ML17310B422
| ML17310B422 | |
| Person / Time | |
|---|---|
| Site: | Palo Verde  |
| Issue date: | 07/01/1994 |
| From: | Brian Holian Office of Nuclear Reactor Regulation |
| To: | Stewart W ARIZONA PUBLIC SERVICE CO. (FORMERLY ARIZONA NUCLEAR |
| References | |
| REF-GTECI-A-23, REF-GTECI-CO, TASK-023, TASK-23, TASK-OR GL-88-20, TAC-M74445, TAC-M74446, TAC-M74447, NUDOCS 9407120076 | |
| Download: ML17310B422 (37) | |
Text
'~PS Rf00 Cy g
>>>>>>*+
UNITED STATES NUCLEAR REGULATORY COIVIMISSION WASHINGTON, D.C. 20555-0001 July 1, 1994 Docket Nos.
STN 50-528, STN 50-529, and STN 50-530 Hr. William L. Stewart Executive Vice President, Nuclear Arizona Public Service Company Post Office Box 53999 Phoenix,. Arizona 85072-3999 Dear Nr. Stewart;
SUBJECT:
STAFF EVALUATION OF THE PALO VERDE NUCLEAR GENERATING STATION INDIVIDUAL PLANT EXAMINATION (IPE)
FOR INTERNAL EVENTS UNIT NOS.
1, 2, AND 3 (TAC NOS.
- H74445, H74446, AND N74447)
The staff has completed its evaluation of the Palo Verde Individual Plant Evaluation (IPE) for internal events and internal flood.
Our review examined the Palo Verde IPE submittal (internal events only) and associated documentation, which included your Level 2 probabilistic risk assessment (PRA) and responses to staff questions.
No specific unresolved safety issues or generic safety issues were proposed for resolution as part of the Palo Verde IPE.
The IPE was performed in two stages.
The results of the preliminary stage, completed in mid-1990, showed a core damage frequency (CDF) of I.OE-3/reactor-year.
Two transient initiators accounted for over 70% of the CDF, namely, loss of heating, ventilation, and air conditioning (HVAC) to the train A DC equipment rooms and loss of Class IE channel A DC power.
To reduce the importance of these initiating events and also enhance the capability of feedwater, you identified four modifications and completed them in all units by the spring of 1993.
Your IPE took credit for these modifications, reducing the CDF to 9.0E-5.
The IPE does not take credit for the installation of gas turbine generators planned in response to the SBO Rule.
The gas turbine generators are installed and are currently connected to Units 1 and 3, further reducing the calculated CDF to 6.3E-5.
The single largest contributor to the CDF identified in this IPE is station blackout (SBO) at 21%, followed by loss of offsite power (LOOP) at 18% and miscellaneous reactor trips, also at 18%.
Additionally, the single functional failure that contributes to over 85% of the CDF is loss of steam generator cooling following an accident.
(Palo Verde is not equipped with power-operated relief valves, which would facilitate feed and bleed in this situation.
Reactor coolant pump (RCP) seal failure, which was included in the analysis of SBO and LOOP events, was found to be an insignificant contributor to CDF.
However, the staff notes that you assumed that excessive RCP seal leakage within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> of an SBO event is not likely.
Your RCP seal loss-of-coolant 9407120076 940701 PDR ADGCK 05000528 P
I I
rr "1
Mr. William L. Stewart Vuly 1, 1994 I',
accident (LOCA) model is dependent on the CE Owners'roup conclusions concerning the operating experience related to the seal performance of CE RCPs.
Because the issue of RCP seal LOCA is being addressed as part of Generic Safety Issue (GSI) 23, "RCP Seal Failures," the staff did not pursue this issue further.
Pending the resolution of GSI-23, this aspect of the Palo Verde IPE may need to be reexamined.
Otherwise, our evaluation of your April 28, 1992, submittal, as supplemented, is complete.
Based on our review, we conclude that the licensee has met the intent of Generic L'etter 88-20 for internal events.
The staff recognizes the significant effort of your staff in participating in virtually all aspects of the
The staff does not plan on performing a Step 2 review.
Should you have any questions, please contact me at (301) 504-3121 or Linh Tran at (301) 504-1361.
Sincerely,
Enclosure:
Safety Evaluation cc w/enclosure:
See next page ORIGINAL SIGNED BY:
Brian E. Holian, Senior Project Manager Project Directorate IV-2 Division of Reactor Projects III/IV Office of Nuclear Reactor Regulation DISTRIBUTION w/encl osure:
- .Docket=Fi.l e=
NRC 5, Local PDRs PDIV-2 Reading LTran BHolian DFoster-Curseen
- KPerkins, RIV/WCFO w/Data Summary Sheet:
JRoe
P-315 TQuay RHernan OFFICE DRPW/LA PDIV-2 PM PDIV-2 D DFoster-4r NAME BHolian:
TQuay 7/
94 DATE 94 v
/94 OFFICIAL RECORD COPY DOCUMENT NAME:
PV74445. IPE
Mr. William L. Stewart Ouly 1, 1994 accident (LOCA) model is dependent on the CE Owners'roup conclusions c ncerning the operating experience related to the seal performance of CE RCPs.
Because the issue of RCP seal LOCA is being addressed as part of Generic Safety Issue (GSI) 23, "RCP Seal Failures," the staff did not pursue this issue further.
Pending the resolution of GSI-23, this aspect of the Palo Verde IPE may need to be reexamined.
Otherwise, our evaluation of your April 28, 1992, submittal, as supplemented, is complete.
Based on our review, we conclude that the licensee has met the intent of Generic Letter 88-20 for internal events.
The staff recognizes the significant effort of your staff in participating in virtually all aspects of the
The staff does not plan on performing a Step 2 review.
Should you have any questions, please contact me at (301) 504-3121 or Linh (301) 504-1361.
Sincerely, inclosure:
Safety Evaluation cc w/enclosure:
See next page ORIGINAL SIGNED BY:
Brian E. Holian, Senior Project Manager Project Directorate IV-2 Division of Reactor Projects - III/IV Office of Nuclear Reactor Regulation DISTRIBUTION w/enclosure:
Docket File NRC L Local PDRs PDIV-2 Reading LTran BHolian DFoster-Curseen
- KPerkins, RIV/WCFO w/Data Summary Sheet:
JRoe
P-315 Tguay RHernan PDIV-2/D TQuay 7/
/94 PDIV-2 PM DRPW/LA OFFICE DFoster-M5a BHolian:
NAME
'7 /
/94
> /
/94 DATE OFFICIAL RECORD COPY DOCUMENT NAME:
PV74445. IPE
I l
Hr. William L. Stewart accident (LOCA) model is dependent on the CE Owners'roup conclusions concerning the operating experience related to the seal performance of CE RCPs.
Because the issue of RCP seal LOCA is being addressed as part of Generic Safety Issue (GSI) 23, "RCP Seal Failures," the staff did not pursue this issue further.
Pending the resolution of GSI-23, this aspect of the Palo Verde IPE may need to be reexamined.
Otherwise, our evaluation of your April 28, 1992, submittal, as supplemented, is complete.
Based on our review, we conclude that the licensee has met the intent of Generic Letter 88-20 for internal events.
The staff recognizes the significant effort of your staff in participating in virtually all aspects of the
The staff does not plan on performing a Step 2 review.
Should you have any questions, please contact me at (301) 504-3121 or Linh Tran at (301) 504-1361.
Sincerely,
Enclosure:
Safety Evaluation cc w/enclosure:
See next page Brian E. Holian, Senior Project Manager Project Directorate IV-2 Division of Reactor Projects III/IV Office of Nuclear Reactor Regulation
I
Mr. William L. Stewart Arizona Public Service Company Palo Verde CC:
Mr. Steve Olea Arizona Corporation Commission 1200 W. Washington Street Phoenix, Arizona 85007 T.
E. Oubre, Esq.
Southern California Edison Company P. 0.
Box 800
- Rosemead, California 91770 Senior Resident Inspector Palo Verde Nuclear Generating Station 5951 S. Wintersburg Road
- Tonopah, Arizona 85354-7537 Regional Administrator, Region IV U.
S. Nuclear Regulatory Commission Harris Tower
& Pavillion 611 Ryan Plaza Drive, Suite 400 Arlington, Texas 76011-8064 Mr. Charles B. Brinkman, Manager Washington Nuclear Operations ABB Combustion Engineering Nuclear Power 12300 Twinbrook Parkway, Suite 330 Rockville, Maryland 20852 Mr. Aubrey V. Godwin, Director Arizona Radiation Regulatory Agency 4814 South 40 Street Phoenix, Arizona 85040 Jack R.
- Newman, Esq.
Newman
& Holtzinger, P.C, 1615 L Street, N.W., Suite 1000 Washington, D.C.
20036 Mr. Curtis Hoskins Executive Vice President and Chief Operating Officer Palo Verde Services 2025 N. 3rd Street, Suite 220
- Phoenix, Arizona 85004 Roy P.
Lessey. Jr.,
Esq.
Akin, Gump, Strauss, Hauer and Feld El Paso Electric Company 1333 New Hampshire
- Avenue, Suite 400 Washington, DC.
20036 Ms. Angela K. Krainik, Manager Nuclear Licensing Arizona Public Service Company P. 0.
Box 52034
- Phoenix, Arizona 85072-2034
- Chairman, Maricopa County Board of Supervisors 111 South Third Avenue
- Phoenix, Arizona 85003
ENCLOSURE STAFF EVALUATION OF PALO VERDE UNITS I, 2 and 3
INDIVIDUAL PLANT EXAMINATION (IPE)
( INTERNAL EVENTS ONLY)
e
TABLE OF CONTENTS PAGE EXECUTIVE
SUMMARY
1 I.
BACKGROUNDo ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
~
~
~
~
~
~
~
~
3 II.
STAFF'S REVIEW..........................
4 1.
Licensee's IPE Process........
~...
4 2.
Front-End Analysis..........
~
~
~
6 3.
Back-End Analysis 8
4.
Human Factor Considerations......
10 5.
Containment Performance Improvements (CPI).........
12 6.
Evaluation.o
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
12 7.
Licensee Actions and Commitments from the IPE:........
13 III.
CONCLUSION......
14 APPENDIX:
PALO VERDE UNITS 1, 2, and 3
DATA
SUMMARY
SHEET 17
\\
EXECUTIVE
SUMMARY
The NRC staff completed its review of the internal events portion of the Palo Verde Units 1, 2 and 3 Individual Plant Examination (IPE) submittal and associated information.
The latter includes licensee responses to staff generated questions seeking clarification of the licensee's process.
No specific unresolved safety issues (USIs) or generic safety issues (GSIs) were proposed for resolution as part of the Palo Verde IPE.
The licensee's IPE is based on a Palo Verde Level 2 probabilistic risk assessment (PRA).
Arizona Public Service Company (APS) personnel maintained involvement in the development and application of PRA techniques to the Palo Verde facility, with the objective of transfer of PRA technology to the APS personnel.
The staff notes that major plant departments provided input to the IPE/PRA development.
Tt:e ]~: was performed in two stages.
The results of the preliminary stage, completed in mid-1990, showed a core damage frequency (CDF) of 1.0E-3/reactor year.
Two transient initiators accounted for over 70% of the CDF, namely, loss of Hv'AC to the train A DC equipment
- rooms, and loss of Class 1E channel A
"" o e
~n reduce the importance of these initiating events (IEs) and also enhance the capability of feedwater (FW), the licensee identified four mooifications that were installed in all units by the Spring of 1993.
The licensee's (PE described in its submittal took credit for these modifications.
As a consequence of these
- changes, the CDF was reduced to 9.0E-5.
The licensee used a set of conceptual guidelines to identify vulnerabilities.
- .
- :-um..ieiy, these guidelines involve safety or non-safety components, support
- systems, or operator actions that contribute significantly to CDF and containment failure with a high probability of occurrence in comparison to other large dry PWRs.
Based on these guidelines, the IPE indicates that no vulnerabilities with respect to core damage and containment failure exist at Palo Verde, The single largest contributor to the CDF identified in this IPE is station blackout at 21%, followed by loss of offsite power (LOOP) at 18%,
and miscellaneous reactor trips, also at 18% (The IPE does not take credit for the installation of gas turbine generators planned in response to the SBO Rule).
Additionally, the single functional failure that contributes to over 85% of the CDF is loss of steam generator cooling following an accident.
Based on the review of the Palo Verde IPE submittal and associated documentation, the staff concludes that the licensee met the intent of Generic Letter 88-20.
This conclusion is based on the following findings:
(1) the IPE is complete with respect to the information requested in Generic Letter 88-20 and.associated NUREG-1335 submittal guidance document; (2) the front-end systems
- analysis, the back-end containment performance
- analysis, and the human reliability analysis are technically sound and capable of identifying plant-specific vulnerabilities to severe accidents; (3) the licensee employed viable means (document review and walkdowns) to verify that the IPE reflected the current plant design and operation; (4) the PRA which formed the basis of the IPE had an extensive peer review; (5) the licensee participated fully in the IPE process consistent with the intent of Generic Letter 88-20; (6) the
licensee appropriately evaluated Palo Verde's decay heat removal (DHR) function for vulnerabilities, consistent with the intent of the USI A-45 resolution; and (7) the licensee responded appropriately to recommendations stemming from the containment performance improvement (CPI) program.
In
- addition, the licensee intends to maintain a "living" PRA.
It should be noted that the staff's review primarily focused on the licensee's ability to examine Palo Verde for severe accident vulnerabilities.
Although certain aspects of the IPE were explored in more detail than others, the review is not intended to validate the accuracy of the licensee's detailed findings (or quantification estimates) which stemmed from the examination.
t
,l V
I.
BACKGROUND On November 23, 1988, the NRC issued Generic Letter 88-20 which requires licensees to conduct an Individual Plant Examination in order to identify potential severe accident vulnerabilities at their plant, and report the results to the Commission.
Through the examination
- process, a licensee is expected to (1) develop an overall appreciation of severe accident behavior, (2) understand the most likely severe accident sequences that could occur at its plant, (3) gain a more quantitative understanding of the overall probabilities of core damage and fission product releases, and (4) if necessary, reduce the overall probability of core damage and radioactive material releases by modifying, where appropriate, hardware and procedures that would help prevent or mitigate severe accidents.
As stated in Appendix D of the IPE submittal guidance document NUREG-1335, all IPEs are to be reviewed by NRC teams to determine the extent to which each licensee's IPE process met the intent of Generic Letter 88-20.
The IPE review itself is a two step process; the first step, or "Step 1" review, focuses on completeness and the quality of the submittal.
Only selected IPE submittals, determined on a case-by-case basis, will be investigated in more detail under a second step or "Step 2" review.
The decision to go to a "Step 2" review is primarily based on the ability of the licensee's methodology to identify vulnerabilities, and the consistency of the licensee's IPE findings and conclusions with previous PRA experience.
A unique design may also warrant a
"Step 2" to better understand the implication of certain IPE findings and conclusions.
As part of this process, the Palo Verde IPE only required a
"Step 1" review.
On April 28, 1992, Arizona Public Service Company (APS) submitted the Palo Verde IPE in response to Generic Letter 88-20 and associated supplements.
The IPE submittal, based on the Palo Verde PRA, consists of a Level 2
PRA.
The IPE submittal contains the results of an evaluation of internal
- events, including internal flooding.
The licensee plans to provide a separate submittal on findings stemming from the IPE for external events (IPEEE).
The staff will review the IPEEE separately, within the framework prescribed in Generic Letter 88-20 Supplement 4.
As part of its review, the NRC contracted with Science 5 Engineering Associates, Inc.
(SEA), Scientech Inc./ Energy Research Inc.,
and Concord Associates to review the front-end analysis, the back-end analysis, and the human reliability analysis, respectively.
SEA's review is documented in SEA 91-553-03-A: 1, "Palo Verde IPE:
Front-End Audit."
Scientech's review is documented in SCIE-NRC-209-92, "Technical Evaluation Report of the Palo Verde Individual Plant Examination Back-End Submittal."
Concord's review is documented in CA/TR 92-019-03, "Technical'valuation Report:
Palo Verde Nuclear Generating Station Individual Plant Examination Human Reliability Analysis,'tep 1 Review."
On November 9,
- 1992, the staff sent a set of questions to the licensee seeking additional information and clarification.
On November 24,
- 1992, the licensee held a conference call with the staff and its contractors and responded to the
\\
staff's questions.
The licensee provided its formal response to the staff's questions in a letter dated February 25, 1993.
This report documents findings and conclusions which stemmed from the NRC review.
Specific numerical results and other insights taken from the licensee's IPE submittal are listed in the appendix.
II.
STAFF'S REVIEW 1.
Licensee's IPE Process The Palo Verde IPE submittal describes the approach taken by the licensee to confirm that the IPE represents the as-built, as-operated plant.
In addition to detailed document reviews by members of the PRA team (consultants and licensee personnel, including those responsible for 10 CFR 50.59 safety evaluations),
walk-throughs were performed for familiarization with plant/system operations, equipment layout for origin and susceptibility to floods and containment walk-throughs for information to be used for the back-end analysis.
Based on review of the information submitted with the IPE, the staff concludes that the licensee's walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built, as-operated plant.
The IPE submittal contains a summary description of the licensee's IPE
- process, the licensee's personnel participation in the process, and the subsequent in-house peer review of the final product.
The staff reviewed the licensee's description of the IPE program organization, composition of the peer review teams, and peer findings and conclusions.
The staff notes the participation of the APS personnel in virtually all aspects of the IPE through technology transfer, model development,
- reviews, data collection, and requantification of the models with plant-specific data.
In addition to the IPE team, other APS departments were involved to insure that the models accurately portrayed the plant.
The licensee intends to maintain a "living" PRA.
As part of the IPE process APS established an independent review team which consisted of personnel from all appropriate organizations including engineering, operations, and training.
This review was in addition to internal reviews performed by APS PRA engineers.
The staff concludes that the IPE peer review process was consistent with the guidance of NUREG-1335.
Based on the review of the IPE submittal and associated documentation, the staff concludes the licensee's peer review process provided reasonable assurance that the IPE analytic techniques had been correctly applied.
The licensee used the following.conceptual guidelines to identify vulnerabilities:
(1)
A single failure of safety-or nonsafety-related equipment that has a
significant impact on the CDF.
(2)
Multiple safety-or nonsafety-related components
- that, due to physical proximity, systems interactions, or environmental consideration, have a
high potential for common cause failure and have a significant impact on the CDF.
(3)
A support system that has a high probability of failure, results in an unant'.cipated plant transient not covered by procedures, results in the loss of multiple front-line and/or support
- systems, and has a
significant impact on the CDF.
(4)
An operator action that has a reasonable probability of being demanded over the plant lifetime, has a moderately high probability of failure due to complex procedures or unfamiliarity, and has a significant impact on the CDF.
(5)
A mode of containment failure that has a high probability of occurrence in comparison to other large dry PWRs.
The licensee probed the results by performing uncertainty analysis that quantified data uncertainties associated with initiating events
( IEs),
seq.,ence quantification, and common cause failures.
Consistent with these guidelines, the IPE indicates that no "vulnerability" exists at Palo Verde due to human, system or containment performance.
Based un the review of the Palo Verde IPE submittal and associated documentation, the staff finds reasonable the licensee's IPE conclusion regarding core damage and containment vulnerabilities.
The staff finds the Palo Verde IPE process capable of identifying severe accident risk contributors (or vulnerabilities) and that such capability is consistent with the objective of Generic Letter 88-20.
'-E The staff examined the front-end analysis for completeness and consistency with accepted PRA practices.
The front-end IPE analysis used the small functional event tree and large linked fault tree methodology.
A different functional event tree was developed for small loss of coolant accident (LOCA), medium LOCA, large
- LOCA, steam generator tube rupture (SGTR),
secondary line break, FW line break, grouped transient, loss of main FW/condensate pump, station blackout (SBO),
and anticipated transients without scram (ATWS).
The functional event trees were configured to model system response to specific IEs through the use of event tree top logic.
Detailed fault trees were developed for all front-line and support systems.
The Palo Verde IPE used Set Equation Transformation System (SETS) for sequence quantification and event tree/fault tree linking.
A sequence frequency truncation value of I.OE-S was. used to screen out some of the unimportant sequences.
Latin Hypercube Sampling (LHS) and Top Event Matrix Analysis Code (TEHAC) were used for uncertainty-analyses that quantified data uncertainty.
Additionally, the uncertainty analyses utilized importance ranking of IEs by risk reduction and partial derivative.
The IE data were derived from a combination of generic -and plant-specific information sources, The sources of data were explicitly identified, and the
P
rationale was provided in cases where generic data were used.
Plant-specific initiators were selected based on emergency procedures, abnormal operating procedures, piping and instrumentation drawings (PAID), design documents, Palo Verde licensee event reports, and other plant documentation.
The discussion of IE quantification is very thorough, and describes four methods used in the quantification process including generic point estimate, plant-based tabular "OR" point estimate, plant-based fault tree estimate, and plant-based equation.
Based on its review, the staff concludes that the list of generic and plant-specific IEs is complete with respect to other
- PRAs, and dependencies between the IEs and the mitigating systems were handled appropriately.
For the components which were most important to the PRA results, plant-specific.experience was collected, and the generic and plant-specific data were combined by a Bayesian update process.
Plant-specific experience was considered to estimate the maintenance unavailability of the major pumps and valves in the fault tree models, and in the quantification of several special event basic events.
In the longer term, the licensee intends to incorporate plant-specific experience into the IE analysis and other important component failure events as part of its use of its living PRA.
The licensee submitted two dependency matrices; the first one presenting dependence of front-line systems on the support
- systems, and the second one focusing on support system-support system dependencies.
Depending on the type of system, the discussion in the IPE submittal covered areas such as power supply and control power, actuation, cooling water, and related operator actions.
Common cause failure events were modeled per the general screening method described in NUREG/CR-4780.
The screening process includes identifying important root causes of common cause failures and identifying component groups that can cause system failures.
The methodology for common cause quantification was clearly identified and used the simple beta factor method for cases of two component failures and the lethal shock method for the quantification of selected common cause events in which more than two compo-nents fail.
In addition, the licensee's uncertainty analyses included specific analyses to quantify uncertainty in the common cause data.
The submittal identified the dominant accident sequences in accordance with the reporting guidelines in NUREG-1335 and presents the 200 highest frequency sequences.
The IPE estimates the point estimate for total CDF as 9.0E-5/year (mean is 8.6E-5/year).
The dominant IEs are station blackout (SBO) (including LOOP), miscellaneous reactor trip loss of instrument air, and loss of turbine cooling water and plant cooling water (The IPE does not take credit for the installation of gas turbine generators planned in response to the SBO Rule).
Together they contribute about 71% of the total CDF.
The largest other contributors are turbine trip, small LOCA and ATWS, each contributing about 3.5% of the total CDF.
The dominant function that contributes about 85% of the total CDF is loss of steam generator cooling following an accident.
This is expected since Palo Verde is not equipped with power operated relief valves (PORVs) which could facilitate feed and bleed.
The licensee determined that the Palo Verde reactor coolant pump (RCP)
(CE-KSB) seals are similar to CE-Byron Jackson pump seals.
The CE-Byron Jackson pump has three seals, each of which is designed to withstand full pressure.
This determination resulted in two assumptions:
(1) only the failure of all three stages of the seals leads to a small LOCA, with leakage not exceeding 600 gpm per pump; and (2) the failure frequency of CE-BJ RCPs are applicable to CE-KSB pumps.
As a result of these assumptions, the RCP seal LOCA is modeled as a small LOCA initiating event with a frequency of 3.9E-3/year.
RCP seal failure was included in the analysis of SBO and LOOP.
The licensee's IPE results indicate that the contribution of RCP seal LOCA to CDF is insignificant.
However, the staff notes that the licensee assumed that excessive RCP seal leakage prior to 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> after an SBO event is not likely.
The licensee's RCP seal LOCA model is mainly dependent on the CE Owners'roup (CEOG) conclusions concerning the operating experience related to the seal performance of CE RCPs.
Because the issue of RCP seal LOCA is being addressed as part of Generic Safety Issue (GSI)-23, "RCP Seal Failures",
the staff review team did not pursue this issue further.
i iicensee used the flooding analysis methodology described in Appendix D of the ',ndustry degraded core rulemaking (IDCOR) Technical Report 86.3A1, "Individual Plant Evaluation Methodology for Pressurized Water Reactors."
A screening analysis was used in which a preliminary set of questions was asked aboUl ca"h vf 144 flooding zones.
Depending on the answer, the zones were either eliminated from further analysis or a second series of questions were asked.
This process was repeated to identify which zones would be significant cont;riuu-.n~ s to the total CDF.
The areas analyzed were the containment building, auxiliary building, control building, diesel generator building, main steam support system building, and turbine building.
The licensee determined that the contribution of internal flooding to CDF is less than l.GE-7.
Based on the IPE description and licensee responses to questions, the staff finds the licensee's IPE methodology clearly described and justified in its submittal.
Based on the staff's review of the front-end analysis and the staff's finding that the analytical technques used are capable of identifying potential core damage vulnerabilities, the staff concludes that the IPE front-end analysis meets the intent of Generic Letter 88-20.
3.
Back-End Anal sis The staff examined the Palo Verde back-end (Level
- 2) analysis for completeness and consistency with acceptable PRA practices.
The analysis utilized methodology similar to that exercised in the NUREG-1150
- PRA, and employed Revision 17.02 of the MAAP-3.0B computer code to model the containment thermal response.
The ANSIS computer code was used to determine ultimate containment failure pressure, failure mode, and location, As part of the review, the staff examined the licensee's methodology, documentation of analytical codes exercised, and input data.
The staff found the'approach to be consistent with Generic Letter 88-20, Appendix 1 (Guidance on the Examination of Containment System Performance).
Sequences generated from the front-end (Level
- 1) analysis were grouped into plant damage states (PDSs) via a
PDS grouping logic diagram which uses nine
-parameters to characterize the thermodynamic conditions in the reactor coolant system (RCS) and containment, and availability of the plant systems and features.
The PDSs were used as the entry states to the containment event trees (CETs).
To develop the CETs for Palo Verde, the licensee reviewed'he events developed for NUREG-1150 and NUREG/CR-4551, examined past PRA/IPE and IDCOR results, and considered plant-specific design and operational characteristics.
In addition, the licensee performed HAAP analyses to understand the plant-specific accident processes.
Seven CET events were chosen to represent physical phenomena, operator actions, and system response in severe accident environment.
To quantify the probabilities of the CET
- events, the licensee used decomposition event trees to further develop the CET events.
.The CET end states were subsequently used to develop 22 source term categories.
The licensee used the NUCAP+ computer code to quantify the CET to estimate source term frequencies.
The source terms for the dominant source term bins were first developed using the HAAP computer code and later compared with the source term code package (STCP) results.
The IPE submittal estimated the following contributions to total containment failure probability given core damage:
Early Containment Failure Late Containment Failures Overpressurization Basemat Helt-through SGTR Event V/Containment not isolated No Containment Failure 0.10 0.08 0.05 0.03 0.01 0.73 The licensee also examined the failure of containment penetration seals and identified various contributors to containment isolation failures.
Based on the licensee's findings, the licensee estimated that the containment isolation failure probability is 5.7E-4.
The licensee's IPE performed sensitivity analyses to address the most important severe accident phenomena normally associated with large dry containments.
For example, to assess the impact of the important assumptions contributing to direct containment heating (DCH) on the early containment failure probabiity, sensitivity analyses were performed by varying probabilities assigned to different fraction of entrained debris fragmented.
Only negligible changes in the containment failure probability were observed.
The results of the sensitivity analyses indicated that only the late containment failure is strongly affected by the significant uncertainties involving hot-leg failure and in-vessel debris cooling.
The licensee noted that the early containment failures are dominated by LOCAs (including induced LOCAs) with failure of containment sprays/heat removal.
Even though these sequences are designated as "early", the licensee notes that containment does not fail until 26 hours3.009259e-4 days <br />0.00722 hours <br />4.298942e-5 weeks <br />9.893e-6 months <br /> after the IE and a significant amount time would be available to recover failed equipment or provide an alternate
~
~
method of containment heat removal.
Therefore, the licensee decided to consider these sequences i,n the Palo Verde accident management program.
In
- addition, the licensee has installed two gas turbine generators onsite (currently operational to Units I and 3), reducing the contribution of early containment failures due to the dominance of the LOOP initiator on the CDF.
The staff notes that the IPE results have not taken credit for these considerations, and that the licensee plans to pursue these considerations during accident management program development.
The staff's review did not identify any obvious or significant problems or errors in the back-end analysis.
The process of determination of conditional containment failure probabilities and containment failure modes was consistent with the intent of Generic Letter 88-20, Appendix 1.
Dominant contributors to containmpnt failure were found to be consistent with insights from other PRAs.
The IPE characterized containment performance for each of the CET end-states by assessing containment loading.
The licensee's IPE addresses the most important severe accident phenomena normally associated with large dry containments, that is, direct containment heating (DCH), induced
The licensee considered the failure of containment penetration seals and examined various contributors to containment isolation failures.
The overall assessment of the back-end analysis is that the licensee has made reasonable use of PRA techniques in performing the back-end
- analysis, and that the techniques employed are capable of identifying severe accident vulnerabilities.
Based on these findings, the staff concludes that the licensee's back-end IPE process is consistent with the intent of Generic Letter 88-20.
4.
Human Factor Considerations The IPE submittal is essentially complete with respect to the type of information and level of detail requested in NUREG-1335.
The Palo Verde IPE submittal provides thorough documentation of the human reliability analysis (HRA) conducted.
The HRA was performed using a modified Systematic Human Action Reliability Procedure (SHARP) framework (EPRI NP-3583, June 1984).
Three general types of human actions were evaluated as part of the IPE, including:
(I) unavailability errors, i.e., those actions that occur during maintenance and operations prior to an initiator and affect system availability and safety either by inadvertently disabling equipment during testing or maintenance, or by restoring failed equipment through testing and maintenance; (2) failure-to-perform errors, i.e.,
those actions that include procedural errors (i.e.,
human errors while responding to the anticipated or expected event progressions that follow a given transient) and recovery errors (i.e., operator failure to rectify a non-normal situation, such as equipment failures or inoperability, following a transient; and (3) personnel-initiated events (that are not specifically treated in this analysis but are assumed to be included in IE frequencies).
This human action taxonomy is logical and representative of'"those used in other
- PRAs, and it supports the identification of important human actions.
Screening values and generic human error probabilities (HEPs), for initial quantificaLion of operator diagnosis errors and operator failure to properly 9
implement critical steps required to mitigate a diagnosed
- event, were taken from NUREG/CR-1278, "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," (August 1983).
Plant-specific, sequence-specific performance shaping factors (PSFs) were applied in the calculation of HEPs.
The licensee states that it used a conservative approach in use of the NUREG/CR-1278 values.
The IPE submittal provides a detailed description of the procedural errors modeled which are human errors while responding to the expected event progressions during a transient.
These errors are generally included in the system fault trees and top level logic as basic events.
The discussion includes a description of the action, the success criteria, important
- PSFs, comments on the HEP quantification, the quantification of the
- HEP, and where the event was used in the modeling.
The results of an analysis of the importance of human actions to core damage are provided in the submittal and are repeated in the appendix to this staff evaluation report.
The licensee did not consider any human actions for recovery following core damage in its back-end analysis.
The reasons are that Palo Verde does not have PORVs and does not allow water injection into the reactor cavity prior to reactor vessel/RCS failure, However, the licensee identified that refilling the refueling water tank (RWT) becomes necessary if cooldown and depressurization of the primary system is not achieved in a timely manner following a SGTR or upon failure of containment recirculation.
There were previously no explicit instructions to fill the RWT when its inventory gets low.
The licensee noted that the failure rate for this action could be reduced if specific instructions existed in the emergency procedures to perform this action.
The licensee stated in a discussion on May 10,
- 1994, that the relevant procedures have been revised to require this action.
In summary, and based on a review of the licensee's IPE submittal, the staff finds the licensee's assessment of human reliability, conducted as part of the Palo Verde IPE, capable of discovering severe accident vulnerabilities from human errors consistent with the intent of Generic Letter 88-20.
The HRA methodology described in the licensee's IPE submittal supports the quantitative understanding of the overall probability of core damage during plant operations, as well as an understanding of the contribution of human actions to that probability.
Human-related plant improvements that are planned or under review, such as those to implement procedures, are expected to enhance human reliability and plant safety.
In addition, the licensee's stated intention to maintain the PRA will ensure that a mechanism exists for the licensee to continue to identify and evaluate the risk significance of potentially important human actions during plant operation and maintenance.
5.
Containment Performance Im rov'ements CPI Generic letter 88-20, Supplement 3, contains CPI recommendations which focus on the vulnerability of containments to severe accident challenges.
For large dry containments, such as the Palo Verde design, the reference contains a
recommendation that IPEs consider hydrogen production and control during severe accidents, particularly the potential for local hydrogen detonation.
10
Containment failure due to containment overpressurization from hydrogen deflagrations has been addressed explicitly by the licensee in the Palo Verde IPE.
Based on the MAAP calculations, hydrogen deflagrations will not produce peak pressures which will challenge containment integrity.
Therefore, the licensee found that deflagration is not likely to fail the Palo Verde containment.
With respect to the possibility of local hydrogen detonation, the licensee investigated the problem of hydrogen "pocketing" in the containment.
As a
result of the evaluation and analysis of the Palo Verde containment
- design, the licensee does not expect any significant problem related to hydrogen "pocketing" for the steam generator and pressurizer cubicles because they are open at the top.
The licensee noted that the only area where hydrogen "pocketing" can occur is in the reactor drain tank (RDT) cubicle.
- However, the licensee stated that local detonation is not a concern due to the lack of vital equipment in the RDT cubicle.
The staf,, therefore, concludes that the licens'ee's response to CPI Program recommendations, which included searching for vulnerabilities associated with containment performance during severe accidents, is reasonable and consistent with the intent of Generic Letter 88-20 and associated Supplement 3.
6.
Reca" Heat Removal DHR Evaluation In accordance with the resolution of USI A-45, the licensee performed an examination of Palo Verde to identify DHR vulnerabilities, to investigate various design and procedure change options, and to assess the potential value
~F the~@
changes in improving DHR reliability at Palo Verde.
The Palo Verde plant design relies on secondary cooling to provide DHR for non-LOCA events and for SGTR and small LOCA events where the decay heat removed through the primary breach is not sufficient to provide adequate core cooling.
The Palo Verde PRA credits two systems which can provide secondary cooling auxiliary feedwater (AFW) and alternate FW.
Additionally, for some LOCA events, DHR can be provided by the safety injection systems.
The licensee's analysis evaluated the reduction in CDF attained from:
(1) installation of two gas turbine generators to improve the reliability of the electric power system; (2) installation of PORVs which provide an additional means of DHR; (3) a procedure change which improved the ability of the downcomer FW isolation valves (FWIVs) and FW control valves (FWCVs) to remain operable following an IE involving loss of instrument air; and (4) combinations of these three modifications.
Modifications completed by the spring of 1993 (and taken credit for in the IPE) include:
(1) changing the source of power for trie main steam and feedwater isolation valve (MSFIV) logic cabinets; (2) changing the loss of power failure mode of the trai'n A steam generator downcomer containment isolation valves to fail open; (3) providing a backup source of control power for the train N AFW pump circuit breaker; and (4) installing temperature detectors in the DC equipment rooms, with an alarm in the control
- room, and 11
~
~
developing procedures by which the operator will open the DC equipment room doors and provide fan cooling to the equipment in the event of loss of HVAC.
An additional modification underway is installation of gas turbine generators as an additional power source (reducing the calculated CDF from 9E-5 to 6.3E-5).
The licensee determined that the further risk reduction that would result from the installation of PORVs as well is not significant to warrant the extra cost (estimated to be
$ 5.5 million).
Based on the process that the licensee used to search for DHR vulnerabilities, and review of plant-specific features, the staff finds the licensee's DHR evaluation to be consistent with the intent of Generic Letter 88-20 and resolution of USI A-45.
7.
Licensee Actions and Commitments from the IPE As part of the preliminary stage of the licensee's IPE process, the licensee identified two transient initiators responsible for over 70% of the total
- rooms, and (2) loss of Class 1E channel A DC power.
To reduce the importance of these IEs and also enhance the capability of FW, the licensee identified four modifications for implementation by Spring of 1993:
(1)
Change the source of power for the NSFIV logic cabinets.
(2)
Change the loss of power failure mode of the train A downcomer isolation valves to fail open.
'3)
Provide a backup source of control power for the train N AFW pump circuit breaker.
(4)
Install temperature detectors in the DC equipment rooms, with an ala@a in the control room.
Taking credit for these modification in the later-phase IPE submittal, the single largest contributor identified is SBO at 21N, followed by LOOP and miscellaneous reactor trips.
In its response to staff questions, the licensee indicated that it is proceeding with installation of gas turbine generators.
As noted in the
- IPE, and subsequently completed, the licensee also evaluated procedure modifications to provide explicit instructions to fill the RWT when its inventory gets low. Furthermore, the licensee plans to evaluate the following items further during accident management program development:
(1) recovery of failed containment
- sprays, and (2) implementation of alternate spray capability.
Although the review team did not closely examine the merits of these items in detail, the staff notes that the licensee is applying PRA/IPE findings to enhance plant safety.
The staff finds the licensee's actions reasonable.
The staff believes the licensee's proposed actions in response to the IPE-identified contributors to core damage and containment failure are consistent with the intent of Generic Letter 88-20.
In addition, the staff notes that the licensee intends to maintain a "living" PRA.
12
~
~
III.
CONCLUSION The staff finds the licensee's IPE submittal for internal events including internal flooding
- complete, with the level of detail consistent with the ir ~ormation requested in NUREG-1335.
Based on the review of the submittal and the associated supporting information, the staff finds reasonable the licensee's IPE conclusion that, except for.the identified "vulnerabilities,"
no other fundamental weakness or severe accident vulnerabilities exist at Palo Verde.
The staff notes that:
(1)
APS personnel were involved in the development and application of PRA techniques to the Palo Verde facility, and that the associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built, as-operated plant.
(2)
The front-end IPE analysis appears
- complete, with the level of detail consistent with the information requested in NUREG-1335.
In addition, the employed analytical techniques are consistent with other NRC
. @viewed and accepted PRAs and capable of identifying potential core damage vulnerabilities.
(3)
The hack-end analysis addressed the most important severe accident
~.i.:n~i-iena normally associated with large dry containments.
The techniques employed in the back-end analysis are capable of identifying severe accident vulnerabilities.
No obvious or significant problems or er; o~ s were identified.
(4) 1he HRA allowed the licensee to develop a quantitative understanding of the contribution of human errors to CDF and containment failure p"oba~ilities.
The assessment of human reliability was capable of discovering severe accident vulnerabilities from human errors.
(5)
Based on the licensee's IPE process used to search for DHR vulnerabilities, and review of Palo Verde plant-specific features, the staff finds the licensee's DHR evaluation consistent with the intent of the USI A-45 (Decay Heat Removal Reliability) resolution.
(6)
The licensee's response to CPI Program recommendations, which include searching for vulnerabilities associated with containment performance during severe accidents, is reasonable and consistent with the intent of Generic Letter 88-20 Supplement 3.
In addition, and consistent with the intent of Generic Letter 88-20, the staff believes the licensee's peer review process provided assurancethat the IPE analytic techniques had been correctly applied and that the effort had been properly documented.
Based on the above findings, the staff concludes that the licensee demonstrated an overall appreciation of severe accidents, has an understanding of the most likely severe accident sequences that could occur at the Palo Verde facility, has gained a quantitative understanding of core damage and fission product release, and responded appropriately to safety improvement 13
opportunities.
The staff, therefore, finds the Palo Verde IPE process acceptable in meeting the intent of Generic Letter 88-20.
The staff also notes that the licensee's intent to continue to use and maintain its PRA will enhance plant safety and provide additional assurance that any potentially unrecognized vulnerabilities would be identified and evaluated during the lifetime of the plant.
14
APPENDIX PALO VERDE DATA
SUMMARY
SHEET*
INTERNAL EVENTS o
Total core damage frequency (CDF) 9.0E-5/Year o
Hajor initiating events and contribution to CDF:
Contribution Station blackout (SBO)
Hiscellaneous reactor trips Loss of turbine or plant cooling water (component L service water)
Loss of instrument air Small loss of coolant accident (LOCA)
Anticipated transient without scram (ATWS)
Steam generator tube rupture (SGTR)
Others 21%
18%
18%
8%
6%
4%
4%
2%
19%
o Hajor operator action failures:
Operator failure to Operator failure to nitrogen.
Operator failure to Operator failure to Operator failure to actuation signal.
'ecover offsite power within 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />.
isolate high pressure nitrogen from low pressure align diesel-driven air compressor.
align alternate feedwater within 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br />.
manually actuate auxiliary feedwater (AFW) o Contribution to total containment failure probability given core damage:
Early Containment Failure Late Containment Failures Overpressurization Basemat Helt-through SGTR
., Event V/Containment not isol-.ted No Containment Failure 0.10 0.08 0.05 0.03 0.01 0.73 15
I
o Significant PRA findings:
~
Loss of heating ventilation and air conditioning (HVAC) space cooling to the train A DC equipment room results in loss of channel A DC.
Loss of channel A DC power makes four of the five sources of feedwater unavailable.
o Important plant functional characteristics (percent CDF):
Steam generator cooling High pressure injection Low pressure injection High pressure recirculation cooling Reactor Scram Reactor coolant system integrity Hot leg recirculation Low pressure recirculation cooling Loss of steam generator integrity Interfacing system LOCA (85.0/o)
( 4.9/o)
( 3.8X)
( 3.7X)
( 3.5X)
( 1.4X)
( 1.3X)
( 0.5X)
( 0.3X) 0.2X) o Enhanced plant hardware, procedures, and operator actions:
~
Configuration for the 125V DC channel A load distribution was modified to provide power for the main steam and feedwater isolation valve logic.
~
Train A downcomer isolation valves were modified to fail open upon loss of channel A DC power.
~
The non-essential AFW pump will have a manual transfer switch to permit supply of DC control power directly from the channel A
battery charger should the DC bus fail.
~
All four class DC equipment rooms have high temperature alarms that indicate an HVAC problem.
~
Installation of two gas-powered turbine generators.
o Potential improvements under evaluation:
Internal flooding: Zone boundaries features be regularly surveilled including the floor drain check valves, sump room level detection equipment and associated alarm circuits.
The integrity of walls,
- ceilings, and piping penetration seals also would be scrutinizel to ensure the integrity.
Implementation of procedure changes to improve the reliability of the downcomer valves (FW isolation and control valves) following events involving loss of instrument air: manual isolation of the high pressure from the low pressure nitrogen upon loss of instrument air.
16
~
Expanding the scope of shutdown risk evaluation.
~
t1odification of procedure for refilling the refueling water tank.
Providing operator guidance for recovery of failed containment sprays.
~
Implementation of alternate containment spray capability.
o Future activities:
Applications and upgrading of PRA for:
~
Design changes.
~
Evaluation of compliance issues (justifications for continuing operation and technical specifications waivers).
~
Upgrading emergency operating procedures.
Training licensed operators on risk insights.
(* Information has been taken from the Palo Verde Units I, 2 and 3 IPE and has not. been validated by the NRC staff.)
17