LIC-95-0223, Forwards Response to Request for Addl Info to Assist Closure of NRC Staff Review of Individual Plant Exam Submittal


Forwards Response to Request for Addl Info to Assist Closure of NRC Staff Review of Individual Plant Exam Submittal
ML20094R491
Person / Time
Site: Fort Calhoun (Omaha Public Power District)
Issue date: 11/30/1995
From: Tira Patterson
OMAHA PUBLIC POWER DISTRICT
To:
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
LIC-95-0223, LIC-95-223, TAC-M74412, NUDOCS 9512040426


Text


Omaha Public Power District
P.O. Box 399, Hwy. 75 - North of Ft. Calhoun
Fort Calhoun, NE 68023-0399
402/636-2000

November 30, 1995
LIC-95-0223

U. S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Mail Station P1-137
Washington, DC 20555

References:

1. Docket No. 50-285
2. Letter from OPPD (W. G. Gates) to NRC (Document Control Desk) dated December 1, 1993 (LIC-93-0278)
3. Letter from NRC (S. D. Bloom) to OPPD (T. L. Patterson) dated September 12, 1995

SUBJECT:

Response to Request for Additional Information (RAI) to Assist Closure of NRR Staff Review of Fort Calhoun Nuclear Plant Individual Plant Examination (IPE) Submittal (TAC No. M74412)

The Reference 3 RAI consisted of questions based on the Reference 2 IPE submittal. As noted in the RAI, some of these questions were discussed via telephone among the NRC and OPPD staffs on August 23, 1995. Attached please find the questions and OPPD responses.

Please contact me if you have any questions.

Sincerely,

T. L. Patterson
Division Manager
Nuclear Operations

TLP/tcm

Attachment

c: Winston & Strawn (w/o attachment)
   L. J. Callan, NRC Regional Administrator, Region IV
   W. C. Walker, NRC Senior Resident Inspector
   L. R. Wharton, NRC Project Manager

9512040426 951130 PDR ADOCK 05000285 P PDR

LIC-95-0223 Attachment Page 1

Omaha Public Power District Responses to NRC Request for Additional Information Concerning the Fort Calhoun Station Individual Plant Examination (IPE) Program

Question 1

The submittal is not clear regarding the date to which plant operation and procedures are represented by the IPE analysis (freeze date). In addition, the submittal does not indicate whether exceptions to the freeze date configuration were included in the analysis.

(a) Please identify the freeze date of the analysis.

(b) Please identify any exceptions to the freeze date configuration.

(c) Please identify the effect of any freeze date exceptions on the estimate of the core damage frequency (CDF), both individually and collectively.

Response 1

(a) A freeze date of February of 1989 was used for the IPE analysis. This was the freeze date that was used to develop the system notebooks.

(b) Modifications and Engineering Change Notices were reviewed after February 1989. No modifications or Engineering Change Notices were identified that were detrimental to plant CDF. One modification that was credited to the analysis was FW-54, the diesel-driven auxiliary feedwater pump.

(c) The Risk Achievement Worth for auxiliary feedwater pump FW-54 is 5.6.

As part of the commitment to maintain a living PRA, OPPD is modifying the configuration control process to include controlling the status of the IPE model and supporting data files.

Question 2

Frequencies for the following initiating events are approximately an order of magnitude lower than corresponding data typically used in other IPE probabilistic risk assessment (PRA) studies: turbine trip, loss of main feedwater, medium loss-of-coolant accident (LOCA), and large LOCA. Also, although the submittal describes the treatment of automatic scrams, it is not clear how manual scrams from full power were considered in the IPE.

(a) Please discuss the quantification of the initiating events for turbine trip, loss of main feedwater, medium LOCA, and large LOCA, specifically addressing sources of data, methods used for quantification, and applicability to the Fort Calhoun plant.

(b) Please describe how manual scrams from full power were accounted for in the IPE.

Response 2

(a) Estimation of initiator frequencies was based on a review of the reactor trip history over the data analysis window (January 1, 1985 through December 31, 1990; 4.73 Mode 1 years). A combination of generic and plant-specific experience (incorporated using Bayesian analysis) was used to estimate initiator frequencies.

T3 - Turbine Trip

The frequency of initiator T3 has been estimated using Bayesian methods. The prior distribution is based on industry-wide data provided in NUREG/CR-3862, which is an update of earlier work performed as part of EPRI NP-2230. Table 1 lists the types of transients which are included within the boundary of initiator T3 and includes relevant statistical data from NUREG/CR-3862.

The prior distribution is assumed to be a gamma distribution with mean and variance equal to the pooled NUREG/CR-3862 data. The gamma distribution is a two-parameter distribution (parameters α and β); the parameters are related to the distribution's mean and variance as follows:

$$\text{mean} = \frac{\alpha}{\beta}, \qquad \text{variance} = \frac{\alpha}{\beta^{2}} \tag{1}$$

Table 1 shows the estimated parameter values, which have been calculated using Equation (1). Assuming that turbine trip events (n events in T years) follow a Poisson process, then the Bayesian posterior distribution is also a gamma distribution with parameters:

$$\alpha' = \alpha + n, \qquad \beta' = \beta + T \tag{2}$$

Thus, α' = 0.86 + 0 = 0.86 and β' = 0.52 + 4.73 = 5.25. Using Equation (1), the posterior mean and variance are, respectively, 0.164 and 0.0312.

Table 1
DEVELOPMENT OF PRIOR DISTRIBUTION FOR T3 - TURBINE TRIP

EPRI PWR                                                    Average          Standard
Category   Description                                      Frequency (/y)   Deviation   Variance
33         Turbine trip, throttle valve closure,            1.19             1.56        2.43
           EHC problems
34         Generator trip or generator caused faults        0.46             0.88        0.77
TOTAL                                                       1.65                         3.20
α                                                           0.86
β                                                           0.52

T4 - Loss of Main Feedwater

The frequency of initiator T4 was estimated in the same manner as initiator T3. Table 2 lists the information relevant to development of the prior distribution. The Bayesian posterior mean and variance are, respectively, 0.0205 and 0.00383.
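The calculation described for T3 and T4 can be reproduced directly from the category data in Tables 1 and 2. The following is an added example, not OPPD's own calculation: the function names are illustrative, the rounding order in `fit_prior` is inferred from the tabulated values, and zero observed events for T4 is an assumption (the letter states n = 0 only for T3).

```python
"""Gamma-Poisson update of an initiating-event frequency (added example).

Category data are the Table 1 / Table 2 values quoted in the letter; every
function and variable name here is illustrative.
"""
from dataclasses import dataclass

EXPOSURE_YEARS = 4.73  # Mode 1 years in the 1985-1990 data window

# EPRI PWR category -> (mean frequency per year, variance), from the letter
T3_CATEGORIES = {33: (1.19, 2.43), 34: (0.46, 0.77)}  # Table 1, turbine trip
T4_CATEGORIES = {16: (0.16, 0.26), 24: (0.01, 0.01)}  # Table 2, loss of MFW


@dataclass(frozen=True)
class Gamma:
    alpha: float  # shape parameter
    beta: float   # rate parameter, in years

    @property
    def mean(self) -> float:
        return self.alpha / self.beta          # Equation (1)

    @property
    def variance(self) -> float:
        return self.alpha / self.beta ** 2     # Equation (1)


def pool(categories):
    """Sum the category means and variances (the TOTAL row of each table)."""
    mean = sum(m for m, _ in categories.values())
    variance = sum(v for _, v in categories.values())
    return mean, variance


def fit_prior(mean, variance):
    """Invert Equation (1): beta = mean / variance, alpha = mean * beta.

    Rounding beta to two decimals before computing alpha reproduces the
    tabulated parameters (0.86 and 0.52 for T3); that rounding order is
    inferred from the tables, not stated in the letter.
    """
    if mean <= 0 or variance <= 0:
        raise ValueError("mean and variance must be positive")
    beta = round(mean / variance, 2)
    alpha = round(mean * beta, 2)
    return Gamma(alpha, beta)


def update(prior, n_events, exposure_years):
    """Equation (2): posterior after n events in T years of exposure."""
    if n_events < 0 or int(n_events) != n_events:
        raise ValueError("n_events must be a non-negative integer")
    if exposure_years <= 0:
        raise ValueError("exposure_years must be positive")
    return Gamma(prior.alpha + n_events, prior.beta + exposure_years)


def posterior_for(categories, n_events, exposure_years=EXPOSURE_YEARS):
    """Pool the categories, fit the prior, and apply the update."""
    return update(fit_prior(*pool(categories)), n_events, exposure_years)


def sensitivity(categories, counts, exposure_years=EXPOSURE_YEARS):
    """Posterior mean for each hypothetical event count in `counts`."""
    return {n: posterior_for(categories, n, exposure_years).mean for n in counts}


if __name__ == "__main__":
    for name, cats in (("T3", T3_CATEGORIES), ("T4", T4_CATEGORIES)):
        prior = fit_prior(*pool(cats))
        post = update(prior, 0, EXPOSURE_YEARS)  # n = 0; assumed for T4
        print(f"{name}: prior mean {prior.mean:.3f}/y -> posterior mean "
              f"{post.mean:.4f}/y, variance {post.variance:.5f} "
              f"(prior/posterior = {prior.mean / post.mean:.1f})")
    # Constructed counts: how one or two observed trips would move T3
    for n, mean in sensitivity(T3_CATEGORIES, (0, 1, 2)).items():
        print(f"T3 with n={n}: posterior mean {mean:.3f}/y")
```

With no events in the window, the posterior mean is the prior mean scaled by β/(β + T), about a factor of ten for T3, which is the gap from generic data that Question 2 asks about.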

Table 2
DEVELOPMENT OF PRIOR DISTRIBUTION FOR T4 - LOSS OF MAIN FEEDWATER

EPRI PWR                                                    Average          Standard
Category   Description                                      Frequency (/y)   Deviation   Variance
16         Total loss of feedwater flow (all loops)         0.16             0.51        0.26
24         Loss of condensate pumps (all loops)             0.01             0.10        0.01
TOTAL                                                       0.17                         0.27
α                                                           0.11
β                                                           0.63

S, M, A - Loss of Coolant Accidents

The estimation of LOCA frequencies was based upon a review of similar events defined in previous PRAs and safety studies. Table 3 identifies the sources that were reviewed, along with the LOCA frequency data that were obtained during the review.

Table 3
LOCA FREQUENCIES USED IN PREVIOUS PRAs

Source                         Break Size    Frequency   Remarks
NUREG/CR-4290 data for         leak          2.30E-08    Based on fracture mechanics;
C-E plants                     DEGB          5.50E-14    not cited in other PRAs
NUREG/CR-4290 data for         leak          1.10E-07    Based on fracture mechanics;
Westinghouse plants            DEGB          4.40E-12    not cited in other PRAs
NREP                           > 6"          1.00E-04    Smallest category includes
                               2" to 6"      1.00E-03    LOCAs with equivalent
                               < 2"          1.00E-02    diameters < 0.5"
Big Rock Point PRA             small         1.00E-03
                               medium        1.00E-04
                               large         1.00E-05
Shoreham PRA                   1"            8.00E-03
                               4"            3.00E-03
                               6"            7.00E-04
WASH-1400                      small         1.00E-03
                               medium        3.00E-04
                               large         1.00E-04
NUREG/CR-4550                  < 0.5"        2.00E-02
                               0.5 to 2"     1.00E-03
                               2" to 6"      1.00E-03
                               > 6"          5.00E-04

Three LOCA-related initiating events, differentiated by equivalent break diameter, were defined for the FCS PRA project. Several factors were considered in developing the set of LOCA frequencies:

1. Terms such as "small" and "large" are design-specific, and cannot be directly mapped onto the FCS LOCA categories. Such descriptions refer to distinct LOCA break categories as distinguished by plant success criteria. Thus, depending upon plant design, a LOCA break size of 2 inches may be a "small" LOCA in one plant and a "medium" LOCA in another.
2. The existing set of actual LOCA events at U.S. commercial nuclear power plants is small; hence, most of the data listed in Table 3 represents expert opinion. Accordingly, there was little to be gained by using complicated, statistically oriented schemes to calculate LOCA frequencies for the FCS PRA due to the inherent lack of precision in the input data.
3. An effort was made to provide consistent estimates of LOCA frequencies. In this context, the term "consistent" has two realizations. First, small LOCAs were judged to be more likely than large LOCAs; thus, the LOCA frequencies reflect an interconsistency. Second, the likelihood of various LOCAs was compared to those of other FCS PRA initiators. (For example, high-energy line breaks in the main steam or main feedwater systems are analogous with medium LOCAs.) Thus, the FCS LOCA frequencies are intraconsistent with the other initiating event frequencies.

Table 4 lists the final FCS PRA LOCA frequencies.

Table 4
FT. CALHOUN STATION PRA LOCA FREQUENCIES

        Break Size                                         Mean Yearly   Log-Normal
LOCA    (in terms of success criteria)                     Frequency     Error Factor
S       > 0.276" diameter; requires secondary heat sink    1.00E-03      15.0
        and HPSI
M       requires HPSI, but no secondary heat sink          1.00E-04      15.0
A       requires LPSI and SITs                             1.00E-05      15.0

Sensitivity studies were performed for the initiating event frequencies and provide further assurance of the acceptability of the values used in the IPE submittal. These values will be reevaluated based upon the next data update. This evaluation will also include cross-comparison of initiating frequencies between the other Combustion Engineering nuclear plant responses.

(b) Manual scrams from full power were included in the frequency estimate for Reactor Trip (T1).

Question 3

The submittal does not give a definition of core damage. Please define the term "core damage" as it is used in the IPE.

Response 3

For the Fort Calhoun IPE, core damage is defined to be a condition where there is extensive physical damage to the core such that fuel assemblies would be disfigured either by mechanical fracturing or by melting, and removal of intact fuel assemblies or groups of assemblies could not be accomplished. In the FCS IPE, significant core damage is mechanistically defined to have occurred if a substantial portion of the core has been uncovered and a fuel cladding temperature of 2200°F or higher is reached in any node in the core as determined by a best-estimate thermal-hydraulic calculation. This definition ensures that the core will retain an intact coolable geometry. For many sequences, core damage is considered to have occurred if core uncovery occurred and core recovery was not anticipated because of equipment failures.

The definitions above are consistent with the definition of core damage presented in the EPRI PRA Key Assumptions and Ground rules, Appendix A to Chapter 1 of Volume II of the "Advanced Light Water Reactor Utility Requirements Document," NP-6780-L, Rev. 3, November, 1991.

Question 4

The IPE assumes that low-pressure safety injection pumps are not required for the mitigation of a large LOCA. Although flow from the high-pressure safety injection (HPSI) system can match decay heat removal requirements in the long term, it is not clear how core damage can be prevented in the early phase of the accident with flow from one of three HPSI pumps and three of four accumulators as assumed in the IPE. Many other PWR IPE/PRA studies have assumed that LPSI pumps are required for mitigating large LOCA. Please give the basis for this portion of the IPE success criteria, specifically addressing the expected peak cladding temperature (if available) and the extent of any radionuclide release.

Response 4

The traditional NSSS design basis defines the Large LOCA success criteria as 1 HPSI, 1 LPSI and 3 of the 4 SITs injecting into the intact loops. These success criteria arise from a stylized Large Break LOCA calculation intended to confirm the adequacy of the plant's ECCS. This calculation focuses on the most limiting fuel pin and includes many conservative and inconsistent assumptions which drive the PCT toward the acceptability limit of 2200°F.

Considerable experimentation in the area of LOCA related phenomenology and a better understanding of core decay heat rates suggests that substantial margin exists in the calculated temperatures during the blowdown and reflood phases of the LOCA. These conservatisms include:

o Overestimates of fuel pin decay heat
o Selection of the most limiting fuel pin
o Selection of most limiting break size, type and location
o Conservative estimates of core heat transfer coefficients (based on small scale experiments)
o Minimal credit for residual water in the lower plenum following the blowdown phase of the event
o Excessive estimates of ECCS bypass
o Overestimates of steam binding via assumption of an RCP locked rotor, and assumed droplet carryover
o Neglect of cooling associated with entrained droplets causing the steam binding
o Minimization of containment pressure

The net impact of these assumptions is to artificially accelerate the fuel pin heatup rate and delay core reflood recovery.

Conservatisms inherent in this methodology have been acknowledged for many years. Large scale experiments have indicated that actual large break LOCAs would be subject to significantly greater post blowdown lower plenum mass accumulation and greater core heat transfer than are generated for the design basis calculation. This is particularly significant for breaks in the upper range of the large break spectrum.

The role of the LPSI in the ECCS triad (HPSI, LPSI and SITs) is to provide inventory to refill a nearly voided reactor vessel following the blowdown phase of a large LOCA. The LPSI role is transitory and is not needed once the recirculation phase begins (about 20 minutes into the event). The actual need for the LPSI in this interval has also been questioned. For the smaller (higher probability) end of the large LOCA spectrum, the LPSI water predominately spills from the reactor vessel. For the double-ended pipe breach, the LPSI serves to refill the RCS and maintain the core covered. Calculations were performed for Fort Calhoun Station, using the "best estimate" CENTS computer code. An evaluation of LOCAs in the large break range (between 2 and 3.2 square feet) indicates that these LOCAs can be successfully mitigated with one HPSI and three of four SITs injecting into cold legs. This will maintain fuel clad temperatures below 1000°F. Higher temperatures may be possible for localized high power fuel pins. This result is generally consistent with results of another large LOCA evaluation reported by INEL for a PWR that indicated that 1 HPSI and a single SIT (accumulator) will limit core heatup and avert clad melting.

Releases of radiation to the public, even those where substantial core damage has occurred, will be small provided containment integrity is maintained. Because of the redundancy of containment heat removal systems at Fort Calhoun Station, virtually all transients causing injection of inventory into the RCS via the HPSI pump will also provide containment heat removal. Bounding (95th percentile) radiation releases following an unmitigated large LOCA (with an intact containment and sprays available) can be approximately established, from table 4.9.3.2 of the IPE submittal, to be under 1 Rem at the site boundary. A bounding estimate of the public dose for a recoverable large LOCA can be obtained by conservatively assuming that all fission gases contained in the fuel pin gas plena will be released early in the transient. This constitutes approximately 5% of the core inventory of iodine, cesium, and noble gases. Using this assumption, the public doses following a mitigated large LOCA (with substantial damage but without significant fuel pellet melting) would be less than 5% of the unmitigated release, or below .05 Rem.

References:

1. Glasser, H., Karwat, H., "Contributions of UPTF experiments to Understanding of Large LOCA," Nuclear Engineering and Design, Vol 145, 1993.
2. Murao, Y., "Large Scale Multidimensional Phenomena found in CCTF and SCTF Experiments," Nuclear Engineering and Design, Vol 145, 1993.
3. Letter, Dr. L. Ward (INEL) to Dr. F. Eltawila (NRC), "Use of MAAP to Support Utility IPE In-Vessel and Ex-Vessel Accident Sequence Success Criteria," LWW-02-94.

Question 5

The IPE does not include total loss of dc power as an initiating event. Please give the reason for excluding this initiating event from the IPE.

Response 5

At FCS, failure of a single DC bus (at power) is sufficient to cause a plant trip, thus meeting the definition of an initiating event. Failure of a single DC bus with a random failure of the other DC bus was explicitly addressed in the FCS IPE. An initiating event involving failure of both DC buses would suggest the possibility of a common cause failure mechanism that would de-energize both DC buses at power, causing a plant trip. A review of the methodology used in NUREG-1150 (i.e., NUREG/CR-4550, Vol. 1, Rev. 1, "Analysis of Core Damage Frequency: Internal Events Methodology") indicated that a failure of a single DC bus was sufficient to cause a plant trip and therefore should be incorporated as an initiating event; however, a common cause DC bus initiating event was not identified as a credible failure mechanism. A review of the plant-specific data for FCS did not uncover any evidence to support a common cause failure of both DC buses as an initiating event. Further review of industry common cause data (i.e., EPRI TR-100382, "A Database of Common-Cause Events for Risk and Reliability Applications," June 1992) did not indicate any new evidence to support this failure mechanism. This is also supported by the fact that both buses are normally energized and never cross-tied at power, thus minimizing the possibility of any common cause failure mechanisms. Since the DC buses are functionally and physically separated, the likelihood of both DC buses simultaneously being de-energized at power is judged to be highly unlikely.

Question 6

The submittal states that the interfacing-systems (ISLOCA) events represent piping or valve failures. No mention is made of any consideration given in the IPE to failures of pump and valve seals and gaskets. Other IPE and PRA studies have shown that seal and gasket failures are important contributors to ISLOCA frequencies. Also, the analysis of the reactor coolant pump (RCP) seal cooler ISLOCA does not address the potential for losing high-pressure injection as a result of adverse environmental conditions created by the ISLOCA.

(a) Please discuss the consideration given to failure of seals and gaskets in the development of the IPE ISLOCA models. If seals and gaskets have not been accounted for in the ISLOCA analysis, please provide justification.

(b) Please explain how it was determined that high-pressure injection could be made available for the RCP seal cooler ISLOCA given possible adverse environmental effects of coolant discharged outside the containment.

Response 6

(a) Two of the ISL scenarios addressed in the IPE could impact the availability of the LPSI System. In both cases the ISL was limited to overpressurization of the downstream piping. It was concluded that the piping would fail before the LPSI pump seals would be exposed to RCS pressure.

The first ISL scenario (IlQ) involves four LPSI injection paths, each having two check valves and one normally closed motor-operated valve (MOV) in series. The LPSI header upstream of the LPSI loop injection valves (HCV-331, HCV-333, HCV-329, and HCV-327) is designed to withstand 600 psig. If two check valves and the MOV in any path were to fail, the overpressurization zone would be bounded by a locked closed valve (HCV-335), LPSI pump discharge check valves (SI-129 and SI-121), and a normally closed valve (HCV-341). The LPSI pump discharge line, including valves, is rated at 600 psig. It is postulated that if the two check valves and the MOV path were to fail, the discharge header would fail before the LPSI pump seals would be exposed to the RCS pressure. A relief valve (SI-187) is mounted on the LPSI injection header and protects the header from overpressurization. It was assumed that the relief valve does not have sufficient capacity to preclude header overpressurization.

The second ISL scenario involving two LPSI suction motor-operated valves (12Q) addressed external leakage (i.e., through valve seals and gaskets) from the valve outside containment as well as the rupture of 12-inch LPSI outside containment. There are two containment isolation valves (HCV-347 and HCV-348) in the line, one on each side of the containment boundary. There are two relief valves on the header, one between the MOVs inside containment and another downstream of the MOV outside containment. The first relief valve (SI-188) would vent leakage past the MOV located inside containment (HCV-348) to the Pressurizer Quench Tank which is also inside containment. Leakage from HCV-348 is therefore detectable and precludes a low volume leak failure of the first MOV. The second relief valve (SI-309) would vent the suction header in the event of leakage past the second MOV (HCV-347). If both MOVs were to fail open, the overpressurization zone would be bounded by the locked closed LPSI pump isolation valves (SI-125 and SI-126), a locked closed manual valve (SI-180), and the normally closed alternate spent fuel pool cooling line. The suction line and associated valves are rated at 300 psig. It is postulated that if the two MOVs ruptured, the suction header would fail before the LPSI pump seals would be exposed to the RCS pressure.

(b) A third ISL scenario involves the CCW supply and return lines from the RCP seal coolers. The RCP seal cooler serves as the primary barrier between the high pressure Reactor Coolant system and the low pressure Component Cooling Water (CCW) system. If a pump cooler were to fail, the CCW components and piping in the CCW system (both inside and outside containment) would be overpressurized. The FCS flooding study indicates that a rupture of a CCW line outside containment would not result in failure of the HPSI pumps. The CCW pumps and surge tank are located in Room 69, elevation 1025' of the Auxiliary Building. The HPSI pumps are located in Rooms 21 and 22, elevation 971' of the Auxiliary Building. The adverse environmental effects of coolant discharged outside containment would not be expected to impact the operation of HPSI, because the likely location of rupture of CCW piping is relatively distant from the HPSI pump rooms. Furthermore, the HPSI pumps are in separate compartments that can be isolated during the event. This ISL sequence is the only bypass sequence that depends on HPSI for mitigation.

Question 7

As indicated on page 3.1-57 of the submittal, the consideration of RCP seal LOCAs was limited to primary system leak rates in excess of the charging makeup capacity (120 gpm). An RCP seal LOCA having a leak rate greater than 120 gpm is postulated to occur either as a result of failure of all four seals in one RCP, or common cause failure of three or four seals in all RCPs. The model does not consider smaller leak rates, for example, a 35-gpm leak associated with the failure of three or four seals in a single RCP. The exclusion of smaller RCP seal LOCAs from the IPE model may underestimate the total CDF. For example, during a station blackout all of the electric-driven pumps will be disabled; as a result, charging flow and component cooling water will be disabled. The loss of component cooling water may in turn cause an RCP seal LOCA, possibly a LOCA less than 120 gpm. If an extended station blackout condition were to exist, the lack of makeup flow to the primary system would eventually cause core uncovery.

Please explain how it was ensured that a vulnerability or important CDF contribution was not missed because of the exclusion of RCP seal LOCAs less than 120 gpm.

Response 7

In their evaluation of Station Blackout (SBO) in NUREG-1032, the NRC has postulated that under station blackout conditions with the loss of RCP seal cooling water flow, the seals would degrade and gross seal leakage might occur. This postulation was based on the operating experience on hydrostatic RCP seals. CE plants use seal packages with 3 or four stages of hydrodynamic seals to seal the RCP shaft. These hydrodynamic seals are significantly less subject to leakage than the hydrostatic seals. The FCS RCPs have 4 seal stages per assembly. Each of the seal stages is capable of operating at full system pressure.

Several tests have been performed to address the capability of the hydrodynamic seal assemblies to maintain integrity and limit seal leakage under loss of seal cooling / station blackout conditions. A station blackout test was run on a prototype seal assembly for one utility. This test was run for more than 50 hours at steady state SBO conditions: no shaft rotation, no cooling and plant operating temperature and pressure. Seal controlled leakage remained within normal limits (approximately 1 gpm) for the entire period. Another significant test was a 30-minute loss of cooling water test. In this case, the RCP shaft was rotating, a more severe condition than for SBO. The maximum controlled leakage was 2 gpm during this test. CE plants have also experienced 12 operational occurrences in which RCP seal cooling was lost for periods between 30 minutes and 9 hours. In no case did the RCP seal leakage exceed 3 gpm. As described on page 3.1-51 of the submittal, one of these operational events occurred at Fort Calhoun in early 1974. In this event, cooling water flow was lost to the RCPs for 45 minutes while the RCPs remained running. The RCP seals did not leak nor was there any known damage.

Based on the operational events and test information for the hydrodynamic RCP seals, OPPD and ABB/Combustion Engineering contend that the hydrodynamic RCP seals used at Fort Calhoun will not exhibit any significant increase in RCP seal leakage during the time frames associated with SBO conditions. However, OPPD conservatively addressed RCP seal LOCAs in the IPE. This model included several significant conservatisms. First, it was assumed that an RCP seal failure would occur at 90 minutes after the onset of SBO conditions. This was based on NUREG-1150 assumptions which were, in turn, based on operating experience for hydrostatic seals, not hydrodynamic seals as used at Fort Calhoun. Second, the leak rates for failure of multiple stages were conservatively estimated. The leak rate for failure of 2 stages was based on an event in which two seal stages were mechanically damaged (not due to loss of cooling). The leak rates for failure of 3 stages and failure of 4 stages were extrapolated from the value for failure of 2 stages, and the maximum leak rate of 3 gpm observed for an operational loss of cooling water flow event. Finally, generic common cause factors, β and γ, were used to calculate the probability of multiple seal stage failures following a loss of seal cooling event. Given that there has never been a degradation of more than one seal stage following a loss of seal cooling event, these generic common mode failure factors are felt to be high, thus conservatively biasing the RCP seal LOCA probabilities.

Based on the above information, OPPD does not realistically expect the failure of more than a single RCP seal stage during the 24 hour time frame of interest for an SBO event. Thus, the maximum RCP seal leak rate during an SBO event would be in the range of about 3 to 12 gpm. With leak rates of this magnitude, the core uncovery time would be in excess of 48 hours from the onset of seal leakage.

The RCP seal model in the FCS IPE submittal presents a conservative treatment with respect to the estimation of core damage frequency and provides the appropriate insights with regard to this event.

Sensitivity analysis performed for the IPE confirmed the importance of RCP seals.

OPPD will continue to monitor developments related to the RCP seals based upon FCS experience, and through future owners group activities.

Question 8

The submittal does not give a complete breakdown of CDF by initiating event. In addition, it does not give the CDF contribution from station blackout.

(a) Please give the CDF contribution from each initiating event listed in Table 3.8 of the submittal.

(b) Please give the station blackout contribution to CDF.

Response 8

(a) The CDF contribution of each initiator is shown below.

CONTRIBUTION OF INITIATING EVENTS TO CDF (per year)

Initiator   CDF          Initiator   CDF
T1          1.09e        T16         1.79e-07
T2          3.94e-09     T17         2.84e-07
T3          2.06e-07     T18         4.70e-07
T4          3.08e-08     T19         4.70e-07
T5A         1.63e-06     T20         4.75e-08
T5B         3.86e-06     T21         1.84e-08
T5C         3.64e-07     T22         6.39e-09
T5D         7.79e-07     T23         9.33e-08
T6          1.86e-08     T24         5.50e-08
T7          5.08e-08     T25         9.56e-09
T8          <5.E-10      S           8.14e-07
T9          5.05e-10     M           1.22e-07
T10         <5.E-10      A           1.35e-07
T11         <5.E-10      R           7.60e-07
T12         3.96e-07     I1          5.84e-08
T13         6.03e-08     I2          2.96e-07
T14A        2.64e-08     I3          2.98e-07
T14B        5.91e-08     I4          2.32e-08
T15         3.63e-08

(b) The contribution of station blackout to CDF is 4.77E-06/yr.

Question 9

The transmittal letter for the submittal states that a number of improvements, as well as minor modifications, were identified and implemented as a result of the analysis. It further states that future areas for plant improvement are also under consideration. Although Section 6.0 of the submittal describes improvements related to the IPE analysis, it is not clear that this description reflects the current plant status with regard to modifications and improvements.

Please clarify the information in the submittal by providing the following:

(a) the specific improvements that have been implemented, are being planned, or are under evaluation;

(b) the status of each improvement, that is, whether the improvement has already been implemented, is planned (with scheduled implementation date), or is under evaluation;

(c) the improvements that were credited (if any) in the reported CDF;

(d) if available, the reduction in the CDF or the conditional containment failure probability that would be realized from each plant improvement if the improvement was to be credited in the reported CDF (or containment failure probability), or the increase in the CDF or the conditional containment failure probability if the credited improvement was to be removed from the reported CDF (or containment failure probability); and

(e) the basis for each improvement, that is, whether it addressed a vulnerability, was otherwise identified from the IPE review, or was developed as part of other NRC rulemaking, such as the station blackout rule.

Response 9

(a) & (b) OPPD identified 4 plant improvements in Table 6-2 of the IPE submittal, as well as examples of plant support in Table 6-1, and unique safety features in Table 6-3. Only the 4 items in Table 6-2 were considered as future improvements. These plant improvements and their status are contained in the following table.

Status of Table 6-2 Plant Improvements

RCP Seal Cooler (EAR-93-026): Completed. A door to allow operator access, for isolation of the seal cooler leakage as soon as possible, has been installed.

Interfacing System LOCA (EAR 93-069): Completed. The valve of concern (HCV-347) was leak tested during the last outage and will continue to be tested for leakage in the future.

Existing 161 KV line: Completed. Anti-galloping features were incorporated in the new 161 KV line.

Request for Removal of Door No. 971-1 in Room 23 (EAR 93-155): In progress. It was determined, after reviewing the design basis for the water-tight door, that the door should be closed for floods initiating within Room 23. The door should be left open for other floods. Procedures are being revised to adjust the position of the door depending upon the location of the flood.

(c), (d), & (e) The completed RCP seal cooler EAR was credited in the submittal. The value of the seal cooler LOCA was not related to CDF significantly or directly, but was related more to a reduction in consequences to the plant and public by isolating the radiation source.

Improvements for the shutdown cooling interfacing system LOCA were also credited in the submittal. Leak testing HCV-347 reduced the total CDF by approximately 2.0%, or 2.0E-07/year. However, the primary benefit of additional testing was substantial reduction in calculated off-site release associated with the ISLOCA.

The inclusion of anti-galloping features to increase the new line reliability was not as significant as the addition of the new 161 KV line, but was a suggested improvement by PRA that was low cost considering that construction was underway. The risk impact of the new 161 KV line is currently being evaluated.

The internal flooding analysis assumed that the water-tight door to Room 23 was open. This provides significant benefit in the case of internal flooding since this room is at the lowest level of the Auxiliary Building and has a large volume. The open position of this door is a reasonable assumption, because the normal position is open and the door is not relied on to restrict access during normal operating conditions. However, it was determined that additional assurance that the Room 23 door remains open is appropriate. The open Room 23 door reduced the CDF due to internal flooding from approximately 2.0E-05/yr to 2.0E-06/yr.

The total core damage reduction from the four improvements was approximately 1.82E-05: 2.0E-07 for shutdown cooling interfacing system valve testing, and 1.80E-05 for the Room 23 door. All improvements were based upon insights from the IPE review.

OPPD is committed to continuing pursuit of cost-beneficial improvements based upon the current and future updated versions of the IPE.

Question 10

It is not clear in the submittal if plant changes due to the station blackout rule were credited in the analysis.

(a) Please state whether plant changes (e.g., procedures for load shedding, alternate ac power) made in response to the blackout rule were credited in the IPE and identify the specific plant changes that were credited.

(b) Please identify the total effect, if any, of these plant changes on the total plant CDF and to the station blackout CDF (i.e., reduction in total plant CDF and station blackout CDF).

(c) Please identify the effect, if any, of each individual plant change on the total plant CDF and to the station blackout CDF (i.e., reduction in total plant CDF and station blackout CDF).

(d) Please identify any other changes to the plant implemented or planned to be implemented and separate from those in response to the station blackout rule that reduce the station blackout CDF.

(e) Please state whether the changes in item d are implemented or planned.

(f) Please state whether credit was taken for the changes in item d in the IPE.

(g) Please identify the effect, if any, of the changes in item d on the station blackout CDF.

Response 10

The station blackout study, and any plant improvements that resulted, were essentially complete prior to the IPE submittal. Therefore, station blackout considerations are already included in the IPE. It would be difficult to back-calculate the quantitative impact of any station blackout improvements.

Question 11

The submittal indicates that a cut set frequency threshold of 1E-9/yr or less was applied to quantified flooding sequences. However, it does not indicate the accident sequence cut set threshold applied to the other portions of the front-end analysis. Please give the truncation value applied to accident sequence cut sets in the remaining portions of the front-end analysis.

Response 11

The truncation values or cutset frequency thresholds applied during the quantification of the FCS core damage sequences were determined on the basis of maximizing the number of unrecovered cutsets obtained in the solution process.

The measure used to assess the adequacy of the cutset frequency threshold is defined as the ratio of the unrecovered core damage sequence frequency to the sequence truncation value. A ratio of 1000 or more usually provides sufficient precision in the analysis process.

For many of the sequences quantified in the FCS IPE, selected events were assigned a value of 1.0 or 0.1 to maximize the number of cutsets during the fault tree solution process. For small LOCA, medium LOCA, SGTR, and ISL sequence I3Q, the initiating events were assigned a probability of 1.0. For ATWS sequences, events KSIGNAL, KJUMPER, and KCR0DSMECH were assigned a value 0.1. For transient-induced LOCA (RCP seal failure), event RCPLEAK was assigned a value 1.0. Post-accident human failure events were assigned a value of 0.1 during the fault tree solution process. The unrecovered core damage frequencies reflect the pre-assigned values used for the fault tree solution process. After fault tree solution, the actual values were restored and used for final quantification.

This approach is valid if the events selected represent common multiplicative factors that appear in all cutsets of a given sequence group.

Table 5 provides a summary of the truncation values used during the quantification of the FCS core damage sequences. The table also includes ratios of unrecovered core damage sequence frequency to sequence truncation value. For most sequences, the ratios exceed 1000. Sequences having ratios less than 1000 are not significant contributors to core damage frequency. Table 6 provides a summary of recovered core damage frequency for sequences having a ratio less than 1000.

A major revision to the IPE model is currently in progress. A truncation analysis will be performed during quantification of this model.

Table 5

SUMMARY OF TRUNCATION VALUES USED FOR FCS QUANTIFICATION

QTV = Quantification Truncation Value; UCDF = Unrecovered Core Damage Frequency

Sequence Name  QTV       UCDF      Number Of Cutsets  UCDF/QTV       Sequence Group
@AUA           8.00e-07  1.97e-01  137                246,250        Large LOCA
@AXA           4.80e-06  2.07e-01  132                43,125         Large LOCA
@MU            8.00e-07  1.05e-01  173                131,250
@MX            4.80e-06  1.01e-01  139                21,042
@SBU           5.00e-07  1.12e-02  225                22,400
@SBF           5.00e-07  1.14e-02  240                22,800
@SBX           3.60e-06  1.02e-02  77                 2,833
@SK            1.00e-07  2.71e-01  3                  2,710,000
@SU            8.00e-07  1.05e-01  173                131,250
@SX            4.80e-06  1.46e-02  165                3,042
@RK            1.00e-07  2.71e-01  3                  2,710,000      SGTR
@RX            1.20e-06  4.08e-02  172                34,000         SGTR
@RDX           3.00e-07  2.17e-02  188                72,333         SGTR
@RBF           8.00e-07  1.83e-03  203                2,288          SGTR
@RBX           3.60e-06  1.55e-03  77                 431            SGTR
@RUB           8.00e-07  2.49e-03  172                3,113          SGTR
@RUD           8.00e-07  1.64e-02  367                20,500         SGTR
@RUX           6.00e-07  6.22e-03  409                10,367         SGTR
@TKP           5.00e-07  3.26e-02  2703               65,200
@TKQ           1.00e-07  1.72e-03  384                17,200
@TKC           1.00e-07  9.76e-03  4371               97,600
@TKB           5.00e-07  3.85e-06  924                8
@TQU           4.00e-07  4.63e-04  377                1,158          Transient-Induced LOCA (Stuck Open PORV)
@TQX           2.00e-06  1.19e-05  64                 6              Transient-Induced LOCA (Stuck Open PORV)
@TQ2BU         5.00e-07  6.82e-03  1349               13,640         Transient-Induced LOCA (RCP Seal)
@TQ2BX         2.50e-06  2.44e-03  708                976            Transient-Induced LOCA (RCP Seal)
@TQ2U          5.00e-07  3.26e-02  1948               65,200         Transient-Induced LOCA (RCP Seal)
@TQ2X          3.70e-06  2.17e-02  1033               5,865          Transient-Induced LOCA (RCP Seal)
@TBF           4.00e-07  1.92e-02  2612               48,000         Transients [illegible]
@TBX           3.20e-06  6.02e-03  649                1,881          Transients [illegible]
@TX            1.00e-06  3.57e-02  2336               35,700         Transients [illegible]
@I1Q           1.00e-10  5.85e-08  112                585            Interfacing Systems LOCA
@I2Q           1.00e-10  2.95e-07  7                  2,950          Interfacing Systems LOCA
@I3QK          1.00e-10  2.71e-01  3                  2,710,000,000  Interfacing Systems LOCA
@I3QU          7.00e-07  1.01e-01  624                144,286        Interfacing Systems LOCA
@I3QB          7.40e-07  1.08e-02  591                14,595         Interfacing Systems LOCA (cont.)
@I3QD          1.00e-07  1.28e-01  1647               1,280,000      Interfacing Systems LOCA (cont.)
@I3QX          1.20e-06  3.30e-02  652                27,500         Interfacing Systems LOCA (cont.)
@I4Q           1.00e-11  2.32e-08  2                  2,320          Interfacing Systems LOCA (cont.)

Table 6

SUMMARY OF SEQUENCES WITH UCDF/QTV RATIOS LESS THAN 1000

Sequence Name  UCDF/QTV  Recovered Core Damage Frequency
@RBX           431       7.14e-11
@TKB           8         4.04e-11
@TQX           6         < 1.0E-10
@TQ2BX         976       6.33e-11
@I1Q           585       5.84e-08

Question 12

The IPE modeled four separate categories of events representing loss of offsite power (LOSP): loss of 345 kV with 161 kV unavailable (plant-centered); loss of 161 kV with failure to fast transfer (plant-centered); grid-related LOSP; and weather-induced LOSP. According to the submittal, non-recovery probabilities for these LOSP initiating events are based on data from an Electric Power Research Institute (EPRI) document (EPRI 6780). However, the submittal does not provide a complete set of the LOSP non-recovery data used in the analysis. Please provide the IPE non-recovery data as a function of time for each of these four LOSP initiating events.

Response 12

A combination of plant-specific and generic data was used to develop offsite power non-recovery probabilities. Plant-specific and generic data were used to develop the non-recovery probabilities for a loss of 345 KV with 161 KV unavailable. Plant-specific data were used to develop the non-recovery probabilities for a loss of 161 KV with failure to fast transfer.

Table 7 provides a summary of offsite power nonrecovery probabilities for each of the four loss of offsite power categories defined for FCS.

A study is currently underway to determine the new offsite power reliability due to the installation of an additional 161 KV line to FCS. The results of this study will be incorporated into an update of the IPE model.

TABLE 7

FCS LOSS OF OFFSITE POWER NONRECOVERY PROBABILITIES

Time (hrs)  T5A Plant-Centered  T5B Plant-Centered  Grid-Related  Weather-Related
            (Loss of 345 KV)    (Loss of 161 KV)
0.00        1.00e+00            1.00e+00            1.00e+00      1.00e+00
0.20        8.20e-01            4.80e-01            8.30e-01      8.20e-01
0.40        6.60e-01            3.30e-01            7.10e-01      7.50e-01
0.60        5.20e-01            2.40e-01            6.10e-01      6.90e-01
0.80        4.00e-01            1.80e-01            5.30e-01      6.40e-01
1.00        3.10e-01            1.40e-01            4.60e-01      6.00e-01
2.00        8.00e-02            5.00e-02            2.40e-01      4.60e-01
3.00        2.00e-02            2.00e-02            1.30e-01      3.80e-01
4.00        5.00e-03            1.00e-02            7.00e-02      3.10e-01
5.00        1.00e-03            6.00e-03            4.00e-02      2.70e-01
6.00        3.00e-04            3.00e-03            2.00e-02      2.30e-01
7.00        5.00e-05            2.00e-03            1.00e-02      2.00e-01

Question 13

The submittal states that plant-specific component hardware data were gathered for 16 systems modeled in the IPE analysis. However, only plant-specific data pertinent to the auxiliary feedwater system are presented in the submittal.

(a) Please give the plant-specific failure data gathered for the following components and failure modes: diesel generator - start and run; HPSI pump - start and run; LPSI pump - start and run; raw water pump - start and run; component cooling water pump - start and run; emergency core cooling system motor-operated valve fail to open, fail to close; battery - failure frequency; battery charger failure frequency; and circuit breaker - fail to open, fail to close.

(b) For each of the components and failure modes identified above, please identify the source of data used to support the IPE analysis (plant-specific and/or generic).

(c) If any of the above component failure modes are based solely on generic data, please provide justification.

Response 13

Plant-specific data were used on all 16 systems modeled in the IPE. Generic data were used only when plant-specific data showed zero failures. A Bayesian update, combining generic data with the plant-specific hours, was then performed for components with no failure. The auxiliary feedwater system data were submitted as an example of data for a system. All the systems' data were not sent because of the volume of the documentation.

As part of the commitment to maintain a living PRA, the data used for the IPE model will be updated periodically. It is expected that these updates will be completed in conjunction with the Maintenance Rule implementation team.

See the table on the next page for responses to (a) and (b).

(c) The only significant case in which generic data were used is the case of auxiliary feedwater pump FW-54. This case is discussed in the response to question 14.

SELECTED BASIC EVENT VALUES FROM THE FORT CALHOUN IPE

Columns: Fail to Start, Fail to Run, Fail to Open, Fail to Close, Failure, Generic (*), Plant Spec.

1. Diesel Generator 3.14E-03 x 3.31E-03 x
2. HPSI Pump 2.27E-03 x 2.88E-06 x
3. LPSI Pump 1.74E-03 x 1.68E-05 x
4. Raw Water Pump 5.66E-04 x 1.30E-04 x
5. Component Cooling Water Pump 8.84E-04 x 3.58E-06 x
6. Emergency Core Cooling MOV 1.93E-03 x 1.93E-03 x
7. Battery Charger 5.21E-03 x
8. Circuit Breaker 5.67E-03 x 5.67E-03 x

(*) Generic data used because there were no failures, during the six-year data window, for plant specific components. A Bayesian update was performed with generic data and plant specific data.

Question 14

Please give the failure data used for the diesel-driven auxiliary feedwater pump and discuss how recent experience with pump vibration supports the IPE failure data used for this pump.

Response 14

The diesel-driven auxiliary feedwater pump was declared to be in service since August of 1990. The pump has been tested monthly since July of 1992.

Due to an initial lack of long-term information on FW-54, generic data were used. Actual failure data for the pump were compared with the generic data periodically. Actual and generic data are very comparable now that enough run time has been accumulated for FW-54. Although comparable to plant-specific data, generic data are still used for FW-54 because they are somewhat more conservative and because vibration problems with the pump have been lessened but not completely resolved.

The generic and actual numbers are as follows.

               Generic   Actual (8/90 thru 8/95)
Fail to start  4.1E-02   2.8E-02
Fail to Run    1.8E-02   1.5E-02

OPPD considers FW-54 to be available to mitigate accidents if needed. Experience with the pump indicates that the pump could serve its intended function to supply water to the emergency feedwater storage tank (EFWST), or directly to the steam generators, for the mission time needed to mitigate various accident scenarios.

Recognizing the importance of FW-54 to severe accident risk, OPPD plans to include a more detailed treatment of FW-54 in an upcoming IPE model revision. This revision will also incorporate any changes related to ongoing engineering changes to this pump.

Question 15

Table 6-1 of the submittal describes a plant enhancement involving the installation of a door to mitigate ISLOCA effects of an RCP seal cooler rupture.

(a) Please clarify this plant enhancement by identifying the location of this door and how closure of the door will isolate a rupture of the CCW boundary.

(b) Also, please identify the major equipment items that would be protected by closing this door.

Response 15

(a) One consequence of the RCP seal cooler ISLOCA is that it would create an environment in portions of the Auxiliary Building which would make operator access difficult or impossible. Of particular concern is the ability of the operators to gain access to the Raw Water backup valves for the shutdown cooling heat exchangers.

Prior to installation of the door, operators would have had to gain access to the area of the Raw Water backup valves by passing through an area affected by the ISLOCA. Addition of the door provides an alternate route which would be far removed from the area of the ISLOCA.

(b) The purpose of the door is to provide an alternate route for operator access to the Raw Water backup valves for the shutdown cooling heat exchangers. The importance of this alternate route has decreased since submittal of the IPE. At that time, an air-operated containment isolation valve installed in the Component Cooling water line inside containment could not be credited to close and isolate the ISLOCA, because pressure in the pipe would have pushed the valve plug open against the actuator.

During the last refueling outage, this valve was rotated 180°. If an ISLOCA occurs, pressure will now force the valve plug closed against the seat. Thus, the probability has increased that this ISLOCA could be terminated remotely without the need for an operator to enter the Auxiliary Building.

Question 16

The submittal does not clearly discuss the process used to identify and select pre-initiator human events including those involving failure to properly restore instrumentation to service after test and maintenance, and miscalibration of instrumentation. The process used to identify and select these types of human events may include the review of procedures and discussions with appropriate plant personnel on interpretation and implementation of the plant's test, maintenance, and calibration procedures.

(a) Please describe the process used to identify human events involving failure to properly restore to service after test and maintenance, and miscalibration of instrumentation.

(b) Please give examples illustrating this process.

Response 16

Pre-initiators can be modeled with analogous hardware faults using "OR" logic. In general, the data tend to include human causes in the hardware faults. Much of the historical failure data (used as bases for the PRA model) supplied insufficient information to allow an accurate root cause to be determined. For this reason, a datum necessarily includes the possibility of human-induced failure. This suggests that the practice of identifying all possible pre-initiators "double counts" their quantitative influence. As a result, the IPE did not model all possible pre-initiators.

The specifically identified area of instrumentation-related pre-initiators is outside of the Generic Letter 88-20 IPE scope. These faults are not typically modeled in PRA due to their non-dominance. Experience has shown that instrumentation per se is probably not a problem until an accident is postulated to progress into the regime of accident management. A limited number of instrumentation-related pre-initiators, identified during the screening for initiating events, are included in the IPE model. For example, included is a common cause failure of 4 Safety Injection and Refueling Water Storage Tank level indicators due to instrument miscalibrations.

Nevertheless, OPPD plans to further examine the potential for pre-initiator errors to contribute to the inoperability of plant equipment. As part of the corrective actions following a recent diesel generator incident involving an apparent pre-initiator error, OPPD is analyzing the potential for pre-initiator events for risk-dominant equipment. The results of this evaluation will be included in a future update of the IPE model.

Question 17

It is not clear from the submittal what was the justification for the screening of pre-initiator human events to ensure that the screening process did not eliminate potentially important human events and accident sequences. The rationale presented for a screening probability value of 0.003 (for example, the rationale provided on page 3.3-26 of the submittal that it is higher than "typical" THERP analyses of 1E-4 to 1E-6) is not understood. For example, analyses of licensee event reports (LERs), such as those performed for failures of valves (e.g., NUREG/CR-1363, Rev. 1), indicate that human-caused failures are about 1E-3.

The concern is that, by using a value of 0.003 for screening purposes, the screening process could inadvertently cause important pre-initiator human events to be eliminated from further analysis. For example, in the development of initial systems fault trees, it is common for different systems analysts to identify the same or similar human actions under different event labels. If the screening takes place without these events being explicitly recognized as the same, it is possible to inadvertently eliminate important accident sequences, particularly when a screening value such as 0.003 is used.

Please provide an additional discussion concerning the screening process used to ensure that important sequences and human events were not inappropriately screened out. Specifically, please discuss how the important human events were not erroneously eliminated by the use of such a screening value.

Response 17

As indicated in Response 16, the hardware data used in PRAs are considered to generally account for both hardware and pre-initiator human-induced errors. Therefore, the modeling of separate pre-initiator human errors was generally not performed, so as to avoid "double-counting" failures associated with the equipment. Where pre-initiator errors were included, the value of 3E-03 is believed to be conservative with respect to a full analysis of each event when taking into consideration human redundancy and other performance shaping factors (PSFs). As indicated by NUREG/CR-1363, pre-initiator human errors are often found to be on the order of 1E-03 or lower. Many are typically found to be on the order of 1E-04 or lower as demonstrated by other analyses such as those performed for NUREG-1150. Additionally, PRAs have found few pre-initiator events to be among the important contributing events to the results. All of these factors served to identify the use of 3E-03 as a "reasonable" screening value so as to avoid the unnecessarily detailed evaluation of too many human errors, while at the same time being sufficiently high so as not to miss any potentially important pre-initiator events.

With regard to the naming of one event with multiple names, it should be noted that it was not common for different analysts to identify the same event with different names/identifiers. Generally, the component was assigned to one system and was modeled as a component solely in that system. For example, if one system requires the loss of flow due to the closure of a valve in another system, this functional event becomes a "top" event requiring the modeler to model the loss of flow to the first system. In this manner, the linked fault tree methodology avoids that kind of PRA practice.

Question 18

It is not clear from the submittal what plant-specific performance shaping factors were used for modifying nominal pre-initiator human error probabilities.

(a) Please provide a list of the plant-specific performance shaping factors and their associated values that were used to modify the nominal pre-initiator human error probabilities.

(b) Please include a description of the process used in the assessment of the performance shaping factors. For example, this description could include examination and walkthroughs of procedures, interviews with plant personnel, examination of administrative controls, and evaluations of displays and controls.

Response 18

This question is related to the pre-initiator human failure event issue discussed in Questions 16 and 17. In addition to the responses provided for these questions, it should be noted that plant-specific PSFs are not generically identified. In the methodology used at FCS, these factors are only identified on a specific event basis. As part of the process, applicable procedures were identified and examined. In some cases, walkthroughs were performed in the plant or in the plant-referenced simulator. One of the authors of the plant EOPs, who is a currently licensed SRO, led the PRA/HRA team that reviewed the procedures. His experience and liaison abilities were irreplaceable in the HRA effort.

Question 19

In the analysis of pre-initiators, event KJUMPER (failure to remove reactor protection system interposing relay jumpers before going to full power operations) is assigned a probability of 1.3E-6. Actions with such low estimated values typically have associated characteristics such as redundant indications, independent operator checks, compelling signals or alarms.

Please explain, with example calculations, how such a low failure probability is to be achieved in practice at Fort Calhoun.

Response 19

The following discussion is provided in lieu of an example calculation and should provide sufficient information to clarify the issue. The model includes an original error to leave the RPS interposing jumpers on (BHEP = 3E-03); the failure of the surveillance tester which is assumed to be independent of the originator (p = 3E-03); and the failure of the checker for the surveillance test performer which is set to moderate dependency (p = 1.4E-01). The answer is the conjunction or "anding" of these parameters/human actions, and results in a value of 1.26 x 10^-6. This answer is the result of some degree of redundancy coupled with an assumption of considerable independence.
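The conjunction described in Response 19, as an added worked example that is not part of the OPPD submittal: it applies the standard THERP (NUREG/CR-1278) dependency equations to show where a moderate-dependency value near 1.4E-01 comes from and how strongly the KJUMPER result depends on the dependency level assumed for the checker. The function names are hypothetical, and the checker's nominal HEP of 3E-03 is an assumption (the response states only the conditional value).

```python
"""Added example: THERP dependency arithmetic behind the KJUMPER estimate."""
import math

# THERP (NUREG/CR-1278) conditional probability that a person fails given
# that the preceding person failed; n is the person's nominal (independent) HEP.
THERP_DEPENDENCY = {
    "zero": lambda n: n,
    "low": lambda n: (1 + 19 * n) / 20,
    "moderate": lambda n: (1 + 6 * n) / 7,
    "high": lambda n: (1 + n) / 2,
    "complete": lambda n: 1.0,
}


def conditional_hep(nominal, level):
    """Conditional HEP for one checker at the given THERP dependency level."""
    if not 0.0 <= nominal <= 1.0:
        raise ValueError("nominal HEP must be a probability")
    if level not in THERP_DEPENDENCY:
        raise ValueError(f"unknown dependency level: {level}")
    return THERP_DEPENDENCY[level](nominal)


def joint_hep(originator, checks):
    """AND the originating error with each later check.

    checks is a list of (nominal_hep, dependency_level) pairs, in order.
    """
    p = originator
    for nominal, level in checks:
        p *= conditional_hep(nominal, level)
    return p


def kjumper_as_stated():
    """Product of the three values quoted in Response 19."""
    return 3e-3 * 3e-3 * 1.4e-1


def kjumper_sensitivity(bhep=3e-3, tester=3e-3, checker_nominal=3e-3):
    """KJUMPER for each dependency level assigned to the checker.

    The tester is kept independent of the originator, as in Response 19.
    checker_nominal = 3E-03 is an assumption made for this example.
    """
    return {
        level: joint_hep(bhep, [(tester, "zero"), (checker_nominal, level)])
        for level in THERP_DEPENDENCY
    }


if __name__ == "__main__":
    print(f"as stated in Response 19: {kjumper_as_stated():.2e}")
    print(f"moderate-dependency factor: {conditional_hep(3e-3, 'moderate'):.4f}")
    for level, value in kjumper_sensitivity().items():
        print(f"checker dependency {level:<9} KJUMPER = {value:.2e}")
```

With the unrounded moderate-dependency factor the product is about 1.3E-06, the value quoted in Question 19; treating the checker as fully independent would lower it by roughly a factor of 50, and complete dependency would raise it to 9E-06.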

Question 20

The submittal gives no description of the plant-specific experience of pre-initiator human events.

Please compare any operating experience associated with pre-initiator human events (e.g., data from LERs or other plant records) to the failure probabilities calculated in the HRA modeling. In other words, please describe to what degree the results of the modeling of pre-initiator human events represent experience at Fort Calhoun.

Response 20

Please see the response to Question 16.

Question 21

In Section 3.3.3.3, "HRA Quantification Methods," the submittal describes dependency guidelines for the time-independent HRA method. In particular, guidelines are given for assessing dependencies among plant personnel, such as the shift technical advisor (STA) and the shift supervisor.

(a) Please confirm that this set of dependencies was only used for post-initiator human events.

(b) Please describe the guidelines used in assessing interpersonal dependencies used for pre-initiator human events.

In addition, in the discussion of dependencies among plant personnel, such as the STA and the shift supervisor, the submittal states that the guidelines may be varied in the case of specific analyses.

(a) Please identify during which (if any) events were the guidelines varied.

(b) Please describe how the dependencies were modeled in those event analyses.

(c) Please give the rationale for the changes from the guidelines.

Response 21

Yes, the time-dependent dependencies are used only for post-initiators since the Time Response Correlation (TRC) is only used in this case. The pre-initiator dependencies are quantified with the standard THERP dependency (i.e., human redundancy) model. There were no specific analyses in which the guidelines were varied.

Question 22

Three different correlations of reliability of human response with time are described in the submittal. These are described as the "basic model," the "rule-based model" and the "verification model," in Section 3.3.3.3 of the submittal.

In the basic model, a median response time of 4 minutes is used; in the rule-based model, a 2-minute median response time; and in the verification model, a 1-minute median response time. The submittal discusses the use of the rule-based model as being applied to "any strong symptom-oriented rules within the EOPs [emergency operating procedures]." This description is not clear.

(a) Please provide an additional discussion of how these different models were used in the analysis.

(b) Please give the criteria for selecting the model used in an analysis of a particular human action event.

Response 22

Swain followed up on the use of the triad of knowledge-based, rule-based, and skilled behaviors in his ASEP HRA guidelines (NUREG/CR-4772). He introduced a rule-based TRC that differed from his TRC previously discussed in NUREG/CR-1278 (THERP). The newer curve is actually the lower bound curve of the original TRC found on page 8-5. This curve was to be applied when the symptomatic EOPs are in use along with other criteria. The OPPD TRC system used the basic model for most post-initiators with the exception of the major symptomatic cues (e.g., transitions among subprocedures such as the criteria for feed and bleed). These latter symptomatic "rule following" cases were presumed more reliable due to emphasis on training and simulation. For even more reliable actions, such as manual scram or the other early EOP system status checking, a third verification TRC was introduced which was more reliable than the rule-based curve.

The use of a 4-minute median for the basic TRC, 2 for rule-based and 1 for verification, is a coincidence of fitting Swain's original NUREG/CR-1278 TRC to a lognormal distribution (preserving the 5th percentile), which results in approximately a 4-minute median. The ASEP rule-based TRC happens to fit a 2-minute median TRC. Hence, halving this curve's median became the justification for halving the median of the verification curve. These median values meant that the resulting three TRCs fell among the curves in publicly available simulator data (i.e., NUREG/CR-3010, RMIEP and the EdF data). The OPPD TRC methodology is explained in more detail in the "Human Reliability Analysis" by Dougherty and Fragola, part of which is documented in the Fort Calhoun HRA. The use of this system is judgment bound, as are all HRA techniques.

Question 23

It is recognized, as indicated in the submittal, that the data used in time-reliability-based HRA methods are essentially judgmental. The technique used in the Fort Calhoun analysis is not unique in that regard. However, data from simulation studies such as the EPRI operator reliability experiments (OREs) and NRC's RMIEP (risk methodology integration and evaluation program) recovery actions described in NUREG/CR-4834 have indicated a potential for significantly longer median response times than those used in the submittal, particularly for the so-called "rule-based actions" that assume a 2-minute median response. If longer median response times are assumed or different time-reliability correlations are used, the probabilities of failure can increase significantly.

(a) Please explain how the value for the time available for operator actions was selected to represent the range of detailed accident conditions implicit in the sequences for which the value of "time available" was used to calculate human error probabilities. For example, the value may represent a bounding condition or may represent a more typical or mean value.

(b) To the extent possible, please indicate the major sources of uncertainty in the estimates of the available time, particularly those that might significantly reduce estimates of the available time.

(c) Please illustrate your response by indicating the times available and the bases for these times for the following events taken from Table 3.3.3.1:

  • OPER-4, "Human Failure To Initiate Feed & Bleed (Transients Except T4)"

Response 23

Although time-reliability methods appear to be somewhat judgmental, there does exist some data that supports the methodology. The following discusses key points in the methodology noted in the question.

(a) The estimates from the TRC are assumed to be means. The available time estimate is not an HRA product but comes from the sequence analysts, being based in part on MAAP and other code calculations from the scenario in question.

(b) Uncertainty on this time may not have been represented explicitly. However, the available time was deliberately kept reasonable but conservative to avoid being too optimistic.

(c) OPER-10: 7 hours are available to perform ex-control room actions, based upon time after a transient initiator to cooldown and depressurize RCS to shutdown cooling entry conditions.

OPER-4: 58 minutes are available to perform in-control room actions, based upon time required to steam both steam generators below 20% wide range for trips other than low steam generator level.

OPER-9: This event is classified as a slip. It is not considered time dependent since the required actions are in-control room and take minutes to implement. In contrast, the time available is the time required to deplete the inventory of the Safety Injection and Refueling Water Storage Tank, in the range of 4 to 10 hours. The challenge for the operating crew is to identify the ruptured steam generator and correctly perform the EOP steps which provide isolation.

OPPD plans to monitor licensed operator simulator training sessions as a means of further validating the human reliability analysis. Lessons learned from this activity will be incorporated into future updates of the IPE model.

Question 24

The description of the analysis of particular post-initiator human events is very limited. In one instance where sufficient data are supplied to verify the probability of failure for a particular event, there appears to be an error. In particular, the probability of operator action OPER-8, "Human Failure To Initiate Feed-and-Bleed during SLOCA," is quantified as 9.1E-6 in the submittal (see Table 3.3.3.1). On the basis of the information in Figure 3.10, the event consists of an unburdened action with a time available of 25 minutes. Preliminary check calculations indicate, in fact, that action OPER-8 may have been quantified using the "verification" time/reliability model, whereas Table 3.3.3.1 indicates that this action is a "type 4" action; a rule-based action taken in the control room.

Failure of an unburdened rule-based action within 25 minutes is estimated to be approximately 1E-4. Such a value would be more consistent with other time/reliability based methods.

To be assured that the appropriate time/reliability based models were used in the analysis of human actions, please describe the analyses of those operator actions listed as significant in the sensitivity analyses in Section 3.4.5.

Response 24

The scaling and size of Figure 3.3.3.5 does not allow for precise estimates to be read off the figure. However, a crude estimate can be made three quarters of the way between 10 and 100 which appears to yield a value of 10~6 off the leftmost curve, i.e., the rule, no burden curve, which supports the calculation. Using the formulation on p. 3.3-32, yields a normal variate of -4.285 which corresponds to a cumulative probability, the BHEP, of approximately 10'h which is the answer given on the ORCA spreadsheet. Note that there is no verification TRC on the figure and the available time is 58 minutes instead of the 25 minute value assumed by the reviewer. This indicates that rules are very effective if (a) time is forgiving (which an hour is); and, (b) there is no burden (which there should not be when the RCS already has a leak--the Crystal River event showed this to be plausible).

Notice that Figure 3.3.3.3 shows the effects of burden on the calculation. For the same available time, but a burdened once through cooling, the mean is 2.3 x 10, or 2.4 orders of magnitude a greater failure rate.

Question 25

In the illustration of the "SAIC TRC" in comparison with publicly available simulator data (Figure 3.3.3.5), the shading appears to indicate "public data" representing failure probabilities as low as 10 for times as short as 0.5 minute.

(a) Please identify the sources of such data.

(b) Please describe how they are relevant to the analysis of post-initiator human actions whose reliability models they are being claimed to support.

Response 25

Very reliable reflex verifications can take only seconds. For example, the RMIEP data show that the manual scram of a reactor that has (or should have) automatically scrammed can be this reliable. For example, a verification with a median of 6 seconds (0.1 minute) and an EF of 1.3 (3.2 would definitely be too large) would yield a probability of failure of 5.09 x 10* for 30 seconds (0.5 minutes) which is less than the example value. The calculation is highly sensitive to the input parameters and this is one of several reasons that verifications are not typically quantified in this manner. (SAIC has only recently examined the potential reliability of motor skills enough to quantify their reliability. Coincidentally, the BHEP suggested for screening skills is 1.0E-5.)

Question 26

The analysis of dependencies between time-dependent events is not clearly described in Section 3.3.3. In particular, the discussion of time factors on Page 3.3-40, item 4, is not understood.

(a) Please give an expanded discussion of this issue, and illustrate your response with examples if more than one post-initiator human event has been modeled in an accident sequence.

(b) Please include a summary of those sequences where multiple post-initiator human events are incorporated and the overall probabilities of the human events in combination.

Response 26

(a) The application of recovery in the analysis was based on the EOPs or other procedures applicable to the scenario of interest. It follows the use of continuing alternatives typical of FCS and other PWR EOPs. If a recovery action fails, the cue will persist and be followed by additional cues. In addition, the EOPs will direct the operators to try other alternatives.

It is important to note that the attempt at the prior recovery action used up time, the value of which was estimated from discussions with operators.

The lost time was subtracted from the total available time to reflect the time available for the next logical step. In this additional manner, the model was made "time dependent."

An example of this process is the operator response to a station blackout. The operating crew would attempt to restore off-site power. If this failed, the crew would need to replenish the Emergency Feedwater Storage Tank within approximately 8 hours after the initiator. Both of these recovery actions are included in the station blackout sequences.

(b) The following combinations of recoveries were used for sequence TX, transient initiator with loss of long-term decay heat removal. Each recovery event is listed, followed by the combined recovery probability.

[OPERATOR FAILS TO MANUALLY TRIP 4160 V BREAKER] AND [FAILURE TO RESTORE POWER AND INITIATE FEED-AND-BLEED] 7.20E-03

[OPERATOR FAILS TO USE FW-54 FOR MAKEUP TO EFWST] AND [FAILURE TO RESTORE OFF-SITE POWER AND INITIATE FEED-AND-BLEED] 1.74E-04

[OPERATOR FAILS TO USE FW-54 FOR MAKEUP TO EFWST] AND [OPERATOR FAILS TO MANUALLY TRIP 4160 V BREAKER] AND [FAILURE TO RESTORE ELECTRICAL POWER (345 KV AVAILABLE)] 3.45E-05

[OPERATOR FAILS TO PROVIDE MAKEUP TO EFWST VIA FIRE PUMP HOOKUP] AND [FAILURE TO FILL EFWST WITH CONDENSATE PUMP AFTER OFF-SITE POWER RESTORATION (345 KV AVAILABLE)] 1.23E-03

[OPERATOR FAILS TO MANUALLY TRIP 4160 V BREAKER] AND [FAILURE TO RESTORE OFF-SITE ELECTRICAL POWER (345 KV AVAILABLE)] 6.35E-03

Question 27

In the description of LOCA sequences in the submittal, several human actions are identified that are not discussed (or even listed) in the analysis of human actions (Section 3.3.3). A review of the fault trees (Figures 3.36 - 3.42) associated with the ISLOCA indicates that the following human events were omitted from Table 3.3.3.1:

OPER-60, -61, -65, -70, -71, and -101

Please review your analysis of ISLOCA events and list all human events included in that analysis, together with their assigned probabilities and the bases for those assigned probabilities.

Response 27

The 13Q ISLOCA, rupture of the RCP seal cooler, is the only ISLOCA which was considered mitigable. The following human failure events were included in the final IPE model for this initiator:

OPER-60, "Operator Fails to Isolate Leak by Closing HCV-438B or 438D from Control Room;" 1.50E-03; in-control room slip; quantified with SAIC TRC system

OPER-65, "Operator Fails to Isolate Leak by Handjacking HCV-4380 Closed;" 1.57E-04; ex-control room slip with mean response time of 15 minutes; quantified with SAIC TRC system

OPER-70, "Operator Fails to Depressurize RCS in Response to Interfacing System LOCA;" 2.10E-04; in-control room slip; quantified with SAIC TRC system

OPER-71, "Operator Fails to Depressurize RCS to Atmospheric Pressure in Response to Interfacing System LOCA;" 1.00; assumed in model to fail

OPER-101, "Operator Fails to Achieve Shutdown Cooling (Interfacing LOCA);" 7.21E-04; in-control room slip; quantified with SAIC TRC system

Question 28

In the analysis of internal flooding events (Section 3.3.6), several human actions are identified that are not discussed in the analysis of human actions (Section 3.3.3). For example, in the analysis of internal flooding events, item 26 on page 3.3-70 states: "Human error and non-recovery events were examined and the internal events probabilities for these human events were adjusted upwards as required based on the perceived scenario effects on human performance."

In addition, in the description of important flood-related accident sequences in Section 3.3.6.3, several human events are identified as contributors to several sequences. It is not clear from the submittal (because of the brevity of the descriptions of human events) whether these human events are listed in Table 3.3.3.1.

(a) For the sake of clarity, please describe all flood-related human events, including the basis for the assignment of probabilities of these events.

(b) Please include a list of those internal human events that were adjusted, the adjusted probabilities, and the basis for the adjustments.

Response 28

The following table describes the human reliability events modified or created to support the IPEEE internal flood analysis.

(a) Event XSIRWT was created especially for the flood analysis and was not used in the IPE internal analysis. Event XSIRWT was given a screening value of 0.1 based upon the variety of means available to operations and the unlikely need for operators to enter flooded areas to accomplish the recovery.

(b) Those recovery events that were used in the IPE internal analysis were adjusted as shown in the table according to the difficulty of the recovery and the flooding hazards involved.

FLOOD ANALYSIS HRA EVENT PROBABILITY CHANGES

| Event | Description | Level 1 Probability | Flood Probability | Basis for Change to Level 1 Probability |
|---|---|---|---|---|
| EHFFEOP-02 | Loss of offsite power and failure to reload bus IC3A per EOP-2. | 3.01E-02 | 3.01E-01 | Entry into flooded area hampers recovery. |
| EHFMBATTLD | Operator fails to minimize dc loads on battery #1 and #2. | 2.10E-03 | 1 | Entry into flooded area judged unlikely. |
| IHFFCAIC | Operator fails to start compressor CA-IC. | 1.10E-05 | 1 | Entry into flooded area judged unlikely. |
| KHU56AC | Operator fails to reload hvac to Room 56/56a, given inverter fails. | 9.06E-03 | 1 | Entry into flooded switchgear area not possible. |
| KHUSI | Operator fails to shed SI loads and cool switchgear rooms after safeguards actuation. | 9.00E-03 | 1 | Entry into flooded switchgear area not possible. |
| OPER-10 | Human fails to achieve shutdown cooling. | 2.06E-02 | 2.06E-01 | Entry into flooded area hampers recovery. |
| WHFFRWBKUP | Operator fails to line up RW backup flow. | 7.21E-04 | 7.21E-03 | Entry into flooded area hampers recovery. |
| XFIREPUMP | Operator fails to align Fire Pump to CCW Hxs. | 6.97E-03 | 6.97E-02 | Entry into flooded area hampers recovery. |
| XSIRWT | Operator fails to makeup to SIRWT after RAS failure occurs. | Not used in Level 1 | 1.00E-01 | Screening value. Entry into flooded area not required. |

Question 29

The submittal is not clear as to what kinds of recovery-type actions were considered. These actions can include those performed to recover a specific failure or fault and for which procedures may not have been established. For example, suppose the EOP directive instructs the operator to maintain level using system x, but the system fails to function and the operator attempts to recover it. This action - diagnosing the failure and then deciding on a course of action to "recover" the failed system - is a recovery type action.

(a) Please submit a list of the recovery actions considered in the analysis, and indicate whether they are actions for which procedures have been established and what evaluations were performed to ensure that the necessary actions can be accomplished within the available time.

(b) Please illustrate your response with two examples indicating how such events were quantified.

Response 29

(a) The term "recovery action" is loosely defined. In fact, any post-initiator action can be considered a recovery action. Typically, any action whose failure was modeled was proceduralized in the EOPs or in other appropriate procedures. The only exception would be manual or remote restart attempts which amount to common sense remedies of some system faults.

The recovery strategy never counts on the actual repair of failed equipment or systems. Instead, functional substitution is the hallmark of the symptomatic EOPs and the remedy of any failed success path. In general, all major remedies are proceduralized. However, it should be noted that accident management might require more innovation and this was generally not modeled.

(b) The following two recovery actions illustrate the analysis process which was used in the IPE.

OPER-4, "Human Failure to Initiate Feed & Bleed": Decay heat removal, via feeding and steaming of the steam generators, has failed. This has caused failure of a safety function in the applicable EOP. The operating crew enters the functional recovery procedure EOP-20 and, referring to the resource assessment tree, initiates feed-and-bleed cooling.

XFIREPUMP, "Operator Fails to Align Fire Pump to CCW Hxs": The plant has tripped and Raw Water has failed. This has caused failure of a safety function in the applicable EOP. The operating crew enters the functional recovery procedure EOP-20, which refers them to Abnormal Operating Procedure AOP-18, "Loss of Raw Water." AOP-18 directs the crew to provide backup to the Component Cooling Water (CCW) heat exchangers using the fire water system.

Question 30

For the containment event trees, the submittal describes the analysis of the recovery of containment spray systems, event SPRAYRECOV (Section 4.6.9.1.3). In the analysis of event SPRAYRECOV for events where containment spray is operable but not operating (containment spray status "CSO" in the plant damage state definitions in Table 4.3.1.3), the probability of the containment spray system being started is assigned a value of 1.0 (i.e., the probability of failing to start the containment spray system is 0). It is not clear from the description whether the containment spray system is started automatically or manually in this event.

(a) If the initiation is manual, please describe the procedures and operator training associated with this action, and explain why failure to perform this action is negligible.

(b) Alternatively, please describe what would be the consequence in terms of risk of assigning a possibly more realistic probability of failure to this event (e.g., 0.1).

Response 30

(a) The containment spray status "CSO" in the plant damage state definitions means that at the onset of core damage the containment spray system is fully functional but has not been actuated because the containment pressure is below the safety system actuation setpoint, generally because of the operation of the containment heat removal system. Thus, it is expected that the containment spray system would be actuated due to the increase in containment pressure following vessel breach. Failure of the containment spray system following vessel breach, given that it is fully available at the onset of core damage, can be expressed as:

[((Failure of automatic containment spray actuation system) AND (Failure to manually actuate the containment spray system)) OR (Failure of containment spray system to actuate at vessel breach given that it is known to be available at the onset of core damage approximately 1 hour earlier)]

Based on the above expression, failure of the containment spray system following vessel breach, given that it is fully available at the onset of core damage, was judged to be negligible (on the order of 1E-4). This reflects the fact that no credible mechanisms exist that would be expected to disable the containment spray. Furthermore, the resulting steam spike at vessel breach would trigger the containment spray actuation signal.

Thus, the basic event, SPRAYRECOV, was assigned a value of 1.0 for PDSs with the containment spray status "CSO."

(b) Based on the above response to Question 30(a), the assignment of a value of 1.0 for the probability that the containment spray system is started is judged to be realistic.

Question 31

Table 5.3.2 of the submittal does not indicate any comments associated with HRA. Please confirm that the external peer-review process included the HRA methods and results.

Response 31

The external peer-review process did include the HRA methods and results.

Question 32

Section 3.4-11 of the submittal describes how the IPE team screened the front-end results using the guidelines in NUMARC 91-04 to identify possible core damage and containment bypass vulnerabilities applicable to Fort Calhoun. Section 7 of the submittal notes that the IPE team found no vulnerabilities at Fort Calhoun.

Because it was not clear from the submittal, please describe whether and how the IPE team screened the back-end results to identify possible containment vulnerabilities applicable to Fort Calhoun.

Response 32

As discussed in Section 3.4-11 of the submittal, the IPE team retained all sequences that met the guidelines in NUMARC 91-04. In performing the containment performance analyses, all retained core damage sequences were coupled with the containment safeguards sequences to generate Plant Accident Sequences (PASs). All PASs with a frequency of greater than or equal to 1.0E-09, or which covered potential vulnerabilities, were then mapped into Plant Damage States (PDSs). All PDSs were then mapped into release classes by being propagated through the containment event tree. All release classes with a frequency greater than 5.0E-10 were used in the calculation of risk. The filter probabilities were set such that all potentially important sequences were retained. The retained Release Classes were reviewed for potential containment vulnerabilities. Section 4.7.3 on pages 4.7-41, -42, and -43 discusses the release classes and the review for containment vulnerabilities. This section, in conjunction with Section 3.4-11, provides the basis for the statement in Section 7 that the IPE team found no plant unique severe accident vulnerabilities.

Question 33

Figure 4.7.2.4, page 4.7-51 of the submittal, shows that isolation failures, including steam generator tube ruptures (SGTRs), contribute to 5.64 percent of the total CDF at Fort Calhoun. Many PRAs categorize SGTRs as separate from containment isolation failures and as containment bypass events.

(a) Please describe the process used to determine the frequency of isolation failures other than SGTRs.

(b) Please give the containment failure size and the corresponding release rate assumed for isolation failures.

Response 33

(a) The loss of containment isolation is considered to be possible due to the failure to close containment isolation valves. Loss of containment isolation is explicitly modeled in the containment safeguards fault tree, and is calculated during quantification of that tree.

(b) As discussed in section 4.8 of the submittal, the isotopic content of the release for each release class was calculated using CES0R-FCS. The containment isolation failures other than SGTRs essentially fell into two release classes: one involving isolation failures with containment spray available, and one involving isolation failures without containment spray available. In both cases, CES0R-FCS used design basis containment pressure and an isolation failure area of 0.2 ft² when calculating the releases. In section 4.5.2.2 of the submittal, direct containment isolation failures were defined as leakage from containment at a rate exceeding 15 volume percent per day at design pressure levels. These two definitions are consistent.

Question 34

In applying the one-dimensional heat transfer calculation results for the multi-dimensional, external cooling of the reactor vessel bottom head, the IPE submittal states the following (page 4.2-5): "while the net impact of multidimensional effects is detrimental to the cooling process, the resulting stresses will still be approximately represented by the bounding 50% [of decay heat] downward heat flux calculations shown in Figure 4.2.1.3."

Please describe the mechanisms removing the remaining 50 percent of decay heat that is not transferred downward.

Response 34

The energy in the lower head molten mass, which is not transferred downward through the lower head RPV walls, is radiated upwards to the core shroud, upper plenum structures and the reactor vessel inner walls. Heat transfer analyses of a molten pool contained within a flooded RPV have been performed by several investigators. Typical analyses are presented in References 1 through 3 below.

References

1. "External Cooling of a Reactor Vessel Under Severe Accident Conditions," Henry, R.E., Fauske, H.K., Nuclear Engineering and Design, Vol 139, pages 31-43, 1993.

2. "Effect of External Flooding on Retention of Core Material in a BWR Lower Head," Dhir, K., Park, H., ANS Transactions, November, 1993.

3. "Thermal Analyses of a Reactor Vessel Lower Head with Core Relocation and External Boiling Heat Transfer," O'Brien, J.E., Hawkes, G.L., AIChE Symposium Series, Heat Transfer - Minneapolis, MN, 1991.

Question 35

Table 4.3.2.1 of the submittal shows the mapping of plant accident sequences into three PDS bins: bin 1, bin 2, and bin 3. However, these bins are not defined. Please define these bins and indicate what bearing they have on accident progressions at Fort Calhoun.

Response 35

The Plant Accident Sequences (PASs) listed in column 1 of Table 4.3.2.1 of the submittal are the result of coupling the core damage sequences to the containment safeguards sequences. In general, each PAS maps into only one Plant Damage State (PDS), although a given PDS may have more than one PAS mapped into it. During the PAS to PDS mapping process, it was determined that for a few PASs, primarily due to timing issues, part of the PAS would map to one PDS and part of the PAS would map into another PDS. To display the PASs that had mapped into multiple PDSs, what was originally a single PDS bin column in Table 4.3.2.1 was split into three sets of PDS bin columns. The column labeled "BIN 1" presents the PDS number for the first PDS that the PAS mapped into, and the column labeled "FRQ 1" presents the associated part of the PAS frequency applicable to that PDS. Likewise, the column labeled "BIN 2" presents the PDS number for the second PDS that the PAS mapped into, and the column labeled "FRQ 2" presents the associated part of the PAS frequency applicable to that PDS. Subsequent column pairs present any other PDSs and the associated part of the PAS frequency that the PAS mapped into. For most PASs, only the "BIN 1" and "FRQ 1" columns are filled in because, as discussed above, most PASs map to one and only one PDS.

Question 36

Section 4.1.2.7, page 4.1-29 of the submittal, states:

An engineering analysis (EA-FC-92-26) was done to determine the ability of instrument and power cable to withstand extreme temperature. The cables are rated from the manufacturer to be able to survive 100 hours at 266 °F. Testing was also done to determine that cables could withstand 700 °F for a short period of time such as would occur with hydrogen burn.

Please discuss the survival of other pieces of equipment necessary to mitigate core damage and radionuclide releases under the harsh environments of severe accidents that are possible at Fort Calhoun.

Response 36

Equipment/instruments necessary to aid the operator in mitigating core damage are qualified to function in harsh environments closely approximating those expected for a recoverable core damage sequence. This includes qualification of safety related equipment and instruments within the containment to operate at pressures above 75 psia and temperatures in excess of 288 °F. Equipment qualification to harsh radiation environments includes exposure to radionuclide sources associated with a maximum credible accident. Radiation levels based on this event traditionally correspond to a partially molten core.

The primary equipment/components necessary to mitigate the radiological consequences of a severe accident include:

(a) containment penetrations (electrical and mechanical); and,

(b) containment heat removal equipment

- containment sprays

- containment fan cooler units.

The equipment qualification of containment penetrations is discussed in Section 4.3.2.4. FCS penetration seals are expected to survive for sequences where containment failure is not otherwise expected.

Operation of either the containment spray system or the fan cooler units is essential to ensure containment integrity following a severe accident. For the containment spray system, the spray valves and pumps for the system are located outside the containment and therefore are not subject to harsh environments.

The fan coolers are recirculation heat exchangers located within the containment. FCS has two containment cooling units and two containment cooling and filtering units. These units are qualified for operation in high radiation environments. Operation of the fan coolers will control the containment atmosphere; therefore, the steady thermal environment under which these units operate will not challenge the equipment. The ability of air cooler units to survive rapid thermal transients, such as that associated with a hydrogen burn, has been demonstrated at TMI-2. In that event fan coolers remained operational during and following a hydrogen burn within the containment. While the risk significance of the availability of the fan coolers is considered small, the overall issue of equipment survivability during severe core damage events will be considered during the accident management implementation program at FCS.

Question 37

Section 4.2.2.1.2.3, page 4.2-20 of the submittal, notes that operator activation of the power-operated relief valve (PORV) was assessed not only to be possible but highly likely at Fort Calhoun. However, in contrast, Section 4.6.4.1, page 4.6-5, states the following: "Since no procedures currently exist to ensure the operator depressurizes the Reactor Coolant System (RCS) to minimize RCS pressure prior to vessel break, the operator use of the PORV was neglected."

(a) Please explain this apparent discrepancy.

(b) What is the sensitivity of the radiological release results, assuming that the operator successfully depressurizes the RCS.

(c) Please identify any other operator, recovery, or mitigation actions that are important for the back-end analysis and describe how they were evaluated.

Response 37

Section 4.2 presents an overview of the severe accident phenomenology issues and a deterministic assessment of their applicability to Fort Calhoun. The intent of Section 4.2.2.1.2.3 was to show that use of the PORVs was a viable means of depressurizing the RCS prior to vessel breach. The valves have sufficient capacity and operators could be reasonably expected to open these valves given the indication of a high pressure core damage sequence. However, because specific procedures for opening the PORVs given a high pressure core damage sequence do not currently exist, this would be a knowledge-based action. It is intuitively felt that this action would be reasonably likely given the conditions. However, for the probabilistic assessment quantification of the Containment Event Tree, it was conservatively assumed that the operators would not open the PORVs to depressurize the RCS because of the lack of procedures (NOPORVDP set to 1.0). Guidance on PORV operation during severe core damage events will be incorporated into plant-specific accident management procedures.

A sensitivity study was performed to evaluate the impact of assuming a 50% chance that the operators would open the PORVs to depressurize the RCS. This resulted in a slight increase in the intact non-vessel breach sequences and a slight decrease in early containment failures due to EVSE. Although not specifically evaluated, it is reasonably obvious that a reduction in the fraction of containment failures would result in at least a slight decrease in releases. This sensitivity case is discussed in Section 4.10.1 of the submittal.

There were five other operator recovery or mitigation actions that were included in the back-end analyses. These actions and the submittal sections that discuss their quantification are listed in the following table. A sensitivity study involving two of these actions was performed. This sensitivity study is discussed in submittal section 4.10.6.


Response 37: Additional Operator Recovery or Mitigation Actions in Back-end Analyses

| Operator Action | Event Name | Submittal Section Discussing Quantification |
|---|---|---|
| Containment Heat Removal Not Recovered | NCHRECOV | 4.6.7.1.2 (p. 4.6-36) |
| Power Is Recovered Late in the Accident | RESPARK | 4.6.7.1.10 (p. 4.6-39) |
| High Pressure ECCS Recovered During Core Melt | SHP-SISI | 4.6.5.1.6 (p. 4.6-13) |
| Low Pressure ECCS Recovered During Core Melt | SLP-SISI | 4.6.5.1.7 (p. 4.6-14) |
| Containment Sprays Recovered | SPRAYRECOV | 4.6.9.1.3 (p. 4.6-47) |

Question 38

Table 4.8.2.4, pages 4.8-19 through 4.8-22, lists, with extensive descriptions, the Fort Calhoun dominant release classes. Because many release classes are listed in this table, it is difficult to relate the overall effect of different plant damage states to containment performance.

In order to understand the effect of RCS pressure at the onset of core damage, please provide the frequency of releases in terms of early, late, and containment intact for the accident sequences with RCS pressures in the ranges "at SRV (safety relief valve) pressure," "high," "intermediate," and "low."

Response 38

Table 4.7.1.1 in the IPE presents the PDS contributions to each release class frequency. In order to compile the information requested in Question 38, Table 4.3.1.3 from the IPE was used to categorize the release class frequencies with respect to RCS pressure at the onset of core damage. Table 4.3.1.3 provides each PDS and its corresponding RCS Pressure, Leak Rate, S/G Status, Core Melt Timing, Containment Spray Status, Containment Heat Removal Status, Cavity Status, and Containment Isolation Status. The RCS pressures identified in this table are referenced as either high, medium, or low, designated in the table as "HIGH," "MED," or "LOW," respectively. Question 38 refers to the category of RCS pressure as "at SRV (safety relief valve) pressure," which corresponds to the HIGH RCS pressure category and the CRV (cycling relief valve) Leak Rate Category in Table 4.3.1.3.

Tables 4.7.1.1 and 4.3.1.3 from the IPE were thus combined to create the table below, which correlates the effect of RCS pressure at the onset of core damage with the release class categories. The table presents the general release classes, associated release class frequency, and a breakdown of the release class frequencies based on RCS pressure at the onset of core melt. The RCS pressure categories are "HIGH - CRV," "HIGH," "MEDIUM," and "LOW."

RCS PRESSURE AT ONSET OF CORE MELT (four rightmost columns)

| Containment Status (Release Classes) | Release Class Freq. | HIGH - CRV | HIGH | MEDIUM | LOW |
|---|---|---|---|---|---|
| RC 1 Intact Containment | 8.16E-06 | 4.53E-06 | 3.35E-08 | 3.49E-06 | 1.08E-07 |
| RC 2 Basemat Melt-through | 1.21E-10 | - | - | - | 1.21E-10 |
| RC 3 Late Overpressure Rupture | 3.82E-06 | 2.80E-06 | 4.19E-07 | 5.98E-07 | - |
| RC 4 Early Rupture | 2.21E-07 | 1.67E-07 | 9.07E-09 | 4.47E-08 | 4.03E-10 |
| RC 5 Alpha Mode Failure | 2.15E-09 | 7.49E-10 | 5.96E-11 | 4.00E-10 | 9.41E-10 |
| RC 6 Containment Isolation | 7.70E-07 | 1.03E-08 | 6.17E-07 | 1.43E-07 | - |
| RC 7 V-Sequence | 6.74E-07 | - | - | 3.79E-07 | 2.95E-07 |
| TOTAL | 1.36E-05 | 7.50E-06 | 1.08E-06 | 4.66E-06 | 4.04E-07 |

Question 39

As a result of the containment performance improvement program, recommendations were made for licensees to consider it as part of the IPE process. These recommendations were identified in Generic Letter 88-20, Supplement 3. The recommendation applicable to Fort Calhoun is as follows: "Licensees with dry containments are expected to evaluate containment and equipment vulnerabilities to localized hydrogen combustion and the need for improvements (including accident management procedures) as part of the IPE."

(a) Please describe the way in which you responded to the above recommendation, the plant improvements identified, if any, and your plan to implement the improvements.

(b) Please describe the criteria used to determine if implementation of CPI program recommendations was warranted.

(c) Please give the technical bases for the plant improvements or the technical bases for determining that no plant improvements were needed.


(d) Please include a listing of all potential equipment vulnerabilities to localized H2 combustion.

Response 39

The containment structure was walked down and prints were reviewed to determine if there were hydrogen "pockets" where hydrogen could cause equipment needed for accident mitigation to be damaged. No vulnerabilities were found, i.e., no "pockets" were found where damage to equipment would occur.

Question 40

The following requests for information are applicable to the containment strength evaluation results reported in the submittal:

(a) Section 4.1.2.1, page 4.1-8, does not give a definition of high confidence of low probability of failure (HCLPF). Please give your definition of HCLPF.

(b) Section 4.1.2.1 notes that the Fort Calhoun containment has a median failure pressure of 190 psig; Table 4.1.2, page 4.1-13, lists it as 215 psig. Please explain this apparent discrepancy.

(c) Table 4.1.2 lists the median failure pressures of the Fort Calhoun, Surry, and Zion containments as 215, 120, and 134 psig, respectively, which indicates that the Fort Calhoun containment outperforms those of Surry and Zion by significant margins. Please describe the particular structural characteristics of the Fort Calhoun containment that causes it to outperform those of Surry and Zion.

(d) Figure 4.4.3-10, page 4.4-23, shows three containment fragility curves with 95 percent, 50 percent and 5 percent confidence levels for the bending failure of the containment structure (all modes included). Please state which fragility curve was used to determine the failure probability of the containment.

(e) Section 4.4.3, page 4.4-5, notes that the containment capacity under overpressure load was evaluated by performing finite element analysis and that " local models" were developed to evaluate the areas of the penetrations.

  • Please explain these local models noting whether they were finite element models, and the methodologies and failure criteria used.
  • Please give the criterion used to determine the failure of the containment using the global finite element model.

Response 40

(a) For the containment strength evaluation with respect to accidental overpressure, high confidence low probability of failure (HCLPF) is defined as a 95 percent confidence level of 5 percent probability of failure.

(b) The median failure pressure for the FCS containment is obtained from the containment overpressure fragility curves presented in Figure 4.4.3-10, page 4.4-23. Specifically, the median failure pressure was selected as the 50% failure probability point on the 50% confidence line. The correct value for the median pressure is 215 psig. This pressure should appear in the text of Section 4.1.2.1.

(c) Several things contribute to the differences noted between the various studies with one being differences in the structural characteristics of the containments. Both Fort Calhoun and Zion are prestressed containments, while Surry is a conventional reinforced structure. Further, Zion uses a standard prestressing system (BBRV 90 1/4") with one layer of hoop tendons and two layers of meridional tendons. The prestressing system for the cylinder for the Fort Calhoun containment consists of four layers of helical tendons.

The governing failure mode for Surry is at the discontinuity of the dome/cylinder junction; for Zion and Fort Calhoun it is due to membrane failure at the mid-height of the cylinder. Due to the presence of the ring girders to anchor the prestressing tendons, the dome/cylinder junction is stronger for both Zion and Fort Calhoun compared to Surry.

Some additional constructional details of Zion and Fort Calhoun are given in the following table (this data was not available for Surry).

| Item | Fort Calhoun | Zion |
|---|---|---|
| Inside Diameter (feet) | 110 | 140 |
| Cylinder Thickness (feet) | 3.875 | 3.5 |
| Liner Thickness (inches) | .25 | .25 |
| Dome Thickness (feet) | 3.0 | 2.67 |
| Base Mat Thickness (feet) | 12.0 | 9.0 |
| Conventional Reinforcement of Cylinder at Midheight | Meridional: #10 bars @ 14"; Hoop: #11 bars @ 8" | Meridional: #11 bars @ 10.5"; Hoop: #11 bars @ 10.5" |
| Inside Height (feet) | 137.375 | 212 |


Considering the governing failure mode for Zion and Fort Calhoun, a qualitative assessment considering hoop tension due to pressure for a thin-walled cylinder (remote from discontinuities) can be made (σ = Pr/t, where P = pressure, r = radius, and t = thickness) which indicates a 38% higher stress (linear behavior) for Zion for each unit of pressure compared to Fort Calhoun.

Additionally, it should be noted that conventional reinforcement in the hoop direction for Fort Calhoun is slightly greater than for Zion.

(d) The 50% confidence line was selected for use in determining the failure probability of the containment.

(e) Local three-dimensional finite element models were developed to evaluate the electrical and mechanical penetration area, and the equipment hatch and personnel hatch penetrations. Boundary conditions and loading were applied consistent with displacements from the global model. Failure criteria were based on yielding of the liner, reinforcement, and structural steel members. It should be noted that these models were used to evaluate structural behavior only.

The criterion used to determine failure of the global model was based on tension failure of the tendons and yielding of the reinforcement and liner. Material strengths were determined based on test data from Nebraska Testing Laboratory.
