BVY-95-114, Provides Addl Info Re GL 88-20, IPE for Severe Accident Vulnerabilities 10CFR50.54(f)

ML20094E051
Person / Time
Site: Vermont Yankee
Issue date: 10/27/1995
From: Duffy J
VERMONT YANKEE NUCLEAR POWER CORP.
To:
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
BVY-95-114, GL-88-20, NUDOCS 9511070040


Text

VERMONT YANKEE NUCLEAR POWER CORPORATION

Ferry Road, Brattleboro, VT 05301-7002

REPLY TO: ENGINEERING OFFICE, 580 MAIN STREET, BOLTON, MA 01740

(508) 77H711

October 27, 1995

BVY 95-114

United States Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, DC 20555

References:

a. License No. DPR-28 (Docket No. 50-271)
b. Generic Letter 88-20, "Individual Plant Examination for Severe Accident Vulnerabilities - 10CFR50.54(f)"
c. Letter, VYNPC to USNRC, BVY 93-139, December 21, 1993
d. Telecon, USNRC/VYNPC, May 2, 1995
e. Telecon, USNRC/VYNPC, May 11, 1995
f. Telecon, USNRC/VYNPC, May 23, 1995
g. Telecon, USNRC/VYNPC, May 31, 1995
h. Letter, USNRC/VYNPC, NVY 95-95, June 23, 1995

Subject:

Vermont Yankee Response to NRC Request for Additional Information Regarding Vermont Yankee's Individual Plant Examination (IPE)

Attachment A of this letter provides the additional information you requested in reference (h) regarding Vermont Yankee's Individual Plant Examination, reference (c). The information provided encompasses both questions asked in reference (h) and clarifications reached in telephone conversations between NRC and VY (references d, e, f, and g). We appreciated these discussions with you and your reviewers, as they helped us focus our responses.

We trust this information is acceptable; however, should you have any further questions, please contact this office.

Sincerely,

VERMONT YANKEE NUCLEAR POWER CORPORATION

James J. Duffy

Licensing Engineer

9511070040 951027 PDR ADOCK 05000271 P PDR

Attachment A

cc: USNRC Region I Administrator
USNRC Resident Inspector - VYNPS
USNRC Project Manager - VYNPS

ATTACHMENT A

Vermont Yankee Individual Plant Examination Response to NRC Request for Additional Information

Response to the Nuclear Regulatory Commission's Request for Additional Information on the Vermont Yankee Individual Plant Examination Submittal (Front End)

Q1: The spurious opening of Safety Relief Valves (SRVs) has been shown to be a significant contributor to Core Damage Frequency (CDF) in the Individual Plant Examinations (IPEs) of other Boiling Water Reactor 4 (BWR 4) plants. The frequency used in the Vermont Yankee IPE for spurious opening of an SRV as an initiating event (5.6E-3/year) is significantly lower than that used in many BWR IPEs and probabilistic risk assessments. Please provide the basis for the value used in the Vermont Yankee IPE.

A1: The IPE sums all transient sequences where SRVs fail to close after opening (modeled in event tree top event SC) to obtain the frequency of Inadvertent/Stuck Open Relief Valve (IORV) events. Thus, the frequency of IORV events is determined by:

(i) the transient initiating event frequencies, and

(ii) the failure probability for top event SC.

The basis for the transient initiating event frequencies is provided in Section 3.1.1.1 of the IPE. The basis for top event SC's failure probability is provided in Section 3.2.27 of the IPE.

Q2: Please provide the definition used in the IPE for the onset of core damage. For example, the peak acceptable temperatures and the minimum acceptable long-term core collapsed water level. Please provide this information for both Loss-of-Coolant Accident (LOCA) and transient events.

A2: Core damage is assumed to occur when reactor water level is less than 1/3 core height and decreasing. The same definition is used for Transient and LOCA events. Peak fuel temperatures are expected to exceed 1500°F under these conditions.

Q3: Please discuss how alternate injection was credited for cases in which containment cooling systems failed but containment venting was successful. In particular, please discuss how alternate injection with the Residual Heat Removal Service Water (RHRSW) cross-tie was considered, that is, for which types of sequences was this cross-tie considered and under what conditions was credit taken for this cross-tie.

A3: For sequences involving failure of containment cooling and success of venting, we do not credit use of RHRSW for alternate injection to prevent core damage in the Front End analysis. For these sequences, only Control Rod Drive and Condensate Transfer are modeled as alternate injection systems (see node AI in the frontline event trees).

Q4: The model for mitigation of a small LOCA differs from that used in typical BWR/4 PRAs and IPEs. The event tree for a small LOCA indicates that vessel pressure remains sufficiently high for continued operation of High Pressure Coolant Injection (HPCI) and Reactor Core Isolation Cooling (RCIC) over the entire 24-hour mission time. The event tree for a small LOCA requires alternate injection if containment cooling systems fail and the containment is vented, but the treatment of the timing for initiation of alternate injection with core cooling initially provided by HPCI or RCIC is not clear.

A4: Our model for mitigation of a small LOCA is similar to that used in other BWR/4 PRAs and IPEs. For example, the NUREG-1150 analysis for a BWR/4 assumes that HPCI or RCIC is sufficient to provide core cooling over the 24-hour mission time (see Figure 4.4-3, sequences 2 and 5 in NUREG/CR-4550, Volume 4, Revision 1, Part 1, "Analysis of Core Damage Frequency: Peach Bottom, Unit 2, Internal Events", August 1989).

Q4a: We were unable to find LOCA sizes used in the IPE in your submittal. Please provide the size ranges for steamline and waterline LOCAs used for small LOCAs, medium LOCAs, and large LOCAs.

A4a: LOCA sizes are defined in terms of the mitigating system requirements. This is consistent with other BWR/4 PRAs. For example, Section 4.3.1 of NUREG/CR-4550 states:

"The large LOCA, labeled A, is a steam or liquid break in which the reactor vessel will rapidly depressurize... High pressure system injection flow rates are either inadequate to restore level or the high pressure turbine-driven systems cannot be run efficiently because of low steam pressure."

"The intermediate LOCA, labeled S1, is a steam or liquid break in which high pressure injection with the HPCI System is possible for a limited time period. This turbine-driven system can supply sufficient flow to the reactor until vessel pressure can no longer be maintained for successful HPCI operation. Low pressure injection must then be used to maintain water inventory in the core. Should HPCI fail initially, depressurization of the reactor vessel is required to allow for timely low pressure injection."

"The small LOCA, labeled S2, is small enough to allow for long-term successful mitigation by either HPCI or the RCIC System... Should both systems fail, depressurization is required for successful low pressure injection."

The size (in inches) and type (water or steam) of break are important insofar as they affect:

(i) the system success criteria,

(ii) the initiating event frequency, and

(iii) the time window available for operator action.

Generic information is used for the LOCA system success criteria and the LOCA initiating event frequency, hence size information is not specified for these aspects of the IPE's LOCA models. Regarding time windows for operator action, the following are representative break sizes used in our plant-specific Modular Accident Analysis Program (MAAP) analysis:

Small LOCA: 0.08 ft² (steam or water)

Medium LOCA: 0.50 ft² (steam)

Large LOCA: 7.28 ft² (water)

Q4b: Provide the basis for assuming that RCIC or HPCI can operate over the 24-hour mission time to mitigate a small LOCA without loss of adequate steam supply pressure for driving the pump turbines.

A4b: The system success criteria for LOCAs are taken from NUREG/CR-4550 and NEDO-24708A ("Additional Information Required for NRC Staff Generic Report on Boiling Water Reactors", NEDO-24708A, Revision 1, December 1980). In both documents, HPCI or RCIC are identified as sufficient to provide core cooling for Small LOCAs.

Q4c: Please discuss the time by which alternate injection is required relative to the timing of containment venting at 59 psig for the case in which core cooling is initially provided by HPCI or RCIC and containment cooling systems fail. Since the suppression pool will approach temperatures of about 300°F under these venting conditions, specifically address the ability of HPCI and RCIC pumps to operate at these high temperatures. Also, please address the trip of RCIC at 25 psig turbine exhaust back pressure and how this RCIC limitation was modeled in the analysis.

A4c: Plant-specific MAAP calculations performed as part of the IPE show that, for the scenario of interest (i.e., core cooling initially provided by HPCI or RCIC and containment cooling systems fail):

(i) The pressure at which the containment vent opens would not be reached until >24 hours.

(ii) The Condensate Storage Tank inventory is sufficient to support HPCI or RCIC injection for >24 hours.

(iii) The trip of RCIC on 25 psig turbine exhaust backpressure would not occur until about 24 hours.

Q5: Please discuss how the IPE modeled the loss of Heating, Ventilation, and Air Conditioning (HVAC) for the Control Room. In particular, discuss how loss of Control Room cooling during the mitigative portion of an accident was considered and discuss any compensatory actions for providing Control Room cooling, if any, that were credited in the IPE model.

A5: The IPE did not explicitly model Control Room HVAC. Loss of control room HVAC was judged not to have a significant impact on the CDF since the control room is continuously manned and actions to restore ventilation or mitigate its loss, i.e., open control room doors, panel and cabinet doors, etc., are easily accomplished. This approach is consistent with NUREG/CR-4550 which did not explicitly model loss of Control Room HVAC for Peach Bottom Unit 2.

Q6: Please discuss whether or not closure of the recirculation line discharge valve in the intact loop was modeled as required for mitigation of a large LOCA. If it was not, please give the basis for why this measure was not required.

A6: The fault tree for the Low Pressure Coolant Injection (LPCI) mode of the RHR System (Section 3.2.2) identifies closure of the recirculation loop discharge valve (in the intact loop) as a basic event. We quantified the fault tree twice, once with this basic event at its nominal value (1.2E-3) and once with the basic event value = 0. With one loop assumed failed due to the break, the LPCI system failure probability was calculated as:

7.6E-03 / demand with recirc discharge valve failure rate = 1.2E-3

6.4E-03 / demand with recirc discharge valve failure rate = 0

These values assume that all support systems for the intact loop are available. No dependencies are introduced by inclusion of this basic event in the fault tree, since the recirculation loop discharge valve shares the same support systems (for motive power and for actuation signals) as other valves in the corresponding LPCI loop. Based on these results, we conclude that the inclusion/exclusion of this valve has no significant impact on the IPE results.

Q7a: Please address the following topics related to system characteristics as modeled in the IPE.

The system description for service water is not clear on the need to isolate nonessential service water for mitigation of an accident. At many plants, failure to isolate nonessential service water can compromise the system performance for accident conditions. Please explain whether or not isolation of service water nonessential loads is needed for successful accident mitigation and how the need to isolate nonessential service water was modeled.

A7a: The need to isolate nonessential Service Water loads depends on the number of Service Water pumps that are operating and the complement of essential and nonessential loads which require cooling. Based on plant-specific calculations available at the time that the IPE was performed, the IPE assumed that two Service Water pumps were sufficient to support cooling needs of all essential and nonessential loads. (One pump may be sufficient if nonessential loads are isolated, but the analysis did not support this assumption at the time that the IPE was performed, hence the IPE took no credit for this case.) The IPE also noted that plant procedures direct the operators to isolate nonessential loads under certain conditions, and that this made the nonessential equipment (such as Feedwater and Condensate pumps) unavailable for accident mitigation. (Note that a recent design change, made subsequent to the IPE, provides automatic isolation of nonessential loads upon low Service Water header pressure.) Thus, the IPE assumed that:

(i) Two Service Water pumps were needed for success.

(ii) Nonessential loads are isolated when specified by plant procedures, causing the unavailability of the associated nonessential equipment.

Q7b: The system description for ac power states that the success criterion for ac power is success of both power trains. This success criterion is not supported by the event trees provided in the submittal. Please resolve the apparent discrepancy between the success criterion and the event tree logic.

A7b: The "success criteria" for ac power relates to the manner in which the fault tree is quantified. For completeness of presentation in Section 3.2.19, the fault tree is presented as both trains "ANDed" together, hence the success criteria is "success of both trains". As discussed in Section 3.3, "Sequence Quantification", appropriate portions of this two-train fault tree were used to quantify the split fraction values used in the event tree analysis.

Q7c: The submittal states that credit was taken for the use of alternate dc batteries for powering certain components during accidents. However, it is not clear from the discussions provided how the use of the alternate dc batteries was credited. Please explain how the alternate batteries were considered in the model, specifically addressing those components that were considered capable of being powered from these batteries, including any proceduralized operator actions that may be needed.

A7c: The use of the alternate dc batteries is discussed in Section 3.1.4, "Support System Event Trees". Battery AS-1 is discussed under top event S1. Battery S2 is discussed under top event S2.

Note that the fault tree model for AC power (IPE Section 3.2.19) models the use of "alternate" 125V DC power when the "normal" DC source fails. However, quantification of the AC power model took no credit for use of "alternate" DC sources (see IPE Section 3.2.19, "Model Assumptions").

Q7d: The opening of SRVs and their subsequent failure to close has been shown to be an important contributor to CDF in other BWR IPEs and PRAs. Considering the tolerances of SRV setpoints and the inertia of valve openings, please provide the basis for assuming that for transients in which the opening of an SRV is challenged, only the SRV opens. The number of SRVs that open affects the probability that an SRV will fail to reclose, resulting in a LOCA.

A7d: The IPE does not assume that only one SRV opens for transient events. Rather, the IPE models the expected number of SRV openings as discussed in Section 3.2.27.

Q8: Please provide the CDF for each initiating event for the front end core damage sequences.

A8: The percentage of total CDF associated with each initiating event is as follows:

Initiator: % of Total CDF

Transient with Loss of Off-Site Power: 20%
ATWS with Main Steam Isolation Valve (MSIV) Closure: 14%
Transient with Loss of Feed and MSIV Closure: 12%
Transient with Loss of DC Bus 2: 11%
Transient with Loss of DC Bus 1: 10%
Transient: 8%
Transient with Loss of AC Bus 3: 5%
Transient with Loss of AC Bus 4: 5%
Inadvertent/Stuck Open Relief Valve: 3%
ATWS with Loss of Feed and MSIV Closure: 3%
ATWS: 3%
Transient with MSIV Closure: 2%
Large LOCA: 1%
Interfacing Systems LOCA: 1%
Medium LOCA: <1%
Transient with Loss of Service Water: <1%
Small LOCA: <1%
ATWS with Loss of Off-Site Power: <1%

Q9: Please address the following topics related to the procedural enhancements and physical modifications discussed in the submittal.

A9: Section 6.1 of the IPE submittal identified plant-specific safety features. Section 6.2 identified plant improvements which were made during the time that the IPE was performed. While the improvements discussed in Section 6.2 were not initiated by IPE findings, IPE models and expertise were used to review these changes. Section 6.3 identified 13 procedural enhancements for further consideration by Vermont Yankee.

Q9a: The specific improvements that have been implemented, are being planned, or are under evaluation.

A9a: Of the 13 proposed procedural enhancements, Vermont Yankee has determined that 4 are not appropriate for incorporation into plant procedures. These are:

Proposed Enhancement: Line-up Core Spray to the Condensate Storage Tank when elevated torus water temperature exists.

Reason for Disposition: This requirement had been in earlier revisions of the Emergency Operating Procedures as a deviation, and was subsequently removed when adequate technical justification could not be provided to satisfy NRC inspectors.

Proposed Enhancement: Enhance Emergency Action Level (EAL) criteria for long-term loss of containment heat removal and long-term Station Blackout.

Reason for Disposition: These enhancements are being considered by the VY Emergency Planning Group as part of the industry effort for improving EAL criteria.

Proposed Enhancement: Under certain depressurization sequences, limit reactor depressurization to 200 psi to maintain HPCI/RCIC injection.

Reason for Disposition: This strategy had been considered and rejected by the BWROG Emergency Procedures Committee.

Proposed Enhancement: With proper evaluation, expand the use of drywell spray before Reactor Pressure Vessel failure.

Reason for Disposition: This strategy has been fully explored by the BWROG Emergency Procedures Committee and the appropriate guidance provided in the Emergency Procedure Guidelines.

Q9b: The status of each improvement. That is, whether the improvement has actually been implemented, is planned (with a scheduled implementation date), or is being evaluated.

A9b: All of the remaining enhancements either have been addressed or are currently being addressed by changes to plant procedures and/or training. These items have been assigned a due date of November 10, 1995 in the plant's commitment tracking system.

Q9c: The improvements that were credited in the reported CDF.

A9c: None of these procedural enhancements was credited in the IPE.

Q9d: If available, the reduction to the CDF that would be realized from each plant improvement if the improvement was to be credited in the reported CDF, or the increase in the CDF if the credited improvement was to be removed from the reported CDF.

A9d: As noted in Section 6.2.2 of the IPE, these procedural improvements are not expected to cause a measurable reduction in Core Damage Frequency.

Q9e: The basis for each improvement. That is, whether it addressed a vulnerability, was otherwise identified from the IPE review, was developed as part of other NRC rulemaking, such as the station blackout rule, and so on.

A9e: As noted in Section 6.2, the basis for the proposed procedural enhancements is that they have the potential to enhance VY's defense-in-depth approach to safety.

Note that, while not discussed in Section 6.2, Vermont Yankee made a hardware change (subsequent to the IPE submittal) related to ARI/RPT diversity. However, the IPE assumed that the electrical scram system and ARI/RPT were sufficiently diverse to warrant modeling as "independent" at the time that the IPE was performed. Thus, VY's implementation of this ARI/RPT diversity change did not change the IPE results. Rather, the change increased our confidence in the IPE's assumption of ARI/RPT independence from the electrical scram system.

Q10: The discussion of loss of Decay Heat Removal (DHR) in the submittal uses a restrictive definition for DHR, which is loss of containment heat removal. However, as requested by NUREG-1335, the submittal should provide a thorough discussion of the loss of DHR, including loss of core cooling. In addition, NUREG-1335 requested that any vulnerabilities associated with the (DHR) function be specifically identified. Please provide this requested information concerning loss of DHR, specifically addressing loss of core cooling and any identified DHR vulnerabilities.

If available, please identify the related contributions to CDF of failures of specific systems and components (and operator actions) relied upon for core damage prevention.

A10: The potential for loss of core cooling was the primary focus of the Front End IPE. As such, the submittal's discussion of results for Core Damage Frequency (in Section 1, Section 3.3 and Section 3.4) is directly applicable. The submittal's vulnerability screening (in Section 3.4 and Section 6) is also directly applicable. As noted in Section 6, no vulnerabilities were identified. This conclusion applies to the decay heat removal function as well as to all other critical safety functions analyzed in the IPE.

Referring to the CDF results provided in Table 1.1 of the submittal, we note that:

a. About 1/3 of the total CDF comes from transient sequences involving loss of high pressure injection systems with failure to depressurize. The high pressure systems are Feedwater, HPCI and RCIC. The failure to depressurize is dominated by operator error since the IPE analysis assumes that Automatic Depressurization System (ADS) logic is inhibited (as prescribed by EOPs).
b. About 14% of the total CDF comes from extended (i.e., >4 hours) Station Blackout sequences where core cooling fails due to battery depletion.
c. About 13% of the total CDF comes from ATWS sequences where failure of reactivity control causes containment failure and subsequent core damage.
d. About 9% of the total CDF comes from transient sequences where all high pressure and low pressure core cooling systems fail. Because of the many injection systems available, most of these sequences involve failure of AC and/or DC support systems.

e. About 7% of the total CDF comes from transient sequences where the containment heat removal function fails and the subsequent containment failure causes loss of core cooling.
f. About 5% of the total CDF comes from LOCA sequences. For about 3%, the loss of core cooling is caused by random failure of Emergency Core Cooling Systems (ECCS) and/or their required support systems. For about 2%, containment failure (and loss of ECCS) occurs due to failure of vapor suppression.

Additional information on the contribution of systems to CDF can be obtained by examining the accident sequence results provided in Table 3.4.1 of the submittal. Additional information on the contribution of components to system failure rates can be obtained from the fault trees provided in Section 3.2 and from the discussion on "Quantification of Unavailability of Systems" provided in Section 3.3.5. Additional information on the contribution of operator error to CDF is provided in our response to Question 10 below under "Human Reliability Analysis".

Q11a: It is not clear in the submittal whether plant changes as a result of the station blackout rule were credited in the analysis. Please provide the following information:

Identify whether plant changes (e.g., procedures for load shedding, alternate ac power) made in response to the blackout rule were credited in the IPE and, if so, specify what specific plant changes were credited.

A11a: Three equipment modifications were made by VY in response to the Station Blackout Rule. These are:

(i) Installation of an underground cable between the Vernon Hydro Station (the "alternate AC source") and the Vermont Yankee Nuclear Power Station. A new transformer capable of supplying the anticipated SBO load was also installed.

(ii) Installation of an independent control voltage source for the Vernon Tie line breaker.

(iii) Modification of the load shed circuitry affecting the Control Room air conditioner supply fan.

Only modification (ii) above was credited in the IPE.

Q11b: If available, identify the total impact of these plant changes on the total plant CDF and on the station blackout CDF (i.e., reduction in total plant CDF and station blackout CDF).

A11b: The VY SBO modifications were reviewed by IPE analysts as part of the design change process. Based on this review, the changes were judged to have a positive impact on safety. However, the changes were not quantified for their impact on CDF because:

(i) The major benefit comes from the diversity of the "alternate" ac power source (i.e., a nearby hydro station) relative to the on-site emergency diesel generators. The Vernon Tie was an original safety feature of VY, and was only enhanced (not added) as a result of the SBO Rule. Even before the SBO enhancements, VY Control Room operators had the ability to power either of the two emergency buses with the Vernon Tie by closing two breakers from inside the Control Room.

(ii) The most significant improvement made to the Vernon Tie was burying the supply cable. This provides increased confidence in the availability of power to Vermont Yankee under severe weather conditions. However, severe weather is an "external" event which is outside the scope of the IPE (severe weather events are being analyzed as part of VY's IPE for External Events, IPEEE).

(iii) The SBO modifications were identified and either partially or fully implemented before the IPE was complete. Thus, a detailed analysis of the "before" and "after" CDF was not performed. Rather, the IPE models were constructed to reflect the then-current (as of December 1993) plant configuration. The only IPE-significant enhancement not complete as of December 1993 was the burying of the supply cable which, as noted above, affects the IPEEE but not the IPE.

Q11c: If available, identify the impact of each individual plant change on the total plant CDF and on the station blackout CDF (i.e., reduction in total plant CDF and station blackout CDF).

A11c: As noted above in (b), the impact on calculated CDF is not available. Qualitatively, the most significant reduction in CDF is due to the Vernon Tie (which was an original plant design feature), and by comparison, the SBO enhancements are judged to be relatively minor.

Q11d: Identify any other changes to the plant that have been implemented or planned to be implemented that are separate from those in response to the station blackout rule and that reduce the station blackout CDF.

A11d: Sections 6.1 and 6.2 of the IPE submittal identify other plant-specific features (separate from the SBO Rule) that reduce the plant risk from SBO events. These include:

(i) Alternate injection of river water to the reactor or to the drywell spray header using the diesel-fire pump, along with an auxiliary diesel generator (John Deere) to power the necessary valves.

(ii) Use of this same John Deere diesel generator to charge the station batteries under SBO conditions, in order to provide the necessary dc power for operation of the ADS valves (for reactor depressurization).

Q11e: Identify whether the changes in RAI 11 (d) are implemented or planned.

A11e: The plant specific features discussed in (d) above exist today and they existed at the time that the IPE was performed.

Q11f: Identify whether credit was taken for the changes in RAI 11 (d) in the IPE.

A11f: The plant specific features discussed in (d) above were credited in the IPE.

Q11g: If available, identify the impact of the changes in RAI 11 (d) to the station blackout CDF.

A11g: The plant specific features discussed in (d) above existed at the time that the IPE was performed, hence the "before" and "after" CDF was not calculated. However, an estimate of these features' impact on CDF can be obtained from the Risk Achievement Worth (RAW). The RAW for these features (discussed in (d) above), taken together, is about 1.3. This result means that if these features were assumed to fail with a probability of 1.0 (i.e., if the features did not exist), the total CDF would be about 30% higher than the IPE-calculated baseline value.

Q12: The system descriptions do not address the John Deere Diesel Generator (DG). This DG is credited during station blackout for providing motive power for opening Motor Operated Valves (MOVs) to allow for injection with diesel driven fire water, and for providing dc control power for keeping the SRVs open to maintain vessel pressure sufficiently low for long-term injection with low-pressure firewater. Please list all required support systems and interfaces for the John Deere diesel generator. Please describe how these dependencies and interfaces were accounted for in the IPE model. Please include a discussion of the need for, and modeling of, operator actions associated with the accident mitigation use of this DG.

A12: The John Deere diesel generator is described in Section 3.2.23 of the IPE submittal ("Alternate Injection from Fire System"). The dependencies are shown in the dependency matrix for "Alternate Injection from Fire System", Figure 3.2.238. As noted in this Figure, breaker repositioning can be accomplished locally without relying on dc power, hence the only support system interface for use of the John Deere diesel generator is "operator action". The IPE modeling of this action is summarized in Table 3.3.3.2 of the IPE submittal ("Dynamic Operator Actions"). As noted in this Table, the basic event identifier is JOPFIS01, the Human Error Probability is 1.3E-01, and this value was calculated using the EPRI Method assuming a type CP1 action and a time window of 4 hours. The time window is 4 hours because, as discussed under top event AI in the Transient event tree model (Section 3.1.2.4), alternate injection using the diesel fire pump and John Deere diesel is only credited if "early" injection is provided by HPCI or RCIC (the IPE assumes that the station batteries will deplete in 4 hours under Station Blackout conditions).

Q13: The Turbine Bypass System has 105 percent capability. Did the IPE analysis assume that if the plant response to load rejection is sufficiently rapid, the unit can remain at power? If so, please explain how this capability was considered in the model. Licensees of other plants with large bypass capability have stated that the attempt to stay at power, if it fails because of the rapidity of the load rejection, can result in increased challenges to SRVs. Please explain how the SRVs were modeled for such transients.

A13: The IPE did not assume that the plant would remain at-power during a load rejection. The plant scram history (Table 3.1.1.2 of the IPE submittal) was reviewed to develop the transient initiating event frequencies. As part of this review, several load rejections (all resulting in reactor scram) were identified and counted in the Transient initiating event frequency.

Q14: Please provide the truncation value(s) used for quantifying accident sequences.

A14: Accident sequences were quantified in two steps. First, all system fault trees were quantified using a truncation value of 1E-08. The resulting system failure probabilities were then used in quantification of the event tree models. The event tree models were quantified using a truncation value of 1E-13.

Q15a: Please provide the following information related to quantification of component failures.

Summarize the process by which components were selected to be modeled with plant-specific data.

A15a: Section 3.3.2 of the IPE discusses the approach used for plant-specific data and analysis. Plant-specific evidence was considered for those components that were judged to be important contributors to the system function (major system level components) and whose component history could reasonably be retrieved from plant records. System models and plant specific evidence were discussed in review meetings (refer to IPE Section 5.2).

Q15b: Summarize the process by which components were selected for common-cause failure consideration.

A15b: Section 3.3.4 of the IPE discusses the approach used for common-cause failure modeling. Common-cause failure modeling was performed primarily intrasystem, for major redundant components where generic common-cause modeling parameters exist. Intersystem common cause modeling was also performed for selected components when there was little or no redundancy within a system. For example, common cause was modeled between the HPCI and RCIC turbine-driven pumps.

Q15c: Discuss the source of data used to quantify test and maintenance outage durations and frequencies; if generic data were used, explain why plant-specific data were not used.

A15c: System unavailabilities due to test and maintenance outages were quantified using both plant-specific and generic data. Test/maintenance frequencies were developed from plant-specific evidence (i.e., equipment history cards). However, each frequency was compared against the generic data and typically the higher value was used in the analysis.

Test and maintenance durations were obtained from the generic data because plant specific duration data was not reasonably retrievable.

One exception was the emergency diesel generators for which plant-specific outage duration data were available and were used.

Q15d: The submittal noted that common-cause failure of the DGs has been experienced at Vermont Yankee. Please explain how this actual experience was used in the analysis for establishing the common-cause factors for these important components. If actual DG experience was not used, please explain the rationale for common-cause factors used.

A15d: We identified a common-cause failure event at Vermont Yankee which involved common-mode failure of the differential trip relays associated with the diesel generator output breakers. This failure caused inoperability of both emergency diesel generators. Given only one observed common cause event, we judged that the generic common-cause modeling factor (i.e., a beta of approximately 0.07 for diesel generators fail to start) was reasonable.

Response to the Nuclear Regulatory Commission's Request for Additional Information on the Vermont Yankee Individual Plant Examination Submittal (Back End)

Q1: The submittal shows that the containment flooding procedure actually leads to an increase in early containment failure and large releases. Please comment on this insight (by providing a discussion of how the conditional probability of early containment failure and releases was increased) and discuss whether there is a plan to implement possible changes to the containment flooding procedure.

A1: The sensitivity study for containment flooding is discussed in Section 4.6.3 of the IPE submittal. As discussed in this section, failure to implement the containment flooding procedure (as directed by the current EOPs) causes about a 10% decrease in the Early/High release frequency because drywell venting (which is part of the containment flooding evolution) will not occur. Based on plant-specific MAAP calculations, opening of the Reactor Pressure Vessel (RPV) or drywell vent after core damage has occurred (for either primary pressure control or as part of containment flooding) was assumed to cause a High release.

The IPE also assumed an Early release whenever RPV or drywell venting occurred after core damage. The actual time of venting would depend on the accident sequence, and may not be "Early" since containment flooding is expected to take at least several hours to complete.

The decision to vent would be made by the Vermont Yankee Site Recovery Manager with aid from the Technical Support Center (TSC). Vermont Yankee currently has Accident Management Guidelines that are used to aid in the venting decision process. We expect that enhanced guidance will be provided as part of Vermont Yankee's implementation of the BWROG Accident Management Guidelines. While the BWROG guidelines have not been finalized, we are participating in the development of these guidelines which currently include an improved Containment Flooding strategy. This improved strategy allows the operating staff and TSC to implement containment flooding with or without RPV/drywell venting, based on the accident symptoms.

Q2: At intermediate temperatures (500°F ≤ Temperature ≤ 900°F), the submittal shows that the containment failure mode will most likely be leakage as a result of potential seal degradation. A failure pressure of 88 psig was assessed for this range of temperatures, and failure is expected to occur at the drywell head. However, the submittal does not explain how this value was calculated. Therefore, please explain the calculation of the failure pressure of 88 psig at intermediate temperatures. Also, please discuss the impact of elevated temperature upon the containment electrical and mechanical penetrations.

A2: To support the IPE assessment, Chicago Bridge and Iron (CBI) provided an evaluation of the Vermont Yankee containment boundary capabilities at elevated temperatures and pressures. The containment failure characterization at intermediate temperatures (500-900 degrees F) is provided in Section 4.4.2.2 of the IPE submittal. As discussed in this section, the drywell head flange seal material is expected to degrade significantly in this temperature range. The failure pressure was calculated as the minimum pressure required to overcome the bolt preload forces, neglecting the presence of gaskets or seals.

The VY containment failure characterization at elevated temperatures included a review of industry and NRC contractor evaluations. Both electrical and mechanical seal capabilities were considered. For electrical penetrations, the Sandia tests/models (NUREG/CR-3234, "The Potential for Containment Leak Paths Through Electrical Penetration Assemblies Under Severe Accident Conditions," July 1983; NUREG/CR-0076, Proceedings of the Third Workshop on Containment Integrity, "Leak Behavior Through EPA's Under Severe Accident Conditions," August 1986) indicate that the outer seal integrity is not challenged even at high drywell temperatures (e.g., 1800 degrees F). For mechanical penetrations, the effects of thermal expansion (especially on pipe penetrations and purge/vent valves) and loss of seal resiliency (especially for drywell head, drywell equipment hatch, personnel hatch, and CRD removal hatch) were evaluated based primarily on the information provided in NUREG-1037. The results of this review indicated that the limiting location for leakage at elevated drywell temperatures was the drywell head.

Q3: Section 4.6.1 (page 4.6-1) of the submittal discusses equipment survivability under severe accident conditions. The submittal states that cable connections (terminal links) were weak links exhibiting high failure rates at 200°F, and they were removed from safety systems. However, there are no specific nodes in the Containment Event Tree (CET) that treat equipment failure under severe accident conditions, and the only equipment failure that appears to be treated is the possibility of drywell-to-wetwell vacuum breakers being stuck open during the course of a severe accident. Step 1 of Appendix A of NUREG-1335 states that "this discussion would address survivability under pressure, temperature, debris, and steam conditions expected during a severe accident."

Section 2.2.2.6 of NUREG-1335 states that "equipment environment should be assessed with the same temperature, pressure, humidity, and radiation environment predicted as a part of the accident progression analysis."

Please explain where and how in the analyses you have considered the impact of severe accident conditions in the containment (elevated temperature, humidity, and radiation) upon equipment performance.

A3: The impact of a harsh (severe accident) environment on equipment performance was considered in modeling the Containment Event Tree nodes.

Special attention was paid to the following components located inside containment:

- Inboard MSIV pilot solenoid valves
- MSIV drain line Motor-Operated Valve (MOV)
- SRV pilot solenoid valves
- HPCI and RCIC inboard isolation MOVs
- RHR Shutdown Cooling MOV
- Cabling, connections and electrical penetrations

and to the following components located in the Reactor Building:

- HPCI and RCIC pumps
- Instrumentation (Primary Containment and RPV Pressure/Level)
- ECCS injection valves (including RHRSW to RHR cross-tie valves and "alternate injection" valves)
- Drywell vent valves
- RHR, RHRSW and Core Spray motor-driven pumps
- Outboard MSIV pilot solenoid valves
- Motor Control Centers
- Cabling, connections and electrical penetrations

Our analysis included a review of industry test data in order to establish equipment survivability limits. Plant specific MAAP calculations were performed for each IPE accident sequence class (Class I, II, III, IV and V) in order to establish the expected environmental conditions. These results were incorporated into the functional fault trees which were used to quantify Containment Event Tree nodes. If equipment was not expected to survive under the severe accident conditions predicted by MAAP, then this equipment was assumed to fail when the corresponding Containment Event Tree node was quantified. The failure probabilities ("split fractions") for each event tree node (including Containment Event Tree nodes) are provided in Table 3.3.5.1 of the IPE submittal. For example, note that the split fraction values for nodes VD and VR are different for different types of accident sequences, due to equipment survivability issues.

Response to the Nuclear Regulatory Commission's Request for Additional Information on the Vermont Yankee Individual Plant Examination Submittal (Human Reliability Analysis)

Q1: The "in-house" independent review is stated as consisting of a review of fault tree models by an appropriate cross section of plant disciplines not directly involved with the process being reviewed. This approach appears to be of limited value for assuring that the Human Reliability Analysis (HRA) analytic techniques are correctly applied. In addition, the submittal identifies "ERIN" as the HRA consultant assisting the Vermont Yankee review team during the development of the Level 1 IPE but also lists "ERIN" (same individual) as performing the independent external review. Please describe what consideration was given, including the steps taken, during the in-house independent review and/or the external review process to assure that HRA analytical techniques were accurately portrayed in the implementation of the THERP, EPRI, and TRC methods.

A1: The overall utility participation and review efforts are described in Section 5.0 of the IPE submittal. Of the many specific tasks performed as part of the IPE, the two that are the subject of this question are:

1. Latent (before the accident) Human Reliability Analysis
2. Dynamic (during the accident) Human Reliability Analysis

The Latent HRA was performed by Richard Turcotte (in-house) and reviewed by Kevin Burns (in-house). An additional review was performed by Dr. E. T. Burns (ERIN), no relation to Kevin Burns, to assure that the Technique for Human Error Rate Prediction (THERP) analytical techniques were accurately applied. Regarding Dr. Burns' qualifications: he performed the HRA for the Limerick and Shoreham PRAs, and he also performed the HRA for the Limerick, Peach Bottom, Duane Arnold, and Vermont Yankee IPEs. In addition, he has compared the effects of using various HRA methodologies as part of the IDCOR IPEM development (see E. T. Burns, "Human Error Probability Models in the BWR Individual Plant Evaluation Methodology," 1988 IEEE Fourth Conference on Human Factors and Power Plants, June 1988.) Dr. Burns has been the principal reviewer of the HRA to support the IPEs of Brunswick, Monticello, Millstone Point 1 (original PRA), Cooper, Browns Ferry (original PRA), and Hope Creek (original PRA).

The Dynamic HRA was performed by ERIN. Several ERIN (a subcontractor) personnel were involved, and all work was performed under the direction and review of Dr. Burns at ERIN. In addition, Kevin Burns (in-house) performed a detailed review of the dynamic HRA analysis and supporting documentation, including the application of the EPRI and Time-Reliability Correlation (TRC) methods.

Q2: The submittal does not clearly discuss the process that was used to identify and select preinitiator human events involving miscalibration of instrumentation or the restoration or realignment of components (valves, control circuits, etc.) after maintenance and/or testing. The process used to identify and select these types of human events may include the review of procedures and discussions with appropriate plant personnel on interpretation and implementation of the plant's calibration procedures. To better understand the process used to identify and select preinitiator actions please provide the following:

a. A description of the process, with examples, that was used to identify human events involving miscalibration of instrumentation.
b. A description of the process, with examples, that was used to identify human actions involving failure to restore or realign a system or a component after test or maintenance.

A2: Section 3.3.3.1 summarizes the approach used to capture system unavailability due to pre-initiator human events (latent human errors).

Specific examples of such events modeled in the IPE are provided in Table 3.3.3.1. Selection of these events (which involve both miscalibration of instrumentation and failure to realign systems/components following maintenance or testing) was based on our review of:

a. General plant procedures (which control maintenance and repair activities, tagging and switching rules and practices, control of plant equipment and temporary modifications, requirements for post maintenance testing, and valve and breaker alignment identification).
b. Specific system procedures (which govern surveillance testing, calibration and functional testing, battery performance and discharge testing, and system level maintenance).
c. Actual maintenance, testing and calibration tasks for standby systems/components.
d. Control Room annunciators and operator rounds (i.e., whether or not misalignments are annunciated in the control room and/or the sufficiency of field checks/verifications).
e. Post-maintenance testing practices (i.e., whether or not post maintenance testing will likely detect a misalignment).

Q3: Section 3.3.3.1 of the submittal states that "gross errors during instrument calibration (error to the point where an instrument loop or entire logic does not function) is considered remote. For these systems (or subsystems) we have assigned a value of 1.00E-04 for the unavailability due to latent human error." Please provide a concise explanation of how the "assigned" value of 1.00E-04 was derived and include in your discussion what qualitative analysis was used to support the quantification.

A3: As shown in Table 3.3.3.1, for those latent human errors analyzed in detail with THERP, the resulting values are generally in the E-03 to E-04 range. Thus, when there were qualitative reasons to believe that a latent human error was even less likely (than another action which was quantified with THERP), a detailed analysis was not performed and a value of 1E-04 was used.

Q4: The submittal is unclear on the process that was used to determine the appropriateness of crediting the recovery factors associated with the preinitiator human errors. That is, how was it determined that the considered recovery would indeed discover the error? For example, a pump is taken out of service for maintenance. As part of this activity, the breakers of the associated MOVs are pulled. The post-maintenance test of the pump, however, does not require operation of one of the valves. This test will not, therefore, discover the error, and this factor cannot be applied. Inappropriate use of these recovery factors has the potential to eliminate potential accident sequences. In addition, modifying the BHEP due to plant-specific recovery factors should be justified. For example, this justification could include examination of procedures, interviews with plant personnel, examination of administrative controls, and a walk-through of the procedures.

Please provide a concise discussion of the justification and process that were used to determine the appropriateness of the recovery factors utilized.

A4: The potential for system recovery (discovery of the error or mistake) is based on system specific factors, such as whether or not the component/device is included in surveillance testing or in routine operator surveillance with signoffs. Based on detailed review of plant procedures and testing programs, surveillances were generally judged effective in detecting gross errors which could adversely impact a system's reliability. One exception in the IPE is the Standby Liquid Control (SLC) System. Misalignment of the SLC system after testing was conservatively assumed not discovered until the next routine surveillance test of the pumps (tested quarterly). This is because SLC does not have remote indications of valve position, alarms, or automatic realignment which would readily catch a misalignment. In this case, we took no credit for earlier discovery via routine operations rounds.

Q5: The submittal is unclear on how dependency was considered for preinitiator actions. An important concern in HRA is the treatment of dependencies. Human performance is dependent on the sequence-specific response of the system and of the humans involved. The likelihood of the success of a given action is influenced by the success or failure of a preceding action, the performance of other team members in parallel or related actions, assumptions about the expected level of performance of other team members based on past experience, and so on. Accounting for dependency among top-level actions in a sequence is particularly important. The human error probability estimates for HRA are conditional probabilities. If dependencies are not specifically accounted for and HEPs are treated as independent, the probabilistic combination of HEPs can lead to an unrealistically low estimate of human performance overall (i.e., of the joint human error probability) and to a significant underestimate of risk. For example, a thorough examination of preinitiators in a NUREG-1150 plant (Peach Bottom) indicated that a single crew was performing the calibration of reactor pressure sensors in a single shift, which would result in a high dependence in the calibration of these sensors and the simultaneous failure of LPCI and Low Pressure Core Spray (LPCS) valves to open. It was also determined that the operators would fail to diagnose this cause. This analysis resulted in the identification of a dominant contributor in the NUREG-1150 analysis of Peach Bottom. Please explain how dependencies were accounted for in the assessment of preinitiatory errors at Vermont Yankee. If dependencies were not considered, please justify.

A5: In general, pre-initiator human errors are modeled as totally independent or totally dependent. If our review indicated that there was a significant potential for dependency, then a total dependency was assumed. For example, consider the miscalibration or the failure to restore transmitters and logic associated with each emergency core cooling signal (including low reactor water level, low reactor pressure, and high drywell pressure). For each signal, the error is modeled as a total dependency by using a single basic event whose failure causes failure of the associated ECCS signal. This modeling makes all transmitters and logic components within a signal logic dependent on the success or failure of the calibration and restoration tasks.

Q6: The TRC method is stated as being used to quantify post-initiator actions (dynamic/recovery) when the analyst (expert opinion) judged that the EPRI method was inappropriate. The submittal is unclear as to what the Vermont Yankee specific criteria (bases) were for determining that the TRC method should be used in lieu of the EPRI method. Please discuss the basis used to determine when the EPRI method was or was not appropriate.

A6: Table 3.3.3.2 of the IPE identifies the human error probability method used to quantify each "dynamic" operator action. As noted in this table, seven operator actions were quantified using the TRC method. The reason is discussed below.

The HRA was performed in parallel with the development of fault tree and event tree models. Based on our first-cut trees, and our knowledge of other BWR PRAs, we identified dynamic operator actions that needed to be quantified using HRA methods. For these actions, detailed information to support use of the EPRI correlation was gathered in interviews with plant personnel and from simulator observations. As our fault tree and event tree models were finalized, some operator actions were added, including the seven actions noted above. These actions were not believed to be especially risk significant, but were added for completeness. Use of the simpler TRC method was deemed more appropriate for quantification of these seven actions because the detailed information needed to use the EPRI correlation for these actions had not been gathered in the plant interviews. These actions are all clearly proceduralized and do not involve severe time constraints, hence we judged that use of the more detailed EPRI correlation would not have a significant impact on the IPE results.


Q7: The submittal is not clear as to the source of the base numbers used for P1 and P3 or what plant-specific factors were considered in selecting these values for calculating the total HEPs. For the following dynamic actions, please provide a concise explanation, by way of examples, of where source values were derived and the basis used for their selection:

- J0PFIS01
- UOPACM1FL
- YOPAC1FL
- TVHUVENTINGX

A7: The actions are:

J0PFIS01: Operator Initiates the Firewater System and John Deere Diesel Generator for Alternate Injection During SBO Conditions
UOPACM1FL: Operator Initiates Alternate Cooling Mode
YOPAC1FL: Operator Establishes the Vernon Tie by Remotely Operated Breakers in the Control Room
TVHUVENTINGX: Operator Fails to Control Containment Venting After Rupture Disk Actuates

P1 refers to non-recoverable mistakes associated with misdiagnosis, procedures, etc. P3 refers to manipulative errors. For the above actions, the values and basis for P1 and P3 are provided below.

J0PFIS01

This action is proceduralized in plant procedure OT 3122 Appendix A. Because the action is required only under Station Blackout conditions (when no other injection systems are operable), there is little potential for misdiagnosis, and we used a characteristic value of P1 = 1E-04. A number of valve manipulations are required for firewater injection to the RPV, hence we judged that the manipulative error rate was relatively high, and we characterized P3 as 1E-01.

UOPACM1FL

As discussed in note 4 to Table 3.3.3.2, this action was quantified using a simplified method developed by EPRI. This method did not require values for P1 and P3.

YOPAC1FL

This action is proceduralized (plant procedure OT 3122), and is well-practiced in simulator exercises. As such, the probability of misdiagnosis was judged to be small, and P1 was characterized as 1E-04. The EPRI method recommends P3 values based upon past experimental data. Since this action involves simple manipulation of breakers in the Control Room, the low end of the experimental results is judged applicable, and we assigned P3 = 1E-03.

TVHUVENTINGX

The torus vent design at Vermont Yankee is "passive" in that the vent opens via a rupture disk at a predetermined pressure. TVHUVENTINGX models the operator action to close the vent (after automatic opening) and to re-open the vent, in order to control containment pressure as specified by the VY EOPs. For most accident sequences, this action would not be required until many hours after accident initiation, and the TSC would be expected to assist the Control Room operators in implementing the plant's venting guidelines. Based on our review of the VY EOPs and venting guidelines, and based on interviews with the plant staff, we judged that there was a moderate potential for a misdiagnosis, estimated as P1 = 1E-02. Manipulative error associated with opening/closing of the vent valve was judged to be relatively small (i.e., approximately 1E-4 to 1E-3 and dominated by the misdiagnosis error).


Q8: The consideration of time is important in applying performance shaping factors and the submittal is not clear regarding how "required" time (i.e., the time needed to perform the action) was determined for the various post-initiator human events. The EPRI methodology, referenced in the submittal, notes that timing determines important factors that influence the operator's ability to diagnose the problem, decide what actions are appropriate, and complete those actions within the required time window. The referenced EPRI document identifies the importance of using plant-specific information when determining mean response time T4.

For each post-initiator human event examined, provide the time needed for the operator to diagnose and perform the actions and the bases for the time chosen. For example, were time walkdowns performed for time-critical actions and were assumptions about accessibility, availability of tools, and so on, verified by walk-through inspections or "simulations" of operator actions in the plant?

A8: Interviews with plant personnel were the main vehicle used to obtain the "required" time for post-initiator operator actions and other insights into performance shaping factors. Information on accessibility and availability of tools was gathered at these interviews. Interviewees included Trainers, EOP Developers, Senior Reactor Operators, and Shift Supervisors. Observations of simulator scenarios were used to confirm and supplement the interview results.

The values of T4 used in the EPRI correlation are averages of the times taken from the interviews. These values are provided below (see IPE Table 3.3.3.2 for a description of each action):


Action          T4
A0PHR1FL        1.4 min.
A0PHRSFL        1.7 min.
B0PLPCFL        5.0 min.
K0PATWS1FL      1.9 min.
LOPACTFL        4.5 min.
COPLCSFL        5.0 min.
E0PADMFL        5.2 min.
E0PADSFL        5.2 min.
E0PEDIFL        3.0 min.
E0PED2FL        4.0 min.
E0PSM1FL        4.5 min.
E0PMD1FL        4.5 min.
ADINHIBITFL     2.0 min.
R0PN01FL        30.0 min.
00P001FL        1.4 min.
RM0PBASE        30.0 min.
RM0PATWS        4.5 min.
OPMSIVBP        11.0 min.
HOPCRDFL        1.5 min.
HOPALTINJFL     0.0 min.
J0PFIS01        20.0 min.
STOPCST1FL      30.0 min.
10PSLMCF        1.7 min.
10PSLMCS        1.7 min.
LCATWS1FL       3.0 min.
LCATWS2FL       3.2 min.
LIATWS1FL       3.0 min.
U0PVR1FL        33.2 min.
U0PVR2FL        8.2 min.
UOPVR3FL        8.2 min.
VROPERROR03     73.2 min.
CFHUN0EOP00X    30.0 min.
YOPAC1FL        3.0 min.
ISOPSIGFL       10.0 min.
ISOPLLFL        10.0 min.
X0PRSAFL        3.5 min.
DVHUDWP-00X     30.0 min.
TVHUVENTINGX    25.0 min.


Q9: It is not clear from the submittal how dependencies were addressed and treated in the post-initiator HRA. The performance of the operator is dependent on both the accident in progress and the past performance of the operator during the accident of concern. Improper treatment of these dependencies can result in the elimination of potentially dominant accident sequences and, therefore, the failure to identify significant events. Please provide a concise discussion of and examples illustrating how dependencies were addressed and treated in the post-initiator HRA such that important accident sequences were not eliminated. If the submittal did not address dependencies in the quantification, please justify. The discussion should address the following two points.

a. Human events are modeled in the fault trees as basic events, such as a failure to manually actuate a control. The probability of the operators performing this function is dependent on the accident in progress - what symptoms are occurring, what other activities are being performed (successfully and unsuccessfully), and so on. When the sequences are quantified, this basic event can appear not only in different sequences but in different combinations with different system failures. In addition, because the basic event can be multiplied by other human events when the sequences are quantified, it should be evaluated for dependent effects.

b. Human events are modeled in the event trees as top events. The probability of the operators performing this function is still dependent on the accident progression. The quantification of the human events needs to consider the different sequences and the other human events.

A9: Dependencies between post-initiator human actions were considered in the review of accident sequence modeling. Examples of actions that were considered totally dependent are provided below:

1. Manually initiate ADS. Manual initiation of ADS is required if the operator inhibited ADS earlier in the accident. Because there is a high probability that the operators will inhibit ADS per the EOPs, the analysis assumed that ADS always needed manual initiation.

2. Drywell Spray. Operator action to spray the drywell is an effective means of vapor suppression for LOCA sequences where the break flow is not directed into the suppression pool (i.e., for cases where a torus-to-drywell vacuum breaker sticks open, thereby allowing break flow to pass from the drywell into the torus airspace without being forced through the suppression pool). For Small and Medium LOCAs, operator action to open the SRVs for RPV depressurization is another effective means of vapor suppression (since reactor steam is forced into the suppression pool through the SRV T-quenchers). In our Small and Medium LOCA event trees, the operator action to depressurize the RPV upon vapor suppression failure is evaluated before the operator action to spray the drywell. Because these actions were judged to be dependent, we assumed that operator failure to depressurize leads to operator failure to spray the drywell.

Finally, we note that many operator actions appear alone (i.e., not "ANDed" with other operator actions) in accident sequence cutsets. For example, any one of the following operator errors is assumed to lead to core damage in the ATWS event tree:

- Operator Fails to Initiate SLC
- Operator Fails to Inhibit ADS
- Operator Fails to Depressurize on Heat Capacity Temperature Limit (HCTL)
- Operator Fails to Accomplish Level/Power Control
- Operator Fails to Initiate Low Pressure Injection


Q10: The submittal does not identify operator actions that are most important to CDF. Please describe the method used to evaluate the importance of human actions on CDF and provide a listing of those operator actions found to be important contributors to CDF.

A10: Several methods can be used to calculate the "importance" of an operator action. To identify the "contribution" of an operator error to the total Core Damage Frequency, we use the Fussell-Vesely Importance (FVI) measure. FVI measures the fraction of the total CDF in which the operator error appears as a contributing failure. Below we identify those operator errors modeled in the VY IPE whose calculated FVI is greater than 0.005 (listed in order of decreasing FVI):

Basic Event ID    Description
E0PADSFL          Operator Fails to Open SRVs for Vessel Depressurization (Small LOCAs and Transients)
J0PFIS01          Operator Fails to Initiate Firewater System and John Deere Diesel Generator for Alternate Injection (During SBO Conditions)
UREC0VERSW        Operator Fails to Recover Station Service Water and/or RBCCW Cooling
10PSLMCF          Operator Fails to Initiate SLC (Boron Injection) Given Main Condenser is Unavailable (ATWS)
A0PHR1FL          Operator Fails to Initiate HPCI/RCIC Systems (Small LOCAs and Transients)
ADINHIBITFL       Operator Fails to Inhibit ADS During an ATWS Event with Insufficient High Pressure Makeup
UOPACM1FL         Operator Fails to Initiate Alternate Cooling Mode
E0PMD1FL          Operator Fails to Perform RPV Depressurization for Vapor Suppression (During Medium LOCA)
LIATWS1FL         Operator Fails to Restore Low Pressure Injection after Level/Power Control (ATWS)
LCATWS1FL         Operator Terminates and Prevents Injection Before RPV Depressurization (ATWS)
IHESLCFL          Failure to Restore SLC System After Routine and Post Maintenance Flow Tests
W0PTBC01          Operator Fails to Start a TBCCW Pump from the Control Room
00P001FL          Operator Fails to Initiate/Control Feedwater and Condensate Systems (MSIV Closure Transient and Small/Medium LOCA)
YOPAC1FL          Operator Fails to Establish Vernon Tie
ZOPBCPFL          Operator Fails to Restore AC Power to Battery Chargers for D1 and D2 (during an LNP Condition)
LCATWS2FL         Operator Fails to Lower Water Level to TAF for Level/Power Control (ATWS)
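The FVI screening described in A10, as an added worked example (not part of the original letter or the IPE model): it computes Fussell-Vesely importance from a list of minimal cutsets under the rare-event approximation and keeps operator events with FVI greater than 0.005. The cutsets, initiator frequencies, probabilities and the HW_* hardware events are constructed for illustration; only the operator event IDs come from the response.

```python
from math import prod

# CONSTRUCTED basic-event probabilities (not values from the VY IPE).
# Operator event IDs come from the response; HW_* events are hypothetical.
PROB = {
    "HW_HPCI": 1e-1, "HW_RCIC": 1e-1, "HW_LPCI": 1e-2, "HW_CS": 1e-2,
    "HW_DG_A": 5e-2, "HW_DG_B": 5e-2, "HW_SW": 1e-3,
    "E0PADSFL": 1e-3, "J0PFIS01": 1e-1, "ADINHIBITFL": 1e-2,
    "A0PHR1FL": 1e-3, "UOPACM1FL": 1e-3,
}

# CONSTRUCTED minimal cutsets: (initiating-event frequency per year, events).
CUTSETS = [
    (1e-1, {"HW_HPCI", "HW_RCIC", "E0PADSFL"}),
    (5e-3, {"HW_DG_A", "HW_DG_B", "J0PFIS01"}),
    (1e-1, {"HW_HPCI", "HW_RCIC", "HW_LPCI", "HW_CS"}),
    (2e-5, {"ADINHIBITFL"}),              # operator error appearing alone
    (1e-1, {"A0PHR1FL", "E0PADSFL"}),     # two operator errors ANDed
    (1e-2, {"HW_SW", "UOPACM1FL"}),
]

def cutset_frequency(init_freq, events):
    """Frequency of one cutset: initiator frequency times event probabilities."""
    return init_freq * prod(PROB[e] for e in events)

def total_cdf(cutsets):
    """Rare-event approximation: total CDF is the sum of cutset frequencies."""
    return sum(cutset_frequency(f, ev) for f, ev in cutsets)

def fussell_vesely(cutsets):
    """FVI(e) = (sum of cutset frequencies containing e) / total CDF."""
    total = total_cdf(cutsets)
    contrib = {}
    for f, ev in cutsets:
        freq = cutset_frequency(f, ev)
        for e in ev:
            # A cutset counts once for every event in it, so FVIs can sum to > 1.
            contrib[e] = contrib.get(e, 0.0) + freq
    return {e: c / total for e, c in contrib.items()}

def important_operator_actions(cutsets, threshold=0.005):
    """Operator events with FVI above the threshold, in decreasing FVI order."""
    fvi = fussell_vesely(cutsets)
    kept = [(e, v) for e, v in fvi.items()
            if not e.startswith("HW_") and v > threshold]
    return sorted(kept, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for event, value in important_operator_actions(CUTSETS):
        print(f"{event:12s} FVI = {value:.4f}")
```

With these constructed inputs UOPACM1FL falls below the 0.005 cutoff and is dropped from the ranking, which is the screening step A10 describes.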
