Text

.

Vj

~

9

,9

.h-

' ' Ej s

4.

a s

T'

~

LMarch14!1989

[ProjectNo.'675?

~

j

]4 Mr.: A. E. Scherer, Director Nuclear Licensing 1 Combustion Engineering 1000 Prospect Hill Road.-

Windsor, Connecticut 06095-0500

Dear Mr. Scherer:

SUBJECT:

. STAFF COMMENTS RELATED TO THE CESSAR-DC BASE LINE PRA Enclosed for your information and use are the staff's comments related to -

.the CESSAR-DC baseline PRA th'at was submitted by letter ' dated January 22, 1988.-

j

'These comments should be taken into consideration during the development of

~

1 the PRA for the CESSAR-DC design. We propose a meeting be set up between the

~

NRC and your staff to discuss these comments.

If you have any questions -

regardingthismatter,pleasecontactmeat(301)492-1120.

Sincerely,

/s/

{

Thomas J. Kenyon, Project Manager Standardization and Non-Power Reactor Project Directorate Division of Reactor Projects III, IV, V and Special Projects Office of Nuclear Peactor Regulation

Enclosure:

i As stated j

cc:

See next page DISTRIBUTION:

Ih

.{CentraM11ed E. Hylton B. Grimes l

NRC PDR OGC ACRS(10) h Reading E. Jordan M. A. Cunningham

,f E. S. Chelliah T. Xenyon i

C#

P PM P

A D:PDSNP

'y T

on:cw E

on CMiller Oft 3 34 /89 3//U/89 3

89 g

8903210414 090314 PDR PROJ 675A PNU

I

.]

" ng#e UNITED STATES k-NUCLEAR REGULATORY COMMISSION

.y

_ t; E

WASHINGTON, D C. 20655 j

e March 14, 1989'

%.Rg

.No. 675 q

a I

Mr. A. E.Scherer, Director Nuclear Licensing Combustion Engineering 1000 Prospect Hill Road Windsor, Connecticut 06095-0500

Dear Mr. Scherer:

1

SUBJECT:

STAFF COMMENTS RELATED TO 'THE CESSAR-DC BASE LINE PRA j

4 0

Enclosed for your information and use are the staff's comments related to the CESSAR-DC baseline PRA that was submitted by letter dated January 22, 1988.

y

.These comments should be taken into consideration during the development of j

the PRA for the CESSAR-DC design. We propose a meeting be set up between the NRC and your staff to discuss these comments.

If you have any questions i

regarding this matter, please contact me at (301) 492-1120.

)

1 j

Sincerely, 1

/

b--

Thomas J.

Project Manager Standardization and Non-Power Reactor Project Directorate

]

Division of Reactor Projects III, IV, Y and Special Projects 1

Office of Nuclear Reactor Regulation

Enclosure:

As stated cc: See next page l

Combustion Engineering, Inc.

Project No. 675 l

Advanced CESSAR

-cc:

Mr.~C. B. Brinkman, Manager Washington Nuclear Operations

. Combustion Engineering, Inc.

Tj 7910 Woodmont. Avenue, Suite 1310 Bethesda, Maryland 20814 1

Dr. Michael Green Manager of Licensing Combustion Engineering 1000 Prospect Hill Road Post Office Box 500' Windsor, Connecticut- 06095-0500, l

'I

.. a i

4

[

ENCLOSURE Review of CESSAR System 80 PRA 1.

INTRODUCTION The System 80 PRA is being performed by Combustion Engineering. (CE) in support of the DOE design verification program. The PRA effort is being performed in two phases.

Phase 1 is a level one PRA based on the current design and is limited to internal events and includes uncertainty analysis.

Phase 2 will be a level two PRA that includes CESSAR System 80+ design j

modifications and bounding analyses on external events.

This report focusses on the results of an overview type of review by Brookhaven National Laboratory (BNL) of the products of the phase 1 of the System 80 PRA (due to the minimal documentation, a detailed review was not possible) in preparation for the Phase 2 effort.

l 2.

INITIATING EVENTS A comparison of the initiating events (IEs) analyzed in the System 80 PRA with those analyzed in the SP-90 PSS, NUREG-1150 and IREP for Calvert Cliffs showed that some initiating events have not been modelled in the System 80 PRA.

They are listed in Table 1.

The following are some comments on the initiating event analysis, Interfacing Systems LOCA - A recent BNL study (NUREC/CR-5102) a.

identified that ISL through accumulators (safety injection tanks for system 80 design) is the most dominant ISL core damage scenario.

Such ISLs were not considered in the System 80 PRA.

The PRA only analyzed ISta through the LPSI injection lines and the shutdown cooling suction lines. There are also several apparent errors in the CE analysis.

First, the definition of valve failure rate was misinterpreted in the derivation.

Second, the frequency of ISL was needed while the derivation for the probability that an ISL occurs in 18 months was provided.

It is not correct to simply use 18 months in the equation. January 31, 1989

. - +..

j I

Third, the test requirements of the isolation valves were not reflected in the derivation.

8 b.

Loss of Secondary Cooling - This category includes nuclear cooling water system, essential cooling water system, HVAC system, and essential spray pond system. The nuclear cooling water system provides cooling to the charging pumps and the RCP seals.

It also supports the HVAC system.

It appears that loss of.the nuclear cooling water system may lead to a RCP seal LOCA and the safety injection systems may become unavailable due to loss of pump room cooling.

Furthermore, this system receives its power from a non-vital ac bus and therefore, a loss of offsite power would make it inoperable.

However, it appears that RCP seal LOCA is considered only in the station blackout event tree.

Plant Operational States - The System 80 PRA only considered c.

initiating events that occur when the reactor is operating at full power. A recent BNL study (RUREC/CR-5015) found that the core damage frequency of a PWR at shutdown is approximately 5x10-5 per year. The dominant contributor coming from incidents occurring while the reactor is in the mid-loop condition.

The Westinghouse Owners Group identified a scenario at mid-loop operation that could lead to core uncovery in less than an hour. Therefore, a core damage frequency assessment for shutdown operations would be an appropriate addition to the PRA.

d.

Loss of Offsite Power - The System 80 PRA has two initiating events related to loss of offsite power (LOOP), 1) station blackout in which both diesel generators are unavailable, and 2) loss of offsite power in which at least one diesel generator is available.

The frequency of the latter was taken to be the same as that of a LOOP.

It is not known how diesel generator failure is modelled for this initiating event to ensure that only one diesel generator is allowed to fail.

Otherwise, the station blackout scenario would be double counted. January 31, 1989

f., * ;.

t

-,1 In ' summary,' we believe: that CE should address the following:

1.

. Treatment of the sequences that could be postulated during the shutdown mode, start up mode, refueling-operation,'and low power operation mode, as applicable.

2.

Modelling adequacy of test and maintenance requirements, if they are established.

3.

Modelling adequacy of the dependency between the initiating event and the mitigating system unavailability.

_j

'3.

METHOD 01DGY In quantifying the accident sequences, the System 80 PRA did not use the-fault tree linking approach.

Instead, an approach that calculates the conditional system failure probabilities was used. The. approach appears to be l

equivalent to the fault tree linking approach, although this was not verified by the review. However, whether or not the implementation of the approach is i

easier is questionable.

It appears that for a sequence with N system failures, the approach requires linking the fault trees for the first N-1 systems.

Therefore,-the savings in computing effort may be insignificant and may consequently require a lot more manual manipulation. Another drawback of the j

approach is that it does not generate cutsets at the component level for the 1

core damage frequency calculation. Without such cutsets,.it is not known how uncertainty analysis can be performed to properly account for the shared components.

Therefore, we believe that CE should provide, for at least one sequence, the difference between the estimated frequency results based upon conditional l

system failure probability estimates, and the estimated frequency results based j

l upon a fault tree linking approach at the sequence level.

1 January 31, 1989 w _ __.. - _ - - _ _ _ _.

• i

'l

'n.

4.

SYSTEM ANALYSIS AND ACCIDENT SEQUENCE ANALYSIS l

.The most dominant'. core damage sequence identified in the System 80 PRA a.

is a loss of offsite power followed by failure of the auxiliary.

feedwater system and operator failure to deliver alternate feedwater.

't ~

-One reason that this sequence yields a high core damage frequency is i

that feed and bleed is not available.

It appears that offsite power recovery is not modelled, however, no documentation of the recovery l

model was provided.

j The initiating event for this sequence was defined as a IDOP with at least'one diesel generator operating, the auxiliary feedwater system of System 80 has two motor-driven auxiliary feedwater pumps and one turbine-driven auxiliary feedwater pump. One of the notar-driven pumps is non-seismic category I, and is not supported by a vital ac bus.

It was stated in the System 80 PRA that no credit was taken for the non-seismic category I pump in the unavailability analysis of the l

system but the non-seismic category I pump was considered in the EW restoration analysis. BNL is not aware of any EW restoration analysis under a LOOP initiating event.

Page 7-31 of the System 80 PRA lists the unavailabilities of the EW system under different-boundary conditions. The unavailability with recovery given a LOOP is 1.47x10-3 Again, it is not known what type of recovery was modelled.

It appears that the diesel generator that supports the seismic cate-gory I motor-driven auxiliary feedwater pump is assumed available.

It is not clear how its failure is modelled.

BNL believes that the modelling of recovery of ac power availability l

f' from the onsite and offsite power sources at various time intervals is important in order to realistically estimate the core damage frequency contribution due to loss of offsite power including the total loss of ac power event.

Accordingly, we believe that CE should document the impact of modelling the recovery of ac power at various time intervals on the core damage frequency results. January 31, 1989

7 7:

x l.

n.

e s

t It is also not clear that the' transfer sequence involving! station; blackout and the PSV (primary safety valve) event is modelled' consistently in the'small LOCA event tree to account for the fact that

. station blackout had occurred. Therefore, we believe that CE should

-verify.the modelling consistency of the mitigating system failure probability based on the initiating event and the nature'of prior l

events in the sequence.

If Using the initiating event frequency for.1DOP, system unavailability of EWS, and the human factor analysis for alternate secondary heat removal, we can recalculate the frequency of the sequence. The

~

initiating event frequency has a median value of 4.5x10-s/ year and an error factor of three. This yields a mean of 7x10-8/ year. The human error probability for failure to align system for alternate secondary heat removal.is 1.28x10-1 Therefore, the sequence frequency would j

j$

become 7.0x10 s/ year

• 1.47x10-3

• 1.28x10'1 = 1. 32x10- 8 / year. This is different from that shown in Table 8.1-2 of the System 80 PRA, i.e., 3.45x10-5/ year.

b.

The System 80 design does not have PORVs and therefore feed and bleed is not possible upon a transient with loss of secondary heat removal.

Credit was taken in the System 80 PRA for use of the; condensate pumps as an alternate feedwater system. This reduced the. frequency of those~

scenarios in which feed and bleed would have been needed.

In small lhCA and SGTR event trees, credit was taken for depressurizing the l

primary system by rapid secondary cooling within 15 minutes, and using the low pressure injection system. Therefore, we believe that CE should provide the supporting analyses which were used in the PRA for the timing and effectiveness of such mode of core cooling.

I I

c.

CE should provide copies of the system and/or sequence models (such as fault trees) which were used in the PRA.

d.

The section on human reliability analysis discusses various operator actions.

It is not possible to determine where in the event tree or January 31, 1989

3

,.c

,,u.

7,.'

' fault tree some of the operator actions' belong. Therefore, we believe that CE should provide clear and easily followed' documentation so that

.the reviewer would be able to determine where in the event tree or fault tree some of the operator actions are modelled.

t

e..CE should document the success criteria and mission times used for the various initiating events and the bases on which they were used in the PRA.

f.

A dependency matrix is shown in the System 80 PRA to display the train-level dependencies among the systems. It is not known if all dependencies in the matrix are consistently modelled. For example, the ESF pump room cooling was found to be a dominant contributor to the' unavailability.of the ESF systems. Room cooling is provided by.

the HVAC system that is supported by the essential cooling water system and nuclear cooling water system. These support systems also support the diesel generators, battery room cooling, shutdown cooling system, RCP seals cooling, and the charging pumps. The descriptions

. of the dominant core damage sequences do not provide information on the contribution of these support systems.

g.

The System 80 PRA described the model used to assess the

~

unavailability of the auxiliary feedwater actuation signal (AFAS) conditional on failure of the RPS. Modelling such dependent failures is an improvement over the typical PRA methodology.

It is not known from the available documentation if other ESFAS signals also share bistables with the RPS.

If other similar dependencies exist, CE should provide a similar analysis to the one noted herein, h.

CE should provide additional documentation regarding the modelling of steam generator tube ruptures to address the following comments:

1.

CESSAR System 80 PRA stated that the event tree for steam generator tube rupture applies to multiple tube ruptures in both steam generators. This is not true. The event tree and its quantification apply only to a single tube rupture in one steam January 31, 1989 j

L l

.__u_-- - - -

i L

3*

~

l

~

generator. The success criteria for safety systems would be different if multiple tube rupture in both steam generators were assumed.

For example, secondary heat removal would be unavailable due to the need to' isolate the steam generators.

2.

It is not clear if t!.e potential impact of the initiating event on the auxiliary feedwater system was'modelled.

For example, the steam generator that contains the ruptured tube may get overfilled

~

by the leakage from the primary side, and the overflow'to the main steam line may diaable the turbine driven pump.

3.

Transfer from the SGTR event tree to ATWS event tree does not account for the fact that the SG tube rupture may impact on the mitigation of the ATWS.

Failure to model such impact would lead to non-conservative results.

l Table 1 Initiating Events not Modelled in System.80 PRA 1.

Loss of 480-V ac bus.

l 2.

Interfacing systems LOCA through safety injection tanks (accumulators).

3.

Loss of d: bus.

4.

Loss of secondary cooling, e.g., nuclear cooling water system.

5.

Combination of IEs, e.g., steam generator ruptures induced by ATWS.

6.

Loss of instrument air. January 31, 1989 l

l L