ML100980155

Responses to Requests for Additional Information Regarding Technical Specifications (TSs) Change TS-468 - Request to Extend Completion Time for TS 3.8.1 Required Action B.4 - Emergency Diesel Generators A, B, C, D, 3A, 3B, 3C, and 3D
ML100980155
Person / Time
Site: Browns Ferry
Issue date: 04/05/2010
From: Krich R
Tennessee Valley Authority
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
TVA-BFN-TS-468


Text

Tennessee Valley Authority
1101 Market Street, LP 3R
Chattanooga, Tennessee 37402-2801

R. M. Krich
Vice President
Nuclear Licensing

April 5, 2010

10 CFR 50.90
TVA-BFN-TS-468

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, D.C. 20555-0001

Browns Ferry Nuclear Plant, Units 1, 2, and 3
Facility Operating License Nos. DPR-33, DPR-52, and DPR-68
NRC Docket Nos. 50-259, 50-260, and 50-296

Subject: Responses to Requests for Additional Information Regarding Technical Specifications (TSs) Change TS-468 - Request to Extend Completion Time for TS 3.8.1 Required Action B.4 - Emergency Diesel Generators A, B, C, D, 3A, 3B, 3C, and 3D

This letter is in response to a March 23, 2010 request for additional information regarding the proposed Technical Specifications (TSs) Change 468 for Browns Ferry Nuclear Plant Units 1, 2, and 3. The proposed change, which was submitted on February 18, 2010, revises the completion time for TS 3.8.1 Required Action B.4 for Unit 1 and 2 Emergency Diesel Generators (EDGs) A, B, C, and D; and Unit 3 EDGs 3A, 3B, 3C, and 3D.

The proposed change included a Probabilistic Risk Assessment (PRA) to support Tennessee Valley Authority's request to extend the proposed revised completion time for TS 3.8.1. During NRC's review of the proposed change, it was determined that additional information was required by the NRC staff in order to complete their evaluation.

Specifically, NRC requested the dispositions for the PRA peer review findings.

Subsequent to the March 23 request, NRC requested an electrical one-line drawing showing the electrical distribution system down to the 480V level. Enclosures 1 and 2 provide the requested information.

There are no new regulatory commitments associated with this submittal. Please direct any questions concerning this matter to Terry Cribbe at (423) 751-3850.

I declare under penalty of perjury that the foregoing is true and correct. Executed on April 5, 2010.

Respectfully, R. M. Krich

Enclosures:

1. Disposition of Peer Review Findings for the PRA
2. Electrical Distribution System, Unit 0, Browns Ferry Nuclear Plant

cc (Enclosures):

NRC Regional Administrator - Region II
NRC Senior Resident Inspector - Browns Ferry Nuclear Plant
State Health Officer - Alabama Department of Public Health

RCB:TEC:RMK

ENCLOSURE 1

Browns Ferry Nuclear Plant, Units 1, 2, and 3

Technical Specifications (TS) Change 468

DISPOSITION OF PEER REVIEW FINDINGS FOR THE PRA

1-12

Finding: Several examples found for lack of engineering analyses regarding HVAC that could be justified by calcs. Condensate System Notebook (SY.01) assumes active ventilation is not required due to plant experience. Core Spray System Notebook (SY.04) assumes keep-fill system is not required. HPCI System Notebook (SY.07) assumes dependence on quad cooling for the remaining 20 hours of post accident operation.

Basis for Significance: The SR expects that engineering analyses will be performed to determine whether these statements are correct.

Possible Resolution: Perform analyses to validate these statements.

Disposition: Keep fill systems are monitored daily by operations. They are alarmed so failures of these systems are detected and corrected in a timely manner. Based on this, an assumption is made that these systems are properly charged with water at the time of an initiator. Based on operator interviews, no system has a leakage great enough to create a water hammer condition should its keep fill system fail after the scram. The only exception to this is the potential drain down of the RHR loop if it is being used for SPC and a LOSP occurs. This condition is already modeled and discussed in the RHR notebook. Calculations are not needed for these systems. The assumptions section for each applicable SY notebook was changed to reflect the above. The operator interview was placed in the RHR, Core Spray, HPCI, RCIC and RHRSW system notebooks.

A consensus model is not available to guide the HVAC dependency issues. The intent of SY-B6 is to make sure adequate analysis exists to support removing modeled dependencies from systems. It is not the intent of SY-B6, or the ASME standard for that matter, to establish what analysis is needed to support plant operations and design. In the case of HVAC, adequate plant specific analysis is not available to remove room cooling dependencies from most equipment. Room heat-up calculations may be available, but realistic (non-EQ) equipment failure temperatures are not available. This situation is shared by many plants in the industry. The BFN model took the conservative approach and required an HVAC dependency for all equipment that could not be reasonably argued to not have the dependency.

The condensate and condensate booster pumps are not located in a room per se. They are in a long corridor that is continually open to the turbine building environment. These pumps have cooling air from fans ducted directly on the pumps. The system engineers and operators were interviewed and stated plant operational experience showed these pumps would operate for an extended length of time without that forced cooling. They concluded the pumps would survive for 24 hours without forced cooling. An engineering analysis supporting a PRA model does not have to be a calculation and can be either quantitative or qualitative. In this case, this conclusion was based on a qualitative analysis that included plant walkdowns, expert opinion from both operators and engineers, and past plant operating experience. This is considered to be an acceptable analysis for the purpose of the BFN PRA model. The condensate SY notebook was embellished to more clearly reflect the above.

Finding: Generic unavailabilities are used for two groups of components but there is no justification provided regarding the consistency of the data with BFN T&M philosophies.

It is required by the SR that the use of generic unavailabilities be accompanied by a justification that the data is consistent with the T&M philosophies of the plant.

Possible Resolution: Provide a discussion of the consistency of the data with the plant T&M philosophies.

Disposition: The data analysis notebook section 6.1.5, Generic Industry Data, which states "NUREG/CR-6928 (Reference 7) is used as the primary source of data for component failure data because it is the most recent available data and is based on a significant effort to trend and develop such distributions. The uncertainty distribution types used in this source are the beta distribution for demand failure probabilities (per demand) and the gamma distribution for failure rate probabilities (per hour). These distributions are inputs to the CAFTA model reliability database using the mean from Reference 7 and a calculated variance of the beta and gamma distributions from Reference 7. Table 4 provides the generic industry data used in the BFN PRA and their assigned type codes. The type code maintenance process using the BFN database is described in Reference 11."

This discussion is addressed further in section 6.2 Component UA Data in the Data notebook. Section 6.2.6, Generic Unavailability Data, states "The unavailabilities of some components that do not have plant-specific data available were estimated from NUREG/CR-6928 (Reference 7). These events fall into two categories. The first category includes buses, distribution boards and distribution panels and uses the unavailability labeled "BAC-TM" in Table 6-1 of NUREG/CR-6928 (Reference 7). The second category includes battery chargers and uses the unavailability labeled "BCH-TM" in Table 6-1 of Reference 7. These unavailabilities are presented in Table 9 along with the lognormal error factor that is provided in Table 6-1 of Reference 7."

The two groups, BAC-TM & BCH-TM, require further justification that BFN T&M philosophies are consistent with the NUREG/CR-6928. NUREG/CR-6928 Table 6-1, Train UA data and results, defines BAC-TM as "Bus (AC) Test or Maintenance" and BCH-TM as "Battery Charger Test or Maintenance". NUREG states that "Component/train UA is the probability that the component or train is unavailable to perform its safety function because of test or maintenance (TM) outages." The definition of "availability" and "unavailability" as used in the Maintenance Rule implementation is considered consistent allowing its use in the Data Analysis Notebook in Table 9. O-TI-346, Maintenance Rule Performance Indicator Monitoring, Trending, and Reporting - 10CFR50.65, is in compliance with NUMARC 93-01.

1-15

Finding: There is no discussion of the screening process that is performed (per staff input), i.e., the rationale is not justified.

Basis for Significance: The process for screening of raw failure information is not documented. It is accomplished according to staff discussion but no justification is provided as required by this SR.

Possible Resolution: Provide a description for the screening process used in the evaluation of raw failure data.

Disposition: Additional discussion related to screening process for raw data was added to section 6.1.6 of Data notebook.

1-17

Finding: Reviewed DA.01. The source of demands is not discussed. Based upon discussions with the PRA staff, exposure is collected directly from plant data systems and is therefore actual component exposure. However, post-maintenance testing demands are also included in these numbers and are not removed.

Basis for Significance: Post-maintenance testing must be excluded from the exposure data per the SR.

Possible Resolution: Develop a means of identifying the post-maintenance related exposure and remove them from the data calculations.

Disposition: As it stands the ability to remove post maintenance testing (PMT) from the database would require a massive re-tool of the database to allow for discrete removal of specific times. The ability to perform these actions is limited due to the lack of interface between the Operations Logs and the PEDs system.

To quantify the amount of effect removal of potential PMT from the demands the following actions were performed.

Seven scenarios were analyzed with the CDF & LERF for each unit were compared.

- Scenario #1: No change to the data

- Scenario #2: For each failure assumed 1 PMT performed

- Scenario #3: For each failure assumed 2 PMTs performed

- Scenario #4: For each failure assumed 5 PMTs performed

- Scenario #5: For each failure assumed 10 PMTs performed

- Scenario #6: For each failure 20 PMTs performed

- Scenario #7: For each failure 100 PMTs performed

Note for Scenario 7 the number of demands on the HPCI/RCIC will be set to zero.

Summary of Results:

For Core Damage Frequency Unit 1 had the largest deviation from the baseline for all scenarios.

- Scenario 1: 0.00 percent change, baseline calculation

- Scenario 2: 0.03 percent change

- Scenario 3: 0.07 percent change

- Scenario 4: 0.18 percent change

- Scenario 5: 0.37 percent change

- Scenario 6: 0.82 percent change

- Scenario 7: 2.06 percent change

The results show that without having an extremely unrealistic number of PMTs the data is not significantly skewed by the inclusion of the PMT data.

For Large Early Release Frequency, Unit 3 had the largest deviation from the baseline for all scenarios.

- Scenario 1: 0.00 percent change, baseline calculation

- Scenario 2: 0.01 percent change

- Scenario 3: 0.01 percent change

- Scenario 4: 0.03 percent change

- Scenario 5: 0.06 percent change

- Scenario 6: 0.12 percent change

- Scenario 7: 0.55 percent change

The results show that even with an extremely unrealistic number of PMTs the data is not significantly skewed by the inclusion of the PMT data.

1-22

Finding: There is no discussion of the process to be applied in the use of surveillance test data. The use of this data is required for situations in which there is no MR data available (for example), so a process for its use should be in place.

Basis for Significance: All levels of capability in this SR indicate that the process for use of surveillance data needs to possess specific attributes. There is no process defined.

Possible Resolution: Provide a process for use of surveillance data that incorporates the requirements of this SR.

Disposition: A description of the process to be applied in the use of surveillance test data has been incorporated in Section 6.1.6 the Data Calculation notebook.

1-26*

Finding: Test and maintenance basic event TMOPNLA2480000D for a DC bus uses a generic value from NUREG/CR-6928 for an AC bus. This number seems very low for a DC bus that can be taken out of service for significant amounts of time without forcing a shutdown.

Basis for Significance: Given that such a DC bus can be out of service while the plant is at power for much longer than most AC buses, one would expect the value associated with the DC bus to be higher (not lower) than that of the AC bus.

Possible Resolution: Use plant specific data to determine the T/M unavailability for this DC bus. If no data is available, use a more justifiable generic value.

Disposition: Battery Boards are not taken out of service unless the loads are transferred. The values of the TM events for SB-A, SB-B, SB-C, and SB-D have been set to zero.

Finding: There is no discussion of the review of the LERF contributors (ASME/ANS RA-Sa-2009 Table 2-2.8-9) for reasonableness per the review of the QU Notebook and LE.01.

LE-F2 is related to this F&O. The SR is NOT met.

Basis for Significance: A review of the reasonableness of the results of the analysis of the contributors to LERF is required per the SR.

Possible Resolution: Perform and document a review of the reasonableness of the contributors to LERF.

Disposition: Review of the LERF contributors (ASME/ANS RA-Sa-2009 Table 2-2.8-9) for reasonableness was performed as discussed in section 6.3.2.3 of the QU Notebook.

1-34

Finding: Additional attention should be applied to significant cutsets to determine that the bases for the cutsets are consistent with modeling and operating philosophies.

Basis for Significance: The top accident sequence cutset for both CDF and LERF deals with clogging of the intake and includes events that are very uncertain. The attention given this cutset to minimize the uncertainty associated with the contributing basic events has not been sufficient. The approach to dealing with such important cutsets should assure that the contributors are understood and are supported by appropriate rigorous analyses and/or assessment.

Possible Resolution: Make sure that the top cutsets (reviewed per the PRA Procedures) are discussed and evaluated. During the quantification process make sure that an evaluation is performed in addition to capturing the results.

Disposition: Cutset reviews have been performed. The intake structure model has been reworked.

Finding: The sequence descriptions generally include a description of the sequences but the phenomenological conditions created are not specifically identified. Some references to phenomenology are provided but not consistently (e.g., ATWS sequence descriptions conclude with the statement "There no phenomenological conditions identified.")

Basis for Significance: The SR calls for identification of the phenomenological conditions for each sequence.

Possible Resolution: Include a listing of phenomenological conditions that result for each sequence.

Disposition: The phenomenology is discussed in the ATWS sequence descriptions. The statement "There no phenomenological conditions identified" was removed from the AS notebook.

In addition, other phenomena are discussed as noted below:

- Loss of suction due to venting is discussed in 6.2.2

- Harsh environment is discussed in 6.2.4

2-13

Finding: In Table B-1 of the HRA Notebook, HFL_1003_LT56A has a value of 9E-04 which is higher than the component failure of the same level transmitter yet it is not in the fault tree based on the common cause failure of all 4 level transmitters being in the fault tree (note 1 in table). The independent miscalibration should be included in the fault tree. This is applicable to other precursor events also.

Basis for Significance: Given that the miscalibration has a higher value than the mechanical failure it should be included as a valid failure more in the tree. One level transmitter failing due to a hardware issue and a second due to miscalibration is a valid

Possible Resolution: As the independent miscalibration events to the fault tree

Disposition: Identified CCF HFLs without screening values: HFL_1003CCFLTO056, HFL_1003CCFLTO058, HFL_1003CCFLT0203, HFL_1068CCFPTLOPR, HFL_2003CCFLT0056, HFL_2003CCFLT0058, HFL_2003CCFLT0203, HFL_2068CCFPTLOPR, HFL_3003CCFLTO056, HFL_3003CCFLTO058, HFL_3003CCFLT0203, HFL_3068CCFPTLOPR.

Table B-1 of the BFN HRA Analysis notebook has been updated to include changes to the PRA model.

Finding: HFL_1003_CCFT0056 is Common cause miscalibration of all 4 level transmitters, inspection of the fault tree shows that specific pairs of failures (AC, BD) would also cause a failure to initiate the logic. These CCF pairs should be added to the model. This will apply to other miscalibration CCFs also.

Basis for Significance: The pair CCFs will have a higher value than the 4 of 4 event thus impact the results.

Possible Resolution: Calculate the pair CCFs and add to the fault tree

Disposition: The F&O relates to all of the pre-initiators that accounted for common miscalibration errors. Fault trees have been updated and HRA notebook has been revised to reflect this change. HFL_1003_LT56A, HFL_1003_LT56B, HFL_1003_LT56C, and HFL_1003_LT56D have been added to the model.

2-17

Finding: In the fault tree, only the reactor low level input is modeled for RPS. The other inputs that would be triggered by the initiators feeding the ATWS event tree such as MSIV closure (MSIV closure), reactor pressure (LOCAs SORVs), drywell pressure (SLOCA, SORV), Turbine valve position (GTRAN involving turbine trips) are not modeled. This is not a true representation of RPS's participation in reactivity control.

Basis for Significance: Because most initiators trigger multiple RPS inputs failure of RPS would be higher than its design indicates and the ATWS contribution overstated.

Possible Resolution: Model other appropriate RPS inputs and link the appropriate ones to their initiating events.

Disposition: Based upon recommendation of the peer review team the following resolution was created. Due to the high number of diverse RPS inputs capable of generating a reactor trip signal, an assumption has been inserted into the RPS notebook that one of the signals will successfully generate a trip signal for each condition modeled. The low water level signal input to the RPS has been removed from the model to facilitate this assumption. The RPS system notebook has been updated to reflect the changes noted above.

Finding: ... recent operational experience, compared to unit 2 and 3, there is no discussion in the data notebook regarding the limited unit 1 specific data. It appears that for TM the limited data was used directly and no consideration of this taken.

Basis for Significance: Using the limited data for Unit 1 without consideration that the unit has limited data (less than a full cycle) likely skews the results.

Possible Resolution: Examine the data used for the Unit 1 analysis and ensure that any Unit 1 data used is in agreement with that of Units 2 and 3. Fully document and justify the data used for Unit 1. For example, discussion with the utility revealed that Unit 2/3 data was used for Unit 1 unavailability values. The text needs to be updated to reflect the actual method used

Disposition: Additional discussion related to T&M for Unit 1 was added to section 6.2.5 of the Data Notebook. The maintenance unavailability data from Units 1, 2 and 3 is now pooled, as described in the revised Data notebook. In addition, a review of the plant-specific unavailability data showed that Unit 1 unavailabilities are generally consistent with those from Unit 2 and Unit 3.

2-23

Finding: In section 3.2.6.1 of the HVAC system notebook, it states that the running ACU for unit 3 electric boards must be tripped before the standby unit can be started. Failure of this trip to occur is not reflected in the fault tree.

Given Priority 2 because model change may be required.

Basis for Significance: A breaker failing to provide tripped indication for a start permissive can happen and this failure mode should be

Possible Resolution: Include running ACU fail to trip (indicate as tripped) as a start failure for the standby ACU.

Disposition: Failure of the operating unit to trip has been added to the model as a failure mode of the standby unit.

Finding: For SPC and LPCI, the LPCI injection valves and SPC return valves are required to reposition when swapping RHR modes, but this is not included in the model. The RHR system notebook indicates that these valves need to close for the opposite function. However in one location in the notebook it is indicated that flow can be split between LPCI and SPC.

Priority 2 is given because of the potential for model changes.

Basis for Significance: All active components should be included in the failure modes of a system.

Possible Resolution: Add failure mode to the fault trees and clarify documentation

Disposition: The injection valves do need to change position for split LPCI/SPC flow; two valves would have to fail to modulate or close in either path to fail either system. An operator interview was conducted to address this issue. The common cause failure probability of two MOV's to close is less than 1E-5. The RHR pump start failure probability is approximately 1.4E-3. The failure of two MOV's to close is less than 2 orders of magnitude lower than another failure that would fail the system in a similar manner. Therefore, failure to close (or modulate) either the LPCI or SPC injection path can be neglected. The RHR system notebook was modified to reflect this and the operator interview was added.

2-35

Finding: The containment structural analysis does not address the Unit 3 primary containment ultimate capacity in section 6.3.

Basis for Significance: All three unit containments must be addressed

Possible Resolution: Address the unit 3 containment ultimate capability,

Disposition: The LERF Notebook calculations are applicable to all three Browns Ferry units. However, much of the previous work, including industry studies has been based on BFN Unit 1. Thus, the plant description in Section 3 of the LERF Notebook which specifically applies to Unit 1 is supplemented with a discussion of unit differences. The unit differences are examined from the perspective of LERF and it is concluded that the minor differences between the units do not impact the LERF quantification.

Finding: The operator actions in the LERF analysis are not based on that same type of HFE calculations used in the Level 1 analysis

Basis for Significance: SR requires the same level of rigor in HRA as in level 1.

Possible Resolution: Use the same HRA process as Level 1 for the LERF HFE events.

Disposition: LERF HFEs have been updated in a manner consistent with the process used for Level 1 HFEs and are documented in the HRA notebook.

2-39

Finding: In the documentation for CIL it states that a fault tree is quantified and the resulting value is used in the quantification of the node. Inspection of the fault tree shows that the containment isolation fault tree is quantified with the node directly. Direct quantification of node is the appropriate action.

Basis for Significance: Not describing the actual method of quantifying the node can lead to errors in use of the PRA.

Possible Resolution: Correct the CIL writeup in the LERF notebook to correctly reflect the actual model and also better reflect the information in the Primary Containment Isolation notebook.

Disposition: Section A.2.2 of the LERF Notebook (LE.01 Appendix A) has been revised to address this comment.

2-4

Finding: Estimated values are provided in table 10 of the data notebook but no rationale is provided for how they were obtained,

Basis for Significance: The SR requires documenting the rationale. This allows the thought process used to create the estimate to be reviewed and validated.

Possible Resolution: Provide rationale required by the SR.

Disposition: Discussion was added to the Data notebook (section 6.2.7) explaining the rationale for the estimated TM events.

Finding: Systems models are not developed for LERF. Documentation indicates split fraction values with no good basis for them.

Basis for Significance: Systems models are needed to properly reflect impact of specific failures. It is believed that the values being used arise from the previous LERF analysis.

Possible Resolution: Create system models for relevant LERF functions and revise documentation accordingly.

Disposition: Systems models are now developed for LERF. The LERF Analysis documentation has been revised to reflect the updated to include descriptions of the LERF system models.

2-6

Finding: The results of the data analysis are well documented but the process and intermediate steps are not well described. For example in discussion with the analyst the process by which the component failures go from the CAP process to the MRule database and are extracted from it to a PRA failure screening tool to the table in the data notebook was described but the data notebook merely states the failures were extracted from CDE and the type codes assigned.

Basis for Significance: Transparency and reproducibility are improved with better process descriptions.

Possible Resolution: Document the processes used to perform the various data analyses. This documentation should be sufficient for a knowledgeable reviewer to understand the entire process from raw data to final results.

Disposition: Added the following text to the Data Analysis notebook in Section 6.1.6

"BFN plant specific data has been compiled from the plant database of functional failures collected for the Maintenance Rule. The BFN PRA database is linked to the Cause Determination Evaluation (CDE) Tracking System. The CDE tracking system collects information at the site about what failures have occurred within the plant systems that are monitored by the Maintenance Rule. Not all events are related to a functional failure, as some CDE entries are related to degraded conditions or unavailability conditions. To better identify events are functional failures the BFN PRA database extracts only the relevant information from the database to help make the judgment as to which type code each failure should belong. For each CDE the Event Description and Root Cause are extracted to allow for analysis of the failure mode. If not enough information is present the EPIX number is also displayed to allow for more research into the failure event. Plant specific data for the period 1/1/2003 to 1/1/2008 was evaluated and used as input to the Bayesian analysis."

Finding: ... from two general types of issues, plant specific and generic. Plant specific uncertainties and assumptions should be identified and documented during the model development. The generic sources of uncertainty are listed in EPRI Report 1016737 Table A-1. Both types of uncertainties must be addressed for the base model.

Examples of plant specific uncertainties include:

(1) ISLOCA valve failing to close after testing is not listed in the sources of uncertainty, nor is the conditional probability that the break is greater than 93 or 600 gpm.

(2) For Initiating Events, the factors affecting INTAKE initiating event is not included in the assumptions section, nor are any of the other assumptions in the analysis.

(3) Specific assumptions for the detailed HFEs is not discussed, including assumptions made for timing of operator responses (versus analyzed or those observed on a simulator)

Sources of uncertainty must be identified and documented.

Possible Resolution: NUREG-1855 and EPRI 1016737 provide an acceptable approach to identifying, documenting and characterizing sources of uncertainty. Use this method or a similar method.

Disposition: Plant specified uncertainties were identified on Table A8-1 of the Quantification Notebook per SR QU-E1 and QU-E2 of ASME RA-S 2005 Addendum B. Key modeling uncertainties (e.g., HVAC dependencies and intake structure plugging) were addressed in Section 6.3.3 of the Quantification Notebook per SR QU-E4 of ASME RA-S 2005 Addendum B. The requirements and procedures for characterizing generic and plant-specific modeling uncertainties are specified in SR QU-E4 of ASME-ANS RA-S 2009, RG 1.200, Revision 1, NUREG 1855, and EPRI-1016737. These requirements and procedures were formalized shortly before the peer review for BFN. The additional requirements for ASME-ANS RA-S 2009 will be implemented in the next revision of the BFN PRA model.

Finding: There is no evidence of an analysis for sequences that go beyond the 24 hour period to evaluate the appropriate treatment relative to the CC II/III requirements for SC-A5.

Basis for Significance: A CC II/III for SC-A5 requires that options other than assuming sequences in which a stable state has not been reached in 24 hours goes to core damage.

Possible Resolution: Perform and document an analysis of sequences that do not achieve a stable state in 24 hours to determine which of the options presented in the SR would be a most appropriate disposition for that sequence. Then change the PRA model accordingly.

Disposition: General Transient sequence GTRAN_5002 is a non-IORV/SORV success sequence with successful suppression pool cooling and long term HPCI or RCIC. MAAP analysis show HPCI and RCIC can be successful for greater than 24 hours with effective SPC. Drywell temperature, however, increases throughout this sequence due to heat transfer from the vessel and drywell piping (drywell fan coil units are not credited). MAAP analysis shows drywell temperature increases to, but does not surpass, 300 °F within a 36 hour analysis time duration. The EOI's require the operators to emergency depressurize when drywell temperature reaches 281 °F. This will fail HPCI and RCIC and prevent further high pressure injection. This sequence was analyzed by interviews with operators and review of other non-MAAP analysis to determine 1) if the operators would emergency depressurize if there were no low pressure injection sources available, and 2) if the MAAP analysis was reasonable.

Operator interviews determined that the operators would emergency depressurize when instructed by the EOI's even if no low pressure injection systems were available. A review of General Electric calculation W79 040331 003 confirmed the conclusions drawn from the MAAP results. Since the calculation is GE Company Proprietary, the results are not presented here.

As a result of the above analysis, the sequence was changed to require successful low pressure injection for sequence success.

Finding: The quarterly SLC pump and valve operability test, which renders both trains of SLC unavailable, is not modeled with a coincident maintenance term.

Basis for Significance: This is classified as a finding since it is a modeling deficiency that should be corrected.

Possible Resolution: Model a coincident unavailability term for this maintenance configuration.

Disposition: A coincident maintenance term was added to the MOR that fails both trains of SLC. An interview was conducted with the system engineer who indicated the quarterly test Sl-4.4.4.a.1, Standby Liquid Control Pump Functional Test takes both SLC trains out of service for 4 hours at the most. The T&M event reflects an unavailability of 4/8760, or 4.57E-4 /yr.

3-28

Finding: A detailed discussion of the quantification asymmetries (with respect to different units, system alignments, etc) is not presented.

Basis for Significance: This is an important part of the quantification documentation process.

Possible Resolution: A detailed discussion of the quantification asymmetries (with respect to different units, system alignments, etc) should be presented in the Quantification Notebook.

Disposition: Section 4.3 of the Quantification Notebook was expanded to discuss unit differences that impact the quantification results.

4.3 Unit differences

This calculation documents the quantification of all three BFN units. Unit differences are explicitly addressed in the system fault tree models. Some unit differences have a significant impact on the quantification results.

The HVAC dependencies on electrical boards have a significant impact on the results. The Units 1 and 2 electrical boards are cooled by air conditioning units that depend on chillers. The Unit 3 electrical boards are cooled by air conditioning units that depend on EECW.

3-31

Finding: The definitions for significant when presenting lists of important equipment, operator actions, etc. do not always conform to the strict ASME standard definition of significant. Justifications for the alternatives used are not presented.

Basis for Significance: This issue causes the supporting requirement QU-F6 not to be met.

Possible Resolution: When presenting lists of significant equipment strictly adhere to the ASME standard definition or present a rationale for using an alternative.

Disposition: Section 6.3.2.4 of the Quantification Calculation was updated to address the significance criteria for important equipment and operator actions.

3-32

Finding: There is no evidence that the PRA maintenance and update procedures are 'living'. Note that this may be due to the fact that the procedures are relatively new and the BFN models are currently in the process of a major upgrade.

Basis for Significance: This issue causes the SR to be Not Met.

Possible Resolution: As the procedure is implemented, assemble evidence that this process is active. Conduct periodic self-assessments to ensure the process is being maintained.

Disposition: NEDP-26 Section 3.5.3 states that:

PRA program self-assessments should be performed periodically by personnel cognizant of the PRA process, principles, and applications. PRA self assessments shall use the current PRA MOR for the site being reviewed. Self assessments shall be conducted in accordance with SPP 1.6, "NPG Self Assessment and Benchmarking Program."

1-:54

Finding: The PRA configuration control procedures lack implementation details that assist the risk analyst in how to carry out the general requirements specified by the procedures.

Basis for Significance: This implementation detail is important in maintaining a 'living' PRA program.

Possible Resolution: Incorporate into this document or into a lower tier work instruction implementation details for the general requirements specified. Consider the use of the BWROG generic Guidance in procedure: BWROG PRA Configuration Control and General Maintenance Guidance Document Rl.do c

Disposition: NEDP-26 provides the PRA configuration control procedures. These procedures will be updated considering the BWROG generic Guidance Document.

Scheduled manual IE-A7 is related to this F&O 6-15 suggests that manual shutdowns be included shutdowns (especially for met. as an initiator. Manual shutdowns have been refueling outages) should conservatively lumped together with automatic not be included in the Basis for Significance SCRAMs. There are no identifiable plant response statistical basis for the CRNM ASME Standard differences between automatic and manual shutdown scram initiator. This can Interpretation #5 (for FAQ 06- above low power situations. Low power manual lead to an overly 1060) states that normal shutdowns will be included in the Low conservative scram initiator controlled shutdowns should not Power/Shutdown PRA.

frequency. be included when counting initiating events. The current Note that CNRM practice at Browns Ferry regarding interpretation for FAQ 06- this item, therefore, does not 1060 (should non-forced meet the requirements of the manual trips which are part standard.

of the normal shutdown procedure be counted) Possible Resolution states that 'a normal Remove planned shutdowns from controlled shutdown would the SCRAM initiator data set.

not present the same challenges as a trip from full power if the manual trip was prompted by conditions other than the normal shutdown procedure which could occur at full power, it should be counted.

Finding: The U2/U3 availability factor may not be correct for U1 IE frequency calculations. Critical hours for Unit 1 are only available for about 8 months in 2007 (~82% availability).

Additional justification is needed to use Unit 2/3 critical data for Unit 1. The intent of the PRA is to reflect the as-operated plant, and it is not clear that Unit 1 will be operated in the future at a 95% availability factor.

Possible Resolution: Resolve or justify the discrepancy between Unit 2/3 and Unit 1 availability.

Disposition: See response to F&O Task ID 29. The purpose of the PRA is to provide a realistic estimate of risk for future operations. The limited data for Unit 1 is for essentially a new plant that had a number of scrams during the restart process. The more recent data shows Unit 1 to be operating with a capacity factor similar to that of Units 2 and 3.

4-11

Finding: IE.01 (Initiating Events Notebook) Table 22 shows the difference between the prior and the posterior, one cannot tell whether the prior distribution was correct for the plant-specific data.

Basis for Significance: IE-C4 requires justification of the selection of any informative prior distribution used. Neither the documentation nor the calculation files available provide that justification.

Possible Resolution: Evaluate the prior distribution, plant-specific data and posterior distribution to determine whether the choice of informative prior distribution is correct.

Disposition: Graphs of the prior and posterior distributions are added to the notebook as Appendix E. Each graph contains the prior and posterior means for each updated distribution.

4-12

Finding: It's not clear how the IE frequencies were updated. Many of the priors are gamma, but all the posterior distributions are Lognormal.

Basis for Significance: Neither the documentation nor the available calculation files provide adequate information to determine whether the posterior distributions are correctly calculated.

Possible Resolution: Provide additional documentation of the Bayesian update process, including the software used, the input data, and the output files. For example, as was done in Appendix 4 of the Data Analysis.

Disposition: The updated IE frequencies have been re-calculated using the appropriate distributions. These are documented in the Initiating Events Notebook.

The following statement was added to the IE notebook in section 6.3.2:

The IE frequencies were updated using the CAFTA database bayes update feature. For each input prior distribution type (i.e. gamma, lognormal), the same distribution was selected as the output posterior distribution type.

4-17

Finding: The documentation does not provide a method to trace the operator actions identified in the Accident Sequence Analysis to the quantification of the actions or their incorporation in the model. No designators are provided in the AS Analysis to identify the operator actions.

HR-13 is related to this F&O. The SR is NOT met.

Basis for Significance: The lack of operator action designators in the identification phase makes the review of the HRA very difficult.

Possible Resolution: Provide operator action designators in the identification phase (e.g., AS Analysis).

Disposition: The modeled operator actions have been added to the AS Notebook. Those actions for support systems that affect all front line mitigating systems were not added to the notebook.

Finding: Some operator actions assume that the execution failure probability (Pe) is including: HFA_0_ADSINHIBIT, HFA_0_ATWSLEVEL, HFA_0024RCWINTAKE, HFA_0027INTAKE, HFA_01R2_LPI, HFA_1063SLCINJECT, HFA_00241FISOL

Example 1: Several operator actions for ATWS scenarios (e.g., HFA_1063SLCINJECT: Failure to SLC in response to an ATWS event) assume the execution failure probability (Pe) is 0.0.

Example 2: Operator action HFA_0024RCWINTAKE (Failure to clear debris at intake before reactor scram) assumes an execution error of 0.0 based on the following: 'Cleaning traveling screens does not relate to a series of manual actions, but to an effort among several operators. It is assumed that, if the action is initiated within 1 hr, it will be successful.' The same rationale is provided for no execution error in HFA_0027INTAKE.

Basis for Significance: Execution failure is a required part of the HEP calculation, and the argument for ignoring execution failure is not necessarily compelling, especially for maintaining level (HFA_0_ATWSLEVEL). Some of the actions for which Pe is not considered are important to the overall results.

Note 1: The explanation given for no execution failure for HFA_0_ATWSLEVEL describes the actions required for starting SLC (HFA_1063SLCINJECT).

Note 2: Cleaning debris from traveling screens is not a simple action, an assumption, that if the actions are started they are guaranteed to be completed in 1 hour, is not justified.

Possible Resolution: Include Pe in the quantification of HFA_1063SLCINJECT, HFA_0_ADSINHIBIT, HFA_0_ATWSLEVEL, HFA_0024RCWINTAKE and HFA_0027INTAKE. Insure that execution errors are considered appropriately in other HEPs, as well.

Disposition: In general, model errors of omission in execution were not modeled when execution entails a single action. Skipping the step in the procedure is already accounted for in the cognitive portion; for a single execution step, it doesn't make sense to say that the step is not skipped, but that the execution is not performed. There still could be a commission error in execution (that is, trying to implement the action but doing it wrong), even if there is a single execution step. For the events listed, this is documented in the HRA Calculator files, except for HFAO0241FISOL which has been updated to include execution errors.

Finding: The joint HEP for several combined operator actions are too low and cannot be justified. Specifically, three combined actions have joint HEPs of less than 1E-7, and eight are less than 1E-6. Note that the HRA acknowledges these low combined HEPs, but does not enforce any lower bound. Further, it states that a sensitivity will be performed in the Quantification Notebook, but none is performed.

Basis for Significance: If the joint HEP for combined events is too low, sequence and overall results may be artificially lowered, and the importance of the operator actions may be understated.

Possible Resolution: Establish a reasonable lower bound for combined HFE probabilities. Perform sensitivities to determine the significance of this lower bound.

Disposition: Section 5.3.3.6 of NUREG-1792 indicates that the total combined probability of all the HFEs in the same accident sequence/cutset should not be less than a justified value. A suggested value 1.0E-05 is provided based on potential dependent failure modes that are not usually treated. The HRA Calculator currently provides the capability to explicitly calculate the joint probability of dependent and independent post-initiator HFEs in the same accident sequence/cutset. This methodology improvement reduces the need for a threshold value. Overly conservative threshold values have the potential for skewing the results.

4-23

Finding: Several operator actions that have RRW > 1.005 have HEPs with screening values. The HFEs are: HFAZOO74ALIG N_DWS (CDF/LERF), HFAZOO23IFISOL (CDF), HFAZO084CADALIGN (CDF), HFAZOSPRAYMLOCA (LERF), HFAZOHCIINIT30 (LERF), and HFAZOO71CTLPOWER (LERF)

Basis for Significance: These HFEs should be evaluated using a detailed analysis in accordance with the requirements of HR-G1.

Possible Resolution: Perform a detailed analysis of all HFEs with RRW >1.005.

Disposition: Detailed analysis has been performed for HFAs with RRW > 1.005 and results are documented in the HRA notebook.

Finding: There are many operator actions that use screening values; see Table 8 of the HRA. None of these actions appear to use any information to base the time available and the times to operator cues and perform the actions are not documented.

Basis for Significance: Without any real timing information, it is not possible to estimate, even at a screening level, the probability of operator failure or success.

Possible Resolution: Provide timing information for all operator actions, including those HEPs estimated by using screening values.

Disposition: HFEs have been reviewed and detailed analyses have been performed for many HFEs that previously used screening values. In addition, timing analyses have been reviewed. Timing is based primarily on plant specific MAAP calculations, timing from BFN simulator exercises, or estimates from BFN operator interviews.

In response to this comment, updated timing analysis has been re-reviewed by BFN operations staff and additional changes have been incorporated.

All model changes are included in an update to the HRA notebook.

4-27

Finding: There are many "Misaligned HFE HEP Codes" assigned in Appendix A of the HRA that are not carried through the rest of the HRA or present in the PRA model (e.g., HARCI1, HAREA1, HAINH1, and HARHR2).

Basis for Significance: The disposition of HFEs for non-screened potential misalignment events cannot be verified as required by HR-C1. The PRA group indicated that the Appendix would be updated.

Possible Resolution: Provide traceability from Appendix A of the HRA to the remainder of the pre-initiator analysis and the PRA model.

Disposition: The HFE HEP codes noted in the F&O were used in the previous model and were inadvertently left in the documentation. Appendix A to the HRA notebook has been revised to correct errors allow traceability.

Finding: Non-screened miscalibration events are not provided with designators in Appendix A of the HRA. Thus HFEs associated with these miscalibration events cannot be readily determined.

Basis for Significance: The requirements of HR-C1 cannot be verified due to lack of traceability from HRA Appendix A table to the rest of the pre-initiator analysis.

Possible Resolution: For miscalibration events, provide traceability from Table A of the HRA to the remainder of the pre-initiator analysis and the PRA model.

Disposition: Appendix A has been updated to include the designators for the non-screened miscalibration events.

4-29

Finding: The list of activities reviewed in the HRA Appendix A table is primarily focused on Unit 2 or Unit 0 SRs and SIs. There are a few Unit 1 procedures listed, but it is not clear why certain procedures from Unit 1 are reviewed but not others. More importantly, there do not appear to be any Unit 3 procedures reviewed. A sample review of one procedure between all three units (3.5.1.5(CS I)) found that the Units 1/2 tests affected two relays that are not tested in the Unit 3 procedure.

Basis for Significance: The review of procedures should not be limited to one unit. Differences between units may present additional pre-initiator actions. Although the one example found would not likely result in a pre-initiator, the point is that there are differences between the units' procedures.

Possible Resolution: A more complete review of the procedures for all three units is warranted. There should at least be a focus on procedures for systems that may be different between the units.

Disposition: A focused on review procedures in which systems between units was performed. No changes were made to the preinitiators as a result of this review.

4-31

Finding: There do not appear to be any ACTIVITIES that were found in HR-A1 and HR-A2 identified as affecting redundant trains or diverse systems.

Basis for Significance: HR-A3 requires identification of such activities, despite the fact that the HFEs may include multiple components or trains.

Possible Resolution: Identify and document activities from HR-A1 and HR-A2 that affect redundant trains or diverse systems.

Disposition: Activities from HR-A1 and HR-A2 that affect redundant trains or diverse systems are identified in Table B-1 of Appendix B under the heading "Common cause events." These activities are all a result of miscalibration events.

Finding: Several electrical system boards are modeled to receive power from multiple sources (e.g., normal and alternate buses, and/or EDGs) without considering the need for undervoltage detection and operation circuitry for breakers and EDGs.

Priority 1 because model change is required.

Basis for Significance: Component boundaries for breakers do not include such circuitry, based on NUREG/CR-6928. Note that local circuitry and protection devices are included.

Possible Resolution: Review component boundaries and modeled events for automatic electrical bus transfers.

Disposition: The EDG logic to start and load (close output breaker) are currently modeled. The component description for the circuit breaker component in Appendix A of NUREG/CR-6928 states:

The circuit breaker (CBK) is defined as the breaker itself and local instrumentation and control circuitry. External equipment used to monitor under voltage, ground faults, differential faults, and other protection schemes for individual breakers are considered part of the breaker.

External equipment used to monitor under voltage is considered part of the breaker. The modeling of automatic bus transfer in the BFN model contains both the normal supply breaker failure to open (FTO), and the alternate supply breaker failure to close (FTC).

Since both failure modes are included, and the data from NUREG/CR-6928 includes under voltage detection in the breaker boundary, the current modeling methodology is appropriate.

Finding: The unavailability or failure of a bus is not considered in the logic used to provide alternate electrical power supplies to other buses and boards. Example: U1_SDREC_A is used to re-energize 4kV SD Board A from 4kV SD Board 3A. However, the unavailability or failure of 4kV SD Board 3A does not fail the function (it should).

Priority 2 because Model change is required.

Basis for Significance: Unavailability or failure of the alternate power supply would prevent being able to credit it as an alternate source. Although the failure probability of a bus is much less than the failure probability of other equipment that could affect the power transfer (e.g., breaker demand failure), the unavailability could be substantial, especially during an outage.

Possible Resolution: Include unavailability and/or bus failures as appropriate, or justify not modeling due to low failure probability.

Disposition: The failure of the bus has been included in the BFN PRA model. The applicable 4-kV shutdown board failure has been added to gates U1_SDREC_A, U2_SDREC_A, U3_SDREC_A, U1_SDREC_B, U2_SDREC_B, U3_SDREC_B, U1_SDREC_C, U2_SDREC_C, U3_SDREC_C, U1_SDREC_D, U2_SDREC_D, and U3_SDREC_D.

Finding: The assumption that A HVAC is normally running and B HVAC is in standby leads to skewed basic event importances and non-sensical cutsets.

For example, with A HVAC always running:

(1) The Loss of RMOV Board A importance is much higher than RMOV Board B (10% vs. 2.5%)

(2) Non-sensical cutsets exist, such as where RMOV Board A is in maintenance and B HVAC fails to start (due to operator or hardware failure).

Basis for Significance: The assumption that one train is always normally running (the HVAC is only an example) does not reflect the plant operation, and can result in skewed importance results or missing cutsets/sequences (i.e., how would the results be different if the other train were assumed to be running?).

Possible Resolution: Potential resolution is to remove flag settings for what train is normally running, and use flag events to represent the fraction of time that a given train is running and standby (e.g., 0.5).

Disposition: The running and standby flags for the HVAC trains have been changed to 0.5 to represent equal running times for all trains.

To prevent non-sensical cutsets, the MUX logic was expanded to include all events under the unit start gates (any failure event that only occurs during a unit start). In order to ensure proper application of the failure of a unit to start, the AHU fails to start after a LOOP event was made unique by adding a "LOOP" to the event name.

Finding: Instrument tap failures (leaks) are screened in Section 6.2.3.8 on the basis that the CDF contribution of these is less than 2E-9/[year].

Note: the initiating event document says that this meets IE screening criteria per IE-C4. This is now IE-C6 in RG 1.200 Rev. 2.

Basis for Significance: CDF contribution by itself is not a metric that can be used to screen initiators, per IE-C6.

Possible Resolution: If instrument tap failures are to be screened, the criteria in IE-C6 need to be met, or they should be included as initiating events.

Disposition: The BFN IE notebook has been updated to reflect the following discussion:

To calculate the value of an instrument line failure, the NUREG/CR-6928 value for a VSLOCA was utilized. The mean frequency of a VSLOCA in NUREG/CR-6928 is 1.55E-03/yr. To estimate the fraction of VSLOCA initiators that is associated with instrument line failures, NUREG/CR-5750 was utilized. Section 4.4.6 of NUREG/CR-5750 discusses four events in the database; all four events were at PWR's. Two of the four events were associated with instrument lines, one a steam generator tube leak, and one a drain line. Thus an instrument line break initiator can be characterized as a very small LOCA where 2 of 4 events are associated with instrument lines. The VSLOCA frequency was split by 0.5 resulting in a frequency of 7.75E-04. Note that the one event for VSLOCA utilized in NUREG/CR-6928 occurred in 1996 and was associated with a reactor recirculation pump seal leak.

Instrument line failures can have significant impact on plants with only two reference legs, as RCIC, HPCI, and feedwater can all be adversely affected. BFN, however, has four reference legs and is only marginally impacted by reference leg leak down. This is confirmed by industry studies which indicate that reference leg leak down with the BFN configuration does not pose a significant challenge to safe shutdown. In order for the instrument line failure to be a significant challenge to safe shutdown it would require failure of two instrument lines which would occur at less than a 1E-6 frequency (7.75E-04*7.75E-04 = 6.01E-07). If failure of one reference leg were to occur the operators would put the channel in a tripped condition. Thus if two reference legs were to fail it would take failure of another reference leg and failure of the operators to manually start the ECCS equipment and result in core damage.

4-40

Finding: A review of non-significant cutsets found many LOOP cutsets that have combinations of two independent HFEs which should have some level of dependency: HFA_02114KVCRSTIE (Failure to cross-tie 4kV SD Board) AND HFA_023148OSDBTIE (Failure to provide alternate power to 480V SD Board).

Basis for Significance: This is an example of non-significant cutsets that, had they been reviewed, would have uncovered the need to perform additional operator dependency analyses.

Possible Resolution:

(1) Re-perform operator action dependency analysis.

(2) Re-perform review of non-significant cutsets prior to finalizing and documenting results.

Disposition: Dependency analysis has been re-performed and results are documented in the HRA notebook.

4-41

Finding: Offsite power recovery is applied in cutsets where it might not be possible. See U1 CDF cutset at 1.151E-08: LOOP with common cause failure of shutdown board normal feeder breakers to open.

Basis for Significance: Recoveries should only be applied to scenarios or cutsets where the recovery can be expected to be successful.

Possible Resolution: Review recovery logic/rules to ensure that recoveries are not applied to non-recoverable failures.

Disposition: The example cited is incorrect. If the breakers failed to open, they would still be closed and available for offsite power recovery.

Finding: notebook says that EDG boundaries included the output breakers, but the DG system notebook and the model have them as separate events. NUREG/CR-6928 lists breakers as WITHIN the boundary of the EDG.

Basis for Significance: Apparent inconsistency in data and component boundary definitions.

Possible Resolution: Resolve discrepancy.

Disposition: The EDG output breakers 1818, 1822, 1812, 1816, 1838, 1842, 1832, and 1836 have been included within the boundary of the EDG. The output breakers are no longer explicitly modeled. The EDG system notebook and table 4 have been updated to reflect this change.

4-43

Finding: No dependency analysis is performed between operator Action IR2 (Operator fails to depressurize after core damage) and HFA_0001HPRVD1 (Operator fails to initiate depressurization [Level 1]).

Basis for Significance: These two actions are in the same cutset, resulting in a combined failure probability of 6.25E-8 (2.5E-4*2.5E-4).

Possible Resolution: A dependency analysis should be done between Level 1/Level 2 actions as well as Level 2/Level 2 actions.

Disposition: Since failure to depressurize prior to core damage is a failure to properly follow/execute steps in the EOI-1 flow chart while failure to depressurize after core melt considers failure to properly follow and execute steps from the SAMG-1 flow chart, there is no dependency of the operator response for this action. Also, during execution of the SAMGs, there will be additional guidance/oversight from TSC personnel. This would further reduce likelihood of Level 1 to Level 2 dependencies.

In general, there will be no dependencies between HFE's from Level 1 (EOIs) to Level 2/LERF (SAMGs).

This will be treated as an assumption in the analysis and documented in the assumption section of the HRA notebook.

4-45

Finding: Reviewed LE.01. Section 7.5 implies that repair is considered within the CET structure. However, there is apparently no repair credited in the model, including late recovery of offsite power.

Basis for Significance: The model is not consistent with the documentation.

Possible Resolution: Sequences should be reviewed and repair credited where justified, in accordance with LEC3 (Cat II/III).

Disposition: Repair is credited in the LERF Model. Recovery of offsite power is modeled in the Level 1 PRA and is credited in the LERF model under in vessel recovery (UxIVR2).

4-46

Finding: Long-term SBO events take credit in the CET for establishing injection (TD2 succeeds) and flooding containment (FD2 succeeds) without recovering offsite power. Additional cutsets are found with loss of all HVAC and successful injection and core flooding in the CET. Additional cutsets are found with loss of intake and successful core flooding (which could be from RHRSW).

Basis for Significance: Model fails to carry forward dependencies from Level 1 to Level 2 CET, allowing recoveries to be credited that are

Possible Resolution: Fix L1/L2 interface.

Disposition: Fault trees for Level 2 analysis have been added to the CAFTA model and are linked to the Level 1 fault trees.

Finding: Split Fraction FD2 (Recover, restore, align RHRSW or RHR (other unit) for injection for containment flood) is based on engineering judgment. HEP for DW spray initiation in split fraction TD2 is 'set at 1E-2.'

Basis for Significance: No analysis (detailed or screening) is performed to determine HEPs for these split fractions.

Possible Resolution: Perform HRAs on actions for FD2 and TD2.

Disposition: HRA's have been quantified and are now documented in the revised HRA notebook. Also, discussion has been added to LE.01 Appendix A.

Based containment event tree CETI failure of containment, flooding does not result in a LERF sequence. Consequently, HFAOFD2 is not a LERF contributor and need not be quantified in detail

4-48

Finding: No credit is taken for equipment survivability or human actions following containment failure.

Basis for Significance: LE-C21 implies credit be taken for equipment survivability following containment failure, for Cat II/III.

Possible Resolution: REVIEW significant accident progression sequences resulting in a large early release to determine if engineering analyses can support continued equipment operation or operator actions after containment failure that could reduce.

Disposition: Section 3.1.3 of LERF Notebook contains the following:

The equipment survivability assessment, based on a review of the IDCOR Technical Report 17 (Reference 8), is documented in the Structural Analysis Notebook for BFN Unit 1. As long as the drywell and torus are intact, it is assumed that the environment in the reactor and turbine buildings will not prevent the use of equipment in those buildings. However, at the time of drywell failure, it is assumed in the Level 2 assessment that any active equipment in the torus room, adjacent corner rooms, and anywhere else in the reactor building will not be available due to elevated temperature, humidity, and radiation environments. Qualitatively, this equipment survivability assessment does not take any undue credit for the operation of equipment that is exposed to an extreme environment resulting from core damage and subsequent containment breach.

Finding: Several initiating event frequencies are calculated using data from NUREG/CR-6928 and performing a Bayesian update with plant-specific data. However, there are initiating events that are common between NUREG/CR-6928 and the plant-specific data. It is incorrect to perform a Bayesian update with identical data in the generic and plant-specific sources.

Examples: 6928 data includes 1 PLFW from BFN U3 and 6 Turbine Trips from BFN U2/U3.

Basis for Significance: Incorrect application of Bayesian update process

Possible Resolution: Prior to updating, screen plant-specific data from generic source (i.e., NUREG/CR-6928), or only update with data more recent than the generic data

Disposition: The generic and plant specific data were compared to identify any repeat events. Of these, one Partial-Loss of Feedwater (PLFW) was found. This event was removed from the generic data source and the generic prior gamma distribution alpha and beta factors were recalculated. The results of the recalculation can be seen as follows:

Initiator: PLFW
Mean Value: (4.5/168.8) = 8.59E-02
A: 4.5
B: 168.8
Variance: 4.5*(1/168.8)^2 = 5.09E-04

In addition, there were six turbine trip events contained in both data sources. A similar recalculation would have been done on the TT initiator; however, the TT was chosen to be based solely on plant specific data due in consideration of F&O Task ID 146.

In the case that the plant specific and generic data source time periods overlapped, and there were no plant specific failures, or the failures were outside the generic data period, the exposure time for the plant specific Bayesian update was chosen as the time between the end of the generic and plant specific data period overlap and the end of the plant specific data period. This ensures that double counting of the zero failures in the generic and plant specific overlap does not occur. The following discussion has been included in the IE notebook in section 6.3.2.1:

In some cases, plant specific initiators have occurred that overlap with data provided by the generic data source, or there have been no plant specific initiating events that have occurred. For the case when the generic and plant specific data overlap, the plant specific events have been removed from the generic data and the BFN contribution to the reactor-critical years for the frequency have been removed, so they would not be double counted when the Bayesian update was performed. The generic prior frequency was then recalculated. For the case when no plant specific initiators occurred, but the generic and plant specific data period overlap, the Bayesian update exposure time was chosen as described in the following paragraph to avoid double counting the reactor-critical year contribution from BFN in the generic and plant specific data.

For these cases, when the Bayesian update was performed, the exposure time was selected as the time between the end of the overlap (if any) of the generic data period and the plant specific data period and the end of the plant specific data period. Each data reference was reviewed for its data collection period and an exposure time calculated for each initiator. A capacity factor of 0.95 was assumed when determining the reactor-critical years in the Bayesian update exposure time. The results can be found in Table 21.
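The exposure-time rule described above, as an added Python example that is not taken from the IE notebook or the BFN PRA. It assumes a gamma prior with shape A and rate B (mean A/B, variance A/B^2) updated with the standard conjugate gamma-Poisson rule; the dates, prior parameters and two-unit pooling are constructed for illustration.

```python
"""Gamma-Poisson update of an initiating-event frequency that counts only the
plant-specific exposure falling after the overlap with the generic data."""
from dataclasses import dataclass
from datetime import date

DAYS_PER_YEAR = 365.25


@dataclass(frozen=True)
class GammaPrior:
    alpha: float  # shape "A": effective number of events
    beta: float   # rate "B": effective reactor-critical years

    @property
    def mean(self) -> float:
        return self.alpha / self.beta

    @property
    def variance(self) -> float:
        return self.alpha / self.beta ** 2


def exposure_years(generic_start: date, generic_end: date,
                   plant_start: date, plant_end: date,
                   capacity_factor: float = 0.95, units: int = 1) -> float:
    """Reactor-critical years usable in the update.

    If the two periods overlap, exposure runs from the end of the overlap to
    the end of the plant-specific period. If they do not overlap, the whole
    plant-specific period counts. `units` (an assumption of this example)
    scales the result when several units are pooled.
    """
    if plant_end <= plant_start or generic_end <= generic_start:
        raise ValueError("each data period must end after it starts")
    if not 0.0 < capacity_factor <= 1.0:
        raise ValueError("capacity factor must be in (0, 1]")
    overlap_start = max(generic_start, plant_start)
    overlap_end = min(generic_end, plant_end)
    has_overlap = overlap_start < overlap_end
    start = overlap_end if has_overlap else plant_start
    calendar_years = (plant_end - start).days / DAYS_PER_YEAR
    return calendar_years * capacity_factor * units


def bayes_update(prior: GammaPrior, events: int, exposure: float) -> GammaPrior:
    """Conjugate update: Poisson events observed over `exposure` years."""
    if events < 0 or exposure < 0:
        raise ValueError("events and exposure must be non-negative")
    return GammaPrior(prior.alpha + events, prior.beta + exposure)


def compare_exposures(prior: GammaPrior, events: int,
                      generic: tuple, plant: tuple, units: int) -> dict:
    """Posterior means with the non-overlapping exposure and with the naive
    exposure that re-counts the overlap years already inside the prior."""
    t_ok = exposure_years(generic[0], generic[1], plant[0], plant[1], units=units)
    naive_years = (plant[1] - plant[0]).days / DAYS_PER_YEAR
    t_naive = naive_years * 0.95 * units
    return {
        "exposure": t_ok,
        "exposure_naive": t_naive,
        "posterior_mean": bayes_update(prior, events, t_ok).mean,
        "posterior_mean_naive": bayes_update(prior, events, t_naive).mean,
    }


if __name__ == "__main__":
    # Constructed inputs: generic source covering 1998-2002, plant-specific
    # data covering 1997-2007, two pooled units, zero plant-specific events.
    prior = GammaPrior(alpha=0.5, beta=50.0)
    result = compare_exposures(
        prior, events=0,
        generic=(date(1998, 1, 1), date(2002, 12, 31)),
        plant=(date(1997, 1, 1), date(2007, 12, 31)),
        units=2,
    )
    print(f"prior mean            {prior.mean:.3e} /yr")
    for key, value in result.items():
        print(f"{key:<22}{value:.4g}")
```

With zero plant-specific events, the naive exposure drives the posterior mean lower than the evidence supports, because the overlap years are already contained in the generic prior.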

4-50 Although equipment Basis for Significance: Section 6.3.4.5 of the ISLOCA notebook discusses credit survivability beyond LE-C10 Cat II/III requirements are for isolating the LOCA before the ECCS pumps are equipment qualification to REVIEW significant sequences flooded. This is intended to reduce LERF. Credit is based limits is credited, there is no to determine if engineering on a review of the ISLOCA cutsets that indicate indication that significant analyses can be used to take sufficient time to depressurize the ISLOCA path to allow accident progression credit for additional equipment isolation. Depressurization is required to facilitate sequences were reviewed to operation beyond normal operation of isolation valves at lower differential determine if continued qualification limits to reduce LERF. pressure.

equipment operation could be credited to REDUCE LERF. Possible Resolution:

Review significant large early release sequences to determine where additional equipment credit may be taken.

4-51 Class3A (B,C)-006 LERF Basis for Significance: TD2 is successful if LPI, CS, AVI or DWS available. It is sequences are non-sensical. Sequence is invalid since DWS is not guaranteed that DWS is the available system. From In these sequences, TD2 assumed to work but at the same this perspective, a subsequent failure of DWS may still succeeds (i.e., DW Spray time be unavailable, be valid. The Boolean logic works itself out when the hardware is available and failure branch fault tree models are linked in the operator initiates injection Possible Resolution: accident sequence quantification.

per Table A.5.7-1) but DWS Review and correct CET.

fails later in the CET A review of the old CETs indicates that the DWS top is (DWSALLSUP branch is really DWI which does not involve failure of DW sprays.

questioned). It should only be asked if TD fails.

Separate nodal fault trees Basis for Significance: Single top for LERF has been added to fault trees and is are used to calculate node Certain requirements referenced now documented in LE.01 Appendix A.

split fractions, whose values in the SR from the Tables 2-2.7-are used in the CET. By 4(a),(b) and (c) are negatively using separate nodal fault affected by this method of trees and not including quantification: QU-A1, QU-B10, them in a single top fault QU-C1 and QU-C3.

tree, the dependencies --

including sequence, support Possible Resolution:

and operator action -- are Consider using a single top event not explicitly captured and tree for quantifying LERF or the analyst must ensure that develop the required logic needed dependencies are to ensure that dependencies are appropriately captured. properly accounted for.

Numerous examples of issues due to this method are provided in SRs LE-C7/C8 and LE-A4. 4-54 The method used to Basis for Significance: LE.01 Appendix A has been revised to address this quantify split fractions was Split fraction values could not be comment.

very difficult to review and determined by the reviewer, and appears to be based on an descriptions for many split Fault tree events specific to the LERF analysis are old LERF model that is not fractions do not appear discussed and methodology to obtain split fractions has consistent with the current to be valid any more. been re-written.

Level 1 model. The split fraction fault trees were not Possible Resolution:

provided. Further, many of Review and update LE.01 the split fraction Appendix A, especially to remove descriptions provided in discussions or explanations that Appendix A of LE.01 do not no longer apply to the LERF appear to be current or are model.

no longer used in the model.

4-7 Initiating Event Frequencies Basis for Significance: Frequencies are now provided in section 6.3 of the BFN for Special Initiators (LOPA, A check on reasonableness and initiating events notebook for special initiators LOPA, LRCW, INTAKE and %DC) are explanation of differences for IE LRCW, INTAKE and %DC. A comparison to NUREG/CR-not provided in the Initiating frequencies is required by IE-C12. 6928 values is also included for the respective Event Analysis, and no If generic data is not applicable initiators.

comparison with generic due to plant specific features, that industry data for these should be so stated. If this initiators. comparison were done, some errors noted in the fault tree initiating event calculations may have been avoided.

Possible Resolution:

Compare special initiator frequencies with any applicable generic data and explain differences.


Section 6.3.2 of the Basis for Significance According to NUREG/CR-5750, the learning period for Initiating Event Analysis IE-C2 requires that excluded data new plants should be excluded when calculating discusses applying Unit 2/3 be justified. The case has not been initiating event frequencies. BFN Unit 1 is essentially a data to all three BFN units. made for excluding Unit 1 data. new plant. It was shutdown for over 20 years and had However, it is noted that a great deal of equipment replaced for the restart. BFN there have been 7 scrams in Possible Resolution Unit 1 had 5 scrams in the first 4.5 months of the short history of Unit 1 Provide additional details that operation. Since November 2007, BFN Unit 1 has had since re-start (-4800 critical justify: (1) excluding Unit 1 data, only one scram. This is on par with BFN Units 2 and 3.

hours). This may indicate and/or (2) applying Unit 2/3 data that U2/U3 data is not to Unit 1. As stated in Section 6.3.2 of the IE notebook "Between applicable to Unit 1, or that late 1984 and mid 1985, all 3 Units were shut down and Unit 1 data should be have undergone substantial changes to equipment, included in the population procedures, and operating and maintenance policies. It for all 3 units. was judged that the old data (prior to shutdown) are not applicable to BFN. Among the changes with the Without more information most significant impact was the 5% power uprate on the data (causes of applied to Unit 1 in May of 2007. The plant SCRAMs scrams, actions to prevent following the shutdown period have been graphed (see future scrams) and Appendix C) to show behavioral trends and determine additional Unit 1 history the time frame that most accurately represents the (performance in present operating conditions for the three units. An 2008/2009), it cannot be uncharacteristically high number of SCRAMs occurred determined whether it is in the year following the restart of Units 1 and 3; for correct to exclude Unit 1 this reason the data collection period has been limited data and/or apply Unit 2/3 to the years from 1997 through 2007, excluding data data to Unit 1. from Unit 1."

Also stated in Section 6.3.2.1 "All three units are similar in design (with respect to initiating events) and Unit 1 will be operated with the same procedures and management philosophy as the other units. Units 2

and 3 have established a significant operational history to assist in the development of appropriate initiating event frequencies for use in the plant PRA models. Due to the fact that Unit 1 has been out of service since 1985 there is not significant operational history. Hence, Unit 2 and Unit 3 data through December 2007 are pooled to form a pseudo plant specific database for Units 1, 2 and 3."

An assumption/uncertainty is also included which states "All three BFN units are similar in design (with respect to initiating events) and will be operated with the same procedures and management philosophy as the other units. Thus the Unit 2 and 3 combined data are used for all BFN units to calculate the initiating event frequency in the model."

Additional Unit 1 history (performance in 2008/2009) was not utilized because it was not available during the update of the IE notebook. During the next revision of the IE notebook this data will be re-evaluated to include data from Unit 1 which does not represent a "learning period".

The following discussion has been included in the IE notebook in section 6.3.2:

BFN Unit 1 was essentially a new plant following restart in May of 2007. It was shutdown for over 20 years and had a great deal of equipment replaced for the restart.

BFN Unit 1 had 5 scrams in the first 4.5 months of operation. According to NUREG/CR-5750, the learning

period for new plants should be excluded when calculating initiating event frequencies.

Tables 8, 9, and 10 (of the Basis for Significance: Attachment 5 is created and added to the Data Analysis Data Notebook) list the Without the raw data there is no Notebook. The attachment contains a summary of plant-specific, generic, and way for a reviewer to validate the number of planned unavailability hours, unplanned estimated unavailabilities correctness of the plant-specific unavailability hours, total unavailability hours, required used in the model. maintenance hours and number of estimated maintenance events.

However, the raw data used to calculate the Possible Resolution:

unavailabilities in Table 8 Provide in an appendix the raw are not documented. data used to calculate the plant-specific maintenance unavailabilities.

5-3 The data analysis does not Basis for Significance: The plant-specific raw data was reviewed to identify appear to consider outlier The inclusion of outlier any outlier components; none were found. Discussion components. components can incorrectly was added to section 6.1.4 as an additional bullet.

impact the failure rate assigned to a component group. Such outlier components should be placed into a separate suitable component group.

Possible Resolution:

Add to Section 6.1.4 of DA.01 a discussion of how outlier components were analyzed. If outlier components were not analyzed, then add such a discussion and perform the required analysis.

DA.01 does not discuss Basis for Significance: Additional discussion related to Tech Specs for shared Technical Specifications of Changes in T/S requirements can systems was added to section 6.2.5. Coincident shared systems changing have an impact on the calculation maintenance events were addressed by reviewing work due to maintenance of T/M unavailabilities. week assessments as described in section 6.2.5 of the activities. Data notebook.

Possible Resolution:

Analyze and document the impacts of T/S changes in shared systems due to test and maintenance activities.

5-5 Section 6.3.2.4.1 of the Basis for Significance: A qualitative argument was added to the Accident Accident Sequence Analysis The omission of this sequence Sequence Notebook. It essentially says that the states that if Alternate Rod could result in an incorrectly-low frequency of an ATWS induced non-ATWS LOCA is less Insertion succeeds and CDF or cause the analyst to miss than the ASME standard recommended cutoff of 1E-7 either the recirculation important insight about the event. /yr.

pumps fail to trip or the SRVs fail to open, then a Possible Resolution:

non-ATWS LOCA occurs Either model the sequence which is not modeled in the explicitly or qualitatively justify its PRA. While this new LOCA omission in the Accident Sequence might be quantitatively Analysis.

insignificant, no qualitative argument is made to justify its omission.

5-7 Control power for the Priority 1 because model change is Control power was placed under pump start gates for RHRSW and RCW pumps is required. all pumps and air compressors where it was currently modeled such that determined that control power was not necessary to failure of control power will Basis for Significance: maintain a running pump.

result in failure of the - Currently the model pumps to continue running. overestimates the dependency on Typically, control power is control power.

only needed for starting the pump. Possible Resolution:

Move the DC control logic under the gate associated with RHRSW and RCW pump start. Review this also for other normally running pump fault trees.

6-1 HRA Method (Section Basis for Significance: Median values have been converted to mean values 6.2.2.1) applies ASEP values Systematic Error in determining and Table 5 has been updated to add the mean values.

as though they are mean the probability of HEPs using ASEP values. ASME Inquiry 08-506 on this says this is not Possible Resolution:

acceptable, and the values Apply ASEP method assuming the should be treated as Median point estimates are Median values Values.

CCF for Battery Chargers is Basis for Significance CCFs were not included in fault tree initiating events not included in the Initiating Can affect the loss of DC initiating with year-long mission times. As stated in Support Event Fault Tree for loss of 2 events by a factor of 10, System Initiating Events: Identification and DC buses, other than for the depending on how CCF is Quantification Guideline. EPRI, Palo Alto, CA, and U.S.

standby chargers (not in the calculated. Nuclear Regulatory Commission, Washington, D.C.:

yearly failure rate logic). 2008. 1016741: Current models and data for common Possible Resolution cause failure (CCF) of operating components are often Include CCF under the yearly based on minimal data that have been evaluated and failure rate logic or as a top event developed for use in a post-initiator, 24-hour mission for all loss of DC initiating events. time model (which typically involves some conservatism). While the conservatism may be acceptable for a 24-hour mission time, extrapolation of this data to model common cause failure frequencies for the year-long mission time used in initiating event modeling often results in frequencies exceeding those observed in industry experience.

Based on the above recommendation, CCF of battery chargers has not been added to the yearly failure rate logic in the Loss of 2 DC bus initiating events fault tree.

No changes to the model or the documentation are required.

6-11 For a multi-unit LOOP, Basis for Significance: The BFN PRA model has been updated to fail the cross-crosstie to another unit's Model change to remove the tie from the other unit's power when the IE is a multi-power is credited, even credit to electrically crosstie to unit LOOP. This was done by adding the multi-unit though the other unit is in a another unit would result in a CDF LOOP IE underneath gates Ux_SDREC_A, Ux_SDREC_B, LOOP and cannot provide increase for all three Ux_SDREC_C, and Ux_SDREC_D where x is 1, 2, or 3 power. designating the applicable unit. The unit Possible Resolution: differences/assumptions section of the EDG notebook Modify the model to account for has been updated to reflect this model change.

multiple unit LOOP events.

The impact of Surveillance Basis for Significance: The impact of surveillance procedures for the CS and Procedures is not included Unknown impact on the ISLOCA RHR injection paths are addressed in the third and in the ISLOCA Calculation. Frequency, without analyzing the fourth paragraphs of Section 6.3.1.7 of the ISLOCA For example, for Core Spray, specifics of the site procedure. If Notebook. The fourth paragraph and remaining Surveillances in the CS the procedure has the operator paragraphs of this section addresses the methodology Notebook indicate an MOV check downstream pressure (etc.) used to address the quantification of the surveillance opening every 92 days. The prior to opening the MOV, likely test impact.

likelihood of an ISLOCA there is minimal impact. However, during this MOV test is not given the ISLOCA has a large calculated in the ISLOCA IE impact on LERF, the impact could Fault Tree, including the be significant.

sequence where the check valve would have previously Possible Resolution:

failed prior to the Include the impact of Surveillance surveillance. Procedures in the ISLOCA Analysis.

6-16 The frequency of intake Basis for Significance An intake plugging event that causes a three unit scram plugging included in Changes in the values will have a and fails RCW was developed from plant specific data.

calculation for %1INTAKE significant impact on the overall This event was incorporated in the MOR and discussed calculation appears to have CDF results. in the initiating events notebook and the RCW no basis. %1INTAKE is the notebook. The event was also added to the accident most risk significant Possible Resolution sequence notebook.

initiating event, and the Provide a plant-specific basis for likelihood of an intake the frequency of intake structure blockage is a direct input to plugging.

the frequency calculation.

6-17 System models do not Basis for Significance: The write-up in the system notebooks discussing the appear to incorporate Review of experience from BFN level of SER, OER and LER reviews has been enhanced.

operating experience in and other plants does not appear There is no requirement in the ASME standard that developing the fault tree to be used in developing the fault requires a detailed listing or discussion of the generic or logic. RHR Service Water tree system logic or data. In some plant specific experience reviewed.

operating experience does cases, review of BFN OE is not not appear to be complete included in the notebooks.

or reviewed. HVAC Notebook says LERs and Possible Resolution:

OER was reviewed, but none Expand operating experience are listed (no evidence of review and account for any the review). Similarly for lessons learned in the PRA model.

120 VAC and others. CRD Notebook includes only a discussion of the BFN Fire, but no review of OE is presented.

HFEs are included in the Basis for Significance: The level control logic under Gate UxCND_G1i was System Models that do not The 0.1 screening appears to be improved to better accommodate the human action.

appear to be possible, given applied systematically, without the developed logic. For review of whether the operator Gate U3_IVOG72 models the operator allowing the example, HFA_0002RPV LVL action is possible. level to drop below the MSIV closure setpoint during an is included in the gate ATWS without bypassing the closure setpoint as U3_CND_G1i, even though Possible Resolution: directed by procedure. These actions are anded with logic under the AND gate Review HRA application of 0.1 the RPS failure so they will only be considered during would result in failure of screening, to ensure the HFEs are an ATWS. All three of these events have to happen for condensate which would possible for all possible logic the MSIVs to close (without hardware failure) during an not be recoverable. See also (under each AND gate) prior to ATWS. The current logic is correct.

gate U3 IVOG72 where the applying a 0.1 probability.

operator actions may not be Flood event %11F-TB-CW fails plant air and other possible, depending on the portions of the main condenser and condensate system failures in the system. The action HFA_0032MSIV_N2 models the cutsets. Also, event operator establishing Nitrogen backup to the outboard HFA_0032MSIV_N2 may not MSIVs in the event plant air fails. The flood fails PCS be applicable for sequences making the action moot; the flood initiator was involving %21F-TB-CW, removed from the logic.

which come up through gate U3_MSIVOTBD No other logic issues relating to HFE's with a .1 screening value were found.

Basis for Significance Screening of the loss of HVAC initiating event is based event is screened, based on Modeling changes have resulted in upon the current HVAC system notebook. Discussion of the 1995 PRA of the event. HVAC becoming one of the top 5 the 1995 PRA model was included to add additional It appears the model and systems in the present PRA. Based insight into the impact of loss of HVAC. Discussion of the assumptions for loss of on this, a loss of HVAC initiating the 1995 PRA model has been removed from the IE HVAC have changed, and event is likely to be significant as a notebook to avoid confusion in the future.

loss of HVAC as an initiating contributor to core damage, and event should not be should not be screened. The HVAC system notebook states "It is not expected screened. that failure of any of these systems will cause a scram Possible Resolution due to the long time available to repair them, provide a Add Loss of HVAC initiating events backup, or provide alternate room cooling.

to the analyzed events for the Additionally, many of the systems cool areas that do PRA. not have high heat loads during normal power operations or do not have equipment necessary for normal operation."

The IE notebook has been updated to state "The loss of important HVAC systems is well annunciated, and heat up calculations show that there is ample time for the operators to restore HVAC or take procedurally guided steps to prevent unnecessary isolation or SCRAM.

Additionally, many of the systems cool areas that do not have high heat loads during normal power operations or do not have equipment necessary for normal operation. For additional discussion see the BFN PRA HVAC system notebook."

This meets ASME standard IE-C4 part c screening criteria which states "the resulting reactor shutdown is not an immediate occurrence. That is, the event does not require the plant to go to shutdown conditions until sufficient time has expired during which the initiating event conditions, with a high degree of certainty (based

on supporting calculations), are detected and corrected before normal plant operation is curtailed (either administratively or automatically)."

Event STRPLISTIN_0750664, Basis for Significance: The strainer plugging event was added for MLOCA. All CS Suction Strainer Plugging, Affects multiple Initiating Events. SRVs discharge directly to the suppression pool, so a is only assumed for Large Pre-existing material in the Torus stuck open SRV could not dislodge material from the LOCA in the Model. The can also affect the strainer drywell.

phenomenon causing plugging likelihood.

plugging is not limited to large LOCA only, and is Possible Resolution:

possible on Medium LOCA, Include CS Suction Strainer failure SRV opening, etc. A question for all applicable LOCA events, was asked to the analyst on including SRV lift events. It is this, and the reference to possible to use different plugging the absence of permanently likelihood values for each LOCA installed air filters or other size.

sources in the drywell.

However, the debris, if present, would be swept into the suction strainer by any LOCA.

6-22 The Timing used for Basis for Significance: This action has been removed from the model.

recovery of Clogged Intake appears to be based on results.

rough estimates, and without statistical basis, Possible Resolution:

such as historical Provide better basis for the intake information. A question was recovery HFE.

asked to the system analysts, and the response was that additional review of the basis is needed.

Additionally, the credit for recovery, including the use

of extra crew does not appear to be supported (does the procedure usually involve more than 1 crew member, and would that extra crew be supporting the initial operator or performing other actions).

6-25 Event HFA_3003 P_START_A Basis for Significance: The human action HFA_3003PSTARTA is used in does not appear to be Significance is unknown, since every situation where a feedwater pump has to be applied correctly in the model modification is required in started. One of those cases is where the pump is model. A question was order to determine the impact. running and is tripped due to excessive feedwater flow.

asked of the analysts on the It is assumed the pump can still be operated but must logic, and the response Possible Resolution: be restarted. This gate is OR'd with a gate where the referred to gate Remove the requirement for feedwater pump is not running and either has to be U3_FWH_INIT for events excessive FW events only when started or is in T&M. This Human Action is used in that were FW recovery is not applying the HFE. tree also. There is no incorrect logic with this human credited. However, the logic action. No changes are necessary.

under gate U3_FWHG50 limits the operator failure event to only excessive FW events; resulting in no failures coming through for other events where FW is credited.

6-26 The post-processing of HEPs Basis for Significance: The combination analysis has been revised to include appears not to account for Systematic issue with applying additional combinations. Results documented in the all dependencies in the dependencies. Likely if all HRA notebook.

HFEs. Numerous cutsets dependencies were accounted for, contain Combo events as the CDF would significantly well as other events post- increase.

processed into the cutsets.

A question was submitted Possible Resolution:

to the Analyst, but the Recommend revising combination independence of all analysis to include additional combinations in the cutsets combinations that appear in the was not documented in the cutset results.

HRA notebook.

6-28 Basis for operator action Basis for Significance: HFA_0085ALIGNCST is used in fault trees for medium time (30 min) for Event provides over 5% of CDF. LOCA sequences. Thus, timing analysis has been HFA_0085ALIGNCST appears revised to reflect medium LOCAs. Two separate MAAP to be roughly estimated, as Possible Resolution: cases documented in the BFN Thermal Hydraulic is the time available (7 Provide a more accurate Notebook (SC.02) are applicable and were considered hours). assessment for the timing for to define the total accident time window: MAAP HFA_0085ALIGNCST. CASE03 shows CST depletion at 5.8 hrs and MAAP CASE04 shows CST depletion at 6.9 hrs. The total time window has been reduced to 5.8 hours based on the limiting MAAP case.

6-30 Dependencies between Basis for Significance: In general, dependencies between operator actions operator actions appear to Systematic error affecting around have been derived within the rules outlined in the HRA be non-conservatively 1/2 of the combo events, including Calculator. In one case, the dependency rules have applied. Mainly, the Zero combo 18. been over-ridden by a user defined rule. In this Dependence (ZD) between particular case, a note was added stating the reason for actions is commonly Possible Resolution: the over-ride.

applied, simply when one of Correct dependency analysis in the actions takes longer the HRA. "Need to depressurize would arise no less than 2 hr than 60 minutes. What after ability to initiate SPC would no longer permit use appears to be the mistake is of HPCI/RCIC after CST depletion." This statement is applying the last event tree under the dependency event tree and occurs for node in the Dependency combinations of HFA_0074HPSPC1, Failure to align RHR Event Tree. In this tree, if for suppression pool cooling (non-ATWS/IORV) and the stress of either HFE is HFA_0001HPRVD1, Failure to initiate reactor-vessel moderate or high, the upper depressurization (transient or ATWS). The timing for leg of the event tree is used. the cues implies that there should be a complete So for combo 2, the HRA dependence, however the timing for HFA_0074HPSPC1 assumes ZD, while the event occurs over 5.4 hours and therefore there is no time tree would designate Low dependence. The cue comes in, but the required action Dependency. has such a long time in which to be accomplished, there is no dependence, hence zero dependence was manually chosen. The note in the calculator is sufficient to address the issue and the HRA notebook addresses this in section 6 just prior to section 7, conclusions.


6-34 Bistable failure rate is Basis for Significance: New type codes have been created for level controller applied to the following Failure rates for level controller fails on demand (LVCFD), flow controller fails on events: LEVEL CONTROLLER and flow controller are higher demand (FLCFD), and analog trip unit fails on demand FIC 71-0036A FAILS, HPCI than for bistable. (ATUFD). The new type codes use data for process logic FLOW CONTROLLER FIC 073- fails on demand (mean = 6.25E-04) instead of bistable 0033 FAIL, ANALOG TRIP Possible Resolution: fails on demand (mean = 5.44E-04). Common cause UNIT LS-3-208A FAILS TO Use the Level Controller, Flow groups Ux 00304BISFD8 (where x is the unit number)

ACTUATE controller and trip unit values have been renamed to Ux_00304ATUFD to reflect that ON DEMAND (and others). from NUREG/CR-6928 for these these common cause groups consist of analog trip events in the DB. units.

6-35 Assumptions in each system Basis for Significance: Assumptions made in the system notebooks were notebook are not Sources of uncertainty are used in summarized in the Assumptions section.

summarized in the the quantification of the final assumptions section. For results and are later used in example, in CRD notebook, applications.

the excluded components section is not summarized in Possible Resolution:

the assumptions section. As Review the assumptions listed in such, the system notebooks other parts of the system typically contain few notebooks, and add these to the assumptions. Assumption and Uncertainty Section of each system notebook.

Break Frequencies ISLOCA is a significant contributor were expanded to include calculation details for the calculated for the analysis to LERF ISLOCA break frequencies assuming a temperature of appear to be too low, in 600F.

comparison with other Possible Resolution:

plants. From NUREG/CR- Revise the conditional pipe break 5102, Appendix F, Table 2, frequencies to match industry the RHR and CS piping accepted values, based on use of would generally get a failure RCS temperature in the CS and probability of 2.65E-02 and RHR piping. Benchmarking of 2.54E-03 respectively. Other other plant methods and values reference documents used may be useful here. Include the should get similar results. overpressure/pipe break analysis The BFN analysis is (excel spreadsheet) as a part of supported by an Excel the reviewed system notebook.

Spreadsheet for the overpressure estimate, and this analysis is not included in the system notebook. In the excel spreadsheet it appears the temperature assumed for the CS and RHR analysis assumes room temperature, whereas full RCS temperature is more appropriate.

6-41 Fuel oil transfer pumps to Priority 1 is given because a model NUREG/CR-6928 states that the EDG boundary is the refill the day tank are not is required. following:

part of the EDG boundary in NUREG/CR-6928. Basis for Significance: "The EDG boundary includes the diesel engine with all Issue with EDG Component components in the exhaust path, electrical generator, Boundary. generator exciter, output breaker, combustion air, lube oil systems, fuel oil system, and starting compressed air Possible Resolution: system, and local instrumentation and control circuitry.

Add separate failure of fuel oil However, the sequencer is not included. For the service transfer to the EDG Fault Tree water system providing cooling to the EDGs, only the Model. devices providing control of cooling flow to the EDG heat exchangers are included. Room heating and ventilating is not included."

The "fuel oil system" is interpreted as up to the fuel oil day tank including the fuel oil transfer pumps. Each EDG at BFN has a 550-gallon day tank that provides enough fuel to operate for 2-1/2 hours at full load. Fuel is then transferred from the 40,000-gallon 7-day diesel

-storage tank with the diesel fuel oil transfer pump to continue operation. There is one 40,000-gallon 7-day diesel storage tank for each diesel generator and it is included in the diesel generator boundary. The pumps that transfer fuel from the yard storage tank are outside the boundary and are not considered in the model.

Finding: PRA Process includes discussion of PRA model changes, ASME Requirements, etc. However, there is not a requirement that the PRA update be performed in accordance with the previously defined SRs.

Basis for Significance: Review of NEDP-26 does not include any requirements on the PRA model changes.

Possible Resolution: Recommend adding a statement to NEDP-26 that the changes should be performed to a similar technical level as the original analysis, ensuring the Capability of the PRA remains at a minimum to the same level of the original PRA.

Disposition: MU-B3: "PRA changes shall be performed consistent with the previously defined SRs"

Section 3.3 of NEDP-26 states: NPG PRA Updates shall follow the guidelines established by the ASME RA-S-2002 Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications for a minimum of a Category II assessment.

Section 1-5.4 of ASME RA-Sa-2009 does not state or indicate that PRA changes are to be performed consistent with previously defined SRs. Given the statement in Section 3.3 of NEDP-26 we meet the statement: Changes to a PRA due to PRA maintenance and PRA upgrade shall meet the requirements of the Technical Requirements Section of each respective Part of the ASME PRA Standard.


6-46

Finding: NEDP-26 requires models to be updated every other refueling cycle or sooner if estimated cumulative impact of plant configuration changes exceeds +10% of CDF. There is no requirement to perform updates when the risk impact is negative (a risk reduction).

Basis for Significance: Risk reductions can have significant impacts to PRA applications.

Possible Resolution: Modify requirements to + or - 10% or provide separate guidance of when to modify the PRA when the PRA results are going down.

Disposition: NEDP-26 Section 3.3 has been updated to state that +/- 10% of CDF or LERF.

6-47

Finding: NEDP-26 requires models to be updated every other refueling cycle or sooner if estimated cumulative impact of plant configuration changes exceeds +10% of CDF. There is no requirement to update when the LERF model is impacted.

Basis for Significance: Changes in LERF can impact risk applications.

Possible Resolution: Add LERF requirements to the change and update process.

Disposition: NEDP-26 Section 3.3 has been updated to state that +/- 10% of CDF or LERF.

6-48

Finding: In the ISLOCA Analysis, Table 6-22 is applied to Check Valve Leakages. The factors (e.g. leak >600 gpm) are applied to Check Valve internal leak, large, from NUREG/CR-6928. The data in 6928 already includes a reduction from small leak (1.48E-06/hr) to large leak (2.96E-08/hr). The application of an additional severity factor developed from a separate set of data is inappropriate, and double counts the large to small leak severity factor ratio.

Basis for Significance: ISLOCA is significant for LERF considerations.

Possible Resolution: Remove credit for severity factors applied using Table 6-22 of the ISLOCA Notebook, including events U*_ISLV41, 42, 43 events and other similar events.

Disposition: The events on Table 6-22 are described in Section 6.3.4.3 of the ISLOCA Notebook.

Table 5-1 of NUREG/CR-6928 indicates that a small check valve internal leak is between 1 and 50 gpm and a large check valve internal leak is greater than 50 gpm. The frequency of a large check valve internal leak is 0.02 or 2% of the frequency of small check valve internal leak.

Figure 6-18 of the ISLOCA Notebook indicates that the frequency of a check valve internal leak greater than 50 gpm is approximately 3.0e-08/yr. This is relatively close to the NUREG/CR-6928 frequency of 2.96e-08 for large check valve internal leak. It is concluded that Figure 6-18 can be used to calculate the conditional probabilities on Table 6-22.

Section 6.3.4.3 of the ISLOCA Notebook addresses the methodology used to calculate the values on Table 6-22. The conditional probabilities were calculated by dividing the mean frequency of exceeding 600 gpm by the mean frequency for exceeding the relief capacity of the ISLOCA path. The relief capacity of the ISLOCA path translates to a check valve leakage ranging from 52 gpm to 267 gpm, which corresponds to a large check valve internal leakage, as defined in NUREG/CR-6928.

It is therefore concluded that it is valid to use the NUREG/CR-6928 frequency of 2.96e-08 for large check valve internal leak in the model combined with conditional probabilities provided on Table 6-22.

This is not a valid F&O.

6-49

Finding: The %1INTAKE initiating event is modeled in a simplistic manner, and does not appear to represent the expected plant and operating response. On the conservative side, the plant in many instances can reduce power to extend the time to clean the screens. On the non-conservative side, there are possible events that operator actions (cleaning the screens) will not prevent plugging, given a very large amount of material plugging the intake. Additionally, some events could break through the screens causing plugging of the system (Hx, strainers, or pumps). The above events have actually occurred at other plants.

This F&O is given a Priority 1 since model changes are required for the Intake Plugging event.

Basis for Significance: %1INTAKE is the number 1 CDF and LERF contributor.

Possible Resolution: Modify the model to include the factors that affect risk, including power reductions, screen breakthroughs, operator actions causing screen breakthroughs, and the likelihood that an event would occur where cleaning activities will not prevent plugging. Other plants have typically assumed a single CCF event (much lower in frequency) for plugging of all intakes, where operator response for cleaning is not possible, but with other sequences where partial plugging occurs.

Disposition: An intake plugging initiator that scrams all three units and fails RCW was developed from plant specific data. This initiator replaces the current initiator estimate and operator actions in the model. A conditional probability event of the RHRSW/EECW system failure due to intake plugging was developed that replaces the human action in the model. The model, along with the AS notebook, IE notebook, RCW notebook, RHRSW notebook, and EECW notebook are changed accordingly.

Finding: The calculation of HPCI Steam Lines breaks (IE Section 6.2.3.8) does not appear to be reasonable, using older EPRI data and Wash-1400 data. The resulting steam line break calculated is 4.55E-10/year, which does not compare with results from other plants. Using newer data, the pipe break frequencies would likely be 2-orders of magnitude higher.

Additionally, although the isolation valves may be available to eventually isolate the break, the impact of the break may have already occurred prior to isolation.

Also, the generic MOV FTC value (from NUREG/CR-6928) in Data Table 4 is 1.07E-03/demand.

Finally, the CCF probability used should be changed to the HPCI MOV FTC, with Alpha = 1.41E-02.

Basis for Significance: Pipe break in the HPCI line can affect RCIC and many other components, due to the HPCI pump being open to other areas. The modeling as documented does not provide basis for screening, and if reperformed, the analysis will likely result in orders of magnitude increases here.

Possible Resolution: Consider including a HELB for HPCI in the PRA. Also, look at the impact of the HPCI analysis with respect to the RCIC.

Disposition: The newer revision of the EPRI pipe rupture frequency data has not been made available to the public. The steam line break calculations will be revised and new data incorporated at the time the document is released.

DCD BFN-80-707 R19 states: Temperature detectors shall be located in the HPCI equipment area and shall initiate isolation before ambient room temperature reaches the Environmental Qualification (EQ) temperature limits for safety related devices located in this area. This statement with a reference to the HPCI Design Criteria Document has been added to the IE notebook.

The generic MOV FTC value of 1.07E-03/demand is now utilized.

The HPCI MOV FTC CCF probability has been updated to the value of 1.41E-02.

The updated HPCI Steam Line Break value is 1.97E-09/year. However, this does not change the conclusion of the IE notebook to not include this IE in the BFN PRA model.

Finding: Some of the MOVs credited in the ISLOCA Fault Tree are not tested to close against full DP. These MOVs are not originally included in the design as RCS isolation valves. Examples include 74-55 and 74-66 (note: this is not a complete list, but 2 of 4 valves reviewed were not in the MOVATs 89-10 program).

Basis for Significance: MOVs closing for ISLOCA are risk significant, with a RAW of greater than 2.

Possible Resolution: Do not credit MOVs in the ISLOCA without verification the valves will close against full DP of RCS pressure.

Disposition: Credit for MOV closure for isolation during an ISLOCA event is based on alarm procedural actions to reduce RCS pressure as RCS inventory is discharged through the break. Reduced differential pressure across the MOVs allows for ISLOCA isolation prior to flooding the ECCS pumps. This clarification was added to the second paragraph of Section 6.3.4.5 of the ISLOCA Calculation Notebook.

The following alarms are in the control room on Panel 1-9-3:

Path                      Pressure Sensor   Trip Point (psig)   Panel Alarm
Core Spray Discharge I    PS-75-24          400                 PA-75-24
Core Spray Discharge II   PS-75-52          400                 PA-75-52
RHR Discharge I           PS-74-51          400                 PA-74-51
RHR Discharge II          PS-74-65          400                 PA-74-51
RHR Suction               PS-74-93          100                 PA-74-51

The alarm response procedures correctly identify the ISLOCA initiating paths as the probable cause and direct the operators to verify pressure on Panel 1-9-3. Then, the alarm response procedure for PA-75-52 directs the operators to perform the following:


- CHECK 1-FCV-75-53 and 1-FCV-75-54 closed, on Panel 1-9-3.

- REDUCE pressure by cycling CORE SPRAY SYS II TEST VALVE, 1-FCV-75-50.

- If alarm returns, CLOSE CORE SPRAY SYS II OUTBOARD INJECTION VALVE, 1-FCV-75-51 to protect low-pressure piping.

- REFER to T. S. 3.5.A.

The response for PA-75-24, core spray system I, is similar to the above. The response for PA-74-51 refers to 2-01-74. If high pressure is on one of the discharge paths, the operators are instructed to throttle open the suppression pool path. The procedures do not instruct operators to close the outboard injection valves to protect low-pressure piping. If high pressure is not indicated in either discharge path, the operators are instructed to check RHR suction by requesting maintenance to connect a hose (1-1/4 inch) from the discharge of 1-74-666 (SD CLG SPLY HDR TEST) and then open 1-74-666 and crack open 1-74-665.

Whether the leak is large (rupture with large initiator leak) or small (rupture with small initiator leak or no rupture but leakage > GLP) affects the plant response and determines the time required to flood the pumps in the reactor building. The relief valves discharge to sumps (CRW) in the reactor building corner rooms on Elevation 519'. There are temperature and level alarms in the control room. In fact, these alarms are entry conditions to the emergency operating instructions, which direct the operators to identify and isolate the leak as well as scram the reactor if required.

Finding: RWCU Break Frequency uses the HPCI break calculations, which includes closure of the isolation valve. In the discussion, it says a leak in the HX causes isolation. However, breaks elsewhere would not. Therefore, the HPCI calculation is not applicable. RWCU Line Case 3: Additionally, please provide justification that the isolation valves will be closed prior to flooding or steam damage to the surrounding area.

Basis for Significance: RWCU is at the bottom of the vessel and could result in core uncovery if unmitigated.

Possible Resolution: Revise RWCU initiating events analysis.

Disposition: Leak and break detection is provided in the area of the RWCU piping and components. According to OPL 171.013 Rev 17, leak detection is provided in the following areas: Main Steam Tunnel, Pipe Trench, "A" Pump Room, "B" Pump Room, East Wall Hx Room, and West Wall HX Room. There are 4 temperature switches in each area for a total of 24 temperature switches. Actuation of any two of the temperature switches will cause actuation of RWCU isolation valves FCV-69-1 and FCV-69-2 (as well as the return valve FCV-69-12). Based on this information, the HPCI analysis cases 1 and 2 do apply to the RWCU HELB analysis as described in the Initiating Events Analysis Notebook. This is stated in the notebook as: The RWCU isolation valves are closed by the following signals:

- Low reactor water level (level 3) to protect the core in case of a break in RWCU System piping or equipment.

- High temperature in areas occupied by RWCU equipment and piping to isolate system in case of a piping break.

- Standby Liquid Control System initiation to prevent removal of the boron by the ion exchange resin.

- High temperature at the outlet of the NRHX (140°F, TIS-69-11) to protect the ion exchange resin from damage due to high temperature. An alarm is provided on Panel 9-4 from TIC-69-10.

- Loss of RPS A will result in an inboard and outboard Group 3 (RWCU) isolation. Loss of RPS B will result in an outboard Group 3 (RWCU) isolation.

For RWCU case three, the RWCU system DCD states the RWCU isolation valves are environmentally qualified.

The RWCU isolation valves are the only credited PRA component in these rooms. Therefore, no changes to the documentation or the model are required.

Finding: Experience does not appear to be reviewed in determining new failure modes that may leave equipment unavailable. For example, HPCI notebook, 3.2.6.1 includes LER 260-2003-02. The experience appears to be relevant but does not appear to be treated further. Similar issue with RCIC notebook experience. See also F&O on some system notebooks not including detailed discussion on OE.

SR is not met.

Basis for Significance: Appears to be a systematic error for all systems.

Possible Resolution: Add a review of plant specific or generic events involving human errors to see if anything additional is identified.

Disposition: LER 260-2003-02 involved a poor connection that resulted in isolation of the HPCI steam supply due to a sensed high steam flow. This is not a new failure mode and should be included in the HPCI fail to run data. The write-up in the system notebooks discussing the level of SER, OER and LER reviews has been enhanced. There is no requirement in the ASME standard that requires a detailed listing or discussion of the generic or plant specific experience reviewed.

Finding: RCW initiating event appears to be incorrectly reduced by factor RCWMTCF for combinations where the reduction factor does not appear to be valid. In particular, the event is applied to cutsets containing common transformer events. Also, reduction factor appears to be calculated incorrectly (1/365)**2.

Basis for Significance: Loss of RCW initiating event appears to be reduced by a factor of 1E-02 from the actual.

Possible Resolution: Correct the fault tree initiating event for Loss of RCW to get correct results.

Disposition: The rule-based recovery file was modified to address different conversion factors based on specific events with annual exposures in the cutsets as follows:

ADD RCW CONVERSION FACTOR

RESET
    • CLEAR RECOVERY FLAGS**
    • MAX RECOVERIES** 1
    • CHANG EEVENTS* * +RCWMTCF1 -RCWMTCF

%ILRCW XRFFR1OXF_23600011E RCWMTCF SUMMER PROB

%1LRCW XRFFR2OXF 23600021E RCWMTCF SUMMERPROB

%1LRCW XRFFR3OXF 23600031E RCWMTCF SUMMER PROB

    • CHANGEEVENTS** +RCWMTCF2 -RCWMTCF

%1LRCW XRFFR10XF_2430001BIE RCWMTCF

%1LRCW XRFFR20XF_2430002BIE RCWMTCF

%1LRCW XRFFR3OXF_2430003BIE RCWMTCF

%1LRCW XRFFR1OXF_23600011E RCWMTCF SPRINGFALLPROB

%lLRCW XRFFR2OXF_23600021E RCWMTCF SPRINGFALLPROB

%1LRCW XRFFR30XF_23600031E RCWMTCF SPRINGFALLPROB

    • CHANGEEVENTS** +RCWMTCF3 -RCWMTCF

%lLRCW RCWMTCF

    • CHANGEEVENTS** +RCWMTCF1 -RCWMTCF

%2LRCW XRFFR1OXF_23600011E RCWMTCF SUMMERPROB

%2LRCW XRFFR20XF_23600021E RCWMTCF SUMMERPROB

%2LRCW XRFFR3OXF_23600031E RCWMTCF SUMMERPROB

    • CHANGEEVENTS** +RCWMTCF2 -RCWMTCF

%2LRCW XRFFRIOXF_2430001BIE RCWMTCF

%2LRCW XRFFR20XF_2430002BIE RCWMTCF

%2LRCW XRFFR30XF_2430003BIE RCWMTCFSPRINGFALLPROB

%2LRCW XRFFR20XF_23600021E RCWMTCF SPRINGFALLPROB

%2LRCW XRFFR30XF_23600031E RCWMTCF SPRINGFALLPROB

    • CHANGEEVENTS** +RCWMTCF3 -RCWMTCF

%2LRCW RCWMTCF

    • CHANGEEVENTS** +RCWMTCF1 -RCWMTCF

%3LRCW XRFFR1OXF_23600011E RCWMTCF SUMMERPROB

%3LRCW XRFFR20XF_23600021E RCWMTCF SUMMER PROB

%3LRCW XRFFR3OXF_23600031E RCWMTCF SUMMERPROB

    • CHANGEEVENTS** +RCWMTCF2 -RCWMTCF

%3LRCW XRFFR1OXF_2430001BIE RCWMTCF

%3LRCW XRFFR20XF_2430002BIE RCWMTCF

%3LRCW XRFFR30XF_2430003BIE RCWMTCF

%3LRCW XRFFR1OXF_23600011E RCWMTCF SPRINGFALLPROB

%3LRCW XRFFR2OXF_23600021E RCWMTCF SPRINGFALLPROB

%3LRCW XRFFR30XF_23600031E RCWMTCF SPRINGFALLPROB

    • CHANGEEVENTS** +RCWMTCF3 -RCWMTCF

%3LRCW RCWMTCF

7-5

Finding: Where system models affect the quantification of a CET top event, they are often not included in the model.

Basis for Significance: The model does not appear to explicitly account for the dependencies between Level 1 and Level 2 events as required by this SR.

Possible Resolution: Incorporate the fault trees shown in the documentation into the model in order to capture Level 1 - Level 2 dependencies instead of using single basic events.

Disposition: Fault trees for Level 2 analysis have been added to the CAFTA model and are linked to the Level 1 fault trees.

7-6

Finding: Section 7.1 of LE.01 directly addresses those contributors from the table, but plant specific issues do not appear to be addressed.

Basis for Significance: The SR requires the consideration of unique plant issues.

Possible Resolution: Include discussion of plant specific issues that may contribute to LERF.

Disposition: There were no plant specific contributors to LERF identified.


Finding: The definition of Early appears to be inconsistent and may eliminate some scenarios from consideration for LERF.

Basis for Significance: Definition of the timing of accident sequences determines whether a sequence can contribute to LERF. Timing from accident initiation will be different than timing from declaration of General Emergency.

Possible Resolution: Clarify the timing definition used and include information that shows the timing used for each scenario or group of scenarios based on the MAAP calculations.

Disposition: Sections 6.1.2 and 6.1.3 have been added to the LERF notebook to clarify the timing definition used and include information that shows the timing used for each scenario or group of scenarios based on the MAAP based calculations.

II-tV-A5b-UJt

Finding: For flooding events that cannot result in the "major flood" scenario due to limit in the flood source system inventory, the portion of the piping system failure frequencies for "major flood" should be combined with the "flood" scenario. In this case, only the "flood" impact should be modeled.

For example, the total frequency for the RBCCW flood on El. 593' or El. 565' of Reactor Building (derived from the total piping system failure frequency) was split into three portions based on the possible spill rate: major flood (> 2,000 gpm), flood (between 100 gpm and 2,000 gpm), and spray (up to 100 gpm). Even though the RBCCW could not cause the impact of a "major flood" because of the limited system inventory, the total flood frequency resulting from failure of the RBCCW piping system should be accounted for in modeling the RBCCW-induced flooding scenario (by combining both the "major flood" frequency and the "flood" frequency for the "flood" scenario) since the RBCCW pipe dimension permits a spill rate in excess of 2,000 gpm.

Disposition: The spray and flood frequencies for all applicable floods was combined.

IFEV-A6-01

Finding: Only generic data is used in the estimation of pipe failure and flooding frequencies including pressure boundary rupture and human-induced breach of boundary. No plant-specific operating experience is accounted for.

Disposition: Browns Ferry has no documented at-power flooding events. This is documented in the Internal Flooding notebook.

IFEV-A6-02

Finding: It appears that the data used for the Circulating Water expansion joint may not be consistent with the latest version of EPRI data as documented in EPRI report 1013141 (Reference 6). Additionally, it is not clear why the analysis did not consider the possibility of "flood" scenario (i.e., leak rate between 100 gpm and 2,000 gpm) for expansion joint failure (no justification was given in the IFPRA notebook). The most recent version of EPRI data represents the "major flood" resulting from expansion joint failure by two separate scenarios: one between 2,000 gpm and 10,000 gpm, and another one greater than 10,000 gpm. However, the BFN IFPRA only has one scenario for "major flood" representing a flood spill rate of more than 2,000 gpm.

Disposition: An assumption was added to the assumptions section to address this. In essence, Browns Ferry is unique in that it has a very large lower area in the turbine building that has to be flooded. This is because the lower areas of all three units' turbine areas are interconnected. Most plants only have to fill the area under a single turbine unit before significant damage is encountered. The time available to detect and mitigate this accident is much greater for Browns Ferry. This same condition also significantly reduces the difference between a "small" major flood and a "large" major flood.

Finding: Generic data was used to estimate the frequency of human-induced flooding scenarios associated with maintenance on the EECW/RCW system [Section 6.5 indicates 2 events for EECW in the Reactor Building (not accounted for in the BFN IFPRA result), while Appendix G indicates 1 event for RCW in the Turbine Building (not clearly documented in Section 6.5)]. Systematic evaluation of all of the systems potentially susceptible to this type of flooding scenarios was not consistently provided.

Maintenance-related human-induced flooding scenarios are highly plant-specific and system-specific.

Using only sparse generic data cannot systematically identify vulnerable areas for human-induced flooding scenarios that may result during power operation; e.g., maintenance of the condenser water boxes (opening of the manways for tube plugging), RBCCW heat exchanger maintenance (opening of the heat exchanger), maintenance of the fire water pre-action/clapper valves, frequent maintenance on the chillers, etc. The description of analysis for operation/maintenance-related flood associated with condenser waterboxes given in the IFPRA notebook indicates that human-induced flood is extremely unlikely because of the local operator monitoring, etc.

However, with the same types of protection, human-induced flooding events resulting from condenser waterbox maintenance have actually occurred in the past at other plants. The description of analysis for operation/maintenance-related flood associated with EECW and A/C equipment indicates that human-induced flood is very unlikely because the system is rarely opened for maintenance and local operator monitoring of the proper isolation of chillers.

However, chiller maintenance is actually a quite frequent event. More thorough and better justifications should be considered, including the size of the possible human-induced leak/flood, etc.

Disposition: The referenced table in section 6-5 was removed and a more detailed write-up provided for treatment of maintenance induced flooding. This write-up also discussed the TB flood example cited in Appendix G.

II-LV-bL-UI

Finding: It appears that not all of the assumptions used in the analysis were documented; e.g., the assumption that the pipe diameters and pipe lengths for the same systems at the same locations are approximately identical among the 3 units was used for some areas, but was not documented.

Disposition: All assumptions have been documented in the Assumptions section.

IFEV-B3-01

Finding: Sources of uncertainty and relevant assumptions associated with potential flood initiating events were not identified consistently. Table 4-1 did not identify sources of uncertainty relative to the flood-induced risk contributors (e.g., frequencies of failure/leakage/rupture from the various flood sources, and other mitigation factors such as door failure likelihood, etc.).

Disposition: All assumptions were listed in the assumptions section. The uncertainty table was expanded to include more discussion on potential uncertainties.

Finding: Operator actions for flood mitigation analyzed are not listed in Table F-1 as stated in Section 6.8. Table 4 in Appendix H provides the description of two actions (i.e., Reactor Building major flood isolation, HFA_0_RXMAJORFLOOD; and isolation of major RCW flood in Turbine Building, HFA_024RCW-M with a HEP value of 1.0). The same HEP for HFA_0_RXMAJORFLOOD is used for all scenarios where this action is applied.

However, no analysis details (e.g., performance shaping factors such as timing, accessibility, etc.) were documented in the IFPRA notebook for either HFE.

Based on a word search, HFA_0_RXMAJORFLOOD was not found in any of the HRA notebooks. It is not clear what instrumentation was relied on for the detection of a flood event and for the identification of the flood source and the location of the breach which are required to determine the specific isolation action to perform (e.g., the specific valves to close for the isolation of the breach).

Disposition: The HRA was better delineated in the flooding report.

IFQU-A6-01

Finding: The effects of flood on the human actions modeled in the internal events PRA that are not directly related to flood mitigation (i.e., isolation of the flood) may not have been considered consistently. Only one human action event (HFAOO74UNITXTIE) is listed in Table 4 of Appendix H. It is not clear if this is the only non-flood human action in the PRA model for which no credit is taken due to the effects of the flood.

Typically, the effects of flood on these human actions may result in either an increase in the HEP (e.g., due to increase in stress, workload, etc.) or failure of the human action (i.e., no credit can be taken for the human action if it is an ex-control room action performed in an area affected by the flooding effects). Additionally, manual isolation action to terminate the flooding scenario may not have been applied to all applicable scenarios where appropriate.

Disposition: The HRA's were better delineated in the flooding report. Non-flooding HAs that could be impacted by flooding events were identified and modified accordingly.

IFQU-A7-01

Finding: The flood-induced CDF and LERF for selected spray scenarios (e.g., such high CDF/LERF contribution scenarios as %IFSIRB565-ECS, %IFS2RB565-RCW, %IFS3RB565-ECS, %IFS3RB565-RCW, etc.) are probably conservative without considering some of the unique characteristics of water spray; e.g., portion of the piping system considered in the calculation of the spray frequency may be outside the spray impact range, equipment within the spray impact range (360°) may not be damaged simultaneously in the same spray scenario due to the directional nature of spray, equipment being sprayed on may not necessarily fail even if the component is not designed for water intrusion proof, etc.

Disposition: Spray floods have been added and refined to more specific areas within the flood area if possible.

IFQU-B8-01

Finding: The derivation of the XINIT input file and the XINIT input information should be presented in the Internal Flood PRA notebook. Table 4 in Appendix H lists the impact of the flood scenarios (i.e., components failed and human failure events). However, the specific model elements affected by these flood impacts and incorporated into the PRA model are not documented in the IFPRA report (e.g., how the effects of the initiating event is modeled in the PRA).

Disposition: Appendix H has been updated to include the basic events that are failed in the PRA model.

IFQU-B2-01

Finding: Description should be provided for each of the top (based on CDF/LERF contribution) flooding scenarios presented in the results section.

Disposition: Descriptions of flooding scenarios are provided in Table 7 of the Flooding Notebook along with CDF and LERF contributions. Discussion of the top CDF/LERF flooding scenarios has been included in the results section (Section 7.0).

IFQU-B3-01

Finding: Sources of uncertainty and relevant assumptions associated with potential flood initiating events were not identified consistently. Table 4-1 did not identify sources of uncertainty relative to the flood-induced risk contributors (e.g., failure probabilities of operator flood mitigation actions, impact of flooding scenarios on the HEPs associated with the non-flood operator actions included in the internal events PRA model, effects of the initiating event group selection for modeling the flooding scenarios in the PRA model, etc.).

Disposition: All assumptions were listed in the assumptions section. The uncertainty table was expanded to include more discussion on potential uncertainties.

IFSN-A10-01

Finding: Flood scenarios resulting from failure of the CST suction lines causing failure of RCIC or HPCI were not enumerated in Tables 6-4, F-1, and Appendix H. Even if the water inventory in each CST is insufficient to cause PRA equipment damage in the Reactor Building basement due to water submergence, some PRA components could still be damaged by spray effects.

Disposition: Analysis shows that at least 500,000 gal is required to flood the RB519 level to a point where equipment is failed by submergence. The CST maximum volume is only 375,000 gal; therefore, this flood cannot fail components due to submergence. Walk downs have confirmed that all of the PRA components in the quads are protected from sprays. The CST flooding scenario is therefore screened. This discussion has been added to section xxx of the report.

IFSN-A10-02

Finding: The use of the pre-action fire water system reduces the likelihood of flooding resulting from failure of the dry pipe segments and spurious actuation. However, failure of the wet pipe segments (i.e., upstream of the pre-action/clapper valves) in the buildings evaluated could still lead to the water spray and submergence effects considering the "unlimited" supply of fire water. The wet pipe segments should be present in the Reactor Building, Turbine Building, and the Control Bay Corridor. No flood submergence scenarios resulting from Fire Water piping system failure are shown in Table 7, Appendix G, and Appendix H. Only spray scenarios resulting from the Fire Water piping system failure in the Turbine Building are considered in Table 7, Appendix G, and Appendix H.

Disposition: Discussions with the BFN fire protection engineer determined that all of the preaction clapper valves for the control bay are in the turbine building. Walk downs provided the pipe lengths and locations for these sections of fire protection piping in the reactor building. Initiators for these RB flood sources have been included. Turbine building elevation 565' is the only area that has the water charged sections of fire protection piping.

IFSN-A10-03

Finding: Consideration, analysis, or documentation of the flood scenarios do not appear to be consistent between the 3 units. For example, the initiating event frequency calculations in Appendix G only include flooding scenarios for Unit 1 and Unit 2 Raw Cooling Water on El. 593' in Reactor Building, while the walkdown sheet in Appendix A documents the Raw Cooling Water lines on El. 593' in the Unit 3 Reactor Building. However, Table 4 in Appendix H includes "major flood" scenarios resulting from Raw Cooling Water piping system failure on El. 593' in the Reactor Building for all 3 units. Additionally, the spray effects were not considered for any of these "spray", "flood", and "major flood" scenarios. "Spray" and "flood" scenarios were screened out even though PRA equipment could be damaged by the spray effects [no probabilistic basis provided to satisfy standard requirement IFEV-A8(b)]. Treatment of the spray effects for EECW line failure on El. 565' in the Unit 1 Reactor Building and for piping system failures in the Reactor Building suppression pool area is similar (i.e., "spray" and "flood" scenarios were screened out).

Disposition: Walk downs were conducted for all three units. Initiators were developed for all three units for both spray and submergence. This was reflected in the body of the flooding report as well as in the appendices in a consistent manner.

IFSN-A10-04

Finding: Inconsistency exists between Table F-1, Appendix G and Appendix H for failure of the Raw Cooling Water piping system in shutdown board room B on El. 593' in Reactor Building. Table F-1 indicates that both "flood" and "spray" scenarios for the RCW line in the shutdown board room B on El. 593' in Unit 1 Reactor Building should be analyzed. However, Appendix H only includes the frequencies for the "major flood" and "flood" scenarios for the RCW line in the shutdown board room B on El. 593' in Unit 1 Reactor Building. Also, Table F-1 indicates that the "spray" and "major flood" scenarios resulting from failure of the RCW piping system in shutdown board room A on El. 621 in Unit 1 Reactor Building are not screened and should be analyzed. However, neither Appendix G nor Appendix H included the analysis of flooding scenarios in shutdown board room A on El. 621 in Unit 1 Reactor Building.

Disposition: The piping in the shutdown board room was found to be drain piping from the roof. The shutdown board rooms in the reactor building have no sources including drains that might allow propagation into the rooms. Documentation has been changed to reflect this.

IFSN-A12-01

Finding: Some of the rooms/zones were qualitatively screened out (in Table 6-4 and F-1) solely based on the consideration of flood submergence (i.e., insufficient flood volume); i.e., without considering the possible damage potential by the spray effects.

Disposition: Sources were located, components identified, and sprays assessed in all flood areas of the reactor buildings, control bay, diesel generator buildings, and the intake pumping station. The turbine building spray was handled differently as discussed in the original flooding report.

IFSN-A12-02

Finding: DG building was screened out because flood damage to the DG equipment would not lead to an automatic reactor scram or immediate plant shutdown (Section 6.4). This does not meet the requirement for IFSN-A12 in which an area is only screened out if flooding of the area would not cause an initiating event and would not cause damage to mitigating equipment. To screen out the DG flood areas in this case, justification should be provided to satisfy PRA standard requirement IFEV-A8(b). Damage to a major component (e.g., DG) due to spray resulting from failure of other equipment (piping associated with other systems such as EECW) is typically not accounted for in the generic and plant-specific random failure rates of the affected component (Assumption 2 in Section 4.1).

Disposition: Flooding in the DG building was evaluated in a manner consistent with the other plant areas. Initiators were included even if they did not cause a plant scram.

IFSN-A12-03

Finding: RHRSW/EECW pump bays in the Pumping Station were screened out because it was determined that there is no PRA impact (Section 6.4 and Tables 6-4 and F-1). However, 3 of these pumps could be damaged if one bay is flooded. In accordance with PRA standard requirements IFSN-A12 and IFSN-A13, this flood area should be retained. Note that PRA standard requirement IFEV-A8(b) may not be applicable since multiple components are involved.

Disposition: Flooding in the pumping station was evaluated in a manner consistent with the other plant areas. Initiators were included even if they did not cause a plant scram.

IFSN-A12-04

Finding: Some of the flood sources in the Reactor Building were screened out (e.g., rupture of EECW piping) because only limited PRA equipment is damaged (e.g., one loop of Core Spray, one loop of RHR, or RCIC) requiring no immediate plant shutdown (and would not cause an automatic scram). See Tables 6-4, F-1, and Appendix H. This does not satisfy the PRA standard requirements IFSN-A12 and IFSN-A13. To allow screening of these flood areas, justification should be provided to satisfy PRA standard requirement IFEV-A8(b).

Disposition: These sources were evaluated instead of being screened. Some of them were screened for other reasons (i.e. all piping in area was insulated or sheathed) after this evaluation.

IFSN-A15-01

Finding: Spray scenario resulting from failure of the RBCCW line was screened out based on the consideration that break is not large enough to cause failure of the RBCCW system and thus will not cause a reactor scram (Tables 6-4 and F-1). This is questionable because RBCCW is a closed loop system with no automatic makeup. Loss of inventory will result in failure of the RBCCW and thus a scram eventually due to impact to its loads.

Disposition: The RBCCW line failures were evaluated further and not screened just because they may not cause a scram.

Finding: Table 6-1 in Section 6.1 is intended to also identify SSCs for each flood area. However, no SSCs are listed in this table. The only section that includes the SSCs by location is in Table 6-3C, Appendix A.2, and Appendix H. However, the flood damage susceptible components listed in Table 6-3C are high level, descriptive (does not distinguish between MOVs/AOVs, etc. and does not include component IDs). Both Table 6-3C and Appendix A.2 only include SSCs for locations that were walked down. Similarly, Appendix H does not include all flood areas either. The information related to SSCs should include the full component IDs (tag numbers), not just the train designation and descriptive name. Selected information collected during plant walkdowns should be documented in Appendix A walkdown sheets (e.g., spray shield, whether the component is located within the spray impact range, etc.).

Disposition: Due to the number of PRA components in the flood areas, they are now delineated in Appendix A and Appendix H of the report. They include the component ID numbers. A component location table, Appendix I, has also been included that delineates, in addition to the component ID numbers, the component locations. The main body of the report was changed to reflect this.

Finding: The effects of high energy line breaks for Main Steam, Feedwater, RWCU, HPCI steam supply line, and RCIC steam supply line (e.g., jet impingement, high temperature/humidity, pipe whip, etc.) are not fully addressed and accounted for in the flood scenario analysis (see Section 6.5 under Initiating Events). The detrimental effects of the high energy line break could cause damage to cables and other equipment that would not otherwise be failed by water submergence and spray. Although this is a Capability Category III issue, it needs to be considered for such application as Risk-Informed Inservice Inspection of Piping. It is possible that the effects of high energy line breaks were already evaluated in the previous RI-ISI program completed for BFN.

Disposition: The High Energy Line Break analysis was performed earlier for BFN for the power uprate. The HELB report has been identified in the reference section for this flooding report. That analysis was limited to break scenarios that were successfully isolated. Main steam line and feedwater line breaks that are not successfully isolated are treated in the non-flood PRA model with break outside containment events that consider the initiator frequencies based on line lengths.

Finding: The water spray effects may not have been modeled consistently for all flooding scenarios considered. In many instances, the decisions to not quantitatively evaluate the flooding scenarios were based on the consideration of PRA equipment damage due to water submergence only (i.e., without considering the damage effects of water spray). For example, only two flooding scenarios were quantitatively considered for the Control Bay, while there may be other spray damage scenarios that should have been quantitatively evaluated.

Disposition: All spray scenarios from all sources have been considered and either modeled or justification provided for not modeling the spray source.

IFSN-A8-01

Finding: No actual consideration was given in the evaluation for inter-area propagation through drain lines or back flow through drain lines due to failed back flow prevention devices (e.g., check valves or other isolation valves).

Disposition: The diesel generator flood areas are served by large (24") drains to the outside so there are no propagation paths through drains. The intake pumping station rooms are not interconnected by drains so there are no propagation paths through drains. All of the reactor building drains go to the RB sumps on the 519 level. Most of these drains interconnect on their way to the sumps; however, the same areas have large open hatches or stairwells that go to the 519 level so the drains are immaterial. The only way the drains could cause a problem is if they backed up into a shutdown board room, and the shutdown board rooms do not have any floor drains. The turbine building drains are immaterial due to the way the flooding analysis is performed in that area.

IFSN-A9-01

Finding: A screening value of 0.1 is used for the failure of the door to the air conditioning equipment room at El. 606 in Control Bay (IF-CB593-DOOR for %IFM1CB606-AC). Flooding in this room (resulting from failure of the EECW piping system) could potentially cause water accumulation to a height in excess of several feet according to the flood height analysis performed for 1CB606-ACM (Appendix E). Since this door opens outward from the room, the door could potentially fail with an internal flood height in excess of 1' to 4' (per EPRI draft final guideline for IFPRA). As such, the use of a screening value of 0.1 (without actual structural analysis of the door capability) for scenario %IFM1CB606-AC is probably optimistic. For %IFL1CB606-AC, the flood accumulation in the room could potentially reach to more than 2', which in principle could also cause failure of this door to withstand the static pressure from the flood.

Disposition: Flooding scenarios within the Control bay show propagation from the 606' elevation to the stairwell and subsequently to the 593' corridor. At this level, the continued accumulation of flood water will release to the outside through the double door emergency exit doors at the Unit 3 end of the corridor. However, a 0.1 factor was applied to the failure of this emergency door to release flood waters and to cause the propagation to the battery rooms and battery board rooms for the units. This factor of 0.1 is conservative given the glass double door emergency exit opens easily to the outside and the single doors to the adjacent rooms open outward (into the CB corridor).

Finding: Flood height calculations for selected Control Bay scenarios were provided in Appendix E. For Reactor Building and Turbine Building, however, no calculations are provided to demonstrate that selected flood sources would not cause damage to PRA equipment due to flood immersion in the basement. For example, it is indicated in the IFPRA notebook that neither CST has sufficient inventory to result in a flood height severe enough to cause failure of the PRA equipment located at the lowest level in the Reactor Building, but no actual analysis is provided to substantiate that conclusion.

Disposition: Two RB calculations were performed to obtain timing for 2,000 gpm floods (upper limit for Flood) and 24,000 gpm floods (upper limit for Major Floods). These are the only two calculations needed since all reactor building breaks flow to the 519 level without submerging any other area that contains PRA equipment that could be failed by submergence.

Finding: Information collected during the walkdown should be documented more fully and consistently in the walkdown sheets [e.g., the type of doors (normally open/closed egress door, fire door, door with card key entry, water tight submarine door, etc.), floor/wall/ceiling openings, sumps and sump capacity, sump level instrumentation, number, size, and condition of drains, equipment occupancy fraction, etc.]. There are some inconsistencies in the information related to these items presented between different sections of the report. For example, the walkdown sheets show no drain in the corridor area on El. 593' in the Control Bay. However, the flood height evaluation in Appendix E shows 2 drains in this area.

Disposition: Additional walk downs were conducted and documented. Plant studies and drawings were examined to locate all of the PRA components in flood areas. The original walk down notes were archived at the end of Appendix A and the main Appendix A tables were used to identify all sources, components and flood area features regardless of how these items were identified.

Finding: Tables 6-1 and 6-2 provide a list of the potential flooding sources. However, some of the plant water and steam systems (e.g., domestic water/potable water/sanitary water system, chilled water system, hot water system, main steam, etc.) appear to be absent from the evaluation considered in these tables. In addition, there is no documentation of the complete flood sources for locations that were not walked down (the flood sources documentation is geared to the walk down). Flood sources need to be identified by location as the basis for developing flooding scenarios.

Disposition: A complete list of flood sources for each flood area has been added for the reactor building, control bay, diesel generator buildings and the intake pumping station. The Turbine building is being handled in a manner that does not require detailed listing of flood sources. Tables 6-1 and 6-2 have been updated. The sources have also been listed in Appendix A.

ENCLOSURE 2 Browns Ferry Nuclear Plant, Units 1, 2, and 3 Technical Specifications (TS) Change 468 ELECTRICAL DISTRIBUTION SYSTEM UNIT 0 BROWNS FERRY NUCLEAR PLANT

THIS PAGE IS AN OVERSIZED DRAWING OR FIGURE, THAT CAN BE VIEWED AT THE RECORD TITLED:

"ELECTRICAL DISTRIBUTION SYSTEM, UNIT 0, BROWNS FERRY NUCLEAR PLANT" PIP-02-03 WITHIN THIS PACKAGE ... OR BY SEARCHING USING THE D-01X