ML060550290

From kanterella
Jump to navigation Jump to search
Response to Request of Additional Information Generic Letter 88-20, Individual Plant Evaluation (IPE)
ML060550290
Person / Time
Site: Oyster Creek
Issue date: 10/01/1993
From: Keaten R W
GPU Nuclear Corp
To:
Document Control Desk, Office of Nuclear Reactor Regulation
Reckley W D, NRR, 415-1323
Shared Package
ML060550281 List:
References
5000-93-0063, C321-93-2259, GL-88-020, TAC M74443 NUDOCS 9310070329
Download: ML060550290 (47)
v  d  e


Text

_Zaire /<' 4.r- Nuclear GPU Nuclear Corporation One Upper Pond Road Parsippany, New Jersey 07054 201-316-7000 TELEX 136-482 Writers Direct Dial Numoer October 1, 1993 C321-93-2259 5000-93-0063 U. S. Nuclear Regulatory Commission Attention:

Document Control Desk Washington, D.C. 20555 Gentlemen:

Subject:

Oyster Creek Nuclear Generating Station (OCNGS]Operating License No. DPR-16 Docket No. 50-219 Generic Letter 88-20 (TAC No. M74443) -Ind Examination (IPE)Response to Request for Additional Information lividual Plant In response to the NRC staff's request- for additional information, dated July 30, 1993, Enclosure 1 of this, letter addresses each of the individual questions or concerns.Sirc.IY~Vice President land Director Technical Functions RWK/DJD/amc Enclosure cc: Administrator, Region I Oyster Creek NRC Project Manager Senior Resident Inspector ENCLOSURE I

OYSTER CREEK IPE RESPONSE TO NRC REQUEST FOR ADDITIONAL INFORMATION OYSTER CREEK IPE RESPONSE TO NRC REQUEST FOR ADDmONAL INFORMATION G-1. In addition to NUREG-1 150, seven other PRAs were reviewed.

However, the insights from these PRA reviews are not included in the submittal, nor compared against findings in the Oyster Creek IPE. How wenr these insights integrated into the Oyster Creek IPE effort?RESPONSE A list of some of the more significant insights gained as a result of the review of the seven studies listed in the OCIPE submittal report are provided below. These insights range from comparisons of results to examination of plant configurations.

and modeling techniques.

  • The TMI-1 Probabilistic Risk Assessment originally indicated that loss of control building ventilation was a dominant contributor to core damage frequency.

Subsequent room heatup testing showed that this was not the case. Consequently, the Oyster Creek PRA team initiated early room heatup testingto determine which rooms would require modeling of loss of ventilation.

See response to FE-B.* "Fermi-2 -Level I Probabilistic Risk Assessment Interim Report" (Reference B.3-1)interfacing system LOCA analysis was reviewed.

The same general approach for investigating interfacing systems LOCAs was employed in the Level 1 OCPRA.Also, an empirical method Ifor developing pipe break frequencies (Thomas Correlation, Reference 4-13) was adopted for initiating event frequency development.

  • The Beznau and TMI-1 studies served as a basis for the comparison with other methodologies for human action evaluation (Reference 6-5). In addition Fermi-2 and Pilgrim human action values were used for comparison of results (Level 1 OCPRA, Section 6, pages 6.3-5, -6 and References.6-14 and 6-6).* Level 1 OCPRA flooding analysis uses the Beaver Valley-2 pipe break frequencies which are largely based on WASH- 400 data (see page 10.2-4).* Discussions with Millstone risk analysis staff indicated that the highest frequency sequence was functionally the same as the OCPRA highest sequence with the exception that the OCPRA considered recovery of offsfte power based on a plant specific analysis.* A comparison of the Oyster Creek and Peach Bottom fractions of containment liner melt-through failures indicate that Oyster Creek's was significantly lower. This is primarily due to the concrete curb in the Oyster Creek drywell that tends to mitigate the impact of molten corium attack on the drywell shell (Level 2 OCPRA, Section 1.page 1-4).NRC-RESP 2 WSWl~s G-2. The rule-based methodology with large logic module is difficult to foilow, particularly without event trees for the front-end analysis.

Treatment of special sequences, such as ATIS events, are not transparent and without the event trees, it was not clear how the event sequence could be easily reviewed.

For the proposed plant changes and modifications, please explain how these changes will be incorporated into the model, and discuss the familiarity of the uLdlity staff with this methodology.

RESPONSE The above request is interpreted as three separate questions:

First, what is the best method for reviewing rules methodology based models? -Second, how will the proposed modifications be incorporated into the model? Third, how familiar is the utility Risk Analysis staff with this methodology?

1. The best method for reviewing a rules based model to determine the accident sequences which arise from a given initiating event is a three step process: a. Assemble the linked model split fraction assignment rules (General Transient, Small LOCA or Large LOCA).b. Review the split fraction assignment rules to assure that each split fraction contains the correct support systems and initiating event impacts. Review the interim variables to understand their definition and application. (e.g. Interim Variable SIC -Successful Isolation Condenser Shutdown).

--c. Review the assignment of the success rule. (For example, ATWS success is discussed in Section 8.2.1.6 of the Level 1 OCPRA, pages 8.2-11 through 8.2-16.)2. The recent addition of the alternate AC capability and a containment hardened vent were incorporated into the model (based on preliminary design descriptions) before submitting the IPE. The plant model developments for these modifications are described in Appendix 6.1 and Appendix F.25 of the Level- 1 OCPRA. Proposed changes to procedures, training and plant equipment resulting from the PRA that are being considered are discussed in Section 8.1.1 through 8.1.5 of the OCIPE Submittal Report These changes include: the addition of procedures for loss of offsite power, loss of DC power and response to reactor overfill transients.

When these procedures are implemented then the affect on the model will be examined and changes will be incorporated as appropriate.

Major changes to the results are not anticipated.

3. GPU Nuclear personnel were heavily involved in all aspects of the OCPRA. Section 7 (Plant Model Report) which describes the rule-based methodology as well as the plant model was exclusively authored by utility personnel.

In addition, Reference 7-65, *Use of Rule-Based Methodology to Develop and Quantify Event Trees", ANS Transactions, Volume 63, pages 271-273, June 1991 was co-authored by K T.Canavan of GPU Nuclear and Mitch A. Waller of Delta Prime, Incorporated.

Utility NRC-RESP 3 09116M8 personnel maintain membership on the computer code users group steering committee (RISKMAN Technology Group (RTG)) and use the computer software and methods to perform various case studies (Canavan, K T., "Sensitivity of the Oyster Creek PRA to Specific Modeling Assumptions", Probabilistic Safety Assessment International Topical Meeting, January 1993, pages 684-690) and to perform in-house analyses.

Utility personnel are also using this methodology in developing a seismic PRA modal for use in responding to Supplement 4 of Generic Letter 88-20.G-3. In conjunction with the above question G-2, please provide an example of actual quantification of the model.RESPONSE Actual quantifications of accident sequences are provided in the Level 1 OCPRA, Appendix C, Table C.5-2 titled "Detailed Usting of Split Fraction Status and Values".This table provides a detailed listing of the top event status, split fraction used, split fraction value and top event description for the top 20 core damage sequences.

A narrative description of the top 20 scenarios is also provided on pages C-28 through C-48 of Appendix C of the level 1 OCPRA.FE-1. Due to the methodology on the rules-modules approach, the contribution of common cause events to CDF can not be easily derived. Please discuss the significance of common cause events with respect to the core damage frequency, and include explicitly the treatment of diesel generator failure.RESPONSE In as far as the contribution of common cause events are derived, the rules based methods do not differ from the standard large event tree small fault tree approach.

With the exception of AC power, common cause failure groups are defined in Appendix F, Section F.XX.1 4 of each system analysis.

Section F.XX.1 5 (Results) and Table F.XX-5 present the results of the split faction evaluations including the common cause contributions to system failure. At the time the study was performed the RISKMAN software could not produce basic event importance, so the total affect of- common cause failure on core damage frequency was not provided.

However, new software has been used to generate this information for the top 50 common cause failure events (excluding diesel generators) which appears as Attachment 1 to this response.

We understand from our conference call on September 9, 1993 that this is sufficient to satisfy the staff's request.In the case of 4160 VAC power and the diesel generators, common cause is handled differently (see the Level 1 OCPRA, Appendix F.4), due to the need to model the 4160 VAC Bus I C and I D supplies from either I A or 1 B (non-essential power -offsite power available) or from diesel generators (essential power -loss of offside power). That is, common cause failures in this case are modeled between top events (4160 VAC buses/NRC-RESP 4 09/20/93 switchgear 1A, I B. 1 C and I D as; well as the diesel generators in the case of the failure of buses IC and I D).In each essential AC switchgear top event (EC/ED), an additional top event (EE), which encompasses both divisions of AC power, was generated.

This top event was used to answer the question, 'Given the failure of train 1, what is the probability of train 2 failure'?

Since diesel generator failure contributes significantly, the status (success or failure) of non-essential AC power (from buses 1A and 1 8) has significant impact on the calculation.

The four split fractions that were generated for this top event (failure of train 2 (top event ED)) were based on the availability of non-essential AC power to each train of essential power. This resulted in failure rates for the cases where:* offsfte power is available

-Split Fraction EDA* 4160 VAC Bus 1A is failed -Split Fraction EDB* 4160 VAC Bus 1 B is failed -Split Fraction EDC* offsite power is lost Split Fraction EDD These values were then used to generate the 'common cause' failure terms for top event ED as described on pages F.3-9 and F.3-10 of the Level 1 OCPRA. Table F.3-6 shows the calculation of the various split fractions for top event ED. --Of the four split fractions generated for top event EE, only EE4, which corresponds to the loss of both trains of non-essential power, is of concern to the comment at hand.This split fraction was used in the calculation of EDD, which is used in the plant model to account for the failure of division 2 essential AC power following a loss of both trains of non-essential power and a failure of- division 1 essential AC power. Under these conditions, the common cause failure of diesel generator 2 must be considered.

As noted on page F.3-14, failure af both diesel generators contributes 60.8% of the total failure rate for split fraction EE4, while failure of the available diesel generator when performing maintenance on the second unit contributes 20.5% of the total failure rate.As shown in Table F.3-5 (page F.3-17), common cause failure during diesel generator operation contributes 6.5% while common cause start failure contributes 2.5%. The reason for. this relatively low contribution can be seen from a comparison of diesel generator failure modes (Table F.3-4b). Plant specific beta values are actually lower than the independent failure rates and result in the lower contribution of common cause failures of the diesel generators (see Level 1 OCPRA, Appendix F, database variables, ZBDGSS, ZBDGSR, ZBDGS2, ZTEGSS, ZTDGS1 and ZTDGS2, Table F.3-4b).To summarize, the total diesel generator normalized importance is: NRC-RESP 5 09116M9 Normalized Diesel Generator Failure Mode Importance to CDF Common Cause Failure (start and run) 1.0%Start/Start Independent Failure 0.5%Start/Run Independent Failure 2.4%Run/Run Independent Failure 2.9%Maintenance/(Start or Run) Independent Failure 2.3%TOTAL Diesel Generator Failure Importance 9.1%FE-2. Although the bases for all success criteria were provided in the development process of the rules, there is no overall summary of the success criteria and it is not clear where the analyses diverged from the FSAR. For example, the success criteria for the core spray system in the FSAR chapter 15 analysis require two main pumps and one booster pump be operable.

However, the IPE assumes that only one main and one booster pump may be operable.

Per NUREG-1335, please provide the bases. for the success criteria.RESPONSE A detailed summary of the overall plant model success criteria (i.e. system functions required) is provided in Section 8 of the Level 1 OCPRA. In addition, the system level success criteria can be found in the individual system analysis sections of Appendix F, Section F.XX.2 titled uSuccess Criteria and Top Event Definition".

Where the system or plant model success criteria differ from existing accepted safety analyses appropriate justification is provided and referenced.

Only RELAPS/RETRAN computer codes are used in the development of thermal hydraulic analysis done in support of the Level 1 OCPRA (MMP was not used to develop Level 1 OCPRA success criteria).

In the case listed above, core spray success criteria, References F.1 0-16 and F.1 0-17 provide the justification for the one main and one booster pump success criterion.

A summary of the OCPRA success criteria is provided in Attachment 2 to this response to the request for additional information.

FE-3. Please explain and clarify the linkages between modules via the event sequence diagram (ESD). The loss of feedwater control module is transferred to ESO LT3c, which does not exist RESPONSE The ESDs represent the first step in the development of the plant logic model. Input is solicited from operations, maintenance, safety analysis, risk analysis and plant engineering using this format (S2ee Section 7.1.2 of the Level 1 OCPRA). This information serves as a guide in the development of the plant model modules. One-to-one correspondence between modules and individual ESDs does not necessarily exist.This is due to constraints imposed by the modeling process, such as the imposition of system and initiating event dependencies and the increased level of detail required in NRC-RESP 6 09/20193 the plant model modules. For example, the investigation of interfacing system LOCAs (Appendix B.3 of the Level 1 OCIPRA) is very detailed and results in the addition of an Initiating event (LBIO) and top event VS, whereas there is no ESD. Also, a single function In the ESDs may be represented by multiple top events in the plant model modules. Thus, the purpose of the ESDs is to help develop a broad picture of the system functions required and not to provide detailed 01inkages" between modules.The loss of feedwater control as well as general transient ESDs reference ESD LT3c which does not exist This is a typographical error and should read *LT34. The conditions which apply to enter long term ESD LT3 are: MSIVs closed, no condensate, no early condenser and the reactor is shutdown.FE-4. Please discuss the long term consequences of the loss of reactor building closed cooling water to the recirculation pump seal cooling and the potential for the LOCA during transient especially invoking station blackout.

To what extent has induced pump seal LOCA been considered in the station blackout analysis?RESPONSE The question above is interpreted as three questions.

First, what is the affect of the loss of the Reactor Building Closed Cooling Water (RBCCW) system following a station blackout?

Second, why is RBCCW not modeled as an Initiating event? Third, what is the affect of the independent failure of the RBCCW system following other initiating events?1. In the case of loss of offsite power the loss of RBCCW is assumed to result in insignificant increases in the loss of reactor coolant through the seals. This is due to the guaranteed trip of the recirculation pumps due to loss of power and the results of tests on the recirculation pumps seals that show only normal leakage ¶,2*Therefore, this event does not contribute to core damage and is not modeled.2. A loss of RBCCW coupled with a failure to trip recirculation pumps is required for a recirculation pump seal failure (i.e. with successful recirculation pump trip only normal reactor coolant leakage through the seals is expected 1 2). The frequency of this event (approximately axl 0 per year) was considered to be a small fraction of the small below core break LOCA inside containment (SBI) frequency of 7.8x1 O3 per year, and since its consequences are the same as SBI, it was considered to be bounded by the SBI initiator.

Therefore, this event is not separately modeled.

Reference:

"Performance of the CAN2A Recirculation Pump Seal Cartridge During Station Blackout, David B. Rhodes, AECL Research 2

Reference:

"Evaluation of Shaft-Seal Leakage under Station Blackout Conditions for the Reactor-Recirculation Pumps at NMP-1w, Greene, T. E. (MPR Associates), Inch, G. B., Niagara Mohawk Power Corporation NACARESP 7 09t16t9 It should be noted that the writeup in the Level 1 OCPRA, Section 7.2, page 7.2-25, was inadvertently left in the documentation from an earlier draft version and is inaccurate.

3. The independent failure of the RBCCW system following other initiating events can also result In a loss of cooling to the recirculation pump seals. If the initiating event did not result in the trip of recirculation pumps then operators would be required to do so. If operators fail then the result would be a loss of coolant through the recirculation pump seals. This event is also considered to be bounded by the small below core and inside the containment LOCA (SBI). If the transient or operators trip the recirculation pumps then only normal leakage Is expected through the seals'H.FE-6. The submittal, in its sensitrivty stuod concluded that relaxing assumptions for the EMRVs would reduce total CDF by 18% Pfease clarify and identify the assumptions for the 18%reduction.

RESPONSE The question above refers to Section 9.2.2.2 of the Level 1 OCPRA, entitled, EMRV Failure Mode. The initial assumption made in the Level I OCPRA -is that all EMRV failures to reclose result in a fully stuck open EMRV (100% maximum mass flow). To study the effect on the Level 1 OCPRA results, this assumption was adjusted to: all EMRV failures to reclose are partial reclosure failure (50% of full mass flow). Therefore, the impact on the model is an increase in the time available before core uncovery.

The increase in time affects only one initiating event: Loss of Offsite Power. Since the mass flow rate from the partially stuck open valve Is reduced by 50% the minimum time available for offsIte power recovery-increases from 30 minutes to one hour. The mathematical derivation on page 9.2-7 calculates the decrease in CDF.FE-6. The submittal stated that the failure data sources for Oyster Creek came from the operating experience (surveillance and operating procedures) and plant specific data over a period of approximately 11 years (1978-1989:

Tables 4.3.1 through 4.3.7).However, it appears that the vast majority of the failure data are generic data, and no specific discussions are presented in the submittal on the criteria for using plant specific and generic data, particularly Bayesian update of generic data. Please identify and discuss the rationale for instances in which generic data is used in lieu of available plant specific data.RESPONSE All generic data is Bayesian updated with plant specific data where such data is available.

The result of Bayesian updating of generic data with plant experience is the plant specific database.Table 4.3-7 and Table 4.4-6 of the Level 1 OCPRA contains 53 plant specific component failure rate distributions and 61 common cause distributions, respectfully.

Therefore, a total of 114 plant specific data distributions are developed.

NRC-RESP 8 0os/203 In contrast, Table 4.3-8 contains 79 generic Component failure rate distributions.

The remainder of Table 4.3-8 is comprised of 82 common cause and 7 generic human action distributions for a total of 148 total distributions.

The sum of all three tables produce the OCPRA database.

All plant specific failure rates are used In the system models. These include plant specific pump, heat exchanger, valve (motor, air, solenoid operated as well as relief, safety, MSIV and EMRV) failure data. Only in rare cases is generic data used where no plant specific data is available.

For example, no manual valve failures were discovered in the data gathering task. Due to the difficulty in accurately determining successful demands, no plant specific value was generated and a generic value was used.FE-7. The submittal does not provide rationale or justification forscreening out certain events.Please provide additional Information on the screening process of the following events: a. core spray failure following small LOCA to the reactor building (page 7.1-19, section 7.1.2.2 of the submittal).

b. feedwater line breaks outside' containment as an initiating event.C. line breaks at the bottom of the vessel, e g., CRD penetration and instrument lines, as an initiating event.RESPONSE (a.)The core spray failure following a small LOCA to the reactor building (page 7.1-19, Section 7.1.2.2 of the Level 1 OCIPRA) is not screened from consideration.

Rather, this event is modeled and assigned its independent failure rate. In addition to the rationale provided in Section 7.1.2.2, the core spray system is not assigned a guaranteed failure since the initiator SAORB is within the environmental qualification envelope.RESPONSE (b.)Feedwater line break frequency does not contribute significantly to the loss of feedwater and partial loss of leedwater initiating event frequencies (0.151 and 0.178, respectively) or the system unavailability of the feedwater system. On this basis the feedwater line break is not included in the internal events study. However, feedwater line breaks are considered in the internal flooding analysis. (See Section 10 of the Level 1 OCPRA).RESPONSE (c.)Une breaks at the bottom of the vessel, including CRD penetrations and Instrument lines, are considered bounded by the below core initiating events. CR0 penetrations and instrument lines breaks (as well as seal LOCAs) which occur inside containment are modeled as small below core and inside containment (SBI). Those lines (including CR0 and instrument lines) in which the break occurs outside the containment boundary are modeled as small below and outside containment (SBO) and evaluated in Appendix NRC-RESP 9 Osllaw#

B.3 of the Level 1 OCPRA report (specifically Section 6.3.1).Large line breaks at the bottom of the vessel (i.e. below the core) are modeled as the large below core LOCAs. Those large line breaks below the core and inside containment (LBI) are modeled as a recirculation line break. Those large below core breaks outside the primary containment boundary are modeled as the initiating event LBIO. This initiating event considers the overpressurization of the reactor water cleanup system and is evaluated in Appendix 6.3 of the Level 1 OCPRA (specifically Section 5.3.3).FE-8. Please identify those H/VAC systems assumed not to be required,.

and provide justification for the assumption (Section 2.1.4). Please provide fuirtherjustification for the assumption that HNAC failures are not initiating events. [initiating events are discussed in Section 2.1.3, guideline

  1. 1 of NUREG 1335.1 RESPONSE All HVAC systems which support functions modeled in the plant model modules are modeled except where not required either due to existing safety analysis ,pa those performed in support of the OCPRA.As stated in Section 5.2 on page 5.2-4 the control room HVAC systems were not modeled. Calculated control room heatup times, based on test data, indicated an excess of 21 hours2.430556e-4 days <br />0.00583 hours <br />3.472222e-5 weeks <br />7.9905e-6 months <br /> before design temperatures would be reached (References 5-5 and 5-). This time was judged sufficient to exclude HVAC from the model.Reactor Building comer room cooling is not modeled. The Oyster Creek FSAR states that corner room cooling is not required for long term operation of the containment spray and core spray systems (OCNGS FSAR, page 9.2-18).Ventilation systems for the 4160 VAC 1 C and 1 D Switchgear Rooms is not modeled based on loss of ventilation tests (GPUN Test Procedure

-TP 254/15, Rev 0 -MTX 26.12.2.6, WA/B/C Battery, MG and CID 4160 Switchgear Rooms Heatup Test) which indicate very small heatup rates and projected temperatures well below design.Ventilation systems for 125 VDC Battery Room B is conservatively modeled as affecting the availability of long term power from battery B. Temperature rises as a result of failed ventilation could be significant due to motor-generator sets in the room. In the case of Battery Room C, ventilation is not modeled. This is due to fact that the ventilation tests performed by GPUN (referenced above) indicated insignificant temperature rises with ventilation failed and the fact thalt the battery is the only equipment in the room and generally unaffected by temperature.

The 480 VAC Switchgear Rooms A and B ventilation is conservatively modeled. GPU Nuclear heatup tests (OCNGS Functional Test Procedure TP-254/114, Rev 0, w480 VAC Switchgear Room Heatup Tesr) indicated significant A and 6 room heatup rates. In most cases several hours would be available before reaching design temperatures and more time would be available before failure temperatures were reached. However, the NRC.RESP 10 09/1 6A failure of ventilation systems are conservatively modeled to result in switchgear failure.See Level 1 OCPRA, Appendix F, Section F.3.1 1, modeling assumption 7.FE-9. Please provide your rationale for limiting the discussion of DHR to ultimate heat removal, excluding discussions of injection/core cooling? [DHR is addressed in Section 2.1.6, guideline

  1. 4 of NUREG-1335.1 RESPONSE Section 2.1.6, guideline
  1. 4 of NUREG-1335 states, "A thorough discussion of the evaluation of the decay heat removal function because the adequacy of the decay heat removal capability at the plant for preventing severe accident situations is to be resolved within this examination program. Plants without feed-and-bleed capability should particularly address the capability of the plant to recover from loss of feedwater events (Refs. 13, 14, and 15). For purposes of the IPE, only power operation and hot standby need to be considered." Section 5.0 of the IPE Submittal Report, titled, "Unresolved Safety Issue A-45 -Shutdown Decay Heat Removal Requirements;" Indicates that The Level 1 PRA models successful mitigation as the various combinations of reactor vessel Inventory Makeup and the above decay heat removal rejection pathways." To elaborate, the sources of reactor vessel inventory makeup are, in order of priority: Feedwater, control rod drive (CRD), condensate, core spray and diesel driven fire protection.

FE-10. What are the size definitions (equivalent hole diameters) for the LOCA categories, including the distinction between water and steamline breaks? [Initiating events are discussed in Section 2.1.3, guideline

  1. 1 of NUREG-1335.1 RESPONSE The small loss of coolant accident in the OCPRA is defined as those break sizes which do not result in RPV depressurization such that automatic depressurization is necessary to allow for the injection of low pressure sources to cool the core (see Section 7.8 of the Level I OCPRA). For above core LOCAs (steam discharge) this is equivalent to approximately 0.02 ft 2 and for below core breaks (water discharge) approximately 0.20 ftz (OPM, Module 5, page 05-4).FE- 11. Were containment bypass sequences considered in the Master Logic, Dia gram? [Section 2.2 of NUREG-1335 discusses containment considerations.j Please explain.RESPONSE Yes. Figure 7.2-1 titled WMaster Logic Diagram" (page 7.2-10) illustrates the master logic diagram. Level D of the diagram specifies the safety functions which include"Insufficient Containment Isolation".

Insufficient containment isolation is assumed to include ISLOCAs which are discussed in Appendix B.3, primary containment isolation NRC-RESP 1 1 09/20193 top event development (Top Event PI) and the LOCAs which occur outside the primary containment pressure boundary.HF-1. Describe the HRA "In-houseO review and per NUREG-1335, the review team members that participated in the HRA review portions of the IPE.RESPONSE The independent in-house review group participated In the review of all aspects of the OCPRA including the Human Action Analysis.

The participants are as listed on page D-2 in Appendix D of the Level 1 OCPRA. Specific comments related to operator actions modeled can be found on page D-5, comment C) i; page D-6, comment 1; page D-7, comment 7 and 8; page D-49, comment 2; page D-1 1, comment 7; page D-1 2, comment 3; page D-1 3, comment 3. Independent consultant review comments on the HRA can be found on pages D-41 thru D-44.HF-2. It is not clear why operator actions were evaluated for inclusion or exclusion in the plant and system models. For example, containment flooding was identified by the independent review as an EOP-rquired action for "bottom breaks" in the comments Section (see p. D-6 in submittal.)

The resolution to this comment Implied that flooding"...is not required to establish or maintain stable shutdown conditions,....

and is not expected to significantty increase the likelihood of plant damage." However, the operator is instructed to take action by the EOPs,; an action excluded from the analysis.

Other IPEs have found that containmenm flooding can cause early containment failure if the molten core breaches the RPV with the RPV with he torus flooded (loss of pressure suppression).

Therefore, the analysis of this operator action helped these plants to identWy an area of concern in their EOPs. Was the potential downside of flooding containment identified?

If so, what is the rationale for screening out human actions associated with flooding containment?, From this example, please explain what criteria was used to assure that important operator actions were not excluded from the analysis.RESPONSE Emergency Operating.

Procedure (EOP) actions are modeled in the OCPRA with the exception which is noted in the example above. However, no credit is taken for detailed recovery actions such as attempts to insert control rods (following AiWS) or operation of core spray pumps following a loss of NPSH. The positive benefit of these actions are not modeled whereas the down-side is modeled in the operator confusion and distraction PSFs for performances of actions which inject liquid poison or recover NPSH by alternate injection.

In addition to the EOP actions modeled, supporting procedures are also reviewed for potential inclusion in the OCPRA. The governing criterion for inclusion in the study is that the action affects the possible outcome of the sequence of events whether this effect is positive or negative.

Many of the actions modeled in the OCPRA have down-sides which are explicitly treated. For example, action OM.operators take mode switch to shutdown, disables MSIV automatic closure on low pressure.

On the positive side, his action preserves the main condenser as a heat NRC-FESP 12 09/16W9 removal path. On the negative side, success of this action results in no automatic MSIV closure In the case where a small steamline break occurs .Such is the case for all actions modeled in the study.With regard to the specific example cited, the down-side of the containment flooding action was evaluated.

However, the event described in the question was not included in the analysis due to its low likelihood of occurrence.

That is, to have successful containment flooding, two injection paths must be available; one to cool the core and the other to flood containment.

The likelihood of the loss of both sources (which must occur for core damage) as well as the failure of all other vessel makeup sources (i.e.all injection source must fail or they are available for injection) is small in the time Interval when water level has increased above the drywell downcommers but is below the break location.

The available injection sources include CRD, feedwater, condensate, core spray and diesel driven fire protection.

HF-3. ft Is common practice to include pre-initiating events as part of the HRA Experience shows that this is an important aspect of the HRA because it provides an opportunity to examine and scrutinize plant ,riaintenance and calibration practices and identify additional areas forpotential improvements (Generic Letter 88-20, Section 2, examination process, page 2). The IPE states that the frequency of actions occurring prior to an initiating event are captured in the basic event equipment failure rates (p. 6-1) and consequently were not modeled explicitly (p. 5.4.3). However, the NUREG-1 150 experience (Peach Bottom) demonstrated that the analysis would have missed significant risk reduction events as well as significant risk increase events (summarized in NUREGICR-4450, VoL. 4, pgs. 1-3 & 4) had they not performed a detailed pre-initiating event analysis.

The licensee is requested to assure that important events were not overlooked by omitting a detailed modeling of the pre-initiator human errors.RESPONSE The NUREG/CR-4450, Vol. 4, pgs IV-1 82-184, Pre-Accident Errors states, "...few important pre-accident errors weire identified." and later lists only two cases.In case 1, Miscalibration of reactor pressure sensors, a range of 1 E-3 to 1 E-5 is listed as acceptable values to use. A 1 E4 value is used and produce plant damages states 0... in the E-8 range...".

In addition an the "Effect of using a 1 E-3 would be less than a factor of ten increase in the A and S1V plant damage states which are presently in the E-8 range...".

In case 2, failure to restore the correct standby alignment of the Standby Uquid Control (SLC) system after test, a range of 0.02 to 0.001 is indicated as acceptable.

A 0.01 value is used. No effect on the results is provided for this case. In contrast, the failure rate for the SLC system in the OCPRA ranges from 0.0175 to 0.0975.GPU Nuclear believes as stated in NUREG/CR-4450 that few pre-accident errors can be identified using HRA techniques and it is unlikely that any of these contribute significantly to total core damage frequency.

In many cases one could double count failures which are already accounted for in the database, such as the common cause NAC-RESP 13 09/1&Ws failure of sensors and the SLC system pump start For example, a failure in the database for SLC controllers in the wrong cube could be construed as a human pre-accident error. In the OCPRA this event is included In the common cause failures and resutts In a plant specific beta factor of 0.127. In conclusion, sufficient operator experience is available for the determination of pre-accident events and this data is considered more accurate and less uncertain than HRA analysis.HF-4. PerNUREG-1335, ...unless proper justirication is provided, all important recovery actions should have written procedures' (Appendix C, Section 9, Response to question 9.1, pg.C-19). The licensee, however, included 'non-procedure guided actions." Such an approach has the positive effect of identifying all possible ways of recovering safety system functions during an acciddet which is one of the objectives of the IPE. On the negative side, however, modeling rrany operator recovery actions in a PRA has the effect of driving the core damage frequency to very low estimates.

Unless a sensitvity is performed, such a method may mas* true plant capability to cope with severe accidents.

Discuss the significance of non-pro cedure guided actions modeled in the IPE to the total core damage frequency.

Also discuss the measures taken (or available) to assure consistency of the IPE with the available procedures and training for these actions.RESPONSE The operator actions modeled in the Level I OOPRA are procedurally guided except: 1. Recovery of Offsite Power (Appendix B.1)2. Recovery of Containment Heat Removal Actions (Appendix B.4)3. Top Event RS3 -Manual Reactor Scram (Appendix E, page E-1 31)4. Top Event ME -Manual MSIV Closure (Appendix E, page E-1 52)In the case of the recovery of offsite power actions (Level 1 OCPRA, Appendix B.1), no guidance was available at the time the study was performed.

In anticipation of the addition of the Alternate AC Capability modification a general guideline was used to estimate human error likelihood.

The Level 1 OCPRA conclusions and planned actions contain the commitment to develop these procedures (see IPE Submittal Report, Section 8.1.1 , page 8-2). The values for human error rate currently used in the study are considered conservative and subsequent updates of the Level I OCPRA would use more realistic values. A discussion of the sensitivity of the result to offsite power recovery is provided in Section 9.2.1 of the OCPRA Level 1 report.In the case of the recovery of containment heat removal (Level 1 OCPRA, Appendix B.4), no guidance was available at the time the study was developed for the recovery of DC power (assigned a 0.5 probability) or the recovery of instrument air (assigned a 0.06 failure rate). These two recoveries occur during a loss of containment heat removal scenario which is expected to develop over a significant period of time (greater than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> -Reference B.4-8 and B.4-9). Given the long term nature of the scenario the values chosen are considered to be reasonable estimates.

In addition, OCIPE Submittal report, Section 8.1.1, recommends the development of loss of DC power procedures which will address available options following a loss of DC power. Section NRC-RESP 14 09t16M9 9.2.3 of the Level 1 OCPRA contains sensitivity of the OCPRA results to the containment heat removal recoveries.

The value assigned to the DC power recovery models the potential for the cross-connect of battery A to supply certain station DC loads. The value assigned to the instrument air recovery is based on the likelihood of success of the gagging shut of a stuck open relief valve or the switch to alternate air driers. A discussion of the sensitity of the results to the recovery of containment heat removal is provided in Section 9.2.3 of the Level 1 OCPRA.In the case of split fraction RS3 guidance is available and operators are instructed to manually trip the reactor whenever a reactor trip should have occurred (i.e. normal post-trip action). The documentation in the Level 1 OCPRA report to the contrary is in error.The manual MSIV closure following high RPV level (top event ME) is not procedurally directed.

However, the purpose of this event in the model Is to ensure that MSIV closure is questioned either before or following carryover of RPV water into the main steamlines.^

This event is modeled pre-carryover, however failure is conservatively assumed to result in main steamline failure (steamline break) and therefore the model questions the automatic MSIV closure on low pressure.

Also, following main steamline failure, procedures do exist for the manual closure of MSIVs. Therefore, whether pre-carryover or following MSIV closure this action would have the same result on the MSIV isolation transient.

From a modeling standpoint this is equivalent to having a procedure for top event ME.HF-5 How were operator action dependencies accounted for in the human action analysis?(Question added in September 9, 1993 teleconference with NRC Staff)RESPONSE Operator action dependencies are accounted for by considering potential effects on human error rate of preceding unsuccessful actions (V22) and preceding and concurrent unrelated actions (V21). These performance shaping factors are discussed in Section 6.2.5.1 of the Level 1 OCPRA. To verify that dependencies were reasonably handled a sensitivity of multiple operator actions was performed. (See Section 6.4 of the Level 1 OCPRA). The conclusion of these evaluations (page 6.4-14) was that no dependent actions were incorrectly treated as independent in the study, and that the performance shaping factor approach was adequate.BE-1. Please provide a discussion of key uncertainties (phenomenological, systems, and operator actions) and their potential impact on the release categories.

RESPONSE Phenomenological Uncertainties:

The GKA EPRI report concerning recommended uncertainty analyses for IPE using MAAP 3.0B was studied and a certain approach was chosen based on a combination of parameters recommended in the above document which will give a conservative response in source term released.

The underlying reason was to reduce the confusion NRCO-RESP 15 09117193 due to the wide spectrum of uncertainties and focus on a conservative response.

We shall address each group of parameters identified in the above document and what we did to bound the uncertainties involved: 1. Containment Failure Mode: MAAP was not used to calculate containment failure mode and an outside analysis was done by EQE (Appendix A of the Level 2 OCPRA). The analysis was based on a probabilistic approach that Involved material uncertainties at different containment conditions, Tables (3-1, 2, 3, 4t, 5). Although this study showed that there is a probability of leakage through the drywell head flange, it has been assumed, for the source term calculation, that the containment failure mode is catastrophic in nature and would result in high and conservative source term.2. In-Vessel Phenomena

--' ---Hydrogen Generation and Fission Product Release and Revaporization The parameters chosen which will bound the uncertainties in hydrogen generation and source term release were the no blockage and the double side oxidation.

This choice will maximize hydrogen production and fission product release into the containment resulting In early containment failure and high source term release. Please see 03 and A3 on page D-4/D-5 of Appendix D of the Level 2 OCPRA where a discussion is presented to support the conclusion that these options will maximize fission product release.In this discussion conservatism means 'early containment failure and high source term release which would minimize evacuation time.-Lower Head Failure The mechanistic lower head failure model in MAAP was used which would fail the lower head a few seconds after core collapse.

This approach is conservative because fission product decay is reduced since in-vessel residence time is reduced and containment time to failure is reduced since it is challenged earlier.The uncertainties in other parameters involving eutectic melting temperature, latent heat of fusion and mass of steel consumed by core debris were not investigated.

The GKA EPRI document cited above does not recommend such investigation since the no blockage option would bound the amount of hydrogen generated and will demonstrate the impact of uncertainties in the core melt progression modeling on the overall plant response.3. Ex-Vessel Phenomena The applicable issues here are debris dispersal and distribution, debris coolability and fission product sources.NRCO-RESP 16 09/17193 The GKA guidance document cited above does not recommend any sensitivity analysis once the no blockage option is used, hence no sensitivity was done.Changing the drywell floor area was not found to be useful because debris spreading and corium concrete interaction are important In dry drywell floor scenarios and because these sequences (NIFW) were already in the early containment failure category a reduction in drywell floor area will not change such a classification (reduce time to failure).

The reactor building was not taken credit for in decontaminating fission products before exiting to the environment.

It is assumed here that the drywell catastrophic failure will quickly pressurize the reactor building and open blow-out panels (0.25 psig delta P needed), Please see 06, A6 and Q12, A12 on pages D-8, D-7 of Appendix D of the Level 2 OCPRA. This assumption also maximizes the source term released into the environment.

Based on the above discussion, modeling assumptions used would adequately bound uncertainties known in different parameters related to phenomenological issues.II. Systems and Operator Actions Uncertainties The Level 2 OCPRA utilizes a phenomenological containment event tree (CET). System and operator action uncertainties are considered in the Level 1 OCPRA. See Section 9 of the Level 1 OCPRA, Propagation of Data Uncertainties and Sensitivity Analyses.BE-2. Please provide the value for the conditional probability that the containment is not isolated and a discussion of the process used to-estimate its value.RESPONSE The conditional probability that the containment is not isolated is not separately calculated in the Level 1 PRA. Rather, the plant damage states are binned into four containment endstates which are: Intact, Bypassed, Failed Early and Failed Late. These endstates represent containment conditions at the time of core damage. In the case of containment bypassed (PDS xJxx) the containment isolation function may not have been required since the transient or LOCA may have resulted in a bypass of containment (i.e. interfacing system LOCA or LOCA outside containment).

However, this endstate would qualify as a containment un-isolated condition.

As indicated in Table 3.2-6 (page 3.2-14) of the Level 1 OCPRA, the containment bypass percentage is 6%.The containment failed early encdstate (PDS xKxx) is the result of the failure of the primary containment isolation function (top event PI) or the failure of the reactor scram function where containment is assumed to be unable to handle resulting heat loads.Therefore, this endstate is the result of both primary containment isolation failure and the early failure of containment due to ATWS. For Appendix C, Table C.4-2 the total containment unisolated and failed early CDF is the sum of the xJxx and xK= endcstates or 4.79x1 07 per year. This corresponds to a conditional containment unisolated and failed early frequency of 0.13.For additional information on the numerical results of the plant damage states see NRC-RESP 17 09116Ml Appendix C, Table C.4-2, page C-119 of the Level 1 OCPRA. For additional information on the process used to estimate endstate values see Section 8.3.1.2 and 8.3.3.2 of the Level 1 OCPRA.BE-3. The IPE does not account for recovery of electrical power Following core damage.Please discuss how the containment failure characterization would change ff power was restored.

ldenti*y and discuss any, negative effects of restoring electric power.RESPONSE It is assumed in the analysis that If power is not recovered (in SBO or LOSP) within one hour then the adverse conditions in the plant will limit its usage i i-- isrecovered later and was therefore assumed to be unavailable.

If, however, one would argue that there is a probability that it can be used once K Is recovered then if we follow the scenario NIFW which is a station blackout with independent DC failure then a restoration of power may prompt the operator to vent the containment as required by procedure.

This may not be a desirable action since it will result in early source term release which would be avoided if proper Accident Management Guidelines are in place. Also drywell sprays might be activated with corium in the drywell and it Is not clear how containment will respond to probable early steam de-inertion and/or steaming.

These issues are postponed to the AMG development phase when better tools will be available (MAAP4)that can take care of such effects.BE-4. What does "such scenarios" refer to in the middle of page 1-4 of the Level 2 PRA portion of the submittal report.RESPONSE"Such scenarios" refer to scenarios that involve molten corium spreading on the dry drywell floor. at vessel breach (worst conditions for liner melt-through).

The applicable scenario would be NIFW.BE-5. On page 8-2, first line, Level 2 PRA position of the submittal report, it is noted that the PDSs described as "Y" and ?Za (reactor building not isolated) are not represented.

Please explain why this is the case.RESPONSE The plant damage states which have the designators Or and "Z" in the fourth position do not appear in the Level 2 OCPRA since they are below the cutoff used in the determination of key plant damage states. It should be noted that plant damage states with OY and "ZN in the fourth position do appear in the Level 1 OCPRA results at much lower values (i.e. <5x10 9).BE-6. Is any credit taken for "passive mitigation" in the reactor building?

It appears that all relevant dominant release categories have a "B" designator (note page 1 1-3 of the Level 2 PRA), which indicates no credit. Please explain.NRC-RESP 18 09/20/93 RESPONSE No credit was taken for the reactor building.

Please see 06 and A6 on page D-6, 012 and Al 2 on page D-7 (Appendix D of the Level 2 OCPRA) for more details.BE-7. Is the tile of Table 12-12, page 12-16, of the Level 2 PRA portion of the submittal report correct? The table states that it is for early containment failure but it seems to be for late containment failure.RESPONSE The title is incorrect.

The table should read I... Late Containment Failures." BE-8. You state (page 4-2 of Submittal Report) that a.. Ono water to core debris" endstate contributes 8.75% to the total calculated core damage frequency." Further, you suggest that drywell sprays could potentially eliminate at least part of this contribution.

How do drywell sprays contribute to reducing core damage frequency?

RESPONSE -The core damage frequency of Oyster Creek contains an endstate for 8no water to core debrisV which is equal to 8.75% of the total calculated core damage frequency.

Part of this 8.75% is the result of the drywell spray failure to function and therefore failure to provide a wet drywell floor. In addition to the spray function, Oyster Creek drywell sprays also provide cooling (i.e. cdrywell sprays are the link to the ultimate heat sink via the emergency service water system). Without containment spray and the containment vent core damage is assumed to occur due to the catastrophic failure of containment (TW sequence).

Therefore, the success of the drywell spray system can potentially mitigate a fraction of these loss of containment heat removal (TWO) sequences.

BE-9. It is not clear how the information developed in the Level 1 (front end) section of the report is used in the Level 2 (back end) portion of the report. Please provide the basis for the quantification of the CETs for each of the seven KPDS, and split fractions used.RESPONSE The interface between Level 1 information and Level 2 is described in the Level 2 report.Section 8.1 on pages 8-1 and 6-2 where the selection of key plant damage states (KPDS) and the selection criteria are described.

The representative accident sequence for each KPDS is described in the remaining parts of Section 8, pages (S-2, 8-3, 8-4)together with the basis for this selection.

The CET quantification is described in Section 10 and the split fraction logic is shown in Table 1 0-1 page 10-15. Table 1G-2, page 10-19 through 10-22, shows the values of the split fractions used in each KPDS. The basis for those values is shown under "Description" column in the table. An explanation of the steps used in determining the release categories from the CET is documented in Appendix C.The split fractions for suppression pool bypass (top events S1 and S3 in Table 10-2)NRC-RESP 19 09116M9 are based on vacuum breaker cycling frequency for the relevant sequences as determined by MAAP. These cycles are documented in Table 10-3 for the relevant sequences and Sections 10.5 and 10.10 describes how the split fractions were calculated from these values. Containment failure split fractions calculation is shown in Sections 10.7, 10.12, 10.13. The basis for the remaining split fractions is discussed in the above table and/or in applicable top event description in Section 10.BE-10. On page 10-12 of the Level 2 PRA, you note that procedure-activated dirty venting via the diywell is activated as part of the representative sequence for the KPDS OJAU. The OJAU KPDS results in a containment bypass 100% of the time. What is the source term associated with this KPDS and what affect does venting have on the magnitude and timing of the source term?RESPONSE Please see page 11-10 of the Level 2 OCPRA (Section 11.3.7) for release category KRC6 which represents KPDS OJAU. The source term is shown in Figure 11-6 and the effects of venting is discussed In above section.BE-11. On page 7-4, the report states theat about half of the CDF is allocated to Wo-Vessel Breach", resulting in no radionucride releases.

Vessel breach (after core damage) is only prevented by either introducing fire protection water when the vessel is under low pressure or providing sufficient

  • control rod drive hydraulic system" flow when the vessel is under high pressure.

For both vessel injection modes, operator action is required.Thus, this operator-controlled cooling function appears to have a key bearing on the radionuclide release profile for Oyster Creek.Please discuss the sources of thte uncertainty associated with core cooling by these means after core damage and the implications of these uncertainties for the radionuclide release characterization.

On page 4-2, the report states that "MA4P was not used to investigate in-vessel recovery under damage core conditions

... where RETRANIRELAP5 results were mainly used where needed.& This implies that "No Vessel Breach" is related to those sequences where RETPAMIRELAP5 analysis showed that there was adequate core cooling to prevent fuel relocation.

This is different from the information on page 7-4. Please provide a discussion which clarifies the two "No Vessel Breach" approaches.

RESPONSE To clarify the inconsistent documentation on pages 4-2 and 7-4, the MAAP 3.08 computer code was used in the determination of in-vessel mitigation.

The RETRAN/RELAPS computer codes were used in the development of the Level 1 OCPRA success criteria only.The scenarios in which "No Vessel Breach" is assigned are those where fire protection NRC-RESP 20 09/20l93 injection (RPV at low pressure) or control rod drive flow (RPV at high pressure) is available.

In the low pressure case, fire protection injection, operator action to align the system for injection is necessary.

In the CRD case normal bypass flow (120 gpm) is sufficient for in-vessel mitigation and no operator action is required (Level 2 OCPRA, page 7-4).The thermal hydraulic analysis done in support of the in-vessel mitigation cases used the MAAP 3.06 computer code and show that adequate core cooling to prevent vessel breach is available.

Several factors contribute to the uncertainty of the mitigation endstate and resultant radionuclide release.One of the factors affecting the uncertainty of this method of core cobring is associated with the endstates PIFW and OIAU (the two endstates in which in-vessel recovery is applied).

The PIFW and OIAU. endstateuncertainty is illustrated in the Level 1 OCPRA, Section 9, Figure 9.1-1 and in tabular format on Table 9.1-1.The mean value of PIFW endstate is 2.23x1 04 with the 5th and 95th percentiles covering a range of approximately a factor of 20 (2.71 x107 and 5.52xl 06, respectively).

Contributing to this endstate distribution is the uncertainty associated with the operator action for fire protection injection.

This action was evaluated in the Level 1 OCPRA using an estimated 30 minutes to perform the action (before onset of core damage) and produced a frequency of 6.93x103.(It should be noted that the MAAP 3.06 analysis indicated that up to one hour was available before extensive fuel damage, Level 2 OCPRA, page 7-4.) In any case, even if fire protection injection was not successful and vessel breach eventually occurred at the low RPV pressure associated with this PDS, no increase in early containment failure fraction would be expected.The mean value of the OIALI endstate is 5.25x1 O with the 5th and 95th percentiles covering a range of approximately a factor of 8 (1.25x10 7 and 1.13x10o4, respectively).

The distributions of these endstates illustrate the uncertainty in the Level 1 OCPRA due to dispersions (uncertainties) in component and human action failure data.In addition to the uncertainty in the frequency of the in-vessel mitigation endstates (PIFW and OIAU), uncertainties involving fuel-coolant Interactions when cold fire protection water is sprayed on the hot core (after damage) also effect the radionuclide releases.

Despite the potential for Ifuel-coolant interactions t is believed that the vessel would remain intact with the majority of the source term remaining in the vessel or containment because level recovery is assured rather quickly with fire protection injection.

NRC.RESP 21 09WlIGW

.-- I .4 --1 .ATTACHMENT I COMMON CAUSE FAILURE IMPORTANCE TO TOTAL CORE DAMAGE FREQUENCY ATTACHMENT 1 Common Cause Failure Importance Report (Top 50 Common Cause Events)No. CCF Event CCF Event $Spit CCF Event Basic Event l Total Event l Normalized Total Name Description Fractions Value Importance I Importance Event Importance 1 (PMo3A Core Spray CS1 9.1762E-05 6.4058E-02 PM03B Booster CS2 9.1762E-05 1.1745E-03 PM03C Pumps CS3 9.1762E-05 1.1602E-03 PM03DI (deita) CS4 9.1762E-05 O.OOOOE+00 CS6 9.1762E-05 2.01I1E-04 CS7 9.1762E-05 2.9220E-04.

_ C08 9.1762E-05 3.7769E-09 6.6886E.02 3.47%2 [PMO1A Core Spray CS1 5.7515E-05 4.0151E-02 PMO1B Main CS2 5.7515E-05 7.3617E.04 PMO1C Pumps CS3 5.7515E-05 7.2720E-04 PMO1DJ (delta) CS4 5.7515E-05 0.OOOOE+00 CS6 5.7515E-05 1.2605E-04 CS7 5.751SE-05 1.8314E CS8 5.7515E-05 2.3673E-09 4.1923E-02 2.18%3 [MV034D Isolation Condenser IC1 9.1 524E05 9.7809E-03 MV035D Isolation valves IC2 9.1524E-45 4.9789E-05 failure to open IC3 9.1524E-05 5.6371E-06 (beta) IC4 9.1524E-05 O.OQOOE +00 9.8364E-03 0.51%4 [MV015 Core Spray CS1 9.0095E-06 6.2894E-03 MV040 Parallel Isolation CS2 9.0095E-06 1.1532E-04 MV021 Valves fall to open CS3 9.D095E-06 1.1391E-44 MV0411 (delta) CS4 9.0095E406 O.OOOOE +00 CS5 9.0095E-06 4.5369E-06 CS6 9.0095E-06 1 .9745E-05 CS7 9.0095E-06 2.8689E-05 CS8 9.0095E-06 3.7083E-10 6.5716E-03 0.34%5 [SP23BD Main steam low ME1 1.154E-04 3.4217E-03

.SP23DD] pressure switches ME2 1.1546E-04 6.8585E408 fail to operate (beta) 3.4217E-03 0.18%6 [SP23AD Main steam low ME1 1.1546E-04 3.4217E03 SP23CDJ pressure switches ME2 1.1546E-04 6.8585E-08 fail to operate (beta) .3.4217E-03 0.18%7 [PM03A Core Spray CS1 2.2238E-04 6.8351EE-05 PM03D0 Booster CS3 2.2238E404 2.8117E-03 Pumps CS4 2.2238E-04 O.OOOOE + 00 (beta) CS6 2.2238E-04 4.8737E-04 CS7 2.2238E-04 6.2783E406 CS8 2.2238E404 9.1533E09 3.3737E-03 0.18%CCF-8EI.XLS Page 1 9/10/93 A-17ACHMENT I Common Cause Failure Importance Report (Top 50 Common Cause Events)No. CCF Event CCF Event Split CCF Event Basic Event Total Event Normalized Total Name Description Fractions Value Importance Importance Event Imoortance 8 [PM03B Core Spray CS1 2.2238E-04 7.4814E-05 PM03C] Booster CS2 2.2238E-04 2.8464E-03 Pumps CS4 2.2238E-04 O.OO0OE+00 (beta) CS7 2.2238E.04 6.2747E-06 2.9274E-03 0.15%9 [PM03B Core Spray CS1 2.2238E-04 1.3156E-03 PM03DI Booster CS2 2.223BE-04 6.0429E-05 Pumps CS3 2.2238E-04 7.1979E-05 (beta) CS4 2.2238E-04 O.OOOOE+00 CS6 2.2238E-04 1.2401E-05 CS7 2.2238E-04 7.0813E-04 CS8 2.2238E-04 9.1533E-09 2.1686E-03 0.11%10 [VLSYS1 Core Spray CS1 2.8983E-06 2.0233E-03 VLSYS21 System 1 and 2 CS2 2.8983E406 3.7097E-05 Valves CS3 2.8983E-06 3.66452-05 (beta) CS4 2.8983E-06 0.0000E+00 CS5 -2.8g832E06 1.4595E-06 CS6 2.8983E-06 6.3520E406 CS7 2.8983E 06 9.2291 E-06.CS8 2.8983E-06 1.1929E-10 2.1141E-03 0.11%11 [PMO1A Core Spray CS1 1.3939E-04 2.2767E-05 PM01DI Main CS3 1.3939E-04 1.7624E-03 Pumps CS4 i.3939E-04 O.OOOOE+00 (beta) CS6 1.3939E-04 3.0549E-04 CS7 1.3939E-04 2.0375E-06 CS8 1.3939E-04 5.7372E-09 2.0927E-03 0.11%12 [PMO1AS DG fuel oil transfer EC2 3.5556E-04 2.0606E03 PM01 BS] pumps fadI to start_ (beta) 2.0606E-03 0.11%13 tPM01B Core Spray CS1 1.39392-04 2.2767E-05 PMOIC Main CS2 1.3939E-04 1.7841 E-03 Pumps CS4 1.3939E-04 O.OOOOE + 00 (beta) CS7 1.3939E204 2.0375E-06 1.8089E203 0.09%14 (NV03AD MSIVs fail to close ME1 5.3492E-05 1.5852E-03 NV04ADI on demand (beta) ME2 s.3492E-05 5.9952E-07 1.5858E-03 0.08%15 [NV03BD MSIVs fag to close ME1 5.3492E-05 1.5852E203 NV04BDO on demand (beta) ME2 5.3492E2-5 5.92E-07 1.5858E-03 0.08%16 [PM03A Core Spray CS1 2.2238E-04 1.3095E-03 PM03C] Booster CS2 2.2238E404 6.0443E-05 Pumps CS3 2.2238E-04 5.9520E-05 (beta) CS4 2.2238E-04 O.OOOOE+00 I CS6 2.2238E-04 1.0243E-05 1.4398E-03 0.07%CCF-BE.XLSP Page 2 9/10/93 A1-ACHMENT I Common Cause Failure Importance Report I __Top 50 Common Cause Events)No. CCF Event CCF Event Spilt CCF Event Basic Event Total Event Normalized Total Name Description Fractions Value Importance Importance Event Importance 17 (PMO1B Core Spray CS1 1.3939E-04 8.2465E-04 PM01 Di Main CS2 1.3989E-04 3.7878E405 Pumps CS3 1.3939E 04 4.5117E-05 (beta) CS4 1.3939E-04 0.0000E +00 CS6 1.3939E.04 7.7728E-06 CS7 1.3939E-04 4.4385E-04 CSS 1.3939E-04 5.7372E09 1.3593E-03 0.07%18 [PM01AR DG fuel oil transfer EC2 1.7256E-04 1.0000E.03 PM01BRI pumps fag to run (beta) _ 1.00OOE-03 0.05%19 [PMO1A Core Spray CS1 1.3939E-04 8.2088E-04 PMO1CI Main CS2 1.3939E404 3.7887E-05 Pumps CS3 1.3939E804 3.7308E-05 (beta)- CS4 1.3939E-04 0.0000E+00 CS6 1.3939E-04 6.4206E-06 9.0250-E04 0.05%20 [RLPM1A Core Spray CS1 *1.1845E.06 8.2689E-04 RLPM1B Relays CS2 1.1845E-06 1.5161E-05 RLPM1C (detla) CS3 1.184SE-06 1.4976E-05 RLPM1 D CS4 1.1845E-06 O.OOOOE+00 CS6 1.1845E-06 2.5960E-06 CS7 1.1845E-06 3.7718E-06 CS8 1.1845E-06 4.8755E-1 I 8.6339E-04 0.04%21 tSV591D Containment Vent OVI 5.2712E-05 7.2031E-04 SV595D] solenoid valves fail to open (beta) OV2 5.2712E-05 4.120tE-08 7.203sE-04 0.04%22 [SV591 D Containment Vent OVI 5.2712E-05 7.2031E-04 SV596DJ solenoid valves fail to open (beta) OV2 5.2712E-05 4.1201E-08 7.2035E-04 0.04%23 [SV592D Containment Vent OVI 5.2712E-05 7.2031 E-04 SV595DI solenoid valves fail to open (beta) OV2 5.2712E-05 4.1201 E08 7.2035E-04 0.04%24 [SV592D Containment Vent OV1 5.2712E-05 7.2031 E-04 SV596D0 solenoid valves fail to open (beta) OV2 6.2712E-05 4.1201E-08 7.2035E-04 0.04%25 [PM91AS Uquid Poison 811 5.8549E-04 3.7819E-04 PM91 BS] pumps fall to 512 5.8549E-04 0.0000E+00 start (beta) B13 5.8549E-04 2.3384E-04 B14 5.8549E-04 7.0599E-10 615 5.8549E-04 O.OOOOE + 00 616 5.8549E-04 O.OOOOE+00 6.1203E-04 0.03%CCF.BEI.XLS Page 3 9/10O!93 ATTACHMENT I Common Cause Failure Importance Report (Top 50 Common Cause Events)No. CCF Event CCF Event Split CCF Event j Basic Event Total Event Normalized Total Name Description Fractionl Value l Importance Importance Event Importance 26 fPM91AR Uquid Poison Bl1 5.4740E04 3.5359E-04 PM91BR) pumps fafi to B12 5.4740E-04 O.OOOOE+0O run (beta) 613 5.4740E-04 2.182E-04 B14 5.4740E-04 6.6007E-10 Bl5 5.4740E-04 0.OOOOE+0O

_ B16 5.4740E404 O.OOOOE+00 5.7221 E-04 0.03%27 [RL2730 MSIV actuation MEt 1.6877E-05 5.0015E-04 RL274D) relays fail (beta) ME2 1.6877E-05 1.0025E-08 5.0016E-04 0.03%28 [RL217D MSIV actuation ME1 1.6877E-05 5.0Q1E504 RL218DI relays fail (beta) ME2 1.6877E-45 1.0025E08 5.0016E-04 0.03%29 IRL173D MSIV actuation ME1 1.6877E405 5.0015E-04 RL174DJ relays fail (beta) ME2 1.6877E-05 1.0025E.08 5.0016E-04 0.03%30 [RL1 17D MSIV actuation ME1 1.6877E-05 5.0015E04 RLI1SDI relays fail (beta) ME2 1.68877E05 1.0025E-08 5.0016E-04 0.03%31 [AV092D Core Spray CS1 5.6986E407 3.9781E-04 AVQ93D Minimum Flow CS2 5.6986E-07 7.2939E-06 AV094D Valves CS3 5.6986E-07 7.2051E-06 AV095D] (delta) CS4 5.6986E-07 0.QOOOE+00 CS5 5.6986E-07 2.8696E-07 CS6 5.6986E.07 1 .2489E-06 CS7 5.6986E07 1.81 46E-06_ CS8 5.6986E-07 2.3455E-1 1 4.1 566E04 0.02%32 [PV18AD EMRV failure AD6 2.9005E05 O.QOQOE+0Q PV1SBD to open AD2 2.9005E-05 5.4327E-06 PVI8CD (delta) AD3 2.9005E405 3.6930E-04 PV18DD AD4 2.9005E405 2.9106E-05 PV18EDI AD5 2.9005E-45 3.0611 E-10 4.0384E-04 0.02%33 [PV18AD EMRV failure AD6 3.3934E-04 O.OOOOE+00 PVISBD) to open AD2 3.3934E 04 4.0431E.06 (beta) AD3 3.3934E404 2.6651 E04 AD4 3.3934E-04 2.100SE-05 ADS 3.3934E-04 2.2091E-10 2.9156E-04 0.02%34 [PV18AD EMRV failure AD6 3.3934E-04 0.0000E + 00 PVISCD] to open AD2 3.3934E-04 4.0277E.06 (beta) AD3 3.3934E-04 2.6651 E-04 AD4 3.3934E-04 2.1005E405 AD5 3.3934E04 2.2091E-10 2.9155E-04 0.02%CCF.BEI.XLS Page 4 9/10/93 ATTACHMENT I Common Cause Failure Importance Report (Top 60 Common Cause Events)No. CCF Event CCF Event Split lCCF Event Basic Event Total Event Normalized Total Name Descfiption Fractionsj Value Importance Importance Event Importance 35 [PV1SAD EMRV failure AD6 3.3934E-04 O.OOOOE+00 PV18EDJ to open AD2 3.3934E.04 4.0277E406 (beta) AD3 3.3934E-04 2.6661E-04 AD4 3.3934E04 2.1005E-05 AD5 3.3934E04 2.2091E-10 2.9155E 04 0.02%36 [PV18BD EMRV failure AD6 3.3934E04 0.0000E+00 PV18CD] to open AD2 3.3934E404 4.0124E-06 (beta) AD3 3.3934E-04 2.6651E-04 AD4 3.3934E-04 2.1006E-05

_ ADS 3.3934E.04 2.2091E-10 2.9153E04 0.02%37 [PV188D EMRV failure AD6 3.3934E-04 0.OOOOE+00 PV18ED] to open AD2 3.3934E-04 4.0124E-06 (beta) AD3 3.3934E-04 2.6651E-04 AD4 3.3934E-04 2.1005E-05 ADS 3.3934E-04 2.2091E-10 2.9153E.04 0.02%38 [PV18CD EMRV failure AD6- 3.3934E-04 0.0000E+00 PV18ED] to open AD2 3.3934E-04 3.9972E-06 (beta) AD3 -3.3934E04 2.6651E-04 AD4 3.3934E04 2.100SE-05

_ ADS 3.3934E-04 2.2091 E-10 2.9151 E-04 0.02%39 [PV18AD EMRV failure AD6 33934E-04 O.OOOOE+00 PV18DD] to open AD2 3.3934E-04 4.0463E^06 (beta) AD3 3.3934E-04 2.6464E-04 AD4 3.3934E-04 2.0857E-05 ADS 3.3934E-04 2.1936E-10 2.8954E.04 0.02%40 [PV18CD EMRV failure AD6 3.3934E-04 O.OOOOE+00 PV18DDj to open AD2 3.3934E-04 4.0155E-06 (beta) AD3 3.3934E-04 2.6464E-04 A04 3.3934E-04 2.0857E-05 ADS 3.3934E-04 2.1936E-10 2.8951 E04 0.02%41 [PV18DD EMRV failure AD6 3.3934E-04 O.OOOOE + 00 PV18ED] to open AD2 3.3934E-04 4.0155E-06 (beta) AD3 3.3934E-04 2.6464E-04 AD4 3.3934E-04 2.0857E-05 ADS 3.3934E-04 2.1936E-10 2.8951E-04 0.02%42 [PV1 8BD EMRV failure AD6 3.3934E-04 0.OOOQE+00 PV18DD3 to open AD2 3.3934E-04 4.0004E-06 (beta) AD3 3.3934E-04 2.6464E-04 AD4 3.3934E 04 2.0857E05_ ADS 3.3934E-04 2.1936E-10 2.8950E-04 0.02%CCF-BEI.XLS Page 5 9/10/93 i ArrACHMENT 1 Common Cause Failure Importance Report_ (Top 50 Common Cause Events)No. CCF Event CCF Event Split jCF Event Basic Event Total Event Normalized Total Name Description Fractions Value Importance Importance Event Importance

_. _ = c_43 [PM03C Core Spray CS1 2.2238E04 7.4828E-05 PMO3D] Booster CS2 2.2238E-04 6.0443E-05 Pumps CS3 2.223SE-04 7.1979E-05 (beta) CS4 2.2238E-04 Q.OOQOE+0Q CS6 22238E-04 1.2401 E-05 CS7 2.2238E-04 6.2783E-06 CS8 2.2238E04 9.1533E-09 2.2594E-04 0.01%44 [PM03A Core Spray CS1 2.2238E04 6.8337E-05 PM0381 Booster CS2 2.2238E404 6.0429E-05 Pumps CS3 2.2238E-04 5.9520E05 (beta) CS4 2.2238E-04 0.0000E+00 CS6 2.2238E-04 1 .0243E-05_ CS7 2.2238E-04 6.2747E-06 2.0481 E-04 0.01%45 [MVo21 Core Spray CS1 2.0784E-05 1.2296E-04 MV0411 Parallel Isolation CS2 2.0784E-05 5.6478E-06 Valves CS3 2.0784E-05 6.7272E-06 (beta) CS4 2.0784E-05 0.OOOOE+00 CSS 2.0784E-05 7.6281 E-09 CS6 2.0784E-05 1.1590E-06 CS7 2.0784E-05 6.6184E-05

.CS088 2.0784E-05 8.5548E-10 2.0269E-04 0.01%46 [PDOO1R Diesel Fire Pumps FP1 5.9388E-05 0.0000E+00 PD002R1 fail to run (beta) FP2 5.9388E-05 1.7912E-04 1.7912E-04 0.01%47 [PV18AD EMRV failure AD6 1.2187E-05 0.0000E+00 PV1 8BD to open AD2 1.21 87E-05 2.2826E-06 PV1i8CD (gamma) AD3 1.2187E-05 1.5517E-04 AD4 1.2187E-05 1.2229E-05 ADS 1.2187E-05 1.2862E-10 1.6968E-04 0.01%48 [PV18AD EMRV failure AD6 1.21 87E-05 0.0000E + 00 PV18BD to open AD2 1.21 87E-05 2.2826E-06 PV18DDj (gamma) AD3 1.2187E-05 1.5517E-04 , AD4 1.21 87E-05 1.2229E-05 AD5 1.2187E-05 1.2862E-10 1.6968E-04 0.01%49 [PV18AD EMRV failure AD6 1.2187E-05 0.0000O+00 PV18BD to open AD2 1.21 87E-05 2.2826E-06 PV18ED] (gamma) AD3 1.2187E-05 1.5517E-04 AD4 1.2187E-05 1.2229E-05 ADS 1.2187E-05 1.2862E-10 1.6968E-04 0.01%So [PV18AD EMRV failure AD6 1.2187E-05 0.0000E+00 PV18CD to open AD2 1.2187E-05 2.2826E-06 PV18DD] (gamma) AD3 1.2187E-05 1.5517E-04 AD4 1.21 87E-05 1.2229E-05

_ ADS 1.2187E-05 1.2862E-10 1.6968E-04 0.01%CCF.BEI.XLS Page 6 9/10/93 ATTACHMENT 2 OCPRA SUCCESS CRITERIA

SUMMARY

SUCCESS CRITERIA

SUMMARY

This attachment provides the OCPRA Level 1 success criteria in summary format. Detailed success criteria or the specific application of the criteria in the logic model are available in OCPRA Section 8. It should be noted that the success criteria provided gives the systems and functions required for successful mitigation of transients and LOCAs in the plant model logic. Any sequence of events which do not meet the requirements of success are assigned to core damage. For organizational and presentation purposes the success criteria are grouped and presented In the following tables.General Transient Success Criteria Page 2 (Initiators EPRH, PLOFW, RT, TT)General Transient (Loss of Main Heat Sink) Success Criteria Page 3 (Initiators CMSIV, LOLA, EPRL, LOCV, LOCW, LOFW and LOSP)Loss of Feedwater Control (RPV High Level) Success Criteria Page 6 (Initiator LOFC)ATWS Success Criteria Page 8 (Any Initiator and Top event RS Failure)Small LOCA Inside Containment Success Criteria Page 10 (Initiators SAI, IEMRV and S BI)Small LOCAs Above Core and Outside Containment Success Criteria Page 12 (Initiators SAOIC, SAOTB and SAORB)Small LOCAs Below Core and Outside Containment Success Criteria Page 13 (Initiator SBO)Large LOCAs Above Core and Inside Containment Success Criteria Page 14 (Initiators IADS, LAIMS and LAICS)Large LOCAs Below Core Success Criteria Page 14 (Initators LBI and LBIO)Large LOCA (Initator LAOMS) Success; Criteria Page 15 Large LOCA (Initiator LAOIC) Success Criteria Page 15 1 l General Transient Success Criteria Applies to EPRH, PLOFW, RT and TTRIP Initiating Events Function System Success Criteria Basis / Comments Required Reactor 125 or more control rods Reference F.6-8, 'Hot Zero Power Criticality Calculation".

Mitigation Trip insert Reactor scram failure transfers to the ATWS success criteria.RPV Level RPV Level Control Prevents RPV high water level excursion.

Level control failure Control results In a transfer to LOFC success criteria.SDV Isolation 2 of 2 SDVs Isolate Scram Discharge volume required to Isolate to prevent loss of coolant.AND Path 1 Mitigation Feedwater 1 of 3 Feedwater Pumps 5000 gpm -in excess of decay heat (UFSAR section 10.4.7).Path 1 T 2 of 9 nTBV oU eato ' Thie pt mods th mode!. fha normal crondootrn, To arbine Feedwater Bypass bypass valves must operate and control pressure.

In addition and all supports of TBV operation are required such as circ water, Turbine condenser vacuum. If these supports fall, transient success Bypass criteria Is as provided on loss of main heat sink.and Steam Relief 2 of 5 EMRVs open Relief valves required to open provided in reference 7-13, Steam Relief or "OCPRA: Opening EMRVs and Safety Valves". Conservatively 4 safety valves open all 2 of 2 EMRVs and 4 of 4 safety valves are required to close and to prevent drywell heatup and Inventory loss.2 of 2 EMRVs close or 4 of 4 safety valves close NOTE: Loss of the turbine bypass supports (circ water or condenser) results In Isolation transient (Loss of main heat sink) and utilizes those success criteria.2 General Transient (Loss of Main Heat Sink) Success Criteria Applies to CMSIV, LOIA, EPRL, LOCV, LOCW and LOFW Initiating Events Function System Success Criteria Basis / Comments Required Reactor 125 or more control rods insert Reference F.6-8, "Hot Zero Power Criticality Calculation".

Mitigation Protection Reactor scram failure transfers to the ATWS success criteria.RPV level RPV Water Level Control Prevents RPV high water level excursion.

Reactor level control control failure transfers to the LOFC success criteria.AND (Paths I or 2 or 3)Mitigation Isolation 1 of 2 ICs (with shell side Decay heat removal using isolation condensers (3.9% of Path 1 condenser makeup) rated thermal power, UFSAR section 6.3.1.1.3) with long term shell side makeup.Isolation S eam Re!'s! A W 6 EIADoI ° r^Re:l e valves required to opuir provieuU in reference 7-13, and or "OCPRA: Opening EMRVs and Safety Valves".Steam Relief 4 safety valves open Conservatively all 5 of 5 EMRVs and 4 of 4 safety valves are and and required to close.SDV Isolation All open EMRVs close and and MS Isolation All open safeties close SDV Isolation 2 of 2 SDVs Isolate SDV Isolation Prevents RPV inventory losses.Main Steam 1 of 2 MSIVs (in each Isolation condenser used for decay heat removal. MSIV Isolation steamline) close closure limits Inventory loss.OR 3

  • 1I General Transient (Loss of Main Heat Sink) Success Criteria Applies to CMSIV, LOIA, EPRL, LOCV, LOCW and LOFW Initiating Events Function l System u Succss Criteria I Basis / Comments Mitigation Isolation 1 of 2 Isolation Condensers Isolation Condensers used as short term decay heat Path 2 Condenser removal (3.9% of rated thermal power, UFSAR 6.3.1.1.3) path until CRD flow matches decay heat levels.Isolation Condenser CRD 1 of 2 pumps Long term makeup for decay heat removal through EMRVs and to containment.

CRD Steam Relief 4 of 5 EMRVs open Relief valves required to open provided In reference 7-13, and or , OCPRA: Opening EMRVs and Safety Valves".Steam Relief 4 safety valves open Conservatively all 5 of 5 EMRVs and 4 of 4 safety valves are and and required to close.Containment All open EMRVs close Want Ramnva! a.d All open safeties close SDV Isolation 2 of 2 SDVs isolate SDV isolation prevents RPV Inventory losses.Main Steam 1 of 2 MSIVs (in each Isolation condenser used for decay heat removal. MSIV Isolation steamline) close closure limits inventory loss.Containment 1 of 2 containment spray trains 1 of 2 containment spray trains sufficient (UFSAR, Section Heat or 6.2.2.2).

Containment vent sized to remove 1% decay heat Removal Containment Vent and directed by EOPs (UFSAR, Section 6.2.7). 1 of 3 SDC or trains sufficient for decay heat removal and is the system 1 of 3 trains of SDC design (USFAR 5.4.7 and OCPRA Appendix B.4).OR 4 General Transient (Loss of Main Heat Sink) Success Criteria Applies to CMSIV, LOIA, EPRt, LOCV, LOCW and LOFW Initiating Events Function System Success Criteria [ Basis / Comments Mitigation Feedwater 1 of 3 feedwater pumps Each source provides sufficient RPV Inventory makeup for Path 3 Conoensate or decay heat removal. Feedwater provides 5000 gpm of RPV Core Spray ADS (3 or more EMRVs) makeup, USFAR 10.4.7 (not applicable to the LOFW RPV Inventory and initiating event). Automatic depressurization required for low , and 1 of 3 condensate pumps pressure sources (condensate and core spray). ADS Steam Relief or success criteria provided by references UFSAR Table 15.6-2 and I main and 1 booster Core and EOP step DEP-1.4. Core spray (one main and one Containment spray pumps booster pump) success criteria from references F.10-16, Heat Removal F.10-17 and UFSAR page 6.3-2. Long term core spray success requires fire protection Injection for makeup to torus. SDV Isolation not required since Injection sources have Iona term makeup cnpabllity.

Steam 4 of 5 EMRVs open Relief valves required to open provided In reference 7-13, Relief or OCPRA: Opening EMRVs and Safety Valves". 5 of 5 4 safety valves open EMRVs and 4 of 4 safety valves are required to close.and All open EMRVs close and All open safeties close Containment 1 of 2 containment spray trains 1 of 2 containment spray trains sufficient (UFSAR, Section Heat or 6.2.2.2).

Containment vent sized to remove 1% decay heat Removal Containment Vent and directed by EOPs (UFSAR, Section 6.2.7). 1 of 3 SDC or trains sufficient for decay heat removal and is the system 1 of 3 trains of SDC design (USFAR 5.4.7 and OCPRA Appendix B.4).NOTE: Loss of ofisite power with failure of both diesel generators (station blackout) requires either restoration of power within one hour (OCPRA, Appendix B.1) or only success path 1 applies (i.e., Independent of AC power).5 l Loss of Feedwater Control (High RPV Water Level) Success CrIteria Applies to LOFC Initlating Event Only Function System Success Criteria Basis / Comments Required Reactor 125 or more control rods Insert Reference F.6-8, Hot Zero Power Criticality Calculation".

Mitigation Protection Reactor scram failure transfers to the ATWS success criteria.AND (Paths 1 or 2 or 3 or 4)Mitiation Operator Operators regain control of Following the failure of feedwater flow control operators Path 1 Action feedwater manually reduce feedwater flow. Success of this event Feedwater transfers to the general transient logic.Control OR Mltinatkon I Main I FAILURE of 2 of 2 MSIVs I High level excursion results In steam/water carryover Into Path 2 Steam In either steamlinp main steam lines. Main steamline break In turbine building Isolation or ' assumed to occur. Feedwater and core spray assumed to MS Isolation Failure FAILURE of 2 of 2 IC mitigate Induced LOCA. See also LAOMS (MSIV failure) or FAILURE Isolation Valves LAOIC (IC Isolation valve failure) success criteria.and In either IC ADS ADS 3 or more EMRVs open References USFAR Table 15.6-2 and EOP Step DEP-1.4.and Core Spray and Containment Core Spray 1 main and 1 booster pump Core spray success criteria provided In references F.10-16, Spray F.10-17 and UFSAR page 6.2-3.Containment 1 of 2 Containment Spray Trains Ultimate heat sink. USFAR Section 6.2.2.2.Spray OR 6 Loss of Feedwater Control (H~igh RPV Water Level) Success Critaria Applies to LOFC Initlating Event Only Function System Success Criteria Basis Comments Mitigation Main I of 2 MSIVs (both steamlines) close Isolates level excursion to RPV piping Inside containment.

Path 3 Steam Isolation and MS Isolation i IC steamline isolation and Feedwater 1 of 3 feedwater pumps 5000 gpm of high pressure makeup. (UFSAR 10.4.7)Steam Relief and Steam 4 of 5 EMRVs open Relief valves required to open provided In reference 7-13, C^ O,4 v .. ^ ~ 1 N*f~fl A. 1- I&Arnffl.

---A %a~ e,-ar --.. __.F w 'VU-t.1r %.# ...... 9u mnva Uma Sutel; Vailvwa. "Unule VUiVU3 or are assumed not to close and result In an Induced above and core LOCA Inside containment.

4 safety valves open Heat Removal Containment 1 of 2 Containment Spray pumps 1 of 2 containment spray trains sufficient (UFSAR Section Heat 6.2.2.2).

Containment vent sized to remove 1% decay heat Removal or and directed by EOPs (UFSAR Section 6.2.7). 1 of 3 SDC trains sufficient for decay heat removal and Is the system Containment Vent design (UFSAR section 5.4.7 and OCPRA Appendix 6.4).or 1 of 3 SDC Trains OR 7 Loss of Feedwater Control (High RPV Water Level) Success Criteria Applies to LOFC InItlating Event Only Function System Success Criteria Basis Comments Mitigation Steam Less than 4 EMRVs open Assumed to Induce a small or large break LOCA Inside Path 4 Relief containment.

Failure or Steam Relief i Less than 4 safety valves open and Containment 1 of 2 MSIVs (both steamlines) close Prevents Inventory loss outside primary containment Containment soltonand Isolation and _IC steamline isolation RF: 4autf .II we %J uWa;Uu puo1p1 redwaier -6uw gpm of high pressure makeup (small RPV Injection break) UFSAR 10.4.7 and core spray for low pressure and makeup (large break). One main and one booster pump and success criteria provided by references F.10-16. F.10-17 and 1 main and 1 booster CS pump UFSAR page 6.3-2.Containment Spray Containment 1 of 2 Containment Spray Trains USFAR Section 6.2.2.2.Spray 8 ATWS SUCCESS CRITERIA Function System Success Criteria Basis Comments Recirculation Sof 5 pumps trip TDR-671 -RELAP5 OC ATWS Analysis".

Reduces reactor Required Pump Trip (RPT) power from 100% to about 40%.ATWS Mitigation Uquid poison 1 of 2 pump trains UFSAR Section 9.3.5. Full power ATWS assumed.Functions (boron) injection i AND (Path 1 or 2 or 3)Mitigation Feedwater 1 of 3 feedwater pumps UFSAR section 10.4.7.(PATH 1)I.Feedwater Turbine Bypass 9 of 9 turbine bypass valves open Removes 40% of reactor nower 1IJFSAR *seCin 10.4.4'.and Turbine Bypass Steam Relief 4 of 5 EMRVs open Relieves 32% of reactor power (40% for all 5). UFSAR and section 5.2.2. Main steam relief Is only required until and reactor power Is less than turbine bypass capacity, Steam Relieffollowing recirc. pump trip.4 safety valves open or 8 safety valves open (after EMRV Failure)OR 9

___________

ATWS SUCCESS CRITERIA Function System Success Criteria Basis / Comments Operator Actions EOP Actions EOP required actions. TDR-671 --RELAP5 OC ATWS Mitigation Analysis".

PATH 2 Steam Relief 8 safety valves open Power mismatch until IC or CC heat removal Is adequate.One EMRV Is adequate for decay heat after shutdown.Level Control__apd Feedwater 1 of 3 feedwater pumps UFSAR Section 10.4.7. RPV makeup.Feedwater and Containment Main and backup pumps operate Maximum heat removal until reactor shutdown.

Heat Steam Relief Spray removal for FW/SO path.and Cont. Spray or Isolation Both ICs actuate, shell side USFAR Section 6.3.1.1.3.

Iso Cond Condenser makeup available OR Mitigation Operator Actions EOP Actions EOP required actions. TDR-671 -RELAP5 OC AiWS PATH 3 Analysis".Level Control Steam Relief 4 of 5 EMRVs open Relieves 32% of reactor power (40% for all 5). UFSAR and and section 5.2.2. Main steam relief Is only required until Steam Relief 4 safety valves open reactor power Isolation condenser heat removal ador capacity.aond 8 safety valves open IsoCond with CRD IC Both ICs actuate UFSAR Section 6.3.1.1.3.

makeup CRD Hydraulic 1 of 2 trains Makeup until reactor power below IC capability 10 I_______ Small Breaks Inside Containment (SAI, IEMRV, SBI)Function System Success Criteria Basis / Comments Required Reactor 125 or more control rods Insert Reference F.6-8, "Hot Zero Power Criticality Calculation".

Mitigation Protection No credit for simultaneous LOCA and ATWS mitigation.

AND (Path 1 or 2 or 3)Mitigation Feedwater 1 of 3 pumps run Each pump train delivers approx. 5000 gpm and Is In IPath I excess of small LOCA Inventory loss (UFSAR Section 10.4.7).Feedwater and Containment 1 of 2 Containment Spray Pumps 1 of 2 containment spray trains sufficient (UFSAR, Containment Heat or Section 6.2.2.2).

Containment vent sized to remove 1%Heat Removal Containment Venting decay heat and directed by EOPs (UFSAR, Section Removal or 6.2.7). 1 of 3 SDC trains sufficient for dn cy haet I1 of 3 trains of Shutdown cooling removal and Is the system design (USFAR 5.4.7 and._OCPRA Appendix 6.4).OR Mitigation Core Spray 1 main and 1 booster pump One main and one booster pump as per reference F.10-Path 2 16, F.10-17 and UFSAR page 6.3-2.Core Spray ADS 3 EMRVs open References EOP step DEP-1.4, UFSAR Table 15.6-2.and ADS and Containment Containment 1 of 2 Containment Spray Trains Sufficient for design basis as well as small LOCA Spray Spray containment heat removal. Maintains NPSH for core spray. UFSAR Section 6.2.2.2.11

  • 1I Small Breaks Inside Containment (SAI, IEMRV, SBI)Function System Success Criteria Basis I Comments OR Mitigation Condensate 1 of 3 pumps 5000 gpm capacity In excess of small LOCA Inventory Path 3 loss.Cndensate DS 3 EMRVs open .References EOP step DEP-1.4, UFSAR Table 15.6-2.and ADS and Containment Containment 1 of 2 Containment Spray Pumps I of 2 containment spray trains sufficient (UFSAR, Heat Heat or Section 6.2.2.2).

Containment vent sized to remove 1%Removal Removal Operator vents containment decay heat and directed by EOPs (UFSAR, Section or 6.2.71. 1 of 3 SDC trains suffldlant for decay heat 1 of 3 trains of shutdowq cooling removal and Is the system design (USFAR 5.4.7 and I___OCPRA Appendix B.4).12 Small Above Core Breaks Outside Containment (SAOIC, SAOTB. SAORB) S Function System Success Criteria Basis / Comment Required Reactor 125 or more control rods insert Reference F.6"8, "Hot Zero Power Criticality Calculation".

Mitigation Protectlon No credit taken for simultaneous LOCA and ATWS mitigation.

AND (Path 1 or 2 or 3)Mitigation Feedwater 1 of 3 pumps Feedwater system provides approx. 5000 gpm which Is In Path I excess of small LOCA capacity (UFSAR 10.4.7). CST provides long term makeup.Feedwater OR Mitigation Core Spray I main and I booster pump Core spray (one main and one booster pump) success Path 2 criteria from References F.10-16, F.10-17 and UFSAR ,_ page 6.3-2. Fire protection provides long term makeup.Core Spray ADS 3 EMRVs open Reference UFSAR Table 15.6-2 and EOP step DEP-1.4.ADS and Containment Containment 1 of 2 Containment Spray trains Containment spray or vent required since ADS discharges Heat Removal Heat or decay heat to containment.

1 of 2 containment spray Removal Containment Vent pumps UFSAR section 6.2.2.2. Containment vent sized to remove 1% decay heat and directed by EOPs (UFSAR section 6.2.7). Fire protection for long term makeup.13 Small Above Core Breaks Outside Containment (SAOIC, SAOTB, AORB) Suess Criria --l~~~~! ... t, ...........

Function System Success Criteria Basis / Comment OR Mitgation Condensate I of 3 pumps Condensate provides approx. 5000 gpm which Is In Path 4 excess of small break Inventory losses.Condensate ADS 3 EMRVs open Reference UFSAR Table 15.6-2 and EOP step DEP-1.4.and ADS and Containment 1 of 2 Containment Spray tralns Containment spray or vent required since ADS discharges Containment Heat or decay heat to containment.

1 of 2 containment spray Heat Removal Removal Containment Vent pumps UFSAR section 6.2.2.2. Containment vent sized to remove 1% decay heat and directed by EOPs (USFAR Section 6.2.7). CST sufficient for long term makeup.Small Below Core and Outside Containment (SBO) Success Cr1itria Function System Success Criteria Basis / Comment RPS 125 or more control rods Reference F.6-8, "Hot Zero Power Criticality Mitigation Insert Calculation'.

NO credit taken for mitigation of Path simultaneous LOCA and ATWS.Core Spray Core Spray 1 main and 1 booster pump References F.1 0-16, F.10-17 and UFSAR, page 6.2-3.and Fire protection provides long term makeup.ADS ADS 3 EMRVs open References EOP step DEP-1.4, UFSAR Table 15.6-2.-14 e C Bi Large Above Core Breaks Inside Containment PADS, LIJMSO LAICS) Success Criteria.

.Function System Success Criteria Basis / Comments Required RPS 125 or more control rods fleference F.6-8, "Hot Zero Power Criticality Calculation".

No Mitigation Insert credit taken for simultaneous mitigation of LOCA and ATWS.RPV 1 main and 1 booster Core spray success criteria given In refences F.10-16, F.10-Core Spray Inventory pump in either system 17 and UFSAR page 6.3-2. Core spray success (with (system 1 for LAICS) containment spray failure) requires makeup to the torus from and or fire protection.

Condensate provides 5000 gpm and since i Iof 3 condensate pumps break Is above core and reflood Is possible consider success Containment (in excess of core spray flow).Heat Containment 1 of 2 Containment Spray 1 of 2 containment spray trains sufficient (UFSAR, Section Heat or 6.2.2.2).

Containment vent sized to remove 1% decay heat Removal Removal Containment Vent and directed by EOPs (UFSAR, Section 6.2.7).Large Below Core LOCAs Success Criteria (LBI Design Basis- and 610- RBEDT Failure)-Function System [S ccess Criteria Basis / Comments Core Spray I main and 1 booster pump Core Spray success criteria per reference F.10-16, Core spray F.10-17 and UFSAR page 6.3-2. Long term makeup and from fire protection required when vent Is used for Containment containment heat removal.Heat Removal Containment 1 of 2 Containment Spray trains 1 of 2 containment spray trains sufficient (UFSAR, Heat or Section 6.2.2.2).

Containment vent sized to remove Removal Containment Vent 1% decay heat and directed by EOPs (UFSAR, Section 6.2.7).NOTE: Large below core Inside and to the RBEDT (event LBIO) requires successful reactor protection system since It is conservatively assumed that Insufficient voids will be created to prevent criticality.

15 Large Main Steamline Break Outdide Containmen OMS)l Function System Success Criteria Basis / Comments LAO MS RPS 125 or more control rods Reference F.6-8, "Hot Zero Power Criticality Mitigation Insert Calculation".

No credit taken for simultaneous Path LOCA and ATWS mitigation.

Core Spray Core Spray 1 main and 1 booster pump Steamline break allows reflood. Fire protection provides long term makeup. Core spray success criteria per reference F.10-16, F.10-17, and UFSAR page 6.3-2.Large IC Steamilne Break Outside Containment (LAOIC)Function System Success Criteria Basis / Comments LAOIC RPS 125 or more control rods Reference F.6-8, 'Hot Zero Power Criticality Mitigation insert Calculation".

No credit taken for simultaneous Path LOCA and ATWS mitigation.

Condensate Condensate 1 of 3 pumps Break location allows reflood. Long term makeup from CST sufficient for sate shutdown.16

Retrieved from "https://kanterella.com/w/index.php?title=ML060550290&oldid=1155499"