ML042380243
| ML042380243 | |
| Person / Time | |
|---|---|
| Site: | Browns Ferry  |
| Issue date: | 08/31/2003 |
| From: | Engineering & Research, SE - Mech/NUC PSA Group |
| To: | Document Control Desk, Office of Nuclear Reactor Regulation |
| References | |
| S1329901-1423-062600 | |
| Download: ML042380243 (125) | |
Text
TENNESSEE VALLEY AUTHORITY SYSTEMS AND ANALYSIS BROWNS FERRY NUCLEAR PLANT PROBABILISTIC SAFETY ASSESSMENT CERTIFICATION AND PER RESOLUTION RO Prepared by:
G11 Engineering and Research, Inc.
2111 Palomar Airport Road, Suite 180 Carlsbad, CA 92009-1419 (760) 929-0870 R1 Prepared by: SE-Mech/Nuc PSA Group August 2003 S1329901-1423-062600 R1
TABLE OF CONTENTS Section Paae
1.0 INTRODUCTION
.................................................... 1-1 2.0 CERTIFICATION RESOLUTION SHEETS .................................................... 2-2 2.1 INITIATING EVENTS (IE) .................................................... 2-2 2.2 ACCIDENT SEQUENCES EVALUATION (AS) ............................... 2-5 2.3 THERMAL HYDRAULIC ANALYSIS (TH) .................................................... 2-13 2.4 SYSTEMS ANALYSIS (SY) ....................... ............................. 2-18 2.5 DATA ANALYSIS (DA) .................................................... 2-22
- 2.6 HUMAN RELIABILITY ANALYSIS (HR) .................................................... 2-29 2.7 DEPENDENCY ANALYSIS (DE) ......................................... 2-54 2.8 STRUCTURAL RESPONSE (ST) ...................... .............................. 2-57 2.9 QUANTIFICATION AND RESULTS INTERPRETATION (QU) ..... ................ 2-67 2.10 CONTAINMENT PERFORMANCE ANALYSIS (L2) .................................. 2-83 2.11 MAINTENANCE AND UPDATE PROCESS (MU) .................. ................ 2-112 3.0 PER EVALUATION ..................................................... 3-1 3.1 EVENT TREE PROBLEMS .................................................... 3-1 3.1.1 Event Tree Module ELECT12 .................................................... 3-1 3.1.2 Event Tree Module ELECT3 .................................................................. 3-1 3.1.3 Event Tree Module SIGL .................................................... 3-2 3.1.4 Event Tree Module MESUPT ................................. ................... 3-2 3.1.5 Event Tree Module HPGTET .................................................... 3-2 3.1.6 Event Tree Module CNTMT .................................................... 3-3 3.2 SYSTEM ANALYSES PROBLEMS ........................................ 3-3 3.2.1 Electric Power (EP) System Analysis ................................................... 3-3 3.2.2 Condensate System Analysis .................................................... 3-4 3.2.3 CRD System Analysis .................................................... 3-4 3.2.4 HPCI/RCIC System Analysis .................................................... 3-5 3.2.5 Plant Air System Analysis.................................................... 3-5 3.2.6 Primary Containment Isolation Analysis ............................................... 3-5 3.2.7 SRV System Analysis.................................................... 3-5 3.2.8 SGTS System Analysis .................. .................................. 3-6 3.2.9 Unit 3 Multi-unit Trip Logic Analysis .............................. 3-6 i S1329901-1423-062600 R1
3.2.10 RHR Logic Testing Analysis .............................. 3-7 3.2.11 Revision 2 Notebook Review .............................. 3-7 3.2.12 EHC Pump Analysis .............................. 3-7 3.2.13 ATWS Success Criteria Analysis .............................. 3-8 3.2.14 Plant Model Analysis ............ .................. 3-8 3.2.15 Unit 2 Model Analysis .. ............................ 3-8 3.3 BROWNS FERRY REPORTS .. ............................ 3-9 3.3.1 System Importance .............................. 3-9 3.3.2 Basis Event Importance .............................. 3-9 ii S1329901-1423-062600 RI
SECTION 1 INTRODUCTION Revision 0 This document is a compilation of responses to the BFN BWROG Certification and PER BFPER970822RO. The certification issues are the A and B facts and observations. These appear first in the document and are arranged in the same order as the certification report.
Revision 1 Updated this document to include the "Plant Responses or Resolution" to the
'Observation" and 'Possible Resolution" provided for the "Fact / Observation Regarding PSA Technical Elements".
1-1 S1329901-1423-062600 R1
SECTION 2 CERTIFICATION RESOLUTION SHEETS 2.1 INITIATING EVENTS (IE)
IE Fact / Observation Sheets follow:
S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element: IE Subelement: 9 Controlled shutdown is not included in the list of initiating events and it is not modeled with an event tree. Normal shut down - planned or unplanned - with successful scram, however, requires core cooling with ordinary systems (Main feed water) and residual heat removal system, or if they fail, the use of emergency cooling systems. Also S/R valves must operate if pressure regulation fails. Manual shut down has sometimes been done with emergency injection systems unavailable.
If the controlled shut down is modeled, it is possible to make studies in some situations, of whether or not the risk of shut down is higher than the risk of continued operation. This may be important in cases when the residual heat removal systems are failed.
According to the experience from TVO the continued operation and repair of failed systems during operation has in many cases less risk than shut down of the plant with failed RHR systems. Studies on this have been made in Finland since 1982, and in cooperation between Brookhaven National Laboratory and Avaplan Oy, since 1990.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Incorporate a special model for planned shut down with successful scram as the initiating event. The model should include the time from start of subcriticality until the plant is in stable state (24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />).
PLANT RESPONSE OR RESOLUTION A new initiating event, MSHTDN, was added to the model to represent controlled shutdowns.
NUREG/CR-5750 and plant-specific data were used to develop the initiating event frequency.
IE-6 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element JE Subelement 14 The ISLOCA analysis does not address the SDC line.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION The SDC line should be documented regarding ISLOCA disposition.
PLANT RESPONSE OR RESOLUTION The ISLOCA analysis does, in fact, address and even quantifies the shutdown cooling line (SDC) as initiating event VS. Throughout most of the ISLOCA analysis, however, this line is referred to simply as "RHR suction path."
IE-18 S1329901-1423-062600 R1
2.2 ACCIDENT SEQUENCES EVALUATION (AS)
AS Fact / Observation Sheets follow:
S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element AS Subelement 7 There are places in the PSA where the availability of external injection to the RPV can prove to be very important in the accident progression analysis. These include the following:
- successful vent cases when CS or LPCI could be caused to fail in the vented unit by steam binding or loss of NPSH
. TW sequences in which RHRSW is unavailable and extended injection from another unit's torus could prolong recovery times (also modify TW-like sequences with core damage prior to containment failure above MPCWLL, 55 psig)
- torus breach cases with injection from other units (i.e., internal flood cases) -
(This may be included in the internal flood assessment already)
- LOCA cases with containment hardpipe vent LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Consideration of these water sources would allow a more realistic PSA evaluation (i.e.,
removal of some conservatisms) and the more realistic evaluation of vent importance.
PLANT RESPONSE OR RESOLUTION The torus breach cases do utilize injection from the other unit. There certainly is agreement that the availability of external injection would provide a more robust and more accurate model. However, the impact on the CDF or LERF would not be significant. The implementation of modeling external injection would further complicate an already complicated model (see QUF & Us egarding truncation). Given these considerations, the modeling of external injection is deferred.
AS-3 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element AS Subelement 7 The treatment of CRD as the sole system required for successful injection appears to have been added to the model after the IPE submittal. The areas that need to be investigated to ensure that this is feasible are:
- T&H basis (NUREG/CR-3179) has a number of assumptions regarding alignment that need to be satisfied
- status of depressurization and its timing needs to be included (when does depressurization occur and is it consistent with the EOls?)
- success appears not to address the operator action to load CRD pumps on diesel buses for LOOP events even though the text indicates success would be allowed with the same split fraction(i.e., same HEP)
(See related F&Os for AS-9, SY-26 and TH-4)
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Establish the alignment, operator actions, performance shaping factors, thermal hydraulic calculations, flow rates, and timing needed for CRD success before including in the model.
PLANT RESPONSE OR RESOLUTION NUREG/CR-3179 was the basis for the original basis for modeling CRD as a sole injection source. In the PSA Revision 0 update, CRD was evaluated under the power uprate conditions using MAAP 4.0. This did call for a change to the old CRD model in terms of flowpaths. This is discussed in the Thermal Hydraulic Notebook (MAAP CRD3).
A single pump in the enhanced flow mode is sufficient after six hours and the vessel is being depressurized per the EOls. This is based on an analysis liquid flow required to remove decay heat at six hours and pump curves from NUREG/CR-3179.
The CRD is not credited in LOOP events.
AS-4 AS-4 S1329901-1423-062600 RI
FAC T/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element AS Subelement 9 The CRD system basis for adequate injection capability does not appear to be available for the Certification Team review. Substantial information is available from ORNL (NUREG/CR-3179) to indicate that CRD may be feasible as the sole injection source. The issues remaining are:
- specific alignment to be used
- the timing of the implementation of the alignment required
- the applicability of this assumptions ifsupport systems need to be restored to allow operability of this option
- the HEP used to characterize enhanced CRD flow is dependent on the ability to diagnose the need in anticipation of the low level
. The EOI Appendix is not clear on how or when the staff would diagnose the need for enhanced CRD flow, i.e., at Level 2 or Level 1 or TAF or immediately on every scram.
(See related F&O for AS-7)
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Ensure the CRD system capability is defined consistent with the accident sequence constraints. It is judged that enhanced CRD flow is a viable high pressure injection source at BFN. The analysis documentation or calculations should be updated to address these items.
PLANT RESPONSE OR RESOLU77ON The documentation has been updated to address these issues.
AS-5 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element AS Subelement 17 There are sufficient ambiguities in the success criteria summary that a revised document clarifying the current model status is desirable. The issues include:
- All ATWS success criteria for high and low pressure injection (see also related F&O for AS subelement 16)
. High pressure injection capability with CRD success criteria (inconsistently quoted in Table A-3 compared with U2/U3 model)
. Low pressure injection success criteria (e.g., a potential problem is the adequacy of condensate for large LOCA)
. EECW success criteria (only EA,EB, EC, ED) are given as potential successes in Table A-4
. ARI success dependent on RPT for success not included (see related F&Os for DE-4 and QU-8)
- HPCI not a success for MLOCA unless low pressure systems are available long term LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Clarify each of the above success criteria issues and incorporate any changes in the model.
PLANT RESPONSE OR RESOLUTION These issues are addressed in the Success Criteria section of the Event Tree Notebook.
AS-1 2 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element AS Subelement 18 There are some items associated with the incorporation of the EQ1s into the PSA model that could be revisited to ensure that they are accurately reflected. These include the following:
. Treatment of external injection when containment pressure is above the MPCWLLL (Maximum Primary Containment Water Level Limit)
- Evaluation of actions required to support CRD as the sole high pressure injection source.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Ensure the above actions are modeled consistent with EQ1s and training.
PLANT RESPONSE OR RESOLUTION
- MPCWLL is addressed in the BFN-EOls; e.g., EOI-RC/L-3, C1-2 and C5-1.
Given an ATWS, the control room crew would make the transition to C5-1 from EOI-RC/L-3. While in C5, the entry conditions remain in effect throughout the implementation of this procedure. It is a 'continuous action' monitored by the STA. Since the HRA focused on the E0I action statements, the MPWCLL was accounted for implicitly.
- The HRA Update explicitly addressed the MSIV closure on low RPV level during power/level control in response to ATWS. In response to Certification Issue HR-1 1.1, a new analysis file was developed using insights from reviews of C5.
- CRD as the sole HP-injection source. Addressed in E01-1 Step RC/L-4 and in Appendix 5B (of E01-1). The HRA Update did not include walkthrough or talk-through evaluations of the manual actions to implement enhanced CRD flow, however.
AS-1 3 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element AS Subelement 19 Excessive LOCA Treatment places RPV rupture in the 0IAN PDS. This PDS appears to indicate that vapor suppression is not asked or is assumed always satisfied even for this event.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Reconsider treatment of RPV Rupture and Vapor Suppression.
PLANT RESPONSE OR RESOLUTION The LERF/Level 2 analysis has been revised. This initiator is mapped to LERF.
AS-1 4 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element AS Subelement 21 The transfer of analysis between Level 1 and 2 is dependent on the consistent definition of the end of Level 1 in terms of when core damage occurs. The definition of core damage appears in the IPE document to be:
- p. 4.5-6 states that recovery actions before core uncovery are treated in Level 1.
Those between TAF and 1/3 core height are treated in Level 2.
- p. 4.8-7 of the IPE indicates that core damage assumed in Level 1 occurs at 6 hrs. for a certain SBO sequence while Level 2 assumes an additional 3 hrs is available before level reaches 1/3 core height and "real " core damage occurs.
Therefore, Level 2 analysis assumes this 3 hrs is available for AC power recovery. The 3 hrs seems to be a discrepancy between Level 1 and Level 2 in the definition of what constitutes core damage.
- p. 4.3-6 of the IPE defines the PDS for use in Level 2 in terms of ucore uncovery" implying (although not stating) that the transition from Level 1 to 2 occurs when the core is uncovered.
- Appendix A of the IPE (Table A-1) states prevention of core damage to be RPV water level above 1/3 core height and being recovered.
LEVEL OFSIGNIFICANCE B
POSSIBLE RESOLUTION It is believed there is a disconnect in where recoveries are to be accounted for. This may be related to definition of the transition between Level 1 and 2 or the definition of core damage.
PLANT RESPONSE OR RESOLUTION The interface between Level 1 and Level 2 is discussed in the LERF/Level 2 Notebook.
These discrepancies no longer exist.
AS-1 5 S1329901-1423-062600 R1
2.3 THERMAL HYDRAULIC ANALYSIS (TH)
TH Fact / Observation sheets follow:
S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element TH Subelement 4 High pressure injection adequacy is listed as accomplished by CRD.
Model appears to include CRD success in enhanced mode.
During the Certification visit, TVA performed MAAP calculations to demonstrate enhanced CRD success. The MAAP runs were not reviewed by the Certification Team.
(Also refer to related F&Os for AS-7, AS-9 and SY-26.)
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Provide technical basis for enhanced CRD success including:
- Initiation timing
- T&H calculation
- Timing required for operator action
- Operator interviews
- Training interpretation of procedures PLANT RESPONSE OR RESOLUTION The technical basis for initiation, the T & H calculation, and the timing for operator actions are established by MAAP analysis (see Thermal Hydraulic Analysis). Operator interview and training interpretations of procedures was not performed. However, HEPs reflect the current EOI guidance and timing.
TH-4 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element TH Subelement 4 RCIC is listed as a success for small LOCA. This does not appear possible for 24 hour2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> mission time because the small LOCA combined with RCIC operation will drop RPV steam pressure below that which RCIC can operate, well before 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Reconsider RCIC success criteria; NUREG/CR-4550 is not considered an adequate technical basis.
PLANT RESPONSE OR RESOLUTION RCIC is no longer credited as a long-term success path for small LOCAs TH-5 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element TH Subelement 8 The SBQ evaluation for potential severe accidents is strongly dependent on the plant symptoms and plant conditions. The Certification Team was unable to find the deterministic calculations used to support SBO timing and accident sequence actions. The specific items of interest are the following for the entire 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> of the SBO before core damage is assumed.
- The drywell temperature for the SBO with 36 gpm + 25 gpm leakage relative to depressurization requirement at 2800F.
- The suppression pool temperature relative to HCTL requirement for depressurization
- RPV water level
- The RPV water level instrument response
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Assess and discuss the sequence effects on equipment operability for SBO response.
Including the margin to avoid emergency depressurization due to HCTL or high DW/T.
PLANT RESPONSE OR RESOLUTION Note that the BFN station blackout evaluation demonstrated the adequacy of all the items of interest for 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. The question then is the plant response for the next 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />. Neither the drywell temperature nor the HCTL is expected to reach depressurization setpoints until 8hours. The RPV water level instrumentation is expected to be available for the duration, with the operators controlling level using HPCI or RCIC in the first 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. No actions are required with respect to bypassing the high temperature trips for HPCI/RCIC during this 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> period. An extension of the assumed battery depletion time would likely involve such and action in addition to opening the HPCI/RCIC room door.
TH-7 TH-7 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element TH Subelement 12 Section 3.1.3 of the IPE does not appear to acknowledge containment vent as a containment heat removal method.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Update documentation to identify the success criteria and basis for containment heat removal methods.
PLANT RESPONSE OR RESOLUTION The original IPE documentation did not acknowledge containment vent as a containment heat removal method. That is now documented in the Event Tree Notebook and the Pressure Suppression Pool Notebook.
TH-1 1 S1329901-1423-062600 RI
2.4 SYSTEMS ANALYSIS (SY)
SY Fact / Observation Sheet follow:
S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element SY Subelement 5 The description of some of the Unit 3 and Unit 1 cross ties do not appear to be current with the system notebook.
Examples include:
- P. 1-4 of RHR System Notebook says U-3 to U-2 cross tie for RPV injection is not currently available. TVA personnel indicated that it is currently available.
. P. 1-4 RHR System Notebook states U-3 to U-2 suppression pool cooling is not credited. TVA indicated this is included.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION The PSA documentation and model should be consistent and address the current as-built plant.
PLANT RESPONSE OR RESOLUTION The Notebooks have been corrected.
SY-5 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element SY Subelement 13 There are three items that have been identified related to the modeled capacity that may be important to reevaluate to determine their impact on the PSA. These three items include the following:
- turbine bypass capacity in the ATWS model assumes 30% capacity while the FSAR on p. 11.5-1 states the capacity as 25%
- the SRV accumulator capacity is not demonstrated as capable of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> at a maximum leak rate and multiple actuations
- the battery capacity may be significantly longer than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Ensure that the capacities used in the model are supported by referenced calculations.
PLANT RESPONSE OR RESOLUTION The turbine by-pass capacity is roughly 3 million pounds of steam per hour. This represents approximately 24% of normal steam flow at 3458 MWt.
The SRV accumulator capacity is only required for the 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> battery depletion time under SBO conditions. In other uses, the accumulators are not required.
The battery capacity may be significantly longer than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />. Other PSAs have used longer times. However, no analysis exists to support this. The 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> is supported by analysis per the station blackout response to NRC.
SY-1 3 S1329901-1423-062600 R1
FACT/OBSERVA TION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element SY Subelement 19 The split fraction assigned to RPS failure given a Loss of IA is lower than other initiators. This is judged to be inappropriate unless a low scram air header scram signal is installed at BFN.
This information was not available to the review team. If no low scram air header pressure trip is present, then the conditional probability may likely be substantially higher than even the 2.15E-5.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Adjust the quantification to acknowledge the precursor information and plant specific rectification if applicable and then document the basis.
PLANT RESPONSE OR RESOLUTION The specific split fraction is of little importance in ATWS sequences. The latest evaluation provided by NRC contractors (NUREG/CR-5500 Volume 3) uses a single value much lower than that used in the existing BFN analysis.
SY-1 9 S1329901-1423-062600 R1
2.5 DATA ANALYSIS (DA)
DA Fact / Observation sheets follow:
S1329901-1423 062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element DA Subelement 4 Generic data is used for all component independent component failures, except for emergency diesel generators. The lack of plant-specific operating information is seen as a major limitation on the acceptability of the PSA for applications.
LEVEL OF SIGNIFICANCE B (with caution - some applications may require updating component failure data until an overall update is accomplished)
POSSIBLE RESOLUTION Include plant-specific failure information from performance data collected for Maintenance Rule implementation in the next update of the PSA model(s).
PLANT RESPONSE OR RESOLUTION Plant specific failure information was developed from Maintenance Rule data.
DA-2 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element DA Subelement 7 The availability of DC power to support accident response has been identified in some other PSAs as important. The unavailability of multiple DC supplies due to potential common cause failure (CCF) has also been identified and highlighted by the NRC in NUREG-0666.
There does not appear to be a CCF of two DC power supplies included in the analysis.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION NUREG-0666 should be reviewed to assess the importance of the CCF. In addition, the CCF should be added to the model.
PLANT RESPONSE OR RESOLUTION DC CCF data from NUREG-0666 was reviewed, parameters developed and added to the model.
DA-4 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element DA Subelement 8 AEOD/INEL DATA applied to BFN will likely lead to an increase in the CCF contribution for the EECW pumps and diesel generators.
The EECW treatment of 6 pumps may result in a substantial change depending on how the grouping of the identical pumps is performed.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Consider reassessment of the key CCF contributors using the latest AEOD/INEL common cause data (see attached excerpts -12 pages)
PLANT RESPONSE OR RESOLU71ON The RHRSW and EECW pumps are a group of 12 pumps. Thus, the theoretical group size is
This partitioning is based on the fact the EECW pumps are normally operating and the RHRSW pumps are standby. A review of INEEUAEOD CCF database was the basis for this partitioning. Note that if the RHRSW swing pumps are used to supply EECW, the CCF for RHRSW pumps is already accounted for.
DA-5 S1329901-1423-062600 R1
FACT/OBSERVA TION REGARDING PSA TECHNICAL ELEMENTS OBSERVA TION Element DA Subelement 10 The six RCW pump from U2/U1 are included in one CCF group, while the four RCW pumps from U3 are included in a separate CCF group.
This does not appear to be justified. The pumps, their service condition, maintenance, and operating environment all appear to be identified with no good reason for separating them into different groups.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Include RCW pumps in the same CCF group.
PLANT RESPONSE OR RESOLUTION Common cause is included in the model for failure of the RCW pumps to run. A single common cause group is defined including the operating Unit 1, Unit 2, and Unit 3 pumps.
Failure of three of more RCW pumps is modeled as system failure, therefore common cause failures of any two pumps is modeled explicitly, and failure of any tree (or more) pumps is modeled as a single, global common cause event.
DA-7 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element DA Subelement 14 The common cause diesel evaluation for one sequence (LOSP 1934) included the following:
GA1 = .09 GD2 = .09 GB4 = .16 GC4 = .4 DGC1 = .236 (Unit 3 CCF) 1.2E-4 The probability is reasonable; however, the MGL values for this model appear to be substantially lower than the most recent CCF from the NRC work at INEL (refer to earlier attached excerpts for Subelement DA-8).
PLG INEL B= X =X ifX>.03 7=.16 = .78 go= .4 go= .6
£ = .2 £= 1.0 (inferred)
There is no technical basis presented that would support the use of new or different models for the Unit 3 diesels, i.e., for them being from a different population requiring separate CCF treatment.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Modify the MGL parameters used in the diesel generation assessment.
PLANT RESPONSE OR RESOLUTION The MGL parameters were modified based on screening the INEEL CCF database.
DA-8 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element DA Subelement 19 The maintenance unavailabilities are based on generic data.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Update generic maintenance unavailabilities in the model to be plant specific.
PLANT RESPONSE OR RESOLUTiON The maintenance data was updated based on data from the maintenance rule.
DA-1 2 S1329901-1423-062600 RI
2.6 HUMAN RELIABILITY ANALYSIS (HR)
HR Fact / Observations Sheets follow:
S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 5 Figures 3.2.1.23 (Fig. 3-3, 3-4) show that LPCI and CS are dependent on the RPV low pressure permissive interlock using the same pressure sensors.
No HEP for miscalibration of these sensors is included in the HRA. This appears to be a major oversight.
The low pressure permissive miscalibration or failure can result in preventing opening the CS and LPCI injection valves.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Include a common cause miscalibration error on the low pressure permissive interlock for LPCI/CS injection valves.
PLANT RESPONSE OR RESOLUTION The HRA Update includes an analysis of CS/LPCI miscalibration. See HRA Notebook, Section 2 and Attachment B.1.3 for details.
HR-3 HR-3 S1329901-1423-062600 Ri
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 9.1 Operator actions added in U-2/U-3 model:
- Establish Enhanced CRD Flow-HOCRD3 (2.3E-2)
- no technical basis provided
- inconsistent with existing T&H evaluation by ORNL
- fails to recognize need for local action or identify time required
- Open Hardened vent without AC Power Available - HOLP3 (6.1 E-3)
- Failure of this action is not judged to be adequately evaluated given the local actions required.
No technical basis presented.
LEVEL OFSIGNIFICANCE B
POSSIBLE RESOLUTION Remove benefit for these actions until operating staff input and time analysis is performed.
PLANT RESPONSE OR RESOLUTION Subelement HR9.la in HRA Notebook HOCRD3: See the document \TVA\N0047.doc.04/06/99 page 4-9 for details. The local manual steps required to align and adjust 1-FCV-85-I1 IA(B) using 2-PCV-85-11 are delineated in procedure 2-01-85, Section 8.24.3. The given HEP is a screening value.
Subelement HR9.1 b in HRA Notebook HOLP3: This action is addressed in \TVA\N0047.doc.04/06/99 page 4-10. The operator action represent local actions only and does not include detection or diagnosis of need for hardened vent. The given HEP is a screening value.
HR-5 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 9 The HRA used for enhanced CRD flow evaluation is inconsistent with the timing and procedural requirements.
TIMING The operator action evaluation used in the enhanced CRD assessment is cited in the CRD notebook (p. 3-5) as OCRD2. In the ORCRD2 operator action to provide enhanced flow, the assertion is made that 45 minutes is available within which to accomplish the action (see IPE App. B). However, contrary to this the thermal hydraulic analysis ORNL- NUREG/CR-3179 assumes actions need to be taken in 10 minutes (refer to attached excerpts - 2 pages). The ORNL report is identified by TVA as the basis for the thermal hydraulic analysis. Based on the Certification Team walkdown, it was identified that one of the valves specified to operate for enhanced CRD flow is approximately 20 ft. above the floor. If this valve is credited in the PSA for cases involving local operation, the action has not been included in the HRA.
PROCEDURAL GUIDANCE The procedure included in the NUREG/CR-3179 for demonstrated success requires the steps on p. 64 of the subject report. This includes the local manual action in the reactor building for opening 85-527 within 10 minutes. The EOI App 5B steps (refer to attached excerpts - 4 pages) do not require this action as an immediate step and therefore the diagnosis and steps that may occur before this is even started may be long after 10 minutes.
LOOP OR OTHER SEQUENCES In addition, the LOOP sequences require other operator actions to enhance CRD flow that are not accounted for in the enhanced CRD flow HRA evaluation. This would appear to invalidate the application of the HEP to these other support system initiators.
DIAGNOSIS The diagnosis of the need for enhanced CRD is required from the operation staff to implement enhanced flow. This diagnosis has no clear symptoms that are guaranteed to allow identification within the 10 min. allowed by the referenced T&H calculations.
LEVEL OF SIGNIFICANCE B
HR-6 HR-6 S1329901-1423-062600 R1
FACT/OBSERVA TION REGARDING PSA TECHNICAL ELEMENTS POSSIBLE RESOLUTION The HRA used for enhanced CRD flow evaluation is inconsistent with the timing and procedural requirements. The PRA should be updated to account for these effects.
PLANT RESPONSE OR RESOLUTION Subelement 9.2 in HRA Notebook An artifact of FLIM. i.e., inadequate consideration of system line-window. The HRA Update recommended using a single QA - identifier for the operator action (QA). The 45 minute time window is now supported by MAAP analysis.
HR-6 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 9 The operator actions added in the U2/U3 model appear not to have the technical basis for their values included:
- Open the hardened vent with ac power available at 1E -5
- Open the hardened vent without AC power available at 6.1E-3 using local manual actions in the reactor building LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Perform a specific HRA to support the HEP values for each of the operator actions added to the model and document the methods and the results.
PLANT RESPONSE OR RESOLUTION Subelement 9.3 in HRA Notebook refers to operator actions HOLP2 and HOLP3. The original HEP assigned HOLP2 was 3.3E-5. It did not account for the strong dependency on previous action in the accident sequence of concern. The PSA update reevaluated HOLP2 and assigned a new HEP- 1.43E-1 as documented in Section 4.3 of the HRA Notebook.
HR-8 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 10 The HEP for bypassing the MSIV closure setpoint (Level 2) on low RPV level does not appear to include several important perfomiance shaping factors.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Include the MSIV closure assessment for all failure to scram events on a sequence by sequence basis.
This action could be evaluated based on:
- Manual time to perform -30 seconds to many minutes
- Keys and tools required
- Diagnosis needed
- Time to drop level below Level 1 is very rapid when the RPV injection is terminated
- Stress is high
- Level indication may be oscillating
- Some instrumentation may be misleading or failed.
- Direction to bypass the interlock is not given until BIIT is exceeded
- Without FW and HPCI, very little time is available PLANT RESPONSE OR RESOLUTION The HRA Update developed a new HEP for this operator action; see Attachment B.2.13.
HR-9 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 11 MSIV Closure At Low Level Durina ATWS The operator action to bypass the Level 1 MSIV Closure interlock does not appear to address the symptoms and procedural guidance. Specifically, the interlock is not directed to be bypassed until after reaching BIIT. This is contrary to the assumption in the HRA timing evaluation. (Refer to related F&O for HR-1 0).
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Revise the HRA timing assumption.
PLANT RESPONSE OR RESOLUTION Subelement 11.1 in HRA Notebook MSIV interlock bypass is called out in procedure 2-C5-4, after reaching Boron Injection Initiation Temperature (B1 1T). A new analysis file was developed for operator action HOSVi; see Attachment B.2.13 in the HRA Notebook.
HR-10 H-S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 11 MPCWLL - - High containment pressure is not addressed in the evaluation of RPV injection under TW and ATWS.
The loss of containment heat removal sequence may have different release potential and different recovery probability depending on how and when core damage is induced relative to containment failure. Specifically, at high containment pressure, i.e., above 55 psig, external injection to the RPV is to be terminated per the Maximum Primary Containment Water Level Limit (MPCWLL) of the EOls.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Include containment pressure as a key symptom in evaluating RPV makeup under TW and ATWS conditions.
PLANT RESPONSE OR RESOLUTION Subelement 11.2 in HRA Notebook Our justification for not explicitly modeling operator actions to terminate external injection given containment pressure above the MPCWLL was based on reviews of the BFN-EOls.
The MPCWLL is an entry condition for the ATWS-response. As such the MPCWLL is a continuous action monitored by the STA. The EQ1s explicitly call out the MPCWLL in three different locations:
- MPCWLL is addressed in EOI-1 Step RC/L-3 and it is a concurrent action (if MPCWLL>
105 ft or SP pressure> 55 psig then stop external injection sources)
- MPCWLL again is addressed in C1 (Alternate Level Control) Step 2; the transition to C-1 is from EO1-1 Step RC/L-10
- Given an ATWS, the control room crew would make the transition to C5-1 from EOI-1 Step RC/L-3. Step C5-1 addresses MPCWLL. In C5-1, the 'condition-statements' in the box remain in effect throughout the implementation of this contingency.
In view of the structure of the EQ1s and the methodology for analyzing operator action, there would be ample opportunity to recover from missing a step in the procedures. Therefore, a risk contribution from missing such a step in the procedures was viewed as small.
HR-11 HR-ilS1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 11 The description of HOSV2 for failure of an interfacing valve assumes that indications are: (1) high temperature on pipe, and (2) paint smoke. It is judged that this will not be recognized in 2 min. The HEP should be close to 1.0 for the case cited. (Note this description is also inconsistent with its use in ISLOCA sequences.)
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Make HRA consistent with symptoms, time available, and sequence definition.
PLANT RESPONSE OR RESOLUTION Subelement 11.3 in HRA Notebook New HEPs were developed for split fractions V53 and V54 accounting for the sequence-specific human factors; see Attachments B.2.14 and B.2.15 in the HRA Notebook.
HR-12 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 12 The HEP for containment vent operation is judged to be extremely low at
- all support-5E-5
- no AC---6E-3 These values are judged to be substantially below HEPs estimated elsewhere in BWR PSAs for similar actions. These HEPs may be appropriate but are believed to be suspect based on comparison within the industry for a difficult decision under high stress.
As an example, based on the Certification Team walkdown, manual alignment of vent valves requires climbing over the torus to reach the valves. This local manual action does not appear to be adequately treated in the HRA for "no AC power" cases.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Timing for the action is judged to be underestimated although it is believed to still be on the order of an hour or more. The trigger point is generally late in the sequence and the time when the action must be completed by is before the vent valves cannot be opened against the pressure differential. This time window is generally much less than the total TW window which is assumed in the HRA calculation.
PLANT RESPONSE OR RESOLU77ON Subelement 12.1 in HRA Notebook The HRA Notebook includes consideration of different data application schemes to offset the limitations of the FLIM methodology.
HR-1 3 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 12 The assessment of ADS inhibit under failure to scram conditions could be refined to identify that the HEP varies with the number of injection systems available.
If HPCI, FW, and RCIC are initially injecting during a turbine trip event with a failure to scram, then the ADS inhibit success is considered to be greater than for an MSIV closure or Loss of FW case with no HPCI available. This distinction is not currently made.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION The most restrictive cases may have substantially higher HEPs. These should be included in the model.
PLANT RESPONSE OR RESOLU7iON Subelement 12.2 in HRA Notebook The HRA Update includes revised, sequence dependent HEPs; see Attachment B.2 for details.
HR-14 5R 1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 14 New HEPs are identified in PLG 1112 (Section 4.3). These HEPs have the following potential problems associated with them:
a) HEPs are not presented nor is the input from operating staff b) Allowed time for action to take place is not identified c) Required time to take action is not identified d) Technical basis for times is not defined e) HOXD appears to be extremely optimistic and based on a daisy chain argument of assumptions and suppositions LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION The HEPs added in the most recent update need to be technically justified.
PLANT RESPONSE OR RESOLUTION HRA Notebook includes assumptions, justifications, and technical basis behind the derived HEPs.
HR-1 5 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 16 HOSLI & HOSL2-SLC INITIATION (1) The basis for choosing 170°F(1 ) pool temperature as a criterion for SLC initiation is not provided.
(2) HOSL2: Cannot sustain 50% power for isolated reactor (FW is lost)
(3) HOSL1: 3 to 5 min. are not available to initiate SLC without also exceeding BIIT (11 0IF) which is the point where levelpower control would be initiated.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION It appears the HRA T&H is in need of revision to make it consistent with Rev. 4 EPGs.
PLANT RESPONSE OR RESOLUTION Subelement 16.1 in HRA Notebook The HRA Update develops operator response time-lines and system line-windows that reflect different cue-response strategies; see HRA Notebook, Attachment B.2 for details. New HEPs are based on 1100 F suppression pool temperature.
(') It appears the 170 0F may be an Design NPSH related item or the HCTL at 1000 psig. Neither of these are limits.
HR-17 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 16 Define the changes made to the IPE Rev. 1 or IPE based on the changes to the EOls when Rev. 4 EPGs were incorporated.
LEVEL OFSIGNIFICANCE B
POSSIBLE RESOLUTION Substantial changes in operator instructions may have occurred but these do not seem to be documented.
PLANT RESPONSE OR RESOLUTION Subelement 16.2 in HRA Notebook The HRA Notebook includes a section on the Emergency Operating Instructions (EOIs) as currently implemented at BFN-2.
HR-1 8 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 17 The isolation of an MOV without a breach in low pressure pipe would be an effective way to terminate a potential ISLOCA. However, the ISLOCA event sequence assumes that the pipe has broken and then the isolation is attempted. Therefore, there is an inconsistency in the way the HRA is derived and the way it is used in the accident sequence.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Modify the HEP to fit the sequence definition.(See related F&O for QU-1 8).
PLANT RESPONSE OR RESOLUTiON Subelement 17.1 in HRA Notebook The HRA Notebook includes six HEPs, one for each split fraction.
HR-19 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 17 HOEE1 5 min. available to align swing RHRSW pump to EECW for distressed diesel.
Procedure is not defined in the HRA.
Training is not defined in the HRA.
There appears to be no technical basis to support an HEP of 5E-4. This is substantially lower than any time reliability correlation would yield for the multiple failure events occurring for the postulated scenario.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Re-evaluate the HEP considering explicit simulator experience, procedures, training, or other reasonable bases to support such a low value.
PLANT RESPONSE OR RESOLUTION Subelement 17.2 in HRA Notebook The HRA Notebook includes consideration of different data aggregation schemes to offset the limitations of the FLIM methodology. Operator action HOEE1-HOEE2 and the revised PSA model uses an HEP 1.6E-2. The procedures for operating the RHRSW swing pumps are 0-01-23 and 0-01-74 HR-20 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 19 HOAD1 I HOAD2/HOSV1 These ATWS response HEPs appear to be developed assuming all injection is available to the RPV. However, for those accident sequences in which no high pressure injection at sufficient flow (FW or HPCI) is available, then the timing assumed for these events is overestimated by a substantial amount.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Provide the HEP to be used when FW and HPCI are unavailable for ATWS response to quantify ADS inhibit and bypass of the MSIV closure interlock.
PLANT RESPONSE OR RESOLU77ON Subelement 19.1 in HRA Notebook The HRA Notebook includes a discussion on sequence dependent operator actions taken in response to different ATWS scenarios.
HR-22 S1329901*1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 19 ODWS There are only 2 values for the HEP for DW spray initiation:
- ATWS = 2.7E-2
- Non-ATWS = 9.9E-3 These HEPs do not appear to capture the accident sequence dependencies that may exist for a) LOCAs b) delayed SBO c) loss of RBCCW d) loss of vapor suppression In addition, the operator action can only be used in the pre-core damage portion of the sequence since spray symptoms vary dramatically during L2 severe accident progression.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Assess the applicability of the drywell spray initiation HEP to Level 1 sequences and Level 2.
PLANT RESPONSE OR RESOLUTION Subelement 19.2 in HRA Notebook These sequence dependencies were addressed as part of the BFN-2 PSA model quantification (March-May 2000).
HR-23 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 19 HOSV1 Availability of the Main Condenser should have a strong dependence on the operator actions related to ATWS response. When the E0I direction is to terminate all RPV injection and lower RPV water level, this would likely require lowering level below the Level 1 MSIV closure set point. This HEP does not appear to be adequately accounted for.
The description of timing referenced under HOSV1 and used in the derivation of HOADI is inconsistent with the Rev. 4 EPGs, which do not specify the bypass of MSIV low level until after BIIT is reached.
Therefore, the available time is 30 sec. to 2 min. depending on the rate of level dropping once level power control is simultaneously implemented, not 12 to 14 min. assumed in the HRA.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION This will result in a substantial underestimation of the HEP for HOSV1 because the time available is likely less than the time required to implement the bypass.
The assessment of OSV1 at 2E-3 appears to be substantially lower than can be achieved with typical HRA techniques for:
. high stress (ATWS)
. limited time (< 2 min.)
. non-trivial action that requires access to a procedure and jumpers PLANT RESPONSE OR RESOLUTION Subelement 19.3 in HRA Notebook This event is a convoluted action. The HRA Notebook includes a section on the treatment of such actions.
HR-24 HR-24S11329901.1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 20 Table 3.3.3-3, Database Variable HOCRD2 for Top Event CRD "Align and Operate Enhanced Flow CRDHS, Given Enhanced Mode is Required (HPCI/RCIC Failed)", shows 45 minutes available for the operator to take the specified action, without mentioning the time required to complete the action. Given the fact that this action may require considerable time to complete (cannot be performed only from the Control Room), the time constraints are more rigorous than the 45 minutes mentioned. The probability of about 1E-3 considered for failure of this action appears to be too low.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Document time required to align enhanced CRD flow, and verify the human error probability assigned to this event using the quantification process described in the IPE for Dynamic Human Actions.
PLANT RESPONSE OR RESOLUTION Timing for local steps has been established and documented in the HRA Notebook. The given HEP only accounts for remote operations in the Main Control Room.
HR-26 SI1329901-1423-062600 Ri
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 23 Two of the actions for MOV closure to isolate an ISLOCA, HOVS1 (HER = 0.0016) and HOVS2 (HER = 0.00423), appear to have low values for non-procedural actions, especially since these actions must be performed within two minutes.
LEVEL OFSIGNIFICANCE B
POSSIBLE RESOLUTION Reevaluate the HEPs.
PLANT RESPONSE OR RESOLUTION See comments on HR-17.1. Without proper justifications, the original HRA should have used 0.1 <HER< 0.01 HR-27 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 26 The IPE documentation indicates that when multiple HEPs occur in the same sequence , then HEPs are adjusted to indicate potential lower reliability of the second HEP.
However, the sequences failure to initiate suppression pool cooling and failure to initiate vent contain a combined HEP of 3E-9 (7.8E-5
- 3.7E-5). Such an HEP is far below what is considered believable or credible. This indicates the latest U2/U3 model does not have the same controls on multiple HEP assessment as has been used in the past for the IPE.
LEVEL OF SIGNIFICANCE A
POSSIBLE RESOLUTION Ensure that multiple HEPs in the same sequence are addressed in the latest models.
PLANT RESPONSE OR RESOLUTION Subelement 26.1 in HRA Notebook The HRA Update presents the systematic approach to evaluating dependent operator actions.
Revised HEPs were developed as appropriate during the final PSA model quantification. The HRA Notebook Section 4.3 (pp 4-6 to 4-10) documents the evaluation of dependent operator actions.
HR-28 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 27 Treatment of dependencies among multiple human actions in a given accident sequence (i.e.,
multiple human action top events in an event tree) can have a significant effect on the overall estimated impact of human performance for that sequence. In general, success or failure on a preceding action affects that error probability of success/failure on the subsequent action.
No documentation was found explaining those sequences that may have multiple HEPs and how these were accounted for.
(See related F&Os for HR-26.)
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Assess impacts of multiple HEPs in sequences.
PLANT RESPONSE OR RESOLUTION See HR-26 HR-31 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element HR Subelement 28 The documentation for the individual HEPs for the IPE is performed well. The update process for the model also appears to be performed well. However, there are some documentation and interface issues that appear not to be fully addressed as the model has been updated.
These issues include the following HRA items:
- old IPE document is still active even though it appears to be out of date in some areas with the model
- document the technical basis for the newly added HEPs since the IPE completion (e.g., enhanced CRD, and venting)
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Provide a single set of documents that summarizes the current state of the model without contradictions or left over items not relevant to the current model.
PLANT RESPONSE OR RESOLUTION The new HRA Notebook is a controlled document.
HR-32 S1329901-1423-062600 R1
2.7 DEPENDENCY ANALYSIS (DE)
DE Fact / Observation sheets follow:
S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element DE Subelement 6 The models do not apparently include common cause miscalibration of key sensors (e.g., for the ECCS low pressure permissive).
(See related F&O for HR-5)
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Verify that this miscalibration action is not in the model and include if determined not to be modeled.
PLANT RESPONSE OR RESOLUTION This miscalibration was not in the model, but was evaluated and modeled.
DE-5 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element DE Subelement 6 The PSA apparently does not model operator termination of injection of external injection due to Maximum Primary Containment Water Level Limits, as described in the E01s.
(See related F&O for AS-7, AS-1 8 and HR-1 1).
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Verify that this action is not in the model and include if determined not to be modeled.
PLANT RESPONSE OR RESOLUTION The Human Reliability analysis has been modified. It was not obvious that the previous analysis explicitly considered MPCWLL. The modified HRA analysis considered operator termination of injection.
DE-6 S1329901-1423-062600 RI
2.8 STRUCTURAL RESPONSE (ST)
ST Fact / Observation Sheets follow:
S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element ST Subelement 7 Containment The assessment of containment structural capability appears to not address the following items:
. The external ring header is not identified, discussed, or evaluated. This appears to be a potentially significant omission.
- The vent line bellows are assessed but it is unclear whether this analysis considers the maximum deflections possible when the torus is at 100 F, and the drywell is at 8002 F, and pressure is high, and the fact that it is a single ply.
- The wetwell pressure capability is not significantly different than the drywell but yet wetwell failure modes have been removed from consideration in the CET.
. Wetwell failure modes above the water line or below the water line can have significantly different consequences. This is not discussed.
. Hydrodynamic loading as it affects the wetwell capability. See 12-19.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Incorporate consideration of each of these issues in the PSA and document the resolution in a manner that will support future applications.
PLANT RESPONSE OR RESOLUTION
. The external ring header is not identified, discussed, or evaluated. This appears to be a potential significant omission.
Resoonse: The external ring header was not evaluated in detail since it was judged Continued on next page l PLANT RESPONSE OR RESOLUTION, (cont'd)
ST-5 S1329901-1423-062600 R1
by the analyst to not likely be a controlling mode of failure. Piping typically has much smaller r/t ratios with correspondingly higher internal pressure capacity than shells.
The Browns Ferry ring header provides the ECCs system with water and may be expected to closely follow the wetwell temperature during an accident sequence. The ring header is fabricated from 30-inch diameter extra strong (xs) carbon steel (assumed SA 106 Grade B) pipe. Using the methodology developed to estimate pipe burst pressures resulting from intersystem LOCA (ISLOCA) over-pressurization (Reference NUREG/CR-5603 and NUREG/CR-5862), median burst pressure of the ring header is expected to vary from about 1880 psig at 700F to about 2060 psig at 4000F with corresponding log normal standard deviations of 0.17 and 0.24, respectively. Valve bodies are generally thicker than the attached pipe with correspondingly higher burst capacities.
Some leakage due to over pressurization of the ring header could possibly result primarily through bolted bonnet flange prior to pipe burst. However, this leakage is expected to be negligible in the context of torus burst failure, and the Browns Ferry wetwell failure is expected to be controlled by failure of the torus as previously indicated.
The vent line bellows are assessed but it is unclear whether this analysis considers the maximum deflections possible when the torus is at 100 0F. and the drywell is at 800 0F, and the pressure is high, and the fact that it is a single p/Y.
Resnonse: The bellows are located inside the torus and may be expected to be at approximately torus temperature during an accident condition. Pressure inside the torus exerts external pressure on the bellows. It is well known that the Browns Ferry configuration of bellows inside the torus results in higher bellows capability. Therefore, the single ply Browns Ferry bellows is not a primary failure location unlike the 2-ply Peach Bottom bellows (outside torus) is a primary failure location. Drywell expansion and torus expansion both induce axial extensions in the bellows. At very high pressures and/or temperatures in the drywell, the deformation of the drywell tends to be restrained by the closure of the gap (2 3/16") between the drywell shell and the concrete biological shield wall. At the time the containment capacities for Browns Ferry were calculated, the time history pressure and the thermal conditions in the drywell and torus were not available for the various severe accident conditions assumed in the IPE. Therefore, the bellows failure modes were evaluated at various discrete Continued on next page temperatures corresponding to those of the torus, but assuming maximum drywell thermal and pressure deformation. The resulting (probably conservative) bellows failure pressures were all found to be well in excess of the torus failure pressures and were therefore found to not be controlling. The ST-5 S1329901-1423-062600 R1
fact that the bellows were single ply construction was known at the time the analysis was conducted and all capacities were based on analysis for a single ply configuration.
- The wetwell pressure capability is not significantly different than the drywell but yet wetwell failure modes have been removed from consideration in the CET.
Response: Failure of the drywell is expected to occur at a median membrane strain of the order of 3.5%. At shell deformations large enough to close the 2 3/16-inch gap between the shell and the shield wall concrete, this gap corresponds to a shell strain of approximately 1%. At strains above this value, the concrete reinforcing steel adds to the strength of the drywell pressure capacity and the results in median pressure capacities, which are higher than those of the wetwell. Based on shell strengths alone, the wetwell shell has considerably higher pressure capacity than the drywell shell calculated by strain failure analysis and as shown by the AMES Laboratory finite element analysis of the Browns Ferry drywell and wetwell shells. Hence, at low probabilities of failure (i.e., those corresponding to shell strains less than about 1% where no added strength is provided by the shield wall), the drywell has substantially lower capacities than corresponding wetwell values. This was accounted for in the analysis by the use of separate logarithmic standard deviations for the upper (including reinforcing steel effects) and for the lower strains (drywell shell only). Consequently at 4000F, the median capacity of the shell alone would be expected to be about 155 psig (compared to 199 psig for the wetwell) with a lognormal standard deviation of 0.20 (same as the wetwell).
Similar median failure pressures of 178 psig for the drywell vs. 229 psig for the wetwell exist at room temperature. Also, leakage past the drywell head flange occurs at pressures below wetwell failure pressures. Even though much of the risk may occur in this range of pressures and the drywell dominates the failure probability of the containment over this range, at the higher pressures the wetwell will dominate the failure probability of the containment. Consequently, the updated PSA Containment Event Tree (CET) has been modified to include both the wetwell and drywell failure modes.
. Wetwell failure modes above the water line or below the water line can have significantly different consequences. This is not discussed.
Continued on next page Resoonse: Event heading (WW) distinguishes the location of an overpressure failure in the wetwell for Class II and IV sequences. In terms of accident consequences, the failure location is important in determining the severity of release. A breach in the wetwell air space would result in release that may pass through the suppression pool. On the other hand, a failure below the water level may deplete the suppression pool water inventory and may result in lowering the water level to below the downcomers and the SRV T-quenchers.
ST-5 ST-5 S1329901-1423-062600 RI
This would impact the scrubbing capability of the suppression pool.
Hydrodynamic loading as it affects the wetwell capability (See L2- 19)
Response: A probabilistic evaluation of the hydrodynamic loads in the wetwell was outside the scope of the containment pressure evaluation for the IPE. In addition, as previously noted at the time that the containment pressure capacities were investigated, the pressure/temperature time histories for the various assumed accident scenarios were unavailable. Hence, all pressure capacities used in the Browns Ferry IPE were considered to be quasistatic with any minor membrane stress effects caused by hydrodynamic loads considered to be covered by the variabilities associated with the median pressure capacities.
The updated PSA model includes the wetwell failure modes. Containment dynamic loading limits used in the updated PSA are discussed in Section 1.3.3 of this notebook. This section defines containment failure for events that result in suppression pool temperatures above 2600 F with containment failure occurring as a result of 1) exceeding the calculated ultimate strength,
- 2) hydrodynamic loads, 3) by premature failure due to phenomena discussed in the section.
ST-5 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element ST Subelement 7 The containment structural capability summarized in p. A-4 of the IPE appears to be at odds with the structural analysis presented in Section 4 of the IPE. The specific issues associated with the differences are as follows:
. 128 psi is used as the containment pressure capability as cited in P. A-4; however, Section 4 indicates pressures greater than 160 psig for containment.
. A special condition is listed on p. A-4 for ATWS. This condition is not further discussed to provide basis for determining containment failure location when 2402F in the pool is exceeded for failure to scram conditions.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Resolve containment capability assessment.
PLANT RESPONSE OR RESOLUTiON Element ST Subelement 7, page ST-8 states the following:
. The containment structural capability summarized in p. A-4 of the IPE appears to be at odds with the structural analysis presented in Section 4 of the IPE. The specific issues associated with the differences are as follows:
- 128 psi is used as the containment pressure capability as cited in p. A-4; however, Section 4 indicates pressures greater than 160 psig for containment.
Continued on next page
- A special condition is listed on p. A-4 for ATWS. This condition is not further discussed to provide basis for determining containment failure location when ST-6 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS 2400 F in the pool is exceeded for failure to scram conditions.
Resnonse: These issues have been resolved in the updated PSA to assure consistency of the containment pressure capability with the structure analysis presented in the Structural Analysis Notebook. Section 1.3.3 of the notebook discusses the technical basis for the selection of 2600F as the equivalent bulk suppression pool temperature during an ATWS, above which containment integrity cannot be assured.
ST-6 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element ST Subelement 8 The Level 2 MAAP runs appear to be structured to incorporate blowout panels in the steam tunnel, the RB to refuel floor, and the refuel floor to environment. During walkdowns it was determined the that the RB to refuel floor blowout panels are not installed but that the two volumes communicate directly via the equipment hatch. It is not known what impact this has on the MAAP runs or the Level 2.
LEVEL OFSIGNIFICANCE B
POSSIBLE RESOLUTION Address this issue specifically in the next update (running new MAAP cases to support assessments, as appropriate).
PLANT RESPONSE OR RESOLUTION The BFN IPE modeled the following three failure junctions in the reactor building:
Refuel floor blowout panels fail to the environment at 0.35 psi differential with an area of 3200 ft2.
Refuel floor blowout panels fail between El 639' and the refuel floor at 0.25 psi differential with an area of 400 ft2.
Steam tunnel to turbine building blowout at 0.625 psi differential with an area of 270 ft2. Due to the backdraft dampers on El. 565', the steam tunnel is lumped with El. 565'.
Table 2-1 summarizes the results of the MAAP analyses performed in support of the original IPE. This certification Facts/Observations focuses on the impact that the refueling floor blowout panels have on the Level 2 results.
Continued on next page At the time of containment failure, pressurization of the reactor building may cause the floor blowout panels (if installed) to fail and relieve pressure to the ST-7 S1329901-1423-062600 R1
refueling floor bay. This would possibly result in opening of the RFE blowout panels and release of radionuclides to the environment. For most of the cases in Table 2-1, the refueling floor blowout panels were predicted to open as a result of the pressurization of the reactor building. MAAP assumed that once the pressure threshold for the blowout panels was exceeded, the junction would open and remain open for the duration of the accident.
Two cases in Table 2-1 did not result in opening of the floor blowout panels.
Case PJH provided insights for loss of injection, depressurization using three SRVs, and drywell shell failure after vessel breach. Case PJHNSP modeled a break into the steam tunnel with subsequent failure of the junction leading into the turbine building. The source term for this case was large and would have not been impacted by the refueling floor blowout panels.
In summary, the cases run in support of the IPE assumed that the refueling floor blowout panels were installed and that a pressure difference of 0.25 psi was required to fail this junction. Failure of this junction occurred in all cases with the exception of the containment bypass events. The major contributors to the Large Early Release Frequency (LERF) are not affected by the floor blowout panels assumption.
The plant design no longer requires the refueling floor blowout panels to be in place and were not in place as observed by the Certification Team during their walkdown. Hence, the MAAP model that modeled the failure of the refueling floor blowout panels when the containment starts to pressurize (and fails at only 0.25 psi) is in fact representative of the current configuration of no floor blowout panels in place (essentially a hole exists in the floor) and the MAAP results produced for the IPE are still applicable.
Continued on next page ST-7 S1329901-1423-062600 R1
I PLANT RESPONSE OR RESOLUTION. (cont'd). I Table 2-1 Summary of Browns Ferry Reactor Building Analysis Hatch Steam Refuel RB DW Press Reactor Sequence Plugs Tunnel Floor Sprays Shell DW at BldgRat Comments Open Blowout Blowout On Failure Failure BldgDF PIHDEP of v _ _ 124 psla 1.1 Failure Into 639' PIHDL-F VI v 100 2.1 Into Torus room. H2 burn PIHDLV _ _ _ 57 9.2 Into Torus room PIHDEPV _ t122 1.1 Into 639' PIHDHB i111 12 Into 639' PIHNDP of I/ 94 5.3 Into Torus room, H2 burn OIA v _ 124 1.0 Into 639', H2 burn OIAU_ _ 57 82 Into Torus room MIA No failure due to DWS & SPC MIALF __ 63 2.2 Small rel to RB - DWS on PID VI 67 50 Into Torus room, H2 burn PIDNSP W W V 62 67 Into Torus room, H2 burn PIDVOL N/A No Vessel failure due to CRD NIH el 1 1 72 42 Fire sprays, H2 burn NIHNSP 1 1 69 117 PLF TW, no vessel failure MKC 1 _ 194 1 ATWS, Into 639' PJH _ _ 47 620 w fire sprays PJHNSP 1 46 4 Cont bypass. Turb bidg open VRHRI 1.6 Interfacing System LOCA ST-7 S1329901-1423-062600 R1
2.9 QUANTIFICATION AND RESULTS INTERPRETATION (QU)
QU Fact / Observation sheets follow:
S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element QU Subelement 7 The "saved sequence" model has a number of limitations when it comes to applications.
These limitations are well known to the PSA group; however, it would be desirable to document the limitations for both future members of the PSA or the users of the PSA such as the Maintenance Rule Expert Panel. These limitations include issues related to asymmetry in the model or in conditions related to truncation limits that lead to incorrect or misleading importance measures. In fact, importance measures for the base model appear to indicate symptoms of truncation effects (i.e., Risk Achievement Worths less than 1.0 and negative Fussell-Vesely values).
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Document the limitations of the saved sequence model.
PLANT RESPONSE OR RESOLUTION An analysis of truncation effect on CDF and the unaccounted for frequency was performed and documented. Cautions regarding symmetry were noted as limitation.
QU-1 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element QU Subelement 9 There should be included, based on NUREG-0666, a common cause DC bus failure term that results in a higher conditional failure probability for the second DC bus given the first has failed.
(See related F&Os for DA-7).
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Assess CCF of DC power sources or buses and include in model if appropriate.
PLANT RESPONSE OR RESOLUTION Addressed in DA-7. The CCF of DC power sources has been included in the model.
OU-5 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element QU Subelement 11 IVO / MCD Main Condenser availability is set at 0.9685, apparently regardless of initiating event turbine trip or loss of condenser vacuum or success or failure of RPS and RPT. (Neither IVO or MCD are sequence dependent).
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Ensure that the main condenser availability for accident sequences with initial condenser unavailability are appropriately accounted for.
PLANT RESPONSE OR RESOLUTION The main condenser availability for accident sequences with initial condenser unavailability are accounted for.
QU-6 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element QU Subelement 11 Page 3.1.2-15 of IPE states SL and OAD need to fail to reach core damage. This would indicate that the accident sequence quantification for cases with ADS inhibit failure (OAD) under failure to scram conditions does not adequately address the SLC success sequences.
This combination should lead to a serious challenge to core integrity unless there are calculations and training guidance to avoid this condition.
This means ADS inhibit failure consequences are substantially underestimated. However, the example quantification of CIV*RPS=F*OAD=F indicates that SLC is not even asked in such sequences. Therefore, the text appears to be in error.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Revise model or technical basis to address the OAD failure under fail to scram conditions.
- OAD failure lead to core damage
- OAD is dependent on status of HPCI and Feedwater initially PLANT RESPONSE OR RESOLUTION The IPE text in the IPE was in error. OAD failure is sufficient to lead to core damage.
QU-7 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element QU Subelement 11 The loss of containment heat removal sequences developed from the latest RISKMAN model (see attached - 5 pages) have the following characteristics that may impact the quantification:
- The top sequences include isolation initiators with RCIC and HPCI failed with probabilities 0.066 and 0.1 1, respectively.
- However, for the no RHR cases, RCIC and HPCI cannot provide adequate cooling. Therefore, there should be the same sequences with HPCI and RCIC success but with probabilities of 138 times higher. This would appear to result in sequences that could contribute noticeably to CDF.
- It does not appear that there is an operator error specified for vent failure
- It does not appear that any support system failures result in guaranteed failure of vent. It would seem that loss of PCA and loss of DC would lead to vent failure It appears that the main condenser recovery is applied to the cited cases. This recovery is considered suspect under certain sequences such as loss of condenser vacuum; the sequences with main condenser recovery considered could not be identified.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Ensure that the following are accounted for:
- HPCI/RCIC success sequences with loss of containment heat removal
- Operator failure to vent
- Support system failures for containment vent PLANT RESPONSE OR RESOLUTION See next page.
PLANT RESPONSE OR RESOLUTION, cont'd QU-8 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS The model credits the use of the RHR crosstie to provide additional sources of RHR containment heat removal can be accomplished via the unit RHR. The RHR crosstie of the vent (HPCI/RCIC alignment to CST required). Operator failure to initiate the HWWV.
The top event for the HWWV includes the operator action. That top event does include boundary conditions for loss of support.
QU-8 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element QU Subelement 11 Treatment of RPV injection under loss of containment heat removal sequences is not clear.
Sequences with HPCI and RCIC available are apparently assumed to lead to late containment failure (KPDS NLF). (This is not confirmed by the'latest model -- see related QU-11 F&O).
This is incorrect; HPCI and RCIC cannot operate until containment failure.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION HPCI/RCIC failures with loss of containment heat removal are small contributors. Success of these would be more important and need to be addressed.
PLANT RESPONSE OR RESOLUTION The loss of suppression pool cooling eliminates credit for long term operation of HPCI/RCIC.
If the hardened wetwell vent is implemented, HPCI/RCIC is not credited unless alternate suction via the CST is established.
QU-9 QU-9 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element QU Subelement 15 The use of conservatisms in the IPE search for vulnerabilities is appropriate. However, in evolving the PSA to be used for risk-informed applications, overly conservative assumptions should be eliminated to avoid biasing the results. An example of a potentially conservative assumption relates to the treatment of containment vent under LOCA conditions. Apparently, there is an assumption that this function is not adequate for containment heat removal. The assumption continues by taking no credit for the alternate injection capability of the plant and specified in the E01s. These two assumptions result in core damage and the possibility of release to the environment. However, it would be better to include vent plus the induced LPCI/CS failures according to the EQ1s rather than to let LPCICS drive containment to high pressure before then causing core damage by another assumption regarding MPCWLL or containment failure at a different time and with different consequences. This is important in accident management insight investigation.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Removal of those conservatisms that are easily removed do not unnecessarily complicate the model, and could result in potential benefits in assessing applications such as accident management procedure development.
PLANT RESPONSE OR RESOLUT7ON A systematic search for conservatisms was not performed. However, during the update process, assumptions were reviewed for reasonableness and conservatisms. A relevant example is the treatment of battery boards 1, 2, and 3. The addition of common cause to the DC system required further work to remove conservatisms. A key element was BFN engineering input regarding the bases.
With respect to the specific example above, the LOCAs are such a small contribution that it did not warrant further consideration.
QU-1 1 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element QU Subelement 18 The following BOP recoveries are quoted as used in the model [p. 4-7 of PLG 1112]:
Initiator Mean Recovery Value MSIV Closure 0.943 Loss of Condenser Vacuum 0.915 Turbine Trip without Bypass 0.858 Loss of Feedwater 0.700 Loss of Plant Air 0.874 Loss of Offsite Power 0.910 These recoveries appear optimistic and need to be supported by applicable data if they are to be used. No reference to their derivation is presented.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Provide reference and review all data to ensure that the BOP recovery is consistent with the assumptions of the PSA model.
PLANT RESPONSE OR RESOLUT7ON The information used to develop a basis for the recovery models came from two sources.
The first source was a review of pre-1985 operating experience at BFN. The plant response as reported in the operator's logs following selected initiators was reviewed to determine whether an attempt to restart the plant occurred within approximately four hours of the original initiator. The choice of four hours is consistent with the six hour mission time for the initial phase of HPCI/RCIC operation. If restart is not successful, the additional two hours of HPCI/RCIC operation would support cooldown activities. Such actions were interpreted as evidence that BOP equipment has been recovered. Data of this form were available for MSIV closure, Loss of Condenser Vacuum, Turbine Trip without Bypass, Loss of Feedwater, and Loss of Plant Air Initiators. Recovery was allowed given scram and HPCI or RCIC.
QU-1 4 S1329901-1423-062600 R1
PLANT RESPONSE OR RESOLUTION, Continued A second source of data was required to support the recovery of BOP following loss of offsite power. This information was adopted from the Peach Bottom Analysis of NUREG/CR-4550.
For loss of office power scenarios, recovery is considered if scram was successful, HPCI or RCIC was determined to be successful, and if power was restored in thirty minutes.
QU-1 4 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element QU Subelement 18 The impact of EECW swing pump treatment in the PSA has been identified as an important feature of the plant and the model. The CDF increase associated with the failure of the swing pumps is a factor of 1.4. The three important aspects of the modeling of EECW that require diligence to ensure realism in the assessment are the following:
- the common cause grouping used to classify the EECW pumps
- the common cause failure probability of the EECW swing pumps given a loss of off-site power event and requirement to supply the diesels for starting
- the operator action to align the 2 EECW swing pumps to the appropriate header given failure of 3 of 4 of the EECW pumps can be performed with high reliability within 5 min. for all possible electrical alignments
- assurance that the 3 of 4 EECW pump success criteria applies to the LOOP case LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Include consideration and documentation 'of each of these considerations in the EECW model.
PLANT RESPONSE OR RESOLUTION
. The common cause grouping used to classify the EECW pumps is documented in the CCF analysis.
Continued on next page.
QU-1 5 S1329901-1423-062600 RI
PLANT RESPONSE OR RESOLUTION, cont'd
- The common cause failure probabilities of the EECW swing pumps given a loss off-site power and the requirement to supply the diesels for starting is contained in the CCF analysis.
. The operator action for alignment of the swing pumps is discussed in the Human Reliability Analysis (HRA) Notebook.
. The success criteria for EECW is two pumps in all cases. This is documented in the EECW System Notebook.
QU-1 5 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element QU Subelement 18 Several items related to the treatment of ISLOCA could be reviewed to ensure that non-conservatisms have not crept into an otherwise excellent analysis. These items include the following:
- The SDC suction line does not appear to be examined. This is believed to have the potential to contribute to ISLOCA frequencies based on other PSAs.
- There is a significant probability of ISLOCA isolation that is included in the evaluation for many of the situations. This isolation is called a human action and it has values of:
- Large LOCA during T&M = 1.6E-3
- Large LOCA otherwise = 4.2E-3 These probabilities seem very low for operator actions to close an MOV that is not designed to close against the differential blowdown pressure. The MOV failure to isolate is no less than 4E-3 in addition to the HEP, and likely closer to 1.0.
The closure of these valves later in the sequence is tied to flooding of the ECCS pumps; however, the likely problem is that steam environment caused by the blowdown to the torus room would impact all corner rooms, i.e., they are not isolated from each other. This steam environment would also cause failure of the MOV used to isolate the break.
It is not clear whether the check valve has been included as a potential isolation mechanism that leads to successful isolation during the blowdown.
This appears to be conservatively neglected.
It appears these considerations have not been factored into the isolation assessment.
The HRA description is that the pipe does not fail within the 2 minutes required to diagnose that an unusual condition exists (i.e., no pipe break).
This appears inconsistent with the way the HEP is used in the ISLOCA sequence analysis. (See related F&Os for HR-i 1,-1 7)
QU-1 6 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Reassess ISLOCA sequences based on the above.
PLANT RESPONSE OR RESOLUTION
. The SDC suction line was indeed examined. This, however, was not apparent from the wording in the IPE. The wording now clearly states the SDC line was examined.
- The ISLOCA analysis was reviewed. The conclusion reached was that the certification observations were correct. In the analysis of the core spray injection lines, credit was taken for closing a valve that is not designed to close against the differential pressure. The ISLOCA analysis in this area was compared against the Duane Arnold analysis. The piping diagrams and the analysis were reviewed. The salient portions of piping are identified. The non-conservatisms discovered in the BFN analysis are not in the DAEC analysis. The DAEC analysis does credit equipment and actions not credited in the BFN analysis. These include high and low pressure injection. The net result is frequencies lower than the BFN frequencies. Given the low frequency of the existing BFN analysis, it was not updated in this analysis. It is retained as a bounding analysis.
QU-1 6 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element QU Subelement 21& 23 The unaccounted frequency due to truncation is unusually high. This leads to correspondingly large uncertainty in CDF and its components. One sensitivity run with lower truncation value of 1.OE-12 increased CDF by 39% (see attached - 3 pages) and decreased the ratio of unaccounted frequency to CDF to 12 (this ratio is typically near 0.1). Moreover, the resulting change in the importance measures of a number of top events do not appear to be insignificant. This quantification behavior has potential of producing skewed results for some applications and contributes a quantification uncertainty to CDF that is not negligible relative to traditional uncertainties.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION The impact of the large unaccounted frequency could be further explored by additional examination of the case already run and at least one more case (e.g., at 1.OE-1 1) to give data for a more accurate extrapolation, or resolve by studies already performed. In any case, the results of such examinations should be clearly documented as part of the PSA base model.
The potential also exists for a faster running model (culling of similar split fractions and removal of redundant logic rule statements) that may allow lower truncation value for the base model.
PLANT RESPONSE OR RESOLUTION A series of truncation sensitivity runs was made and documented in the Quantification Notebook. The truncation limits for the base model were chosen to satisfy a number of objectives: lower the unaccounted for frequency, a reasonable number of saved sequences, and a run time such that plant requests can be evaluated in a work day. Note that in PSA Revision 0, the unaccounted for frequency is lower and the model runs faster than the previous model. This was accomplished even with the integration of the Level 2/LERF event trees in the model. This was accomplished by simplifying and restructuring the event tree model. Given a fixed computer speed and hardware, further improvements are best accomplished by event tree restructuring and simplification. The most cost effective method for reducing the unaccounted for frequency is to lower the truncation frequency and run the model on a faster PC using the new RISKMAN for Windows software.
QU-1 8 S1329901-1423-062600 R1
2.10 CONTAINMENT PERFORMANCE ANALYSIS (L2)
This section presents the BWROG certification findings relevant to the Level 2 model.
There are no "A' level of significance findings, only B, C, and D. For the important findings, a detailed discussion follows dispositioning the finding.
L2 Fact / Observation Sheets follow:
S1329901-1423-062600 RI
FAC T/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element L2 Subelement 5 The use of CRD as a debris cooling source is not clear. The CRD flow rate is relatively low and is judged to be substantially below that needed for debris cooling.
The ability to ensure that CRD flow can enter the vessel via the CRD mechanisms is questionable as core melt progression proceeds. The CRD flow path for debris cooling injection should be identified in the nodal discussion of CRD success, along with the flow rate, and its technical basis.
Provide examples of differences in the accident progression based on CRD flow rate or remove CRD from the evaluation. MAAP or equivalent calculations to show the impact on release or timing.
LEVEL OF SIGNIFICANCE:
B POSSIBLE RESOLUTION Modify in-vessel recovery and debris cooling ex-vessel to eliminate or minimize credit for CRD unless there is a specific analysis to justify CRD flow through the FW line as adequate for either.
PLANT RESPONSE OR RESOLUTION The use of CRD as adequate for debris cooling either in-vessel or ex-vessel has been eliminated from the Level 2 model because of:
a) relatively low flow b) concern that the lines to the RPV may be blocked, clogged, or disrupted.
L2-2 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element L2 Subelement 5 The time for in-vessel recovery in some cases is 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> or more (see p. 4.8-7 of IPE).
However, there is limited basis for assuming this length of time is justified. Current T&H modeling capability cannot justify such times between core damage and the time when RPV breach cannot be prevented.
(See related F&O for 12-24).
LEVEL OF SIGNIFICANCE:
B POSSIBLE RESOLUTION Reevaluate the time allowed for in-vessel recovery.
PLANT RESPONSE OR RESOLUTION This is an area of substantial uncertainty. There is evidence from ORNL BWRSAR and MELCOR calculations that times of 2 to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> could be supported. However, the MAAP models would, in general, calculate relatively short times (- 1 to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />) during which restoration of flow could terminate core melt progression in-vessel. The BFN evaluation now treats this area of potential large uncertainty by selecting a time of approximately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> as the time between core damage and the time when RPV breach due to core debris cannot be prevented by operator actions. This is consistent with MAAP evaluations and is supported by experimental evidence. Times out to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> or more could be justified in the future, but are not considered at present.
1-2-3 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element L2 Subelement 7 RB to Torus Vacuum Breakers The elastomer used in the containment vacuum breaker check valve seal is not identified and the characteristics under high wetwell temperatures are not discussed. (The butterfly valves associated with this flow path are normally closed and they open on loss of air.)
During an SBO (and perhaps other severe accidents) the butterfly valves are likely to be open. If the seal could fail as a result of high wetwell temperatures, there could be a significant impact on the overall plant risk due to the large flow area associated with this failure path.
LEVEL OF SIGNIFICANCE:
B POSSIBLE RESOLUTION Determine the elastomer material in the vacuum breaker, its failure temperature, and other characteristics. Clarify the state of the butterfly valves during containment challenges.
Incorporate these features in the CETs and the containment isolation failure assessment.
PLANT RESPONSE OR RESOLUTION - see next page L2-5 S1329901-1423-062600 RI
PLANT RESPONSE OR RESOLUTION, cont'd The reactor building to torus Vacuum Breakers - i.e., the check valves and the butterfly AOVs have the following sealing material and failure temperatures:
Valve Material Seal Failure Temperature
. Check Valves None N/A
. Butterfly Valves Neoprene 4600 F The wetwell environment is generally well protected from high temperatures, i.e., the exceedingly high temperatures are present in the drywell during postulated core melt progression. A check of the severe accident code calculations from MAAP support the relatively low temperatures in the wetwell airspace (approximately 300F to 400F). The wetwell airspace isolation capability includes the vacuum breaker-line with a check valve and a butterfly valve. As discussed in the Section 2.4.6 of the updated Level 2 analysis, the check valve forms the primary isolation capability of the lines. The check valves do not have a temperature sensitive material at these wetwell temperatures. The Butterfly valves have a neoprene seal that NRC contractors have rated as having a failure temperature above 450F.
It is also noted that the Butterfly valves fail open for conditions such as SBO, LOOP, or loss of air scenarios. Therefore, for these sequences the Butterfly valve seal material is irrelevant.
For all other scenarios, the Butterfly valve's seal is considered adequate for the modest temperatures it will encounter as long as the suppression pool is not bypassed. For cases with the suppression pool bypassed, the wetwell airspace temperatures remain low enough to consider the seals intact.
19-5 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element L2 Subelement 7 DW Spray Top Event 7 (DS)
The determination of DW spray initiation is difficult because it depends on containment parameters, sequence of events, timing, and operator response. Are these all accounted for in L1/L2 interface?
LEVEL OF SIGNIFICANCE:
B POSSIBLE RESOLUTION Review.
PLANT RESPONSE OR RESOLUTION The drywell spray initiation has been reevaluated to assess the sequence dependencies of the ability to procedurally initiate the drywell sprays. The results are as follows:
The BFN PSA update makes use of the latest EQ1s which are based on the BWROG upgrades referred to as the EPG/SAG revised procedural guidance. In these latest E01s, the initiation of DW sprays for conditions that could approach a severe accident has taken on a high priority. DW sprays are now initiated for the following conditions:
a) High Radiation SAMG-2 b) At RPV Breach determination (SAMG-1, Leg 1A)
In addition, continued DW spray operation is now allowed down to 0 psig in the containment instead of the 2 psig it had previously been limited to.
These features lead to an increased probability of successful drywell spray before RPV breach.
1-2-7 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element L2 Subelement 7 Interface Issues
. Define core damage: Transition between Level 1 and 2 appears to be unclear and not necessarily based on a consistent definition of core damage.
. Define In-vessel recovery: Criteria and technical basis not provided.
. Define basis for ATWS success criteria: Containment condition at end of Level 1 is not defined.
. Define Containment capability: Torus capability is not evaluated for hydrodynamic loads (see related F&Os for ST-7 and L2-1 9).
LEVEL OF SIGNIFICANCE:
B POSSIBLE RESOLUTION Ensure that there is a consistent set of definitions and transition points from Level 1 to Level 2.
PLANT RESPONSE OR RESOLUTION Core Damage Core damage is defined as the failure of adequate core cooling. The failure of adequate core cooling is defined as the rapid increase in fuel clad temperature due to heating and Zircaloy-water reactions that lead to sudden deterioration of fuel clad integrity. For the purposes of the Level 1 PSA, a surrogate has been developed that can be used as a first approximation to define the onset of core damage. The onset of core damage is defined as the time at which more than two-thirds of the active fuel becomes uncovered, without sufficient injection available to recover the water level and consequential cooling quickly, i.e., water level below one-third core height and falling plus calculated peak core temperatures from MAAP greater than 1800 0F.
L2-8 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS PLANT RESPONSE OR RESOLUTION, (cont'd)
In-Vessel Recovery Because of the large uncertainty in modeling in-vessel core melt progression, the probabilistic assessment uses a judgement of the time available during core melt progression during which the progression can be halted before RPV breach. The estimate of 40 min. to 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> is used for the time after core damage until a time when RPV breach cannot be prevented. This is judged to be conservative.
ATWS Success Criteria ATWS Success Criteria are based on satisfying a number of important criteria:
. RPV water level can be maintained sufficiently high to prevent core damage. This is treated as approximately 1/3 core height.
. RPV pressure can be maintained below Service Level C to prevent an induced LOCA and the failure of SLC as an adequate reactivity control measure.
. Torus hydrodynamic loads are adequate during the discharge of steam to the torus. A surrogate measure for this criteria is the use of a calculated bulk torus water temperature below 260 0F. This is described in more detail in newly created Section 5.3.
Hydrodynamic Loads During scenarios with high power discharge rates to the pool (i.e., ATWS scenario with failure to control RPV level near TAF) containment failure due to dynamic loading is assumed as the suppression pool temperature exceeds 2600F.
The assumption that the combination of these parameters is interpreted as leading to containment failure is based upon the following issues (see Appendix A of the Initiating Event Notebook):
. Effective condensation in the suppression pool may not occur at elevated suppression pool temperatures resulting in rapid containment pressurization
- Chugging loads may be unacceptable at these elevated temperatures
. Dynamic loading may be further aggravated by high torus water levels and high torus temperatures
- Drywell sprays from external sources may induce oscillation or chugging in containment in addition to increasing torus water level
- Reactor water level indication may be inadequate and RPV flooding could be required which can induce substantially more severe loads on containment
. Stuck open SRV discharge line vacuum breakers coupled with stuck open WW to DW vacuum breakers could result in direct and rapid containment pressurization L2-8 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS PLANT RESPONSE OR RESOLUTION (cont'd)
Operator actions beyond his experience in the control room and at the simulator may create confusion and induce operator errors The operator action timing will be constrained by the requirement to keep to torus temperature below 2600 F when the Reactor is above decay heat levels, i.e., still producing substantial power and steam flow to the torus.
- Containment Capability: Towus capability under Hydrodynamic loads is to be included in model and in Section 5.3 as mentioned above.
1-2-8 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element L2 Subelement 8 There are features of the EQ1s regarding containment flooding that do not appear to be reflected in the Level 2 evaluation:
- 1) Flooding would occur with external sources as quickly as feasible using LPCI from CST instead of suppression pool.
- 2) Injection to outside the RPV does not appear to be addressed.
- 3) Containment flooding could compromise the vapor suppression function and RPV debris discharge could occur at high or low pressure into a partially flooded containment (see related F&Os for 12-11 and 12-15).
- 4) RPV venting does not appear to be addressed.
- 5) Drywell vent cases appear to be treated as a late release. Given the rapid RHRSW injection capability, the drywell vent pressure or level could be reached at less than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, making this an early release instead of a late release.
LEVEL OFSIGNIFICANCE B
POSSIBLE RESOLUTION The importance of including a LERF assessment as part of the PSA update has been identified previously; however, it is also important that potential contributors to the LERF are addressed.
PLANT RESPONSE OR RESOLUTION The EQ1s have been updated to the latest BWROG product, EPG/SAG. This product addresses a number of the important issues identified in the Certification F&O. These include:
. Limiting containment flooding to avoid compromising vapor suppression under certain degraded plant conditions.
. Limiting the use of RPV venting and delaying the timing of its use The BFN Level 2 update incorporates the latest EPG/SAG guidance as reflected in the BFN E01s and SAMGs. These revised procedures and guidance are then incorporated into the FC/FD node of the Level 2. Each of the items cited in the F&O are now addressed using the latest BFN EOI/SAMG guidance.
1-2-15 L2-15S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element L2 Subelement 11 A review of the Level 2 PSA indicated several areas where EOls could be reflected more precisely in the model or the documentation:
. Possibly missing a containment failure mode related to flooding and loss of vapor suppression (see related F&Os for 12-8 and 12-15)
. RPV vent not accounted for LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Include EOI directions regarding containment flooding and associated RPV venting in the Level 2.
PLANT RESPONSE OR RESOLUT7ON The latest EOI/SAMGs are used in the updated Level 2. These guidance documents address the issues raised and they are now included directly in the Level 2 assessment.
1-2-17 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element 12 Subelement 11 The Level 2 assumes that the containment vent status has been predetermined in the Level 1 analysis. No operator action to open the vent is included in Level 2. It is judged that the HRA of vent opening cannot be treated solely in Level 1; it must be treated recognizing the symptoms (e.g., radiation and temperature) that occur in the core melt progression. Specifically, if radiation is present, it is judged that the venting HEP is increased from that compared with the case of no radiation present.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Incorporate split fractions in the Level 2 to account for increased reluctance of vent operation under high radiation conditions and high radiation that may affect assumed local actions.
PLANT RESPONSE OR RESOLUTION Containment Venting as part of a Level 2 analysis can have both positive and negative aspects:
. Early containment venting encountered at RPV breach due to high drywell pressure would result in release of fission products to the environment at the worst time -- and could be a LERF contributor. This probability will be included in the Level 2.
. Containment vent to provide containment heat removal is considered a long term action and its success or failure should not influence LERF calculations.
Containment venting is the result of long term accidents. These events do not lead to a LERF and are not included in the Level 2.
1-2-19 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element L2 Subelement 11 Condensate/LOCA How can the condensate system be assured to have sufficient inventory to have water available for debris cooling? This impact should be reevaluated In terms of available inventory to provide effective debris cooling. This impact would need to be demonstrated via a MAAP or equivalent calculation in order to credit.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Remove credit for condensate debris cooling mechanism for LOCAs.
PLANT RESPONSE OR RESOLUTION Remove credit for condensate debris cooling mechanism for LOCAs.
In addition; debris cooling in-vessel or ex-vessel with the condensate system has not been credited in the updated Level 2 model.
L29-20 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element: L2 Subelement: 14 The temperature tolerance of the containment (lower) access door seal has not been evaluated. If the seal leaks, a release path to the environment would be established rapidly after vessel melt-through, because the temperature in the drywell may be relatively high and the silicon or rubber seals tolerate typically 5000F.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Analyze the temperature tolerance of the containment access door, and since it is possible to leak after the vessel breach, take this release path into account.
PLANT RESPONSE OR RESOLUTION There are several conditions that may apply to the access door leak path. These include the following:
RPV breach into a dry containment creates a situation that likely leads to drywell shell melt-through. Leakage through access door seals would represent a negligible perturbation to this sequence.
RPV breach into a containment with water available to the debris. For this case, maintaining containment boundary requires maintaining the access door seals.
The BFN MAAP analysis indicated temperatures of 150OF after spray initiation.
For cases with water injection into a failed vessel there were no BFN-specific evaluations. However, there is a case in the BWR Accident Scenario Templates that show temperatures also in the range of 150OF if water is dumped to the RPV and drains out into the drywell after vessel failure.
1-2-21 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element: L2 Subelement: 15 Only quasi-static pressure increase in the containment is analyzed. Ex-vessel steam explosions are not considered, though they are possible. Flooding of the drywell is not considered apparently because it takes too long time. However, operators may start flooding before vessel melt through, thus causing possible steam spiking or in the worst case, if the containment water level is high enough, steam explosion (see related F&Os for L2-8 and L2-11).
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Address above in the containment capability assessment.
PLANT RESPONSE OR RESOLUTION Core melt progression events that involve rapid containment pressurization due to either
. Steam explosion
. Rapid steam generation following RPV breach (particularly without vapor suppression)
These are addressed in the updated PSA as part of containment failure modes. (See Top Events CZ/CE and FC/FD as part of the containment event tree)
L2-23 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element L2 Subelement 19 There may be an inconsistency between the Level 1 model and the assumed containment failure modes.
The definition of containment failure during an ATWS and its size and location should be identified. The attached discussion of ATWS induced dynamic loads is included for your use in considering the Browns Ferry specific evaluation. Attachment L2-19 provides some consideration regarding containment failure modes that may require consideration under ATWS conditions.
(See related F&Os for ST-7 and 12-7).
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION The containment failure mode for failure to scram events is key to LERF assessment and should be assigned consistent with the TVA evaluation of ATWS. The containment failure probability may more appropriately be assigned a failure probability of 1.0 for the wetwell. This means drywell failure is - 0.0. The wetwell air space failure probability would be 0.5 and the ECCS ring header failure probability would be 0.5 due to dynamic loads.
PLANT RESPONSE OR RESOLUTION The recommended containment failure modes are now included in the PSA update model.
These failure modes are then input to the MAAP models and the CET evaluation to determine the release categories and frequencies.
L2-27 S1329901-1423-062600 RI
L2-19 CONTAINMENT DYNAMIC LOADING LIMITS USED INTHE PROBABILISTIC EVALUATION L2-1 9.1 Introduction Postulated accident sequences cover a broad spectrum of events. The purpose of this section is to present the technical basis used in establishing the failure of the containment under postulated degraded conditions for which the following may be present:
- High suppression pool temperature with substantial continuous blowdown occurring (i.e., equivalent to greater than 6%power), or
. High suppression pool water levels coupled with LOCA - equivalent loads and the consequential hydrodynamic loads.
L2-1 9.2 Overview This summary identifies the issues that provide the technical basis for the selection of 2600 F as the equivalent bulk suppression pool temperature during an ATWS, above which containment integrity cannot be assured. This criterion is subject to substantial variation depending upon the availability of plant-specific and sequence-specific deterministic calculations. However, this criterion has been used in industry PSAs performed to date and the Utility Group on ATWS evaluation presented to the NRC.
The containment failure criterion (i.e., suppression pool temperature = 260 0F) used in the ATWS evaluation is intended to set the allowable operator action time to take effective mitigation actions for terminating an ATWS event. Subsequent to that time, it is assumed that the operator actions for complete mitigation and safe shutdown are confounded by degraded plant and instrumentation conditions. Containment failure occurs as a result of: (1) exceeding the calculated ultimate strength; (2) hydrodynamic loads; or (3)by premature failure due to the phenomena discussed in this section.
Information available that has led to the selection of 2600F as a point beyond which the current state-of-the-technology may not support assumptions regarding containment adequacy include the following:
- KWU and Caorso tests with "rams-head" quencher devices have shown smooth condensation (i.e., excessive vibration loads were not induced on the suppression chamber) at temperatures up to 140OF at elevated reactor pressures. For much lower reactor pressures the smooth condensation has been demonstrated up to 1900F.
- It appears that at low reactor pressures, smooth, complete condensation of saturated steam can be assured up to local temperatures of 2600 F when "T"-quencher devices are being used.
. Presently, dynamic loadings of sufficient magnitude to warrant concern regarding containment integrity have not been observed. However, it is judged that at elevated temperatures this concem, based on experimental evidence, may be relevant.
1-2-27 S1329901-1423-062600 R1
- Because of the lack of data for suppression pool temperatures above 2600 F and the anomalies that may accompany SRV discharge during ATWS scenarios, a calculated thermal equilibrium bulk suppression pool temperature of 2600F is used as a criterion in the evaluation of allowable operator action times during high power, high pressure ATWS conditions.
- In addition, other issues or phenomena exist under these postulated scenarios that may compromise critical containment functions which in turn make the containment vulnerable to alternate failure mechanisms.
One of the criteria included in the PSA ATWS analysis is the aforementioned value of 2600 F suppression pool temperature as a value above which ATWS mitigation is not considered achievable. Although it may be a worthwhile effort to pursue relaxing this criterion to make ATWS sequence evaluations as realistic as possible, it appears that the effort required to accomplish this objective would be substantial.
12-19.3 Discussion As the suppression pool temperature rises during the progression of an ATWS event, there are a number of containment phenomena that begin to affect the determination of an appropriate response for reaching a safe stable state. Some of these phenomena affect system operability while others may impact containment integrity. The following discussion attempts to address the specific phenomena and related issues, and the information available relative to the phenomena affected by high suppression pool temperatures during an ATWS.
The discussion is divided into three subsections:
- Section L2-19.4: Issues related directly to the 2600 F temperature criterion for calculated bulk suppression pool temperature
- Section L2-19.5: Related containment issues that could impact the criteria selection if 2600F is found too conservative
- Section L2-19.6: Tertiary ATWS Related Issues 12-19.4 Issues Related Directly to Selection of 2601F Bulk Suppression Pool Temperature L2-19.4.1 Issue I: Condensation Phenomena Introduction Currently, limited information exists in the engineering literature relative to two complex issues related to containment performance and capability. These issues can be summarized as follows:
- Whether the containment can withstand dynamic loads caused by high pressure blowdown at high suppression pool temperatures; and,
. Whether conditions could exist which would cause incomplete condensation; and consequently, vapor bypass to occur through the pool.
L2-27 S1329901-1423-062600 R1
A.A. Sonin states that SRV discharge line physical processes "...involve highly complex, often intermittent flow and transport processes, and accurate analysis of the dynamic flow problem from first principles is impractical if not impossible, given the present state of the art."
The intent of this issue discussion is to provide a brief synopsis of the current state of knowledge regarding these issues, attempt to qualitatively identify the experimental and analytical uncertainties associated with the research in these areas, and describe the 2600 F suppression pool temperature criterion which is an integral part of the ATWS probabilistic analysis.
History Previous research on BWR containments has indicated that SRV quencher devices successfully dampen pool dynamic loads and provide adequate condensation of high energy steam discharged to a pool for temperatures up to the range of 200OF Sonin has presented a model and supporting experimental data to indicate that the two questions previously posed regarding dynamic loads and complete condensation can be answered over an extended range of variables using previous analyses.
The range of variables investigated by Sonin extends those analyses or experiments to represent higher suppression pool temperatures. The range of variables used by Sonin to extend the applicability of past evaluations is characterized as follows:
- Small scale experiment
- Well mixed pool (i.e., no stratification)
- 50 psig steam discharge pressure
- Sonic discharge steam flow
- Saturated steam
- Pool temperatures of 2125F to 250SF
- No accounting for air clearing loads
. No non-condensible gas entrained in discharged steam
- Thermodynamic equilibrium exists between the airspace and the pool.
The small scale experiments of Sonin verified the analytic models using these input parameters.
The experiments indicated that:
'The dynamic pressures are strongly affected by the geometry of the exhaust nozzle. With a simulated typical quencher device operated at 200-600 kg/m2s based on exit area, maximum loads occurred at 25-30 K pool subcooling and were a factor of eight lower than those of a single-jet discharge with comparable exit area and mass flux."
1-2-27 S1329901-1423-062600 R1
- "Condensation is complete down to local subcoolings of the order of the present measuring accuracy of plus or minus I K. The process of pressurization of a closed pool by a submerged discharge occurs smoothly without dynamic instabilities or significant loads on the pool boundaries."
The uncertainty associated with the results of these small-scale experiments are only exacerbated when considering the effects on containment caused by SRV discharge of a steam-hydrogen mixture. Sonin states that upon core collapse during an ATWS scenario, the initial flow rate through the SRVs may be about 1.3 x 10 5 Ibm/min. steam mixed with 0.025 x 10 5 Ibm/mmin.
hydrogen which is discharged into an essentially equilibrated suppression pool system. Moreover, Sonin continues to conjecture that:
... the amount of non-condensible hydrogen which is mixed in with the steam may be sufficient to drastically reduce the steam condensation rate on the pool water. As a result, the steam in the mixture may not condense as it is discharged, as the Battelle code apparently assumes, but may instead pass through the pool together with the non-condensible hydrogen and enter the wetwell airspace directly. The consequence of this would be that the wetwell airspace would be pressurized much more rapidly at this point than the Battelle code is predicting.
BWROG Evaluation of SupDression Pool Temperature Limits The Sonin efforts indicate that the SRV quencher devices are effective in suppressing dynamic loads and assuring thorough steam condensation over the range of variables considered. Some of the open items that remain and which contribute to the imposed suppression pool temperature criterion of 2600 F for ATWS include the following:
- Lack of data representative of high pressure RPV blowdown into a pool at temperatures greater than 200OF (i.e., RPV saturated conditions with water temperature greater than 5000 F).
- Lack of data on the air clearing containment load effects at elevated pool temperatures.
- The lack of inclusion of non-condensibles (e.g., hydrogen which may result from clad damage during ATWS low water level operation) in these experiments that could result in the entrainment of steam in non-condensible bubbles, thereby, bypassing the suppression pool.
- Water slug flow causing SRV cycling as a result of power excursions. Such slug flow could then cause flashing of the superheated water within the discharge device.
- Pool stratification; whereby, participation of only a portion of the pool which is in thermal equilibrium during the blowdown is considered. (Refer to Issue II below.)
L2-27 12-27S1329901-1423-062600 R1
L2-19.4.2 Issue I1: Temperature Profile at the Quencher It is logical to question how there could be sufficient circulation around the approximately 350 ft.
circumference of the pool to justify the assumption of a well-mixed pool. Without such circulation, only water in the vicinity of a discharging T-quencher could act as a heat sink; incomplete condensation of SRV discharge would begin much sooner, and primary containment pressure would build up faster.
With T-quencher discharge at high flow into an uncirculated and nearly saturated suppression pool, it is possible that the local subcooling would be less than 200F and might be lost entirely, allowing direct bubble-through of steam into the wetwell atmosphere. Without any condensation of SRV discharge at operating pressure, it would take about 20 minutes to pressurize the primary containment from 74 psig to the primary containment failure pressure.
The suppression pool temperature local to the quencher device during SRV discharge has been shown in tests to be higher than the pool bulk temperature; the Sonin test results must be understood in the context of this information (i.e., the tests were performed under thermal equilibrium pool conditions and therefore are not representative of that anticipated in the real situation).
If a single SRV is being used to discharge the steam to the suppression pool, then the continuous discharge of steam into local areas can result in higher localized temperatures. This may result not only in vertical stratification, but also circumferential stratification around the wetwell. Such localized effects have been inferred to occur during SRV discharge through rams-head devices at elevated suppression pool temperatures with RHR pumps operating. Additionally, there were observed differences of 380F between bulk temperature and local temperatures surrounding T-quencher devices during the 1977 Monticello plant tests. Therefore, there may not be full participation of the pool in the thermodynamic heat transfer process during blowdown. Specifically, the local pool temperatures may govern the time to reach 300OF at the quencher because only a fraction of the suppression pool is participating in heat transfer from the blowdown (e.g., the time to achieve local pool temperature of 300OF may be equivalent to the time to reach 2600 F if we assume that the entire pool is in thermal equilibrium). Inthis case, 260 0F is not so much a limit as it is a surrogate pool temperature to be used in computer code calculations if the suppression pool model assumes thermal equilibrium to crudely estimate the time to reach actual temperatures of 300OF at the quencher device.
L2-27 S1329901-1423-062600 R1
L2-19.4.3 Issue III: Calculational Models The calculational models used in previous evaluations of the suppression pool temperature phenomena assume that smooth condensation of the discharged steam and complete thermal mixing occurs for the duration of the blowdown. Therefore, essentially the entire suppression pool volume is approximately at thermal equilibrium. The thermal equilibrium assumptions in the thermal hydraulic codes may underestimate the containment pressurization rate during an ATWS scenario for which pool stratification or steam bypass exists if the following conditions exist:
- High local temperatures,
- Less than thorough steam condensation,
- Entrainment of steam in non-condensible bubbles,
- Stratification of the pool either radially or vertically,
- Entrainment of water in high-flow and high-energy steam discharge.
L2-19.5 Related Issues Associated With Dearaded Containment Conditions That May Affect ATWS Sequence Evaluations Given that the issues discussed in the preceding section can be resolved, a new criterion must be selected for determining an acceptable time frame during which the operator has to take corrective action to prevent containment overpressure. The following issues should be addressed in selecting this new criterion.
L2-19.5.1 Issue IV: Drywell Sprays and Vacuum Breaker Performance Extended severe accident conditions for cases with control rods not inserted and power being produced and directed to the suppression pool may cause the following events to occur:
- RPV pressure cycling;
- SRVs and their tailpipe vacuum breakers opening and closing; and
. Drywell sprays may be operating from external sources or through the RHR heat exchangers, injecting cool water to the drywell.
Therefore, the drywell pressure may correspond to pool saturation temperature and then drop significantly below saturation pressure depending upon spray effectiveness.
These intermittent changes in SRV position and drywell to wetwell pressure differential may result in cycling the vacuum breakers on the: (1)SRV tail pipe; and (2)the wetwell to drywell interface.
The result of this cycling may facilitate direct pool bypass from SRVs via stuck open tailpipe vacuum breakers and stuck open wetwell to drywell vacuum breakers. (The situation with a stuck open SRV tailpipe vacuum breaker during ATWS conditions is analogous to a LOCA condition).
L2-19.5.2 Issue V: Containment Structural Integrity 1-2-27 S1329901-1423-062600 RI
There is some uncertainty regarding the ultimate internal pressure capability of containments. The uncertainty about the calculated ultimate failure strength of containment during energetic scenarios is related to accurately accounting for the following phenomena:
- Temperature effects on structural integrity
- Penetration interactions
- Structural discontinuities
- Hydrodynamic loads
- Sequence pressure and temperature traces Therefore, there is a likelihood that a containment failure could occur during ATWS conditions before reaching the estimated ultimate failure pressure which is usually calculated by a slow steady state increases in pressure.
L2-19.5.3 Issue VI: Cyclic Pressure The containment may be subjected to significant cyclic loads if drywell sprays (with the water being supplied from either external water sources or through the RHR heat exchangers) are used during operation at elevated pressures in containment during an ATWS condition.
L2-19.6 Tertiary ATWS Related Issues The following additional issues may have an impact on the relaxation of 2600 F as a criterion, or the selection of a comparable criterion as a measure of the time available for operator action. These issues are judged to be of lower probability.
L2-19.6.1 Issue VII: Primary System Status If during the postulated ATWS, failure of an SRV tail pipe or its vacuum breaker occurs due to loadings associated with high pool temperature, the steam flow would occur directly to the drywell.
Under such conditions, the condensation capability of the suppression pool, and the dynamic loading imposed on the containment by discharge to the suppression pool through the downcomers, could be significantly different and potentially more challenging than that associated with the SRV T-quencher devices. The issues related to suppression pool performance at elevated temperatures also need to include the possibility of non-condensable gases which may be entrained in the steam. (See also Issue IV.)
L2-19.6.2 Issue Vil: Elevated Pool Water Levels It may be possible during the postulated ATWS scenario for the suppression pool level to rise substantially if external water sources are employed for RPV inventory control as directed by the Rev. 4 BWROG EPGs. If the suppression pool level should encroach on the SRV tailpipe limit and the operator is unable to control water level or RPV pressure below these limits, then an SRV tailpipe failure in the wetwell airspace could induce a rapid containment pressurization event resulting in similar consequences as the conditions described in L2-19.6.1. In addition, 1-2-27 S1329901-1423-062600 RI
hydrodynamic loads at high pool levels can result in substantial loading of the torus. No available containment structural analysis has been performed regarding the torus capability under such hydrodynamic loads (i.e., high SRV discharge rates at elevated pool levels).
12-19.7 Summary The 2600F suppression pool temperature is considered to be a technically defensible limit in model calculations to estimate the containment structural adequacy under ATWS conditions.
1-2-27 S1329901-1423-062600 Ri
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element L2 Subelement 20 Early Scrub and Early HI DW FAIL: this release is characterized in the IPE text as large and early. However, neither large, or early are defined.
This release category (EARLY SCRUB) is 53% of total KRC (Key Release Category) frequency. This release category is said to have a number of conservatisms incorporated into the binning process. Therefore, there may be significant conservatisms affecting applications that are influencing these results.
. neglecting reactor building DF
. combining results from high and low RPV pressure cases LEVEL OF SIGNIFICANCE:
B POSSIBLE RESOLUTION To ensure applications are treated in a realistic manner, the conservatisms in the Level 2 binning should be removed.
PLANT RESPONSE OR RESOLUTION In general, scrubbed releases will not represent a High Radionuclide Release unless there are subsequent containment failures that cause bypass of the torus as a scrubbing path.
These conditions are reevaluated in the PSA update to ensure that the scrubbing failure modes are not HIGH releases unless they are aggravated by additional, more severe failure modes.
The IPE release categories are redefined to result in clear definition of LERF.
L2-41 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element L2 Subelement 21 There appears to be substantial conservatisms built into the Release Groups defined in the Level 2. These Release Groups lump a substantial number of lower source term end states with the higher source term cases. While this is "conservative" and adequate for the IPE, it is not appropriate for a realistic best estimate assessment for use in applications. Some of the conservatisms that are lumped into the assessment include:
. ATWS sequences always fail the drywell
- Small size leakage failures are binned to large size releases (P.4.9-5 of IPE)
. Wet cases are binned to large release category (P.4.9-5 of IPE)
. No credit is taken for reactor building DF (Bill Mims)
Potential non-conservatisms:
- ATWS cases have an in-vessel recovery allowed.
Other Issues
. Large is not defined or justified; so it could easily be that more appropriate definition of what falls into Large would lead to a reasonable partitioning. This would make it consistent with the PSA Applications Guide.
. The timing associated with SBO events that do not cause release for many hours appear to be treated as early releases.
LEVEL OF SIGNIFICANCE:
B POSSIBLE RESOLUTION Make Level 2 as realistic as possible within the state of the technology, particularly in the above areas.
PLANT RESPONSE OR RESOLUTION The Level 2 has been converted to a LERF-only assessment consistent with the NRC Regulatory Guide Requirements, NUREG/CR-6595, and the PSA Applications Guide.
1-2-42 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element L2 Subelement 22 LERF does not appear to be defined. There is no reference to the BFN Emergency Action Levels (EALs). The assessment of the EALs and their implication regarding timing could not be found by the Certification Team.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION Include consistent LERF definition and document the basis for timing definition based on the EALs. Develop an EAL basis for assigning timing of releases. This should include consideration of TW and delayed SBO sequences and their timing relative to the EALs.
PLANT RESPONSE OR RESOLUTION Completed.
1-2-43 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element L2 Subelement 23 Timing The NLF KPDS (Key Plant Damage State) specifies that the timing is Late (L); however, there is no discussion of its interface with EALs and the timing is inconsistent with the definition of "EARLY" presented on P. 4.5-2 of the IPE.
Provide a consistent basis for the Level 2 end state definitions that will allow calculation of LERF consistent with the PSA Applications Guide.
(See related F&O for L2-22).
LEVEL OF SIGNIFICANCE:
B POSSIBLE RESOLUTION Confirm protective actions specified in EALs are reflected in LERF timing.
PLANT RESPONSE OR RESOLUTION Completed.
L2-44 S1329901-1423-062600 R1
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element L2 Subelement 24 Credit for in-vessel recovery should be reevaluated based on consistent definition of Level 1 end state and entry to Level 2.
(See related F&O for L2-5).
LEVEL OF SIGNIFICANCE:
B POSSIBLE RESOLUTION In-vessel recovery following core damage of 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> appears to be optimistic.
PLANT RESPONSE OR RESOLUTION In-vessel recovery is restricted to 40 min. - 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> following core damage.
1-2-45 S1329901-1423-062600 R1
2.11 MAINTENANCE AND UPDATE PROCESS (MU)
MU Fact / Observation Sheets follow:
L2-45 S1329901-1423-062600 RI
FACT/OBSERVATION REGARDING PSA TECHNICAL ELEMENTS OBSERVATION Element MU Subelement 6 Model Control The control of the RISKMAN model is not discussed.
LEVEL OF SIGNIFICANCE B
POSSIBLE RESOLUTION The same controls on the plant model should be applied to the computer software.
PLANT RESPONSE OR RESOLUTION 1-2-45 S1329901-1423-062600 R1
SECTION 3 PER EVALUATION The purpose of this section is to disposition the items of PER BFPER970822 RO.
3.1 EVENT TREE PROBLEMS The following problems were identified with the event trees and supporting documentation:
3.1.1 Event Tree Module ELECT12 Event tree module ELECT12 - top events MT-1, MT2 and MT3 have been removed from the event tree structure and various rule changes have been made. Also, diesel generator top events GB, GC, and GD have been re-ordered to address DG Aux. board dependencies. Top event ODSB has been added to recover support for DG C following failure of DG A, B and D Response: The event tree descriptions in the Event Tree Notebook reflect the deletion of the MT top events. The trees show the re-ordering of the diesel generator top events. Top ODSB is shown and discussed.
3.1.2 Event Tree Module ELECT3 Event Tree Module ELECT3 - the rule set has been modified (see conditions for interim variable ADOK). Also, diesel generator top events GF and GG have been re-ordered.
Note:
The treatment of electric power recovery is inconsistent between the two models.
BFNlU2M allows recovery only for 4kV shutdown boards B and D following failure of 500kV power, failure of the operator to transfer to 161kV sources and 3-1 51329901-1423-062600 RI
successful recovery at EPR30. Under these conditions, the BFNU3M model allows recovery of all 4kV shutdown boards.
Response: The re-ordering of the GF and GG top events is shown in the event trees.
The logic rule sets are also shown.
The "Note" is not longer applicable since the transfer to 161kV is automatic.
3.1.3 Event Tree Module SIGL Event Tree Module SIGL - top events LT1, LT2, LT3 and LT4 have been consolidated into top event LV and top events LM1, LM2, LM3, and LM4 have been replaced with LM in the event tree structure and corresponding rule changes have been made.
Response: The Event Tree Notebook shows the structure for the LT and LM top events and it shows the associated logic rules.
3.1.4 Event Tree Module MESUPT Event Tree Module MESUPT - various interim variables (e.g. logic rule changes) have been added to address EECW and RHRSW pump support. Also, not necessary conditions have been added to the RHRSW swing pumps.
Response: The Event Tree Notebook shows the complete set of logic rules for the MESUPT tree.
3.1.5 Event Tree Module HPGTET Event Tree Module HPGTET - the event tree structure has been changed to modify top event RVD to a binary (as opposed to a 3 outcome) top event. Various rule changes have been incorporated. including SLC logic changes.
3-2 S1329901-1423-062600 R1
Response: The latest HPGTET structure and rules are shown in the Event Tree Notebook.
3.1.6 Event Tree Module CNTMT Event Tree Module CNTMT - the rules for top event NCO have been revised to make them simpler.
Response: The NCD rules are now contained in the GTRANCDBIN tree. They are shown in the Event Tree Notebook.
3.2 SYSTEM ANALYSES PROBLEMS The following problems were identified with the system analyses (fault trees and supporting documentation):
3.2.1 Electric Power (EP) System Analysis The electric power system analysis does not currently incorporate diesel generator logic changes.
- 1. Diesel generator unavailabilities; are not consistent between Unit 1/2 and Unit 3 diesels.
- 2. Required changes include re-ordering 4kV shutdown boards.
- 3. Current documentation does not incorporate battery board changes for DG, DH.
Also, failure of the charger or the battery fails the top event when AC power is available, but only battery success is required following failure of AC power.
- 4. Diesel Generator Aux. boards should fail diesel generators in the event tree logic.
- 5. 480V shutdown boards 3A and 3B include additional unavailability (used in the Unit 2 model) for the Unit 3 evaluation. This causes approximately a factor of 4 increase in core spray contribution for the remaining train for initiating event LLC. This impact is less significant, but is still present, for other Unit 3 initiating events.
- 6. Discussion of top events MT1, MT2, and MT3 should be revised, since these top events have been removed from the model.
3-3 S1329901-1423-062600 R1
Response: 1) The diesel generator split fractions for the Unit 1/2 and Unit 3 diesels are based on the same intermediate top events in the Unit 2 model and in the Unit 3 model.
- 2) The event tree structure contains the correct order for the 4kV shutdown boards.
- 3) The documentation is now consistent with the model. With respect to the success criteria, the charger is not available given loss of AC power.
- 4) The relationship between the Diesel Aux boards and the diesel generators involves a feedback loop in which both are required for success of the other. Given the very high probability of Diesel Generator Failure compared with a hardware failure of the board, and the complexity of the model, the dependency was neglected.
- 5) The models for Unit 2 and Unit 3 are now equivalent in this respect.
- 6) The discussion for MT1, MT2, and MT3 was eliminated to reflect their deletion.
3.2.2 Condensate System Analysis The condensate system analysis notebook does not agree with the system fault tree.
Response: The notebook text and the fault tree are now consistent.
3.2.3 CRD System Analysis The CRD system analysis does not credit starting a second pump for split fractions CRD1 and CRD2.
- 1. The risk significant function for maintenance rule is 1 pump available. Analysis shows that this is adequate makeup for non-SORV cases when flow is through FCV-85-50, rather than the HCU charging header. This relaxes the CRD success criteria for enhanced flow.
- 2. Use of basic event flags to address short and long term enhanced flow in the fault tree is confusing.
Response: The analysis now credits starting a second pump. The flow path for CRD enhanced flow is via the bypass valves per MAAP evaluations. The flags to address short and long term were not modified.
3-4 S1329901-1423-062600 R1
3.2.4 HPCI/RCIC System Analysis The HPCI/RCIC long term operation top event (HPL) does not have common cause added (Error in previous system quantification).
Response: The HPCI/RCIC analysis for long term operation properly accounts for common cause.
3.2.5 Plant Air System Analysis The plant air system analysis does not have common cause for CAD (factor of 10 increase)
- 1. Also, system analysis documentation does not agree with master frequency file values (MFF more optimistic).
- 2. System model AIRR4 does not have split fractions PCAA and PCAB, which were developed for the multi-unit model Response: Common cause was added to CAD. The MFF is generated from the system models. The Plant Air model split fractions are consistent with the Unit 2 and Unit 3 models.
3.2.6 Primary Containment Isolation Analysis Primary containment isolation (see table on page 3-4) screens out RWCU isolation valves FCV-69-1 and FCV-69-2 due to being in a closed high pressure system. These valves are normally open and portions of RWCU are not high pressure.
Response: The system was not closed in that it is connected directly to the RPV.
However, the Containment Isolation function now models only large isolation failures and this line does not qualify.
3.2.7 SRV System Analysis 3-5 S1329901-1423-062600 R1
SRV failure rate used in system analysis is inaccurate (2 stage target rock failure rate of 1E-3, versus mechanical relief failure rate used in PSA - -1 E-4).
- 1. System model SRVR5 does not agree with system notebook.
- 2. The discussion of top event RVD is still for a 3 outcome top event. RVD is now a binary top event.
Response: As discussed in the SRV Notebook, the 1E-4 failure rate was retained to account for electrical actuation. The SRV System model is now part of the Unit 2 and Unit 3 models. The discussion of RVD is now correct with respect to the binary top.
3.2.8 SGTS System Analysis SGTS analysis documentation only refers to Unit 2 reactor building dampers (not Unit 3)
(i.e. the "Pre-Unit 3 restart" configuration).
Response: The SGTS analysis documentation has been revised to reflect the operation of Unit 3.
3.2.9 Unit 3 Multi-unit Trio Logic Analysis Treatment of Unit 3 multi-unit trip logic for cross connection of RHR to Unit 3 is overly conservative. Also, loss of RCW should not be modeled as tripping both units, since the system is normally operated in a unitized fashion.
Response: There is no statement of how the cross-connection is conservative. The analysis was redone and on Unit 3, total control of the valves is credited.
The loss of RCW is modeled as tripping both units. This is consistent with the common cause failures of the pumps in the system.
3-6 S1329901-1423-062600 R1
3.2.10 RHR Logic Testing Analysis RHR logic testing is incorrectly modeled as failing pump operation. Also, the text and the fault tree are inconsistent on the time required to perform these tests (24 versus 48 hours5.555556e-4 days <br />0.0133 hours <br />7.936508e-5 weeks <br />1.8264e-5 months <br /> per loop). Only one of these test alignments fails pump operation. The remaining tests only fail automatic LPCI actuation. This contributes 90% of failure for pump C (D) following failure of pump A (B). Also. the equation for split faction RPB6 is wrong (should be RPX2AB/RPX1, not RPX2AC/RPX1). This would reduce RPB6 by a factor of 3 to 4.
Response: The fault tree and the text are now consistent. The modeling of testing was retained as a simplifying assumption. Modifying the test impacts would increase the complexity of the model, introducing additional top events and increasing the run time and possible unaccounted for frequency. It was judged to retain the testing modeling.
3.2.11 Revision 2 Notebook Review Rev 2 notebooks (SAI, EECW, RHRSW, CRDH) do not have alignment or cut set tables. These are necessary to document top events and split fractions that are evaluated with fault tree cut sets.
Response: The revised notebooks contain the alignment and cutset tables.
3.2.12 EHC PumD Analysis The EHC pumps are incorrectly modeled as though they were required to operate in order to trip the turbine. They should be included in the main turbine bypass valve operation top event.
Response: The EHC pumps are modeled because the top event includes a pressure challenge and bypass valve operation.
3-7 S1329901-1423-062600 R1
3.2.13 ATWS Success Criteria Analysis ATWS success criteria in the plant model do not include alignment for suppression pool cooling when dumping heat to the containment.
Response: The addition of suppression pool cooling would have a negligible effect on ATWS scenarios. It was not incorporated.
3.2.14 Plant Model Analysis The plant model incorrectly has the dominant scenario when CRD is not available in enhanced mode as all success, except that operator alignment of suppression pool cooling at OSP fails.
Response: Injection with CRD is not a stable state - the wetwell level will continue to rise and the operators will have to establish suppression pool cooling and low-pressure injection.
3.2.15 Unit 2 Model Analysis In the Unit 2 model, the control power supports for 4kV shutdown boards 3EA and 3ED are not implemented in the plant model.
- 1. Failure of battery board 1 does not fail 4kV shutdown board 3EA, but is incorporated as a common cause failure for the remaining Unit 3 boards.
- 2. Both models inconsistently model fuel oil for DG D as not necessary when shutdown bus 1 is available, but the associated diesel generator is impacted by success of shutdown bus 2 (i.e. both should refer to shutdown bus 2).
Response: The supports have been corrected, battery board 1 fails 4kV shutdown board 3EA, the fuel oil system is no longer represented by distinct top events but is included with the diesel generators.
3-8 S1329901-1423-062600 RI
3.3 BROWNS FERRY REPORTS It was discovered that Browns Ferry cannot currently generate the reports required to comply with SEP-9.5.8 (i.e. 'The following tables shall be included as a minimum' - see page 24 of SEP-9.5.8) for the zero maintenance model documentation:
3.3.1 System Imoortance System importance and worth cannot be generated through RISKMAN due to the extent of the BFN models and the limitations of the RISKMAN program, including associated site utilities to allow generation of top event and split fraction importance reports.
Response: Version 9.1 of RISKMAN allows generation of top event and split fraction importance reports.
3.3.2 Basis Event ImDortance Basic event importance and worth cannot be generated with the current model structure (i.e. due to the extent of the BFN models and the development of each system analysis within a separate RISKMAN model).
Response: The model now is capable of generating basic event importance measures.
3-9 S1329901-1423-062600 R1