ML100980155


Responses to Requests for Additional Information Regarding Technical Specifications (TSs) Change TS-468 - Request to Extend Completion Time for TS 3.8.1 Required Action B.4 - Emergency Diesel Generators A, B, C, D, 3A, 3B, 3C, and 3D
ML100980155
Person / Time
Site: Browns Ferry
Issue date: 04/05/2010
From: Krich R
Tennessee Valley Authority
To:
Document Control Desk, Office of Nuclear Reactor Regulation
References
TVA-BFN-TS-468


Text

Tennessee Valley Authority
1101 Market Street, LP 3R
Chattanooga, Tennessee 37402-2801

R. M. Krich
Vice President
Nuclear Licensing

April 5, 2010

10 CFR 50.90
TVA-BFN-TS-468

U.S. Nuclear Regulatory Commission
ATTN: Document Control Desk
Washington, D.C. 20555-0001

Browns Ferry Nuclear Plant, Units 1, 2, and 3
Facility Operating License Nos. DPR-33, DPR-52, and DPR-68
NRC Docket Nos. 50-259, 50-260, and 50-296

Subject:

Responses to Requests for Additional Information Regarding Technical Specifications (TSs) Change TS-468 - Request to Extend Completion Time for TS 3.8.1 Required Action B.4 - Emergency Diesel Generators A, B, C, D, 3A, 3B, 3C, and 3D

This letter is in response to a March 23, 2010 request for additional information regarding the proposed Technical Specifications (TSs) Change 468 for Browns Ferry Nuclear Plant Units 1, 2, and 3. The proposed change, which was submitted on February 18, 2010, revises the completion time for TS 3.8.1 Required Action B.4 for Unit 1 and 2 Emergency Diesel Generators (EDGs) A, B, C, and D; and Unit 3 EDGs 3A, 3B, 3C, and 3D.

The proposed change included a Probabilistic Risk Assessment (PRA) to support Tennessee Valley Authority's request to extend the proposed revised completion time for TS 3.8.1. During NRC's review of the proposed change, it was determined that additional information was required by the NRC staff in order to complete their evaluation.

Specifically, NRC requested the dispositions for the PRA peer review findings.

Subsequent to the March 23 request, NRC requested an electrical one-line drawing showing the electrical distribution system down to the 480V level. Enclosures 1 and 2 provide the requested information.

There are no new regulatory commitments associated with this submittal. Please direct any questions concerning this matter to Terry Cribbe at (423) 751-3850.


I declare under penalty of perjury that the foregoing is true and correct. Executed on April 5, 2010.

Respectfully, R. M. Krich

Enclosures:

1. Disposition of Peer Review Findings for the PRA

2. Electrical Distribution System, Unit 0, Browns Ferry Nuclear Plant

cc (Enclosures):

NRC Regional Administrator - Region II
NRC Senior Resident Inspector - Browns Ferry Nuclear Plant
State Health Officer - Alabama Department of Public Health

RCB:TEC:RMK

ENCLOSURE 1

Browns Ferry Nuclear Plant, Units 1, 2, and 3
Technical Specifications (TS) Change 468

DISPOSITION OF PEER REVIEW FINDINGS FOR THE PRA

1-12 Several examples found for lack of engineering analyses regarding HVAC that could be justified by calcs.

Condensate System Notebook (SY.01) assumes active ventilation is not required due to plant experience. Core Spray System Notebook (SY.04) assumes keep-fill system is not required. HPCI System Notebook (SY.07) assumes dependence on quad cooling for the remaining 20 hours of post accident operation.

Basis for Significance:

The SR expects that engineering analyses will be performed to determine whether these statements are correct.

Possible Resolution:

Perform analyses to validate these statements.

Keep fill systems are monitored daily by operations.

They are alarmed so failures of these systems are detected and corrected in a timely manner. Based on this, an assumption is made that these systems are properly charged with water at the time of an initiator.

Based on operator interviews, no system has a leakage great enough to create a water hammer condition should its keep fill system fail after the scram. The only exception to this is the potential drain down of the RHR loop if it is being used for SPC and a LOSP occurs. This condition is already modeled and discussed in the RHR notebook. Calculations are not needed for these systems. The assumptions section for each applicable SY notebook was changed to reflect the above. The operator interview was placed in the RHR, Core Spray, HPCI, RCIC and RHRSW system notebooks.

A consensus model is not available to guide the HVAC dependency issues. The intent of SY-B6 is to make sure adequate analysis exists to support removing modeled dependencies from systems. It is not the intent of SY-B6, or the ASME standard for that matter, to establish what analysis is needed to support plant operations and design. In the case of HVAC, adequate plant specific analysis is not available to remove room cooling dependencies from most equipment. Room heat-up calculations may be available, but realistic (non-EQ) equipment failure temperatures are not available. This situation is shared by many plants in the industry. The BFN model took the conservative approach and required an HVAC dependency for all equipment that could not be reasonably argued to not have the dependency.

The condensate and condensate booster pumps are not located in a room per se. They are in a long corridor that is continually open to the turbine building environment. These pumps have cooling air from fans ducted directly on the pumps. The system engineers and operators were interviewed and stated plant operational experience showed these pumps would operate for an extended length of time without that forced cooling. They concluded the pumps would survive for 24 hours without forced cooling. An engineering analysis supporting a PRA model does not have to be a calculation and can be either quantitative or qualitative. In this case, this conclusion was based on a qualitative analysis that included plant walkdowns, expert opinion from both operators and engineers, and past plant operating experience. This is considered to be an acceptable analysis for the purpose of the BFN PRA model. The condensate SY notebook was embellished to more clearly reflect the above.

Generic unavailabilities are used for two groups of components but there is no justification provided regarding the consistency of the data with BFN T&M philosophies.

It is required by the SR that the use of generic unavailabilities be accompanied by a justification that the data is consistent with the T&M philosophies of the plant.

Possible Resolution:

Provide a discussion of the consistency of the data with the plant T&M philosophies.

The data analysis notebook section 6.1.5, Generic Industry Data, which states "NUREG/CR-6928 (Reference 7) is used as the primary source of data for component failure data because it is the most recent available data and is based on a significant effort to trend and develop such distributions. The uncertainty distribution types used in this source are the beta distribution for demand failure probabilities (per demand) and the gamma distribution for failure rate probabilities (per hour). These distributions are inputs to the CAFTA model reliability database using the mean from Reference 7 and a calculated variance of the beta and gamma distributions from Reference 7. Table 4 provides the generic industry data used in the BFN PRA and their assigned type codes. The type code maintenance process using the BFN database is described in Reference 11."

This discussion is addressed further in section 6.2 Component UA Data in the Data notebook. Section 6.2.6, Generic Unavailability Data, states "The unavailabilities of some components that do not have plant-specific data available were estimated from NUREG/CR-6928 (Reference 7). These events fall into two categories. The first category includes buses, distribution boards and distribution panels and uses the unavailability labeled "BAC-TM" in Table 6-1 of NUREG/CR-6928 (Reference 7). The second category includes battery chargers and uses the unavailability labeled "BCH-TM" in Table 6-1 of Reference 7. These unavailabilities are presented in Table 9 along with the lognormal error factor that is provided in Table 6-1 of Reference 7."

The two groups, BAC-TM & BCH-TM, require further justification that BFN T&M philosophies are consistent with the NUREG/CR-6928. NUREG/CR-6928 Table 6-1, Train UA data and results, defines BAC-TM as "Bus (AC) Test or Maintenance" and BCH-TM as "Battery Charger Test or Maintenance".

NUREG states that "Component/train UA is the probability that the component or train is unavailable to perform its safety function because of test or maintenance (TM) outages." The definition of "availability" and "unavailability" as used in the Maintenance Rule implementation is considered consistent allowing its use in the Data Analysis Notebook in Table 9. O-TI-346, Maintenance Rule Performance Indicator Monitoring, Trending, and Reporting - 10CFR50.65, is in compliance with NUMARC 93-01.

1-15 There is no discussion of the screening process that is performed (per staff input), i.e., the rationale is not justified.

Basis for Significance:

The process for screening of raw failure information is not documented. It is accomplished according to staff discussion but no justification is provided as required by this SR.

Possible Resolution:

Provide a description for the screening process used in the evaluation of raw failure data.

Additional discussion related to screening process for raw data was added to section 6.1.6 of Data notebook.

1-17 Reviewed DA.01. The source of demands is not discussed. Based upon discussions with the PRA staff, exposure is collected directly from plant data systems and is therefore actual component exposure.

However, post-maintenance testing demands are also included in these numbers and are not removed.

Basis for Significance:

Post-maintenance testing must be excluded from the exposure data per the SR.

Possible Resolution:

Develop a means of identifying the post-maintenance related exposure and remove them from the data calculations.

As it stands the ability to remove post maintenance testing (PMT) from the database would require a massive re-tool of the database to allow for discrete removal of specific times. The ability to perform these actions is limited due to the lack of interface between the Operations Logs and the PEDs system.

To quantify the amount of effect removal of potential PMT from the demands the following actions were performed.

Seven scenarios were analyzed, and the CDF & LERF for each unit were compared.

Scenario #1: No change to the data

Scenario #2: For each failure assumed 1 PMT performed

Scenario #3: For each failure assumed 2 PMTs performed

Scenario #4: For each failure assumed 5 PMTs performed

Scenario #5: For each failure assumed 10 PMTs performed

Scenario #6: For each failure 20 PMTs performed

Scenario #7: For each failure 100 PMTs performed

Note for Scenario 7 the number of demands on the HPCI/RCIC will be set to zero.

Summary of Results:

For Core Damage Frequency Unit 1 had the largest deviation from the baseline for all scenarios.

- Scenario 1: 0.00 percent change, baseline calculation

- Scenario 2: 0.03 percent change

- Scenario 3: 0.07 percent change

- Scenario 4: 0.18 percent change

- Scenario 5: 0.37 percent change

- Scenario 6: 0.82 percent change

- Scenario 7: 2.06 percent change

The results show that without having an extremely unrealistic number of PMTs the data is not significantly skewed by the inclusion of the PMT data.

For Large Early Release Frequency, Unit 3 had the largest deviation from the baseline for all scenarios.

- Scenario 1: 0.00 percent change, baseline calculation

- Scenario 2: 0.01 percent change

- Scenario 3: 0.01 percent change

- Scenario 4: 0.03 percent change

- Scenario 5: 0.06 percent change

- Scenario 6: 0.12 percent change

- Scenario 7: 0.55 percent change

The results show that even with an extremely unrealistic number of PMTs the data is not significantly skewed by the inclusion of the PMT data.

1-22 There is no discussion of the process to be applied in the use of surveillance test data.

The use of this data is required for situations in which there is no MR data available (for example), so a process for its use should be in place.

Basis for Significance:

All levels of capability in this SR indicate that the process for use of surveillance data needs to possess specific attributes. There is no process defined.

A description of the process to be applied in the use of surveillance test data has been incorporated in Section 6.1.6 of the Data Calculation notebook.

Possible Resolution:

Provide a process for use of surveillance data that incorporates the requirements of this SR.

1-26*

Test and maintenance basic event TMOPNLA2480000D for a DC bus uses a generic value from NUREG/CR-6928 for an AC bus. This number seems very low for a DC bus that can be taken out of service for significant amounts of time without forcing a shutdown.

Basis for Significance:

Given that such a DC bus can be out of service while the plant is at power for much longer than most AC buses, one would expect the value associated with the DC bus to be higher (not lower) than that of the AC bus.

Possible Resolution:

Use plant specific data to determine the T/M unavailability for this DC bus. If no data is available, use a more justifiable generic value.

Battery Boards are not taken out of service unless the loads are transferred. The values of the TM events for SB-A, SB-B, SB-C, and SB-D have been set to zero.

There is no discussion of the review of the LERF contributors (ASME/ANS RA-Sa-2009 Table 2-2.8-9) for reasonableness per the review of the QU Notebook and LE.01.

LE-F2 is related to this F&O.

SR is NOT met.

The review of the LERF contributors (ASME/ANS RA-Sa-2009 Table 2-2.8-9) for reasonableness was performed as discussed in section 6.3.2.3 of the QU Notebook.

Basis for Significance:

A review of the reasonableness of the results of the analysis of the contributors to LERF is required per the SR.

Possible Resolution:

Perform and document a review of the reasonableness of the contributors to LERF.

1-34 Additional attention should be applied to significant cutsets to determine that the bases for the cutsets are consistent with modeling and operating philosophies.

Basis for Significance:

The top accident sequence cutset for both CDF and LERF deals with clogging of the intake and includes events that are very uncertain.

The attention given this cutset to minimize the uncertainty associated with the contributing basic events has not been sufficient. The approach to dealing with such important cutsets should assure that the contributors are understood and are supported by appropriate rigorous analyses and/or assessment.

Possible Resolution:

Make sure that the top cutsets (reviewed per the PRA Procedures) are discussed and evaluated. During the quantification process make sure that an evaluation is performed in addition to capturing the results.

Cutset reviews have been performed. The intake structure model has been reworked.

The sequence descriptions generally include a description of the sequences but the phenomenological conditions created are not specifically identified. Some references to phenomenology are provided but not consistently (e.g., ATWS sequence descriptions conclude with the statement "There no phenomenological conditions identified.")

Basis for Significance:

The SR calls for identification of the phenomenological conditions for each sequence.

The phenomenology is discussed in the ATWS sequence descriptions. The statement "There no phenomenological conditions identified" was removed from the AS notebook.

Possible Resolution:

Include a listing of phenomenological conditions that result for each sequence.

In addition, other phenomena are discussed as noted below:

Loss of suction due to venting is discussed in 6.2.2

Harsh environment is discussed in 6.2.4

2-13 In Table B-1 of the HRA Notebook, HFL_1003_LT56A has a value of 9E-04 which is higher than the component failure of the same level transmitter yet it is not in the fault tree based on the common cause failure of all 4 level transmitters being in the fault tree (note 1 in table). The independent miscalibration should be included in the fault tree.

This is applicable to other precursor events also.

Basis for Significance:

Given that the miscalibration has a higher value than the mechanical failure it should be included as a valid failure mode in the tree. One level transmitter failing due to a hardware issue and a second due to miscalibration is a valid

Possible Resolution:

Add the independent miscalibration events to the fault tree

Identified CCF HFLs without screening values:

HFL_1003CCFLT0056, HFL_1003CCFLT0058, HFL_1003CCFLT0203, HFL_1068CCFPTLOPR, HFL_2003CCFLT0056, HFL_2003CCFLT0058, HFL_2003CCFLT0203, HFL_2068CCFPTLOPR, HFL_3003CCFLT0056, HFL_3003CCFLT0058, HFL_3003CCFLT0203, HFL_3068CCFPTLOPR.

Table B-1 of the BFN HRA Analysis notebook has been updated to include changes to the PRA model.

HFL_1003_CCFT0056 is Common cause miscalibration of all 4 level transmitters, inspection of the fault tree shows that specific pairs of failures (AC, BD) would also cause a failure to initiate the logic.

These CCF pairs should be added to the model. This will apply to other miscalibration CCFs also.

Basis for Significance:

The pair CCFs will have a higher value than the 4 of 4 event thus impact the results.

The F&O relates to all of the pre-initiators that accounted for common miscalibration errors. Fault trees have been updated and HRA notebook has been revised to reflect this change. HFL_1003_LT56A, HFL_1003_LT56B, HFL_1003_LT56C, and HFL_1003_LT56D have been added to the model.

Possible Resolution:

Calculate the pair CCFs and add to the fault tree


2-17 In the fault tree, only the reactor low level input is modeled for RPS. The other inputs that would be triggered by the initiators feeding the ATWS event tree such as MSIV closure (MSIV closure), reactor pressure (LOCAs SORVs), drywell pressure (SLOCA, SORV), Turbine valve position (GTRAN involving turbine trips) are not modeled. This is not a true representation of RPS's participation in reactivity control.

Basis for Significance:

Because most initiators trigger multiple RPS inputs failure of RPS would be higher than its design indicates and the ATWS contribution overstated.

Possible Resolution:

Model other appropriate RPS inputs and link the appropriate ones to their initiating events.

Based upon recommendation of the peer review team the following resolution was created. Due to the high number of diverse RPS inputs capable of generating a reactor trip signal, an assumption has been inserted into the RPS notebook that one of the signals will successfully generate a trip signal for each condition modeled. The low water level signal input to the RPS has been removed from the model to facilitate this assumption. The RPS system notebook has been updated to reflect the changes noted above.


recent operational experience, compared to unit 2 and 3, there is no discussion in the data notebook regarding the limited unit 1 specific data.

It appears that for TM the limited data was used directly and no consideration of this taken.

Basis for Significance:

Using the limited data for Unit 1 without consideration that the unit has limited data (less than a full cycle) likely skews the results.

Additional discussion related to T&M for Unit 1 was added to section 6.2.5 of the Data Notebook. The maintenance unavailability data from Units 1, 2 and 3 is now pooled, as described in the revised Data notebook.

In addition, a review of the plant-specific unavailability data showed that Unit 1 unavailabilities are generally consistent with those from Unit 2 and Unit 3.

Possible Resolution:

Examine the data used for the Unit 1 analysis and ensure that any Unit 1 data used is in agreement with that of Units 2 and 3. Fully document and justify the data used for Unit 1. For example, discussion with the utility revealed that Unit 2/3 data was used for Unit 1 unavailability values. The text needs to be updated to reflect the actual method used.

2-23 In section 3.2.6.1 of the HVAC system notebook, it states that the running ACU for unit 3 electric boards must be tripped before the standby unit can be started.

Failure of this trip to occur is not reflected in the fault tree.

Given Priority 2 because model change may be required.

Basis for Significance:

A breaker failing to provide tripped indication for a start permissive can happen and this failure mode should be

Possible Resolution:

Include running ACU fail to trip (indicate as tripped) as a start failure for the standby ACU.

Failure of the operating unit to trip has been added to the model as a failure mode of the standby unit.

For SPC and LPCI, the LPCI injection valves and SPC return valves are required to reposition when swapping RHR modes, but this is not included in the model. The RHR system notebook indicates that these valves need to close for the opposite function. However in one location in the notebook it is indicated that flow can be split between LPCI and SPC.

Priority 2 is given because of the potential for model changes.

Basis for Significance:

All active components should be included in the failure modes of a system.

Possible Resolution:

Add failure mode to the fault trees and clarify documentation

The injection valves do need to change position for split LPCI/SPC flow; two valves would have to fail to modulate or close in either path to fail either system.

An operator interview was conducted to address this issue. The common cause failure probability of two MOV's to close is less than 1E-5. The RHR pump start failure probability is approximately 1.4E-3. The failure of two MOV's to close is less than 2 orders of magnitude lower than another failure that would fail the system in a similar manner. Therefore, failure to close (or modulate) either the LPCI or SPC injection path can be neglected. The RHR system notebook was modified to reflect this and the operator interview was added.

2-35 The containment structural analysis does not address the Unit 3 primary containment ultimate capacity in section 6.3.

Basis for Significance:

All three unit containments must be addressed

Possible Resolution:

Address the unit 3 containment ultimate capability.

The LERF Notebook calculations are applicable to all three Browns Ferry units. However, much of the previous work, including industry studies has been based on BFN Unit 1. Thus, the plant description in Section 3 of the LERF Notebook which specifically applies to Unit 1 is supplemented with a discussion of unit differences. The unit differences are examined from the perspective of LERF and it is concluded that the minor differences between the units do not impact the LERF quantification.

The operator actions in the LERF analysis are not based on that same type of HFE calculations used in the Level 1 analysis

Basis for Significance:

SR requires the same level of rigor in HRA as in level 1.

Possible Resolution:

Use the same HRA process as Level 1 for the LERF HFE events.

LERF HFEs have been updated in a manner consistent with the process used for Level 1 HFEs and are documented in the HRA notebook.

2-39 In the documentation for CIL it states that a fault tree is quantified and the resulting value is used in the quantification of the node.

Inspection of the fault tree shows that the containment isolation fault tree is quantified with the node directly. Direct quantification of node is the appropriate action.

Basis for Significance:

Not describing the actual method of quantifying the node can lead to errors in use of the PRA.

Possible Resolution:

Correct the CIL writeup in the LERF notebook to correctly reflect the actual model and also better reflect the information in the Primary Containment Isolation notebook.

Section A.2.2 of the LERF Notebook (LE.01 Appendix A) has been revised to address this comment.

2-4 Estimated values are provided in table 10 of the data notebook but no rationale is provided for how they were obtained.

Basis for Significance:

The SR requires documenting the rationale. This allows the thought process used to create the estimate to be reviewed and validated.

Possible Resolution:

Provide rationale required by the SR.

Discussion was added to the Data notebook (section 6.2.7) explaining the rationale for the estimated TM events.

Systems models are not developed for LERF. Documentation indicates split fraction values with no good basis for them.

Basis for Significance:

Systems models are needed to properly reflect impact of specific failures. It is believed that the values being used arise from the previous LERF analysis.

Possible Resolution:

Create system models for relevant LERF functions and revise documentation accordingly.

Systems models are now developed for LERF. The LERF Analysis documentation has been revised to reflect the updated to include descriptions of the LERF system models.

2-6 The results of the data analysis are well documented but the process and intermediate steps are not well described.

For example in discussion with the analyst the process by which the component failures go from the CAP process to the MRule database and are extracted from it to a PRA failure screening tool to the table in the data notebook was described but the data notebook merely states the failures were extracted from CDE and the type codes assigned.

Basis for Significance:

Transparency and reproducibility are improved with better process descriptions.

Possible Resolution:

Document the processes used to perform the various data analyses.

This documentation should be sufficient for a knowledgeable reviewer to understand the entire process from raw data to final results.

Added the following text to the Data Analysis notebook in Section 6.1.6 "BFN plant specific data has been compiled from the plant database of functional failures collected for the Maintenance Rule. The BFN PRA database is linked to the Cause Determination Evaluation (CDE) Tracking System. The CDE tracking system collects information at the site about what failures have occurred within the plant systems that are monitored by the Maintenance Rule. Not all events are related to a functional failure, as some CDE entries are related to degraded conditions or unavailability conditions. To better identify events are functional failures the BFN PRA database extracts only the relevant information from the database to help make the judgment as to which type code each failure should belong. For each CDE the Event Description and Root Cause are extracted to allow for analysis of the failure mode. If not enough information is present the EPIX number is also displayed to allow for more research into the failure event. Plant specific data for the period 1/1/2003 to 1/1/2008 was evaluated and used as input to the Bayesian analysis."

from two general types of issues, plant specific and generic. Plant specific uncertainties and assumptions should be identified and documented during the model development. The generic sources of uncertainty are listed in EPRI Report 1016737 Table A-1. Both types of uncertainties must be addressed for the base model.

Examples of plant specific uncertainties include:

(1) ISLOCA valve failing to close after testing is not listed in the sources of uncertainty, nor is the conditional probability that the break is greater than 93 or 600 gpm.

(2) For Initiating Events, the factors affecting INTAKE initiating event is not included in the assumptions section, nor are any of the other assumptions in the analysis.

(3) Specific assumptions for the detailed HFEs is not discussed, including assumptions made for timing of operator responses (versus analyzed or those observed on a simulator)

Sources of uncertainty must be identified and documented.

Possible Resolution:

NUREG-1855 and EPRI 1016737 provide an acceptable approach to identifying, documenting and characterizing sources of uncertainty. Use this method or a similar method.

Plant specified uncertainties were identified on Table A8-1 of the Quantification Notebook per SR QU-E1 and QU-E2 of ASME RA-S 2005 Addendum B. Key modeling uncertainties (e.g., HVAC dependencies and intake structure plugging) were addressed in Section 6.3.3 of the Quantification Notebook per SR QU-E4 of ASME RA-S 2005 Addendum B. The requirements and procedures for characterizing generic and plant-specific modeling uncertainties are specified in SR QU-E4 of ASME-ANS RA-S 2009, RG 1.200, Revision 1, NUREG 1855, and EPRI-1016737. These requirements and procedures were formalized shortly before the peer review for BFN. The additional requirements for ASME-ANS RA-S 2009 will be implemented in the next revision of the BFN PRA model.

There is no evidence of an analysis for sequences that go beyond the 24 hour period to evaluate the appropriate treatment relative to the CC II/III requirements for SC-A5.

Basis for Significance:

A CC II/III for SC-A5 requires that options other than assuming sequences in which a stable state has not been reached in 24 hours goes to core damage.

Possible Resolution:

Perform and document an analysis of sequences that do not achieve a stable state in 24 hours to determine which of the options presented in the SR would be a most appropriate disposition for that sequence. Then change the PRA model accordingly.

General Transient sequence GTRAN_5002 is a non-IORV/SORV success sequence with successful suppression pool cooling and long term HPCI or RCIC.

MAAP analysis show HPCI and RCIC can be successful for greater than 24 hours with effective SPC. Drywell temperature, however, increases throughout this sequence due to heat transfer from the vessel and drywell piping (drywell fan coil units are not credited).

MAAP analysis shows drywell temperature increases to, but does not surpass, 300 °F within a 36 hour analysis time duration. The EOI's require the operators to emergency depressurize when drywell temperature reaches 281 °F. This will fail HPCI and RCIC and prevent further high pressure injection. This sequence was analyzed by interviews with operators and review of other non-MAAP analysis to determine 1) if the operators would emergency depressurize if there were no low pressure injection sources available, and 2) if the MAAP analysis was reasonable.

Operator interviews determined that the operators would emergency depressurize when instructed by the EOI's even if no low pressure injection systems were available. A review of General Electric calculation W79 040331 003 confirmed the conclusions drawn from the MAAP results. Since the calculation is GE Company Proprietary, the results are not presented here.

As a result of the above analysis, the sequence was changed to require successful low pressure injection for sequence success.

The quarterly SLC pump and valve operability test, which renders both trains of SLC unavailable, is not modeled with a coincident maintenance term.

Basis for Significance:

This is classified as a finding since it is a modeling deficiency that should be corrected.

Possible Resolution:

Model a coincident unavailability term for this maintenance configuration.

A coincident maintenance term was added to the MOR that fails both trains of SLC. An interview was conducted with the system engineer, who indicated the quarterly test SI-4.4.4.a.1, Standby Liquid Control Pump Functional Test, takes both SLC trains out of service for 4 hours at the most. The T&M event reflects an unavailability of 4/8760, or 4.57E-4 /yr.

3-28 A detailed discussion of the quantification asymmetries (with respect to different units, system alignments, etc) is not presented.

Basis for Significance:

This is an important part of the quantification documentation process.

Possible Resolution:

A detailed discussion of the quantification asymmetries (with respect to different units, system alignments, etc) should be presented in the Quantification Notebook.

Section 4.3 of the Quantification Notebook was expanded to discuss unit differences that impact the quantification results.

4.3 Unit differences

This calculation documents the quantification of all three BFN units. Unit differences are explicitly addressed in the system fault tree models. Some unit differences have a significant impact on the quantification results.

The HVAC dependencies on electrical boards have a significant impact on the results. The Units 1 and 2 electrical boards are cooled by air conditioning units that depend on chillers. The Unit 3 electrical boards are cooled by air conditioning units that depend on EECW.

3-31 The definitions for significant when presenting lists of important equipment, operator actions, etc. do not always conform to the strict ASME standard definition of significant. Justifications for the alternatives used are not presented.

Basis for Significance:

This issue causes the supporting requirement QU-F6 not to be met.

Section 6.3.2.4 of the Quantification Calculation was updated to address the significance criteria for important equipment and operator actions.

Possible Resolution:

When presenting lists of significant equipment strictly adhere to the ASME standard definition or present a rationale for using an alternative.

3-32 There is no evidence that the PRA maintenance and update procedures are 'living'. Note that this may be due to the fact that the procedures are relatively new and the BFN models are currently in the process of a major upgrade.

Basis for Significance:

This issue causes the SR to be Not Met.

Possible Resolution:

As the procedure is implemented, assemble evidence that this process is active. Conduct periodic self-assessments to ensure the process is being maintained.

NEDP-26 Section 3.5.3 states that:

PRA program self-assessments should be performed periodically by personnel cognizant of the PRA process, principles, and applications. PRA self assessments shall use the current PRA MOR for the site being reviewed.

Self assessments shall be conducted in accordance with SPP 1.6, "NPG Self Assessment and Benchmarking Program."

1-:54 The PRA configuration control procedures lack implementation details that assist the risk analyst in how to carry out the general requirements specified by the procedures.

Basis for Significance:

This implementation detail is important in maintaining a 'living' PRA program.

Possible Resolution:

Incorporate into this document or into a lower tier work instruction implementation details for the general requirements specified.

Consider the use of the BWROG generic Guidance in procedure:

BWROG PRA Configuration Control and General Maintenance Guidance Document R1.doc

NEDP-26 provides the PRA configuration control procedures. These procedures will be updated considering the BWROG generic Guidance Document.

Scheduled manual shutdowns (especially for refueling outages) should not be included in the statistical basis for the scram initiator. This can lead to an overly conservative scram initiator frequency.

IE-A7 is related to this met.

Note that CNRM interpretation for FAQ 06-1060 (should non-forced manual trips which are part of the normal shutdown procedure be counted) states that 'a normal controlled shutdown would not present the same challenges as a trip from full power if the manual trip was prompted by conditions other than the normal shutdown procedure which could occur at full power, it should be counted.

Basis for Significance:

CRNM ASME Standard Interpretation #5 (for FAQ 06-1060) states that normal controlled shutdowns should not be included when counting initiating events. The current practice at Browns Ferry regarding this item, therefore, does not meet the requirements of the standard.

Possible Resolution:

Remove planned shutdowns from the SCRAM initiator data set.

F&O 6-15 suggests that manual shutdowns be included as an initiator. Manual shutdowns have been conservatively lumped together with automatic SCRAMs. There are no identifiable plant response differences between automatic and manual shutdown above low power situations. Low power manual shutdowns will be included in the Low Power/Shutdown PRA.


The U2/U3 availability factor may not be correct for U1 IE frequency calculations.

Critical hours for Unit 1 are only available for about 8 months in 2007 (~82% availability).

Additional justification is needed to use Unit 2/3 critical data for Unit 1. The intent of the PRA is to reflect the as-operated plant, and it is not clear that Unit 1 will be operated in the future at a 95% availability factor.

Possible Resolution:

Resolve or justify the discrepancy between Unit 2/3 and Unit 1 availability.

See response to F&O Task ID 29. The purpose of the PRA is to provide a realistic estimate of risk for future operations. The limited data for Unit 1 is for essentially a new plant that had a number of scrams during the restart process. The more recent data shows Unit 1 to be operating with a capacity factor similar to that of Units 2 and 3.

4-11 IE.01 (Initiating Events Notebook) Table 22 shows the difference between the prior and the posterior; one cannot tell whether the prior distribution was correct for the plant-specific data.

Basis for Significance:

IE-C4 requires justification of the selection of any informative prior distribution used. Neither the documentation nor the calculation files available provide that justification.

Possible Resolution:

Evaluate the prior distribution, plant-specific data and posterior distribution to determine whether the choice of informative prior distribution is correct.

Graphs of the prior and posterior distributions are added to the notebook as Appendix E. Each graph contains the prior and posterior means for each updated distribution.

4-12 It's not clear how the IE frequencies were updated.

Many of the priors are gamma, but all the posterior distributions are Lognormal.

Basis for Significance:

Neither the documentation nor the available calculation files provide adequate information to determine whether the posterior distributions are correctly calculated.

Possible Resolution:

Provide additional documentation of the Bayesian update process, including the software used, the input data, and the output files.

For example, as was done in Appendix 4 of the Data Analysis.

The updated IE frequencies have been re-calculated using the appropriate distributions. These are documented in the Initiating Events Notebook.

The following statement was added to the IE notebook in section 6.3.2:

The IE frequencies were updated using the CAFTA database bayes update feature. For each input prior distribution type (i.e. gamma, lognormal), the same distribution was selected as the output posterior distribution type.

4-17 The documentation does not provide a method to trace the operator actions identified in the Accident Sequence Analysis to the quantification of the actions or their incorporation in the model. No designators are provided in the AS Analysis to identify the operator actions.

HR-13 is related to this F&O. The SR is NOT met.

Basis for Significance:

The lack of operator action designators in the identification phase makes the review of the HRA very difficult.

Possible Resolution:

Provide operator action designators in the identification phase (e.g., AS Analysis).

The modeled operator actions have been added to the AS Notebook. Those actions for support systems that affect all front line mitigating systems were not added to the notebook.

Some operator actions assume that the execution failure probability (Pe) is including:

HFA_0_ADSINHIBIT, HFA_0_ATWSLEVEL, HFA_0024RCWINTAKE, HFA_0027INTAKE, HFA_01R2_LPI, HFA_1063SLCINJECT, HFA_00241FISOL

Example 1: Several operator actions for ATWS scenarios (e.g., HFA_1063SLCINJECT: Failure to SLC in response to an ATWS event) assume the execution failure probability (Pe) is 0.0.

Example 2: Operator action HFA_0024RCWINTAKE (Failure to clear debris at intake before reactor scram) assumes an execution error of 0.0 based on the following: 'Cleaning traveling screens does not relate to a series of manual actions, but to an effort among several operators. It is assumed that, if the action is initiated within 1 hr, it will be successful.' The same rationale is provided for no execution error in HFA_0027INTAKE.

Basis for Significance:

Execution failure is a required part of the HEP calculation, and the argument for ignoring execution failure is not necessarily compelling, especially for maintaining level (HFA_0_ATWSLEVEL). Some of the actions for which Pe is not considered are important to the overall results.

Note 1: The explanation given for no execution failure for HFA_0_ATWSLEVEL describes the actions required for starting SLC (HFA_1063SLCINJECT).

Note 2: Cleaning debris from traveling screens is not a simple action; an assumption that, if the actions are started, they are guaranteed to be completed in 1 hour is not justified.

Possible Resolution:

Include Pe in the quantification of HFA_1063SLCINJECT, HFA_0_ADSINHIBIT, HFA_0_ATWSLEVEL, HFA_0024RCWINTAKE and HFA_0027INTAKE. Ensure that execution errors are considered appropriately in other HEPs, as well.

In general, model errors of omission in execution were not modeled when execution entails a single action.

Skipping the step in the procedure is already accounted for in the cognitive portion; for a single execution step, it doesn't make sense to say that the step is not skipped, but that the execution is not performed. There still could be a commission error in execution (that is, trying to implement the action but doing it wrong), even if there is a single execution step. For the events listed, this is documented in the HRA Calculator files, except for HFAO0241FISOL which has been updated to include execution errors.

The joint HEP for several combined operator actions are too low and cannot be justified. Specifically, three combined actions have joint HEPs of less than 1E-7, and eight are less than 1E-6.

Note that the HRA acknowledges these low combined HEPs, but does not enforce any lower bound. Further, it states that a sensitivity will be performed in the Quantification Notebook, but none is performed.

Basis for Significance:

If the joint HEP for combined events is too low, sequence and overall results may be artificially lowered, and the importance of the operator actions may be understated.

Section 5.3.3.6 of NUREG-1792 indicates that the total combined probability of all the HFEs in the same accident sequence/cutset should not be less than a justified value. A suggested value of 1.0E-05 is provided based on potential dependent failure modes that are not usually treated. The HRA Calculator currently provides the capability to explicitly calculate the joint probability of dependent and independent post-initiator HFEs in the same accident sequence/cutset:

This methodology improvement reduces the need for a threshold value. Overly conservative threshold values have the potential for skewing the results.

Possible Resolution:

Establish a reasonable lower bound for combined HFE probabilities. Perform sensitivities to determine the significance of this lower bound.

4-23 Several operator actions that have RRW > 1.005 have HEPs with screening values.

The HFEs are:

HFAZOO74ALIG N_DWS (CDF/LERF), HFAZOO23IFISOL (CDF), HFAZO084CADALIGN (CDF),

HFAZOSPRAYMLOCA (LERF), HFAZOHCIINIT30 (LERF), and HFAZOO71CTLPOWER (LERF)

Basis for Significance:

These HFEs should be evaluated using a detailed analysis in accordance with the requirements of HR-G1.

Possible Resolution:

Perform a detailed analysis of all HFEs with RRW >1.005.

Detailed analysis has been performed for HFAs with RRW > 1.005 and results are documented in the HRA notebook.


There are many operator actions that use screening values; see Table 8 of the HRA. None of these actions appear to use any information to base the time available and the times to operator cues and perform the actions are not documented.

Basis for Significance:

Without any real timing information, it is not possible to estimate, even at a screening level, the probability of operator failure or success.

HFEs have been reviewed and detailed analyses have been performed for many HFEs that previously used screening values. In addition, timing analyses have been reviewed. Timing is based primarily on plant specific MAAP calculations, timing from BFN simulator exercises, or estimates from BFN operator interviews.

In response to this comment, updated timing analysis has been re-reviewed by BFN operations staff and additional changes have been incorporated.

All model changes are included in an update to the HRA notebook.

Possible Resolution:

Provide timing information for all operator actions, including those HEPs estimated by using screening values.

4-27 There are many "Misaligned HFE HEP Codes" assigned in Appendix A of the HRA that are not carried through the rest of the HRA or present in the PRA model (e.g., HARCI1, HAREA1, HAINH1, and HARHR2).

Basis for Significance:

The disposition of HFEs for non-screened potential misalignment events cannot be verified as required by HR-C1. The PRA group indicated that the Appendix would be updated.

Possible Resolution:

Provide traceability from Appendix A of the HRA to the remainder of the pre-initiator analysis and the PRA model.

The HFE HEP codes noted in the F&O were used in the previous model and were inadvertently left in the documentation. Appendix A to the HRA notebook has been revised to correct errors and allow traceability.

Non-screened miscalibration events are not provided with designators in Appendix A of the HRA.

Thus HFEs associated with these miscalibration events cannot be readily determined.

Basis for Significance:

The requirements of HR-C1 cannot be verified due to lack of traceability from HRA Appendix A table to the rest of the pre-initiator analysis.

Appendix A has been updated to include the designators for the non-screened miscalibration events.

Possible Resolution:

For miscalibration events, provide traceability from Table A of the HRA to the remainder of the pre-initiator analysis and the PRA model.


4-29 The list of activities reviewed in the HRA Appendix A table is primarily focused on Unit 2 or Unit 0 SRs and SIs. There are a few Unit 1 procedures listed, but it is not clear why certain procedures from Unit 1 are reviewed but not others.

More importantly, there do not appear to be any Unit 3 procedures reviewed. A sample review of one procedure between all three units (3.5.1.5(CS I)) found that the Units 1/2 tests affected two relays that are not tested in the Unit 3 procedure.

Basis for Significance:

The review of procedures should not be limited to one unit.

Differences between units may present additional pre-initiator actions. Although the one example found would not likely result in a pre-initiator, the point is that there are differences between the units' procedures.

Possible Resolution:

A more complete review of the procedures for all three units is warranted. There should at least be a focus on procedures for systems that may be different between the units.

A focused review of procedures for systems that differ between units was performed. No changes were made to the preinitiators as a result of this review.

4-31 There do not appear to be any ACTIVITIES that were found in HR-A1 and HR-A2 identified as affecting redundant trains or diverse systems.

Basis for Significance:

HR-A3 requires identification of such activities, despite the fact that the HFEs may include multiple components or trains.

Possible Resolution:

Identify and document activities from HR-A1 and HR-A2 that affect redundant trains or diverse systems.

Activities from HR-A1 and HR-A2 that affect redundant trains or diverse systems are identified in Table B-1 of Appendix B under the heading "Common cause events." These activities are all a result of miscalibration events.

Several electrical system boards are modeled to receive power from multiple sources (e.g., normal and alternate buses, and/or EDGs) without considering the need for undervoltage detection and operation circuitry for breakers and EDGs.

Priority 1 because model change is required.

Basis for Significance:

Component boundaries for breakers do not include such circuitry, based on NUREG/CR-6928. Note that local circuitry and protection devices are included.

Possible Resolution:

Review component boundaries and modeled events for automatic electrical bus transfers.

The EDG logic to start and load (close output breaker) are currently modeled. The component description for the circuit breaker component in Appendix A of NUREG/CR-6928 states:

The circuit breaker (CBK) is defined as the breaker itself and local instrumentation and control circuitry. External equipment used to monitor under voltage, ground faults, differential faults, and other protection schemes for individual breakers are considered part of the breaker.

External equipment used to monitor under voltage is considered part of the breaker. The modeling of automatic bus transfer in the BFN model contains both the normal supply breaker failure to open (FTO), and the alternate supply breaker failure to close (FTC).

Since both failure modes are included, and the data from NUREG/CR-6928 includes under voltage detection in the breaker boundary, the current modeling methodology is appropriate.


The unavailability or failure of a bus is not considered in the logic used to provide alternate electrical power supplies to other buses and boards. Example:

U1_SDREC_A is used to re-energize 4kV SD Board A from 4kV SD Board 3A.

However, the unavailability or failure of 4kV SD Board 3A does not fail the function (it should).

Priority 2 because Model change is required.

Basis for Significance:

Unavailability or failure of the alternate power supply would prevent being able to credit it as an alternate source. Although the failure probability of a bus is much less than the failure probability of other equipment that could affect the power transfer (e.g., breaker demand failure), the unavailability could be substantial, especially during an outage.

Possible Resolution:

Include unavailability and/or bus failures as appropriate, or justify not modeling due to low failure probability.

The failure of the bus has been included in the BFN PRA model. The applicable 4-kV shutdown board failure has been added to gates U1_SDREC_A, U2_SDREC_A, U3_SDREC_A, U1_SDREC_B, U2_SDREC_B, U3_SDREC_B, U1_SDREC_C, U2_SDREC_C, U3_SDREC_C, U1_SDREC_D, U2_SDREC_D, and U3_SDREC_D.

The assumption that A HVAC is normally running and B HVAC is in standby leads to skewed basic event importances and non-sensical cutsets.

For example, with A HVAC always running:

(1) The Loss of RMOV Board A importance is much higher than RMOV Board B (10% vs. 2.5%)

(2) Non-sensical cutsets exist, such as where RMOV Board A is in maintenance and B HVAC fails to start (due to operator or hardware failure).

Basis for Significance:

The assumption that one train is always normally running (the HVAC is only an example) does not reflect the plant operation, and can result in skewed importance results or missing cutsets/sequences (i.e., how would the results be different if the other train were assumed to be running?).

Possible Resolution:

Potential resolution is to remove flag settings for what train is normally running, and use flag events to represent the fraction of time that a given train is running and standby (e.g., 0.5).

The running and standby flags for the HVAC trains have been changed to 0.5 to represent equal running times for all trains.

To prevent non-sensical cutsets, the MUX logic was expanded to include all events under the unit start gates (any failure event that only occurs during a unit start). In order to ensure proper application of the failure of a unit to start, the AHU fails to start after a LOOP event was made unique by adding a "LOOP" to the event name.

Instrument tap failures (leaks) are screened in Section 6.2.3.8 on the basis that the CDF contribution of these is less than 2E-9/[year].

Basis for Significance:

CDF contribution by itself is not a metric that can be used to screen initiators, per IE-C6.

The BFN IE notebook has been updated to reflect the following discussion:

Note: the initiating event document says that this meets IE screening criteria per IE-C4. This is now IE-C6 in RG 1.200 Rev. 2.

Possible Resolution If instrument tap failures are to be screened, the criteria in IE-C6 need to be met, or they should be included as initiating events.

To calculate the value of an instrument line failure, the NUREG/CR-6928 value for a VSLOCA was utilized. The mean frequency of a VSLOCA in NUREG/CR-6928 is 1.55E-03/yr. To estimate the fraction of VSLOCA initiators that is associated with instrument line failures, NUREG/CR-5750 was utilized. Section 4.4.6 of NUREG/CR-5750 discusses four events in the database; all four events were at PWR's. Two of the four events were associated with instrument lines, one a steam generator tube leak, and one a drain line. Thus an instrument line break initiator can be characterized as a very small LOCA where 2 of 4 events are associated with instrument lines. The VSLOCA frequency was split by 0.5 resulting in a frequency of 7.75E-04. Note that the one event for VSLOCA utilized in NUREG/CR-6928 occurred in 1996 and was associated with a reactor recirculation pump seal leak.

Instrument line failures can have significant impact on plants with only two reference legs, as RCIC, HPCI, and feedwater can all be adversely affected. BFN, however, has four reference legs and is only marginally impacted by reference leg leak down. This is confirmed by industry studies which indicate that reference leg leak down with the BFN configuration does not pose a significant challenge to safe shutdown. In order for the instrument line failure to be a significant challenge to safe shutdown it would require failure of two instrument lines which would occur at less than a 1E-6 frequency (7.75E-04*7.75E-04 = 6.01E-07). If failure of one reference leg were to occur the operators would put the channel in a tripped condition. Thus if two reference legs were to fail it would take failure of another reference leg and failure of the operators to manually start the ECCS equipment and result in core damage.

4-40 A review of non-significant cutsets found many LOOP cutsets that have combinations of two independent HFEs which should have some level of dependency:

HFA_02114KVCRSTIE (Failure to cross-tie 4kV SD Board) AND HFA_023148OSDBTIE (Failure to provide alternate power to 480V SD Board).

Basis for Significance:

This is an example of non-significant cutsets that, had they been reviewed, would have uncovered the need to perform additional operator dependency analyses.

Dependency analysis has been re-performed and results are documented in the HRA notebook.

Possible Resolution:

(1) Re-perform operator action dependency analysis.

(2) Re-perform review of non-significant cutsets prior to finalizing and documenting results.

4-41 Offsite power recovery is applied in cutsets where it might not be possible. See U1 CDF cutset at 1.151E-08:

LOOP with common cause failure of shutdown board normal feeder breakers to open.

Basis for Significance:

Recoveries should only be applied to scenarios or cutsets where the recovery can be expected to be successful.

Possible Resolution:

Review recovery logic/rules to ensure that recoveries are not applied to non-recoverable failures.

The example cited is incorrect. If the breakers failed to open, they would still be closed and available for offsite power recovery.

notebook says that EDG boundaries included the output breakers, but the DG system notebook and the model have them as separate events. NUREG/CR-6928 lists breakers as WITHIN the boundary of the EDG.

Basis for Significance:

Apparent inconsistency in data and component boundary definitions.

The EDG output breakers 1818, 1822, 1812, 1816, 1838, 1842, 1832, and 1836 have been included within the boundary of the EDG. The output breakers are no longer explicitly modeled. The EDG system notebook and table 4 have been updated to reflect this change.

Possible Resolution:

Resolve discrepancy.


4-43 No dependency analysis is performed between operator Action IR2 (Operator fails to depressurize after core damage) and HFA_0001HPRVD1 (Operator fails to initiate depressurization [Level 1]).

Basis for Significance:

These two actions are in the same cutset, resulting in a combined failure probability of 6.25E-8 (2.5E-4*2.5E-4).

Possible Resolution:

A dependency analysis should be done between Level 1/Level 2 actions as well as Level 2/Level 2 actions.

Since failure to depressurize prior to core damage is a failure to properly follow/execute steps in the EOI-1 flow chart while failure to depressurize after core melt considers failure to properly follow and execute steps from the SAMG-1 flow chart, there is no dependency of the operator response for this action. Also, during execution of the SAMGs, there will be additional guidance/oversight from TSC personnel. This would further reduce likelihood of Level 1 to Level 2 dependencies.

In general, there will be no dependencies between HFE's from Level 1 (EOIs) to Level 2/LERF(SAMGs).

This will be treated as an assumption in the analysis and documented in the assumption section of the HRA notebook.

4-45 Reviewed LE.01. Section 7.5 implies that repair is considered within the CET structure. However, there is apparently no repair credited in the model, including late recovery of offsite power.

Basis for Significance:

The model is not consistent with the documentation.

Repair is credited in the LERF Model. Recovery of offsite power is modeled in the Level 1 PRA and is credited in the LERF model under in vessel recovery (UxIVR2).

Possible Resolution:

Sequences should be reviewed and repair credited where justified, in accordance with LEC3 (Cat II/III).

4-46 Long-term SBO events take credit in the CET for establishing injection (TD2 succeeds) and flooding containment (FD2 succeeds) without recovering offsite power. Additional cutsets are found with loss of all HVAC and successful injection and core flooding in the CET. Additional cutsets are found with loss of intake and successful core flooding (which could be from RHRSW).

Basis for Significance:

Model fails to carry forward dependencies from Level 1 to Level 2 CET, allowing recoveries to be credited that are

Possible Resolution:

Fix L1/L2 interface.

Fault trees for Level 2 analysis have been added to the CAFTA model and are linked to the Level 1 fault trees.

Split Fraction FD2 (Recover, restore, align RHRSW or RHR (other unit) for injection for containment flood) is based on engineering judgment.

HEP for DW spray initiation in split fraction TD2 is 'set at 1E-2.'

Basis for Significance:

No analysis (detailed or screening) is performed to determine HEPs for these split fractions.

HRA's have been quantified and are now documented in the revised HRA notebook. Also, discussion has been added to LE.01 Appendix A.

Possible Resolution:

Perform HRAs on actions for FD2 and TD2.

Based on containment event tree CET1, failure of containment flooding does not result in a LERF sequence. Consequently, HFAOFD2 is not a LERF contributor and need not be quantified in detail.

4-48 No credit is taken for equipment survivability or human actions following containment failure.

Basis for Significance:

LE-C21 implies credit be taken for equipment survivability following containment failure, for Cat II/III.

Possible Resolution:

REVIEW significant accident progression sequences resulting in a large early release to determine if engineering analyses can support continued equipment operation or operator actions after containment failure that could reduce.

Section 3.1.3 of LERF Notebook contains the following:

The equipment survivability assessment, based on a review of the IDCOR Technical Report 17 (Reference 8), is documented in the Structural Analysis Notebook for BFN Unit 1. As long as the drywell and torus are intact, it is assumed that the environment in the reactor and turbine buildings will not prevent the use of equipment in those buildings. However, at the time of drywell failure, it is assumed in the Level 2 assessment that any active equipment in the torus room, adjacent corner rooms, and anywhere else in the reactor building will not be available due to elevated temperature, humidity, and radiation environments. Qualitatively, this equipment survivability assessment does not take any undue credit for the operation of equipment that is exposed to an extreme environment resulting from core damage and subsequent containment breach.

Several initiating event frequencies are calculated using data from NUREG/CR-6928 and performing a Bayesian update with plant-specific data. However, there are initiating events that are common between NUREG/CR-6928 and the plant-specific data. It is incorrect to perform a Bayesian update with identical data in the generic and plant-specific sources.

Examples: 6928 data includes 1 PLFW from BFN U3 and 6 Turbine Trips from BFN U2/U3.

Basis for Significance:

Incorrect application of Bayesian update process

Possible Resolution:

Prior to updating, screen plant-specific data from generic source (i.e., NUREG/CR-6928), or only update with data more recent than the generic data.

The generic and plant specific data were compared to identify any repeat events. Of these, one Partial-Loss of Feedwater (PLFW) was found. This event was removed from the generic data source and the generic prior gamma distribution alpha and beta factors were recalculated. The results of the recalculation can be seen as follows:

Initiator: PLFW
Mean Value: (4.5/168.8) = 8.59E-02
Variance: 4.5*(1/168.8)^2 = 5.09E-04
A: 4.5
B: 168.8

In addition, there were six turbine trip events contained in both data sources. A similar recalculation would have been done on the TT initiator; however, the TT was chosen to be based solely on plant specific data in consideration of F&O Task ID 146.

In the case that the plant specific and generic data source time periods overlapped, and there were no plant specific failures, or the failures were outside the generic data period, the exposure time for the plant specific Bayesian update was chosen as the end of the generic and plant specific data period overlap and the end of the plant specific data period. This ensures that double counting of the zero failures in the generic and plant specific overlap does not occur. The following discussion has been included in the IE notebook in section 6.3.2.1:

In some cases, plant specific initiators have occurred that overlap with data provided by the generic data source, or there have been no plant specific initiating events that have occurred. For the case when the generic and plant specific data overlap, the plant specific events have been removed from the generic data and the BFN contribution to the reactor-critical years for the frequency have been removed, so they would not be double counted when the Bayesian update was performed. The generic prior frequency was then recalculated. For the case when no plant specific initiators occurred, but the generic and plant specific data period overlap, the Bayesian update exposure time was chosen as described in the following paragraph to avoid double counting the reactor-critical year contribution from BFN in the generic and plant specific data.

For these cases, when the Bayesian update was performed, the exposure time was selected as the time between the end of the overlap (if any) of the generic data period and the plant specific data period and the end of the plant specific data period. Each data reference was reviewed for its data collection period and an exposure time calculated for each initiator. A capacity factor of 0.95 was assumed when determining the reactor-critical years in the Bayesian update exposure time. The results can be found in Table 21.
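The exposure-time rule described above can be written as a conjugate gamma-Poisson update in which only the part of the plant-specific period after the generic data period contributes evidence. The following is an added example, not the licensee's calculation: the prior parameters, dates, event list and function names are constructed for illustration; only the 0.95 capacity factor, the pooling of two units and the 1997 through 2007 collection period come from the text.

```python
"""Gamma-Poisson update of an initiating event frequency without double counting.

Added illustration. Prior parameters, dates and events below are constructed.
Periods are half-open: [start, end), with 'end' the first day not covered.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Gamma:
    alpha: float  # shape: effective number of events
    beta: float   # rate: effective exposure, reactor-critical years

    @property
    def mean(self) -> float:
        return self.alpha / self.beta

    @property
    def variance(self) -> float:
        return self.alpha / self.beta ** 2


def update_window(generic_end, plant_start, plant_end):
    """Part of the plant-specific period not already inside the generic data."""
    start = max(plant_start, generic_end)
    return (start, plant_end) if start < plant_end else None


def exposure_rcy(window, n_units, capacity_factor=0.95):
    """Reactor-critical years accumulated by n_units over the window."""
    if window is None:
        return 0.0
    calendar_years = (window[1] - window[0]).days / 365.25
    return calendar_years * n_units * capacity_factor


def bayes_update(prior, event_dates, generic_end, plant_start, plant_end,
                 n_units, capacity_factor=0.95):
    """Update the prior using only events and exposure after the overlap."""
    window = update_window(generic_end, plant_start, plant_end)
    if window is None:  # plant data lies entirely inside the generic period
        return prior, [], 0.0
    counted = [d for d in event_dates if window[0] <= d < window[1]]
    exposure = exposure_rcy(window, n_units, capacity_factor)
    posterior = Gamma(prior.alpha + len(counted), prior.beta + exposure)
    return posterior, counted, exposure


def naive_update(prior, event_dates, plant_start, plant_end,
                 n_units, capacity_factor=0.95):
    """The flawed variant: every plant event and year is counted again."""
    exposure = exposure_rcy((plant_start, plant_end), n_units, capacity_factor)
    return Gamma(prior.alpha + len(event_dates), prior.beta + exposure)


# Constructed inputs (not values from the IE notebook).
PRIOR = Gamma(alpha=1.5, beta=10.0)      # generic prior, already screened
GENERIC_END = date(2003, 1, 1)           # generic source covers through 2002
PLANT_START = date(1997, 1, 1)           # plant data: 1997 through 2007
PLANT_END = date(2008, 1, 1)
N_UNITS = 2                              # Unit 2 and Unit 3 pooled
EVENTS = [date(2000, 5, 1), date(2005, 3, 15)]  # first one is in the overlap


if __name__ == "__main__":
    post, counted, t = bayes_update(PRIOR, EVENTS, GENERIC_END,
                                    PLANT_START, PLANT_END, N_UNITS)
    naive = naive_update(PRIOR, EVENTS, PLANT_START, PLANT_END, N_UNITS)
    print(f"prior     mean={PRIOR.mean:.3e} var={PRIOR.variance:.3e}")
    print(f"screened  events={len(counted)} exposure={t:.2f} rcy "
          f"mean={post.mean:.3e} var={post.variance:.3e}")
    print(f"naive     mean={naive.mean:.3e} var={naive.variance:.3e}")
```

The naive variant ends with a larger beta and therefore a narrower posterior than the evidence supports, which is the double counting the finding describes.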

4-50 Although equipment survivability beyond equipment qualification limits is credited, there is no indication that significant accident progression sequences were reviewed to determine if continued equipment operation could be credited to REDUCE LERF.

Basis for Significance:

LE-C10 Cat II/III requirements are to REVIEW significant sequences to determine if engineering analyses can be used to take credit for additional equipment operation beyond normal qualification limits to reduce LERF.

Possible Resolution:

Review significant large early release sequences to determine where additional equipment credit may be taken.

Section 6.3.4.5 of the ISLOCA notebook discusses credit for isolating the LOCA before the ECCS pumps are flooded. This is intended to reduce LERF. Credit is based on a review of the ISLOCA cutsets that indicate sufficient time to depressurize the ISLOCA path to allow isolation. Depressurization is required to facilitate operation of isolation valves at lower differential pressure.

4-51 Class3A (B,C)-006 LERF sequences are non-sensical. In these sequences, TD2 succeeds (i.e., DW Spray hardware is available and operator initiates injection per Table A.5.7-1) but DWS fails later in the CET (DWSALLSUP branch is questioned). It should only be asked if TD fails.

Basis for Significance:

Sequence is invalid since DWS is assumed to work but at the same time be unavailable.

Possible Resolution:

Review and correct CET.

TD2 is successful if LPI, CS, AVI or DWS available. It is not guaranteed that DWS is the available system. From this perspective, a subsequent failure of DWS may still be valid. The Boolean logic works itself out when the failure branch fault tree models are linked in the accident sequence quantification. A review of the old CETs indicates that the DWS top is really DWI which does not involve failure of DW sprays.

Separate nodal fault trees are used to calculate node split fractions, whose values are used in the CET. By using separate nodal fault trees and not including them in a single top fault tree, the dependencies -- including sequence, support and operator action -- are not explicitly captured and the analyst must ensure that dependencies are appropriately captured.

Numerous examples of issues due to this method are provided in SRs LE-C7/C8 and LE-A4.

Basis for Significance:

Certain requirements referenced in the SR from the Tables 2-2.7-4(a),(b) and (c) are negatively affected by this method of quantification: QU-A1, QU-B10, QU-C1 and QU-C3.

Single top for LERF has been added to fault trees and is now documented in LE.01 Appendix A.

Possible Resolution:

Consider using a single top event tree for quantifying LERF or develop the required logic needed to ensure that dependencies are properly accounted for.


4-54 The method used to quantify split fractions was very difficult to review and appears to be based on an old LERF model that is not consistent with the current Level 1 model. The split fraction fault trees were not provided. Further, many of the split fraction descriptions provided in Appendix A of LE.01 do not appear to be current or are no longer used in the model.

Basis for Significance:

Split fraction values could not be determined by the reviewer, and descriptions for many split fractions do not appear to be valid any more.

Possible Resolution:

Review and update LE.01 Appendix A, especially to remove discussions or explanations that no longer apply to the LERF model.

LE.01 Appendix A has been revised to address this comment. Fault tree events specific to the LERF analysis are discussed and methodology to obtain split fractions has been re-written.

4-4 4-7 Initiating Event Frequencies for Special Initiators (LOPA, LRCW, INTAKE and %DC) are not provided in the Initiating Event Analysis, and no comparison with generic industry data for these initiators.

Basis for Significance:

A check on reasonableness and explanation of differences for IE frequencies is required by IE-C12.

If generic data is not applicable due to plant specific features, that should be so stated. If this comparison were done, some errors noted in the fault tree initiating event calculations may have been avoided.

Possible Resolution:

Compare special initiator frequencies with any applicable generic data and explain differences.

Frequencies are now provided in section 6.3 of the BFN initiating events notebook for special initiators LOPA, LRCW, INTAKE and %DC. A comparison to NUREG/CR-6928 values is also included for the respective initiators.


Section 6.3.2 of the Initiating Event Analysis discusses applying Unit 2/3 data to all three BFN units. However, it is noted that there have been 7 scrams in the short history of Unit 1 since re-start (~4800 critical hours). This may indicate that U2/U3 data is not applicable to Unit 1, or that Unit 1 data should be included in the population for all 3 units.

Without more information on the data (causes of scrams, actions to prevent future scrams) and additional Unit 1 history (performance in 2008/2009), it cannot be determined whether it is correct to exclude Unit 1 data and/or apply Unit 2/3 data to Unit 1.

Basis for Significance:

IE-C2 requires that excluded data be justified. The case has not been made for excluding Unit 1 data.

According to NUREG/CR-5750, the learning period for new plants should be excluded when calculating initiating event frequencies. BFN Unit 1 is essentially a new plant. It was shutdown for over 20 years and had a great deal of equipment replaced for the restart. BFN Unit 1 had 5 scrams in the first 4.5 months of operation. Since November 2007, BFN Unit 1 has had only one scram. This is on par with BFN Units 2 and 3.

Possible Resolution:

Provide additional details that justify: (1) excluding Unit 1 data, and/or (2) applying Unit 2/3 data to Unit 1.

As stated in Section 6.3.2 of the IE notebook "Between late 1984 and mid 1985, all 3 Units were shut down and have undergone substantial changes to equipment, procedures, and operating and maintenance policies. It was judged that the old data (prior to shutdown) are not applicable to BFN. Among the changes with the most significant impact was the 5% power uprate applied to Unit 1 in May of 2007. The plant SCRAMs following the shutdown period have been graphed (see Appendix C) to show behavioral trends and determine the time frame that most accurately represents the present operating conditions for the three units. An uncharacteristically high number of SCRAMs occurred in the year following the restart of Units 1 and 3; for this reason the data collection period has been limited to the years from 1997 through 2007, excluding data from Unit 1."

Also stated in Section 6.3.2.1 "All three units are similar in design (with respect to initiating events) and Unit 1 will be operated with the same procedures and management philosophy as the other units. Units 2 and 3 have established a significant operational history to assist in the development of appropriate initiating event frequencies for use in the plant PRA models. Due to the fact that Unit 1 has been out of service since 1985 there is not significant operational history. Hence, Unit 2 and Unit 3 data through December 2007 are pooled to form a pseudo plant specific database for Units 1, 2 and 3."

An assumption/uncertainty is also included which states "All three BFN units are similar in design (with respect to initiating events) and will be operated with the same procedures and management philosophy as the other units. Thus the Unit 2 and 3 combined data are used for all BFN units to calculate the initiating event frequency in the model."

Additional Unit 1 history (performance in 2008/2009) was not utilized because it was not available during the update of the IE notebook. During the next revision of the IE notebook this data will be re-evaluated to include data from Unit 1 which does not represent a "learning period".

The following discussion has been included in the IE notebook in section 6.3.2:

BFN Unit 1 was essentially a new plant following restart in May of 2007. It was shutdown for over 20 years and had a great deal of equipment replaced for the restart.

BFN Unit 1 had 5 scrams in the first 4.5 months of operation. According to NUREG/CR-5750, the learning period for new plants should be excluded when calculating initiating event frequencies.

Tables 8, 9, and 10 (of the Data Notebook) list the plant-specific, generic, and estimated unavailabilities used in the model.

However, the raw data used to calculate the unavailabilities in Table 8 are not documented.

Basis for Significance:

Without the raw data there is no way for a reviewer to validate the correctness of the plant-specific maintenance is created and added to the Data Analysis Notebook. The attachment contains a summary of number of planned unavailability hours, unplanned unavailability hours, total unavailability hours, required hours and number of estimated maintenance events.

Possible Resolution:

Provide in an appendix the raw data used to calculate the plant-specific maintenance unavailabilities.

5-3 The data analysis does not appear to consider outlier components.

Basis for Significance:

The inclusion of outlier components can incorrectly impact the failure rate assigned to a component group. Such outlier components should be placed into a separate suitable component group.

Possible Resolution:

Add to Section 6.1.4 of DA.01 a discussion of how outlier components were analyzed. If outlier components were not analyzed, then add such a discussion and perform the required analysis.

The plant-specific raw data was reviewed to identify any outlier components; none were found. Discussion was added to section 6.1.4 as an additional bullet.

DA.01 does not discuss Technical Specifications of shared systems changing due to maintenance activities.

Basis for Significance:

Changes in T/S requirements can have an impact on the calculation of T/M unavailabilities.

Additional discussion related to Tech Specs for shared systems was added to section 6.2.5. Coincident maintenance events were addressed by reviewing work week assessments as described in section 6.2.5 of the Data notebook.

Possible Resolution:

Analyze and document the impacts of T/S changes in shared systems due to test and maintenance activities.

5-5 Section 6.3.2.4.1 of the Accident Sequence Analysis states that if Alternate Rod Insertion succeeds and either the recirculation pumps fail to trip or the SRVs fail to open, then a non-ATWS LOCA occurs which is not modeled in the PRA. While this new LOCA might be quantitatively insignificant, no qualitative argument is made to justify its omission.

Basis for Significance:

The omission of this sequence could result in an incorrectly-low CDF or cause the analyst to miss important insight about the event.

Possible Resolution:

Either model the sequence explicitly or qualitatively justify its omission in the Accident Sequence Analysis.

A qualitative argument was added to the Accident Sequence Notebook. It essentially says that the frequency of an ATWS induced non-ATWS LOCA is less than the ASME standard recommended cutoff of 1E-7/yr.

5-7 Control power for the RHRSW and RCW pumps is currently modeled such that failure of control power will result in failure of the pumps to continue running.

Typically, control power is only needed for starting the pump.

Priority 1 because model change is required.

Basis for Significance:

Currently the model overestimates the dependency on control power.

Possible Resolution:

Move the DC control logic under the gate associated with RHRSW and RCW pump start. Review this also for other normally running pump fault trees.

Control power was placed under pump start gates for all pumps and air compressors where it was determined that control power was not necessary to maintain a running pump.

6-1 HRA Method (Section 6.2.2.1) applies ASEP values as though they are mean values. ASME Inquiry 08-506 on this says this is not acceptable, and the values should be treated as Median Values.

Basis for Significance:

Systematic Error in determining the probability of HEPs using ASEP

Possible Resolution:

Apply ASEP method assuming the point estimates are Median values

Median values have been converted to mean values and Table 5 has been updated to add the mean values.

CCF for Battery Chargers is not included in the Initiating Event Fault Tree for loss of 2 DC buses, other than for the standby chargers (not in the yearly failure rate logic).

Basis for Significance:

Can affect the loss of DC initiating events by a factor of 10, depending on how CCF is calculated.

Possible Resolution:

Include CCF under the yearly failure rate logic or as a top event for all loss of DC initiating events.

CCFs were not included in fault tree initiating events with year-long mission times. As stated in Support System Initiating Events: Identification and Quantification Guideline. EPRI, Palo Alto, CA, and U.S. Nuclear Regulatory Commission, Washington, D.C.: 2008. 1016741: Current models and data for common cause failure (CCF) of operating components are often based on minimal data that have been evaluated and developed for use in a post-initiator, 24-hour mission time model (which typically involves some conservatism). While the conservatism may be acceptable for a 24-hour mission time, extrapolation of this data to model common cause failure frequencies for the year-long mission time used in initiating event modeling often results in frequencies exceeding those observed in industry experience.

Based on the above recommendation, CCF of battery chargers has not been added to the yearly failure rate logic in the Loss of 2 DC bus initiating events fault tree.

No changes to the model or the documentation are required.

6-11 For a multi-unit LOOP, crosstie to another unit's power is credited, even though the other unit is in a LOOP and cannot provide power.

Basis for Significance:

Model change to remove the credit to electrically crosstie to another unit would result in a CDF increase for all three

Possible Resolution:

Modify the model to account for multiple unit LOOP events.

The BFN PRA model has been updated to fail the cross-tie from the other unit's power when the IE is a multi-unit LOOP. This was done by adding the multi-unit LOOP IE underneath gates Ux_SDREC_A, Ux_SDREC_B, Ux_SDREC_C, and Ux_SDREC_D where x is 1, 2, or 3 designating the applicable unit. The unit differences/assumptions section of the EDG notebook has been updated to reflect this model change.

The impact of Surveillance Procedures is not included in the ISLOCA Calculation.

For example, for Core Spray, Surveillances in the CS Notebook indicate an MOV opening every 92 days. The likelihood of an ISLOCA during this MOV test is not calculated in the ISLOCA IE Fault Tree, including the sequence where the check valve would have previously failed prior to the surveillance.

Basis for Significance:

Unknown impact on the ISLOCA Frequency, without analyzing the specifics of the site procedure. If the procedure has the operator check downstream pressure (etc.) prior to opening the MOV, likely there is minimal impact. However, given the ISLOCA has a large impact on LERF, the impact could be significant.

Possible Resolution:

Include the impact of Surveillance Procedures in the ISLOCA Analysis.

The impact of surveillance procedures for the CS and RHR injection paths is addressed in the third and fourth paragraphs of Section 6.3.1.7 of the ISLOCA Notebook. The fourth paragraph and remaining paragraphs of this section address the methodology used to quantify the surveillance test impact.

6-16 The frequency of intake plugging included in calculation for %1INTAKE calculation appears to have no basis. %1INTAKE is the most risk significant initiating event, and the likelihood of an intake structure blockage is a direct input to the frequency calculation.

Basis for Significance:

Changes in the values will have a significant impact on the overall CDF results.

Possible Resolution:

Provide a plant-specific basis for the frequency of intake plugging.

An intake plugging event that causes a three unit scram and fails RCW was developed from plant specific data. This event was incorporated in the MOR and discussed in the initiating events notebook and the RCW notebook. The event was also added to the accident sequence notebook.

6-17 System models do not appear to incorporate operating experience in developing the fault tree logic. RHR Service Water operating experience does not appear to be complete or reviewed. HVAC Notebook says LERs and OER was reviewed, but none are listed (no evidence of the review). Similarly for 120 VAC and others. CRD Notebook includes only a discussion of the BFN Fire, but no review of OE is presented.

Basis for Significance:

Review of experience from BFN and other plants does not appear to be used in developing the fault tree system logic or data. In some cases, review of BFN OE is not included in the notebooks.

The write-up in the system notebooks discussing the level of SER, OER and LER reviews has been enhanced.

There is no requirement in the ASME standard that requires a detailed listing or discussion of the generic or plant specific experience reviewed.

Possible Resolution:

Expand operating experience review and account for any lessons learned in the PRA model.

HFEs are included in the System Models that do not appear to be possible, given the developed logic. For example, HFA_0002RPV LVL is included in the gate U3_CND_G1i, even though logic under the AND gate would result in failure of condensate which would not be recoverable. See also gate U3_IVOG72 where the operator actions may not be possible, depending on the system failures in the cutsets. Also, event HFA_0032MSIV_N2 may not be applicable for sequences involving %21F-TB-CW, which come up through gate U3_MSIVOTBD

Basis for Significance:

The 0.1 screening appears to be applied systematically, without review of whether the operator action is possible.

The level control logic under Gate UxCND_G1i was improved to better accommodate the human action.

Possible Resolution:

Review HRA application of 0.1 screening, to ensure the HFEs are possible for all possible logic (under each AND gate) prior to applying a 0.1 probability.

Gate U3_IVOG72 models the operator allowing the level to drop below the MSIV closure setpoint during an ATWS without bypassing the closure setpoint as directed by procedure. These actions are anded with the RPS failure so they will only be considered during an ATWS. All three of these events have to happen for the MSIVs to close (without hardware failure) during an ATWS. The current logic is correct.

Flood event %11F-TB-CW fails plant air and other portions of the main condenser and condensate system. The action HFA_0032MSIV_N2 models the operator establishing Nitrogen backup to the outboard MSIVs in the event plant air fails. The flood fails PCS making the action moot; the flood initiator was removed from the logic.

No other logic issues relating to HFEs with a 0.1 screening value were found.

event is screened, based on the 1995 PRA of the event.

It appears the model and the assumptions for loss of HVAC have changed, and loss of HVAC as an initiating event should not be screened.

Basis for Significance:

Modeling changes have resulted in HVAC becoming one of the top 5 systems in the present PRA. Based on this, a loss of HVAC initiating event is likely to be significant as a contributor to core damage, and should not be screened.

Screening of the loss of HVAC initiating event is based upon the current HVAC system notebook. Discussion of the 1995 PRA model was included to add additional insight into the impact of loss of HVAC. Discussion of the 1995 PRA model has been removed from the IE notebook to avoid confusion in the future.

Possible Resolution:

Add Loss of HVAC initiating events to the analyzed events for the PRA.

The HVAC system notebook states "It is not expected that failure of any of these systems will cause a scram due to the long time available to repair them, provide a backup, or provide alternate room cooling. Additionally, many of the systems cool areas that do not have high heat loads during normal power operations or do not have equipment necessary for normal operation."

The IE notebook has been updated to state "The loss of important HVAC systems is well annunciated, and heat up calculations show that there is ample time for the operators to restore HVAC or take procedurally guided steps to prevent unnecessary isolation or SCRAM. Additionally, many of the systems cool areas that do not have high heat loads during normal power operations or do not have equipment necessary for normal operation. For additional discussion see the BFN PRA HVAC system notebook."

This meets ASME standard IE-C4 part c screening criteria which states "the resulting reactor shutdown is not an immediate occurrence. That is, the event does not require the plant to go to shutdown conditions until sufficient time has expired during which the initiating event conditions, with a high degree of certainty (based on supporting calculations), are detected and corrected before normal plant operation is curtailed (either administratively or automatically)."


Event STRPLISTIN_0750664, CS Suction Strainer Plugging, is only assumed for Large LOCA in the Model. The phenomenon causing plugging is not limited to large LOCA only, and is possible on Medium LOCA, SRV opening, etc. A question was asked to the analyst on this, and the reference to the absence of permanently installed air filters or other sources in the drywell.

However, the debris, if present, would be swept into the suction strainer by any LOCA.

Basis for Significance:

Affects multiple Initiating Events.

Pre-existing material in the Torus can also affect the strainer plugging likelihood.

The strainer plugging event was added for MLOCA. All SRVs discharge directly to the suppression pool, so a stuck open SRV could not dislodge material from the drywell.

Possible Resolution:

Include CS Suction Strainer failure for all applicable LOCA events, including SRV lift events. It is possible to use different plugging likelihood values for each LOCA size.

6-22 The Timing used for recovery of Clogged Intake appears to be based on rough estimates, and without statistical basis, such as historical information. A question was asked to the system analysts, and the response was that additional review of the basis is needed.

Additionally, the credit for recovery, including the use of extra crew does not appear to be supported (does the procedure usually involve more than 1 crew member, and would that extra crew be supporting the initial operator or performing other actions).

Basis for Significance:

Recovery value is significant to the results.

Possible Resolution:

Provide better basis for the intake recovery HFE.

This action has been removed from the model.

6-25 Event HFA_3003 P_START_A does not appear to be applied correctly in the model. A question was asked of the analysts on the logic, and the response referred to gate U3_FWH_INIT for events where FW recovery is not credited. However, the logic under gate U3_FWHG50 limits the operator failure event to only excessive FW events, resulting in no failures coming through for other events where FW is credited.

Basis for Significance:

Significance is unknown, since model modification is required in order to determine the impact.

Possible Resolution:

Remove the requirement for excessive FW events only when applying the HFE.

The human action HFA_3003PSTARTA is used in every situation where a feedwater pump has to be started. One of those cases is where the pump is running and is tripped due to excessive feedwater flow. It is assumed the pump can still be operated but must be restarted. This gate is OR'd with a gate where the feedwater pump is not running and either has to be started or is in T&M. This Human Action is used in that tree also. There is no incorrect logic with this human action. No changes are necessary.

6-26 The post-processing of HEPs appears not to account for all dependencies in the HFEs. Numerous cutsets contain Combo events as well as other events post-processed into the cutsets.

A question was submitted to the Analyst, but the independence of all combinations in the cutsets was not documented in the HRA notebook.

Basis for Significance:

Systematic issue with applying dependencies. Likely if all dependencies were accounted for, the CDF would significantly increase.

Possible Resolution:

Recommend revising combination analysis to include additional combinations that appear in the cutset results.

The combination analysis has been revised to include additional combinations. Results documented in the HRA notebook.

6-28 Basis for operator action time (30 min) for HFA_0085ALIGNCST appears to be roughly estimated, as is the time available (7 hours).

Basis for Significance:

Event provides over 5% of CDF.

Possible Resolution:

Provide a more accurate assessment for the timing for HFA_0085ALIGNCST.

HFA_0085ALIGNCST is used in fault trees for medium LOCA sequences. Thus, timing analysis has been revised to reflect medium LOCAs. Two separate MAAP cases documented in the BFN Thermal Hydraulic Notebook (SC.02) are applicable and were considered to define the total accident time window: MAAP CASE03 shows CST depletion at 5.8 hrs and MAAP CASE04 shows CST depletion at 6.9 hrs. The total time window has been reduced to 5.8 hours based on the limiting MAAP case.

6-30 Dependencies between operator actions appear to be non-conservatively applied. Mainly, the Zero Dependence (ZD) between actions is commonly applied, simply when one of the actions takes longer than 60 minutes. What appears to be the mistake is applying the last event tree node in the Dependency Event Tree. In this tree, if the stress of either HFE is moderate or high, the upper leg of the event tree is used. So for combo 2, the HRA assumes ZD, while the event tree would designate Low Dependency.

Basis for Significance:

Systematic error affecting around 1/2 of the combo events, including combo 18.

Possible Resolution:

Correct dependency analysis in the HRA.

In general, dependencies between operator actions have been derived within the rules outlined in the HRA Calculator. In one case, the dependency rules have been over-ridden by a user defined rule. In this particular case, a note was added stating the reason for the over-ride.

"Need to depressurize would arise no less than 2 hr after ability to initiate SPC would no longer permit use of HPCI/RCIC after CST depletion." This statement is under the dependency event tree and occurs for combinations of HFA_0074HPSPC1, Failure to align RHR for suppression pool cooling (non-ATWS/IORV) and HFA_0001HPRVD1, Failure to initiate reactor-vessel depressurization (transient or ATWS). The timing for the cues implies that there should be a complete dependence, however the timing for HFA_0074HPSPC1 occurs over 5.4 hours and therefore there is no time dependence. The cue comes in, but the required action has such a long time in which to be accomplished, there is no dependence, hence zero dependence was manually chosen. The note in the calculator is sufficient to address the issue and the HRA notebook addresses this in section 6 just prior to section 7, conclusions.


6-34 Bistable failure rate is applied to the following events: LEVEL CONTROLLER FIC 71-0036A FAILS, HPCI FLOW CONTROLLER FIC 073-0033 FAIL, ANALOG TRIP UNIT LS-3-208A FAILS TO ACTUATE ON DEMAND (and others).

Basis for Significance:

Failure rates for level controller and flow controller are higher than for bistable.

Possible Resolution:

Use the Level Controller, Flow controller and trip unit values from NUREG/CR-6928 for these events in the DB.

New type codes have been created for level controller fails on demand (LVCFD), flow controller fails on demand (FLCFD), and analog trip unit fails on demand (ATUFD). The new type codes use data for process logic fails on demand (mean = 6.25E-04) instead of bistable fails on demand (mean = 5.44E-04). Common cause groups Ux 00304BISFD8 (where x is the unit number) have been renamed to Ux_00304ATUFD to reflect that these common cause groups consist of analog trip units.

6-35 Assumptions in each system notebook are not summarized in the assumptions section. For example, in CRD notebook, the excluded components section is not summarized in the assumptions section. As such, the system notebooks typically contain few assumptions.

Basis for Significance:

Sources of uncertainty are used in the quantification of the final results and are later used in applications.

Possible Resolution:

Review the assumptions listed in other parts of the system notebooks, and add these to the Assumption and Uncertainty Section of each system notebook.

Assumptions made in the system notebooks were summarized in the Assumptions section.

Break Frequencies calculated for the analysis appear to be too low, in comparison with other plants. From NUREG/CR-5102, Appendix F, Table 2, the RHR and CS piping would generally get a failure probability of 2.65E-02 and 2.54E-03 respectively. Other reference documents used should get similar results.

The BFN analysis is supported by an Excel spreadsheet for the overpressure estimate, and this analysis is not included in the system notebook. In the Excel spreadsheet it appears the temperature assumed for the CS and RHR analysis assumes room temperature, whereas full RCS temperature is more appropriate.

ISLOCA is a significant contributor to LERF

Possible Resolution:

Revise the conditional pipe break frequencies to match industry accepted values, based on use of RCS temperature in the CS and RHR piping. Benchmarking of other plant methods and values may be useful here. Include the overpressure/pipe break analysis (excel spreadsheet) as a part of the reviewed system notebook.

were expanded to include calculation details for the ISLOCA break frequencies assuming a temperature of 600F.

6-41 Fuel oil transfer pumps to refill the day tank are not part of the EDG boundary in NUREG/CR-6928.

Priority I is given because a model is required.

Basis for Significance:

Issue with EDG Component Boundary.

Possible Resolution:

Add separate failure of fuel oil transfer to the EDG Fault Tree Model.

NUREG/CR-6928 states that the EDG boundary is the following:

"The EDG boundary includes the diesel engine with all components in the exhaust path, electrical generator, generator exciter, output breaker, combustion air, lube oil systems, fuel oil system, and starting compressed air system, and local instrumentation and control circuitry.

However, the sequencer is not included. For the service water system providing cooling to the EDGs, only the devices providing control of cooling flow to the EDG heat exchangers are included. Room heating and ventilating is not included."

The "fuel oil system" is interpreted as up to the fuel oil day tank including the fuel oil transfer pumps. Each EDG at BFN has a 550-gallon day tank that provides enough fuel to operate for 2-1/2 hours at full load. Fuel is then transferred from the 40,000-gallon 7-day diesel storage tank with the diesel fuel oil transfer pump to continue operation. There is one 40,000-gallon 7-day diesel storage tank for each diesel generator and it is included in the diesel generator boundary. The pumps that transfer fuel from the yard storage tank are outside the boundary and are not considered in the model.

PRA Process includes discussion of PRA model changes, ASME Requirements, etc. However, there is not a requirement that the PRA update be performed in accordance with the previously defined SRs.

Basis for Significance:

Review of NEDP-26 does not include any requirements on the PRA model changes.

MU-B3: "PRA changes shall be performed consistent with the previously defined SRs"

Possible Resolution:

Recommend adding a statement to NEDP-26 that the changes should be performed to a similar technical level as the original analysis, ensuring the Capability of the PRA remains at a minimum to the same level of the original PRA.

Section 3.3 of NEDP-26 states:

NPG PRA Updates shall follow the guidelines established by the ASME RA-S-2002 Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications for a minimum of a Category II assessment.

Section 1-5.4 of ASME RA-Sa-2009 does not state or indicate that PRA changes are to be performed consistent with previously defined SRs. Given the statement in Section 3.3 of NEDP-26 we meet the statement: Changes to a PRA due to PRA maintenance and PRA upgrade shall meet the requirements of the Technical Requirements Section of each respective Part of the ASME PRA Standard.

6-46 NEDP-26 requires models to be updated every other refueling cycle or sooner if estimated cumulative impact of plant configuration changes exceeds +10% of CDF. There is no requirement to perform updates when the risk impact is negative (a risk reduction).

Basis for Significance:

Risk reductions can have significant impacts to PRA applications

Possible Resolution:

Modify requirements to + or - 10% or provide separate guidance of when to modify the PRA when the PRA results are going down.

NEDP-26 Section 3.3 has been updated to state that +/- 10% of CDF or LERF

6-47 NEDP-26 requires models to be updated every other refueling cycle or sooner if estimated cumulative impact of plant configuration changes exceeds +10% of CDF. There is no requirement to update when the LERF model is impacted.

Basis for Significance:

Changes in LERF can impact risk applications.

NEDP-26 Section 3.3 has been updated to state that +/- 10% of CDF or LERF.

Possible Resolution:

Add LERF requirements to the change and update process.

6-48 In the ISLOCA Analysis, Table 6-22 is applied to Check Valve Leakages. The factors (e.g. leak >600 gpm) are applied to Check Valve internal leak, large, from NUREG/CR-6928. The data in NUREG/CR-6928 already includes a reduction from small leak (1.48E-06/hr) to large leak (2.96E-08/hr). The application of an additional severity factor developed from a separate set of data is inappropriate, and double counts the large to small leak severity factor ratio.

Basis for Significance:

ISLOCA is significant for LERF considerations.

Possible Resolution:

Remove credit for severity factors applied using Table 6-22 of the ISLOCA Notebook, including events U*_ISLV41, 42, 43 events and other similar events.

The events on Table 6-22 are described in Section 6.3.4.3 of the ISLOCA Notebook.

Table 5-1 of NUREG/CR-6928 indicates that a small check valve internal leak is between 1 and 50 gpm and a large check valve internal leak is greater than 50 gpm.

The frequency of a large check valve internal leak is 0.02 or 2% of the frequency of a small check valve internal leak.

Figure 6-18 of the ISLOCA Notebook indicates that the frequency of a check valve internal leak exceeding 50 gpm is approximately 3.0e-08/yr. This is relatively close to the NUREG/CR-6928 frequency of 2.96e-08 for large check valve internal leak. It is concluded that Figure 6-18 can be used to calculate the conditional probabilities on Table 6-22.

Section 6.3.4.3 of the ISLOCA Notebook addresses the methodology used to calculate the values on Table 6-22. The conditional probabilities were calculated by dividing the mean frequency of exceeding 600 gpm by the mean frequency for exceeding the relief capacity of the ISLOCA path. The relief capacity of the ISLOCA path translates to a check valve leakage ranging from 52 gpm to 267 gpm, which corresponds to a large check valve internal leakage, as defined in NUREG/CR-6928.

It is therefore concluded that it is valid to use the NUREG/CR-6928 frequency of 2.96e-08 for large check valve internal leak in the model combined with conditional probabilities provided on Table 6-22.

This is not a valid F&O

6-49 The %1INTAKE initiating event is modeled in a simplistic manner, and does not appear to represent the expected plant and operating response. On the conservative side, the plant in many instances can reduce power to extend the time to clean the screens.

On the non-conservative side, there are possible events where operator actions (cleaning the screens) will not prevent plugging, given a very large amount of material plugging the intake.

Additionally, some events could break through the screens causing plugging of the system (Hx, strainers, or pumps). The above events have actually occurred at other plants.

This F&O is given a Priority 1 since model changes are required for the Intake Plugging event.

Basis for Significance:

%1INTAKE is the number 1 CDF and LERF contributor.

Possible Resolution:

Modify the model to include the factors that affect risk, including power reductions, screen breakthroughs, operator actions causing screen breakthroughs, and the likelihood that an event would occur where cleaning activities will not prevent plugging. Other plants have typically assumed a single CCF event (much lower in frequency) for plugging of all intakes, where operator response for cleaning is not possible, but with other sequences where partial plugging occurs.

An intake plugging initiator that scrams all three units and fails RCW was developed from plant specific data. This initiator replaces the current initiator estimate and operator actions in the model. A conditional probability event of the RHRSW/EECW system failure due to intake plugging was developed that replaces the human action in the model. The model, along with the AS notebook, IE notebook, RCW notebook, RHRSW notebook, and EECW notebook are changed accordingly.

The calculation of HPCI Steam Lines breaks (IE Section 6.2.3.8) does not appear to be reasonable, using older EPRI data and Wash-1400 data. The resulting steam line break calculated is 4.55E-10/year, which does not compare with results from other plants. Using newer data, the pipe break frequencies would likely be 2-orders of magnitude higher.

Additionally, although the isolation valves may be available to eventually isolate the break, the impact of the break may have already occurred prior to isolation.

Basis for Significance:

Pipe break in the HPCI line can affect RCIC and many other components, due to the HPCI pump being open to other areas.

The modeling as documented does not provide basis for screening, and if reperformed, the analysis will likely result in orders of magnitude increases here.

The newer revision of the EPRI pipe rupture frequency data has not been made available to the public. The steam line break calculations will be revised and new data incorporated at the time the document is released.

Possible Resolution:

Consider including a HELB for HPCI in the PRA. Also, look at the impact of the HPCI analysis with respect to the RCIC.

DCD BFN-80-707 R19 states: Temperature detectors shall be located in the HPCI equipment area and shall initiate isolation before ambient room temperature reaches the Environmental Qualification (EQ) temperature limits for safety related devices located in this area. This statement with a reference to the Design Criteria Document has been added to the IE notebook.

The generic MOV FTC value of 1.07E-03/demand is now utilized.

The HPCI MOV FTC CCF probability has been updated to the value of 1.41E-02.

The updated HPCI Steam Line Break value is 1.97E-09/year. However, this does not change the conclusion of the IE notebook to not include this IE in the BFN PRA model.

Also, the generic MOV FTC value (from NUREG/CR-6928) in Data Table 4 is 1.07E-03/demand.

Finally, the CCF probability used should be changed to the HPCI MOV FTC, with Alpha = 1.41E-02.

Some of the MOVs credited in the ISLOCA Fault Tree are not tested to close against full DP. These MOVs are not originally included in the design as RCS isolation valves. Examples include 74-55 and 74-66 (note: this is not a complete list, but 2 of 4 valves reviewed were not in the MOVATs 89-10 program).

Basis for Significance:

MOVs closing for ISLOCA are risk significant, with a RAW of greater than 2.

Credit for MOV closure for isolation during an ISLOCA event is based on alarm procedural actions to reduce RCS pressure as RCS inventory is discharged through the break. Reduced differential pressure across the MOVs allows for ISLOCA isolation prior to flooding the ECCS pumps. This clarification was added to the second paragraph of Section 6.3.4.5 of the ISLOCA Calculation Notebook.

Possible Resolution:

Do not credit MOVs in the ISLOCA without verification the valves will close against full DP of RCS pressure.

The following alarms are in the control room on Panel 1-9-3:

Path | Pressure Sensor | Trip Point (psig) | Panel Alarm
Core Spray Discharge I | PS-75-24 | 400 | PA-75-24
Core Spray Discharge II | PS-75-52 | 400 | PA-75-52
RHR Discharge I | PS-74-51 | 400 | PA-74-51
RHR Discharge II | PS-74-65 | 400 | PA-74-51
RHR Suction | PS-74-93 | 100 | PA-74-51

The alarm response procedures correctly identify the ISLOCA initiating paths as the probable cause and direct the operators to verify pressure on Panel 1-9-3. Then, alarm response procedure for PA-75-52 directs the operators to perform the following:

-CHECK 1-FCV-75-53 and 1-FCV-75-54 closed, on Panel 1-9-3.

-REDUCE pressure by cycling CORE SPRAY SYS II TEST VALVE, 1-FCV-75-50.

-If alarm returns, CLOSE CORE SPRAY SYS II OUTBOARD INJECTION VALVE, 1-FCV-75-51 to protect low-pressure piping.

-REFER to T. S. 3.5.A.

The response for PA-75-24, core spray system I is similar to the above. The response for PA-74-51 refers to 2-01-74. If high pressure is on one of the discharge paths, the operators are instructed to throttle open the suppression pool path. The procedures do not instruct operators to close the outboard injection valves to protect low-pressure piping. If high pressure is not indicated in either discharge path, the operators are instructed to check RHR suction by requesting maintenance to connect a hose (1-1/4 inch) from the discharge of 1-74-666 (SD CLG SPLY HDR TEST) and then open 1-74-666 and crack open 1-74-665.

Whether the leak is large (rupture with large initiator leak) or small (rupture with small initiator leak or no rupture but leakage > GLP) affects the plant response and determines the time required to flood the pumps in the reactor building. The relief valves discharge to sumps (CRW) in the reactor building corner rooms on Elevation 519'. There are temperature and level alarms in the control room. In fact, these alarms are entry conditions to the emergency operating instructions, which direct the operators to identify and isolate the leak as well as scram the reactor if required.

RWCU Break Frequency uses the HPCI break calculations, which includes closure of the isolation valve. In the discussion, it says a leak in the HX causes isolation.

However, breaks elsewhere would not. Therefore, the HPCI calculation is not applicable. RWCU Line Case 3: Additionally, please provide justification that the isolation valves will be closed prior to flooding or steam damage to the surrounding area.

Basis for Significance:

RWCU is at the bottom of the vessel and could result in core uncovery if unmitigated.

Possible Resolution:

Revise RWCU initiating events analysis.

Leak and break detection is provided in the area of RWCU piping and components. According to OPL 171.013 Rev 17, leak detection is provided in the following areas: Main Steam Tunnel, Pipe Trench, "A" Pump Room, "B" Pump Room, East Wall Hx Room, and West Wall HX Room. There are 4 temperature switches in each area for a total of 24 temperature switches.

Actuation of any two of the temperature switches will cause actuation of RWCU isolation valves FCV-69-1 and FCV-69-2 (as well as the return valve FCV-69-12). Based on this information, the HPCI analysis cases 1 and 2 do apply to the RWCU HELB analysis as described in the Initiating Events Analysis Notebook. This is stated in the notebook as:

The RWCU isolation valves are closed by the following signals:

-Low reactor water level (level 3) to protect the core in case of a break in RWCU System piping or equipment.

-High temperature in areas occupied by RWCU equipment and piping to isolate system in case of a piping break.

-Standby Liquid Control System initiation to prevent removal of the boron by the ion exchange resin.

-High temperature at the outlet of the NRHX (140°F, TIS-69-11) to protect the ion exchange resin from damage due to high temperature. An alarm is provided on Panel 9-4 from TIC-69-10.

-Loss of RPS A will result in an inboard and outboard Group 3 (RWCU) isolation. Loss of RPS B will result in an outboard Group 3 (RWCU) isolation.

For RWCU case three, the RWCU system DCD states the RWCU isolation valves are environmentally qualified.

The RWCU isolation valves are the only credited PRA component in these rooms. Therefore, no changes to the documentation or the model are required.

Experience does not appear to be reviewed in determining new failure modes that may leave equipment unavailable. For example, HPCI notebook, 3.2.6.1 includes LER 260-2003-02. The experience appears to be relevant but does not appear to be treated further. Similar issue with RCIC notebook experience. See also F&O on some system notebooks not including detailed discussion on OE.

SR is not met.

Basis for Significance:

Appears to be a systematic error for all systems.

Possible Resolution:

Add a review of plant specific or generic events involving human errors to see if anything additional is identified.

LER 260-2003-02 involved a poor connection that resulted in isolation of the HPCI steam supply due to a sensed high steam flow. This is not a new failure mode and should be included in the HPCI fail to run data. The write-up in the system notebooks discussing the level of SER, OER and LER reviews has been enhanced. There is no requirement in the ASME standard that requires a detailed listing or discussion of the generic or plant specific experience reviewed.

RCW initiating event appears to be incorrectly reduced by factor RCWMTCF for combinations where the reduction factor does not appear to be valid.

In particular, the event is applied to cutsets containing common transformer events. Also, reduction factor appears to be calculated incorrectly (1/365)**2.

Basis for Significance:

Loss of RCW initiating event appears to be reduced by a factor of 1E-02 from the actual

Possible Resolution:

Correct the fault tree initiating event for Loss of RCW to get correct results.

The rule-based recovery file was modified to address different conversion factors based on specific events with annual exposures in the cutsets as follows:

ADD RCW CONVERSION FACTOR

RESET
    • CLEAR RECOVERY FLAGS**
    • MAX RECOVERIES** 1
    • CHANGEEVENTS** +RCWMTCF1 -RCWMTCF

%1LRCW XRFFR1OXF_23600011E RCWMTCF SUMMERPROB

%1LRCW XRFFR2OXF_23600021E RCWMTCF SUMMERPROB

%1LRCW XRFFR3OXF_23600031E RCWMTCF SUMMERPROB

    • CHANGEEVENTS** +RCWMTCF2 -RCWMTCF

%1LRCW XRFFR10XF_2430001BIE RCWMTCF

%1LRCW XRFFR20XF_2430002BIE RCWMTCF

%1LRCW XRFFR3OXF_2430003BIE RCWMTCF

%1LRCW XRFFR1OXF_23600011E RCWMTCF SPRINGFALLPROB

%1LRCW XRFFR2OXF_23600021E RCWMTCF SPRINGFALLPROB

%1LRCW XRFFR30XF_23600031E RCWMTCF SPRINGFALLPROB

    • CHANGEEVENTS** +RCWMTCF3 -RCWMTCF

%1LRCW RCWMTCF

    • CHANGEEVENTS** +RCWMTCF1 -RCWMTCF

%2LRCW XRFFR1OXF_23600011E RCWMTCF SUMMERPROB

%2LRCW XRFFR20XF_23600021E RCWMTCF SUMMERPROB

%2LRCW XRFFR3OXF_23600031E RCWMTCF SUMMERPROB

    • CHANGEEVENTS** +RCWMTCF2 -RCWMTCF

%2LRCW XRFFR1OXF_2430001BIE RCWMTCF

%2LRCW XRFFR20XF_2430002BIE RCWMTCF

%2LRCW XRFFR30XF_2430003BIE RCWMTCFSPRINGFALLPROB

%2LRCW XRFFR20XF_23600021E RCWMTCF SPRINGFALLPROB

%2LRCW XRFFR30XF_23600031E RCWMTCF SPRINGFALLPROB

    • CHANGEEVENTS** +RCWMTCF3 -RCWMTCF

%2LRCW RCWMTCF

    • CHANGEEVENTS** +RCWMTCF1 -RCWMTCF

%3LRCW XRFFR1OXF_23600011E RCWMTCF SUMMERPROB

%3LRCW XRFFR20XF_23600021E RCWMTCF SUMMERPROB

%3LRCW XRFFR3OXF_23600031E RCWMTCF SUMMERPROB

    • CHANGEEVENTS** +RCWMTCF2 -RCWMTCF

%3LRCW XRFFR1OXF_2430001BIE RCWMTCF

%3LRCW XRFFR20XF_2430002BIE RCWMTCF

%3LRCW XRFFR30XF_2430003BIE RCWMTCF

%3LRCW XRFFR1OXF_23600011E RCWMTCF SPRINGFALLPROB

%3LRCW XRFFR2OXF_23600021E RCWMTCF SPRINGFALLPROB

%3LRCW XRFFR30XF_23600031E RCWMTCF SPRINGFALLPROB

    • CHANGEEVENTS** +RCWMTCF3 -RCWMTCF

%3LRCW RCWMTCF

7-5 Where system models affect the quantification of a CET top event, they are often not included in the model.

Basis for Significance:

The model does not appear to explicitly account for the dependencies between Level 1 and Level 2 events as required by this SR.

Fault trees for Level 2 analysis have been added to the CAFTA model and are linked to the Level 1 fault trees.

Possible Resolution:

Incorporate the fault trees shown in the documentation into the model in order to capture Level 1 - Level 2 dependencies instead of using single basic events.

7-6 Section 7.1 of LE.01 directly addresses those contributors from the table, but plant specific issues do not appear to be addressed.

Basis for Significance:

The SR requires the consideration of unique plant issues.

There were no plant specific contributors to LERF identified.

Possible Resolution:

Include discussion of plant specific issues that may contribute to LERF.

The definition of Early appears to be inconsistent and may eliminate some scenarios from consideration for LERF.

Basis for Significance:

Definition of the timing of accident sequences determines whether a sequence can contribute to LERF. Timing based from accident initiation will be different than timing from declaration of General Emergency.

Sections 6.1.2 and 6.1.3 have been added to the LERF notebook to clarify the timing definition used and include information that shows the timing used for each scenario or group of scenarios based on the MAAP calculations.

Possible Resolution:

Clarify the timing definition used and include information that shows the timing used for each scenario or group of scenarios based on the MAAP calculations.

II-tV-A5b-UJt

For flooding events that cannot result in the "major flood" scenario due to limit in the flood source system inventory, the portion of the piping system failure frequencies for "major flood" should be combined with the "flood" scenario. In this case, only the "flood" impact should be modeled.

For example, the total frequency for the RBCCW flood on El. 593' or El. 565' of Reactor Building (derived from the total piping system failure frequency) was split into three portions based on the possible spill rate: major flood (> 2,000 gpm), flood (between 100 gpm and 2,000 gpm), and spray (up to 100 gpm). Even though the RBCCW could not cause the impact of a "major flood" because of the limited system inventory, the total flood frequency resulting from failure of the RBCCW piping system should be accounted for in modeling the RBCCW-induced flooding scenario (by combining both the "major flood" frequency and the "flood" frequency for the "flood" scenario) since the RBCCW pipe dimension permits a spill rate in excess of 2,000 gpm.

The spray and flood frequencies for all applicable floods were combined.

IFEV-A6-01 Only generic data is used in the estimation of pipe failure and flooding frequencies including pressure boundary rupture and human-induced breach of boundary. No plant-specific operating experience is accounted for.

Browns Ferry has no documented at-power flooding events. This is documented in the Internal Flooding notebook.

IFEV-A6-02 It appears that the data used for the Circulating Water expansion joint may not be consistent with the latest version of EPRI data as documented in EPRI report 1013141 (Reference 6).

Additionally, it is not clear why the analysis did not consider the possibility of "flood" scenario (i.e., leak rate between 100 gpm and 2,000 gpm) for expansion joint failure (no justification was given in the IFPRA notebook). The most recent version of EPRI data represents the "major flood" resulting from expansion joint failure by two separate scenarios: one between 2,000 gpm and 10,000 gpm, and another one greater than 10,000 gpm. However, the BFN IFPRA only has one scenario for "major flood" representing a flood spill rate of more than 2,000 gpm.

An assumption was added to the assumptions section to address this. In essence, Browns Ferry is unique in that it has a very large lower area in the turbine building that has to be flooded. This is because the lower areas of all three units' turbine areas are interconnected. Most plants only have to fill the area under a single turbine unit before significant damage is encountered. The time available to detect and mitigate this accident is much greater for Browns Ferry. This same condition also significantly reduces the difference between a "small" major flood and a "large" major flood.

Generic data was used to estimate the frequency of human-induced flooding scenarios associated with maintenance on the EECW/RCW system [Section 6.5 indicates 2 events for EECW in the Reactor Building (not accounted for in the BFN IFPRA result), while Appendix G indicates 1 event for RCW in the Turbine Building (not clearly documented in Section 6.5)]. Systematic evaluation of all of the systems potentially susceptible to this type of flooding scenarios was not consistently provided.

Maintenance-related human-induced flooding scenarios are highly plant-specific and system-specific.

Using only sparse generic data cannot systematically identify vulnerable areas for human-induced flooding scenarios that may result during power operation; e.g., maintenance of the condenser water boxes (opening of the manways for tube plugging), RBCCW heat exchanger maintenance (opening of the heat exchanger), maintenance of the fire water pre-action/clapper valves, frequent maintenance on the chillers, etc. The description of analysis for operation/maintenance-related flood associated with condenser waterboxes given in the IFPRA notebook indicates that human-induced flood is extremely unlikely because of the local operator monitoring, etc.

However, with the same types of protection, human-induced flooding events resulting from condenser waterbox maintenance have actually occurred in the past at other plants. The description of analysis for operation/maintenance-related flood associated with EECW and A/C equipment indicates that human-induced flood is very unlikely because the system is rarely opened for maintenance and local operator monitoring of the proper isolation of chillers.

However, chiller maintenance is actually a quite frequent event. More thorough and better justifications should be considered, including the size of the possible human-induced leak/flood, etc.

The referenced table in Section 6.5 was removed and a more detailed write-up provided for treatment of maintenance induced flooding. This write-up also discussed the TB flood example cited in Appendix G.

IFEV-B2-01 It appears that not all of the assumptions used in the analysis were documented; e.g., the assumption that the pipe diameters and pipe lengths for the same systems at the same locations are approximately identical among the 3 units was used for some areas, but was not documented.

All assumptions have been documented in the Assumptions section.

IFEV-B3-01 Sources of uncertainty and relevant assumptions associated with potential flood initiating events were not identified consistently.

Table 4-1 did not identify sources of uncertainty relative to the flood-induced risk contributors (e.g., frequencies of failure/leakage/rupture from the various flood sources, and other mitigation factors such as door failure likelihood, etc.).

All assumptions were listed in the assumptions section.

The uncertainty table was expanded to include more discussion on potential uncertainties.

Operator actions for flood mitigation analyzed are not listed in Table F-1 as stated in Section 6.8. Table 4 in Appendix H provides the description of two actions (i.e., Reactor Building major flood isolation, HFA_0_RXMAJORFLOOD; and isolation of major RCW flood in Turbine Building, HFA_024RCW-M with a HEP value of 1.0). The same HEP for HFA_0_RXMAJORFLOOD is used for all scenarios where this action is applied.

However, no analysis details (e.g., performance shaping factors such as timing, accessibility, etc.) were documented in the IFPRA notebook for either HFE.

Based on a word search, HFA_0_RXMAJORFLOOD was not found in any of the HRA notebooks. It is not clear what instrumentation was relied on for the detection of a flood event and for the identification of the flood source and the location of the breach which are required to determine the specific isolation action to perform (e.g., the specific valves to close for the isolation of the breach).

The HRA was better delineated in the flooding report.

IFQU-A6-01 The effects of flood on the human actions modeled in the internal events PRA that are not directly related to flood mitigation (i.e., isolation of the flood) may not have been considered consistently. Only one human action event (HFAOO74UNITXTIE) is listed in Table 4 of Appendix H. It is not clear if this is the only non-flood human action in the PRA model for which no credit is taken due to the effects of the flood.

Typically, the effects of flood on these human actions may result in either an increase in the HEP (e.g., due to increase in stress, workload, etc.) or failure of the human action (i.e., no credit can be taken for the human action if it is an ex-control room action performed in an area affected by the flooding effects). Additionally, manual isolation action to terminate the flooding scenario may not have been applied to all applicable scenarios where appropriate.

The HRA's were better delineated in the flooding report. Non-flooding HAs that could be impacted by flooding events were identified and modified accordingly.

IFQU-A7-01 The flood-induced CDF and LERF for selected spray scenarios (e.g., such high CDF/LERF contribution scenarios as %IFS1RB565-ECS, %IFS2RB565-RCW, %IFS3RB565-ECS, %IFS3RB565-RCW, etc.) are probably conservative without considering some of the unique characteristics of water spray; e.g., portion of the piping system considered in the calculation of the spray frequency may be outside the spray impact range, equipment within the spray impact range (360°) may not be damaged simultaneously in the same spray scenario due to the directional nature of spray, equipment being sprayed on may not necessarily fail even if the component is not designed for water intrusion proof, etc.

Spray floods have been added and refined to more specific areas within the flood area if possible.

IFQU-B8-01 The derivation of the XINIT input file and the XINIT input information should be presented in the Internal Flood PRA notebook. Table 4 in Appendix H lists the impact of the flood scenarios (i.e., components failed and human failure events). However, the specific model elements affected by these flood impacts and incorporated into the PRA model are not documented in the IFPRA report (e.g., how the effects of the initiating event is modeled in the PRA).

Appendix H has been updated to include the basic events that are failed in the PRA model.

IFQU-B2-01 Description should be provided for each of the top (based on CDF/LERF contribution) flooding scenarios presented in the results section.

Descriptions of flooding scenarios are provided in Table 7 of the Flooding Notebook along with CDF and LERF contributions. Discussion of the top CDF/LERF flooding scenarios has been included in the results section (Section 7.0).

IFQU-B3-01 Sources of uncertainty and relevant assumptions associated with potential flood initiating events were not identified consistently.

Table 4-1 did not identify sources of uncertainty relative to the flood-induced risk contributors (e.g., failure probabilities of operator flood mitigation actions, impact of flooding scenarios on the HEPs associated with the non-flood operator actions included in the internal events PRA model, effects of the initiating event group selection for modeling the flooding scenarios in the PRA model, etc.).

All assumptions were listed in the assumptions section.

The uncertainty table was expanded to include more discussion on potential uncertainties.

IFSN-A10-01 Flood scenarios resulting from failure of the CST suction lines causing failure of RCIC or HPCI were not enumerated in Tables 6-4, F-1, and Appendix H. Even if the water inventory in each CST is insufficient to cause PRA equipment damage in the Reactor Building basement due to water submergence, some PRA components could still be damaged by spray effects.

Analysis shows that at least 500,000 gal is required to flood the RB519 level to a point where equipment is failed by submergence. The CST maximum volume is only 375,000 gal; therefore, this flood cannot fail components due to submergence. Walk downs have confirmed that all of the PRA components in the quads are protected from sprays. The CST flooding scenario is therefore screened. This discussion has been added to section xxx of the report.

IFSN-A10-02 The use of the pre-action fire water system reduces the likelihood of flooding resulting from failure of the dry pipe segments and spurious actuation. However, failure of the wet pipe segments (i.e., upstream of the pre-action/clapper valves) in the buildings evaluated could still lead to the water spray and submergence effects considering the "unlimited" supply of fire water. The wet pipe segments should be present in the Reactor Building, Turbine Building, and the Control Bay Corridor. No flood submergence scenarios resulting from Fire Water piping system failure are shown in Table 7, Appendix G, and Appendix H. Only spray scenarios resulting from the Fire Water piping system failure in the Turbine Building are considered in Table 7, Appendix G, and Appendix H.

Discussions with the BFN fire protection engineer determined that all of the preaction clapper valves for the control bay are in the turbine building. Walk downs provided the pipe lengths and locations for these sections of fire protection piping in the reactor building. Initiators for these RB flood sources have been included. Turbine building elevation 565' is the only area that has the water charged sections of fire protection piping.

IFSN-A10-03 Consideration, analysis, or documentation of the flood scenarios do not appear to be consistent between the 3 units. For example, the initiating event frequency calculations in Appendix G only include flooding scenarios for Unit 1 and Unit 2 Raw Cooling Water on El. 593' in Reactor Building, while the walkdown sheet in Appendix A documents the Raw Cooling Water lines on El. 593' in the Unit 3 Reactor Building. However, Table 4 in Appendix H includes "major flood" scenarios resulting from Raw Cooling Water piping system failure on El. 593' in the Reactor Building for all 3 units. Additionally, the spray effects were not considered for any of these "spray", "flood", and "major flood" scenarios. "Spray" and "flood" scenarios were screened out even though PRA equipment could be damaged by the spray effects [no probabilistic basis provided to satisfy standard requirement IFEV-A8(b)]. Treatment of the spray effects for EECW line failure on El. 565' in the Unit 1 Reactor Building and for piping system failures in the Reactor Building suppression pool area is similar (i.e., "spray" and "flood" scenarios were screened out).

Walk downs were conducted for all three units. Initiators were developed for all three units for both spray and submergence. This was reflected in the body of the flooding report as well as in the appendices in a consistent manner.

IFSN-A10-04 Inconsistency exists between Table F-1, Appendix G and Appendix H for failure of the Raw Cooling Water piping system in shutdown board room B on El. 593' in Reactor Building. Table F-1 indicates that both "flood" and "spray" scenarios for the RCW line in the shutdown board room B on El. 593' in Unit 1 Reactor Building should be analyzed. However, Appendix H only includes the frequencies for the "major flood" and "flood" scenarios for the RCW line in the shutdown board room B on El. 593' in Unit 1 Reactor Building. Also, Table F-1 indicates that the "spray" and "major flood" scenarios resulting from failure of the RCW piping system in shutdown board room A on El. 621 in Unit 1 Reactor Building are not screened and should be analyzed. However, neither Appendix G nor Appendix H included the analysis of flooding scenarios in shutdown board room A on El. 621 in Unit 1 Reactor Building.

The piping in the shutdown board room was found to be drain piping from the roof. The shutdown board rooms in the reactor building have no sources including drains that might allow propagation into the rooms. Documentation has been changed to reflect this.

IFSN-A12-01 Some of the rooms/zones were qualitatively screened out (in Table 6-4 and F-1) solely based on the consideration of flood submergence (i.e., insufficient flood volume); i.e., without considering the possible damage potential by the spray effects.

Sources were located, components identified, and sprays assessed in all flood areas of the reactor buildings, control bay, diesel generator buildings, and the intake pumping station. The turbine building spray was handled differently as discussed in the original flooding report.

IFSN-A12-02 DG building was screened out because flood damage to the DG equipment would not lead to an automatic reactor scram or immediate plant shutdown (Section 6.4). This does not meet the requirement for IFSN-A12 in which an area is only screened out if flooding of the area would not cause an initiating event and would not cause damage to mitigating equipment. To screen out the DG flood areas in this case, justification should be provided to satisfy PRA standard requirement IFEV-A8(b). Damage to a major component (e.g., DG) due to spray resulting from failure of other equipment (piping associated with other systems such as ttLvW) is typically not accounted for in the generic and plant-specific random failure rates of the affected component (Assumption 2 in Section 4.1).

Flooding in the DG building was evaluated in a manner consistent with the other plant areas. Initiators were included even if they did not cause a plant scram.

IFSN-A12-03 RHRSW/EECW pump bays in the Pumping Station were screened out because it was determined that there is no PRA impact (Section 6.4 and Tables 6-4 and F-1). However, 3 of these pumps could be damaged if one bay is flooded. In accordance with PRA standard requirements IFSN-A12 and IFSN-A13, this flood area should be retained. Note that PRA standard requirement IFEV-A8(b) may not be applicable since multiple components are involved.

Flooding in the pumping station was evaluated in a manner consistent with the other plant areas. Initiators were included even if they did not cause a plant scram.

IFSN-A12-04 Some of the flood sources in the Reactor Building were screened out (e.g., rupture of EECW piping) because only limited PRA equipment is damaged (e.g., one loop of Core Spray, one loop of RHR, or RCIC) requiring no immediate plant shutdown (and would not cause an automatic scram). See Tables 6-4, F-1, and Appendix H. This does not satisfy the PRA standard requirements IFSN-A12 and IFSN-A13. To allow screening of these flood areas, justification should be provided to satisfy PRA standard requirement IFEV-A8(b).

These sources were evaluated instead of being screened. Some of them were screened for other reasons (i.e. all piping in area was insulated or sheathed) after this evaluation.

IFSN-A15-01 Spray scenario resulting from failure of the RBCCW line was screened out based on the consideration that break is not large enough to cause failure of the RBCCW system and thus will not cause a reactor scram (Tables 6-4 and F-1). This is questionable because RBCCW is a closed loop system with no automatic makeup. Loss of inventory will result in failure of the RBCCW and thus a scram eventually due to impact to its loads.

The RBCCW line failures were evaluated further and not screened just because they may not cause a scram.

Table 6-1 in Section 6.1 is intended to also identify SSCs for each flood area. However, no SSCs are listed in this table. The only section that includes the SSCs by location is in Table 6-3C, Appendix A.2, and Appendix H. However, the flood damage susceptible components listed in Table 6-3C are high level, descriptive (does not distinguish between MOVs/AOVs, etc. and does not include component IDs). Both Table 6-3C and Appendix A.2 only include SSCs for locations that were walked down. Similarly, Appendix H does not include all flood areas either. The information related to SSCs should include the full component IDs (tag numbers), not just the train designation and descriptive name. Selected information collected during plant walkdowns should be documented in Appendix A walkdown sheets (e.g., spray shield, whether the component is located within the spray impact range, etc.).

Due to the number of PRA components in the flood areas, they are now delineated in Appendix A and Appendix H of the report. They include the component ID numbers. A component location table, Appendix I, has also been included that delineates, in addition to the component ID numbers, the component locations. The main body of the report was changed to reflect this.

The effects of high energy line breaks for Main Steam, Feedwater, RWCU, HPCI steam supply line, and RCIC steam supply line (e.g., jet impingement, high temperature/humidity, pipe whip, etc.) are not fully addressed and accounted for in the flood scenario analysis (see Section 6.5 under Initiating Events). The detrimental effects of the high energy line break could cause damage to cables and other equipment that would not otherwise be failed by water submergence and spray. Although this is a Capability Category III issue, it needs to be considered for such application as Risk-Informed Inservice Inspection of Piping. It is possible that the effects of high energy line breaks were already evaluated in the previous RI-ISI program completed for BFN.

The High Energy Line Break analysis was performed earlier for BFN for the power uprate. The HELB report has been identified in the reference section for this flooding report. That analysis was limited to break scenarios that were successfully isolated. Main steam line and feedwater line breaks that are not successfully isolated are treated in the non-flood PRA model with break outside containment events that consider the initiator frequencies based on line lengths.

The water spray effects may not have been modeled consistently for all flooding scenarios considered. In many instances, the decisions to not quantitatively evaluate the flooding scenarios were based on the consideration of PRA equipment damage due to water submergence only (i.e., without considering the damage effects of water spray). For example, only two flooding scenarios were quantitatively considered for the Control Bay, while there may be other spray damage scenarios that should have been quantitatively evaluated.

All spray scenarios from all sources have been considered and either modeled or justification provided for not modeling the spray source.

IFSN-A8-01 No actual consideration was given in the evaluation for inter-area propagation through drain lines or back flow through drain lines due to failed back flow prevention devices (e.g., check valves or other isolation valves).

The diesel generator flood areas are served by large (24") drains to the outside so there are no propagation paths through drains. The intake pumping station rooms are not interconnected by drains so there are no propagation paths through drains. All of the reactor building drains go to the RB sumps on the 519 level. Most of these drains interconnect on their way to the sumps; however, the same areas have large open hatches or stairwells that go to the 519 level so the drains are immaterial. The only way the drains could cause a problem is if they backed up into a shutdown board room, and the shutdown board rooms do not have any floor drains. The turbine building drains are immaterial due to the way the flooding analysis is performed in that area.

IFSN-A9-01 A screening value of 0.1 is used for the failure of the door to the air conditioning equipment room at El. 606 in Control Bay (IF-CB593-DOOR for %IFM1CB606-AC). Flooding in this room (resulting from failure of the EECW piping system) could potentially cause water accumulation to a height in excess of several feet according to the flood height analysis performed for 1CB606-ACM (Appendix E). Since this door opens outward from the room, the door could potentially fail with an internal flood height in excess of 1' to 4' (per EPRI draft final guideline for IFPRA). As such, the use of a screening value of 0.1 (without actual structural analysis of the door capability) for scenario %IFM1CB606-AC is probably optimistic. For %IFL1CB606-AC, the flood accumulation in the room could potentially reach to more than 2', which in principle could also cause failure of this door to withstand the static pressure from the flood.

Flooding scenarios within the Control bay show propagation from the 606' elevation to the stairwell and subsequently to the 593' corridor. At this level, the continued accumulation of flood water will release to the outside through the double door emergency exit doors at the Unit 3 end of the corridor. However, a 0.1 factor was applied to the failure of this emergency door to release flood waters and to cause the propagation to the battery rooms and battery board rooms for the units. This factor of 0.1 is conservative given the glass double door emergency exit opens easily to the outside and the single doors to the adjacent rooms open outward (into the CB corridor).

Flood height calculations for selected Control Bay scenarios were provided in Appendix E. For Reactor Building and Turbine Building, however, no calculations are provided to demonstrate that selected flood sources would not cause damage to PRA equipment due to flood immersion in the basement. For example, it is indicated in the IFPRA notebook that neither CST has sufficient inventory to result in a flood height severe enough to cause failure of the PRA equipment located at the lowest level in the Reactor Building, but no actual analysis is provided to substantiate that conclusion.

Two RB calculations were performed to obtain timing for 2,000 gpm floods (upper limit for Flood) and 24,000 gpm floods (upper limit for Major Floods). These are the only two calculations needed since all reactor building breaks flow to the 519 level without submerging any other area that contains PRA equipment that could be failed by submergence.

Information collected during the walkdown should be documented more fully and consistently in the walkdown sheets [e.g., the type of doors (normally open/closed egress door, fire door, door with card key entry, water tight submarine door, etc.), floor/wall/ceiling openings, sumps and sump capacity, sump level instrumentation, number, size, and condition of drains, equipment occupancy fraction, etc.]. There are some inconsistencies in the information related to these items presented between different sections of the report. For example, the walkdown sheets show no drain in the corridor area on El. 593' in the Control Bay. However, the flood height evaluation in Appendix E shows 2 drains in this area.

Additional walk downs were conducted and documented. Plant studies and drawings were examined to locate all of the PRA components in flood areas. The original walk down notes were archived at the end of Appendix A and the main Appendix A tables were used to identify all sources, components and flood area features regardless of how these items were identified.

Tables 6-1 and 6-2 provide a list of the potential flooding sources. However, some of the plant water and steam systems (e.g., domestic water/potable water/sanitary water system, chilled water system, hot water system, main steam, etc.) appear to be absent from the evaluation considered in these tables. In addition, there is no documentation of the complete flood sources for locations that were not walked down (the flood sources documentation is geared to the walk down). Flood sources need to be identified by location as the basis for developing flooding scenarios.

A complete list of flood sources for each flood area has been added for the reactor building, control bay, diesel generator buildings and the intake pumping station.

The Turbine building is being handled in a manner that does not require detailed listing of flood sources.

Tables 6-1 and 6-2 have been updated. The sources have also been listed in Appendix A.

ENCLOSURE 2 Browns Ferry Nuclear Plant, Units 1, 2, and 3 Technical Specifications (TS) Change 468 ELECTRICAL DISTRIBUTION SYSTEM UNIT 0 BROWNS FERRY NUCLEAR PLANT

THIS PAGE IS AN OVERSIZED DRAWING OR FIGURE THAT CAN BE VIEWED AT THE RECORD TITLED: "ELECTRICAL DISTRIBUTION SYSTEM, UNIT 0, BROWNS FERRY NUCLEAR PLANT" PIP-02-03 WITHIN THIS PACKAGE... OR BY SEARCHING USING THE D-01X