Text

NUREG/CR-7154 Vol 1 Risk Informing Emergency Preparedness Oversight: Evaluation of Emergency Action Levels - a Pilot Study of Peach Bottom, Surry and Sequoyah (Main Report, Appendices a and B)
	ML13031A500
Person / Time
Site:	Peach Bottom, Sequoyah, Surry
Issue date:	01/31/2013
From:	Azarm M, Gitnick T, Jessica Kratchman, Morell-Gonzalez M, Reggie Sullivan, Zamanali J, Herrick S; NRC/RES/DRA
To:	;
	Beltz, G
References
	NUREG/CR-7154 Vol 1
	Download: ML13031A500 (155)
	v • d • e

NUREG/CR-7154, Vol. 1 Risk Informing Emergency Preparedness Oversight:

Evaluation of Emergency Action LevelsA Pilot Study of Peach Bottom, Surry and Sequoyah Main Report, Appendices A and B Office of Nuclear Regulatory Research

AVAILABILITY OF REFERENCE MATERIALS IN NRC PUBLICATIONS NRC Reference Material Non-NRC Reference Material As of November 1999, you may electronically access Documents available from public and special technical NUREG-series publications and other NRC records at libraries include all open literature items, such as books, NRCs Public Electronic Reading Room at journal articles, transactions, Federal Register notices, http://www.nrc.gov/reading-rm.html. Publicly released Federal and State legislation, and congressional reports.

records include, to name a few, NUREG-series Such documents as theses, dissertations, foreign reports publications; Federal Register notices; applicant, and translations, and non-NRC conference proceedings licensee, and vendor documents and correspondence; may be purchased from their sponsoring organization.

NRC correspondence and internal memoranda; bulletins and information notices; inspection and investigative Copies of industry codes and standards used in a reports; licensee event reports; and Commission papers substantive manner in the NRC regulatory process are and their attachments. maintained at The NRC Technical Library NRC publications in the NUREG series, NRC Two White Flint North regulations, and Title 10, Energy, in the Code of 11545 Rockville Pike Federal Regulations may also be purchased from one Rockville, MD 20852-2738 of these two sources.

1. The Superintendent of Documents These standards are available in the library for reference U.S. Government Printing Office Mail Stop SSOP use by the public. Codes and standards are usually Washington, DC 20402-0001 copyrighted and may be purchased from the originating Internet: bookstore.gpo.gov organization or, if they are American National Standards, Telephone: 202-512-1800 from Fax: 202-512-2250 American National Standards Institute

2. The National Technical Information Service 11 West 42nd Street Springfield, VA 22161-0002 New York, NY 10036-8002 www.ntis.gov www.ansi.org 1-800-553-6847 or, locally, 703-605-6000 212-642-4900 A single copy of each NRC draft report for comment is available free, to the extent of supply, upon written Legally binding regulatory requirements are stated request as follows: only in laws; NRC regulations; licenses, including Address: U.S. Nuclear Regulatory Commission technical specifications; or orders, not in NUREG-Office of Administration series publications. The views expressed in Publications Branch contractor-prepared publications in this series are Washington, DC 20555-0001 not necessarily those of the NRC.

E-mail: DISTRIBUTION.RESOURCE@NRC.GOV Facsimile: 301-415-2289 The NUREG series comprises (1) technical and administrative reports and books prepared by the Some publications in the NUREG series that are staff (NUREG-XXXX) or agency contractors posted at NRCs Web site address (NUREG/CR-XXXX), (2) proceedings of http://www.nrc.gov/reading-rm/doc-collections/nuregs conferences (NUREG/CP-XXXX), (3) reports are updated periodically and may differ from the last resulting from international agreements printed version. Although references to material found on (NUREG/IA-XXXX), (4) brochures (NUREG/BR-a Web site bear the date the material was accessed, the XXXX), and (5) compilations of legal decisions and material available on the date cited may subsequently be orders of the Commission and Atomic and Safety removed from the site. Licensing Boards and of Directors decisions under Section 2.206 of NRCs regulations (NUREG-0750).

DISCLAIMER: This report was prepared as an account of work sponsored by an agency of the U.S. Government.

Neither the U.S. Government nor any agency thereof, nor any employee, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third partys use, or the results of such use, of any information, apparatus, product, or process disclosed in this publication, or represents that its use by such third party would not infringe privately owned rights.

NUREG/CR-7154, Vol. 1 p

Risk Informing Emergency Preparedness Oversight:

Evaluation of Emergency Action LevelsA Pilot Study of Peach Bottom, Surry and Sequoyah Main Report, Appendices A and B Manuscript Completed: October 2012 Date Published: January 2013 Prepared by:

M. Azarm, T. Gitnick, S. Herrick, J. Kratchman, M. Morell-Gonzalez, R. Sullivan, J. Zamanali Project Manager: Sandra L. Herrick Principal Investigator: M. Ali Azarm Prepared for:

Division of Risk Analysis Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission Washington, DC 20555-0001

ABSTRACT The Evaluation of Emergency Action Levels (EALs) project applied probabilistic risk assessment (PRA) methods to selected emergency action levels (EALs). The objective of this study is to explore the feasibility of using PRA to provide risk insights about EAL schemes. This study is the first effort to apply PRA methodology to nuclear power plant (NPP) EAL schemes. Peach Bottom, Surry and Sequoyah were selected as the pilot plants as they represent, respectively,

1) boiling water reactors (BWRs) with a Mark I containment, 2) pressurized water reactors (PWRs) with a large dry containment, and 3) PWRs with an ice condenser containment. EAL threshold conditions, as stated in the plant-specific emergency plan documents, are mapped into scenarios specific to the Standardized Plant Analysis Risk (SPAR) models for these plants.

Conditional core damage probability (CCDP) is used as the risk metric to evaluate each EAL scenario. The results of this study provide generic and plant specific insights to be considered when developing future risk informed emergency planning (EP) regulatory activities. The results show that the current EAL schemes are generally logical in that plant risk increases as the emergency classification (EC) severity increases. However, the results also suggest that there are inconsistencies in the EC ranking of some EALs. These inconsistencies are identified for further consideration. The risk insights from this report may be applied to improve the current NRC approved EAL schemes. Nevertheless, it is important to note that regulatory decisions for EP are complex and should not be made solely considering CCDP values, but should be substantiated by deterministic approaches along with the PRA insights.

iii

FOREWORD This report documents a pilot risk study applying PRA to evaluate selected EALs. The analyses of this study were conducted by a team of risk analysts and emergency response experts from the U.S. Nuclear Regulatory Commission (NRC) and its contractors from Information System Laboratories, Inc. (ISL), and Innovative Engineering & Safety Solutions, LLC. The objective of this study is to explore the feasibility of using PRA to provide risk insights about EAL schemes.

The original EAL scheme was developed in the post-Three Mile Island accident era and documented in NUREG-0654/FEMA-REP-1, Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants [Ref. 1]. The most recent EAL scheme is in Nuclear Energy Institutes NEI 99-01, Methodology for Development of Emergency Action Levels, [Ref. 2] and is endorsed by the NRC in Revision 5 of Regulatory Guide 1.101, Emergency Planning and Preparedness for Nuclear Power Reactors [Ref. 3]. However, neither of these schemes used a PRA study to systematically evaluate EALs as applied to ECs during their development.

In 2008, the Commission directed the staff to quantify the level of protection that should result from actions taken in support of EP plans and codify them in regulations that are transparent

[Ref. 4]. This scope of work explores the feasibility of applying risk-informed methodology to EALs. The insights of this study may be applied to improve NRCs ability to evaluate licensees EAL schemes via PRA results of selected EAL scenarios.

The analyses of this study are similar to that performed in the Accident Sequence Precursor (ASP) Program [Ref. 5] to determine the risk significance of an initiating event. NRCs Systems Analysis Programs for Hands on Integrated Reliability Evaluations (SAPHIRE) software and SPAR models, which were originally used to provide risk insights for NRC activities, such as the Reactor Oversight Program (ROP) and the ASP Program, served as the risk calculation tool for this study. Peach Bottom, Surry, and Sequoyah were selected as pilot plants to represent BWRs and PWRs, respectively. The EAL threshold conditions stated in the EP documents are incorporated into the Peach Bottom, Surry and Sequoyah SPAR models and conditional core damage probability (CCDP) is calculated. CCDP is used as a risk metric in this study and the CCDP results serve as a means to compare and evaluate EAL scenarios that are in the same EC. This study compares the CCDP values for EALs that are in the same EC to determine internal consistency. While ranges of CCDP for ECs are identified, there is no intention to codify those ranges. Rather, a comparison within, and across, ranges provides risk insights.

The results provide generic and plant-specific insights to be considered when developing future risk-informed EP regulatory activities. In general, the analysis results show a consistent relationship between the EC and the CCDP valuesa higher severity of EC generally corresponds to a higher risk as indicated by the computed CCDP values for different EAL scenarios. However, the results also suggest that there are inconsistencies in the EC ranking of some EALs. These inconsistencies are identified for further consideration. The results and insights also provided risk-informed considerations that may enhance the current NRC approved EAL schemes. However, the regulatory decision making for EP is a complex process and should consider information from deterministic approaches along with the PRA insights.

v

TABLE OF CONTENTS ABSTRACT ................................................................................................................................ iii FOREWORD ..............................................................................................................................v LIST OF FIGURES .....................................................................................................................x LIST OF TABLES. ......................................................................................................................x ACKNOWLEDGEMENTS .......................................................................................................... xi ACRONYMS ............................................................................................................................ xiii

1. INTRODUCTION ................................................................................................................ 1 1.1 Background of EALs ................................................................................................. 1 1.2 PRA Applications in Risk-Informed Regulatory Programs ......................................... 2 1.3 Research Objective of Risk-Informing EAL ............................................................... 3

2. TECHNICAL APPROACH OF MODELING EAL SCENARIOS ........................................... 7 2.1 SAPHIRE and SPAR Models .................................................................................... 7 2.2 Modeling EAL Scenarios Using SAPHIRE and SPAR Models .................................. 7 2.2.1 Step 1: Gathering of Available Scenario Information ................................. 8 2.2.2 Step 2: Mapping of the Incident Context into the SPAR model (Scenario Development)............................................................................. 8 2.2.3 Step 3: Use of the PRA to Determine Scenario-Specific Risk Measure ....................................................................................................10 2.3 Uncertainty and its Impact on Risk-Informed EAL Evaluation ..................................12 2.3.1 Uncertainties Associated with Quantitative PRA Results ...........................13 2.3.2 Uncertainties Associated with EAL Assessment Process ..........................14

3.

SUMMARY

OF RESULTS AND RISK INSIGHTS ..............................................................15 3.1 Summary of Results ................................................................................................15 3.2 EAL Outliers ............................................................................................................17 3.2.1 One Source Away from SBO .....................................................................21 3.2.2 Loss of All Vital DC Power.........................................................................22 3.2.3 Total Loss of All AC and DC ......................................................................22 3.2.4 Automatic Trip Failed, but Manual Trip Succeed .......................................23 3.2.5 Loss of Annunciation and/or Indication ......................................................23 3.2.6 Toxic Gas Effects ......................................................................................24 3.3 Risk Perspectives of Differences among Peach Bottom, Surry and Sequoyah ........26 3.3.1 Risk Perspectives of Differences between Surry and Sequoyah................27 3.3.2 Unplanned Release of Toxic and Flammable Gases within the Site Perimeter ..................................................................................................27 3.3.3 Unplanned Release of Toxic and Flammable Gases within the Vital Structures..................................................................................................28 3.3.4 Unplanned Loss of Most or All Safety System Annunciators or Indications in the Control Room for >15 Minutes .......................................28 3.4 Risk Perspectives on Important Design Features in Operating Reactors .................29

4. ANALYSIS AND IMPLICATIONS OF PEACH BOTTOM RESULTS ..................................31 4.1 MU1Loss of All Offsite Power to Essential Buses for Greater Than 15 Minutes ...............................................................................................................31 4.2 MU6Unplanned Loss of Most or All Safety System Annunciator or Indication in the Control Room .................................................................................32 4.3 MU7Reactor Coolant System Leakage ................................................................34 4.4 HU7Release of Toxic or Flammable Gases Deemed Detrimental to Normal Operation of the Plant ..............................................................................................35 vii

4.5 MA1AC Power Capability to Essential Buses Reduced to a Single Power Source for Greater than 15 Minutes Such that any Additional Single Failure Would Result in SBO ...............................................................................................36 4.6 MA3Failure of Reactor Protection System Instrumentation to Complete or Initiate an Automatic Reactor Scram Once a Reactor Protection System Setpoint Has Been Exceeded ..................................................................................38 4.7 MA6Unplanned Loss of Most or All Safety System Annunciation or Indication in Control Room with Either (1) a Significant Transient in Progress, or (2) Compensatory Non-Alarming Indicators are Unavailable................................39 4.8 HA7Release of Toxic or Flammable Gases within or Contiguous to a Vital Area, Which Jeopardizes Operation of Systems Required to Maintain Safe Operations or Establish or Maintain Safe Shutdown ................................................42 4.9 MS1Loss of All Offsite and all Onsite AC Power to Essential Buses.....................44 4.10 MS4Loss of All Vital DC Power ............................................................................45 4.11 MS3Failure of Reactor Protection System Instrumentation to Complete or Initiate an Automatic Reactor Scram Once a Reactor Protection System Setpoint Has Been Exceeded and Manual Scram Was Not Successful ...................46 4.12 MS5Complete Loss of Heat Removal Capability ..................................................47 4.13 MS6Inability to Monitor a Significant Transient in Progress ..................................47 4.14 MG1Prolonged Loss of All Offsite Power and Prolonged Loss of All Onsite AC Power ................................................................................................................49 4.15 MG3Failure of the Reactor Protection System to Complete an Automatic Scram and Manual Scram was NOT Successful and There is Indication of an Extreme Challenge to the Ability to Cool the Core ...................................................50

5. ANALYSIS AND IMPLICATIONS OF SURRY RESULTS ..................................................51 5.1 SU1.1Loss of All Offsite Power to Essential Buses for Greater Than 15 Minutes ...............................................................................................................51 5.2 SU4.1Unplanned Loss of Most or All Safety System Annunciator or Indication in the Control Room .................................................................................52 5.3 SU6.1Reactor Coolant System Leakage ..............................................................54 5.4 HU3.1Report of Detection of Toxic, Corrosive, Asphyxiant or Flammable Gases That Have or Could Enter the Owner Controlled Area in Amounts that Can Affect Normal Plant Operations ........................................................................55 5.5 SA1.1AC Power Capability to Emergency Buses Reduced to a Single Power Source for 15 Minutes or Longer Such that any Additional Single Failure Would Result in SBO ...................................................................................56 5.6 SA2.1 Failure of Reactor Protection System Instrumentation to Complete or Initiate an Automatic Reactor Scram Once a Reactor Protection System Setpoint Has Been Exceeded and Manual Scram Was Successful .........................58 5.7 SA4.1 Unplanned Loss of Safety System Annunciator or Indication in Control Room with a Significant Transient in Progress ............................................59 5.8 HA3.1 Access to a Safe Shutdown Area is Prohibited Due to Release of Toxic, Corrosive, Asphyxiant or Flammable Gases Which Jeopardize Operation of Systems Required to Maintain Safe Operations or Safely Shutdown the Reactor .............................................................................................63 5.9 SS1.1Loss of all Offsite and all Onsite AC Power to Emergency Buses for 15 Minutes or Longer ...............................................................................................64 5.10 SS1.2Loss of all Vital DC Power ..........................................................................65 5.11 SS2.1Failure of Reactor Protection System Instrumentation to Complete or Initiate an Automatic Reactor Scram Once a Reactor Protection System Setpoint Has Been Exceeded and Manual Scram Was NOT Successful .................66 viii

5.12 SS4.1Inability to Monitor a Significant Transient in Progress ................................67 5.13 SG1.1Prolonged Loss of all Offsite and Onsite AC Power ....................................69 5.14 SG2.1Failure of the Reactor Protection System to Complete Both Automatic and Manual Trip and There is Indication of an Extreme Challenge to the Ability to Cool the Core ..................................................................................70

6. ANALYSIS AND IMPLICATIONS OF SEQUOYAH RESULTS...........................................73 6.1 SU1Loss of Offsite Power to Either Unit for > 15 Minutes.....................................73 6.2 SU3On Either Unit Unplanned Loss of > 75 Percent of the MCR Annunciators or > 75 Percent of Safety System Indications for > 15 Minutes and ICS Available ....................................................................................................74 6.3 SU5Unidentified or Pressure Boundary RCS Leakage > 10 GPM, or Identified RCS Leakage >25 GPM ...........................................................................76 6.4 HU3Unplanned Release of Flammable Gas Within the Site Perimeter .................77 6.5 SA5Loss of Offsite Power to Either Unit with Degraded Onsite AC Power for >15 Minutes ........................................................................................................78 6.6 SA2Automatic Reactor Trip Did Not Occur After Valid Trip Signal and Manual Trip from MCR was Successful ...................................................................80 6.7 SA4On Either Unit an Unplanned Loss of > 75 Percent of the MCR Annunciators and Annunciator Printer or > 75 Percent of Safety System Indications for > 15 Minutes with a Significant Transient in Progress or ICS Unavailable ..............................................................................................................81 6.8 HA3Unplanned Release of Flammable Gas within a Facility Structure Containing Safety-Related Equipment or Associated with Power Production ...........84 6.9 SS1Loss of All Offsite and All Onsite AC Power to Either Unit for

> 15 Minutes ............................................................................................................86 6.10 SS3Loss of all Vital DC Power for > 15 Minutes ...................................................86 6.11 SS2Reactor Power > 5 Percent and Not Decreasing after Valid Auto and Manual Trip Signals .................................................................................................87 6.12 SS6Inability to Monitor a Significant Transient in Progress on Either Unit ............88 6.13 SG1Prolonged Loss of All Offsite and All Onsite AC Power to Either Unit ............90 6.14 SG2Loss of Core Cooling Capability and Valid Trip Signals Did Not Result in a Reduction of Reactor Power to < 5 Percent ......................................................91

7. PROPOSED AREAS FOR FUTURE WORK......................................................................93

8. REFERENCES ..................................................................................................................95 APPENDIX A GRAPHICAL RESULTS ................................................................................. A-1 APPENDIX B

SUMMARY

OF SPAR CASE RUNS: INPUT AND RESULTS ........................ B-1 APPENDIX C SEQUENCES AND CUTSETS ...................................................................... C-1 APPENDIX D ET TOP SYSTEM DEFINITIONS................................................................... D-1 APPENDIX E MODIFIED HEPS USING SPAR HRA ........................................................... E-1 APPENDIX F BASIC EVENT DESCRIPTIONS .................................................................... F-1 ix

LIST OF FIGURES Figure 2-1. Peach Bottom Unit 2 SPAR Model RPS FT ...........................................................10 Figure 2-2. CCDP Range for each EC .....................................................................................11 Figure 2-3. Presumed CCDP Ranges for Various ECs.............................................................12 Figure 3-1. Graphical Results of all Selected EAL Scenarios ...................................................16 Figure 4-1. CCDP of MU6 from 15 Minutes to Eight Hours.......................................................34 Figure 5-1. CCDP of SU4.1 from 15 Minutes to Eight Hours ....................................................54 Figure 6-1. CCDP of SU3 from 15 Minutes to Eight Hours .......................................................76 Figure A-1. NOUE CCDP Results .......................................................................................... A-1 Figure A-2. Alert CCDP Results ............................................................................................. A-2 Figure A-3. SAE CCDP Results ............................................................................................. A-3 Figure A-4. GE CCDP Results ............................................................................................... A-4 Figure A-5. All CCDP Results ................................................................................................ A-5 LIST OF TABLES Table 1-1. Emergency Action Levels Selected for Risk Evaluation ............................................ 4 Table 3-1. EALs with CCDPs Outside the Presumed Ranges ..................................................17 Table 3-2. Major Physical Differences between Surry and Sequoyah ......................................27 Table 3-3. Key Plant Features for Reducing Risk .....................................................................29 Table B-1. Peach Bottom Case Run Inputs and Results ........................................................ B-1 Table B-2. Surry Case Run Inputs and Results ...................................................................... B-8 Table B-3. Sequoyah Case Run Inputs and Results ............................................................ B-18 x

ACKNOWLEDGEMENTS This report would not have been possible without the guidance and the help of several individuals who contributed and extended their valuable assistance in the preparation and completion of this EAL pilot study. They did not only contribute their expert knowledge to the project, but devoted their valuable personal time, including evenings and weekends to assist whenever needed.

The project was conceived by Randolph Sullivan (NRC/NSIR). Gary DeMoss (NRC/RES) provided the technical vision for implementation. Special thanks should be given to our technical consultants, Clifford Marks (ISL), Zoran Musicki (Energy Math Solutions), Wayne Schmit (NRC/Region I) and Cale Young (NRC/Region I) for their expertise answering our PRA or plant related questions.

xi

ACRONYMS AAC Alternate AC AC Alternating Current ADS Automatic Depressurization System AFW Auxiliary Feed Water ARI Alternate Rod Insertion ASP Accident Sequence Precursor ATWS Anticipated Transient Without Scram BE Basic Event BWR Boiling Water Reactor CCDP Conditional Core Damage Probability CCF Common Cause Failure CCW Component Cooling Water CFR Code of Federal Regulations CPC Charging Pump Cooling CRD Control Rod Drive CSR Containment Spray Recirculation CST Condensate Storage Tank CWG Conowingo DC Direct Current DG Diesel Generator DHR Decay Heat Removal EAL Emergency Action Level EC Emergency Classification ECCS Emergency Core Cooling System ECST Emergency Condensate Storage Tank EDG Emergency Diesel Generator EOP Emergency Operating Procedure xiii

EP Emergency Preparedness EPA Environmental Protection Agency ERCW Essential Raw Cooling Water ET Event Tree F Fahrenheit FT Fault Tree FPB Fission Product Barrier GE General Emergency gpm Gallons Per Minute HEP Human Error Probability HPCI High Pressure Coolant Injection HPI High Pressure Injection HPR High Pressure Recirculation HPSW High Pressure Service Water HRA Human Reliability Analysis HVAC Heating, Ventilation and Air Conditioning IC Initiating Condition IE Initiating Event INL Idaho National Laboratories IORV Inadvertent Open Relief Valve IPE Individual Plant Examination ISL Information Systems Laboratories, Inc.

LEL Lower Explosive Limit LOCA Loss of Coolant Accident LOCHS Loss of Condenser Heat Sink LOMFW Loss of Main Feedwater LOOP Loss of Offsite Power LOOPGR Loss of Offsite Power Grid Related LPCI Low Pressure Coolant Injection xiv

LPR Low Pressure Recirculation MCR Main Control Room MDAFW Motor Driven Auxiliary Feedwater MFW Main Feedwater NEI Nuclear Energy Institute NOUE Notification of Unusual Event NPP Nuclear Power Plant NRC Nuclear Regulatory Commission NSIR Nuclear Security and Incident Response NUMARC Nuclear Utility Management and Resources Council PCS Plant Computer System PORV Power Operated Relief Valve PRA Probabilistic Risk Assessment PSF Performance Shaping Factor PWR Pressurized Water Reactor QA Quality Assurance RCIC Reactor Core Isolation Cooling RCP Reactor Coolant Pump RCS Reactor Coolant System RES Office of Nuclear Regulatory Research RHR Residual Heat Removal ROP Reactor Oversight Program RPS Reactor Protection System RPV Reactor Pressure Vessel RWST Refueling Water Storage Tank SAE Site Area Emergency SAMG Severe Accident Management Guideline SAPHIRE Systems Analysis Programs for Hands-on Integrated Reliability Evaluations SBO Station Black Out xv

SDP Significance Determination Process SG Steam Generator SLC Standby Liquid Control SLOCA Small Loss of Coolant Accident SPAR Standardized Plant Analysis Risk SRV Safety Relief Valve SSCs Structures, Systems, and Components SW Service Water TBV Turbine Bypass Valve TDAFW Turbine Driven Auxiliary Feedwater TMI Three Mile Island TS Technical Specifications V Volts xvi

1. INTRODUCTION 1.1 Background of EALs NRC regulations in Title 10 of the Code of Federal Regulations (10 CFR) 50.47(b) (4) [Ref. 6]

require that NPP licensees use a standard EC and EAL scheme. The original EAL scheme was published in Appendix 1 to NUREG-0654, FEMA-REP-1, Criteria for Preparation and Evaluation of Radiological Emergency Response Plans and Preparedness in Support of Nuclear Power Plants [Ref. 1]. EP regulations were developed directly after the TMI NPP accident, which took place March 28, 1979, and published as final in August 1980. As lessons were learned in EAL scheme implementation, improvements were identified and documented in NUMARC/NESP-007, Methodology for Development of Emergency Action Levels, [Ref. 7] and subsequently NEI 99-01, Methodology for Development of Emergency Action Levels, [Ref. 2],

both of which NRC also endorsed for use. All NPPs use either NUMARC-007 or NEI 99-01 EAL scheme.

The existing radiological EC levels in which EALs are classified are established by the NRC according to (1) their relative radiological seriousness, and (2) the time-sensitive onsite and offsite radiological EP actions necessary to respond to such conditions. In ascending order of severity, these ECs are defined in NRC Bulletin 2005-02 [Ref. 8] as:

Notification of Unusual Event (NOUE): Events are in process or have occurred, which indicate a potential degradation of the level of safety of the plant or indicate a security threat to facility protection. No releases of radioactive material requiring offsite response or monitoring are expected unless further degradation of safety systems occurs.

Alert: Events are in process or have occurred, which involve an actual or potential substantial degradation of the level of safety of the plant or a security event that involves probable life threatening risk to site personnel or damage to site equipment because of intentional malicious dedicated efforts of a hostile act. Any releases are expected to be limited to small fractions of the EPA Protective Action Guideline exposure levels.

Site Area Emergency (SAE): Events are in process or have occurred, which involve an actual or likely major failures of plant functions needed for protection of the public or security events that result in intentional damage or malicious acts: (1) toward site personnel or equipment that could lead to the likely failure of; or (2) prevents effective access to equipment needed for the protection of the public. Any releases are not expected to result in exposure levels, which exceed EPA Protective Action Guideline exposure levels beyond the site boundary.

General Emergency (GE): Events are in process or have occurred, which involve actual or imminent substantial core degradation or melting with potential for loss of containment integrity or security events that result in an actual loss of physical control of the facility.

Releases can be reasonably expected to exceed EPA Protective Action Guideline exposure levels offsite for more than the immediate site area.

NEI 99-01 [Ref. 2] defines an initiating condition (IC) as a predetermined subset of NPP conditions where either the potential exists for a radiological emergency, or such an emergency has occurred. The IC can be a continuous, measurable function that is outside technical specifications, such as elevated reactor coolant system (RCS) temperature or falling reactor 1

coolant level (a symptom). It also encompasses occurrences such as fire (an event) or reactor coolant pipe failure (an event or a barrier breach). 1 Each plant-specific EAL is determined by some observable threshold conditions that places the plant in a given EC. These threshold conditions are dependent on specific plant configuration, systems, structures and components layout to meet NEI 99-01 IC [Ref. 2] guidelines. Some examples of ICs are: instrument malfunctions; issues with a measurable parameter (onsite or offsite); a discrete, observable event; results of analyses; entry into specific emergency operating procedures; or another phenomenon, which if it occurs, indicates entry into a particular EC.

NRC has endorsed the alternative EAL schemes in NUMARC/NESP-007 and NEI 99-01.

Licensees have broadly used them. These schemes have greatly improved consistent implementation and eliminated EALs that were not risk significant, when compared with Appendix 1 of NUREG-0654 [Ref. 1]. Subject matter experts experienced in implementing EALs developed these documents. Improvements in the specificity of EALs and other enhancements, such as mode applicability, were included in the revisions to the EAL schemes.

However, an analysis of EAL conditions using PRA techniques was not performed when developing these EAL schemes.

NSIR staff requested that RES conduct a risk assessment of applicable EALs using available tools. This work is part of a broader effort to more fully risk inform NRC oversight of NPP EP. It was expected that the study could identify whether any EALs were outliers in terms of risk to the public and potentially, any gaps in EALs. Where such issues are identified changes to NRC endorsed EAL schemes could result. The staff recognized that only EALs related to plant system malfunction could be analyzed using current risk assessment tools. While this limits the extent of the analysis, it has provided valuable insights.

1.2 PRA Applications in Risk-Informed Regulatory Programs Since the late 1990s, the NRC has increased the use of risk-informed regulation. The increase in risk-informed regulatory activities leads to increased development and usage of risk-informed software and tools. Today, SAPHIRE and SPAR models are used broadly in NRC risk-informed programs. These programs are listed below:

NRC Incident Investigation Programevent response evaluation. The main purpose of the event response evaluation is to determine the appropriate level of reactive inspection in response to a significant event. A potentially significant event is evaluated on the basis of both deterministic criteria and risk significance such as CCDP to define the severity of an event. Details of this program are published in Management Directive 8.3

[Ref. 9].

Significance Determination Process (SDP)part of the Reactor Oversight Process (ROP). SDP is a three-phased approach to determine the significance of inspection 1

The term emergency action level has been defined by example in the regulations, as noted in the above discussion concerning regulatory background. The term had not, however, been defined operationally in a manner to address all contingencies. There are times when an EAL will be a threshold point on a measurable continuous function, such as a primary system coolant leak that has exceeded technical specifications for a specific plant. At other times, the EAL and the IC will coincide, both identified by a discrete event that places the plant in a particular emergency class. For example, Train Derailment Onsite is an example of an NOUE IC in NUREG-0654 that also can be an event-based EAL.

2

findings in the initiating events (IEs), mitigating systems, and barrier integrity cornerstones. The details of the SDP can be found in Inspection Manual Chapter, IMC 0609 [Ref. 10].

ASP Program [Ref. 5]established in 1979 in response to the Risk Assessment Review Group report (NUREG/CR-0400) [Ref. 11] for assessing risk significance issues and events. The ASP program applies the results of core damage on dominant core damage scenarios predicted by probabilistic risk assessments (PRAs) to provide insights and feedback to risk-informed regulatory activities. Significant precursors (events with CCDP or change in core damage probability > 1x10-3) are required to be input to the Annual Abnormal Occurrence Report and be reported to the Congress by the NRC.

The NRC has used risk informed techniques in the ROP program for more than a decade including oversight of EP. However, this study marks the first time quantitative risk techniques have been applied to EALs.

1.3 Research Objective of Risk-Informing EAL The objective of this study is to explore the feasibility of using PRA to provide risk insights about EAL schemes. This study evaluates the risk implications of the selected EAL scenarios using plant-specific PRA models and generates the results in the form of a surrogate risk metric:

Conditional Core Damage Probability (CCDP).

CCDP is a Level-1 PRA risk metric used as a measure of the significance of a specific EAL.

Each EAL is translated into a scenario with conditions that can be analyzed by the plant-specific PRA models, while fulfilling the threshold conditions of that EAL. A typical PRA model can be used to compute CCDPs of two types of hazardsinternal and external hazards. A hazard could cause the occurrence of an incident and degradation of mitigating systems. Internal hazards (internal events) are caused by system malfunctions precipitated by hardware failures or human errors within the plant. Examples of internal events include general transients, loss of offsite power (LOOP), loss of main feedwater (LOMFW), and small loss of coolant accidents (SLOCA). External hazards (external events) include fires, floods, seismic, high wind, and other man-made hazards such as explosions and aircraft impact. In this study, the focus is on internal hazards. Performing analyses of EALs related to external hazard is beyond the scope of this study.

CCDP results can be used to compare EALs within an EC for consistency and risk insights.

Readers should be aware that CCDP is not truly equivalent to NPP risk. NPP risk is conventionally defined by the product of the probability of an accident and its consequences.

These consequences involve onsite and offsite releases. However, CCDP is a reasonable surrogate for risk in this EAL study, since it measures the probability of an accident.

The CCDP results and insights of this study can be used as part of risk-informing considerations to modify current EAL schemes. However, there are EALs that cannot be addressed by CCDP alone. Some EAL threshold conditions may be appropriate, even though the threshold conditions generate low CCDPs. This is particularly relevant to the lower ECsNOUE and Alert. For example, loss of all offsite power, a non-safety-related system, for a protracted period may never lead to core damage, but it will represent a potential challenge to the plant operators and warrants a NOUE classification as a potential degradation of the level of safety of the plant, even if the emergency diesel generators (EDGs) start and load. The regulatory decision making 3

for EP is a complex process and should consider information from deterministic approaches along with the PRA insights.

Peach Bottom, Surry and Sequoyah are the three pilot plants selected for this study. Peach Bottom represents a typical BWR 4 design with a Mark I containment; Surry represents a three-loop Westinghouse PWR design with a large, dry containment; Sequoyah represents a four-loop Westinghouse PWR design with a wet, ice containment. This document contains a technical approach, a summary of insights, detailed analyses and results of selected EAL scenarios, which are listed in Table 1-1.

In conclusion, this study has established the feasibility to continue applying PRA, including Level-2 and Level-3 PRA for additional applied research to provide insights for enchancing the current EAL schemes. Recommendations for future studies are discussed in Chapter 7 of this report.

Table 1-1. Emergency Action Levels Selected for Risk Evaluation Peach NEI Surry Sequoyah EC IC Stated in NEI 99-01 V5 Bottom 99-01 V5 EAL EAL EAL NOUE Loss of all offsite AC power to emergency buses SU1 MU1 SU1.1 SU1 for 15 minutes or longer.

NOUE Unplanned loss of safety system annunciation or SU3 MU6 SU4.1 SU3 indication in the control room for 15 minutes or longer.

NOUE RCS leakage. Op. modes: power operation, SU5 MU7 SU6.1 SU5 startup, hot standby, hot shutdown NOUE Release of toxic, corrosive, asphyxiant or HU3 HU7 HU3.1 HU3 flammable gases deemed detrimental to normal operation of the plant.

Alert AC power capability to emergency buses SA5 MA1 SA1.1 SA5 reduced to a single power source for 15 minutes or longer such that any additional single failure would result in station blackout (SBO).

Alert Automatic scram (trip) fails to shut down the SA2 MA3 SA2.1 SA2 reactor and the manual actions taken from the reactor control console are successful in shutting down the reactor.

Alert Unplanned loss of safety system annunciation or SA4 MA6 SA4.1 SA4 indication in control room with either (1) a significant transient in progress or (2) compensatory indicators are unavailable.

4

Table 1-1. Emergency Action Levels Selected for Risk Evaluation (Continuation)

Peach NEI Surry Sequoyah EC IC Stated in NEI 99-01 V5 Bottom 99-01 V5 EAL EAL EAL Alert Access to a VITAL AREA is prohibited due to HA3 HA7 HA3.1 HA3 toxic, corrosive, asphyxiant or flammable gases which jeopardize operation of operable equipment required to maintain safe operations or safely shutdown the reactor.

SAE Loss of all offsite and all onsite AC power to SS1 MS1 SS1.1 SS1 emergency buses.

SAE Automatic scram (trip) fails to shut down the SS2 MS3 SS2.1 SS2 reactor and manual actions taken from the reactor control console are not successful in shutting down the reactor.

SAE Loss of all vital DC power for 15 minutes or SS3 MS4 SS1.2 SS3 longer.

2 SAE Complete loss of heat removal capability (NEI SS4 MS5 n/a n/a Revision 4 only; has been deleted in Revision 5)

SAE Inability to monitor a significant transient in SS6 MS6 SS4.1 SS6 progress.

GE Prolonged loss of all offsite and all onsite AC SG1 MG1 SG1.1 SG1 power to emergency buses.

GE Automatic scram (trip) and all manual actions fail SG2 MG3 SG2.1 SG2 to shut down the reactor and indication of an extreme challenge to the ability to cool the core exists.

2 This EAL is listed in NEI 99-01, Revision 4, but it is eliminated in NEI 99-01, Revision 5. Peach Bottom EALs refer to NEI 99-01, Revision 4, while Surry and Sequoyah EALs refer to NEI 99-01, Revision 5. Therefore, Surry and Sequoyah EALs do not have an SS4-equivalent scenario.

5

2. TECHNICAL APPROACH OF MODELING EAL SCENARIOS 2.1 SAPHIRE and SPAR Models The increased applications in risk-informed regulatory activities lead to rapid development and usage of risk-informed software and tools. Today, Systems Analysis Programs for Hands-on Integrated Reliability Evaluations (SAPHIRE) is used broadly in the NRC risk-informed programs as defined in the Management Directive 8.3 [Ref. 9]. The SAPHIRE software was developed by the Idaho National Laboratories (INL) sponsored by NRC. SAPHIRE has been used by the NRC to perform PRAs. It allows risk analysts to model a plant's response to IEs, quantify core damage frequencies, and identify important contributors to core damage (Level-1 PRA) by solving plant-specific model logic, including event trees (ETs), fault trees (FTs),

sequences and cutsets. It also allows users to modify basic event (BE) data, create change sets and perform uncertainty analyses.

SPAR models 3 were created in conjunction with the SAPHIRE platform. Each SPAR model was created with site-specific modeling logic and developed with consistent modeling assumptions, nomenclature, and industry data for IE frequencies and component failure rates. The NRC has performed quality assurance (QA) 4 and benchmarked of the SPAR models with the licensees PRA to ensure the following model review objectives are met:

To check whether the SPAR model reflects the as-built, as-operated plant for the important sequences that are impacted by the operational event under consideration.

To check that the SPAR model reflects the plant features required to model the operational event and/or to replace overly conservative model assumptions with best available information on more realistic assumptions.

Today, SAPHIRE has evolved to Version 8 and SPAR models are used broadly in the NRC risk-informed programs.

2.2 Modeling EAL Scenarios Using SAPHIRE and SPAR Models In this study, the SAPHIRE software, Version 8 is used to compute CCDPs. The SPAR models, in conjunction with the SAPHIRE software, are used to perform plant-specific PRA analyses.

The Peach Bottom Unit 2 SPAR model, PBT2- EE- L2- 819.exe; Surry Unit 1 SPAR model, SURY- EE- 817.exe; and Sequoyah SPAR model, SEQH-EE-L2-815 are used to analyze the Peach Bottom, Surry and Sequoyah EAL scenarios, respectively.

A process that is analogous to that used by the ASP Program to evaluate operational events is applied to analyze selected EAL scenarios. The following general steps are used to analyze the EAL conditions:

Step 1: Gathering of available scenario information Step 2: Mapping of the incident context into the SPAR model (scenario development)

Step 3: Use of the PRA to determine scenario-specific risk measure 3

SPAR models are non-publically available.

4 Documents pertinent to SPAR model QA process are non-publically available.

7

For illustration purposes, one of the Alert scenarios in Peach Bottom, MA3 (Case 2), is selected as an example. Readers can follow how each of the steps above applies to a specific EAL analysis. SAPHIRE 8 User Guide [Ref. 12] may be referred to for detailed modeling techniques.

2.2.1 Step 1: Gathering of Available Scenario Information In Step 1, the analysts study the EAL threshold conditions and basis information to understand how the EAL scenario is defined. For the MA3 example, the EC is Alert and its threshold conditions are [Ref. 13]:

1. A reactor protection system (RPS) setpoint was exceeded.

AND

2. Automatic scram did not reduce Reactor Power to subcritical with power below the Heating Range (1.00 percent).

The MA3 EAL technical basis states that:

The second condition of this EAL indicates a failure of the automatic RPS scram function to rapidly insert a sufficient number of control rods to achieve reactor shutdown. The CRD system backup scram valves and the Alternate Rod Insertion (ARI) system provide automatic, alternate methods of completing the scram function. These backups, however, insert control rods at a much slower rate than the automatic RPS scram function. For the purpose of EC at the Alert level, reactor shutdown achieved by automatic backup scram valve operation and ARI initiation does not constitute a successful RPS automatic scram If by procedure, operators actions include the initiation of an immediate manual scram following receipt of an automatic scram signal and there are no clear indications that the automatic scram failed [Ref. 13]

After reviewing the above EAL information, the analysts take note of information that can be mapped into the model. In order to understand how plant-specific features and procedures affect an EAL, the analysts also examine other plant-specific technical documents, such as the Technical Specification, the Final Safety Analysis Report, and abnormal and emergency operating procedures (EOPs). These documents constitute what is defined in Step 1 to be available information for each EAL scenario.

2.2.2 Step 2: Mapping of the Incident Context into the SPAR model (Scenario Development)

In Step 2, the SPAR Model is used to reproduce the scenario described by the EAL threshold conditions and basis. The analysts first select a suitable IE, which is also known as an initiator, in the SPAR model to simulate the starting point of the threshold conditions in the EAL. The IE disrupts the steady state operation of the plant and leads to a plant transient. The cause of an IE can be either internal or external to the plant. It can be caused by hardware failure, natural disasters, human errors or attack. Some examples of IEs that are used in this study are:

grid-related LOOP (IE-LOOPGR), transient (IE-TRANS) and Small LOCA (IE-SLOCA).

8

The MA3 threshold condition 1 above indicates that a transient occurred in the plant. In the example MA3 (Case 2), it is assumed that the transient does not lead to a reactivity spike in the reactor. Therefore, the most appropriate IE from the Peach Bottom SPAR model is the transient initiator (IE-TRANS). The IE probability of INT-TRANS is set to 1, which means transient occurs. All other IEs in the model are set to 0, which means they did not occur.

After selecting the suitable IE and setting it to the correct value, the applicable BEs are selected to match the threshold conditions. A BE is an occurrence that is at the minimum level of detail being analyzed in a PRA model. BEs are plant-specific due to the unique design and operating procedures in each plant. The following shows the most common types of BEs in SPAR models and an example associated with each type in the Peach Bottom SPAR model:

1. Equipment failures or unavailability, for example, 4160 volts (V) alternating current (AC)

Bus E42 (20A18) is unavailable (ACP-BAC-LP-E42).

2. Human errors, for example, the operator failed to recover EDG in 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months (EPS-XHE-XL-NR01H).

3. Common-cause failure events, for example, common cause failure (CCF) of all direct current (DC) battery (DCP-BAT-CF-ALL).

If any BE occurs, the BE failure probability is set to TRUE (i.e., failure probability = 1.0). In contrast, if a BE succeeds, the BE failure probability is set to FALSE (i.e., failure probability = 0).

In some cases, the BE failure probabilities are calculated according to the SPAR-H methods documented in NUREG/CR-6883 [Ref. 14] or based on expert judgment. For those cases, the assumptions behind the BE modifications are discussed in the Mapping of EAL Scenario to the SPAR Model sub-sections in Chapters 4, 5 and 6 of this report. The nominal BE failure probabilities, in the base models, are used in the analysis for all other BEs that are not affected by the scenario definition.

The applicable BEs for each scenario are selected in the FT located under the ET system top events. ETs are logical representations of significant plant responses to IEs with each sequence resulting in either a safe condition (such as safe shutdown) or an accident condition, such as core damage. ET system top events are modeled using FTs. FTs identify all of the credible sequences that can cause an undesired event to occur. The undesired event is stated at the top of the FT. The FT gates specify the logical combinations of BEs that lead to the top event [Ref. 12]. The ET system top events are listed in Appendix D of this report.

In the MA3 example, the RPS FT is applied, since the BEs for the reactor trip system are located under the RPS FT. The RPS FT is shown in Figure 2-1 below.

9

Figure 2-1. Peach Bottom Unit 2 SPAR Model RPS FT The EAL technical basis [Ref. 13] indicates that the plant can be tripped successfully by the operators. Therefore, the failure probability for manual scram fails BE, RPS-XHE-XM-SCRAM is set to FALSE. The adjustment of this BE credits the operator action for scramming the reactor successfully in this scenario. The MA3 threshold conditions state that the auto scram system failed and the basis states that the ARI failed. Therefore, the two BEs that contribute to the auto scram function are set to TRUE. These two BEs are the trip system electrical failure (RPS-SYS-FC-ELECT) and the ARI failure (RPS-SYS-FC-ARI).

After adjusting all the IE and BEs in a scenario, the CCDP is computed with a 1x10-12 truncation value. The truncation value is used to capture the dominant minimal cutsets. A minimal cutset describes a combination of failures represented by BEs that leads to an undesirable event, which is core damage for all the analyses in this volume of NUREG/CR. A minimal cutset is a minimum combination of BEs that can lead to CD. All the BEs in a minimal cutset are required to result in a CD sequence. The truncation value is set at a sufficiently low value to ensure that the cutsets screened out have only a negligible contribution to the CCDP result. The analysts examine the top 90 percent of the minimal cutsets to ensure the fidelity of the model and the appropriateness of the simulated conditions described in Step 2. The cutset examination process is iterative. If the analysts find any significant deviations, the input conditions mapped into the SPAR model will be adjusted and the CCDP will be re-computed accordingly.

2.2.3 Step 3: Use of the PRA to Determine Scenario-Specific Risk Measure The purpose of Step 3 is not only to compute PRA results for each EAL scenario, but also to develop insights based on the PRA results. There are three sub-steps in Step 3:

a. Analysts first obtain the CCDP for each EAL scenario and create graphical results for all the CCDP data. Figure 2-2 shows the graphical results for the CCDP range.

10

CCDP Ranges for all ECs 1.E+00 PBOT NOUE 1.E-01 Surry NOUE 1.E-02 SEQH NOUE 1.E-03 PBOT Alert Surry Alert 1.E-04 SEQH Alert CCDP 1.E-05 PBOT SAE 1.E-06 Surry SAE 1.E-07 SEQH SAE 1.E-08 PBOT GE Surry GE 1.E-09 SEQH GE 1.E-10 1.E-11 Figure 2-2. CCDP Range for each EC

b. Figure 2-3 shows a general trendan increasing CCDP as the EC ranking of an EAL scenario becomes more severe. Although most EAL scenarios follow this general trend, there are some outliers that do not follow this trend. In order to identify these outliers and to develop meaningful insights, the analysts establish CCDP ranges for different EC based on the computed CCDPs. These ranges serve as a screening tool for this EAL study to identify outliers. It is important to note that they cannot be used as acceptance criteria for regulatory purposes, nor do they address any safety requirements. They were primarily based on the CCDP ranges observed in the results of Peach Bottom, Surry and Sequoyah. They do not indicate any regulatory or policy considerations.

Creation of generic ranges for all U.S. NPPs would be possible, but would require more research.

The presumed CCDP ranges for different ECs are depicted as the following:

NOUEbelow 1 x 10-5;

Alertbetween 1 x 10-5 and 1 x 10-3;

SAEbetween 1 x 10-3 and 1 x 10-1;

GEbetween 1 x 10-1 and 1.

11

NOUE --> Alert --> SAE --> GE 1 x 10-5 1 x 10-3 1 x 10-1 Figure 2-3. Presumed CCDP Ranges for Various ECs

c. After establishing a CCDP range for each EC, the analysts compared the CCDP result in a scenario to the established CCDP range. This determines if that EAL scenario is within the established range, or if it falls outside the range. If the result is outside the established range, it means that the EAL should be considered for further review.

Before generating the insights, the analysts also examine the sequences and the cutsets of each EAL scenario, and compare them with those that have similar threshold conditions to examine the consistency and difference of the results among similar EAL scenarios. The insights are organized and documented in Chapter 3 and the analysis results are in the SPAR Model Results and their Implications sub-sections in Chapters 4, 5 and 6 of this report.

In the MA3 example, the CCDP is 7.85 x 10-8, which is much lower than the presumed Alert EAL range. This means it is an outlier. The analysts then take a closer look at the EAL threshold conditions and compare their sequences and cutsets with those EAL scenarios with similar threshold conditions. In this case, the analysts compare the MA3 scenario with MS3 (Failure of RPS Instrumentation to Complete or Initiate an Automatic Reactor Scram Once a Reactor Protection System Setpoint Has Been Exceeded and Manual Scram Was NOT Successful [Ref.

13]) and MG3 (Failure of the RPS to Complete an Automatic Scram and Manual Scram was NOT Successful and There is Indication of an Extreme Challenge to the Ability to Cool the Core

[Ref. 13]), which have similar threshold conditions associated with the failure of reactor scram system. After comparing the results, the analysts review the consistency and difference among these EAL scenarios and develop the insights.

2.3 Uncertainty and its Impact on Risk-Informed EAL Evaluation The importance of various sources of uncertainties is generally evaluated based on their potential impact on the assessment outcomes. The impact on the assessment outcomes depends on the assessment process. Therefore, it is crucial to identify the most important sources of uncertainties that need to be addressed by the assessment process. The assessment process used in this study was to assign the threshold conditions defined by various EALs to the appropriate bins. These bins are the assessment outcomes, which group EAL scenarios based on their likelihood of core damage. The likelihood of core damage is the risk metric, which is measured by CCDP. In most cases there could be several scenarios that meet an EAL initiating condition. The scenario that leads to the highest CCDP is generally selected for making the binning assessment. The binning process is done by comparing the calculated CCDP against the CCDP thresholds for the various EAL bins.

12

There are several ways in which uncertainties can enter the assessment process, thereby impacting the assessment outcomes. The two main areas for uncertainties are:

1. Uncertainties associated with the quantitative results from the PRA model, and

2. Uncertainties associated with the process of translating the EAL threshold conditions into PRA input.

This study does not depend upon the CCDP results in an absolute sense, but rather compares the CCDP results for consistency within ECs. This being the case, the uncertainties mentioned apply to all cases, and are relatively similar for all cases. Since the comparison is for internal consistency among EALs in a given EC the tool is adequate for risk information purposes. If NRC should establish a numeric threshold for EALs, a rigourous uncertainty analysis such as described in NUREG 1855 would be appropriate to understand which assumptions could change the decision related to the threshold.

Following NUREG-1855, Guidance on the Treatment of Uncertainties Associated with PRAs in Risk-Informed Decision Making, [Ref. 15], the uncertainties associated with the quantitative PRA results mainly stem from the epistemic uncertainties, which are uncertainties due to insufficient knowledge of the PRA model, such as input reliability data or modeling of system logics. These epistemic uncertainties include parametric uncertainties, model uncertainties, and completeness uncertainties. These sources of uncertainties are discussed followed by the uncertainties associated with EAL-specific evaluation approach.

2.3.1 Uncertainties Associated with Quantitative PRA Results In the past, PRAs were used along with additional engineering or deterministic evaluations.

This was done because PRAs did not explicitly account for all sources of uncertainties and embedded assumptions. Standardization of PRA methods and assumptions in recent years has eliminated some of the inconsistencies and provided a better understanding of the sources of uncertainties involved. Further research could reduce the PRA modeling uncertainty, but it would be beyond the scope of this study.

The uncertainties associated with estimation of the core damage probabilities (Level-1 PRAs) in NPPs result from the uncertainties in the different components of PRA models. These components include: data associated with IEs and BEs, success criteria, CCF analysis, and human reliability analysis (HRA). Additional sources of uncertainties associated with external initiators could include component fragilities, external event loads (seismic and fire loads), fire response impact, and other modeling uncertainties. It is worth noting that the current study for risk-informed EAL evaluation is limited to the internal event initiators during full power operation.

SPAR models address the uncertainties associated with different components of PRA models via SPAR model standardized approach. Recent studies supporting the SPAR Program documented in NUREG-1953, Confirmatory Thermal-Hydraulic Analysis to Support Specific Success Criteria in the Standardized Plant Analysis Risk ModelsSurry and Peach Bottom,

[Ref. 16] have attempted to address the uncertainties associated with the thermal-hydraulic success criteria and the timing issues related to human error analysis. However, these uncertainty sources have not been fully quantified by the SPAR model developer.

Another source of uncertainty is introduced during the PRA model development process. These could include potential errors in system FTs due to misinterpretation of system design requirements, improper assumptions about the system operation, error in modeling of plant 13

response through ETs, and misinterpretation of EOPs or severe accident management guidelines (SAMGs). PRA model developers have to be knowledgeable about the plant, system, and operator responses during various conditions and appropriately transfer the knowledge of the plant-specific information into the associated PRA models and data. Peer review and QA of the PRA models have revealed inconsistencies that could have affected the risk profile. Improving the peer review and QA process of the PRA model development would reduce this source of uncertainty, but it would be beyond the scope of this study.

Uncertainties analyzed by SAPHIRE code with the uncertainty distributions specified in each SPAR model can be considered as a means to estimate the statistical characteristics of the predicted PRA numerical results. This can address some of the uncertainty sources identified here. Additional research may be required to address other sources of uncertainty that are not fully integrated into the modeling process.

2.3.2 Uncertainties Associated with EAL Assessment Process Binning is a process that is typically performed by taking a well-defined statistical measure of the PRA results (mean, or a specific percentile) of the estimated CCDP distribution for an EAL condition. We denote this condition X, and check if X belongs to the range of values defining bin j. In most cases, where the uncertainties are managed, the consequence of uncertainty could be manifested by improper assignment of X to any of the two adjacent bins; j-1 or j+1.

The importance of uncertainty is, therefore, measured by an answer to the question, how bad is the consequence of choosingj-1 or j+1 when the appropriate bin is j. This is the main reason why some analysts have erred on the side of conservative assumptions or bounding evaluations, in order to ensure that the bin selected would be safe (i.e., have the least impact on the outcome) even if it is not correct [Ref. 17]. For example, assigning an EAL to Alert would be safer for a particular scenario from a regulatory standpoint, even if the CCDP fell within the established NOUE range. In this study, each EC is considered as a bin, and the EALs within the same EC are in the same bin.

The major sources of uncertainty for the proposed EAL assessment process deal with: (1) identifying one or more scenarios that can meet the EAL threshold conditions, and (2) translating those scenarios into a well-defined set of inputs for the SPAR models. The latter source of uncertainty is particularly important, when accounting for the limited scope of the SPAR models, as compared to the modeling needs of the EAL conditions. For example, there is no BE available in the SPAR model for mapping the loss of annunciator/indicator event in MA6. Therefore, for this scenario, the analysts were required to manipulate the relevant human error probabilities (HEPs) to indirectly model it. In order to perform a sensitivity analysis, the analysts applied different HEPs to different cases for this same EAL scenario to find the bounding CCDPs.

Both sensitivity analysis and uncertainty evaluations are important in evaluating different assumptions. In general, model uncertainties are addressed by determining the sensitivity of the PRA results to different assumptions or models [Ref. 15]. In this study, sensitivity analyses were performed to the extent possible to generate robust insights. Readers should keep in mind that this study is not intended to provide absolute CCDP values for the various EAL scenarios for regulatory use, but rather it uses the CCDP values to determine the consistency of EALs within a given EC.

14

3.

SUMMARY

OF RESULTS AND RISK INSIGHTS As stated in Chapter 2 of this report, CCDP was used as a risk metric to establish risk insights.

The established CCDP ranges (Figure 2-3) were applied to differentiate the outliers in different ECs. These outliers were further examined for their result implications and risk significance.

Although the CCDP ranges are determined based on only three plants, the ranges have been selected to prove the concept that ranges can be used. They may or may not be appropriate for fleet-wide use.

This pilot study evaluated selected EALs for different types of threshold conditions. These conditions include loss of AC or DC power, failure of the reactor trip system, loss of annunciation and/or indication, and toxic gas releases. The results and implications of the outliers are summarized in Sections 3.1 to 3.2. The differences in risk perspectives among the three plants are discussed in Section 3.3. This is expanded to include other plant features that would affect the risk perspectives in Section 3.4. Detailed discussions of each EAL analyzed are provided in Chapters 4, 5 and 6. The graphical results for each EC are shown in Appendix A; BEs used for each EAL and a summary of the numerical results are shown in Appendix B; core damage sequences and cutsets are shown in Appendix C of this report. The descriptions of the BEs in the cutsets are in Appendix F.

3.1 Summary of Results Figure 3-1 shows the CCDPs for all EAL scenarios analyzed. They are arranged by the severity of their ECsgreen labels indicate the NOUE EAL results; yellow labels indicate the Alert EAL results; orange labels indicate the SAE EAL results; red labels indicate the GE EAL results.

Larger versions of these result figures, grouped by EC, are located in Appendix A of this report.

15

Figure 3-1. Graphical Results of all Selected EAL Scenarios 16

The results show general consistency between ECs and CCDP valuesa higher EC corresponds to a higher risk as estimated by the associated CCDPs. Although the CCDPs of most EALs with the same EC reside within the presumed CCDP range, there are outliers among the three plants.

The CCDPs of some EALs within the same EC can reside outside the range. These outliers have CCDPs either above or below the presumed range. For a particular scenario, sometimes all three plants contain outliers, while sometimes only one or two reside outside the range. A discussion of these outliers is provided in Section 3.2 below.

For some cases, where the CCDPs reside within the presumed range, there are significant differences in CCDP values among the plants. These differences are as high as two orders of magnitude. A discussion of the EALs that have significantly different CCDP values is provided in Section 3.3.

3.2 EAL Outliers This section discusses plant-specific insights obtained as a result of the EAL risk evaluations for Peach Bottom, Surry and Sequoyah NPPs. The discussion is limited to those EALs where at least one of the plants has CCDP that is outside the presumed range for their corresponding EC. For the scenarios that have outliers, Table 3-1 provides a high level summary about the outliers of the three pilot plants. It also summarizes the proposed changes to the EAL for further consideration. Readers may refer to the reference sections indicated on the right hand column of the table for specific details of each EAL. Details of all EAL analyses, including both outliers and non-outliers are presented in Chapters 4, 5 and 6.

Table 3-1. EALs with CCDPs Outside the Presumed Ranges Considerations for EALs Based on Related EALs Result Summary Ref.

CCDP Results The analysis results do not support PBOT MU1 The CCDP is within the expected §4.1 any modification of the NOUE EALs result range of other NOUE EAL associated with loss of all offsite AC scenarios.

power to emergency buses for Surry SU1.1 The CCDP is slightly higher than the §5.1 15 minutes or longer. Surry and expected result range of other NOUE Sequoyah have CCDPs which are EAL scenarios.

slightly higher than the presumed range. However, if the plant can be SEQH SU1 The CCDP is slightly higher than the §6.1 shut down safely without any expected result range of other NOUE complication, the risk is very low. EAL scenarios.

The NOUE EALs associated with PBOT MU6 The CCDPs for all three plants are §4.2 unplanned loss of safety system (Cases 1 and 2) lower than the expected result range annunciation or indication in the of other NOUE EAL scenarios.

control room for 15 minutes or longer Surry SU4.1 §5.2 (Cases 1 and 2) can be considered for elimination, based on the analyses of the SEQH SU3 §6.2 degraded condition for eight hours. (Cases 1 and 2) 17

Table 3-1. EALs with CCDPs Outside the Presumed Ranges (Continuation)

Considerations for EALs Based on Related EALs Result Summary Ref.

CCDP Results The analysis results do not support PBOT MU7 The CCDP is within the expected result §4.3 any modification of the NOUE EALs range of other NOUE EAL scenarios, associated with very small RCS with acceptable uncertainty.

leakage (identifiable leakage: 25 gpm; Surry SU6.1 The CCDP is higher than the expected §5.3 unidentifiable leakage: 10 gpm). result range of other NOUE EAL scenarios due to the conservative interpretation and mapping of this EAL to the PRA model.

SEQH SU5 The CCDP is within the expected result §6.3 range of other NOUE EAL scenarios.

The NOUE EALs associated with PBOT HU7 The CCDPs for all three plants are §4.4 release of toxic, corrosive, asphyxiant lower than the expected result range of or flammable gases deemed other NOUE EAL scenarios.

detrimental to normal operation of the Surry HU3.1 §5.4 plant can be considered for elimination. The reportability of such SEQH HU3 §6.4 events is covered under 10 CFR 50.72 [Ref. 18].

Clarification of the threshold PBOT MA1 The CCDP is within the expected result §4.5 conditions of the Alert EALs range of other Alert EAL scenarios.

associated with AC power capability The threshold conditions, which are to emergency buses reduced to a applicable to all three plants, only single power source for 15 minutes or require one DG from each plant unit to longer such that any additional single cope with SBO. Although Peach failure would result in SBO can be Bottom EALs meet the guidance of considered. The definition of a single NEI 99-01, the essential cooling water source for the plant to handle SBO (ECW) pumps of Peach Bottom are condition may need to be clarified, powered by Unit 2 emergency buses, particularly for multiple-unit sites with while the motor operated valve of the shared electrical systems. suction from the cooling tower is powered by Unit 3 emergency bus.

Therefore, Peach Bottom requires at least two EDGsone from each unit, to keep the plant away from an SBO condition.

Surry SA1.1 The CCDP is higher than the expected §5.5 result range of other Alert EAL scenarios, due to the plant-specific features of Surry.

SEQH SA5 The CCDP is within the expected result §6.5 range of other NOUE EAL scenarios.

18

Table 3-1. EALs with CCDPs Outside the Presumed Ranges (Continuation)

Considerations for EALs Based on Ref Related EALs Result Summary CCDP Results .

In both BWRs and PWRs, the Alert PBOT MA3 The CCDPs for both reactivity §4.

EALs associated with automatic (Cases 1 and 2) transients (Case 1) and simple 6 scram (trip) fails to shut down the transients (Case 2) are lower than the reactor and the manual actions taken expected result range of other Alert from the reactor control console are EAL scenarios.

successful in shutting down the Surry SA2.1 The CCDP of a reactivity transient §5.

reactor can be considered for (Cases 1 and 2) (Case 1) is within the expected result 6 downgrading to NOUE for all plant range, while the CCDP of a simple transients that are not considered as transient (Case 2) is lower than the reactivity transients. expected result range of other Alert However, in PWRs, the Alert EAL scenarios.

classification is appropriate for reactivity transients, such as plant SEQH SA2 The CCDP of a reactivity transient §6.

overcooling transients. (Cases 1 and 2) (Case 1) is within the expected result 6 Unless it can be determined that range, while the CCDP of a simple reactivity transients are covered by transient (Case 2) is lower than the other EALs, it may not be appropriate expected result range of other Alert to modify this EAL. EAL scenarios.

The Alert EALs associated with unplanned loss of safety system (1) annunciation or (2) indication in control room with either a significant transient in progress or compensatory indicators are unavailable are discussed separately in the next two rows.

(1) The Alert EALs associated with PBOT MA6 The CCDPs of the different types of §4.7 unplanned loss of safety system (Cases 1, 3, 5) transients with loss of annunciation annunciation can be considered for analyzed (Cases 1, 3 and 5) for all downgrading to NOUE from Alert. Surry SA4.1 three plants are lower than the §5.7 (Cases 1, 3, 5) expected result range of other Alert SEQH SA4 EAL scenarios. §6.7 (Cases 1, 3, 5)

(2) The analysis results do not PBOT MA6 The CCDPs with transients related §4.7 support any modification of the Alert (Cases 2, 4, 6) to loss of condenser heat sink EALs associated with unplanned loss (LOCHS) (Case 2), loss of main of safety system indication. The low feedwater (Case 4) and simple CCDPs have resulted from plant- transients (Case 6) are all within the specific features of Sequoyah, which expected result range of other Alert are not shared by Peach Bottom and EAL scenarios.

Surry. Surry SA4.1 The CCDPs with transients related §5.7 (Cases 2, 4, 6) to loss of condenser heat sink (Case 2) and loss of main feedwater (Case 4) are within the expected result range, while the CCDP of a simple transient (Case 6) is lower than the expected result range of other Alert EAL scenarios.

SEQH SA4 The CCDPs with transients related §6.7 (Cases 2, 4, 6) to loss of condenser heat sink (Case 2), loss of main feedwater (Case 4) and simple transients (Case 6) are below the expected Alert result range.

19

Table 3-1. EALs with CCDPs Outside the Presumed Ranges (Continuation)

Considerations for EALs Based on Related EALs Result Summary Ref.

CCDP Results The Alert EALs associated with PBOT HA7 The CCDPs are significantly lower §4.8 access to a vital area is prohibited (Cases 1, 2, 3) than the expected result range of due to toxic, corrosive, asphyxiant or other Alert EAL scenarios, flammable gases which jeopardize Surry HA3.1 regardless of whether the release is §5.8 operation of operable equipment (Cases 1, 2, 3) in the DG room (Case 1), switchgear required to maintain safe operations SEQH HA3 room (Case 2) or all local operator §6.8 or safely shutdown the reactor can be (Cases 1, 2, 3) actions failed (Case 3).

considered for downgrading to NOUE or be eliminated. Based on the CCDPs of all Alert cases (EDG room, switchgear room and sensitivity cases) analyzed for the three pilot plants, the presence of toxic gas for a short duration (< 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months ) will not pose significant risk. For all other toxic and flammable gases, there could be a possibility of fire or explosion, which is not included in the analyses. However, fire explosions are already covered as a part of other EALs.

The analysis results do not support PBOT MS1 The CCDP is slightly lower than the §4.9 any modification of the SAE EALs expected result range of other SAE associated with Loss of all offsite and EAL scenarios, due to the credits all onsite AC power to emergency given to offsite power source buses, despite the Peach Bottom supplied by Conowingo river.

lower CCDP result. Surry SS1.1 The CCDP is within the expected §5.9 result range of other SAE EAL scenarios.

SEQH SS1 The CCDP is within the expected §6.9 result range of other SAE EAL scenarios.

The SAE EALs associated with loss PBOT MS4 The CCDPs are higher than the §4.10 of all vital DC power for 15 minutes or expected result range of other SAE longer can be considered for EAL scenarios. The SPAR models upgrading to GE. Perhaps a two step Surry SS1.2 do not credit all possible local §5.10 time frame (e.g., 15 minutes to manual actions for this scenario. In 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months sSAE; greater than two SEQH SS3 addition, credits are not given to §6.10 hour1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months sGE) may be considered. possibility of DC power recovery.

However, even with recovery possibility, prolonged loss of DC would result in core damage.

20

Table 3-1. EALs with CCDPs Outside the Presumed Ranges (Continuation)

Considerations for EALs Based on Related EALs Result Summary Ref.

CCDP Results The analysis results do not support PBOT MS6 The CCDPs are within the expected §4.13 any modification of the SAE EALs result range of other SAE EAL associated with inability to monitor a scenarios.

significant transient in progress, Surry SS4.1 The CCDPs are slightly lower than §5.12 despite the lower CCDP results for the expected result range of other Surry. SAE EAL scenarios because the motor driven auxiliary feedwater (MDAFW) pumps at Surry are capable of operating continuously under the threshold conditions.

SEQH SS6 The CCDPs are within the expected §6.12 result range of other SAE EAL scenarios In general, the outliers that may consider: (1) modifications to the EALs or (2) re-rank of their EC can be grouped into the one of the following categories:

One Source Away from SBO

Loss of All Vital DC Power

Simultaneous loss of all AC and DC (note that this scenario is currently not in any plant-specific EAL, but it is important for EP)

Loss of Annunciation and/or Indication

Successful and Effective Manual Scram (Trip)

Toxic Gas Effects Sections 3.2.1 to 3.2.6 discuss risk insights developed based on the analysis results of the three plants. They are grouped by the EAL outliers list above. Some of the plant-specific features from the three plants may serve as examples for illustration purpose. Although these insights are based on the analyses of three plants, it appears that many of their implications can be applicable to other NPPs.

3.2.1 One Source Away from SBO If a plant experiences a LOOP and the emergency AC is degraded to a single power source for greater than 15 minutes, an Alert would be declared. The risk evaluation of this EAL revealed some generic needs for further clarifications of the EAL condition for at least two areas; the definition of single AC power source and the treatment of non-safety alternate AC (AAC) power sources. These are discussed below:

Depending on plant-specific features, a single emergency power source (i.e., one EDG) may not be sufficient to bring the plant to a stable shutdown at any of the units in a 21

multiple-unit site. As an example, in Peach Bottom, the successful operation of two EDGs is needed to achieve a stable shutdown. Therefore, if the above EAL condition lasts for several hours with no other power sources recovered except one EDG, it could result in core damage. Therefore, for a prolonged condition when only one EDG is available for the Peach Bottom case discussed above, risk information indicates that the Alert classification could be elevated to an SAE or a GE.

An AAC source could be a black start DG, an offsite hydro unit, or AC source provided by gas turbines. The alignment and loading of the AAC power source is in most cases manual. Therefore, it takes some time to utilize the AAC source. If this time is less than 15 minutes, then the AAC source can be explicitly credited as a single source of AC for this EAL. On the contrary, if the AAC source alignment and loading take more than 15 minutes, the EAL condition could only be met when at least one other source of emergency AC is available.

The quantification of the CCDPs and the risk insights related to the EALs associated with this scenario are provided in Sections 4.5, 5.5 and 6.5 for Peach Bottom, Surry and Sequoyah, respectively.

3.2.2 Loss of All Vital DC Power Loss of all vital DC power in a BWR generally causes the loss of reactor core isolation cooling (RCIC), high pressure coolant injection (HPCI), the loss of main feed water (MFW), and the loss of control power for all 4160V and 480V breakers. Similarly for PWRs, loss of DC generally causes loss of main feed water, and loss of control power to all trains of 4160V and 480V switchgear resulting in failure of remote breaker operation for all trains of the safety systems.

Although in Surry, loss of DC power does not result in failure of the turbine-driven auxiliary feed water (TDAFW) pump, it is considered a plant-specific feature, which is not shared by other PWRs. Under prolonged loss of DC power with no recovery actions and no TDAFW for PWRs, core damage is predicted in about an hour. However, following a loss of all DC power, manual local operation of the breakers can be credited as a recovery action to compensate for the loss of control power. In addition, local manual actions to start and control the flow of some injection trains can also be performed. Availability of AC power facilitates the success of these local manual actions by providing sufficient lighting and ease of access. However, none of these recovery actions are currently modeled in the SPAR models used in this study.

The current conservative assumptions and lack of credits to the potential recovery actions in PRA appears to be generic. This issue can benefit from additional plant-specific risk evaluations and development of the required recovery models. Therefore, the loss of all vital DC power and plant response including possible recovery actions has to be given additional attention.

The quantification of the CCDPs and the risk insights related to the EALs associated with this scenario are provided in Sections 4.10, 5.10 and 6.10 for Peach Bottom, Surry and Sequoyah, respectively.

3.2.3 Total Loss of All AC and DC There is no existing EAL that describes the condition of a total loss of AC and DC. This case is modeled by assuming LOOP, failure of all EDGs to start, and loss of DC power. All these failures are assumed to have occurred at the time of the reactor trip. The plant response will be 22

quite similar to that of loss of all DC, except the success of any of the manual recovery actions is unlikely in a prolonged loss of AC and DC. There could be some plant-specific features that can slow the degradation in a loss of AC and DC event. For example, at Surry, the TDAFW could be started and then inject into steam generators (SGs) at a maximum flow. Such uncontrolled injection (blind operation of TDAFW) will overfill the SG and consequently fail the TDAFW. Although it is unlikely that the operators succeed in local manual control of the TDAFW flow during total loss of AC and DC, the noted plant-specific feature could postpone the core damage. In the case of Peach Bottom, when no recovery actions are assumed, a CCDP of 1 is estimated. It is generally concluded that prolonged loss of AC and DC could eventually result in core damage. The time to core damage and containment failure depends on plant-specific features. Therefore, total loss of all AC and DC should be classified as a GE.

3.2.4 Automatic Trip Failed, but Manual Trip Succeed Manual scram of the reactor after a failure of automatic scram has the EC of an Alert. Failure of auto scram in general is a risk-significant event and would require post-incident examination to ensure that the underlying causes are identified and future occurrences are eliminated.

However, for this EAL scenario, which assumes that timely and effective manual scram has terminated the adverse impact of the failure of auto scram, the expected risk is considered to be low for both PWRs and BWRs.

For some transients, the failure of auto scram could result in a rapid increase in power level.

Consequently, the reactor pressure could increase so fast that manual scram cannot prevent the initial pressure spike. The pressure spike could result in opening of primary relief valves with a potential for subsequent failure of at least one valve to close. Under this conservative assumption, the scenario leads to a loss of primary inventory. The CCDP results for BWRs even under such a severe condition are low, due to multiple redundant and diverse means to inject into the vessel. Therefore, the EALs associated with failure of auto-scram with successful manual scram for BWRs could be reassigned to a lower EC.

Similarly for PWRs and for most transients, which do not insert any reactivity into the core, and thereby do not have any primary pressure spike, this EAL could be reassigned to a NOUE from an Alert. The Alert categorization however, would be appropriate for those transients that could cause reactivity insertions, such as plant overcooling transients.

The quantification of the CCDPs and the risk insights related to the EALs associated with this scenario are provided in Sections 4.6, 5.6 and 6.6 for Peach Bottom, Surry and Sequoyah, respectively.

3.2.5 Loss of Annunciation and/or Indication Loss of majority of control room annunciators and/or indicators during plant operation or post transients is covered under several EALs. This study shows that the loss of annunciators and the loss of indicators are not equivalent events considering the resultant CCDPs. The loss of annunciators is expected not to cause any major difficulty in the control room operator's ability to recover from a transient, as long as the control room indicators remain operable. However, loss of annunciators would impact the operators ability to rapidly detect the transient or readiness to cope with potential degraded conditions. Control room operators rely on annunciators for calling their attention to off-normal conditions. In most control rooms, some important indicators may not be viewable from the reactor operators station. Plant alarm procedures are generally indexed to particular annunciator windows.

23

For some plant conditions, annunciators are the primary means that alerts operators to take immediate actions. These include loss of a vital bus, flooding in a critical safety area, and trip or failure of an operating safety critical component that affects the plants critical parameters. Loss of indicators in contrast to loss of annunciators would reduce the ability of the operators to monitor critical safety parameters and systems to perform the necessary actions. The impact of loss of indicators on the operators ability to perform various actions will depend on the available time for diagnostics. The impact is reduced as more time becomes available for actions.

The EAL threshold conditions do not specify the relative importance of the loss of different types of annunciators or indicators, even though they require different operator diagnosis and recovery actions. As different types of operator actions have various HEPs, the CCDP associated with the loss of different types of annunciators or indicators is different. Also, Technical Specifications state different requirements for different loss of instrumental signals.

Loss of some important signals requires initiating hot shutdown within one hour; while loss of lesser important signals allows time for repair before initiating hot shutdown. Therefore, a more precise definition of loss of 75% of safety-related annunciators or indicators would improve the PRA quantification for these EAL scenarios and allow a risk-informed design of these EALs.

There is a possibility that the loss of annunciators or indicators condition is caused by the loss of an electrical bus. However, the operators generally rely on the annunciators and/or indicators to monitor loss-of-bus or under-voltage conditions. If there is a loss of annunciators or indicators, the operator may not be able to diagnose the loss-of-bus condition. The analysts recommend the loss of a single bus condition be addressed in the EAL threshold conditions.

The quantification of the CCDPs and the risk insights related to the EALs associated with this scenario are provided in Sections 4.2, 4.7 and 4.13 for Peach Bottom, Sections 5.2, 5.7 and 5.12 for Surry, and Sections 6.2, 6.7, and 6.12 for Sequoyah.

3.2.6 Toxic Gas Effects EALs categorize the release of toxic, corrosive, asphyxiant, or flammable gases into the categories of NOUE and Alert. For NOUE, the normal operations of the plant may be affected.

For Alert, not only the normal operations, but also safe shutdown operations may be affected, due to the potential that toxic gas is released into a plants vital area. There are many examples that can fall into toxic gas EALs. Release of toxic gas would hinder operator actions with various levels of severity. Some examples follow:

Sodium hypochlorite used at a plant for controlling bio-fouling leaks through a ruptured pipe in the chemical batching areaAs a result of this event, an immediate evacuation of the affected building and isolation of the ruptured pipe are required. The toxic gas may accumulate in the intake pumping station, since the chemical batching area is usually adjacent to it. The plant is required to declare a NOUE even if the leaks can be isolated. If the leaks cannot be isolated and the toxic gas transfers to the intake pumping station, an Alert will be declared.

Spill of hydrazine while injecting it into the feedwater system for corrosion control and oxygen scavengingHydrazine evaporates into a gas form and accumulates in the turbine building. An Alert then will be required due to toxic gas concentration in the turbine building, which is a vital area. Immediate evacuation of the area by plant 24

personnel and maintenance crew could result in other complications. In extreme cases a plant trip may occur due to a loss of condenser vacuum.

The release of chromates in the vicinity of the operating units TDAFW pump Chromates are used to control corrosion for component cooling water (CCW) heat exchangers. However, this chemical is known to be carcinogenic and working with it requires special hazmat equipment to be worn. Prior to performing a maintenance or repair on the CCW components, the system is usually dechoromated through a hose (approximately 4 inches in diameter). Chromates may be released to the auxiliary building. An Alert will be declared.

Despite different levels of severity of these examples, the conditional CCDPs associated with them are expected to be low. The EAL analyses associated with toxic gas releases, which are the bounding cases, show that their risk is less than other EALs with the same ECsboth NOUE and Alerts. Alerts have also been declared by numerous NPPs due to the spurious actuation of fire suppression systems that use halon or CO2 in a protected area. Spurious actuations are defined as scenarios in which the suppressant is discharged when there is no fire in the area. In addition to spurious discharges during test and maintenance, halon could also be spuriously discharged due to seismic events, thermal effects of steam leak, random component failures, or maintenance mishaps. Spurious actuations are not expected to have any impact on plant systems and components. However, the affected areas must be evacuated and no personnel can be allowed entry until the halon is completely purged. Past occurrences of spurious halon actuations, due to test or maintenance by plant staff, have lasted an average of two hours.

For the NOUE due to release of toxic gas at a plant site, a bounding risk associated with the declaration of a NOUE was modeled by assuming a duration of eight hours for dissipation of the toxic gas concentration, and increasing the failure probability of all actions that require the staff to be outdoors. These actions include working on the switchyard, or performing a recovery action at remote locations such as the intake structure or service water (SW) building. The adjustments to the selected human failure probabilities were determined based on the need for additional time for the HAZMAT personnel to assess the condition, provide instructions, and for the plant staff to take appropriate protective measures. These measures could include wearing protective gear and using self-contained breathing apparatus. These conditions could also increase the levels of stress and the difficulty for plant staff to perform the recovery tasks.

All CCDPs estimated by SPAR are significantly below the risk threshold for NOUE for the three plants analyzed. However, the conditional core damage probability for Sequoyah was significantly higher, although still below the NOUE threshold. This stemmed from the higher likelihood that the plant staff had to go outdoors to perform local manual actions to recover from an essential raw cooling water (ERCW) screen plugging event. Furthermore, the severity and duration of release of toxic gas at a plant site could significantly vary based on plant-specific site characteristics. As an example, for some sites, there could be other non-nuclear facilities within the site boundary or near the site boundary (e.g., gas or petrochemical facilities). Therefore, the conditional plant core damage probability for release of toxic gases at the plant site could significantly vary among various plants. Elimination of the EAL is recommended for consideration, while retaining an EAL for toxic gas affecting a vital area.

For an Alert due to release of toxic gas, the plant-specific risk analysis was performed for three cases for the three pilot plants. These cases were selected since they are the most likely rooms where spurious halon actuations could occur. The three cases were: toxic gas in an EDG 25

room, in a switchgear room, and in all protected areas such that no local manual actions could be performed. In all these cases the control room is assumed to be unaffected by this event, as the abandonment of the control room is covered under a different EAL. A duration of eight hours was considered for these evaluations, which is conservative since past operational events have shown that most spurious actuations of halon were recovered within two hours.

For the EDG room, the affected EDG was assumed to be unavailable for a period of one shift, eight hours, with no recovery actions. The loss of the EDG was assumed since either the operator would block the start of the affected EDG in fear of potential explosion due to flammable gases or the EDG may trip due to high room temperature caused by the heating, ventilation, and air conditioning (HVAC) isolation. For the switchgear room, all manual recovery actions were identified and assumed not to be possible during the period of eight hours, which is the assumed time required to purge the suppressant and make the switchgear room accessible.

All local manual actions that are modeled in PRA and are performed in the protected areas were assumed not to be possible for eight hours, in the third sensitivity case run. No equipment was assumed to be unavailable, i.e., no impact on EDGs was assumed for this sensitivity case run.

Based on all three Alert cases (EDG room, switchgear room and sensitivity case) analyzed for the three pilot plants, it can be generally concluded that the temporary presence of toxic gas for a period of less than eight hours will not pose any significant risk and, therefore, declaration of Alert could be reduced to NOUE. The results also showed that the presence of halon or a flammable gas in an EDG room is the most risk-significant case. However, this worst case is still significantly below the expected result range of other Alert EAL scenarios and below the NOUE presumed range as well.

The analyses performed here mainly addressed the spurious actuations of a Halon system.

They clearly show that an Alert due to the spurious actuation of halon can be assigned to a lower EC or eliminated. For all other toxic and flammable gases, there could be a possibility of fire/explosion, which is not included as part of these evaluations. However, fires/explosions are considered as part of other EALs. Therefore, this EAL can be assigned to a lower EC or eliminated for all cases. It may be appropriate to consider elimination of the EAL for spurious fire system actuations or perhaps when a single vital area is effected.

The quantification of the CCDPs and the risk insights related to the EALs associated with this scenario are provided in in Sections 4.4 and 4.8 for Peach Bottom; Sections 5.4 and 5.8 for Surry; and Sections 6.4 and 6.8 for Sequoyah.

3.3 Risk Perspectives of Differences among Peach Bottom, Surry and Sequoyah For those cases where the CCDPs reside within the range, there could be significant differences in CCDP values amongst the plants. These differences are as high as two orders of magnitude off of the presumed range. Although major differences are expected between the CCDPs for some PWRs and BWRs, differences in CCDPs within a class of plants (e.g., PWRs such as between Surry and Sequoyah) are not as intuitive.

As presented in Figure 3-1 and Table 3-1, there was general consistency between the results of Surry and Peach Bottom. For all EALs, where the results of risk evaluations were within the range, the CCDP for Surry and Peach Bottom generally clustered within a small range with the Sequoyah results sometimes separated by one or two orders of magnitude. Therefore, a discussion of those differences between Surry and Sequoyah that significantly impact the 26

calculated CCDP values for specific EALs is provided in Sections 3.3.1 to 3.3.4. Section 3.4 provides some generic insights based on the lessons learned from the existing PRAs on what could be the key plant features that can significantly affect CCDP values.

3.3.1 Risk Perspectives of Differences between Surry and Sequoyah Unique plant features rather than differences in the SPAR modeling approach and data were identified as the main reason for the discrepancies between the CCDP results for Sequoyah and Surry. Table 3-2 below highlights the major plant differences that contribute to the disparity in the estimated CCDPs for the similar EALs.

Table 3-2. Major Physical Differences between Surry and Sequoyah Sequoyah Surry Shared electrical systems, and some No shared electrical system, and no cross-connections between the fluid systems cross-connections for fluid systems between the (e.g., Auxiliary feedwater (AFW) system) shared two units between the two units Shared SW systems between the two units; Shared SW system between the two units, which however, the PRA model is currently assuming that is highly susceptible to bio-fouling.

it is not susceptible to bio-fouling.

The two RHR trains perform cooling of the Containment and sump cooling is done via containment sump during recirculation, containment recirculation trains and that function is containment cooling and spray, and the normal separated from RHR trains.

RHR function.

Although designed as a two train/two division Limited number of redundancies, such that the system, safety functions can be performed by the plant can be considered as a two train system with two designed trains plus an additional train, which no manually aligned backup train.

can be manually aligned from the other unit.

It should be noted that low CCDP (i.e., below 1 x 10-6) values, calculated by the PRA models, may contain higher uncertainties. In such cases decisions shall not exclusively be made based on the CCDP values. The differences between the CCDP of the toxic gas releases and annunciators and/or indicators scenarios due to the above differences in plant features are discussed below.

3.3.2 Unplanned Release of Toxic and Flammable Gases within the Site Perimeter This EAL was evaluated by increasing the failure probabilities for the human actions that required plant staff to go outdoors. Such actions include recovery actions for SW system or offsite power. The CCDP results for Surry and Sequoyah for this EAL are 3.64 x 10-9 and 1.24 x 10-7, respectively. The difference is about a factor of 34 and has resulted because of the following reasons:

1. Sequoyah PRA reflects a much higher probability of ERCW screen plugging than Surry for SW screens. Local manual actions are required in accordance with abnormal procedures and are credited in PRA for recovering from the screen plugging events.

These actions would require the plant staff to go outdoors since the intake structures are generally located away from the main buildings. If these actions are hindered by the 27

presence of toxic gas at the site, the probability of loss of ERCW would become significantly higher in Sequoyah in comparison to Surry.

2. Both Sequoyah and Surry model the recovery actions for LOOP. Some offsite power recovery actions could be encumbered by the presence of toxic gas in both plants.

However, the effect on CCDP is smaller in Surry due to the ability to share electrical systems.

The quantification of the CCDPs and the risk insights related to the EALs associated with this scenario are provided in Sections 5.4 and 6.4 for Surry and Sequoyah, respectively.

3.3.3 Unplanned Release of Toxic and Flammable Gases within the Vital Structures This EAL was evaluated for the DG room, Switchgear room, and a hypothetical room for the purpose of sensitivity analyses. With the exception of the DG room, where the affected DG was assumed not to be available for the duration of the event, all other equipment was assumed to be operable. The success of this EAL depends on the operators ability to access the affected area, which could have been encumbered by the toxic gas presence. The CCDP results for Surry and Sequoyah for the three cases analyzed were 1.06 x 10-8 and 1.00 x 10-7, 4.68 x 10-9 and 1.40 x 10-8, and 1.40 x 10-8 and 3.04 x 10-7, respectively. The difference is about a factor of 10 for all three cases. The higher Sequoyah CCDPs resulted from the lesser degree of redundancy in Sequoyah. Sequoyah, unlike Surry, has two trains with no cross-tie or manual alignment of an additional train. A slightly higher contribution from LOOP has also contributed to the differences in CCDPs but to a much lesser extent.

The quantification of the CCDPs and the risk insights related to the EALs associated with this scenario are provided in Sections 5.8 and 6.8 for Surry and Sequoyah, respectively.

3.3.4 Unplanned Loss of Most or All Safety System Annunciators or Indications in the Control Room for >15 Minutes The success of this EAL depends on the operators ability to diagnose and recover a degraded condition, given the loss of either annunciators or indicators. The CCDP results for Surry and Sequoyah for the two cases analyzed, loss of annunciators and loss of indications, were 9.02 x 10-11 and 7.78 x 10-9 and 1.88 x 10-9 and 6.26 x 10-9, respectively. The major CCDP difference in loss of annunciators between the two plants, almost two orders of magnitude, is driven by higher likelihood of ERCW screen plugging in Sequoyah. Alarms associated with high differential pressure and low flow that are caused by ERCW screen plugging, are the first signal to the operator to take remedial actions. Loss of annunciators is assumed to significantly affect the ability of the operator to diagnose the screen plugging in a timely manner. Furthermore, tripping of reactor coolant pumps (RCPs) during a loss of CCW or ERCW event is required to prevent potential LOCA due to RCP seal failures. Operators rely mainly on high-temperature alarms to diagnose the need for tripping RCPs. Therefore the loss of annunciators can hinder the operators ability to trip the RCPs, in case of loss of CCW or ERCW, which will increase the likelihood of seal LOCAs.

The above EAL scenarios clearly show the pronounced effect of the CCDP discrepancies due to plant-specific features in the low CCDP ranges (<1.0 x 10-6). Regulatory decisions should not be made solely on CCDP values, but should be substantiated by additional engineering evaluation.

28

The quantification of the CCDPs and the risk insights related to the EALs associated with this scenario are provided in Sections 5.2, 5.7 and 5.12 for Surry; and Sections 6.2, 6.7, and 6.12 for Sequoyah.

3.4 Risk Perspectives on Important Design Features in Operating Reactors Valuable lessons can be gained by examining past operational events, performing periodic self-assessments, and identifying major contributors to core damage frequency. As stated in a report to NRC Chairman entitled A Proposed Risk Management Regulatory Framework, The NRC should apply lessons learned from PRAs performed to date in its comprehensive review of the regulatory framework for spent fuel storage and transportation. [Ref. 19]

The PRAs have in the past identified major contributors to core damage frequencies. These insights from the PRAs are generally used in design enhancement of operating reactors, and the selection of design features for new reactors in order to reduce contribution to risk in a cost-effective manner. The insights and lessons learned from PRAs were significantly improved after the completion of NUREG-1150 and the performance of 75 Individual Plant Examinations (IPEs). These reports documented the risk importance of key features of various plants, which improved the NRCs capability to prioritize inspection activities and the use of PRA risk insights.

Comparison of lessons learned from severe accidents (e.g., TMI and Fukushima), as well as operational experience and IPE reports would provide insights for in developing regulatory requirements including the EAL classifications. These lessons have generally indicated that minor plant differences could play an important role in the calculated risk results (e.g., CCDP).

Developing a complete list of the risk insights to manage risks from all hazards (both internal and external hazards), and identifying accident management strategies from PRAs that are effective in controlling risk from severe accidents, is a significant undertaking and beyond the scope of this project.

However, even an informal compilation of lessons learned can improve the understanding of the differences among plants as related to risk-informed evaluation of EALs. Table 3-3 contains a preliminary list of EAL initiating events and the key plant-specific features that can reduce risk during the event. The unique design of these key features, in each plant, impacts the CCDP within an EAL scenario and creates plant-specific risk profiles.

Table 3-3. Key Plant Features for Reducing Risk Mitigation Challenge in Different EAL Key Features Scenarios Mitigation of LOOP

Redundancy in EDGs

Diversity of alternate AC source; e.g., availability of a hydro unit nearby

Shared redundancy: SBO DGs

Shared Redundancy: Electrical cross-connection with other unit 29

Mitigation Challenge in Different EAL Key Features Scenarios Mitigation of Total Loss

Longer battery duration of AC (SBO)

Ability to cool the core post battery depletion (e.g., manual operation of TDAFW post battery depletion)

Not to be susceptible to SBO induced LOCAs (e.g., RCP seal failure, or PORV stuck open)

Reliance on equipment that do not need AC for operation (diesel driven pumps, turbine driven pumps, passive systems)

Shared safety and support systems or ability to cross-connect

Ability to depressurize the core and maintain it depressurized Mitigation of total loss

Ability to cool the core without AC and DC (e.g., passive cooling, such as of AC/DC in-containtment refueling water storage tank (RWST), start and manual operation of TDAFW without DC)

Not susceptible to SBO induced LOCAs (e.g., RCP seal failure, or safety relief valve (SRV) stuck open)

Means for recovery from loss of DC by manual actions and use of in-house equipment (such as portable generators)

Ability to cross-connect to the other unit (electrical or other systems)

Ability to depressurize the core and maintain it depressurized (e.g., use of explosive squib valves in AP1000)

Mitigation of VSLOCA:

Diversity for long term injection supply (e.g., makeup to RWST diverse Very Small LOCAs in source from the sump for PWRs, make up to condensate storage tank excess of Tech Spec (CST) diverse source from the suppression pool for BWRs)

Limits

Redundancy and diversity in cool-down and primary depressurization (startup feed pump as a backup to AFW for PWRs and redundant DHR trains and diverse support systems for BWRs)

Diversity in support cooling systems (e.g. CCW, SW, and chilled water) to defend against CCFs

Reliability (redundancy and diversity) of the ultimate heat sink (e.g. SW system, and associated intake structure)

Mitigation of ATWS PWRs

High reliability of RPS including the digital I&C system

Reduction of the operating period with unfavorable Moderator Temperature Coefficient

Redundancy and high pressure relief capacity via PORVs and SRVs

Large capacity turbine bypass

Operator training and procedure for turbine trip, level control, and emergency boration

Increased redundancy and secondary cooling capabilities BWRs

High reliability of RPSboth signal and actuation of scram and auxiliary functions such as recirculation pump trip

Redundancy and high capacity depressurization system (e.g. SRVs)

Procedure and training for level control, inhibit automatic depressurization system (ADS), and initiate standby liquid control (SLC) 30

4. ANALYSIS AND IMPLICATIONS OF PEACH BOTTOM RESULTS All the EAL threshold conditions in this chapter are excerpted from the Peach Bottom Emergency Plan [Ref. 13].

4.1 MU1Loss of All Offsite Power to Essential Buses for Greater Than 15 Minutes EAL Threshold Condition:

Loss of power to 2 Emergency Auxiliary Transformer (OAX04) and 3 Emergency Auxiliary Transformer (OBX04) for > 15 minutes.

Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected, since the majority of LOOP events in the U.S. are grid related. The two emergency auxiliary transformers would be de-energized due to LOOP.

2. All DGs were assumed to start automatically due to the LOOP. No DGs were undergoing test or maintenance and there was no CCF

3. All batteries and battery chargers were assumed to be operable, since the DGs were able to charge the batteries and supply power to the battery chargers. There was no CCF of the batteries and battery chargers that could affect their functions.

4. All DG load sequencers were assumed to be operable in this scenario. Otherwise, the DGs would not be able to supply power to the safety-related load.

5. The duration of the LOOP in this scenario was greater than 15 minutes. However, the SPAR model does not contain a BE to account for the 15-minute loss. It was conservatively assumed that the recovery of offsite power was not possible within 30 minutes, since the BE representing a 30-minute loss was included in the SPAR model.

6. The failure probabilities of recovering offsite power in one hour, two hours and twelve hours were calculated based on the condition that there was no successful offsite power recovery in the first 30 minutes.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 2.25 x 10-6, which is within the result range of other NOUE EAL scenarios. Therefore, the analysis result does not support any modification to this EAL. If the plant can be shut down safely without any complication, the risk is very low.

There are two dominant core damage sequences for this EAL:

1. The first group of the core damage sequences involves failure of HPCI system followed by operator failure to depressurize. The operator could not use the low pressure coolant injection (LPCI) since the reactor is not depressurized. Core damage occurs relatively early since the core would be uncovered due to loss of makeup.

31

2. Failure of HPCI system followed by successful depressurization but failure of operator to control and maintain LPCI. It should be noted that the flow controls for both high pressure and low pressure injection systems are considered to be manual. Therefore, human errors associated with failure to control HPCI/LPCI flow are the dominant contributor.

The analysis results do not support any modification of the NOUE EALs associated with loss of all offsite AC power to emergency buses for 15 minutes or longer. Surry and Sequoyah have CCDPs, which are slightly higher than the presumed range.

4.2 MU6Unplanned Loss of Most or All Safety System Annunciator or Indication in the Control Room EAL Threshold Conditions:

1. Unplanned loss of most (approximately 75 percent) safety system (ECCS, containment isolation, reactor scram, process radiation monitoring) annunciators for > 15 minutes; OR

2. Unplanned loss of most (approximately 75 percent) indications associated with safety functions (reactivity control, RCS inventory, decay heat removal (DHR), fission product barrier (FPB)) for > 15 minutes.

Mapping of EAL Scenario to the SPAR ModelCase 1: Modeling Loss of Annunciators (Threshold Condition 1):

1. As the plant was assumed to be stable and in automatic operation at the start, no transient was expected. Therefore, no initiator was selected in the SPAR model.

2. The loss of annunciation would limit the ability of the operators to perform some of the manual actions, if necessary. The operator actions, which included performing the following functions, were represented in the SPAR model as BEs.

Aligning alternate air supply;

Starting or controlling feedwater injection;

Starting or controlling RCIC injection; Therefore, the HEPs for these BEs were adjusted in the model according to the SPAR-H NUREG guidance [Ref. 14]. The performance shaping factor (PSF) adjustments and the SPAR-H worksheet for this scenario are documented in Appendix E of this report.

3. A NOUE was assumed to be declared 15 minutes after the event started. Therefore, only the early recovery actions were modified, while the late recovery actions were assumed to have nominal HEPs.

32

Mapping of EAL Scenario to the SPAR ModelCase 2: Modeling Loss of Indicators (Threshold Condition 2):

1. (Same as Case 1)

2. The loss of indication would limit the ability of the operators to perform some of the manual actions, if necessary. The operator actions, which included performing the following functions, were represented in the SPAR model as BEs:

Depressurizing the reactor;

Starting or controlling HPC system;

Starting or controlling LPCI system;

Starting, controlling or maintaining MFW flow;

Starting or controlling RCIC injection.

Therefore, the HEPs for these BEs were adjusted in the model according to the SPAR-H NUREG guidance [Ref. 14]. The PSF adjustments and the SPAR H worksheet for this scenario are documented in Appendix E.

3. (Same as Case 1)

SPAR Model Results and their Implications:

The CCDPs of Case 1 and Case 2 calculated at 15 minutes are 6.74 x 10-11 and 7.99 x 10-9, respectively, which are below the result range of other NOUE EAL scenarios. These CCDPs are calculated at 15 minutes after the loss of annunciators (Case 1) or indicators (Case 2) occurs; the CCDPs would increase if the duration is longer. Figure 4-1 shows the CCDPs for both cases from 15 minutes to eight hours, accounting for the likelihood of all possible transients may occur during this period.

33

Peach Bottom MU6 1.E-06 1.E-07 1.E-08 CCDP 1.E-09 1.E-10 Loss of Annunciation Loss of Indication 1.E-11 0 1 2 3 4 5 6 7 8 Time (hrs)

Figure 4-1. CCDP of MU6 from 15 Minutes to Eight Hours The loss of annunciators modeled in Case 1 has less impact on the CCDP values than the loss of indication modeled in Case 2. Although the loss of annunciators seems to have lesser impact for Peach Bottom, there may be plant-specific features in other NPPs that require operators to rely more heavily on annunciators to respond. In those conditions, annunciators and indicators are equally important. Also, the CCDP would be increasingly higher if the condition lasts longer, and possibly meets the range of other NOUE EAL scenarios.

Although the duration of the degraded condition varies on a case by case basis, when the degraded condition lasts for less than eight hours, this EAL can be considered for elimination.

4.3 MU7Reactor Coolant System Leakage EAL Threshold Conditions:

1. Unidentified Primary System Leakage > 10 gallons per minute (gpm),

OR

2. Identified Primary System Leakage > 25 gpm.

Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, the RCS leakage was conservatively modeled as an SLOCA event, since SPAR models do not have any surrogate for events involving leak rates less than a SLOCA.

In SPAR models, the SLOCA initiator (IE-SLOCA) was defined as a coolant pipe break that can be mitigated with high pressure safety injection.

34

2. The thresholds conditions indicated that the Peach Bottom Technical Specifications (TS)

[Ref. 20] limit of a primary system leakage was exceeded. Therefore, the operator was required to shutdown the plant. The manual trip was assumed to be successful.

3. The leakage was considered to be very small; therefore, it could be compensated by the condensate or HPCI systems. However, the operator was required to refill the RWST.

Therefore, the nominal failure probability of operator action (1 x 10-3) from SPAR-H [Ref. 14]

was assigned to the operator action of refilling the RWST.

SPAR Model Results and their Implications:

The CCDP is within the expected result range of other NOUE EAL scenarios, with acceptable uncertainty. Therefore, the analysis result does not support any modification of this EAL.

There are two types of core damage sequences for this EAL; late and early core damage sequences. The late core damage sequences, which typically occur after 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months account for more than 90 percent of the core damage contribution. The early core damage sequences account for less than 10 percent of the overall core damage probability. These two categories of sequences are described below:

1. The late core damage sequences generally involve failure of suppression pool cooling residual heat removal (RHR) function for suppression pool cooling) after the occurrence of SLOCA. The heat up of the suppression pool would continue over the next 20 hours2.314815e-4 days 0.00556 hours 3.306878e-5 weeks 7.61e-6 months requiring containment venting. If containment venting is successful, the operator should align sources of late injection since the water in the suppression pool could not be used.

The high temperature and low pressure in the suppression pool water could cause cavitations in emergency pumps. Failure of either containment venting or aligning late injection would result in late core damage.

2. The early core damage sequences generally involve failure of HPCI followed by either failure of manual depressurization or low pressure injection. The probability for this sequence is mainly dominated by human errors and to a lesser extent by hardware failures.

4.4 HU7Release of Toxic or Flammable Gases Deemed Detrimental to Normal Operation of the Plant EAL Threshold Conditions:

1. Report or detection of toxic, asphyxiant or flammable gases that has or could affect normal plant operations.

OR

2. Report by Local, County or State Officials for evacuation or sheltering of site personnel based on offsite event.

Mapping of EAL Scenario to the SPAR Model:

1. Operators would need to wear protective gear, which might include respirators, gloves and protective clothing depending on the nature of the asphyxiant or flammable gas. This 35

impediment would make performing the manual actions at the affected site area take a longer time. The operator actions, which included performing the following functions, were represented in the SPAR model as BEs:

Aligning the power source to the Conowingo (CWG) river source inside the control room, in case if an SBO occurred during the presence of toxic gas, and the recovery actions from the control room had failed.

Recovery actions at the switchyard, if there were a LOOP during the presence of toxic gas.

2. It was conservatively assumed that the duration was eight hours in this scenario, although most toxic gas scenarios lasted for about two to six hours.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 2.05 x 10-9, which is lower than the result range of other NOUE EAL scenarios. There are no dominant contributors to the core damage sequences.

However, the plant-specific features that lead to a low CCDP in Peach Bottom were not observed in all of the three pilot plants. Also, Peach Bottom can credit CWG as one of its offsite power supplies.

Since the CCDP is low and the reportability of events associated with release of toxic, corrosive, asphyxiant or flammable gases is covered under 10 CFR 50.72 [Ref. 18], this EAL can be considered for elimination.

4.5 MA1AC Power Capability to Essential Buses Reduced to a Single Power Source for Greater than 15 Minutes Such that any Additional Single Failure Would Result in SBO EAL Threshold Conditions:

1. AC power capability to unit 4 kV Safeguards Buses reduced to only one of the following sources for > 15 minutes.

2 Emergency Auxiliary Transformer (OAXO4)

3 Emergency Auxiliary Transformer (OBX04)

DG E1

DG E2

DG E3

DG E4 AND

2. Any additional single power source failure will result in a unit blackout.

36

Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected, since the majority of LOOP events in the U.S. are grid related. The two emergency auxiliary transformers would be de-energized due to LOOP.

2. DG E1 was assumed to start automatically to provide a single power source to meet the second threshold condition. Since DG E1 started successfully, there should not be any test and maintenance being performed on DG E1. There was no CCF of the DGs that could affect the operation of DG E1.

3. DGs E2, E3 and E4 were assumed to be inoperable, since DG E1 was assumed to be the only power source available in this scenario.

4. The batteries were assumed to be operable, since DG E1 was able to charge the batteries.

There was no CCF of the batteries that could affect their functions.

5. The diesel load sequencer for DG E1 was assumed to be operable in this scenario.

Otherwise, DG E1 would not be able to supply power to the safety-related load.

6. The duration of the LOOP in this scenario was greater than 15 minutes. However, the SPAR model does not contain a BE to account for the 15-minute loss. It was conservatively assumed that the recovery of offsite power was not possible within 30 minutes, since the BE representing a 30-minute loss was included in the SPAR model.

7. The failure probabilities of recovering offsite power in one hour, two hours and twelve hours were calculated based on the condition that there was no successful offsite power recovery in the first 30 minutes.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 4.41 x 10-4, which is within the result range of other Alert EAL scenarios. There could be both early and late core damage sequences resulting from the condition imposed by this EAL:

1. The contribution from the early core damage sequences accounts for more than 90 percent of the overall core damage probability. In almost all cases the early core damage sequences would involve consequential SLOCA from the recirculation pump seal failures.

The occurrence of SLOCA following the conditions imposed by EAL and failure to recover additional AC sources within the first two hours would result in core damage. There are several different means available for the operator to restore an additional power source within two hours. These include aligning the Conowingo line, recovering an offsite power line, or restoring a failed DG.

2. The small contribution of the late core damage sequences involves scenarios where seal LOCA from failures of the recirculation pumps did not occur and operator was able to extend the operation of RCIC. However, the operator has to eventually recover an additional AC source to perform required actions during the late phases of accidents, such as refilling the CST when it was emptied. Failure of the operator to do so would result in late core damage.

37

In this study, the scenario was modeled in accordance with the EAL threshold conditions, i.e., only one DG is assumed to be available. However, according to the Peach Bottom FSAR

[Ref. 21], the two essential SW pumps are powered by the Unit 2 emergency buses, while the essential cooling water (ECW) pump, which supplies cooling to the ECW, is powered by a Unit 3 emergency bus. Therefore, the DG cooling of Peach Bottom requires DGs from both units, in order to avoid SBO conditions.

Although the CCDP is within the presumed range, the threshold conditions of the Alert EALs associated with LOOP, while one power source is still available to keep the plant from SBO, require clarification. The definition of a single source for the plant to handle SBO conditions needs to be clarified, particularly for multiple-unit sites with shared electrical systems.

4.6 MA3Failure of Reactor Protection System Instrumentation to Complete or Initiate an Automatic Reactor Scram Once a Reactor Protection System Setpoint Has Been Exceeded EAL Threshold Conditions:

1. A Reactor Protection System (RPS) setpoint was exceeded.

AND

2. Automatic SCRAM did not reduce Reactor Power to subcritical with power below the Heating Range (1.00E + 0%).

Mapping of EAL Scenario to the SPAR ModelCase 1: Modeling a Transient with Reactor Pressure Spike:

1. In this scenario, a transient was in progress, but the automatic scram system failed. Before the operator has a chance to scram the reactor, the reactor pressure increased. This pressure increase was sufficient to cause the SRVs to open. After the primary pressure returned to normal, at least one of the SRVs remained stuck open. Therefore, the initiator for an inadvertent open relief valve (IE-IORV) was selected in the SPAR model.

2. The electrical scram system and the ARI system were assumed to have failed.

3. The operator was assumed to have tripped the reactor successfully.

Mapping of EAL Scenario to the SPAR ModelCase 2: Modeling a Transient without Reactor Pressure Spike:

1. In this scenario, it was assumed that the operator was able to scram the reactor before the reactor pressure spiked and the SRVs opened. Therefore, the initiator for general transients (IE-TRANS) was selected in the SPAR model.

2. The electrical scram system and the ARI system were assumed to have failed.

3. The operator was assumed to have tripped the reactor successfully.

38

SPAR Model Results and their Implications:

The CCDPs of Case 1 and Case 2 of this EAL scenario are 4.43 x 10-6 and 5.59 x 10-8, respectively. Case 1 is considered the upper bound for this EAL, while Case 2 is considered the lower bound for this EAL. The CCDPs of both cases are below the result range of other Alert EAL scenarios. A timely and effective manual scram would alleviate the adverse impact of the failure of auto scram. Under the worst condition, a reactivity transient would result in a stuck open SRV where the resulting CCDP should be higher. However, Peach Bottom, by design, has several redundant systems capable of mitigating LOCAs including those caused by stuck open SRVs and has a lower CCDP. Other plants may not have the same features and would have higher CCDPs as a result of a reactivity transient.

This EAL can be considered for downgrading to NOUE for all plant transients that are not considered as reactivity transients. However, in PWRs, the Alert classification is appropriate for reactivity transients, such as plant overcooling transients. Unless it can be determined that reactivity transients are covered by other EALs, it may not be appropriate to modify this EAL.

4.7 MA6Unplanned Loss of Most or All Safety System Annunciation or Indication in Control Room with Either (1) a Significant Transient in Progress, or (2) Compensatory Non-Alarming Indicators are Unavailable EAL Threshold Conditions:

1. a. Unplanned loss of most (approximately 75 percent) safety system annunciators, (ECCS, containment isolation, reactor scram, process radiation monitoring) for

> 15 minutes.

OR

b. Unplanned loss of most (approximately 75 percent) indications associated with safety functions (Reactivity Control, RCS Inventory, DHR, FPB) for > 15 minutes.

AND

2. a. SIGNIFICANT TRANSIENT in progress (turbine trip, reactor scram, ECCS actuation, runback > 25 percent power change, thermal power oscillations > 10 percent).

OR

b. COMPENSATORY NON-ALARMING INDICATIONS (computer points) are unavailable.

Mapping of EAL Scenario to the SPAR ModelCase 1: Modeling Loss of Annunciators (Threshold Conditions 1. a. and 2.) with Loss of Condenser Heat Sink:

1. The LOCHS initiator (IE-LOCHS) was selected to model the significant transient in progress.

2. The operator was assumed to have scrammed the reactor successfully.

39

3. The loss of annunciation would limit the ability of the operators to perform some of the manual actions, if necessary. These operator actions involved performing the following functions were represented in the SPAR model as BEs.

Aligning alternate air supply;

Starting or controlling feedwater injection;

Starting or controlling RCIC injection; Therefore, the HEPs of these BEs were adjusted in the model according to the SPAR-H NUREG guidance [Ref. 14]. The performance shaping factor (PSF) adjustments and the SPAR-H worksheet for this scenario are documented in Appendix E.

4. The dependencies among different operators actions were examined and the affected HEPs were calculated based on the SPAR-H NUREG guidance [Ref. 14].

5. An Alert was assumed to be declared 15 minutes after the event started. Therefore, only the early recovery actions were modified, while the late recovery actions were assumed to have nominal HEPs..

Mapping of EAL Scenario to the SPAR ModelCase 2: Modeling Loss of Indicators (Threshold Condition 1. b. and 2.) with Loss of Condenser Heat Sink:

1. The LOCHS initiator (IE-LOCHS) was selected to model the significant transient in progress.

2. The operator was assumed to have scrammed the reactor successfully.

3. The loss of indication would limit the ability of the operators to perform some of the manual actions, if necessary. These operator actions involved performing the following functions, were represented in the SPAR model as BEs:

Depressurizing the reactor;

Starting or controlling HPC system;

Starting or controlling LPCI system;

Starting, controlling or maintaining MFW flow;

Starting or controlling RCIC injection.

Therefore, the HEPs of these BEs were adjusted in the model according to the SPAR-H NUREG guidance [Ref. 14]. The performance shaping factor (PSF) adjustments and the SPAR H worksheet for this scenario are documented in Appendix E.

4. The dependencies among different operators actions were examined and the affected HEPs were calculated based on the SPAR-H NUREG guidance [Ref. 14].

5. (Same as Case 1.)

40

Mapping of EAL Scenario to the SPAR ModelCase 3: Modeling Loss of Annunciators (Threshold Condition 1.a.) with Loss of Main Feedwater:

1. The LOMFW initiator (IE-LOMFW) was selected to model the significant transient in progress.

2. to 5. (Same as Case 1)

Mapping of EAL Scenario to the SPAR ModelCase 4: Modeling Loss of Indicators (Threshold Condition 1.b.) with Loss of Main Feedwater:

1. The LOMFW initiator (IE-LOMFW) was selected to model the significant transient in progress.

2. to 5. (Same as Case 2)

Mapping of EAL Scenario to the SPAR ModelCase 5: Modeling Loss of Annunciators (Threshold Condition 1.a.) with General Transient:

1. The general transient initiator (IE-TRANS) was selected to model the significant transient in progress.

2. to 5. (Same as Case 1)

Mapping of EAL Scenario to the SPAR ModelCase 6: Modeling Loss of Indicators (Threshold Condition 1.b.) with General Transient:

1. The general transient initiator (IE-TRANS) was selected to model the significant transient in progress.

2. to 5. (Same as Case 2)

SPAR Model Results and their Implications:

The CCDPs for Cases 1 to 6 of this EAL scenario are 2.55 x 10-6, 5.87 x 10-4, 2.45 x 10-6, 5.87 x 10-4, 6.14 x 10-8 and 2.58 x 10-5, respectively. The CCDPs of Cases 1, 3 and 5 are below the result range of other Alert EAL scenarios, while the CCDPs of Cases 2, 4 and 6 are within the result range of other Alert EAL scenarios. In Cases 1, 3 and 5, the loss of annunciators is expected to result in a minimal impact in the control room operator's ability to recover from a transient, as long as the associated control room indicators remain operable. There are three different transients modeledLOMFW in Cases 1 and 2; LOCHS in Cases 3 and 4; general transient in Cases 5 and 6. The resulting CCDPs were the similar for these initiators, since the operators are expected to perform similar recovery actions.

The dominant minimal cutsets for Cases 1, 3 and 5 were the same as those that were generated by the base SPAR models for the three initiators. The dominant contributors for Cases 2, 4 and 6 were mainly driven by the operator failures in establishing and controlling sources of injections. The major operator failures identified in the dominant minimal cutsets were failure to control the HPCI flow from HPCI/RCIC, and the subsequent failures to depressurize the reactor or to control the Low pressure injection flow.

41

The Alert EALs associated with of loss of annunciators can be considered for being downgraded to NOUE from Alert. However, the analysis results do not support any modification of the Alert EALs associated with of loss of indicators.

4.8 HA7Release of Toxic or Flammable Gases within or Contiguous to a Vital Area, Which Jeopardizes Operation of Systems Required to Maintain Safe Operations or Establish or Maintain Safe Shutdown EAL Threshold Conditions:

1. Report or detection of toxic or asphyxiant gases within the following, or area that restricts access to the following in concentrations that result in an atmosphere immediately dangerous to life and health.

Reactor Building

Control Room

DG Building

Emergency Pump Structure

Inner Screen Structure

Emergency Cooling Tower

Emergency Switchgear/Battery Rooms

Cable Spread Room OR

2. Report or detection of flammable gases within the above area or area that restricts access to above area in concentration greater than the lower explosive limit (LEL).

Mapping of EAL Scenario to the SPAR ModelCase 1: Modeling the Presence of Toxic Gas in the DG Room:

1. The loss of the DG was assumed, since either the operator blocks the start of the affected DG in fear of potential explosion due to flammable gases or the DG may trip due to high room temperature. The high room temperature that could trip DG is expected shortly after DG start, since HVAC is isolated.

2. It was conservatively assumed that the duration was eight hours in this scenario, although most toxic gas scenarios lasted for about two to six hours.

3. The loss of the 4 kV bus E12 is a special initiator for Peach Bottom. The likelihood of this initiating event is expected to increase if DG-A is not available. The SPAR model for Peach Bottom does not model the support system initiators through fault trees. Therefore, to account for this impact the initiator frequency for bus E12 was raised by a factor of ten.

4. The probabilities for DG recovery in one hour and four hour were reduced to account for the lost DG that cannot be recovered in eight hours.

42

Mapping of EAL Scenario to the SPAR ModelCase 2: Modeling the Presence of Toxic Gas in the Switchgear Room:

1. It was assumed that the toxic gas did not dissipate in eight hours. During this time period it is not possible to manually operate breakers in the switch gear room (e.g., for aligning DGs).

Therefore, the operator cannot recover any DG failure in eight hours.

2. It was conservatively assumed that the duration was eight hours in this scenario, although most toxic gas scenarios lasted for about two to six hours.

3. It was also assumed that the recovery of a LOOP due to a plant-center or a switchyard incident was unsuccessful in the first eight hours.

Mapping of EAL Scenario to the SPAR ModelCase 3: Sensitivity Analysis:

1. This case served as a sensitivity analysis to study the effect of all the failures of all possible local operator actions. It was conservatively assumed that the operators cannot perform any local actions at all the affected areas with the presence of toxic gas.

2. It was assumed that the toxic gas did not dissipate in eight hours. Therefore, the operator cannot recover any DG failure in eight hours.

3. It was conservatively assumed that the duration was eight hours in this scenario, although most toxic gas scenarios lasted for about two to six hours.

4. It was also assumed that the recovery of a LOOP due to a plant-center or a switchyard incident was unsuccessful in the first eight hours.

SPAR Model Results and their Implications:

The CCDPs of Cases 1, 2 and 3 are 1.11 x 10-8, 2.03 x 10-9 and 2.10 x 10-9, respectively, which are all below the result range of other Alert EAL scenarios. The dominant cutsets for Case 1 are driven by the increased likelihood of the loss of the emergency bus fed by the affected EDG.

This failure combined with the failure of DC Division IV or failure of the other emergency AC bus resulted in a prolonged SBO condition, which eventually led to core damage. The dominant cutsets for Case 2 also result from the increased likelihood of SBO events, but are mainly driven by the lower probability of restoring the offsite power due to inaccessibility of switchgear room.

The dominant minimal cutsets for Case 3 were similar to those of Case 2 since the most important affected human errors dealt with recovery of offsite power.

43

In light of the low CCDPs for all three cases, the EC of this EAL may be considered for downgrading to NOUE or be eliminated, if it is caused by a spurious actuation of a fire suppression system. For all other toxic and flammable gases, there could be a possibility of fire or explosion, which is not included in the analyses. However, fire explosions are already covered as a part of other EALs.

4.9 MS1Loss of All Offsite and all Onsite AC Power to Essential Buses EAL Threshold Conditions:

1. Loss of power to 2 Emergency Auxiliary Transformer (OAX04) and 3 Emergency Auxiliary Transformer (OBX04).

AND

2. Failure of EDGs E1, E2, E3 and E4 to supply power to unit 4 kV Safeguards Buses.

AND

3. Failure to restore power to at least one unit 4 kV Safeguards Bus within 15 minutes from the time of loss of both offsite and onsite AC power.

Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected, since the majority of LOOP events in the U.S. are grid related. The two emergency auxiliary transformers would be de-energized due to LOOP.

2. When LOOP occurred, all DGs were assumed to be inoperable to model the SBO condition.

3. The duration of the LOOP in this scenario was greater than 15 minutes. However, the SPAR model does not contain a BE to account for the 15-minute loss. It was conservatively assumed that the recovery of offsite power was not possible within 30 minutes, since the BE representing a 30-minute loss was included in the SPAR model.

4. The failure probabilities of recovering one of the DGs or offsite power in one hour, two hours and twelve hours were calculated based on the condition that there was no successful recovery of any of the DGs or offsite power during the first 30 minutes.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 4.81 x 10-4, which is below the result range of other SAE EAL scenarios. The EAL is interpreted as a loss of all onsite emergency DGs simultaneous with LOOP lasting more than 15 minutes. However, the Conowingo River offsite power supply is assumed to be energized and can be aligned after 15 minutes. Therefore, in the first 15 minutes, the EAL condition is met, although the Conowingo River offsite power supply is available. However, if the Conowingo River offsite power supply is aligned in less than 15 minutes, this EAL will not be activated. An optimistic assumption present in the SPAR model credits the Conowingo river offsite power source with a reliability of more than 99.7 percent.

This high reliability assigned to the Conowingo River offsite power supply availability and alignment is a major factor that contributes to a lower risk significance value being estimated.

44

Although most of the dominant sequences involved SBO sequences, less than 20 percent of the total CCDP contribution resulted from SLOCA sequences caused by loss of recirculation pump seals and failures of to provide the required injection (coolant makeup).

Considering the assumptions in interpreting and mapping the EAL conditions, as well as the optimistic assumptions within SPAR models, the analysis result does not support any modification of this EAL.

4.10 MS4Loss of All Vital DC Power EAL Threshold Condition:

Loss of All Vital DC Power based on < 107.5 VDC on 125 VDC battery buses 2(3)0D021, 2(3)0D022, 2(3)0D023, and 2(3)0D024 for > 15 minutes.

Mapping of EAL Scenario to the SPAR Model:

1. Loss of all vital DC is assumed to cause losses of RCIC and HPCI (closure of steam admission valves), cause loss of MFW and isolation of main steam lines, and loss of the breaker control power for all 4160 and 480 VAC breakers. Therefore, the LOMFW initiator (IE-LOMFW) was selected.

2. All the vital DC buses were assumed to have failed.

3. The main steam isolation valves were assumed to be closed to mimic the failure of the main steam system.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is between 0.1 and 1, which is higher than the result range of other SAE EAL scenarios. Under prolonged condition of loss of DC with no recovery actions, core damage is expected in about an hour due to repeated cycling of SRVs and no inventory makeup. However, in loss of all DC, manual local operation of breakers can be credited as recovery actions to buy time and compensate for loss of control power. The operator could also initiate or recover the RCIC or HPCI by local manual opening of the steam admission valves.

Additional local manual actions required for flow control of RCIC and HPCI can also be performed. Availability of AC power would facilitate the success of these local manual actions by providing sufficient lighting and ease of access. However, none of these recovery actions are currently credited in SPAR models. Therefore, the CCDP lines between a value of 0.1 and 1 to include credits for the recovery actions that can be performed outside the control room.

The SPAR model does not credit all possible local manual actions for this scenario. In addition, some of the events causing loss of DC can be recovered, but some cannot. In this analysis, it was conservatively assumed that DG cannot be recovered. However, even with recovery possibility, prolonged loss of DC would result in core damage. This EAL can be considered for upgrading to GE. Perhaps a two step time frame (e.g., 15 minutes to 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months sSAE; greater than two hoursGE) may be considered.

45

4.11 MS3Failure of Reactor Protection System Instrumentation to Complete or Initiate an Automatic Reactor Scram Once a Reactor Protection System Setpoint Has Been Exceeded and Manual Scram Was Not Successful EAL Threshold Conditions:

1. Automatic scram, Manual scram and ARI were not successful from the Reactor Console as indicated by EITHER:

a. Reactor Power remains > 4 percent.

OR

b. Torus temperature> 110°Fahrenheit (F) AND boron injection required for reactivity control.

Mapping of EAL Scenario to the SPAR ModelCase 1: Modeling a Transient with IORV:

1. In this scenario, a transient was in progress, but the automatic scram system failed. It was assumed that the transient was caused by IORV. Therefore, the initiator for IORV event (IE-IORV) was selected in the SPAR model.

2. The electrical scram system and the ARI system were assumed to have failed.

3. The operator was assumed to have failed to scram the reactor.

Mapping of EAL Scenario to the SPAR ModelCase 2: Modeling a General Transient:

1. In this scenario, a transient was in progress, but the automatic scram system failed. It was assumed that a general transient has occurred. Therefore, the initiator for general transient (IE-TRANS) was selected in the SPAR model.

2. to 3. (Same as Case 1)

SPAR Model Results and their Implications:

The CCDPs for Case 1 and Case 2 of this EAL scenario are 9.86 x 10-3 and 8.30 x 10-3, respectively. The results of both cases are within the result range of other SAE EAL scenarios.

For both cases, the dominant minimal cutsets were driven by a single failure. The examples of single failure were; tripping of the recirculation pumps, inhibiting the ADS, or failing to inject and control SLC system. These are standard actions or system operations that are required during anticipated transients without scram (ATWS) scenarios. The small numerical difference between the two cases resulted from the longer term needs for coolant injection during IORV scenario versus transients.

46

4.12 MS5Complete Loss of Heat Removal Capability EAL Threshold Conditions:

1. Heat Capacity Temperature Limit (T-1 02 Curve T/T-1) exceeded.

Mapping of EAL Scenario to the SPAR Model:

1. The LOCHS initiator (IE-LOCHS) was selected in the SPAR model to mimic the occurrence of LOCHS.

2. The CST was assumed to have failed to eliminate all possibility of recovering cooling supply provided by the condensate system.

3. All of the RHR motor-driven pumps were assumed to have failed, to model the total loss of RHR capability and the low pressure injection capability.

4. All the suppression pool motor-operated valves in the injection path were assumed to have closed, so that there would be no suppression pool cooling available.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 5.09 x 10-3, which is within the result range of other SAE EAL scenarios. Under the conditions imposed by this EAL, the only means of protecting the core and preventing core damage is to inject make up to the vessel from a source outside the containment. The dominant cutsets, therefore, reflect the failure to align, establish, and control low pressure make up flow from a source located outside the containment that does not rely on the suppression pool for water supply. The dominant minimal cutsets involve failures of any of the two high pressure service water (HPSW)/RHR cross-tie valves or the associated operator actions including depressurizing the reactor in preparation of low pressure makeup/injection from sources outside the containment.

4.13 MS6Inability to Monitor a Significant Transient in Progress EAL Threshold Conditions:

1. Loss of most (approximately 75 percent) safety system annunciators (ECCS, containment isolation, reactor scram, process radiation monitoring) for > 15 minutes.

AND

2. Indications needed to monitor safety functions (Reactivity Control, RCS Inventory, DHR, FPB) are unavailable.

AND

3. SIGNIFICANT TRANSIENT in progress (turbine trip, reactor scram, ECCS actuation, runback > 25 percent power change, thermal power oscillations > 10 percent).

47

AND

4. COMPENSATORY NON-ALARMING INDICATIONS (computer points) are unavailable.

Mapping of EAL Scenario to the SPAR ModelCase 1: Loss of Condenser Heat Sink:

1. The LOCHS initiator (IE-LOCHS) was selected to model the significant transient in progress.

2. The loss of annunciation and indication would severely affect the ability of the operators to perform some of the manual actions, if necessary. The affected operator actions represented in the SPAR model were:

Aligning alternate air supply;

Starting or controlling feedwater injection;

Starting, controlling or maintaining MFW flow;

Depressurizing the reactor;

Starting or controlling RCIC injection;

Starting or controlling HPC system;

Starting or controlling LPCI system; Therefore, the HEPs of these BEs were set to TRUE (failure probability = 1) in the model according to the SPAR-H NUREG guidance [Ref. 14].

3. The loss of both annunciation and indication was assumed to have an insignificant impact on late recovery actions. Therefore, all late recovery actions were assumed to have nominal HEPs.

Mapping of EAL Scenario to the SPAR ModelCase 2: Loss of Main Feedwater:

1. The LOMFW initiator (IE-LOMFW) was selected to model the significant transient in progress.

2. to 4. (Same as Case 1)

Mapping of EAL Scenario to the SPAR ModelCase 3: General Transient:

1. The general transient initiator (IE-TRANS) was selected to model the significant transient in progress.

2. to 4. (Same as Case 1)

SPAR Model Results and their Implications:

The CCDPs for Cases 1, 2 and 3 of this EAL scenario are computed to be 1.0. However, the SPAR model does not credit the operator actions to shutdown the reactor from a remote shutdown panel. Therefore, there is only one dominant sequence for this case, which is the failure to safely shutdown the reactor from outside the control room. The probability of failure to shutdown the reactor from a remote location is judged to be 8.00 x 10-2, based on the previous 48

fire PRA studies in most NPP IPE Reports. This estimate is within the result range of other SAE scenarios. The analysis result does not support any modification of this EAL.

4.14 MG1Prolonged Loss of All Offsite Power and Prolonged Loss of All Onsite AC Power EAL Threshold Conditions:

1. Loss of power to 2 Emergency Auxiliary Transformer (OAX04) and 3 Emergency Auxiliary Transformer (OBX04).

AND

2. Failure of EDGs E1, E2, E3 and E4 to supply power to unit 4 kV Safeguards Buses.

AND

3. a. Restoration of at least one unit 4 kV Safeguards Bus within two hours is not likely.

OR

b. Reactor pressure vessel (RPV) level cannot be determined to be > -172 inches.

Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected, since the majority of LOOP events in the U.S. are grid related. The two emergency auxiliary transformers would be de-energized due to LOOP.

2. When LOOP occurred, all DGs were assumed to be inoperable to model the SBO condition.

3. Since the duration of SBO in this scenario was greater than two hours, it was assumed that the recovery of any of the DGs or offsite power were not possible within two hours. The failure probabilities of recovering one of the DGs or offsite power in twelve hours were calculated based on the condition that there was no successful recovery of any of the DGs or offsite power during the first two hours.

4. RPV level condition could not be modeled, since the model does not contain events that are related to the RPV level.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 2.36 x 10-1, which is within the result range of other GE EAL scenarios. The operation of HPCI and RCIC is initially supported by DC. However, the extended operation of RCIC including make up to CST during SBO requires operator action.

The dominant contributors identified were the either failure of recirculation pump seals or failure of the operator to extend the RCIC operation.

49

4.15 MG3Failure of the Reactor Protection System to Complete an Automatic Scram and Manual Scram was NOT Successful and There is Indication of an Extreme Challenge to the Ability to Cool the Core EAL Threshold Conditions:

1. Automatic scram, Manual scram and ARI were not successful from Reactor Console as indicated by EITHER:

a. Reactor Power remains > 4 percent.

OR

b. Torus temperature > 110°F AND boron injection required for reactivity control.

AND

2. a. RPV level cannot be restored and maintained > -195 inches.

OR

b. Heat Capacity Temperature Limit (T-102 Curve T/T-1) exceeded.

Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, a transient was in demand, but both the automatic and manual scram failed.

The reactor pressure and temperature would increase and lead to an LOMFW event.

Therefore, the initiator for LOMFW (IE-LOMFW) was selected in the SPAR model.

2. The electrical scram system and the ARI system were assumed to have failed.

3. The operator was assumed to have failed to scram the reactor.

4. The SRVs were assumed to have failed to open to model the degenerating heat removal capability in the reactor.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 1.0, which is within the result range of other GE EAL scenarios. The EAL scenario would directly result in core damage since the ATWS conditions specified by the EAL are such that the core damage could not be prevented. There is no minimal cutset for this case run.

50

5. ANALYSIS AND IMPLICATIONS OF SURRY RESULTS All the EAL threshold conditions in this chapter are excerpted from the Surry Emergency Plan

[Ref. 22].

5.1 SU1.1Loss of All Offsite Power to Essential Buses for Greater Than 15 Minutes EAL Threshold Condition:

Loss of all offsite AC power to the 4160V emergency buses H and J for > 15 minutes.

Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected, since the majority of LOOP events in the U.S. are grid related. The emergency buses H and J would be de-energized due to LOOP.

2. DG1, which is the dedicated DG and DG3 (which is a swing DG aligned to Unit 1), were assumed to start automatically due to the initiation of LOOP. DG1 and DG3 were not undergoing test or maintenance and there was no CCF.

3. All batteries were assumed to be operable, since the DGs were able to charge the batteries.

There was no CCF of the batteries that could affect their functions.

4. The batteries would not be depleted as long as an AC power source is available, as they would be recharged by this source. In an SBO sequence, the battery depletion depends on the likelihood of recovering a source of AC power. The probability of battery depletion at the fourth hour was set to the product of the non-recovery probability of offsite power in four hours (1.537 x 10-1) and the non-recovery probability of a DG in four hours (5.568 x 10-1).

Therefore, the battery depletion probability at the fourth hour was calculated to be 8.56 x 10-2.

5. All DG load sequencers were assumed to be operable in this scenario. Otherwise, the DGs would not be able to supply power to the safety-related load.

6. Since the duration of LOOP in this scenario was greater than 15 minutes, it was conservatively assumed that the recovery of offsite power was not possible within 30 minutes. The failure probabilities of recovering offsite power in one hour, two hours, three hours, four hours, six hours and eight hours were calculated based on the condition that there was no successful offsite power recovery in the first 30 minutes.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 1.18 x 10-5, which is slightly higher than the result range of other NOUE EAL scenarios. The CCDP difference is not large in comparison with the precision of the result range of other NOUE EAL scenarios. Therefore, the analysis result does not support any modification to this EAL. If the plant can be shut down safely without any complication, the risk is very low.

51

There are two types of dominant core damage scenarios for this EAL; late and early core damage scenarios:

1. The late core damage scenarios involved loss of secondary cooling due to failure of the AFW after CST was depleted. In these scenarios CST makeup or cross-connect to the AFW of the other unit had been failed due to various human errors. This failure was then followed by operator failure to perform feed and bleed function.

2. The early core damage scenarios typically resulted from the initiating condition progressing to a prolonged SBO scenario, with a SLOCA caused by RCP seal failure.

5.2 SU4.1Unplanned Loss of Most or All Safety System Annunciator or Indication in the Control Room EAL Threshold Conditions:

1. Unplanned loss of most (approximately 75 percent) or all of EITHER:

a. Annunciators (Panels "A" thru "K")

OR

b. Indicators associated with safety-related structures, systems, and components (SSCs) on the unit main control room (MCR) Bench Boards 1 and 2 and Vertical Boards 1 and 2 for > 15 minutes.

Mapping of EAL Scenario to the SPAR ModelCase 1: Modeling Loss of Annunciators (Threshold Condition 1.a.):

1. As the plant was assumed to be stable and in automatic operation at the start, no transient was expected. There was no transient expected. Therefore, no initiator was selected in the SPAR model.

2. The loss of annunciation would limit the ability of the operators to perform some of the manual actions, if necessary. The operator actions, which included performing the following functions, were represented in the SPAR model as BEs.

Aligning alternate train of the CCW heat exchanger;

Diagnosing interfacing systems LOCA;

Diagnosing and isolating ruptured SGs;

Tripping the RCPs;

Closing the pressurizer power operated relief valve (PORV) block valves;

Recovering SW to CCW heat exchangers;

Starting the backup SW pump.

Therefore, the HEPs of these BEs were adjusted in the model according to the SPAR-H NUREG guidance [Ref. 14]. The PSF adjustments and the SPAR-H worksheet for this scenario are documented in Appendix E of this report.

52

3. A NOUE was assumed to be declared 15 minutes after the event started. Therefore, only the early recovery actions were modified, while the late recovery actions were assumed to have nominal HEPs.

Mapping of EAL Scenario to the SPAR ModelCase 2: Modeling Loss of Indicators (Threshold Condition 1.b.):

1. (Same as Case 1)

2. The loss of indication would limit the ability of the operators to perform some of the manual actions, if necessary. These operator actions involved performing the following functions, were represented in the SPAR model as BEs.

Performing AFW cross-tie between the units;

Aligning alternate train of the CCW heat exchanger;

Maintaining hotwell level;

Restoring chilled water for room cooling;

Aligning Unit 1 HPI suction to Unit 2 RWST;

Establishing alternate HPI;

Initiating feed and bleed;

Aligning the backup HPI MDP 1C;

Throttling HPI flow;

Diagnosing interfacing systems LOCA;

Diagnosing and isolating ruptured SGs;

Tripping the RCPs;

Closing the pressurizer PORV block valves;

Recovering SW to CCW heat exchangers;

Starting the backup SW pump.

Therefore, the HEPs of these BEs were adjusted in the model according to the SPAR-H NUREG guidance [Ref. 14]. The PSF adjustments and the SPAR-H worksheet for this scenario are documented in Appendix E of this report.

3. (Same as Case 1)

SPAR Model Results and their Implications:

The CCDPs of Case 1 and Case 2 are 9.02 x 10-11 and 1.88 x 10-9, respectively, which are below the result range of other NOUE EAL scenarios. These CCDPs are calculated at 15 minutes after the loss of annunciators (Case 1) or indicators (Case 2) occurs; the CCDPs would increase if the duration is longer. Figure 5-1 shows the CCDPs for both cases from 15 minutes to eight hours, assuming that no transients have occurred during that period.

53

Surry SU4.1 1.E-06 1.E-07 1.E-08 CCDP 1.E-09 1.E-10 Loss of Annunciation Loss of Indication 1.E-11 0 1 2 3 4 5 6 7 8 Time (hrs)

Figure 5-1. CCDP of SU4.1 from 15 Minutes to Eight Hours The loss of annunciators modeled in Case 1 has less impact on the CCDP values than the loss of indication modeled in Case 2. Although the loss of annunciators seems to have lesser impact for Surry, there may be plant-specific features in other NPPs that require operators to rely more heavily on annunciators to respond. In those conditions, annunciators and indicators are equally important. Also, the CCDP could be higher if the condition lasts longer.

Although the duration of the degraded condition varies on a case by case basis, when the degraded condition lasts for less than eight hours, this EAL can be considered for elimination.

5.3 SU6.1Reactor Coolant System Leakage EAL Threshold Conditions:

1. Unidentified or pressure boundary leakage > 10 gpm.

OR

2. Identified leakage > 25 gpm.

Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, the RCS leakage was conservatively modeled as an SLOCA event, since SPAR models do not have any surrogate for events involving leak rates less than a SLOCA.

In SPAR models, the SLOCA initiator (IE-SLOCA) was defined as a primary break that can be mitigated with high-pressure safety injection.

54

2. The threshold conditions indicated that the Surry Technical Specifications (TS) limit(s) of a primary system leakage was/were exceeded [Ref. 23]. Therefore, the operator was required to shutdown the plant. The manual trip was assumed to be successful.

3. The leakage was very small and could be compensated by the high pressure recirculation (HPR) system.

4. It was assumed that no human errors had occurred prior to this event, during the calibration, test and maintenance processes.

5. All batteries were assumed to be operable in this scenario.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 4.05 x 10-5, which is higher than the result range of other NOUE EAL scenarios. This EAL condition is modeled by an SLOCA initiator within SPAR models. SLOCAs are leaks in the RCS pressure boundary into the containment with nominal leak rates that are equivalent to those which would be produced by ideal break sizes from about 1/2 inch to 2 inches in diameter. Such LOCAs are in excess of normal charging capacity

(~80 gpm at nominal reactor operating pressure). Simulating this EAL condition with a SLOCA is, therefore, considered conservative. For RCS leakage of the magnitudes quoted by this EAL condition, the operator will perform a normal reactor shutdown to meet the plants TS. Reactor scram due to SLOCA is by far more severe than the stated EAL condition. The assumption of SLOCA has resulted in a higher CCDP than expected. This EAL can be best described by a range of CCDPs from ~ 1.3 x 10-7 to ~ 3.6 x 10-5; with the lower bound being a manual scram and the upper bound being a SLOCA initiator.

Considering the current conservative interpretation and mapping of this EAL to the PRA domain, the analysis result does not support any modification of this EAL.

5.4 HU3.1Report of Detection of Toxic, Corrosive, Asphyxiant or Flammable Gases That Have or Could Enter the Owner Controlled Area in Amounts that Can Affect Normal Plant Operations EAL Threshold Condition:

Report or detection of toxic, corrosive, asphyxiant or flammable gases that have or could enter the Owner Controlled Area in amounts that can affect normal plant operations Mapping of EAL Scenario to the SPAR Model:

1. Operators would need to wear protective gear, which might include respirators, gloves and protective clothing. This would take longer time to performing the manual actions at the affect site area. The operator actions, which included performing the following functions, were represented in the SPAR model as BEs:

Performing actions related to SW makeup or isolation.

Recovery actions at the switchyard, if there were a LOOP during the presence of toxic gas.

55

2. It was conservatively assumed that the duration was eight hours in this scenario, although most toxic gas scenarios lasted for about two to six hours.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 3.64 x 10-9, which is lower than the result range of other NOUE EAL scenarios. There are no dominant contributors to the core damage sequences.

However, the plant-specific features that led to a low CCDP in Surry were not observed in all of the three pilot plants.

Since the CCDP is low and the reportability of events associated with release of toxic, corrosive, asphyxiant or flammable gases is covered under 10 CFR 50.72 [Ref. 18], this EAL can be considered for elimination.

5.5 SA1.1AC Power Capability to Emergency Buses Reduced to a Single Power Source for 15 Minutes or Longer Such that any Additional Single Failure Would Result in SBO EAL Threshold Conditions:

1. AC power capability to Unit ( ) 4160V emergency buses H and J reduced to a single power source for > 15 minutes.

AND

2. Any additional single failure would result in loss of all AC power to the emergency buses.

Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected, since the majority of LOOP events in the U.S. are grid related. The two emergency auxiliary transformers would be de-energized due to LOOP.

2. DG1 was assumed to start automatically to provide a single power source to meet the second threshold condition. Since DG1 started successfully, there should not be any test and maintenance being performed on DG1. There was no CCF of the DGs that could affect the operation of DG1 either.

3. DG3 and the SBO DG were both assumed to be inoperable, since DG1 was assumed to be the only power source available in this scenario.

4. The batteries were assumed to be operable, since DG1 was able to charge the batteries.

There was no CCF of the batteries that could affect their functions.

5. The DG load sequencers for DG1 and DG3 were assumed to be operable in this scenario.

Otherwise, DG1 and DG3 would not be able to supply power to the safety-related load.

6. It was assumed that the probability of an SBO during a LOOP is very low. However, if it had occurred, the AC power sources could be recovered in four hours, the depleting batteries 56

would have been recharged. Therefore, the recovery of an AC source could prevent battery depletion and should be credited in the SPAR model. The AC recovery could be achieved by either recovering offsite power or recovering one of the DGs. The battery depletion probability at the fourth hour was the product of the non-recovery probability of offsite power in four hours (1.54 x 10-1) and the non-recovery probability of a DG in four hours (5.57 x 10-1). Therefore, the battery depletion probability at the fourth hour was calculated to be 8.56 x 10-2.

7. The duration of the LOOP in this scenario was greater than 15 minutes. However, the SPAR model does not contain a BE to account for the 15-minute loss. It was conservatively assumed that the recovery of offsite power was not possible within 30 minutes, since the BE representing a 30-minute loss was included in the SPAR model.

8. The failure probabilities of recovering offsite power in one hour, two hours and twelve hours were calculated based on the condition that there was no successful offsite power recovery in the first 30 minutes.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 2.38 x 10-3, which above the result range of other Alert EAL scenarios. This is mainly attributed to the plant-specific features in Surry. The EAL condition is interpreted as LOOPGR with only the dedicated EDG-1 feeding Unit 1. Another option to simulate this EAL condition is to assume that only EDG-3 is available and feeding bus J of Unit 1 [Ref. 24]. This case was not considered due to complications that could result from a dual-unit LOOP and the potential use of swing EDG for the opposite unit.

In Surry, the DGs are self-cooled using water-air radiators. They are provided with independent batteries, air starting systems which take suction directly from outside air, two fuel oil transfer pumps and separate day tanks. The fuel in each day tank is sufficient for four hours. The failure of EDG to run is, therefore, expected to be less than other PWRs, and not expected to contribute significantly to CCDP.

A detailed examination of the cutsets indicated that the dominant contribution to risk is failure of the running booster SW pump that cools the charging pumps (CCP-SW pump). As a result of this failure, the running charging pump will eventually fail (typically within 30 minutes) and the seal injection cooling to the RCP seal will be lost. However, the seal cooling provided by CCW and the running SW pump (not the booster pumps) should not be affected. In Surry there are other plant-specific features that would cause the failure of RCP seal cooling [Ref. 24].

Surry EDG 3 feeds the AC Bus J, which feeds two instrumentation air compressors. On the contrary, EDG 1 feeds H bus, which does not support any compressor. The SBO-EDG is also capable of supporting an instrument air compressor. In a scenario simulated here, where the AC source is from EDG 1, no instrument air compressor will be available. The loss of instrument air is, therefore, assumed after some time. As a result the CCW to RCP thermal barrier heat exchanger will be isolated.

The combined effect of loss of RCP seal cooling and seal injection would result in a consequential SLOCA via seal failure in Westinghouse plants. The high pressure injection (HPI) system will also not be available due to loss of running SW booster pump. The consequential RCP seal LOCA would result in early core damage in about two hours if no recovery action takes place.

57

While it is not recommended to rerank the EC of this EAL due to the model uncertainty, based on the ECW system dependency of Peach Bottom (Section 4.5), the definition of one power source is still available to keep the plant from SBO, in the threshold condition may require clarification, particularly for multiple-unit sites with shared electrical systems.

5.6 SA2.1 Failure of Reactor Protection System Instrumentation to Complete or Initiate an Automatic Reactor Scram Once a Reactor Protection System Setpoint Has Been Exceeded and Manual Scram Was Successful EAL Threshold Condition:

An automatic trip failed to shutdown the reactor and manual actions (i.e., trip pushbuttons) taken at the MCR Bench Board successfully shutdown the reactor as indicated by reactor power

< 5 percent.

Mapping of EAL Scenario to the SPAR ModelCase 1: Modeling a Transient with Primary Pressure Spike:

1. For sensitivity analysis, a transient capable of inserting reactivity was considered. An abnormal increase in feedwater flow causing an over cooling transient is one example of such a transient. The reactivity transient could cause a pressure spike prior to a manual scram. The effect of reactivity and the magnitude of the pressure spike would vary depending on the time since the last refueling outage due to moderator temperature reactivity feedback. A large pressure spike, if it occurs, could cause the opening of one or more primary relief paths. The worst condition resulting from this chain of events is an eventual reactor scram, i.e., a manual scram, a stuck open primary relief valve (stuck open SRV), ECCS actuation due to resulting low pressurizer level, and loss of main feed water.

2. The chain of events described above is modeled as a LOMFW transient with stuck open the pressurizer PORVs and/or the SRVs in the SPAR model.

3. Since the automatic trip failed, the reactor protective system analog process logic modules, the bi-stable channels and the under-voltage drivers were assumed to have failed.

4. The operator was assumed to have tripped the reactor successfully.

5. In order to trip the reactor successfully, the reactor trip breakers and the rod cluster control assembly must be manually operable.

Mapping of EAL Scenario to the SPAR ModelCase 2: Modeling a Transient without Primary Pressure Spike:

1. In this scenario, it was assumed that the operator was able to trip the reactor before the primary pressure spiked. Therefore, the initiator for general transients (IE-TRANS) was selected in the SPAR model.

2. Since the automatic trip failed, the reactor protective system analog process logic modules, the bi-stable channels and the under-voltage drivers were assumed to have failed.

58

3. The operator was assumed to have tripped the reactor successfully.

4. In order to trip the reactor successfully, the reactor trip breakers and the rod cluster control assembly must be manually operable.

SPAR Model Results and their Implications:

In this scenario, the CCDPs for Case 1 and Case 2 are 4.71 x 10-5 and 5.37 x 10-9, respectively.

Case 1 is considered the upper bound for this EAL, while Case 2 is considered the lower bound for this EAL. Case 1 is within the result range of other Alert EAL scenarios, while Case 2 is slightly lower than that range.

Most of the dominant accident sequences for Case 1 involved the failure of the HPI system and failure to perform cross tie of Unit 2 charging pumps to Unit 1 HPI suction lines. Failure of HPI system was dominated by CCFs of various components in redundant HPI trains. The CCFs of SW charging pump cooling were also a dominant contributor to the eventual failure of HPI system. Failure to cross tie of the Unit 2 charging pumps to Unit 1 HPI suction lines was dominated by operator errors.

The dominant minimal cutsets for Case 2 were similar to that of simple transients, except that the ATWS contribution had been removed. The dominant accident sequences for Case 2, therefore, involved CCF of the CCW system causing RCP seal LOCA followed by failure of HPI, or failure of secondary cooling followed by subsequent failure of feed and bleed operation.

The results from this analysis indicate that for most transients, which do not insert any reactivity to the core, and thereby do not accompany any primary pressure spike, this EAL can be downgraded to NOUE from Alert. However, the Alert classification is appropriate for reactivity transients in PWRs, such as plant overcooling transients. Unless it can be determined that reactivity transients are covered by other EALs, it may not be appropriate to modify this EAL.

5.7 SA4.1 Unplanned Loss of Safety System Annunciator or Indication in Control Room with a Significant Transient in Progress EAL Threshold Conditions:

1. Unplanned loss of most (approximately 75 percent) or all of:

a. Annunciators (Panels A thru K)

OR

b. Indicators associated with safety-related SSCs on unit MCR Bench Boards 1 and 2 and Vertical Boards 1 and 2 for > 15 minutes.

59

AND

2. a. A significant transient is in progress.

OR

b. Plant computer system (PCS) is unavailable.

Mapping of EAL Scenario to the SPAR ModelCase 1: Modeling Loss of Annunciators (Threshold Conditions 1 a. and 2) with Loss of Condenser Heat Sink:

1. The LOCHS initiator (IE-LOCHS) was selected to model the significant transient in progress.

2. The operator was assumed to have tripped the reactor successfully.

3. The loss of annunciation would limit the ability of the operators to perform some of the manual actions, if necessary. These operator actions involved performing the following functions, were represented in the SPAR model as BEs.

Aligning alternate train of the CCW heat exchanger;

Diagnosing interfacing systems LOCA;

Diagnosing and isolating ruptured SGs;

Tripping the RCPs;

Closing the pressurizer PORV block valves;

Recovering SW system to CCW heat exchangers;

Starting the backup SW pump.

Therefore, the HEPs of these BEs were adjusted in the model according to the SPAR-H NUREG guidance [Ref. 14]. The PSF adjustments and the SPAR-H worksheet for this scenario are documented in Appendix E of this report.

4. The dependencies among different operators actions were examined and the affected HEPs were calculated based on the SPAR-H NUREG guidance [Ref. 14].

5. An Alert was assumed to be declared 15 minutes after the event started. Therefore, only the early recovery actions were modified, while the late recovery actions were assumed to have nominal HEPs.

Mapping of EAL Scenario to the SPAR ModelCase 2: Modeling Loss of Indicators (Threshold Conditions 1 b. and 2.) with Loss of Condenser Heat Sink:

1. The LOCHS initiator (IE-LOCHS) was selected to model the significant transient in progress.

2. The operator was assumed to have tripped the reactor successfully.

60

3. The loss of indication would limit the ability of the operators to perform some of the manual actions, if necessary. These operator actions involved performing the following functions, were represented in the SPAR model as BEs.

Performing AFW cross-tie between the units;

Aligning alternate train of the CCW heat exchanger;

Maintaining hotwell level;

Restoring chilled water for room cooling;

Aligning Unit 1 HPI suction to Unit 2 RWST;

Establishing alternate HPI;

Initiating feed and bleed;

Aligning the backup HPI MDP 1C;

Throttling HPI flow;

Diagnosing interfacing systems LOCA;

Diagnosing and isolating ruptured SGs;

Tripping the RCPs;

Closing the pressurizer PORV block valves;

Recovering SW to CCW heat exchangers;

Starting the backup SW pump.

Therefore, the HEPs of these BEs were adjusted in the model according to the SPAR-H NUREG guidance [Ref. 14]. The PSF adjustments and the SPAR-H worksheet for this scenario are documented in Appendix E of this report.

4. The dependencies among different operators actions were examined and the affected HEPs were calculated based on the SPAR-H NUREG guidance [Ref. 14].

5. (Same as Case 1)

Mapping of EAL Scenario to the SPAR ModelCase 3: Modeling Loss of Annunciators (Threshold Condition 1.a.) with Loss of Main Feedwater:

1. The LOMFW initiator (IE-LOMFW) was selected to model the significant transient in progress.

2. to 5. (Same as Case 1)

Mapping of EAL Scenario to the SPAR ModelCase 4: Modeling Loss of Indicators (Threshold Condition 1. b.) with Loss of Main Feedwater:

1. The LOMFW initiator (IE-LOMFW) was selected to model the significant transient in progress.

2. to 5. (Same as Case 2)

Mapping of EAL Scenario to the SPAR ModelCase 5: Modeling Loss of Annunciators (Threshold Condition 1.a.) with General Transient:

1. The general transient initiator (IE-TRANS) was selected to model the significant transient in progress.

61

2. to 5. (Same as Case 1)

Mapping of EAL Scenario to the SPAR ModelCase 6: Modeling Loss of Indicators (Threshold Condition 1. b.) with General Transient:

1. The general transient initiator (IE-TRANS) was selected to model the significant transient in progress.

2. to 5. (Same as Case 2)

SPAR Model Results and their Implications:

The CCDPs for Cases 1 to 6 of this EAL scenario are 1.02 x 10-8, 7.39 x 10-6, 4.13 x 10-6, 3.60 x 10-4, 6.60 x 10-9 and 7.30 x 10-6, respectively. The CCDPs of Cases 1, 2, 3, 5 and 6 are below the result range of other Alert EAL scenarios, while the CCDP of Case 4 is within the result range of other Alert EAL scenarios. In Cases 1, 3 and 5, the CCDPs are below the normal result range because the loss of annunciators is expected to result in a minimal impact in the control room operator's ability to recover from a transient, as long as the associated control room indicators remains operable. The CCDPs for the cases that model loss of indicators (Cases 2, 4, and 6) are in general higher than the cases that model loss of annunciators. Cases 2 and 6, which modeled the LOCHS and general transient, respectively, are lower than Case 4, which modeled the LOMFW. The reasons for this discrepancy stems from the assumptions of SPAR models. SPAR models credit recovery of main feedwater (MFW) system in LOCHS; whereas, such credit is not provided for LOMFW initiators. In fact, the results from the two analyses are closely comparable if the recovery credit for MFW system is removed. This latter case is similar to EAL condition MA6 for Peach Bottom for loss of indication with significant transient in progress, where the results for both LOCHS and LOMFW were approximately the same.

The dominant contributors for Case 4 were mainly driven by the operator failures to align and control a source of secondary cooling followed by the failure of feed and bleed operation.

These operator failures were:

failure to provide make up to emergency condensate storage tank (ECST) to ensure continued operation of AFW,

failure to cross-connect to other unit AFW, and

failure to perform the feed and bleed operation.

The Alert EALs associated with of loss of annunciators can be considered for being downgraded to NOUE from Alert. However, the analysis results do not support any modification of the Alert EALs associated with of loss of indicators.

62

5.8 HA3.1 Access to a Safe Shutdown Area is Prohibited Due to Release of Toxic, Corrosive, Asphyxiant or Flammable Gases Which Jeopardize Operation of Systems Required to Maintain Safe Operations or Safely Shutdown the Reactor EAL Threshold Condition:

Access to the following area is prohibited due to toxic, corrosive, asphyxiant or flammable gases which jeopardize operation of systems required to maintain safe operations or safely shutdown the reactor:

Cable Vaults and Tunnels

Emergency Switchgear and Relay Rooms

Unit Switchgear Room

Reactor Containment

Safeguards Complex (including Cont. Spray Pump Area and Main Steam Valve House)

Main Control Room

EDG Rooms 1, 2 and 3

Auxiliary / Fuel / Decontamination Buildings

Underground Fuel Oil Pump House Rooms

Intake Structure - Emergency SW Pump

House

Turbine Building

Mechanical Equipment Rooms 3, 4 and 5

Cable Tray Room Mapping of EAL Scenario to the SPAR ModelCase 1: Modeling the Presence of Toxic Gas in the DG Room:

1. The loss of the EDG was assumed, since either the operator blocks the start of the affected EDG in fear of potential explosion due to flammable gases or the DG may trip due to high room temperature. The high room temperature that could trip DG is expected shortly after DG start since HVAC is isolated.

2. It was conservatively assumed that the duration was eight hours in this scenario, although most toxic gas scenarios lasted for about two to six hours.

3. The probabilities for DG recovery in one hour and four hour were reduced to account for the lost DG that cannot be recovered in eight hours.

Mapping of EAL Scenario to the SPAR ModelCase 2: Modeling the Presence of Toxic Gas in the Switchgear Room:

1. It was assumed that the toxic gas did not dissipate in eight hours. During this time period it is not possible to manually operate breakers in the switch gear room (e.g., for aligning EDGs). Therefore, the operator cannot recover any DG failure in eight hours.

2. It was conservatively assumed that the duration was eight hours in this scenario, although most toxic gas scenarios lasted for about two to six hours.

63

3. It was also assumed that the recovery of a LOOP due to a plant-center or a switchyard incident was unsuccessful in the first eight hours.

Mapping of EAL Scenario to the SPAR ModelCase 3: Sensitivity Analysis:

1. This case served as a sensitivity analysis to study the effect of all the failures of all possible local operator actions. It was conservatively assumed that the operators cannot perform any local actions at all the affected areas with the presence of toxic gas.

2. It was assumed that the toxic gas did not dissipate in eight hours. Therefore, the operator cannot recover any DG failure in eight hours.

3. It was conservatively assumed that the duration was eight hours in this scenario, although most toxic gas scenarios lasted for about two to six hours.

4. It was also assumed that the recovery of a LOOP due to a plant-center or a switchyard incident was unsuccessful in the first eight hours.

SPAR Model Results and their Implications:

The CCDPs of Cases 1, 2 and 3 are 2.59 x 10-8, 4.86 x 10-9 and 1.40 x 10-8, respectively, which are all below the result range of other Alert EAL scenarios. The dominant cutsets for Case 1 are mainly driven by the increased likelihood of an SBO or loss of an emergency bus associated with the unavailable EDG. The dominant cutsets for Case 2 also result from the increased likelihood of SBO events, but are mainly driven by the lower probability of restoring the offsite power due to inaccessibility of switchgear room. The dominant minimal cutsets for Case-3 are driven by the failure of operators to establish the cross-tie of the AFW between the two units after the failure of the dedicated AFW system in one unit. The remainder of contributors is similar to that of Case 2.

In light of the low CCDPs for all three cases, the EC of this EAL may be considered for downgrading to NOUE or be eliminated, if it is caused by a spurious actuation of a fire suppression system. For all other toxic and flammable gases, there could be a possibility of fire or explosion, which is not included in the analyses. However, fire explosions are already covered as a part of other EALs.

5.9 SS1.1Loss of all Offsite and all Onsite AC Power to Emergency Buses for 15 Minutes or Longer EAL Threshold Condition:

Loss of all offsite and onsite AC power to Unit 4160V emergency buses H and J for

> 15 minutes.

Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected, since the majority of LOOP events in the U.S. are grid related. The emergency buses H and J would be de-energized due to LOOP.

64

2. When LOOP occurred, all DGs were assumed to be inoperable to model the SBO condition.

3. During the SBO, if AC power sources could have been recovered in four hours, the depleting batteries would have been recharged. Therefore, the recovery of an AC source could prevent battery depletion and should be credited in the SPAR model. The AC recovery could be achieved by either recovering offsite power or recovering one of the DGs.

The battery depletion probability at the fourth hour was the product of the non-recovery probability of offsite power in four hours and the non-recovery probability of a DG in four hours.

4. The duration of the LOOP in this scenario was greater than 15 minutes. However, the SPAR model does not contain a BE to account for the 15-minute loss. It was conservatively assumed that the recovery of offsite power was not possible within 30 minutes, since the BE representing a 30-minute loss was included in the SPAR model.

5. The failure probabilities of recovering one of the DGs or offsite power in one hour, two hours, three hours, four hours, six hours and eight hours were calculated based on the condition that there was no successful recovery of any of the DGs or offsite power in the first 30 minutes.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 3.02 x 10-2, which is within the result range of other SAE EAL scenarios.

Almost all dominant sequences involve SLOCA caused by RCP seal failure and failure to recover at least one source of power. In most cases, the core damage would occur early, within the first two hours after LOOP.

The analysis result does not support any modification of this EAL.

5.10 SS1.2Loss of all Vital DC Power EAL Threshold Condition:

Loss of all vital DC power based on < 105V DC bus voltage indications for > 15 minutes.

Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, LOMFW was assumed to occur upon the loss all vital DC power. The LOMFW was assumed to occur due to a series of competing faults, including the loss of control of feedwater regulating valves causing feedwater isolation. Therefore, the LOMFW initiator (IE-LOMFW) was selected.

2. All the vital DC buses were assumed to have failed.

3. The TDAFW system in Surry did not require DC power to start. However, the TDAFW flow had to be controlled manually to prevent SG overfill and the pumps failure due to water carryover. The Surry SPAR model originally associated several different HEPs to this operator control action. These HEP values vary depending on the scenario. In this 65

scenario, an HEP of 0.1, which is a generic PRA value used by other plant-specific SPAR model for TDAFW flow control, was assigned. (Note that an HEP of 0.3 was applied when all AC and DC were lost, while an HEP of 0.03 was used when all instrument air was lost.)

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 1.52 x 10-1, which is higher than the result range of other SAE EAL scenarios. The PRA model for Surry does not credit the specific recovery actions that could possibly be performed during loss of all DC. These are described below.

In the loss of all DC, manual local operation of the breakers can be credited as recovery actions to compensate for loss of control power, for example for starting and controlling the MDAFW pumps. Availability of AC power facilitates the success of these local manual actions by providing sufficient lighting and ease of access. Success of such recovery actions would eliminate the need for manual flow control of TDAFW, or significantly reduce the length of time that manual control is needed. The flow control of TDAFW is only needed for sufficient time to either recover the DC or perform other recovery actions involving the manual breaker operations. Therefore, a CCDP that is slightly lower than 1.52 x 10-1 would be expected, if manual operation of breakers to supply AC power is credited. The recovery action probabilities for manual operation of breakers and the flow control of TDAFW are dependent on each other.

However, the manual operation of breakers is currently not credited in the model. The combined impact of all dependent recovery actions would only contribute to a slight change in CCDP and would not impact the risk insights.

In this analysis, it was conservatively assumed that DC cannot be recovered. However, even with recovery possibility, prolonged loss of DC would result in core damage. This EAL can be considered for upgrading to GE. Perhaps a two step time frame (e.g., 15 minutes to 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months SAE; greater than two hoursGE) may be considered.

5.11 SS2.1Failure of Reactor Protection System Instrumentation to Complete or Initiate an Automatic Reactor Scram Once a Reactor Protection System Setpoint Has Been Exceeded and Manual Scram Was NOT Successful EAL Threshold Condition:

An automatic trip failed to shutdown the reactor and manual actions (i.e., trip pushbuttons) taken at the MCR Bench Board do not shutdown the reactor as indicated by reactor power

> 5 percent.

Mapping of EAL Scenario to the SPAR ModelCase 1: Modeling a Transient with LOMFW:

1. In this scenario, a transient was in demand, but both the automatic and manual trip failed.

The primary pressure and temperature would increase and lead to an LOMFW event.

Therefore, the initiator for LOMFW (IE-LOMFW) was selected in the SPAR model.

2. The operator was assumed to have failed to trip the reactor.

3. The reactor trip breakers and the rod cluster control assembly were assumed to have failed, such that the manual trip process could not be completed.

66

Mapping of EAL Scenario to the SPAR ModelCase 2: Modeling a General Transient:

1. In this scenario, a transient was in progress, but the automatic scram system failed. It was assumed that a general transient has occurred. Therefore, the initiator for general transient (IE-TRANS) was selected in the SPAR model.

2. Since the automatic trip failed, the reactor protective system analog process logic modules, the bi-stable channels and the under-voltage drivers were assumed to have failed.

3. The operator was assumed to have failed to trip the reactor.

4. The reactor trip breakers and the rod cluster control assembly were assumed to have failed, such that the manual trip process could not be completed.

SPAR Model Results and their Implications:

In this scenario, the CCDPs for Case 1 and Case 2 are both 4.92 x 10-2. Both cases are within the result range of other SAE scenarios.

The dominant sequences for both cases were similar to that of ATWS scenarios. They generally involved a single failure, such as failure to initiate the emergency boration, existence of an unfavorable temperature coefficient, failure to relieve the pressure from the initial spike after an ATWS scenario, etc. There were no differences between the dominant contributors and minimal cutsets between the two cases analyzed.

5.12 SS4.1Inability to Monitor a Significant Transient in Progress EAL Threshold Conditions:

1. Loss of most (approximately 75 percent) or all annunciators (Panels "A" thru "K") associated with safety-related SSCs on Unit MCR Bench Boards 1 and 2 and Vertical Boards 1 and 2.

AND

2. PCS is unavailable.

AND

3. Complete loss of ability to monitor any critical safety function status.

AND

4. Any of the following significant transient is in progress:

a) Automatic turbine runback > 25 percent thermal reactor power; b) Electrical load rejection > 25 percent full electrical load; c) Reactor trip; d) Safety injection activation; e) Thermal power oscillations of > 10 percent.

67

Mapping of EAL Scenario to the SPAR ModelCase 1: Loss of Condenser Heat Sink:

1. The LOCHS initiator (IE-LOCHS) was selected to model the significant transient in progress.

2. The operator was assumed to have tripped the reactor successfully.

3. The loss of annunciation and indication would severely affect the ability of the operators to perform some of the manual actions, if necessary. The affected operator actions represented in the SPAR model were:

Aligning alternate train of the CCW heat exchanger;

Diagnosing interfacing systems LOCA;

Diagnosing and isolating ruptured SGs;

Tripping the RCPs;

Closing the pressurizer PORV block valves;

Recovering SW to CCW heat exchangers;

Starting the backup SW pump.

Performing AFW cross-tie between the units;

Maintaining hotwell level;

Restoring chilled water for room cooling;

Aligning Unit 1 HPI suction to Unit 2 RWST;

Establishing alternate HPI;

Initiating feed and bleed;

Aligning the backup HPI MDP 1C;

Throttling HPI flow; Therefore, the HEPs of these BEs were set to TRUE (failure probability = 1) in the model according to the SPAR-H NUREG guidance [Ref. 14].

4. The loss of both annunciation and indication was assumed to have an insignificant impact on late recovery actions. Therefore, all the late recovery actions were assumed to have nominal HEPs.

Mapping of EAL Scenario to the SPAR ModelCase 2: Loss of Main Feedwater:

1. The LOMFW initiator (IE-LOMFW) was selected to model the significant transient in progress.

2. to 4. (Same as Case 1)

Mapping of EAL Scenario to the SPAR ModelCase 3: General Transient:

1. The general transient initiator (IE-TRANS) was selected to model the significant transient in progress.

2. to 4. (Same as Case 1) 68

SPAR Model Results and their Implications:

The CCDPs of Cases 1, 2 and 3 of this EAL scenario are all 8.18 x 10-4. The results of all cases are below the result range of other SAE scenarios. In the Surry plant, the SGs will be fed by either of the two MDAFW trains or the TDAFW train during this EAL condition. However, continued operation of AFW without the ability to monitor critical safety functions, which is known as blind operation, will result in overfilling of SGs. It can cause failure of TDAFW due to water carryover to the turbine; however, it will not affect the operation of the MDAFW trains.

The dominant minimal cutsets for both case runs included CCF of AFW motor driven pumps, and failure of the operator to provide makeup into the ECST to ensure long term operation of AFW.

The analysis result does not support any modification of this EAL, despite the lower CCDP results for Surry.

5.13 SG1.1Prolonged Loss of all Offsite and Onsite AC Power EAL Threshold Conditions:

1. Loss of all offsite and onsite AC power to Unit ( ) 4160V emergency buses H and J.

AND EITHER:

2. Restoration of any 4160V emergency bus within four hours is not likely.

OR

3. CSFST Core Cooling-RED or ORANGE path.

Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected, since the majority of LOOP events in the U.S. are grid related. The emergency buses H and J would be de-energized due to LOOP.

2. When LOOP occurred, all DGs were assumed to be inoperable to model the SBO condition.

3. During the SBO, if AC power sources could have been recovered in four hours, the depleting batteries would have been recharged. Therefore, the recovery of an AC source could prevent battery depletion and should be credited in the SPAR model. The AC recovery could be achieved by either recovering offsite power or recovering one of the DGs.

The battery depletion probability at the fourth hour was the product of the non-recovery probability of offsite power in four hours and the non-recovery probability of a DG in four hours.

4. Since the duration of SBO in this scenario was greater than four hours, it was assumed that the recovery of any of the DGs or offsite power was not possible within four hours. The failure probabilities of recovering one of the DGs or offsite power in six hours and eight hours were calculated based on the condition that there was no successful recovery of any of the DGs or offsite power during the first four hours.

69

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 3.86 x 10-1, which is within the result range of other GE EAL scenarios.

There were two dominant sequences of core damage for this EAL:

1. The first scenario involved failure of RCP seals, which resulted in SLOCA. For this scenario, the core damage was considered early and expected to occur within two hours.

2. In the dominant sequences, there were no RCP seal failures (i.e., no LOCA), the operator failure to extend the operation of TDAFW pumps after batteries had depleted was, therefore, the main contributor.

5.14 SG2.1Failure of the Reactor Protection System to Complete Both Automatic and Manual Trip and There is Indication of an Extreme Challenge to the Ability to Cool the Core EAL Threshold Conditions:

1. An automatic trip failed to shutdown the reactor and all manual actions do not shutdown the reactor as indicated by reactor power > 5 percent.

AND EITHER:

2. CSFST Core Cooling-RED.

OR

3. CSFST Heat Sink-RED.

Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, during a transient, both the automatic and manual trip failed. The primary pressure and temperature increase and leads to an LOMFW event. Therefore, the initiator for LOMFW (IE-LOMFW) was selected in the SPAR model.

2. Since the automatic trip failed, the reactor protective system analog process logic modules, the bi-stable channels and the under-voltage drivers were assumed to have failed.

3. The operator was assumed to have failed to trip the reactor.

4. The reactor trip breakers and the rod cluster control assembly were assumed to have failed, such that the manual trip process could not be completed.

5. The AFW system and the manual action to crosstie the AFW from Unit 2 were assumed to have failed to model the degenerating condition of the core cooling.

70

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 1, which is within the result range of other GE EAL scenarios.

The EAL scenario would directly result in core damage since the ATWS conditions specified by the EAL are such that core damage could not be prevented.

71

6. ANALYSIS AND IMPLICATIONS OF SEQUOYAH RESULTS All the EAL threshold conditions in this chapter are excerpted from the Sequoyah Emergency Plan [Ref. 25].

6.1 SU1Loss of Offsite Power to Either Unit for > 15 Minutes EAL Threshold Conditions:

1. All four 6.9 kV unit boards de-energized for > 15 minutes.

AND

2. Both unit-related 6.9 kV shutdown boards are energized.

Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected, since the majority of LOOP events in the U.S. are grid related. The emergency buses H and J would be de-energize due to LOOP.

2. All DGs were assumed to start automatically due to the LOOP. No DGs were undergoing test or maintenance and there was no CCF.

3. All batteries and battery chargers were assumed to be operable, since the DGs were able to charge the batteries and supply power to the battery chargers. There was no CCF of the batteries and battery chargers that could affect their function.

4. The DG load sequencer was assumed to be operable in this scenario. Otherwise, the DGs would not be able to supply power to the safety-related load.

5. All DC buses were assumed to be working.

6. Since the duration of LOOP in this scenario was greater than 15 minutes, it was conservatively assumed that the recovery of offsite power was not possible within 30 minutes.

7. The failure probabilities of recovering offsite power in one hour, two hours, three hours, four hours, six hours and eight hours were calculated based on the condition that there was no successful offsite power recovery in the first 30 minutes.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 1.98 x 10-5, which is slightly higher than the result range of other NOUE EAL scenarios. This higher CCDP results from plant-specific features associated with Sequoyah. There is no cross tie between the Emergency AC bus for two units in Sequoyah in contrast to Peach Bottom and Surry. Therefore, a slightly higher likelihood for extended SBOs initiated by this EAL is expected. The CCDP difference is not large in comparison with the presumed result range of other LOOP related NOUE scenarios. Therefore, the analysis 73

result does not support any modification to this EAL. If the plant can be shut down safely without any complication, the risk is very low.

6.2 SU3On Either Unit Unplanned Loss of > 75 Percent of the MCR Annunciators or > 75 Percent of Safety System Indications for

> 15 Minutes and ICS Available EAL Threshold Conditions:

1. a. Unplanned loss of > 75 percent of both channels of MCR annunciator windows and the annunciator printer and the annunciator CRT in the horseshoe for > 15 minutes.

OR

b. > 75 percent of safety system indications for > 15 minutes.

AND

2. SM/SED judgment that increased surveillance is required (>shift compliment) to safely operate the unit.

AND

3. The ICS is capable of displaying data requested.

Mapping of EAL Scenario to the SPAR ModelCase 1: Modeling Loss of Annunciators (Threshold Conditions 1a, 2 and 3)

1. As the plant was assumed to be stable and in automatic operation at the start, no transient was expected. There was no transient expected. Therefore, no initiator was selected in the SPAR model.

2. The loss of annunciation would limit the ability of the operators to perform some of the manual actions, if necessary. The operator actions, which included performing the following functions, were represented in the SPAR model as BEs.

Isolating ruptured SGs;

Starting the standby CCW pump;

Swapping suction from VCT to RWST;

Diagnosing interfacing systems LOCA;

Initiating cooldown upon discovery of SGTR;

Closing the pressurizer PORV block valves;

Tripping the RCPs;

Diagnosing and isolating ruptured SGs;

Establishing the ERCW flow.

Therefore, the HEPs of these BEs were adjusted in the model according to the SPAR-H NUREG guidance [Ref. 14]. The PSF adjustments and the SPAR-H worksheet for this scenario are documented in Appendix E of this report.

74

3. A NOUE was assumed to be declared 15 minutes after the event started. Therefore, only the early recovery actions were modified, while the late recovery actions were assumed to have nominal HEPs.

Mapping of EAL Scenario to the SPAR ModelCase 2: Modeling Loss of Indicators (Threshold Conditions 1b, 2 and 3)

1. (Same as Case 1)

2. The loss of indication would limit the ability of the operators to perform some manual actions, if necessary. The operator actions, which included performing the following functions, were represented in the SPAR model as BEs.

Isolating ruptured SGs;

Starting the standby CCW pump;

Swapping suction from VCT to RWST;

Diagnosing interfacing systems LOCA;

Initiating cooldown upon discovery of SGTR;

Closing the pressurizer PORV block valves;

Tripping the RCPs;

Diagnosing and isolating ruptured SGs;

Establishing the ERCW flow;

Initiating feed and bleed;

Throttling HPI flow;

Initiating cooldown of primary and secondary; Therefore, the HEPs of these BEs were adjusted in the model according to the SPAR-H NUREG guidance [Ref. 14]. The PSF adjustments and the SPAR-H worksheet for this scenario are documented in Appendix E of this report.

3. (Same as Case 1)

SPAR Model Results and their Implications:

The CCDPs of Case 1 and Case 2 are 7.78 x 10-9 and 6.26 x 10-9, respectively, which are below the result range of other NOUE EAL scenarios. These CCDPs are calculated at 15 minutes after the loss of annunciators (Case 1) or indicators (Case 2) occurs; the CCDPs would increase if the duration is longer. Figure 6-1 shows the CCDPs for both cases from 15 minutes to eight hours.

75

Sequoyah SU3 1.E-06 1.E-07 1.E-08 CCDP 1.E-09 1.E-10 Loss of Annunciation Loss of Indication 1.E-11 0 1 2 3 4 5 6 7 8 Time (hrs)

Figure 6-1. CCDP of SU3 from 15 Minutes to Eight Hours The effect of losing annunciation or indication is similar. The dominant sequences in this scenario are driven by different types of operator actions due to loss of annunciators and indicators. Although the CCDP results for both losses of annunciators and indicators are below the expected range for NOUE. They could be higher if the conditions last longer.

Although the duration of the degraded condition varies on a case by case basis, when the degraded condition lasts for less than eight hours, this EAL can be considered for elimination.

6.3 SU5Unidentified or Pressure Boundary RCS Leakage > 10 GPM, or Identified RCS Leakage >25 GPM EAL Threshold Conditions:

1. Unidentified or pressure boundary leakage (as defined by Tech. Specs.) > 10 GPM as indicated by:

a. SI-OPS-068-137.0 results or RCS Flow Balance Calculation (AOP-R.05, Appendix I or J).

OR

b. With RCS temperature and pressurizer level stable, the VCT level on LI-62-129 or LI-62-130 is dropping at a rate > 10 GPM.

OR 76

2. Identified RCS leakage (as defined by Tech. Specs.) > 25 GPM as indicated by:

a. SI-OPS-068-137.0 results or RCS Flow Balance Calculation (AOP-R.05, Appendix I or J)

OR

b. Level rise in excess of 25 GPM total into PRT, RCDT or CVCS holdup tank (Refer to TI-28).

OR

c. RCS leakage through a steam Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, the RCS leakage was modeled as a very small SLOCA event, since SPAR models do not have any surrogate for events involving leak rates less than a SLOCA. In SPAR models, the SLOCA initiator (IE-SLOCA) was defined as a primary break that can be mitigated with high-pressure safety injection.

2. The threshold conditions indicated that the Sequoyah TS limit(s) of a primary system leakage was/were exceeded [Ref. 26]. Therefore, the operator was required to shutdown the plant. The manual trip was assumed to be successful.

3. The leakage was considered to be very small; therefore, it could be compensated by the HPCI systems. However, the operator was required to refill the RWST. Therefore, the nominal failure probability of operator action (1 x 10-3) from SPAR-H [Ref. 14] was assigned to the operator action of refilling the RWST.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 6.19 x 10-6, which is within the result range of other NOUE EAL scenarios. The dominant contributors to the core damage sequences resulted from the failure to continue HPI, followed by failure to depressurize the primary and continue with low pressure injection. The dominant minimal cutsets reflect the failures of these systems, failures of their support systems, and the human errors related to manual depressurization. The major support systems that contributed to the estimated CCDP are loss of ERCW and loss of room cooling.

Considering the current conservative interpretation and mapping of this EAL to the PRA domain, the analysis result does not support any modification of this EAL.

6.4 HU3Unplanned Release of Flammable Gas Within the Site Perimeter EAL Threshold Conditions Unplanned release of flammable gas within the site perimeter:

a. Plant personnel report the average of three readings taken in a 10-foot triangular area is

> 25 percent LEL as indicated on the monitoring instrument within the site perimeter:

77

Unit 1 and 2 Reactor Buildings

Auxiliary Building

Control Building

DG Building

Additional DG Building

Intake Pumping Station

Additional Equipment Buildings (Unit 1 and 2)

CDWE Building

Turbine Building OR

b. Confirmed report by local, county, or state officials that a large offsite flammable gas release has occurred within one mile of the site with potential to enter the site perimeter in concentrations >25 percent of LEL.

Mapping of EAL Scenario to the SPAR Model:

1. Operators would need to wear protective gear, which might include respirators, gloves and protective clothing. This would take longer time to performing the manual actions at the affect site area. The operator actions, which included performing the following functions, were represented in the SPAR model as BEs:

Performing actions related to recovering SW or clearing the SW strainers.

Recovery actions at the switchyard, if there were a LOOP during the presence of toxic gas.

2. It was conservatively assumed that the duration was eight hours in this scenario, although most toxic gas scenarios lasted for about two to six hours.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 1.24 x 10-7, which is lower than the result range of other NOUE EAL scenarios. The top two sequences account for 80 percent of the CCDP. The minimal cutsets indicate that any failure or degradation of the ERCW system, such as strainer clogging, would require operator actions to be performed at a remote area of the plant and will be significantly hindered by the presence of toxic gas. Other contributors to the CCDP include restoration activities of offsite power that may require plant staff to go to switchyard.

Since the CCDP is low and the reportability of events associated with release of toxic, corrosive, asphyxiant or flammable gases is covered under 10 CFR 50.72 [Ref. 18], this EAL can be considered for elimination.

6.5 SA5Loss of Offsite Power to Either Unit with Degraded Onsite AC Power for >15 Minutes EAL Threshold Conditions:

1. a. All four 6.9 kV unit boards de-energized for >15 minutes.

78

AND

b. One unit related 6.9 kV shutdown board de-energized for > 15 minutes.

OR

2. Any AC power condition lasting >15 minutes where an additional single failure will result in a unit blackout.

Mapping of EAL Scenario to the SPAR Model:

1. In this scenario, the initiator of grid-related LOOP (IE-LOOPGR) in the SPAR model was selected, since the majority of LOOP events in the U.S. are grid related. The two emergency auxiliary transformers would de-energize instantly due to LOOP.

2. DG 1A was assumed to start automatically to provide a single power source to meet the second threshold condition. Since DG 1A started successfully, there should not be any test and maintenance being performed on DG 1A. There was no CCF of the DGs that could affect the operation of DG 1A either.

3. DG 1B was assumed to be inoperable, since DG 1A was assumed to be the only power source available in this scenario.

4. The batteries were assumed to be operable, since DG 1A was able to charge the batteries.

There was no CCF of the batteries that could affect their functions.

5. The DG load sequencer was assumed to be operable in this scenario. Otherwise, DG1A would not be able to supply power to the safety-related load.

6. The duration of the LOOP in this scenario was greater than 15 minutes. However, the SPAR model does not contain a BE to account for the 15-minute loss. It was conservatively assumed that the recovery of offsite power was not possible within 30 minutes, since the BE representing a 30-minute loss was included in the SPAR model.

7. The failure probabilities of recovering offsite power in one hour, two hours and twelve hours were calculated based on the condition that there was no successful offsite power recovery in the first 30 minutes.

SPAR Model Results and their Implications:

The CCDP of this EAL scenario is 4.99 x 10-4, which is within the result range of other Alert EAL scenarios. There are three dominant core damage sequences for this EAL. The first sequence is a SBO sequence with small LOCA resulting from RCP seal failure. The second sequence is also a prolonged SBO with failure to control TDAFW flow after battery depletion. The third sequence is related to ERCW failure that would affect the cooling of the RCPs and DGs, which would lead to a core melt.

It is unnecessary to rerank the EC of this EAL based on the CCDP of Sequoyah. However, the definition of one power source is still available to keep the plant from SBO, in the threshold condition may require clarification, particularly for multiple-unit sites with shared electrical systems, based on the ECW system dependency of Peach Bottom (Section 4.5).

79

6.6 SA2Automatic Reactor Trip Did Not Occur After Valid Trip Signal and Manual Trip from MCR was Successful EAL Threshold Conditions:

1. Valid reactor trip signal received or required AND

2. Manual reactor trip from the MCR was successful and power is <5 percent and decreasing.

Mapping of EAL Scenario to the SPAR ModelCase 1: Modeling a Transient with Primary Pressure Spike:

1. For sensitivity analysis, a transient capable of inserting reactivity was considered. An abnormal increase in feedwater flow causing an over cooling transient is one example of such a transient. The reactivity transient could cause a pressure spike prior to manual scram. The effect of reactivity and the magnitude of the pressure spike would vary depending on the time since the last refueling outage due to the temperature reactivity feedback. A large pressure spike, if it occurs, could cause the opening of one or more primary relief paths. The worst condition resulting from this chain of events is eventual reactor scram due to manual scram, a stuck open primary relief valve (stuck open SRV),

ECCS actuation due to resulting low pressurizer level, and loss of main feed water.