ML20244E494

Responds to 861110 Minutes of CRGR Meeting 98 Re USI A-46. No Objections Offered to Five Specific Recommendations
ML20244E494
Person / Time
Issue date: 11/24/1986
From: Harold Denton
Office of Nuclear Reactor Regulation
To: Sniezek J
Committee To Review Generic Requirements
Shared Package
ML20244D744 List:
References
FOIA-87-714, REF-GTECI-A-46, REF-GTECI-SC, TASK-A-46, TASK-OR NUDOCS 8612050036


Text

{{#Wiki_filter:NOV 24 1986

MEMORANDUM FOR: James H. Sniezek, Chairman, Committee to Review Generic Requirements

FROM: Harold R. Denton, Director, Office of Nuclear Reactor Regulation

SUBJECT: RESPONSE TO ENCLOSURE 3 OF MINUTES OF CRGR MEETING NUMBER 98, DATED NOVEMBER 3, 1986

On November 10, we received the subject CRGR meeting minutes related to USI-A-46. We have reviewed the minutes and the recommendations to the EDO included therein and have no objection to the five specific recommendations made. The A-46 CRGR package (generic letter, regulatory analysis and NUREG-1030) has been revised as recommended and it now states that the verification of seismic adequacy and the correction of all resulting deficiencies as required by the A-46 resolution is a backfit as defined in 10 CFR 50.109. The revised A-46 CRGR package will be sent to you and OGC for review and concurrence as soon as it is ready.

We have also reviewed the AEOD report and are negotiating with the AEOD staff to reach agreement on what actions should be taken on their concerns.

It is our intention to address all ACRS concerns as stated in their letter dated September 17, 1986. We intend to address these concerns outside the scope of A-46. We have initiated a program at Oak Ridge National Laboratory to define the ACRS concerns and propose specific issues to address them. These proposed issues would be prioritized and resources assigned according to the priority.

Original Signed By: Richd H. tixut
Harold R. Denton, Director
Office of Nuclear Reactor Regulation

Distribution: Central File, J. Richardson, DSRO Chron, N. Anderson, EIB Reading, T. Y. Chang, V. Stello, Jr., W. Olmstead, H. Denton, J. Conren, R. Vollmer, W. Schwink, T. Speis, J. Clifford, B. Sheron, R. Fraley, F. Hebdon, R. Major, R. Bosnak

Official Copy


[7590-01]

Federal Register Notice of Final Rulemaking

NUCLEAR REGULATORY COMMISSION

10 CFR Part 50

Station Blackout

AGENCY: Nuclear Regulatory Commission.

ACTION: Final rule.

SUMMARY:

The Nuclear Regulatory Commission is amending its regulations to require that light-water-cooled nuclear power plants be capable of withstanding a total loss of alternating current (ac) electric power (called "station blackout") for a specified duration and maintaining reactor core cooling during that period. This requirement is based on information developed under the Commission's study of Unresolved Safety Issue A-44, "Station Blackout." The amendment is intended to provide further assurance that a station blackout (loss of both offsite power and onsite emergency ac power systems) will not adversely affect the public health and safety.

EFFECTIVE DATE:

FOR FURTHER INFORMATION CONTACT: Alan Rubin, Division of Safety Review and Oversight, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 20555, Telephone: (301) 492-8303.

SUPPLEMENTARY INFORMATION:

Background

The alternating current (ac) electric power for essential and nonessential service in a nuclear power plant is supplied primarily by offsite power. Redundant onsite emergency ac power systems are also provided in the event that all offsite power sources are lost. These systems provide power for various safety functions, including reactor core decay heat removal and containment heat removal, which are essential for preserving the integrity of the reactor core and the containment building, respectively. The reactor core decay heat can also be removed for a limited time period by safety systems that are independent of ac power.

The term "station blackout" means the loss of offsite ac power to the essential and nonessential electrical buses concurrent with turbine trip and the unavailability of the redundant onsite emergency ac power systems (e.g., as a result of units out of service for maintenance or repair, failure to start on demand, or failure to continue to run after start). If a station blackout persists for a time beyond the capability of the ac-independent systems to remove decay heat, core melt and containment failure could result.

The Commission's existing regulations establish requirements for the design and testing of onsite and offsite electric power systems that are intended to reduce the probability of losing all ac power to an acceptable level. (See General Design Criteria 17 and 18, 10 CFR Part 50, Appendix A.) The existing regulations do not require explicitly that nuclear power plants be designed to assure that core cooling can be maintained for any specified period of loss of all ac power.

As operating experience has accumulated, the concern has arisen that the reliability of both the onsite and offsite emergency ac power systems might be less than originally anticipated, even for designs that meet the requirements of General Design Criteria 17 and 18. Many operating plants have experienced a total loss of offsite power, and more occurrences can be expected in the future. Also, operating experience with onsite emergency power systems has included many instances when diesel generators failed to start. In a few cases, there has been a complete loss of both the offsite and the onsite ac power systems. During these events, ac power was restored in a short time without any serious consequences.

In 1975, the results of the Reactor Safety Study (WASH-1400) showed that station blackout could be an important contributor to the total risk from nuclear power plant accidents. Although this total risk was found to be small, the relative importance of the station blackout accident was established. Subsequently, the Commission designated the issue of station blackout as an Unresolved Safety Issue (USI); a Task Action Plan (TAP A-44) was issued in July 1980, and studies were initiated to determine whether additional safety requirements were needed. Factors considered in the analysis of risk from station blackout included: (1) the likelihood and duration of the loss of offsite power; (2) the reliability of the onsite ac power system; and (3) the potential for severe accident sequences after a loss of all ac power, including consideration of the capability to remove core decay heat without ac power for a limited time period.

The technical findings of the staff's studies of the station blackout issue are presented in NUREG-1032, "Evaluation of Station Blackout Accidents at Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-44."(1) Additional information is provided in supporting contractor reports: NUREG/CR-3226, "Station Blackout Accident Analyses" published in May 1983; NUREG/CR-2989, "Reliability of Emergency AC Power Systems at Nuclear Power Plants" published in July 1983; NUREG/CR-3992, "Collection and Evaluation of Complete and Partial Losses of Offsite Power at Nuclear Power Plants" published in February 1985; and NUREG/CR-4347, "Emergency Diesel Generator Operating Experience, 1981-1983" published in December 1985.(2) The major results of these studies are given below.

(1) Draft NUREG-1032 was issued for public comment on June 15, 1985.

(2) Copies of these NUREGs are available for public inspection and copying for a fee at the NRC Public Document Room at 1717 H Street, NW, Washington, DC 20555. Copies may also be purchased through the U.S. Government Printing Office by calling (202) 275-2060 or by writing to the Superintendent of Documents, U.S. Government Printing Office, P. O. Box 37082, Washington, DC 20013-7082.

Losses of offsite power can be characterized as those resulting from plant-centered faults, utility grid blackout, and severe weather-induced failures of offsite power sources. Based on operating experience, the frequency of total losses of offsite power in operating nuclear power plants was found to be about one per 10 site years. The median restoration time was about one-half hour, and 90 percent of the offsite power losses were restored within approximately 3 hours (NUREG/CR-3992).

The review of a number of representative designs of onsite emergency ac power systems has indicated a variety of potentially important failure causes. However, no single improvement was identified that could result in a significant improvement in overall diesel generator reliability. Data obtained from operating experience in the period from 1976 to 1980 showed that the typical individual emergency diesel generator failure rate was about 2.5 x 10^-2 per demand (i.e., one chance of failure in 40 demands), and that the emergency ac power system unavailability for a plant which has two emergency diesel generators, one of which was required for decay heat removal, was about 2 x 10^-3 per demand (NUREG/CR-2989).

Compared to the data in NUREG/CR-2989, updated estimates of emergency diesel generator failure rates indicated that diesel generator reliability has improved somewhat from 1976 to 1983. For the period 1981 to 1983, the mean failure rate for all demands was about 2.0 x 10^-2 per demand (i.e., one chance of failure in 50 demands). However, the data also indicate that the probability of diesel generator failures during actual demands (i.e., during losses of offsite power) is greater than that during surveillance tests (NUREG/CR-4347).

Given the occurrence of a station blackout, the likelihood of resultant core damage or core melt is dependent on the reliability and capability of decay heat removal systems that are not dependent on ac power. If sufficient ac-independent capability exists, additional time will be available to restore ac power needed for long-term cooling (NUREG/CR-3226).

It was determined by reviewing design, operational, and site-dependent factors that the expected frequency of core damage resulting from station blackout events could be maintained near 10^-5 per reactor year with readily achievable diesel generator reliabilities, provided that plants are designed to cope with station blackout for a specified duration. The duration for a specific plant is based on a comparison of the plant's characteristics to those factors that have been identified as the main contributors to risk from station blackout (NUREG-1032).

As a result of the station blackout studies, improved guidance will be provided to licensees regarding maintaining minimum emergency diesel generator reliability to minimize the probability of losing all ac power. In addition, the Commission is amending its regulations by adding a new § 50.63 and by adding a new final paragraph to General Design Criterion 17, Appendix A of 10 CFR Part 50, to require that all nuclear power plants be capable of coping with a station blackout for some specified period of time. The period of time for a specific plant will be determined based on a comparison of the individual plant's design with factors that have been identified as the main contributors to risk of core damage resulting from station blackout. These factors, which vary significantly from plant to plant because of considerable differences in design of plant electric power systems as well as site-specific considerations, include: (1) redundancy of onsite emergency ac power sources (i.e., number of sources minus the number needed for decay heat removal), (2) reliability of onsite emergency ac power sources (usually diesel generators), (3) frequency of loss of offsite power, and (4) probable time to restore offsite power. The frequency of loss of, and time to restore, offsite power are related to grid and switchyard reliabilities, historical weather data for severe storms, and the availability of nearby alternate power sources (e.g., gas turbines). Experience has shown that long duration offsite power outages are caused primarily by severe storms (hurricanes, ice, snow, etc.).

The objective of the rule is to reduce the risk of severe accidents resulting from station blackout by maintaining highly reliable ac electric power systems and, as additional defense-in-depth, assuring that plants can cope with a station blackout for some period of time. The rule requires all plants to be able to cope with a station blackout for a specified acceptable duration selected on a plant-specific basis. All licensees and applicants are required to assess the capability of their plants to cope with a station blackout (i.e., determine that the plant can maintain core cooling with ac power unavailable for an acceptable period of time), and to have procedures and training to cope with such an event.

On the basis of station blackout studies conducted for USI A-44, and presented in the reports referenced above, the NRC staff has developed a draft regulatory guide entitled "Station Blackout,"(3) which presents guidance on (1) maintaining a high level of reliability for emergency diesel generators, (2) developing procedures and training to restore offsite and onsite emergency ac power should either one or both become unavailable, and (3) selecting a plant-specific acceptable station blackout duration which the plant would be capable of surviving without core damage. Application of the methods in this guide would result in selection of an acceptable station blackout duration (e.g., 4 or 8 hours) depending on the specific plant design and site related characteristics. However, applicants and licensees could propose alternative methods to that specified in the regulatory guide in order to justify other acceptable durations for station blackout capability.

Based on the rule and regulatory guide, those plants with an already low risk from station blackout would be required to withstand a station blackout for a relatively short period of time and probably would need few, if any, modifications as a result of the rule. Plants with currently higher risk from station blackout would be required to withstand somewhat longer duration blackouts. Depending on their existing capability, these plants might need to make hardware modifications (such as increasing station battery capacity or condensate storage tank capacity) in order to cope with the longer station blackout duration. The rule requires licensees to develop, in consultation with the Office of Nuclear Reactor Regulation, plant-specific schedules for implementation of any needed modifications.

(3) A notice of availability and request for comments on the draft regulatory guide was published in the Federal Register on April 3, 1986 (51 FR 11494). Free single copies of the draft regulatory guide may be obtained by writing to the Distribution Section, Division of Information Support Services, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Proposed Rule

On March 21, 1986, the Commission published a proposed rule in the Federal Register (51 FR 9829) that would require (1) light-water-cooled nuclear power plants to be capable of coping with a station blackout for a specified duration, and (2) licensees to determine the maximum duration for which their plants as currently designed are able to cope with a station blackout. A 90-day comment period expired on June 19, 1986.

On April 3, 1986 (13 days after the proposed rule was published), the NRC published in the Federal Register (51 FR 11494) a notice of availability and request for comments on a draft regulatory guide entitled "Station Blackout" (Task SI 501-4). This draft guide provided guidance for licensees to comply with the proposed station blackout rule. Many letters commenting on the proposed rule also included comments on the draft regulatory guide. Responses to these comments provided below address the public comments on the draft guide as well as on the proposed rule.

Comments on the Proposed Rule

The Commission received 53 letters commenting on the proposed rule.(4) Forty-five of these were from the nuclear industry, comprised of electric utilities, consortiums of electric utilities, vendors, a trade association, and an architect/engineering firm. Other letters were submitted by the Union of Concerned Scientists (UCS), the Department of Nuclear Safety of the State of Illinois (IDNS), a representative of the Professional Reactor Operator Society, a citizens group, a consultant, and three individuals. Largely, the industry comments were opposed to generic rulemaking to resolve the station blackout issue. The Nuclear Utilities Management and Resources Committee (NUMARC) submitted, along with its comments on the proposed rule, a set of industry initiatives that it believes would resolve this issue without rulemaking. Thirty-nine of the industry letters supported NUMARC's submittal. On the other hand, UCS, IDNS, and the citizens group supported the Commission's objective in the proposed rule, but did not believe the rule and guidance associated with the rule went far enough to reduce the possibility of a serious accident that could be initiated by a total loss of alternating current (ac) power.

(4) Copies of these letters are available for public inspection and copying for a fee at the NRC Public Room at 1717 H Street, NW, Washington, DC.

Every letter was reviewed and considered by the staff in formulating the final resolution of USI A-44. Because of the large number of comments, it was not practical to prepare formal responses to each one separately. However, since many comments were on similar subjects, the discussion and response to the comments has been grouped into the following subjects:(5)

1. Quality Classification of Modifications.
2. Whether the Backfit Analysis Adequately Implements the Backfit Rule.
3. Cost-Benefit and Whether § 50.63 Meets the "Substantial Increase in the Overall Protection of the Public Health and Safety."
4. Whether NRC Should Require Substantial Improvements in Safety that Go Beyond Those Proposed in this Rulemaking.
5. The Need for Generic Rulemaking.
6. Applicability of the Proposed § 50.63 to Specific Plants.
7. Plant-Specific Features and Capabilities.
8. The Source Term Used to Estimate Consequences.
9. Specificity on the Extent of Required Coping Studies.
10. Acceptable Duration for Coping with a Station Blackout.
11. Credit for Alternate or Diverse AC Power Sources.
12. Trends on the Reliability of AC Power Sources.
13. Sharing of Emergency Diesel Generators Between Units at Multi-Unit Sites.
14. Clarification of the Definitions of Station Blackout and Diesel Generator Failure.
15. Specificity and Clarification of Requirements.
16. Technical Comments on NUREG-1032.
17. Relationship of USI A-44 to Other NRC Generic Issues.
18. An Alternative of Plant-Specific Probabilistic Assessments.
19. Procedures and Operator Actions During Station Blackout.
20. Schedule Provisions in the Proposed § 50.63.
21. Industry Initiatives.

(5) The first four subjects are ones on which the Commissioners specifically requested public comments when the proposed rule was published.

The comments and responses to each of these subjects are presented on the following pages.

1. Quality Classification of Modifications

The Commission requested comments on whether the staff should give further consideration to upgrading to safety grade the plant modifications needed (if any) to meet the proposed rule. Upgrading to safety grade would further ensure appropriate licensee attention is paid to maintaining equipment in a high state of operability and reliability.

Comments - The prevailing view by industry on this subject is represented by the following comments submitted by NUMARC:

Quality Classification is Unnecessary - Equipment used to prevent or respond to a station blackout should be sufficiently available and operable to meet its required function. To this extent, the Commission's desire that appropriate attention be paid to maintaining a sufficiently high state of operability and reliability is appropriate. The point of departure begins with the method for achieving this objective. Specifically, by itself, a "safety grade" classification scheme does not solely equate with high states of equipment operability and reliability. Such classification systems too often can become a documentation exercise more than a process for providing the requisite level of system functionality.

Duquesne Light agreed with this view and expressed the following comments:

Any plant modifications or additional equipment required to meet the proposed rule should not be specified safety grade. For equipment which is to be manually started and placed in service for testing or in the event of a loss of power condition there is no necessity for specifying safety grade since adequate reliability can be obtained through normal surveillance testing and the proper maintenance of commercial power plant equipment. The cost difference in safety grade vs. commercial grade modifications is significant and must be emphasized.

The opposite point of view was taken by the IDNS.

No credit should be given for the capability of equipment to respond to a station blackout unless that equipment was originally designed, constructed, inspected, performance tested, qualified, certified for the intended safety-related purpose, and the equipment is maintained to the highest industry safety standards.

Gulf States Utilities commented,

The proposed rule does not provide sufficient direction on the quality classification of plant modifications that may be required to meet the rule. ...the quality classification of plant modifications implemented to meet the proposed rule should be commensurate with classification of the system they support.

Response - The proposed § 50.63 does not specifically address the topic of safety classification of modifications, but guidance is given in the regulatory guide on station blackout as well as in a draft American Nuclear Society standard, ANS 58.12 entitled, "Criteria for Establishing Response Capability for Loss of All AC Power (Station Blackout) at Light Water Reactor Nuclear Power Plants," Draft Revision 5, March 1987. Neither of these documents specify that equipment modifications needed to meet the proposed rule be safety grade. However, the equipment must meet certain quality assurance criteria to ensure a high level of reliability and operability during station blackout events. Based on technical analyses performed for USI A-44 and public comments received, there are insufficient bases to require that modifications be seismically qualified and/or meet the single failure criterion. Therefore, the Commission would not require that modifications to meet the station blackout rule be safety grade. However, the Commission believes that licensees should pay diligent attention to quality assurance, in order to maintain highly reliable equipment to comply with the station blackout rule.

2. Whether the Backfit Analysis Adequately Implements the Backfit Rule

In addition to comments on the merits of the proposed rule, the Commission specifically requested comments on whether the backfit analysis for this rule adequately implements the Backfit Rule, 10 CFR 50.109.

Comments - The Commission received two differing views in response to this request. On one hand, NUMARC expressed the view that the proposed rule does not meet the backfit rule standard because the analysis of the factors set forth in § 50.109(c) were not adequately considered by the staff. Specifically, NUMARC stated --

1. Installation and Continuing Costs Associated With the Backfit Have Been Underestimated.
2. Potential Impacts on Radiological Exposure of Facility Employees Should Be Further Addressed.
3. The Relationship to Proposed and Existing Regulatory Requirements Should Be Considered Further.
4. Potential Impacts of Differences in Facility, Type, Design or Age Should Be Considered Further.
5. The Reduction in Risk from Offsite Releases to the Public Has Been Overestimated.

On the other hand, the Ohio Citizens for Responsible Energy (OCRE) and UCS commented that the backfit rule should not apply to the proposed rule. OCRE took the position that "application of the backfit rule to [NRC] rulemakings is plainly illegal," and the Commission is not empowered to consider costs to licensees in deciding whether to impose new requirements. UCS commented that the cost benefit analysis should not be applied in this case because safety improvements are needed to secure compliance with existing NRC regulations, specifically General Design Criterion 17, Electric Power Systems (Appendix A to 10 CFR Part 50).

Response - NUMARC's comments on the backfit analysis were taken into account by the staff in revising the draft version of NUREG-1109, and a separate appendix that addresses the factors in § 50.109(c) was added to that report. All but item 2 above are on the same subjects as letters from other commenters and are discussed in more detail under subjects 3 (Item 1), 6 (Item 4), 8 (Item 5), and 17 (Item 3) in this section. NUMARC's Item 2, the potential impact on radiological exposure of facility employees, would need to be assessed in detail only if it were a major factor in the value-impact analysis. The effect of radiological exposure on facility employees, if any, would be extremely small in comparison to the reduction in radiological exposure to the public from accident avoidance. Therefore, this factor would have no impact on the overall value-impact analysis.

In response to the OCRE's comments, the Commission follows a specific process by which rules are formally promulgated, but it is not prevented from imposing internal controls on the rulemaking process. For new requirements, the Commission believes that it is empowered to consider the costs of incremental safety improvements wherever those improvements go beyond the level of safety necessary to ensure no undue risk to the public and safety.

GDC 17 requires that nuclear power plants have redundant and reliable electrical supply systems. Each operating plant has such systems, and the Commission has made an adjudicative finding that all operating plants comply with GDC 17; otherwise, a license would not have been issued authorizing operation. The issue in this rulemaking is whether some additional protection is needed beyond that already provided to comply with existing requirements. This does not imply that operating plants are unsafe. The Commission is entitled to inquire, and seek public comment, on whether additional safety measures should be imposed where the benefit to public health and safety outweighs the cost of the improvements.

3. Cost-Benefit Analysis and Whether § 50.63 Meets the "Substantial Increase in the Overall Protection of the Public Health and Safety"

Chairman Zech and Commissioner Roberts requested comments on the analysis of cost benefit, value impact, and safety improvements and the station blackout standing on the overall risk (e.g., is the reduction of risk only a small percentage of the overall risk, or is it a major component of an already small risk?). Chairman Zech and Commissioner Roberts were particularly interested in specific comments assessing whether or not this proposal meets the "substantial increase in the overall protection of the public health and safety..." threshold now required by the backfit rule.

Comments - (A) One of the major comments by industry on the cost-benefit analysis was that the costs of implementing the proposed requirements have been underestimated. NUMARC and the Atomic Industrial Forum (AIF) commented that the cost estimates for hardware modifications reported in NUREG/CR-3840, "Cost Analysis for Potential Modifications to Enhance the Ability of a Nuclear Plant to Endure Station Blackout," were too low. Commonwealth Edison and other utilities felt that performance of an analysis to determine the maximum duration a nuclear plant could cope with a station blackout would be substantially costlier than what is estimated in NUREG-1109. Industry also expressed concern that the interpretations associated with the proposed rule could lead to substantial costs above those addressed by the NRC staff in its backfit analysis.

AIF commented that "The estimate of 120 NRC man-hours per plant [for NRC review] ... appears inadequate to account for technical review and evaluation of the determination of maximum coping capability and of the description of station blackout procedures which the rule would require each licensee to submit."

(B) Several commenters expressed the view that the NRC failed to consider all the risks associated with a station blackout in its value-impact assessment. UCS thought independent failures, in addition to failures that lead to a station blackout, should be included. One individual stated that "both NRC reports [NUREG-1109 and NUREG-1032] are completely deficient in that neither look at sabotage." OCRE commented that seismic events should also be considered.

(C) With respect to safety improvements and overall risk, different points of view were expressed. On one hand, NUMARC commented --

While the risk reduction might be large [for a] limited number of plants, the risk reduction associated with the majority of plants will be small. Thus, as a general matter, the reductions in risk offered by the proposed rule constitute a small percentage of the overall risk, a risk which is already small (and acceptable).

AIF stated that there is no standard by which to conclude that "substantial additional protection will be realized." A different view was expressed by UCS who stated that "station blackout is clearly a major component of the total risk posed by operating nuclear plants. The magnitude of the total risk is largely unknowable due to the enormous uncertainty which surrounds probabilistic assessments."

Response - (A) In order to adequately respond to industry's comments above, the staff and NRC contractors reviewed the cost estimates associated with implementing the station blackout rule. Based on this review, the estimated costs for hardware modifications were reviewed and are in the range of from 20 percent to almost 140 percent greater than the estimates in NUREG/CR-3840, depending on the specific modification considered. On average, the cost estimates for hardware backfit were found to be approximately 80 percent greater than estimated in NUREG/CR-3840. However, the cost estimates in NUREG/CR-3840 were not used by the staff in the value-impact analysis in the draft version of NUREG-1109 where estimates approximately 100 percent greater than the NUREG/CR-3840 estimates were used. Therefore, the revised cost estimates used in the final value-impact analysis are not significantly different from the estimates used in the draft version.

Industry's comments on the costs to assess a plant's capability to cope with a station blackout were based on the proposed rule that required an assessment of the maximum coping capability and the potentially unbounded nature of such an assessment. Based on public comments, the Commission has revised the final rule to modify the requirement for licensees to determine the maximum coping capability. (See response to public comments in subject number 9.) Instead, a coping assessment is required only for a specific duration. The cost for such a study is estimated to be from 70 to 100 percent higher than the original estimates by the staff, and these revised costs are used in the final value-impact analysis.

The staff revised its estimate of the resource burden on NRC for review from 120 to 175 person-hours per reactor. This revision was based on technical review required for other comparable NRC activities.

(B) The technical analyses performed for USI A-44 indicated that the contribution to core damage frequency from independent failures, in addition to failures that must occur to get to a station blackout, is low. Likewise, results of USI A-44 studies and other probabilistic risk assessments have shown that, for station blackout sequences, the contribution to core damage frequency from seismic events is low. Sabotage cannot be analyzed adequately on a probabilistic basis. Even though sabotage was not explicitly considered in the staff's value-impact analysis, it is discussed in NUREG-1109 under other considerations. These considerations support the conclusion that a station blackout rule will provide a substantial safety benefit.

(C) The revised value-impact analysis performed for the resolution of USI A-44 indicates that there are substantial benefits in terms of reduced core damage frequency and reduced risk to the public that result from the station blackout rule, and the costs are warranted in light of these benefits. The best estimate for the overall value-impact ratio is 2,400 person-rem per million dollars. Even if those plants with the highest risk (and therefore the greatest risk reduction) were not considered, the value-impact ratio for the remaining plants is still favorable (i.e., about 1,500 person-rem per million dollars). Recent analyses performed for NUREG-1150, "Reactor Risk Reference Document," indicate that station blackout is a dominant risk contributor to overall risk for most of the six plants analyzed. These results support the comment by UCS in response to the Commissioner's request for comments on this subject.

4. Whether NRC Should Require Substantial Improvements in Safety that Go Beyond Those Proposed in this Rulemaking

Commissioner Asselstine requested comments on whether the NRC should require substantial improvements in safety with respect to station blackout, like those being accomplished in some other countries, which can be achieved at reasonable cost and which go beyond those proposed in this rulemaking.

Comments - NRC received eight letters that included comments on this subject. Five of these were from the nuclear industry, none of which felt that the approach to station blackout taken in European countries should be used to justify safety improvements that go beyond the proposed §50.63. The main justification for industry's argument is that foreign countries may have reasons for requiring activities that differ from, or exceed, those in the U.S. For example, Washington Public Power Supply Systems (WPPSS) commented, "It is not apparent that the details of U.S. grid stabilities and onsite power reliabilities are substantially similar enough to those found abroad to warrant a simple adoption of these [European] measures."

In another comment from industry on this subject, NUMARC stated that there are several reasons why many of the features for coping with a station blackout in new French nuclear power plants may already exist at most U.S. plants. In fact, they said, "the French approach to station blackout does not appear to depart significantly from current regulatory approaches in the U.S." Similarly, AIF stated, "The assertions of extensive station blackout coping capability at foreign (notably European) nuclear power plants are not sufficiently substantiated to serve as even part of the basis for the proposed requirements."

Three other letters (UCS, OCRE and IDNS) supported the NRC rulemaking to require all plants to be able to cope with a station blackout, but urged the Commission to go beyond the proposed rule. IDNS stated that --

The goal of limiting the expected frequency of core damage from station blackout to 10^-5 per reactor year is not sufficiently stringent. With relatively modest modifications to the proposed rule, a frequency of 10^-7 appears achievable at reasonable cost. Specifically, the rule should require no less than 20 hours decay heat removal capacity instead of only four or eight hours in the proposed rule, in the event of a blackout.

Response - The staff agrees with industry's comments that foreign countries may have valid reasons for imposing requirements that differ from or exceed those in the U.S. For example, it appears that there is a higher frequency of losses of offsite power in France than in the U.S. This experience, along with French safety objectives, led the French to design their new standard nuclear power plants to be able to cope with a very long duration station blackout (i.e., up to three days). The French safety approach and their station blackout design features are documented in NUREG-1206, "Analysis of French (Paluel) Pressurized Water Reactor Design Differences Compared to Current U.S. PWR Designs," June 1986. The Commission believes that the staff has adequately considered foreign approaches to station blackout in developing the resolution of USI A-44. It has not been shown that more stringent requirements would be cost beneficial. Although the rule requires plants to be able to cope with station blackout for a specific duration, that duration is not specified in the rule. Guidance to determine an acceptable duration is included in the station blackout regulatory guide. This guidance should apply to most plants, but if there were adequate justification, different requirements (either more or less stringent than the regulatory guide) could be applied to specific plants.

5. The Need for Generic Rulemaking

Comments - Five letters from the nuclear industry commented that generic rulemaking is not necessary to resolve the station blackout issue. Their reasons for this issue were as follows:

A generic rulemaking is inappropriate since the historic number of sites experiencing a loss of all offsite power is small. (Texas Utilities)

The station blackout issue should be handled on a plant-specific basis and does not need to be resolved by generic rulemaking. Each plant has unique probability for a loss-of-power event based on transmission system, location of plant, and onsite power systems. (Duquesne Light)

The Commission need not pursue generic rulemaking in order to resolve a non-generic issue. In the proposed station blackout rule, the number of plants of concern is acknowledged to be limited. (NUMARC)

Station blackout has been found not to be a generic issue. Station blackout risk is plant specific and, according to the staff's own analyses, the proposed requirements are expected to result in modifications at no more than a few facilities, if at any. Requiring all licensees to undertake extensive analyses under the provisions of the proposed rules when only a small group of plants may have a need for remedial action is not appropriate. (AIF)

Response - The Commission believes that a rule is appropriate to ensure that station blackout is addressed at all nuclear power plants. The plant-specific features that contribute to risk for station blackout (e.g., diesel generator configuration, probability of loss of offsite power) are considered in the station blackout regulatory guide to determine an acceptable coping duration for each plant. Even though not all sites have experienced a loss of offsite power, there is not sufficient assurance that such events would not occur in the future. Since historic experience has shown that a total loss of offsite power occurs about once every 10 site years, and many nuclear plants have operated for less than 10 years, it is not surprising that some plants have experienced a loss of offsite power while others have not. Even though it is likely that many plants will not need hardware modifications to comply with the rule, the assessment of station blackout coping capability for a specific duration and implementation of associated procedures will effect a safety benefit for all plants. The "limited number of plants of concern" in NUMARC's letter refers to those plants having the highest risk from station blackout (i.e., those that would need hardware modifications). Without a generically applied assessment, these plants cannot be identified. Even excluding these plants from consideration, the staff's analysis has shown that the improvements in safety associated with the rule are cost beneficial.

6. Applicability of the Proposed §50.63 to Specific Plants

Comments - Four letters included comments or questions regarding the applicability of the rule to specific plants. For example, does the rule apply to high temperature gas cooled reactors (i.e., Fort St. Vrain)? What about TMI-2 or plants that are near completion but will not have an operating license prior to the amendment's effective date? Houston Power and Lighting Company wrote --

Proposed Section 50.63 provides schedular guidance for implementing station blackout-related modifications on plants that already hold operating licenses or will be licensed to operate prior to the effective date of the amendment. Plants who may be NTOL's [near-term operating license] but will not be licensed prior to the amendment's effective date should be accorded the same compliance period under parts (c) and (d) of this section. Otherwise this proposed rule could be interpreted to imply that plants not licensed prior to the effective amendment date must comply with the rule and make all necessary modifications prior to receiving an O.L. [operating license]. The rule should be amended to address plants which are scheduled to receive an O.L. within a short time following implementation of this rule.

Response - Rather than identifying specific plants for which the rule does not apply, §50.63(a) specifies when it does apply (i.e., "each light-water-cooled nuclear power plant licensed to operate"). Since Fort St. Vrain is an HTGR, the generic rule would not apply. Station blackout will be considered individually for that plant based on its unique design. Since TMI-2 is not licensed to operate, likewise, the rule would not apply to that plant. A sentence has been added to §50.63(a) to take into account the comment on NTOLs. Applicants for operating licenses as of the date the rule is issued are required to comply with the rule on the same schedule as those plants already licensed to operate or before an operating license is issued, whichever is later.

7. Plant-Specific Features and Capabilities

Comments - A number of utilities described plant-specific features and capabilities that reduced the risk posed by a station blackout event compared to the staff's analysis. Examples of such features are given below.

Availability of alternate, independent ac power sources such as diesel generators, gas turbines, or nearby "black start" ac power sources.

Extremely reliable offsite power supplies because of multiple right-of-ways or underground feeders to back up above ground transmission lines.

Dedicated shutdown systems and associated diesel generators to meet the fire protection requirements of Appendix R to 10 CFR Part 50.

Common or shared systems between two units at multi-unit sites such as dc power, auxiliary feedwater, or diesel generators.

Response - The analyses performed for USI A-44 clearly show that plant-specific features do affect the risk from station blackout, and the station blackout regulatory guide takes this into account in providing guidance on different acceptable coping durations depending on the most significant of these features. Those plants with extremely reliable offsite and onsite ac power supplies need only have a very short (e.g., 2-hour) coping duration to be acceptable. Plants that have a dedicated shutdown system with its own independent power supply could take credit for this system to cope with a station blackout. The regulatory guide has been clarified to give credit for alternate ac power supplies (see response to subject 11). Therefore, the Commission believes that for almost all sites, plant-specific differences have been adequately accounted for in the resolution of USI A-44, but the door is open to licensees who believe their plants have additional capability that should be considered by the staff in demonstrating compliance with the rule.

8. The Source Term Used to Estimate Consequences

Comments - Letters from NUMARC and others in the industry commented that the consequences of offsite releases that would result from a station blackout event are overestimated, and new source term information would lead to the prediction of much lower consequences for this event. Several commenters felt that the approach taken by the staff to estimate consequences of a station blackout event -- decreasing the estimated consequences of the SST1 siting source term from NUREG/CR-2723, "Estimates of the Financial Consequences of Nuclear Power Reactor Accidents" (September 1982), by a factor of three -- was improper.

AIF felt that "implementation of any requirements resulting from the resolution of USI A-44 should be deferred until the results of the source term research can be taken into account." They based this statement on the premise that if the consequences used in the staff's value-impact analysis were reduced by a factor of 10, none of the alternatives would be feasible. UCS expressed a different point of view in their letter which said "... available evidence indicates that the consequences of an accident involving station blackout may be even worse than those estimated either in WASH-1400 or the NRC's more recent studies."

Response - NRC has had an extensive research effort underway since about 1981 to evaluate severe accident source terms. The staff has reviewed the results of this research to take into account the public comments received on this subject. Since there is still a great deal of uncertainty regarding source terms and associated consequences, the staff revised its value-impact analysis for USI A-44, considering a range of estimates for consequences of a station blackout.

The NRC research on severe accident source terms has resulted in the development of significant new analytical tools by NRC contractors, as discussed in NUREG-0956, "Reassessment of the Technical Bases for Estimating Source Terms," July 1986. The analytical methods developed, generally referred to as the Source Term Code Package (STCP), have been used to analyze a number of severe accident sequences for five reference plants, namely: Peach Bottom, a BWR Mark I design; Sequoyah, a PWR ice condenser; Surry, a PWR with a subatmospheric containment; Grand Gulf, a BWR with a Mark III containment; and Zion, a PWR with a large dry containment (NUREG-1150, "Reactor Risk Reference Document," Draft for Comment, February 1987). The results of these analyses show that releases from station blackout sequences can be expected to vary significantly depending upon the plant and the specific sequence. Although generalizations are difficult, it appears that calculations using the STCP yield release fractions for most of the sequences range from about one third of an SST1 release (for the case of Surry, without condensation) to roughly one order of magnitude less than this. However, the uncertainties in our present understanding also do not preclude the possibility of a large release, approaching that of the SST1 estimate.

To determine the consequences in terms of person-rem, given the above range of release fractions, data taken from NUREG/CR-2723 indicate that the variations in person-rem associated with releases of magnitude SST1, SST2 and SST3 are virtually identical to the variations in latent cancer fatalities for the same three releases. Hence, the estimated change in latent cancer fatalities with release fractions provides a reliable indication of change in person-rem as well. Table 10 in NUREG/CR-2723 presents variations in estimated latent cancer fatalities associated with changes in SST1 release fractions (for all elements except noble gases). This table shows that a release fraction of one third of an SST1 release would yield a value of about 50 percent of the latent cancer fatalities (and person-rem) of an SST1 release. Similarly, a release fraction of one third of an SST1 release would yield an estimated person-rem of about 15 percent of that associated with an SST1 release. Consequently, for value-impact calculations, the staff estimated the range of consequences of station blackout, in terms of person-rem, to be from 0.15 to 0.5 of the estimated person-rem of an SST1 release. As noted, the original value-impact analysis was based on 0.3 times the estimated person-rem of an SST1 release.

With regard to a possible delay in the resolution of USI A-44 until "better" source terms become available, key considerations appear to be when better source terms are likely to become available, and to what degree uncertainties in phenomenology as well as differences between investigators will be resolved. Although research on source terms is expected to continue well into the future, improvements in our knowledge are expected to be largely evolutionary beyond this point, in that the major phenomena appear to have been accounted for, at least in a first-order fashion, both in NRC as well as industry models. Resolution and narrowing of the remaining uncertainties would also benefit from improved experiments and analytical models that are likely to become available gradually. For these reasons, significantly better source terms than those presently available are likely to be forthcoming only after a number of years.

Since the range of severe accident source terms and consequences suggested above from estimating station blackout sequences is sufficiently broad to cover likely improvements in source term knowledge, the resolution of USI A-44 should not be delayed.

9. Specificity on the Extent of Required Coping Studies

Comments - Several letters by industry expressed concern that the studies necessary to demonstrate that a plant can cope with a station blackout are not well defined and could potentially be unbounded. These comments focused on two main points. First, the proposed rule required plants to determine the maximum duration the plant could cope with a station blackout, yet the draft regulatory guide included specific guidance on acceptable coping durations (e.g., 4 or 8 hours). Determining the maximum duration, rather than assessing the plant's capability for a specific acceptable duration, could be an open-ended requirement. Along these lines, NUMARC stated --

Unless the required coping demonstration is specifically bounded by clearly stated definitions, assumptions, and criteria, there could conceivably be hundreds of supporting special effects analyses which licensees may have to consider as a result of the exercise of discretion by individual staff reviewers. Under the rule as proposed, licensees cannot ascertain the ultimate requirements they will be expected to meet (including the potential plant modifications they will need to make) to demonstrate compliance.

Second, industry also commented on the potential open-endedness of analyses to determine the operability of equipment in environmental conditions resulting from a station blackout (e.g., without heating, ventilation, and air conditioning). Unless these analyses were well defined, industry felt the analyses could be much more costly than estimated by the staff. However, NUMARC made the following statement relating to the need for detailed prescriptive requirements by NRC that appears to contradict their earlier statement.

The point .... is not that regulations must be prescriptive by their very nature. Prescriptive regulations, which outline in detail exactly what steps are required by licensees to satisfy a proposed regulation, are, in many instances, unnecessary and counterproductive.

Response - With regard to the proposed requirement to determine the plant's maximum duration for coping with station blackout, the staff agrees with the industry comments. First of all, it would be difficult to adequately define "maximum duration" in this sense. Second, as long as licensees determine that their plants can cope with a station blackout for a specified "acceptable" duration, the additional safety benefits of further assessments are marginally smaller, but the costs could be significantly higher. Therefore, the rule and regulatory guide have been revised accordingly to delete the requirement for licensees to determine a plant's maximum coping capability.

With regard to the comments on assessments to determine equipment operability during a station blackout, the staff feels strongly that such assessments are necessary to determine a plant's response to station blackout. By deleting the requirement to determine a plant's "maximum" coping capability, the assessment of equipment operability would not be as costly as assumed by industry.

Guidance on acceptable coping assessments is provided in the station blackout regulatory guide. Also, additional work was done by an American Nuclear Society working group to develop a draft standard ANS 58.12, "Criteria for Establishing Response Capability for Loss of All ac Power (Station Blackout) at Light Water Reactor Nuclear Power Plants." Efforts such as this could provide additional definitions, criteria, and standards for licensees' assessments of equipment operability without the need for "prescriptive regulations" by NRC.

In order to evaluate further industry's comments on this subject, NRC requested Sandia National Laboratories to identify specific tasks necessary to determine operability of equipment during a station blackout, and estimate the cost to perform these tasks. Results of this study were used in the revised value-impact analysis performed for this issue ("Equipment Operability During Station Blackout Events," SAND 87-0750).

10. Acceptable Duration for Coping with a Station Blackout

Comments - Several comments with differing views were directed at guidance in the draft regulatory guide on acceptable station blackout coping durations in order for plants to comply with the proposed rule.

Washington Public Power Supply commented that "it should be possible for certain utilities to demonstrate [an acceptable] zero hour blackout." One individual recommended "that a 30 minute period be a margin, and that no duration under 4 hours be accepted by the staff." NucleDyne Engineering commented that "advanced reactors should require the capability to safely withstand a station blackout of at least 8 hours," and IDNS wrote that "the rule should require no less than 20 hours decay heat removal capability instead of only 4 or 8 hours."

Response - Although a diversity of comments was received on this subject, none provided supporting analysis or information to back up the opinions expressed. However, the staff did re-analyze the estimated risk from station blackout events for different plant and site related characteristics and revised its guidance on acceptable coping durations accordingly based on a goal of limiting the average contribution to core damage from station blackout to about 10^-5 per reactor-year. Most plants would still need a 4 or 8-hour coping capability. Those few plants with the most redundant onsite emergency ac power system, coincident with significantly lower than average expected frequency of loss of offsite power would need only a 2-hour capability to be acceptable. Any plant with minimum redundancy in the onsite emergency ac power system coincident with low reliability and a significantly higher than average expected frequency of loss of offsite power would need to substantially improve its ac power reliability or be able to cope with a station blackout for more than 8 hours.

11. Credit for Alternate or Diverse AC Power Sources

Comments - Ten letters from the utility industry commented that more credit should be allowed for the availability of alternate power sources such as onsite gas turbines. The two comments below represent the utilities' viewpoint.

The station blackout rule should be clarified to allow credit for diverse and very reliable offsite power sources or diverse and very reliable onsite electrical generation. (Public Service Company of Colorado)

The option of providing an additional alternate source of ac power is eliminated by [the proposed resolution]. The inconsistency in this approach can best be understood by considering an example at a generic nuclear power station. If the licensee were to provide an additional independent diesel generator capable of providing the necessary ac power to prevent station blackout, the licensee ... would still be required to withstand at least 4 hours without ac power. They would receive no credit for the additional diesel generator in the coping analysis. If the licensee were to use that same diesel engine to power a charging pump, even though it would be of less significance to mitigation of reactor core damage than the diesel generator, the licensee could take credit for it in coping with the blackout. Since a diesel charging pump will not provide for equipment loading flexibility, lighting, ventilation, instrumentation, etc., it is obviously of lower value than an additional source of ac power. The fixed category approach taken in [the proposed resolution], however, will not permit taking credit for the same diesel engine when used as a generator though the actual reliability for the machine is the same. (Toledo Edison)

Response - The proposed resolution did not intend to ignore the alternative of adding additional power sources or taking credit for such sources if they already exist. For example, as specified in the regulatory guide, if a licensee added an emergency diesel generator to one of its plants that had minimum redundancy in the onsite emergency ac power system, the acceptable station blackout coping duration could be reduced. For some plants, however, adding a diesel generator would not result in a reduction in the acceptable coping duration, and the point made by Toledo Edison is a valid one. The regulatory guide has been revised to clarify that alternate power sources may be given credit to comply with the rule provided that certain criteria are met (e.g., independence, diversity, high reliability, maintenance, and testing).
12. Trends on the Reliability of AC Power Sources Comments -'Five letters included comments on the reliability of ac power sources. Four letters from industry. felt that improved ac power reliability -

should be factored into the staff's technical analysis. Examples of these comments include the following:

                 "... the frequency of loss of offsite power activities has been decreasing..." (Washington Public Power Supply System);
                  ... offsite power availability in the absence of regulation has significantly improved over the past decade." (Southern California Edison Company);
                "[NUREG/CR-4347] ... shows an improvement in diesel generator reliability over   that shown Electric);   and in the earlier document [NUREG/CR-2989]." (General
                " Typically the reliability of onsite power systems increases during the first few years following startup." (Gulf States Utilities)

IDNS on the other hand felt that potential vulnerabilities still exist in onsite emergency ac power systems, and licensees should demonstrate that they have taken steps to reduce the probability of loss of ac power. Response - The staff and its contractors have extensively analyzed the industry experience and trends in ac power reliability as documented in NUREG-1032, NUREG/CR-2989, NUREG/CR-3992, and NUREG/CR-4347. Trends have shown that two aspects of ac power reliability have improved somewhat -- the reduced frequency of losses of offsite power due to plant-centered events, and a slight improvement in average diesel generator reliability from 1976 through 1983. These factors have been taken into account in the staff's analyses and the resolution of USI A-44. However, data also demonstrate that there are practical limits on ac power reliability, and the defense-in-depth approach of being able to cope with a station blackout is warranted, i


13. Sharing of Emergency Diesel Generators Between Units at Multi-Unit Sites.

Comments - Several letters from industry stated that some plants with two units on a site have the capability to crosstie electrical buses between units and therefore have improved flexibility in providing ac power. Since the magnitude of the electrical loads necessary to provide core cooling during a station blackout is significantly less than that required for a design basis accident, it could be possible to provide ac power to both units at the site using only a single diesel generator.

Response - The proposed rule and draft regulatory guide do not prohibit the approach discussed above. If licensees can demonstrate that such crosstie capability exists; procedures are in place to accomplish the crosstie and shed nonessential loads, if necessary; and no NRC regulations are violated (such as separation and independence), then credit would be given for this capability as shown in the station blackout regulatory guide (e.g., reduced acceptable station blackout coping durations for greater diesel generator redundancy).

14. Clarification of the Definitions of Station Blackout and Diesel Generator Failures.

Comments - (A) Three letters from the utility industry recommended that the definition of station blackout in §50.2 should be clarified to exclude ac power from the station batteries through inverters. This source of ac power from the station batteries would be available in the event of a loss of both the offsite and onsite emergency ac power sources (i.e., diesel generators). (B) Several industry letters commented that the definition of diesel generator failure should be clarified, particularly with respect to the treatment of short-term failures that can be recovered quickly. A letter from Sargent and Lundy Engineers commented that --

A definition of failure on demand for emergency diesel generators needs to be provided. Under the context of a station blackout, a diesel generator which fails to start automatically upon detection of an offsite power loss, but is successfully started manually from the main control room or from the local control panel, should not be considered a failure on demand.

Response - (A) The staff agrees with comment A and revised the definition of station blackout accordingly. (B) Based on actual experience, failures of diesel generators to start due to failures in the auto-start system make up less than 20 percent of all diesel generator failures. Therefore, discounting these failures would not have a significant impact on overall diesel generator reliability statistics. However, the staff agrees in principle with comment B and has clarified the station blackout regulatory guide so that auto-start failures of diesel generators need not be counted in determining the failure rate if the diesel generator is capable of being started manually immediately after it does not start automatically.

15. Specificity and Clarification of Requirements

Comments - Public comments were received regarding the specificity and clarification of the proposed rule and draft regulatory guide. These ranged from general to specific comments as the following two excerpts indicate:

We are concerned that, if the proposed rule is adopted, the staff will promulgate regulatory guidance criteria which will be unrealistic and excessive, i.e., compounding the event with other accidents, imposing passive failure criteria, applying seismic, environmental qualification and other qualifications to equipment that could otherwise be used in response to such an event, etc. (Maine Yankee Atomic Power Company)

Definitions of P1 and P2 [in Table 3 of the draft Regulatory Guide] use frequency of extremely severe weather and severe weather interchangeably, thus creating confusion in the definition. (Washington Public Power Supply System)


Response - Some of the comments on this subject relate to other subjects discussed elsewhere in this section. Some comments were quite specific while others were general in nature or expressed views that were not substantiated with backup material. The staff has taken these comments into consideration and revised and clarified the rule and regulatory guide accordingly. Work, such as that undertaken by the American Nuclear Society to develop an ANS standard on station blackout, could provide additional criteria and guidance for licensees to follow to comply with the station blackout rule. (See discussion in subject 9).

16. Technical Comments on NUREG-1032

Comments - In addition to comments on the proposed rule and draft regulatory guide, several letters contained comments on the staff's draft technical report, NUREG-1032, "Evaluation of Station Blackout Accidents at Nuclear Power Plants."

Response - NUREG-1032 was issued in draft form for public comment in May 1985 (50 FR 24332). The comments received were reviewed and considered by the staff and resulted in a re-evaluation of the technical analysis. Details of the specific comments and responses are not presented here. Rather, an appendix will be added to the final version of NUREG-1032 to address the public comments. In general, the overall conclusions on the risk from station blackout events did not change significantly. One of the major changes resulting from the re-analysis was a revision to the definitions of plant characteristics, especially the clustering of plants into site and weather-related groups (Appendix A in NUREG-1032). These changes are reflected in revisions to the guidance in the station blackout regulatory guide to determine plant-specific acceptable station blackout coping durations.

17. Relationship of USI A-44 to Other NRC Generic Issues

Comments - The major public comment regarding the relationship of USI A-44 to other NRC generic safety issues was that the proposed rule may not be necessary or should be postponed because of ongoing work to resolve related generic issues.

Some comments were general in nature such as the following one from Southern California Edison Company:

Promulgation of a final station blackout rulemaking at this time will unnecessarily complicate the final resolution of related generic technical issues... The NRC must develop and implement a program to coordinate the resolution of all power related generic issues prior to finalizing any individual proposed rule.

AIF suggested that the implementation of any requirements for station blackout be deferred until the requirements from USI A-45, Shutdown Decay Heat Removal Requirements, are known and until the effect of source term changes can be evaluated. NUMARC mentioned specific proposed and existing regulatory requirements that should be considered because they could reduce the need for a station blackout rule (e.g., B-56, Diesel Generator Reliability and GI 23, Reactor Coolant Pump Seal Failures). Other related issues mentioned in the public comments were A-30, Adequacy of Safety Related DC Power Supplies, and implementation of safe shutdown facilities to meet the fire protection requirements of Appendix R.

Response - The question that needs to be addressed is "should a requirement be imposed now to reduce risk, or should it be postponed until related issues are resolved sometime in the future?" Potentially, this could result in substantial delays and thereby not resolving generic safety issues in a timely manner. The staff has considered the resolution of USI A-44 in light of the related issues mentioned in the comments. Although these issues are identified as separate tasks within NRC, they are all managed in a well established program that coordinates all related issues. A brief discussion of the most relevant issues is presented below. (Additional information is provided in NUREG-1109, "Regulatory Analysis for the Resolution of Unresolved Safety Issue A-44, Station Blackout.")

Although the recommendations that might result from the resolution of USI A-45 have not yet been issued, only recommendations that involve new or improved decay heat removal systems that are ac power independent or include a separate independent ac power supply would have an effect on USI A-44. Such a new additional system would receive the appropriate credit within the USI A-44 resolution by either changing the emergency ac power configuration group or providing the ability to cope with a station blackout. Well before plant modifications, if any, will be implemented to comply with the station blackout rule, the proposed technical resolution of USI A-45 will be published for public comment. Those plants needing hardware modifications for station blackout could be reevaluated before any actual modifications are made so that any contemplated design changes following from the resolution of USI A-45 can be considered at the same time.

Maintaining emergency diesel generator reliability, the purpose of B-56, is an integral and necessary part of the resolution of USI A-44. However, the Commission believes that additional defense-in-depth is necessary to adequately protect the public health and safety. Likewise, the resolution of GI 23 is necessary to assure the adequacy of reactor coolant pump seal integrity in the event of a station blackout. Although the resolution of this issue is necessary, by itself it is not sufficient to ensure the adequate protection of the public health and safety from station blackout events.

Some licensees have implemented dedicated shutdown systems that are independent of normal and emergency ac power to meet Appendix R requirements. If applicable, these features would be credited in the resolution of USI A-44 by providing the capability to cope with a station blackout.

Thus, the resolution of USI A-44 is coordinated with related generic issues, and implementation of a final resolution should not be delayed further. (Response to comments on the effect of source term changes is included in subject number 8.)

18. An Alternative of Plant-Specific Probabilistic Assessments

Comments - Several utilities suggested that, in lieu of the requirements in the rule, licensees should be permitted to submit plant-specific evaluations to demonstrate that the frequency of core damage from station blackout events is 10⁻⁵ per reactor year or less. In a similar vein, the suggestion was made that NRC should specify a target level of reliability for ac power systems in order to satisfy NRC's criteria for core damage frequency. A few licensees submitted limited probabilistic assessments to show that for some plants station blackout could have a very small probability of severe consequences.

Response - The Commission does not preclude licensees from submitting probabilistic assessments to support a determination that the plant's station blackout coping duration could be less than that specified in the regulatory guide on station blackout. However, the Commission recognizes the potential drawbacks of relying on this approach on an industry-wide basis for the reasons given below.

One detrimental aspect of reliability-based regulation is that it tends to lead to much staff review of the reliability analysis and much discussion with licensees or applicants regarding the adequacy of the analysis in lieu of concentrating on the adequacy of the design. The Commission's experience shows that there is a strong emphasis on fine tuning the model and the data base in order to achieve results directed solely at meeting the numerical criterion.

Also, the Commission does not have any mechanism in place to assure that the reliability analysis would still be applicable over the life of the plant. The Commission's experience to date in implementing reliability goals and the uncertainties associated with the present state-of-the-art in reliability and risk analysis lead us to believe that defense-in-depth, via specific deterministic criteria, is still warranted.

19. Procedures and Operator Actions During Station Blackout

Comments - (A) Several letters from industry commented that, in response to Generic Letter 81-04, "Emergency Procedures and Training for Station Blackout Events," dated February 21, 1981, utilities already have procedures in place to prepare plant operations for station blackout events. Owners groups have established generic guidance for station blackout operating procedures for licensees to use in developing plant-specific procedures. A representative of the Professional Reactor Operator Society commented that --

Generic procedures are used by most operating facilities. These procedures are not carried into adequate depth of specific power plant operations. The industry has relied too heavily on generic procedures and has not given a real look at what specific steps must be taken. Extrapolation of these procedures must be required. Specific maintenance procedures must be established and followed.

(B) Other comments on procedures related to the timeliness of operator actions, both inside and outside the control room. Houston Lighting and Power suggested that --

In Section 3.1 (Part 6), [of the regulatory guide] the first sentence should be revised to read, 'Consideration should be given to timely operator actions both inside and outside of the control room that ...', so that credit can be taken for existing equipment that may not have actuation and control from the control room.

Illinois Power Company recommended that --

... Section C.3.3, Item 3.a, of the proposed regulatory guide should be modified to read:

a. The system should be capable of being actuated and controlled from the control room, or if other means of control are required (e.g., manual jumping of control logics or manual operation of valves), it should be demonstrated that these steps can be carried out in a timely fashion.

Response - (A) Licensees may take credit for station blackout procedures already in place to comply with the station blackout rule. However, for the most part, these procedures were developed without having the benefit of a plant-specific assessment to determine whether a plant could withstand a station blackout for a specific duration. Therefore, these procedures may need to be modified after licensees have determined an acceptable station blackout coping duration and evaluated their plant's response to a station blackout of this duration. (B) The staff agrees with the comments related to operator actions outside the control room, and the regulatory guide was revised accordingly.

20. Schedule Provisions in the Proposed §50.63

Comments - Two letters contained comments on the proposed schedule in §50.63.

OCRE felt the scheduling provisions in the proposed rule were far too generous. One individual recommended that the schedule be modified to require licensees to submit, within 9 months of the date of the amendment, a list of modifications along with a proposed schedule to implement those modifications. (According to the proposed rule, licensees would not have to submit a schedule for implementing equipment modifications until after the staff received and reviewed licensees' submittals on their plant's acceptable station blackout duration.)

Response - The staff agreed in part with these comments, and the schedule was revised accordingly. §50.63(c)(iv) now requires that licensees submit within 9 months after the rule is issued a list of equipment modifications and a proposed schedule for implementing them. A final schedule would be developed after NRC has reviewed the licensees' submittal of their plant's acceptable station blackout duration.

21. Industry Initiatives

Comments - In addition to comments on the proposed rule, NUMARC endorsed the following four initiatives to address the more important contributors to station blackout:

1. Each utility will review their site(s) against the criteria specified in NUREG-1109, and if the site(s) fall into the category of an eight-hour site after utilizing all power sources available, the utility will take actions to reduce the site(s) contribution to the overall risk of station blackout. Non-hardware changes will be made within one year. Hardware changes will be made within a reasonable time thereafter.

2. Each utility will implement procedures at each of its site(s) for:

a. coping with a station blackout event,
b. restoration of ac power following a station blackout event, and
c. preparing the plant for severe weather conditions, such as hurricanes and tornados, to reduce the overall risk of a station blackout event.

3. Each utility will, if applicable, reduce or eliminate cold fast-starts of emergency diesel generators for testing through changes to technical specifications or other appropriate means.

4. Each utility will monitor emergency ac power unavailability utilizing data utilities provide to INPO on a regular basis.

NUMARC opposed generic rulemaking and felt that these initiatives would resolve the station blackout issue.

Response - These initiatives include some of the same elements that are included in the NRC resolution of USI A-44. However, at the time this response was written, details of the NUMARC initiatives were not available to the NRC staff. This made it difficult for the staff to evaluate the benefits of the industry program. For example, the industry initiatives do not include assessments to determine that plants can cope with a station blackout for any period of time. Even so, an attempt was made to estimate the likely impact this initiative would have compared to the station blackout rule and regulatory guide.

The largest risk reduction associated with the industry program would probably result from NUMARC's initiative number one. Assuming that implementing this initiative would result in licensees taking actions to reduce the risk from station blackout for those plants that fall into the category of needing an 8-hour coping capability, the staff estimated the value-impact ratio for the remaining plants. The estimated total cost for these plants to comply with the resolution of USI A-44 is $42 million; the estimated reduction in risk to the public for these plants is 61,000 person-rem; and therefore, the overall value-impact ratio is approximately 1,500 person-rem per million dollars. This analysis supports the conclusion that although the industry initiatives would provide benefits in terms of reducing risk from station blackout events, the recommended resolution provides greater benefits that are cost effective.

Finding of no Significant Environmental Impact Availability

The Commission has determined under the National Environmental Policy Act of 1969, as amended, and the Commission's rules in Subpart A of 10 CFR Part 51, that this rule is not a major Federal action significantly affecting the quality of the human environment, and therefore, an environmental impact statement is not required. There are not any adverse environmental impacts as a result of the rule because there is no additional radiological exposure to the general public or plant employees, and plant shutdown is not required so there are no additional environmental impacts as a result of the need for replacement power.
The environmental assessment and finding of no significant impact on which this determination is based are available for inspection and copying for a fee at the NRC Public Document Room, 1717 H Street, NW, Washington, DC. Single copies of the environmental assessment and the finding of no significant impact are available from Mr. Warren Minners, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 20555, Telephone: (301) 492-7827.

Paperwork Reduction Act Statement

This final rule amends information collection requirements that are subject to the Paperwork Reduction Act of 1980 (44 U.S.C. 3501 et seq.). These requirements were approved by the Office of Management and Budget, approval number 3150-0011.

Regulatory Analysis

The Commission has prepared a regulatory analysis on this final regulation. The analysis examines the costs and benefits of the alternatives considered by the Commission. A copy of the regulatory analysis, NUREG-1109, "Regulatory/Backfit Analysis for the Resolution of Unresolved Safety Issue A-44, Station Blackout," is available for inspection and copying for a fee at the NRC Public Document Room, 1717 H Street, NW, Washington, DC 20555. Copies of NUREG-1109 may be obtained by writing the Distribution Section, Room P-1304, Division of Information Support Service, U.S. Nuclear Regulatory Commission, Washington, DC 20555.

Regulatory Flexibility Certification

As required by the Regulatory Flexibility Act (5 U.S.C. 605(b)), the Commission certifies that this rule does not have a significant economic impact on a substantial number of small entities. The rule requires that nuclear power plants be able to withstand a total loss of ac power for a specified time duration and maintain reactor core cooling during that period. These facilities are licensed under the provisions of 10 CFR 50.21(b) and 10 CFR 50.22. The companies that own these facilities do not fall within the scope of "small entities" as set forth in the Regulatory Flexibility Act or the small business size standards set forth in regulations issued by the Small Business Administration in 13 CFR Part 121.

List of Subjects in 10 CFR Part 50

Antitrust, Classified information, Fire prevention, Incorporation by reference, Intergovernmental relations, Nuclear power plants and reactors, Penalty, Radiation protection, Reactor siting criteria, Reporting and recordkeeping requirements.

For the reasons set out in the preamble and under the authority of the Atomic Energy Act of 1954, as amended, the Energy Reorganization Act of 1974, as amended, and 5 U.S.C. 553, the NRC is adopting the following amendments to 10 CFR Part 50.

Part 50 - Domestic Licensing of Production and Utilization Facilities

1. The authority citation for Part 50 is revised to read as follows:

AUTHORITY: Secs. 102, 103, 104, 105, 161, 182, 183, 186, 189, 68 Stat. 936, 937, 938, 948, 953, 954, 955, 956, as amended, sec. 234, 83 Stat. 1244, as amended (42 U.S.C. 2132, 2133, 2134, 2135, 2201, 2232, 2233, 2236, 2239, 2282); secs. 201, as amended, 202, 206, 88 Stat. 1242, as amended, 1244, 1246, (42 U.S.C. 5841, 5842, 5846).

Section 50.7 also issued under Pub. L. 95-601, sec. 10, 92 Stat. 2951 (42 U.S.C. 5851). Sections 50.10 also issued under secs. 101, 185, 68 Stat. 936, 955, as amended (42 U.S.C. 2131, 2235); sec. 102, Pub. L. 91-190, 83 Stat. 853 (42 U.S.C. 4332). Sections 50.23, 50.35, 50.55, 50.56 also issued under sec. 185, 68 Stat. 955 (42 U.S.C. 2235). Sections 50.33a, 50.55a and Appendix Q also issued under sec. 102, Pub. L. 91-190, 83 Stat. 853 (42 U.S.C. 4332). Sections 50.34 and 50.54 also issued under sec. 204, 88 Stat. 1245 (42 U.S.C. 5844). Sections 50.58, 50.91, and 50.92 also issued under Pub. L. 97-415, 96 Stat. 2073 (42 U.S.C. 2239). Section 50.78 also issued under sec. 122, 68 Stat. 939 (42 U.S.C. 2152). Sections 50.80-50.81 also issued under sec. 184, 68 Stat. 954, as amended (42 U.S.C. 2234). Section 50.103 also issued under sec. 108, 68 Stat. 955 (42 U.S.C. 2237).

For the purposes of sec. 223, 68 Stat. 958, as amended (42 U.S.C. 2273); 50.10(a), (b), and (c) and 50.44, 50.46, 50.48, 50.54, and 50.80(a) are issued under sec. 161b, 68 Stat. 948, as amended (42 U.S.C. 2201(b)); 50.10(b) and (c), and 50.54 are issued under sec. 161i, 68 Stat. 949, as amended (42 U.S.C. 2201(i)); and 50.55(e), 50.59(b), 50.70, 50.71, 50.72, 50.73, and 50.78 are issued under sec. 161o, 68 Stat. 950, as amended (42 U.S.C. 2201(o)).

2. In §50.2, a definition of "station blackout" is added in the alphabetical sequence to read as follows:

§50.2 Definitions

"Station blackout" means the complete loss of alternating current (ac) electric power to the essential and nonessential switchgear buses in a nuclear power plant (i.e., loss of power from the offsite electric power system concurrent with turbine trip and unavailability of the onsite emergency ac power system). Station blackout does not include the loss of available ac power to buses fed by station batteries through inverters.

3. A new §50.63 is added to read as follows:

§50.63 Loss of all alternating current power.

(a) Requirements. Each light-water-cooled nuclear power plant licensed to operate must be able to withstand and recover from a station blackout as defined in §50.2 for a specified duration in accordance with the requirements in paragraph (e) of General Design Criterion 17 of Appendix A of this part. Applicants for operating licenses as of [insert the effective date of this amendment] must comply with this rule on the same schedule as those plants already licensed to operate or before an operating license is issued, whichever is later.

(b) Limitation of Scope. Paragraphs (c) and (d) of this section do not apply to those plants licensed to operate prior to [insert the effective date of this amendment] if the capability to withstand station blackout was considered in the operating license proceeding and a specified duration was accepted as the licensing basis for the facility.

(c) Implementation - Determination of Station Blackout Duration.

(1) For each light-water-cooled nuclear power plant licensed to operate on or before [insert the effective date of this amendment], the licensee shall submit to the Director of the Office of Nuclear Reactor Regulation by [insert a date 270 days after the effective date of this amendment]:

(i) A proposed station blackout duration to be used in determining compliance with paragraph (e) of General Design Criterion 17 of Appendix A of this part, including a justification for the selection based on --

(A) The redundancy of the onsite emergency ac power sources;
(B) The reliability of the onsite emergency ac power sources;
(C) The expected frequency of loss of offsite power; and
(D) The probable time needed to restore offsite power;

(ii) An identification of the factors, if any, that limit the capability of the plant to meet the requirements of paragraph (e) of Criterion 17 for the specified station blackout duration proposed in the response to paragraph (c)(1)(i) of this section;

(iii) A description of the procedures that have been established for station blackout events for the duration determined in paragraph (c)(1)(i) of this section and for recovery therefrom; and

(iv) A list of modifications to equipment and associated procedures necessary, if any, to meet the requirements of paragraph (e) of Criterion 17 for the specified station blackout duration determined in paragraph (c)(1)(i) of this section, and a proposed schedule for implementing the stated modifications.

(2) After consideration of the information submitted in accordance with paragraph (c)(1) of this section, the Director, Office of Nuclear Reactor Regulation, will notify the licensee of the Director's determination of the specified station blackout duration to be used in determining compliance with paragraph (e) of General Design Criterion 17 of Appendix A of this part.

(d) Implementation - Schedule for Implementing Equipment Modifications.

(1) For each light-water-cooled nuclear power plant licensed to operate on or before [insert the effective date of this amendment], the licensee shall, within 180 days of the notification provided in accordance with paragraph (c)(2) of this section, submit to the Director of the Office of Nuclear Reactor Regulation a schedule for implementing any equipment and associated procedure modifications necessary to meet the requirements of paragraph (e) of General Design Criterion 17 of Appendix A of this part. This submittal must include an explanation of the schedule and a justification if the schedule does not provide for completion of the modifications within two years of the notification provided in accordance with paragraph (c)(2) of this section.

(2) The licensee and the NRC staff shall mutually agree upon a final schedule for implementing modifications necessary to comply with the requirements of paragraph (e) of Criterion 17.


4. In Appendix A, General Design Criterion 17 is revised to read as follows:

APPENDIX A--General Design Criteria for Nuclear Power Plants

II. Protection by Multiple Fission Product Barriers

* * * * *

Criterion 17-Electric power systems. (a) An onsite electric power system and an offsite electric power system shall be provided to permit functioning of structures, systems, and components important to safety. The safety function for each system (assuming the other system is not functioning) shall be to provide sufficient capacity and capability to assure that (1) specified acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded as a result of anticipated operational occurrences and (2) the core is cooled and containment integrity and other vital functions are maintained in the event of postulated accidents.

(b) The onsite electric supplies, including the batteries, and onsite electric distribution system, shall have sufficient independence, redundancy, and testability to perform their safety functions assuming a single failure.

(c) Electric power from the transmission network to the onsite electric distribution system shall be supplied by two physically independent circuits (not necessarily on separate rights of way) designed and located so as to minimize to the extent practical the likelihood of their simultaneous failure under operating and postulated accident and environmental conditions. A switchyard common to both circuits is acceptable. Each of these circuits shall be designed to be available in sufficient time following a loss of all onsite alternating current power supplies and the other offsite electric power circuit, to assure that specific acceptable fuel design limits and design conditions of the reactor coolant pressure boundary are not exceeded. One of these circuits shall be designed to be available within a few seconds following a loss-of-coolant accident to assure that core cooling, containment integrity, and other vital safety functions are maintained.

(d) Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.

(e) The reactor core and associated coolant, control, and protection systems, including the station batteries, shall provide sufficient capacity and capability to assure that the core is cooled and containment integrity is maintained in the event of a station blackout (as defined in §50.2) for a specified duration. The following factors shall be considered in specifying the station blackout duration: (1) the redundancy of the onsite emergency ac power sources, (2) the reliability of the onsite emergency ac power sources, (3) the expected frequency of loss of offsite power, and (4) the probable time needed to restore offsite power.

Dated at Washington, DC, this ____ day of ________ 1987.

For the Nuclear Regulatory Commission.

Samuel J. Chilk
Secretary of the Commission.

Underlined text indicates additional paragraph to GDC 17.

BACKFIT ANALYSIS

Analysis and Determination That the Rulemaking to Amend 10 CFR 50 Concerning Station Blackout Complies With the Backfit Rule 10 CFR 50.109

The Commission's existing regulations establish requirements for the design and testing of onsite and offsite electrical power systems (10 CFR Part 50, Appendix A, General Design Criteria 17 and 18). However, as operating experience has accumulated, the concern has arisen regarding the reliability of both the offsite and onsite emergency ac power systems. These systems provide power for various safety systems including reactor core decay heat removal and containment heat removal which are essential for preserving the integrity of the reactor core and the containment building, respectively. In numerous instances emergency diesel generators have failed to start and run during tests conducted at operating plants. In addition, a number of operating plants have experienced a total loss of offsite electric power, and more such occurrences are expected. Existing regulations do not require explicitly that nuclear power plants be designed to withstand the loss of all ac power for any specified period.

This issue has been studied by the staff as part of Unresolved Safety Issue (USI) A-44, "Station Blackout." Both deterministic and probabilistic analyses were performed to determine the timing and consequences of various accident sequences and to identify the dominant factors affecting the likelihood of core melt accidents from station blackout. These studies indicate that station blackout can be a significant contributor to the overall plant risk. Consequently, the Commission is amending its regulations to require that plants be capable of withstanding a total loss of ac power for a specified duration and to maintain reactor core cooling during that period.

An analysis of the benefits and costs of implementing the station blackout rule is presented in NUREG-1109, "Regulatory/Backfit Analysis for the Resolution of Unresolved Safety Issue A-44, Station Blackout."⁶ The estimated benefit from implementing the station blackout rule is a reduction in the frequency of core damage per reactor year due to station blackout and the associated risk of offsite radioactive releases. The risk reduction for 100 operating reactors is estimated to be 145,000 person-rems.

The cost for licensees to comply with the rule would vary depending on the existing capability of each plant to cope with a station blackout, as well as the specified station blackout duration for that plant. The costs would be primarily for licensees (1) to assess the plant's capability to cope with a station blackout, (2) to develop procedures, (3) to improve diesel generator reliability if the reliability falls below certain levels, and (4) to retrofit plants with additional components or systems, as necessary, to meet the requirements.

The estimated total cost for 100 operating reactors to comply with the resolution of USI A-44 is about $60 million. The average cost per reactor would be around $600,000, ranging from $350,000, if only a station blackout assessment and procedures and training are necessary, to a maximum of about $4 million if substantial modifications are needed, including requalification of a diesel generator.

The overall value-impact ratio, not including accident avoidance costs, is about 2,400 person-rems averted per million dollars. If the net cost, which includes the cost savings from accident avoidance (i.e., cleanup and repair of onsite damages and replacement power following an accident) were used, the overall value-impact ratio would improve significantly to about 6,100 person-rems averted per million dollars.

⁶ Draft NUREG-1109 was issued for public comment in January 1986. Copies of this report are available for inspection and copying for a fee at the NRC Public Document Room, 1717 H Street, NW, Washington, DC 20555.

This analysis supports a determination that a substantial increase in the protection of the public health and safety will be derived from backfitting the requirements in the station blackout rule, and the backfit is justified in view of the direct and indirect costs of implementing the rule. This does not imply that operating plants are unsafe. Rather, the rule will provide additional protection beyond that already provided to comply with currently existing requirements, and the benefit to public health and safety outweighs the cost of the improvements.

The preceding quantitative value-impact analysis was one of the factors considered in evaluating the rule, but other factors also played a part in the decision-making process. Probabilistic risk assessment (PRA) studies performed for this USI, as well as some plant-specific PRAs, have shown that station blackout can be a significant contributor to core melt frequency, and, with consideration of containment failure, station blackout events can represent an important contributor to reactor risk. In general, active systems required for containment heat removal are unavailable during station blackout. Therefore, the offsite risk is higher from a core melt resulting from a station blackout than it is from many other accident scenarios.

Although there are licensing requirements and guidance directed at providing reliable offsite and onsite ac power, experience has shown that there are practical limitations in ensuring the reliability of offsite and onsite emergency ac power systems. Potential vulnerabilities to common cause failures associated with design, operational, and environmental factors can affect ac power system reliability. For example, if potential common cause failures of emergency diesel generators exist (e.g., in service-water or dc power support systems), then the estimated core damage frequency from station blackout events can increase significantly. Also, even though recent data indicate that the average emergency diesel generator reliability has improved slightly since 1976, these data also show that diesel generator failure rates during unplanned demand (e.g., following a loss of offsite power) were higher than that during surveillance tests.


The estimated frequency of core damage from station blackout events is directly proportional to the frequency of the initiating event. Estimates of station blackout frequencies for this USI were based on actual operational experience with credit given for trends showing a reduction in the frequency of losses of offsite power resulting from plant-centered events. This is assumed to be a realistic indicator of future performance. An argument can be made that the future performance will be better than the past. For example, when problems with the offsite power grid arise, they are fixed and, therefore, grid reliability should improve. On the other hand, grid power failures may become more frequent because fewer plants are being built, and more power is being transmitted among regions, thus placing greater stress on transmission lines.

A number of foreign countries, including France, Britain, Sweden, Germany and Belgium, have taken steps to reduce the risk from station blackout events. These steps include adding design features to enhance the capability of the plant to cope with a station blackout for a substantial period of time and/or adding redundant and diverse emergency ac power sources.

The factors discussed above support the determination that additional defense-in-depth provided by the ability of a plant to cope with station blackout for a specific duration would provide substantial increase in the overall protection of the public health and safety, and the direct and indirect costs of implementation are justified in view of this increased protection. The Commission has considered how this backfit should be prioritized and scheduled in light of other regulatory activities ongoing at operating nuclear power plants. Station blackout warrants a high priority ranking based on both its status as an "unresolved safety issue" and the results and conclusions reached in resolving this issue.

As noted in the implementation section of the rule (§50.63(d)), the schedule for equipment modification (if needed to meet the requirements of the rule) shall be mutually agreed upon by the licensee and NRC. Modifications that cannot be scheduled for completion within two years after NRC accepts the licensee's specified station blackout duration must be justified by the licensee.

Analysis of 50.109(c) Factors

1. Statement of the specific objectives that the backfit is designed to achieve

The NRC staff has completed a review and evaluation of information developed over the past six years on Unresolved Safety Issue (USI) A-44, Station Blackout. As a result of these efforts, the NRC is amending 10 CFR Part 50 by adding a new § 50.63, "Station Blackout," and adding a new paragraph (e) to General Design Criterion (GDC) 17, "Electric Power Systems," in Appendix A.

The objective of the station blackout rule is to reduce the risk of severe accidents associated with station blackout by making station blackout a relatively small contributor to total core damage frequency. Specifically, the rule requires all light-water-cooled nuclear power plants to be able to cope with a station blackout for a specified duration and to have procedures and training for such an event. A regulatory guide, to be issued along with the rule, provides an acceptable method to determine the station blackout duration for each plant. The duration is to be determined for each plant based on a comparison of the individual plant design with factors that have been identified as the main contributors to risk of core melt resulting from station blackout. These factors are (1) the redundancy of onsite emergency ac power sources, (2) the reliability of onsite emergency ac power sources, (3) the frequency of loss of offsite power, and (4) the probable time needed to restore offsite power.

2. General description of the activity required by the licensee or applicant in order to complete the backfit

In order to comply with the resolution of USI A-44, licensees will be required to:

- Maintain the reliability of onsite emergency ac power sources at or above specified acceptable reliability levels.

- Develop procedures and training to restore ac power using nearby power sources if the emergency ac power system and the normal offsite power sources are unavailable.

- Determine the duration that the plant should be able to withstand a station blackout based on the factors specified in paragraph (e) of GDC 17.

- Evaluate the plant's actual capability to withstand and recover from a station blackout. This evaluation includes:
  - Verifying the adequacy of station battery power, condensate storage tank capacity, and plant/instrument air for the station blackout duration.
  - Verifying adequate reactor coolant pump seal integrity for the station blackout duration so that seal leakage due to lack of seal cooling would not result in a sufficient primary system coolant inventory reduction to lose the ability to cool the core.
  - Verifying the operability of equipment needed to operate during a station blackout and the recovery from the blackout for environmental conditions associated with total loss of ac power (i.e., loss of heating, ventilation and air conditioning).

- Depending on the plant's existing capability to cope with a station blackout, licensees may or may not need to backfit hardware modifications (e.g., adding battery capacity) to comply with the rule. (See item 8 of this analysis for additional discussion.) Licensees will be required to have procedures and training to cope with and recover from a station blackout.

3. Potential change in the risk to the public from the accidental offsite release of radioactive material

Implementation of the station blackout rule will result in an estimated total risk reduction to the public ranging from '5,000 to 215,000 person-rems with a best estimate of about 145,000 person-rem.

4. Potential impact on radiological exposure of facility employees

For 100 operating reactors, the estimated total reduction in occupational exposure resulting from reduced core damage frequencies and associated post-accident cleanup and repair activities is 1,500 person-rem. No increase in occupational exposure is expected from operation and maintenance activities associated with the rule. Equipment additions and modifications contemplated do not require work in and around the reactor coolant system and therefore are not expected to result in significant radiation exposure.

5. Installation and continuing costs associated with the backfit, including the cost of facility downtime or the cost of construction delay

For 100 operating reactors, the total estimated cost associated with the station blackout rule ranges from $42 to $94 million with a best estimate of $60 million. This estimate breaks down as follows:

| Activity | Estimated number of reactors | Best estimate (million dollars) | High estimate (million dollars) | Low estimate (million dollars) |
|---|---|---|---|---|
| Assess plant's capability to cope with station blackout | 100 | 25 | 40 | 20 |
| Develop procedures and training | 100 | 10 | 15 | 5 |
| Improve diesel generator reliability | 10 | 2.5 | 4 | 1.5 |
| Requalify diesel generator | 2 | 5.5 | 11 | 2.5 |
| Install hardware to increase plant's capability to cope with station blackout | 27 | 17 | 24 | 13 |
| Totals | | 60 | 94 | 42 |


6. The potential safety impact of changes in plant or operational complexity, including the relationship to proposed and existing regulatory requirements

The rule requiring plants to be able to cope with a station blackout should not add to plant or operational complexity. The station blackout rule is closely related to several NRC generic programs and proposed and existing regulatory requirements as the following discussion indicates.

Generic Issue B-56, Diesel Generator Reliability

The resolution of USI A-44 includes a regulatory guide on station blackout that specifies the following guidance on diesel generator reliability (Task SI 501-4, Sections C1.1. and 2):

The reliable operation of the onsite emergency ac power sources should be ensured by a reliability program designed to monitor and maintain the reliability of each power source over time at a specified acceptable level and to improve the reliability if that level is not achieved. The reliability program should include surveillance testing, target values for maximum failure rate, and a maintenance program. Surveillance testing should monitor performance so that if the actual failure rate exceeds the target level, corrective actions can be taken.

The maximum emergency diesel generator failure rate for each diesel generator should be maintained at 0.05 failure per demand. However, for plants having an emergency ac power system [configuration requiring two-out-of-three diesel generators or having a total of two diesel generators shared between two units at a site], the emergency diesel generator failure rate for each diesel generator should be maintained at 0.025 failure per demand or less.

The resolution of B-56 will provide specific guidance for use by the staff or industry to review the adequacy of diesel generator reliability programs consistent with the resolution of USI A-44.

Generic Issue 23, Reactor Coolant Pump Seal Failures

Reactor coolant pump (RCP) seal integrity is necessary for maintaining primary system inventory during station blackout conditions. The estimates of core damage frequency for station blackout events for USI A-44 assumed that RCP seals would leak at a rate of 20 gallons per minute. Results of analyses performed for GI 23 will provide the information necessary to determine RCP seal behavior during a station blackout. Should this analysis conclude that there is a high probability that the RCP seals would not leak excessively during a station blackout, then no modifications would be required. If there is a significant probability that RCP seals can leak at rates substantially higher than 20 gallons per minute, then modifications such as an ac-independent RCP seal cooling system may be necessary to resolve GI 23. Any proposed backfit resulting from the resolution of GI 23 would need to comply with the backfit rule.

USI A-45, Shutdown Decay Heat Removal Requirements

The overall objective of USI A-45 is to evaluate the adequacy of current licensing design requirements to ensure that the nuclear power plants do not pose an unacceptable risk as a result of failure to remove shutdown decay heat. The study includes an assessment of alternative means of shutdown decay heat removal and of diverse "dedicated" systems for this purpose. Results will include proposed recommendations regarding the desirability of, and possible design requirements for, improvements in existing systems or an alternative dedicated decay heat removal method.

The USI A-44 concern for maintaining adequate core cooling under station blackout conditions can be considered a subset of the overall A-45 issue. However, there are significant differences in scope between these two issues. USI A-44 deals with the probability of loss of ac power, the capability to remove decay heat using systems that do not require ac power, and the ability to restore ac power in a timely manner. USI A-45 deals with the overall reliability of the decay heat removal function in terms of response to transients, small break loss-of-coolant accidents, and special emergencies such as fires, floods, seismic events, and sabotage.

Although the recommendations that might result from the resolution of USI A-45 are not yet final, some could affect the station blackout capability, while others would not. Recommendations that involve a new or improved decay heat removal system that is ac power dependent but that does not include its own dedicated ac power supply would have no effect on USI A-44. Recommendations that involve an additional ac-independent decay heat removal system would have a very modest effect on USI A-44.

Recommendations that involve an additional decay heat removal system with its own ac power supply would have a significant effect on USI A-44. Such a new additional system would receive the appropriate credit within the USI A-44 resolution by either changing the emergency ac power configuration group or providing the ability to cope with a station blackout for an extended period of time. Well before plant modifications, if any, will be implemented to comply with the station blackout rule, the proposed technical resolution of USI A-45 will be published for public comment. Those plants needing hardware modifications for station blackout could be reevaluated before any actual modifications are made so that any contemplated design changes resulting from the resolution of USI A-45 can be considered at the same time.

Generic Issue A-30, Adequacy of Safety-Related DC Power Supply

The analysis performed for USI A-44 assumed that a high level of dc power system reliability would be maintained so that (1) dc power system failures would not be a significant contributor to losses of all ac power and (2) should a station blackout occur, the probability of immediate dc power system failure would be low. Whereas Generic Issue A-30 focuses on enhancing battery reliability, the resolution of USI A-44 is aimed at assuring adequate station battery capacity in the event of a station blackout of a specified duration. Therefore, these two issues are consistent and compatible.

Fire Protection Program

10 CFR 50.48 states that each operating nuclear power plant shall have a fire protection plan that satisfies GDC 3. The fire protection features required to satisfy GDC 3 are specified in Appendix R to 10 CFR 50. They include certain provisions regarding alternative and dedicated shutdown capability.

To meet these provisions, some licensees have added, or plan to add, improved capability to restore power from offsite sources or onsite diesels for the shutdown system. A few plants have installed a safe shutdown facility for fire protection that includes a charging pump powered by its own independent ac power source. In the event of a station blackout, this system can provide makeup capability to the primary coolant system as well as reactor coolant pump seal cooling. This could be a significant benefit in terms of enhancing the ability of a plant to cope with a station blackout. Plants that have added equipment to achieve alternate safe shutdown in order to meet Appendix R requirements could take credit for that equipment, if available, for coping with a station blackout event.

7. The estimated resource burden on the NRC associated with the backfit and the availability of such resources

The estimated total cost for NRC review of industry submittals required by the station blackout rule is $1.5 million based on submittals for 100 reactors and an estimated average of 175 person-hours per reactor.

8. The potential impact of differences in facility type, design, or age on the relevancy and practicality of the backfit

The station blackout rule applies to all pressurized water reactors and boiling water reactors. However, in determining an acceptable station blackout coping capability for each plant, differences in plant characteristics relating to ac power reliability (e.g., number of emergency diesel generators, the reliability of the offsite and onsite emergency ac power systems) could result in different acceptable coping capabilities. For example, plants with an already low risk from station blackout because of multiple, highly reliable ac power sources are required to withstand a station blackout for a relatively short period of time; and few, if any, hardware backfits would be required as a result of the rule. Plants with currently higher risk from station blackout are required to withstand somewhat longer duration blackouts; and, depending on their existing capability, may need some modifications to achieve the longer station blackout capability.

9. Whether the backfit is interim or final and, if interim, the justification for imposing the backfit on an interim basis

The station blackout rule is the final resolution of USI A-44; it is not an interim measure.

NUREG-1109

Regulatory/Backfit Analysis for the Resolution of Unresolved Safety Issue A-44, Station Blackout

Manuscript Completed:

A. M. Rubin

Office of Nuclear Regulatory Research
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, DC 20555

ABSTRACT

"Station Blackout" is the complete loss of alternating current (ac) electric power to the essential and nonessential buses in a nuclear power plant; it results when both offsite power and the onsite emergency ac power systems are unavailable. Because many safety systems required for reactor core decay heat removal and containment heat removal depend on ac power, the consequences of a station blackout could be severe. Because of the concern about the frequency of loss of offsite power, the number of failures of emergency diesel generators, and the potentially severe consequences of a loss of all ac power, "Station Blackout" was designated as Unresolved Safety Issue (USI) A-44.

This report presents the regulatory/backfit analysis for USI A-44. It includes: (1) a summary of the issue, (2) the recommended technical resolution, (3) alternative resolutions considered by the Nuclear Regulatory Commission (NRC) staff, (4) an assessment of the benefits and costs of the recommended resolution, (5) the decision rationale, (6) the relationship between USI A-44 and other NRC programs and requirements, and (7) a backfit analysis demonstrating that the resolution of USI A-44 complies with the Backfit Rule (10 CFR 50.109).


TABLE OF CONTENTS

ABSTRACT
LIST OF TABLES
PREFACE
ACKNOWLEDGEMENTS
EXECUTIVE SUMMARY

1 STATEMENT OF THE PROBLEM
2 OBJECTIVES
3 ALTERNATIVE RESOLUTIONS
  3.1 Alternative (i)
  3.2 Alternative (ii)
  3.3 Alternative (iii)
  3.4 Alternative (iv)
  3.5 Alternative (v)
4 CONSEQUENCES
  4.1 Costs and Benefits of Alternative Proposed Resolutions
    4.1.1 Alternative (i)
    4.1.2 Alternative (ii)
    4.1.3 Alternative (iii)
    4.1.4 Alternative (iv)
    4.1.5 Alternative (v)
  4.2 Impacts on Other Requirements
    4.2.1 Generic Issue B-56, Diesel Generator Reliability
    4.2.2 USI A-45, Shutdown Decay Heat Removal Requirements
    4.2.3 Generic Issue B-23, Reactor Coolant Pump Seal Failures
    4.2.4 Generic Issue A-30, Adequacy of Safety-Related DC Power Supply
    4.2.5 Regulatory Guide 1.108, Periodic Testing of Diesel Generator Units Used as Onsite Electric Power Systems at Nuclear Power Plants
    4.2.6 Fire Protection Program for Nuclear Power Facilities
    4.2.7 Generic Issue 124, Auxiliary Feedwater System Reliability
    4.2.8 Multiplant Action Items B-23 and B-48, Degraded Grid Voltage Adequacy of Station Electric Distribution Voltage
    4.2.9 Severe Accident Program
  4.3 Constraints
5 DECISION RATIONALE
  5.1 Commission's Safety Goals
  5.2 Station Blackout Reports
    5.2.1 NUREG-1032, Evaluation of Station Blackout Accidents at Nuclear Power Plants
    5.2.2 NUREG/CR-3226, Station Blackout Accident Analysis
    5.2.3 NUREG/CR-2989, Reliability of Emergency AC Power Systems at Nuclear Power Plants
    5.2.4 NUREG/CR-4347, Emergency Diesel Generator Operating Experience, 1981-1983
    5.2.5 NUREG/CR-3992, Collection and Evaluation of Complete and Partial Losses of Offsite Power at Nuclear Power Plants
6 IMPLEMENTATION
  6.1 Schedule for Implementation of the Station Blackout Rule
  6.2 Relationship to Other Existing or Proposed Requirements
7 REFERENCES

APPENDICES
APPENDIX A BACKFIT ANALYSIS
APPENDIX B WORKSHEETS FOR COST ESTIMATES

LIST OF TABLES

1 Acceptable station blackout duration capability
2 Emergency ac power configuration groups
3 Offsite power design configuration groups
4 Definitions of independence of offsite power sources (I)
5 Definitions of severe weather groups (SW)
6 Definitions of severe weather recovery groups (SWR)
7 Definitions of extremely severe weather groups (ESW)
8 Estimated number of reactors having similar characteristics
9 Examples of reduction in frequency of core melt per reactor year
10 Estimated costs for industry to comply with the resolution of USI A-44
11 Discounted present value of avoided onsite property damage for 100 reactors
12 Value-impact summary for station blackout resolution
13 Implementation schedule for final station blackout rule

LIST OF FIGURES

1 Schematic diagram of electrically independent transmission line
2 Schematic diagram of two switchyards electrically connected (one-unit site)
3 Schematic diagram of two switchyards electrically connected (two-unit site)
4 Comparison of estimated station blackout core damage frequency before and after rule

PREFACE

This report presents the supporting value-impact analysis, backfit analysis and decision rationale for the resolution of USI A-44. The resolution itself consists of a rule that requires nuclear power plants to be able to cope with a station blackout for a specified period, and an associated regulatory guide that provides guidance on an acceptable means to comply with the rule. The NRC staff report that provides data and technical analyses supporting the resolution of this issue is published separately as NUREG-1032. Other NRC contractor NUREG reports published under this task are listed in the Reference section.

The Commission published a proposed station blackout rule in the Federal Register on March 21, 1986 (51 FR 9629) for public comment. In April 1986, the NRC published a draft regulatory guide on station blackout for comment (Task 51-501-4). Previously, in January 1986, NRC published a draft version of this report (NUREG-1109) for comment. All public comments on this issue were reviewed and considered by the staff in formulating the final resolution of USI A-44 and this final version of NUREG-1109. Responses to the public comments are discussed in the supplementary information section of the Notice of Final Rulemaking for the Station Blackout Rule, which is to be published in the Federal Register.

Alan M. Rubin

ACKNOWLEDGEMENTS

(to be added)

EXECUTIVE SUMMARY

This report provides supporting information, including a cost-benefit analysis and a backfit analysis, for the Nuclear Regulatory Commission's (NRC) resolution of Unresolved Safety Issue (USI) A-44, "Station Blackout." The term "station blackout" refers to the complete loss of alternating current (ac) electric power to the essential and nonessential switchgear buses in a nuclear power plant. Station blackout involves the loss of offsite power concurrent with turbine trip and the unavailability of the onsite emergency ac power system. Because many safety systems required for reactor core decay heat removal and containment heat removal depend on ac power, the consequences of station blackout could be severe.

The NRC's concern about station blackout arose because of the accumulated experience regarding the reliability of ac power supplies. In numerous instances emergency diesel generators have failed to start and run during tests conducted at operating plants. In addition, a number of operating plants have experienced a total loss of offsite electric power, and more such occurrences are expected. In almost every one of these loss-of-offsite power events, the onsite emergency ac power supplies were available immediately to supply the power needed by vital safety equipment. However, in some instances, one of the redundant emergency power supplies has been unavailable. In a few cases, there has been a complete loss of ac power, but during these events, ac power was restored in a short time without any serious consequences.

The issue of station blackout involves the likelihood and duration of the loss of offsite power, the redundancy and reliability of onsite emergency ac power systems, and the potential for severe accident sequences after a loss of all ac power. These topics were investigated under Unresolved Safety Issue (USI) Task Action Plan A-44.* In addition to identifying important factors and sequences that could lead to station blackout, the results indicated that actions could be taken to reduce the risk from station blackout events. The issue is of concern for both boiling water reactors (BWRs) and pressurized water reactors (PWRs).

*The technical findings of these investigations are detailed in NUREG/CR-2989, NUREG/CR-3226, NUREG/CR-3992, NUREG/CR-4347 and NUREG-1032.

The evaluation to resolve USI A-44 included deterministic and probabilistic analyses. Calculations to determine the timing and consequences of various accident sequences were performed, and the dominant factors affecting station blackout likelihood were identified. Using this information, simplified probabilistic accident sequence correlations were calculated to estimate the likelihood of core melt accidents resulting from station blackout for different plant design, operational, and location factors. These quantitative estimates were used to give insights on the relative importance of various factors, and those insights, along with engineering judgment, were used to develop the resolution. Thus, the effects of variations in design, operations, and plant location on risk from station blackout events were used to reach a reasonably consistent level of risk in the recommendations developed.

Although there are licensing requirements and guidance directed at providing reliable offsite and onsite ac power, experience has shown that there are practical limitations in ensuring the reliability of offsite and onsite emergency ac power systems. Analyses have shown that core damage frequency can be significantly reduced if a plant can withstand a total loss of ac power until either offsite or onsite emergency ac power can be restored.

Because there is no requirement that plants be able to withstand a loss of both the offsite and onsite emergency ac power systems, the resolution calls for rulemaking to require all plants to be able to cope with a station blackout for a specified duration. A regulatory guide on station blackout* describes a method acceptable to the NRC staff for complying with the rule, and specifies guidance on providing reliable ac electric power supplies. Plants with an already low risk from station blackout are required to withstand a station blackout for a relatively short period of time. These plants probably need few, if any, modifications as a result of the rule. Plants with a currently higher risk from station blackout are required to withstand blackouts of a somewhat longer duration, and, depending on their existing capability, might require modifications (such as increased station battery capacity or condensate storage tank capacity) to meet this requirement. The staff has determined that these modifications are cost-effective in terms of reducing risk to the public.

*Single copies of this regulatory guide may be obtained by writing to Distribution Services, Division of Information Support Services, U.S. NRC, Washington, DC, 20555.

The general objective of the resolution of USI A-44 is to reduce the risk of severe accidents associated with station blackout by making station blackout a relatively small contributor to total core damage frequency. Specific actions called for in the resolution include: (1) maintaining highly reliable ac electric power systems; (2) developing procedures and training to restore offsite and onsite emergency ac power should either one or both become unavailable; and (3), as additional defense-in-depth, ensuring that plants can cope with a station blackout for some period of time, based on the probability of occurrence of a station blackout at the site, as well as on the capability for restoring ac power for that site.

The method to determine an acceptable station blackout duration capability is presented in the regulatory guide. Applications of this guide result in determinations that plants be able to withstand station blackouts of 2, 4 or 8 hours, depending on the plant's specific design and site-related characteristics. Licensees may propose durations different from those specified in the regulatory guide, based on plant-specific factors relating to the reliability of ac power systems.

The benefit from implementing the rule and the regulatory guide is a reduction in the frequency of core damage per reactor year due to station blackout and the associated risk of offsite radioactive releases. The risk reduction for 100 operating reactors is estimated to be 145,000 person-rems.

The cost for licensees to comply with the requirements varies depending on the existing capability of each plant to cope with a station blackout, as well as the plant-specific station blackout duration determined. The costs are primarily to industry to assess the plant's capability to cope with a station blackout, to develop procedures, to improve diesel-generator reliability if the reliability falls below certain levels, and to retrofit plants with additional components or systems, as necessary, to meet the requirements.

The estimated total cost for 100 operating reactors to comply with the resolution of USI A-44 is about $60 million. The average cost per reactor is estimated to be $600,000, ranging from $350,000, if only a station blackout assessment and procedures and training are necessary, to a maximum of about $4 million if substantial modifications are needed, including requalification of a diesel generator.

The overall value-impact ratio, not including accident avoidance costs, is about 2,400 person-rems averted per million dollars. If cost savings from accident avoidance (cleanup and repair of onsite damages and replacement power) were included, the overall value-impact ratio would improve significantly to about 6,100 person-rems averted per million dollars.

Several NRC programs are related to USI A-44, including Diesel Generator Reliability (B-56), Reactor Coolant Pump Seal Failures (Generic Issue 23), Safety-Related DC Power Supplies (A-30), and Shutdown Decay Heat Removal Requirements (USI A-45). These programs are closely coordinated within NRC and are compatible with the resolution of USI A-44.

REGULATORY/BACKFIT ANALYSIS FOR THE RESOLUTION OF UNRESOLVED SAFETY ISSUE A-44, STATION BLACKOUT

1 STATEMENT OF THE PROBLEM

"Station blackout" refers to the complete loss of alternating current (ac) electric power to the essential and nonessential switchgear buses in a nuclear power plant. Station blackout involves the loss of offsite power concurrent with turbine trip and the unavailability of the onsite emergency ac power system. Because many safety systems required for reactor core decay heat removal and containment heat removal depend on ac power, the consequences of station blackout could be severe.

The concern of the Nuclear Regulatory Commission (NRC) about station blackout arose because of the accumulated experience regarding the reliability of ac power supplies. In numerous instances emergency diesel generators have failed to start and run during tests conducted at operating plants. In addition, a number of operating plants have experienced a total loss of offsite electric power, and more occurrences are expected. In almost every one of these loss-of-offsite power events, the onsite emergency ac power supplies were available immediately to supply the power needed by vital safety equipment. However, in some instances, one of the redundant emergency power supplies has been unavailable. In a few cases, there has been a complete loss of ac power, but during these events, ac power was restored in a short time without any serious consequences.

The results of the Reactor Safety Study (NUREG-75/014) showed that for one of the two plants evaluated, a station blackout accident could be an important contributor to the total risk from nuclear power plant accidents. Although this total risk was found to be small, the relative importance of the station blackout accident was established. This finding and the accumulated diesel generator failure experience increased the concern about station blackout.

The issue of station blackout involves the likelihood and duration of losses of offsite power, the redundancy and reliability of onsite emergency ac power systems, and the potential for severe accident sequences after a loss of all ac power. These topics were investigated under Unresolved Safety Issue (USI) Task Action Plan A-44, and the technical findings are reported in detail in NUREG/CR-2989, NUREG/CR-3226, NUREG/CR-3992, NUREG/CR-4347, and NUREG-1032. In addition to identifying important factors and sequences that could lead to station blackout, the results indicated that estimated core damage* frequencies from station blackout vary significantly for different plants but could be on the order of 10^-4 per reactor year for some plants. To reduce this risk, action should be taken to resolve the safety concern stemming from station blackout. The issue is of concern for both pressurized water reactors (PWRs) and boiling water reactors (BWRs).

There is no requirement currently for plants to be able to cope with a station blackout. Existing requirements for offsite and onsite ac power systems are in General Design Criterion (GDC) 17, "Electric Power Systems," of Appendix A to Part 50 of Title 10 of the Code of Federal Regulations (10 CFR 50). They are discussed in Sections 8.2, "Offsite Power Systems," and 8.3.1, "AC Power Systems (Onsite)," of the NRC's "Standard Review Plan for the Safety Review of Nuclear Power Reactors" (NUREG-0800). Testing of emergency diesel generators is discussed in Regulatory Guide (RG) 1.108, "Periodic Testing of Diesel Generator Units Used as Onsite Electric Power Systems at Nuclear Power Plants." Separation and independence of electric power systems are discussed in RG 1.6, "Independence Between Redundant Standby (Onsite) Power Sources and Between Their Distribution Systems," and RG 1.75, "Physical Independence of Electric Systems." SRP Sections 8.3.1 and 9.5.4 through 9.5.8 discuss maintenance and design provisions for the onsite emergency diesels. These licensing requirements and guidance are directed at providing reliable offsite and onsite ac power.

*Analysis has shown that for postulated station blackout events, the difference between the estimated frequency of core damage and core melt is small because of the relatively low probability of recovering ac power and terminating an accident sequence after initial core damage, but before full core melt (NUREG-1032).

Experience has shown that there are practical limits in ensuring the reliability of offsite and onsite emergency ac power systems. Analyses show that core damage frequency can be significantly reduced if a plant can withstand a total loss of ac power until either offsite or onsite emergency ac power can be restored.

2 OBJECTIVES

The general objective of the requirements to resolve USI A-44 is to reduce the risk of severe accidents associated with station blackout by making station blackout a relatively small contributor to the average frequency of core damage for the total population of plants. Specific actions called for in the resolution include: (1) maintaining highly reliable ac electric power systems; (2) developing procedures and training to restore offsite and onsite emergency ac power should either one or both become unavailable; and (3) as additional defense-in-depth, ensuring that plants can cope with a station blackout for some period of time based on the probability of occurrence of a station blackout at the site as well as on the capability for restoring power for that site.

3 ALTERNATIVE RESOLUTIONS

In developing the resolution of USI A-44, the staff considered four specific alternative courses of action. These are discussed below.

3.1 Alternative (i)

To achieve the objectives stated in Section 2 above, the resolution of USI A-44 calls for specific guidance relating to the reliability of offsite and onsite emergency ac power systems, as well as a requirement that plants be able to cope with a station blackout for a specific duration. A summary of the recommendations to resolve this issue is as follows:

(i) The reliability of the onsite emergency ac power sources should be maintained at or above specified acceptable reliability levels.

(ii) Procedures and training should be developed to restore emergency ac power and offsite power using nearby power sources if the emergency ac power system and the normal offsite power systems are unavailable.

(iii) Each nuclear power plant should be able to withstand and recover from a station blackout lasting a specified minimum duration. A regulatory guide entitled "Station Blackout"* provides a method for determining an acceptable plant-specific station blackout duration based on a comparison of a plant's characteristics to those factors that have been identified as the main contributors to risk from station blackout. These factors include: (1) the redundancy of onsite emergency ac power sources (number of sources available for decay heat removal minus the number needed for decay heat removal), (2) the reliability of onsite emergency ac power sources (usually diesel generators), (3) the frequency of loss of offsite power, and (4) the probable time to restore offsite power. The frequency and duration of loss of offsite power are related to grid and switchyard reliability, historical weather data for severe storms, and the availability of nearby alternate power sources (e.g., gas turbines). The staff has concluded (NUREG-1032) that long-duration offsite power outages are caused primarily by severe storms (e.g., hurricanes, ice).

(iv) Each nuclear power plant should be evaluated to determine its capability to withstand and recover from a station blackout of a duration as determined in (iii) above. This evaluation should include such considerations as:

- Verifying the adequacy of station battery power, condensate storage tank capacity, and plant/instrument air for the duration of a station blackout.

- Verifying the adequacy of reactor coolant pump seal integrity for the duration of a station blackout. This should be done by demonstrating, via experiment and/or analysis, that seal leakage due to a lack of seal cooling will not reduce the primary system coolant inventory to the degree that the ability to cool the core during station blackout is lost.

- Verifying that the equipment needed to operate during a station blackout and the recovery from the blackout will be able to operate under the environmental conditions associated with a total loss of ac power (i.e., loss of heating, ventilation, and air conditioning).

(v) If the plant's station blackout capability (as determined in (iv)) is significantly less than the minimum acceptable plant-specific station blackout duration determined in (iii), modifications to the plant may be necessary to increase the time the plant is able to cope with a station blackout. The regulatory guide identifies specific factors to be considered if such modifications are necessary.

(vi) Each nuclear power plant should have procedures and training to cope with a station blackout and to restore normal long-term decay heat removal once ac power is restored.

Because there is no requirement for plants to be able to withstand a loss of both the offsite and onsite emergency ac power systems, the resolution calls for rulemaking to require that all plants be able to cope with a station blackout for a specified duration. The regulatory guide describes a method acceptable to the NRC staff for complying with the rule, and specifies guidance on providing reliable ac electric power supplies. Plants with an already low risk from station blackout are required to withstand a station blackout for a relatively short period of time. These plants probably need few, if any, modifications as a result of the rule. Plants with currently higher risk from station blackout are required to withstand blackouts of somewhat longer duration, and, depending on their existing capability, may require modifications (such as increasing station battery capacity or condensate storage tank capacity). The staff has determined that these modifications are cost-effective in terms of reducing risk to the public.

*Single copies of this guide may be obtained by writing to the Distribution Services, Division of Information Support Services, USNRC, Washington, DC 20555.
The method to determine an acceptable station blackout duration capability, as presented in the regulatory guide, is summarized below. The guide specifies minimum acceptable blackout durations which a plant should be capable of surviving. The minimum duration is from 2 to 16 hours (see Table 1) depending on a plant's design and site-related characteristics. Most plants would fall in either the 4 or 8-hour group. Licensees may propose durations different from those specified in Table 1. Such proposals should be based on plant-specific factors relating to the reliability of ac power systems, such as those discussed in NUREG-1032, and would be reviewed by the NRC staff.

Tables 2 through 7 provide the necessary detailed descriptions and definitions of the various factors used in Table 1. Table 2 identifies different levels of redundancy of the onsite emergency ac power system used to define the emergency ac power configuration groups in Table 1. Table 3 provides definitions of the three offsite power design characteristic groups used in Table 1. The groups are defined according to various combinations of the following factors: (1) independence of offsite power (I), (2) severe weather (SW), (3) severe weather recovery (SWR), and (4) extremely severe weather (ESW). The definitions of the factors I, SW, SWR, and ESW are provided in Tables 4 through 7, respectively. After identifying the appropriate groups from Tables 2 and 3 and the reliability level of the onsite emergency ac power sources, Table 1 can be used to determine the minimum acceptable station blackout duration capability (e.g., 4 or 8 hours) for each plant. The reliable operation of the onsite emergency ac power sources should be ensured by a reliability program designed to monitor and maintain reliability over time at a specified acceptable level and to improve the reliability if that level is not achieved.

One example of an application of this method considers a nuclear power plant that has (1) two diesel generators, one of which is required for ac power for decay heat removal systems; (2) one switchyard and one alternate offsite power circuit, in addition to the normally energized offsite circuit to the Class 1E buses; (3) an estimated frequency of loss of offsite power due to severe weather of .005 per site year; and (4) an annual expectation of storms at the site with winds greater than 125 miles per hour of 0.002 per year. On the basis of this information, this plant is in independence-of-offsite-power group I3 (see Table 4), severe weather group SW2 (see Table 5), severe-weather-recovery group SWR2 (no enhanced recovery for severe weather, Table 6), and extremely-severe-weather group ESW3 (see Table 7). This combination of factors places the plant

Table 1 Acceptable Station Blackout Duration Capability (hours)(a)

                             Emergency AC Power Configuration Group(b)
                                A              B              C            D
Offsite Power Design               Maximum EDG Failure Rate Per Demand
Characteristic Group(c)    0.025   0.05   0.025   0.05   0.025   0.05   0.025
P1                           2       2      4       4      4       4      4
P2                           4       4      4       4      4       8      8
P3                           4       8      4       8      8      16      8

(a) Variations from these times will be considered by the staff if justification, including a cost-benefit analysis, is provided by the licensee. The methodology and sensitivity studies presented in NUREG-1032 (Ref. 2) are acceptable for use in this justification.
(b) See Table 2 to determine emergency ac power configuration group.
(c) See Table 3 to determine groups P1, P2 and P3.

Table 2 Emergency AC Power Configuration Groups(a)

Emergency AC (EAC)      Number of EAC        Number of EAC Power Sources
Power Configuration     Power Sources(b)     Required to Operate AC-Powered
Group                                        Decay Heat Removal Systems(c)
A                            3                    1
                             4                    1
B                            4                    2
                             5                    2
C                            2                    1
                             3                    1
D                            2                    1
                             3                    2
                             4                    3
                             5                    3

(a) Special purpose dedicated diesel generators, such as those associated with high pressure core spray systems at some BWRs, are not counted in the determination of EAC power configuration groups.
(b) If any of the EAC power sources are shared among units at a multi-unit site, this is the total number of shared and dedicated sources for those units at the site.
(c) This number is based on all the ac loads required to remove decay heat (including AC powered decay heat removal systems) to achieve and maintain hot shutdown at all units at the site with offsite power unavailable.
(d) For EAC power sources not shared with other units.
(e) For EAC power sources shared with another unit at a multi-unit site.
(f) For shared EAC power sources in which each diesel generator is capable of providing ac power to more than one unit at a site concurrently.

Table 3 Offsite Power Design Characteristic Groups

Group   Offsite Power Design Characteristics

P1      Sites that have any combination of the following factors:

        I(a)        SW(b)       SWR(c)      ESW(d)
        1 or 2      1 or 2      1 or 2      1 or 2
        1 or 2      1           1 or 2      3
        1 or 2      3           1           1 or 2

P2      All other sites not in P1 or P3.

P3      Sites that have experienced, or could be expected to experience, a total loss of offsite power due to grid failures at a frequency equal to or greater than once in 20 site years; unless the site has procedures to recover ac power from reliable alternate (non-emergency) ac power sources within approximately one-half hour following a grid failure.

        Sites that have any combination of the following factors:

        I SW SWR ESW Any I 5 2 Any I Any ESW Any I 1,2,3, or 4 1 or 2 5 b 1 Any I Any ESW 4 1 or 2 2 1,2,3 or 4 3 2 3 4 3 2 3 or 4

(a) See Table 4 for definitions of independence of offsite power groups (I).
(b) See Table 5 for definitions of severe weather groups (SW).
(c) See Table 6 for definitions of severe weather recovery groups (SWR).
(d) See Table 7 for definitions of extremely severe weather groups (ESW).

Table 4 Definitions of independence of offsite power sources (I) [table text illegible in the scanned source]

-                          o                                                                   nCsh a              t r f

o mel e s h anw ee dt meo _ cc n arow rh p nr on e y e u cf dt d o i eni r ns o e t sh as g pr aet f e ee mm sf t d w oenl o a nop th ei C I uch af A swf o j j

                              ,l

Table 5 Definitions of Severe Weather Groups (SW)

SW Group    Estimated frequency of loss of offsite power due to
            severe weather, f(a) (per site year)
1           f < 0.003
2           0.003 ≤ f < 0.010
3           0.010 ≤ f < 0.030
4           0.030 ≤ f < 0.10
5           0.10 ≤ f

(a) The estimated frequency of loss of offsite power due to severe weather, f, is determined by the following equation:

\[ f = (1.3 \times 10^{-4})\,h_1 + (b)\,h_2 + (0.012)\,h_3 + (c)\,h_4 \]

where

h1 = annual expectation of snowfall for the site, in inches,
h2 = annual expectation of tornadoes (with wind speeds greater than or equal to 113 miles per hour) per square mile at the site,
b = 12.5 for sites with transmission lines on two or more rights-of-way spreading out in different directions from the switchyard, or
b = 72.3 for sites with transmission lines on one right-of-way,
h3 = annual expectation of storms at the site with wind velocities between 75 and 124 mph, and
h4 = annual expectation of hurricanes at the site,
c = 0 if switchyard is not vulnerable to salt spray,
c = 0.78 if switchyard is vulnerable to salt spray.

The annual expectation of snowfall, tornadoes, and storms may be obtained from National Weather Service data from the weather station nearest to the plant or by interpolation, if appropriate, between nearby weather stations. The basis for the empirical equation for the frequency of loss of offsite power due to severe weather, f, is given in Reference 2, Appendix A.

Table 6 Definitions of Severe Weather Recovery Groups (SWR)

SWR Group   Definition
1           Sites with enhanced recovery (i.e., sites that have the capability
            and procedures for restoring offsite (non-emergency) ac power to
            the site within 2 hours following a loss of offsite power due to
            severe weather).
2           Sites without enhanced recovery.

Table 7 Definitions of Extremely Severe Weather Groups (ESW)

ESW Group   Annual expectation of storms at a site with wind velocities
            equal to or greater than 125 miles per hour (e)*
1           e < 3 x 10^-4
2           3 x 10^-4 ≤ e < 1 x 10^-3
3           1 x 10^-3 ≤ e < 3 x 10^-3
4           3 x 10^-3 ≤ e < 1 x 10^-2
5           1 x 10^-2 ≤ e

*The annual expectation of storms may be obtained from National Weather Service data from the weather station nearest to the plant, or by interpolation, if appropriate, between nearby weather stations.
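The group assignments of Tables 5 through 7, written out as an added Python example that is not part of NUREG-1109. The two site records are constructed inputs, and the function and field names are illustrative assumptions.

```python
from bisect import bisect_right

# Group boundaries copied from Tables 5 and 7. A value below the first bound
# is group 1; a value at or above the last bound is group 5.
SW_BOUNDS = (0.003, 0.010, 0.030, 0.10)   # f, per site year (Table 5)
ESW_BOUNDS = (3e-4, 1e-3, 3e-3, 1e-2)     # e, storms >= 125 mph per year (Table 7)


def severe_weather_frequency(snowfall_in, tornadoes_per_sq_mi, storms_75_124,
                             hurricanes, multiple_rights_of_way, salt_spray):
    """Table 5 footnote: f = (1.3e-4)h1 + (b)h2 + (0.012)h3 + (c)h4."""
    inputs = (snowfall_in, tornadoes_per_sq_mi, storms_75_124, hurricanes)
    if any(x < 0 for x in inputs):
        raise ValueError("annual expectations cannot be negative")
    # b depends on how many rights-of-way leave the switchyard.
    b = 12.5 if multiple_rights_of_way else 72.3
    # c applies only when the switchyard is vulnerable to salt spray.
    c = 0.78 if salt_spray else 0.0
    return (1.3e-4 * snowfall_in + b * tornadoes_per_sq_mi
            + 0.012 * storms_75_124 + c * hurricanes)


def group(value, bounds):
    """Map a frequency onto groups 1-5; each lower bound is inclusive."""
    if value < 0:
        raise ValueError("frequency cannot be negative")
    return bisect_right(bounds, value) + 1


def classify_site(site):
    """Return f and the SW, SWR and ESW groups for one site record."""
    f = severe_weather_frequency(
        site["snowfall_in"], site["tornadoes_per_sq_mi"],
        site["storms_75_124"], site["hurricanes"],
        site["multiple_rights_of_way"], site["salt_spray"])
    return {
        "f": f,
        "SW": group(f, SW_BOUNDS),
        # Table 6: group 1 only if offsite ac power can be restored in 2 hours.
        "SWR": 1 if site["restores_offsite_ac_within_2h"] else 2,
        "ESW": group(site["storms_125_plus"], ESW_BOUNDS),
    }


# Constructed site data (not taken from any plant or from the report).
INLAND = {
    "snowfall_in": 40, "tornadoes_per_sq_mi": 1e-4, "storms_75_124": 0.1,
    "hurricanes": 0.0, "multiple_rights_of_way": True, "salt_spray": False,
    "restores_offsite_ac_within_2h": True, "storms_125_plus": 1e-4,
}
COASTAL = {
    "snowfall_in": 0, "tornadoes_per_sq_mi": 5e-5, "storms_75_124": 0.5,
    "hurricanes": 0.05, "multiple_rights_of_way": True, "salt_spray": True,
    "restores_offsite_ac_within_2h": False, "storms_125_plus": 2e-3,
}

if __name__ == "__main__":
    for name, site in (("inland", INLAND), ("coastal", COASTAL)):
        print(name, classify_site(site))
    # Same inland site with all lines on a single right-of-way.
    print("inland, one right-of-way",
          classify_site({**INLAND, "multiple_rights_of_way": False}))
```

For the constructed inland site, routing every transmission line along one right-of-way raises the tornado coefficient from 12.5 to 72.3 and moves the site from SW group 2 to SW group 3.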

[Figure 1. Schematic diagram of electrically independent transmission line (69 kV, 161 kV, and 345 kV lines; generator; Class 1E and nonsafety buses with automatic transfer)]

[Figure 2. Schematic diagram of two switchyards electrically connected (one-unit site) (345 kV and 138 kV switchyards; generator; Class 1E Division 1 and Division 2 and nonsafety buses with automatic transfer)]

[Figure 3. Schematic diagram of two switchyards electrically connected (two-unit site) (500 kV and 230 kV switchyards; Generator 1 and Generator 2; Unit 1 and Unit 2 Class 1E and nonsafety buses)]

in offsite power design characteristic group P2 (see Table 3). Based on the number of diesel generators, the plant is in emergency AC power configuration group C. As indicated in Table 1, if the failure rate of each emergency diesel generator is maintained at 0.025 failure per demand or less, this plant should have the capability to withstand and recover from a station blackout lasting 4 hours or more. If the failure rate of each emergency diesel generator were between 0.025 and 0.05, the acceptable station blackout duration would increase to 8 hours. If the emergency diesel generator failure rate were greater than 0.05, then steps should be taken to improve the diesel generator reliability.

3.2 Alternative (ii)

Alternative (ii) would treat plants uniformly by requiring all plants to be able to cope with station blackout of the same duration.

3.3 Alternative (iii)

Alternative (iii) would require plants with the highest potential risk from station blackout to add either an additional emergency diesel generator or another ac-independent decay heat removal system.

3.4 Alternative (iv)

The Nuclear Utility Management and Human Resources Committee (NUMARC) endorsed the following industry initiatives to resolve the station blackout issue (letter from J. Miller to N. Palladino, 1986):

1. Each utility will review their site(s) against the criteria specified in NUREG-1109, and if the site(s) fall into the category of an eight-hour site after utilizing all power sources available, the utility will take actions to reduce the site(s) contribution to the overall risk of station blackout. Non-hardware changes will be made within one year. Hardware changes will be made within a reasonable time thereafter.

2. Each utility will implement procedures at each of its site(s) for:

a. coping with a station blackout event,
b. restoration of AC power following a station blackout event, and
c. preparing the plant for severe weather conditions, such as hurricanes and tornados to reduce the likelihood and consequences of a loss of offsite power and to reduce the overall risk of a station blackout event.

3. Each utility will, if applicable, reduce or eliminate cold fast-starts of emergency diesel generators for testing through changes to technical specifications or other appropriate means.

4. Each utility will monitor emergency AC power unavailability utilizing data utilities provided to INPO [Institute of Nuclear Power Operations] on a regular basis.

These initiatives include some of the same elements that are included in the staff's resolution discussed in Section 3.1. However, the industry initiatives (1) do not include rulemaking, (2) do not require plants to be able to withstand a station blackout for a specified period of time, and (3) do not require any specific assessment of a plant's station blackout coping capability.

3.5 Alternative (v)

Under this alternative no action would be taken.

4 CONSEQUENCES

4.1 Costs and Benefits of Alternative Resolutions

4.1.1 Alternative (i)

The benefit from implementing the station blackout rule and regulatory guide is a reduction in the frequency of core damage due to station blackout and the associated risk of offsite radioactive releases. The costs are primarily those incurred by industry (1) to assess the plant's capability to cope with a station blackout, (2) to develop procedures, (3) to improve diesel generator reliability if the reliability falls below certain levels, and (4) to retrofit plants with additional components or systems, as necessary, to meet the requirements. These are discussed in the following paragraphs.

(1) Value: Risk Reduction Estimates

To estimate the change in expected risk that the resolution of USI A-44 could effect, both the postulated radioactive exposure (in person-rems) that would result in the event of an accident and the reduction in frequency of core damage have been estimated. A simplified method to estimate public dose for value-impact analysis would use an "average" plant to estimate the consequences of station blackout and subsequent core damage for all plants. However, using a single value does not account for the differences in offsite consequences associated with differences in the sizes of reactors and with differences in the population densities around different sites.

Because of the differences between sites and plant designs, it was not realistic to select a "typical" plant for analysis (using the value and impacts for that plant and then multiplying them by the total number of plants) to obtain an overall value-impact ratio. Instead, the staff used the method described below to estimate offsite consequences for use in this value-impact analysis. Results indicate that consequences range from 0.5 to 9 million person-rems per plant, with an average of about 2 million person-rems per plant.

NUREG/CR-2723 gives estimates of offsite consequences of potential accidents at nuclear power plants. That report includes results of calculations for 91 sites in the United States that had reactors with operating licenses or construction permits. The actual distributions of population around the sites were used in calculating estimated total population doses (in person-rems) for various fission product releases. The results include a scaling factor to account for different reactor power levels at the various sites.

The scaled results (from NUREG/CR-2723) for release category SST1* (siting source term) were used to develop estimates of site-specific consequences for station blackout events. However, these results were not used directly in the value-impact analysis for several reasons. First, SST1 overestimates the fission product release for station blackout events. Second, the consequences given in NUREG/CR-2723 include the entire population around the plant (i.e., an infinite radius), whereas Enclosure 1 of NRR Office Letter No. 16 (NRC, 1986) specifies that a 50-mile radius around the plant is to be used to calculate risk reduction estimates for value-impact analyses.

*Five release categories, denoted as SST1-SST5, have been defined by NRC to represent a spectrum of five accident groups. Each category represents a different degree of core degradation and failure of containment safety features. Group 1, SST1, is the most severe and involves a loss of all installed safety features and direct breach of containment.

Extensive research efforts by NRC and industry have been under way since about 1981 to evaluate severe accident source terms and are reported in NUREG-0956, NUREG-1150, NUREG/CR-4624, and Industry Degraded Core Rulemaking (IDCOR) technical reports. Based on NRC's source term research, it appears that, for station blackout events, the release fractions for most plants would be roughly 1/3 to 1/30 of the releases from the SST1 estimate. One reason for this reduction is that SST1 is an estimated upper bound assuming prompt containment failure whereas if a core melt resulted from station blackout, containment failure would be delayed for a number of hours. Results of a sensitivity study in which the consequences of a severe accident were estimated for reduced source terms indicate that if the SST1 release fraction were reduced by a factor of 3 (i.e., 66 percent reduction in SST1 releases), the consequences in terms of person-rem would be reduced by about 50 percent (NUREG/CR-2723, Table 10). Likewise, if the SST1 releases were reduced by a factor of 30 (i.e., 97 percent reduction in SST1 releases), the estimated person-rem would be reduced by about 85 percent. Therefore, the high and low estimates for person-rem consequences for station blackout accidents used in this value-impact analysis are 0.5 and 0.15 of the person-rem associated with SST1 releases, respectively. (These values correspond to reductions in SST1 release fractions by factors of 3 and 30 respectively.) A value of 0.33 of the SST1 person-rem was used as a best estimate for purposes of this analysis.

Scaling factors comparing offsite exposures within a 50-mile radius of a plant to that for an infinite radius are included in Table 3 of Sandia (1983). The total person-rem exposure within a 50-mile radius is approximately 1/4 the person-rem exposure for an infinite radius. This factor, in addition to the factor discussed above associated with reduced source terms, was used to scale the site-specific results from NUREG/CR-2723.

To clarify the discussion above, an example calculation is given for an 845-MWe PWR (Calvert Cliffs). From Appendix A of NUREG/CR-2723, the mean offsite effects conditional on release for the SST1 category is 3.61 x 10^7 person-rems. This number is multiplied by 0.33 to account for the smaller releases for station blackout events compared to SST1 releases and by 0.25 to account for the 50-mile radius (Sandia, 1983). The resulting offsite exposure from a station blackout event and subsequent core melt within a 50-mile radius of the plant is estimated to be about 3 million person-rems.

The reduction in frequency of core damage resulting from the resolution of USI A-44 was estimated for each plant. Plant- and site-specific characteristics for a total of 100 reactors (which represent almost all of the currently operating nuclear power plants) were used to develop these estimates. Table 8 presents an estimate of the number of reactors having the emergency ac power configurations and offsite power design characteristics identified in Tables 2 and 3 respectively. The estimate of core damage frequency for each plant was based on a function of the plant's ability to cope with a station blackout (NUREG-1032). The staff assumed that all plants, as currently designed, can cope with a station blackout for 2 hours. The reduction in core damage frequency per reactor-year for each plant was then estimated based on plants meeting the acceptable 2-, 4-, or 8-hour station blackout duration depending on the plant's offsite power design group and its emergency ac power configuration (given in Table 1).

Examples of the reduction in frequency of core damage per reactor year for three cases are presented in Table 9. Each of these examples is for a plant located in an area with average loss of offsite power duration and frequency. The first example is typical of a plant with one redundant emergency ac power system (e.g., one out of two diesel generators required for emergency ac power), and a failure rate of 0.025 failure per demand for each diesel generator. The second case, which is typical of a plant with less desirable characteristics from a station blackout perspective (e.g., a minimum redundant emergency ac power system and below average diesel generator reliability), has a reduction in frequency of core damage that is significantly larger than the first example. The third case is for plants with more favorable characteristics than the first case and, therefore, a correspondingly lower reduction in core damage frequency.

Table 8 Estimated number of reactors having similar characteristics

Emergency ac power configuration group*
Group                          A     B     C     D     Total
Estimated number of reactors   12    25    47    16    100

Offsite power design characteristics**
Characteristic                 P1    P2    P3    Total
Estimated number of reactors   30    60    10    100

*See Table 2 for definition of emergency ac power configuration groups.
**See Table 3 to determine offsite power design characteristics.

Table 9 Examples of reduction in frequency of core damage per reactor year

Plant characteristics                Estimated core damage             Estimated reduction in
                                     frequency per reactor year        core damage frequency
                                                                       per reactor year

Plant with one of two emergency      3.9 x 10^-5 with 2-hour           2.1 x 10^-5
diesel generators (EDGs); EDG        station blackout capability
failure rate of 0.025 failure per
demand; and loss of offsite power    1.8 x 10^-5 with 4-hour*
design characteristic group P2.      station blackout capability

Plant with two out of three EDGs;    9.0 x 10^-5 with 2-hour           8.4 x 10^-5
EDG failure rate of 0.05 failure     station blackout capability
per demand; and loss of offsite
power design characteristics         0.6 x 10^-5 with 8-hour*
group P2.                            station blackout capability

Plant with one out of three EDGs;    1.0 x 10^-5 with 2-hour           0.6 x 10^-5
EDG failure rate of 0.025 failure    station blackout capability
per demand; and loss of offsite
power design characteristics         0.4 x 10^-5 with 4-hour*
group P2.                            station blackout capability

*These times are the acceptable station blackout durations from Table 1 for these example cases.
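The Calvert Cliffs dose scaling above, carried through to a per-plant risk reduction for the three Table 9 cases, as an added Python example that is not part of NUREG-1109. It applies the 25-year remaining plant life the analysis assumes; pairing each Table 9 case with the Calvert Cliffs SST1 value is an assumption made only for illustration, and the function names are hypothetical.

```python
# Factors stated in the analysis.
SST1_FRACTION = {"high": 0.5, "best": 0.33, "low": 0.15}  # share of SST1 person-rem
RADIUS_50_MILE_FACTOR = 0.25   # 50-mile dose relative to an infinite radius
REMAINING_LIFE_YEARS = 25      # remaining plant life assumed by the analysis

# Mean SST1 offsite effects quoted in the text for Calvert Cliffs (person-rems).
CALVERT_CLIFFS_SST1 = 3.61e7

# Table 9 cases: (CDF with 2-hour capability, CDF with the acceptable duration),
# both per reactor year.
TABLE_9_CASES = {
    "1 of 2 EDGs, 0.025 failure/demand": (3.9e-5, 1.8e-5),
    "2 of 3 EDGs, 0.05 failure/demand": (9.0e-5, 0.6e-5),
    "1 of 3 EDGs, 0.025 failure/demand": (1.0e-5, 0.4e-5),
}


def station_blackout_dose(sst1_person_rem, estimate="best"):
    """Scale an SST1 dose to a station blackout release within 50 miles."""
    if estimate not in SST1_FRACTION:
        raise ValueError(f"unknown estimate: {estimate!r}")
    if sst1_person_rem < 0:
        raise ValueError("dose cannot be negative")
    return sst1_person_rem * SST1_FRACTION[estimate] * RADIUS_50_MILE_FACTOR


def risk_reduction(cdf_before, cdf_after, sst1_person_rem, estimate="best"):
    """Person-rem averted over the remaining plant life for one plant."""
    if cdf_after > cdf_before:
        raise ValueError("core damage frequency should not increase")
    delta_cdf = cdf_before - cdf_after
    dose = station_blackout_dose(sst1_person_rem, estimate)
    return delta_cdf * REMAINING_LIFE_YEARS * dose


def sensitivity_table(sst1_person_rem=CALVERT_CLIFFS_SST1):
    """Risk reduction (rounded person-rem) per case and per source-term estimate."""
    return {
        case: {
            estimate: round(risk_reduction(before, after, sst1_person_rem, estimate))
            for estimate in SST1_FRACTION
        }
        for case, (before, after) in TABLE_9_CASES.items()
    }


if __name__ == "__main__":
    print(f"50-mile dose, best estimate: "
          f"{station_blackout_dose(CALVERT_CLIFFS_SST1):,.0f} person-rem")
    for case, row in sensitivity_table().items():
        print(f"{case}: {row}")
```

The spread between the cases comes almost entirely from the reduction in core damage frequency, while the choice of source-term fraction scales every case by the same ratio.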

A summary of the results of the analysis for station blackout core damage frequency estimates is presented in Figure 4. This figure presents a comparison of the estimated number of reactors versus various levels of core damage frequency before and after implementation of the station blackout rule. The histogram that represents estimates before the rule is implemented is based on the assumption that all plants have the capability to cope with station blackout for only 2 hours. The estimated mean core damage frequency for this case is 4.2 x 10^-5 per reactor year, with a range of from about 0.4 x 10^-5 to 30 x 10^-5 per reactor-year. The mean core damage frequency for all plants after the rule is implemented is estimated to be 1.6 x 10^-5 per reactor year with a range of 0.3 x 10^-6 to 7 x 10^-5 per reactor-year. Therefore, on an industry-wide basis, the estimated mean core damage frequency would be reduced by 2.6 x 10^-5 per reactor year.

For each plant the estimated risk reduction from the resolution of USI A-44 was calculated by multiplying the reduction in core damage frequency per reactor year by two factors: (1) the remaining life of the plant (assumed to be 25 years), and (2) the estimated public dose (in person-rems) that would result in the event of an accident. The reduction in person-rem for each plant was then summed to calculate the total estimated risk reduction. The high estimate of total dose reduction (based on SST1 release fractions divided by three) is 215,000 person-rem; the low estimate (based on SST1 releases divided by 30) is 65,000 person-rem, and the best estimate is 143,000 person-rems (based on SST1 releases divided by 10).

[Figure 4. Comparison of estimated station blackout (SBO) core damage frequency (CDF) before and after rule. Panel (A), before rule: median CDF = 2.4 x 10^-5/RY, mean CDF = 4.17 x 10^-5/RY; note: assumes plants have 2-hour SBO coping capability. Panel (B), after rule: median CDF = 1.1 x 10^-5/RY, mean CDF = 1.61 x 10^-5/RY. Horizontal axis: estimated core damage frequency (x 10^-5 per reactor year).]

(2) Impacts: Cost Estimates

The cost for licensees to comply with the requirements to resolve USI A-44 will vary depending on (1) the existing capability of each plant to cope with a station blackout and (2) the plant-specific acceptable minimum station blackout coping duration as determined from Table 1. The staff anticipates that the majority of plants would be able to meet a 4-hour duration guideline without major hardware modifications. In addition to being able to withstand a 4-hour blackout, some plants may be capable of coping for longer periods without major modifications. To meet an 8-hour guideline, licensees of some plants may have to increase the capacity of one or more of the following systems: station batteries, condensate storage tank, and instrument or compressed air. Shedding nonessential loads from the station batteries could be considered as an option to extend the time until battery depletion. Corresponding procedures for load shedding would need to be incorporated in the plant-specific technical guidelines and emergency operating procedures for station blackout.

If equipment needed to function during a station blackout or the recovery from a blackout would not be expected to be operable due to environmental conditions associated with the station blackout (i.e., without heating, ventilating and air conditioning systems operating), then some modifications may be necessary. These could be (1) opening room or cabinet doors to increase natural circulation, (2) installing fans that can operate with available power supplies to increase forced circulation, or (3) relocating or replacing equipment. If option 2 or 3 above were necessary, then corresponding procedures would need to be incorporated in the plant-specific technical guidelines and emergency operating procedures for station blackout.

Those plants that cannot verify adequate reactor coolant pump seal integrity for the station blackout duration may have to provide a method of reactor coolant pump seal cooling that is independent of the offsite and emergency onsite ac power supplies to maintain seal integrity and adequate reactor coolant inventory. For example, the addition of an ac-independent charging pump or a steam-driven generator to power an existing charging pump could provide seal cooling during a station blackout.

Table 10 presents cost estimates of possible hardware modifications and procedures that could result from implementation of the station blackout rule. Because the duration guidelines in the station blackout regulatory guide are based on plant-specific features, and the capability of systems and components needed during a station blackout varies from plant to plant, the modifications in Table 10 may be needed at some but not all nuclear power plants. For each modification, the table identifies an estimated range of costs per plant, the estimated number of plants needing that modification, and the estimated total cost.

The estimated total cost for industry to comply with the resolution of USI A-44 is about $60 million. The estimated average cost per reactor is $600,000. Best estimates of costs could range from $350,000, if only a station blackout assessment, and procedures and training were necessary, to a maximum of about $4 million if modifications 1 through 4 are needed (including requalification of a diesel generator).

Table 10 Estimated costs for industry to comply with the resolution of USI A-44(1)

                                        Est. no. of     Est. cost per reactor     Est. total cost
                                        reactors        ($1000)                   ($1000)
                                        needing         Best    High    Low       Best     High     Low
Potential modifications                 modifications   est.    est.    est.      est.     est.     est.

1. Assess plant's capability to         100             250     400     200       25,000   40,000   20,000
   cope with station blackout
2. Develop procedures and training      100             100     150     50        10,000   15,000   5,000
3. (a) Improve diesel generator         10              250     400     150       2,500    4,000    1,500
       reliability
   (b) Requalify a diesel generator     2               2,800   5,500   1,250     5,600    11,000   2,500
4. Increase capability to cope with
   station blackout(2)
   (a) 4-hour plants: add battery       10              500     650     400       5,000    6,500    4,000
       capacity
   (b) 8-hour plants                    17
       (1) Add compressed air                           40      60      30        680      1,020    520
       (2) Add condensate storage                       80      150     40        1,360    2,550    680
           tank capacity
       (3) Add battery capacity                         500     650     400       8,500    11,050   6,800
       (4) Replace equipment or                         80      140     30        1,360    2,380    510
           add fans
       Subtotal (8-hour plants)                         ~755    1,000   ~500      11,900   17,000   8,500
5. Add an ac-independent charging       --              1,500   2,500(4) 1,200    --       --       --
   pump (non-seismic) capable of
   delivering 50 to 100 gpm to
   reactor coolant pump seals(3)

TOTAL COSTS                                                                       60,000   93,500   41,500

(1) Based on 100 reactors. See Appendix B for worksheets that provide the basis for the cost estimates on this table.
(2) Detailed cost estimates for these modifications are presented in NUREG/CR-3840 and revised estimates to that report (Science and Engineering Associates, 1986).
(3) It is assumed that reactor coolant pump seal integrity is sufficient to ensure core cooling for 8 hours or more; therefore the charging pump would not be necessary. The results of Generic Issue 23 will provide detailed information on expected pump seal behavior without seal cooling. (See Section 4.2 for further discussion.) Estimated costs are provided here for perspective should such a system be considered necessary after GI 23 results are available.
(4) A seismically qualified and safety grade ac-independent charging pump would be much more expensive and would not reduce the risk substantially more than a non-seismic pump.

Including costs of averted plant damage can significantly affect the overall cost-benefit evaluation. To estimate the costs of averting plant damage and cleanup, the reduction in accident frequency was multiplied by the discounted onsite property costs. The following equations from NUREG/CR-3568 were used to make this calculation:

\[ V_{op} = N \, \Delta F \, U \]

\[ U = \frac{C}{m} \left[ \frac{e^{-r t_i}}{r^2} \right] \left[ 1 - e^{-r (t_f - t_i)} \right] \left[ 1 - e^{-r m} \right] \]

where

V_op = value of avoided onsite property damage
N = number of affected facilities = 100
ΔF = reduction in accident frequency = 2.6 x 10^-5/reactor year
U = present value of onsite property damage
C = cleanup and repair costs = $1.2 billion
t_f = years remaining until end of plant life = 25
t_i = years before reactor begins operation = 0
r = discount rate = 10%/5%
m = period of time over which damage costs are paid out (recovery period in years) = 10

Using the above values, the present value of avoided onsite property damage is estimated to be $19 million. If avoided costs for replacement power are included (estimated in NUREG/CR-3568 to be $1.2 billion over 10 years), the estimated present value is $38 million. Table 11 summarizes the discounted present value of avoided onsite property damage for 10% and 5% discount rates.

Table 11 Discounted present value of avoided onsite property damage for 100 reactors

                                          Discounted present value
Avoided damage                            10% discount rate    5% discount rate
Cleanup and repair only                   $19 x 10^6           $40 x 10^6
Cleanup, repair, and replacement power    $38 x 10^6           $80 x 10^6

(3) Value-Impact Ratio

Table 12 summarizes the total benefits and costs associated with the resolution of USI A-44. These include (1) public risk reduction due to avoided offsite releases associated with reduced accident frequencies; (2) increased occupational dose from implementation, and operation and maintenance activities, as well as reduced occupational exposure from cleanup and repair because of lower accident frequency; (3) industry costs for implementation of modifications, operation and maintenance, and increased reporting requirements; and (4) NRC costs for review of industry submittals.

The estimated total cost for industry to comply with the proposed rule is $60 million. The total public risk reduction for 100 reactors over the remaining life of the plants is about 145,000 person-rems. The overall value-impact ratio, not including onsite accident avoidance costs, is about 2,400 person-rem averted per million dollars. If cost savings to industry from accident avoidance (cleanup and repair of onsite damages and replacement power) were included, the overall value-impact ratio would improve significantly. At a 10% discount rate, the present value of avoided cleanup, repair, and replacement power is

_ __ __ _ ------- - --- - - - - - - ~ ~ ^ -

Table 12 Value-impact summary for resolution of USI A-44 Dose reduction (person-rems) Cost ($1,000) Best High Low Best High Low Parameter est. est. est. est, est. est. Public health 143,000 215,000 65,000 Occupational exposure (accidental)2 1,500 1,500 1,500 Occupational exposure (routine)2 NA Industry implementation 60,000 93,500 44,500 NRC implementation 3 1,500 1,500 1,500 Total 144,500 216,500 66,500 61,500 95,000 43,000 Value-impact ratio 4 2,400 5,000 700 (Public dose reduction divided by sum of NRC and industry costs (person-rems /$106)) IBased on an estimated occupational radiation dose of 20,000 person-rems for post-accident cleanup and repair activities (NUREG/CR-3568). 2No significant increase in occupational exposure is expected from operation and maintenance or implementing the recommendations proposed in this resolution. Equipment additions and modifications contemplated do not require significant work in and around the reactor coolant system and therefore would not be . expected to result in significant radiation exposure. NA = not affected. 3 Based on an estimated 175 person-hours per reactor for NRC review (NUREG/CR-3568). I

                             *This does not take into account tne additional benefit associated with avoided.       I plant damage costs or replacement power costs resulting from reduced frequency of core damage. The cost for plant cleanup following a core damage accident is estimated to be $1.2 billion, and replacement power is estimated to cost about
                               $500,000 per day (NRC, 1986). The estimated discounted present value of these        l avoided onsite costs is given in Table 11.

l NUREG-1109 29 i

approximately $38 m'1111on. If this benefit were taken into account, the overall value-impact ratio would be about 6,100 person-rem averted per million dollars. For any particular plant, the value-impact ratio cocid vary significantly-(either higher er lower) than the ratio given above. However, even for plants that will not require equipment modifications to comply with the station blackout rule, the assessment of plant capability to cope with a station blackout is almost certain to result in improvements in training and orocedures to handle such an event. At a ratio of $1,000 per person-rem, a decrease in core ' damage frequency of only about 0.5 x 10 6 per reactor year is sufficient to justify a cost of

                                            $350,000 for the station blackout assessment, procedures and training. Improve-ments to enhance the capability of a plant to cope with a station blackout from 2 to 4 hours would effect such a reduction in core damage frequency for virtually all plants.

(4) Special Considerations

The quantitative value-impact analysis discussed above used estimates for benefits (risk reduction) and costs associated with the resolution of USI A-44. While this is a useful approach to evaluate the resolution, other factors can and should play a part in the decision-making process. Although they are not quantified, other considerations that bear on the overall conclusions and recommendations to resolve USI A-44 are discussed below. Overall, these considerations support the conclusion that additional defense in depth provided by the ability of a plant to cope with a station blackout for a specified duration is strongly recommended.

Relative Importance of Potential Station Blackout Events

Probabilistic risk assessment (PRA) studies performed for this USI, as well as a number of plant-specific PRAs, have shown that station blackout can be a significant contributor to core damage frequency, and, with the consideration of containment failure, station blackout events can represent an important contributor to reactor risk. In general, active containment systems required for heat removal, pressure suppression, and radioactivity removal from the containment atmosphere following an accident are unavailable during a station blackout. Therefore, the offsite risk is higher from a core melt resulting from station blackout than it is from many other accident scenarios.

Source Term Re-Evaluation

The consequence estimates for station blackout used in this value-impact analysis are consistent with the latest research by NRC on source term re-evaluation. The release fractions used in this analysis are significantly lower than earlier estimates of source terms. Nevertheless, there is still considerable uncertainty, and source term research is expected to continue in the future to improve our knowledge of major phenomena and refine analytical models. Given the range of release fractions used in this analysis, it is unlikely that significantly better estimates agreed to by the staff and industry would be available for a number of years. In any event, the ability to cope with a station blackout for some period of time would make station blackout a small contributor to core damage frequency and would significantly reduce the risk associated with such events.

Future Trends in Loss of Offsite Power Frequency

The estimated frequency of core damage from station blackout events is directly proportional to the frequency of the initiating event. Estimates of station blackout frequencies for this USI were based on actual operating experience with credit given in the analysis for trends that show a reduction in the frequency of losses of offsite power resulting from plant-centered events (NUREG-1032). This is assumed to be a realistic indicator of future performance. An argument can be made that the future performance will be better than the past. For example, when problems with the offsite power grid arise, they are fixed, and therefore, grid reliability should improve. On the other hand, grid power failures may become more frequent because fewer plants are being built, and more power is being transmitted between regions, thus placing greater stress on transmission lines.

Trends in Emergency Diesel Generator Performance

Recent data indicate that average emergency diesel generator reliability on an industry-wide basis has been improving slightly since 1976 (NUREG/CR-4347, NSAC/108). These data are based on total valid failures and total valid starts including surveillance testing and unplanned demands (e.g., following a loss of offsite power). There are an insufficient number of unplanned demands at any one nuclear plant to determine diesel generator reliability with high statistical confidence. Therefore, target diesel generator performance levels for USI A-44 are based primarily on surveillance tests. However, data show that the industry average diesel generator failure rate during unplanned demands was higher than that during surveillance tests (0.014 failure per demand for surveillance tests compared to 0.022 failure per demand during unplanned demands (NSAC/108)). Using diesel generator reliability based only on unplanned demands would lead to slightly higher estimates of core damage frequency than was used in this regulatory analysis and, therefore, a correspondingly larger estimated benefit resulting from the resolution of USI A-44.

Common Cause Failures

One factor that affects ac power system reliability is the vulnerability to common cause failures associated with design, operational, and environmental factors. Existing industry and NRC standards and regulatory guides include specific design criteria and guidance on the independence of offsite power circuits and the independence of, and limiting interactions between, diesel generator units at a nuclear station. In developing the resolution of USI A-44, the NRC staff assumed that, by adhering to such standards, licensees have minimized, to the extent practical, single point vulnerabilities in design and operation that could result in a loss of all offsite power or all onsite emergency ac power. Results of sensitivity studies presented in NUREG-1032 indicate that if potential common cause failures of redundant emergency diesel generators exist (e.g., in service water or dc power support systems), then estimated core damage frequencies can increase significantly.

Sabotage

There have not been any total losses of offsite power or diesel generator failures attributed to sabotage. Therefore, sabotage was not considered explicitly in the risk analysis for USI A-44. However, there was a sabotage event in 1986 that caused three out of four 500-kV transmission lines at one site to be out of service for several hours. Thus sabotage could increase the probability of loss of offsite power. If saboteurs managed to simultaneously take out all offsite power and/or emergency diesel generators, the resolution of USI A-44 would provide additional defense-in-depth for a period of time to cope with such an event.

4.1.2 Alternative (ii)

The alternative of treating plants uniformly by requiring all plants to be able to cope with the same station blackout duration has been considered. This simplified approach has the advantage of being potentially easier to implement, but it also has two major drawbacks. First, operating nuclear power plants have significant differences in plant- and site-specific factors that contribute to risk from station blackout. This alternative would not take these known factors into account. For example, plants that have a more redundant emergency ac power system than other plants would not be given any credit for such features. Second, requiring all plants to be able to cope with the same blackout duration would result in one of two undesirable alternatives: (1) If a uniform duration of 4 hours or less were recommended, station blackout could still be a significant contributor to total core damage frequency for some plants and, therefore, the objective of the requirements would not be met; and (2) if a uniform 8-hour requirement were imposed, it would necessitate expenditures at some plants that would not be considered cost-effective in reducing the risk from station blackout events. Therefore, this alternative was not recommended.

4.1.3 Alternative (iii)

Another possible alternative to the recommended action is to require plants to install either an additional emergency diesel generator or another ac-independent decay heat removal system. This alternative was not recommended for several reasons. First, the cost for either of these additions (from $10 to $30 million per plant) is much higher than the estimated cost for the recommended resolution. The recommended approach is more cost effective and meets the objective stated in Section 2. Second, the adequacy of present requirements for decay heat removal systems is being studied under USI A-45, and any major hardware changes or additions to these systems should await the technical resolution of USI A-45. Third, experience indicates that there are practical limits to diesel generator reliability, including common cause failures of redundant divisions, and the recommended resolution provides greater diversity and additional defense-in-depth.

4.1.4 Alternative (iv)

At the time this report was written, details of the NUMARC initiatives were not available to the NRC staff. This made it difficult for the staff to evaluate the benefits of the industry program. For example, the industry initiatives do not include assessments to determine that plants can cope with a station blackout for any period of time. Even so, an attempt was made to estimate the likely impact this initiative would have compared to the station blackout rule and regulatory guide.

The largest risk reduction associated with the industry program would probably result from NUMARC's initiative number one. Assuming that implementing this initiative would result in licensees taking actions to reduce the risk from station blackout for those plants that fall into the category of needing an 8-hour coping capability, the staff estimated the value-impact ratio for the remaining plants. The estimated total cost for these plants to comply with the resolution of USI A-44 is $42 million; the estimated reduction in risk to the public for these plants is 61,000 person-rem; and therefore, the overall value-impact ratio is approximately 1,500 person-rem per million dollars. This rough analysis supports the conclusion that although the industry initiatives would provide benefits in terms of reducing risk from station blackout events, the recommended resolution provides greater benefits that are cost effective.

4.1.5 Alternative (v)

This alternative would be to take no actions beyond those resulting from the NUMARC initiatives endorsed by industry and the resolution of Generic Issue B-56 (see discussions in Sections 3.4, 4.1.4, and 4.2.1). Operating experience with diesel generator failures and losses of offsite power has raised a significant concern regarding the potential risk from a station blackout event. The use of this data base with relatively straightforward application of PRA techniques indicates that station blackout events could be a significant contributor to risk for many plants. The additional actions recommended for USI A-44 would significantly reduce the estimated frequency of core damage associated with severe accidents from station blackout. Because the value-impact analysis has shown that it would be beneficial to implement these recommendations, the no-action alternative is not recommended.

4.2 Impacts on Other Requirements

Several ongoing NRC generic programs and requirements that are related to the resolution of USI A-44 are discussed below.

4.2.1 Generic Issue B-56, Diesel Generator Reliability

The resolution of USI A-44 includes a regulatory guide on station blackout that specifies the following guidance on diesel generator reliability (Task SI 501-4, Sections C.1.1 and 2):

     The reliable operation of the onsite emergency AC power sources should be ensured by a reliability program designed to monitor and maintain the reliability of each power source over time at a specified acceptable level and to improve the reliability if that level is not achieved. The reliability program should include surveillance testing, target values for maximum failure rate, and a maintenance program. Surveillance testing should monitor performance so that if the actual failure rate exceeds the target level, corrective actions can be taken.

     The maximum emergency diesel generator failure rate for each diesel generator should be maintained at or below 0.05 failure per demand. For plants having an emergency AC power system [configuration requiring two-out-of-three diesel generators or having a total of two diesel generators shared between two units at a site], the emergency diesel generator failure rate for each diesel generator should be maintained at 0.025 failure per demand or less.

In Generic Letter 84-15, dated July 2, 1984, the staff requested information from licensees regarding proposed actions to improve and maintain diesel generator reliability. The letter requested specific information on three areas:

(1) reduction of cold fast start surveillance tests for diesel generators
(2) diesel generator reliability
(3) the licensee's diesel generator reliability program, if any, and comments on the staff's example performance technical specifications for diesel generator reliability

A summary of the data and recommendations in response to Generic Letter 84-15 was published in NUREG/CR-4557. This information, along with other input, will be used in the resolution of B-56 to provide specific guidance for diesel generator reliability programs consistent with the resolution of USI A-44.

4.2.2 USI A-45, Shutdown Decay Heat Removal Requirements

The overall objective of USI A-45 is to evaluate the adequacy of current licensing requirements to ensure that nuclear power plants do not pose an unacceptable risk as a result of failure to remove shutdown decay heat following transients or small break loss-of-coolant accidents. The study includes an assessment of alternative means of improving shutdown decay heat removal and of an additional "dedicated" system for this purpose. Results will include proposed recommendations regarding the desirability of, and possible design requirements for, improvements in existing systems or an additional dedicated decay heat removal system.

The USI A-44 concern for maintaining adequate core cooling under station blackout conditions can be considered a subset of the overall USI A-45 issue. However, there are significant differences in scope between these two issues. USI A-44 deals with the probability of loss of ac power, the capability to remove decay heat using systems that do not require ac power, and the ability to restore ac power in a timely manner. USI A-45 deals with the overall reliability of the decay heat removal function in terms of response to transients, small break loss-of-coolant accidents, and special emergencies such as fires, floods, seismic events, and sabotage.

Although the recommendations that might result from the resolution of USI A-45 are not yet final, some could affect the station blackout capability, while others would not. Recommendations that involve a new or improved decay heat removal system that is ac power dependent but that does not include its own dedicated ac power supply would have no effect on USI A-44. Recommendations that involve an additional ac-independent decay heat removal system would have a very modest effect on USI A-44. Recommendations that involve an additional decay heat removal system that include its own ac power supply would have a significant effect on USI A-44. Such a new additional system would receive the appropriate credit within the USI A-44 resolution by either changing the emergency ac power configuration group or providing the ability to cope with a station blackout for an extended period of time.

The resolution of USI A-44 would necessitate average expenditures of about $600,000 per plant, with a range estimated to be from about $350,000 to a maximum of around $4 million. A resolution for USI A-45 involving the addition of a dedicated and independent system, such as an additional shutdown cooling system with its own dedicated diesel generator, would be much more expensive, with an expenditure on the order of $50 to $100 million. However, such expenditures would resolve other concerns with respect to the decay heat removal function which will be delineated in a future regulatory analysis for USI A-45.

The resolution of these two issues is coordinated along two main lines. First, technical information resulting from both studies is shared among the major participants including NRC staff and contractors. In this way, the resolution of USI A-45 will take into account any modifications resulting from the resolution of USI A-44 that are applicable to the decay heat removal function. Second, the schedules are coordinated so that by the time a final rule on USI A-44 is published -- and well before plant modifications, if any, would be implemented -- the proposed technical resolution of USI A-45 will be published for public comment.

The technical summary findings report and the regulatory analysis for the proposed resolution of USI A-45 are targeted to be issued for public comment in late 1987. For plants needing hardware modifications to comply with the USI A-44 resolution, this schedule would permit a re-evaluation before any actual modifications are made so that any contemplated design changes following from the resolution of USI A-45 can be considered at the same time.

4.2.3 Generic Issue (GI) 23, Reactor Coolant Pump Seal Failures

The Task Action Plan for GI 23 includes three tasks: (1) a review of seal failure operating experience, (2) an assessment of the effects of loss of seal cooling on reactor coolant pump (RCP) seal behavior, and (3) an evaluation of other causes of RCP seal failure such as mechanical and maintenance-induced failures. Only Task 2 is closely related to USI A-44 because during a station blackout, systems that normally provide RCP seal cooling are unavailable, and RCP seal integrity is necessary for maintaining primary system inventory under station blackout conditions.

NRC and industry analyses of seal performance with loss of seal cooling are proceeding, but at the time this report is being published, the staff has not completed its recommendations to resolve GI 23. The estimates of core damage frequency for station blackout events in NUREG/CR-3226 assumed that the RCP seals would leak at a rate of 20 gallons per minute per pump. Results of the analysis for GI 23 will provide the information necessary to determine seal behavior and, likewise, a plant's ability to cope with a station blackout for a specified time. Should this analysis conclude that there is a significant probability that RCP seals can leak at rates substantially higher than 20 gallons per minute, then modifications such as an ac-independent RCP seal cooling system may be necessary to resolve GI 23. If there is high probability that the RCP seals would not leak excessively during a station blackout, then no modifications would be required. A cost-benefit analysis associated with the need for an ac-independent seal cooling system would be included in the regulatory analysis for GI 23.

4.2.4 Generic Issue A-30, Adequacy of Safety-Related DC Power Supply

The analysis performed for USI A-44 (NUREG-1032) assumed that a high level of dc power system reliability would be maintained so that (1) dc power system failures would not be a significant contributor to losses of all ac power and (2) should a station blackout occur, the probability of immediate dc power system failure would be low.

Whereas Generic Issue A-30 focuses on enhancing battery reliability (e.g., restricting interconnections between redundant dc divisions, monitoring the readiness of the dc power system, specifying administrative procedures and technical specifications for surveillance testing and maintenance activities), the resolution of USI A-44 is aimed at assuring adequate station battery capacity in the event of a station blackout of a specified duration. A-30 would provide additional assurance that station battery reliability is adequate and consistent with the assumptions on which USI A-44 is based. Therefore, these two issues are consistent and compatible.

*Generic Issue A-30 is being resolved as part of Generic Issue 128, Electrical Power Issues. A-30 is the only part of GI 128 that is closely related to USI A-44.

4.2.5 Regulatory Guide 1.108, Periodic Testing of Diesel Generator Units Used as Onsite Electric Power Systems at Nuclear Power Plants

Regulatory Guide 1.108 describes the currently acceptable method for complying with the Commission's regulations with regard to periodic testing of diesel generators to ensure that they will meet their availability requirements. This guide may need to be modified to be consistent with the proposed actions described in Section 4.2.1 above (Generic Issue B-56). If necessary, Regulatory Guide 1.108 will be revised to be consistent with the resolutions of B-56 and USI A-44.

4.2.6 Fire Protection Program for Nuclear Power Facilities

10 CFR 50.48 states that each operating nuclear power plant shall have a fire protection plan that satisfies GDC 3. The fire protection features required to satisfy GDC 3 are specified in Appendix R to 10 CFR 50 and in Branch Technical Position CMEB 9.5-1. They include certain provisions regarding alternative and dedicated shutdown capability. To meet these provisions, some licensees have added, or plan to add, improved capability to restore power from offsite sources or onsite diesels for the shutdown system. A few plants have installed a safe shutdown facility for fire protection that includes a charging pump powered by its own independent ac power source. In the event of a station blackout, this system can provide makeup capability to the primary coolant system as well as reactor coolant pump seal cooling. This could be a significant benefit in terms of enhancing the ability of a plant to cope with a station blackout.

Because the plant modifications required for fire protection have already been specified, it would not be feasible to consider these modifications together with the requirements of USI A-44. However, credit would be given for improvements made for the fire protection program in meeting the station blackout rule. For example, plants that have added equipment to achieve alternate safe shutdown in order to meet Appendix R requirements could take credit for the equipment (if available) for coping with a station blackout event.

4.2.7 Generic Issue 124, Auxiliary Feedwater System Reliability

This issue has focused on the reliability of seven older PWRs that have two-train auxiliary feedwater systems. The staff has established a review team which will perform reviews (including plant audits and walkdowns) to assess each of these plants on a case-by-case basis. Other relevant information such as auxiliary feedwater system reliability analyses will be considered in the staff reviews, as available. The staff may allow credit for compensating factors, such as feed and bleed capability, to justify acceptance of the two-pump AFW systems, or may decide that hardware, procedural and/or training modifications are necessary.

If the proposed resolution of Generic Issue 124 requires the auxiliary feedwater system in several PWRs to be upgraded, this would most likely result in the addition of an auxiliary feedwater pump. The installation of a pump that is independent of ac power would be beneficial in handling station blackout accident sequences by providing additional reliability in the ac-independent decay heat removal system. Because all PWRs now have an auxiliary feedwater train that is independent of ac power, the requirement could be met by adding a motor-driven pump. Consequently, the auxiliary feedwater system upgrades could have no effect on the station blackout issue.

4.2.8 Multiplant Action Items B-23 and B-48, Degraded Grid Voltage and Adequacy of Station Electric Distribution Voltage

These two multiplant action items have been under consideration by both the staff and licensees for several years. They relate to: (1) sustained degraded voltage conditions at the offsite power sources, (2) interaction between the offsite and onsite emergency power systems, and (3) the acceptability of the voltage conditions on the station electric distribution systems with regard to potential overloading and starting transient problems. Licensees' responses to these concerns have consisted of verifying the adequacy of existing power systems or of upgrading the power systems. The modifications are designed to ensure that the power systems can perform their intended function and consequently would enhance their dependability. If additional power sources have been added to address these concerns, the plant would be placed in an improved category and may be required to withstand a blackout of lesser duration. In the resolution of USI A-44, the staff is not recommending that work that has been done on these two action items be repeated.

4.2.9 Severe Accident Program

Brookhaven National Laboratory has proposed a set of preliminary guidelines and criteria that could be used to assess the capability of nuclear power plants to cope with severe accidents (for example see BNL Technical Report A-3825R). This work was performed in support of the Implementation Plan for the Commission's Severe Accident Policy Statement. The proposed guidelines cover a large number of potentially severe accident sequences. For station blackout events, the guidelines assume that plants will comply with the requirements in the station blackout rule. Therefore, the severe accident program and the resolution of USI A-44 are consistent and compatible. Requirements for operating plants to comply with additional criteria beyond those in the station blackout rule would need to be justified in accordance with the backfit rule (10 CFR 50.109).

4.3 Constraints

The staff has reviewed current Commission regulations to determine if they provide a basis for implementation of the USI A-44 requirements. This review included (1) the Atomic Safety and Licensing Appeal Board Hearing (ALAB-603) on station blackout for St. Lucie Unit 2; (2) the Commission review of that hearing; (3) General Design Criterion (GDC) 17, Electric Power Systems; and (4) the backfit rule (10 CFR 50.109).

St. Lucie Unit 2 Atomic Safety and Licensing Appeal Board Hearing

In ALAB-603, the board took the position that station blackout should be considered a design basis event for St. Lucie 2 because of the high frequency of such an event (10^-4 to 10^-5 per year at that site). As a result, the Appeal Board required St. Lucie 2 to be capable of withstanding a total loss of ac power and to implement training and procedures to recover from station blackout. The Appeal Board went as far as to say --

     Our findings that station blackout should be considered as a design basis event for St. Lucie Unit 2 manifestly could be applied equally to Unit 1, already in operation at that site. By a parity of reasoning, this result may well also obtain at other nuclear plants on applicant's system, if not at most power reactors. Our jurisdiction, however, is limited to the matter before us, licensing construction of St. Lucie 2. Beyond that, we can only alert the Commission to our concerns.

The Commission upheld the Board's action on St. Lucie 2. However, the Commission determined that ALAB-603 did not establish station blackout generically as a "design basis event."

General Design Criterion 17

GDC 17 states, in part --

    Provisions shall be included to minimize the probability of losing electric power from any of the remaining supplies as a result of, or coincident with, the loss of power generated by the nuclear power unit, the loss of power from the transmission network, or the loss of power from the onsite electric power supplies.

The intent of GDC 17 is to require reliable offsite and onsite ac power systems. The ability to cope with the coincident loss of both of these systems is not addressed explicitly.

As a result of this review, the staff has concluded that there is a basis in the regulations for the recommendations to improve the reliability of the offsite and onsite ac power systems. However, because the coincident loss of both systems is not addressed explicitly, a rule to require plants to be able to withstand a total loss of ac power for a specified duration will provide further assurance that station blackout will not adversely affect the public health and safety.

Backfit Rule

On September 20, 1985, the Commission published the backfit rule (10 CFR 50.109). This rule sets forth restrictions on imposing new requirements on currently licensed nuclear power plants and specifies standard procedures that must be applied to backfitting decisions. The backfit rule states --

    The Commission shall require a systematic and documented analysis pursuant to paragraph (c) of this section for backfits which it seeks to impose. [§50.109(a)(2)]

    The Commission shall require the backfitting of a facility only when it determines, based upon the analysis described in paragraph (c) of [§50.109], that there is a substantial increase in the overall protection of the public health and safety or the common defense and security to be derived from the backfit and that the direct and indirect costs of implementation for that facility are justified in view of the increased protection. [§50.109(a)(3)]

In order to reach this determination, Paragraph §50.109(c) sets forth nine specific factors which are to be considered in the analysis for the backfits it seeks to impose. These nine factors are among those discussed in the main body of this report. Appendix A provides a discussion summarizing each of these factors. The Commission also states in the backfit rule that "any other information relevant and material to the proposed backfit" will be considered. This report provides additional relevant information concerning the station blackout rulemaking. This analysis supports a determination that a substantial increase in the protection of the public health and safety will be derived from backfitting the requirements in the station blackout rule, and that the backfit is justified in view of the direct and indirect costs of implementing the rule.

No other constraints have been identified that affect the resolution of USI A-44.

5 DECISION RATIONALE

The evaluation to resolve USI A-44 included deterministic and probabilistic analyses. Calculations to determine the timing and consequences of various accident sequences were performed, and the dominant factors affecting station blackout likelihood were identified (NUREG-1032, and NUREG/CR-2989, -3992, -3226, and -4347). Using this information, simplified probabilistic accident sequence correlations were calculated to estimate the frequency of core damage resulting from station blackout events for different plant design, operational, and location factors. These quantitative estimates were used to give insights into the relative importance of various factors, and those insights, along with engineering judgment, were used to develop the resolution of USI A-44. By analyzing the effect of variations in design, operations, and plant location on risk from station blackout accidents, an attempt was made to approach a reasonably consistent level of risk in the recommendations developed.

A survey of probabilistic risk assessment studies showed that total core damage frequency from all dominant accident sequences ranged from 2 x "e5 to 1 x 10 8 per reactor year, with a typical frequency of about 6 to 8 x 10^-5 per reactor-year (NUREG/CR-3226). For those plants currently in operation or under construction, a value-impact analysis was performed to determine that the resolution of USI A-44 is cost-effective. Implementation of the resolution will result in station blackout being a relatively small contributor to total core damage frequency. (NUREG-1032 provides a more detailed discussion of the analysis of station blackout accident likelihood performed for this regulatory analysis.)

5.1 Commission's Safety Goals

On August 4, 1986, the Commission published in the Federal Register a policy statement on "Safety Goals for the Operations of Nuclear Power Plants" (51 FR 28044). This policy statement focuses on the risks to the public from nuclear power plant operation and establishes goals that broadly define an acceptable level of radiological risk. The discussion below addresses the resolution of USI A-44 in light of these goals.

The two qualitative safety goals are:

    Individual members of the public should be provided a level of protection from the consequences of nuclear power plant operation such that individuals bear no significant additional risk to life and health.

    Societal risks in life and health from nuclear power plant operation should be comparable to or less than the risks of generating electricity by viable competing technologies and should not be a significant addition to other societal risk.

The following quantitative objectives are used in determining achievement of the above safety goals:

    The risk to an average individual in the vicinity of a nuclear power plant of prompt fatalities that might result from reactor accidents should not exceed one-tenth of one percent (0.1%) of the sum of prompt fatality risks resulting from other accidents to which members of the U.S. population are generally exposed.

    The risk to the population in the area near a nuclear power plant of cancer fatalities that might result from nuclear power plant operation should not exceed one-tenth of one percent (0.1%) of the sum of cancer fatality risks resulting from all other causes.

Results of analyses published in NUREG-1150 for five plants (Surry, Zion, Sequoyah, Peach Bottom and Grand Gulf) indicate that all five plants meet the risk criteria for prompt fatalities and latent cancer fatalities stated above, even considering the large uncertainties involved. Implementation of the station blackout rule will result in the average core damage frequency from station blackout events being in approximately the range of frequencies estimated for station blackout for the five NUREG-1150 plants. Therefore, the station blackout rule meets both of the Commission's qualitative safety goals.

The Commission also stated the following regulatory objective relating to the frequency of core damage accidents at nuclear power plants.

    Severe core damage accidents can lead to more serious accidents with the potential for life-threatening offsite releases of radiation, for evacuation of members of the public, and for contamination of public property. Apart from their health and safety consequences, such accidents can erode public confidence in the safety of nuclear power and can lead to further instability and unpredictability for the industry. In order to avoid these adverse consequences, the Commission intends to continue to pursue a regulatory program that has as its objective providing reasonable assurance, giving appropriate consideration to the uncertainties involved, that a severe core damage accident will not occur at a U.S. nuclear power plant.

An estimate of the total probability of core damage for the nuclear industry is beyond the scope of this regulatory analysis, but some perspectives on station blackout are presented here. The mean core damage frequency from station blackout events before implementation of the station blackout rule is estimated to be 4.2 x 10^-5 per reactor year. Thus, the probability of core damage from station blackout is about 0.12 (i.e., about one chance in 8 that station blackout would result in severe core damage at one of 125 reactors over an assumed remaining 25 year life expectancy of these plants). Implementation of the station blackout rule would reduce the estimated mean core damage frequency to 1.6 x 10^-5 per reactor year, and therefore, the estimated probability of a severe core damage accident from station blackout would be 0.05 (i.e., about one chance in 20 of severe core damage). Therefore, implementing the resolution of USI A-44 provides reasonable assurance that a severe core damage accident from station blackout will not occur at a U.S. nuclear power plant.

The Commission also proposed the following guideline for further staff evaluation:

    Consistent with the traditional defense-in-depth approach and the accident mitigation philosophy requiring reliable performance of containment systems, the overall mean frequency of a large release of radioactive materials to the environment from a reactor accident should be less than 1 in 1,000,000 per year of reactor operation.

Given the current state of knowledge regarding containment performance and the large uncertainties with respect to the probability of containment failure following severe accident sequences, it is not possible to conclude that the safety performance guideline on the frequency of a large release would be met. This conclusion is based on the estimated mean core damage frequency for station blackout events of 1.6 x 10^-5 per reactor year coupled with the uncertainty band for the probability of early containment failure ranging from about 0.05 to 0.90 as reported in NUREG-1150. Since the potential for a high likelihood of containment failure cannot be eliminated, the overall mean frequency of a large release of radioactivity of 10^-6 per reactor year cannot be assured.

Additional rationale for implementing the station blackout rule and the regulatory guide over other alternatives is discussed in the value-impact analysis (Section 4.1). This action represents the staff's position based on a comprehensive analysis of the station blackout issue. This position includes all the requirements and guidance to resolve the station blackout issue.

5.2 Station Blackout Reports

The studies and data on which this resolution is based are documented in NUREG-1032 and NUREG/CR-2989, -3226, -3992, and -4347. Summaries of these reports follow.
5.2.1 NUREG-1032, Evaluation of Station Blackout Accidents at Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-44

This report summarizes the results of technical studies performed in support of USI A-44 and identifies the dominant factors affecting the likelihood of station blackout accidents at nuclear power plants. These results are based on operating experience data; analysis of several plant specific probabilistic safety studies; and reliability, accident sequence, and consequence analyses performed in support of this unresolved safety issue. In summary the results show the following important characteristics of station blackout accidents.

(1) The likelihood of station blackout varies between plants with an estimated frequency ranging from approximately 10 6 to 10 8 per reactor year. A "typical" estimated frequency is on the order of 10 4 per reactor year.

(2) The capability of restoring offsite power in a timely manner can have a significant effect on accident consequences.

(3) Onsite ac power system redundancy and individual power supply reliability have the largest influence on station blackout accident frequency.

(4) The capability of the decay heat removal system to cope with long duration blackouts can be a dominant factor influencing the likelihood of core damage or core melt.

(5) The estimated frequency of station blackout events resulting in core damage or core melt can range from approximately 10^-6 to greater than 10^-4 per reactor year. A "typical" core damage frequency estimate is 2 to 4 x 10^-5 per reactor year.

(6) The best information available indicates that containment failure by overpressure may follow a station-blackout-induced core melt with smaller, low design pressure containments most susceptible to early failure. Some large, high design pressure containments may not fail by overpressure, or the failure time could be on the order of a day or more.

Losses of offsite power could be characterized as those resulting from plant-centered faults, utility grid blackout, or severe weather-induced failures of offsite power sources. The industry average frequency of total losses of offsite power was determined to be about 1 in 10 site years. The median restoration time was about one-half hour, and 90 percent of the losses were restored in 3 hours or less. The factors that were identified as affecting the frequency and duration of offsite power losses are --

(1) design of preferred power distribution system, particularly the number and independence of offsite power circuits from the point where they enter the site up to the safety buses

(2) operations that can compromise redundancy or independence of multiple offsite power sources, including human error

(3) grid stability and security, and the ability to restore power to a nuclear plant site with a grid blackout

(4) the hazard from, and susceptibility to, severe weather conditions that can cause loss of offsite power for extended periods

A design and operating experience review, combined with a reliability analysis of the onsite, emergency ac power system, has shown that there are a variety of potentially important failure causes. The typical unavailability of a two-division emergency ac power system is about 10 8 per demand, and the typical individual emergency diesel generator failure rate is about 2 x 10^-2 per demand. The factors that were identified as affecting the emergency ac power system reliability during a loss of offsite power are --

(1) power supply configuration redundancy

(2) reliability of each power supply

(3) dependence of the emergency ac power system on sup

Completion of NRC review of submittal: 20
Licensee's submittal of schedule for implementing hardware modifications: 26
Completion of licensees' hardware modifications: *

* Schedule to be agreed upon with NRC, but within 2 years of NRC review of submittal, unless justification is submitted by the licensee for a later date and the staff agrees.

The factors that must be considered to determine the minimum acceptable station blackout duration, as specified in the revision to Appendix A to GDC 17, are relatively straightforward. In fact, licensees have reviewed their plants against these factors as part of an industry initiative supported by NUMARC. Thus, this acceptable duration can be determined in approximately 1 or 2 months. Licensees will be required to perform plant-specific analyses to determine if the plant, as designed, can cope with a station blackout for the acceptable duration, and to determine what modifications, if any, are needed to meet the acceptable duration. These analyses could require 6 to 9 months to perform. Thus, it seems reasonable to require that the information be submitted to the NRC within 9 months after the date the final rule is issued.

The implementation of procedural changes to cope with a station blackout and diesel generator reliability improvements, if necessary, will be accomplished early in the schedule. Hardware backfits, if necessary, should be implemented as soon as practical, based on scheduled plant shutdown, but no later than 2 years after the staff reviews a licensee's station blackout duration submittal. A final schedule for implementation of design and associated procedural modifications will be mutually agreed upon by the licensee and the NRC staff.

Other schedules were considered; however, the staff believes the implementation schedule in Table 13 is achievable without unnecessary financial burden on licensees for plant shutdown. The schedule allows reasonable time for the implementation of necessary hardware items to achieve a reduction in the risk of severe accidents associated with station blackout, yet achieves significant benefits early on by requiring an assessment of a plant's station blackout capability and procedures and training to cope with such an event. Shorter or less flexible schedules would be unnecessarily burdensome; longer schedules would delay necessary plant improvements.

6.2 Relationship to Other Existing or Proposed Requirements

Several NRC programs are related to USI A-44; these are discussed in Section 4.2. These programs are compatible with the resolution of USI A-44.

7 REFERENCES

Brookhaven National Laboratory, "Prevention and Mitigation of Severe Accidents In a BWR-4 With a Mark I Containment," Draft Technical Report A-3825R, October 1986.

EG&G, "Cost Analysis for Enhancement of DC Systems Reliability and Adequacy of Safety-Related DC Power Systems," EG&G Report RE&ET-6151, January 1983.

Sandia National Laboratory, "Value-Impact Calculation for Station Blackout Task Action Plan A-44," letter report to NRC, March 1983.

Sandia National Laboratory, "Letter Report on Equipment Operability During Station Blackout Events," Draft, November 1986.

Science and Engineering Associates, Inc., "Response to Industry Comments on Station Blackout Cost Estimates (NUREG/CR-3840)," letter report to NRC, November 12, 1986.

U.S. Atomic Energy Commission, WASH-1400, "Reactor Safety Study," October 1975 (also reissued as NUREG-75/014).

U.S. Nuclear Regulatory Commission, "Regulatory Analysis Guidelines," NRR Office Letter No. 16, Revision 3, May 13, 1986.

--, NUREG-0800, "Standard Review Plan for the Review of Safety Analyses for Nuclear Power Plants," July 1981.

--, NUREG-0956, "Reassessment of the Technical Bases for Estimating Source Terms," July 1986.

--, NUREG-1032, "Evaluation of Station Blackout Accidents at Nuclear Power Plants, Technical Findings Related to Unresolved Safety Issue A-44," draft, May 1985.

--, NUREG-1150, "Reactor Risk Reference Document," Draft for Comment, February 1987.

--, NUREG/CR-2723, "Estimates of the Financial Consequences of Nuclear Power Reactor Accidents," September 1982.

--, NUREG/CR-2989, "Reliability of Emergency AC Power Systems at Nuclear Power Plants," July 1983.

--, NUREG/CR-3226, "Station Blackout Accident Analyses (Part of NRC Task Action Plan A-44)," May 1983.

--, NUREG/CR-3568, "A Handbook for Value-Impact Assessment," December 1983.

--, NUREG/CR-3840, "Cost Analysis for Potential Modifications to Enhance the Ability of a Nuclear Power Plant to Endure Station Blackout," July 1984.

--, NUREG/CR-3992, "Collection and Evaluation of Complete and Partial Losses of Offsite Power at Nuclear Power Plants," February 1985.

--, NUREG/CR-4347, "Emergency Diesel Generator Operating Experience, 1981-1983," December 1985.

--, NUREG/CR-4557, "A Review of Issues Related to Improving Nuclear Power Plant Diesel Generator Reliability," April 1986.

--, NUREG/CR-4568, "A Handbook for Quick Cost Estimates," April 1986.

--, NUREG/CR-4624, Volumes 1-6, "Radionuclides Release Calculations for Selected Severe Accident Scenarios," July 1986.

--, NUREG/CR-4627, "Generic Cost Estimates," June 1986.

NSAC/103, "Losses of Offsite Power at U.S. Nuclear Power Plants - All Years Through 1985," May 1986.

NSAC/108, "The Reliability of Emergency Diesel Generators at U.S. Nuclear Power Plants," September 1986.

Letter from J. H. Miller, Jr., Nuclear Utility Management and Human Resources Committee, to Chairman N. J. Palladino, June 17, 1986.

APPENDIX A - BACKFIT ANALYSIS

Analysis and Determination That The Rulemaking to Amend 10 CFR 50 Concerning Station Blackout Complies With The Backfit Rule 10 CFR 50.109

The Commission's existing regulations establish requirements for the design and testing of onsite and offsite electrical power systems (10 CFR Part 50, Appendix A, General Design Criteria 17 and 18). However, as operating experience has accumulated, the concern has arisen regarding the reliability of both the offsite and onsite emergency ac power systems. These systems provide power for various safety systems including reactor core decay heat removal and containment heat removal which are essential for preserving the integrity of the reactor core and the containment building, respectively. In numerous instances emergency diesel generators have failed to start and run during tests conducted at operating plants. In addition, a number of operating plants have experienced a total loss of offsite electric power, and more such occurrences are expected. Existing regulations do not require explicitly that nuclear power plants be designed to withstand the loss of all ac power for any specified period.

This issue has been studied by the staff as part of Unresolved Safety Issue (USI) A-44, "Station Blackout." Both deterministic and probabilistic analyses were performed to determine the timing and consequences of various accident sequences and to identify the dominant factors affecting the likelihood of core melt accidents from station blackout. These studies indicate that station blackout can be a significant contributor to the overall plant risk. Consequently, the Commission is amending its regulations to require that plants be capable of withstanding a total loss of ac power for a specified duration and to maintain reactor core cooling during that period.

The backfit analysis is included as an appendix to this report. It is intended to be a stand-alone document that minimizes the need to refer to additional documents by including sufficient detail to assess each consideration in the backfit rule (10 CFR 50.109). Therefore, the backfit analysis repeats much of what is already included in the main body of the report.

The estimated benefit from implementing the station blackout rule is a reduction in the frequency of core damage per reactor year due to station blackout and the associated risk of offsite radioactive releases. The risk reduction for 100 operating reactors is estimated to be 145,000 person rems.

The cost for licensees to comply with the rule would vary depending on the existing capability of each plant to cope with a station blackout, as well as the specified station blackout duration for that plant. The costs would be primarily for licensees (1) to assess the plant's capability to cope with a station blackout, (2) to develop procedures, (3) to improve diesel generator reliability if the reliability falls below certain levels, and (4) to retrofit plants with additional components or systems, as necessary, to meet the requirements.

The estimated total cost for 100 operating reactors to comply with the resolution of USI A-44 is about $60 million. The average cost per reactor would be around $600,000, ranging from $350,000, if only a station blackout assessment and procedures and training are necessary, to a maximum of about $4 million if substantial modifications are needed, including requalification of a diesel generator.

The overall value-impact ratio, not including accident avoidance costs, is about 2,400 person-rems averted per million dollars. If the net cost, which includes the cost savings from accident avoidance (i.e., cleanup and repair of onsite damages and replacement power following an accident) were used, the overall value-impact ratio would improve significantly to about 6,100 person-rems averted per million dollars.

This analysis supports a determination that a substantial increase in the protection of the public health and safety will be derived from backfitting the requirements in the station blackout rule, and the backfit is justified in view of the direct and indirect costs of implementing the rule. This does not imply that operating plants are unsafe. Rather, the rule will provide additional protection beyond that already provided to comply with currently existing requirements, and the benefit to public health and safety outweighs the cost of the improvements.

The preceding quantitative value-impact analysis was one of the factors considered in evaluating the rule, but other factors also played a part in the decision-making process. Probabilistic risk assessment (PRA) studies performed for this USI, as well as some plant-specific PRAs, have shown that station blackout can be a significant contributor to core melt frequency, and, with consideration of containment failure, station blackout events can represent an important contributor to reactor risk. In general, active systems required for containment heat removal are unavailable during station blackout. Therefore, the offsite risk is higher from a core melt resulting from a station blackout than it is from many other accident scenarios.

Although there are licensing requirements and guidance directed at providing reliable offsite and onsite ac power, experience has shown that there are practical limitations in ensuring the reliability of offsite and onsite emergency ac power systems. Potential vulnerabilities to common cause failures associated with design, operational, and environmental factors can affect ac power system reliability. For example, if potential common cause failures of emergency diesel generators exist (e.g., in service-water or dc power support systems), then the estimated core damage frequency from station blackout events can increase significantly. Also, even though recent data indicate that the average emergency diesel generator reliability has improved slightly since 1976, these data also show that diesel generator failure rates during unplanned demand (e.g., following a loss of offsite power) were higher than that during surveillance tests.

The estimated frequency of core damage from station blackout events is directly proportional to the frequency of the initiating event. Estimates of station blackout frequencies for this USI were based on actual operational experience with credit given for trends showing a reduction in the frequency of losses of offsite power resulting from plant-centered events. This is assumed to be a realistic indicator of future performance. An argument can be made that the future performance will be better than the past. For example, when problems with the offsite power grid arise, they are fixed and, therefore, grid reliability should improve. On the other hand, grid power failures may become more frequent because fewer plants are being built, and more power is being transmitted among regions, thus placing greater stress on transmission lines.

A number of foreign countries, including France, Britain, Sweden, Germany and Belgium, have taken steps to reduce the risk from station blackout events. These steps include adding design features to enhance the capability of the plant to cope with a station blackout for a substantial period of time and/or adding redundant and diverse emergency ac power sources.

The factors discussed above support the determination that additional defense-in-depth provided by the ability of a plant to cope with station blackout for a specific duration would provide substantial increase in the overall protection of the public health and safety, and the direct and indirect costs of implementation are justified in view of this increased protection. The Commission has considered how this backfit should be prioritized and scheduled in light of other regulatory activities ongoing at operating nuclear power plants. Station blackout warrants a high priority ranking based on both its status as an "unresolved safety issue" and the results and conclusions reached in resolving this issue. As noted in the implementation section of the rule (§50.63(d)), the schedule for equipment modification (if needed to meet the requirements of the rule) shall be mutually agreed upon by the licensee and NRC. Modifications that cannot be scheduled for completion within two years after NRC accepts the licensee's specified station blackout duration must be justified by the licensee.

Analysis of 50.109(c) Factors

1. Statement of the specific objectives that the backfit is designed to achieve

The NRC staff has completed a review and evaluation of information developed over the past six years on Unresolved Safety Issue (USI) A-44, Station Blackout. As a result of these efforts, the NRC is amending 10 CFR Part 50 by adding a new § 50.63, "Station Blackout," and adding a new paragraph (e) to General Design Criterion (GDC) 17, "Electric Power Systems," in Appendix A.

The objective of the station blackout rule is to reduce the risk of severe accidents associated with station blackout by making station blackout a relatively small contributor to total core damage frequency. Specifically, the rule requires all light-water cooled nuclear power plants to be able to cope with a station blackout for a specified duration and to have procedures and training for such an event. A regulatory guide, to be issued along with the rule, provides an acceptable method to determine the station blackout duration for each plant. The duration is to be determined for each plant based on a comparison of the individual plant design with factors that have been identified as the main contributors to risk of core melt resulting from station blackout. These factors are (1) the redundancy of onsite emergency ac power sources, (2) the reliability of onsite emergency ac power sources, (3) the frequency of loss of offsite power, and (4) the probable time needed to restore offsite power.

2. General description of the activity required by the licensee or applicant in order to complete the backfit

In order to comply with the resolution of USI A-44, licensees will be required to --

• Maintain the reliability of onsite emergency ac power sources at or above specified acceptable reliability levels.

• Develop procedures and training to restore ac power using nearby power sources if the emergency ac power system and the normal offsite power sources are unavailable.

• Determine the duration that the plant should be able to withstand a station blackout based on the factors specified in paragraph (e) of GDC 17.

• Evaluate the plant's actual capability to withstand and recover from a station blackout. This evaluation includes:

  - Verifying the adequacy of station battery power, condensate storage tank capacity, and plant/instrument air for the station blackout duration.

  - Verifying adequate reactor coolant pump seal integrity for the station blackout duration so that seal leakage due to lack of seal cooling would not result in a sufficient primary system coolant inventory reduction to lose the ability to cool the core.

  - Verifying the operability of equipment needed to operate during a station blackout and the recovery from the blackout for environmental conditions associated with total loss of ac power (i.e., loss of heating, ventilation and air conditioning).

Depending on the plant's existing capability to cope with a station blackout, licensees may or may not need to backfit hardware modifications (e.g., adding battery capacity) to comply with the rule. (See item 8 of this analysis for additional discussion.)

Licensees will be required to have procedures and training to cope with and recover from a station blackout.

3. Potential change in the risk to the public from the accidental offsite release of radioactive material

Implementation of the station blackout rule will result in an estimated total risk reduction to the public ranging from 65,000 to 215,000 person-rems with a best estimate of about 145,000 person-rem.

4. Potential impact on radiological exposure of facility employees

For 100 operating reactors, the estimated total reduction in occupational exposure resulting from reduced core damage frequencies and associated post-accident cleanup and repair activities is 1,500 person-rem. No increase in occupational exposure is expected from operation and maintenance activities associated with the rule. Equipment additions and modifications contemplated do not require work in and around the reactor coolant system and therefore are not expected to result in significant radiation exposure.

5. Installation and continuing costs associated with the backfit, including the cost of facility downtime or the cost of construction delay

For 100 operating reactors, the total estimated cost associated with the station blackout rule ranges from $42 to $94 million with a best estimate of $60 million. This estimate breaks down as follows:

                                              Estimated      Estimated total cost
                                              number of      (million dollars)
Activity                                      reactors       Best     High     Low

Assess plant's capability to cope with        100            25       40       20
  station blackout
Develop procedures and training               100            10       15       5
Improve diesel generator reliability          10             2.5      4        1.5
Requalify diesel generator                    2              5.5      11       2.5
Install hardware to increase plant's          27             17       24       13
  capability to cope with station blackout

Totals                                                       60       94       42

6. The potential safety impact of changes in plant or operational complexity, including the relationship to proposed and existing regulatory requirements

The rule requiring plants to be able to cope with a station blackout should not add to plant or operational complexity. The station blackout rule is closely related to several NRC generic programs and proposed and existing regulatory requirements as the following discussion indicates.

Generic Issue B-56, Diesel Generator Reliability

The resolution of USI A-44 includes a regulatory guide on station blackout that specifies the following guidance on diesel generator reliability (Task SI 501-4, Sections C1.1. and 2):

    The reliable operation of the onsite emergency ac power sources should be ensured by a reliability program designed to monitor and maintain the reliability of each power source over time at a specified acceptable level and to improve the reliability if that level is not achieved. The reliability program should include surveillance testing, target values for maximum failure rate, and a maintenance program. Surveillance testing should monitor performance so that if the actual failure rate exceeds the target level, corrective actions can be taken.

    The maximum emergency diesel generator failure rate for each diesel generator should be maintained at 0.05 failure per demand. However, for plants having an emergency ac power system [configuration requiring two-out-of-three diesel generators or having a total of two diesel generators shared between two units at a site], the emergency diesel generator failure rate for each diesel generator should be maintained at 0.025 failure per demand or less.

The resolution of B-56 will provide specific guidance for use by the staff or industry to review the adequacy of diesel generator reliability programs consistent with the resolution of USI A-44.

Generic Issue 23, Reactor Coolant Pump Seal Failures

Reactor coolant pump (RCP) seal integrity is necessary for maintaining primary system inventory during station blackout conditions. The estimates of core damage frequency for station blackout events for USI A-44 assumed that RCP seals would leak at a rate of 20 gallons per minute. Results of analyses performed for GI 23 will provide the information necessary to determine RCP seal behavior during a station blackout. Should this analysis conclude that there is a high probability that the RCP seals would not leak excessively during a station blackout, then no modifications would be required. If there is a significant probability that RCP seals can leak at rates substantially higher than 20 gallons per minute, then modifications such as an ac-independent RCP seal cooling system may be necessary to resolve GI 23.
Any proposed backfit resulting from the resolution of GI 23 would need to comply with the backfit rule.

USI A-45, Shutdown Decay Heat Removal Requirements

The overall objective of USI A-45 is to evaluate the adequacy of current licensing design requirements to ensure that the nuclear power plants do not pose an unacceptable risk as a result of failure to remove shutdown decay heat. The study includes an assessment of alternative means of shutdown decay heat removal and of diverse "dedicated" systems for this purpose. Results will include proposed recommendations regarding the desirability of, and possible design requirements for, improvements in existing systems or an alternative dedicated decay heat removal method.

The USI A-44 concern for maintaining adequate core cooling under station blackout conditions can be considered a subset of the overall A-45 issue. However, there are significant differences in scope between these two issues. USI A-44 deals with the probability of loss of ac power, the capability to remove decay heat using systems that do not require ac power, and the ability to restore ac power in a timely manner. USI A-45 deals with the overall reliability of the decay heat removal function in terms of response to transients, small break loss-of-coolant accidents, and special emergencies such as fires, floods, seismic events, and sabotage.

Although the recommendations that might result from the resolution of USI A-45 are not yet final, some could affect the station blackout capability, while others would not. Recommendations that involve a new or improved decay heat removal system that is ac power dependent but that does not include its own dedicated ac power supply would have no effect on USI A-44. Recommendations that involve an additional ac-independent decay heat removal system would have a very modest effect on USI A-44. Recommendations that involve an additional decay heat removal system with its own ac power supply would have a significant effect on USI A-44. Such a new additional system would receive the appropriate credit within the USI A-44 resolution by either changing the emergency ac power configuration group or providing the ability to cope with a station blackout for an extended period of time.

Well before plant modifications, if any, will be implemented to comply with the station blackout rule, the proposed technical resolution of USI A-45 will be published for public comment. Those plants needing hardware modifications for station blackout could be reevaluated before any actual modifications are made so that any contemplated design changes resulting from the resolution of USI A-45 can be considered at the same time.

Generic Issue A-30, Adequacy of Safety-Related DC Power Supply

The analysis performed for USI A-44 assumed that a high level of dc power system reliability would be maintained so that (1) dc power system failures would not be a significant contributor to losses of all ac power and (2) should a station blackout occur, the probability of immediate dc power system failure would be low. Whereas Generic Issue A-30 focuses on enhancing battery reliability, the resolution of USI A-44 is aimed at assuring adequate station battery capacity in the event of a station blackout of a specified duration. Therefore, these two issues are consistent and compatible.

Fire Protection Program

10 CFR 50.48 states that each operating nuclear power plant shall have a fire protection plan that satisfies GDC 3. The fire protection features required to satisfy GDC 3 are specified in Appendix R to 10 CFR 50. They include certain provisions regarding alternative and dedicated shutdown capability. To meet these provisions, some licensees have added, or plan to add, improved capability to restore power from offsite sources or onsite diesels for the shutdown system. A few plants have installed a safe shutdown facility for fire protection that includes a charging pump powered by its own independent ac power source. In the event of a station blackout, this system can provide makeup capability to the primary coolant system as well as reactor coolant pump seal cooling. This could be a significant benefit in terms of enhancing the ability of a plant to cope with a station blackout. Plants that have added equipment to achieve alternate safe shutdown in order to meet Appendix R requirements could take credit for that equipment, if available, for coping with a station blackout event.

7. The estimated resource burden on the NRC associated with the backfit and the availability of such resources

The estimated total cost for NRC review of industry submittals required by the station blackout rule is $1.5 million based on submittals for 100 reactors and an estimated average of 175 person-hours per reactor.

8. The potential impact of differences in facility type, design, or age on the relevancy and practicality of the backfit

The station blackout rule applies to all pressurized water reactors and boiling water reactors. However, in determining an acceptable station blackout coping capability for each plant, differences in plant characteristics relating to ac power reliability (e.g., number of emergency diesel generators, the reliability of the offsite and onsite emergency ac power systems) could result in different acceptable coping capabilities. For example, plants with an already low risk from station blackout because of multiple, highly reliable ac power sources are required to withstand a station blackout for a relatively short period of time; and few, if any, hardware backfits would be required as a result of the rule. Plants with currently higher risk from station blackout are required to withstand somewhat longer duration blackouts; and, depending on their existing capability, may need some modifications to achieve the longer station blackout capability.

9. Whether the backfit is interim or final and, if interim, the justification for imposing the backfit on an interim basis

The station blackout rule is the final resolution of USI A-44; it is not an interim measure.

APPENDIX B - WORKSHEETS FOR COST ESTIMATES

Section 4.1 of this report provides a summary of the estimated costs to industry and NRC associated with the resolution of USI A-44. This appendix provides supplementary information to support these cost estimates. The estimates in the following worksheets are based on information from the following references: EG&G (1983), NUREG/CR-3568, -3840, -4627, and -4568, U.S. NRC (1986), Sandia National Laboratory (1986), and Science and Engineering Associates (1986). The personnel cost for utility personnel used in these estimates is $100,000 per person-year, including overhead and general and administrative expenses.

Worksheet 1 Estimated cost to assess plant's capability to cope with station blackout (SBO)

Activity                                                     Estimated person-months

Determine system capabilities (e.g., batteries,              12
  instrument air, condensate storage tank, RCP seals)
Evaluate equipment operability
  Determine equipment/components necessary during SBO        2
  Determine heat loads for rooms/compartments                6
  Calculate environmental conditions during SBO              4
  Compare equipment design/operational capability            2
    to predicted environmental conditions
Quality assurance                                            4

Total                                                        30
Total costs                                                  $250,000

Worksheet 2 Estimated cost to develop procedures and training for station blackout

                                                 Estimated resources
Activity                                         Person-months    Dollars

Develop procedures (includes writing,            3                $25,000
  review and approval)
Training
  Initial training                               3                $25,000
  Annual update training                         0.5/yr           $5,000/yr

Total training costs are calculated by the following equation, which sums the initial training costs and the present value of the annual training costs over the remaining plant lifetime.

\[ C_{TL} = C_{IT} + \sum_{0}^{L} \frac{C_{AT}}{(1 + D)^{L}} = \$\,[\text{illegible}]0{,}000 \]

where

C_{TL} = total training costs
C_{IT} = initial training costs
C_{AT} = annual training costs
D = discount rate (10%)
L = remaining plant lifetime (25 years)

Therefore, adding the cost to develop procedures, the total cost for procedures and training is estimated to be $100,000.

Worksheet 3 Estimated cost to improve diesel generator reliability

Activity                         Estimated cost

Reliability investigation        $100,000
Equipment modifications          $150,000
                                 $250,000

Worksheet 4 Estimated cost to requalify a diesel generator

Assuming that a plant would shut down for 5 days to requalify a diesel generator, the replacement energy cost (C_R) is the dominant cost associated with this activity. C_R can be calculated using the following equation:

\[ C_R = E \times P \times R \]

where

E = net electrical output (kWe)
P = shutdown period (hours)
R = replacement energy cost ($/kWh)

The table below presents the data used to calculate the best, high and low estimates to requalify a diesel generator.

                                                 Value
Parameter                                Best       High         Low

Net plant electrical output (kWe)        900,000    1,150,000    500,000
Shutdown period (hours)                  120        120          120
Replacement energy cost ($/kWh)*         .026       .040         .020
Total cost (million dollars)             2.8        5.5          1.2

* Costs from NUREG/CR-4568

ENCLOSURE 9

NUREG-1032

Evaluation of Station Blackout Accidents at Nuclear Power Plants

Technical Findings Related to Unresolved Safety Issue A-44

Draft Report for Comment

Manuscript Completed: March 1985
Date Published: May 1985

P. W. Baranowsky

Office of Nuclear Regulatory Research
Office of Nuclear Reactor Regulation
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

ABSTRACT

"Station Blackout," which is the complete loss of alternating current (AC) electrical power in a nuclear power plant, has been designated as Unresolved Safety Issue A-44. Because many safety systems required for reactor core decay heat removal and containment heat removal depend on AC power, the consequences of a station blackout could be severe. This report documents the findings of technical studies performed as part of the program to resolve this issue. The important factors analyzed include: the frequency of loss of offsite power; the probability that emergency or onsite AC power supplies would be unavailable; the capability and reliability of decay heat removal systems independent of AC power; and the likelihood that offsite power would be restored before systems that cannot operate for extended periods without AC power fail, thus resulting in core damage. This report also addresses effects of different designs, locations, and operational features on the estimated frequency of core damage resulting from station blackout events.

TABLE OF CONTENTS

ABSTRACT
LIST OF FIGURES
LIST OF TABLES
PREFACE
ACKNOWLEDGMENTS

1 EXECUTIVE SUMMARY
2 INTRODUCTION AND TECHNICAL APPROACH
3 LOSS OF OFFSITE POWER FREQUENCY AND DURATION
4 RELIABILITY OF EMERGENCY AC POWER SUPPLIES
5 STATION BLACKOUT FREQUENCY AND DURATION
6 ABILITY TO COPE WITH A STATION BLACKOUT
7 ACCIDENT SEQUENCE ANALYSES
8 EVALUATION OF DOMINANT STATION BLACKOUT ACCIDENT CHARACTERISTICS
9 RELATIONSHIP OF OTHER SAFETY ISSUES TO STATION BLACKOUT
    9.1 Loss-of-Coolant Accidents
    9.2 Anticipated Transients Without Scram
    9.3 Extreme Internal Environment
    9.4 Extreme Hazards
10 REFERENCES

APPENDIX A DEVELOPMENT OF LOSS OF OFFSITE POWER FREQUENCY AND DURATION RELATIONSHIPS
APPENDIX B EMERGENCY AC POWER RELIABILITY AND STATION BLACKOUT FREQUENCY: MODELING AND ANALYSIS RESULTS
APPENDIX C STATION BLACKOUT CORE DAMAGE LIKELIHOOD AND RISK

LIST OF FIGURES

3.1 Diagram of offsite power system used in nuclear power plants
3.2 Frequency of loss-of-offsite power events exceeding specified durations
3.3 Estimated frequency of loss-of-offsite power events exceeding specified durations for representative clusters
4.1 Simplified 1-of-2 onsite AC power distribution system
4.2 Onsite power system functional block diagram
4.3 Histograms showing emergency diesel generator failure on demand for 1976 through 1982
4.4 Failure contribution by diesel generator subsystem
4.5 Onsite AC system unavailability for 18 plants studied in NUREG/CR-2989
4.6 Percentage of emergency diesel generator failures repaired vs. time since failure
4.7 Generic emergency AC power unavailability as a function of emergency diesel generator (EDG) reliability
4.8 Emergency AC power unavailability as a function of individual diesel generator running reliability
5.1 Estimated frequency of station blackout exceeding specified durations for several representative offsite power clusters
5.2 Estimated frequency of station blackout exceeding specified durations for several EDG reliability levels
5.3 Estimated frequency of station blackout exceeding specified durations for several emergency AC power configurations
7.1 Generic PWR event tree for station blackout
7.2 Generic BWR event tree for station blackout (BWR-2 or 3)
7.3 Generic BWR event tree for station blackout (BWR-4, 5 or 6)
7.4 Time to core uncovery as a function of time at which turbine-driven auxiliary feedwater train fails
7.5 PWR station blackout accident sequence
7.6 BWR station blackout accident sequence
8.1 Sensitivity of estimated station blackout-core damage frequency to offsite power cluster, AC-independent decay heat removal reliability, and station blackout coping capability
8.2 Sensitivity of estimated station blackout-core damage frequency to EDG reliability, AC-independent decay heat removal reliability, and station blackout coping capability
8.3 Sensitivity of estimated station blackout-core damage frequency to emergency AC power configurations, AC-independent decay heat removal reliability, and station blackout coping capability
8.4 Sensitivity of estimated station blackout-core damage frequency to reducing the common cause failure susceptibility of emergency diesel generators, their reliability, and station blackout coping capability
8.5 Estimated core damage frequency showing uncertainty range for four reference plants

LIST OF TABLES

1.1 Summary of station blackout program technical results
3.1 Total losses of offsite power at U.S. nuclear power plant sites, 1968 through 1983
3.2 Characteristics of some loss-of-offsite power-event clusters that affect longer duration outages
4.1 Diesel generator start attempts and failures for tests and actual demands
4.2 Results of onsite power system reliability analysis reported in NUREG/CR-2989
6.1 Effects of station blackout on plant decay heat removal functions
6.2 Possible factors limiting the ability to cope with a station blackout event
7.1 Estimated time to uncover core for station blackout sequences with initial failure of AC-independent decay heat removal systems and/or reactor coolant leaks
7.2 Summary of potentially dominant core damage accident sequences
7.3 Containment failure insights
7.4 Containment fission product release categories and failure mode probabilities for station blackout sequences
8.1 Sensitivity of estimated core damage frequency reduction for station blackout accidents with reactor coolant pump seal failure delay from 2 to 4 hours and 4 to 8 hours
9.1 Coupling between external (and internal) events and potential plant failures

PREFACE

This report represents the culmination of several technical studies undertaken by Nuclear Regulatory Commission (NRC) staff and contractors to place a reliability and risk perspective on Unresolved Safety Issue A-44, Station Blackout. The technical findings published in this draft are intended to document the basis for future NRC regulatory activities that will be the resolution of this safety issue.

The analyses, evaluations, and results presented are meant to provide a "best estimate" assessment of the major contributors to the frequency of station blackout and the probability of subsequent core damage. Most results are presented as point estimates and are intended for use in the quantitative regulatory analyses that will be used to support a proposed resolution of this issue. The uncertainties in the quantitative analyses are large enough that rigorous application of these results should be made with caution. However, the staff believes that the qualitative insights and conclusions are correct and useful as guidance in determining what constitutes resolution of this issue.

The staff recognizes that any probabilistic safety analysis can benefit from the broadest review and comment. This is especially important when such an analysis is to be the basis for resolution of an Unresolved Safety Issue.

P.W. Baranowsky

ACKNOWLEDGMENTS

The preparation of this report involved the technical contribution, review, and comment of several individuals in addition to the principal author. The contributions of the following NRC staff members are hereby acknowledged and appreciation given:

J. M. Assuncao
S. A. Bernstein
J. W. Johnson
A. M. Kuritzky
L. E. Lancaster
D. M. Rasmuson
A. M. Rubin

1 EXECUTIVE SUMMARY

"Station blackout" is the complete loss of alternating current (AC) electrical power to the essential and nonessential switchgear buses in a nuclear power plant. Because many safety systems required for reactor core cooling and containment heat removal depend on AC power, the consequence of a station blackout could be severe. Existing regulations do not require explicitly that nuclear power plants be capable of withstanding a station blackout.

In 1975, the Reactor Safety Study (NUREG-75/140) showed that station blackout could be an important contributor to the total risk from nuclear power plant accidents. In addition, as operating experience accumulated, the concern arose that the reliability of both the onsite and offsite emergency AC power systems might be less than originally anticipated. Thus, in 1979 the Commission designated station blackout as an Unresolved Safety Issue (USI); a Task Action Plan for its resolution (TAP A-44) was issued in July 1980, and work was begun to determine whether additional safety requirements were needed.

Technical studies performed to resolve this safety issue have identified the dominant factors affecting the likelihood of station blackout accidents at nuclear power plants. A summary of the principal probabilistic results is in Table 1.1. These results are based on operating experience; the results of several plant specific probabilistic safety studies; and reliability, accident sequence, and consequence analyses performed as part of TAP A-44.

The results show the following important characteristics of station blackout accidents:

(1) The variability of estimated station blackout likelihood is potentially large, ranging from approximately $10^{-5}$ to $10^{-3}$ per reactor year. A "typical" estimated frequency is on the order of $10^{-4}$ per reactor year.

(2) The capability to restore offsite power in a timely manner (less than 8 hours) can have a significant effect on accident consequences.

(3) The redundancy of onsite AC power systems and the reliability of individual power supplies have a large influence on the likelihood of station blackout events.

(4) The capability of the decay heat removal system to cope with long duration blackouts (greater than 4 hours) can be a dominant factor influencing the likelihood of core damage or core melt for the accident sequence.

(5) The estimated frequency of station blackout events that result in core damage or core melt can range from approximately $10^{-6}$ to greater than $10^{-4}$ per reactor year. A "typical" core damage frequency estimate is on the order of $10^{-5}$ per reactor year.

(6) Information currently available indicates that containment failure as a result of overpressure may follow a station-blackout-induced core melt. Smaller, low-design pressure containments are most susceptible to early failure (possibly in less than 8 hours). Some large, high-design pressure containments may not fail as a result of overpressure, or if they do fail, the failure time could be on the order of a day or more.

Table 1.1 Summary of station blackout program technical results

Parameter                                                    Value

Operational Experience
  Loss of offsite power (occurrence per year)
    Average                                                  0.1
    Range                                                    0 to 0.4
  Time to restore offsite power (hours)
    Median                                                   0.[digit illegible]
    90% restored                                             3.0
  Emergency diesel generator reliability (per demand)
    Average                                                  0.98
    Range                                                    0.9 to 1.0
  Median emergency diesel generator repair time (hours)      8

Analytical Results
  Estimated range of unavailability of emergency             $10^{-4}$ to $10^{-2}$
    AC power systems (per demand)
  Estimated range of frequency of station blackout           $10^{-5}$ to $10^{-3}$
    (per year)
  Estimated range of frequency of core damage as a           ~$10^{-6}$ to $10^{-4}$
    result of station blackout (per year)

The losses of offsite power can be categorized as those resulting from (1) plant-centered faults, (2) utility grid blackouts, and (3) failures of offsite power sources induced by severe weather. The industry average frequency of total losses of offsite power was determined to be about 0.1 per site-year, and the median restoration time was about one-half hour. The factors identified as affecting the frequency and duration of offsite power losses are

(1) the design of preferred power distribution system, particularly the number and independence of offsite power circuits from the point where they enter the site up to the safety buses

(2) operations that can compromise redundancy or independence of multiple offsite power sources, including human error

(3) the reliability and security of the power grid, and the ability to restore power to a nuclear plant site with a grid blackout

(4) the hazard from, and susceptibility to, severe weather conditions that can cause loss of offsite power for extended periods

A review of the design and operating experience, combined with a reliability analysis of the onsite emergency AC power system, has shown that there are a variety of potentially important causes of failure. The typical unavailability of a two-division emergency AC power system is about 10^-3 per demand, and the typical failure rate of individual emergency diesel generators is about 2 x 10^-2 per demand. The factors identified as affecting emergency AC power system reliability during a loss of offsite power are

(1) power supply configuration redundancy

(2) reliability of each power supply

(3) dependence of the emergency AC power system on support or auxiliary cooling systems and control systems

(4) vulnerability to common cause failures associated with design, operational, and environmental factors

The likelihood that a station blackout will progress to core damage or core melt is dependent on the reliability and capability of decay heat removal systems that are not dependent on AC power. If the capability is sufficient, additional time will be available to restore AC power to the many systems normally used to cool the core and remove decay heat. The most important factors relating to decay heat removal during a station blackout are

(1) the starting reliability of systems required to remove decay heat and maintain reactor coolant inventory

(2) the capacity and ability to function of decay heat removal systems and auxiliary or support systems that must remain functional during a station blackout (e.g., DC power, condensate storage)

(3) for pressurized water reactors (PWRs) and for boiling water reactors (BWRs) without reactor coolant makeup capability during a station blackout, the magnitude of reactor coolant pump seal leakage

(4) for BWRs that remove decay heat to the suppression pool, the ability to maintain suppression pool integrity and operate heat removal systems at high pool temperatures during recirculation

On the basis of reviews of design, operation, and location factors, the staff determined that the expected core melt frequency from station blackout could be maintained around 10^-5 per reactor year or lower for all plants. To reach this level of core melt frequency, a plant would have to be able to cope with station blackouts at least 4 and perhaps 8 hours long and have emergency diesel generator reliabilities of 0.95 per demand or better, with relatively low susceptibility to common cause failures.

2 INTRODUCTION AND TECHNICAL APPROACH

"Station blackout" refers to the complete loss of AC electrical power to the essential and nonessential buses in a nuclear power plant. Station blackout involves the loss of offsite power concurrent with the failure of the onsite emergency AC power system. Because many safety systems required for reactor core cooling, decay heat removal, and containment heat removal depend on AC power, the consequences of station blackout could be severe.

The concern about station blackout is based on accumulated operating experience regarding the reliability of AC power supplies. A number of operating plants have experienced a total loss of offsite electrical power, and more such occurrences are expected. During these loss-of-offsite power events, onsite emergency AC power sources were available to supply the power needed by vital safety equipment. However, in some instances one of the redundant emergency power supplies was unavailable, and in a few cases there was a complete loss of AC power. (During these events, AC power was restored in a short time without any serious consequences.) In addition, there have been numerous instances at operating plants in which emergency diesel generators failed to start and run during surveillance tests.

For one of two plants evaluated, the Reactor Safety Study (NUREG-75/014) showed that station blackout could be an important contributor to the total risk from nuclear power plant accidents. Although this total risk was found to be small, the relative importance of the station blackout event was established. This finding, with the accumulated data on diesel generator failures, increased the concern about station blackout.

An analysis of the risk from station blackout involves an assessment of (1) the likelihood and duration of the loss of offsite power, (2) the reliability of onsite AC power systems, and (3) the potential for severe accident sequences after a loss of all AC power. These topics were investigated under USI TAP A-44. This plan included the following major tasks:

(1) Estimating the frequency of station blackout at operating U.S. nuclear power plants. This analysis consisted of two parts:

• estimating the frequency of loss of offsite power for various plant locations

• estimating the probability that the onsite AC power system will fail to supply AC power for core cooling

(2) Determining plant responses to station blackout and the risk associated with station-blackout-initiated accident sequences. The scope of this investigation included

• reviewing the shutdown cooling system design and assessing its capability and reliability during a prolonged station blackout

• reviewing the containment design and its ability to withstand temperature and pressure buildup during a prolonged loss of AC power

• estimating the probability of station blackout accident sequences

The principal focus of TAP A-44 was the reliability of emergency AC power supplies. This approach was taken for several reasons. First, station blackout was identified as a USI primarily on the basis of the questions raised about the reliability of onsite emergency power supplies. Second, if safety improvements are required, it is easier to analyze, identify, and implement them for the onsite AC power system than for the offsite AC power supplies or for the AC-independent decay heat removal system. For example, offsite power reliability is dependent on a number of factors--such as regional electrical grid stability, weather phenomena, and repair and restoration capability--that are difficult to analyze and to control. Also, the capability of a plant to withstand a station blackout depends on those decay heat removal systems, components, instruments, and controls that are independent of AC power. These features vary from plant to plant; thus considerable effort is required to analyze all of them or to ensure that the plants indeed have that capability. Third, significant progress has been made on improving operating PWRs by backfitting the auxiliary feedwater system to make it independent of AC power. In addition, under the TAP for USI A-45, "Shutdown Decay Heat Removal Requirements," the adequacy of shutdown decay heat removal systems for nuclear power plants is being reviewed. Thus, the reliability of emergency AC power supplies is of principal importance to USI A-44.

A preliminary screening analysis was done to identify plants most likely to suffer core damage as a result of a loss of all AC power. The intent was to survey the frequency and implication of station blackout events in operating plants and identify any plants with especially high risk that might require further analysis or action on an urgent basis. The initial results showed no such plants.

Following this initial analysis, station blackout events were evaluated in more detail. Because the station blackout issue centers on concern about the reliability of AC power supplies, typical offsite and emergency AC power supplies were evaluated, and operating (failure) experience reviewed. This effort was limited to power supply availability and did not include an evaluation of power distribution adequacy or power capacity requirements.

Information on loss of offsite power was collected from licensee event reports (LERs), responses to a Nuclear Regulatory Commission (NRC) questionnaire, and various reports prepared by utilities. Most of the event descriptions in the LERs and in other documentation in the NRC files did not contain sufficient information to provide an accurate data base for estimating frequencies and durations of losses of offsite power. For example, in one case a licensee reported that offsite power was restored in 6 hours; in fact one offsite power source was restored in 8 minutes, and all offsite power was restored in 6 hours. Because restoration of one source of offsite power terminates a loss of offsite power, the licensee's description was not accurate enough. In some other cases, although offsite power was available to be reconnected, the plant operators did not reconnect it for some time after it was available because onsite power was available. To obtain more accurate data, the NRC and Oak Ridge National Laboratory staff members worked closely with the Institute of Electrical and Electronics Engineers (IEEE) and the Electric Power Research Institute (EPRI). These groups contacted utility engineers to get better descriptions of the causes and sequences of events, and the times and methods of restoring offsite power (Wyckoff, 1984).

To gain a perspective on consequences, station blackout event sequences and associated plant responses were analyzed. The Interim Reliability Evaluation Program (IREP) was one source of information for developing the shutdown cooling reliability models and accident scenarios needed for this evaluation.

The following sections of this report summarize the results of the technical evaluations discussed above. Details of the technical assessments are reported in NUREG/CR-2989, -3226, and -3992. Technical evaluations in this report were derived from these references to coalesce that material and extend the analysis to obtain the broader insights and bases necessary to resolve the station blackout issue in an integral manner, considering plant differences. These supplemental analyses are described in Appendices A, B, and C of this report.

3 LOSS OF OFFSITE POWER FREQUENCY AND DURATION

The offsite or preferred power system at nuclear power plants consists of the following major components:

• two or more incoming power supplies from the grid

• one or more switchyards to allow routing and distribution of power within the plant

• one or more transformers to allow the reduction of voltage to levels needed for safety and non-safety systems within the plant

• distribution systems from the transformers to the switchgear buses

Figure 3.1 provides an example of an offsite power system design used for nuclear power plants. During normal operation, AC power is typically provided to the safety and non-safety buses from the main generator through the auxiliary transformer; it may also be supplied directly through a startup transformer. A minimum of two preferred power supply circuits must be provided. Sources of offsite power other than the grid may also be provided as alternate or backup sources of power. These may include nearby (or onsite) gas turbine generators, fossil power plants, and hydroelectric power facilities.

A loss of offsite power is said to occur when all sources of offsite power become unavailable, causing safety buses to become deenergized and initiating an undervoltage signal. Some loss-of-offsite power transients will be very short--just long enough to allow switching from one failed source to another available source. Because of the short duration of this type of loss-of-offsite power transient, it is not of concern relative to station blackout. This type of loss-of-offsite power transient is better described as an interruption. However, if switching errors or failures of alternate sources of power compound the situation and longer term repair, restoration, or actuation of alternate power sources is required, the loss-of-offsite power transient can be significant. This type of loss-of-offsite power event is referred to as a total loss of offsite power.

Figure 3.1 Diagram of offsite power system used in nuclear power plants

Although total loss of offsite power is relatively infrequent at nuclear power plants, it has happened a number of times, and a data base of information has been compiled (Wyckoff, 1984; NUREG/CR-3992). Historically, a loss of offsite power occurs about once per 10 site years. The typical duration of these events is on the order of one-half hour. However, at some power plants the frequency of offsite power loss has been substantially greater than the average, and at other plants the duration of offsite power outages has greatly exceeded the norm. Table 3.1 provides a summary of the data on total-loss-of-offsite power events through 1983.

Because design characteristics, operational features, and the location of nuclear power plants within different grids and meteorological areas can have a significant effect on the likelihood and duration of loss-of-offsite power events, it was necessary to analyze the generic data in more detail. The data have been categorized into plant-centered events and area- or weather-related events. Plant-centered events are those in which the design and operational characteristics of the plant itself play a role in the likelihood of the loss of offsite power. Area- or weather-related events include those on which the reliability of the grid or external influences on the grid have an effect on the likelihood and duration of the loss of offsite power. The data show that plant-centered events account for the majority of the loss-of-offsite-power events. The area- or weather-related station blackouts, although of lesser frequency, typically account for the longer duration outages with storms being the major factor. Figure 3.2 provides a plot of the frequency and duration of loss-of-offsite power events due to plant-centered faults, grid blackout, and severe weather based on past experience at nuclear plant sites. Appendix A to this report provides a more thorough discussion of the technical bases for the loss-of-offsite power frequency and duration characteristics discussed in the remainder of this section.

Table 3.1 [handwritten table; not legible in the source scan]

Figure 3.2 Frequency of loss-of-offsite power events exceeding specified durations (curves: Total, Plant-Centered, Grid, Severe Weather; horizontal axis: Duration (Hours))

Plant-centered failures typically involve hardware failures, design deficiencies, human errors (maintenance and switching), and localized weather-induced faults (lightning and ice) or combinations of these types of failure. No strong correlation was found between the frequency of plant-centered loss-of-offsite power events and any particular design factor. However, a modest correlation was observed between the duration of plant-centered loss-of-offsite-power events and the independence and redundancy of offsite power circuits at a site. In this regard, it has been observed that a site with several immediate and delayed access circuits will generally recover offsite power more promptly than a site with only the minimum requirements. However, recovery from the relatively high frequency plant-centered faults can be accomplished within a few hours.

Plant location plays an important role in loss-of-offsite power events. Factors shown to be significant were (1) the reliability of the grid from which the nuclear power plant draws its preferred power supply and (2) the likelihood of severe weather that can cause damage to the grid distribution system and hence a loss of power to the plant. Traditionally, analyses have focused on grid reliability as a dominant factor in estimating loss of offsite power at a plant site. However, a review of the historical data shows that approximately - of all loss-of-offsite power events have been caused by grid problems, and, in fact, a large percentage of grid-related loss-of-offsite power events can be traced to one utility's system. The grid reliability of that system dominates the data, distorting the perspective on the contribution of grid failure to loss of offsite power frequency.

This finding of overall grid reliability should not be unexpected when one recognizes that current distribution and dispatch systems are well coordinated. Utilities shed loads when possible and generally protect their grid from overloads and faults that could cause grid loss in the various day-to-day operations. Moreover, when there is a loss of power on the grid, the first activity that is usually undertaken is the restoration of power to the electric generation plants so that the grid may be restored with appropriate power supplies. In fact, during the Northeast blackout of 1965, power was restored to a nuclear power plant in New England within about one-half an hour of the grid collapse, while power was not restored to the entire grid for 24 hours or more.

With the exception of a few utility systems, large grid disturbances are relatively infrequent, and, again with few exceptions, the duration of power outages at power plants as a result of grid disturbances is relatively short. An identified weakness in a system is usually corrected as soon as practical; it is the unidentified weaknesses that result in grid failures. In the absence of a historical trend, operating experience related to grid reliability is not necessarily an indication of future problems unless a known weakness has not been corrected. Because grids in the U.S. are generally very stable and system planning is directed at maintaining and improving that stability, grid reliability is usually not the principal indicator of the likelihood of loss of offsite power.

Severe weather, such as local or area-wide storms, can disrupt incoming power supplies to the plant. In fact, a number of loss-of-offsite power events at nuclear power plants were weather-related. These can be divided into two failure groups

(1) those in which the weather caused the event but did not affect the time to restore power

(2) those in which the weather initiated the event and caused adverse conditions over a sufficiently broad area such that power was not or could not be restored for a long time

The first group includes lightning and most other weather events that are not too severe. They can cause a loss of offsite power, but their severity generally does not contribute in any significant way to long-duration losses of offsite power. These types of weather-related losses of offsite power have been treated as either plant-centered or grid-related losses of offsite power.

The second group includes losses of offsite power as a result of severe weather such as hurricanes, high winds, snow and ice storms, and tornadoes. The expected loss-of-offsite power frequency of this group is relatively small. On the other hand, the likelihood of restoring offsite power quickly for this group is also relatively small. Although it is expected that the actions of dispatch and plant personnel can influence substantially the duration of area-wide grid disturbances that cause a loss of offsite power, severe weather conditions--and the expected duration of the resulting loss-of-offsite power events--cannot be influenced in the same way. Therefore, one would expect severe weather to dominate the restoration characteristics for long duration outages. The redundancy, separation, and independence of the offsite power system may affect the likelihood of some weather-related losses such as those induced by tornado strikes. The depth of this study has not been sufficient to show the effectiveness of these design considerations on reducing the likelihood of other types of weather-related outages.

There is a potentially large variation in the annual expected frequency of loss-of-offsite power events at different nuclear power plants, depending on their design and location. A large variation also has been observed in the duration of loss-of-offsite power events at different nuclear power plants. The expectation of long-duration outages is dominated by the likelihood of severe storms and, to a lesser extent, by the likelihood of grid blackout and the ability to restore power to the site during grid loss. Grid-related losses are important only when the frequency of occurrence greatly exceeds the national average.

Appendix A describes the modeling and analyses performed by NRC staff to determine the relationship between design and location and the frequency of and duration of loss-of-offsite power events representative of most U.S. nuclear power plant sites. Figure 3.3 provides a plot of the expected frequency and duration for loss of offsite power for site, design, grid, and weather characteristics that have been found to "cluster" reasonably well. The factor that most predominantly affects the characteristic groupings is severe weather. Table 3.2 provides a definition of the site characteristics that make up the loss-of-offsite-power clusters shown. Appendix A includes additional discussion of the characteristics of these clusters.

Figure 3.3 [plot not recoverable from the source scan; vertical axis: Estimated frequency (per site-year)]

Table 3.2 Characteristics of some loss-of-offsite power-event clusters that affect longer duration outages

Cluster   Characteristics

2         Offsite Power Design Group I1, I2, or I3*; located in an area of very low severe weather hazards or susceptibility to severe weather hazards is very low

4         Moderate to high severe weather hazard area and susceptibility

5         Very high severe weather hazard area and susceptibility

7         Average grid reliability and combinations of offsite power system design and severe weather hazard/susceptibility that most closely approximate the national average for nuclear plants

*See Appendix A for definitions of Design Groups I1, I2, and I3.


4 RELIABILITY OF EMERGENCY AC POWER SUPPLIES

The emergency AC power system provides an alternate or backup power supply to the offsite power sources. Figure 4.1 is a simplified one-line diagram of a typical emergency AC power system. If the offsite power system is lost, an undervoltage condition will exist on the safety buses, causing actuation of the emergency AC power system. The emergency AC power system provides sufficient functional capability and redundancy of the power requirements for the systems needed to mitigate the consequences of a design-basis accident. This typically includes a requirement to actuate emergency AC power supplies and make them available for loading within about 10 seconds after receiving an actuation signal. The emergency AC power system also meets the single-failure criterion when applied to design-basis accidents.

Emergency AC power is generally provided by diesel generator systems, although other sources such as gas turbine generators or hydroelectric power are used at some plants. Because of the preponderance of diesel generator usage, that power supply type will be the principal focus of emergency AC power system discussions in this report. Figure 4.2 identifies the typical subsystems and support systems that are needed for successful operation of the emergency diesel generator.

Emergency AC power systems typically consist of two diesel generators, either one of which is sufficient to meet AC power load requirements for a design-basis accident. This configuration has been designated by its success criterion: one out of two, or more simply 1/2. In some cases, three or four or more diesel generators are used at single unit sites, and in others, diesel generators are shared at multi-unit sites. These systems also can be described by their success criteria, or number of diesel generators required per number provided. However, for evaluating the station blackout issue, the success criterion will be defined as the number of diesel generators required to maintain a stable core cooling and decay heat removal condition with all offsite power sources unavailable.
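The required/provided success criterion maps directly onto a k-out-of-n failure calculation. The Python sketch below is an added example and is not part of NUREG-1032: it combines the per-demand diesel generator failure rate (2 x 10^-2) and the loss-of-offsite-power frequency (0.1 per site-year) quoted in the summary with a beta-factor common cause model. The beta value of 0.03 and all function names are assumptions chosen for illustration, and failure to run and offsite power restoration are ignored.

```python
"""Added example: k-out-of-n emergency AC unavailability and blackout frequency."""
from math import comb

# Values quoted in the report summary.
LOOP_FREQUENCY_PER_SITE_YEAR = 0.1   # total losses of offsite power
EDG_FAILURE_PER_DEMAND = 2e-2        # individual emergency diesel generator

# Assumption (not from the report): fraction of diesel generator failures
# that are common cause, i.e. that disable every generator at once.
ASSUMED_BETA = 0.03


def k_of_n_unavailability(required, provided, p_fail, beta=0.0):
    """Probability per demand that fewer than `required` of `provided`
    generators start, under a simple beta-factor approximation.

    A common cause event (probability beta * p_fail) fails all units.
    Otherwise each unit fails independently with (1 - beta) * p_fail.
    """
    if not 1 <= required <= provided:
        raise ValueError("need 1 <= required <= provided")
    if not (0.0 <= p_fail <= 1.0 and 0.0 <= beta <= 1.0):
        raise ValueError("p_fail and beta must lie in [0, 1]")

    p_common = beta * p_fail
    p_indep = (1.0 - beta) * p_fail
    tolerable = provided - required  # failures the system can absorb

    # Binomial tail: more independent failures than the system tolerates.
    p_too_many = sum(
        comb(provided, failed)
        * p_indep ** failed
        * (1.0 - p_indep) ** (provided - failed)
        for failed in range(tolerable + 1, provided + 1)
    )
    return p_common + (1.0 - p_common) * p_too_many


def blackout_frequency(required, provided,
                       loop_frequency=LOOP_FREQUENCY_PER_SITE_YEAR,
                       p_fail=EDG_FAILURE_PER_DEMAND,
                       beta=ASSUMED_BETA):
    """Station blackout onsets per site-year: each loss of offsite power
    is one demand on the emergency AC power system."""
    return loop_frequency * k_of_n_unavailability(
        required, provided, p_fail, beta)


def compare_configurations(configs, beta=ASSUMED_BETA):
    """Map 'required/provided' labels to per-demand unavailability."""
    return {
        f"{required}/{provided}": k_of_n_unavailability(
            required, provided, EDG_FAILURE_PER_DEMAND, beta)
        for required, provided in configs
    }


if __name__ == "__main__":
    # Success criteria of the kind used in the report for one-unit
    # and shared two-unit sites.
    configs = [(1, 2), (1, 3), (1, 4), (2, 3), (2, 4), (2, 5), (3, 5)]
    with_cc = compare_configurations(configs)
    without_cc = compare_configurations(configs, beta=0.0)
    print("config  independent  with common cause  blackouts/site-year")
    for required, provided in configs:
        label = f"{required}/{provided}"
        freq = blackout_frequency(required, provided)
        print(f"{label:>6}  {without_cc[label]:11.2e}  "
              f"{with_cc[label]:17.2e}  {freq:19.2e}")
```

With the assumed beta, the 1/2 configuration comes out near 10^-3 per demand, the same order as the typical two-division unavailability quoted in the summary, while with beta = 0 it is 4 x 10^-4, which shows how much of the system figure common cause failures can account for.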

Figure 4.1 Simplified 1-of-2 onsite AC power distribution system

Figure 4.2 Onsite power system functional block diagram (blocks include emergency bus, sequencer, preferred power, output breaker, DC, ESFAS*, diesel generator, fuel oil, exciter, cooling, voltage regulator, lube oil, start system, scavenging, governor, exhaust, shutdown)
*ESFAS = engineered safety feature actuation system

The emergency AC power configurations that exist in the U.S. have been identified as follows:

(1) Emergency AC power supplies dedicated to one unit
    1/2
    1/3
    1/4
    2/4

(2) Emergency AC power supplies shared between two units
    1/2
    2/3
    2/4
    2/5
    3/5

(3) Emergency AC power supplies shared between three units
    3/8

Although a closer review of emergency AC power supply requirements may produce some variations on these configurations, they represent a wide variety in system success criteria for reliability evaluations.

The design variability of emergency AC power systems is further complicated by dependencies on certain support systems that, by themselves, have a multitude of designs. These support systems include cooling systems (air or water), DC power, and heating, ventilation, and air conditioning (HVAC) systems. Moreover, maintenance and testing activities vary considerably, which can affect the reliability of the emergency AC power system.

Emergency AC power systems can be considered in two separate parts: power supplies and the power distribution system. In general it has been found that the individual components of the emergency AC power distribution system from the safety (switchgear) buses to the safety components are not significant contributors to the unavailability of AC power in regard to the station blackout issue. This statement is true because many independent, separate, and diverse distribution system components must fail to cause loss of all AC power to the safety systems. Although fires and earthquakes have the potential to cause such distribution system failures, these hazards have been studied as separate safety issues, and were not systematically assessed as part of the station blackout issue.

Substantial operating experience data were investigated to identify and estimate important reliability characteristics of emergency diesel generators (NUREG/CR-2989). Diesel generator reliability performance information was collected from 45 nuclear power plants with 86 diesel generators. A summary of the emergency diesel generator statistical data collected is provided in Table 4.1. In addition, information regarding diesel generator outages and downtime was obtained from responses to TMI Action Plan (NUREG-0737) items from licensees of plants with 58 diesel generators, and more than 1500 licensee event reports (LERs) covering the 5-year period from 1976 through 1980 were reviewed for failure information. Analysis of this operating experience showed that, on the average, diesel generators failed to start, load, or continue running approximately 2 times out of every 100 demands. It was also observed that during the actual loss-of-offsite-power events through 1983 there were 19 instances in which one or more diesel generators failed, operated in a degraded condition, or were otherwise unavailable. During most of these events, the degraded diesel generators were able to meet minimum performance requirements, and failed units were promptly restored to an operable condition. And, from 1976 through 1982, there were 45 multiple diesel generator outages identified, of which 11 were classified as common cause failures.

Figure 4.3 provides histograms of emergency diesel generator failures on demand for 1976 through 1982. Although the average failure on demand observed is about 2 x 10^-2, there is a significant spread from the highest to the lowest demand failure rate. The average failure rate and range have not changed substantially during this period. A review of the data has not identified any particular type of failure as the most dominant. At least in part, the reasons for this are (1) there are several different types of diesel generators, with different support and auxiliary system designs, operating at nuclear power plants, and

Table 4.1 Diesel generator start attempts and failures for tests and actual demands*

Start attempt             No. of    No. of     Failures     No. of auto-     Auto-start failures   Unavailable   Unavailability
category                  demands   failures   per demand   start failures   per demand
Test                      13,665    253        0.019        55               0.004                 ---           0.006
Loss of offsite power**   100       5          0.05         3                0.03                  3             0.03
All emergency demands     539       14         0.026        5                0.009                 3             0.006

Failure to run: 2.4 x 10^[illegible]/hr***

  * Summarizing the responses to diesel generator reliability questionnaires based on 45 nuclear power plants, with 86 diesel generators, for operating years 1976 through 1980.
 ** Updated from data reported in NUREG/CR-2989.
*** Based on 314 attempts at scheduled run time of 6 hours or more with 9 failures to run during these attempts.


[Figure 4.3 Histograms showing emergency diesel generator failure on demand for 1976 through 1982. Panels: 1976, 1977, 1978, 1979, 1980, 1981, 1982.]

(2) maintenance and test activities are not standardized within the nuclear industry. Figure 4.4 shows the percentage contribution of failure by subsystem. In general, sufficient information was not available to add high confidence to the correlation of root failure causes with specific design and operational factors. The data indicate that approximately 80% of the failures are the result of hardware-related problems and 20% are the result of human error. These statements are not meant to imply that any one particular diesel generator is susceptible to all possible failure modes with equal importance. It is more likely that a few specific defects may exist, and if these are not discovered and corrected, failures may occur.

The failures observed can be classified into three general types:

(1) design and hardware failures related to mechanical integrity or various failure modes in the diesel generator subsystems, such as fuel, cooling, starting, and actuation

(2) operation and maintenance errors related to the correctness and adequacy of procedures or training, and human factors including the potential for errors of commission and omission

(3) failures that occur in support systems, or at interfaces with support systems and other systems, that can involve DC control power, service (or raw) water cooling, environmental control (air temperature and quality), and interface with the normal AC power system

Multiple diesel generator failures can occur when a fault or degradation exists involving a common factor or dependency for two or more diesel generators. Multiple failures may also occur as a result of design and operating deficiencies similar to those previously mentioned, but in this case degradation or failure occurs concurrently in multiple diesel units. For instance, a defective crankshaft design may be such that mechanical failure is highly likely to occur after a certain amount of usage. If two or more diesel generators reach that usage level at nearly the same time, concurrent failures may result. As another example, defective maintenance procedures and training could result in human errors causing failure or simultaneous outages of two or more diesel units.

[Figure 4.4 Failure contribution by diesel generator subsystem. Bar chart by subsystem; legend: 1976-80, 1981-82.]

Another type of common cause failure is related to the existence of single-point vulnerabilities. Examples include a check valve in a header of a cooling water supply, the unrecognized dependence on an obscure single control circuit or element, and the use of common fuel supplies and containers. Finally, common cause failures can be related to commonality of location with regard to environmental conditions for which adequate protection is not provided. These conditions can include fire, flood, dust, corrosive elements in the air, or temperature and humidity extremes.

In assessing the reliability of emergency AC power systems, consideration was given to the failure modes, causes, and failure rates derived from the operational data. Reliability analyses performed by Oak Ridge National Laboratory (ORNL) for 18 nuclear power plant AC power configurations and the plant-specific failure data were applied to derive typical system unavailability estimates. Figure 4.5 shows a histogram of the onsite AC power results for the 18 plants studied. The results of this work, summarized in Table 4.2, show the diesel generator configuration studied, the calculated range of unavailability on demand, and the dominant failure causes for each group analyzed. Not surprisingly, for the least redundant system configuration, the independent diesel generator failure likelihood is the most dominant failure factor. As system redundancy is increased, common cause failures become more important. Common cause failures involving hardware failure, human error, and dependent system failures were found to be important.

Although, for the most part, power supply outages resulting from testing and maintenance were not found to be large contributors to system unavailability, a few cases were identified in which extensive maintenance outages could cause significant system unavailability. The quality of test and maintenance procedures, however, can be an important factor affecting system reliability. Lower than average human-error-related diesel generator failures were observed when procedures were clearly written and had a sufficient level of detail, including complete check lists so operations personnel could verify that normal values were properly indicated after maintenance.

[Figure 4.5 Onsite AC system unavailability for 18 plants studied in NUREG/CR-2989. Histogram; x-axis: unavailability.]

Table 4.2 Results of onsite power system reliability analysis reported in NUREG/CR-2989

Diesel generator   Range of system unavailability                   Dominant failure causes
configuration      per demand
2 of 3             4.2 x 10^-3 to 4.8 x 10^-2                       Independent diesel failure; human error CCF*.
1 of 2             1.1 x 10^-3 to 6.8 x 10^-3                       Independent diesel failure; human error CCF*. T&M** outages.
2 of 4             3.7 x 10^-4 to 1.7 x 10^-3                       Human error and hardware CCF*.
1 of 3             1.8 x 10^-4 to 7.2 x 10^-4                       Human error, hardware, and service water CCF; independent diesel failure; DC power CCF*.
2 of 5             1.4 x 10^[illegible] to 2.5 x 10^[illegible]     Human error, hardware, service water, and DC power CCF*.

 *CCF = common cause failures
**T&M = test and maintenance

The impact of dependent systems (such as service water cooling and direct current (DC) power) on the reliability of the emergency AC power system varies from plant to plant. The ORNL analyses did not go into detail on the reliability of those support systems. However, failures of dependent systems that affect the emergency AC power system seem to be dominated by single-point passive failures or human error. A highly unreliable support system can cause a highly unreliable AC power system.

Because these support and auxiliary systems also tend to be important for the operation of decay heat removal systems--and to some extent for the supply of normal AC power from the offsite power sources--single-point vulnerabilities and human error failures in these systems have added importance.

Another potentially important reliability parameter involves the likelihood of a failed power supply (diesel) being restored to an operable state during a loss-of-AC-power transient. A histogram based on emergency diesel generator repair times following a failure is provided in Figure 4.6. The median repair time is approximately 8 hours. These data represent an aggregate for all types of failure modes, and, for the most part, they represent repair times during nonemergencies. Primarily these failures occurred during plant operation, but some occurred during plant shutdown.

It is difficult to determine whether these data overestimate or underestimate the diesel generator repair time anticipated during an emergency. There are reasons to believe that these data overestimate the time required to repair a failed diesel generator during a station blackout. Because the typical limiting condition for operation (LCO) for a single diesel generator out of service is 72 hours or more, there is no urgency to restore a failed diesel generator as quickly as would be the case during a loss of all AC power. In addition, the LCO may not have been in force if the plant were shut down when a test failure occurred, which would also have lessened the urgency for repair. Moreover, if a failure did occur when alternate AC power sources were available, it might be seen as an opportune time to perform other routine maintenance on the failed diesel generator.

Conversely, the repair time could be underestimated by virtue of the confusion that could occur during a station blackout event. Under stress, human error is usually higher than it is under normal conditions. The diesel failure problem would have to be diagnosed, needed equipment would have to be obtained, and correct repair procedures would have to be followed; all this would have to be done under time constraints and pressure, without AC power available. Also, maintenance and operations personnel resources would be divided between activities for restoring both offsite and emergency power supplies.

[Figure 4.6 Percentage of emergency diesel generator failures repaired vs. time since failure. x-axis: time since diesel generator failure (hours). Source: NUREG/CR-2989]

In addition to conducting the plant-specific analyses, ORNL constructed generic models for different emergency AC power configurations. These generic models were used to estimate system reliability as a function of the important characteristics identified in the plant-specific analyses. Typical system dependencies and nominal values for common cause failures and procedural errors were assumed in the models, and sensitivity analyses were performed to determine the importance of all the factors considered. Overall, the most important factors tended to be system redundancy and the reliability of emergency diesel generators on demand. Not surprisingly, it was found that common cause failure is most important in highly redundant system configurations with highly reliable (for independent failure causes) diesel generators.

Based on these considerations, the NRC staff performed additional analyses of emergency AC power system reliability to extend the quantitative results and further explore the sensitivities. Figure 4.7 shows the effect of varying emergency diesel generator reliability on emergency AC power system reliability for several configurations both with and without common cause failure. The sensitivities of system reliability estimates on variations in diesel generator running reliability are shown in Figure 4.8. Additional results, parametric analyses, and details of the analytical model are provided in Appendix B.
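The sensitivity described above (system unavailability against per-diesel failure on demand, for several success criteria, with and without common cause failure) can be sketched with a small model. This is an added example, not the Appendix B model or ORNL's: it assumes a binomial k-of-n model with a beta-factor common cause term, and the beta value of 0.05, the swept failure probabilities other than the 2 x 10^-2 average quoted in the text, and all function names are assumptions.

```python
"""Added example: k-of-n emergency AC unavailability with a beta-factor term.

Assumed here (not taken from NUREG-1032): the beta-factor model, BETA = 0.05,
the sweep values, and every function name. Taken from the text: the
required/provided success-criterion notation and the average diesel failure
on demand of about 2 x 10^-2.
"""
from math import comb

Q_AVERAGE = 0.02  # per-diesel failure on demand (average reported in the text)
BETA = 0.05       # ASSUMED fraction of a diesel's failures shared by all diesels


def parse_criterion(text):
    """Turn a success criterion such as '2/4' into (required, provided)."""
    required_s, sep, provided_s = text.partition("/")
    if not sep:
        raise ValueError(f"not a required/provided criterion: {text!r}")
    required, provided = int(required_s), int(provided_s)
    if not 1 <= required <= provided:
        raise ValueError(f"need 1 <= required <= provided, got {text!r}")
    return required, provided


def independent_unavailability(required, provided, q):
    """P(fewer than `required` of `provided` diesels respond), independent failures."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a probability")
    min_failures = provided - required + 1  # fewest failed units that defeat the system
    return sum(
        comb(provided, j) * q**j * (1.0 - q) ** (provided - j)
        for j in range(min_failures, provided + 1)
    )


def system_unavailability(required, provided, q, beta=0.0):
    """Beta-factor model: beta*q fails every diesel at once, the rest is independent."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be between 0 and 1")
    q_common = beta * q
    q_indep = (1.0 - beta) * q
    return q_common + (1.0 - q_common) * independent_unavailability(
        required, provided, q_indep
    )


def common_cause_share(required, provided, q, beta):
    """Fraction of the system unavailability that comes from the shared cause."""
    total = system_unavailability(required, provided, q, beta)
    return (beta * q) / total if total > 0.0 else 0.0


def sensitivity_table(criteria, q_values, beta):
    """Rows of (criterion, q, unavailability without CCF, with CCF, CCF share)."""
    rows = []
    for text in criteria:
        required, provided = parse_criterion(text)
        for q in q_values:
            rows.append((
                text,
                q,
                system_unavailability(required, provided, q),
                system_unavailability(required, provided, q, beta),
                common_cause_share(required, provided, q, beta),
            ))
    return rows


if __name__ == "__main__":
    configurations = ["1/2", "2/3", "1/3", "2/4", "2/5"]  # criteria listed in the text
    sweep = [0.01, Q_AVERAGE, 0.05, 0.10]                 # constructed sweep values
    print(f"{'config':<8}{'q':>6}{'no CCF':>12}{'with CCF':>12}{'CCF share':>11}")
    for name, q, no_ccf, with_ccf, share in sensitivity_table(configurations, sweep, BETA):
        print(f"{name:<8}{q:>6.2f}{no_ccf:>12.2e}{with_ccf:>12.2e}{share:>11.0%}")
```

With the assumed beta, the 1/3 result stays close to beta times q however reliable the individual diesels are, which matches the finding that common cause failure matters most in highly redundant configurations.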
Thus, on the basis of a review of operating experience and reliability analyses, the following factors have been identified as being the largest contributors to AC power system availability:

(1) the configuration of the diesel generators in terms of the number available and the number required for shutdown cooling

[Plot; axis label: emergency AC power unavailability]
                       ! s                .g                                                                                                       6                                                    i                                             e e /* i                                                                                                                      l                      .

l g ~~ y j s s Ns

                    !        -l                                                                                                                  1                     !                             ;
                                                                                                                                                                                                                                                  }                                                                        .
                    > t!                                                                                                                        I                     i                              i                                            .
y i **

em SE'IM W N WI

  • M 9 7%  % e e , M .* h .6 gl W D W ces e. m 3
                                                                                        .e             e.
                                                                                                                                             *= ee                  y       'e                                                                           _                ..
m. _

H-17

(2) the reliability of diesel generators or other power sources used in the emergency AC power system

(3) the dependence of the AC power system on support or auxiliary systems used for actuation, control, or cooling

(4) the vulnerability of the AC power system to common cause failure as a result of various design, human error, and internal or external environmental hazards

In general, it has been observed that problems with onsite emergency AC power systems are very plant-specific, and improvement in system reliability would have to be developed on a plant-by-plant basis.

NUREG-1032 4-18

5 STATION BLACKOUT FREQUENCY AND DURATION

There have been several incidents at nuclear power plants that could be classified as precursors to station blackout. In fact, there have been a few cases in which loss of offsite and emergency AC power supplies occurred simultaneously. However, none of these events progressed to be a significant safety concern. Many of these incidents occurred when plants were shut down or during refueling, when station blackout concerns are much reduced and the LCOs--in terms of numbers of offsite and emergency AC power supplies available--are reduced.

The lack of a significant number of station blackout events is not surprising when one considers past frequency of loss-of-offsite-power events and the reliability record of emergency AC power systems. As a result, it has been necessary to estimate station blackout frequency by combining loss-of-offsite-power-event frequency and duration correlations with the emergency AC power reliability models. (Appendix B describes the methods used to derive station blackout frequency and duration estimates.)

Figures 5.1 through 5.3 give the results of sensitivity analyses performed to determine the effect of design, location, and emergency AC power supplies reliability. Specifically, Figure 5.1 shows the effect of site location and offsite power system design as represented by offsite power clusters 2, [illegible], [illegible], and [illegible]. (These clusters are defined in Section 3 and Appendix A.) These clusters were combined with a typical, two-diesel generator, emergency AC power system with a diesel generator reliability of 0.975. Cluster [illegible] is a close representation of the average of nuclear operating experience with regard to the frequency and duration of loss-of-offsite-power events. Cluster 2 represents sites with relatively high severe weather hazards and susceptibility to failure from those hazards. Cluster 3 has slightly lower severe weather hazards than cluster [illegible].
Cluster [illegible] represents the combination of the more reliable offsite power design features and sites with low severe weather hazards or low susceptibility to severe weather hazards. The estimated frequency of longer duration station blackouts is dependent on the likelihood of the more damaging and extensive losses of offsite power for which severe weather hazards have been identified as a principal contributor. (Note: Seismically induced loss of offsite power has not been included but could be accounted for through a hazard evaluation and fragility analysis; this consideration is discussed in Section 9.)

Figure 5.2 shows the effect of variations in emergency diesel generator reliability for the typical offsite system (cluster [illegible]) and emergency AC power system (1/2 configuration). The largest change in frequency per percentile change in diesel generator reliability is obtained when reliability levels are lowest (0.9). This is somewhat of an artifact of the model in which common cause failure rates are kept constant. If there were no common cause failure contributions, or if common cause failure were correlated with the independent failure rate of diesel generators (and it may be), the frequency reduction could be proportional to the square of the percentile change in diesel reliability for the configuration analyzed.

Figure 5.3 shows the effect of emergency AC power configuration and success criteria on station blackout frequency, using a diesel generator reliability of 0.975 and a generic common cause failure rate. Again the effect of common cause failures on system reliability is to reduce the difference between the [illegible] configurations that would be expected from simple redundancy considerations.

The results of the station blackout analysis show that there is a potential for wide variation in frequency and duration, depending on location, design, and reliability. (Additional results are in Appendix B.)
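The sensitivity argument above can be checked numerically. The following Python code is an added example, not taken from NUREG-1032 or its Appendix B: it assumes a simplified model in which diesel failures are independent apart from a constant common cause term that fails all units, reads "1/2" as one of two diesels required, and uses constructed values for the loss-of-offsite-power frequency (0.1 per year) and the common cause probability (1e-3).

```python
"""Added illustration (not from NUREG-1032): effect of a constant common cause
term on station blackout frequency for k-of-n diesel generator configurations."""
from math import comb

# Constructed values, chosen only for illustration (not from the report).
LOOP_PER_YEAR = 0.1      # assumed loss-of-offsite-power frequency
COMMON_CAUSE = 1.0e-3    # assumed probability that one cause fails all diesels


def independent_failure(n, k_required, reliability):
    """Probability that fewer than k_required of n diesels work, assuming
    each diesel works independently with probability `reliability`."""
    q = 1.0 - reliability
    return sum(
        comb(n, working) * reliability**working * q**(n - working)
        for working in range(k_required)
    )


def eac_unavailability(n, k_required, reliability, common_cause=0.0):
    """Emergency AC failure probability on demand: either the common cause
    event occurs, or it does not and independent failures defeat the system."""
    return common_cause + (1.0 - common_cause) * independent_failure(
        n, k_required, reliability)


def blackout_frequency(n, k_required, reliability, common_cause=0.0,
                       loop_per_year=LOOP_PER_YEAR):
    """Station blackout frequency per year (blackout duration is ignored here)."""
    return loop_per_year * eac_unavailability(
        n, k_required, reliability, common_cause)


def improvement_factor(r_before, r_after, n=2, k_required=1, common_cause=0.0):
    """Factor by which blackout frequency drops when diesel reliability improves."""
    return (blackout_frequency(n, k_required, r_before, common_cause)
            / blackout_frequency(n, k_required, r_after, common_cause))


def configuration_spread(reliability, common_cause=0.0):
    """Ratio of blackout frequency for a 2/3 success criterion to a 1/3 one
    (both configurations are assumed examples, not read from Figure 5.3)."""
    return (blackout_frequency(3, 2, reliability, common_cause)
            / blackout_frequency(3, 1, reliability, common_cause))


if __name__ == "__main__":
    for cc in (0.0, COMMON_CAUSE):
        print(f"common cause term = {cc}")
        for before, after in ((0.90, 0.95), (0.95, 0.975)):
            factor = improvement_factor(before, after, common_cause=cc)
            print(f"  1/2 config, R {before} -> {after}: "
                  f"frequency drops by a factor of {factor:.2f}")
        spread = configuration_spread(0.975, cc)
        print(f"  2/3 vs 1/3 at R = 0.975: factor of {spread:.1f}")
```

With no common cause term, each halving of the diesel failure probability cuts the frequency by a factor of 4; with the constant term, the gain is largest at the low-reliability end and the gap between configurations shrinks from about 118 to about 2.8.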


6 ABILITY TO COPE WITH A STATION BLACKOUT

Station blackout is a serious concern because it has a large effect on the availability of systems for removing decay heat. In both PWRs and BWRs, a substantial number of systems normally used to cool the reactor are lost when AC power is not available. A loss of offsite power will usually result in the unavailability of the power conversion system and, in particular, an inability to operate the main feedwater system. Power to reactor coolant system recirculation pumps will also be lost, requiring that natural circulation be used for cooling to shutdown conditions. When the loss of offsite power is compounded by a loss of the emergency AC power supplies, reactor core cooling and decay heat removal must be accomplished by a limited set of systems that are steam driven, passive, or have other dedicated (or alternate) sources of power. Unless special provisions are made, the plant will have to be maintained in a "hot" mode (hot shutdown or possibly hot standby) until AC power is restored. Table 6.1 lists which functions and systems for PWRs and BWRs would be lost and which would remain available during a station blackout event. Decay heat can be removed successfully, using the AC-independent systems identified, for a limited time, depending on functional capabilities, capacities, and procedural adequacy.

For PWRs, decay heat can be removed by use of a steam-driven or dedicated diesel-driven train of the auxiliary feedwater system (AFWS). Decay heat would be rejected to the environment by the atmospheric dump valves (ADVs) or, if necessary, by the steam generator relief valves. Because residual heat removal systems, reactor coolant make-up systems, and systems to control reactivity through boration would be inoperable, the plant must be maintained in a hot condition. The plant's operating state (primary coolant pressure and temperature) would be maintained by manual operation of the AFWS and atmospheric steam dump valves. With primary coolant pumps unavailable, reactor core cooling would be achieved through natural circulation. If the AFWS can remain operable, and if primary coolant inventory can be maintained at a level adequate to maintain the core cooling/heat transport

Table 6.1 Effects of station blackout on plant decay heat removal functions

Plant type: PWR
  Functions (systems) remaining:
    Shutdown heat removal (steam-driven AFWS, ADVs)
    Instrumentation and control (DC power/converted AC power, compressed air reservoir)
  Functions (systems) lost:
    Shutdown heat removal (motor-driven AFWS)
    Long-term heat removal (RHR)
    Reactivity control (chemical volume and control system)
    RCS makeup (high pressure injection system)
    Pressure and temperature control (pressurizer heaters/spray and pilot-operated relief valves)
    Support systems (service/component cooling water systems, HVAC, station air compressors)

Plant type: BWR, 2/3
  Functions (systems) remaining:
    Shutdown heat removal (isolation condenser, fire water system)
    Instrumentation and control (DC power/converted AC power, compressed air reservoirs)
  Functions (systems) lost:
    Long-term heat removal (RHR)
    Reactor coolant system makeup (low pressure core spray system, feedwater coolant injection system)
    Support systems (service/component cooling water systems, HVAC, station air compressors)

Plant type: BWR, 4-6
  Functions (systems) remaining:
    Shutdown heat removal and reactor coolant system makeup (HPCI or HPCS/RCIC systems)
    Instrumentation and control (DC power/converted AC power, compressed air reservoirs)
  Functions (systems) lost:
    Long-term heat removal (shutdown cooling system, low pressure coolant recirculation system, suppression pool cooling system)
    Support systems (service/component cooling water systems, HVAC, station air compressors)

loop to the steam generators, a PWR should be able to stay in this mode of decay heat removal for a substantial period of time.

The amount of time that decay heat removal can be maintained in a PWR is generally limited by primary pressure boundary leakage and the capacity of certain support or auxiliary systems. The sources of potential leakage include reactor coolant pump seals, unisolated letdown lines, and a stuck-open pilot-operated relief valve (PORV). With provisions for manual isolation of letdown lines and reduced frequency of PORV demands, the reactor coolant pump seal leakage rate is considered to be a potentially limiting factor for some designs. If the leakage rate is low (on the order of several gallons per minute) this concern is negligible. However, if seal leakage is on the order of 100 gpm or more, reactor coolant system inventory depletion will be a factor limiting decay heat removal for an extended period of time.

Natural circulation cooldown in PWRs has been successfully demonstrated in actual operating experience. The process becomes more difficult with AC power unavailable because reactor coolant makeup systems to accommodate system age and pressurizer heaters or sprays to help control primary system coolant conditions are inoperable. Nevertheless, analytical evaluations (Fletcher, 1981) and experimental observations (Adams et al., 1983) show that decay heat removal can be achieved with the operational limitations associated with a station blackout. In fact, core cooling is expected to preclude core melting even with significant voiding in the primary coolant system if the steam generator is maintained as a heat sink.
To assess station blackout, BWRs have been divided into two functionally different classes: (1) those that use an isolation condenser cooling system for decay heat removal and do not have a makeup capability independent of AC power (BWR-2 and -3 designs), and (2) those with a reactor core isolation cooling (RCIC) system and either a steam-turbine-driven high pressure coolant injection (HPCI) system or high pressure core spray (HPCS) system with a dedicated diesel, any of which is adequate to remove decay heat from the core and control water conditions in the reactor vessel (BWR-4, -5, and -6 designs). Because BWRs are designed as natural circulation reactors, at least at reduced power levels, the loss of reactor coolant recirculation poses no special consideration. Moreover,

reactivity control during cooldown is adequately maintained by control rod insertion, an action that would occur automatically on loss of all AC power.

The isolation condenser BWR has functional characteristics somewhat like that of a PWR during a station blackout in that normal makeup to the reactor coolant system is lost along with the residual heat removal (RHR) system. The isolation condenser is essentially a passive system that is actuated by opening a condensate return valve; it transfers decay heat by natural circulation. The shell-side of the condenser is supplied with water from a diesel-driven pump. However, replenishment of the existing reservoir of water in the isolation condenser is not required until 1 or 2 hours after actuation. It may also be possible to remove decay heat from this class of BWRs by depressurizing the primary system and using a special connection for a fire water pump to provide reactor coolant makeup. This alternative would require much greater operator involvement. Some BWR-3 designs have added an RCIC system, giving makeup capability to the AC power-independent decay heat removal capability of the isolation condenser cooling system.

A large source of uncontrolled primary coolant leakage will limit the time the isolation condenser cooling system can be effective. If no source of makeup is provided, eventually enough inventory will be lost to uncover the core. A stuck-open relief valve or the reactor coolant recirculation pump seal are potential sources of such leakage. When isolation condenser cooling has been established, the need to maintain the operability of such auxiliary and support systems as DC power and compressed air is less for this type of BWR than it is for the PWR. However, these systems would eventually be needed to recover from the transient.
BWRs with RCIC and HPCI or HPCS can establish decay heat removal by discharging steam to the suppression pool through relief valves and by making up lost coolant to the reactor vessel. In these BWR designs, decay heat is not removed to the environment, but is stored in the suppression pool. For this type of BWR design, long-term heat removal in the form of suppression pool cooling or residual heat removal using low pressure coolant injection and recirculation heat transport loops is lost during a station blackout. The time that the plant can be maintained in a safe condition without AC power recovery is determined, in part, by the maximum suppression pool temperature for which successful operation of decay heat removal systems can be ensured both during a station blackout event and when AC power is recovered. At high suppression pool temperatures (around 200°F), unstable condensation loads may cause loss of containment suppression pool integrity. Another suppression pool temperature limitation to be considered is the qualification temperature on the RCIC or HPCI pumps to be used during recirculation. Suppression pool temperatures may also be limited by net positive suction head (NPSH) requirements for pumps in systems required to effect recovery once AC power is restored.

In general, all light-water reactor (LWR) designs include the ability to remove decay heat for some period of time. The time depends on the capabilities and capacities of support systems, such as the quantity and availability of water required for decay heat rejection, the capacity of DC power supplies and compressed air reservoirs, and the potential degradation of components as a result of environmental conditions that arise when heating, ventilation, and air conditioning (HVAC) systems are not operating. System capabilities and capacities are normally set so the system can provide its safety function during the spectrum of design-basis accidents and anticipated operational transients, which does not include station blackout.

Perhaps the most important support system for both PWRs and BWRs is the DC power supply. During a station blackout, unless special emergency systems are provided, battery charging capability is lost. Therefore, the capability of the DC system to provide power needed for instrumentation and control can be a significant time constraint on the ability of a plant to cope with a station blackout. DC power systems are generally designed for a certain capacity in the event of a design-basis accident with battery charging unavailable.
However, the system loads required for decay heat removal during a total loss of AC power are somewhat less than the expected design-basis accident loads on the DC power system. Therefore, most DC power systems in operation today have the capacity to last longer during a station blackout than they would be expected to last during a design-basis accident.

Another important factor in regard to decay heat removal during station blackout is the capacity of the condensate storage tank. Normally, this tank contains a sufficient amount of water to cool the reactor until the RHR system can be placed in operation. Because the RHR system is not available when all AC power is lost, the ability to cope with station blackout is a function of the condensate storage tank capacity. The ability to provide makeup to the condensate storage tank with systems and/or components that are independent of station AC power would extend this potentially limiting factor.

Also, during a station blackout, there may be need to operate some pneumatic valves, such as the steam relief valve. Because AC power is not available, the station air compressors will be lost. For this reason, local air reservoirs are normally provided to permit the valves to be operated for a limited number of cycles. After the air supply is exhausted, these valves may have to be operated manually by the operations staff, or additional portable air tanks would have to be connected.

During a station blackout, normal plant HVAC would be unavailable. The equipment needed to operate during a station blackout and that required for recovery from a station blackout would have to operate in environmental conditions (e.g., temperature, pressure, humidity) that could occur as a result of the blackout. Otherwise, failures of necessary equipment could lead to loss of core cooling and decay heat removal during the blackout or failure to recover from the event when AC power is restored. The instrumentation and control elements of components required during station blackout are the most likely to be impacted by adverse environments. However, only limited equipment in the control room would have to be operable, thus limiting equipment generated heat loads in that location. The same would be true for equipment in auxiliary buildings and inside containment, although sensible heat from preexisting sources could be considerable. For control rooms and auxiliary buildings, opening doors should allow enough heat to escape to maintain equipment in an acceptable operating environment. Temperature sensitive equipment located in normally enclosed cabinets that rely on HVAC systems to remove heat generated during normal operation could be subject to failure or degradation unless ventilation is provided. Most equipment in containment is designed to function in the more limiting environment associated with a design-basis loss-of-coolant accident, and therefore, could be expected to function during a station blackout.

Table 6.2 summarizes the design-related factors that have been identified as potentially limiting the capability of LWRs to cope with a station blackout.

Actions necessary to operate systems that are needed to establish and maintain decay heat removal and fully recover from a station blackout would not be routine. The operator would have somewhat less information and operational flexibility than is normally available during most other transients requiring reactor cooldown. On the other hand, the loss of all AC power is an easily diagnosed occurrence, although it is not always easily corrected. Operational staff activities would have to be directed at both reactor decay heat removal requirements and the restoration of AC power. These activities would include manual operations within the control room to control the rate of core decay heat removal and special operations outside the control room. The latter would include repairing failed components, isolating sources of reactor coolant leakage, conserving DC power through load stripping, making available alternate makeup water supplies, hooking up compressed air bottles, and possibly starting local manual operation of some components. The success of these activities would require preplanning, training, and procedures. In addition, adequate lighting and communication would be required. Where local access is necessary, security and working environment (pressure, temperature, humidity, and radiation) could be limiting factors.

In PWRs, operators must control the rate at which the AFWS removes heat from the steam generators to maintain the proper pressure and temperature balance within the primary coolant system. This balance then allows adequate natural circulation and the maintenance of adequate water level in the pressurizer. Although analytical and experimental evidence suggests that natural circulation and adequate decay heat removal can be maintained when pressurizer level is lost (and, in fact, when a two phase flow mixture exists in the reactor coolant system up to the point the reactor core is uncovered), these conditions would complicate the recovery process and add to the difficulty of operator recovery actions.

In BWRs, the isolation condenser appears to need less operator attention. However, operators would have to ensure that automatic depressurization does

Table 6.2 Possible factors limiting the ability to cope with a station blackout event

Type of plant: PWR; BWR 2/3; BWR 4/5/6

Limiting factor
RCS pump seal leakage: X X
RCS letdown/makeup and water chemistry control lines: X X
Stuck-open relief valve: X X
DC battery capacity (instrumentation and control): X X X
Compressed air (valve control): X X X
Decay heat removal water supply (condensate, firewater): X X X
Operating environment (temperature)
  Control room (instrumentation and control): X X X
  Containment (suppression pool, wetwell, drywell): X
  Auxiliary building: X (AFWS room), X (HPCI/RCIC room)

not occur and that the makeup system to the isolation condenser is operating properly within approximately 2 hours of the loss of AC power. In BWRs with HPCI or HPCS and RCIC, the operator must control both pressure and the level of reactor coolant in the vessel. This requires actuation of both makeup and relief systems. In all LWRs, operators would have to be prepared to deal with the effects of the loss and restoration of AC power on plant control and safety system set points to limit additional transient complications and ensure operability of AC powered cooling systems.

7 ACCIDENT SEQUENCE ANALYSES

Accident sequence analyses have been performed to determine the accident progression characteristics (Fletcher, 1981; NUREG/CR-1988, Schultz and Wagoner, 1982; and NUREG/CR-2182) and likelihood (NUREG/CR-3226) of a station blackout. Using fault trees and event trees, these analyses have identified functional and system failure characteristics of accident sequences. Reactor coolant system transient response analyses were used (1) to determine the capability of a plant to cope with station blackout and (2) for potentially important functional failures during a station blackout, to estimate how much time would be available for AC power recovery before core damage and core melt.

Considering the decay heat removal system capability requirements and the associated systems' reliability, failure modes, and failure causes, three phases of a station blackout transient were identified. The first phase includes the need for promptly actuating decay heat removal systems and the potential for a station blackout induced loss-of-coolant accident (LOCA), either of which can result in a loss of core cooling within 1 to 2 hours. The second phase lasts up to approximately 8 to 12 hours and includes operational limitations in the capability of continued decay heat removal considering limited capacities (such as DC power, condensate storage tank) or interactive failure (for example, high temperature effects due to loss of HVAC), and the potential for reactor coolant loss (such as through pump seal leakage). During this period, the running reliability of the system is less important than the successful initial actuation of the AC-independent decay heat removal systems. The third phase involves the need to eventually recover AC power and establish a stable, controllable mode of decay heat removal.

As discussed above, considering the systems and functions available for the different PWR and BWR designs resulted in the development of three event trees for the identification of station blackout accident sequences. Figure 7.1 shows the event tree for PWRs; Figure 7.2 shows it for BWRs that use an isolation condenser; and Figure 7.3 for BWRs that have AC-independent makeup systems (RCIC, HPCS,


Figure 7.2 Generic BWR event tree for station blackout (BWR-2 or 3). Event tree columns span the time phases 0-2 hrs., 2-12 hrs., and >12->24 hrs.; branches are marked success or failure, and sequences end in OK or CD. Source: NUREG/CR-3226

Figure 7.3 Generic BWR event tree for station blackout (BWR-4, 5, or 6). Event tree columns span the time phases 0-2 hrs., 2-12 hrs., and >12->24 hrs.; branches are marked success or failure, and sequences end in OK or CD. Source: NUREG/CR-3226

HPCI). The event trees are characterized not only by the systemic and functional considerations important to station blackout accident sequences, but also by the phases of the transient that would affect the plant response and system operability for station blackouts of various durations. The event trees show the loss of all AC power as the initiating event and proceed through decay heat removal, reactor coolant inventory (integrity), and restoration of AC power to enable operation of the normal decay heat removal and makeup systems. The accident sequence logic is similar for PWRs and those isolation-condenser BWRs that do not have the capability to make up lost reactor coolant during a station blackout. These plants are susceptible to degraded core cooling as a result of relatively small losses of reactor coolant. The accident sequence logic is somewhat different for BWRs with reactor coolant makeup available during a station blackout. Most losses of reactor coolant caused by station blackout can be accommodated by the available reactor coolant injection systems. Reactor coolant loss equivalent to that lost because of a stuck open relief valve can be accommodated by the RCIC systems. The HPCI or HPCS system can provide adequate makeup to cope with larger leaks. All of the LWRs encompassed by the accident logic models are subject to the operational limitations for the longer duration blackouts as described previously in Section 6.

The event trees end with a sequence outcome state designated as "OK," meaning that stable, long-term core cooling is achieved or achievable, or "CD," meaning that an inadequate core cooling state is reached and some reactor core damage can be expected. For the latter case, core damage can be expected to proceed to core melt if effective and timely measures to restore AC power and core cooling are not taken or available. The potential difference between an accident sequence that ends in core damage and one that leads to core melt is determined by evaluating the likelihood of restoring core cooling and the cooling effectiveness from the onset of core damage to the time when irrevocable core melting has begun. This latter time in the accident sequence progression is not well known because there are significant uncertainties in the modeling of core melt phenomena. It has been estimated that the time between the onset of core damage and time that a core melt would penetrate the reactor vessel is on the order of 1 to 3 hours (NUREG/CR-1988, -2128). Considering the low probability that AC power would be restored during this time period and the uncertainty in modeling this accident process, including the ability to terminate a core melt

in progress, it has been assumed that core melt would be the likely final outcome in accident sequences that progress to core damage.

Detailed plant transient response analyses were performed to cover the spectrum of sequences identified in the event trees (NUREG/CR-2181). The purposes of this work were (1) to better understand accident progression characteristics related to the timing of events and physical parameter values during the transient, and (2) to determine success states for systems, trains, components, and operator actions during station blackout sequences. The sequences were divided into three groups:

(1) failure of AC-independent decay heat removal with reactor coolant leakage less than Technical Specification upper limits

(2) failure of reactor coolant system integrity (liquid or steam leaks) with AC-independent decay heat removal systems operable

(3) failure of AC-independent decay heat removal systems with loss of reactor coolant system integrity

Variations in system failure and actuation time, reactor coolant leak rate, and operator actions were analyzed to determine both the potential for sequence outcomes with adequate (or inadequate) core cooling and the time in which AC power must be recovered to avoid core damage.

Table 7.1 shows the estimated time of core uncovery for station blackout sequences with AC-independent decay heat removal systems not available. Plants with Babcock and Wilcox (B&W)-type nuclear steam supply systems (NSSS), which have a small steam generator secondary water inventory and, thus, the smallest heat capacity, would require the most prompt recovery to avoid core damage for this particular sequence. For these plants, core uncovery was estimated to occur within 1 hour. For plants with Westinghouse or Combustion-Engineering NSSS designs, core uncovery would take about 2 hours, as it would for a BWR-4 plant. Figure 7.4 shows how the core uncovery time is extended for sequences in which decay heat removal is initially successful but fails later during the accident. Estimates of the time core uncovery would take with a stuck open

Table 7.1 Estimated time to uncover core for station blackout sequences with initial failure of AC-independent decay heat removal systems and/or reactor coolant leaks

Sequence                                   Core uncovery time (seconds)

PWRs                                       B&W      CE      W
AFW failure                                2715     6200    5800
Stuck-open PORV                            3190     -       5040
100 gpm total leak rate from reactor
  coolant pump seals                       21070    -       27950
AFW failure and stuck-open PORV            2480     -       4800

BWRs                                       GE
HPCI/RCIC failure                          2300
HPCI/RCIC failure and stuck-open SRV       1680

Source: Fletcher, 1981

Figure 7.4 Time to core uncovery as a function of time at which turbine-driven auxiliary feedwater train fails. Curves are shown for Westinghouse and B&W plants against the time of failure of turbine-driven AFW (hours, 0 to 25), assuming loss of offsite power, failure of all diesel generators, technical specification leakage, turbine-driven auxiliary feedwater (AFW) initially operates then fails at a later time. Source: Fletcher, 1981

relief valve and other types of reactor coolant leakage are also provided in Table 7.1. For BWRs with RCIC available (or HPCI or HPCS), adequate reactor coolant makeup is provided to maintain core cooling even with a stuck-open relief valve. The core uncovery time for PWRs would not be significantly shortened if a relief valve sticks open coincident with the loss of the steam turbine-driven train of the AFWS. This is because loss of the AFWS for decay heat removal usually results in primary system pressure relief, which removes decay heat almost equivalent to the energy loss of a stuck-open relief valve with AC-independent decay heat removal available. If a relief valve sticks open in a BWR without RCIC or in cases when the AC-independent decay heat removal systems are unavailable, the core uncovery time would be somewhat shortened.

Complete accident progression analyses have been performed for several key station blackout sequences starting with the loss of offsite power through to core melt and containment failure. A time line presentation of a PWR sequence in which AFWS operation is initially successful but fails several hours into the transient is provided in Figure 7.5. Station blackout occurs at zero hours (t0). After the initial fluctuations in reactor coolant system pressure, core outlet temperature, pressurizer level, core flow, and steam generator level, a relatively stable period of decay heat removal with primary coolant natural circulation follows. When AFW makeup to the steam generator becomes unavailable in about 6 hours (t1), the steam generator level begins to drop, causing decreased heat transport from the primary coolant system. As the steam generator dries out and heat transfer to the secondary system ceases, reactor coolant pressure and core outlet temperature rise. The reactor coolant temperature increase combined with some voiding causes the pressurizer level to rise, and there is relief to the containment. Continued voiding in the primary system affects natural circulation flow, but core cooling is adequate to prevent melting until the core is uncovered (t2) at about 9 hours. At this point, the pressurizer level has dropped because most of the primary system is voided. Within about 2 more hours (t3) the core has melted and penetrated the reactor vessel, causing a containment pressure and temperature spike because of the rapid influx of steam and noncondensable gases from the melt. If containment survives that spike, the continued release of decay heat and the generation of combustible and non-combustible gas will continue to load the containment. Containment failure by overpressure in this sequence occurs about 19 hours into the accident.

Figure 7.5 PWR station blackout accident sequence: delayed failure of AFWS (or DC power depletion). Curves plotted against time (hrs), 0 to 20: reactor coolant system pressure, pressurizer level, core flow, core outlet temperature, steam generator level, containment pressure, containment temperature.

Time    Sequence event
t0      Loss of all AC power
t1      AFWS fails (or DC power depleted)
t2      Core uncovery begins
t3      Reactor vessel penetration
t4      Containment failure

Figure 7.6 shows a BWR station blackout accident sequence progression. In this scenario for a BWR with Mark I containment, station blackout occurs at time zero (t0). The reactor coolant system pressure and level are maintained within limits by RCIC and/or HPCI and relief valve actuations, which also transfers decay heat to the suppression pool. Both the suppression pool and drywell temperature begin to rise slowly; the latter is more affected by natural convection heat transport from the hot metal (vessel and piping) of the primary system. After 1 hour, when AC power restoration is not expected, the operator begins a controlled depressurization of the primary system to about 100 psi. This also causes a reduction in reactor coolant temperature from about 550°F to 350°F, which will reduce the heat load to the drywell as primary system metal components are also cooled. The suppression pool temperature increase is only slightly faster than it would have been without depressurization. Drywell pressure is also slowly increasing. At about 6 hours, DC power supplies are depleted, and HPCI and RCIC are no longer operable. Primary coolant heatup follows, with increases in pressure and level until the safety-relief valve set point is reached. Continued core heatup causes continued release of steam; this eventually depletes the primary coolant inventory to the point that the level falls and the core is uncovered, about 2 hours after loss of makeup (t2). Core temperature then begins to rise rapidly, resulting in core melt and vessel penetration within another 2 or 3 hours (t3). During the core melt phase, containment pressure and temperature rise considerably so that--nearly coincident with vessel penetration--containment failure occurs, either by loss of electrical penetration integrity (shown at t4) or by containment overpressure shortly thereafter, around 11 hours into the accident.

Estimates of the likelihood of these accident sequences were made to identify the potentially dominant contributors to the station blackout accident sequences (NUREG/CR-3226). Table 7.2 summarizes the results for the typical PWR and BWR. These results have been modified to account for better estimates of loss-of-offsite power frequency and duration derived since NUREG/CR-3226 was completed (see Appendix A). In addition to identifying the dominant accident sequences and their likelihoods, the table also shows the major factors affecting the accident sequence frequency. For PWRs, an important contributor to the estimate of the likelihood of core damage is the ability to restore AC power before the DC power needed to run the auxiliary feedwater system is lost or the condensate

Figure 7.6 BWR station blackout accident sequence: RCIC/HPCI available, controlled depressurization. Curves plotted against time (hrs), 0 to 16: reactor vessel pressure, reactor vessel level, core temperature, suppression pool temperature, drywell temperature, drywell pressure.

Time    Sequence event
t0      Loss of all AC power
t1      DC power (batteries) depleted
t2      Core uncovery begins
t3      Reactor vessel penetration
t4      Containment failure

[Table 7.2: rotated table, contents illegible in the scanned source]

storage tank supplies are depleted. Another important contributor is the integrity of the reactor coolant system considering potential leaks from the reactor coolant pump seals following a station blackout. If reactor coolant pump seals leak and there is no way to supply makeup water to the reactor coolant system, the core will be uncovered. If reactor coolant pump seal leakage is large (more than 100 gpm per pump), the core could be uncovered within a few hours. Smaller leak rates (a few gpm per pump) are not a limiting factor. Adequate coolant inventory would be available to allow continued core cooling for a day or more without the need for makeup if other limitations (e.g., DC power) did not exist. The analyses performed for this program (NUREG/CR-3226) showed the reactor core was uncovered in approximately 8 hours, using the reactor coolant seal leakage information currently available (a leak rate of about 10 to 20 gpm per pump).

For BWRs with isolation condensers, a similar dominant failure mode exists. The failure of the DC power system is less important because the isolation condenser system operates passively once it is activated; little operator action is necessary thereafter. However, reactor coolant pump seal failure could cause depletion of reactor coolant inventory and, because the isolation condenser BWR typically does not have an AC power-independent makeup system, the reactor core could be uncovered. This sequence was estimated to result in core damage in about 8 to 12 hours.

BWRs with HPCI and RCIC are capable of coping with reactor coolant system leaks equivalent to that resulting from a stuck-open relief valve. However, they are subject to the effects of DC power depletion and other interactive failures associated with the lack of the ventilation system to maintain HPCI and RCIC room temperature, and suppression pool heat up phenomena that can result in a loss of core cooling in about 8 to 12 hours. For this type of plant, unattenuated suppression pool temperature increases during a station blackout transient can be a problem because of the potential for unstable condensation phenomena. These phenomena could cause containment structural failure, with the potential for subsequent loss of reactor coolant from the suppression pool resulting in loss of recirculation capability. Perhaps more important is the effect that high suppression pool temperature would have on HPCI pumps during recirculation. These pumps are not usually qualified for operation with fluid temperatures in excess of 160°F. In addition, NPSH requirements may not be satisfied if suppression pool temperatures exceed 200°F.

For BWRs with HPCS, which has its own AC and DC power systems, both the effects of depletion of the DC supply and reactor coolant leakage are minimal contributors to sequence core melt probability. However, suppression pool temperature limitations may cause some equipment operability problems during longer duration station blackouts.

In all of the accident sequences evaluated for this program, the early failure of decay heat removal because of the initial unreliability of these systems was a relatively small, but not insignificant, contributor to core melt frequency. This is not surprising, because, since the accident of Three Mile Island Unit 2 (TMI-2), most nuclear power plants have been required to have at least one AC-power-independent decay heat removal train available. However, very little has been done at nuclear power plants to determine the capability and reliability of systems during a sustained loss of AC power. Thus, it is not inconsistent that most of the dominant failure modes that have been identified are associated with the inability to operate decay heat removal systems because of support system failures or capacity limits on support and auxiliary systems needed to maintain decay heat removal during station blackout.

With the consideration of containment failure, station blackout events can represent an important contributor to reactor risk. In general, active containment systems are unavailable during a station blackout event. These systems are usually required for pressure suppression through steam condensation to maintain the containment pressure below the appropriate limits and for the removal of radioactivity from the containment atmosphere following an accident. The time to containment failure after the onset of core damage and the containment failure mode is an important factor in determining fission product release and ultimately public risk.

Table 7.3 summarizes containment failure insights derived from the analyses performed for this program and from a survey of analyses performed for other programs. It shows the different types of containment, the estimated time of containment failure following the onset of core damage, and the containment failure mode. The most recent estimates of containment performance derived from ongoing severe accident research by both NRC (NUREG-0900) and the Industry Degraded Core Rulemaking Program (IDCOR, 1984) may be cause for revision of the

Table 7.3 Containment failure insights

Containment type     Approximate time to containment      Most probable containment
                     failure following onset of           failure modes
                     core damage

Ice condenser        1 hour                               Hydrogen burn, steam spike
                     2 hours                              Overpressure
                     At or following AC recovery*         Hydrogen burn
                     27.5 hours                           See IDCOR, 1984

Subatmospheric       2 hours                              Hydrogen burn, steam spike
                     6-12 hours                           Overpressure
                     Following AC recovery*               Hydrogen burn

Large dry            10 hours                             Overpressure
                     Following AC recovery*               Hydrogen burn
                     J2 hours                             See IDCOR, 1984

Mark I, Mark II      2-4 hours                            Electrical penetration failure
                     4-8 hours                            Overpressure
                     18 hours                             See IDCOR, 1984

Mark III             10-15 hours                          Overpressure
                     1 hour following AC recovery*        Hydrogen burn
                     47 hours                             See IDCOR, 1984

*Depends on accident management strategy for hydrogen control.

containment performance insights derived just a few years ago. For the large, dry PWR containment, long-term overpressure is the most likely failure mode. Yet some evidence exists that some very strong large dry containments may not fail as a result of overpressure in station blackout accidents, because they can withstand the overpressure transient. The smaller PWR containments--like the subatmospheric or the ice condenser designs with lower design pressure and smaller volume--are less capable of handling the pressure transient and potential hydrogen burn associated with a station blackout core melt accident. In NUREG/CR-3226, it was estimated that the containment would fail in about 1 or 2 hours for several possible reasons including hydrogen burn, steam pressure spike, or containment overpressure as a result of noncondensables and noncondensed steam. However, the recent IDCOR results show containment failure times of more than 1 day.

The BWR Mark I and II containments offer some pressure suppression capability during a station blackout accident, but after a core melt, they may fail by one of two modes. Either mechanical or electrical fixtures in the penetrations may fail because (1) they are not designed for the pressure and temperature that will follow, or (2) ultimately (in about 5 to 8 hours), overpressure of the containment will occur. (IDCOR estimates a Mark I containment will fail in about 18 hours.) Because these containments are generally inerted, hydrogen burn is not considered a likely failure mode. For Mark III containments, which are low pressure, large volume containments, failure in 10 to 15 hours has been estimated in NUREG/CR-3226, principally by overpressure. The IDCOR estimate is 47 hours for this type of containment.

One item of interest should be noted for both the ice condenser containment and the Mark III containment, where hydrogen ignitors must be installed to meet hydrogen rule requirements and the post-Construction Permit Manufacturing Licensee (CPML) rule. For these containments, there is the potential that an inactive ignitor could be turned on following the restoration of AC power at a time when the hydrogen concentration is essentially at an explosive level. However, this potential problem can be mitigated through proper procedures and by instructing the operators on how to control the hydrogen burning with ignitor systems following the restoration of AC power.

Table 7.4 correlates the fission product release categories with the containment types and failure modes identified in Table 7.3. Table 7.4 also provides the doses estimated to result from station blackout accidents for the various different containment designs, including recent IDCOR estimates.

Substantial uncertainties exist regarding fission product transport in containment during a core melt. However, based on an understanding of the fission product transport process as known today, it can be seen that station blackout accidents can potentially result in substantial fission product releases. Again, the reader is cautioned that ongoing research could cause substantial revision of these fission product release fractions shown in Table 7.4.

Table 7.4 Containment fission product release categories and failure mode probabilities for station blackout sequences

Release category | Containment type, failure probability, and mode

  • BWR Mark I Ice Sub-atmos- Large dry- Large dry-1, 2/3 condenser pheric fetcavity dry cavity 1 10 4 10 4(a) 10 4(a) 10 4(a) 10 4(a) 2 0.2(y') --

0.1(6,) 0.8(6,) 0.2(6,) 3 0.8(y) 0.99(60 ) 0.9(fy) 0.2(67 ) 0.2(63 )

                                                             /

4 -- 10 2(p) lois(p) 7.3 x 10 8(p) 7.3 x 10 8(p) 6 0.6(c) Total 5.5 x 106/ 5.3 x 105 5.4 x 108 4.9 x 108 2.1 x 108 person- 4.5 x 106 rems, - to 50 mi IDCOR 1.3 x 107/ 3 x 105 -- -- 8.2 x 105 results 2.4 x 104

*Containment Failure Modes
a - steam explosion
y' - overpressure, direct atmospheric release
y - overpressure, release through reactor building
6 - overpressure, late
6* - overpressure resulting from steam spike at the time of vessel melt through
6[ - overpressure with core debris bed fragmentation
p - containment leakage
c - base mat melt through

8 EVALUATION OF DOMINANT STATION BLACKOUT ACCIDENT CHARACTERISTICS

The important factors that affect the probability of station blackout accidents have been identified, on the basis of the previous work presented on dominant station blackout accident sequences. The principal parts of the station blackout sequence include: the likelihood or frequency of loss of offsite power; the probability that the emergency or onsite AC power supplies will be unavailable; the capability and reliability of decay heat removal systems that must function during a loss of AC power; and the likelihood that a source of offsite power will be restored before the core is damaged as a result of the loss of core cooling and the failure of systems that cannot operate without AC power. Reactor type, by itself, has not been found to be a dominant factor in determining likelihood of core damage as a result of station blackout because the capabilities of auxiliary and support systems needed for decay heat removal during station blackout can vary considerably (and still meet current safety requirements). The important factors in determining the likelihood of core damage as a result of station blackout are reliability of the AC power system (offsite and onsite) and the performance of these auxiliary systems (DC power, compressed air), as well as such plant characteristics as pump seal design, natural circulation capability, and suppression pool temperature effects.

Because of these differences, core damage frequency estimates for station blackout accident sequences could vary considerably. Therefore, the NRC staff analyzed the sensitivity of core damage frequency estimates to design variations different from the reference plant analyses performed by Sandia National Laboratories (NUREG/CR-3226). The models used were based on insights obtained from previous studies; they are described in Appendix C.

Station blackout sequences were divided into two groups. The first included sequences involving the failure of AC-independent decay heat removal and, for plants without AC-independent makeup, loss of reactor coolant integrity at the onset of or soon after a station blackout. For these early core cooling failure sequences, AC power must be restored in 1 or 2 hours to avoid core damage and ultimately core melt. The second group of sequences identified included failures during an extended station blackout of 4 to 8 hours or more. These failures include a smaller rate of reactor coolant loss, support system capacity limitations (e.g., batteries, make up water inventory, compressed air), and other station blackout capability limitations in decay heat removal systems (e.g., natural circulation and suppression pool temperature limitations).

Several sensitivity analyses have been performed by NRC staff to evaluate variations in LWR plant designs for both decay heat removal capability and system reliability, including offsite power. Because the ability to cope with a station blackout may vary considerably, results are provided to show the effect of limitations in maintaining decay heat removal during station blackouts of 2 to 16 hours. First, Figure 8.1 shows the sensitivity to offsite power system design and location as represented by different offsite power groups (clusters). The importance of higher frequency and long duration losses of offsite power can be seen. It is also worthwhile to note that the highly reliable (redundant) AC-independent decay heat removal systems provide added value when ability to cope for long durations exists and very low core melt frequencies are estimated.

Figure 8.2 shows the relationship between various emergency diesel generator reliability levels and estimated core damage frequency. A combination of reasonably good diesel generator reliability and the ability to cope with a several hour station blackout results in estimated core damage frequencies on the order of 10.s per year or less. The effect of a plant's emergency AC power configuration is shown in Figure 8.3. A substantial difference in core damage frequency may exist between plants with three emergency diesel generators, depending on the minimum number (1 or 2) needed to maintain core cooling and decay heat removal during a loss of offsite power. Again, frequencies drop rapidly as station blackout coping capabilities extend to cover longer AC power outages.

Figure 8.4 shows the variations in emergency diesel generator failure rate from both independent and common causes. In this figure, common cause failures in support systems (e.g., service water, DC power) are estimated on the basis of the industry experience (see Appendix B). These results show that estimated core damage frequency can be kept low by maintaining highly reliable emergency AC power systems. Estimated core damage frequencies as low as 10 8 per year may be possible if the emergency AC power system is maintained in a high state of operational reliability, and there is some capability of coping with an unlikely station blackout.


0 c m 3 .

                                                        .e<

S. .:. oN c8

                    .e m              J                c        .,.

e c J s ~ ,,

                   - s                                                                                  i                         i o -                e          O    v,          i l                  I i
                                       'O.--                                                            ;i
                                                  &     a                   i        !          !                                          i k WDL 0 -Ji                                                                                                                          '

Oi O O .: GL u

                                                                                                                                         '                           ~

g,.

                                                                                                                   )        :                        .: 11      ,*       - .:

N

  • p.i j llel .\ ,' j el - -

p3 ,"

                                                                                                                                             /// /

CO 0 k 0 ) l . ;l ll// / LG6 ' wD Do. , ll l//,I./

                                                                                                                                        / ,         ,.                ,

i Of (/) O! / / // l 5 . y03 N, i ll/ / / - C0 x l OO L 9 llll/// / .  : jj'// /* ' u_ o o cl -

                                                                                                                /4./

f

                                                                                                                                                                           =

O E l 4-- C '. , .=

                                                                                           / /9:

00 0: y ,

                                                                                                                                                                     .;..c-h
 .                                     w r ([)           -

4

                                      .-[               i.                               '
                                                                                                          ,                    ,                                                     i
                                      .2 o *O s g
                                      '~              -                         -                                  _                                  -              -

O O O C u., v v v-C_ ,i cO - t_. V

                                                                                     .'                                                                              9 0                                                                           R;::'                              &               =

g O v v g

r. . i .a p- r. a : a 5. ,- s q r, a *.,r.. '
                                                                                *. w 'st C ' g<* C J            ""noL del te               ~ Q v. ' e ii
                                                                                             ?-6,

The results described above and additional sensitivity analyses can be used to assess the effectiveness of certain strategies in dealing with station blackout concerns. For instance, if PWR reactor coolant pump seals were known to fail early during station blackout, and the reactor coolant system leakage were the factor limiting the ability to cope with station blackout, core damage could occur 1 or 2 hours after the loss of AC power, even if the AC-independent decay heat removal system (the AFWS) were operating properly. Table 8.1 has been developed from the sensitivity analyses to show the effect of providing a "fix" to maintain reactor coolant pump seal integrity to allow successful core cooling for station blackouts of 4 and 8 hours.

The results provided up to this time represent point estimates of probability or, more properly, frequency. NUREG/CR-3226 shows the effect of using log-normal distributions to represent basic event probabilities on mean probability estimates, calculated medians, and uncertainty ranges. When that work was completed, the magnitude of the uncertainty in the loss of offsite power frequency and duration estimates was not known. Because the uncertainty bounds are now perceived to exceed those used in NUREG/CR-3226, the accident sequence uncertainty ranges derived using the most recent uncertainty estimates for loss of offsite power frequency may be larger than previously estimated. The loss of offsite power frequency and duration estimates are most uncertain for the very low frequency, long duration losses of offsite power. The uncertainty on the probability of accident sequences which result from the shorter duration losses of offsite power should not be significantly different from the previous estimates.

Some typical station blackout core damage probabilities and uncertainty ranges representing a 90% confidence interval have been provided in Figure 8.5 for reference. The sequence mean is typically 3 to 8 times larger than the point estimate and the upper and lower bounds are typically within a factor of 5 to 20 of the median estimate. The large difference in point estimate and mean can be attributed to the use of a log-normal distribution. When sequences are combined into a single core damage probability, the proportional distance between mean and point estimate tends to decrease somewhat.
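The gap between mean and point estimate described above can be reproduced with a short calculation. The following is an added example, not taken from NUREG-1032 or NUREG/CR-3226: it assumes each basic event is an independent log-normal variable described by a median and an error factor (95th percentile divided by median), and that the point estimate is the product of the medians. The three-event sequence and its error factors are constructed values.

```python
import math
import random

Z95 = 1.6448536269514722  # 95th percentile of the standard normal distribution

# Constructed sample sequence (assumed values, not from the report):
# (median, error factor) for loss of offsite power frequency per year,
# emergency AC power unreliability per demand, and failure to restore AC power.
EVENTS = [(0.1, 3.0), (1.0e-3, 5.0), (0.1, 5.0)]


def sigma_from_error_factor(error_factor):
    """Log-space standard deviation of a log-normal whose 95th
    percentile equals error_factor times its median."""
    if error_factor <= 1.0:
        raise ValueError("error factor must be greater than 1")
    return math.log(error_factor) / Z95


def sequence_summary(events):
    """Closed-form statistics for a product of independent log-normals.

    The product is itself log-normal: log-medians add and log-variances add.
    """
    mu = sum(math.log(median) for median, _ in events)
    var = sum(sigma_from_error_factor(ef) ** 2 for _, ef in events)
    sigma = math.sqrt(var)
    point = math.exp(mu)  # product of medians (assumed point estimate)
    return {
        "point": point,
        "median": point,
        "mean": math.exp(mu + var / 2.0),
        "lower_5": math.exp(mu - Z95 * sigma),
        "upper_95": math.exp(mu + Z95 * sigma),
        # Ratio of mean to point estimate depends only on the total variance.
        "mean_over_point": math.exp(var / 2.0),
        # Factor separating either 90% bound from the median.
        "bound_factor": math.exp(Z95 * sigma),
    }


def monte_carlo_mean(events, samples=200_000, seed=1):
    """Sampling check of the closed-form mean."""
    rng = random.Random(seed)
    params = [(math.log(m), sigma_from_error_factor(ef)) for m, ef in events]
    total = 0.0
    for _ in range(samples):
        total += math.exp(sum(rng.gauss(mu, s) for mu, s in params))
    return total / samples


if __name__ == "__main__":
    stats = sequence_summary(EVENTS)
    for key, value in stats.items():
        print(f"{key:16s} {value:.3e}")
    print(f"{'monte_carlo_mean':16s} {monte_carlo_mean(EVENTS):.3e}")
```

For these constructed inputs the mean is about 3.3 times the point estimate and the 90% bounds sit about a factor of 12.5 from the median, inside the ranges quoted above; the ratio grows with every uncertain event multiplied into the sequence.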

Table 8.1 Sensitivity of estimated core damage frequency reduction for station blackout accidents with reactor coolant pump seal failure delay from 2 to 4 hours and 4 to 8 hours

                 Estimated core damage frequency (per reactor year)
                 EDGR* = 0.025              EDGR = 0.05
Cluster          2 to 4 hr    4 to 8 hr     2 to 4 hr    4 to 8 hr

1/2 configuration
2                2.8E-6       1.2E-6        6.2E-6       2.5E-6
[illegible]      1.3E-5       6.0E-6        2.8E-5       1.3E-5
5                1.7E-5       1.5E-5        3.6E-5       3.0E-5

1/3 configuration
2                8.3E-7       3.4E-7
[illegible]      3.7E-6       1.7E-6
5                4.6E-6       4.0E-6

*EDGR = emergency diesel generator unreliability (i.e., failure rate per demand)

[Figure 8.5 Estimated core damage frequency showing uncertainty range for four reference plants. Panels: PWR with 1 steam driven AFW train; BWR with 1 isolation condenser; BWR with HPCI/RCIC; BWR with HPCS/RCIC. Horizontal axis: accident sequences. Legend: upper 95% confidence limit, mean, median, point value, lower 5% confidence limit. Source: NUREG/CR-3226]

A measure of risk associated with station blackout accidents can be obtained by multiplying the estimated core damage likelihood by the estimated dose due to containment failure during a station blackout accident. The recovery of AC power during the accident would provide the potential for terminating core damage prior to core melt and the potential for reducing fission product releases by delaying containment failure or actuation of containment sprays prior to containment failure. Some perspectives on estimated risk are provided in Appendix C.

9 RELATIONSHIP OF OTHER SAFETY ISSUES TO STATION BLACKOUT

The implications of station blackout on several other safety issues were reviewed for significance. These include: loss-of-coolant-accident initiators; anticipated transients without scram; external hazards, such as seismic events and severe weather; and internal hazards associated with fire or extreme environments, such as flooding or high steam temperature resulting from pipe breaks within the plant. In general, it was concluded that if the likelihood of station blackout were independent of any of these other safety considerations, the potential risk of a station blackout concurrent with one of those other safety concerns is very small. However, if as a result of common cause failure or interactive failure, the initiation of an accident by one of those other mechanisms described causes a station blackout, then the safety implications of those safety issues on station blackout are fairly large. Each of these safety issues is discussed separately below.

9.1 Loss-of-Coolant Accidents

Loss-of-coolant accidents (LOCAs) induced by a station blackout transient have already been included in the accident sequence analyses described in Section 7 above; these will not be discussed further here. LOCAs concurrent with a loss of offsite power are usually included in the design basis of nuclear power plants in accordance with the general design criteria of Appendix A to 10 CFR 50. The likelihood of a LOCA followed by and concurrent with a station blackout has been considered and is discussed below.

Although no strong coupling could be found between the initiation of a LOCA and a subsequent failure of the offsite or onsite AC power system, one potential mechanism has been identified. If a LOCA were to occur at a nuclear power plant, the reactor would trip; subsequently the turbine generator would be tripped and a grid instability could follow, or the site could be isolated by switching activities in the switchyard to provide onsite safety-related or alternative sources of preferred power to the emergency power safety buses. Historical experience collected about loss-of-offsite power events at nuclear power plants suggests that given a transient or an accident situation that would cause a trip of the turbine generator, the likelihood of a failure of the offsite power supply is on the order of $10^{-4}$ to $10^{-2}$, depending on the strength of the grid and the offsite power design at the site.

Estimated LOCA frequencies range from $10^{-2}$ per reactor year for small loss-of-coolant accidents down to less than $10^{-8}$ per reactor year for large diameter pipe breaks. The frequency of small LOCAs is dominated by pump seal LOCAs on pressurized water reactors and stuck open safety-relief valves on boiling water reactors, situations that do not require rapid actuation of AC powered emergency safety feature equipment and that have been addressed previously. The most likely small LOCA that has not been incorporated in the station blackout accident analyses is a small pipe break (less than 2 inches in diameter) with a frequency of about $10^{-3}$ per reactor year.

The low LOCA frequency combined with the likelihood of losing offsite power on turbine generator trip results in an estimated frequency of occurrence ranging from $10^{-5}$ per reactor year to $10^{-7}$ per reactor year. When this frequency is combined with a conservative estimate of emergency AC power system unreliability of $10^{-8}$ per demand, it is easily shown that accident sequences of this type represent a small element of reactor risk (less than $10^{-7}$ per reactor year). The variability of the frequency of station blackout caused by a LOCA could be as much as two orders of magnitude higher and still represent one of the smaller station blackout accident threats, although at this higher level these accidents could represent a noticeable fraction of reactor risk.
Large pipe break LOCAs with initiating frequencies on the order of $10^{-4}$ per reactor year combined with the probability of subsequent failure of all AC power do not appear to represent an appreciable fraction of accident likelihood or public risk, at least in comparison to other station blackout sequences.

9.2 Anticipated Transients Without Scram

Another safety consideration that was investigated is anticipated transients without scram. In this case, the anticipated transient is a loss of offsite power. If the probability of a loss of offsite power is taken as the generic average, 0.1 per year, and the probability of reactor scram failure is taken as the historical average, about $10^{-4}$ per demand, then the probability of a loss of offsite power followed by a failure to scram is about $10^{-5}$. This is a level of accident sequence likelihood that might be considered important. However, in order for station blackout to occur, the onsite emergency AC power system must also fail. In the worst case, one might find an unreliability of the emergency AC power system of about $10^{-2}$ per demand. Thus, the frequency of an anticipated transient without scram involving loss of offsite power and a failure of the onsite emergency AC power system is on the order of $10^{-7}$ per reactor year or less. Even if the level of uncertainty were an order of magnitude higher, this accident sequence would not be of concern in comparison to the dominant station blackout accident sequences that have been identified.

9.3 Extreme Internal Environment

A safety area in which there does appear to be a potential for station blackout type accident sequences being induced by other causes involves fire and other extreme environments, internal to a nuclear power plant. The concern associated with internal environmental hazards is that their occurrence can represent a common cause accident initiator that also affects the ability to cope with the incident. Specifically of concern is the likelihood of a fire, flood, or other extreme environmental conditions generated by internal events that would cause a loss of all AC power. In general, for this to occur portions of AC power systems must be in a common location where these hazards are present, or protection barriers and AC power system design requirements must be insufficient to control the spread or failure resulting from these hazards. Therefore, the likelihood of internal hazards causing a station-blackout-type accident is heavily dependent on the plant's design and, in particular, on the location of equipment.
If separation and internal environmental protection barriers are maintained, or adequate AC system design is provided, the likelihood of these internal environmental hazards causing a station-blackout-type accident would be very small, probably less than $10^{-8}$ per reactor year. On the other hand, if commonality of location or a lack of protection exists at a plant, then the safety significance of these internal hazards would have to be evaluated for plant damage susceptibility and likelihood of occurrence. The frequency of occurrence of these hazards can be as high as once per one hundred to once per one thousand reactor years. Therefore, the vulnerability to station-blackout-type accidents due to these hazards can be of concern.

9.4 External Hazards

Another potentially significant safety consideration that could be related to station blackout involves external hazards to the plant, particularly those resulting from seismic and weather-induced failures. To date, a seismically induced loss of offsite power has not been observed at a nuclear power plant. Failure of offsite power because of severe weather has been observed at nuclear power plants; in fact, severe weather was included as a major factor in determining the likely duration of an extended offsite power outage at nuclear power plants, as described in Section 3. The greatest potential for safety significance exists where there is a direct coupling or common cause failure associated between a transient-initiating external hazard causing loss of offsite power and the reliability of the onsite and offsite power systems. It can be expected that significant seismic and severe weather events will cause a loss of the offsite power system. On the other hand, the plant, and in particular the emergency AC power system, is typically designed to withstand, or is protected from the effects of, these severe phenomena. Therefore, for severe external hazards that are within the design basis of the plant, the failure of the emergency AC power system can be considered as an independent failure event. For example, if the likelihood of a safe shutdown earthquake that could cause a loss of offsite power were approximately $10^{-3}$ per year or less, and one assumes that it would take approximately 8 to 24 hours to restore offsite power from such an incident, then a typical estimate of core damage or core melt frequency due to a safe shutdown earthquake and a station blackout would be about $10^{-5}$ per reactor year or less.
For severe weather, the likelihood of the weather-induced failure of the offsite power system could be as high as $10^{-2}$ per year, and the outage could be expected to be on the order of several hours. Again, if the severe weather event is within the design basis of the plant, the likelihood of a weather-induced station blackout accident causing core damage or core melt would be on the order of $10^{-5}$ per reactor year.

Table 9.1 provides a summary of the typical internal and external accident hazards of a nuclear power plant and identifies some potential points of failure that could result in a coupling between these accident initiators and a station blackout. If such interactions or points of commonality do not exist, then it is concluded that the contribution of these accident initiators to station blackout accident sequences results in core melt frequencies that are no larger, and probably much less, than those previously considered.

Table 9.1 Coupling between external (and internal) events and potential plant failures

Event             Potential plant weakness
Seismic           Switchyard, control, non-seismically designed equipment
Fire, flood       Areas with multiple divisions, inadequate protection barriers
Severe weather    Transmission lines and towers, switchyard, non-safety structures

10 REFERENCES

Adams, J. P., et al., "Natural Circulation Cooling Characteristics During PWR Accident Simulations," Second National Topical Meeting on Nuclear Reactor Thermal Hydraulics, January 11 to 14, 1983.

Fletcher, C. D., "A Revised Summary of PWR Loss of Offsite Power Calculations," EGG-CAAD-5553, EG&G Idaho, Inc., September 1981.

Industry Degraded Core Rulemaking Program (IDCOR), IDCOR Technical Summary Report, "Nuclear Power Plant Response to Severe Accidents," published by Technology for Energy Corp., Knoxville, Tennessee, November 1984.

Schultz, R. R., and S. R. Wagoner, "The Station Blackout Transient at the Browns Ferry Unit One Plant A Severe Accident Sequence Analysis," EGG-NTAP-6002, EG&G Inc., September 1982.

U. S. Nuclear Regulatory Commission, NUREG-75/140, "Reactor Safety Study," October 1975 (formerly WASH-1400).

--, NUREG-0737, "Clarification of TMI Action Plan Requirements," November 1980.

--, NUREG-0900, "Nuclear Power Plant Severe Accident Research," January 1983.

--, NUREG/CR-1988, F. E. Haskin, W. B. Murfin, J. B. Rivard, and J. L. Darby, "Analysis of a Hypothetical Core Meltdown Accident Initiated by Loss of Offsite Power for the Zion 1 Pressurized Water Reactor," December 1981.

--, NUREG/CR-2182, D. H. Cook, S. R. Greene, R. M. Herrington, S. A. Hodge, and D. D. Yue, "Station Blackout at Browns Ferry Unit One - Accident Sequence Analysis," November 1981.

--, NUREG/CR-2989, R. E. Battle and D. J. Campbell, "Reliability of Emergency AC Power Systems at Nuclear Power Plants," July 1983.

--, NUREG/CR-3226, A. M. Kolaczkowski and A. C. Payne, Jr., "Station Blackout Accident Analyses (Part of NRC Task Action Plan A-44)," May 1983.

--, NUREG/CR-3992, R. E. Battle, "Collection and Evaluation of Complete and Partial Losses of Offsite Power at Nuclear Power Plants," February 1985.

Wyckoff, H., "Losses of Offsite Power at U. S. Nuclear Power Plants--All Years Through 1983," NSAC/80, Electric Power Research Institute, May 1984.

Diesel $c w n Vert a l O', 5. V'yeko$y A., "Rehd$ o { Smegeny Made.v (?wer Rbnfs" NS4C//02, Elufrt Pewer R<' son /s.%sh bG, ' S pfemb< /1'N,

APPENDIX A

DEVELOPMENT OF LOSS OF OFFSITE POWER FREQUENCY AND DURATION RELATIONSHIPS

TABLE OF CONTENTS

INTRODUCTION
LOSS OF OFFSITE POWER FROM PLANT-CENTERED CAUSES
GRID-RELATED LOSS OF OFFSITE POWER
LOSS OF OFFSITE POWER DUE TO SEVERE WEATHER
GENERIC LOSS-OF-OFFSITE-POWER CORRELATIONS
REFERENCES

LIST OF FIGURES

A.1 Frequency of loss-of-offsite-power events exceeding specified durations
A.2a Estimated frequency of occurrence of plant-centered losses of offsite power exceeding specified durations
A.2b 90% confidence limits for two categories of plant-centered losses of offsite power
A.3 [illegible]
A.4 Restoration probability for grid-related losses of offsite power
A.5 Estimated frequency of occurrence of grid-related losses of offsite power exceeding specified durations
A.6 Weather hazard expectation histograms
A.7 Restoration probability for severe-weather-induced losses of offsite power
A.8 Estimated frequency of occurrence of severe-storm-induced losses of offsite power exceeding specified durations
A.9 Estimated frequency of losses of offsite power exceeding specified durations for Indian Point
A.10 Estimated frequency of losses of offsite power exceeding specified durations for Zion
A.11 Estimated frequency of losses of offsite power exceeding specified durations for Shoreham
A.12 Estimated frequency of losses of offsite power exceeding specified durations for Millstone 3
A.13 Estimated frequency of losses of offsite power exceeding specified durations for Limerick
A.14 Estimated frequency of occurrence of losses of offsite power exceeding specified durations for nine offsite-power clusters

LIST OF TABLES

A.1 Summary of loss-of-offsite-power experience
A.2 Definitions of offsite power system design factors
A.3 Mean time to restore offsite power and statistical test values for plant design groupings
A.4 Data used for plant-centered loss-of-offsite-power-duration curve fits
A.5 Grid related loss-of-offsite-power frequency versus duration, through December 1983
A.6 Grid reliability/recovery
A.7 Severe-weather-induced losses of offsite power used in the analysis
A.8 Severe-weather-induced loss-of-offsite-power frequency/recovery
A.9 Extremely severe-weather-induced loss-of-offsite-power frequency
A.10 Cluster correlation factors
A.11 [illegible]

APPENDIX A

DEVELOPMENT OF LOSS OF OFFSITE POWER FREQUENCY AND DURATION RELATIONSHIPS

INTRODUCTION

This appendix provides the details and results of analyses performed by NRC staff to develop the cause, frequency, and duration relationships for loss of offsite power at nuclear power plants. The purpose of this work was to develop generic loss of offsite power relationships that would allow differentiation of plant design, operational, and location factors that can significantly affect the expected frequency and duration of loss of offsite power events.

Within this study, the loss of offsite power has been defined as the interruption of the preferred power supply to the essential and nonessential switchgear buses necessitating or resulting in the use of emergency AC power supplies. A total loss of offsite power is said to have occurred when non-emergency AC power sources become unavailable, requiring some diagnosis or special recovery actions including correcting switching errors, fixing or bypassing faulted equipment, or otherwise making available an alternate standby source of non-emergency AC power.

Although total loss of offsite power is a relatively infrequent occurrence at nuclear power plants, it has happened a number of times, and a data base of information has been compiled (Wyckoff, 1984; NUREG/CR-3992). From these data and a review of relevant design and operational characteristics, the frequency and duration relationships for loss of offsite power events at nuclear power plants have been developed. Historically, a loss of offsite power has occurred with a frequency of about once per 10 site years. The typical duration of these events has been on the order of one-half hour. However, at some power plants the frequency of loss of offsite power has been substantially higher than the average, and in other instances the duration of offsite power outages has been much longer than the norm. In some cases, licensees have taken and are taking corrective action to limit the recurrence of these longer and more frequent losses of offsite power.

A summary of the data on the total loss-of-offsite power events is provided in Table A.1. Because design characteristics, operational features, and the location of nuclear power plants within different grids and meteorological areas can have a significant effect on the likelihood and duration of loss-of-offsite-power events, it was necessary to analyze the nuclear industry experience in more detail. The data have been categorized into plant-centered events and area- or weather-related events. Plant-centered events are those in which the design and operational characteristics of the plant itself play a role in the likelihood or duration of the loss-of-offsite power event. Area or weather effects include the reliability of the grid and external influences on the grid or at the site (such as severe weather) that have an effect on the likelihood and duration of the loss of offsite power. The data show that plant-centered events account for the majority of the loss of offsite power events. Although the area-blackout- and weather-related events are less frequent, they typically account for the longer duration outages, with storms the major contributor to long outages.

Figure A.1 provides a plot of the frequency and duration of loss-of-offsite-power events resulting from plant-centered faults, grid blackout, and severe weather, based on past experience at nuclear plant sites. The curves were developed by fitting data to a two parameter Weibull function of the following form:

$$\lambda_{LOP_i}(t) = \lambda_{LOP_i}\, e^{-(\alpha_i t^{\beta_i})}$$

where $\lambda_{LOP_i}(t)$ is the frequency of losses of offsite power of type "i," which are equal to or greater than duration "t." That is, the recovery time equals or exceeds "t" hours. The term $\lambda_{LOP_i}$ is the frequency of occurrence of losses of offsite power of type "i," which have greater than zero duration. Parameters


Figure A.1 Frequency of loss-of-offsite power events exceeding specified durations (plotted data and curves: Total, Plant Centered, Grid, Severe Weather; horizontal axis: DURATION (Hours), 0.1 to 10.0)

$\alpha_i$ and $\beta_i$ are curve-shaping constants that vary according to the data being curve fitted.

LOSS OF OFFSITE POWER FROM PLANT-CENTERED CAUSES

Plant-centered failures typically involve hardware failures, design deficiencies, human errors (in maintenance and switching), localized weather-induced faults (lightning), or combinations of these failure types. Plant-centered failures can be recovered by switching or repairing faulted equipment at the site.

For the plant-centered losses, an attempt was made to determine any correlation between offsite power design characteristics and frequency and duration of losses of offsite power. Two offsite power design features were identified as potentially significant with regard to frequency and duration of loss of offsite power: (1) the independence of incoming offsite power sources and (2) the number of immediate and delayed access circuits and their transfer schemes to the Class 1E buses. Table A.2 defines the design differences associated with these features. The designs of offsite power sources were further subdivided into groups, and the number of shutdown sources were subdivided into different possible design combinations (NUREG/CR-3992).

The relationship between the listed design features and the frequency of loss of offsite power was analyzed using the Failure Rate Analysis Code (FRAC) (NUREG/CR-2434) to correlate loss-of-offsite power frequency with various design features. These analyses showed no statistically significant correlations between frequency of plant-centered losses of offsite power and the design features analyzed.

An analysis was also performed to determine if a statistically significant relationship exists between offsite power design characteristics and the duration of losses of offsite power. An analysis of covariance was performed to determine if there is a relationship between frequency and duration, using the generalized linear model (GLM) procedure of the Statistical Analysis System (SAS) (SAS Institute, 1979). The Type IV sum of squares was used for all calculations. No statistically significant relationship between frequency and


Table A.2 Definitions of offsite power system design factors

Major design factor A: Independence of offsite power sources to the nuclear power plant

Design features:

1. All offsite power sources are connected to the plant through one switchyard.
2. All offsite power sources are connected to the plant through two or more switchyards, and the switchyards are electrically connected.
3. All offsite power sources are connected to the plant through two or more switchyards or separate incoming transmission lines, but at least one of the AC sources is electrically independent of the others.

Major design factor B: Automatic and manual transfer schemes for the Class 1E buses when the normal source of AC power fails and when the backup sources of offsite power fail

Design features:

1. If the normal source of AC power fails, there are no automatic transfers and one or more manual transfers to preferred or alternate offsite power sources.
2. If the normal source of AC power fails, there is one automatic transfer but no manual transfers to preferred or alternate offsite power sources.
   a. All of the Class 1E buses in a unit are connected to the same preferred power source after the automatic transfer of power sources.
   b. The Class 1E buses in a unit are connected to separate offsite power sources after the automatic transfer of power sources.
3. After loss of the normal AC power source, there is one automatic transfer. If this source fails, there may be one or more manual transfers of power sources to preferred or alternate offsite power sources.
   a. All of the Class 1E buses in a unit are connected to one preferred power source after the first automatic transfer.
   b. The Class 1E buses in a unit are connected to separate offsite power sources after the first automatic transfer.
4. If the normal source of AC power fails, there is an automatic transfer to a preferred source of power. If this preferred source of power fails, there is an automatic transfer to another source of offsite power.
   a. All of the Class 1E buses in a unit are connected to the same preferred power source after the first automatic transfer.
   b. The Class 1E buses in a unit are connected to separate offsite power sources after the first automatic transfer of power sources.

duration was found. Thus, no additional covariance analyses were run. Subsequently, the data for all of the different design factors were analyzed to check for any statistical interactions using analysis of variance. One data point--a 5.83-hour restoration time for an event at the Calvert Cliffs plant on April 13, 1978--was found to cause a strong interaction. Without that event, there was no significant interaction. The Calvert Cliffs event involved a latent design flaw that has since been corrected; it is not expected to typify future occurrences with regard to design feature, type of failure, or duration.

With the data "corrected," the independence of offsite power sources was found to be a statistically significant determinant of the restoration time associated with plant-centered losses of offsite power. The number and type of transfer schemes were found to be less significant. It was concluded that various combinations of these design features could be used to define a set of design characteristics with a statistically different recovery time for plant-centered losses of offsite power. On the basis of this analysis and a review of the design features, the staff concluded (1) that plants with switchyard designs that are normally operated as an interconnected system could be separated, as a group, from those with designs offering electrical independence, and (2) that sites with two or more alternate offsite power circuits (immediate or delayed access) in addition to the normally energized power circuit to the Class 1E buses (offsite or unit generator source) could be grouped. Table A.3 shows design combinations obtained with the mean time to repair (MTTR) values for each group and the statistical test values that were derived for this grouping.

Other groupings can be derived that are both statistically significant and physically valid. However, data limitations and small differences in MTTR that occur for more detailed breakdowns suggest that the design groups obtained represent a reasonable and valid compromise between completely generic and more design-specific breakdowns.

A plant-centered loss-of-offsite-power frequency-vs.-duration curve was developed for each of the N design groups by fitting the corresponding data to a two parameter Weibull distribution. A list of the data used for each curve fit is given in Table A.4. The actual curves generated by this analysis are in Figure A.2a. The curves show the probability and frequency of events that exceed a

Table A.3 (handwritten in the source; the design groups, MTTR values and statistical test values are not legible)

l

Table A.4 Data used for plant-centered loss-of-offsite power-duration curve fits

Group  Site              Date          Duration (hr)

I1     Fitzpatrick       10/04/78      0.04
       Oconee            01/04/74      0.013**
       Fitzpatrick       03/27/79      0.05
       Millstone         07/21/76      0.08
       Indian Point 2,3  06/03/80      0.50***

I2     Nine Mile Point   11/17/73      0.003
       Haddam Neck       07/19/7       0.017
       Haddam Neck       07/15/.9      0.15**
       Haddam Neck       06/ /76       0.27
       Haddam Neck       08 9/74       0.33
       Haddam Neck       /27/68        0.48

I3     Davis Besse       11/29/77      0.002**
       Oyster Creek      09/08/73      0.003**
       Point Beach       04/27/74      0.02**
       Brunswick 2       03/25/75      0.07
       Monticello        04/27/81      0.25
       Beaver Valley     07/28/78      0.28
       Davis Besse       10/15/79      0.43
       Ginna             03/14/71      0.50
       Quad Cities       06/22/82      0.57
       Ginna             10/21/73      0.6i
       Prairie Island    07/15/80      1.03
       Quad Cities       11/06/77      1.15
       Arkansas-1        09/16/78      1.48

I4     San Onofre        11/22/80      0.004
       Fort Calhoun      08/22/77      0.015
       Palisades         09/24/77      0.50
       Farley            09/16/77      0.90
       Fort Calhoun      02/21/76      0.90
       Palisades         .09/.0247 F   0.93
       Indian Point      06/03/80      1.75***
       Farley            10/08/83      2.75

*Not included in the duration analysis were the Palisades events of 11/25/77 and 12/11/77 (recurring failures), the Calvert Cliffs event of 04/13/78 (outlier), the Big Rock Point event of 11/25/72 (insufficient plant design information), and the Crystal River event of 06/16/81, the Vermont Yankee event of 12/17/72, and the Turkey Point event of 04/04/79 (incomplete reporting of duration).
**For events with unspecified durations of less than 1 minute, durations were assigned to facilitate the statistical analysis.
***The Indian Point event of 06/03/80 lasting 1.75 hours, included in Group I4, is also included as a 0.50 hour event in Group I1 on the basis that had the available gas turbine been employed, offsite power would most likely have been recovered in approximately 30 minutes.

Table A.4 Data used for plant-centered loss-of-offsite power curve fits

PLANT                  DATE       DURATION
DAVIS-BESSE            11/29/77   0.002
NINE MILE POINT        11/17/73   0.003
OCONEE                 01/04/74   0.013
HADDAM NECK            07/19/72   0.017
MILLSTONE              07/21/76   0.080
HADDAM NECK            07/15/69   0.150
HADDAM NECK            08/01/94   0.167
SUSQUEHANNA            07/26/84   0.183
MONTICELLO             04/27/81   0.250
HADDAM NECK            06/26/76   0.270
HADDAM NECK            01/19/74   0.330
DAVIS-BESSE            10/15/79   0.430
HADDAM NECK            04/27/68   0.480
INDIAN POINT 2,3       06/03/80   0.500

PLANT                  DATE       DURATION
OYSTER CREEK           09/08/73   0.003
POINT BEACH            04/27/74   0.020
BRUNSWICK              03/26/75   0.070
DRESDEN                08/16/85   0.083
POINT BEACH            02/05/71   0.130
TURKEY POINT           02/12/04   0.250
TURKEY POINT           02/16/84   0.250
BEAVER VALLEY          07/28/78   0.280
MCGUIRE                08/21/04   0.334
GINNA                  03/04/71   0.500
GINNA                  10/21/73   0.670
PRAIRIE ISLAND         07/15/80   1.030
ARKANSAS NUCLEAR ONE   09/16/78   1.480

I3
PLANT                  DATE       DURATION
SAN ONOFRE             11/22/80   0.004
FORT CALHOUN           08/22/77   0.015
SAN ONOFRE             11/21/85   0.067
PALO VERDE             10/07/85   0.200
PALO VERDE             10/03/85   0.400
PALISADES              09/24/77   0.500
QUAD CITIES            06/22/82   0.570
FARLEY                 09/16/77   0.900
FORT CALHOUN           02/21/76   0.900
PALISADES              09/02/71   0.930
QUAD CITIES            11/04/77   1.150
INDIAN POINT           06/03/80   1.750
FARLEY                 10/08/83   2.750
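The two parameter Weibull fit described in this appendix can be reproduced in a few lines. The sketch below is an added example, not code or a method taken from NUREG-1032: it fits the 13 durations in the last PLANT/DATE/DURATION block of Table A.4 by linearizing the exceedance curve. The median-rank plotting positions, the least-squares fit, the function names, and the use of the 0.04 per site-year estimate for a single group are assumptions of this example, since the appendix does not state how its curves were fitted.

```python
import math

# Durations in hours of the 13 events in the last PLANT/DATE/DURATION block
# of Table A.4 (values copied from the page).
DURATIONS_HR = [0.004, 0.015, 0.067, 0.200, 0.400, 0.500, 0.570,
                0.900, 0.900, 0.930, 1.150, 1.750, 2.750]

# Assumption for illustration only: the appendix's 0.04 per site-year best
# estimate for all plant-centered events, applied here to a single group.
LAMBDA_PER_SITE_YEAR = 0.04


def empirical_exceedance(durations):
    """Return (t, S) pairs, where S estimates the fraction of events >= t.

    Uses Bernard's median-rank plotting position (an assumption of this
    example) so that S stays strictly between 0 and 1 for every event.
    """
    ts = sorted(durations)
    n = len(ts)
    return [(t, 1.0 - (i - 0.3) / (n + 0.4)) for i, t in enumerate(ts, start=1)]


def fit_weibull(points):
    """Least-squares fit of S(t) = exp(-(alpha * t**beta)).

    Taking logs twice gives ln(-ln S) = ln(alpha) + beta * ln(t), a straight
    line in ln(t). The slope is beta and the intercept is ln(alpha).
    """
    xs, ys = [], []
    for t, s in points:
        if t <= 0 or not 0.0 < s < 1.0:
            raise ValueError("need t > 0 and 0 < S < 1 for the log transform")
        xs.append(math.log(t))
        ys.append(math.log(-math.log(s)))
    n = len(xs)
    if n < 2:
        raise ValueError("need at least two points")
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("need at least two distinct durations")
    beta = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys)) / sxx
    alpha = math.exp(mean_y - beta * mean_x)
    return alpha, beta


def exceedance_frequency(lam, alpha, beta, t):
    """Frequency (per site-year) of losses lasting at least t hours."""
    if t < 0:
        raise ValueError("duration must be non-negative")
    if t == 0:
        return lam  # every loss with greater than zero duration counts
    return lam * math.exp(-(alpha * t ** beta))


if __name__ == "__main__":
    alpha, beta = fit_weibull(empirical_exceedance(DURATIONS_HR))
    print(f"alpha = {alpha:.3f}, beta = {beta:.3f}")
    for t in (0.5, 1.0, 2.0, 4.0, 8.0):
        f = exceedance_frequency(LAMBDA_PER_SITE_YEAR, alpha, beta, t)
        print(f"t >= {t:4.1f} h: {f:.5f} per site-year")
```

With so few events per group the fitted constants are sensitive to individual data points, which is the effect the appendix describes for the Calvert Cliffs outlier.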


specified duration. Figure A.2b shows the 90% confidence limits for two of the correlations (I1 and I4) derived using the extreme value theory.

It was recognized that some of the loss-of-offsite power events represented a lack of experience and, as experience is gained and problems are solved, the expected frequency could drop. Figure A.3 shows the actual and median smoothed plot of time between loss-of-offsite power events as a function of the event number. The first data point is the time in site years between the first recorded loss of offsite power and the second occurrence. The trend appears to show an increase in time between failures, or decrease in frequency. Visual inspection of the plot of the median smoothed time between failures indicates a reasonable breakpoint at about the 7th occurrence, which roughly corresponds to January 1978. An analysis of variance showed that the mean loss-of-offsite power frequency as a result of plant centered events from 1978 to 1983 was statistically different--showing a decrease of 30%--from the previous level for events lasting one-half hour or longer. It should be noted, however, that with the removal of the occurrence of just one event in 1977, statistical support to this trend would drop substantially.

The effect of experience was also evaluated through an attempt to correlate plant age and frequency of loss of offsite power. Visual examination of these data indicated a rather random frequency of occurrence based on plant age.

The staff has concluded that there probably has been some decrease of the loss-of-offsite power frequency for plant centered events at nuclear power plants as total nuclear power plant operating experience has increased but that some additional time and evaluation will be needed to definitively show the permanence of such an observation. Nonetheless, the loss-of-offsite power frequency estimates provided later in this appendix are based on the reduced frequency of plant-centered events (0.04 per site year versus the actually observed frequency of 0.056 per site year) obtained as a current best estimate.

GRID-RELATED LOSS OF OFFSITE POWER

Grid reliability has traditionally been the most prominent factor associated with a loss of offsite power at nuclear power plants. Yet, the historical data


show that losses of offsite power as a result of grid-related problems account for no more than of all losses of offsite power. Attempts to find characteristics to classify site, design, and location features that affect the expected frequency of grid loss have not been successful. An investigation into the various utility transmission and distribution system reliability characteristics was beyond the scope of this study. Such a study is likely to involve an extensive state-of-the-art analysis of grid stability, the results of which would be of questionable validity considering limitations on current methodology. In its place a more pragmatic and experience-based approach to estimating nuclear plant site susceptibility to grid loss was taken. Both frequency of grid loss and time to restore power were considered.

It was recognized that the Florida Power and Light (FPL) grid has represented the upper end of utility grid failure frequency during the past 10 to 15 years, although some recent improvements seem to have been effective. Very few other nuclear plant sites have experienced even one or two loss-of-offsite power events as a result of grid blackout. The great majority of nuclear power plants have not experienced grid failure. A systemic weakness identified after a grid failure is usually corrected as soon as possible. Thus, it is usually a new and previously unidentified systemic weakness that results in future failures. Therefore, in the absence of known and uncorrected systemic weaknesses, the occasional, non-recurring type of grid failure may not be a good indicator of future trends within a utility system. With this in mind, the FPL experience was separated from the balance of the U.S. nuclear utility experience to estimate grid-failure frequency. Because a set of design or location factors could not be identified that could effectively differentiate the expected reliability of the various utility grids, grid reliability was categorized by failure frequency ranges characteristic of past experience.

The FPL experience suggests an upper end to the grid failure frequency of once per 2 to h site years, although there have been recent improvements. In a few utility systems, the occasional grid failures have occurred at a frequency of about once per 10 to once per 20 site-years. The national average is about once per 100 site years, excluding FPL experience. Table A.5 lists grid-related losses of offsite power and site-specific frequencies calculated from the data. Two grid undervoltage events are discussed in a footnote to the table. Although these events were not counted as

Table A.5 Grid-related loss-of-offsite power frequency versus duration, through December 1983

Site                 Date of occurrence   Duration (hours)   Site frequency (per year)
Turkey Point         04/03/73             0.30               0.446 (5 events in 11.4 site years)
                     04/04/73             0.25
                     04/25/74             0.33
                     06/28/74             0.18
                     05/16/74*            1.03
                     05/16/77*            2.00
Indian Point         11/19/65             **                 0.15 (3 events in 20 site years)
                     07/20/72             0.92
                     07/13/77             15. 4 7
St. Lucie            05/16/77***          0.33               0.260 (2 events in 7.7 site years)
                     05/16/77***          1.50
                     05/14/78             0.13
Yankee Rowe          11/19/65             0.65               0.044 (1 event in 22.5 site years)
47 sites             none†                --                 0 (no events in 3.5 to 23.4 site-years)
Total for 52 sites                                           0.020 (11 events in 539 site years)
Total excluding FPL                                          0.008 (4 events in 520 site years)

*The Turkey Point events of 05/16/77 were counted as one event for frequency calculations.
**Actual duration not reported.
***The St. Lucie events of 05/16/77 were counted as one event for frequency calculations.
†The undervoltage event at Millstone on 07/21/76 was treated as a plant-centered design problem; the undervoltage event at Quad Cities on 02/13/78 was treated as a degradation with a useable offsite power source available throughout the incident.

PLANT           DATE           DURATION
TURKEY POINT    06/28/74       0.100
TURKEY POINT    04/04/73       0.250
TURKEY POINT    04/03/73       0.300
TURKEY POINT    04/25/74       0.330
TURKEY POINT    05/16/77 #     1.030
TURKEY POINT    05/16/77 ##    2.000
TURKEY POINT    05/17/85       2.083

INDIAN POINT    07/20/72       0.920
INDIAN POINT    07/13/77       6.470
INDIAN POINT    11/09/65

ST. LUCIE       05/14/78       0.130
ST. LUCIE       05/16/77       0.330 (1 OF 2)
ST. LUCIE       05/16/77       1.500 (2 OF 2)

YANKEE ROWE     11/09/65       0.550

grid failures, offsite power sources were momentarily unavailable during these events.

Two factors which have been identified as significant in determining the duration of grid-related losses of offsite power at nuclear power plant sites are: (1) the availability of adequate restoration procedures and (2) the availability of "black start" power sources that are able to supply power to a nuclear power plant in isolation of a grid disturbance. Both of these factors can contribute to a significant reduction in the expected duration of grid-related losses of offsite power, as reported in the Indian Point Safety Study (PASNY, 1982). In 1981 the NRC sent a generic letter (NRC, 1981) to all nuclear power plant licensees requesting them to develop and implement procedures to enhance restoration of offsite power. Responses to that generic letter have indicated that power could be preferentially restored to many nuclear power plant sites within 1 or 2 hours, even if the grid remained in a blackout condition.

The time to restore offsite power following a grid failure can be estimated by past experience. However, if an appropriate set of procedures is provided and power sources are available and capable of supplying power during grid blackout, a more prompt recovery may be possible. Human reliability and the availability of alternate power sources may limit the recovery potential to as low as 60% recovery in about an hour. If multiple reliable sources of power that can be isolated from a blacked-out grid are available, the potential may be as high as 95% recovery in less than one-half hour. For this study, an offsite power-restoration likelihood of 80% within one-half hour of a grid failure was assumed for the analysis of plant sites with enhanced recovery capabilities (e.g., procedures and at least one power source available for prompt recovery).

The recovery probabilities for grid-related losses of offsite power were developed by fitting past operating data to a two parameter Weibull distribution. The data used in the curve fit are provided in Table A.5. Figure A.4 provides a curve showing the probability of not restoring offsite power versus the duration of losses of offsite power as a result of grid blackouts. It also shows the potential for improvement with enhanced recovery capability over past operating experience.
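The curve fit described above, worked as an added example (not code from NUREG-1032): a two-parameter Weibull is fitted to the Table A.5 durations, and the resulting probability of not restoring power is multiplied by the representative grid-loss frequencies of groups G1 to G4 in Table A.6. Assumptions made here: maximum likelihood as the fitting method (the report does not name one), the simple product for the exceedance frequency, every listed duration used as a data point, and the Indian Point 07/13/77 duration read as 6.47 hours from the printout that follows the table.

```python
import math

# Outage durations in hours, transcribed from Table A.5 on this page.
# Assumptions: both 05/16/77 entries per site are kept as data points, the
# Indian Point 07/13/77 value is read as 6.47, and the Indian Point event
# with no reported duration is dropped.
DURATIONS_H = [
    0.30, 0.25, 0.33, 0.18, 1.03, 2.00,  # Turkey Point
    0.92, 6.47,                          # Indian Point
    0.33, 1.50, 0.13,                    # St. Lucie
    0.65,                                # Yankee Rowe
]

# Representative grid-loss frequencies (per site year) for groups G1 to G4.
GROUP_FREQ = {"G1": 0.01, "G2": 0.03, "G3": 0.1, "G4": 0.3}


def shape_score(k, data):
    """Likelihood equation for the Weibull shape k; it is zero at the MLE."""
    logs = [math.log(x) for x in data]
    powers = [x ** k for x in data]
    weighted = sum(p * l for p, l in zip(powers, logs))
    return weighted / sum(powers) - 1.0 / k - sum(logs) / len(data)


def fit_weibull(data, lo=0.05, hi=20.0, tol=1e-10):
    """Maximum-likelihood fit; returns (shape, scale) with scale in hours."""
    if len(set(data)) < 2 or any(x <= 0 for x in data):
        raise ValueError("need at least two distinct, strictly positive durations")
    if shape_score(lo, data) > 0 or shape_score(hi, data) < 0:
        raise ValueError("shape parameter lies outside the search bracket")
    # shape_score is strictly increasing in k, so plain bisection converges.
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if shape_score(mid, data) < 0:
            lo = mid
        else:
            hi = mid
    k = 0.5 * (lo + hi)
    scale = (sum(x ** k for x in data) / len(data)) ** (1.0 / k)
    return k, scale


def prob_not_restored(t_hours, shape, scale):
    """Weibull survival function: probability power is still out after t hours."""
    if t_hours < 0:
        raise ValueError("duration must be non-negative")
    return math.exp(-((t_hours / scale) ** shape))


def exceedance_frequency(group, t_hours, shape, scale):
    """Per-site-year frequency of grid-related losses lasting longer than t."""
    return GROUP_FREQ[group] * prob_not_restored(t_hours, shape, scale)


if __name__ == "__main__":
    k, lam = fit_weibull(DURATIONS_H)
    print(f"shape = {k:.3f}, scale = {lam:.3f} h")
    for t in (0.1, 0.3, 1.0, 3.0, 10.0):
        row = ", ".join(
            f"{g}: {exceedance_frequency(g, t, k, lam):.4f}" for g in GROUP_FREQ
        )
        print(f"t > {t:>4} h  P(not restored) = "
              f"{prob_not_restored(t, k, lam):.3f}  {row}")
```

A fitted shape below 1 means the chance of restoring power in the next interval falls as the outage lengthens, which is why the past-experience value at one-half hour sits well above the 20% non-recovery assumed for sites with enhanced recovery capability.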

[Figure A.4 (plot not reproduced)]

The correlations for grid reliability and offsite power restoration were developed by combining the occurrence frequencies representative of operating experience and the calculated recovery probabilities. Table A.6 provides the grid failure frequency and duration groups obtained. Figure A.5 shows the discrete loss-of-offsite power frequency and duration curves corresponding to the groups identified in Table A.6.

LOSS OF OFFSITE POWER DUE TO SEVERE WEATHER

Severe weather conditions, such as local or area-wide storms, have caused losses of offsite power at nuclear power plants. Weather-related causes of offsite power failure have been divided into two groups:

(1) those for which the weather caused the event but did not affect the time to restore power
(2) those for which the weather initiated the event and created conditions so that power was not or could not have been restored for a long time

Group (1) includes lightning and most other weather events that do not cause severe or extensive physical damage at or near the site. They can cause a loss of offsite power, but their severity does not contribute in any significant way to long duration losses of offsite power. These types of weather-related offsite power outages are usually considered in the plant-centered or, possibly, the grid category. Group (2) includes losses of offsite power that result from major storms, hurricanes, high winds, accumulations of snow and ice, and tornadoes. The expected frequency of loss of offsite power of this group is relatively small; on the other hand, for this group the likelihood of restoring offsite power in a short time is also relatively small.

To estimate the likelihood and duration of loss of offsite power as a result of severe weather, it is necessary to (1) identify the set of weather hazards to be considered, (2) determine the likelihood of failure for a given hazard intensity, and (3) determine the repair or restoration time for the various failure

Table A.6 Grid reliability/recovery

Grid reliability (G)

Grid reliability group (G)   Frequency of grid loss
G1                           Less than 1 per 60 site years (0.01/site year)
G2                           > 1 per 60 site years and < 1 per 30 site years (0.03/site year)
G3                           > 1 per 20 site years and < 1 per 6 site years (0.1/site year)
G4                           Greater than or equal to 1 per 6 site years (0.3/site year)

Recovery (R)

Recovery from grid blackout group (R)   Recovery capability
R1                                      Plant has capability and procedures to recover offsite (non-emergency) AC power to the site within 1/2 hour following a grid blackout.
R2                                      All other plants not in R1.

Grid reliability/recovery (GR)

Grid reliability/recovery group (GR)   Grid reliability group (G)   Recovery from grid blackout group (R)
GR1                                    G1                           R1
GR2                                    G2                           R1
GR3                                    G3                           R1
GR4                                    G4                           R1
GR5                                    G1                           R2
GR6                                    G2                           R2
GR7                                    G3                           R2

[Figure A.5 Estimated frequency of occurrence of grid-related losses of offsite power exceeding specified durations. Horizontal axis: DURATION (Hours); curves GR1 through GR7. Note: Grid Reliability/Recovery Groups GR1 - GR7 are defined in Table A.6.]

modes associated with severe weather related power losses. Although utilities and regional power pools normally keep extensive data on transmission line, terminal, and customer outages from all causes, including weather, little information has been obtainable that can be used to derive the likelihood of loss of all offsite power at nuclear plants or for similarly designed incoming transmission lines and switchyards at non-nuclear plants. In light of this limitation, the objective of this study was to derive some general frequency and duration characteristics that could be applied to the design and location of nuclear power plant offsite power systems generically or on a case-by-case basis, considering specific susceptibility to the various weather hazards.

The approach taken was to develop a range of loss-of-offsite power frequency and duration relationships based on weather hazard rate and past operating experience. First, data for all loss-of-offsite power events involving both partial and total failures were reviewed. Weather-related total loss-of-offsite power events and significant partial loss-of-offsite power events, such as those causing the complete loss of power to or from a switchyard, were included. These data are provided in Table A.7. Here again, as with grid reliability experience, this data base is too small to be used to derive plant location and design-dependent conclusions regarding the expected frequency of loss of offsite power as a result of severe weather.

Normally, regression analyses would be used to correlate failure rate, design factors, and weather hazards. However, the losses of offsite power are so rare that the available data are too limited to take such an approach. The method taken to correlate loss-of-offsite power frequency to weather hazards is [illegible] that the frequency of loss of offsite power as a result of severe weather events is proportional to the weather hazard rates at a site. The weather hazard rate is a measure of the frequency of conditions that have the potential to cause loss of offsite power. The following weather hazard rate indicators were selected:

[Table A.7: handwritten table of weather-related losses of offsite power; entries not legible in the scan.]

(1) snow/ice: inches of snowfall per year
(2) tornado: frequency of tornadoes per square mile per year
(3) hurricane and wind: frequency of storms per year with wind speeds exceeding approximately 75 mph

These factors are called indicators because no mechanistic cause and effect analysis has been performed. Rather, it has been observed that losses of offsite power have occurred when these types of weather conditions were present. Storms are classified as hurricanes when wind speeds reach 75 mph. The frequency of this wind speed was used as a correlation point to determine the variability of hurricanes and high wind hazards at various locations (sites).

By dividing the number of losses of offsite power which have occurred by the cumulative historical weather hazards for each weather type at nuclear power plant sites, an offsite power failure proportionality factor for each weather type was derived. This process can be represented as follows:

$$P_i = \frac{N_i}{\sum_j H_{ij}}$$

where

$P_i$ = the proportionality factor for weather type "i"
$N_i$ = the observed number of offsite power losses as a result of weather type "i"
$H_{ij}$ = the cumulative weather hazard factor for weather type "i" at site "j"

$$H_{ij} = h_{ij}\,\Delta t_j$$

where

$h_{ij}$ = the weather hazard rate for type "i" weather at site "j"

[Handwritten insert; text not legible in the scan.]

$\Delta t_j$ = the cumulative site years since commercial operation began at site "j"

The expectation frequency of loss of offsite power can then be computed by

$$S_{ij} = P_i h_{ij}$$

where $S_{ij}$ is the estimated frequency of loss of offsite power at site "j" for weather type "i", and $P_i$ and $h_{ij}$ are defined as before.

On the basis of data from Table A.7 and cumulative weather hazards for U.S. nuclear plant sites through 1983, the following weather-induced failure proportionality factors were derived:

$P_{S/I}$ = [illegible] / inches of snowfall
$P_{H/W}$ = [illegible]
$P_T$ = [illegible]

where subscripts S/I = snow/ice, H/W = hurricanes/wind, and T = tornadoes. The weather hazard factors for each site were derived from National Weather Service data (NUREG/CR-2639, -2890; Vigansky, 1980; National Oceanic and Atmospheric Administration, 1980) where available. If data for a particular weather type at a site were not available, the operating experience for that site was not included in the estimates.
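The proportionality-factor calculation above, worked as an added example (not code or data from NUREG-1032). The site names, hazard rates, site years and loss counts are constructed; a rate of `None` stands for a site with no weather-service data, whose operating experience is left out of both the numerator and the denominator as the text describes.

```python
# Constructed sample sites (not NUREG-1032 data). "rate" holds the hazard rate
# h_ij: inches of snowfall per year for snow_ice, tornadoes per square mile
# per year for tornado. None marks a weather type with no data at that site.
SITES = {
    "Site A": {"years": 10.0, "rate": {"snow_ice": 60.0, "tornado": 4.0e-4},
               "losses": {"snow_ice": 2}},
    "Site B": {"years": 15.0, "rate": {"snow_ice": 20.0, "tornado": 1.0e-4},
               "losses": {"tornado": 1}},
    "Site C": {"years": 8.0, "rate": {"snow_ice": None, "tornado": 2.0e-4},
               "losses": {"snow_ice": 1}},
    "Site D": {"years": 10.0, "rate": {"snow_ice": 10.0, "tornado": None},
               "losses": {}},
}


def cumulative_hazards(sites, wtype):
    """H_ij = h_ij * dt_j for every site that has a hazard rate for wtype."""
    hazards = {}
    for name, site in sites.items():
        rate = site["rate"].get(wtype)
        if rate is None:
            continue  # no data: this site's experience is not included
        if rate < 0 or site["years"] <= 0:
            raise ValueError(f"invalid hazard rate or site years for {name}")
        hazards[name] = rate * site["years"]
    return hazards


def proportionality_factor(sites, wtype):
    """P_i = N_i / sum_j H_ij, counting losses only at the included sites."""
    hazards = cumulative_hazards(sites, wtype)
    total = sum(hazards.values())
    if total <= 0:
        raise ValueError(f"no cumulative hazard recorded for {wtype}")
    observed = sum(sites[name]["losses"].get(wtype, 0) for name in hazards)
    return observed / total


def site_frequency(sites, wtype, name):
    """S_ij = P_i * h_ij, the estimated losses per site year at one site."""
    rate = sites[name]["rate"].get(wtype)
    if rate is None:
        raise KeyError(f"{name} has no hazard rate for {wtype}")
    return proportionality_factor(sites, wtype) * rate


def expected_losses(sites, wtype):
    """Sum of S_ij * dt_j over included sites; reproduces N_i by construction."""
    p_i = proportionality_factor(sites, wtype)
    return sum(p_i * h for h in cumulative_hazards(sites, wtype).values())


if __name__ == "__main__":
    for wtype in ("snow_ice", "tornado"):
        print(wtype, "P_i =", proportionality_factor(sites=SITES, wtype=wtype))
        for name in cumulative_hazards(SITES, wtype):
            print("  ", name, "S_ij =", site_frequency(SITES, wtype, name))
```

Because every site shares one factor per weather type, the per-site estimates differ only through the hazard rate, and summing them over the site years returns the observed count.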

Normally this type of correlation would be supported by a statistical validity test. As pointed out previously, because there have only been a few weather-related losses of offsite power at nuclear plants, the statistical validity could not be ascertained. However, as a test of the reasonableness of this formulation, a plot of cumulative weather hazard factor for each site ($H_{ij}$) versus total cumulative weather hazard factor tabulated for all applicable nuclear plant sites ($\sum_j H_{ij}$) was made, and the severe weather-related operating experience for both total and major partial loss of offsite power events was identified. A comparison was also made of the number of sites falling within subdivisions of the range of cumulative weather hazard factors. This information is provided in Figure A.6, where the number of losses of offsite power

[Figure A.6 Weather hazard expectation histograms. Panels: SNOW/ICE; HURRICANE/WIND > 75 mph; TORNADOES.]

followed by a "T" represent total losses of offsite power and those followed by a "P" represent major partial losses of offsite power. Because frequency of loss of offsite power as a result of weather has been assumed to be proportional to the magnitude of weather hazards, the occurrence of weather-related losses of offsite power should favor the sites with the highest cumulative weather hazard. In general it does.

The events identified in Table A.7 are typified by durations of several hours. The failures are somewhat localized, able to be isolated, or repairable with modest effort. Design factors such as transmission line right-of-way separation, structural strength of transmission and switchyard components, insula[...] effects of adverse environments, and operational factors related to the availability or use of alternate, available power sources will impact on the likelihood and duration of loss-of-offsite power events of this type. [...] will be referred to as severe weather events throughout this appendix.

None of the events identified in Table A.7 involved [...] to wind conditions that severely damaged structural elements of all transmission and/or switchyard components of sources of offsite power to the plant. Although such an occurrence is rarely expected, many hours or days could be required to repair and restore offsite power. The frequency of these more extreme weather-related power losses can be estimated by determining the frequency of weather conditions that are severe enough to damage all offsite power sources. The same design factors noted above for the more repairable loss of offsite power events will determine the susceptibility, and thus frequency, or hazard rate, of weather conditions that result in area-wide transmission and/or switchyard failures. Based on the National Electric Safety Code, power plant transmission systems should be designed for wind speeds on the order of 125 mph. High wind speeds could cause extensive power transmission losses, although this will vary, depending on specific design. Another potential hazard, tornado(es), must strike all rights-of-way or switchyards with sufficient intensity to damage the minimum components required to supply offsite power in order to cause a long duration loss of offsite power. The probability of equipment failure given the occurrence of these extreme weather conditions is assumed to be unity,

thus the likelihood of loss of offsite power can be approximated by the frequency of occurrence of the extreme weather condition. The frequencies of the extreme hurricane (known as great hurricanes) and high winds are available from National Weather Service data.

To estimate the frequency of single or multiple tornado strikes damaging all transmission lines or switchyards requires modeling of the offsite power transmission line geometry (Anders, Dandeno, and Neudorf, 1984; Teles, Anderson and Landgren, 1980) and using site/area data for tornado frequency, intensity, and direction. This type of mechanistic, probabilistic analysis was not performed as part of this work. A simpler, [illegible] approach was used. The tornado-related loss of offsite power frequency for a single right-of-way derived previously was used.

However, using this approach, for some sites, the frequency of tornado-caused losses of offsite power could be overestimated by an order of magnitude or more. Where the tornado frequency is low, as it is at most sites, this estimate will not make a noticeable difference in the computation of total loss-of-offsite power frequency. For relatively high tornado frequency locations, the results may be more appropriately treated as a high, rather than a best, estimate. For purposes of this work, the low estimated frequency of tornado-caused loss of offsite power was taken as negligible compared to the high estimate. This lower estimate would be indicative of sites with transmission line rights-of-way spreading out in directions obtuse to each other.

Events of the types discussed in the preceding two paragraphs are referred to as extreme weather events throughout this appendix. Although the frequency of these extremely severe weather events could be as high as 0.01 per site year, it will more typically be less than 0.001 per site year.

The time necessary to restore a source of offsite power for weather-related failures will depend on the severity of damage caused by the event. Major structural damage can typically require 8 to 24 hours or longer for repair. Data obtained from the Mid-America Interpool Network (MAIN) and the Mid-Continental Area Power Pool (MAPP) (MAIN, 1983; MAPP, 1983) indicate that it takes on the order of 8 to 12 hours to restore transmission or terminal point outages that resulted from severe weather. For this study, nuclear power plant outage time data for losses of offsite power that resulted from severe weather


were used to estimate restoration likelihood for the less-than-catastrophically-damaging weather events. Data for total loss-of-offsite power events were fitted to a two parameter Weibull distribution and used to generate the restoration likelihood curve shown in Figure A.7. Also shown in Figure A.7 is an "enhanced" recovery curve that can be used to differentiate plants with practicable power restoration procedures for these weather types. The applicability of enhanced recovery would depend on the capability and procedures to restore power within about 2 hours for a given weather hazard.

An estimate of the total severe weather-related frequency of loss of offsite power was derived by summing the values for each weather hazard type at all nuclear plant sites. Plant-specific design or procedural details can affect the estimated frequency of weather-related losses of offsite power. Therefore, an attempt was made to derive the range of possibilities rather than to provide site-specific estimates. It should be noted, however, that, because of a lack of data, not all weather hazards could be accounted for at every site. Moreover, some weather data extrapolations were necessary when data from weather stations near a site were not available. The frequency range derived was large, and determining where a particular site/design combination would fall in that range requires evaluation of the site-specific details identified previously. For the purpose of this work, the range was subdivided into groups with approximately a factor of 3 difference in median frequency. The subranges so derived are provided in Table A.8. This partitioning allowed generic evaluation of the effects of severe weather hazard on loss-of-offsite power frequency while at the same time providing perspective on the potential for plant-specific differences. Figure A.8 shows the severe weather frequency and duration combinations corresponding to the groups defined in Table A.8.

For losses of offsite power caused by extremely severe weather such as great hurricanes, very high winds (greater than 125 mph), and major damage from tornadoes, restoration of offsite power was not assumed to occur before 24 hours after the start of the outage. The frequency breakdowns, derived in a manner similar to that for severe weather, are provided in Table A.9. Again it must be noted that a site-specific assessment of the susceptibility to these weather hazards must be performed to determine the site-specific expectation frequency.
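The Weibull restoration fit and the resulting frequency-versus-duration curves described above can be sketched as follows. This is an added Python example, not code or data from NUREG-1032: the outage times are constructed, the 0.005 per site-year severe-weather frequency is an assumed value, and median-rank regression is an assumed fitting method (the report does not name one).

```python
import math

# Constructed sample: hours to restore offsite power after severe-weather
# losses. Illustrative values only, NOT data from NUREG-1032.
RESTORATION_HOURS = [0.4, 0.9, 1.5, 2.0, 2.8, 4.0, 5.5, 8.0, 12.0, 19.0]

# Assumed severe-weather loss frequency (per site-year) for one site group.
ASSUMED_SEVERE_FREQ = 0.005
# Extremely severe weather: the text gives "less than 0.001 per site year"
# as typical; 0.001 is used here as an upper illustrative value.
EXTREME_FREQ = 0.001
# The text assumes no restoration before 24 hours for extreme weather.
EXTREME_HOLD_HOURS = 24.0


def fit_weibull(times):
    """Fit a two-parameter Weibull (shape beta, scale eta) to outage times.

    Assumed method: median-rank regression. With
        F(t) = 1 - exp(-(t/eta)**beta)
    the transform ln(-ln(1 - F)) = beta*ln(t) - beta*ln(eta) is a straight
    line in ln(t), which is fitted by ordinary least squares.
    """
    ts = sorted(times)
    n = len(ts)
    if n < 2 or ts[0] <= 0:
        raise ValueError("need at least two positive restoration times")
    xs = [math.log(t) for t in ts]
    # Bernard's approximation to the median rank of the i-th ordered time.
    ys = [math.log(-math.log(1.0 - (i - 0.3) / (n + 0.4)))
          for i in range(1, n + 1)]
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("restoration times must not all be equal")
    beta = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    eta = math.exp(mx - my / beta)
    return beta, eta


def prob_not_restored(t, beta, eta):
    """Probability that offsite power is still out t hours after the loss."""
    if t <= 0:
        return 1.0
    return math.exp(-((t / eta) ** beta))


def severe_exceedance(freq, t, beta, eta):
    """Frequency (per site-year) of severe-weather losses lasting beyond t."""
    return freq * prob_not_restored(t, beta, eta)


def extreme_exceedance(freq, t, hold_hours=EXTREME_HOLD_HOURS):
    """Extremely severe weather: no restoration credit before hold_hours."""
    if t > hold_hours:
        raise ValueError("no restoration model is given beyond the hold time")
    return freq


def duration_table(durations=(0.5, 1, 2, 4, 8, 16)):
    """Rows of (hours, P(not restored), severe freq, extreme freq)."""
    beta, eta = fit_weibull(RESTORATION_HOURS)
    rows = []
    for t in durations:
        rows.append((t,
                     prob_not_restored(t, beta, eta),
                     severe_exceedance(ASSUMED_SEVERE_FREQ, t, beta, eta),
                     extreme_exceedance(EXTREME_FREQ, t)))
    return rows


if __name__ == "__main__":
    beta, eta = fit_weibull(RESTORATION_HOURS)
    print(f"fitted shape beta={beta:.3f}, scale eta={eta:.2f} h")
    print("hours  P(not restored)  severe/yr  extreme/yr")
    for t, p, sev, ext in duration_table():
        print(f"{t:5.1f}  {p:15.3f}  {sev:9.5f}  {ext:10.5f}")
```

The severe-weather column falls with duration because restoration is credited, while the extreme-weather column stays flat up to 24 hours, which is why the longer-duration totals are dominated by the extreme-weather term.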

[Figure not recoverable; axis label: "Probability of not restoring offsite power"]

Table A.8 Severe-weather-induced loss-of-offsite power frequency/recovery

Severe-weather-induced loss-of-offsite power frequency (S)

Frequency group (S)  Frequency of severe-weather-induced loss of offsite power
S1                   Less than 1 per 350 site years (0.002/site year)
S2                   ≥ 1 per 350 site years and < 1 per 120 site years ([illegible]/site year)
S3                   Greater than or equal to 1 per 120 site years (0.015/site year)

Recovery from severe-weather-induced loss-of-offsite power groups (R)

Recovery group (R)   Recovery capability
R1                   Plant has capability and procedures to recover offsite (non-emergency) AC power to the site within 2 hours following a severe-weather-induced loss of offsite power.
R2                   All other plants not in R1

Severe-weather-induced loss-of-offsite power frequency/recovery (SR)

Frequency/recovery group (SR)  Frequency group (S)  Recovery group (R)
SR1                            S1                   R1
SR2                            S2                   R1
SR3                            S3                   R1
SR4 to SR6                     [illegible]          [illegible]

[Figure A.8 Estimated frequency of occurrence of severe-storm-induced losses of offsite power exceeding specified durations. Horizontal axis: duration (hours).]

Table A.9 Extremely severe-weather-induced loss-of-offsite power frequency

Frequency group (SS)  Extremely severe-weather-induced loss-of-offsite power frequency
SS1                   Less than 1 per 3[illegible] site years (0.0002/site year)
SS2                   ≥ 1 per 3[illegible] site years and < 1 per 1800 site years (0.0005/site year)
SS3                   ≥ 1 per 1800 site years and < 1 per 3[illegible] site years ([illegible]/site year)
SS4                   ≥ 1 per 3[illegible] site years and < 1 per 180 site years (0.005/site year)
SS5                   Greater than or equal to 1 per 180 site years ([illegible]/site year)

GENERIC LOSS-OF-OFFSITE-POWER CORRELATIONS

Combinations of design, grid, and weather factors derived in the previous sections provide a wide spectrum of possibilities for loss-of-offsite power frequency and duration. Each of these factors was subdivided to account for known or hypothetical but reasonable differences in frequency and duration; typically, a factor of 2 to 5 difference was maintained for these subdivisions. The intent was to develop a discrete set of frequency and duration groups that could account for actual and potential differences in both design and location (grid and weather) for the spectrum of nuclear power plant sites. The frequency of losses of offsite power lasting duration "t" or longer can be estimated by appropriate combination of the correlations that were developed in this appendix and can be represented by the following equation:

$$\lambda_{LOP}(t) = I_i(t) + GR_j(t) + SR_k(t) + SS_l$$

where

$I_i(t)$ = the plant-centered loss of offsite power frequency correlation defined in Table A.3 and Figure A.2, corrected to initial frequency of 0.04 per site year

$GR_j(t)$ = the grid-related loss-of-offsite power frequency correlation defined in Table A.6 and Figure A.5

$SR_k(t)$ = the severe weather-related loss-of-offsite power frequency correlation defined in Table A.8 and Figure A.8

$SS_l$ = the extremely severe-weather-related loss-of-offsite power frequency defined in Table A.9

The identification of the $I_i$ factor is the most straightforward because it is based on configuration. As a first cut, the appropriate $GR_j$ factor can be identified by dividing nuclear sites in the U.S. into two categories: (1) FPL sites, GR7, and (2) all other sites representing average frequency expectation of grid failure, GR1 or GR[illegible]. The $SR_k$ and $SS_l$ factors are not so easily identified because both design specifics and hazard rate must be determined. It is possible, however, to bracket these factors with a range that can be used to judge importance of station blackout considerations using hazard rates and proportionality factors for severe weather, and using the upper range of the estimated failure rate for extreme weather hazards.

A test of the loss-of-offsite power correlations that were developed was made by comparison with plant-specific results from published probabilistic risk assessments (PRAs). Figures A.9 through A.13 provide these comparisons. With the exception of the Zion PRA and Indian Point PRAs, giving credit for nearby gas turbine generators, the results show reasonable agreement. The cross-hatched areas represent the high and low estimate for extreme-weather-related losses of offsite power, except for Indian Point where site historic grid failure frequency and generic estimates were used to develop the ranges. The differences with the Zion PRA results could stem from one of several possibilities: design and procedural factors are more reliable than assumed in the comparison; the Zion PRA results are optimistic; or the models and correlations derived for generic analyses have limitations when applied to some plant-specific cases. The difference with the Indian Point PRA results can be attributed to the high availability associated with nearby gas turbine generators. The utility has placed special emphasis, including technical specifications, to maintain these alternate power supplies in a high reliability state. Because of these considerations, a generic analysis must be used with caution in plant-specific applications. However, the generic models can usually provide good "ball park" results for generic applications and perspectives. Clearly the more details available and included in the models regarding design, procedures, alternate power sources, and protection provided from severe weather conditions, the more likely that the generic results will closely equate to plant-specific results.

The development of a more limited number of generic loss-of-offsite power frequency and duration relationships that could be used for regulatory analysis involved the clustering of the site/design factors to determine if combinations of these factors could be grouped into a more limited, but still representative, set. A set of cluster groups was derived from the set of site/design possibilities using the Fastclus procedure of the SAS package (SAS Institute,

[Figure A.9 Estimated frequency of losses of offsite power exceeding specified durations for Indian Point. Horizontal axis: duration (hours). Curves: Indian Point PRA (means and medians) and model range, with and without use of nearby gas turbine generators.]

[Figure A.10 Estimated frequency of losses of offsite power exceeding specified durations for Zion. Horizontal axis: duration (hours). Curves: Zion PRA (means), Zion PRA (medians), model range.]

[Figure A.11 Estimated frequency of losses of offsite power exceeding specified durations for Shoreham. Horizontal axis: duration (hours). Curves: Shoreham PRA, model range.]

[Figure A.12 Estimated frequency of losses of offsite power exceeding specified durations for Millstone 3. Horizontal axis: duration (hours). Curves: Millstone 3 PRA, model range.]

[Figure A.13 Estimated frequency of losses of offsite power exceeding specified durations for Limerick. Horizontal axis: duration (hours). Curves: Limerick PRA, model range.]

1979). To limit the number of cluster groups, the clustering had to be based on loss of offsite power durations of [illegible] to [illegible] hours. Figure A.14 provides a plot of the cluster groups derived from this analysis, and Table A.10 identifies [illegible]. Grid reliability groups were limited to [illegible] to generate the clusters. [illegible] combinations of each of the four factors (GR, I, SR, and SS) included in [illegible] nine cluster groups. For example, a plant with GR1, I1, SR1 and SS2 would be in cluster group 1.

Because design, grid, and weather all play a role in the frequency and duration relationship for each cluster, it is difficult to generalize about the dominant factors affecting loss of offsite power. It is possible to say that the higher frequency at longer duration groups (clusters) are most heavily influenced by weather hazard susceptibility. [illegible] The highest frequency and duration correlation developed in this study ([illegible] cluster [illegible]) [illegible]

REFERENCES

Anders, G. J., P. L. Dandeno, and E. E. Neudorf, "Computation of Frequency of Right-of-Way Losses Due to Tornadoes," Paper 84WM0402, IEEE Winter Power Meeting, Dallas, Texas, January 1984.

Lauby, M. G., et al., "Effects of Pooling Weather Associated MAPP Bulk Transmission Outage Data on Calculated Forced Outage Rates," Paper 84WM0410, presented at IEEE Winter Power Meeting, Dallas, Texas, January 1984.

MAIN Transmission Outage Task Force, "Summary of MAIN Transmission Line Performance for the Year 1982, 345 KV and 765 KV," September 1983.

MAPP Transmission Reliability Task Force, "Mid-Continent Area Power Pool Bulk Transmission System Outage Report (January 1977 - December 1982)," July 1983.

National Oceanic and Atmospheric Administration, Comparative Climatic Data for the United States through 1980, 1980.

[Figure not recoverable; axis label: "Estimated frequency (per site-year)"]

Table A.10 Identification of grid (GR), offsite power system design (I), severe weather (SR), and extremely severe weather (SS) factors included in cluster groups

[Table entries not recoverable.]

Power Authority of the State of New York and Consolidated Edison Company of New York (PASNY), "Indian Point Probabilistic Safety Study," 1982.

SAS Institute, Inc., "SAS Users Guide 1979 Edition," 1979.

Teles, J. E., S. W. Anderson, and G. L. Landgren, "Tornadoes and Transmission Reliability Planning," in Proc. American Power Conference, Vol. 42, 1980.

U.S. Nuclear Regulatory Commission Generic Letter 81-04, "Emergency Procedures and Training for Station Blackout Events," February 25, 1981.

-- , NUREG/CR-2434, H. F. Monty, R. J. Beckman, C. R. McIntear, "FRAC (Failure Rate Analysis Code): A Computer Program for Analysis of Variance of Failure Rates," March 1982.

-- , NUREG/CR-2639, M. J. Changery, "Historical Extreme Winds of the United States - Atlantic and Gulf of Mexico Coastlines," May 1982.

-- , NUREG/CR-2890, M. J. Changery, "Historical Extreme Winds of the United States - Great Lakes and Adjacent Regions," August 1982.

-- , NUREG/CR-3992, R. E. Battle, "Collection and Evaluation of Complete and Partial Losses of Offsite Power at Nuclear Power Plants," February 1985.

Vigansky, H. W., "General Summary of Tornadoes, 1980," in Climatological Data, National Summary, National Oceanic and Atmospheric Administration, Vol. 31, No. 13, 1980.

Wyckoff, H., "Losses of Offsite Power at U.S. Nuclear Power Plants All Years Through 1983," NSAC/80, Electric Power Research Institute, May 1984.

APPENDIX B EMERGENCY AC POWER RELIABILITY AND STATION BLACK 0UT FREQUENCY: MODELING AND ANALYSIS RESULTS i 1 1 NUREG-1032 Appendix B 4

TABLE OF CONTENTS

ELEMENTS OF EMERGENCY AC POWER RELIABILITY MODEL
COMMON CAUSE FAILURE OF THE EMERGENCY AC POWER SYSTEM
EMERGENCY AC POWER RELIABILITY EVALUATION
STATION BLACKOUT FREQUENCY
REFERENCES

LIST OF FIGURES

B.1 Emergency AC power unavailability as a function of individual EDG reliability and common cause failure to start for three emergency AC configurations
B.2 Emergency AC power unavailability as a function of loss-of-offsite power duration and four station blackout durations
B.3 Emergency AC power unavailability as a function of individual EDG reliability and common cause failure to start
B.4 Emergency AC power unavailability as a function of individual diesel generator running reliability
B.5 Emergency AC power unavailability as a function of repair time for independent diesel generator faults
B.6 Estimated range of emergency AC power system reliability for different diesel generator configurations
B.7 Estimated station blackout frequency as a function of blackout duration
B.8 Estimated station blackout frequency as a function of blackout duration for clusters 2, 4, and 7 (for 1/2 EDG configuration)
B.9 Estimated range of station blackout frequency as a function of blackout duration for four offsite power clusters
B.10 Sensitivity of estimated station blackout frequency to diesel generator failure-to-start and failure-to-run values

LIST OF TABLES

B.1 Areas of potential common cause failure
B.2 Emergency diesel generator common cause failures
B.3 Common cause failure rate parameter estimates

In this appendix, the details and results of emergency AC power system reliability analyses and station blackout frequency/duration estimates are provided. The models and analysis results were developed to confirm and extend the findings of a previous study (NUREG/CR-2989) and to be used in regulatory analyses. Modeling has been done at a generic level, but it could be made plant-specific by adjusting failure rate parameters to reflect site location, system design, and operational factors. The term generic, as used here, is meant to imply that the insights derived are generally applicable to a large number of plants. Modeling and component failure rate variations are used to account for plant differences in design and operational features that are most important to system reliability. Sensitivity analyses were used to explore the effect of design and operational differences on system reliability for a realistic spectrum of differences.

ELEMENTS OF EMERGENCY AC POWER RELIABILITY MODEL

The diesel generators--including all the subsystems and the auxiliary systems required to start, load, and run the diesels--are the components that have the highest impact on system reliability. Specifically, the following have been identified as the largest contributors to AC power system availability:

(1) diesel generator configuration
(2) reliability of each diesel generator
(3) vulnerability to common cause failure
(4) support/auxiliary system dependence

In general, the details of the emergency AC power distribution system design from the Class 1E engineered safety feature buses to the safety system components using emergency AC power have not been found to be important contributors to system unreliability. With this in mind, emergency diesel generators, DC power supplies, and service water cooling systems were the principal system elements included in the emergency AC power reliability models. A relatively high level (super component) modeling approach was used that could account for major differences in equipment configuration and support system dependencies while using support system reliability estimates developed in other studies.

Three generic emergency AC power system designs were selected as roughly representing the spectrum of operating nuclear plant systems. These systems are described by the number of diesel generators in the system and the number required to maintain core cooling during a loss of offsite power. These generic systems have been designated 2/3, 1/2, and 1/3, indicating the number of diesel generators required per number available. Some other configurations do exist, but emergency AC power system reliability is generally encompassed and well characterized by the three systems modeled, especially if the variability of failure rates of the major components and auxiliary systems is accounted for. Configurations with a higher degree of redundancy and/or diversity are the exception, not the rule, in current U.S. designs.

The simplified reliability logic models for the generic configurations were developed from fault trees and insights on what factors are important contributors to AC system reliability. The simplified logic models are provided below:

$$R_{EAC1/2} = 1 - P_{EAC1/2} = 1 - \left(P_{EDG}^2 + P_{CCF2/2}\right)$$

$$R_{EAC1/3} = 1 - P_{EAC1/3} = 1 - \left(P_{EDG}^3 + 3 P_{EDG} P_{CCF2/3} + P_{CCF3/3}\right)$$

$$R_{EAC2/3} = 1 - P_{EAC2/3} = 1 - \left(3 P_{EDG}^2 + 3 P_{CCF2/3} + P_{CCF3/3}\right)$$

where $R_{EACi/j}$ is the AC power reliability of an "i" out of "j" diesel generator system, $P_{EACi/j}$ is the probability that "i" out of "j" diesels will fail or be unavailable when required, $P_{EDG}$ is the probability that a single diesel generator will fail or be unavailable when required, and $P_{CCFi/j}$ is the probability that "i" out of "j" diesel generators will fail and be unavailable as a result of common causes when required.

A more complete logic model can be developed using Markov modeling techniques (Husseing, 1982) when failure and repair rates are exponentially distributed in time. However, the simplifications inherent to the models used are in keeping with the approach of accounting for dominant factors affecting system reliability.

Both random independent component failures and common cause or dependent failures are included in the model. Failure mode considerations included hardware faults and human errors for start and run failures, component repair, and component out-of-service time for maintenance. The least detailed level of modeling was at the support systems, which vary considerably in design. These systems have been modeled in detail in several probabilistic risk assessments (PRAs). The reliabilities of the support systems were treated as a super component or undeveloped event in the logic models with a failure rate indicative of results from other studies (NUREG/CR-3226).

Failure to run was treated as a constant failure rate process, and emergency diesel generator repair was treated as a constant repair rate process. With these approximations, the probability that a diesel generator will be unavailable for $\tau_{SB}$ hours during a loss of offsite power lasting $T_{LOP}$ is given by

$$P_{EDG} = P_{FTS}\, e^{-\tau_{SB}/\tau_R} + \int_0^{T_{LOP}-\tau_{SB}} \lambda_{FTR}\, e^{-\lambda_{FTR} t}\, e^{-(t+\tau_{SB})/\tau_R}\, dt$$

where $\tau_R$ is the mean repair time and $\lambda_{FTR}$ is the failure-to-run rate. The failure to start probability, $P_{FTS}$, includes the standby demand failure likelihood of the emergency diesel generator to start and load, plus the unavailability because of scheduled and unscheduled maintenance, and the probability that auxiliary systems will fail or be unavailable (out of service) at the time of the demand. Although the second term of the equation can be integrated easily, the integral is maintained for applications relating to estimating station blackout frequency and duration to follow.
The probability of failure to start, load, and run for a time $\tau_{SB}$ because of common cause failures is developed similarly to that for independent failures. It is given by:

$$P_{EDGCCF} = P_{CCFTS}\, e^{-\tau_{SB}/\tau_{CCFR}} + \int_0^{T_{LOP}-\tau_{SB}} \lambda_{CCFTR}\, e^{-\lambda_{CCFTR} t}\, e^{-(t+\tau_{SB})/\tau_{CCFR}}\, dt$$

Here, $P_{CCFTS}$ represents the common cause failure-to-start probability, $\lambda_{CCFTR}$ represents the common cause failure-to-run rate, and $\tau_{CCFR}$ is the associated repair time constant.

For simplicity, the repair rate for auxiliary systems that are required for successful diesel operation has been assumed to be approximately equal to that of the emergency diesel generator. Double component out-of-service conditions limited by technical specification were eliminated from the final expression through inspection. However, the possibility of such outages occurring as a result of human errors or simultaneous failures was treated as a common cause unavailability contributor. Recall that the unreliability of a two diesel generator system was approximated by

$$P_{EAC1/2} \approx P_{EDG}^2 + P_{CCF2/2}$$


where

$$P_{EDG}^2 = F_1 + F_2 + F_3$$

This approximation can be expanded by setting

$$F_1 = P_{FTS}^2\, e^{-\tau_{SB}/\tau_R}$$

$$F_2 = P_{FTS}\, e^{-\tau_{SB}/\tau_R} \int_0^{T_{LOP}-\tau_{SB}} \lambda_{FTR}\, e^{-\lambda_{FTR} t}\, e^{-(t+\tau_{SB})/\tau_R}\, dt$$

$$F_3 = \int_0^{T_{LOP}-\tau_{SB}} \int_0^{t_1} \lambda_{FTR}^2\, e^{-\lambda_{FTR} t_2}\, e^{-(t_2+\tau_{SB})/\tau_R}\, dt_2\; e^{-\lambda_{FTR} t_1}\, dt_1$$

with

$$P_{CCF2/2} = P_{CCFTS2/2}\, e^{-\tau_{SB}/\tau_{CCFR}} + \int_0^{T_{LOP}-\tau_{SB}} \lambda_{CCFTR2/2}\, e^{-\lambda_{CCFTR2/2} t}\, e^{-(t+\tau_{SB})/\tau_{CCFR}}\, dt$$

and

$$P_{FTS} = Q_{EDG1} + U_{EDG1} + P_{DC1} + P_{SW1}$$

$$P_{CCFTS} = Q_{CCF2/2} + U_{CCF2/2} + P_{DCCCF} + P_{SWCCF}$$

where $Q_{EDG1}$ is the probability of a diesel generator failing on demand, $U_{EDG1}$ is the maintenance unavailability of the diesel generator, $P_{DC1}$ is the probability of DC power supply failure causing a diesel to fail on demand, and $P_{SW1}$ is the probability of a service water system failure causing a diesel generator failure on demand. Terms with subscript CCF represent common cause failure contributions.

The term $(U_{EDG1})^2$ is not allowed. It is accounted for in the term $U_{CCF2/2}$. In a similar manner, the correlations for three diesel generator systems requiring one or two diesels for success can be derived.
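The simplified logic models for the 1/2, 1/3 and 2/3 configurations can be evaluated directly. The Python sketch below is an added example, not code from NUREG-1032: it uses the failure-to-start values, the failure-to-run rate and the 8-hour median repair time quoted in this appendix, assumes the run-failure integrand λ·exp(-λt)·exp(-(t+τ_SB)/τ_R), and takes constructed common cause inputs (ASSUMED_CCF) rather than Table B.3 values. All function and constant names are hypothetical.

```python
"""Added example (not from NUREG-1032): evaluate the simplified emergency AC
logic models for the 2/3, 1/2 and 1/3 diesel generator configurations."""
import math

# Values quoted in this appendix.
PAGE_P_FTS = {"low": 0.005, "average": 0.02, "high": 0.08}  # failure to start, per demand
PAGE_LAMBDA_FTR = 0.0024                                    # failure to run, per hour
# About 50% of failures were repaired within 8 h. For a constant repair rate,
# a median of 8 h corresponds to a mean repair time of 8 / ln 2 hours.
TAU_R = 8.0 / math.log(2.0)

# ASSUMPTION: constructed common cause inputs for illustration only; these are
# NOT the Table B.3 estimates. Each entry: (start probability, run rate per hour).
ASSUMED_CCF = {"2/2": (4e-4, 5e-5), "2/3": (4e-4, 5e-5), "3/3": (1e-4, 1e-5)}


def p_unavailable(p_start, lam_run, tau_repair, t_lop=0.0, tau_sb=0.0):
    """Probability of being unavailable for tau_sb hours during a loss of
    offsite power lasting t_lop hours.

    Term 1: failed to start and not repaired within tau_sb.
    Term 2: closed form of the integral over 0..(t_lop - tau_sb) of
            lam * exp(-lam*t) * exp(-(t + tau_sb)/tau_repair) dt.
    """
    if tau_sb > t_lop:
        raise ValueError("blackout duration cannot exceed loss-of-offsite-power duration")
    not_repaired = math.exp(-tau_sb / tau_repair)
    k = lam_run + 1.0 / tau_repair
    window = t_lop - tau_sb
    run_term = lam_run * not_repaired * (1.0 - math.exp(-k * window)) / k
    return p_start * not_repaired + run_term


def eac_unavailability(config, p_edg, p_ccf):
    """Return (P_EAC, common cause share) for config '1/2', '1/3' or '2/3'.

    p_ccf maps '2/2', '2/3', '3/3' to common cause probabilities. The
    independent part uses the literal power of p_edg from the logic model.
    """
    if config == "1/2":
        indep, ccf = p_edg ** 2, p_ccf["2/2"]
    elif config == "1/3":
        indep, ccf = p_edg ** 3, 3.0 * p_edg * p_ccf["2/3"] + p_ccf["3/3"]
    elif config == "2/3":
        indep, ccf = 3.0 * p_edg ** 2, 3.0 * p_ccf["2/3"] + p_ccf["3/3"]
    else:
        raise ValueError("unknown configuration: %r" % config)
    total = indep + ccf
    return total, ccf / total


def sweep(t_lop=0.0, tau_sb=0.0):
    """Evaluate every configuration at the low/average/high start failure rates."""
    # Common cause repair time is taken equal to TAU_R (assumption).
    p_ccf = {key: p_unavailable(ps, lam, TAU_R, t_lop, tau_sb)
             for key, (ps, lam) in ASSUMED_CCF.items()}
    results = {}
    for level, p_fts in PAGE_P_FTS.items():
        p_edg = p_unavailable(p_fts, PAGE_LAMBDA_FTR, TAU_R, t_lop, tau_sb)
        for config in ("2/3", "1/2", "1/3"):
            results[(level, config)] = eac_unavailability(config, p_edg, p_ccf)
    return results


if __name__ == "__main__":
    for t_lop, tau_sb in ((0.0, 0.0), (8.0, 4.0)):
        print("T_LOP = %g h, tau_SB = %g h" % (t_lop, tau_sb))
        for (level, config), (total, share) in sweep(t_lop, tau_sb).items():
            print("  P_FTS %-7s  %s EDG  P_EAC = %.2e  common cause share = %3.0f%%"
                  % (level, config, total, 100.0 * share))
```

With these inputs the common cause terms dominate the 1/3 configuration at average start reliability, while independent failures dominate once the start failure probability reaches the high value.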

COMMON CAUSE FAILURE OF THE EMERGENCY AC POWER SYSTEM

There has been a concern for years that the reliability of redundant systems may be limited by single point and common causes of failure resulting in simultaneous unavailability of two or more trains. Several techniques for modeling and quantifying the major contributors and their likelihood have been, and continue to be, developed. Some of these techniques are aimed at a qualitative evaluation of common cause failure potential (Rasmuson, 1982), while others are primarily used to estimate common cause failure likelihood (Fleming and Raabe, 1978). Existing techniques have been used in this study to model and quantify common cause failures on a generic level, with sensitivity analyses used to evaluate realistic variations in common cause failure likelihood and the effect on emergency AC power reliability.

Emergency diesel generator operating experience for the years 1976 through 1980 was reviewed and documented in NUREG/CR-2989. Other reviews (EPRI, 1982, and Steverson and Atwood, 1981) also show relevant operating experience and analysis of common cause failures of emergency diesel generators. Based on information from these sources and a limited re-review of common cause candidate licensee event reports (LERs), an updated list and classification of multiple emergency diesel generator failures and outages has been prepared. When enough information exists, the common cause failures can usually be identified as falling into one of four groups: (1) design/hardware, (2) operations/maintenance, (3) support systems/dependencies, and (4) external environment. A further breakdown of this classification scheme is provided in Table B.1. The list of common cause failure candidates taken from LERs is in Table B.2. In NUREG/CR-2989 these were classified somewhat more generally in two broad categories of hardware and human error-related failures. These two categories were then classified more specifically into generic and plant-specific design groups and into generic human error or plant procedure-specific human error.

Common cause failure rates were estimated in NUREG/CR-2989 using the binomial failure rate (BFR) computer code (Atwood and Smith, 1982). The estimated common cause failure rates varied by about an order of magnitude depending on plant design and procedural dependencies. If individual emergency diesel generator

Table B.1 Areas of potential common cause failure

| Common cause failure group | Types of potential failures |
|---|---|
| DESIGN/HARDWARE | Mechanical/structural design inadequacy; Subsystems (fuel, cooling, start, actuation); Environment (normal) |
| OPERATIONS/MAINTENANCE | Inadequate procedures; Errors of omission/commission; Wrong procedure |
| DEPENDENCE/SUPPORT SYSTEMS | DC control power; Service water cooling; EDG room HVAC; Electrical interface |
| EXTERNAL | Fire; Flood; Severe weather; Seismic; Other internal environmental extremes |

Table B.2 Emergency diesel generator (EDG) common cause failures

| Plant (number of EDGs) | Date of event | LER number | Description of event |
|---|---|---|---|
| ANO | 08/27/79, 09/11/79 | 79-016, 79-017 | Water in lube oil failed two EDGs two weeks apart. |
| Arnold | 05/10/77, 05/12/77 | 77-037, 77-043 | Maintenance caused control system failures on both EDGs within two days. |
| Browns Ferry 1, 2 | 05/05/81, 05/06/81 | 81-019, 81-020 | Left bank air start motors failed to start three EDGs. |
| Browns Ferry 3 | 01/03/84 | 84-001 | Clam shell movement on overchlorination failed ESW coolers and three of four EDGs. |
| Brunswick 1, 2 | 01/04/77 | 77-001 | Low lube oil pressure tripped two of four EDGs after starting. |
| Crystal River 3 | 01/04/79 | --- | Low ambient room temperature (28 F) failed both EDGs. |
| Dresden 3 | 10/23/81 | 81-033 | ESW check valve failures caused two of the three EDGs to trip on high temp. |
| Farley 1 | 09/13/77, 09/16/77 | 77-026, 77-027 | Dirty air start circuit failed two EDGs within three days. |
| Farley 1, 2 | 09/18/81, 09/27/81 | 81-043, 81-067 | Scored cylinder linings failed two EDGs nine days apart. |
| Fitzpatrick | 02/07/85 | 85-003 | ESW pump trip failed two EDGs. |
| Millstone 2 | 05/15/77 | 77-020 | Both EDG fuel supply valves found closed. |
| North Anna 2 | 02/18/81 | 81-020 | Batteries failed surveillance test, caused both EDGs to be inoperable. |
| North Anna 2 | 12/09/84 | 84-013 | Damaged cylinders and high crankcase pressure failed both EDGs, caused unit shut down. |
| Peach Bottom | 06/13/77 | 77-026 | Air-start compressor trip caused two EDGs to fail while another unavailable. |
| Quad Cities | 05/01/77 | * | Improper ESW valve lineup degraded three EDGs. |
| Salem 1 | 07/30/77 | 77-059 | Fuel rack lubrication leak and subsequent linkage binding caused failure of two EDG. |
| Salem 1 | 10/08/80 | 80-060 | All three EDGs failed to start because of a misaligned service water valve. Operator disabled service water from train 2 while train 1 was down for maintenance. |
| Sequoyah 1, 2 | 08/09/80 | 80-140 | Operator error caused relay coils to fail on all EDGs. |
| Susquehanna | 01/21/85 | 85-002 | Low ambient room temperature failed two EDGs. |
| Vermont Yankee | 10/22/84 | 84-022 | Failed Zener diodes caused all EDGs to lock out. |
| WPN-2 | 07/09/84 | 84-008 | Slip ring and bearing design weakness caused failure of two EDGs. |
| Yankee Rowe | 08/02/77 | 77-042 | Sludge plugged cooling water radiator tubes, failed two EDGs. |

* Reported in PLG-400.

reliability is maintained at or above industry average levels, common cause failure contributed on the order of one-half the system unavailability for the less redundant configurations and most of the unavailability for the more redundant designs, especially when demand failure rates are low (<0.03). At lower reliability levels, independent diesel generator failures are the major contributor to the unavailability of the onsite AC power system.

A technique that has been used to estimate the likelihood of emergency diesel generator common cause failure is the beta factor method (Fleming, 1975) and its extension known as the multiple Greek letter (MGL) method (Fleming and Kalinowski, 1983). This method was used to estimate common cause failure rates from the updated LER review. Table B.3 provides the MGL parameter estimates and common cause failure rate estimates that were derived by the MGL method. It also compares these estimates with "generic" rates derived in NUREG/CR-2989 using the BFR method. Differences result more from data classification than from analytical method.

EMERGENCY AC POWER RELIABILITY EVALUATION

The reliability estimates for the generic emergency AC power systems were derived for instantaneous availability on demand and mission reliability. (The latter is the likelihood that emergency AC power will be available for a specified mission length, such as the duration of a loss-of-offsite-power event or for the duration of a test.) System reliability analysis parameters were selected to represent the average of the operating reactor population as well as the variations within that population. The population average and ranges for the system reliability analysis parameters are described below.

(1) Emergency Diesel Generator Failure To Start

Based on data reported in NUREG/CR-2989, the failure rate can vary considerably from plant to plant. The following failure rates have been identified:

[Table B.3 Common cause failure rate parameter estimates: handwritten table, values illegible in this copy.]

Probability of failure/demand

Average 0.02
High 0.08
Low 0.005

(2) Emergency Diesel Generator Failure To Run

A constant failure rate of 0.0024 per hour was estimated in NUREG/CR-2989. A range of 0.001 to 0.01 is reasonably representative of other published estimates (EPRI, 1982).

(3) Emergency Diesel Generator Repair Time

Approximately 50% of all diesel generator failures reported in NUREG/CR-2989 were repaired within 8 hours. If two diesel generators failed as a result of independent causes, and operators could diagnose the problems to select the quickest possible repair, in 50% of these cases one of two diesel generators would be repaired in approximately 4 hours. These two cases have been used as representative of the repair rate.

(4) Common Cause Failure

Common cause failure rates were obtained from NUREG/CR-2989 for diesel generator hardware and human error-related causes; however, only failure-to-start estimates were made in that study. Subsequently, the MGL method has been used to estimate generic common cause failure rates for both failure to start and failure to run. Human errors causing a simultaneous out-of-service state for two or more diesel generators were included in estimates of failure to start. The MGL estimates are consistent with the generic estimates made in NUREG/CR-2989.

The common cause failure rates for support systems--such as DC power, service water and component cooling water--were obtained from NUREG/CR-3226.

(5) Common Cause Failure Repair Rates for Components and Subsystems

When the inadvertent removal from service of more than two diesel generators is excluded, the failure mode and repair rates appear similar to those for independent failure causes. In this case, however, the same repair time could be expected for both units. For inadvertent removal from service, repair (or restoration) can be accomplished usually in less than 1 hour and many times even more promptly (within minutes). Repair rates for hardware failure and maintenance outages have been based on median repair times of 2 to 8 hours.

The effect of system reliability parameter variations covering the realistic range was analyzed to determine the sensitivity within the generic models and the variability that is possible in plant-specific cases. The following factors were analyzed to determine the sensitivity of emergency AC power reliability:

(1) emergency AC power system configuration
(2) diesel generator failure to start and to run
(3) diesel generator repair time
(4) common cause failure rate to start and to run
(5) common cause failure repair rate
(6) duration of emergency AC power failure and mission (loss of offsite power) length

The results of the sensitivity analyses are provided in Figures B.1 through B.5. The sensitivity results are generally comparable to those obtained in NUREG/CR-2989 and several PRAs.

Figure B.1 shows that the starting reliability of emergency diesel generators is most important when lower than average diesel generator performance exists or when system configurations represent nominal redundancy (e.g., 2/3 and 1/2).

[Figure B.1 Emergency AC power unavailability as a function of individual EDG reliability and common cause failure to start for three emergency AC configurations. Horizontal axis: individual EDG reliability. Curves: 2 of 3, 1 of 2, and 1 of 3 configurations, each with common cause failure to start at 3x base value, base value, and 1/3x base value. Duration of loss of offsite power is 0 hours; duration of station blackout is 0 hours.]

[Figure B.2 Emergency AC power unavailability as a function of loss-of-offsite power duration for four station blackout durations. Horizontal axis: loss of offsite power duration (hr). Curves: 1 of 2 and 1 of 3 EDG configurations for station blackout durations of 0, 2, 4, and 8 hours.]

Figure B.3 Emergency AC power unavailability as a function of individual EDG reliability and common cause failure to start. [Plot not reproduced; horizontal axis: individual EDG reliability. Curves are shown for the 2 of 3, 1 of 2, and 1 of 3 EDG configurations at 3x base value, base value, and 1/3x base value. Duration of loss of offsite power is 8 hours; duration of station blackout is 4 hours.]

Figure B.4 Emergency AC power unavailability as a function of individual diesel generator running reliability. [Plot not reproduced; horizontal axis: individual diesel generator running reliability. Curves are shown for the 2 of 3, 1 of 2, and 1 of 3 EDG configurations with common cause failure to run at 3x base value, base value, and 1/3x base value. Duration of loss of offsite power is 8 hours; duration of station blackout is 4 hours.]

Figure B.5 Emergency AC power unavailability as a function of repair time for independent diesel generator faults. [Plot not reproduced; horizontal axis: repair time for independent diesel generator faults (hrs). Curves are shown for the 1 of 2 EDG configuration with repair times for common cause faults of 8 hrs, 4 hrs, and 2 hrs. Duration of loss of offsite power is 8 hours; duration of station blackout is 4 hours.]

Common cause failures dominate system failure probability when individual diesel reliability levels are above average or when a higher level of redundancy (e.g., 1/3) is introduced. Also note that for the 1/3 configuration, common cause failure of support systems (e.g., service water, DC power) that are held constant in these analyses constrain the potential unavailability levels that can be achieved through improved diesel generator performance. Figure B.2 shows the effect of mission duration and mission success. For a longer mission time (longer duration of loss of offsite power), the chance of mission success (operation without failure) decreases. But, as the success criterion is eased (the duration of unavailability is less than 2, 4, or 8 hours), the mission reliability improves. There is a factor of four difference in unreliability as system success criteria change from an unavailability of 2 to 8 hours for an 8-hour loss of offsite power. The cases analyzed in Figure B.1 have been reanalyzed in Figure B.3. The latter analysis includes a mission time of 8 hours and an unavailability success criterion of not greater than 4 hours. A similar analysis was performed to evaluate the sensitivity of running reliability (failure-to-run rate), the results of which are shown in Figure B.4. Common cause failure to run is seen as a lesser but not insignificant contributor to system unreliability than the failure-to-start common cause failure. The results are not overly sensitive to repair rates within the ranges identified, as evidenced by results provided in Figure B.5. Within the reliability performance ranges identified, there is potential for significant disparity of emergency AC power system reliability for any of the configurations analyzed. Figure B.6 shows the estimated range of emergency AC power unavailability obtained by using combinations of above and below average reliability performance parameters.

STATION BLACKOUT FREQUENCY

Station blackout has been defined as the loss of all ac power supplies from both offsite and safety-related sources. Also, a station blackout must exist for sufficient time to incur core damage and resultant potential risk. Therefore, station blackout models incorporate duration as a parameter in frequency estimates. Although in some instances it is possible to have a station blackout initiated by failure of, or operational errors associated with, DC control power, this type of event is more rare than the station blackout sequence beginning with loss of offsite power and followed by failure of the safety-related AC power supplies. DC power reliability is the subject of another generic safety issue, designated A-30, "Adequacy of Safety-Related DC Power Supplies."

Station blackout frequency estimates can be made by combining the loss-of-offsite power models developed in Appendix A with the emergency AC power reliability models of this appendix. Recall that the loss-of-offsite power frequency and duration correlation derived in Appendix A was a two parameter Weibull function of the form

λLOP(t) = λLOP

where λLOP, α, and β are constants that can be derived for a specific combination of site location and design features. Subscripts have been dropped for convenience.

The frequency of a station blackout is derived by combining the loss-of-offsite power duration (repair) frequency with the rate of emergency AC power system failures of duration τSB over the time period of interest for which a loss of offsite and emergency AC power can occur. This is the same general approach that has been taken in other studies (Evans and Parry, 1983; PASNY, 1982) to estimate the frequency of total losses of offsite and emergency AC power for risk analysis. For the 1/2 emergency diesel generator configuration, the equation for the frequency of a station blackout lasting τSB or longer can be written as

                                                                                                                               . 1 I

5 R

                                              ^ 581/2 (ISB)
  • ALOP(ISB)PhTS.
                                                                          ~I
                                              *ALOP (ISB) PCCFTS2/2 eS            CCFR I

LOP . ISB

                                              +2P FTS               A top (t+TSB)AFTR                              dt 0


l A

                                                                -          t T                                     2 ISBAFTR e FTR2e'(1 ~11+ISBft dt rtLOP       ISB  I LOP                                                                 R
              +2 J0                 Jt 1                                                                                                i ALOP (ty) AFTR e         TR11 dt y
                   *        ~I r LOP         SB                                                                                                        I
              +                   A                                    A               I LOP (t+ISB)ACCFTR                    CCFTRe".(t+I e      SB   CCFR dt'

In a similar manner, the station blackout frequency equations for three diesel generator systems requiring one or two diesels for success can be derived.

Analyses have been performed to estimate station blackout frequencies and durations to study the sensitivity of these estimates to uncertainty in certain dominant factors. As a starting point, each loss of offsite power cluster correlation from Appendix A was combined with the emergency AC power system reliability models using nominal parameter values for emergency diesel failure to start and run, repair, and common cause failure rates. Then the estimated frequency of a station blackout lasting from 0 to 16 hours or longer was calculated. The results for the 2/3, 1/2, and 1/3 diesel generator configurations are shown in Figure B.7. This figure shows that wide variations in station blackout frequency are possible depending on diesel generator configuration and reliability, plant offsite power system design, grid reliability, and susceptibility to severe weather hazards. As a sensitivity, two modified cluster correlations were developed with higher than nominal grid unreliability; they were combined with the 1/2 emergency AC power configuration model and produce the results in Figure B.8.

Several analyses were performed to demonstrate the sensitivity of station blackout frequency estimates to variations in emergency diesel generator failure rate for both independent and common cause failures. Figure B.9 shows the effect of above average and below average failure rate estimates for the 1/2 configuration and several representative loss-of-offsite power frequency correlations. The 1/3 configuration has been similarly analyzed, and the results are provided in Figure B.10.

Figure B.7 Estimated station blackout frequency as a function of blackout duration. [Plot not reproduced; horizontal axis: station blackout duration (hrs). Curves are shown by offsite power cluster for the 1 of 2, 2 of 3, and 1 of 3 DG configurations.]

Figure B.8 Estimated station blackout frequency as a function of blackout duration for clusters 2, 4, and 7 (for 1/2 EDG configuration). [Plot not reproduced; horizontal axis: duration (hrs).]

Figure B.9 Estimated range of station blackout frequency as a function of blackout duration for four offsite power clusters. [Plot not reproduced; horizontal axis: duration of station blackout (hours). Ranges are shown for the 1 of 2 diesel generator configuration with diesel generator reliability parameters at 3x base, base value, and 1/3x base.]

[Figure B.10 Sensitivity of estimated station blackout frequency to diesel generator failure-to-start and failure-to-run values. Horizontal axis: station blackout duration (hrs). Curves are labeled by (offsite power cluster, multiplier for DG values).]

REFERENCES

Atwood, C. L., and W. J. Smith, "User's Guide to BFR, a Computer Code Based on the Binomial Failure Rate Common-Cause Model," EG&G Idaho Inc., EGG-FA-5502, July 1982.

Electric Power Research Institute (EPRI), "Diesel Generator Reliability at Nuclear Power Plants: Data and Preliminary Analysis," EPRI NP-2433, June 1982.

Evans, M. G. K., and G. W. Parry, "Quantification of the Contribution to Light Water Reactor Core Melt Frequency of Loss of Offsite Power," in Reliability Engineering, 6:43-45, 1983.

Fleming, K. N., "A Reliability Model for Redundant Safety Systems," in Proceedings on the Sixth Annual Pittsburgh Conference on Modeling and Simulation, April 24, 1975.

Fleming, K. N. and A. M. Kalinowski, "An Extension of the Beta Factor Method to Systems with High Levels of Redundancy," Pickard, Lowe and Garrick, Inc., PLG-0289, June 1983.

Fleming, K. N. and P. H. Raabe, "A Comparison of Three Methods for Quantitative Analysis of Common Cause Failures," U.S. Department of Energy Report GA-A-14568, General Atomic Company, National Technical Information Service, May 1978.

Husseing, A. A., et al., "Unavailability of Redundant Diesel Generators in Nuclear Power Plants," in Reliability Engineering, 3:109-169, 1982.

Power Authority of the State of New York and Consolidated Edison Company of New York (PASNY), "Indian Point Probabilistic Safety Study," 1982.

Rasmuson, D. M., et al., "Use of COMCAN III in System Design and Reliability Analysis," EG&G Idaho, Inc., EGG-2187, October 1982.

Steverson, J. A., and C. L. Atwood, "Common Cause Failure Rate Estimates for Diesel Generators in Nuclear Power Plants," EG&G Idaho, Inc. EGG-M-00681, National Technical Information Service, September 1981.

U.S. Nuclear Regulatory Commission, NUREG/CR-2989, R. E. Battle and D. J. Campbell, "Reliability of Emergency AC Power Systems at Nuclear Power Plants," July 1983.

--, NUREG/CR-3226, A. M. Kolaczkowski and A. C. Payne, Jr., "Station Blackout Accident Analyses (Part of NRC Task Action Plan A-44)," May 1983.

APPENDIX C

STATION BLACKOUT CORE DAMAGE LIKELIHOOD AND RISK

TABLE OF CONTENTS

STATION BLACKOUT CORE DAMAGE LIKELIHOOD
STATION BLACKOUT RISK
REFERENCES

LIST OF FIGURES

Figure C.1 Station blackout risk perspective for different containments

LIST OF TABLES

Table C.1 Summary of potentially dominant core damage accident sequences
Table C.2 Decay heat removal failure probability for loss of core cooling early during station blackout
Table C.3 Estimated frequency of early core cooling failure during station blackout, per reactor year
Table C.4 Tabulated estimated values of total core damage frequency for station blackout accidents as a function of emergency diesel generator configuration, EDG unreliability, offsite power cluster, and ability to cope with station blackout
Table C.5 Comparison of results with NUREG/CR-3226


This appendix provides a description of the simplified method used to estimate station blackout core damage likelihood, and risks from station blackout transients. The models and results are generic in nature and intended for use in regulatory analyses. The station blackout frequency estimation models described in Appendix B of this report were integrated into sequences involving failure of decay heat removal systems with AC power unavailable, thus allowing the estimation of the frequency of core damage as a result of station blackout events. When core damage proceeds to core melt and containment failure, fission products may be released to the environs, causing risk to public health and safety.

The likelihood of station blackout transients involving core damage and the dominant accident sequences have been identified by Kolaczkowski and Payne in NUREG/CR-3226, using event tree and fault tree analyses of several typical plant designs. However, the variability of station blackout frequency and duration was not evaluated systematically as part of that work. In this appendix, the station blackout models have been combined with the decay heat removal and core cooling failure sequences to obtain a more complete evaluation of the sensitivity of station blackout core damage likelihood and risk estimates to variations in plant design.

STATION BLACKOUT CORE DAMAGE LIKELIHOOD

The dominant station blackout sequences are provided in Table C.1. Both pressurized water reactors (PWRs) and boiling water reactors (BWRs) have sequences that involve early core cooling failure (essentially on demand) and time-dependent failures related to capacity, capability, and transient phenomenological conditions associated with a loss of all AC power. For the dominant accident sequences, the core damage times have been characterized as falling into two groups: (1) a core damage time of 1 to 2 hours for the early core cooling failure types of sequences, or (2) core damage in the 2 to 16 hour range for the sequences involving capability and capacity limitations causing loss of core cooling during extended blackouts. Sequences involving longer duration blackouts than these have not been found to be nearly as important.

Table C.1 Summary of potentially dominant core damage accident sequences

Generic plant type     Sequence   DHR system/component contributors          AC recovery time to
                                                                             avoid core damage, hr

PWR (all)              TML1B1     Steam-driven AFWS unavailable              1 to 2
                       TML2B2     DC power or condensate exhausted           4 to 16
                       TMQ2B2     RCS pump seal leak                         4 to 16

BWR w/isolation        TMU1B1     Isolation condenser unavailable            1 to 2
condenser              TMQ1B1     Stuck open relief valve                    1 to 2
                       TMQ2B2     RCS pump seal leak                         4 to 16

BWR w/HPCS-RCIC        TMU1B1     HPCS/RCIC unavailable                      1 to 2
                       TMU2B2     DC power or condensate exhausted,          4 to 16
                                  component operability limits
                                  exceeded (HPCI/RCIC)

BWR w/HPCS-RCIC        TMU1B1     HPCS/RCIC unavailable                      1 to 2
                       TMU2B2     HPCS unavailable, DC power or              4 to 16
                                  condensate exhausted, component
                                  operability limits exceeded (RCIC)

Notes:
DHR = decay heat removal
AFWS = auxiliary feedwater system
RCS = reactor coolant system
HPCI = high pressure coolant injection
RCIC = reactor core isolation cooling
HPCS = high pressure core spray

Thermal hydraulic analyses have been performed to determine event timing for both types of sequences (Fletcher, 1982; Schultz and Wagoner, 1981). In general, it has been estimated that it will take between 1 and 2 hours to uncover the reactor core following a station blackout and loss of all core cooling, and perhaps another 1 to 2 hours for the reactor core to melt and penetrate the reactor vessel after the core is uncovered. If decay heat removal is initially successful during station blackout and then is lost several hours into the transient because of design limitations, the time to core uncovery and melt will be somewhat extended as a result of lower primary coolant temperatures and reduced decay heat levels.

The dominant accident sequences were modeled as either an early core cooling failure or as a subsequent loss of core cooling. In the former case, the likelihood of the accident sequence is given by the probability of a station blackout combined with the probability of failure to maintain adequate core cooling or decay heat removal by AC-independent means long enough to cause core damage. For PWRs and most BWR-2 and -3 plants that do not have a makeup capability independent of AC power, there are two paths to inadequate core cooling early during station blackout. The first involves failure of the turbine-driven train of the auxiliary feedwater system in PWRs or failure of the isolation condenser in the BWR-2 and -3 plants.
Because neither of these reactor types has a makeup capability independent of AC power, the core will be uncovered early by a major loss of reactor coolant system (RCS) integrity such as a stuck open relief valve or gross failure of reactor coolant pump seals, either of which could result in leak rates upwards of several hundred gpm. BWRs with reactor core isolation cooling (RCIC) systems, steam turbine-driven high pressure coolant injection (HPCI) systems, or high pressure core spray (HPCS) systems with a dedicated diesel generator can cool the reactor core and have the potential to make up losses of coolant equal to or greater than those identified above.

The latter type of sequence was modeled as the likelihood of a station blackout of a duration sufficient to exceed core cooling systems capabilities and allow core damage to occur. If decay heat removal is initially successful, if reactor coolant leakage rates do not exceed makeup capability, and if primary coolant inventory requirements are met, operators should be able to establish a relatively stable decay heat removal mode. However, decay heat removal capability during longer blackouts may be limited by the capacity of support systems such as DC power or compressed air, by reactor coolant leakage when makeup is unavailable or insufficient, or by thermal limitations on component operability as a result of the loss of heating, ventilation, and air conditioning systems.

In light of the above discussion, the general form of the core damage accident likelihood equation considering both early phase and longer term decay heat removal failure is as follows:

$$P_{SBCD} = P_{SB}(t_1)\,\left(P_{DHR/SB} + P_{LOCA/SB}\right) + P_{SB}(t_2) \tag{1}$$

where $P_{SBCD}$ is the probability of core damage due to station blackout, $P_{SB}(t_1)$ is the probability of a station blackout of duration $t_1$, and $t_1$ is a time sufficient for core damage to occur if all decay heat removal capability is lost at the onset of a station blackout. $P_{DHR/SB}$ is the probability of decay heat removal failure on demand given station blackout. $P_{LOCA/SB}$ is the probability of a station-blackout-induced loss of reactor coolant integrity that would cause an early core cooling loss. $P_{SB}(t_2)$ is the probability of a station blackout of duration $t_2$, where $t_2$ is a time sufficient for core damage to occur because decay heat removal capability limits are exceeded during an extended duration station blackout.
In terms of the notation used to describe the dominant accident sequences for the various types of light water reactors (LWRs) identified in Table C.1, the equation can be written as follows:

for PWRs:

$$P_{SBCD} = TMB_1\,(L_1 + Q_1) + TMB_2 \tag{2}$$

for BWR 2/3s:

$$P_{SBCD} = TMB_1\,(U_1 + Q_1) + TMB_2 \tag{3}$$

for BWR 4/5/6s:

$$P_{SBCD} = TMB_1\,U_1 + TMB_2 \tag{4}$$

The probabilities for $(L_2 + Q_2)$, $(U_2 + Q_2)$, and $U_2$ have been set equal to 1.0, because the time of $B_2$ was selected to represent loss of decay heat removal capability as a result of design limitations. The probability contribution to $Q_1$ from reactor coolant pump seals degradation during station blackout is not well known. Based on material reviewed in NUREG/CR-3226, the impact of reactor coolant pump seal leakage was assumed to represent a potential limit on the $TMB_2$ type of sequences.

The $TMB_1$ portion of equations 2, 3 and 4 above can be estimated from the first term failure-to-start portion of the station blackout equations in Appendix B. The $TMB_2$ term of these equations can be estimated from the complete station blackout equations in Appendix B. Probability estimates for $L_1$, $U_1$ and $Q_1$ were derived from NUREG/CR-3226 and are summarized in Table C.2.

Estimated values of the early loss of core cooling term of equations 2, 3, and 4 are provided in Table C.3. This table shows the sensitivity of the estimated frequency of early core cooling failure during station blackout to loss-of-offsite power characteristics (clusters 1 through 5), emergency AC power unreliability (EDGR) (i.e., failures per demand) and decay heat removal unreliability (DHR). The second term estimates of equations 2, 3, and 4 are the same as the station blackout frequency and duration assessments provided previously, given that $t_2$ is defined. Because the capability limitations vary from plant to plant, so will $t_2$. Some example estimates for the total core damage frequencies given capacity limitations which equate to station blackout durations of 2, 4, 8, and 16 hours are provided in Table C.4. These estimates include the early core cooling failure frequencies from Table C.3.

The results in Tables C.3 and C.4 show that the frequency and duration probabilities of offsite power failures, emergency AC power configuration, and

Table C.2 Decay heat removal failure probability for loss of core cooling early during station blackout

System/train/component                  Probability of failure

Auxiliary feedwater systems
  1 steam turbine-driven train          0.04
  2 steam turbine-driven trains         0.002
Isolation condenser                     0.01
Stuck-open SRV (BWR)                    0.025
HPCI/RCIC                               0.005
HPCS/RCIC                               0.001
[Table C.3 Estimated frequency of early core cooling failure during station blackout, per reactor year. Columns: offsite power clusters 1 through 5. Rows: EDGR and DHR values, grouped by emergency diesel generator configuration. The numerical entries are not legible in this copy.]

[Table C.4 Tabulated estimated values of total core damage frequency for station blackout accidents as a function of emergency diesel generator configuration, EDG unreliability, offsite power cluster, and ability to cope with station blackout. The numerical entries are not legible in this copy.]

g _ a:g - 4 CfC Vt L6C 6GG r_gE =- o E2-E - - - EE E c t Q.$f. 6Et - cGo t 5G.gq 3 1 F. 7. 5- 5~ A 93 S. 5. 3 563 - . . nDt 4 g b fsS49

                               - - - -                       ?,           - - 3                   g- c- c_ 77 E
                                                                                                                                                = E -

529 yuE cf n ,t y g..3 r.Q 1 6, -f ~} 3 eani

a. eel 79- y 4

t 44 . u ol

                             $.                                                                                                                 6 3g g 6 r-c,                                . E t       s          8 g. EsE          - -

g f qf1 , qsii r

   =

lj? es. g

0. *A.

eatb r aa o y tg3

9. 3. 1 3s f sr g3l t ud

_ engn (n > f g ei a d

                                                                             $                                    _6 C                                         EA adf min ,
                   .                                                                                                 - -                                                    acor
                              ' ' S -S* C                                   . E'E-6                                EE                                         V f-         d cce EE-                        S           0 S- 5S              06                                                           a      t 3'                                                         $. 6 . S.                                             if 5       G35.l3-               e      ) s
  /

i _ fCS1 4sA 0. s s - E p5 f d

                                                                                - -              EEs
                                                                                                               -         3
                                                                                                                             .                        EE15 rtGu ouDl coEc
                                                                                                                                                           .E-E 3           -                                                                                                       E e                                                     t i1-                            I     4
                                                                                                                           -                          I8                        k(
3. t. -G61- 1 2 { S. .

C E E- 9. fi. C 2t g . S l c aare r S2Ett e. I l I

0. *l t
4. s.

3t Q . t. tl ow tI Qt obt oap S0 9 c. l9 t nr y . f oee r I 1 oi n t c t 5C6  !- fl- t ei* sagst v t 3 S- - - - $ E E E- 6 (-

                                                                                                                                                                ~           et          f u z,

e a EE CEE$ EE uslf o fS 531 5 t3 9 53 02 / 4SGS.f5-l ars eok

                                                                                                                                                                                           ,c   .

O t g a r At s I E EEt - -

                                   > ~

E 0 EE C.22 1

                                                             )h
                                                               - -       D
                                                                          - ~ -

9 D 41 - EIE-s - - 7f 0 7 EEE$ o-Q

                                                                                                                                                                   -        d voe e) fi)l dRb G

a c e .

                                . . i.1f9              0        s .

6 61 <

f. - f9 t r yD n 5.%f 5-E c fb2c - A9 - - 2-E EE - - = aacE o F EE g7 = EE-35 E
                                                                                               =  l 9                      '

1 E E men (i ye t

e. L .

Qt [ t . 1 E L. I. t. k

                                                                                                                                          .                    9. D.

3n i t - gya s 1 4 3 6 srrtt l_ l o e o ei s G br A: L G f t, D t ml t 4 E dceih

    &t u

o R+ 5 E 56 E 5d 5 b- _ ea t ef ai aroiw bt p r. r o E E5- 52E 4S 5 E E-5 EE l urnee l D d e e e t+590

                               - - 222 45          e   32                  5
                                                                                                    - E-             1 $.

l4

                                                                                                                       -                        4~5OE.
                                                                                                                                                  -             l1 beorp a pi no o                    265- -

Ec S1 1 9f 5E 1 - - E E E- ~ T(t uc E j l 03.g6 5 I 3- - . . . 61 - d. D8,63 . - - r 5g pee

                                                             %K 9-47     -            %f                 - .
                                                                                                                    'E E                        13 FEE                        4 o                                        g3                               2E                                                                               33 l                                          .

ts 55 6. 1 C l

                                           .                                   t4                                    3S                                         3+

l e b A 5 a 5s- S5

                                                                                - -                                 S--

5 T ee LE Ea  : r tS L1 I 4 t+5E03 fV4 5Sl

                                               . .              94               -  -              +t5                          .                   - -
                                - - - 53                         - -                                              - 91                             EEE2I
                     .        EEe-                              ect - -                             tee                        -                  3IF-               -

i

              'd              8 $t. 1 s- .C                     4 <a      96G                       62n t1          i                                - .      .l   ;

t _. - . . - - . - . - - 3I 4 $s r'-

                              %2s te                            1l         CEE  gf EE S. t.

Is

                                                                                  . .               3 s c' 3. f                  -
                                                                                                                                                                  .A 4- g 9l                     ,

J2 lf - 4 - iI hc\ )f 9 pAU'l 4 l bllyg g i ; +N2Vf ft l )2 0Q' i { l

l _36' 4 S R. f. 5 E$ 67 :.. S9Z e E j$ 5f_ D. d.

9. 3 g. 7- Y
p. ec-c 8

t f 4 E+ Q(

                                                                                                                          . S s g e-5
                                                                                                                                        ;1 r

g 9 2's'p G (. qf t 2 - 44 e _f - _ (. 35cE 66 2 1 g

                                                                                                                                                                              /4          t i y9 y       e_

g y s.

                                                                                        , o. 9 4 s. 3                                   3$9 T 9        1
                                                         .                                                                               5s                                               /.

9 h

                                        '                               l        ;.'                            ,l                                                    r"       q-                 ,i
                                                                                                                                                                                              $C                              -

S 56 5 S - cG t5- - - - G 5- EE nDt SE EE E E6- - yuE 9- -33E/. tn cf 95S.-

                                - - - 33 4548                          l
                                                                                                        -                          1 fSlcA f.f Q                 -

n eani e EE - E- E 1_

                                                                                      - -l l
                                                                                                       -           ,IE E~24        f            -                             E- e            ;-L                       u        o d                             qsii 1        t 8 0 -6K-                                            d f            I t                                                                     -

B. rs. i 1- 5. gs. 3, t.2E r [A eatb

t. 4. s E- E0
8. 4t E l
                                                                                                                          .                     g                             1                                         r        a 9 3 u t.

_T I. 6 - 1 1 9f 9 f. Ek 4 L sI 3 - f sr engn t ud gei a

                                                                           -ll'                                                                                .l l
                                                                                                                                                                                                              -         adf min aco
                                                                                                                                                                                                               .       dcc e
                                                                                                                                                       .                                                       .              a

_ . e ) _ j _ . _ _ rtG u d . _ ouDl o

                                                                                         .                                                                                                                      ,       coE c i       _                                                                                                                                                                                                    .

k( r _ . _ , l c c . aar e 9-55 55 5, 5- 5_ tl o w S w - C-6 .- S-C-E t obt oa E 8 EE 0 nr e E 3 2, S 5 0 5

                                                                        'l 9- ~55.3                                                '/ S 0. A. L                             f oe e

_

  • oint

_ o _ _5 e e/

                                          +- -1. 4 S E e e_9_
                                                                            -                    s 9
                                                                                                  -      -             E6E 1                                                 E e-
3. I~-t_ t ei sag s t

_ f A  : et _ _ i _5 0 5B

                             .                    4                              s. 3. c 6                                                                                                       d                      usl f
9. 3$ s - 3.

9 _ / n - . S12 - J

                                                                                                          -            4.

3 6 6. G 1

                                                                                                                                                   -                           f l          e 2

e6 ars _ 9- a 5 fl - _ (

         - e
         .ts                  _8                                                                 o 0                                     E1                         .
                                                                                                                                                                           ;                s Eu                         voe
f. S e 7. A S 2

_ t 9 fi )l o._ 3 1 d _ u n.

u. 5. g R .. d t.1 31 y

O o 1 c e) t ryD _ c aac E u - = = men (

                                                                                                                                                                        -s
           -.u                                                                                                                                                             or m                                                                                                                                                                                                                    iye i.c

_ a _ a t - g d( o d srr t C d F

              . ew o

m_ E D e p e eoe i dce i t m _.c _ ea t ef

                                                                                              ..E ss
            . a                                    3S-                                         _
                                                                                                  - 5
                                                                                               . s E-                                    S- 5_                                 .

S s

                                                                                                                                                                                                     -       -           l aro i urn
                           ._3
    %              r.                                                                                                                                                                             E e s2                                                                                     E-                                  _

S.n 4 't $. 8 4 s

                                                                           'I + 1 s.32               S,                                                                          9 5                                     beo a pi n 4               e                                     3                   -

I 38.o. T(t u 9 r o E e2t4r 9- .

                                                                   ' 3s3s6  E4- -                                       45~taA Es                        /.                              e al1 G eo ~-
                          , 13l 5L                                                                          -

L. ). a. g L .

                                                                                                                                                                                     .8 5

1 C 9 - l5eE 423- 36 3d-4 - 4

 . #,                                              e e-                                           1S                                        e        r-                                              Ee                  C u                                             S. 3      -
                                                                                                 $ s.                                      p                                                      7. e                      e 9 4                                                                                     5. s.e                                                 4 e.                   l b
                                                                                                                                                           .                                                                a T

5 53 C S- - s f-E 2 S-te 5 e E- e 39'3 E9 V'- 2 9 9 t'

                                                                                                                           -            ~4
s. o f4 5Es f.
                                &e6I               7.1     -

3eEC.9 E a, r - - E~e3 G - aeF31 Y s c $. t f- )

9. s- F i s3 L l
                                                                                . 3is-
                                                                                            -              t 73.S     9          e-  4e                                 4
                                                                                                                                                                                       /KS-s-a2                                             e c
n. g s e t1 . 9. t p4 54- 1 .

9 t. s . l o

                   'sU K                    4 8C                     ~

4ef i QV4t b - l

                                                                                                                                                                  ,              '            4      !L l

reliability of the diesels are the most important factors in limiting the likelihood of core damage. These results also show that the likelihood of significant core damage may exist at some plants if the capability to cope with station blackout of modest durations (2 to 8 hours) does not exist. Moreover, the results show that the demand reliability of AC-independent decay heat removal system is important, but it is not the most dominant factor in limiting the likelihood of core damage for station blackout.

The point estimates obtained from NUREG/CR-3226 and a comparable p analyzed in this study are shown in Table C.5. The differences in results primarily result from lower loss of offsite power frequencies supported by most recent evaluations of the data (see Appendix A).

The results provided up to this time represent point estimates of probability per year or, more properly, frequency. The effect on the mean probability estimates of using log-normal distributions to represent basic event probabilities, calculated medians, and uncertainty ranges was shown in NUREG/CR-3 . The sequence mean estimates derived in that document were typically 3 larger than the point estimates, and the upper and lower bounds were within a factor of 5 to 20 of the median estimates. The large difference between point estimates and means can be attributed to the use of a log normal distribution.

The potential effect of operator error causing loss of decay heat removal has not been found to be a large contributor, if adequate training and procedures exist. Another consideration that has not been found to be a significant factor is the difference in time to core uncovery on loss of all decay heat removal

STATION BLACKOUT RISK

The potential risk associated with station blackout accidents by extending the core damage probabilistic results through to accident consequence estimates. The potential for terminating core damage before core melt and coping with core melt prior to containment failure is currently a matter of extensive research and evaluation. In most probabilistic risk assessments (PRAs), the probability of core damage has been equated with core melt. Acknowledging

NUREG-1032 C-15

Table C.5 Comparison of results with NUREG/CR-3226

                                        Core damage frequency (per reactor year)
Plant type and sequence                 NUREG/CR-3226       NUREG-1032

PWR with one steam-driven AFW train
  TML2B2                                5 x 10 5            3 x 10 5
  TMB 2 (L2 + Q2)                       2 x 10 5            4 x 10 5

BWR with isolation cooling
  TH(U 2 + Q2)B                         5 x 10 5            3 x 10 8
  TMQ2B 2                               2 x 10.s            4 x 10 6

BWR with HPCI/RCIC
  TMU2B3                                2 x 10 8            6 x 10 7
  TMU22 B                               2 x 10 5            4 x 10.s

BWR with HPCS/RCIC
  TM0181                                5 x 10 7            3 x 10 7
  TMU22 B                               1 x 10.e            2 x 10 8

Note: All B 2 sequences except the BWR with HPCS/RCIC are assumed to result in loss of core cooling and decay heat removal in 6 hours from the start of station blackout for the NUREG-1032 results. Core damage frequencies in this table (NUREG-1032 column) are based on offsite power cluster, 1/2 diesel generator configuration and 0.975 diesel generator reliability.

that this is a possible conservative assumption, to estimate risk in these PRAs, containment failure modes and probabilities are applied as if the core has melted. This type of approach was taken to develop a risk perspective on station blackout. However, the potential for accident management and revised consequence estimates emanating from current research are also considered.

The risk of a station blackout accident can be estimated by the product of the core damage frequency and consequence of the accident. Figure C.1 shows the sensitivity of station blackout accident risks to containment type and effectiveness. Risks are highest in sequences in which core damage occurs after a station blackout and then proceeds to core melt and containment failure without actuation of containment sprays (PWR, BWR Mark III) or when suppression pool scrubbing is ineffective (BWR Mark I, II, III). With the actuation of containment sprays before containment failure (if AC power is restored after core melt), risks are reduced noticeably for plants with limited capability of coping with station blackout (less than 8 hours). With effective fission product scrubbing by BWR suppression pools, risks are even further reduced.

However, suppression pool bypass or less effective scrubbing could cause less apparent risk reduction than indicated here.

REFERENCES

Fletcher, C. D., "A Revised Summary of PWR Loss-of-Offsite-Power Calculations," EG&G Idaho, Inc., EGG-CAAD-5553, September 1981.

Schultz, R. R. and S. R. Wagoner, "The Station Blackout Transient at Browns Ferry Unit One Plant, A Severe Accident Sequence Analysis," EG&G Idaho, Inc., EGG-NTAP-6002, September 1982.

U. S. Nuclear Regulatory Commission, NUREG/CR-3226, A. M. Kolaczkowski and A. C. Payne, Jr., "Station Blackout Accident Analyses (Part of NRC Task Action Plan A-44)," May 1983.

[Figure C.1 Station blackout risk perspective for different containments. Curves: no sprays with AC recovery; sprays actuated on AC recovery; suppression pool scrubbing; scrubbing and sprays. Horizontal axis: Capability of Coping with Station Blackout (hrs), 0 to 24.]

ENCLOSURE 5

Significant Changes to the USI A-44 Package

Federal Register Notice

A discussion of public comments on the proposed rule and responses were added to the supplementary information section. The backfit analysis was revised to be a stand-alone document without the need to refer to other references in the discussion of the nine factors in the backfit rule (10 CFR 50.109).

Station Blackout Rule

(§50.2) The definition of station blackout was clarified to exclude the loss of ac power from station batteries through inverters.

(§50.63 (c)) The station blackout rule no longer requires licensees to determine the maximum duration for which the plant as currently designed can cope with a station blackout, but only a specified acceptable duration.

(§50.63 (c) (iv)) The implementation schedule was modified to require licensees to submit, within 9 months after the final rule, a proposed schedule for implementing hardware modifications.

Station Blackout Regulatory Guide

(Section C.1.2) This section was clarified to indicate that the maximum failure rate applies to each diesel generator (rather than to the average for all diesel generators at the nuclear plant).

(Section C.3.1) The guidance to determine an acceptable station blackout duration was modified to reflect updated analyses performed for NUREG-1032. Table 1 was modified to allow a duration of 2, as well as 4 or 8 hours, where the 2-hour duration would be acceptable only for the few plants having the most redundancy in the onsite emergency ac power system coincident with the best offsite power characteristics. Table 2 was modified to add a separate group for plants with 2-out-of-4 and 2-out-of-5 diesel generator configuration. Table 3 was revised to include a third offsite power group, and the definitions of the groups were modified. Tables 4 through 7 were added to provide clearer definitions of the site and switchyard characteristics needed to specify the offsite power groups in Table 3. The equation to estimate the frequency of losses of offsite power due to severe weather in Table 5 was modified. Figures 1 through 3 were added for clarification of different switchyard designs specified in Table 4.

(Section C.3.2) This section was revised to delete guidance related to determining the maximum duration that a plant could cope with a station blackout. Section C.3.1 contains guidance to determine an acceptable coping duration.

(Section C.3.2.5) This paragraph was clarified to provide guidance on the use of separate onsite power sources for coping with a station blackout.

NUREG-1109, Regulatory/Backfit Analysis

(Section 3.1) The text and tables in this section were revised to correspond to the revisions to the station blackout rule and regulatory guide.

(Section 3.4) A discussion of the NUMARC initiatives to resolve the station blackout issue was added.

(Section 4.1.1, Risk Reduction Estimates) The risk reduction estimates were updated to include estimates for 100 operating reactors (the draft NUREG-1109 estimates were done for 67 reactors) and to take into account the effect of revised source terms on consequences from severe accidents. A figure was added to show estimates of core damage frequencies for plants before and after the station blackout rule.

(Section 4.1.1, Cost Estimates) The cost estimates were updated to include estimates for 100 reactors. Also, estimates per reactor for various modifications and activities were revised based on additional work done in response to public comments.

(Section 4.1.1, Value-Impact Ratio) This section was revised to reflect the updated estimates for costs and benefits discussed previously.

(Section 4.1.1, Special Considerations) This section was revised and expanded to include discussions on trends in diesel generator reliability and sabotage.

(Section 4.1.4) This section was added to present an estimate of the effect the NUMARC initiatives could have on the value-impact analysis for the resolution of USI A-44.

(Section 4.2) The discussion of impacts on other requirements and related generic issues was updated to reflect the current status of these issues.

(Section 4.3) This section was updated to include a discussion of the backfit rule.

(Section 5) A discussion of the Commission's safety goals was added to this section. A summary of NUREG/CR-4347 was added to this section, and the summary of NUREG-1032 was revised to reflect the final version of that report.

(Section 6) The implementation section was revised to reflect the schedule in the final rule.

(Appendix A) This appendix was added to discuss the 9 items in the backfit rule.

(Appendix B) This appendix was added to provide worksheets and supplementary information for the cost estimates in Section 4.1 of the report.

NUREG-1032

The analyses in this report were revised to reflect recent data on losses of offsite power and to respond to public comments. Updated data on diesel generator reliability as well as losses of offsite power were included in the reanalysis. The re-clustering of plants into offsite power groups (Section 3 and Appendix A) is reflected in revisions to the station blackout regulatory guide. Tables, figures and text throughout the report have been updated to reflect the revised analyses.

April 10, 1987

Docket Nos.: 50-361 and 50-362

MEMORANDUM FOR: Harry Rood, Senior Project Manager
PWR Project Directorate No. 7
Division of PWR Licensing-B

FROM: Dennis M. Crutchfield, Assistant Director
Division of PWR Licensing-B

SUBJECT: GENERIC LETTER 83-37, SOUTHERN CALIFORNIA EDISON, ITEMS II.B.1 and II.F.2 (TAC NOS. 49.463, 54737, AND 54737)

The enclosure contains the current status of Generic Letter 83-37, Items II.B.1 (Reactor Coolant System Vents), and II.F.2 (Instrumentation for Detection of Inadequate Core Cooling) for San Onofre Nuclear Generating Station, Units 2 and 3. This work was done by INEL under conformance to Multiplant Action B-83.

Dennis M. Crutchfield, Assistant Director
Division of PWR Licensing-B

Enclosure: As stated

cc: R. Scholl, D. Vassallo, V. Benaroya

Distribution: Docket Files, F. Allenspach

CONTACT: F. Allenspach, FOB/DPLB 49-24921


San Onofre Nuclear Generating Station, Units 2 and 3 Generic Letter 83-37 Items II.B.1 and II.F.2

1. DISCUSSION AND EVALUATION

The licensee was requested to provide Technical Specifications for several different systems. Each of these proposals is discussed and evaluated in an individual subsection below:

2.1 Reactor Coolant System Vents (II.B.1)

The Generic Letter contains the following statement:

"At least one reactor coolant system vent path (consisting of at least two valves in series which are powered from emergency buses) shall be operable and closed at all times (except for cold shutdown and refueling) at each of the following locations:
a. Reactor Vessel Head
b. Pressurizer steam space
c. Reactor coolant system high point

"A typical Technical Specification for reactor coolant system vents is provided in Enclosure 3. For the plants using a power operated relief valve (PORV) as a reactor coolant system vent, the block valve is not required to be closed if the PORV is operable."

Evaluation: The licensee responded in the April 27, 1984, submittal by proposing Technical Specification 3/4.4.10, Amendment Application No. 26 to Operating License NPF-10 for San Onofre Nuclear Generating Station (SONGS) Unit 2 and Amendment Application No. 12 to Operating License NPF-15 for SONGS Unit 3. In this submittal, Attachments A (SONGS Unit 2) and B (SONGS Unit 3) differ only by valve designations between the two plants.

At least two valves are required to be connected in series for a reactor vessel head vent path and a pressurizer steam space vent path. This deviates from the guidance in Generic Letter 83-37 in that no vent path was specified for an additional reactor coolant system high point vent. However, the NRC staff accepted this San Onofre design in Supplement 1 to the Safety Evaluation Report (SER).

Although the proposed reactor vessel head vent path and pressurizer steam space vent path each have at least two valves in series, one series valve in each path has a third valve installed in parallel with it. At least one of the two parallel valves in each path is powered from an emergency bus. This complies with the Generic Letter 83-37 requirement that at least two valves be connected in series in each vent path, each powered from an emergency bus, provided the valve that is not on emergency power fails closed on loss of power, as indicated on the figure in Attachment C to the SCE submittal.

San Onofre lacks vent path redundancy contrary to the Generic Letter Guidance. SCE's design choice has one of the series valves in each path common to both paths. Inoperability in one path immediately leads to inoperability in the other path. This is because the common series valve must be closed with power removed to meet the action guidance given in Generic Letter 83-37. SCE's Actions a and b recognize this as they require both vent paths to be closed with a single valve inoperability. Because single valve inoperability effectively requires the entire system to be isolated, i.e., vent paths closed, with power removed from the valve actuators of all the valves, redundancy of vent paths is lost. This loss of redundancy deviates from the intent of Generic Letter 83-37. However, the NRC staff previously accepted this San Onofre design in Supplement 1 to the SER.

All three Actions, a, b, and c, proposed by SCE deviate from the recommendations given in Enclosure 3 to Generic Letter 83-37 as follows:

1. In SCE's Actions a.iii) and b.iii), continued operation is proposed until the next cold shutdown. Although these Actions were intended for single valve inoperability, for the San Onofre design, single valve inoperability actually leads to both paths becoming inoperable. This deviates from the Generic Letter guidance. This guidance states that when more than one vent path is inoperable, 72 hours continued operation is permitted, followed by hot standby in the next 6 hours and cold shutdown in the next 30 hours.

SCE's argument for their proposed action time erroneously compares it to the Generic Letter guidance of 30 days operation, which is for one inoperable vent path. As cited above, SCE's choice of multiple interdependent paths and choice of action requirements results in immediate loss of both paths when one path becomes inoperable. Regardless of which Generic Letter guidance the operation time is being compared to, i.e., either one or more than one inoperable vent path, SCE's proposed continued operation until the next cold shutdown permits potentially prolonged periods of operation without the availability of a reactor coolant gas vent system.

Another SCE justification for their action time is that the reactor coolant gas vent system is not required for plant cooldown or for mitigating any design basis accident and that inadvertent operation or failure of a closed, deenergized vent valve would be within the capacity of the charging system. This justification is inadequate as it does not recognize that the Generic Letter 83-37 guidance was written with these conditions already assumed (see NUREG-0737, P.II.B.1-2 Items A(1) and A(4)).

2. SCE's Action c allowing an exception to 3.0.4 for entry into Modes 3, 2, and 1 also deviates from the Generic Letter guidance.

SCE's argument that the cold shutdown mode would be required for most repairs and that the exception would, therefore, allow them to return to power while complying with the Action is not an adequate justification. SCE's argument that the vent system is not required for cooldown or mitigation of any design basis accident is inadequate as noted in Item 1 above. SCE's argument that vent system failure resulting in inadvertent opening of a valve while complying with the Action would only constitute excess RCS leakage, which is addressed by Specification 3/4.4.4.5.1, is also inadequate. Leakage, in itself, is not the primary concern. The primary concern is the inoperability of the vent valves. The time required for potential repairs in the cold shutdown mode, while a consideration, cannot by itself be the safety basis for an action time. Again, the remaining items in SCE's argument are conditions that were generally assumed in NUREG-0737, from which the guidance in Generic Letter 83-37 was developed. The clear intent of Generic Letter 83-37 is to disallow progression to higher power modes when the vent system is partially inoperable, and have any partial inoperability corrected within the times specified or follow the actions leading to cold shutdown.

In Action A, both SCE's Attachments A and B erroneously list valve HV0296A twice. The word "probability" is misspelled in the basis section.

SCE's proposed Applicability and Surveillance Requirements were reviewed and found to be consistent with the Generic Letter 83-37 requirements.

As a result of the review of the material cited, the licensee needs to submit additional information to justify how the San Onofre proposed Technical Specifications meet the Generic Letter (Item II.B.1) guidance or submit revised specifications that meet the requirements.

2.2 Instrumentation for Detection of Inadequate Core Cooling (II.F.2)

The Generic Letter contains the following statement:

"Subcooling margin monitors, core exit thermocouple, and a reactor coolant inventory tracking system (e.g., differential-pressure measurement system designed by Westinghouse, Heated Junction Thermocouple System designed by Combustion Engineering, etc.) may be used to provide indication of the approach to, existence of, and recovery from inadequate core cooling (ICC). These instrumentation should be operable during Power Operation, Startup, and Hot Shutdown mode of operation for each reactor.

"Subcooling margin monitors should have already been included in the present Technical Specifications. Technical Specifications for core exit thermocouple and the reactor coolant inventory tracking system should be included with other accident monitoring instrumentation in the present Technical Specifications. Four core-exit thermocouple in each core quadrant and two channels in the reactor coolant tracking system are required to be operable when the reactor is operating in any of the above mentioned modes. Minimum of two core-exit thermocouple in each quadrant and one channel in the reactor coolant tracking system should be operable at all times when the reactor is operating in any of the above mentioned modes. Typical acceptable LCO and surveillance requirements for accident monitoring instrumentation are provided in Enclosure 3."

Evaluation: The licensee responded in the April 19, 1985, and July 1, 1985, submittals by proposing a Technical Specification, Section 3/4.3.3.6, which added a Heated Junction Thermocouple (HJTC) System Reactor Vessel Level Monitoring System (RVLMS), Amendment Application No. 31 to Facility Operating License NPF-10 and Amendment Application No. 17 to Facility Operating License NPF-15 for SONGS Units 2 and 3 respectively.

A comparison of the licensee's response for the RVLMS to Generic Letter 83-37 indicates that only the Actions deviate from the guidance. SCE permits continued operation (after 7 days operation with one less than the required number of channels or after 48 hours operation with one less than the minimum number of channels) provided a Special Report is submitted to the Commission pursuant to Specification 6.9.2 within 30 days following the event and outlining the cause of the inoperability and plans and schedule for restoring the system to operable status. Generic Letter 83-37 recommends going into the hot shutdown mode if repairs cannot be made after the 7-day or 48-hour period. Although deviating from the Generic Letter guidance, SCE's Actions for the inoperability of the HJTC and clarification of operability (four or more sensors operable, one sensor in the upper head and three sensors in the lower head) are consistent with the NRC Staff's approval of the Combustion Engineering Owners Group proposed Technical Specifications for the HJTC system.

For the subcooled margin meter, SCE's specifications, Section 3/4.3.3.6, comply with the guidance in the Generic Letter in all aspects (Limiting Conditions for Operations, Applicability, Actions and Surveillance Requirements).

SCE's specifications for the core-exit thermocouple (TC) exceed the requirements of the guidance for "required number of channels" (seven TCs in the core quadrant versus the guidance of four TCs in the core quadrant), and for "minimum channels operable" (four TCs in the core quadrant versus the guidance of two TCs in the core quadrant). In all other aspects, SCE's specifications for core-exit thermocouple comply with the Generic Letter guidance.

As a result of the review of the cited material, the licensee's response for Technical Specifications for Item II.F.2, inadequate core cooling instrumentation, is judged to meet the requirements of the Generic Letter (as approved by the NRC staff for the Combustion Engineering Owners Group generic Technical Specification).

HARMON & WEISS
2001 S STREET, N.W., SUITE 430
WASHINGTON, D.C. 20009

GAIL McGREEVY HARMON
ELLYN M. WEISS
DIANE CURRAN
DEAN R. YOUSLEY
ANDREA C. FERSTER

October 20, 1987

Director
Division of Rules and Records
Office of Administration
U. S. Nuclear Regulatory Commission
Washington, D.C. 20555

RE: Freedom of Information Act Request

Dear Sir/Madam,

Pursuant to the federal Freedom of Information Act, I hereby request the following on behalf of the Union of Concerned Scientists:

1. All cost-benefit or value-impact analyses done since September, 1985 in connection with the consideration by NRC staff of generic or site-specific backfits.

2. Any and all lists, compilations or other identifications of potential generic or site-specific backfits under consideration by the NRC staff at any time since September, 1985.

3. Any and all memoranda or other documents since September 1985, from the Committee to Review Generic Requirements ("CRGR") containing requests or direction to the NRC staff to perform, modify or reconsider value-impact or cost-benefit analyses regarding any potential generic or site-specific backfit.

4. Any and all documents containing guidance, criteria or examples used by the NRC in deciding which generic or site-specific backfits are appropriate for cost-benefit analyses under the backfit rule and which are not so appropriate.

Please call me if you have any questions regarding this request.

Very truly yours,

Ellyn N. Weiss
HARMON & WEISS
2001 S Street, N.W.
Suite 430
Washington, D.C. 20009

General Counsel
Union of Concerned Scientists

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D. C. 20555

15 AUG 686

MEMORANDUM FOR: James H. Sniezek, Director
Regional Operations and Generic Requirements Staff

FROM: Denwood F. Ross, Acting Director
Office of Nuclear Regulatory Research

SUBJECT: RESPONSE TO CRGR COMMENTS CONCERNING "REVISION OF THE ECCS RULE CONTAINED IN APPENDIX K AND SECTION 50.46 OF 10 CFR PART 50" (CRGR MEETING NO. 913/23/86)

This memorandum responds to CRGR's request of July 23, 1986 that the Office of Research address three items pertaining to the proposed rule presented in the Commission Paper "Revision of the ECCS Rule contained in Appendix K and Section 50.46 of 10 CFR Part 50." This response has been coordinated with NRR. In addition, telephone conversations have been held with OGC. The items addressed are as follows:

1. Concerning the elimination of the Dougall-Rohsenow correlation as an acceptable feature of Appendix K:
a. Why is it appropriate to allow plants to continue operation if we are stating that the correlation is non-conservative over certain regions?
b. What will happen to plants using the Dougall-Rohsenow correlation if we indicate that it is non-conservative and delete it from Appendix K?

2. Are the reporting requirements of the proposed rule appropriate?
a. Should every error be reported?
b. Does the staff really want to impose a 60-day response requirement on itself?

3. The Director of the Office of Research must determine whether the proposed rule would result in any decrease in plant safety and result in substantial cost savings for the industry.

With respect to the first item, RES and NRR staff have met to consider four options related to the elimination of the Dougall-Rohsenow correlation as an acceptable Appendix K feature. These options (Enclosure A) have been enclosed for CRGR discussion. Practical considerations led to agreement on the second option which permits existing Evaluation Models (EMS) to be "grandfathered" and removes the Dougall-Rohsenow correlation as a generally acceptable Appendix K feature. It is our judgement that current ECCS EMS are sufficiently conservative on the whole to permit continued use of the Dougall-Rohsenow correlation in existing EMS. For future modifications to EMS, including error corrections, the impact of continued acceptability of the Dougall-Rohsenow correlation based on the overall conservatism of the evaluation model will be considered. If a new evaluation model is submitted, such as an EMS modified because of errors or model revisions, or a new computer code, the applicability of the Dougall-Rohsenow correlation would have to be addressed. This approach permits phase out of the inappropriate use of this correlation while minimizing the impact to the licensee.

For the present however, this option would leave an inconsistency in the rule. Section I.C.5a of Appendix K to Part 50 states that post-CHF heat transfer correlations shall be compared to data and that such comparisons "shall demonstrate that the correlation predicts values of heat transfer coefficient equal to or less than the mean value of the applicable experimental heat transfer data throughout the range of parameters for which the correlation is to be used." By allowing existing EMS to be grandfathered, there is a high probability that EMS using the Dougall-Rohsenow correlation do not meet the criteria of Section I.C.5.a. Enclosure B shows that the Dougall-Rohsenow significantly overpredicts heat transfer over a wide region. Because of this, RES would be more comfortable if an estimate of the degree of non-conservatism were obtained for each of the EMS which use the Dougall-Rohsenow correlation. However, the cost of such analyses would be large, and we agree that we know reasonably well that currently approved EMS are sufficiently conservative.

With respect to the second item identified by CRGR, both RES and NRR believe that the proposed reporting requirements are an improvement over the existing rule implementation which requires the licensee to immediately report and correct all errors, even though they may be very minor. Although NRR wants to be informed immediately of all errors, they would like to allow flexibility in how quickly these errors are to be corrected. This is consistent with the wording of the proposed rule. On the other hand, RES believes that all errors should be noted and submitted to the agency on a regular basis. Immediate reporting of minor errors (less than 50°F effect on calculated peak cladding temperature and not exceeding 50.46b criteria) would not be a requirement. A comparison of the current rule reporting requirements to those of the proposed rule (including possible RES options) is provided in Enclosure C. With respect to CRGR's item 2(b), the sixty day response requirement on NRC staff pertains solely to NRC approval of the licensee's schedule subsequent to its submittal and is therefore not excessively burdensome.

Lastly, based on my review of the proposed rule and its regulatory analysis, it is my determination that the proposed rule would not result in any decrease in plant safety because the conservative safety limits of section 50.46(b) would not be reduced. However, the CRGR should be aware of the fact that the use of realistic calculational methods, as permitted under the proposed rule, may allow licensees to operate their plants closer to the limits of 50.46(b) than their current operational practice. Although this may not be considered a decrease in plant safety, it does represent a reduction in the margin introduced by the currently acceptable, yet overly conservative, calculational methods. On balance, using more realism should produce some safety benefits, albeit nonquantifiable.

I have also determined that the proposed rule would result in substantial cost savings for the industry. On the average it is estimated that a plant able to upgrade total power by 5% as a result of the proposed rule would experience lifetime energy replacement cost savings having a present value of between $70 to $100 million dollars. It is expected that most Westinghouse plants could benefit from the rule revision. It is estimated that 3-4 staff years will be required to review the generically based realistic evaluation models that might be submitted by vendors. Future staff resources will be adequate for this purpose.

If you require any additional information prior to our next meeting concerning this issue, please contact Mr. Jose N. Reyes on 443-7890.

Denwood F. Ross, Acting Director
Office of Nuclear Regulatory Research

Enclosures:

A. NRR Dougall-Rohsenow Options
B. Comparison of Dougall-Rohsenow to Experimental Data.
C. Comparison of Current and Proposed Rule Reporting Requirements.

ENCLOSURE A

NRR OPTIONS PERTAINING TO USE OF THE DOUGALL-ROHSENOW CORRELATION

OPTION 1

Retain the Dougall-Rohsenow as a generally acceptable correlation in Section I.C.5 of Appendix K.

OPTION 2

"Grandfather" existing Evaluation Models. Delete the use of the Dougall-Rohsenow correlation in Section I.C.5 of Appendix K. For future modifications to existing evaluation models including error corrections consider the impact of continued acceptability of the Dougall-Rohsenow correlation based upon the overall conservatism of the model. If a new evaluation model were submitted, such as a new computer code, the applicability of the Dougall-Rohsenow correlation would have to be addressed.

OPTION 3

Grandfather existing evaluation models. Delete the use of Dougall-Rohsenow as a generally acceptable correlation in Appendix K. For future evaluation models require licensees to demonstrate the acceptability of post-CHF correlation.

OPTION 4

Remove Dougall-Rohsenow from existing and future evaluation models. Use of Dougall-Rohsenow would have to be justified for every evaluation model.

[Enclosure B figure: comparison of Dougall-Rohsenow to experimental data. Plot not recoverable from the scan.]

[Enclosure C table: comparison of current and proposed rule reporting requirements. Table not recoverable from the scan.]}}

S E L R L G E O E N D R D A D P R E 0 H P C ll\! 1}}