DCL-08-057, Response to Request for Additional Information on License Amendment Request 07-04, Proposed Technical Specifications Change to Relocate Surveillance Test Intervals to a Licensee-Controlled Program (Risk Informed Technical ...
ML081980057 | |
Person / Time | |
---|---|
Site: | Diablo Canyon |
Issue date: | 07/08/2008 |
From: | Becker J Pacific Gas & Electric Co |
To: | Document Control Desk, Office of Nuclear Reactor Regulation |
References | |
DCL-08-057, LAR 07-04 | |
Download: ML081980057 (20) | |
Text
t PacificGas and ElectricCompany' James R. Becker Diablo Canyon Power Plant Site Vice President and Mail Code 104/5/502 Station Director P. 0. Box 56 Avila Beach, CA 93424 July 8, 2008 805.545.3462 Internal: 691.3462 Fax: 805.545.4234 PG&E Letter DCL-08-057 U.S. Nuclear Regulatory Commission ATTN: Document Control Desk Washington, DC 20555-0001 Docket No. 50-275, OL-DPR-80 Docket No. 50-323, OL-DPR-82 Diablo Canyon Units 1 and 2 Response to Request for Additional Information on, "License Amendment Request 07-04, Proposed Technical Specifications Chanqe to Relocate Surveillance Test Intervals to a Licensee-Controlled Program (Risk Informed Technical Specifications Initiative 5b)"
References:
- 1. PG&E Letter DCL-07-097, "License Amendment Request 07-04, Proposed Technical Specifications Change to Relocate Surveillance Test Intervals to a Licensee-Controlled Program (Risk Informed Technical Specifications Initiative 5b)," dated October 15, 2007
- 2. NRC letter to PG&E, "Diablo Canyon Units 1 and 2 - Request for Additional Information Regarding Proposed Technical Specification Change to Relocate Surveillance Test Intervals to a Licensee-Controlled Program (Risk Informed Technical Specifications Initiative 5b) (TAC Nos. MD6994 and MD6995)," dated June 13, 2008
Dear Commissioners and Staff:
By letter DCL-07-097, dated October 15, 2007 (Reference 1), Pacific Gas and Electric Company (PG&E) submitted License Amendment Request (LAR) 07-04, "Proposed Technical Specifications Change to Relocate Surveillance Test Intervals to a Licensee-Controlled Program (Risk Informed Technical Specifications Initiative 5b)." In this LAR, PG&E proposed to relocate all periodic surveillance frequencies from the technical specifications (TS), and place the frequencies under licensee control in accordance with a new program, the Surveillance Frequency Control Program. This proposed change was submitted as a pilot submittal in support of Risk Informed TS Initiative 5b, "Relocate Surveillance Test Intervals to Licensee Control."
By letter dated June 13, 2008 (Reference 2), the NRC requested additional information required to complete review of LAR 07-04. PG&E's response to that request is enclosed.
A member of the STARS (Strategic Teaming and Resource Sharing) ALliance X00/
Callaway . Comanche Peak
- Diablo Canyon
- Palo Verde
- South Texas Project
- Wolf Creek
Document Control Desk PG&E Letter DCL-08-057 July 8, 2008 Page 2 This information does not affect the results of the technical evaluation or the no significant hazards consideration determination, previously transmitted in Reference 1.
PG&E makes no regulatory commitments (as defined by NEI 99-04) in this letter.
If you have any questions, or require additional information, please contact Stan Ketelsen at (805) 545-4720.
I state under penalty of perjury that the foregoing is true and correct.
Executed on July 8, 2008.
Sincerely, James R. Becker Site Vice Presidentand Station Director tcg/4231 Enclosure cc: Gary W. Butner, Acting Branch Chief, California Department of Public Health Elmo E. Collins, NRC Region IV Michael S. Peck, NRC Senior Resident Inspector Diablo Distribution cc/enc: Alan B. Wang, Project Manager NRR A member of the STARS (Strategic Teaming and Resource Sharing) Alliance Callaway
- Comanche Peak
- Diablo Canyon
- Palo Verde
- South Texas Project
- Wolf Creek
Enclosure PG&E Letter DCL-08-057 Response to Request for Additional Information, "License Amendment Request 07-04, Proposed Technical Specifications Change to Relocate Surveillance Test Intervals to a Licensee-Controlled Program (Risk Informed Technical Specifications Initiative 5b)"
NRC Question #1 Section 3.0 of your request identified the requirement, imposed by the staff in its safety evaluation for document NuclearEnergy Institute (NEI) 04-10 for the implementation of risk-informed technical specification [TS] initiative 5B, to submit documentation with regardto probabilisticrisk assessment (PRA) technical adequacyper the requirementsof Regulatory Guide (RG) 1.200, Section 4.2.
Please provide this information.
PG&E Response:
The application of Initiative 5b at the Diablo Canyon Power Plant (DCPP) requires that Pacific Gas and Electric Company (PG&E):
- Justify any elements of the Regulatory Guide 1.200, "An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities," Revision 1 (NRC 2007) Standard, that have not been met in the DCPP PRA by performing sensitivity studies that demonstrate the accident sequences or contributors significant to the application have not changed.
" Identify key assumptions and approximations relevant to the application in question.
- Provide a justification of why the change does not impact the application's PRA results if a plant design or operational change has an impact on elements of the DCPP PRA model and the change has not been incorporated into the model.
Identification of the parts of the PRA that do not meet the required capability category/grade has been performed. Determination of the impact this has on each Initiative 5b application is being made during the evaluation process.
Because of the broad scope of potential Initiative 5b applications and the fact that the impact of assumptions differs from application to application, PG&E will address each of the requirements necessary to demonstrate technical adequacy on an application specific basis. This approach is consistent with the requirements in Regulatory Guide 1.200, Section 4.2, and the Pressurized Water Reactor Owners Group position on the issue.
1
Enclosure PG&E Letter DCL-08-057 Additionally, the DCPP PRA is a living PRA that is maintained through a periodic review and update process. The DCPP PRA model was developed in 1988, and has been updated in 1991, 1993, 1995, 1997, 2000, 2001, and 2006. Enclosure 5 to License Amendment Request (LAR) 07-04 describes a few major enhancements to the PRA model. In addition, other changes have been made to further refine the model (e.g., separation of vital DC power into early and late components).
Peer Reviews and Self-Assessments Peer Review (Certification) of the DCPP PRA model, using the Westinghouse Owners Group (WOG) Peer Review Certification Guidelines, was performed in May 2000. On the basis of its evaluation, the Certification Team determined that, with certain facts and observations (F&Os) addressed, the technical adequacy of all elements of the PRA would be sufficient to support risk significance evaluations with defense-in-depth input, for RI applications. The two "A" F&Os, related to the human reliability analysis (HRA) were addressed by upgrading the methodology used for the evaluation. The upgraded HRA was recently subjected to a focused peer review. The follow-on peer review process is to meet the intent of Section 6 of the ASME 2005 PRA Standard (Reference 4), and use NEI 05-04, "Process for Performing Follow-on PRA Peer Reviews Using the American Society of Mechanical Engineers (ASME) PRA Standard," as a framework to perform the peer review of the upgraded HRA. Although the HRA update included a pre-initiator analysis, that portion of the analysis was not considered an upgrade since the process and quantitative method, i.e., THERP, used in the update is similar to the pre-initiator analysis performed previously. Therefore the update was not reviewed against supporting requirements HLR-HR-A through HLR-HR-D. Post-initiator high level requirements HLR-HR-E and most of HLR-HR-F also did not apply to this follow-on peer review since the HRA update did not upgrade the process used for identification or definitions of operator actions. Table 1 summarizes the peer review team member conclusions for the follow-on HRA peer review. A summary tabulation of these new F&Os is presented below in Table 2. All the findings of this focused review will be addressed prior to implementation of the proposed TS changes either by modifying the model or treatment of the issue via a sensitivity study.
The "B" F&Os from the WOG Peer Review have also been addressed during model updates in support of LARs to extend the completion times for the emergency diesel generators and several emergency core cooling system components, and mitigating systems performance index calculations.
In addition to the WOG Peer Review, threeý recent limited scope.and independent assessments of the DCPP PRA Level 1 and Level 2 PRA models have been performed by leading industry PRA experts (ERIN Engineering, Scientech/Jacobsen Engineering, and Westinghouse). All these gap analyses were performed with respect to the high level requirements and supporting requirements (SR) in ASME 2
Enclosure PG&E Letter DCL-08-057 Standard RA-Sb-2005, "Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications" (ASME 2005), accounting for NRC interpretations of these requirements per Appendix A and Appendix B of Regulatory Guide 1.200.
One aim of these self-assessments was to identify SR for which the DCPP PRA may not meet the RA-Sb-2005 Capability Category II requirements (CC-Il).
Capability Category II is generally viewed, for a given SR, as sufficient capability for most currently envisioned risk-informed applications, and therefore is a good metric for self-assessment. However, meeting Capability Category II does not guarantee adequacy of the PRA for any particular application, and failing to meet Category II does not imply that the PRA is inadequate for a particular application. Section 3 of the ASME PRA Standard and various application-specific Regulatory Guides provide additional guidance with regard to selection of requisite capability levels for particular PRA attributes for applications.
The assessment by ERIN Engineering covered the technical elements for which requirements are specified in the ASME PRA Standard for Level 1 Internal Events at Power PRAs, with the exception of internal flooding and large early-release frequency (LERF). The results of this assessment and PG&E's responses are provided in Table 3.
The assessment by Scientech/Jacobsen Engineering was performed for the internal flooding hazard. The main concerns with this assessment are associated with:
(1) the lack of a documented walkdown confirming the assumptions utilized in the analysis, (2) a general lack of proper justification and clarity in the application of the qualitative screening criteria, (3) the need to account for the potential impact of floods on human errors included in the internal events analysis when analyzing flood scenarios, and (4) the lack of consideration of the impact of isolating flood sources.
PG&E intends to update the internal flooding calculations in 2009. However, based on the plant configurations, location of PRA credited components, elevations of the buildings in comparison with the major flood sources, and the numerous ways that water will migrate to lower elevations and finally to the outdoors, the impact of the above concerns on the conclusions of the current study and conclusions of its application will be negligible. Nevertheless, PG&E will address the impact of all the above concerns on the system under consideration prior to the application of the proposed request.
The assessment by Westinghouse was performed to determine how LERF modeling limitations will affect the Initiative 5b application. The documentation reviewed for assessment included the DCPP Individual Plant Examination (IPE), DCPP containment fragility assessment, regeneration of the Level 2 Model, updated Level 2 split fraction assessments, DCPP TI-SGTR performance assessments, and the most recent LERF quantification results. Additionally, the results of past peer reviews were also considered.
3
Enclosure PG&E Letter DCL-08-057 The focus of this review was to: (1) assess the status of existing peer review comments, (2) identify areas of excess conservatism, and (3) identify open issues and existing model limitations that may affect risk assessment of components involved in an Initiative 5b Surveillance Test Interval (STI) extension program. Of particular interest to the LERF model for the Initiative 5b application is the containment isolation valve model. The objective of the Initiative 5b review was to disposition the approach for the expected application, or to recommend an alternative modeling practice.
The PRA was also evaluated with respect to Capability Category II, and deviations from the Capability Category II supporting requirements (except documentation) were identified and dispositioned to ensure that these issues will not negatively impact the Initiative 5b STI extension program. In instances when the model did not fully meet all the criteria for the SR (to Capability Category II where applicable), but meets ASME Capability Category I for that SR, an explanation of how the intent of the SR is met for Initiative 5b application was provided. The two major areas of concern for this assessment were conservatism in the model and the treatment of uncertainty. PG&E plans to address all concerns, including these major concerns in 2009 and prior to implementation of the results of the assessment, for the systems under consideration for the STI extension program. However, the impact of these concerns on the risk-insights is negligible because the conservative nature of the results only would result in less flexibility for changing potential surveillance frequencies.
A discussion of self-assessment findings is provided above. As stated in of LAR 07-04, the DCPRA-1 988 was a full-scope Level 1 PRA that evaluated internal and external events. The NRC reviewed the Long Term Seismic Program (LTSP), and issued Supplement No. 34 to NUREG-0675 in June 1991, accepting the DCPRA-1988. Brookhaven National Laboratory performed the primary review of the DCPRA-1 988 for the NRC; their review is documented in NUREG/CR-5726.
NRC Question #2 Section 3.0 of your request identified the requirement,imposed by the NRC staff in its safety evaluation for document NEI 04-10 for implementation of risk-informed technicalspecifications initiative 5B, to submit documentation with regard to:
(a) the quality characteristicsof PRA models for which NRC-endorsed standards do not exist, per the requirementsof RG 1.200, Sections 1.2 and 1.3, and (b) the justification for the methods to be applied for assessing the risk contributionfor those sources of risk not addressed by PRA models.
Please provide this information.
4
Enclosure PG&E Letter DCL-08-057 PG&E Response:
NRC endorsed standards do not yet exist for seismic or fire PRAs. The following addresses the technical adequacy of the seismic and fire PRA models according to Regulatory Guide 1.200, Sections 1.2 and 1.3.
Seismic PRA Model PG&E used both the safety factor method as well as the probabilistic earthquake response analysis method to assess the impact of the seismic hazard. The main elements of a seismic PRA are the seismic hazard evaluation, structure and component fragility analysis, plant logic analysis, and event tree quantification. A summary of each of these elements of the risk assessment is provided below.
- The seismic hazard evaluation provides DCPP-specific seismic hazard levels and the probable frequency of occurrence. These are reduced to six seismic initiating events, each with a unique probable frequency of occurrence and a corresponding uncertainty distribution.
" The structure and component fragility analysis provides unique fragility curves, defined by the median ground spectral acceleration capacities multiplied by the product of randomness and uncertainty variables.
- The seismic plant logic analysis determines the consequence of various structural and component failures. This logic is added to the event trees used in the general transient event trees developed for the internal events PRA, as used in the IPE report. The event trees used for general transients were expanded and modified to account for seismic events. For example, a seismic component and structure event tree was added to the general transient event trees to provide a means to evaluate and map seismic failures.
Almost all nonsafety-related components and systems (e.g., main feedwater system) were assumed to fail with probability of 1.0. However, the seismically-induced loss of all offsite power is probabilistically treated and is based on the 230kV switchyard seismic fragility (a nonsafety-related system), which is significantly stronger than the 500kV switchyard seismic fragility.
The results of the original PRA model were:
- Internal 1.30E-4
" Seismic 3.7E-5 The current results are:
- Internal 1.08E-5
- Seismic 3.77E-5 5
Enclosure PG&E Letter DCL-08-057 The original contribution of seismic hazard to core damage frequency was significantly less than the contribution from the internal events. However, the current contribution is almost the same. This change in the results is partially due to the fact that almost all elements of the internal events analysis have been updated several times, whereas only some elements of the seismic PRA have been updated (e.g., fragility or hazard curves have not been updated). However, since the uncertainty in those elements that have not been updated is significantly greater than the uncertainty in the internal events hazards contribution, the impact of these nonupdated segments of the seismic PRA does not have a significant impact on the overall insights gained from the application of the seismic PRA model.
As with any external event analysis, walkdowns are a very important part of the technical accuracy of a seismic PRA. The original DCPP seismic PRA was developed as part of the LTSP, during the construction and licensing process. As part of the plant design and construction, extensive plant walkdowns were performed to determine structural and equipment seismic capability and detailed documentation of the walkdowns was developed. Additionally, as part of the LTSP, a seismic fragility plant walkdown was conducted by fragility and PRA analysts. The walkdown included an examination of Design Class II items that could lead to failure of Design Class I items (systems interaction program). No Design Class il items were found that could fail and put a safety-related component out of service.
An additional plant walkdown was conducted by NRC Staff and consultants as part of the LTSP in March 1988. The walkdown emphasized the seismic risk-important components and structures, and primarily focused on identifying potential failure modes.
Additionally, a confirmatory Individual Plant Examination for External Events (IPEEE)-
seismic plant walkdown was performed. The primary purposes of the walkdown were to:
" Understand failure modes and fragilities of lowest capacity structures and components,
" Walkdown components/structures that have been significantly modified since completion of LTSP (for example, safety-related block walls, sixth diesel generator, steam generator blowdown modifications),
- Review the potential for seismic/fire interactions,
- Review the potential for seismically induced floods and possible impact,
- Review containment performance/containment integrity issues, and
.0 Provide confirmation of the as-built, as-operated plant 6
Enclosure PG&E Letter DCL-08-057 The following personnel were involved in the seismic walkdown:
PRA Senior Engineer PRA IPEEE Seismic Lead Engineer PRA IPEEE Fire Lead Engineer Civil Engineer Equipment Qualification Engineer A walkdown checklist was developed, partly based on the criteria identified in the Electric Power Research Institute (EPRI) seismic margin document. The walkdown confirmed the reasonableness of the identified failure modes, as well as the consequences of failure.
The indirect impact of seismic events was also addressed. For example, the internal flooding scenarios were reviewed and none was determined to present unique seismic problems. Additionally, a number of the seismic top events include contributing causes of piping failure or other component failures which considers potential seismic flooding scenarios.
Seismically-induced fires were covered as part of the IPEEE study using the EPRI-suggested response to the Sandia Fire Risk Scoping Study issue related to seismic/fire interactions consists of the following three aspects:
- Seismically induced fires
. Seismic actuation of fire suppression systems
- Seismic degradation of fire suppression systems This treatment of the seismically-induced fires, although not probabilistic, is acceptable to the US NRC.
The IPEEE fire walkdown included a seismic/fire component. This portion of the walkdown activities verified, through visual examination, the pertinent details in identified fire areas relevant to each of the three aspects identified above.
Another important factor to consider in evaluation of seismic events is the impact of the earthquake-induced actuation of many alarms. The human actions that must be performed following a seismic event were analyzed using the results of the nonseismic estimates made for the internal events analysis. The values for the nonseismic human action failure rates were multiplied by a factor greater than one to!
account for lower success rates that may follow a seismic event. Seismic events may produce psychological stresses different than those following other initiating events.
The human action multiplication factors only account for the operator response. The fragility of the actuation equipment and of the equipment to be actuated is accounted for separately in the system analysis.
7
Enclosure PG&E Letter DCL-08-057 Although an industry-wide acceptable HRA model has not been developed, PG&E developed a three multiplication factors method to deal with seismic impact on human error probability (HEP): (1) one for seismic events with spectral accelerations less than 1.75g, (2) one for spectral accelerations between 1.75 and 2.5g, and (3) one for spectral accelerations greater than 2.5g. The multiplication factor for spectral accelerations less than 1.75g is typically 1.0. This means that the seismic event may initiate a transient (i.e., cause reactor and turbine trip and affect the performance of some hardware), but it will not significantly affect operator performance; this is treated like any other initiating event. For spectral accelerations between 1.75 and 2.5g, the operator may be disconcerted and confused by equipment and structure movement taking place around him/her, but he/she is unlikely to be physically affected. A multiplication factor of 5 typically was assigned to error rates for seismic events within this range. For spectral accelerations greater than 2.5g, the operator may be even more anxious and may be physically affected. The operator may be knocked down or knocked against something; things may fall on him/her, or the atmosphere may be clouded by dust limiting visibility. It is not expected that operators will be trapped or otherwise disabled by falling objects. A multiplication factor of 30 was used for these cases. These three multiplication factors were used for all significant human actions.
For less significant human actions, the largest multiplication factor, 30, was applied at all acceleration levels to simplify the model in a conservative manner.
Additionally, the availability of access routes has been evaluated in the event operators are required to perform local actions. This evaluation was performed by checking all of the operator routes to remotely actuated equipment for potential blockage resulting from a seismic event. No operator routes were judged as likely to be blocked.
In general:
" Recovery of damaged components is not considered in the DCPP seismic PRA.
" The correlation of damage between systems is not evaluated.
- The secondary effects were not directly addressed. However, secondary effects were considered as part of the qualification of components and structures (e.g., the raw water reservoir as a back up to the condensate storage tank).
Fire PRA Model Similar to PRA models for other hazards, the acceptable quality of a fire PRA is dependent on its intended application, and it is not practical to define specific quality requirements for every possible application. This section will provide a short general description of the DCPP fire PRA quality. For a specific application of Initiative 5b, PG&E will demonstrate the acceptability of its fire PRA quality by:
8
Enclosure PG&E Letter DCL-08-057
" Identifying those attributes of the fire PRA that are relevant for the system under consideration, and
- Addressing any limitations of the fire PRA model that may impact the risk insights for the particular system.
Technical Proficiency The original fire PRA model was developed as part of the LTSP project, and was reviewed by the NRC consultants. The review described the DCPP fire PRA model as a state-of-the-art model. This model was updated to support the 1993 IPEEE.
Currently, the fire PRA model is being upgraded based on the current state-of-the-art approaches and guidance to support transitioning the fire protection program to the NFPA-805 standard. PG&E intends to use this upgraded fire PRA model to generate the risk insights for all the systems that would have their test frequency changed using the Initiative 5b process, prior to implementation of the change. The upgraded fire PRA is expected to go through the peer review process in September/October 2008. However, in January 2008, the in-progress upgraded fire PRA model was used to pilot the fire PRA peer review. The results of the fire PRA peer review pilot process are provided below. Since the upgraded fire PRA model was not finalized, the resulting technical proficiency of the DCPP fire PRA model is described in terms of:
- The required modules of a fire PRA model, and
" Peer review team assessment of these modules.
A fire PRA model consists of several modules that are put together to represent the progress of a fire event from its initiation to its termination. These modules are:
Fire Initiation/Response Modules - This module includes the elements of the fire model that identify the fire initiator(s) and response of the fire protection features to the fire initiator.
PG&E has developed its fire initiation (fire frequency) submodule based on the NUREG/CR-6850 guidance and data. At the time of the peer review this submodule was complete. The reviewers found in general work had been performed in accordance with the NUREG. Two recommendations for improvement were to consider a Bayesian analysis of emergency diesel generator room fires to account for the two plant specific events (Unit 1 auxiliary transformer fire in 1995 and Unit 1 12kV bus fire in 2000), and to address one specific concern associated with the transient fire frequencies.
The DCPP fire response submodule has also been developed based on the NUREG/CR-6850 guidance incorporating generic and plant specific data on detection system, suppression and brigade response. The peer reviewers had no specific findings on this submodule.
9
Enclosure PG&E Letter DCL-08-057 Fire Growth Module - This module includes those elements that address fire growth by using deterministic evaluations. The module interacts closely with the fire initiation/response module to develop a complete and realistic picture of the consequences of the product of combustion generated from a fire initiator (develop fire scenarios).
PG&E is developing the fire growth module based on the NUREG/CR-6850 and NUREG 1805 guidance and methodology. At the time of the peer review, the overall approach, including the multi-compartment analysis, was developed.
However, implementation was not complete (approximately 20 of the 40 nonscreened fire areas had been evaluated). The reviewers determined that the analysis characterized the factors which influence the time and extent of damage and the time to damage. There were two findings; one related to the lack of consideration (as yet) of ignition source fire growth characteristics, and the second related to the need to justify the effectiveness of fire wraps.
Conditional Core Damage Probability (Conditional Large Early Release Probability) Module - This module includes several submodules that are used to identify plant initial response to a fire event (fire-induced initiating event) and to address the impact of a fire on the equipment credited for safe shutdown (implicitly (e.g., auxiliary feedwater pump) or explicitly (e.g., instrumentation used for operator action)). A list of all the submodules for this module is not provided here. However, a limited discussion of each submodule quality is provided here.
Initiating Event Identification - PG&E has developed its fire initiating event model in accordance with NUREG/CR 6850, and at the time of the review, this work was complete The reviewers found that the work had been performed in a systematic manner accounting for spurious actuations and had no significant findings.
Mitigatingq System and Instrumentation - PG&E has identified equipment and instrumentation to be addressed in the fire PRA model in accordance with NUREG/CR 6850. This submodule was complete at the time of the review. The reviewers found that the identification of equipment had been performed and documented in a systematic manner including a thorough review of spurious actuations. The reviewers identified two specific issues associated with the need to justify and document the exclusion of certain nonrisk significant equipment from the model and the possible impact of spurious actuation on success criteria.
Cable Selection - PG&E has performed cable selection in accordance with NUREG/CR 6850. This effort was complete at the time of the review. The reviewers found all aspects of this submodule represent best practice and in some cases go beyond the ASME Capability Category III requirements. For 10
Enclosure PG&E Letter DCL-08-057 example the analysis considers all potential circuit impacts and does not limit the number of possible hot shorts considered Fire PRA Plant Response Model - PG&E has developed a plant response model in accordance with NUREG/CR 6850. The work has been exceptionally challenging given the structure of the RISKMAN software which embodies the DCPP PRA. This work was complete at the time of the review. The reviewers found that the model includes fire-induced initiating events and the impact on accident mitigating system equipment and human errors that are appropriate based on the extent of fire damage. Furthermore, the review determined that the model is capable of calculating core damage frequency and LERF and that the spurious event review is sufficiently extensive to capture all spurious operation combinations that are significant to the plant response model.
Fire HRA - PG&E has piloted the development of the EPRI fire HRA approach which explicitly accounts for fire impacts related to stress, time and degraded plant monitoring instrumentation. The fire HRA screening analysis (albeit fairly detailed) was complete at the time of the review. The reviewers did not report any significant findings related to the method or its implementation.
Quantification - The quantification submodule is being performed in accordance with the requirements of the ASME PRA standard (HLR-FQ/QU). PG&E had performed quantitative screening of all fire compartments and quantification of 60 or more detailed fire scenarios atthe time of the review. The-reviewers had no significant findings related to this submodule but noted that the review could not be completed until sensitivity and uncertainty submodules are performed.
Control Room, Structural Steel Integrity, Seismic Fire interactions, and Uncertainty Analysis - None of these modules were sufficiently developed to perform a meaningful review.
The upgraded fire PRA model is currently being developed. The fire PRA model relevance will be maintained by enhancing the current PRA Model Maintenance Program such that changes to the programmatic, hardware, and configuration to the plant are monitored and reflected in the fire PRA model. The attributes of such a program will include sections that:
Provide a description of controls for documentation and monitoring of each specific component of the fire PRA model.
Provide guidance on the development, implementation and maintenance of the quality assurance program in addition to training and qualification of the technical staff Provide guidance on performing and documenting risk-informed updates (i.e.,
updates based on the relative perceived risk importance of a change) to reflect changes in plant design features, plant procedures, equipment 11
Enclosure PG&E Letter DCL-08-057 performance, examination/test results, and plant specific/industry failure information.
Provide guidance on assessing the effectiveness of management processes and adequacy of technical approach. Such assessment must include self-assessments as well as peer review.
In summary the overall DCPP Fire PRA Model Maintenance Program will contain the following major elements, and contain all the phases of the fire PRA;
" Monitoring Program 0 Maintenance Program
- Configuration Control Program 12
Enclosure PG&E Letter DCL-08-057 Table 1 - Summary of High Level Requirements for Human Reliability Analysis High Level Requirement Summary of High Level Summary of Assessed Capability for PRA Number Requirement HLR-HR-A Systematic process used to Outside the scope of review identify routine actions which may impact equipment availability HLR-HR-B Screening of events based on Outside the scope of review plant-specific operational practices.
HLR-HR-C Impact of failure of activities Outside the scope of review characterized as Human Failure Events (HFEs)
HLR-HR-D Assessment of probabilities use Outside the scope of review systematic process HLR-HR-E Set of operator responses Outside the scope of review established using systematic review of relevant procedures HLR-HR-F Failure to perform required Definitions of the post-initiator HFEs analyzed are provided and much of the actions represented by HFEs details about the associated sequences are contained in various fields of the HRA calculator. However, the HFEs are not sufficiently defined for an independent analyst to easily replicate the analysis. The accident scenario descriptions should be enhanced to describe succinctly the sequence actually analyzed including: (1) the preceding and concurrentactions and other events, (2) the accident sequence specific cues, a general definition of the desired operator response, and (3) the success criteria which is then used to define the time window available. Whether failures to perform required actions were appropriately identified prior to quantification was not within the scope of this review.
13
Enclosure PG&E Letter DCL-08-057 Table 1 - Summary of High Level Requirements for Human Reliability Analysis High Level Requirement Summary of High Level Summary of Assessed Capability for PRA Number Requirement HLR-HR-G Assessment of probabilities uses A systematic process has been adopted for quantifying the HEPs for well-defined and self-consistent post-initiator operator actions. The-methodology used is capable of process. addressing many important performance shaping factors (though not all those listed in HR-G3) and interaction dependency considerations. Some methodology assumptions are not clearly explained. While references for the response time assumed available are provided for each action, closer inspection reveals that the indicated reference is not always traceable to thermal/hydraulic analyses or simulations. Enough other inputs to the analysis are questioned to suggest that the HRA calculator inputs should be reviewed at the same time as the analysis is updated to the latest plant procedures.
The dependency analysis needs to explicitly list the factors considered in the assessment.
HLR-HR-H Recovery actions modeled only The model recovery actions appear to be plausible and feasible and were if plausible and feasible. considered in the dependency analysis. A review of the action evaluations is needed to assure that the procedural guidance is explicit for the tasks credited, and that critical steps are all included in the evaluation of execution errors. Like post-trip actions, the sufficiency of manpower available to perform the recovery actions was not considered.
The determination as to whether recovery actions are sufficiently included to provide a realistic evaluation'of.the most important accident sequences was not within the scope of this review.
HLR-HR-I Documentation. The HRA calculator provides a structured format for documenting the evaluation of individual actions. Areas for improving the documentation of these evaluations suitable for peer review, upgrades, and applications have been identified. Better integration of the dependency analysis results with the HRA calculator outputs would improve incorporation of the HRA into the accident sequence model.
A number of key analysis assumptions are described in the methodology writeup. These should be compared with the latest EPRI guidance on use of the cause based decision tree approach. Key sources of uncertainty associated with the human reliability analysis are not discussed.
14
Enclosure PG&E Letter DCL-08-057 Table 2 - Summary of New Fact & Observation Sheets with Contingent or Superior Levels of Significance Fact & Fact & Fact & Fact& Fact&
Observation Observation Observation Observation Observation Sheets with Sheets with Sheets with Sheets with "A" Level of "B" Level of "C" Level of "D" Level of Sheets with Significance Significance Significance Significance "S" Rating HR-G4-1 HR-F2-1 HR-F2-3 -
HR-F2-2 HR-G2-1 HR-G2-2 HR-G3-3 HR-G3-1 HR-G6-1 HR-G3-2 HR-G9-1 HR-G3-4 HR-12-1 HR-G7-1 HR-13-1 HR-G7-2 HR-H2-1 15
Enclosure PG&E Letter DCL-08-057 Table 3 Summary of Suggested Disposition Actions from the DCPRA Gap Analysis Applicable 1 1
- ASME SRs Description Action Priority( 1 ) (2)y Resolution 1 IE-A7 IE-A7 is met at Capability Category I; precursors are not directly factored into the LOW Initiating Event calculation file was model. However, this may be a pessimistic assessment, since insights gained updated to include discussion of from past precursors has been incorporated, so Capability Category II could be screening of precursor events appropriate. The set of initiating events modeled is believed to adequately represent the spectrum of applicable industry experience, and it is unlikely that not meeting Capability Category II for this SR would have an impact on applications of the PRA. Consider adding a discussion of how initiating event precursors should be addressed to either the H.1.6 calc or to PRA update guidance.
2 IE-A10, IE- IE-A10 is Not Met. The treatment of dual unit initiators should be reviewed, and MED-HIGH but Initiating Event calculation file was B5, SC-A4a, the documentation of the basis for the current treatment, or an update, should be Application-Specific updated to include discussion of SY-Al 1 developed. (potentially High for plant response to dual-unit initiators RITS 5b and similar) 3 SC-A6, SC- While SR SC-A6, SC-B1, SC-B3 are judged to be met, the issues in LOW (depending The Anticipated Transient without B1, SC-B3 C-significance F&Os DA-7 and TH-4 might have significance to particular on applications) Scram (F&O DA-7) and Pressurized applications. The impact of these should be considered on an application- Thermal Shock issues (under TH-4) specific basis until resolved. have been resolved and pertinent calculation file has been updated.
4- SY-A20 To meet SR SY-A20, a confirmation that credited systems, structures, and LOW-MED This issue has been addressed and components (SSCs) are able to operate in all modeled accident scenarios, (depending on documented in the pertinent including those where SSC design basis conditions may be exceeded, is needed. applications) calculation file.
16
Enclosure PG&E Letter DCL-08-057 Table 3 Summary of Suggested Disposition Actions from the DCPRA Gap Analysis Applicable 1 (
- ASME SRs Description Action Priority( 1 )' (2) Resolution 5 HR-D4 HR-D4 is met with one exception, lack of an established maximum credit for LOW Following the peer review process, recovery in the pre-initiator HEPs. Although a maximum credit is not assigned, the HRA model was updated using excessive credit is not taken for recovery. Therefore, this SR has been judged to the latest industry tool (EPRI's HRA be adequately met. However, this issue could easily be addressed in the calculator). The updated HRA was documentation. subjected to a focused peer review in 2007, and the reviewers comments are planned to be resolved in 2009. This finding will be addressed as part of responding to the focused peer review's comments. Meanwhile for any risk-informed applications, the finding will be addressed via sensitivity analysis.
6 HR-G4 HR-G4 does not appear to be met. The bases for HEP timing success criteria MED-HIGH but Following the peer review process, analyses are not adequately specified in Calc G.2; times are specified but the Application-Specific the HRA model was updated using bases for the times are unclear in the calc. (They may be documented in the (High for RITS 5b the latest industry tool (EPRI's HRA HRA Calculator.) (This assessment is based on information available prior to the and similar) calculator). The updated HRA was re-peer review of the HRA.) subjected to a focused peer review in 2007 and the reviewers comments are planned to be resolved in 2009. This finding will be addressed as part of responding to the focused peer review's comments. Meanwhile for any risk-informed applications, the finding will be addressed via sensitivity analysis.
17
I Enclosure PG&E Letter DCL-08-057 "Table 3 Summary of Suggested Disposition Actions from the DCPRA Gap Analysis Applicable
- ASME SRs Description Action Priority(1 )'(2) Resolution 7 HR-G5 HR-G5 does not appear to be met. The validation of human action timing is MED-HIGH but Following the peer review process, unclear. Calc G.2 refers to operator interviews for required times, but it is unclear Application-Specific the HRA model was updated using as to what this covers. (This assessment is based on information available prior (High for Risk the latest industry tool (EPRI's HRA to the re-peer review of the HRA.) Informed Technical calculator). The updated HRA was Specification subjected to a focused peer review Initiative 5b and in 2007, and the reviewers similar) comments are planned to be resolved in 2009. This finding will be addressed as part of responding to the focused peer review's comments. Meanwhile for any risk-informed applications, the finding will be addressed via sensitivity analysis.
8 DA-D2 DA-D2 is currently NA since there are no instances of failure events with no LOW Under consideration but no affect on applicable generic data. Consideration should be given to developing a process the application.
for estimating data for which there is no generic data source, consistent with the DA-D2 requirements, for future application.
9 DA-D7 DA-D7 is currently NA since there are no instances where existing plant LOW Under consideration but no affect on experience data are no longer applicable. Consideration should be given to the application.
developing a process/guidance for dealing with data that are no longer applicable, consistent with the DA-D7 requirements, for future application.
10 QU-D4 QU-D4 is Not Met. Consideration should be given to adopting a sampling MED, possibly Discussion of the review of process for review of nondominant sequences as part of the model quantification. higher on an nonsignificant sequences has been Application-Specific included in the pertinent calculation basis (High for file.
RITS 5b and similar) 18