Staff Evaluation of DC Cook Units One & Two IPE (Internal Events Only)

ML17333A550
Person / Time
Site:	Cook
Issue date:	09/06/1996
From:	NRC (Affiliation Not Assigned)
To:
Shared Package
ML17333A549	List: ML17333A548 ML17333A550 ML17333A551
References
NUDOCS 9609110066
Download: ML17333A550 (27)
v • d • e

Text

STAFF EVALUATION OF D.C.

COOK UNITS I AND 2 INDIVIDUALPLANT EXAMINATION (IPE)

( INTERNAL EVENTS ONLY) 9609ii0066 960906 PDR ADQCK 050003i5 P

PDR Enclosure 1

EXECUTIVE

SUMMARY

BACKGROUND II.

STAFF'S REVIEW TABLE OF CONTENTS PAGE 2.

3.

5.

Licensee's IPE Process Front-End Anal sis and Deca Heat Removal Evaluation Back-End Anal sis and Containment Performance Im rovements Evaluation Human Factors Considerations Licensee Actions and Commitments from the IPE 10 13 16 III. CONCLUSIONS 17 APPENDIX D.C.

COOK DATA

SUMMARY

SHEET*

(INTERNAL EVENTS) 19

EXECUTIVE

SUMMARY

The U.S. Nuclear Regulatory Commission staff completed its review of the internal events portion of the D.C.

Cook Units 1 and 2 Individual Plant Examination

( IPE) submittal and associated information.

The latter includes licensee responses to staff generated questions seeking clarification of the licensee's process and a site audit of the methodology used by the licensee in the human reliability analysis portion of the IPE.

No specific unresolved safety issues (USIs) or generic safety issues were proposed for resolution as part of the D.C.

Cook IPE.

The American Electric Power Service Corporation (AEPSC) personnel maintained involvement in the development and application of probabilistic risk assessment techniques to the D.C.

Cook facility.

The staff notes that virtually all of the plant departments provided input to the IPE.

D.C.

Cook, Units 1

and 2 are Westinghouse 4-loop plants with ice condenser containments.

The results of the IPE show a core damage frequency of 6.26E-5 from internally initiated events, including the contribution from internal floods.

The IPE identified the dominant accident sequences in accordance with Appendix 2 to Generic Letter 88-20.

Small loss of coolant accident (LOCA) sequences dominate the core damage frequency with a 47% contribution; loss of component cooling water and steam generator tube rupture contribute 22% and 11%, respectively; and other LOCAs, anticipated transients without scram, station blackout, other transients, and interfacing LOCA's contributing from 7% to much less than 1%, respectively.

The IPE identified emergency core cooling system failure (caused by common cause failure of the safety injection pumps and by failure of the engineered safety feature) as the significant contributor to core damage.

The licensee used the following criteria for the screening of vulnerabilities (1) safety and non-safety related component failure that have a significant impact on core damage frequency, (2) operator actions whose failure has a

significant impact on core damage frequency, and (3) a mode of containment failure whose consequences or frequency of occurrence have a sever impact on offsite releases.

Based on these guidelines, the licensee did not identify..

any major vulnerabilities with respect to core damage or containment performance.

Regarding the human reliability analysis (HRA) portion of the IPE, the staff identified several ignificant weaknesses with AEPSC's application of the post-initiator HRA model in using the THERP process and with AEPSC's treatment of time available for operator action.

The licensee's model (a fault tree approach) resulted in incorrect applications of THERP values.

For example, the diagnosis model in THERP pertains to the entire control room crew;

however, diagnosis events are reduced by other "recoveries" which is inappropriate.

Performance shaping factors were discretized to a level that is not justified and beyond the current state-of-knowledge, and therefore, over credited.

Dependencies and conditionalities are not considered; therefore, operator performance is assessed independent of the accident sequence.

The time available to the operators versus the time required to diagnose and perform the necessary activities are not appropriately treated.

These various weaknesses resulted in the very low human error probabilities (HEPs) seen in the D.C.

Cook IPE.

The staff had the HRA portions of the Cook

IPE reviewed by a contractor (Alan D. Swain).

This assessment is documented in a report entitled "Evaluation of Cook IPE/HRA Haterials," dated December 5,

1994, As a result of the staff site visit, AEPSC conducted several sensitivity studies to indicate that significant vulnerabilities were not overlooked.

The HEPs were increased and the core damage frequency.

(CDF) requantified.

Although the CDF increased, new dominant accident sequences and contributors did not appear an the relative ranking of accident sequences and contributors (i.e., percent contribution) did not change.

Based on these sensitivities, the staff has concluded that significant vulnerabilities were not overlooked.

However, the st'aff believes these weaknesses in the HRA will substantially limit any future use of the IPE.

The licensee has noted its intention to revise the HRA with regard to the following: (1) human reliability action specific to sequences, (2) dependence

modeling, (3) performance shaping factor in diagnosis, (4) explicit consideration of time, (5) consistent use of second person

checking, and (6) training performance shaping factors.

While the staff agrees with AEPSC intended modification, these changes need to address the specific issues raised above.

The staff also encourages AEPSC to perform an independent peer review of the HRA using HRA experts to ensure that the misapplications are appropriately addressed.

Based on the review of the D.C.

Cook IPE submittal and associated documentation, the staff concludes that the licensee has met the intent of Generic Letter 88-20.

This conclusion is based on the following findings:

(1) the IPE submittal is complete with respect to the information requested in Generic Letter 88-20 and the associated NUREG-1335 submittal guidance document; (2) the front-end systems analysis and the back-end containment performance analysis are capable of identifying plant-specific vulnerabilities to severe accidents, and the human reliability analysis did not overlook any significant vulnerability; (3) the licensee employed viable means (document review and walkdowns) to verify that the IPE reflected the current plant design and operation; (4) the IPE had an extensive peer review; (5) the licensee participated fully in the IPE process consistent with the intent of Generic Letter 88-20; (6) the licensee appropriately evaluated D.C. Cook' decay heat removal function for vulnerabilities, consistent with the intent of the USI A-45 resolution; and (7) the licensee responded appropriately to recommendations resulting from the containment performance improvement program.

In addition, the licensee intends to maintain a "living" PRA.

It should be noted, however, that the staff's review primarily focused on the licensee's ability to examine D.C.

Cook for severe accident vulnerabilities.

Although certain aspects of the IPE were explored in more detail than others, the review is not intended to validate the accuracy of the licensee's detailed findings (or quantification estimates) that stemmed from the examination.

I.

BACKGROUND On November 23,

1988, the U.S. Nuclear Regulatory Commission (NRC) issued Generic Letter 88-20 that requires licensees to conduct an Individual Plant Examination

( IPE) in order to,identify potential severe accident vulnerabilities at their plant, and report the results to the Commission.

Through this examination

process, a licensee is expected to (1) develop an overall appreciation of severe accident

behavior, (2) understand the most likely severe accident sequences that could occur at its plant, (3) gain a

more quantitative understanding of the overall probabilities of core damage and fission product release, and (4) if necessary, reduce the overall probability of core damage and radioactive material releases by modifying, where appropriate, hardware and procedures that would help prevent mitigate severe accidents.

As stated in Appendix D of the IPE submittal guidance document (NUREG-1335),

all IPEs are to be reviewed by NRC teams to determine the extent to which each licensee's IPE process met the intent of Generic Letter 88-20.

The IPE review is a two step process.

The first step, or "Step 1 review," focuses on reviewing,

one, the completeness of the information submitted relative to what was requested, and two, the quality of the information contained in the submittal relative to its scope, assumptions and results.

Only selected IPE submittals, determined on a case-by-case

basis, are investigated in more detail under a second step or "Step 2 review."

The decision to go to a Step 2

review is primarily based on the ability of the licensee's methodology to identify vulnerabilities, and the consistency of the licensee's IPE findings and conclusion with previous probabilistic risk assessment (PRA) experience.

A unique design may also warrant a Step 2 review to better understand the implication of certain IPE findings and conclusions.

As part of this process, the D.C.

Cook IPE required a Step 2 review for the human reliability analysis (HRA) portion of the IPE.

On Hay 1,

1992, American Electric Power Service Corporation (AEPSC) submitted the D.C.

Cook IPE in response to Generic Letter 88-20 and associated supplements, D.C.

Cook, Units 1 and 2 are Westinghouse 4-Loop PWRs with ice-condensor containments.

The IPE submittal contains the results of an evaluation of internal

events, (including internal flooding) and external events.

The staff is reviewing the IPE External Events submittal separately, within the framework prescribed in Generic Letter 88-20, Supplement 4.

On December 23,

1992, the staff sent a Request for Additional Information to

.the licensee seeking additional information and clarification.

The licensee responded to the staff's request in a letter dated February 24, 1993.

On October 8,

1993, the licensee met with the staff to present the results of the IPE.

The staff raised several question to which the licensee formally responded in a letter dated December 3,

1993.

On February 23 and 24,

1994, the staff performed an HRA audit at the D.C.

Cook site.

Additional information was requested as a result of the audit.

The licensee responded to the staff's request in a letter dated April 25, 1994.

In addition, the staff had the HRA portions of the Cook IPE reviewed by a contractor (Alan D. Swain).

This assessment is documented in a report entitled "Evaluation of Cook IPE/HRA Haterials," dated December 5,

1994.

This report documents the findings and conclusions that stemmed from the NRC review.

Specific numerical results and other insight's taken from the licensee's IPE submittal are listed in the attached appendix.

II.

STAFF'S REVIEW 1.

Licensee's IPE Process In response to Generic Letter 88-20, AEPSC has performed an IPE of the D.C.

Cook nuclear power plant.

The D.C.

Cook IPE submittal describes the approach taken by the licensee to confirm that the IPE represents the currently as-built, as-operated

plant, In addition to detailed document reviews by in-house personnel, several plant walkdowns were performed:

system level walkdowns to allow the PRA team to become familiar with equipment locations, system operations, test and maintenance; containment walkdowns to examine compartments and study the potential for containment bypass; and internal flood walkdowns to obtain a spacial perspective of equipment.

Based on review of the information submitted with the IPE, the staff concludes that the walkdowns and reviews constituted a viable process capable of confirming that the IPE represents the as-built, as-operated plant.

The IPE submittal contains a summary description of the licensee's IPE

process, the licensee's staff participation in the process and the subsequent in-house peer review of the final product.

The staff reviewed the licensee's description of the IPE program organization, composition of the peer review

team, and peer findings and conclusions.

The staff notes that AEPSC personnel maintained considerable involvement in the development and application of PRA techniques to the D.C.

Cook facility, with the objective of bringing PRA technology "in-house."

To this end, AEPSC has developed and maintained a

permanent group of engineers with the responsibility for maintaining and applying the IPE/PRA.

The staff recognizes AEPSC's intention of maintaining the IPE as a "living" document.

The licensee committed the IPE process to a quality assurance program that meets the requirements of IOCFR50, Appendix B.

Audits were conducted on project activities, and reviews were performed by licensee personnel not connected directly with project development.

The licensee also employed an independent review team to evaluate the IPE methods used and their translation into output documents.

The independent review team included personnel from all appropriate organizations:

plant operations,

design, nuclear engineering, nuclear operations, and quality assurance.

The licensee's peer review process only provided assurance that the IPE had been properly documented.

The staff does not believe the review process provided assurance that the IPE analytic techniques had been correctly applied, particularly in regards to the HRA portion of the IPE.

The licensee's IPE submittal provides a discussion of the criteria used to define "vulnerability."

The licensee developed the following criteria for vulnerability identification and treatment:

(1) component or human failures that have a significant impact on core damage frequency or a mode of containment failure whose consequences or frequency have a severe impact on offsite releases was used to identify vulnerabilities; and (2) immediate

action would be taken for major vulnerabilities while action on lesser vulnerabilities would be taken on a cost-benefit basis.

No major vulnerabilities were identified in the D.C Cook IPE.

Based on the review of the D.C~ Cook IPE submittal and associated documentation, the staff finds the licensee's IPE conclusion reasonable that no fundamental weakness or severe accident vulnerabilities exist at D.C.

Cook Although the staff has concerns regarding the HRA portion of the

IPE, based on the sensitivity analyses performed by AEPSC, the staff believes that significant vulnerabilities were not overlooked.

The licensee has indicated its intention to revise the HRA; these modification include: (I) human reliability action pecific to sequences, (2) dependence

modeling, (3) performance shaping factor in diagnosis, (4) explicit consideration of time, (5) consistent use cf second person

checking, and (6) training performance shaping factors.

The staff agrees that these modifications will significantly improve the HRA.

2.

Front-End Anal sis and Deca Heat Removal Evaluation The staff examined the IPE front-end analysis for completeness and consistency with acceptable PRA practices.

Based on the IPE description and licensee's response to the staff's questions, the staff finds the employed methodology clearly described and justified for selection.

The chosen methodology, as summarized below, is consistent with methods identified in Generic Letter 88-20.

The front-end IPE analysis employed the small-event-tree, large-fault-tree methodology and utilized the GRAFTER and WLINK computer codes for core damage quantification.

The licensee's IPE process identified 16 initiator groups.

The licensee searched for plant-specific initiators (e.g.,

steam generator overfill) and dual unit initiators (loss of offsite power and loss of instrument air) using actual plant experience.

Additional initiators were identified and evaluated during the fault tree systems analysis phase.

The IPE employed Updated Final Safety Analysis Report core cooling information to establish plant-specific success criteria for the major initiating event groups.

Generic initiating events were found to be consistent with those generated by other PRAs and NUREG/CR-2300.

Systemic event trees were developed for each unique initiating group, with event tree top logic linked to system failure criteria.

In general, the staff audit found the D.C.

Cook IPE event trees and special event trees consistent with regard to the initiating events, associated success criteria, and dependencies between top events.

The front-end and back-end interface was accomplished in a two step process.

Applicable containment protection systems were incorporated into the front-end event trees.

These accident sequences (or damage states) serve as the

,initiators for the containment event tree (CET).

Accident sequences were binned into damage states according to initiator, reactor system pressure and the status of containment and containment protection systems at the onset of core damage.

The damage states are found to account for pre-existing conditions that would impact the back-end analysis and are consistent with current PRA practices.

The IPE analyzed front-line and support systems

consistent with other PRAs.

System dependencies and dependencies due to asymmetries were explicitly treated in the systems analysis.

The D.C.

Cook IPE utilized both generic data and plant-specific data for quantification.

Mean values were employe'd.

Data analysis included both classical statistics and Bayesian

updating, the latter applied in situations where limited failure data existed.

Plant-specific data was used for selected initiating events, component failure rates, exposure

times, and test and maintenance unavailabilities.

Plant-specific data has been based on operating experience which extends from 1/83 to 8/89.

The IPE screened for significant common cause failure (CCF) events using the multiple greek letter approach and were classified using EPRI NP-3967.

Common cause factors were determined as a step in the data analysis utilizing generic data available from RMOI Guidebook 2, Westinghouse.

The CCFs are consistent with those reviewed by NRC for other PRAs.

The IPE did consider the effects of severe environments on essential equipment and identified equipment which could be potentially affected.

The licensee's IPE flood analysis employed a screening evaluation using details developed as part of Appendix R-related activities to identify flood zones.

The analysis identified significant flood or spray sources, and flow paths and determined their impact on components critical to safe shutdown.

The IPE estimated the core damage frequency from internal flooding to be less than 2E-7/yr and involved an essential service water discharge line break.

The turbine building subbasement becomes flooded which fails the nonessential service water pumps causing failure of plant and control air compressors.

Based on the review of the internal flood analysis, the staff finds the IPE flood assessment consistent with the intent of Generic Letter 88-20.

The IPE identified the dominant accident sequences in accordance with Appendix 2 to Generic Letter 88-20.

Small loss of coolant accident (LOCA) sequences dominate the core damage frequency with a 47% contribution; loss of component cooling water (CCW) and steam generator tube rupture contribute 22%

and 11%, respectively; and other LOCAs, anticipated transients without scram, station blackout, other transients, and interfacing LOCA's contributing from 7% to much less than 1%, respectively.

The IPE estimated the core damage frequency at 6.26E-5/yr.

The IPE identified emergency core cooling system (ECCS) failure (caused by CCF of safety injection pumps and by failure of the engineered safety features to actuate the ECCS) as the significant contributor to core damage.

In accordance with the resolution of USI A-45, the licensee performed an examination of D.C.

Cook to identify decay heat removal (DHR) vulnerabilities The results of the

'IPE provide indications of the importance of the systems that provide the DHR function as a response to the initiating events postulated in the IPE.

The following system features were considered in the DHR evaluation:

~

The auxiliary feedwater (AFW) system, consisting of two motor driven pump trains each capable of feeding two steam generators and a turbine

driven pump train capable of feeding four steam generators, was credited.

In addition, the capability of cross-tieing the opposite unit's motor driven pumps was included in the analysis.

~

An alternate feedwater f)ow path to the steam generators via the main feedwater pumps was credited in the analysis.

~

The plant has a bleed and feed cooling capability using the charging and safety injection pumps (HP2) through the power operated relief valves (PORVs).

Two of three pressurizer PORVs are required for the bleed operation to prevent reactor coolant system (RCS) overpressurization.

Although one of two charging pumps and one of two safety injection pumps was modeled in the quantification, only one of four is needed for the feed operation.

~

The recirculation phase was credited in the analysis that involves either high head recirculation or low head recirculation for maintaining the plant in a long-term stable condition for sequences with the RCS pressure either above the residual heat removal (RHR) pump shutoff head or below the RHR pump shutoff head, respectively.

The high pressure recirculation (HPR) system consists of the two safety injection pumps and two charging pumps and requires suction from the RHR pumps, The low pressure recirculation system consists of two RHR pumps.

The IPE and the response to staff's questions provide an indication of the importance of the systems supporting the DHR function.

In general, AFW, bleed and feed or RHR will be used for DHR.

Overall, the licensee has identified the DHR sequences that have been found to have a core damage frequency estimate of more than lE-6/reactor year and include the following:

~

Small LOCA followed by HPR failur'e due to CCF of the high pressure system during recirculation phase.

~

Small LOCA followed by HP2 failure due to CCF of the high pressure system during injection phase.

~

Loss of CCW followed by HPR failure due to-CCF.

~

Medium LOCA followed by HPR failure due to CCF.

The dominant contributors to the DHR function include CCF of the

HPR, HP2 and engineered safety features actuation system signals.

As noted previously, station blackout was estimated by the licensee to be a

very small contributor (1.8%) to potential core damage.

Loss of offsite power only contributed 0.28% to CDF.

The licensee assumed an initiating event frequency of 4.0E-2 per year for loss of offsite power.

This is an order of magnitude lower than the contribution assumed by many licensees.

The licensee stated that "the loss of offsite power was determined from a detailed study of the AEPSC (American Electric Power Service Corporation) grid reliability."

In their summary of the IPE results, the

licensee stated that "the extremely reliable electric power grid of which Cook Nuclear Plant is a part, greatly influenced the initiating event frequencies for the Loss of Offsite Power and Station Blackout events, thus directly influencing their small contributions to core damage frequency."

Based on the licensee's submittals for the Station Blackout Rule, the staff accepted this underlying basis for the Cook IPE.

The staff notes that other licensees in the "Pl" offsite power classification group (the most reliable classification) assumed higher initiating event frequencies for loss of offsite power and station blackout.

The Cook IPE considers that essential service water (ESW) and component cooling water (CCW) systems as key support systems whose failure would lead to the loss of RCP seal cooling, causing a small LOCA.

The loss of ESW leads to the loss of CCW, which in turn leads to the loss of cooling to the SI pumps, charging pumps and the RCP thermal barriers.

With the RCP seal support systems unavailable, leakage of RCS fluid through the RCP seals will occur without makeup capability.

The licensee used the Westinghouse Reactor Coolant Pump (RCP) seal LOCA methodology to model RCP seal LOCAs.

(The licensee did not propose to use the IPE to resolve GI-23.)

The RCP model considers the probability of immeuiate catastrophic failure resulting in a 480 gpm leak rate per RCP.

The RCP seal LOCA model conservatively assumes catastrophic leakage occurs at all RCPs at the same time.

This is followed by a seal leak rate model probability distribution of increasing RCP 0-ring leakage over time.

The leak rates range from an initial value of 21 gpm up to 480 gpm per pump.

This model determines the probability of core uncovery, which likewise increases over time.

Thus, at the time AC power is restored and ESW and CCW are recovered, the probability of core uncovery from RCP seal leakage is evaluated.

If the core has uncovered, core damage is assumed.

If the core is not uncovered, then core damage can be prevented if subsequent recovery actions are successful.

As discussed initially, small LOCA, Loss of Component Cooling Water and Steam Generator Tube Rupture are the top three contributing accidents to CDF with contributions of 47.3%,

22. 1% and 11.3%, respectively.

The loss of CCW event was dominated by three sequences.

Operator failure to trip the RCPs after losing seal cooling when RCP seal temperatures rise above safe limits (thus leading to gross seal failure) contributes 18% of the overall CDF with an estimated contribution of 1. 18E-5.

As one of the identified plant improvements resulting from the IPE, the licensee revised the Emergency Operating Procedures (EOPs) to add emphasis on monitoring RCP seal temperature and further guidance on tripping the RCPs.

The licensee is also evaluating a procedure to revise the instructions to open the chemical volume and control system (CVCS) cross-tie valve to the opposite unit early in the accident response to provide RCP seal cooling.

In the IPE, only D.C.

Cook, Unit 1 was specifically modeled as the base analysis.

Throughout the IPE, the licensee emphasized that special attention was paid to the consideration of dual unit issues and that "the interactions of the two unit's systems were modeled explicitly,"

"A careful documentation for both unit's systems were performed.

Any key differences were identified and explicitly documented in the system notebooks.

Shared systems were identified, including the degree of sharing and the systems'referential alignments.

Any unit-to-unit cross ties, along with the normal alignment and emergency alignment capabilities were identified."

Plant operating

surveillance and maintenance procedures were reviewed for potential differences.

Data collected to determine the relevant initiating events and the system dependencies were examinated to identify intersystem dependencies between units that could result from particular initiators.

No inter-unit dependencies were identified, which would have had an impact on the internal initiating events analysis.

The treatment of shared systems was discussed in detail in Item II of the licensee's response of February 24, 1993 to the staff's request for additional information.

The staff's assessment is that IPE adequately represents both Cook Nuclear Plant, Units 1

and 2.

The licensee's IPE estimated that interfacing systems LOCAs

( ISLOCA) would have an initiating event frequency of 6.7E-7 per year or about 1% of the CDF.

The ISLOCA system success criteria was described in Table 3. 1-6 of the IPE

~

In item 4 of the licensee's response of February 24, 1993 to the staff's request for additional information, they provided the basis for the initiating event frequencies used for ISLOCAs, which pressure boundaries were evaluated and the postulated event progression.

The licensee's assessment of ISLOCAs appears reasonable.

The licensee used several means to assess what success criteria to use in determining whether or not plant systems achieved their intended function as well as success criteria for system and operator performed actions.

For some accident scenarios, the licensee used the Modular Accident Analysis Program (MAAP) along with other available information to assess plant response.

The MAAP Code was not used extensively in all of these evaluations, and the code's use was typically limited to timing or sensitivity studies to better understand the phenomenon.

Table 4.7-4 of the IPE lists the phenomena identified for sensitivity analysis, the analyses performed to address the corresponding phenomena and related MAAP parameters for sensitivity runs.

Table 4.7-5 lists the suggested values of MAAP parameters according to EPRI TR-100167 in consideration of uncertainties in the parameters themselves or uncertainties in the use of those parameters.

The staff finds the licensee's front-end IPE analysis essentially

complete, with documentation consistent with the information requested in NUREG-1335

[Table 2. 1, Standard Table of Contents of Utility Submittal, Sections 2 and 3, front-end only].

The IPE submittal contains a

summary description of the licensee's participation in the systems analysis and subsequent in-house peer review of the final product.

The staff notes that an extensive peer review was performed and that utility personnel were substantially involved in the IPE process.

In addition, the licensee intends to continue the process and maintain the IPE as a "living document."

Based on the IPE description and the licensee's response to questions, the staff finds the licensee's IPE methodology clearly described and justified in its submittals.

Based on the staff's review of the front-end analysis and the staff's findings that the employed analytical techniques are capable of identifying potential core damage vulnerabilities, the staff finds the D.C.

Cook IPE front-end analysis meets the intent of Generic Letter 88-20.

3.

Back-End Anal sis and Containment Performance Im rovements Evaluation The staff examined the IPE back-end, or Level 2, containment performance and source term analysis for completeness and consistency with the practices summarized in Generic Letter 88-20, Appendix 1.

The licensee's approach involved key phenomena and processes that could occur during the evolution of severe accidents in the D.

C.

Cook containment and evaluated the impact on containment and containment system performance.

The licensee used Revision 17.02 of the Modular Accident Analysis Program (HAAP) 3.0B code to model the containment thermal response and fission product behavior.

The IPE examined each of the failure modes and mechanisms listed in NUREG-1335, Appendix 2, Table 2.

D.

C.

Cook is an ice condenser containment structure of reinforced concrete with a steel liner.

The licensee used plant-specific structural analyses to determine containment failure pressure,

location, and size.

The licensee developed a plant-specific probability distribution for the likelihood of containment failure over the range of failure pressures.

A mean failure pressure of 36 psig was estimated with the dominant failure mode from overpressure resulting in bending shear failure in the concrete basemat adjacent to the containment wall with an equivalent size of 0. 17 ft2.

The risk assessment methodology used by the licensee addressed the interface between the Level 1 front-end systems analysis and the Level 2 entry condition by identifying those Level 1

and Level 2 parameters that are key to modeling accident progression.

Level 1 sequences having a similar effect on plant performance were binned into groups or plant damage states that represented similar status of the reactor, containment, and associated cooling systems.

These states were systematically analyzed by the use of CETs that provided a

structure for assessing accident progression.

The CET accident sequences for each initiator group were classified into one of six plant damage groups.

A representative sequence from each group was analyzed for fission product behavior.

The CET analysis included the assessment of containment isolation failure, and dominant contributors to containment isolation failure.

A screening criteria was used to assess the 98 fluid system penetrations and two access hatches.

Host lines were eliminated from consideration as a result of this screening criteria.

Purge and vent valves were also judged to have a low probability oF leaking in a post accident environment despite their low operating pressure (approximately 0.5 psig).

Lines remaining from this screening process were modeled in the containment isolation fault tree.

The largest contributor to containment isolation failure involved common mode failure of valve operation and isolation signal generation.

The next most significant failure mode was human error failure to maintain closed the administratively controlled

.penetrations.

The analysis considered penetration elastomer seal material and its potential susceptibility to prolonged high temperature.

Thermal attack on seal penetrations was assumed to not be a threat because:

(1) the expected gas temperatures would not exceed the design limits of the non-metallic seals, (2) no standing hydrogen flames would exist near penetrations, and (3) no core 10

debris would come in contact with penetrations.

Vessel thrust forces were also concluded not to challenge containment integrity because the forces resulting from vessel failure would be insufficient to lift the vessel.

In

addition, the containment design is such that the forces would not be transmitted to the containment structure.

The IPE characterized containment performance for each of the CET end-states by assessing containment loading.

The CETs were quantified and identified probable potential containment failure mechanisms.

However, some of the potential comtainment failure modes listed in NUREG-1335, Table A.4, were not included in the CET, but were addressed by phenomenology reports (discussed below) by the consultant, Fauske and Associates.

Using the combination of CET results and phenomenolgy reports, the Level 2 process determined the conditional containment failure probabilities and containment failure modes as identified in Generic Letter 88-20, Appendix 1, and NUREG-1335.

For example, the licensee concluded that the resultant pressure increase from direct containment heating (DCH) and steam explosions would not threaten containment integrity.

Core-concrete interaction was concluded to result in basemat meltthrough, however, it occurred well beyond 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> so that containment failure would have already occurred as a result of overpressurization.

Phenomenological uncertainties were addressed qualitatively in the D.C.

Cook IPE submittal and were based on technical position papers generated by Fauske and Associates which included a literature search as part of the basis for the positions taken.

A~

a result of these evaluations, the licensee concluded that the following phenomena would not cause containment, failure:

DCH, thrust forces at vessel failure, in-vessel steam explosions, molten core concrete interactions, and hydrogen detonation.

Despite these considerations, differences of varying degree exist between the D.C.

Cook treatment of certain phenomena and that of other ice condenser plants.

For instance, based on small scale experiments performed by Fauske and Associates, the licensee concluded that direct containment heating (DCH) would not occur and consequently no containment failure would result from it.

This conclusion resulted in the elimination of early containment failure from the IPE results.

Other ice condenser analyses

however, such as NUREG-1150, do point to the possibility of early containment failure from high pressure melt ejection induced DCH.

For example, NUREG-1150 examined the containment performance of the Sequoyah ice condenser containment.

It found that there was a

7 percent conditional probability of containment failure due to effects such as hydrogen combustion,

DCH, and debris contact with the containment wall.

Although the licensee found no basis to conclude that high pressure early containment failure effects are likely at D.C.

Cook and the staff does not disagree, we believe that the licensee would benefit by including the issue of primary system depressurization in future accident management studies.

The Level 2 process determined the conditional containment failure probabilities and containment failure modes consistent with those identified in Generic Letter 88-20, Appendix 1, and NUREG-1335.

Containment failure was concluded by the licensee to be exclusively dominated by overpressurization, therefore, no containment-matrix was provided.

11

The following conditional failure probabilities were estimated:

Early Containment Failure

0.0 Late Containment Failure 0.033 Containment Bypass 0,12 No Containment Failure 0.85 The events driving the relative contribution to containment failure include containment bypass and late containment failure by overpressurization.

The major contributor to containment bypass involves steam generator tube rupture Failure to inject from the reactor water storage tank and failure to align recirculation are primary contributors to containment overpressure'ailure.

Using the Level 2 analysis the licensee addressed the Containment Performance Improvements (CPI) program issues for ice condenser plants.

For ice condenser plants, this consists of performing an evaluation of the need for back-up power to the hydrogen igniters.

The licensee examined three sequences (two station blackout and one loss of off site power) as bounding cases.

Without power available, these sequences indicate that the hydrogen inventory can easily accumulate to combustible levels.

To assess the effect of hydrogen combustion, all cases were first run using MAAP 3.0B with hydrogen burns suppressed to determine the maximum levels attainable in the upper compartment.

Once these levels were determined HAAP was again run allowing combustion to occur via an assumed ignition source following vessel breach an before ice depletion to preclude a steam inerted containment.

Using the containment failure pressure criteria discussed

above, one of the station blackout sequences resulted in containment failure at approximately 16 hours1.851852e-4 days <br />0.00444 hours <br />2.645503e-5 weeks <br />6.088e-6 months <br />.

Based on rationale provided in the IPE submittal, the licensee concluded that this sequence was not indicative of an early containment failure, and therefore, would not be considered as such.

In addition, the licensee evaluated the possibility of hydrogen detonation resulting from the phenomena known as deflagration to detonation transition in the ice condenser plenum and the steam generator doghouses and again concluded that this phenomena is very unlikely.

As pointed out above, the staff concludes that these results may not be entirely consistent with results obtained from other sources such as NUREG-1150 and other IPEs.

For

example, NUREG-1150 estimated late containment failure at a conditional probability of 21 percent versus only 3.3 percent in the D.C.

Cook IPE, both owing to basemat meltthrough.

Nevertheless, the staff believes the licensee has demonstrated an understanding of the phenomena involved, especially in regards to their responses to staff's questions, and has examined these effects in relation to the containment response of D.C.

Cook.

The overall assessment found that the licensee made reasonable use of back-end techniques in performing the back-end analysis, and that the implementation of the techniques employed are capable of identifying severe accident vulnerabilities.

It must be noted, however, that the D.C.

Cook containment event tree did not include important phenomena which were addressed in the Fauske position papers, such as molten core concrete interactions, and 12

therefore did not consider, to a large extent, the effect of uncertainties associated with these phenomena within the event trees.

Despite the aforementioned limitation, the staff concludes that the licensee's back-end IPE process, including the licensee's response to the CPI program recommendations (Supplement 3 '6f Generic Letter 88-20), is consistent with the intent of Generic Letter 88-20.

4.

Human Factors Considerations The staff examined the IPE HRA for completeness and consistency with acceptable PRA HRA practices.

The IPE submittal and associated documentation is essentially complete with respect to the type of information and level of detail requested in NUREG-1335;

however, the staff has several reservations in regards to the application of the HRA method used in the D.C.

Cook IPE.

Although the staff has concluded that the licensee has identified the more likely contributors to core

damage, there are several significant weaknesses with the HRA portion of the IPE that will prevent its future use.

The licensee identified and modeled two types of operator tasks, activities that disable a system (i.e., pre-initiator human events) or activities that are needed during an accident for mitigation (i.e., post-initiator human events),

The actions were modeled in either the event trees as a top event or in the fault trees as a basic event.

The. error probabilities were estimated using THERP by applying plant-specific shaping factors to generic human error probabilities (HEPs).

The licensee reviewed plant operating procedures, emergency procedures and interviewed plant personnel.

In evaluating pre-initiator human events, the licensee evaluated generic human events (e.g.,

manual valve restoration after test and maintenance).

While AEPSC indicated that system-specific or component-specific procedures do not exist for D,C.

Cook, the actual practices were not examined as part of the evaluation.

The process by which the maintenance or test activity is implemented, will determine if there are practices that are creating the potential for leaving a system (or component) in an undetected, disabled state.

Therefore, routine personnel activities need to be examined.

Although AEPSC did examine the generic procedures, the staff finds the lack of examination of the "implementation" or "practices" as a weakness in the pre-initiator HRA.

In reviewing the post-initiator HRA of the D.C.

Cook IPE, the staff finds several significant weaknesses with AEPSC's application of the HRA model in using the THERP process, and with AEPSC's treatment of time available for operator action.

Since the licensee stated that the HRA was based on THERP, the staff had the HRA portions of the Cook IPE reviewed by a contractor knowledgeable regarding THERP (Alan D. Swain).

This assessment is documented in a report entitled "Evaluation of Cook IPE/HRA Materials," dated December 5,

1994.

AEPSC employed a fault-tree approach to analyze the post-initiator human events.

While this approach is not incorrect, it is difficult for an analyst to properly account for the dynamic, sequential t'ime dependent nature of the 13

human performance.

This difficulty is seen in AEPSC's misapplication of

THERP, inadequate justification of the performance shaping factors (PSFs),

and improper consideration of such items as dependency and conditionality in operator performance.

Misapplications are seen with the treatment of "diagnosis."

The diagnosis values in the D.C.

Cook IPE are primarily based on Tables 12-4 or 11-13 from

THERP, It is clearly stated in THERP that, in using Table 12-4, "this model pertains to the control room crew rather than to one individual."

Therefore, the values in this model include other activities that would aid in the diagnosis.

In the D.C.

Cook IPE, although the quantification of specific diagnose events do not include other "recoveries,"

the quantification of the overall HRA model results in a recovery being inappropriately applied to the diagnostic portion.

Examples:

In the quantification of "Operator Fails to Restore Control Air Through Use of the Plant Air Compressor During Loss of Offsite Power," the event gl (i.e., Operator Fails to respond to a compelling signal within 10 min and diagnose the need to start plant air compressor) is reduced by event g6 (i.e., Operator fails to notice lack of compressed air through subsequent mitigating actions).

In the quantification of Primary Feed and Bleed, the event PBF-SGALARM-HE (i.e., failure to responded to SG low-low-level annunciator) is reduced by the event PBF-DIAG-MN-HE (i.e., failure to diagnose within 30 minutes of a compelling signal).

It is also clearly stated in THERP for Table 11-13 that "the HEPs include the effects of stress and should not be increased in consideration of stress effects."

In the D.C.

Cook HRA, the HEPs for operator failing to respond to annunciator are frequently modified for stress.

AEPSC in quantifying the HEPs modified the basic HEP by applying PSFs.

Some of these PSFs included: training, memorization, cautions in EOPs, control room indication, controls clearly marked, trained in entering EOPs, multiple support indication/instrumentation.

In the quantification of the

HEPs, the basic HEP for a single operator activity is modified by one or more of these

PSF, or a

PSF is applied more than once; therefore, the basic HEP is general reduced at least two orders of magnitude.

For example, the event "Operator Fails to Restore Control Air Through Use of the Plant Air Compressor During Loss of Offsite Power" is comprised of six separate operator activities.

The basic HEP of each activity is reduced by the PSF of "training" with a value of

0. l.

However, in the quantification of this event, several of these HEPs are multiplied together so that instead of 0. 1 being credited for training, a

reduction of 0.001 is realized.

The staff recognizes that training, etc.

provides positive assistance to the operator (i.e., decreases the likelihood of failure); however, AEPSC has attempted to discretize the actual contribution of each factor that is not justified and that is beyond the current state-of-knowledge.

Although AEPSC states that dependencies were accounted for in the HRA, this statement is not reflected in the quantification and integration of the HEPs

into the accident sequences (as reported in the IPE submittal).

For example, the HEPs of operator actions OA6 (RCS cooldown using AFW and steam dump) and PBF (primary bleed and feed) are multiplied together with a combined value of 2E-8.

The licensee treats them independently because they are "not influence by stress" once the diagnose is complete.

Factors such as control room interaction and communicationl"operator location and responsibility, other operator activities, do not appear to be considered.

Therefore, AEPSC assumes that what has preceded in the accident has no influence on operator performance.

The staff disagrees with this assumption and finds it as a

significant weakness.

The last major weakness in the D,C.

Cook IPE HRA is the mistreatment of time in applying the THERP process.

AEPSC considered four times:

Success time defined as the total time from when reactor conditions indicate the need for an action to the time when the action needs to be completed for success.

Diagnosis time that is assumed to be the same's the success time.

~

Action time that is stated to be "usually small compared with the success time,...

and can be ignored in the analysis."

~

Recovery time as the time spent by the Shift Technical Advisor whose function is available over the entire success time.

If the d'iagnosis time is assumed the same as the success

time, and since success time is that time by when the action needs to be completed for

success, there is, therefore, no time remaining for the operator to successfully complete the action.

For example, for operator task of "Unit 2 AFW Crosstie,"

30 minutes is stated for success

time, 30 minutes for diagnosis

time, and 30 minutes for action time.

If only 30 min is available by when the operator must complete the task to succeed, and if it takes the operator 30 minutes to perform the action, then 30 minutes is not available for the operator. to diagnose the need for this action.

This mistreatment of time in the HRA is a significant weakness in the HRA.

The staff believes that the above identified weaknesses have resulted in the very low HEPs quantified in the D.C.

Cook IPE.

As a result of the staff site

visit, AEPSC conducted several sensitivities to indicate that major vulnerabilities were not overlooked.

These sensitivities included:

~

Core damage frequency requantified where all the HEPS less than lE-3 were increased to 1E-3.

~

Core damage frequency requantified where each HEP was increased by a

factor of 10.

The results of the sensitivities indicate that, although the CDF was increased to 9.2E-5 and 1.69E-4 per year, respectively, major contributors to core damage were not overlooked.

That is, as a result of the sensitivities, new dominant accident sequence and dominant contributors did not appear, and the 15

relative ranking of the dominant accident sequences and dominant contributors did not change.

Based on these sensitivities, the staff concludes that no significant vulnerabilities were overlooked.

Nonetheless, the staff believes the weaknesses in the D.C.

Cook HRA will substantially limit any future use.

AEPSC has,

however, indicated its intention to revise the HRA with regard to the following: (1) human reliability action specific to sequences, (2) dependence

modeling, (3) performance shaping factor in diagnosis, (4) explicit consideration of time, (5) consistent use of second person

checking, and (6) training performance shaping factors.

While the staff agrees with AEPSC intended modifications to the HRA, these revisions need to address the specific issues raised above.

The staff also encourages AEPSC to perform an independent peer review by HRA experts to ensure that the HRA techniques are correctly applied.

5.

Licensee Actions and Commitments from the IPE The licensee identified no major severe accident vulnerabilities that required immediate corrective action.

AEPSC is, however, currently investigating possible modifications to procedures and components that were dominant contributors to core damage frequency and containment failure and include the following:

~

Added emphasis on reactor coolant pump seal temperature in the emergency operating procedures.

~

Instruction to open the CVCS crosstie valve to the opposite unit early in the accident response.

~

Hodifications to the compressed air system to increase the capacity of the system.

~

Operator training on the impact of primary and secondary system heat removal on containment pressure response and the possibility of containment failure preceding core melt.

In addition, procedural upgrades will be considered to minimize the possibility of such si,tuations arising.

~

Hodifications to the EOPs to instruct the operators to maintain feedwater flow to the faulted steam generator during a steam generator tube rupture event when secondary side integrity can not be maintained.

~

Operator training on the importance of a wet reactor cavity on potential fission product releases.

Although the IPE review team did not examine the above items in detail, the staff notes that the licensee is applying the IPE findings to enhance plant safety.

The staff finds the above actions reasonable.

The staff also believes that the licensee's proposed

actions, in response to the core damage and containment failure contributors, are consistent with the intent of Generic Letter 88-20.

In addition, the staff notes AEPSC's intention to revise the HRA and to maintain the IPE as a "living" PRA.

16

III.

CONCLUSIONS The staff finds the licensee's IPE submittal for internal events including internal flooding essentially

complete, with the level of detail consistent with the information requested in NUREG-1335 'ased on the review of the submittal and the associated supporting information, the staff finds the licensee's IPE conclusion that no fundamental weakness or severe accident vulnerabilities exist at D.C.

Cook as reasonable.

The staff notes the following:

(1)

AEPSC personnel were involved in the development and application of PRA techniques to the D.C.

Cook facility and that the associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represents the as-built, as-operated plant.

(2)

The front-end IPE analysis appears

complete, with the level of detail consistent with the information requested in NUREG-1335.

In addition, the employed analytical techniques are consistent with other NRC reviewed and accepted PRAs and capable of identifying potential core damage vulnerabilities

~

(3)

The back-end analysis qualitatively addressed the most important severe accident phenomena normally associated with ice condenser containments.

The techniques employed in the back-end analysis, although limited in not allowing for significant phenomenological sensitivity studies, are capable of identifying severe accident vulnerabilities.

(4)

The HRA has significant weaknesses; however, sensitivities performed by AEPSC indicate that significant vulnerabilities were not overlooked.

(5)

Based on the licensee's IPE process used to search for DHR vulnerabilities, and review of D.C.

Cook plant-specific features, the staff finds the licensee's DHR evaluation consistent with the intent of the USI A-45 (DHR reliability) resolution.

(6)

The licensee's response to CPI program recommendations, which include searching for vulnerabilities associated with containment performance during severe accidents, is reasonable and consistent with the intent of Generic Letter 88-20, Supplement 3.

In addition, the staff believes that, although the licensee's peer review process provided assurance that the IPE effort had been properly documented, the review process did not assure that the IPE analytic techniques had been correctly applied as noted by the staff's findings regarding the weaknesses of the HRA.

The staff encourages

AEPSC, as part of their intended revision to the HRA, to perform a independent peer review that includes HRA experts to ensure that HRA techniques are correctly applied in the revision.

Based on the above findings, the staff concludes that the licensee has demonstrated an overall appreciation of severe accidents, has an understanding of the most likely severe accident sequences that could occur at the D.C.

Cook facility, has gained a quantitative understanding of core damage and fission 17

product release, and has responded appropriately to safety improvement opportunities.

The staff, therefore, finds the D.C.

Cook IPE process acceptable in meeting the intent of Generic Letter 88-20.

The staff notes, however, that the licensee intends to update its IPE by revising its HRA.

This update, provided it properly addresses the staff's concerns, will significantly increase the future usefulness of the licensee's IPE in other applications.

18

APPENDIX D.C.

COOK DATA

SUMMARY

SHEET*

( INTERNAL EVENTS)

~

Total core damage frequency (CDF): 6.26E-5/Year

~

Major initiating events and contribution to CDF:

Small LOCA Loss of CCW SGTR Medium LOCA ATWS SBO Large LOCA Loss of Essential service water Loss of 250 VAC power Steam line break Reactor vessel failure Contribution 47%

22%

11%

7%

5%

2%

2%

1%

1%

1%

<1%

Major contributions to dominant core damage sequences:

Failure of ECCS during cold leg injection on small LOCA.

Failure of ECCS during recirculation phase on small LOCA.

Functional failures to cool RCS followed by failure to initiate primary feed-and bleed cooling on small LOCA.

Hardware or common mode failure of compressed air system and failures of ESF signals after

SGTR, Major operator action failures:

Operator failure to trip RCP after loosing seal cooling from CCW.

Failure to initiate feed-and-bleed cooling on small LOCA.

Operator error resulting functional failure to restore reactor inventory after CCW was restored.

Operator failure to cross-tie AFWS.

Operator failure to establish an alternate feedwater flow to the steam generator via the main feedwater after failing to cross-tie the AFWS.

19

Conditional containment failure probability given core damage:

No containment Failure Containment Bypass Overpressure Containment Failure Isolation Failure 85/

11%

3%

0.01%

Significant IPE findings:

No vulnerability was identified as per the screening criteria (Screening criteria per Generic Letter 88-20, Appendix 2).

Important plant hardware characteristics:

The ability to cross-tie from the opposite unit:

Auxiliary feedwater systems Component cooling water systems Essential service water systems The common cause failure of high head recirculation system.

Potential improvements under evaluation:

Emergency operating procedure on RCPs on loss of CCW and ESW.

Cross-tie procedure of CVCS unit cross-tie valve to protect against RCP seal LOCA.

ModiFication of compressed air system.

Operator training on dominant contributor to CDF.

Revisions to EOPs

• Information has been taken from the D.C.

Cook Unit 1 and 2

IPE and has not been validated by the NRC staff.

20

SUMMARY

OF THE D.C.

COOK UNITS I AND 2 INDIVIDUAL PLANT EXAMINATION (IPE)

SUBMITTAL ON INTERNAL EVENTS Enclosure 2

Summar of the D.C.

Cook Individual Plant Examination Submittal on Internal Events and Internal Floodin The U.S. Nuclear Regulatory Commission staff completed its review of the internal events portion of the D.C.

Cook Units I and 2 Individual Plant Examination (IPE) submittal and associated information.

The latter includes licensee responses to staff generated questions seeking clarification of the licensee's process.

No specific unresolved safety issues (USIs) or generic safety issues were proposed for resolution as part of the D.C.

Cook IPE.

The American Electric Power Service Corporation (AEPSC) personnel maintained involvement in the development and application of probabilistic risk assessment techniques to the D.C.

Cook facility.

The staff notes that virtually all of the plant departments provided input to the IPE.

The licensee used the following criteria for the screening of vulnerabilities (I) safety and non-safety related component failure that have a significant impact on core damage frequency, (2) operator actions whose failure has a

significant impact on core damage frequency, and (3) a mode of containment failure whose consequences or frequency of occurrence have a sever impact on offsite releases.

Based on these guidelines, the licensee did not identify any major vulnerabilities with respect to core damage or containment performance.

Regarding the human reliability analysis (HRA) portion of the IPE, the staff identified several significant weaknesses with AEPSC's application of the post-initiator HRA model in using the THERP process and with AEPSC's treatment of time.

The licensee's model (a fault tree approach) resulted in incorrect applications of THERP values.

For example, the diagnosis model in THERP pertains to the entire control room crew;

however, diagnosis events are reduced by other "recoveries" which is inappropriate.

Performance shaping factors were discretized to a level that is not justified and beyond the current state-of-knowledge, and therefore, over credited.

Dependencies and conditionalities are not considered, therefore, operator performance is assessed independent of the accident sequence.

The time available to the operators versus the time required to diagnose and perform the necessary activities are not appropriately treated.

These various weaknesses resulted in the very low human error probabilities (HEPs) seen in the D.C.

Cook IPE.

As a result of the staff site visit, AEPSC conducted several sensitivities to indicate that significant vulnerabilities were not overlooked.

The HEPs were increased and the core damage frequency (CDF) requantified.

Although the CDF increased, new dominant accident sequences and contributors did not appear an the relative ranking of accident sequences and contributors (i.e.,

contribution) did not change.

Based on these sensitivities, the staff has concluded that significant vulnerabilities were not overlooked.

However, the staff believes these weaknesses in the HRA will substantially limit any future use of the IPE.

The licensee has noted its intention to revise the HRA with regard to the following: (I) human reliability action specific to sequences, (2) dependence

modeling, (3) performance shaping factor in diagnosis, (4) explicit

consideration of time, (5) consistent use of second person

checking, and (6) training performance'haping factors.

Based on the review of the D.C.

Cook IPE submittal and associated documentation, the staff concludes that the licensee has met the intent of Generic Letter 88-20.

In addition, the licensee intends to maintain a

"living" PRA.

The licensee's IPE results are summarized below:*

Plant type:

Westinghouse 4-loop PWR Containment type:

Ice Condenser Total core damage frequency (CDF):

6.26E-5/Year Najor initiating events and contribution to CDF:

Initiator Contribution Small LOCA Loss of CCW SGTR Nedium LOCA ATWS SBO Large LOCA Loss of Essential service water Loss of 250 VAC power Steam line break Reactor vessel failure 47%

22%

11/

7%

5%

2%

2%

1%

1%

1%

<1%

Najor contributions to dominant core damage sequences:

Failure of ECCS during cold leg injection on small LOCA.

Failure of ECCS during recirculation phase on small LOCA.

Functional failures to cool RCS followed by failure to initiate primary feed-and bleed cooling on small LOCA.

Hardware or common mode failure of compressed air system and failures of ESF signals after SGTR.

Najor operator action failures:

Operator failure to trip RCP after loosing seal cooling from CCW.

Failure to initiate feed-and-bleed cooling on small LOCA.

Operator error resulting functional failure to restore reactor inventory after CCW was restored.

Operator failure to cross-tie AFWS.

Operator failure to establish an alternate feedwater flow to the steam generator via the main feedwater after failing to cross-tie the AFWS.

Conditional containment failure probability given core damage:

No containment Failure Containment Bypass Overpressure Containment Failure Isolation Failure 85/

11%

3%

0.01%

Significant IPE findings:

No vulnerability was identified as per the screening criteria (Screening criteria per Generic Letter 88-20, Appendix 2).

Important plant hardware characteristics:

The ability to cross-tie from the opposite unit:

Auxiliary feedwater systems Component cooling water systems Essential service water systems The common cause failure of high head recirculation system.

Potential improvements under evaluation:

Emergency operating procedure on RCPs on loss of CCW and ESW.

Cross-tie procedure of CVCS unit cross-tie valve to protect against RCP seal LOCA.

Hodification of compressed air system.

Operator training on dominant contributors to CDF.

Revisions to EOPs

• Information has been taken from the D.C..Cook Unit 1 and 2 IPE and has not been validated by the NRC staff.

l ~

I C~

~