Text

Responds to NRC 920520 Request for Addl Info Based on Review of 910913 Submittal of Ipe,In Response to Generic Ltr 88-20, IPE for Severe Accident Vulnerabilities
	ML20104A917
Person / Time
Site:	FitzPatrick
Issue date:	09/01/1992
From:	Ralph Beedle; POWER AUTHORITY OF THE STATE OF NEW YORK (NEW YORK
To:	; NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
	GL-88-20, JPN-92-046, JPN-92-46, TAC-M74411, NUDOCS 9209140256
	Download: ML20104A917 (91)
	v • d • e

- _ . . . - _ . .. .- -

t-123 Main St+eet . .

l' Wiute Pia;ni, NewWrk 10601 E 914 681 6846 i #> NewYorkPower a.isu. ...

4# Authority faira%"'T"'

September 1,1992 JPN-92-046

, U.S. Nuclear Regulatory Commission j- ATTN: Decument Control Desk U Mail Station P1 137 Washington, D.C. 20555

SUBJECT:

James A. FitzPatrick Nuclear Plant Docket No. 50-333 Individua! Plant Examination

}:

References:

1. NRC letter, B.C. McCabe to NYPA, dated May-20, .1992, l " Request For AdditionalInformation Regarding. Individual Plant.

Examination-James A.'FitzPatrick Nuclear Power Plant."

I

2. NYPA letter, R.E. Beedle to NRC, JPN-91-048, dated September 13,1991, providing the FitzPatrick IPE.

3. NRC Generic Letter 88-20" Individual Plant Examination for--

l Severe Accident Vulnerabilities," dated November 23,1988.

i l

Dear Sir:

The Authority's response to the NRC request for additionalinformation (Reference '1) regarding the Individual Plant Examination (IPE) for the ' James A.

FitzPatrick Nuclear Power Plant is provided in the attachment.;The NRC request -

was based on the review of the iPE report (Reference 2). The IPE was prepared in.

' response to Generic Letter 88-20 in which the NRC requested all utilities to perform a systematic examination of the nuclear power plants to identify plant . specific features which may constitute a vulnerability to severe accider.ts.

' Should you have any questions regarding this matter, please contact Mr. J.A. Gray, Jr.

Very truly_y urs,-

-w gg 4,

Ralph E. Beedle ~ N. 4

Attachment:

as stated >

cc: see next page t-I

-l 9209140256:920901 3 PDR. ADOCK'05000333 ); j-

.p. PDR _. ;j.

l 4

cc: U.S. Nuclear Regulatory Commission Region 1 475 Allendale Road King of Prussia, PA.19406 Office of the Resident inspector U.S. Nuclear Regulatory Commission P.O. Box 136 Lycoming, NY 13093 Mr. Brian C. McCabe Project Directorate 11-Division of Reactor Projects-l/ll U.S. Nuclear Regulatory Commission Mail Stop _14 B2 Washington, D.C. 20555 -

1 + ..

-a F

3..

1 j ._

c-A L.

v

.i-

! JAMES A. FITZPATRICK NUCLEAR POWER PLANT INDIVIDUAL. PLANT EXAMINATION (IPE)

L

RESPONSE TO REQUEST FOR ADDITIONAL INFORMATION (TAC No. M74411).

t

.I i

i l-i 1

i

~l 4

1 I ; ; _. , . . , . - __.-.....s. . . _ - , _ - . _ - - , - - . . . - . - . . .A ;-- - , , 2d -

t 1 Item 1 R_eeuest With regard to the peer-review process please provide:

(A) A summary of the in-house peer-review group findings, including recommended changes, and the disposition of recommendations. (NUREG-1335 notas the benefit of having the IPE reviewed in-house.)

(B) A listing of technical findings and recommendations of the 1 three outside consultants that reviewed the IPE and a discussioc of the disposition of any recommendations.

Response

The internal peer-review was performed in two. stages. First,.the methodology and guidelines document, individual system work packages (system descriptions, fault trees, and data), event trees, accident sequences, and other. analyses were reviewed by cognizant operations, maintenance, technical services, instrumentation and control, licensing, and training staff both at the plant and in the head office departments supporting the-plant. Second, an independent review team reviewed a draft of the IPE final report.

The review of individual work packages, etc., entailed the scrutiny of documents and plant site meetings to ensure the accuracy and adequacy cf the models used.- These reviews and meetings'were an integral part of-the information gathering process for the IPE. The consultationstware comprehensive and conducted to the satisfaction of.the authors of the1IPE and plant and other Authority staff.

The formal in-house independent review of the draft IPE' report was conducted by a review team comprising:-

E Herschel Specter--Technica? advisor to the Executive-Vice-

-President, Nuclear Generation (Chairman of the Review Committee)

As chairman-of the independent review committee, Mr. Specter coordinated the review and prepared a final report.-

E- George Wilverding--Manager, Nuclear Safety Evaluation; Chairman, Safety Review: Committee (SRC)

Mr. Wilverding focused on the comparison ofLJAF and Peach Bottom.

1

l u Frank Pesce--Director, Quality Assurance

. Mr. Pesce's review addressed conformance with NRC guidelines for the development of the IPE.

s Verne Childs--Senior Nuclear Licensing Engineer, JAF Mr. Childs' review focused on ensuring the accurate portrayal of systems, operating procedures, plant response to initiating events, and subtle dependencies.

The comments made by each member of the review team will now be summarized together with the response of the authors of the IPE to them, t

Eerschel Specter (Technica) =dvisor to the Executive vice President, Nuclear Generat LL The majority of Mr Specter's questions and comments were made to clarify statements made in.the draft report:

a " . . . . (how can the 10~*/ year cut-off value for sequence development be reconciled with the 10~' truncation value, espluding initiating event frequency, used in accident squence quantification?) . . ."

h Th2 104 cut-off value for sequence development was applied to gequences in which:

k o The probability of the first two or three events 4

(including the initiating event) was <10 / year o Additional failure events with-probabilities of 104 or

, less would have to occur to cause core damage.

Therefore while the 104/ year was quoted to curtail discussion of accident sequences in the IPE report, the cut-off value used to stop sequence development was actually 1048/ year or less. For example, sequences which entail a large LOCA (A) and loss of offsite power occasioned-by random failures (B1) start with a probability-of 6.73 x lod / year.(the product of lod / year _ (A) and 6.73 x 10 4 (B1)).

Because further events must be included in each sequence to cause core damage and these events have failure probabilities,of 10 4 to 104 , sequences containing the events A and B1 were developed no further. 1 The 10 # sequence probability,-excluding initiating event frequency, was the value used to truncate _ sequence quantification in the sequences developed.

2 j

iL ,

$'^ l

I l

! .E "(. .the assertion that *if containment fails before core

damage, a greater-release of_ fission products to_the.

environment occurs

is not always true.. For example, if the failure occurred in the wetwell air space, the releases.

would b.e less than those resulting from drywell-~ failure that

, occurred af ter reactor vessel failure) ."

5 The report was modified appropriately.

I "

E ... query the validity of certain dominant SBO' accident ,

sequences."

! These sequences were subsequently reevaluated with an additional emphasis on recovery actions.

l. a ^ "A decision to omit piping ruptures from system models

!- cannot apply to breaks that initiate I.,0cAs."

t

[- A correction was made to the text.

i L Frank Peace (Quality Assurance)

While Mr. Pasca-and his colleaguew.found--no: specific deficiencies-in the-contents of the report, t. hey did identify-- programmatic

weaknesses in the documentation-of. internal. reviews.and.the

[ control of-changes,-software and/ records. .The programmatic- ;

- weaknesses are based on the assertion that the IPE should.be

treated as a: safety-related document because of its use to-support decisions relating to safety.-~However,-the authors of- ,

i the JAF IPE took the position that without a NRC-mandated formal record program with attendant. quality program-requirements, the retention of all documents-essentia1 to an audit required in i

- Generic Letter-88-20 met-.all reasonable lr.equirements'..

[ Accordingly, no steps were taken to enhance documentation and control of changes, software and records.-

- Georae Wilverdina insammaer -Muclamr safety Evaluation)

! - Mr. Wilverding's' comments-wereiessentially: editorial-in' nature.

v l Yerne childs (Senior Nuclear Licensing Engineer. J1F)

L I

Mr childs'-review focused on the accuracy of-the' descriptions of "

L systems,rtheir functions, and/ behavior. For example,.he? pointed

. out-that:

o l

P l

I

'These rea p irements are further detailed in taaEG 1407, "Procedare and siamittet Guldence for the Irdiviesel -

Plant Enaminetten of Externet Events for Severe Accident vulnerabilities," Apperdix 0,.Pg 0 4.' Staff response ,

- to eusetten 1.5.

3-

5 Discharge of reactor coolant through the RHR-heat exchanger tube sheet gasket was not a feasible'V sequence (interface system LOCA).

a Success of high pressure coolant injection using RCIC with suction remaining on CST in small break LOCAs implied that RCIC provides reactor rake-up during, rather than after, containment venting, a The operator may be required to realign Joads supplied by

the 4.16-kV electric power system during full load testing of the EDGs as well as upon loss of a bus, a The double 4.16-kV bus tie / isolation breakers connecting safeguard buses to their non-safety-related normal supplies trip before, rather than upon, closure of the EDG output i breakers to prevent EDG overload and to separate the safety-related and nonsafety-related power distribution systems, In addition to'the internal peer-review, three outside experts also made a detailed review of a draft of the final IPE report.

The experts were:

m Dr. Norman C. Rasmussen, McAfee Professor of Engineering, Massachusetts' Institute Technology l

Professor Rasmussen provided an overview of the methodology, j the application of fault and event tree analysis, and

! confirmation of the " reasonableness" of the results when examined both in isolation and in comparison with Peach Bottom.

l C Dr. Gareth W. Parry, NUS Corporation l

l Dr. Parry confirmed the adequacy and applicability of the-accident sequences and reviewed the scope of the analysis of L

subtle dependencies and data.

5 Dr. Alan D. Swain L Dr. Swain validated'the human reliability analysis described in the draft' report with respect to its methodology and adequacy and-the accuracy of results.

The comments of these reviewers can be summarized as follows.

Professor Norman C. Rasmussen

. Professor Rasmussen summarized his comments by stating that he found the report to be "well laid out and clearly written. The 4

I

1 essential information ... seems to all be there." He did, however, pose a number of questions and remark upon specific changes that he felt would be desirable. Most of these questions and changes were editorial in nature and the text of the IPE report was changed to address them. Other changes and questions were technical. These changes and questions and their resolution are as follows:

[1] "Use of a 10' cut-off in the event sequences may cause concern unless you can show what is eliminated is much less (Chan) that what is kept."

As noted in the response to Mr Specter's comment, a cut-off of <10*/ year was used to curtail sequence development. In event sequence quantification, a sequence probability of 104 excluding initiating event frequency, was used for event sequence truncation. This cut off level ensured that the causes of at least 95 percent of the accident sequence frequency were computed.

[2] "You oliminated floods (as a potential cause or contributor to core damage) but also suggested some changes to the plant to better cope with floods. This seems somewhat inconsistent."

The internal flooding analysis did recommend that additional protection be provided to protect motor control centers BMCC1 (for RCIC) and BMCC2 (for HPCI) from spraying or splashing effects. These motor control centers are close to the stairways in the reactor building. This recommendation was retained as it provides a simple and inexpensive way to

, eliminate a potential minor contributor to causes of core l damage at JAF, regardless of the fact that its risk significance is low.

(3) "A core melt starts at 11 brs. so it is not clear that electricity recovered in 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months will save the day. It seems to me that this may not be conservative... The probability of non-recovery of power is very important in determining (core damage frequency) . "

In the dominant sequences initiated by a loss of offsite power, recovery of offsite power was considered--a probability of 0.013 for the non-recovery of LOSP in 13 hours1.50463e-4 days 0.00361 hours 2.149471e-5 weeks 4.9465e-6 months was included for requantification. This time allowed for HPCI failure on battery depletion after 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months and core damage after 13 hours1.50463e-4 days 0.00361 hours 2.149471e-5 weeks 4.9465e-6 months . It was assumed that core cooling would be implemented rapidly after power recovery.

1 5

Dr.Gareth W. Parry Dr. Parry in his summary of comments upon the IPE stated that "the' project staff-are to be complimented on the thoroughness of 4

the analysis which will produce a high quality PRA. Because the team has done such a thorough job, I have relatively few comments to make that would significantly alter the results of the study, i.

although I do feel the core damage frequency is a little low."

Dr. Parry divided his comments into four main groups: accident sequence development, parameter estimation, sequence quantification and recovery analysis, and others. His non-editorial comments and their resolution follow.

Apcident Sequence Development (1) "In the ATWS event trees, the need for blowdown to maintain pool temperature below the HCTL has not'been addressed. The significance of depressurization is that it allows low

~

pressure-systems to inject. While there is an instruction to secure all injection other than SLC, CRD, and RCIC, if the operators forget a low pressure system such as condensate, they could after blowdown experience a sudden

, injection of cold water. This may not be a significant effect numerically, so I wouldn't change the trees right nov. However, it is worth discussing with training /

1 operations to stress the need to think of the condensate systems. Condensate is picked out because it -is (not) a safety system as such, and might be overlooked land was in the case of one simulator exercise that was observed, although not a t JAF) . " l

{ Because of.the low probability, the need for blowdown-and securing a low pressure injection systemLwas not addressed i explicitly in the event trees. Furthermore,_the Authority contends that the EOPs are clear and that level control procedures will mitigate any failure to secure the condensate system.

Parameter Estimates l [2] "The battery failure rate assumed a mission time model rather than a standby failure race."

The fault tree model was changed to reflect the use of a standby failure. rate.

(3). "The failure rotes for the diesel generator. . . as backed out from the CCF (common-cause failure) -rates appear to be very low compared to other assessments ( 10 4 for fails to start, and 10' for fails to run) . I think you ought to make sure that these are defendable."

6 l

The probability of a common-cause failure of four. diesel-generators to start was calculated as the product of-a probability of 1.15 x 10 4 the plant-specific _ independent failure to start probability for a single diesel generator, and a beta' factor of 0.038. _The common-cause. failure probability is therefore 4;37 x 10 4. The probability of a common-cause failure to start-four diesel-generators was calculated with a beta factor of'O.013; theLeommon-cause failure probability is_1.5 x 10 4. The beta factors were taken from NUREG/CR-4550, Volume 1, Revision 1, Table 6.2-1.

(4) "The CCF analysis, using.NUREG-1150 values 2c: <he common cause factors, is not a plant specific analysas. _ While-the numbers that result appear in the' right ballpark, the-vay-the analysis was done-does not give any insight into why.

CCFs at the-plant have such~1ov values. . I would-strongly:-

recommona thata:at some point, the staff shruld' review the data on-which these parameter estimatas are based...-

concentrating on failure mechanisms and defenses:to enable; the project staff to: give: plant-specific reasons why -the CCF .

probabilities are expected to be low."

This issue is addressed in detail in the: response to

-Item 13. In: summary,fthe basic methodology-employed in;the common-cause failure analysis was thac. described in NUREG/CR-4550, Volume 1,. Revision 1, Section:6 and is described in the JAF IPE, Volume.1, Section 3.2.3.3. To-account for potential'. common cause failures,oredundant components were systematically examined-and potsntial common-cause failures were-included.-in the system models at-appropriate levels. Becauseino JAF: plant-specific common-cause failure data werecidentified,-beta factors'from.

NUREG/CR-4550, Table 6.2-1 were used in-the1 development of all common-cause. failure probabilities except-those.for-battery; failures.

(5). "The ,use of actual train / component maintenance

. unavailability;rather than using values pooled across the system, gives rise-to an unwarranted model' asymmetry. IWhat

.is done in the JAF PRA l's-not otandard-PSA practice."

This issue-is addressed.iCdetail--in the response to Item:8.-

In summary, if altrain:is rendered unavailable by the >

removal:from service'of-certain components or: subsystems-s within theDtrain,.then the unavailability;of.the train occasioned by. tests land maintenance can be? calculated as the

-sum of= test.and maintenance unavailabilities of the-components or subsystems. . Estimatestof-trainTlevel unavailabilities= occasioned by; test and maintenance vere based-on the daily; plant status-reports (DSRs) issued _at!JAF-7 4

. .. .~ ~ _ - . .- -

L.

i- 1 1

I and_ supplemented 1by data from the plant logs and'the 1 maintenance-work order packages.- _The_ Authority believes that the use of actual train data is appropriate because l these data reflect real differences between_ trains.

Englance cuantification and Recovery Analysis

, .l

[6) "T1-33 (and ;others like:it) . The^ recovery action identified is recovery of offsite; power co re-establish the condensate system as an injection source.- since the principal cutsets are associatedc vith valve failures, manually opening these i valves would be a more appropriate recovery action s :given that it would take some time to restart the condensate.

systems."

[ The possibility of recovery in accident sequences associated ~

l~ with: valve failures-was re-evaluated with= credit taken for the manual opening of--valves as'a; recovery action. This i action:is described in the JAF IPE,_ Volume--2, Section '

! E3.3.1.1

{

t (7) "There-are many ATWSisequences'with multiple recovery actions ~(that) . . are f treated- as being independent. . .

l (However), : these recovery actions. . - are dependent. "

l l The ATWS. tree was restructured 'such thatLfailure to determine the'need to inject.SLC (event' C1) would preclude

_any subsequent: recovery associated withJpower control.

(8) "Use of;the 104 ' cutoff on sequences. .I?n -still a little-

, concerned about~ 1osing some contribution:to . core damage

, ' frequency, since with the,very'large-number _of basic events, caused-by a-more detailed decomposition than-^used:in more -

i '" standard" i PRA component boundaries,;-the combinatorial

. : factors could;nount:up."'

'This: concern--is addresse'd in-the responselto Professor Rasmussen's-comment (1). -

Miscellaneous Items

'(9) . "Some sensitivity studies would help. One: that vas

~

, .identifled was'the use:of a;four' hour rather than an elghtJ hour depletion time under_ SBOiconditions. 'The' allocation of' a sero probability to' the chance of the depletion time being.

less than eight' hours is too optimistic."

Sensitivity: studies werefperformed)for station blackout andi U for human

recovery events. :For_ station blackout,fthe mean: l core damage.frequencyJfromtinternal-;causesLis--dominated by 1 long-term _ station blackout sequences.-tThis freefuency was l

^

8-i=

\L . , _ , , _ _a u - ~ _ . , , , . . . - . . . . . _ _ , , . . . ~ . . , . . . . - . . . . . . _ _ . . - . . _ - _ , . . . . _ . _ . . . . . . . . . _ - _ _ -

. - . - . . .- - . - . . . - - - ~. . - ~ ~ . - --

1

) estimated assuming battery depletion in 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months and non-h -- recovery of offsite power.at 13. hours. .To determine the q sensitivity of internal core damage frequency to the battery !

j 4

I depletion time, two analyses were performed. In_these, the l core damage frequency resulting from: internal _causes was u recalculated assuming a) 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months battery depletion and non-

recovery of offsite power-atz8 hours: and b) 6 hour6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months ' battery J depletion and non-recovery-of offsite: power at 11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months .

2 The results of these sensitivity analysis were presented in j the JAF IPE, Volume 1, Table 3.3.6.9. _It was concluded:

that the core damage frequency would rise from'1.92 x 10 4 to j 2.56 x 10 4 / year if-4 hour-battery depletion and non-4 recovery of.offsite power at 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months were assumed.

L (10] "The distributions on certain; basic event probabilities i produce random samples with values greater than unity..

V . Either use a distribution like: beta, or a much smaller error-

factor to remove this unwanted, and unphysical, figment of

. the analysis."

L l The few basic event probabilities with-high means and1 error >

factor were treated as point estimates in uncertainty.

l analysis to avoid errors.

L

i. [11] "The treatment of the battery as a backup to loss of battery;

!. chstgers in-the D.C. fault-treesIshould be looked at again.

The mission time for the battery ought to be the average repair time for a charger or, if this time is longer than

the depletion time, no credit should be-knken."

l- No credit was- taken in SBO sequences forithe possibic: repair of failed battery' chargers.

I

!- _Dr. Alan D. Swain

!: Dr.LSwain's comments focused-upon-'the" human reliability-

. assessment.- Dr. Swain stated that his1" initial =impressionLis

-largely: favorable... - obviously considerables t% 7ught: has been given to:the. influence of potential human = errors:on1the;iccident-

. sequences evaluated. There'seensito be; considerably more.

infornation'about the role ~of operators in this1PRAJthan in others'I have evaluated. loneioflthe nosttimpressive1 features of _;

the'HRA is the.use'of'information fron-simulator' exercises' representingLa-large-number-of. accident' sequences analyzed'in the-

.PRA."-

Dr~ Swain-also noted.that._"...the primary HRA'_methodLand data. bank-used'are those presented in NUREG/CR-4772,7 Accident Secuence

-Evaluation Proaram Human Reliability ~ Analysis Procedure.(ASEP HRAP).. The;use of-this generic procedure 71s; intended to provi_de- '

Emore conservatism in an'HRA.than would'beithe case-wore use made

~

9 t

d

- -.-.. .~- . .-.- --. . ,.- .v-. - , ~ . . - _ . , , , - - , _ ~ , - ~ , , ,- , .- a 1

of the more analytical methodology and data bank in NUREG/CR-1278, Handbook of Human Reliability Analysis With_ Emphasis on Nuclear Power Plant Apolications. Thus, even though there might be some uncertainty or disagreement among HRA experts as to levels of dependence and other performance aspects assessed in the JAF PRA, there is built in conservatism, which, in my opinion, is desirable in a risk assessment."

The built-in conservatism associated with the ASEP HRAP is an important aspect of the HRA performed for the JAF IPE as it serves to allay concerns about the human error probabilities (HEPs) used.

Dr swain asked mahy questions and made many comments. While some of these were essentially editorial or related to problems with traceability or the correction of small errors, others were of more technical import. The latter questions and comments and the Authority's response to them are as follows:

(1) "In the Peach Bottom PRA, the published HRA included a reluctance factor of 2 for activation of SLC. In my separate, unpublished HRA I felt this assessment was' inappropriate, based on interviews with trainers and operators."

l In the JAF IPE, the reluctance factor for operation of SLC was based on actual simulator experience and interviews with trainers and operators. An noted in the JAF IPE, Volume 2, Appendix E, Section E2.1.3, no reluctance to activate SLC was observed.

[2] "Use of different craws for calibration of redundant channels is recommended. Is this policy followed at JAF?

Was credit taken for such a policy? Is this explained somewhero? Reference here to some other section would be beloful."

The schedule for the calibration of redundant channels at JAF is designed to ensure that they are calibrated at different times and by different crews. This schedule applies to instrument functional test and calibration of trip units and-level and pressure switches, etc. Credit was taken in the IPE for the use of different crews to calibrate redundant channels.

(3) "Have operators been training to use the firewater system as ;

described, and does the EOP/AOP include this? Was PRA 1 credit given for this possibility? In general, I usually take the position that without adequate practice of operator recovery functions, there should be no credit given in the PRA. I hope this is covered elsewhere in the report."

10 l

0 4

6

.The operators have been trained to use the" fire water' system '

[ to inject-water into the core through the RHRSW A header as.

described.in OP-13. This notwithstanding, no-credit was taken in the JAF IPE for use-of_the firewater system.

i (4) "Do' system responses include human performance? I-note that human performance rarely appears in the system event trees beginning on;p 3-15.- This could be a cause for some criticism of the PRA'. The tendency now is to put important I operator terms into the system event trees, as vas done in

, the Grand Gulf PRA. Perhaps the document could state a few

l. words on this-point about how human performance-has been '

incorporated into the' event trees. Perhaps the absence of

. human performance terms i! more apparent than real."-

The event trees were modified'to include human actions.

(5) " Observations-(on the performance of the various operating-crews):are very useful;in a qualitative sense and.can-be-used as aIbasis to lower ^ or raise tho' tabled:HEPs- ini the ASEP HRAP. If this is what was done, some' detailed description- of-such adjustments should be made; so- that it

, can be' evaluated, i.e., so that:what was donofis traceable. -

l: one need^not' apologize:for using such qualitative-

information to adjust / estimated HEPs,^but:the procedure for-doing so-should be aescribed."

~

l

! No specific; rules-wereigenerated to apply these

observations. . Rather, observations were made to ensureDthat

! there were no deficiencies'that would undermine the I

determination of HEPs.- Whilelthe. quality'of the-crews

[ demonstratedJin simulatorsexercises provides a strong? basis

! for the HEPs derived using ASEP HRAP,3the findings' based on r observations.of their behavior in simulator-exercises were:

1 used conservatively.

l (6)' "Section-3.3.3.5, Pre-Accident HRA~Results and associated i tables:: Traceability is inadequate at this ' point in the- . .

document. Where 1s the source, e.g.,'ASEP table number ^and

'itsa number?I I'think this should go in the table, as Was done in the: Grand Gulf HRA. There is no way I can_ evaluate ,

these estimated HEPs vithout further information. 'Perhaps.

i /this =information comes;later in the' report. If so, .

- reference in Section 3.3.3.5 should-be;made-to the appropriateIplace.: -(As I later-discovered,.the HRA document

- does not include this necessary ^1ntornation. )" _ ,

A'new/ table for(the; pre-accident lresults.vas constructed and L- aniintroduction describingJtheitable was providedtfor

Section 3.3.3.5. ' Subsequently,-Dr Swain wrote,"I-did review each HEP calculation;' assuming'thatLthe'clainsifor-recoveryf

! factorszand'thaznumber'of activities assessed were:indeed 11-

?

5'

, .- z. - ... .,.z,....,_ .- , . . . - . _ . . - . - . . - . . - .:.--.... .-_.-w - ,

1 a 1 i l i

correct, and that these claims can be-substantiated in a

' clearer and more detailed 1 description-of-the underlying human activities for the task assessed. I found:each

[-

arithmetic calculation to be correct, but I emphasize this i is only a check on the arithmetic."

[7] " HEP (for miscalibration of; steam line high flow

' transmitters) is questionable.. There appear;to be some .;-

possible misapplications of the pre-accident assessment l

rules from the ASEP HRAP. If the'following: problems are

\'

only the resuit- of- inadequate: writteni communication, and the.

assessment of recovery factors and number of' critical i actions-is correct, then the assessed HEPLis OK._ At the l very least, considerably;more explanation ~1s needed.

l'

a. Under "AGZZVITIES," it looks like Activity c has Lgg critical actions- while Activity D has a different ly12-

! critical : actions . Isn't it true that any one or more.

l of - the four " adjustments" would be' considered a

' failure? ;If so, the equation !or the NHEP.for 23DPT-76~

would have a multiplier of 4 rather'than 2,;an increase in WHEP by-a factor of-2.

b. The terms-used in Activities C and D: confuse me:

1.

" adjust zero adjust,* " adjust zero,"andl" adjust. span adjust," which is used twice.

4 i c. Under " DEPENDENCY," item (1) - implies l to me that.

L Activity c applies to one component (e.g., 23DyT-76) while Activity D applies [to the other. component (e . g . ,

23DPT-7 7) . But in iten (2) it states that there is-1: only one: component. Very; confusing language.

j d. Under " RECOVERY," para 1;appe_ars:to'be claiming-too many recovery factors.

1) First, there is no; description of the: activity;

! involved in Step S.3.3.4 or in Step:5.4.3.4'which j are; supposed to " verify

thats the two separate steps in Activity c-and-the.tvo steps in. Activity-

~

-D were carried'out correctly.. What does " verify *

\. .

V mean?' Is some;kindJof real' test conducted, ori does the original- performer just ;1ook at:some l ',

displays to/see:whatLthe values are?. I do'not give-any recovery credit for:anel person checking his own activities unless [ these ' checking .

activities-are' separated from the original activities in:both time and space., I would need more' description'of what takes; place before

. allowing any; credit at all.

t 2). Second,-even if it were valid to allow credit for L

- 12

- - - , v4

- = . .,

-l

. 1 i: l

- optimum condition #2 (the PC test), it does .not V seem correct to also allow credit for Optimum" L ConditionI#3. This smacks-of double credita in my opinion. Also it does appear.that the "different i time and place" requirement'of TS-1 #4c(2) is not met. In short, I' fail to see'any rationale for any recovery credit from Optimum conditions'#2 and

#3. Obviously, some clarification'is needed here.

e. Paragraph 3 under " RECOVERY," claims credit for a daily check (Optimum -Condi tion 14) . No mention is-made of the use of a writtenc checkoff: list per TS-1-14d. If such a list were used for all~ daily checks,:this

information could be stated once'in'the introductory l information related to the pre-accident: HRA. Based;on

! oral ~information from Ms. JDrouin, I= shall assume that a

written-checkoff list is used,

f. If Optimum Condition #3 is notIcorrect,-but Optimum

Conditions #2: and 14 areIcorrect, the -result --is Case -'IX i- in T5-3. ForLthis case, the- HEF would be -identical- to the HEP assessed..

~

If only Optimum: Condition)f4 is^

correct, the HEP would have: to be increased.

i

g. It would be helpful to a reviewer to-include--the.

correct Case number :from ASEP HRAP Table ;S-3 l in the

section on " RECOVERY"-in'the HRA for each HEP.*-

The Authority's-response to each item raised.is as follows:

l

a. In both cases the tasks are . highly L related and ,

_ constitute-one step .i.n the written procedures. Thus, complete dependence was assumed.

E b. .This-terminology is usediin the-procedure.

{; c. The activities-apply?to each-ofJthe componentso

? '

d. 1. Admictedly this1was:confusings butithe. post-

! calibration checklis an' actual' calibration test

- directed by thefprocedure.:

E 2. The verification task ensures 1that1the^restoratior

] -of the component is. complete and?it,is checked-off

~

! .(written check list) by ajsecond individual.-rIn-

? addition,.there:are severallindicatorsLin-thei

- control roonLthat: aust clear after4 restoration 1 and' J

- these are also checked.

e. A written check-offLlist-isiused..

f. The HEP is correct.

l 13

,, .- .--. . _ , . _ , , , -._ .,. . _ . . . - , . .,- .._..,_-~i

a 5:-

r g. RFs applied to each step or component-were included in tables.

Finally, Dr Swain-noted that "The equation for the total c NHEP in'which any: error on the calibration of one component -

is assumed to carry over to the second component provides

,L conservatism, which many reviewers would find laudable."

{ [8] "Are the JAF ROs (reactor operators) required to memorize

the entry conditions"for the 10 JAF EOPs?; If so, how often V are they tested to ensure that: they really =bave memorized '

tho entry conditions?. I: note:that the first entry-in Table 3.3.3.2 assesses a negligible <1E-5' HEP for; entering-the-wrong EOP. Required memorizationLand frequent testing could provide a rationale:for this HEP. .Otherwise, why should a-reviewer believe the <1E-S?" -

i .

, Operators at'JAF are required'toimemorize thecentry- ~

, conditions toLthe EOPs and practice.them.at least monthly

> during" simulator exercises.

. [9] "Another concern:is the-appearanceIof an' arbitrary ~use of a.

+ factor;of S or a-factor of 10 reduction in the' nominal HEPs

obtained through use of'the methodologyInnd data: base in

, NUREG/CR-4772, - Accident Secuence Evaluation Proaram Human.

. Reliability Analysis Procedure (ASEP HRAP) . ; There are two i points to'be:made^here. First,_ insufficient rationale was .

l sometimes provided to justify a reduction inJthe nominal HEP. Second,!the ASEP:HRhP itself provides^for use of lower a bounds b ot nominal HEPs if sufficient- justification ;is.-

provided.*:

t .

l While.not strictlyfin--keepingiwith the/ASEP HRAP L methodology, reduction of' nominal:HEPs:byffactorsfof Scor:10

- was-not arbitraryi Lower-bound valuesiand; recovery; credits:

i in the ASEP HRAP methodology generally result in reductions by factors;of;5 or 10. In situations where=the'HEPss generated lwith ASEP HRAP resultod in values that seemed:

overlysconservative-given"the: circumstances-in which the

-human actionlis expected-to' occur,, judgement was used to l determine the reduction factor. Reductions 1were based 1on

.euch aspects 1asethe simplicity'of. accident conditions, quality of the-EOPs'with regard to the accident conditions,-

operator. training.and. familiarity with the accident scenario,'the' decision:and1 response time available, criticalityfofLthe action under consideration,=and-crew performance:during simulator: exercises.. . These issues were

': addressed;in-the introductionJto Appendix-E of:the-JAFJIPE,1 Volume 2,:.and each. reduction.was explicitly-justified;at the

, appropriate place in the text.

.i 14

..n. _...,a__ ..;,_.,.. .. - - - ._..L,__.,.___..-m.

i 4

(10) "Another concern was inappropriate use of Table 8-5 in the ASEP HRAP. In several cases, seemingly independent (or at least not fully dependent) human actions were assessed as ;

, the equivalent of one action, and a single HEP was assessed l for the entire set of actions. This simplifica tion could i lead to optimistic estimates of critical HEPs. This probism l is mitigated to some extent by-the fact that the generic HEPs in Table B-5 are deliberately conservative. j Part of this problem, at least for me as the reviewer, was the lack of sufficient documentation, especially drawings, information on specific training and practice provisions of critical tasks, minimum control room staffing and estimated times of arrival of other personnel-after the initiation of some accident sequence,-and so on, <> described more fully in-the attachment to this letter.

Ms. Drouin and her staff will make a more datalled evaluation of what does constitute a set of completely dependent actionc, and re-assess the resultant HEPs accordingly. We went over a few of the operator actions involved, and it was apparent to me that some grouping of actions would indeed be appropriate. It would also be most i

inappropriate, and grossly pessimistic, to consider each action to be completely independent, and assign a nominal ASEP HEP of 2E-2 to each such action."

, The resolution of what constitutes a completely dependent set of actions is not easy. The approach taken in tha JAF IPE was to group' actions and consider them dependent if the actions were " spelled out" in a. logical sequence in a

~

written procedure and if the actions were to be carried out to achieve a single goal, othar factors considered in

( determining whether complete dependence existed in a setaof i

actions were whether operators will double check the procedural actions, the simplicity of the actions and

-procedure being-followed, the time available,-and the apparent understanding of the procedure demonstrated by the operators during the plant walkthroughs. During discussions with Dr. Swain, agreement was not always reached concerning which actions should be considered dependent. Where-disagreements existed, justification for our position was-provided in the JAF IPE.

(11) "The treatment of error ' factors (EFs) is not that recommended in NUREG/CR-4772, the ASEP HRAP. It is stated that "In general,'if the desired HEP was a composite of severn1 HEPs, the' error factor selected was that-associated l with the dominant HEP." The ASEP HRAP'provides a computer l program for propagating the error bounds through an HRA .

i

{

event tree consisting of more than one HEP. The JAF method -l would result in a final EF than would be smaller than the EF i 15 j l

l-

derived by propagating the EF associated with each HEP in

some set of actions. Frankly, this does not really bother.

me, as I think too much has been made of error bounds.

Given the generic naturo of_the HEPs in the ASEP HRAP, the associated EPs are not to be considered accurate estimates.

In my work in HRA I preferred merely to use the median HEPs. '

With the data availabic for estimating HEPs, the careful statistical treatment of EFs provides verisimilitude that is most inappropriate."

Final EPs were determined as described in the text. The Authority agrees with Dr. Swain's comments regarding EPs and chose not to use the computer program for propagating error bounds.

h [12) "E2.1.2: I cannot tell from the document which operator is involved and what and where the displays are located. 'SAIC

information indicatus the RO is normally near Panel 09-5. I.

agree that-" failure to diagnose" can be ignored. However, if NUREG/CR-4772 is being used as-the HRA procedure and data base, rather than <1E S for failing to verify and^ initiate -

i ARI and RPT and to ove.iride ADS, it would be more appropriate to assess the HEP for these immediate actions from TB-1-19f and T8-S #10 (my shorthand notation for Table 8-1, item 19f, and Table 8-5, item #10), and use 1E-3 as the nominal HEP. .Then if one can justify (in -the document) the use of the lower bound, the revised HEP would

. be 1E-4. .In general, if one is using-the ASEP HRA Procedure, rather than simply maxe some untabled (sic) _

i estimate, it is preferable to; refer to some ASEP HRAP table and item number and make appropriate adjustments from that starting point."

In the JAF IPE,. Volume 2, Appendix E, it was noted,that when an HEP was-determined to be-negligible, itEwas' assigned a value of "<10 4 " and the "<" sign was dropped for' systems analysis purposeP< ASEP HRAP allows the assignment of-

" negligible"-HEPs.in some circumstances, e.g., Table 8-1, item 9 A negligible probability of failure is traditionally assigned a=value of 10 4 and the-differences in

" negligible" do not seem critical. Thus,_'the values were not= changed.

(13} "22.2.5.2: .I assume that AOP-37 has each if of the steps in V this' lengthy procedure' fully documented. not, the assumption of a ste~-by-step task would:be inappropriate.

- The taking of time nessurements in a simulation of the task is obviously far superior to taking someone's time

. estimates.- My problem here is the assessment of just >ne HEP for the entire task consisting of many apparently.

critical actions. I see many opportunities for errors of 16 6

.. - . ~ - . ., . ., n , , , . - . s

omission. If the task is not practiced, errors of commission could also occur. Without more familiarity with this task, all I can say is that I believe che assignment of a single HEP for all the critical actions taken together is probably too optimistic. I cannot agree with the HEP.' Note the first footnote in T8-5 which states, "The HEPs are for independent actions or independent sets of actions in which the actions making up the set can be judged to be completely dependent..." The assessment of one HEP is equivalent to saying that if one of the many actions is done, the others will all be done. To me, this is ne' credible. I would probably not think it reasonable to isess a .02 HEP for each critical action; there are bound to be some RFs and dependencies. But with the information I have, I cannot make a realistic assessment."

The Authority elected to stay with the assumption that all the actions were dependent. The general reasons for making such an asrumption are described in item (10) above.

Furthermore, while the times listed for task performance in the report are single operator times, a second operator would be double checking the performance and could assist in carrying out the actions. In addition, a maintenance crew would also be available. Given that the steps are clearly spelled out in the procedure and the fact that during the plant walkthroughs a reactor operator who had only been licensed for two days was found to be completely familiar with the procedure, it was felt that complete dependence was justified.

[14] "E2.3.S.1: Following is my original evaluation, which was based in part on a misunderstanding of the accident sequence: "It is difficult for me to try to evaluate the level of stress involved if things get so bad that depressurization is required. Obviously, the analysts assumed only a moderately-high stress level. I think more justification is needed for that assessment, especially in view of the use of the lower bound diagnosis BEPs assessed.

My strong impression is that the assessment is unduly optimistic." My misunderstanding indicates that further information and justification is needed in the text.

Mary Drouin pointed out that long before Emergency Depressurization would be required, the crew would have been trying to maintain level with all systems available. And with the accident sequences being assessed, the need for l rapid, full emergency depressurization would not liksly occur. I think this could be made clearer in both Figure E2.15 (p E-47) and in the related text. It seems to me-that two analyses could be made to assesa: (1) the probability that the full-scale, rapid depressurization would have to be done, and (2) given (1), the probability that it would not 17

i

be accomplished. Hoderately-high stress would be appropriate to (1), and extremely-high stress might well.be appropriate to (2).

I degardless of what is done, I still find no. good justification for using the lower bound HEPs from Figure 8-1 i in the ASEP HRAP."

The Authority contends that all operators are particularly I aware of the fact that they must depressurize to use the low pressure systems. .In addition, they are trained cxtensively to do this when the appropriate situation arises. Thus,-the lower bound was felt-to be appropriate.

[1S) "E3.3.1.1: I disagree with the first sentence. To me, this is analogous to-a statement made by an'NRC person at a

meeting of HRA specialists. He stated. unequivocally that it.

\ dona not matter how many annunciators are screaming for the operaturs* attention. He_ believed that the operators will simply ignore those thet are not relevant to tho' situation and concentrate on those that are relevant. Para 1 'in E3.3.1.1 explains'avay all problems. I find'it not to'be a credible statement. It we are talking about a large LOCA, rannaber that 'an extremely-high stress level is assessed from t = 0.

I In discussions with' Mary Drm.2n, she strongly believes that-my assessment of extremely-high stress for.a Large Doch is '

no longer appropriate so many years after NAsH-1400. %'his is obviously a judgment' call .; ;I ~ prefer; to stick with the extremely-high stress assessment. A large LOCA is never, I i repeat, never anticipated. "It just cannot happen here."

In my judgment, the incredulity effect will be great."

The Authority believes that there.are enoughjcues-available !

for the crew to determine that a: problem, exists. .our I experience with operating crews is that they attempt-to H l

diagnose problems and in this situation: there are simple cues available and 50 minutes'are available for the diagnosis. . Purthermore, extremely high stress was assessed for the LOCA. case.

I (16) "E3.4.1.2:. The nominal HEP of .02 seems OK, butlthe factor of'10 reduction is not' adequately justified. At the most,

- from the description of skill levels involved in - this task, only a factor of' S reduction can -be assessed per the ASEP.

HRJ.P."

This is clearly a . matter of judgement. However, given the simplicity of the task'and the training.the. operators receive to make sure the task is accomplished,'the reduction of 10 was felt to be appropriate.

1B

A t

y.

1 (11) "E3.6.1.1: The argument seems reasonable, but the diagnosis median HEP for 660 minutes in F8-1 is about 2E-S rather than ,

12-5."

Dr. Swain is-correct. The HEP was changed i-

! [18) "E3 . 6.1. 2 : The assessment of task type and stress level seem appropriate, but the use of a single / HEP for the combinaldon of several actions is not given an adequate ,

- rationale. Read thc;first' footnote'in T8-5."

L This task requires the operator.to open or close;a valve or l breaker. With onlylone or two' things-to do, dependence: -

i seems. appropriate. In addition,nwith up to.11 hours1.273148e-4 days 0.00306 hours 1.818783e-5 weeks 4.1855e-6 months

! available, there is likely to be: plenty of time to recognize any problems. However,obecauseLthe-actions are performed -

i outside the control-room, no_ credit.was given for:a_second check. ' Accordingly, the 0.02 value'used11sJconservative.

i Finally, in summarizing the technical-findings _and '

recommendations'made in the' peer-review; process, it should be noted that all members of the review team stated that.they did j not expect any of.thess.: comments to result in'a major-change to -

i the predictions and conclusions of the JAF'IPE.

I-i t

i P

. 1 F

1 i

r i 1

f oj l 19- D i

~

& ?r,, a v e- ar,-,mn,-,,,,-a~ ,e w,n--,,,-,c .wn,-s. .n w . r e s,.e, + =--+,c, _a-+,,-- ,-s. , s. mer- Aw.,c,._....

i l

, - i i- 11AR_1 i

E99991%

r Discuss the treatment of plant-specific-design and operational

provisions that assure the long te'rm mateupTeapability,to.the-condensate storage' tank (CST) in order to achieve the successful long term operation of the. High . Pressure Coolant- InjectionL (!!PCI)

, system.or the Reactor Core; Isolation Cooling.(RCIC) system 1(after its suction switched back to the CST: from the suppression: pool).

and the long1ters control Rod Drive (CRD) injection to the.

reactor vessel during:the' containment. venting' scenario.- !

-RasDonse F

.The ability to provide long-term make-up toLthe CST will be challenged in sequences initiated byfa"LOCA in whichicontainment ;

venting occurs.1 However,. only inismall-break;LOCALsequences isc this of: concern:13the= predicted. frequency of sequences initiated.

by.largeLand' intermediate-LOCAs in"whien containment venting occurs .is below the 10 / year cut-off frequency identifiedt by;the 4

Authority.~

A'small, 1-in.' break,.LOCA williresultJin-CST depletion in'

approximately.22 hours2.546296e-4 days 0.00611 hours 3.637566e-5 weeks 8.371e-6 months , atLwhich1 time.make-up to theLCST'is required. The1make-up capability is providedLby.the

- demineralized water" storage ?and transfer system and is: addressed in plant operating procedures.F-OP-6/7/25. 1These: procedures:

identify the; steps,by:which waterfis transferred:to:the-CRD; system and: CST--successful-implementationiofxthe-proceduresnby 1 plant: operators will1 assure continued make-up,toitheLCRD system i and CST.

-For sequencesEnot initiated byLa LOCAs thermalNhydraulic 1

. calculations performed using the? MARCH _ computer: code: predict that makerupLis notfrequired,duringscontainment~ venting'for operation.

-of-the HPCI, RCICc or CRDLsystems within'the!24 hour-mission

-time--CST; depletion 11sipredicted'to' occur afterg44 hours.

)

d-

- I.

}

20 u _

m

w I

Item 3 1 Request !

]

l With regard to the treatment of internal flooding,_ discuss the 1

IPE's-assessment of failure of the-check valves located inside r the drain system between two independent rooms having independent ;

l safety components. ;

RifA9 ARA The potential common-cause_ failure.of ECCS equipment caused by backflow through a stuck-open check valve-in.the equipment and floor drain system was addressed in the IPE. The issue is discussed in the JAP IPE, Volume II,; Appendix H, page H-74.

In summary,:the-analysis of this potential problem was_ performed in-response to Information Notice No. 83-44, Supplement 1 (August

[ 30,fl990)_ issued by the NRC. The analysis _ concluded-that' backflow'from al flooded east crescent into the west crescent .l would have'to persist:for 2 hr 4 min.-before redunda'nt ECCS equipment is_ damaged and that backflow from aLflooded west {

crescent intolthe east crescent would-hav'e to; persist.for 3 hr 33 'j j

min, befera redundant:ECCS equipment is-damaged.-L It is. highly.

probable-that flooding within the'crescenta would..be detected and .

stopped before damage ~ occurred--annunciators 1would alarm at panel )

09-4 in the control roomfon a hi gh w ta er level"in the reactor building sump. -Accordingly, the: probability of damage.to ECCS equipment as a result of-backflow through-thofequipment and floor drain systems was considered negligible.

1 j

q a

1 I

-21

...x._ _ - - - - _. - - - , - ._--.-_1 .aaN=' -

A Y i

It em _ _4 Request

[

^

Provide a concise discussion of the IPE's treatment of Power Conversion System (PCS) recovery (if it.Vould have been lost during the initial 30 minute period of the transient). Include in this discussion the dependency information between the condenser and the reopening of the MSIVs and bypass valves.

R1122nte No credit was taken for PCS recovery during the first 30 minutes of a transient. PCS recovery was considered only for those transients which progressed to long-term loss of containment _ heat removal accident sequences-(TW sequences). Table 3.4.1.1 of the

. JAP.IPE (pages 3-472 to'3-487) lists transients in which_ recovery -

of systems, components and operator actions was considered. The possibility of PCS recovery was considered in 19 sequences:

PCS rg,govery with in _ lD_119_4rl T2-13 T3A-3-T1-12 -

T3A-2-T2-13 PCS recovery within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months T2-4 T3A-2-T2-40-T3C-5 4

T2-17 T3A-2-T2-40-T3C-27 T2-21 -T3A-2-T2-40-T3C-33

, 'T2-40-T3C-5 T3A-3-T1-4

, T2-40-T3C-2'; T3B-9-T2 g T2-41-SI-7 T3B-9-T2-40-T3C-5 T3 A-2 -T2 -4 T3C-5 T3A-2-T2-17 T3C-27 4

The probabilities of non-recovery 'ctf the PCS within 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months and

f. 24Lhours are 0.06 and 0.007, respectively.=_These data were

, excerptad from NUREG/CR-4550, Volume-1; Revision.1, Table 8.2-10 and!are presented in-the JAF.IPE, Volume-_II,_Section E3.2, pages

- E-59 and E-60.

i TheLdependency between the rectoration of condenser _ vacuum-and tJ2e reopening of the_ MSIVs and bypass valves is addressed in_ the-

- following plant procedures:_

r OP-1: Nain Steam. System i- OP-9:- -Main Turbine OP-24C: Condenser Air Removal AOP-15: Recovery from'an Isolation AOP-31: Loss of Condenser' Vacuum, h '22

. __ -._ __ ..._ _ _ _ _ - . . . _ . _ . _ - .- .-- ._. _ . . . _ ._._____.s i;

E 1

-. 4 1

l

~

c !

l

-1 l' Item 5 f

L Reevest . ,

. . . .. . - . - i j Provide a concise discussion._of recovery of. failed Residual Heat Removal (RHR) pumps, Residual-Heat Removal Service Water (RHRSW) pumps, and Core Spray (CS) pumps-;due to common cause failures as ,

i documented'in Table 3.3.4.1 of the IPE. Include in this discussion the mission time versus1 recovery time involved for i

injection and long term decay heat removal, and the availability

of overriding equipsentfinvolved,-if'any.

Response

[ In the JAF IPE,'no creditswas takan/for the recovery-of_ failed-

- RHR,_-RHRSW and-core: spray pumps where'fallure is/ occasioned ~by -

4 common-cause fallures.:: Credit was7taken, howeve*, for-restoring'

! - RHR_ and RHRSW pumpsJin specific cut 1 sets derivedifor: accident sequencesEiniticted by the loss.oftac_ buses 10500/10600^or-

-. battery control _ boards BCB-A/B and a'ccompanied by;afloss;of-conta' ment heat-removal.-- In these cut sets,_one-set-of pumps -

i fail ~acause of:the: loss-of-power?-initiator and_other pumps'-~are unavallablelbecause--of post-maintenance restoration. errors; .In

~

F-these sequences,.the operator's_.would1have 11-hours:in which to F -

~y diagnose the - possible need' to restore RHR and' RHRSW pumps.: . The--

recovery actions are discussed in the JAFfIPE,:Volune>II, Appendix-E, Section E3.6,;page E-69.

l l- - .-

A g 9 1

s 4

S

.W -

q t . 23 m -s w- 9e + d.-ew-r e-- w gr4 -6 mar g "s--- e w --, dye r - # y w w y us drgwr-- +-e d w we =r- e ir a nr f -y- c /O'- is - ri e + e v., O -

! 1 i Item 6 :

LtK%3%

Discuss the treatment of DC loart shedding, if needed, following a i station blackout scenario, or loss of AC buses 10500 and 10600 .

, scenarios. Does Fitzpatrick take credit for additional batteries 1 for long term HPCI and RCIC initiation.and controls to avoid a

core damage event? If so, please describe treatment and justification for credit.

Renants ;

In the event of a station blackout or loss of 4.16-kV buses 10500 and 10600,. operators follow Abnormal operating Procedures F-AOP-

18/19/49 for loss of buses 10500,-10600 and station blackout, ,

4 respectively. In procedure F-AOP-49,' operators are specifically i

directed to shed de loads to extend battery _ life l u The de-powered lube oil pumps for both reactor feed. pump turbines, the main turbine, both recirculation motor - -

generator sets, and-the main generator seal oil pump are

secured.

I e Various emergency lighting panels =in the administration l' building, screenwr 1 house, reactor' building, theater bay, l

radwaste building, and the turbine buildiag electric bay are r either de-energized for the duration of the event or ,

l energized on an as-needed basis only.

l 5 The uninterruptible power supply FM Gr-generator set 15 l tripped after one hour into_the ev6nt.

, In procedures F-AOP-18/19, operators are' directed to monitor

station battery charge and remove de-loads as necessary to l prever.t excess discharge.

To c.sure the'most pessimittic-battery capacity situation was -

addressed, the JAF IPE.took no credit,for dc load shedding until 30 minutes had elapsed _frou the start of tu station blackout. -

This delay accommodates the time required for the. operators to -

i diagnose tho' problem and attempt restoration of ac power. -

MPCI and-RCIC were assumed to.becomeLunavailablu'upon-station battery depletion. No credit was-taken for use of alternate '

sources-of dc-and ac power'such as the LPCI independent.' power

~

supp1r system.419-V. batteries.and inverters because the use of i these power sources to prolong station battery life is.not addressed in any procedure, i

24 l

l LtAR_1 R1EM111 Provide a summary discussion of the process used to address pressurization of the wetwell air space following a postulated pige bteak event (subsequent to a successful scram or fail-to-scram event) in the Safety Relief Valve (SRV) discharge piping.

BMA9MR The SRV discharge pipes are used only following transients accompanied by the loss of the condenser as a heat sink. In the course of these events, the discharge pipes can break because of nonmechanistic failures or water hammer effects--should an SRV cycle successfully but the SRV discharge line vacuum breaker fall to open, water will be drawn from the torus into the discharge

'line causing a water hammar and possibly discharge pipe rupture.

Should the discharge pipes break in the wetwell air space, the wetwell will be overpressurized if the SRV on the failed line sticks open and if wetwell pressure is not reduced--intermittent discharges will not challenge wetwall integrity. Wetwell pressure will be reduced by operation of the torus sprays or by operation of the watwell-to-drywell vacuum breakers and initiation of the drywell sprays.

The probabilities of event sequences that result in over-pressurization of the wetwell were calculated. For nonsechanistic 4

failures, a median pipe break probability of 10 /hr/100 f t of pipe was assumed. This value was taken from WASH-1400 and applies to high energy piping in continuous use 2, Accepting this failure rate, the mean probability of nonnechanistic discharge pipe rupture is 2.04 x 10 4 for the assumed 24-hour mission time.

For a transient followed by a scram, discharge pipe rupture, and operation of three of the five vacuum breakers, the probability of watwell overpressurization can be calculated ac follows:

Eygni Mean Probability l Reactor scram with condenser 0.650/ year unavailable (T1+T2)

SRV discharge pipe rupture 2.04 x 10 4 Stucx-open SRV on failed line 0.102 i

I ln prMtice, because the discharge pipes are open to the torus, a look before treek f atture machenlee is l acre tibly then the dm4Le ended pultiottne break required to rapidly pressurlie the wetuell air space.

l lutEG/CR 4792 Irdicates that the probablLity of the dable ended pulllotine break is significantly toss then that of a toek bef ore break felture.

25

a operator failure to initiate 2.6 x 10" torus oe drywell sprays The resulting sequence probability is .'.d x 10'"/ year, a probability that falls bolcw the 10'/yr screening criterion adopted by the Authority for the elimination of sequences.

Should three of the five vacuum breakers fail, the probability of wetwell overpressurization will be reduced by a factor of lod.

Should discharge pipe failure be caused by water hammer, the probability of wetwell overpressurization can be calculated as follows:

4 Event Kgan Probability Reactor scram with condenser 0.650/yaar unavailable (T1+T2)

SRV discharge line vacuum 10 d breaker falls to open on demand conditional probability of water 0.1 hammer-induced pipe rupture Stuck-open SRV on fajled line 0.102 Operator failure to initiate 2.6 x 10 d torus or drywell sprays The resulting sequence probability is 1.7 x 10*/yr. This probability falls below the 10'*/yr screening criterion and accordingly was eliminated from consideration.

Pipe rupture subsequent to ATWS events will be of even less concern because of the lower probabilities of these initiating events--the probability of ATWS events is <10 /d year.

26

Item 8 Bicuest Describe the process used to estimate train level unavailability due to test and maintenance and human errors. Discuss the estimation of these components of train lovel unavailability for the Electrical System (transformer and inverters) and RHR System (injection mode, 1 pray mode, pool cooling mode and shutdown cooling mode) as examples of the application of the above process.

RenDogtg If a train is rendered unavailable by the removal from service of certain components or subsystems within the train, then the unavailability of the train occasioned by tests and maintenance can be calculated as the sum of test and maintenance unavailabilities of the components or subsystems.

Estimates of train level unavailabilities occasioned by test and maintenance were based on the daily plant status reports (DSRs) issued at JAF supplemented by data from the plant logs and the maintenance work order packages. The DSRs list all systems and components unavailable on a given, day, but, because they do not distinguish between test and maintenance unavailability, no distinction was made between them in the data used. The use of plant data in estimating unavailabilities is described in the JAF IPE, Volume 2, Appendices B and D.

Electrical system unavailabilities (i.e., the unavailabilities of 115-kV lines 3 and 4 and station transformers 71T-2 and 71T-3 described by basic events ACO-MAI-MA-115K3, ACO-MAI-MA-115K4, a ACO-MAI-MA-XFRT2, and ACO-MAI-MA-XFRT3, respectively) were calculated from the actual component / system out-of-service hours.

The unavailabilities of transformers 71T-2 and 71T-3 were addressed separately from line unavailabilities because the transformers can be fed from either 115-kV line.

RHR system unavailability was estimated from out-of-service hoitrs recorded for each component in the DSRs and other sources of plant data. The RHR system has two trains each of which has two pumps. Train and pump unavailabilities were depicted in the mutually exclusive basic events RHR-MAI-MA-LOOPA, RHR-MAI-MA-LOOPB, and LCI-MAI-MA-RP-3A/B/C/D.

In addition to these six basic events describing RNR system unavailability, six other basic event! depict the unavailability of equipment in the three-different nodes of RRR operation modeled: the low pressure coolant injection mode (basic events RHR-MAI-MA-LPCIA and RHR-MAI-MA-LPCIB), the suppression pool cooling mode (basic events RHR-MAI-MA-SPCLA and RHR-MAI-MA-27

~- . -

l d

1 SPCLB), and the containment spray mode (basic events RHR-MAI-MA-CSLPA and RHR-MAI-MA-CSLPB). The shutdown cooling mode of kHR operation was not modeled in the JAF IPE. Component out-of-

service hours were assigned to these unavailability events based on component usage in the various modes of oparation. The j allocation of components to the various unavailability events is depicted in Figures 8.1 and 8.2.

1 i The unavailability events were incorporated in the system fault trees as appropriate. For example, in the depiction of RHR/LPCI mode maintenance unavailability, the unavailability of train A in j the maintenance mode was represented by three events (Figure 8.3): the unavailability of components in loop A (RHR-MAI-MA-LOOPA); the unavailability of valves in the LPCI injection path (RHR-MAI-MA-LPCIA); and the unavailability of pumps P-3A and P-3C and their associated equipment. The unavailability of pumps P-3A e and P-3C is reprocented by an AND gate with basic events LCI-MDP-l MA-RP-3A and LCI-MDP-RP-3C as inputs. It will be noted that maintenance unavailability events are not duplicated.

Maintenance that would violate technical specifications (e.g.,

the simultaneous unavailability of both RHR trains) was eliminated from the cut sets during sequence quantification.

Unavailabilities occasioned by human error in tests and maintenance were estimated in a pre-accident human reliability analysis (HRA) that identified the appropriate man-machine interfaces and assigned nominal human error probability (NHEPs) to the selected tasks using the ASEP-HRAP methodology (NUREG/CR-4772)3 The pre-accident human error events are associated with the restoration of components to their proper positions or configuration after tests or maintenance. The first step in assigning NHEPs is to identify the critical human activities where errors may occur; these activities are then addressed in the system models. Examples of such activities are the restoration of a core spray pump to its normal operating condition after maintenance-or calibration of a pressure transmitter. Once these activities had been identified, they were assigned a basic human error probability (BHEP) of 0.03.

This BHEP represents a combination of a generic HEP of 0.02 for an error of omission and a generic HEP of 0.01 for an error of commission, with the conservative assumption that an error of commission is always possible if an error of omission does not occur.

The next steps involve identifying recovery factors (RFs) and dependence effects that influence the probability of human error.

Dependence effects are important when the probability of success (or failure) in one activity depends on whether success or Alan Swain, "Actdient Sequence Evaluation Program"N@hn Reliability Analysis Procedure," Prepared by landia National Laboratories for the U.S. Nuclear Regulatory Comission, WUREG/CR*OT2, February 1987 28 v - - -

failure has occurred in another. Pour factors were considered in

, determining whether dependencies existed in various operator j actions: the number of components to be restored, the component 4 configurations (series or parallel), the relative restoration

time, and the relative location of the components to be restored.

j Only zero and complete dependence were considered in the JAP IPE. ,

J r i RFs limit the undesirable consequences of human error by a?lowin9 ;

I for human redundancy, for compelling signals that notify i operators of an unavailable component, for post-maintenance or i j post-calibration tests, and for frequent checks and inspections. !

4 The RFs applied to each-step of a task allowed credit to be taken

! for post-maintenance or post-calibration check requirements, for i verification in which a second person directly verifies component

} status orithe original task performer verifies component status:

later at a different place.from the original verification 1- provided a written check-off list is used during the check, and j for a check of component status made each shift or. day if a j written check-off list is used. Both dependence effects and RTu >

3 must=be considered to obtain more realistic estinates of HEPs.

l Once the appropriate RFs and dependence effects were' identified,

pre-accident NHEPs were determined by adjusting the BHEPs of the l critical activities to reflect dependence effects

and RFs. For_ example, if the procedure-involved in calibrati.g a

pressure transmitter demanded a post-calibration test and written c verification of the test by another person, the BHEP of 0.03 ,

i would be adjusted by a-factor'of 0.01, resulting.in an NHEP of 1

0.0003. Once the NMEPs were obtained, they were incorporated-l' directly into the system fault trees. The handling of ;

restoration errors is described in more detail in the JAF IPE,- i

Volume 1, Section 3.3.3. ;

7

For the RHR system, restoration errors were modeled for each pump-in basic events LCI-XHE-RE-PM3AP, LCI-XHE-RE-PM3DP,.LCI-XHE-RE- '

PM3CP, and LCI-XHE-RE-PM3DP. Five components were modeled for

! each pump: pump, suction valves 10-MOV-13x and 10-MOV-15x, -

discharge valve RNR-45x, and manual minimum.flowfvalve RHR-28x.

j >

c A failure to restore.any of these five components will cause RHR

pump unavailability.

l l The probability of failing to1 restore 125-Vdc charger breakers l

L (basic events DCl-XHE-RE-CHGAD and DCl-XHE-RE-CHGBD) was-

estimated in a similar manner.. A failure to restore these i breakers ;af ter tests and maintenance ~ williresult in- a f ailure of-the chargers:to charge the-station. batteries.andfeventual battery

depletion.

o

?

L i

E 29

. 2-

^

__. 1 ...a.--. . ,_.c._._.-_.,.a_.._w._:;.,..__-_._ , w ~.a. a .,- ....~a _ ..

._4,

_ _.a -

d cU O D*~~ '!

[' 7.

_ h'frdP@!M4}Nn!?l.

a

e. w j 5I'

, . gg.js . M,.edip g ~..~+ e nn$y& . O;'.r.

9t 4. . m.. , . w.

, ; wung 0I 1

I l3 $g x! x;li

[xF]

g h.A"a

"" 8 2 4 -

I5 ! -

! !h l i l

M yy, ,

f zg Hj l

l V l +! ) E rr: g 8i ! m B B 2 I ---

1 ' I!D Dl! $

mI*

s I i a

< , 8 ;

x-ev a 9 2 o C g C l'll t '

3: D Il <

a a t,

9 g3 -

s e

m l l<' $

% SK g 5 Kg $

y .5 g < 5 p

DI" mE" j i i a

=

a ..- .

3e 3 e C

k oI" o

$ r$ e o

3

E g 1- o J <

1 l

' c.

o O

@I

, I .

E I

i %~ =

5 - =

i

/

/ .

I I -

-/ "$1 $

,1 d

c:

I d

, L' s " .

~

s

'p. * ,A A 3 6

( i ;y 5: :

sN fI g I e l

. s * ,i

$ O $l>

~

gg I Cx i

g -

l

.s , < 3 :

". I I l

30 l

,ma 4 --.a__42-sma .a 4- 4.- A.--.aa+# ,..-__a-.* a#-,%%4.%-A j_

-4_,m.m_._4 ,_s.,, 'E--*SA<wa 4a&+- Jn4 a "4ahA4 *>-=m.h-*-JS-A- + --d.e . 'a m e- mmm+h-hs e e ,., m.+ w-v.a e-wu i I 4 .

l o '

6

o l ~!

{

!~

i;

/

e es')

C4 c : r 8

a / oe --.d: s; i ,7.- h I

- xy -

_a S:i :

i 4

i l 1 I

g: E U f 61 = a i s. -

3

, - - - ~

g, . . -

% ! N

. w ,

2

If y i n a l er g i

a :

f DE ~

e g 5 w eXj SKg .

3

! N E

, 1 8 SIl *Ej i i a

e :g' =

a la:ll. o g l

m l

! E! . l. hl !

,xl- ,

g .

3 ,

! - - qar t)st ;g erg l g eg

[

t g ,gog r*

s N

3e ,

I I;IX ,

NIlg..I $

I

, , s a ,

orj I1

.glf_

a - 7, 8 i, '. -.p t !

t

{g s, sw e ~ !! *--- laIITdeh-~. I!tE9. ...

e

,, f!

l 31 l

.._._s.. - - . - . .. . .- . . . , . . - . . . _ - . - - . - --

]

1 l

l 5*

a 4

1 l

l

- ?

I so i oR l x

g -

_ t ,

P --

3

[ L -'

g I

_1 E 4 , a '

' 3 e l>

en

y J s

} <

~

l @ l! O -

5 E l s

P

. x E

c9 I ed

~

i S f

< h E i -

lg j!O '

l li E l 32 ,

i

( . ..--- . - . = . .- . _ - . - - - . = . - . - - .~. - _. - . - - -

1 i

I. ,

1 2

i i '

Item 9 l ;

Lequest -r j Provide a concise discussion of the treatment of mechanical j failure and the overall electrical failure of the Reactor j Protection System-(RPS) and basis for the probabilistic estimates '

including derivations used and applicability.

l

[ Response

! A fault tree model of the RPS and its supporting systems was

! constructed and quantified. This model addressed mechanical and ,

j~ electrical, randon and common-cause failures. Random mechanical faults modeled included a . failure to scram because of .the scram j discharge volume filling with water; common-cause mechanical-i' failures included the failurcLof two or more adjacent rods to-insert and failure-of-multiple scram discharga valves. Because of the redundancy of mechanical components within the RPS, the contribution.of randon-mechanical failures to the total RPS-I failure probability-is a factor.of-lod less than that>of the

! common-cause mechanical failures.: The probability of mechanical

failure of the RPS was calculated to.be 7 x 10 4. !

l Electricallfaults-modeled included transmitter, relay, and-pilot.

l valve solenoid failures in,both the RPS and the backup-alternate

j. rod insertion (ARI)-system. These electrical faults'had a-combined probability of 2.7 x 10 4.

In contrast, values of 10 4 and 2 x 10 were 4 assumed'in'NUREG/CR- '

4550 for failures. to ' scram because of mechanical and_ electrieel .

faults, respectively, at Peach' Bottom. _ W hile the former vals i is i: essentially the same as that calculated for JAF, the latter value

! is significantly higher. The higher probability of RPSffailure.

t

- because of electrical faults at Peach Bottom results from Peach ,

Bottom not having en= alternate-rod insertion (ARI). system at the time of the study. In the JAF IPE,'a total RPS= failure-i

_ probability of -10 4 was? assumed.-. 'This value' is slightly :more . _ ' '

conservative thanithat: calculated using the:faultitree models and~ >

1 is higher:than-the-value-of-4.6 x 10 4 reportednin the L"AMR -

i- Owner's Group...Ramponse to NRC Generic Letter a3-2a. Item 4.5.3",

NEDG-30844A,:Marchc1988.

i l-s 33'

.r h - . %- p...,,,+by

.r..< .-....,~% ~ . - . ..--.r-,-~ e, ,rvi., ,e .e- , n e.d. --

.a...- , , e S., s ., , ,,.y...-,ev

}.

1 4 .

I i

i Item 19 i

j' Request i ,

i Discuss the process used to treat unavailability of the coolant

[ injection function through the Control Rod Drive system to the reactor and the basis for the probabilistic estimates.

l

} Etanonse The con:rol rod drive (CRD) system-provides reactor coolant >

{ injection subsequent to the occurrence of a LOCA or transienti i .

! e As an alternative to the core spray and LPCI systems and the I RERSW cross-tie-in transients with stuck-open safety-rel.ief' 4

valve' events and intermediate LOCAs.

1 j u During_ containment venting if venting is required;for p containment-pressure. control.

l To inject reactor. coolant.during'containmenteventing,~it-was j assumed that no enhancement:of CRD system flow is required-

because venting occurs at a late stage in the. accident sequence j (after 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months )-by which time ~ lower-make-up flows match the j reactor decay heat. In particular

~

l' e one control rod drive (CRD) pump operating at'a system > flow l rate of 60 gpa will maintain adequate reactor water level l (2/3 core lovel) in large and' intermediate LOCAs, once the i reactor power' falls--provided.that core.make-up systems had

, previously operated-for lo hours.

l 1 s For_ transient scenarios in which continued reactor arke-up- i

! is required, one control rod drive (CRD) system.pur;.

operating e.t_60.qmm suffices to-provide reactor make-up.

after 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months have elapsed.

1 The-unavailability of the CRD systemEto provide. coolant injection

[ during. containment venting-is occasioned _by hardwareifmilures-and a

operatorierrors'in-failing to restore:manualtvalve 3 CAD-1768 to

its normally-open position;following maintenance ofLpump 3P-168

( and;failing:to-initiate the standby CRD: system pumpJ3P-168.for-_._

4 ^ operation if needed. The CRD.was'modeled'using a: fault tree;that-

. represents;the normal operating configuration,-with:CRD. pump 3P-16A,1 suction = filter 3F-2A^and dincharge'filteri3F-17A;in-service, and flow. control valve:3FCV-19A4 modulating CRDisystem' flow.- Six causes were identified for the;CRD' system-fault tree-top; event, .

,_ "CRD Fails ~to Provide AdequaterFlow To Reactor":--

e Insufficient,waterfsupply to the suction of1theLCRD system pumps m

34 v

,- , , . .-,.m. .;,.-G,,,.~_..- . a ., .c . . , .. . . - . . . . . . , _ , , , . - ~ - , ; . + a -. A '

i t

1

E Train A suction path hardware failures a Train A and B strainer failures 1 m Insufficient flow from CRD systems i u Insufficient flow from pump discharge path i a Insufficient flow from injection path.

These causes contribute to CRD system unavail1bility.

Quantification of the fault tree model led to an unavailability i of the CRD system of 7.56 x 1C A (JAF IPE, Volume 1, Table 3.3.6.1).

The CRD system can also be used in a post-accident recovery

- action as an alternative to the core spray and LPCI systems and the RHRSW crocs-tie in large and intermediate LOCAs and stuck-open safety relief valve events. In such a role, human error is expected to dominate the causes of CRD system unavailability though it. loss of offsite power has occurred, the loss of instrument air would preclude the use of the CRD system.

. Stuck open SRVs or'a LOCA cause a decrease in reactor pressure and an increased rate of reactor coolant inventory loss. If condensate is used to provide reactor make-up, it will eventually fail on inventory depletion. If HPCI is used, it will trip on low reactor pressure at 85 psia. In these circumstances, EOP-2 directs the-operators to use the core spray, LPCI or CRD systems to provide coolant make-up. Successful use of the CRD system will, however, require the enhancement of CRD flow by fully opening flow control valves 3FCV-19A/B by manual action from the control room.

The HEP for failing to increase CRD flow is equal to the sum of-the probability of failing to determine the need for CRD coolant make-up and the probability of failing to perform the action and than correct the arror. Both probabilities were estias,ted in the IPE as follows:

Operator Fails to Determine Need for Increased CRD Flow.

EOP-2 is being implemented and tho operators are instructed to maintain the water level within the-reactor pressure vessel. The EOP explicitly lists the systems, of which CRD is one, that can be used as coolant injection sources. The EOP does not, however, instruct the operators to increase CRD flow--they must make this determination.

The time availableito the operators to decide to increase CRD flow varb. i according to the- specific accident scenario:

35

5' 2

N 1

I E With an intermediate-size LOCA, the condensate system can ,

provide coolant make-up for approximately 40 minutes before

depleting the condenser hotwell inventory. . Alternatively, j HPCI can provide coolant make-up for approximately 47 1 minutes before it trips on low reactor steam pressure. Upon 4 the failure of the condensate or HPCI systems, more than 30 '

rinutes remain to increase CRD flow and reestablish coolant 4

injection. 3 I

e Witb. three stuck-open safety relief valves (SORVs), the i condensate system can provide coolant make-up for j approximately 200 minutes before depleting the condenser ,

, hotwell inventory. At this time, more than 60 minutes ;

remain to increase CRD flow and reestaDlish coolant injection.

! a With two SORVs, the condensate system can provide coolant make-up.for approximately 255 minutes before depleting the condenser hotwell inventory. Alternatively, HPCI can j provide coolant make-up for approximately 47 minutes before

! it trips on low reactor steam pressure. Upon the failure of the condensate or HPCI systems, more than 60 or 30 minutes, i respectively, remain to increase CRD flow and reestablish coolant injection, a With one SORV, the HPCI system can , de coolant make-up i for approximately 110 minutes before . rips on low reactor steam pressure. Alternatively, RCIC can provide coolant

! make-up for approximately 230 minutes before tripping on low

. steam pressure. Upon the failure of the HPCI of RCIC

systems, more than 60 minutes remain to increase-and reestablish coolant injection. ;

I j Accordingly, values of 10 4 and 10d'were assigned to the probability of failing to determine in 30 and 60 minutes, respectively, the need for increasing flow. These probabilities are median values with mean values of 1.6 x 10 4 and 1.6 x-10 4, respectively, and error factors of-.5.

10 Falla to Increase CRD Flow.

Once the operators have determined the need for increased CRD

' flow, the SS will' direct the RO to perform this task. This task

is performed in the-control room at the 09-5 panel. This task is. '

very straightforward--the RO ensures that the CRD flow control valve-19A/B is fully open by using a control panel' switch--and

, is assumed to be scep by-step with the operator'under moderately-high stress, i

Accordingly, a value of 0,02 was provisionally assigned-to the probability of failing to increase CRD flow. This probability is 36 t

_a m _-_,_..m -m,-,.----.--s , ,,,..,.,=ry -.,,.,we.,-

_,.c.. , , - . . - - . . < , v., , .,,.,,s ., . , , - - . ..- -9 ,.g.,-y-- g,

4 a median value with a mean value of 0.032 and error factor of 5.

The probability was then reduced by a factor of 10 because of the simplicity of this task.

88 Fails to__Qheck RO and Ensure Increased CRD Flow.

Once the SS has instructed the RO to increase CRD flow, the SS will expect confirmation from the RO that the task has been performed. Should this confirmation not be received, the SS will ask for verification. Once the SS has made this request, it is assumed that if the task has not already been performed, the SS will ensure that it will be.

The task of SS checking and correcting the RO is assumed to be )

step-by-step with the SS under moderately-high stress. :

Accordingly, a value of 0.2 was assigned to the probability of j the SS faillag to check and correct the situation. This probability is a median value with mean value of 0.32 and error factor of 5.

Additional details of the derivation of human error probabilities are provided in the JAF IPE, Volume 2, Appendix 2, Section E2.3.4. ,

l l

~

37

, . - . ,, . . , . . , . . . - . . . . . - . . , . . . . . . . . ~ . . _ . - , - .. - .:. - - -- .. - -.

-. - - _ . _ . _ - _ _ _ _ _ _ . _ . . . _ . . . _ _ _ . . _ . . _ _ _ ._ _ _ . . _ _ - ~ . _ _ . _ _ . _ . - . _ .

i i

L.

i lita 11

- Request i.

Discuss the process used to examine the nitrogen ventilation and

. purge valves as part of sequence development in addition'to any

individual systems analysis.

Response

l operation of the nitrogen ventilation and-purge system was l consider ed only for loss of containment' heat removal ~(TW). i i sequences.in which containment venting;is initiated. These are long-term sequences. . . Venting of the containment is accomplished ,

4 using AOP-35 " Post Accident Venting ~offthe-Primary Containment" ;

i which instructs the operator to vent-regardless of the

!. radiological consequences. This procedure is entered from EOP-4'

- ~" Primary Containment Control" before: containment pressure exceeds

. 44 psig. Sequence. development' required containment venting if g all modes of RHR operation. fail. Once the containment vent !

valves are opened, decay heat removal is achieved by boiling at

the suppression pool surface.- A-description of the nitrogen ventilation and purge system' analysis.is provided in the JAFf1PE, ;

Volume'1, Section 3.2.2.27. .

An insight gained'in the IPE wasfthat, in the event of loss'of'

all RHRSW pumps, the diesel-driven-fire water pump can be aligned-

to the discharge of RHRSW header A to remove decay heat from the RHR heat exchanger _ (JAF IPE, . Volume 1,~ Section 1.4.4) .

5 i-I 5

b 38 .

.~ a. - .a- -. . .,-.-.a. ,,

Item 12 Request Section 3.3.2.2 of the IPE acknowledges that the exposure time for various operating and standby components, and demand spectra (assigned cumulative number of demands for components) for standby components have been estimated for FitzPatrick. .Briefly describe the calculations made in estimating these two parameters in the Service Water system and the HPCI system.

Essoonas o The exposure times for various operating and standby components were estimated using data from the plant operating logs,_

operating procedures, and surveillance test procedures.

The service water system (SWS) normally operates at all times _ -

incluaing during plant outages. Accordingly, few demand-related basic events,were included in the SWS model other than the failure of non-operating redundant motor-driven pumps to start, the failure of ait-operated and check valves to open, and the failure of solenoid valves to energize. The demand failure probabilities for SWS components were based on; generic failure data. The operating hours for SWS pumps were approximated by the calendar hours and then used as the exposure hours.in calculations of time-related SWs failure rates (e.g., the failure of a pump'to continue running). Plant-specific failure rates were then determined by combining plant data with generic failure data in the Bayesian update process described ir. the JAF IPE, Volume 1,=Section 3.3.2.2.

For a standby system (such as the HPCI' system),ecomponent; exposure hours and demand: spectra;were estimated from detailed reviews of the shift supervisor and nuclear control: operator-logs, operating. procedures and surveillance test procedures.

These logs and procedures were used to_ develop detailed ~ accounts of the performance of each surveillance-test and' operating procedure. The resulting procedure performance records:and their summaries.'are shown in Tables.D.3) D.4, D.6fand D.7 in the JAF-IPE,' Volume 2, Appendix D.- ComponentLlevel demand matrices were then developed for.each procedure <(Tables D.5 andLD;8),Ldemand spectra for_each) component were estimated:from the. procedure performance summaries and its demand matrix, and. demand ~ spectra for a given component-type were;developedlby summing a11 demands-for components M that type. _The methodsfused are described-in-

<the JAF IPE,-Volume ~2, Appendix.B.

The-exposureLtimes used11n calculating'the probability of the HPCI pumps failing'to run'were estimated _from test data assuming.

~

a_ pump operation test duration-of 15 minutes.~-This: duration 1was' .

bksed on discussions with plant operators and maintenance staff._

39?

3 +

The overall exposure time in tests was calculated as the product

of the assumed test duration and the number of tests actually j performed. The cumulative hours the pumps were operated in non-

test conditions were extracted from plant logs and DSRs. The

{ total exposure time for the HPCI pumps was then obtained by summing the hours for both test and actual operation of the

pumps.

i 4

s i

i a

f 1

i 4

1 i

t t

i i

i 5

1

+

J 40 4

t

. .. -_ m., , v._ _y..,c..., , . . - . _ , ,y_, ,.. L, . . , . _ , ,.,_.,,,,,,m.,,...,,y.. _ , .._s_.,. ~'w,,. ,,,y ,. ,,. -

Item 13 Reavest Describe the process used to treat the following: (A) Cor. mon cause failure (fail-to-start mode) of two pumps, (B) Common cause failure (fail-to-continue-to-run mode) of two pumps, (C) Common cause failure (fail to-open on demand) of two MOVs, (D) Common cause failure of two LPCI batteries to supply power to their loads. Also, describe the treatment of plant-specific common cause factor estimates for two and three stuck-open failure mode of the SRVs.

Response

A common-cause failure is a simultaneous failure of equipment resulting from a shared cause. Industry experience shows that common-cause failures are rare; none were experienced at JAF prior to Cc tober 1906--a detailed review of plant information sources such as LERs, operator logs, maintenance work orders, and scram reports revealed no significant events that can be categorized as common-caur,e failures.

The basic methodology employed in the common-cause failure analysis was that described in NUREG/CR-4550, Volume 1, Revision

. 1, Section 6 &nd is described in the JAF IPE, Volume 1, Section

, 3.2.3.3. To accodnt for potential common-cause failures, redundant components were systematically examined and potential common-cause failures were included in the system models at appropriate levuls. Because no JAF plant-specific common-cause j failure data were identified, beta factors from NUREG/CR-4550, i Volume 1, Revision 1, Table 6.2-1 wert used in the development of

all common-cause failure probabilities except those for battery failures

s The beta factors for the common-cause failure of two pumps (fail-to-atart moda) were taken from Table 6.2.1 of the i

NUREG/CR-4550, Volkme 1, Revision 1. The beta factor of O.026 for ESW pumps and RHR service water pumps is the beta l factor used for starvice, water motor-drivan pumps in l

NUREG/CR-4550. The nets factor of 0.15 fc.* RHR and core spray pumps is the beta factor for low pressure coolant injection motor-driven pumps.

u The beta factors for the common-cause failure of two pumps (fail-to-continue-to-run mode) were based on the beta i factors for similar pumpis in the failure-to-start mode.

l These beta factors were taxen from Table 6.2.1 oC NUREG/CR-4550, Va'une 1, Revision 1, for CWS, F,SW, RBC, SWS, TBCLCS, condenst.e, condensate beoster and CRD pumps. The use of the beta factor for the failure-to start mode in the fail-41

to-continue-to-run mode is expected to be conservative.

m Common-Causes of the failure of two MOVs to open on demand were modeled in the JAF IPE for the following valves:

CSS-CCF-VF-2MOVS RHR containment spray injection valves LCI-CCF-VF-2MOVS LPCI injection valves LCS-CCF-VF-IMOVS Core spray injection valves RSW-CCF-VF-2MOVS RHR service water valves (for discharge side of RHR heat exchangers)

RSW-CCF-VF-2IJVS RHR service water valves (for cross-tie)

SPC-CCF-VF-2MOVS Suppression pool cooling valves ESW-CCF-CC-101AB ESW-MOV-101 A and B RBC-CC1'-CC-175AB RBC-MOV-175 A and B.

The beta factor of 0.088 is the beta factor for two MOVs falling to operate presented in Table 6.2"1 of NUREG/CR-4550, Volume 1, navision 1.

e The beta factor of 0.02 for the common-cause railure of two LPCI batteries to supply power to their loads was determined for the JAF d: power system configuration using Table 6 of the dc power study "A Probabilistic Safety Analysis of DC Power Requirements for Nuclear Power Plants," NUREG-0666, 1981.

The estimates of common-cause factors for two and three stuck-open SRVs were based on data for Peach Bottom (Table 4.9-1 of NUREG/CR-4550, Volume 4, Revision 1, Par" 1). In 1981 and 1982, two-stage SRVs replaced three-stage CRVs at JAF. Because of their simpler de;4cin, two-stage SRVs are much less prone to inadvertent opening than are three-stage SRVs. However, the common-cause failure data used in the JAF IPE are based on the three-stage SRVs installed at Peach Bottom. Two and 'chree stuck-open SRVs were explicitly modeled in the various event trees.

42

~_, . . -- - - --. . - -. _- _ . - -.. _ -- ._

i Item 14 Reauest Provide a discussion of the treatment of pressure locking of l

motor operated double disc gate valves and flexible wedge gate j valves (experienced at Fitzpatrick in 1988 and 1991,

respectively), and impact of corrective actions taken upon the

IPE results.

Response

The pressure locking of motor-operated double disc gate valves and flexibla wedge gate valves is described in LER-88-013-00, LER-91-006-00/LER-91-006-01, and LER-91-014-00.

2 The event described in LER-88-013-00 occurred during an outage as i part of the post-installation testing of a newly replaced valve l and was caused by misinte'pretation of valve specifications by :

~

the. valve manufacturer._ Accordingly, this specific event is not i relevant to the accident; scenarios investigated in the IPE. This notwithstanding, the.possible common-cause failure of. valves 10-MOV-26A/B was addressed in the fault tree models for JAF.

The events described in the other LERs are failures that would be incorporated in the updated failure rate database.to be created '

as part of the "living PRA" process- . While the common-cause

! failure to open.on demand of two valves used in the RHR/LPCI and 4

core spray modes.of operation and the common-cause miscalibration of reactor pressure-transmitters 2-3PT-52A/B/C/D sucht that all four valves used in the-RHR/LPCI and core spray modes of operation fail to-open were included in the fault trees developed for.the JAF IPE, the possible common-cause failure of all.four injection. valves to open on demand'because of the failure mechanisms described in Caese LERs-was not considered; Accordingly, this possibility too would be introduced into the- -

fault tree models in the living PRA program.

43

4 Item 15 Recuest Generic letter 88-20 requires licensees to certify that their IPE reflects current plant design arid operation. It is our understanding that the operational data provided in Appendix D has been utilized to determine plant specific hardware failure I rates only and for the limited period ot 1980 to 1586. Since 1986, many changes hava occurred, such as design "hanges, parts supplier changes, manufacturing specification chenges, equipment aging, etc., as well as changes in plant personnel training and the plant maintenance programs. This generates a question of whether the Fitzpatrick IPE addresses the current plant status.

Please provide a discussion of the impact of plant changes that have occurred since 1986 and the effect of failure rate estimates for the more current period. (Use referenvec as appropriate)

Risponse changes to plant design and operation are described in the modification packages, safety evaluation reports, and operating procedures. The JAF IPE reflected all modifications and operating procedures implemented prior to December 1990. These changen include several that enhance the operability and availability of systems and equipment: the ADS pneumatic supply system upgrade; the RHR suction valve interlock modification; the i standby liquid control system solution enrichment for ATWS modification; the installation of the ARI system; the crescent area cooling system modification; the use of firevater injection described in RHR nystem operating procedure OP .$.3; LPCI initiation Verification; the development of AOP-35 for post-accident venting of the primary containment, AOP-37 for boron injection using the CRD system, AOP-38 fcr EOP isolation /

interlock overrides, and AOP-49 for station blackout; the

! implementation of the EWR Owner's Group EPG revisiois 4; and the i

modification of surveillance test procedure FT-3J to ene.ure that one core spray train remains operable during the core spray initiation logic function test.

The impact on system reliability and availability of these changes and of changes in operator training and the plant maintenance program should be reflected in the frequency of scrans (i.e., initiating events) and equipment failure rate and unavailability data. All scrans that occurred between January 1976 and December 1989 were included in the initiating event data base used in the IPE--there were no statictical grounds for l excluding any data (JAF IPE, Volume 1, Section 3.3.1.1).

E erefore, it is only the component failure and unavailability database that can reasonably be regarded as not being folly reflective of current (1992) plant status.

44 I

The plant-specific hardware failura and unavailability data were taken from the 6 years of plant operation between 8/11/1980 and 9/30/1986. The data therefore represent plant conditions at the time sequence evaluation and systems analysis began (11/1986).

While we would assert this was an entirely reasonable approach, we acknowledge the desirability of maintaining an updated component failure and unavailability database and of using these updated data in the IPE. Accordingly, the Authority will do this in its "living PRA" program.

New plant data are not expected to have a great effect on the component failure data employed within the IPE; nor are they expected to dramatically affect the predicted core damage frequencies. The effect of new plant data will be limited because, as in all recent PRAs, the failure data used in the JAF IPE are an aggregation of plant failurs data and generic da*3 (JAF IPE, Volume 1, Section 3.3.2.2). This approach to the development af a plant-specific failure data base is adopted to provide a quantitatively consistent representation of expected equipment performance. With it, the use of generic data and the increased time span tor plant data will dampen the effects of any short term change in failure rates.

New plant data may, howe */er, change component and system unavailabilities significantly if tests and maintenance are performed more frequently, because the resulting test and maintenance unavailabilities are not subjected to a Bayesian update process prior to being used in system models.

This notwithstanding, the impact of changes to the predicted core danage frequency that might be occasioned by changes in equipment failure rates and unavailabilities has also been ahown to be limited. Sensitivity studies examining the effect of increased system unavailabilities have been performed and submitted to the NRC'. The studies concluded that only large increases in the unavailability of the emergency service water (ESW) system would serve to dramatically increase the predicted core damage frequency: whil.e a doubling of the unavailability of the ESW system will result in a 115 percent increase in the predicted core damage frequency, the doubling of the unavailability of other systems will result in increases in predicted core damage frequencies of less than 30 percent. _

NTPA letter, R.E. Beedte to T.E. Murley, dated May 28, 1992, respordino to a request for a review of the Fittpatrick IPE with respect to the htC's Otagnostic Evaluation Team (DET) Aeport.

45

Item 16 Rim! ult Fitzpatrick has a wealth of opetating experience from whicn to ,

update and improve generic human reliability estimates (which would othorvise reed to be utilized in the IPE). Please discuss the process used to capitalize on this experience, specifically with regard to the generation of human error probabilities (liEPs) !

and perception of human error in the overall results. l l

4 Responga l

Initiatina Event Data.

The initiating event frequencies used in the JAF IPE reflect all '

, scrams that occurred between January 1976 and December 1989.

Accordingly, haman errors that gave rise to scrams are included in plant-specific initiating event frequency calculations reported in the IPE.

Human Error in Pre-Accident Actign3 Historical information for human errors in pre-accident actions were utilized in the JAF-IPE. Scram reports and licensee event reports (LERs) were reviewed to identify incidents to which human

', errors contributed. The fault trees were then reviewed to ensure that the human errors involved were addressed within the appropr ste system fault trees. No attempt was made, however, to create a JAF plant-specific human error database utilizing these events. Instead, the ASEP-HRAP methodology was used with the additional conservatism that where dependencies could exist in test and maintenance errors, complete dependence was assumed. In assigning probabilities, several mitigating factors were considered:

n Recovery from human errors prior to accident occurrence is often possible given control room indications of valve position and the verification of component ststus that is performed each shift.

a Flow tests performed as part of post-maintenance te3 ting and the formal verification of equipment status by a second go 4on will significantly reduce the probability of failures to restore components to their pJoper configuration.

m The common-cause failure of instrumentation is made less i likely by an instrument test schedule that staggers '

instrument tests and ensures that the same work crew is not i responsible for all tests on a given set of instruments.

46

i Russan_grror in Post _-Accident ReJDonse and Recovg.rv Actig n The human error probabilicies (HEPs) employed in the JAF IPE were individually determined for each operator action. While the HEPs were based on predictions of the ASEP-HRAP methodology, the values determined were modified to take into account especially clear accident conditions and operator familiarity with them, operator simulator exercises, and the time available to decide upon a particular action and respond to it. Some examples of where ASEP-HRAP predictions were modified in response actions (actions that operators perform in response to plant conditions ,

and are generally demanded by the EOPs) follow, In reviewing !

these examples, it should be noted that, subsequent to the post- l TMI control room design review, significant improvements were i made in the labaling and functional demarcation of controls in the control room to eliminate human design deficiencies.

i In an ATWS scenario in which MSIVs are cpen. the probability W l that the reactor operator fails to initiate standby liquid control (SLC) wan provisionally assigned a median value of !

0.02 using the ASEP-HRAP methodology. This probability was then reduced by a factor of 10 to account for the immediacy of SLC initiation that is emphasized in JAF training and was substantiated by simulator exercises observed and discussions with the operators. This npplication of plant experience is described in the JAP IPE Volume 2, Appendix E, Section E2.1.3.2.

m In ATWS sconarios in which MSIVs are open, the probability that the operators fall to diagnose the need to overr$de MSIV isolation is determined in part by the time available to perform the override. To determine this time, reasurements were made in simulator exercises. The value for the probability selected from ASEP-HRAP was the lower bound value. The use of this value was justified under ASEP-HRAP guidelines because the accident sequence in i

question was well practiced and all simulator exercises

, indicated that operators recognize both the symptoms and need to override MSIV loolation. This application of plant experience la described in the JAP IPE, Volume 2, Appendix E, Section E2.1.4.1.

a In ATWS events with MSIVs closed, & low (<104 ) value was assigned to the probability of failing to enter EOPs. This low value van used b1cause of the many indications, alarms and annunciators that notify the operators of entry conditions for the EOPs. It was airo observed in simulator exercises that the cperators retrieved the EOPs after occurrence of an abnurnal event to confirm that EOP entry conditions are met. This application of plant experience is described in the JAF IPE, Volume 2, Appendix E, Section E2.2.1.

47

d 4 8 In ATWS events with MSIVs closed, the probability that the operators fail to determine the need for alternate boron irijection is determined in part by the time available to make the diagnosis and hence by the time recuired by the operator to actuate alternative boron injection. This time I

was measured by following an operator in the simulation of the task in the plant. This application of plant experience is described in the JAF 1PE, Appendix E, Sections E2.2.5.1 and E2.2.5.2.

a N In ATWS events with !!SIVs closed, the probabili<.y that the operators fail to provide primary containment control was provinionally assigned u median value of 0.02 using ASEP-

. HRAP quidelines and tables. This value was that. reduced by

a factor of 10 because the operators perform this task almost immediately upon a failure to scram, because of the censiderable time (approximTtely 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months ) available to actuato cuppression pool cooling, and because the actuation requires no complex actions and no interface with ihatrumentation. Similarly, the probability prc'/isionally assigned to the shift supervisor failing to check the operator and correct a failure to implement primary containment control was also reduced by a factor of 30.

These applications of plant experience are described in the JAF IPE, Volume 1, Appendix E, Sections E2.2.7.3 and E2.2.7.4.

E In normal transients or LOCAs, a failure to enter the proper EOPs was assigned a low value ( < 10 4

) because-the operators

, have memorized the entry conditions for the EOPS and the EOPs are practiced monthly in simulator exercises.

Furthermore, as noted above, the operators were observed in simulator exercises to retrieve the EOPs after the occurrence of an abnormal event to check if the entry conditions are met. This application of plant experience is described in the JAF IPE, Volume 2, Appendix E, Section E2.3.1.

M In normal transients or LOCAs, the value assigned from ASEP-HRAP to the probability that the operator fails to defeat HPCI auto-transfer on high torus level is reduced by a factor of 10 because of the relative simplicity of the incident and the tin.e available. This application of plant experience is described in the JAF IPE, Volume 2, Appendix E, Section E2.3.3.2.

m In normal transients or LOCAs, the value assigned using the ASEP-HRAP methodology to the probability that the operator fails to use the CRD "or coolant injection Was reduced by a factor'of 10 because of the simplicity of the task. This r application of plant experience is described in the JAF IPE, 48 l

l y -- w -e+,i

. .. _. - .- - -. - . . . .. ~ .. . . . - . _ ~ _ _ - _ -

l

) W The value assigned using ASEP-HRAP to the probabilit- that the reactor operator fails to depressurize the roa.r.or j vessel was reduced by a factor of 10 to account for the i simplicity of the task. This application of plant expericcce is described in the JAF IPE, Volume 2, Appendix E, Section E2.J.S.2. Similarly, the value assigned to tha probability that the shift supervisor tails to ensure that the reactor is depressurized was also reduced from the value derived using the ASEP-HRAF methodology. This application of plant experience is described in the JAF IPE, Volume 2, Appendix E, Section E2.3.5.3.

j

e .tn normal transients or LOCAs, the calculation of the i probability of failing to perform primary containment control relied extensively on plant data. The valuc for tho +

l HEP of the operator failing to vent locally was determined in part by the time required to complete the task. This j time was measured in the plant by observing an operator as i- he simulated the task. Furthermore, the HEP assigned to-

this task using ASEP-HRAP methodology was reduced by a l factor of 10 to account for the emphasis placed on the tash -

in training, the long time available, and the availability of additional personnel to accomplish the task when that ,

needs be done. This application of plant experience is

described in the JAF IPE, Volume 2, Appendix E, Section

E2.3.6.1. ,

' ASEP-KRAP predictions _were-also modified'for recovery actions.

Recovery action; are those that operators perform to recover from specific initiating events or component or system failures that -

i exacerbate the accidant. Such actions may include local manual i actions. An example of a modification based on plant data-and j experience fo1Aows: ,

! a Tha probability that operators fail to manually open the

, core spray or LPCI-injection valves as_part-of recovery ,

s actions was determined in part by the time required to manually open valves locally. This time was measured as an

operator simulated- the actions required at the plant. This application of plant experience is described'in t!un JAF IPE, Volume 2, Appendix E, Section E3.3.1.1.

49 i

c i

,,..,.4,. r,* . . , . .n r. w., , - -

.....,,,,,,__~,,y., y ,. , , , , . , , ,

,,,_7, %. _.%

_ r., ,,.y .,y, ,9..i----., p*- , y ge

4 I

LL9.M 17 R,qu e s t

! Please identify those instances in which performance shaping l factors (PSPs) are used to modify HEPs according to the difficulty of the tasks under analysis, and discuss the rationale for the PSF selection. It appears that the operator response to extremely difficult situations has been evaluated optimistically.

For example, for the Anticipated Transient Without Scram (ATWS)

. initiating event, where the operator has 1 to 3 minutes to recognize that it f- an ATVS, the operator murt entei EOP-2, follow EOP-2 to the point unere he is directed to enter EOP-3, enter EOP-3 and verify that he must initiate Alternate Rod Injections (ARI) and Recirculation pump Trip (RPT) and override ADS. The IPE, on the basis of Fitzpatrick's good operator training, assumes an HEP loss than 1E-5. Describe the PSPs used to accou;c for the stressful situation and the limited time for operator response.

RespRnta i

Tho Authority believes that the operator response was evaluated realistically and not optimistically. Tbis belief is based on numerous interviews and discucsions with the reactor operators, trainir.g and operatione personnel, and observations of operator performance in simulations of several different accident types.

The accidents simulated involved many types of failures so that an e,ccurate and realistic evaluation of operator response could be made.

The actions of concern in this discussion are "immediate" emergency actions that must be taken quickly following an abnormal event. While the operators are required to memorize the entry conditions ta the EOPs and the opernEors practice the actions frequently, they are trained to read each step in the

procedures prior to performance to ensure that no required action is omitted. Immediate actions are therefore simply operator actions that ure among the first steps in the EOPs and thus will be performed expeditiously.

For ATWS events, certain actions can be-classified ad immediate actions. They incluoe:

a Entering the EOP a Scramming the reactor (which directly enters the operator into the failure to scram EOP)

N Verifying ARI initiation and RPT 50

. l a Overriding ADS.

Verifying ARI and RPT occurrence and overriding ADS were treated as being completely dependent.

The initiating event coupled with a failure to scram will result in the entry conditions for EOP-2 (reactor control) being m_t.

j The shift supervisor at JAF does not retrieve this EOP: it is under glass at his station and ready ror implementation. The first direction and instruction for EOP-2 addresses whether a scram has occurred and directs a manual scram if it has not. The second decision point addresses whether all rods have been fully inserted. If more than one rod is not fully inserted, entry into EOP-3 is required.

At JAF, there are always at least two reactor operators in the control room: a senior reactor operator who serves as the shift supervisor and a second operator who is required to be at the main control panel (or " horse-shoe") at all times. The reactor operator at the main control panel in the horse-shoe will receive numerous and immediate indications that a failure to scram has occurred:

m A control rod " full-in" light display on panel 9-5 that indicates which centrol rods are fully inserted a A computer printout of control rod pocitions.

In addition, there are four shared recorders on the 9-5 panel that can display upto eight IRMs, six APRMs, or a combination of the two, SRM monitors and recorders, ARI controls and indications, RPS group lights, scram valve position indicators, and scram air header pressure indicators.

. The EPIC (emergency and plant information computer) monitors also display safety parameters and plant conditions. Three monitors are placed at the shift supervisor station, two at the nuclear control operator's desk, and two above the 965 panel. The displays are color-coded and highlight the EOP entry conditions and critical parametars within the EOP.

Given these indications and the fact that a reactor sc, Jam is an immediate and much practiced action, a probability of 104 s e e.m s reasonable for a failure to recognize an ATWS (or failure to scram) and then enter EOP-3. A task analysis of the shift supervisor and reactor operator failing to recognize that power is above 2.5 percent and that a failure to scram has occurred further justifies this probability. The events that must occur are as follows:

(1) Reactor operator fails to notice the control rod display.and 51 Y

. - . . ......~ . _ . - .~ _ - . . .. . . - . -- ~. - . - - .

)

4 .

1 I.

J power indicators (IRMs, APRMs, and SRMs)

!' (2) Shift supervisor fails to notice the above indicatie. and fails to notice indications on the EPIC display.

l [3] Operator fails to recognize that a scram is required ~ ( er.te r ,

j EOP-2) and fails to notice that a failure to scram has j occurred (enter EOP-3).

l Probabilities of 10'8,.10'3, and-10 4 were assigned to these steps

using Table 8-S in NUREG/CR-4772.

1

In performing the IPE, ovur.20 accident types were observed at j the JAF simulator.: In every case, regardless of the~ crew, the --

p cperator (shift. supervise,r) immediatoly entered the appropriate j' EOP and correctly;perfortbed--the immediate actions. Of these

simulated accidents, eight-were ATWS types.

I 4

l- '

3, 1.

i j

. i 1

i h

4 I'

i-i

52 f

f i

l

~. ._ .: .: ~

F ;

~

i-

' ten is .

4 1

L Blauest 5

The human reliability : analysis (HRA) is based on generic _ basic l human error probabilities (BHEPs) modified by recovery factors (RFs) "which limit undesirable consequences of human error by p allowing for human redundancy ..." (pg._3-379).-Thus the HRA

reduces the generic BHEP value of 0.03 through the'use of RF(s).

In the example given on page 3-379 for the calibration of a pressure transmitter,_the generic-value of 0.03 was used as the HEP.for this task for the typical _or nominal plant.iThe generic BHEP is then reduced by a factor of 0.01 to account'for_ post--

l calibration. testing and independent verifirstion. . We call your l ettention-to'page 5-6 of NUREG/CR-4772,whicn provides guidance.

l for the useLof-the methodology you have adopted. Please note-

! that Step 2 on.page 5-6 states that "No downward adjustment-(of

! the BHEP)- should - be made without~ a;_ more -thorough _ HRA of-- the kind -

specified in NUREG/CR-1278". It is-our understanding that the l BHEP value is assraed.tc a)readyLaccount for-normal 1 or typical L

" checks:& balancos" fcc op?"ator actions. !Therefore,-the .

L application of RFs~to fv' .ser reduce- the BHEP _value should--be-I based 9por orecedurcs, NA. techniques, independent verifications, maintenas.aa_ practices,'etc. which are significantlyesuperior to those typically found.in_the_ average or--nominal' plant. Please.

take a;samplefof.5 or 6_ nominal human error probabilities (NHEP) values from table 3.3.1 and discuss the RFivalues used to adjust the BHEP value and discuss' haw they.are supported by factors-for FitzPatrick which clearly-demonstrate that the Fitzpatrick-

l. " checks and balances" are significantlyfbetter than'those normally utilized in;the typical or nominal plant. . -

Response

The issue raisedLby this request is whether the-application of-JFs to the-BHEPs for.miscalibration and restoration eventsiin'the JAF IPE wasLjustified. The : reviewers refer; to- Step :2- on - page' 5-6 -

of1NUREG/CR-4772--and state that itris their. understanding that theiBHEP"is already"assumedLto accountLfor normal 1" checks:and-balances." This' perception, however,. represents.a misunderstanding'of the ASEP'HRAPf(l a ,1NUREG/CR-4772). .-Step.2 of- Table 5-1. (page 5_-6 ' of ' NUREG/CR-4 M 2)1 provides guidance on adjusting the BHEP. The statement lonLpagel5-6 that?"No downward-adjustment should-be made'without- ^

Tore-thorough'HRA...".is not

_ -related to the' application ofLRFs f rather to the-adjustment of-L the-initial BHEP (for exampler to' increasex the BHEP value ofRO.03 if: poor; human factor. conditions exist in~the plant).- Once 'the L FBHEP1-is selectedk the remaining stepsoin. Table 5-1 providei l guidanceEfor the application ofgRFs tolthe BHEP. The statement in questioni on page 5-6 :is therefore' only: a' caution against do nwards: adjustments of the:BHEP7and is. unrelated 1to the-

53

,.. ~ .. ,.,. _ _.2._

.a ; _ _, _..a . . _ . _.u..~u._._-._.__. .2

4 l application of specific RFs discussed in Step 4 on page 5-7 of l NUREG/CR-4772 and in Tables 5-2 and 5-3. This application of specific RFs is a critical and integral part of the ASEP HRAP (NUREG/CR-4772) methodology as is clearly demonstrated in 4

NUREG/CR-4550, Volume 6, and in Dr Swain's comments on the JAF i

IPE (Item (1)).

?

Examples of the way in which RFs and other aspects of the ASEP HRAP were applied to adjust the BHEPs for the JAF pre-accident

. HRA follow. It should be noted that, in his review, Dr Swain 4

concurred witn these values and that, in the IPE, the pre-accident HRA was augmented by observations of the instrument functional tests and calibration activities.

! Failure to Restore SLC after Test.

, IARA. Opere;or tests SLC, opening valves 11SLC-26/27/41. After the_ test, the operator.needs to restore each valve to its proper position.

Activities. This task involves the restoration of the valves to their proper position. Failure to close valves SLC-26/27 will result in a system flow diversion failure when the

system on demand. Therefore there are only two activities associated with this task: the closure of valves 11SLC-26/27.

I Dependency. Because restoration of the SLC requires that both activities associated with the task be completed successfully, dependence' effects are irrelevant and zero

dependence is assigned to the activities of this. task (see Table

.5-1, Item 9.a of NUREG/CR-4772).

Recovery. Independent verification of restoration <of valves 11SLC-26/27 is performed by a second person and a written record is made. Accordingly, Optimum condition #3 (see Table 5-3

[ .in NUREG/CR-4772) applies to both valves. A total recovery factor of 0.1 was taken for each' valve'.(see Table 5-3 in.

NUREG/CR-4772).

Nominal Human = Error Probability. The probability that the operator fails to close a valve is therefore:

l NHEPr = (BHEPu.x

RF) C (BHEPu.n * ' RF)

=

(0.03) * (0.1) *2 1

= 6 x 10-3 I

54

-- ,, - , , .,~,,n-,.-- .-. ,

I~ Miscalibration of E_CCS-A ATTS Instrumentation.

IA11 . operator calibrates the ECCS af log trrnsmitter trip system (ATTS) trip units using procedure ISP-175A. This procedure includes calibrating trip units 02-3-MTU-272A, 02 MTU-273A, 02-3-MTU-272C, 02-3-MTU-273C, 02-3-MTU-202A, and 02 MTU-202C. The other nine units are not relevant to the IPE analysis.

Agilvities. To calibrate ATTS trip units, the operator:

A. Performs a pre-calibration test to determina if the trip unit is calibrated (st p 5.6.1 in Proceduro ISP-17bA)

B. Determines the need for calibration by verifying the pre-calibration test (step 5.6.2 in.the procedure). If the operator fails to perform this step, it was assumed that the trip unit is out of calibration. '

C. Sets the stable current to 12 mA (step 5.6.2.4 of the procedure).

, D. Adjusts the meter to obtain a mid-scale setting (step 5.6.2.5 of the procedure).

It was assumed that if the operator successfully. performs activity B (i.e., Step'5.6.2), ten steps 5.6.2.1, 5.6.2.2, and 5.6.2.3 are performed (i.e., it was assumed that once the operator recognized the need for calibration, he will attempt to do it). Therefore, steps 5.6.2.1, 5.6.2.2,,and 5.6.2.3 were not addressed in determining the nom nal HEP.

Dependency.. Because the calibration of a single trip.

unit requires a anries of activities and'the failure of any one causes miscalibration, dependence effects are irrelevant and zero-dependence is assigned to the activities of'this task-(see Table 5-1, Item 9,a of NUREG/CR-4772).

Recoverv. Step 5.6.2.6 of the procedure requires that

-the operator verify Step 5.6.1-(i.e., activityEA). In essence, the operator performs a post-calibration test. In doing so, the operator is required to-write down the results of the

- verification on a checklist. Optimal' conditions-#2 and #3 therefore apply (Table 5-2 of NUREG/CR-4772) and a total recovery factor (RF) credit of 0.01 applies (Case-VIII, Table _5-3, NUREG/CR-4772).

In addition,_a daily check, structured to identify component operability, is performed. 'Accordingly, Optimal Condition #4 applies and an additional recovery credit can be given, reducing the total recovery factor to 0.001 (Case VII, Table 5-3, 55 U _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - - . -

NCREG/CR-4772).

Eominal Human Error Probabilily. The probability that the operator miscalibrates a trip unit is therefore:

NHEPrne. = RF * (BHEP,,,4 4 + BHEPAcme a +

BHEP,,,e 4 + BHEP,m,o) 4

=

(0.001) * (0.03

4)

= 1.2 x 10" In determining this nominal HEP, it was assumed that if th7 operator miscalibrates the first unit, he will also miscalibrate subsequent trip units because miscalibration is likely to indicate that the operator does not understand the process.

Therefore the probability that the operator miscalibrates all trip units is:

NHEP7 = 1.2 x 10 d Miscalibration of HPCI Steam Line Rich Flow Transmitters TA1X. Operator calibrates the HPCI steam line high flow transmitters using procedures ISP-226A/B. These procedures includes calibrating DPTs 23DPT-76 and 23DPT-77.

Activities. To calibrate pressure transmitters, the operator:

A. Adjusts zero for 0.98 Vdc for 23DPT-76 (step 5.3.3.2 of procedure ISP-226A) and adjust zero for 0.99 Vdc for 23DPT-77 (step 5.4.3.2 of procedure ISP-226B).

B. Adjusts span for 5.01 Vdc for 23DPT-76 (step 5.3.3.3 of procedure ISP-226A) and adjust span for 5.02 Vdc for 23DPT-77 (step 5.4.3.3 of procedure ISP-226B).

Bec&use technical specifications require that the instruments be calibrated regardless of whether calibration is required, pre-calibration tests and their verificatita are not applicable and were not considered in tae HEP evaluation.

Decendency. Because the calibration of a single DPT requires a series of Oct;vities and the failure of any one causes miscalibration, dependenew effects are irrelevant and zero dependence is assigned to the activities of this task (see Table 5-1, Item 9.a of NUREG/CR-4772).

Recoverv. Step 5.3.3.4 of procedures ISP-226A/B requires that the operator verify step 5.3.3.2 (i.e., activities A and B). In essence, therefore, the operator performs a post-l 56 1

calibration test. In doing se, the operator is required to write down the results of the verification on a checklist. Optimal conditions #2 and #3 therefore apply (Table 5-2 of NUREG/CR-4772) and a total recovery factor (RF) credit of 0.01 applies (Cat VIII, Table 5-3, NUREG/CR-4772).

In addition, a daily check, structured to identify compeneat operability, is performed. , ccordingly, Optimal Co;dition #4 applies and an additional recovery credit can be given, reducing the total recovery factor to 0.001 (Case VII, Table 5-3, ,

NUREG/CR-4772).

Nominal Human Error Probahility. The probability that the operator miscalibrates a pressure transaitter is therefore:

NHEPorr = RF * (BHEP,,,44 + BHEP3 ,,,,)

= ( 0. 001) * (0.03

2)

= 6 x 10 4 In determining this nominal HEP, it was assumed that if the operator miscalibrates the first transmitter, he will also miscalibrate the second transmitter because miscalibration is likely to indicate that the operator does not understand the process. Therefore the probability that the operator miscalibrates both transmitters is:

4 NHEPr = 6 . x 10 Miscalibration of HPCI Pump Suotion J,cnr Pressurs $ witch.

Task. Operator calibrates HPCI pump suction switch 23PS-84B using procedure IMP-23.9.

Activities. To calibrate pressure switch 23PS-84B, the operator:

A. Performs a pre-calibration test to determine if the switch is uiscalibrated (step 5.2.2.1 of procedure IMP-23.9).

B. Determines the need tor calibration by verifying the pre-calibration (step 5.2.2.2 of the procedure). If the operator fails to perform this step, it was assumed that the switch was miscalibrated.

C. Applias a decreasing pressure to trip point and adjust the pressure switch to increase or reduce pressure for 15 in.

(step 5.2.3.3).

D. Applies a decreasing pressure to in. (step 5.2.3.4).

57

. E. Increases the applied pressure and verify instrument resets

(step 5.2.3.5).

F. Increases the applied pressure to 0 in. (step 5.2.3.6).

Dependency. Because the calibration of a single switch requires a series of activities and the failure of anv one causes i miscalibration, depender.ce effects are irrelevant and'zero dependence is assigned to the activities of this task (see Table 5-1, Item 9.a of NUREG/CR-4772).

Ricove ty.. Step 5.3.3.8 of the procedure requires that the operator verify step 5.2.2 1 (i.e., activity A), In essence, i therefore, the operator performs a post-cali.1 ration test. In' doing so, the operator .is required to write down the results of

the verification on a checklist. Optimal Conditions #2 and #3 e therefore apply (Table 5-2 of NUREG/CR-4772) and a total recovery factor (RF) credit of 0.01 applies (Case VIII, Table 5-3, NUMEG/CR-4772).

Nominal Euman Error Probability. The probability that the operator.miscalibrates a switch is therefor :

NHEPn = RF * (BHEPu,,s + BHEPuwes +

BHEP4 . ,c.+ BHEP 4 . ,o +

BHEPu ,,e

+ BHEPu ,,)

=

(0.01) * (0.03

6) w 1.8 x 10'3 Miscalibration of Rtactor Protection System (RP8) Averact.

. Power Rance Monitor (APRM) Instrumentation.

4 Task. Operator calibrates RPS APRMs APRM-A to F using l procedure ISP-20-1.

Activitiet. To calibrate APRM instrumentation, the operator:

A. Performs a pre-calibration test to determine if the APRM instrument is miscalibrated (steps 5.2.2, 5.2.3, 5.2.4, 5.2.5, and 5.2.6 of procedure ISP-20-1).

B. Determines the need for calibration by verifying the pre-calibraticn (step 5.3 of the procedure). If the operator fails to perform this step, it'was assumed that the APRM instrument is out of calibration.

C. Adjust the power test potentiometer (Z36-R2) to the minimum position (step 5.3.1 of procedure).

l 58-

- -- w .,--4 , - - - - , e

i l',

l D. ' Momentarily short the front panel-meter (M1).and

. mechanically zero the meter.(stop 5.3.2).

}

f- E. Adjust-power test potentiometer.(Z36-R2) for:10 V.and adjust i Z31-R26 for a. meter indication'of 125 percant (stepL5.3.3 of j proceiure). ,

ll Denendency. Because the calibration of a-single APRM ,

requires a series of activities and the failuro of: any one causes miscalibration, dependence effects are irrelevant-and zero ,

dependence is assigned'to the activities of this task (see-Table p 5-1, Item 9.a of NUREG/CR-4772).

4

$ Recovely. . Step 5.3.4 of the; procedure. requires that the operator verify step'5.2.6, - In essence, therefore, the j operator performs a post-calibration test. - In doing so, the operator is' required to write down the results of the 1: verification on a checklist. Optimal Conditions-#2 andL#3 i_ therefore apply (Table 5-2 of'NUREG/CR-4772) and a' total' recovery

!! factor (RF) credit of 0.01; applies.(Case VIII, Table.5-3, ~

{~ NUREG/CR-4772).

i In addition, a daily check, structured to identifyfcomponent 4

operability, is performed. Accordingly,. Optimal. condition #4

{ applies and an additional recovery credit can be'given, reducing L the total recovery-factor to 0.001-(Case VII, Table 5-3, s NUREG/CR-4772).-

! ~

Nominal Human Error Probability. ~ The probability that j the operator miscalibrates a switch is therefore:-

t I NHEPn = RF_* (BHEPuw,3 + BHEPuggs +.

} BHEPuw,c + BHEPu 4 p +

!: BHEPum, 5)

=

L ( 0. 0 01)--- * .(0.03-*E5) i:

p

1.5--x 10 4 In-determining.this-nominal HEP, it was assumed thatlif the _

operator miscalibrates the first instrument,ohe willcalso!

- miscalibratelother_instrumentsLbecause miscalibration istlikely-l to-indicate-that the1 operator does not1 understand the process.. >

Therefore:the probability 1that-the operator miscalibrates'all

. instruments is:-

l' NHEPr y= .1. 5 - x lod p

l i-

~

h 59 i

e-- -e, 4 e . m e. , 4...,,v'..',..- a e +,ese, , -d . .s- p -, U , # 6sw.- w s -- c e, mm..., s- c gs. %-, v.

.,gs-,--%.., ,, +, ,rw.. s y y '. .e. my ,

Item 19 Raquest i Please describe and discuss your analysis of operational experience (i.e. LERS, training material and procedures updates, maintenance and surveillance test records, etc.) used to identify human error initiated events and common cause failures. ,

EMA991s With the exception of initiating events, no attempt was made to ~

integrate plant human error data into a plant-specific human.

error data base. Instead, an analysis of operating experience was made to identify potential human errors.- These errors were then explicitly depicted in the system fault tree models. 'The analysis of operating experience entailed the review of the LERs, scram reports, shi't supervisor and nuclear control operator logs, maintenance work requests, and the training department's system lesson plan. The role of plant experience in generating human error probabilities is described--in more detail in the response to Item 16.

As noted in the response to Item 13, no common-cause failures occurred at the plant-between August 1980 and September 1986. '

However, potential common-cause events identified from the review of operating experience were included in the system models. For example the fault trees modeled common-cause failures of four diesels and of two LPCI injection valves,'etc.

As noted in Item 16, observations of simulator performance and walkthroughs of respenso and recovery actions were also used in developing HEPs for post-accident response and recovery actions.

It should also be noted that the reactor operator training program at JAF now includes a lesson plan (NET-238.13) directly related to the JAF IPE. Furthermore, the training program is kept current'by addressing potential operator errors and common-cause failurss identified in LERs and other reports of operating experience from JAF and cther nuclear power plants.

60

~. - - - _ _ _ _ - _ - _ - _ _ _ - _ _ _ _ . - . - - _ _ _

y- . . - __ _ _. . _ _ _ _ _ _ . _ . _ . . ... _ _ _ _ . . . . .

j 1 J

s itsa'20

j. -

g,

- Rental

Please'specify the BHEP and any_RFs used to. estimate the

l. probability (NHEP) of_failuru to vent:the-watwelli(local- ~

operation) upon demand (i.e.-Containment Pressure 244 psig), and

}-

discuss-the' basis-for selection of the BHEP and RF, values.

3

' Relevant factors 4to be discussed incl'ude the EOP? covering

containment venting,Llocation and operator. access-to' vent Valves' and/or their controls',-training of the operators-required to l perform the venting _functionLas well as the1effect of: such

! factors as stress, time, and environmental conditions"such as-j.

^

temperature and radiation levels expected to exist in the l locality of the vent valve' controls.' .

i. ,

Response

b Wetwell-ventingqis normally initiated at_the primaryLcontainment -

, and purge ~ (PCP) panal located-in-the-relay;roon. . For; accident- -

! sequences in which active: power';is unavailable to the valves,-the _

-1 l: operator wouldclocally hand-wheel:the. valves open. 1 Venting:of

the: containment-is_ accomplished usingEAOP-35 " Post Accidenti

-Venting of.the Primary Containment ~."' _This-procedure. instructs l the operator toEvent the containment i regardlessiof the

radiological consequences.i The . procedure Els entered ;fron= EOF-4

[ " Primary Containment Control"Lbefore the1 containment pressure j exceeds.44.psig. .The operators'are:well(trained in:the p implementation of the EOPs.-- .Although ittwas not possible to e simulate,a scenario which_ led.to containment 2 venting,1-because-:of.

!' the long; duration of'TW' sequences, as_part of;the?HRA:thei P operators 1didi walk through the ; process; involved Ein) imph,menting -

- AOP-35 both from the: PCP panel and olocally ati eachEvalve.-

The controls-forfthe;wetwell andldrywell' vent. valves areJ1ocated=

,- - in~the~relaylroom onLpanel PCP.' -This area-is easilyfaccessible.

! from:the.~ control room and-is identified asia: mild: environment:for -

F :

' equipment' qualification purposes.; The-wetwel1Jvent valves-are-

,. -located in the1 reactor 1 building.on the-2721ft!alevation-just;

[' outside the reactor? building < air lock.- -This ar'alis" e accessible.

in'all1 accident' scenarios until core-. damage-occurs.' (No.: credit. -

[

- was.taken for-use of1the drywell ventivalves inicontainment=

' ' ~

venting.. -

The'aean HEP 4 forYfailure to vent-containment fronJthe relay room- s b i is 2.6'x 10 .with an error-factor of.10. .This' HEP was=

j _ calculated 5as'the.sua of.two terms: #

a- -The' probability that_the operators fail to determine-containsant-' control / venting is- needed; V

61 r

~

+%,-.. , , ,v , . , , - , , , - e- w,,,-.,,, -,e---.,e,#.-...sb-. u..-w u, . ~ - w w . w -- ~,.-,.,,,-,mme =----au. . . ~

E The product of the probability that the reactor operator fails to perform containment control / venting-and the probability that the shift supervisor fails to check the reactor operator and correct the failure to implement venting.

The probability that the operators fail to determine containment control / venting is needed was assigned a median value <10 4 and an error factor of 10. This probability is based on the ASEP/HRAP procedure (NUREG/CR-4772) and the fact that 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months are available to make this diagnosis. A mean probability of 0.0032 was assigned to the reactor operator failing to perform containment control or venting from the relay room. This probability is based on the fact that the task is relatively straightforward, is described step-by-step in AOP-35, and requires no complex actions on the part of the operator. A mean value of 0.5 was assigned to

the probability of the shift supervisor failing to check the RO and correct containment control by venting. This probability assumes a dynamic task with the shift supervisor under moderately high stress. Ths derivation of these-HEPs is detailed-in the JAF ISE, Volume 2, Appendix E, Section 2.2.7.

The mean HEP for failure to vent containment via local manual valve operation is 3.2 x 10 4 with an error factor of 10. This value was calculated assaming that the operators have already correctly diagnosed the need for containment venting. Local venting is assumed to be a step-by-step task with the operator under moderately high stress. The derivation of thic HEP is detailed in the JAF IPE, Volume 2, Appendix E, Section 2.3.6.1.

e i

i l

l l

j 62 l

l

Iten 21 Bequest Table 4.5.1.1 indicates an internal containment failure pressure for Peach Bottom !PB) of 150 psig. NUREG-1150 identifies an estimated mean failure pressure of 148 psig for PB. In Section

. 4.5.1 Static Over Pressure Containment Failure, you use a containment failure pressure of 159 psig for Peach Bottom and reduce it by 12-134 (to account for thinner vent line bellows at Fitzpatrick) to obtain a failure pressure of 140 psig for the Fitzpatrick IPE. Please provide your basis for using the 159 psig value as a basis for determining the estimated failure pressure rather than the 150 psig value from your comparison of Fitzpatrick vs. Peach Bottom Major Plant Features (Table 4.5.1.1) or the 148 psig value from NUREG 1150 (Vol.1, page 4-12). Use of the 148 or 150 psig values would result in an estimate of failure pressure for Fitzpatrick of about 130 psig.

Please discuss the effects of this lower value on the timing and probability of overpressure containment failures. In addition, Section 4.6.1-Selection of the_CEI seems to indicate that, in spite of the above comparison between PB and Fitzpatrick, the PB containment probabilities and failure modes were used in the FitzPatrick CET. Please clarify this statement and discuss the comparison of the two plants and how it has been used to assign values to the Fitzpatrick CET.

Response

The 148 psig internal containment failure pressure for Peach Bottc2 is that presented in NUREG-1150. The 150-psig value presented in Table 4.5.1.1 was taken from NUREG/CR-45S1 and presumably is 148 psig rounded up. The 159 psig containment failure pressure is the ultimate Peach Bottom Unit 2 co'tainment failure pressure predicted in the " Mark I Containment Severe Accident Analysis" performed by Chicago Bridge and Iron (CBI).

In the JAF IPE, the containment failure modes and probabilities derived for Peach Bottom were used. The justification for this is as follows:

e 5 An analysis performed by CBI , comparing the containment at JAF with that at Peach Bottom concluded that the "(JAF) containment is generally as strong (as) or stronger than the reference structure." In this analysis, CBI compared the materials of construction used in JAF and Pahch Bottom and examined the major structural components in the drywell and watwell at both plants. The areas examined included the:

'C11 Tectmical services Co. " Scoping Stucsy of Mark 1 Containment vesset," April 1991 63

Drywell head region

- Transition knuchle between the cylindrical and hemispherical portions of the containment structure Top and bottom cylindrical regions Top and botton halves of the wetwell Vent line bellow 2.

The study found that the top part of the torus shell and vent line bellows at JAF were thinner than at Peach Bottom.

As a result, CBI concluded that the thinner torus shsll would decrease the containment failure pressure by 2 pai and that the thinner vent line bellows may rasult in a 12 to 13 percent decrease in the bellows failure pressure compared to Peach Bottom. However, these differences are not expected to influence the ultimate containment failure pressure.

m Both plants are BWR4s with Mark I-containments. Therefore, containment failure characterizations (static overpressure failure, basemat ablation, isolation f allut us, drywell liner failure by contact with core debris, etc.) are not expected to differ.

Accordingly, the Authority decided that the containuent failure probabilities and modes assumed at Peach Bottom were appropriate for use in the JAF CET. This notwithstanding, a 140-psig containment failure pressure was assumed in the JAF IPE, to obtain conservative estimates of the time at which containment failure occurs--a lower containment failure _ pressure will result in containment failure occurring earlier. However, it must be noted that containment failure will still not occur until many hours after initiation of the accident. (The MARCH code predicts containment failure will occur at 29 hours3.356481e-4 days 0.00806 hours 4.794974e-5 weeks 1.10345e-5 months assuming a containment failure pressure of 132 psia).

A reduced containment failure pressure will also increase the i probability of drywell/wetwell overpressure failura and reduce the probability of failures attributable to wetwnll venting.

Nevertheless, the minor effects or. the timing and probability of overprossure containment failures will not materially change the accident progression insights gained or conclusions drawn in Volume 1, Sections 4.7.3 r_nd 7 of the JAF IPE.

l i

64 1

- . . . ~ . _ . . . _ _ _- . -. . . .

4 l

4 i

Ites 22

Rigvest Please clarify,the apparent.discrepancyfconcerning the amount of Zircalloy available. Tables 4.2.2.1 and 4.5.1.1 indicate a Zircalloy core inventory of 111,216 lb. However, Table 4.3.2.2 indicates a total core inventory of- 131',051 lb. Which value-is correct? Which value was used.in the IPE? In the event that the- =

, smaller value is incorrect and was used in the IPE, discuss the impact of the larger value.

BARE 10At

. Both values are correct. The value foundLin Table 4.2.2.1

(111,216 lb of zircalloy). reflects ths load design for fuel cycle i

U. The value found'in Table 4.5.1.1 (131,051 lb of zircalloy)

. reflects the original. reactor fuel: loading and was assumed to represent the maximum amount of zircalloy in any' future load cycle. The larger value was used in the !PE to ensure that '

calculations of hydrogen release were conservative.

L I

65

., n.m,1 ,'y-

-w,--,.,.y,, y, . , , , , w g ..e, ,m.. ,w,,,,,-,g . , , . . - , . ,.,,,w 4

Item 23 Renuest With regard to Section 4.5.4-Containment Isolation Svatem (CIg1 Failures please identify the CIS failure probability (s) used in the IPE, and contributors to CIS failure. Please identify the necessary failures for the three SBO bypass leak paths identified in Section 4.5.4 and provide the basis for your conclusion regarding their improbability.

, Besconse The only CIS failure probabilities used in the JAF IPE apply to the SBo bypass leak paths. In station blackout sequences with de power initially unavailable, three lines that penetrate primary

containment remain unisolated providing potential leak paths to the environment for gaseous fission products. These leak paths are

a Through the drywell sump (equipment drain) line to the radwaste system From the reactor water cleanup (RWCU) system into the RWCU pump room or RWCU cleanup filter room a Into the reactor building closed loop cooling system (MBCLCS) from the recirculation pumps.

The failures necessary to entablish a containment leakage path and the orobabilition of their occurrence are as follows.

Leakage through the drywell sump line requires that the drywell suup pump discharge line outboard isolation valve fail open. The valve is designed to fall closed on loss of instrument air or power. Given that the mean probabilit y cf a solenoid valve j failing to close on demand is 104 (NUREG/CR-4550 ASEP) and the core damage frequency occasioned by internal events at JAF is 1.92 x 10 year, the probability'of core damage and this valve failing to close is <10 /4 year. Accordingly, this leak path was eliminated from further consideration.

l The leak paths through the-RWCU and RBCLCS require that a breach '

of the system piping occur for a containment leakage path to exist because the RWCU and4 RBCLCS are closed systems inside containment. Given the 10 /hr/100 ft median probability of piping failur'; used in the JAF IPE,'the probability of a leakage path through the three lines is remote. Furthermore, as the resulting leakage paths involve small-size piping (<4 in.

diameter), the leaks would be insignificant.

66

m Lten 2A Recuest With regard to Section 4.5.S-Containment Electrical Penetration Failures, please provide plots of containment atmocphere temperature vs. time from the HAAP-3.0B analysis for accidents with Direct Containment Heating (DCH). Compare the electrical penetration environmental qualification temperatures tc the temperature profiles predicted for DCH events from the MAAP runs, and provide your basis for concluding that the probability of electrical penetration failures is so small that they need not be considered as a possible containment failure mods. Please identify and discuss the process used to treat any active or passive equipment located in the drywell which is assumed or required to function during DCH events.

B6sp0Dre Section 4.5.5 of the JAF IPE states " ... electrical penetration failures were not censidered to be a possible containmer.t failure mode." While this statement presents the conclusion of t!e Authority evaluation of electrical penetration failure, it is somewhat misleading in that it gives the impression that electrical penetration failures were dismissed without being modeled. In fact, to conservatively reflect previcus treatments (e . g. , NUREG-1150) , electrical penetration failures caused by extreme thermal environments were modeled in the JAF IPE as drywell failures rather than as separate containment failure modes. The probability of thermal failure of the electricsl penetrations is therefore accounted for in the JAF IPE in exactly the same way that it was accounted for in the Peach Bottom Level 2 PRA (NUREG/CR-4551, Volume 4, Revision 1, Part 2, Appendix A)--

thermal failure of the electrical penetrations was treated as an additional mode of drywell failure in evaluating the likelihood of containment failura and determining source terms.

Thermal failures of the containment are addressed in-the JAF containment event-tree (CCT). Question 128 of the CET asks "Does the containment fail at low pressure from temperature in the drywell?" Two outcomes for this que; tion are (1) LTCF -

" Late Thermal Containment Failure";'and (2) n:LTCF "no Late Thermal Containment Failure." Three cases define the circumstances under which this question is evaluated. The first case captures all accident sequences in which the containment has not failed prior to or as s consequence v* events at vessel breach and thus is still at high pressure (i.e., no venting has occurred). The second case captures all accident sequences in which thermal failure of the electrical penetrations would not be considered, either because there is no thermal load (and hence no thermal failure) or because a drywell failure had previously 67

occurred with any of the following conditions existing:

a There_is no vessel failure (i.e., the accident has been ,

arrested in the vessel and no reasonable mode =of electrical -

penetration _ failure can.be cited) e The containment has failed in the drywell (in which case thermal failure of electrical penetrations is moot) e A deep water pool covers the debris and cools escaping 1 gases (in which case no thermal load-would challenge the electrical penetrations).

The third casa captures thoseLsequences in which the wetwell-has failed and a significant' thermal load exists. In this'_ third case, the probability of thermal failure-is approximately_25 percent,7 this probabil ity=being theEvalue used;for Peach _ Bottom in NUREG/CR-4551,_ Volume 4', Revision 1.

i The wording of the request for Item 2411ndicates that.the L

reviewers believe that MAAP 3.0B! calculations were performed;to.

assess. containment 1 performance under-loads associated with-vessel-failure. MAAP-3.0B, was not used in the JAFfIPE. TheJprincipal-tool forLassessing__ plant-specific' containment loadsLat JAF, as-

~

indicated in Section 4.3.1 of-the:JAF IPE,'was1BWRSAR.

calculations. performed with_this code, supplem6nted:by an i

evaluation-of studies of-Mark I Gentrinaent_ performance, were used to quantify =therIPE back-eti model; Based on BWRSAR calculations, drywe111 temperature profiles after vessel breach prepared for all :five plant damage states._ (JAF LIPE, volumed 2, Appendix.I)7 predict temperatures lbelow;thatelectrical penetration environmental-qualification-temperaturesa 1The Authority, therefore,fconcluded that'drywellitemperatures1 anticipated.during-postulatedLeaverocaccidents shouldanot cause-the sealant material'to fail.. Subsequently,-the CONTAIN^1.12-computar' code was;used,te validate 1-this'conclusionn.LFigure 24.1-presents-the primary containment nodalization1used in2the-CONTAIN-analysis. '

The principal challenge-tooelectrical: penetrations (comes<from, molten core-concrete interactions that occurlin?the absence:of-a significant overlying water _ pool. _Because h'ot.gasesimparging- 4 through:the. molten debris will heatLtheLdrywell airspace,

drywell1 sprays are_theionly>effect1~ve. mechanism toicoolithe air.-

~However,:because the core damage; frequency-forfJAF:is dominated

by non-recovered station blackouts, 'drywell sprays .would riot- bei

'68

n7li i

{' .f .lF , * , * ' s :{.*I,- , m ' ;t' 4I :3:/' ; h a

=

< 8 4-g aC'8 ,

g .

n .y

'9 , g sa, nM o

L E

L .

6 g ~ C 3 .

st s .

u ,

u r "1 f

= .

L E

e 4- g a nWIu a 2' E

- ~

s s0 c

s uw t

Y e

'I

- em m cr t .

f 0 t f .

e. a ss fe 8' u 3 s., ;.,. a s.

u s. E L .':. -

.. n .,,

w. . {; r.

.I t . ,,~, ;w.

te s

h t

8 t u ....:,?s, .g

.... . ;,/..~p,. .. , 4 1 S i.

F 9

,....M't...,[s,.

-y.

. > .. x ,. . 4. ? /.,m.

- ^ ... . .

,,. .. h t L L

. : a- t t j?. .. 1 t m

n **

. .. . L. -

C C M ,

.z.+.

~. .-

.?". .. .

. - .*:,?* [' 6:. . { t . 7i. / ,.. .. /.:5r, .g.

j? *f

'/.1.Jg[?r;q m _ " - . - 3 Q, ; e ,.. . : ,. .a. . ...

,.. , ~ Y. . ;.,. . /..

. / * . * -

..e, e E 8

, M m n 3 INe

. 1 r - . --

, . .- GC ti.,

t e3 S r.

. -- t wl c, tt 34 OL ,

u.,

t i

,. . 8 u - E . d

.l'

fnL

- ~

- m/

9r s

3 -

g sT *g P

- c.

n o

s ,, 9 f

y T t

. .. _ .. a ',r C

M.

c a ,

fE ,,

C a 3 E 3g

g t .

a E n.

it a -

M-I 8

... iz y ,..

.. /~c 2

5 la

~?

. - - 9- g 1 o 1 1 d

o l%> y

.y g L 4 qD ..

-- ^ - 7. , E L.

t C - m C E

L E

t C N

.. .* ,- - .:7.(; .

. .. t

. l n

I, l ,.

. ;.. ..g.e W.,.mi

(.(... ._. * <..r.. . N .p.,,.. .u . I, ,

e

.' ,l' s /% ,. .

~

.g . . . ,t., %,:.p..

,.. . u,. * ;g :" ..- c* . ,

/; . m

,

n i . t v = v, am 3 . ia

.:,...[.,:{g*.r...~.,s*;..

4

,. s,

= a.c..

,D. !. ,..

,. 4; .,

.* : , , - {

.f. 2 .q. ..u * - ,; a t

' 5, n

,e $ 4.. e P.

s

.,,p . ,u f..- , . * : .

er v '9 o

m_a2 3 y/.

f,,.~. / 9

. .

k ': ,.1.[*j,.

! .' ss.

,.-; ,1 'x,. ~ .. 7 *

~~ ... . . .

f m n r s c, as . C l

,.~.1..

4 ;,

Q_ 4 a

,. p:, a ., .

s

t. a , a *f y

S .

.:. ,** ;3(, ,n.

, .;.., t r W .*

.. v*r. e a

Rp \ni C

m w *= ,av, mrfe E

u W yL L C s = , s e im

. ~ e s.

P C_ st E gSE S $

I_ ..,.

. . 7,e. . fg:.

. . - o. a.

v.rt.,. . - - r 0

t L_

t E g W .

L . .

i. - t * : P i

W a ..7, *i , !;/, ~ g;. '. ;y .:

l s

e a T H

Ia

, d ..

~. L t t a

N I

D 3 , ..

e.:r.[? . ; f, -

m m c A

@f p T lI

.l. ~.y _ aC .

.e *

i a , ~ .. ;f h,;. ' ,:;. .,, v^ o, f 3 (, h :y&&,;;. yf f t$ ;4'

. .h 'q 1

. .. - r.

N

y* .e .

u Y

.: . , . . .*. i.,y.jas h*... .

a

+. O x .,' 7 J .

O.... * ., M

..w.v <... ,*7 .

C

.e l c '.qtf fs. . . ,5.e ./ i. ~.r . ,

,.e* . %, q. .r?* . .,

.?

m.

[ :

,_- ;, 1 s 2 3 4

2, /.e ;f., J,, $. r.

wll ~ - ]j ,:;;. ., ..

~,. . t . t,

.siL

. ']"*

a . a , 4 v$' "* cE l0 -c

.. .- t T .

. ..:.. .,. . f .

f

. .. =.p. s, E

S E

l 2

. (

,.2 scD

. .,. . t

+ a#w#m t a r E

e r

. ; (

f. s g -. t -

s t - u v ".1 , g

- mje

. n f

tLeieLrw t

t t

u t

iF s

s , ewmmc v

a, g O :

n mO f s.

_ e me

@ m

'. y+ . - 4

e 1 4 -. '

O3- ;. .,

h>

t - In t

g

,,. . .f. i c C

...,[. ' p ..,% f; !

- * : y . '; v ' .,;g .. * . *, .

, .e . . . .,.,.. ;

i 2 3 .

?. f. vs -

$.,. y. *., . .

t 7. ' * . < ?;;.

+ ,; . , .

- et s.

.? , , a

.. . ~ 7 . .... .[. ,,', f. , .j p..

,: . 3a ra

,f ' e ; . .*#' .

..,,s .

5 f

e.

. t t

., f5 .e E

' ,. . , D D .F.

w r

* , ./- ; . * ,f t

+ s +o t

e u#3 E 4 m N 6 9- o - ,

t .

s. . k 2,-

+ *4 '0 0 ~ . - 't

. te t .

r.a nvea ..n. eev S.

t t t 4 4 3 0 t E 3

,.3 3 u $

a v pmO iD t - P t D u E E c.

s s . -

A

' a

, t t i 3

~ r s

t -

a s

r. 0 0 E t

s , t

. t E t

t u .

= C c C me

~

.j,.3lr. 2 r ,;', . cf . ttg& i2 L.j":i iil r. l: . '

l available in most accidents. Therefore, the CONTAIN 1.12 DCH analysis assumes the long-term high pressure accident progression calculated for plant damage state 1 by BRRSAR.

At vessel breach, t'.a sudden vessel depressurization which occurs when the first inc.crument tube fails results in a rapid rush of hot steam through the hot particle debris bed accumulated in the bottom head of the vessel. This steam immediately reacts with unoxidized zirconium producing large amounts of highly superheated hydrogen (Figure 24.2). Of particular interest is the fact that while the reactor system is depressurizing (Figures 24.2 and 24.3), essentially no steam flows out of the failed instrument tube. To produce a bounding calculation it was assumed that the hydrogen exiting the vessel during depressurization remains at the debris temperature for the entire blowdown--the energy evolved in the metal water reaction was assumed to heat the debris bed and the produced gas was assumed to follow the debris bed temperature. The results of this calculation are shown in Figure 24.4 and 24.5. The pressure rise (Figure 24.4) does not significantly impact containment integrity. Figure 24.5 shows that although the temperature increase in the reactor cavity cells (drywell in-pedestal 2 and 3 location) is significant, the temperature response elsewhere in the drywell is mild. In particular, the drywell temperature profile for drywell ex-pedestal 3, which includes all the electrical penetrations inside the drywell depicts temperatures lower than the electrical penetration environmental qualification temperatures of 340*F to 390*F. Therefore, the CONTAIN 1.12 results reaffirm the original conclusion that electrical penetrations failures are not considered to be_a possible containment failure mode.

Among other equipment failures, other then those of electrical penetrations, failure of the reactor pedestal and potential drywell bypass is the principal challenge frcm direct containment heating (DCH). The JAF IPE accounts for reactor pedestal failure in the same manner as did the Peach Mottom NURE3/CR-4551 analysis because the design is very similar. No other equipment Oailures are of importance because most of the active equipment in a BWR is outside containment. The notable exceptions to this are the safety / relief valves and parts of the reactor pressure, vessel lavel instrumentation but these items are irrelevant once the reactor vessel is breached.

70

9

BWRSAR Fitzpatrick High Press:re Seq.

200.00 -

180.00 -

.160.00 -

(.

(\ VESSEL FAILS g

g 140.00 -

N

.c J

_ 120.00 -' STEAM m

o

> 100.00 -

dD '.

80.00 -

b -

\

h 3C Q 60.00 - ..

5. i t

k ' IIYDROGEN I 40.00 - i 20.00 - RESSURE IN VESSEL BELOW 200 P ilA c '..

0.00 .

, ' ; ---- r - ,

1200.00 1300.00 1400.00 1500.00 1600.00 1~l90.00 1MS.00 - 1900M 2NG.00 21M.00 2200.00 TIME SINCE START OF ACCIDENT, MIN Figure 24.2 BWRSAR Fitzpatrick High Prussure Sequence-Flow out of Vessel

BWRSAR Fitzpttrick High Pressure Seq.

595.00 -

540.00 -

3 485.00 -

.w 6

" 430.00 -

R 0

u A 375.00 -

0 E

> 320.00 -

u o -

t g 265.00 -

M .

210.00 -

155.00 -

100.00 ,

~,

1200.00 1300.00 1400.00 1500 M 1600.00 1700.00 1800.00 1990.M 2000A0 21M.00 2200.#

TIME SINCE START OF ACCIDENT, MIN Figure 24.3 BWRSAR Fitzpatrick High Pressure Sequencs-Vessel Pressure

39,,, _

CONTAIN 1.2 Fitzprtrick DCH CcIcul: tion 84.00 -

~

prywen Volume 79.00 - l 5 . ,/

,,./..,*'"

l 's' 74.00 -

eg l ,s' m : ,

j ./ ,s'

~

@ 69.00.- . ./ '

w p/ Wetwell Volume G -

m '

/

8 '64.00 - .-

a 4 '

u _

C i

59.00 - ,/

b i C 54.00 - /

.O i U _

i

'49.00 ,

[

44.00 -

4 39.00 ,

i . ~~' I , .

s i

I I '

I 1

=

1 1250.00 1260.00 1270AJ 1280.00 .1290.00 1300.00 1310.00 1320.00 1330.00 1340.00 1350.00 Time Since Start of. Vessel Breach,' MIN Figure 24.4 CONTAIN Fitzpatrick DCH Calculation-Coritainment Pressure Profile

,l;l,\1 l

. 0 0

i 0 5

3

. 1 0

I 0 0

4

. 3 1

+

_ 0 0 e

- ~

I

) )

) 0 i!

0 '9 - .

- _ . 3 f

) ) )

' ) 3 9' 5 - -

3 o r

3 35 2 -

) ) 5 '8 4 5' .

1 P 0 6 _

oe 4 3 3 7 2 4 o . .

e 6 8 2 3 t

. _ r 2 2 o o t

t . u t o t

t o 3' 5' 3

. _ 0 t a

o o t .

0 n 24( ". ___ _ .

. r

'6 8 4 - . .

l t t 8

7 4 5 5' 2

( 3(

. 0 2 ine p i 2' 6 2 0 ~- "

3 t

l r 5 6 2 2

(

4

(

2

(

2

( (

1 3

( 1 l

d e

e c

a

~

1 MeTm u 3 2 t r t a e p -

- _ , t c 3 2 l a a s e nS

_ 0 h ne i l 3 l

a t s P d r _

0 c n c a = s hd _

t C

t s

s e

e r e P-e s

e i e A -.. -

l 0 at 1 ei n e e d p s -

P PaP n N - _ 3 r a J

e e P P- p e

.. 1 B no t

H x

- x-E x U I e w r.

Newynt C -

n s E E e . l C rW I .

D I i t I

e .

0 e n I l nlI .o l 6 si s o l l : I e e w y -

7 T__

l e e l

w y r p!IL.,I ' . . 0 t _

a, w _ 0 e a k ww y r - _

~

y .

pfD 7,I_ 3Vlu r - * -

c y y .

r ' -

1 c i

r r r D/ , '

3 n..

l D D, D il .! '

/ - f a t

/

/ f

/

I j/ f,! i.;g l

oC p / / / '/ \

J

- 0 9 tr C H

z : / ,t lilf'.

l i

t

/' / / f,N, f,, -

~

.~

a 0 aD 9

F / ,1 j/ / p.' .

2 t k 2

./ i \

_s /

Y l ;.-.

j .I t'

i-

- f,1,O~. -

1 S cn

/'

r_

t

/ ,\

i

/,

.j . ./

~

e pa c

1 N

5','

j .

f ,,. L / /A .

.- l

. 8 0 int i z

I %

\

j l- .

-- + 0 4S F

N

,\

o._ . ~ ~

. 2 A -

L *

/

. Ii ~.

- 1 eA I

T N 1,1

.\

e -

. j . . , ..-~ . -~9 .

mNT O q# js R

_ A.

./ / ,/.

0TO 0

i C .

C 1 il;;ell(i, , , :*

l 0 7 5 2

4 1

2 s

r

. 0 u g

, 0 :

_ i. 60 F

_ 2 1

0 L 0 q -

- m

_ 0 0 0 0 0 0 0 0 5

, 0 0 0 0 m 0 0 0 2 1

0 0 0 0 0

, 0 0 0 0 0

0 0 0 0 0

0 g 0 9 8 7 6 5 4 3 5 1

W @4.Q _.g ss&59 Ce I

ck . Cd 2

i)[ lLrlll[(L ,'

Lten 2 5 Becuest With regard to Section 4. 5. 6. 2-Containtnent Dtvwell Melt-throuch, ,

please discuss the consistency of your IPE insights with those described in draft NUREG/CR-5423, "The Probability of Liner Failure in a Mark-1 Containment", dated January 1990, (or the more recent final report dated August, 1991.) Discuss the effects of the insights from this most recent work upon the liner failure probabilities shown in Table 4.5.6.1.

Response

A major premise of the JAF back-end analysis was that JAF is very similar to Peach Bottom. In particular, only two important differences were identified that could affect the depth of debris contacting the liner and thus liner melt-through: core mass and dryvell sump size.

Several studies *J have concluded that the depth of debris contacting the liner is an important parameter affecting the likelihood of liner melt-through. Clearly for cases in which '

little debris'is released from the vessel and little or no debris reaches the liner, melt-through is highly unlikely or impossible.

However, if the depth of debris in contact with the liner is large (i.e., greater than 30 cm), the likelihood of liner melt-through is much greater. Two parameters that can aignificantly affect the depth of debris in contact with the liner are the mass of- corium released from the vessel and the drywell sump volt)me.

The sumps collect the debris and prevent it from spreading across the floor.

Table 4.5.1.1 of the JAF IPE-Volume 1, Section 4.5.1 shows that the JAF core is approximately'17 percent smaller than the Peach Bottom core, and thus the mass of core debris releaseo from the vessel following vessel failure will be lower for similar accident sequences. Table 4.5.1.1 also shows-the JAF drywell to be roughly the same size as the Peach Bottom drywell. Smaller potential releases into a similarly-sized drywell will result in shallower debris beds on the drywell floor in the JAF plant, and-thus the debris bed depth in contact with the liner will be lower.

Theof anous, T. G., Ed. e., "The Probability of Liner f at ture in e Mart.1 Centairwomt," MURfC/Ca.5423, the univeraity of Catifornia, Auguet l901.

hirgerdt, J. J. ard E. D. 64reeron, " TAC 20 studies of mark 1 Contalement Cermit Shett Melt fMrough,"

hMREC/Cta$126, Sandle National Laboratories, Augvst 1988.

75 4

w_ _ _ _ _ _ ~ _ . - _ - - _

t i s t .

Furthermore, the JAF drywell sumps have a larger capacity than *

, the Peach Bottom sumps (JAF drywell_ sumps have a depth of 4.ft i and a total free volume of 261.0. f t ; Peach Bottom drywell sumps 3

have a depth of 1.4 ft and a total free volume of 203.0 ft' ').

When more debris is confined to the sumps, less-is available to spread across the floor and contact the shell, reducing the total-debris height in contact tith the liner in hypothet'. cal accidents.

, The two differences between' JAP and Peach Bottom-would tend to '

i reduce the height of debris in contact:.with the liner and reduce

!- tha likelihood of liner melt-through at JAF. 'Given this

! assessment,: the Authority felt confident that the expert data

! from the NUREG-1150 analysis shown_in. Table 25.1 would.

y overestimate the frequency of large releases attributable to liner melt-through at JAF. However,-because this. issue is

controversial, NUREG-1150 data were applied.and-the

emrestimation of large releases accepted.

{. Table 25.1 Probsbilities of Dry it shett Failure' case 2 min 5 min 10 min Ih 2h 3h- 5h 10 h CCI '

n*9' 4 0.00 0.07 0.22- 0.32 0.53 0.34 0.34 0.34 0.35 net ,

b 0.09 0.19 0.39 0.51 0.53 0.54 0.54 0.54 0.54 .

Orr c 0.04 0 17 0.32 0.38 0.39 0.39 0.39 0.39 0.39 l Wet d 0.21 0.53 .071 0.79 0.80- 0.81 0.81 0.81 0.81 Dry e 0.21 0.38' O.51 0.60 0.61 '0.61 0.61 0.61' O.61 I ory 't -l

irdicates time (hours) when core concrete lateractiers become negligible.-

The-expert assessment of containment drywell melt-through was summarized into five cases for application to the JAF CET, the probability of dryvell liner failure being expressed as a- ~

function of the debris-flow rate, reactor-pressure vessel pressure, extent of metal oxidation, debris superheat, and 4 presence of water on the drywell floor. Thelfive cases addressed ;

in Table 25.1-are:

'Theofsticus, T. C., Ed. e., "The Proiaability of Liner Falture in e Mark ! Containannt,* SAtEG/CR 1423, page 23, The University of Callfornie,-Ausw t 1991.

'Muttr./CR-4551 volume 2 Part 11. - table 6-2, " probabilities of cryweit shet t Faltu-a." -

76 f

. -. - ~. - - - .. - . . . .. - .... - . . , .. - . . . - , . - ,

7 (a) Low and medium debris mass flow rates-with water on the dryvellifloor (b) Low and medium debris masc flow rates without water on:the-drywellafloor (c) High debris mass-flow rates:with water-on the.drywell floor (d) High: debris dess flow rates without water on tho drywell floor and with at least twosof the.other three parameters (reactor pressure. vessel pressure, percentage of metal, and debris superheat) high (e) High debris flow ratesEwithout-water on the drywell-floor and.at least two of the other three parameters: low.

Tha~ parameters were defined as-follows:

Debris mass flow rate: Low . (<50-kg/s)

Medium (50-to.100_kg/s)

=High l(>100 kg/s)

Water 1on drywell_ floor: Yes. (replenished). .

No =(not. replenished) ,

Reactor _ pressure: vessel High (1,000 psia)- -

pressure: Low (200' psia)

Percentage of metal: ;High' (65% zirconium)

Low- .(35%, zirconium)-

Debris superheat: High (>100K) q Lowo .(<100K)

Cases a and-c reflect:wat conditions within1the'drywell;?the-other-cases reflect dry conditions within theldrywell.- c .The' term "weta" implies a'significant--quantity of< water is present onsthe

- drywell; floor.-- For simplicityi:it: was : assumed that linerc aelt-through within;10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months of vessel breach'was a form of early drywellifailure and could resulttin a large-early1 release.. This treatment is1 conservative;but^ avoided-additional complexity in the source term model.=.lTaking that fallure probabilities at_10 hourstas being representative of1theJfailuratprobabilities applied inithe _ analysis,-the f ailure - probabilityf forf wet cases:

was; roughly 0.37_-1(the mean;of10.341andf0.39),'and the failure-probability.for dry cases was roughly 0.65 (the-mean of 0.50, 0.817and 0. 61) .

In-contrast, the'probabilistic methodology _ applied iniNUREG

/CR-5423 results;in= predictions 1that-liner: failure is " physically unreasonable" for the'wetncases,iwith fallure-probabilities in-4 77 l

1,

___.___i___.____m.__.i__.______.._._.__....

i i

l a

l the 10 d to 10* range. Liner failure for the dry cases was found i to be " virtually certain" with probabilities vary (nq from 0.63 to i 1.

Comparing NUREG/CR-5423 data with those used in the JAF IPE 1

indicates that the failure prooabilities applied in the JAF IPE for wet drywell cases are orders of magnitude higher than those proposed in NUREG/CR-5423 and that the failure probabilities for the dry cares are essentially the same (they are certainly equivalent given the large uncertainties surrounding this issue).

. It can therefore be asserted that the data used in the JAF IPE

! are conservative. Since the probabilities differ significantly for the wet. cases but not for she dry cases, we will only discuss i implications of the NUREG/CR-5423. data for the wet cases.

i Figure 4. 7.4. 5 in the JAF IPE clearly shows that the dominant j mode of-early~ containment failure for all plant damage states

(PDS)'is drywell melt-through. Thus, reducing the likelihood of drywell melt-through for: all wet cases would reduce the frequency of early releases. Given that Figure 4 7.4.3 in the JAF IPE shot. that sprays (a dominant source of water for the drywell 2

floor) are not'available (early or late) in roughly 60 percent of

' the PDS-1 sequences, and PDS-1 represents more than one-half of '

the total core damage frequency, it is clear that use cf

, NUREG/CR-5423 data will result in a marked decrease in.the

. probability of releases.

6 Finally, it will be recalled that the source termscthat result from drywell liner failure in accident sequences involving water on the floor will be lower than for sequences invo.lving a dry i drywell because the' water pool that quenches the debris-and-

prevents it from causing drywell liner';;ilure is'also very-effective at scrubbing fission p-oduct aerosols feom_ gaseous.

releases. Spray droplets would a3so mitigate releases.-

Theref_.% the source-terms for the flouded cases would not be in

i. the "high* category. Given reduced frequencies and source terms, the wet cases do not significantly-impact overall containment-response measures. -

I Howsvar, while the JAF'IPE would seem superficially _to be very

conservative in its-handling of the_failursa_of a wet drywell, the. adoption of NUREG/CR-54?.3 data may'be ineppropriate because-NUREG/CR-5423 did not' consider basemat/ ablation and failure of the drywell shell below the sumps--the presence of equipment sumps inside the pedestal was apparently. neglected. ' Debris depths exceeding 2 ft (actual sump heights &re 4 ft) are expected in the sumpe. This debris is less-likely to be cooled by_ water.

Localized molten core-concrete interactions (MCCI) may thus ablate the floor and possibly fail the contair, ment liner which_is only a few inches from the-bottom of the sumps.- Since this-failure mechanism was not considered in NUREG/CR-5423, the

78

-- ,-- .:---- , , - r c. , ,,,o~,am~, ,---n --mr .v e, e - p <r~<

f l

i Authority feels that the existing quantification of the likelihood of liner failure is appropriate given the levels of uncertainty surrounding the issue.

1 We can therefore conclude that although the use of NUREG/CR-5423 j data would significantly reduce the probability of early containment failure for all wet cases, the majority of accident 4

sequences (as determined by their cumulative frequency) are associated with a dry drywell and would not be affected by the

, new data. Because the failure data for dry cases presented in-NUREG/CR-5423 are essentially the same as the data applied in the JAF back-end analysis the frequency of-large early_ releases would not change significantly. Therefore, application of the new data l

=

vould reduce the early. failure frequency but not the overall severe accident response characterization. Furthermore, data from-NUREG/CR-5423 may not be aporopriate for JAF. In our 4 judgment, the. change in the11arge release frequency that would result from applying-the new data would not reprasent a l

significant improvement to the'JAF.' analysis, b.

i e'

t i

E 9

4 i

9 i

-79 1

t

, .- . _ _ .- .._-,,;,-,, , , . - m, . . , , , . . .,,,m,. , . ~ . . _ _ . - , _ - - - _ _ . , , ,

Item 26 Request on page 4-55 in the third line from the top c. the page, please identify the starting event for U e 24 hr. termination of the analysis of Core Concrete Intert : Jions (CCI), i.e. is the 24 hrs.

measured from the start of_ initiating event, core-damage, vessel failure or CCI?

Response

In the core damage sequences and potential CCIs described in the JAF IPE, all times are measured from the occurrence of the initiating event (i.e., in all_ dominant core damage sequences, the loss of offsite power event). CCIs are followed for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months

-after initiation of the accident sequence'cs th: release of fission products from containment-is essentially: complete within 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

j k 80 1 4

i LLnn.21 Requtti Examination of Figures 4.7.4.3 and 4.7.4.5 seem to indicate that :

for PDS-1 thern is a probability of early containment failure of .

l 0.038 from some mechanism other than drywell melt through, dryvell over pressure rupture, or wetwell venting.- Is this ,

representative of containment bypass leaks (i.o. event V and/or containment isolation f ailure)? This unidentified mechanism mesms 8 to.have a frequency of 3.9 x 10 /yr and accounts for 2.1% lef all core melt events. Please clarify-this and discuss its significance.

Response

~

Figure 4.7.4.3 shows the impact of drywell spray operation upon the conditional probabilities of;early erntainment failure.- The figure therefore reflects all-the early containment failure ,

modes. However,-Figure 4.7.4.5-presents the conditional .

probabilities of only the three nominant early containment' ,

failure modes. The complete list of these. failure modes for PDS-1 is as follows: ,

containment Failure Mode Conditional Probability Drywell liner melt-through 0.528 .

Drywell rupture 0.135 4 Weten.i.1 venting 'O.075 Drywell head leak 0.019 Wetwell rupture 0.016 !

Wetwell leak 0.0022 Drywell. leak 0.0002 Total o.776- ;

No "V" sequence eventLor containment isolation failuralis listed'. -

l

{ -

L 1 i

i 81 3

, , - un--

a , + , . ,.w, e , k_. , ,, , ,; , 4-,,-g4,-e ,,-..,ye ,- n --m-, v- w , -- -..,4 y . m ey m _ ,

. l 4

Item 28 I Ray.aels ;

Generic Letter 88-20 Supplement 1, dated August 29, 1989, requests that BWR licensees with a Mark I containment design j i

addrass the specific Mark I containment Performance Improvements '

(CPIs) identified in the supplement to GL 88-20 and references 1 and 2 below. Please examine the suggested CPIs and provide your evaluation of the value/ impact associated with the suggested j improvements and any sensitivity with regard to estimated core i damage frequency. (Use references as appropriate.) '

Ramponse 4

BWR Mark I containment performance improvements, discussed in Generic Letter 88-20, Supplement 1, Vere considered in the JAF IPE. The following CPIs were examined:

s Emergency operating procedures (Pv~1sion 4 of the BWR Owners Group Emergency Procedure Guidelines) m Alternate water supply for vessel injection i

W Alternate water supply for drywell spray u Enhanced reactor pressure vessel depressurization system reliability a Containment venting.

The manner in which these were addressed in the IPE is as follows.

EEftcency.,3peratina Procedures (Enks).

The EOPs addressed in Revision 4 to the BWR Owners Group Emergency Procedure Guidelines (EPGs) were implemented at JAF in June, 1990 and were incorporated in the JAF IPE event and fault tree models. Because the EOPs reflect the latest generic NRC-approved actions for mitigating potential transients that go beyond the design basis of the plant, the core damage frequency (CDP) predicted is expected to be lower than the CDF based on previous EOPs.

Alternate Water Sucolv for vessel Iniection.

At JAF, tha fire protection system (FPS) can be cross-tied to the residual heat removal service water (RHRSW) "A" turn, can be cross-tied to the header which, in "A" RHR low pressure coolant injection (LPCI) path. The availability of this alternate 82 l

n I

injection path reduces the CDF associated with loss of injection accident sequences and delays core damage in station blackout sequences. In the JAF IPE study, this use of the FPS had little impact secause the dominant sequences initiated by A, si and T3C events in which vessel injection failed are dominated by the j .ailure of low pressure emergency core cooling system injection valves to open. Since the FPS uses the same path to inject coolant into the reactor, these failures will also preclude use of tne FPS to provide vessel injection.

Use of the FPS diesel-driven fire pump during a SBO event was

usscurt+d as a possi' ole mitigating action after battery depletion Jud lote of de power and the subsequent lous of high pressure coolant injection using high pressure coolant injection (HPCI) and reactor core isolation cooling (RCTC) systems. It was i

concluded that use of the FPS during SBO sequences could only delay accident progression as, without ac power recovery, the SRVs cannot maintain low reactor pressure and so assure continued FPS operation. Furthermore, even if reactor depressurization is assured through an alternate de power supply, without ac power recovery, systeme required for containment decay heat removal will still be unavailable. The resulting high containment pressures exerted on the SRVs will cause their closure. The subsequent rise in reactor vessel pressure to a value above the FPS pumps shutoff head precludes reactor vessel make-up.

Although the CPIs only address the use of an alternate water supply for vessel injection, other uses are possib?.e i r this supply. Loss of containment heat removal (TW) sequences that result from RHRSW pump failure can.be recovered by manually aligning the FPS pumps to the discharge of RHRSW header A to remove decay heat from RHR heat exchanger A. This use of the FPS reduces the probability of core damage in TW sequences. Whi10 the manual alignment of the FPS to the RHR system via thu RHRSW heater A la currently addressed la the procedures, it is only to provide an alternate reactor injection source. Therefore, the Authority is now considering modifying the procedures and operetor training to allow manual hlignment to the discharge of RHRSW header A.

Modification of the FPS to allow it to provide EDG jacket water cooling through the ESW system is also under consideration. This modification would reduce the SBO core damage frequency because the leading contributor to SBo events and internal CDP is the unavailability of the emergency service water (ESW) pumps and the resulting loss of cooling and failure of emergency diesel generators (EDGs).

83

Eltgrnate water Supp1v for Devvell spray, i It has yet to be resolved whether fire protection system pumps can provide the necessary discharge for adequate flow to the dryvell spray headers at JAF. Nevertheless, the JAF IPE did

, examine the benefits of drywell spray operation during the i accident progression and their effects on containment performance. The conclusions of this examination are summarized in the JAF IPE, Volume 1, Section 4.9.3. In summary, dryvell spray operation:

i a Reduces the probability of containment failure because water on the dryvell floor reduces the likelihood of drywall liner melt-through and, because the sprays reduce containment pressure, lessens the probability of static overpressurization.

e Delays containment failure by reducing the likelihood of drywoll liner melt-through. This delay will reduce the radiological source term because natural decontamination mechanisms will have more time to act prior to containment failure.

m Shifts the location of containment failure from drywell areas to the wetwell by reducing the likelihood of drywell liner melt-through. Again, this shift will reduce the radiological source term because releases from containment will be scrubbed by the suppression pool.

m Enhances fission product decontamination by direct scrubbing of fission product aerosols and increasing residence time within containment by decreasing pressures and thus the outflow rate from containment. The increased residence time enhrnces the effectiveness of natural decontamination mechanisms.

KRh5nced Reaclor Pressure vessel (R2y) DeDressurication System Reliability.

The effects of enhanced RPV depressurization nystem reliability were not directly quantified in the JAF IPE. However, the examination of the JAF plant damage state accident progressions and phenomena show the beneficial effects of enhanced RPV system reliability. For example, examination of the plant damage states indicates that RPV low pressure accident progressiens are less likely to reault in early containment failure--in PDS-2, a low-pressure SBo_ scenario, the conditional probability of early containment failure is 0.57 whereas in PDS-1 the probability of containment failure is 0.78. This difference arises because low pressure core melt progressions are less likely to result in containment failure at vessel breach than are high pressure melt progressions and are thus expected to reduce source terms by an 84

d i order of magnitude *.

i i The Authority has examined the provision of a portable generator l l to charge the de batteries and so ennance the reliability of the

RPV depressurization system and thus the ability of the plant to

cope with an SBo. It was felt, however, that a reduction in c0F i could be better achieved through other changes (e.g., use of a '

1 fire-water cross-tie to the ESW system to provide EDG jacket

] cooling).

4 Enhancements to RPV depressurization system reliability could i also increase the likelihood of maintaining r3 actor coolant injection. The ability to use low pressure core cooling systems

~

, to inject reactor coolant depends on the safety relief valves

, (SRVs) maintaining reactor vessel pressure below the shut-off head of the low pressure core cooling system pumps. However, in i TW sequences, the SRVs will not stay open because as containment i (drywell) pressure approaches the 80-psig pneumatic system pressure, the SRVs are forced closed. Subsequently, the reactor vessel will repressurize precluding make-up using low pressure l core cooling systems. This accident phenomenon also affects use

, of the FPS during an SBO event.

The Authority evaluated the feasibility of-increasing nitrogen

supply pressure above the containment failure pressure to sustain SRV operability in these scenarios. However, it was decided that other changes to reduce the CDF were more practical.

Containment Venting.

Containment venting was addressed in tne JAF IPE-as a means of preventing catastrophic containment failure and mitigating the consequences resulting from a severe core melt progression.

The JAF containment vent path consists of hard piping from the containment to the inlet transition piece of the standby gas treatment (SBGT) system filter train. Because this transition piece is located outside the reactor building pressure boundary, failure of the transition piece upon-containment venting will only fail the SBGT system. Loss of the SBGT system will not increase core damage-frequency. Therefore, the survivability and accessibility of vital plant equipment are not compromised-by releases within the SBGT room upon containment venting..

Containment venting:was examined for three types of accident sequences:.

Norschel Spector and Peter tieners,.als Mark 1 sheit f alture teetly laportant? Part Two,e Nucteer Engineering

.and Deelen 121 (1990) 647 458.

85 1

l

.. - , . - . . - - . . . . - . . - _ - ~ . , - , , .

l 1

i l

l~

i i

3 a Long-term loss of containment heat removal (TW) sequences i

p e Anticipated transient without scram (ATWS) sequences

) e Station blackout (SBO) sequences.

i i The containment venting scenarios for these sequences will now be

! described.

! kona-Tern _ Loss of Containment _Reat.. Removal (TW) i-seguencee.

l A plant transient with subsequent loss of normal decay heat 1- removal by both the turbine bypass valves (to the main condenser) and_residusi heat removal (RHR) system (suppression pool cooling, drywell spray, etc.) results in rising' containment pressure.

, Eventually (after 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months ), containment pressure approaches the 44-psig primary containment pressure _ limit-(PCPL). By venting the containment at this time using the wetwell venting pathway, containment overpressurization is prevented. The containment

-will remain vented.until a normal decay-heat removal pathway.is i

restored or the pressure is reduced.

If containment venting fails, the high containment pressure exerted on the SRVs will cause their closure. The reactor vessel pressure will'then rise above the~1ow pressure emergency _ core cooling system pump shut-off head. . Because high containment pressure will trip RCIC on high turbine exhaust pressure, core damage will ensue if HPCI is unavailable. Otherwise, containment '

failure will preceda core damage and-increasez the potential for core damage caused by the harsh reactor building environment.

Tne risk _importance of containment venting for the JAF IPE is calculated by comparing the total CDF with and-without containment venting. Assuming that containment overpressurization leads to a loss of-core. cooling, the following CDFs can be calculaced using JAF IPE'results:-

CDF, without venting = 2.72 x 10 4/yr.

CDF, with venting = 1. 92 x 10 4/yr. -

,The total CDF'resulting-fron-internal events is reduced byfa factor of 14=because of containment venting during TW: sequences--

venting _during TW sequences is an important mitigating action.

Antioimated Transient without' scram (ATWs) sequences.

+

Containment pressure-is expected to rise above the-PCPL at an 86

--a - - .. . -..---.-...-....,..--,-,.a. - . .

early stage in certain ATWS accident progressions. In the JAF IPE, containment vanting was considered only for those ATWS sequences in which successful boron injection (and honeo a lower reactor power level) and loss of long-term containment decay heat removal occur. Containment venting is ineffective in ATWS 1

sequences that involve boron injection failure because the resulting high reactor power level would exceed the capability of all containment vent paths. However, because the ATWS initiator >

frequency is low, the expected frequency of sequences requiring containment venting is low and therefore the impact of containment venting on the CDF predicted for ATWS events is negligible.

Et.At191LRIAER.9.93__lRE01 S amL9A9_93 A SBO involves a plant transient in which all sources of ac electrical power are unavailable. The reactor is shut down; only 4

the steam driven HPCI and RCIC systems are available for reactor icvel control. As with TW sequences, containment pressurization occurs slowly. Because the HPCI and RCIC systems depend on dc control power, battery depletion leads to their failure. Without ac power recovery, core water boil-off and core damage ensue.

Because the core melt progression and vessel breach occur before the PCPL is reached, containment venting is not performed.

Hownver, two containment venting strategies were considered in the JAF IPE containment performance analysis: the local alignment of wetvell venting during core degradation (in SB0 core degradation progressions, a 10 percent success rate was assumed) and wetwell venting when containment pressure exceeds the PCPL.

The impact of these two venting strategies on the JAF plant damage states accident progressions is compared in the JAF IPE, Volume 1, Section 4.9.3. The insights gained from this comparison are:

u Containment venting does not preclude drywell liner melt-

through.

a containment venting through the wetwell pathway is a controlled release intended to relieve containment pressure and prevent or delay gross containment rupture during and after vessel breach, u Wetwell venting will scrub the evolved gases in the suppression pool and reduce the fission products released from containment.

It should be noted, however, that because containment venting is itself defined as one mode of containment failure, the overall likelihood of containment failure increases when the operators can, and are instructed by procedure to, vent the containment if containment pressure reaches the PCPL.

87

LttA._11 Recuest Please discuss the containment walkdowns perforued to confirm that the IPE represents the as-built, as currently operated plant. Please identify the operations staff and level-2 experts who participated in containment walkdowns.

Responst A review of plant systems located inside containment identified no equipment or hardware that affected the containment back-end analysis. Therefore, efforts were concentrated on identifying fission product release paths that might bypass the containment or reactor buildirig. This entailed a detailed review of general arrangement, structural and floor planning drawings for the drywell, torus (wetwell) and reactor building (secondary containment) structures. In addition, the team spent one day performing a containment " walk-through" using a comprehensive laser-disk based photograph library. From these reviews, it was concluded th::: a violent interaction between core debriu and the torus water .nventory could occur if the downcomers were level to or slightly above the drywell floor elevation. To determine the position of the downcomars thoroughly, physical observation was required. In keeping with ALARA philosophy, containment walkdown by the entire level-2 team was deemed unnecessary and was therefore not performed. However, a containment walkdown was l performed by plant personnel to determine the height of the downcomers above the drywell floor.

In addition to the walkdowne performed specifically for the containment analysis, numerous walkdowns of the reactor building were performed as part of the level-1 internal flooding analysis.

These walkdowns paid particular attention to crescent area configuration and any open equipment hatchway pathway inside the reactor building. These walkdowns in turn proved useful in l identifying fission product release paths.

l l The level-2 experts who reviewed plant drawings and_the laser-l disk based photo library, were John Favara and Andrew Mihalik of the New York Power Authority and Chris Amos and Jay Weingardt of Science Applications International Corporation.

88

. .-. .

v t e Letter Sequence Request
TAC:M74411, (Open)
Initiation Request Acceptance... Administration Questions Answers Results Approval... Other:
MONTHYEAR1992-09-01 [Table View]

JPN-92-046, Responds to NRC 920520 Request for Addl Info Based on Review of 910913 Submittal of Ipe,In Response to Generic Ltr 88-20, IPE for Severe Accident Vulnerabilities

Text

SUBJECT:

References:

Dear Sir:

Attachment:

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Navigation menu

JPN-92-046, Responds to NRC 920520 Request for Addl Info Based on Review of 910913 Submittal of Ipe,In Response to Generic Ltr 88-20, IPE for Severe Accident Vulnerabilities

Text

SUBJECT:

References:

Dear Sir:

Attachment:

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Response

Navigation menu

Search