The position of these DC operated valves is not afected by the station blackout. 2.11 HURRICANE PREPARATIONS l 2.11.1 Assumptions Procedural actions taken in anticipation of the ef.'ects of a hurricane provide significant safety benefits and reduce the risk of a station blackout. Plants which are impa:ted in their "extremely severs weather" groupirt, primarily due to the l i 2 15 i
-~
m a effects of a husricane have a basis for classifying their "off site power design characteristic group" (P2*, or P3 *) in a lower group. 3.11.2 Bases NUMARC Guidelines in Section 4.23 specify actions to be taken to prepare a plant to cope with a station blackout due to an anticipated hurricane induced LOOP. These actions can be separated into two groups: (1) actions taken in the 84-hour penod prior to anticipated hurncane arrival, and (2) a commionent to be in safe shutdown two hours before the anticipated hurricane arrival at the site. These actions result in a coping categorisation consistent with Section 3.2.1. Part 1ElB) and Secdon 3.2.5 ofthese guidelines. Thefollowing aedons are importantfor achieving an enhanced coping capability under hurricane conditions: (1) Plant in safe shutdown at least two hours before the andcipated hurricane arrival at the site (Le., sustained winds in excess of 73 m.p.h.) so that major decay heat loads can be dissipated using non. emergency plant equipment prior to the occurrence ofa LOOP: (2) Enhancement and verificadon of EDG reliabilisy by prewarming, prelubricating. starting and load-testing (see, Secdon 4.23); (3) Topping of condensate storage tank inventory and placing battery systems on charge; auf, (4) Expediting the restorazion ofimportant plant systems and components needed to cope with a hurricane-inducedLOOP; and other actions as detailed in Sections 4.2.3 and 4.33. Such actions have the capability to enhance the copin capacityfor the reasons discussed below. The timing of anticipaiory actions is tied to hurricane tracking performed by both utilities and the National Weather Service. Hurricane eacking normally begins when wopical depressions arefirstdetectedfar out in the Atlantic Cce Forward motion does not normally accelerate until the hurricane approaches the Eastern seaboard or Gulf coast landfall, hurricaneforward speeds are generally below 35 knots. speeds that permit adequate tracking and w Continuous position informationfor hurricanes is provided to the National Hurricane Center by reconnaissance aircis and geostationary satellites, and are updated at six hour intervals. This tracking permits National Weather Service analysts to project the time and location oflandfalls and to issue hurricane watches and warningsfor afected are NWS (19871). Hurricane watches are issuedfor an area 36 hours prior to the expectation of hurricane conditions Hurricane warnings are issuedfor an area 24 hours prior to the expectation of wind speeds in excess of 7 the institution of a hurricane warning, plant operators will have suficient time to take action prior to hurricane arriv
- 2. 16
,GUTDELINES AN3 TECHNICAL BASES FOR NUMARC INITIATIVES g ?JUMARC.8100 __I During the 24 hourperiodprior to hurricane arrival,NUMARC staden blackout initiatives directplant operators to take at: ions to enhance the normal EDG reliability and coping capability. These actions include reviewing procedures, restoring systems and components to service, warming, lubricating, starting and load testing EDGs, increasing CST l levels, and charging batteries. The safety benefits ofered by these acticu resultfrom increased EAC availability, l above normal available coping resources (and extended coping times), and lower potentialfor operator errorfor l hurricane ennts. l i
With EDG testing in advance ofhurricane arrival, the average EDG will realize a reduction in EDGfailures up to 50% depending on mode offailure (i.e., stress versus demand), based on industry EDGfailure data reponedin NUREG-1032. l This data suggests that appro.umately 50% offailures can be repaired withinfour hours in non-emergency situations with normal stapIng. With 24 hours available, Figure 4.6 ofNUREG-1032 indicates up to 75% of EDGfailures may be repairable under normal conditions. Enhancement and veripcation of high EDG reliabilities is one of two major l improvements that can reduce the risk of a station blackout. The other isplant safe shutdown in suficient advance of an anticipated hurricane. induced LOOP to dump a signspcant ponion of the decay heat load. The relative amount of decay heat removed in a two hour period by the main condenser is approximately 60% of the energy generated in thefirstfour hoursfollowing shutdown. By removing this energy through the main condenser, the station blackout coping resources normally reservedfor processing this decay heat would be preserved, permitting lon ger coping timesfor afour hour water supply, i During the hurricane warning period, "topping-of* water supplies can also extend a normalfour hour water supply by , I several hours. For example increasing the condentate availablefor coping above a technical spectpcation level of 65% { to 100% available capacity can add several hours of coping time to a ratedfour hour capability. Topping of the condensate storage tank and placing the plant in a safe shutdown several hours before the hurricane induced LOOP reduces the likelihood of core damagefrom a subsequent station blackout event. - Actions are also available to extend the time to battery depletion in order to support enhanced coping. Analysis demonstrates thatfor a typical plant, pre hurricane actions :.1n efectively support enhanced coping capabilityfo hurricane events. With the plant in an early shutdown, cert tin loads would not be needed should a station blackout subsequently occur as a result of a hurricane induced LOOP. Further. other loads could reasonably be stripped initiation of a LOOP in order to extend the efectiveness o' the available charge. During early shutdown, many air-operated valve operations necessaryfor decay heat removalfollowing shutdown would{ also be accomplished while air compressors are available. These operations would result infewer air-operated valve 2 17
GMJsWAftJ1DJtNEO J. liRMKMOiG - o operations in a station blackout and longer coping capability involving this resource. In any event, air operated valves ucessaryfor shutdown can be manually operated or are equipped with backup meansfor ensuring proper positioning in a station bla:kout. The combined efects of these actions (i.e., implementation ofplant :pecific pre hurricane shutdown requirements and procedure:) provsde an eight-hour enhanced coping capability under anticipated hurricau condinont. e am l l 2 18
. c GIRDELINES AND TECHNICAL BASES FOR NUMARC INTTTATIVES E NUMARC4700 J
- 3. REQUIRED COPING DURATION CATEGORY l
3.1 PROCEDURE OVERVIEW This secdon provides a nwhodology for determining the required station blackout coping duration. 3.2 PROCEDURE Five steps are provided for determining the required coping duration category: Step 1 Determine the Off site AC Power Desien Characteristic Greue Plant weather, grid, and switchyard features are grouped into three categories of susceptibility to losing off site power labeled P1, P2, and P3. Step 2 Classify the EAC Power Sueciv System ConneurnHon he redundancy of the emergency AC power system is evaluated and classified among four available groups labeled A, B, C, and D. Step 3 I Det-mine the Calculated EDO R elisbitiev De current EDG reliability is determined consistent with NS AC 108 criteria. Step 4
. Determine the Allowed EDG Twer Reliabiliev -
Based on current EAC reliability, a method is provided for determining an acceptable EAC target reliability. Step 5 DeterTnine cocine DurEtion Reouir-ment Based on the allowed EDG target reliability determined in Step 4. a coping duration category is calculated. 1 l l u
pweassunu = 3.2.1 Step One: Determine The Off site AC Power Design Characteristic Group The objective of thisfirst step is to distinguish between sites having particular susceptibilities to losing of site power due to plant-centered. grid related, and weather related evenu. Three of sitepower design groups are provided: Pi - Sites characterised by redundant andindependent power sources that are coruidered less srxeptible to loss as a result ofplant-centered and weather-initiated events; 9 P2 - Sites whose of site power sources are less redundant or independent. or that are more suceptible to extended of site power losses due to weather initiated events or more frequent losses due to plant centered events; and, P3 - Sites whose of site power sources are (1) least redundant or independent combined with moderate severe weather potential, (2) most susceptible to' extended of-site power losses due to weather initiated or grid related events, or (3) susceptible to grid-related evenu. These categories are provided by the Stafin the draft station blackout regulatory guide and are designed t exluive. Further discussion concerning independence ofofsite sources is provided in Section 3.3.4 THERE ARE FIVE PARTS IN STEP ONE TO DETERMINING THE OFF SITE POWER D CHARACTERISTIC GROUP: PART 1.A DETERMINE THE SITE SUSCEPTIBlUTY TO GRID RELATED LOSS OF 0FFSITE. POWER EVENTS: PART 1.B EST1 MATED FREQUENCY OF LOSS OF OFF-SITE POWER DUE TO EXTREMELY SEVERE WEATHER (ESW GROUP); PART !.C DETERMINE THE ESTIMATED FREQUENCY OF LOSS OF OFF SITE POWER DUE TO SEVERE WEATHER (SW GROUP); PART 1.D EVALUATEINDEPENDENCE OF OFF SITE POWER SYSTEM (I GROUP): AND, 3- 2
. u l GUIDELINES AND TECHNICAL DASES FOR NUMARCINITIATIVES E NUMARCe8700 1
PART 1.E DETERMINE OFF SITE AC POWER DESIGN CHARACTERISTIC GROUP (P GROUP). Part 1.A: Determine Site Susceptibility to Grid Related Loss of Off site Power Events Grid related loss of ofsite power events are define,d as LOOPS that are strictly associated with the loss of the transmission and distribution system due to insuficient generating capacity, excessive loads, or dynamic instability. Although gridfailure may also be caused by otherfactors, such as severe weather conditions or brushfires, these events are not considered grid related since they were cawed by external events. The indatry averagefrequency of grid related events is approximately 0.020 per site year, with most events isolated to a few systems. According u) NUREG 1032. the average occurrencefor the majority of systems is about once per 100 site years. NUREG-1032 notes sites having afrequency of grid related events at the once per 20 site yearfrequency are limited to St. Lucie, Tur& Point, and Indian Point. Accordingly, no other sites are expected to exceed the Once site yearfrequency ofgrid related loss ofofsite power events. PLANTS SHOULD BE CLASSIFIED AS P3 SITES IF THE EXPECTED FREQUENCY BASED ON PRIOR EXPERIENCE OF GRID RELAU!D EVENTS EXCEEDS ONCE PER 20 YEARS. THIS.DOES NOT INCLUDE EVENTS OF LESS THAN 5 MINUTES DURATION. EVENTS OF LONGER DURATION MAY BE EXCLUDED IF THE RESULTS OF ANALYSIS CONCLUDES THE EVENT IS NOT SYMPTOMATIC OF UNDERLYING OR GROWING GRID INSTABILITY. PLANTS CLASSIFIED AS P3 SITES ON THE B ASIS OF GRID EXPERIENCE NEED NOT COMPLETE THE REMAINING PARTS OF THIS STEP IN ORDER TO DETERMINE COPING DURATION REQUIREMENTS.
LetnnloW3LJ 9 NUMARC 8700 M Part 1.B: Estimated Frequency of Loss of Off site Power Due to Extremely Severe Weather (ESW Group) The estimatedfrequency ofloss of of site power due to extremely severe weather is determined by the annual expectation of storms at the site with wind relacities greater than or equal to D5 mph. These events are normally associated with the occurrence ofgreat hurricanes where high windspeeds may cause widespread transmission system unavailabilityfor extended periods. Since electrical distribution systems are not designedfor these conditions, it is assumed that the occurrence ofsuch windspeeds will directly result in the loss ofoff site power. USE MEWOD *A" OR "B" BELOW TO DETERMINE WE ESTIMATED FREQUENCY OF LOSS OF OFF StrE POWER DUE TO EXTREMELY SEVERE WEATHER AT WE SITE AND SELECT AN ESW OROUP: A. Site specific data provides the most accurate source for calculating the annual frequency of storms with wind velocities greater than or equal to 125 mph, and can be used in calculating the estimated frequency of loss of off site power due to extremely severe weather. Once the frequency (e) is calculated, use Table 3-1 to assign the site to an ESW Group. Table 31 EXTREMELY SEVERE WEATHER GROUPS (ESW) ESW GROUP ANNUAL WINDSPEED EXPECTATION ll; 125 MPli 1 e < 3.3 is.4 1 3J u ts4 s e < 1 : 143 3 1 : 10 3 s e < 3J a 10-3 ) 4 3.3 : 16 3 s e < 1 a 10 2 5 1 141 s e 4 34
~
GUIDELINES AND TECHNICAL DASES FOR StSTARC INITIATIVES NUMARC 8700 B. If site data is not readily available to perform this calculation, the annual estimated frequency ofloss of off site power due to extremely severe weather may be derived from data recorded at local weather stations. Alternatively, a loss of off site power frequency estimate for extremely severe weather may ba rued on data obtained from the National Oceanic and Atmospheric Administration (NOAA). Site specific NOAA data is summarized in Table 3 2 along with the appropriate ESW Group. e 0 em 4
& a
GUIDELINES AND TECHNICE BASES FOR NUMARCINITIATIVES NUMARC.8700 ol
. 1 Table 3 2 .
1 Il EXTREMELY SEVERE WEATHER DATAa SITE STOR513 ESW SITE STORMS ESW 123 MPH + GROUP 123 MPH + GROUP ARKANSAS NUCLEAR ONE 0.0002 1 MONTICELLO 0.0003 I l ARNOU) 0.0008 2 NINE MU.E PONT 0.0001 1 BEAVER VALLEY a0001 { 1 NOR111 ANNA 0.0034 4 ' BELIH ONTE 0.0001 1 OCDNEE 0.0011 3 BIG ROCKIONT 0.0001 1 OYSTER CREEK 0.005 4 1 l BRAIDWOOD 0.001 3 PALISADES 0.0006 2 BROWNS TERRY 0.0001 1 PALO VERDE 0.00G4 2 BRUNSWICK 0.013 5 PEACI BOTTOM 0.0026 3 BYRON 0.0002 1 PERRY 0.0001 1 CALI.AWAY 0.0001 1 PQ.CRIM 0.0068 4 CALVERT CLTFS 0.0038 4 PONT BEACI 0.0036 4 CATAWDA 0.0011 3 PRAIRIE !SLAND 0.002 3 CLNTON a0002 1 QUAD OTIES 0.0002 I COMANO{E PEAK 0.0001 1 RANCHO SECD 0.0005 2 CCOK _ 0.0006 2 RIVG BEND 0.0068 4 COOPER 0.0014 3 ROBINSON 0.0036 4 CRYSTAL RIVER 0.006 4 SALEM 0.0038 4 ' DAVIS BESSE 0.0004 2 SAN CNOFRE 0.0001 1 DIABLO CANYON 0.0001 1 SEABROOK 0.0038 4 l DRESDEN 0.0001 1 SEQUOYAH 0.0007 2
)
FARLEY 0.002 3 SHOREHAM 0.01 5 iT.RMI 0.0001 1 SOUT11 TEXAS 0.012 5 FITZPATRICK 0.0001 1 ST LUCIE 0.017 5 TORT CAU!OUN 0.0014 3 SUMMER 0.0011 3 iORT ST. VRAIN 0.0001 1 SURRY 0.006 4 GNNA 0.0001 i SUSQUEllANNA 0.0018 3 CRAND GUI.P 0.004 4 , T1(REE MILE LSLAND 0 002 3 I1ADOAM NECK Q.01 5 TROJAN - l 0.0011 3 ilARRIS 0.01 5 TURKEY PONT 0.023 5 l IIATCH 0.0009 2 VERMONT YANKEE 0.0034 4 HOPE CtEEK 0.0038 4 VOGTI E 0.0006 2 IN0LAN PONT a0079 4 WATEFORD KEWAUNEC, 0.0068 4 0.0036 4 WATTS B AR 0.0001 1 LASALLE 0.0002 1 WNP.2 0.0001 1 L MERICK 0.002 3 WOLF CREEK 0.0003 1 MAINE YANKEE 0.0023 3 YANKEE ROWE 0.0056 4 MCCUIRE 0.0001 1 T.ICN 0.0001 1 MILLSTONE 0 012 5 Note (a): NRC STAFF PROVIDED Tile DATA IN TABLE 3 2 USING CLIMATOLOGICAL ' SOURCES CITED IN THE REFERENCES TO THIS PROCEDURE NUMARC flAS NOT VERIFlED Tile ACCURACY OF THIS DA,TA. 36
GUIDELINES AND TECHNICAL BASES FOR NUMARC INTTTATIVES 5 NUMARC.8700 Part IC: Determine the Estimated Frequency of Loss or Off site Power Due to Sever. Weather (SW Group) Fourfactors are ated to calculate the estimatedfrequency ofloss ofof site power due to severe weather: (1) Annual expecta: ion of snowfallfor the site, in inches [hj]; (2) Annual expectation of tornadoes of severity f2 or greater at the site (i.e., windspeeds greater than or equal to 113 milesper hour). in events per square mile [h 2 ]; (3) Annual expectation of storms for the site with wind velocities between 75 and 124 mph [h3 l: and. (4) Annual expectation of storms with significant salt sprayfor the site [h4 ].
~
Thesefactors are combinedin thefollowing relationship to yield the estimatedfrequency ofloss ofof site power due to severe wauher f= (13 x 10*4)
- h i + b*h2 + (1.2 x 10'2) h3 + c*h4 where:
b - 12.5for sites with multiple righis of way b - 72.3for sites with a angle right of way c = 0.78 ifsite is vulnerable to efects ofsalt spray c = 0for other sites
~
Sites which are determined to be susceptible to the effects of salt spray may remedy this situation thro procedures to minimize the loss of off site power. I i e
wemeuum eu a r.un.m.AL LAst.3 PUM NUM ANC INITTATIVE3 ' i DETERMINE THE ES'ITMNED FREQUENCY OF LOSS OF OFF. SITE POWER DUE TO SEVERE WEATHER AS FOLLOWS: A. Determine the total amount of snowfall in inches which falls on the site in any year. NOAA data for snowfall are provided in Table 3 3. Label the data used as h . t B. Determine the expected frequency of "f2+" tornadoes per square mile for the site using plant. specific data. NSSFC data are also provided in Table 3 3. Label the data used as h2-C. Determine the expected frequency or storms with ninds between 75 and 124 mph at the site. NOAA data are also provided in Table 3-3. Label the data used as h3 . D. Determine the, expected frequency of hurricanes and tropical storms with signif1 cant salt spray for the site. NOAA data for sites vulnerable to the effects of salt spray are also provided in Taele 3 3. Label the data used as h4. E. Calculate the estimated frequency of loss of off. site due to severe weather, f, in events per year. F. Use Table 3-4 to determine the Severe Weather Group (SW Group). 4 l t 38
GUIDELINES AND TECHNICAL BASES FOR NUM M1CIhTITATIVES 5 NUMARC 870h Table 3 3 SEVERE WEATIIER DATAb a wuu. Ici.wo sigaxs mww a muu. mi.wo sicixa mmm M M M M M M M M utANsAshmtucht 6 esd Os7 0 WTI nD 4 c:::t::: as a mD D 0257 as 0 Kh2M:LIPcNT n 0:n=3 as 0 tEAsuYAu!T c camr2 c3 0 NcrmA\NA - 15 C21:M7 C3 0 BSlICN11 4 02:3 Oc 0 CCN2 6 CE:2 at! O E:01Cc:uNT n came as O CTITacmI 11 can=3 es) 0 UA::STID C t=::3 03 0 FR!!Act! 4 C=ul U 0 U0%N3fB1T 4 0=415 cc 0 PALosH Z 0 0=E:8 11:5 0 IING 2 CIIr7 412 0 MACil0TDd 3 CCDCI Cm 0 It10.N 13 0=118 22 0 FJlli 18 Cmnd 13 0 CillAWAT 2 0 2:3 C3 0 P141N c C C5 0 c3 CADuTCJFI I CZE77 022 0 POlhT!DCi c tac! 11 0 CATAn1A 6 C=13 U2 0 RA322:.A,Q u 0 2 1713 13 0 ClNTm - M CEIS- il 0 QUA0CT23 40 C2H21 all 0 c:xANotnAt 4 an:3 c3 0 tuce:Ico 0 cana e: O c:ct u 0=to u o mu st.sD o can54 as: 0 CDCEI z 0=:a u 0 tes:N3m I can 23 0 c1TnAtmu 0 0=n3 o 0 1ALnt a can=3 css 0 Cast 3IEE! 2 OmII3 UI O 1A.N CNCFI! 0 0 n33 12:1 0 3AELOCA.W2C Camm 03 0 2A110c 0 02 01 D3 0 CAICLN C 0=tl C3 0 2000 Tall 4 Ocit:1 il 0 NCIT C 02n21 C3 0 21CIDuM 3 CIc1 23 0 tut 4 2 C3I311 C3 3CimliUAI 0 O C231 all 0 RT2?ATI:s e amm7 03 0 stucz o cmm) als o PCU CAlllCCI 3 CEi41 0 0 0 041 2 02:3 112 0 FCETIT.hN 3 0223 C3 1217 i 0 C234 M 0 Cren n em c3 0 st::g:e u 0=m2 cm O C2ANDO:L1 1 a=n2 c3 0 T12IIM:L1:2.AND - 15 cc::n om o luDCAM hTG U Cm329 C3 0 T10 % 7 Q2t:L4 114 0 FWl!3 I 22::::2 111 0 11.1XITPGNT 0 C2:2 111 tuTCl o c=c Oc 0 in.eTTAhu2 3 :=r271 au 0 o IcMCEI 2 cE=5 cas a w n !! c:tt::2 2 cm 0 MtAN PC NT 3 13 141 C3 0 WATEUCID 0 C2C2 23 0 GWAl.N2 4 022:M u 0 WATT:BAR 10 021C 01 0 1.A!A111 0 02 3 03 192 t xDtc 0 13 CIC:: C 0
- am=13 0::3 0 ncLIC2ax l0 cr213 c 0 MAN! TANG 2 '4 CEIQ C4 0 TANU210%1 3 02n3 C0 0 C 32 6 0232 C3 4 i
CUT'2,1 0 Z:CN c3:5 12 0 3 Ostu o til NOTE (b): NRC STAFF PROVIDED TiiE DATA IN TABLE 3 3 USING CLIMATOLOGICAL SOURCES CITED IN TiiE REFERENCES TO Til!S PROCEDURE. NUMARC HAS NOT VERIFIED Tile ACCURACY OF Tills DATA. < l
? . 1 otansLDGES AND TECHNICAI, BASES FOR NL%. ULC DRTIATIVES - Ntl MARC @A !
> I i
Table 3-4 ' SEVERE WEATHER GROUPS (SW) sw eaccp eenheATED FR3QUENCY OF Lose OF OFFETE POWER 1 f a team l 2 te000 g f
- thMee 3 ketse a t ee.asse 4 sense a r . use I kle a f l
Part 1D Evaluate Independence of Off.sita Power System (I Group) The potentialfor long dwados lou of $dte power annes can han a dgnfeau impact on station blackout risk and required coping deadons.Long deadan LDOP evens we arw4 mad with gridfailures du to severe wenher :.~.S.@r.: !- or unique transmisson systamfeatwes. Shorner dwaden LOOP aws: send ta be associand with spec $c switchy featwu. % features, la perdeular, er of special importance: (1) the L- ';-rhnce of the of dte power sevens 1 consaludng the preferred power supply to the shudewn buses on. sin, and (2) the power transfer schemes whe { normal ocurce ofACpoweris lost. \
% plant troupings are specped in this partfor clas#g the interface of the preferredpower supply to the safe shutdown bw 1]I2 and 13. The 11/2 group is charactertud byfentwas anaciated with greater independence and redundancy oftowru, and a more desirable imagfer scheme.13 stes how smpler, las destrable 4 ate power synsnt
\ and switchyard capabillass. The imponance of the use groupings becomes eunt when combsned with the po for losag of.tste power due to sawre and arremely rewre weathrr, 1 l l l 3 10 ._. _
OUTDELINES AND TECHNICAL DASES FOR NUMARC INITIATIVES E NISTARCo8700 THE OFF SITE POWER SYSTEM IS IN THE 11 GROUP IF: (1) A "XES* ANSWER CAN BE ASSIGNED TO CONDITION "A" BELOW, MD (2) A "XES* CAN BE ASSIONED TO ETTHER CONDTITONS "B(1)" .QR B(2)", BELOW. A. All off site power sousces are connected to the unit's safe shutdown buses through (1) one switchyard, or (2) two or more electrically. connected switchyards. B(1) The normal source of AC power is from the unit main generator and there are no automatic transfers and one or more manual transfers of all safe shutdown buses to preferred or alternate off site souttes. B(2) The normal source of AC power is from the unit main generator and there is one automatic transfer and no manual transfers of all safe shutdown buses to one preferred or one alternate off site power soutte. OTHERWISE THE SITE IS ASSIGNED TO THE 11Il GROUP.
~
l Part IE: Determine Off site AC Power Design Characteristic Group Site susceptibility to loss of of site power is separated into three basic groups, based on combinations offeatures. T determiningfeatures are: (1) independence ofof site power, (2) severe weather potential, measured either by experi or recurrence intervals, and (3) extremely severe weather potential. Thefollowing tables establish the of site power design characteristic group. A. REVIEW THE INDEPENDENCE OF OFF SITE POWER GROUP, SW GROUP AND ESW GROUP, AND ( 3 11 '
m - USE THE FOLLOWING TABLES TO DETERMINE THE OFF SITE AC POWER DESION CHARACHERISTIC GROUP. OFF SITE AC POWER DESIGN CHARACTERISTIC GROUP MATRIX 1 II/2 SITES 13 SITES Esw caour Esw caour 1 a 3 4 s 1 a 3 4 s 1 M M M #8 M M M M P8 M 1 S s n n n n n $ a n n n n n j s n n n n n s n n n n n ' o i o > p 4 PS P3 P3 P3 P3 4 PS P3 P3 P3 P3 s n n n n n s r3 n n n n Table 3 5a Table 34a 4 NOTE: Coastal plants are susceptible to long duration LOOPS as a result of extremely severe weather associated with hurricanes. As a result, plants with otherwise sufficient EDO reliability and conUguration and lower susceptibility to severe weather events may be in a higher coping duration , category solely due to the probability of a hurricane induced LOOP. i B. IF A PLANT IS'SUSCEPUBLE TO A HURRICANE INDUCED LOCiP AND HAS HURRICANE RESP PROCEDURES WHICH MEET THE GUIDELINES OF SECTION 4.2.3 OF THIS DOCUMENT, USE Tile ' FOLLOWING TABLES TO DETERMINE THE OFF SITE POWER DESIGN CHARACTERISTIC GRl
\
l . 4 i ) 3 12
- - - . - - . - --.~- ----- - ---
l
~
GUIDELINES AND TECHNICAL BASES FOR NUMARCIhTTIATIVES 5 NtJMARC 8700 9 OFF-SITE AC POWER DESIGN CHARACTERISTIC GROUP MATRIX For Hurricane Exposed Plants : l I1/2 SITES I3 SITES ' ESW GROUP ESW GROUP 1 2 3 4 5 1 2 3 4 5 t P1 n n m r3* i M M P2 P m
.. = _ . .
2 P1 P2* PS P2 P3* 2 P1 P2 P2 P2 P3*
. _ . . _ . _ = -.
a 3 PS P2 P3 M* P3 g 3 M M M M M O O p 4 P3 P3 P3 P3 P3 p 4 PS PS P3 P3 P3 I P3 PS P3 I P3 P3 P3 P3 PS P3 P3
' DENOTES srrt UPCRADE ATTRIItrrtD TO IMP 1,EMINTA110N OF PLANT SPECIT1C PRE.!TURR1 CANE 51TLTDOWN REQUIRptENTS AND PROCEDURES Wit!C11 PROVIDE AN EN!1ANCID 8. HOUR COPING CAPARI1JTY UNDEJL ANTICIPATED HURRICANE CONDIT!ONS.
Table 3 5b Table 34b 3.2.2 Step Two: Classify The Emergency AC Power Supply Systern Configuration After the likelihood oflosing of site power, the redundancy of the emergency AC power system is the next most ' imponant contributor to station blackout risk. With greater EAC system redundancy, the potentialfor station blackov: diminishes, as does the likelihood of core damage. The imponance of EAC redundancy is reflected in this procedu
'through the use offour distinct EAC configuration groups:
1 A - Characterized by highly redundant and independent EAC sources to safe shutdown equipment: B . Having better than typical redundant and independent EAC sources to safe shutdown
, equiPment; C .
Having typical redundant and independent EAC sources to safe shutdown equipment; a..d. D . Having the lowest level ofindependency and redundancy in EAC sources powering safe shutdown equipment. 4 w _ _
f 2 i
> l Placement in ou of the groups listed dependt on the nwnber ofEAC standby pour supplies available and the nwnber \
regtdred to operate AC pomred decay Asat removal equipment ucenary to achieve and maintain safe shutdown in e station blackow. Overall, the greater the level ofEAC redundancy, the less resmetxw are the station blackow coping \ dwanou and n eimum EDGfallwe raus before tonger coping duration are req: dred, or corrective action become neesmy The potendalfor szeen EACpower sources to be und at Alternate AC is drectly related to the e.nudng level of EAC redundancy, Sines EAC redsadancy is an important parameterfor determining station blackout coping duration categories EACpower neces relied upon as Alternate ACpower souces must not also be a:::.Jered vnen assesang the required copmg duradon, AccorEngly, thefollowmg processprecludes the us of an EAC powr source as both an input to determine the EAC 8703P and an Altsinate AC scures. This procen eliminates the potentialfor "double couning* the value of an indsvidual EAC power sowce, both as prr. suing th ; st:rion blackow, and in responding to in occurence. To illutrete thle point, consider a single unit site that has three EAC power xurces, and und.t only ou for safe shwdown. Thli si:e can be clanijted at either a ou.ca.of three site (EAC Group A); or a one-ow-of two site (EAC Group C) with the third EAC power source available an a potential Alternant AC power sowce, rfit meets the criteria for Alternate AC specytodin Appendis B. THIS STEP CONSISTS OF THREE PART3: PART 2.A DETERMINE THE NUMBER OF EAC POWER SUPPLIES NOT CREDITED AS ALTERNATE AC POWER SOURCESI PART 22 IDENTIFY THE SMALLEST NUMBER OF EAC l POWER SOURCES NECESSARY FOR SAFE SHUTDOWN,' AND, PART2.C' SELECT THE EAC POWER CONFIGURATION \ GROUP. 3 14 w -
-w - r-s- e-r --
M 1
, 1 Part 2.A Determine the Number of EAC Power Supplies Normally Ava!!able A.
sTNaf m ifNTT OR Mii'ri.UNTT 51T!Lt wfTH NORMAYI.Y DEDICATED POM SUPPLM.S Count the total number of standby power supplies (see Appeeds A) normally available to the bladtadent units afe shutdown equipment the are not being used as an Altenata AC power source. '
- 3. ML'T % UNIT STMLt WfTM NORM AT T Y IMARm POWER SUPPY fP4 - -
Count the etal number of dedicated and thand standby power supplies normally available to safe shutdown equipmset a sach sits that are not being used as an Altanate AC power source. Part 1.B Determine the Number of Necessary EAC Standby Power Supplies The number of EAC ssandby powr supplies requiredfor stados blackout is based on the AC loads needed at each unit to r* move dec2y hem (inclu a the heet generated by AC powered decay heat remod systems) in order to achieve ar.d maintain sge shwdown Mah of.sitepowr unavailable. The number ofEAC standby power sowcas necesary to operate s<r shutdown eqmpment any be less t forLOCA loads. The number of necessary EAC ste% power seeces should be determsned by accounting for ths ind shutdown loado, or igorredpom the stWs dodgn bitisfor operadng Claso 12 AC camament without of stt pome'. A. SINGLE UNIT ok MULTf.UNTT sTTFt wrry NORMAY I Y DETEAho POWEt sim" TTA Count the etal nuanber of EAC senadby power supplies necessary to operate safe shutdown eg a stadcQ blEkout on a pr unft bagja, B. Mfi% UNIT 3rf"et Wriv sHAnm NORMAr T Y POWER stJwtTPM Count the total number of EAC standby power supplies necessary to operats safe shutdown equipme a stados bladcout fcr all units at the sits. I 3 15
T l
-=- :.. -...___ 1-. --
Part 2.C Select the EAC Power Configuration Group USE THE TABLE PROVIDED BELOW TO SELECT THE EAC OROUP. Table SJ SHARED AND DEDICATED EAC GROUP SUPPLIES NECES5ARY SUPPLIES AVAILABLE FOR SAFE SHUTDOWN A 1 3 DEDICARD A 1 4 B 2 $ B 1 4 C 1 2 DEDICARD C 1 3 SHARED D 3 4 D 3 $ D 2 3 D - 1 2 SHARED Dedicated for EAC standby power sappilas not normally shared with other units at a site Shared for EAC standby power supplies in whidt some number are normally capable of providing AC power to safe ohntdown equipment at more than one unit at a site concurrently. .
- If any of the EAC power sources are normally shared among units at a mult1.unft rite, this is the total number of shared and dedicated sources for those units at the - - -
site. l 3.2.3 Step Thrbs Determias The Calculated EDG Rellability The unk EDG reliabulsy is nud in conpasetton with the ske's of dte power design characterhtics (i.e., M, P2, or N), and the EAC confsuradon (A, B, C, or D) to determine the uit's repared stadon blackout coping duratwn. The uit EDG reUabdhy it cakulated by aversging the indiddual EDG reliabillryfor the last 20,30, and 100 4smandsfor each machine. However, y the total number of valid demands is less than 100 (o.g., newly licensed plus, EDG which have udergono intensive masasenance or a reliability repalipcation program), the EDG reliability over the last 20, ad the lan 3C if trallaMe, can be averaged and compared to the evaluadon critada in Seedon 3.2.4. llthe untt's EDG reliability over the last 20 demands i.s > 0.90, or > 0.94 over the last 30 demands, then the unit may select an EDG rarget reliabsitty of either 0.93 or 0.975 as desasted in Seedon 1.2.4. 3 16 1
GUIDELINES AND TECHNICAL D ASES FOR NUMARC IhTTIATIVES - NUMARCo8700 y The objective of the three tier approach to reliability measurement is to provide greater depth of understanding regarding reliability trends. The 20-demand sample set is the most volatile, and ofers a very sensitive indication of EDG \ performance. Since this indicator moves with each incrementalfailure or success, it is not considered a reliable measure \ oflong term performance. Similarly, the 100-demand sample set ofers a tong term trend indication, while providing { limited insight to recent trends due to data smoothing efects. The 50-demand sample set bridges the two indicators while also providing an intermediate level. Taken together, the set ofindicators provides afairly complete picture of j EDG reliability. DE"NR MINE "THE CURRENT UNIT EDG RELT AB TLITY: (1) CALCULATE THE MOST RECENT EDG RELIABILT1Y FOR EA.Gi EDG B ASED ON THE LAST 20,50, AND 100 DEMANDS (USING NSAC.108 DEFINITIONS AND METHODOLOGY CONTAINED IN SECTION 2 OF THAT DOCUMENT OR EQUIVALENT). (2) CALCULATE THE NUCLEAR UNIT AVERAGE EDG RELIABILITY FOR THE LAST 20 DEMANDS BY AVERAGING 'IEE RESULTS FROM (1), ABOVE. CALCULATE THE NUCLEAR UNIT AVERAGE EDG RELIABILITY FOR THE LAST 50 DEMANDS BY AVERAGING THE RESULTS FROM (1), ABOVE. CALCULATE THE NUCLEAR UNIT AVERAGE EDG RELIABILITY FOR THE , LAST 100 DEMANDS BY AVERAGTNG THE RESULTS FROM (1), ABOVE. 3.2.4 Step Fourt Determine Allowed EDG Target Rell' ability - The minimum EDG reliabillsy should be targeted at 0.95 per demandper EDGfor plants in EAC Groups A, B, C 0.975 per demand per EDGforplants in EAC Group D. These reliability levels should be consider ed minim reliabilities. Each plant should establish an EDG Reliability Program as outlined in Appendix D io this document. Plants which select a target EDG reliability of 0.973 should utilite this target level in their reliability program. If diesel generator performancefalls below the target reliability level specified, action should be taken through an reliability program such as setforth in Appendix D to restore the target reliability level. The unit EDG reliabilityfor the last 20, $0, and 100 demands calculated in the previous step provides reliability usedin determining minimum required station blackout coping durations in the next step. ( 3 17 __ _-
m - e ALLOWED TARGEThuABILITIES ARE DETERMINED AS FOLLOWS: (I) COMPARE THE CALCULATED AVERAGE NUCLEAR UNIT EDG REUABILITY DETERMINED IN SECTION 3.2.3 TO WE CRITERIA BELOW: Evalunden Cdreda LAST 20 DEMANDS > 0.90 REUABILITY LAST 50 DEMANDS > 0.94 REUABIUTY LAST 100 DEMANDS > 0.95 REUABILITY (2) IF THE EAC GROUP IS A, B. OR C, A.tLD. ANY OF THE THREE EVALUATION CRITERIA IN SECTION 3.2.4, STEP FOUR, PART (1) ARE MET, WEN WE NUCLEAR UNIT MAY SELECT AN EDO RELIABILITY TARGET OF EITHER 0.95 OR 0.975 FOR DETERMINING THE REQUIRED STATION BLACKOUT COPING DURADON IF ME EAC GROUP IS D, AND ANY OF ME THREE EVALUATION CRITERIA IN SECTION 3.2.4, STEP FOUR, PART (1) ARE MET, THEN WE ALLOWED EDO RELIABILITY TARGET IS 0.975. (3) IF THE EAC GROUP IS A, B. OR C. AND NONE OF THE THREE EVALUATION CRITERIA IN SECTION 3.2.4, SEP FOUR, PART (1) ARE MET, THEN 0.95 SHOULD BE USED AS THE RELIABILITY TARGET FOR DETERMINING THE REQUIRED STATION BLACKOUT COPING DURATION, ADDITIONALLY, IF THE REL ABILITY IS LESS THAN 0.90 B ASED ON THE LAST 20 DEMANDS THEN ACCEPTABILITY OF THE COPING DURATION RESULTING FROM USING 0.95 MAY REQUIRE FURTHER JUSTIFICATION. IF THE EAC GROUP IS D AND NONE OF THE THREE EVALUATION CRITERIA IN PART (1) ARE MET, THE REQUIRED COPING DURATION CATEGORY CALCULATED IN SEP FIVE, SECTION 3.2.5 SHOULD BE INCREASED TO THE NEXT HIGHEST LEVEL (I.E., FOUR HOURS BECOMES EIGHT HOURS; EIGHT HOURS BECOMES 16 HOURS). 3 18
GUIDELINES AND TECHNICAL BASES FO R NUMARC INTTIATIVES f NUMARC.8700 ) 3.2.S Step 'Five: Determine Coping Duration Category USE THE TABLE PROVIDED BELOW TO DETERMINE THE COPING DURATION REQUIREMES"r IN HOURS: Table 3 8 ~ ' ~ ~ ~ - ' ' - ~ ~ ^ - ALLOWED EDG REQUIRED OFTSITE POWER EAC GROUP TARGET RELIABILITY COPING DURATION GROUP (From Section 3.2.2) (Per Demand) CATEGORY (From Section 3.2.1) (From Section 3.2.4) P1 A 0.950 2 Pl B 0.950 4 P1 C 0.950 4 P1 D 0.975 4 P2 A 0.950 4 P2 B 0.950 4 P2 C 0.975 4 P2 C 0.950 8
.. P2' C 0.950 4 P2 D 0.975 8 P2' D 0.975 4 P3 A 0.975 4 P3 A 0.950 8 P3' A 0.950 4 P3 B 0.975 4 P3 B 0.950 8 P3' B 0.950 4 P3 C 0.975 8 P3' C 0.975 4 P3 C 0.950 16 P3' C 0.950 8 P3 D 0.975 8 P3' -
D 0 975 4
- Denotes site upgrade attributable to implementation of plant specific pre hurricane shutdowi.
requirements and procedures which provide an enhanced coping capability under anticipated hurricane conditions. 3.2.6 Required Action Step Five (Section 3.23) yields one of thefour coping duration categories discussed in the NRC Station Blackout Regulatory Guide 1.155: two hours.four hours, eight hours. or 16. hours. Plants in the eight and 16. hour c\ should undenake actions to reduce risk consistent with NUMARC Station Blackout Initiative 1. ; l l
< i 1
3 19 l
eN THE FOLLOWING COURSES OF ACTION ARE AVAILABLE TO REDUCE THE ASSESSED RISK OF STATION BLACKOUT: (1) IMPLEMENT ACHON TO REDUCE THE REQUIRED COPING DURATION TO AT LEAST THE FOUR HOUR CATEGORY BY: (a) REVIEWING PLANT-SPECIFIC WEATHER DATA: (b) MODIFYING THE SWITCHYARD TO CHANGE THE t GROUP; AND/OR. (c) MODIFYING THE PLANTTO CHANGE THE EDO CONFIGURATION: AND/OR, (d) IMPROVING EDG RELIABILITY. (2) INSTALL OR UTILIZE AN EXISTING ALTERNATE AC POWER SOURCE WAT MEETS THE CRITERIA PROVIDED IN APPENDIX B. e G S 3-20
GUIDELINTS AND TECHNICAL BASES FOR NUMARC INITIATIVES f NUMARC.8700 -- 1
- 4. STATION BLACKOUT RESPONSE PROCEDURES l
4.1 OVERVIEW Most existing plant procedures are based on procedure guidelines generated by NSSS vendors or piant specific analysis, and provide'the operator with substantial direction for responding to a station blackout event. Plant procedures may also address power restoration and severe weater concerns. Actions that may not be addressed in existing procedures, but are important considerations during a station blackout, are addressed below, Udlities should review their plant procedures to assure these considerations are addressed. As provided by NUMARC Station Blackout Initiative 2, plant staffs should review, and revise as appropriate, their operating procedures using the technical bases and usociated guidelines provided in this document. Appropriate plant personnel should be trained on ahy new or revised procedures resulting from this initiative. 4.2 OPERATING PROCEDURES GUIDELINES 4.2.1 Station Blackout Response Guidelines (NUMARC Station Blackout Initiative 2.a) This section provides guidance for operator actions to be taken in a station blackout event. Section 4.3.1 contains l additional information and bases for the guidelines provided in this sectic.1. i These guidelines assume a single path to achieve and maintain safe shutdown conditions in a station blackout. In ! addition to repeated attempts at restoring AC power to a shutdown bus, the path consists of performing operatio designed to stabilize the plant using available equipment. Guideline (1) redecu attempts at AC power restoration which may be made from either the preferred or a standby (Class IE) power source. If an AAC power source is available, it l may also be used to restore power. Guidelines (2) through (13) address items to be considered in stabilizing the p until AC poweris restored. I (1) Plant procedures should identify site.specine actions necessary to restore off site or standby (Class lE) A sources. If an AAC power source is available,it should be started as soon as possible. Plants relying on AAC power sources should start the AAC power source and commence loading shutdown equipment within the first 41 _ . . - - - . - -
f bWBISTRO e
+
1 hour of a station blackout. - 1 (2) Plant procedures should specify actions necessary to assure that shutdown equipment (including support systems) necessary in a station blackout can operate without AC power. . (3) Plant procedures should recognize the importance of AFWS/HPCIS/HPCS/RCICS during the early stages of the event, and direct the operators to invest appropriate attention to assuring their continued, reliable operatire throughout the transient since this ensure: decay heat removal. (4) Plant procedures should identify the sources of potential reactor inventory loss and specify actions to prevent t limit significant loss. (5) Plant procedures should ensure that a flowpath is promptly established for makeup flow from the CST to the steam generatorynuclear boiler and identify backup water sources to de CST in order ofintended use. Additienally, plart prrrMnres should specify clear critaria for transferring to the next preferred source of water. (6) Plant T r<Mures should identify individual loads that need to be stripped from the plant DC buses (both Class IE and non-Class IE) for the purpose of conserving DC power. (7) Plant procedures should specify actions to permit appropriate containment isolation and safe shutdown vahe operations while AC power is unavailable. These actions may include: (a) providing addidonal bottled air or nitrogen at the valves; (b)' specifying manual valve operation to maintain shutdown (e.g., manual valve seating to reduce system losses) (c), ensuring appropriate containment integrity. - (8) Plant priscedures should identify the portable lighting necessary for ingress and egress to plant areas con shutdown or AAC equipment requiring manual operation. (9) Plant procedures should consider the effects of AC power loss on area access, as well as the need to gain other locked areas where remote equipment operation is necessary. (10) Plant procedures should consider loss of ventilation effects on specific energized equipment necessary fo shutdown (e.g., those containing internal electrical power supplies or other local heat sources that may b 42
CUIDELINES AND TECHNICAL BASES FOR NUMARC IhTTIATIVES f NUMARC.8700 h energized or present in a staden blackout). These procedures should address: (a) specific room or cabinet temperatures or symptoms (e.g., alarms or indication ofloss of cooling) readily identifiable by the operator, and the response the:reto; (b) methods for providing necessary ventilation and/or supplemental. cooling within 30 minutes; (c) the potendal need for operator acdon to override HPCIS/RCICS steam line isolation on high temperature; (d) opening cabinet doors containing instrumentation in control rooms necessary for safe shutdown ir$ a station blackout within 30 minutes, as required; and, (e) effects of actuation of fire protection features due to elevated temperature. (11) Plant procedures should consider habitability requirements at locations where operators will be required to perform manual operations. (12) Non-Class IE equipment relied upon to cope for the required station blackout coping duration should be addressed in a maintenance program. ~~ (13) Plant procedures should consider loss of heat tracing effects for equipment necessary to cope with a station blackout. Altemate steps, if needed, should be identified to supplement planned action. 4.2.2 AC Power Restoration (NUMARC Station Blackout Initiative 2.b) This section provides guidance for operations and load dispatcher personnel conceming the proper course of action for ' restoring AC power in a station blackout. Section 4.3.2 contains additional information and bases for the guidelines provided in this section. ' (1) Load dispatchers should give the highest possible priority to restoring power to nuclear units. Procedures and training should consider several potential methods of transmitting power from blackstart capable units to the nuclear plant. (2) Should incoming transmission lines to a nuclear power plant be damaged, high priority should be assigned to repair and restoration xtivities to at least one line capable of feeding shutdown equipment. (3) Repair crews engaging in power restoration activities for nuclear units should be given high priority for l manpower, equipment, and materiais, d 43
-) l o
(4) Portable AC generators should be designated as backup sources, if available, and directed to nuclear power plarit sites. Procedums should address pre. planned xtions and identify required equipment. (5) Once prefernd and/or standby (Class lE) AC power becomes available, station procedures should specify the sequence of cin:uit breaker opernions required to restore AC power to shutdown equipment. Any additional scdons such as pulling or replacing fuses should also be identided. 4.2.3 Severe Weather Guidelines (NUMARC Station Blackout initiative 2.c) This section provides guidance for operators to determine the proper course of action due to the onset of severe westle, particularly hurricanes. Se tion 4.3.3 contains additional information and bases (cr the guidelines provided in this section. The characteristics of hurricanes which allow them to be tracked provides advance waming and the opportunity for actions to put the plant into a shutdown condition. These actions can g:eatly reduce the consequences of a hurricane. induced LOOP with a subsequent station blackout. With suf0clent waming, actions may also be taken to enhance the reliability of AC powersources. Actions for Hurricane r (1) De plant procedures should identify site.specine actions necessary to prepare for the onset of a hurricane. Dese actions should be initiated when a hurricane waming is issued for the plant site area and should include: (a) inspecting the site for potential missiles and reducing this potential; (b) reviewing the adequacy of site staff to support operations and repair; (c) expediting the restoration of important plant systems and components to service; (d) wanning and lubricating standby (Class IE) AC power sources; (e) determining the status of Attemate AC soun:es (if available) and taking necessary actions to ensure their availability; (f) increasing CSTinventory: (g) placing battery chargers in service (if applicable); and. i (h) start and load test EDGs. (2) Utility procedures should identify additional plant support staff and the method of contacting them once a hurncane notice has been issued by the Nationsi Weather Service. I 44
GUIDELINES AND TECHNICAL BASES FOR NUMARC INTTIATIVES g NUMARC.8700 c (3) Plant procedures should specify actions necessary to ensure equipment required for station blackout response is available. (4) Piant procedures should address the following items prior to a humcane arrival at a site: (a) the site specific indicator should ensure that the plant would be in safe shutdown two hours before the anticipated hurricane arrival at the site (i.e., sustained windspeeds in excess of 73 mph); (b) operator review of station blackout procedures; and, (c) operator review of procedures to line up and operate the switchyard spraydown system (ifinstalled). The actions identified in items 1-4 above result in a coping categorization consistent with Section 3.2.1, Ptrt IE(B) and Section 3.2.5 of these guidelines. Actions for Tornado Plant procedures should identify site. specific actions necessary to prepare for the onset of a tornado. These actions should include: (a) inspecting the site for potential missiles and reducing this potential, and (b) expediting the restoration of important plant systems and components to service. 4.3 SUPPOR'ITNG INFORMATION 4.3.1 Station Blackout Response Guldelines This section provides the bases and related supplemental information for the operating procedure guidelines of Section 4.2.1. - (1) Plant procedures should identify site. specific actions necessary to restore ofsite or standby (Class 1E) ACpower sources. If an AAC power source is available it should be staned as soon as possible. Plants relying on AAC power sources should start the AAC power source and commence loading shutdown equipment within thefir:t hour ofa station blackout. These actions include: 4 O -
(a) Early ecmmitment of svsilable staff to restore AC eower His should occur within the first few minutes of a stadon blackout (b) Isof arine the shutdown but to be lended onto the A AC system t' rom theyn@g;ig g sueelv and blacked out unit's Class 1E newer tourens his can be achieved by circuit breaker operation, and pulling fuses at the switch;; tar dhbling circuit breaker control power or by manual interlocks. (c) Startine hd/or eterarine the A AC source for toadigg, (d) TransferrineJhe destensted shutdewn bus to the Aff.mitm. (2) Plant procedures should specify actions necessary to assure that shutdown equipment (including support systems) necessary in a station blackout can operats without AC power. Cooling functions provided by such systems as auxiliary building cooling water, service water, or component cooling water may be required in order for shutdown systems to perform their safety funcdon. For example, after TMI it was recognized that a steam driven auxiliary feedwater pump might have relied on component cooling or service water to cool the bearing lubricating oil rather than relying on sump cooling provided by pump discharge. Systems potentially supplemented in this manner may include component / auxiliary cooling wate l l sesvice water, and auxiliary / reactor building cooling water systems. (3) P! ant procedures should recognize the importance of AfWS/HPCISiHPCSIRCICS during the early stages event and direct the operators to invest appropriate attention to assuring .'ss continued, reliable operatior. throughout the trantient since this ensures decay heat removal. ~ The risk of core damage due to station blackout can be significantly reduced by assuring the availability o AFWS/NPCIS/HPCS/RCICS, particularly in the first 30 minutes to one hour of the event. A substantial portion of the decay and sensible reactor heat can be removed during this period. AFWS/HPCIS/HPCSeRCICS I availability can be assured by providing a reliable supply of condensate, monitoring turbine conditions (particularly tubricating oil flow and temperature), and maintaining nuclear boiler / steam generator water levels. His step helps to ensure that the core remains acequately covered and cooled during a station blackout event. (4) Plans procedures should idennfy the sources ofpotential reactor inventory loss, and specify actions to prevent 46
e c GUTDELINES AND TECHNICAL DASES FOR NUMARC BTTIATIVES f NUMARC 8700 - limit significant loss. Actions should be linked to clear symptoms of inventory loss (e.g., specific temperature readings provided by sensors in relief valve tail pipes), associated manual or DC motor driven isolation valves, and their location. Procedures should establish the priority for manual valve isoladen based on estimated inventory loss rates early in the event. If manual valves are used for leak isolation, they should be accessible, sufficiently lighted for access and use, and equipped with a handwheel, chriin, or reachrod. If valves are locked in position, keys or cutters should be available in the control room. Procedures should identify the location of valves, keys, and cutters. (3) Plant procedures should ensure that aflowpath is promptly establishedfor makeupJ7owfrom the CST to the steam generator / nuclear boiler and identify backup water sources to the CST in order of intended use. Additionally, plant procedures should specify clear criteriafor transferring to the next preferred source of water. All stored water sources may be assumed to be available in a station blackout at their nominal capacities,
' including water stored in non safety tanks. Alternate water delivery systems can be considered available on a case by case basis. In general, all condensate stcrage tanks should be used first. The main condenser may be assumed to be available if a pump can be operated and is capable of making up (1) to the AFW/HPCI/HPCS/RCIC pump suction with sufficient head and Dow, or (2) directly to a CST (safety or non safety). After the CSTs are exhausted, demineralized or berated water tanks may be used as appropriate. Hested torus water should be used only if sufficient NPSH can be established. Finally, when all other preferred water sources have been depleted, lower water quality sources may be pumped as makeup flow using available equipment (e.g. a diesel driven fire pump). Procedures should clearly specify the conditions when the operator is expected to resett to increasingly impure water sources.
(6) Plant procedures should identify individual loads that need to be strippedfrom she plant DC buses (both Class 1E and non-Class IE)for the purpose of conservin g DC power. DC power is needed in a station blackout for such loads as shutdown system instrumentation, EDG field flashing, circuit breaker operations, and motor driven valve operators. Emergency lighting may also be powered by safety-related batteries. However, for many plants, this lighting may have been supplemented by Appendix R and security lights, thereby a!!owing the emergency lighting load to be eliminated. Station blackout procedures should direct operators to conserve DC power during the event by stripping nonessential loads as soon as practical. Early load stripping can significantly extend the ava'ilability of the blacked-out unit's Class I?.
- 4. 9 __
gm ~ batteries. For plants with turning gear loaded on the batteries, stripping this load early in the transient can also significantly extend battery availability. In certain circumstances, AFW/HPCI/HPCS/RCIC operation may te extended by throttling flow to a constant rate, rather than by stroking valves in open. shut cycles. (7) Plant procedures should specify actions to permit appropriate containment isolation and safe shutdown valve operations while ACpoweris unavailable. Compressed air is used to operate (cycle) some valves used for decay heat removal and in reactor auxiliary systems (e.g. Identifying letdown valves or reactor water cleanup system valves that need to be closed). Valves requiring manual valve operations are identified in Section 7.2.3. Most containment isolation valves are in tin normally closed or failed c!csed po:ition during power operation. Many other classes of containment isolation valves are not t,f concern during a station blackout. Section 7.2.5 provides guidance on determining valves of concern which need to be capable of being closed. (8) Plant procedures should identify the portable lighiing necessaryfor ingress and egress to plant areas containing shutdown or AA C equipment requiring manual operation. - Areas requiring continuous occupancy for instrumentation monitoring or equipment operation may require portable lighting as necessaty to perform essential functions. Lighting provided to meet the requirements of Section IIIJ,10 CFR 50 Appendix R for achieving safe shutdown is generally adequate if it is independent of the prefened and emergency AC power system. ' (9) Plant procedures should consider the efects ofA: power loss on area access, as well as the need to gain other locked arear where remote equipment operution is necessary. At some plants, the security system may be adversely affected by the loss of the preferred or Class IE power supplies in a station blackout. In such cases, manual actions specified in station blackout response procedu may require additional actions to obtain access. (10) Plant procedures should consider loss of ventilation efects on specific energized equipment necessa shutdown (e.g., those containing internal electrical power supplies or other local heat sources that m energised or present in a station blackout). Station blackout procedures should idendfy specific actions to be taken to ensure that equipment failure do 48
GUIDELINES AN[DTECHNICAL BASES FOR NUMARCINITIAT!vEs ; N1) MARC.8700 e occur a a result of a loss of forced ventilation. Actions should be tied to either the actualloss of AC power or upon reaching certain tenteratures in the plant. Plant areas requiring additional cooling are likely to be locadons containing shuttowt: insttumentation and power supplies, turbine. driven decay heat removal equipment, and in the vicinity of the invecers. These areas include: steam driven AFW pump room, HPCIS/HPCS and RCICS pump rooms, the control room, and logic cabinets. Cooling may be accomplished by opening dcors to rooms and electronic and relay cabinets, and/or providing supplemental cooling. Air temperatures may be monitored during a station blackout event through the use of locally mounted thermometers inside cabinets and in plant areas where cooling may be needed. Altematively, procedures may direct the operator to take action to provide for alternate cooling in the event normal cooling is lost. Upon loss of these systems, or indication of temperatures outside the maximum normal range of values, the procedures should direct supplemental cooling be provided to the affected cabinet or area, and/or designate alternate means for monitoring system functions. For the limited cooling requirements of a cabinet containing power supplies for instrumentation, simply opening the bach doors is effective. For larger cooling loads, such as HPCIS/riPCS, RCICS, and AFWS pump rooms, portable engine-driven blowers may be considered during the transient to augment the natural circulation provided by opening doors. The necessary rate of air supply to these rooms may be estimated on the basis of rapidly turning over the room's air volume. 4 Temperatures in the HPCI pump room and/or steam tunnel for a BWR may reach levels which isolate HPCIS or ' RCICS steam lines to protect against a steam line break. Supplemental cooling or the capability to ovenide the I isolation feature may be necessar / at some plants. The procedures should identify the corrective action requ ifnecessary. j Actuation setpoints for fire protection systems are typically at 165 - 180 'F. it is expected that temperature rises due to loss of ventilatior during a station blackout will not be sufficiently high to initiate actuation of fire protection systems. Iflower fire protection system serpoints are used or temperatures are expected to exceed these temperatures during a station blackout, procedures should identify actions to avoid such inadvertent i actuations. l ) il!) Plant procedures should consider habitability requirements at locationr where operators will be required to perf
- manualoperations, j
l i ! u
e
~
Due to elevated temperatures in some locations where manual valve actions ate required, procedures should identify l the protective clothing or other equipment or actions necessary to protect the operator from high temperatures on l valve handwheels or other control equipment as appropriate. Control room habitability is discussed in I Section 2.7.2. t (12) Non Class JE equipment relied upon to copefor the required stadon blackout duradon should be addressed in a ; mintenanceprogram, i Typical maintenance programs for non Class 1E equipment consider vendor recommendations or other industry l programs for maintenance and surveillance activities as well as pcocurement for spare parts. Such programs provide i assurance of the application of appropriate quality standards providing an acceptable confidence in the availability of equipment. 4 P i (13) Plant procedures should corrider loss of heat tracing effectsfor equipment required to cope w:th a station blackout. , Alternate steps, Vneeded. should be identsfied to supplement planned action. i Heat tracing is used at some plants to ensure cold weather conditions do not result in freezing important piping and instrumentation systems with small diameter piping. Procedures should be reviewed to identify if any heat traced systems are re!!ed upon to cope with a station blackout. For example, addidoaal condensate makeup may be supplied from a system exposed to cold weather where heat tracing is needed to ensure control systems are i available, if any such systems are identified, additional backup sources of water not dependent on heat. tracing ; should be identified. Control rocm habitability is discussed in Section 2.7. t 4.3.2 AC Power Restoestloa Guidelines This section provides the bases and telated supplemental information for the ACrower restoration procedure guid of Section 4.2.2.
- i
] (1) lead dispatchers should give the highest possible priority to restoring power to nuclear units. Procedures o nd
- training should consider several potential methods of transmitting powerfrom blackstart capable units to the
\ nuclewplant. { i j During a complete loss of AC power, other power stations may be affected by the initiating event. Grid load dispatchers should give high priority to locating alternate transmission sources in order to restore power to th! affected nuclear unit. I i b 4 10 _ - _ _ . _ . , _ _ _ _ , . . - _ . _ _ . - _ _ _ _ . _ . _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ . _ _ - - - _ _i
CUTDELINES AND TECHNICAL BASES FOR NUMARC INTTIATIVES h NUMARC 8700 (2) Should incoming transmission lines to a nuclear power plant be damaged, high prianty should be assigned to repair and restoration activities to at least one line capable offeeding shutdown equipment. Multiple incoming transmission !!nes to a plant switchyard exist at most nuclear utilities. However, it is not necessary to restore all lines in order to feed the necessary shutdown equipment. Transmission line repair should be prioritized in such a way as to ensure that the most efficient manner of AC power restoradon is achieved. (3) Repair crews engaging in power restoration activitiesfor nuclear units should be given high priorityfor manpower, equipment, and materials. During severe weather conditions, repair activities will be compedng for repair resources and manpower. Proceduses should be implemented to ensure that repair crews are assigned on a priority basis to tasks related to power restoradon to nuclear units. Manpower, equipment, and materials should also be allocated to these crews on a priority basis. (4) Portable AC generators should be desigwed as backup sources if available and directed to nuclear power plant stes. Procedures should address pre planned actions and idennfy required equipment. The use of portable generators as backup sources of AC power, whether located on site or locally contracted, should be considered whenever possible. Procedures should be in place to instruct plant operations persennel conceming:
/a) backup generator location and contact personnel; (b) means of transporting portable generators from outside the plant (e.g., tractor trailer); and, -
i (c) location of equipment necessary to connect the backup generator to the plant's electrical system. (S) Once preferred and/or standby (Class lE) AC power becomes available. station procedures should specify the sequence of circuit breaker operations required to restore ACpower to shutdown equipment. Any additional actions such as pulling or replacingfares should also be identsjled. Numerous circuit breaker trips will likely occur in the event of a loss of AC power. Plant procedures should address breaker operation sequencing to facilitate AC power restoration as well as identify any additional operator
- 4. I1
1 9
~
l actions such as pulling or installing fuses. 4.3.3 Severe Weather Guidelines This section provides the bases and related supplemental information for the operating procedure guidelines of Section 4.2.3. Actions For Hurricane (1) The plant procedures should identify site specipe actions r.scessary to preparefor the onset of a hurricane. These actions should be initiated when a hurricane warning is issuedfor the plant site area. De likelihood of core damage due to station blackout can be significantly reduced by taking actions in anticipatien of a hurricane, ne National Weather Service issues hurricane warnings approximately 24 hours prior to the expected onset of hurricane conditions. This provides arnple time for verifying the availability of the Class IE and Alternate AC power sources and can reduce the potential for a station blackout should a hurricane cause the loss of off site power. If diesels are load tested, procedures should specify that they should be load tested sufficiently prior to the anticipated hurricane arrival at the site to preclude the possibility of common cause failure (resulting from l potential storm effects) involving the diesel generator and the preferred power supply. Similarly, enhancing the ability to respond to a station blackout event can further reduce the likelihood of core damage. Note that if the EDGs are load tested within a few hours of the expected hurricane arrival at the site, they should not be run in parallel with offsite power to preclude the potential for EDG loss upon the LOOP. (2) Utility procedures should identify additionalplant stadto be recalled in order to support the present staf a t means to contact Ihem once a hurricane notice has been issued by the Natiormt Weather Service. De normal plant operations staff may not be adequate to deal with the added activities necessary to mit effects of a hurricane. Utility procedures should be responsive to the need to recall additional personnel. (3) Plant procedures should specify actions necessary to ensure equipment requiredfor a possible station blackou \ awalable. With the onset of a severe weather conditions, the potential for a LOOP increases. It is, therefore, verify the availability and operability of equipment necessary for responding to a station blackout. An! 4 12
CtJTDELINES AND TECHNICAL BASES FOR NUMARC IhTTIATIVES f NUMARC.8700 y testing in progress should be completed as soon as practical and no unnecessary testing (i.e., testing not associated with surveillance requirements) started until the severe weather warning has been lifted. Equipment important to stadon blackout response should include but not be limited to: (a) Emergency diesel generators EDGs should be kept in a warm standby condition with circulating water and lubricating oil, if possible. Pre lubricating should also be accomplished if such means are provided. (b) Stadon batteries - Station, batteries should be checked to verify they are charged. (c) Decay Heat Removal Systems The status of systems supplied from DC or emergency AC power should be determined and appropriate actions should be taken to ensure the availability of such systems. (4) Plant procedures should address thefollowing itent prior to a hurri:ane arrival at a site:
.. (a) the site. specific indicator should ensure that the plant would be in safe shutdown two hours before the anticipated hurricane arrival at the site (i.e., sustained winspeeds in acess of 7.1 mph);
(b) operator review ofstation blackout procedures; and, (c) operator review ofprocedures to line up and operate the switchyard spraydown system (ifinstalled). The possibility of sustaining core damage from a station blackout can be greatly reduced if the plant has been placed in safe shutdown before the anticipated hurricane arrival at the site. Prior to the hurricane. induced LOOP, decay heat is removed by means of the feedwater pump supplying water to either the steam generator (PWR) or directly to the reactor (BWR) and thsn condensing sthe ' team that has been subsequently generated through the m condenser, i l Section 7 of these guidelines provides a methodology for determining the resources needed to cope with a 4. ho station blackout assuming the blackout occurred with the plant operating at 100% power, Removing decay he prior to the anticipated hurricane. induced LOOP can significandy extend these resources beyond four hou that is in a coping duration estegory in excess of four hours because of extremely severe weather associated with a hurricane can provide risk reduction equivalent to the enhanced coping duration genods by undertaking the noted in Section 4.2.3 to achieve an enhanced coping capability. 1 ( w _
- - - - - -. . . - . . . . ., . m . .n . sn u o n m De time to the anticipated hurricane arrival at the site can be estimated to allow sufficient time to extend the nominal 4 hour coping capability to the enhanced eight hour duration. For example, if an off. site power system's
, transmission towers are designed for hurricane force winds, the LOOP would not be expected prior to exceeding
, hunicane conditions.De expected arrival of hurricane conditions at a site can be estimated knowing the hurricane's location, the radius of hunicane force winds about the center, the forward speed of the storm, and its likely path.
His knowledge can be used to develop a site specific indicator. During a station bla:kout it would be necessary to commence plant shutdown independent of AC power. All personnel involved in the operation of the plant should review the appropriate procedures dealing with an A-independent shutdown. Specific duties, such as manual valve and breaker operations, should be assigned te eliminate confusion or duplication of tasks. Some utilities have installed spraydon systems to reduce salt spray accumulation on switchyard equipm severe weather. De alignment and operation of these systems should be reviewed by the appropriate plant personnel. Actions For Tornado Plantprocedures shouldidentify site spectpc actions necessary to preparefor the onset of a tornad.o. These a shouldinclude: (a) inspectin g the sitefor potential missiles and reducing this potential, and (b) expediting the restoration ofimportant plant systems and components to service. De warning associated with impending tornadoes may not be of sufficient duration to allow extensive a However, the above mentioned activities should be undertaken as a minimum as well as any addition may be deemed prudent by plant personnel. I 4 14
atnDELINES AND TECHNICAL B ASES FO R NUMARC INITIATIVES f NUMARC 4700
- 5. COLD STARTS 5.1 DISCUSSION l NUMARC Station Blackout Inidative 3 was stmetured to provide utility attention toward reducing, as much as ,
possible, cold starting of emergency diesel generators during test conditions, nis initiative was prompted by the NRC - Staff attention to this issue in NRC Generic Letter 84-15. 1 For this review, a cold start is considered to be an attempt to start an emergency diesel generator from ambient conditions without the presence of pre warmed circulating water or pre lubrication. A continuously pre warmed and pre lubed machine would not be considered to have cold starts. l 5.2 ACTION Each plant should ensure that emergency diese! generator tests are performed in a pre warmed and pre lubed condi except during an actual demand test required approximately once exh scheduled refueling outage unless the emerge diesel generator is normally pre warmed and pre lubricated. Plants with EDO cold starts more frequently than once e x scheduled refueling outage should either reduce the cold fast start frequency or provide justification for necessary starts. Mrnufacturer recommendations, operational requirements, or regulatory requirements are examples of act ept justifications. !f more frequent testing is currently required by technical specifications, consideradon should b applying for technical specification relief. - l ! I i M i 51 . __,
7- v GUIDE 1.INES AND TECHNICAL BASES FOR NUMARCINITIATIVES f 'NUMARC.8700 l
- 6. EMERGENCY AC POWER AVAILABILITY 6.1 DISCUSSION NUMARC Stadon Blackout Inidadve 4 calls for monitoring of plant emargency generator unavailability. Further anendon to a more comprehensive diesel generator reliability program is addressed in Appendix D of this document.
6.2 ACTION - Each plant, through participation in the industry. wide Plant Performance Indicator program that is managed by INPO, provides regular reports of diesel generator unavailability data. His 'other indicator
- in the Plant Performance Indicator Program is trended and provided to each plant semiannually. Through this Program each plant monitors plant specific dieseigenerator unavailability and can compare its performance to an Industry average.
o I i l bA
, x GUTDELINES AND TECHNICAL BASES FOR NUMARC TNTT!/.TIVES i NUMARC.8700
- 7. COPING WITH A STATION BLACKOUT EVENT 7.1 OVERVIEW This section provides an overview of a simplified assessment procedure for coping with a stadon blackout. There are five steps tn the procedura, addressing the following topics:
(1) Condensate inventory for decay heat removal; (2) Assessing the Class IE battery capacity; (3) Compressed air, (4) Effects ofloss of ventilation; and, (5) Containment isolation.
~
r The p~ocedure is structured to utilize information readily available from licensing documents (e.g., FSAR, licensing submittals), existing calculadons, purchase specifications, and drawings. For most units, no additional computation or analysis is anticipated. Plant specific analysis may be relied upon as supplemental to or in lieu of the coping assessment in Section 7.2 for the topics listed above. 7.1.1 Coping Methods For purposes of this assessment, coping methods are separated into two different approaches. The first is referred to as1 1 the *AC. Independent" approach. In this approach, plants rely on available process steam, DC power, and comprel to operate equipment necessary to achieve safe shutdown conditions (Le., Hot Standby or Hot Shutdown, as approp until off. site or emergency AC power is restored. A second approach is calTed the "Alterr. ate AC" approach. Th method is named for its use of equipment that is capable of being electrically isolated from the preferred off site and emergency on site AC power sources. Station blackout coping using the Altemate AC power approach would entail a short period of time in an AC independent state (up to one hour) while the operators initiate power from t source. Once power is available, the plant would transition to the Alternate AC state and provide decay heat removal antil off-site or emergency AC. power becomes available. The AC power sources used in the Alternate AC approach would be subject to the Apper dix B criteria including electrical isolation requirements in order to assure their availability in the event of a station blaca out. l Appendit A provides a definition of Alternate AC power sources. Appendix B provides detailed acceptance criteria b
6 Alternate AC power source. 7.1.2 Coping Duration AC. Independent plants must meet the requirements of this methodology for at least four hours (or at least two hours for plants in hath emergency AC group A and off site power group P1) Plants using an Alternate AC power source must assess their ability to cope for one hour. However, if an Alternate AC power source can be shown by test to be available within 10 minutes of the onset of station blackout, then no coping assessment is required. Available within 10 minutes means that circuit breakers necessary to bring power to safe shutdown buses are capable of being actuated in the control room within that period. 7.2 COP!NG ASSESSMENT 7.2.1 Condensate Inventory for Decay Heat Removal Discussion The purpose of this procedure is to ensure that each plant has adequate condensate inventory for decay heat removal during a station blackout for the required duration. De necessary condensate inventory is assessed by a bounding analysis. If this quanti ty is less than the Technical Specification minimum requirement for the condensate storage tank (CST), then the plant's cunent condensate inventory is adequate. If not. other sources of water that can be aligned and transferred under station blxkout conditions are idennfled and considered. Procedun - Step 1: Plant Rating Record in A the unit's licensed reactor output in A= megawatts thermal (Mwt) from the unit's operating license, 7*2
CUTDELINES AND TECHNICAL DASES F'iR NUMARC INITIATIVES f NUMARC 8706 I Step 2: Required Condensate Determine the number of gallons of water required for decay heat removal as follows: B= B = A*(22.12 GA!/MWt) + C If emergency opendng procedures do not require a primary system cooldown to minimize rextor coolant pump leakage or to maintain decay heat removal capability, then C - zero. If emergency operating procedures require a primary system cooldown to minimize rexter coolant pump seal leakage or to maintain decay heat removal capability, then C is the amount of water required to tupport the cooldown. Record the result as B. Step 5: Technical Specification for CST Volume D= Obtain the minimum permissible usable gallons of water in the CST as found in the unit's Technical Specifications. Record this value as D. Step 4: Review for Adequacy - CST Quantities Alone Compare the value of B with the value of D. (a) If B Is less than D, adequate e mdensate is available (b) Otherwise, continue to Step 5. - 1 l 1 Step 5: Additional Water Sources in this step, additional water sources are identified as backup condensate mdeup sources for decay heat rernoval. The following are examples of sources of water which may serve in this role: Hotwell Adjacent unit wr,ter sources Fire water tanks Cooling water pond ( 73 _
RTINIT!ATTVES f NUMARC 4700 # i River or lake water i NOTE: Plant procedures need to reflect actions and water sources relied upon in responding i to a station blackout event. The following criteria must be met prior to assuming the ovallability of any backup water sources: 1 (a) A physical connection and transfer capability is provided Independent of the preferred power supply and blacked out unit's Class IE AC power sources and capable of providing a source of water to the CST or the makeup pump suction. (b) Plant procedures must exist to accomplish this makeup to the CST, (c) The source must be be able to be connected before the CSTis empded. (d) After one hour, an AAC source may be used to provide power to pumps and valves if the equipment is powered from the AAC source. NOTE: Water relied on frora adjacent units at a multlunit site must be capable of being transferred to the blacked out unit without adversely affecting adequate decay heat reinoval activities at the non. blacked out unit. Recorti below the usable volurne of each additional source of water satisfying Criteria (a)-(d), above. Source 1: Amt. Water (gal.) Source 2: Amt. Water (gal.) Source h Amt. Water (gal.) _ Souste 4: Amt. Water (gal.) Total the amount of water from Sources 1 to 4 and record this E= amount after E. ! l l 74 -_ _ l
CUTDELINES AND TECHNICAL BASES FOR NUM ARC thTr!ATTVES @ NUMARC.4700 M Step 6: Condensate Available Sum the values of D and E. Record the result u F. F= (i.e. F.D+E) 4 Step 7: Test for Adequacy - With Backup Sources Compare the value of F to the value of B (a) If B Is less than F, adequate condensate is available. (b) If B Is greater than F, return to Step S and Identify additional water sources, s Supporting information This section provides the analytical basis for the thermal normalized condensate requirement presented in the condensate inventory procedure. The analysis determines the amount of water necessary to remove decay heat for a given duration. De amount of water is then normalized with respect to the thermal rating of the the reactor to obtain the thermal normalized condensate requirement. Analysis Figure 7 1 represents a FWR stearn generator or BWR reactor vessel with decay heat (Q'), an inlet mass now rate (m ' from the condensate storage tank (CST), and exit mass now rate (m ). e
~
i I e l
< l u '
GUIDELDMS AND TECHMCAL BASES FOR NUMARC IhTf!ATIVES f NUMARC4706 - Mass outdow L Decay Heat 4 _ Mass inflow Figure 71 Assuming steady state and adiabatic conditions, the equations of mass and energy conservation which describe this system are as follows: 4 l j mt m ,' . m Q' + m(hg . ma 'h, 0 , l ; Theso equations can be used to derive an expressica for the rate of change of mass in the CST (mCU): Q' = mik, . hg ) . dmcg7Idt (h, . hg ) The amount of condensate necessary to remove decay for a given duration (T)is then given by: T
- CST (0) . / Q1(hg . hg ) ds 0
l Resuits The right hand side of this equation is evaluated using the following assumptions: I 76 - _ - _ _ _
~ ~
GUTDELINES AND TECifNTCAL BASES FOR NUMARCINITIAT!vts @ NUMARC 8700 d the reactor has been operating at full power for 100 days decay heat is calculated using ANS standani ANS 5.1/N18.6
- there are no stuck open PORVs e
the inlet enthalpy corresponds to the enthalpy of saturated liquid at atmospheric pressure a the exit enthalpy corresponds to the enthalpy of saturated vapor-- approximately 1200 Btu /lbm for pressures between 100 and 1200 psia A fourth order Runge.Kutta scheme was used to Integrate this equation. 7.2.2 Assessing the Class IE Dattery Capacity Discussion - The purpose of this section is to ensure that each plant has adequate battery capacity to support decay heat removal during a station blackout for the required coping duration. This procedure offers tvo analytical methods that can be used to ensure sufficient capacity exits at each unit. IEEE STD485, or other desira cuis battery analysis updated as necessary to reflect current loads, should be used. The two alternatives are outlinal below. (a) Use an existing battery capaci:y calculation or perform one that " rifies sufficient coping capacity under station blackout conditions. - (b) Use an existing banery capacity calculation or perform one that verifies sufficient coping capacity by stripping loads in order to extend the battery life in a station blackout. i l NOTE: All calculations should use the lowest electrolyte temperature anticipated under normal operating conditions, { l i 4 I t 7*7 . __ _ _ _ - - - _ _ . _ _ _ _ __ .- ..
^
t o hocedary -
\
I Rattaev f anmelt , calculation ... % f_nad Strie ntn e Step 1: Review for Battery Adequacy Revkw an saladng bausry capacity ca'sulados for a stados blackout est or perform one for ember (a)or(b) bokm l (a) AC. Independents f6sr honra, I (b) Aheruste AC: one hosr. ! NOTE: U an existing battery exceeds the above capacity, the rated ' capacity should met be reduced solely on the bash of the above station blackov; criteria. Step 2: Review for Adequar.y . Withoet Load Stripplag Om ressla of Stop 1 to tbs basary manufacmrers capacity m~*% If sufficient capacity saista, no futer'acdca 14 required. Otherwise, 30 m the lead Stripping Cue. R a tt e r, c a n net t, Pat,nlatina ... With I nad Strinnin e _ Step 1: List DC Leeds to Be Stripped Llat loads on the Class IE basaries $at are not required to cope wit a station blackout and can be impped commenchg 30 minuans aftar the inidation of the stadon blackout everte l I k NOTE: Loads listed above to be stripped must be based es .settons refiscted la plant procedures and which can be accomplished under statics blechout ec:ditfora. Step 1: Adjnat Duty Cycle Cartas . Delete the loads listed in Step 1 from the unstripped load duty cycle curves in the battery capaty calculadon Recalculass the maximum section sina and fe!!ow me inspe used in the calculadon m assess Cass 15 batsery capacity. 78
' GUIDELINES AND TECHNICAL DASES FOR NUMARCINTTIATIVES f NUMARC.8700 d Step 3: Review for Adequacy - With Load Stripping Compare results of Step 2 to the battery manufacturer's capacity curves. If sufficient battery capacity exists with load shedding, no funher action is required. Othenvise, battery capacity (IEEE STD-485, or equivalent) must be extended funher to meet the required stadon blackout coping duration. Acceptable means for extending battesy capacity include the addition of batteries or the addition of a battery charging system for the existing batteries provided the source of power for the charging system is independent of both the preferred power source and the blacked out unit's Class IE power system. Assure that the required additional c::pacity is ach; ,ed. Supporting Information ne total DC power requirements for a four hour station blackout (one hour for AAC plants) depend on the required loads, their duration of operation. and the capacity of the batteries to hold a charge. De batteries' capacity varies with the rate of discharge, which also vanes with the loads. Consequently, the amount of energy recoverable from the batteries depends to a large measure en the rate of discharge usociated with the station blackou; response loads and initial electrolyte temperature, ne butery's ability to discharge stored energy is defined in a series of battery curves provided by the manufacturer. Capacity curves are generally provided for discharge periods ranging from five minutes to upwards of 16 hours, ne capacity of storage batteries varies with electrolya temperature, nis temperature depends on room temperatu which may vary in certain circumstances with the season of the year. Calculations should be performed assuming lowest temperature normally expected for the battery. The station blackout loads can be estimated from design basis accident loads since they are generally a subset of th loads. ney may be classified as being one of three categories: (1) continuous, (2) discontinuous, and (3) mo loads. Continuous loads are required for the duration of the station blackout event. Inverters and annunciators i r instrumentation and control are common examples of continuous loads. Discontinuous loads are required for durations throughout the event. Examples of these loads include motor operated valves and loads necess circuit breaker operadons. Momentary loads are of a temporary nature and are required only once or for a limited num of cycles. EDG field flashing is an example of a momentary load that should be considered when dete loads. l 79 l
.~ -
P Knowing the magnitude and timing of loads, it is possible to use the battery capacity curves provided for each plant to determine whether sufficient capacity is available for a four hour station blackout (one hour for AAC plants). The DC power requirements for a required stadon blackout may be estimated using the same methodology for which the plant is ilcansed. De generally accepted methodology is IEEE Recommended Practicefor String Large Lead Storage Baneriesfor Generaing Stadons and Sdstations (IEEE.STD485). IEEE.STD485 incorporates design margins for aging and temperature correction that are addressed in various other industry standards such as /EEE Recommended Pracdcefor Maintenance, Testing, and Replacement ofL.arge Stationary Type Power Plant and Sustation Lead Storage Barteries (IEEE.STD450). This methodology calculates battery load requirements for various sections of time. The magnitude of DC toads for each such section of time is referred to as the section size. Various section sites are calculated in order to construct a battery duty cycle. De battery is then sized to address the maximum section calculated for the entire duty cycle, 7.2.3 Compressed Air Discussion ne purpose of this section is to ensure that air operated valves required for decay heat removal have sufficient reserve t air or can be manually oprated under station blackout conditions for the specified duration, The loss of instrument air in a station blackout can be minimized through a strategy for operator actions. This procedure provides the requisite information , for developing that strategy. Procedure - Step 1: Identify Air Operated Valves Necessary for Decaf Heat Removal List below all aireperated valves that are required to be cycled during a station blackout. i i l
~
1 l l l r 7 10 !
u u wu.m ra n.,u i r.Lumm u-Step 2: Backup Air Supplies Review each valve listed and identify the valves that are not supplied with air within design pressure and moisture limits from at least one of the following sources for at least fot.t hours (one hour for AAC plants if the compressor is on the AAC supply, otherwise four hours). (a) Backup air systems (compressors with associated valves, Instruments etc.) that are: supplied from the adjacent unit Ofit is independent of the preferred and blacked out unit's Class IE power supply), or powered from Alternate AC power sources, or powered by DC power. (b) Backup local sources of compressed air or nitrogen located at the valves. Step 3: Criteria for Manual Operation For all valves not supplied by backup sources, determine whether they rr.eet all of the following critena for manual operation: (a) Procedures specify manual operation for valves in a station blackourt (b) Accessible in a station blackoutt (c) Identifiable in a station blackoutt (d) Necessary tools, reachrods, or chains are normally presenti (e) Appropriate indicatior and means for communication are provided; and, (f) Sufficient manpower .. available onshift to accomplish specified tasks 7 11
m Step 4: Review for Adequacy - Manual Valve Operation if all air operated valves required for decay heat removat have backup sources or may be manually operated in a station blackout, no further action is required. Othe wise, return to Step 2. NOTES Plant procedures need to reflect the manual actions and backup air supplies assumed to be relled upon la responding to a statlos blackout event. Supportihg information With the initiation of a station blackout, instrument air systems lose their air compressors and begin to depressunze. As the air headers bleed down, operability of the air operated valves also degrade ultimately resulting in their unavailability. With prolonged loss of insuument air systems, it is possible that decay heat removal and reactor coolant inventory may be adversely affected. ' De amount of air needed for decay heat removal depends on the expected number of valve cycles, the failure mode for air operated valves on the reactor coolant system boundary, and the ability to manually cycle or close air operated valves, Atmospheric dump valves on PWRs genettlly require air for prolonged operation. In contrast, most other valves, such as feedwater regulator valves, generaty fail L the "as is' position. Similarly, reactor coolant pressure boundary valves generally fail as.is, or closed, in order to limit reactor coolant inventory loss. Valves failing in such manner do not normally require repositioning in a station bl.tkout.
- 7.2.4 EFFECTS OF LOSS OF VENTILATION .
Discussian The purpose of this section is to determine the average steady state temperature in dominant areas contain necessary to achieve and maintain safe shutdown during a station blackout. Appendix E provides the basis for the procedure contained in this section. Dis temperature provides a reference point for reasonably assuring the oper of equipment needed to cope with a station blackout using the methodologies outlined in Appendia F. Plants unllzing an Altemate AC capability need not complete this review if the Altemare AC source is used to p ESF ventilation systems and is available within 10 minutes (see Section 7.1.2). I 7 12
~ N __ Procedure Step 1: Dominant Area Geometry Recordin A(1), A(2), A(3), and A(4), as appropriate, the estimated total room surface ares, excluding floors but including ceilings and walls, measuredin iguare matter, for the following rooms / quadrants (as applicable): (1) Stesm Driven AFW Pume Rcom (PWR \taly) -- -- A(1) = - - - - . - . (2) HPCIMDCS Rmm (BWRs ontv) A(2)= (3) RCTC Ronm (BWRs entv) A(3)= (4) Msin steim runnel (BWRt entvi A(4) = - - - - - - Step 2: Dominant Area Hest Generation Rates l Record in Q(1), Q(2), Q(3), and Q(4), u appropriate, the heat geaeration rates, measuredin Wattr, for the following roomuquadrants (u applicable)- l l (1) Steam Driven AFW Pume Room (PWRs ontvi , 1 Estimate the heat generation rate for this room / quadrant and enter in Q(1) Q(1)= (2) HPCTHPCS Ronm (BWRs entv1 Estimate the heat generation rate for this room / quadrant and enter in Q(2) Q(2)= 7 13
g o a - (3) RCTC' Room f BWRt ontvi Estimate the heat generadon rate for this rocrWquadrant and enter in Q(3) Q(3)= (4) Main utene runnel (EWRs ontvi Esdmate the heat generadon rule for the tunnel and enter in Q(4). no heat transfer i i correladon presented in Appendix E Is adequase to estimans the heat transfor from hot t ! l , steam pipes to the sumanding air. narmal radiation heat transfar may be neglected. Q(4) = - t 1 NOTE: See supporting information for the 'nethodology used to determine the genention rates for various equipment configurations. ' i Step Jt Determine the Wall Temperatures: , Determine the upper bound for wall temperature,la T, prior to loss of ventilation. A I temperaturn of 40* C (104' F) may be reasonable for nearly all rooms / quadrants, nis temperature is tasar used as ths initial air temperature for the roonvquadrant in Stepe 4 and 5. A different : j tempernaire may be used if it can be justifled based on actual measurement. It is assumed that the wa11 temperature does not change appreciably throughout the transient as shown in Appendix E (2.5* C or 4.3* F). 1 (1) Stesm Driven AFW Pume Room (PWRb I j T(1) = ~ (2) HPCIMPCS Room (BWRs ontvi
; T(2)= ; I (3) RCIC Room iBWRt ontv) l T(3)=
i i 1 J l 7 + 14
OtRDELINES AND TECHN; CAL BASES FOR NtNARC INITIATTVES d f Nt/ MARC 8700 (4) Main stesm tunnel (BWRt entv) T(4) = Step 4: Calculate the Steady State Roon: Temperature Following Loss of Ventilation Calculais the steady state ambient air temperature, he T, using Equation (E.18) for the following rooms / quadrants, assuming no additional cooling or natural circuladon to the outside environunc (1) Stesm Driven AFW Pume Room (PWRt entv) - - - -- Tg1) = (q(lyA(1))(N4) + T(1) = (2) HPCWPCS Rmm (BWRt entvi Tf 2) = [Q(2VA(2)l(N4) + T(2) = (3) Rcic Rmm (BWR, entv) Tf3) = (Q(3)/A(3))W4) + T(3) = (4) higheteim tunnel (BWRt en!v) Tf4) = (Q(4VA(4)lW4) + T(4) = Note that this equation is a simpt fled form of the complete steady state solution. Heat transfer coemclents and thermal properties have been evaluated in MKS units. Therefore, this dimensionally inconsistent equation is valid only with the units specified in Steps 1,2, and J. Step 5: Calculate the Effect of Opening Area Doors ifit is feasible to open a door during the event to allow removal of heat through natural circulation, perform the following steps to determine the effect of opening the door. 7 15
o
, j
$.1 Record in H(1), H(2). H(3), and H(4), as appropriate, the height o( the door, measund ia meten.
(1) Stesm Ddven AFW Pums Room (DWRt ontv) H(1) = ; i l i Q) MPCIMPCs Rem iBWRt eniv) H(2). (3) RCfC Ranm iBWR t eniv) H(3). l f (4) Main itesm tunnel (BWRs only) i H(4) = 1 5.2 . Record in W(1), W(2), W(3), and W(4), as appropriate , the width of the door measund la meten. (1) Stesm Driven AFW Pume Room fPWRt only) W(1) = ! 1 i l Q) HPCIMPCS Room f BWRs eniv) W(2)= l l
- (3) RCTC Roe m (BWRt ontvi
,W(3).
f l l (4) Main tresm tunnel fBWRt ontv) J W(4) = i l 5.3 Calculate the door factor F for the following roomst quadnnts: I 2, (1) Stesm Driven AFW Pume Room (PWRs entv)
- Fil) =H(lp2w(1) ,
) i i ! I l 4 ' 7 16
. o
. GUIDELINES AND TECHNICAL BASES FOR NUMARC INTT!ATIVES f NUMARC 4704 _
(2) E14f PCS Room (BWR s eniv) F(2) =H(2)N2w(2) (3) RCfC Room (BWRt entv) F(3) =H(3)3/2w(3) (4) Msin trasm runnel (BWRt eniv) -~ F(4) =H(4)3/2w(4) 5.4 Cakulate the steady. state ambient air tempemturs,in
- C, using Equadon (E.27) for the following rccms/ quadrants:
(1) Stesm Driven AFW Pume Rcom (PWRt entv) Tr(1)=4 + T(1) +[Q(1)3/4/ [A(1)3/4 + 16.18F(1)0.8653)) (2) MPCf 4fPCS Roem (BWRt ontv) . . Tf2)=4 + T(2) +[Q(2)3/4 / [A(2)3/4 + 16.18F(2)0J653)) (3) RCIC Room (BWRt only) - i / Tf3)=4 + T(3) +[Q(3)3/4 [A(3)3/4 + 16.18F(3)0.8653)) ' ] (4), Main tream tunnel (BWRt only) -
/
Tf4)=4 + T(4) +[Q(4)3/4 [A(4)3/4 + 16.18F(4)0.8653)) l Note that this equation is a simplifted form of the complete steady state solution. Heat transfer coefficients and thermal properties have been evaluated le MKS units. Therefore, this dimensionally inconsistent equation is valid only 1 with the units specified in Steps 1,2, and 3. I 1 4 7 . 4
g- a Step 6: Reasonable ,ssurance of Equipment Operability Use the methodologies in Appendix F to provide a basis that the equipment relied upon to cope with a station blackout will operate at the steady state temperatures determined in Steps 4 or 5 for the required duration. Supportinginformadon
' General Discussion Since station blackout is not considered to be a design basis event, reasonable assurance of equipment operability need not be provided to the same level of precision and detail req sired by 10 CFR 550.49 for safety related equipment located in harsh environments. For this reason, a representative analysis approach is provided, with attention concentrated on the few situations where equipment operability is especia!!y important to core cooling in a station blackout.
This procedure providas the results of representative analyses for such areas to be reviewed against. Plants that do not conform with the acceptance envelopes for thermal aditions may either perform plant specific analysis, provide additional assurance that equipment survivability can te assured, or provide altemative means of cooling in a station blackout. The representative analysis provided in this section addresses a limited set of plant areas deemed to be potentiall susceptihte to heatup upon loss of ventilation, such as would oc.:ur in a station blackout. Rese areas are defined by three factors:('l) their containing equipment normally required to function early in a stadon blackout to remove d heat (2) the presence of significant heat generation terms (after AC power is lost) relative to their frae volume (i.e prer.ess steam or DC electrical power supplies in small rooms or enclosures), and (3) the absence of heat removal capability in a station blackout without operator action. Dese areas and their respective equipment consist of: 1 1
. i (1) HPCI/HPCS and RCIC rooms (BWR on' -
decay heat removal equipment (2) Steam Driven AFW pump rooms (PWR only) - decay heat removalequipment (3) Main steam tunnel (BWR only) - high temperature cutout for decay heat removal equipment Area: not addressed in this list are viewed as posing a significantly reduced concern for a variety of reasons. Safe shutdown equipment in many plant areas is already qualified to operate in a harsh environment. The containment is oneI such harsh environment area. ne station blackout event is expected to be bounded by analyses previously perfor these areas. Other plant areas will not be exposed to significant heat generation terms since:(1) a station blackout 7 18
- . . - _ - -. . . - - _ . - . - ~ . - - _ - . . - . - - -.
GUIDELINES AND TECHNICAL BASES FOR NUM,ARCINITIATIVES g NUMARC 8700 d results in the elimination of process steam from most plant areas, or (2) these areas do not contain equipment required for decay heat removal. In addition, the loss of AC power will eliminate AC moto'rs, switchgear, and lighting from the list of heat generation sources. Finally, the equipment needed to function in a stadon blackout is limited to a turbine driven feedwater makeup system, atmospheric dump or steam relief valves, batteries, and a small set ofinstmmentation cabinets. The loss of ventilation concern is significantly reduced for plants using Alternate AC sources, provided these plants also easure that sufficient forced ventilation is available to safe shutdown equipment. For these plants, the period of ventilation loss would be limited to the time necessary to restore AC power from an Alternate AC source. This period is no greater than 1 hour, and during this time loss of ventilation is not anticipated to cause equipment problems. hig'hMotorv for Determinine Heat Generatien R stes To determine heat generation rates, it is necessary to evaluate electrical and steam equipment. (1) Electrical Equipment
~
identify the nameplate rating of the equipment; convert this rating to Watts, for example: (Nameplate in Horsepower) X (745.7) - watts (2) Steam driven Equipment - use standard formula to determine heat generation rates for the applicable i configuration, for example: Pipes Q-{0.1(0.4 + 15.7(T3 Tair)l/6 91/2 j D
+ 170.3(Ts -Tair)1/3 ](Ts Tair ) + 1.4E 7D(T's w
- Y )}L whee Q = the heat generation rate of the pipe in watts D - the diameter of the pipe in meters T s- the surface temperature of the pipe in *K Tair - the air temperature of the room at station blackout onset in*K L - the length of the pipe in meters l
i 1 7 19
e e c Pumps Q- 0.1( 2 + 37.0(T 3 -Taigl/4 D3/4) D(T s* Tair) 2
+ 1.4E 7 D (T3 4-Tairb where Q = the heat generation rate of the pump in watts D - the equivalent diameter of the pump in meters Tg - the surface temperature of the pump in *K Tair - the air temperature of the room at station blackout onset in 'K Note that. this equation models a pumps as a sphere. The equivalent diameter of the pump is determined by using the volume of space that is occupied by the pump to calculate the equivalent diameter of a sphere. This is accomplished by the following relationship:
D - (6* V/n)l/3 where V - volume occupied by the pump in meters cubed n - 3.1415927 7.2.5 Containment Isolation Discussion The purpose of this procedure la to ensure that appropriate containment integrity can be provided during a st blxkout event for the required duration. Appropriate containment integrity is defined such that the capability for valve position indication and closure of certain, containment isolation valves is provided independent of the preferred or Class IE power supplies. The containme isolation valves requiring this espability are valves that may be in the open posit in at the onset of a station blacko l Acceptable means of position indication includes local mechanical indication DC powered indication (includin AC powered indicators powered through inverters), and Alternate AC powered indication. Acceptable means of include manual operation, sir operation (including air operated valves that are mechanically closed on loss DC powered operation, and Altemate AC powered operation. 7 20 . _ __ _ . - _ - . _ _ _ _ - - ~ ~ - - - - - - -
Wmuoflij ME) 2BsilT4@% 00M990 R NUMARC IhTTIATIVES [NUMARC.8700 c Procedure Step 1: Valve Identification Review the list of containment isolation valves and exclude the following valves from consideration: (1) valvt.a normally locked closed during operadon; (2) valves that fail closed on loss of AC power or air; (3) check valves; (4) valves in non radioactive closed-loop systems not expected to be breached in a station blackout (with the exception of lines that communicate directly with the containment atmosphere); and. (5) all valves less than 3 inch nominal diameter. The remaining valves are the containment isolation valves of concem. Step 2: Containment Isolation Valves Requiring Manual Operation List valves from Step 1 that are of concern and which need to be operated to cope with a stadon blackout event for the required duration (i.e.,2 or 4-hours). Ensure that these valves can be operated independent of the preferred i and Class IE power supplies and have valve position indication (e.g., local mechanical, DC powered, or Alternate AC powered) that is independent of the preferred and blacked-out unit's Class IE power supplies.
- Step 3:
Containment Isolation Valves Requiring Closure Capability List valves from Stn 1 not identified in Step 2. Ensure ihat these valves can be closed independent of the preferred and Class lE power supplies and have valve position indication (e.g., local mechanical, DC powered, or Altemate AC powered) that is independent of the preferred and blacked.out unit's Class 1E power supplies. 7 21 ___ ____ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Uba%2AEL9AnrJ&nN/LB j NtJMARCi8700 9 APPENDIX A. DEFINITIONS Terms defined below were specifically developed for these guidelines and are of special importance to its use. ALTERNATE AC POWER SOURCE - An alternating current (AC) power source that is available to and located at or nearby a nuclear power plant and meets the following requirements: (i) is connectable to but not normally connected to the preferred or on site emergency AC power systems; (ii) has minimal potential for common cause failure with off site power or the on site AC power sourcest (iii) is available in a timely manner after the onset of station blackout; (iv) has sufficient capacity and reliability for operation of all systems necessary for coping with a station blackout and for the time required to bring and maintain the plant in safe shutdown (Hot Shutdown or Hot Standby, as appropriate); and, (v) is inspected, maintained, and tested periodically to demonsaste operability and reliability as set forth in Appendix B. PREFERRED POWER SUPPLY - that power supply from the transmission system to the Class lE distribution system which is preferred to furnish electric energy under accident or post accident conditions. IEEE STD 765; IEEE-STD 308: and NUREGICR 3992.page 2. REQUIRED COPINO DURATION the time between the onset of station blackout and the power to safe shutdown buses. SAFE SHUTDOWN For the pumose of this precedure safe shutdown is the plant conditions defined in pl specifications u Hot Standby or Hot Shutdown, as appropriate (plants have the option of maintaining the R normal operating temperatures or at reduced temperatures). SEVERE WEATHER the occurrence of annual average snowfall, tomado of F2 severity or greater, hurrica i spray potential, and wind speeds in excess of 75 mph.NUREG 1032. A1
)
STANDBY POWER SUPPLY the Class IE power supply that is selected to furnish electric energy to shutdown equipment when the preferred power supply is not available. Based on /EEE STD-308. STATION BLACKOUT - means the complete loss of attemating current (AC) electric power to the essential and nonessential switchgear buses in a nuclear power plant (i.e., loss of off site electric power system concurrent with turbine trip and unavailability of on site emergency AC power system). Station Blackout does not include the loss of available AC power to buses fed by station batteries through inverters or by Altemate AC power sources as defined in this appendh, nor does it assume a concurrent single failure or a design basis accident. At a multi unit site with normally dedicated emergency AC power sourtes, station blackout is assumed to occur in only one unit. At single unit sites, any emergency AC power source (s) in excess of the number required to meet the minimum redundancy requirements (i.e. single failure) for safe shutdown is assumed to be available and may be designated as an Alternate AC Power Source (s) provided it meets the Altemate AC power criteria in Appendix B. At multi unit sites with normally shared emergency AC power sources, where the combination of emergency AC sources exceeds the minimum redundancy requirements for normal safe shutdown (non DB A) of all units, the remaining emergency AC power sources may be used as alternative AC power scurces provided they meet the attemate AC power criteria in Appendix B. If there are no remaining emergency AC power sources in excess of the minimum redundanc requirements, station blackout must be assumed to occur at all the units. A.2
@EELINES AND TECHNICAL BASES FOR NUMARC INrr!ATIVES f NUMARC 8700 h 1
)
~
APPENDIX B. ALTERNATE AC POWER CRITERIA This appendix describes the criteria that must be met by a power supply in order to be classified as an Altemate AC power source. The criteria focus on ensuring that station blackout equipment is not unduly suscepdble to dependent failure by establishing independence of the AAC system from the emergency and non-Class IE AC power systems. AAC Power Source Criteria B.1 The AAC system and its components need not be designed to meet Cass IE or safety system requirements. If a Cass IE EDG is used as an Alternate AC power source, this existing Cass IE EDG must continue to meet all applicable safety related criteria. B.2 Unless otherwise provided in this criteria, the AAC system need not be protected against the effects of: (1) failure or misoperation of mechanical equipment, including (i) fire, (ii) pipe whip, (iii) jet impingement, (iv) water spt. (v) flooding from a pipe break,-(vi) radiation, pressurization, elevated temperature or humidity caused by high or medium energy pipe break, and (vii) missiles resulting from the failure of rotating equipment or high energy systems; or (2) seismic events. B.3 Components and subsystems shall be protected against the effects of likely weather related events that may the loss of off site power event. Protection may be provided by enclosing AAC components within structures that conform with the Uniform Building Code, and burying exposed electrical cable run between buildings (i.e., connections between the AAC power source and the shutdown busses). - BA Physical sepantion of AAC components from safety related components or equipment shall conform with the j sepantion criteria applicable for the unit's licensing basis. Connectability to AC Power Systems ! B.5 Failure of AAC components shall not adversely affect Cass IE AC power systems. B.6 Electricalisolation of AAC power shall be provided through an appropriate isolation device. If the AAC source connected to Class IE buses, isolation shall be provided by two circuit breakers in series (one Cass IE breaker or l BI -_ _ _ . . - .. - - --_. l
o the Cass lE bus and one non Cass lE breaker to protect the source). B.7 De AAC power source shall not normally be directly connected to the preferred or on site emergency AC power system for the unit affected by the blackout. In addition, the AAC system shall not be capable of automatic loading of shutdown equipment from the blacked-out unit unless licensed with such capability. Minimal Potential for Common Cause Failure B.8 There shall be minimal potential for common cause failure of the AAC power source (s). The following system features provide assurance that the minimal potential for common cause failure has been adequately addressed. (a) The AAC power system shall be equipped with 'a DC power source that is electrically independent from the blacked-out unit's preferred and Cass IE power system. (b) The AAC power system shall be equipped with an air start system, as applicable, that is independent of the preferred and the blacked out unit's preferred and Cass IE power supply.
. (c) The AAC power system shall be provided with a fuel oil supply, as applicable, that is separate from the fuel oil supply for We onsite emergency AC power system. A separate day tani supplied from a common storage tank is acceptable provided the fuel oil is sampled and analyzed consistent with applicable standards prior to transler to the day tank.
(d) If the AAC power source is an identical machine to We emergency onsite AC power source, active failures of the emergency AC power source shall be evaluated for applicability and corrective action taken to reduce subsequent fa lures, i (e) No single point vulnerability shall exist whereby a likely weather related event or single active failure could disable any portion of the onsite emergency AC power sotirees or the preferred power sourtes, and simultaneously fail the AAC power source (s). (O The AAC power system shall be capable of operating during and after a station blackout without any support systems powered from the preferred power supply, or the blacked out unit's Cass IE power sources affected by the event. (g) The portions of the AAC power system subjected to maintenance activities shall be tested prior to retuming the AAC power system to service. B2
[ dhtQluggj ggig3gHNICAL BASES FO R NUM ARC INTTIATIVES
@ NUMARC 8700 ~h Availability After Onset of Station Blackout B.9 De AAC power system shall be sized to carry the required shutdown loads for the required coping duration determined in Section 3.2.5, and be capable of maintaining voltage and frequency within limits consistent with established industry standards that will not degrade the performance of any shutdown system or component. At a multi unit site, except for 1/2 Shared or 2/3 emergency AC power configurations, an adjacent unit's Class IE power source may be used as an AAC power source for the blacked-out unit if it is capable of powering the required loads at both units.
Capacity and Rellability B.10 Unless otherwise governed by technical specifications, the AAC power source shall be started and brought to operating conditions that are consistent with its function ts an AAC source at intervals not longer than three months, following manufacturer's recommendations or in accordance with plant developed procedures. Once every refueling outage, a timed start (within the time period specified under blackout conditions) and rated load capacity I test shall be performed. B.11 Unless otherwise governed by technical specifications,' surveillance and maintenance procedures for the AAC system shall be implemented considering manufacturer's recommendations c,r in accordance with plant developed pocedures. B.12 Unless otherwise govemed by technical specifications, the AAC system shall be demonstrated by initial test to be capable of powering required shutdown equipment within one hour of a station blackout event. B.13 De Non Class IE AAC system should attempt to meet the target reliability and availability goals specified below, depending on normal system state. In this context, reliability and availability goals apply to the overall AAC system rather than individual machines, where a system may comprise more than one AAC power source (a) Systern Not Normallv Ooentad (Standby Systems) System reliability should be maintained at or above 0.95 per demand, as determined I in accordance with NSAC 108 methodology (or equivalent). (b) Systems Normally Oeersted (Online Svstems) Availability AAC systems normally online should attempt to be available to its associated unit at least 95% of the time the reactor is operating. Reliability No reliability targets or standards are established for online systems. ( B3
; NUMARC6 M ~]
~
( FBliuftitRG3 l l , APPENDIX C. SAMPLE AAC CONFIGURATIONS AAC Configuration JA: Non Class IE Power Source . SWITCHYARD 22 KY g =g,3 gy D--a = [] DEY1CE ,, 6.9 KV g,3 gy 6.9 KV V
.., xv BUS 0
T 0 runsixz cssrx4ro" wiis [] O 6., Kv ..
- T aUs LJ U
- ~m
~N W.
4.is XV N A 4.is KV l cussin c u ssin l
^
e44 . . " " 6 6" EoG 1111 % LliX% mos.C u ss o wy soci zoo, wy-40 VAC BUS 9 9 40 VAC DUS C-1
AAC Configuration 18: DG ! ass 15 or Non. Class IE , SWITCHYARD alt.C. u KV g Z:.1% DISCONNICT RXX g A9 KY (,gy DEVICE (, gy g, gy O sia m O O T runDiss Gsusnaroa exv y, BUS DUS
-C O l y% uxx y% uxx ,
NON lE lE NW its KY N% (14 Ky B 416 KV BUS A EDG CLASS E (16 KV BUS U L11XX (1a KY NON 6 m *Y EDG 1 EDG 2 h 4as v4C BUS aso y Ac aus C2
~
@ktM9fth /SiL9 tt3sliNES Dc0095@S SSWABs @$ih?ATIVES~ g NUMARC.8700 ]
AAC Configuralion 2A: Swing Diesel SWITCHYARD aux 22 xv i g m (3 gy otscoxxEc7 ,m g 69 xv DEVICE o gy g gy N# %%% %^A %4% o xv bus 0T 0 = TL'RBINE CENERATOR 0 0 oxv
. BUS r, r, l i_J tJ N0% Mv M04 Mv Q A cuss a E
O 4.i6 xv BUS uur Y Y uur My Eoc i g Eoc, wy **
- v c .Us
@EDG 3
. . c ,U, AAC SUPPLY C.3
V o A C Configuration 28: Dedicated Diesels with Cross.tle at Multiunit Site : I I UNIT 1 , m M2 i SWITCHYARD SWITCHYARD {
% l DLSCONNECT 345 KV % DESCONNECT 44 WV DEVICE g 23 KY % ogv1Cg g 12KY*
u xV m o xv auxg g M, s.s KV am MA M M ** M M uKV % e
'"Y gg g u xv l MA N To -
u uY LJ MAIN To u KV SUS g 0U3 u CY y [ g (, gy 4 ] l sus , sus 4.14 KV % NA NR 416 KY 46KYSUS 3 % 434 Ky sus 3 A 'la KY SUS N 44 KV 503 A .
=x ",,= ; =
ww -. w.
*v we -,w roo i mi i ese v4C 3U8 % 488 Y AC BUS
% M
$ w i s
g -
'w
.\
l l l C4
uusutLinu Anu g t,CitNICAL gy AAC Configuration JA: Nearby Power Source Connected to Non Class 1E Bus TR ANSMISSION LINES F1 TOM THE AAC UNTT ARE TO BE PROTECTED FROM EVENTS (T.G, SEVERE WEATIIER)TUAT COUI.D CAUSE LOSSES OF OFTSITE POWER TO THE NUCLEAR UNIT SWITCHYARD
; FOSSTU HYDRO I-31X%
u KV M
~
smm :n =gr'cr =n an VOLTAGE 09 KY <9 KV 6.9 KV ol o seus TURBINE GENERATOR o o <, K, gu, , 09 KV BUS N N U LJ cussa 9 9 ==, 416 KV BUS 4.16 KV BUS mn { YY uu% my ex , ex $ pg ~" 480 VAC BUS S 430 yAC DUS C5
______~ _ _ _ _ _ _ _ _ m - -- 4 o AAC Configuration 3B: Nearby Power Source Connected to a Class IE Bus TRANSMIS$!ON UNES FROM TH E MC UNTT A RE TO BE FROTECTED FROM EVENTS (E.(1 SEVERE WEATUER) TilAT COULD CAUSE Lo&5tJ OF OFF1tTE Powt2 TO THE NUCLEA A UnrT SWITCHYARD
, FOSSIU ,
i ilYDRO I E11Y. b1sTrTEM YOLTAGE kN g nxy i otsCosNEcf ,nzy
~
', KY DEVICE u Ky o KV g, gy tr 7 0 m.Jame. 0 0 ; ,xv
- m W LJ l
<>.Kv y
$$ (Tv M $ (Ev w
(16 KV stJ3 i gA - g3 (16 KV BUS CLAS3II CW IE M LLLXX. mu - , - wu - - 434 VAC BUS 9 430 VAC BUS _ _ }
eteuuma;eu a e.cnmun uA5F.5 FOR NWMRC TMTTFr!VE5' AAC Configuration 4A: Onsite IC Turbine Connected to a Non Class 1E us THE !C TUR3INE AND CABLES FROM THE !C TL1tBINE TO THE L9 KY BUS ARE TO DE PROTECTED FROM EYENTS(E.G 5EVERE WEATHER) THAT COULD CAUSE LOSSES OF OFTSITE POWER TO THE NUCLEAR UNIT.
, Ic i f"'
l TURDINE I 6 SWITCHYARD . -
-~
M cE h m a L9 KV KV g;w m 69 KV LS KV L9 KY ~
. L9 KV
, TURBINE GENERATOR
._ __... - _. DUS L, xv
- BUS O M a u L V L 'V CLASS IE
} A L16 W BUS
-y CLASS TE B
- U { YY D_
EDG1 EDG 2 O O 1 480 VAC BUS 480 VAC DUS C.7
uumun.nw nou i r.snmuau nasta run aumaxt. intilAltyt.s
- NMfA RC.8700 ~~ T AAC Configuration 4B: Onsite IC Turbine Connected to a Class 15 Bus T1TE !C TURBINE AND CABLDi FROM THE IC TUR BINE TO Tile 4.16 XV BUS ARE TO BE PROTECTED FltOM DTNTS(E.G SDIRE %TATilER)TilAT COULD CAUSE LOSSES OF OITSITE FO%D TO THE NUC1. EAR flNIT TUR INE - SWITCIIYARD U 5 9
uxv mxx m Dix-e m , L9KV 69 KV DD1CE (9gy 6.9 KV
< , K, BUS o o sims WRDINE GLNERATOR o <, x, l l BUS SYFIT51 YOLTAGE m l
=
W W
-O u 4.16 KV L L 9%" " g (16 KV BUS g cy=
hg y m - , - , m-Llih% m vic acS o v,c ous l C.8
@Gil!6 LINES AND TECHNICAL BASES FOR NUMARC INITIATIVES g NUMARC 8700 a APPENDIX D. EDG RELIABILITY PROGRAM i D.1 B ACKGROUND The NRC proposed resolution'to station blackout is based on a risk analysis presented in NUREG 1032. An important input parameter in the risk analysis is emergency diesel generator (EDG) reliability. While the NRC recognizes that the industry average EDG reliability is acceptably high, they are ccncerned that some plants have marginal machines and that current high reliability at some plants may degrade in the future. In order *.o ensure that EDO performance is maintained at a high level and improved for those machines that are currently marginal, the NRC is pursuing the resolution of Generic Issue B 56 Emergency Diesel GeneratorReliability. The NRC Staff maintains that the resolution of USI A 44 Station Blackour should include (1) che identification of target EDG re!! abilities and (2) the commitment to implement an EDG reliability program. An outline of a possible EDG reliability program to be developed under Generic Issue B 56 is described below. D.2 EDG RELIABILITY PROGRAM The reliable operation of on-site emergency AC power sources should be ensured by a re!! ability program. For emergency diesel gene' rators, such a program might be comprised of the following elements (or equivalent) (1) Establishment ofindividual EDG target reliability levels consistent with the planc category and coping duration determined in Secuon 3.2.5. (2) Surveillance testing and reliability monitoring programs designed to track EDG performance and also support maintenance activities. (3) A maintenance program which ensures that the target EDG reliability is being achieved and which also provides a capability for failure analysis and root cause investigations. (4) An information and data collection system capability which services the elements of the reliability program, and which monitors achieved EDG reliability levels against target values. D!
(5) Identified responsibilities for the major program elements and a management oversight program for reviewing reliability levels being achieved and assuring that the program is functioning properly. l I e 9 l o.2
Embhnstcutrug fthTLWE0 APPENDIX E: ANALYSIS OF THE EFFECTS OF LOSS OF VENTILATION UNDER STATION BLACKOUT CONDITIONS I i E.1 Introduction This appendix provides the technical basis for the methodology used in Section 7.2.4 to calculate 4-hour steady state temperatures for the dominant areas of concem.
- E.2 Dominant Areas of Concern Since normal ventilation is unavailable during a station blackout, equipment needed to achieve and maintain safe shutdown in a blackout may be subjected to elevated temperatures. Only a limited set of equipment, however, is needed to proyide core cooling and decay heat removal during a sta:fcn 'otackout. IAss of ventiladon concems are thus, limited to rooms and cabinets housing this equipment.
'Ihis approach focuses on rooms and plant areas labeled Dominant Areas of Concem. These rooms are limited to area.
that will have significant heat load in a station blackout, and also contain safe shutdown equipment. AC-driven equipment will not be operable in a station blac$out and process steam will not be in the plant. Similarly, only plant areas will contain safe shutdown equipment. For PWRs, the pump room for the steara driven auxillary feedwater system is the Dominant Area of Concern. The Dominant Areas of Concern in BWRs are the HPCI/HPCS and RCIC pump rooms and the main steam tunnel. In general, the size of RCIC turbines relative to AFW turbines, and relative room geometries make the RCIC results bounding. E.3 Analysis of Compartment Heatup Analytical models have been developed to estimate the temperature rise in compartments during a station blackout. this analysis, a lumped parameter model is used to calculate the average air temperature as a function of time of ventilation. 'The effect of mitigating xdons, such as opening doors to promote air circulation, are also considere E.I
E.3.1 Model Description A simple lumped parameter model of compartment hestup can be used to estimate the bulk air temperature as a function of time after loss of ventilation. The rate of change of the air temperature can be calculated by an energy balance if the appropriate heat sources and sinks can be described. An equation for the rate of change of the air temperature is given by: pep Vdra ijdt - Q,ou,c,, Qsinkt (El) 1 1 l where L f p is the air density; epis the constant pressure specific heat of dr; { Vis the volume of the compartment. l J De sources of heat conside'ed r are hot steam pipes, and to a lesser extent in a station blackout DC switchgear and
~
equipment.De heat from either b'are or insulated steam pipes is dissipated to the air and walls by natural convection and thermal radiation. Since the absorpdvity of air is very small, the heat dissipated by thermal radiation will be absorbed primarily by the concrete walls. Dere are two heat sinks available to remove heat from compartment air. concrete walls act as a large heat sink; and, compartment doors can be opened to remove heat by convection. Heat transfer to walls can be estimated by heat transfer coefficient correlations for natural convection along a vertical plate. Heat transfer to <.he walls via thermal radiation from steam pipes can be estimated if the temperature of the steam pipes and wall are known. Equation (E.1) can then be expanded to: pcpVdiairIdt - Qelec
- Opipe +0pm QwaH ~ Qbr (E*1) whert Q,t,e is the heat load from major DC electrical equipment; Opip, is the heat dissipated to the air from steam pipes by natural convection:
) E.2 1
M N&tUsibMSAM!Mf ES FO R NUM AR C INITIATIVES - NUMARCc8700 __ Opump is the heat dissipated to the air from steam driven pumps by natural convection; Qwall si the heat tmnsferred to walls from the air by natural convection; and, Odooris the heat convected out of compartment openings. Each term on the right hand side is discussed below. The heat dissipated to the air from electrical equipment for a particular compartment can be found by adding up the power dissipated by major DCloads. The heat transferred to the air from the steam pipes by natural convection can be estimated from the correlation for a long horizontal cylinder in a quiescent fluid. The heat transferred from steam driven pumps can be estimated from the correladon for a sphere in a quiescent fluid. The correlations for convective heat transfer rates of Churchill and Chu are used(Incropera (19811): For a cylinder: _ Nuo -(h pD)tk - CRd'g . (E3) where: Nup is the Nusse:t number hpis the heat transfer coefficient for free etnvection fmm a pipe; D is the diametet of the pipe; , & is the thermal conductivity of air; Rad si the Ray;eigh number based on the pipe diameter; and, C and a are empirical constants. l The Rayleigh numberis defined as: Rag - gpfT p ;pe.a T j,)&In W-0 E.3
q l where: - - g is gravitadonal secelerstion: A is the volumetric thermal expansion eccfficient; Tair is the bulk temperature of the sir; Tpip, is the tempersture of the pipe; cr is the thermsi diffusivity of sir; V is the kinemsde viscosity of air. ; l l Fcr a ideal gas,A = 1/Tair (based on sbsolute temperatures). 1 Churchill and Chu have recommended a single correlsdon for s wide Rayleigh number range (10 5 l l l Nun - f0.60 + - 0237 (Rag)lI6 )2 (E'S) [I + (0.539tPrf!!6]SI:7 where Pr is the Prandit number. l The convecdve hest transfer coefficient fer a cylinder can then be expressed as: 'l hp= (kid)[0.60 + 0221(Rag)ll6]2 (g.6) Similarly, for a sphere, t!Ie Nusselt number can be represented by: Nuo-2+ 0339(Rag)ll4 (y,y) [] +(0.469/PrfIl6)#'9 For Pr a 0.7 and Rad 1011 1 The convective hest trasfer cccfficient (cr a sphere em then be expressed as: t
, _ , _ ,_ - - , . -w, '_ * * +-h-
6LMLJLAULALTO3sL8tmMTIVES g NUMARC 8700 J h,-(k/D)(2 + 0.454(Rag)ll4] (E-8) Natural convection to the walls is described by the Churchill and Chu correlation for free conveedon for a vertical plate (Incropera (1981]). nis correlation is given by: hw-(k/L)l.825+ J24(Rg)lI6]2 (E.9) where Iis the height of the wall. ne Ra' gh number is based on L and the difference in temperature between the air and wall surfre: Rg= g6(Tg,- Tw gi)L3/av (E.10) The temperature of the inside wall surface also varies as a funcdon of time. An explicit finite difference model of one-dimensional transient heat conduedon in a plane wall can be used to describe the wall temperature. Bis model considers a time dependent heat flux to the wall as a boundary condition to be satisfied at each time step. A fine mesh is l used near the wall surface to accurately predict the temperature gradients resuldng from the heat Qux to the wall. Deep I into the wall, where temperature gradients are relatively small, a coarse mesh is employed. Application of this model to a typical room containing a heat Out of 80 KW, a total surface area of 514 m 2, and an 8 inch thick concrete wall resulted in a change in wall temperature of approximately 2.5 *C (4.5 'F) over a period of.1 hours. - The best flux specifying the boundary condition for the wall conduction model is the sum of the convective flux, found by use of(E.9), and the radiative flux from hot steam pipes, which is found using the Stefan Boltzmann law. Correlations have been developed to estimate heat flow through openings by convection.nese correlations are 1 applicable to the. compartment hestup scenario, where heat is convected from a room with a higher tentperature to a room with a lower temperature through an opening. The following correlation is suitable for the dimensionless l parameters associated with compartment heatup scenarios: l E.5
m c= hd. 2 (k/H)Gr#2P r (E l1) where the Grashof number Gr is based on the door height /lin the following manner. Gr = gH3 (Tg,. T,.)lv 2 Taye (E 12) The temperature of the outside air is denoted by T., , and ayT ,is the average of Tg, and T . Equation (E 2)can now be expanded to: Pcp M ,aitdt - Qelec + hp(Tg,)Ap(Tpipa T ai,) + hs(Tg,Ms(Tpm . Ter)
. h f ai ,, Twall)^w (Tg, . Tat) hg (Tg,) AjTalv . T ) (E 13) l This equation can be solved numerically for a particular geometry if the inidal condidons, namely the initial temperatures of the room air, walls, and outside air, are spec!6ed.
His steady state (i.e. dTai,/dt -0) solution to this equadon assuming no open doors can be dedved by setting Odoor -O. Equation (E 13) then becomes: 1 Qtotal - A f aj,, Twojj) A,(T ag, . Twajj) (E 14) where, Ototd. represents the total amount of heat deposited in the building.-
~
ne natural convection coefncient can be calculated with the correlation shown in equadon (E 9). For the range o temperatures under consideration (i.e.,22 500 C) the .325 term is much smaller than aJ24R j(1/6) and therefore can be neglected. Equation (E 9) becomes: h,-(kIL)(J24tRal)ll6;2 zg.g $) E. 6
eN c-Substituting in the Rayleigh number as defined in equadon (E.10): - hw .1k[gMTer-Twat)lavlI'# (E*16) Substituting this result into equadon (E.14) yields: Qgogg .1k(gplav]IIIAw( Tg,- Twgt)413 (E.11) Finally, for the temperature ranges being discussed:
.lk(gplav]II3 - 1 Hence, reaminging equation (E.17):
Tair = (Qtotau Aw)3/4 + Tgg (E18) This is the msult used in Step 4 of Section 7.2.4. Scaled experiments performed by Brown (1962] suggest the following correladon for predicting heat transfer coefficie through vertical openings: Qdoor= YPave pC tTai,-TJ (c.19) where , V' .2 W(g spipyl/2 l13/2 (E.20) pave - the t' tage of the densities of the air inside and outside of the room dp = the et% ge in density between the air inside and outside of the room j Cp= the specific heat of the room air at constant pressure T - the temperature of the air outside of the room t Tair - the temperature of the air inside of the room E.7
l W- the width of the door . N - the height of the door l g - the acceleration due to gravity It should be recognized that the Brown experiments are small scale and should be used with an understanding of theit underlying basis. Since air can be modeled as a perfect gas: pay, = P/2R(11T + 1fra i,) l l sp = PIR(1(T.,- 1(Tg,) where P. atmospheric pressure R = the universal gas constant Equation (E 19)can then be wTiben as: Qdoor .2 WH '2gII2 (2(Tai, T.J/(T, + Tair)Y' Pave Cp( Tai, T.J (E 21) For a typical RCIC toom numerical analysis predicts a rapid temperature buildup within the first half hour. The temperature willincrease by only a few degrees for the next three and one half hours where it then approaches steadyI state. This rapid thermal buildup appears to characterize room geometries for dominant areas of corcem. l Once a door is opened, analysis indicates the temperature of the room will d5 tease rapidly and approach stea conditions in approximately 20 minutes for similar room geometries. From this analysis, it is apparent that the time at ' which a door is opened past thiny minutes will have little effect on either the peak temperature or the final steady temperature that is achieved. For this reason the steady state solution of equation (E 2) will apply when calculating th final temperature for a four hour event. 'the steady state solution to equation (E.2)is: 0
- Qelec
- Opipe
- Opump* Qwall
- QJoor
- E3
. tmuiL%LUTSt9tnhuhKJ.%ElIH/9JFM!ALEtFuutButMiij j NTJMARC 8700 J Qa$c + Qpipe p+ Q ump " Qwa!! + Qdoor Qcotal- Q4 + Qdoor From Equadon (E 17)
Qwa!!- AwlTai, Twatt)4I3 Dafcss Qcotas - w A (T ai ,- Twatt)"' 3 g
+ .2 W H '2 II2 [2(Tai, T )t(T., + Tair)]II2 pm Cp tTg,TJ .
(E 22)
- By s6bstituting sT = Tair . T.,
and Ta - T , i Qgosal- AwsYI3 +.2 WH3I2 g1/2 pay, Cp (2)ll2((sT)3/2 1(sT + 2 Twatt)l!2) (E 23) After performing a Binomial expansion on the term (AT + 2 Twall)1/2, Equadon (E 23) becomes:
. ~
0 - -4 Twan Ototal- Quoral sT+wa n itAw sT'!3 ,
+A,sTII3 + 4 (.2WH3f2g if2)C p, Tl!2 p watt AT3!2 (E 24) i i
i This transcendental etluation cannot be solved explicitly for AT, although a numerical soludon is po results of this numerical soludon for a wide range ofinput parameters, a correlation can be developed th the actual solution as follows: 4 I E. 9
uantaimsw - c O 0 - A 84T +Cd7*3 + D477/3 +EdT3/2 (E 25) By solving this equation for WHE we find thac WH312,((A + bat CW3 DaTII3 )/ (4 9 ,,C TII2 p 4 )(.2til2)aT3/2) (E46) Where for the temperanus ranges considered: Pave'l Cp.g Therefore equation (E.26) becomes: WH3/2 -[(A + bat Cal *3.DaT7/3 )/ (4TIl24){.2gII2)sT3/2] This equation can be solved for vanous values of Qw, Aw, and AT, Several graphs of the results were plotted in to obtain a factor for AT based on WH3/2 using a power series curve fit of the data. The data used to develop these graphs is presented in Table E 1. l i o E 10
. Table E 1 Data Used for Power Series Curve Fit enemme (IEWS as teabag De4.TA T (*8El
- ::: 1:
- ::: 1:
- :::: 1:
- ::: 1:
- ::: 1:
- :::: 1:
The factor (16.18(Fd oor)0.8653) was incorporated into Equation (E.13) to obtain: Tate -(Q ogat/I4l((Aw y3 /4 + 16J8(Fgoor)M3] + Twati + 4 gg.27) where l Fgoo,- H3/2y This m!ationship has been shown to have a correlation coefficient (r2) e_ qual to 0.99. Since most heat tra I correlations contain r factors between 0.9 and 1.0, this correlation is well within acceptable limits. To a uncertaitties within this correlation a plot of temperatures obtained using equnion (E 27) was compare equation (E.23) with a specified temperature difference. It was found that, in general, equation (E.27) temperatures from 3 -3.5 *C lower than predicted fmm this plot. To account for this uncertainty a correction factor of 4'C was added. This is the result used in Step 5 of Section 7.2.4. Note that this equation is a simplified form complete siesdy state solution. Heat transfer coefficients and thermal properties have been evaluated in MKS Therefore, this dimensionally inconsistent equation is valid only with the equation parameters in the foll E 11
qm n o Qt otal - Watts Twall = 'K or *C (units of Tair will result accordingly) Aw - square meters H = meters W = meters By tasdng the sensidvity of equadon (E 26) it was found that this correladon is valid for the following parameter ranges: . 24000W < Q < 100000W 0 *C < AT < 50 *C Plots for a sample case that illustrates the results of Equations (E.23) and the corrected form of Equadon (E.27) are shown below: Scanorgram of Fooor WH(1'2) vs DELTA TOP E23 2 8< e 20'
- O e t ... .
I n. . 20< e T E y 18 < o , 18< e E * ' 2 1 ** 3 12 < e e O i 1 e i i O to 20 30 40 so 60 To Faoor WH(3r2) 0 E. 12
? C SeeMeem of Peoer WHfW81 vs. oeLTA Taup e27 se< .
- a. .
l 24' e l : ... -
, n. .
g i.. i.
!7 "-
- i,. .
"o 16 ao so 4'o s A ri reeer wwwa)
E.3.2 RCIC Pump Room with No Openings To provide an upper bound for the potential temperature rise which may be expected during a station blackout event. Equation (E.13) is solved with the assumption thatj A is zero - effectively representing a closed compartment. The RCIC room chosen for analysis by Jacobus et. al. [1986] has been reevaluated for comparison. The geometry and initia conditions are specified in Table E.2, below. 1 Table E 2 RCIC Room Geometry and Initial Conditions Wall Height 7.5 m Surface Area $14 m2 Volume 892 m3 Steam Pipe dia. .2 m Steam Pipe length 15.4 m initial AirTemp. 40* C (104' F) Initial Wall Temp. 40' C (104' F) Pipe Temp. (uninsula:ed) 238' C (550' F) Pipe Temp. (insulated) 93* C (200' F) Pipe Emissivity 0.8 Electric energy dissipated 63 KW E 13
m m o If the steam pipes are insulated the temperature rise will be smaller, since less heat will be convected to the air and a relatively smaller heat aux will strike the wall surface. Dis case is considered more representative than the case wit uninsulated steam pipes. Assuming insulated steam pipes, the calculated temperamre rise Is about 37' C (67' F hours, and about 38' C (72* F) after 3 hours. Dis result compares to the 44' C temperature rise obtained after 8 h by Jacobus. E.3.3 RCIC Pump Room with a Compartment Opening NUMARC has determined that the effect of opening doors to promote natural circulation is determined t compartments from reaching excessive temperatures during station blackout conditions. A heat transfer term ac for convection of heat to outside air has been included into the energy balance. Calculations have been made assuming that a 2m by Im door is opened one. half hour into the station and that heat transfer is described by (E.ll). It is also assumed that the now of exidng hot air is matched incoming cool air from outside. Outside air is assumed to be constant at 40' C (104* F). For the case w pipes, a temperature rise of 23' C (50' F), (using equation (E.27) 31.5 *C or 56,3 'F ), was obtained peak temperamre of 165' F is predicted by simulation at the time the door is opened. If two 2m one half hour into the event, a temperature rise of 23'C (41'F), (using equation (E.27) 25.7'C or 46.3 ' obtained after four hours. In comparison, a temperature rise of 37' C (67* F) was obtained for the s door closed. Seitsitivity analyses were performed to measure the effect of changes in the heat transfer correla convection through open doors. The heat transfer coefficient was reduced by 25% to accoun uncertainty associated with empirical heat transfer correlations. l.ittle effect on temperature rises after observed - reducing the heat transfer coefficient by 25% resulted in an increase in tempera Centigrade for the two cases just discussed. In conclusion, opening doors will reduce the temperature rise during station blackout to a operability can be assured to a sufficiently high level of confidence. For the etsmple case, the ' after four hours into a station blxkout can be reduced from 171* F to 155' F if a door is opened o event. If two doors are opened, the estimated temperature can be reduced to 146' F. Furthermore rooms will cool rather quickly after doors are opened, and peak temperatures will exist for only a few min E - 14
N h !
)
E.4 Nomenclature p-density (Kg/m3) Cp- constant pressure specific heat (KJ/Kg 'K) V - volume (m3) T4 a temperature of the air inside of the room (*K) T.,- temperature of the air outside of the room (*K) Twall - temperature of the room walls (*K) ' g - acceleration due to gravity (m/s2)
- expansion coefficient (1/*K)
, at - diffusivity (m2/s) v kinematic viscosity (m2/s) .
Aw - area of the wall (m2) L-length (m) 1 - height of the wall (m) W - width (m) H - height of the opening (m) D - diameter (m) Fdoor- door facter(mS/2) Q -heat transfer rate (W) k - thermal conductivity (W/m*K) - 2 hp)d.hw = convective heat transfercoefficients (W/m 'K) Rad,Ral - Rayleigh number (dimensionless) P - pressure (bar) R - universal gu constant (0.08314 (m3 b ar/Kmol 'K)) 2 r -correlation coefficient I l l l 1 i ( E - 15
)
4e c APPENDIX F: ASSESSMENTS OF EQUIPMENT OPERABILIT IN DOMINANT AREAS UNDER STATION BLACKOUT CONDITIONS F.1 Introduction This appendix outlines a methodology for providing reasonable assurance of the operability of equipment used to cope with a station blackout in the dominant areas of concern. The approaches identified in this appendix are discussed conceptually with additional details being developed as indicated below. Station blackout is not a design basis accident, and, therefore, is not subject to the requirements of 10 CFR 550.49 and the rigorous certificadon process for equipment operability. However, since stadon blackout coping equipment needs operate in order to achieve safe shutdown, reasonable assurance shou!d be provided that no thermal induced failures will result due to loss of forced ventilation. Station blackout environments in the dominant areas of conc containment are expected to experience increases in air temperature. The resulting temperatures are expecte from slight to moderate increases in temperature,in most cases not exceeding 150' F. Most equipment is expected to operate in these stadon blackout environments with no loss of function for the sho duration expected. (i.e.,4 hours). The basis for this general conclusion can be traced to previous studies performed, as well as plant operaung experience. The appmaches discussed in this appendix provide accep ' reaching this conclusion on a plant specific basis, in particular, the approaches justify removing classe (e.g., relays, switches) from further consideration and focusing attention on those components of concern. Th approaches may be used individually, or in combination in reaching a conclusion that an acceptable basis l exis i equipment operability in a station blackout environment. i 1 i Six approaches may be used to establish equipment operability in a station blackout: (1) equipment previously evaluated; (2) equipment design capability; Q) materials; (4) equipment inside instrumentation and control cabinets; (5) generic studies and experience; or, (6) plant specific experience and tests. F1
y -o o F.2 Equipment Previously Evaluated Equipment that is similar to equipment already qualifted under 10 CFR 550.49 need not be further evaluated if tlie stadon blackout environments do not exceed the qualificadon temperatures. F.3 Equipment Design Capability Equipment vendors generally provide a design temperature associated with the continuous operadon of their equipment. A margin may exist above design temperature which varies according to equipment class (e.g., smaller margins foi electronic equipment relative to electromechanical devices) and the expected operating conditions (e.g., temperature levels, dme at these elevated temperatures, duty cycle, etc.). For the stadon blackout coping duradon, equipment design and operational requirements should be reviewed in terms of the Condidons I,2, and 3 denned in Section 2.7 of this report. Reasonable assurance for equipment operability may be dete mined if the design temperature plus the margin fu the equipment or component class has been evaluated against the temperatures and consideradons in Conditions 1,2. and 3. Identincation of expected margins for various equipment or component classes is under development. Reasonable assurance for equipment operability is provided ifit is shown that the design temperature plus the expe margin for the equipment or component class does not exceed the bulk air temperature expected in a 4. hour station blackout. F.4 Materials - ne primary consideration for equipment operability in a stadon blackout is the potential for thermal. induced failure. Most materials used in plant equipment and components are not subject to physical or chemical changes in t temperatures expected to result in a station blackout. Materials or combinations of materials that are susceptible to 'signincant changes in these ranges will be identined and used to screen components that are potentially sensl station blackout conditions. Reasonable assurance for equipment operability is provided if it is shown that the station blackout copi does not contain materials that are susceptible to signincant physical or chemical changes in a station blacko l F2
g wtausuw c environment. . F.5 Equipment Inside Instrumentation and Control Cabinets Components located inside instrumentation and control cabinets are normally exposed to the heat generated by electrical power supplies. Most cabinets are not equipped with forced ventilation, relying, instead, on natural convection through louvers in the cabinet. Guidelines direct operators to open doors for cabinetsc 'ontaining energized equipment relied upon
*c cope with a station blackout within 30 minutes in order to provide more extensive mixing with the general area. 'Ihis action is expected to reduce the potential for building up higher air temperatures in the immediate vicinity of electrical and electronic equipment and components.
Reasonable assurance for equipment operability is provided ifit is shown that the station blackout coping equipment and components inside instrumentation and control cabinets with open doors will not be exposed to a thermal environment that exceeds normal operating conditions with the doors closed. F.6 Generic Studies and Experience l The current state of knowledge concerning equipment operability in elevated thermal environments provides a substantial basis for concluding that plant equipment can properly function in thermal environmenu above design conditions. Three recent studies support the conclusion that plant equipment can operate under loss of forced ventilation for periods longer than a four hour station blackouc ' (1) Letter Report on Equipment Operability During Station Blackout Events, M. J., Jacobut, V. F. Nicolette , and A. C. Payne, Sandia National Laboratories, (1986); and (2) Effects of Ambient Temperature on Electronic Components in Safery Related lastrumentation and Control Syrtems, M. Chiramal, AEOD/C604, United States Nuclear Regulatory Commission, (1986). The Jacobus report also found that certain c!ssses of equipment will not be affected when exposed to temperatur 1 150' F for eight hours or longer. The McGuire report concluded that an actual loss of ventilation event of a duration longer than four hours did not adversely affect the performance of equipment needed for safe shutdown. These studies can be used to support conclusions of equipment operability under elevated temperature conditions F. 3
v m D esdmated for the stadon blackout coping duradon. If the site specific app!! cation is not covered by the above data bue or other generic studies, then other sources of data sach as Licensee Event Reports (LERs), or the Nuclear Plant Reliability Data System (NPR DS) can be used to support conclusions of equipment operability ander elevated temperature condidons esdmated for the stadon blackout copit:f durstion. F.7 Plant Specific Experience and Tests Some plants have actua!!y experienced the effects of loss of ventilation or have studied the issue for specific applications. For such cues, reuenable usurance for equipment operability is provided if no failures of equipme).. needed to cope with a station blackout resulted from exposing the equipment to temperatures expected from a four hour station blackout during tests or operational events. 0 4 F4
s ; - g
~
APPENDIX G. REFERENCES ASHRAE (1985), ASHRAE #andbook, American Society of Headng, Rettigeradng, and Air Condidoning Engineet, ^ Inc., New York NY (1985). ASHVE (1950), ASHVE # eating Ventilating Airconditionint Guide American Society of Headng Ventilating Engineenng. New York NY (1950).
- B ARANOWSKY, P.W. [1985), Evaluation of Station Blackout Accidents at Nuclear Power Plants, NUREG 1032.
Office of Nuclear Regulatory Rescatch, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC (1985). B ATTLE, R. (1985], Collection and Evaluation of Complete and Partial Usses of Of Site Power at Nuclear Power . Plants, NUREG/CR 3992, ORNUIN.9384. Oak Ridge Nadonal Laboratory, Oak Ridge, TN (1985). BROWN, W. G., AND SOLVASON, K. R. (1962], Natural Convection Throunh Reetaneular Oceninos in Partinent j Part I - Vertical Partitiont Int. J. Heat and Mass Transfer, V. 5, September 1962,-pp. 859-868. CHIRAMAL, M. (1986), Efects of Ambient Temperature on Electronic Components in Safety Related . lastrumentation Instrumentation and Control Systems. AEODIC604, United States Nuclear Regulatory . Commission, (Decembet,1986). COOK, D. H. (1981], Station Blackout at Browns Ferry Unit One Accident Sequence Analysis, hyREGICR.21SL Oak Ridge National Laboratory,(November 1981). EICHNA, L. W. (1945), The Ueeer Limits of Environments! Mest and Mumidity Tolersted bv Acetimstired Men. Workine in Het Environments. The Journal of industrial Hygiene and Technology, V. 27, (March 1945). FLETCHER, C. D. [1981], A Revised Summary of PWR Loss of Of-site Power Calculations. EGG CAAD 5553. : EG&G Idaho, (September 1981). G1
v - HASKIN, P. E. (1981), Analysis of a Hypothetical Core hieltdown Accident laidated by Loss of Of siteFowerfor the ; Zion.1 PWR, NUREG/CR 1988, Sandia National Laboratories, Albuquerque, NM (1981). HODGE, S. A. et sl. (1981), Station Blackout at Browns Ferry Unit One . Accident Sequence Analysis. NUREG/CR 2181 ORNI./NUREG/TM.455, Oak Ricge Natianal Laboratory, Oak Ridge, TN (1981). HUMPHREYS, C. M. AND IMALIS, O. (1946), Physioloalcal Resnonte of Subieets Eteosed to Minh 3((gstjw Temeertrures 2nd Elevated Mesn Rsdisn Temeerstures. ASHVE Transacdons, V 52,(1946). l IEEE.STD-450-1987 (1987), Recommended Practicefor Sfaintenance, Testing, and Replacement of Large Stationar.: Type Power Plant and Substation Lead Storage Batteries. The institute of Electrical and Electronic Engineers, New York, NY (1983). EEEE.STD-48$.1983 (1983), Recommended Practicefor Sizing Large Lead Storage Batteriesfor Generating Stations and Substations. The Institute of Electrical and Electronic Engineen, New York, NY (1983). INCR PERA, F. R. AND DEWITT, D. P. (1981), fundamentals of Heat Transfer. John Wiley and Sons, New York.
? N (1981).
JACOBUS, M. J., NICOLETTE, V. F., AND PAYNE, A. C., (1986), Letter Report on Equipment Operability During Station Blackout Events Sandia National Laboratories (1986). KOLACEKOWSK1, A.M., AND PAYNE, A.C. (1983), Station Blackout Accident Analyses (Part ofNRC Task Action Plan A 44), NUREG/CR.3226. Office of Nue:! ear Regulatory Research, Office of Nuclear Reactor ; Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 4983). l NRC (1986), Draft Regulatory Guide. Stados Blackout. Task SI 501-4,31 Fed Ren. I1494,(March 1986). NWS (1987), National Hurricane Operation Plan Book. FCPM 12, National Weather Setvice, Washingt (May 1987). RUBIN A. (1986), Regulatory Analysis for the Resolution of Unresolved Safety issue A-44. Station Blackout. NUREG 1109, Office of Nuclear Reacer Regulation, U.S. Nuclear Regulatory Commission, Washing (19861. G-2
(bUIDEIRES AND TECHNICAL BASES F0R NUMARCINITIATIVES E NUMARC.8700 d SD,fTU, E. and SCANLAN, R. H. (1986), Wind Effects on Structures,2d Edition, Wiley interscience, New York, NY (1986). WYCKOFF, H. (1986], The Reliability of Emergency Diesel Generators at U.S. Nuclear Power Plants NSAC 108. Electric Power Research Instituts, (September 1986). WOG (1986), Reactor Coolant Pump Performance following a Loss of AC Power, WCAP.10541, Revision T Westinghouse Owners Group, (December 10,1986). I t I I i 1 i i l i 1 l i 4 i G 3
. _ _ _ _ _ _ . _ _ . _ __ _ _ . _ ._,}}