ML20315A117

From kanterella
Jump to navigation Jump to search

DAEC-LIC504-Immediate-Determination-11-02
ML20315A117
Person / Time
Site: Duane Arnold NextEra Energy icon.png
Issue date: 12/25/2020
From: Matthew Leech, Alexander Schwab, Sunil Weerakkody, Antonios Zoulis
NRC/NRR/DRA
To: Mike Franovich
NRC/NRR/DRA
Sunil Weerakkody
References
Download: ML20315A117 (8)
v  d  e


Text

November 25, 2020 MEMORANDUM TO:

Michael X. Franovich, Director Division of Risk Assessment Office of Nuclear Reactor Regulation FROM:

Sunil Weerakkody, Senior Level Advisor

/RA/

Division of Risk Assessment Office of Nuclear Reactor Regulation Antonios Zoulis, Chief

/RA/

PRA Oversight Branch Division of Risk Assessment Office of Nuclear Reactor Regulation Matthew Leech, Reliability & Risk Analyst

/RA/

PRA Oversight Branch Division of Risk Assessment Office of Nuclear Reactor Regulation Alexander Schwab, Reliability & Risk Analyst /RA/

PRA Licensing Branch A Division of Risk Assessment Office of Nuclear Reactor Regulation

SUBJECT:

DETERMINATION OF THE NEED FOR PROMPT REGULATORY ACTIONS IN RESPONSE TO INSIGHTS GLEANED FROM DUANE ARNOLD NUCLEAR POWER PLANT I.

PURPOSE The purpose of this memo is to document the staffs initial assessment and recommendations based on potential generic aspects of a severe weather event that occurred at the Duane Arnold nuclear power plant (NPP). To guide its assessment, the staff used Office of Nuclear Reactor Regulations (NRR) Office Instruction LIC-504 entitled Integrated Risk-Informed Decision-Making Process for Emergent Issues, Revision 5.

II.

SUMMARY

OF EVENT:

On August 10, 2020, severe thunderstorms and high winds associated with a derecho caused a grid perturbation that resulted in an automatic start of both emergency diesel generators (EDGs) at the Duane Arnold NPP operated by Duane Arnold Energy Center (DAEC). EDGs did not CONTACT: Sunil Weerakkody, NRR/DRA 301-415-2870 immediately load on to their respective safety buses because offsite power remained available.

However, approximately 14 minutes later, a loss of offsite power (LOOP) occurred that resulted in a reactor trip. The output breakers for both EDGs automatically closed to reenergize the safety buses. The licensee declared an Unusual Event. All control rods successfully inserted.

Reactor inventory control was maintained by reactor core isolation cooling (RCIC) and the safety relief valves were used to remove decay heat to the torus. In summary, immediately after the event all safety systems responded as expected.

About 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> after the LOOP, the emergency service water (ESW) system that provides cooling water to the EDGs demonstrated signs of degradation in that the differential pressure across the strainers in both ESW trains began increasing. The high winds had resulted in increased debris loads to the ESW system, which caused clogging of the train B strainer and subsequent decrease of ESW flow. Operators successfully bypassed the train B strainer.

Therefore, EDG B did not experience any degradation. Operators restored offsite power to the safety buses approximately 25 hours2.893519e-4 days <br />0.00694 hours <br />4.133598e-5 weeks <br />9.5125e-6 months <br /> after the LOOP occurred.

In addition to the degradation of ESW described above, the derecho caused a small breach in the secondary containment rendering it inoperable but functional. The high winds resulted in minor damage to reactor, turbine, and FLEX buildings, along with more severe damage to the non-safety-related cooling towers thus demonstrating a derechos potential to introduce wide-spread damage to systems, components, and structures that are not protected from sustained high winds.

III.

BACKGROUND:

NRR Office Instruction LIC-504 enables NRR to conclude whether NRR must take regulatory actions in response to emerging issues using principles of risk-informed decision making.

Preliminary analysis performed by Region III senior reactor analyst in support of MD 8.3, NRC Incidence Investigation Program demonstrated that the event occurred at DAEC was risk significant. Preliminary analysis performed by the Office of Research (RES) in support of the Accident Sequence Precursor (ASP) program also showed the risk from the event as a potential significant precursor. Consequently, NRR concluded that it is appropriate to perform a LIC-504 analysis to determine whether the NRR Office Director should consider imposing additional regulatory actions using insights gained from DAEC derecho event and to evaluate any generic implications or vulnerabilities identified from the event.

The first step of LIC-504 instructs the staff to determine whether the NRR Office Director should consider taking prompt regulatory actions beyond those taken by U.S. Nuclear Regulatory Commissions (NRCs) regional office at the plant in which it occurred. We did not evaluate this issue because DAEC is maintaining Duane Arnold NPP in a shutdown status and informed NRC that it has no plans to restart. LIC-504 also instructs staff to evaluate whether NRR Office Director should consider taking prompt regulatory actions such as orders or interim compensatory measures for other NPPs based on insights gleaned from the event that occurred at DAEC. The discussions below are focused on that task.

IV.

EVALUATION CRITERIA:

We used three attributes delineated in LIC-504 to determine whether prompt regulatory actions such as issuing orders to shut down or establish interim compensatory measures are warranted based on insights gleaned to-date from the event that occurred at DAEC. Specifically, we examined the following:

A. Risk impact:

Does the risk impact as determined by the conditional core damage frequency (CCDF)

(i.e., increase in CDF because of the issue) or the conditional large early release frequency (CLERF) (i.e., increase in LERF because of the issue) exceed thresholds that require consideration of prompt regulatory actions such as orders or interim compensatory measures to other facilities?

B. Defense-in-Depth:

Does the DAEC event disclose significant degradation of defense-in-depth of sufficient significance to warrant the issuance of prompt regulatory actions such as orders or interim compensatory measures to other facilities?

C. Safety Margins:

Does the DAEC event disclose a significant loss of plant-wide safety margin that contributes to a facility-wide safety impact of sufficient significance to issue prompt regulatory actions such as orders or interim compensatory measures to other facilities?

V.

SUMMARY

OF EVALUATION A. Risk Impact We examined whether the risk impact is high enough to warrant prompt regulatory actions by using LIC-504 risk metrics below:

i.

Is the CCDF greater than 1x10-3/year?

ii.

Is the CLERF greater than or on the order of 1x10-4/year?

In order to assess the risk, we identified seven nuclear plants that may have elevated risk than on average for weather related LOOPs and may have potential for weather induced service water clogging. Specifically, we selected single unit sites that do not have dedicated alternate AC source such as a station blackout (SBO) diesel which could mitigate the risk from such events. Because the objective of this initial analysis is to determine whether CCDF exceeds 1x10-3/year for the given event or issue (i.e., a weather event causing both a LOOP and service water clogging issues), we used several simplifying conservatisms to expedite this analysis; we did not credit FLEX strategies, we assumed that offsite power could not be recovered after the event for a minimum of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />, and to account for the challenge that DAEC faced when their ESW strainers clogged, our analysis adjusted the common-cause failure probability of a plants' service water strainers failing to 0.11 1 We used Accident Sequence Precursor database to investigate whether there have been any past events in which LOOPs coincidental with partial or full ESW have occurred. There were no events. Using Bayesian type evaluation, the frequency of such an event assuming a 1/2 failure in approximately 5000 reactor years is about 1x 10-4/year. Since the SBO frequency is ~ 5x10-3/year, 0.1 (>1x10-4/5x10-3 ~.02) is a conservative upper bound.

Summary of results for the seven NPPs are provided in Table 1.

Table 1: Summary of CCDF and CLERF for reference plants High-Level Characteristics CCDF (No credit for FLEX, no Offsite Power (OSP) recovery, Common Cause Failure (CCF) of loss of SW is 0.1)2 CLERF (no credit for FLEX, no OSP recovery, CCF of loss of SW is 0.1)

Plant 1 Westinghouse PWR 4.9E-4/year N/A Plant 2 PWR Combustion Engineering 4.8E-5/year N/A Plant 3 BWR4 with Mark 1 Containment 2.0E-6/year 2.0E-6/year Plant 4 Westinghouse PWR 2.3E-5/year N/A Plant 5 Westinghouse PWR 4.5E-4/year N/A Plant 6 BWR6 with Mark 3 Containment 2.2E-4/year 4.5E-5/year Plant 7 BWR4 with Mark 1 Containment 5.4E-6/year 5.4E-6/year Table 1 shows that even when bounding conservative estimates are made the CCDF of all seven plants have CCDFs below 1x10-3/year.

The CLERF values provided in Table 1 were computed using guidance in IMC 0609, Appendix H, Containment Integrity Significance Determination Process. The guidance in Appendix H does not evaluate Pressurized Water Reactor (PWR) containments for LERF for SBO sequences because it considers the contribution from LERF in those events to be much lower than the contribution from CDF. Because most of the accident sequences relating to weather related LOOP are SBO sequences, those sequences for a PWR would be late sequences and would not contribute to LERF. In those cases, N/A was used in Table 1. In summary, as noted in Table 1, DRA staff concluded that for both PWRs and BWRs, CLERF values are less that 1x10-4/year.

As a result of the derecho, the secondary containment at DAEC also incurred small damage (0.75-inch cut), rendering it inoperable but functional. The possibility of debris damage to the secondary containment cannot be accurately modelled using simplified plant analysis risk models, so that is not reflected in the values in Table 1. However, for several reasons, the staff concludes that potential small damage to secondary containment during the derecho at DAEC does not alter our recommendation with respect to CLERF. Specifically:

At DAEC, the secondary containment remained functional.

For Mark I containments Appendix H already assumes a LERF factor (ratio between LERF and CDF) of 1.0.

2 Estimate constitutes upper bounds.

For Mark III containments, the LERF factor is approximately 0.5 but contains conservatisms.

B. Defense-in-Depth For LIC-504 purposes, we assumed that facilities have defense-in-depth and examine whether the issue or event identifies significant degradation of defense-in-depth. To issue shutdown orders or interim compensatory measures, staff must demonstrate with relatively high certainty that operation of such plants poses undue risk to public. During a LIC-504 evaluation, staff must determine whether defense-in-depth was degraded and whether multiple barriers (fuel, containment, emergency response) are moderately to significantly impacted. We also examined whether functional redundancy or diversity is significantly compromised or a vulnerability to single failures is significantly increased.

The event that occurred at DAEC demonstrated that during a severe storm-induced LOOP event there is some likelihood of loss of ultimate heat sink and potential to contribute some (albeit, not significant) degradation to other key safety functions such as containment performance albeit to small degree because NPPs are already protected for these types of natural phenomena.

We further examined the dominant cutsets of each of the seven NPPs to glean additional insights on defense-in-depth. Based on that examination, we determined that each plant possessed defense-in-depth to maintain fission product barriers with one or more of the following:

Availability of RCIC system Availability of High-Pressure Coolant Injection (HPCI) System Availability of Turbine Driven Feedwater system Availability of a FLEX diesel that provides motive power to an injection system and power to control systems Availability of reactor coolant pump shutdown seals or alternate systems that minimizes loss of coolant during an SBO Ability to depressurize in combination with low power injection systems that do not rely on emergency diesels or offsite power Emergency procedures and operator training to maintain key safety functions and restore offsite power Based on the above, we do not recommend that the Office Director of NRR pursues immediate regulatory actions such as issuing shutdown orders or interim compensatory measures to US operating plants based on insights gleaned from the DAEC event based on defense-in-depth.

C. Safety Margin Section 2.1.2 of Regulatory Guide (RG) 1.174 provides an NRC interpretation of safety margins.

According to RG 1.174, with sufficient safety margins, (1) the codes and standards or their alternatives approved for use by the NRC are met, and (2) safety analysis acceptance criteria in the licensing basis (e.g., supporting analyses for the final safety analysis report) are met. When requesting amendments to licenses, a licensee may propose changes to provide sufficient margins to account for uncertainty in the analysis and data.

LIC-504 notes that the definition of safety margin in RG 1.174 should be applied to treatment of emerging issues with due consideration to the difference of purpose of LIC-504 compared to the purpose of license amendment requests. Appendix E of LIC-504 emphasizes factors that must be considered in drawing conclusions with respect to safety margins. These include:

1. Failure points - How close did parameters reach the failure point?
2. Cliff-edge effects - Could a small deviation in a parameter lead to abrupt failure?
3. Plant-wide impacts, as reflected by safety margin of core damage sequences.

For example, in determining whether a prompt regulatory action should be taken, LIC-504 instructs the analysts to consider the plantwide safety margin as reflected in the safety margin of core damage sequences. That is, significant degradation of the safety margin of a single component should not automatically lead one to conclude that an order should be issued to shut down a plant. Appendix E to LIC-504 goes on to state that if the PRA model accurately captures the degraded conditions effect on the failure probabilities, as opposed to using conservative assumptions (assuming that the component failed with a probability of 1.0 due to the degradation), then the model may be used effectively to evaluate the plantwide impact on safety margins resulting from the emerging issue.

Consideration of failure points:

Because offsite power was lost, availability of ESW became instrumental to maintain certain key safety functions. Both trains of ESW trains began degrading. However, the debris loading did not cause the ESW trains to reach its failure points. The flow in ESW train B was reaching its suction strainer high differential pressure alarm setpoint. However, required operator action (establishing bypass flow) maintained adequate system flow. With respect to failure points, another noteworthy consideration is the fact that the ESW systems are designed to support greater heat loads for accident conditions (e.g., LOOP\\LOCA scenarios) whereas the event under consideration for the purposes of the LIC-504 analysis is for LOOP scenarios.

Consideration of plant-wide safety margins as reflected by core damage sequences:

LIC-504, unlike RG 1.174, instructs staff to consider plant-wide safety margins in determining whether there was a significant degradation in safety margins. (To some extent, this analysis equates to examining defense-in-depth with a primary focus on fuel as the barrier). To that extent, staff examined the dominant cutsets generated for the seven analyzed plants. As pointed out under the discussion in defense-in-depth, each of the plants had at least one system that could reduce the likelihood of a core damage in the event of loss of ESW (e.g., RCIC, HPCI, Turbine driven Aux Feedwater). In addition, each of the seven NPPs assessed have additional diesels and mitigation strategies in response to orders issued by NRC after the Fukushima accident. Ability to bypass ESW strainers and recover offsite power are other defenses that were not quantitatively credited in calculating CCDFs for the seven NPPs.

Therefore, staff concluded that degree of degradation of safety margins does not justify issuance prompt regulatory actions based on safety margins.

VI.

CONCLUSION Based on the analysis of risk impact (as represented by CCDF, CLERF), defense-in-depth, and safety-margins, DRA staff does not recommend that Office Director of NRR pursue prompt regulatory actions such as issuing shutdown orders or interim compensatory measures to US operating plants. The staff is continuing its assessment of these issues during the second phase of the LIC-504 assessment. In the event we learn information that prompts us to change our conclusion, we will immediately inform you of that information.

SUBJECT:

DETERMINATION OF THE NEED FOR PROMPT REGULATORY ACTIONS IN RESPONSE TO INSIGHTS GLEANED FROM DUANE ARNOLD NUCLEAR POWER PLANT DATED: 11/25/2020 DISTRIBUTION:

NON-PUBLIC ADAMS Accession No.: ML20315A117 NRR-106 OFFICE NRR/DRA/APLA NRR/DRA/APOB NRR/DRA NRR/DRA/APOB: BC NRR/DRA: D NAME ASchwab*

MLeech*

SWeerakkody* AZoulis*

MFranovich*

DATE 11/17/2020 11/17/2020 11/25/2020 11/17/2020 11/30/2020 OFFICIAL AGENCY RECORD

Retrieved from "https://kanterella.com/w/index.php?title=ML20315A117&oldid=3829973"