ML20211N632

Forwards Results of NRC Review of Util Re Facility Blackout Core Melt Frequency. USI A-44 & Generic Issue 23 Re Station Blackout Remains Largest Contributor to Mean Core Damage Frequency in Probabilistic Safety Study
ML20211N632
Person / Time
Site: Millstone
Issue date: 02/10/1987
From: Harold Denton
Office of Nuclear Reactor Regulation
To: Mroczka E
NORTHEAST NUCLEAR ENERGY CO.
References
REF-GTECI-023, REF-GTECI-A-44, REF-GTECI-EL, REF-GTECI-NI, TASK-023, TASK-23, TASK-A-44, TASK-OR NUDOCS 8703020159


Text

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

Docket No.: 50-4?3

Mr. E. J. Mroczka
Senior Vice President
Nuclear Engineering and Operations
Northeast Nuclear Energy Company
Post Office Box 270
Hartford, CT 06141-0270

Dear Mr. Mroczka:

SUBJECT: MILLSTONE NUCLEAR POWER STATION, UNIT 3 STATION BLACKOUT

In Reference 1 the NRC staff requested, pursuant to 10 CFR 50.54(f), that within 30 days Northeast Nuclear Energy Company (NNECO) furnish an evaluation of the staff's analysis and conclusions regarding the risk of a station blackout at Millstone Unit 3. NNECO, in Reference 2, requested an additional 60 days (until March 18, 1986) in which to respond. In Reference 3 the staff granted NNECO's request for an extension and on March 18, 1986 (Reference 4), you transmitted the results of your evaluation of the staff's analysis and conclusions regarding the risks associated with station blackout at Millstone 3. In that letter you concluded that this issue does not warrant immediate and individual action on the Millstone 3 docket in advance of thorough and deliberate generic resolution of this issue in the context of Unresolved Safety Issue (USI) A-44 and Generic Issue 23.

The NRC staff has completed its review of the information contained in your March 18, 1986 letter. Specifically, the staff has reevaluated Millstone 3 station blackout core melt frequency based on your comments, and has determined that station blackout remains the largest contributor to mean core damage frequency of Millstone 3 in the Millstone 3 Probabilistic Safety Study.

The results of the staff's review are contained in the risk evaluation previously prepared and included as Enclosure 1.

Accordingly, in order to reduce the apparent large contribution to risk due to station blackout, the following backfit actions have been identified for implementation at Millstone 3.

1. Propose an appropriate license amendment, consistent with Station Procedures AOP 3560, Severe Weather Conditions and ONP 514A, Natural Occurrences to require cooldown of the reactor when the approach of a hurricane or another event with the potential for disrupting offsite power is anticipated.

2. Review procedures for ensuring high reliability of the diesel generators, and propose improvements if and where appropriate.

3. Specify in the station emergency procedures the DC loads to be shed following a station blackout and review other procedures for extending the period during which the plant can be maintained in a safe condition following a station blackout.

4. Perform a thorough walkthrough of the upgraded station blackout procedures. Give special attention to the procedure for manual operation of the SG atmospheric dump valves, the procedure for manual operation of the steam admission valve for the auxiliary feedwater system, and verification of the depletion time of the batteries used for emergency lighting.

The Regulatory Analysis performed and included as Enclosure 2 to this letter demonstrates the need to implement these four actions at Millstone 3. Please provide your schedule for implementation of these actions within 30 days of the date of this letter.

Action regarding installation of an additional emergency generator and other more costly fixes considered in the December 18, 1985 Regulatory Analysis are being held in abeyance pending resolution of USI A-44.

Should you wish to appeal the NRC position regarding this backfit you may do so by writing to the Director, NRR with a copy to the Executive Director for Operations. Specific information concerning the appeal process to modify or withdraw a proposed backfit is contained in NRC Manual Chapter 0514, "NRC Program for Management of Plant Specific Backfitting at Operating Power Plants."

Sincerely,

Harold R. Denton, Director
Office of Nuclear Reactor Regulation

Enclosures:
As stated


SEE PREVIOUS CONCURRENCE
DIR:PD 5 AD:PWR-A NRR:DD DIR:NRR
EDoolittle:ss VNoon TNovak RVollmer PRDenton
12/8486 12 12/ /86 12/ /86 12/ /86

DISTRIBUTION

NRC PDR, LPDR, TNovak, PD#5 R/F, JPartlow, EJordan, BGrimes, EDoolittle, 11Rushbrook, ACRS (10), GKelly, A0c514K, TSpeis, ARubin, EDO, HRDenton/RVollmer

REFERENCES

1. Letter from H. R. Denton to J. F. Opeka, dated December 18, 1985

2. Letter from J. F. Opeka to H. R. Denton, dated December 26, 1986

3. Letter from T. M. Novak to J. F. Opeka, dated January 13, 1986

4. Letter from J. F. Opeka to H. R. Denton, dated March 18, 1986

ENCLOSURE 1

MILLSTONE NUCLEAR POWER STATION UNIT NO. 3
STATION BLACKOUT CORE MELT FREQUENCY
RISK EVALUATION

RISK EVALUATION STATION BLACKOUT CORE MELT FREQUENCY AT MILLSTONE UNIT 3

1.0 INTRODUCTION

The draft risk evaluation report (ref. 1, NUREG-1152, draft)* on the review of the Millstone 3 Probabilistic Safety Study found that station blackout was the most dominant contributor to the core damage frequency from internal events. On the basis of this conclusion, coupled with the Hurricane Gloria loss of offsite power event, the NRC staff requested (ref. 2), pursuant to 10CFR50.54(f), that Northeast Utilities (NU) furnish an evaluation of the staff's analysis and conclusions regarding the risk of a station blackout at Millstone Unit No. 3. NU submitted its evaluation, and its own station blackout assessment, in ref. 3, dated March 18, 1986.

The present report provides the Reliability and Risk Assessment Branch's reply to NU's submittal, and describes our re-evaluation of the station blackout induced core melt frequency at Millstone-3. This report is limited to consideration of internal events only, and addresses only the core melt frequency, not the risk. The NU station blackout assessment, ref. 3, also did not address risk.

We note that, for Surry, which, like Millstone-3, has a subatmospheric containment, the preliminary SARRP risk analysis for NUREG-1150 shows large uncertainties in conditional consequences, given a core melt. While the uncertainties are due to a number of factors, the dominant factor is direct heating failure of containment for high pressure core melt sequences. The conditional probability of early containment failure ranges from 1% to 55% with a mean value of about 20%, and a median value of about 10%. In contrast, the staff evaluation of the Millstone-3 PRA assigned a 3% probability to a large scale fission product release.

We have earlier, in ref. 4, presented an interim summary of our conclusions. In this summary, our base case estimate of the core melt frequency from station blackout sequences was 8E-5/yr; in the present report this estimate is modified slightly to 9E-5/yr. The difference is a more careful treatment of the contribution of the sequence consisting of station blackout, failure of the turbine-driven auxiliary feedwater pump, and failure to recover before core uncovery (call this sequence TMLB). We also reported the base case estimate of NU as 2.5E-6/yr, and noted that this did not include the contribution of the TMLB sequence. We estimated that, with the TMLB sequence included, the station-blackout core melt frequency would be 5E-6/yr, using NU data. We have revised this estimate to 3E-6/yr, in the present report. The primary reason for our previous overestimate, when NU data is used, is that we overestimated the contribution of the TMLB sequence. Secondarily, we have now corrected the NU model for an error (see Section 4.2) which tends to overestimate the station blackout core melt frequency.

* The final revision of NUREG 1152 was published in June 1986.

In this report, we will use the term "grace time" to denote the duration of station blackout which the plant can withstand without core melt. The terms "station blackout duration capability" and "coping time" have also been used for this concept, in other documents.

The model developed for NUREG-1152 takes into account both diesel generator failure to start and failure to run (i.e., failure during operation). Common mode failure to start and common mode failure to run are included. Repair of diesel generators, and recovery of offsite power is included. Limitations on grace time (station blackout duration capability) from battery depletion and reactor coolant pump seal leaks were considered.

In the present report, we retain the same basic model as in NUREG-1152, but have made some changes. In particular, we follow NU in no longer treating the grace time as a function of the time after the loss-of-offsite power that the station blackout occurs. Moreover, we also follow NU in treating the grace time as a random variable. These changes are discussed in detail in the body of the report.

In addition to these changes in the model, we have also made changes in the data used, compared to the data we used in NUREG-1152 (draft). The most important of these differences is in the curve of frequency of loss of offsite power as a function of duration of the loss. Our present curve lies higher than our previous curve.

We agree with some of NU's comments, and disagree with others. These points of agreement and disagreement are discussed throughout the report.

Section 2 of this report discusses physical considerations, including the determination of the grace time probability distribution. Section 3 discusses the data used, including that for the diesel generators and for the frequency of losses of offsite power of various durations. Section 4 discusses aspects of the mathematical model. Section 5 discusses the results of the re-evaluation. Section 6 is a summary. Section 7 gives the references. Appendix A is a glossary of symbols used in NUREG-1152 (draft), ref. 1.

2.0 PHYSICAL CONSIDERATIONS

2.1 RCS Cooldown below 400°F

We previously, in NUREG-1152 (draft), assumed that if station blackout occurred 4 or more hours after the loss of offsite power, that the reactor coolant system would be cooled below 400 F in 4.5 hours after the loss of offsite power trip. That is to say, if some emergency electric power were available after the loss of offsite power trip, the operator would begin a cooldown of the primary system at some point after the trip. We had assumed that this cooldown would begin at two hours after the trip. The reason for choosing two hours was that the reactor coolant pumps (RCP) were unavailable, and two hours after unavailability of the reactor coolant pumps, it is our understanding that the operator would begin a cooldown.

If the reactor coolant system were cooled below 400 F by one half hour after the station blackout occurred, we assumed that the reactor coolant pump seal LOCA would not occur. We did not assume that this cooldown could occur under station blackout conditions. The assumption did not affect the contribution to the core melt frequency associated with the failure to start of both diesel generators, but only affected those terms involving failure to run of a diesel generator. Since the cooldown occurs while at least one diesel generator is available, in general a charging pump is available, and it would be possible to borate the reactor coolant system and maintain pressure control while cooling down the primary.

Northeast Utilities, in ref. 3, seemed to misunderstand the nature of the assumption, and thought it applied to station blackout conditions. Its purpose was not this, but to take credit for the fact that reactor coolant pump seal failure may be delayed, for those cases where reactor coolant system cooldown can take place between the time of the loss of offsite power trip and the onset of station blackout. If the reactor coolant pump seal failure is delayed sufficiently, then other factors may control the grace time, such as the battery depletion time. In our base case, we had assumed a battery depletion time of 3 hours.

However, now that less stringent assumptions on battery depletion times are being made, it may be less appropriate to take such credit. Moreover, taking such credit implies that the plant operating procedures for loss of offsite power events are consistent with it, and these procedures evidently are not. In addition, there is an admitted uncertainty in the amount of benefit to give for delayed seal failure if the reactor coolant system temperature is reduced to 400 F. We therefore follow NU by removing this assumption.

2.2 Probability Distribution for Core Uncovery from Pump Seal LOCA

Northeast Utilities objected to our assumption of a one hour core uncovery time from a 300 gpm leak, and we concur that because of the depressurization of the reactor coolant system from the leak, core uncovery would not occur before 2 hours after the onset of the leak. However, we note that the maximum leak possible from a RCP seal LOCA is 480 gpm, according to Westinghouse calculations (ref. 5), and in this case core uncovery would take place in not much over an hour.

Northeast Utilities, in appendix D to ref. 3, states that with failures of critical O-rings in the No. 1 and No. 2 seals of a reactor coolant pump, the leak rate is 175 gpm. No mention of the No. 3 seal is made, but evidently no credit is given for this seal. The Westinghouse report, WCAP-10541 (rev. 1), ref. 5, indicates (see Fig. 10-3) that there is an 87.5% probability of either the No. 3 seal failing, or the critical O-rings in this seal failing, given failure of the O-rings in the other two seals.

For the case of failure of the O-rings associated with the No. 1 and No. 2 seals, and failure of either the No. 3 O-rings or the No. 3 seal itself, we do not accept the assertion that the leak rate is 175 gpm, but believe that 350 gpm is a more reasonable estimate.

The reason for our rejection of the 175 gpm leak rate estimate is that this estimate appears to be based on an additivity of flow rate model used in chapter 10 of WCAP-10541 (rev. 1), ref. 5. According to this model, a flow rate w_i is associated with the failure of the ith individual seal stage. The total flow rate for a combination of seals failed consists of the sum of the w_i associated with the failed seals and a flow rate w_0 associated with the case where no seals are failed. This model has no theoretical basis.

If an O-ring is failed, and not a seal, the model states that instead of adding a term w_i for that seal, one adds a term f*w_i, where f is a factor obtained from a thermal-hydraulic analysis for the case of failure of the No. 1 seal O-rings, all other seals and O-rings intact. Thus, if all three O-rings fail, the leak rate is given by this model as

w = w_0 + f*(w_1 + w_2 + w_3)

This model gives about 175 gpm for failure of all three sets of O-rings. However, with equal plausibility, one could estimate the flow rate with all three seals failed as w_0 + f*(w_t - w_0), where w_t is the flow rate of 480 gpm obtained when all three seals are failed. This yields about 350 gpm. Neither model is a reliable calculation of the flow rate, but the 350 gpm value at least does not make the additivity of flow rate assumption. We therefore believe that the 175 gpm flow rate estimate for the case where all three O-rings are failed is an underestimate.

We do not accept the statement made in Appendix D of ref. 3 that the probability of O-ring extrusion is conservatively estimated by a uniform rate function over the period of 2 to 12 hours. The AECL report, NUREG/CR-4077 (ref. 6), states that the elastomers currently used in Westinghouse pumps (elastomer material E515-80) typically fail in the two to four hour range, and this appears to be our best estimate.

It appears that NU used this assumption of a uniform rate function over the period of 2 to 12 hours to justify the 50% probability of failure of the No. 1 seal O-rings, and the (independent) 50% probability of failure of the No. 2 seal O-rings. This probability of failure is a time dependent function, but the probabilities used by NU for failure of the No. 1 and No. 2 seals could be underestimates, given the results of the AECL tests.

On the other hand, the actual grace time distribution used by NU did not take credit for depressurization and cooldown of the reactor coolant system in estimating the time to core uncovery for a particular size leak, and this is a conservative assumption tending to counterbalance the underestimate in the leak rate when the primary system is at full pressure. In addition, depressurization and cooldown of the primary system will reduce the probability of a seal leak caused by elastomer failure.

We have an additional concern with the calculation of the probabilities of the various leak rates. The fluid passing through the No. 2 seal may be close to saturation, and under these conditions the seal may become unstable and "pop open". This changes the back pressure on seal No. 1 and may result in this seal also popping open, with the result that a large leak on the order of 350 gpm may occur. This concern has been raised by Charles Kittmer and others from AECL in a meeting on June 10, 1986 at the NRC. Although the No. 2 seal did not behave in this fashion in the French reactor coolant pump seal tests reported in WCAP-10541 (rev. 1), it is our understanding that the balance ratio for the 7 inch seals used in the French tests is more favorable than the balance ratio for the 8 inch seals, so that the No. 2 seal may not pop open in the French tests, but that the No. 2 seal in a Westinghouse RCP used in this country may pop open under station blackout conditions.

We estimate that the probability distribution used by NU for time to core uncovery from a reactor coolant pump seal LOCA is a reasonable estimate, provided credit can be given for depressurization and cooldown of the primary system during station blackout, and provided the concern about the No. 2 seal popping open can be resolved. Given these provisos, we believe that the nonconservative assumptions made by NU are about canceled by the neglect of credit for depressurization and cooldown.

We have provisionally accepted this capability of operator initiated cooldown and depressurization. However, we have some doubts as to this capability. We do not know how the steam generator (SG) atmospheric dump valves are operated under station blackout conditions. Compressed air does not appear to be useable for depressurizing the steam generator secondary side, under station blackout conditions; there does not appear to be any way of manually operating the atmospheric dump valves from the control room.

Local manual operation of the atmospheric dump valves is possible, but we are unaware of the procedures for this. The station blackout procedures for Millstone-3 (EOP 35, ECA-0.0, rev. 1) state (step 16b) that steam should be manually dumped, and, that failing, the steam should be dumped locally. But manually operating the SG atmospheric dump valves from the control room does not appear possible, so that the procedures appear deficient. The procedures also state that, failing manual operation of the SG atmospheric dump valves from the control room, they should be operated manually. This is in accordance with the Westinghouse Emergency Response Guideline for loss of all AC power (ECA 0.0, HP-Rev. 1, Sept. 1, 1983). However, these guidelines also state that at this point the plant specific means for local operation of the SG atmospheric dump valves should be inserted, and this has not been done in the Millstone-3 procedures.

The detailed procedures for local manual operation of the SG atmospheric dump valves must address the issue of communication between the control room and the SG atmospheric dump valves.

It would be desirable to have a test of these procedures.

For example, the use of walkie-talkies may interfere with the instrumentation.

Sound powered telephones may be inadequate.

It may also be necessary to operate the steam-admission valve for the auxiliary feedwater system manually, to maintain the SG secondary side water level in the appropriate range. Here also the procedures for doing this should be made explicit, including issues of communication.


For our base case, we are assuming that the concerns about flashing of the fluid going through the No. 2 seal faces and subsequent popping open of the No. 1 and No. 2 seals will be resolved.

For our base case, our probability distribution for the (discrete) random variable describing the time to core uncovery from a reactor coolant pump seal leak is

    Time to core uncovery    Probability
    5.5 hrs                  .25
    11                       .25
    15                       .50

This is the same distribution used by NU, but we are assuming that it is valid only if cooldown and depressurization of the primary coolant system is possible.

As a sensitivity study, we will consider the case where flashing of the fluid as it passes through the No. 2 seal results in a 350 gpm leak with a 100% probability. We will also assume, for this sensitivity study, that cooldown and depressurization of the reactor coolant system is not possible, because of lack of compressed air (or exhaustion of nitrogen bottles) and because of no provision for local manual operation of the atmospheric dump valves. We assume here that the leak begins at about 2 hours after the loss of offsite power, and that core uncovery takes place in another two hours, so that the grace time is 4 hours.

2.3 Probability Distribution for Battery Depletion Time

We accept the probability distribution for the battery depletion time on the basis of ref. 7, for those batteries required for instrumentation and control. However, the licensee has not addressed emergency lighting requirements. It is our understanding that emergency lighting at Millstone-3 is on self-contained battery packs with an 8 hour capacity. If the batteries required for emergency lighting have only an 8 hour capacity, with no substantial margin, and if there is no other alternative to this emergency lighting system, then this will affect the grace time distribution, since otherwise there would be a substantial (37.5%) probability of a grace time of 11 hours or more. This will be treated as a sensitivity issue.

If the emergency lighting is non-limiting, we accept the battery depletion time probability distribution of NU. This probability distribution is given by

    Battery depletion time   Probability
    4 hrs                    .05
    8                        .45
    12                       .45
    16                       .05

2.4 Grace Time Distribution

The probability distributions for the core uncovery time from the RCP seal leak and the battery depletion time determine the probability distribution for the grace time. The grace time is a random variable which is given by

    t_g = min(t_rcp, t_battery),

where t_g is the grace time, t_rcp is the core uncovery time from an RCP leak, and t_battery is the battery depletion time. We have,

    pr{t_g > T} = pr{t_rcp > T} * pr{t_battery > T},

which follows directly from the statement that the grace time is the minimum of the core uncovery time from the reactor coolant pump seal leak and the battery depletion time.

For our base case, we obtain

    Grace time   Probability
    4 hrs        .05
    5.5          .2375
    8            .3375
    11           .125
    12           .225
    15           .025

This probability distribution differs inconsequentially from the probability distribution function used by NU. Note that we have given the probability for each individual discrete value of the grace time, while NU on page 73 of ref. 3 gives a cumulative distribution function. NU coalesced the points at 11 and 12 hours; this very likely has no significant impact on the results.

For the sensitivity case of 100% chance of a 350 gpm leak, we have a fixed grace time of 4 hours.

For the sensitivity case where emergency lighting prohibits a grace time in excess of 8 hours we obtain a probability distribution for the grace time given by

    Grace time   Probability
    4            .05
    5.5          .2375
    8            .7125

Other sensitivity calculations will be performed: a fixed grace time of 8 hours, and a case where it is assumed that there is zero probability of a RCP seal leak, perhaps because of use of qualified elastomers and resolution of the other issues concerning the reactor coolant pump seal, or because an alternative means of cooling the RCP seals is implemented (e.g., a steam-driven charging pump).
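The grace time tables of Section 2.4 can be reproduced from the two input distributions with the survival-function product given above. The following is an added example, not part of the NRC report; the function names are illustrative, the two variables are taken as independent (which the product formula requires), and the 8 hour emergency lighting limit is encoded here as a third, deterministic variable.

```python
from fractions import Fraction

# Discrete distributions from Sections 2.2 and 2.3 (hours -> probability).
T_RCP = {5.5: Fraction("0.25"), 11: Fraction("0.25"), 15: Fraction("0.50")}
T_BATTERY = {4: Fraction("0.05"), 8: Fraction("0.45"),
             12: Fraction("0.45"), 16: Fraction("0.05")}


def survival(pmf, t):
    """pr{X > t} for a discrete random variable given as {value: probability}."""
    return sum((p for x, p in pmf.items() if x > t), Fraction(0))


def min_distribution(*pmfs):
    """Distribution of min(X1, ..., Xn) for independent discrete variables.

    Uses pr{min > T} = product of pr{Xi > T}, then differences the
    survival function at each support point to recover point probabilities.
    """
    for pmf in pmfs:
        if sum(pmf.values()) != 1:
            raise ValueError("each distribution must sum to 1")
    support = sorted(set().union(*pmfs))
    result, prev = {}, Fraction(1)
    for t in support:
        s = Fraction(1)
        for pmf in pmfs:
            s *= survival(pmf, t)
        if prev > s:                 # keep only points with non-zero mass
            result[t] = prev - s
        prev = s
    return result


def base_case():
    """Grace time = min(core uncovery time, battery depletion time)."""
    return min_distribution(T_RCP, T_BATTERY)


def lighting_limited(limit_hours=8):
    """Sensitivity case: emergency lighting caps the grace time (assumed encoding)."""
    return min_distribution(T_RCP, T_BATTERY, {limit_hours: Fraction(1)})


def tail_probability(pmf, t):
    """pr{X >= t}, e.g. the chance of a grace time of 11 hours or more."""
    return sum((p for x, p in pmf.items() if x >= t), Fraction(0))


if __name__ == "__main__":
    for label, dist in (("base case", base_case()),
                        ("lighting limited", lighting_limited())):
        print(label)
        for hours, prob in dist.items():
            print(f"  {hours:>4} hrs  {float(prob):.4f}")
    print("pr{t_g >= 11 hrs} =", float(tail_probability(base_case(), 11)))
```

The 16 hour battery point drops out of the result because the longest core uncovery time is 15 hours, so the minimum can never reach it.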


3.0 DATA USED

The differences in results between NU and RRAB arise primarily from differences in the failure rates for the diesel generators, including common mode failure to start of the diesel generators, and from differences in the estimates of the frequencies of loss of offsite power of various durations.

The differences in the estimates of the frequencies of loss of offsite power are the most important, and these will be discussed first.

3.1 Frequencies of Losses of Offsite Power of Various Durations

3.1.1 Reply to NU comments

We originally used a curve of frequency of losses of offsite power of greater than a specified duration which came from an earlier draft of NUREG-1032 (before the published draft-for-comment version). This accounts for the discrepancy noted by NU (ref. 3) that our curve of frequency of loss of offsite power events exceeding a specified duration was higher than that given in NUREG-1032, draft for comment, ref. 8.

However, the occurrence of the hurricane Gloria loss of offsite power event on September 27, 1985, coupled with the hurricane Belle loss of offsite power event of August 10, 1976, indicates that the model used in ref. 8 is not applicable to the Millstone site. The probability of high winds causing loss of offsite power at Millstone is greater than at most other sites. The model in NUREG-1032, draft for comment, considers only wind speeds greater than 75 mph in estimating the contribution of high winds to the frequency of losses of offsite power; the frequency of losses of offsite power due to hurricanes and winds is modeled as .026/incident times the frequency of wind speeds greater than 75 mph. For the Millstone site, the frequency of winds exceeding 75 mph is about .03/yr (ref. 9, data for New London site), so that the NUREG-1032 model would predict a frequency of losses of offsite power from severe winds of .026 x .03/yr, or 8E-4/yr. Yet, because of the problem of salt spray on insulators, the Millstone site has lost power twice in fifteen years from wind-related causes, an observed frequency of .133/yr, which is a factor of 170 higher than predicted by the NUREG-1032, draft for comment.

=_-_ __ -

We therefore believe that NUREG-1032, draft for comment, underpredicts the frequency of weather induced losses of offsite power at the Millstone site.

3.1.2 Comments on the NU estimate of the frequency of losses of offsite power greater than a specified duration

Northeast Utilities used the following procedure to determine the frequency of loss of offsite power events with greater than a specified duration. This frequency is the product of the frequency of losses of offsite power (of all durations) and the probability of nonrecovery of offsite power by a specified time after the onset of the loss of offsite power event.

For the frequency of losses of offsite power, NU used plant specific data to perform a Bayesian update of a prior distribution for the frequency of losses of offsite power, and obtained a mean frequency of .145/yr, not significantly different from the maximum likelihood estimate of two events in fifteen years, or .133/yr.

For the distribution of recovery times, NU used data on the recovery times for 10 nuclear power plant sites within the same geographic region as Millstone. (These plants belong to the Northeast Power Coordinating Council.) The problem with this approach is that it assumes a homogeneity amongst the ten sites, and this assumption does not appear to be valid. Only two sites (Millstone and Pilgrim) in the Northeast Power Coordinating Council have experienced losses of offsite power due to salt spray from storms. The Pilgrim plant has installed high pressure washing equipment for washing the switchyard insulators, and, in addition, has made provision for the use of another offsite power line which is less vulnerable to salt spray because it is further inland (private communication, Pat Baranowsky of RES). Since the time of these changes at Pilgrim, it has not experienced a total loss of offsite power event.

This approach to the determination of the probability of nonrecovery as a function of time was used by Northeast Utilities in the Millstone Unit 1 PRA (ref. 10), but was updated by NU in its Millstone 3 station blackout submittal. NU added the Hurricane Gloria data point to the data used in the Millstone Unit 1 PRA (ref. 10). NU estimated that, although power was not restored to unit 1 for 20 hours, and to unit 2 for 26 hours, that power could have been restored to unit 1 in 3.5 hours, and to unit 2 in 5.5 hours. Millstone unit 3 was not operating at the time, but they estimated that the restoration could have been performed in 3.5 hours, for the hurricane Gloria event. Hence, in adding this point to the data base, they treated the event duration as 3.5 hours.

In the Millstone 3 Probabilistic Safety Study (see page 2.2-70 of ref. 11), the hurricane Belle loss of offsite power event, which actually caused a 24 hour loss of offsite power at Millstone unit 2, and an 11.5 hour loss of offsite power at Millstone unit 1 (ref. 12, NSAC-80), was discarded from the data base because it was believed that the site had incorporated specific changes aimed at preventing this event from recurring. (NSAC-80 remarks that the switchyard had been re-insulated to protect against this problem.) We understand that this event was added back into the data base by Northeast Utilities in the light of the Hurricane Gloria event.

Northeast Utilities, in its station blackout submittal (ref. 3), obtains a probability that offsite power will not be restored within 3 hours of 16.4%. Since NU estimates the frequencies of losses of offsite power of .145/yr (not in itself a bad estimate), this means that NU estimates the frequency of losses of offsite power of duration exceeding three hours at .145/yr x .164, or .024/yr. Yet both events at Millstone (the hurricane Gloria and Hurricane Belle events) had long restoration times, and would have had restoration times in excess of three hours even if 100% confidence were ascribed to the estimates of time the utility says offsite power could have been restored in if it were necessary. The site-specific data itself would yield a frequency of 2 events in 15 years, or .133/yr, for losses of offsite power in excess of 3 hours.

If the true frequency of losses of offsite power exceeding 3 hours were the value NU claims (.024/yr), then the probability of two or more losses (exceeding three hours) in 15 years would be only 5%, so that it is inconsistent with site experience.

Therefore, even if one accepts with 100% confidence the restoration times NU claims for the two weather-induced losses of offsite power at Millstone-3, the loss of offsite power restoration curve used by NU would be inconsistent with plant experience, at least in the vicinity of three hours.

3.1.3 RRAB revised estimate of the frequency of losses of offsite power exceeding a specified duration

For our estimate of the frequency of losses of offsite power exceeding a specified duration, we have also broken this frequency up into a product of the frequency of losses of offsite power of all durations and a nonrecovery probability.

For the estimate of the frequency of losses of offsite power, we have chosen an estimate based on the site-specific value of two losses in 15 years, which yields a (maximum-likelihood) estimate of .133/yr. We have neglected a very brief (5 minutes) loss of offsite power at Millstone unit 2 which occurred on July 21, 1976. Our frequency of losses of offsite power is really intended to describe the frequency of severe weather-related losses of offsite power. These will dominate the risk.

We have estimated that there is a 50% chance of recovery within 6 hours from a severe-weather, or salt spray induced loss of offsite power at Millstone-3, and that there is 95% chance of recovery within 20 hours. We used a Weibull distribution to fit these points. Weibull distributions were used to fit the recovery time distribution in NUREG-1032, and were found to give reasonable fits to data. We note also that the distribution of wind speeds from tropical storms are frequently found to be well approximated by Weibull distributions (ref. 9). Thus, if, e.g., the restoration times were proportional to some power of the wind speed, the restoration times would be approximately Weibull in form, for the longer restoration times.
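The consistency argument of section 3.1.2 and the two-point Weibull fit of section 3.1.3 can be reproduced numerically. The following is an added example, not part of the original NRC document; it assumes a Poisson model for event counts and a two-parameter Weibull nonrecovery curve Q(t) = exp(-(t/eta)^beta) passed exactly through the staff's two points, and the function names are hypothetical.

```python
import math

# Figures quoted in section 3.1 of the text.
SITE_EVENTS = 2                        # wind-related losses (Belle 1976, Gloria 1985)
SITE_YEARS = 15.0
NUREG1032_LOSS_PER_INCIDENT = 0.026    # losses per >75 mph wind incident
WIND_OVER_75MPH_PER_YR = 0.03          # New London data (ref. 9)
NU_LOOP_FREQ = 0.145                   # /yr, NU Bayesian mean
NU_NONRECOVERY_3H = 0.164              # NU probability of no recovery within 3 h


def observed_to_predicted_ratio():
    """Observed site frequency divided by the NUREG-1032 high-wind prediction."""
    predicted = NUREG1032_LOSS_PER_INCIDENT * WIND_OVER_75MPH_PER_YR
    observed = SITE_EVENTS / SITE_YEARS
    return observed / predicted


def poisson_at_least(k, rate_per_yr, years):
    """P(N >= k) for a Poisson process (assumed model) over the given period."""
    mu = rate_per_yr * years
    below_k = sum(math.exp(-mu) * mu ** n / math.factorial(n) for n in range(k))
    return 1.0 - below_k


def weibull_through(t1, q1, t2, q2):
    """Shape and scale of Q(t) = exp(-(t/eta)**beta) through two points.

    Taking ln(-ln Q) = beta*ln(t) - beta*ln(eta) makes the fit linear.
    """
    y1 = math.log(-math.log(q1))
    y2 = math.log(-math.log(q2))
    beta = (y2 - y1) / (math.log(t2) - math.log(t1))
    eta = t1 / (-math.log(q1)) ** (1.0 / beta)
    return beta, eta


def nonrecovery(t_hours, beta, eta):
    """Probability that offsite power is still lost t_hours after the event."""
    return math.exp(-((t_hours / eta) ** beta))


def staff_frequency_exceeding(t_hours):
    """Site frequency (2 in 15 yr) times the fitted nonrecovery probability."""
    # Staff points: 50% nonrecovery at 6 h, 5% nonrecovery at 20 h.
    beta, eta = weibull_through(6.0, 0.50, 20.0, 0.05)
    return (SITE_EVENTS / SITE_YEARS) * nonrecovery(t_hours, beta, eta)


if __name__ == "__main__":
    print("observed / NUREG-1032 predicted: %.0f" % observed_to_predicted_ratio())
    nu_3h = NU_LOOP_FREQ * NU_NONRECOVERY_3H
    print("NU frequency of losses > 3 h: %.3f /yr" % nu_3h)
    print("P(2 or more in 15 yr | NU value): %.3f"
          % poisson_at_least(2, nu_3h, SITE_YEARS))
    beta, eta = weibull_through(6.0, 0.50, 20.0, 0.05)
    print("Weibull shape %.3f, scale %.2f h" % (beta, eta))
    for hours in (3.0, 6.0, 20.0):
        print("staff frequency of losses > %4.1f h: %.4f /yr"
              % (hours, staff_frequency_exceeding(hours)))
```

The 3-hour value printed for the fitted curve is a consequence of this exact two-point fit and is not a number stated in the document.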

Our estimate of the frequency of losses of offsite power exceeding 20 hours is .05 x .133/yr, or .007/yr. This estimate is assumed to include the effects of winds greater than 125 mph, and of tornadoes. We note however that the frequency of tornadoes in Connecticut is 3E-4/yr/mi² (ref. 13), and using the multiplier of 27 mi² given in NUREG-1032 (draft for comment) to convert to frequencies of losses of offsite power due to tornadoes yields .008/yr as the frequency of losses of offsite power due to tornadoes. The model in NUREG-1032 (draft for comment) for losses of offsite power due to tornadoes may be an overestimate for Millstone. The frequency of great hurricanes (wind speeds greater than 125 mph) for the Millstone area is about .01/yr, from NOAA documents, as reported by F. H. Clark in an unpublished draft document, "Losses of Offsite Power at Nuclear Power Plants".

For events such as great hurricanes or tornadoes, the model in NUREG-1032, draft for comment, ref. 8, assumes that offsite power cannot be restored before 24 hours. Since our estimate of the frequency of losses of offsite power of greater than 20 hours is .007/yr, there is the potential for some moderate nonconservatism in our loss of offsite power nonrecovery curve, for extended outages on the order of 20 hours.

We note that NU estimates that for events such as Hurricane Gloria the loss of offsite power recovery time is 3.5 hours (best estimate). We have chosen a 50% chance of nonrecovery at 6 hours. One reason for our choice is that the procedure suggested by NU has never been tested, so that the time to perform the task is not known accurately. The actual restoration time will depend on the intensity and duration of the storm. In addition, the restoration procedure depends on the availability of line #348, in the switchyard (see fig. 3.1-1 of the NU submittal, ref. 3). There are no technical specifications on this line.

Figure 1 compares our curve of the probability of nonrecovery of offsite power by time t (after the loss of offsite power trip) to that of NU, and also gives the curves based on actual plant-specific experience. Since the estimates of the frequency of losses of offsite power (of all durations) used by NU and RRAB do not differ significantly (.145/yr for NU and .133/yr for the staff) these curves show the differences in the estimates of the frequencies of prolonged outages between NU and RRAB. The curves of actual plant-specific experience were derived from the fact that Millstone unit 1 experienced an outage of 11.5 hours during the hurricane Belle event (see NSAC-80), and an outage of 20 hours during the hurricane Gloria event (see Appendix D to the NU station blackout analysis, ref. 3). Millstone unit 2 experienced an outage of 24.5 hours during the Hurricane Belle event, and an outage of 26 hours during the Hurricane Gloria event. However, it is recognized that if it were necessary to restore offsite power earlier, it very likely would have been possible, and our estimate of the nonrecovery curve for loss of offsite power reflects this.

3.2 Failure Rates for the Diesel Generators, and Maintenance Unavailability

3.2.1 Comments on the diesel generator failure rates used by NU

By the term diesel generator failure rates we mean not only the failure to start probabilities from independent causes, but also the common mode failure to start, the failure rate for failure to continue running of the diesel generators, and the common mode failure to continue running for the diesel generators.

NU has used, for the failure to start probabilities of an individual diesel generator, the plant-specific data for Millstone 1. We see little justification for this. The diesel generators at Millstone 3 are of a different design (Colt-Pielstick diesels of French design, manufactured by Fairbanks-Morse) than the Fairbanks Morse diesel generators used at Millstone 1, and of different power rating. (The Millstone 3 diesels have a power rating of about 5 MW, and the Millstone 1 generators of about 3.3 MW.) We note that if NU had used plant-specific data for Millstone 2, instead of Millstone 1, the diesel generator failure to start rates would have been much closer to the values we used. (Millstone unit 2 diesel generators have a failure-to-start probability of .02/demand, according to NUREG/CR-2989 (ref. 14), the Millstone unit 1 diesel generators have a failure-to-start probability of .0067/demand, and we are using generic data of .025/demand.)

NU believed that the common cause failure to start probability $q_c$ that we used was unrealistically high, and states that data sources such as NUREG/CR-2099 (ref. 15) would yield $q_c$ = 2.6E-4, about a factor 4.2 less than the value of $q_c$ = 1.1E-3 we used. We have reviewed only briefly the way NU used the work of Atwood and Steverson (NUREG/CR-2099, ref. 15) to derive their estimate of $q_c$. We note that the model of Atwood assumes all failures are related to time in standby, and note that there are no starting-stress failures considered. This would overestimate the importance of staggered testing, assumed by NU to be valid for Millstone-3, in reducing the common cause failure rate.

Furthermore, we note that NU used the failure rates calculated "with a demand present" in NUREG/CR-2099. That is to say, if a diesel generator was found to be unavailable during an inspection, but not a test, this failure was not counted. This clearly leads to an underestimate, as can be seen by considering the extreme example of the case where all failures are discovered during inspections, and the diesel generator always started successfully in the tests. Then one would obtain a zero failure rate by this method. Yet, if an accident were to occur between tests, there could be a substantial probability that the diesel generator was in a failed state.

For a model like that of Atwood, where standby failure rates are obtained essentially by dividing the number of failures by the time in standby, all failures should be counted. This effect is a factor of two. The effect of inclusion of starting stresses is more difficult to estimate, but is probably less than a factor of two. The two effects together do not therefore account for the entire discrepancy between the NU value of $q_c$ and our value.

The value of $q_c$ we used in NUREG-1152 (draft) was derived from the probability of simultaneous failure of two diesel generators as given in NUREG/CR-2989 (ref. 14), and the probability of random independent failure. The probability of simultaneous failure as given in NUREG/CR-2989 included simultaneous failure from random independent failures of the two diesel generators. Our result is consistent with the recent work on dependent failures of Fleming and Mosleh, ref. 16.

NU used a rate for failure to continue running of the diesel generators of 1.1E-3/hr, as opposed to the RRAB value of 3E-3/hr. The NU value is plant-specific for Millstone unit 1 and Connecticut Yankee. Again, we think it is more appropriate to use generic data since the diesel generators at Millstone 3 are of a different design than those used at Millstone unit 1 or Connecticut Yankee.

NU used, for maintenance, not the maintenance unavailability directly, but a frequency of maintenance $\lambda_m$, and a mean time to recover from maintenance, $a_m$. The mean time to recover from maintenance was 15 hours, taken from NUREG-1152 (draft), and the frequency of maintenance used was 5.25E-5/hr, so that the maintenance unavailability, given by the product, is 7.9E-4. This compares to the maintenance unavailability which NU reported for one of its operating plants (not specified) of 1.07E-3, and a generic maintenance unavailability of .006, as given in NUREG/CR-2989 (ref. 14). The value for maintenance unavailability used by NU is about a factor of 7.5 lower than the generic value. We note further that, for Millstone unit 2, the maintenance unavailability was .025, for one of its diesel generators, and .022 for the other, according to NUREG/CR-2989, page 317. We believe it is more appropriate to use the generic maintenance unavailability of .006.

3.2.2 Diesel generator failure rates used by the staff in its re-evaluation

We have not made large changes in the data we have used, relative to the data we used in NUREG-1152 (draft). We are now, however, using directly assessments of generic failure rates from operating experience (primarily NUREG/CR-2989), instead of using the Probabilistic Safety Analysis Procedures Guide (NUREG/CR-2815, ref. 17) data, for certain items. The source of the estimates is more traceable in this way. The changes are in no way significant.

We have changed the value of $q_f$, the probability a diesel generator will fail to start, from .03 to .025, the value given in NUREG-2989, on p. xiii, for the industry average.

We have changed the value of $\lambda_f$, the failure rate for failure to continue running of the diesel generators, from .003/hr to .0024/hr, the value given in NUREG/CR-2989, on p. 28, for the industry average.

We have left unchanged the probability of common mode failure to start, $q_c$, at the value 1.1E-3. The recent analysis of reactor operating events involving dependent events by Fleming and Mosleh (ref. 16, EPRI NP-3967) obtains a beta factor of .05 for diesel generators. Combined with our value of $q_f$ we obtain $q_c = \beta q_f = .00125$. This is sufficiently close to the value of .0011 we were using as to not require any change.

We have left unchanged the failure rate for common mode failure to continue running of the diesel generators. Our previous value was 9E-5/hr. Using the beta factor of .0325 from the Midland Probabilistic Risk Assessment (ref. 18, p. E.1-76) and the above failure to run rate of .0024/hr would yield 7.8E-5/hr. No change was, however, made.

We have left unchanged the maintenance unavailability of the diesel generators. The source of the value is NUREG/CR-2989, p. 28. As we mentioned in section 3.2.1, we believe the use of generic values is appropriate here.

4.0 ASPECTS OF THE MATHEMATICAL MODEL

The model in NUREG-1152 for the calculation of the station blackout core melt frequency distinguished five cases, according to the way the onsite emergency AC system failed. These cases were:

case (a) Neither diesel generator is available at the time of loss of offsite power, either because both fail to start or because one fails to start and the other is in maintenance.

case (b) One diesel generator is in maintenance, the other fails while running

case (c) One diesel fails to start and the other starts, then fails while running

case (d) Both diesels start, then fail while running through common mode

case (e) Both diesels start, the first diesel generator fails while running from independent causes, and the second diesel generator fails while running, from either independent causes, or a common mode shock.

These cases will be referred to in the discussion below, and in Section 5. Appendix A is a glossary of symbols used in NUREG-1152.

4.1 Reply to Comments of NU on the NUREG-1152 Model, and Comments on the NU Model

NU commented that it is more appropriate to treat the grace time as a random variable and not as a fixed parameter, and we concur. We have modified our mathematical model to incorporate this change. Our base case for the grace time distribution, and the grace time distributions used in our sensitivity studies are discussed in section 2.4, with the bases for these distributions given in sections 2.2 and 2.3. We should like to point out, however, that the fixed grace time we had chosen before was not intended to be a conservative bounding estimate, but rather was our best estimate given our state of knowledge at the time.

NU commented that, in treating the terms involving maintenance unavailability we had implicitly assumed that the maintenance unavailability of one of the diesels is initiated concurrently with the loss of offsite power. This comment is incorrect. However, it is true that the expressions we used for the terms involving maintenance unavailability are only valid if the time to recover from maintenance is exponentially distributed. Since such an assumption of an exponentially distributed maintenance time was made, there was no error in the staff formulation. We note that in NUREG-1152 (draft) the maintenance term associated with case (a) was neglected, in the numerical work.

The expressions NU uses for these terms are essentially correct and more general. There is a small error of no numerical consequence in their expressions for the terms involving maintenance unavailability. This error arises from the fact that NU used, for the probability a loss of offsite power would occur in a small time interval dt, the expression $\lambda_n \exp(-\lambda_n t)\,dt$, when the expression should simply be $\lambda_n\,dt$. The expression used by NU would imply that once a loss of offsite power occurs at a plant, it could never occur again. The type of expression NU uses is only appropriate when recovery is not possible. The time variable in the integral should really be reactor operating time. The effect is trivial.

It is easy to see that the expression NU uses for the maintenance terms is equivalent to the expressions used in NUREG/CR-1152 (draft), for an exponentially distributed maintenance time. The frequency of loss of offsite power events which occur while a diesel generator is in maintenance, and in which the diesel generator will not be repaired by a time $\tau$ following the loss of offsite power event is, following the NU method,

$$P_1 = \lambda_n \lambda_m \int_0^\infty Q_m(t+\tau)\,dt$$

while the NUREG-1152 expression is

$$P_2 = \lambda_n q_m Q_m(\tau).$$

Now, $Q_m(t) = \exp(-at)$, where $a$ is the reciprocal of the mean maintenance time. The quantity $q_m$ is the maintenance unavailability, and is related to $\lambda_m$ and $a$ by the expression $q_m = \lambda_m/a$. One easily obtains

$$P_1 = \lambda_n \lambda_m \exp(-a\tau)/a = P_2.$$

Thus, for an exponentially distributed maintenance time, the two expressions are equivalent. The result is somewhat paradoxical. The paradox is resolved by noting that a loss of offsite power is more likely to occur during a long maintenance outage than a short one. For example, if there are two maintenance outages, one of two hours, and the other of 20 hours, and it is known that a loss of offsite power occurred during one of them, then it is ten times more likely to have occurred during the 20 hour outage than during the 2 hour outage. This effect counterbalances the fact that the loss of offsite power may not occur at the beginning of the outage. These two effects completely balance for an exponential distribution. For a maintenance-time distribution which is not exponential, the general expression of NU for the terms involving maintenance can yield either a lower or higher estimate than the formula used in NUREG-1152.

For example, for the maintenance-time distribution,

$$Q_m(t) = .4\exp(-t/2) + .6\exp(-t/48),$$

the essentially exact expression of NU will yield a larger maintenance unavailability contribution to the core melt frequency than the expression used in NUREG-1152 (draft). For example, for a grace time of 8 hours, and the above expression for $Q_m$, the NU expression for the core melt frequency due to the part of case (a) associated with one diesel generator being down for maintenance is 60% higher than the value obtained from the formula used in NUREG-1152 (draft).

The above expression for $Q_m$ is not too bad a representation of the distribution for the maintenance time, since it yields a median value of about 9 hours for the maintenance time, and a mean value of about 30 hours. The mean repair time for a diesel generator is about 36 hrs, according to NUREG/CR-2989, p. 314. The median value of the repair time for a diesel generator is about 8 hours, from the histogram of repair times on p. 319 of NUREG/CR-2989.

No use of this expression for $Q_m$ will be made however. (If it were used it would have to be modified to take into account the fact that the plant is shut down if the allowed outage time of three days is exceeded.) The terms involving maintenance unavailability are too small a contributor, when generic data is used, to warrant such refinements.
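The comparison between the NU and NUREG-1152 maintenance terms can be checked by numerical integration. The following is an added example, not part of the original NRC document; it assumes the maintenance unavailability is the maintenance frequency times the mean maintenance time (the general form of q_m = λ_m/a), so that the loss of offsite power and maintenance frequencies cancel in the ratio of the two terms. Function names are hypothetical.

```python
import math

HORIZON = 4000.0  # hours; both example distributions are negligible beyond this


def q_exponential(mean_hours):
    """Nonrepair probability Q_m(t) for an exponential maintenance time."""
    return lambda t: math.exp(-t / mean_hours)


def q_mixture(t):
    """Two-component example from the text: .4*exp(-t/2) + .6*exp(-t/48)."""
    return 0.4 * math.exp(-t / 2.0) + 0.6 * math.exp(-t / 48.0)


def simpson(f, a, b, n=40000):
    """Composite Simpson rule on [a, b]; n must be even."""
    h = (b - a) / n
    total = f(a) + f(b)
    for k in range(1, n):
        total += (4 if k % 2 else 2) * f(a + k * h)
    return total * h / 3.0


def mean_maintenance_time(q):
    """Mean of a nonnegative time equals the integral of its survival function."""
    return simpson(q, 0.0, HORIZON)


def median_maintenance_time(q):
    """Time at which Q_m crosses 0.5, found by bisection."""
    lo, hi = 0.0, HORIZON
    for _ in range(80):
        mid = 0.5 * (lo + hi)
        if q(mid) > 0.5:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def nu_over_nureg1152(q, grace_hours):
    """Ratio of the NU term to the NUREG-1152 term for grace time tau.

    NU:          integral over t >= 0 of Q_m(t + tau)
    NUREG-1152:  (mean maintenance time) * Q_m(tau)
    The common factor lambda_n * lambda_m cancels.
    """
    nu_term = simpson(q, grace_hours, grace_hours + HORIZON)
    nureg_term = mean_maintenance_time(q) * q(grace_hours)
    return nu_term / nureg_term


if __name__ == "__main__":
    print("exponential, mean 15 h, grace 8 h: ratio %.4f"
          % nu_over_nureg1152(q_exponential(15.0), 8.0))
    print("mixture mean   %.1f h" % mean_maintenance_time(q_mixture))
    print("mixture median %.1f h" % median_maintenance_time(q_mixture))
    print("mixture, grace 8 h: ratio %.3f" % nu_over_nureg1152(q_mixture, 8.0))
```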

There is a very minor error in the expression NU uses for case (b). This case evaluates the contribution to core melt frequency from the case where one diesel generator is in maintenance, a loss of offsite power occurs, a diesel generator later fails to run, and no source of AC electric power is recovered before the end of the grace period. The integral NU uses to evaluate this case is given on p. 66 of the NU station blackout assessment, ref. 3. The factor $\lambda_f \exp(-\lambda_f x)\,dx$ which appears in this expression represents the probability the diesel generator fails to run in the time interval (x, x+dx). This factor should be $\lambda_f \exp[-\lambda_f (x-t)]\,dx$. The reason for this is that, in the integral NU uses to evaluate case (b), the loss of offsite power occurs at time t. Therefore, the elapsed time from the time the diesel is started to the time it fails is x-t, and this is what should be used in the exponential in computing the probability the diesel generator fails in the time interval (x, x+dx). The error is of no consequence numerically.

NU commented, for our case (d), that the factor $\exp(-2\lambda_i w)$ appears incorrect. This case involves a loss of offsite power followed by common mode failure of both diesels to run. The factor is not incorrect; it accounts for the fact that if either diesel has failed previously from independent causes, then it cannot fail later from a common cause. (The model assumes that terms associated with the failure of a diesel after loss of offsite power, repair of the diesel, and subsequent failure can be neglected.) The omission of this factor has an absolutely negligible effect numerically.

NU used a different expression than we did, for case (e). This case involves failure to run of both diesels at different times, with the first failure from independent causes. (Of course, if the first diesel failed from a common cause, then the second diesel would have also failed, and then could not have failed later.) The expression NU used is incorrect here, but incorrect in such a way as to overestimate the core melt frequency. As will be seen later, the effect is fairly sizeable, when considered as a percentage change for the case (e) term. NU overestimates the case (e) term by a factor of 5.45, but since the case (e) contribution to the station blackout core melt frequency is relatively small, the overestimate in the station blackout core melt frequency from this error is only about 20%, when NU data is used.

If, in our expression for case (e), we no longer use the split limits on the integral our expression becomes

$$P_e = 2\lambda_n Q_d(\tau) \int_0^\infty \lambda_f \exp(-\lambda_f w)\, Q_n(w+\tau) \int_0^w \lambda_i \exp(-\lambda_f x)\, Q_d(w-x+\tau)\,dx\,dw.$$

The expression NU uses is

$$P_e' = 2\lambda_n \int_0^\infty \int_x^\infty \lambda_f \exp(-\lambda_f x)\, Q_d(w-x+\tau)\, Q_n(x+\tau)\, \lambda_f \exp(-\lambda_f w)\, Q_d(\tau)\,dw\,dx$$

where the dummy variable of integration t used by NU has been replaced by w to facilitate comparison with the expression we used. At first glance, the limits of integration appear different, but closer inspection shows that the region of integration is the same in both cases. The order in which the integration is performed is different, but the two expressions would be equivalent if the integrands were the same. The fact that some of the subscripts in the NU formula are f instead of i is of no numerical consequence. The reason some of the subscripts are i in the expression used in NUREG-1152 is that the first failing diesel must fail from independent causes. The difference that is important is the appearance of $Q_n(x+\tau)$ in the integral instead of $Q_n(w+\tau)$. The function $Q_n(z)$ is the probability offsite power is not recovered by time z after the loss of offsite power.

In the integral, the first diesel fails at time x and the second diesel fails at time w; $\tau$ is the grace time. Hence, if offsite power is recovered by time $w+\tau$ core melt is averted. The NU expression states that offsite power must be recovered by a time $\tau$ after the first diesel has failed, in order to avert core melt, and this introduces an overestimate. This error was the only error leading to any numerical consequence, in the mathematical model used by NU, and the error is in the direction to overestimate the core melt frequency.

4.2 Model Used in the RRAB Re-evaluation

The model used in the RRAB re-evaluation took into account the fact that it is desirable to treat the grace time as a random variable, instead of a fixed parameter, as was mentioned above. Again, section 2.4 discusses the grace time distribution we used for our base case, and the sensitivity cases, with supporting information given in sections 2.2 and 2.3.

As was mentioned in section 2.1, we are no longer giving credit for the avoidance of the reactor coolant pump seal LOCA, if the station blackout occurs four or more hours after the loss of offsite power begins. Instead, we follow NU here.

The staff model calculates only a point estimate, using mean values for the basic event probabilities. This results in a very close approximation to the mean value of the station-blackout-induced core melt frequency. In fact, the only terms where an error is introduced are for the cases involving random independent failure of the two diesels to start, or random independent failure of the two diesels to run. Here a small underestimate is made. A correction could be made here. For case (a), there is a term involving $q_f^2$. If we use E(x) to denote the expectation of an arbitrary random variable x, then if we had used Monte Carlo to propagate uncertainties, and then taken the mean of the result, we would have obtained a result proportional to $E(q_f^2)$ for this term, while the point estimate would have a result proportional to $[E(q_f)]^2$ for this term. However, we have

$$E(q_f^2) = [E(q_f)]^2 + \mathrm{var}(q_f),$$

so that it would be possible to calculate the correction, given a knowledge of the variance of $q_f$. A similar correction occurs for case (e). Since the terms involving random independent failures are not the largest terms, these corrections are not important.

However, one of the calculations reported in section 5 consists of a comparison of the RRAB model and the NU model when the same data is used. The purpose of this calculation is to verify model and computer code consistency. In this case, the correction was made. The term in case (a) which involves random independent failure of both diesels to start must be multiplied by a factor of 1.2 to take into account the fact that the point estimate of the core melt frequency based on mean values of the basic events is not the same as the mean value of the core melt frequency. This factor of 1.2 was derived by the above equation; the mean and variance of $q_f$ were given in the NU report. The corresponding factor for case (e), involving random independent failure of both diesels to run, was 1.9.

In all other respects, our model remains as it was for NUREG-1152 (draft).

5.0 RESULTS OF THE RE-EVALUATION

This section will give the results for the station-blackout induced core melt frequency for our base case, and for our sensitivity cases. We shall also make comparisons to the results given by NU in their Millstone 3 station blackout assessment, ref. 3.

Up to this point, we have considered only those station blackout sequences associated with battery depletion or a RCP seal LOCA.

However, it is to be remembered that there is another sequence which leads to core melt under station blackout conditions. This is the sequence in which a station blackout occurs, the turbine-driven auxiliary feedwater system pump train fails, and AC power is not recovered within about one and a half hours.

Let us call this sequence TMLB. The probability of failure of the auxiliary feedwater system under station blackout conditions is given in the Millstone 3 Probabilistic Safety Study as .048.

It is easy to calculate the frequency of the TMLB sequence, by noting that the value of this frequency is the product of the conditional frequency of the sequence, given failure of the auxiliary feedwater system, times the probability of failure of the auxiliary feedwater system. But the conditional frequency is just the frequency of station blackouts of greater than 1.5 hour duration, and can be calculated by the model we have been using.

Using this method, the contribution of terms involving failure to run of the diesel generators can be included.

We obtain, when we use our estimates of the loss of offsite power frequency against duration curve, and our estimate of diesel generator failure rates, an estimate of 1.7E-5/yr for the frequency of the TMLB sequence. When NU data is used, we obtain 1.1E-6/yr for the estimated frequency of this sequence. NU did not consider this sequence in their station blackout assessment, ref. 3.

There are other loss of offsite power sequences, other than station blackout sequences.

For example, there are sequences involving failure of diesel generator A, motor-driven pump B in the AFW in maintenance, and the turbine-driven AFW pump failing to start.

However, because feed and bleed will generally be available for these sequences, they will not make an important contribution to the core melt frequency.

Before giving the results for our base case and the sensitivity cases, we will give first the results of a comparison we have made between the NU results and the results we obtained with our model when we used NU data.

5.1 Results of Model Comparison When the Same Data is Used

We here compare our model to that of NU, when NU data is used. The purpose was mutual verification of the two models and computer programs.

Every effort was made to obtain consistency. The same loss of offsite power frequency and non-recovery curve was used, the same diesel generator failure rates, and the same grace time distribution. A correction to our results was made to account for the difference between the mean core melt frequency and the point estimate obtained by using mean probabilities of the basic events. We made the comparison on a case by case basis, where the cases refer to cases of section 4, such as the contribution of the case where one diesel generator is in maintenance, and the other diesel generator fails to run. The results we obtained for a case by case comparison of the annual frequencies were

Case     Mean Frequency (RRAB)     Mean Frequency (NU)
a        9.67E-7                   8.94E-7
b        1.22E-8                   1.19E-8
c        1.04E-7                   1.05E-7
d        9.53E-7                   9.49E-7
e        9.96E-8                   5.63E-7 (1.03E-7)
Total    2.14E-6                   2.52E-6 (2.06E-6)

The number in parenthesis after the case (e) result is our correction of the error NU made in this case, as discussed in section 4.1.

The number in parenthesis after the total for NU is our correction of the NU result, for the error in case (e).

The 8% difference in case (a) is not understood, but is quite small.

It is very likely not due to the statistical error in the Monte Carlo calculations of NU, or to any other cause we could identify.

For the other cases, the differences can be easily accounted for by the numerical integration scheme we used, the statistical error in the Monte Carlo calculations of NU, the small errors made by the setting equal to unity of certain exponentials in our calculation, and the small errors in the exponentials made in certain terms by NU.

The TMLB sequence involving the unavailability of the turbine-driven AFW pump contributes 1.1E-6/yr here, so that with NU data we estimate a station blackout induced core melt frequency of 3E-6/yr.

We note here that NU also presented the median result when the diesel generator failure to start from independent causes was increased to .025 per demand from the .0067/demand value they were using, but left the other diesel generator failure rates alone. The value they obtained here was 3.4E-6/yr.

5.2 Results for our base case and sensitivity cases

The results for the station-blackout-induced core melt frequency for our base case and the sensitivity cases are given in the table below. These estimates are point estimates which closely approximate mean values, and include the contribution of the sequence involving failure of the AFW system.

CASE                                                        ANNUAL FREQUENCY
1. Base Case                                                9E-5
2. Estimate with our loss of offsite power recovery         3E-5
   curve, our loss of offsite power frequency, base
   case grace time distribution, but NU diesel
   generator data
3. Grace time fixed at 4 hours                              2.1E-4
4. Grace time fixed at 8 hours                              8E-5
5. Grace time fixed at 12 hours                             4E-5
6. Zero probability of RCP seal LOCA, otherwise like        7E-5
   base case
7. Maximum grace time of 8 hours from emergency             1.1E-4
   lighting failure; smaller grace times possible;
   otherwise like base case

For comparison, NU obtained an estimate of 2.5E-6/yr for the station-blackout induced core melt frequency. As we have noted earlier, there was an error in the mathematical formulation of NU; when corrected, their estimate is 2.1E-6/yr. This estimate does not include the station blackout sequence involving failure of the AFW system (TMLB sequence). We estimate, with NU data, that the TMLB sequence has a frequency of 1.1E-6/yr.

Reviewing the various cases in the table above, case 1, the base case, has our best estimate of diesel generator failure rates and loss of offsite power frequency and recovery curve. The grace time distribution is that of NU, but we assume it is only valid if cooldown and depressurization of the primary system were possible, while NU assumed it was valid without cooldown and depressurization.

As discussed in section 2, one reason for this is that we believe the leak rate from the RCP seals is underestimated for the case where the O-rings for seals No. 1 and No. 2 are failed, and either the No. 3 seal, or the O-rings for seal No. 3 are failed; the other reason is that the probability of O-ring failure is somewhat underestimated without giving credit for depressurization and cooldown.

Case 2 is a sensitivity case to see the relative importance of the change in the loss of offsite power recovery curve from that NU used, and the importance of the diesel generator data.

Case 3, with the grace time fixed at 4 hours, is presented to take into account the possibility, identified by AECL, as discussed in Section 2, that there may be a large leak from the RCP seal package caused by popping open of seal No. 2 followed by consequential popping open of seal No. 1, when the fluid passing through the No. 2 seal is close to saturation.

Failure of depressurization and cooldown was also assumed for this case.

Case 4, with the grace time fixed at 8 hours, is of interest because the draft regulatory guide on station blackout would not require a grace time greater than 8 hours, for any plant. We see that, for Millstone-3, we would estimate a core melt frequency of 8E-5/yr for this case.

Case 5, with a grace time fixed at 12 hours, shows the dependence on the grace time.

Case 6 is for the case where the problems with the reactor coolant pump seals have been resolved. The change from the base case is not large (7E-5/yr instead of 9E-5/yr), when our data is used.

Case 7 incorporates the concern that emergency lighting may fail after 8 hours. As discussed in section 2.3, the reason is that the emergency lighting is on separate battery packs, and it is our understanding that these packs are rated at 8 hours; if there is no additional margin, then this limits the maximum grace time.

Although a sensitivity case to see the effect of not being able to depressurize and cooldown under station blackout conditions was not run, everything else held constant, this would appear to be an important consideration. Our concern here is that the atmospheric dump valves require compressed air, and we are not sure how they would be operated under station blackout conditions.

Local manual operation appears possible, but we are not sure of the adequacy of the procedures here. Our concerns are more fully described in Section 2.2.

Our concerns about emergency lighting and operator-initiated depressurization and cooldown may be resolved through continuing communication with the licensee.

We note that our results are not that sensitive to whether or not the emergency lighting capacity is 8 hours, or more than 8 hours.

However, this may be a consequence of the particular shape of the offsite power recovery curve we are using.

It would be prudent to verify the emergency lighting capacity.

6.0 SUMMARY

Our base case estimate of the station-blackout induced core melt frequency is 9E-5/yr. This compares to 2.5E-6/yr obtained by the licensee. When corrected for an error, the licensee's result becomes 2.1E-6/yr, which is increased to 3E-6/yr by the addition of the frequency of the TMLB sequence involving failure of auxiliary feedwater, a sequence not included by NU in their station blackout submittal, ref. 3.

The major reasons for the differences between the result of NU and our base case result are the differences in our estimates of frequencies of losses of offsite power of various durations, and the differences in failure rates for the diesel generators, including the common cause failure rates.

As shown in section 3.1.2, even if one accepts the fact that in the hurricane Gloria and hurricane Belle events offsite power could have been restored in 3.5 hours, the NU offsite power restoration curve is inconsistent with site-specific experience, at least in the vicinity of three hours.

There are several possible reasons why our base case estimate could be low.

The first of these is that we assumed that emergency lighting would not be a limit on the grace time (station blackout duration capability).

But emergency lighting is on separate batteries from those for instrumentation and control; although we have estimates of the battery lifetimes for the instrumentation and control batteries, we do not have estimates of the lifetime of the emergency lighting batteries.

Emergency lighting may therefore limit the maximum grace time.

One of the sensitivity studies discussed in Section 5.2 treats this by assuming a maximum grace time of 8 hours coming from the loss of emergency lighting at that time, with the possibility of smaller grace times from, for example, the RCP seal leak.

The second of these reasons is an increased probability of a large RCP seal leak, coming from the "popping open" of seal No. 2 followed by consequential popping open of seal No. 1.

This is a concern raised by AECL, and discussed in section 2.2.

The third of these reasons is the fact that operator depressurization and cooldown of the primary system may not be possible from the control room, because of loss of compressed air for operation of the atmospheric dump valve.

Local manual operation appears possible, but we are uncertain as to the adequacy of the procedures here.

Section 4.2 discusses this more fully.

The concerns about emergency lighting and lack of ability for operator depressurization may be resolved through continuing communication with the licensee.

We note that if the grace time were a deterministic 8 hours that the core melt frequency would be 8E-5/yr, with our data. This is of interest because the draft regulatory guide on station blackout would not require a grace time greater than 8 hours.

The high estimated core melt frequency from station blackout at Millstone-3, from a deterministic standpoint, derives from the minimal on-site emergency AC power system coupled with a high site-specific frequency of losses of offsite power of extended duration.

FIGURE 1. Offsite power nonrecovery probability (vertical axis, 0 to 1.0) versus time t (hrs) after loss of offsite power (horizontal axis, 0 to 20). Legend: NU curve; RRAB curve; actual experience.

7.0 REFERENCES

1. Millstone Unit 3 Risk Evaluation Report (Draft), NUREG-1152, U.S. Nuclear Regulatory Commission, October 17, 1985.

2. Letter, H. R. Denton to J. F. Opeka, dated December 18, 1985, on the subject of station blackout risk at Millstone 3.

3. Letter, J. F. Opeka to H. R. Denton, dated March 18, 1986, on the subject "Millstone Nuclear Power Station, Unit 3 Response to Information Requested Regarding Station Blackout".

4. Memorandum from Themis P. Speis to Thomas M. Novak, dated June 17, 1986, "Review of Northeast Utilities Response to Information Requested on Station Blackout at Millstone Unit 3."

5. C. H. Campen and W. D. Tauche, "Reactor Coolant Pump Seal Performance Following a Loss of All AC Power," Westinghouse Owners Group Report, WCAP-10541, Rev. 1 (Proprietary), April 1986.

6. Charles A. Kittmer et al., "Reactor Coolant Pump Shaft Seal Behavior During Station Blackout," NUREG/CR-4077, AECL-MISC-305, April 1985.

7. Memorandum from Faust Rosa to Frank Congel, dated May 21, 1986, on the subject of Millstone 3 battery depletion time.

8. Evaluation of Station Blackout Accidents at Nuclear Power Plants, NUREG-1032 (Draft for comment), U.S. Nuclear Regulatory Commission, May 1985.

9. M. J. Changery, "Historical Extreme Winds for the United States - Atlantic and Gulf of Mexico Coastlines," NUREG/CR-2639, April 1982.

10. Millstone Unit 1 Probabilistic Safety Study, NUSCO-147, Northeast Utilities, July 1985, J. F. Opeka letter to J. A. Zwolinski, July 21, 1985.

11. Millstone Unit 3 Probabilistic Safety Study, W. G. Counsil letter to H. R. Denton, July 27, 1983.

12. Losses of Offsite Power at U.S. Nuclear Power Plants - All years through 1983, Nuclear Safety Analysis Center, NSAC-80, July 1984.

13. The Weather Almanac, edited by James A. Ruffner and Frank E. Bair, Gale Research Co., Detroit, Michigan, 1981, p. 77.

14. R. E. Battle and D. J. Campbell, Oak Ridge National Laboratory, "Reliability of Emergency AC Power Systems at Nuclear Power Plants," NUREG/CR-2989, ORNL/TM 8545, July 1983.

15. C. L. Atwood and J. A. Steverson, Common Cause Fault Rates for Diesel Generators: Estimates Based on Licensee Event Reports at U.S. Commercial Nuclear Power Plants, 1976-1978, NUREG/CR-2099, June 1982.

16. K. N. Fleming and A. Mosleh, principal investigators, "Classification and Analysis of Reactor Operating Experience Involving Dependent Events," Electric Power Research Institute, EPRI NP-3967, June 1985.

17. I. A. Papazoglou and others, Brookhaven National Laboratory, "Probabilistic Safety Analysis Procedures Guide," NUREG 2815, BNL NUREG 51559, June 1984.

18. F. R. Hubbard III and others, "Midland Nuclear Plant Probabilistic Risk Assessment," prepared by Pickard, Lowe and Garrick, Inc. for Consumers Power Company, May 1984.

Appendix A. Glossary of Symbols used in NUREG-1152

Time will be measured from the instant of loss of offsite power, or from time of failure, as appropriate. The formulas that follow will indicate the origin of the time axis.

$P_n(t)$ is the probability that the offsite power has been recovered by time t after the onset of its loss (symbol n designates electrical network); $R_n(t)$ is the distribution of recovery time.

$Q_n(t) = 1 - R_n(t)$ is the probability that the offsite power has not been restored by time t.

$Q_g(t)$ is the probability of nonrecovery of a diesel generator by time t after its failure, for either the failing-to-start mode of failure or the failure-to-run mode of failure, if these failures were from independent causes. In the case of failure to run, the symbol $Q_g(t)$ may also be used.

$Q_m(t)$ is the probability of nonrecovery by time t from being in maintenance or test.

$Q_c(t)$ is the probability of nonrecovery of a diesel generator by time t after its failure, if it has failed from common cause.

$A_n$ is the probability of a single diesel generator being in maintenance at time of demand.

$q_f$ is the probability of a single diesel generator failing to start on demand.

$q_f^2$ is the probability that both diesel generators fail to start on demand.

$q_c$ is the probability of common cause failure of both diesels starting.

A (t)=A is the failure rate for a running diesel generator.

l i

f g

I A (t)=A is the failure rate from a common cause event (or shock) that c

c will disable all running diesel.s.

i A =A -A is the failure rate for a running diesel from independent causes.

g g c I

(5 the grace time i

i A

is rate of loss of offsite power.

i I

l r

ENCLOSURE 2

MILLSTONE NUCLEAR POWER STATION UNIT NO. 3 REGULATORY ANALYSIS FOR IMPOSITION OF REQUIREMENTS TO REDUCE BLACKOUT INDUCED CORE MELT FREQUENCY

MILLSTONE UNIT 3 REGULATORY ANALYSIS FOR IMPOSITION OF REQUIREMENTS TO REDUCE BLACKOUT INDUCED CORE MELT FREQUENCY

The items which follow correspond to the requirements for backfit analysis specified in NRC Manual Chapter 0514, Paragraph 043.

1. A statement of the specific objective that the proposed backfit is designed to achieve. This should include a succinct description of the backfit proposed, and how it provides a substantial increase in overall protection.

RESPONSE: The specific objective of the proposed backfit is to minimize the impact of severe accidents at Millstone Unit 3 by reducing the station blackout contribution to core damage frequency and risk. The Millstone 3 Risk Evaluation Report (NUREG-1152) identified station blackout as the dominant contributor to core damage frequency from internal events. The Millstone site has experienced two long duration losses of offsite power. The two events give the staff concern that action should be taken to reduce core melt frequency.

NUREG-1152 did not factor into its analysis the Hurricane Gloria event, and used an underestimate of the frequency of long duration losses of offsite power, according to revised staff calculations which took into account the second weather-related loss of offsite power occurring at the plant, the Hurricane Gloria event. On the other hand, NUREG-1152 also made some assumptions which, on the basis of further information obtained about the reactor coolant pump seal issue and the battery depletion time at Millstone-3, turned out to be conservative. The two effects roughly cancelled. The staff's current best estimate of the station blackout core melt frequency at Millstone-3, and the basis for the estimate, are given in the July 11, 1986 memo from Speis to Novak, on this subject. This best estimate of the core melt frequency does not differ significantly from that given in NUREG-1152.

The proposed backfit, although an interim measure, provides substantial increase in overall protection by reducing the frequency of core damage resulting from loss of offsite power.

  • This memo transmitted the Risk Evaluation contained in Enclosure 1.

The major cause of extended loss of offsite power is the fouling of switchgear by salt spray during high wind conditions; the winds need not be of hurricane force.

In the hurricane Gloria event sustained winds at the site ranged up to 58 mph, below hurricane force (74 mph). The backfit will require the licensee to shut down the unit when storm conditions are predicted. With the reactor cooled down at the time of loss of offsite power, the probability will be lower that a LOCA will occur due to reactor coolant pump seal failure.

The licensee will also be required to develop procedures for DC power conservation applicable during blackouts. This will extend the battery life and will reduce core melt frequency by extending the time period during which cooling of the primary system can be maintained without AC power.

Thirdly, the licensee will be required to adopt maintenance and test procedures which maximize diesel generator reliability. This will reduce the probability that a loss of offsite power will result in station blackout. The core melt frequency due to station blackout is roughly cut in half if the diesel generator failure rates are reduced in half, the precise reduction in core melt frequency depending on how much the probability of common mode failures is assumed to be reduced, given a reduction in the failure rates for a single diesel generator.

Finally, in its review of blackout risk at Millstone unit 3, the staff noted some apparent inadequacies in station emergency procedures. The staff assessment of risk assumed that all specified steps could be accomplished.

Therefore the staff will require that the licensee conduct a walkthrough of procedures so that deficiencies can be corrected.

2. A general description of the activity that would be required by the licensee in order to complete the backfit.

RESPONSE: The licensee will be required to take four actions:

a. Develop and propose a change to technical specifications to require cooldown of the unit when weather conditions are predicted which have a high probability of causing loss of offsite power. Especially, shutdown will be required in anticipation of the approach of hurricanes. The winds at the site during Hurricane Gloria were not of hurricane force: thus shutting down only when hurricane force winds are anticipated at the site will still result in a significant probability of a loss of offsite power with the plant operating.
b. Review loads on the station batteries and complete the section of the emergency operating procedures which specify station loads to be shed during loss of offsite power.
c. Review diesel generator maintenance and testing procedures and revise those procedures to reduce the failure rate. It is expected, for example, that more frequent testing and preventive maintenance of the diesel generators will be required.
d. Perform a walkthrough of station emergency procedures applicable to station blackout. Modify procedures as necessary to ensure their workability.

In particular, ensure the workability of procedures for depressurizing the secondary side of the steam generators and maintaining them depressurized under station blackout conditions.

If it is possible to depressurize the steam generators from the control room under station blackout conditions, insert these steps explicitly in the procedures.

If it is not possible, modify the procedures to indicate that this is the case. Give explicitly the steps required for depressurizing, and maintaining at the desired pressure, the steam generators, using local actions, if these are required. The means of communication between the control room and the location of the valves used for depressurizing the steam generators should be given, and demonstrated to be operable, if such communication is required in order to be sure the appropriate pressure is reached and maintained. The availability of emergency lighting throughout the event should be considered.

3. The potential safety impact of changes in plant or operational complexity, including the relationship to proposed and existing regulatory requirements.

RESPONSE: The proposed actions should not alter plant or operational complexity during normal operation. Although there could be a safety impact if the revision to the technical specifications were to cause an excessive number of premature shutdowns, this should be avoidable with careful wording of the license condition.

The anticipated actions should have no bearing on other proposed or existing regulatory requirements at Millstone 3.

4. Whether the proposed backfit is interim or final and, if interim, the justification for imposing the proposed backfit on an interim basis.

RESPONSE: The proposed backfit is interim. The staff review, in the form of the draft risk evaluation report (RER) submitted to the licensee for comment in October 1985, and the "Regulatory Analysis on Reduction of Station Blackout Core Melt Frequency at Millstone 3" transmitted on December 18, 1985, included consideration of two measures which could result in significant reduction in the likelihood of core melt. The two measures involved installations of a gas turbine and an additional diesel generator.

The staff is withholding action on these recommendations pending resolution of USI A-44. In recognition of the relatively high blackout related core melt frequency, however, these four actions are being proposed as interim measures.

These interim measures are changes to station operating procedures which have relatively high value/cost factors.

5. A statement that describes the benefits to be achieved and the costs to be incurred. This statement should include consideration of at least the following factors. Information should be used to the extent that it is reasonably available, and a qualitative assessment of benefits may be made in lieu of the quantitative analysis where it would provide more meaningful insights, or is the only analysis practicable.

a. The potential change in risk to the public from the accidental offsite release of radioactive material.

RESPONSE: Station blackout is estimated by the staff in the RER to contribute about 30% of the societal dose due to internal events. Depending on the assumptions made, e.g., conditional probability of hydrogen burn, offsite power recovery rate, and de-inerting of the containment atmosphere, the estimated mean dose per reactor year out to 50 miles from the plant can range from approximately 2 to 60 person-rems. (The staff's central estimate out to 50 miles is 7 person-rems per reactor year.) Out to 150 miles from the plant, the mean annual dose can range from about 8 to 200 person-rems. (The staff's central estimate out to 150 miles is about 26 person-rems per reactor year.)

While ordinarily CRAC calculations out to only 50 miles would be used in a backfit analysis value-impact assessment, New York City, its suburbs, and other densely populated areas lie beyond 50 miles but within 150 miles. This is significant because based on long term overpressure failure of containment, staff CRAC calculations estimate that downwind wholebody doses of 5 rem or more are quite possible for individuals living more than 50 miles from the site.

The proposed actions will effect a reduction in risk of approximately 600 person rem over the life of the station. Most of this reduction will accrue from improving diesel generator reliability. (That action alone could reduce risk by about 470 person rem.) In making this calculation, no credit is taken for shutting down the unit under storm conditions.

Station blackout leading to a reactor coolant pump (RCP) seal LOCA is the largest contributor in the draft Millstone RER to mean core damage frequency.

Seal failure due to lack of seal cooling will not occur if reactor coolant system temperature is below 350 degrees F. It is not possible to reduce temperature to this range under blackout conditions. However it is possible to reduce temperature when there is ample warning that loss of offsite power is likely.

.s____

6-Hurricanes and other high winds are the principal cause of extended loss of offsite power at Millstone. If cooldown were achieved prior to loss of offsite power the RCP seal failure LOCA could be avoided and the annual core melt frequency could be reduced by about 70%. Using the earlier study value of mean annual risk of 26 person-rems within 150 miles of the plant, this would effect a reduction in exposure of about 5 person-rems per reactor year or about 200 person-rems during the remaining life of the station.

The capacity of the storage batteries influences the length of time for which coolino of the primary system can be provided after blackout and thus has some effect on core nelt frequency. During station blackout the batteries power safety equipment essential to shutdown and to maintain the station in hot standby condition. They also power DC loads of lesser reactor safety significance. Plackout procedures call for shedding of nonessential loads. The DSR0 review found that the specific loads to be shed have not yet been identified in the station blackout procedures. In commenting on the 12/18/85 regulatory analysis the Itcensee acknowledoed that additional conservation measures, such as stripping of additional DC loads and alternating the use of inverters on the batteries, could extend the battery life and thus the grace period; credit for this load shedding was taken in both NU's and the staff's base case (see memo, Speis to Novak, July 11,1986).

Conservation measures should result in a probability of 0.45 that the station should last as long as 12 hours1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br />. This should effect a reduction of about 10%

in the core melt frequency, reducino exposure by about 100 person-rems.

The low maroin in the design of the emergency power system at Millstone 3 is reflected in the predicted frequency of station blackout. The probabilistic core melt models are sensitive to diesel generator reliability.

A reduction in the diesel generator failure rate by a factor of two will result in an approximately proportional reduction in the core melt frequency, the exact amount of the reduction depending on how much the common mode failure rate is assumed to be reduced. (If the common mode failure rate is assumed to be cut in half, as well as the individual failure rates, then the reduction in the core melt frequency will be about 60%; if the common mode failure rate is not changed at all, but only the individual failure rates, then the core melt frequency is reduced by about 33%.) The failure rates of the DGs at Millstone 1 and 2 are reported as 0.0067 and 0.02 failures/demand respectively. The staff used an average value of 0.075 failures/demand for the Millstone 3 analysis based on a broader data base, noting that the diesel generators at Millstone 3 are of a different design than those at the other units. The failure rate is recognized as dependent on frequency of testing and possibly on other maintenance procedures as well as on the design of the generator. Based on the broad range of failure rates reported it should be possible to achieve a 50% reduction in core melt frequency by improving DG reliability at Millstone 3. Following the method of computation outlined above this should effect a reduction in risk of about 12 person-rems per year.
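The 60% and 33% figures quoted above can be cross-checked with a simple two-term model. The Python sketch below is an added illustration, not part of the staff analysis: it assumes the blackout-driven core melt frequency is proportional to the chance that both diesel generators are unavailable, split into an independent double failure term and a common mode term. The model and all function names are assumptions.

```python
"""Two-train diesel generator (DG) sensitivity sketch (illustrative only).

Assumed model, not the staff's: the blackout-driven core melt frequency is
proportional to P(both DGs unavailable), made up of
  - an independent part, which scales with the individual failure rate squared
  - a common mode part, which scales linearly with the common mode failure rate
"""


def remaining_fraction(indep_share, indiv_factor, common_factor):
    """Fraction of the base frequency left after scaling the failure rates.

    indep_share   -- share of the base frequency due to independent double failures
    indiv_factor  -- multiplier on each DG's individual failure rate (0.5 = halved)
    common_factor -- multiplier on the common mode failure rate (1.0 = unchanged)
    """
    if not 0.0 <= indep_share <= 1.0:
        raise ValueError("indep_share must be between 0 and 1")
    independent = indep_share * indiv_factor ** 2
    common = (1.0 - indep_share) * common_factor
    return independent + common


def implied_indep_share(reduction, indiv_factor, common_factor):
    """Solve remaining_fraction(share, ...) == 1 - reduction for share."""
    slope = indiv_factor ** 2 - common_factor
    if slope == 0:
        raise ValueError("both terms scale identically; share cannot be identified")
    share = ((1.0 - reduction) - common_factor) / slope
    if not 0.0 <= share <= 1.0:
        raise ValueError("quoted reduction is not reachable in this model")
    return share


def consistency_check():
    """Independent-failure share implied by each of the two quoted cases."""
    # Case A: individual and common mode rates both halved, about 60% reduction.
    share_a = implied_indep_share(0.60, indiv_factor=0.5, common_factor=0.5)
    # Case B: only individual rates halved, about 33% reduction.
    share_b = implied_indep_share(0.33, indiv_factor=0.5, common_factor=1.0)
    return share_a, share_b


if __name__ == "__main__":
    a, b = consistency_check()
    print(f"independent share implied by the 60% case: {a:.2f}")
    print(f"independent share implied by the 33% case: {b:.2f}")
    # Sweep the share to see how strongly common mode failures limit the benefit
    # of halving only the individual failure rates.
    for share in (0.2, 0.4, 0.6, 0.8):
        left = remaining_fraction(share, 0.5, 1.0)
        print(f"share={share:.1f}: reduction {100 * (1 - left):.0f}%")
```

Under this assumed model both quoted cases imply that roughly 40 to 44% of the blackout frequency comes from independent double failures, so the two figures are mutually consistent, and the common mode term caps what improved individual reliability alone can achieve.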

The DSRO review of station blackout related risks revealed some inconsistencies in the station operating procedures. Although the staff analysis assumed that all blackout procedures would be implemented, it was noted that the procedures had not been tested and some appeared unworkable.

For example, it is not clear how manual relief of secondary steam pressure from the control room can be accomplished under station blackout conditions; the procedures state that this should be done, but do not give the steps to accomplish it. (There are AC motor-operated valves in parallel with the atmospheric dump valves; this satisfies the requirement that cold shutdown be capable of being reached with the use of safety-grade equipment only. However, there is apparently no means of pressure relief, such as nitrogen bottles on the atmospheric dump valves, which is operable from the control room during station blackout conditions. Apparently local manual operation of the handwheels on the AC motor-operated valves is required.)

The base case assumes all steps in the procedures can be accomplished. The capability to control pressure in the secondary system is necessary to maintain the reactor in a depressurized cooled down condition. Otherwise, the primary coolant pump seal failure LOCA can not be totally avoided. Thus this one procedure must be workable to ensure that the benefit of shutdown in advance of storms can be realized.

The core melt frequency with all procedures implementable would be about 80% of the frequency attainable with the procedural deficiencies noted in the staff review. However, the benefit of reliable procedures should not be counted in addition to the benefit of shutdown in advance of storms since the benefit of shutdown in advance of storms is not achievable without all procedures implemented.

b. The potential impact on radiological exposure of facility employees. Also consider the effects on other onsite workers, due both to installation of procedural or hardware changes and to the effects of the changes, for the remaining life of the plant.

RESPONSE: Most of the work associated with the action is in areas of the facility having low radiation levels. The walkthrough would require an employee going to the location of the steam generator atmospheric dump valve and the steam admission valve for the auxiliary feedwater system. Access to these locations should result in very low exposures.

c. The installation and continuing costs associated with the backfit, including the cost of facility downtime or the cost of construction delay.

RESPONSE: The major cost in the action is the cost associated with increasing diesel generator reliability. The cost of increasing diesel generator reliability would include about one man month of professional time for an initial study and preparation of revised testing and maintenance procedures. DG testing involves about two manhours of time per test including recording and analysis of results. Thus as much as two additional man weeks per year might be expended in implementing revised procedures. Over the life of the station this would amount to about one and one half years of staff time. The total cost is estimated to be in the range of $165,000.

The other actions would involve initial costs but no continuing costs. The cost of adding the storm condition shutdown to the technical specifications would be limited to the cost of the license amendment since the procedure exists on a less formal basis. Reviewing DC loads, developing the load conservation program and revising the station procedures would require about two weeks of professional staff time with a cost of about $5,000. The station walkthrough with an allowance for subsequent revisions to the station blackout procedures would require about two weeks of staff time with the cost of about $5,000.

d. The estimated resource burden on the NRC associated with the proposed backfit, and the availability of such resources.

RESPONSE: Because of the extensive analysis of the station blackout issue at Millstone 3, very little additional staff burden will result from the proposed backfit. A license amendment will be required for the first action. This may require as much as 80 hours of staff time. The residents will review the other actions, which are updates and walkthrough of procedures. This should require no more than 74 hours of staff time. This time demand can be accommodated with existing resources.

6. A consideration of important qualitative factors bearing on the need for the backfit at the particular facility, such as but not limited to, operational trends, significant plant events, management effectiveness, or results of performance reports such as the Systematic Assessment of Licensee Performance.

RESPONSE: The Millstone site has experienced two long-duration losses of offsite power. The Millstone 3 Risk Evaluation Report (NUREG-1152) identified station blackout as the dominant contributor to core damage frequency from internal events. The Millstone 3 emergency power system meets all NRC regulatory requirements but with minimum margin. There are two emergency diesel generators at Millstone 3 with no diversity, electrical crossties, or additional emergency power sources, as are found at plants near high population density sites such as Indian Point and Zion. The unusual experience with extended loss of offsite power is due to the coastal location. High winds produce a salt spray which has fouled switchyard systems contributing to the blackouts.

7. A statement affirming appropriate interoffice coordination related to the proposed backfit and the plan for implementation.

RESPONSE: Coordination with other offices has been limited to discussions with the resident inspectors since this backfit action is plant specific and is limited to a single unit. These actions have been discussed to the extent that the residents understand the objectives of the actions.

8. The basis for requiring or permitting implementation on a particular schedule, including sufficient information to demonstrate that the schedules are realistic and provide adequate time for in-depth engineering, evaluation, design, procurement, installation, testing, development of operating procedures, and training of operators and other plant personnel as appropriate. For those plants with approved integrated schedules, the integrated scheduling process can be used for implementing this step and the following two procedural steps.

RESPONSE: NRC is asking the licensee to indicate the schedule by which the proposed steps could be accomplished. Because of the nature of the requirements, the actions should not impact the schedule of other activities at the station. There are few regulatory actions underway. The licensee has responded to previous NRC requirements. Therefore, it is expected that the licensee will propose a reasonable and realistic schedule.

Millstone 3 does not have an integrated schedule.

9. A schedule for staff actions involved in implementation and verification of implementation of the backfit, as appropriate.

RESPONSE: Because of the small staff resource requirement, the backfit does not require advance scheduling. It is expected that the staff would respond to applicant submittals in accordance with usual scheduling.

10. Importance of the proposed backfit considered in light of other safety related activities underway at the proposed facility.

RESPONSE: This action is viewed as relatively important in relation to other ongoing safety related activities at Millstone 3 because of the large reduction in risk it provides. However, it is expected that action of this backfit can be taken independently of other licensing activity at the station and therefore its implementation would not impact other ongoing safety related activities at Millstone 3.


MILLSTONE UNIT 3

REGULATORY ANALYSIS FOR IMPOSITION OF REQUIREMENTS TO REDUCE BLACKOUT INDUCED CORE MELT FREQUENCY

Statement of the Problem:

The Millstone 3 Risk Evaluation Report (NUREG-1152) identified station blackout as the dominant contributor to core damage frequency from internal events. The Millstone 3 emergency power system meets all NRC regulatory requirements but with minimum margin. There are two emergency diesel generators at Millstone 3 with no diversity, electrical cross-ties, or additional emergency power sources, as are found at plants near high population density sites such as Indian Point and Zion.

Millstone has experienced two long duration losses of offsite power which are factored into the risk assessment. The two events give the staff concern that actions should be taken to reduce core melt frequency.

Station blackout leading to a reactor coolant pump (RCP) seal LOCA is the largest contributor in the Draft Millstone 3 Risk Evaluation report (RER) to mean core damage frequency (staff estimates about 1 x 10^-4 per year). The staff estimated that station blackout contributes 50% of the core damage frequency due to internal events.

Station blackout is estimated by the staff in the RER to contribute about 30% of the societal dose due to internal events. Depending on the assumptions made, e.g., conditional probability of hydrogen burn, offsite power recovery rate, and de-inerting of the containment atmosphere, the estimated mean dose per reactor-year from station blackout out to 50 miles from the plant can range from approximately 2 to 60 person-rem. (The staff's central estimate out to 50 miles is about 7 person-rem per reactor-year). Out to 150 miles from the plant, the mean annual dose can range from about 8 to 200 person-rem. (The staff's central estimate out to 150 miles is about 26 person-rem per reactor year). While ordinarily CRAC calculations out to only 50 miles would be used in a backfit analysis value-impact assessment, New York City, its suburbs, and other densely populated areas lie beyond 50 miles but within 150 miles. This is significant because based on long-term overpressure failure of containment, staff CRAC calculations estimate that downwind whole-body doses of 5 rem or more are quite possible for individuals living more than 50 miles from the site.

The staff review, in the form of the draft risk evaluation report (RER) submitted to the licensee for comment in October 1985 and the "Regulatory Analysis on Reduction of Station Blackout Core Melt Frequency at Millstone 3" transmitted on December 18, 1985, included consideration of two measures which would result in significant reduction in the likelihood of core melt. The two measures providing the significant reduction involved installations of a gas turbine and an additional diesel generator.

The staff is withholding action on these recommendations pending resolution of USI A-44. In recognition of the relatively high blackout related core melt frequency, however, four interim measures are being proposed. These interim measures are changes to station operating procedures which have relatively high value/cost factors.

Objectives

The general objective of proposing the actions at this time is to ensure that station procedures will minimize the impact of severe accidents associated with station blackout by reducing the station blackout contribution to total core melt frequency and risk.

Alternatives

The following actions were considered for meeting the objective of reducing station blackout induced core melt frequency and risk.

(i) Amend the Unit 3 license to require that the unit start cooling down when a hurricane is expected. The action should be initiated early enough so that primary coolant temperature will be less than 350°F by the time wind velocity at the site reaches hurricane force.

(ii) Require adoption of maintenance and test procedures which improve diesel generator reliability.

(iii) Require procedures to include DC power conservation measures and specify the DC loads to be shed during station blackout to ensure extended DC battery life.

(iv) Require a walkthrough of station blackout operating procedures to ensure that they are workable.

(v) Take no action.

Consequences

Table 1 provides a summary of costs and benefits. The benefits are expressed as the ratio of the core melt frequency after the recommended action to the currently projected core melt frequency. The approximate reduction in exposure is based on the base case exposure due to blackout related core melt. This was estimated in the December 18, 1985, Regulatory Analysis to be 26 person-rem per reactor year out to 150 miles.

The estimated benefits and costs show a substantial increase in public health and safety. The costs are justified in view of the increased protection.

Costs and Benefits

Action 1 - Station blackout leading to a reactor coolant pump (RCP) seal LOCA is the largest contributor in the Draft Millstone 3 RER to mean core damage frequency. Seal failure will not occur if reactor coolant system temperature is below 350°F at the time of blackout. It is not possible to reduce temperature to this range under blackout conditions. However, it is possible to reduce temperature when there is ample warning that loss of offsite power, and thus blackout, is likely.

Table 1 Summary of Value/Impact Analysis

| Case | Relative Core Melt Frequency | Approximate Reduction in Exposure over Life of Station (person-rem) | Cost over Life of Station (dollars) |
|---|---|---|---|
| Base Case | 1 | | |
| w/ Storm shutdown | 0.8 | 0* | |
| w/ Improved DG reliability | 0.5 | 470 | 165K |
| w/ Shedding all non-essential DC loads | 0.9 | 100 | 5K |
| w/ Procedural Walkthrough** | 0.8 | | 5K |
| w/ All 4 actions | 0.4 | 430 | 175K |
| No action** | 1.1 | (-100) | 0 |

* In the text it is noted that a reduction of 200 person-rem can be realized by shutting down in advance of hurricanes. No credit is included in this table since the proposed action would merely incorporate the licensee practice as a license condition.

** Note that the staff risk assessment assumed the operating procedures would work. If deficiencies in station blackout procedures are not corrected then the base case underestimates blackout related core melt frequency by about 10%. See narrative.

Hurricanes and other high winds are the principal cause of extended loss of offsite power at Millstone.

If cooldown were achieved prior to loss of offsite power the RCP seal LOCA could be avoided and the annual core melt frequency could be reduced by about 20%. Using the earlier study value of mean annual risk of 26 person-rem within 150 miles of the plant, this would effect a reduction in exposure of about 5 person-rem per reactor year or about 200 person-rem during the remaining life of the station.

Millstone has a site hurricane action plan which includes consideration of shutting down under hurricane warning conditions. The proposed action would formalize the process and ensure that shutdown occurs when appropriate. The cost of this action, therefore, is minimal.

Action 2 - The low margin in the design of the emergency power system at Millstone 3 is reflected in the predicted frequency of station blackout. The probabilistic core melt models are sensitive to diesel generator reliability.

A reduction in the DG failure rate will result in an approximately proportional reduction in core melt frequency. The failure rates of the DGs at Millstone 1 and 2 are reported as 0.0067 and 0.02/demand, respectively. The staff used an average value of 0.025 failures/demand based on a broader data base.

The failure rate is recognized to be dependent on frequency of testing and possibly on other maintenance procedures as well as on the design of the diesel generator. Based on the broad range of failure rates reported it should be possible to achieve a 50% reduction in core melt frequency by improving DG reliability at Millstone 3.

As computed under Action 1, this should effect a reduction in risk of about 12 person-rem per reactor year.

The cost of increasing diesel generator reliability would include about 1 man month of professional time for the initial study and preparation of revised testing and maintenance procedures. DG testing involves about two man hours of time per test including recording and analysis of results. Thus as much as two additional man weeks per year might be expended in implementing revised procedures. Over the life of the station this would amount to about one and one half years of staff time. The total cost is expected to be about $165,000.

Action 3 - The capacity of the storage batteries influences the length of time for which cooling of the primary system can be provided after blackout and thus has some effect on the core melt frequency. During station blackout the batteries power safety equipment essential to shutdown and to maintain the station in hot standby condition. They also power DC loads of lesser reactor safety significance.

Blackout procedures call for shedding of non-essential loads. The DSRO review found that the loads to be shed have not yet been specified in the station operating procedures.

In commenting on the 12/18/85 Regulatory Analysis, the licensee acknowledged that additional conservation measures, such as stripping of additional DC loads and alternating the use of inverters on the batteries, could extend the battery life and thus the grace period.

Conservation measures should increase the probability of attaining an 8 hour battery life appreciably and should result in a probability of 0.45 that the station batteries would last as long as twelve hours. This should effect a reduction of about 10% in the core melt frequency.

The conservation measures are generally known but have not been incorporated in station procedures. There would be a modest cost for reviewing the DC loads, for developing the load conservation program and for revising the station procedures.

It is estimated that this would require a maximum of two weeks of professional staff time.

Action 4 - The DSRO review of station blackout related risks revealed some inconsistencies in operating procedures. Although the staff analysis assumed that all blackout procedures would be implemented, it was noted that the procedures had not been tested and it appeared that some were unworkable.

For example, the procedure for manual relief of secondary system pressure from the control room does not seem to be adequate during blackout conditions.

The base case assumes all steps in the procedures can be accomplished. The capability to control pressure in the secondary system is necessary to maintain the reactor in a depressurized cooled-down condition. Otherwise, the primary coolant pump seal failure LOCA can not be totally avoided. Thus this one procedure must be workable to ensure that the benefit of shutdown in advance of hurricanes can be realized.

The core melt frequency with all procedures implementable would be about 80% of the frequency attainable with the procedural deficiencies noted in the staff review. However, the benefit of reliable procedures should not be counted in addition to the benefit of Action 1.

The cost of the walkthrough with an allowance for subsequent revisions to the station blackout procedures should be approximately 2 man-weeks.

Cumulative Effect of All 4 Actions

The effects of the actions can not be added directly. As noted above, the fourth action must be taken to attain the frequency computed for the base case and would serve to ensure the full benefit of the first action. Thus, no cumulative credit is taken for this action. The 50% reduction in core melt frequency (CMF) from improved DG reliability is to be applied to the CMF after reduction by the storm shutdown option. Also, the base case assumed that shedding of non-essential loads from the batteries was accomplished.

If shutting down for storms were required, and station blackout procedures were improved with respect to ability to maintain the secondary side of SG's in a depressurized state, but no battery load shedding were performed, then the CMF would be 25% higher than if the battery shedding procedures were implemented. The result is that about a sixty per cent reduction in core melt frequency might be expected by taking the four actions.

No-Action Alternative

The staff analysis of core melt frequency assumed that the station procedures were valid and could be implemented. Actions 3 and 4 both would upgrade the procedures and ensure that they can be implemented.

If these two actions were not taken, there would be some risk that procedures would not be correct.

It is estimated that core melt frequency could be as much as ten percent higher than the base case due to procedural deficiencies.

Potential Safety Impact

The four proposed actions are revisions to station procedures which should be implementable without any negative safety impact.

Interim or Final Backfit

This backfit is considered interim by the staff. Upon resolution of USI A-44 the staff may consider more effective measures to upgrade the emergency power system at Millstone Unit 3.

Implementation

The licensee with participation by the staff will determine the schedule for implementation.