ML14183A572
| ML14183A572 | |
|---|---|
| Site: | Robinson |
| Issue date: | 08/17/1994 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package: | ML14183A571 |
| References: | GL-88-020, NUDOCS 9408220214 |
SAFETY EVALUATION BY THE OFFICE OF NUCLEAR REACTOR REGULATION RELATED TO INDIVIDUAL PLANT EXAMINATION
CAROLINA POWER & LIGHT COMPANY
H. B. ROBINSON STEAM ELECTRIC PLANT, UNIT NO. 2
DOCKET NO. 50-261
SAFETY EVALUATION TABLE OF CONTENTS
EXECUTIVE SUMMARY
I. BACKGROUND
II. STAFF'S REVIEW
- 1. Licensee's IPE Process
- 2. Front-End Analysis and DHR Evaluation
- 3. Back-End Analysis and Containment Performance Improvements
- 4. Human Reliability Analysis
- 5. Licensee Actions and Commitments
III. CONCLUSION
APPENDIX H. B. Robinson Unit 2 IPE Information
EXECUTIVE SUMMARY
The NRC staff completed its review of the internal events portion of the H. B. Robinson Steam Electric Plant, Unit 2, (HBR2) individual plant examination (IPE) submittal and its associated documentation, which includes licensee responses to staff generated questions and comments. The licensee's IPE is based on a full scope Level 2 PRA performed in fulfillment of Generic Letter (GL) 88-20. No specific unresolved safety issues (USIs) or generic safety issues (GSIs) were proposed for resolution as part of the IPE.
HBR2 is a Westinghouse 3-loop plant with a large dry containment. The IPE estimated the mean probabilistic core damage frequency (CDF) at 3.2E-4/yr. Contributions from the most important initiating events include loss-of-coolant accidents (LOCAs) (23%), loss of offsite power (18%), loss of either division of emergency AC power bus E1 or E2 (10%), loss of service water (9%), and loss of component cooling water (5%). In addition, a large fraction of the CDF is associated with sequences which are contained in functional groupings such as RCP seal LOCAs (21%), internal flooding (21%) and station blackout (10%). The submittal also provides a discussion of the top 23 highest frequency sequences, the first 10 of which account for about 85% of the total CDF.
The licensee did not define vulnerability in the submittal, but in response to staff questions indicated that qualitative and quantitative criteria in successive levels of screening were used to assess possible enhancements to the plant. The licensee used Nuclear Management and Resources Council (NUMARC) 91-04, Severe Accident Issue Closure Guidelines, for addressing IPE results. The guidelines were applied first to accident sequences and second to accident classes.
The HBR2 IPE did not identify any severe accident vulnerabilities associated with either core damage or containment failure. However, from the results of the analysis, the licensee identified several improvements, described in the IPE submittal, that are under consideration. These are identified in Section II.5 of this report.
Based on the review of the HBR2 IPE submittal and its associated documentation, the staff concludes that the licensee met the intent of GL 88-20. This conclusion is based on the following findings: (1) the IPE is complete with respect to the information requested in GL 88-20 and the associated Supplement 3; (2) the analytic approach is technically sound and capable of identifying plant-specific vulnerabilities, including those associated with internal flooding; (3) the licensee employed a viable means to verify that the IPE models reflect the current plant design and operation at the time of submittal to the NRC; (4) the IPE was peer reviewed; (5) the licensee participated in the IPE process; (6) the IPE specifically evaluated the decay heat removal function for vulnerabilities; (7) the licensee responded appropriately to Containment Performance Improvement (CPI) program recommendations. In addition, CP&L indicated that they are planning to make the PRA "living" and use the study to address any new safety issues and assess plant changes.
I. BACKGROUND
On November 23, 1988, the NRC issued Generic Letter (GL) 88-20 that requires licensees to conduct an Individual Plant Examination (IPE) to identify potential severe accident vulnerabilities at their plant, and to report the results to the Nuclear Regulatory Commission. Through the examination process, a licensee is expected to:
(1) develop an overall appreciation of severe accident behavior,
(2) understand the most likely severe accident sequences that could occur,
(3) gain a more quantitative understanding of the overall probabilities of core damage and fission product releases, and
(4) if necessary, reduce the overall probability of core damage and radioactive material releases by modifying, where appropriate, hardware and procedures that would help prevent or mitigate severe accidents.
As stated in Appendix D of the IPE submittal guidance document NUREG-1335, all IPEs are to be reviewed by the staff to determine the extent to which each licensee's IPE process met the intent of GL 88-20. The IPE review itself is a two-step process; the first step, or the "Step 1" review, focuses on completeness and the quality of the submittal.
Only selected IPE submittals, determined on a case-by-case basis, will be investigated in more detail under a second step or "Step 2" review. The decision to go to a "Step 2" review is primarily based on the ability of the licensee's methodology to identify vulnerabilities, and the consistency of the licensee's IPE findings and conclusions with previous probabilistic risk assessment (PRA) experience. A unique design may also warrant a "Step 2" review to better understand the implication of certain IPE findings and conclusions. As part of this process, the H. B. Robinson Steam Electric Plant, Unit No. 2, (HBR2) IPE only required a "Step 1" review.
On August 31, 1992, the Carolina Power & Light Company (CP&L) submitted the HBR2 IPE in response to GL 88-20 and its associated supplements. HBR2 is a single unit Westinghouse 3-loop pressurized water reactor with a large dry reinforced concrete, steel lined containment. The IPE submittal described the application of a Level 2 PRA to identify vulnerabilities, consistent with GL 88-20. The IPE submittal contains the results of an evaluation of internal events, including internal flooding. The licensee plans to provide a separate submittal on findings stemming from the Individual Plant Examination External Events (IPEEE) analysis. The staff will review the IPEEE analysis separately, within the framework prescribed in GL 88-20, Supplement 4. Information reviewed by the staff during the IPE evaluation included the IPE submittal and the licensee's response to staff questions regarding the submittal. In addition, the staff contracted Science & Engineering Associates, Inc. (SEA), to review the Level 1 analysis; Scientech, Inc., and Energy Research, Inc. (ERI), to review the Level 2 analysis; and Concord Associates (Concord) to review the human reliability analysis. SEA's review is documented in SEA 91-553-010-A:2, "H. B. Robinson IPE: Front-End Audit." Scientech/ERI's review is documented in ERI/NRC 93-101, "Technical Evaluation Report of the H.B. Robinson Individual Plant Examination Report (IPE) Back-End Submittal." Concord's review is documented in CA/TR-93-019-10, Revision 1, "H. B. Robinson Unit 2 Individual Plant Examination Technical Evaluation Report (Human Reliability Analysis)."
On July 7, 1993, the staff sent a request for additional information to the licensee. The licensee responded to the staff's request in a letter dated September 7, 1993.
On December 13 and 14, 1993, the staff held conference calls with the licensee regarding their response and analysis of containment isolation failure probability. A follow-up submittal, dated December 29, 1993, indicated that licensee analysts had erroneously assigned a screening value to a latent human error associated with containment isolation. The corrected value has since been incorporated into the licensee's containment event tree, and new containment failure probabilities generated. The correction essentially reduced the containment isolation failure probability by two orders of magnitude (see Section II.3).
On July 2, 1993, the licensee also submitted a letter identifying the status of IPE action items for plant improvements.
II. STAFF'S REVIEW
- 1. Licensee's IPE Process
The HBR2 IPE submittal describes the method by which the licensee confirmed that the IPE represents the as-built, as-operated plant. A key element is the degree of involvement in the IPE by the HBR2 staff, who brought knowledge of, and familiarity with, the plant to the analysis. In addition to detailed document reviews by members of the PRA team, walkthroughs were performed for familiarization with plant/system operations, equipment layout for origin and susceptibility to floods, and containment walkthroughs for information to be used for the back-end analysis. Computerized video walkthroughs of areas that were inaccessible during the walkdown process were also used and were found to be particularly useful in the containment assessment.
The IPE submittal contains a summary description of the licensee's IPE process, the licensee's participation in the process, the independent review and the subsequent in-house peer review of the final product. The staff reviewed the licensee's description of the IPE program organization, composition of the peer review teams, and peer findings and conclusions. The staff notes the participation of the HBR2 personnel in virtually all aspects of the IPE, e.g., model development, reviews, data collection, and requantification of the models with plant-specific data. In addition to the IPE team, other HBR2 departments were involved to ensure that the models accurately portrayed the plant. Science Applications International Corporation (SAIC) supported the front-end (fault tree) analysis, and consultants from Saros, Gabor, Kenton & Assoc., and Nuclear Utilities Service (NUS) assisted in the back-end analysis and human reliability analysis.
Separate review steps were performed for PRA task products by PRA/IPE personnel not responsible for their initial development. Other personnel from the technical support staff (systems engineers) and the operations and training staff reviewed various aspects of the analysis. In addition, a team of five consultants from outside the company reviewed the initial PRA, the results of which were used to revise and update the PRA for the IPE. CP&L indicated that they are planning to make this a living PRA and use this study to address any new safety issues and assess plant changes.
The licensee did not define vulnerability in the submittal, but in response to staff questions indicated that qualitative and quantitative criteria in successive levels of screening were used to assess possible enhancements to the plant. The quantitative criteria used were the NUMARC 91-04 (Severe Accident Issue Closure Guidelines) guidelines for addressing IPE results, applied first to accident sequences and second to accident classes. A paraphrase of the first two criteria, as applied to core damage frequency (CDF), is as follows:
- 1. If the mean CDF per sequence group is greater than 1E-4 or greater than 50 percent of the total CDF, then find a cost effective administrative, procedural or hardware modification to reduce the likelihood of the source of the sequence initiator. If unable to do this, then address it in emergency operating procedures (EOPs) or other procedures with emphasis on prevention of core damage. If unable to do either of the above, then ensure that severe accident management guidance is in place.
of the total CDF then find a cost effective treatment in the EOPs or other plant procedure or minor hardware change with emphasis on the prevention of core damage. If unable to do this, ensure that severe accident management guidance is in place.
From the results of the analysis, the licensee identified several improvements, described in the IPE submittal, that are under consideration by the licensee. These are identified in Section II.5 of this report.
- 2. Front-End Analysis and Decay Heat Removal Evaluation
The staff examined the front-end analysis as described in the IPE submittal for completeness and consistency with accepted probabilistic safety assessment (PSA) practices. In response to GL 88-20, CP&L has performed an Internal Events Level 2 PRA for their IPE. The front-end IPE analysis used the "small functional event tree, large linked fault tree" modeling technique. Detailed fault trees were developed for the front-line and support systems. The SAIC-modified EPRI CAFTA Code package was used to perform all integration and quantification for the HBR2 IPE.
Entry into the Level 2 analysis was accomplished by linking core damage bins from the front-end event trees through a containment safeguards event tree.
This tree models the status of the containment systems, and provides the sequence attributes which define plant damage states. The information carried from the Level 1 to the Level 2 analysis accounts for pre-existing conditions that would impact the back-end analysis, consistent with other PSAs.
The Initiating Event (IE) data were derived from a combination of generic and plant-specific information sources. Frequencies for plant-specific system initiating events were estimated using fault tree analysis. In response to staff questions, CP&L indicated that the frequency for loss of offsite power (LOOP) was obtained by a Bayesian update of generic data with plant-specific data (not generic data as indicated in the IPE submittal). The licensee's process identified 36 IE categories for HBR2 which are captured in 3 broad groups: loss of coolant inventory, transients, and internal floods. Eleven of these events are internal flooding events; the remainder are internal events. An assessment of front-line and key support systems was performed to identify plant-specific initiators. Anticipated transient without scram (ATWS) events were not defined as separate initiating events, but were addressed by utilization of an event tree developed to analyze the sequence of events following a failure of reactor trip. Based on its review, the staff concludes that the list of generic and plant-specific IEs is complete with respect to other PRAs, and dependencies between the IEs and the mitigating systems were handled appropriately.
Functional event trees were developed for each unique initiating event group.
They were configured to model system responses required to support the functions necessary for mitigation of the specific IEs through the use of event tree top logic. The IPE submittal contained all event trees developed to address plant response to transients, station blackout, loss-of-coolant accidents (LOCAs), steam generator tube rupture and ATWS events. Detailed fault trees were developed for the front-line and support systems. Success criteria were presented for each initiating event category. The licensee has stated that all success criteria are based on documented analyses. The basis for the success criteria required to mitigate specific experience was considered for the maintenance and test unavailability of the major pumps and valves in the fault tree models.
The IPE has considered impacts of common cause failures (CCFs) due to system and component dependencies. The methodology used for quantification of CCF failure factors for the HBR2 IPE submittal was the Multiple Greek Letter Method. In response to staff questions, CP&L indicated that the Fussell-Vesely importance measure for common cause failure as a whole is 11 percent (but does not include the contribution from initiating events caused by CCF). The staff notes that the licensee's analytic treatment of CCF is consistent with NUREG/CR-4780.
The licensee's IPE flood analysis employed a systematic methodology to determine potential flood sources, locations, propagation paths, impacts of spray, impacts on plant operation, and the ability of the operations staff to safely shut down the plant. In a response to staff questions, CP&L identified the basis for the development of frequencies for various flood initiators such as pipe, valve, and pump ruptures, the source of data used, and the treatment of blocked drains. Floods in all other buildings except the auxiliary building were screened out. The IPE submittal indicated that flooding accounted for 21 percent of the total core damage frequency. In response to subsequent requests for information, CP&L identified a 15,000 gallon per minute (gpm) service water flood at the 226 foot elevation in the auxiliary building as the greatest single contributor (11 percent). A breakdown of the contribution from the types of flood initiators indicated that maintenance-induced flooding accounted for 60 percent of the floods, but that no single maintenance scenario accounted for more than 10 percent of the floods. CP&L indicated that information and insights derived from this analysis led to the development of a procedure for coping with plant flooding, including steps to isolate the flood and limit its propagation.
Based on the review of the description of the internal flood analysis provided in the submittal and the response to staff questions, the staff finds the IPE flood assessment to be consistent with GL 88-20.
The submittal identified the dominant accident sequences in accordance with the reporting guidelines in NUREG-1335. The submittal lists the functional sequences and describes the highest 23 sequences retained after the screening process. The IPE estimates the mean CDF as 3.2E-4/yr. The results of the analysis were expressed in terms of various classes of accident sequence groupings and individual sequences. Contributions from important initiating events are as follows:
LOCAs contribute 23 percent, LOOP 18 percent, loss of either division of emergency AC power bus E1 or E2 10 percent, loss of service water 9 percent, and loss of component cooling water 5 percent. A large fraction of the CDF is associated with sequences which are contained in functional groupings such as reactor coolant pump (RCP) seal LOCAs 21 percent, internal flooding 21 percent, and station blackout 10 percent. The submittal also provides a discussion of the top 23 highest frequency sequences, the first 10 of which account for about 85 percent of the total CDF. No other individual sequences contribute greater than 3 percent to the overall CDF.
In the IPE submittal, and in the response to staff questions, CP&L indicated that their seal LOCA model was based on information from NUREG-1150 and NUREG/CR-4550. In addition, the HBR2 IPE makes a modeling assumption which precludes seal leakage for the first hour and one half following loss of seal cooling. This assumption is consistent with the treatment of seal failures in NUREG-1150. Recently this assumption was identified as an error in the NUREG-1150 treatment of seal failure. The detailed analysis of such failures should include leakage beginning as early as 10 minutes after loss of cooling.
These early leakage mechanisms were inadvertently left out of the overall PRA model.
The impact of this error on seal LOCA sequence frequencies is now being assessed. Preliminary estimates indicate the impact is approximately a factor of two or less. Because the RCP seal LOCA issue is being addressed as Generic Safety Issue 23 (GSI-23), the staff review team did not pursue this issue further.
In accordance with the resolution of USI A-45, the licensee has performed an evaluation of the HBR2 decay heat removal (DHR) system as an intrinsic part of the HBR2 IPE examination. In response to staff questions regarding DHR, CP&L provided additional information on the results of the IPE and indications of the importance of the systems that perform the DHR function. This is measured by the percentage of CDF attributable to sequences that contain cutsets representing the systems in the quantification.
The following systems performing DHR functions were considered in the DHR evaluation:
- Main feedwater
- Auxiliary feedwater (AFW)
- Feed and bleed using the high head safety injection (SI) pumps and power-operated relief valves (PORVs)
- Residual heat removal system

The contribution to CDF from the loss of the DHR function during a medium or large LOCA is 6.8E-5 (21 percent). Dominant accident sequences involve failure of the operator to establish recirculation. The contribution to CDF from loss of the DHR function for transients and small LOCAs is 9.7E-5 (30 percent). The dominant sequences involve an unrecovered loss of offsite power and operator failures to provide alternate water supply to the AFW pumps, and feed and bleed. CP&L identified the Fussell-Vesely importance for the frontline and support systems associated with the DHR function as follows:
- Auxiliary feedwater: 29 percent
- AC power (including diesel generators): 22 percent
- Service water: 14 percent
- Component cooling water: 13 percent
- High head SI: 5 percent
- PORVs and safety valves: 5 percent
- Low head SI: 3 percent

Proposed improvements concerning these contributors are addressed in Section II.5 of this report.
Based on the staff's review of the IPE front-end analysis and the finding that the employed analytical techniques are consistent with other NRC-reviewed and accepted PSAs and capable of identifying potential core damage vulnerabilities, the staff finds that the HBR2 IPE front-end analysis meets the intent of GL 88-20.
- 3. Back-End Analysis and Containment Performance Improvements (CPI)
The staff examined the HBR2 back-end (level 2) containment analysis for completeness and consistency with acceptable PSA practices. The level 2 IPE accident progression and containment analysis utilized a methodology similar to that exercised in the NUREG-1150 PRA, but employed Revision 17.02 of the MAAP-3.0B computer code to model the containment thermal response. The staff review examined the IPE's level 2 methodology, documentation of analytical codes exercised, input data, results, findings and conclusions. In general, the staff found the licensee's IPE approach consistent with GL 88-20, Appendix 1 (Guidance on the Examination of Containment System Performance).
Sequences generated from the front-end (level 1) analysis were grouped into 21 core damage bins. A containment safeguards event tree (CSET), which designated the status of containment systems (e.g., availability of containment fan coolers or sprays), interfaced the level 1 and level 2 analysis. The CSETs explicitly considered containment isolation. (Manual recovery of isolation failure, however, was addressed later in the Containment Event Tree (CET).) The combination of the core damage bins and the CSET end states resulted in 378 potential plant damage states (PDSs). After eliminating those states not physically logical and those not meeting a truncation value of 1E-7/year, the total number of PDSs was reduced to 31.
The licensee developed a small CET with supporting small fault trees to address all of the potential containment failure modes as outlined in NUREG-1335. The licensee reviewed past PSA studies (including NUREG-1150) for their applicability to the HBR CETs. The CETs so developed contained 12 questions (or top event nodes).
The CET end states were subsequently binned into thirteen release categories, whose spectrum accounted for similarities in accident progression and source term characteristics. The release category source terms for HBR2 were determined by identifying representative sequences and then running MAAP.
The licensee relied on an outside contractor to analyze (using standard criteria and plant-specific material properties) the capability of the HBR2 containment to withstand pressurization loads for different failure modes. The analysis also included an assessment of the containment penetration seals. The results of the analysis identified wall-basemat shear failure as the most limiting containment failure mode. Penetration leakage was not a major concern, being bounded by other failure modes. The IPE found the median containment failure pressure to be 130 psig, with failure modes relatively insensitive to containment temperature.
The IPE submittal estimated the following conditional containment failure probabilities:
- No Containment Failure: 82 percent
- Late Containment Failure: 15 percent
- Containment Bypasses: 2 percent
- Early Containment Failure: 1 percent
- Containment Isolation Failure: <1 percent
- Containment Failure After In-Vessel Recovery: <1 percent

The HBR2 IPE submittal originally reported a 12 percent conditional containment isolation failure probability. In a letter response to staff questions, the licensee indicated that a screening value had been erroneously assigned to a latent human error associated with containment isolation failure. The corrected value has since been incorporated into the licensee's containment event tree, and is reflected in the above estimated conditional failure probabilities.
Among the conditional containment failure probabilities, late containment failure is the largest contributor, followed by containment bypass. Early containment failures were dominated by hydrogen burns in low containment steam concentrations with containment heat removal available. Late containment failures stemmed from a large service water flood initiating event leading to failure to recover containment heat removal.
The estimated 0.2 cumulative containment failure probability and the small contribution of early containment failure indicate that the HBR2 containment compares favorably with other large dry containments. The licensee did not find any containment or containment system vulnerability that could potentially lead to unusually poor containment performance.
The analysis identified several unique plant safety features (both positive and negative) at HBR2. They were accounted for in the back-end portion of the IPE and are summarized below.
- The containment includes a cavity and instrument area design that limits the threat of direct containment heating by having the ability to retain the bulk of core material in the cavity or the RCP B bay area.
- The RCP B bay has drain holes in the crane wall that could allow core debris to contact the containment liner. The CET includes an event to model the possibility of containment melt-through due to direct contact with the core debris; however, this failure mode was determined to have low probability.
- Unlike other large dry containments, the cavity is not surrounded by a concrete curb on the containment floor. The cavity, therefore, will nearly always be flooded during a severe accident, even if the refueling water storage tank has not been injected.
Generic Letter 88-20, Supplement 3, contains CPI recommendations which focus on the vulnerability of containments to severe accident challenges. For large dry containments like the HBR2 design, the reference contains a recommendation that IPEs consider hydrogen production and control during severe accidents, particularly the potential for local hydrogen detonation.
Containment failure due to containment overpressurization from global hydrogen combustion has been addressed explicitly by the licensee in the HBR2 IPE.
Based on the MAAP analyses performed for HBR2, sequences without containment cooling will reach a containment pressure of about 2.5 atmospheres early in the sequence. The steam concentration approaches the inerting limit of 55 percent. For cases where containment heat removal is available, the licensee estimated that a complete burn based on 75 percent metal-water reaction will result in a final pressure of 100 pounds per square inch (psi), which remains below the containment mean capacity of 135 psi.
As a result of the evaluation and analysis of the HBR2 containment design, the licensee has concluded that there is no significant hydrogen "pocketing" inside the containment building. The licensee considered the potential hydrogen release points using a qualitative screening process. The process considered the potential for hydrogen release and increase in concentration in closed compartments. The licensee determined that the expected hydrogen release points all had good communication with different compartments and were well mixed. Local detonations of hydrogen were considered, but not deemed plausible. In addition, the licensee examined the effect of local detonation on the equipment utilized in the containment assessment. The analysis considered components located near hydrogen discharge points (for example, the pressurizer relief tank) and the effect of detonations. No important equipment which could be affected by a local hydrogen detonation was identified.
The licensee employed an analytic process sufficient to understand and quantify severe accident progression. The process of determination of conditional containment failure probabilities and containment failure modes was consistent with the intent of GL 88-20, Appendix 1. Dominant contributors to containment failure were found to be consistent with insights from other PSAs of plants of similar design. The IPE characterized containment performance for its CET end-states by assessing containment loading.
The licensee's IPE addresses the most important severe accident phenomena normally associated with large dry containments, that is, direct containment heating, induced steam generator tube rupture and hydrogen combustion. The licensee's response to CPI Program recommendations, which included searching for vulnerabilities associated with containment performance during severe accidents, is reasonable and consistent with the intent of GL 88-20 and its associated Supplement 3. The staff's review did not identify any obvious or significant problems or errors in the back-end analysis. The overall assessment of the back-end analysis is that the licensee has made reasonable use of PSA techniques in performing the back-end analysis, and that the techniques employed are capable of identifying severe accident vulnerabilities. Based on these findings, the staff concludes that the licensee's back-end IPE process is consistent with the intent of GL 88-20.
- 4. Human Reliability Analysis
The HBR2 IPE submittal documents the human reliability assessment (HRA) methodology used for the front-end and back-end analysis. The staff examined the IPE HRA for completeness and consistency with acceptable PSA practices.
In performing the human reliability analysis, the licensee divided the human errors into three categories: pre-initiator events (errors that disable a system prior to a demand for its operation, such as may be made during test and maintenance); initiating event related interactions (those actions that cause an initiating event); and post-initiator events (actions performed in responding to an accident). The latter were further sub-divided into two categories, those dictated by procedures and those representing recovery.
However, the submittal indicated that all credited recovery actions in the IPE are proceduralized. The initiating event related human interactions (HI) were considered to be implicit in plant operating experience.
The licensee indicated that plant specific information was obtained through review of plant procedures, interviews with operations and training staff and walkthroughs of operator responses at the simulator and in the plant. It is indicated that the results of these interactions are captured in the analysis file for the human reliability analysis.
Pre-initiator HIs were identified and defined from operating procedures and functional tests. These HIs included misalignment and miscalibration type errors. The submittal indicated that the THERP (NUREG/CR-1278) approach was generally used to quantify the pre-initiator events; however, since the ASEP (NUREG/CR-4772) procedure "gives more conservative results...it was used as a screening analysis."
The licensee indicated that THERP was used to obtain a more detailed analysis and to remove conservatisms.
The model used for evaluation of post-initiator human error probabilities (HEPs) splits the response into two phases, a detection, diagnosis and decision phase (DDD), and an execution phase. The licensee indicated that the cause-driven failure trees described in the EPRI methodology (EPRI TR-100259, "An Approach to the Analysis of Operator Actions in Probabilistic Risk Assessment") were used for the DDD phase, whereas THERP was used to determine the HEPs for the execution phase.
It was indicated that all of the human error events modeled in the fault trees were originally assigned a value of 1.0 to ensure that they would be evaluated in context with combinations of other human errors in the final cutsets.
Dependencies among the multiple HIs were assessed and the categories of dependence described in THERP were utilized. Guidelines were developed and used to assure consistency in the assignment of dependencies between successive human interactions. In response to staff questions, the licensee identified the types of performance shaping factors (PSF) that were used in the analysis to modify the basic HEPs. Some PSFs used in the EPRI approach were: nature/clarity of cues, training, and quality of procedures. Among the PSFs identified as being addressed explicitly in applying the THERP methodology were: stress, time, training, and crew structure.
The licensee provided a list and a discussion of five sequences that would have exceeded the reporting criteria if the HEPs were increased to 0.1. Four out of the five were steam generator tube rupture sequences. In response to staff questions, CP&L provided a list of the contributions to CDF of the top 10 pre- and post-initiating event human interactions and a discussion of the operator actions assessed in the containment event tree. CP&L indicated that the operator actions used in the containment event tree do not greatly impact the probability of containment failure. Using "risk achievement" as a figure of merit in a sensitivity analysis, CP&L indicated that the individual events do not alter the conditional containment failure probability by more than 1 percent.
In summary, based on a review of the licensee's IPE submittal and responses to staff questions, the staff finds the licensee's assessment of human reliability, conducted as part of the IPE of HBR2, capable of discovering severe accident vulnerabilities from human errors consistent with the intent of GL 88-20. The HRA methodology described in the licensee's IPE submittal supports the quantitative understanding of the overall probability of core damage during plant operations, as well as an understanding of the contribution of human actions to that probability. Human-related plant improvements that have been implemented or are under review are expected to enhance human reliability and plant safety.
In addition, the licensee's intent to maintain a living PRA program indicates that a mechanism will exist for the licensee to continue to identify and evaluate the risk significance of potentially important human actions during plant operation and maintenance.
5. Licensee's Actions and Commitments

The HBR2 IPE did not identify any severe accident vulnerabilities associated with either core damage or containment failure. However, the licensee developed procedures and provided training and equipment to use the fire water system as a backup cooling system for the charging pumps. This modification reduced the charging pumps' dependency on component cooling water, effectively reducing the likelihood of RCP seal LOCA from sequences involving loss of component cooling water or service water. In addition, as part of the IPE process, the licensee identified several proposed improvements. In separate transmittals (July 2, 1993 and August 12, 1994), CP&L addressed the status of these improvements as follows:
- 1. A new abnormal operating procedure (AOP-32) for coping with flooding events has been written and procedures AOP-08, AOP-14, and AOP-22 have been revised. These procedures assist the operator in identifying sources of flooding, potential isolation measures and include steps that limit the accumulation of water, and the potential for equipment damage.
- 2. The steam driven auxiliary feedwater pump is currently cooled by service water, and procedures call for manually changing to the self-cooling mode on loss of service water. The licensee identified a need for additional investigation into the effects of permanent realignment to the self-cooling mode. Once the investigation is complete (by the end of 1994) the design verification documents must be developed and existing plant procedures changed if the AFW pumps will be run in the self-cooling mode.
- 3. A project to increase the battery capacity for the plant safety related batteries from 1 hour to 4 hours will allow more time for offsite power recovery. The proposed battery modification is currently being reevaluated due to forecasted project cost escalation. An alternate design is being evaluated and validated (expected by the end of 1994).
- 4. The preventative maintenance program for the dedicated shutdown diesel has been revised to improve its reliability. It is similar to the preventative maintenance procedures used for the emergency diesels.
- 5. The SI and containment vessel spray system valve test procedure has been revised to incorporate the issue of valve mispositioning. This change revises the order of valve testing and will reduce the likelihood that these valves will be left in the wrong position at the end of the procedure.
- 6. Heating, ventilation and air conditioning (HVAC) requirements for the E1/E2 bus room were tested. The test findings have resulted in an action item to replace PC boards in Inverters A and B during Refueling Outage 15. In response to staff questions, CP&L indicated that loss of HVAC to these rooms will not impact plant operation or safe shutdown of the plant. No further action is planned.
- 7. The licensee identified induced steam generator tube rupture (SGTR) following a loss of decay heat removal as the most important back end insight. Existing procedures require the operators to start RCPs, which would allow the high-temperature gases to contact the SG tubes and increase their temperatures. Since changes to the existing procedures involve a change in emergency response guidelines for mitigation of a severe accident, this item has been included in the implementation of the Severe Accident Management Guidelines by the Westinghouse Owner's Group. Upon implementation of these guidelines at HBR, this item will be resolved.
- 8. A walkthrough of the long-term Emergency Core Cooling System recirculation procedure was completed to determine if the human reliability analysis appropriately credits all features of the process and to identify possible enhancements. It identified some improvements to labeling of equipment and changes to procedure attachments to distribute the work load evenly. Enhancements have been made to End Path Procedure (EPP)-9, "Transfer to Cold Leg Recirculation". No further action is planned.
- 9. During the PRA, it was determined that procedural guidance and equipment for use of the fire protection system for cooling of the charging pumps was a change worthy of immediate implementation. Because of the importance of the charging system cooling dependency, an assessment of cost-effective means of eliminating the dependency is being undertaken. The evaluation to determine the most cost-effective method of providing self-cooling was completed. However, the licensee states in their letter of August 12, 1994, that updated results from the PRA model have demonstrated that a modification for self-cooling is not cost beneficial relative to the reduction of core damage frequency that would have been obtained, and, thus, the licensee has cancelled this project.
In addition, the licensee plans to use back-end insights, such as pressurization rates, hydrogen source terms, and interaction between core cooling and containment systems, to support the development of accident management procedures, operator training, and as reference material to support training and other activities.
Although the review team did not examine the merits of these items in detail, the staff notes that the licensee is applying PRA/IPE findings to enhance plant safety. The staff finds the licensee's actions reasonable. In addition, the staff notes that the licensee intends to maintain a "living" PRA.
III. CONCLUSION

The staff finds the licensee's IPE submittal for internal events including internal flooding is consistent with the information requested in NUREG-1335.
Based on the review of the submittal, the licensee's response to questions, and associated information, the staff finds the licensee's IPE conclusion that no fundamental weakness or severe accident vulnerabilities exist at HBR2 to be reasonable. The staff notes that:
- 1. HBR2 personnel were involved in the development and application of PSA techniques to the HBR2 facility, and the associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built, as-operated plant.
- 2. The licensee performed an in-house peer review to ensure that the IPE analytic techniques had been correctly applied and that documentation is accurate.
- 3. The front-end IPE analysis is complete with respect to the level of detail requested in NUREG-1335. In addition, the analytical techniques were found to be consistent with other NRC reviewed and accepted PSAs.
- 4. The back-end analysis addressed the most important severe accident phenomena normally associated with large dry containments. The techniques employed in the back-end analysis are capable of identifying severe accident vulnerabilities. No obvious or significant problems or errors were identified.
- 5. The HRA allowed the licensee to develop a quantitative understanding of the contribution of human errors to CDF and containment failure probabilities.
- 6. The analytical techniques employed in the front-end analysis, the back-end analysis, and the HRA are capable of identifying potential plant specific vulnerabilities.
- 7. The licensee's IPE process searched for DHR vulnerabilities consistent with the USI A-45 (Decay Heat Removal Reliability) resolution.
- 8. The licensee responded to CPI Program recommendations, which include searching for vulnerabilities associated with containment performance during severe accidents.
Based on the above findings, the staff concludes that the licensee demonstrated an overall appreciation of severe accidents, has an understanding of the most likely severe accident sequences that could occur at the HBR2 facility, has gained a quantitative understanding of core damage and fission product release, and responded appropriately to safety improvement opportunities identified during the process. The staff, therefore, finds the HBR2 IPE process acceptable in meeting the intent of GL 88-20.
The staff also notes that CP&L has stated that they plan to maintain their PRA as a living document and "to make full use of this study in the future to address any new safety issues and assess plant changes." The staff notes that a "living" PRA should enhance plant safety and provide additional assurance that any potentially unrecognized vulnerabilities would be identified and evaluated during the life of the plant.
Principal Contributors:
E. Rodrick, RES
E. Chow, RES
J. Schiffgens, NRR
B. Mozafari, NRR

Date:
APPENDIX

H. B. ROBINSON STEAM ELECTRIC PLANT, UNIT NO. 2 DATA SUMMARY SHEET*
(INTERNAL EVENTS)

o Total core damage frequency (CDF): 3.21E-4/Year

o Major initiating events:

| Contribution | Percent |
|---|---|
| Loss of offsite power (Blackout 10 percent; Non-blackout 8 percent) | 18 |
| Medium break loss-of-coolant accident (LOCA) | 16 |
| 15,000 gpm service water flood in Aux Bldg el. 226' | 11 |
| Loss of service water (SW) | 9 |
| Loss of Emergency AC bus E1 | 6 |
| Loss of component cooling water | 5 |
| Large break LOCA | 4 |
| Loss of Emergency AC bus E2 | 3 |
| All others | 28 |

o Major contributions by accident classes:

| Contribution | Percent |
|---|---|
| Transients | 30 |
| LOCAs | 23 |
| Transient induced LOCA | 21 |
| Flooding | 21 |

o Major operator action failures contribution to CDF (percent, Fussell-Vesely importance measure, from response to staff questions):
Post-initiator Actions:
o Failure to switch over to cold leg recirculation at 9 percent refueling water storage tank level (16.5 percent).
o Failure to supply high pressure injection pump cooling using fire hose, offsite power available (11 percent).
o Failure to open steam driven auxiliary feedwater (AFW) pump oil cooler valves for self-cooling (8 percent).
o Failure to fill CST using fire water for AFW (7 percent).
o Failure to provide AFW with service water (6 percent).
Pre-initiator Actions:
o Failure to restore steam driven AFW pump valves after test and maintenance (3 percent).
o Miscalibration of steam driven AFW pump flow transmitter (2 percent).
o Conditional containment failure probability given core damage:

| Containment outcome | Conditional probability |
|---|---|
| No Containment Failure | 82 percent |
| Late Containment Failure | 15 percent |
| Containment Bypasses | 2 percent |
| Early Containment Failure | 1 percent |
| Containment Isolation Failure | <1 percent |
| Containment Failure After In-Vessel Recovery | <1 percent |

o Significant Individual Plant Examination (IPE) findings:
o Service water flooding events in the Reactor Auxiliary Bldg. 226' el. hallway and the component cooling water (CCW) pump room, leading to reactor coolant pump (RCP) seal LOCAs and loss of makeup and decay heat removal are important contributors to CDF (about 20 percent), over half of which are due to maintenance errors.
o Because of the dependency of the charging pumps on component cooling water, the CCW system has an estimated importance (Fussell-Vesely) of 13 percent, even though the charging pumps are capable of being cooled by the fire protection system through hose connections that are manually connected.
o Medium break LOCAs contribute approximately 16 percent to CDF. In the IPE it was stated that for this LOCA recirculation is always used with the RHR pumps supplying water to the suction of the high head safety injection pumps (piggy-back). The dominant contributor for these sequences is the operator failure to perform the alignment. In response to staff questions, Carolina Power & Light Company (CP&L) indicated that they have revised the procedure for transfer to cold leg recirculation based on analyses that would allow the operators to use a low head recirculation mode after verifying that the containment pressure is less than 20 psig. This alignment is expected to decrease the CDF contribution from the failure of the operator.
o Because the main and auxiliary feedwater systems depend on the service water system (SWS), the SWS is an important contributor (14 percent) even though the steam driven AFW pump may be manually aligned to be self-cooled during loss of SWS events. A permanent alignment to the self-cooling mode is currently being investigated.
o HBR2 has a third diesel generator (dedicated shutdown diesel generator) that can supply power to one SWS, CCW, and charging pump, and one battery charger, and instrumentation for the steam driven AFW pump. In response to questions, CP&L indicated that the contribution to CDF from this diesel is 9.8 percent, and a sensitivity study (risk achievement worth) indicated that the CDF would increase by approximately 61 percent if credit had not been taken for this diesel.
o Important plant hardware (Fussell-Vesely importance):

| System | Importance |
|---|---|
| Auxiliary feedwater | 29 percent |
| AC power including diesels | 22 percent |
| Service water | 14 percent |
| Component cooling water | 13 percent |
| Fire water system | 12 percent |
| Dedicated shutdown diesel generator | 10 percent |
| High head safety injection | 5 percent |
| Primary system PORVs and safety valves | 5 percent |
| Low head safety injection | 3 percent |
| Diesel generator heating, ventilation and air conditioning (HVAC) | 3 percent |

o Plant improvements implemented or under evaluation:
- 1. Current procedures have been revised and a new procedure (AOP-32) for coping with flooding events has been written.
- 2. An investigation for operation of the steam-driven auxiliary feedwater pump in the self-cooling mode is currently underway.
- 3. Modification of the plant safety-related batteries to upgrade the battery capacity from 1 to 4 hours is currently being reevaluated.
- 4. An extensive preventative maintenance program for the dedicated shutdown diesel to improve its reliability has been in place since October of 1992.
- 5. A new procedure for the safety injection and control valve spray system valve test procedure has been written and has been approved for use at HBR2.
- 6. Tests of the HVAC requirements for the E1/E2 bus room have been performed to verify that loss of HVAC to these rooms will not impact plant operation or safe shutdown of the plant.
- 7. Changes to the existing procedures to preclude induced steam generator tube rupture involve a change in emergency response guidelines for mitigation of a severe accident. This item is being reviewed by the Westinghouse Owner's Group for possible action in the severe accident management guidance development.
- 8. Walkthrough of the long-term emergency core cooling system recirculation procedure was performed and improvements for labeling equipment and better distribution of the work load were identified.
- 9. An evaluation of the charging pumps self-cooling modification to determine the most cost-effective method of providing self-cooling is currently scheduled for completion by the end of 1993.
(* Information has been taken from the H. B. Robinson Unit 2 IPE and the HBR2 response to staff questions and has not been validated by the NRC staff.)