ML20211L953
ML20211L953 | |
Person / Time | |
---|---|
Site: | Millstone |
Issue date: | 06/30/1986 |
From: | Barrett R, Buslik A, Kelly G Office of Nuclear Reactor Regulation |
To: | |
References | |
NUREG-1152, NUDOCS 8607020205 | |
Download: ML20211L953 (128) | |
Text
NUREG-1152 Millstone 3 Risk Evaluation Report An Overall Review and Evaluation of the Millstone Unit 3 Probabilistic Safety Study U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation G. Kelly, R. Barrett, A. Buslik
NOTICE
Availability of Reference Materials Cited in NRC Publications
Most documents cited in NRC publications will be available from one of the following sources:
- 1. The NRC Public Document Room, 1717 H Street, N.W., Washington, DC 20555
- 2. The Superintendent of Documents, U.S. Government Printing Office, Post Office Box 37082, Washington, DC 20013-7082
- 3. The National Technical Information Service, Springfield, VA 22161
Although the listing that follows represents the majority of documents cited in NRC publications, it is not intended to be exhaustive.
Referenced documents available for inspection and copying for a fee from the NRC Public Document Room include NRC correspondence and internal NRC memoranda; NRC Office of Inspection and Enforcement bulletins, circulars, information notices, inspection and investigation notices; Licensee Event Reports; vendor reports and correspondence; Commission papers; and applicant and licensee documents and correspondence.
The following documents in the NUREG series are available for purchase from the GPO Sales Program: formal NRC staff and contractor reports, NRC sponsored conference proceedings, and NRC booklets and brochures. Also available are Regulatory Guides, NRC regulations in the Code of Federal Regulations, and Nuclear Regulatory Commission Issuances.
Documents available from the National Technical Information Service include NUREG series reports and technical reports prepared by other federal agencies and reports prepared by the Atomic Energy Commission, forerunner agency to the Nuclear Regulatory Commission.
Documents available from public and special technical libraries include all open literature items, such as books, journal and periodical articles, and transactions. Federal Register notices, federal and state legislation, and congressional reports can usually be obtained from these libraries.
Documents such as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings are available for purchase from the organization sponsoring the publication cited.
Single copies of NRC draft reports are available free, to the extent of supply, upon written request to the Division of Technical Information and Document Control, U.S. Nuclear Regulatory Commission, Washington, DC 20555.
Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at the NRC Library, 7920 Norfolk Avenue, Bethesda, Maryland, and are available there for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from the American National Standards Institute, 1430 Broadway, New York, NY 10018.
NUREG-1152
Millstone 3 Risk Evaluation Report
An Overall Review and Evaluation of the Millstone Unit 3 Probabilistic Safety Study
Manuscript Completed: August 1985
Date Published: June 1986
G. Kelly, R. Barrett, A. Buslik
Division of Safety Review and Oversight
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555
ABSTRACT
In 1981, the U.S. Nuclear Regulatory Commission (NRC) requested Northeast Utilities to perform a design-specific probabilistic safety study (PSS) for Millstone Nuclear Power Station, Unit No. 3 (Millstone 3). In 1983, Northeast Utilities submitted the Millstone 3 Probabilistic Safety Study for review by the NRC staff. The NRC staff prepared the Millstone 3 Risk Evaluation Report, which discusses the findings regarding the PSS. The PSS estimates that the mean annual core damage frequency due to internal and external events is 5x10^-5 and 2x10^-5, respectively. The NRC staff's Risk Evaluation Report estimates that the mean annual core damage frequency is about 2x10^-4 for internal events and lies between 1x10^-5 and 2x10^-4 for external events. The NRC staff estimates that station blackout dominates internal and external event core damage frequencies. The staff recommends that Northeast Utilities perform an engineering analysis on upgrading the diesel generator lube oil cooler anchorage system and on adding a manually operated, AC-independent containment spray system. The staff also recommends that Northeast Utilities prepare two emergency procedures (loss of room cooling and relay chatter due to an earthquake) to help reduce uncertainties.
(Subsequent to the completion of this document, Northeast Utilities and the NRC staff have continued a dialogue regarding station blackout from events other than earthquakes. Both Northeast Utilities and the staff have performed additional evaluations, which have drawn their results closer together. Final requirements, if any, for the prevention or mitigation of station blackout from events other than earthquakes have not yet been determined.)
TABLE OF CONTENTS
ABSTRACT
ACKNOWLEDGMENTS
ACRONYMS AND INITIALISMS
EXECUTIVE SUMMARY
1 INTRODUCTION
1.1 Site and Plant Description
1.2 History of the Millstone 3 Probabilistic Safety Study
1.3 Conduct of the Probabilistic Safety Study Review
1.4 Uses of the Millstone 3 Probabilistic Safety Study
1.5 Conclusions
2 OVERALL REVIEW RESULTS
2.1 Accident Sequence Analysis
2.1.1 Important Contributors to Core Damage Frequency
2.1.2 Important Contributors to Risk
2.2 Containment Analysis
2.3 Consequence Analysis and Risk Results
2.3.1 Consequence Analysis
2.3.2 Risk Results
2.4 Uncertainties
2.4.1 Core Damage Frequency
2.4.2 Containment Response
2.4.3 Consequence Analysis
3 DOMINANT ACCIDENT SEQUENCES
3.1 Dominant Internal Events
3.2 Dominant External Events
4 PERSPECTIVES ON MILLSTONE 3 RISK
5 PLANT DESIGN PERSPECTIVES
5.1 Design Features Important to Safety
5.1.1 Primary System Loop Stop Valves
5.1.2 Auxiliary Feedwater System
5.1.3 Refueling Water Storage Tank
5.1.4 Three Valves in Each Residual Heat Removal Suction Line
5.1.5 High Pressure Recirculation
5.1.6 Containment Spray
5.1.7 Containment
5.1.8 Emergency Onsite Power System
5.1.9 Power Conversion System
5.1.10 DC Batteries
5.1.11 Reactor Coolant Pump Seals
5.2 Plant Improvements Influenced by the Probabilistic Safety Study
5.3 Potential Engineering and Operational Improvements
5.3.1 Design Improvements
5.3.2 Improvements in Procedures (Test, Maintenance, and Emergency)
5.3.3 Integrated Safety Assessment Program
6 REFERENCES
APPENDICES
A POTENTIAL AREAS OF IMPROVEMENT OF THE MILLSTONE 3 PROBABILISTIC SAFETY STUDY
B RATE OF OCCURRENCE OF SEVERE CORE DAMAGE EVENTS DUE TO THE LOSS OF OFFSITE POWER INITIATOR FOR MILLSTONE 3
C CALCULATION OF FREQUENCY OF SEISMIC PLANT DAMAGE STATES
D STAFF EVALUATION OF HAZARD CURVES FOR THE MILLSTONE SITE
LIST OF TABLES
2.1 Important Internal Event Contributors to Millstone 3 Mean Annual Core Damage Frequency
2.2 Important External Event Contributors to Millstone 3 Mean Annual Core Damage Frequency
2.3 Important Contributors to Risk (per Reactor-Year) at Millstone 3 From Internal Events (150 Miles)
2.4 Important Contributions to Risk (per Reactor-Year) at Millstone 3 From Seismic Events (150 Miles)
2.5 Breakdown of Risk (per Reactor-Year) by Containment Failure Mode (150 Miles)
2.6 Conditional Mean Value of Societal Consequences From Individual Containment Failure Modes (Regional)
2.7 Overall Estimates of Mean Severe Accident Risk (per Reactor-Year) for Millstone 3 (150 Miles)
4.1 Mean Regional Risk Estimates for Zion, Indian Point (IP), Limerick, and Millstone 3
5.1 Value-Impact Assessment for Station Blackout Related Plant Modifications (150 Miles)
5.2 Value-Impact Summary for Alternative (1) for Plant Lifetime
5.3 Discounted Present Value of Avoided Onsite Property Damage
5.4 Risk Summary (Base Case) for Station Blackout Caused by Earthquakes (Mean Annual Risk)
5.5 Value-Impact Assessment of Plant Modifications for Station Blackout Caused by Earthquakes (150 Miles)
5.6 Value-Impact Summary for Alternative (1) for Plant Lifetime
5.7 Discounted Present Value of Avoided Onsite Property Damage (Million Dollars)
5.8 Estimates of Seismically Induced Core Damage Annual Frequency From Relay Chatter for Millstone 3
ACKNOWLEDGEMENTS
The authors of this report are
G. Kelly, Reliability and Risk Assessment Branch, Division of Safety Technology, NRC
A. Buslik, Reliability and Risk Assessment Branch, Division of Safety Technology, NRC
R. Barrett, Reactor Systems Branch, Division of Systems Integration, NRC
The contributors to this report are
N. Chokshi, Structural and Geotechnical Engineering Branch, Division of Engineering, NRC
A. Garcia, Lawrence Livermore National Laboratory
J. Reed, Jack R. Benjamin & Associates, Inc.
P. Amico, Applied Risk Technology Corporation
A. Thadani, Reliability and Risk Assessment Branch, Division of Safety Technology, NRC
M. Khatib-Rahbar, Brookhaven National Laboratory
W. Pratt, Brookhaven National Laboratory
H. Ludewig, Brookhaven National Laboratory
S. Israel, Reliability and Risk Assessment Branch, Division of Safety Technology, NRC
L. Reiter, Geosciences Branch, Division of Engineering, NRC
P. Easley, Accident Evaluation Branch, Division of Engineering, NRC
J. Kimball, Geosciences Branch, Division of Engineering, NRC
P. Smith, Lawrence Livermore National Laboratory
M. McCann, Jr., Jack R. Benjamin & Associates, Inc.
P. R. Davis, Consultant
J. Chen, Structural Geotechnical Engineering Branch, Division of Engineering, NRC
Y. Li, Mechanical Engineering Branch, Division of Engineering, NRC
G. Apostolakis, Consultant
A. Lee, Equipment Qualification Branch, Division of Engineering, NRC
P. Kang, Power Systems Branch, Division of Systems Integration, NRC
R. Goel, Auxiliary Systems Branch, Division of Systems Integration, NRC
C. Graves, Reactor Systems Branch, Division of Systems Integration, NRC
R. Jachowski, Environment and Hydrologic Engineering Branch, Division of Engineering, NRC
M. Wangler, Radiological Assessment Branch, Division of Systems Integration, NRC
D. Bernreuter, Lawrence Livermore National Laboratory
T. McKone, Lawrence Livermore National Laboratory
To support the staff's overall evaluation, consultants - including those from Lawrence Livermore National Laboratory, Brookhaven National Laboratory, Applied Risk Technology Corporation, and Jack R. Benjamin & Associates, Inc., and P. R. Davis and G. Apostolakis - have performed independent reviews and analyses of the Millstone 3 Probabilistic Safety Study.
ACRONYMS AND INITIALISMS
ASME: American Society of Mechanical Engineers
ATWS: anticipated transient without scram
BNL: Brookhaven National Laboratory
BWR: boiling water reactor
CCF: common cause failure
CFR: Code of Federal Regulations
ECCS: emergency core cooling system
EDG: emergency diesel generator
EGLS: emergency generator load sequencer
ESF: engineered safety features
GI: generic issue
HPIS: high pressure injection system
IP: Indian Point
IREP: Interim Reliability Evaluation Program
LLNL: Lawrence Livermore National Laboratory
LOCA: loss-of-coolant accident
LOSP: loss of offsite power
LPIS: low pressure injection system
MGAC: median ground acceleration capacity
MMI: modified Mercalli intensity
NEPA: National Environmental Policy Act
NRC: U.S. Nuclear Regulatory Commission
NSSS: nuclear steam supply system
PCS: power conversion system
PORV: power operated relief valve
PRA: probabilistic risk assessment
PSS: Probabilistic Safety Study
PWR: pressurized water reactor
QA: quality assurance
QSS: quench spray system
RCP: reactor coolant pump
RCS: reactor coolant system
RHR: residual heat removal
RPS: reactor protection system
RSS: Reactor Safety Study
RWST: refueling water storage tank
SGTR: steam generator tube rupture
SHCP: Seismic Hazard Characterization Project
SMA: Structural Mechanics Associates
SRP: Standard Review Plan
SSE: safe shutdown earthquake
SWS: service water system
USI: unresolved safety issue
EXECUTIVE SUMMARY
In September 1981, Harold R. Denton, Director of the Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission (NRC), requested that Northeast Utilities perform a design specific risk study for Millstone Nuclear Power Station, Unit No. 3 (Millstone 3), a four-loop Westinghouse pressurized water reactor (PWR) (3425 MWt) with a subatmospheric containment. The NRC staff (or staff) was to review this risk study before an operating license was issued.
The NRC staff requested that Northeast Utilities conduct its probabilistic risk assessment (PRA) using the type of methodology used in the Reactor Safety Study (RSS) reference plant (NUREG-75/014). The PRA was to take into account significant design and site differences between Millstone 3 and the RSS PWR plant.
In August 1983, Northeast Utilities submitted the Millstone 3 Probabilistic Safety Study (PSS). Significant revisions to the PSS (earthquake related) were submitted in April and November 1984. The PSS is a full-scope PRA that considers internal as well as external events (in particular, earthquakes and fire). The NRC staff initiated its review of the PSS in September 1983 with the help of the Lawrence Livermore National Laboratory and the Brookhaven National Laboratory. Their analyses are presented, respectively, in NUREG/CR-4142 and NUREG/CR-4143.
In the Millstone 3 PSS, Northeast Utilities estimates that the mean annual core damage frequency due to internal and external events is about 5x10^-5 and 2x10^-5, respectively. In its review of the Millstone 3 PSS, the staff estimates that the mean annual core damage frequency is about 2x10^-4 for internal events and lies between 1x10^-5 and 2x10^-4 for external events. The staff estimates that station blackout dominates internal and external event core damage frequency (contributes 70% and 85% of the mean frequency, respectively). The staff has determined that although cost-effective improvements can be made at this time, there is no overriding reason to require resolution of station blackout at Millstone 3 prior to resolution of Unresolved Safety Issue A-44 (reducing the likelihood of core melt from station blackout). The staff believes, however, that there are cost-effective improvements in the prevention and mitigation of a station blackout caused by an earthquake beyond the safe shutdown earthquake.
The staff recommends that Northeast Utilities perform an engineering analysis of the costs, benefits, uncertainties, and competing risks of (1) upgrading the diesel generator lube oil cooler anchorage system and (2) adding a manually operated, AC-independent containment spray system. Regarding the anchorage system, unless Northeast Utilities can show that the anchorage system is substantially stronger than shown in the PSS, the anchorage system must be improved.
Regarding the added containment spray system, if the engineering analysis shows that the staff estimate of the value of this improvement is not significantly changed when the potential downside is considered, then Northeast Utilities should install such a system.
The staff has examined the overall risk for Millstone 3 and the overall risk given by PRAs for other high population facilities (namely, Zion Nuclear Plant, Indian Point Station, and Limerick Generating Station). The staff has made no determination of whether disproportionate risk exists at Millstone 3. The staff does find that the risk estimates for Millstone 3 are generally similar to those for Zion, Indian Point, and Limerick. Given the uncertainties and differences in methodology, the staff can only conclude that the risk to the public posed by operation of Millstone 3 appears to be in the same range as that estimated for Zion, Indian Point, and Limerick and is not undue. The staff expects that the resolution of unresolved safety issues and generic issues such as reactor coolant pump seal loss-of-coolant accident, relay chatter (proposed), and decay heat removal will help reduce uncertainty and estimated risk.
As with any probabilistic safety review, there are limitations and uncertainties associated with the review and its results and conclusions. The staff found certain weaknesses in the analyses given in the Millstone 3 PSS. Although some of the analyses were improved during the review, some areas could be improved by further analysis, such as (1) quantitative treatment of internal floods, (2) a more detailed review of intersystem dependencies, (3) consideration of the effects of loss of room cooling, and (4) modeling of DC power. There is a large difference between the estimates of seismic hazard (frequency of a given ground acceleration) given by Northeast Utilities and those given by Lawrence Livermore National Laboratory (LLNL) in Draft Report NUREG/CR-3756. This difference was reduced somewhat in the final version of the LLNL report on the hazard curves for the Millstone site (UCID-20421). Although the revised PSS and the draft LLNL hazard curves (slightly more conservative than the final LLNL hazard curves) are used in this Risk Evaluation Report for Millstone 3, use of the final LLNL hazard curves will not alter any of the staff's recommendations.
1 INTRODUCTION
This report summarizes the results of the NRC staff's review of the Northeast Utilities' probabilistic safety study (PSS) on the Millstone 3 plant. The report presents the staff's insights with particular emphasis on dominant sequences. It provides a limited comparison of Millstone 3 with other plants, discusses potential plant vulnerabilities, and makes recommendations about additional protective measures. Conclusions drawn from the staff's review are discussed in Section 1.5 of this report.
The results of the NRC staff's review of the Millstone 3 operating license application relative to the radiological safety review requirements of Title 10 of the Code of Federal Regulations (10 CFR) are reported in the Millstone 3 Safety Evaluation Report (NUREG-1031) and its supplements. The results of the NRC staff's assessment of the environmental impact associated with the operation of Millstone 3 pursuant to the National Environmental Policy Act of 1969 (NEPA) and 10 CFR 51 are reported in the NRC staff's Draft and Final Environmental Statements (NUREG-1064).
All frequency, probability, and risk estimates given in this report are mean values unless otherwise noted.
1.1 Site and Plant Description
The site, approximately 500 acres in area, is on the north shore of Long Island Sound and on the east side of Niantic Bay. It is located in the town of Waterford, Connecticut, about 3.2 miles west-southwest of New London and about 40 miles southeast of Hartford. The surrounding area is primarily residential with some commercial and industrial uses.
Millstone 1 and 2 are already located on the site. Millstone 1 uses a single-cycle boiling water reactor (BWR) supplied by General Electric Company with a rated thermal power level of 2011 MW; the architect-engineer was Ebasco Services, Incorporated. Millstone 2 uses a two-loop pressurized water reactor (PWR) supplied by Combustion Engineering, Inc., with a rated thermal power level of 2700 MW; the architect-engineer was Bechtel Power Corporation.
Millstone 3 uses a four-loop pressurized water-type nuclear steam supply system (NSSS) furnished by Westinghouse Electric Corporation and a turbine generator furnished by General Electric Company. The remainder of the unit, including a subatmospheric containment, was designed and constructed by Northeast Utilities with the assistance of its representative, Northeast Utilities Service Company, and its architect-engineer, Stone & Webster Engineering Corporation.
The core is designed for a warranted power output of 3411 MWt, which is the license application rating. This output, combined with the reactor coolant pump heat output of 14 MWt, gives an NSSS warranted output of 3425 MWt. The design gross electrical output is 1209 MWe.
The Millstone 3 containment is a carbon steel-lined, reinforced concrete structure with a net free volume of about 2.26 million cubic feet. The design pressure is 59.7 psia, and the estimated median failure pressure is 133 psia.
Millstone 3 utilizes the subatmospheric containment concept. During normal operation, containment pressure will be maintained between 9 and 12 psia.
The containment heat removal system includes a quench spray system (QSS) and an independent recirculation spray system. The QSS consists of two redundant 100% capacity trains, each with a quench spray pump, a chemical injection system, and riser pipes leading to two common 360° quench spray headers. Each train draws water separately from the refueling water storage tank (RWST). The recirculation spray system consists of two redundant 100% capacity trains, each with two recirculation pumps (one of the two may be used for core recirculation) with dedicated heat exchangers and riser pipes leading to two common 360° recirculation spray headers. Each train of the recirculation spray system takes suction separately from the containment emergency sump. Spray additive systems are provided to enhance postaccident fission product removal.
The containment has fan coolers, but they are not designed for effective mitigation of severe accidents.
The reactor cavity is constructed of basaltic concrete, a feature that minimizes the production of combustible and noncondensible gases during core-concrete interaction. The cavity is designed to be free of water at the time of reactor vessel failure for most accident sequences.
The plant incorporates hydrogen recombiners, but their rate of recombination is too slow to be of importance during severe accidents.
The containment is enclosed in a secondary enclosure building, which is equipped with a supplementary leak collection and release system provided for the mitigation of radiological consequences of postulated design basis accidents in which containment integrity is maintained.
The emergency core cooling system (ECCS) provides borated water to cool the reactor core following a loss-of-coolant accident. This is accomplished by the automatic injection of water from the four safety injection accumulators into the reactor coolant loops and by the automatic pumping of a portion of the RWST contents into the loops via the three charging pumps, the two safety injection pumps, and the two residual heat removal pumps. After the injection mode of emergency core cooling, long-term core cooling is maintained by recirculating the water from the containment sump by two of the four containment recirculation pumps through the containment recirculation coolers and into the reactor coolant loops via the high pressure injection pumps.
Offsite AC power for Millstone 3 is provided by four offsite transmission lines on two rights-of-way that run to a switchyard common to Units 1, 2, and 3.
There are two lines from the switchyard to Unit 3.
1.2 History of the Millstone 3 Probabilistic Safety Study
In early 1979, a staff report on population near commercial nuclear power plant sites (NUREG-0348) documented the population distribution around all U.S. nuclear power stations within circles of various radii, such as 10, 30, and 50 miles, on the basis of the 1970 census. This report indicated that the region around Millstone was one of the eight densely populated site areas in the United States that were identified as sites with "above average" potentially adverse features. (Indian Point, Limerick, and Zion were identified as "substantially above average.") The 1980 census indicated that the population statistics of the Millstone site were slightly over 100,000 persons within a 10-mile radius and 2.6 million within a 50-mile radius. Because of a combination of factors, which included the higher population densities and the proposed power levels, the staff considered at that time (1981) that Millstone might be one of the plants whose operation could represent a disproportionately high fraction of the total societal risk from reactor accidents. Therefore, in September 1981, the staff requested (Denton, 1981) that Northeast Utilities perform a design-specific risk study and compare that risk to the risk identified with the Reactor Safety Study (RSS) reference PWR plant (NUREG-75/014), as appropriate. The staff at the same time stated it intended to review the risk study by Northeast Utilities prior to issuance of an operating license. The staff also discussed in SECY-81-25 its intention to identify and advise Northeast Utilities of special design considerations that should be taken into account on the basis of the results of the risk study.
The staff requested that Northeast Utilities conduct its probabilistic risk assessment (PRA) using RSS-type methodology, taking into account significant differences between the RSS plant and the Millstone 3 facility. Northeast Utilities also was asked to account for plant design differences and site-specific differences between Millstone 3 and the RSS PWR plant.
Northeast Utilities had already begun in 1980 to develop a corporate plan that committed it to perform a PRA for each of its plants. Northeast Utilities originally planned on completing the Millstone 3 PSS in the 1986-1987 time period. In 1981, the staff called for submittal of the Millstone 3 PSS 6 months after submittal of the Millstone 3 Final Safety Analysis Report; this modified Northeast Utilities' plan. Northeast Utilities committed to provide a full-scope PRA that would include internal and external initiators and estimates of the frequencies of various levels of offsite consequences.
Northeast Utilities performed a probabilistic safety study with the help of its consultants: Westinghouse Electric Corporation, Stone & Webster Engineering Corporation, Dames and Moore, and Structural Mechanics Associates. To help monitor the quality of the PSS, Northeast Utilities created a review board of risk study experts to critique the work. The Millstone 3 PSS was submitted to the staff in August 1983. Revised seismic analyses were submitted in April and November 1984. Additional seismic sensitivity studies were provided in December 1984, and a discussion of the capability of Millstone 3 to withstand an earthquake above the safe shutdown earthquake was submitted in November 1984.
1.3 Conduct of the Probabilistic Safety Study Review
The NRC staff initiated its review of the PSS in September 1983. Lawrence Livermore National Laboratory (LLNL) was contracted to help review the PSS up to the frequency of severe core damage, and Brookhaven National Laboratory (BNL) was contracted to help review the containment analysis. The major review objectives were to identify
(1) the dominant accident sequences
(2) major risk contributors
(3) major omissions
The staff, Northeast Utilities, and consultants for both interacted frequently in the PSS review process. Several public review meetings were held. In a series of meetings and letters, Northeast Utilities provided replies to NRC's and its contractor's questions on the PSS. Northeast Utilities' major modification to the Millstone 3 PSS was the complete revision of the seismic core damage analysis. The seismic hazard and fragilities were both reanalyzed and resubmitted. Besides the revised seismic hazard and fragilities submitted by Northeast Utilities, the staff's analysis considered the hazard curves for the Millstone site estimated in the LLNL draft report, NUREG/CR-3756. In April 1985, a final version of the LLNL report was published as LLNL report UCID-20421. This final report estimated the hazard curves to be slightly lower than those in the draft LLNL report, but still substantially higher than those given in the revised PSS. Although the analysis in this Risk Evaluation Report for Millstone 3 reflects the revised PSS and the draft LLNL hazard curves, use of the final LLNL rather than draft LLNL hazard curves will not alter any of the staff's recommendations.
On the basis of the information provided and the clarifications supplied at meetings with Northeast Utilities and during site visits, LLNL and BNL audited the PSS in specific areas to test the results against alternative assumptions and supplemental data. LLNL and BNL reviews were issued, respectively, as NUREG/CR-4142 and NUREG/CR-4143.
During the review of the Millstone 3 PSS, the staff's original objective was to determine whether Millstone 3 contributed a disproportionate share of the risk posed by reactors licensed to operate by the NRC. If the risk was found to be disproportionate, the staff planned to fashion a risk-reduction strategy that would bring the Millstone 3 risk into line with that of other plants licensed to operate. However, this decision logic had to be changed for the following reasons. The staff found that, because of (1) the different methods and techniques used in evaluating the risk at nuclear plants and (2) the variation in depth and scope of review (e.g., some PRAs do not include external events), it is not feasible to make a meaningful direct comparison of risk as estimated by different PRAs. In particular, the results of many of the most recent PRAs, particularly those of Zion, Indian Point, and Limerick, suggest that earlier PRAs may have missed important contributors to risk by failing to include seismic, fire, flood, and wind accident initiators. Earlier PRAs were more conservative in their analysis of containment performance. Evidence suggests that quantitative, bottom-line risk comparisons between the Millstone 3 PSS and earlier PRAs of other plants may reflect important differences resulting from the use of different PRA methods.
These factors and others emerging in the evidence have led the staff to diversify the decision logic in its analyses, and to look at the need for plant design or procedural improvements in a variety of ways. The decision logic has been broadened to include quantitative and qualitative inquiries into interplant comparative risk, absolute risk, and intraplant comparative risk. That is, the staff now compares the importance and character of the many severe accidents to which the plant might be subject.
1.4 Uses of the Millstone 3 Probabilistic Safety Study
Both the NRC and Northeast Utilities consider the Millstone 3 PSS to have important uses. The staff has used the PSS and its preliminary review of the PSS in the Millstone 3 Draft and Final Environmental Statements (NUREG-1064). The staff's current perception of containment performance and offsite consequences of the dominant accident sequences would lead to much lower estimates of risk than those reported in the Final Environmental Statement for Millstone 3.
Where applicable, the staff has used insights and information from other PRAs to test the reasonableness of data and assumptions used in and conclusions resulting from the Millstone 3 PSS.
Northeast Utilities has already made some design changes and gained some operational insights that were influenced by the performance of the PSS. These changes are discussed in Section 5.2 of this report. Northeast Utilities has indicated (see Section 5.3.3) that it plans to (1) keep the Millstone 3 PSS up to date; (2) track actual plant experience (e.g., residual heat removal valve failure rates), not only for Millstone 3, but also for Units 1 and 2; (3) do cost/benefit calculations for proposed design changes using the PSS; (4) use the PSS lessons-learned in training operators; and (5) review test and maintenance procedures on the basis of PSS insights.
Northeast Utilities, in response to a staff recommendation, has used the available seismic hazard data and the fragility data from the PSS (along with the pertinent accident sequence information) to evaluate the capability of the Millstone 3 seismic design beyond the safe shutdown earthquake (SSE). Some important insights have been gained from this study regarding the available margins in the Millstone 3 seismic design beyond the SSE. The complete discussion on the seismic design margin study will be presented in a supplement to the Millstone 3 Safety Evaluation Report.
The staff believes that it would be prudent to make additional improvements in the analysis presented in the Millstone 3 PSS to make it a useful tool in long-term management decisionmaking and cost/benefit calculations. Discussions of areas of the PSS where improvements should be considered are given in Appendix A to this report.
The staff has made recommendations regarding improvements in design, procedures, and plant operation as discussed in Section 5.3. In considering the need for improvements, one can identify most vulnerabilities by studying the dominant core damage and risk sequences and by understanding the analytical bases behind these estimates including the data, models, assumptions, and uncertainties.
Two classes of risk reduction options can be considered: accident prevention and accident mitigation. Accident prevention is the reduction in frequency of severe core damage; accident mitigation is the reduction in the probability of a severe radioactive release if severe core damage has occurred.
1.5 Conclusions
In recognition of the high population density around the Millstone site and the proposed power level, Northeast Utilities has performed a full-scope PRA and has developed perspectives on the safety significant areas of Millstone 3. The staff has completed its review of the Millstone 3 PSS and reports its findings in Sections 2 through 5 of this report. Section 5.3 discusses additional improvements that would reduce the vulnerability of Millstone 3 to core damage accidents and their consequences. The staff's conclusions are summarized as follows:
- The staff finds that the core damage frequency estimates for Millstone 3 are similar to those for Zion, Indian Point, and Limerick.
- Because of differences in methods and scope, a precise, systematic comparison of risk results from various PRAs is questionable.
- Because there are (1) significant differences in methods used to perform various PRAs, (2) important variations in design from plant to plant, and (3) large variations in population density around plant sites, the staff cannot make a determination whether operation of Millstone 3 will pose a disproportionate societal risk. Given the uncertainties and differences in methodology, the staff can only conclude that the risk to the public posed by operation of Millstone 3 appears to be in the same range as that estimated for Zion, Indian Point, and Limerick.
During the review of the dominant accident sequences from the PSS, the staff found no instances of noncompliance with the deterministic regulatory requirements.
The staff estimates that the core damage frequency from both internally and externally initiated events is dominated by the reactor coolant pump (RCP) seal loss-of-coolant accident (LOCA) induced by station blackout.
The staff in its review of the station blackout sequences estimated that they contribute about 50% of the mean internal event severe core damage frequency and over 85% of the mean external event severe core damage frequency.
The staff estimates that the early fatality risk from internally initiated events is dominated by the interfacing LOCA sequence, or V-sequence, where a LOCA outside of containment occurs because of failures of valves in a residual heat removal system suction line. Failure to isolate the high pressure reactor coolant system from the low pressure residual heat removal system fails the residual heat removal system. The staff estimates that the early fatality risk from external events is dominated by a low probability seismic event where the containment crane wall collapses, causing a large LOCA with immediate containment failure. Seismic events are estimated to contribute between 10% and 85% to overall mean early fatality risk depending on whether the PSS or Seismic Hazard Characterization Project (NUREG/CR-3756) seismic hazard curves are used. (Great caution should be exercised in any comparison of internal and external initiating events. The staff is not aware of any systematic study of the differences in sources and treatment of uncertainty for internal vs external events.)
Station blackout is the most important contributor to latent fatalities and person-rem per year for both internal and external events.
Reactor coolant pump seal LOCA behavior is an important factor in the frequency of core damage posed by station blackout for Millstone 3. The Millstone 3 designs of the emergency AC power system, the component cooling water system, and the service water system (each system is important in preventing RCP seal LOCA), although meeting NRC's minimum requirements, do not have the diversity and redundancy exhibited at the Zion and Indian Point units.
The staff believes that there are Millstone 3 plant-specific, cost-effective improvements (see Section 5.3.1) for preventing station blackouts not caused by an earthquake. However, there is no overriding reason to require resolution of station blackout at Millstone 3 prior to resolution of Unresolved Safety Issue A-44 (reduction of core melt frequency due to station blackout).
The staff believes that there are cost-effective improvements in prevention and mitigation of a station blackout caused by an earthquake beyond the SSE. The staff recommends that Northeast Utilities perform an engineering analysis of the costs, benefits, uncertainties, and competing risks of upgrading the diesel generator lube oil cooler anchorage system. Unless Northeast Utilities can show the anchorage system is substantially stronger than is claimed in the PSS, it must strengthen the system. The staff similarly recommends that Northeast Utilities evaluate the feasibility of a manually operated, AC-independent containment spray system. The staff and its contractors at BNL have evaluated mitigative devices for various containment failure modes for Millstone 3 (see NUREG/CR-4143). The staff has concluded that it would not be cost beneficial to install a filtered containment vent; a fully automatic, redundant containment spray system; or additional hydrogen control equipment.
The staff performed a scoping analysis of relay chatter caused by an earthquake at Millstone 3 (see Sections 2.4 and 5.3.1). On the basis of this study, the staff recommends that Northeast Utilities develop operator training and/or procedures to recover from earthquake-induced relay chatter.
The staff performed a scoping analysis (see Sections 2.4 and 5.3.1) of loss of room cooling. On the basis of this study, the staff recommends that Northeast Utilities develop emergency procedures to recover cooling to selected rooms by alternative methods.
Perhaps the most important benefit from the performance and review of the PSS is the safety improvement gained (unquantifiable) because of the knowledge gained by Northeast Utilities from the detailed, logical analyses required to integrate the PSS.
Northeast Utilities has already begun to establish integrated safety assessment and living PRA programs. The staff strongly concurs in this idea and encourages Northeast Utilities' initiative.
The staff review determined that the PSS was limited or inadequate in the following areas:
The review identified a significant omission in the PSS related to the dependence on the vital DC system by the vital AC system, the main electrical system, and the emergency generator load sequencer, which was not included on the corresponding fault trees. The staff was unable to determine the quantitative effect of this error because of its pervasiveness and the nature of the event tree-fault tree/support system model, which makes requantification almost impossible.
The V-sequence, as analyzed in the PSS, did not consider recovery from or mitigation of a degraded core condition. This is particularly significant because the V-sequence dominates estimated internal event early fatalities.
A qualitative screening analysis in the PSS concluded that internal flooding was an insignificant contributor to mean core melt frequency (8.5x10^-7 per year). Without detailed assessments of flooding in susceptible, safety-related areas and in the absence of an uncertainty analysis, the staff cannot make a determination about the impact of internal flooding on core melt frequency at Millstone 3.
2 OVERALL REVIEW RESULTS
This section describes the staff's overall results obtained during its review of the Millstone 3 PSS. It separately discusses accident sequences, containment analysis, and consequences. Summaries of the largest core damage frequency and risk contributors, the risk breakdown by containment release category, and the overall risk are given in Tables 2.1 through 2.7 and 4.1.
2.1 Accident Sequence Analysis
This section discusses, in a simplified manner, the largest contributors to core damage frequency and risk. A more detailed discussion of these sequences is given in Section 3 of this report.
2.1.1 Important Contributors to Core Damage Frequency
This section discusses the most important contributors to core damage frequency. The staff has grouped the important contributors by initiators for internal events and by individual sequences for external events. The largest internal event contributors to core damage frequency are summarized in Table 2.1. Contributors for external events are summarized in Table 2.2. Note that the most important contributors to core damage frequency are not always the most important contributors to risk.
2.1.1.1 Internal Event Core Damage Sequences
Loss of Offsite Power (Station Blackout With Reactor Coolant Pump Seal LOCA)
The staff estimates that loss of offsite power is the most important initiating event at Millstone 3 with regard to mean core damage frequency (about 1x10^-4 per year). The staff is especially interested in loss of offsite power for Millstone 3 because the site has already experienced an extended loss of offsite power during a hurricane. A very severe hurricane potentially could disrupt offsite power for a significant period (e.g., over 8 hours). Northeast Utilities estimates that loss of offsite power contributes about 1x10^-5 per year to mean core damage frequency.
The most important loss of offsite power sequences are those in which onsite emergency AC power also fails, resulting in station blackout (see Section 3.1 for more details; Appendix B discusses how the staff estimated internally initiated station blackout core damage frequency). The staff assumes (on the basis of the limited information available) that a station blackout that lasts more than 30 minutes will lead to an RCP seal LOCA. This assumption is different from that assumed in the PSS. The staff's calculations of station blackout include not only failure to start of the emergency diesel generators but also failure to run and battery depletion. The staff finds that diesel generator failure to run makes a significant contribution to core damage frequency. The staff believes that the treatment of RCP seal failure by Northeast Utilities is in error and notes that Northeast Utilities did not consider failure to run of the diesel generators; moreover, Northeast Utilities used an unrealistically low value for the probability a diesel generator will fail to start.
Millstone 3 has less diversity and/or redundancy in emergency power than the Zion and Indian Point plants, both Westinghouse designs at high population density sites. Millstone 3 has two diesel generators for one unit, while Zion Units 2 and 3 have two dedicated diesel generators per unit plus a fifth swing diesel generator (they also have service water and component cooling water systems cross-connected between units) and Indian Point Units 2 and 3 each have three emergency diesel generators plus one onsite and two offsite gas turbine generators.
Loss of Feedwater-Type Events With and Without the Power Conversion System
The staff's review determined that several initiating events (see Section 3.1 for details), which Northeast Utilities treated separately, could cause similar mitigation equipment to be activated and, in general, could cause the plant to respond in a similar manner. These initiators can be modeled on the loss of feedwater event tree and are considered by the staff to be loss of feedwater-type events, which are events that challenge the plant by requiring that decay heat be removed via alternative pathways.
Northeast Utilities' analysis of these events takes no credit for recovery and use of the power conversion system (PCS) to help remove decay heat following a reactor trip. After discussion with the operations personnel at Millstone 3, the staff gave some credit for recovery and use of the PCS (which lowered its estimated core damage frequency).
The staff divides the loss of feedwater-type events into those for which recovery of the PCS (to assist in removing decay heat) is possible and those for which it is not. The loss of feedwater-type sequences identified by Northeast Utilities have a total mean core damage frequency contribution of 2x10^-5 per year, which is the most important core damage frequency contributor in the Millstone 3 PSS. The staff's loss of feedwater-type sequences (see Section 3.1) have a total mean core damage frequency of 1x10^-5 per year, which is an important contributor to core damage frequency, but the risk associated with these events is estimated to be very small. The difference between the staff's and Northeast Utilities' core damage frequency is due to the staff's giving credit for use of the PCS.
These analyses show that auxiliary feedwater must fail and either high pressure recirculation must fail or the operator must fail to establish feed and bleed for the loss of feedwater-type events to lead to core damage. The staff estimates that, for each of these events, containment sprays are available, which will significantly reduce the probability of containment failure and the magnitude of resulting radiological releases.
Loss of a Vital AC Bus
The total mean core damage frequencies (both a little less than 1x10^-5 per year) estimated by Northeast Utilities and the staff for loss of a vital AC bus sequences differ because of roundoff and slightly different initiating event frequencies (see Table 2.1). These analyses show that auxiliary feedwater must fail and either high pressure recirculation must fail or the operator must fail to establish feed and bleed for loss of a vital AC bus events to go to core damage. The staff estimates that, for each of these events, containment sprays are available. The staff considers these sequences to be small contributors to risk.
Small LOCAs
Northeast Utilities' analysis identifies only one small LOCA core damage sequence (1x10^-8 per year). The staff's analysis identifies small LOCA sequences with a total mean core damage frequency contribution of 4x10^-5 per year.
The staff's analysis of small LOCAs gives a higher total core damage frequency because of the following:
(1) The staff estimates include consideration of cognitive errors not contained in the Northeast Utilities' small LOCA analysis.
(2) The staff gives no credit for depressurizing the primary system to eliminate the need to go to high pressure recirculation because it is unaware of any calculations performed that demonstrate what percentage of small LOCAs do not require use of recirculation cooling. Northeast Utilities gives 99% credit for depressurization. The staff realizes its position is conservative and that some unknown percentage of small LOCA sequences in the PSS which the staff estimates to go to core damage may indeed be successful; absent analysis to determine the percentage of successful sequences, the staff has adopted the conservative assumption of no manual depressurization.
Small LOCA is a small contributor to core damage frequency for Northeast Utilities and is an important contributor in the staff's analysis. In either case, the small LOCA initiator is estimated to represent a small contribution to risk, since there is a high probability that the containment accident-mitigating features are available.
2.1.1.2 External Event Core Damage Sequences
The Millstone 3 PSS analyzes two external events in detail: seismic and fire.
Northeast Utilities finds other external event initiators, such as internal or external flooding, extreme winds, and aircraft hazards (which were dealt with in much less detail), to be negligible core damage contributors. The staff and LLNL believe that the conclusion in the PSS "that external events other than seismic and fire are negligible contributors to risk" is highly uncertain.
(See Section 2.4 of this report.) Additional details on the staff's review of external events other than fire and seismic are given in LLNL's final report (NUREG/CR-4142) on its review of the Millstone 3 PSS.
Seismic Core Damage Sequences
The original analysis in the PSS of seismic hazard (probability of exceeding a given ground acceleration) and fragilities (ability of equipment and structures to withstand seismic motion) was modified by Northeast Utilities in April and November 1984; the method of obtaining the seismic accident sequences and their frequencies was also modified. Northeast Utilities decreased its estimate of the median seismic hazard frequency and increased its estimate of the capacity of the structures and components to withstand seismic ground motion. The staff received draft seismic hazard curves from LLNL for the Millstone site as part of the Seismic Hazard Characterization Project (SHCP). The SHCP hazard curves are over a factor of 10 higher than the revised hazard curves in the PSS. That is to say, as a general rule, the median frequency of exceedance of a given peak ground acceleration is 10 times higher according to the SHCP hazard curves than according to the revised hazard curves in the PSS. The staff's estimate of seismic core damage frequency for Millstone 3 displays results in terms of the mean hazard curves of both the PSS and SHCP. The staff uses the curves as "lower" (PSS) and "higher" (SHCP) estimates of seismic hazard at the site.
They are both within the range of hazard curve uncertainty and give some insight as to the extent of this uncertainty. Other hazard estimates may not always fall in this range. Appendices C and D discuss the staff's seismic analysis in more detail.
The staff estimates the mean core damage frequency due to earthquakes for Millstone 3 to be about 6x10^-8 per year using fragilities (slightly modified by the staff) from the PSS and the PSS hazard curves. In the latest revision to the Millstone 3 PSS, Northeast Utilities estimates the mean seismic core damage frequency also to be about 8x10^-8 per year. Using the SHCP curves, the staff estimates Millstone 3 mean core damage frequency due to earthquakes to be 1x10^-4 per year (see Table 2.2). The components and structures whose failures are controlling with regard to core damage frequency are the emergency diesel generator oil cooler bolts, the emergency diesel generator enclosure, and the control building. See Appendix D for details of seismic failure modes, fragilities, hazard curves, and major contributors to core damage frequency and risk.
Fire-Related Core Damage Sequences
A staff consultant, Lawrence Livermore National Laboratory (LLNL), provided a limited review of the fire analysis performed in the Millstone 3 PSS. The analysis by the staff's contractor did not uncover any major errors, but LLNL did believe it prudent to increase the assumed human error rate. The core damage frequency and risk contribution from fires are sensitive to the estimated human error rate. The staff concludes that fires have the potential to be significant contributors to core damage frequency and risk. The staff and Northeast Utilities estimate the mean annual frequency of core damage due to fires to be about 6x10^-8.
LLNL's review of the Millstone 3 PSS fire analysis determined that the most critical human error was the failure of an operator to man the auxiliary shutdown panel following a fire in the control room, instrument rack room, or cable spreading room. The mean error rate was estimated to be 1x10^-3 by Northeast Utilities and 2x10^-1 by LLNL. The staff estimated the mean human error rate to be 2x10^-2.
2.1.2 Important Contributors to Risk
This section provides an overview of the most important contributors to risk. Risk is discussed by initiator for internal events, by individual sequence or component for the seismic events, and by rooms for fire. Risk results are summarized in Table 2.3 for internal initiators and in Table 2.4 for external sequences/components. It is worth noting that the only risk significant sequences are ones where the containment fails, usually by overpressure caused by unavailability of containment sprays, by a hydrogen burn caused by de-inerting of the containment, or by containment bypass.
2.1.2.1 Internal Event Risk Contributors
Loss of Offsite Power (Station Blackout With RCP Seal LOCA)
Station blackout is estimated to be a major risk contributor to latent fatalities as well as the largest contributor to core damage frequency (see Table 2.3).
The staff estimates that the frequency of station blackout events leading to core melt and containment failure is about 5x10^-6 per year. A hydrogen burn is estimated to occur following de-inerting of the containment caused by either natural steam condensation or restoration of the sprays. The probability that the hydrogen burn will fail containment is highly uncertain because of uncertainties in the hydrogen concentration and burn efficiency. Additional details are given in Section 3.1.
Residual Heat Removal System LOCA (Event V)
The residual heat removal (RHR) system is a low pressure system used primarily to remove decay heat when primary system pressure and temperature are low.
An RHR LOCA can occur if, for example, either the suction or discharge valves fail open on one of the lines connecting the RHR system to the primary system.
These valves are interlocked with primary system pressure, and the chance of a LOCA caused by these valves failing open is considered small, about 8x10^-7 per year (staff estimate). The RHR suction lines are estimated to be most vulnerable. An RHR LOCA is important because it could occur outside of containment, it is not readily isolable, and there is little warning time for evacuation.
An RHR LOCA is estimated to be the most important early fatality risk contributor for internal events. (See Table 2.3.) However, the V-sequence, as analyzed in the PSS, did not consider recovery from a degraded core condition. Although other PRAs also have not taken credit for recovery from such a situation, the staff believes this may be an important conservatism. Furthermore, little credit was given for potential closure of the isolation valves or retention of volatile fission products in the primary system or engineered safety features (ESF) building.
2.1.2.2 External Event Risk Contributors
Seismic
The most important contributors to seismic risk are the same if the hazard curves in either the PSS or SHCP are used (see Table 2.4). The important contributors to early fatalities are seismically induced failure of the containment crane wall, earthquake induced large LOCA with failure of injection to the core and the containment sprays, seismically induced station blackout with RCP seal LOCA (failure of diesel generator cooler bolts, collapse of the emergency diesel generator enclosure, or collapse of the control building), and seismically induced anticipated transients without scram (ATWS) (ATWS with refueling water storage tank failure). Failure of the containment crane wall causes a large LOCA, impaired or no ECCS injection, and simultaneous containment failure. Station blackout and ATWS lead to an early core melt with no containment sprays available. The containment fails by late overpressure. The important contributors to latent fatalities from seismically induced events are station blackout and ATWS as discussed above (see Table 2.4).
In re-estimating the seismic risk, the staff (1) used both the SHCP and PSS hazard curves and (2) made some improvements in the seismic risk calculational method. Amendment 3 to the PSS corrected earlier calculational errors by Northeast Utilities and brought into agreement the staff's and Northeast Utilities' calculations of core damage frequency using the PSS hazard curves.
2.2 Containment Analysis
Because of the large volume and robust design of the containment, prompt failure caused by hydrogen burns or steam spikes is not considered credible. Steam explosions that fail the containment are also judged to be unlikely and are assigned a conditional probability of 1 in 10,000 (10^-4).
In the PSS, failure to isolate the containment in a severe accident is assigned a very low probability (10^-4). This is due to Northeast Utilities' assertion that the containment will always be isolated before the accident because of the requirement to maintain subatmospheric pressure in accordance with a proposed limiting condition of operation in the Technical Specifications. Although the staff is not convinced that the probability is as low as Northeast Utilities assumes, it is confident that it is low enough to be a minimal contributor to risk.
For sequences in which containment sprays operate continuously, the containment is not expected to fail, or if it does, it is by basemat meltthrough. The operation of sprays reduces the radiological source term to the point where offsite consequences are minimal.
The risk dominant sequences are those in which containment sprays fail to operate. If spray operation is not recovered, the containment can fail by gradual overpressurization. In most sequences the cavity under the reactor vessel is dry, and overpressurization is caused by noncondensible gas generated during core-concrete interaction. Overpressure failure, if it is estimated to occur, is calculated in most sequences to occur after about 1 day.
Failure due to hydrogen burns cannot be ruled out for sequences without continuous containment spray operation. Although the steam concentration early in the accident is sufficient to inert the atmosphere, natural condensation can lead to de-inerting 6 or more hours after the vessel fails. The magnitude of the pressure rise and consequently the probability that the containment will fail are sensitive to the time of de-inerting, the hydrogen concentration, and the burn efficiency. Because of uncertainties in accident phenomenology and variations in random variables, the staff cannot estimate the final pressure with accuracy. However, assuming pessimistic values for the important parameters, it is possible to fail the containment. (See Section 3.1.)
For station blackout sequences, de-inerting and a resulting hydrogen burn can also result from actuation of the sprays caused by recovery of AC power. In this case, the sprays tend to reduce the burn pressure and suppress the radiological releases. (See Section 3.1.)
For containment bypass events, such as interfacing systems LOCAs and steam generator tube ruptures, the mode of radiological release is determined by the accident sequence.
The radiological source terms for each containment failure mode were determined using methods developed for the Reactor Safety Study. More recent information indicates that source terms for some of these failure modes could be much lower than calculated using those methods. The possible implications of those reduced source terms are discussed in Section 5.3.
The risk contribution of various containment failure modes is shown in Table 2.5 for both PSS and SHCP hazard curves.
2.3 Consequence Analysis and Risk Results
2.3.1 Consequence Analysis
The risk estimates presented in this report are based on consequence analysis performed by the NRC staff with the CRAC code. The radiological releases from each containment failure mode were dispersed to the environment in a manner dictated by the energy of the release and the meteorological patterns of the surrounding area. Public exposures were calculated on the basis of the local population distribution, the timing of the radiological release, the assumed patterns of evacuation and relocation, and various site data. Health effects were then estimated on the basis of the dose response models of the CRAC code.
Two evacuation/relocation modes were analyzed. In the first mode, for internal events, fires, and external events that do not disrupt transportation patterns, the people within 10 miles of the plant were assumed to evacuate at a rate of 2 miles per hour following a 1-hour delay after receiving warning. People outside the 10-mile radius were assumed to be selectively relocated away from radiological hot spots.
In the second mode, severe earthquakes were treated as regional disasters. No evacuation was assumed to occur, but after 24 hours people were assumed to selectively relocate away from the path of the plume.
The calculated conditional values of person-rem exposure and latent cancer fatalities were found to be reasonably insensitive to the timing of release or the assumed evacuation. However, these risk indicators would be sensitive to reductions in the radiological source term.
In contrast, the estimates of early fatalities were found to be very sensitive to both the warning time and the evacuation assumptions. For example, the conditional value of early fatalities for regional disasters with prompt containment failure (containment crane wall collapse sequence) was found to be about 30 times as great as for the same event with early evacuation. The highest estimated conditional value of early fatalities was for the interfacing systems LOCA (V-sequence) because this event is assumed to result in releases with a virtually unattenuated source term and no warning time.
Conditional consequences for each containment failure mode (averaged over varying weather conditions) are reported in Table 2.6.
2.3.2 Risk Results

The calculated overall risk estimates are presented in Table 2.7. Because the staff has two widely disparate estimates of seismic core damage frequency (based on the PSS and SHCP hazard curves), it presents risk estimates based on both cases.
2.4 Uncertainties

Like any other probabilistic analysis, the Millstone 3 PSS contains large uncertainties. The staff is inclined to address this important subject because there is a tendency to focus on the numerical estimates without considering the uncertainties. In its discussions of comparative risks and dominant sequences, the staff summarizes the numerical results of its review. One should use caution in drawing conclusions from these numerical estimates because of the uncertainties associated with their derivation (models, data, etc.) and the uncertainties associated with incompleteness. The more important use of this report, the staff believes, should be for the insights gained and the value of potential improvements considering these uncertainties.
2.4.1 Core Damage Frequency

There are considerable uncertainties in the numerical estimates of core damage frequency and the completeness of the sequences identified as potentially important contributors. There are at least four areas from which this uncertainty comes: models, data, omissions, and computation. Examples of areas where modeling uncertainty is high include fire models (for example, no one can accurately predict the spread of fire, and no models adequately deal with the effect of hot gas layers; therefore, the numerical results from a probabilistic fire analysis should not be taken as absolutes), effects of multiple units at the Millstone site (failure of one unit might affect other units), effect of seismic aftershocks (analyses generally only modeled a single shock), internal flooding (the PSS did a qualitative rather than a quantitative review), effect of transportation of hazardous materials (consideration of all potential sources was not documented, screening criteria were not identified), success criteria (what is the minimum equipment needed to achieve success), and dependencies (the methodology used in the PSS relies heavily on the modeler recognizing and remembering subtle dependencies and interfaces).
Use of the "large event tree-small fault tree" methodology, where support states are defined for various conditions of initiating event occurrence and system or train availability, made the review and requantification more difficult. NRC's contractor, LLNL, found it difficult to verify that intersystem dependencies received adequate treatment. This is largely due to the difficulty in identifying all the places a given component or fault tree enters into the larger model.
The staff found that some system models in the PSS were inadequate or incomplete. Examples of such system models include the DC power system (common cause failure (CCF) omitted; DC power not included in vital AC power, main electrical, or emergency generator load sequencer models; human error omitted), 120-V AC power system (CCF omitted), and emergency generator load sequencer system (CCF rate based on reactor protection system failure rate; dependency of single sequencer on vital AC; and DC systems not accurately modeled).
Examples of areas where data uncertainties are large include CCF rates (little data), distributions of random variables (all assumed to be lognormal or log-uniform), equipment failure rates (little data for some equipment; generic data may or may not properly represent equipment failure rate), frequency of initiators, human error rates (perhaps largest uncertainty; positive operator help is not adequately credited; it is unclear how one should credit operator help; operator error rates are uncertain), and seismic hazard (especially in the eastern United States) and fragilities.
The two seismic hazard estimates for the Millstone site (PSS and SHCP) exhibit wide ranges of uncertainty. Large uncertainties in seismic hazard estimates are not unusual (see, for example, NUREG-0967 and Reiter, 1983). The main cause of hazard estimate uncertainty comes from (1) the lack of understanding of the nature and location of seismic zones in the eastern United States and (2) the existence of only a short (about 300 years) historical record for the Millstone site. During the past 300 years, the actual ground motion believed to have been experienced at the site was well below the SSE. There is no basis at this time to judge whether the two hazard estimates for Millstone are correct or whether they might represent strict upper or lower bounds for future estimates. Because of these large uncertainties, care must be taken when making decisions based on numerical results.
The Millstone 3 PSS in general assumes that the testing interval for safety-related valves and pumps is once per month. The generic Technical Specifications for Westinghouse plants also assume a once-per-month testing interval. However, recently, the testing interval in Section XI of the American Society of Mechanical Engineers Boiler and Pressure Vessel Code (ASME Code), which deals with valve and pump testing, changed from monthly to quarterly. Northeast Utilities' submittal of its draft Technical Specifications embraces the 3-month test interval. If such a frequency change is incorporated in the final Millstone 3 Technical Specifications, it could result in a three-fold increase in mean component failure probabilities for failures that are time dependent. This would affect estimated unavailabilities for systems such as high pressure safety injection and containment recirculation.
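The three-fold figure is what the usual standby-failure model gives: a component tested every T hours with failure rate λ has a mean unavailability of about λT/2, so tripling T triples it. The sketch below is an added illustration, not part of NUREG-1152 or the PSS; it goes beyond the single-component case to a redundant pair, and the exponential failure model, the beta-factor common-cause split, simultaneous testing of both trains, and the failure rate of 1e-5 per hour are all assumptions chosen for the example.

```python
import math

HOURS_PER_MONTH = 730.0  # average calendar month, for interval conversion


def failed_fraction(rate_per_hour, hours_since_test):
    """P(standby component has failed) at a given time since its last test.

    Assumed model: constant failure rate, and every test finds and repairs
    any failure, so the component is as-good-as-new after each test.
    """
    return -math.expm1(-rate_per_hour * hours_since_test)


def mean_unavailability(rate_per_hour, interval_hours, trains=1, beta=0.0,
                        steps=2000):
    """Unavailability of identical standby trains, averaged over one interval.

    All trains are tested together every `interval_hours`. A fraction `beta`
    of the failure rate is common cause (fails every train at once); the
    remainder acts independently on each train. The time average is taken
    with Simpson's rule.
    """
    if rate_per_hour <= 0 or interval_hours <= 0:
        raise ValueError("rate and interval must be positive")
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    steps += steps % 2  # Simpson's rule needs an even number of panels
    independent_rate = (1.0 - beta) * rate_per_hour
    common_rate = beta * rate_per_hour

    def system_failed(t):
        all_trains = failed_fraction(independent_rate, t) ** trains
        common = failed_fraction(common_rate, t)
        # P(A or B) for independent events, written to avoid cancellation
        return all_trains + common - all_trains * common

    h = interval_hours / steps
    total = system_failed(0.0) + system_failed(interval_hours)
    for i in range(1, steps):
        total += (4 if i % 2 else 2) * system_failed(i * h)
    return total * h / 3.0 / interval_hours


def interval_change_ratio(rate_per_hour, old_months, new_months, **system):
    """Factor by which mean unavailability grows when the interval changes."""
    old = mean_unavailability(rate_per_hour, old_months * HOURS_PER_MONTH, **system)
    new = mean_unavailability(rate_per_hour, new_months * HOURS_PER_MONTH, **system)
    return new / old


if __name__ == "__main__":
    rate = 1e-5  # constructed failure rate per hour, not a value from the PSS
    cases = [
        ("single component", {}),
        ("two trains, no common cause", {"trains": 2}),
        ("two trains, beta = 0.1", {"trains": 2, "beta": 0.1}),
    ]
    for label, system in cases:
        monthly = mean_unavailability(rate, HOURS_PER_MONTH, **system)
        ratio = interval_change_ratio(rate, 1, 3, **system)
        print(f"{label:30s} monthly q = {monthly:.3e}  quarterly/monthly = {ratio:.2f}")
    # At a high failure rate the lambda*T/2 approximation no longer holds.
    print(f"single component, rate 1e-3/h: ratio = "
          f"{interval_change_ratio(1e-3, 1, 3):.2f}")
```

Under these assumptions the single-component ratio is just under 3, a fully independent redundant pair grows by nearly 9, and a modest common-cause fraction pulls the pair back toward 3, which is why the treatment of common cause failures matters when the interval change is carried through to system unavailabilities.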
Examples of areas where the PSS is incomplete include relay chatter caused by a seismic event and loss of room cooling. The following are not ordinarily modeled in a PRA: sabotage, design and construction errors (not readily quantifiable), equipment aging, seismic events causing a fire, and the effect of inadvertent and widespread initiation of fire suppression equipment following a seismic event caused by the g-level or suspended dust. The effect of a seismic event on non-safety systems, which in turn may affect safety-related systems, was not fully considered in the PSS or its review. Northeast Utilities has performed a walkthrough inspection of the plant on this subject. However, the walkthrough was conducted before the completion of construction.
The staff currently is considering designating earthquake induced relay chatter a generic issue. Relay chatter can misalign equipment, instrumentation, and circuit breakers. The staff performed scoping calculations (see Section 5.3.1.3), which assumed that if relay chatter occurred and there was no operator intervention, then core damage could occur. Although the staff chose relay chatter fragilities from three sources, the amount of data on relay fragilities is limited. Using the PSS and SHCP hazard curves, the estimated mean annual core damage frequency for Millstone 3 due to relay chatter from an earthquake (assuming no operator intervention) ranges from 3x10^-8 to 9x10^-4. Because this was a scoping calculation, relay chatter is not reflected in the staff's analysis of dominant core damage frequency and risk sequences. Section 5.3.1.3 discusses potential improvements for coping with relay chatter from earthquakes.
Loss of room cooling was identified during the performance of the Midland Nuclear Power Plant PRA to be such a significant contributor to core damage frequency that Consumers Power Company modified the design of the Midland essential chilled water system. The staff performed a scoping analysis (see Section 5.3.1.4) of loss of room cooling for Millstone 3. This analysis assumed that if room cooling was lost in a switchgear room or a pump room for 2 hours, the equipment in that room would fail. There is considerable uncertainty in the heatup rate of rooms and the minimum temperature at which equipment will fail (we would expect this temperature to be above the design temperature). On the basis of the staff's simplified scoping analysis, the mean annual core damage frequency for loss of room cooling could be greater than 1x10^-4 assuming no credit for alternative cooling strategies. For at least some safety significant rooms, such as the east switchgear room, Northeast Utilities has provided an alternative source of cooling. It may also be possible to cool some rooms by opening doors or bringing in fans with "elephant" hoses. Because this was a scoping calculation, loss of room cooling is not reflected in the staff's analysis of dominant core damage frequency and risk sequences. Section 5.3.1.4 discusses staff recommendations related to the loss of room cooling issue.
The Millstone 3 Safety Evaluation Report (NUREG-1031) has a confirmatory item regarding the capability of Millstone 3 to withstand earthquakes beyond the SSE.
In conjunction with the resolution of this item, the staff has prepared questions for Northeast Utilities on the following areas: (1) fragility analyses of the service water pump house retaining wall and the emergency generator enclosure and (2) the effect of beach sand liquefaction blocking the service water intake as the result of an earthquake. The staff has no reason to believe that resolution of these particular questions will change its recommendations in Section 5.3.
2.4.2 Containment Response

The containment response to gradual overpressurization events is well understood, and variations within reason do not have a major effect on overall risk.
The same is not true for hydrogen burns. For a sequence involving failure of containment sprays, the containment atmosphere that will be initially filled with steam may de-inert late in the accident because of condensation, resulting in a large global hydrogen burn. If pessimistic assumptions about the important parameters governing such an event are made, the staff estimates that the containment could fail if the containment de-inerted 6 to 20 hours after vessel failure. The conditional consequences of such an event would be significant.
This containment failure mode is of particular importance for station blackout sequences, the largest contributors to core damage frequency.
There is uncertainty in whether there is significant source term reduction from recovery of containment sprays following station blackout induced core melt and vessel failure. The containment may be only slightly steam inerted when sprays are recovered. Steam condensation could lead to a hydrogen burn before much scrubbing could be accomplished by the sprays.
There are three low probability failure modes that represent a source of some uncertainty.
First, the staff has assumed a mean conditional probability of 10^-4 for prompt containment failure caused by steam explosions. This probability would have to be 10^-2 or greater to become a significant contributor to early fatalities.
The best information currently available supports the assumption of a low, not a high, probability for this sequence.
Second is the potential of early containment failure caused by direct heating of the containment atmosphere following high pressure failure of the reactor vessel. Here a significant fraction of the core is converted to aerosol and then lofted into the upper containment volume, where it rapidly transfers heat and chemical energy to the containment atmosphere. The NRC Containment Loads Working Group has shown that containment failure by this mechanism is possible, but it has not yet determined its likelihood. For this phenomenon to significantly alter its overall risk estimates, the staff would have to assign it a probability greater than 10^-2 for high pressure sequences. Compared with other containment designs, the confined geometry of the Millstone 3 cavity would tend to reduce the dispersal of core debris. Consequently, the pressure rise resulting from this mechanism is much less likely to fail the containment. Therefore, the staff has assumed that the direct heating failure mode is not a significant source of risk.
Third, the PSS assumes that the mean probability of failure to isolate the containment is 2x10^-4. The fact that the containment must be maintained at subatmospheric pressure lends credence to the assumption that major preexisting vent paths will not occur. However, the staff considers it an important aspect of Millstone 3 operation to ensure this reliability of isolation. This question is discussed further in Section 5.3.3.
Uncertainties in the radiological source term are high, but the staff is confident that the source term estimates it has used are on the high side of the error bounds. Recent research on source term behavior has led to quantification of several mechanisms of source term reduction which the staff has not accounted for in its calculations. In general, the radiological release fractions the staff has used are representative of the higher limit of uncertainty in source terms calculated with the more recent methods. The implications of this result are discussed further in Section 5.3.
More details on containment response are available in NUREG/CR-4143.
2.4.3 Consequence Analysis

The uncertainties in the consequence analysis are discussed in the Millstone 3 Final Environmental Statement (NUREG-1064). The principal uncertainties relate to radionuclide release and dispersion, emergency response effectiveness, and dose response relationships. The magnitudes of these uncertainties have not been accurately quantified, but the uncertainties are generally estimated as being greater than a factor of 10 but less than a factor of 100.
Table 2.1 Important internal event contributors to Millstone 3 mean annual core damage frequency

| Event | Probabilistic Safety Study | Review | Differences |
|---|---|---|---|
| Loss of offsite power (station blackout with reactor coolant pump (RCP) seal loss-of-coolant accident (LOCA)) | 1x10^-5 | 1x10^-4 | Staff included failure of diesel generators to run, used more realistic RCP seal LOCA assumptions, used more realistic diesel generator failure-to-start probabilities, used different recovery rates for loss of offsite power. |
| Loss of feedwater-type event | 2x10^-5 | 1x10^-5 | Staff analysis included recovery actions and use of power conversion system. |
| Loss of a vital AC bus | 1x10^-5 | 1x10^-5 | |
| Small LOCA | 1x10^-8 | 4x10 s | Staff gave no credit for reactor coolant system depressurization. |
| Loss of a vital DC bus | 2x10^-6 | 2x10^-5 | Staff used a higher frequency for loss of a vital DC bus. |
| Steam generator tube rupture (SGTR) | 1x10^-8 | 7x10^-6 | Staff used a different frequency for SGTR and added cognitive operator errors. |
| Anticipated transient without scram (ATWS) | 2x10^-8 | 5x10^-6 | Staff analysis follows ATWS rule regulatory analysis. |
| Total | 5x10^-5 | 2x10^-4 | |

Numbers have been rounded up.
Table 2.2 Important external event contributors to Millstone 3 mean annual core damage frequency*

| Seismic** | PSS hazard curve | SHCP hazard curve |
|---|---|---|
| Small loss-of-coolant accident (LOCA) with early core melt. No containment cooling. Station blackout with reactor coolant pump seal LOCA (due to failure of emergency diesel generator (EDG) oil cooler bolts, collapse of EDG enclosure, or collapse of control building) or anticipated transient without scram with failed refueling water storage tank (RWST) | 6x10^-6 | 9x10^-5 |
| Large LOCA with early core melt. All mitigating systems are assumed failed. Large LOCA with station blackout, or Large LOCA with control building failure, or Large LOCA with failed RWST | 4x10^-7 | 1x10^-5 |
| LOCA with containment bypass. All mitigating systems are assumed failed. Containment crane wall collapse | 2x10^-7 | 4x10^-6 |

| Fire | With PSS human error rate | With staff human error rate |
|---|---|---|
| In control room, cable spreading room, or instrument rack room with human error to man auxiliary shutdown panel | 2x10^-6 | 3x10^-6† |
| In switchgear rooms | 1x10^-6 | 1x10^-6 |
| In electrical tunnels | 1x10^-8 | 1x10^-6 |
| Other | 1x10 s | 1x10^-6 |

*Numbers have been rounded up.
**As calculated by the staff using modified fragilities from the PSS.
†A staff contractor, Lawrence Livermore National Laboratory, estimated as 2x10^-5.
NOTE: PSS = Probabilistic Safety Study; SHCP = Seismic Hazard Characterization Project.
Table 2.3 Important contributors to risk (per reactor year) at Millstone 3 from internal events (150 miles)

| Initiator and additional failures | Early fatalities | Latent fatalities | Person-rem |
|---|---|---|---|
| Station blackout with reactor coolant pump seal loss-of-coolant accident (LOCA) | -- | 2x10^-3 | 26 |
| Residual heat removal system LOCA (V-sequence) | 3x10^-4 | 2x10^-3 | 16 |
| Steam generator tube rupture with various operator errors | 1x10^-5 | 8x10^-4 | 10 |
| Loss of a vital AC bus with loss of auxiliary feedwater and loss of either recirculation capability or feed and bleed and quench spray | -- | 8x10^-4 | 15 |
| Incore instrument tube LOCA with loss of quench spray and recirculation pumps | -- | 3x10^-4 | 3 |
| Loss of a single vital DC bus with loss of auxiliary feedwater, no feed and bleed, and no containment spray | -- | 5x10^-4 | 6 |
| Large or medium LOCA with loss of recirculation capability | -- | 3x10^-4 | 4 |
Table 2.4 Important contributors to risk (per reactor year) at Millstone 3 from seismic events (150 miles)

| Components: grouped by plant response | Early fatalities, PSS | Early fatalities, SHCP | Latent fatalities, PSS | Latent fatalities, SHCP | Person-rem, PSS | Person-rem, SHCP |
|---|---|---|---|---|---|---|
| Large LOCA, early core melt: (Emergency diesel generator oil; (Emergency diesel generator building collapse) * (LOSP) * (RCS piping); (RCS piping) * (Control building failure); (RCS piping) * (RWST) | 6x10^-8 | 1x10^-4 | 7x10^-4 | 2x10^-2 | 7 | 140 |
| Small LOCA, early core melt: (Emergency diesel generator oil cooler) * (LOSP); (Emergency diesel generator building collapse) * (LOSP); (Control building failure by collapse) * (LOSP); (Core geometry distortion) * (RWST); (Control rod drive system) * (RWST) | 3x10^-8 | 6x10^-5 | 8x10^-3 | 1x10^-1 | 97 | 1632 |
| Large LOCA, early melt with containment bypass: (Containment crane wall collapse) | 2x10^-5 | 1x10^-3 | 3x10^-4 | 1x10^-2 | 3 | 122 |

NOTES: PSS = Probabilistic Safety Study; SHCP = Seismic Hazard Characterization Project; LOCA = loss-of-coolant accident; LOSP = loss of offsite power; RCS = reactor coolant system; RWST = refueling water storage tank.
Use of "*" indicates that a combination of failures must occur for core damage to occur.
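Table 2.5 Breakdown of risk (per reactor year) by containment failure mode (150 miles)

| Consequence | Failure mode* | Internal** | Fire | Seismic hazard, PSS | Seismic hazard, SHCP |
|---|---|---|---|---|---|
| Early fatalities | M1A | 3x10^-4 | - | - | - |
| Early fatalities | M1B | 1x10^-5 | - | - | - |
| Early fatalities | M4 | - | - | 2x10 s | 1x10^-3 |
| Early fatalities | M5/6 | - | - | 6x10^-8 | 1x10^-4 |
| Early fatalities | M7 | - | - | 3x10 s | 6x10^-5 |
| Early fatalities | M6s | | | | |
| Latent cancer deaths | M1A | 2x10^-8 | - | - | - |
| Latent cancer deaths | M1B | 8x10^-4 | - | - | - |
| Latent cancer deaths | M4 | - | - | 3x10^-4 | 1x10^-2 |
| Latent cancer deaths | M5/6 | - | - | 7x10^-4 | 2x10^-2 |
| Latent cancer deaths | M7 | 4x10^-3 | 3x10^-3 | 1x10^-2 | 1x10^-1 |
| Latent cancer deaths | M6s | 2x10^-4 | - | - | - |
| Public dose (person-rem) | M1A | 16 | - | - | - |
| Public dose (person-rem) | M1B | 10 | - | - | - |
| Public dose (person-rem) | M4 | - | - | 3 | 122 |
| Public dose (person-rem) | M5/6 | - | - | 7 | 140 |
| Public dose (person-rem) | M7 | 53 | 45 | 103 | 1698 |
| Public dose (person-rem) | M6s | 2 | - | - | - |

*M1A = interfacing systems loss-of-coolant accident; M1B = steam generator tube rupture; M4 = failure to isolate containment; M5/6 = overpressure failure caused by hydrogen burns; M7 = late overpressure failure caused by, in part, natural condensation de-inerting; M6s = hydrogen burn following recovery of sprays in station blackout.
**Staff central estimate.
NOTE: PSS = Probabilistic Safety Study; SHCP = Seismic Hazard Characterization Project.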
Table 2.6 Conditional mean value of societal consequences from individual containment failure modes (regional)

| Consequence category | Offsite response* | M1A | M1B | M2A† | M2B† | M4 | M6 | M7 | M6s |
|---|---|---|---|---|---|---|---|---|---|
| Early fatalities | Evac-Reloc | 420 | 4.3 | 0.17 | 6.6 | 9.6 | 8.8 | 0 | 0 |
| Early fatalities | Late Reloc | - | - | 55 | 13 | 260 | 22 | 1.1 | 0 |
| Latent cancer death | Evac-Reloc | 2400 | 410 | 2800 | 4200 | 3000 | 2200 | 1400 | 27 |
| Latent cancer death | Late Reloc | - | - | 3100 | 4600 | 3400 | 2500 | 1600 | 100 |

Person-rem, Evac-Reloc: 2x10*7 5x10*6 3x10+7 3x10+7 3x10*7 2x10+7 3x10++5
Person-rem, Late Reloc: - - 3x10*7 3x10+7 4x10+7 2x10+*7 3x10 2x10*7 3x10 5

*"Evac-Reloc" refers to normal emergency response. "Late Reloc" refers to impaired emergency response because of a seismic regional disaster.
**M1A = interfacing systems loss-of-coolant accident; M1B = steam generator tube rupture; M2A = early overpressure failure; M2B = prompt failure caused by steam explosion; M4 = failure to isolate containment; M5/6 = overpressure failure caused by hydrogen burns; M7 = late overpressure failure; M6s = hydrogen burn following recovery of sprays in station blackout.
†Early overpressure failure (M2A) and steam explosion (M2B) do not contribute significantly to risk because of their low estimated frequency of occurrence.
Table 2.7 Overall estimates of mean severe accident risk (per reactor year) for Millstone 3 (150 miles)

| Initiator | Early fatalities | Latent fatalities | Public dose (person-rem) |
|---|---|---|---|
| Internal | 3x10^-4 | 6x10^-3 | 80 |
| Fire | -- | 3x10^-3 | 45 |
| Seismic, PSS hazard curve | 3x10 s | 1x10^-2 | 113 |
| Seismic, SHCP hazard curve | 1x10^-3 | 1x10^-1 | 1960 |
| Total (with PSS hazard) | 4x10^-4 | 2x10^-2 | 238 |
| Total (with SHCP hazard) | 1x10^-3 | 1x10^-1 | 2085 |

NOTE: PSS = Probabilistic Safety Study; SHCP = Seismic Hazard Characterization Project.
3 DOMINANT ACCIDENT SEQUENCES

This section discusses in more detail some of the most important contributors to core damage frequency and risk and describes each sequence, what fails, and what is significant.
3.1 Dominant Internal Events

Station Blackout

A loss of offsite power leading to station blackout (all diesel generators lost and a reactor coolant pump (RCP) seal loss-of-coolant accident (LOCA)) is of substantial significance to safety because of the relatively high frequency of station blackout and the leaks that can occur from an RCP seal LOCA on loss of seal cooling. The loss of offsite power frequency at the Millstone site used in the staff's analysis is taken from draft NUREG-1032. Although the grid stability at the Millstone site is average or better, Millstone 3 is on the Long Island Sound and is subject to potentially severe storms and hurricanes. The site has already experienced a loss of offsite power event caused by hurricane winds blowing salt spray onto the common switchyard. The salt spray shorted out the electrical insulators and offsite power was lost. The operators had considerable difficulty in restoring power. Northeast Utilities has stated that it has taken steps to remedy this failure mode. The staff is not sure to what degree the problem actually has been rectified. Therefore, the staff believes, at best, it can only credit Millstone 3 with an average loss of offsite power frequency.
Station blackout, if sufficiently long, leads to severe core damage. Without AC power, pumps cannot supply cooling flow to the seals on the RCP shaft, and the seals in each RCP are assumed to fail after about 30 minutes. The staff assumes that they leak at about 300 gpm (same value as that used in the Indian Point Probabilistic Safety Study) each for a total leak rate of 1200 gpm. (Recent calculations have raised the estimated maximum RCP seal leak rate from 300 gpm to 500 gpm. This change makes little difference in the staff's estimated core damage frequency.) If power is not restored, the core will uncover about an hour after the seal leak begins because there is no way to replenish the core inventory unless AC power is restored. The staff's model includes restoration of offsite AC power as well as repair and startup of an emergency diesel generator. (See Appendix B.)
In a station blackout, all high pressure emergency core cooling system equipment is inoperable because there is no AC power. Similarly, no quench spray (containment spray) is initially available. Once the core uncovers at about 90 minutes into the event, core damage is assumed to be extensive and rapid.
Overpressure failure of the containment is possible for station blackouts of more than a day's duration. That possibility is not considered in the base case for containment failure because of the staff's assumption that offsite power will be restored before that time. If the staff assumes that restoration of offsite power takes up to 48 hours, it calculates an increase of about a factor of three in mean annual person-rem. This and other sensitivity cases for the containment response to station blackout events are considered in Section 5.3.1.
The containment response to a station blackout in the staff's base case depends on the steam concentration in the containment atmosphere. After the core has melted and the reactor vessel has failed, the steam concentration will be high enough to inert the atmosphere against hydrogen burns, but not nearly high enough to overpressurize the containment. Later in the accident, the steam concentration will decrease because of restoration of the sprays or by natural condensation.
If a hydrogen burn occurs shortly after vessel failure, the hydrogen concentration will be low, and the resulting pressure spike will not be expected to fail the containment. However, after vessel failure, the hydrogen concentration will increase gradually because of core-concrete interactions in the reactor cavity. If de-inerting due to condensation occurs more than 6 hours after vessel failure, containment failure due to hydrogen burn cannot be ruled out. Assuming pessimistic values for the most important parameters, the staff estimates a 15% to 20% conditional probability of failure. However, for a wide range of credible scenarios, the staff estimates that there is little or no likelihood of containment failure as a result of de-inerting due to condensation.
At the request of NRC, Northeast Utilities performed calculations to determine the magnitude of the radiological source term released as a result of a potential hydrogen burn following actuation of containment spray. The calculations, performed with the CORRAL code, revealed that the short period of spray operation required to de-inert the containment atmosphere (about 30 minutes) would be sufficient to reduce the suspended aerosol concentrations by at least two orders of magnitude. Consequently, although the containment could fail in this sequence, the radiological releases, and therefore the offsite consequences, have been determined to be very low. The conditional consequences of hydrogen burn failures following station blackout are low because the likelihood of containment failure is low, and, in the case of burns due to recovery of sprays, because the radiological releases are low. Therefore, although the station blackout event is an important contributor to core melt frequency, it contributes a much smaller fraction to severe accident risk.
Loss of Feedwater-Type Events

Because the plant responds in a similar way to each of the following transients and because they can all be modeled on a loss of feedwater event tree, the staff calls the following loss of feedwater-type events: loss of main feedwater, loss of reactor coolant system flow, primary-to-secondary power mismatch, turbine trip, reactor trip, and core power excursion. The final report (NUREG/CR-4142) on Lawrence Livermore National Laboratory's review of the Millstone 3 PSS discusses this grouping in detail.
The staff's analysis of these events gives partial credit for the power conversion system being available. The power conversion system can be used to cool down the primary system via the steam generators. The analysis performed in the PSS took no credit for use or restoration of the power conversion system after reactor trip because, as currently designed, the main feedwater system trips at Millstone 3 on every reactor trip. Auxiliary feedwater is always used to remove decay heat.
Loss of feedwater-type events have a total frequency of about 10 per year. For about 20% of these events, it is not possible to restore and restart the power conversion system to help cool down the plant following reactor trip (usually because it would take too long to restore the power conversion system to an operable state). The staff has estimated that the most important loss of feedwater-type event sequence is one for which the power conversion system cannot be quickly restored. In this sequence, main feedwater is lost and auxiliary feedwater is called on but also fails. Therefore, no decay heat is removed by the secondary side, except for boil off of the steam generator inventory. The primary system pressure and temperature increase. To remove decay heat and maintain primary inventory (which otherwise would be depleted), the operator is supposed to establish primary feed and bleed by opening both power-operated relief valves (PORVs) and starting the high pressure injection pumps if they are not already started. In this sequence the operator fails to establish feed and bleed, either through operator error or by failure of one PORV path to open. The core melts early, but containment sprays are operational. Under these circumstances, the radiological releases to the environment are minimal, with the exception of a small probability (10^-4) that the containment will not be isolated. In general, the risk from loss of feedwater-type events can be considered small since the loss of feedwater-type sequences with higher frequencies all have containment sprays operable.
Small LOCAs

Small LOCAs are estimated to occur with a mean frequency of about 4x10^-3 per year. Northeast Utilities estimates that, for about 99% of the small LOCAs, cooldown and depressurization of the primary system will negate the need to go to high pressure recirculation. Although there already have been several small LOCAs at N Rs, none required use of the recirculation mode of core cooling, partly because each LOCA had a relatively small leak rate. The staff is unaware of calculations that demonstrate that any particular percentage of small LOCAs would not require use of recirculation core cooling. Rather than guessing, perhaps optimistically, the staff gives no credit, at this time, for depressurization.
In the most important small LOCA sequence, as estimated by the staff, high pressure recirculation is required but fails. There is a late core melt with recirculation containment sprays operational. The sprays limit containment pressure rise, and the offsite consequences of the event are quite benign.
The residual heat removal (RHR) system is a low pressure system designed to remove decay heat from the primary system. The RHR system takes suction from the hot legs, reduces primary fluid temperature via a heat exchanger, and discharges the primary fluid to the cold legs. The RHR system has two parallel suction paths. Three closed motor-operated valves in each suction line provide RHR isolation protection from full primary system pressure when at power. The staff notes that Northeast Utilities has not yet submitted an analysis to justify that the piping between the second and third isolation valves and the third valve itself can withstand full primary system pressure. A relief valve between the second and third valves may ameliorate the pressure requirements in that line segment. The staff assumes in its analysis that only the first two valves are qualified. Three check valves, one motor-operated valve, and a small relief valve provide discharge line overpressure protection for each of the discharge lines.
An RHR LOCA (or V-sequence) occurs when any of the following happen: motor-driven isolation valves in an RHR suction line fail open (because of sequential valve ruptures or rupture of one valve with the other valve actually open although indicating closed) or the three check valves and the closed motor-driven isolation valve in an RHR discharge line fail open. These failures would subject the low pressure RHR system to full primary system pressure. The RHR system would fail, causing a LOCA outside the containment.
Because the emergency core cooling system would not be able to maintain core inventory, early core melt would result. The RHR system LOCA is estimated to have a low mean frequency of occurrence (8x10^-7 per year based on the two motor-driven isolation valves and their associated piping segments in each suction line).
Following core melt, the noble gases and other volatile fission products would be released directly to the environment, with no benefit from the containment and with little or no warning to the public. Nonvolatile fission products would be retained in the fuel until after vessel failure and would not be released directly. The prompt release of volatile radionuclides makes the V-sequence the largest contributor to early fatalities (with the possible exception of severe earthquakes) and a significant source of latent cancer fatalities. This estimate may be somewhat conservative because it gives no credit for mitigation of or recovery from a degraded core situation.
3.2 Dominant External Events
Fire
The state-of-the-art in probabilistic analysis of fires, at best, has very large uncertainties. In part this is due to the inability of any model to accurately predict how a fire will spread. It is the staff's opinion that a state-of-the-art probabilistic fire analysis can best be used to give insights into areas that may have a potential vulnerability not readily apparent from traditional deterministic analyses performed in Safety Analysis Reports.
The sequence of events following a fire that the staff's review finds most important involves a fire in either the control room, the instrument rack room (which adjoins the control room), or the cable spreading room (which is under the control room). Fire in any one of these areas can lead to the need to abandon the control room because of flames, smoke, or loss of control of vital equipment. If the control room is abandoned, the reactor can be shut down safely if the auxiliary shutdown panel is manned. If the panel is not manned, core damage is assumed to occur and containment sprays are assumed to become inoperable.
The fire analysis by Northeast Utilities, the review by Lawrence Livermore National Laboratory (a staff contractor), and the review by the staff estimated the mean human error rate to man the auxiliary shutdown panel to be 0.001, 0.2, and 0.02, respectively. Human error rates are very controversial and subject to large uncertainties. If a mean human error rate of 0.2 is assumed (NUREG/CR-4142), fire is a very important contributor to latent fatalities. If a mean human error rate of 0.001 or 0.02 is assumed, fire becomes a much smaller contributor to latent fatalities.
Seismic
The major contributors to mean seismic core damage frequency and latent fatalities are station blackout induced RCP seal LOCAs and ATWS events (see Table 2.4). These events are small LOCAs with no containment cooling. The major contributors to early fatalities are from containment crane wall failure leading to a large LOCA with containment failure before core melt and from a large LOCA with failure of all mitigating systems. (See Appendices C and D for details of the staff's calculations.)
Seismically Induced Large LOCAs
The dominant large break LOCA sequences caused by seismic initiators are all accompanied by a loss of containment cooling and hence are susceptible to late overpressure failure of the containment. However, Northeast Utilities' calculations of containment response predict a period after core melt during which there is a flammable mixture in the containment. Northeast Utilities estimated that about 60% of these events would lead to hydrogen burn failures at about 4 hours after core melt. The staff has not changed this estimate, although it believes it is conservative.
In the containment crane wall collapse sequence, structural failure of the crane wall causes a large LOCA, loss of emergency core cooling system injection, and containment failure before core melt. For this type of failure, the number of early fatalities is significant because a large fraction of all the fission products is released with no warning.
Seismically induced large break LOCAs are significant contributors to the risk of latent cancer fatalities and overall public exposure (person-rem). The containment crane wall collapse sequence is a large source of early fatalities, and with the upper-limit SHCP hazard curves, this sequence dominates the risk of early fatalities. (See Table 2.4.)
Seismically Induced Small LOCAs
As with the large break LOCAs, small LOCAs caused by seismic initiators are accompanied by failure of containment sprays. In most cases the staff expects the containment to remain steam inerted throughout the event. However, there is a small risk of hydrogen burn due to de-inerting of the containment from natural condensation. If the containment does not fail by a hydrogen burn, it is assumed to fail about 24 hours after the core melts because of slow overpressurization from the core-concrete interaction. These are station blackout sequences with no recovery of AC power. Core melt is due to an RCP seal LOCA or DC battery depletion.
The small LOCA sequences are significant contributors to all risk categories, even when calculated with the lower bound PSS hazard curves. With the SHCP hazard curves, the small LOCAs dominate the risk of latent fatalities and public exposure. (See Table 2.4 and Section 5.3.1.)
4 PERSPECTIVES ON MILLSTONE 3 RISK
The NRC requested a probabilistic safety study for Millstone 3 primarily because of concern about the high population density in the vicinity of the site. As in the cases of Zion, Indian Point, and Limerick, the Commission wanted to ascertain whether Millstone 3 represents an undue portion of the risk of nuclear power. The staff has discussed the estimated risks for Millstone 3 along with those of Zion, Indian Point, and Limerick. These plants were chosen because they are located at high population sites, and because probabilistic safety studies for those plants, performed with a scope similar to that used for Millstone 3, have already been reviewed by the NRC staff.
The mean regional risk estimates for all seven units are presented in Table 4.1.
Millstone 3 risk estimates based on both the PSS and SHCP hazard curves are shown. The staff does not encourage direct comparison of bottom-line results of different PRAs. If a comparison is to be made, the PSS hazard curve results should be used because the same analysts developed the seismic hazard curves for the Zion, Indian Point, and Limerick PRAs; otherwise, differences in the analyst or methodology used might override plant differences. The mean estimated risk at Millstone 3, based on the SHCP hazard curve, is much higher, but the staff assumes that a reanalysis of the other plants with the SHCP seismic hazards applicable to their sites could also yield higher risk estimates.
Given the uncertainties and differences in methodology, the staff can only conclude that the risk to the public posed by operation of Millstone 3 appears to be in the same range as that estimated for Zion, Indian Point, and Limerick.
Some risk differences are certainly due to the use of a more precise and less conservative method of calculating core-concrete interaction at Millstone 3.
Some of it would also be due to the method used in calculating the radiological releases from station blackout at Millstone 3.
Table 4.1 Mean regional risk estimates for Zion, Indian Point (IP), Limerick, and Millstone 3

| Risk | Zion* 1 and 2 | IP2** | IP3** | Limerick† 1 and 2 | Millstone 3, PSS seismic hazard | Millstone 3, SHCP seismic hazard |
|---|---|---|---|---|---|---|
| Early fatalities | 1x10^-3 | 2x10^-2 | 4x10^-3 | 5x10^-3 | 4x10^-4 | 1x10^-3 |
| Latent cancer fatalities | 1x10^-2 | 2x10^-2 | 1x10^-1 | 8x10^-2 | 2x10^-2 | 2x10^-1 |
| Person-rem | 375 | 2600 | 1430 | 1000 | 285 | 2459 |

*Speis, 1985.
**Moore, 1983.
†NUREG-0974.
NOTE: PSS = Probabilistic Safety Study; SHCP = Seismic Hazard Characterization Project.
5 PLANT DESIGN PERSPECTIVES
The following sections discuss (1) key design features of Millstone 3 that can affect core damage frequency and risk, (2) plant improvements made by Northeast Utilities as a result of performing the PSS, and (3) potential engineering and procedural improvements the staff recommends on the basis of its review of the Millstone 3 PSS.
5.1 Design Features Important to Safety
This section discusses some of the design features important to safety and notes if they are particularly beneficial or are potentially significant contributors to core damage frequency or risk. These design features are not listed in order of importance.
5.1.1 Primary System Loop Stop Valves
Reactor coolant pump (RCP) seal LOCAs and steam generator tube ruptures (SGTRs) are two of the most frequent types of small LOCAs. One potential method of preventing an RCP seal LOCA from leading to core damage is to isolate the leak if only one RCP is involved. At Millstone 3 each of the four primary system loops has two loop stop valves - one between the RCP and the reactor vessel and one between the steam generator hot leg inlet and the reactor vessel. These valves can potentially be used to isolate an RCP seal LOCA. Should an SGTR lead to core damage, the loop stop valves potentially could be beneficial in isolating the faulted steam generator, thereby mitigating offsite consequences. Northeast Utilities has indicated orally to the staff that it intends to write emergency procedures to take advantage of the capabilities of the loop stop valves.
The staff should review these procedures to see if use of these valves may exacerbate various transients or accidents or whether they can be closed against the differential pressures that would be experienced in severe accidents.
5.1.2 Auxiliary Feedwater System
The auxiliary feedwater system is designed to remove decay heat if the main feedwater system is lost. This is significant because at Millstone 3 the main feedwater system (power conversion system) trips on every reactor trip. The auxiliary feedwater system maintains steam generator inventory during startup and cooldown when the plant is below about 15% power. The staff found the auxiliary feedwater system to be well designed and believes it should have above average reliability. The auxiliary feedwater system consists of three trains: two motor-driven and one turbine-driven; any one train is sufficient for system success.
Even though the staff believes that the Millstone 3 auxiliary feedwater system is well designed, failure of auxiliary feedwater contributes appreciably to the severe core damage frequency. If auxiliary feedwater were perfectly reliable, the staff's estimate of the mean frequency of core damage would be reduced by about 5% (i.e., 1x10^-5 per year). One principal reason for this contribution to core damage frequency is that some initiating events (e.g., loss of a vital AC bus) will fail a train of auxiliary feedwater. The other principal reason is that auxiliary feedwater is needed to mitigate transients in which the power conversion system is lost, and such transients have a relatively high frequency.
5.1.3 Refueling Water Storage Tank
The refueling water storage tank (RWST) provides borated water to the suction of the charging, high pressure injection, residual heat removal, and quench spray pumps. These pumps provide core and containment cooling during transients and accidents.
The RWST at Millstone 3 has a capacity of 1.2 million gallons. Because of this large volume (compared to a "normal" 350,000 gallon RWST), the Millstone operators have significant additional time to respond to a LOCA or SGTR. This extra time can be used to diagnose the event or repair malfunctioning equipment.
5.1.4 Three Valves in Each Residual Heat Removal Suction Line
The residual heat removal (RHR) LOCA (V-sequence) is the largest contributor to early fatalities of any internally initiated event. The RHR LOCA occurs when isolation between the high pressure primary system and the low pressure RHR system is lost.
Many PWRs contain only two motor-driven isolation valves in series in each RHR suction line. Failure of both of these valves leads to a LOCA outside the containment. At Millstone 3 there is a third valve in each RHR suction line and a relief valve between the second and third valves. This third valve may reduce the frequency of the V-sequence if it is shown that (1) the piping between the second and third valves and the third valve itself can withstand full primary system pressure or (2) that the relief valve limits the pressure in the piping between the second and third valves to a value which the piping and valve can withstand.
5.1.5 High Pressure Recirculation
The high pressure recirculation system provides core cooling during the recirculation mode following a LOCA. Four recirculation pumps draw from a containment sump. Initially, all four pumps are automatically aligned to provide containment recirculation spray. Eventually, when the RWST is significantly depleted, any two of the four recirculation pumps are realigned to provide high pressure recirculation core cooling. The system is well designed insofar as recirculation to the core can be initiated before injection is complete. Nevertheless, failure of high pressure recirculation is found in many of the dominant accident sequences. The estimated mean frequency of core melt resulting from sequences in which high pressure recirculation fails is 3x10^-5 per year. At Millstone 3 all four recirculation pumps start automatically 5 minutes after a containment depressurization actuation signal and are initially aligned to the containment spray recirculation system. Switchover from containment spray recirculation to high pressure recirculation is not automatic. However, even if the human error probability were zero, the frequency of core melt sequences in which high pressure recirculation fails would change by less than 10%. Common mode mechanical failures, if totally eliminated, would decrease the core melt sequence frequency by only 30% for sequences involving failure of high pressure recirculation.
5.1.6 Containment Spray
At Millstone 3 the containment spray system includes the quench spray system and the recirculation spray system. Because the containment sprays are so effective in controlling containment pressure and reducing the radiological source term in the containment, many sequences contribute practically nothing to risk. For this reason, the containment sprays are considered to be one of the most effective mitigative features of the containment design.
5.1.7 Containment
A large majority of those sequences in which sprays are not in operation lead to late containment failure caused by slow overpressurization or late hydrogen burns. The probability of early overpressure failure, caused by a steam spike or hydrogen burns, has been shown to be a minimal contributor to risk except in the seismically induced large break LOCA sequence. This can be attributed to the large volume and high failure pressure of the containment. These features of the containment are important factors in reducing severe accident risk.
Given a core melt accident, the conditional probability of a failure to isolate the containment is considered to be very small because the plant operates in a subatmospheric mode. The reduction of this potentially important early release mode is a significant benefit of Millstone 3's subatmospheric containment design.
Because one of the dominant sources of risk is a slow overpressurization of the containment, any feature that delays that release will help to reduce the radiological releases. Two such features are (1) the dry cavity design, which prevents steam spikes in most accident sequences, and (2) the use of basaltic concrete, which reduces the production of noncondensible gases.
5.1.8 Emergency Onsite Power System
Station blackout (loss of all offsite and onsite AC power) is the largest estimated core damage frequency contributor at Millstone 3. Even when offsite grid reliability can be improved through the concerted efforts of the utilities operating the grid, for a particular plant, the quality of the emergency AC power system is frequently more significant in estimating station blackout frequency than the rate of loss of offsite power.
At Millstone 3, there are only two diesel generators. Given the validity of the staff's assumptions on RCP seal LOCA caused by station blackout, the reliability of the onsite AC power system is very important. Other plants, such as Zion 2 and 3, may have only two dedicated diesel generators per unit (plus a fifth swing diesel generator), but they have their service water and component cooling water systems cross-connected, which helps prevent loss of RCP seal cooling at either plant. At Indian Point each unit has three emergency diesel generators. In addition, one onsite and two offsite gas turbine generators can supply the emergency AC power requirements.
5.1.9 Power Conversion System
The power conversion system converts steam from the steam generators into electricity, condenses the steam to water, and returns it to the steam generators. The system includes, in part, the steam supply system, the turbine, the condenser, and the condensate and main feedwater systems. At Millstone 3 the power conversion system, as currently designed, trips on reactor trip. Decay heat removal must then be accomplished by the auxiliary feedwater system. The staff's analysis of the PSS shows that loss of auxiliary feedwater is a frequent contributor to sequences where core damage occurs. Northeast Utilities has orally informed the staff that it intends to modify the plant to increase the availability of the power conversion system.
5.1.10 DC Batteries
The DC battery system is very important to safety. Without DC power, many breakers cannot close, AC power might fail, and some instrumentation and control functions would be lost. The DC batteries are needed on loss of offsite power to flash the diesels and are needed on loss of all AC power to drive safety-related instrumentation and some valves. The staff believes the DC batteries should be credited with a discharge time of only 2 hours on the basis of input received from Northeast Utilities to date, while LLNL believes 8 hours as given in the PSS is more appropriate. If the contribution of the RCP seal LOCA to core damage frequency is reduced, DC battery depletion will assume more significance.
5.1.11 Reactor Coolant Pump Seals
Concerns have been raised about the ability of reactor coolant pump seals to withstand a loss of seal cooling. The staff estimates that seal LOCAs induced by station blackout are the largest contributors to core damage frequency at Millstone 3.
5.2 Plant Improvements Influenced by the Probabilistic Safety Study
The PRAs at Limerick and Indian Point influenced important design changes to reduce the estimated core damage frequency and risk. While preparing the PSS, Northeast Utilities identified two design errors:
(1) There was an input logic error in the emergency generator load sequencer (EGLS).
(2) The wrong AC power supply was connected to the EGLS.
These errors probably would have been discovered during preoperational testing, but their early identification and correction improved safety.
Besides these minor design changes, the PSS has identified the following critical operator actions for Northeast Utilities: (1) early termination of quench spray to conserve RWST water in the event of a small LOCA with failure of recirculation, (2) use of loop isolation valves in the long term for RCP seal LOCA and SGTR induced core melt, (3) alternative means of charging and safety injection pump cooling in the event of total loss of service water, and (4) the importance of monitoring containment sump level in the event of an incore instrument tube rupture.
5.3 Potential Engineering and Operational Improvements
On the basis of its review, the staff has determined that there are design and procedural improvements which, if carried out at Millstone 3, would further reduce the estimated core damage frequency, risk, and uncertainties. These recommendations include improvements in both prevention and mitigation. Prevention is important because it results in reducing both the expected onsite financial consequences of core damage and a large part of estimated societal costs.
Accident mitigation is an extension of defense-in-depth in that even if the staff is seriously incorrect in its estimate of the frequency of core damage, the accident mitigation features would help prevent risk to the public.
The estimated costs of the various alternatives discussed in this section are not to be considered precise. The staff notes that substantial changes in costs will not change any of the recommendations. Core melt frequencies used in the following backfit analyses are developed in Sections 2.1.1, 3.1, and 3.2 and Appendices B and C of this report and in Sections 3.1 through 3.12 of NUREG/CR-4142. Accident consequences used in the backfit analyses are developed in Sections 2.1.2, 2.2, and 2.3 of this report and in NUREG/CR-4143.
5.3.1 Design Improvements
5.3.1.1 Station Blackout From Events Other Than Earthquakes
5.3.1.1.1 Statement of Problem
The term "station blackout" refers to the complete loss of AC electric power to the essential and nonessential buses in a nuclear power plant. Station blackout, therefore, involves the loss of offsite power concurrent with the failure of the onsite emergency AC power system. Because many safety systems required for reactor core decay heat removal and containment heat removal are dependent on AC power, the consequences of station blackout could be severe.
In its review of the PSS, the staff finds that the Millstone 3 emergency power system, while meeting all of the staff's regulatory requirements, has a near-minimum design. There are two emergency diesel generators at Millstone 3 with no diversity, electrical cross-ties, or additional emergency power sources as are found at plants such as Indian Point and Zion, other high population density sites.
For Millstone 3, station blackout leading to a reactor coolant pump (RCP) seal LOCA is the largest contributor to mean core damage frequency (the staff estimates about 1x10^-4 per year). The staff estimates that station blackout contributes 50% of the core damage frequency due to internal events.
The staff estimates that station blackout contributes about 30% of the societal dose due to internal events. Depending on the assumptions made (e.g., conditional probability of hydrogen burn, offsite power recovery rate, and de-inerting due to condensation), the estimated mean dose per reactor year from station blackout out to 50 miles from the plant can range from about 2 to 60 person-rem. (The staff's central estimate out to 50 miles is about 7 person-rem per reactor-year.) Out to 150 miles from the plant, the mean annual dose can range from about 8 to 200 person-rem. (The staff's central estimate out to 150 miles is about 26 person-rem per reactor-year.) Although CRAC calculations out to only 50 miles ordinarily would be used in a backfit analysis value-impact assessment, New York City, its suburbs, and other densely populated areas lie beyond 50 miles but within 150 miles. This is significant because staff CRAC calculations estimate that downwind whole-body doses of 5 rem or more are quite possible for individuals living more than 50 miles from the site (based on long-term overpressure failure of the containment).
Currently there is no requirement for plants to be able to cope with a total loss of AC power. Existing requirements for offsite and onsite AC power systems are contained in General Design Criterion 17 (10 CFR 50, Appendix A) and are discussed in Standard Review Plan (SRP) Sections 8.2 and 8.3.1 (NUREG-0800).
Periodic testing of emergency diesel generators is discussed in Regulatory Guide 1.108. SRP Section 9.5 discusses design and maintenance provisions for the onsite emergency diesels. All of the above licensing requirements and guidance are directed at providing reliable offsite and onsite AC power.
The staff is pursuing generic resolution of station blackout under Unresolved Safety Issue A-44 and generic resolution of reactor coolant pump seal failure under Generic Issue 23.
5.3.1.1.2 Uncertainties
There are uncertainties related to the assumptions, equipment failure rates, omissions, modeling, human error, and other areas involved in estimating core damage frequency and risk attributable to station blackout. Some of these areas appear to be biased toward increasing or decreasing core damage frequency and risk. This section discusses both biases and uncertainties.
The following areas with associated uncertainty appear to be biased so that the staff believes the results given by their mean values may result in a conservative estimate:
(1) One of the most important uncertainties in the estimation of station blackout core damage frequency and risk is the RCP seal leak rate. The assumed average leak rate per pump for RCP seal LOCAs, once seal cooling is lost for some time following station blackout, will determine the time to core uncovery and core melt. The staff's analysis assumed a leak rate of 300 gpm per pump (same as that used in the Indian Point PSS) starting 30 minutes after loss of cooling. Increasing the assumed leak rate would not change the staff's core damage or risk results. A leak rate of 50 gpm per pump would uncover the core about 4 hours after the leak began. If the leak rate could be dropped to 10 gpm per pump or less, it would take over 20 hours to uncover the core assuming no inventory makeup would be possible. Generic Issue 23 is seeking resolution of RCP seal failure. The Westinghouse Owners Group on RCP seal failure has committed (no date determined) to replace the current O-ring seals with seals of a composition more suited to withstand the conditions (i.e., high temperature and pressure) they would experience during a station blackout. Reactor coolant pump O-ring failure is believed to be a significant contributor to catastrophic RCP seal failure during a station blackout.
(2) The staff's analysis does not take full credit for fission product agglomeration that can accelerate the gravitational settling that will occur in the containment and that will continue to remove fission products from the containment atmosphere. This difference is a "new source term perception" based on the NAUA computer program, which has been benchmarked against experiments. This is an important bias because it may reduce by an order of magnitude the estimated releases on containment failure resulting from long term overpressure.
(3) The staff analysis assumes that depletion of the DC safety-related batteries under station blackout conditions leads to rapid core melt because the operator will be without any instrumentation and control power for valves, relays, etc. The estimated core damage frequency is not sensitive to the time at which core damage occurs following battery depletion.
The following areas with associated uncertainty appear to lead to higher core damage frequency and risk estimates:
(1) Loss of room cooling (which itself can cause station blackout) is not included in the station blackout core damage frequency or risk results. The staff performed a scoping analysis that estimated the potential mean core damage frequency contribution from room cooling to be greater than 1x10^-4 per year. The analysis did not consider operator recovery and assumed that switchgear failed if room cooling was lost for 2 hours. These may be very conservative assumptions.
(2) The following areas would tend to increase core damage frequency and risk for station blackout and could turn out to be the most important uncertainties: design and construction errors, omissions in the analysis, and sabotage. They are not readily quantifiable.
(3) The staff has estimated that early containment failure modes such as direct heating will have a negligible effect on risk. If a 10% conditional probability of early failure were assumed, the risk estimates would be increased by about an order of magnitude.
Areas with associated uncertainty that appear to have no particular bias are operator error/operator recovery and loss of offsite power frequency.
5.3.1.1.3 Sensitivity Analysis
For station blackout events not caused by an earthquake, the staff evaluated a base case where, if de-inerting of the containment occurred because of natural condensation, the containment was estimated to fail 10% of the time; if de-inerting was due to spray recovery 6 or more hours after vessel failure, the containment was estimated to fail 50% of the time; and if AC power was unavailable for as long as 24 hours, power was always assumed to be restored at 24 hours. Battery depletion time was assumed to be 3 hours. The base case resulted in an estimated mean annual risk of 2 person-rem within 50 miles of the plant and 8 person-rem within 150 miles of the plant.
For the first alternative to the base case, the battery depletion time following station blackout was assumed to be 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />; containment failure as a result of hydrogen burns following natural condensation was neglected; if de-inerting was l due to spray recovery 6 or more hours after vessel failure, the containment was estimated to fail 50% of the time; and if offsite/onsite power was unavailable for as long as 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />, power was always assumed restored at 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br />. For the first alternative, the estimated mean annual risk was 7 person-rem within 50 miles of the plant and 26 person-rem within 150 miles of the plant. The staff considers this its central estimate of mean annual risk from non-earthquake induced station blackouts.
The second alternative was the same as the base case, but all hydrogen burns (natural condensation or spray de-inerting) were assumed to fail the containment.
For the second alternative (more conservative case), the estimated mean annual risk was 16 person-rem within 50 miles of the plant and 70 person-rem within 150 miles of the plant.
For the third alternative (the most conservative case), a station blackout lasting 6 hours after vessel failure was assumed to always cause a hydrogen burn that failed the containment. This resulted in an estimated mean annual risk of 59 person-rem within 50 miles of the plant and 200 person-rem within 150 miles of the plant.
5.3.1.1.4 Objectives

The general objective of the potential fixes is to reduce the impact of severe accidents associated with station blackout by reducing the station blackout contribution to total core melt frequency and risk.

5.3.1.1.5 Alternatives

The following approaches were considered as alternatives to meet the objective of reducing station blackout induced (non-earthquake events) core damage frequency and risk.
(1) Add a diverse gas turbine generator (which can charge an emergency battery) and an enclosure capable of withstanding very high winds (e.g., 150 mph).
Add a self-cooling, high head, low volume electric pump (powered by the gas turbine generator) to supply coolant to the RCP seals.
(2) Add a redundant emergency diesel generator (which can charge an emergency battery) and an enclosure capable of withstanding very high winds (e.g.,
150 mph). Add a self-cooling, high head, low volume electric pump (powered by the added diesel generator) to supply coolant to the RCP seals.
(3) Upgrade emergency battery, instrument air, and auxiliary feedwater supply capacity to last at least 8 hours following station blackout.
(4) Add a steam-driven turbine generator to charge emergency batteries and power an added electric pump (self cooled) to supply coolant to the RCP seals.
(5) Take no action and await resolution of Unresolved Safety Issue A-44 and Generic Issues 23 and 56 (proposed actions for enhancing diesel generator reliability).
Table 5.1 displays the value-impact analysis for each of the potential fixes out to 150 miles. The staff has used 150 miles rather than 50 miles in the value-impact analysis for several reasons:
(1) Dense population areas lie beyond 50 miles but within 150 miles of the Millstone site.
(2) CRAC calculations for events that result in late failure of the containment estimate that, for a significant fraction of the time, whole-body doses will exceed 5 person rem to individuals living more than 50 miles from the site.
(3) Most of the total estimated mean annual dose (even calculated out to 2000 miles) occurs to individuals living between 50 and 150 miles from the site.
Table 5.2 provides a summary of benefits and costs for Alternative (1). These include (1) reduction in public risk due to avoided offsite releases associated with reduced accident frequencies; (2) increased occupational dose from implementation and operation and maintenance activities, as well as reduced occupational exposure from cleanup and repair because of lower accident frequency; (3) costs to Northeast Utilities for implementation of modifications and operation and maintenance; (4) cost savings to Northeast Utilities from accident avoidance (onsite damage); and (5) NRC costs for review.
5.3.1.1.6 Value and Impact of Alternatives

ALTERNATIVE (1)

This alternative fix would require installation of a non-Seismic Category I gas turbine generator in an enclosure designed to withstand very high winds (e.g., 150 mph). The turbine generator would be capable of providing sufficient AC power to run an electric pump to cool RCP seals and charge an emergency battery. This alternative would also require installation of a non-Seismic Category I, self-cooled electric pump with high shutoff head and low volumetric capacity.

The value derived from implementing this potential fix would be a reduction in the estimated frequency of core melt due to station blackout and the associated risk of offsite radioactive releases. Primarily, Northeast Utilities, which would have to make the modifications, would be affected. The major advantages of this fix are that it would reduce the probability of an RCP seal LOCA, of battery depletion, and of common cause failure of the emergency AC power system.

Value

On the basis of its estimates for Millstone 3 of expected core damage frequency (see Section 2.1 and Appendix C) and risk (see Sections 2.1.2 and 2.3) due to station blackout, the staff can estimate the range of incremental reduction in risk and core damage frequency associated with this alternative. Reduction in core damage frequency for Alternative (1) is based on the assumption that the gas turbine generator (a diverse emergency power supply) will have a reliability of at least 0.95 and, therefore, will reduce core damage frequency by about an order of magnitude.

In calculating "value," the staff has taken into account (as noted in Sections 2.2 and 2.3) that not every core melt sequence leads to containment failure, and not every containment failure has the same estimated offsite consequences. The risk estimates used for this value-impact analysis are unique to the staff evaluation of Millstone 3. They differ from other plant-specific and generic risk analyses in part because of plant and site features and in part because of assumptions used in the Millstone 3 review and this value-impact analysis.
Impact

The estimated cost to Northeast Utilities to implement this potential fix ranges from $0.7 million to $1.2 million based on costs given in NUREG/CR-3840, p. A-19. The cost estimate includes hardware for a non-Seismic Category I gas turbine, a non-Seismic Category I electric pump (low flow, high head), and construction of an enclosure to house the gas turbine. The enclosure should be capable of withstanding very high winds (e.g., 150 mph). If installation of the turbine can be made inside an existing qualified structure, cost estimates would be lower.

Table 5.1 lists the estimated range in costs for each potential fix.
Including averted plant damage costs can significantly affect the overall cost-benefit evaluation. The effect of the proposed action on averting plant damage and cleanup costs has been estimated by multiplying the reduction in accident frequency by the discounted onsite property costs. The following equations from NUREG/CR-3568 were used to make this calculation:
$$V_{op} = \Delta F \, U \quad \text{and} \quad U = \frac{C \, e^{-r t_i}}{m r^2} \left[ 1 - e^{-r (t_f - t_i)} \right] \left( 1 - e^{-r m} \right)$$

where

$V_{op}$ = value of avoided onsite property damage
$\Delta F$ = reduction in accident frequency = 8x10^-5
$U$ = present value of onsite property damage
$C$ = cleanup, repair, and replacement costs = $4.3 billion ($2.5 billion for cleanup and repairs based on the assumed core melt being significantly worse than that at Three Mile Island, Unit 2, and $1.8 billion for replacement power based on NUREG/CR-3568)
$r$ = discount rate = 0.10 (10%)
$t_i$ = years before reactor begins operation = 0
$t_f$ = years remaining until end of plant life = 40
$m$ = period of time over which damage costs are paid out (recovery period in years) = 10

The discounted present values are shown in Table 5.3.
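The calculation above, carried through numerically as an added example (not code from the report or from NUREG/CR-3568). It assumes the denominator of U is m·r², the reading that reproduces the report's own figures of about $2.1 million at a 10% discount rate, $4.7 million at 5%, and about $26,000 for a frequency reduction of 1x10^-6; the function names are hypothetical.

```python
"""Discounted value of avoided onsite property damage, V = dF * U."""
import math


def discounted_onsite_cost(C, r, t_i, t_f, m):
    """Return U, the present value of onsite property damage.

    U = C * exp(-r*t_i) * [(1 - exp(-r*(t_f - t_i))) / r] * [(1 - exp(-r*m)) / (r*m)]

    This is the quoted expression with its denominator read as m * r**2
    (assumption: the exponent is not legible in the source scan).
    """
    if m <= 0:
        raise ValueError("recovery period m must be positive")
    if t_f < t_i:
        raise ValueError("t_f must not be earlier than t_i")
    if r < 0:
        raise ValueError("discount rate must not be negative")
    span = t_f - t_i
    if r == 0:
        # Limit of the expression as r -> 0: no discounting, so each year of
        # remaining plant life carries the full cost C.
        return C * span
    # -expm1(-x) equals 1 - exp(-x) and stays accurate for small x.
    life_factor = -math.expm1(-r * span) / r        # discounted years at risk
    payout_factor = -math.expm1(-r * m) / (r * m)   # cost paid out over m years
    return C * math.exp(-r * t_i) * life_factor * payout_factor


def avoided_onsite_damage(delta_f, C, r, t_i, t_f, m):
    """Return V, the value of avoided onsite property damage in dollars."""
    return delta_f * discounted_onsite_cost(C, r, t_i, t_f, m)


# Parameter values stated in the text for Millstone 3.
MILLSTONE = dict(C=4.3e9, t_i=0, t_f=40, m=10)


def millstone_cases():
    """Evaluate V for frequency reductions and discount rates cited in the report."""
    return {
        "blackout, 10%": avoided_onsite_damage(8e-5, r=0.10, **MILLSTONE),
        "blackout, 5%": avoided_onsite_damage(8e-5, r=0.05, **MILLSTONE),
        "seismic PSS, 10%": avoided_onsite_damage(1e-6, r=0.10, **MILLSTONE),
    }


if __name__ == "__main__":
    for label, value in millstone_cases().items():
        print(f"{label:18s} ${value:,.0f}")
```
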
Value-Impact Ratio

Table 5.2 provides a summary of the benefits and costs associated with Alternative (1). These include (1) reduction in public risk as a result of avoided offsite releases associated with reduced accident frequencies; (2) increased occupational dose from implementation and operation and maintenance activities, as well as reduced occupational exposure from cleanup and repair because of lower accident frequency; (3) costs to Northeast Utilities for implementation and maintenance activities, as well as reduced occupational exposure from cleanup and repair because of lower accident frequency; (4) costs to Northeast Utilities for implementation of modifications, operation and maintenance, and increased reporting requirements; and (5) NRC costs for review of reports.

The estimated range of costs for Northeast Utilities to comply with Alternative (1) is $0.7 million to $1.2 million based on NUREG/CR-3840. At a 10%
discount rate, the present value of avoided cleanup, repair, and replacement power is approximately $2.1 million. Also, the public risk reduction over the 40 year life of the plant ranges from 280 to 7600 person-rem.
Alternative (1) is estimated to reduce the station blackout mean core damage frequency by 8x10^-5 per year. The estimated incremental risk reduction for this alternative ranges from 7 to 190 person-rem per year depending on the scenario assumed. The estimated average cost per person-rem averted over the plant's 40 year lifetime is $630 per person-rem (geometric mean). This ratio may be low by as much as an order of magnitude. The staff's containment analysis conservatively treats fission product agglomeration and gravitational settling in containment.
If cost savings to Northeast Utilities from accident avoidance (cleanup and repair of onsite damages and replacement power) were included, the overall value-impact ratio would improve significantly. If this benefit were taken into account, the overall value-impact would show that estimated onsite savings are higher than estimated installation and operation costs.
ALTERNATIVE (2)
This alternative fix would require modifications similar to those in Alternative (1) except that Northeast Utilities would install a non-Seismic Category I emergency diesel generator rather than a gas turbine generator. The major advantage is that the utility already is experienced in operating and maintaining diesel generators. The major disadvantage is that the extra diesel generator does little to reduce the chance of a common cause failure of all diesel generators. The estimated cost of Alternative (2) ranges from $0.6 million to $0.8 million on the basis of cost estimates given on p. A-15 of NUREG/CR-3840.
Alternative (2) is estimated to reduce the station blackout core damage frequency by 1.5x10^-5 per year on the basis of the limiting common cause failure rate for three diesel generators. The estimated incremental risk reduction for this alternative ranges from 1 to 36 person-rem per year. The estimated average cost per person-rem averted over the plant's 40 year life is $2900 per person-rem.
ALTERNATIVE (3)
Another alternative considered by the staff would have Northeast Utilities upgrade the capacity of emergency DC bus batteries, the instrument air system, and the water supply to the suction of the auxiliary feedwater pumps so that they would last at least 8 hours following a station blackout. In addition, emergency procedures and operator testing would be upgraded. The major advantages to these improvements are (1) the relative low cost and (2) if the frequency or magnitude of RCP seal LOCAs is reduced, DC battery depletion appears to be the next largest contributor to station blackout induced core damage frequency. The major disadvantage to this alternative is that it does nothing to prevent or mitigate an RCP seal LOCA. The estimated cost of Alternative (3) ranges from $0.3 million to $0.5 million on the basis of costs given on pp. A-5, C-2, and D-2 of NUREG/CR-3840. On the basis of a staff analysis of the effect of extending battery capacity to 8 hours, Alternative (3) is estimated to reduce station blackout core damage frequency by 1.1x10^-5 per year. The estimated incremental risk reduction for this alternative ranges from 1 to 27 person-rem per year. The estimated average cost per person-rem averted over the plant's 40 year life is $1860 per person-rem.
ALTERNATIVE (4)
The fourth alternative would be to install a non-Seismic Category I, AC-independent, steam-driven turbine generator to charge the emergency batteries and power an added, self-cooled, motor-driven pump capable of delivering 50 to 100 gpm to reactor coolant pump seals. This potential fix is similar to that instituted in France to help prevent core melt caused by station blackout induced RCP seal failure and core melt caused by emergency battery depletion. The major advantages to this alternative are that it helps reduce both the frequency of station blackout and the probability of emergency battery depletion. The estimated cost of Alternative (4) ranges from $1.2 million to $1.7 million on the basis of costs given on p. B-6 of NUREG/CR-3840. Alternative (4) is estimated to reduce station blackout core damage frequency by 7x10^-5 per year on the basis of an assumed reliability of 0.9 for the system. The estimated incremental risk reduction for this alternative ranges from 7 to 180 person-rem per year. The estimated average cost per person-rem averted over the plant's 40 year life is $1005 per person-rem.
ALTERNATIVE (5)
This alternative would be to take no actions beyond those resulting from the proposed resolution of Unresolved Safety Issue A-44 and Generic Issues 56 and 23.
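The cost-per-person-rem figures quoted for Alternatives (1) through (4), recomputed as an added example (not code from the report). The text labels only the Alternative (1) figure "(geometric mean)"; the example assumes that each figure is the geometric mean of the cost range divided by the geometric mean of the 40-year dose range, which reproduces all four stated values to within rounding. It also shows the spread that the central estimate hides. Function names are hypothetical.

```python
"""Cost per person-rem averted for station blackout Alternatives (1)-(4)."""
import math

PLANT_LIFE_YEARS = 40  # plant lifetime used in the text

# Ranges quoted in the text: (cost low, cost high) in dollars and
# (risk reduction low, high) in person-rem per year within 150 miles.
ALTERNATIVES = {
    1: ((0.7e6, 1.2e6), (7, 190)),   # gas turbine generator
    2: ((0.6e6, 0.8e6), (1, 36)),    # redundant diesel generator
    3: ((0.3e6, 0.5e6), (1, 27)),    # 8-hour battery, air and feedwater capacity
    4: ((1.2e6, 1.7e6), (7, 180)),   # steam-driven turbine generator
}


def geometric_mean(low, high):
    """Geometric mean of the two ends of a range."""
    if low <= 0 or high <= 0:
        raise ValueError("geometric mean needs positive bounds")
    return math.sqrt(low * high)


def cost_per_person_rem(cost_range, annual_dose_range, years=PLANT_LIFE_YEARS):
    """Central estimate: geometric-mean cost over geometric-mean lifetime dose averted.

    Assumption: this is the averaging the report applied to every alternative.
    """
    cost = geometric_mean(*cost_range)
    dose = geometric_mean(*annual_dose_range) * years
    return cost / dose


def ratio_bounds(cost_range, annual_dose_range, years=PLANT_LIFE_YEARS):
    """Extremes: lowest cost with the largest benefit, and the reverse."""
    best = cost_range[0] / (annual_dose_range[1] * years)
    worst = cost_range[1] / (annual_dose_range[0] * years)
    return best, worst


def rank_alternatives(alternatives=ALTERNATIVES):
    """Alternative numbers ordered from lowest to highest cost per person-rem."""
    return sorted(alternatives, key=lambda n: cost_per_person_rem(*alternatives[n]))


if __name__ == "__main__":
    for number in rank_alternatives():
        ranges = ALTERNATIVES[number]
        central = cost_per_person_rem(*ranges)
        best, worst = ratio_bounds(*ranges)
        print(f"Alternative ({number}): ${central:,.0f} per person-rem "
              f"(range ${best:,.0f} to ${worst:,.0f})")
```
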
5.3.1.1.7 Effects on Other Requirements

The following ongoing NRC generic programs and requirements are related to station blackout leading to core damage:

(1) Proposed Actions Based on Resolution of Unresolved Safety Issue (USI) A-44 for Reducing the Likelihood of Core Melt From Station Blackout

The staff is considering recommendations to resolve USI A-44. Current proposals could require assurance that a plant like Millstone 3 could withstand a 4 or 8-hour station blackout. On the basis of the best information available to the staff, including its review of Millstone 3 PSS, Millstone 3 cannot withstand an 8-hour station blackout. If the staff assumed that it would take 3 hours for seal leakage to begin and even if then each reactor coolant pump (there are four) only leaked at about 50 gpm (not the 300 gpm assumed in staff calculations), the core would uncover during the 8 hours. The staff plans on seeking public comment on its proposed resolution of USI A-44 in 1986.
(2) Proposed Actions for Enhancing Reliability of Diesel Generators at Operating Plants, Generic Issue (GI) 56

The staff has requested and received information from licensees regarding diesel generator reliability and programs to improve or maintain the reliability. The staff will review these responses and make recommendations, if necessary. The staff plans on resolving GI 56 in 1986.
(3) Reactor Coolant Pump (RCP) Seal Failures, Generic Issue 23

The Task Action Plan for GI 23 identifies several tasks to resolve this issue, including a review of seal failure operating experience, an assessment of the effects of loss of seal cooling on RCP seal behavior, and an evaluation of other causes of RCP seal failure such as mechanical and maintenance-induced failures. NRC and industry are analyzing seal performance on loss of seal cooling. Because RCP seal integrity is necessary for maintaining primary system inventory under station blackout conditions, the results of this analysis will provide information to determine seal behavior and a plant's ability to cope with a station blackout for a specified time.

The Westinghouse Owners Group on RCP seal failure is currently investigating O-ring seal materials that will have improved performance under station blackout conditions (high temperature and pressure). The Westinghouse Owners Group has committed to the NRC (Sheppard, 1985) to replace existing RCP O-ring seals with more durable ones, but no specific deadline for completion of this replacement has been set. The Owners Group has proposed to perform the seal replacements during future refueling outages.
(4) Adequacy of Safety-Related DC Power Supply, Generic Issue 30

The staff's proposed resolution of this issue specifies guidance for enhancing the reliability of DC power supply systems. This guidance includes items such as restricting interconnections between redundant DC divisions, monitoring the readiness of the DC power system, and establishing administrative procedures and Technical Specifications for surveillance testing and maintenance activities.

Analyses performed for USI A-44 assumed that a high level of DC power system reliability would be maintained so that (a) DC power system failures would not be a significant contributor to losses of all AC power and (b) should a station blackout occur, the probability of immediate DC power system failure would be low. Whereas the proposed resolution of GI 30 focuses on enhancing battery reliability, the resolution of USI A-44 currently under consideration is directed at ensuring adequate station battery, instrument air, and auxiliary feedwater supply capacity (including reliability and extension of time at load for a battery) in the event of a station blackout of a specified duration.
5.3.1.1.8 Occupational Exposure

The staff does not anticipate that there would be any significant increase in occupational exposure if any of these potential fixes were implemented. Most of the equipment additions and modifications do not require significant work in and around the reactor coolant system and therefore would not be expected to result in significant radiation exposure. Most of the potential fixes would reduce the frequency of core melt per reactor year, thereby reducing the estimated occupational dose associated with cleanup activities from station blackout accidents.
5.3.1.1.9 Recommendation

The staff proposes to await resolution of USI A-44 and not to implement any of these alternatives now. The staff believes that requirements will be introduced in the near future to resolve USI A-44, which should reduce the estimated frequency of station blackout induced core melts (from non-earthquake induced events) by about an order of magnitude. At a 10% discount rate, this would represent a $2.1 million savings in avoided onsite property damage ($4.7 million at 5%). At an estimated mean frequency of about 1x10^-4 per year, the staff does not consider the immediate resolution of a station blackout induced LOCA caused by events other than an earthquake to be compelling for Millstone 3.
In addition, most station blackout sequences are estimated to not fail the containment and, therefore, have no appreciable offsite consequences. Those containment failures calculated to occur are due to long-term containment overpressure or a hydrogen burn.
Therefore, the staff does not believe that immediate actions are warranted to require Northeast Utilities to reduce the estimated frequency of station blackout induced core damage events caused by events other than earthquakes.
5.3.1.2 Station Blackout From Earthquakes

5.3.1.2.1 Statement of Problem

The term "station blackout from earthquakes" refers to the complete loss of AC electric power to the essential and nonessential buses in a nuclear power plant as the result of an earthquake. Station blackout therefore involves the loss of offsite power (assumed in the staff's evaluation to occur with certainty for ground accelerations above 0.2g) concurrent with the failure of the onsite emergency AC power system. Because many safety systems required for reactor core decay heat removal and containment heat removal are dependent on AC power, the consequences of station blackout could be severe. In its seismic analysis, the staff assumes that offsite power is not recoverable in a timely fashion once it is lost. The limiting equipment and structure failures, in order of estimated increasing capacity, are the diesel generator lube oil cooler bolts, the emergency diesel generator enclosure, and the control building. Once AC power is lost for an extended period, core melt is assumed to occur as a result of either an RCP seal leak or depletion of the emergency batteries.
For Millstone 3, station blackout (caused by an earthquake) leading to an RCP seal LOCA is the largest contributor to external event mean core damage frequency (staff estimates range from about 6x10^-6 (PSS) to 9x10^-5 (SHCP)* per year). The staff estimates that station blackout contributes over 85% of the core damage frequency due to external events.
Assuming the core melt frequency is based on the PSS estimate of the hazard curve, the calculated dose is 20 person-rem per reactor-year within 50 miles of the site and 97 person-rem per reactor-year within 150 miles of the site. For the SHCP hazard curves, the corresponding dose estimates are 330 and 1632 person-rem per reactor-year, respectively.
As discussed in Section 5.3.1.1, although ordinarily CRAC calculations are only to 50 miles, because of the population distribution around the Millstone 3 site, the staff performed the backfit analysis value-impact assessment using CRAC calculations out to 150 miles from the site.

*The SHCP curves used in this report are based on draft curves provided by LLNL in April 1984 (NUREG/CR-3756). Final curves (slightly less conservative) were published in April 1985 (UCID-20421). The staff's recommendations regarding earthquake induced events would not be altered if the final rather than draft curves were used.
Currently, there is no requirement for plants to be able to cope with a total loss of AC power resulting from an earthquake beyond the SSE. Design bases for protection against earthquakes are given in General Design Criterion 2 and 10 CFR 100, Appendix A. Existing requirements for offsite and onsite AC power systems are contained in General Design Criterion 17 and discussed in Standard Review Plan (SRP) Sections 8.2 and 8.3.1 (NUREG-0800). Periodic testing of emergency diesel generators is discussed in Regulatory Guide 1.108. SRP Section 9.5 discusses design and maintenance provisions for the onsite emergency diesel generators.
The staff is pursuing generic resolution of station blackout (including blackout caused by earthquakes up to the SSE) under USI A-44 and generic resolution of RCP seal failure under GI 23. There is no ongoing work related to station blackout caused by earthquakes beyond the SSE. Because of the extended period during which power is assumed to be lost for earthquakes beyond the SSE (more than 8 hours) and the fact that USI A-44 does not address earthquakes beyond the SSE, the currently proposed resolutions to USI A-44 will not prevent core melt or significantly reduce offsite releases for station blackout induced LOCAs caused by earthquakes beyond the SSE.
5.3.1.2.2 Uncertainties

In estimating station blackout core damage frequency and risk due to an earthquake, the most significant areas of uncertainty are seismic hazard for the Millstone site and equipment and structure fragilities. The PSS and SHCP mean seismic hazard estimates differ by a factor of 10 or more (SHCP estimates are higher). The staff has no basis at this time to judge which of the two hazard estimates is more correct or whether they might represent strict upper or lower bounds for future estimates. These curves drive the external event results.
Equipment and structure fragilities are the second most important area of uncertainty for station blackout caused by an earthquake. Other areas of uncertainty in estimating station blackout core damage frequency include the omissions in the analysis, design or construction errors, operator error / operator recovery, modeling errors or simplifications, and relay chatter. The staff is currently considering designating earthquake induced relay chatter a generic issue.
A station blackout induced LOCA caused by earthquakes is driven by the assumed hazard curves. The contribution from RCP seal failure is not sensitive to the estimated time between loss of seal cooling and seal failure because AC power is not restored. The staff analysis assumes that depletion of the safety-related batteries under station blackout conditions would lead to rapid core damage because the operators would be without any instrumentation and control power for valves, relays, etc. The estimated core damage frequency is not sensitive to the time at which core damage occurs following battery depletion.

5.3.1.2.3 Sensitivity Analysis
For station blackout events caused by an earthquake, the staff believes that extensive sensitivity studies are unwarranted. It believes that the variation in the seismic hazard curves provides information on the most likely range of core damage frequency and risk. Variation in parameters such as restoration of offsite power is overshadowed by seismic hazard and fragility considerations.
The staff's evaluation of station blackout caused by an earthquake assumed that loss of offsite power occurred with surety at 0.2g (no restoration of offsite power); if core melt occurred, the containment was assumed to fail late, either by a hydrogen burn following de-inerting caused by natural condensation or by overpressure from condensible and noncondensible gases. This case resulted in a range of mean annual risk from 20 to 330 person-rem within 50 miles of the plant and 97 to 1632 person-rem within 150 miles of the plant (depending on the hazard curve used). Table 5.4 lists the station blackout (due to an earthquake) results within 50 and 150 miles of the plant for both the PSS and SHCP hazard curves. See Sections 2.1.1.2, 2.1.2.2, and 3.2 and Appendices B and C for more details.
5.3.1.2.4 Objectives

The general objective of the potential fixes is to reduce the estimated core damage frequency and risk from a station blackout caused by an earthquake.
5.3.1.2.5 Alternatives

The following approaches were considered as alternatives to meet the objective of reducing core damage frequency and risk from a station blackout caused by an

(1) Improve the anchorage system of the emergency diesel generator lube oil coolers so that it could withstand an earthquake significantly beyond the SSE.
(2) Improve the capability of the emergency diesel generator enclosure and the control building to withstand an earthquake significantly beyond the SSE. The emergency diesel generator lube oil cooler bolts are assumed improved.
(3) Add a filtered vent system to the containment capable of withstanding an earthquake significantly beyond the SSE.
(4) Add a dedicated AC-independent, RWST-independent containment spray system capable of withstanding an earthquake significantly beyond the SSE.
(5) Add an AC-independent, manually operated containment spray system capable of drawing water from a water source that is qualified to a very high g-level.
(6) Make no improvements.
Table 5.5 displays the value-impact analysis for each of the potential fixes out to 150 miles. Table 5.6 provides a more detailed summary of benefits and costs for Alternative (1). These include (1) reduction in public risk resulting from avoided offsite releases associated with reduced accident frequencies; (2) increased occupational dose from implementation and operation and maintenance activities, as well as reduced occupational exposure from cleanup and repair because of lower accident frequency; (3) costs to Northeast Utilities for implementation of modifications and operation and maintenance; (4) cost savings to Northeast Utilities from accident avoidance (onsite damage); and (5) NRC costs for review.
5.3.1.2.6 Value and Impact of Alternatives

ALTERNATIVE (1)

This alternative recommendation would improve the anchorage system for the emergency diesel generator lube oil coolers.
The value from implementing the anchorage system modification is a reduction in the estimated frequency of core melt due to station blackout caused by an earthquake and in the associated risk of offsite radioactive releases. The impact is primarily on Northeast Utilities because it would have to make the anchorage modifications. The major advantages of anchorage modification are that it reduces the conditional probability of loss of the emergency diesel generators and is relatively inexpensive. Although modification is very cost effective, there is still considerable estimated risk associated with failures of other components and structures.

Value

On the basis of its estimates for Millstone 3 of expected core damage frequency (see Section 2.1.1.2 and Appendices B and C) and risk (see Sections 2.1.2.2 and 2.3) due to station blackout caused by an earthquake, the staff can estimate the range of incremental reduction in risk and core damage frequency associated with this alternative. The estimated reduction in mean annual core damage frequency for Alternative (1) (ranges from 1x10^-6 to 2x10^-5) is based on the assumption that the improved anchorage system will eliminate this failure mode. The estimated reduction in mean annual risk ranges from 16 to 375 person-rem depending on the hazard curve considered.
Impact

The estimated cost to Northeast Utilities to implement this potential fix (either modification or reanalysis) ranges from $0.05 million to $0.1 million.
Table 5.5 lists the estimated range in costs for each potential fix. These cost estimates are based on staff judgment, not on a detailed cost evaluation by the staff.
Including averted plant damage costs can significantly affect the overall cost-benefit evaluation. The effect of the proposed action on averting plant damage and cleanup costs has been estimated by multiplying the reduction in accident frequency by the discounted onsite property costs. The equations from NUREG/CR-3568, discussed earlier, were used to make this calculation.
The discounted present values are shown in Table 5.7.
Value-Impact Ratio

Table 5.6 provides a summary of the benefits and costs associated with Alternative (1). These include (1) reduction in public risk resulting from avoided offsite releases associated with reduced accident frequencies; (2) increased occupational dose from implementation and operation and maintenance activities, as well as reduced occupational exposure from cleanup and repair because of lower accident frequency; (3) costs to Northeast Utilities for implementation and maintenance activities, as well as reduced occupational exposure from cleanup and repair because of lower accident frequency; (4) costs to Northeast Utilities for implementation of modifications, operation and maintenance, and increased reporting requirements; and (5) NRC costs for review of reports.
The estimated range of costs for Northeast Utilities to comply with Alternative (1) is $0.05 million to $0.1 million. At a 10% discount rate, the present value of avoided cleanup, repair, and replacement power is approximately $26,000.
The public risk reduction over the 40 year life of the plant ranges from 640 to 15,000 person-rem. The range of the ratio of costs (arithmetic average of estimated cost) to person-rem averted over the life of the plant is from $117 (PSS) to $5 (SHCP). This ratio may be low by an order of magnitude because the staff did not take full credit for fission product agglomeration and gravitational settling in the containment. If cost savings to Northeast Utilities from accident avoidance (cleanup and repair of onsite damages and replacement power) were included, the overall value-impact would show that estimated onsite savings significantly improved the value-impact ratio. Alternative (1) is estimated to incrementally reduce the annual station blackout mean core damage frequency due to earthquakes by 1x10^-6 (PSS) or 2x10^-5 (SHCP) per year. The estimated incremental risk reduction for this alternative ranges from 16 to 375 mean annual person-rem within 150 miles of the plant.
ALTERNATIVE (2)
This alternative would require improvement of the structural capacity (perhaps to a median fragility of 1.6g) of the emergency diesel generator (EDG) enclosure and the control building so that these structures could withstand an earthquake with peak ground accelerations considerably beyond the SSE. This alternative also assumes the diesel generator lube oil cooler bolts have already been improved. The major advantage to this fix is that it provides a substantial incremental reduction in estimated core damage frequency. The major disadvantage is the potentially high cost to reinforce these structures. The staff has not evaluated this cost in detail because the fragility analyses performed by Northeast Utilities on these structures were simplified and probably conservative.
For scoping purposes the staff has assumed that it would cost between $10 million and $150 million to reinforce these structures. (It would be preferable to first improve the EDG enclosure because it has a lower estimated capacity and, therefore, contributes more to the estimated core damage frequency.) If Alternative (2) were implemented, reduction in mean annual core damage frequency would be 4x10^-6 for the PSS hazard curve or 5x10^-5 for the SHCP hazard curve.
The estimated incremental risk reduction within 150 miles of the plant for this alternative ranges from 65 to 938 person-rem per year. Estimated average cost (arithmetic average) per person-rem averted over the plant's 40 year life ranges from $30,769 (PSS) to $2,132 (SHCP).
ALTERNATIVE (3)
Another alternative would be to add a filtered vent to the containment. This system would be designed to withstand g-levels substantially in excess of the SSE (perhaps a median fragility of 1.7g). The major advantage to this potential fix is that it would significantly reduce offsite consequences for station blackout and many other core melt sequences, and perhaps would reduce some onsite cleanup costs (no credit given). The staff assumes the risk from station blackout caused by an earthquake would be reduced 90%. The major disadvantages are the cost (estimated between $4 million and $20 million on the basis of NUREG/CR-4143) and the lack of benefit in that this fix would do nothing to reduce core damage frequency. The estimated incremental risk reduction within 150 miles of the plant for this alternative ranges from 87 to 1470 person-rem per year. The estimated average cost (arithmetic mean) per person-rem averted over the plant's 40 year life ranges from $6897 (PSS) to $410 (SHCP).
ALTERNATIVE (4)
Another alternative would be to add a dedicated, automatic, AC-independent, RWST-independent containment spray system capable of withstanding an earthquake significantly beyond the SSE (perhaps a median fragility of 1.5g). A direct-drive diesel-driven pump spray system in conjunction with an upgraded RWST or alternative water source (e.g., Long Island Sound) could supply the spray needs.
The major advantage of these improvements is a reduction in estimated offsite doses (assumed to be 90%). The major disadvantages are (1) the cost; (2) if the system draws from the Long Island Sound and if it should inadvertently initiate, it would spray down the containment with salt water; (3) if following a station blackout the system did not start for 6 hours or more after vessel failure, resulting deinerting of the containment could cause a hydrogen burn to occur (0.50 conditional probability of containment failure) which could fail the containment earlier (which would limit the period for fission product decay, agglomeration, and deposition) than if it failed by overpressure; and (4) the AC-independent spray system has no impact on core damage frequency. The estimated cost of Alternative (4) ranges from $4 million to $15 million (based on NUREG/CR-4143). The estimated annual incremental risk reduction within 150 miles of the plant for this alternative ranges from 87 (PSS) to 1470 (SHCP) person-rem per year. The estimated average cost (arithmetic mean) per person-rem averted over the plant's 40 year life ranges from $5460 (PSS) to $325 (SHCP).
ALTERNATIVE (5)
Another alternative would be to add a manually operated, AC-independent containment spray system capable of drawing suction from a water source that is qualified to a very high g-level. This alternative assumes the diesel generator oil cooler bolts already have been fixed. One potential source of pumping capability would be a fire truck permanently stationed on site. Given the long period of time available before onset of containment failure, a manually actuated system could be feasible, even in the event of a severe earthquake. The staff assumes the spray will be 90% effective in reducing released fission products.
The major advantages of this alternative are that (1) it is relatively inexpensive and simple, (2) it would prevent containment failure due to long term overpressure, and (3) even if the containment failed (except perhaps by hydrogen explosion), it would substantially reduce offsite releases. The major disadvantages are that (1) it is not automatic, (2) it has unknown reliability, and (3) if actuation of the system were delayed beyond 6 hours, it might cause a hydrogen burn that would fail the containment. (There is a small chance that this failure could occur before sprays had a chance to significantly affect the source term.) The estimated cost, based on engineering judgment, of Alternative (5) ranges from $0.4 million to $2.0 million. The estimated risk reduction within 150 miles of the plant for this alternative ranges from 70 to 1131 person-rem per year (does not include potential for hydrogen burn failing the containment). The estimated average cost (arithmetic mean) per person-rem averted over the plant's 40 year life ranges from $430 (PSS) to $27 (SHCP).
ALTERNATIVE (6)
This alternative would be to take no additional actions to prevent or mitigate station blackout caused by earthquakes beyond the SSE.
5.3.1.2.7 Effects on Other Requirements
There are no ongoing NRC generic programs directly related to station blackout caused by earthquakes beyond the SSE.
5.3.1.2.8 Occupational Exposure
The staff does not anticipate that there would be any significant increase in occupational exposure from implementing the recommendations proposed in this resolution. Most of the equipment additions and modifications contemplated do not require significant work in and around the reactor coolant system and therefore would not be expected to result in significant radiation exposure. For those recommended actions that would reduce the frequency of core melt per reactor year, one could expect that the occupational dose associated with cleanup activities from station blackout accidents would be averted.
5.3.1.2.9 Recommendations
(1) The staff finds that the failure mode related to the diesel generator lube oil coolers can potentially be eliminated from consideration by upgrading the anchorage system. The elimination of this failure mode will incrementally reduce the estimated mean frequency of core damage (see Table 5.5) by about 1x10^-6 (PSS hazard curve) or 2x10^-5 (SHCP hazard curve) per reactor-year. The staff's analysis indicates such improvement is cost beneficial. From a systems view, a critical failure mode in the dominant external event sequence contributing to core melt would be eliminated.
From an engineering view, it is likely that the seismic margin of the plant beyond the SSE will have been increased at a minor cost. Therefore, unless Northeast Utilities can demonstrate that the current anchorage system is substantially stronger than claimed in the Millstone 3 PSS, it should improve the anchorage system for the diesel generator lube oil coolers.
These improvements will provide a substantial benefit to public health and safety.
The staff estimates the cost to Northeast Utilities to implement Alternative (1) (e.g., improve diesel generator lube oil cooler bolts) will range from $0.05 million to $0.1 million. The range of costs is based on engineering judgment. The estimated mean annual risk will be reduced by 16 to 375 person-rem depending on the assumed hazard curve. The estimated average ratio of costs in dollars (excluding onsite cost aversion savings) to person-rem reduced over the 40 year plant lifetime ranges from $117 (PSS hazard curve) to $5 (SHCP hazard curve). (See Tables 5.5 and 5.6.) Even if the staff's belief is correct that this value may be low by an order of magnitude, this fix is still very cost effective.
(2) The staff recommends that Northeast Utilities perform an engineering feasibility analysis for a manually operated, seismically qualified (e.g., 1.5g median fragility or better) containment spray system that will draw from a water source that is qualified to a very high g-level. This analysis shall include, but not be limited to, engineering feasibility, cost estimates, uncertainties, consideration of competing risks, alternative recommendations (if any), and reliability estimates. Northeast Utilities is to provide to NRC within 2 years the rationale regarding its decision to implement (with schedule) or not implement this modification. The staff will review this decision on a plant-specific backfit basis or under the staff's generic severe accident review.
The staff's reasons for recommending Alternatives (1) and (5) over other alternatives are given below. The ratio of costs to person-rem averted for each alternative may be low by an order of magnitude because the staff did not give full credit to fission product agglomeration and gravitational settling in the containment.
(1) Alternatives (1) and (5) vs Alternative (2)
An improvement in the estimated capacity of the EDG enclosure and the control building could reduce the estimated mean core damage frequency for station blackout events caused by core melt from 4x10^-6 (PSS) to 5x10^-5 (SHCP) per year. However, as discussed in NUREG/CR-4142, these fragilities (sliding of footing for the EDG enclosure and diaphragm failure for the control building) are based on simplifying assumptions.
Without detailed evaluations of these structures, the staff cannot estimate what modifications, if any, are warranted. Therefore, it cannot accurately estimate costs. It has chosen to use scoping costs (engineering judgment) ranging from $10 million to $150 million.
Using these values, improvement of the building fragilities is not cost effective (see Table 5.5). Significant improvements in fragilities may cost much less (or much more) or, once analyzed in more detail, the potential incremental core damage reduction may be much smaller because the actual structural fragilities may be higher.
(2) Alternatives (1) and (5) vs Alternative (3)
Alternative (3) (a filtered vent for containments) is not effective in reducing core damage frequency; but it could be highly effective in reducing potential offsite releases resulting from a core melt accident. However, on the basis of recent studies (Draft NUREG-1037),
the staff has more confidence that the containment will not fail in less than 24 hours because of slow overpressure and in fact may not fail either for several days after the accident or at all.
The staff has not performed an engineering design analysis of this potential fix. Cost estimates for a filtered vented system vary widely. In a report by Dooley and others (1984), the cost of a filtered vent was estimated to be about $4 million (a lower limit). A filtered vent system (FILTRA) installed at Barsebäck in Sweden at a cost of about $20 million was a first-of-a-kind system for two units.
It was not seismically qualified. Qualifying equipment to be safety grade can significantly increase its cost. The staff has, therefore, doubled its cost estimates for a filtered containment vent for Millstone 3 to a range of $8 million to $40 million. The estimated average cost (arithmetic mean) per person-rem averted (over the 40 year plant life) ranges from $6897 (PSS) to $410 (SHCP).
(3) Alternatives (1) and (5) vs Alternative (4)
Alternative (4) (an automatic, AC-independent, RWST-independent containment spray system), if implemented, is estimated to significantly reduce the offsite doses from a core melt caused by station blackout following an earthquake (see Table 5.5). This alternative is not recommended for the following reasons:
(a) If water were drawn from the Long Island Sound, inadvertent initiation of the system could spray down the containment with salt water. Cleanup would be costly (downtime of several days at least) and might lead to long term equipment failure because of salt corrosion.
(b) If following vessel failure after a station blackout, system initiation is delayed more than 6 hours, the spray might de-inert the containment and initiate a hydrogen burn (perhaps 10% of the time) that could fail the containment earlier than would occur as a result of long term containment overpressure. The staff would expect spray actuation, however, to significantly reduce the fission products in the containment atmosphere. A recent staff evaluation (Draft NUREG-1037) indicates that the containment probably would not fail as a result of slow overpressure for 2 or 3 days and perhaps never, which would allow significant gravitational settlement and aerosol agglomeration in the containment.
(c) This potential fix does nothing to reduce the estimated core damage frequency.
The staff has not performed an engineering analysis to develop detailed cost estimates for this potential fix. However, a recent study (NUREG/CR-4143) estimated it would cost about $4 million to install such a system (nonseismically qualified) for a BWR Mark II containment.
The staff believes these costs may be underestimated in part because the equipment evaluated was not safety grade. For a scoping analysis and taking into account the quality of the equipment costed in NUREG/CR-4143, the staff has doubled the assumed cost of installing this system. The estimate ranges from $8 million to $30 million.
There is no core damage frequency reduction resulting from this fix.
The estimated average cost (arithmetic mean) per person-rem averted (over the 40 year plant life) ranges from $5460 (PSS) to $325 (SHCP).
As noted above, however, this ratio may be low by an order of magnitude because the containment may be stronger than assumed in the staff's analysis and because of the staff's perception that fission product agglomeration and gravitational settlement have been underestimated.
(4) Alternatives (1) and (5) vs Alternative (6)
Alternative (6) would require no action. The staff in its review of the Millstone 3 PSS has estimated that station blackout caused by
earthquakes contributes over 80% of the external event core damage frequency and from 45% to 80% of dose in terms of the mean annual person-rem from external events. Alternatives (1) and (5) are ways to reduce core damage frequency and risk. No generic programs at NRC currently address station blackout caused by earthquakes beyond the SSE.
The staff's reasons for recommending that Northeast Utilities pursue Alternative (5) are given below.
Alternative (5) (a manually operated, seismically qualified (perhaps 1.6g median fragility) containment spray system, independent of the RWST), if implemented, is estimated to significantly reduce the offsite doses from a core melt caused by station blackout following an earthquake (see Table 5.5). The staff realizes that this system has some potential drawbacks because it must be operated manually following an earthquake, probably several times the SSE.
On the basis of engineering judgment (the staff has not performed an engineering analysis to develop detailed cost estimates for this potential fix), the staff estimates that the cost for this system ranges between $0.4 million and $2.0 million (and might include an onsite fire truck that would draw water from Long Island Sound). There could be an outside hookup to the existing quench spray/recirculation spray piping. The pumps would need to be able to pump against high pressure in the containment and line losses from the Sound to the containment. The estimated average ratio (over the 40 year plant life) of costs to person-rem reduced ranges from $430 to $27. Even if this ratio is low by an order of magnitude, it appears to be cost effective. As noted earlier, the staff proposes that Northeast Utilities perform an engineering analysis to determine the costs, benefits, and competing risks more accurately. This modification also has the capability to reduce the releases from core damage sequences other than station blackout that fail the containment (e.g., LOCA with complete failure of the containment sump).
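The cost-per-person-rem figures quoted for Alternatives (1) through (5) can be recomputed from the cost ranges and annual risk reductions given in the text. The following is an added example, not part of the NRC report, with hypothetical function and variable names; it also shows that the ratios reported for Alternatives (3) and (4) correspond to the doubled cost ranges ($8 million to $40 million and $8 million to $30 million), not the undoubled ones stated where those alternatives are first described.

```python
"""Recompute the cost-per-person-rem ratios quoted for Alternatives (1)-(5)."""

PLANT_LIFE_YEARS = 40  # plant lifetime used for every ratio in the text

# Values transcribed from the text above (names are this example's own).
# cost_musd:    (low, high) cost range in millions of dollars
# rem_per_year: (PSS, SHCP) mean annual risk reduction, person-rem per year
# reported:     (PSS, SHCP) dollars per person-rem averted as quoted
ALTERNATIVES = {
    1: {"cost_musd": (0.05, 0.1), "rem_per_year": (16, 375),
        "reported": (117, 5)},
    2: {"cost_musd": (10, 150), "rem_per_year": (65, 938),
        "reported": (30769, 2132)},
    3: {"cost_musd": (8, 40), "rem_per_year": (87, 1470),
        "reported": (6897, 410)},
    4: {"cost_musd": (8, 30), "rem_per_year": (87, 1470),
        "reported": (5460, 325)},
    5: {"cost_musd": (0.4, 2.0), "rem_per_year": (70, 1131),
        "reported": (430, 27)},
}

# Cost ranges quoted before the staff doubled them for safety-grade equipment.
UNDOUBLED_COST_MUSD = {3: (4, 20), 4: (4, 15)}


def cost_per_person_rem(cost_musd, rem_per_year, years=PLANT_LIFE_YEARS):
    """Return (PSS, SHCP) dollars per person-rem averted over the plant life.

    The cost is the arithmetic mean of the range, as the text specifies.
    """
    low, high = cost_musd
    if low <= 0 or high < low:
        raise ValueError("cost range must be positive with low <= high")
    mean_cost_dollars = (low + high) / 2 * 1e6
    ratios = []
    for annual in rem_per_year:
        if annual <= 0:
            raise ValueError("annual risk reduction must be positive")
        ratios.append(mean_cost_dollars / (annual * years))
    return tuple(ratios)


def matches(computed, reported, tolerance):
    """True if every computed ratio is within a relative tolerance."""
    return all(abs(c - r) <= tolerance * r for c, r in zip(computed, reported))


def check_reported(tolerance=0.02):
    """Map alternative number -> (computed, reported, agrees within tolerance)."""
    results = {}
    for alt, data in ALTERNATIVES.items():
        computed = cost_per_person_rem(data["cost_musd"], data["rem_per_year"])
        ok = matches(computed, data["reported"], tolerance)
        results[alt] = (computed, data["reported"], ok)
    return results


def cost_basis(alt, tolerance=0.02):
    """For Alternative 3 or 4, name the cost range that reproduces the ratio."""
    data = ALTERNATIVES[alt]
    candidates = {"doubled": data["cost_musd"],
                  "undoubled": UNDOUBLED_COST_MUSD[alt]}
    hits = [name for name, cost in candidates.items()
            if matches(cost_per_person_rem(cost, data["rem_per_year"]),
                       data["reported"], tolerance)]
    return hits[0] if len(hits) == 1 else None


def order_of_magnitude_case(alt):
    """Ratios if the true value is ten times higher (the staff's caveat)."""
    data = ALTERNATIVES[alt]
    base = cost_per_person_rem(data["cost_musd"], data["rem_per_year"])
    return tuple(10 * r for r in base)


if __name__ == "__main__":
    for alt, (computed, reported, ok) in check_reported().items():
        pss, shcp = computed
        print(f"Alternative ({alt}): ${pss:,.0f} (PSS) to ${shcp:,.0f} (SHCP); "
              f"quoted {reported}; agrees: {ok}")
    for alt in UNDOUBLED_COST_MUSD:
        print(f"Alternative ({alt}) ratio uses the {cost_basis(alt)} cost range")
```
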
5.3.1.2.10 Implementation
Northeast Utilities should analyze Alternatives (1) and (5) and report its findings and proposed actions to NRC within 2 years.
5.3.1.3 Relay Chatter
5.3.1.3.1 Statement of Problem
In nuclear power plants many electrical relays are used to activate or deactivate equipment such as circuit breakers, pumps, and valves. Earthquake induced relay chatter is the rapid "opening" and "closing" of a relay as a result of seismic accelerations. Such a change of state (e.g., open to closed) could misalign equipment, instrumentation, and circuit breakers. Let us suppose that an earthquake of sufficient magnitude occurred at the Millstone 3 site to cause relay chatter and loss of offsite power. In the control room, annunciators (not seismically qualified) might well be lost. Relay chatter might cause relays to lock into the wrong position (e.g., closed instead of open). This might open or close circuit breakers, lock out the diesel generators or emergency core cooling system pumps, open or close valves, and start or stop pumps. The operator might be without AC power, perhaps even without batteries if relay chatter opened the appropriate circuit breakers. Even with AC power available, relay chatter might have locked out pumps needed to cool the core, might have opened valves such as the pressurizer and steam generator power-operated relief valves (depleting primary and secondary system inventories), and might have opened valves that breach containment isolation. The operator might be unable to reset many of the relays from the control room. Operator action in different parts of the plant would, therefore, be required to realign the safety systems.
The performance of relays under seismic acceleration beyond the SSE, the status of safety systems, the information displayed to the operator, and subsequent corrective actions are difficult to assess in the absence of thorough analysis.
Of course, it should be noted that certain safety functions (e.g., reactor scram) would likely occur even if the relays were to chatter. The staff has performed scoping calculations, recognizing the speculative nature of the above considerations, to determine the potential significance of such a sequence of events.
The staff has performed a scoping analysis of relay chatter. Based on hazard curves for the Millstone site and conservative assumptions of operator action and success criteria, the staff's scoping estimate of mean core damage frequency due to relay chatter at Millstone 3 is greater than the range of 1x10^-5 (PSS hazard curve) to 1x10^-4 (SHCP hazard curve) per year (see Table 5.8). Assuming 10% of the core melts due to relay chatter result in long term overpressure containment failure, the associated mean annual risk within 150 miles of the plant is greater than 17 or 170 person-rem, depending on the assumed hazard curve.
Because the staff's evaluation of relay chatter is a scoping analysis, these results are not reflected in the values of overall core damage frequency or risk reported elsewhere in this report.
5.3.1.3.2 Uncertainties
There are many areas of uncertainty associated with the staff's simplistic analysis of relay chatter. The most important area is the assumption that once relay chatter begins, it is widespread and will lead to a core melt unless there is operator intervention.
The staff is unsure how widespread relay chatter actually would be during a large earthquake. At present test data are insufficient to develop a high degree of belief regarding fragility of relays. The amount of test data on the onset of relay chatter is small. Available test data have a wide spread of estimates.
In some cases the staff has found that relays, when they were originally tested (qualified to meet the SSE), were only tested in the energized state. When retested in the deenergized state, the relays changed state and locked in at g-levels lower than that which caused chattering when they were tested in the energized state. Information available to the operator on plant status will depend on whether circuit breakers inadvertently opened or closed because of relay chatter, emergency diesel generators were locked out (causing station blackout), annunciators failed, and control panel status lights failed. The plant computer is not normally seismically qualified nor are strip recorders.
Some control room meters are not seismically qualified.
A second important area of uncertainty is the hazard curves used for the Millstone site. The PSS and SHCP* hazard curves have at least a factor of 10 difference between their medians.
5.3.1.3.3 Sensitivity Analysis
The staff has estimated in a highly simplistic manner the potential for core damage due to seismically induced relay chatter. For seismic hazard values, the staff used the SHCP and PSS curves, which represent high and low estimates.
For relay fragility (due to chattering), the staff used the following three sources: (1) the median acceleration capacity found in the Zion PRA (0.6g peak ground acceleration, βc = 0.67), (2) the relay fragility from a report by Lambert (1984) (0.8g peak ground acceleration, βc = 1.5), and (3) data in a letter from Counsil dated December 11, 1984 (0.88g peak ground acceleration, βc = 0.49). The results are shown in Table 5.8. The table was constructed assuming that if there is relay chatter and the operator does not recover, core damage will occur.
To appreciate the significance of the potential for core damage, let us assume there is no operator recovery and that if relay chatter occurs, core damage will ensue. Then on the basis of the relay fragility estimates in Table 5.8, if an SSE of 0.17g were to occur, the staff estimates that a core melt would occur with a conditional probability range of 0.0004 to 0.13.
5.3.1.3.4 Objectives
The general objective of the potential fixes is to reduce the estimated core damage frequency and risk associated with earthquake induced relay chatter.
5.3.1.3.5 Alternatives
The following approaches were considered as alternatives to meet the objective of reducing core damage frequency and risk from relay chatter caused by an earthquake.
(1) Perform qualification tests to determine at what acceleration relays chatter. If relays in safety-related systems are considered too fragile, replace safety-significant ones with better qualified relays or qualified solid-state equipment.
(2) Develop emergency procedures for dealing with earthquake induced relay chatter (e.g., define equipment needed to go to shutdown; determine if relay has a time delay; determine location of vulnerable relays; draw up a procedure stating the proper relay position and the order in which relays should be reset).
* The SHCP curves used in this report are based on draft curves provided by LLNL in April 1984 (NUREG/CR-3756). Final curves (slightly less conservative) were published in April 1985 (UCID-20421). The staff's recommendations regarding earthquake induced events would not be altered if the final rather than the draft curves were used.
5.3.1.3.6 Value and Impact of Alternatives
ALTERNATIVE (1)
This alternative fix would require seismic testing and possible replacement of relays in safety-significant systems. The value from implementing this potential fix is a reduction in the estimated core melt frequency, risk, and uncertainty due to relay chatter. Northeast Utilities primarily would be affected because it would have to sponsor the test program and replace nonqualifying relays. If the qualification standards for the tests (g-level at which no relay chatter occurs) are sufficiently high, this program would effectively eliminate relay chatter as a potentially important core damage contributor. This would mean a range of reduction of more than 1x10^-5 (PSS hazard curve) to 1x10^-4 (SHCP hazard curve) per year in core melt frequency and a range of reduction of more than 17 to 170 person-rem per year based on the staff's scoping analysis and the hazard curve used. The staff has no estimate of the cost to test or replace relays.
ALTERNATIVE (2)
This alternative would require the development of emergency procedures for recovery from earthquake induced relay chatter. Northeast Utilities would primarily be affected because it would have to write and implement the procedures.
Because relays can be reset in the control room or at other locations in the plant, even if relay chatter is severe when procedures are adequate, the operators should be able to properly realign the plant. Implementation of these procedures would result in a range of reduction in the estimated mean annual core damage frequency and risk within 150 miles of the plant of 1x10^-5 to 1x10^-4 and 17 to 170 person-rem, respectively, depending on the hazard curve used. The staff estimates the cost of this alternative to be $200,000 on the basis of engineering judgment. The ratio of costs to person-rem averted over the 40 year plant lifetime ranges from $30 to $295.
5.3.1.3.7 Effect on Other Programs
The staff is currently considering declaring relay chatter a generic issue.
Several ongoing activities are expected to provide information to better assess the significance of the relay-chatter issue.
(1) Under a contract from NRC, Future Resources Associates, Inc., is conducting a study to ascertain (a) whether detailed analysis of electrical, signal, control, and instrumentation failures can significantly improve the representativeness with which seismic PRAs model this aspect of important accident sequences and (b) whether detailed analysis of operator response issues can significantly improve the representativeness with which seismic PRAs model this aspect of important accident sequences.
(2) As part of the Seismic Design Margins Program, the staff should develop a better understanding of the seismic margins in the existing plants in the eastern United States. Margin will be expressed in terms of how much larger than the SSE an earthquake must be before it compromises the safety of the plants. Judgments will be developed on the basis of existing data and other relevant available information.
(3) The draft proposed requirements resulting from resolution of USI A-46, "Seismic Qualification of Equipment in Operating Plants," although limited to accelerations to the SSE level, should provide significant useful information that could be used in assessing the importance of earthquakes beyond the SSE level if this requirement is approved after internal NRC review.
5.3.1.3.8 Recommendation
The staff recommends that Northeast Utilities write and implement emergency procedures to deal with earthquake induced relay chatter. Relays of concern are those in safety-significant systems. The staff believes implementation of Alternative (2) will significantly reduce the estimated core melt frequency and risk based on its scoping analysis. This improvement will provide a significant benefit to public health and safety.
Until further information is developed as discussed above, the staff believes that the implementation of emergency procedures dealing with relay chatter will provide adequate protection to the health and safety of the public.
5.3.1.3.9 Implementation
The procedures shall be written and implemented by the end of the first refueling outage.
5.3.1.4 Loss of Room Cooling
5.3.1.4.1 Statement of Problem
Loss of room cooling to small, closed rooms with significant electrical or mechanical heat loads could result in increased ambient room temperatures that could degrade safety equipment. Relays, breakers, motors, solid-state circuitry, and other electrical and mechanical equipment may fail or degrade if subjected to high temperatures for prolonged periods. For example, some solid-state equipment may begin to malfunction if the ambient temperature reaches about 105°F, and some relays may fail at about 140°F.
Electrical separation and fire protection requirements, especially for newer plants, have resulted in smaller, closed rooms. Room layouts for older nuclear power plants tend to be more spacious, which allows for greater heat dissipation.
5.3.1.4.2 Sensitivity Analysis
The staff's scoping analysis assumed that a 2-hour loss of room cooling would disable heat-sensitive equipment. The estimated mean annual core damage frequency is greater than 10^-4 if no credit is taken for operator recovery, equipment repair, or alternative cooling (e.g., the east switchgear room can be cooled by service water if chilled water is lost). Northeast Utilities has indicated there also are potential alternative means of providing adequate room cooling to some rooms by using fans with "elephant hoses."
Rooms identified as having safety-related, heat-sensitive equipment included the east and west switchgear rooms, the instrument rack room, and the auxiliary feedwater pump rooms. The staff's scoping analysis estimated a significant core damage frequency increase from loss of the auxiliary feedwater pump room cooling in conjunction with loss of cooling to the switchgear rooms. Loss of the turbine-driven auxiliary feedwater pump due to loss of room cooling (if it actually would fail because of high ambient temperature) would indicate that the turbine-driven pump has an AC power dependency. As noted earlier, the scoping analysis assumed that equipment failed 2 hours after room cooling was lost.
Because the staff's evaluation of loss of room cooling is a scoping analysis, these results are not reflected in the values of overall core damage frequency or risk reported elsewhere in this report.
5.3.1.4.3 Uncertainties
Little data on chiller and fan failure rates are available. The failure rates have large uncertainties. The assumed time to failure after loss of room cooling (2 hours) is probably conservative, but the degree of conservatism is unknown. Operator recovery would significantly reduce the estimated core damage frequency. No credit was given in the staff's analysis for such recovery or use of alternative cooling modes such as service water or fans. No heatup rate was calculated for individual rooms nor was the possibility of shedding loads (i.e., less heat generation).
5.3.1.4.4 Objectives The general objective is to reduce the estimated core damage frequency and risk associated with loss of room cooling to heat-sensitive, vital areas.
l 5.3.1.4.5 Alternatives The following approaches were considered as alternatives to meet the objective j of reducing core damage frequency and risk from loss of room cooling.
(1) Write and implement emergency procedures to deal with loss of room cooling to heat-sensitive, vital areas such as the switchgear, auxiliary feedwater j pump, and instrument rack rooms.'
! (2) Perform an engineering analysis of the effect of loss of room cooling to
. heat-sensitive, vital areas to determine the' margin in time and temperature i
that exists should room cooling be lost. On completion of this review, if the evaluation demonstrates significant risk exists, Northeast Utilities ,
should modify the plant in a cost effective manner to reduce the core f
- damage contribution ensuing from loss of room cooling.

5.3.1.4.6 Value and Impact of Alternatives

ALTERNATIVE (1)

This alternative would require writing and implementing emergency procedures to deal with loss of room cooling to heat-sensitive, vital areas. The value from implementing this potential fix is a reduction in the estimated frequency of core melt and the associated risk of offsite radioactive releases due to loss of room cooling. Northeast Utilities would primarily be affected because it would have to write and implement the procedures. The major advantages of this fix are that it should significantly reduce the estimated core damage frequency due to loss of room cooling and that it is relatively inexpensive. The staff believes this fix is cost effective even though there are large uncertainties in the analysis.

Value

The staff believes that well-written emergency procedures which plant operators have been trained to follow can significantly reduce the estimated core damage frequency. Assuming core melt caused by loss of room cooling results in a 10% chance of containment failure due to long term overpressure, the staff can estimate the incremental reduction in risk and core damage frequency associated with this alternative. On the basis of the assumption that these procedures will reduce core damage frequency by an order of magnitude, this alternative results in a mean core damage reduction of up to 9x10^-4 per year and a mean annual risk reduction within 150 miles of the plant of up to 1358 person-rem.

Impact

The estimated cost to Northeast Utilities based on staff judgment is $200,000.

Value-Impact Ratio

The ratio of costs to person-rem averted over the 40 year life of the plant is $4. Even if this ratio is low by well over an order of magnitude, it appears to be cost effective.

ALTERNATIVE (2)

This alternative would have Northeast Utilities perform a detailed engineering review of the effect of loss of room cooling to heat-sensitive, vital areas such as the switchgear, auxiliary feedwater pump, and instrument rack rooms. On completion of the review, if the detailed evaluation demonstrates significant risk exists, Northeast Utilities would modify the plant in a cost-effective manner to reduce the core damage frequency contribution of loss of room cooling.

The cost of this review will depend on the detail of the review and any vulnerabilities discovered by Northeast Utilities. The major advantages to this alternative are (1) it would greatly reduce the uncertainty of the risks of loss of room cooling and (2) it would provide a better basis to estimate the frequency of core damage and risk due to loss of room cooling at Millstone 3.

The staff has no estimate for the cost of this evaluation.

5.3.1.4.7 Effect on Other Requirements

There are no ongoing NRC generic activities directly related to loss of room cooling.

5.3.1.4.8 Recommendation

(1) The staff recommends that Northeast Utilities write and implement emergency procedures to deal with loss of room cooling to heat-sensitive, vital areas. The staff believes implementation of Alternative (1) will significantly reduce the estimated mean annual frequency of core damage (a reduction of 9x10^-4 per year in core damage frequency based on the staff's scoping analysis). This improvement will provide a substantial benefit to public health and safety. The staff estimates that the cost to Northeast Utilities to implement Alternative (1) will be about $200,000. This cost is based on engineering judgment.

(2) The staff does not recommend that Northeast Utilities perform a detailed engineering review of the effect of loss of room cooling at Millstone 3 to heat-sensitive, vital areas. Although it is possible such a review might prove to be cost beneficial, the staff believes that the implementation of emergency procedures dealing with loss of room cooling will provide adequate protection to the health and safety of the public. Of course, Northeast Utilities may voluntarily conduct such an analysis.

5.3.1.4.9 Implementation

The procedures shall be written and implemented by the end of the first refueling outage.

5.3.2 Improvements in Procedures (Test, Maintenance, and Emergency)

The review of the PSS has afforded important insights about areas for which emergency, test, and maintenance procedures must be both well written and well executed. Improvement in procedures is one of the most cost-effective ways of reducing core damage frequency and risk. Northeast Utilities should consider the insights gained from the PSS and the staff comments in this report in developing procedures. The following list highlights areas where staff analysis of the Millstone 3 PSS has indicated that emergency, test, or maintenance procedures and training could make a significant difference in estimated core damage frequency or risk.

(1) Containment High Pressure Recirculation System (emergency, test, and maintenance) - The containment high pressure recirculation system, operating in the emergency core cooling system recirculation mode, is an element of many of the core damage dominant cutsets. The containment recirculation pumps are tested infrequently (proposed for once every 3 months).

(2) Auxiliary Feedwater System (emergency, test, and maintenance) - The auxiliary feedwater system is an element of many of the core damage dominant cutsets.

(3) Fires in Control Room, Instrument Rack Room, and Cable Spreading Room (emergency) - The staff found the estimates of risk from fire to be particularly sensitive to assumed human error rates. A fire in one of these rooms with unsuccessful manning of the emergency shutdown panel was assumed to lead to a potentially risk-significant core melt.

(4) Leak Testing all Residual Heat Removal (RHR) Isolation Valves (test and maintenance) - The Millstone 3 Safety Evaluation Report (NUREG-1031) states that in cases where three or more valves provide isolation between Class 1 and Class 2 piping, only two valves need to be leak tested. Because of the risk significance of an RHR LOCA (large contributor to early fatalities), all isolation valves in each RHR suction and discharge line should be leak tested.

(5) Refueling Water Storage Tank (RWST) Refill With Borated Water (emergency) - Discussions with Northeast Utilities have indicated that timely refilling of the RWST could prevent or mitigate various small and medium LOCAs. No credit for RWST refill was taken in the PSS.

(6) Mitigation of RHR LOCA (emergency) - The LLNL report on its review of the PSS (NUREG/CR-4142) discusses possible means of mitigating an RHR LOCA. RHR intersystem LOCAs are the largest contributors to early fatalities among internally initiated events.

(7) Recovery of Main Feedwater (emergency) - Under the current design at Millstone 3, the power conversion system will always trip on a reactor trip. Timely recovery of the power conversion system (main feedwater) if auxiliary feedwater is disabled would provide additional redundancy for core heat removal. Northeast Utilities has indicated orally to the staff that it intends to seek procedural or design changes to reduce the frequency of loss of the power conversion system on a reactor trip.

(8) Loop Stop Valve Closure (emergency, test, and maintenance) - Under appropriate circumstances, use of the primary system loop stop valves may be beneficial in reducing the offsite consequences of a steam generator tube rupture (SGTR) or in isolating a small reactor coolant pump seal failure.

(9) SGTR and Plant Depressurization (emergency) - Staff analysis of SGTRs indicates that operator error can be a significant contributor to increased offsite consequences.

(10) Post-Seismic Event Recovery (emergency) - Relay chatter may require many relays to be reset in a systematic manner following a strong seismic event. (See Section 2.4.)

5.3.3 Integrated Safety Assessment Program

Northeast Utilities has informed the staff that it intends to pursue an integrated safety assessment program for Millstone 3. The staff strongly encourages the utility's initiative. The program for Millstone 3 as designed includes the following areas:

(1) The utility has indicated that it will maintain the PSS as a "living" document. This indicates that the Millstone 3 PSS will be modified over the years as new data (e.g., frequency of component failures, human errors, or initiating events), models, or techniques become available.

(2) The Millstone 3 PSS is "installed" on a Northeast Utilities' in-house PRA-dedicated computer.

(3) The utility plans to use the "PSS lessons learned" in both classroom and simulator training of plant operators.

(4) The utility has indicated that it will review emergency and off-normal procedures in light of PSS insights.

(5) Startup and test procedures will be compared with the success criteria and modes of operation assumed in the PSS. If startup test results do not meet their acceptance criteria, the significance of the deviation will be evaluated and corrective action taken if necessary.

(6) The utility has indicated that the Millstone 3 Nuclear Review Board will include members knowledgeable about the PSS.

(7) The utility has indicated that it intends to use the "living" PSS in helping to make operational and safety support decisions.

The staff has continued to seek ways to best use the information and insights gleaned from the performance, use, and maintenance of a probabilistic safety study. The staff hopes that Northeast Utilities will continue to expand its current plan and thereby gain even greater benefits from the considerable effort it has invested in the Millstone 3 PSS. The following list outlines some areas the staff believes would be worthy of consideration by Northeast Utilities:

(1) Measures of importance regarding engineering and operations could be developed to help the utility to better appreciate areas such as evaluation of operational occurrences (at Millstone 3 and other plants), training of operators, evaluation of the safety significance of areas of potential noncompliance, safety significance of inspection report findings, and evaluation of Technical Specifications.

(2) Failure modes and effects analyses of the effect of human errors in the conduct of maintenance, surveillance, normal, and emergency procedures and Technical Specifications could be performed to help improve safety insights.

(3) Operations and maintenance personnel could be taught pattern recognition for the more vulnerable plant configurations based on the PSS.

(4) Results of any importance measure analyses could be made available to Northeast Utilities' quality assurance (QA) organization. The QA organization may wish to seek a refocus of QA work or NRC audits.

The staff is interested in receiving ongoing PSS insights (as well as information on future PSS adaptations).

Northeast Utilities has indicated a desire to use results from the PSS when making certain management decisions or when discussing proposed design/procedural changes with the NRC. Because the staff, in general, finds the PSS to be a state-of-the-art risk assessment, it believes this is a potentially worthwhile step. There are areas, however, where the staff believes the PSS is optimistic (see Appendix A). The more the PSS is improved, the more confidence the staff will have in the applications of the PSS.

Table 5.1 Value-impact assessment for station blackout related plant modifications (150 miles)

| Potential modifications | Estimated costs* ($million) | Incremental reduction in frequency of core melt per reactor year | Range** of incremental reduction in exposure (person-rem per reactor year) | Estimated average*** cost per person-rem averted over 40 year life ($ per person-rem) |
|---|---|---|---|---|
| Add non-Seismic Category I diverse gas turbine generator and enclosure. Add electric pump for reactor coolant pump (RCP) seal cooling. | 0.7 to 1.2 | 8x10^-5 | 7 to 190 (25) | 630 |
| Add non-Seismic Category I emergency diesel generator and enclosure. Add electric pump for RCP seal cooling. | 0.6 to 0.8 | 1.5x10^-5 | 1 to 36 (5) | 2900 |
| Increase capability to cope with station blackout to 8 hours by increasing capacity of batteries, instrument air, and auxiliary feedwater supply. | 0.3 to 0.5 | 1.1x10^-5 | 1 to 27 (3) | 1860 |
| Add steam-driven turbine generator to charge batteries and power an added electric pump to cool RCP seals. | 1.2 to 1.7 | 7x10^-5 | 7 to 180 (23) | 1005 |

* Costs developed from NUREG/CR-3840.
** The range varies with the particular case assumed. The number in parentheses is the staff's central estimate out to 150 miles.
*** Based on geometric means of the cost and the person-rem averted.

Table 5.2 Value-impact summary for Alternative (1) for plant lifetime

| Value-impact type | Dose reduction range (person-rem) (150 miles) | Cost ($1000) | $ per person-rem averted |
|---|---|---|---|
| Public health | 280 to 7600 | | |
| Occupational exposure (accidental) [1] | 4 | | |
| Occupational exposure (routine) [2] | NA | | |
| Northeast Utilities implementation | | 700 to 1200 | |
| Northeast Utilities operation [3] | | 34 to 60 | |
| NRC implementation [4] | | 7 | |
| Total | 284 to 7600 | 742 to 1267 | |
| Value-Impact Ratio [5]: averaged sum of NRC and Northeast Utilities costs divided by public dose reduction | | | 665 [6] |

[1] Based on an estimated occupational radiation dose of 40,000 person-rem for postaccident cleanup and repair activities (NRR Office Letter No. 16).
[2] No significant increase in occupational exposure is expected from operation and maintenance or implementation of the recommendations proposed in this resolution. Equipment additions and modifications contemplated do not require significant work in and around the reactor coolant system and, therefore, would not be expected to result in significant radiation exposure.
[3] Assumes 5% of installation costs for operation and maintenance (from NUREG/CR-3840).
[4] Based on an estimated 120 person-hours for NRC review.
[5] This does not take into account the additional benefit associated with avoided plant damage costs or replacement power costs resulting from reduced frequency of core melt. The cost for plant cleanup following a core melt accident is estimated to be $2.5 billion, and replacement power is estimated to cost about $1.8 billion based on NUREG/CR-3568. The estimated discounted present value of these avoided onsite costs is given in Table 5.3.
[6] The estimate of $665 per person-rem is based on the geometric mean of the value divided by the geometric mean of the impact.
NOTE: NA = not affected.

Table 5.3 Discounted present value of avoided onsite property damage

| Avoided property damage | 10% discount rate | 5% discount rate |
|---|---|---|
| Cleanup, repair, and replacement power | $2.1 million | $4.7 million |

Table 5.4 Risk summary (base case) for station blackout caused by earthquakes (mean annual risk)

| Consequence category | Hazard curve: PSS | Hazard curve: SHCP |
|---|---|---|
| Early fatalities | 3x10^-8 | 6x10^-5 |
| Latent fatalities, 50 miles | 2x10^-3 | 3x10^-2 |
| Latent fatalities, 150 miles | 8x10^-3 | 1x10^-1 |
| Person-rem, 50 miles | 20 | 330 |
| Person-rem, 150 miles | 97 | 1632 |

NOTE: PSS = Probabilistic Safety Study; SHCP = Seismic Hazard Characterization Project.

Table 5.5 Value-impact assessment of plant modifications for station blackout caused by earthquakes (150 miles)

| Potential modifications | Estimated costs ($million)* | Reduction in frequency of core melt per reactor year: PSS | Reduction in frequency of core melt per reactor year: SHCP | Reduction in exposure (person-rem per reactor year): PSS | Reduction in exposure (person-rem per reactor year): SHCP | Cost per person-rem averted over 40 year life ($ per person-rem)**: PSS | Cost per person-rem averted over 40 year life ($ per person-rem)**: SHCP |
|---|---|---|---|---|---|---|---|
| Improve diesel generator lube oil cooler anchorage. | .05 to .1 | 1x10^-6 | 2x10^-5 | 16 | 375 | 117 | 5 |
| Improve emergency diesel generator enclosure and control building capacity. Diesel generator lube oil cooler anchorage already assumed fixed. | 10 to 150 | 3x10^-6 | 4x10^-5*** | 53 | 750 | 37735 | 2667 |
| Add filtered vent to containment. | 8 to 40 | 0 | 0 | 87 | 1470 | 6897 | 410 |
| Add fully automatic, dedicated, AC-independent, refueling water storage tank independent containment spray system. | 8 to 30 | 0 | 0 | 87 | 1470 | 5460 | 325 |
| Add manually operated containment spray system. Diesel generator oil cooler anchorage is assumed already improved. | 0.4 to 2.0 | 0 | 0 | 70 | 1131 | 430 | 27 |

* These costs are to be used for relative comparison only. No detailed staff evaluation was made to determine what design changes would be required to provide these modifications. Costs were estimated by engineering judgment.
** Does not include onsite cost savings due to core melt frequency reduction. Value was calculated by dividing arithmetic average of costs by incremental exposure reduction.
*** Includes fixing diesel generator lube oil cooler anchorage.
NOTE: PSS = Probabilistic Safety Study; SHCP = Seismic Hazard Characterization Project.

Table 5.6 Value-impact summary for Alternative (1) for plant lifetime

| Value-impact type | Dose reduction range (person-rem) (150 miles) | Cost ($1000) | $ per person-rem averted: PSS | $ per person-rem averted: SHCP |
|---|---|---|---|---|
| Public health | 640 (PSS) to 15,000 (SHCP) | | | |
| Occupational exposure (accidental) [1] | 1 | | | |
| Occupational exposure (routine) [2] | NA | | | |
| Northeast Utilities implementation | | 50 to 100 | | |
| Northeast Utilities operation [3] | | 2 to 5 | | |
| NRC implementation [4] | | 7 | | |
| Total | 640 (PSS) to 15,000 (SHCP) | 60 to 110 | | |
| Value-Impact Ratio [5]: range of arithmetic average of cost divided by person-rem averted | | | 133 | 5 |

[1] Based on an estimated occupational radiation dose of 40,000 person-rem for post-accident cleanup and repair activities (NRR Office Letter No. 16).
[2] No significant increase in occupational exposure is expected from operation and maintenance or implementation of the recommendations proposed in this resolution. Equipment additions and modifications contemplated do not require significant work in and around the reactor coolant system and, therefore, would not be expected to result in significant radiation exposure.
[3] Assumes 5% of installation costs for operation and maintenance (from NUREG/CR-3840).
[4] Based on an estimated 120 person-hours for NRC review.
[5] This does not take into account the additional benefit associated with avoided plant damage costs or replacement power costs resulting from reduced frequency of core melt. The cost for plant cleanup following a core melt accident is estimated to be $2.5 billion, and replacement power is estimated to cost about $1.8 billion based on NUREG/CR-3568. The estimated discounted present value of these avoided onsite costs is given in Table 5.7.
NOTE: PSS = Probabilistic Safety Study; SHCP = Seismic Hazard Characterization Project; NA = not affected.

Table 5.7 Discounted present value of avoided onsite property damage (million dollars)

| Avoided property damage | 10% discount rate: PSS | 10% discount rate: SHCP | 5% discount rate: PSS | 5% discount rate: SHCP |
|---|---|---|---|---|
| Cleanup, repair, and replacement power | 0.026 | 0.53 | 0.058 | 1.2 |

NOTE: PSS = Probabilistic Safety Study; SHCP = Seismic Hazard Characterization Project.

Table 5.8 Estimates of seismically induced core damage annual frequency from relay chatter for Millstone 3

Fragilities | PSS hazard curves, probability of nonrecovery 1.0, 0.5, 0.1 | SHCP hazard curves, probability of nonrecovery 1.0, 0.5, 0.1
0.69 2x10 s 1x10 5 2x10 8 3x10 4 1x10 4 3x10 5 sc=0.67
0.8g 7x10 5 3x10 5 7x10 8 9x10 4 5x10 4 9x10 5 p =1.5 c
0.88g 3x10 8 1x10 8 3x10 7 5x10 5 2x10 5 5x10 8 pc=0.44

NOTE: PSS = Probabilistic Safety Study; SHCP = Seismic Hazard Characterization Project.

6 REFERENCES

Code of Federal Regulations, Title 10, "Energy," U.S. Government Printing Office, Washington, D.C. (contains General Design Criteria).

Counsil, W. G., Northeast Utilities, letter to B. J. Youngblood, NRC, "Response to Jack Benjamin & Associates Review Comments on Revised Millstone 3 Probabilistic Safety Study Seismic Fragility and Response to Request for Additional Information on the PSS Seismic Analysis - Question 720.92," December 11, 1984.

Denton, H. R., NRC, letter to W. G. Counsil, Northeast Nuclear Energy Company, "Risk Evaluation - Millstone, Unit No. 3," September 21, 1983.

Dooley, J. L., et al., RDA-TR-127303-001, "Mitigation Systems for Mark III Reactors," Preliminary Report, R & D Associates, May 1984.

Lambert, H., "Circuit Breaker Operation and Potential Failure Modes During an Earthquake: A Preliminary Investigation," Lawrence Livermore National Laboratory, April 9, 1984.

Lawrence Livermore National Laboratory, UCID-20421, "Seismic Hazard Characterization of the Eastern United States: Methodology and Interim Results for Ten Sites," April 1985.

Moore, J. E., NRC Counsel, to J. P. Gleason et al., Administrative Judges, NRC staff witness S. Acharya testimony on Commission Question 1 on Indian Point Units 1 and 2, January 24, 1983, P III.C.8 & 9, Tables III.C.6 and 7.

Reiter, L., "Estimates of Seismic Hazard and Nuclear Power Plants in the U.S.," in Proceedings of the Second CSNI Specialized Meeting on Probabilistic Methods in Seismic Risk Assessment for Nuclear Power Plants, Livermore, California, May 16-18, 1983, pp. 105-118.

Sheppard, J. J., Chairman, Westinghouse Owners Group, letter to H. R. Denton, NRC, "Westinghouse Owners Group RCP Shaft Seal Behavior During Station Blackout," misdated January 4, 1984, actually submitted January 4, 1985.

Speis, T., NRC, memorandum to H. R. Denton, "Recommendations Resulting From the Zion Risk Inquiry," August 1, 1985.

U.S. Nuclear Regulatory Commission, NRR Office Letter No. 16, Revision 2, "Regulatory Analysis Guidelines," October 3, 1984.

--, NUREG-75/014, "Reactor Safety Study - An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants," October 1975.

--, NUREG-0348, "Demographic Statistics Pertaining to Nuclear Power Reactor Sites," November 1979.

--, NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants - LWR Edition," July 1981.

--, NUREG-0967, "Seismic Hazard Review for the Systematic Evaluation Program - Use of Probability in Decision Making," L. Reiter and R. E. Jackson, March 1983.

--, NUREG-0974, "Final Environmental Statement Related to the Operation of Limerick Generating Station, Units 1 and 2," April 1984.

--, NUREG-1031, "Safety Evaluation Report Related to the Operation of Millstone Nuclear Power Station, Unit No. 3," July 1984; Supplement 1, March 1985; Supplement 2, September 1985; Supplement 3, November 1985; Supplement 4, November 1985.

--, NUREG-1032, "Evaluation of Station Blackout Accidents at Nuclear Plants - Technical Findings Related to Unresolved Safety Issue A-44," draft report, January 1985.

--, NUREG-1037, "Containment Performance Working Group Report," draft report for comment, May 1985.

--, NUREG-1064, "Draft Environmental Statement Related to the Operation of Millstone Nuclear Power Station, Unit No. 3," July 1984; "Final Environmental Statement Related to the Operation of Millstone Nuclear Power Station, Unit No. 3," December 1984.

--, NUREG/CR-3568, "Handbook for Value-Impact Assessment," S. W. Heaberlin et al., Battelle Pacific Northwest Labs., December 1983.

--, NUREG/CR-3756, "Seismic Hazard Characterization of the Eastern United States: Methodology and Interim Results for Ten Sites," draft report, D. L. Bernreuter et al., Lawrence Livermore National Laboratory, April 1984.

--, NUREG/CR-3840, "Cost Analysis for Potential Modifications To Enhance the Ability of a Nuclear Power Plant to Ensure Station Blackout," R. A. Clark et al., Science and Engineering Associates, Inc., July 1984.

--, NUREG/CR-4142, "A Review of the Millstone 3 Probabilistic Safety Study," A. Garcia et al., Lawrence Livermore National Laboratory, April 1986.

--, NUREG/CR-4143, "Review and Evaluation of the Millstone 3 Probabilistic Safety Study: Containment Failure Modes, Radiological Source Terms and Offsite Consequences," M. Khatib-Rahbar et al., Brookhaven National Laboratory, September 1985.

--, SECY-81-25, Policy Issue Memorandum from W. J. Dircks to the Commissioners, "Performance of Probabilistic Risk Assessment or Other Types of Special Analyses at High Population Density Sites," January 12, 1981.

APPENDIX A

POTENTIAL AREAS OF IMPROVEMENT OF THE MILLSTONE 3 PROBABILISTIC SAFETY STUDY

The Millstone 3 Probabilistic Safety Study (PSS) is a generally well-executed analysis of the strengths and potential weaknesses of Millstone 3. As with any PSS, some areas have been analyzed more completely than others. Some areas have been treated in a conservative manner because Northeast Utilities may have felt the additional effort necessary to accurately model the area was not justified; others were treated, in the staff's judgment, nonconservatively (e.g., loss of offsite power initiators).

Northeast Utilities has indicated it intends to use the Millstone 3 PSS for plant support, which includes the following:

- training operators about lessons learned by Northeast Utilities while preparing the PSS
- writing or reviewing emergency and startup procedures to reflect the knowledge gained while preparing the PSS
- providing input to Northeast Utilities decisionmaking process regarding the benefits and risks of proposed design or procedural improvements

Northeast Utilities has also indicated the desire to make the Millstone 3 PSS a "living" study. The PSS is to be updated as design modifications are made or new data are available.

The staff commends Northeast Utilities' interest in using the PSS to improve the future operation of Millstone 3. After reviewing the PSS, the staff finds that there are additional areas of the PSS which, if improved, would reduce uncertainty in the results and further increase the usefulness of the Millstone 3 PSS. Staff comments cover two areas: improvement of existing analysis and addition of areas omitted in the Northeast Utilities analysis.

DC Power

DC power is essential for plant operation. It provides the power for much of the instrumentation and control functions at Millstone 3. DC power is required to change the position of some safety significant breakers. Total loss of DC power is postulated to lead to core melt.

The frequency of losing the entire vital DC power system was defined in the Millstone 3 PSS as the frequency of losing a second vital DC source given that the other vital DC power source is already in an unavailable state. This failure rate is calculated using a time-dependent reliability model which includes a time-dependent recovery model. The model treated the two channels as completely independent. No allowance was made for common cause failures. In addition, the system fault tree for vital DC power does not account for unavailability that stems from human error. The exclusion of these factors limits the utility of the fault tree for estimating the frequency of damage states initiated by vital DC power failures. Common cause failure and unavailability stemming from human error should be taken into account.

The DC power system model in the PSS needs to be modified to include the possibility of the unavailability of DC power given loss of offsite power. The emergency diesel generators cannot flash their fields without DC power, so simultaneous loss of DC and offsite power results in station blackout. The PSS provides no estimate of the unavailability of the vital AC and vital DC systems, on demand, for those cases where offsite power is unavailable.

Refueling Water Storage Tank Conservation and Restoration

The PSS should better model the conservation of refueling water storage tank (RWST) inventory when appropriate (i.e., if emergency procedures would lead the operator to attempt to conserve inventory). Northeast Utilities has indicated it will write procedures on refilling and reborating the RWST for events such as small break loss-of-coolant accidents (LOCAs).

Reactor Coolant Pump Seal Failure Rate

The analysis in the PSS of reactor coolant pump (RCP) seal failure due to loss of cooling (analyzed for station blackout) is in error. Northeast Utilities has agreed at meetings with the staff that the calculation is in error, but has not modified the PSS.

Mission Time

The PSS assumes that 24 hours is sufficient mission time for the residual heat removal (RHR) system and service water system if a core damage accident has occurred. The reasoning is that after 24 hours, adequate offsite help is available and decay heat loads are lower than in the first few hours. Exploring mission times beyond 1 day would be useful.

System Dependencies

The Millstone 3 PSS uses support states to represent the dependencies of front-line systems on support systems. A major assumption in this method is that no subtle interfaces or interactions within or between the various support system trains exist. That is, the support system trains are truly independent and affect only the associated front-line system trains. This is the design philosophy for the plant. However, other studies which have done more rigorous analysis of support system interfaces through the propagation of the connections through detailed fault tree models (e.g., the Interim Reliability Analysis Program studies) have shown that this assumption is not always valid. Although no obvious deficiencies are evident in this area in the PSS, it is beyond the scope of the staff's review to invest the required effort to determine if any subtle dependencies were missed. There is no easy way to determine if anything of significance was omitted. This would require using fully integrated fault trees for each accident sequence or performing a separate component level systems interaction study.
- i. .-- . . - - . . -. -. . - . - . - - - - . . - . . - - . - -
4 l
1 Diesel Generator Failure Rate ,
The staff finds the diesel generator failure-to-start rate in the PSS is very '
optimistic.
Fire and Reactor Coolant Pump Seal LOCA The PSS fire analysis does not appear to consider that a fire disabling cooling capability to the reactor coolant pump (RCP) seals will lead to an RCP seal LOCA.
This was an important insight in the Indian Point probabilistic risk assessment.
The fire analysis should have taken into account the effects of the suppression ,
agents on equipment and the impact of earthquakes on fires and fire protection systems. The fire analysis should have addressed issues related to the response of equipment and cables to high heat fluxes and temperatures. ,
Main Electrical System and Human Error
The main electrical system fault tree in the PSS does not consider human error. The staff considers human error (in operation, testing, and maintenance) an important contributor to power failures.
120-V Vital AC System
An important exclusion from this fault tree is the treatment of common cause failures. The PSS states that no common cause failures were postulated for the vital AC system because such failures are included in those systems that depend on the vital AC system. However, such an assumption ignores the contribution of common buses, common design errors, common maintenance procedures, etc., to the set of common cause failures for this system.
Failures in the vital AC system were not major contributors to risk in the Millstone PSS. Nonetheless, incorporation of common cause failures could become significant for cases in which the probability of basic events may have changed. Thus, the usefulness of this fault tree for uncertainty and sensitivity analyses may be limited until these problems can be corrected.
Emergency Generator Load Sequencer
The major problem involves the failure to accurately model the dependence of a single sequencer on the corresponding vital AC and vital DC system. A major difficulty comes from the use of the output from the vital 120-V AC fault tree as a substitute for the vital DC failure. The fault tree model does not deal with the fact that, following a loss-of-power accident, the emergency generator load sequencer (EGLS) would be the primary initial support system and that for the first 10 to 40 seconds following this event, it would be functioning with AC power unavailable on buses 34C and 34D.
The unavailability of both EGLS cabinets is apparently dominated by common cause failures. However, the common cause failure rate is based on the rate for the electrical portion of the reactor protection system (RPS) in NUREG-0460. This system was used to represent the EGLS because the RPS has an equal or greater diversity than the EGLS. This basis for sequencer common cause failure appears weak and optimistic.
Many aspects of the load sequencer operations are not addressed in the PSS. In particular, the load sequencer performs functions that raise questions relative to the possibility of exacerbating accident conditions. The sequencer strips loads on plant safety buses when it receives a loss of offsite power signal.
During subsequent diesel generator startup, it blocks manual starts of safety equipment. When the diesel generator breaker closes, the sequencer begins to load the safety buses with safety equipment in a timed sequence and initiates manual trip blocks so that the equipment cannot be tripped.
Internal Flooding
The staff judged the flood analysis to be incomplete and the results of the analysis to be speculative. A major limitation of the analysis is the absence of calculations for flow rates, drainage rates, and flood levels. Instead, the PSS presents a qualitative treatment of flood hazard and concludes that internal flooding is not a significant contributor to core melt. A particular concern is that the approach used could downgrade the importance of flooding in some zones. The uncertainties inherent in the PSS analysis indicate the results could be in error by orders of magnitude.
The risk assessment of internal flooding for Millstone 3 consisted of a qualitative evaluation in which specific scenarios were selected for further evaluation, and a quantitative evaluation where the frequency of exceeding various accident consequences was estimated. The qualitative analysis involved an evaluation of floor plans at various elevations to determine the critical safety-related components or systems that would be affected by a single flooding event. A "scoping" analysis was used in the PSS to evaluate how frequently a flood would disable safety equipment. (See NUREG/CR-4142 for more details.) The most extensive analysis system currently available for assessing the risks associated with internal floods is the ESP-NOAH code package (NUREG/CR-2678). The flood risk analysis methods in this package are designed to identify and quantify flood impacts by using the results of the plant's systems analysis. ESP identifies accident sequences and systems that can contribute to plant risk as a result of floods. NOAH simulates the flooding of components in the fault tree. The output of this simulation is the order of component submersion and flooded minimal cut sets, if any exist.
Service Water System Common Cause Failure
As with DC power, the service water system (SWS) common cause failure rate in the PSS is calculated in a way that could (assuming appropriate values are used) give one a reasonable estimate of common cause failure. However, this method gives no insights into potential causes of common cause failure. Loss of service water can lead to reactor trip, RCP seal failure, and loss of emergency core cooling capability. Northeast Utilities has submitted a calculation which is designed to demonstrate that cooling can be supplied (once-through cooling provided by the component cooling water surge tank) for many hours to the pumps that provide RCP seal cooling, even if service water is lost.
V-Sequence
The PSS does not consider mitigation of or recovery from a degraded core condition in conjunction with the V-sequence. A comprehensive review of this accident and the corresponding PSS analysis identified some deficiencies in the PSS assessment. Problems with the assumed probability distribution were taken care of in the staff's requantification. Additional areas in which improvement can be made in the PSS relative to the assessment of the V-sequence accident are described below:
(1) There appear to be discrepancies in the pipe and valve configuration assumed in the PSS for the RHR suction. This portion of the RHR system was found to dominate the probability of a V-sequence accident. According to the PSS description, the accident would occur if both valves failed in either pump suction line. The rupture could occur inside the containment, but this is conservatively assumed not to occur in the PSS. (Rupture inside the containment would not lead to severe offsite consequences, since the containment barrier is not breached.)
The PSS indicates that a third valve exists in both RHR suction lines. On the basis of other plant designs, it seems likely that the transition from high to low pressure pipe would occur at the location of these valves rather than inside the containment. If this is the case, the probability of the V-sequence accident would be reduced dramatically because a third valve, normally locked closed, would have to fail. (The Stone & Webster drawing in the staff's possession does not indicate the design pressure transition point.) If low pressure pipe is located between the inside and outside valves (as implied in the PSS assessment), there is a possibility of a rupture outside the containment. However, depending on relative pipe segment lengths inside and outside the containment, the probability of an outside rupture would be reduced over the PSS value.
(2) The PSS description of the progression of the V-sequence accident is very sketchy, and some of the results seem unusual. If the accident were to occur, it appears that the pipe would rupture in the RHR pump cubicle. A high energy blowdown process would follow rupture. This would likely cause pipe whipping and would generate high velocity debris in the pump cubicle.
It seems these events could disable the RHR pumps even though they would be commanded to start following the rupture. Furthermore, the high temperature steam environment would likely cause the pumps to fail. If the pumps operated under these conditions, they would very likely become flooded from the large amounts of water discharged to the area (from blowdown, accumulator discharge, high pressure injection system (HPIS), drain from the RWST to the break, and low pressure injection system (LPIS) flow).
If the LPIS pumps were to fail, the core may remain cooled from operation of the HPIS. The HPIS runout flow, assuming operation of both charging and safety injection pumps, is 1700 gpm. This is more than adequate to maintain core cooling. (In fact, the PSS states that one high pressure safety injection pump is sufficient to recover from a 6-inch LOCA.) Assuming an RWST volume of 1.2 million gallons, the core would remain cool for 11.8 hours if the drain from the RWST to the break location is either negligible or terminated by operator closure of valves between the RWST and RHR pump suction. If the operator throttles down the HPIS flow to conserve RWST water, an even longer time for sustained core cooling could be realized for this scenario.
(3) The scenarios described previously for the V-sequence suggest that the accident could be terminated or mitigated. (None of these possibilities were explored in the PSS.) Because about 12 hours may exist before core uncovery occurs, it seems reasonable that an alternate source of water supply to the RWST could be obtained. If so, the HPIS could provide core cooling indefinitely, provided that these pumps do not become flooded from water injected into the RHR pump cubicle.
It also seems likely that the RHR rupture may become submerged early because of the large amounts of water delivered to the RHR pump cubicle (see Item 2 above). If the core melts while the pipe is submerged, a large fraction of the radionuclides released from the core would be expected to be secured in the water, greatly reducing the source term assumed for this accident.
Since only small floor drains were found in the RHR pump cubicle during the plant tour in December 1983, it seems likely that the pipe rupture location would be submerged, unless large openings exist in the pump cubicle below the rupture-sensitive piping, allowing spillover into adjacent areas.
Seismic
The potential exists for the interaction of non-seismically qualified structures or components and seismically qualified, safety-related structures or components. Non-seismically qualified structures could fail, fall, and impact the safety-related items in the plant. Northeast Utilities has performed a walkthrough inspection to assess this potential. However, the walkthrough was performed before plant construction was completed.
REFERENCES
U.S. Nuclear Regulatory Commission, NUREG-0460, "Anticipated Transients Without Scram for Light Water Reactors," Vols. 1 and 2, April 1978; Vol. 3, December 1978; Vol. 4, March 1980.
--, NUREG/CR-2678, "Flood Risk Analysis Methodology Development Project," D. P. Wagner, M. L. Casada, and J. B. Fussell, Oak Ridge National Laboratory, July 1982.
--, NUREG/CR-4142, "A Review of the Millstone 3 Probabilistic Safety Study," A. Garcia et al., Lawrence Livermore National Laboratory, April 1986.
APPENDIX B
RATE OF OCCURRENCE OF SEVERE CORE DAMAGE EVENTS DUE TO THE LOSS OF OFFSITE POWER INITIATOR FOR MILLSTONE 3
B.1 INTRODUCTION AND SUMMARY
In this appendix, the staff evaluates the frequency (rates of occurrence) of severe core damage events, from the loss of offsite power initiators for Millstone 3. The frequency of severe core damage from the loss of offsite power initiator is estimated at $8.2 \times 10^{-5}$ per year.
Uncertainties are judged to be large, but have not been quantified. Sensitivity analyses to some of the assumptions are given.
The model used is based on the Marshall-Olkin model (Marshall and Olkin, 1967) for fatal shocks to take into account diesel generator failure to run and common cause failure to run of the diesel generators. Failures to start of the diesel generators and maintenance unavailability are also included. Recovery of diesel generators and of loss of offsite power is modeled. The ability of the plant to withstand station blackout (loss of all AC power) of limited duration without severe core damage is modeled. The duration of the station blackout that can be withstood (the "grace time") without severe core damage depends on the time of initiation of the station blackout. For early times, the grace time depends on the time without seal cooling that the reactor coolant pump seals can withstand before failing; for later times, the grace time depends on the battery depletion time.
For later times, the reactor coolant pump seals are assumed not to fail because the reactor is assumed to cool down. The staff notes that failure to run of diesel generators was not modeled in the Millstone 3 Probabilistic Safety Study (PSS).
B.2 PHYSICAL CONSIDERATIONS
The staff assumes that if all AC electric power is lost for a period $\tau_1 = 1\frac{1}{2}$ hours, at any time within the first $w_0 = 4$ hours after the loss of offsite power, core melt occurs. If all AC electric power is lost for a period of 3 hours, at any time after the first 4 hours after loss of offsite power, then core melt occurs. The rationale for this is that the staff assumes a reactor coolant pump seal LOCA will occur after 1/2 hour without electric power, if the reactor coolant temperature exceeds 400°F. The core will then uncover within another hour, unless power is restored. However, the staff assumes that the reactor operators will begin cooling down the reactor 2 hours after initiation of the loss of offsite power, and the reactor coolant temperature will be below 400°F 4 hours after the loss of offsite power event. Thus, if all AC electric power is lost after 4 hours into the event, the seal LOCA will not occur before the reactor coolant system is cooled below 400°F, and hence will not occur. The 3-hour grace time for the station blackouts which begin 4 hours after loss of offsite power comes from an assumed battery depletion time of 3 hours.
The assumed battery depletion time of 3 hours used in the calculations is somewhat larger than the present staff minimum estimate of 2 hours, but less than the applicant's estimate of 8 hours. (More precisely, the staff has no information to support a time greater than 2 hours, at present, since the applicant has not supplied this information.) Sensitivity studies are performed in which an 8-hour battery depletion time is used. Severe core damage is assumed to occur after loss of DC power because of loss of instrumentation and control.
It is assumed that electric power will be restored with certainty 24 hours after initiation of the loss of offsite power. However, one of the sensitivity studies considers the case in which electric power is not restored with certainty until 48 hours after initiation of the event.
Containment failure can occur by various mechanisms. First of all, a hydrogen burn sufficiently intense to cause containment failure may occur. For this to happen, the containment must first be de-inerted by the removal of water vapor from the containment atmosphere. De-inerting may occur from natural condensation or as a consequence of electric power being restored and the containment sprays being actuated. (If de-inerting is due to containment spray actuation, the sprays will probably significantly reduce the source term: about 2 orders of magnitude.) In addition, a sufficiently large amount of hydrogen must have been produced so that the pressure rise produced by burning is sufficiently large to fail the containment. Although the amount of hydrogen produced after core melt may continue to rise, the amount of hydrogen that can burn is limited by the amount of oxygen in the containment; this depends on the preaccident containment pressure in the subatmospheric containment at Millstone 3.
Whether the containment fails on a hydrogen burn depends also on the efficiency of the burn in producing a pressure rise in the containment. Burns which are slow permit greater heat transfer from the containment atmosphere to the walls and to other materials of the containment, reducing the pressure rise. The staff estimates that if de-inerting occurs by natural condensation, then the probability of containment failure from a hydrogen burn which consumes all the oxygen in containment is 0.1; the burn here is considered relatively slow and inefficient. On the other hand, if de-inerting occurs because the containment sprays have been turned on, after a stoichiometric mixture of hydrogen and oxygen exists, the probability of containment failure is taken as 0.5, since the burn is considered more efficient.
The containment can also fail because of overpressure from steam and noncondensable substances. For this to occur, the staff estimates that electric power must not be restored within 24 hours after core melt.
The staff estimates that the rate of hydrogen production is such that a stoichiometric mixture of hydrogen and oxygen exists after 6 hours. The calculations of containment failure assume no probability of containment failure if electric power is restored before 6 hours after core melt.
De-inerting by natural condensation (without sprays) is estimated to occur with uniform probability at any time between 6 hours and 20 hours. There is some conservatism here, since it is possible that natural condensation will not occur at all.
B.3 DEFINITIONS
Time will be measured from the instant of loss of offsite power, or from time of failure, as appropriate. The formulas that follow will indicate the origin of the time axis.
$R_n(t)$ is the probability that the offsite power has been recovered by time $t$ after the onset of its loss (symbol $n$ designates electrical network); $R_n(t)$ is the distribution of recovery time.
$Q_n(t) = 1 - R_n(t)$ is the probability that the offsite power has not been restored by time $t$.
$Q_f(t)$ is the probability of nonrecovery of a diesel generator by time $t$ after its failure, for either the failing-to-start mode of failure or the failure-to-run mode of failure, if these failures were from independent causes. In the case of failure to run, the symbol $Q_i(t)$ may also be used.
$Q_m(t)$ is the probability of nonrecovery by time $t$ from being in maintenance or test.
$Q_c(t)$ is the probability of nonrecovery of a diesel generator by time $t$ after its failure, if it has failed from common cause.
$q_m$ is the probability of a single diesel generator being in maintenance at time of demand.
$q_f$ is the probability of a single diesel generator failing to start on demand.
$q_2$ is the probability that both diesel generators fail to start on demand.
$q_c$ is the probability of common cause failure of both diesels starting.
$\lambda_f(t) = \lambda_f$ is the failure rate for a running diesel generator.
$\lambda_c(t) = \lambda_c$ is the failure rate from a common cause event (or shock) that will disable all running diesels.
$\lambda_i = \lambda_f - \lambda_c$ is the failure rate for a running diesel from independent causes.
$w_0$ subdivides the time interval after the loss of offsite power. For station blackouts beginning at times before $w_0$, the grace time the plants can withstand a total loss of AC power before severe core damage occurs is determined by the reactor coolant pump seal failure; for times after $w_0$, the grace time is determined by battery depletion.
$\tau_1$ is the grace time (see definition of $w_0$) for station blackouts initiated in the time interval $0 \le t < w_0$, where the reactor coolant pump seal failure is controlling. See Section B.2, "Physical Considerations" (this appendix).
$\tau_2$ is the grace time for times $t \ge w_0$, where the battery depletion is controlling.
$w_1$ is the termination time used in the calculations; station blackouts initiated after time $w_1$ are assumed not to lead to core melt. For the base case, $w_1 + \tau_2 = 24$ hours. By 24 hours after loss of offsite power, recovery of electric power by one means or another is assumed. In sensitivity calculations, it was assumed that power was not recovered with certainty until 48 hours after the loss of offsite power occurred.
$\lambda_n$ is the rate of loss of offsite power.
B.4 PARAMETER VALUES AND THEIR SOURCES
(1) The frequencies $\lambda_n Q_n(t)$ of losses of offsite power exceeding $t$ hours were taken from Figure 14 of the final draft of NUREG-1032. (This figure applies specifically to Millstone 3.) This draft gives a range of values (called "model range"); the values of this appendix were chosen in the midpoint of this range. The table of values as used in this appendix are given in Table B.1. Beyond 16 hours (the cutoff value for the table in NUREG-1032), a constant value of 0.004/year was assumed for $\lambda_n Q_n(t)$, until 24 hours.
The values for $Q_f(t)$, $Q_m(t)$, $Q_c(t)$ were derived from values given in NUREG/CR-3226, p. 237. It was found that these values were fitted reasonably well by exponential curves $\exp(-at)$. The values of $a$ for $Q_f(t)$, $Q_m(t)$, and $Q_c(t)$ are:
Nonrecovery periods    a
$Q_f(t)$               1/15
$Q_m(t)$               1/15
$Q_c(t)$               0.1
A somewhat better fit could have been obtained for $Q_m(t)$, nonrecovery from maintenance, but the results are insensitive to this value.
(2) $q_m$ was taken as $6 \times 10^{-3}$ per demand from NUREG/CR-2989.
(3) $q_f$ was taken as $3 \times 10^{-2}$ per demand from NUREG/CR-2728, p. 128.
(4) $q_2$ was taken as $2 \times 10^{-3}$ per demand rounded off from $1.9 \times 10^{-3}$ as listed in NUREG/CR-2989, p. 42.
(5) $q_c$ was computed from $q_2$ and $q_f$ to be $1.1 \times 10^{-3}$.
(6) $\lambda_f$ was taken as $3 \times 10^{-3}$ per hour from NUREG/CR-2815, Table C.1.
(7) $\lambda_c$ was taken as $9 \times 10^{-5}$ per hour as derived from the $\beta$ factor of 0.03 (rounded from 0.0325) of the Midland Nuclear Plant Probabilistic Risk Assessment (Hubbard, 1984), Appendix E.1, p. 76.
(8) $\lambda_i = 3 \times 10^{-3} - 9 \times 10^{-5} \approx 2.9 \times 10^{-3}$ per hour.
(9) $w_0 = 4$ hours.
$\tau_1$ was taken as 1.5 hours (see Section B.2).
$\tau_2$ was taken as 3 hours (see Section B.2), coming from battery depletion time; in sensitivity studies, $\tau_2$ was taken as 8 hours.
B.5 ANALYSIS AND NUMERICAL RESULTS
B.5.1 Sequences Analyzed
The rate of occurrence of severe core damage and the rate of occurrence of core damage with containment failure under various conditions were evaluated for five "major" sequences at time of loss of offsite power:
(1) Each of the diesels is unavailable either because of maintenance or failure to start.
(2) One diesel is in maintenance, the other diesel starts but fails while running, leading ultimately to core melt.
(3) One diesel fails to start, the other diesel starts but fails while running, leading ultimately to core melt.
(4) Both diesels start but fail while running through common mode.
(5) Both diesels start, but the first failing diesel fails while running (from an independent random failure), and the second diesel fails while running (from either an independent or common cause).
B.5.2 Formulas
The formulas below are developed to deal with the frequency (per year) of severe core damage from the loss of offsite power initiator. The symbol $P_d$ will be used to denote the annual frequency of severe core damage, from the loss of offsite power initiator. The numerical evaluation is for the base case, with a battery depletion time of 3 hours.
The derivation of the formulas follows rather directly from the physical model described above. A few explanations may make it easier for the reader to follow.
The contribution from terms involving the failure of a diesel generator, its repair, and subsequent failure are neglected. Except for case (1), all cases require integration. Because two different grace periods (each having a different $\tau$) after loss of AC power are involved, two separate integrals are necessary. These will be designated by $I_1$ and $I_2$.
Some of the formulas involve a factor of 2; this factor of 2 arises because there are two symmetric cases; either diesel generator A fails first or diesel generator B fails first.
Cases (3) and (4) involve explicitly the shock model for common cause failure, one that is equivalent to the Marshall-Olkin model for fatal shocks (Marshall and Olkin, 1967). Shocks which cause both diesels to fail simultaneously arrive at a rate $\lambda_c$ and with density function for time of arrival $\lambda_c \exp(-\lambda_c t)$. In addition, each diesel may fail from independent causes at a rate $\lambda_i$ and with density of failure times $\lambda_i \exp(-\lambda_i t)$. All arrivals of shocks and all arrival times of independent failures are completely independent. It is presumed that repairs on failed diesels from independent causes would be concurrent and the respective repair times would be statistically independent. This is also equivalent to repairing only the engine that would yield the earliest repair.
For common mode failures, the same common repair time for both diesels was postulated.
The most complicated formula pertains to case (5), in which the first diesel failure is an independent diesel failure while running. Consider $I_1$ for case (5) (this might be more profitably read after looking at the respective formula). The variable of integration $w$ represents the time when the "second" diesel fails and thus creates the loss of all AC power. The second failure can come about either as an "independent" failure or as a common cause failure; thus its failure rate is $\lambda_f$. Failure of the first diesel in an interval $(x, x+dx)$ has probability $\exp(-\lambda_f x)\lambda_i\,dx$. The factor $\exp(-\lambda_f x)$ comes from the fact that neither a common cause failure nor an independent failure occurs before time $x$. If offsite power is lost at time zero, the first diesel generator fails at time $= x$, the second diesel generator fails at time $= w$ ($w > x$), and core melt is assumed after a grace period $= \tau_1$. Therefore, a core melt will occur unless either offsite power is restored before $w + \tau_1$, or the first diesel generator is restored to service before $w + \tau_1 - x$, or the second diesel generator is restored to service before $\tau_1$. These restoration times are reflected in the $Q$s in the formula. In the computations, the exponential factors associated with the failure densities were taken as unity, introducing a slight conservatism.
Case (1)
At the time of loss of offsite power, neither diesel generator is available either because both fail to start or because one fails to start and the other is in maintenance.
$$P_d = \lambda_n \{ (q_2 - q_c)[Q_f(\tau_1)]^2 + q_c Q_c(\tau_1) \} Q_n(\tau_1) + 2 \lambda_n Q_n(\tau_1)\, q_f q_m Q_f(\tau_1) Q_m(\tau_1)$$
$P_d = 4.7 \times 10^{-5}$ per year
[Note: The term involving $q_m$ was neglected in the numerical evaluation.]
Case (2)
At the time of loss of offsite power, one diesel generator is in maintenance, the other fails while running.
$$P_d = \lambda_n\, 2 q_m \{ I_1 + I_2 \}$$
where
$$I_1 = Q_f(\tau_1) \int_0^{w_0} \lambda_f \exp(-\lambda_f w)\, Q_m(w + \tau_1)\, Q_n(w + \tau_1)\, dw$$
and
$$I_2 = Q_f(\tau_2) \int_{w_0}^{w_1} \lambda_f \exp(-\lambda_f w)\, Q_m(w + \tau_2)\, Q_n(w + \tau_2)\, dw$$
$P_d = 3.0 \times 10^{-6}$ per year
Case (3)
At the time of loss of offsite power, one diesel generator fails to start and the other starts, then fails while running.
$$P_d = \lambda_n\, 2 q_f \{ I_1 + I_2 \}$$
where
$$I_1 = Q_f(\tau_1) \int_0^{w_0} \lambda_f \exp(-\lambda_f w)\, Q_f(w + \tau_1)\, Q_n(w + \tau_1)\, dw$$
and
$$I_2 = Q_f(\tau_2) \int_{w_0}^{w_1} \lambda_f \exp(-\lambda_f w)\, Q_f(w + \tau_2)\, Q_n(w + \tau_2)\, dw$$
$P_d = 1.3 \times 10^{-5}$ per year
Case (4)
At the time of loss of offsite power, both diesel generators start, then fail while running through common mode.
$$P_d = \lambda_n \{ I_1 + I_2 \}$$
where
$$I_1 = Q_c(\tau_1) \int_0^{w_0} \lambda_c \exp(-\lambda_c w) \exp(-2\lambda_i w)\, Q_n(w + \tau_1)\, dw$$
and
$$I_2 = Q_c(\tau_2) \int_{w_0}^{w_1} \lambda_c \exp(-\lambda_c w) \exp(-2\lambda_i w)\, Q_n(w + \tau_2)\, dw$$
$P_d = 1.0 \times 10^{-5}$ per year
Case (5)
At the time of loss of offsite power, both diesel generators start, the first diesel generator fails (from "independent causes") while running, and the second diesel generator fails while running, from either independent causes or a common mode shock.
$$P_d = \lambda_n\, 2 \{ I_1 + I_2 \}$$
where
$$I_1 = Q_f(\tau_1) \int_0^{w_0} \lambda_f \exp(-\lambda_f w)\, Q_n(w + \tau_1) \int_0^{w} \lambda_i \exp(-\lambda_f x)\, Q_i(w - x + \tau_1)\, dx\, dw$$
[Note: $Q_i = Q_f$ for all practical purposes.]
$$I_2 = Q_f(\tau_2) \int_{w_0}^{w_1} \lambda_f \exp(-\lambda_f w)\, Q_n(w + \tau_2) \int_0^{w} \lambda_i \exp(-\lambda_f x)\, Q_i(w - x + \tau_2)\, dx\, dw$$
$P_d = 8.3 \times 10^{-6}$ per year
The sum over the five cases yields $P_d = 8.2 \times 10^{-5}$ per year.
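The integrals for cases (2) through (5) can be evaluated numerically as in the following added Python example, which is not part of NUREG-1152. Parameter values are those quoted in Section B.4; Table B.1 is not reproduced here, so `LOOP_TABLE` is a constructed stand-in for the frequency of offsite power losses exceeding t hours, and the resulting frequencies are illustrative rather than the staff's results. All function and variable names are hypothetical.

```python
import math

# Parameter values quoted in Section B.4 of the appendix.
Q_M, Q_F = 6e-3, 3e-2                 # q_m, q_f (per demand)
LAM_F, LAM_C = 3e-3, 9e-5             # lambda_f, lambda_c (per hour)
LAM_I = LAM_F - LAM_C                 # lambda_i, independent failures (per hour)
A_F, A_M, A_C = 1 / 15, 1 / 15, 0.1   # exponents a of the nonrecovery fits exp(-a t)
W_SPLIT, TAU1 = 4.0, 1.5              # hours: end of seal-limited period, its grace time

# CONSTRUCTED stand-in for Table B.1: (t in hours, lambda_n * Q_n(t) per year).
# Only the 0.004/year value from 16 hours onward is taken from the text.
LOOP_TABLE = [(0.0, 0.10), (1.0, 0.04), (2.0, 0.02), (4.0, 0.01),
              (8.0, 0.006), (16.0, 0.004)]


def loop_exceed(t, restore=24.0):
    """lambda_n * Q_n(t): yearly frequency of offsite power losses longer than t."""
    if t < 0:
        raise ValueError("t must be non-negative")
    if t > restore:
        return 0.0                    # power assumed restored with certainty by `restore`
    if t >= LOOP_TABLE[-1][0]:
        return LOOP_TABLE[-1][1]
    for (t0, v0), (t1, v1) in zip(LOOP_TABLE, LOOP_TABLE[1:]):
        if t0 <= t <= t1:             # linear interpolation between table points
            return v0 + (v1 - v0) * (t - t0) / (t1 - t0)


def nonrec(a, t):
    """Exponential nonrecovery curve Q(t) = exp(-a t)."""
    return math.exp(-a * t)


def integrate(f, lo, hi, n=200):
    """Midpoint rule; adequate for these slowly varying integrands."""
    if hi <= lo:
        return 0.0
    h = (hi - lo) / n
    return h * sum(f(lo + (k + 0.5) * h) for k in range(n))


def two_periods(integrand, tau2, restore):
    """I_1 (grace time TAU1, blackout starting before W_SPLIT) plus
    I_2 (grace time tau2, blackout starting between W_SPLIT and restore - tau2)."""
    return (integrate(lambda w: integrand(w, TAU1), 0.0, W_SPLIT)
            + integrate(lambda w: integrand(w, tau2), W_SPLIT, restore - tau2))


def one_unavailable(q0, a0, tau2=3.0, restore=24.0):
    """Cases (2) and (3): one diesel unavailable at demand (probability q0,
    nonrecovery exponent a0); the other starts and fails while running at time w."""
    def integrand(w, tau):
        return (nonrec(A_F, tau) * LAM_F * math.exp(-LAM_F * w)
                * nonrec(a0, w + tau) * loop_exceed(w + tau, restore))
    return 2 * q0 * two_periods(integrand, tau2, restore)


def common_cause(tau2=3.0, restore=24.0):
    """Case (4): a common cause shock at time w fails both running diesels,
    neither having failed independently before w."""
    def integrand(w, tau):
        return (nonrec(A_C, tau) * LAM_C * math.exp(-(LAM_C + 2 * LAM_I) * w)
                * loop_exceed(w + tau, restore))
    return two_periods(integrand, tau2, restore)


def both_fail_running(tau2=3.0, restore=24.0, unity=False):
    """Case (5): first diesel fails independently at x, second fails at w > x.
    unity=True sets the exponential factors of the failure densities to 1,
    the simplification the appendix says was used in its computations."""
    dens = (lambda t: 1.0) if unity else (lambda t: math.exp(-LAM_F * t))

    def integrand(w, tau):
        first = integrate(
            lambda x: LAM_I * dens(x) * nonrec(A_F, w - x + tau), 0.0, w, n=50)
        return (nonrec(A_F, tau) * LAM_F * dens(w)
                * loop_exceed(w + tau, restore) * first)
    return 2 * two_periods(integrand, tau2, restore)


if __name__ == "__main__":
    for tau2 in (3.0, 8.0):           # base case and battery-depletion sensitivity
        print(f"battery depletion time {tau2:.0f} h")
        print(f"  case 2: {one_unavailable(Q_M, A_M, tau2):.2e} per year")
        print(f"  case 3: {one_unavailable(Q_F, A_F, tau2):.2e} per year")
        print(f"  case 4: {common_cause(tau2):.2e} per year")
        print(f"  case 5: {both_fail_running(tau2):.2e} per year")
```

Substituting the actual Table B.1 values for `LOOP_TABLE` is the only change needed to compare against the per-case frequencies listed above.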
B.5.3 Sequences With Containment Failure and Sensitivity Calculations
The mathematical formulation given above can be used to determine the frequency of events in which electric power is not restored for a time $t_m$ after core melt. To do this, in the above formulas,
(1) Replace $\tau_1$ by $\tau_1 + t_m$.
(2) Replace $\tau_2$ by $\tau_2 + t_m$.
(3) Replace $w_1$ by infinity, but assume, for the base case (where power is restored with certainty 24 hours after loss of offsite power), that $Q_n(t) = 0$ for $t > 24$ hours.
Suppose $\lambda_n Q_{ep}(t_m)$ denotes the probability no electric power is restored for a period of at least $t_m$ hours after core melt. Let $g(t)$ represent the density function for natural condensation of steam occurring in the containment. Then $\lambda_n \int g(t_m)\, Q_{ep}(t_m)\, dt_m$ is the probability natural condensation occurs. According to the discussion in Section B.2, natural condensation occurs with equal likelihood at any time between 6 and 20 hours, so that $g(t) = 1/14$; the lower limit on the integral is 6 hours and the upper limit is 20 hours. The result obtained must be multiplied by 0.1, the conditional probability of containment failure after a hydrogen burn where de-inerting occurred by natural condensation.
The frequency of severe core damage events in which containment failure occurred with the sprays on was calculated by computing the frequency of events in which power was lost for at least 6 hours after core melt, subtracting the probability of a hydrogen burn caused by natural condensation, and multiplying by 0.5, the conditional probability of containment failure.
A sensitivity calculation was performed in which electric power was not assumed to be restored within 24 hours of the loss of offsite power, but rather, for the time interval between 24 hours and 48 hours $\lambda_n Q_n(t)$ was taken as 0.004 per year. Steam overpressure failure of containment was assumed at 24 hours. De-inerting caused by natural condensation was assumed not to take place. Additional sensitivity calculations were run assuming the battery depletion time was 8 hours instead of 3 hours.
B.6 DISCUSSION OF UNCERTAINTIES

Some of the uncertainties in the estimate are caused by

(1) uncertainties in the frequency of losses of offsite power, and in the distribution of times to recover offsite power
(2) diesel generator reliability data
(3) uncertainty concerning the behavior of reactor coolant pump seals on loss of cooling
(4) uncertainty concerning the battery depletion time
(5) the assumptions concerning hydrogen burns after de-inerting by natural condensation of steam

Among the assumptions concerning hydrogen burns are the assumptions of uniform probability of de-inerting by natural condensation between 6 and 20 hours after vessel failure, and the assumption of a 10% probability of containment failure, given a hydrogen burn. Note further that the frequency of core melts with containment failures occurring after the sprays are turned on is reasonably sensitive to the assumptions made concerning de-inerting by natural condensation of steam. The reason for this is the assumption that if a hydrogen burn occurs by natural condensation (and 90% of these are assumed not to fail containment), then a hydrogen burn after the sprays are turned on will not fail the containment.
The subtraction of the probability of a hydrogen burn caused by natural condensation causes about a factor of two decrease in the frequency of severe core damage with containment failure occurring after the sprays are turned on.
The staff used generic diesel generator reliability data. There are wide variations from plant to plant in diesel generator reliability, but since there are no plant-specific operating data, it is not possible to reduce this uncertainty.
The behavior of the reactor coolant pump (RCP) seals on loss of cooling of the seals is uncertain. The mechanism for the RCP seal leak on loss of cooling of the seals is overheating and failing of the O-rings (secondary seals). The basis for the estimate that the O-rings will fail after 1/2 hour without cooling is a chart in Parker Seals O-Ring Handbook (January 1977). The chart is intended only as a rough guide. For ethylene propylene O-rings, the time to failure of the O-rings, as a function of temperature, is:

| Temperature | Time |
|---|---|
| 550 F | 0.4 hours |
| 500 F | 0.7 hours |
| 450 F | 1.8 hours |
| 400 F | 5.0 hours |

The approximation made in the calculation of severe core damage frequency is even more rough - it is assumed that if the reactor coolant system temperature is above 400 F, the seals will fail after 1/2 hour; below 400 F, they will not fail.
The magnitude of the RCP seal leak is assumed to be 300 gpm per pump, leading to a core uncovery time of about 1 hour after onset of the leak. The most recent position of the staff is that a leak of 500 gpm per pump would occur if a particular O-ring were to fail, provided that no resistance to flow is given by the seals after failure of the O-ring. Use of a 500 gpm leak rate would not significantly affect the results.
B.7 REFERENCES

Hubbard III, F. R., et al., "Midland Nuclear Plant Probabilistic Risk Assessment," prepared by Pickard, Lowe, and Garrick, Inc., for Consumers Power Company, May 1984.
Marshall, A. W., and I. Olkin, "A Multivariate Exponential Distribution," Journal of the American Statistical Association, Vol. 62, pp. 30-44, March 1967.
Parker Seals, Parker Seals O-Ring Handbook, OR 5770, January 1977.
U.S. Nuclear Regulatory Commission, NUREG-1040, "Evaluation of Station Blackout Accidents at Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-44," draft for comment, May 1985.
-- , NUREG/CR-2728, "Interim Reliability Evaluation Guide," D. D. Carlson et al., Sandia National Laboratories, January 1983.
-- , NUREG/CR-2815, "Probabilistic Safety Analysis Procedures Guide," I. A. Papazoglou et al., Brookhaven National Laboratory, June 1984.
-- , NUREG/CR-2989, "Reliability of Emergency AC Power Systems at Nuclear Power Plants," R. E. Battle and D. J. Campbell, Oak Ridge National Laboratory, July 1983.
-- , NUREG/CR-3226, "Station Blackout Analyses," A. M. Kolaczkowski and A. C. Payne, Jr., Sandia National Laboratories, May 1983.
Table B.1 Annual frequencies Ann9 (t) of losses of offsite power exceeding t hours, at Millstone 3

| t (hrs) | Ann9 (t) (per year) | t (hrs) | Ann9 (t) (per year) |
|---|---|---|---|
| 1.0 | 0.038 | 6.5 | 0.008 |
| 1.5 | 0.029 | 7.0 | 0.008 |
| 2.0 | 0.025 | 7.5 | 0.007 |
| 2.5 | 0.021 | 8.0 | 0.007 |
| 3.0 | 0.018 | 8.5 | 0.006 |
| 3.5 | 0.015 | 9.0 | 0.006 |
| 4.0 | 0.013 | 9.5 | 0.005 |
| 4.5 | 0.012 | 11.5 | 0.005 |
| 5.0 | 0.011 | 12.0 | 0.004 |
| 5.5 | 0.010 | 24.0 | 0.004 |
| 6.0 | 0.009 | | |

Table B.2 Summary of results for frequencies of station blackout induced severe core damage, and severe core damage with containment failure, as a function of battery depletion time

| Frequency | Battery depletion time t g: 3 hours | Battery depletion time t g: 8 hours |
|---|---|---|
| Used in base case | | |
| Frequency of severe core damage with containment failure from hydrogen burn after de-inerting by natural condensation | 4.4x10 7/yr | 3.3x10 7/yr |
| Frequency of severe core damage with containment failure from hydrogen burn after sprays are turned on | 4.3x10 8/yr | 3.4x10 8/yr |
| Used in central estimate | | |
| Frequency of severe core damage with containment failure by steam overpressure, given electric power not restored for certainty for 48 hours after loss of offsite power | 1.6x10 8/yr | 1.0x10 sfyr |
| Frequency of severe core damage | 8.2x10 5/yr | 7.1x10 5/yr |
APPENDIX C CALCULATION OF FREQUENCY OF SEISMIC PLANT DAMAGE STATES

C.1 INTRODUCTION

This appendix presents the staff's calculations of the frequencies of seismically induced plant damage states. The appendix considers the calculation of the frequency of the seismic plant damage states, given the seismic hazard curves, and given the fragility parameters for the structures and components.
The fragility parameters are assessed in the report of NRC consultant, Lawrence Livermore National Laboratory (NUREG/CR-4142), and also, for the containment crane wall, in Appendix D of this report. Comparisons are presented to the results in the PSS, and also to results presented in a report prepared by Structural Mechanics Associates (SMA, 1984) for Northeast Utilities, intended to determine the seismic design margin of the Millstone 3 plant.
Two sets of seismic hazard curves are used: those given in the Millstone 3 Probabilistic Safety Study (PSS) and those given for the Millstone site in the interim results of the Seismic Hazard Characterization Project (SHCP). In the staff's judgment (see Appendix D), the mean PSS hazard function is a low estimate of the seismic hazard function and the mean SHCP hazard function is a high estimate. The final SHCP results are not used in this appendix because they were supplied to the staff after the work for this appendix was performed. These final SHCP curves still represent considerably higher estimates of the seismic hazard than the PSS curves.
Section C.2 of the appendix comments on the probabilistic seismic analysis in the PSS, and indicates in which ways the staff analysis differs from the analysis of Northeast Utilities. Section C.3 presents the staff analysis. Included (see Section C.3.1) are the hazard curves, as given in the PSS and as given by the SHCP, and their extrapolation to peak ground accelerations above those given in the PSS or the SHCP. Also included in Section C.3 is a brief discussion of the component and structure fragility parameters used in cases where they differed from those used in the PSS; the calculational method for the mean probability of failure of a component or structure; the identification of the dominant ways of obtaining each plant damage state; and finally, the computation of the mean frequency of each plant damage state. Section C.4 gives the results of the analysis. Section C.5 gives some comparison to results of the SMA report (1984) on the seismic design margin at Millstone 3, as well as some results of sensitivity studies reported in the SMA report.

C.2 COMMENTS ON THE PROBABILISTIC SEISMIC ANALYSIS IN THE PSS

There have been considerable changes in the probabilistic seismic analysis in the PSS, since it was first submitted to the staff. In the most recent version, Amendment 3, four principal differences remain between the staff analysis and the analysis given in the PSS. Differences are
(1) The seismic hazard curves used. As mentioned in Appendix D, the staff considers the mean hazard curve estimate in the PSS to be low.
(2) The truncation by Northeast Utilities of the seismic hazard curves at 0.8g, even in those cases where Dames and Moore, consultants to Northeast Utilities, indicated the curves were not to be truncated.
(3) The fragility parameters for the containment crane wall.
(4) The assignment by Northeast Utilities of sequences involving reactor coolant pump (RCP) seal loss-of-coolant accidents (LOCAs) to the transient, early-core-melt (TE) plant damage state. Because the staff estimate of the magnitude of RCP seal LOCAs (caused by loss of seal cooling) is larger, the staff assigned these sequences to the small LOCA, early-core-melt (SE) plant damage state.
The SMA report (1984) on seismic design margins used both the SHCP and the PSS hazard curves. Some results from that study are discussed in Section C.5.
C.3 STAFF ANALYSIS

C.3.1 Hazard Curves Used

Two sets of hazard curves were used. The first set was given in Amendment 3 of the Millstone 3 PSS, and the second set was developed in the Seismic Hazard Characterization Project at Lawrence Livermore National Laboratory. There were ten hazard curves in the PSS set; the PSS assigned a probability (or degree of belief) to each of the curves. Dames and Moore, the consultants to Northeast Utilities who did the hazard analysis, intended four of the curves to be untruncated. However, the hazard curves were given only for peak ground accelerations below 1.0g. The staff extrapolated these curves by assuming that the hazard curves fit a lognormal distribution (i.e., the probability of exceeding a given peak ground acceleration was given by the area under the right tail of a lognormal distribution). A least-squares fit was used and was found to be good. The values, for peak acceleration less than 1g, are given in Table C.1, reproduced from Table 5 of the Dames and Moore report incorporated in the PSS.
The values obtained by extrapolation are given in Table C.2; only four of the PSS hazard curves have non-zero frequencies for exceeding 1g.
The SHCP hazard curves also were given only below 1g, and had to be extrapolated.
Three curves were given, identified as the 15th percentile, 50th percentile, and 85th percentile. The probabilities of these curves were accordingly taken as 0.3, 0.4, and 0.3, respectively. That is to say, the 15th percentile hazard curve was considered to be representative of the hazard curves from the zeroth percentile to the 30th percentile, the 50th percentile hazard curve was representative of the hazard curve from the 30th percentile to the 70th percentile, and the 85th percentile curve was representative of the hazard curves from the 70th percentile to the 100th percentile. Table C.3 gives the SHCP hazard curves, as supplied to the staff, and Table C.4 gives the extrapolation of these curves above 1g.
C.3.2 Component and Structure Fragility Parameters

The component and structure fragility parameters used were those given in the PSS, except for the parameters associated with the containment crane wall, the core geometry, and the control rod drive mechanism. The fragility parameters (median ground acceleration capacity and the standard deviation of the logarithm of the acceleration capacity) of the containment crane wall were modified because of changes in the estimate of the inelastic energy absorption capacity of the crane wall. The changes arose because of the dependence of the inelastic energy absorption capacity on earthquake magnitude. The change in the inelastic energy absorption capacity of the crane wall is related to the value of CD used in the calculation of the effective ductility, and is discussed in Appendix D.
The fragility parameters for the core geometry-distortion and control-rod-drive-mechanism failure modes of the reactor protection system were modified on the advice of the staff's consultant (Jack R. Benjamin Associates, Inc.). The changes involved were relatively small, and had a very small effect on the results. Later information indicates that the fragility parameters for the core geometry and control rod drive mechanism used by Northeast Utilities may be correct; however, since the changes have only a small effect, the results were not recomputed with the Northeast Utilities fragility parameters for the core geometry failure mode, or the control-rod-drive-mechanism failure mode.
Table C.4 gives the median ground acceleration capacities (MGACs) and standard deviation $\beta_c$ of the logarithm of the ground acceleration capacity for the control rod drive mechanism, the core geometry, and the containment crane wall.
The quantity $\beta_c$ is the standard deviation of a composite random variable which includes the random variation in the ground acceleration capacity (for fixed MGAC) and the uncertainty in the MGAC. For all other structures and components, the fragility parameters of Northeast Utilities were used herein.
C.3.3 Mean Probability of Failure of a Component or Structure

The probability of failure (or failure fraction) of a component or structure has a distribution given by Equation A-13 of Appendix 2-I of the PSS (Amendment 2). Using the failure fraction distribution of this equation, the mean failure fraction of a component or structure is given by

$$p(a)=\Phi\left[\frac{\ln(a/A_{med})}{\beta_c}\right]$$

where $A_{med}$ is the MGAC, and $\beta_c$ is the standard deviation of the logarithm of the ground acceleration capacity, taking into account both uncertainty in the MGAC and the randomness of the ground acceleration capacity for a given median.
C.3.4 Combinations of Failures Leading to the Plant Damage States and Computation of the Mean Frequency of Each Plant Damage State

Accident sequences can be assigned to plant damage states in such a way that all accident sequences assigned to the same plant damage state may be treated alike insofar as the behavior of the containment and the conditional probability of a given release from the containment are concerned. In the estimate of seismic risk, four plant damage states are of importance. These are

(1) SE : small LOCA, early core melt, no containment sprays
(2) AE : large LOCA, early core melt, no containment sprays
(3) TE : transient, early core melt, no containment sprays
(4) V-3 : large LOCA with containment failure before core melt, caused by containment crane wall failure; no containment sprays.
The most important sequences leading to SE are those involving station blackout. Failure of station batteries and an RCP seal LOCA are assumed to take place on extended station blackout. Because there is a high probability of loss of offsite power at a relatively low level of ground motion, loss of AC power is essentially equivalent to loss of the emergency onsite AC power system. Any one of the following failures leads to loss of emergency AC power:

(1) wall footing failure of emergency generator enclosure
(2) failure of emergency diesel generator oil coolers
(3) diaphragm failure of the control building
(4) service water pump house failure by sliding

Other ways of losing AC power are less probable.
Secondarily, anticipated transient without scram (ATWS) sequences with failure of containment spray were assigned to plant damage state SE; these primarily involve failure of the refueling water storage tank combined with either failure of the control rod drive mechanism or a distortion of core geometry leading to failure of the control rods to enter the core. (Station blackout combined with failure of the control rod drive mechanism or distortion of core geometry also leads to an ATWS, but this need not be considered since station blackout alone leads to state SE.)
The most important sequence leading to plant damage state TE was failure of the engineered safety features (ESF) building. This results in the failure of the feed and bleed process because components of the chemical and volume control system are housed in the ESF building, and the auxiliary feedwater system fails because the auxiliary feedwater system is also housed in the ESF building. Because component cooling water is still available, RCP seal cooling is still available, and no RCP seal LOCA occurs.
The most important sequences leading to plant damage state AE are those that involve a large pipe break in the reactor coolant system combined with either station blackout or failure of the refueling water storage tank. The most important failures leading to station blackout were discussed earlier, when plant damage state SE was considered.
Failure of the containment crane wall leads to plant damage state V-3.
Boolean expressions were written relating the plant damage states to the various combinations of structure/component failures that result in them.
Conditional mean probabilities of the various plant damage states, given the peak ground accelerations, were then calculated.
These expressions for conditional mean probabilities took into account the overlap terms. That is to say, the probability of A or B occurring is not P(A)+P(B), but rather P(A)+P(B)-P(AB), where AB means that both A and B occur. Because the probabilities that components or structures will fail can be relatively large at high peak ground accelerations, these overlap terms P(AB) can be important. In addition, if, for example, a large LOCA occurs, the possibility of a small LOCA occurring is excluded. This was also taken into account, although approximately.
The following procedure was used.
If $P_0(\mathrm{SE}/a)$, $P_0(\mathrm{V\text{-}3}/a)$, $P_0(\mathrm{TE}/a)$, and $P_0(\mathrm{AE}/a)$ represent the conditional probability of plant damage states SE, V-3, TE, and AE, given a peak ground acceleration a, when no correction is made for the overlap between the cutsets associated with the different plant damage states, then

$$P(\mathrm{V\text{-}3}/a)=P_0(\mathrm{V\text{-}3}/a)$$

$$P(\mathrm{AE}/a)=P_0(\mathrm{AE}/a)\,[1-P_0(\mathrm{V\text{-}3}/a)]$$

$$P(\mathrm{SE}/a)=P_0(\mathrm{SE}/a)\,[1-P_0(\mathrm{AE}/a)]\,[1-P_0(\mathrm{V\text{-}3}/a)]$$

$$P(\mathrm{TE}/a)=P_0(\mathrm{TE}/a)\,[1-P_0(\mathrm{SE}/a)]\,[1-P_0(\mathrm{AE}/a)]\,[1-P_0(\mathrm{V\text{-}3}/a)]$$
Finally, the conditional probability of a given plant damage state, given a peak ground acceleration a, is combined with the frequency of earthquakes g(a)da in an acceleration range da about a to obtain the frequency of the plant damage state. For plant damage state X (X=SE, TE, V-3, or AE),

$$P(X)=\int P(X/a)\,g(a)\,da$$

If g(a) is obtained from the mean hazard curve, then P(X) is the mean frequency of plant damage state X.
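The calculation chain of Sections C.3.3 and C.3.4, together with the complete-dependence sensitivity case discussed in Section C.5, is sketched below as an added Python example; it is not the staff's or SMA's code. All fragility parameters and the hazard curve are constructed for illustration, ATWS contributions to SE are omitted, and the large pipe break is assumed independent of the other failures.

```python
import math

# CONSTRUCTED fragility parameters: (median ground acceleration capacity in g, beta_c).
# Illustrative only; these are not the PSS or staff values.
FRAGILITY = {
    "emergency_generator_enclosure_footing": (0.9, 0.45),
    "diesel_generator_oil_coolers": (0.9, 0.50),
    "control_building_diaphragm": (1.0, 0.45),
    "service_water_pumphouse_sliding": (1.3, 0.50),
    "esf_building": (1.7, 0.50),
    "refueling_water_storage_tank": (1.1, 0.45),
    "large_pipe_break": (2.5, 0.50),
    "containment_crane_wall": (2.2, 0.55),
}
# The first four entries are the failures that each lead to loss of emergency AC power.
AC_POWER_FAILURES = list(FRAGILITY)[:4]

# CONSTRUCTED mean hazard curve: (peak ground acceleration in g, annual frequency of
# exceedance). Earthquakes below the first grid point are ignored.
HAZARD = [(0.1, 1e-3), (0.2, 2e-4), (0.3, 7e-5), (0.45, 2.5e-5), (0.6, 1e-5),
          (0.85, 3e-6), (1.0, 1.5e-6), (1.25, 5e-7), (1.5, 2e-7)]


def mean_failure_fraction(a, a_med, beta_c):
    """Mean failure fraction p(a) = Phi[ln(a / A_med) / beta_c]."""
    z = math.log(a / a_med) / beta_c
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def union(probs, dependent=False):
    """P(A or B or ...): overlap-corrected if independent, max() if completely dependent."""
    if dependent:
        return max(probs)
    none_fail = 1.0
    for p in probs:
        none_fail *= 1.0 - p
    return 1.0 - none_fail


def uncorrected_states(a, dependent=False):
    """P0(X/a): state probabilities before removing the overlap between states."""
    p = {name: mean_failure_fraction(a, *params) for name, params in FRAGILITY.items()}
    blackout = union([p[n] for n in AC_POWER_FAILURES], dependent)
    blackout_or_rwst = union([blackout, p["refueling_water_storage_tank"]], dependent)
    return {
        "V-3": p["containment_crane_wall"],
        "AE": p["large_pipe_break"] * blackout_or_rwst,
        "SE": blackout,
        "TE": p["esf_building"],
    }


def corrected_states(a, dependent=False):
    """P(X/a): each state is excluded when a state ranked before it has occurred."""
    p0 = uncorrected_states(a, dependent)
    not_v3, not_ae, not_se = 1 - p0["V-3"], 1 - p0["AE"], 1 - p0["SE"]
    return {
        "V-3": p0["V-3"],
        "AE": p0["AE"] * not_v3,
        "SE": p0["SE"] * not_ae * not_v3,
        "TE": p0["TE"] * not_se * not_ae * not_v3,
    }


def state_frequencies(hazard, dependent=False, a_max=None):
    """Discretized P(X) = integral of P(X/a) g(a) da, optionally only for a <= a_max."""
    freq = {"V-3": 0.0, "AE": 0.0, "SE": 0.0, "TE": 0.0}
    # Sentinel point: everything above the last grid point forms one open-ended tail bin.
    points = hazard + [(math.inf, 0.0)]
    for (a_lo, h_lo), (a_hi, h_hi) in zip(points, points[1:]):
        if a_max is not None and a_hi > a_max:
            break
        bin_frequency = h_lo - h_hi  # earthquakes per year with a in [a_lo, a_hi)
        # Evaluate at the bin midpoint; the tail bin uses its lower edge.
        a_eval = a_lo if math.isinf(a_hi) else 0.5 * (a_lo + a_hi)
        for state, prob in corrected_states(a_eval, dependent).items():
            freq[state] += prob * bin_frequency
    return freq


if __name__ == "__main__":
    independent = state_frequencies(HAZARD)
    dependent = state_frequencies(HAZARD, dependent=True)
    below = state_frequencies(HAZARD, a_max=0.45)
    for state in independent:
        print(f"{state}: independent {independent[state]:.2e}/yr, "
              f"dependent {dependent[state]:.2e}/yr, "
              f"share below 0.45g {below[state] / independent[state]:.0%}")
```

The corrected conditional probabilities sum to one minus the product of the four uncorrected complements, so no earthquake is counted in more than one plant damage state.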
C.4 RESULTS

The mean frequencies of the most important seismically induced plant damage states, in the staff analysis, are given in Table C.6, for both the PSS hazard curves and the SHCP hazard curves. Table C.6 also offers for comparison, the results given in the PSS, Amendment 3, dated November 30, 1984. The staff notes that the largest changes come from differences in the hazard curves.
Using the SHCP hazard curves, a seismic core damage frequency of about 1x10 4 per year is obtained. As for the differences in results between the staff analysis and the PSS analysis, when the same hazard curves are used, the following comments can be made:
(1) The difference between the V-3 frequency in the staff analysis (1.7x10 7 per year) and in the PSS analysis (1.0x10 7 per year) is due primarily to the differences in the fragility parameters MGAC and $\beta_c$, for the containment crane wall. The effects of truncation of the PSS hazard curves above 0.8g, in the PSS analysis, were small. Truncation of the hazard curves is more important when the SHCP hazard curves are used.
(2) The TE frequency in the PSS analysis (5.7x10 8 per year) is close to the SE frequency in the staff analysis (5.5x10 6 per year). But the TE frequency in the staff analysis is two orders of magnitude smaller than the TE frequency in the PSS analysis. The reason for this is that sequences involving RCP seal LOCAs on station blackout were assigned to SE in the staff analysis, and to TE in the PSS analysis. The reason why Northeast Utilities assigned RCP leaks to TE was its assumption, rejected by the staff, that the leak rates would be small. Both the PSS analysis and the staff analysis assigned ATWS sequences to SE.
(3) The difference between the PSS analysis result of 6.5x10 7 per year for AE and the staff analysis result of 4.7x10 7 per year for AE is due in part to the inclusion of more failure modes in the PSS analysis. For example, reactor vessel failure was included. However, there was also an unnecessary conservatism in the PSS analysis: Service water piping failure was treated as independent from service water pumphouse sliding in the PSS seismic fault trees, but the fragility parameters for service water piping failure were taken as equal to that of the service water pumphouse sliding failure mode. This is a kind of overcounting and is conservative. The resolution of this small discrepancy was not pursued.
C.5 COMPARISONS TO RESULTS OF SEISMIC DESIGN MARGIN STUDY FOR MILLSTONE 3 PERFORMED BY SMA

The SMA report (1984) discusses the results of a program to determine the capability of the Millstone Nuclear Power Station, Unit 3, to withstand seismic excitation above the safe shutdown earthquake (SSE). This report estimates the frequencies of the seismic plant damage states using both the Northeast Utilities seismic hazard curves and the SHCP seismic hazard curves. The Boolean expressions relating the plant damage states to the component and structural failures are essentially the same in the SMA report and in the PSS. The principal difference between the Boolean expressions of the SMA report (or of the PSS) and the staff's is, as mentioned earlier, the assignment of sequences involving RCP seal LOCAs to plant damage state TE in the SMA report, but to plant damage state SE in the staff analysis. The mean frequencies of the plant damage states agree between the PSS and the SMA report, when the Northeast Utilities seismic hazard curves are used. But the SMA report also computes the frequencies of plant damage states with the interim SHCP hazard curves. It is of interest to compare the results of the SMA report when the interim SHCP hazard curves are used to the corresponding results of the staff. The comparison of the plant damage state frequencies is given in Table C.7.
In making the comparison between the frequencies of the plant damage states, as calculated by the staff and as given in the SMA report, it should be noted that the staff SE plant damage state is more like the TE plant damage state of SMA than the SE plant damage state, because sequences involving RCP seal LOCAs were assigned to SE in the staff analysis, but to TE in the SMA analysis. A more precise comparison might be to compare the sum of the SE and TE plant damage state frequencies. It is seen that the SMA results exceed staff results by a factor of approximately two to approximately four, depending on the plant damage state.
One reason for this is a difference in the way the interim SHCP hazard curves were used in the staff analysis and the SMA analysis. Three hazard curves were given in the interim SHCP report, corresponding to the 15th, 50th, and 85th percentiles. The staff used these curves directly, assigning weights of 30%, 40%, and 30%, respectively. On the other hand, SMA extrapolated and interpolated (using fits to a lognormal distribution) to obtain hazard curves corresponding to other percentiles (e.g., 95th percentile). The mean hazard curve in the SMA analysis is therefore higher than the mean hazard curve in the staff analysis (i.e., the frequency of exceeding a given peak ground acceleration is greater using the mean hazard curve of SMA than the mean hazard curve of the staff). The staff's method of deriving the mean hazard curve tends to underestimate; the SMA estimate tends to overestimate (given the same interim SHCP curves).
Other differences between the staff analysis and the SMA analysis are differences in the fragility parameters of the containment crane wall. These differences, however, tend to reduce the difference in plant damage state V-3 frequency between the staff analysis and the SMA analysis. That is, if the SMA fragility parameters for the containment crane wall were used in the staff analysis, the frequency of the plant damage state V-3 would be less, and the difference between the staff and SMA frequencies for plant damage state V-3 would be greater.
Another difference between the staff analysis and the SMA analysis when the interim SHCP hazard curves are used is that there is a kind of overcounting of failures in the SMA analysis; there is much less overcounting in the staff analysis. For example, in the SMA analysis, if both the control rod drive system and the diesel generator enclosure were to fail, the failure would contribute to both plant damage states SE and TE.
The staff believes that its estimates of the mean frequencies of plant damage states when the interim SHCP curves are used are of adequate accuracy.
The SMA report also estimated the fraction of the plant damage state frequency coming from different acceleration ranges. The report finds that the major contribution to the median frequencies of plant damage state TE (which dominates the seismically induced core melt frequency in the SMA analysis) comes from earthquakes with accelerations between 0.45g and 0.85g. The SMA report gives the contribution to the median frequency of TE from accelerations less than 0.45g as 17.7%, when the PSS hazard curves (labeled Dames & Moore in the SMA report) are used; when the interim SHCP hazard curves (labeled LLNL in the SMA report) are used, the contribution is 10.2%. Contributions to the mean frequencies of the SMA plant damage state TE are not given in the SMA report. These were obtained from M. K. Ravindra (one of the authors of the SMA report) in a March 19, 1985, telephone call. Using the SHCP hazard curves, the contribution to SMA plant damage state TE from peak ground accelerations less than 0.45g was 28.4%; using the PSS hazard curves this contribution was 39.2%. As stated before, although plant damage state TE dominates the seismic core melt frequency in the SMA report, SE dominates in the staff analysis. Therefore, the staff estimated the contribution from accelerations less than 0.45g to the mean frequency of plant damage state SE in its calculations. A correction had to be made for the fact that offsite power may not be lost at low peak ground accelerations. Once this correction was made, the contribution to the mean frequency of plant damage state SE from accelerations below 0.45g was 40% when the PSS hazard curves were used, and 34% when the interim SHCP curves were used; this is in reasonable agreement with the results for TE obtained by SMA.
Below 0.3g, the contribution to the mean frequency of SE was 10% in the staff calculations when PSS hazard curves were used; the contribution was 8% when the interim SHCP curves were used.
The SMA report discusses sensitivity studies which are of interest in determining the effects of various assumptions on the frequencies of the plant damage states, although they may not necessarily address the technical adequacy of the assumptions in all cases.
The SMA report finds that the truncation of the PSS hazard curves (at 0.6g, 0.8g, and 1.0g) had only minor effects on the frequencies of the plant damage states.
SMA also investigated the sensitivity of the plant damage state frequencies to the ratio of the peak ground velocity to the peak effective ground acceleration assumed in the calculation of the fragility parameters for the service water pumphouse sliding failure mode. A negligible effect on the calculated plant damage state frequencies was obtained. Changes in the coefficient of sliding friction for the service water pumphouse also made a negligible change in the plant damage state frequencies.
In the calculations by both SMA and the staff, failures of dissimilar components were assumed independent. To evaluate the significance of this assumption, SMA performed a calculation assuming complete dependence between the failures. Here it was assumed that the probability that either of two components fail is equal to the probability that the weakest component will fail.
That is:

$$P(A+B)=\max\,(P(A),P(B))$$
The assumption of complete dependence will result in a lower estimate of the frequency of a plant damage state when any of several single failures will yield that plant damage state. (When components are arranged in series, the independent failure assumption is more conservative than the dependent failure assumption.) The SMA report (Table 4-3) compares, for the PSS hazard curves, the plant damage state frequencies under the two opposite assumptions of perfectly independent component failures and perfectly dependent failures. For plant damage state TE, the median frequency assuming completely independent failures is 2x10 8 per year, and assuming completely dependent failures is 4x10 7 per year, a factor of five less. The 95% confidence value, however, does not change. The staff evaluated, for state SE (the plant damage state of highest frequency in the staff analysis), the effect on the mean frequency. Assuming completely independent component failures, the mean frequency of plant damage state SE is 5.6x10 8 per year when the PSS hazard curves are used; assuming completely dependent component failures, the frequency is 2.6x10 5 per year, about a factor of two lower. When the interim SHCP hazard curves were used, a similar result was obtained: The mean frequency when dependent component failures were assumed was about half the frequency when perfect independence was assumed.
The SMA report discusses other sensitivity studies, including changing the assumption that the different failure modes of a component are completely dependent instead of completely independent; a negligible change in plant damage state frequencies was obtained.
If piping is attached to a structure, and the structure slides, then the piping may fail. (Piping failure for buried piping was assumed to occur when buckling occurs.) The sliding displacement necessary to cause failure of attached piping was estimated to have a median value of 4 inches, in the base case studied by SMA. As a sensitivity study, the median sliding displacement necessary to cause piping failure was assumed to be 2 inches; the plant damage state frequencies were not significantly affected.
Thus, many of the sensitivity studies show that many of the assumptions do not have a significant effect on the frequency of the plant damage states. The uncertainties that result from uncertainties in the hazard curves are, however, large, as the results in Table C.6 show. Although as a single point estimate of the frequency, the mean frequency may be the best estimate, the large uncertainties mean that reliance cannot be based on any single point estimate, but the entire range of uncertainty must be considered in any decisionmaking.
C.6 REFERENCES

Structural Mechanics Associates, NTS/SMA 20601.01-R2, "A Program To Determine the Capability of the Millstone 3 Nuclear Power Plant To Withstand Seismic Excitation Above the Design SSE," M. K. Ravindra et al., November 1984.

U.S. Nuclear Regulatory Commission, NUREG/CR-4142, "A Review of the Millstone 3 Probabilistic Safety Study," A. Garcia et al., Lawrence Livermore National Laboratory, April 1986.
Table C.1 Annual frequencies of exceedance for PSS hazard curves

Columns 100 through 980 give the peak acceleration (cm/sec2).

| Aggregate curve | Probability | 100 | 200 | 300 | 400 | 500 | 600 | 700 | 800 | 900 | 980 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 0.004 | 0.48x10 8 | 0.64x10 4 | 0.14x10 4 | 0.34x10 5 | 0.83x10 8 | 0.21x10 8 | 0.78x10 7 | 0.33x10 7 | 0.12x10 7 | 0.59x10.s |
| 2 | 0.163 | 0.29x10 8 | 0.60x10 4 | 0.21x10 4 | 0.95x10 5 | 0.47x10 5 | 0.25x10 5 | 0.14x10 5 | 0.84x10 8 | 0.53x10.s | 0.38x10 8 |
| 3 | 0.127 | 0.11x10 2 | 0.23x10 3 | 0.84x10 4 | 0.37x10 4 | 0.19x10 4 | 0.10x10 4 | 0.57x10 5 | 0.33x10 5 | 0.21x10 5 | 0.15x10 5 |
| 4 | 0.084 | 0.58x10 8 | 0.14x10 8 | 0.53x10 4 | 0.25x10 4 | 0.13x10 | 0.69x10 5 | 0.39x10 5 | 0.23x10 5 | 0.15x10 5 | 0.11x10 5 |
| 5 | 0.129 | 0.14x10 3 | 0.21x10 4 | 0.57x10 5 | 0.19x10 5 | 0.63x10 5 | 0.20x10.s | 0.58x10 7 | 0 | 0 | 0 |
| 6 | 0.074 | 0.85x10 8 | 0.14x10 8 | 0.37x10 4 | 0.12x10 | 0.41x10 5 | 0.15x10.s | 0.55x10.s | 0 | 0 | 0 |
| 7 | 0.074 | 0.36x10 3 | 0.64x10 | 0.19x10 | 0.62x10 5 | 0.21x10 5 | 0.71x10.s | 0.21x10 8 | 0 | 0 | 0 |
| 8 | 0.168 | 0.10x10 8 | 0.13x10 4 | 0.30x10 5 | 0.71x10.s | 0.15x10 5 | 0 | 0 | 0 | 0 | 0 |
| 9 | 0.082 | 0.59x10 8 | 0.66x10 4 | 0.11x10 4 | 0.19x10.s | 0.34x10 8 | 0 | 0 | 0 | 0 | 0 |
| 10 | 0.095 | 0.33x10 3 | 0.49x10 | 0.11x10 | 0 27x10 5 | 0.6?x10.s | 0 | 0 | 0 | 0 | 0 |
NOTE: PSS = Probabilistic Safety Study.
Table C.2 Annual frequencies of exceedance for PSS hazard curves, obtained by extrapolation

Columns 1100 through 1500 give the peak acceleration (cm/sec2).

| Aggregate curve | Probability | 1100 | 1200 | 1300 | 1400 | 1500 |
|---|---|---|---|---|---|---|
| 1 | 0.004 | 2.52x10 9 | 1.25x10 9 | 6.48x10 10 | 3.50x10 10 | 1.95x10 10 |
| 2 | 0.163 | 2.42x10 7 | 1.70x10 7 | 1.23x10 7 | 9.05x10 8 | 6.79x10 8 |
| 3 | 0.127 | 9.43x10 7 | 6.60x10 7 | 4.73x10 7 | 3.46x10 7 | 2.58x10 7 |
| 4 | 0.084 | 6.89x10 7 | 4.87x10 7 | 3.52x10 7 | 2.60x10 7 | 1.95x10 7 |

NOTE: PSS = Probabilistic Safety Study.
Table C.3 Annual frequencies of exceedance for SHCP hazard curves, for peak ground accelerations below 1g

Columns 100 through 980 give the peak acceleration (cm/sec2).

| Aggregate curve | Probability | 100 | 200 | 300 | 400 | 500 | 600 | 700 | 800 | 900 | 980 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 0.3 | 8.2x10 | 1.2x10 | 3.3x10 5 | 1.27x10 5 | 5.5x10 8 | 2.75x10 8 | 1.4x10 8 | 7.8x10 7 | 4.4x10 ' | 3.0x10 7 |
| 2 | 0.4 | 3.1x10 8 | 5.6x10 4 | 1.9x10 | 7.9x10 5 | 3.8x10.s | 2.1x10 5 | 1.2x10 5 | 7.1x10.s | 4.4x10 8 | 3.2x10.s |
| 3 | 0.3 | 1.5x10 2 | 2.7x10-8 | 9.4x10 | 4.4x10 4 | 2.4x10 4 | 1.5x10 | 8.6x10 5 | 5.4x10 5 | 3.8x10.s | 2.8x10 5 |

NOTE: SHCP = Seismic Hazard Characterization Project.
Table C.4 Annual frequencies of exceedance, as obtained from extrapolation of SHCP hazard curves, for peak ground accelerations above 1g

Columns 1100 through 1500 give the peak acceleration (cm/sec2).

| Aggregate curve | Probability | 1100 | 1200 | 1300 | 1400 | 1500 |
|---|---|---|---|---|---|---|
| 1 | 0.3 | 2.1x10 7 | 1.46x10 7 | 1.03x10 7 | 7.5x10 8 | 5.5x10 8 |
| 2 | 0.4 | 2.3x10 8 | 1.7x10 8 | 1.2x10 7 | 9.2x10 7 | 7.1x10 7 |
| 3 | 0.3 | 1.9x10 5 | 1.4x10 5 | 1.0x10 s | 7.9x10 8 | 6.1x10 8 |

NOTE: SHCP = Seismic Hazard Characterization Project.
Table C.5 Fragility parameters - changes made by staff

| Structure or component | Staff values: MGAC | Staff values: βc | Northeast Utilities values: MGAC | Northeast Utilities values: βc |
|---|---|---|---|---|
| Core geometry | 0.87 | 0.45 | 0.99 | 0.45 |
| Control rod drive mechanism | 0.88 | 0.48 | 1.00 | 0.48 |
| Containment crane wall | 1.82 | 0.50 | 2.20 | 0.54 |

NOTE: MGAC = median ground acceleration capacity.
Table C.6 Mean frequency of seismically induced plant damage states

All entries are mean annual frequencies.

| Plant damage state | Staff analysis, SHCP hazard curves | Staff analysis, PSS hazard curves | PSS analysis,* PSS hazard curves |
|---|---|---|---|
| V-3 | 4.1x10^-6 | 1.7x10^-7 | 1.0x10^-7 |
| AE | 9.1x10^-6 | 4.4x10^-7 | 6.5x10^-7 |
| SE | 8.7x10^-5 | 5.5x10^-6 | 1.9x10^-6 |
| TE | 9.1x10^-7 | 5.8x10^-8 | 5.7x10^-6 |
| Total | 1x10^-4 | 6x10^-6 | 8x10^-6 |

* "PSS analysis" refers to Amendment 3 of the PSS, dated November 30, 1984. Only the PSS hazard curves were used.

NOTE: SHCP = Seismic Hazard Characterization Project; PSS = Probabilistic Safety Study.
Table C.7 Frequencies of the seismically induced plant damage states, using the interim SHCP hazard curves. Staff results compared to the results of SMA report

All entries are mean annual frequencies.

| Plant damage state | Staff | SMA report |
|---|---|---|
| V-3 | 4.1x10^-6 | 9x10^-6 |
| AE | 9.1x10^-6 | 4x10^-5 |
| SE | 9.5x10^-5 | 8x10 s |
| TE | 9.6x10^-7 | 2x10^-4 |
| Total | 1x10^-4 | 3x10^-4 |

NOTE: SHCP = Seismic Hazard Characterization Project.
APPENDIX D STAFF EVALUATION OF HAZARD CURVES FOR THE MILLSTONE SITE

D.1 SCOPE

The Millstone 3 Probabilistic Safety Study (PSS) includes an estimate of the risk associated with seismically initiated external events which is based on both the probabilistic assessment of the seismic ground motion hazard and the probabilities of structural, mechanical, and equipment failure at Millstone 3. Staff comments are based on review of the seismic hazard study completed by Dames and Moore (1983), the seismological assumptions incorporated into the fragility analysis completed by Structural Mechanics Associates (1984), the review of the NRC's consultant Lawrence Livermore National Laboratory (Jack R. Benjamin & Associates, Inc.) (NUREG/CR-4142), Northeast Utilities' responses to staff questions on the PSS, and the staff's past experience in reviewing probabilistic estimates of earthquake hazard at other nuclear plant sites. Additionally, as part of the joint Office of Nuclear Research and Office of Nuclear Reactor Regulation Seismic Hazard Characterization Program (SHCP), specific probabilistic estimates are available for the Millstone site.* They will be compared with Northeast Utilities' estimates.
D.2 METHODOLOGY

The source of the data needed to perform a probabilistic seismic hazard analysis is based largely on available earthquake catalogs. For the northeastern United States where the Millstone 3 site is located, the historical record of earthquakes is the best available for the United States, extending back about 400 years for some areas. However, knowledge of the many input parameters required for a probabilistic seismic hazard analysis is limited because in the eastern United States the causative mechanisms of earthquakes are not well known, and there exists only an extremely limited amount of instrumental strong motion recordings. This creates a fundamental problem in attempting to assess earthquake hazard, particularly from large earthquakes, thus creating large uncertainties in the final results.
The seismic hazard methodology used in the PSS is described by Cornell (1968, 1971) and McGuire (1976), and has been recently examined by Yankee Atomic Electric Company (Weston Geophysical Corp., 1983). The methodology used is generally state-of-the-art. Similar to the methodology developed as part of the SHCP, the hazard methodology allows for the incorporation of uncertainties and alternative hypotheses on many of the hazard input parameters. These include seismic source zonation, earthquake occurrence rates and upper magnitude cutoff, and ground motion attenuation equations and their associated uncertainty. Each of these topics will be discussed in the evaluation section (Section D.3).

* The discussion in this appendix is based on NRC's draft report, NUREG/CR-3756. The final version of the report was issued in April 1985 as Lawrence Livermore National Laboratory (LLNL) report UCID-20421. The use of the final hazard curves, although somewhat lower than the draft curves, will not alter the staff recommendations.
The results, annual frequency of exceedance versus peak acceleration, of both the PSS and SHCP are shown in Figure D.1. This comparison shows that a large divergence exists between the two sets of results. As discussed in subsequent sections of this evaluation, the staff currently judges that the SHCP results for Millstone are likely to be reduced somewhat as a result of both expert panel feedback changes and peer review comments. Additionally, it is the staff's judgment that Northeast Utilities' hazard results represent a lower bound for this evaluation. This conclusion is based on staff judgment that weights assigned by Northeast Utilities' consultant, Dames and Moore, to some hazard input equations are not appropriate, and that more appropriate weights would systematically increase their hazard estimates.
The staff has presented core melt frequency and risk estimates calculated using both the PSS and the SHCP hazard results. The specific numerical results attained from using these two hazard estimates represent low and high estimates of core melt frequency and risk, respectively. This is not to say that hazard estimates by other experts will always fall in this range, as they may not; but, based on the information that the staff has available to date, it is the staff's judgment that the seismic hazard is within the range represented by the PSS and SHCP results.
D.3 EVALUATION

D.3.1 Seismic Zonation

The staff finds that the zones presented by Northeast Utilities' consultant (Dames and Moore) are reasonable. Eight different sets of seismogenic zones were used; each had a subjective weight assigned to it. In general, the zones producing both the highest and lowest hazard have lower subjective weights, reflecting the more speculative nature of these models. Dames and Moore presented sensitivity results showing the hazards associated with each zone. These results show that the hazards associated with the highest weighted zones are spread within about a factor of two to three compared with the total spread between zones of eight to ten. This would suggest that the hazard results are not very sensitive to the subjective weights assigned to the different zones unless large changes to the weights are made. Information compiled as part of the SHCP shows zonation for the northeastern United States that both overlaps and differs with that of Dames and Moore. However, it is the staff's judgment that the SHCP zonation, although somewhat different, does not contradict the subjective weights assigned by Dames and Moore on zonation.
D.3.2 Seismicity Parameters

Dames and Moore calculated specific seismicity parameters using the available data from earthquake catalogs for each seismic source zone. The upper magnitude cutoff was generally selected assuming a 33% chance of being either (1) equal to the maximum historic earthquake, (2) equal to one-half magnitude larger than the maximum historic earthquake, or (3) equal to one magnitude larger than the maximum historic earthquake.

Regarding the upper magnitude cutoff, the staff finds that the values assumed are generally adequate, although a weight of about 33% being equal to the maximum historic earthquake may be overoptimistic considering the short history of seismicity. The upper magnitude cutoffs assumed for the host zones do not differ substantially from those compiled as part of the SHCP, and they reflect uncertainty by assuming a variety of sizes. The upper magnitude cutoff is a source of significant parameter uncertainty, and it is likely that substantial advances in understanding earthquake causality may be needed to significantly improve the picture.
The seismic activity rates (a-value) and proportion of larger events to smaller events (b-value) were calculated for each zone. One critical assumption made by Dames and Moore is that the magnitude of events in the earthquake catalog can be estimated using two epicentral intensity-to-magnitude relationships, each subjectively weighted by 50%. As noted in the staff's questions to Northeast Utilities, the validity of one of these equations is uncertain. As shown in a sensitivity study by Northeast Utilities, the use of this equation produces hazard curves systematically lower (factor of 1.5 to 2.0) than the alternate epicentral intensity-to-magnitude relationship.
In response to staff questions, Northeast Utilities stated that the data from New England do not allow differentiation between the two epicentral intensity-to-magnitude equations and thus both should be weighted equally. The staff does not agree with this conclusion primarily because the equation in question assigns a modified Mercalli intensity (MMI) of about II-III for a magnitude of 2.0, when in fact a large percentage of magnitude 2.0 events are not felt. Although agreeing with Dames and Moore that this issue needs further work and clarification, the staff considers that the weight assigned to the equation in question should be substantially lower than 0.50. This difference is one reason that the staff would characterize the PSS hazard results as representing a low bound.
D.3.4 Ground Motion Attenuation

Dames and Moore weighted four different attenuation equations equally and assumed one value for the uncertainty in the mean for each equation. Two of the four equations used are based on the intensity attenuation relationship of Klimkiewicz (1982). As shown in a sensitivity study, the two attenuation equations in question produce significantly (factors of two to three) lower hazard when compared with the others assumed. When compared with the information contained in the interim report for the SHCP, attenuation functions clearly account for a large percentage of the difference shown in Figure D.1. As noted in the staff's questions to Northeast Utilities, the validity of this equation is uncertain, particularly because its use results in estimates of eastern near source ground motion (distances less than about 50 km), which is equal to or lower than that estimated for the western United States.
In response to the staff questions, Northeast Utilities stated that it finds that the Klimkiewicz (1982) intensity attenuation relationship is appropriate. The staff does not agree with Northeast Utilities that staff concerns, specifically that the data used by Klimkiewicz (1982) may be strongly influenced by intensities less than MMI=IV, have been addressed. Additionally, Weston Geophysical has noted (Weston, 1983, Vol. 1, p. 138) that this intensity attenuation model may be low for near epicentral distances. Northeast Utilities did not address staff concerns regarding that comment.
In response to staff questions, Northeast Utilities noted that several attenuation equations have been published that would predict more severe ground motion in the east compared with the west. None of these equations have been used by Northeast Utilities' consultant, Dames and Moore. Without further justification on Northeast Utilities' part, the staff must disagree with this practice.
On the basis of the above, the staff concludes that the weights on each of the two attenuation equations which rely on the Klimkiewicz (1982) relationship should be substantially lower than 0.25. This is another reason why the staff would characterize the PSS hazard results as being too low.
As shown in Figure D.1, the difference in the 50th percentile hazard curves (PSS and SHCP) gets larger as the peak acceleration increases. One factor contributing to this noted difference is the limits on peak acceleration assumed by Dames and Moore (1984, Table 4). The topic of peak acceleration truncation is difficult and controversial. There may be some merit to imposing a truncation on peak acceleration when a lognormal distribution is used because empirical data from the western United States may not fit the tails of this distribution. However, it is the staff's present judgment that the truncation assumed by Dames and Moore is too severe. For example, using the Nuttli (1983) attenuation relationship for a magnitude 6.3 earthquake, the assumed truncation eliminates ground motion values above three standard deviations for distances less than about 45 km, above two standard deviations for distances less than about 25 km, and above the median for distances less than about 5 km. In the staff's judgment, a less severe truncation is more appropriate. This would have the effect of substantially increasing the Dames and Moore hazard results for accelerations in excess of about 0.60g.
D.3.5 Northeast Utilities' Comments on SHCP Results

As requested by the staff, Northeast Utilities has provided comments regarding the SHCP hazard results shown in Figure D.1. It is Northeast Utilities' position that the SHCP results are conservative for Millstone because (1) the lower bound magnitude (3.75) used for computations should have been higher (4.5 to 5.0), (2) attenuation relationships may not have been used consistently from site to site, adversely affecting Millstone, and (3) rates of activity used by the seismicity experts may have been assessed conservatively with respect to known seismicity.
Some of the concerns expressed above have merit and are being investigated as part of the feedback and peer review process of the SHCP. Other areas of clarification and change are also a part of the feedback process for both the seismicity and ground motion expert panels, and at this time it is not possible to quantify the specific effect for Millstone. The staff judges that the final SHCP results for Millstone are likely to be lower than those displayed in Figure D.1. An example of a modification which illustrates a potential lowering of the overall results was made by a number of the seismicity panel experts. Lawrence Livermore National Laboratory (LLNL) originally modeled the earthquake recurrence statistics provided by the seismicity experts using a distribution which under certain circumstances was not linearly decreasing with increasing size of earthquakes. This topic was discussed in detail at the feedback meeting, June 1984, and a number of experts requested that this assumption be altered. LLNL recommended that the truncated exponential distribution be used in these instances. Preliminary results of this modification indicate that the hazard curves will decrease for the experts who chose to use the truncated exponential recurrence distribution, although the specific change has yet to be quantified.
The selection of the lower bound magnitude for the hazard computations is also controversial. Dames and Moore states that damage to engineered structures and equipment is not known for earthquakes of magnitude less than about 5, regardless of the ground motions these events generate. Dames and Moore also states that the use of 3.75 for the SHCP produces conservative hazard results. Opinions vary regarding this topic. In general, the use of a magnitude 4.5 to 5.0 for the lower bound with respect to large ductile structures may be more appropriate. However, if any component is thought to be sensitive to shorter duration, high frequency ground motion, and thought to be an important contributor to risk, then a smaller lower bound may be more appropriate. Dames and Moore ran a sensitivity test showing the effect of increasing the lower bound from 3.75 to 4.5. For accelerations near 0.20g, the hazard would decrease by a factor of 1.5 to 2.0; this decrease would be less than 1.5 for accelerations in excess of 0.4g. The staff does not find these differences significant when compared with the hazard differences displayed in Figure D.1, particularly at accelerations in excess of 0.4g.
Other modifications may also affect the results, particularly the uncertainty characterization. What this means is that the spread between the 15th and 85th percentile hazard curves is likely to decrease more than any absolute change in the 50th percentile hazard curve. It is for these reasons that specific numerical results using the SHCP hazard curves shown in Figure D.1 should be portrayed as representing high estimates of core melt and fatalities.
D.3.6 Seismological Assumptions Incorporated Into Fragility Analysis

Structural Mechanics Associates (SMA) provided updated seismic fragilities of structures and components for the Millstone PSS (SMA, 1984). Critical seismological assumptions utilized in this process include the following:

(1) A site-specific spectral shape for a magnitude 5.8 earthquake is adequate to assess the original design spectra.

(2) The value of CD (discussed more fully below) selected to calculate the effective ductility is appropriate for seismic events contributing to the seismic hazard and appropriate for the specific structure and components at Millstone.

(3) An estimated peak velocity of 28 inches per second per unit ground acceleration is adequate to assess sliding-induced failure capacity.
As reported by Dames and Moore (1984) for accelerations around 0.17g, magnitudes around 5.3 to 6.3 dominate the hazard. This appears to have strongly influenced SMA in its selection of the spectral shape and the factor CD. In reviewing the actual median capacities of structures and components (PSS, Table 2.5.1-IA), it is clear that accelerations in excess of 0.17g are important, and thus the sizes of earthquakes contributing to these large accelerations may be significantly larger than 5.3 to 6.3. Thus, the validity of the spectral shape selection and the assumed value of CD=1.3, which is a magnitude-dependent factor (discussed below), have been questioned by the staff. One additional key piece of information is that the fundamental frequencies of structures are generally 5.5 Hz and greater and that the scale factors calculated by SMA used to estimate CD may be frequency dependent (see discussion below).
In terms of the site-specific spectral shape assumed, if a larger average magnitude was used, a broader band spectral shape would result. However, this may not be significant for the Millstone 3 site because the structural frequencies are high enough so that the large magnitude normalized spectral shape would be about equivalent to that assumed. The acceleration portion (frequencies above about 5 to 10 Hz) of the spectral shape assumed is thus judged to be appropriate. The spectral shape assumed is nonconservative for frequencies less than about 4 Hz for larger magnitude earthquakes contributing to the hazard, but these frequencies appear to have little significance at the Millstone 3 site.
SMA (1984) has tabulated response spectra scale factors used to calculate a factor CD, which determines the effective ductility for four different structural frequencies and two different magnitude ranges. This adjustment to the ductility is based on recent work by SMA (NUREG/CR-3805) where the ductility factor from nonlinear time history analysis is compared with that calculated using the Riddell-Newmark method (Riddell and Newmark, 1979). CD adjusts the ductility ("effective ductility") so that the ductility factor from the Riddell-Newmark method is more accurately predicted. They selected CD=1.3 based on the scale factors for four frequencies (2, 3, 5, and 8 Hz) and the lower magnitude range (4.5 to 6.0).
In response to a staff question, Northeast Utilities stated that earthquakes in the magnitude range of 5.3 to 6.3 dominate the hazard even for ground motions as large as 0.6g and higher, and that CD is considered to be frequency independent. Northeast Utilities has used a magnitude 5.8 to represent this range.
The staff questions the validity of the above conclusion and has requested specific documentation of Northeast Utilities' response. The staff also notes that the magnitude range of 5.3 to 6.3 represents the mb magnitude scale. An mb=6.3 is equal to an Ms=6.9 to 7.0 using the relationship of Nuttli (1983).
The magnitudes of events used in NUREG/CR-3805 to assess the factor CD were divided into two ranges in the Millstone PSS (SMA, 1984). It is the staff's position that these ranges are more representative of the Ms magnitude scale, and that for the Millstone PSS, a CD=0.70 based on the higher (rather than the lower) magnitude range should have been used.
One of NRC's consultants, John Reed (Jack R. Benjamin & Associates, Inc.), has stated that "based on a preliminary assessment, we observe that depending on the natural frequency of the structure, CD will vary at low frequencies, from a value greater than 1.0, implying greater effective ductility, to less than 1.0, or less effective ductility, for higher frequency structures. This observation is independent of both magnitude and ductility ratio." The potential dependence (or independence) of CD on frequency is very complex and has not been adequately demonstrated by Northeast Utilities. Additionally, on the basis of the NRC consultant's and the staff's review, it appears as if the variability of CD is large, for the time histories that SMA has used. It appears as if CD might be lower if the scale factors for 5.3 or 8.5 Hz (the most important frequencies for the Millstone 3) were used.
As a result, the staff recommends that the factor CD be reduced from 1.3 to 0.70. This value is more appropriate for the larger earthquakes contributing to the hazard. To reiterate, the variability in CD is large. Thus, CD=0.70 should be viewed as a best estimate, not a limiting estimate. Table D.1 lists the revised fragilities wherein the staff has reduced the inelastic absorption factor in the SMA analysis. The staff recommends that these fragilities be used to calculate both core melt frequency and risk.
Additionally, work is needed to document the frequency dependency of the inelastic energy absorption factor in more detail.
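The effect of the staff's fragility changes can be illustrated with the containment crane wall values from Table C.5. This is an added example, not code from the report or from SMA: it assumes a lognormal fragility curve defined by the median capacity and composite logarithmic standard deviation, and it uses a constructed power-law hazard curve (`constructed_hazard`, with made-up parameters `k0` and `slope`) rather than the PSS or SHCP curves.

```python
import math

# Containment crane wall fragility parameters from Table C.5:
# (median ground acceleration capacity in g, composite log standard deviation)
STAFF = (1.82, 0.50)
NORTHEAST_UTILITIES = (2.20, 0.54)


def failure_probability(accel_g, median_g, beta_c):
    """Conditional failure probability at peak ground acceleration accel_g.

    Assumption of this example: the fragility curve is lognormal, so the
    probability is the standard normal CDF of ln(accel/median)/beta_c.
    """
    if accel_g <= 0.0:
        return 0.0
    z = math.log(accel_g / median_g) / beta_c
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def constructed_hazard(accel_g, k0=1.0e-6, slope=3.0):
    """Constructed hazard curve (not from the report): annual frequency of
    exceeding accel_g, modeled as the power law k0 * accel_g**(-slope)."""
    return k0 * accel_g ** (-slope)


def failure_frequency(median_g, beta_c, hazard=constructed_hazard,
                      a_min=0.05, a_max=10.0, bins=2000):
    """Annual failure frequency: sum over acceleration bins of
    (frequency of ground motion falling in the bin) x (failure probability
    at the bin's geometric midpoint). Bins are logarithmically spaced."""
    ratio = (a_max / a_min) ** (1.0 / bins)
    total = 0.0
    lo = a_min
    for _ in range(bins):
        hi = lo * ratio
        occurrence = hazard(lo) - hazard(hi)  # events per year in [lo, hi)
        midpoint = math.sqrt(lo * hi)
        total += occurrence * failure_probability(midpoint, median_g, beta_c)
        lo = hi
    return total


def closed_form_frequency(median_g, beta_c, k0=1.0e-6, slope=3.0):
    """Analytic result for a power-law hazard and a lognormal fragility,
    used here to check the numerical sum."""
    return k0 * median_g ** (-slope) * math.exp(0.5 * (slope * beta_c) ** 2)


if __name__ == "__main__":
    for name, params in (("Staff", STAFF),
                         ("Northeast Utilities", NORTHEAST_UTILITIES)):
        print(f"{name}: P(fail | 1.0g) = {failure_probability(1.0, *params):.3f}, "
              f"frequency = {failure_frequency(*params):.2e} per year")
```

With this constructed hazard curve, the staff's lower median capacity raises the computed failure frequency to about 1.5 times the value obtained with the Northeast Utilities parameters; the absolute frequencies carry no meaning for Millstone.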
The validity of using 28 inches per second per unit ground acceleration (in./sec/g) for the peak velocity over peak acceleration ratio has also been questioned by both the NRC and its consultant (Jack R. Benjamin & Associates, Inc.). This value is based on limited strong motion data for the western United States. NUREG/CR-0098 recommends a value of 36 in./sec/g for rock and 48 in./sec/g for soil. The direct estimates for the Millstone site contained in the SHCP are also 35 to 45% larger than the value of 28 used. The value of 28 in./sec/g may also be nonconservative considering ground motion attenuation differences between the eastern and western United States and the fact that the contribution to the seismic hazard may be the result of large magnitude earthquakes. Additionally, the size of earthquakes contributing to the acceleration portion of the response spectra may be different from those contributing to the velocity portion of the response spectra. Northeast Utilities has not specifically determined that this may be the case for the Millstone 3 site and has stated in a response to a staff question that 28 in./sec/g is conservative. Although it is current staff judgment that the factors of safety calculated for sliding-induced failure models are likely to be overestimated because the ground motion assumption of 28 in./sec/g is a nonconservative best estimate, preliminary results of a sensitivity test performed by Northeast Utilities appear to indicate that core melt frequency is not sensitive to this assumption.
D.4 CONCLUSION

The methodology used in the PSS to estimate the seismic hazard is adequate and the approach is well established. It has been used before to define hazard input for other probabilistic risk assessments. Although Northeast Utilities' consultants used their best judgment in defining the different parameters used in the hazard and fragility models, the staff has concerns regarding the choice of several of the parameters and their effect on calculated hazard. They are:

(1) One of the magnitude-to-epicentral-intensity equations used by Dames and Moore defines too small a magnitude for lower intensities and produces systematically lower hazard.

(2) The use of the intensity attenuation equation of Klimkiewicz (1982) underpredicts near source ground motion and produces systematically lower hazard.

(3) The use of a magnitude range of 5.3 to 6.3 to represent the earthquakes that contribute the highest proportion to the seismic hazard may be incorrect for accelerations in excess of about 0.50g which appear to control core melt frequency. Thus, the value of CD used to calculate effective ductility is overestimated by not taking into account these larger earthquakes. Additionally, Northeast Utilities has not adequately demonstrated that CD is frequency independent. The staff recommends that CD=0.70 be used to calculate fragilities. Table D.1 lists the three structural fragilities impacted by this change.

As shown in Figure D.1, seismic hazard curves are available for the Millstone site as part of the SHCP. These curves (SHCP) are preliminary in nature because the feedback process with the expert panels, who gave the necessary input, has not been assessed yet. However, the staff currently recommends that these curves, along with those of Northeast Utilities, be used as a representative range of hazard and its uncertainties. The specific numerical results attained by using these two hazard estimates represent low and high estimates of core melt frequency and risk. This is not to say that hazard estimates by other experts will always fall in this range, as they may not; but, on the basis of the information that the staff has available, the seismic hazard is judged to be within the range represented by the PSS and SHCP results.
D.5 REFERENCES

Cornell, C. A., "Engineering Seismic Risk Analysis," Bulletin of the Seismological Society of America, Vol. 58, pp. 1583-1606, 1968.

-- , "Probabilistic Analysis of Damage to Structures Under Seismic Load," in D. P. Howells, I. P. Haigh, and C. Taylor, Editors, Dynamic Waves in Civil Engineering, Wiley Interscience, London, 1971.

Dames and Moore, "Seismic Hazard and Design Spectra At Millstone Nuclear Power Plant Unit 3," October 1983.

-- , "Sensitivity of Seismic Hazard Results at Millstone to LLNL Study Assumptions on Attenuation and Seismicity," June 1984.

Klimkiewicz, G., "Reassessment of Ground Motion Attenuation Models for the Northeast," Earthquake Notes, Vol. 53, No. 3, Eastern Sections, Seismological Society of America, 1982.

Lawrence Livermore National Laboratory, UCID-20421, "Seismic Hazard Characterization of the Eastern United States: Methodology and Interim Results for Ten Sites," April 1985.

McGuire, R. K., "Fortran Computer Program for Seismic Risk Analysis," U.S. Geological Survey, Open-File Report 76-67, 1976.

Nuttli, O. W., "Average Seismic Source-Parameter Relations for Mid-Plate Earthquakes," Bulletin of the Seismological Society of America, Vol. 73, p. 519, 1983.

Riddell, R., and Newmark, N., UILU79-2016, "Statistical Analysis of the Response of Non-Linear Systems Subjected to Earthquakes," Department of Civil Engineering, Urbana, Illinois, August 1979.

Structural Mechanics Associates, Report No. SMA 20601.04-R1-0, "Seismic Fragilities of Structures and Components at the Millstone 3 Nuclear Power Station," D. A. Wesley et al., 1984.

U.S. Nuclear Regulatory Commission, NUREG/CR-0098, "Development of Criteria for Seismic Review of Selected Nuclear Power Plants," N. M. Newmark and W. J. Hall, Consulting Engineering Services, June 1978.

-- , NUREG/CR-3756, "Seismic Hazard Characterization of the Eastern United States: Methodology and Interim Results for Ten Sites," draft report, D. L. Bernreuter et al., Lawrence Livermore National Laboratory, April 1984.

-- , NUREG/CR-3805, "Engineering Characterization of Ground Motion. Task I: Effects of Characteristics of Free-Field Motion on Structural Response," R. P. Kennedy et al., Structural Mechanics Associates, May 1984.

-- , NUREG/CR-4142, "A Review of the Millstone 3 Probabilistic Safety Study," A. Garcia et al., Lawrence Livermore National Laboratory, April 1986.

Weston Geophysical Corp., "Seismological and Geological Studies, Miramichi Area, New Brunswick and Central New Hampshire," prepared for Yankee Atomic Electric Company, Maine Yankee Atomic Power Company, Public Service Company of New Hampshire, Vermont Nuclear Power Corporation, 2 volumes, 1983.
[Figure D.1 Comparison of Northeast Utilities (PSS) and Seismic Hazard Characterization Project (SHCP) hazard curves. Plot title: Millstone 3. Horizontal axis: Peak Acceleration (cm/sec2), 0 to 600. Vertical axis: logarithmic, 10-6 to 10-3. Curves labeled 15, 16, 50, 84, and 85 Fractile.]
Table D.1 Revised fragilities (in gs)

Structure | Median | β_c | β_u | β_r |
---|---|---|---|---|
Containment crane wall | 1.82 | 0.50 | 0.36 | 0.35 |
Auxiliary shear wall | 1.15 | 0.32 | 0.38 | 0.50 |
Pumphouse shear wall | 1.31 | 0.43 | 0.31 | 0.28 |
BIBLIOGRAPHIC DATA SHEET

Report number: NUREG-1152
Title and subtitle: Millstone 3 Risk Evaluation Report: An Overall Review and Evaluation of the Millstone Unit 3 Probabilistic Safety Study
Authors: Glenn Kelly, Richard Barrett, Arthur Buslik
Date report completed: August 1985
Date report issued: June 1986
Performing organization name and mailing address: Division of Safety Review and Oversight, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 20555
Sponsoring organization name and mailing address: See above

Abstract:
In 1981, the U.S. Nuclear Regulatory Commission (NRC) requested Northeast Utilities to perform a design-specific probabilistic safety study (PSS) for Millstone Nuclear Power Station, Unit No. 3 (Millstone 3). In 1983, Northeast Utilities submitted the Millstone 3 Probabilistic Safety Study (PSS) for review by the NRC staff. The NRC staff prepared the Millstone 3 Risk Evaluation Report, which discusses the findings regarding the PSS. The PSS estimates that the mean annual core damage frequency due to internal and external events is 5x10 and 2x10-, respectively.
The NRC staff's Risk Evaluation Report estimates that the mean annual core damage frequency is about 2x10- for internal events and lies between 1x10- and 2x10- for external events. The NRC staff estimates that station blackout dominates internal and external event core damage frequencies. The staff recommends that Northeast Utilities perform an engineering analysis on upgrading the diesel generator lube oil cooler anchorage system and on adding a manually operated, AC-independent containment spray system. The staff also recommends that Northeast Utilities prepare two emergency procedures (loss of room cooling and relay chatter due to an earthquake) to help reduce uncertainties.

Keywords/descriptors: PRA, Probabilistic Risk Assessment, Probabilistic Safety Study, core melt frequency, consequence analysis, containment performance, external events, internal events, Millstone 3, risk, station blackout
Availability statement: unlimited
Security classification: unclassified