Text

Technical Evaluation Rept of IPE Submittal & RAI Responses for St Lucie Nuclear Plant.
	ML17229A415
Person / Time
Site:	Saint Lucie
Issue date:	05/27/1997
From:	Forester J, Lin C, Musicki Z; SANDIA NATIONAL LABORATORIES
To:	; NRC OFFICE OF NUCLEAR REGULATORY RESEARCH (RES)
Shared Package
ML17229A414	List: ML17229A415;
References
	CON-FIN-W-6449 NUDOCS 9707250011
	Download: ML17229A415 (84)
	v • d • e

TECIiNICALREPORT FIN W-6449 Rev. 05/27/97 TECHNICAL EVALUATION REPORT OF THE IPE SuSMITTAL Arm RAI RESPONSES FOR THZ ST. LUCIE NUCLEAR PLANT Zoran Musicki C. C. Lin John Forester'ohn I.ehner, Editor Department of Advanced Technology, Brookhaven National Laboratory Upton, New York 11973 Prepared for the U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research Contract No. DE-AC02-76CH00016

'Sandia National Laboratories 97072500ii 970721 PDR ADQCK 05000835 P eDR

E t

E

,1

CONTENTS Page EXECUTIVE

SUMMARY

.............. v NOMENCLATURE XXIll INTRODUCTION 1.1 Review Process ...... 1 1.2 Plant Characterization ...... 1

2. TECHNICAL REVIEW.................................. ...... 5 2.1'icensee's IPE Process ...... 5 2.1.1 Completeness and Methodology ...................

2.12 Multi-UnitEffects and As-Built, As-Operated Status ......

...... 5

...... 7 2.1.3 Licensee Participation and Peer Review ...... 8 2.2 Front End Technical Review ..........................

2.2.1 Accident. Sequence Delineation and System Analysis ......

...... 9

...... 9 2.2.2 Quantitative Process 13 2.2.3 Interface Issues ..... 20 2.2.4 Internal Flooding ..... 20 2.2.5 Core Damage Sequence Results ..... 21 2.3 Human Reliability Analysis Technical Review 2.3.1 Pre-Initiator Human Actions

............... 29

..... 29 2.3.2 Post-Initiator Human Actions..................... ..... 30 2.4 'ack End Technical Review ..... 36 2.4.1 Containment Analysis/Characterization............... ..... 36 2.4.2 Accident Progression and Containment Performance Analysis ..... 45 2.5 Evaluation of Decay Heat Removal and Other Safety Issues ..... 49 2.5.1 Evaluation of Decay Heat Removal................. ..... 49 2.5.2 Other GSls/USIs Addressed in the Submittal ........... ..... 50

..... 50 2.5.3 Response to CPI Program Recommendations...........

2.6 Vulnerabilities and Plant Improvements ..... 50 CONTRACTOR OBSERVATIONS AND CONCLUSIONS ................... 53 REFERENCES ......... 59

TASI ES Table Page E-la Accident Types and Their Contribution to the CDF, Unit 1...... IX E-lb Accident Types and Their Contribution to the CDF, Unit 2...... IX E-2a. Dominant Initiating Events and Their Contribution to the CDF, Unit 1 X E-2b Dominant Initiating Events and Their Contribution to the CDF, Unit 2 X E-3 Containment Failure as a Percentage of Total CDF ........... XIII 1 Plant and Containment Characteristics for St. Lucie Plant....... ... 3 2 IPE vs. NSAC-147, Nonrecovery of Offsite Power........... 13 3 Comparison of Failure Data 15 4 Comparison of Common-Cause Failure Factors 16 5 Initiating Event Frequencies for St. Lucie IPE.............. 19 6a Accident Types and Their Contribution to the CDF, Unit 1 .. 22 6b Accident Types and Their Contribution to the CDF, Unit 2 .. 23 7a Dominant Initiating Events and Their Contribution to the CDF, Unit 1 .. 23 7b Dominant Initiating Events and Their Contribution to the CDF, Unit 2 24 8a 8b Dominant Core Damage Sequences, Unit 1 Dominant Core Damage Sequences, Unit 2................ ..

24 26 9 Important Human Actions........................... .. 36 10 Containment Failure as a Percentage of Total CDF ........... .. 46 FIGURES Figure Page la System Importance for St. Lucie Unit 1 ........ 28 lb System Importance for St. Lucie Unit 2 ........ .............. .....

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

~

~ ~ ~

28

This Technical Evaluation Report g ER) documents the findings from a review of the Individual Plant Examination (IPE) for the St. Lucie nuclear power plant. The primary purpose of the review is to ascertain whether or not, and to what extent, the IPE submittal satisfies the major intent of Generic Letter (GL) 88-20 and achieves the four IPE sub-objectives. The review utilized both the information provided in the IPE submittal and additional information (RAI Responses) provided by the licensee, the Florida Power & Light Company (FPL), in the response to a request for additional information (RAI) b y thee NRC.

E.1 Plant Characterization The St. Lucie Nuclear Plant is a twin unit nuclear power station and is operated by Florida Po wer &

Liigh t Company of Fort Pierce, Florida.. Each unit is a 2700 MWth Combustion Engineering pressurized water reactor (PWR). The reactor coolant system (RCS) consists of the reactor vessel, two U-tube steam generators, 4 shaft-sealed reactor coolant pumps, an electrically heated pressurizer and interconnected piping. Unit 1 began commercial operation in December 1976 and Unit 2 in August 1983.

Design features at St. Lucie that impact the core damage frequency (CDF) are as follows:

The plant has feed and bleed capability. For success both PORVs at Unit 1 are needed, but only 1 PORV at Unit 2. One Unit 2 PORV is blocked off during normal operation.

The motor driven main feedwater pumps will continue to run for most transients, as the pump flow output is automatically matched to the decay heat level.

4 AFW pumps do not need room cooling (located outside).

The DC batteries have an 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months life under SBO conditions. This assumes load shedding within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of SBO. The batteries have a 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months life without load shedding.

The RCP seals are the 4-stage Byron Jackson type; the RCPs need to be tripped within 10 minutes of a loss of CCW.

There are two emergency diesel generators (EDGs) per unit. The EDGs are self cooled.

The instrument air system is relatively reliable, and dependency on instrument air is relatively light.

HVAC is needed for many important frontline and support systems. ~

The switchover to recirculation is automatic.

~ Cross connection between the units is provided for the instrument air, the auxiliary feed water (AFW) suction (i.e., the condensate storage tanks (CSTs)) and the EDGs. One of the four EDGs can provide requisite loads for both units (i.e., one safety bus per unit).

~ The St. Lucie switchyard (shared by the two units) seems to be relatively reliable.

St. Lucie is a relatively open plant, and the turbine building is not enclosed, so that flooding should be less of a problem here than in a more enclosed geometry.

The St. Lucie containment is a large, dry, steel containment vessel surrounded by an annular space and enclosed by a reinforced concrete shield building: The containment has a volume of approximately 2.5 million cu. ft. and a design pressure of 40 psig. Both the power level and containment free volume of St. Lucie are less than those of Zion and greater than those of Surry.

The plant characteristics important to the back-end analysis are:

A Steel containment that may be vulnerable to direct attack of dispersed core debris. However, according to the licensee's response to the RAI, the probability of the dispersed debris coming into contact with the containment steel shell is negligible because of the thermal shields around the vessel and the very narrow gap for the debris. dispersion path.

The large containment volume, high containment pressure capability, and the open nature of compartments which facilitates good atmospheric mixing.

A cavity design which facilitates flooding of the reactor cavity. Ex-vessel cooling is likely to occur due to reactor cavity flooding and the low placement of the reactor vess I Th ed e pro abi ity of vessel failure and is credited in CET quantification'. The cavity configuration is a deep cylinder, which would likely result in the formation of a deep molten core debris pool if all of the core mass pours into the cavity.

~ There are no lower head penetrations in the St. Lucie reactor vessel. This may delay the time of vessel failure.

E.Z I icensee's IPE Process The IPE was initiated in October 1989. The model reflects the plant as of November 1991. Other PRA studies were also reviewed: WASH-1400, Seabrook PSA by PLG, Millstone 3 PSA by Northeast Utilities, Oconee 3 PRA by EPRI (NSACM), and the Crystal River 3 Safety study in NUREG/CR-2515.

Several PRA reviews were also studied. These were the NRC reviews of the Oconee 3 PRA (NUREG/CRR374), Crystal River 3 PRA (NUREG/CR-5245), Seabrook PSA Level 2 (NUREG/CR-4552), Millstone 3 PSA (NUREG/CR-4142) and Yankee Rowe PSA (NUREG/CR<589). Several IPE submittals were also reviewed: the ones for Waterford 3, ANO-2 and San Onofre Units 2 and 3.

With the cavity flooded, a vessel failure probability of 0.1 (i.e., 0.9 probability of preventing vessel failure by ex-vessel cooling) is used in the IPE.

The licensee performed the St. Lucie IPE work with minimal contractor support, based on experience gained by performing the Turkey Point IPE, with Science Applications International Corp. (SAIC). ABB Combustion Engineering contributed 50% of the systems notebook development work.

PRA experts from ERIN Engineering, FRH, INC., NUS and Baltimore Gas & Electric (Level 1) contributed to a broad review of the entire PRA. Frank Hubbard from FRH and Niall Hunt from NUS were cited as reviewers knowledgeable in HRA. Plant personnel were also involved in a formal review, as well as an ongoing review as part of the QA procedures.

The licensee states that the human reliability analysis (HRA) effort was performed entirely by utility personnel. The methodology was acquired from SAIC and used by Florida Power and Light for the Turkey Point and St. Lucie IPEs.

Regarding the IPE HRA representing the as-built, as-operated plant, the submittal states that the HRA analyst "reviewed procedures, walked down the plant and control room facilities and had discussions with various plant personnel in the Operations and Training Departments." It was also stated that "the human failure probabilities are based on published generic information from other analyses, simulator evaluations, and insights from past PRAs" and that "site specific information from St. Lucie is used when appropriate." Although the submittal and response to the NRC's RAIs indicate that results from simulator runs were apparently evaluated, it was not clear that simulator runs were conducted specifically for the IPE. The HRA analyst was involved in the initial sequence and system modeling efforts Thus, it appears that steps were taken to assure that the HRA represented the as-built, as-operated plant.

Response times for some actions outside the control room were based on interviews with operators. For others, time measurements and walkdowns were performed. Both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an accident) were addressed in the IPE. A list of important human actions (as determined with a Fussell-Vesely analysis) was provided and at least one recommended improvement,to the plant was based on the IPE. A new off-normal procedure was implemented to have operators fill the condensate storage tank (CST) from the treated water storage tank when long-term operation (beyond 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months ) of AFW is demanded.

The licensee intends to maintain a living PRA.

E.3 IPE Analysis K.3.1 Front-End Analysis The methodology chosen for the front-end analysis was a Level 1 PRA; the small event tree-large fault tree with fault tree linking approach was used. The computer code used for modeling and quantification was CAFTA.

The IPE quantified the following initiating event categories: 6 LOCAs (including one SGTR and two ISLOCAs), 9 support systems initiators and 12 general transients. No flooding initiators are in this list, as flooding was a negligible contributor to core damage. The IPE developed 6 event trees to model the plant response to these initiating events (3 LOCA event trees, 1 SGTR event tree, one transient event tree and one ATWS event tree). The flooding analysis utilized the existing transient event tree.

In general, the search for initiating events appeared thorough and adequately thought out. Where problems occurred, it was in the data area due to lack of plant-specific considerations.

Success criteria are based on CE non-proprietary reports, the FSAR and plant-specific MAAP analyses performed for the IPE. The success criteria appear generally reasonable and in line with most other PWR success criteria.

Containment heat removal is needed long term after a LOCA or after using feed and bleed.

Small and small-small LOCAs require control rod insertion for reactivity control. Both small and small-small LOCAs utilize HPSI pump injection from the RWT for short term cooling, with the alternative, in the case of the small LOCA, of using LPSI in conjunction with timely depressurization via.secondary cooling. This is not credited (in the injection phase) for small-small LOCAs.

Recirculation for all LOCAs is accomplished by the use of HPSI pumps. The switchover from cold leg to hot leg recirculation late in the accident (to prevent boron precipitation) is not deemed necessary at St.

Lucie due to "low boron concentration", according to the submittal.

In case of transients, it is stated that the pressurizer SRVs will never be challenged, even if the PORVs fail to open. Also, in case of transients, there is deviation from the NRC recommended value (0.014 for reactor trip events, 0.1 for LOOP and loss of buses, and 1.0 for events which fail both condenser and atmospheric dumps) of the PORV challenge conditional probability (a smaller value is used).

The ATWS success criteria specify that only one MDAFW pump is sufficient for success, but both steam generators need to be fed. Both PORVs (only one PORV on Unit 2) and all three SRVs need to lift to relieve the pressure sufficiently. The limiting peak pressure will be exceeded, regardless, if the core power level is high and the moderator temperature coefficient is not sufficiently negative (which happens 5% of the time for Unit 2, but 25% of the time for Unit 1). No mention is made of the turbine trip as being helpful in combating ATWS.

As stated above, the RCP seals are the Byron Jackson type. It is assumed they would fail only if the operators fail to trip the RCPs within 10 minutes of a loss of CCW.

The SGTR success criteria specify that for successful SG isolation, both the pressurizer sprays and the secondary depressurization must work. If the faulted SG is not isolated, but the secondary heat removal works, then HPSI injection can provide core cooling long term, apparently without depleting the RWT within the mission time.

The data collection process period was from 1/85 to 10/91 for Unit 1 and 6/86 to 4/92 for Unit 2.

Compared with many other PRA analyses, there is a relative scarcity of plant-specific data used in the St. Lucie IPE analysis. Apparently, the reason for the scarcity is the fact that good records exist for relatively few components.

St. Lucie data are generally consistent with the data in NUREG/CR-4550. The TDAFW run failure data is substantially lower, and MDAFW common cause failure (CCF) factors are somewhat lower. The LOCA initiating event frequencies appear low. The power recovery curve is considerably lower (by a factor of 2-3) than that used in NSAC-147.

The beta factor approach was used for common cause failures, using established procedures. CCF failure

>f all 4 EDGs (on both units) was considered.

I'he flooding analysis seems to have considered all relevant issues and, given the description in the

<<ubmittal, the analysis and associated results appear reasonable.

1'he internal core damage frequency is 2.3E-S/yr for Unit 1 and 2.6E-S/yr for Unit 2. Flooding xmtributes less than S.E-7/yr per unit. The internal accident types and initiating events that contribute nost to the CDF and their percent contributions are listed below in Tables E-l and E-2 (subtables a and

) for Unit 1 and Unit 2, respectively). It should be noted that, according to RAI responses by the icensee, the original ATWS analysis was incorrect and the new analysis shows Unit 1 having a emparable ATWS contribution to that of Unit 2.

Table E-la Accident Types and Their Contribution to the CDF, Unit 1 Initiating Event Group Contribution to CDF (/yr)

LOCAS 1.22E-S 53 Transients 7.7E-6 33 ISLOCA 1.74E-6 SGTR 8.13E-7 ATWS 4.13E-7 Flooding (not included in total) (<S.E-7) (<2)

TOTAL INTERNAL CDF 2.32E-S 100.0 Table E-lb Accident Types and Their Contribution to the CDF, Unit 2 Initiating Event Group Contribution to CDF (/yr)

LOCAS 1.29E-S 49 Transients 7.93E-6 31 ISLOCA 2.73E-6 10 ATWS 1.76E-6 SGTR 9.09E-7 Flooding (not included in total) (<S.E-7) (< 2)

TOTAL INTERNAL CDF 2.62E-S 100.0

Table E-2a. Dominant Initiating Events and Their Contribution to the CDF, Unit 1 Initiating Event Contribution to CDF (/yr)

Small-small LOCA 7.09E-6 30 Loss of grid 4.11EA 18 Large LOCA 3.48E-6 15 ISLOCA 1.74E-6 Small LOCA 1.60E-6 Loss of DC bus 1B 1.08E-6 Loss of DC bus 1A 9.75E-7 Steaml inc break downstream of MSIVs 6.60E-7 SGTR, SG lA '.29E-7 SGTR, SG 1B 3.86E-7 Table E-2b Dominant Initiating Events and Their Contribution to the CDF, Unit 2 Initiating Event Contribution to CDF (/yr)

Small-small LOCA 29 Loss of grid 7.49'.95'.30E-6 19 Large LOCA 13 IS LOCA 10 2.73'.IIEET Small LOCA Reactor trip 1.17'.99E-7 Steamline break downstream of MSIVs Loss of DC bus 2B 6.67E-7 Loss of DC bus 2A 5.69E-7 E.3.2 Human Reliability Analysis The BRA process for the St. Lucie IPE addressed both pre-initiator actions (performed during maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response to an

ident). The analysis of pre-initiator actions included both miscalibrations and restoration faults. A

reening" analysis was performed on pre-initiator human action using a method based on THERP UREG/CR-1278). However, none of the pre-initiator events received analysis beyond the screening iroach. In their response to the NRCs RAI, the licensee notes that the values assigned to pre-initiator man errors were actually assumed to be "nominal" values and that they were "consistent with those d in another unit's IPE and found to be acceptable" by the NRC. While the values may be acceptable, fact that pre-initiator events appeared in dominant accident sequences indicates that a more detailed iiysis of the events would have been appropriate.

"SAIC method" described in the book Human Reliability AnaIysis by Dougherty and Fragola was d to be the basis of the analysis of post-initiator events. Post-initiator human actions modeled ntially included both response-type (rule-based) and recovery-type actions, but the terminology and gorization used in the submittal was somewhat different. The licensee indicated that all post-initiator Es included in the models (fault trees) were initially given HEPs of 1.0 in order to assure that they uld not be inadvertently truncated from the cutset results. A review of the cutsets determined the licability of each event and "where applicable", actual probabilities were computed and used. Thus, uantitative screening analysis was not conducted. After initial quantification, surviving cutsets were mined and appropriate post-initiator operator actions were added.

proximately thirteen human actions (for each unit) were treated as "slips" and quantified with a time-gendent technique (the same as was used for pre-initiators) that was derived by SAIC from THERP.

remaining actions', including in- and ex-control room actions were quantified with a time reliability relation approach developed by SAIC. Brief discussions of the input parameters for the quantification roach were provided in the submittal and additional detail was provided in the response to the RAI.

critical elements for the time-dependent in-control room model include: the available response time an estimate of the median response time for the event examined, along with adjustments for type of

~avior (verification, rule-based, and response type, see section 2.3.2.1 for descriptions), degree of w burden", success likelihood (an index that can be used to reflect the impact of PSFs), and model ertainty. For the ex-control room model, similar parameters are modeled, along with adjustments to ionse time for potential "delaying hazards" outside the control room. The model uncertainty factor also be adjusted for uncertainty due to other influences or hazards. Details regarding adjustments hazard factors were not provided.

limitation of the post-initiator analysis concerns the extent to which plant-specific performance ping factors (PSFs) were considered. Another concerns the fact that multiple post-initiator human ons were quantified with a time-independent technique that does not explicitly consider the diagnosis se of operator actions. These limitations are discussed in more detail in Section 2.3.2.4.

iendence among multiple human actions was handled in the St. Lucie submittal essentially by mining such combinations of modeled human events and determining that the combinations involved nts that were either separated in time, involved completely different systems, or were performed by went individuals. The licensee stated that "where it was identified that multiple operator actions were appropriate, certain actions were either removed from the model or the probability was left at 1.0 in cutsets." They further state that "these actions were then manually added only to the cutsets where e was no dependency with other actions.

~ licensee also notes that "the appropriateness of an action may also have been sequence dependent."

wever, the licensee did not compute different HEPs for similar events occurring in different contexts.

Ikey addressed this issue by simply using the most pessimistic value in all cases. While this approach

.~ay have reduced the realism of the results of the HRA and PRA somewhat, it does not appear that it would significantly preclude identification of human related vulnerabilities.

E.3.3 Back-End Analysis The Approach used for Back-End Analysis Fhe methodology employed in the St. Lucie IPE for the back-end evaluation is clearly described in the

'iubmittal. Containment event trees (CETs) were developed to determine the containment response and iltimately the type of release mode given that a core damage accident has occurred. The front-to-back md interface are provided in the IPE by the definition of 15 Plant Damage States (PDSs) for Unit 1 and l4 PDSs for Unit 2. These PDSs are identified by core damage state, determined by core melt timing md RCS pressure, and containment state, determined by containment pressure boundary status and containment safeguards system status.

fhe top events of the CET are quantified by the use of fault trees (called logic trees in the IPE submittal),

vhich address the phenomenological, systems, and operator human response issues important to accident progression. The CET and the logic trees used in the St. Lucie IPE provide a structure for the evaluation

)f all of the containment failure modes discussed in NUREG-1335. The quantification of the CET in the it. Lucie IPE is based on NUREG-1150 data and plant-specific MAAP calculations The result of the

'vel 2 analysis are grouped to forty five release modes. Release fractions for these release modes are letermined by the development of a parametric code similar to that used in NUREG-1150 (i.e., X-SOR) ind plant-specific MAAP calculations.

Pere are a number of inconsistencies in the St. Lucie IPE submittal. Some of the inconsistencies involve he grouping of accident sequences to the plant damage states, and some are due to poor documentation.

M'example of the former is the grouping of small LOCA sequences (which according to the break size ised in the IPE may have a RCS pressure greater than that defined in the IPE for low pressure PDS) iiong with large LOCA sequences to low pressure PDSs. This inconsistency may not have a significant

ffect on the IPE results brause of the relatively low frequency of small LOCA sequences (when

ompared with the frequency of all the high or intermediate pressure PDSs). Examples of the latter nconsistency include some basic events that were discussed in the text but not presented in the fault tree nodels (and vice versa), and the display of different values in the various parts of the submittal for the arne parameter. According to the licensee's response to an RAI on these issues, these inconsistencies are irimarily due to the use of the NSAC-60 study as the basis for the IPE submittal (e.g., NSAC-60 trees vere used as templates). The values of some parameters appearing in the IPE submittal were taken from he NSAC-60 study despite the fact that they were changed in the St. Lucie IPE. According to the icensee, these are simply documentation problems because correct values were used in St. Lucie IPE tuantification. Although the inconsistencies in the present IPE submittal may not have a significant impact in the IPE results, they should be corrected for any future use of the IPE to provide a more accurate and mambiguous representation of the accident conditions and parameter values used in the analysis.

)espite some inconsistencies, the definition of the interface between the Level 1 and Level 2 analyses s in general reasonable for the St. Lucie IPE. The CET and the associated fault trees used for CET top vent quantification are clearly described in the submittal. They provide a detailed structure for the Level

! process and are in sufficient detail to identify plant-specific features that may have a significant effect

n containment failure and fission product release and indicate an overall appreciation by the licensee of vere accident behavior at St. Lucie. The quantification of the CETs also seems adequate and allows a uantitative understanding of the overall probability of fission product releases. The MAAP calculations f selected sequences and the sensitivity analyses of some sequences for some parameters used in the fAAP calculations assist the licensee to obtain an appreciation and quantitative understanding of severe

cident behavior at St. Lucie.

ack-End Analysis Results or St. Lucie, the leading PDS, which contributes about 18% to total CDF, is a PDS with early core ielt, with the RCS at high pressure, and with all containment systems available (PDS 3B). The accident quences that contribute to this PDS are transient initiated sequences. This PDS is followed by a lour

essure PDS (13%, PDS SB) and an intermediate pressure PDS (12%, PDS 1B), both with early core

.elt and all containment systems available, and another high pressure PDS with early melt but with no intainment system available (12%, PDS 3H). The latter high pressure PDS (PDS 3H) includes the SBO quences and is the dominant contributor to both early and late containment failures.

Ible E-3 shows the probabilities of containment failure modes for St. Lucie as percentages of the total DF. Results from the NUREG-1150 analyses for Surry and Zion are also presented for comparison.

Table F 3 Containment Failure as a Percentage of Total CDF St. Lucie Plant St. Lucie Plant Containment Surry Zion Failure Mode IPE, Unit IPE, Unit NUREG-1150 NURE6-1150 1++ 2++

Early Failure 0.7 1.4 Late Failure 15 13 5.9 24.0 12 15 12.2 0.7 Isolation Failure Intact 81.2 '73.0 CDF (1/ry) 2.3E-S 2.6F:5 4.0E-5 3.4E-4 The data presented for St. Lucie are based on Figure 4.0-4 of the IPE submittal. The difference between Unit 1 and Unit 2 is due to different Level 1 analysis results.

Included in Early Failure, approximately 0.1%.

in Early Failure, approximately 0.5%. 'ncluded Included in Early Failure, 0.1%.

shown in the above table, the conditional probability of containment bypass for St. Lucie is 12% of al CDF for Unit 1 and 15% for Unit 2. Containment bypass comes from ISLOCA and SGTR with

.OCA being the primary contributor (70% of all bypass for Unit 1 and 77% for Unit 2).

The conditional probability of early containment failure for both Unit I and Unit 2 is about 1% of total According to the results presented in the IPE submittal and the licensee's response to the RAI questions, early containment failure for St. Lucie is dominated by two CET end states (E3-R and E4-R) or . These two CET end states contribute over 70% of total early failure probability, and both of them are associated with successful RCS depressurization, and with the major contributor to containment failure from overpressurization. HPME is not a major contributor because of the high probability of successful RCS depressurization. Among the PDSs early failure comes pr ma l fr (hig pressure PDSs, including SBO sequences, over 80% early failure probability). This is followed by PDS 28 (intermediate pressure PDS, primarily from small-small LOCA,, aabout out 10%o earl early failure probability).

The conditional probability of late containment failure for St. Lucie is 15% of total CDF for Unit 1 and 3% for Unit 2. According to the results presented in the IPE submittal and the RAI response, late containment failure for St. Lucie is dominated by two CET end states, C4-L of PDS 3H and C5-L of PDS 2B. They contribute over 60% of total late containment failure probability for both units. End State C4-L is associated with successful RCS depressurization, failure of in-vessel coolant recovery, and ex-vessel debris not cooled (i.e., with CCI). End State C5-L is associated with failure of RCS depressurization, failure of in-vessel coolant recovery, and ex-vessel debris not cooled. Of all late failure probability, over 90% is due to overpressure failure associated.,with CCI, the contribution from steam failureforUnit1,43% for Unit2). This is followed by PDS2B(26% f r U t1 30%%u f U PDS 2F ( 16 %o for Unit 1 and 10% for Unit 2). The high late failure probability for these PDSs is partly

')

pressurization alone is small. PDS 3H is the major contributor to late containment failure (44% of all late due to the low in-vessel recovery probability of these PDSs'.

Some statements made in the "Summary and Conclusions" section of the submittal (Section 4.8) are not consistent with the CET quantification results obtained from the IPE discussed above. The statements that "The major contributors to early containment failure for St. Lucie include contain e t th ts d loa from high RCS pressure core damage accidents, steam explosion events for low pressure to HPME loads sequences, and isolation failures." and that "The major contributor to late containment failures is steam overpressure in long term (hydrogen burning is likely'o be precluded due to the steam inerted containment atmosphere)" are inconsistent with the CET results. According to the licensee's response to a follow-up RAI question, these statements were made based on insights and information provided in the Safety Analysis Center report (NSAC-159) and on plant specific MAAP ccalccu I ations, th ey 'uclear ased on CET quanttficatron results. This seems to indicate a lack of sufficient examination and were not based understanding of the CET quantification results on part of the licensee. However, in the RAI response the licensee did acknowledge the significant difference between NSAC-159 and the CET quantification results, as pointed out in the RAI. In the response the licensee mentioned the difficulty they faced in presenting the various points of view that would emerge from using various assumptions. According to the response, early failure would be dominated by HPME if a less realistic i.e. more conse t p ity o RCS depressunzation was used in CET quantification, and late failure would be dominated y steam pressurization if a less conservative probability on ex-vessel debris coolability,i.e., like that predicted in MAAP code calculations, was used in the quantification. Although the discussion in the IPE submittal itself is not clear and not focused on the CET quantification results, the licensee's responses In-vessel recovery'recludes CCI and thus the challenge of late oyerpressure failure associated ia with CCI.

xiv

to the RAls and during a number of tele-conferences indicate this may not be caused by a lack of understanding of the IPE results but by a poor presentation in the submittal.

Source terms are provided in the IPE for 45 release modes (i.e., the CET end states). The source terms for the release modes are calculated in the IPE using a combination of plant-specific MAAP calculations and the parametric model developed in NUREG-1150 (i.e., the X-SOR program). The approach seems appropriate and the use of plant-specific MAAP calculation results in the parametric model also seems reasonable. It is noted that, source terms calculated by the above method (with results presented in Table 4.0-7) are only for non-bypass release modes. Release fractions for bypass sequences can be obtained from the MAAP calculation results presented in the IPE submittal.

Sensitivity studies were performed in the St. Lucie IPE for MAAP calculation parameters only. Although the CET quantification involves the use of assumptions and data that have significant uncertainties (e.g.,

the parameters that determine the probability of in-vessel recovery and 'ex-vessel cooling), the IPE submittal does not provide information on any sensitivity study to evaluate the effects of these assumptions on the IPE results (e.g., containment failure probabilities). According to the licensee's response to a follow up RAI question, limited sensitivity analyses were performed in the St. Lucie IPE but were not reported in the submittal. The sensitivity analysis presented in the RAI response is related to the effect of in-vessel recovery on containment failure probability.

The probability of in-vessel recovery (i.e., core melt terminated) is high for most PDSs. This is due to the high probabilities of success assigned to RCS depressurization, core coolant injection recovery, and core debris in a eoolable formation assumed in the IPE. In-vessel recovery eliminates challenges to early containment failure due to HPME and reduces challenges to late containment failure associated with core-concrete interaction. The effects of the assumptions related to in-vessel recovery on the overall containment failure probabilities for St. Lucie are not evaluated and discussed in the submittal. However, in response to a follow on question to the original RAI, the licensee discussed the effect of in-vessel recovery on a PDS with high pressure and with no mitigating system available (PDS 3H). According to the response, in-vessel recovery has a significant effect on containment failure probability for this PDS, but "the total containment failure probability is only slightly affected because PDS 3H contributes approximately 10% to the total PDSs of interest." This seems to indicate that PDS 3H is the only PDS where in-vessel recovery plays an important role. This may not be correct because, according to the CET models, for all PDSs, there is a high probability of CCI (i.e., eoolable debris not formed ex-vessel) if the vessel fails, and containment failure is almost assured if the ex-vessel debris is not eoolable (partly due to the cavity configuration of St. Lucie). The effect of in-vessel recovery therefore may be more significant on containment failure probability than that discussed in the response to the RAI. The significant effect of in-vessel recovery on containment failure probability is partly due to the high probability of CCI assumed in the IPE (varies from 0.5 to 1.0 for the various conditions in the PDSs).

According to a response to another RAI question, in all of the licensee's MAAP analyses negligible CCI took place due to wet cavity configurations (except for sensitivity studies where the CCI parameters were conservatively forced). If this is the case, the effect of in-vessel recovery on containment failure probability may be significantly diminished.

E.4 Generic Issues and Containment Performance Improvements The IPE addresses decay heat removal (DHR). CDF contributions were estimated for the following DHR methods: secondary cooling (main feedwater, auxiliary feedwater, emergency feedwater, condensate, xv

turbine bypass and atmospheric dump valves) and primary inventory control (HPSI and charging systems). Failures of the AFW and HPSI were found to make a major contribution to the total CDF.

The AFW failures in the most important sequences are dominated* b y TDAFW pump failure to start,'na MDAFW pump um common cause failures, operator failure to provide AFW suction when CST iis e xh aust ed.

The HPS I failures are caused by common cause failures of A and B pumps, o t or mechanical pumps operator h cal ures with pump AB, failure in the CCW system to provide HPSI pump cooling and HVAC failures.

failures The DHR function contributes less than the 3.0E-5/yr criterion for the "acceptably low" DHR contribution in NUREG-1289. Therefore, this issue is considered closed by the licensee.

No other generic issues are discussed in the submittal.

E.S Vulnerabilities and Plant Improvements The vulnerability criteria used for the IPE are as follows:

1) "A failure which contributes a disproportionately large contribution to the total CDF or significant release probabilities and in turn is considered significantly higher than those of PRAs for similar plants, or"

2) "A failure which has any unusual and significant impact on the total CDF or re 1 ease probabilities."

Based on these criteria no vulnerabilities were found.

The following improvement was considered as a result of the IPE:

A minor enhancement of the procedure to makeup Unit 1 CST from Unit 2 prior to depletion, adding more detailed steps in the makeup procedure, was implemented prior to IPE completion.

The CDF impact of this improvement is negligible, as this is just a minor enhancement of an existing procedure on which the operators are trained.

The following change was made'n response to the SBO rule:

Blackout crosstie provides power to the blacked out unit from the opposite unit.

No CDF impact of this change is evaluated.

The backwnd analysis did not identify the need for any plant improvements.

E.6 Observations A review of the St. Lucie Nuclear Plant IPE submittal indicates that the examination carried out by the licensee fulfillsthe purposes of the IPE program as stated in Generic Letter 88-20, although in some areas only marginally so. For example, based on the level 1 review of the St. Lucie IPE the licensee appears to have analyzed the design and operations of St. Lucie to discover instances of particular vulnerability xvi

to core damage. It also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at St. Lucie; and implemented changes to the plant to help prevent and mitigate severe accidents. However, it is not clear that a complete quantitative understanding of the overall probabilities of core damage was gained by the licensee. This possibly incomplete quantitative understanding is mainly due to the data problems discussed in the section on level 1 weaknesses below.

Strengths of the level 1 IPE analysis are as follows: Thorough analysis of initiating events and their impact, descriptions of the plant systems, modeling of accident scenarios, generally reasonable failure ata an common cause factors employed. The results are reasonable and the licensee tried to derive insights. Utility involvement was maximized and an effort was made to model o e thee as b ui'ltt as operated ed p I ant. Several plant walkdowns were performed. The flooding analysis seems to have been reasonable and thorough.

The weaknesses were in the relative scarcity of plant specific data, due to past deficiencies in raw data collection procedures. Some initiating event (IE) frequencies were lower than expected ( for instance LOCAs), while some came from generic data, instead of plant specific fault trees. The loss of a dc bus is an important example where the results may be sensitive to the assumptions used. The licensee's IE equency o 3.8E-5/yr is in the lower part of the industry range. Typical values in the industry are 10 to 100 times higher. As the CDF contribution from this initiator is already significant (about 1% for Unit and 5% for Unit 2) an increase in the IE frequency by 1 to 2 orders of magnitude would make this the dominant initiator. An extreme increase could possibly even indicate a vulnerability. It would seem that or such an important initiator, plant specific fault trees would be constructed and plant specific data used in quantification. The licensee used generic data for a dc bus failure to arrive at the IE frequency, i.e.,

only one failure mode was modeled. This issue is further discussed in Section 2.2.2 of this report.

Other weaknesses include: isolated failure data and common cause factors were lower than expected (AFW pump, ICW pumps), while a few CCF categories were not modeled. The power recovery curve was optimistic (however, the loss of grid initiating event frequency may be too high, thus partially ofisetting this weakness). Some RAI responses were not particularly helpful. The ATWS modeling (at least for Unit 1) was incorrect, according to RAI responses, but has been corrected. There is inconsistency between different sections of the submittal, such that it is not clear if as-built-as operated features of the plant were always properly modeled (e.g., is hot leg recirculation upon failure of cold leg recirculation credited; is the usage of condensate pumps, in conjunction with depressurization credited').

Some important operator actions were left at their screening values (e.g., miscalibration of RWT level transmitters) and some pessimistic assumptions were made (e.g., recovery of failure to isolate the CCW N-header not modeled). Two unit effects were not thoroughly discussed. The outside peer review of e analysis seems weak since apparently there was no review of the final results.

Based on the level 1 review of the submittal and experience with other IPEs, it is expected that these shortcomings may not detract significantly from the perception of the correct risk profile of the plant but may r uce the quantitative understanding of the likelihood of various core damage sequences from that which the licensee could have gained if these weaknesses did not exist. It is likely that th 1 h identified thee important contributors to core damage at the plant, but the relative ranking and contribution to CDF of individual accident sequences cataloged in the examination are subject to question due to the above listed weaknesses.

xvii

TheIPE determined that failures in HPSI, emergency power, CCW, AFW, ICW and ESFAS/RPS dominate the risk profile. The dominant initiators are the small-small LOCA (30% of CDF at Unit 1, 29% at Unit 2), loss of grid (18% at Unit 1, 19% at Unit 2) and large LOCA (15% at Unit 1, 13% at Unit 2). These three initiators contribute 63% at Unit 1 and 61% at Unit 2. Altogether LOCAs (excluding ISLOCA and SGTR) contribute 53% at Unit 1 and 49% at Unit 2. SBO accounts for about 10% of the CDF. The CDF is dominated by 6 accident sequences, plus (for containment bypass) two ISLOCAs and two SGTR sequences at Unit 1 (nine dominant sequences plus one ISLOCA and one SGTR sequence at Unit 2).

The HRA review of the St. Lucie IPE submittal and a review of the licensees responses to HRA related questions asked in the NRC RAI, revealed several weaknesses in the HRA as documented. In general, a viable approach (the Dougherty and Fragola method) was used in performing the HRA, but several weaknesses were identified in how the analysis was conducted. While the weaknesses are not severe enough to conclude that the licensee's submittal failed to meet the objectives for the IPE as stated in Generic Letter 88-20 in regards to the HRA, they do suggest the licensee may not have learned as much about the role of humans during accidents at their plant as would have been possible. Important elements (both strengths and weaknesses) pertinent to this determination include the following:

1) The submittal indicates that utility personnel were significantly involved in the HRA. Regarding the IPE HRA representing the as-built, as-operated plant, the submittal states that the HRA was analyst "reviewed procedures, walked down the plant and control room facilities and had

. discussions with various plant personnel in the Operations and Training Departments." The HRA analyst was involved in the initial sequence and system modeling efforts. It was also stated that "the human failure probabilities are based on published generic information from other analyses, simulator evaluations, and insights from past PRAs" and that "site specific information from St.

Lucie is used when appropriate." Although the submittal and response to the NRC's RAIs indicate that results from simulator runs were apparently evaluated, it was not clear that simulator runs were conducted specifically for the IPE. Thus, it appears that steps were taken to assure that the HRA represented the as-built, as-operated plant.

2) The submittal indicates that the analysis of pre-initiator actions included both miscalibrations and restoration faults. While an acceptable screening analysis was conducted, no additional quantification or detailed analysis of pre-initiators was performed after initial quantification. Thus, all pre-initiator events were left at their initial screening values. A list of the dominant sequences provided in Tables 3.7-4 and 3.7-8 of the submittal for Units 1 and 2, respectively, shows that some of the more dominant sequences contained miscalibration events. While the HEPs for these events were reasonable, it is possible that a more detailed analysis after initial quantification may have resulted in lower HEPs for these events, which in turn may have slightly reduced the importance of these sequences and their associated contribution to CDF. While the pre-initiator approach did not preclude identification of important pre-initiator events, the lack of a "fine screening" analysis of important pre-initiator events must be considered a minor weakness of the St. Lucie IPE.

3) A strength of the analysis of post-initiator events was that all events modeled in the fault trees were initially quantified using a value of 1.0. After initial quantification, surviving cutsets were examined and appropriate post-initiator "recovery" operator actions were added. This approach helped ensure that important post-initiator actions were not inappropriately truncated.

xviii

) The post-initiator analysis included appropriate types of operator actions and had a viable process for identifying, selecting, and quantifying operator actions.

) One apparent weakness of the post-initiator analysis concerns the extent to which plant-specific factors were considered. While the model itself provides reasonable mechanisms for addressing relevant plant -specific factors, on the basis of examples provided, it would appear that many of the parameters were left at their default values. In particular, all success likelihood indices (SLls) were left at their default values. That is, plant related performance shaping factors (PSFs) were assumed to have no effect. By leaving the SLIs for the modeled events at their default values, the analysts are basically assuming St. Lucie is an "average" plant in terms of its PSFs. Thus, the resulting analysis is to some extent "generic" rather than plant-specific, and may or may not adequately represent the plant in all cases. However, the method used did consider scenario-specifics factors such as stress, burden, and task type on operator performance and therefore the licensee did attempt to reach some degree of realism in the HEP calculations.

Thirteen post-initiator human actions (apparently per unit) were modeled as slips and quantified with the time-independent technique. While the analysis performed appeared conscientious, treating post-initiator human actions with the time-independent approach is troublesome for two reasons. First, the approach does not model the diagnosis or decision-making portion of the human action. It is asserted that the operators are well trained on these actions and that they are simply following steps in their emergency procedures. Therefore the actions "would require minimum diagnosis." While this may be the case, the failure to explicitly consider factors that could influence an operator's decision to act certainly has the potential to over-estimate the likelihood of success. Second, time is not considered to be a limiting factor in the performance of these actions. That is, the impact of time is not directly considered in determining their.HEPs.

For cases in which relatively large amounts of time are available, indications are obvious, and execution times are short, a viable time-independent technique would be acceptable.

However, for at least three of the actions treated as slips, this was not obviously the case. Thus, quantification of multiple post-initiator human actions with the time-independent technique must be considered a weakness of the St. Lucie IPE. Most other IPEs using the SAIC approach have modeled only a few (if any) post-initiators with the time-independent technique. Nevertheless, the HEPs for the events modeled as slips were not unreasonable (particularly for the many events with substantial time available), reasonable credit for recovery by other personnel was taken, and several of the events modeled in this way showed-up as being important. Therefore, there is no reason to believe that the approach necessarily precluded detection of vulnerabilities. More detail on the issue is provided in section 2.3.2.4 below.

Dependence among multiple human actions was handled in the St. Lucie submittal essentially by examining such combinations of modeled human events and determining that the combinations involved events that were either separated in time, involved completely different systems, or were performed by different individuals. The licensee stated that "where it was identified that multiple operator actions were not appropriate, certain actions were either removed from the model or the probability was left at 1.0 in the cutsets." They further state that "these actions were then manually added only to the cutsets where there was no dependency with other actions. The licensee also notes that "the appropriateness of an action may also have been sequence dependent."

However, the licensee did not compute different HEPs for similar events occurring in different xix

contexts. They addressed this issue by simply using the most pessimistic value in all cases. This approach may have reduced the realism of the results of the HRA and PRA somewhat.

8) A list of important human actions based on their contribution to core damage frequency was provided in the submittal.

9) The HRA portion of the flooding and level 2 analyses appeared reasonable.

The technical evaluation of the IPE back-end analysis indicates that again the analyses appears to fulfill the purposes outlined in GL 88-20, but again only marginally so in some areas due to the weaknesses discussed further below.

The strengths of the level 2 analyses are the following: The containment event tree (CET) and the associated fault trees used for CET top event quantification are clearly described in the IPE submittal.

They provide a detailed structure for the Level 2 IPE process and contain sufficient detail to identify plant-specific features that may have a significant effect on containment failure and fission product release and indicate an overall appreciation by the licensee of severe accident behavior at St. Lucie. The quantification of the CETs also seems adequate and appears to allow an understanding of the overall probability of fission product releases. Severe accident progression at St. Lucie was also evaluated in the IPE by selected MAAP calculations based on the dominant sequences found in the PDSs, and by sensitivity analyses of some of the sequences for some parameters used in the MAAP.calculations. These MAAP calculations assist the licensee in obtaining an appreciation and quantitative understanding of severe accident behavior at St. Lucie. The licensee has also addressed the recommendations of the CPI pi'Ogi'aill.

There are some weaknesses in the Level 2 IPE that warrant further consideration. The most significant weakness is the lack of sufficient discussion of the CET quantification results in the IPE submittal. The major contributors to early and late containment failure probabilities discussed in the summary and conclusion section of the IPE submittal are based on the insights obtained from a generic report and some plant-specific MAAP calculations and not on the results obtained from CET quantification. According to the licensee (in response to an RAI) this was done in order to provide the various points of view on accident progression. This seems to indicate a lack of sufficient examination and confidence in the CET quantification results. However, additional discussions with the FPL personnel (through telephone conference calls) and the licensee's response to a follow up RAI question seem to indicate that, although the discussion presented in the IPE submittal is ambiguous and does not focus on CET quantification results, it may not be caused by a lack of understanding of the IPE results.

Another potential weakness is the high probability of in-vessel recovery and the lack of evaluation of the impact of in-vessel recovery on the containment failure probability in the St. Lucie IPE. Although this issue is addressed in the licensee's response to one of the RAI follow up questions, the conclusion in the response, that containment failure was only slightly affected based on the sensitivity study of a single PDS, may not be correct. A review of the CET top event probabilities obtained in the IPE shows that the containment failure probability may be significantly affected by the probability of in-vessel recovery (for all PDSs and thus the total CDF). The significant effect of in-vessel recovery on containment failure is partly caused by the high CCI probability, and the high containment failure probability given CCI, used in CET quantification. Since plant-specific MAAP analyses showed CCI is unlikely to occur, the effect of in-vessel recovery on containment failure probability may not be as significant as that indicated by the CET models.

XX

Lack of consistency throughout the IPE submittal is another problem. Some of the inconsistencies are due to the lack of attention to details and some are due to poor documentation. Examples of the former include the grouping of small LOCA sequences with large LOCA sequences to a low pressure PDS.

Examples of the latter are the different values presented in the various parts of the IPE submittal for the same parameter. Although these inconsistencies may not have a significant effect on CET quantification, they should be corrected to provide a more accurate and unambiguous representation of plant conditions used in the analysis.

In summary, a review of the St. Lucie Plant IPE submittal reveals that on balance the licensee has largely fulfilled the purposes of the individual plant examination stated in GL 88-20, although, based on the submittal and subsequent interactions with the licensee, this appears to have been only marginally accomplished in a number of areas.

xxi

XXLI NOMENCLATURE ABOA As-Built-As-Operated AFW Auxiliary Feedwater ANO Arkansas Nuclear One AOV Air Operated Valves ATWS Anticipated Transient Without Steam CCF Common Cause Failure CCI Core Concrete Interaction CCW Component Cooling Water CDF Core Damage Frequency CE Combustion Engineering CET Containment Event Tree CSS Containment Spray System CST Condensate Storage Tank CVCS Chemical and Volume Control System DC Direct Current DHR Decay Heat Removal DNBR Departure from Nucleate Boiling Ratio EDG Emergency Diesel Generator EOP Emergency Operating Procedures EPRI Electric Power Research Institute EPS Emergency Power System EQ Equipment Qualification ESFAS Engineered Safety Feature Actuation System FPL Florida Power and Light FSAR Final Safety Analysis Report FTR Failure to Run FTS Failure to Start GL Generic Letter HCR Human Cognitive Reliability HEP Human Error Probability HFE Human Failure Event HPME High Pressure Melt Ejection HPSI High Pressure Safety Injection HRA Human Reliability Analysis HVAC Heating, Ventilating and Air Conditioning ICW , Intake Cooling Water IE Initiating Event IPE Individual Plant Evaluation IS LOCA Interfacing Systems Loss of Coolant Accident LOCA Loss of Coolant Accident XXI I I

NOMENCLATURE (Cont'd)

LOFW Loss of Feedwater LPSI Low Pressure Safety Injection MAAP Modular Accident Analysis Program MDAFW Motor Driven Auxiliary Feedwater MDP Motor Driven Pump MOV Motor Operated Valves MSIS Main Steam Isolation System MSIV Main Steam Isolation Valve Mwth Megawatt Thermal NRC Nuclear Regulatory Commission OTC Once Through Cooling PCS Power Conversion System PDS Plant Damage State PLG Pickard, Lowe & Garrick PORV Power Operated Relief Valve PRA Probabil istic Risk Assessment PSA Probabilistic Safety Assessment PSF Performance Shaping Factor PWR Pressurized Water Reactor QA Quality Assurance RAI Request for Additional Information RCP Reactor Coolant Pump RCS Reactor Cooling System RPS Reactor Protection System RWT Refueling Water Tank SAIC Science Application International Co mpany SBO Station Blackout SDC Shut Down Cooling SG Steam Generator SGTR Steam Generator Tube Rupture SIAS Safety Injection Actuation System SIT Safety Injection Tank SLI Success Likelihood Index SRV Safety Relief Valve SW Service Water TCW Turbine Cooling Water TDAFW Turbine Driven Auxiliary Feedwater TER Technical Evaluation Report THERP Techniques for Human Error Rate Pr ediction TRC Time Reliability Correlation xxtv

1. INTRODUCTION 1.1 Review Process This technical evaluation report (TER) documents the results of the BNL review of the St. Lucie Nuclear Plant Individual Plant Examination (IPE) submittal [IPE submittal, RAI Responses]. This technical evaluation report adopts the NRC review objectives, which include the following:

To assess if the IPE submittal meets the intent of Generic Letter 88-20, and To determine if the IPE submittal provides the level of detail requested in the "Submittal Guidance Document," NUREG-1335.

A Request of Additional Information (RAI), which resulted from a preliminary review of the IPE submittal, was prepared by BNL and discussed with the NRC on January 25, 1996. Based on this discussion, the NRC staff submitted an RAI to the Florida Power & Light Company (FPL) on Mar arc h 19 1 996. Florida Power & Light Company responded to the RAI in a document dated May 23, 1996 and to the supplemental RAI for follow-on RAI questions in a document dated January 7, 1997. This TER is based on the original submittal and the response to the RAI (RAI Responses) and the supplemental RAI (Supplemental RAI Responses).

1.2 Plant Characterization The St. Lucie Nuclear Plant is a twin unit nuclear power station operated by FPL. Each unit is a 2700 MWth Combustion Engineering pressurized water reactor (PWR). The reactor coolant system (RCS) consists of the reactor vessel, two U-tube steam generators, 4 shaft-sealed reactor coolant pumps, an electrically heated pressurizer and interconnected piping. The plant is operated by FPL. Unit 1 began commercial operation in 12/76 and Unit 2 in 8/83.

Design features at St. Lucie that impact the core damage frequency (CDF) are as follows:

The plant has feed and bleed capability. The success criterion requires both PORVs at Unit 1 but only 1 PORV at Unit 2. One Unit 2 PORV is blocked off during normal operation, as it is not needed (bamng problems with the other PORV).'ven in an ATWS'for Unit 2, success criteria specify only one PORV, but in conjunction with the three safety relief valves (SRVs).

The motor driven main feedwater pumps will continue to run for most transients, as the pump flow output is automatically matched to the decay heat level.

There are two motor driven (capacity 325 gpm each, 300 gpm for Unit 2) and one turbine driven (capacity 600 gpm, 575 gpm for Unit 2) AFW pump. The AFW system is automatically started and controlled. The Unit 1 condensate storage tank (CST) is not sized for a 24-hour mission time (sufficient for approximately 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months ), whereas the missile-protected Unit 2 CST is. Cross-connection capability between the two units'STs exists.

The TDAFW pump depends only on DC power, which can be supplied from either A or B train safety batteries. Non-safety batteries can also be connected to provide power to the TDAFW

pump, but this is not credited in the analysis. Also, the TDAFW pump could be operated locally without DC power, this is not credited either.

~ The DC batteries have an 8 hour9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months life under SBO conditions. This assumes load shedding within 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months of SBO. However, the analysis credits only a 4 hour4.62963e-5 days 0.00111 hours 6.613757e-6 weeks 1.522e-6 months battery life, which apparently doesn' necessitate load shedding (RAI responses).

~ In an ATWS, any one AFW pump is sufficient for success of that function (either MDAFW pump has about half the capacity of the TDAFW pump), but the flow has to be delivered to both steam generators.

~ Condensate pumps may be used to provide feedwater to the steam generators, provided the secondary system has been depressurized to 600 psig. There are three parallel condensate pumps.

~ The RCP seals are the 4-stage Byron Jackson type (each stage can take the full RCS pressure);

the operators are instructed to trip the RCPs if the CCW cannot be restored within 10 minutes.

If the operators fail to trip the RCPs within 10 minutes of loss of CCW, it is assumed that a catastrophic seal failure will result. No seal failure would therefore occur under SBO conditions.

CCW cooling is the only type of cooling for these seals. Seal injection from charging was initially provided, but was disconnected after being suspect in two RCP shaft failures due to thermal stress.

~ There are three trains of intake cooling water (ICW), (also known elsewhere as service water) and CCW. There are also three safety electrical ac and three safety dc buses (A, B and AB).

There are two emergency diesel generators (EDGs) per unit. The EDGs are self cooled.

~ The CCW is needed for operation of the HPSI pumps, the LPSI pumps (Unit 1 only), containment spray pumps (Unit 1 only), shutdown heat exchangers, containment fans, and inside containment instrument air (on Unit 1 only).

~ The instrument air system (IA) is necessary for operation of the power conversion system CVCS, LPSI and CSS. There is a lot of redundancy in this system (4 compressors for Unit 2, 6 compressors for Unit 1), including an automatic cross-connection to the other Unit's IA system, and a manual cross~nnect between the service air systems. The instrument air compressors are cooled by the turbine cooling water system (TCW) with the exception of the Unit 1 inside containment compressors. Most of the compressors have a backup. air-cooled cooling system.

Room cooling or ventilation is needed for several important systems: HPSI, LPSI, containment sprays, SDC, power conversion system components, ac power, dc power (partially) and Unit 2 4

intake cooling water system. On the other hand, the AFW pumps are located outside and don' need room cooling.

~ The switchover to recirculation is automatic. Upon switchover, LPSI pumps are automatically stopped (ifoperating) and HPSI pumps are aligned for cold leg recirculation. As an alternative, hot leg recirculation may be accomplished by appropriately aligning the HPSI pumps for Unit 2 and LPSI pumps for Unit 1. The switchover from cold leg to hot leg recirculation late in the accident (to prevent boron precipitation) is not deemed necessary at St. Lucie due to "low boron.

concentration", according to the submittal.

~ Cross connection between the units is provided for the instrument air, the AFW suction (i.e., the CSTs) and the EDGs. One 3.5-3.8 MW EDG can provide requisite loads for both units (i.e., one safety bus per unit). There seems to be more than one way of connecting the electrical systems between the units, but only the blackout crosstie is credited in the analysis (buses AB).

~ The St. Lucie switchyard (shared by the two units) seems to be relatively reliable, with two full capacity operating buses and four bays, each consisting of one breaker, such that failure in any one transmission line, main bus, bay breaker or transformer will not cause a loss of offsite power to the unit safety buses.

~ St. Lucie is a relatively open plant, and the turbine building is not enclosed, so that flooding should be less of a problem than at plants with a more enclosed geometry.

The St. Lucie containment is a large, dry, steel containment vessel surrounded by an annular space and enclosed by a reinforced concrete shield building. The containment has a volume of approximately 2.5 million cu. It. and a design pressure of 40 psig. The reactor coolant system is a Combustion Engineering (CE) two-loop design. Some of the plant characteristics important to the back-end analysis are summarized in Table 1 of this report.

Table 1 Plant and Containment Characteristics for St. Lucie Plant Characteristic St. Lucie Zion Surry Thermal Power, MW(t) 2700 3236 2441 RCS Water Volume, 12,700 9200 Free volume, fP ft'ontainment 2,500,000 2,860,000 1,800,000 Mass of Fuel, Ibm 207,000 216,000 175,000 Mass of Zircalloy, Ibm 58,700 44,500 36,200 Containment Design Pressure, psig 40 47 45 Median Containment Failure Pressure, psig 95 135 126 RCS Water Volume/Power, ft'/MW(t) NP* 3.9 3.8 Containment Volume/Power, ft'/MW(t) 926 884 737 Zr Mass/Containment Volume, Ibm/ 0.023 0.016 0.020 ft'uel Mass/Containment Volume, Ibm/ 0.083 0.076 0.097 ft'ot provided in the IPE submittal.

Both the power level and containment free volume of St. Lucie are less than those of Zion and greater than those of Surry. Although the ratio of contairunent volume to reactor thermal power for St. Lucie is greater than that for Zion and Surry, the containment design pressure and the medium containment failure pressure are less for St. Lucie than for Zion and Surry. In comparison, the Zirconium mass, which relates to the amount of hydrogen produced in the containment, is greater for St. Lucie than for Zion and Surry.

It is noted that the parameters presented in the above table provide only rough indications of the

containment's capability to meet severe accident challenges and that both the containment strength and the challenges associated with the severe accident involve significant uncertainties.

The reactor cavity of St. Lucie has a floor area of about 460 ft~. The depth of the water in the reactor cavity can be 21 ft if all of the RWST water is injected into the containment. Since the bottom of the vessel bottom head is only about 5 ft from the cavity floor, the reactor vessel is likely to be submerged if the RWST water is injected into the containment.

The plant characteristics important to the back-end analysis are:

A steel containment that may be vulnerable to direct attack of dispersed core debris. However, according to the licensee's response to the RAI, because of the thermal shields around the vessel.

and the very narrow gap for the debris dispersion path, the probability of the dispersed debris coming into contact with the containment steel shell is negligible.

The large containment volume, high containment pressure capability, and the open nature of compartments which facilitates good atmospheric mixing.

A cavity design which facilitates flooding of the reactor cavity. Ex-vessel cooling is likely to occur due to reactor cavity flooding and the low placement of the reactor vessel. This reduces the probability of vessel failure and is credited in CET quantification'. The cavity configuration is a deep cylinder, which would likely result in the formation of a deep molten core debris pool if all of the core mass pours into the cavity.

There are no lower head penetrations in the St. Lucie reactor vessel. This may delay the time of vessel failure.

'ith the cavity flooded, a vessel failure probability of O. I (i.e., 0.9 probability of preventing vessel failure by ex-vessel cooling) is used in the IPE.

2. TECHNICAL REVIEW,

.I Licensee's IPE Process 1.1 Completeness and Methodology ie licensee has provided the type of information requested by Generic Letter 88-20 and NUREG 1335.

ie front-end portion of the IPE is a Level 1 PRA. The specific technique used for the Level 1 PRA I a small event tree/large fault tree with fault tree linking, and it is clearly described in the submittal.

ternal initiating events and internal flooding were considered. Event trees were developed for all Sses of initiating events. Several sensitivity analyses were performed. The importance (Fussel-Vesely) basic events and systems was calculated. An uncertainty analysis was also performed.

ie IPE was initiated in October, 1989 (program plan for St. Lucie and Turkey Point submitted to the kC). The Turkey Point IPE was finished first, and then the technology and the personnel were msferred to the St. Lucie project. The model reflects the plant as of November, 1991. Past PRA idies were reviewed to gain understanding of the issues and the technology: WASH-1400, Seabrook

'A by PLG, Millstone 3 PSA by Northeast Utilities, Oconee 3 PRA by EPRI (NSAC-60), and the ystal River 3 Safety Study in NUREG/CR-2515. Several PRA reviews were also studied. These were

NRC reviews of the Oconee 3 PRA (NUREG/CR-4374), Crystal River 3 PRA (NUREG/CR-5245),

abrook PSA Level 2 (NUREG/CRP552), Millstone 3 PSA (NUREG/CR-4142) and Yankee Rowe PSA UREG/CRP589). Several IPE submittals were also reviewed: the ones for Waterford 3, ANO-2 and n Onofre Units 2 and 3.

ie submittal information on the HRA process was generally inadequate in scope. Additional

ormation/clarification was obtained from the licensee through an NRC request for additional

ormation. The HRA process for the St. Lucie IPE addressed both pre-initiator actions (performed ring maintenance, test, surveillance, etc.) and post-initiator actions (performed as part of the response an accident). The analysis of pre-initiator actions included both miscalibrations and restoration faults.

hile an acceptable screening analysis was conducted, no additional quantification or detailed analysis pre-initiators was performed after initial quantification. In light of the fact that pre-initiator events

>eared in dominant sequences, the lack of a "fine screening" or detailed analysis of those pre-initiator nts must be considered a minor weakness of the St. Lucie IPE.

ie post-initiator human actions modeled essentially included both response-type and recovery-type ions. All post-initiator human events in the fault trees were initially quantified with an HEP value of

). After initial quantification, surviving cutsets were examined and appropriate post-initiator operator lions were added. These actions, including in- and ex-control room actions, were quantified using iugherty and Fragola's (SAICs) approach. Brief discussions of the input parameters for the antification approach were provided in the submittal and more detail was provided in the response to

RAI. One limitation of the post-initiator analysis concerns the extent to which plant-specific rformance shaping factors (PSFs) were considered. Another concerns the fact that multiple post-tiator human actions were quantified with a time-independent technique that does not explicitly consider

diagnosis phase of operator actions. Detail on these issues is provided below in section 2.3.2.4.

Dependence among multiple human actions was handled in the St. Lucie submittal essentially by examining such combinations of modeled human events and determining that the combinations involved events that were either separated in time, involved completely different systems, or were performed by different individuals. The licensee stated that "where it was identified that multiple operator actions were not appropriate, certain actions were either removed from the model or the probability was left at 1.0 in e cutsets." They further state that "these actions were then manually added only to the cutsets where there was no dependency with other actions.

The licensee also notes that "the appropriateness of an action, may also have been sequence dependent."

However, the licensee did not compute different HEPs for similar events occurring in different contexts.

They addressed this issue by simply using the most pessimistic value in all cases. While this approach may have reduced the realism of the results of the HRA and PRA somewhat, it does not appear that it wou d significantly preclude identification of human related vulnerabilities. A list of important human actions was provided.

The St. Lucie Plant Individual Plant Examination (IPE) back-end submittal is essentially consistent with respect to the level of detail requested in NUREG-1335.

The methodology employed in the St. Lucie IPE submittal for the back-end evaluation is clearly described. The analysis makes use of the EPRI Generic Framework for IPE back-end analysis for containment event tree (CEQ logic model development and quantification [NSAC/159]. This is supported by an analysis of the containment performance using plant specific MAAP 3.0B accident simulation code calculations. In certain cases, the containment's response to the physical processes during an accident progression is evaluated comparatively against existing reference plant analysis (e.g., NUREG-1150 analysis).

In the St. Lucie IPE, containment event trees (CETs) were developed to determine the containment response and ultimately the type of release mode given that a core damage accident has occurred.

Although different Level 2 analysis results were reported in the IPE submittal for Unit 1 and Unit 2 the difference is due to the difference in the front-end analysis results (which provide the back-end initial conditions). The method and the data used in the back-end analysis for Unit 1 and Unit 2 are the same.

The front-to-back end interface are provided in the IPE by the definition of 15 Plant Damage States (PDSs) for the Unit 1 analysis and 14 PDSs for the Unit 2 analysis. These PDSs are identified by core damage state, determined by core melt timing and RCS pressure, and containment state, determined by containment pressure boundary status and containment safeguards system status.

The top events of the CET are quantified by the use of fault trees (called logic trees in the IPE submittal),

which address the phenomenological, systems, and operator human response issues important to accident progression. The CEI'nd the logic trees used in the St. Lucie IPE provide a structure for the evaluation of all of the containment failure modes discussed in NUREG-1335. The quantification of the CET in the

t. cie IPE is based on NUREG-1150 data and plant-specific MAAP calculations. The results of the Level 2 analysis are grouped into sets of release modes. Release fractions for these release modes are detertnined by the use of a parametric model similar to the X-SOR code used in NUREG-1150 analyses',

and plant-specific MAAP calculations.

2.1.2 Multi-Unit Effects and As-Built, As-Operated Status Ihere are two units on site. There are no significant systems, relevant to an internal Level 1 PRA, ihared between the units (the intake structure and the associated intake canal for the ICW, i.e., the

ervice water, is shared). Other shared facilities include the switchyard, the fire protection system and he service building. Any shared rooms seem to have been accounted for in the flooding analysis. It

eems that the IPE did analyze dual unit initiators, at least a statement is made to that effect in the nitiating event section of the submittal. However, there is no in4epth discussion of such initiators in he initiating events, event trees or the results sections (e.g., dual unit LOOP, dual unit loss of ICW).

fhe systems that can be cross-connected are relatively few (instrument air, the EDGs and the CSTs) and he cross-connection was modeled.

( wide variety of up-to4ate information sources were used to develop the IPE: FSAR system

.escription, piping and instrumentation drawings, electrical one line drawings, licensee event reports, monthly operating reports, technical specifications, emergency and off-normal operating procedures and pecial studies and analyses. The analysis was applied to the plant configuration as it existed in november, 1991. The data was collected from 1/85 to 10/91 for Unit 1 and 6/86 and 4/92 for Unit 2 ibout 6 years of operation for each Unit, including shutdowns). Walkdowns were performed for the ystems analysis, recovery actions, flooding analysis and containment analysis.

'he licensee is confident the model represents the "as built as operated plant" because of complete ocumentation of the model with adequate control and review of any changes made, access to and use f controlled plant drawings and emergency operating procedures, reviews by and interactions with perations, engineering and other plant personnel, review of the system models by plant personnel and utside contractor experts, and plant walkdowns as described above.

seems that the licensee did analyze the as built as operated (ABAO) plant, based on the information

ovided in the submittal. A caveat is noted, however, that there is a relative paucity of the plant specific sta (see the data section), which is part of the ABAO item. This seems to have been outside of the fusee control (as far as the PRA analysts are concerned) in that it was difficult to obtain certain types

'data, because it apparently was not well kept or collected by plant personnel in the past. In addition, ere are inconsistencies in description between different sections of the submittal which cause some nbiguity with respect to certain plant features. The licensee seems to have expended reasonable effort ased on the submittal and the RAI responses) to address the ABAO concern, and there are indications at this issue would be addressed in future PRA updates, as more data becomes available.

garding the IPE HRA representing the as-built, as~perated plant, the submittal states that the HRA alyst "reviewed procedures, walked down the plant and control room facilities and had discussions with rious plant personnel in the Operations and Training Departments." It was also stated that "the human ilure probabilities are based on published generic information from other analyses, simulator aluations, and insights from past PRAs" and that "site specific information from St. Lucie is used when propriate." Although the submittal and response to the NRC's RAIs indicate that results from simulator ns were apparently evaluated, it was not clear that simulator runs were conducted specifically for the E. The HRA analyst was involved in the initial sequence and system modeling efforts Response times r some actions outside the control room were based on interviews with operators. For others, time murements and walkdowns were performed. Thus, it appears that steps were taken to assure that the

HRA represented the as-built, as-operated plant. However, it did not appear that the HRA gave detailed consideration of plant-specific PSFs in determining all HEPs.

Regarding multi-unit effects, St. Lucie Unit.l is co-located with St. Lucie Unit 2. With the exception of the start-up transformers, seismic instrumentation, and the ultimate heat sink, the licensee states that no other structures, systems, or components important to safety are shared between the two units.

However, cross-ties allow operators to restore power from one unit to the other and an operator action was modeled to switch the Unit I AFW to the Unit 2 condensate storage tank (CST) for long-term heat removal. The Unit 2 CST is larger than that of Unit 1.

Insofar as the back-end analyses are concerned, it appears that all the St. Lucie containment specific features are modeled. A containment walkdown was conducted during the Unit 2 refueling outage of 1992 (according to the IPE submittal, the two units are essentially identical). During the walkdown by the PRA team members assigned to the containment performance analysis task various elevations and compartments of the containment were assessed.

The licensee intends to maintain a "living PRA".

2.1.3 Licensee Participation and Peer Review The licensee developed the St. Lucie IPE with "minimal contractor support" based on the expertise gained with the Turkey Point IPE. The Turkey Point contractor was SAIC, it is not clear if they were the ones providing the "minimal support" for the St. Lucie IPE. ABB Combustion Engineering assisted in preparation (approximately 50%) of the system description notebooks.

The reviews performed for the IPE included both independent in-house reviews and an external review.

There were three levels of review: normal engineering quality assurance carried out by the organization performing the analysis, which consisted of a qualified individual with knowledge of PRA methods and plant systems performing an independent review of results for each task. The second level of review was performed by plant personnel not directly involved with the development of the PRA model and consisted of individuals from Operations, Technical, Training and Independent Safety Evaluation groups who reviewed the system models and accident sequence description. The third level of review was performed by outside PRA experts from ERIN Engineering, FRH, Inc., NUS and Baltimore Gas and Electric. The review team concentrated on the overall PRA methodology, accident sequence analysis, system fault trees, and draft quantification results. The intent was to provide early feedback to the St. Lucie staff concerning the adequacy and accuracy of the reviewed products. A summary of the major areas of review comments is provided in the submittal (the comments stating that the areas of review were acceptable).

The licensee makes the statement in the submittal that the methodologies used for the St. Lucie IPE were similar to the ones used in the Turkey Point IPE.

A slight concern of this review is that the utility performed almost all the work (and the utility ma have biases). This is offset by the outside review, but it is not clear what level of effort and resources went'nto the outside review (the comments provided in the IPE are very general in nature to the effect that the areas reviewed were done correctly). Also, nothing is said about an outside review of the flooding analysis, the data section, the final cutsets and dominant sequences, or Level 2.

J From the description provided in the IPE submittal it seems that the intent of Generic Letter 88-20 is satisfied, with the above caveats.

2.2 Front End Technical Review 2.2.1 Accident Sequence Delineation and System Analysis 2.2.1.1 Initiating Events The identification of initiating events proceeded in a three step approach: 1) review of existing sources, including other PRAs and their NRC reviews (Oconee, Crystal River, Seabrook, Millstone 3, Yankee Rowe), EPRI NP-2230, plant safety analyses of both limiting and likely events (e.g., the FSAR) and St.

Lucie reactor trips; 2) organizing the list into groups with equivalent impact on the plant within each group and 3) including additional initiators on a case by case basis based on the systems fault tree analysis md the success criteria analyses for the event trees.

As a result, a total of 27 initiating events were identified. Some of the initiators are further subdivided ato subcategories. In addition, the reactor vessel rupture was not really discussed in the submittal (other Aan saying it is negligible), but was later briefly discussed in the RAI responses, as being a negligible contributor (no frequency estimate was provided other than quoting a range of values from the literature).

Che list includes 2 ISLOCA initiators. Flooding initiators are not in the list due to negligible xintribution. The internal initiators are:

.OCAs:

Large I.OCA Small LOCA Small-small LOCA Steam generator tube rupture ISLOCA in an injection line ISLOCA in the SDC suction line

'ransients:

Reactor/turbine trip Reactor trip with PORV challenge Loss of feedwater (LOFW), recoverable LOFW, irrecoverable Feedline break, upstream, or downstream of either-SG Excessive feedwater Loss of offsite power, A train or B train Steaml inc break, upstream of either steam generator Steaml inc break, downstream Spurious MSIS, spurious SI PORV sticking open on the A steam generator PORV sticking open on the B steam generator

Support systems initiators:

Loss of DC bus, A or B train Loss of 4 kV bus, A or B train Loss of 6.9 kV bus, A or B train Loss of 120 VAC instrument bus Loss of turbine cooling water Loss of intake cooling water Loss of CCW Loss of instrument air Loss of grid

'Ihe nomenclature used in the IPE is somewhat unusual: small LOCA roughly corresponds to the medium LOCA elsewhere, small-small LOCA roughly corresponds to a small LOCA elsewhere i tak w is commo y known as service water; loss of grid (in the support systems category) refers to what is commonly known as loss of offsite power, whereas loss of offsite power (in the transient category) refers to switchyard failures which disable one of the two safety buses. The initiating event list seems to be generally complete and comparable to events considered in other PRAs.

HUAC failures do not lead to initiating events because of probabilistic arguments (long heat up times, recovery actions, distributed nature of the HVAC system), and some important systems such as AFW not,.

requiring HVAC.

As stated above, spurious failure of RCP seals was not considered a credible initiator (this is usually considered a very small LOCA), due to the nature of the Byron Jackson eal b t 'ts ff oun y t e small and small-small LOCA initiator event trees. In addition, a certain fraction of interfacing LOCAs inside the containment may contribute to the frequency of large, small and small-small LOCA, but this does not seem to have been considered.

In general, the search for, and selection of, initiating events seems to have been thorou well and we roug h an thought out.

2.2.1.2, Event Trees The IPE developed 6 event trees: the general transient event tree, the ATWS event tree, the small-small LOCA event tree, the small LOCA event tree, the l~ge LOCA event tree and the SGTR event tree. No event tree was developed for the interfacing LOCA, as it was assumed that this event leads directly to core damage. Existing event trees were used for the flooding analysis.

The event trees are functional. The mission time used in the core damage analysis was 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , unless a shorter time was indicated (e.g., LOCA injection phase).

The analysts used the peak cladding temperature of 2200'F or violation of the design basis DNBR (departure from nucleate boiling regime) requirement as criteria for core damage. The event tree end states are divided into "no core damag'e" or various core damage bins.

Success criteria are based on CE non-proprietary reports, the FSAR and plant-specific MAAP analyses performed for the IPE. The success criteria appear generally reasonable and in line with most other PWR success criteria.

10

Large LOCAs require injection from all three safety injection tanks attached to the intact loops, and injection from of 2 LPSI pumps into one intact loop.

1 For the long term cooling of all three types of LOCAs, containment heat removal via either containment sprays or the fan coolers is required. The same is true if feed and bleed (called once through cooling, or OTC) is used.

Small and small-small LOCAs require control rod insertion for reactivity control. Both small and small-small LOCAs utilize HPSI pump injection from the RWT for short term cooling, with the alternative, in the case of the small LOCA, of using LPSI in conjunction with timely depressurization via secondary cooling. This is not credited (in the injection phase) for small-small LOCAs.

Recirculation for all LOCAs is accomplished by the use of HPSI pumps. LPSI pumps are not used and are stopped on recirculation (unless hot leg recirculation is used as an alternative to cold leg recirculation, in which case, for Unit 1, LPSI pumps are used, whereas HPSI pumps are still used for Unit 2). The switchover, from cold leg to hot leg recirculation late in the accident (to prevent boron precipitation) is not deemed necessary at St. Lucie due to "low boron concentration", according to the submittal.

In case of small-small LOCAs, heat removal through one of the steam generators, using one AFW pump, is so required, as the break flow is insufficient to remove all decay heat. In case of most transients, an MFW pump can be utilized instead of the AFW pump.

In case of transients, it is stated that the pressurizer SRVs will never be challenged 'I even if the PORVs f'il to open. This is somewhat unusual. Also, in case of transients, there is deviation from the NRC recommended value (0.014 for reactor trip events, 0.1 for LOOP and loss of buses, and 1.0 for events which fail both condenser and atmospheric dumps) for the PORV challenge conditional probability (a smaller value is used). It is not clear how this value is derived, but the implication is that a plant specific analysis was performed.

The pressure control success criterion for ATWS specifies 3700 psia as the limiting RCS pressure. This is in line with other CE plants, and may even be somewhat conservative (based on other IPEs reviewed).

The ATWS success criteria are a little unusual in that only one MDAFW pump is sufficient for success, but both steam generators need to be fed. Both PORVs (only one PORV on Unit 2) and all three SRVs need to lift to relieve the pressure sufficiently. The limiting peak pressure will still be exceeded if the core power level is high and the moderator temperature coefficient is not sufficiently negative (which appens 5% of the time for Unit 2, but 25% of the time for Unit 1). No mention is made of turbine trip as being helpful in combatting ATWS.

Long term reactivity control via emergency boration is modeled by operation of one charging pump taking suction from the boric acid tank, and the RCS remaining at elevated temperature.

As stated above, the RCP seals are the Byron Jackson type. It is assumed they would fail only if the operators fail to trip the RCPs within 10 minutes of a loss of CCW.

Station blackout events are handled using the convolution technique (according to a phone conversation with plant personnel), details of which have not been supplied. According to the IPE, one EDG is sufficient to take care of emergency power needs of both units (i.e., one safety bus per unit), via the 11

blackout crosstie. No credit is given to battery load shedding, nor to manual operation of the turbine driven AFW pump.

The SGTR success criteria specify that for successful SG isolation, both the pressurizer sprays and the secondary depressurization must work. If the faulted SG is not isolated, but the secondary heat removal works, then HPSI injection can provide core cooling long term, apparently without depleting the RWT within the mission time. It seems in that case enough depressurization is provided by secondary cooling to limit the fluid loss outside the containment. Technical specifications for the RWTs call for providing a minimum of about 400,000 gal. Successful long term cooling using the shutdown cooling system also requires boration via charging pumps (to account for increased reactivity at lower temperatures), as is the case during a normal shutdown.

As stated above, the success criteria appear generally reasonable and consistent with those used in other PWR PRAs.

2.2.1.3 Systems Analysis A total of 17 systems/functions are described in Appendix B of the Submittal. Included are descriptions of the following systems: safety injection tanks, AFW, CCW, containment isolation system, CSS, CVCS, containment heat removal system (containment fan coolers), electric power system, ESFAS and RPS, HPSI, HVAC, instrument air, intake'cooling water, LPSI, PCS, primary pressure control system and shield building ventilation system.

Note that the third HPSI pump on Unit 1 has been abandoned.

Each system description includes a discussion of the system function, configuration, success criteria, normal operation and accident operation.

Also included for many systems are simplified schematics that show major equipment items and important flow and configuration information.

System dependencies are summarized in a matrix form.

Section 1.2 of this TER describes important plant features.

2.2.1.4 System Dependencies The IPE addressed and considered the following types of dependencies: shared component, instrumentation and control, isolation, motive power, direct equipment cooling, areas requiring HVAC, and operator actions. There is not much discussion of environmental effects, apart from HUAC and flooding/spray considerations.

In case of HUAC, there is a relatively complete description in the submittal and the RAI responses including HUAC design, rooms requiring HVAC and HVAC modeling considerations. The HVAC is a distributed system, consisting of several subsystems cooling individual plant areas.

Table 3.2-5 of the submittal contains the overall system dependency matrix, including both support on-support and frontline-on-support dependencies.

12

System dependencies seem to have been adequately considered in the analysis.

22.2 Quantitative Process 2.2.2.1 Quantification of Accident Sequence Frequencies The IPE used a small event tree/large fault tree technique to quantify core damage sequences. The event trees were functional. The CAFTA workstation software package was used for development and quantification of top event probabilities and accident frequencies.

The cut set truncation limit used was between 1.E-6 and 1.E-8, before the initiators were factored in and before recovery actions. It should be noted that some initiators are on the order of 1/yr (e.g. reactor trip). It is not known which limits were used for which initiator. The licensee maintains the residual should be small, based on stricter limits used while working on the IPE update (this is based on a phone conversation).

The IPE took credit for various recovery activities, including the recovery of offsite power. The IPE power recovery curve can be partially deduced from a table in the RAI responses.

Table 2 shows a comparison between the offsite nonrecovery probability at the times of interest from the RAI responses vs. that given in NSAC-147. The latter EPRI document contains industry average data on offsite power recovery.

Table 2 IPE vs. NSAC-147, Nonrecovery of Offsite Power IPE probability of nonrecovery NSAC-147 probability of Time after initiator (hr) of offsite power nonrecovery of offsite power 0.184 0.25 0.042 0.12 It appears that, in comparison to NSAC-147 data, the offsite power recovery factors are optimistic and will considerably impact the results.

2.2.2.2 Point Estimates and Uncertainty/Sensitivity Analyses Mean values were used for the point estimate initiator frequencies and all other basic events. An uncertainty analysis was performed. Importance measures (Fussell-Vesely) are given for systems, basic events, initiating events, and sequences. The most important basic events are the following, each one having a F-V importance > 5%: PORV block valves being closed (Unit 2), common cause failure (CCF) of HPSI injection valves to open, CCF of diesel generators to run, N-header AOVs fail to close due to CCF (Unit 1). 'Ihe most important systems are HPSI, EPS, CCW, AFW, RPS/ESFAS, ICW, and SIT.

Sensitivity studies were also performed. Increasing all MOV failure rates by a factor of 10 resulted in a 486% increase in CDF on Unit 1 (SQ3% on Unit 2); increasing all common cause factors 10 times raised the CDF by 291% (272%); increasing EDG fail-to-start (FTS) and fail-to-run (FTR) rate 10 times 13

raised the CDF by 261% (258%); increasing all test and maintenance probabilities by a factor of 10 raised the CDF by 248% (235%); decreasing test and maintenance probabilities by a factor of 10 cut the CDF by 17% (16%); increasing all motor driven pump (MDP) FTS rates 10 times raised the CDF by 66% (58%); increasing all MDP FTR rates 10 times raised the CDF by 102% (101%); increasing the Unit I PORV flow path unavailability to a value similar to that used for Unit 2 increased the CDF b 226%, whereas decreasing the Unit 2 PORV flow path unavailability to that used for Unit 1 cut the CDF by (10%); increasing all offsite power nonrecovery probabilities 10 times raised the CDF by 115%

(141%); increasing all operator nonrecovery probabilities 10 times raised the CDF by 97% (121%);

increasing all preinitiator HFEs raised the CDF by 91% (83%); and assuming that hot leg recirculation is needed late in large LOCA scenarios raised the CDF by 28% (8%).

2.2.2.3 Use of Plant Specific Data The licensee attempted to use plant specific data where possible, but due to an apparent lack of data collection or a poor collection process, good data was available for relatively few components.

The data collection process period was from 1/85 to 10/91 for Unit 1 and 6/86 to 4/92 for Unit 2. This represents approximately 5.75 years of operating experience for either unit, according to the IPE. It seems that somewhat artificial guidelines were set for this, which may have resulted in a relative paucity of plant specific data. The guidelines were borrowed from the Turkey Point IPE project in that a minimum of 5 years of data was required, and so the project used the closest refueling outages to this target.

Component history from both units was combined to arrive at the raw data used to derive the plant specific data used in the IPE. Relatively few components ended up having meaningful plant specific data:

EDG failure to start and to run, MOV (failure to open and failure to close), motor driven pump (failure to start and failure to run), air operated valves (failure to operate), 4kV circuit breakers (failure to operate) and battery chargers (no output). For most of these components, Bayesian updating was used, except for EDG failure to run (a combination of generic and plant specific data was used), 4kV circuit breakers (straight plant specific data was used) and battery chargers (straight plant specific data was used).

Note that all motor driven pumps were rolled into one category, regardless of service and specifications (including salt water pumps). (The CCF data, on the other hand, distinguishes among various types pes,of 0

p ps). No plant specific data is provided for the turbine driven AFW pumps. No plant specific data exists for the multitude of air compressors on site, because these were replaced with a different brand compressor in late 1988-89, and thus it was deemed that insufficient experience had been compiled with the new compressors.

The reason why plant specific data exists for telatively few components is that apparently few g ood ecords exist as to the number of demands and number of operating hours. The plant specific data was taken from the NPRDS (nuclear plant reliability data system) database, the FPL Nuclear Job Plannin System (NJPS) and/or interviews with engineers, maintenance and operations personnel. Only failures judged to be catastrophic were included. This may somewhat underestimate the failure rates.

As for the test/maintenance data, for cross-connected systems, it was not considered that the other unit may be in shutdown with extended test/maintenance of cross-connected systems (IA EDGs alld CST 0 f ru 2.

Unit ). However, as part of RAI responses, a sensitivity case for EDGs was run where it was assumed

that a downtime of 7 days occurs, this did not impact the results significantly (in a phone conversation ~

it was reiterated that a 74ay downtime at shutdown was in accord with plant experience).

Table 3 of this review compares the failure data for selected components from the IPE to values typically used in PRA and IPE studies, using the NUREG/CR<550 data for comparison [NUREG/CR 4550, Methodology]. Most of the data in the table is generic data.

St. Lucie data are generally in agreement with the NUREG/CR-4550 data. The EDG failure to start is low, by a factor of 4, while the TDAFW FTR is substantially lower than NUREG/CR-4550 data, (as is the case in many IPEs).

Table 3 Comparison of Failure Data Component Failure Mode St. Lucie data 4550 data urbine driven pump (generic) fail to start 2.6E-2 3.0E-Z fail to run 8.9E-5/hr 5.0E-3/hr Motor driven pump fail to start 1.8E-3 3.0E-3 fail to run 6.9E-5/hr 3.0E-5/hr Instrument air compressor fail to start 1.3E-1 8.0E-Z (generic) fail to run 2.5E-3/hr 2.0E-4/hr Battery charger fails to operate 4.5E-5/hr 1.0E4/hr Circuit breaker (4kV) fail to operate 2.8E-3 3.0E-3 AC bus ( 4kV (generic) fault 1.2E-7/hr 1.QE-7/hr Check valve (generic) ail to open 1.4E-4 1. E-4 ail to close 1.6E- 1. E-3 MOV ail to open .2E- . E-ai to close 2.4E-Emergency diesel generator tail to start E- . E-2 tail to run 2.5E- /hr 2.0E-3/hr Notes: (1) 4550 are mean values taken from NUREG/CR-4550, i.e. from the NUREG-1150 study of five U.S. nuclear power plants.

(2) Demand failures are probabilities per demand. Failures to run or operate are frequencies expressed in number of failures per hour.

E.2.2.4 Use of Generic Data As discussed in Section 2.2.2.3 above, most failure data used in the IPE was generic data. The data mostly comes from the SAIC generic data base.

E.2.2.5 Common-Cause Quantification The common cause probabilities were based on the procedure presented in NUREG/CR<780 and the data

>resented in NRC and EPRI sources. The approach used was the beta factor approach.

The common cause failure between the TDAFW pump and the two MDAFW pumps was not considered credible due to a different driver. However, there could be common problems such as steam binding.

The licensee states in RAI responses that including such CCF would be difficult due to lack of data and would likely lead to overestimation of the CCF contribution. The MDAFW pump CCF is lower than the NUREGICR-4550 recommended values by about a factor of 2. AFW is an important system, contributing about 13% to core damage. Thus its modeling is important. Failures of pumps with different drivers (common cause) have been modeled in PRAs and are included in EPRI documents (for example the ALWR requirements data base).

A comparison of effective P factors in the submittal vs. those suggested in NUREGICR-4550 ("reference P factor" ) is presented in Table 4.

Table 4 Comparison of Common-Cause Failure Factors, Component Submittal P Reference P factor factor HPSI pumps, LPSI 0.17 HPSI 0.21 HPSI pumps 0.11 LPSI 0.15 LPSI containment spray 0.05 0.11 pumps CCW pumps, ICW 0.03 0.026(SW) pumps 0.056(AFW)

AFW pumps chillers 0.11 MOU, CCF of 2 0.08 0.088

.,valves Battery 0.05 HVAC ventilation 0.13 fans Diesel Generator, 0.05 0.038 CCF of 2 EDGs In addition, all other pumps are given a beta of 0.10; all 4 diesel generators are given a beta of 0.01; and a beta of 0.10 was used for compressors. It is not clear how a CCF of more than two components was modeled (other than in the case of the EDGs), e.g., air compressors, ICW pumps, CCW pumps. ~

Apparently, an adjustment in the beta factors was made. Most CCF data seems to be reasonable.

The table shows general consistency between the St. Lucie CCF data and that recommended in NUREGICRR550. Most of the CCF factors are in agreement, except the MDAFWyumps'nd the CSS pumps'CF factors are lower by a factor of 2 in the IPE. The MDAFW CCF may have some 16

measurable impact on the results. Also, it can be argued that salt water ICW pumps should have a higher beta than fresh water SW pumps, but the licensee claims the data do not show this.

The list of CCF components considered is relatively comprehensive, especially when compared to many other IPEs. Omitted were such components as circuit breakers, inverters, relays, switches, transmitters and solenoid valves. Re licensee states there is not sufficient data for such components, otherwise they would have been included in NUREG/CRC780, Table 3-7. The impact of their omission on IPE results is probably not great.

In conclusion the CCF analysis seems to be reasonable.

2.2.2.6 Initiating Event Frequency Quantification The initiating event frequencies were calculated by four methods: St. Lucie specific experience, generic industry data, fault tree modeling of St. Lucie systems, and Bayesian updating.

The plant specific experience was used for the reactor/turbine trip (with or without PORV challenge), loss 'f feedwater (recoverable or irrecoverable); excessive feedwater, spurious MSIS and loss of 120 VAC instrument bus. Fault tree analysis was used for loss of offsite power in the A or B train. Bayesian updating was used for loss of TCW, loss of ICW and loss of CCW. For all other initiating events, including loss of grid (elsewhere known as loss of offsite power) generic data was used.

The initiating event frequencies used in the IPE are presented in Table 5.

The initiating event'frequencies generally seem reasonable and are comparable to other PRA studies. One

. could argue that certain initiator frequencies should have been computed using plant specific fault trees (e.g. loss of various ac and dc buses, loss of CCW, loss of ICW, etc.) in order to look for plant specific vulnerabilities. For example, a wide variation in loss of dc bus frequency is reported in the literature.

Diferent methods have been used, either plant specific fault trees, or industry/plant specific experience.

The loss of a dc bus is an example where the results may be sensitive to the assumptions used. The icensee's IE frequency of 3.9E-4/yr is low compared to some values in the industry which are 10 to 100 times higher. As the CDF contribution from this initiator is already significant (about 10% for Unit 1 and 5% for Unit 2) an increase in the IE frequency by one to two orders of magnitude would make this the dominant initiator. It would seem that for such an important initiator, plant specific fault trees would be constructed and plant specific data used in quantification. The licensee used generic data for a dc bus failure to arrive at the IE frequency, i.e., only one failure mode was modeled. The licensee states that no recovery actions were modeled to either recover dc power on the bus or for subsequent coping (e.g.,

manual control of the TDAFW pump after battery depletion, or manual alignment of the blackout tie from the other unit). It should be noted that other failure modes leading to the initiator have been modeled in o er studies, including other IPEs, some of which may not be immediately recoverable. Some examples of additional failure modes are loss of a distribution panel, switching errors in conjunction with testing/maintenance, battery failures, improper charging levels, blown fuses, etc. Some of these ma or may not be applicable to the design at St. Lucie, but a discussion of these issues and their proper dispositioning would. help. verify that the plant specific search during the IPE process was exhaustive.

Recovery of dc power is not usually modeled in PRAs.

Many licensees have used the generic value of 3.94E-4/yr for the frequency of losses of various ac and dc buses in their.IPEs. Ifthe CDF numbers prove to be relatively sensitive to these IE numbers (as is 17

the case for St. Lucie in the case of dc bus losses), then a fault tree analysis would be helpful to verify that the IE frequencies used were of the right magnitude, for this initiator.

I is not clear why Bayesian updating was used for a few specific but relatively rare events such as losses of ICW, TCW and CCW (unless the plant actually experienced such events. The fact that the plant experienced 0 failures in 12 years for an event which occurs once every 1,000-10,000 years does not add any meaningful information, and the Bayesian updating should yield the generic value; if not, something is wrong with the Bayesian updating scheme).

The large LOCA, small LOCA and small-small LOCA frequencies seem somewhat lower than expected (2.66E-4/yr, 4.06'/yr and 1.42E-3/yr, respectively). The NUREG-1150 values for such events are 5.E-4/yr, 1.0E-3/yr and 1.4E-2/yr, assuming that the NUREG-1150 medium LOCA category corresponds, roughly to St. Lucie's small LOCA, while the combination of NUREG-1150 small and very small LOCA corresponds to St. Lucie's small-small LOCA. As the LOCAs are a major contributor to the CDF and important sequences, it is important which values are used for the initiating event frequencies. The licensee states that the LOCA numbers reported in literature are subjective expert opinion, due to lack of hard data, and quotes various numbers from various sources. Also, the IPE submittal implies that the RCP seal failure frequency (part of the small and small-small LOCA) should be negligible due to improvements in seal designs, and sturdiness of Byron Jackson seals, relative to other seal designs.

It is possible that there have been substantial improvements in seal design and materials over time.

However, NUREG/CRQ550 accounts for that by doing a Bayesian updating of early failures in the period 1974 through 1980 with lack of failures in the period 1981-1988. This yields an estimate of 3.9E-3/yr for spurious RCP seal LOCAs. Even if this is deducted from the 1150 small LOCA frequency of 1.4E-2/yr, there is still a wide gap between the remainder of the NUREG-1150 small LOCA frequency and that reported in the St. Lucie IPE for small-small LOCAs (8.E-3/yr vs. 1.4E-3/yr).

Also, other categories of very small LOCAs are estimated in NUREG/CR-4550 to have a frequency of 1.7E-3/yr for very small LOCA pipe breaks and 7.6E-3/yr for component boundary failures. Events with leakage rates greater than 15 gpm were counted, which occurred during startup or power operation, and, for pipe breaks, a ratio of LOCA sensitive piping to all other piping of 18% for Westinghouse plants was Used.

In conclusion, the LOCA numbers used in this !PE are in line with most other IPEs, but may be underestimated based on the state of knowledge and in comparison to NUREG-1150 numbers. This should have a relatively significant effect on the total CDF, but not on the important sequences and contributors, as LOCAs are already recognized as prime contributors to the CDF. In addition, it is not clear if the initiating 'event frequency of a loss of a dc bus was treated correctly, which could impact the final results and conclusions considerably.

It should be noted that the SGTR frequency may be lower than expected, especially for Unit 1. This Unit has experienced steam generator problems, such that today 25% of the tubes are plugged.

No error factors are quoted for initiating events.

18

Table 5 Initiating Event Frequencies for St. Lucie IPE Initiating Event Frequency (/yr)

Reactor/turbine trip 1.58 Reactor trip with PORV challenge 0.297 LOFW-recoverable 0.396 LOFW-irrecoverable 9.89E-2 Feedl inc break-upstream 1.00E-3 Feedline break-downstream of SG A 1.00E-3 Feedline break-downstream of SG B 1.00E-3 Excessive feedwater 0.198 Loss of offsite power, A train 1.83E-6 loss of offsite power, B train 1.83E-6 Steamline break, upstream of SG A 5.00E-5 Steamline break, upstream of SG B 5.00E-5 Steaml inc break-downstream 4.00E-4 Spurious MSIS 9.89E-2 spurious SI 5.00E-2 PORV sticking open, A SG 1.03E-3 PORV sticking open, B SG 1.03E-3 Small-small LOCA 1.42E-3 Small LOCA 4.06E-4 Large LOCA 2.66E-4 A SGTR 4.89E-3 B SGTR 4.89E-3 Loss of DC bus, A train loss of DC bus, B train 3.94'.94'.94E-4 Loss of 4 kV bus, A train Loss of 4 kV bus, B train 3.94E-4 Loss of 6.9 kV bus, A train 3.94E-4 loss of 6.9 kV bus, B train 3.94E-4 Loss of 120 VAC instrument bus 9.89E-2 Loss of TCW 9.41E-4 Loss of ICW 2.68'9

Loss of CCW 9.41E-4 Loss of instrument air 9.20E-2 Loss of grid 0.15 2.2.3 Interface Issues 2.2.3.1 Front-End and Back-End Interfaces The IPE assumes that containment heat removal is necessary for core heat removal when recirculation is required. Both CSS pumps (Unit 1 only) and containment fan coolers require CCW cooling. Note that during both injection and recirculation, CSS discharge passes through shutdown cooling heat exchangers. Thus, CSS is necessary in recirculation. Also, in Unit 1, the portion of CSS flow passing through the SDC heat exchangers can be diverted to the HPSI pump suction, thus providing additional core cooling.

Section 2.4 provides more information on Level 2 considerations.

2.2.3.2 Human Factors Interfaces Section 2.3 provides more information on HRA considerations. Based on the level 1 'review, some likely important operator actions are stopping the RCPs within 10 minutes of a loss of CCW, using the blackout cross tie in a station blackout, cross-connecting the CSTs in case of Unit 1, recovery from HVAC failures, modeling of feed and bleed, using the condenser pumps for secondary cooling, manual switchover after automatic recirculation switchover failure, recovery of MFW, aligning of the AB dc bus (used for TDAFW control) to the non-faulted dc bus (A or B), and emergency boration in an ATWS.

2.2.4 Internal Flooding 2.2.4.1 Internal Flooding Methodology The flooding scenarios were developed by considering initiation and propagation of floods or sprays in fire zones, effects of such events on the PRA equipment, and inducing initiating events due to flooding.

The flooding scenario development was supported by plant walkdown(s).

The screening criterion for flooding scenarios was 1.E<lyr.

Effects on terminal boxes were considered. Floods and sprays were assumed to fail all the equipment 'n the initiating room. Critical flood height was documented for sensitive equipment. Flooding and spraying from the fire suppression equipment was also considered.

Drains were generally not credited, except for. small leaks. Back propagation through drains was considered where appropriate. Fire doors are not watertight, in general, and were generally assumed to leak. In some cases, a sensitivity analysis was performed as to the effect of a closed versus an open fire door.

20

The submittal notes that there are numerous alarms which would alert the operators to a flood: various sump level a!arms, CCW surge tank and RWT level alarms, and fire pump auto start alarms. In addition, frequent patrols would discover a potential flood. However, no credit is apparently given for the above operator actions. For the rest of the analysis (quantifying the CDF sequences), the Level I HEPs were used as is, implying no,additional stress due to a flood.

No maintenance errors were explicitly considered. The licensee states these are not credible, due to checks and procedures.

pre'tartup St. Lucie is a relatively open plant: the turbine building is not enclosed, the AFW system is outside. As a result, the flooding CDF is relatively low, on the order of 5.E-7/yr for either unit. No estimate is provided for the residual, other than stating that it should be below I.E-7/yr.

2.2.4.2 Internal Flooding Results The internal event model was used to quantify the surviving flooding scenarios. The following two scenarios had reportable CDFs:

I) Unit I, flood zone 14 and 15; Unit 2, flood zone 47; loss of all three condensate pumps from rupture of circulating water piping and resulting irrecoverable loss of MFW.

Frequency of core damage is 2.E-7/yr for Unit I and 2.E-7/yr for Unit 2.

2) Unit 2, flood zone 34; rupture of fire suppression piping leads to a loss of dc bus 2B.

Estimated CDF is less than I.E-7/yr.

The total flooding CDF is less than 5.E-7/yr for Unit I and S.E-7/yr for Unit 2.

It seems that the flooding analysis was reasonable.

2.2.5 Core Damage Sequence Results 2.2.5.1 Dominant Core Damage Sequences The results of the IPE analysis are in the form of functional sequences, therefore NUREG-1335 screening criteria for reporting of such sequences are used. The point estimate for the core damage frequency from internal events is 2.32E-S/yr for Unit I and 2.62E-5/yr for Unit 2, with internal flooding contributing an additional 5.E-7/yr per unit. Accident types and their percent contribution to the CDF, are listed in Tables 6a and 6b, for Unit I and Unit 2, respectively. The most important initiators are given in Tables 7a (Unit I) and 7b (Unit 2).

Six dominant sequences and two ISLOCA and two SGTR containment bypass sequences were described in detail for Unit I (four LOCAs, I station blackout, I general transient, two ISLOCA, 2 SGTRs). Nine dominant sequences and one ISLOCA and one SGTR containment bypass sequence were described in detail for Unit 2 (five LOCAs, I station blackout, 2 transients, one ATWS, I ISLOCA, 1 SGTR). Each of these important sequences has a frequency greater than I.E-6/yr and/or a greater than 5% contribution to the total unit CDF, except ISLOCA and SGTR, which are greater than I.E-7/yr. The important sequences are summarized below in Tables Sa (Unit I) and Sb (Unit 2). System Importances are presented in Figures la and lb, for Unit I and Unit 2, respectively.

21

The RCP seal LOCA contribution is negligible. The SBO contribution is 2.64E4/yr for either Unit, which is 11% of CDF for Unit 1 and 10% for Unit 2. The small-small LOCA, the loss of grid and the large LOCA are the most important events.

Loss of a dc bus is a substantial contributor to the CDF, contributing almost 10% to the Unit 1 CDF and 5% for the Unit 2 CDF. The sensitivity of this plant to a loss of dc stems from the success criteria for feed and bleed in conjunction with the plant specific data on maintenance on the 1E 4kV components (e.g, startup transformer) and the AFW system. The success criteria for feed and bleed specify both PORVs

'n Unit 1 (however one is disabled due to the initiation) and one PORV on Unit 2 (however one PORV is always blocked due to plant procedures).

Note that Tables 6 through 8 are inconsistent with respect to the ATWS contribution, especially for Unit

1. Unit 1 should have a larger ATWS contribution than Unit 2 (which is the opposite of what is shown in the Tables) because of several plant design features, most notably the larger fraction of time with the unfavorable moderator temperature coefficient (25% vs. 5%) and the need to replenish the CST from Unit 2 within the mission time, and the heavier dependency on CCW (for example CSS pumps). According to the RAI responses, the original ATWS analysis was incorrect, and the new analysis shows Unit 1 having a comparable ATWS contribution to that of Unit 2.

Many of the dominant operator errors in Tables 8a and 8b were left at their screening values (e.g., the miscalibration errors), thus possibly skewing the results and the insights. It is not clear, why cold leg recirculation failure in a large LOCA leads to core damage, when it is stated elsewhere in the submittal that hot leg,recirculation is an acceptable alternative. Large LOCA sequences are dominant contributors in this plant. It is also not clear if condensate pump operation is credited for secondary cooling (in conjunction with depressurization to 600 psig), in case of AFW and MFW failure.

Table 6a Accident Types and Their Contribution to the CDF, Unit 1 Initiating Event Group Contribution to CDF (/yr)

LOCAS 1.22E-S 53 Transients 7.7E-6 33 ISLOCA 1.74'.13E-7 SGTR ATWS 4.13E-7 Flooding (not included in total) (<S.E-7) (<2)

TOTAL INTERNAL CDF 2.32E-S 100.0 22

Table 6b Accident Types and Their Contribution to the CDF, Unit 2 Initiating Event Group Contribution to CDF (/yr)

LOCAS 1.29E-S 49 Transients 7.93E-6 31 IS LOCA 2.73E-6 10 ATWS 1.76E-6 SGTR 9.09E-7 Flooding (not included in total) ((S.E-7) (<2)

TOTAL INTERNAL CDF 2.62E-S 100.0 Table 7a Dominant Initiating Events and Their Contribution to the CDF, Unit 1 Initiating Event Contribution to CDF (/yr)

Small-small LOCA 7.09E-6 30 Loss of grid 4.11E-6 18

'5 Large LOCA 3.48E-6 IS LOCA 1.74E-6 Small LOCA 1.60E-6 Loss of DC bus 1B 1.08E-6 Loss of DC bus lA 9.75E-7 Steamline break downstream of MSIVs 6.60E-7 SGTR, SG 1A 4.29E-7 SGTR, SG 1B 3.86E-7 23

Table 7b Dominant Initiating Events and Their Contribution to the CDF, Unit 2 Initiating Event Contribution to CDF (/yr)

Small-small LOCA 7.49E-6 29 Loss of grid 4.95E-6 19 Large LOCA 3.30E-6 13 IS LOCA 2.73E-6 10 Small LOCA 2.11E-6 Reactor trip 1.17'.99E-7 Steamline break downstream of MSIVs Loss of DC bus 2B 6.67E-7 3 Loss of DC bus 2A 5.69E-7 Table Sa Dominant Core Damage Sequences, Unit I Initiating Event Dominant Subsequent Failures in Sequence % of CDF mall-small L A Long term core coolmg allure (caused by atlures o W N-isolation valves to close, thus failing the shutdown cooling option; common cause failure of containment sump alves to open, thus failing the high pressure recirculation ption; common cause miscalibration of RWT level ransmitters; common cause failure of ICW MOVs which ails isolation of TCW loads from ICW; and common cause failure of HPSI pumps (to run); dominant operator.

ailures include failure to switch over to recirculation ollowing failure of the automatic signal and failure to restart the electrical equipment room fans following a loss f power 24

% of Initiating Event Dominant Subsequent Failures in Sequence CDF ransient (steamlme break and econdary heat removal ailure (caused by lack of R loss of a dc bus dominant) makeup in case of steamline break due to common cause failure of HPSI injection valves or HPSI pumps; in case of DC bus loss caused by failure of the other bus and battery epletion or caused by hardware failures in the other MDAFW pump and the TDAFW pump); OTC (feed and leed) failure (caused by CCF failure of HPSI injection alves or HPSI pumps in case of steamline break; caused y loss of the other DC bus in case of DC bus loss initiator); also failures may be caused by operator error (failure to initiate feed and bleed, or failure to re-align the 1AB dc bus (used for TDAFW control) to the IA dc bus ollowing the loss of the IB dc bus; non-blackout mall-small L A Ingection failure (common cause ailure o HP I in~ection 12 alves; HPSI minimum recirculation line transfers closed; common cause failure of HPSI pumps to start; common cause failure of HPSI pumps to run during injection); no perator errors associated with dominant cutsets ransient (loss o gnd dominant) econdary heat removal failure; T ailure; b ackout; caused by failure of all,4 EDGs (dominant failures are CCF failure of all 4 EDGs, or failure of one Unit both EDGs with failure to align the blackout crosstie (hardware r operator failure)

Large L A In~ection failure (caused by common cause ailure o LP I injection valves; failure of SIT flowpaths; common cause failure of SITs due to miscalibration of level or pressure ransmitters; LPSI pump common discharge header flow control valve and flow control valve bypass valve transfer closed during standby; common cause failure of LPSI umps to start or run during injection); dominant operator ailure is failure to manually start ECCS components ollowing failure of the automatic signal I L A (through shutdown None, leads directly to core damage cooling suction lines dominant; athway through the four safety injection lines also contributing, ut just slightly over the 1.0E-

/yr reporting cutoff) 25

Initiating Event Dominant Subsequent Failures in Sequence

%of CDF Large L A old leg recirculation failure (dominant causes are common cause failure of CCW N-header isolation valves o close; common cause failure of HPSI injection valves to pen; common cause failure of containment sump valves to pen; common cause failure of HPSI pumps to run during recirculation); dominant operator errors include the perator failing to manually start recirculation or ECCS components following failure of the automatic signals and perator failure to re-start electrical equipment room fans following a loss of power

'ransient R integrity ailure; long term core cooling failure 4.

mall L A Long term core coolmg ailure m L A lngection ai ure TR Isolation failure; long term core cooling ailure; dommant ardware failures are RWT failures, CCF failure of HPSI alves and CCF failure of HPSI pumps; dominant operator failure are failure to switch charging pump from VCT to RWT prior to VCT depletion, failure to bypass failed EDG fuel oil fill valve, failure to manually initiate ECCS components, failure to initiate long term coo)ing and failure to align 1A or 1B instr air comp after loss of normal air comp (1C or 1D)

TR Failure o secondary heat removal (MFW or AFW);

failure of OTC; dominant failures are failures of AFW and e operator failing to recover MFW or initiate OTC Table Sb Dominant Core Damage Sequences, Unit 2

% of Initiating Event Dominant Subsequent Failures in Sequence CDF mall-small L A Long term core coolmg failure (see Umt 1 description 19 above) ransient (steamlme break and econdary heat removal ailure; T (feed and bleed) 12 loss of a dc bus dominant) failure; non-blackout; hardware failures same as for Unit 1 above; dominant operator error failure to initiate OTC or eed and bleed) 1 L A shut own coo mgpa None, eads direct y to core damage ominant) ransient (loss o gnd ommant econdary heat removal ailure; T ailure; blackout; see Unit 1 description above for dominant failures 26

Initiating Event Dominant Subsequent Failures in Sequence

%of CDF Small-small L A Injection failure (dominant contributors are common cause 10 failure of HPSI injection valves to open; common cause failure of HPSI pumps to start; common cause failure of HPSI pumps to run during injection); dominant operator errors are failure to recover an EDG after a failure of the el oil tank automatic fill valves; failure to initiate ECCS components after automatic signal failure Large L A Ingection ailure (dommant causes are common cause ailure of LPSI injection valves to open; common cause ailure of SITs due to miscalibration of level or pressure ransmitters LPSI pump common discharge header flow control valve and flow control valve bypass valve transfer closed during standby; common cause failure of LPSI umps to start or run; there are no dominant operator actions Any except large L A (mostly RP ailure (ATW ) due to a mechamcal ault with a ansient) avorable moderator temperature coefficient; short term core cooling failure (dominant cause is unavailability of oth PORV paths); dominant operator errors are failure to initiate emergency boration and failure to align charging ump suction to the RWT before VCT depletion mall L A Long term core coo ing tailure (dommant causes are common cause failure of the CCW N-header isolation alves to close; common cause failure of containment ump valves to open; common cause miscalibration of RWT level transmitters; common cause failure of HPSI umps to run during recirculation; dominant operator error is failure to use hot leg recirculation when cold leg recirculation fails ransient (loss o gnd dominant) Secondary heat removal ailure; long term core cooling ailure; dominant causes are failure of one EDG, failure of e other train's MDAFW pump and failure to recover the electrical equipment room HVAC (this leads to failure of oth dc safety buses, leading to failure of the TDAFW ump and failure of control of high pressure recirculation components); dominant operator errors are failure to recover EE room HVAC, failure to bypass a failed EDG el oil fill valve, failure to align AFW cross-connect alves for AFW recovery and failure to manually actuate recirculation components following failure of the automatic ignal Large L A ol eg recirculation ailure; dominant ardware ailures arne as in Unit 1; dominant operator errors are failure to manually actuate ECCS components following failure of e automatic signal 27

% of Initiating Event Dominant Subsequent Failures in Sequence CDF ransient R integrity failure; long term core cooling failure TR Failure to termmate leakage; long term core coolmg failure; see Unit l description above for dominant ardware failures; dominant operator errors are failure to witch charging pump suction from the VCT to the RWT rior to VCT depletion and failure to initiate long term cooling mal L A lngection ailure ci5%

d0%~

35%)

z 30%)

cr 25%

0 20%

15o%%d 10%9 5%~

0%: ~

cn cn U U cn cn cn cg o ~ o cc U ~ ~ < U O

0 ?

SYSTEM Figure la System Importance for St. Lucie Unit I 50 ci0'/o-c i

?

35'/ ~c i

O Z 3P/o.I 1 il cg 25'/o l I 0~

20%~

15'/ $

10%~

I 5%0 0% +

z g0 cn cn cn cn go cn< g go c cn Q Q LU o

CL.

) 0 V c SYSTEM Figure lb System Importance for St. Lucie Unit 2 2S

2.3 Human Reliability Analysis Technical Review 2.3.1 Pre-Initiator Human Actions Errors in the performance of pre-initiator human actions (such as failure to restore or properly align equipment after testing or maintenance, or miscalibration of system logic instrumentation), may cause components, trains, or entire systems to be unavailable on demand during an initiating event. The review of the human reliability analysis (HRA) portion of the IPE examines the licensee's HRA process to determine the extent to which pre-initiator human events were considered, how potential events were identified, the effectiveness of any quantitative and/or qualitative screening processes used, and the processes used to account for plant-specific performance shaping factors (PSFs), recovery factors, and dependencies among multiple actions.

2.3.1.1 Types of Pre-Initiator Human Actions Considered The St. Lucie IPE submittal indicated that it considered both of the traditional types of pre-initiator human actions: failures to restore systems after test, maintenance, or surveillance activities and instrument miscalibrations. Consistent with other HRA methods, "slips" were the only pre-initiator error mode modeled.

2.3.1.2 Process for Identification and Selection of Pre-Initiator Human Actions The licensee stated that the systems analysis procedure directed analysts to include miscalibrations if, based on their understanding of the system design and operation, there were failures which could be significant contributors to the CDF. They also noted that modeling pre-initiators only adds another failure mode to systems and components that must already be modeled. Regarding failure to restore events, in their response to the NRCs RAI, the licensee indicated that maintenance, operating, and test procedures were reviewed to identify systems, trains, or components on which maintenance or tests were performed. Ifthe analyst determined that the maintained system, train, or component is not completely tested for its design function following maintenance, a failure to restore event was added to the fault trees. They were not modeled only if the components are realigned to a correct configuration following a system actuation signal.

2.3.1.3 Screening Process for Pre-Initiator Human Actions A screening value of 0.003 was assigned as the basic probability of a slip involving a single train of equipment, e.g., failing to restore equipment in HPSI train A. The screening probability of a slip affecting multiple trains was set at 0.0003 (e.g., miscalibration of both RB pressure sensors), which is a train or "beta factor" of 0.1. THERP (NUREG/CR-1278) was cited as the source from which these values were derived. All miscalibrations of like instruments were treated as common-cause events.

Restorations were modeled at the train level, e.g., AFW pump 1A manual valve, and it was assumed that maintenance etc. on separate trains was independent. No additional quantifcation or detailed analysis was performed after initial quantifcation. Thus, all pre-initiator events were left at their initial screening values. A list of the dominant sequences provided in Tables 3.7P and 3.7-8 of the submittal for Units 1 and 2, respectively, shows that some of the more dominant sequences contained miscalibration events.

While the HEPs for these events were reasonable, it is possible that a more detailed analysis after initial quantifcation may have resulted in lower HEPs for these events, which in turn may have slightly reduced the importance of these sequences and their associated contribution to CDF. While the pre-initiator 29

approach did not preclude identification of important pre-initiator events, the lack of a "tine screening" or more detailed analysis of important pre-initiator events must be considered a weakness of the St. Lucie IPE.

2.3.1.4 Quantification of Pre-Initiator Human Actions As noted above in section 2.3.1.3, no additional quantifcation of pre-initiator events was performed after the initial quantifcation with screening values. In the response to the NRCs RAI, the licensee notes that the values assigned to pre-initiator human errors were actually assumed to be "nominal" values and that they were "consistent with those used in another unit's IPE and found to be acceptable" by the NRC.

While the values may be acceptable, a more detailed analysis of the events may have led to a somewhat different pattern of dominant accident sequences.

2.3.2 Post-Initiator Human Actions Post-initiator human actions are those required in response to initiating events or related system failures.

Although different labels are often applied, there are two important types of post-initiator human actions that are usually addressed in PRAs: response actions and recovery actions. Response actions are generally distinguished from recovery actions in that response actions are usually explicitly directed by emergency operating procedures (EOPs). Alternatively, recovery actions are usually performed in order to recover a specific system in time to prevent undesired consequences. Recovery actions.may entail going beyond EOP directives and using systems in relatively unusual ways. Credit for recovery actions is normally not taken unless at least some procedural guidance is available.

The review of the human reliability analysis (HRA) portion of the IPE determines the types of post-initiator human actions considered by the licensee and evaluates the processes used to identify and select, screen, and quantif'y the post-initiator actions. The licensees treatment of operator action timing, dependencies among human actions, consideration of accident context, and consideration of plant-specific PSFs is also examined.

2.3.2.1 Types of Post-Initiator Human Actions Considered The St. Lucie IPE categorizes human actions as either human failure events (HFEs) or recovery actions.

The distinction is "functional" in the sense that HFEs are included in the fault or event trees, while recovery actions are applied at the cutset level. HFEs included both pre- and post-initiator events.

Information from the submittal and the response to the RAI indicates that approximately 60% of the post-initiator HFEs modeled would be considered "response" type actions as defined in section 2.3.2 above.

'IIie remaining would be "recovery" actions. The response to the RAI indicates that potential recovery actions were discussed with operations and/or training personnel and that operating procedures were reviewed to determine ifthe proposed action was addressed procedurally. Two non-proceduralized actions were credited in the IPE and a reasonable justification for including these actions was provided. As will be seen below in section 2.3.2.4, a more important issue for St. Lucie HRA analysts concerned whether or not the actions were time4ependent and whether they were in- or ex-control room actions. In any case, a review of the recovery actions as indicated in the response to the RAI did not suggest that extraordinary behavior was being asked of the operators and the HEPs did not appear to be unreasonable based on the descriptions of the actions.

30

2.3.2.2 Process for Identification and Selection of Post-Initiator IIuman Actions The licensee's response to the RAI documents a reasonable process for the identificatio and selection of post-initiator human actions. Interviews with plant operations and training staff and reviews of EOPs, operating experience, other PRAs, and NRC PRA reviews were conducted: This information was used in the accident sequence and systems analysis task. Accident sequence event trees and top logic fault trees were developed. Human actions related to system operation were included in the top logic fault trees. The submittal and the response to the RAI indicate that post-initiator recovery human actions were selected by manually reviewing cutsets and determining if operator actions could mitigate the sequence.

The response to the RAI also states that potential recovery actions were identified and discussed with operations and/or training personnel.

While the submittal and response to the RAI suggest that some simulator exercises were conducted, it was not clear that they were directly related to the IPE or that they had any role in determining which actions were modeled. The simulator runs and their use appeared to be more related to examining particular actions and the timing for those actions.

2.3.2.3 Screening Process for Post-Initiator Response Actions The licensee indicated that all post-initiator HFEs included in the models (fault trees) were initially given HEPs of 1.0 in order to assure that they would not be inadvertently truncated from the cutset results.

A review of the cutsets determined the applicability of each event and "where applicable", actual probabilities were computed and used. Thus, a quantitative screening analysis was not conducted .

2.3.2.4 Quantification of Post-Initiator Human Actions The licensee asserts that a time-independent technique was applied to the quantifcation of "slips", whether occurring pre- or post-initiator. A time4ependent technique was applied to "untimely responses, i.e.,

the major decisional actions made from the control room or the equipment manipulations made locally, ex-control room." The time4ependent technique, which is referred to as the SAIC method, is documented in the book by Dougherty and Fragola. The technique is based on a system of time reliability correlations (TRCs) and apparently is similar to the human cogniti've reliability (HCR) (NUS-4531) and RMIEP (NUREG/CR<834) TRC methods. As noted in the discussion above on pre-initiators, the time-independent technique was stated as being derived from THERP (NUREG/CR-1278).

Events treated with the time - independent technique are assigned a basic HEP of 0.003 and are adjusted as a function of assumed stress levels and the potential for recovery by other control room personnel.

Thirteen post-initiator human actions (apparently per unit) were modeled as slips and quantified with the time-independent technique. While the analysis performed appeared thorough and conscientious, treating post-initiator human actions with the time-independent approach is troublesome for two reasons. First, the approach does not model the diagnosis or decision-making portion of the human action. It is asserted that the operators are well trained on these actions and that they are simply following steps in their emergency procedures. Therefore the actions "would require minimum diagnosis." While this may be the case, the failure to explicitly consider factors that could influence an operator's decision to act certainly has the potential to over-estimate the likelihood of success. Second, time is not considered to be a limiting factor in the performance of these actions. That is, the impact of time is not directly considered in determining their HEPs. For cases in which relatively large amounts of time are available, 31

indications are obvious, and execution times are short, a viable time-independent technique would he acceptable. However, for at least three of the actions treated as slips, this was not obviously the case.

The operator actions to initiate once-through-cooling, to manually initiate recirculation actuation components following loss of the automatic signal, and to secure the reactor coolant pumps after loss of seal cooling are relatively short-time frame events. In addition, while these actions may be clearly indicated by procedure, it would seem that they are actions which would be carefully considered before performing. Thus, in at least these three cases, the failure to explicitly consider time and the failure to model the diagnosis portion of the tasks may have led to overly optimistic values. While the assi ned f

HEP s or these events were neither extraordinarily low nor inconsistent with values for similar events in other IPEs (7.5E-3, 1.5E-3, and 3.0E-4, respectively), the possibility remains that they may not be realistic for St. Lucie. It should be noted that time (and its influence on performance) was at least indirectly considered in obtaining the HEP for once-through-cooling (OTC) by assuming a high level of stress and adjusting the HEP accordingly. The RAI also notes that "simulator scenarios have shown that the required actions can be taken in ample time to ensure successful OTC initiation."

While the remaining actions treated as slips were apparently not time-limited as described in the licensee's response to the RAI, it is not obvious that the diagnosis portion of the task would be trivial. The licensee argues that these events involve only non-diagnostic, non-decisional modes of failure, but the differences between these actions and many of those modeled with the time-dependent technique (which explicitly considers diagnosis) were not easily discerned. Thus, quantification of multiple post-initiator human actions with the time-independent technique must be considered a weakness of the St. Lucie IPE. Most other IPEs using the SAIC approach have modeled only a few (if any) post-initiators with the time-independent technique.

However, the HEPs for the events modeled as slips were not unreasonable (only limited credit for control room personnel recovery was taken) and several of the events modeled in this way still showed-up as being important. Therefore, there is no reason to believe that the approach necessarily precluded detection of HRA related vulnerabilities.

Regarding the time - dependent technique, the basic form of the of the time - dependent TRCs was provided in the licensee's response to the RAI and discussions regarding the relevant input parameters for both an in-control room model and an ex-control model (i.e., for actions to be performed outside the control room) were provided in the submittal. In addition, the response to the RAI pr vi provided exam les examp es of data sheets tl for both in- and ex-control room actions, which showed the parameters selected. The critical elements for the in-control room model include: the available response time and an estimate of the median response time for the event examined (assumed to be 4 minutes in most cases), along with adjustments for type of behavior (verification, rule-based, and response type), degree of "crew burden",

success likelihood (an index that can be used to reflect the impact of PSFs), and model uncertainty. The model uncertainty factor is fixed at 1.68, apparently to reflect that the model uncertainty is distributed lognormally about the mean.

For the ex-control room model, similar parameters are modeled but apparently there are prov s o t 7

alloow adjustments to response time for potential "delaying hazards" outside the control room. The model uncertainty factor can also be adjusted for uncertainty due to other influences or hazards. Details relating to the adjustments for hazard factors were not provided in the submittal and were only briefly discussed in the response to the RAI. It is stated that these factors were considered on a case by case basis and that mean response time or the data error factor was adjusted to reflect these concerns.

The basic TRCs used in the time - dependent approach are apparently consistent with those used by other methods and the approach does attempt to provide mechanisms for addressing various factors that should influence operator performance. However, as with all HRA methods, the validity of the results can be no better than the quality of the analysis on which the analysts base their judgments. For example, to what extent were plant-specific PSFs considered and how accurate were the estimates of the timing parameters? These and other aspects related to the quality of the St. Lucie HRA are discussed below.

The response to the RAI indicated that all success likelihood indices (SLls) were left at their default values. That is, plant-related PSFs were assumed to have no effect. By leaving the SLls for the modeled events at their default values, the analysts are basically assuming St. Lucie is an "average" plant in terms of its PSFs. The resulting analysis may therefore be "generic" rather than plant-specific and may or may not adequately represent the plant. No additional information was provided regarding the extent to which plant-specific PSFs were actually examined to support the validity of the assumption that St.'ucie is "average" in terms of PSFs for all the events modeled. Other parameters of the model such as stress, response type, and burden were used to reflect variations in the nature of the events, and their impact on operator performance. Thus, the licensee did attempt to reach some degree of realism in the HEP values.

In general, the way in which the SAIC time-dependent method was applied in the St. Lucie IPE did not appear to violate its basic tenets and the resulting HEPs would not be considered unusual. The main concern in regard to the general application of the method is the extent to which plant-specific and scenario-specific PSFs were carefully considered. As noted above, the information provided suggests that in many cases "default" values were assumed. Whether or not these judgments were based on thorough analyses is difficult to determine, but examples of the HEP calculations provided in the response to the RAI suggest that the factors in the model were reasonably well considered. Most of the HEP values themselves would not suggest that identification of human action vulnerabilities was precluded. Another important factor that relates to the adequacy of the application. of the method is the determination of timing paraineters. This aspect is discussed below in section 2.3.2.4.1.

2.3.2.4.1 Estimates and Consideration of Operator Response Time The determination of the time available for operators to diagnose and perform event related actions is a critical aspect of HRA methods which rely on TRCs to assess the probability of operator failure. In order to appropriately use the SAIC TRCs, the net available time for an operator to respond must be determined by considering the appearance of cues, such as control room alarms or other indications, that signal the operators that a particular response is required. In many cases the time at which operators receive the relevant cues is significantly later than when the event to be responded to actually occurred. Thus, if the point at which the relevant cues occur is not considered in determining available time, the resulting estimates could be significantly greater than the actual time available. Moreover, if significant, the time needed to perform a certain action must be subtracted from the total available time before the TRCs are used. For example, if the actions necessary to accomplish a particular task, such as the switchover to recirculation, require 15 minutes and only 30 minutes total time is available, then the operators have only 15 minutes available to initiate a response. Thus, 15 minutes rather than 30 minutes should be used with the TRC equation and the result is non-trivial (e.g., an order of magnitude in difference).

The submittal and the licensee's response to the NRC RAI provide information on the approach used to determine or estimate the time available for operator actions. The available time was determined from applicable system response analyses, including 'MAAP code analyses etc. The response to the RAI indicates that the temporal occurrence of relevant cues was considered in determining available time for 33

each event. A default median response time of four minutes was assumed for all but a few of the in-control room actions modeled. That is, adjustments according to <he type of behavior involved in the task were made for only a few events. The median response time (default or not) for in-control room actions apparently includes diagnosis time and response execution time.

Regarding ex-control room actions, actual estimates were obtained for the time required to diagnose and complete the required actions . These times were primarily based on interviews with operators and plant personnel, but time measurements and walkdowns occurred in some cases . Exactly how many operators were interviewed and the approach for soliciting the estimates were not discussed. Other methods, such as THERP have argued that time estimates obtained from operators should be doubled, but this is not mentioned by the licensee. Regardless, the response times used did not appear unreasonable.

2.3.2.4.2 Other Performance Shaping Factors Considered Other than those discussed above, there was no evidence of any other PSFs being considered.

2.3.2.4.3 Consideration of Dependencies Two basic types of dependencies are normally considered in quantifying post-initiator human actions:

1) time dependence and 2) dependencies between multiple actions in a sequence or cut set. One type of time dependence is concerned with the fact that the time needed to perform an action influences the time available to recognize that a problem has occurred and to diagnose the need for an action. This type of time dependence is handled by the Dougherty and Fragola method by using TRCs which reflect the likelihood of operators diagnosing and performing the related actions in a particular time window.

Another aspect of time dependence is that when sequential actions are considered, the time to complete one action will impact the time available to complete another. Similarly, the sooner one action is performed, the slower or quicker the condition of the plant changes. This type of time dependence is normally addressed by making conservative assumptions with respect to accident sequence definitions.

One aspect of this approach is to let the timing of the first action in a sequence initially minimize the time window for subsequent actions. The occurrence of cues for later actions are then used as new time origins. This type of dependence was apparently handled in the same way as other context effects and is discussed below.

The second type of dependence considers the extent to which the failure probabilities of multiple human actions within a sequence or cutset are related. There are clearly cases where the context of the accident and the pattern of successes and failure can influence the probability of human error. Thus, in many cases it would clearly be inappropriate to assume that multiple human actions in a sequence or cut set would be independent. Furthermore, context effects should be examined even for single actions in a cut set.

While the same basic action can be asked in a number of different sequences, different contexts can obviously lead to different likelihoods of success. Dependence among multiple human actions was handled in the St. Lucie submittal essentially by examining such combinations of modeled human events and determining that the combinations involved events that were either separated in time, involved completely different systems, or were performed by different individuals. The licensee stated that "where it was identified that multiple operator actions were not appropriate, certain actions were either removed from the model or the probability was left at 1.0 in the cutsets." They further state that "these actions were then manually added only to the cutsets where there was no dependency with other actions."

34

The licensee also notes that "the appropriateness of an action may also have been sequence dependent."

However, the licensee did not compute different HEPs for similar events occurring in different contexts.

They addressed this issue by simply using the most pessimistic value in all cases. While this approach may have reduced the realism of the results of the HRA and PRA somewhat, it does not appear that it would significantly preclude identification of human related vulnerabilities.

2.3.2.4.4 Quantification of Recovery Type Actions All post-initiator human actions were quantified with the approaches described above in section 2.3.2.4.

The two non-proceduralized recovery actions modeled were quantified with the time-dependent technique.

2.3.2.4.5 Human Actions in the Flooding Analysis The licensee states that "very little credit was taken for flooding related operator actions" and that "any specific actions considered for flooding were approached qualitatively, versus quantitatively, with no numerical credit taken." A review of those operator actions as discussed in the response to the RAI indicates that while operators could facilitate the response to flooding, no flood- specific operator actions were critical. The licensee also indicated that human actions already in the model were not adjusted to reflect any additional stress related to the flood. They stated that they did not believe flooding adds any additional stress above that associated with those events. While this belief may be debatable, they may very well be correct.

2.3.2.4.6 Human Actions in the Level 2 Analysis The recovery actions considered in the level 1 analysis were directly incorporated into the PDS cutsets.

Thus the list of human actions before core damage is identical to that considered in the level 1 analysis.

In addition, some HEPs from the level 1 analysis were "extended" in the level 2 analysis due to the longer time available. Finally, a "scoping" value of 0.02 was assigned to the operator action to depressurize the RCS. This was a best-estimate that included both operator and hardware failure. The 0.01 value for the operator failure was based on an examination of EOPs and likely activities at this point in the accident scenario. The actual value was based on judgement. Such a value is consistent with those used in other IPEs'looding analysis.

2.3.2.5 Important Human Actions The St. Lucie submittal presents a list of basic event importance as determined by Fusel-Vesely (F-V) measures. The top ten operator actions in terms of their contribution to CDF are presented in Table 9 below, along with their F-V values and their HEPs.

35

Table 9 Important Human Actions Event Description F-V HEP Operator fails to secure RCPs following loss of seal cooling 0.031 3.0E-4 Common cause miscalibration of the RWT level transmitter 0.026 3.0E-4 Operator fails to restore power to Unit 1 from Unit 2 0.025 1.88E-2 Operators fail to do once through cooling for transient (Feed and 0.023 7.5E-3 Bleed)

Operators fail to restore Pump 1A after maintenance 0.016 3.0E-3 Operators fail to restore Pump 1B 'after maintenance 0.015 3.0E-3 Operators fail to restore electrical equipment room fans following 0.015 5.59E-3 LOOP Operators fail to do once through cooling for SGTR (Feed and 0.007 7.5E-3 Bleed)

Operators fail to recover PCS following SIAS 0.007 1.5E-3 Operators fail to realign power supply to "AB" DC bus 0.006 5.57E-3 2.4 Back End Technical Review 2.4.1 Containment Analysis/Characterization 2.4.1.1 Fronted Backed Dependencies The interfaces between the front-end and back-end analyses are provided in the IPE by the definition of 15 Plant Damage States (PDSs) for Unit 1 and 14 PDSs for Unit 2'. A PDS is defined in the IPE as a group of core damage sequences that have similar characteristics with respect to the severe accident progression and containment response. Definition of the accident classes is discussed in Section 4.3 and Appendix D of the IPE submittal.

A plant damage state is defined by the characteristics of core damage sequences (CDSs) and the status of the containment systems (using an event tree structure called a "containment systems bridge tree" in the IPE submittal). The factors used to define a PDS include:

.1. Core melt timing,

2. RCS pressure, Two PDSs for each unit are truncated and not used in CET quantification.

36

3. Containment pressure boundary status,

4. Containment mitigating systems availability - Containment spray status,

5. Fan cooler availability during core degradation.

The PDSs as defined in the St. Lucie IPE by the above parameters to provide front-end back-end dependencies for the Level 2 analysis of the IPE seem adequate. Although the binning of some of the Level 1 sequences to the PDSs is not consistent with the above definition, the effect on the conclusions of the IPE does not seem to be significant. For example, transient sequences with failure of long term cooling, although having a core melt timing much longer than that defined in the IPE for late core melt, is grouped to an early melt PDS. This may not be appropriate, but is pessimistic. Another example is the binning of small LOCA sequences to low pressure PDSs. According to the break size of a small LOCA defined in the IPE the RCS pressure for small LOCA sequences may be higher than that used in the IPE for the definition of low pressure PDS. The grouping of small LOCA sequences with large LOCA sequences in low pressure PDSs may not be appropriate because the importance of containment challenges associated with high pressure melt ejection (HPME). However, this may not have a significant effect on IPE results because of the relatively low frequency of small LOCA sequences (7% of total CDF for Unit 1 and 8% for Unit 2) in comparison with that of high or intermediate pressure PDSs (66% for Unit 1 and 64% for Unit 2).

Another type of inconsistencies in the IPE submittal involves poor documentation (or report writing).

According to the licensee's responses to RAI questions (on inconsistencies between the information provided in the various parts of the IPE submittal), these inconsistencies are due to the use of the NSAC-60 study [NSAC40] as the basis for the St. Lucie analysis - some modifications to the NSAC-60 study for the St. Lucie IPE are not reflected in the St. Lucie submittal. For example, one table in the IPE submittal shows the definition of an SBO PDS. However, according to the licensee's response to the RAI on this issue, SBO sequences are not grouped in the IPE in a separate PDS, as in NSAC-60, but are grouped in the St. Lucie IPE with other high pressure sequences. In addition, the values used for some basic events of the CET are not reported consistently throughout the IPE submittal.

Although the inconsistencies in the present IPE submittal may not have a significant impact on the IPE results, they should be corrected for the future updates (e.g., for a living PRA) to provide a more accurate representation of the plant conditions.

The leading PDS for both Unit 1 and Unit 2 is a PDS (PDS 3B) with early core melt (within 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months of accident initiation), with the RCS at high pressure (greater than 2,000 psig), and with both fan coolers and containment spray available (17% of total CDF for Unit 1 and 19% for Unit 2). The accident sequences that contribute to this PDS include those initiated by transients such as loss of main feed water and other reactor trips. This PDS is followed by a PDS (PDS 5B) with low RCS pressure with similar containment system condition (from small and large LOCAs, 13% for Unit 1 and 12% for Unit 2), an intermediate pressure PDS (PDS 1B) with similar containment system condition (from small-small LOCA, 12% for Unit 1 and 10% for Unit 2), and another high pressure PDS (PDS 3H) with the loss of all containment systems (from SBO and transient with no AFW, 12% for Unit 1 and 11% for Unit 2).

Containment bypass comes primarily from ISLOCA (70% of all bypass for Unit 1 and 77% for Unit 2).

2.4.1.2 Containment Event Tree Development Except for SGTR and ISLOCA sequences, in which the containment is bypassed, containment failure for other sequences (through the definition of PDSs) are quantified by the use of containment event trees 37

(CETs). The development of the CETs is discussed in Sections 4.4 and Appendix E of the IPE submittal.

Th'e CETs includes the following top events:

Plant Damage State, RCS Depressurized Before Vessel Breach Coolant Recovered In-Vessel, No Vessel Breach, No Early Containment Failure, Coolable Debris Formed Ex-Vessel, No Late Containment Failure, Fission Product Removal Occurs, Containment Failure Modes.

Figures 4.0-5 through 4.0-11 of the IPE submittal show the CETs with the branch split fractions for the various PDSs'. The CETs in the St. Lucie IPE have 48 distinctive end states, of which 45 involve containment failure (with 35 having nonzero frequencies). The top events of the CET are quantified by fault trees (called logic trees in the IPE submittal), which address the phenomenological, systems, and operator human response issues important to accident progression. In general, the CETs developed in the St. Lucie IPE are well structured and easy to understand. The top events of the CET cover the important issues that determine the RCS integrity, containment response, and eventual release from the containment.

The quantification of the CET in the St. Lucie IPE is based on system performance for core damage sequences determined from the Level 1 analysis, reference plant analyses (e.g., NUREG-1150 analysis),

and a number of plant-specific MAAP analyses. According to the IPE submittal, the probability values used for the phenomenological issues contained in the logic trees are based on the NUREG-1150 accident progression event tree analysis (contained in the NUREG/CR-4551 assessment of the ranges of event likelihood) and plant-specific MAAP 3.0B calculations for St. Lucie. In general, the quantification process used in the IPE is systematic and traceable.

Similar to the PDS definition, inconsistencies in the information provided in the various parts of the IPE submittal also exist for CET definition. In some cases, the discussions provided in Section 4.5 are not consistent with those provided in the Appendix. For example, some basic events that are discussed in Section 4.5 cannot be found in the logic trees presented in the Appendix. On the other hand, some basic events that are presented in the logic trees are not discussed in the IPE submittal. The probability values for some basic events used in CET quantification are also confusing. For example, the probability value of HOP-DP (the operator fails to depressurize RCS) is stated as 0.02 in Section 4.5 and 1.0 in both Table 4.0-3 (described as being quantified as certain on the basis of the lack of emergency operating procedures) and the logic diagram in Appendix E. According to the licensee's response to the RAI (Question 5), the inconsistencies are primarily due to the use of templates for St. Lucie CET quantification. The basic event probabilities presented in the submittal are typical and may not represent the values used in all PDSs.

. The CET sequence (or end state) probabilities presented in the most of the figures are not consistent with those presented in Table 3.7-15 and 3.7-16 of the IPE submittal or those derived from Attachment 12 of the responses to the RAI. Correct figures are presented in Attachment 13 of the RAI responses. Later references of these figures (i.e., Figures 4.0-5 to 4.0-11) are those included in Attachment 13 of the responses.

38

Although a list of all basic events used in the CET fault trees provided in the response clarifies the confusion, the inconsistencies should be corrected in the submittal to correctly reflect the values used in the IPE and their basis. It is noted that, for HOP-DP, although both 0.02 and 1.0 are used the IPE for different PDSs, it is simply stated in the IPE submittal that, 'For this analysis, a value of 0.02 is used based on judgment'p4.0-9) with no discussion on its dependency on the PDSs. This is another example of poor documentation of the St. Lucie IPE submittal.

Some values used in CET quantification are termed scoping values (e.g., the probability of recovering alternate high pressure injection) and sufticient justification is not provided in the IPE submittal. Although most of the values assigned in the IPE seem adequate, sufficient basis and discussion are not provided in the submittal, and their adequacy cannot be verified in this technical evaluation report because of the limited scope of this evaluation. Some items that are of interest are discussed in the following.

RCS Depressurization The RCS depressurization mechanisms considered in the IPE include stuck-open SRV, RCP seal failure after core damage, steam generator tube rupture, hot leg/surge line failure and operator action. Except for RCS depressurization by operator actions, the probability values used for other depressurization mechanisms are similar to those developed in NUREG-1150.

As discussed above, there are inconsistencies on the values reported in the IPE submittal for successful operator depressurization. Back-end Question 8 of the RAI requested a discussion of the basis for the value used in the IPE, including the support systems required for RCS depressurization, as well as the

'time available, the procedures involved, and the operator actions required for successful depressurization.

According to the response, for both LOCA and loss of feedwater scenarios, the EOPs provide instructions to perform a rapid cooldown using the secondary side and to depressurize the RCS using pressurizer sprays and PORVs. The value of 0.02 used in the IPE was based on 0.01 for operator failure and 0.01 for hardware failure. Although RCS depressurization requires AC power, this low failure probability is also used for the PDS that include primarily SBO sequences (PDS 3H). The response does not provide any discussion on the basis for the value of 1.0 used in PDSs 2B and 2F.

According to data presented in Figures 4.0-5 through 4.0-11 (or Attachment 13 of the RAI responses),

except for PDSs 2B and 2F, the probability of successful RCS depressurization for high and intermediate pressure PDSs range from 0.98 to 0.99 (or depressurization failure of 0.0086 to 0.02). The probability of the high or intermediate pressure PDSs to remain at pressure, and thus the challenge by HPME for early failure, is thus significantly diminished. On the other hand, the probability of alpha mode failure increases. Since the conditional probability of early containment failure as shown in the figures is about, 0.009 for the RCS at low pressure (primarily alpha mode failure) and 0.01 to 0.02 for the RCS at high pressure', the effect of RCS depressurization on overall early containment failure probability may not be significant ifthese two failure modes are the dominant early failure modes for St. Lucie. However, this is shown not to be the case for St. Lucie by the IPE results. The dominant early failure modes for St.

Except for PDS 3H, a high pressure PDS with the loss of all containment systems. The probability of early containment failure is assumed to be assured if RCS depressurization and coolant make-up recovery is not successful and 0.11 if RCS depressurization is successful but vessel failure is not prevented.

39

Lucie is containment overpressurization after low pressure vessel failure. ln addition to its effect on early containment failure, successful RCS depressurization leads to a higher in-vessel recovery probability, which in turn leads to a lower late containment failure probability because of the removal of CCI.

In addition to high and intermediate pressure PDSs, the figures presented in Attachment 13 of the RAI response also show a RCS depressurization failure probability of 0.14 for low pressure PDSs. It is not clear why RCS depressurization is required for low pressure PDSs and what is the basis for this probability value.

In conclusion, the probability of successful RCS depressurization used in the IPE seems to be optimistic for most of the high and intermediate pressure PDSs, and sufficient basis on the values used in the IPE is not provided in the submittal. Because of the uncertainties associated with the parameters used in the IPE for RCS depressurization, its effect on containment failure should be evaluated in the sensitivity studies. Furthermore, according to the data presented in Attachment 13 of the responses to the RAI, an RCS depressurization failure probability of 0.14 is used in the IPE for low pressure PDSs. Although this may lead to pessimistic results, the consideration of RCS depressurization for low pressure PDSs needs further discussion.

In-Vessel Recovery The methods of-in-vessel coolant makeup recovery considered in the IPE include: initiation of low pressure coolant injection upon RCS depressurization, active operator action to recovery alternative injection sources, recovery of high pressure injection system, and recovery of ac power. In the St. Lucie IPE, a probability of 0.5 is assumed for the recovery of high pressure injection system. The alternative injection source considered in the IPE is that due to the operation of the CVCS (the charging system).

Except'for PDSs 2B and 2F, a probability of 0.9 is used in the IPE for successful recovery of the alternate high pressure injection system {or 0.1 failure probability). According to the response to the RAI, the failure probability of 0.1 is based on an estimate of 0.05 for hardware failure probability and 0.05 for human failure probability. They are believed to be reasonable values because EOP functional recovery

{EOP-15) associated with RCS inventory control provides instructions to maximize the charging flow and ensure the suction source for the charging pumps. Because of the various systems considered in the IPE for recovery and the high probabilities assumed in the IPE for these recoveries, the overall probability of injection recovery is high for most of the PDSs. Except for PDSs 2B and 2F, which have a combined frequency of about 10% of the total CDF, the probability of successful injection recovery for the other PDSs is 0.89 if RCS depressurization fails and 0.965 if RCS depressurization is successful'.

Once core injection is recovered, vessel failure is prevented if the core debris is eoolable. In the St. Lucie IPE, the probability of "eoolable debris not formed in-vessel" is assigned a value of 0.1. This is similar to that developed in NUREG-I 150. In addition to in-vessel coolant recovery, the termination of core melt due to lower head cooling via ex-vessel heat removal is also considered in the St. Lucie IPE. Despite the lack of sufIicient information at this time to determine the viability of establishing heat transfer through the vessel wall, as acknowledged in the IPE submittal, a probability of 0.9 is used in the IPE for preventing vessel failure by ex-vessel cooling {i.e., a 0.1 failure probability). The combination of the One exception is PDS 3H. Instead of 0.965, the probability of injection recovery with RCS depressurization is 0.5.

above two mechanisms results in very high probability ot'n-vessel recovery (i.e., no vessel failure) for St. Lucie.

In-vessel recovery seems to have a significant effect on containment failure probabilities for St. Lucie.

According to the CET quantification results, containment failure probabilities are controlled by the PDSs that have low probabilities of in-vessel recovery. For example, the primary contributor to early and late containment failures is PDS 3H, which has a lower coolant make up recovery probability (and thus a higher vessel failure probability). In addition to PDS 3H, PDS 2B, where the probability of in-vessel recovery is zero, is an important contributor to late containment failure. Because of the significant associated with the probabilities of in-vessel recovery and the effect on containment failure 'ncertainties probabilities, sensitivity studies on the parameter values used in the.lPE for in-vessel recovery should be performed.

Early Containment Failure The time frame defined in the St. Lucie IPE for early containment failure is that from early phases of core degradation to vessel breach. The containment challenges evaluated in the IPE for early containment failure include those from:

High pressure melt ejection (HPME) loads generated by phenomena such as combustion of hydrogen released prior to and at vessel breach and direct containment heating (DCH),

Pressure spikes occurring due to blowdown at reactor pressure vessel (RPV) failure with the RCS at high pressure, and Fuel coolant interaction resulting in rapid steam generation within the vessel at core slump or in the reactor cavity at vessel breach.

All the early containment failure modes discussed in NUREG-1335 are addressed in the St. Lucie CET.

Containment isolation failure is, also included in the early failure logic tree. The basic event probability associated with containment isolation failure is 1.0E-3. It is obtained from the containment isolation system fault tree models and other considerations (see Section 2.4.1.4).

For alpha and rocket failure modes the probability values obtained in NUREG-1150 are used in the St.

Lucie IPE. For rapid containment pressurization, such as that associated with HPME, the containment failure pressure obtained from MAAP calculations is compared with the ultimate pressure capacity of the St. Lucie containment to determine whether the containment fails. According to the data presented in Attachments 12 and 13 of the licensee's responses to the RAI, with the exception of PDS 3H, the conditional probability of early containment failure due to HPME is 1.0E-1 if the cavity is wet and 2.0E-2 if the cavity is dry. For PDS 3H, a high pressure PDS with the failure of all containment systems, containment failure is assured (a probability of 1.0) if the cavity is dry. It is noted that HPME does not contribute significantly to early containment failure for St. Lucie because of the high probabilities of RCS depressurization and core injection recovery assumed in the IPE. For PDS 3H, the probability of depressurization failure is less than 0.01 and the probability of injection recovery failure is about 0.1. So, although containment failure from HPME is assured for PDS 3H if the cavity is dry, only a very small fraction (i.e., about 1.0E-3) of PDS 3H meets this condition and, as a result, early failure is not controlled by this failure mode.

In the St. Lucie IPE, early containment failure is dominated by low pressure vessel breach for PDS 3H.

Although the probability of early containment failure is low (1.EP) for all other PDSs, a containment 41

overpressure failure probability of O.l is assigned in the IPE for PDS 3H. This, combined with the high probability of RCS depressurization (more than 0.99) and the relatively low probability of in-vessel recovery, causes this failure mode to be the dominant early failure mode for St. Lucie. The conditional early failure probabilities assigned to PDS 3H (1.0 for HPME and 0.1 for low pressure vessel failure) seem to be high when compared with other IPEs. This may be partially due to the relatively high Zirconium content in the St. Lucie reactor and relatively low ultimate failure pressure of the St. Lucie containment when compared with other PWR plants with large dry containments.

Debris Coolability and Late Containment Failure In the St. Lucie IPE, successful cooling of ex-vessel core debris requires two things: (a) that there is water over the debris, and (b) that the debris is in a eoolable configuration. In the St. Lucie IPE, the debris is assumed not eoolable if both containment spray and low pressure injection fail, and the probability of forming a eoolable core debris ex-vessel depends on the RCS pressure at vessel breach and whether HPME or an ex-vessel steam explosion (EVSE) occurs. Data presented in the CETs of 3 of the RAI response show that the probability of core debris not successfully cooled varies from about 0.5 to 1.0 for the various conditions in the PDSs. Therefore, according to the results of the IPE, the debris in the reactor cavity is not successfully cooled more than half of the time'. However, its impact to containment failure is not as significant because of the high probability of in-vessel recovery (and thus debris coolability is not an issue) in most of the PDSs of the St. Lucie IPE.

The late containment failure mechanisms considered in the St. Lucie IPE include those from hydrogen burn, steam and/or rioncondensible gas pressurization, and basemat melt-through. Containment shell melt-through (for the steel containment shell) from direct corium attack and thermal failure of penetrations are considered to be negligible in the St. Lucie IPE'. In general, late containment failure is assured if ex-vessel core debris is not successfully cooled". Late containment failure also occurs if the debris is cooled but containment heat removal is not adequate or if a large hydrogen burn occurs.

The fault trees used in the St. Lucie IPE for the determination of late containment failure are complicated and address all important failure modes discussed in NUREG-1335. Results from the quantification show significant variation of late containment failure probability for the cases with eoolable debris among PDSs. In general, the probability is negligible (less than about 2E-2) for PDSs with both fan coolers and containment spray injection available (PDSs 3B, 1B, 2A, and 2B), moderate (about 0.1) for low pressure PDSs (PDSs 5B, 6A, 6B, and 2E), high (greater than 0.5) for PDSs with high RCS pressure and the According to the IPE submittal, the St. Lucie cavity configuration is a deep cylinder, which would likely result in the formation of a deep molten core debris if all the core mass pours into the cavity. Coolability is considered in the IPE as uncertain even with a wet cavity.

The licensee's response to RAI back-end Questions 16 and 17 provide a more detailed discussion on these two failure modes.

The only exception is that for some PDSs there is a small probability of avoiding a late containment failure if core injection is recovered in-vessel.

42

failure of all containment systems (PDS 3H) and assured (a probability of 1.0) for a PDS with intermediate RCS pressure, the loss of fan coolers and the availability of containment spray (PDSs 2F).

The IPE submittal does not provide any discussion of the results or insights obtained from these results.

As discussed above, the probability of in-vessel recovery is high in most of the St. Lucie PDSs. Although late containment failure by overpressurization may occur even with no vessel failure, the probability is usually small (less than about 0.01). The probability'of late containment failure is dominated by the PDSs with low in-vessel recovery (i.e., PDSs 2B, 2F, and 3H). The CET end states that contribute most to late containment failure are C4-L of PDS 3H, an end state with successful RCS depressurization, failure of in-vessel coolant recovery and ex-vessel core debris not eoolable, and C5-L of PDS 2B, an end state with RCS depressurization failure, failure of in-vessel coolant recovery and ex-vessel core debris not eoolable.

Although the approach used to determine the probability of late containment failure as discussed in the IPE submittal is in general reasonable, the effect of in-vessel recovery on late containment failure may be significant and, because of the uncertainty associated with the probability of in-vessel recovery, may need to be examined in more detail.

Source Term Scrubbing Fission product removal mechanisms considered in the IPE include in-vessel retention and fission product scrubbing by an overlying pool or containment spray. Revitalization of fission products is also considered in the fault trees.

Containment Bypass and Induced Steam Generator Tube Rupture PSGTR)

Containment bypass is one of the dominant containment failure modes for St. Lucie. Containment bypass considered in the St. Lucie IPE includes those due to SGTR and ISLOCA as initiating events. Induced creep rupture of the steam generator tubes (ISGTR) during accident progression, although included in the CET fault trees as a RCS depressurization mechanism, is not included in the IPE as part of a containment failure mechanism. According to the licensee's response to the RAI (Back-end question 12), containment bypass due to SGTR is increased by about 15% if ISGTR is included (using the failure probability data from NUREG-1150).

Containment bypass contributes about 12% (of total CDF) for Unit 1 and 15% for Unit 2. As mentioned above, CETs are not developed for SGTR and ISLOCA accident classes and containment bypass is assured for these accident classes. The contributions from SGTR and ISLOCA to the total CDF, as obtained from the Level 1 analysis, are 4% and 8%, respectively, for Unit 1 and 3% and 11%,

respectively, for Unit 2.

Another issue associated with the probability of containment bypass is the effect of RCP operation on the probability of ISGTR. In some IPEs, the probability of induced SGTR increases significantly as the RCP is restarted after core damage following the direction of procedures. This issue is not addressed in the IPE submittal but is discussed in the licensee's response to the RAI. According to the response, RCP restart at St. Lucie requires the satisfaction of many criteria (EOP-15 Functional Recovery) and the probability of meeting all the criteria for RCP restart is negligible.

43

2.4.1.3 Containment Failure Modes and Timing The St. Lucie containment ultimate strength evaluation is described in Appendix G of the IPE submittal.

'The St. Lucie containment is a free-standing carbon steel shell. The containment pressure capability is obtained in the St. Lucie IPE by a simple formula for hoop stresses with a 110% steel shell yield strength. The containment pressure capability obtained in the IPE is 95 psig. According to the IPE submittal, the penetrations of the containment are reinforced according to ASME requirements insuring a higher resistance than that of the unpenetrated shell. It is thus assumed in the IPE that failure in the vessel penetration intersection or in the penetration wall is much less probable than the basic shell.

The containment fragility curve used in the St. Lucie IPE is discussed in Section 4.5.4 of the IPE submittal. It has a medium value of 95 psig, an upper bound of 120 psig, and a lower bound of 80 psig.

According to the IPE submittal, a containment failure probability of 1.0E-4 is assumed if containment pressure is less than 80 psig and containment failure is assured if containment pressure exceeds 120 psig.

The distribution between these two bounding values is obtained from the curve used in the Turkey Point IPE.

The containment failure pressures and their distributions obtained in the St. Lucie IPE seem to be consistent with those obtained in other IPEs. For St. Lucie, a large catastrophic failure is'assumed for early containment failure. The probability of rupture failure for late containment failure is assumed to be 0.0025.

2.4.1.4 Containment Isolation Failure In the St. Lucie IPE, the probability of containment isolation failure, quantified separately from the PDS definition, is incorporated in the CET as part of early containment failure. According to the response to the RAI (Back-End Question 20) all five areas identified in NUREG-1335 were evaluated and included in the St. Lucie model as appropriate.

It is also noted in the RAI response that the containment isolation failure probabilities originally estimated for the St. Lucie IPE were 2.09E-2 and 2.10E-2 for Unit 1 and Unit 2 respectively. According to the response, further investigation revealed some considerable conservatism in the original model. For example, the failure of Airlock //I Gaskets and Airlock //2 Gaskets were conservatively evaluated at 6.52E-3 as if there were only one door. Because the airlocks have two doors, each with double gaskets which are tested within 3 days after each opening, the failure probability should be much more smaller than that used in the model. The response also mention that there were other conservative assumptions, including the failure data used in the model and the lack of recovery actions associated with certain failure modes of the solenoid valves. Because of all these conservatisms, a value of 0.001 was actually used in the St. Lucie back-end analysis for containment isolation failure. It is noted that, this value is not based on a requantification of the original model with the conservatism removed, but based on a comparison with the containment isolation system analysis of the Seabrook PRA (Volume 6).

2.4.1.5 System/Human Responses In the St. Lucie IPE, Level 2 modeling included not only recovery actions that were carried forward from the Level 1 analysis, but also some considerations of actions beyond the Level 1 effort. These included several accident mitigation and recovery actions that require ex-control room equipment manipulation.

According to the IPE submittal, walkdowns were performed to assess the human reliability for these actions.

Recovery actions seem to play a significant role in the St. Lucie IPE. The probability of in-vessel recovery (i.e., terminating core melt) is high (over 80%) for most PDSs. Since in-vessel recovery eliminates the challenge of early containment failure associated with vessel breach and reduces the challenge of late containment failure by removing the problems associated with ex-vessel core concrete interaction, its effect on overall containment failure probability may be significant. According to the CET model, in-vessel recovery depends on the probability of RCS depressurization and the recovery of coolant make-up, both of which are assigned high success probabilities for most of the PDSs and most of which are based on scoping values. More detailed evaluation and discussion and/or sensitivity studies may help to identify the important contributors to containment failure.

2.4.1.6 Radionuciide Release Characterization There are 45 CET end states with containment failure. They are referred in the St. Lucie IPE as release modes. In addition to the CET end states, there are also two SGTR and one ISLOCA PDSs for Unit 1 and one SGTR and one ISLOCA PDSs for Unit 2.

The parameters considered in the definition of a release category include:

1. Time of containment failure,

2. Size of containment failure,

3. In-vessel recovery status, 4 Core-concrete interaction (CCI) status, and

5. Release mitigation status.

Table 4.S4 of the IPE submittal describes the characteristics of the various release modes and Attachment 12 of the RAI response provides the C-Matrix, the distributions of the PDSs to the various release modes.

Source terms for the release categories are provided in Table 4.0-7 of the submittal.

The source terms for the release modes are calculated in the IPE using a combination of plant-specific MAAP calculations and the parametric model developed in NUREG-1150 (i.e., the X-SOR program).

Th'e approach seems appropriate and the use of plant-specific MAAP calculation results in the parametric model also seems reasonable. It is noted that source terms calculated by the above method (with results presented in Table 4.0-7) are only for non-bypass release modes. Release fractions for bypass sequences can be obtained from the MAAP calculation results presented in Tables F-28 to F-30 of the IPE submittal.

2.4.2 Accident Progression and Containment Performance Analysis 2.4.2.1 Severe Accident Progression Sequence selection for accident progression quantification and fission product release characterization is discussed in Appendix F of the St. Lucie IPE submittal. According to the submittal, the objective of the MAAP analyses is to provide the plant specific RCS and containment response to severe accident phenomena in support of the CET analysis for the St. Lucie PRA study. Sequence selection for MAAP analyses is therefore based on choosing specific accident progression scenarios that would characterize the dominant PDSs. A "baseline" scenario is selected in the IPE to represent the most likely conditions

within the sequences cutsets binned into the PDSs. Additionally, in order to reduce the number of MAAP runs, it was determined in the IPE to use a bounding approach by analyzing the thermal-hydraulic response of the most challenging scenarios for each bin. The discussion of sequence selection provided in the IPE submittal is of sufficient detail. The sequences selected for severe accident analyses and source term definition seem to be adequate.

2.4.2.2 Dominant Contributors: Consistency with IPE Insights Containment failure modes and their frequencies obtained from the St. Lucie CET quantification are briefly discussed in Section 4.6 of the submittal. Table 10, below, shows a comparison of the conditional probabilities for the various containment failure modes obtained from the St. Lucie IPE with those obtained from the Surry and Zion NUREG-1150 analyses.

Table 10 Containment Failure as a Percentage of Total CDF St. Lucie Plant St. Lucie Plant Containment Surry Zion IPE, Unit IPE, Unit Failure Mode NUREG-1150 NUREG-1150 1++ 2++

Early Failure 0.7 1.4 Late Failure 15 13 5.9 24.0 12 15 12.2 0.7 Bypass'solation Failure Intact 72 71 81.2 73.0 CDF (1/ry) 2.3E-5 2.6E-5 4.0E-5 3.4E-4 The data presented or St. Lucie are based on Figure 4. -4 o the IPE submittal. The difference between Unit 1 and Unit 2 is due to different Level 1 analysis results.

Included in Early Failure, approximately 0.1%.

Included in Early Failure, approximately 0.5%.

Included in Early Failure, 0.1%.

As shown in the above table, the conditional probability of containment bypass for St. Lucie is 12% of total CDF for Unit 1 and 15% for Unit 2. Containment bypass comes from ISLOCA and SGTR with ISLOCA the primary contributor (70% of all bypass for Unit 1 and 77% for Unit 2).

The conditional probability of early containment failure for both Unit 1 and Unit 2 is about 1% of total CDF. According to the "Summary and Conclusions" section of the IPE submittal (Section 4.8), "The major contributors to early containment failure for St. Lucie include containment threats due to HPME loads &om high RCS pressure core damage accidents, steam explosion events for low pressure sequences, and isolation failures." This is not consistent with CET results. According to the results presented in the IPE submittal and the licensee's response to the RAI questions, early containment failure for St. Lucie is dominated by two CET end states (E3-R and E4-R) for PDS 3H. These two CET end states contribute over 70% of total early failure probability for St. Lucie, and both of them are associated with successful RCS depressurization (thus not from HPME), and with the major contributor to containment failure from overpressurization (with a conditional probability of 0.1), not steam explosion (with a conditional probability of 0.8%). HPME is not a major contributor because of the high probability of successful RCS depressurization. According to the licensee's response to the supplemental RAI, the above statement was

made because MAAP calculations showed that the failure mechanisms would be dominated byHPME should RCS depressurization not occur. It was not based on CET quantification results.

Regarding the contributions of the various PDSs to early containment failure, early failure comes primarily from PDS 3H (high pressure" PDSs, including SBO sequences, over 80% early failure probability). This is followed by PDS 2B (intermediate pressure PDS, primarily from small-small LOCA, about 10% early failure probability).

The conditional probability of late containment failure for St. Lucie is 15% of total CDF for Unit 1 and 13% for Unit 2. According to the "Summary and Conclusions" of the IPE (Section 4.8 of the submittal),

"The major contributor to late containment failures is steam overpressure in the long term (hydrogen burning is likely to be precluded due to the steam inerted containment atmosphere)." This is not completely consistent with CET quantification results. It fails to mention that the major contributors to late containment failure are CET end states associated with core~ncrete interaction (or eoolable debris not formed ex-vessel). According to the data presented in the IPE, the probability of containment failure due to steam pressure alone (without CCI) is in general much less than that with CCI. The above statement was made, according to the licensee's response to the supplemental RAI, because it would be the case if a more realistic (i.e., less conservative than that used in CET quantification) value was used for ex-vessel core debris coolability. According to the response, in all of the licensee's MAAP qualitative analyses, except for conservatively forcing the CCI parameters for sensitivity studies, negligible CCI took place due to a wet cavity configuration.

Based on the results presented in the IPE submittal and the RAI response, late containment failure for St.

Lucie is dominated by two CET end states, C4-L of PDS 3H and C5-L of PDS 2B. They contribute over 60% of total late containment failure probability for both units of St. Lucie. End State C4-L is associated with successful RCS depressurization, failure of in-vessel coolant recovery, and ex-vessel debris not cooled (i.e., with CCI). End State CS-L is associated with failure of RCS depressurization, failure of in-vessel coolant recovery, and ex-vessel debris not cooled. For all late failure probability, over 90% is due to overpressure failure associated with CCI. The contribution from steam pressurization alone is small.

PDS 3H is the major contributor to late'containment failure (44% of all late failure for Unit 1, 43% for Unit 2). This is followed by PDS 2B (26% for Unit 1, 30% for Unit 2) and PDS 2F (16% for Unit 1 and 10% for Unit 2). The high late failure probability for these PDSs is partly due to the low in-vessel recovery probability of these PDSs".

2.4.2.3 Characterization of Containment Performance N

As shown in Table 10, for St. Lucie the core damage frequency (CDF) is lower than that obtained in NUREG-1150 for Zion and Surry. The conditional probability of containment bypass obtained in the St.

Lucie IPE is higher than that for Zion and comparable to that for Surry. For the other failure modes, the conditional probability of late containment failure for St. Lucie is between those from both Zion and Surry. The containment failure profile obtained in the St. Lucie IPE is in general consistent with those obtained in NUREG-1150.

In-vessel recovery precludes CCI and thus the challenge of late overpressure failure associated with CCI.-

47

The C-Matrix, which shows the conditional probabilities of CET end states (or containment failure modes) for the accident classes (or PDSs), can be obtained from Attachment 12 of the licensee's response to the RAI.

2.4.2.4 Impact on Equipment Behavior Although there are basic events in the CET structure that seem to address this issue, they are not discussed in the IPE submittal. For example, basic event PRDEST-CFE and PRDESTNCFE are described in Attachment E-2 of the IPE submittal (i.e., the fault trees) and Attachment 11 of the RAI response (i.e.,

basic event probabilities) as 'sprays. destroyed'iven CFE (i.e., early containment failure) and no CFE, respectively (with probability values of 0.825 and 0.5, respectively)'. This question was asked in the RAI (Back-End Question 24). However, according to the response, the survivability issue was not considered in the CET explicitly. It is noted that, according to the IPE submittal, the EQ limit for containment fan coolers and containment sprays is set in the MAAP model as 44 psig for containment pressure and 264'F for containment temperature. According to the RAI response, the survivability issue is thus embodied in the MAAP analysis.

For St. Lucie, the containment spray sumps, where the containment spray pumps take suction, are located outside the reactor cavity compartment at a higher elevation separated from the cavity by a concrete floor and walls and would-not be affected by the dispersed core debris.

2.4.2.5 'Uncertainties and Sensitivity Analysis Although NUREG-1150 information is used in the St. Lucie IPE for'he quantification of some phenomenological issues contained in the logic tree, probability distributions, which are developed and used in the NUREG-1150 analyses, are not used in St. Lucie IPE. The probability values used in the quantification of the St. Lucie IPE are not sampled from the distributions, but are estimated based on the mid-range values. In addition to NUREG-1150 data, plant-specific MAAP calculations were also performed to support CET analysis. In this regard, "baseline" scenarios were selected to represent the most likely conditions within the sequence cutsets binned into the PDSs. According to the IPE submittal, the baseline scenarios include the current understanding of the phenomenological issues that are important in severe accident risk assessments as implemented in MAAP, and uncertainties delineated in GL 88-20 and evaluated in NUREG-1150 reflecting NRC's positions on key issues are addressed in the sensitivity analyses.

Sensitivity studies are discussed in Appendix F.6 of the IPE submittal. The sensitivity studies for phenomenological uncertainties performed in the IPE by MAAP calculations include:

I

1. In-vessel core melt progression and relocation,

2. Ex-vessel corium water interactions and core-concrete interactions,

3. Fission product release from the fuel and transport within the containment system,

4. Containment performance (i.e., failure modes, failure locations or failure size), and

5. Active operator actions involving systems operations and actuation (e.g., steam generator depressurization).

Sensitivity analyses are performed in the St. Lucie IPE only for MAAP calculations. Although the CET quantification involves the use of assumptions and data that have significant uncertainties (e.g., the parameters that determine the probability of in-vessel recovery and ex-vessel cooling), the IPE does not 48

provide a sensitivity study for CET quantification to evaluate the effect of these assumptions on the IPE results (e.g., containment failure probabilities)"-.

2.5 Evaluation of Decay Heat Removal and Other Safety Issues 2.5.1 Evaluation of Decay Heat Removal 2.5.1.1 Examination of DHR The IPE addresses decay heat removal (DHR). DHR is defined as those systems required for primary and secondary inventory control and heat transfer from the RCS to an UHS following shutdown of the reactor for transients and small LOCAs. Several methods of DHR are mentioned, including the main feedwater system, the auxiliary feedwater system, the condensate system (in conjunction with secondary depressurization using the turbine bypass or the atmospheric dump system), as well as the feed and bleed operation (here called once through cooling, or OTC) and HPSI for small LOCA inventory control.

Containment cooling is necessary if core heat is transferred to the containment (as in case of OTC or LOCA recirculation phase).

DHR function loss contributes 1.4E-S/yr (1.7E-S/yr) to the CDF for Unit 1 (Unit 2) and is thus below the 3.0E-S/yr criterion used to define acceptably low DHR failure frequencies in NUREG-1289.

Contribution to the CDF from the DHR frontline systems and their support systems is calculated and presented (see Fig. la and 1b). Contribution of components and support systems to each DHR system's unavailability is not calculated or readily available.

The IPE agrees with an NRC report, NUREG/CR<710, which lists the major DHR "vulnerabilities",

or dominant failures at St. Lucie, and concludes that no modifications are necessary. The dominant failures listed in that report are mainly various common cause failures.

2.5.1.2 Diverse Means of DHR The IPE evaluated the diverse means for DHR, including: MFW, AFW, condensate, steam relief, HPSI and once through cooling. Shutdown cooling was also considered. Cooling for the RCP seals was taken into account. In addition, containment cooling was addressed.

Limited CET sensitivity analyses were performed in the St. Lucie IPE but were not reported in the IPE submittal. In the licensee's response to the supplemental RAI, a sensitivity analysis of PDS 3H (a high pressure PDS) was discussed to show the effect of in-vessel recovery on containment failure. Although the results showed a significant effect for PDS 3H, the licensee argued in the response that the total containment failure probability will only be slightly affected by the value used in the IPE for in-vessel recovery because of the low contribution of PDS 3H to the total PDSs. Since in-vessel recovery affect both early and late failure probabilities for PDSs with both high and low pressures, the one example discussed in the response does not provide the whole picture.

49

2.5.1.3 Unique Features of DHR Section 1.2 includes the unique features of St. Lucie that pertain to the DHR function. The licensee states in the responses to the RAls that the primary DHR system is the AFW system in conjunction with the SGs. The only support system required for the AFW is electric power (manual operation of TDAFW pumps is not credited). The AFW pumps are located outdoors, shielded only by a security barrier, thus HVAC is not needed. CCW is not needed for EDG operation, as the diesels are self cooled. However, safety dc power is needed. CCW is used'to cool the SDC heat exchangers (considered as a means of long term DHR in certain sequences) and to support once through cooling (cooling for HPSI pumps and containment heat removal):

2.5.2 Other GSIs/USIs Addressed in the Submittal No other GSIs/USIs are addressed in the submittal.

2.5.3 Response to CPI Program Recommendations The CPI recommendation for PWRs with a dry containment is the evaluation of containment and equipment vulnerabilities to localized hydrogen combustion and the need for improvements. Although the effects of hydrogen combustion on containment integrity and equipment are discussed in the submittal, the CPI issue is not specifically addressed in the submittal. More detailed information on this issue is provided in the licensee's response to the RAI. According to.the response, a walkdown of the St. Lucie containment was performed in the early development of the IPE to gain a general understanding of the free volumes and potential reactor hydrogen release paths, and the walkdown indicated that local hydrogen pocketing was very unlikely due to the large free volume and no noticeable tight compartmentalization. In addition, according to the response, MAAP calculations based on conservative assumptions indicated that the hydrogen concentration in the containment would remain below 6%, well below the value under which detonation from deflagrationdetonation-transition is likely to occur.

2.6 Vulnerabilities and Plant Improvements The vulnerability criteria used for the IPE are as follows:

1) "A failure which contributes a disproportionately large contribution to the total CDF or significant release probabilities and in turn is considered significantly higher than those of PRAs for similar plants, or"

2) "A failure which has any unusual and significant impact on the total CDF or release probabilities."

Based on these criteria'no vulnerabilities were found.

In the plant improvement section of the IPE, it was stated that no modifications to either hardware or procedures were required to address a vulnerability. However, one procedural change was implemented to support operators in fillingthe condensate storage tank long-term operation (beyond 10 hours1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months ) of AFW is demanded.

(~ from the treated water storage tank when 50

C ~

The CDF impact of this improvement is negligible, as this is just a minor enhancement of an existing procedure on which the operators are trained. W The following change was made in response to the SBO rule: Blackout crosstie provides power to the blacked out unit from the opposite unit.

'o CDF impact of this change is evaluated.

The back-end analysis did not identify the need for any plant improvements.

51

52

3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS A review of the St. Lucie Nuclear Plant IPE submittal indicates that the examination carried out by the licensee fulfills the purposes of the IPE program as stated in Generic Letter 88-20, although in some areas only marginally so. For example, based on the level 1 review of the St. Lucie IPE the licensee appears to have analyzed the design and operations of St. Lucie to discover instances of particular vulnerability to core damage. It also appears that the. licensee has: developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at St. Lucie; and implemented changes to the plant to help prevent and mitigate severe accidents. However, it is not clear that a complete quantitative understanding of the overall probabilities of core damage was gained by the licensee. This possibly incomplete quantitative understanding is mainly due to the data problems discussed in the section on level 1 weaknesses below.

Strengths of the level 1 IPE analysis are as follows: Thorough analysis of initiating events and their impact, descriptions of the plant systems, modeling of accident scenarios, generally reasonable failure data and common cause factors employed. The results are reasonable and the licensee tried to derive insights. Utility involvement was maximized and an effort was made to model the as built as operated plant. Several plant walkdowns were performed. The flooding analysis seems to have been reasonable and thorough.

The weaknesses were in the relative scarcity of plant specific data, due to past deficiencies in raw data collection procedures. Some initiating event (IE) frequencies were lower than expected ( for instance LOCAs), while some came from generic data, instead of plant specific fault trees. The loss of a dc bus is an important example where the results may be sensitive to the assumptions used. The licensee's IE frequency of 3.8E-S/yr is in the lower part of the industry range. Typical values in the industry are 10 to 100 times higher. As the CDF contribution from this initiator is already significant (about 1% for Unit 1 and 5% for Unit 2) an increase in the IE frequency by 1 to 2 orders of magnitude would make this the dominant initiator. An extreme increase could possibly even indicate a vulnerability. It would seem that for such an important initiator, plant specific fault trees would be constructed and plant specific data used in quantification. The licensee used generic data for a dc bus failure to arrive at the IE frequency, i.e.,

only one failure mode was modeled. This issue is further discussed in Section 2.2.2 of this report.

Other weaknesses include: isolated failure data and common cause factors were lower than expected (AFW pump, ICW pumps), while a few CCF categories were not modeled. The power recovery curve was optimistic (however, the loss of grid initiating event frequency may be too high, thus partially offsetting this weakness). Some RAI responses were not particularly helpful. The ATWS modeling (at least for Unit 1) was incorrect, according to RAI responses, but has been corrected. There is inconsistency between different sections of the submittal, such that it is not clear if as-built-as operated features of the plant were always properly modeled (e.g., is hot leg recirculation upon failure of cold leg recirculation credited; is the usage of condensate pumps, in conjunction with depressurization credited?).

Some important operator actions were left at their screening values (e.g., miscalibration of RWT level transmitters) and some pessimistic assumptions were made (e.g., recovery of failure to isolate the CCW N-header not modeled). Two unit effects were not thoroughly discussed. The outside peer review of the analysis seems weak since apparently there was no review of the final results.

53

Based on the level l review of the submittal and experience with other IPEs, it is expected that these shortcomings may not detract significantly from the perception of the correct risk profile of the plant but may reduce the quantitative understanding of the likelihood of various core damage sequences from that which the licensee could have gained if these weaknesses did not exist. It is likely that the licensee has identified the important contributors to core damage at the plant, but the relative ranking and contribution to CDF of individual accident sequences cataloged in the examination are subject to question due to the above listed weaknesses.

The IPE determined that failures in HPSI, emergency power, CCW, AFW, ICW and ESFAS/RPS dominate the risk profile. The dominant initiators are the small-small LOCA (30% of CDF at Unit 1, 29% at Unit 2), loss of grid (18% at Unit 1, 19% at Unit 2) and large LOCA (15% at Unit 1, 13% at Unit 2). These three initiators contribute 63% at Unit 1 and 61% at Unit 2. Altogether 'LOCAs (excluding ISLOCA and SGTR) contribute 53% at Unit 1 and 49% at Unit 2. SBO accounts for about 10% of the CDF. The CDF is dominated by 6 accident sequences, plus (for containment bypass) two ISLOCAs and two SGTR sequences at Unit 1 (nine dominant sequences plus one ISLOCA and one SGTR sequence at Unit 2).

The HRA review of the St. Lucie IPE submittal and a review of the licensees responses to HRA related questions asked in the NRC RAI, revealed several weaknesses in the HRA as documented. In general, a viable approach (the Dougherty and Fragola method) was used in performing the HRA, but several weaknesses were identified in how the analysis was conducted. While the weaknesses are not severe enough to conclude that the licensee's submittal failed to meet the objectives for the IPE as stated in Generic Letter 88-20 in regards to the HRA, they do suggest the licensee may not have learned as much about the role of humans during accidents at their plant as would have been possible. Important elements (both strengths and weaknesses) pertinent to this determination include the following:

1) The submittal indicates that utility personnel were significantly involved in the HRA. Regarding the IPE HRA representing the as-built, as-operated plant, the submittal states that the HRA was analyst "reviewed procedures, walked down the plant and control room facilities and had discussions with various plant personnel in the Operations and Training Departments." The HRA analyst was involved in the initial sequence and system modeling efforts. It was also stated that "the human failure probabilities are based on published generic information from other analyses, simulator evaluations, and insights from past PRAs" and that "site specific information from St.

Lucie is used when appropriate." Although the submittal and response to the NRC's RAIs indicate that results from simulator runs were apparently evaluated, it was not clear that simulator runs were conducted specifically for the IPE. Thus, it appears that steps were taken to assure that the HRA represented the as-built, as-operated plant.

2) The submittal indicates that the analysis of pre-initiator actions included both miscalibrations and restoration faults. While an acceptable screening analysis was conducted, no additional quantification or detailed analysis of pre-initiators was performed after initial quantification. Thus, all pre-initiator events were left at their initial screening values. A list of the dominant sequences provided in Tables 3.7-4 and 3.7-8 of the submittal for Units 1 and 2, respectively, shows that some of the more dominant sequences contained miscalibration events. While the HEPs for these events were reasonable, it is possible that a more detailed analysis after initial quantification may have resulted in lower HEPs for these events, which in turn may have slightly reduced the importance of these sequences and their associated contribution to CDF. While the pre-initiator approach did not preclude identification of important pre-initiator events, the lack. of a "fine 54

screening" analysis of important pre-initiator events must be considered a minor weakness of the St. Lucie IPE.

A strength of the analysis of post-initiator events was that all events modeled in the fault. trees were initially quantified using a value of 1.0. After initial quantification, surviving cutsets were examined and appropriate post-initiator "recovery" operator actions were added. Tais approach helped ensure that important post-initiator actions were not inappropriately truncated.

The post-initiator analysis included appropriate types of operator actions and had a viable process for identifying, selecting, and quantifying operator actions.

One apparent weakness of the post-initiator analysis concerns the extent to which plant-specific factors were considered. While the model itself provides reasonable mechanisms for addressing relevant plant -specific factors, on the basis of examples provided, it would appear that many of the parameters were left at their default values. In particular, all success likelihood indices (SLIs) were left at their default values. That is, plant related performance shaping factors (PSFs) were assumed to have no effect. By leaving the SLIs for the modeled events at their default values, the analysts are basically assuming St. Lucie is an "average" plant in terms of its PSFs. Thus, the resulting analysis is to some extent "generic" rather than plant-specific, and may or may not adequately represent the plant in all cases. However, the method used did consider scenario-specifics factors such as stress, burden, and task type on operator performance and therefore the

'licensee did attempt to reach some degree of realism in the HEP calculations.

Thirteen post-initiator human actions (apparently per unit) were modeled as slips and quantified with the time-independent technique. While the analysis performed appeared conscientious, treating post-initiator human actions with the time-independent approach is troublesome for two reasons. First, the approach does not model the diagnosis or decision-making portion of the human action. It is asserted that the operators are well trained on these actions and that they are simply following steps in their emergency procedures. Therefore the actions "would require minimum diagnosis." While this may be the case, the failure to explicitly consider factors that could influence an operator's decision to act certainly has the potential to over-estimate the likelihood of success. Second, time is not considered to be a limiting factor in the performance of these actions. That is, the impact of time is not directly considered in determining their HEPs.

For cases in which relatively large amounts of time are available, indications are obvious, and execution times are short, a viable time-independent technique would be acceptable.

However, for at least three of the actions treated as slips, this was not obviously the case. Thus, quantification of multiple post-initiator human actions with the time-independent technique must be considered a weakness of the St. Lucie IPE. Most other IPEs using the SAIC approach have modeled only a few (if any) post-initiators with the time-independent technique. Nevertheless, the HEPs for the events modeled as slips were not unreasonable (particularly for the many events with substantial time available), reasonable credit for recovery by other personnel was taken, and several of the events modeled in this way showed-up as being important. Therefore, there is no reason to believe that the approach necessarily precluded detection of vulnerabilities. More detail on the issue is provided in section 2.3.2.4 below.

Dependence among multiple human actions was handled in the St. Lucie submittal essentially by examining such combinations of modeled human events and determining that the combinations 55

involved events that were either separated in time, involved completely ditferent systems, or were performed by different individuals. The licensee stated that "where it was identified that multiple operator actions were not appropriate, certain actions were either removed from the model or the probability was left at 1.0 in the cutsets." They further state that "these actions were then manually added only to the cutsets where there was no dependency with other actions. The licensee also notes that "the appropriateness of an action may also have been sequence dependent."

However, the licensee did not compute different HEPs for similar events occurring in different contexts. They addressed this issue by simply using the most pessimistic value in all cases. This approach may have reduced the realism of the results of the HRA and PRA somewhat.

8) A list of important human actions based on their contribution to core damage frequency was provided in the submittal.

9) The HRA portion of the flooding and level 2 analyses appeared reasonable.

The technical evaluation of the IPE back-end analysis indciates that again the analyses appears to fulfill the purposes outlined in GL 8&-20, but again only marginally so in some areas due to the weaknesses discussed further below.

The strengths of the level 2 analyses are the following: The containment event tree (CET) and the associated fault trees used for CET top event quantification are clearly described in the IPE submittal.

They provide a detailed structure for the Level 2 IPE process and contain sufficient detail to identify plant-specific features that may have a significant effect on containment failure and fission product release and indicate an overall appreciation by the licensee of severe accident behavior at St. Lucie. The ~

quantification of the CETs also seems adequate and appears to allow an understanding of the overall probability of fission product releases. Severe accident progression at St. Lucie was also evaluated in the IPE by selected MAAP calculations based on the dominant sequences found in the PDSs, and by sensitivity analyses of some of the sequences for some parameters used in the MAAP calculations. These MAAP calculations assist the licensee in obtaining an appreciation and quantitative understanding of severe accident behavior at St. Lucie. The licensee has also addressed the recommendations of the CPI program.

There are some weaknesses in the Level 2 IPE that warrant further consideration. The most significant weakness is the lack of sufficient discussion of the CET quantification results in the IPE submittal. The major contributors to early and late containment failure probabilities discussed in the summary and conclusion section of the IPE submittal are based on the insights obtained from a generic report and some plant-specific MAAP calculations and not on the results obtained from CET quantification. According to the licensee (in response to an RAI) this was done in order to provide the various points of view on accident progression. This seems to indicate a lack of sufficient examination and confidence in the CET quantification results. However, additional discussions with the FPL personnel (through telephone conference calls) and the licensee's response to a follow up RAI question seem to indicate that, although.

the discussion presented in the IPE submittal is ambiguous and does not focus on CET quantification results, it may not be caused by a lack of understanding of the IPE results.

Another potential weakness is the high probability of in-vessel recovery and the lack of evaluation of the impact of in-vessel recovery on the containment failure probability in the St. Lucie IPE. Although this issue is addressed in the licensee's response to one of the RAI follow up questions, the conclusion in the response, that containment failure was only slightly affected based on the sensitivity study of a single 56

PDS, may not be correct. A review of the CET top event probabilities obtained in the IPE shows that the containment failure probability may be significantly affected by the probability of in-vessel recovery (for all PDSs and thus the total CDF). The significant effect of in-vessel recovery on containment failure is partly caused by the high CCI probability, and the high containment failure probability given CCI, used in CET quantification. Since plant-specific MAAP analyses showed CCI is unlikely to occur, the effect of in-vessel recovery on containment failure probability may not be as significant as that indicated by the CET models.

Lack of consistency throughout the IPE submittal is another problem. Some of the inconsistencies are due to the lack of attention to details and some are due to poor documentation. Examples of the former include the grouping of small LOCA sequences with large LOCA sequences to a low pressure PDS.

Examples of the latter are the different values presented in the various parts of the IPE submittal for the same parameter. Although these inconsistencies may not have a significant effect on CET quantification, they should be corrected to provide a more accurate and unambiguous representation of plant conditions used in the analysis.

In summary, a review of the St. Lucie Plant IPE submittal reveals that on balance the licensee has largely fulfilled the purposes of the individual plant examination stated in GL 88-20, although, based on the submittal and subsequent interactions with the licensee, this appears to have been only marginally accomplished in a number of areas.

57

58 A'.

C,

[IPE]

REFERENCES St. Lucie Plant Individual Plant Examination, Florida Power &,

Light Company, 1992.

fRAI Responses] Response to NRC Request for Additional Information, St. Lucie Plant IPE," Florida Power & Light Company, June, 1996.

[Supplemental RAI Responses] Response to Supplemental Request for Additional Information, St.

Lucie Plant IPE," Florida Power & Light Company, January, 1997.

[NSACM] Oconee PRA, A Probabilistic Risk Assessment of Oconee Unit 3.

[NSAC/159] Generic Framework for IPE Back-End (Level 2) Analysis, October 1991.

[Book] E. M..Dougherty and J. R. Fragola, Human Reliability Analysis:

A Systems Engineering Approach with Nuclear Power Plant Applications, NY: John Wiley & Sons, 1988.

[NUREG/CR-1278] A. D. Swain and H. E. Guttman, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Applications Technique for Human Error Rate Prediction, NUREG/CR-1278, U.S. Nuclear Regulatory Commission, Washington D.C., 1983.

fNUREG/CR-4772] A. D. Swain, Accident Sequence Evaluation Program Human Reliability

[NUREG/CR-4834] D. W. Whitehead, Recovery Actions in PRA for the Risk Methods Integration and Evaluation Program (RMIEP), Volume 2:

Application of the Data-Based Method, NUREG/CR-4834, U.S.

Nuclear Regulatory Commission, Washington, DC, December 1987.

[NUS-4531] G. W. Hannaman, et al., Human Cognitive Reliability (HCR)

Model for PRA Analysis, NUS Corporation, Gaithersburg, MD, December 1984.

59

V ~

ML17229A415

Text

SUMMARY

Navigation menu

Search