ML16342A164

| Person / Time | |
|---|---|
| Site: | Diablo Canyon |
| Issue date: | 06/30/1993 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| Shared Package | ML16342A163 |
| References | REF-GTECI-A-45, REF-GTECI-DC, TASK-A-45, TASK-OR GL-88-20, NUDOCS 9307190019 |
ENCLOSURE 1
STAFF EVALUATION OF DIABLO CANYON UNITS 1 AND 2 INDIVIDUAL PLANT EXAMINATION (IPE) (INTERNAL EVENTS ONLY)
9307190019 930630 PDR ADOCK 05000275 P PDR
TABLE OF CONTENTS
EXECUTIVE SUMMARY
I. BACKGROUND
II. STAFF'S REVIEW
1. Licensee's IPE Process
2. Front-End Analysis
3. Back-End Analysis
4. Human Factor Considerations
5. Containment Performance Improvements (CPI)
6. Evaluation
7. Licensee Actions and Commitments from the IPE
III. CONCLUSION
APPENDIX DIABLO CANYON UNITS 1 AND 2 DATA SUMMARY SHEET
EXECUTIVE SUMMARY
The NRC staff completed its review of the internal events portion of the Diablo Canyon Units 1 and 2 Individual Plant Examination (IPE) submittal and associated information.
The latter includes licensee responses to staff generated questions seeking clarification of the licensee's process.
No specific unresolved safety issues (USIs) or generic safety issues (GSIs) were proposed for resolution as part of the Diablo Canyon IPE.
The licensee's IPE is based on a Level 1 and 2 Diablo Canyon Unit 1 probabilistic risk assessment (PRA), an enhancement of the 1988 Level 1 Diablo Canyon PRA.
The Pacific Gas and Electric Company (PG&E) personnel maintained involvement in the development and application of PRA techniques to the Diablo Canyon facility.
The staff notes that virtually all of the plant departments provided input to the IPE/PRA development.
The licensee used the NUMARC Severe Accident Issue Closure Guidelines (NUMARC 91-04) for the purpose of screening for vulnerabilities.
Based on these guidelines, the licensee did not identify any vulnerabilities with respect to core damage or containment performance.
Based on the review of the Diablo Canyon IPE submittal and associated documentation, the staff concludes that the licensee met the intent of Generic Letter 88-20.
This conclusion is based on the following findings:
(1) the IPE is complete with respect to the information requested in Generic Letter 88-20 and associated NUREG-1335 submittal guidance document;
(2) the front-end systems analysis, the back-end containment performance analysis, and the human reliability analysis are technically sound and capable of identifying plant-specific vulnerabilities to severe accidents;
(3) the licensee employed viable means (document review and walkdowns) to verify that the IPE reflected the current plant design and operation;
(4) the PRA which formed the basis of the IPE had an extensive peer review;
(5) the licensee participated fully in the IPE process consistent with the intent of Generic Letter 88-20;
(6) the licensee appropriately evaluated Diablo Canyon's decay heat removal (DHR) function for vulnerabilities, consistent with the intent of the USI A-45 resolution; and
(7) the licensee responded appropriately to recommendations stemming from the containment performance improvement (CPI) program.
In addition, the licensee intends to maintain a "living" PRA.
It should be noted, however, that the staff's review is a process review which, in general, is not intended to validate the accuracy of the licensee's IPE findings.
Although certain aspects of the IPE were explored in more detail than others, the review primarily focused on the licensee's ability to examine Diablo Canyon for severe accident vulnerabilities, and not specifically on the detailed findings (or quantification estimates) which stemmed from the examination.
I. BACKGROUND
On November 23, 1988, the NRC issued Generic Letter 88-20 which requires licensees to conduct an Individual Plant Examination in order to identify potential severe accident vulnerabilities at their plant, and report the results to the Commission.
Through the examination process, a licensee is expected to (1) develop an overall appreciation of severe accident behavior, (2) understand the most likely severe accident sequences that could occur at its plant, (3) gain a more quantitative understanding of the overall probabilities of core damage and fission product releases, and (4) if necessary, reduce the overall probability of core damage and radioactive material releases by modifying, where appropriate, hardware and procedures that would help prevent or mitigate severe accidents.
As stated in Appendix D of the IPE submittal guidance document NUREG-1335, all IPEs are to be reviewed by NRC teams to determine the extent to which each licensee's IPE process met the intent of Generic Letter 88-20.
The IPE review itself is a two-step process; the first step, or "Step 1" review, focuses on completeness and the quality of the submittal.
Only selected IPE submittals, determined on a case-by-case basis, will be investigated in more detail under a second step or "Step 2" review.
The decision to go to a "Step 2" review is primarily based on the ability of the licensee's methodology to identify vulnerabilities, and the consistency of the licensee's IPE findings and conclusions with previous PRA experience.
A unique design may also warrant a "Step 2" to better understand the implication of certain IPE findings and conclusions.
As part of this process, the Diablo Canyon IPE only required a "Step 1" review.
On April 14, 1992, Pacific Gas and Electric Company (PG&E) submitted the Diablo Canyon IPE in response to Generic Letter 88-20 and associated supplements.
The IPE submittal is based on a Level 1 Diablo Canyon PRA (DCPRA-1988) which PG&E submitted to the staff in 1988 as part of the long term seismic program.
The DCPRA-1988 was later reviewed by the staff's contractor, Brookhaven National Laboratory (BNL).
BNL documented its findings in NUREG/CR-5726, and the staff published its SER in NUREG-0675 Supplement No. 34.
The IPE consists of a 1991 update and enhancement of the Level 1 PRA, and a Level 2 containment performance assessment (DCPRA-1991) consistent with Generic Letter 88-20 Appendix 1.
The IPE submittal contains the results of an evaluation of internal events, including internal flooding.
The licensee plans to provide a separate submittal on findings stemming from the IPE for external events (IPEEE).
The staff will review the IPEEE separately, within the framework prescribed in Generic Letter 88-20 Supplement 4.
On November 19, 1992, the staff sent a set of questions to the licensee seeking additional information and clarification.
A conference call between the staff and the licensee was held on January 11, 1993 to clarify some of the questions.
The licensee responded to the staff's request in a letter dated January 15, 1993.
In addition, the staff contracted Scientech Inc. to review the back-end analysis.
Scientech's review is documented in SCIE-NRC-210-92, "Technical Evaluation Report of the Diablo Canyon Individual Plant Examination Back-End Submittal."
This report documents findings and conclusions which stemmed from the NRC review.
Specific numerical results and other insights taken from the licensee's IPE submittal are listed in the appendix.
II. STAFF'S REVIEW
1. Licensee's IPE Process
The Diablo Canyon IPE submittal describes the approach taken by the licensee to confirm that the IPE represents the as-built, as-operated plant.
In addition to detailed document reviews by members of the PRA team (consultants and licensee personnel), walk-throughs were performed for familiarization with plant/system operations, equipment layout for origin and susceptibility to floods, and containment walk-throughs for information to be used for the back-end analysis.
Based on review of the information submitted with the IPE, the staff concludes that the licensee's walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built, as-operated plant.
The IPE submittal contains a summary description of the licensee's IPE process, the licensee's personnel participation in the process, and the subsequent in-house peer review of the final product.
The staff reviewed the licensee's description of the IPE program organization, composition of the peer review teams, and peer findings and conclusions.
The licensee has established and maintained a permanent PRA group within the Nuclear Operations Support Department which manages and conducts the PRA program.
The staff notes the considerable participation of the PG&E personnel in virtually all aspects of the IPE through technology transfer, model development, reviews, data collection, and requantification of the models with plant-specific data.
In addition to the IPE team, other PG&E departments were involved to insure that the models accurately portrayed the plant.
As part of the IPE process, PG&E and its contractor, Pickard, Lowe and Garrick, Inc. (PLG) performed internal reviews of the IPE.
In addition, PG&E made use of two independent teams of consultants to review the IPE.
They were the IPE Partnership (IPEP) and the Electric Power Research Institute (EPRI).
Based on the review of the IPE submittal and associated documentation, the staff concludes the licensee's peer review process provided reasonable assurance that the IPE analytic techniques had been correctly applied, and documentation was accurate.
The licensee used the NUMARC Severe Accident Issue Closure Guidelines for purpose of screening for vulnerabilities.
Based on these guidelines, a vulnerability refers to any component, system, operator action, or accident sequence that contributes more than 50% to the CDF or has a frequency that exceeds 1.0E-4/yr.
In addition, any containment bypass sequence with a frequency exceeding 1.0E-5/yr. is considered to be a vulnerability.
Based on these criteria, the licensee did not identify any vulnerabilities with respect to core damage or containment performance.
Based on the review of the Diablo Canyon IPE submittal and associated documentation, the staff finds reasonable the licensee's IPE conclusion that no fundamental weakness or severe accident vulnerabilities now exist at Diablo Canyon.
The staff finds the Diablo Canyon IPE process capable of identifying severe accident risk contributors (or vulnerabilities) and that such capability is consistent with the objective of Generic Letter 88-20.
2. Front-End Analysis
The staff examined the front-end analysis for completeness and consistency with accepted PRA practices.
The methodology chosen for the Diablo Canyon IPE was a full scope Level 2 PRA.
The front-end IPE analysis used the large event tree/small fault tree methodology for CDF quantification. The licensee noted that, because of the enhanced capabilities of the RISKMAN software, it was not necessary to introduce support system states as had been used in the DCPRA-1988; instead, the support system event trees and the front line trees could be directly linked, creating essentially a large event tree.
Fault trees are used to quantify system unavailability values which are used as inputs to the event tree nodes.
The RISKMAN software was used for quantification of the CDF.
Based on the IPE description and licensee's response to the staff's questions, the staff finds the employed methodology straightforward and justified for selection.
The chosen methodology is consistent with methods identified in Generic Letter 88-20.
The licensee's process identified 39 initiating events for Diablo Canyon which were categorized in three broad groups: 1) eight loss of reactor coolant inventory, 2) fourteen transients and 3) seventeen common cause events which include fourteen loss of support system events and three flooding events.
The initiating events were arrived at through a combination of methods: i.e., a master logic diagram, heat balance fault tree and failure modes and effect analysis (FMEA) for plant-specific initiators.
Comparisons were made with various other sources including EPRI NP-2230 and NUREG/CR-2300 to ensure completeness.
In the DCPRA-1991, anticipated transients without trip (ATWT) events are not modeled as a separate category of initiating events; however, they were addressed through the development of an event tree for events that are followed by a failure of reactor trip.
The staff has compared the list of initiators with lists from other PRAs and NUREG-2300, reviewed the licensee's response to questions on initiating events concerning loss of instrument air and loss of power to a single AC bus, and found them to be consistent with conventional techniques.
Systemic event trees were developed for each unique initiating event group.
The IPE submittal contains all frontline and support system event trees, and special event trees including steam generator tube rupture (SGTR), anticipated transient without trip (ATWT), interfacing system loss of coolant accident (ISLOCA), and recovery action event trees.
System success criteria were presented for each initiating event category and based on the FSAR success criteria, Westinghouse analysis, plant-specific analysis and expert judgement.
In general the staff finds the Diablo Canyon event trees and special trees to be consistent with respect to the treatment of initiating events, associated success criteria and dependencies between top events.
The IPE analyzed front-line and support systems consistent with other PRAs.
A system analysis was done for each of the top events in the plant event trees and included the major components required for system success.
A fault tree was developed for each of these top events which were used in conjunction with the RISKMAN software to quantify the top event split fractions.
The logic models included causes of unavailability due to lack of required support, independent and dependent hardware failure, testing and maintenance, and human errors.
These models were updated to reflect changes and comments and recommendations made by the staff and its contractor BNL during the review of the DCPRA-1988.
Based on the review of the IPE submittal and previous staff's reviews, the staff finds that all the front line and support systems important to the prevention and mitigation of accidents were analyzed to uncover potential vulnerabilities.
The IPE submittal explicitly addressed dependencies by providing dependency matrices which identified support to support and support to frontline systems dependencies on a "train" basis.
Dependent failures were explicitly modeled in the event tree logic, which included auxiliary salt water (ASW), vital AC and DC power, and switchgear heating ventilation air conditioning (HVAC).
Diablo Canyon Unit 1 systems are symmetric with respect to Unit 2.
The only system shared between the units is the swing diesel generator which can supply power to either unit's safety bus (in addition to each unit's two dedicated diesel generators).
Failure of this swing diesel contributes to sequences which account for 34% of the CDF.
The licensee is planning to upgrade the emergency power systems (not IPE related in origin) by installing a sixth diesel generator in 1993.
The sixth diesel is not currently modeled in the licensee's IPE.
The addition of this diesel is expected to reduce the contribution of loss of offsite power (LOOP) to the CDF by approximately 14% to 18%.
Since LOOP is a major contributor (41%), this modification will address a significant contributor.
The licensee's analysis identified and took credit for the cross-tie capability of the auxiliary salt water system (ASW) between the two units.
Each ASW system has two pumps, only one of which is required to supply cooling water to two component cooling water (CCW) heat exchangers in its respective unit.
Upon failure of both ASW pumps in either one of the units, operator recovery actions can cross-tie the headers together and provide auxiliary salt water cooling to the failed unit's heat exchanger.
The IPE also found that reactor coolant pump (RCP) seal failure contributes to sequences which account for 42.9% of the CDF (3.9% for station blackout (SBO) and 39% for non-SBO).
In response to a question on the RCP seal LOCA model which was not addressed in the submittal, the licensee indicated that the seal LOCA probability was based on WCAP-10541, Rev. 2, with the additional conservatism outlined in WCAP-11550, and that timing of core uncovery was determined with MAAP analyses based on different RCP seal LOCA sizes.
The MAAP analyses assumed that seal failures occur within ten minutes of loss of seal cooling.
In response to staff's questions, PG&E indicated that as part of the IPE process, improvements to plant procedures "Cg? AP-10 and 11" were made to reduce the likelihood of RCP seal LOCAs.
This change now directs the operators to consider hooking up fire water cooling to any one of the three centrifugal charging pumps if they are unable to recover or cross-tie the ASW system.
This is in addition to situations where all CCW pumps fail to operate.
The Diablo Canyon IPE used both generic and plant-specific data for quantification of the model.
Mean values were employed.
Plant-specific data included component failure rates, and testing and maintenance unavailabilities which were collected from Unit 1 from July 1986 to December 1989.
Initiating event data were collected from Units 1 and 2 from January 1988 to December 1989.
These data were used to update the values used in the DCPRA-1988 with a Bayesian updating technique.
The values used in the DCPRA-1988 were generic values updated by the earlier plant-specific data.
Generic data was obtained from the PLG generic database PLG-0500.
The IPE has considered impacts of common cause failures (CCFs) due to system dependencies by incorporating them explicitly in the event tree logic.
Additionally, CCFs due to such conditions as design errors, construction errors, procedural deficiencies, and unforeseen environmental conditions are accounted for in their contributions to system unavailabilities through plant-specific CCF factors.
The IPE used the alpha factor method to quantify the effect of CCFs.
The licensee states that this methodology is consistent with the procedures set forth in NUREG/CR-4780.
The source of the generic common cause data was the PLG generic data base screened to extract the failures that were applicable to the DCPP systems.
The IPE used the alpha factor distributions that were used in the DCPRA-1988 and since there were no common cause failure events at DCPP since that time, the licensee believes the factors slightly conservative.
The submittal addresses the methodology used to treat internal floods.
The licensee states that the original internal flooding analysis provided in DCPRA-1988 has been updated for this submittal, and discusses the key steps of the analysis.
The "Appendix R" review, DCPRA spatial interactions analysis and other plant information including plant walk-throughs were used in identifying potential flood locations and locations of important systems and equipment.
The submittal describes the steps in flood screening and quantification analysis.
In response to staff's questions, the licensee stated that if the flooding scenario frequency was insignificant (i.e., < 1%) compared to the initiating event frequency of other modeled events that have a similar impact, then the flooding scenario was screened out.
No flood scenarios were dropped due to credit taken for human action.
The licensee also noted that the upper bound contribution to CDF from all the screened out flooding scenarios is less than 0.1% of the total CDF.
The IPE reported a flood-induced CDF of 3.2E-6/yr. (3.6% of the total) stemming from three flooding scenarios: (1) CCW initiated flood, (2) flooding from charging pump suction header break, (3) failure of two motor driven AFW pumps due to flood or spray from a pipe break.
Based on the previous staff reviews, the review of the IPE submittal, and the response to staff's questions, the staff finds the IPE flood assessment to be consistent with Generic Letter 88-20.
The licensee applied the systemic screening criteria from NUREG-1335 to the core damage sequences and reported the top 100 sequences, which account for all sequences whose individual frequency is greater than approximately 1.3E-7/yr.
These 100 sequences represent the contribution of approximately 55% of the CDF.
The IPE has identified a point estimate of CDF as 8.8E-5/yr. with a mean of 9.5E-5/yr. (DCPRA-1988 estimated a mean CDF of 1.3E-4/yr.).
Loss of offsite power contributes 41%, general transients 26%, LOCAs 9.3% (medium LOCA 5.3%, large LOCA 2.7%, and small isolable and non-isolable both less than 1%).
Contribution from loss of ASW or CCW is 6.2%.
For sequences of specific interest, a large fraction of the CDF is associated with non-station blackout (SBO) RCP seal LOCA (39%) caused by failure of the RCP seal cooling.
The licensee has noted that the loss of offsite power combined with failure of one or more diesel generators can lead to degradation of power to and subsequent loss of systems used for cooling the RCP seals.
Another major core damage type contributor is transient induced LOCA occurring through a stuck open pressurizer power operated relief valve (PORV) (25%).
As in the case of the non-SBO RCP seal LOCA, this event is also strongly influenced by loss of offsite power (LOSP) and failure of the diesel generators causing degradation of systems supplying inventory makeup and PORV isolation.
The installation of the sixth diesel generator as noted previously should diminish the contribution from these events.
SBO (a subset of LOOP) contributes 5.7% to CDF.
Based on the staff's review of the front-end analysis and the staff's finding that the employed analytical techniques are consistent with other NRC reviewed and accepted PRAs and capable of identifying potential core damage vulnerabilities, the staff finds the IPE front-end analysis meets the intent of Generic Letter 88-20.
3. Back-End Analysis
The staff examined the Diablo Canyon back-end (Level 2) analysis for completeness and consistency with acceptable PRA practices.
PG&E retained Pickard, Lowe and Garrick, Inc. (PLG) to help the Diablo Canyon PRA team perform the Level 2 portion of the IPE.
Since the Diablo Canyon and Zion plants both utilize four-loop Westinghouse PWRs in dry, steel-lined, reinforced concrete containments with a 140-ft inside diameter and a design pressure of 47 psig, the licensee used the Zion NUREG-1150 phenomena analyses in various cases.
The licensee's back-end analysis utilized methodology similar to that exercised in the Zion NUREG-1150 PRA, and employed Revision 17 of the MAAP-3.0B computer code to model the containment thermal response, and the STADIC computer code to predict the likelihood and size of containment failure.
As part of the review, the staff examined the licensee's methodology, documentation of analytical codes exercised, and input data.
The staff found the approach to be consistent with Generic Letter 88-20, Appendix 1 (Guidance on the Examination of Containment System Performance).
Sequences generated from the front-end (Level 1) analysis were grouped into plant damage states (PDSs) which are characterized by the thermodynamic conditions in the reactor coolant system (RCS) and containment, and availability of the plant systems and features.
The PDSs were rebinned into 16 key plant damage states (KPDS) using a set of general guidelines.
The KPDS were used as the entry states to the containment event trees (CETs).
To develop the CETs for Diablo Canyon, the licensee reviewed each of the 72 top events identified in NUREG/CR-4551 for the Zion accident progression event tree (APET) and selected 30 top events, with split fraction values reflecting plant-specific analyses where applicable.
Otherwise, NUREG-1150 (primarily Zion) values were used.
The CET end states were subsequently binned into 37 release categories.
RISKMAN software was used to link the CETs to the release categories and generated the frequencies of the release categories.
The release category source terms were developed using two computer codes, ZISOR and MAAP.
The IPE submittal estimated the following conditional containment failure probabilities:

| Containment failure mode | Conditional probability |
|---|---|
| Small, Early Containment Failure | 0.09 |
| Large, Early Containment Failure | 0.03 |
| Late Containment Failure | 0.45 |
| Containment Bypass Failure | 0.02 |
| No Containment Failure | 0.41 |

(The small, early containment failures include failures occurring within four hours of vessel breach and having a containment failure equivalent to three inches or less in diameter.)
The licensee addressed and found containment isolation failure was a major contributor to small, early containment failures.
Dependencies between the front-end safety systems, containment systems, and support systems, which included containment isolation and other active containment systems (containment sprays and containment fan cooler units (CFCUs)) were modeled explicitly in the front-end event trees.
However, no credit was taken for operator action to locally or remotely close the containment isolation valves if valves do not automatically close.
The licensee also reviewed the back-end results related to containment bypass sequences to identify potential containment vulnerabilities.
The containment bypass sequences include both interfacing system LOCAs and steam generator tube ruptures (SGTRs).
Using the guidelines in NUMARC Report 91-04, the licensee considered any containment bypass sequence with a frequency exceeding 1.0E-5/yr. as a vulnerability.
Although no vulnerabilities were identified using this criterion, the CDF related to the SGTR events did fall in the range from 1.0E-6/yr. to 1.0E-7/yr.
The licensee stated that consideration will be given to incorporating insights from the SGTR results in the establishment of the Diablo Canyon severe accident management guidelines.
The major contributions to late containment releases were found to be long-term overpressurization, basemat melt-through, and hydrogen burns.
The licensee noted that for many long-term pressurization sequences, containment failure occurs in excess of 48 hours after event initiation.
Most of the containment failures for these long-term pressurization sequences are due to a loss of containment heat removal capability.
The licensee noted that the recovery of either CFCUs or containment sprays is highly likely (90%) in the time prior to containment failure and took credit for this recovery action in the analysis (32% of the late containment overpressurization sequences were arrested).
The licensee performed a sensitivity analysis and determined that a relatively simple modification to flood the reactor cavity using the RWST water would prevent the reactor pressure vessel bottom failure and reduce early containment failures by 50% and late containment failures by 19%.
The modification calls for removal of a section of the bottom of the reactor coolant drain tank (RCDT) door and replacing it with a hinged section.
However, the licensee identified the downside risks associated with this modification (but did not quantify the impact due to these risks): increased likelihood of ex-vessel steam explosions and faster steam pressurization of containment, which reduces the time for potential recovery actions.
The licensee is tracking the progress of industry studies concerning this issue and will consider performing a more rigorous design evaluation after more conclusive findings are available.
In general, the licensee employed a Level 2 analysis consistent with Generic Letter 88-20 Appendix 1 and current understanding of severe accident phenomena.
The IPE characterized containment performance for each of the CET end-states by assessing containment loading.
The licensee's IPE addresses the most important severe accident phenomena normally associated with large dry containments; direct containment heating (DCH), induced steam generator tube rupture (ISGTR) and hydrogen combustion.
The IPE considered various failure modes related to containment penetrations, and identified various contributors to containment isolation failures.
The staff's review did not identify any obvious or significant problems or errors in the back-end analysis.
The overall assessment found that the licensee made reasonable use of PRA techniques in performing the back-end analysis, and that the techniques employed are capable of identifying severe accident vulnerabilities.
Based on these findings, the staff concludes that the licensee's back-end IPE process is consistent with the intent of Generic Letter 88-20.
4. Human Factor Considerations
The IPE submittal is essentially complete with respect to the type of information and level of detail requested in NUREG-1335 for human factors.
The licensee has stated that the scenario-specific human actions were updated from the DCPRA-1988 to reflect the as-built/as-operated plant, and that the update process employed the success likelihood index method (SLIM) as it was used in the DCPRA-1988.
The DCPP IPE submittal provided documentation of the human reliability analysis (HRA) that was conducted as part of the IPE.
Two basic types of human actions were evaluated: pre-initiating event (including testing and maintenance), and scenario-specific (human actions driven by the necessity to respond to plant transients) including recovery actions.
The data source for human errors associated with incorrect system alignments as part of pre-initiating events was identified as PLG-0500 which used NUREG/CR-1278 as its primary source.
The methodology used for the scenario-specific HRA was the success likelihood index method (SLIM).
This was used to qualitatively and quantitatively evaluate and estimate human reliability.
The licensee indicated that the SLIM method used is similar to that of NUREG/CR-2986 and NUREG/CR-3518.
The IPE submittal described the steps used in the development and implementation stages of the model.
This description included the development stage which considered among others the classification of actions into knowledge, skill, and rule-based and further subdivided these into 3 phases (identification, diagnoses and response); performance shaping factors; performance shaping factor survey and rating forms; and quantification steps.
The results of the analysis of the importance of human actions to core damage is provided in the submittal; a portion of which is repeated in the Appendix to this report.
The licensee also included, as per the request in NUREG-1335, an analysis of the impact of increasing the human failure rate to 0.1, by presenting the top 50 sequences which, except for a low operator action failure rate, would have been above the CDF screening limits.
The submittal includes a discussion of the new sequences whose frequency was above 1.0E-7 and the human actions associated with those sequences.
Based on the staff's previous review of the DCPRA-1988, review of the IPE submittal and responses to staff's questions, the staff finds the licensee's assessment of human reliability, conducted as part of the IPE, capable of discovering vulnerabilities to severe accidents from human errors consistent with the intent of Generic Letter 88-20.
The HRA methodology described in the licensee's IPE submittal supports the quantitative understanding of the overall probability of core damage during plant operations as well as an understanding of the contribution of human actions to that probability.
The licensee's stated intention to maintain a "living" PRA will ensure that a mechanism exists for the licensee to continue to identify and evaluate the risk significance of potentially important human actions during plant operation and maintenance.
5. Containment Performance Improvements (CPI)
Generic Letter 88-20, Supplement 3 contains CPI recommendations which focus on the vulnerability of containments to severe accident challenges.
For large dry containments, such as the Diablo Canyon design, the reference contains a recommendation that IPEs consider hydrogen production and control during severe accidents, particularly the potential for local hydrogen detonation.
As a result of the evaluation and analysis of the Diablo Canyon containment design and comparisons to the Zion containment design and the information obtained from containment walk-throughs, the licensee concluded that containment or containment heat removal equipment failure due to local hydrogen detonation is unlikely.
The licensee bases this conclusion upon the following observations:
(1) Generally, hydrogen concentration is minimized by the large open containment structure, with minimal enclosed spaces and liberal use of open floor gratings.
(2) The upper compartment of the Diablo Canyon containment is open, which should promote good mixing of the upper compartment atmosphere even if the containment sprays and containment fan coolers (CFCUs) are not operating, and preclude localized hydrogen combustion.
As a result, the containment components important for containment heat removal (CFCUs and containment spray headers) are not unusually susceptible to localized hydrogen combustion.
(3) The compartments most likely to have high local hydrogen concentration are the cavity and the lower compartment, which lack equipment required to mitigate a severe accident.
(4) Since the containment pressure retaining walls are not adjacent to the cavity or the lower compartment where hydrogen concentration is most likely, the containment wall is not unusually susceptible to the effects of local hydrogen detonation.
The staff, therefore, concludes that the licensee's response to CPI Program recommendations, which included searching for vulnerabilities associated with containment performance during severe accidents, is reasonable and consistent with the intent of Generic Letter 88-20 and associated Supplement 3.
6. DHR Evaluation
In accordance with the resolution of USI A-45, the licensee performed an examination of Diablo Canyon to identify DHR vulnerabilities.
The results of the IPE provide indications of the importance of the systems that provide the DHR function as a response to the initiating events postulated in the IPE.
The following system features were considered in the DHR evaluation:
- AFW
- Feed and bleed cooling with charging and injection pumps through the PORVs
- Residual heat removal (RHR)
The IPE and the response to staff's questions provide an indication of the importance of the systems supporting the DHR function.
This is measured by the percentage of CDF attributable to sequences with split fractions which represent systems in the quantification.
The contribution to CDF of the DHR systems with all support systems available is relatively small; e.g., contribution from the AFW is 4%, and the contribution from feed and bleed is 2.5%.
The total contribution from AFW, feed and bleed, and the RHR is 20.8%, 10.9%, and 9.1% respectively.
The impact of loss of support systems on the percentage contribution for the RHR, charging and safety injection was not provided, although an indication of the major support system failures leading to the front-line system failure was provided (e.g., diesel generators, CCW, ASW, DC, vital 4KV power, control room and switchgear ventilation, and solid state protection system (SSPS)).
Based on the process that the licensee used to search for DHR vulnerabilities, and review of plant-specific features, the staff finds the licensee's DHR evaluation to be consistent with the intent of Generic Letter 88-20, and resolution of USI A-45.
7. Licensee Actions and Commitments from the IPE
During the development of the DCPRA-1988 (prior to the IPE) several plant modifications were implemented.
Two modifications of notable interest as identified in Section 6.0 of the IPE submittal include:
- Diesel generator fuel oil pump recirculation paths
- Charging pump backup cooling from fire water system.
In addition, although not IPE related in origin, the licensee plans to add in 1993 a sixth emergency diesel generator in order to reduce the contribution of LOOP to the CDF.
The licensee identified the following items to be considered for plant improvement:
- Plant procedures "OP AP-10 and 11" were modified to direct the operators to consider hooking up fire water cooling to any one of the three centrifugal charging pumps if they are unable to recover or cross-tie the ASW system.
- The RCDT door may be modified in order to flood the reactor cavity using RWST water. This item needs further investigation.
- Consideration will be given to incorporating insights from the SGTR results in the establishment of the Diablo Canyon severe accident management.
The licensee recognizes the potential benefits of a PRA and will maintain a "living" PRA with periodic updates and use it to develop a risk management program.
The licensee is currently conducting a shutdown risk assessment with the assistance of Westinghouse and EPRI personnel.
The licensee also plans to use the PRA to analyze scheduled maintenance activities, and associated contribution to risk during full-power operation.
In support of licensee's involvement and technology transfer, the PRA group and training department have conducted training sessions to introduce to Diablo Canyon operators and engineers the PRA methods, future applications, and IPE insights.
The training department also has utilized the interfacing system LOCA model, thermal hydraulic analyses, AFW system model, CCW system model, and auxiliary saltwater system model to develop training sessions for licensed operators.
This training is intended to increase awareness and safety at Diablo Canyon.
Although the review team did not examine the merits of these items in detail, the staff notes that the licensee is applying PRA/IPE findings to enhance plant safety.
The staff finds the licensee's actions reasonable.
The staff believes the licensee's proposed actions in response to the IPE findings are consistent with the intent of Generic Letter 88-20.
III. CONCLUSION
The staff finds the licensee's IPE submittal for internal events including internal flooding essentially complete, with the level of detail consistent with the information requested in NUREG-1335.
Based on the review of the submittal and the associated supporting information, the staff finds reasonable the licensee's IPE conclusion that no fundamental weakness or severe accident vulnerabilities exist at Diablo Canyon.
The staff notes that:
(1) PG&E personnel were involved in the development and application of PRA techniques to the Diablo Canyon facility, and that the associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built, as-operated plant.
(2) The front-end IPE analysis appears complete, with the level of detail consistent with the information requested in NUREG-1335. In addition, the employed analytical techniques are consistent with other NRC reviewed and accepted PRAs and capable of identifying potential core damage vulnerabilities.
(3) The back-end analysis addressed the most important severe accident phenomena normally associated with large dry containments.
The techniques employed in the back-end analysis are capable of identifying severe accident vulnerabilities.
No obvious or significant problems or errors were identified.
(4) The HRA allowed the licensee to develop a quantitative understanding of the contribution of human errors to CDF and containment failure probabilities.
The assessment of human reliability was capable of discovering severe accident vulnerabilities from human errors.
(5) Based on the licensee's IPE process used to search for DHR vulnerabilities, and review of Diablo Canyon plant-specific features, the staff finds the licensee's DHR evaluation consistent with the intent of the USI A-45 (Decay Heat Removal Reliability) resolution.
(6) The licensee's response to CPI Program recommendations, which include searching for vulnerabilities associated with containment performance during severe accidents, is reasonable and consistent with the intent of Generic Letter 88-20 Supplement 3.
In addition, and consistent with the intent of Generic Letter 88-20, the staff believes the licensee's peer review process provided assurance that the IPE analytic techniques had been correctly applied and that the effort had been properly documented.
Based on the above findings, the staff concludes that the licensee demonstrated an overall appreciation of severe accidents, has an understanding of the most likely severe accident sequences that could occur at the Diablo Canyon facility, has gained a quantitative understanding of core damage and fission product release, and responded appropriately to safety improvement opportunities.
The staff, therefore, finds the Diablo Canyon IPE process acceptable in meeting the intent of Generic Letter 88-20.
The staff also notes that the licensee's intent to use and maintain its PRA document will enhance plant safety and provide additional assurance that any potentially unrecognized vulnerabilities would be identified and evaluated during the lifetime of the plant.
APPENDIX
DIABLO CANYON DATA SUMMARY SHEET*
INTERNAL EVENTS
o Total core damage frequency (CDF):
- 9.5E-5/yr. mean estimate
- 8.8E-5/yr. point estimate
o Major initiating event contributions to point estimate CDF:
- Loss of offsite power
- General transients
- Loss of coolant accidents (LOCAs)
- Loss of one 125 VDC bus
- Loss of auxiliary saltwater system or component cooling water system
- Internal floods
- Loss of ventilation (control room or 480V switchgear room)
- Steam generator tube rupture
- Interfacing system LOCAs
Contribution: 41% 26% 9.3% 8.2% (ASW) (CCW) 6.2% 3.6% 3.3% 2% <1%
o Major contributions to dominant core damage sequences:
- Station blackout (SBO)
- Reactor coolant pump (RCP) seal LOCA
- Other
- Transient-induced LOCA
- Non-SBO RCP seal LOCA
- Feed and bleed
- Pressurized thermal shock
- Anticipated transient without trip (ATWT)
5.7% 3.9% 1.8% 25% 39% 11% 5% <1%
o Major operator action failures (contribution to CDF):
- Reduce unnecessary header "C" component cooling water (CCW) loads
- Backup cooling with firewater for centrifugal charging pump on loss of CCW
- 480 V switchgear ventilation recovery
- Electric power recovery during partial or full SBO
- Switchover to recirculation mode during large or medium LOCA
- Initiation of feed and bleed cooling
16.6% 11% 3.3% 1.8%
o Conditional containment failure probability given core damage:
- Small, Early Containment Failure: 0.09
- Large, Early Containment Failure: 0.03
- Late Containment Failure: 0.45
- Containment Bypass Failure: 0.02
- No Containment Failure: 0.41
o System importance ranking (percent CDF not mutually exclusive):
(includes independent system failures leading to an initiating event or occurring during recovery actions)
- Emergency Diesel Generator 1-3, Bus F: 34%
- Emergency Diesel Generator 1-2, Bus G: 28%
- Component cooling water system: 25%
- RCS pressure relief and PORV reclosure: 24%
- Reactor coolant system pump seal: 19%
- Auxiliary feedwater system: 16%
- Auxiliary salt water system: 14%
- 125 VDC Bus G: 12%
- Emergency Diesel Generators 1-1, Bus H: 12%
- 125 VDC Bus H: 11%
o Significant PRA findings:
The failure of RCP seal cooling contributes to over 40% of the CDF.
The unavailability of the swing EDG 1-3 (bus F) either being aligned to Unit 2 or for scheduled maintenance contributes to 34% of the CDF.
Loss of EDGs 1-2 and 1-3 or their buses causes loss of both ASW pumps requiring operator action to cross-tie the ASW system from the other unit.
Failure to recover ASW system causes loss of all CCW pumps causing loss of cooling for the charging pumps, safety injection pumps, RHR pumps, and the containment fan cooler units.
Failure to recover ASW system contributes to 4.5% of the CDF.
Loss of EDGs 1-2 and 1-3 also causes loss of all charging pumps and loss of 2 of 3 CCW pumps requiring operator action to reduce heat loads on header C to meet the success criteria for operation of 1 CCW pump.
o Enhanced plant hardware, procedures, and operator actions:
(implemented after 1988 PRA)
- Diesel generator fuel-transfer system
- Charging pump backup cooling from fire water
- Substation spare parts for seismic events
- Overcurrent relay remote reset
- Valve control switch replacement
o Other completed, ongoing, or potential improvements not modeled:
- Addition of the sixth diesel generator
- Installation of Westinghouse ATWS mitigation system (AMSAC)
- Digital feedwater control
- Boron injection tank elimination
- RHR check valves
- 480 V switchgear ventilation
- Modification of the reactor coolant drain tank door
(* Information has been taken from the Diablo Canyon Units 1 and 2 IPE and has not been validated by the NRC staff.)