Text

Ipe:Front End Audit.
	ML17349A415
Person / Time
Site:	Turkey Point
Issue date:	12/21/1991
From:	Clark J, Clark R, Darby J; SCIENCE & ENGINEERING ASSOCIATES, INC.
To:	; NRC
Shared Package
ML17349A413	List: ML17349A415; ML17349A417; ML17349A418;
References
	CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-91-553-01-A, SEA-91-553-01-A:1, SEA-91-553-1-A, SEA-91-553-1-A:1, NUDOCS 9210210124
	Download: ML17349A415 (61)
	v • d • e

ENCLOSURE 2

'e SEA 91-553-01-A:1 December 21, 1991 Turkey Paint XPE: Front. End Audit I

Contractor Audit Report NRC-04-91-066, Task 1 Z. L. Darby Z. L. Clark R. A. Clark Science 4 Engineering Associates, Inc.

0 - Prepared for the Nuclear Regulatory Commission 92i02iOi24 92i015 7 08000250 PDR ADOCK P, PD

0 SEA 91-553-01-A:1 TURKEY POINT IPE: FRONT END AUDIT Contractor Audit Report NRC-04-91-066, Task 1 December 21, 1991 John L. Darby James L. Clark Robert A. Clark Science and Engineering Associates, Inc.

e Section Table of Contents Pacae 1.0 Introduction 1.1 SEA Audit Process 1.1.1 Pre-Site Visit Activities 1.1.1.1 Review of FSAR and Tech Specs 1.1.1.2 Kick-Off Meeting at NRC 1.1.1.3 Review of IPE Submittal 1.1.1.4 Review of Answers to Step 1 Questions 3 1.1.1.5 Letter Report ~ 3 1.1.2 Site Visit 3 1.1.2.1 Site Audit Process 3 1.-1.2.2 Horizontal Review 4 1.1.2.3 Selected Vertical Review 4 1.1.2.4 Personnel Interviewed 4 1.1.2.5 Plant Tour 5 2.0 Items of Major Interest 2.1 Items of Concern and Their Resolution 2.1.1 Initiating Events Not Explicitly Considered 2.1.2 Initiating Event Frequencies to be Justified 12 2.1.3 Success Criteria Details 14

2. 1. 4 System Dependencies 16 2.1.5 System Specific Details 17 2.1.6 Event Trees 19 2.1.7 Fault trees 20 2.1.8 Recovery 20 2.1.9 Calculations 20

2. 1. 10 Containment Related 21 2;2 Interface with Human Factors Review 23 2.3 Interface with Back End Review 24 3.0 The TP IPE Front End Per NUREG 1335 24 3.1 Executive Summary 24 3.2 Examination Description 24 3.2.1 General Methodology 24 3.2.2 Information Assembly 24 3.3 Front End Findings 26 3.3.1 Accident Sequence Delineation 26 3.3.1.1 Initiating Events 26 3.3.1.2'ront Line Event Trees 26 3.3.1.3 Special Event Trees 26 3.3.1.4 Support System Event Tree 26 3.3.1.5 Sequence Grouping and Back End Interfaces 26

3. 3. 2 Systems Analysis 27

3. 3.2. 1 System Description 27 3.3.2.2 Fault Tree Analysis 27 11

Section Pacae 3.3.2.3 Dependency Treatment 28 3.3.3 Sequence Quantification 28 3.3.3.1 Generic Data 28 3.3.3.2 Plant Specific Data and Analysis 28 3.3.3.3 Human Failure Data 28 3.3.3.4 Common Cause Failure Data 29 3.3.3.5 Quantification of the Unavailability of Systems and Functions 29 3.3.3.6 Generation of Support System States and Quantification of Their Probabilities 29 3.3.3.7 Quantification of Sequence Frequencies 29 3.3.3.8 Internal Flooding Analysis 29 3.3.4 Results and Screening Process 30 3.3.4.1 Application of Screening Criteria 30 3.3.4.2 Vulnerability Screening 30 3.3.4.3 Decay Heat Removal Evaluation 30 3.4 Back End Findings 30 3.5 Evaluation of Utility Participation and Internal Review Team 31 3.6 Review of Plant Improvements and Unique Safety Features 31 3.7 Review of Summary and Conclusions 32 4.0 Audit Findings 33 4.1 Overall Findings 33

4. 1. 1 Responses to Review Team Questions 33 4.1.2. Unique Features and Plant Characteristics 33

4. 1.3 Limitations and Weaknesses of the TP IPE 33 4.1.3.1 Items That Should Be Addressed by FPL 34 4.1.3.2 Items that Would Enhance the IPE 34 4.2 Significance of Limitations and Weaknesses 35 4.3 Inconsistencieswith Other PRA's 35 4.4 Resolution of Unresolved and Generic Safety Issues 35 I 4.4.1 USI A-45: Shutdown Heat Removal 35 4.4.2 Other Issues Addressed in the IPE 35 4.5 Identified Vulnerabilities and Proposed Fixes 36 4.6 Dominant Contributors to Core Damage 36 4.7 Summary of Audit 36 References 37 Appendix A. SEA Letter Report 38

List of Figures Pacae 1-1 SEA Audit Process for Turkey Point IPE Front End 2 1-2 TP Site Three Dimensional View 6 1-3 TP Site Plan View 7 av

List of Tables

~Pa e

, 2-1 Items of'Concern Discussed with FPL 10 3-1 Standard IPE Table of Contents per NUREG 1335 25

1.0 INTRODUCTION

This introduction section presents the process used by Science and Engineering Associates (SEA) to audit the front end portion of the Florida Power and Light Co. (FPL), Turkey Point (TP) units 3 and 4, Individual Plant Examination (IPE) submittal to the Nuclear Regulatory Commission (NRC) . [TP IPE Submittal] This front end audit focuses on accident sequences leading to core damage, due to internal initiating event's and internal flooding. Audits of the human factors and back end aspects of the TP IPE were'performed by the NRC with contractual assistance from Concord Associates, Inc.,

and Scientech. Inc., respectively.

1.1 SEA Audit Process The audit performed by SEA consisted of two phases. Phase one consisted of information gathering and review of pertinent material therefrom, prior to discussions with FPL personnel during the site visit. Phase two consisted of a site visit to the TP plant, which included detailed discussions with cognizant FPL staff, review of detailed TP IPE documentation beyond that provided in the submittal, and a plant tour.

Figure 1-1 summarizes our front end audit process, as subsequently described in detail.

1.1.1 Pre-Site Visit Activities SEA began work on the TP audit on* September 30. Prior to the site visit, which took place the week of November 18, pertinent information was gathered and reviewed.

1.1.1.1 Review of FSAR and Tech Specs On October 1 and 2, the latest (updated) Final Safety Analysis Report (FSAR) and Technical Specifications (Tech Specs) for TP were reviewed.[FSAR] [Tech Specs] This review was performed at NRC NRR using-up to-date documentation. provided by the NRR Project Manager

'or TP, Mr. Raj Auluck.

f

1. 1. 1. 2 Kick-Of Meeting at NRC On October 3, a project kick-off meeting was held at NRC RES.

During this meeting, chaired by Mr. John Flack of RES, the overall plan for the TP audit was finalized. In attendance at this meeting were members of the review team, including those involved in the Human Factors and Back End audits, as well as those involved in, the Front. End audit.

ACTIVITY, RESULT Gather Information Review FSAR and- List of Items of Interest Tech Specs Based on Plant Design Attend Kick-Off Plan and Schedule Meeting with NRC for Audit Review TP IPE List of Items Interface Issues Submittal and to be Resolved With Human Factors Step 1 Q&As During Site and Back End Visit Audits Letter Report to NRC Prior to Site Visit During Site Visit Generate List of Specific 'Items'o be

'tems'or Resolved Listed and Resolution Distributed Resolve 'Items'ith Cognizant FP Staff, and Check Detailed TP IPE Documentation not in Submittal Tour the Plant(s)

Documentation of Continue to Resolve Resolution of

'Items'. as Necessary All 'Items Figure 1-1. SEA Audit Process for Turkey Point Front End IPE

1.1.1.3 Review of IPE Submittal Between October 4 and November 18, a detailed review of the TP submittal was accomplished. A list of 'Items'o be resolved was prepared. Discussions were held with Mr. James Meyer and Mr. Paul Haas of Scientech and Concord, respectively, regarding front end audit interfaces with tpe Back End and Human Factors audits.

1.1.1.4 Review of Answers to Step 1 Questions Prior to the initiation of this Step 2 audit, the NRC had performed a Step 1 review of the TP IPE. As a result of this Step 1 review, a number of 'Questions'ad been forwarded to FPL, to which the licensee had provided draft 'Answers'. These

'Answers'ere reviewed by us. Some of the 'Questions'overed

'Questions'nd

'Items'dentified in our independent review of the submittal, and those that were adequately addressed in the 'Answers'ere deleted from the list of 'Items'o be resolved.

1.1.1.5 Letter Report The pre-site audit activities were concluded with a letter report dated November 5 to the NRC, attached as Appendix A to this report. This letter report summarized 'Items'o be resolved during the forthcoming site visit. Also, categories of FPL personnel to be interviewed and areas of special interest for the plant tour were identified. Between November 5 and the site visit, details of these 'Items'ere developed more fully.

1.1.2 Site Visit The visit to the TP site took place on November 19, 20, and 21, and a total of two-and-one-half days were spent at the site.

1.1.2.1 Site Audit Process Based on the prior pre-site audit activities, a number of

'Items'ad been identified to be discussed with FPL staff. ofThese

'tems'ere of two types. (1) Items addressing ofthethebreadth submittal the in submittal, and (2) items addressing the depth special areas.

The following process was used to resolve the 'tems'. On the the list of first day, the 'Items'as provided to FPL staff, and they gathered appropriate personnel and detailed TP IPE documentation necessary to resolve the 'Items'. Discussions ensued with the appropriate FPL personnel. All answers provided by the FPL personnel were checked for agreement with the detailed IPE documentation.

The plant tour was taken on November 20; general layouts were noted as well as detailed equipment locations and arrangements, for verification of the validity of the IPE modeling for specific

'Items'.

Following the plant tour, the list of 'items'as modified to reflect: those issues adequately resolved by discussion, review of detailed documentation, and the plant tour; and subsequent issues arising from the discussions, review, and the 'plant tour.'his modified list of 'tems'as provided to FPL staff on the afternoon of November 20, and resolution of this final list of 'Items'as accomplished that afternoon and on the morning of November 21.

Once all of the 'Items'ad been resolved, we reviewed specific sections of the FSAR to ensure that the IPE modeling was consistent with the licensing basis for the units.

1.1.2.2 Horizontal Review This review focused on the breadth of the TP IPE. All of the areas required for a complete front end analysis were reviewed, with specific emphasis on the 'Items'. of concern to us. To ensure completeness of this horizontal review, all, of the topics identified in NUREG 1335, as listed in section 3.0 of this report, were addressed.[NUREG 1335] .

1.1.2.3 Selected Vertical Reviews For issues associated with 'Items'f concern, a review of the depth of the TP IPE submittal was performed at the site. A complete, deta'iled review of the entire TP IPE was not performed, as it is out of scope for this audit activity; however, the areas selected-for vertical review were those of most interest based on our prior detailed review of the submittal and supporting information.

1. 1. 2. 4 Personnel Interviewed During the three day site visit, we interviewed numerous FPL personnel. Mr. Brian Vincent, Reliability and Risk Assessment Group (RRAG) Supervisor, was our overall contact, and he spent the entire three days assisting us in every way possible. Mr. Ching Guey, lead analyst for the TP IPE in the RRAG, provided most of the assistance for resolving modeling issues such as event tree structure, success criteria, and data. Operations related issues were 'addressed by Mr. John Crockford, TP Operations. Detailed questions on HVAC were addressed by Mr. Tom Gilmore, RRAG. Mr. Tom Cosgrove, TP Operations, assisted Mr. Guey in answering questions associated with a main steam line break (MSLB) accident. Mr. Jay Kabadi, Nuclear Fuels, answered questions associated with back end interface issues. Mr. Wes Johnson, Maintenance, addressed maintenance issues.

During the'plant tour, we were escorted by Mr. Vincent, Mr.

Cosgrove, and Mr. Tim Green, Performance Engineering'.

'he entire FPL staff was most cooperative. For every issue raised, the correct people were made available to us to address our concerns. The FPL staff were forthcoming with responses to our questions, and exhibited a good knowledge of both the TP IPE and the accuracy to which it models the plant systems and components.

0 e The TP IPE'as performed by FPL personnel with the assistance of Science Applications International Corporation (SAIC).'ased on our front end audit, FPL had the necessary involvem'ent in the front end part of the TP IPE as required by the IPE Generic Letter.[IPE Generic Letter) 1.1.2.5 Plant Tour The tour of TP units 3 and 4 took place on November 20. This section summarizes the areas toured. Figures 1-2 and 1-3 were provided to us. by FPL, and they show the general site layout.

The first area visited was that containing the two motor driven, non-safety related startup feedwater pumps. These pumps are located outside close to the main turbine 'area'hich itself is totally outside.

Then.,the area containing all the component cooling water (CCW) pumps for both units was visited. The CCW pumps are located outside, close to the high head safety injection (HHSI) pump room.

Next, the room in the auxiliary building containing the HHSI pumps was visited. This room is located at ground level (18 feet MSL) and connected to outside by two louvered doors,. Ventilation is provided by a common duct exhausting to the auxiliary building .

ventilation system.

The residual heat removal (RHR) room for unit 4 was toured next. This room is located within the auxiliary building with no direct connections to outside. It contains the two unit 4 RHR pumps, located two .floors below grade, and the two unit 4 RHR heat exchangers, extending vertically for two levels below grade. The room contains an exhaust duct connected to the auxiliary building ventilation system. The RHR pumps and heat exchangers for Unit 3 are located in a separate but geometrically similar room; we did not tour the'nit 3 RHR room due to the presence of minor contamination in it.

We viewed the cha'rging pump room for Unit 3 through the entry door, but did not enter this room due to low level contamination present in it. The room is at ground level,'nside of the auxiliary building, with no direct connections to outside. We noted 'the presence of hoses available for connecting service water to the three charging pumps for seal and oil cooling, should 'CCW be lost. A separate, but similar room contains the three charging pumps for Unit 4; we did not tour this room.

We saw the two co-located auxiliary building ventilation system exhaust fans. Each fan is contained within a large exhaust duct, and the two exhaust ducts are located side by side, on the ground level of the auxiliary building inside of a chain link barrier. It was noted that. the auxiliary building ventilation system is a once through system with no chillers. It was also noted that chillers for the HVAC systems servicing the switchgear room and the control room are located on the roof.

~s

~

C~~

<c e

~ ~~

~ s,~

P

,/gp' III III III III II

~ e

/

III I ~o< z/

gf'/

II II II tl III II' I I III IIII IIII I II I II s~

~

s s C+ I I

~l III@

s Hgi

~

~ e O

pg s

tsss, "~c

>ip e

~ ~,

se Mse

~ss ss s ~ s'Mes

,/

/

SNITCHYARD DEMIN. WTA STORAGE TANK

~~~eus ~~

STAATUP TRANSFORMEAS BIACKSTAATDIESEL GENERATORS s I I 4.15 LV 41b kV SWITCHQEAR SWGR ROOM ROOM IMT i TURBINE UNIT 3 TURBINE 0 CONTROL BNLDINQ I0 L AFW ~

DIESEL GENERATOR BUILDING I

DIESEL GENERATOR UNITS 1 AND 2 PQlPS FUEL ON. PUMPS 0 UNIT4 UNITS I

Q . CONTAINMENT CONTANGO ENT ~DIESEL FUEL OIL TANK STANDBY STM GEN FEED PUMPS, AUXIUAAY BQLDSQ LNIT4

- DIESEL

~N BIALDINQ STACKS RWST O O AWST INTAKE STRUCTlRE CANAL

We passed by, but did not tour, the two separate containment spray pump rooms for Units 3 and 4,'espectively, which are located on the ground -floor of the auxiliary building.

Next, we toured the turbine 'area', which is totally outside, and areas adjoining it, which can be entered directly from outside.

We passed by, but did not enter, the closed room containing the reactor trip breakers. We toured the two adjacent, but separate 4.16 kV switchgear rooms A and B for Unit 4. The room containing train B switchgear also contains the alternate shutdown panel for Unit 4. We noted the HVAC system using chilled air that serviced both of these switchgear rooms. We did not tour the switchgear rooms for Unit 3, but they are similar to the Unit 4 switchgear rooms in location relative to the turbine 'area'nd in internal arrangement. Located within the turbine 'area'ut segregated by a chain link barrier, are the three turbine driven auxiliary feedwater (AFW) pumps, looked common to both units. We entered at the pumps, drive turbines, and the chained enclosure and associated piping, valves, and fittings. The pumps and turbines are outside; the drive turbines exhaust directly to the outside atmosphere. The presence of local controls for AFW were noted.

We passed by but did not enter the new, freestanding 4B emergency diesel generator building. It was noted that switchgear used to respond to station blackout by loading the black start diesel generators onto either emergency bus A or B is located in the building.

Next, we visited the intake structure which is outside at ground level. This structure contains the two circulating water pumps and the three intake cooling water (ICW) pumps for Unit 3, and identical but separate pumps for Unit 4. Water supply is from the intake canal portion of the closed cooling water canal. (Event though TP is close to the Atlantic Ocean, it would discharge to Biscayne Bay if. once through cooling were used, and the Bay is sufficiently isolated and shallow to present environmental problems associated with thermal pollution; hence, a closed cooling canal is employed, with the Bay only providing makeup.)

We saw the elevated water tower, raised to on'the order of 100 feet, to supply service water. Gravity driven flow is sufficient to supply service water. Note, that for TP, 'service,'ater refers to non-safety related potable water and not to the water used as a heat sink for the CCW; the safety-related ICW system is the heat sink for CCW.

We passed by, but did not tour, the five black start diesels used for station blackout. We were told that these diesel generators were overhauled before being qualified for use to satisfy the NRC's station blackout rule. Also, all maintenance on these machines is presently performed by the nuclear plant maintenance staff.

We toured the cable spreading room in the control building, and noted the use of HVAC with chillers. Equipment of interest included: vital ac power panels, reactor protection system relay racks, and the AMSAC instrumentation. (AMSAC trips the motor-

generator sets which supply control rod drive power, and also initiates auxiliary feedwater. AMSAC is triggered on turbine trip simultaneous with low steam generator level, and is intended to respond to an ATWS event.)

Next, we toured the new electrical equipment room adjacent to the cable spreading room, and also noted the chilled HVAC for this room.

Finally, we toured the control rooms serving both units 3 and

4. The two control rooms are co-located with no barriers separating them, and they share some controls. The entrance to the control room is from outside, about 40 feet above ground level. We were told that all planned human factors related modifications to the control rooms have been completed, with the exception of the installation of some new, more descriptive annunciators.

2.0 ITEMS OF MAJOR INTEREST As discussed in section 1.1 of this report, our audit activities on site included the resolution of several 'Items'f potential concern that we identified both during the pre-site visit audit activities, and during the on-site audit. This section summarizes these items and their resolution.

Table 2-1 is a li'st of the 'Items'f concern that were discussed with the FPL staff.

2.1 Items of Concern and their Resolution 2.1.1 Initiating Events Not Explicitly Considered A break in a steam supply line to an AFW pump drive turbine was not considered as an initiating event. Our concern was that such an initiating event could flood the AFW pump room with steam and render AFW or portions thereof, unavailable. However as verified during the plant tour, the AFW pumps and drive turbines are located outside in the turbine 'area'nd not subject to room heatup concerns. Therefore, the AFW steam line .break 'initiating event is adequately covered in the MSLB event. We judge this item to be resolved.

The TP IPE did not discuss the possibility for a single tube rupture in a steam generator tube propagating into a multiple tube rupture event. FPL does not -consider this to'be a scenario based on the FSAR analysis.[FSAR, Section 14.2.4] The analysis in the FSAR, although performed for a single tube failure, is stated to be valid for up to a 4 to 6 inch break, which provides 18 to 40 times the mass rate loss from the single tube. Also, the FSAR states that multiple tube ruptures are unlikely. The nominal pressure at the tube wall is 1530 psi, which is a factor of 7.3 below burst pressure of 11,200 psi. Also, the tubes are tested at 7000 psi during pre-fabrication. Since the hoop stress is twice the longitudinal stress for a cylindrically shaped, thin tube, the most likely failure mechanism is a longitudinal crack, which is not

Table 2-1. Items of Concern Discussed with FPL Initiating Events not Explicitly Considered

a. Break in AFW Steam Supply Line

b. Multiple Steam Generator Tube Breaks

c. Instrument Tube LOCA d'. Assembly Blockage by Debris

e. Loss of HVAC Systems Initiating Event-Frequencies to be Justified

a. Loss of Main Feedwater

b. Spu'rious Opening of a PORV

c. Loss of Instrument Air (IA)

d. Interfacing Systems LOCA's Success Criteria Details

a. Main Steam Line Break (MSLB) Overcooling/Return to Power

b. Steam Generator Tube Rupture (SGTR)

Bad Generator if Cannot Isolate

c. Requirements for, Operator Action to Open AFW Flow Control Valves

d. Success Criteria for CCW and ICW System Dependencies

a. Cooling water For IA

b. HVAC heat sinks

c. HVAC for: AFW, CCW, ICW

d. Modeling for Chilled Water as Required for-HVAC System's

e. Reactor Coolant Pump Seal Return Flow/Isolation System Specif ic Details

a. Main Feedwater Isolation on Low Temperature

b. Feed and Bleed

c. Verify Modeling details for HVAC Systems

d. Verify Modeling Details for HHSI, Electrical Power, CCW/ICW Event Trees

a. System Level Trees From Functional Trees

b. MSLB Details

c. SGTR Details Fault Trees

a. HVAC Systems

b. AFW

c. CCW/ICW HHSI Recovery

a. Important Recovery Actions for TP 10

Table 2-1 (Continued)

9. Calculations

a. . Room Heatup Calculations

10. Containment Related

a. Containment isolation, Any Manual Actions Required?

b. Model of Containment Behavior Following LOCA, Two Cases:

(1) ECCS Recirculation with CCW Cooling of RHR Hx's but No Direct Containment Cooling (2) ECCS Recirculation without CCW Cooling of RHR Hx's and Without Direct Containment Cooling

c. Consideration of Containment Filtration System 11

likely to propagate to other tubes. We judge this item to be resolved.

The TP IPE categorized primary pipe breaks in the size range 3/8 to 2 inches equivalent-diameter as small-small LOCA's. Breaks below 3/8 inches are within the normal makeup capability using the charging pumps, and are therefore not categorized as LOCA's. In addition to makeup with HHSI, these small-small LOCA' require cooling through the steam generator(s) since the enthalpy out the break is insufficient to match decay heat at the lower end of this break regime. The details of primary to secondary cooling vary for different sizes of small-small LOCA's. The IPE did not consider an instrument tube rupture as a potential special small-small LOCA. Such an event is special because of its location being below the top of the core. All other LOCA's occur in piping elevated above the top of the core; for breaks at the upper end of the small-small LOCA range (1 to. 2 inches), given trip of the reactor coolant pumps, the break will uncover (steam) before HHSI can match-inventory loss, and the primary will saturate and flash, and heat removal to the steam generators will be through condensation cooling.[NUREG-0611] Should a break of this size be possible in an instrument tube, it cannot uncover without draining the vessel, and thus the existing small-small LOCA analysis is not directly applicable to the instrument tube break.

The instrument tube thimbles at . TP are 0. 312 inches in diameter, and are thus within the normal makeup capability. Also, should makeup fail, a 0.312 inch equivalent diameter LOCA does not require break uncovery for mass loss to be matched with HHSI makeup flow; thus the small-small LOCA success criteria does apply to the instrument tube break. We judge this item to be resolved.

The TP IPE did not consider debris blockage of flow to a fuel assembly as an initiating event. Other PRA's have screened this event from analysis also. Although flow blockage is not likely to

occur, event it from is recommended analysis.

that the TP IPE justify screening this The TP IPE did not identify any failures of HVAC systems as initiating events. FPL engineers indicated that such systems were evaluated for potential initiating events, but should the systems be lost, either mitigative cooling methods wo'old be employed, or the reactor would be shut down in a controlled. manner. Note that although TP is located in a hot part of the country, southern Florida south of Miami, much of the plant. equipment is outside. We judge this item to be resolved.

2.1.2 Initiating Event. Frequencies to be Justified The TP IPE used a mean frequency of 0.01/Ry yr for total loss of main feedwater, and a mean frequency of 0.91/Ry yr for loss of the power conversion system (PCS). The loss of PCS event included the following subevents with the indicated frequencies, in addition to total loss of main feedwater: loss of main feedwater, but recoverable (0.59); loss of main feedwater, only condensate pumps 12

e recoverable (0.16); loss of main feedwater due to feedline break (0.001); and excessive feedwater (0.15). As discussed in the, TP IPE, other PRA data bases have conservatively used a higher frequency for total" loss of feedwater. (Note that loss of grid power, which causes loss of main feedwater, is a distinct initiating event with a mean frequency for TP of 0.17, based on plant experience.)

The TP IPE value for total loss of feedwater was based on three factors: the, segregation of loss of PCS initiating events into five categories (as previously discussed),,only two of which rendered feedwater or condensate totally unavailable; if primary temperature drops below hot zero power (547 F), the main feedwater is isolated, but continues to operate using bypass flow; and, plant data from 1984 through 1989. The frequency for total loss of main feedwater used in the TP IPE is reasonable. We judge this item to be resolved.

The TP IPE assigned a mean frequency of 0.026/Ry yr for spurious opening of either of the two pressurizer PORV's as an initiating event. This value was derived by applying generic data to the TP pressurizer instrumentation system. We judge this item to be resolved.

The TP IPE used a mean value of 0.092/Ry yr for loss of instrument air as an initiating event, based on generic data; this is lower than the value used in some other PRA's. Based on discussions with FPL engineers, actual plant data, supports an even lower. value. We judge this item to be resolved.

- ~ An interfacing .systems LOCA is a break in- a system connected to the primary piping that results in primary fluid being discharged outside of containment. Such LOCA's are of special concern because the lost primary fluid is not available for recirculation from the ECCS sump, located inside containment.

SGTR's are a category of interfacing system LOCA's that are modeled as=a separate, distinct initiator.

The treatment of interfacing system LOCA's in the TP IPE was reviewed; the IPE estimated the mean frequency of an interfacing systems LOCA as about 6 X 10 '/Ry yr.

At this relatively low frequency, such events do not contribute substantially to the overall core damage frequency at TP. As a check on the TP IPE analysis of interfacing LOCA's, the CVCS normal letdown li'ne was examined. CVCS normal letdown is through penetration $ 15.. The, IPE did not model a break in this line outside of containment. The FSAR indicated that the letdown line contains a flow restriction orifice, downstream of the regenerative heat exchangers. FPL engineers told us that this orifice restricts flow so that a break in the letdown line outside of containment is within normal makeup capability, and therefore not a LOCA. We judge this item to be resolved.

13

2.1.3 Success Criteria Details The TP IPE provided a single functional event -tree for all transients, including a MSLB. Similarly, the IPE provided a single table of success criteria for all transients, including a MSLB.

The MSLB event, is substantially different from most other transients, TP, like in other that it pressurized is an overcooling water reactors event for the primary.

(PNR), -is an unrodded core'; at power reactivity is mainly controlled with chemical shim (boron in the primary water), and the control rods fine tune the reactivity control, and are substantially withdrawn. If the primary system temperature drops below hot zero power (HZP, 547 F, for TP), the fully inserted rods (wi;th the most reactive rod stuck out) cannot compensate for the negative moderator and maintain the reactor subcritical; that is, shutdown temperature'oefficient margin cannot be maintained on rods alone, and the concentration of boron must be increased to keep the reactor subcritical. For a MSLB upstream of a main steam isolation valve (MSIV),- flow out the bad steam generator (SG) cannot be isolated and the pressure in the bad SG falls; the temperature of the saturated fluid in the SG also falls along the saturation line, and reactor primary temperature follows SG temperature. During the early part of the transient, HHSI is necessary to provide borated water to the primary as it cools below HZP; later in the transient, operator action is necessary to isolate feedwater to the bad SG to terminate the cooldown. The TP success criteria for a MSLB do not consider the necessity for providing HHSI, nor do they consider the necessity for operator action to isolate feedwater.

The TP FSAR analyzes the MSLB as a design basis accident.(FSAR, Section 14.2.5) The analysis is based on an initial reactor conditionis atworse hot standby rather than full power, because the overcooling at hot standby. The. overcooling is worse at hot standby than at full power for the following reasons: more water is in the SG, the primary temperature is initially lower, and less shows heat is available to the primary from the a return to power t'hat is acceptable core. The FSAR analysis both in magnitude and duration, considering HHSI injection of borated water. The FSAR indicates that operator action to isolate feedwater flow to the bad SG is not necessary for at least 10 minutes. The TP IPE should be revised to address both HHSI operation and operator isolation of feedwater for the MSLB event.

Consideration of these effects will increase the frequency of core damage; we expect that this increase will not change the overall conclusions of the TP IPE, but this should be verified by FPL.

The TP IPE models SGTR as a special initiating event. A SGTR is a LOCA that bypasses containment. The success criteria for this event indicate that RHR shutdown cooling (SDC) was considered, but in the description of the sequence in the IPE RHR/SDC was stated to have not been considered.[TP IPE, Table 3.1-16, and Section 3.1.2.7.1] Consideration of RHR/SDC is for the situation in which the ruptured SG cannot be isolated, and the primary is cooled and 14

depressurized to essentially atmospheric pressure to stop loss of primary inventory. This reduction in pressure is accomplished before either makeup from the ECCS is lost, or makeup for the AFW supply is lost. At low pressure, RHR/SDC is required, since feed to and steaming from the SG' is not practical. (AFW is not available since no steam is, available to ~drive its turbines. The use of other sources of feedwater, such as motor driven standby feedwater, are questionable since the generator would not be steamed, and water discharge through SG relief valves would occur.

Detailed analyses are required to justify such a cooling option.)

Based on discussions with FPL engineers, the model assumed that if the ruptured SG was not isolated, the plant could be maintained at hot standby with makeup from the HHSI and cooling with the AFW. To maintain this condition, operator action is necessary to replenish both the RWST inventory for HHSI makeup and the condensate storage tank (CST) for AFW supply. (For example, FPL engineers told us that the CST can supply AFW for 18 hours2.083333e-4 days 0.005 hours 2.97619e-5 weeks 6.849e-6 months at hot standby.) The success criteria for the SGTR event should be revised to agree with the actual modeling of the event sequence.

The SGTR success criteria should address operator action to .

replenish the RWST and the CST, and/or RHR/SDC should be modeled.

These modifications are expected to have little impact on the TP IPE conclusions.

The TP IPE states that 375 gpm feedwater post reactor trip is necessary for successful core cooling, and that this flow can be obtained from one AFW pump feeding one SG. The flow control valves for flow from a given AFW pump to any single SG are set at 125 gpm.

Therefore, in certain situations operator action is necessary to open AFW flow control valves to ensure adequate AFW flow. FPL engineers confirmed that the IPE model for AFW adequately accounts for operator action if this item to be resolved.

necessary to ensure required flow. We judge The TP design does not have separate essential and nonessential CCW systems; similarly, the design does not have separate essential and nonessential ICW systems. Such a design is typical of older Bechtel plants; Davis Besse has .a similar design for CCW and service water. Newer Bechtel plants, such as South Texas, have separate systems. During a design basis accident, the nonessential loads for CCW and ICW must be isolated so that the RHR heat exchangers can be adequately cooled. It was verified with FPL engineers that the IPE model for successful operation of CCW and ICW requires isolation of nonessential loads as necessary. We judge this item to be resolved.

In normal operation the heat loads on CCW are less than during design basis accident conditions. The original TP design, as described in the FSAR, controlled CCW temperature by throttling ICW flow based on the highest of two RHR heat exchanger CCW outlet temperatures; since ICW is the heat sink for CCW, controlling ICW flow controls CCW temperature. The concept was to not operate CCW at too low of a temperature during normal operations, but provide for the necessary increased heat removal with CCW during 'accident 15

conditions. This design characteristic was incorporated into other older Bechtel plants, such as Davis Besse. At TP, this design was implemented by throttling ICW air operated valve CV2202 (designed to fail closed on loss of air) based on CCW RHR heat exchanger outlet temperature. We were concerned that an accident,- CCW would be lost.

if CV2202 closed during The concerned was heightened by the fact that the valve requires instrument air to remain open, and that with normal operation at some less-than-fully-opened position with salt water flow, the valve could mechanically fail to open fully as required under accident conditions. FPL operations staff told us that this vulnerability had been recognized in years past and corrected. The present design employs a locked open manual

'alveg 406'hat provides an alternate flow path for ICW besides that through CV2202, and CV2202 is no longer used. Valve 406 provides sufficient ICW flow during accident conditions to effectively cool CCW; Maintaining valve 406 fully open during normal operations does not pose a problem for overcooling CCW, because the geographical location of TP is such that low ICW supply temperature is not of concern. (Such a design modification would not be acceptable at a plant located in a colder part of the country, such as on Lake Erie.) We were also told that the ability to isolate turbine plant cooling water (TBCW), a nonessential part of ICW, had been improved in years past, by adding'wo motor operated valves. In our opinion, the concern over CV2202 it is suggested that in the IPE, FPL document the current design characteristic which does not require this valve to operate.

is'esolved;

2. 1. 4 .System Dependencies We asked FPL engineers required cooling water. We if thetoldaftercoolers were for the IA system no, because the aftercoolers are cooled by air using a turbine directly driven by the air compressors. We judge this item to be resolved.

The systems dependency matrix in the TP IPE does not indicate any heat sinks for the HVAC systems.[TP IPE, Table -3.2-4]

Discussions with FPL engineers verified that the detailed fault tree models for the HVAC systems did model the appropriate heat sinks. In our opinion, this item is resolved; FPL should consider adding a footnote to the systems dependency table indicating that detailed HVAC models consider the- required heat sinks.

The systems dependency matrix in the TP IPE indicates that the following system do not require HVAC: AFW, CCW, and ICW. During our plant tour, we verified that AFW, CCW, and ICW do not require HVAC, because the components of these systems are located outside.

We judge this item to be resolved.

Some of the HVAC systems, such as switchgear room cooling and cable spreading room cooling, require chilled wa'ter, which in turn requires a mechanical refrigeration unit. We verified that the fault tree models for these systems included modeling of the chilled water. We judge this item to be resolved.

16

The TP plant has Westinghouse reactor coolant. pumps (RCP);

these pumps do not employ staged seals. (Other manufactures, such as Byron Jackson, use staged seals in their reactor coolant pumps.

A staged design employs controlled bleedoff in parallel with each of typically three seals to produce an equal pressure drop across each seal. In the Westinghouse design,.the first seal takes the total pressure drop, and the second seal is available to take full pressure in, case the first seal fails; the third seal is not designed to take full pressure.)

In revie'wing the TP IPE treatment of RCP seal cooling, not clear if it loss of seal cooling due to isolation of seal return was is of concern. FPL operations stated that a relief valve that discharges to the pressurizer relief tank is in the seal return piping. The valve is set to open at 600 psig and the relief thus provided prevents loss of seal coolant flow should seal return be isolated. We judge this item to be resolved.

2.1.5 System Specific Details To avoid cooling the primary below HZP (547 F) following reactor trip, main feedwater is isolated if primary temperature drops to 547 F. We verified with FPL engineers that isolation of main feedwater on low temperature does not render main feedwater unavailable; recirculation flow is maintained. Trip of main feedwater requires parameters other than low primary temperature to reach the trip setpoint, such as those leading to a safety injection (SI) signal. It was noted that TP does not have a main feedwater flow runback system. We judge this item to be resolved.

The HHSI pumps at TP have a shutoff head of 3300 ft, or about 1400 psi.[FSAR, Table 6.2-7] They cannot pump at the pressurizer safety valves setpoint, 2485 psig.[FSAR, Table 4.4-1). The TP IPE used the following success criteria for feed and bleed: 2 PORV's opened by remote manual action from the control room, and 2 HHSI pumps. The plant procedures call for feed and.bleed if either of the following conditions exist: SG level less than 22% in any 2 SG, or pressurizer pressure greater than 2335 psig. No credit was taken in the TP IPE for the possibility of feed and bleed on the safety valves using normal charging pumps for makeup; detailed analysis would be required to justify this option. We judge this item to be resolved.

The TP IPE results'ndicate that failures of HVAC systems are not significant contributors to the core damage frequency at TP.

.of the TP plant, unimportant.

i's We investigated this conclusion; due to the geographical location not obvious that HVAC failures are Also, prior PRA s of plants in similar high temperature and high humidity locations indicate that HVAC failures are important.[NUREG/CR-5606]

The design of TP is such that many important systems components are outside, and therefore do not require room cooling.

As discussed in sections 1.1.2.5 and 2.1.4, AFW, CCW, and ICW are all outside. Also as indicated in section 1.1.2.5, the room 17

0 containing the doors opening HHSI is located on ground level with two louvered directly to the outside; thus, making it easy to institute once through forced ventilation with outside air. Of all the remaining systems and rooms requiring heat removal, the systems of most concern to us due to their locations and heat loads were:

the RHR pump and heat exchanger rooms, the electrical switchgear rooms, and the control room. The RHR rooms are within the auxiliary building, and during accident conditions the heat input into these rooms can be large, especially from the RHR heat exchangers. The auxiliary building ventilation system provides for cooling of the RHR rooms. The electrical switchgear rooms and the control room have doors that open to the outside; the HVAC systems serving these rooms require chilled water and associated mechanical refrigeration units.

We reviewed the, system notebook for the HVAC/ventilation systems and discussed the models for these systems with FPL engineers. The systems associated with the following components/rooms were examined: control room, cable spreading and computer room, dc equipment and inverter room, auxiliary building ventilation and associated areas served including RHR rooms and HHSI room, EDG unit 3, EDG unit 4, electrical switchgear rooms, 3B and 4B MCC rooms, new electrical equipment room, electrical penetration room, and the dc enclosure building. The IPE models for these systems were extensive and well done. We noted that the success criteria for many of the systems as modeled in the fault trees were, in general, more conservative than stated in the text accompanying the fault trees in the system notebook. The FPL engineer responsible for the HVAC modeling stated that the criteria reflected in the fault trees were actually used in the analysis.

The system notebook stated that it was up to the individual system analyst whether or not to integrate HVAC/ventilation systems into their specific models as a dependency. We discussed this statement with the FPL engineer responsible for the IPE HVAC/ventilation models, our concern being that without the other system modelers interacting with this knowledgeable person, necessary dependencies would be non-conservatively omitted from the models for systems

.requiring HVAC/ventilation. We were assured that the analysts who modeled the systems that could require HVAC/ventilation interacted with the engineer who had modeled the HVAC/ventilation systems.

FPL staff told us that all of the HVAC/ventilation systems as modeled in the fault trees, were included as dependencies, except for HVAC for the control room, and HVAC for the cable spreading and computer room. The HVAC for the cable spreading and computer room was excluded because the only mitigative equipment credited in the TP IPE that is located in these rooms is cabling, which is not very sensitive to high temperature and humidity. The HVAC for the control room was excluded based on engineering judgement.

We found the modeling for the HVAC/ventilation systems to be thorough. It is recommended that the TP IPE consider the following for the HVAC systems. Update the success criteria in the text in the HVAC/ventilation system notebook to be consistent with the 0 18

accompanying fault trees. Document that all of the HVAC/ventilation system dependencies as modeled in the HVAC/ventilation system notebook, were included as required support system dependencies, except for HVAC for the cable spreading room and computer room, and for the control room. Document the reasons for excluding the HVAC for these rooms from the TP IPE analysis.

For the control room, we recommend that a'ormal engineering calculation be performed arid included in the system notebook, that verifies the operability of control room instrumentation and control, and operator habitability of the control room in the absence of HVAC.

We audited the fault tree models in the appropriate IPE system notebooks for the following systems: HHSI, electrical power, CCW, and ICW. The purpose of this audit was to verify that the fault trees accurately reflected the systems as described 'in the submittal. No problems were identified. We judge this item to be resolved.

2.1.6 Event Trees The TP IPE submittal includes functional event trees for the following classes of accidents: large LOCA, medium LOCA, small

'LOCA, small-small LOCA, transients, SGTR, and ATWS. System level event trees are not included in the submittal. Success criteria for the functional event trees are included in the submittal, to a level of detail consistent with the functional event trees. The functional transient event tree and its accompanying success criteria is intended to model .all transients; the success criteria is insufficient to. accurately address all transients as discussed in section 1.2.1.3 of'his report. For example, the transient success criteria is too simplistic for a MSLB. A MSLB is an overcooling event, as distinct from most of the other transients which are undercooling events. Also, as discussed earlier in section 1.2.1.3 of this report, the success criteria for the SGTR event needs some amplification associated with cooldown to RHR SDC, and replenishment of water to the RWST and the CST for extended operation at hot standby. This need-arises from the use of only the SGTR functional event tree without a more detailed description "

of the event, either in the text or through the use of 'system

specific event trees.

During the site visit, we discussed with FPL engineers how the functional event trees, most notably the functio'nal transient event tree and the functional SGTR event tree, were used to model accident sequences associated with specific initiating events. FPL staff told us that no system specific event trees were produced; instead, mitigating system fault trees for functional events were linked with specific initiating events using conditional logic. In principle, this is a rigorous method; however, it requires careful

-implementation by the analyst to, ensure that all conditional effects are considered. The use of functional event trees only, in the TP IPE, led to incomplete modeling of the MSLB event and of 19

the SGTR event.

Although system specific event trees are not necessary, when only functional event trees are used to model unusual events such as, a MSLB (overcooling event) and a SGTR (a LOCA that bypasses containment), the analyst must ensure-that all conditional effects are included when quantifying 'the accident sequences. The TP IPE event trees should be revised to,include the complete success criteria for the MSLB and the SGTR, and these accidents should be re-quantified. As discussed in section 1.2.1.3 of this report, it is not expected that re-quantification will change the conclusions of the TP IPE, but this should be proven numerically. To avoid such problems in the future, we, recommend that the detailed onsite documentation supporting the submittal, should be expanded to include a method to interface the functional event trees and the conditional logic model used to quantify the event trees, so that initiating event specific features are completely considered.

2.1.7 Fault Trees We reviewed the fault tree models for HVAC systems, AFW, CCN, ICN, and HHSI. Detailed comments on these systems as modeled in the fault trees are'provided in preceding sections of this report.

In general, the fault tree models are good. In the AFW and HHSI fault trees, the requirement for replenishing water supply sources and associated operator actions, should be included. For example, to remain at hot standby for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , the CST supply for the AFN pumps must be replenished, and for a SGTR with no isolation of the ruptured SG and no cooldown and use of RHR SDC, the RWST supply for HHSI'robably must be replenished.

2.1.8 Recovery During the site visit, we asked FPL engineers to discuss those recovery actions most important in the TP IPE. They stated that they are as follows. If CCW supply is lost to the charging pumps for seal and oil cooling, service water from the elevated water tank can be supplied at 70 psi with local hose, connections. Ne verified that the equipment specifications for the charging pumps allow the use of service water in lieu of CCW for the pumps. Use of the motor driven standby feedwater pumps was important for some accident sequences; Use of feed and bleed was important for some accident sequences. Use of the black start diesels cross tied to the appropriate buses was important for accident sequences involving station blackout. For a few sequences, recovery of HVAC for the dc equipment inverter room was important. We judge this item to be resolved.

2.1.9 Calculations "

Due to the detailed modeling of the HVAC/ventilation systems, as discussed in section 1.2.1.5 of this report, extensive room 20

heatup calculations are, for the most part, not necessary.

However, as discussed previously, the TP IPE model assumed that control room HVAC is not necessary. As stated in section 2.1.5 of this report, it is recommended addressing control room heatup be

'hat a detailed calculation performed.

2.1.10 Containment Related To facilitate interfacing with the back end audit of the TP IPE, we addressed three containment related items with the FPL engineers during our front end audit: containment isolation, core cooling during the recirculation phase of LOCA's with no containment cooling, and the impact of the containment filtration system on the estimated source term.

(1) Containment Isolation. FPL staff verified that for containment isolation, for both phase A and B, including isolation of the containment purge system during phase A, no operator action is required. Operations personnel monitor the status of containment isolation following actuation of the isolation system, and take action only when a failure to automatically isolate occurs. In our opinion, this item is resolved, but we recommend that it be clarified in the IPE.

(2) Core Cooling. TP employs a large dry containment, consisting of pre-stressed, post-tensioned reinforced concrete for strength, with a steel liner and isolation of penetrations for leak tightness.'he TP IPE specified a mean containment failure pressure of 146 psig; the design pressure is 59 psig. For similar containments, previous PRA studies indicate that without containment heat removal during the recirculation phase of LOCA accidents, ECCS recirculation will fail due to conditions exceeding the temperature ratings of the pumps, and associated equipment inside containment.[NUREG/CR-5606] (Very early PRA studies, such as the reactor safety study, assumed that ECCS recirculation fails at the time of containment overpressurization, due to flashing of water in the containment sump, which is the supply for recirculation, and subsequent cavitation of the ECCS pumps in recirculation. [WASH 1400] This is not a good'ssumption; only about 10 % of the mass of water in the sump flashes, and the sump can be saturated and not cavitate the ECCS pumps in recirculation due to the increase in head from the sump to the RHR pumps. Note that at TP the RHR pumps are below grade, and although the HHSI pumps are at ground level, they are piggybacked onto the discharge of the RHR pumps, if they are needed during recirculation.)

containment spra'ys are operating during recirculation, they promote If thermodynamic equilibrium and tend to maintain sump and containment atmosphere temperatures almost equal; in this case the sump water is maintained subcooled due to the partial pressure of air in the closed containment. If containment is cooled by the fan coolers, and sprays are n'ot available, the sump tends to be at a higher temperature than the atmosphere since thermodynamic equilibrium is difficult to achieve without the large surface area of the spray 21

droplets; the sump is at the saturation temperature corresponding to the containment pressure, and the containment temperature is that of saturated vapor at the partial pressure of steam in the containment atmosphere ~ If'o direct containment cooling is available, but the water pumped from the sump is cooled by the RHR heat exchangers, containment will not overpressurize, but the sump will be saturated; We discussed these typical characteristics of containment cooling for large, dry PWR containments, with FPL engineers, to see how TP behaves under similar conditions. In particular, we asked about the following two cases: (a) ECCS recirculation with CCW cooling for the RHR heat exchangers, but with no direct containment cooling, and (b) ECCS recirculation with no CCW cooling for the RHR heat exchangers, and with no direct containment cooling. FPL engineers responded that for'ase (a), the sump boils but containment and ECCS recirculation by'PL, are still intact.

is Case (b) for was all not directly evaluated .since CCW required containment cooling, for RHR heat exchanger cooling, and for all ECCS recirculation pumps (seal and oil cooling); thus, this case at TP is not likely to occur. That is, loss of containment cooling and loss of RHR heat exchanger cooling is most likely accompanied by loss of ECCS recirculation. Evaluations with MAAP, performed by FPL, indicate that the containment fails at a temperature of 350 F.

FPL has not evaluated ECCS recirculation equipment operability under such conditions. We infer from this information, that the sump temperature would be about 364 F at the time of containment failure. As previouslyanddiscussed, the mean containment failure pressure is 146 psig, the sump is expected to be boiling at failure, so its temperature is the saturation temperature at 146 psig. The containment atmosphere is at 146 psig and 350 F, indicating a steam partial pressure of 119 psig, the saturation pressure corresponding to 350 F, and an air partial pressure of 27 psig. As a check on 'this simple calculation, note that the design conditions for TP containment are 59 psig and 293 F.[FSAR, Section 5.1] Following the same reasoning as just'rovided, a 27 psig partial pressure of air relative to 146 psig total, impliesa an 11 psig'artial pressure of air at 59 psig total, leaving steam of partial pressure of 48 psig which has a saturation temperature provides 295 F, close to the design value of 293 F. The FSAR

.design temperatures for the HHSI and RHR pumps of 300 F and 400 F, respectively.[FSAR, Table 6.2-7] 'ased on our simple calculations for TP, for recirculation cases involving only the RHR pumps before (e.g.,

large LOCA), the recirculation equipment may not fail containment overpressurizes, since the design temperature of the RHR pumps is not exceeded; other equipment involved in recirculation with the RHR pumps must be verified to be able to operate at the elevated temperature before it can be claimed that recirculation will remain av'ailable. For recirculation involving the HHSI pumps (e.g., small LOCA), the HHSI pumps will exceed their design temperature rating, and detailed analyses is required to verify their ability to operate until containment reaches failure 22

pressure. ~ Note, that at TP, recirculation with HHSI requires piggybacking off the RHR pumps: the HHSI pumps do not take suction directly from the containment sump.

It is recommended that the TP IPE should include a discussion

~

relative to . core cooling during accidents requiring ECCS recirculation from the containment sump, in cases for which no

~

containment cooling is available.

(3) Containment Filtration. The TP containment design includes a filtration system inside containment, to meet licensing siting criteria associated with of fsite doses from containment leakage of iodine.[FSAR, Section 6.3] [10 CFR 100] This system is not part of the containment fan cooler system. The filtration system consists of three trains, two of which are required for operation to meet the design basis licensing analysis. Each train consists of a motor driven fan which forces containment air through a demister, a HEPA filter, and a charcoal filter.

We asked FPL engineers if any credit for operation of this filtration system was given in calculations of souice terms. They said no, which is an acceptable, conservative assumption. In our opinion, this item is resolved, but we recommend that clarified in the IPE.

it be 2.2 Interface with Human Factors Review Prior.to, and during the site visit, as we conducted the front end review, we identified various issues to .Concord for use in their review of human factors in the TP IPE. Most of the, issues have been discussed in section 2.1 of this report. The issues and the section in which they were addressed are as follows.

Operator Actions to Throttle Feedwater Flow to Bad SG and to Borate Primary Following MSLB (Section 2.1.3)

Operator Actions to Open. AFW Flow Control Valves, As Necessary, to Ensure Sufficient AFW Flow to remove Decay Heat Using SG's (Section 2.1.3)

Operator Actions to replenish the CST to Allow Water Supply to AFW to Maintain Hot Standby for At Least 24 Hours (Section 2. 1. 3)

Operator Actions to Replenish the RWST to Allow Continued HHSI Makeup Following a SGTR with Failure to Isolate the Bad SG and Inability to Depressurize and Use RHR Shutdown Cooling (Section 2.1.3)

Operator Actions Associated with HVAC/Ventilation Systems (Section 2.1.5)

Operator Actions for Feed and Bleed (Section 2.1.5)

Operator Actions to Switch ECCS From Injection with the RWST to Recirculation from the Containment Sump Following a LOCA (Not previously discussed, since not associated with any purely front end items of major concern) 23

2.3 Interface with Back End Review Prior to, and during the site visit, as we conducted the front end review, we identified various issues to. Scientech for use in their review of back end analyses in the TP IPE. All of these issues were discussed in section 2.1.10 of this report. The issues are as follows.

Extent of Automatic Containment Isolation Core Cooling. During LOCA's with No Containment Cooling Effect of the Containment Filtration System on the Source Term Analysis 3.0 THE TP IPE FRONT END PER NUREG 1335 This section provides' brief description of the contents of the TP IPE, organized according to the standard table of contents from NUREG 1335; this Table is included as Table 3-1 of this report.[NUREG 1335] [Back End Step 2 review Guidance] Section 2.1 of this report discussed in detail those items of major interest to us in our front end audit. This section references that earlier section, as necessary. Unless noted otherwise in the remainder of this section, the TP IPE satisfactorily addresses the specific topics delineated in Table 3-1.

3.1 Executive Summar The TP IPE submittal contains an Executive Summary, which summarizes the objectives of the IPE, discusses the contractual assistance provided by SAIC, and states the amount of utility personnel involvement in the IPE. A summary of the major findings is also included.

3.2 Examination Descri tion 3.2.1 General Methodology The TP IPE submittal summarizes the methodology used in the analyses. The study used the small event tree, linked large fault tree methodology for the analysis of core damage.

3.2.2 Information Assembly The TP IPE submittal summarized the information used in performing the IPE, and the document control process used. As part of our site audit, we reviewed selected supporting information for the IPE that was not included in the submittal, such as system notebooks including system fault trees. The necessary information was well documented and maintained.

Table 3-1. Standard IPE Table of Contents per NUREG 1335

1. Executive Summary

2. Examination Description

2. 1 .General Methodology 2.2 Information Assembly

3. Front End Findings 3.1 Accident Sequence Delineation 3.1.1 Initiating Events 3.1.2 Front Line Event Trees 3.1.3 Special Event Trees 3.1.4 Support System Event Tree "3.1.5 Sequence Grouping and Back End Interfaces 3.2 System Analysis 3.2.1 System Description 3.2.2 Fault Tree Analysis 3.2.3 Dependency Treatment 3.3 Sequence Quantification 3.3.1 Generic Data 3.3.2 Plant Specific Data and Analysis 3.3.3 Human Failure Data (Not Part of'ront End Review) 3.3.4 Common Cause Failure Data 3.3.5 Quantification of Unavailability of Systems and Functions 3.3.6 Generation of Support System States and Quantification of Their Probabilities 3.3.7 Quantification of Sequence Frequencies 3.3.8 Internal Flooding Analysis 3.4 Results and Screening Process 3.4.1 Application of Screening Criteria 3.4.2 Vulnerability Screening 3.4.3 Decay Heat Removal Evaluation

4. Back End Findings (Not Part of Front End Review]

5. Evaluation of Utility Participation and Internal Review Team

6. Review of Plant Improvements and Unique Safety Features

7. Review of Summary and Conclusions 25

3.3 Front End Findin s 3.3.1 Accident Sequence Delineation 3.3.1.1 Initiating Events The TP IPE used a standard approach for the identification of initiating events. Sections 2.1.1" and 2.1.2 of this report provide our detailed comments on the adequacy of the identification and quantification of initiating events for the TP IPE. We have no major concerns related to the initiating events for the TP IPE; we recommend that the exclusion of fuel assembly flow blockage as an initiating event be documented.

3.3.1.2, Front- Line Event Trees The only event trees used in the TP IPE are the seven function event trees as listed in section 2.1.6 of this report. Conditional logic was used to specify system specific failure logic for specific initiating events of concern. As discussed in detail in sections 2.1.3 and 2.1.6 of this report, the success criteria and associated systems modeling for the MSLB event is incomplete. The MSLB,model should include boration with HHSI, and- termination of feedwater to the ruptured SG.

3.3.1.3 Special Event Trees 1 and The TP IPE used ATWS speci fic functional event trees for the SGTR events. System level trees were not used, as discussed in section 2.1. 6 of this report, and the SGTR model is incomplete, as discussed in section 2.1.3 of this report. The SGTR model should include makeup of water to the RWST and to the CST to maintain HHSI and AFW if the bad SG cannot be isolated. Also, the use of RHR SDC in lieu of remaining at hot standby should be clarified.

3.3.1.4 Support System Event Tree The small event tree, linked large fault tree methodology used in the TP IPE does, not require any support syst: em event trees.

Support systems are included in the fault trees for those systems that require them.

3.3.1.5 Sequence Grouping and Back End Interfaces The TP IPE adequately bins the front end core damage sequences and accounts for pre-existing conditions within a given bin'that impact the back end analysis.

26

3.3.2 Systems Analysis 3.3.2.1 System Description The TP IPE submittal provides summary system descriptions, including success criteria and dependencies. The system notebooks, maintained at the site, provide more detailed descriptive information including the fault tree models. Our review of the systems is discussed in sections 2.1.3, 2.1.4, 2.1.5, and 2.1.7 of this report, where we make the following recommendations. The IPE submittal should clarify that valve CV2202 is not required for successful cooling of the CCW heat exchangers with ICW. The system dependency diagram in the IPE submittal should include a footnote indicating that the heat sinks for the HVAC systems were considered in the detailed fault tree models for these systems. The IPE should update the success criteria in the text in the HVAC/ventilation system notebook to be consistent with the accompanying fault trees. The IPE should document that all- of the HVAC/ventilation system dependencies as modeled in the HVAC/ventilation system notebook, were included as required support system dependencies, except for HVAC for the cable spreading room and computer room, and for the control room. The IPE should document the reasons for excluding the HVAC for these rooms from the TP IPE analysis; for the control room, we recommend that a formal engineering calculation be performed and included in the system notebook, which verifies the operability of control room instrumentation and control, and operator habitability of the control room in the absence of HVAC. In the AFW and HHSI fault trees, the requirement for replenishing water supply sources and associated operator actions, should be included. For example, to remain at hot standby for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , the CST supply for the AFW pumps must be replenished, and for a SGTR with no isolation of the ruptured SG and no cooldown and use of RHR SDC, the RWST supply for HHSI'robably must be replenished.

3.3.2.2 Fault Tree Analysis The fault trees for the TP IPE are maintained in the system notebooks, which are not included in the submittal. As part of the on site audit, we reviewed numerous system notebooks and fault trees. In general, the fault trees are complete and well documented. Our specific comments on the accuracy to which the fault trees reflect system characteristics as required for accident mitigation, are provided in sections 2.1.5 and 2.1.7 of this report. The preceding section, 3.3.2. 1, summarized our comments on the systems as modeled in the fault trees. As far as the trees themselves, our summary comments are as follows. In the AFW and HHSI fault trees, the requirement for replenishing water supply sources and associated operator actions, should be included. For example, to remain at hot standby for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months , the CST supply for the AFW pumps must be replenished, and for a SGTR with no isolation 27

of the ruptured SG and no cooldown and use of RHR SDC, the RWST supply for HHSI probably must be replenished.

3.3.2.3 Dependency Treatment Section 2.1.4 of this report provides a discussion of -our, concerns relative to the treatment of dependencies in the TP IPE; all of these 'tems'ere resolved. during the site visit. We recommend that the system dependency matrix in the submittal include a footnote explaining that heat sinks for the HVAC/ventilation systems were included in the detailed models of these systems.

3.3.3 Sequence Quantification 3.3.3.1 Generic Data The TP IPE used a combination of generic and plant specific, data for quantification. The submittal 'clearly points out the sources used for generic data, the major one being the SAIC Generic Data Notebook. [SAIC Data] Generic data .was. used for initiating events that do not occur frequently, for component failure rates for components where plant specific data is limited, and for, common cause failures. We identified no issues. associated with the use of generic data.

3.3.3.2 Plant Specific Data and Analysis The TP IPE uses plant specific data for the following:

initiating events that have occurred on the order of once per times, year, component failure rates where plant data is good, exposure and test and maintenance unavailabilities. The submittal clearly points out the plant specific data used in the analysis; the basis for the plant specific data is good, length

'since of it is in based on the two operation. (The units which have an appreciable time analysis used data from 1/84 to 12/89 for unit 3, and from 6/84 to 12/89 for unit 4.) Section 2.1.2 of this report provides our comments on 'Items'f concern for the frequencies assigned to the following initiating events: loss of main feedwater, loss of instrument air, and interfacing LOCA. All of these 'Items'ere resolved during the site visit. We identified no other issues associated with the use of plant. specific data.

3.3.3.3 Human Failure Data This topic is out of scope for the front end review; it is addressed in the companion audit report on Human Factors for the TP IPE, as performed by Concord Associates.

28

1~

3. 3. 3. 4

~ ~ Common Cause Failure Data

~

-Table 3.3-6 of the submittal provides beta factors from

~

generic data that were used to examine common cause failure. These values are reasonable.

3.3.3.5 Quantification of the Unavailability of Systems and Functions The TP IPE used the linked large .fault tree approach to quantify accident sequences. The CAFTA computer code was used for quantification of core damage; the analyses were done on microcomputers. We identified no issues with the quantification process.

3.3.3.6 Generation of Support System States and Quantification of Their Probabilities The TP IPE used the linked large fault tree methodology, in which support systems are modeled in the fault trees.

Consequently, no support system state event tree was created.

3.3.3.7 Quantification of Sequence Frequencies Based on our review of the TP IPE, the accident sequences have been numerically quantified correct'ly.

3.3.3.8 Internal Flooding Analysis The TP IPE concluded that internal flooding is not of major concern at TP. The core damage frequency due to internal floods, was estimated as less than 5 X 10 'er reactor year.

The relative importance of internal flooding is low, because many of the systems and components of concern are located outside due to the open design of the plant, and water cari run off to the intake or discharge canals.

Based on our plant tour, the areas of most concern to us for internal flooding are the RHR rooms, due to their location below grade in the 'auxiliary building. The IPE did'address flooding in these rooms, and it correctly points out that flooding of components in these rooms is not an initiating event, since no components in the rooms are required to operate at power.

The IPE evaluated ruptures in the condenser circulating system. Since this system is located outside, such an event does not pose a flooding threat to safety related equipment; the event Considering recovery, this results in loss of main feedwater.

event has a frequency of less than 5 X 10 'er reactor year.

The screening process used for the internal flooding analysis is clear and logical, and the quantification of flooding events that survived the screening appears to have been thoroughly performed. We conclude that the TP IPE conclusions regarding 29

internal flooding are valid. We have noted some areas that could be clarified in the IPE. These are as follows. The flooding study implicitly assumes that circuit breakers are coordinated, so that breakers, associated with flooded electrical equipment open and prevent propagation of shorts throughout 'other portions of the electrical power network. Loss of drainage due to backup of drains and plugging of drains is not discussed. The assumption that motor operators for valves are not vulnerable to spray should be discussed more fully. The frequency of core melt due to ruptures in the condenser circulating water system is given including recovery; the value without recovery should be given and recovery discussed.

3.3.4 Results and Screening Process 3.3.4.1 Application of Screening Criteria Based on our review of the front end portion of the TP IPE, reasonable screening criteria have been consistently applied in the TP IPE.

3.3.4.2 Vulnerability Screening The methodology used in the TP IPE is capable of identifying vulnerabilities. Based on our review, the application of this methodology was appropriate, and vulnerabilities were correctly determined.

3.3.4.3 Decay Heat"Removal Evaluation Based on our review of the TP IPE, the evaluation of the capability of the plant design to remove decay heat during accidents is acceptable. We recommend that the model for AFW be revised to include actions necessary to refill the CST to allow sufficient water for the AFW to maintain hot standby for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months .

This addition should not alter the conclusions of the TP IPE related to the capabilities and vulnerabilities of the decay. heat removal system's.

As discussed in section 2.1.5, the model used for feed and bleed at TP is acceptable; no unanalyzed configurations for feed and bleed were taken credit for.

3.4 Back End Findin s This topic is out of scope for the front end review; it for is addressed in the companion audit report on the Back End review the TP IPE, as performed by Scientech.

30

3.5 'Evaluation of Utilit Partici ation and Internal Review Team FPL personnel were heavily involved in the application of the IPE methodology to TP. Over 50% of the total effort was performed by FPL personnel. SAIC, provided the tools used by FPL to apply the methodology; effective transfer of technology from SAIC to FPL for the front end effort was accomplished.

During our site visit, all of our issues related to the front end analysis were handled exclusively by FPL staff, indicating that knowledge of the TP IPE process and results is resident within FPL staff.

The TP IPE effectively involved TP site personnel into the effort. Good interaction occurred between PRA analysts and site staff, most notably Operations and Systems Engineering, in the development and review of the TP IPE. It was evident during our discussions with FPL staff during the site visit, that Operations had been s'ufficiently involved in the PRA process.

3.6 Review of Plant Im rovements and Uni ue Safet Features Based on the TP IPE, FPL performed a plant modification that allows service water to be used for supply to all of the charging pumps for seal and oil cooling, if CCW is lost. This simple from internal events', from 4 X 10 'o modification significantly reduced the frequency of core damage 1 X 10 'er reactor year.

Loss of HVAC/ventilation is not of major concern at TP, due to the open design of the plant resulting in many systems and components being located outside. Internal flooding events are not important contribut'ors to core damage at TP, due to the open design of the plant resulting in many systems and components being located outside.

TP has a number of unique features worth noting, that were factored into the IPE. The service water system is not safety related, but it is unique in that it has an elevated water capable of providing gravity feed.

storage'ower All three of the safety related,AFW pumps at TP are steam tur'bine driven, but two non-safety related motor driven, standby feedwater pumps are available.

Due to the location of. the TP site, the ICW system can be operated at full flow without overcooling the CCW system;

,therefore, flow does not have to be increased for design basis accidents.

The TP site consists of two fossil plants, units 1 and 2, and two nuclear plants, units 3 and 4. Although the two fossil units can supply .power to the two nuclear units through the switchyard, no credit was taken for power from these units given a loss of grid initiating event. (As-explained in. the FPL draft responses to the step 1 review, the 'oss of Grid'nitiating event is a total loss of all power to the switchyard from the system grid. The 'Loss of Offsite Power'nitiating event is due to switchyard faults resulting in the trip of a single unit, and the loss of offsite 0 ,31

power to the tripped unit's startup transformer. .The 'Loss of-Grid'vent is most important since it has a mean frequency of 0. 17 compared to the 'Loss of Offsite Power'event which has a frequency of 9 X 10 .)

The TP site has a total of four emergency diesel generators serving the two nuclear units, and five blackstart diesel generators available for use in the case of station blackout.'he IPE model included the ability to power one unit with an emergency

,diesel generator from the other unit using the station blackout crosstie; use of the blackstart diesel generators was also factored into the IPE. The variety of options for power following 'Loss of Grid's extensive.

Dual-unit accidents are dominated by two initiating events:

loss of grid, and loss of'nstrument air; of all the dual unit accidents, only those initiated by loss of grid have a frequency greater than 1 X 10 per year. The dual unit core damage frequency

~

due to loss of grid is about 1 X 10 'er year.

3.7 Review of Summar and Conclusions The TP IPE submittal contains a section entitled Summary and Conclusions which accurately portrays the TP IPE results.

The core damage frequency from. internal events, following the implementation of the modification to supply service water to the charging pumps, is 1 X 10 'er reactor year. Dominant contributors include: Transient Induced LOCA' (56. 3%), and LOCA' (27. 8%) .

SGTR, ATWS, Transients, and Interfacing Systems LOCA's each contribute about 4%. Station blackout is not a dominant contributor at TP, due to the availability of four emergency diesel generators (EDG) and five blackstart diesel generators. The TP IPE indicates that the dominant sequence involving station blackout has a frequency of 2 X 10 'er reactor year; this sequence involves loss of the grid, followed by loss'f both EDG at the affected plant.and failure to supply power from the other plants EDG. No credit for use of the blackstart diesels generators was taken; if credit had been taken, the sequence frequency reduces to 5 X 10 '.

For TP ,station blackout should contribute less than 5% to overall core melt frequency initiated by internal events.

Internal flooding is not of major concern, due to the open

~

design of the plant.

Our audit of the front end indicates that the TP IPE was non-conservative for two types of accidents: MSLB and SGTR. As explained in sections 2.1.3 of this report, we recommend the following. The TP IPE should be revised to address both HHSI operation and operator isolation of feedwater for 'the MSLB event.

Consideration of these effects will increase the frequency of core damage; we expect that this increase will not change the overall conclusions of the TP IPE, but this should be verified by FPL. The success criteria for the SGTR event should be revised to agree with the actual modeling of the event sequence. The SGTR success criteria should address operator action to replenish the'WST and 32

the CST, and/or RHR/SDC should be modeled. These modifications are expected to have little impact on the TP IPE conclusions.

Overall, we believe that the TP IPE accurately reflects the core damage frequency and dominant contributors thereto.

4.0 AUDIT FINDINGS This section of the report summarizes the overall findings of the audit.

4.1 Overall Findin s 4.1.1 Responses to Review Team Questions The FPL staff were most cooperative in answering all of our questions associated with the front end of the TP IPE. They are proud of the effort put forward in this work. They answered our questions directly and honestly.

4.1.2 Unique Features and Plant Characteristics Section 3.6 discusses the unique design features of the TP site. In summary, those that impact the frequency of core damage are: gravity driven non-safety related service water for supply to charging pumps'; the use of three steam driven AFW pumps, with the availability of two non-safety related motor driven startup feedwater p'umps; the ICW can'be operated at full flow conditions without overcooling CCW, due to the location of the site; station blackout is unlikely since a total of nine diesel generators are available to provide onsite power; loss of HVAC is not of due to the open design of the plant; and, internal flooding major'oncern

,is not of major concern due to the open design of the plant.

TP consists of two nuclear units co-located with two fossil units. The potential availability of power from the fossil units to the nuclear units does not contribute to any significant extent to the IPE, as discussed in section 3.6 of this report.

4.1.3 Limitations and Weaknesses of the TP IPE This section summarizes our perceptions of those areas of the front end portion of the TP IPE which warrant improvement. Section 4.1.3.1 summarizes 'Items'hat we feel should be addressed by FPL in the IPE; Section 4.1.3.2 summarizes those 'Items'hat -we feel would enhance the TP IP, but which do not necessarily have to be incorporated into it. Those previous sections of this report which discuss these summary findings in more detail,=- are noted.

33

4.1.3.1 Items That Should Be Addressed by FPL The analysis of the MSLB event should include HHSI for boration, and operator action to isolate feedwater to the ruptured SG (section 2.1.3)

The analysis of the SGTR event should include actions to replenish the RWST and the CST to en'sure availability of HHSI and AFW for maintaining the plant at hot standby for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months (Section 2.1.3)

A calculation 'should be performed justifying the assumption that HVAC for the control room is not required (Section 2.1.5) 4.1.3.2 Items That Would Enhance the IPE Justification for screening blockage of flow through a fuel assembly should be p'rovided (Section 2.1.1)

Documentation of the plant modification that removed ICW valve CV2202 from operation should be included (Section 2.1.3)

The system dependency table in the submittal should have a -footnote indicating that heat sinks for the HVAC/ventilation systems are included in the detailed models for these systems (Section 2.1.4)

The success criteria for the HVAC/ventilation systems as described in the text of the system notebook, should be updated to agree with the actual success criteria used in the fault trees for these systems (Section 2.1.5)

Document that HVAC for the cable spreading room and computer room was not required in the final plant model (Section 2;1.5)

Add a method to ensure that all initiating event specific effects are considered when the functional event trees are used to analyze specific accident sequences (Section 2.1. 6)

Clarify that containment isolation, phases A 'and B, is fully automatic (Section 2.1.10)

Address core cooling for LOCA's with ECCS recirculation, but no containment cooling (Section 2.1.10)

Indicate .that no credit was taken for the containment filtration system in quantifying source terms (Section 2.1.10)

Address the following for internal flooding: circuit breaker coordination, loss of drainage, vulnerability of valve motor operators to water spray, and the recovery actions associated with ruptures in the circulating water system. (Section 3.3.3.8)

4.2 Si nificance of Limitations and Weaknesses Those limitations and weaknesses of the front end portion of the TP ZPE as identified by our audit, are summarized in Section 4.1.3. Three of these should be addressed by FPL for the IPE:

improvements to the MSLB model incorporating HHSI for boration and isolation of feedwater to the ruptured SG; inclusion of makeup to the RWST and the CST for HHSI and AFW, respectively, for the SGTR model; and, a calculation should be performed verifying the assumption that control- room cooling is not needed.

In our opinion, consideration of these items will not change the conclusions of the ZPE.

4.3 Inconsistencies with Other PRA's Zn our review, we identified items for which the TP ZPE differs from PRA's for other commercial nuclear power plants,[NUREG 1150] [NUREG/CR-5606)

The major differences are:

Station Blackout is not Dominant at TP Total, Nonrecoverable Loss of Main Feedwater is of Low Frequency at TP HVAC Failures are Not Significant at TP.

All of these differences were addressed in the TP IPE to our satisfaction. The relative small importance of station blackout can be attributed to the presence of four EDG's, and five blackstart diesel generators. The low frequency for nonrecoverable loss of main feedwater is'due to the plant design that isolates but does not trip main feedwater when primary temperature drops below HZP; the frequency assigned to this initiating event is based on plant data. Since many of the TP plant systems and components are located outside, HVAC/ventilation is not.as critical as it is at other plants.

4.4 Resolution of Unresolved and Generic Safet Issues 4.4.1 USZ A-45: Shutdown Heat Removal The TP ZPE has adequately addressed shutdown heat removal, including proper consideration of feed and bleed. We recommend that the TP IPE model incorporate the necessity for replenishing the CST to allow the use of AFW and steam relief at hot standby for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months ; inclusion of this requirement should not affect the overall conclusions. regarding decay heat removal.

4.4.2 Other Zssues Addressed in the IPE The TP IPE did not focus on any unresolved or generic safety issues, other than shutdown heat removal.

35

4.5 Identified Vul'nerabilities and Pro osed Fixes The TP IPE identified the dominant core damage sequence to be as follows: loss of all CCW followed by failure of charging pump B.

Without CCW, charging pumps A and C are lost due to loss of seal and lube oil cooling; charging pump B, the only charging pump with an alternate means besides CCW for seal/oil cooling, is lost as a direct failure in the sequence, for example, due to maintenance unavailability. Loss of CCW renders RCP seal cooling through outflow of primary water ineffective, as this water is too hot to cool the seals without the CCW heat sink. Loss of all charging pumps renders RCP seal water injection unavailable. A RCP seal LOCA occurs, which cannot be mitigated by ECCS injection since all ECCS pumps, HHSI and RHR, require CCN, which has been lost, for seal and oil cooling.

This sequence was addressed by implementing a plant modification allowing service water to be supplied as backup for CCW to all three charging pumps. This modification has already been implemented at TP, and the IPE estimated that it reduces the core damage frequency for internal initiating events from 4 X 10 1 X 10 'er reactor year. 'o 4.6 Dominant Contributors to Core Dama e The TP IPE identified the following as dominant contributors t.o core damage from internal initiating events, fol lowing the implementation of the modification to allow service water to be supplied as a backup for CCW to all the charging pumps: Transient Induced LOCA's (56%); LOCA's (28%); and SGTR, ATWS, Transients, and Interfacing LOCA's (about 4% each). The overall core damage frequency from internal initiating events is about 1 X 10~ per reactor year.

We agree with this assessment.

4.7 Summar of Audit The TP IPE front end analysis meets the requirements of the IPE Generic Lett'er 88-20. The submittal adequately addresses the issues of the Generic Letter. The onsite documentation for the IPE that is not part o f the submittal, is suf ficient and is well maintained.

The overall conclusions of the TP IPE are valid. We identified three items that should be addressed in the IPE, and they are given in section 4.1.3.1 of this report. Incorporation of these items should not change the results and conclusions of the IPE, but this should be verified by FPL. We suggested a number of enhancements to the IPE, as presented in section 4.1.3.2 of this report, but consideration of these is left to the discretion of FPL.

36

1. [Back End Step 2 Review Guidance] USNRC, "Draft Step 2 Review Guidance Document", (unpublished) .

2.. [FSAR) Turke Point Units 3 and 4 Final Safet Anal sis

~Re ott, Docket 50-250 and 50-251.

3. [IPE Generic Letter] USNRC, "Individual Plant Examination for Severe Accident Vulnerabilities- 10 CFR 50.54(f)," Generic Letter No. 88-20, November 23, 1988.

4, [NUREG-0611] Generic Evaluation of Feedwater Transients and Small Break Loss-of-Coolant-Accidents in Westin house-Desi ned 0 eratin Plants, NUREG-0611, January, 1980.

5. '[NUREG 1150) Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants, NUREG-1150, Vol.l, December, 1990.

6. [NUREG-1335]. Individual Plant Examination: Submittal Guidance, NUREG-1335, August, 1989.

7. [NUREG/CR-5606] A Review of the South Texas Pro 'ect Probabilistic Safet Anal sis for Accident Fre enc Estimates and Containment Binnin , T.A. Wheeler, J. L. Darby, et al, NUREG/CR 5606'ugus'tg 1991

'8. [SAIC Data] Generic Data Notebook for Commercial Nuclear Power Plant Probabilistic Risk Assessment, Stutzke and Gilbert, SAIC-163-90-00 Rev. 1, September 1990.

9. [Tech Specs] Turke Point Units 3 and 4 Technica'1 S ecifications, Docket 50-250 and 50-251.

10. [TP IPE Submittal] Turke Point .Plants Units 3 and 4 Probabilistic Risk Assessment Individual Plant Examination 9

ll. [WASH 1400] Reactor Safet Stud October, 1975.

12. [10 CFR 100] Part 100 of Title 10 of the Code of Federal Regulations.'7

APPENDIX A. SEA Letter Report IDENTIFICATION OF SITE VISIT NEEDS FOR TURKEY POINT John L. Darby, SEA Inc.-.

October 31, 1991 This letter report summarizes my questions related to the Turkey Point IPE submittal, that were not already covered by the previous questions prepared as a result of the tier 1 review; as of October 31, I have not seen the utilities response to these earlier questions. My recommendations on the site visit needs are based on both sets of questions.

UESTIONS The IPE includes HVAC systems as required support for numerous front line systems, as summarized in Table 3.2-4. Also, simplified schematics of the HVAC systems of importance are included in the IPE. The HVAC systems're complex and some of them are not safety related according to the USAR. Please provide details of the modeling of the HVAC systems. Also, please provide answers to the following detailed questions about the HVAC systems:

(1) Table 3.2-4 does not specify a heat sink for the HVAC systems. Why not?

(2) Table 3.2-4 indicates that DC power, auxiliary feedwater, instrument air, component cooling water, and intake cooling water do. not require HVAC. Verify that HVAC is not required for these systems.

(3) For HVAC systems using chilled water, provide the modeling of the refrigeration units.

(4) Provide details of operator actions related to operation of HVAC systems. For example, the IPE:states that HVAC for the cable spreading room should be, manually powered by an emergency diesel generator within one hour. Also, the IPE. states that the operator action is taken to control temperature in the DC equipment/inverter room.

(5) Why are no initiating events associated with HVAC systems failures?

The design of the CCW and ICW systems is such that nonessential cooling loads are isolated under design accident conditions. Based on the USAR, it appears that the ICW flow is throttled with flow, control valve CV2202 based on CCW temperature.

Please provide answers to the following questions:

How was isolation of nonessential CCW and ICW loads modeled?

(2) What is the demand failure for CV2202 to open on demand?

Is'his value based on plant data including surveillance 38

tests? ICW is a salt water system and CV2202 is not fully open during operation; has this been considered in assigning the failure number? If CV2202 is closed, how does this affect the success of ICW?

(3) Provide the models for operator actions associated with CCW and ICW for switching trains as necessary to ensure that the required number of CCW heat exchangers are in service during accident situations.

Please provide the model for quantifying operator action in switching ECCS from injection to recirculation, including piggybacking HHSI and spray recirculation off RHR as required.

The success criteria of Table 3.1-11 appear incomplete. For example, this table applies to main steam line break initiating events; however requirements for isolating the faulted generator with MSIV' and operator action to borate to maintain subcriticality below hot zero power are not in the table. Please provide a detailed description of the modeling for the steam line break initiating event. If the break-is upstream of the MSIV for the particular generator with the break, what are the requirements on runback/isolation of main feedwater and on control of auxiliary feedwater injection to the 'faulted generator to not overcool the primary before boration is accomplished? What operator actions are required to respond to this initiating event. and how were they quantified?

The success criteria for AFW (non ATWS events) is one AFW pump providing 375 gpm to one steam generator. The AFW flow .control valves are set for 125 gpm. Please provide a discussion of operator action as required to ensure adequate AFW flow to meet the success criteria.

Please verify that the RCP pump seals are not staged in operation (staging means equal pressure drop across each seal in series). [Westinghouse RCP 'seals are typically not staged; Byron Jackson RCP seals are typically staged.] Discuss the possibility for seal failure if bypass and leakoff are isolated.

Please provide the process used to screen the following initiating events: break in steam tube line supply to an AFW pump turbine, multiple steam generator breaks, instrument tube LOCA's, and localized core assembly flow blockage due to debris.

Given a small LOCA with no HHSI, was credit taken for depressurizing the primary with the ADV's on the steam generators to allow injection with the RHR pumps? If. so, please provide modeling details.

The IPE states that interfacing LOCA's in penetrations 12, 13, 14 and 15 were screened from consideration because they involve 39,

heat exchanger failures which are considered to leak before break; what is the basis for this assumption? Penetrations 14 and 15 are for normal charging and letdown; why were pipe breaks in these lines excluded from consideration as interfacing LOCA's? Do flow =

control orifices render the loss through breaks in these lines outside containment to be within normal makeup capability' Did the source term analysis take any credit for the containment filtration system? If so, please provide details.

Was credit for operator actions for containment isolation, phase A or phase B, taken in any accident sequence? If so, please.

provide details.

sprays)

Following a LOCA,

. is lost but if .containment cooling (fan coolers and recirculation to the vessel is available, please answer. the following questions:

If CCW cooling to the RHR heat exchangers is containment integrity maintained?

is available, (2) If CCW cooling to the RHR heat exchangers is not available, what fails first, the containment due to overpressure or the core recirculation system due to high temperature effects on equipment?

SITE VISIT During the site visit, I would like to tour the following areas:

'* Auxiliary EDG Building Building

Control Room

DC/Inverter Room

Power Switchgear Room

Intake Structure

AFW Structure.

I would like to talk to the following people:

Control Room Operator

PRA Systems Analyst

PRA Data Expert

Maintenance Personnel for Mechanical and Electrical Systems

Systems Engineers for HVAC, CCW, ICW, and IA.

The tier 2 information that I would like to review is that necessary to resolve the 'Questions'rovided in this letter report, and to resolve the questions previously identified by the tier 1 review.

40

ML17349A415

Text

1.0 INTRODUCTION

Navigation menu

Search