ML20236F216

Forwards G Neils Transmitting Comments Re Resolution of USI A-45, Shutdown DHR Requirements. Ltr Should Be Placed in Generic Issue File Under USI A-45 in PDR
Person / Time
Issue date: 07/22/1987
From: Mazetis G
NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
To: Mcknight J
NRC OFFICE OF ADMINISTRATION & RESOURCES MANAGEMENT (ARM)
References
REF-GTECI-A-45, REF-GTECI-NI, TASK-A-45, TASK-OR NUDOCS 8708030258


Text

UNITED STATES

NUCLEAR REGULATORY COMMISSION

WASHINGTON, D.C. 20555

JUL 22 1987

MEMORANDUM FOR: James C. McKnight, Technical Information Assistance
Document Control Branch
Division of Information Support Services

FROM: Gerald R. Mazetis, Section Leader
Reactor and Plant Safety Issues Branch
Division of Reactor and Plant Systems

SUBJECT: LETTER FOR PLACEMENT IN THE PUBLIC DOCUMENT ROOM

We are providing a letter from Gerald Neils for placement in the Public Document Room (PDR). The enclosed letter transmits comments relative to the resolution of Unresolved Safety Issue (USI) A-45 on "Shutdown Decay Heat Removal Requirements." Please place the enclosed letter in the generic issue file under USI A-45.

Gerald R. Mazetis, Section Leader
Reactor and Plant Safety Issues Branch
Division of Reactor and Plant Systems

Enclosure:

Letter from Gerald Neils to Dr. David Ericson, Jr.

cc: (w/o enclosure)

T. Speis, B. Sheron, W. Minners, K. Kniel, A. Marchese

8708030258 070722 PDR GTECI GNIA-45 PDR

Northern States Power Company

414 Nicollet Mall, Minneapolis, Minnesota 55401
Telephone (612) 330-5500

Dr. David Ericson, Jr.

Sandia National Laboratories Albuquerque, NM 87185

Dear Dave:

The NUMARC Working Group on Decay Heat Removal appreciates the opportunity to provide you with review comments on the six case studies developed by Sandia in support of the NRC's USI A-45 Program on Shutdown Decay Heat Removal Requirements. The NUMARC Technical Subcommittee has designated DHR as an "active issue", and created a Working Group to study the issue and work cooperatively with the NRC toward its resolution. The Working Group is comprised of a highly qualified team of technical experts from ten different utilities. The Working Group membership represents every NSSS Owners Group, and every case study plant analyzed by the A-45 program. Two members of your Decay Heat Removal Technical Support Group (DHRTSG) are members of the Working Group.

We have conducted a reasonably thorough review of most sections of the six case studies. Our comments have been developed around a prior review of drafts of the first two case studies, conducted by EPRI in February 1986. Other industry comments have been incorporated in our letter.

Our principal observation on these case studies is that they present a very conservative bounding estimate of DHR risk for the sequences studied. The scope of analysis is considered sufficiently comprehensive for the purpose of evaluating DHR risk and the value of the modification of primary interest to the NRC: the Dedicated Decay Heat Removal System. We believe the case studies have demonstrated with very high confidence that a Dedicated DHR System is not cost effective. Recognition of the conservatism in the studies adds additional support to the already wide margin of confidence in this conclusion.

This conclusion is not surprising. It is consistent with numerous recent studies of severe accident risk, and is consistent with the Commission's Severe Accident Policy Statement, which concluded that costly generic backfits are not justified to address severe accident risks. Your case studies have reverified that conclusion.

Dr. David Ericson, Jr.

June 22, 1987

Page 2

In the course of our review, we noted that some industry comments provided to you in early 1986 have been addressed. In particular, "Alternative Value Impact" was deleted, some additional recovery actions were considered in the internal analyses, and excessive conservatism in the containment failure analysis was reduced in the case of PWR large dry containments. We appreciate the fact that a lack of resources may have limited your ability to address more of the industry comments.

Our technical comments on the case studies are organized into five enclosures as noted below. Some important highlights and insights from our technical review are summarized here:

1. The analysis assumptions, data, and methods remain overly conservative. Insufficient consideration is given to all the levels of defense-in-depth inherent in the plant designs and procedures. In particular, the effective use of non-safety systems, and alternative sources of power and water are not properly credited. Operator recovery actions, particularly when addressed in emergency procedures, are not properly credited. Initiator frequencies and component failure data are very conservative, as are system success criteria.

2. The "external event" analyses are particularly unrealistic. No substantive changes are apparent in the external analyses since the prior case study drafts, and numerous problems with models, assumptions and data need correcting. Many of the external event models (e.g., fire, flood, wind, and lightning) appear to make incredible assumptions and presume irresponsible behavior on the part of plant management. Virtually no consideration is given for any recovery action by plant operators. As you know, these concerns were expressed over one year ago during reviews of the first three draft reports. The case studies have concluded that on the average, these external event sequences contribute almost 60% to overall DHR risk. Our review concludes that the external event analyses fail to demonstrate that level of risk.

3. The containment failure and consequence analyses remain conservative. We believe that the effective application of newer severe accident methods and source term technology would improve the usefulness of the case studies.

4. The case studies demonstrate that no fixes are cost beneficial. That conclusion is demonstrated with high confidence for the Dedicated System, but with less confidence for less expensive improvements. The case studies made worst case assumptions in order to "bound the problem". Bounding models are properly used when it is adequate to show risk below a maximum value, and when it is difficult to calculate a more precise number. Thus, a simplified, bounding model can be used to show no need for action. However, a bounding model should not be used to justify action. A model which overstates risk also overstates the effect of each contributor to risk. This overstates the benefit when a contributor to risk is eliminated, and inflates the value terms of the value-impact analyses. A more realistic model is needed to justify changes via value-impact analysis. For these reasons, the case studies should be considered a sufficient demonstration that the dedicated DHR system is not an appropriate modification.

5. We recommend that these case studies not be used for final regulatory decisions on these less expensive proposed modifications. (We do recognize the usefulness of the insights gained from your analyses of less expensive modifications, despite their lack of cost-effectiveness.) This recommendation is made for four reasons:
a. The overly conservative nature of the case studies was well-suited to evaluating the appropriateness of the Dedicated DHR System, but not well-suited for evaluating the appropriateness of more practical modifications that must be analyzed carefully and realistically. In general, we believe that many of the vulnerabilities identified by Sandia can be addressed more effectively by correcting the root cause of the problem, instead of improving the probability of success by adding more redundant equipment.
b. The practice of grouping large numbers of fixes into a "batch alternative" for purposes of value-impact analysis tends to obscure the value of proposals that could be potentially useful.
c. These less expensive modifications are very plant specific. A decision to implement any DHR modifications would need to be preceded by a plant specific study, such as the systematic assessment required pursuant to the Severe Accident Policy Statement. Such a study, if it identifies similar vulnerabilities, should examine appropriate fixes individually.
d. We recognize that some practical improvements to DHR system reliability and performance are appropriate, despite the case study calculations that show the evaluated alternatives cannot be justified on a cost-benefit basis. Some practical improvements probably could be justified if they were evaluated incrementally using best-estimate methods. Other practical improvements could be justified by utilities if they considered factors other than protecting public health and safety, such as protecting equipment, ease of operations, plant availability, and investment for plant life extension. These factors are outside the purview of NRC regulatory responsibility, and are not germane to the A-45 program.

6. The case studies include little of the data, problem areas, insights, and conclusions from operating experience analysis of DHR systems, as conducted by AEOD, INPO, and EPRI. Use of these resources would have added valuable insight to your research. In fact, we believe that modifications to plant equipment and procedures, made as a result of operating experience analysis since TMI, have already eliminated much of the risk that was perceived to exist when the A-45 program began.
7. The case studies do not treat the "RHR Phase" identified in the NRC's A-45 Task Action Plan. We believe that cold shutdown is an important consideration in overall DHR performance.
8. The discussion in Chapter 7 of "Non-Quantifiable Benefits of DHR Modifications" is overly speculative and does not contribute to your technical analyses. Similarly, some of the conclusions in the final chapter appear to overstate the marginal benefits of the proposed modifications.

In order to better assess the DHR risk at a selected case study plant using best estimate risk assessment methods, a reanalysis of the Point Beach Case Study has been conducted. That study, sponsored by EPRI, the Westinghouse Owners Group (WOG), and Wisconsin Electric Power concluded that core melt risk was about ten times lower, offsite consequences about three times lower, and plant improvement costs about two times higher than presented in the Point Beach Case Study. The study is complete, and a final draft is being reviewed by WOG, Wisconsin Electric Power, and our NUMARC Working Group.

Despite the analyses' conservatism and the significant problems with the external event approach, we believe the case studies have made a useful contribution to the resolution of A-45. From your research, we have gained the following insights:

1. Further confirmation that expensive hardware backfits are not cost-effective.
2. Further confirmation of the importance of reliable AC power, and the need to achieve an effective resolution of the Station Blackout issue. (The NUMARC Working Group on SBO is working with NRC to this end.)
3. Further confirmation of the importance of support systems, backup water and power sources, and effective plans for their use in emergencies.
4. Further confirmation that risk and corrective actions are very plant specific.
5. Greater appreciation for the need to address the A-45 issue in the context of the Severe Accident Policy. We believe the Individual Plant Evaluations (IPEs) or the plant specific PRAs required to assess plant specific vulnerabilities by that policy, will encompass the areas of potential DHR vulnerability identified by your case studies. These PRAs and IPEs will allow for incremental, individual evaluation of potential improvements at all plants.

In addition to the Severe Accident Policy Statement evaluations, we note that other regulatory programs are addressing individually many of the sources of risk highlighted by the case studies. These include A-44 (Station Blackout), A-46 (Seismic Qualification of Equipment), Seismic Margins Programs, and Appendix R (Fire Protection). Implementation of these will further obviate the need for additional requirements from the A-45 program. Further, it appears that these programs will be completed, and most of their plant specific implementations will be near completion, before regulatory requirements from the A-45 program could be established.

Again our working group appreciated the opportunity to review your research, and we look forward to the opportunity to discuss your case studies with the NRC staff.

Sincerely yours,

Gerald Neils, Chairman
NUMARC Working Group on DHR

GN/jph 3862NS7

Enclosures:

1. Comments on "Internal Analysis" (Chapter 2)
2. Comments on "External Analysis" (Chapter 3)
3. Comments on the Dedicated DHR System and Alternative Selection (Chapters 4-6)
4. Comments on Alternative Value Analysis, Uncertainty, and "Non-Quantifiable Values" (Chapters 7 and 8)
5. Comments on Value-Impact Analysis (Chapter 9)

cc: NUMARC Working Group Members
Themis Speis, NRC
Andrew Marchese, NRC
David Ward, ACRS
Brian Sheron, NRC
Karl Kneil, NRC

ENCLOSURE 1

COMMENTS ON "INTERNAL ANALYSIS"

This enclosure addresses the Chapter 2 analysis, and includes some points on cost-benefit analysis that relate directly to the alternatives proposed in Chapter 2. Also, many of the comments in this enclosure apply equally to "external analysis" (Chapter 3).

1. A number of accident sequences that are analyzed as major contributors to plant risk contain errors in sequence modeling that individually contribute a significant amount to an incorrect overall core melt probability, even before recovery. These modeling errors typically involved an assumed concurrent loss of offsite power or loss of the Power Conversion System (PCS) that probably would not occur.
a. In all PWR and BWR sequences involving a small break loss of coolant accident (SBLOCA), the PCS is assumed to fail with a probability of one. Assuming a safety injection signal and plant trip, any plant with motor driven feedwater pumps normally will either not lose PCS, or lose it only momentarily. If motor driven feedwater pumps are isolated, they can be restored quickly, since offsite power is available. For BWRs, the condenser normally would not be lost during a SBLOCA.
b. In all PWR sequences involving a "transient induced LOCA" (typically scrams without loss of offsite power or without loss of feedwater) a Power Operated Relief Valve (PORV) or Safety Relief Valve (SRV) is assumed to be challenged with a probability of one (~7 times per year), and then fail to shut 7% of the time. Both analyses and operating experience show that a PORV is rarely if ever challenged following a scram. Even if the PORV is blocked, a normal scram will not challenge the SRVs. Thus, most sequences involving core melt due to stuck open PORV or SRV would not even occur.

3997NS85d 1-1

c. A loss of a single AC bus is assumed to cause a loss of PCS with a probability of one. In some of these sequences, it is not obvious that the loss of the bus will cause either a transient (scram) or the loss of PCS. For example, at Quad Cities, the loss of 4160 Bus 14-1 is assumed to cause a scram with a probability of one and a loss of PCS (non-recoverable) with a probability of one, neither of which is expected to occur. At Cooper, the loss of 4160 Bus 1F is assumed to cause a scram with a probability of one and a loss of PCS (non-recoverable) with a probability of one. While a scram could occur, such a result is dependent on operational code and configuration. Loss of PCS is not anticipated. Both of these sequences are evaluated as the top internal risk. In reality, it is unlikely that these bus failures would begin to initiate the sequences described.

2. A major comment on the internal analysis sections is that plant operators are still given insufficient credit for effectively utilizing all available equipment, and for recovering failed equipment in a reasonable period of time. This low probability of recovery enters the analysis via a number of conservative assumptions about what equipment can be used to handle a casualty, what operators can be expected to do, and what success criteria should be imposed. It also enters the analysis in many cases because the limited scope of the model did not permit consideration of a variety of recovery options. The final case studies did give more consideration for recovery actions than the 1985 drafts of the first two case studies. Nevertheless, this area remains a source of significant conservatism.

a. The scope of these case studies is limited with respect to the complete use of plant systems to prevent core damage or to mitigate consequences. This directly affects the type of plant modifications which can be proposed. Most proposed modifications add additional safety grade redundancy to safety systems because in general the models consider only safety grade systems and their redundancy. Some examples of capabilities not considered or given adequate credit include:

  • Interties and cross-connections between injection systems, RHR systems, and feedwater systems, with service water, fire mains, second unit systems, and other alternative sources of cooling. Where use of these systems is now considered, the case studies assign a probability of success that is very pessimistic, and out-of-line with other recent PRAs.

  • Electrical interties between existing AC and DC buses, or electrical ties to a second unit.

  • Alternate makeup water sources available on-site, in addition to the initial contents of CSTs, RWSTs, etc. Examples of alternate makeup sources include makeup water or demineralized water storage systems, spent fuel pools, secondary makeup from on-site wells, portable local supplies, and even condenser cooling water that could be used in steam generators in an emergency (some condenser cooling water sources are relatively pure, such as Lake Michigan at Point Beach). At Cooper, the RHR pump suction can be aligned to the external condensate storage tank. In the amount of time it takes to use up the primary makeup sources, these alternative sources of water usually could be hooked up or trucked in. Also, the CST and RWST is assumed to be instantaneously empty following any damage to it, so its contents cannot be used.
  • Portable equipment such as emergency generators, portable battery chargers, portable fans, portable air compressors, etc.
  • Non-safety grade systems with significant reliability and DHR capacity. Such systems include: CVCS, Main Feedwater, Control Rod Drive Cooling, Reactor Water Cleanup, etc. Failure to credit charging pumps is a major source of conservatism in all PWR studies.

Proper credit for main feedwater (both initial availability and reasonable probability of recovery) is important in these case studies because some of the six plants (e.g., Point Beach, Quad Cities) have motor driven main feedwater pumps, which have higher reliability and availability than turbine-driven pumps. In a few sequences in studies on plants with motor-driven MFW, the entire MFW system still is assumed to be lost permanently after a plant trip. This assumption is not supported by plant operating practices and data.

Some of the above systems may not have sufficient capacity to handle all decay heat immediately after a plant scram from 100% power, but they all can contribute significantly to DHR, and can postpone and often preclude the onset of core damage. A prime example of this is injection flow from the control rod drive (CRD) pumps at Quad Cities and Cooper. Pages 7-10 (QC) and 7-7 (Cooper) state that no credit was given for the CRD system. In fact, CRD flow may be sufficient for DHR, even shortly after a scram. This capability is recognized as part of the Emergency Operating Procedure (EOP) Guidelines which have been reviewed and approved by NRC. Use of the standby CRD pump and maximizing CRD flow is addressed procedurally for vessel level emergencies. If flow is not quite adequate, then the small difference in CRD flow and boil-off rate, in combination with existing reactor vessel inventory, will delay core uncovery for a significant period of time, permitting more opportunity for recovery of other injection systems.

  • Recovery of the main condenser as a heat sink also is not credited adequately. (High non-recovery probability of 0.16 after 24 hours is not supported.) Condenser recovery is a high priority action, especially on BWRs, because it terminates suppression pool heatup and eliminates a potential challenge to containment.

  • All equipment (safety grade and non-safety grade) has a significant likelihood for success (at least for short periods of time) when operated beyond its design basis, or vendor guaranteed performance limits. For example, pumps can operate for a short interval if room cooling is lost, and for an extended interval if appropriate ventilation measures are taken (as simple as opening doors). A pump does not fail as soon as room temperature exceeds the manufacturer's recommended limit. FSAR or Tech. Spec. qualification requirements are conservative limits intended to assure the full operability of safety equipment with great certainty. Operating that equipment outside those limits does not imply immediate failure.

  • The Point Beach case study observes that the gas turbine generator at Point Beach is the diesel generator backup but it is not a safety system and thus it is not considered appropriate to recommend improving its reliability. This premise is disturbing because it assumes even if the reliability of a non-safety system can be improved, and doing so improves safety and reduces risk, PRA should not credit such improvements.

b. Many core damage sequences give little credit to the operator for terminating and recovering from an event. Tables in Appendix B that show probability for certain recovery actions after designated action periods are often unused in the real analysis, where most recovery actions generally are not credited. In comparison to the detailed modelling and analysis of plant hardware, little detailed analysis is done of plant operations, and the training and procedures that support it. The lack of detailed analysis of operator actions seems to preclude the option of improving procedures as an alternative to adding hardware. PRAs with detailed assessments of operator actions often indicate that procedural changes are the most effective, and surely most cost-effective, means to assure adequate safety. Other specific comments relative to the case studies' treatment of human error and recovery actions follow:

  • The probability for recovering an emergency diesel generator after failure to start is typically assumed to be zero, despite discussions of recovery analysis that seem to indicate recovery is considered. An example of this is found in the Quad Cities study. The largest cutset (10^-5 CMF) in sequence T1YZE assumes a loss of offsite power and a failure of EDG #1 and EDG #1-2. Core melt is assumed to occur conservatively after four hours. Recovery of offsite power is credited, but recovery of either of the EDGs is not considered possible.

  • The probability of failing to recover from a loss of offsite power within four hours is assumed to be 0.1. This recovery probability agrees generally with data presented in NSAC 103. However, the actual experience with longer losses of offsite power is very revealing. All losses of offsite power greater than one hour (15 in U.S. reactor history) are discussed in detail in NSAC 103. Every loss greater than four hours is ten or more years old, except one during Hurricane Gloria in 1985. The affected plants in that event were shutdown in advance of peak storm conditions. Recurrence of all the older events of greater than four hours duration have been precluded by positive design modifications.

  • It is not appropriate for a particular core damage sequence in which a critical operator error or failure to act is the major contribution to risk, to rely exclusively on a number for this probability from a generic human factors handbook. The specific training on that scenario, the specific guidance to deal with that situation in plant procedures, and the past historical performance in the same or very similar situations should be used in assessing operator response. These case studies do not do this. They give little consideration for the new emergency procedures at the plants. In cases where adequate training and procedures have been provided, it is inappropriate to penalize the operator arbitrarily with a factor of five multiplier on his error rate due to "stress" (e.g., failure to initiate "secondary blowdown"). Recognition of the existence of a problem (alerting the operator) is more likely to improve performance than to degrade it, if the operator has been trained properly.

  • Failed components can be recovered or at least accommodated. The long time periods associated with most DHR sequences make recovery likely, even if recovery requires some repair or simple replacement of equipment. Often a failed component will function properly when tried a second time. Also, a failed component does not necessarily have to be repaired for a function to be restored. Motor operated valves can be operated manually, circuits can be bypassed, battery cells jumpered, non-essential battery loads stripped, etc. Turbine-driven pumps and some diesel generators can be started manually without DC power.

  • Motor operated valves often can be repositioned from the control room if they fail to actuate automatically. If they cannot be operated remotely, they can be operated locally. "Local faults" can be overridden or repaired. At Cooper, the failure of certain valves in the RBCCW and RBSW systems to operate automatically (often due to "local faults") contributed about 1.5 x 10^-4 to core melt frequency (over 50% of the internal risk). The analysis generally assumed no operator action to position these valves properly (remote or local manual operation), and no possibility of recovery from failure of automatic valve operation (even when four hours was deemed available). Over one million dollars for adding redundant or automatic valves was proposed, without evaluating the root cause or reason for automatic valve malfunction.

  • Equipment can be operated locally or at alternate control locations (e.g., BWR ADS). Also equipment does not fail simply because automatic control is lost. For example, BWR case studies assume HPCI fails as soon as 125 VDC control power is lost. PWR case studies assume that AFW fails as soon as 125 VDC control power is lost, and that operators cannot feed a steam generator without level indication. No consideration is given for local control and indirect means of monitoring equipment performance. Also, a single integrated remote shutdown panel outside the control room is not the only alternative to all control room failures. Full access to plant structures and systems prior to or during early non-radioactive release sequences further improves the likelihood of successful local control and recovery.

  • An error, once committed, can be reversed and recovered. Most often this happens immediately after committing the error because the operator typically is required by the procedure he was using to verify that the expected or desired response resulted. Thus, if the wrong pump is started or the wrong valve opened, the operator will usually observe and correct that error promptly. If not, symptom oriented procedures should guide operators through a series of critical safety functions to find and correct problems.

  • Equipment failures and operator errors can be detected and rectified faster than the assumed recognition and response times in the reports, especially if the plant operators have had specific training on that recovery action, and plant procedures support the prompt recognition and correction of the problem. For example, the Quad Cities case study assumes that the probability that operators will vent containment and start the safe shutdown pump for injection within 4 hours is only 20%. Cooper is assumed to conduct the same task with the diesel driven fire pump with only a 40% probability. Other recent PRAs have determined that the probability of venting containment should be much higher than the case study assumption.

  • The case studies place a great deal of emphasis on time as an important variable for recovery probability. While this may be consistent with current practice, very little consideration is given for other more important variables (training, procedures, control room indications, experience level). Many failures can be prevented entirely by early operator recognition of abnormal operation (e.g., opening doors to rooms with elevated temperatures, shifting to an alternate pump when high temperature, leakage, or vibration problems are noted, etc.).

  • The dominant internal event accident sequence at Point Beach is a small LOCA and failure of ECC recirculation. Because this sequence does not include utilizing existing systems to their full capability, no consideration is given to allowing the operator to cool down and depressurize the primary system using the auxiliary feedwater system and the turbine bypass valves or ASDVs (secondary depressurization). Procedures direct operators to depressurize the primary system and limit leakage out the break. Plant cooldown is a much more desirable option than ECC recirculation. Failure to consider secondary depressurization, in combination with the excessive frequency assumed for PWR SBLOCAs (see comment 3a and 3b, below), creates the incorrect assumption that sump recirculation is demanded twice a year industry-wide for PWRs. In reality, sump recirculation has never been demanded on a U.S. PWR.

  • The studies assume that control room operators are capable of performing only one recovery action (or sometimes only one action in two hours). This assumption is inconsistent with industry and NRC policy on operator training and emergency procedure guidelines, in the sense that training and procedures were developed with the expectation that operators are capable of performing all the actions in these NRC-approved emergency procedures. Another inconsistency created by this assumption is the fact that the case studies do not give credit for a second or third recovery action that already is specified in plant procedures, yet do give credit for a second or third recovery action if that action is proposed by Sandia as a fix. The restriction to one recovery action is unrealistic, illogical, and should be removed from the studies.

  • An incorrect impression is given by the case study presentation of operator recovery actions, by listing time dependent non-recovery probabilities for a broad range of sequences. In actuality most of the recoveries listed in Appendix B are never credited, because of the artificial prohibition on allowing the operator to perform more than one recovery action.

c. Much conservatism has been built into the analysis via assumptions with respect to sequence selection and success criteria. In general, FSAR-type success criteria were used which do not represent a best-estimate of real performance capabilities and limitations. Some specific examples of conservative criteria include:

  • EDG success criteria are based on LBLOCA quick start FSAR criteria, not the real requirements of the sequence being evaluated.
  • Closure of a component cooling water (CCW) valve to an RHR pump cooler at Point Beach is assumed to fail the entire RHR system and melt the core. In the EPRI/WOG reanalysis, we found that CCW is not required for injection, and probably not required for recirculation.
  • Two of two RHR pump trains are assumed required for SBLOCA.

  • Containment cooling system success criteria appear to be based on heat loads greater than a 2" break.
  • Two of two PORVs are required for 'successful' feed and bleed (it appears that one would be adequate in most situations at most plants with adequate injection, if best-estimate analyses are conducted).
  • Two of two ASDVs are required for 'successful' secondary blowdown (one would be adequate soon after shutdown).

  • Failure of pressurizer safety valves to open or to reshut appears to be based on the assumption that both PORVs are blocked. This appears to contribute to an excessive frequency of stuck open SRVs in sequences such as LOSP for which SRVs would not be challenged because the PORV would actuate first. In sequences not involving LOSP, such as a typical PWR scram, neither the PORV nor the SRV would be challenged, absent some other failure.
  • Two out of three emergency diesel generators at Quad Cities are assumed required to remove decay heat. This assumption is overly conservative. Any EDG at Quad Cities can be switched manually to either unit. Commonwealth Edison has studied this question carefully and has determined that one EDG has sufficient capacity to handle the necessary loads (including room cooling), and to hold suppression pool temperature below limits on both units.

  • All accidents initiated by losses of off-site power and special emergencies are assumed to be coupled so that a melt at one unit implies a melt at the other. This success criterion is overly conservative for some special emergencies, such as internal flooding. It is also overly conservative for LOSP events at Quad Cities because of the two out of three EDG criteria discussed above. The model first appears to assume that one out of three EDGs at Quad Cities can save only one of the two plants, then changes that position by assuming that less than two EDGs will lead to core melt on both units.

  • Most success criteria only consider safety grade equipment operating in standard modes. Thus, RWCU and CRD pumps are not modelled as sources of makeup, portable equipment is not modeled, etc.

  • BWR pool temperature limits and room temperature limits are unduly conservative. HPCI, RCIC, and LPCI pumps have been demonstrated to operate at elevated temperatures higher than the FSAR success criteria. We believe that elevated pool temperature effects on pool structures no longer should be a regulatory issue, due to modifications that have been implemented. Failure of high pressure injection after four hours due to loss of service water for room cooling is conservative. Other means of room cooling can be provided. For the Cooper analysis, failure of HPCI was assumed after only 20 minutes in some sequences.

The close linkage between DHR failure, ECCS failure, core melt, and containment failure is inappropriate. DHR failure does not lead directly to either core melt or containment failure without the failure of a number of contingency options. Likewise, containment failure or torus failure does not necessarily result in DHR failure or ECCS failure (e.g., for QC, FSAR pool temperature limits are not valid, external connections can be made to the RHRS, etc.). Thus, a one-to-one correspondence between containment and core melt failure should not be assumed.

  • The case studies assume that the point in a sequence at which fuel begins to uncover is the point of no return, and that the severe consequences modelled later in the report (containment failure, large source terms) will occur with a probability of one as soon as core uncovery begins. This is not correct, since the post-uncovery restoration of AC power, injection systems, cooling systems, containment cooling systems, etc., can prevent or significantly reduce the consequences. NUREG-1150 showed a risk reduction of 25% from recoveries after the start of core melt.

In summary, for analysis of events beyond the design basis, we believe that it is preferable to use the best estimates available for analysis assumptions, models, and methodology. If additional safety margin is needed to account for uncertainty, it should be added at the end of the analysis.

3. Some assumed initiator frequencies probably are too high. Specific examples of initiator frequencies that we question are:
a. .02 for small break LOCAs per reactor year. Two SBLOCAs per year industry-wide is not consistent with industry experience.
b. .011 for transient-induced SBLOCAs per reactor year, caused by stuck open safety valves and PORVs. This is not consistent with industry experience.
c. The assumed frequency for LOSP is generally consistent with data given in NSAC-103. However, NSAC-103 includes all LOSP data from all causes, including all external events. To predict a LOSP frequency in Chapter 2 of the Case Studies equivalent to NSAC-103, and then add to that risk the seismic, fire, flood, wind, and lightning induced LOSP risk from Chapter 3 is "double-counting."

d. 7.1 transients per year in addition to those involving LOSP or LOFW is above the current industry average by at least a factor of two. Scram reduction efforts have lowered the transient initiator frequency considerably.

4. Some component failure data are too conservative.

a. Emergency diesel unreliability is assumed to be 3.8E-2. NSAC has conducted an exhaustive study of EDG reliability for the years 1983, 1984, and 1985, and has reported the results in NSAC Report 108. In that report, overall EDG unreliability for all EDGs has been 1.4E-2 for all starts, and 2.2E-2 for unplanned demands only. NRC, Brookhaven, and Oak Ridge National Lab studies agree with the NSAC results. Thus, the case study's assumed failure rate is 2-3 times more conservative than the operating data for a single EDG, and 7-10 times more conservative than the operating data for the independent failure of two EDGs, which is the necessary condition for most accident sequences involving EDG failure causing core melt.

b. Single battery failures are assumed to occur with a probability of 1.8E-3. Based on other recent PRAs, this appears to be about a factor of 10 too high.

c. Common mode failure of batteries typically is assumed to be 4.4E-4 (9.6E-4 assumed at Point Beach). Other recent studies of these sequences, such as NUREG-1150, assign a frequency for common mode battery failure about 10 times lower.

5. The common mode failures of pumps and valves are evaluated as major contributors to risk. At Point Beach, they combine to form the highest contributor to core melt frequency in the internal analysis, contributing almost 4 x 10^-5 cm/r-yr. All common mode failures were assumed to be irrecoverable, yet no modifications were proposed since it was unclear what the root causes really were and how to alleviate them. Other examples of common mode failures which were considered irrecoverable in all case studies include common mode failure of batteries and emergency diesels. Following are some observations:

a. When applying generic β factors to a plant specific analysis, non-applicable contributions should first be screened out. The following guidance is from "Classification and Analysis of Reactor Operating Experience Involving Dependent Events" (EPRI-NP-3967, June 1985, page 5-4):

"Whenever possible, however, it is highly recommended that plant specific and design-specific common cause parameter estimates be developed. This requires an event-by-event screening... The analysis...shows that design specific and mission specific considerations can give rise to substantial variations in common cause parameter values about these generic and average values."

Such screening can also assist in identifying root causes and how to alleviate them.

b. Common cause sequences should be studied further to meet the case study objective: "...to identify those vulnerabilities which contribute something over 80% of the total SDHR core melt probability and then address possible modifications to reduce or eliminate them" (page 2-5). The root cause of common mode and common cause failures often can be identified and corrected without adding more diverse or redundant systems. Analyses of operating experience and an evaluation of performance of existing systems will be necessary to achieve this objective.

c. The case studies have extrapolated from β factors for the component or system involved by assuming that every common cause failure of a pump or valve is irrecoverable. This approach should be modified to include a probability for recovery.

AEOD's Case Study Report C504 on "Loss of Safety System Function Events" identifies 133 such losses between 1981 and June 1984. Sixty-five percent of the total were personnel errors. Most of the events were common cause failures due to pumps and valves. No event resulted in core melt. Of the 97 events for which event duration was reported, over 50% were recovered in the first hour, and over 75% were recovered in less than 8 hours. One would expect even more favorable statistics if rapid recovery had been essential to reactor safety. The A-45 assumption that common mode failures cannot be recovered prior to core melt shows how an analysis can diverge from reality if it does not give sufficient weight to operating experience analysis.

d. In general, most case studies chose not to propose modifications for CMF. However, the last alternative (the Dedicated DHR System) is in effect the proposed modification, because the Dedicated DHR system is considered to eliminate common cause failures as a source of core melt. Thus, the conservative case study analysis of common mode failures inflates the core melt frequency (because CMF recovery is not allowed), and thus inflates the off-site averted dose and the on-site averted cost calculations for the Dedicated System.

6. There are limited options available within the sets of proposed alternatives. The choice to lump a number of modifications into one alternative rather than to evaluate a number of individual fixes amplifies the problem and obscures the value of individual fixes.

The methods for performing value impact analysis are detailed in their attempts to assure that all values and impacts are identified. However, the methods are not nearly as rigorous for assuring that once a set of plant modifications has been identified, it is evaluated and selected properly.

a. After performing a relatively detailed assessment of specific plant vulnerabilities and corresponding modifications, the modifications appear to be grouped arbitrarily for evaluation. We believe it is appropriate to consider each modification individually to obtain additional insights into how plant safety can be improved on a cost effective basis.

  • One of the most important aspects of value impact analysis is determining the appropriate value for various modifications. Often implementing one modification will reduce or even eliminate the value of another. Modifications should be evaluated in an incremental manner and in an integrated manner.

b. As an example of the problem of grouping individual fixes into larger "batch-alternatives", consider the least expensive fix at Point Beach. In the Point Beach Case study, one of the two largest contributors to core melt frequency in the internal analysis was addressed with Modification #1: adding an alarm. The cost-benefit ratio for this fix is likely the largest of all the proposals, but the reader does not know, because that fix is lumped with six, seven, and ten other more expensive fixes for alternatives 1, 2, and 3, respectively. In effect, expensive fixes are "carried" by practical, inexpensive solutions in this grouping approach (although they are not "carried" sufficiently to be considered cost-beneficial).

7. Many of the proposed fixes may not be the best choice for a particular vulnerability. The proposed fix almost always focuses on the safety systems that failed to prevent core melt, and rarely focuses on the cause of the sequence. In particular, the dominant SBO sequences at BWRs should be analyzed with an objective of preventing LOSP; and SBLOCA sequences at PWRs should be analyzed with an objective of preventing SBLOCAs. Preventive measures should receive some emphasis.

For a given vulnerability, an inexpensive fix was often overlooked while a more expensive fix was proposed. Some examples are:

a. When the major contributor to risk was the unreliability of a component, the solution was to add a parallel component (pump or valve) instead of investigating the possibility of an improvement in reliability. Examples include the added valves at Cooper (see comment 2.b), the added BWST discharge valve and added LPI pump at ANO-1, and the third DG cooling water pump at Quad Cities.

b. Potential common mode failure of both batteries from gradual degradation due to over-charging was fixed by adding more batteries (dedicated to EDGs) instead of improving the monitoring and testing of batteries to prevent over-charge.
c. In the low probability sequence of long term Station Blackout of sufficient duration to deplete the CST, an additional seismically qualified and missile shielded CST with a minimum capacity of 270,000 gallons was proposed for Point Beach. The likelihood of this sequence lasting long enough to demand additional makeup warrants considerations such as a makeup connection that would permit the use of service water or lake water via the diesel drive fire pumps for emergency steam generator makeup. Also, if seismically qualified tanks are intended to address concerns expressed in Chapter 3 for large water tank failures in beyond design basis earthquakes, then tank support improvements probably would be more cost effective than adding another tank.

d. Modification #4 at Quad Cities is the addition of more circuitry to permit the automatic transfer of ECCS control logic and circuit breaker DC power loads. This capability is recommended for the situation in which one battery cannot provide DC control power to LPCI pump circuit breakers after that battery is depleted. Since this condition would not be reached for several hours after the simultaneous LOSP and EDG failure, it seems reasonable that this transfer should be manual, not automatic. Also, an automatic transfer system would be expected to induce other risks from inadvertent actuation. Its installation probably would violate separation criteria. An adequate manual transfer capability is already installed at each bus, and was much less expensive than the $200K - $400K required for the proposed automatic transfer system.

For a given vulnerability, an inexpensive fix was proposed that would not work without additional investment. One example of this was the added direct piping to the AFWP at ANO-1 from the new CST. Because of NPSH problems with that proposal, an additional booster pump would be needed.

8. Finally, limitations in the analytical models contribute to shortcomings in the case studies, especially from the perspective of the decision maker:

a. As previously discussed, many of the conservatisms in the report, such as failure to consider non-safety systems, failure to consider operating safety systems in modes for which they were not specifically analyzed in the FSAR, failure to consider reasonable or repeated recovery actions, etc., are the result of having a simple model that does not permit consideration of these factors.
b. Many assumptions are made and arbitrary numbers assigned to an initiator frequency or a recovery action without modeling the frequency or action. This precludes getting the benefits of insights that might be gained from adjusting various assumed values or conducting sensitivity analyses on various assumptions which could then reveal practical improvements. The result of this limitation is that a vulnerability leads to only one possible fix--add another pump, valve, or entire train--because the model is incapable of revealing the actual system weakness. This same limitation hinders the ability to identify operational improvements, because initiators and recovery actions are not modelled in sufficient detail to permit evaluating different operational choices, procedural improvements, etc.

c. The model does not lend itself to evaluating vulnerabilities by system--only by sequence. Thus it is not possible to answer questions such as, what is the overall contribution to risk from failure of the Auxiliary Feedwater System?
d. Most sequences of importance to DHR involve at least 2-4 hours or longer before core damage could occur. Not only does this long time period permit many recovery options, but the constantly decreasing level of decay heat permits greater probability of success with progressively less equipment. The case study models should take this into consideration by adjusting the success criteria as a function of time after reactor shutdown or scram.

ENCLOSURE 2

COMMENTS ON "EXTERNAL ANALYSIS"

This enclosure addresses Chapter 3 analysis, and also includes some points on cost benefit analysis that relate directly to the alternatives proposed in Chapter 3. This enclosure has not repeated observations regarding assumptions and approach which were presented in Enclosure 1 and are also applicable to this enclosure.

1. The principal comment on the external analyses is that many of the assumptions are incredible, and sometimes presume irresponsible behavior on the part of plant management and operating personnel. The fire, external flood, and lightning analyses are particularly incredible.

2. Another important comment on the external analysis section is that it should give more consideration to reasonable mitigation and recovery actions. The same comments about recovery capabilities made previously (what systems can be used to handle a casualty, what operators can be expected to do, and what success criteria should be imposed) also apply to the external analysis. Most external events precipitate internal events, which can be recovered as discussed in our comments in Enclosure 1. It appears that the internal analyses in all six case studies have been adjusted to include some nominal recovery action, whereas the external analyses remain unchanged from the "no recovery" approach of 1985.
3. Much of the external analysis is addressed by ongoing plant-specific PRAs, and by other narrow-scope generic programs that can treat individual external risks in greater depth than A-45. For example, the A-45 seismic analysis covers much of the same ground that the A-46 program and the industry's seismic margin and SQUG programs have addressed. Fire protection has been addressed comprehensively by Appendix R. In both cases, it appears that the A-45 studies are arriving at more conservative conclusions than these other programs. The "Seismic Qualification of Equipment" issue is being resolved (Generic Letters 87-02 and 87-03 specify the A-46 resolution). The fire protection issue has been resolved by the Appendix R rulemaking. The required actions for these programs are being or have been implemented.

4. An assumption in the analysis of external event initiators is that if a conservative NRC guideline is exceeded, it results in the initiation of an event or failure of the equipment. For example, fire protection analyses have often required that fire suppression capabilities be designed to handle large hypothetical fire sources with high energy outputs. The case studies' fire analyses used two bounding fire sources: a 30 gallon trash can of refuse and a 10 gallon spill of acetone. The analysis assumes that these large fire sources will always exist in each space being analyzed (see comment 8 below). Thus, conservative design criteria have been used incorrectly as assured initiators. A similar approach was taken to the use of lightning guidelines.

5. Examples of overly conservative initiator frequencies include:
a. Every earthquake of 3.75 magnitude Richter is assumed to always cause a LOSP, plant trip, or SBLOCA. In fact, such a minor tremor has extremely low energy, and would not be expected to initiate any of these events.
b. Ten significant fires are assumed to occur every year, industry-wide; one control room fire is assumed to occur every year, industry-wide; two cable spreading room fires are assumed to occur every three years, industry-wide, based on case study frequencies.

c. Off-site power will be lost one half of the time, and a DC bus will be lost and cause core melt one tenth of the time when lightning storms hit near the plant.
6. Examples of expensive fixes for vulnerabilities, when a less expensive fix would have worked include:
a. Installing new fire suppression systems, relocating main battery distribution buses, adding more battery chargers and inverters, waterproofing pumps and electrical panels; all instead of restricting large containers of acetone or other flammables in vulnerable fire areas.
b. Installing a 3 hour fire wall in the Point Beach service water pump room to prevent fire main spray from reaching the opposite service water trains, when an inexpensive splash shield would suffice.
c. Although not proposed as an external vulnerability modification, the addition of an additional seismically qualified and missile shielded CST with a minimum capacity of 270,000 gallons at Point Beach for an internal event concern appears to be indirectly credited as a seismic upgrade. If so, upgraded tank supports would be more cost-effective.
7. Additional comments on the seismic analysis are:
a. The plant response to a seismic event is very conservative. These case studies assume:

  • A probability of one that any earthquake, even insignificant ones (as low as 0.5 x SSE) will initiate a potential core melt sequence (either a small break LOCA at higher levels, or a loss of offsite power or a loss of feedwater at lower levels).

  • That no initiating event can be reversed at the outset, e.g., even small earthquake-induced losses of offsite power or losses of feedwater cannot be restored.

  • A probability of near one that an earthquake greater than 2-3 x SSE will invariably lead to core melt. For example, at Quad Cities, every level of earthquake intensity greater than 2 x SSE leads to core melt with a probability ranging from 93% to 136%. (Some seismically induced core melt frequencies are more likely than the earthquake itself! A similar situation exists at Point Beach.)

Thus, no recoveries are allowed in these earthquake sequences.

b. CST or RWST is assumed to fail catastrophically at about 0.2 g to 0.4 g (2-3 x SSE, depending on the plant), with no option given to use other sources of water or refill damaged tanks. No possibility of recovery of offsite power, emergency diesels, or DC power (e.g., from battery chargers) is considered. No credit is given for manually opening DC-powered valves if batteries are not available. No credit is given for manually starting HPCI, RCIC, AFW, or diesel driven fire pumps. No credit is given for isolating pipe breaks.

c. EPRI has sponsored extensive research in support of the Seismic Qualification Utility Group (SQUG), which has in turn worked with the NRC toward resolution of the A-46 program. The NRC recognized the SQUG work in NUREG-1030. Extensive data has been collected, documenting the experience of industrial facilities and fossil fueled power plants in actual earthquakes. This data has indicated a great degree of inherent seismic capability in mechanical and electrical equipment similar to that in nuclear power plants, even for earthquakes with high accelerations. The SQUG review included facilities which survived earthquakes with accelerations in excess of 0.5 g with essentially no damage to power plant type equipment (except for switchyard damage). This is in sharp contrast to the case study results which predict virtual certainty of core melt at these same levels.

d. EPRI's Seismic Margin program has demonstrated an engineering methodology for evaluating earthquakes larger than SSE. Practical guidelines and procedures for evaluation have been developed using SQUG-type experience-based ruggedness data, and deterministic evaluation techniques to arrive at HCLPF values for the plant. The HCLPF is the earthquake level for which there is a consensus of high confidence of low probability of failure of structures and components needed for safe shutdown. Trial plant evaluations conducted to date reveal high confidence that safe shutdown can be maintained following earthquakes well beyond SSE. Weakest links have been identified, and only minor fixes have been proposed.

e. Of particular importance to the case study results are predictions of catastrophic failure of large water tanks (CSTs and RWSTs). Experience indicates that properly anchored tanks have a high probability of surviving beyond-SSE earthquakes. Some unanchored or inadequately anchored tanks have failed, but there are cases where unanchored tanks have survived up to 0.5 g earthquakes. The location and severity of seismic damage to tanks is an important consideration, since a damaged tank may not lose its functional capability immediately or completely. The assumption that hundreds of thousands of gallons of water would vanish at the beginning of the earthquake is not correct.

f. The scaling of soil structure interaction results (step 5) has been done frequently in PRAs but is not accepted widely.

g. Making point estimates and basing uncertainty on the hazard uncertainty (step 7), instead of integrating the hazard and fragility curves for each of the cut sets is reasonable for a quick look, but not for final decisions.
8. Additional comments on the fire analysis are:

a. The assumption that a ten gallon spill of acetone exists continuously with a probability of one in every part of the plant is totally unrealistic. This assumption presumes irresponsible plant management, ignores plant restrictions on transient combustibles, and suggests that plant personnel would ignore such a spill when discovered, and not clean it up. Most of the spaces where this spill is assumed to exist are occupied continuously (e.g., control room) or inspected frequently (e.g., cable spreading room). If the analyses assumed conservatively that a ten gallon spill of acetone occurred once every year in every space in the plant, and that it took an hour to clean up each spill, the core melt frequency due to acetone fires would be reduced by a factor of 10,000.

b. Any fire that initiates in a given fire zone is conservatively assumed to spread and destroy all equipment in that zone with a probability of one, unless suppressed. Fire suppression probabilities (both automatic and manual) are highly pessimistic.

(We note that the assumptions of 8a and 8b are similar to those required for fire hazards analyses under 10CFR 50.48 and Appendix R. We believe these assumptions are unrealistic and inappropriate for these case studies, but recognize that they are appropriate as a design standard for fire hazards analysis use, given the intent and structure of the underlying regulations. They are not appropriate for these probabilistic analyses, which attempt to quantify the residual risk of core melt after required fire protection modifications have been made.)

c. At Turkey Point, St. Lucie and Point Beach, the assumption is made that only safety injection and auxiliary feedwater systems are capable of protecting the core after a fire. No credit is given for use of the charging system. It is not clear that the entire Main Feedwater system would be lost if a fire occurred in the cable spreading room or the 4160 switchgear room. The assumed probability of 0.1 that the operators would not line up the auxiliary shutdown panel prior to core melt at Turkey Point and St. Lucie is very pessimistic, and the likelihood that a turbine driven auxiliary feedwater pump could not be started is overstated. In the 4160 switchgear room fire at Point Beach, no credit was given for the turbine driven AFW pump. None of these fire studies considered the available inventory in the steam generators, or the likelihood that motor-driven AFW would be operable for a short period after the fire started (e.g. 15 minutes), to increase SG inventory. This use of available water would permit at least two hours of secondary heat removal before feed and bleed became necessary.

d. The EPRI/WOG reanalysis of the AFW pump room fire and 4160 switchgear fire reduced the core melt frequencies two orders of magnitude, down to 1.5 and 2.2 E-7 respectively. A CE reanalysis of the cable spreading room fire at St. Lucie reduced the core melt frequency almost four orders of magnitude to 6.7 E-9. These numbers are consistent with the fire analysis conducted by EPRI and Duke in the Oconee PRA.

9. Comments on internal flooding:

a. EPRI has conducted a detailed review of internal flooding risk at nuclear power plants. Based on operating experience, it appeared that internal flooding was an important issue. Risk was found to be very plant specific, and usually was a matter of risk to plant investment rather than a reactor safety issue. However, a methodology was developed to review and inspect plant systems for potential vulnerabilities.

b. With regard to the case studies, only one plant was analyzed to exhibit significant risk from internal flooding: Point Beach. The scenario of concern was a service water pump house flood that failed all six service water pumps from spray from a ruptured fire water pipe. This analysis is excessively conservative in that it uses a rupture probability appropriate for all the piping in the room instead of the smaller frequency associated with a specific "T". EPRI/WOG reanalysis of this scenario demonstrated that the frequency of this event occurring is two orders of magnitude lower than the number assumed by the Sandia case study. Further, because CCW is not required for high pressure injection, the flooding scenario modeled would not lead to immediate core melt anyway, since feed and bleed would be a viable option until recirculation.


10. Comments on external flooding:
a. External flooding risk is considered important by Sandia in four of the six case studies: Turkey Point and St. Lucie, due to storm surge and wave action from tropical storms and hurricanes; and Cooper and ANO-1 due to low probability dam failures at peak flood conditions.

In all four cases, the warning time prior to arrival at the plant of high water would be several days. In the case of dam breaks, high water conditions at the dam typically would develop slowly and be a matter of intense regional concern if the dam were threatened. If the dam breaks in this situation, the peak high water condition would not reach the plant for 15 hours at ANO-1 and 3.5 days at Cooper. (The Cooper study assumes the sequential failure of four upstream dams, starting with Oahe, 540 miles upstream.) In the case of hurricanes at St. Lucie and Turkey Point, the pending arrival of a storm to the region would be known for several days and would be monitored closely. Extremely high water levels created by storm surge develop at a sufficiently slow rate during a hurricane to permit ample advance recognition that hurricane-induced flooding could occur. Even after the storm surge, almost 24 hours would elapse before potential core damage, assuming no operator action.

In all these studies, the risk analysis is conducted using the extreme assumption that the plant staff would continue to operate the plant at full power, aware that in a few more hours or days the plant could be flooded and reactor safety could be threatened. Each case study shows clearly that the plant would be alerted to the problem in time to respond to the situation and shut down the plant. Each case study acknowledges that if the plant was shutdown when alerted to the high water condition, the core melt risk would be negligible. The entire case for external flood risk is built on the assumption that the operating utility would intentionally put the plant at risk of core damage with full knowledge of the developing problem and full knowledge of the consequences. Ample evidence exists in contradiction to that assumption. Both ANO-1 and Cooper have had procedures requiring plant shutdown in case of flooding for many years. Millstone and Brunswick were shutdown as a precautionary step prior to arrival of hurricanes in the last two years. In neither case was there any risk of flooding. Because flooding develops more slowly and predictably than other storm related risks, the assumption that a plant would not shut down when faced with pending flooding capable of reactor damage is not reasonable. No utility should be considered so negligent as to follow such an irresponsible course of action. Any analysis which presumes such negligence without a sound technical basis is no less irresponsible. For this reason alone this external flooding analysis is not credible, and should not be included in the case studies in its current form.

b. The external flooding analysis contains many other examples of excessive conservatism. The assumed probability of catastrophic dam failure and the assumed probability of floods induced by extreme hurricane conditions are very conservative. At Turkey Point and St. Lucie, the water level required to do damage is 2-3 times higher than the worst historical flood levels ever recorded. At Cooper and ANO-1, the plant design basis exceeds the worst floods ever recorded on the Missouri and Arkansas Rivers by a wide margin.
c. All four case studies in question show that each plant has been designed conservatively to withstand extremely low probability, worst case flooding scenarios. In three cases, the plant design basis explicitly includes the scenario of concern in the case studies, and the plant was demonstrated to be protected in the FSAR. In the case of Cooper, the first of four sequential hypothetical dam breaks is over five hundred miles upstream, so the 3.5 day warning time and existing procedures to shut down the plant and barricade the installed doors must be given appropriate consideration.
d. The probabilistic flood hazard curves developed to predict the likelihood of extreme worst case flooding scenarios are very conservative. In general, the hazard curves were created by developing a very conservative probabilistic estimate of the frequency of worst possible flood conditions, and then superimposing a 20% "subjective probability" that impossible conditions would occur, due to "uncertainty". In all four studies, "curve 5," which predicts a 20% chance of flood frequency 5-100 times worse (based on uncertainty) than the worst case analysis, dominates the hazard and risk estimates.

The case studies sometimes provide a point of comparison between this probabilistic model and other authoritative studies. In the case of Turkey Point, the Sandia model is five times more conservative than the Flood Insurance Study (reference 6) results at 13 feet MLW. The insurance study doesn't consider floods above 13 feet MLW (highest actual flood level was 10.5 feet), so the Sandia risk quantification (that shows no significant risk until water level is above 19 feet) is beyond the range considered feasible by the insurance study. In the case of St. Lucie, the Flood Insurance Study only considers floods to 10.2 feet MLW (highest actual flood level was 10.1 feet in 1928). Again, Sandia's risk quantification shows no significant risk until water level is above 19 feet. Extrapolating the flood hazard curves for St. Lucie and Turkey Point shows that the St. Lucie model is equally conservative (factor of five) over the Insurance Study. In the case of Cooper, the Sandia model predicts a mean flood hazard probability of reaching 903 feet (Probable Maximum Flood level) that is ten times higher than the probability used in the Cooper FSAR.

e. All the flooding studies give no credit for any recoveries or operator action other than recovery of offsite power.

11. Comments on wind / missiles:
a. The only plant reported to have significant high wind vulnerability is Turkey Point, primarily due to the hypothesized collapse of the Unit 2 (fossil plant) concrete chimney nearby. (The chimney is designed to withstand a hurricane.) Conservative assumptions are made concerning the likelihood that such a collapse would occur, that it would simultaneously destroy all emergency diesel generators and the condensate storage tank, or completely destroy the 480V switchgear room (which is beyond the arc of collapse for the chimney). At Turkey Point, this safety related equipment is protected in Class I structures with exterior walls and roofs at least 12 inches thick. These structures were designed for a minimum loading corresponding to 145 mph wind speed, and were designed to resist the effects of a tornado. These structures were reviewed to assure no loss of function for tornado velocities up to 337 mph. The case study does not provide adequate information to show that these structures fail at the probabilities shown, or that all the equipment inside will be lost, given structural damage.

b. As above in the flood analysis, the plant is assumed to continue to operate at full power despite advance warnings of hurricane winds or tornados. This assumption is not appropriate, and credit should be given for the utility's procedures for responding to major storm threats.

No plant systems other than the Safety Injection and AFW systems are assumed capable of preventing core melt. The AFW system is conservatively assumed to fail if the batteries deplete. No consideration is given for the water inside the CST (assuming the chimney punctures the CST roof), other sources of water, existing S/G inventory, the charging system, standby feedwater pumps, five available black start diesels, feed and bleed, or any operator recovery actions other than recovery of offsite power.

12. Although lightning does not appear to be a major contributor to plant risk in these case studies, some comments on the lightning methodology are appropriate. As in all other Chapter 3 analyses, the methodology is extremely conservative.
a. The analysis assumes that one strike out of every hundred will have a current greater than 200 KA and will be able to damage the plant. The basis for the 200 KA current causing damage is questionable.

NRC has never recommended protecting plants (designing them) to withstand a 200 KA strike. At one time it was proposed to require 200 KA arrestors on the station transformers. However, 65 KA was the largest available and it was demonstrated that these are adequate. 65 KA arrestors are adequate to protect the transformers and keep damaging surges off the incoming lines. Overhead grounds go out and away from the arrestors a sufficient distance to prevent a direct strike on the incoming conductors that is not attenuated to a current that the arrestors can handle. The NRC proposal to require 200 KA arrestors was based solely on the fact that 200 KA strikes have been measured. Most strikes are about 7 KA.

b. The case studies assume that if a single system must be hit to lead to core melt (typically a DC power train), the assumed probability of such a critical hit causing core melt is one in ten lightning strikes on site. Although a methodology is provided to deal with the protection afforded by multiple systems, the general assumption that one in ten strikes will cause core melt is illogical and excessively conservative. In fact, a plant with an external lightning protection system meeting one of the industrial lightning protection codes should withstand all strikes.

c. The case studies claim that loss of offsite power is a fairly common occurrence during a powerful thunderstorm. Based on this observation, the studies assume that offsite power will be lost one-half of the time when lightning storms affect the plant. This assumption, combined with a very conservative model developed to predict how often lightning strikes hit a plant, creates predictions for loss of offsite power frequency that are inconsistent with reality. At Point Beach, the frequency of a ground flash hitting the site is given by (T)(Ng)(A) = 39.71 ground flashes per year. If half of these presumed ground flashes were to cause a loss of offsite power, then the Sandia methodology would predict

(39.71 flashes/year) (15.2 site years thru 1985) (0.5 LOSP events/flash) = 302 LOSP events

due to lightning since the operating license date (10/70). In fact, there have been no lightning induced LOSP events in Point Beach history.

The case studies determined that the risk of core melt due to lightning is greatest at Turkey Point, where the frequency of a ground flash hitting the site is calculated using the Sandia model to be 272 flashes per year. (The model also predicts 272 flashes per year at St. Lucie.) If the Sandia model and assumptions were valid, one would expect 1822 LOSP events due to lightning at the Turkey Point site during the 13.4 site years through 1985. In fact there have been none.

Applying the Sandia lightning model to the U.S. nuclear industry at large, one would expect tens of thousands of lightning induced LOSP events during the 664.9 site-years accumulated through the end of 1985. Using Point Beach as a baseline, the Sandia model would predict 13,202 lightning induced LOSP events industry-wide through 1985. Using Turkey Point, the model would predict 90,426 lightning induced LOSP events industry-wide through 1985. In fact, there have been four. (See NSAC-103, category Ia and Ib events). Since storm related LOSP events are often difficult to blame directly on lightning, we can compare the Sandia model to all weather related LOSP events in the history of U.S. nuclear power. A total of 15 weather related LOSP events have occurred in 664.9 site years. Eight of those were insignificant; and most of the seven significant weather events occurred many years ago. In the few recent weather related events, the plant was shutdown prior to arrival of the storm. In the older events, positive design and procedural modifications have been made to prevent recurrence.

Finally, these weather related LOSP events are already included in the data used for internal plant analysis (Chapter 2), so the Chapter 3 analysis of lightning induced LOSP events represents double counting.

d. The lightning analysis makes very conservative assumptions about system and operating response if a lightning strike occurs. Random battery and DC bus failure frequencies are about a factor of ten too high. No credit was given for starting emergency diesels without DC power. No credit was given for battery chargers, or manual operation of DC powered AFW valves. Continued availability of PCS and Main Feedwater was not considered. Since the above discussion (11.c) demonstrates that offsite power rarely will be lost in a lightning strike, this conservatism is crucial. The charging system and the plant's feed and bleed capability was not considered. Operator recovery actions were not considered, and the only plant recovery action considered was recovery of offsite power. (One curious exception to this comment is the Turkey Point analysis. The lightning analysis in Chapter 3 was apparently redone to include recovery capability from the opposite unit, and operator action to manually operate valves. However, none of that work is reflected in the case study conclusions, alternative value analysis, and integrated value-impact analysis, where the old value of 2.6E-6 was retained.)

e. NSAC has studied the lightning issue and has found it to be significant. Lightning has caused many scrams (though very few losses of offsite power), and occasionally has caused limited physical damage to plants. Although NSAC doesn't consider lightning to be a significant contributor to core melt risk, lightning protection is important for purposes of protection of equipment and prevention of plant challenges.

NSAC-41 demonstrates that the probability of lightning damage to the plant's internal systems is relatively independent of the location of the plant. (NSAC-103 data support this.) However, the probability of damage is strongly dependent on the design of the lightning protection system. The case studies should have based the lightning risk potential on how well the plants meet a recognized lightning protection code, without including an artificial extrapolation to core melt. NFPA-78 is an example of an adequate industrial lightning code. Although it was not written for nuclear plants, NSAC is not aware of a damaging strike at a plant meeting this code.

ENCLOSURE 3

COMMENTS ON DEDICATED DHR SYSTEM AND ALTERNATIVE SELECTION

This enclosure comments on Case Study Chapter 4, which discusses the proposed Dedicated DHR System. It also includes comments of a general nature on alternative selection, integration, and impact analysis, covering material presented in Chapters 2-6.

1. The case studies appear to work too hard at making the Dedicated Shutdown Decay Heat Removal System look good. A variety of favorable assumptions, analysis techniques, and qualitative arguments are used that accentuate its benefits as a backfit.
a. The case studies make unduly optimistic and often unrealistic assumptions about the operation of the Dedicated DHRS and its immunity to the sources of risk to which the rest of the plant is vulnerable.

  • The report assumes for the Dedicated DHR System that all the equipment and the structure containing the equipment are designed to withstand all special emergencies. With no analysis of the Dedicated DHRS against the external events of concern, it is assumed that the system is immune to every external risk.

  • It appears that different rules exist between the Dedicated System's immunity to failure, in comparison with the analysis of the existing plant. For example, the fire analysis of the existing plant assumes trash cans of refuse and 10 gallons of spilled acetone to exist continuously in every space in the plant. In contrast, this fire source that is assumed to always exist throughout the rest of the plant is assumed to never exist near the Dedicated System.

  • The case studies assume a SBLOCA frequency for the existing plant of .02 per reactor year, or 2 SBLOCAs per year throughout the industry. In contrast, the Dedicated System piping, connections, and valve operations appear to be immune to any pipe break or other failure that would result in loss of coolant.

  • The case studies assume that power to the system will never be lost as long as offsite power is available to the site.

  • The Dedicated System appears to be immune to earthquakes of all magnitudes. While the existing CSTs and RWSTs are assumed to fail at the 1-2 SSE level, the Dedicated System's CST and RWST will not fail. Dedicated System piping and tanks will not fail, so the Dedicated System is immune to internal flooding. The case studies assume that lightning, external flooding, high wind and tornado will selectively damage the existing plant but leave the dedicated system unaffected.

b. The Dedicated System appears to be immune to common mode and dependent failures, and to be independent in every aspect of design and operations from the remainder of the plant. These assumptions of immunity are unrealistic from an operational perspective, as well as from the external event perspective discussed above. Also, as discussed in the source document for the Dedicated DHR System (NUREG/CR-2883), the Dedicated System will use components similar to those in the rest of the plant, so some common mode failures would be expected.

c. The operational simplicity of the unbuilt and untested Dedicated System is not questioned by the studies. The conceptual system is assumed to always initiate automatically when needed and never actuate when not needed. These are inappropriate assumptions for a number of reasons. First, automatic initiation circuitry that can detect, evaluate, and initiate at various levels of severity for a variety of external events does not exist. Second, if automatic actuation is based on physical plant parameters such as temperature, pressure, and water level, then operating experience with ECCS systems shows that complex, redundant initiation and control logic will be required, and that spurious, undesirable actuations of that system will occur. Third, automatic control of that system will be complex, and will be dependent on the type and severity of the initiating event. The Dedicated Systems' control circuitry will have to be smart, and be capable of performing a variety of mode changes and control function changes during its 10 hour unassisted run. Fourth, the difficulty in conducting full flow system testing of the Dedicated System has not been considered. Fifth, the adverse ramifications of inadvertent initiation, and complex operational interactions that can occur between Dedicated Systems and existing ECCS systems have not been considered. Finally, the increased possibility of plant scrams and unreliability as a result of Dedicated System testing or inadvertent actuation is a concern.

d. It appears that program scope limitations did not allow consideration of Dedicated System risks.

  • The scope of the A-45 program specifically excludes interfacing LOCAs. However, the Dedicated System would increase the risk of an interfacing LOCA by virtue of the added piping penetrations. Control system failures of Dedicated System boundary valves could be a contributor. None of the other proposed modifications would contribute to increased risk from interfacing LOCAs.

  • The scope of the A-45 program specifically excludes special issues, such as pressurized thermal shock, which are being studied in depth elsewhere. However, the Dedicated System could increase significantly the risk of a pressurized thermal shock event, especially if existing ECCS and new Dedicated Systems initiate simultaneously. None of the other proposed modifications would increase the risk of over-cooling or repressurization transients.

These low probability exclusions from A-45 analysis (interfacing LOCA and reactor vessel failure) are failure modes with higher potential public risk consequences.

e. Chapters 5, 7, and 11 (10 for BWRs) discuss a number of "unquantifiable" benefits of the Dedicated System. These arguments appear overstated. The contribution to core melt frequency by common mode failure and environmental qualification deficiencies are overstated, and result from modeling deficiencies and overly conservative assumptions.

f. The Dedicated System contribution to external event and sabotage protection has not been demonstrated, only assumed. The case studies performed a simple fault tree analysis of the components of the system, but did not conduct an analysis of the Dedicated System in the risk sequences for which the Dedicated System is intended to be most beneficial -- external event protection, sabotage protection, and overall integrated plant risk reduction.
g. The near $100 million dollar Dedicated System serves no useful purpose during normal operation or routine transient response.

h. The case studies discuss the European rationale for Dedicated DHR Systems. However, we believe the following quote puts the matter in perspective.

"Swiss nuclear safety authorities have asked the owners of three older plants to add Dedicated emergency core cooling/decay heat removal systems to their plants... Roland Naegelin, Director of the Swiss Federal Nuclear Safety Inspectorate, said the request... reflects no safety deficiencies at the plants, only the authorities' goal of bringing safety equipment up to the current state of technology." (Nucleonics Week, September 5, 1985).

2. We recognize case studies also make a few conservative assumptions about the dedicated system that detract from its value. Some conservative failure frequencies are assumed, such as a diesel generator failure rate that is high by a factor of 2-3. Operator actions to recover the system if it fails are not considered. The PWR case studies assume that both parts of the PWR Dedicated DHR system (HP injection and EFW) must work for system success, when one or the other would be sufficient.

3. The grouping process used to evaluate all the proposed fixes other than the Dedicated System introduces a number of problems and artificial constraints. The potential value of practical, inexpensive fixes is obscured by this lumping approach. Comment 6 in enclosure 1 addresses some of these problems for the internal analyses.

4. Many of the proposed fixes are not the best choice for a given vulnerability. Examples were given in Enclosure 1 (comment 7) and Enclosure 2 (comment 5). In general, the proposed fixes were based on adding redundancy to cover over a problem, instead of correcting the root cause of the problem. These proposed fixes were generally more expensive than what would have resulted from a root cause analysis.
5. None of the alternatives have been studied explicitly to determine if they have introduced some detrimental impact on safety.

6. The EPRI/WOG reanalysis of the Point Beach Case Study includes a reassessment of the installation costs of all the proposed modifications. In general, the Sandia analyses underestimated these costs by about a factor of two. Also, most of the "alternative impact analysis" (cost analysis) was conducted 2 years ago, based on 1985 dollars. This also tends to underestimate the cost of the proposed fixes, albeit only slightly.
7. Some of the most cost-effective alternatives proposed by Sandia have been installed since Sandia began their analysis, though not always for the reason presented in the case studies. Since Sandia analysis began, other modifications have been added to the case study plants that would affect the original model or the results. This comment is not a criticism of the case studies, but a comment on the practical difficulty of any "snapshot" analysis of a moving target. In fact, Sandia has modified these final drafts of their analyses in a few cases to account for these actions, such as the installation of the safe shutdown pump at Quad Cities and the completion of Feed and Bleed procedures implementation at Turkey Point. However, other improvements have been made at the case study plants since the cutoff of Sandia analysis. Examples include new seismic batteries at Point Beach, improved battery supports and electrical cabinet supports at most case study plants due to A-46 concerns, further fire protection upgrades and backup system modifications due to Appendix R, etc.

Ongoing work to make these changes creates problems in situations where Sandia assumed the fix was not installed for purposes of their risk assessment, but then chose not to estimate the cost of the fix since it was currently being installed. At Quad Cities, the seismic battery rack modification is being installed anyway, due to a previous commitment. Therefore, it was assigned zero cost in the value-impact analysis. Yet, the study takes credit for the core melt improvement it provides for the alternatives of which it is a part. This biases the value of the alternative positively, while acknowledging no penalty for the cost. Since the seismic racks are going in anyway, the base case core melt calculation should include them.

ENCLOSURE 4

COMMENTS ON ALTERNATIVE VALUE ANALYSIS
CONSEQUENCE ANALYSIS, UNCERTAINTY, AND "NON-QUANTIFIABLE VALUES"

1. Much of our concern with the A-45 value impact approach is related to the assessment of off-site effects and public dose. This area was not the major influence on the bottom line value-impact calculations because on-site averted costs dominated impact. However, the dose calculations still overstate the real health effects. It is recognized that significant improvement has been made in this area since the 1985 preliminary case study drafts. These comments are directed at the revised analysis.

a. The core melt analysis in all case studies remains very conservative. The frequency is unrealistically high, and the onset of core uncovery appears to be synonymous with severe core melt.

b. Core melt still appears to be synonymous with catastrophic containment failure. The case studies appear to assume that a high percentage of core melt accident sequences end in containment failure. Recovery is not considered explicitly, despite the fact that the dominant failure mode is a late overpressure failure. Although early containment failure mode probabilities have been reduced for PWRs, they remain conservative. BWR containment failure mode probabilities remain unchanged, and every BWR core melt is assumed to result in containment failure. Containment venting on BWRs is still not credited adequately. If venting were conducted earlier than assumed, it not only would reduce containment failure probabilities, but would reduce core melt probabilities as well. The case studies generally assume that over 95% of all containment failures are in the worst release categories, typically comprised of early, energetic containment failures, caused by early over-pressurization. This percentage is unrealistically high, especially in a containment failure study that does not include the most energetic primary system failures such as ATWS and LBLOCA. It is unlikely that relatively slower DHR accident sequences could result almost exclusively in the containment failure modes with the highest source terms.

  • Recent risk studies generally indicate that small consequence events are relatively more likely, while large consequence events are relatively less likely. For one BWR the difference between these two types of consequence events is approximately 2 orders of magnitude. This is in contrast with the Quad Cities report which indicates in table 7.7, that QC-1, QC-2, and QC-3 represent over 99 percent of the release category probability. Thus, according to the Sandia model, over 99 percent of core damage/containment failure events at Quad Cities result in dose consequences which are a factor of 100 to 1000 worse than the more benign events.

  • Parallel arguments apply to the Point Beach Study. Less than five percent of the population dose in Table 7-5 comes from PWR release categories 6 and 7 (late containment failures). Assignment of accident sequences to release categories should be reviewed.

  • The study assumes an 18% chance of long-term overpressure failure (δ mode) regardless of the status of containment safeguards and containment heat removal. The containment failure probability should be correlated with whether containment safeguards are operational or not. When they are operational, the chance of long-term overpressure failure could be negligible (see Zion and Indian Point Probabilistic Safety Studies, IDCOR, etc.). On the other hand, for a sequence in which containment safeguards are not available a value higher than 18% may be appropriate.
c. The source terms are still high. The assumed "baseline source term" of 0.3 x WASH-1400 is conservative, and higher than most current models. In the case of large dry containments, best estimate source terms can be adjusted down by a factor of 10-100 or more from WASH-1400, based on published and peer-reviewed data. Analyses done by IDCOR, Brookhaven (BMI-2104), Draft NUREG 0956, and others show that using realistic treatments, the source terms would be less than values used in these case studies. Based on more current information on large dry containments, a more logical conclusion for multipliers to WASH-1400 release fractions to account for new research since 1975 would be 0.1 x WASH-1400 for early containment failure and 0.01 x WASH-1400 for late containment failures. Thus for the late overpressure containment failure mode, which dominates when containment safeguards are not available, the release fractions are expected to be about a factor of 30 less than assumed in the PWR case studies.

d. The case studies do point out that 0.3 x WASH-1400 is not a best estimate, but a central estimate. If the case studies use source term values that are not best estimates, then they should explain why the best technical information available is not used. The current explanation that the A-45 program will not endorse any particular source term values is not adequate. The argument has been made that NRC cannot adjust previously assumed source terms until all the experts agree on what the new values should be. The Commission has taken that position with regard to revisions in licensing requirements. It appears that current policy would permit the use of best estimate source terms in PRA analysis, and in studies of safety alternatives such as these case studies. In matters as important as public risk estimates, the A-45 program should take advantage of the best technical information available. Reticence because of the technical complexity of source term technology should be expressed in terms of the degree of uncertainty about a best estimate value.

2. The uncertainty discussion in Chapter 8 has not been integrated into the report analysis and conclusions. It appears that uncertainty analysis is not used in these case studies beyond the chapter written to discuss the uncertainty issue. The results of the uncertainty analysis do not say alternative 1 can be implemented with x% confidence that the net benefit will be positive, with y% confidence that the value impact ratio is greater than 1 or with z% confidence that the plant change can be performed at less than $1000 per person rem. The uncertainty discussion essentially skirts the issue of source term uncertainty. Release estimates for large dry containment PWRs may be more uncertain than a factor of 10, the value considered in this study.


3. Chapter 7 contains a section entitled "Non-Quantifiable Values" (Section 7.3) which we believe should be deleted from the Case Studies. It contains numerous unsupported judgments and opinions, and material of a highly speculative nature that is inconsistent with the purpose of the case studies. The final chapter contains similar unsupported judgments.

The conclusions of the case studies should be limited to those findings that have been demonstrated by analysis. Judgments about potential improvements in regulatory stability and the unquantifiable values of dedicated systems should be deferred to the NRC's final regulatory analysis.


ENCLOSURE 5

COMMENTS ON VALUE IMPACT ANALYSIS

This enclosure addresses the methodology and conclusions of Chapter 9, "Integrated Value Impact Analysis."

1. Many comments in prior enclosures relate to the value-impact analysis. In particular,
a. The conservative nature of the internal and external analysis, which resulted in unrealistically high core melt frequencies, will also tend to inflate the offsite doses and calculated benefits of fixes to reduce those doses. In the EPRI/WOG reanalysis of Point Beach, we found the case study core melt frequency to be a factor of ten too high.
b. The conservative nature of the consequence analysis, including both source term assumptions and release category assumptions, also tends to bias the value impact analysis. The EPRI/WOG reanalysis used a conservative consequence model equivalent to the IDCOR model, which predicted consequences about a factor of three lower than the case study.
c. The cost of installing these proposed fixes will likely be 50% to 100% higher than the predicted costs in the case studies.

d. The grouping of modifications into large batch alternatives for purposes of value impact analysis is not appropriate. It distorts the true picture by masking the value of potentially beneficial fixes. Theoretically, it also creates the possibility that a worthless fix could be installed along with a group of beneficial ones. Utilities must be able to justify every modification made to a plant on its own merit. The Sandia approach makes careful decision making very difficult.


2. Despite all the conservatism discussed above, the case studies show that none of the alternatives proposed can be considered cost-beneficial.
a. In particular, the Dedicated DHR System is clearly shown to be a very poor investment in safety -- Sandia estimates between 1/3¢ and 2¢ safety benefit for every dollar spent to install the system. Based on the results of the EPRI/WOG reanalysis of Point Beach, the cost-benefit ratio for the dedicated system is 100 times lower than shown in the Case Studies, based on offsite costs, meaning that such a system will provide roughly 1¢ or less in safety benefit for every $100 spent.

b. The ultimate demonstration of the futility of installing a dedicated DHR system comes from a realistic examination of the radiation doses received. In the EPRI/WOG reanalysis of Point Beach, realistic estimates were made of the averted doses, as well as the installation, operation, and maintenance doses associated with installing the Dedicated DHR System. If one considers offsite averted dose only, personnel will receive 75 times more dose from installing and maintaining the system than will be averted offsite through projected risk reduction! If one considers both onsite and offsite averted doses, personnel will still receive 25 times more dose installing and maintaining the system than will be averted. The installation and maintenance doses are real; the averted doses are statistical model projections.

3. The concept of including on-site averted costs in cost-benefit calculations is controversial. The current NRC policy as expressed by the Commission is not to include averted onsite costs in bottom-line results. However, the staff has recommended to the Commission that this policy be changed. Current guidance to the NRR staff (NRR Office Letter No. 16) states that estimates for such averted costs are to be developed and used in separately stated calculations, so that the results both with and without adjustment for averted plant-damage costs are readily apparent. It appears that the value impact methodology used is consistent with this NRR guidance in that calculations for both methods are displayed.


It would be useful to point out explicitly how averted on-site costs dominate the off-site benefits. The value-impact ratio increases by almost a factor of three to five when averted on-site costs are included in the calculations for the most cost-effective alternatives. If more reasonable source terms were included, on-site risks would dominate the value of plant modifications even more. The averted on-site costs are always much higher than the averted off-site doses for every alternative at both plants (e.g., 1 502 = 2.5 for every alternative at Point Beach, and 15 /V2 = 1.8 for every alternative at Quad Cities). This ratio shows that averted on-site costs dominate averted off-site doses, even for the alternatives that are not cost effective. This conclusion is not obvious from the case studies, because of the way the value-impact calculations were performed. Averted on-site costs were treated as negative impacts or positive values. This causes value-impact ratios for expensive alternatives to appear to change very little when averted on-site costs are included.

4. The practice of classifying all costs (either positive--installation, or negative--averted on-site) as "impacts", and all doses (either beneficial--averted, or detrimental--installation) as "values" creates confusion and misrepresents the true picture. Two examples of the problem are provided.

a. This methodology classifies all person-rem doses (exposures) as values.

1. Positive values refer to averted doses:

V1A = averted onsite dose (due to reduced accident frequency and consequent need to clean up site, repair facility, etc.)

V2A = averted offsite dose (due to reduced expected value of public exposure)

2. Negative values refer to added doses:

V3A = added dose due to installation of modification

V4A = added dose due to O&M of modification over lifetime of plant (note that V4A could be either a (+) or (-) negative dose; (-) if modification actually reduces overall O&M dose for plant).

3. In combining these values into the overall offsite and [onsite + offsite] results, the methodology considers V3A and V4A only in the [onsite + offsite] case (presumably since they are onsite doses). This is an error; they should also be included in the offsite case, because they are part of the "cost" of installing the modification and thus the "cost" of obtaining the averted offsite dose. To put it another way, the only difference between the offsite results and the [onsite + offsite] results should be the averted onsite costs due to lowering the expected accident frequency. The installation and O&M doses are not dependent upon the reduction in accident frequency; they occur whether or not the modification causes a reduction in accident frequency.

b. Strange things happen when all costs are considered impacts. In the case of Cooper, the installation costs were determined to be less than the onsite averted costs for three of the alternatives. The same situation occurred for the first alternative at St. Lucie. This made it impossible to calculate a credible value-impact ratio for the case where onsite averted costs were included, because the ratio became a meaningless negative number.
5. A variety of conservative assumptions in the V-I model add to the problem of using it as a best-estimate decision tool.
a. The economic analyses utilize an assumed discount rate of 5%. This compares to an actual cost of capital presently being experienced by many nuclear utilities of approximately 15%. Discounting this value for inflation yields a time cost of approximately 10%. NRC's own guidance for value impact analyses, NUREG/CR-3568, also indicates that a value of 10% should be used for this parameter. The effect of using 5% is to make the value-impact ratios appear more favorable (i.e., skewed towards justifying implementation) than they actually are.

b. Replacement power costs are more appropriately represented by a ten year long-term contract for power rather than the short term costs used in the case studies. The long term costs would be about 30% lower.
c. The inclusion of gross replacement power for a 10 year period appears inappropriate. The value of the plant is not both the plant and its output, but rather one or the other. If the replacement power is included, it should be a net replacement power cost, that is, the cost of a long-term power contract with a wholesaler minus the total production costs of power at the lost plant. Onsite costs should have been adjusted for insurance credits and for avoided future capital expenses at the plant.

d. The method for calculating total averted onsite costs contains a number of conservative assumptions. The one with the greatest impact on cost is created by an error in calculating the loss of remaining value of the utility's investment. The method used double counts over a ten year period immediately after the accident during which replacement power was bought and accounted for separately. This error inflates the value of lost investment by a factor of 2-3.
