ML17179A833
| ML17179A833 | |
|---|---|
| Site: | Dresden |
| Issue date: | 01/31/1993 |
| From: | COMMONWEALTH EDISON CO. |
| To: | |
| Shared Package: | ML17179A834 |
| References: | NUDOCS 9304130186 |
726302SU.1 CV/011893

DRESDEN NUCLEAR POWER STATION UNITS 2 AND 3
INDIVIDUAL PLANT EXAMINATION SUBMITTAL REPORT
MAIN SUMMARY
JANUARY 1993
Submitted By COMMONWEALTH EDISON COMPANY
ADOCK 05000237

MAIN SUMMARY REPORT TABLE OF CONTENTS

1.1 Philosophy and Conformance with GL 88-20
1.2 Project Organization
1.3 Methodology
1.4 Supporting Analysis
1.5 IPE Results
1.6 IPE Evaluations
1.7 Accident Management
1.8 Conclusions
1.0 SUMMARY OF THE DRESDEN IPE

This section provides a summary of the Dresden Individual Plant Examination (IPE); all of the information presented in this section can be found in greater detail in subsequent sections of this document.
1.1 Philosophy and Conformance with GL 88-20

The Dresden IPE has been performed to identify and resolve severe accident issues germane to Dresden Station. To assure that this purpose was accomplished, CECo performed a full-scope Level II Probabilistic Risk Assessment (PRA), into which Accident Management (AM) considerations were fully integrated.
Commonwealth Edison Company (CECo) conducted the Dresden Level II PRA to be in full compliance with the requirements of NRC Generic Letter 88-20 and its Supplement 1.
CECo's approach to the IPE has been to perform realistic evaluations of Dresden Station's capability with emphasis on the prevention of severe accidents and on the need to effectively respond to accident sequence progression in the event of a severe accident.
CECo's evaluations were carried out in a manner that supported senior management decision-making processes, relative to potential enhancement of plant design and/or operation, aimed at reduction of risk from severe accidents.
Integrated throughout the IPE was the development of insights and information that either suggested plant improvements, or which evolved into the framework of an accident management program for Dresden Station. In performing the IPE, standard PRA systems analysis practices such as those outlined in the PRA Procedures Guide (NUREG/CR-2300) were used. The Dresden IPE employs the large event tree/support state method. An innovative approach to integrating the traditional systems analysis and containment analysis portions of the PRA was used that involves the development of combined, fully integrated, event trees referred to as Plant Response Trees (PRTs). The methods employed were presented to the NRC during a series of technical exchange meetings which took place during 1991.
The focus of the investigation was on realistic assessment of the plant response to potential accident sequences, so that insights feeding CECo's accident management program represented CECo's best understanding of the plant response. The Dresden IPE specifically models the Dresden Emergency Operating Procedures (EOPs), which are based on the generic Boiling Water Reactor Owners Group (BWROG) symptom-based guidance. The success criteria used to determine whether or not plant systems achieve their intended safety function were realistically determined for each important type of accident sequence rather than relying on the Dresden FSAR (Final Safety Analysis Report) success criteria.
These success criteria considered both equipment capability and timing of the accident progression. Well-known, detailed approaches for common cause failure and human error that supported the conduct of realistic studies were adopted for the Dresden IPE.
Special attention was also given to the treatment of dual-unit site issues.
726302SU.11/011893 1-1
1.2 Project Organization

Commonwealth Edison Company engaged the Individual Plant Evaluation Partnership (IPEP) to support the analysis efforts on the Dresden IPE and the IPEs for CECo's other nuclear generating stations.
The IPEP companies are Westinghouse, Fauske and Associates, Inc. and TENERA. CECo created an organization for the performance of these projects which effectively utilizes its personnel resources and provides CECo with complete control and involvement in the analysis of each plant. The CECo personnel assigned to conduct the IPE program collectively have extensive experience in plant operations and systems engineering, as well as PRA experience. Many of the methods used in the Dresden IPE were originated by CECo. IPEP personnel performed the basic modeling and analysis, while CECo personnel performed success criteria analysis using MAAP and conducted detailed reviews of the models, assumptions, and results.
Interactions between CECo personnel and the IPEP analysts were conducted on a continual basis and intensively at each intermediate step to resolve CECo comments and incorporate plant-specific knowledge.
Figure 1.2-1 shows the overall organizational structure for the CECo IPE program. Insights developed during the performance of the PRA were evaluated by a "Tiger Team" of experienced IPEP and CECo personnel. Key insights and key results from each stage of the study were also reviewed by an IPEP Senior Management Support Team (SMST). The SMST consisted of a senior manager from each IPEP company who was not involved in the day-to-day conduct of the IPE.
In addition, CECo senior management actively reviewed all results and insights as well as the IPE program team's recommendation to decide which of the insights and/or recommendations to pursue. As noted in the initial CECo response to the Nuclear Regulatory Commission (NRC) on Generic Letter 88-20, no separate "independent review" of the Dresden IPE was performed. It is CECo's view that the quality of the study is assured by the employment of knowledgeable, experienced analysts both at IPEP and at CECo, as well as the many levels of review within the CECo program.

1.3 Methodology

This section summarizes the overall PRA methodology used for the Dresden IPE/AM Program.

1.3.1 Overall Model

The IPE was conducted using standard analysis practices, such as those outlined in NUREG/CR-2300, "PRA Procedures Guide - A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants" and NUREG/CR-2815, "Probabilistic Safety Analysis Procedures Guide." However, innovative techniques were developed for several areas of the analysis. The traditional systems analysis and containment analysis portions of the PRA were fully integrated by plant response trees that depict the combinations of interactions that can impact the plant behavior from the initiating event to an end state characterized by retention of fission products within the containment boundary or release to the environment. The MAAP computer code was utilized to characterize success criteria, timing and containment response.
[FIGURE 1.2-1: CECO IPE/AM PROGRAM ORGANIZATIONAL STRUCTURE. Organization chart; an asterisk marks members of the Tiger Team.]
The models developed in the IPE represent with minor exception the as-built, as-operated Dresden Station, as of a data cut-off date in January 1991. Extreme care has been taken to ensure that only formal procedures, which the operators are trained to use, have been credited.
The key tasks in the overall IPE model are described below:
Plant familiarization was accomplished by the analysts through a review of the Dresden Updated Final Safety Analysis Report (UFSAR), design drawings, design descriptions, training materials, normal and emergency procedures, technical specifications, test procedures, location and layout drawings, and plant walkdowns.
Plant specific information was collected from a variety of logs, reports, and operator interviews for the period from January 1, 1984 to December 31, 1990 to examine plant specific component failure, testing and maintenance data, as well as initiating events which have led to reactor trips. Generic data from IEEE-500, NUREG-2815, Revision 1, and other sources were used to supplement the plant specific information. For common cause failure, the Multiple Greek Letter (MGL) method was used to generate failure probabilities.
The accident initiators were identified from the collection and analysis of plant trip data. This was supplemented by the use of other industry sources, such as NUREG/CR-3862, where Dresden plant specific data was insufficient due to low or non-existent frequency of occurrences. Some of the loss of coolant accident initiating event information was derived from WASH-1400. Special initiators for Dresden Station were identified through analyses of selected systems, such as DC power. Loss of offsite power and plant centered losses were derived from generic data in NUREG-1032, NSAC-147 and NSAC-166 which are applicable to the dual unit Dresden Station.
Internal flooding was treated as a special initiator.
Separate analyses were performed to determine whether there are areas in Dresden Station that are susceptible to flooding or spray from pipe breaks and whether there is sensitive equipment in those areas that could cause plant shutdown or result in a failed safety system.
A detailed analysis of the various front-line safety systems and supporting systems was conducted for each of the identified initiators and for the interactions between the two Dresden units.
Plant Response Trees (PRTs) and support system event trees were used to develop the Dresden accident sequence model.
A plant response tree was developed for each initiator; a support system event tree model was developed for each major class of initiating events. The support system event tree model was developed as a dual unit model, where appropriate, because the two Dresden units share important support systems. The MAAP computer code was used to develop realistic accident sequence models, including success criteria and operator actions, so that the accident sequences represent the best estimate plant response.
The Dresden systems represented in the PRTs were modeled with fault trees. The development of the fault trees was done starting from the success criteria for the system specified in the PRTs.
The relationship between the two units was carefully examined and, where appropriate, modeled.
The systems modeled include safety systems, support systems, containment systems and miscellaneous systems, as dictated by the PRTs.
Extensive phenomenological evaluations were made to study accident progression and the possible containment failure mechanisms. These evaluations serve as the primary means by which phenomenological issues were addressed. A combination of these evaluations and MAAP analyses were used to assess the importance of the phenomenological issues and the significance of uncertainty. For some issues, Dresden specific experiments were developed and performed to support the phenomenological evaluations.
Source terms were developed by analyzing the dominant accident sequences that led to containment failure, using the MAAP code. Source terms were binned into release categories based on type, timing, and magnitude of release.

1.3.2 Initiating Events

The Dresden-specific initiating events considered in the IPE are as follows:

- Large Loss of Coolant Accident (LOCA)
- Medium Loss of Coolant Accident (LOCA)
- Small Loss of Coolant Accident (LOCA)
- Interfacing Systems LOCA (ISLOCA)
- Inadvertent Opening of a (Main Steam) Relief Valve (IORV)
- Anticipated Transients
- Single Unit Loss of Offsite Power (LOSP)
- Dual Unit LOSP (DLOSP)
- Loss of the 125VDC from one Unit (LODC)

In addition, two events were treated as consequential failures in the accident sequence analysis and thus, no frequencies were calculated:

- Loss of all AC Power (Station Blackout (SBO))
- Anticipated Transient Without Scram (ATWS)

The LOCA frequencies were taken from WASH-1400 for this analysis. The interfacing system LOCA frequency was determined by a Dresden specific calculation considering all likely flow paths. The frequency of an inadvertent opening of a relief valve was determined from plant-specific and industry data on such events.
Transient events were identified through BWR operating experience. The steps taken to create a database of transient initiating events and make them specifically applicable to Dresden Station include the following:

- The trip history was reviewed to identify events that have occurred at Dresden Station.
- Data from NUREG/CR-3862 was used to supplement historical Dresden anticipated transient data.
- The results of plant systems analyses were utilized to identify potential initiating events.

The general transient frequency is the sum of anticipated transient frequencies for Dresden Station. The NUREG/CR-3862 anticipated transient categories relevant to Dresden Station are grouped as one initiating event, with the exception of LOSP, and loss of 125VDC power in one unit which were considered as special initiators.

The frequency for loss of 125VDC power in one unit was determined by fault tree analysis techniques. Loss of 125VDC in one unit affects both units due to the cross-connected design. Loss of the unit's own 125VDC bus was selected as the bus lost since this bus would provide the worst plant response.

The loss of heating, ventilation, and air conditioning (HVAC) systems and the loss of instrument air were not included as initiating events, based upon Dresden Station specific analyses.

The frequencies for single unit LOSP and dual unit LOSP were calculated separately. The methodology and site specific values developed in NUREG-1032 for grid related losses, weather related losses, and extreme weather related losses were used to calculate the LOSP frequencies. The values for Plant Centered Loss (PCL) were calculated from generic data presented in NSAC-147 and NSAC-166 for LOSP at dual unit sites. The generic PCL frequencies for dual unit and single unit at a dual unit site were used in the Dresden specific analysis.

1.3.3 Systems Analysis
To develop an understanding of the contribution of system performance to accident sequences and to quantify the Plant Response Trees, a comprehensive analysis of all key plant systems (from a risk perspective) was performed. This included a plant familiarization activity, a search for dependencies between plant systems, and detailed fault tree analysis for each key system. To ensure the IPE accurately represents how the plant's systems contribute to the overall risk profile, a thorough understanding of key frontline and support systems is essential. Prior to the development of the fault trees, a comprehensive evaluation was performed for each system, which included collection, evaluation, and documentation of information.
Included in this documentation are the important dependencies, instrumentation and control requirements, and the results of a review of equipment maintenance and surveillance practices. A plant walkdown was used to verify that the plant configuration modeled in the IPE is consistent with the manner in which the individual systems are installed and operated.
The results of an operating experience review are also documented, to be sure that plant specific operating experience is reflected in the model development and in the quantification of system and component performance parameters. Because Dresden Station is a dual unit site, a careful examination of the documentation for both units' systems was performed. Any key differences were identified and documented. Shared systems or shared components were identified, including the type of sharing (total or partial) and any preferential alignments. Any unit-to-unit cross-ties, along with the normal alignment and emergency alignment capabilities, were identified. Plant procedures, operator training manuals, and plant administrative policies were reviewed concerning such shared and cross-tied systems to be sure accurate modeling was performed in the IPE and that the full plant capabilities were understood from an accident management perspective. Any configuration or uses of a system which could be important in accident management were identified and documented. Examples of this type of information include the identification of other systems that could fulfill the same function, instrumentation that might be beneficial in restoring certain systems, equipment access pathways and location, etc.

The systems modeled in the Dresden IPE are:

- Isolation Condenser System
- Feedwater and Condensate System
- High Pressure Coolant Injection System
- Automatic Depressurization System
- Low Pressure Coolant Injection System including containment cooling service water, suppression pool cooling and containment sprays
- Core Spray System
- Turbine Building Closed Cooling Water System
- Common Actuation including components actuating HPCI, LPCI and CS
- Containment Vents including two Torus and two Drywell vent paths
- Service Water System
- Electric Power System including AC, DC and diesel generators

Fault trees were used to model the performance of plant systems in the Dresden IPE.
These fault tree models depict the various combinations of hardware faults, human errors, test and maintenance unavailabilities, and other events that can lead to a failure to perform a given safety function. The definition of success for each fault tree is determined by the success criteria established for each PRT heading involving system performance.
Fault trees were developed for frontline, containment, miscellaneous and support systems. Their analysis is conditional on both the initiating event (and its effects), and the availability of support systems that impact system operation.

1.3.4 Support System Modeling

The "support state methodology" was used to model the key support systems and their impact on the safety systems that are required to respond to the modeled initiating events. The concept of a support state model allowed the major support systems to be modeled outside of the accident sequence plant response trees. Dresden Station contains two units which share major support systems. Shared systems were modeled to ensure that the influence on both units is captured.

A support system is defined as a system that is depended upon for the successful operation of frontline systems, safety systems, miscellaneous systems or other support systems. The support systems were identified by reviewing the Dresden Station Updated Final Safety Analysis Report (UFSAR), system descriptions, and piping and instrumentation diagrams.

The second step in the development of the support state model was a review of the system dependency matrices. The dependency matrices were developed to identify the interrelationships among the various systems modeled in the IPE and focus the investigation on key dependencies between initiating events, support systems, and frontline systems for major system components. The dependencies considered in the development of these matrices included partial dependence as well as complete dependence.

The third step in developing the support state model was to identify the key support systems. The key support systems are those systems which interact with the other frontline and support systems.
The criteria for identifying key support systems include whether the system supports multiple frontline systems and whether the frontline systems would not function without the support system (further discussion of the selection of key support systems is provided in Section 4). Based on the review of system descriptions and the system dependency matrices, the following key support systems were selected for modeling in the support system event trees:

- Electrical Power - DC
- Electrical Power - AC
- Common Actuation System - CAS
- Service Water - SW
- Turbine Building Closed Cooling Water - TBCCW

The AC and DC electric power systems provide the motive or control power for a majority of the safety-related pumps and valves. The CAS provides the actuation signals for the safety systems on an ECCS signal. The SW system provides the ultimate heat sink for the cooling of major heat loads and the TBCCW system provides the cooling for the feed and condensate system pumps and other turbine building auxiliaries.
Following the identification of the key support systems, the fourth step in the support state modeling process was to identify the possible operating states for each key support system, and from these develop the support system event trees. This step was completed by identifying the possible operational states for each key support system individually. Having identified the various operational states associated with each support system, the states were combined to form a support system event tree (SSET) model. Several support system event trees were developed based on the differing impact of the initiator on the response of the plant. Vector impact analysis to reduce the number of support states that had to be evaluated was not performed for Dresden because the computer code that was used for event tree quantification is capable of quantifying all support model and plant response tree sequences. Each plant response tree was then quantified for each support model sequence.

1.3.5 Plant Response Trees

Plant Response Trees (PRTs) are used to logically model the accident progression of each initiating event through successful mitigation or core damage and containment disposition. The plant response trees were used to define the possible outcomes of each initiating event as determined by the availability of plant systems and the success of essential operator actions. These outcomes, or 'end states', were then used as part of the IPE process to assess the design and operation of Dresden Station.

The plant response tree approach developed for the Dresden IPE differs somewhat from the traditional PRA event tree approach (NUREG/CR-2300). The traditional approach consists of two nearly independent analyses, the Level 1 or "front end" analysis and the Level 2 or "back end" analysis.
The Level 1 analysis considers the plant systems and models the event progression from initiating event through core damage, while the Level 2 analysis considers the containment safety systems and models the event progression from core damage states through final containment disposition. As a result, separate event trees were developed for each of these analyses.

For the Dresden IPE, the PRT concept was developed to model the plant response from initiating event through the entire accident progression including the containment response. This logic involves a complete integration of the traditional Level 1 and Level 2 PRA analyses thereby permitting synergistic modeling of the plant. Additionally, the traditional PRA approach considers only high level operator actions (e.g., initiation of suppression pool cooling) while the PRTs incorporate a direct causal relationship between accident progression and symptom-based operator actions from the Dresden Emergency Operating Procedures. Also, traditional PRA methods incorporate very conservative definitions of system success which results in a higher likelihood of system failure and, ultimately, in unnecessarily pessimistic overall results. The PRTs incorporate realistic analyses to define success of a system or operator action; thus resulting in a true "best estimate" understanding of risk.
In this respect, potential weaknesses are not masked by conservatisms in the analysis.
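The support state quantification described in Sections 1.3.4 and 1.3.5, where each plant response tree is quantified once per support model sequence, can be sketched as follows. This is an added example, not taken from the CECo report: the initiator frequency, the support system state probabilities, the three PRT nodes (INJ, ALT, DHR) and the OK/CD end-state labels are all constructed assumptions.

```python
# Added example: support-state quantification of a small plant response tree.
# Every number, node name and end-state label here is constructed.

INITIATOR_FREQ = 0.5  # hypothetical initiating event frequency, per year


def ac_states(chosen):
    return {"AC_OK": 0.999, "AC_LOST": 0.001}


def sw_states(chosen):
    # Assumed dependency: service water pumps need AC, so SW is lost with AC.
    if chosen["AC"] == "AC_LOST":
        return {"SW_LOST": 1.0}
    return {"SW_OK": 0.998, "SW_LOST": 0.002}


# Support system event tree headings, in dependency order.
SUPPORT_HEADINGS = [("AC", ac_states), ("SW", sw_states)]


def support_model_sequences():
    """Return [(support_state, probability)] for every support model sequence."""
    sequences = [({}, 1.0)]
    for name, states_given in SUPPORT_HEADINGS:
        sequences = [
            ({**chosen, name: state}, p * p_state)
            for chosen, p in sequences
            for state, p_state in states_given(chosen).items()
        ]
    return sequences


def both_injection_failed(path):
    return path.get("INJ") == "F" and path.get("ALT") == "F"


# PRT nodes in time order: (name, is the node asked on this path?,
# failure probability given the support state).
PRT_NODES = [
    ("INJ", lambda path: True,                        # motor-driven injection
     lambda s: 1.0 if s["AC"] == "AC_LOST" else 1.0e-3),
    ("ALT", lambda path: path.get("INJ") == "F",      # alternate injection
     lambda s: 5.0e-2),
    ("DHR", lambda path: not both_injection_failed(path),  # heat removal
     lambda s: 1.0 if s["SW"] == "SW_LOST" else 1.0e-4),
]


def end_state(path):
    if both_injection_failed(path) or path.get("DHR") == "F":
        return "CD"   # core damage
    return "OK"       # successful mitigation


def quantify_prt(support_state):
    """Walk the tree for one support state: [(path, conditional prob, end state)]."""
    paths = [({}, 1.0)]
    for name, asked, p_fail in PRT_NODES:
        nxt = []
        for path, p in paths:
            if not asked(path):
                nxt.append((path, p))
                continue
            pf = p_fail(support_state)
            for outcome, p_branch in (("S", 1.0 - pf), ("F", pf)):
                if p_branch > 0.0:  # prune impossible branches
                    nxt.append(({**path, name: outcome}, p * p_branch))
        paths = nxt
    return [(path, p, end_state(path)) for path, p in paths]


def quantify_all():
    """Quantify the PRT once per support model sequence."""
    rows = []
    for s_state, p_s in support_model_sequences():
        for path, p_path, end in quantify_prt(s_state):
            rows.append({"support": tuple(s_state.values()), "path": path,
                         "end": end, "freq": INITIATOR_FREQ * p_s * p_path})
    return rows


def core_damage_by_support_state(rows):
    """Sum core damage path frequencies per support state."""
    totals = {}
    for r in rows:
        if r["end"] == "CD":
            totals[r["support"]] = totals.get(r["support"], 0.0) + r["freq"]
    return totals


if __name__ == "__main__":
    cd = core_damage_by_support_state(quantify_all())
    for support, freq in sorted(cd.items(), key=lambda kv: -kv[1]):
        print(support, f"{freq:.3e} per year")
```

With these constructed inputs the degraded support states carry most of the core damage frequency even though they are rare, which is the dependency a support state model is meant to make visible.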
A final important facet of this integrated PRT approach is the ability to excerpt meaningful accident management insights from an evaluation of the various PRT accident sequences. The coupling of the plant systems, operator actions and containment systems allows a more direct examination of the factors which influence risk. As a result, insights regarding these 'risks' can be developed which aid in the management of a severe accident, in the unlikely event that one occurs.

The plant response tree consists of an initiating event, nodes, accident sequence paths and an end state for each path. An initiating event was defined as an event which causes plant trip and places some demand on plant safety systems. The nodes are the decision points on the tree and are shown across the top of the tree. These nodes represent success or failure of a plant system or operator action and are ordered to consider the time phasing and hierarchy of cause and effect. The paths, or sequences, are simply the representations of credible combinations of successes and failures of the plant systems and/or operator actions. Ultimately, the product of the PRT is the frequency of these paths. The end states define the unique set of plant system conditions following the initiating event.

The development of a PRT consists of a number of major, distinct steps. These steps are discussed below:

STEP 1 Define Critical Safety Functions

Preventive actions are required to maintain the plant in a safe, stable condition following an initiating event. These actions can be defined in terms of critical safety functions. Critical safety functions which prevent core damage are defined first; additional safety functions are defined as needed (i.e., post-core damage) to prevent containment failure and minimize fission product releases.

The critical safety functions required to prevent core damage are as follows:

- Reactivity Control
- Reactor Coolant System Inventory Control
- Decay Heat Removal, which consists of:
  - Coolant Inventory Makeup, and
  - Coolant Heat Removal

The critical safety function to prevent containment failure and to minimize fission product releases, if core damage results, is:

- Containment Integrity, which consists of:
  - Containment Heat Removal functions
  - Containment Isolation
  - Radioactivity Scrubbing

STEP 2 Develop Core Damage Prevention Models

These models identify the requisite combinations of systems and operator actions required to bring the plant to a safe, stable condition and prevent core damage. The resulting accident sequences accurately represent the combination of plant systems and operator actions needed to prevent core damage. Only operator actions defined in the Dresden EOPs are modeled.

STEP 3 Integrate Containment Systems

Containment systems which satisfy the containment critical safety function are included in the PRT in order to determine the containment disposition as well as to consider possible dependencies with other 'front end' systems. The integration of the plant systems, operator actions AND containment systems allows treatment of the plant synergistically, as a complete "system".

STEP 4 Endstate Definition

Each initiating event is tracked through its own PRT, evaluating the success or failure of each plant system, operator action and containment system. Each accident path, or sequence, eventually results in a unique 'end state' depending upon the initiating event and the combinations of success/failure of the nodes addressed. These PRT outcomes, or 'end states', are then categorized by assigning an identifier. For those paths which end in a long-term safe stable state, the end state is designated SCS, meaning success. Those paths which end in a safe, stable state for 24 hours, but in which additional actions or functions are necessary to maintain this state in the long term, are designated SAM (Success with Accident Management). Finally, those sequences ending in core damage are designated by 5-character identifiers to characterize fission product releases.

STEP 5 Definition of Accident Sequence and Success Criteria

Determining the sequence success states is one of the most important tasks in developing the PRT structure. The objective is to determine the combinations of plant systems, operator actions and containment systems that are realistically expected to activate chronologically to prevent core damage and/or maintain containment integrity. To determine PRT nodal success criteria, detailed information regarding plant functions, plant systems, plant operation, emergency operating procedures, abnormal operating procedures, engineered safeguards features, technical specification, etc. is necessary.
Best estimate thermal hydraulic analyses, using the MAAP computer code, were used to determine success criteria for the aforementioned critical safety functions. These analyses also establish the time available to accomplish the operator actions to prevent core damag*e and/or containment failure. STEP 6 Accident Management The final step in the development of a PAT is the definition of potential accident management enhancements which could mitigate the accident. As part of the Dresden IPE Program, an additional PAT endstate designation (SAM, for Success with Accident Management) was defined in order to highlight those accident sequences which require accident management activities to achieve an ultimate safe, stable state in the period after the initial 24 hours. Traditionally, in PRAs, if core damage had not occurred during the first 24 hours, the endstate was considered a success. In the Dresden IPE, end states in which core damage could occur after 24 hours unless something is done, are categorized separately and assigned the designator "SAM." Consistent with traditional PAA philosophy, the PAT accident sequences designated as SAM are not core damage sequences. However, accident management activities are required to ensure that the plant attains a long term safe, stable state. 1.3.6 Containment Analysis Dresden employs a BWR-3 Mark I containment design. The primary containment consists of a drywell, a pressure suppression pool chamber (torus}, and interconnecting vent pipes (downcomer pipes). The primary containment surrounds the reactor pressure vessel (FWV) and the recirculation cooling system and provides the first barrier to offsite radioactivity releases. Any leakage from the primary containment system will go directly to the secondary containment system (Reactor Building). The wetwell or drywell may be vented through either the Standby Gas Treatment (SBGT) system or directly to the 31 O foot chimney through the 10-inch "hardened" vent. 
The drywell design free volume is 158,236 ft3 with a gas space height of 102 feet. The drywell is a steel pressure vessel with a 66' diameter spherical lower portion and a 37' diameter cylindrical upper portion. This vessel is enclosed in reinforced concrete for shielding purposes with a two-inch gap between the steel shell and concrete to allow for thermal expansion of the steel shell. The internal design pressures of this structure are 62 psig and -2 psig at 281°F. The ambient drywell atmosphere temperature ranges from 135°F to 150°F. There are eight circular vent pipes which form a connection between the drywell and suppression pool (wetwell) to control drywall pressurization under accident conditions. The pipes are enclosed in sleeves and are provided with expansion joints (bellows) to accommodate differential motion between the drywell and the wetwell. These pipes, in turn, are connected to a toroidal vent header contained in the airspace of the wetwell.
Projecting downward from the header assembly are 96 downcomer pipes which terminate roughly 4 feet below the surface of the suppression pool water line.

Other than the suppression pool, several other systems exist to control primary containment pressure. The Dresden design implements the following systems to aid the suppression pool in containment heat removal:

1. Low Pressure Coolant Injection (LPCI) can be lined up to discharge to either the drywell or wetwell spray headers. These pumps can alternately be used in conjunction with the LPCI heat exchangers to provide suppression pool cooling.
2. Operators are instructed to restart the drywell coolers in certain circumstances to assist in primary containment pressure control.
3. Drywell or wetwell venting is also performed as a means of primary containment pressure control.

A Dresden containment (Mark I) fragility curve was produced. Several observations and conclusions are evident:
1. Low pressure failures are dominated by the drywell head closure, which follows directly from the high degree of uncertainty associated with this location.
2. The mean failure pressure of the Dresden containment is shown to be approximately 105 psig for temperatures below 300°F.
3. If containment fails at relatively high pressures, it is likely to be at one of the eight vent line bellows because they have the lowest mean failure pressure of the containment structural components.

The containment studies reviewed in conjunction with constructing the Dresden fragility curve (see Section 4.3) generally considered containment pressure loadings applied at relatively low temperatures (i.e., up to the design limit of 281°F). Beyond 281°F, the high pressure performance of the containment is expected to degrade due to reductions in material strength and seal properties. Thus, a figure was constructed to show the temperature effects on the ultimate pressure capacity of the containment.

Source term analyses are performed following accident sequence quantification and designation of PRT endstates. The purpose of the source term analysis is to quantify the radionuclide release characteristics for core damage accident sequences. The source term analysis includes the specification of containment failure timing and fission product release magnitude. Source term analysis was performed with the CECo Dresden-specific version of MAAP 3.08 Revision 7.03.

Since assumptions regarding key severe accident phenomena may dictate the analysis outcome, due consideration of phenomenological uncertainties is a cornerstone of the CECo IPE approach to the containment and source term analysis. The CECo IPE methodology addresses the phenomenological issues in two ways: 1) plant-specific phenomenological evaluations, and 2) MAAP sensitivity studies. This approach provides a bounding assessment of source term release timing and magnitude.

Phenomenological Evaluations

Dresden-specific phenomenological evaluation summaries are a principal means of addressing the impact of phenomenological uncertainties on plant response. These summaries address a wide range of phenomenological issues and provide an in-depth review of plant-specific features which influence the uncertainty, or act to mitigate the consequences, of such phenomena. The phenomenological evaluation summaries investigate both the likelihood of occurrence and the probable consequences of key severe accident phenomena.

Sensitivity Studies

The purpose of the sensitivity studies is to determine which remaining phenomenological uncertainties have a significant impact on the likelihood or timing of containment failure and the magnitude of the source term release. In performing Dresden MAAP calculations, a limited number of model parameters are investigated with respect to the influences of modeling uncertainties on the radionuclide source terms. In particular, uncertainties in the various physical processes were considered as documented in the IDCOR/NRC issue resolution process. The various phenomena and the uncertainties are described in several NRC and EPRI documents (e.g., NUREG-1335, EPRI TR-100167) and in the IPE Generic Letter 88-20 (including supplements).

1.4 Supporting Analysis

The following sections describe several analyses that support the quantification of the fault trees and the plant response trees.
These supporting analyses include the generation of plant specific and generic component data, the generation of human error probabilities, the generation of plant specific common cause failure probabilities, the identification of any internal flooding initiating events, and the analysis of equipment survivability under the expected accident conditions.

1.4.1 Data Analysis

The purpose of the data analysis task was to collect data and obtain realistic estimates of the failure rates and unavailabilities of basic components of the IPE. Random failure rates (including failure probabilities per demand), unavailabilities due to maintenance, and common cause failure rates were the basic quantities that were evaluated extensively in the data analysis task.
At the onset of the data collection task, important key components were identified as "likely to dominate" or "have an important impact on" core damage frequencies, based on knowledge of previous PRAs. The list of key components for the Dresden IPE defined the scope of the intensive phase of the plant-specific data collection effort. The key component approach permitted resources to be focused on the most important failures and unavailabilities. Failure and unavailability data for non-key components was obtained from generic data sources.

The failure and component unavailability data collected for the Dresden IPE spanned the period of January 1, 1984 through 1990. The most recent 7 year period (i.e., 1984 through 1990) gives failure rate and unavailability results that come the closest to the current true state of unreliability of the key components. Plant-specific data was collected from the operating records of both units and was combined to form one data base. No significant differences between the components of Unit 2 and Unit 3 were identified; therefore, no basis was found for pursuing the hypothesis that the unreliability of Unit 2 components could be different from the unreliability of Unit 3 components.

Failure rates were calculated as point-estimate values. An hourly failure rate is defined as the number of failures that occur during a particular period of component operation divided by the operating hours of the component. This type of point estimate was used to calculate the failure rates of pumps and diesel generators failing to run. The demand failure rate is the number of failures during a particular period of time divided by the number of component demands that occurred during the same period. This type of point estimate was used to calculate the failure rates of components failing to start, and motor-operated valves failing to open or close.

The boundaries of each component were also considered in the screening of failures and maintenance events. For example, circuit breakers and handswitches were included within the boundaries of pumps, and failures of the subcomponents were counted as failures of the pump.

NUREG/CR-2815 was the primary source of generic failure rate data. NUREG/CR-2815 was the first source consulted and was used except in cases where it did not provide data for the particular failure mode needed or where some other source was determined to provide more relevant data. NUREG/CR-4550 was the primary source of generic maintenance unavailability data. Generic data were obtained from other industry sources for use in this task, including IEEE Std. 500-1984 and WASH-1400.

Testing was found to affect the unavailability of only a few systems analyzed (Isolation Condenser and Anticipated Transient Without Scram systems). These unavailabilities were calculated from the test frequencies and their average durations based on Dresden-specific experience and documentation.

1.4.2 Success Criteria

For the Dresden IPE/AM project, a large number of plant specific analyses were performed to define the 'success criteria' for the Dresden model. These analyses were performed using computer codes and hand calculations.
In order to develop the success criteria, the following definitions of success related to core cooling (prevention of core damage) and containment integrity (prevention of containment failure) were used.

Core Cooling Success

Core cooling is defined as being successful if the hottest fuel temperature never exceeds 4040°F. This temperature corresponds to the melting temperature of the U-Zr-O eutectic formed during core degradation.

Containment Integrity Success

If the containment pressure exceeds the allowable pressure at the given drywell shell temperature, containment failure is assumed, and release of fission products from the containment, beyond that associated with normal leakage, is initiated.

Using the broad definitions of successful core cooling and containment integrity, the success criteria for systems, components and operator actions were developed. These success criteria can be grouped into support systems, PRT systems, operator actions and equipment survivability.

Support System Event Tree Model Development

Analyses performed previously by CECo were used to show that the failure of the reactor building HVAC system does not lead to the failure of equipment modeled in the PRTs and therefore does not need to be included in the Support System Event Tree.

Systems Analysis and Plant Response Tree Development

Extensive analyses were performed to support the development of the PRTs. These analyses determined which systems and combinations of systems are required to prevent core damage and containment failure, and the specific success criteria for the different systems in each sequence on the PRTs. The analyses also were used to determine the mission times to be used in the systems analyses. Extensive analyses were also performed to determine the definition of the Loss-of-Coolant break ranges.

Human Reliability Analysis

The MAAP code was used to develop realistic times available to complete operator actions modeled in the PRTs, based on the Dresden EOPs. This timing information was then used in the HRA analyses.

Equipment Survivability Analyses

Analyses were performed to predict the reactor building response following an interfacing system LOCA outside containment, specifically the rupture of low pressure LPCI piping.
COMPACT was used for the reactor building analysis and MAAP was used to predict containment and RCS responses for the equipment survivability evaluations.

1.4.3 Human Reliability Analysis

The Human Reliability Analysis (HRA) for the Dresden IPE consists of two phases. The Phase 1 HRA effort developed and quantified the Human Error Probabilities (HEPs) for plant operator actions modeled in the PRTs and fault trees, and included cognitive errors in the diagnosis process and recovery errors in the checking process. The Phase 2 HRA was an expert judgement method in which the Phase 1 results were verified/validated by discussing operator actions with Dresden training personnel and by observing a set of selective operator actions at the Dresden simulator. Both the Phase 1 and the Phase 2 HRA are complementary to each other and reinforce the final HRA results.

The Techniques for Human Error Rate Prediction (THERP) method was chosen for the Phase 1 HRA. The THERP method is not a "model" in the usual sense of a hypothetical analogy. In the Phase 1 HRA, it was treated as a form of Boolean modeling which represents operator behavior by simple equations dealing with plant equipment parameters, human redundancy, training, stress levels, etc. It is a relatively simple method to identify and quantify human error probabilities, and to evaluate the degradation of a man-machine system likely to be caused by human errors alone, by operational procedures and plant practices, or by other human characteristics that influence plant operator's behavior. The implementation of the THERP method is similar to the application of fault tree methodology: first, it breaks an operator action into subtasks similar to various events in a fault tree; the subtasks are then assembled together through the use of ANDed or ORed operations similar to "AND" or "OR" Boolean operations in a fault tree application.

The subtask analysis was the first step in the Phase 1 HRA methodology. This step was performed after the Plant Response Trees (PRTs) were fully developed. In the subtask analysis, all operator actions identified by PRT analysts were broken down into specific operator steps per Dresden procedures or job performance measures; those steps which are absolutely necessary for the operator actions to be successful were included in the HRA model. All operator actions identified by fault tree analysts pertaining to system alignment were also broken down into operator steps in the same fashion.

The quantification of subtasks was the next step in the Phase 1 HRA methodology. This step was achieved by mathematical presentation and conversion of all independent, conditional and joint operator steps into HEPs. In the conversion process, HRA analysts determined five probabilistic parameters (error of commission, omission, and detection; recovery, and failure to use procedures, if applicable). Performance shaping factors (PSFs) were used to modify the nominal HEPs; the nominal HEPs were taken from NUREG/CR-1278 (Swain Handbook).
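A sketch of the Phase 1 quantification described above, as an added example that is not part of the Dresden submittal or CECo's HRA model: subtasks are combined through AND/OR gates, nominal HEPs are scaled by a PSF, and checker recovery is credited with the THERP dependence equations from NUREG/CR-1278. The subtask names, HEP values, PSF multipliers and dependence levels are constructed for illustration, and treating a PSF as a simple multiplier is an assumption.

```python
"""THERP-style HEP quantification sketch (added example, constructed inputs)."""
from dataclasses import dataclass
from math import prod
from typing import Optional

# THERP dependence equations (NUREG/CR-1278): conditional probability that a
# second person (the checker) also fails, given the checker's basic HEP n.
DEPENDENCE = {
    "zero": lambda n: n,
    "low": lambda n: (1 + 19 * n) / 20,
    "moderate": lambda n: (1 + 6 * n) / 7,
    "high": lambda n: (1 + n) / 2,
    "complete": lambda n: 1.0,
}


@dataclass(frozen=True)
class Subtask:
    """One operator step: nominal HEP, PSF multiplier, optional checker."""
    name: str
    nominal_hep: float
    psf: float = 1.0                      # assumed to act as a multiplier
    checker_hep: Optional[float] = None   # None means no recovery credit
    dependence: str = "zero"

    def hep(self) -> float:
        if not 0.0 <= self.nominal_hep <= 1.0 or self.psf <= 0.0:
            raise ValueError(f"bad inputs for subtask {self.name!r}")
        # A PSF can never push a probability above 1.
        p = min(1.0, self.nominal_hep * self.psf)
        if self.checker_hep is None:
            return p
        # The error stands only if the checker also fails to catch it.
        return p * DEPENDENCE[self.dependence](self.checker_hep)


def evaluate(node) -> float:
    """Evaluate a tree whose leaves are Subtasks and whose inner nodes are
    ("AND", [children]) or ("OR", [children]); returns failure probability.
    Gate inputs are treated as independent of each other."""
    if isinstance(node, Subtask):
        return node.hep()
    gate, children = node
    probs = [evaluate(child) for child in children]
    if gate == "AND":    # every input must fail
        return prod(probs)
    if gate == "OR":     # any single failed input fails the action
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate {gate!r}")


# Constructed breakdown of a hypothetical "initiate cooling" action.
MISS_ALARM = Subtask("miss annunciator (detection)", 1e-2, psf=2.0)
MISS_CUE = Subtask("miss procedure cue (detection)", 5e-2)
OMIT_STEP = Subtask("omit procedure step (omission)", 3e-3,
                    checker_hep=0.1, dependence="moderate")
WRONG_SWITCH = Subtask("select wrong switch (commission)", 1e-3, psf=2.0,
                       checker_hep=0.1, dependence="high")

# The action fails if both cues are missed, or a step is omitted, or the
# wrong switch is operated.
ACTION_TREE = ("OR", [("AND", [MISS_ALARM, MISS_CUE]), OMIT_STEP, WRONG_SWITCH])

if __name__ == "__main__":
    for task in (MISS_ALARM, MISS_CUE, OMIT_STEP, WRONG_SWITCH):
        print(f"{task.name:35s} {task.hep():.3e}")
    print(f"{'action HEP':35s} {evaluate(ACTION_TREE):.3e}")
```

The dependence level matters more than the checker's own HEP: with a basic checker HEP of 0.1, high dependence leaves 55% of errors uncaught, while zero dependence would leave only 10%.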
The Phase 2 HRA was an expert judgement method in which the Phase 1 results were verified or validated by discussing selected operator actions with Dresden training instructors and by observing a set of selected operator actions at the Dresden simulator. In addition to the verification/validation of the Phase 1 results, several potentially viable recovery factors associated with slack time were extensively studied. The Phase II HRA results were incorporated into the IPE quantification process.

1.4.4 Common Cause Analysis

"Common cause" describes multiple failures of functionally identical components due to a single, shared cause. Common cause analysis (CCA) evaluates the effects of these dependencies that may affect the ability of a system to prevent or mitigate a severe accident. The Dresden CCA modeled common cause failures at the basic event level, employing the Multiple Greek Letter (MGL) method as defined in NUREG/CR-4780, "Procedures for Treating Common Cause Failure in Safety and Reliability Studies."

The evaluation of Dresden failure data indicated that there had been no common cause events at the Dresden site applicable to current maintenance and operating practices. As a result, to more realistically model current experience at Dresden, a Dresden-specific evaluation of common cause failure events was performed. Dresden-specific common cause parameters were developed for components that had data available, including the following:

- Circuit Breakers
- Check Valves
- Service Water Pumps
- Diesel Generators
- Motor-operated Valves
- Relief Valves
- HPCI Room Coolers
- Fans

A generic common cause failure database was developed from EPRI NP-3967, "Classification and Analysis of Reactor Operating Experience Involving Dependent Events", supplemented with events from the September 1990 EPRI draft report, "A Database of Common Cause Events for Risk and Reliability Evaluations". A four-member expert judgement panel reviewed data from the generic common cause failure database for applicability to CECo plants. The expert panel came to a consensus opinion on each generic common cause event's applicability to Dresden, based upon current Dresden system configuration, and maintenance and operating practices. Events involving known common cause mechanisms addressed by specific programs in place at Dresden were discarded from the database, as were common cause events that occurred due to specific system configurations not present at Dresden. Events involving common cause mechanisms that have been addressed in general by maintenance or operating practices at Dresden were assigned a lesser probability of occurrence based on judgement of the panel.
An average common cause component group was quantified from a composite of all the common cause failures for all components in the database. Use of the parameters calculated for this average common cause group was extended to components that have no history of common cause failure, but were judged by the analyst to have some potential for common cause failure. The common cause contribution for the following components was calculated using the average MGL values:

- Relays, including contacts and coils
- Switches, including temperature, level, and pressure switches
- Dampers
- Explosive valves
- Solenoid-operated valves
- Diesel-driven pumps
- Strainers and filters
- Stop check valves
- Timing relays

In general, the components included in this list were judged to be less complex than the components in the database and thought to have less potential for common cause failure mechanisms. Therefore, assignment of the average common cause parameters is judged to be realistic.

1.4.5 Internal Flooding Analysis

The internal flooding analysis was performed to identify potential sources of flooding and spraying from pipe breaks internal to Dresden Station, and the event sequences associated with these sources that could potentially lead to core damage. Pipe, tank, and valve ruptures, etc., could lead to flooding and/or spraying of plant equipment, resulting in failures that could trip the reactor and impair the operation of equipment needed to safely shut down the plant. The impact of the potential flooding/spraying was assessed to assure that all potential core damage sequences of high probability would be identified.

Much of the information needed for the analysis was taken from the Safe Shutdown Report (SSR) prepared in response to the requirements of 10 CFR Part 50, Appendix R. The fire zones developed for the SSR were found to be acceptable for use as flooding zones. The list of equipment necessary for safe shutdown developed for the SSR was used for the internal flooding analysis as well.

Additional information was collected during plant walkdowns. This included investigation of the potential flooding and spraying sources, the equipment that would be affected by these sources, the potential for flooding propagation between areas, and flood mitigation features in the various areas. The walkdowns encompassed those areas judged to be of possible significance in terms of core damage potential in a flooding zone screening process.
Flooding events such as pipe, valve, and tank breaks or ruptures are sufficiently infrequent to be unimportant as trip initiators alone. Only if the same flooding event also degrades safe shutdown capability will the potential for core damage become significant.

The information gathered was used to analyze the flooding zones with the potential to result in equipment failures that could lead to core damage. Many zones were found to have drainage adequate to mitigate the effects of any flooding that could affect the zone. The potential for flood propagation to other zones and the potential for water spray to result in equipment failure was investigated. Shielding and distance from potential spray sources was also considered in the evaluation, as well as the qualification of equipment for operation in adverse environments.

All of the flooding zones except for the Unit 2 and 3 Turbine Building Condensate Pump Rooms were eliminated from consideration during the qualitative analysis. The frequency for flooding occurring in the Condensate Pump rooms is approximately 1.2E-02 per year. This event would be similar to a loss of feedwater transient which is already considered in the evaluation of transient events. This contribution to the transient initiator is probabilistically insignificant in comparison with the transient initiator frequency.

1.4.6 Equipment Survivability

As part of the Dresden IPE, equipment important for prevention of core damage and/or containment failure was evaluated for survivability during the range of accident conditions postulated in the IPE. To accomplish this task, the Dresden equipment survivability study was divided into three phases:

- Phase I: Support State and Fault Tree Assumptions
- Phase II: IPE Conditions
- Phase III: Accident Management/Core Damage Conditions

For Phase I of the study, the assumptions regarding support equipment in the support state and fault tree models were reviewed. Analyses were then completed, as necessary, to verify the assumptions. All support state and fault tree assumptions were confirmed by this analysis.

Phase II of the study involved a review of all Plant Response Trees (PRTs) for a determination of the components (including instrumentation) important in achieving 'successful' end states. The limiting conditions, with respect to the PRTs, were then identified for each piece of equipment and a survivability evaluation was completed. The results of the Phase II investigation show that all components that are modeled in the PRTs would be available for the appropriate accident sequences.

Phase III of the study will consider the equipment identified for accident management purposes. This will include the equipment needed for post-24 hour accident management to maintain the plant in a safe, stable state (i.e., a SAM endstate); the equipment needed for containment accident management following a core damage event; and any other equipment which is identified for the overall CECo accident management program. The Phase III effort is beyond the scope of the IPE and will be included in the implementation portion of the CECo accident management program for Dresden Station.

1.4.7 Source Term Analysis

Any sequence of events that causes core damage may result in a release of radioactivity to the environment in excess of design-basis limits. Such radioactivity releases are possible whether or not the containment building remains intact, because no structure is perfectly leak-tight. The amount of radioactivity that may be released from the containment building if core damage occurs is sequence-dependent and strongly influenced by the size and complexity of the flow paths out of the building. The amounts of radioactivity released from containment, reported as various isotopes, constitute the so-called source term for an accident sequence.

The purpose of a source term analysis is to quantitatively estimate the masses of the various fission products that are released from the containment structure for the PRT end-states (or sequences) that result in core damage. Performing actual source term calculations for each sequence is an impossibility, however, given the large number of sequences defined by the PRTs. Thus, the scope of the source term analysis was limited to a consideration of the 100 highest-frequency sequences. The number of fission product release calculations performed was further reduced by binning the 100 highest-frequency sequences according to each unique combination of their 3rd and 4th PDS designator letters. Since these two PDS designator letters describe functional failures, accident progression, and fission product release path after core damage in great detail, differences between the containment behavior and fission product releases for sequences within a bin should be enveloped by the precision of the analysis for these sequence characteristics.

A total of seven source term bins were identified from the 100 highest-frequency sequences.
A large majority of these sequences belong to two bins; these sequences are characterized by containment failure predicted to occur between 25 and 48 hours after the start of the sequence. For one of the remaining source term bins, drywell sprays and suppression pool cooling operate and prevent containment failure within 48 hours. For the other remaining source term bins, containment failure was predicted to occur within 24 hours of the start of the sequence. Several sequences within this latter group were considered which had low frequencies and potentially large consequences: a station blackout without AC power recovery, an ATWS with wetwell venting and wetwell failure, and an ATWS with drywell failure.

1.5 IPE Results

This section provides a discussion and explanation of the Dresden IPE accident sequence results. First, traditional results based on the mission time of 24 hours are reported: overall core damage frequency, with a subsequent breakdown of core damage frequency by initiating event, Plant Damage State, containment status, equipment/operator failures, and sequences. Then, an innovative aspect of the Dresden IPE/AM program is reported: the frequency of occurrence of so-called Accident Management (AM) sequence endstates.

In the Dresden IPE/AM Program, two types of AM sequences have been defined. "Success with Accident Management" or "SAM" endstates have been defined for sequences with no core damage within 24 hours, but requiring accident management actions after 24 hours to assure continued long-term core cooling. "Containment success with Accident Management" or "CAM" endstates have been defined for sequences with core damage and no containment failure within 24 hours, but requiring accident management actions after 24 hours to assure continued long-term containment integrity. The method used for classifying sequences in the Dresden IPE/AM project is shown in Table 1.5-1.

1.5.1 Summary of Results

The core damage frequency for Dresden Station is 1.85E-05/yr. Of this total, the frequency of core damage and containment success is 2.1E-06/yr. The remainder of the core damage frequency would result in fission product releases due to venting the containment or containment failure (or both), that exceed normal containment leakage.

The core damage frequency (CDF) and the initiating event frequency are shown in Table 1.5.1-1 by initiating event. As can be seen from this table, over 94.5% of the CDF comes from four initiating events with one single initiator contributing 60.2%. The other initiating events contribute about 5% of the total core damage frequency. The top contributor to core damage frequency is Loss of DC Power at 60.2% followed by Single Unit Loss of Offsite Power at 19.9%.

The core damage frequency by "plant damage state" is shown in Table 1.5.1-2. As can be seen from this table, a large number of the plant damage states involve a failure of the Suppression Pool Cooling (SPC) function. In fact, over 81% of the top 94.5% contribution to the CDF involve plant damage states with a loss of the SPC function.
This is primarily attributed to loss of DC Power combined with either SPC hardware failures or failure of the operator to establish SPC.

The plant damage states shown in Table 1.5.1-2 also provide an indication of the capability of the plant to contain radioactive fission products within the plant boundaries. For core damage sequences, 11.2% of the CDF is represented by sequences in which the containment is intact and not vented. These sequence plant damage states are represented by the letters B, M, or G in the fourth position. The vented-and-failed states (representing controlled releases through one of the vent paths prior to containment failure) compose 82.3% of the CDF and are those states having L, O, or P in the fourth position of the endstate designator. These two sequence groups combined represent 94.0% of the CDF.
Containment failures are represented by plant damage states in which the containment fails after having been previously vented or in which the containment fails directly due to high pressure. Sequences represented by "O" are vented-and-failed sequences contributing 84.2% to the CDF. Late high temperature/pressure containment failures ("X" or "Y") contribute 1.5%. Rapid containment failures compose 2.9% of the CDF and are represented by N, Q, R, S, T, U, or V endstate designators in the fourth position.

TABLE 1.5-1 SEQUENCE CLASSIFICATION METHOD

| SEQUENCE CLASSIFIED AS | CD (0 to 24 HR) | Vent (0 to 24 HR) | CF (0 to 24 HR) | CD (> 24 HR) | Vent (> 24 HR) | CF (> 24 HR) | Noble Gas AT 24 HR | Volatile AT 24 HR | Noble Gas AT 48 HR | Volatile AT 48 HR |
|---|---|---|---|---|---|---|---|---|---|---|
| SUCCESS | NO | NO | N/A | NO | NO | N/A | 0 | 0 | 0 | 0 |
| SUCCESS WITH ACCIDENT MANAGEMENT (SAM) | NO | NO | N/A | YES | NO | N/A | 0 | 0 | | |
| CORE DAMAGE, CONTAINMENT VENTED AND INTACT | YES | YES | NO | YES | YES | NO | ~25% | ~0.01% | ~100% | ~0.01% |
| CORE DAMAGE, CONTAINMENT VENTED AND INTACT (POSSIBLE CAM) | YES | YES | NO | YES | YES | YES | ~25% | ~0.01% | ~100% | ~10% |
| CORE DAMAGE, CONTAINMENT NOT VENTED AND INTACT (POSSIBLE CAM) | YES | NO | NO | YES | NO | YES | 0 | 0 | ~100% | ~10% |
| CORE DAMAGE, CONTAINMENT VENTED AND FAILS | YES | YES | YES | YES | YES | YES | ~100% | ~10% | ~100% | ~10% |
| CORE DAMAGE, CONTAINMENT NOT VENTED AND FAILS | YES | NO | YES | YES | NO | YES | ~100% | ~10% | ~100% | ~10% |

The last four columns give the APPROXIMATE SOURCE TERM MAGNITUDE.

CD = Core Damage
Vent = Wetwell vent operated in accordance with the EOPs within 24 hours
CF = Containment Failure
N/A = Not Applicable
= Not Estimated
CAM = Containment success with Accident Management

Note: A sequence is designated as "core damage" if core damage is predicted to occur within 24 hours, in accordance with the traditional approach. Similarly, a sequence is designated as "containment intact" if containment failure is not predicted to occur within 24 hours, in accordance with the traditional approach.

1. LOSP = Loss of Offsite Power
2. LOCA = Loss of Coolant Accident
3. ATWS = Anticipated Transient Without Scram
4. IORV = Inadvertent Open Relief Valve
5. ISLOCA = Interfacing System LOCA

TABLE 1.5.1-2 CORE DAMAGE FREQUENCY BY PLANT DAMAGE STATE

| STATE | DESCRIPTION | FREQUENCY | PERCENT CONTRIB |
|---|---|---|---|
| DLCO | Loss of DC Power with late core damage (6-24 hours) and SPC fails | 1.06E-05 | 57.2 |
| LLCO | Loss of Offsite Power (single or dual unit) with late core damage (6-24 hours) and SPC fails | 3.27E-06 | 17.7 |
| MLCO | Medium LOCA with late core damage (6-24 hours) and SPC fails | 7.56E-07 | 4.1 |
| MEAS | Medium LOCA with early core damage (0-2 hours), high pressure makeup fails and operator fails to depressurize | 6.20E-07 | 3.3 |
| BLAB | Station Blackout with late core damage (6-24 hours), operator fails to recover offsite power and keep IC online with or without low pressure makeup failure | 6.02E-07 | 3.3 |
| LIAS | Loss of Offsite Power (single or dual unit) with core damage at 2-6 hours, failure to makeup to IC, loss of high pressure makeup, operator fails to depressurize and recover offsite power | 4.45E-07 | 2.4 |
| TEEQ | ATWS with early core damage (0-2 hours) with failure to trip recirc pumps or failure to inject SLC | 4.14E-07 | 2.2 |
| DIBO | Loss of DC Power with core damage at 2-6 hours, LPCI and CS fails | 3.07E-07 | 1.7 |
| BLAY | Station Blackout with late core damage (6-24 hours), operator fails to recover offsite power and keep IC on line | 2.81E-07 | 1.5 |
| TLCO | Transient event with late core damage (6-24 hours), IC or makeup to IC failure, FW failure, and SPC failure | 2.16E-07 | 1.2 |
| ILCO | Inadvertent open relief valve with core damage late (6-24 hours), and SPC fails | 1.77E-07 | 1.0 |
| TOTAL | | 1.77E-05 | 95.5% of total CDF |

Table 1.5.1-3 identifies the key contributors, both hardware failures and operator errors, for each of the top 23 core damage sequences. These 23 sequences contribute approximately 79% to the CDF.

The core damage frequency of 1.85E-05 for Dresden is dominated (44.2% of CDF) by sequence #1, loss of DC initiating event and subsequent loss of suppression pool cooling, leading to late (6-24 hours) core damage. The loss of DC initiator contributes 60.2% of the CDF. The single-unit loss of offsite power initiator contributes 19.9% of the CDF, the Medium LOCA contributes 7.5% and the dual-unit loss of offsite power contributes another 6.9%. The loss of DC and loss of offsite power initiators combined contribute 87% of the CDF. The medium LOCA initiator contributes another 7.5% and these top 4 initiators contribute 94.5% of the CDF. The top 19 accident sequences are composed of these 4 top initiators. The top 13 sequences have individual contributions greater than 1% of the CDF, and from sequences numbered #14 and higher the contributions are less than 1% and the distribution of sequence frequencies becomes nearly flat.

These results show a significant contribution to CDF from support systems, specifically DC and AC power. Also, there is a significant contribution to CDF from suppression pool cooling failure. There is a minor contribution from operator actions such as failure to initiate suppression pool cooling, makeup to the isolation condenser, or depressurize. Most of the CDF occurs late (6-24 hours), which would allow for recovery actions not included in the model.
Containment rapid high-pressure failure contribution is small (11 of the top 100 sequences, all composed of ATWS sequences); however, containment venting and subsequent failure occurs in 70 of the top 100 sequences. In 19 of the top 100 sequences, the containment is intact without venting.

1.5.2 AM Endstates

SAM Endstates - The SAM endstates occur with a cumulative frequency of 7.39E-07. The 15 accident sequences with highest frequency of a SAM endstate represent 91% of the total SAM frequency; these 15 are presented in Table 1.5.2-1. Based on a review of the dominant sequences with a SAM endstate, a set of possible accident management strategies to bring the plant to a long term safe, stable state can be developed. Since a relatively long time is available for accident management activities for the SAM endstates, the possible accident management activities include both repair of unavailable equipment and the implementation of alternate methods of achieving a safe, stable state. The information developed from the review of the SAM sequences represents input to the Accident Management Program for Dresden Station, for sequences which otherwise would progress to core damage at a time beyond 24 hours after the initiating event.
TABLE 1.5.1-3 KEY CONTRIBUTORS TO DOMINANT ACCIDENT SEQUENCES

| SEQUENCE | EVENT | NODE | DESCRIPTION OF KEY CONTRIBUTORS |
|---|---|---|---|
| 1 | LDC | SPC | One train unavailable due to loss of AC and other train fails due to MOV failures. |
| 2 | LDC | OSPC | Operator omission of procedure steps to initiate SPC or failure to acknowledge alarm. |
| 3 | MLOCA | OSPC | Operator omission of procedure steps to initiate SPC or failure to acknowledge alarm. |
| 4 | LOSP | DGB | Failure of DG 2/3 to start or run, or maintenance unavailability. |
| | | 24 | Failure of Bus 24 due to operator failure to align to Bus 24-1. |
| | | OMUP | Operator fails to provide makeup to IC by failing to start clean demineralized water pump or by selecting wrong switch for pumps or valves. |
| | | ROP1 | No credit is taken for recovering offsite power if some source of onsite power is available. |
| | | SPC | SPC is failed because Busses 23 and 24 are unavailable to run the CCSW pumps. |
| 5 | MLOCA | OAD | Operator failure misreading reactor vessel water level or omission of step in depressurization procedure. |
| | | HP2 | Failure of HPCI pump to start or run. |
| 6 | LOSP | DGB | Failure of DG 2/3 to start or run, or maintenance unavailability. |
| | | 24 | Failure of Bus 24 due to operator failure to align to Bus 24-1. |
| | | MUP | Failure of MOV 2-4399-74, diesel driven pump, and electric pump. |
| | | ROP1 | No credit is taken for recovering offsite power if some source of onsite power is available. |
| | | SPC | SPC is failed because Busses 23 and 24 are unavailable to run the CCSW pumps. |
TABLE 1.5.1-3 (Continued) KEY CONTRIBUTORS TO DOMINANT ACCIDENT SEQUENCES

| SEQUENCE | EVENT | NODE | DESCRIPTION OF KEY CONTRIBUTORS |
|---|---|---|---|
| 7 | DLOSP | DGB | Failure of DG 2/3 to start or run, or maintenance unavailability. |
| | | DG2 | Common cause failure to start or run of DG2. |
| | | DG3 | Common cause failure to start or run of DG3. |
| | | SBO | Station blackout occurs in Unit 2 and Unit 3. |
| | | ROP1 | Failure to recover offsite power within 4 hours to prevent core damage. |
| | | OIC2 | No credit is taken for the operator to prevent loss of DC failure of IC due to no current procedure. |
| 8 | LOSP | DGB | Failure of DG 2/3 to start or run, or maintenance unavailability. |
| | | OMUP | Operator fails to provide makeup to IC by failing to start clean demineralized water pump or by selecting wrong switch for pumps or valves. |
| | | ROP1 | No credit is taken for recovering offsite power if some source of onsite power is available. |
| | | SPC | One train unavailable due to loss of AC and other train fails due to MOV failures. |
| 9 | LDC | HP1 | Failure of HPCI pump to start or run, or maintenance unavailability. |
| | | SPC | One train unavailable due to loss of AC and other train fails due to MOV failures. |
| 10 | MLOCA | HP1 | Failure of HPCI pump to start or run, or maintenance unavailability. |
| | | OAD | Operator failure misreading reactor vessel water level or omission of step in depressurization procedure. |
| 11 | MLOCA | SPC | Common cause failure of system due to plugging or common cause MOV failures. |
| 12 | LDC | SPC | One train unavailable due to loss of AC and other train fails due to MOV failures. |
| | | SVW | Failure of SBGT system fan to run or maintenance unavailability. |
| | | SVD | Failure of SBGT system fan to run or maintenance unavailability. |
TABLE 1.5.1-3 (Continued) KEY CONTRIBUTORS TO DOMINANT ACCIDENT SEQUENCES

| SEQUENCE | EVENT | NODE | DESCRIPTION OF KEY CONTRIBUTORS |
|---|---|---|---|
| 13 | LOSP | OMUP | Operator fails to provide makeup to IC by failing to start clean demineralized water pump or by selecting wrong switch for pumps or valves. |
| | | HP1 | Failure of HPCI pump to start or run, or maintenance unavailability. |
| | | OAD | Operator failure dependent upon previous OMUP failure. |
| | | ROP1 | No credit is taken for recovering offsite power if some source of onsite power is available. |
| 14 | DLOSP | DGB | Failure of DG 2/3 to start or run, or maintenance unavailability. |
| | | DG2 | Common cause failure to start or run of DG2. |
| | | DG3 | Common cause failure to start or run of DG3. |
| | | SBO | Station blackout occurs in Unit 2 and Unit 3. |
| | | ROP1 | Failure to recover offsite power within 4 hours to prevent core damage. |
| | | OIC2 | No credit is taken for the operator to prevent loss of DC failure of IC due to no current procedure. |
| | | ROP2 | Failure to recover offsite power within 6 hours (given offsite power was not recovered by 4 hours) to prevent containment failure. |
| 15 | LOSP | DGB | Failure of DG 2/3 to start or run, or maintenance unavailability. |
| | | DG2 | Common cause failure to start or run of DG2. |
| | | 241 | Failure of Bus 24-1 due to failure of operator to crosstie to Bus 34-1. |
| | | SBO | Station blackout occurs in Unit 2. |
| | | ROP1 | Failure to recover offsite power within 4 hours to prevent core damage. |
| | | OIC2 | No credit is taken for the operator to prevent loss of DC failure of IC due to no current procedure. |
| 16 | LDC | 241 | Failure of Bus 24-1 due to failure of feeder breaker from Bus 24. |
| | | LP | Failure of LP due to loss of Busses 23-1 and 24-1. |
| | | CS | Failure of CS due to loss of Busses 23-1 and 24-1. |
TABLE 1.5.1-3 (Continued) KEY CONTRIBUTORS TO DOMINANT ACCIDENT SEQUENCES

| SEQUENCE | EVENT | NODE | DESCRIPTION OF KEY CONTRIBUTORS |
|---|---|---|---|
| 17 | LOSP | OMUP | Operator fails to provide makeup to IC by failing to start clean demineralized water pump or by selecting wrong switch for pumps or valves. |
| | | ROP1 | No credit is taken for recovering offsite power if some source of onsite power is available. |
| | | SPC | Common cause failure of system due to plugging or common cause MOV failures. |
| 18 | LOSP | DGB | Failure of DG 2/3 to start or run, or maintenance unavailability. |
| | | 24 | Failure of Bus 24 due to operator failure to align to Bus 24-1. |
| | | ICH1 | IC failure due to failure of return MOV 2-1301-3. |
| | | ROP1 | No credit is taken for recovering offsite power if some source of onsite power is available. |
| | | SPC | SPC is failed because Busses 23 and 24 are unavailable to run the CCSW pumps. |
| 19 | LOSP | 23 | Failure of Bus 23 due to operator failure to align to Bus 23-1. |
| | | 24 | Failure of Bus 24 (given operator failed to align Bus 23) due to operator failure to align to Bus 24-1. |
| | | OMUP | Operator fails to provide makeup to IC by failing to start clean demineralized water pump or by selecting wrong switch for pumps or valves. |
| | | ROP1 | No credit is taken for recovering offsite power if some source of onsite power is available. |
| | | SPC | SPC is failed because Busses 23 and 24 are unavailable to run the CCSW pumps. |
| 20 | IORV | FW | Operator fails to control level causing pump trip. |
| | | OSPC | Operator omission of procedure steps to initiate SPC or failure to acknowledge alarm. |
TABLE 1.5.1-3 (Continued) KEY CONTRIBUTORS TO DOMINANT ACCIDENT SEQUENCES

| SEQUENCE | EVENT | NODE | DESCRIPTION OF KEY CONTRIBUTORS |
|---|---|---|---|
| 21 | LDC | HP1 | Failure of HPCI pump to start or run, or maintenance unavailability. |
| | | OAD | Operator failure misreading reactor vessel water level or omission of step in depressurization procedure. |
| 22 | LOSP | 23 | Failure of Bus 23 due to operator failure to align to Bus 23-1. |
| | | 24 | Failure of Bus 24 (given operator failed to align Bus 23) due to operator failure to align to Bus 24-1. |
| | | MUP | Failure of MOV 2-4399-74, diesel driven pump, and electric pump. |
| | | ROP1 | No credit is taken for recovering offsite power if some source of onsite power is available. |
| | | SPC | SPC is failed because Busses 23 and 24 are unavailable to run the CCSW pumps. |
| 23 | ATWS | MC | Main condenser unavailable. |
| | | RCFM | Control rod mechanical failure. |
| | | AT | ATWS system actuation of recirc pump trip fails. |
TABLE 1.5.2-1 KEY CONTRIBUTORS TO "SAM" ACCIDENT SEQUENCES

| SEQUENCE | EVENT | NODE | DESCRIPTION OF KEY CONTRIBUTORS |
|---|---|---|---|
| 1 | ATWS | OMUP | Operator omits DEOP or action step or selects wrong equipment switch. |
| 2 | ATWS | OMUP | Operator omits DEOP or action step or selects wrong equipment switch. |
| 3 | ATWS | OMUP | Operator omits DEOP or action step or selects wrong equipment switch. |
| 4 | ATWS | OSL1, OSL2 | Operator omits DEOP or action step or selects wrong equipment switch. |
| 5 | ATWS | OMUP | Operator omits DEOP or action step or selects wrong equipment switch. |
| 6 | ATWS | MUP | Makeup to the IC fails due to MOV 2-4399-74 failure or maintenance unavailability. |
| 7 | ATWS | ICH2 | Isolation condenser cooling fails due to MOV 2-1301-3 failure or maintenance unavailability. |
| 8 | ATWS | OMUP | Operator omits DEOP or action step or selects wrong equipment switch. |
| 9 | ATWS | MUP | Makeup to the IC fails due to MOV 2-4399-74 failure or maintenance unavailability. |
| 10 | ATWS | ICH2 | Isolation condenser cooling fails due to MOV 2-1301-3 failure or maintenance unavailability. |
| 11 | ATWS | MUP | Makeup to the IC fails due to MOV 2-4399-74 failure or maintenance unavailability. |
| 12 | ATWS | ICH2 | Isolation condenser cooling fails due to MOV 2-1301-3 failure or maintenance unavailability. |
| 13 | ATWS | OMUP | Operator omits DEOP or action step or selects wrong equipment switch. |
| 14 | ATWS | MUP | Makeup to the IC fails due to MOV 2-4399-74 failure or maintenance unavailability. |
| 15 | ATWS | ICH2 | Isolation condenser cooling fails due to MOV 2-1301-3 failure or maintenance unavailability. |
In identifying the possible accident management activities which could be used for each SAM accident sequence, an important facet of the IPE study became apparent: the failed equipment PRT nodes do not include any recovery of the equipment during the first 24 hours (except AC power recovery for the loss of all AC power sequences). The fault trees for each of the failed equipment nodes for the dominant SAM sequences were reviewed to determine the dominant failure modes for the equipment. The two dominant equipment failure modes for the equipment failures leading to a SAM endstate are failure of the makeup (MUP) MOV, which can be recovered, and failure of the IC MOV (ICH2), which cannot be recovered. It is likely that the MUP MOV malfunctions would be recovered well before the 24 hour time frame. Thus, it can be concluded that if the IPE model had included recovery of failed equipment, those SAM accident sequences which result in MUP MOV failures would have been labeled success with a high frequency. Since the SAM sequences involving ICH2 MOV failures are not recoverable, the SAM frequencies for those sequences would not change significantly if recovery were modeled in the IPE. Thus, the primary accident management activities should focus on recovery of failed equipment.

The IPE analyses of human errors include the modeling of recovery from errors of commission as well as recovery from errors of omission. However, the recovery from human errors only credits personnel in the control room. The results of analysis of the human error rate indicate that the human errors which dominate the SAM accident sequences are errors of omission. The majority of these errors are recoverable at considerable times after the error has been made.
CAM Endstates - These sequences have end state designators with "AB" as the third and fourth characters. Within the top 100 core damage sequences, there are 18 sequences in this category.[1] These sequences were investigated to determine whether the containment was pressurizing, heating up, or whether conditions were stable. The type "AB" sequences, in which SPC and injection to the core debris bed continue, result in containment failure at a much later time. These sequences have a significant potential for avoiding containment failure through use of containment sprays to periodically cool the containment atmosphere, in conjunction with suppression pool cooling. If SPC fails at some time after 24 hours, several alternate sources of water to the core debris remain: the condensate storage tank, Standby Coolant Supply, and cross-connect to the unaffected unit's LPCI system. Repair of the affected unit's LPCI and CCSW systems can also return SPC and LPCI capability.

Six of the CAM sequences are Station Blackout (SBO) sequences in which offsite power is not recovered in time to prevent core melt, but is recovered in time to supply containment systems and to reduce containment failure likelihood. Likewise, SPC and injection to the core debris bed need to be maintained and used in conjunction with containment sprays to prevent containment failure.

[1] The analysis of "CO" type sequences indicates that containment structural failure due to high temperature would occur at about 27-28 hours into the event. Although potentially CAM sequences, the "CO" sequences are considered in this study to be containment failure sequences.

1.6 IPE Evaluations

1.6.1 IPE Insight Development

In the broadest sense, insights are those observations regarding the station configuration or practices which may affect the risk profile of the plant. Insights can suggest changes to enhance the capability of the plant and the plant operators to respond to an initiating event to either prevent core damage or to mitigate the consequences of core damage. Insights can also include those "good features" which have been identified during the IPE process.

The IPE insights described in this section address the capability of the existing plant (January 1991) to respond to an initiating event. IPE insights are distinguished from Accident Management Insights which deal with enhancements to the capability of the plant emergency response organization to respond to a core damage accident situation, given that it has occurred.

In order to focus the IPE analysts on the identification of IPE insights, it was necessary to develop structured guidance. The development of the guidance began with the definition of the aspects of the plant which can impact the severe accident risk profile including: plant design features, testing and maintenance activities, the EOPs and DGAs, training, and plant status information. These broad features were then correlated to the IPE work products to define the types of IPE insights which could be obtained from each task of the IPE analyses. This detailed correlation of possible plant features versus IPE work products was used to define a set of questions for each IPE task which would focus and stimulate the IPE analysts to identify insights as the tasks were being performed. Therefore, at each step of the risk assessment, analysts were systematically required to answer questions to stimulate the identification of insights.
In addition to changes to Dresden Station to improve the accident risk profile, the IPE insights also include good features of Dresden Station which contribute to its present risk profile. The IPE insights identified in the current study are, in many cases, significantly different from those identified in previous PRA studies. The primary difference is in completeness of the search for insights and the comprehensive coverage of all of the aspects of the IPE. The Dresden IPE insight development methodology prescribes the identification of insights by each analyst as the work is ongoing, instead of the process employed in previous PRA studies, which was backward looking from the IPE results.

Another aspect of the IPE insights identified during this study is the overall approach of using best estimate analyses for the accident progression and mapping the plant procedures to the accident progression to determine those operator actions which can impact the accident progression. This has resulted in a comprehensive review of the plant procedures for their impact on the progression of accidents, including core damage accidents. As a result of this review, a significant number of insights were developed relating to enhancements to the procedures, primarily to improve clarity and the likelihood that appropriate operator actions will be taken in response to plant parameters.
IPE Insight Evaluation

For each of the over 130 IPE insights developed during the IPE, a process of evaluation was followed. The first step of the process was a distillation of the insights by a "Tiger Team", composed of individuals from CECo and the IPE Partnership. The first step of the distillation consisted of verifying the technical accuracy of each of the insights. The Tiger Team then grouped all of the insights related to the same subject together for further evaluation. Groupings were performed for the following subject areas: 125VDC Power; Containment Flooding; ISLOCA; NRC Strategies; Loss of Offsite Power; Plant Procedures; Containment Performance.

At that point the insights within a group were evaluated for their effect on the risk profile of the plant. The insights with the greatest impact on the risk profile were identified. Of particular interest are those insights which provide a major benefit to risk reduction and can be implemented with minor impact to plant hardware or procedures.

A further grouping of insights was performed to facilitate the disposition of plant enhancements by CECo management. This grouping consisted of the following types of enhancements: Generic Procedure Enhancements (11% of insights), Plant Specific Procedure Enhancements (42%), Hardware Enhancements (27%), Training (6%), Information (11%) and Test & Maintenance (3%).

All of the insight evaluation information was then presented to the Senior Edison Management Review Team (SEMRT) for final evaluation and disposition. As part of their evaluation process, the SEMRT utilized the NUMARC Severe Accident Closure Guidelines (NUMARC 91-04).

1.6.2 Evaluation Against NUMARC Severe Accident Issue Closure Guidelines

The results of the Dresden IPE have been evaluated against the NUMARC Severe Accident Closure Guidelines. The guidelines were used to assess the proposed enhancements developed via insights related to severe accidents.
The first step in using the Severe Accident Closure Guidelines was to group the core damage sequences; the groupings used were those of Table B-1 of that document. The grouping was carried out for all core damage sequences down to the quantification frequency cutoff of 1E-15 for a given sequence. The following groups contain some contribution to the total core damage frequency:
| GROUP | DESCRIPTION |
|---|---|
| IA | Accident sequences involving loss of coolant inventory makeup in which the reactor pressure remains high. |
| IB | Accident sequences involving a loss of all AC power and loss of coolant inventory makeup (i.e., station blackout). |
| ID | Accident sequences involving a loss of coolant inventory makeup in which reactor pressure has been successfully reduced. |
| II | Accident sequences involving loss of containment heat removal leading to containment failure and subsequent loss of coolant inventory makeup. |
| IIIB | Accident sequences initiated or resulting in small or medium LOCAs for which the reactor cannot be depressurized and inadequate coolant inventory makeup is available. |
| IIIC | Accident sequences initiated or resulting in medium or large LOCAs for which the reactor cannot be depressurized and inadequate coolant inventory makeup is available. |
| IV | Accident sequences involving an ATWS leading to containment failure due to high pressure and subsequent loss of inventory makeup. |
| V | Unisolated LOCA outside containment leading to loss of effective coolant inventory makeup. |

The sequence numbers of the top 100 sequences included in each group are listed in Table 1.6.2-1 with the resulting mean group core damage frequency and percent contribution to the total core damage frequency. The group core damage frequency and contribution is based upon all sequences.

The core damage frequency and percent contribution to the total core damage frequency for each group were then evaluated against Tables 1 and 2 of the Severe Accident Closure Guidelines. Table 2 was used for the containment bypass sequences (group V only), and Table 1 was used for all other groups. The comparison shows that only the IA and II groupings are of interest with respect to the Severe Accident Closure Guidelines.
The IA group falls into the category in Table 1 that suggests the licensee ensure that Severe Accident Management Guidance (SAMG) is in place with emphasis on prevention/mitigation of core damage or vessel failure, and containment failure. The II group falls into the category in Table 1 that suggests the licensee perform the following:

1. Find a cost effective plant administrative, procedural or hardware modification with emphasis on eliminating or reducing the likelihood of the source of the accident sequence initiator; or
2. If unable to satisfy above response, treat in EOPs or other plant procedure with emphasis on prevention of core damage; or
3. If unable to satisfy above responses, ensure SAMG is in place with emphasis on prevention/mitigation of core damage or vessel failure, and containment failure.

These suggested actions were considered by the SEMRT in their review of potential plant enhancements.

TABLE 1.6.2-1 NUMARC SEVERE ACCIDENT CLOSURE GUIDELINES SEQUENCE GROUPING INFORMATION

| SEQUENCE GROUP | SEQUENCE NUMBERS [1] | TOTAL GROUP CORE DAMAGE FREQUENCY | % CONTRIBUTION TO TOTAL CDF |
|---|---|---|---|
| IA | 13, 21, 41, 42, 46, 57, 60, 65, 76, 93 | 5.5E-07 | 3% |
| IB | 7, 14, 15, 32, 62, 68, 88, 99 | 8.6E-07 | 5% |
| ID | 16, 26, 34, 55, 64 | 3.7E-07 | 2% |
| IV | 23, 29, 47, 52, 53, 56, 58, 61, 71, 90, 100 | 4.4E-07 | 2% |
| II | 1, 2, 4, 6, 8, 9, 12, 17, 18, 19, 20, 22, 24, 25, 27, 28, 30, 31, 33, 35, 36, 37, 38, 39, 40, 43, 44, 45, 48, 49, 50, 51, 54, 59, 63, 66, 67, 69, 70, 72, 74, 75, 77, 78, 79, 80, 81, 82, 83, 84, 85, 87, 89, 91, 92, 94, 95, 96, 97, 98 | 1.4E-05 | 74% |
| IIIB | 5, 10 | 6.1E-07 | 3% |
| IIIC | 3, 11, 73, 86 | 7.5E-07 | 4% |
| V | (None in top 100 sequences) | 4.3E-10 | <<1% |

[1] Refers to the sequence position in the ranking of core damage sequences in descending magnitude of core damage frequency.

1.6.3 Conclusions of IPE Enhancement Evaluations

The utilization of the NUMARC Severe Accident Closure Guidelines identified the need for the implementation of one or more plant enhancements at Dresden Station related to sequences in which suppression pool cooling has failed. The Tiger Team evaluation of the risk significance of the different insights showed that the greatest improvement in plant risk could be realized by implementing a procedure enhancement related to alignment of LPCI or Core Spray pump suction to the condensate storage tank when suppression pool cooling cannot be established. This enhancement allows injection to the reactor vessel to be maintained when it would otherwise be lost due to insufficient net positive suction head for the low pressure ECCS pumps as the suppression pool water is heated. Intermittent operation of LPCI or CS to control level in the reactor pressure vessel based upon the volume of water available in the CST would provide core cooling well beyond 24 hours.

The procedure enhancement relating to this plant condition has a significant impact on the sequence class requiring action by the Closure Guidelines. Commonwealth Edison has decided that this procedure change should be implemented at Dresden station. CECo has initiated actions to determine the details of implementing the change.

The frequency of the class of sequences relating to station blackout conditions fell just below the cutoff of the Closure Guidelines for requiring enhancements or accident management guidance.
However, since SBO sequences can potentially lead to significant fission product releases, CECo believes it is prudent to consider a procedural enhancement to further reduce the frequency of SBO sequences. Modifying plant procedures for loss of all AC power to instruct the plant operators to manually open the circuit breakers to the isolation condenser's 250VDC motor-operated valves prior to depletion of the 125VDC batteries would allow for continued operation of the ICs, even under extended SBO conditions. No other specific enhancements are required to satisfy the NUMARC Severe Accident Closure Guidelines.

CECo is evaluating the significant insights. The generic procedure insights are being forwarded to the BWR Owners Group for review and possible implementation. The plant specific procedure insights other than those related to meeting the Closure Guidelines are being considered. Changes in plant design or operation, including insight implementation, which may affect the risk profile will be evaluated as part of the periodic review and update of the Dresden PRA.
1.7 Accident Management

Commonwealth Edison has integrated the definition of an Accident Management (AM) Program with the performance of the IPE. The CECo AM elements are similar to those proposed by the NRC. The five elements of the CECo AM program are: Organization and Decision Making, Accident Management Guidance (Strategies), Calculational Tools, Training, and Plant Status Information. Differences from the NRC approach include the expansion of the plant instrumentation area to include vital plant information needs for AM, the expansion of AM guidance to include the interface with the site emergency plan, and the consideration of predictive and decision-making tools within the calculational tool element.

CECo believes that the management of severe accidents with potential or actual core damage, where the situation is beyond the realm of the EOPs, should be the responsibility of the emergency response organization, outside the Control Room. The CECo AM program is being developed with this philosophy.

The methodology used by CECo is a forward-looking process incorporated in each phase of the IPE work. The CECo approach encompasses the key aspects of the EPRI and NRC methodologies and employs a simultaneous "top-down" and "bottom-up" method. The top-down evaluation has logically defined the elements of an intuitive AM program framework, as described above, and identified where the various aspects of the IPE effort could support enhancement of these elements. The bottom-up approach examined the technical analysis at each of the major steps of the IPE for observations that could fall into one or more of the five AM framework elements. The search for AM insights covers all aspects of the IPE analysis, not just the dominant accident sequences. Potential and possibly subtle strategies and insights are best identified and documented while related information is actively under evaluation by the IPE analysts.
Improved understanding of the plant capability to respond to accidents and the operator response to accident symptoms is one of the most important benefits to be obtained from the Dresden IPE, and the decision to develop and evaluate AM insights at the onset of the IPE for Dresden Station has maximized this benefit.

A detailed matrix of the above AM program elements and IPE work products was used to define a set of questions for each IPE task which would focus and stimulate the IPE analysts to identify applicable AM insights as the IPE tasks were being performed. As was the case for IPE insights for plant enhancements to prevent core damage, each of the individual AM insights was evaluated by a "Tiger Team," composed of individuals from CECo and the IPE Partnership. The individual insights identified by the bottom-up approach were evaluated on their technical merit. Insights were combined, where appropriate, and a qualitative assessment was then performed.
A number of individual AM insights for Dresden Station were identified by the IPE analysts and evaluated by the Dresden Tiger Team. The distribution of insights over the elements of the AM framework was concentrated in accident management strategies and information, as expected: Organization 1%; AM Guidance 39%; AM Tools 19%; AM Training 1%; AM Information 40%.

A series of experiments performed as part of the Dresden IPE/AM program verified that submerging the bottom portion of the reactor vessel can prevent vessel failure after relocation of the damaged core to the lower head, given that the RPV support skirt is modified to allow the egress of steam. This would eliminate the subsequent postulated containment challenges related to ex-vessel phenomena such as direct containment heating, ex-vessel steam explosions, and core-concrete interactions. AM insights have identified the need for providing alternate means of achieving containment sprays to control fission product release fractions, especially under station blackout conditions.

Finally the IPE analyses have indicated the importance of being able to monitor and understand the progression of the core damage accident. As a result of these insights and work performed by NUMARC, additional computational aids and tools will be developed for the emergency response organizations. This will necessitate supplementing the current organizations with additional personnel to perform these functions and training in the use of these AM tools.

1.8 Conclusions

The Dresden IPE/AM project is believed to be one of the most comprehensive PRAs ever undertaken. It has provided a new level of understanding of the plant and its behavior under a variety of potential accidents. The realistic modeling employed in the Dresden IPE shows that Dresden Station is a very good plant with reliable systems. The Dresden EOPs are effective in responding to severe accidents, and they contribute to Dresden Station's low core damage frequency.
Dresden Station was found to have no serious weaknesses or vulnerabilities. The core damage frequency was calculated to be 1.85E-05/yr. Dresden Station is somewhat sensitive to one particular initiating event, "Loss of DC Power in One Unit." Of the total core damage frequency, 95% is spread over four initiating events; the Loss of 125VDC Power in One Unit contributes 60% toward this total. The next three types of events are Single Unit Loss of Offsite Power (20%), Medium LOCA (8%), and Dual Unit Loss of Offsite Power (7%).

The frequency of the most likely sequence, a Loss of DC Power in One Unit with subsequent failure of suppression pool cooling, is 8.2E-06/yr; this constitutes about 44% of the total core damage frequency. The next most likely sequence is identical except that the suppression pool cooling failure is due to operator error; this sequence contributes about 9% to the core damage frequency (1.7E-06/yr). The next five most likely sequences (two medium LOCAs, a dual-unit loss of offsite power leading to station blackout, and two single-unit losses of offsite power) each contribute 2% to 3% of the total.
A review of the results using Fussell-Vesely importance measures indicates that the most significant hardware contributor is the equipment used for suppression pool cooling, especially under degraded support conditions such as loss of 125VDC power, and the most significant operator contributor is the operator action to align the LPCI system for suppression pool cooling. The enhancement with the greatest potential for reducing core damage frequency relates to recovering from failure of the ability to cool the suppression pool.

A review of the IPE results against NUMARC Severe Accident Issue Closure Guidelines (NUMARC 91-04, January 1992), shows the need to investigate improvements to reduce one class of sequences--sequences involving loss of containment heat removal with a subsequent loss of coolant inventory makeup. These improvements are called for on the basis of the fraction of total core damage frequency represented by these sequences. An enhancement to procedures relating to realignment of emergency core cooling system (ECCS) pump suction successfully reduces the contribution from this class of sequences (loss of containment heat removal). With these changes implemented, Dresden Station has a core damage frequency of 3.8E-06/yr.

In accordance with the recommendations provided by the NUMARC Closure Guidelines, accident management guidance will be developed for one other class of sequences: those involving a loss of all onsite AC power (station blackout sequences). ATWS sequences also deserve specific attention, although their frequency is well below the NUMARC Closure Guidelines, due to the associated source term and because the IPE/AM insights indicate that this source term could potentially be reduced by appropriate use of drywell sprays.

The use of realistic analyses, in conjunction with modeling the EOPs, has shown that some accident sequences do not achieve core damage until well after 24 hours.
Rather than assuming that these sequences were successes, as has been done in past PRAs, these sequences were separately identified and were categorized as resulting in the success with accident management (SAM) endstate. The SAM sequences have a predicted frequency of occurrence of 7.4E-07/yr. It was found that simple actions for each of these sequences could restore the plant to a long-term safe, stable state.

The frequency of uncontrolled release caused by high pressure and/or high temperature was calculated to be 8.2E-07/yr. This frequency consisted of ATWS and station blackout events where venting would be unavailable or ineffective. Source terms in these sequences are much larger than those due to other types of accident sequences.

A significant portion of the total core damage frequency is due to sequences in which the containment is vented during the event and, though vented, fails later due to high temperature (1.5E-05/yr). Another group of sequences involves venting the containment with the containment remaining intact; these contribute 3.5E-08/yr. In yet other sequences, LPCI injection or drywell sprays are used in combination with suppression pool cooling to prevent containment failure and limit source terms to containment leakage.

The interfacing systems LOCA sequence frequency of 4.3E-10/yr at Dresden makes ISLOCA a negligible contributor to source term and plant risk. For an inerted containment, the likelihood of plant operation with a failure to isolate is extremely remote.

The Dresden IPE demonstrated that MAAP is a very useful tool for plant analysis. It was found to be of value for system success criteria and for event timing, as well as for calculation of fission product releases.
The Commonwealth Edison engineering staff has been intimately involved in the IPE process and has acted as both originator of IPE analyses and reviewer of all IPE analyses. As a result of the Integrated IPE/AM Program, the CECo PRA staff has developed a unique understanding of the behavior of the plant under accident conditions and of the total plant capabilities to respond to accidents.

As an indication of the utility of the IPE model, a proposed plant modification, the installation of additional diesel generators at the station, was evaluated to estimate its impact on plant core damage frequency. Although it was found that this modification reduces core damage frequency only minimally, the evaluation process demonstrates the utility of the IPE as an input to the plant management process.

The principal purpose of the Dresden IPE was to develop an understanding of the response of the plant to severe accidents. It accomplished this purpose. A second purpose of the Dresden IPE was to serve as the basis for an Accident Management program. The insights developed during performance of the Dresden IPE will form the basis for future development and implementation of the Dresden Accident Management program. The final results of the study support the idea that the best improvement for plant safety is a good Accident Management program.
Dresden Station INDIVIDUAL PLANT EXAMINATION SUBMITTAL REPORT Executive Summary
EXECUTIVE SUMMARY OF THE DRESDEN INDIVIDUAL PLANT EXAMINATION

OVERVIEW

The Dresden Individual Plant Examination (IPE) conducted by Commonwealth Edison and the Individual Plant Evaluation Partnership (IPEP) demonstrates that no severe accident issue requiring remedial action exists. The IPE results are well within the safety goals established by the Nuclear Regulatory Commission (NRC). The IPE concludes that Dresden Station functions well within accepted safety limits due to safety margins incorporated in the original design and to the effectiveness of the emergency procedures. The following paragraphs present more detailed information on the features and results of the IPE.

FEATURES OF THE DRESDEN IPE

The Dresden IPE is a Probabilistic Risk Assessment (PRA) study which has been integrated with an Accident Management Program. During each step of the study, there was a systematic search for insights to identify plant characteristics that are good "as-is," as well as to identify potential enhancements for improving plant safety relative to severe accidents and, in the future, for developing a Severe Accident Management Program. The study employed realistic, best-estimate analyses and realistic treatment of operator actions. The Dresden IPE incorporated a number of significant innovative features such as the following:

- The development of plant response trees (PRTs). These improvements on traditional event trees, which trace a sequence of events and subsequent actions, permitted an evaluation of the total plant response to a severe accident. Because this methodology considers the total plant response, the interface between the core damage analysis and the containment analysis is fully integrated.
- The full integration of the Dresden Emergency Operating Procedures (DEOPs) and the abnormal operating procedures. The accident progression reflected a realistic operator response and its impact on the accident consequences. Alternative recovery strategies, already included in the DEOPs, were considered as well as the total capabilities of the plant, rather than just the capabilities of the dedicated safety systems.
- The development of realistic success criteria for systems and operators based on many transient calculations which utilized the MAAP computer code. These computer analyses defined the minimum system functional requirements and the time windows for successful operator action.
- Experiments were conducted using Dresden-specific geometries to investigate lower vessel head cooling.
- The introduction of a Success with Accident Management (SAM) endstate to track and collect sequences that would progress to core damage well after the traditional 24 hour evaluation time of PRAs. In traditional PRAs, these sequences would be grouped with all of the other "success" sequences which are in a safe, stable state before 24 hours. However, Commonwealth Edison did not want to lose information to be gained from these sequences in regard to the development of an Accident Management program.

The Dresden IPE represents the plant as of the data cut-off date of January 1991. Changes in plant design or operation since that time which may affect the risk profile will be evaluated as part of the periodic review and update of the Dresden PRA - the "living PRA" process.

DRESDEN IPE RESULTS

Two basic measures of severe accident risks were employed for these studies:

- The frequency of damage to the reactor core in any given year (or core damage frequency, referred to as CDF). CDF is expressed as "chances" of core damage per year of reactor operation.
- The frequency in any given year of releases of radioactive material from the plant which could result in health risks to the population surrounding the plant. Although such offsite risks are more difficult to express, two measures can be used: (1) frequency of controlled, semi-controlled or uncontrolled releases (CRF, SCRF and URF, respectively) and (2) frequency of each type of release greater than a certain magnitude using 10CFR100 licensing criteria as a reference point, called the frequency of releases exceeding 10CFR100 (FRE100).

The IPE study produced the following statistics which provide a better appreciation of the high level of safety provided by the station design and operating practices:

- The CDF is 1.85 x 10^-5 per year or once in 54,050 years of operation.
- The CRF is 3.50 x 10^-8 per year or once in 28,000,000 years of operation.
- The SCRF is 1.56 x 10^-5 per year or once in 64,100 years of operation.
- The URF is 8.21 x 10^-7 per year or once in 1,218,000 years of operation.
- The FRE100 is 1.65 x 10^-5 per year or once in 60,700 years of operation.
The following summarizes important characteristics of the Dresden IPE analysis:

- Of the total CDF, 95% is due to four initiating events.
  - The Loss of DC Power initiator contributes 60%.
  - The Single Unit Loss of Offsite Power initiator contributes 20%.
  - The Medium Loss of Coolant Accident (LOCA) initiator contributes 8%.
  - The Dual Unit Loss of Offsite Power initiator contributes 7%.
- Thirteen accident sequences have individual contributions to the total CDF exceeding 1%.
  - A single sequence initiated by a Loss of DC Power and in which suppression pool cooling (SPC) fails to function contributes 44% of the CDF.
  - A single sequence initiated by a Loss of DC Power and in which SPC fails due to human error contributes 9% of the CDF.
  - The contribution of each of the remaining 11 sequences varies between 1% and 3% of the total CDF.
- Failure of the SPC function contributes to over 82% of the CDF. SPC failure is dominated by hardware failures during conditions of degraded DC power.
- Containment failure is associated with 89% of the total CDF.
  - Sequences accounting for 11% of the CDF result in an intact containment.
  - Sequences accounting for 84% of the CDF result in a high temperature structural failure subsequent to having vented the containment.
  - Sequences accounting for 3% of the CDF result in rapid high pressure structural failure.
  - Sequences accounting for 2% of the CDF result in late high temperature/pressure structural failure.
- Plant procedure enhancements were identified and are being implemented which will reduce the contribution to CDF due to SPC failure. These same enhancements will reduce the likelihood of containment failure by reducing the CDF.

NEW EXPERIMENTAL STUDIES

An experimental study was commissioned as part of the IPE to provide new insights to the response of the Dresden reactor and containment under severe accident conditions. The experimental program dealt with the potential for external cooling of the reactor vessel by water accumulated in containment.
During an accident, water injected into the Dresden containment, either from the accident condition or from the drywell sprays, could eventually accumulate in the containment and fill the reactor pedestal volume directly underneath the vessel. If the water can make direct contact with the vessel wall, substantial heat removal would result through the vessel, the core would remain in the vessel, and the accident progression would be terminated. Two experiments were performed: the first considered the Dresden plant geometry, complete with simulated lower RPV head and support skirt, and the second considered the same configuration with vent holes introduced into the support skirt. The first experiment showed that accumulation of steam in the skirt inhibited contact between water and the vessel, leading to relatively poor heat transfer. In the second experiment, the introduction of vent holes in the skirt allowed for good contact and heat transfer.

ENHANCEMENTS

The Commonwealth Edison IPE/AM program has identified over 210 Dresden-related insights. IPE insights deal with plant procedures, hardware, training, information, and test/maintenance. Accident management insights address issues involving Accident Management strategies, organization, training, computational tools, and information systems. Most insights are fairly minor in significance. However, CECo has initiated action to implement the recommendations of two of the IPE insights, as discussed below.

A review of the IPE results against NUMARC Severe Accident Issue Closure Guidelines (NUMARC 91-04, January 1992) indicated the need to investigate improvements to reduce one class of sequences--sequences involving loss of containment heat removal causing a subsequent loss of coolant inventory makeup. These improvements are called for on the basis of the fraction of total core damage frequency represented by these sequences. It was determined that the greatest improvement in plant risk could be realized by implementing IPE insights recommending a procedure enhancement related to alignment of low pressure coolant injection (LPCI) or core spray (CS) pump suction to the condensate storage tank (CST) when suppression pool cooling cannot be established. This enhancement would allow injection to the reactor vessel to be maintained when it would otherwise be lost due to insufficient net positive suction head for the low pressure emergency core cooling system (ECCS) pumps as the suppression pool water is heated.
Intermittent operation of LPCI or CS to control level in the reactor pressure vessel based upon the volume of water available in the CST would provide core cooling well beyond 24 hours. CECo has initiated actions to implement this procedure modification. This will bring Dresden into agreement with the NUMARC guidelines addressing the most likely accident class.

In accordance with the recommendations provided by the NUMARC Closure Guidelines, accident management guidance will be developed for one other class of sequences: those involving a loss of all onsite AC power (station blackout (SBO) sequences). IPE insights related to these sequences recommended a procedure change which would maintain the operation of the isolation condenser during extended SBO sequences. The frequency of the SBO class of sequences fell just below the cutoff of the Closure Guidelines for requiring action. However, since these sequences can potentially lead to significant fission product releases, CECo believes it is prudent to implement a procedure change which will further reduce the frequency of these sequences and has initiated action to implement this procedure change, also.

CONCLUSIONS

The IPE took several major steps toward injecting more realism into the evaluation for severe accidents at Dresden Station. These included the following:

- Integration of Level 1 and Level 2 analyses using plant response trees
- Use of best-estimate success criteria
- Implementation of the control room operator DEOPs into the accident evaluation

The realistic modeling employed shows that Dresden Station is a very good plant with reliable systems. The DEOPs are effective in responding to severe accidents, and they contribute to Dresden Station's low core damage frequency (1.85x10^-5 per year). Dresden Station was found to have no serious weaknesses or vulnerabilities.

The NUMARC Closure Guidelines indicated the need to address the class of accident sequences in which suppression pool cooling failures ultimately lead to the inability to supply coolant to the vessel. A procedure change was identified to enhance the ability to maintain the reactor water vessel inventory. With these changes implemented, Dresden Station core damage frequency is reduced by 80% to 3.8x10^-6 per year and this accident class is brought into compliance with the NUMARC Guidelines.

Although not required for compliance with the NUMARC Guidelines, a procedure modification was identified to reduce the contribution to CDF by station blackout sequences. This procedure change will allow the isolation condenser to continue to operate under extended station blackout conditions.

The Commonwealth Edison engineering staff has been intimately involved in the IPE process and has acted as both originator of IPE analyses and reviewer of all IPE analyses. As a result of the Integrated IPE/AM Program, the CECo PRA staff has developed a unique understanding of the behavior of the plant under accident conditions and of the total plant capabilities to respond to accidents.

The principal purpose of the Dresden IPE was to develop an understanding of the response of the plant to severe accidents. It accomplished this purpose. A second purpose of the Dresden IPE was to serve as the basis for an Accident Management program.
The insights developed during performance of the Dresden IPE will form the basis for future development and implementation of the Dresden Accident Management program. The final results of the study support the idea that the best improvement for plant safety is a good Accident Management program.