ML060550285

From kanterella
Jump to navigation Jump to search
Response to Generic Letter 88-20, Individual Plant Examination for Severe Accident Vulnerabilities (IPE)
ML060550285
Person / Time
Site: Oyster Creek
Issue date: 08/14/1992
From: J. J. Barton
GPU Nuclear Corp
To:
Document Control Desk, Office of Nuclear Reactor Regulation
Reckley W, NRR, 415-1323
Shared Package
ML060550281 List:
References
C321-92-2201 NUDOCS 9208280377
Download: ML060550285 (121)
v  d  e


Text

7 77*6 t/

7

/

t r--P 6

(,f47

/

pX

~

a:GPU

.lucear Corporation

  • hI~uc'hIeam.

Post Office Box 388

  • U~U E~~ERoute 9 South

-Forked River, New Jersey 08731-0388 609 971-4000

.4~

Writer's Direct Dial Number:

August 14, 1992 C321-92-2201

_U. S. Nuclear Regulatory Commission Attention:

Document Control Dcsk Washington,.D.C. 20555 Gentlemen:

Subject:

Oyster Creek Nuclear Generating Station (OCNGS)

Operating License No. DPR-16 Docket No. 50-219 Response to Generic Letter 88-20, "Individual Plant Examinations for Severe Accident Vulnerabilities (IPE)"

In response to the subject generic letter, enclosed are the following reports:

-1.

Oyster Creek IPE Submittal Report

2. Oyster Creek Probablistic Risk Assessment (Level 1), 6 Volumes
3. Oyster Creek Probabilistic Risk Assessment (Level 2), Volume 1 of 1 UThe Level I and 2 Probabilistic Risk Assessments (PRAs) were conducted in accordance with the guidance contained in Generic Letter 88-20 and NUREG-1335.

The analyses were conducted on the plant as it was configured in 1989 with the following planned 14R modifications:

1. An interconnection to the combustion turbine generators on the adjacent Forked River Site to provide an alternate AC power source.
2. A hard-piped containment vent system.

The IPE report addresses specific issues identified by the NRC staff in the generic letter, including the containment performance issues and USI-A45, Decay Heat Removal Requirements.

$, 2000 4\\

8280004920814 Corporation is a Subsidiary of Genrral Public Utilities Corporation PDR2 ADOCK Od Q iO219

~ 4~R 1U 11 I I1 1

M

il_-j-

- '-

k.

.A "

" I 

'4' I

t A

C321 2201 Page 2 As indicated in the IPE Report, no vulnerabilities to severe accidents were identified. A number of potentially cost-effective improvements were identified for consideration to further enhance reactor safety.

These improvements are being evaluated and are currently being planned for implementation by completion of the 15R outage, with the exception of the portable DC generator and associated equipment. The feasibility of implementation of the portable DC generator will be considered and a decision on its implementation will be reached by the 15R refueling outage.

Final scheduling for implementation for all identified improvements, as appropriate, will be in accordance with the OCN6S Integrated Schedule.

If you have any questions on this information, please contact us.

Sincerely,

.J..

0t Ve P eident and Director te reek Nuclear Generating Station JJB/DJD/amk ENCLOSURES 1.

2.

3.

Oyster Creek Oyster Creek Oyster Creek IPE Submittal Probabilistic Probabilistic Report Assessment (Level 1), 6 Volumes Risk Assessment (Level 2), Volume I of 1 cc:

Administrator, Region I, (w/Enclosure I only)

NRC. Resident Inspector, (w/Enclosure, All)

Mr. Alex Dromerick, Jr. - Project Manager, (w/Enclosure I only)

J. Butler, NUMARC, (w/Enclosure I only)

See ML060550287

.,

Aio I.

I Slub OlItt81 RePorI Junze 1992 9208280381 920814 PDR ADOCK 05000219 P-PDR

-, I a

OYSTER CREEK IPE SUBMITTAL REPORT JUNE 1992

TABLE OF CONTENTS 1.0 Introduction....................

... 1-1 1.1 IPE Approach and Scope.

1-1 1.2 IPETeam.1-1 1.3 Plant Documentation Sources.1-1 1.4 Plant Familiarization.1-2 1.5 Independent Review...............................

1-3 2.0 Rnependets Summary.......................................................

2-,1-1.6 Other PRAs Reviewed.1-3 1.7 Report Organization.1-4 2.0 Results Summary..2-1 2.1 Level 1 Analysis Results.2-1 2.1.1 Initiating Event Importance to Core Damage Frequency.2-2 2.1.2 System (or Top Event) Importance to Core Damage Frequency.2-3 2.1.3 Operator Action Importance to Total Core Damage Frequency.2-4 2.1.4 Individual Sequence Importance to Core Damage Frequency.2-5 2.2 Internal Flooding Results.2-6 2.3 Level 2 Analysis Results.2-7 3.0 Application of the Generic Letter Screening Process......

3-1 3.1 Reportable Sequences.3-1 3.2 Vulnerability Screening.3-2 4.0 Containment Performance Improvement (CPI) Issues 4-1 4.1 Alternative Water Supply for Drr'well Spray/Vessel Injection.4-1 4.2 Enhanced Reactor Pressure Vessel (RPV) Depressurization System Reliability... 4-4 4.3 Emergency Procedures and Training.4-5 5.0 Unresolved Safety Issue A Shutdown Decay Heat Removal Requirements.5-1 6.0 Other Unresolved Safety Issues (USs) 6-1 6.1 Unresolved Safety Issue A System Interaction in Nuclear Power Plants 6-1 6.2 Unresolved Safety Issue A Safety Implications of Control Systems.6-3 7.0 Generic Safety Issues (GSIs) 7-1 7.1 GI-101 BWR Water Level Redundancy..............................

7-1 7.2 GI-1 05 Interfacing System LOCA at BWRs..............................

7-4 Q

IPE i

05/29/92 l

Lot-; l Is III TABLE OF CONTENTS (Continued) 8.0 Conclusions and Planned Actions..........................

8.1 Level 1 PRA........................................

8.1.1 Loss of Offsite Power..........................

8.1.2 DC Power...................................

8.1.3 Containment Spray/Emergency Service Water........

8.1.4 Reactor Feedwater Control (RPV high level excursion)..

8.1.5 Operator Action Error Rates......................

8.2 Level 2 PRA........................................

8.3 Schedule for Implementation...........................

8-1 8-1 8-2 8-2 8-3 8-3 8-4 8-4 8-5 9.0 References...................................

9-1 Appendix A, Contributors to System Failure..................................

A-1 Appendix B, Contributors to Operator Error Rates.................

B-1 IPE 05/29/92 U.

UST CF TABLES Table 1.1-1 Comparison of NUREG-1335 and OCPRA Report Formats.....

......... 1-5 Table 2.1-1 Table 2.1-2 Table 2.1-3 Table 2.1-4 Table 2.1-5 Table 2.2-1 Table 2.3-1 Initiating Event Importance (Top 10 Contributors).......

.............. 2-2 Top Event Importance (Ranked by Independent Failure).....

.......... 2-3 Operator Action Importance to Total CDF.........

................. 2-4 Individual Operator Action Importance............

................. 2-5 Top Ten OCPRA Core Damage Sequences.........

................ 2-6 Summary of Internal Flooding Results............

................. 2-7 General Release Category Groups.

2-7 UST OF: FIGURES Figure 2.1-1 Calculated Total Core Damage Frequency.........................

2-1

[PE iii 05/29/92

1.0 Introduction The GPU Nuclear response to Generic Letter ES-20, Individual Plant Examination', Supplement 1 is comprised of three reports:

1.

The IPE Submittal Report

2.

The Oyster, Creek Probabilistic Risk Assessment (Level 1)

3.

The Oyster Creek Probabilistic Risk Assessment (Level 2)

The IPE Submittal Report (this report) serves as an overview summary of the methods and results of the level 1 and 2 PRAs, provides a cross reference ("roadmap"), for locating appropriate sections of the level 1 PRA with respect to the requested IPE submittal format, and provides the documentation of the GPU Nuclear response to specific Issues such as the loss of decay heat removal issue and resolution of selected USIs and GSMs.

It also contains conclusions, recommendations and planned actions emanating from the IPE and planned schedules for their implementation.

1.1 IPE Approach and Scope GPU Nuclear Corporation chose to respond to Generic Letter 88-20,'Supplemient I by performing level 1 and 2 PRAs for the Oyster Creek Nuclear Generating Station. The PRAs utilize state of the art techniques of the Large event tree - small fault tree methodology.. Recent advances In personal compiter speed and calculational ability hias allowed for the logic of the plant model to be entered as logic statements and eliminates the need for pictorial event trees. These logic statements (referred to as Orules files' or 'modules') can be directly linked eliminating the need for support states.

Details on the methods used In the OCPRA in the development and quantification of the plant model are presented In Section 7.1 of the level I PRA report.

The level I and 2 PRAs are considered full scope PRAs for Internal events. A separate analysis using screening techniques was conducted for internal floods and is documented in Section 10 of the' level 1 PRA report.

1.2 IPE Team The study was conducted in a manner that maximized the use of in-house personnel., GPUN in-house 'PRA analysts, engineers and operators w o are familiar with the details `of the design, controls, procedures, and system configurations wereheaily Involvediin the afnalysis as well as the technical review. PLG Inc., as principal coniractor, developed initial approaches on much of the analysis as well as provided guidance and assistance in using the PC software package, RISKMAN.-

The makeup of the team differed depending upon the-specific task or portion of the study Involved. A complete listing of, participants is provided for each major work element In the Acknowledgement section in the level 1 and 2 I'RA reports.

1.3 Plant Documentation Sources The development of the level 1 and 2 PRAs required the collection and review of many sources WPE 1 1 05/291.92

of plant information and documentation. These sources Included:

Final Updated Safety Analysis Report (FSAR). The FSAR was used In the development of the plant model with emphasis on the plant response! to design basis accidents. Also, the FSAR was used to determine the original list of systems to be modeled.

Operation Plant Manual (OPM). The OPM provides details on system design, operation and controls and was used extensively in the development of the individual systems analyses and in the determination of system dependencies.

Emergency Operating Procedures (EOP). Emergency operating procedures were used In the development of the plant model and operator action analysis..

System Surveillance, Abnormal and Operating Procedures were used in the development of the individual system analyses'as well as for the collection of system demands in the data analysis task. Abnormal and operating procedures were used in the human action analysis task.

Piping and Instrument Diagrams (P&lDs) and Electrical Diagrams were used In the system analyses as well as In determination of system dependencies.

Transient Assessment Reports (TIRs) 'were used in the development of the plant model (actual data on plant response to transients) as well as the data analysis task (actual trip data).

Maintenance Work Orders (MWOs) and Switching and Tagging Requests were used In the data analysis task to provide plant specific component maintenance and failure data.

TechnicalData Reports (TDRs) and ThermalHydra3ulic Calculations were used in the development of success criteria and integrated plant response to off normal events.

Each section of the level 1 and 2 PRAs contain a list of the references used to develop the analysis.

1.4 Plant Familiarization Engineering knowledge of plant systems and integrated plant response to off-normal events are essential elements of a PRA. The OCPRA team performed waikdowns of Oyster Creek at various points in the project to'assure correct modeling of the plant and plant systems. Walkdowns early in the project assured familiarization of the OCPRA team with the general arrangement of the plant and plant systems. Walkdowns were also performed in support of the systems analysis, human action analysis, plant modeling and the Internal flooding analysis tasks.

General Walkdowns.

The firstpwaikdownsperformed by the -OCPRA team consisted of generalized walkdowns to familiarize the team with the arrangement of the site and plant systems.

Systems Analysis Walkdowns. The first step in the preparation of the qualitative system analyses is the development of the system workbooks (Appendix F). System workbooks are developed using all available documentation of the system including, FSAR, system descriptions (OPMs),

plant procedures (maintenance, testing, operation and abnormal), system drawings and plant IPE 1-12 05/29/92

walkdowns. Following the review of all pertinent Information, plant walkdowns were performed by the responsible GPU systems analyst., These walkdowns were often performed with the assistance of knowledgeable plant engineers, STAs, and operations personnel. Also, system engineers responsible for the review of the OCPRA systems regularly walkdown the systems for which they are responsible.

Human Action Walkdowns. The OCPRA team members responsible for the performance of the human action analysis task performed walkdowns to familiarize themselves with the operator actions modeled in the OCPRA as well as lo verify operator action questionnaires.

These walkdowns were performed with experienced operations personnel.

Plant Model Walkdowns. Knowledge of the integrated plant response to off-normal events is essential in assuring the validity of the plant model. Walkdowns were performed to verify impacts of initiating events, system interactions and system dependencies.

Internal Flooding Analysis Walkdowns. Initial wralkdowns were performed In the internal flooding analysis to verify component locations, collect source information, determine propagation paths and determine flooding Impacts. Subsequent walkdowns determined the potential for flood mitigation including verification of flooding impacts, drain system mitigation and operator Intervention.

Containment Walkdown.

A walkdown of the containment was conducted to verify pertinent containment features and configurations. A videotape of the reactor vessel pedestal area and drywell was made and used for reference during performance of the level 2 PRA analyslsO 1.5 Independent Review Level 1 PRA Two Independent reviews of the level 1 study were performed: one conducted by an independent In-house review group consisting of managers of key organizations, and one performed by an external consultant. The purpose of the independent In-house review was to ensure the accuracy of the documentation and to validate the PRA process and Its results. The external consultant review was conducted to ensure that proper PFA techniques were employed and that key Issues were addressed. The results of these reviews are provided in Appendix D of the level 1 report.

Level 2 PRA Two independent reviews of the level 2 study were also performed: one conducted by an Independent in-house review group consisting of managers and senior engineers from key organizations, and one performed by an external consultant. The results of these reviews are provided in Appendix D of the level 2 PRA report.

1.6 Other PRAs Reviewed A number of other PRAs were reviewed In conjunction with different parts of the study. The purpose of these reviews was to gain some knowledge of the approaches taken on certain issues in other studies and to compare results.

Generally, these reviews were not fully IPE 1-3 05/29/92

comprehensive or done in great depth, but were sufficiently detailed to grasp the essentials of the approaches and the conclusions or results. The principle contractor for the study, PLG Inc.,

had extensive experience In performing PRAs and in reviewing other PRAs, and this experience and added perspective was applied to this study. Other PRAs reviewed included:

NUREG-150, Peach Bottom and Grand Gulf Fermi Beznau TMI-1 Beaver Valley 2 Shoreham Millstone I Pilgrim In addition various NSAC reports, and specifically NSAC-1 52,,EPRI PRA Repository" were selectively reviewed;:as were many NUREG reports and ANS Transactions.

Specific references that apply directly to various portions of the analyses are listed In their respective sections in the level 1 and 2 reports.

1.7 Report Organization The level 1 PRA effort was begun prior to the Issuance of Generic Letter 88-20, Supplement 1 therefore, the report organization differs from that described In NUREG-1 335. A *Roadmapi which compares the NUREG-1 335 format and the applicable sections of this report and the level 1 PRA report is provided in Table 1.1-1.

The level 2 PRA report Is organized using the NUREG-1 335 suggested format.

IPE 1-4 05/29192

Table 1.1-1 Comparison of NUREG-1335 and OCPRA Report Formats NUREG-1335 I

IPE Report Ohio report)

-1 OCPRA (Level 1)

I

1. Executive Summary 1.1 Background !and Objectives 12 Plant Familiarization 1.3 Overall Methodology 1.4 Summary of Major Findings
2. Examination Process Section 2.0 Risk Model Development Process Section 2.0 Results Summary I.

zi -1..I I

..1 Section 3.0 Major Results AppendcixC Detailed Results I

2.1 Introduction 2.2 Conformance with Generic Letter and Supporting Materials Section 2.0 Risk Model Development Process Section 1.1 [PE Approach and Scope Section 1.2 JPE Team Section 1.3 Plant Documentation Sources Section 1.4 Plant Famillarbzation Section 1.5 Independent Review Section,1.6 Other PRAs Reviewed Section 1.7 Report Organizaticn ALL 2.3 General Methodology Section 2.0 Risk Model Development Process Section 4.1 Overvlew of the Data Analysis Process Section 5.1 Ove'irview and Scope of System Analysis Section 6.1 Operator Action Analysis Approach Section 7.1 Introduction to the Plant Model Section 8.1 Introduction to Endstates Section 9.1 Introduction to Uncertainty-Propagation Soction 10.1 Introduction to the Internal Flooding, -

Analysis 2A Information Assembly

3. Front-End Analysis,

3.1 Accident Sequence Delineation 3.1.1 ' Initiating Events 3.1.2 Front-.ine Event Trees Section 1.3 Plant Documentation Sources Section 1.4 Piant FamIliarlzationl Section 1.6 Other' PAs,' Revi ew ed' Section 7.2 Definition of Initiating Events Section 7.5 General TransIent Module Section 7.6 Loss-of Feedwater Control Section 7.7 Long Term General Transient Module Section 7.8 Small LOCA Module Section 7.9 Large LOCA Module Section 7.10 Long Term LOCA Response IPE I -'

05/29/92

HUREG-1 335 IPE Report (this report)

OCPRA (Level 1)

NUREG-1335 IPE Report (this report)

I I

OCPRA (Level 1) l 3.2L3 Special Event Trees Section 7.11 F1Rcoveiy Module 3.1 A Support System Event Trees Section 7.4 Support System Module 3.1.5 Sequence Grouping and Backend Interface Section 8 Plant Model Endstates 32 System Analysis Section 5 System Analysis 32.1 System Descriptions Appendix F Individual System Analyses 322 System Analysis fault trees) 32.3 System Dependencies (dependence matrices) 3.3 Sequence Quantification Appendix F Individual System Analyses Appendix F Individual System Analyses Section 7.3 Dependence Matrices 3.3.1. List of Generic Data Section 4 Data Analysis 3.32 Plant Specific Data and Analysis Section 4 Data Analysis L

3.3.3 Human Failure Data (generic and plant specific)

Section 6 Human Action Analysis 3.3.4 Common Cause Failure Data Section 4A Common Cause Failure Parameters 3.3.5 Ouantification of Unavailability of Systems and Functions Appendix F Individual System Analyses 3.3.6 Generation of Support System States and their Probabilities Not applicable In methodology used In OCPRA quantification.

.- T=

3.3.7 Quantification of Sequence Frequencies Appendix C.5 Individual Sequence Imrportance to

' I CDF 3.3.8 Internal Flooding Analysis Section 10 Internal Flooding Analysis 1 1 -

I 3.4 Results and Screening Process Section 2.0 Results Summaly

,~.,

R Section 3.0 Major Results

~

1 ~ I -~,

3.4.1 Application of Generic Section 3.0 Application of the Generic Appendix C Detailed Results Letter Screening

'Ltter Screening Process Process Section 3.1 Reportable Sequences IPE 1-6 05/29192

NUREG1335 IPE Report (this rfeprI) 3.42 Vulnerability Section 32 Vulnerability Screoning Screening 3.4.3 Decay Heat Removal Section 5.0 Unresolved Safety issue Evaluation A Shutdown Decay Heat Removal Requirements 3.4.4 USI and GSI Section 6.0 Other Unresolved Safety Screening Issues (USls)

Section 7.0 Generic Safety iesues (GSis)

5. Utility Participation and Section 12 IPE Team Internal Review Team I1 I

OCPRA (Level 1)

I Section 1.1 Background and Objectives IAcknowledgement Page 5.1 IPE Program Organization 5.2 Composition of Independent Review Team 5.3 Areas of Review and Major Comments Acknowledgement Page Section 1.5 Independent FUeiew Appendix D Independent Review 5.4 Resolution of Comments

6. Plant Improvements and Unique Safety Features Conclusions and Planned Actions I __________________________________________________________________
7. Summary and Conclusions (including proposed resolution of USIs and GSWs Section 5.0 Unresolved Safety Issue A-45 Section 6.0 Other Unresolved Safety Issues Section 7.0 Generic Safety Isiues Section 8.0 Conclusions and Planned Actions Section 3.0 Major Results IPE 1-7 05129192

2.0 Results Summary The major results of this study are provided in Section 3 and Appendix C of the level 1 PRA report and Section 12 of the level 2 PRA report. Salient points are excerpted below.

2.1 Level 1 Analysis Results The calculated mean core damage frequency due to internal Initiators in this study is 3.69x1 0 per year. The uncertainty due to dispersion in the Input data, that is, uncertainty in the failure rate database, and human action error rates are reflected in Figure 2.1-1.

Figure 2.1-1 Calculated Total Core Damage Frequency 1.00 I p

R 0

B A

B I

L I

T y

0.50 0.00.

=X 1.OOE-07 1.OOE -

1.OOE-05 1.OOE-04 CORE DAMAGE FREQUENCY Adetailed discussion of the uncertainty In the calculated total CDF Is provided In Sectio 9 of level 1 PRA report, how~ver Figure 2.1 -1 depicfr; that the Uncertainty due to' inu daarslsI acalculated core damage fr-e-quecy (CDF) bew e

3 l

~

c n ence) and98210 e

ep (95% confidence). The p

ntestate mn t frequency Is calculated to be 3.69x1 o per year.

[PE 2-1 05/29/92

2.1.1 Initiating Event Importance to Core Darmage Frequency There are a total of 28 initiating event groups modeled In the level I PRA. These are described In detail in Section 7.2 of the level 1 report. These Initiating event groups can be categorized Into three general types:

General Transient (15). Events that lead lo a demand for a turbine or reactor trip but are not a loss of coolant accident.

Small Loss of Coolant Accidents (6). Loss of coolant accidents small enough to require ADS actuation to depressurize the reactor vessel to ensure adequate core cooling using low pressure Injection systems.

Large Loss of Coolant Accidents (7). Loss of coolant accidents large enough not to require ADS actuation to depressurize the reactor vessel to allow adequate core cooling' using low pressure Injection systems.'

A breakdown of the individual Initiating events by importance is given In Table 2.1-1 for the top 1b0 contributors.

Table 2.1 -1 Initiating Event Impiortance (Top IO Contributors)

Description Initiator Core Damage Percent

-Designator j

Frequency Contribution Loss of Offsite Power LOSP 1.21x104-32.8%

Turbine Trip TT 4.85x10r 7 13.1%

Reactor Trip RT 2.83x1 0'7 7.7%

MSIV Closure CMSIV 2.56x1 X

6.9%

Total Loss of Feedwater LOFW 2.09x1 0-7 5.7%.

Loss of Condenser Vacuum LOCv 1.48x1 4.0%

Loss of TBCCW LOTB 1.47x1 0 7 4.0%

Loss of Intake Structure LOIS 1.20x1 3;3%

Electric Pressure Regulator Failure EPRL 1.1 9x1 07 3.2%

(Sensing Low)

X Large, Below Core Inside Containment LBI 1.O8xl0, 2.9%

`TOTAL' lp 10 Contributors)

ABOVE 3.08x1 0 83.6'%

IPE 2-2 05/29/92

2.1.2 System (or Top Event) Importance to Core Damage Frequency System importance provides the relative contributions of the systems modeled In the level 1 PRA to total core damage frequency. System top events reflect the individual functions modeled in the level 1 PRA. Split fractions developed for each top event provide the probability of failure of a system to function as defined in the system success criteria (see Section 5 of the level 1..

report).

Twenty-five (25) systems are modeled In the level 1 PRA. Individual system availability results are provided in Appendix F of the level 1 report. These systems (in addition to other special analyses) resulted In the development, of 59 top events or system functions. Table 2.1-2 illustrates the top ten system contributors to the total CDF and percentages of independent failure.

Table 2.1-2 Top Event importance (Ranked by Independent Failure)

Description Percent l

.{

<,CDF**.l EMRV Closure 48%

4160 VAC essential Bus I [)

37%

4160 VAC essential Bus 1C 37%

125 VDC Bus C 33%

125 VDC Bus B 31%

Recovery from Loss of OffsIte Power 26%

Core Spray 21%

Reactor Scram 6%,

4160 VAC Bus 1A 5%

4160 VAC Bus I B 4:%0 The percent CDF listed Is that percentage resulting from the summation of the frequency of all sequences involving failure of the top event. It represents the percentage decrease in the CDF that would result If the top event failure rate could be made zero.: The sum of all percentages is greater than 1005-because more than one top event failure will typically occur in any given core damag'e' sequene.'

IPE 2-3 05/29/92

2.1.3 Operator Action Importance to Total Core Damage Frequency This section describes the Importance of operator actions to total core damage frequency. The operator actions modeled in the level 1 PRA, rangle from the normal post trip control of the plant, to Emergency Operating Procedure actions, to recovery from systemic or functional failures.

Detailed operator action failure rates are provided In Section 6 of the level 1 report.

Of the 66 separate operator actions modeled, many are functionally similar but have varying support systems out of service or 'changes In time available for performance of the action. For example, four (4) separate operator actions were modeled for the injection of boron following failure of the reactor trip function. Therefore, In actuality, there'are only'34 functionally different operator actions.

All of the modeled operator actions contribute approximately 21% of the total CDF. That Is: I these actions could be made perfect (zero error rate) the total CDF would be reduced by 21%.

The operator actions are grouped into nine (9) general categories. These are presented below with their respective contributions to the total core damage frequency:

Table 2.143 Operator Action Importance to Total CDF Group Description

- Percent Number

[

CDF 1

Operator Actions During Normal 2.1%

Plant Trip Response-2 Operator Actions to Maintain IC 1.5%

Makeup 3

Operator Actions to Establish RPV 4.3%

Injection 4

Operator Actions to Remove 4.3%

Containment'Heat 5

Operator Actions to Mitigate 2.3%

_Reactor Sc ram 'Failure (ATWS) 6 Operator Response to Support 2.6%

System Failures-7 Operator Response to1Recover 0.4%

.from Actuation Logic Failures 8

Operator Actions to Recover jfrpm,,-

0.5%

Errors or Failures 9

Operator Actions to Recover 2.7%

Containment Heat Removal IPE 24 05/29/92

Table 2.1-4 provides the top ten specifid'operator actions in order of decreasing importance to total CDF.

Table 2.1-4 Individual Operator Action Importance Group Description of 1

Total Number Failed Operator Actions CDF Contribution 4

Initiation of Containment 2.76%

Cooling 3

Core Spray (Manual Initiate or 2.70%

Injection with fire protection) 9 Recovery of DC power 2.50%/c 6

Recovery of Offsite Power 2.20%

2 Initiation of IC makeup 1.51%

4 Containment Venting 1.47%h 3

Manual Initiation of ADS 1.23%

5 Initiation of Boron Injection 1.22%

V Following ATWS 5

Level and Power Control 1.08%

Following ATWS '_-_'

1 Control of Post Tirip RPV Level 1.03%

9 2.1.4 Individual Sequence Importance to Core Damage Frequency The Individual sequence importance to the total core damage frequency provides, in ranked order, the sequences which contribute signific;antly to the total core damage frequency.

This Information provides insights Into plant specific behavior following Initiating events which result in core damage.

This perspective also reflects the initiating event' importance and system importance highlighted in previous sub-sections.

Table 2.1-5 provides the top ten sequences of the level 1 PRA with their frequency, percent of total CDF, and cumulative percent of total CDF.

IPE 2-5 05/29/92

Table 2.1-5 Top Ten OCPRA Core Damage Sequences Description Sequence Percent of Cumulative l Frequency Total Percent of

[CDF Total CDF Loss of all AC power (station 7.69x10-7 20.8%

21%

blackout) with failure of an EMRV to reclose.

Turbine trip with loss of all DC power.

2.59xl 0 7.0%

28%

Reactor trip with loss of all DC power.

2.1 O0x1 7 5.7%

34%

Inadvertent MSIV closure with loss of 1.23x10 3.3%

37%

all DC power.

Loss of offsite power with EMRV 1.1 6x1 07 3.2%

40%

failure to close and core spray failure.

Loss of TBCCW with EMRV failure to 1.04x10:7 2.8%

43%

close and core spray failure. '__._-_A Large below core loss of coblan t with 9.61 xl 09 2.6%

45%

failure of core spray. '

'_x RWCU Overpressurization with core 7.25x19 2.0%

47%

spray failure.

.=________

Loss of intake flow with EMRV failure 7.24x1& 0 2.0%

49%

to close and core spray failure.

Loss of condenser vacuum with loss

6.52x1 0 1.8%.

51%

of all DC power.

A0 2.2 Internal Flooding Results The level1 flooding analysi '(Section 10 of the Iivel 1 report) made the observation that no flood' could be identified which resulted In 'core damage due to the impacts of the flood alone. This then required each of the floods of interest to' be quantified through the a revised version of the level 1 plant model, as opposed to estimating specific core damage frequencies for each scenario manually, as had been done in flooding analyses for some other plants.

Therefore, flooding frequencies were generate`d for 24 potentially significant floods, as detailed in Sections 10.5 (reactor building), 10.6 (turbine building) and 10.8 (other areas) of the level I report. Of these, 17 can occur in the reactor building and 7 can occur in the turbine building.

Due to the approximate nature of the flooding data' and the approximations made in these calculations, the results described below are judged to represent a bounding calculation, rather than the less approximate (that is, more rigorous) results shown for the Internal event model, as described in Section 3 of the level 1 report. In other words, the point estimate mean value of 1PE 2-6 05/29/92

core damage frequency due to internal floods is expected to be no higher than that shown below. At this bounding value, core damage due to internal flooding represents approximately 5% of the level 1 core damage frequency.

Overall, the damage frequency results from internal flooding initiators can be summarized as shown In Table 2.2-1, below.

Table 2.2-1 Summary of Internal Flooding Results Plant Damage Frequency Core from Floods In the:

Total Damage Reactor l

Turbine Building Building Frequency 4.60x1 lr8 1.62x1 0f a2.08x1 07 Percent 22%

78%

100%

of Total 2.3 Level 2 Analysis Results Detailed analysis results are presented in Section 12 In the level 2 PRA report. In summary the Individual release categories are binned Into six major groups. See Table 2.3-1 below. Hi Table 2.3-1 General FRelease Category Groups General Release l Description Percentage of.,

Category Group CDF Analyzed*

IA Large, Early Containment Failures 15.8 IB Bypasses 7.3 11 Small, Early Containment Failures 0.06 Ill Late Containment Failures 26.3 IV Long-Term, Contained Releases 0.00 (containment intact following vessel breach)

V Vessel Breach Prevented 50.4

  • CDF Analyzed = 3.1 7x1 04 per reactor year As can be seen from this table, large early containment failures account for 15.8% of the CDF analyzed. Late containment failures account for 26.3% of analyzed CDF, and vessel breach is expected to be prevented in 50.4% of the CDF analyzed. Containment bypass (2.11 xi per reactor year) accounts for 7.3% of the analyzed CDF.

IPE 21-7 05/29/92

3.0 Application of the Generic Letter Screening Process The Oyster Creek PRA utilized a plant modeling approach that produces systemic core damage sequences. Therefore, the reporting guidelines in Section 2.1.6 of NUREG-1335 for systemic sequences were used.

3.1 Reportable Sequences The top ten systemic sequences which represent 51% of the total calculated core damage frequency are reported in summary fashion In Section 2.0 above and in Section 3.2.5a in the level 1 PRA report. A list of the top 100 scenarios.(.s-equences) which represent 82% of the calculated core damage frequency are provided in table C.5-1 In Appendix C of the level 1 report. Detailed narrative descriptions of 26 of the most Important scenarios are provided In Sections C.5.1 through C.5.26 in Appendix C of the level 1 report.

Regarding the reporting guidelines In NUREG-l335 for systemic core damage sequences, the following points are noted:

1.

The top 100 sequences are reported in the level 1 PRA report.

2.

Only the top six sequences have frequencies greater than 1x1 07 per reactor year. See Table 2.11-5.

3.

Four sequences contribute more than 1x1 04 per reactor year to containment bypass frequency:

Sequence No. 8 -

Sequence No. 22-Sequence No. 23-Sequence No. 25-RWCU overpressurization with core spray failure (7.25x1i04 per reactor year).

Loss of offsfte power with SDV failure to Isolate and core spray failure (2.68x10 8 per reactor year).

ISLOCA overpressurlzation of core spray with failure of core spray and feedwater (2.48x1 0 per reactor year).

Loss of feedwater with SDV failure to isolate and failure of ADS (2.1 8x1 04 per reactor year).

All sequences are binned into plant damage states (PDSs) according to endstate characteristics.

Then a set of key plant damage states is selected for input (initiators) to a containment event tree (CET) which is phenomenologically based. Thei core damage sequences selected to represent each key PDS are described in Section 8 of the level 2 report. The CET sequences contributing IPE 3-1 05129/92

to each release category are provided in Section 12 of the level 2 PRA report. All sequences with frequencies above 1x1i 01 per reactor year are reported.

3.2 Vulnerability Screening A vulnerability is defined as any core damage sequence that exceeds lx104 per reactor year, or any containment bypass sequence or large early comtainment failure sequence that exceeds 1x1i 4 per reactor year.

No vulnerabilities were found. However, a number of potential areas for low cost Improvements were Identified that could enhance overall reactor safety. These areas were Identified by a review of:

1.

The detailed results contained in the level 1 and 2 PRA reports.

2.

The contributors to system unavailability contained In Appendix F of the level 1 PRA report.

3.

The contributors to operator action error rates In Section 6 of the level 1 PRA report.

The results of the reviews for items 2 and 3 are contained in Appendices A and B respectively of this report. The conclusions and planned actions from the above reviews are provided In Section 8 of this report IPE 1 3, 05/29192

4.0 Containment Performance Improvement (CPI) Issues In Enclosure 2 to Supplement 1 of Generic Letter 88-20, the NRC staff identified certain containment performance improvements that could reduce the vulnerability of the-Mark I containment to severe accident challenges, and requested. licensees, to consider these improvements as part of the IPE. The specific Improvements which the NRC staff requested to.

be considered are listed below:

Alternative Water Supply for Drywell Spray/Yessel Injection Enhanced Reactor Pressure Vessel (RFV) Depressurization System Reliability Emergency Procedures and Training The desirability of each of these Improvements was evaluated for Oyster Creek. The results of the evaluations are reported in the following subsections.

4.1 Alternative Water Supply for Drywell SprayNessel Injection The staff stated in Enclosure 2 of Supplement 1 to Generic Letter 88-20 that:

An important improvement would be to employ a backup. or alternate supply of water and a pumping capability that is independent of normal and emergency AC power. By connecting this source to the low pressure residual heat, removal system (RHR) as well as t4o the existing drwywel,,sprays, water could be delivered either into the reactor vessel or into the drywefl, by use of,the appropriate valving arrangement.

An alternate source of water injection into the reactor vessel would greatly reduce,.

the likelihood of core melt due to station blackout or loss of long-term: decay heat removal, as well as provide significant accident management capability.

WaterOfor the drywell spraysqwould als o

proide significiant lmitigative capability to

-cool core debris; to cool the containmhent steel shell to delay r prqvKent its failure, and scrub airborne particulae.fission products from, the atmosphere.,

A review 'of some BWR Mark I facilities indicates that most plants have one or more diesel drivenpumps, which could be used to provide an alternate wter supply.

The flow rate using this backup water system may be significantly!ess, than the design flow, for d, e sprays. The potential benefit of modifying the spray,.

headers to assure a spray were compared to having water run out the spray nozzles. Fission product removal in the-small cowded voleyr in Whic. the sprays.

would be effective was Judged to be small compared with the berieflt of having all water pool on top of the core debris.

IPE 4-1 05129/92

A. Response: Alternative Water SunplV f6r Vessel Injection The Oyster Creek Nuclear Generating Station (OCNGS) currently has a low pressure fire protection water system which is Independent of normal and emergency power. This system consists of two redundant diesel driven pumps which supply the fire protection suppression water to Oyster Creek.

Existing connections of the fire protection header to the core spray system can provide vessel inventory makeup in long-term station blackout scenarios following successful manual manipulation of several valves. Both divisions of core spray have a connection to the fire protection water header. Both the hardware and operator actions associated with the cross-tie of fire protection water to core spray are modeled in the level 1 PRA performed for Oyster Creek, and thus the results reflect the benefits of this feature.

It should be noted that In many accident sequences the fire protection cross-tie was conservatively assumed to take: place too9 late to prevent core'damage but timely enough and sufficient to prevent vessel breach. This phenomena Is modeled in the level 2 PRA In which an In-vessel recovery event for those sequences In which the fire protection system was successfully aligned to the low pressure core spray. In vessel recovery Is addressed by top event VB in the level 2 PRA.

B. Response: Alternative Water Suon2v for Drswell Srrav The OCNGS has no alternative water supply for the 'drywell spray system. The staff has stated that the benefits of a connection 'of fire protection water to the drywell spray system are: provide a capability to cool core' debris,to cool the containment steel shell to delay or prevent its failure, and scrub airborne particulate fission products.

The results of the level 1 OCPRA Indicate that those core damage scenarios which result Inno water to the core debris" account for 3.23x1 O' per reactor year of the total core damage frequency of 3.69x104' per reactor year. "Therefore, the no water to core 'debris" endstate contributes 8.75% to the total calculated core damage frequency.' The addition of a connection between the fire protection 'system to the :dyell sprays would not result In the complete elimination of this contribution.^' In fact, te sizable fraction of thisl percentage Is a result of the failure of the fire protection pumps to operate and operators failure to align the system. Also, model conservatisms contribute an additional sizable fraction of this percentage. Therefore the addition of a connection between the fire prroteclion water system and the drywell spray system would not significantly reduce the contribution o the "no water to core debris endstate. In fact, the decrease in contribution'of the endstate "no Water to core debris" as a result of the proposed modification would likely be less than 1x1i07, or less'than 2%Y of the total 8.75% contribution.

The addition of a connectionbetweenthe fire rotection watersystem and the dryWell'spray system would provide no reduction in total core damage frequency since the fire protection The contribution of "no water to core debris" Is determined by the addition of the contributions of all "xxHx" and "xxGx" plant damage states from Table C.4-2.

IPE 4-.2 05/29/92

injection through the core spray system' is already available. In actuality, the reduction In CDF would be zero since the additional flow paths for fire protection water would not provide water to the in-vessel core. The Incremental Improvement in the ability to cool core debris ex-vessel is judged to minimal since core damage and subsequent vessel breach would allow fire protection injection through core spray to exit the bottom of the reactor vessel through the same path as the exiting corium and therefore provide water tothe debris.o Additionally, since the existing fire protection water system is significantly lower In design flowrate than the drywell spray header, exiting water would not develop a full spray distribution, rather It would run out of the spray nozzles. Without a fully developed spray, the capability to cool the containment shell Is greatly reduced. It is highly likely that fire protection water exiting the hole In the vessel left by the exiting corium would provide,a comparable degree of containment shell cooling because the drywell would rapidly filll to the height of the torus downcomers. Also, without a fully developed containment spray, fission product scrubbing effectiveness would be greatly reduced.

Despite these -shortcomings, several options for Implementing this Improvement were investigated.

Installation of an extension "1ol the fire protection piping to the containment spray system upstream of the existing pump manual Isolation and check' valves, and the addition of two remotely operated motor or air operated valves.

Manual operation of one of these valves and remote operation of a second isolation valve with extension of the fire'protection piping.

to the containment spray'system upstream of the containment spray pump manual isolation and check valves.

Entirely local manual operation of both valves with extension of the fire protetion piping tothe econl:ainment spray system upstream of the containment spray pump, manual isolation and check valves.

The most likely sequences in which fiire protectlon,water injection through the drywell sprays Is necessary are ong term station blackout events. The'first two options which utilize moto ror air operated valves would not provide assurance that the system could be operated following these events and therefore, are not analyzed further.

The third option, entirely manual operation, wouid be acceptable for mitigaton in these scenarios, however, the local manual operation of these valves would most likely occur post core damage and radiological dose would be a significant factor and thus shielding would be required as part of this modification. The costs of this modification would be expected to be quite high.

In summary, the installation of a connection, between the fire-protection water system and the drywell sprays is judged to hav,minimal;,,bbiine it due to the fact that It woul hav no impact on total core damage frequency and -only a minorimpact on the availability of water to core debris, containment shel cooling and fission product scrubbing. Because of these minimal benefits and the anticipated high costs, it was concluded that the modification would not be cost beneficial.

IPE 4 -3 05/29192

OCPRA

References:

1.

Section 8, Plant Model Endstates, Section 8.3, Plant Damage States

2.

Appendix C, Detailed Results, Appendix C.5, Plant Damage State Importance

3.

Appendix F, System Analyses, Appendix F.5, Core Spray System

4.

Appendix F, System Analyses, Appendix F.19, Fire Protection System Analysis 4.2 Enhanced Reactor Pressure Vessel.(RPV) Depressurization System Reliablity In Enclosure 2, to Supplement 1 of Generic Letter 88-20 the staff has defined a containment Improvement entitled OEnhanced Reactor Pressure Vessel (RPV) Depressurization System Reliability". The staff further states that:

The Automatic Depressurization System (ADS) consists of relief valves which can manually operated to depressurize the reactor coolant system. Actuation of the ADS valves requires DC power and pneumatficsupply. In an extended. tation blackout after station batteries have been depleted the ADS would not be available and the reactor would be re-pressuried. With enhanced RPV depressurization system reliability, depressurzation of the reactor coolant system would have a greater degree of assurance. Together with a low pressure alternate source of water Injection'Into the reactor vessel,,te major 'benefit of eanced depressurization reliability would be to provide an additional source of core cooling which could signlHicantiy redu the ikeliood of high pressure severe accidents, such as from the short-term station blackout-Another Important benefit is In the area of accident mitigation. Reduced reactor pressure would greaty ireduce the possibility of core debris being expelled under high pressure, given a core melt and failure of the reactor pressure vessel.

Enhanced RPV depressurization system reliabiity, would also delay. containment failure and reduce the quantty and ype of fissiont products ultimately released to the environment In order to Increase th'e reliability of the RPV depressurization system, assurnce of electrical power beyond,the requirements of existing regulations may be necessary. Performance of cables needs to be reviewed for temperature capability during severe accidents as well as the capacity of the pnumti supply.

Response: Enhanced Reactor Vessel Deoressurization System Reliabil

Response

The Oyter Creek Nuclear GeneratingStatipn AUlomaic iDepesurization,System (ADS) consIsts of five electromatic relief valves which may be manually operated to depressurize the reactor pressure vessel (only three of the five need to open to ensure successful ADS). The system Is designed such that only DC power is required for Is operation; no pneumatics are required.

IPE 44 05/29/92

In extended station blackout scenarios, the batteries are not expected to be depleted for at least three hours. The likelihood of an extended station blackout is significantly reduced by an alternate AC source connection which is scheduled for implementation in the 14R refueling outage. The current system design and the planned addition of an alternate AC source are judged to provide an enhanced RPV depressurization system reliability at Oyster Creek.

4.3 Emergency Procedures and Training In Enclosure 2 of Supplement I of Generic Letter 88-20 the staff has defined a containment performance improvement entitled mEmergency Procedures and Training". The staff states:

NRC has recently reviewed and approved Revision 4 of the BWR Owners Group EPGs (General Electric Topical Report NED O31331, BWR Owner's Group "Emergency Procedure Guidelines, Revision 4,0 March 1987).

Revision 4 to the BWR Owners Group EPG is a significant improvement over early versions in that they continue to be based on symptoms, they have been simplified, and all open items from previous versions have been resolved. The BWR EPGs extend well beyond design bases and include many actions appropriate for severe accident management The improvement to EPGs is only as good as the plant specific EOP X implementation and the training that operators receive on the use the improved procedures. The NRC staff encourages licensees to implement Revision 4 of the EPGs and recognize the need for proper Implementation and training of operators.

Response: Emergency Procedures and Traini m-The Oyster Creek Nuclear Generating Station has implemented Revision 4 of the EPGs. These procedures are trained on extensively and as such this CPI issue is considered implemented.

The operator actions associated with these procedures are modeled in the PRA. See Section 6, Human Action Analysis, of the level 1 PRA report.

IPE 4;-5 05129/92

5.0 Unresolved Safety Issue A Shutdown Decay Heat Removal Requirements Generic Letter 88-20 states that TYou should ensure that your IPE paricularly Identifies decay heat removal vulnerabilities.0, and consider the decay heat removal Insights provided in Appendix 5 of the generic letter. The response to the Unresolved Safety Issue A-45 is given below.

Response: Unresolved Safety Issue A-45 The loss of decay heat removal at Oyster Creek requires the failure of the following decay heat rejection paths:

Decay Heat Removal Through the Main Condenser. This path Is the normal path for decay heat removal and normal shutdown. Use of this decay heat removal path requires that MSIVs are open and that the main condenser and its support systems are available.

Decay Heat Removal Through the Isolation Condenser. This decay heat removal path is utilized following reactor isolation transients where either the main condenser is unavailable or MSIVs are closed. This path requires successful initiation of 1 of 2 isolation condensers and successful long term shell side makeup -from either the crondensate transfer system of the fire protection water system. In this path, decay heat is discharged to the atmosphere via boil-off of shell side inventory.

Decay Heat Removal Through Containment Spray/Emergency Service Water.

Should the Isolation condensers or their support fail, core decay heat is discharge into the containment through the operation of relief or safety valves or through the break in the event a LOCA has occurred. The decay heat is removed by the containment spray/emergency service water system to the Intake canal.

Decay Heat Removal Through the Hardened Vent. This decay heat removal path utilizes the hardened vent system following the failure of the containment spray/emergency service water system when decay heat Is being rejected to the containment.

Decay heat is discharged to the atmosphere via the hardened vent piping and the plant stack.

The level 1 PRA models successful mitigation as the various combinations of reactor vessel inventory makeup and the above decay heat removal rejection pathways. Section 8.2 of the level 1 report presents the complete success endstate paths. Minimal credit is taken for human action recoveries. Appendix B.4 outlines the recovery of containment heat removal. Section 7.11 (Recovery Module) of the level 1 report identilies the application of the recovery In the plant model.

Failure to remove decay heat is reflected in the level 1 PRA damage states which consist of the designator xLHx where the Xx represents any character and the ULH" represents the loss of all containment decay heat removal. Therefore, the sum of the uxLHxh damage states represents IPE 5-1 05/29/9q2

the probability that core damage would occur due to the failure of the decay heat removal function. This value is given In Appendix C of The level 1 report, Table C.4-2, as 1.46x1 O7 per reactor year and represents 3.96% of the total calculated core damage frequency. This value Is considered low and thus A-45 Is considered closed.

OCPRA

References:

1. Plant Model, Section 7.1 1, Recovery Module
2.

Endstate Assignment, Section 8.3, Plant Damage States

3.

Recovery from a Loss of Containment Heat Removal, Appendix B.4

4.

Detailed Results, Appendix C.4, Plant Damage State Importance

5.

System Analysis, Appendix F.25, Containment Vent IPE 5-2 05/29/92

6.0 Other Unresolved Safety Issues (USIs)

NUREG-0933 was reviewed to determine those unresolved and generic safety issues which were treatable by probabilistic techniques.

The following unresolved safety issues (USIs) were determined to be directly treatable by PRA techniques and could be readily addressed by the Oyster Creek PRA models and/or results:

A-1 7 System Interaction in Nuclear Power Plants A-47 Safety Implications of Control Systems The above issues are treated separately In the sub-sections below. In some cases the -issues are treated by reference to specific sections of t0heOCPRA. In other cases additional analysis was required to address the issue and this analysis appears in-the individual subsections.

6.1 Unresolved Safety Issue A-1 7 - System Interaction In Nuclear Power Plants Generic Leiter 89-17 entitled, Resolution of Unlresolved Safety Issue A-1 7, Systems Interactions in Nuclear Power, Plants' informs licensees and applicants of the final resolution of A-i17...IJn enclosure i the staff outlines the actions required.by the licensees. The actions which are appropriate to Oyster Creek and treatable by F'iRA techniques, as stated in the generic letter are given-below. It should also be noted that Generic Safety Issue 77, 'Flooding of Safety Equipment Compartments by Backfiow through Floor Drains has been subsumed into USIA-47 and is also -

addressed In the following paragraphs.

(a) Wattr Intrusion and Floodina From Internal Sources As part of the resolution of USI A-17, the staff has identified that watertintrusion and flooding of equipment from Internal plant sources may result in risk signic7apnt adverse systems, interaction. Such events could cause a transient and could also disable the equipment needed to mitigate the consequence of the event. The appendix to NUREG-1174 (reference 1) provides insights regaraing plant vulnerabilities to flooding and water intrusion from internalplant sources. It is 'excpected that these'in~sights will be considered in implementing Generic Letter 88-20 [Individual Plant Examination (IPE)],which icludeqs, an assessment of internal flooding.

The staff continuesand states:

(c) Probabilistic Risk Ahalvses or Other Systematic Plant Reviews

  • Existing'Plants~

The Commission's Severe Accident Policy, 50 FR 32128 (August 8, 1985), calls for all existing plants to perform a plant specific search for vulnerabilities. Such searches, referred to as individual plant examinations (IPEs), involve a systematic plant review (which could be a PRA-type analysis). NRC is issuing guidance for performing such IPE 6-1 05/29192

reviews. One subject area to be treated by the IPEs is common-cause failures (or dependent failures). USI A-17 recognizes tha3tASIs are a subset of this broader subject area and, therefore, is providing for the dissemination of the' insights gained In the A-17 program for use in the IPE work.

A. Resolution: Water Intrusion and Floodina from Internal Sources The level 1 OCPRA contains a screening analysis of the probability of core damage to internal flooding. This analysis is presented In Section 10 of the level I PRA. The upper bound of core damage frequency due to Internal flooding at Oyster Creek Is 2.08xl 07 per reactor year. The analysis considered the frequency of internal pipe breaks and the effect of the resulting flood and Its propagation.

Thle frequency'of the floods and resulting' failed systems (impacts) were Incorporated Into a flooding version' of the Internal events model. Umited credit is assessed for mitigation in the form of operator actions. No vilnerabilities were Identified In the Oyster Creek flooding analysis.

Also, part of the Oyster Creek bounding flooding analysis, backflow through floor drains (previously, Generic Issue 77, Flooding 'of Safety Equi pment Compartments by Back-Flow Through Floor Drains) was considered. During Phase 2 Definition of Flooding InItiating Events, component and source location Information wassused to'define the Internal flooding Initiating events includingoassociated propagation paths aid Impacted equipment. Th'e propagationpaths included the potential for backflow through drainage pathways. Also, Phase 4 -

Mitigation of Significant Flooding Scenarios' investigated the potential for the mitigation of individual flooding scenarios and included credit for drainage system Isolation and op'erator'intervention. The probability of drainage Isolation failure was also incorporated into the flooding study.

No vulnerabilities were Identified. Although flooding events do not contribute significantly to total calculated core damage frequency a recommendation for a change to plant procedures Is expected to improve operator response to internal flooding events. See Conclusions and Planned Actions' section of this report.

B. Resolution: ::>Probabilistic Risk Analyses or 0ther Svstematic Plant Reviews The Oyster Creek PRA analyzes the effect of common-cause failures extensively. Plant specific data is collected on components modeled in the OCPRA and commonin cause failures were also investigated on a plant specific basis. Plant specific data collection consisted of the review of maintenance work orders, switching and tagging requests, licensee event report (LERs) and transient assessment reports (TARs). Details on the plant specific and generic data as well as methodology used in the assessment of common-cause data are presented in Section 4 of the level 1 PRA report. Each system of the PRA (Appendix F.1 through F.25) presents the application of plant specific and common-cause failures. On the basis of the above, this issue is considered closed.

IPE ^' '

6-2 05/29/92

OCPRA

References:

1. Section 10, Internal Flooding Analysis, all sub-sections
2.

Section 4, Data Analysis, all sub-sections

3.

Appendix F, Individual System Analyses, 1F.1 through F.25 6.2 Unresolved Safety Issue A Safety lImplications of Control Systems Generic letter 89-19 entitled, Request for Action: Related to Resolution of Unresolved Safety Issue A47, 'Safety Implications of Control Systems in LWR Nuclear Power Plants" Pursuant to 10 CFR 50.54(f) states:

As a result of the technical resolution of USI A-47, "Safety Implications of Control Systems In LWR Nuclear Power Plants", the NRC has concluded that protection should.-be provided for certain control system failures and that selected emergency procedures should be modified to assure that plant transients resulting from control system failures do not compromise public safety.

The staff further states:

... all BWR plants should provide automatic reactor vessel overfill protection, and thkt plant procedures and technical specifications for all plants should Include provisions to verify periodically the operability of the overfill protection and to assure that automatic overfill protection Is available to mitigate main feedwater overfill events during reactor power operation....

Resolution: Unresolved Safety Issue A-47 The level 1 OCPRA plant model addresses reactor overfill events. Both an initiating event entitled "Loss of Feedwater Control (LOFC)" and a top event "Control of Feedwater (RF)" are assessed.

The initiator Is modeled as the result of a failure of the main feedwater control system while at power operation.

The top event models the failure of feedwater control system (low level setdown) following all other initiators modeled in the PRA. The initiating event (LOFC) and the failure of the top event (RF) result in a demand for the automatic closure of the MSIVs on either high steamline flow or low steamline pressure. The automatic MSIV closure on high flow is the assumed result of two phase flow passing through the steamline venturis. Should this fall to cause automatic closure of the MSIVs, the main steamline pipe downstream of the MSIV is assumed to rupture due to the loads associated with two phase flow through the steamline. The rupture of the steamline creates a demand for lhe automatic closure of MSIVs on low steamline pressure.

Following a loss of feedwater control and failure of the MSIVs to close a loss of coolant outside the containment is assumed to occur. Spatial Impacts of the Induced loss of coolant accident are in turn 'assumed to result in the loss of safety related equipment either In the reactor or IPE 6-3 05/29192

turbine buildings. Details of the modeling of the loss of feedwater control initiator are available in Section 7.6 of the level 1 PRA report.

The level 1 PRA reports total calculated core damage due to this induced loss of coolant accident as 8.38x10 per reactor year (PRA level 1 report Table C.1 -1 a) from the loss of feedwater control (LOFC) initiating event and 4.06x1048 per reactor year from failure of top event RF2 for a total core damage frequency due to overfill events of 1.24x1 O7 per reactor year. This corresponds to approximately 3.4% of the total calculated core damage frequency. While the contribution to core damage frequency is low, the likelihood of the initiating event and the failure of the operator to recover before significant damage to the main steam lines (estimated to be approximately 3x1 CO per reactor year3) Is judged to be high enough to warrant plant changes.

Therefore, while the loss of feedwater control Is not considered a vulnerability from -a core damage standpoint, the transient could pose a cAnsiderable economic loss in terms of damaged equipment and unit down time. Therefore, Oyster Creek currently plans to install a Reactor Overfill Protection System (ROPS) In 15R refueling outage.

OCPRA

References:

1. Section 7.6, Loss of Feedwater Control Module
2.

Section 7.5, General Transient Module, Top Event RF

3. Section 3, Major Results
4. Appendix C, Detailed Results 2.

2 Contribution of top event RF Is calcu lated by multiplying' Its indepenide-nt top evenht

-~~~~

importance from Table C.2-1 (Appendix C of the level 1 PRA report) by the total core damage frequency (1.1% of 3.69x-Estimate based on the product of LOFC initiator frequenc'ny anird split fraction RF1 (operator fails to recover from-fee'dwaler regulator' valve lockup).

I

-4 05-i/2--9192 -R IPE 6-4 05/29/92

7.0 Generic Safety Issues (GSIs)

NUREG-0933 was also reviewed to determine which generic safety issues (GSIs) were treatable by probabilistic techniques. The following generic safety issues (GSls) were determined, to be treatable by PRA techniques, and could be readily addressed by the Oyster-Creek PRA models and/or results:

GM-1 01 BWR Water Level Redundancy Gl-1 05 Interfacing System LOCA at IBWRs The above generic safety Issues (GSIs) are addressed in individual sub-sections below.

7.1 GI-1 01 BWR Water Level Redundancy The staff has Indicated in NUREG-0933, Supplement 10, that a break in a single-water level Instrument reference line will cause a false.5high,, level Indiciation and willresult, In all instrumentation which utilize that reference column to indicate full scale high. The subsequent transient may occur without safety system actuation, Also, a single failure of the second reference column may completely disable safety systems.

The Oyster Creek reactor vessel water level measurement emnploys two general systems: a cold leg system and a heated reference leg system with each of these systems containing two reference legs. Several reactor water level subsystems are associated with the two reference leg system. These are:

.-Cold Reference Leo Heated Reference Lea Wide range GEMAC level Low.vessel level Narrow range (GEMAC) level Control room vessel level Barton lowevel Low-Low lessel level Fuel zone level These subsystems utilize different differenitial pressure and level transmitters And actuate various':'

Oyster Creek systems including Indication, ECCS, turbine and reactor protection systems and feedwater control. The cold and heated reference leg water level measurement systems are_

discussed under individual headings below.

Cold Reference Leg System All GEMAC instruments are connected to the cold reference leg system. The wide range GEMAC provides level indication in the control room in the range of 70 to 430 inches above the top of active fuel (TAF).

No automatic actuations are associated with the wide range vessel level GEMAC instrument (LT 1A12). Two narrow range level GEMAC instrurmenitsprovide indication in the range of 90 to 186 inches above TAF: In the control`

roiom -'on panel 4F (feedwater controller) and on panels 5F/6F.

The two narrow range level instruments utilize the cold reference leg system and are density compensated. The narrow range GEMAC instruments provide input to the feedwater control system.

IPE 7-1 05/29/92

The low-low-low level Barton instruments (REl8A through RE18bD) provide indication on instrument racks RKO1 and RK02 in the range of 5S to 206 inches above TAF. The Bartons input level signals to various control and logic circuits to initiate the following actions: RBCCW to drywell isolation and Automatic Depressurization System"(ADS) actuation as well as low-low-low level alarms. The Barton instruments utilize the cold leg'reference system.

The fuel zone 1level instruments are off during normal power operation and have no indication or automatic actions associated with them and as such they are not discussed further In this analysis.

Given the above configuration a cold reference leg failure will cause GEMAC Instruments to Indicate high which will result in a feedwater ruriback and subsequent reactor trip on vessel low level sensed on the heated reference leg level system. All RPS and ECCS systems remain unaffected by the failure of the cold leg vessel levil measurement system and the plant response to the transient is similar to that of a partial loss of feedwater event. Coincident failure of the heated leg reference system Is accounted for in the OCPRA model by the top event RL which models failure of low-low level logic sensors, transmitters and relays. Other'actuation system failures are also modeled in the OCPRA-Including the failure of htfgh RPV pressure (at top event PR) and high dryweIf pressure (at top event DP).' As such this event is, considered accounted for by the partial loss of feedwater initiator in the level 1 OCPRA (See page 7.2-6) which contributes a calculated core damage, frequency of 7.80x104 per reactor year or 2.1% of total CDF. (See Table C.1-la of the level-1 OCPRA).'-

Heated Reference Leg System The low reactor water vessel level instruments (RE05A and B) provide level Indication in the control room over the range of 85 to 185' inches above TAF. These instruments support a turbine trip at 175 inches above TAF and a reactor scram (and low level alarm) at 138 inches above TAF.

The low level instruments utilize the heated reference leg system.

-level::, -

I" The control room vessel level Instruments (RE4)5/19A and B) provide analog Indication In the control room (panels 5F/6F and 1 8R and 19R) over the range of 85 to 185 inches above TAF.

A digital indicator on panel 4F indicates over the same range. These instruments are supplied by the mevariablea nd reference legs (heatedleg re celeg sysm) s t w vessel level instruments and provide an automatic turbine trip (at 175 inches) and a reactor tip '(and low level alarm) 'at 138 iniche's.--

^-

The low low level instruments (RE-02A through D) provide level indication in the control room (panels 18R and 19R) over the range of 85 to 185 inches above TAF. These instruments automatically actuate the following:

Core SpraySystem Reactor Isolation Recirculation' Purmp Trip Standby Gai'Treatment System-Isolation Condenser '

Diesel Generator Start Alternate Rod Insertion (ARI)

IPE 7-2 05/29/92

These instruments are supplied by the Same variable and refetence legs (heated leg reference system) as the instruments RE05NB, 1 9A/B.

Given the above configuration of the Oyster Creek reactor vessel level measurement systems a heated leg reference leg failure will result in flashing of theareference leg such that all instrument subsystems will read offscale high. An automatic turbine trip (at a sensed reactor water level of 175 inches above TAF) will result in an automatic reactor trip on turbine stop valve closure.

Although tvo channels of actuation logic are failed due to the single reference line failure, RPS and ECCS equipment which actuates on low low RPV level will automatically actuate on the remaining two channels.

A single failure of the remaining channels would disable ECCS automatic actuation, however the main feadwater psystqe

,and levele Indication (GEMAC subsystems) remain available. Isolation condensers Initiate following the :pressure spike due to the closure of the turbine stop valves (high pressure actuation logic remains unaffected by the loss of the heated leg reference system).

Therefore, a heated reference leg failure and a single failure will not result in core damage.

Following El heated reference leg failure, without an additiona I single failure, EpCS systems will automatically actuate and, In any scenario, manual operator a ctionto initiate ECOS systems remains an option. Since the loss of reactor coolant from the reference line remains within the capability of the CRD, and the CRD system remains available during this event, the heated reference leg failure most closely resembles a turbine trip with coincident degradation of the low low level actuation logic.

The frequency of a turbine trip coincident with a random failure of the reactor low lowlevel. Ioic is modeled with the turbine trip initiating event contributing approximately 13.1% or 4.85x1 0 to total core damage frequency. The independent failure contribution of the reactor low low level logic to total core damage frequency is Insignificant (09 ).,.

However,. the level.1-OCPRA does-not specifficallyvmodel turbine trip witdhheated leg reference.

line break (i.e. with coincident degradation of the low low level,ogic).

Therefore, a requantification of the OCPRA model was performed for the turbine trip initiating event with the reactor low low level logic (top event RL) conservatively set to a guaranteed failure. Although the probability, order and composition of individual sequences did change as a result of the requantification,.the total calculated core damage frequency.did not change..

None of the significant contributors or conclusions were altered be y the model run. XA.s such this' transient is considered bounded by the original OCPRA and no vulnerabilities have been identified. This issue is considered closed.

OCPRA

References:

1. Section 7.2, Definition of Initiating Events, Page 7.2-6.
2. AppendlixC,-Detailed Results,-Table C.1-1,;

A.

3. Section 7.3, Dependence Matrices,.Table 7.3-10.

IPE 7'-3 05/29/92

72 G1.05 Interfacing System LOCA at BWRs Appendix B.3 of the OCPRA, Interfacing Systems LOCA Analysis (ISLOCA), presents the methods and results of the Oyster Creek plant specific ISLOCA analysis. The OCPRA interfacing loss of coolant analysis found two systems4 which have the potential to create an ISLOCA. These are:-

Core Spray Reactor Water Cleanup System (RWNCU)

The OCPRA ISLOCA analysis determined the frequency of the various potential failures and incorporated these frequencies and impacts Into the plant model in the form of initiating events.

A summary of the findings are presented below:

Core Spray The core spray system has-a design pressure of 400 psig. The boundary for the design pressure change'to RPV design pressure occurs at the (normally open) common discharge valve for each loop, with the parallel'Isolation valves acting' as the actual pressure boundary between RPV and core spray system pressure.

The system is normally lined up with both parallel isolation valves closed in each loop. Parallel isolation valve failure is mitigated by the presence of parallel testable check valves, both of which must seat to isolate the system from reactor operating pressure if either parallel isolation valve fails.

Following failure of at least one parallel isolation valve and at least one testable check valve to seat, system overpressurization protection Is provided through a 2 inch relief valve, which relieves to the reactor building equipment drain tank. Overflow of this tank can lead to spatial interactions with equipment in the southwest corner room.,

The initiating event, small below core and outside the drywell LOCA (SBO), is incorporated into the plant model. The probability of an ISLOCA;;due to failure of the core spray system due to overpressurization (SBO) is 2.86x16

' perireactor year. The potential for the' core spray system to rupture is also analyzed. See Appendix B.3, Section B.3.4 of the level 1 PRA report for the calculation' of the total SBO frequenrcy' calclation.

Reactor Water Cleanup System (RWCU)

The reactor water cleanup system has a design pressure of 150 psig. Following failure of the pressure regulating valve and the automatic system isolation function the system will Unisolated LOCAs which are not induced by'overpressurizatio nsuch as unisolated LOCAs outside the containment and the scram discharge volume (SDV) faliure to isolate (discussed in Appendix B.3) are not considered ISLOCAs, rather they are considered isolation failures and are incorporated into the model as containment bypass events.

IPE 7-4 05/29/92

overpressurize. The subsequent failure of the reactor water cleanup system due to overpressure results In three possible outcomes.

The first outcome of RWCU overpressurization Is the discharge of reactor coolant to both the reactor building equipment drain tank through a one Inch relief and to the torus through a six inch relief valve. Due to the unique combinations of impacts for the discharge of reactor coolant to the reactor-building' (RBEDT is located in the southwest comer room) and the large discharge to the torus, 'the initiating event defined as a large below core LOCA inside/outside containment (LBIO) consisting of RWCU overpressurization, was incorporated into the plant model. The' frequency of LBIO initiating event is 8.23x104 per reactor year (point estimate) or 8.37x1 0 per reactor year (monte carlo calculation). See Section B.3.3 of Appendix 6.3 of the level I PRA report.

The second outcome of RWCU overpressurization is the discharge to the torus with failure of the one Inch relief valve. This RWCU overpressurization impacts the plant in a similar manner to the large below core LOCA and inside the containment.

However, due -to its low frequency of occurrence (2.7x1 C@) this event is presented for Information only and not considered in the plant model.

The third outcorme of RWCU overpressurization Is the failure of system piping (due to the failure of adequate relief). However, due to the low frequency of occurrence of this event (1.08x1 0.12) it is presented for information only and not considered In the plant model.

Total Interfacing System LOCA (ISLOCA) Frequency An interfacing system LOCA Is defined as a loss of coolant due to the failure of low pressure system piping due to the pressurization by high pressure systems. In the Oyster Creek model, these ISLOCAs do not Include loss of coolant accidents which are outside the containment and not due to overpressurization. Initiating events for unisolated LOCAs and SDV failure to isolate are not included. Therefore, the frequency of ISLOCAs at Oyster Creek is equal to the sum of:

Core Spray System Overpressurization (SBO)

Discharge to RBEDT 2.86xlO6 Piping or Pump Seal Failure 5.58x1 011 Reactor Water Cleanup System Overpressurization (LBIO)

Discharge to Torus and RBEDT 8.23x1 04 Discharge to Torus Only 2.70x1 04 System Rupture 1.08x1 012 llTTL ISLOCA FREQUENCY 1.1 1 xi0 lr The ISLOCA frequency is incorporated In the plant model as contributors to the small below core and outside (SBO) and large above and below core (LBIO) LOCA initiating events.

IPE 7-5 05/29192

ISLOCA Contribution to Total Core Damage Frequency The contribution of ISLOCA to the total core damage frequency Is calculated by the sum of the SBO LOCA (due to core spray system overpressiurization)and the LBIO LOCA contributions.

The contribution of the SBO Initiator to total calculated 'core damage is 2.64x1 per reactor year or 0.7% of total core damage frequency. The contribution of the tBIO initiator to total core damage frequency is'equal to;7.70x10 per reactor year or 2.1% of total core damage frequency.

Therefore, the total contribution of ISLOCA to core damage frequency Is:

SBO (due to core spray system Dverpressurization) + LBIO =

2.64x104 + 7'.70x10r =

1.03x107 per reactor year or 2.8% of total0CDF No vulnerabilities were Identified and as such this Issue Is considered closed.

OCPRA

References:

1. Appendix B.3, Interfacing -Systems LOCA Analysis.
2. Appendix C, Detailed Results, Tables C.1-1 b and c.

IPE 7-45 05/29/92

8.0 Conclusions and Planned Actions This section presents the level 1 and 2 PRA conclusions and planned actions in individual subsections below.

8.1 Level 1 PRA The results of this study indicate a total calculated point estimate'mrean core damage frequency from Internal Initiators from at power conditions to be 3.69x10 0 per year, which is comparable to other BWRs. Generaliy, this 'reasonably low value',is concluded to be due to the many ways (success paths) available to cool the core 'at Oyster Creek. In addition to the normal heat rejection paths to the main condenser under post trip conditions, the plant Is equipped with two redundant Isolation condensers (ICs) which Initicate Independent of ACpower in the event of reactor'isolation.

Multiple makeup sources,condensate transfer-and fire protectionwater (supplied from electric driven or diesel driven fire pumps) make this a very reliable longaterm means of removing decay heat. If ICs become unavailable, EMRVs can be used to reject heat to the torus for extended periods without cooling. With torus cooling and an RPV injection source this heat rejection path can be maintained indefinitely. Even without cooling, a hard piped vent (planned for Installation in 1 4R) can be used to protect from a containment overpressure and Is sized to remove sufficient decay heat to preclude core damage provided oa RPY makeup source is available. Under LOCA conditions, two fully redundant core spray systems can be used. Other -makeup sources includeffeedwater, and under low RPV pressure conditions the condensate system can provide makeup through the feedwate r syste or fire protection water can be Injected through the core spray system. This versatility provides numerous success paths for cooling the core, all of which have been incorporated into the procedures.' In addition, operators are trained extensively on their use.

The study found that losses of offsite power events are Important contributors to core damage frequency. This Is ameliorated, to someextrent, by a reasonably reliable onsite system and an alternate AC source (combustion turbines located on the' Forked'River site),which can be used (after 14R):In the event ofastation bIackout.

The study also affirms the importance of DC 'power as the source of control power for much of the plant equipment. While DC sources are generally reliable, the consequences of their failure are very difficult to cope with, and thus battery maintenance and mqonitoring continue to be important.

The ADS valves (EMRVs) are DC operated and require no air. Therefore, their operation Is not degraded under elevated pressure conditions inside thed'8rywell. However, failure of these valves to close is an important contributor to total CDF, and thus their maintenance must be regarded as a priority In maintaining plant safety. The results of this study also re-emphasize the importance of reactor isolation modes where heat Is rejected to the torus through EM RVs and.

then removed by-containnm-e'nit spray/ESW system. While this cooling mode is aviable backup -

to the main -condens'er "and the Isolation conensers^, there is little bakup iffIt should fail.

Venting of the conitainrni't w'ould be the ony altearnative at thapotand whileth"is is'feasiblei It is not a preferred cooling-mode. Therefore, maintaining a reliable containment spray/ESW system is important.

IPE 8-11 05/29/92

ATWS Is not a major contributor to total CDF because of modifications to the plant to improve reactor scram system reliability and the mitigative operator actions which have been Incorporated into the Emergency Operating Procedures (EOPs). This study also showed that the EOPs are well thought out, incorporated in the operations staffs' philosophy, and provide a number of options for dealing with degraded core cooling conditions.

The most likely ways to experience a severe accident Involve multiple AC electrical plant failures coupled with-an EMRV failure to close. Other likely ways are transients of various kinds coupled with multiple DC power failures. Overall however, It is concluded that the totl core damage (severe accident) likelihood due to Internally initiated events Is reasonably small, and that no vulnerabilities exist.

Hdowever, a review of the detailed results and the contributors to Individual system unavailability and operator action error rates Indicates that certain, low cost improvements could be implemented that would improve overall reactor safety. These planned actions are described below.

8.1.1 Loss of Offsite Power The loss of offsite power Initiating-eivent contributes 33% tothe total calculated core damage frequency. The risk profile due to the Yfamilym of loss of offsite power events consists of both short and long term losses of ofisite power. Short terr losses of offsite power followed by other failures such as the common cause failure of both diesel generators combined wth EMRV failure to reclose or other ECMS systems failure contribute significantly to the risk profile. Long term losses of ofisite power concurrent with failures of diesel generators and ECCS systems combined with battery depletion result In eventual core damage.

A station blackout technical basis document Is under development. This document Is to serve as the basis for the creation of a station blackout procedure. Completion of the station blackout technical basis report and the creation of an Oyster Creek plan t specf integrated loss of ofisite power procedure (larger In scope than the original station blackout procedure) could provide improved operator coping ability In loss,of ofIsite power events.

This procedure will be completed and will Include provisions for:

RecoverinJg offste power or onsite sources and appropriately aligning or cross-tieing buses to power critical equipment.

  • The startup and alignment of the alternate AC capability.,

8.1.2 DC Power The failure of all DC power events contribute sigificantly to total core dage frequency.

ong term los's of DC powe'r folloWinrg station blackout eventst s also a~ sIgnificant contributor to the risk profile. Following a long te rm statigonblackout the eventual depletion of C batteries contribute~s significantly to the OCPRA risk profile. Sev"eryal actions 6could increase operators ability to cope with loss of all DC power events and reduce the contribution of DC power failures to total core damage frequency.

IPE 8-2 05/29192

1. A loss of all DC power procedure will be developed and coordinated with the Integrated loss of all AC power procedure. It will Include guidance on the cross connection of essential loads to the 'A' battery.
2. A portable DC generator and equipment necessary to supply essential-loads will be considered for procurement. If procured, it will be staged and procedurally directed for use In coping with long term losses of DC power.

8.1.3 Containment Spray/Emergency Service Water Based on the observations In Section 11 of Appendix A of this report, the following actions are planned:

1. Since the operator plays a major role In successful Initiation of the containment spray system, these actions will be emphasized In training.
2. Changes to the coordination of preventive maintenance on the containment spray system could result in decreased outage time. Therefore, containment spray heat exchanger, containment spray pumps, ESW pump preventive maintenance should be coordinated to coincide with planned refueling outages. For example, planned refueling outages will include the replacement of heat exchanger anodes and cleaning as needed. In cases where maintenance must be performed during operation on a single component In the system (which results In the unavailability of an entire system) other system preventive maintenance tasks will be considered and scheduled to be performed during this same outage time If possible.
3. Efforts to reduce the likelihood of heat:^exchanger blockage will continue.

Removal of the damaged sections of the ESW pipe coating and the chlorination system modification have been major Improvements. Further enhancements to the chlorination system (to chlorinate E. larger segment of the system) that are planned for the next refueling outage will be completed-as scheduled.

8.1.4 Reactor Feedwater Control (RPV high level excursion)

Based on the observations In Section 13 of Appendix A of this report, the following action Is planned:

The loss of feedwater control or high level excursion contributes less than 2% to the total c're damage frequency, however high level excursions represent potentially severe transients and may possibly proceed to main steam line failure in the most severe cases.IThe planned modification to post trip reactorfeedwater control system (Reactor Overfill Protedtion System (ROPS))

scheduled for Implementation In 1 5R is expected to substantially decrease the risk of reactor vessel high level excursions, and thus will be implemented as scheduled.

IPE 08/11/92

8.1.5 Operator Action Error Rates Based on the observations In Appendix B of this report, the following actions will be reviewed and considered for appropriate Implementation. Refer to Appendix E of the level 1 PRA report for specifics on each, operator action.

1. Consider the development of specific procedures, guidance and training on reactor overfill transients, specifically for operator actions (OFI and ME2).
2. During operator training point out that consistently successful performance of the following actions can positively affect overall core damage risk as determined by the PRA.
a.

Operator Injects through core spray with fire protection during loss of all AC power (CS5)

b.

Operator lines up fire water injection through core spray during LOCA conditions outside containment (unisolated LOCA) (FS1)

c.

Operator Inhibits ADS and controls level near TAF during ATWS with FW available and condenser failed with EMRV/SV closure

(.L2)

d.

Operator inhibits ADS during AiWS with FW failed and EMRV/SV

, closure (012)

e.

Operator manually re-energizes bus 1 Al/I B and re-starts at least one TBCCW pump following a loss of offsie power (TB5)

f.

Operator trips reactor after TT Ilailure (high level) (RS3)

g.

operator secures or Isolates condensate transfer header to reactor -

building within 1 to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after condensate transfer supply line break In the reactor building (FTB)

h.

Operator trips plant and Isolates feedwater following feedwater line break in the trunnion room (FTD) 8.2 Level 2 PRA The results of the study Indicate that a'reasonably low fraction of the CDF analyzed (15.8%)

would result In large early failure of containment. The likelihood of containment bypass is 2.1lxio '.per lreactor year or,7.3% of analyzed CDF. Late containmentfallures -constitute 2.3%

of analyzed CDF which Is, considered a cornservative result because no -post-vessel breach recoveries were modeled. Approximately half (50.4%) of the analyzed CDF Is due to sequences that are recoverable in-vessel, thus no containment breach would be expected to occur.

FPE 8-4 08111/92

The study highlights the importance of certain containment features to the mitigation of severe accidents. The drywell floor concrete curb is a main contributor in reducing the likelihood of a liner melt-through, and the structural upgrades to the torus in the early 1980's improved Its pressure capacity by 25%. The sandbed region of the drywell has experienced some thinning due to corrosion and was determined to be the limiting location with respect to pressure capacity. Drywell head lift was judged to be a slightly less likely overpressure failure mode, but this conclusion is sensitive to assumptions made In the analysis.

The earliest release would be expected to take place no sooner than two hours after an accident.

The largest (worst) release would be due to a containment bypass scenario involving failure of the scram discharge volume to Isolate. Such a release would occur some 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> after the accident.

Because of the relatively 16w frequencies associated with the various containment failure modes, no specific hardware modifications or changes to existing procedures beyond those identified in the level 1 analysis are planned at this time. The level 2 PRA will be used as a major Input to the development of accident management guidelines.

8.3 Schedule for Implementation All of the actions identified In Section 8.1 are planned for completion prior to startup from refueling outage 155R, except item 8.1.2.2. Item 8.1.2.2 will be considered and a decision reached on its Implementation prior to refueling outage 15R.

IPE 8-5 08/11/92

9.0 References 9-1 GPU Nuclear, Memorandum, Inclusion of Generic Issues In the OCPRA, J. S. Wetmore to R. A. Pinelli, 5430-88-0059, October 12, 1988.

9-2 Nuclear Regulatory Commission, Initiation of the Individual Plant Examination for Severe Accident Vulnerabilities - 10 CFR 50.54 - Generic Letter 88-20, Supplement No. 1, August 29,1989.

9-3 Nuclear Regulatory Commission, Request for Action Related to Resolution of Unresolved Safety Issue A-47 "Safety Implication cf Control Systems In LWR Nuclear Power Plants" Pursuant to 10 CFR 50.54(f) - Generic Letter 89-19, September 20, 1989.

9-4 Nuclear Regulatory Commission, Individual Plant Examination for Severe Accident Vulnerabilities - 10 CFR 50.54(), Generic Letter Number 88-20, November 23, 1988.

9-5 Nuclear Regulatory Commission, Accident Management Strategles for Consideration in the Individual Plant Examination Process - Generic Letter 88-20, Supplement No. 2, April 4, 1990.

9-6 9-7 9-8 9-9 9-10 9-11 9-12 9-13 Nuclear Regulatory Commission, Prioritization Supplement Number 1, July 1984.

Nuclear Regulatory Commission, Prioritization Supplement Number 2, January 1985.

Nuclear Regulatory Commission, Priorltization Supplement Number 3, July 1985.

Nuclear Regulatory Commission, Priorifization Supplement Number 4, February 1986.

Nuclear Regulatory Commission, Prioritization Supplement Number 5, September 1986.

Nuclear Regulatory Commission, Prioritization Supplement Number 6, December 31, 11986.

Nuclear Regulatory Commission, Prioritization Supplement Number 7, April 1988.

Nuclear Regulatory Commission, Priorttization Supplement Number 8, November 1988.

of Generic of Generic of Generic of Generic of Generic of Generic of Generic of Generic Safety Issuos, Safety Issues, Safety Issues, Safety Issues, Safety Issues, Safety Issues, Safety Issues, Safety Issues, NUREG-0933, NUREG-0933, NUREG-0933, NUREG-0933, NUREG-0933, NUREG-0933, NUREG-0933, NUREG-0933, 9-14 Nuclear Regulatory Commission, Prioritization of Supplement Number 9, April 1989.

Generic Safety Issues, NUREG-0933, IPE 8-1 05/29/92

9-15 Nuclear Regulatory Commission, Prioritization of Generic Safety Issues, NUREG-0933, Supplement Number 10, December 1989.

9-16 Nuclear Regulatory Commission, Prioritization of Generic Safety Issues, NUREG-0933, Supplement Number 11, July 1990.

9-17 Nuclear Regulatory Commission, Prioritization of Generic Safety Issues, NUREG-0933, Supplement Number 12, January 1990.

9-18 Nuclear Regulatory Commission, SECY-99-260, Shutdown Decay Heat Removal Requirements (USI A-45), September 13, 1988.

9-19 Oyster Creek Nuclear Generating Station, Operations Plant Manual, Volume 8, Module 55, Reactor Vessel Instrumentation System, Revision 2, November 28, 1989.

9-20 Nuclear Regulatory Commission, Resolution of Unresolved Safety Issue A-1 7, Systems Interactions in 'Nuclear Power Plants (Gsneric Letter 89-18), September 6, 1989.

9-21 Nuclear Regulatory Commission, Evalua1tion of Safety Implications of Control Systems in LWR Nuclear Power Plants, NUREG-1217, AprIl 1988.

nt

,pl,98 9-22 Nuclear Regulatory Commission, Regulatory Analysis for Proposed Resolution of USI A-47, NUREG-1218, April 1988.

9-23 Nuclear Regulatory Commission, Indivi'dual Plant Examination: Submittal Guidance, NUREG-1335, August 1989.

9-24 Nuclear Regulatory Commission, Shutdown Decay Heat Removal Analysis of a General Electric BWR3/Mark I, NUREG/CR-4448, March 1987.

9-25 GPU Nuclear, Piping and Instrument Diagram, Reactor Vessel Level/Pressure/Temperature Instruments, 148F712, Revision 23, July 3, 1991.

IPE 9-.12 05/29/92

APPENDIX A CONTRIBUTORS TO SYSTEM FAILURE

TABLE OF CONTENTS

1.

Isolation Condenser (Appendix F.1).............................

A-3

2.

Turbine Trip and Bypass (Appendix F.2).........................

A-5

3.

AC Electric Power (Appendix F.3)..............................

A-7

4.

125 VDC Power (Appendix F.4)...............................

A-12

5.

ESF Actuation Systems (ESFAS - Appendix F.5)..................

A-15

6.

Reactor Protection System (Appendix F.6).......................

A-17

7.

Service Water (Appendix F.7).................................

A-19

8.

Turbine Building Closed Cooling Water (Appendix F.8).....

A-21

9.

Main and IC Steam Isolation (Appendix F.9)......................

A-23

10.

Core Spray (Appendix F.1O0)..................................

A-26

11.

ContainmentSpray/ESW(AppendixF.11)

A-29

12.

Recirculation Pump Trip (Appendix F.12)........................

A-32

13.

Condensate and Feedwater (Appendix F.1 3).....................

A-34

14.

Circulating Water (Appendix F.14).....

A-38

15.

Automatic Depressurization (Appendix F.15).....................

A-40

16.

Standby Uquid Control (Appendlix F.1 6)..........................

A-42

17.

Primary Containment Isolation (Appendix F.1 7).

A-44

18.

Standby Gas Treatment (Appendix F.1 8)........................

A-46

19.

Fire Protection (Appendix F.19)...............................

A-48

20.

Condensate Transfer (Appendix F.20).

A-50

21.

Instrument Air (Appendix F.21)................................

A-52

22.

Control Rod Hydraulics (Appendix F.22).........................

A-54

23.

Reactor Building Isolation (Appendix F.23).......................

A-56

24.

Main Steam Safety and Relief Valves (Appendix F.24).....

A-58

25.

Containment Vent (Appendix F.25)............................

A-60 IPE

'A,_

05/29/92

Ust of Tables Table 1 Table 2 Table 3 Table 3a Table 3b Table 4 Table 5 Table 6 Table 7 Table 8 Table 9 Table 9a Table 10 Table 1 1 Table 12 Table 13 Table 13a Table 14 Table 15 Table 16 Table 17 Table 1 8 Table 19 Table 20 Table 21 Table 22 Table 23 Table 24 Table 24a Table 25 Isolation Condenser System Contributors................

Turbine Trip and Bypass Contributors..........................

Non-Essential AC Power Contributors.......................

Essential Bus 1C Contributors................................

Essential Bus 1 D Contributors...............................

125 VDC Power System Contributors...........................

ESF Actuation System (ESFAS) Contributors.....................

Reactor Protection System Contributors.........................

Service Water System Contribul:ors............................

Standby Gas Treatment System Contributors.....................

Main Steam Isolation System Contributors.......................

IC Isolation System Contributors..............................

Core Spray System Contributors..............................

Containment Spray System Contributors........................

Reactor Recirculation Pump Trip Contributors....................

Condensate and Feedwater System Contributors.................

RPV Level Control System Contributors.........................

Circulating Water System Contrilbutors..........................

Automatic Depressurization System Contributors..................

Lquid Poison Injection System Contributors.....................

Primary Containment Isolation System Contributors................

Standby Gas Treatment System Contributors.....................

Fire Protection System Contributors............................

Condensate Transfer System Contributors.......................

Instrument Air System Contributors............................

CRD Hydraulic System Contriburtors...........................

Reactor Building Isolation System Contributors...................

Main Steam Safety Valve Contributors..........................

EMRV Contributors........................................

Containment Vent System Contributors.........................

A-4 A-6 A-9 A-10 A-11 A-14 A-16 A-18 A-20 A-22 A-24 A-25 A-28 A-31 A-33 A-36 A-37 A-39 A-41 A-43 A-45 A-47 A-49 A-51 A-53 A-55 A-57 A-59 A-59 A-61 IPE A-iij 05/29/92

' Introduction The purpose of this document is to present a summary of major system analysis results, and to provide a list of insights and observations on the significant contributors to system unavailability of the 25 systems modeled in the level 1 PRA. This document contains recommendations for improvements and serves as input to the Conclusions and Planned Actions section of the IPE Submittal Report (Section 8.0). The format of the individual system summaries is as follows:

System name and top event System contribution to total core damage frequency Narrative description of the significant contributors to system unavailability Observations

-Recommendations Summary Tables (by top event)

System name and top event The systemr name provides the name of the system and the corresponding level 1 PRA Appendix F section number. These names occasionally differ from plant nomenclature due to system boundary and PRA modeling simplifications and restrictions.

Therefore, system functions which are more appropriately modeled together from a PRA perspective appear within a single system analysis. Th is, freq ue ntly results In multiple topp events being analyzed within a single -systems analysis.

These top events are described, in the introductory paragraphs.

Additional Information on any system or top event Is available in Appendix F of the level 1 PRA report.

System contribution to core damage is provided to give a perspective on the relative Importance of the system within the plant model.

The percentage given is the sum of the frequency of each sequence in which the top event (split fraction) are failed, divided by the total core damage frequency. This results in a total core damage frequency due to all top events of more than 100%, since, due to the redundancy of the Oyster Creek design, all sequences contain more than one failed top event (split fraction).

Narrative description of significant contributors to system unavailability presents the narrative description of the major contributors to system unavailability as well as any assumptions, conditions or observations which impact Its contribution to total core damage frequency. The narratives-typically describe hardware contributors, maintenance outage time, manual actuation and partial loss of support systems where appropriate.

Hardware contributors contain those components of the system which significantly contribute to system failure rate. Several sub-sections are used to present each significant contribution IPE A,-1 05/29/92

separately.

Maintenance-outage time presents the contribution of system maintenance to system unaIvailability and the conditions under which maintenance most significantly contributes to overall system unavailability.

Manual actuation presents the conditions under which the system Is expected to be manually operated and the contributions (operator survey results) which contribute significantly to the calculation of the operator error rate.

Partial loss of support presents the affect (shift in contributors) of degraded support system operation, such as the loss of one division of electric power.

Observations. This section provides a list of Insights and observations regarding the significant contributors to system unavailability.

Recommnendations. This section provides recommendations to improve system availability. This section Includes only those recommendations which would result In changes in maintenance practices, procedures, training or hardware modifications that are deemed necessary, based on the observaons regarding systm unavailability.

Summary tables (by top event) provide the core damage contributions due to each of the individual split fractions., These tables also show the relative contributions of various significant contributors to system; failureunder the various analyzed conditions. The significance of each of these contributors is discussed In the narrative section.

IPE A-:2 05/29/92

1. Isolation'Condenser (Appendix F.1)

A. System Contributors. The Isolation condenser (IC) system Is analyzed as OCPRA top event IC. Failure of this top event contributes 0.6% toltotal CDF. See Table 1.

1. Valve fallure. Condensate return valve failure dominates (96%) IC failure rate with both ICs available (ICI) and significantly impacts (60%) IC failure when only one IC Is available or following reactor trip failure (requiring both ICs to actuate).'
2. Isolation condenser failure. Independent IC failure (heat exchanger blockage or fouling) contributes slightly (4%6) to system failure with both ICs available and contributes 28% of system failure when one IC is available or following reactor trip failure.
3. Maintenance outage time. System failure while performing maintenance on one" train Is a significant (11 %) contributor For split fractions following failure of 41 60V bus 1 C or 1 D or following reactor trip failure.
4. Manual actuation. Following failure of IC actuation logic (high RPV pressure or lowlow RPV water level), manual IC actuation Is required (IC4). This split fraction is dominated (99%) by operator action failure.
5. Partial loss of support. The loss of one train of support (41 60V bus 1 C or 1 D, split fraction IC2) results In an increase in system failure rate by a ffactor of-approximately 30.

This also reduces the relative Impact of the dominant contributor to system failure (valve failure), shifting failure rate contribution towards IC failure (28%) and maintenance outage time (11%).

6. ATWS conditions. Following reactor trip failure (ATWS), 2 of 2 ICs are required to actuate (IC3). The contributions to this split fraction are similar to those when only one train is available (IC2). The more stringent success criteria for this case effectively doubles system failure rate from 1C2.'

B. Observations. The following observations can be noted by inspection of above:

1. Due to the relatively low failure rate of the components in this system, -condensate return valve failure to open contributes significantly to all cases with automatic actuation.
2. Operatorfailureto actuate isolation condensers dominates systemfailure following failure of actuation logic. Due to the reliability of the actuation logic system, this does not contribute measurably to core damage frequency.
3. Highlights the continued Importance of maintenance on condensate return valves.

C. Recommendations. None.

IPE A-3 05129/92

Table 1 Isolation Condenser System Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure Return IC failure Operator Maintenance All to Damage Rate

Valve, action outage time, other Frequency:

_ '_"___failurfailure

-ailure failures

IC1 Automatic actuatlon of 1 of 95.7%

4.0%

0.3%

0.50%

1.00x104 2 isolation condensers IC2 Automatic actuation of 1 of 60.9%:

27.8%

10.9%

0.4%

0.06%

3.01x103 1 Isolation condenser 1Z IC3 Automatic actuation of 2 of 60.3%

28.2%

11.4%

0.2%

0.01%

5.92x10J 2 isolatlon condensers durlng ATWS iC4 Manual IC actuation 0.9%

98.9%

0.2%

0.00%

1.01 XlO l

following logic. failure j l I

I l

Total system contribution-to core damage frequency 0.57% [

IPE A-4 05/29/92

2. Turbine Trip and Bypass (Appendix F.2)

A. System Contributors. The, turbine trip and bypass functions are modeled In OCPRA top events TT, BV and BT.

These top events contribute a total of 0.6% of core damage frequency. See Table 2.

1. Valve failure. Valve failure contributes significantly (13 to 35%) to turbine trip failure split fractions and dominates the turbine bypass valve trip split fraction (BTI

- 98%). This also dominates (99%) turbine bypass valve operation following reactor trip failure (ATWS), which requires 9 of 9 valves to open.

2. EPR failure. Electric pressure regulator (EPR) failure dominates automatic turbine trip (split fractions TT1 -'64% and TT2 - 62%), as well as turbine bypass valve operation following reactor trip (split fraction BV1 - 76%).
3. Manual actuation. Operator response to trip the turbine has a dominant (83%)

effect on split fraction TT3. The evaluations for this action show a relatively broad range (factor of 39). All but two operators evaluated this action as skill based, (performed from memory) as opposed to rule based (performed with procedures In hand).

B. Observations. The following observations can be noted by inspection above:

1. Due to the overall reliability of the hardware in these systems, EPR failure contributes significantly to system failure under normal conditions.
2. Individual valve failure to close dorninates the turbine bypass system failure rates for loss of condenser vacuum and ATW'S cases. This only contributes measurably to core damage frequency following Iciss' of condenser vacuum, primarily due to the overall reliability of the reactor trip system.
3. Operator failure to trip the turbine dominates thedturbine trip: failure rate following failure of actuation logic.

Due to the overallIreliability of the, actuation logic system, this does not measurably Impact core damage frequency.-

4. Highlights the continued importance of maintenance 'on turbine -stop and control valves.

C. Recommendations. None.

WPE

,-5 05/29/92

Table 2 Turbine Trip and Bypass Contributors Spit Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure Stop and EPR Operator All to Damag e Rate control failure action other Frequency valve failure falue failure

__=

TT1 Turbine trip or stop valves close 35.2%

63.6%

1.2%

0.10%

2.36x104 following reactorgtrip X_.

TT2 Turbine trip on high RPV water 34.4%

62.0%

3.6%

0.04%

2.42X1 04 level TT3 Manual turbine trip 12.7%s 83.3%

4.0% T000%

1.20x1 0-2 BT1 Turbine bypass valves close on 98.4%

16%

00242%

1.54x10.2 loss of vacuum, BV1 2 of 9 turbine bypass valves open 23.8%

75.7%0.5%

0.00%

1.98x10 4 I

following reactor-tripI' BV2 All turbine bypass valves open

.<98.8%

0.6%

0.6%

0.00%

1.35x1 02 following reactor trip failure C

A i_'_;

Total system contribution to ore damage frequency 0.56%/O IIPE A-6 05/29/92

3. AC Electric Power (Appendix F.3)

A. System Contributors. Independent failures of the AC electric power systems are analyzed in top events EA, EB, EC and ED. The failure or these top events, represent the failure of 4160 VAC buses IA, 1 B, 1 C and 1 D and associated switchgear, respectively. The failure of these top events appear in a total of 45% of core damage scenarios. See Tables 3, 3a and 3b.

1. Circuit breaker failure. Circuit breaker failure dominates (98%) the non-essential switchgear failure "rates and impacts (35Yo) the esseintial switchgear failure rates In the cases where all support is available (split fractions ECI and ED1).,

In the case of non-essential power, this is partially due to the requirement to separate both non-essential buses,1A and 1 B from thle main 'trtansformer following plant trip and reconnect the bus supplies to the startup transformers.

This type of failure also dominates essential bus failure during turbine building flooding events (split fractions EC3 and ED5), primarily, due to the assumed requirement to separate the 1 A1 and 1B1 motor control centers dueto grounding.,

Otherwise, loss of the entire bus is assumed.

2. Fan failure. Fan failure contributes slignlficantly'(60%) to essential swltchpgear failure when all support is available (split'fractions ECi, EDi and EDA)., This Is assumed to cause room overheating and failure of electronic components primarily due to transformer heat load. The exposure time for this failure is assumed to be 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, since the operator logs require these spaceis to be toured twice per shift (assumption 7 of the AC Power system analysis).
3. Partial loss of support. Due to the ireliance on diesel generators, the loss of 6ofsite power results inan'increase in'system' failure rate by a factor 'of approximately two decades (a factor of 100). This' also shifts the dominant contributor to system failure to diesel enerator operation.'
4. Bus failure. Independent bus failures contributes significantly '(35%) to split fractions EC' arid EDi only.
5. Diesel generator failure.

Diesel generator failure dominates (91%) the independent failure of essential switchgear following loss of ofisite power (split fractions EC2, ED2 and EDD). Also, 'these are the only system split fractions which significantily Imrpact core damiage frequency.

The failure 'of diesel generators is currently dominated by' runtme 'failures (approximately 70%), with the remaining contribUtion primarily due to diesel stait failures. These runtime failures have been segmented into failure during the first hour 'and failure during the remining 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> of the mission time. This is conservative since the recovery of offsfte power only includes recoveries within 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />, such that a successful diesel generator would only have to run for 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> IPE A-7 05/29/92

for success. Loss of offsite power recovery is analyzed in Appendix B.1 of the level 1 report.

B. Observations. The following observations can be noted by inspection of the AC electrical power system analysis results and significant contributors:

1. Circuit breaker failure to transfer dominates the failure of non-essential buses 1 A and 1 B, primarily due to the need to transfer power to the startup transformers following plant trip. Both split fractions EM1 and EBA (independent failure of non-essential power to transfer, simulating a loss of offsite power) contribute measurably (2 to 3%) to core damage frequency.
2. Ventilation fan failure contributes slgnhificantly tothe ;Independent failure of essential buses 1 C and 1 D iihen offslte pow.er is.available. Due'to the impact that failure of these buses has 'on plant systbrms, this form of failure does contribute slightly to core.damage frequency.
3. Diesel generator failure domin'ates essential bus 1 C and 1 D failure following loss of offsite power or 'failure of buses 1NI B. These split 'fractions contribute' significantly (15 to 20%) to core damage frequency, primarily due to the impact of the loss -of offsIte power Initiating event. Th.e significance of diesel generator failure is partially. due to the conservative treatment of diesel generator mission time for success.
4. Highlights the.contnued importance of maintenance on the diesel generators and circuit breakers.

C. Recommendations. Thelossof,offsite powier initiating event contributes, 33% to the total calculated core damage frequency. The risk profile due to the. ifamily;" of loss of offsite power events consists of both short and long tem losses of offsitepower. Short term. losses of offsite power followed by other failures suh as,,the common causefailure-of both diesel generators combined with EMRV failure to reclose or other ECCS systems failure contribute significantly to the risk profile. Lqng termr.losses of offslte power concurrent with failures of diesel generators and ECCS systems combined with battery depl etion result in eventual core damage.

A station blackout technical basis document Is under development. This document Is to serve as tie basis for the' creatio'n of a station blackout procedure. Completion of the station blackout technical basis report and the creation of an0 yster Cree kplant specific Integrated loss of offsite power procedure (larger in scope than the original station blackout procedure) could provide Improved operator, coping, bllity,in loss of offsite power events.

lt is recommended that, this p;rocecdrur e

include proovisiqons for,

  • Recovering offsite power or onsite sou'rces andappropriately aligning or cross-tieing buses to power.critical equipment.
  • The startup and alignment of the alternate AC capability.

IPE A-13 05129/92

Table 3 Non-Essential AC Power Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure Circuit Transformer All to Damage Rate breaker failure other Frequency failure failures EA1 Failure of bus 1A 97.9%

1.6%

0.5%

2.51%

2.33x10 4 EBI Failure of bus I B 97.9%

1.6%

0.5%

0.27%Y 2.1 6x1 0-EBA Failure of bus 1 B, given 99.9%

0.1%

2.16%

7.00xl 0.2 (EFI) failure of bus IA I

Total system contribution "to core damage frequency 4.94%

IPE-A-9 05/29/92

Table 3a Essential Bus 1C Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description ContributIon Failure Fan Bus Circuit Diesel All to Damage Rate failure failure breaker generator other Frequency failure failure failures EC Bus 1C failure with 1A 59.6%

34.8%

5.3%

0.3%

1.73%

3.69x1 04 success EC2 Bus 1C failure after loss of 2.1%

1.1%

2.7%

91.2%

3.0%

18.30%

5.84x10.2 bus IA EC3 Bus 1C failure during 23.3%

1.7%

69.9%

5.1%

See note 9.50x1 04 turbine building flooding Total system contribution to core damage frequency 20.03%

Note:

Split fraction EC3 is used only In the internal flooding analysis, which was done as a screening analysis only (see SectionI10 of the level 1 PRA report). It Is listed here for completeness.

IPE A-10 05/29/92

Table 3b Essential Bus 1 D Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction.

Description Contribution:

Failure Fan Bus:

Crcuit Diesel

All, to Damage Rate failure failure' breaker generator other Frequency

_____I.____

failure failure' failures ED 1

Bus 1D failure'with 1 D0 59.6%

34.8%,

5.3%

0.3%

1.73%

5.90xi 04 success ED2 Bus-1 D failure after loss of 2.1%

1.1%

2.7%

91.2%

3.0%

18.30%

5.82x1 o2 bus 1B:

ED5 Bus 1D failure during 37.7%

6.8% -55.4%

0.1%

See note

1.17x1 0 l turbine building-flooding. :_

9__1_.__

'-i ou8 ;v fulture iiter-i05S o

_Z.

19.1%s 3.4s 0.00%G'

5. 3x (EEl) bus1C I.o'o

.9.

3.4%

0.00l' EDD

' Bus 10 failure after loss of l1.7% 1 1.4%

2.1%

92.5%

.2.3%

0.00%

6.58x1 O (EE4)

,- :"buses A, lBand1 C

l_____l__

Total system contribution to core damage frequenc MOM____

20.03%

Note:

Split fraction ED5 is used only In the Internal flooding-analysis, which was done as a screening analysis only (see Section 10 of the level 1 PRA report). It is listed here.-for completeness.-

IPE A-11 05/29/92

4. 125 VDC Power (Appendix F.4)

A. System Contributors. The 125 VDC power system is modeled in OCPRA top events DB, DC, XB and XC. Failure of these top evenis contributes a total of 31 % of core damage scenarios, all due to failure of top events DB and DC. See Table 4.

1. Battery failure. Short term DC bus failure Is dominated (93%) by battery failure, either on initial demand or during the 3 hour3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> time horizon defined for short term operation. This failure is due to the failure of battery capacity on demand (based on failure during test discharge surveillance testing).

Since the design of the Oyster Creek electric power system requires system re-alignment to the startup transformers following plant trip, at least a momentary discharge Is expected, during which time the battery output would be-expected to dip slightly. This is conservative In that the failure data is more representative of a longer term discharge of the battery, but is a customary plant modeling technique. Even though battery A could be cross-connecte'd to battery B loads for some failure scenarios, it Is not credited In this analysis (see Assumption 6 In the system analysis). Model changes that would take these factors Into account would not be expected to change the basic conclusion that1b'attery failure represents a significant contributor to the risk profile at Oyster Creek.

2. Battery charger failure.

Long term DC bus failure is dominated by battery charger failure during the assigned 22 hour2.546296e-4 days <br />0.00611 hours <br />3.637566e-5 weeks <br />8.371e-6 months <br /> mission' time.

Alignment of the backup battery charger Is not currently modeled (see assumption 8 In the DC Power system analysis). Nevertheless, tihe long term loss of DC power (split fractions XB1 and XC1) do not contribute measurably to core damage frequency.

B. Observations. The following observations can be'noted by inspection of the DC electrical power system analysis results andsignificant contributors:

1. Battery failure on, demand dominates short term system failure, which contributes significantly (15 to 20%) to core damage frequency.

This may be partially mitigated by the analysis of battery failures, thoughindustry data is sparse In this area (i.e. the specific conditions of battery failure). Also, due to the Impact of DC bus C on containment heat removal recovery of this system is modeled in Appendix B.4 of the level 1 PRA report.

2. Battery charger failure dominates long-term system failure.

Due to the less rigorous requirements for DC power several hours' after plant trip from power, particularly after 'short term actuation of frontline response systems, this does not measurably impaict core damage frequencdy.

0

3. The above results highlight the contin ued importance of battery and DC bus/panel maintenance.

IPE A-1.'

05129/92

C. Recommendations. The failure of all DC powerevents contribute, significantly to total core damage frequency. Long term loss of DC power following station blackout events Is also a significant contributor to the risk profile. Following a long term station blackout the eventual depletion of DC batteries contributes significantly to the OCPRA risk profile. Several actions are recommended which could increase operators ability to cope with loss of all DC power events and reduce the contribution of DC, power failures to total core damage frequency.

1. Develop a loss of all DC power procedure, coordinated with the Integrated loss of all AC power procedure (see AC Power system contributors). This procedure should Include guidance on the cross connection of essential loads to the A battery.
2. Consider procuring, staging and procedurally directing the use of a portable DC generator and equipment necessary to supply essential loads for coping with long term losses of DC power.

FPE A-1 3 08/1 1/92

Table 4 125 VDC Power System Contributors Spilt Splt Fraction Relative Failure Rate Contribution Split Total Fraction Description Fraction

Failure, f

Contrilbution Rate Battery Bus Circuit Battery

All to Damage failure failure breaker charger other Frequency failure failure failures DB1 125 VDC bus B short term 92.2%

2.1%

5.7%

0.0%

15.00%

5.64x1 W,.

DC1 125 VDC bus C short term 93.1%

2.1%

4.8%

0.0%

15.90%

5.58x10.

XB1 Long term DC bus B 1.5%

98.2%

0.3%

0.00%

8.78x10o XC1 Long term DC bus C 2.9%

97.0%

0.1%

0.00%

4.37x10ll Total system contribution to core damage freluency 30.90%

IPE A-14 08/11/92 f-

5. ESF Actuation Systems (ESFAS - Appendix F.5)

A. System Contributors. The ESF actuation logic systems are modeled in OCPRA top events PR (high RPV pressure), RL'(low-low RPV wVater level) and DP (high-drywell pressure). These top events contribute a total of 3.0% to core damage frequency. See Table 5.

1. Sensor failure. Active sensor failure dominates,(74 to 99.9o) actuation logic failures for the cases with both trains of DC power support available.
2. Partial loss of support. The loss of one train of support (125 VDC bus B or C) results in an Increase in system failure rate by a factor of approximately 60 to 180.

This also shifts the dominant contributor-to system failure towards failure while In test alignment.

3. Test alignment. System failure rates are dominated (79 to 92%) by test alignment whenever one train of DC'power is unavailable. This Is due to the assumption that the affected components are disabled during testing, as allowed by Technical Specifications for up to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />, after which the affected channel must be placed, In a tripped condition (see Page F.5-6 of Appendix F).

B. Observations. The following observations can be drawn by Inspection of the ESF actuation system analysis results and significant contributors:

1. Sensor failure dominates all split fractions with both trains of DC power available.

Due to Its impact on plant system actuation, only failure of low-low RPV water level contributes more than % to core damage frequency.-

2. Time spent In testing alignment on the unaffected train dominates system failure following failure of one train of DC power. This is partially due to-the conservative assumption that the channel In test is riot placed in a tripped condition, until this is required by TechnicalSpecifications (2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> per channel per month).

C. Recommendations. None.,--

IPE A.-i 05/29/92

Table 5 ESF Actuation System (ESFAS) Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description T

Contribution Failure Sensor Test

Relay, All to Damage Rate failure alignment failure' other Frequency time

[failures PR1 High RPV pressure 99.9%

0.1%

0.00%

8.42xI 0-actuation with all support available PR2 High RPV pressure 8.2%

91.8% 0 0.0%

0.64%

5.97x1 0-3 actuation with one 125 VDC bus available RL1 Low-low RPV water level 83.2%

12.9%0i 3.9%

1.36%

1.1 4x1 04 logic with all support RL2 Low-low RPV water level 7.5%

.85.0%

7.3%

0.2%

0.02%

6.92x10,l logic with one 125 VDC bus available lDP1 High drywell pressure logic" 73.6%

23.9%

2.5%

0.50%

9.90x1m0l with all support available e DP2 High dryweli pressure logic 7.0%

79I%

3.5%

0.3%

0.50%

6.45x1 0-3 with one.125 VDC bus available Total system contribution to core damage frequency 3.02%

IPE A-16 05/29/92

6. Reactor Protection System, (Appendix F.6)

A. System Contributors. The reactor protection system (RPS) Is modeled in OCPRA top event RS. Failure of this top event contributes a total of 2.8% to core damage frequency. See Table 6.

1. Control rod failure. Control rod failure dominates (59 to 72%) the cases where the automatic reactor trip function is available (split fractions RS1, RS2 and RS5).

Due to the large amount of redundancy In the system, this is dominated by the global failure term (i.e. individual failure of control rods does not measurably contribute, compared to the possibility of a common mode failure mechanism).

2. Air operated valve failure.. Failure of the scram 'outlet valves to operate contributes between 22 and 28% of system failure rate following automatic reactor trip. Again, this form of failure is dominated by common mode failure.'
3. Manual actuation. Due to the relative reliability of the reactor trip system, manual operator actuation of the system dominates split fractions RS3 (100%) and 'RS4
4. Partial loss of support. Loss of instrument air has virtually no impact-on the failure rates for the reactor trip system (compare RS1 and RS2). Loss of support to the alternate rod Injectionr (ARI) system has a minor impact (approximately a 20% Increase) on system failure rate.

B. Observations. The following observations can be 'drawn by inspection of the'reactor trip system analysis results and significant contributors:

1. Due to overall system reliability, global common cause failure of control rods to -

insert dominates the automatic system actuation split fractions. Of these cases, RS1, which is currently evaluated at.1.68x1 06, is the only split fraction that contributes materially (2.7%) to core damage frequency.

2. Operator failure dominates this failure rate following failure of actuation logic. Due to the overall reliability of the actuation logic system, this does not measurably Impact core damage frequency.

C. Recommendations. None.

IPE A-1 7 05/29192

Table 6 Reactor Protection System Contributors Split Split Fractioni Relative Failure Rate Contribution Splt Fraction Total Fraction Description Contribution Failure

'Control Air Operator Relay All to Damage Rate failure

- valve falure failures

[

failure RS1 Reactor scram with all support 72.1%

27.7%

0.2%

2.74%

1.68x10 available RS2 Reactor scram following loss of 72.2°%

27.7%6 0.3%

-0.06%

11.68x1 4 instrument air RS3 Manual scram following turbine 100%

0.0%

0.00%

3.50x1 T2 l failure to trip

.___._._-_I_

RS4 Manual reactor scram following 0.1%

.9%

0.0%

0.01%

2.00x10-3 actuation logic failure I--

I I III RS5 Reactor scram following failure of 59.1%

227%

16.3%

1.9%

0.00%

2.05x1i r support to alternate rod injection.

(A RI)

-i_

Total system contribution to core damage frequency 2.81%

IPE A-1 8 05/29/92

7. Service Waler (Appendix Fl)

A. System Contributors. The service water system is analyzed as top event SW. 'Failure of this top event contributes a total of less than 0.1 % of core damage frequency. See Table 7.

1. Manual actuation. Operator action to start the standby pump following failure of the running pump has a measurable impact (6 to 11%.°) on split fractions SW1 and SW2 (offsite power available). From Table 6.3-4 (Page 6.3-29), this action has a relatively broad distribution (range between estimates of a factor of 67) between evaluators.
2. Partial loss of support. The loss of power to the running service water pump (SW2) Increases system failure rate by approximately a factor of 100. This also shifts the dominant failure contribution to maintenance on the available pump (64%).
3. Pump failure. Pump failure dominates system failure rate for the all 'support available case and following loss of offsite power, where both pumps would receive a start signal on diesel generator start. Due to the overall reliability of this system, this does not measurably impact core damage frequency.

B. Observations. The following observations can be drawn by inspection of the' service water system analysis results and significant contributors:

1. Pump failure dominates system failure rates when all support is available or following loss of offsIte power. Neither of these cases contribute measurably to core damage frequency.
2. System maintenance alignment contributes -significantly to system failure rate-when only one train is available (i.e. maintenance is being performed on'the unaffected train). Again, this does not materially impact core damage frequency.

C. Recommendations. None.

IPE A-19 05/29/92

Table 7 Service Water System Contributors Split Split Fraction Relative Failure Rate Contribution Spilt Fraction Total Fraction Description Contribution Failure Pump

-Operator Maintenance.

All to Damage,

Rate, failure action '.

alignment, other Frequency 1 o 2 s failure time failures SWI 1 of 2 service water pumps 91.86.4%

1.8%

0.00%

2.21 x104 with all support available SW2 1 service water pump 237%

11.1%

164.1%

1.1%

'^0.05%

2.31xl02 available SW3 1 of 2 service water pumps 98.4%

1.6%

' 0.00%.

5.27xi 0 following loss of offsite l_ _ _ _ _ _ _

p o w e r

_' ^

_' _ _ _ _ _l Total system contribution to core damage frequency 0.05%

IPE A-20 05/29/92

8. Turbine Building Closed Cooling Water (Appendix F.8)

A. System Contributors.

The turbine building closed cooling water,(TBCCW) system is modeled in OCPRA top event TB. Failure of this top event contributes 0.2% of total core damage frequency. See Table 8.

1. Heat exchanger failure. Heat exchanger failure (blockage, fouling or rupture) dominates (72%) the case where all support available (1TB1).
2. Partial loss of support. The loss of one train, of support (41,BVbus 10C or 1 D, split fractions TB2 and TB3) results In an increase In system failure rate by a factor of 3 (TB2) to 300 (TB3). This also shifts the largest contributor to system failure due to the failure of the opposing check valve to reseat (TB21) and the dominant contributor to pump maintenance on the remaining pump for TB3 (91%).
3. Manual alignment.

Operator action to align the TBCCW heat exchangers to service water cooling is analyzed In TB4 and T365 (following loss of offsite power).

B. Observations. The following observations can be noted by inspection of the turbine building closed cooling water system analysis results and significant contributors:

1. Heat exchanger failure dominates system failure fate when all support is available.

2a Failure of the discharge check valve to close on the failed pump contributes significantly to system failure following loss of bus 1 D.

3. Maintenance on the available pump dominates system failure following loss of bus 10C.

1~~~

C.

4. Operator failure dominates system failure rate following both loss of circulating water cooling to the heat exchangers and following loss of offsite power.'

Due to the overall reliability of the TBCCW system and the Oyster Creek plant design, none of these split fractions contribute materially to core damage frequency.

C. Recom'mendations. None.'

IPE A-21 05/29/92

Table 8 Standby Gas Treatment System Contributors

'Split Split Fraction Relative Failure Rate Contribution Spit Total Fraction Description Fraction Failure Contribution Rate Heat' Manual Check Pump Maint.

All to Damage exchanger valve valve failure align.

other Frequency failure transfer failure time failures

_ _ _ __ closed TB13All support available 72.7%

26.1%

_ 1.2%

0.00%

7.78x1 04 TB2 1 of 2 TBCCW pumps after 17.7%

7.4%

43.5%

29.2%

2.2%

0.00%

2.88x104 loss of bus 1 D TB3 1 TBCCW pump after loss.

0.2%

0.5%

8.7%

90.6%

0.0%

0.09%

2.70x1 of bus IC TB4 Manual.alignment to 1 00% of failure rate due to failure of operator action 0.03%

9.01xl&

SeviAce.

-a4t aftr I-s of::

circulating water TB5 Manual TBCCW restart 100% of failure rate due to failure of operator action 0.04%

2.00x104 and alIgnment to service water cooling during loss of offsite power Total system contributloh to core damrage frequenc 0.16%

IPE A-22 05/29/92'

9. Main and IC Steam Isolation (Appendix F.9)

A. System Contributors.

The main and isolation condenser steam isolation systems are analyzed as OCPRA top events MS, ME and.Ml. -The independent failure of these top events contribute a total of 1.0% to core damage frequency. See Table 9 and 9a.

It is assumed (see Assumption 4 in the system analysis) that instrument air is not required to maintain the MSIVs closed following system isolation.

1. Valve failure. Valve failure to close dominates (99.8%) the failure rate for MSIV closure on low-low RPV water level and MSIV closure during a high RPV water level excursion (86%).

In the case of closure during high RPV water level excursion, the operator acts to backup sensor failure for the assumed high flow condition as RPV water level approaches the main steamlines.

Valve failure Is also the most significant failure mode for IC isolation.

2. Relay failure. Relay failure Is the dominant failure mode for MSIV failure to close on low steamline pressure (ME1).
3. Manual actuation. Operator response Is modeled in split fractions ME2, M12 'and MS3. Of these, M12 (IC isolation on high RPV water level) was judged to be a skill based action (performed from memory, then verified by procedure) by all evaluators (see Page 6.3-17). The action to close MSIVs on lowering RPV water level following failure of low-ow level "actuation logic (MS3) was evaluated by 7 operators as a skill based action. The remaining 3 operators identified this as a rule based action, which would be performed with procedures in hand.

B. Observations. The following observations can be drawn by inspection of the main and IC steam isolation system analysis results and significant contributors:

1. Valve failure to close and actuation relay failure contribute significantly to both analyzed conditions for IC isolation.
2. The overall core damage frequency contribution for these systems is small.

C. Recommendations. None.

IPE A.-23 05/29/92

Table 9 Main Steam Isolation System Contributors Split Split Fraction Relative Failure Rate Contribution Splt Fraction Total Fraction Description r

Contribution to Failure Valve failur Relay

' Operator I All other damage Frequency Rate to close falur laction failure failures ME1 MSIV closure on low 26.3%

73.3%"

0.4%

0.63%

4.07x104 steam line pressure withy all support available

__ God ME2 Manual MSIV closure 86.3%

12.8%

0.9%

0.00%

1.24x104 during high level excursion MS1 MSIV closure on low-low 99.8%

0.2%

0.00%

9 1.08x1 07 RPV water level with all support available i,,:_-:,:.C___X_

MS3 Manual MSlV closure on 1 701.

.%V 1

x1 0

lowering RPV water level,

I l

Total system contribution to core damage frequency 0.84%

[

I WPE '

A-24 05/29/92

Table 9a IC Isolation System Contributors Split Split Fraction, Relative Failure Rate Contribution Split Fraction Total Fraction' Description tribution to Failure Valve Pressure Relay failure All other Damage Frequency Rate failure to switch failures close failureu__

MI1 IC Isolation on high steam 43.7%

31.1%

24.3%

0.9%

0.00%

1.22x104 flow M12 IC Isolation on high RPV

63.

0%

2.6%%

33.1%

1.3%

0.21%

1.26x104 water, level 1Ttal system contribution to core damage frequency 021%

Note:

Ai Mi2 cutsels require failure of operator action ZHEM12, I above.

In addition to the hardware listed IPE A-25 05129192

10. Core Spray (Appendix F.10)

A. System Contributors. The core spray system Is modeled in OCPRA top event CS. Failure of this top event contributes a total of 117.0% to core damage frequency. This system analysis also accounts for the capability to cross connect fire protection to inject to the reactor vessel through core spray (split fraction CS5). See Table 10.

1. Pump start failure. Pump start failure dominates the failure of the core spray system for all cases involving automatic actuation (split fractions CS1, CS2 and CS3) following plant trip. For the cases with core spray piping failure (split fractions CS7 and CSO), pump start failure contributes significantly (63%/6) to system failure only when one main and one booster pump are available. The data for this mode of failure are in line with industry averages.
2. Manual actuation. Operator response has a dominant effect on split fractions CS4, CS5 and CS6.
3. Partial loss of support. The loss of one train of support (41 60V bus 1 C or 1 D, split fractions CS2, CS3, CS6 and CS8) re sults In an increase in syste m failure rate by a factor of approximately 2 to 5. Due to the dominance of pump start failures for CS1, CS2 and CS3 and the supply of one main and one booster pump In each loop from each division of essential AC power, this does not result in a shift in system contributors, though a shift does, occur in the case of core spray line break (shifting the dominant contributor from guaranteed failure while performing maintenance on the intact train to pump start failure).
4. Valve failure. Failure of the parallel or the serial Inject valves contributes less than 9% to all split fractions analyzed. This type of failure is of note since "supercomponents" were used to model these components. The individual failure of any single piece of equipment within these groupings is therefore not separately identified within the system cause table.

For those cases with degraded support available to the parallel inject valves (I.e.

power available to only 1 of 2 valves -see assumption 10 in the system analysis),

two main and two booster pumps are also failed, which causes the relative contribution to system failure due to valve failure to drop to 2.4% for split fractions CS2 and CS3.

5. Maintenance outage time. Since each core spray subsystem has one main and one booster pump powered from each essential 4160 VAC bus, system failure due to train maintenance only appears as a significant contributor for cases with core spray line failure In the opposite loop (i.e. split fractions CS7 (83%G) and CS8 (34%)).
6. Alignment to Inject with fire protection. While operator alignment to Inject through core spray with fire protection (split fraction CS5) is only modeled for those cases with all core spray pumps failed due to loss of motive power (failure IPE A-26 05/29/92

of 4160 VAC buses 1C and 1 D); the dominance of pump start failure for split fractions CSi, 0S2 and CS3 indicates that this alignment may also be a viable accident management mitigation strategy following independent failure of core spray pumps to start. The extremely broad variance between operator evaluations for this-action, however, Including two evaluations as guaranteed failure, indicate that successful completion of this action, particularly before fuel cladding perforation and substantial core degradation is questionable. As noted above, though, this may be an effective means of providing long term cooling water flow to core debris.

it should be noted that this action would only be taken following site blackout scenarios with loss of RPV Inventory (i.e. with stuck open EMRV or IC failure).

Otherwise, the operator would align fire protection to provide IC makeup, rather than Inject fire pond water Into the reactor vessel. Both of these actions are addressed by existing EOPs.

B. Observations. The following observations can be made by inspection of the core spray system analysis results and significant contributors:

1. Pump start failure dominates the cases where automatic actuation takes place with both loops intact. Of these, split fraction CS1 contributes significantly (11.7%)

to core damage frequency.

2. Operator failure to actuate the system dominates the cases where actuation logic is not available and both loops are Intact.
3. Maintenance time on the available train contributes significantly to system failure when one loop is failed due to pipe break.
4. Existing EOPs address injection with fire protection water as a backup to the core spray system.

C. Recommendations. None.

IPE

,-27 05/29192

Table 10 Core Spray System Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure Pump Operator Valve Maint.

All to Damage Rate start action failure outage other Frequency failure failure j

time failures CS1 RPV injection with 1 of 2 main 89.3%

8.9%

1.8%

11.70%

1.77x1 04 and booster pumps in either loop with all support available i

CS2 RPV Injection with 4160 VAC bus 96.5%

2.4%

1.1%

1.14%

9.27x1o0 1 C failed (fails one main and one booster pump In each loop) 0S3 Similar to CS2 with 4160 VAC bus 96.4%

2.4%

1.2%

1.22%

9.88x1 04 1 D failed (1C available)

CS4 Manual actuation with all support 1.7%

97.9%

0.4%:

0.00%

8.18x1 ll available

L l _

ICS5 Manual alignment of fire 99.5%

0.5%

0.88%

1.91 x02 protection to inject to the RPV after failure of buses 1 C and 1 D i

.._I_._._

CS6 Manual actuation after failure of 10.4%

89.1%

0.5%

1.78%

8.98x1 04 bus 1C or iD

-?

i.

-_.l__

CS7 Injection with second loop after 68%

8.7%

83.1%

1.4%

2.00%

9.05x1 04 failure of core spray line'

,.:_lI CS8 Similar to CS7 with 4160 bus 10 61 %

1.70%

34.3%

0.9%

0.00%

2.1 9x102ll or 1 D failed,

Total system contributlon to core damage frequency 17.02%

I IPE A-28 05/29/92

11. Containmern Spray/ESW (Appendix F.1 1)

A. System Contributors. Containment spray and emergency service water (ESW) are analyzed as a single top event (CC). Failure of this top event contributes a-total of 4.0% to core damage frequency. See Table 11.

1. Manual actuation. The system is modeled as a manual start only design. This significantly affects the system failure rate and Its impact on the plant model, since operator failure to properly actuate the system Is a significant contributor to virtually all of the split fractions analyzed.

Operator response has a dominant (95% or more) effect on split fractions CC3, CC4 and CC5. From Table 6.3-5, the actions for operator actuation of torus cooling (dynamic test) (CC3 and CC4) have fairly close agreement (0.005 versus 0.007), whereas operator actuation of containment sprays had an overall mean failure rate approximately twice as high (0.013).

2. Partial loss of supporL The loss of one train of support (4160V bus 1C or 1 D, split fractions CC7, CC8 and CC9) results In an increase In system failure rate by a factor of 2 to 3. This also shlfts the dominant contributors to-system failure:

towards heat exchanger blockage (approximately 20%) and maintenance outage time (approximately 40%). The contribution due to guaranteed failure} while performing maintenance on the unaffected system Is artificially high due to the conservative modeling assumptions (see Maintenance outage time, below).

3. Heat exchanger blockage. Heat exchanger blockage contributes less than 3%

to total system failure rate for those conditions with both trains available, primarily due to the availability of a redundant train.

For those split fractions with loss of 41 60V bus 1 C or 1 D, the loss of one train of containment spray/ESW pump effectively removes this redundancy, such that the two heat exchangers In the operable trains must continue to operate throughout the mission time of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. The design of the containment spray system prevents Isolation of a single heat exchanger for cleaning with 'the other remaining in operation. In other words, blockage of a single heat exchanger will fail the heat removal capability of the affected train.

It should be noted.that the system data records 7 failures, 4 of which occurred during a single period of two months..Following this period, a significant amount (but not all) of the protective coating Initially installed in the ESW piping was removed.. Continued observation of component data over time may justify lower component failure rates.

4. Maintenance outage time. System failure while performing. maintenance on one train is the most significant contributor following failure of 4160V bus 1C or 1 D.

This is primarily due to the model simplification of evaluating the system for only one maintenance alignment and conservatively assuming that the system is failed IPE A-29 05/29/92

whenever the assigned train Is in maintenance and either 41 60V bus 1 C or 1 D is not available. This model simplification effectively doubles system failure due to train maintenance outages, a conservatism that is addressed in Appendix B.4 (recovery from loss of containment heat removal) of the level 1 PRA report.

Also, the Oyster Creek maintenance duration data are rather high, compared to the Industry.

Therefore, reducing system and component maintenance and outage times could significantly Improve system failure rates for the cases with one train of support failed.

B. Observations. The. following observations can be made by inspection of the containment spray/emergency service water system analysis results and significant contributors:

1. Operator action failure dominates system failure rate for the cases where both trains are available. The containment spray/ESW system failure rate Is dominated by operator failure to actuate the system for split fractions with both trains available (CC3, CC4 and CC5).
2. Maintenance outage time on the available train,, heat exchanger blockage and operator failure all contribute significantly to system failure rate following-loss of bus 1C Cor I D.
3. Overall, the heat exchanger failure rate is higher than the industry average, predominantly due to the occurrence of a relatively large number of blockages during a two month period several years ago.

C. Recommendations.

1. Since the operator plays a-major role In successful Initiation of the containment spray system, these actions should be emphasized-in training.
2. Changes to the coordination of preventive maintenance-on the containment spray system could.- result in decreased,.outage tirne. I Containment' spray heat exchanger, containment spray pumps, ESW pump preventive maintenance should be coordinated to coincide with planned refueling outages. For example, all planned refueling outages could include the replacement of heat exchanger anodes and cleaning. In cases where maintenance-must be performed on -a single component In the system (which results Jin the unavailability of an entire system)-other system preventive maintenance tasks should be performed during this same outage time.
3. Efforts to; reduce the likelihood, of heat exchanger blockage should continue. -

Removal of the damaged sections of the ESW pipe coating and the cdorination system modification have been major Improvements. Further enhancements to the chlorination system (to chlorinate a larger segment of the system)'that are planned for the next refueling outage should be completed as scheduled.

IPE A-30 05/2!9/92

Table 11 Containment Spray System Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure Operator Heat Pump.

Maintenance All to Damage Rate "Raction exchanger start

outage time other:

Frequency failure blockage failure failures CC3 Operator starts 95.8%

2.4%

1:4%

0.02%

1.87x10r containment spray to cool torus (IC successful with failure of makeup) ;..

^

CC4 Operator starts

-95.9%

2.0%

2.1%

0.64%

2.07x102 containment spray to cool torus after IC failure 005 Mpnhml F.RWr-fnntAlnmant 9q50%

n.0%

O

,ooA I

0 317x1 fl spray actuation_(1 of 2) l l-l_l l

CC6 Manual actuation during 55.7%i T 2.0%,

37.2%Y 5.0%

0.02%

2.87x10'2 l reactor trip failure - main l and backup pumps required

^

_.:___^_____l CC7 Similar to CC3 with 4160V 33.0%N

22.7%

2.2%,

40.8%

1.3%

0.02%

5.25x1 02 buslCor1Dfailed l

^

l l^.

008 Similar to CC4 with 4160V -35.9% T 21.9%

2.6%

39`4%

0.2%

1.46%

5.44xl 02 bus 1C or 1,failed

__;-l___
-

CC9 Similar to cc5 with,41t60V 26.7%

25.0%

2.9%

45.0%

i0.3%

0.50%

4.76x1 0.2

_ l bus 10C or 1D failed

,l l__________

Total system contributiontocoredamage frequency-,

4.02%

^

IPE PEA-31 05/29/92

12. Recirculation Pumrp Trip (Appendix F.12)

A. System Contributoro. The automatic trip of the reactor recirculation pumps on IC actuation (high RPV pressure and low-low RPV water level) Is modeled In OCPRA top event RP. This top event also Includes the trip of all 5 recirculation pumps during reactor trip failure (ATWS) conditions. None of the Individual split fractions for this system contribute significantly (more than 0.00%) to core damage. See Table 12.

1. Circuit breaker failure.

System failure during automatic operation (RP1) is dominated (97%) by failure of any recirc:ulation pump supply circuit breaker to open. This Is conservative in that It more than doubles the system failure rate for cases In which reactor trip is successful (see assumption 3 In the system analysis). Following reactor trip, only the Au and ZEN recirculation pumps would be required to trip to prevent IC Isolation on high condensate return flow.

While this affects the Individual system failure rate, it does not materially affect plant model resuits, since split fraction R!P1 contributes 0.00% to core damage.

2. Relay failure. The alternate actuation logic path from relays 1K19, 1S. 20, 2IK19 and 2K20 Is ri6t modeled (see assumption 5 In the system analysis). Since relay failure contributes 1.2% of system failure rate for automatic actuation (split fraction RP1), this does' not materially affect the results for this system.
3. Manual actuation. Operator response has dominant (87%) effect on split fraction RP2, Which Is used whenever IC actuation logic, which also trips the recirculation pumps, fails. Of the 11 evaluations for this action, 5 operators evaluated this as a skill based action (performed from memory, then verified with procedures), -as opposed to rule based (refer to the procedure before Performing the action).
4. Reactor trip failure (ATWS).

It should be noted that the manual action for operator trip of the reactor recirculation pumps-includes the manual actuation of liquid poison (boron) Injection following failure of reactor trip. This is due to the close linkage between successful reactor trip and the timing constraints on liquid poison Injection. This evaluation is conservative for the non-AIMS case.

B. Observations. The following observations can be drawn by inspection of the above results:

1. System failure rate Is dominated by circuit breaker failure when actuation logic is available.
2. Operator failure dominates system failurejfollowing failure of IC actuation logic.
3. Continued emphasis on circuit breaker maintenance is appropriate.

C. Recommendations. None.

FPE A-32 05/29/92

Table 12 Reactor Recirculation Pump Trip Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure

-Circuit :".Trip Valve Operator All to Damage Rate breaker coi failure action l other Frequency

_.__-'_-x_

failure failure ______jfailure_ _failures

.RP1-Automatic trip of 5 Of 5.reactor 97.0%

1.5%

1.2%

0.3%

0.00%

2.82x1lO7 (RP3) recirculatiori pumtps 'on 'hi gh RPV pressure or low-low RPV water:

le.vel.

RP2 Recirculatlon'pump trip following 12.8%

86.8%

0.4%

0.00%

2.54x1 0

-,failureofIC actuation logic;,

(manual actuation)

Total system contribution to, core" dmage frequency IPE A-33 05/29/92

13. Condensate and Feedwater (Appendix F.13)

A. System Contributors. Independent failures of the condensate and feedwater systems are analyzed in top events CP and FW, respectively. The independent failure of these top events contribute a total of less than 0.1 % to core darmage frequency. See Table 13.

RPV water level control is separately analyzed in top events RF and OF, which contribute a total of 1.36% to core damage frequency. See Table 1 3a.

1. Blockage of steam seal exhauster. Since the steam seal exhauster represents a single common point In the system flow path, blockage "of flow through this component will significantly degrade condensate makeup'capability. Blockage of this component dominates (96%) condensate system failure with all support available (split fraction CP1) and contributes 26% to system failure following loss of bus 1A.

Manual valve transfer Is also Included in the failure of this flow path. This failure contributes 4% of system failure In the all support available case (split fraction CPm).

Due to the extremely high reliability of the condensate system, this mode of failure does not measurably impact plant model results.

2. Partial loss of support. The loss of one train of support (4160V bus 1 C or 1 D, split fractions CP2, CP3, FW2 and FW3) results in an increase In system failure rate by a factor of approximately 3 to 5. This also shifts the dominant contributors to system failure towards pump train failure and maintenance outage time on the unaffected components.

This mode of failure Increases the joint condensate/feedwater system failure rate from 4.89x104 with all support available to 3.1 3x104 following failure,of 4160 VAC bus 1 A and 2.58x10 after failure of bus 1 B.:. Accordingly, feedwwater failure after loss of bus 1 B (split fraction FW3) Is the only condition under which this system contributes measurably (0.04%) to total core' damage frequency.

3. Pump train failure.

Pump train faillure contributes significantly (73%A) to condensate system failure following failure of bus AA and dominates (99%)

feedwater system failure for the all support available case and following failure of bus 1A. This mode of failure includes pumptfailure with failure of the'associated discharge check valve to close, as well as inadvertent discharge valve closure and common mode pump failure between trains.

4. Maintenance outage time. System failure while performing maintenance on one train is the most significant contributor for split fractions following failure of 41 60V bus 1 B. This is primarily due to the loss of supply power to 2 of the 3 system trains, causing a guaranteed failure condition whenever the remaining train is undergoing maintenance. This contributes 78% of condensate system failure rate IPE A-34 05129192

and 96% of feedwater system filfure rate. Due to the overall reliability of these systems and the redundancy of the overall plant design, this does not significantly impact core damage frequency.

5. RPV water level control failures (Table 13a). Operator response Is assumed to be required for long term RPV water level control, with or without successful operation of the low level setdown system. If the level setdown system functions properly, the operator has significantly more time available in which to respond before flooding the IC steamlines and hazarding main steamline carryover.

This response has a dominant impact on split fractions RF1 (98%), RF2 (88%) and OFR (88%).

Since the operator response to a high FIPV level excursion or feedwater regulating valve lockup includes tripping all 3 feedwater pumps, failure of any of the supply circuit.breakers to trip contributes 12%X to system failure. This is conservative in that the operator would not have to tip all 3 pumps for success, but only the pump with the failed regulating valve. 'This has a minimal (less than 0.3%) effect on core damage frequency.

B. Observations. The following observations' can be made by Inspection of the condensate and feedwater system analysis results and significant contributors:

9

1. Due to overall system reliability, the condensate system failure rate is dominated by flow blockage When all support Is available (CP1).
2. Pump failure dominates feedwater system failure when all support Is available and both condensate and feedwater system failure rates following loss of 4160 VAC bus 1A.,
3. Train maintenance dominates both condensate and feedwater system failure following. failure of bus 1 B.
4. Operator failure dominates RPV level control failure for all cases.,

C. Recommendations. Although the feedwater and condensate system as well as RPV level control do not contribute significantly to the total calculated core'damage frequency they do represent significant challenges tooperators ability to mitigate or prevent a transient.

The loss of feedwater control or high -level excursion contributes less than 2% to the total f" " "

-,a --

_` _ "i Ie

-I

-a e

1 I

core damage fre uency, however high level excursions represent potentially severe transients and may possibly proceed to-main steam line failure in,themost severe cases. The planned modification to post trip reactor feedwater control system (Reactor Overfill Protection System (ROPS)) scheduled for Implementation In 1 S5R Is expected to substantially decrease the risk of reactor vessel high level excursions, and thus should be implemented as scheduled.

FPE A-35 05/29/92

Table 13 Condensate and Feedwater System Contributors Split.

,Split Fraction Relative Failure Rate Contribution Split Fraction Total "Fraction.Description Contribution Failure Steam Manual Pump Maintenance All to Damage:

Rate exhauster transfer I

fallures blockage c closed CP1 1 of 3 eondensate pumps 95.7%

4.0%

0.3%

0.00%

4.89x1:0 with all support available CP2 1'.of.2 condensate pumps 26.1 %

73.2% '

0.7%

0.00%

1.79x1 l after failure of'4160'VAC bus 1 A (1B Bavailable)

CP3 1 condensate pump 2.1%

19.1%

78.5%

0.3%

0.00%

2.20x104

.available aiter loss of 41u VAC.bus'11B (-A available)

FW1 1 of 3feedwater pumps 99.2%

0.8%

0.00%

9.57x1109 with.all-support (including condensate). available FW2 1 of'2 feedwater.-pumps

. 99.9% :

0.1%

0.00%

1.34x10

'afterfailure of,-41160 vAC bus fIA (I B available)

FW3 1 feedwater pump 3.4%

96.5%

0.1%

0.04%9 1.36x104 avail'able after loss of 4160 VAC :bus 1 B (IA available)

Total system contribution to core damage frequency 0.04%

IPE A-36 05/29/92

Table 1 3a RPV Level Control System Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure Operator Level Circuit All to Damage Rate action control breaker other Frequency failure failure failure failures RFI Long term post-trip RPV 98.3%

1.7%

0.0%

1.00%

5.09x1 4 level control with all support available RF2 Recovery of level control 88.5%

11.5%

0.0%

0.05%

1.70x102 after regulating valve lockup

^

OF Recovery from high RPV 8815%

1.5%

0.0%

0.31%

1.70xl 0.2 water level initiating event

-A Total system contribution to core damge frequency 13%

IPE A-37 IPE A-3705129192

14. Circulating Waider (Appendix F.1 4)

A. System Contributors. The circulating water system Is modeled In OCPRA top' event CW.

Failure of this top event contributes a total of less than 0.1% of core damage frequency. See Table 14.

1. Partial loss of support. The loss of one train of support (41 60V bus 1 A or 1 B, split fractions CW2 and CW4) results !in an Increase In system failure rate by several decades. For CW4, this also shifts the dominant contributor to system failure to maintenance outage time. Due to the overall reliability of the system and plant design, though, this does not haVe a significant impact on core damage frequency.
2. Maintenance outage time. System failure while performing maintenance on one train is the most significant contributor for the. non-reactor trip split fraction' following failure of bus 1A or 1 B. This Is primarily due to the success requirement for both pumps to be available. Otherwise, system failure is assumed. This contributes 98% of system failure rate for CW4.

B. Observations. The following observations can be made by inspection of the circulating water system analysis results and significant contributors:

1. Discharge valve failure dominates system failure rate when all support Is -available.
2. Pump failure contributes significantly to system failure rate following loss of power from 4160 VAC bus IA or I B.
3. Train maintenance dominates system failure rate for non-reactor trip events with failure of bus 1A or 1 B (CW4).

C. Recommendations. None.

[PE A-38 05/29/92

Table 14 Circulating Water System Contributors Split Split Fraction helatiie Faliure Rate Contribution Split Fraction Total Fraction Description Contribution Failure Pump Discharge Maint.

All to Damage Rate failure valve outage other Frequency fallure to time failures close,.

CW1 1 of 4 circulating water pumps-13.6 86.3%

01%

0.00%

1.29x10 "with all support available.

CW2 1

iof 2 circulating water pumrps'"`

55.7%

43.8%

0.5%

0.00%O 2.1 6x1 0 after failure of - A or 1 B ' '.

CW3 2of 4 circulating water pumps.

21.7%

78.2%

0.1%

0.00%

6.35x1 0 after non-reactor trip events with

.a!!

r ppo' availablci ___

CW4 21 Of 2 circulating water pumps, 1.17%,

92 0 O 0.03%

1.51 xi 0F2 after non-reactor trip events with 1 1 1 failure of 4160 VAC bus 1A.orflB I.

._,.;_i.,

Total system contribution to core' damage frequency 0.03%

=

IPE A-39 05/29/92

15. Automatic. Depressurization (Appendix F.1 5)

A. System Contributors. The automatic depressurization system (ADS) Is analyzed as top event AD.

This top event includes manual (emergency) depressurization, as well as automatic system actuation and contributes a total of 2.5% to CDF. See Table 15.

1. EMRV failure to open. Due to overall system reliability when all support Is available, EMRVfailure to open contributes significantly (90%) to split fraction ADI.

This mode of failure also contributes 31% to system failure during manual actuation (emergency depressurization) on low RPV water level (split fractions AD4 and AD5).

2. Manual actuation. Manual system actuation Is modeled under 3 conditions; Emergency depressurization on lowering RPV water level following IC failure to actuate (AD3).

Emergency depressurization on lowering RPV water level following failure of IC makeup (AD4).

Emergency depressurization on high suppression pool temperature (AD5).

Operator response has a significant (67%) effect on split fractions AD3 and AD4 and a dominant (95%h) Impact on AD5. This Is partially due to the allowance for

,the redundant and diverse Indication available to the operator on lowering RPV water level (see note on Page F.1 5-6), which was not applied to AD5, since this action would only be performed on Increasing suppression pool:, temperature.

3. Partial loss of support The loss of one train of support (125 VDC bus B or C, split fraction AD2) results in an increase, in system failure rate by a factor of approximately 9. This also shifts the dominant contributors to, system failure towards actuation logic failure (1%) and transfeir relay fa-lure (25%).

B. Observations. The following observations--can be made, by inspection of ADS system analysis results and significant contributors:

1. Due to overall system reliability, system failure rate Is dominated by EMRV failure to open when all support Is available."
2. Actuation logic failure dominates system failure rate following loss of one division of 125 VDC power (AD2).
3. Operator failure dominates system failure rate for all manual actuation cases (AD3, AD4 and AD5).

C. Recommendations: None.

IPE A-40 05/29/92

Table 15 Automatic Depressurization System Contributors

. Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction

,DescripUon Contribution Failure EMRV j

Logic Transfer Operator All.

to Damage Rate failure to failure rela failure failure other Frequency W m open ;

failure failures',

ADI Automatic ADS actuation 90.1%

7.0%

2.9%

0.02%

1.03x10' (ADS) with all: support available__

AD2 Automatic ADS actuation 11.4%

71.5%

24.6%

0.5%

0.64%

4.1 8x10 with one 125 VDC bus failed AD3 Manuai depressurization 31.2%

6.6%

2.2%

1'.36%

1.35x1 01 after IC failure

_'__r_,_

AD4 Manual, depressurization.31.2%

66.6X 2.2.%

.1 03l after CRD and ICmakeup failure :.

< -i:_.

AD5 Manual depressurizatlon 4.2%,

l 95.2%X 0.6%

0.50%

.9.45x1 ll ll:on hlghsuppression pool 11 __

lu__

temperature l

,l

__Z-.

III Total system contribution "to core. damage frequency 2.54%

IPE A41 '

'4 05/29/92

16. Standby Uquld Control (Appendix F.16)

A. System Contributors. The standby liquid control (SLC) or liquid poison systemn's modeled in OCPRA top event BI. Failure of this top event contributes a total of 2.3% to core damage frequency. See Table 16.

1. Manual actuation. Manual operator actuation of the system dominates the cases where both trains are available (split fractions 611 (52%) and B13 (65%)).
2. Partial loss of support. The loss of one train of support (41 60V bus 1C or 1 D, split fractions B12, B14-and1 B16) results In' an' increase In system failure rate by a factor of approximately 5. This shifts the dominant system contributors to pump failures (more than 70% of system failure rate).
3. Pump failure. Pump failure to start or run forthe 2 hour2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> mission time'contributes more than 20% for all split fractions. This is primarily due to the relatively high plant specific lailure rate. Plant data collection Included common mode failure (control fuse failure) of both trains during surveillance testing, which increases the failure rate for split fractions with both trains available.

Following failure of one train of support, pump failure contributes more than 70%

of system failure, primarily due to the relatively high failure rate for pumps of this type. Also, this mode of failure contributes more than 70% to both hardware only cases evaluated (615 and B16)i-where 'the operator action Is included'in split fraction RP2.

4. Maintenance outage time and test'alignment. Test alignment only contributes more than 5% to system failure when both trains of support are available. -

Otherwise, neither testing or maintenance contribute more than5% of system failure rate for any analyzed condition. It should be noted that recovery from test alignment is not modeled (see assumption 7 in the system analysis), though an operator would be stationed near the equipment while performing this test.

B. Observations. The following observations cian' be noted by' inspection results above:

1. Operator failure to actuate liquid poison Injection in time to prevent core damage contributes significantly to ssterm failure when both trains are available (B13 and!

B 13).

2. Pump failure contributes more than 70% of system failure rate for all other cases.
3. This highlights the importance of continued monitoring of the SLC relief valves to ensure the new valves perform as expected.

C. Recommendations. None.

FPE A-42 05/29/92

Table 16 Uquid 'Poison Injection System Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure Operator Pump Test Maint.

All to Damagb Rate action failure alignment ' outage other Frequency failure

[

time time __Jfailures B11 Operator starts 1 of 2 trains of 51.5% 1 32.9Yo 7.8%

7.8%

1.75x1 0.2 liquid poison (boron) Injection with turbine bypass available B12 Similar to 811 with 1 train available 12.7%

78.1%

.1.6%

4.1%

4.5%

0.00%

8.65x10O B13 Operator starts 1 of 2 trains of 65.3%/

' 23.4% /

5.%

5.6%

1.02%

2.45x1 o2 liquid poison with no turbine bypass 814 Similar to Bi3 with 1 train avallable 18.3%

72.9%

1.5%

3.8%

3.5%

0.00%

9.25x10' B15 1 of 2 trains of liquid poison 70.6%

16.1%

13.3%

0.00%

l8.49x1 0l injection start after manual recirculation pump trip due to logic failure B16 Similar to B15 with 1 train available 89.3%

1.8%

4.7%

4.2%

0.00%

l7.56x1 02 Total system contribution to core damage frequency 2.27%Yo IPE A-43 05/29/92

17. Primary Containmenit Isolation (Appendix F.1 7)

A. System Contributors. The primary containment Isolation system Is analyzed as top' event PI. Failure of this top event appears in a total of 0.4% of core damage frequency. See Table 17.

1. Manual actuation. Operator responses has a dominant (92%) effect on split fraction P12.
2. Partial loss of support The loss of actuation logic requires manual system actuation, which increases system failure rate by approximnately a factor of 8.
3. Valve failures. Valve failures, particularly solenoid valve failure (84%), dominate (96% total) the system failure rate when automatic actuation logic Is available.'

For manual actuation (Pp2), valve failure only contributes 8.1% of total system failure rate.

B. Observations.

The following observations can be made by Inspection of the primary containment isolation system analysis results and significant contributors:

1. The failure of primary containment isolation is dominated by solenoid valve failure when actuation logic Is available.
2. Following failure of actuation logic (P12), system failure rate Is dominated by operator failure.

Since the Independent failure of this system does not significantly contribute to the PRA scenario database, further attention to system failure is not indicated.

C. Recommendations. None.

IPE A-44 05129/92

Table 17 PrimaryContainment Isolation System Contributors Spit Split Fraction Relative Failure Rate Contribution Split Fraction

Total, Fraction Description, Contribution Failure Operator Solenoid Air All to Damage

'Rate action valve

operated, other Frequency failure failure valve failures

__aifailure, Pil Automatic containment 84.0%

12.4%

3.6%

0.04%

1.21 x1 l

Isolation P12 Manual containment 92.5%

.3%

1.8%

1.2%

0.35%

1.62x1 02 Isolation from the control room Total system contribution to core damage frequency 0.39%

IPE A-45 05/29/92

18. Standby Gas Treatment (Appendix F.1 8)

A. System Contributors. The standby gas treatment system is modeled in OCPRA top event SG. Failure of this top event appears in less than 0.1% of total core damage frequency.

Since this system determines the filtering and release point of reactor building exhaust, it does not directly impact core damage, but appears only In the results due to Independent system failure in scenarios with existing core damage (predominantly In scenarios following loss of one train of system support from 4160 VAC bus 1 C or I D). See Table 18.

Manual actuation of this system is included In reactor building Isolation top event RI.

1. Partial loss of support. The loss of one train of support (41 60V bus 1 C or 1 D, split fractions SG2 and SG3) results In an Increase in system failure rate by a factor of almost 100. This also shifts the dominant contributor to system failure due to the available train being in maintenance (82%).

The difference between split fractions SC32 and SG3 Is based on the assumption that train A Is selected as the lead train (see Assumption 4 In the system,analysIs).

Therefore, split fraction SG2 includes the failure rate for the low flow switch for train A.

2. Fan failure. Failure of the standby gas treatment fans to start and run contributes 78% of system failure rate when power is available to both trains (split fraction SG1). Following loss of power to one train (split fractions SG2 and SG3), the contribution of fan failure drops to 12% of system failure rate.
3. Maintenance outage time. The unavailability of one train due to maintenance contributes significantly (82%) to systern failure following loss of power to the other train. While recovery from this condition before system actuation is possible, it has not been separately analyzed due to the small contribution of this system to core damage frequency.

B. Observations. The following observations can be made by Inspection of the standby gas treatment system analysis results and significant contributors.

1. Fan failure dominates system failure rate when both trains are available (SG1).
2. System failure due to maintenance on 'the unaffected train dominates system failure rate following failure of 4160 VAC bus 1 C or 1 D (SG2 and SG3).

C. Recommendations. None.

IPE A-46 05/29/92

Table 18 Standby Gas Treatment System Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description r

Contribution Failure Fan Supply Maint.

All toDamage Rate failure damper outage j other Frequency I failure time failures SG1 1 of 2 trains with all, support 78.0%

15.7%

6.3%

0.00%

2.74x104 available SG2 Train 2 following loss of support 12.0%

e 3.9%

81.5%

2.6%

0.04%

- 1.61 x02 to train 1 SG3 Train. 1 following loss of support 12.1%

3.9%

82.8%

5.1%

0.02%

1.59x10 to train_2 2 Total system contribution to core damage frequency 0.06%

IPE A-47

'05/29/92

19. Fire Protection (Appendix F.1 9)

A. System Contributors. The fire protection system Is analyzed as OCPRA top event FP. The independent failure of this top event contributes a total of 0.5% to core damage frequency.

See Table 19.

1. Diesel driven pump failure. Cutsets with diesel driven pump failure dominate (97 to 98%) system failure. This Is due to the relatively high failure rates of diesel driven components.
2. Partial loss of supporL The loss of offsite power (split fraction FP2), which falls motive power to the redundant fire pump, Increases system failure rate-by approximately a factor of 90, but does not shift the relative contributions significantly.
3. Manual system alignment Operator failure to align the redundant fire pump does not measurably impact the failure rate for this system.

B. Observations. The following observations can be made by Inspection of the fire protection system analysis results and significant contributors.

The Independent failure of the fire protection system does not materially affect plant model results. System failure rate Is dominated by failure of the diesel driven pumps, both due to the general failure rate of diesel driven equipment.

C. Recommendations. None.

IPE A-48 05/29/92

Table 19 Fire Protection System Contributors Split Split Fraction Relative Failure Rate 'Contribution Split Fraction Total Fraction Description Contribution Failure Diesel driven pump All other to Damage Rate f.a iur failures Frequency FP1 '

All support available M

97.1%

2.9%

0.03%

1.39x1 05 FP2 Loss-of offsite power 97.8%

l 2.2%

0.43%

9.22x104 (redundant firebpump) j Total system contribution to core damage frequency 0.46% '

IPE A-49 05/29/92

20. Condensate Transfer (Appendix F.20)

A. System Contributors. The condensate transfer system Is modeled in OCPRA top events CT (condensate transfer), MU (makeup to the Isolation condenser) and ST (CST availability).

Failure of these top events contribute a total of 1.7% to core damage frequency. See Table 20.

1. Pump start failure. Pump start failure contributes more than half (58%)pf system failure rate for the condensate transfer system (split fraction CT1). Due to the relatively low failure rate for this system, this does not measurably Impact plant model results.
2. Manual valve failure. Manual valve transfer closed contributes more than a third (38%) of condensate transfer system failure (split fraction CT1). Again, due to the relatively low failure rate for this system, this does not measurably Impact plant model results.
3. Manual actuation. Operator response has a dominant (99%) Impaction split fractions MU1 and MU2.
4. Partial loss of support. The loss of condensate transfer for IC makeup has a minor Impact on the failure rate of top event MU, primarily because this top event has a very long response time and Is dominated by failure of the operator action for both split fractions. Also, recovery of the condensate transfer pumps, which would require the operator to locally reset the supply breaker, is not modeled following loss of offsite power.
5. Air operated valve failure.

Failure cf the hotwell makeup and reject valves dominates (78%) condensate storage tank failure rate. Due to the reliability, of this system, this does not significantly Impact plant model results.

B. Observations. The following observations can be made by inspection of the condensate transfer system analysis results and significant contributors.,'

1. Only IC makeup contributes materially to core damage frequency, primarily due to the requirement for operator action. Due to the amount of time available to the operator, transit to the area and manual local valve operation does not materially impact the results (compare MU1 and MU2).
2. Pump failure and manual valve transfer closed both contribute significanty to the failure rate for the condensate transfer system.
3. CST failure rate is dominated by failure of air operated control valves.

C. Recommendations. None.

IPE A-50 05/29/92

Table 20 Condensate Transfer System Contributors Split Split Fraction Relative Failure Rate Contribution Split Total Fraction Description Fraction Failure rrContribution Rate Pump Manual Operator.

Air All to Damage failure valve action operated other Frequency transfer failure valve failures

_closed failure,

CT1 Condensate transfer system 58.5%:

37.0/'

4.5%

0.00%

1.31x104 MUl IC makeup from condensate 99.4%

0.6%.

0.25%

4.02x10 transfer MU2 IC makeup from fire protection 99.0%

1.0%

1.40%

4.04x104 lr'....qT qvial1 ML STI

'T ale 1.70%

l1-5 Total system contributon to core damage frequency' 1.'70%

IPE A-51 05/29/92

21. Instrument Air (Appendiix F.21)

A. System Contributors. The instrument air system Is analyzed as top event IA. Independent failure of this top event contributes a total of 0.2%h to core damage frequency. See Table 21.

1. Stuck Open relief valve. Due to the removal of check valve Internals to facilitate component maintenance, any of 7 relief valves opening and sticking open will depressurize the instrument air system with no recovery available until the failed valve Is reset or gagged or the receiver Isolated. This mode of failure contributes nearly half (49%) of system failure rate when all support Is available (IA1 ) and 19%

of system failure when support is lost to one of the operable air compressors.

2. Manual operation. Operator action Is required following loss of offsIte power (iA3) and to align fire protection to provide compressor cooling following loss of TBCCW (IA4). This form of failure dominates both failure rates (71% and 80%,

respectively).

3. Partial loss of support. The loss of one train of support (41 60V bus 1 C or 1 D, split fraction iA2) results in an Increase in system failure rate by a factor of approximately 2. This also shifts the most significant contributor to system failure to compressor failure.

Also, it Is assumed that, when power is; lost, it is lost to the running or lead air compressor, requiring the standby air compressor to start for system success.

This assumption contributes 17% of the! compressor failure term shown in Table 21 for iA2.

4. Air drier blockage. Air drier blockage.or failure to shift properly Into dryout alignment contributes nearly a third (32%) of system failure when all support is available. This failure could be partially' recovered by operator alignment of air driers C and D after failure of air driers A and B, but was not modeled.

B. Observations. The following observations can be made by inspection-of the Instrument air system analysis results and significant contributors.

1. The conservative modeling of the Instrument air system does not significantly impact plant model results.
2. System failure due to Inadvertent relief valve operation does not significantly impact core damage frequency. Howevier, this situation can.present a significant challenge to operators to prevent a plant transient. This highlights the continued Importance of preventative maintenance on relief valv es.

C. Recommendations. None.

IPE A-52 05/29/92

Table 21 Instrument Air System Contributors Split Split Fraction Relativ6 Failure Rate Contribution Spli Fraction Total Fraction Description T

Contribution Failure Relief Air Compressor Operator

' All to Damage:

Rate valve drier failure action other Frequency operation failure"[

failure Jfailures IA 1 of 2 available air 49.4%

32.3%

0.9%

17.4%

-0.00%

2.12x1 04 compressors A_:_.

IA2 I of 1 available air 18.6%

12.2%

50.3%

18.9%

0.01%

5.61x1&

compressor after loss of support to second unit.

1A3 Manual restart following 5.4%

3.5%

14.4%

71.4%

5.3%

0.04%

1.96x1.2l loss of oftsite power with I Dl.S.DVV UVdOcIIUIJ IA4 Manual alignment to fire 3.7/o 2.4%

9.9%

80.4%

3.6%

0.11%

2.86x104 protection after loss of I.

TotCCW Toa s

rbto ocr amg rqec

.6 IPE A-53 05/29/92

22. Control Rod Hydraulics (Appendix F.22)

A. System Contributors. The use of the control rod hydraulic (CRD) system to provide reactor vessel makeup after plant trip is modeled In OCPRA top event CD. Independent failure of this system contributes a total of 0.1% of core damage frequency. See Table 22.

1. Manual alignment Operator alignment of the test bypass valve, which Is assumed to be required for system success, dominates (98%):the cases where 2 CRD pumps are available (CD1 and C0D2). For split fractions with one pump available, operator response contributes 25% (CD3) and 28% (CD4), respectively, of system failure rate.
2. Partial loss of support. Loss of support to a CRD pump following failure of 4160 VAC bus 1 C or 1 D increases system failure rate by a factor of 4 to 5, primarily due to failure while in maintenance, as described below.
3. Maintenance outage time. Maintenance outage time has a pronounced Impact on the split fractions with only one CRD pump available (CD3 and CD4), with contributions of 63% and 509%, respectively, of total system failure rate.
4. CRD pump failure. Pump failure does not significantly contribute to any of the analyzed system configurations, though this' does contribute'up to 5.7% of total system failure rate for split fraction CD4.E
5. Strainer blockage.

System failure due to'strainer blockage only contributes significantly to split fraction CD4 (1 0%). For all other analyzed alignments, this mode of failure contributes less than 1%, of system failure rate.

B. Observations. The following observations can be made by Inspection of the control rod drive hydraulic system analysis results and significant contributors.

1. Operator failure dominates system failure rate when both CRD pumps are,

available (CD1 and CD2).

2. Pump maintenance outage time contributes significantly to system failure rate for cases when only one CRD pump is available.

Overall, independent failure of the CFID hydraulic system, including manual operator alignment of the test bypass valve, does not materially impact plant model results.

C. Recommendations. None.

IPE A-'54 05/29/92

Table 22 CRD Hydraulic System Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure Operator Malnt.

CRD Strainer All to Damage; Rate action outage pump blockage other Frequency failure time failure failures CD1 Both CRD pumps available (1 98.6% _

0.5%

0.6%

0.3%

0O.08%

5.07x10" running) and operator opens test bypass valve CD2 1 of 2 CRD pumps start after loss 97.5%

1.4%

0.6%

0.5%

0.02%

5.13x104 of power and operator opens test l ___ _ _

bypass CD3 1 of 1 CRD pump starts after loss 24.7%

62.7%

4.6%

0.8%

7.2%

0.02%

1.99x1 o-2 of nowar and faiMlre nf Ir 10 n in and operator opens test bypass valve CD4 Running pump loses power, 27.7%

50.2%

5.7%

9.6%

6.8%

0.00%

2.49x102 operator starts standby pump and l________

opens test bypass valve L___l_

Total system contribution to core damage frequency 0.12%

IPE A-55 05/29/92

23. Reactor Building isolation (Appendix F.23)

A. System Contributors. Reactor building Isolation Is modeled In OCPRA top event RI. The failure of this top event occurs In scenarios; that contribute a total of less than 0.1 % to core damage frequency. It should be noted that the failure of this system does not lead to core damage, but determines the status of secondary containment for radioactive release considerations. See Table 23.

1. Air operated valve fallure."Due to the predominance of air operated valves in the reactor building isolation system, this mode of failure dominates (99%) the split fractions with actuation logic available (RI1 and Ri2).
2. Manual actuation. Following failure of actuation logic, manual isolation of the reactor building from the control room contributes 98% to split fraction R13.

B. Observations. The following observations can be made by inspection of the reactor building Isolation system analysis results and significant contributors.

1. Valve failure dominates system failure rate when all support is available and following loss of instrument air.
2. Operator failure dominates system failure rate following failure of actuation logic (R13).

C. Recommendations. None.:

IPE A-56 05/29/92

Table 23 Reactor Building Isolation System Contributors Split Split Fraction Relative Failure Rate Split Fraction Total Fraction Description Contribution Contribution Failure A to Damage

'Rate Air Operator,.All

,Feqec operated action other Feun valve failure failures

,Xfailure [

j Rl Reactor building Isolation 98.5%

1.5%

0.01%

2.09x1 4 with all support available R12 Reactor building isolation 99.6%

0.4%

0.00%'

2.06x14 after loss of Instrument air R13 Manual reactor building, 2.2%

97.8%

0.0%

0.00%

9.21 x1 Isolation Total system contribution to core damage frequency 0.01%

I I]

IPE A-57 05/29/92

24. Main Steam Safety and Relief Valves (Appendix F..24)

A. System Contributors. The main steam safety valves and EMRVs are modeled in OCPRA top events SO, SR, VO and VR. Failure of these top events contribute a total of 25.7% to core damage frequency, primarily due to Independent failure of EMRV reclosure at top event VR (24.8%/). See Table 24 and 24a.

1. Valve failures. Valve failure dominates (98% or more) all analyzed split fractions for this system.
2. Success criteria. Since It Is uncertain that a second EMRV would not open when V01 Is questioned, the success criteria, for valve reclosure Include an additional valve, above the number required to initially open. Also, It Is assumed that any valve failure will result In uncontrolled reactor vessel depressurization (i.e. the valve falls full open, as opposed to a partially closed state or failure to fully reseat).

These assumptions (see Assumptions 11 and 2 In the system analysis) effectively double the system failure rate for split fraction VR1 and contributes 20% to the failure rate for split fraction VR2. Since each of these split fractions have a pronounced impact on the plant model and core damage frequency, this assumption also has a pronounced effect.

B. Observations. The following observations can be made by inspection of the main steam relief system analysis results and significant contributors.

Valve -failure dominates system failure rate or all cases and highlights the importance of continued preventative maintenance of the relief valves.

Recommendations. None.

IPE A-58

-05/29/92

Table 24 Main Steam Safety Valve Contributors Split Split Fraction

Relative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure Common :cause l Safety valve to Damage Rate failure to open fails to close Frequency

_Sol 14 of 9 safety valves open 100%

-0.00%

1.07x1 0~

S02 7 of 9 safety valves open 100%

0.00%

3.17x10 5 SRI 4 of 4 open safety valves reclose 100%

0.48%

1.15x10 2 SR2 6 of 8 open safety valves reclose 100%6 0.30%

2.30x 0-2 Total system contribution to core damage-frequency 0.78%

Table 24a EMRV Contributors Split Split Fraction Relative Failure Rate Split Fraction Total Fraction Description Contributlon'p Contribution Failure

EMRV IPressure -

All t

aae Rt failure switch otherl Frequenc:

failure failures Vol 1 of 5 EMRisopen' 99.9%

0.1%

0.00%

2.92x10i V02 4 of 5: EMRVs open 97.6%

1.6%:

0.%

0.16%

7.52xl 03 VR1 2 of 2 open EMRVs reclose I97.8 2.2%

0.0%

17.60%

2.49x104 VR2 5 of 5 open EMRVs reclose 97.8%

1.8%

0.4%

7,16%

6.21 xl 0.2:

Total system contributionlto core damage frequency 24.92%

IPE A-59 05/29192

25. Containment 'Vent (Appendix F.25)

A. System Contributors. The containment vent system is analyzed in CPRA top' event OV.

Independent failure of this system contributes a total of 1.1% to core damage frequency. See Table 25.

The recovery from containment vent failure due to loss, of support systems Is modeled in top event RV.

1.

Solenoid valve failure. Solenoid valve failure dominates (63%A).system failure when both torus and drywell vent paths are available (i.e. no core damage present

- OVI). Following core damage, when 'only the vent path through the torus air space is used (to preserve suppression pool scrubbing), solenoid valve failure contributes 20% of system failure rate.

2. Operator alignment of vert. Operatoir failure to align the torus vent dominates (74%) system failure following core darnage (0V2).0 Operator evaluations of this action (Page 6.3-28) show a relatively broad distribution, with a range of 49 between high and low estimates for this action. This Is believed to be partially due to operator hesitation to provide a, vent path from the primary containmenit following core damage, even with suppression pool scrubbing of fission products.

The evaluations for containment vent before core damage (OV1) show somewhat closer agreement, with a range of 16 between high and low estimates. Dueito the extremely long time available to perform this action, this failure rate was adjusted by a factor of 0.1 to account for the presence of the relieving shifts and off site direction during this time in the scenario.

B. Observations. The following observations can be made by Inspection of the containment vent system analysis results and significant contributors.:

1. Solenoid valve failure dominates system failure rate whenall, support Is available and core damage has not yet occurred,,
2. Operator failure dominates system failure rate following core damage.

C. Recommendations. None.

IPE A-4S0 05/29/92

Table 25 Containment Vent System Contributors Split Split Fraction Relative Failure Rate Contribution Split Fraction Total Fraction Description Contribution Failure Solenoid Operator Relay Air operated All to Damage Rate valve action failure valve failure other Frequency failure failure failures OVi Operator vents 63.0%

15.8%

12.6%

8.4%

0.2%

1.08%

1.71 x1 04 containment to relieve pressure OV2 Operator vents torus air 19.6%

73.6%

3.9%

2.6%

0.3%

0.00%

2.31x10.2 space following core damage Total system contribution to core damage frequency 1.08%

IPE A-61 05/29/92

APPENDIX B CONTRIBUTORS TO OPERATOR ACTION ERROR RATES

TABLE OF CONTENTS B.1 Performance Shaping Factors.........................................

B-1 B.2 Results of Performance Shaping Factor Review...........................

B-3 B.2.1 Operator controls/trips feedwater during high RPV water level excursion (OF1)........................................

B-3 B.2.2 Operator trips reactor after TT failure (high level) (RS3).....

B-3 B.2.3 Operator manually closes MSI~fs after failing to control RPV water level (high) at top event RF (ME2)....

B-3 B.2.4 Operator injects through core spray with fire protection during loss of all AC power (CS5)....................................

B4 B.2.5 Operator lines up fire water Injection through core spray during LOCA conditions outside containment (unisolated LOCA) (FS1)....

B-5 B.2.6 Operator inhibits ADS and controls level near TAF during ATWS with FW available and condenser failed with EMRV/SV closure (OL2)....

B-5 B.2.7 Operator inhibits ADS during ATWS with FW failed and EMRV/SV closure (0L3).......................................

B-6 B.2.8 Operator manually re-energizes; bus 1A1/1 B and re-starts at least one TBCCW pump following a loss of offsite power (TB5)....

B-6 B.2.9 Operator secures or isolates condensate transfer header to reactor building within 1 to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after condensate transfer supply line break in the reactor building (FTB).....................

B-7 B.2.1 0 Operator trips plant and isolates feedwater following feedwater line break in the trunnion room (FTD)...........................

B-7 B.3 Summary of Recommendations..........................

B-8 IPE B-i 05/29/92

B. CONTRIBUTORS TO OPERATOR ACTION ERROR RATES The purpose of this appendix is to report the results of a review of the human action analyses to determine If any outlier performance shaping factors (PSFs) exist which may Indicate a potential for possible changes to procedures, operator Interfaces, training or personnel available to improve operator response.

Collectively, the actions of plant operators at Oyster Creek have an estimated contribution of 21%

to total core damage frequency. No single operator actionpcontributes more than 3%. Thus It is not expected that improvements in an individual human error rate would have dramatic effects on the calculated core damage frequency. Nevertheless, a separate review of the human action surveys was performed to determine If any outlier PSFs exist In Individual operator opinions, which may indicate areas where Incremental Improvement in error rates could be achieved.

The review of the PSFs was performed by'insppction of Table 6.3-4, Performance Shaping Factor Results and Table 6.3-5, Sumrnary of Human Action Results from the level.1 PRA. Those actions which contain outlier PSFs which may indicate Inadequate time available, procedures, training or indications (especially those actions with guaranteed failure) are described in subsection B.2 below.

B.1 Performance Shaping Factors The performance shaping factors (PSFs) used for the OCPRA operator action evaluation can be grouped Into the following major categories:

Time related factors Operator training and experience Procedural direction available to the operator Plant indications,--

7 Personnel availability' Consequences associated with the action, These major factors can then be broken down Into the following performance shaping factors:.-

Time available Actual time available to complete the action (VI).

Perceived time available to diagnose the problem and Identify the correct response (V2).

Perceived time available to complete the action (V3).

Training and experience In identifying the need to perform the action (VW).

In diagnosing the need to perform the action (V9).

.In performing the action (Vi 0).

IPE F3 1 05/99

Indications Initial indications (V1 3).

Later indications (Vi 4).

Procedural direction Procedural direction available in the given scenario (Vi 1).

Non-scehario related procedures available to direct the action (V12).

Personnel availability Adequacy of manning In the control room, both Initially (VI 5) and later (V30), relative to performing the required action In time.

Adequacy of manning outside the c ontrol room, both initially (Vi 6) and later (VI 7).

Consequences associated with the action Consequences of performing the action - to the plant (V5) and to the operators (V6).

Consequences"of falling to perform the action - to the plant (Vi9) and to the operators (V20).

Operator confusion Preceding related successful actions' (m.

Preceding related unsuccessful actions (V21).:

Number of preceding and concurrent unrelated actions in progress while the operators are performring' the required action (V22).

The Individual performance shaping factors used,, variable designations, and associated reference values are shown In Figure 6.2-1 In the level 1 PRA report. Each of the above performance shaping factor categories-is discussed in more detail In Section 6.1 in the level 1 PRA report IPE 13-,2 05/29192

B.2 Results of Performance Shaping Factor Review This subsection presents those operator acticins which were judged to have moutlierm PSFs that indicate a potential for improvements to procedures, training or operator interfaces. This review included an investigation of each shaping factor at either extreme end of the scale (typically 0 to 10, as indicated in Table,6.3-4 of the level 1 OCPRA report). The detailed operator action descriptions-are located in Appendix E of the level 1 OCPRA report.

B.2.1 Operator controls/trips feedwater during high RPV water level excursion (OF1)

A.

Description. On a loss of feedwater control transient (flow failed high), the operator identifies the transient and takes positive action to prevent covering IC and main steam lines. The assumed rate of level increase for this action is 15 inches per minute until turbine trip at 175 inches.

B.

Observations.

1.

This action may not be as clearly directed by plant procedures (VI 1) as the other post-trip Immediate actions.

2.

Personnel outside the control room arrive too late to assist in performance of action (VI 6 and VI 7).

C.

Recommendation.

Consider Increased training emphasis on high' level excursion mitigation including simulator exercises.

B.2.2 Operator trips reactor after TT failure (high level) (RS3)

A.

Description. Operator manually scrams reactor after failure of the main turbine trip on high RPV level.

B.

Observations.

1.

A marginally adequate 'amount of tme Is available to perform the action (Vi, V2 and V3).

2.

Minimal procedural guidance is 'available for this action (V1i).

C.

Recommendation. Consider procedural enhancements.

B.2.3 Operator manually co e MSIVs after fallin0g to control R:P wvter level (high) at top event RF (ME2)

A.

Description.

Operator manually closes Mis before, flooding RPV steamline penetrations after failure to control RPV water level. This action is not procedurally directed.

IPE B -3 05/29/92

B.

Observations.

1.

A marginally adequate amount of time Is available to perform the action (Vi, V2 and V3).

2.

No procedural guidance Is available for this action (Vi 1).

C.

Recommendation. Consider procedural enhancements and training to direct MSIVs closure on'severe high level excursions.

B.2.4 Operator injects through core spray with tire protection during loss of allAC power (CS5)

A.

Description.

Following a plant trip with loss of injection, operator lines up for Fire Protection Water Injection through core spray lines and Injection valves. This action Includes manual operation of at least one of the following sets of manual valves:

Iniects at Close Ooen' Loop I Booster Pump Suction V-20-91 (Z2)

V-2083 (6")

Loop 11 Booster Pump Discharge V-20-90 (2")

V-,0-82(6')

Note that ECCS procedure 308 also has the operator depressurize the RPV below 137 psig before Initiating fire protection water Injection. This step, appears with those listed in the EOP (LR-5), but only after level has dropped to 0 Inches TAF.

This action Is assumed to take place following a loss of both divisions of vital AC power (core spray failed due to loss of support). Depressurization will be possible with EMRVs, but only until either station batteries discharge or vital power Is regained through recovery of offsite power or at least one diesel generator.

B.

Observations.

1.

Operators perceive a potential for consequences to the plant (V5, primarily

-due to the Introduction of fire pond water into the reactor vessel).

2.

Operators expect severe consequences to the plant if the action Is not performed (V19).

3.

The variance between evaluations for this actiont Is extremely broad (factor of 1100 between highest and lowest evaluation), primarily due to two of the 14 evaluations with Insufficient time available to complete the action (VI)

-and to perfor mthe"action,once-the 'decision i as been made to perform the action (V3). This indicates a greater amount of uncertainty as to the requirements to perform this action, particularly during loss of all AC power conditions, than for some other actions evaluated.

IPE Be-05/29/92

C.

Recommendation. Consider increased training emphasis on this action, particularly in station blackout events where an EMFIV may be stuck open.

B.2.5 Operator lines up fire water injection through core spray during LOCA conditions outside containment (unisolated LOC;A) (FSI)

A.

Description. Operator lines up for fire protection water Injection through core spray lines and injection valves. This action involves the manual manipulation of the same manual valves as for the action above.

B.

Observations.

1.

Operators perceive a potential for consequences to the plant (V5, primarily due to the introduction of fire pond water into the reactor vessel).

2.

Ope'rators expect severe consequences to the plant if the action is not performed (Vi9).

3.

The Individual evaluations for this action showed a very broad variance (factor of 167 between highest and lowest evaluation), with agreement between group, averages that was consistent with other actions evaluated.

This was primarily due to one evaluation that was more than a decade below the next lowest evaluation. This evaluation included 16 (of 21) shaping factors evaluated at the extreme, end of the scale.

C.

Recommendation.

Consider increased -training emphasis on this action including

.simulator exercises.

B.2.6 Operator inhibits ADS and controls level near TAF during ATWS with FW available and condenser failed with EMRV/SV closurei (0L2)

A.

Description. During an ATWS with loss of main condenser heat sink, the control room operator Inhibits ADS by placing ADS timer switch to RESET-,as directed by Power/Level Control (EOPs), (After successful boron injection and recirculation pump trip). The operator then lowers reactor water level to the top of active fuel by terminating and preventing all injection except boron and CRD until water level reaches 0 Inches TAF.

Note: ADS actuation was noted as a frequent occurrence in simulator training by one crew member (i.e. timer was NOT successfully reset). Other crew members had difficulty

'inhibiting ADS when intentionally lowering RPV waer level.

B.

Observations.

1.

A marginally adequate amount of time Is available to perform the action (VI, V2 and V3).

IPE 13-5 05/29/92

2.

There Is a potential for consequences to the plant (V5).

3.

Severe consequences are expected to the plant If the action Is not performed (Vi 9).

4.

The broad variance between operator evaluations for this action (factoi of 321 between highest and lowest evaluation) reflects two (of 12) evaluations as having Insufficient time to complete the action (V1).

C.

Recommendation. Consider increased training emphasis at the simulator exercises.

B.2.7 Operator inhibits ADS during ATWS wftIh FW failed and EMRVWSV closure (0O3)

A.

Description. During an ATWS with feedœNater available, the control room operator inhibits ADS by placing the timer switch to RESET, as directed by the EOPs. MSIV closure Is assumed successful, Isolating turbine bypass. Boron injection and recirculation pump trip are aliso assumed successful.

B.

Observations.

1.

A marginally adequate amount of time' Is available to perform the action (VI, V2 and V3).

2.

There is a potential for consequences to the plant (V5).

3.

Severe consequences "are expected to the plant If the'action Is not performed (V19).

4.

The broad variance between operator evaluations for this action (factor of 212 between highest and lowest evaluation) reflects on"e evaluation (of 12) as having Insufficient time to correctly diagnose the action (V2 = 0),

resulting in guaranteed failure.,

C.

Recommendation. Consider increased traininrig emphasis at the simulator.

B.2.8 Operator manually re-energizes bus 1AliB and re-starts at least one TBCCW pump following a loss of offsite power (TBS)

A.

Description. Following0a loss of offsite power and restoration of bus 1A1/1 BI and service water, the operator manually shifts heat exchanger cooling to service water following failure of circulating water. Time available to perform the action Is dependent on the loss of TBCCW to cool the condensate pump motors and plant air compressors.

B.

Observations.

1.

A marginally adequate amount of time is available to perform the action IPE B-6 05/29/92

(Vi, V2 and V3).

2.

The extremely broad variance between evaluations for this action (factor of 2280 between highest and lowest evaluation)'sh-ows broad uncertainty between operators concerning the performance of this action.

One operator evaluated this action as a guaranteed failure due to inadequate time to perform the action following the decisionlto perform the action (V3). Only one other evaluation resulted In an error rate of more than 0.05 for this action. This other'evaluation Incliuded a slightly greater amount of time to perform the action (Vs).

C.

Recornmendation. Consider increased training emphasis at the simulator.

B.2.9 Operator secures or isolates condensate transfer header to reactor building within I to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after condensate transfer supply line break In the reactor building (FTB)

A.

Description. Following a condensate fne -failure' (rupture or-large eak) in the reactor building, operators secures or Isolates condensate transfer flow to the affected header within 1 to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.

C B.

Observations.

1.

Minimal procedural guidance Is available for this' action (V 1i).

C.

Recommendation. Consider adding procedural guidance and training.

B.2. 10 Operator trips plant and isolates feedwhater following feedwater line break In the trunnion

--room (FntD)oi

-- o' -

22 -0 '-H-;h A.

Description.

Following a feedwateir line break In the trunnion room, control room operators trips the plant and isolates feedwater flow into the reactor.

B.

Observations.

1.

A marginally adequate amount of time is -available to perform the action (V1. V2 andV3)

K

2.

There Is a potential for consequences to the plant (V5) for performing this action. The plant consequences, are partially due to the Induced loss of feedwater caused by performing this action.

3.

Minimal procedural guidance is available for this action (VIi).

4.

The evaluations for this action Indicated a relatively broad variance (factor of 81 between highest and lowest evaluation). This was" patially due to the broad uncertainty between operators as to the type of action this FPE 1B-7 06124/92

involved.

5 assessed this as a skill based action, which would be performed from memory, then verified with procedures.-

4 assessed this as a rule based action, which would be performed with procedures In hand.

The remaining 5, operators evaluated this action as knowledge based,^for which no written procedural guidance is available (see VI I above).

C.

Recommendation. Consider enhanced procedural guidance and training.

B.3 Summary of Recommendations The following recommendations are made based on Inspection of the above results:

1.

ConsIder the development of specific procedures, guidance-and training on reactor overfill transients, specifically for operator actions (OF1 and ME2).

2.

During operator training point out that consistently successful performance of the following actions can positively affect overall core damage risk as determined by the PRA.

a.

Operator Injects through core spray with fire protection during loss of all AC power (CS5)

b.

Operator lines up fire water Injection through core spray during -LOCA conditions outside containment (unisolated LOCA) (FS1)

c.

Operator inhibits ADS and controls level nearTAP during ATWS with FW available and condenser failld with EMRV/SV closure (0O.2)

d.

Operator inhibits ADS during AIWS with FW failed and EMRV/SV closure

e.

Operator manually re-energLwes bus 1A/i1B and re-starts at least one TBCCW pump following a loss of offsite power (T5.

f.

Operator trips 'reactor after Tr, failure (igh level) (R 3)

9.

Operator secures or isolates condensate transfer header to reactor building within.1 to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> -after condensate-transfer supply line break in the reactor building (FTB)

h.
.Operator trips plant and isolates feedwater following feedwater 0fne break inthe trunnion room(FTD)

IPE B-8 06124/92

Retrieved from "https://kanterella.com/w/index.php?title=ML060550285&oldid=5369532"