ML20210S402
| ML20210S402 | |
| Person / Time | |
|---|---|
| Site: | Seabrook  |
| Issue date: | 03/31/1986 |
| From: | PUBLIC SERVICE CO. OF NEW HAMPSHIRE |
| To: | |
| Shared Package | |
| ML20210S398 | List: |
| References | |
| NUDOCS 8605210289 | |
| Download: ML20210S402 (18) | |
Text
-
RESPONSE TO NRC/LLNL REVIEW OF SEABROOK STATION PROBABILISTIC SAFETY ASSESSMENT March 1986 Prepared by: New Hampshire Yankee (NHY)
Yankee Atomic Electric Company (YAEC)
Pickard, Lowe and Carrick, Inc. (PLG)
NTS Structural Mechanics Associates, Inc. (SMA) 8605210289 860517 PDR ADOCK 05000443 A PDR
1 TABLE OF CONTENTS P, age,
1.0 INTRODUCTION
...................................................... 1 2.0
SUMMARY
RESPONSE.................................................. 3 3.0 RESPONSE TO STAFF
SUMMARY
REVIEW.................................. 9
4.0 REFERENCES
........................................................ 16 APPENDIX A: Response'to LLNL Draft Report 9
l l
1.0 INTRODUCTION
A full-scope, Level III PSA for Seabrook Station Units 1 and 2 began in l March 1982. This PSA was undertaken by the applicant as the first step of a risk management program to assess the public risks from postulated reactor accidents taking fully into account risk-sensitive factors unique to Seabrook Station and the site. As acknowledged by the NRC (Reference 8), the PSA was not a regulatory requirement to obtain a license. This PSA project culminated in the production of a comprehensive report, entitled, "The Seabrook Station Probabilistic Safety Assessment" (SSPSA) (Reference 1). The SSPSA was completed in December 1983 and submitted to the NRC for its information early in 1984. Also submitted to the NRC were technical and nontechnical summaries of the SSPSA findings (References 2 and 3).
The SSPSA was performed by Pickard, Lowe and Garrick, Inc. (PLG), and supported by several sub-contractors who performed supporting analyses in specialized areas. Prior to completion of the final draft report in December 1983, there were two full review cycles. These reviews were an integral part of comprehensive quality assurance procedures that were followed in the SSPSA (Reference 5). In addition to the man-years of effort expended by PLG and others to perform the SSPSA, Public Service Company of New Hampshire (PSNH),
and Yankee Atomic Electric Company (YAEC) performed critical reviews, verified assumptions regarding design and operational characteristics. The PSNH and YAEC effort included appropriate representation of design, engineering, operations, training, and management organizations.
In June 1984, NRC contracted with Lawrence Livermore National Laboratory (LLNL) to perform a review of the SSPSA. At the time, PSNH was focusing their efforts toward the solution of finar.cial problems associated with the construction of Seabrook Station. During this period, there were no financial resources and minimal manpower resources to devote to risk management programs and to support a NRC review of the SSPSA. At an early phase of the LLNL review, a list of questions was informally given to PSNH by haC on August 27, 1984 during a site visit to support the review effort.
While the NRC was officially notified by PSNH that it did not plan to extend its contract with PLC to support the review effort, PSNH did support the review by hosting a 3-day plant visit, providing a simulator demonstration.
supplying plant documentation and SSPSA supporting documentation (Reference 6), and supplying written answers to LLNL review questions (Reference 7). A copy of these answers was also given to the NRC in January 1985.
By way of its letter, dated April 4, 1985 (Reference 8), the NRC issued the draft LLNL report as well as a NRC staff summary report. These documents, however, do not appear to reflect or refer to the information and answers provided during and subsequent to the site visit as described above.
Since the issuance of the April 4, 1985, NRC letter, financial and
-manpower resource constraints have been resolved sufficiently to allow the risk management program to continue. As provided in Reference 4, this program has continued along several paths including its use to improve Technical Specifications.
As a result of our commitment to continue the risk management program, we believed it necessary to review the draft LLNL report and the accompanying NRC staff summary report and respond to the comments, questions, and issues raised in these documents. The enclosed report should be considered before the NRC reaches any conclusion regarding the accuracy or usefullness of the SSPSA, its models, results, and documentation.
A summary of our overall response is provided in Section 2. In Section 3, a response is made to the specific points raised in the NRC staff summary report. A full response to the LLNL report is provided in Appendix A. There is a direct numerical correlation between Appendix A section numbe'rs and the LLNL report except that an "A" precedes our Appendix A section numbers. This facilitates easy reference to the corresponding sections of the LLNL report.
i
- 9 J
2.0 SUtelARY RESPONSE Section 3 and Appendix A provide a point-by-point response for each identifiable technical comment in the two documents that describe the review effort: the NRC staff summary report and the LLNL report. The purpose of this section is to summarize our overall response to the review comments.
l Based on discussions with the NRC, we recognize that the SSPSA is viewed by the NRC as a good study, and that no technically significant criticisms have been found from the review. In view of the responses provided, our belief that the=SSPSA represents a significant advancement in I the state-of-the-art in PRA (including its documentation) has not been diminished, and, in fact, it has been strengthened.
Since the LLNL report is a draft report and because the lack of support from the report authors and principal investigators most likely created difficulties in reviewing and understanding the SSPSA, we intend to address some of the more fundamental issues raised in the report. It should be noted that the following is only intended by us to enhance further reviews of the l 'SSPSA and to supply clarifications for better understanding of the SSPSA and its methodology.
The SSPSA is a fully integrated, Level III PSA. TF # teport was never
, designed to be reviewed in fragments or reviewed as ILsugh it were a Level I PSA. In addition, individual sections of the report were never intenced to be reviewed as though they were separate, stand-alone documents. In fact, the way in which the SSPSA risk model was designed - as a fully integrated risk l model - is not really amenable to a-review that is artificially divided into
" internal" and " external" event portions. The division of a PRA into internal and external events analyses is an artifact of how PSAs were done in the past; i.e., they only considered the so-called internal events at first, and, subsequently, separate nonintegrated analyses of certain so-called external events were tacked on to enhance completeness.
The SSPSA, by contrast, consists of more fully integrated analyses of j accident sequences whose so-called internal'and external causes were Incorporated in a fully integrated fashion. A single set of event trees was
- 1
-. . . . _ _ . - , - , . . -_.,-.-_,......_,---...m -
_ _ _ . , _ - , . , _ . - . _ , . , . - .- ---,--..,_-..e
l.
used to analyze risk contributions from internal events, internal plant hazards and spatial interactions, and external initiating events. To fully understand the analysis of any event, it is necessary to follow the analysis through the plant model. Take, for example,.the Cable Spreading Room fire (Fire Scenario 2) that, in SSPSA Table 9.4-1 of Reference 1, is identified as leading to failure of both trains of the primary component cooling system. In SSPSA Table 5.4-1 and subsequent tables (Reference 1), it is clearly shown that this and other common cause initiating event scenarios were analyzed through a common set of auxiliary and main level event trees with appropriate conditional probability-input data to account for the damage done by the fire.
The reviewers also used the approach of comparing a method, result, or assumption made in the SSPSA to "other PSAs" or to " previous analyses" as the basis for judgments with regard to reasonableness, accuracy, acceptability, or degree of conservatism. While comparisons with other PSAs are an accepted and valid line of inquiry in a review, there are several reasons why such comparisons, in and of themselves, often provide misleading or wrong review conclusions. First of all, there is so much diversity in methods,
. assumptions, objectives, data and scope among published PSAs that it is nearly impossible to define a consensus or generally accepted yardstick for any item in a PSA using this approach. Second, even when analytical differences among PSAs are isolated, the tremendous degree of plant-to-plant variability in risk levels and risk-sensitive factors precludes the use of other PSAs as the sole yardstick to judge the reasonableness of a given PSA result. We do agree, however, that such comparisons can lead to valid review conclusions if they are supported by a careful review of the evidence presented in each case to support the differing analyses.
Some comments by the reviewers appear to question the acceptability of using PLG's unique methodology, the modularized event tree approach, over the fault tree-based methodology that has been used in past PSAs sponsored by the NRC. We believe that this was probably attributable to a lack of understanding of PLG's methodology, resulting from the inability of the reviewers to talk to the report authors. In addressing this issue, the closest thing to an objective evaluation of these differing methodologies we found was the PRA Procedure Guide (Reference 9). Both methodologies are covered in this guide and the comprehensive peer review associated with the l
production of this guide did not identify any inherent limitations or weaknesses of either approach that did not have a comparable counterpart in the other. Further, we hava convinced ourselves that the two methodologies are fundamentally equivalent, but differ in style, format, and practical implementation. We would also note that, to the best of our knowledge, a complete treatment of dependent events using an integrated model has only been completed thus far using the event tree-based methodology. However, we see no fundamental reason why the same scope cannot be handled using fault trees.
In summary, we have carefully considered the comments, questions, and remarks made in the LLNL and NRC staff summary reports. In view of the responses provided, we have concluded that the SSPSA utilized a PRA methodology that advanced the state-of-the-art in several key areas and represents a commendable first step in our ongoing risk management program.
We agree with Professor Rasmussen that it was the best documented PSA published to date.
We also agree with the Staff's conclusion that the SSPSA and its review did not identify any safety issues which merit immediate action. In addition, those technical comments which point to conservatisms and limitations in the current state-of-the-art in PSA are being considered in our ongoing risk management activities.
3.0 RESPONSE TO STAFF
SUMMARY
REVIEW We recognize the staff summary review is a direct result of the LLNL draft report and the staff did not apparently have the benefit of our prior responses to LLNL's questions. Our responses in this section focus on specific statements that seem inaccurate to us with references to specific responses in the LLNL repor t. Seventeen comments from the staff summary report (with the page number) are summarized below with our responses:
Comment 1 (Page 2)
Several modeling errors were found that indicate an incomplete or different understanding of interactions between plant systems or human beings (operators) and plant systems.
Response 1 There were some minor typos and errors identified, but nothing that significantly affects the results. Mostly, the LLNL review identified conservatisms. These will be considered during future risk management activities. It is clear after reviewing the LLNL report that we and our consultant have a correct and complete understanding of the Seabrook Station design, the modeling methodology, and interactions between systems. See A1.0 and responses in A1.1 and A1.2 and the rest of Appendix A.
Comment 2 (Page 3) .
Collapsing sequences and presenting results.
Response 2 We disagree with the grouping done by NRC and LLNL. A much more complete picture on risk contributors is presented in SSpSA Section 13.
_A.
)
Comment 3 (Page 5)
There is also a concern that the requirement to have each event on an event tree independent of the others has resulted in large and very complex trees which are difficult to follow and analyze. In addition, the large number of sequences, on the order of 100 times as many as in previous PSAs, effectively fragmented many accident scenarios which could be simply described as single sequences into a large number of sequences, so that the usefulness of the event tree sequences as a means to obtain engineering insights was lost.
Response 3 This comment gives us serious concerns because it was a conscious decision to model in detail and display important dependencies. Dependencies significantly impact the results of a PSA and should be explicitly modeled where practical. This enhanced visibility of dependencies is crucial to obtaining correct insights and can be seen from reviewing SSPSA Section 13.
Our personal preference is the detailed approach from which the real, practical insights can be derived.
In the PLG methodology, the full set of linked, modularized event trees and the system models for each node of those trees is comparable to the full set of linked fault trees used in the alternative approach to PSA. Both of these types of models are complex and difficult to review. In our opinion, PLC has done a better job in being able to modularize the plant model so that individual event tree modules can be reviewed separately. To aid in the presentation of this plant model, the SSPSA includes Event Sequence Diagrams (ESDs) which incorporate the physical plant response characteristics used to develop the event trees. The ESDs are relatively easy to review and have been reviewed by the plant operators as well as PSNH and YAEC engineering organizations. In the PLG approach, the event trees are a computational tool and are generated by computers from the ESDs.
The number of sequences was large in the SSPSA because of the more complete treatment of dependent events, and a more accurate representation of how the plant really works in comparison with most previous PSAs. However, it is not necessary for reviewers to trace all these sequences in the same
~7-
)
respect that it should not be necessary to review all the billions of cut sets in a linked fault tree PRA model. It should only be necessary to review the important sequences, and the several hundred important sequences have been appropriately summarized in SSPSA Section 13.
We believe that the presentations of sequences in SSPSA Sections 2 and 13.2 are less fragmented than normally found in PSAs. The SSPSA sequences are defined in terms of initiating events and subsystem states. By contrast, the usual approach is to present sequences in terms of initiating events and component minimal cut sets. We find the PLG approach to be less fragmer.ted and more supportive of engineering insights. But, in the development of these insights, it must be recognized that the event sequences are structured differently than in a conventional fault tree based model.
PLG carefully and deliberately chose the modularized event tree approach based on their experience in doing full scope Level III PRAs. An objective evaluation of these differing methodologies was the PRA Procedures Guide (Reference 9). Both methodologies are covered in this guide and the comprehensive peer review did not identify any inherent limitations or weaknesses of either approach that did not have a comparable counterpart in the other. We have also convinced ourselves that the two methodologies are fundamentally equivalent, but differ in style, format, and practical implementation. We also note that, to the best of our knowledge, a complete treatment of dependent events using an integrated model has only been completed thus far using the event tree based methodology. However, we see no fundamental reason why the same scope cannot be handled using fault trees.
Specific concerns raised by the reviewers, as linked to the methodology, are responded to on a case-by-case basis in Appendix A. See responses to 1.1-1, 3.0-1, 3.2-1, and other responses in Appendix A.
Comment 4 (Page 6)
Reactor coolant pump seal leakage model in SSPSA is compared to previous studies.
l Response 4 As stated in response to 3.2-38 in Appendix A, we do not consider previous simple analyses (possibly very conservative) performed on another plant and reviewed by LLNL to be adequate justification for concluding the SSPSA analysis is not reasonable. Also cee responses to 3.2-38, 3.2-39, 3.5-24, and 3.9-11 in Appendix A.
Comment 5 (Pane 7)
The concern is with the nonisolable break frequency assumed in the SSPSA Which is lower than those found in various other PSAs and PSA reviews.
Response 5 As discussed in the response to 3.1-5 in Appendix A, the reviewer did not understand how isolable and nonisolable LOCA were quantified. Upon careful consideration of this comment, we find the treatment of isolable LOCAs in the SSPSA to be correct.
Conumnt 6 (Pane 8)
Component cooling water failure is somewhat lower than those determined for other PRAs for similar plants (e.g. , Zion, Indian Point). It has not yet been determined whether the particular configuration of the CCW System at Seabrook has design features which would explain this difference, one aspect i
of the PSA worth noting is that while the study considers a total loss of the CCW System as an initiating event, it does not consider loss of a single train.
1 Response 6 The comment refers to the estimation of the loss of component cooling water initiating event. Significant differences between Seabrook Indian Point, and Zion, insofar as this system is concerned, explain part of the difference; the differences in approach to estimations of initiating event frequencies caused by support system failures probably explain the major part i of the differences noted. In Zion and Indian Point, this initiator was l.
_g_
1
- . - . , . - - - . .- . . . . ~ - . . . . . . - . - . .
l estimated based on generic and plant specific data which included generic and plant specific operating experience with no instances of total loss of component cooling. When frequencies are estimated based on no reported events, the resulting frequencies are driven by the size of the sample or amount of operating experience utilized in the analysis. Also, when using generic data, plant specific features are ignored. In the SSPSA, an enhanced approach was used based on a calculation from the system's models. We believe this approach is more realistic and adequately accounts for specific and unique factors.
We disagree with the statement that a loss of a single train of PCC was not considered. As provided in SSPSA Section 5.2, this event and many other support system failure modes were very carefully considered and qualitatively analyzed. The reviewers failed to mention that the result of this qualitative evaluation was the quantification of a larger number of initiating events, 58, than has previously been analyzed before. The loss of a single train of PCC is much less frequent than a similar event that was fully quantified; namely, a high frequency transient event followed by unavailability of a single train of PCC. The risk contribution from these sequences fully dominates those from the loss of a single PCC train initiator. Furthermore, it was understood that loss of a single train of PCC would not cause a plant trip, and therefore, does not constitute an initiating event. See responses to 3.1-4 and 8 in Appendix A.
Comment 7 (Page 9)
Using the new ATWS rule to provide guidance and information, some problems with the ATWS event tree were identified, in areas such as operator l recovery and credit for bleed and feed.
Response 7 f
i The ATWS event trees were developed in great detail to try to model how
- the plant and operators would actually behave and not the guidance of a new ATWS rule. The treatment of ATWS in the SSPSA was coasistent with the I
experienced events at Salem in 1983. See responses to 3.2-29 through 37 in Appendix A.
Comment 8 (Page 9)
The PSA gives credit to the possibility of operator action to effect manual reactor scram following automatic scram failure. This action, however, is not modeled explicitly on the tree; it is applied directly to the failure of RPS leading to ATWS. It is valid to consider this type of recovery, but an action of this import should have been included explicitly on the tree. It is also important to note that this recovery action can only be applied to electrical failures of the RPS, so that RPS failures should have been divided into electrical and mechanical failures as stated in the ATWS rule.
Response 3 As stated in response to 3.2-30 in Appendix A, the model is correct.
It is not necessary to model the operator action explicitly in the event tree. Also, the SSPSA analyses took advantage of the fact that mechanical failures make an insignificant contribution to the SSPS analyses (breakers dominate).
Comment 9 (Page 9)
The assumption that it is necessary for the operator to shut down the reactor after the initial phase of the ATWS is reasonable and consistent with the ATWS rule. However the Seabrook PSA assumes that this action must be taken within ten minutes, which appears to be conservative, etc.
Response 9 As stated in response to 3.2-35 in Appendix A, this assumption is probably conservative for most transient initiators. However, the ten-minute recovery window was directly supported by analyses provided in SSPSA Section 5.3 for the total loss of main feedwater initiator.
Comment 10 (Pane 10)
The PSA also assumed that it is possible to mitigate an ATWS by using-bleed-and-feed with HPI alone if emergency feedwater fails, etc.
Response 10 As stated in response to 3.2-37 in Appendix A, emergency boration is always required for success with bleed-and-feed and the analyses is based on the Westinghouse Emergency Response. Guides.
Conument 11 (Page 11)
Functional success criteria not clearly stated in many cases, include both conservative and optimistic examples and, in general, appeared to be inadequately documented.
Response 11 As stated in response to 3.3-1 in Appendix A, the success criteria are provided in the systems analyses (SSPSA Appendix D) and event sequence analyses (SSPSA Section 5.3). Also, some success criteria are based on FSAR and Westinghouse Emergency Response Guides both of which are familiar to NRC.
Conservative criteria were used when they did not unduly affect the results and when the development of more realistic criteria was judged not to be cost effective.
Comment 12 (Page 12)
- The treatment of common cause data was of some concern because of the exclusion of passive components and the use of very low beta factors (i.e.,
factors to account for common cause failures) for some components although no instance was identified that would significantly change the results.
l l
i I
Response 12 a
As stated in responses to 1.1-3 and 3.10-8 in Appendix A, the treatment of common cause is more complete than for any PSA we have seen. It is usually unnecessary to model passive failures due to their lower frequency of failure, and the SSPSA beta factors are based on data and are consistent with other beta factors derived from data.
Comment 13 (Page 12)
'It is important to note that sequences initiated by the tarious external events (not including LOOP) were not significant contributors and that only fire-initiated sequences appeared in the top 22 sequences. This is not entirely consistent with other PSA findings (such as those for Zion, Indian Point, and Millstone 3).
Response 13 No attempt was made to generate results consistent with other studies.
Upon inspection of the dominant core melt sequences in SSPSA Table 3.2-12 (all
-6 sequences greater than 10 / year), we find the following external events and internal plant hazards do appear: fires, earthquakes, floods, and truck crashes. In addition, the reviewers have apparently not distinguished between relative and absolute risk contributors. Even when comparisons are made consistently, there will be plant and site specific factors responsible for many of these differences. The reviewers did not provide any clues as to which of these causes is responsible for what portion of the difference.
Comment 14 (Page 12)
The methodologies used in the detailed assessments are generally reasonable and consistent with the state-of-the-art; however, there were notable disagreements in several areas.
N
. ~3 Response 14 We recommend that NRC explicitly identify important disagreements that are not explained in the LLNL report so that we may address these further.
Based on our review of the LLNL report, we could not identify significant differences, and most of the minor differene,es we believe are due to LLNL's unfamiliarity with Seabrook Station and the PRA methodology that was used.
Comment 15 (Page 13)
The methodology used in the evaluation of the frequency of the seismic hazard at Seabrook is consistent with the state-of-the-art of commercial PSAs. However, there is disagreement with numerous applications of the methodology in the PSA. ,
1 >
Rasponse 15
.These disagreements are insignificant, many seem to be incorrect opinions, some arguments are technically flawed, and the conclusions are overstated. See responses to 1.2-1 and 2 in Appendix A, and responses in A4.0 and A4.1.
(
s Comment 16 (Page 14)
Based on a preliminary review of the results of the PSA, the mean frequency of core melt value of 2.89E-5 per year appears to be high relative to the optimistic hazard curves used in the analysis. Seismic capacities for equipment in SSPSA appear low.
Response 16 This opinion about optimistic hazard curves is only one isolated opinion that may be considered conservative by most experts. We agree that seismic capacities are conservative. See responses to 1.2-2 and 3 in Appendix A, and A4.1.3.
Conument 17 (Page 15)
There is a concern, however, about the manner in which the fire-induced initiating events are processed through the plant matrix. It appears that these initiating events, which already include component or system failures, are being incorrectly combined with auxiliary and front-line event trees that have not explicitly considered these same failures. This concern has yet to be verified and evaluated.
Response 17 As stated in responses to 1.2-4 and 4.2-1 in Appendix A, fire-induced initiating events were properly processed through the plant model. Also see Section 2.0 of this main report.
O O
5.0 REFERENCES
- 1. Pickard, Lowe and Garrick, Inc., "Seabrook Station Probabilistic Safety Assessment," prepared for Public Service Company of New Hampshire and Yankee Atomic Electric Company, PLG-0300, December 1983.
- 2. Pickard, Lowe and Garrick, Inc., "Seabrook Station Probabilistic Safety Assessment: Technical Summary Report," prepared for Public Service Company of New Hampshire and Yankee Atomic Electric Company, PLG-0365 June 1984.
- 3. Pickard, Lowe and Garrick Inc., "Seabrook Station Probabilistic Safety Assessment: Summary Report," prepared for Public Service Company of New Hampshire and Yankee Atomic Electric Company, December 1983.
- 4. Fleming, K. N., J. H. Moody and K. L. Kiper, "The Seabrook PRA Viewed from Three Perspectives," presented at the International ANS/ ENS Topical Meeting on Probabilistic Safety Methods and Applications, San Francisco, California February 24-28, 1985.
- 5. Pickard, Lowe and Garrick, Inc., " Quality Assurance Manual," PLG-0223, July 11, 1983.
- 6. PSNH Letter (SBN-721), dated October 17, 1984, "Seabrook Station Probabilistic Safety Assessment (SSPSA)," and PSNH Letter (SSP-840718),
dated October 24, 1984 to LLNL.
- 7. PSNH Letter (SSP-850065), dated January 23, 1985 to LLNL.
- 8. USilRC Letter, dated April 4, 1985, "Seabrook PSA Review," G. W. Knighton to R. J. Harrison.
- 9. American Nuclear Society and Institute of Electrical and Electronic Engineers, "PRA Procedures Guide; A Guide to the Performance of Probabilictic Risk Assessments for Nuclear Power Plants," sponsored by the U.S. Nuclear Regulatory Commission and the Electric Power Research Institute, NUREG/CR-2300, April 1983.
- 10. Norman C. Rasmussen, Letter to Frank R. Hubbard, December 14, 1983.
f I
i I
i i
t