Provides Preliminary Response to Points Raised at IPE Info Meeting on 961217 Re Ipe,Per Gl 88-20.NUREG/CP-0132 Also Encl

ML18026A480
Person / Time
Site:	Susquehanna
Issue date:	06/23/1997
From:	Byram R PENNSYLVANIA POWER & LIGHT CO.
To:	NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
Shared Package
ML17158C187	List: ML17158C186 ML18026A480
References
RTR-NUREG-CP-0132, RTR-NUREG-CP-132 GL-88-20, PLA-4631, NUDOCS 9706260226
Download: ML18026A480 (39)
v • d • e

Text

CATEGORY 1 j REGULATOR> INPORMATION 6ISTRIBUTION dTEN (RIDE)

ACCESSION NBR:9706260226 DOC.DATE: 97/06/23 NOTARIZED: NO DOCKET ¹ E'ACEL:50-387 Susquehanna Steam Electric Station, Unit 1, Pennsylva 05000387 50-388 Susquehanna Steam Electric Station, Unit 2, Pennsylva 05000388

. UTH.NAMi'. AUTHOR AFFILIATION BYRAbl,R.~;. Pennsylvania Power 6 Light Co.

RECfP.NAME RECIPf'ENT AFFILIATION ~

Document Control Branch (Document Control Desk)

SUBJEXF; Provides preliminary response to points raised at IPE info 9712i7 meeting re plant IPE,per GL 88-20.NUREG/CP-0132 encl also.

DISTR'BUTION CODE: A011.D TITLE: Generic Ltr 88-20 re COPIES RECEIVED:LTR I Individual 'Plant Evaluations ENCL t SIZE:$ 3 +~

NOTES:

G RECiPIENT COPIES RECIPIENT COPIES l'5000387 ID CODE/NAME LTTR ENCL ID,CODE/NAME LTTR ENCL PDi-2 PD 1 1 POSLUSNY,C 1 1 INTERNAL: 1 1 AEOD/SPD/RRAB 1 1 1 1 NRR/DRPE/PD1-3 1 1 NRR/DRPM/PECB 1 1 NRR/DSSA/SPSB 1 -1 RES/DST/IPEEE 1 1 RES/PRAB 3 3 RGN 1 1 1 RGN 2 1 "1 RGN 3 1 1 RGN 4 1 ERNAL: LITCO-BRYCE,J. 1 1 NOAC 1 1 D

NRC PDR 1 1 NOTES: 1 1 N

NOTE TO ALL "RIDS" RECIPIENTS:

PLEASE HELP US TO REDUCE WASTE CONTACT THE DOCUMENT CONTROL DESKi ROOM OWFN 5D-5(EXT. 415-2083) TO ELIMINATE YOUR NAME FROM DISTRIBUTION LISTS FOR DOCUMENTS YOU DON'T NEED!

TOTAL NUMBER OF COPIES REQUIRED: LTTR 20 ENCL 20

l Pennsylvania Power & Light Company Two North Ninth Street ~ Allentown, PA 18101-1179 ~ 610/774-5151 Robert G. Byram Senior Nce President Generat/on and Cl>iefNac/ear Offlcer 610/774-7502 Fax: 610/774-5019 U.S. Nuclear Regulatory Commission Attn.: Document Control Desk Mail Stop P1 - 137 Washington, D.C. 20555 SUSQUEHANNA STEAM ELECTRIC STATION RESPONSE TO POINTS RAISED AT IPE INFORMATIONMEETING Docket Nos. 50-387 PLA-4631 FILE R41-2 anrI 50-388 This letter is intended to provide preliminary responses to points raised at the IPE information meeting December 17, 1996 regarding the Susquehanna SES IPE. The attached responses address the issues identified by Staff reviewers in their prepared slides as well as additional oral questions asked during the course of the meeting and noted by PP8'cL attendees. The format of the responses is a statement of our understanding of each of the NRC questions followed by the PP&L position.

It may be noted that to address the NRC concerns typically associated with the Susquehanna IPE, specifically those of human error modeling, common cause failure, and phenomenological completeness, PPAL contracted with an independent reviewer to perform a review of the Susquehanna IPE. This nationally known PRA authority reviewed not only the SSES IPE, but also the record of correspondence between our Staffs. The review concluded that the SSES IPE method, although different &om the norm, is consistent with the direction of GL 88-20 in that it provided insights regarding possible plant vulnerabilities and has, in fact, resulted in dramatic improvements to SSES robustness with regard to nuclear safety. However, the review suggests that appropriate sensitivity and uncertainty analyses be performed, with emphasis on human error and equipment common cause failure, to increase confidence in the IPE conclusions while providing your Staff

/

with an acceptable basis for acceptance of the overall work. We would appreciate Staff concurrence that a proposed effort involving such studies is a possible method of resolving our differences.

970b260226 970628 PDR ADOCK 0500Q387 e ."-I oooq

C

~,

0

FILE R41-2 PLA-4631 Document Control Desk AAer review of the attached materials by the Staff, PP&L suggests a meeting with the reviewers to answer any additional questions and discuss the scope, schedule, and focus of additional. work including the proposed human error/common cause failure sensitivity analyses.

Very truly yours, R.. Byr m Attachment copy: NRC Region I Mr. C. Poslusny, Jr., NRC Sr. Project Manager - OWFN Mr. K. M. Jenison, NRC Sr. Resident Inspector - SSES e

I' ~ s ~

I e

.9706260226 ATI'ACHMENTA TO PLA4631 Page 1 of 20 As Built-As 0 crated vs. IPE Basis I

I

1. To what extent were plant system walk downs and procedure walk throughs performed?

In particular, was a floodin walk down performed?

Plant walk downs were performed as needed to verify plant designs. Walk downs included: verification of primary containment vent pathway, location of CRD flow control skid, design of scram discharge volume and associated instrumentation, RHR system piping for susceptibility of water hammer. The primaiy containment was walked down with specific emphasis on severe accident concerns. NRC research personnel and their ORNL contractors accompanied us in this walk down to facilitate their work on the Containment Performance Improvement Program (CPIP). Walk downs were performed to verify implementation ofEmergency Support (ES) procedures, such as alignment of the fire main system for RPV injection, or alignment of the mobile generator. Walk downs were performed to verify inputs to HVAC models of the Reactor Building, Control Structure and the Emergency Service Water Pump House. Additionally, temperature measurements have been taken to verify assumptions concerning electrical cabinet internal vs. outside ambient temperature di6erences (PLI-71824).

In addition to walk downs by IPE personnel, the IPE was reviewed by plant system engineering personnel,-plant operations, and Licensed Operator training personnel to verify the veracity of the IPE model. The review process is summarized in Section 5.2 of the IPE and documented in PP&L recorded calculation EC-MSK-0513. Emergency Operating Procedures were walked down in the simulator and exercises were witnessed.

The later exercises were witnessed by EPRI personnel as part of EPRI's Control Room Operator Response Study.

A plant walk down was specifically performed for the internal flooding study. The results of this walk down are documented in PP&L recorded calculation RA-B-NA-031, Internal Rooding Analysis for the SSES IPE.

2. As SSES is a dual unit plant, were Unit to Unit interactt'ons examined?

Dual unit considerations were included in the Susquehanna IPE. The results are summarized in Appendix G, "Influence of Shared Equipment." The greatest impact of shared equipment is to reduce the conditional containment failure probability from 0.1 for a single unit to 0.01 when equipment is shared between the units. This is largely due to the ability to rely on either unit's DC control power to operate support systems and decay heat removal equipment.

ATI'ACHMENTA TO PLA4631 Page 2 of 20

3. 8%at is the status of the analytical studiesidentifiedin Section 6.3? Specifically, discuss the following three issues:

a) Addition ofthe wetwell vent to be actuatedin non-ATS'S events, when there is no core damage.

Procedures for venting the primally containment (ES-1/273-003/4) have been put in place for venting. These procedures utilize existing SGTS duct work. Since the SGTS vent duct is expected to M once the vent is opened, actions are speci6ed in the procedure, (Section 4.2) to provide a source of core cooling that is independent of equipment (mechanical, electrical and I&C) located in reactor building. It is PP&L's intention to address the issues raised by the NRC in their review of the BWROG Accident Management Procedures concerning primly containment venting. Therefore the venting strategy is currently under evaluation as part ofthe accident management implementation project.

b) ADS SRV control during isolation events.

Control of ADS SRVs during isolation events has been dispositioned. The disposition depends upon whether the reactor is shut down or not. When the reactor is shut down sufBcient time and facilities exist to dispatch an operator to either relay room to manually control the SRVs as needed. (The relay rooms are above and below the control room. All six ADS SRVs can be controlled &om either relay room.) This action is proceduralized and the operators are tested on its implementation (Job Performance Measure 6.00.009.103, Perform Manual Operation ofADS Valves &om Relay Rooms as Required by ON-1/200-109).

In failure to scram events the RPV water level is very sensitive to SRV actuations when the RPV water level is being controlled around TAF. This is due to the relatively small &ee area at that region of the RPV and mass lost when an SRV opens. This problem has been avoided by changing the level control band for ATWS events. Unlike the BWROG procedures which instruct the operators to control RPV water level between Top of Active Fuel (TAF) and 2.5 feet below TAF, the Susquehanna level control band is TAF (-161") to -60" (about 2 feet below the feed water sparger) with a target band of -110 to -60. Using the procedure the operator has a 101 inch control band. Additionally the RPV &ee area in the PP&L target control band is about 300 R compared to 88 ft at TAF and 15.6 ft 2.5 feet below TAF. Since the level response is inversely proportional to the free area, the PP&L procedure is much less responsive to SRV actuation than the BWROG procedures. The PP&L procedures have been approved by the NRC who have urged other BWRs to adopt our level control procedure.

c) LOCA load shed aiidhigh drywellpressure isolation.

ATTACHMENTA TO PLA4631 Page 3 of 20 Several studies (e.g. EC-004-0522 provides bases for loading the D condensate pump and includes references to other work) were performed to evaluate plant voltage response to a LOCA signal. As a result of this study the Aux load shed scheme was modified to allow the operators to reload the D condensate pump on to the Aux bus and inject water into the RPV for vessel injection.

4. Have all improvements creditedin the IPE been implemented? Ifnot, what is the effect ofthose not implemented on the Core Damage Frequency? (e.g., raising the suppression pool level to extend time to HCTL'/)

All the improvements described in the IPE, plus additional modifications, have been incorporated into the units with the exception of the modification to the HPCI suction transfer logic. This modification will be installed in the units during the next refueling outage. Additionally, instead of adding a power supply to the condensate transfer pump, water hammer concerns have been alleviated via procedure changes and a second diesel fire pump is used to provide a backup source of low pressure water for extended SBO.

The impact of these modifications on the calculated core damage &equency has been evaluated using NUREG-1150 Peach Bottom analysis. The accident sequences and cut sets described in NUREG4550 were amended to include the Susquehanna modifications not incorporated in the NUREG-1150 Peach Bottom design. As an example, a switch was installed to allow the operator to bypass the Rod Sequence Control system (RSCS) during ATWS events. Bypassing the RSCS allows the operator to manually insert control rods during ATWS. This method, as described in the attached Water Reactor Safety Information Meeting paper, represents a success path that is diverse &om SLCS and was installed at Susquehanna to satisfy the severe accident defense in depth criteria described in the IPE. NUREG-1150 data and models were used in the sensitivity study when available to ensure modeling difFerences were not responsible for the risk reduction. This sensitivity study was reviewed by Dr. William Vesley. As shown in this sensitivity, the additional modifications made to the Susquehanna Plant significantly reduce the calculated core damage &equency. This sensitivity study is attached to this response.

Human Reliabili Anal sis A. Pre-initiator Human Errors

5. Pre-initiator human errors can lead to common-cause failures of important equipment; such failures will not be identified without a careful examination of plant practices. The SSES IPE assumed that equipment failures include the contribution of human errors performed during normal operations. It was not demonstrated that a systematic examination ofplant procedures and practices was performed to conPrm the applicability ofthe assumption. In particular, discuss how the followingissues were addressed during the development ofthe SSES IPE.

jl ATl'ACHMENTA TO PLA4631 Page 4 of20 Fere the maintenance, test, and calibration procedures for the systems and components reviewed by the IPE analyst? Did the reviews include discussion with operations and maintenance personnel?

Errors which lead to equipment unavailability or initiating events are incorporated into the equipment reliability blocks. The general method used to address these failures is provided in Section 2.3.6. Specific data is located in PP&L recorded calculation RA-B-NA-033, Analysis of Component Outage &

Failure Data for Use in the SSES IPE. This calculation is 3079 pages long and can be reviewed at the PP&L corporate ofHces. An example fiom this calculation is provided as Attachment B. In this example, the human error associated with test and maintenance is "incorrect fuses were removed, resulting in Unit 1 HPCI inop." Unavailability associated with these types of operator errors are accumulated for each reliability block and incorporated into the accident sequence fiequency calculation. Such errors are monitored as part of the company's condition report program. When they occur, corrective actions are taken.

In addition to the review of plant records to identify when such errors occurred, procedures were reviewed when the IPE analysts deemed it appropriate.

Discussions with plant operations and I&C engineers were performed to understand fiequency of testing and maintenance practices. Additionally, operations, systems engineers, maintenance and training personnel reviewed the IPE and provided many comments, including corrections/additions to equipment modeling. Examples of pre-initiator analysis is provided below.

Pre-initiator human errors were identified in the NUREG-1150 Peach Bottom analysis as dominant contributors to Mure of SLCS and the Low Pressure Permissive (LPP) circuit. For the IPE, PP&L test and maintenance procedures were reviewed for these systems (RA-B-NA-033 for SLCS and the LPP and additionally IPE Section C.6 page C-132) due to their importance. Failure to restore SLCS was not found to be a big contributor for SLCS. A common cause couple of 0.01 was assigned to the low pressure permissive to account for possible pre-initiator human errors.

In addition to the evaluation of potential pre-initiator errors that would render these systems failed, modifications were installed that allow the control room operator to recover fiom these or other errors in these systems. For example, a switch was installed which allows the operator to bypass the RSCS and manually insert control rods (MM) in case of ATWS. MRI is diverse to the SLCS system and is proceduralized and is initiated independent of the status of SLCS. A switch was also installed which allows the operator to bypass the failed low pressure permissive circuit. These modifications were motivated by

ATI'ACHMENTA TO PLA4631 Page 5 of20 the HRA method employed by PPM. (see attached HRA paper presented at the ARS conference.)

In summary, the Susquehanna analysis evaluated identical errors as NUREG-1150, however modifications were installed at Susquehanna to ameliorate the impacts of these errors. The modifications were installed to comply with the defense in'depth criteria that the Susquehanna IPE is based upon.

Pas the use in some cases of plant specific rather than generic data appropriatelyj Mified?

Outages of equipment for all causes, including human error, was obtained &om plant records. This included errors &om improper implementation of the maintenance procedure as shown in the attached HPCI example. In some cases, as in the case of the low pressure permissive, a common cause failure was assigned to equipment to account for errors such as mis-calibration.

Assignments of plant specific failure rates, including human error, are based on the plant data itself, supplemented by review of appropriate procedures or prior analysis. In the case of the low pressure permissive, initial work was performed by NUS corporation. Their initial estimate of failure of the LPP was 10

/demand. This value was reduced by a factor of 10 in the IPE for the following reason:

A key assumption in the NUS analysis was that all 4 switches were the same. In reality two different pressure sensors are used, a bordon tube and a diaphragm.

Due to the difference in device types, separate procedural steps and tables are used for the bourdon tube and the diaphragm devices. Therefore they are less susceptible to common cause failure due to calibration error.

8'ere recovery factors applied to pre-initiator human error? Ifso were the recovery actionsj ustified?

No credit was taken for recovery of failed equipment for any reason, unless explicitly stated. The equipment available for recovery includes: Offsite Power, Diesel Generators, and TBCCW. Additionally, credit was taken for manual aligning MOVs after loss of AC motive power (e.g. during SBO). The probability of recovery of this equipment is based on the length of time available and the type of recovery action anticipated (opening a valve vs. re-building a pump). Probability vs. time relationships are obtained &om either plant maintenance data or &om NRC NUREG/CRs -2886, 3154.

B. Post-initiator Human Errors

1 P k

ATTACHMENTA TO PLA4631 Page 6 of 20 A fundamental assumption in the Susquehamuz IPE is that the operators willenter and follow procedures. 8%at impact does this assumption have on: the core damage and containment failure frequencies, and the lessons learnedPom the IPE analysis?

The rational for this assumption is provided in the attached paper on PP&L's HRA method that was recently presented at the Advanced Reactor Safety Conference. If one assumes that the operator fails to follow procedures, then the outcome of this error is unknown. However, one could make a credible argument that the plant damage &equency is on the same order as the procedural error probability. As an example, failure of the operator to follow the procedures to place the mode switch in shutdown and start suppression pool cooling will result in containment failure for all reactor trips. Ifthe procedural error rate is determined to be 10'hen the plant damage &equency willbe on the order of 10', since the trip &equency is about 1 per year.

Note that the SSES assumption of strict procedural adherence applies only to the scram procedure and EOPs. These are the relatively few, simple, symptom based

'rocedures which are flow-charted on large boards in the control room and on which the operators are regularly trained and tested. Correct use of these procedures is an integral part of NRC requalification testing and a necessary condition for maintenance of operators'icenses. Based on the experience at SSES, strict procedural adherence to EOPs is justified.

Errors associated with procedure executionwere generally modeled as equal to 0, I, or on the order of the equipment failure rate. Thisis a non-standard method of modeling human error. Provide the bases for the approach taken in the IPE, Additionally, what impact does using more conventional human error probabilities have on: the core damage cvuE containment failure frequencies, eve the lessons learnedPom the IPE analysis?

The basis for this is described in the attached paper presented at the Advanced Reactor Safety conference. A summary ofthe rationale follows. The HRA approach used by PP&L has a requirement, that the human error probability be on the same order as the equipment failure probability. Ifthis is not the case, then modifications to either the plant, procedures or training program are performed until this goal is achieved. It is for this reason that Susquehanna's EOPs are, for many key operator actions, significantly different than the standard BWROG EOP. This point is illustrated by the following Table. The procedure steps identified in Table 5.1 of NUREG-1560 DRAFT'ere found to be important in many BWR IPEs.

Modifications to the plant, procedures or training programs have taken place to reduce the significance of these steps at Susquehanna. These actions are described below.

ATTACHMENTA TO PLA4631 Page 7 of 20 Action Modification to Address Step or Assumed Operator Error Probabili Perform Manual Removed ADS inhibit step fiom RPV Control procedure ressurization Therefore lant blowdown is automatic.

Containment Venting Assumed vent Ms during ATWS since time is insufficicnt to perform vent, and aAer core damage due to the undesirability to rcleasc fission products. Assumed 10% Kilure of vent due to corn lexi ofventin issue.

Aligning Containment Assumed operator as reliable as equipment based upon Cooling the routine nature of action and the length of time available to initiate containment coolin .

Initiate Standby Liquid Modifications to the plant design and procedures extend Control the time to initiate SLCS &0m several minutes to 40 to 60 minutes. See Sensitivity 1 in the attached NUREG 1150 scnsitivi stud .

Level Control During Susquehanna's level control band is 40 to -161 (Top of ATWS Active Fuel is -161) with a target of -110 to -80, rather than the BWROG band of -161 to

-191. Scc Sensitivity 1. Calculations demonstrate level control is not required during ATWS given our level control band. The recent NRC SER on ATWS stability changes urges other BWR utilities to adopt our level control band.

Align/Initiate Altematc Modified the plant to facilitate alignment of alternate Injection Systems injection systems and reduced the probability of their uircmcnt. Sce attached Sensitivi 2.

Recover Ultimate Heat Developed a procedure to use RWCU to perform decay Sink heat removal. %Ms application of RWCU is fully capable of nmoving decay heat while maintaining the lant Ivlthl11 desi aramctcfs.

Inhibit ADS Step removed &om RPV control procedure, ATWS level is controlled above ADS initiation set int.

Miscalibration of Prcssure PP&L installed a bypass of the low pressure permissive Sensors that allows the control room operator to quickly bypass miscalibrated switches. Sce response to question Sc and scnsitivi 4.

Initiate Iso Condenser NA Control Feedwater on Loss Fccdwater lost on loss of IAat Susquehanna.

of IA

ATTACHMENTA TO PLA4631 Page 8 of 20 Action Modification to Address Step or Assumed operator Error Probabili Manually Initiate Low Automatically initiate on -129, no operator action Pressure Core Spray required.

S Provide Alternate Room HVAC calculations show that alternate cooling not Cooling for Loss of HVAC necessary, beyond opening approximately 12 equipment cabinet doors.

Recover Injection Systems No credit for recovery of injection systcins, unless loss is caused b loss of AC wer and AC wcr is recovered.

Note that a recent independent review of the SSES IPE suggests further sensitivities be performed to judge the impact of varying human error on IPE results. PP&L plans to perform these additional sensitivities.

8. Other IPEs have identljied operator actions that must be performed under moderate to high time requirements or stress. Human error probabilities are generally adjusted in these situations using performance shaping factors. Such performance shaping factors were not discussed in the 'Susquehanna IPE Explain how performance shaping factors were accounted for in the SusquehcvmaIPE cvtd what

&nyct they have on: the core damage rvul containment failure Pequency ar4 the lessons learnedPom the IPE analysis. l.

The evaluation of operator performance, and how it is impacted by factors such as moderate to high time requirements is discussed in the attached paper on human reliability presented at the recent Advanced Reactor Safety meeting. The general approach to this potential source of operator error is to modify the equipment, procedures, or training to eliminate or reduce the source of stress until the desired performance is achieved, rather than that to accept larger operator errors caused by time induced stress. Two examples of this process appropriate to this issue are provided in this paper. The first deals with SLCS initiation and the second deals with realignment of the HPCI suction source. Initially the failure rate for SLCS initiation in 2 minutes was estimated to be 0.65 based upon simulator measurements. After significant procedure modification, derived from requirements of the procedural and interface defense in depth criteria, the SLCS initiation error rate was reduced to the order of the SLCS equipment failure rate or less. In the second case, transfer of the HPCI suction source to the CST represents a potentially high stress action due to time and environmental considerations. The plant is being modified to remove this action.

i~

Pr f

ATI'ACHMENTA TO PLA4631 Page9of20 In summary the approach to performance shaping factors was to identify those conditions which increase the operator's propensity towards error and to remove them. Procedure reviews, simulator exercises and operator interviews are used to identify these sour'ces of error. For the'IPE, performance shaping factors are essentially determined, and reduced to acceptable values, ~durin the analysis. That is, instead of reporting the high performance shaping factor and leaving it as an artifact in the IPE results, the PP&L risk management process, including satisfaction of defense-in-depth, requires that the positive safety changes needed are both identified and incorporated into equipment, procedures, and training. The IPE results then reflect the desired operator performance, based on incorporating the required improvements.

Provided a erplanation (or basis) for the times assumed to be available to perform an action.

The times available to perform a particular operator action were derived fiom transient calculations. The times are provided in Tables in Volume 4 of the IPE. As an example Table F.1-4 presents times various actions must be complete to avoid a particular event tree transition. The time required to perform time critical actions was obtained from simulator exercises or based upon interviews with operations.

IO. How were dependencies among human actions considered? In particular, discuss the influence ofthe accident atQprevioushuman failures on human performance.

Complete dependence between functionally equivalent steps is assumed. As an example, ifthe operator fails to initiate SLCS, on the mistaken belief that no ATWS exists, then there is no reason to expect the operator to manually insert control rods either. Failure to recognize ATWS necessarily implies that the operator fails to recognize the position of the control rods since the ATWS symptom is, a valid scram signal and more than one rod greater than 00". On the other hand, if the operator assigned to initiate SLCS is slow at executing the SLCS initiation procedure, this should not impact the ability of the operator assigned to drive control rods to successfully complete the procedure. These are diverse methods of accomplishing reactivity control and precede independently once the existence of ATWS is understood.

These issues of dependence and performance shaping factors are discussed in the attached paper on HRA. They have been dealt with using a combination of deterministic and statistical methods to answer the following questions:

N g

I t I 1 l

ATTACHMENTA TO PLA4631 Page 10 of 20

1. Does the operator understand the status ofthe plant?

2. Given that the plant status is understood, does he know what to do?

3. Given 1 &, 2, what are the odds of successful EOP execution?

Questions 1&2 concern the non-algorithmic mental process of understanding.

Therefore, PP&L relies on deterministic methods to evaluate them. Question 3 is amenable to statistical analysis. Therefore, simulator exercises are used to develop probability of response as a function of time curves for time limited operator actions.

Essentially we assume that ifan operator fails to perform an action because he has no idea what the plant status is or what to do, core damage and containment failure are assured. We fully recognize that an operator may intend to perform a correct action, but be unable to do so because of lack of time. This method has been used to identify and resolve deficiencies in the plant operating procedures and the operator interface.

11. Failure probabilities for actions related to AT0'S were assigned values ranging Pom 0.0 to 10 . Provide the basis for the human error data used for the ATWS model as well as other operator actions creditedin the Susquehanna IPE The basis for the human failure probability is presented in the attached paper presented at the recent Advanced Reactor Safety Conference.

12. In the ATHS analysis, why did PPcfcL use and what is the impact of assuming the human error probability of 1.0 for mamial scram aiidprimary containment venting?

What is theimpact ofthese assumptions?

There are always at least two diverse trip conditions present when a scram signal is generated. Therefore any failure to scram is dominated by either failure of the scram relays or undetected blockage of the scram discharge volume. A manual scram will not rectify either ofthese conditions. There is insufBcient time to reliably execute the venting procedure during ATWS, and the containment vent is insufBcient for removing the large amount of energy deposited during the at-power conditions of ATWS. Therefore no credit was taken for either ofthese actions.

13. Equipment repair in a PEA is typically limited to the recovery of offsite power for which there is adequate experience in nuclear power plants as well as established procedures and training. The success of equipment repair depends on many important plant-specific factors such as the type of failure, time needed for diagnosis, time needed for repair (which may range Pom a very few hours to several days), crew completing tasks under diferent accident conditions, aitd crew availability. The IPE takes credit for repair or recovery of components other than diesel generators (e.g., pumps and valves) without providing an adequate basis.

ATI'ACHMENTA TO PLA4631 Page 11 of20 Recovery actions are assumed to be perfect. Discuss hoiv these factors have been takeninto cottstderationin the SSESIPE recovery actions Credit for repair of equipment was taken in the Susquehanna IPE only in those instances where such credit could be justified. Specific cases are: diesel generators, offsite circuits, TBCCW pumps and valves. Additionally, credit was taken for manual alignment of equipment. Credit for manual alignment of equipment is necessary when incorporating the information identified in Supplements 2 & 3 of GL 88-20 since many of the proposed actions are designed to mitigate SBO sequences.

No recovery action was assumed to be perfect.

Diesel generator recovery data is discussed in Section C.2.2.3. This recovery data was developed &om plant data and represents the probability of recovering a diesel as a function of time. Additionally, credit was taken for tie in of the E diesel into the appropriate bus. Aligning the E diesel is procedurally controlled and a routine occurrence at SSES. The alignment consists of 3 breaker manipulations. Emergency lighting is available in the diesel bays to perform the alignments.

Credit was taken for repair of the Turbine Building Closed Cooling Water (TBCCW) valve and pumps. The discussion appears on pages F-10 & F-11. An exponential repair model was used with a 12 hour1.388889e-4 days <br />0.00333 hours <br />1.984127e-5 weeks <br />4.566e-6 months <br /> delay before repair was assumed to begin. The Mean Time to Repair (MITR) for the valves was obtained &om NUREG/CR-3154.

The MITRfor the pumps was obtained from NUREG/CR-2886.

Credit was taken for recovery &om off'site circuits. The Loss of Offsite Power (LOOP) model is discussed on pages F-5 through F-9 and based upon NUREG-1032. Specific recovery curves for each cause of LOOP are based upon NUREG 1032 analysis and were obtained &om the NRC during September of 1985.

Additionally, credit was taken for performing the accident management measures identified in Supplements 2 and 3 of GL 88-20. In many cases these accident management strategies require that the operator manually stroke a motor operated valve. Thefailurerateusedforamanualvalve, "failsto operate" was1x10 . This value was obtained &om NUREG/CR-2728.

Plant modifications have been performed to eliminate operator actions in which the operators success rate may be less than equipment performance. These modifications were required to satisfy the PP&L Severe Accident Defense in Depth Criteria (see the Integrated Risk Reduction Study). Two examples follow.

A valve with a hose attachment was installed onto each division of the RHRSW piping. With this valve installed, the field operator need only connect one end of a pre-staged fire hose to the fire hydrant and the other end of the hose to the valve installed on the RHRSW piping. Fire water can then be injected into either the RPV

ATlACHMENTA TO PLA4631 Page 12 of 20 or the drywell by manually opening four valves. Two Geld operators perform this task per ES-013-001. The operators are periodically trained and tested (Fire Protection System Crosstie To RHR; ES-013-001 From Control Room is JPM 9.13.001.101; Fire Protection System Crosstie To RHRSW, ES-013-001 At ESW Pumphouse, is JPM 9.13.001.002) on this evolution. The tie-in procedure takes approximately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br /> to perform 'and operators have at least 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> available (SBO) fiom the initiation of the procedure until fire suppression system injection is required.

The valves are tested as part of the ISI program and the cross connect piping has been x-rayed to verify no sludge buildup. Therefore, we are confident that the operator can successfully perform this evolution. Prior to this modification the operator had to remove a blind flange &om the RHRSW piping and install a flange with a valve. The operator would have to either let the piping system drain, which could require many hours or install the flange with water flowing out the opening.

Neither prospect had a high confidence for success. Therefore, in order to satisfy the Interface Defense in Depth Criteria this modification had to be performed.

The second example involves failure of the ECCS low pressure permissive. Failure oftwo RPV pressure channels (sensors, transmitters, switches, etc.) will prevent all 4 ECCS injection valves &om opening. Should this event occur following a RPV blowdown, the control room operator would have to dispatch a field operator to a core spray valve gallery and manually open a core spray injection valve. This action must be performed within about 10 to 20 minutes depending on the event to prevent core damage and 2 to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br /> to prevent vessel failure. The likelihood for success, especially at preventing core damage, is low. Therefore, a low pressure permissive bypass switch was installed in the control room to allow the operator to override a failed signal. Therefore, the likelihood for success is high.

14. Discuss the connection between all procedural improvements made ajuf the IPE cvulysis results.

The previous answers address this question. Further, the impact of procedure changes on the core damage &equency cannot be segregated &om physical improvements made to the plant since many of the hardware changes were made to enhance operator reliability. See the attached NUREG-1150 sensitivity study.

15. Discuss why the risk achievement worthsfor some actions are in excess of 10,000.

Three actions are identified in IPE Volume 6 which have risk achievement worths greater than 10,000. They are: entry into EOPs,'hrottle feedwater flow, and initiate suppression pool cooling. The consequences of failing to enter the EOPs is assumed a priori to be core damage and containment failure, as discussed above. Failing to throttle FW flow in ATWS creates conditions of high power and core thermal-hydraulic instability leading to core damage. Failure to initiate suppression pool cooling eventually causes containment failure. Note that all these are manual in

ATTACHMENTA TO PLA4631 Page 13 of 20 nature. Failure of the operating crew to perform these actions will result in either core damage or containment failure. In all other actions there are alternate means of accomplishing the function, thus these actions have lower RAWs.

F~dA d

16. The ojbective of Common Cause Failure (CCF) analysis is to examine the plant to identify cvuE quantify CCF events that have occurred or have the potential to occur. Use ofplant specific data identifies only those CCFs which have occurred to date. 8%at analysis and evaluation has been performed to evaluate CCF that have the potential to occur? This shouldinclude CCF due to maintenance (including equipment calibration),

design, tmdwearout. CCFfor the emergency diesel generators batteries attd other DC power components, HPCI and RCIC valves, condensate and RHR pumps, and the ESW system needs to be includedin the SSES IPE.

CCF is specifically included in the IPE where applicable (Reference Table 2.2.1 of Volume 6). The CCF contributions are derived Rom both actual data and &om engineering judgment applied to other reported CCF results. EDG start data Rom SSES was examined for CCF contribution. Because approximately 3600 starts of these EDGs have been recorded, sufBcient data exists at SSES to provide confidence in our CCF couple for the EDGs. No battery failures have occurred at SSES and for this reason industry data was examined to determine an appropriate CCF couple. Perhaps most important, where significant potential CCFs have been discovered, they have been eliminated (e.g. low pressure vessel injection permissive).

Because the equipment used at SSES has been regularly monitored, maintained, tested and/or used during operation for approximately 20 years, the potential for CCF &om design misapplication and wear-out is judged to be minor. Maintenance should also be sufIicient to detect "new"/unanticipated failure modes (e.g. microbial deterioration of stagnant piping, zebra mussle intrusion, etc.) Thus, CCF is expected to be dominated by errors introduced during maintenance, that is, by inadvertent human error. Such errors may arise through inadequate time, training, or procedures. These types of errors were not quantified in the IPE. However, recent discussions with INC maintenance personnel at SSES indicate that gross miscalibration errors of multiple equipment has never occurred at SSES. Regardless, a recent independent review of the SSES IPE recommended sensitivity studies be performed to evaluate the impact of various "human error" CCFs on the IPE results. PP8cL plans to perform these additional sensitivity studies and report the results.

17. Failure data ofsome important systems (e.g., HPCI, RCIC, and Fire Pump) are lower by a factor of5 to 1000 compared to generic or NURI:G!CR-4550 data. Provide a basis of how SSES procedures, practices, or equipment justify this difference. In addition, explain why some failure types are omitted (e.g, ESP'failure to start or DG failure to

0 ATlACHMENTA TO PLA4631 Page 14 of20 run). 0%y do some blocks ofsimilar components have the same failure rate as blocks of dissimilar components?

The general approach to equipment failure data is reviewed in IPE Vol. 3 Section C.1.

Specific treatment of diesel generators is presented in Section C.2. DC power components are presented in Section C.7. PP&L developed equipment failure data &om in-house records. Generic data was used when in-house records were insufncient to develop meaningful statistics. A comparison of Susquehanna specific data with other IPE sources shows that in some instances the Susquehanna data is lower, e.g., core spray pump fails to start; 6.4 x 10 for Susquehanna vs. 3.5 x 10 for generic, sources and in some instances, the Susquehanna data is greater, e.g., Loss ofDC Bus Initiator, 0.026 for Susquehanna and 0.0015 for Limerick.

The process used to develop the in-house data base is based upon the SAIC proprietary document "How to Formulate and Use a Probabilistic Safety Assessment Data Base",

provided under contract to PP&L fi'om SAIC. The actual data development was performed in collaboration with the Idaho National Engineering Laboratory as part of the "Integrated Risk Assessment Data Acquisition Program" which was sponsored by the NRC. PP&L provided failure records to INEL. INEL provided PP&L with a DBASE data base and program to compute unavailabilities.

Failure data for each reliability block is presented in Volume 2 by system. Both failure on demand and failure to run is presented. For standby systems, the failure probability used in the PRAC calculation was a combination of the failure on demand probability and the failure to run probability; p = pd + XT. This is a standard method of combining probabilities. This may cause confusion, however, because entries for both standby and operating equipment appear in the PRAC input. A value of 6.9 x 10 was used for the probability of an ESW pump failure. Specifically, the ESW data can be found on A-181 and F-47. Using the above equation, the failure probability for ESW pump is computed below.

p=pd+XT=3.4x10 +(4.8x10'/hr) x72hours=6.9x10'iesel generator failure to start as wen as run was accounted for in the IPE. All diesel failures are listed in Vol. 3 Section C.2 Table C.2-1. When computing the failure probability, all failures were assumed to occur at the time of the LOOP. This is conservative since it increases the probability of SBO.

Providejustification for the followinghypotheses usedin the SSES IPI':

A ZWS calculations predict, in mad cases, core damage but no core melt, Calculations ofloss ofHVACin the control building appear to neglect the potential new failures that may come to play at elevated temperatures,

ATlACHMENTA TO PLA4631 Page 15 of 20 Procedures to increase the suppression pool inventory to prolong the time until HCTL are based onin-house calculations but are counter to BPZOG EPGs.

Responses to each question are provided below:

ATWS calculations predict, in most cases, core damage but no core melt The most likely cause of damage during ATWS is due to large reactivity insertions not loss of cooling. There are a multitude of systems for achieving vessel water injection at SSES. Several of these (e.g. LPCI, CS) require vessel depressurization for success.

However, vessel depressurization during ATWS 'puts the BWR core into thermal-hydraulic instability, with the potential for severe power spiking. This spiking can result in clad rupture and local melting, but not global core overheat and meltdown. Thus, ATWS fuel failures are expected to result more in gap release than overheat/melt release of fission products. The large insertions of reactivity during ATWS which could result in clad rupture and localized melting have been observed in calculations performed by General Electric using their TRAC-G code (NEDO-32164, Dec 1992). ATWS calculations performed using the PP&L SABRE code identified this potential form of core damage during the 1989 to 1990 time fiame as part of the industry efForts to deal with reactor thermal-hydraulic instability issues. Therefore this form of damage was included in the Susquehanna IPE. We are unaware if other IPE's have accounted for this form of damage.

Calculations of loss of HVAC in the control building appear to neglect the potential new failures that may come to play at elevated temperatures.

Calculations for loss of control structure HVAC show that the I&C equipment is expected to function adequately for the 72 hour8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> mission time of the IPE. The temperature response to loss of HVAC is a gradual increase, not an immediate shock. Temperatures remain within their EQ envelopes for hours after the onset of any accident with loss of HVAC. It is recognized that increased temperatures may cause increased drift in instrumentation/monitoring electrical equipment. However, the equipment used to cope with accidents does not rely on fine control for successful function. For example, the equipment used for vessel injection and decay heat removal (pumps and valves) are typically started/opened and then require no further operator interaction. Large control bands are specified in procedures (e.g. vessel level is controlled between -161" and +54").

High pressure vessel control is limited by mechanical springs on SRVs, and low pressure after blowdown is not specified. Rod position indication is not required, other than control rods be fully inserted. Thus, while increased control structure temperatures may cause problems for routine power operation, such temperatures are not expected to significantly hinder response to reactor accidents.

Procedures to increase the suppression pool inventory to prolong the time until HCTL are based on in-house calculations but are counter to BWROG EPGs.

ATI'ACHMENTA TO PLA-4631 Page 16 of 20 Procedure to increase mass is consistent with the BWROG EPG Rev. 4. Mass addition to the containment is only limited by the Maximum Primary Containment Water Level Limit (MPCWLL) which is 49 feet at Susquehanna.

B~k- dA d I9. Following containment failure, the SSES IPE assumes that core damage can be prevented by utilizing the diesel driven fire pumps and opening the SRVs with the aid of the mobile diesel generator to supply DC power to reactor building components.

Discuss the consideration that was given to the consequential damage to, for example, the HPCI, RCIC and ior core injection lines due to the containment failure arid a hot suppression pool. Also, explain how operators can align the required equipment locally under these extreme conditions.

Containment failure by itself is considered a form of plant damage in the Susquehanna IPE. Events that result in containment failure prior to core damage were not analyzed beyond containment failure. However Susquehanna procedures include steps to align systems external to the reactor building to provide for RPV injection prior to loss of containment integrity to enable the operator to respond to containment failure. These procedures were instituted due to the lack of confidence that reactor building equipment willreliably operate after loss of containment integrity.

Alignment of required equipment located in the reactor building is performed prior to containment failure. All reactor building actions are to be complete prior to the containment pressure exceeding 65 psig. Containment failure is not expected until 140 psig. Therefore the reactor building environment is not extreme when the actions are taking place. After containment failure, the only equipment required operable in the reactor building is piping and already open valves. HPCI and RCIC are not considered operable after containment failure. Because the injection source for the fire suppression water used for vessel injection is external to both the reactor building and containment, there is no impact on injection &om a hot suppression pool.

20. How were the impacts of uncertainties associated with in-vessel aiid ex-vessel recovery modeling included in the IPE results? Were sensitivities performed? Some vulnerabilities (diie to uncertainties in code prediction, procediire descriptions, and operator actions) may not be identifiedfrom the PPcK methodology.

In the 1986, the FAI company performed calculations for PP&L to address invessel debris recovery using the MAAP 3B computer code. These calculations demonstrate that given the MAAP modeling, vessel failure will occur 30 minutes aAer the initiating event.

PAL first reported a conditional probability of vessel failure given core damage of 0.3 in our IDCORE IPE (1986). This value of 0.3 was derived by first determining a success

ATI'ACHMENTA TO PLA4631 Page 17 of 20 I

criterion for terminating the damage progression in vessel and assessing the probability of satisfying that criterion. The criterion established by FAI associates was to restore injection prior to the peak core node exceeding 3000 'F. However MAAP was designed for evaluating source terms rather than examirnng the in-vessel damage progression with the goal of terminating such damage.

Because of this inability on the part of MAAP, PP&L contacted the NRC via a letter on 8/3/87 concerning the possibility of terminating the damage progression in-vessel. In this regard PP&L received the BWRSAR code developed by ORNL under contract to the NRC. BWRSAR is speci6cally written to model the in-vessel core damage progression for the BWR. Based upon BWRSAR calculations (and corroborated by recent MELCOR calculations) core damage will be terminated in vessel provided that the bottom head doesn't dry out. This result is corroborated by experimental results reported in NUREG/CR-6133, "Fragmentation and Quench Behavior of Corium Melt Streams in Water" (See the response to question 21 for discussion of ex-vessel phenomena.)

Although no sensitivities were performed on the details of the core damage progression per se, that is, in terms of re-writing the computer coding, sensitivity analyses were in efFect performed during the construction of the BWRSAR input. For the IPE, hundreds of BWRSAR runs were performed. Where results did not match expectations, input and coding details were examined, in consultation with the code developers, to understand the interactions and to improve the input data. Thus the BWRSAR calculations are judged to be the most accurate reflection ofthe BWR core damage progression available.

2I. How was the impact of major containment phenomena such as high-pressure melt j

eectiow'direct containment heating eve steam explosions included in the IPL results?

Discuss the effects of ex-vessel debris coolability (e.g, documentation of the geometric details ofthe cavity configuration tojustify assumptions ofeoolable debris bed).

Phenomenological Bases for the Safety Function Success Criteria The phenomenological bases for the success criteria for the core, vessel and containment are provided in Appendix E and in Volume 6. These success criteria address the most likely causes of core, vessel and containment failure. EQort was directed at deriving operational success criteria that could be used to judge the ability to prevent a particular form of damage. This process was seen as a very real way of dealing with uncertainty in the risk calculations and is based upon the following observation. The uncertainty associated with maintaining core cooling is much less than the uncertainty associated with terminating the damage progression in vessel. The uncertainty associated with terminating the damage progression in vessel is much less than the uncertainty associated with terminating the damage progression on the dryweH floor. The uncertainty associated with terminating the damage progression on the drywell floor is much less than the uncertainty associated with estimating the released source term. Finally the uncertainty associated with estimating the released source term is much less than the uncertainty associated with

ATI'ACHMENTA TO PLA4631 Page 18 of 20 estimating the latent cancers fiom the released source term. In short the uncertainty in the risk calculation explodes as the damage progresses. For this reason PP&L chose to concentrate on using the IPE to identifying mitigating measures that terminate the damage progression as early as possible to the calculation uncertainty. A discussion of the specifics follows.

Fuel Coolant Interactions When performing the Susquehanna IPE, PP&L believed that vessel or containment failure fiom thermal attack was far more likely than fiom fuel coolant interactions. Therefore this failure mode was not included in the containment evaluation. This view has been supported by recent NRC publications concerning Fuel Coolant Interactions, NUREG 1529 and the paper by Basu and Speis, "An Overview of Fuel-Coolant Interactions (FCQ Research at NRC." Based upon this paper one can conclude that FCI is of little or no significance to the overall risk fi'om a nuclear power plant operation. Furthermore, this paper points out that, "Steam explosion was not observed in experiments involving prototypic melt composition at all water subcooling levels considered."

High Pressure Melt Ejection (HPME & DCH)

At the time the Susquehanna IPE was being performed, no analysis methods existed to allow for meaningful evaluation of either HPMC, or DCH. We gained this understanding through our own investigations and our cooperative efforts with ORNL in the Mark II CPIP and other programs. This state of affairs was reflected as recently as November 21, 1994 by R. C. Schmidt and M. M. Pilch of Sandia in their Letter report to the NRC, "Assessment of the Importance of High Pressure Melt Ejection Events in the BWR Plants." They state:

Unfortunately, our current understanding cvuE modeling capabilities for these important physical processes preclude deterministic calculation that can accurately predict the importance ofHPMEinduced loads on BH% containment failure.

Additionally they point out, A necessary precursor to containment failure caused by HPME loads is vessel failure at high pressure.

And finally, the importance of the first part of the HPME equation, i.e., the conditional probability of vessel failure at high pressure given core damage, should not be overlooked. Gaining a clear understanding of why this conditional probability remains relatively high in current BWR PRA studies and finding ways to reduce it would provide an obvious benefit.

ATTACHMENTA TO PLA4631 Page 19 of 20 PP&L arrived at the same conclusions while performing the IPE. Based upon this conclusion, PP&L decided to reduce the likelihood of the necesmy precursor to containment failure caused by HPME. This approach resulted in a real reduction in plant risk and uncertainty. Specifically, PP&L has:

InstaHed a self contained mobile generator that can continuously supply power to DC loads such as the SRVs, HPCI, RCIC and instrumentation.

Deviated fi'om the generic BWROG EPGs by not inhibiting ADS in the RPV Control Procedure.

Additionally, the gas supply to the SRVs are backed by nitrogen bottles with a minimum 3 day supply. The bottles can be re-supplied ifnitrogen is required beyond 3 days. Dose calculations have been performed to verify that the doses to the maintenance workers replacing the bottles are acceptable.

Based upon the modifications to the plant design and procedures and the availability of nitrogen to the SRV, the probability of containment failure and the associated uncertainty from HPME is considered remote.

Thermal attack of corium on containment structures The Susquehanna Mark I containment is designed with a flat floor and no drains or downcomers in the inner pedestal region.;, The downcomer rises 18 inches above the drywell floor which allows a shallow pool on the drywell floor. The drywell floor in the Mark II containment represents a pressure boundary. For this reason, the drywell floor is steel lined.

At the time PP&L was performing the Susquehanna IPE, no analysis methods existed to allow for credible analysis of corium on the drywell Qoor for containments with Susquehanna's design. This state of affairs was also realized by the NRC contractors performing the Mark II CPIP calculations who state in NUREG/CR-5565 (5/91),

The choice of this design (deep-cavity design) was dictated by current CORCON and MELCOR code modeling limitations which preclude credible analyses of desigIts in which debris would be allowed to spread orflow outward from the in-pedestal to the ex-pedestal region ofthe drywellfloor.

Additionally, CORCON could not model the steel plate on the drywell Qoor which prevents concrete degassing and subsequent vapor interaction with corium provided its integrity is maintained. Therefore, PP&L decided that if the liner plate could be preserved, CCI could be substantially reduced (substantial reduction in chemical energy) and containment failure fiom thermal attack could be prevented. In house calculations based upon work performed by Fred Moody of GE demonstrated that ifthe drywell Qoor

ATTACHMENTA TO PLA4631 Page 20 of 20 was flooded, the initial metallic pours would be quenched preventing metal water reaction.

Continual supply of water fiom the drywell sprays was sufiicient to remove both sensible and decay heat 6'om the mixed oxides. Therefore, Qooding the diywell floor and maintaining a continuous supply of water was determined to prevent containment failure fiom thermal attack. This result was "verified" given the above qualifications, using CORCON. Subsequently, Theofanous corroborated that the presence of water on the drywell floor precludes containment failure fiom thermal attack, NUREG/CR-5423 (1991) and NUREG/CR-6025 (1993). Recently, the NRC asked the BWROG to confirm that the recently issued AMGs provide for drywell spray to provide for corium quenching.

We have instaHed valves with threaded attachments on both RHRSW piping to improve the probability that water can be sprayed on the diywell Qoor during a severe accident.

Additionally, two diesel fire pumps are installed at Susquehanna that automatically initiate on low header pressure. Finally, the Susquehanna Mark II design promotes debris coolability. Therefore, it is reasonable to expect that flooding the diywell floor will preclude containment failure fiom thermal attack of corium.

Summary When we were performing the Susquehanna IPE, analytical methods did not exist to perform a credible evaluation of the containment challenges such as HPME, DCH, steam explosions, etc. PP&L decided to direct eFort toward hardware and procedure changes that would reduce the probability that these containment challenges would occur.

Subsequent research by the NRC has con6rmed this judgment, that is, avoid vessel failure especially at high pressure and if vessel failure cannot be avoided, spray the diywell.

While calculations may broaden the range of success, our plant is demonstrably safer having performed these modi6cations. This course of action is fully consistent with the GL 88-20 goal of identifying areas of poor containment performance and fixing them.

22. Were source term calculations biased by the low core damage frequency (only one sequence meets the IPE screening criteria) 7 The sequences were chosen to represent a broad spectrum of accident types so that surrogate source term calculations would exist for any potential accident sequence. The goal was to select source terms spanning large early releases to late small releases with intermediate accidents in between.

23. Explain the basis for the assumption of a containment failure step firnction at 140 psig instead ofthe distribution offailure pressures as requestedin Generic Letter 88-20.

The bases of the 140 psig is provided in Section C,4. A distribution of failure pressures will be included in a future sensitivity study and this information willbe factored back into the results.

0 Ag I

i y).t i ~, t I

I

~

~" "iv'z"~i II IV vg, 4.

t p-'t,t l r,*gee <<

4 II

~

Ii 7~ 'C VI 4

\

7o7F SUSQUEH SOOR SUHHARY REPORT BY SYSTEM 4 - UNIT 2 PAGE 195 4/03/90 SORTED BY.UNIT) SYSTEH 8 SOOR 4 PHIS, REV OCCUR TREND . RESS SYS SOOR.S STAT , LER 0 - . DATE . CAUSE DESCRIPTION '

TYPE GROUP 52 52 2-87-068 2-8?"071 .

1 1,, '

'/22/87 . 4/26/87 8 B

HPCI Z

HPCZ BOOSTER PUHP IHPELLER HAS NOT "DESIGNED" FOR SSES.

DZSCHARGE CHECK VALVE HOULD NOT,SEAT DURING SO-252-002 VLVFW -

PENG PENG

. 52 2-87 078'- 1 .",; .", '.~)'t5'.";=t~j jb/02/87, 8 . 'OUD NOISES HEARD ZN CONTROL ROOH DURING HPCI RESTORATION NATERH PEtR

~

. 52 . 2-88-008 . 1 LRR88001-0 1/27/88 B HPCI LUBE OIL SAHPLE MAD EXCESSIVE AHOUNTS OF HATER PRESENT HECH'ENG

~ - 52.. 2-88-,013 1LRR88001-0 c ' 2/03/88 X. 'HPCI LUBE OIL SAHPLE CONTAINED 7000 PPH HATER) LIHIT IS 5000 PPH

,52 2-88-015 ~1.."..:,:. ",,: -~:"~."',-'." .2/08/88 B =HPCI AUX OIL Ply OPERATIONAL SHUTDOWN LED'TO HPCI TRIP=ALARH

, 52 ~ 2-88-025 1 2/21/88 B 'HPCZ OUT OF SERVICE'LARH RECEIVED DUE TO ALARH RELAY FAILURE ELEC 52., 2-'88-117. 1 = 5/09/88 X, HPCI EXHAUST VACM BREAKER ISOLATION HV-2F075,DIO NOT CLOSE IAC 52' 2-88-126 ' .-;, -;,'"" t 5/18/88 X, HPCZ FV"256)2 PISTON CUP SEALS DID NOT HEET EQ REQUZREHENTS. PENS r HPCI STOP VALVE HYDRAULIC CYLINDER DOES NOT HEET EQ EL II 52 2-88-133 1

'/27/88 5/27/88 B PENS

=

MPCI SHAFT DRIVEN OIL PUHP COUPLING DOES NOT HATCH EQEL-80-II

,52 2-88-135 1 . B PENS

. 52 2-88-136 l. ,., ~ '/27/88 X HPCI REHOTE SERVO HYDRAULIC.ACTUATOR HAS'EPLACED HZTH NON-EQEL-I CHPL 52 2-88-190 4, ' '/29/88 B SPEED OSCILLATIONS OCCURED DURING HPCZ.OVERSPEED TEST TP"252-021 52 2-88-191 ' 7/29/88 B HPCI ROON FLOODED DUE TO CONDENSER CONDENSTE PUHP DISCHARGE LEAK HECH 1',"

52 2-88-239 1 . , - 10/24/88 B HPCZ TRNSLE ALARH INVESTIGATION FOUND A FAILED RELAY IN 2D274 ELEC

)

52 2-88-247 .. ll/04/88 X - SUSPECTED HATER HAHHER DURING HPCZ qUICK START) SO-252-002. PNSS=

52 2-88-248 1 1

- ll/05/88 D HPCZ STEAH LINE HANGER DBB"214)H23 HAD TRAVEL STOPS INSTALLED. HECH 52 2-89-091 1 i - 8/05/89 X MPCZ STOP VALVE FV-25612 OPENED 20% AND THEN CLOSED DURING SURV PNSS 52 . 2-89-092 8/10/89 X HPCZ STOP VALVE.OPENDED TO 30%) CLOSED AND THEN OPENED FULLY'2

'NSS 52 52 2-89<<137 . 7, 2-89-141 2-89-150 1:,

4

'0/05/89 9/21/89 X 9/29/89 X i X

PRESS TRANSHITTER INSTALLED ON HPCI PP DSCH NOT RECONNECTED PCV-256-F035 FAILED AND LEAKING) FOUND DURING HPCZ SUCTION HYDRO HYDROLASI% OF FH F032A/8 DRAINED INTO HPCZ INJECTION LINE VLVFUN 'ENG OPS DTHER AFFECTED SYS: 45 l

I'2 2"89-166 1 ~ '...,.'" 10/16/89 X HPCI AUXILIARYOIL Pl&P OID NOT START ON SEVERAL OCCASIONS 8/A/I/I/5 CHPL 52 - 2-89-201 =1 ':.": >>: ' ll/08/89 B. = HPCI I%0ARD BYPASS) HV-255"F100 HAD DUAL INDICATION DURING SURV VLVINO 52 - 2 90-028 6 LRR 90-001-00 2/16/90 X HPCI. FLOH CONTROLLER FAILED TO PROVIDE STABLE FLOH CONTROL INSTFC 52 88-295 . 1 LER88022-0 =-

. 11/04/88 A'- INCORRECT FUSES HERE REHOVEO) RESULTING IN UNIT 1 HPCI INOP HUHAN OPS I I jei~,

)

TOTAL: - 57 )... " - ~

)

~ ++ . -'. w + +kg",'")~+g <<', ~ - -"<< .A ~', )

N I Ql PRESSUR HJECIION STSTEH Page No. 4 03/23/90 l

US OOS OOS REIIIN RETURII CRIt SD CRIt FNILT P C S N REF REF REF CCNPOHENt S D C C V f DESCRIPTION IS N T DATE 1 INK DAIE TINE fOIHZ I S TINE TINE SOTIHE EXPOSURE H H U 0 FCRHI 0

FOUG Io Y ISO A A 1

1 IHE R V

SVAN L I NP 0 L 152 I 06/05/67 1125 06/0$ /67 1250 I.CZ 0.00 I.CZ 0.00 1N012A/C Y N N HPCI 0/S TO REPLACE BANANA JACKS FOR HPCI TURSINE 06/IS/67 0500 EXHAUST PRESSURE SENSORS (PSH-IHOITABC).

152 06/ld/67 0700 26.00 0.00 Zd.oo 0.00 HOIE H/A Y N N HPCI TAKEN 0/S fOR SCHEDULED EO INSPECTIOI, 152 OTIOTIBT 1310 OTIOTI67 IC45 1.SB 0.00 I.SB 0.00 - SI- M 30$ N HPCI 0/S fOR 1HDZCBCD SURVEILLANCE (54" TRIP).

152 08/05/67 05SO 05/0$ /57 '1115 2.CZ 0.00 Z.CZ 0.00 SO- 52.004 1HOZCS/D N/A Y

T

' N N ItPCI OJT of SERVICE FOR QHIVEILLAXCE (VALVE ~

15 r OS/06/87 IC28 08/OS/67 1456 OAT 0.00 O.C7 . 0.00 Sl. 80.305 1$ 02CS/D Y N EXERCISING).

N HPCI IIIGII LEVEL CALIBRATIOI Sl IS 1 09/03/57 ICO6 09/03/67 1C45 o.'es o'.oo 0.6$ 0.00 Sl- 80.20$ IHo248/0 Y I N HPCI 0/S fOR Sl .

1$ 5 10/14/67 1400 11/05/67 1710 0.00 $31.17 531.17 0.00 A612 Id. DSA IOZ ti Y H

N N IIPCI STEAN LINE MELD DSA 102 1 1A INSPECTION ( )

fAILED IN SERVICE 15 I /2 /87 1700 11 /21/67 1906 2+10 0.00 0.00 2.00S lfood 15 2 /08 /67 OBCS 12 /08/87 0.67 0.00 .67 0.00 Y So Y N N HPCI 0/S fOt Sl MITH UNIT SIRITDOAI Ne OEPRESQÃtlZED.

T Sl 80 005 1H0248/0 T N HPCI 0/S fOR Sl CN HIGH LEVEL TRIP.

15 15 2 /10 /67 OC4S 2 /3 /67 0 0 I

12 0/6T 12 /31I67 5.50 0.00 .50 0.00 AS2 4 2 N/A Y N

N N PACKING ADJUSTHENT ON lfool Ne lfoof VALVES d.63 0.00 0.00 T STZC AS21CT 1 f007 T 8 N PAIXIHG ADJUSIHENt OH 1FOOT VALVE~

15 0 /05 /88 030 0 /05/85 0.50 0.00 o$ 0 0.00 Sl N 205 )N024$ /D T N N HPC NIQI LKVEL TRIP DISABLED FOR Sl 15 0 /Zo /85 030 01 /20/65 130S 2 Sb 0.00 0.00 A6897 I N/A N HPC TEHP CIIAHHEL 0/S fOR HAIHIENAHCE 15 02 /OTIM 0835 02 /07/85 1000 1.42 0.00 0.00 I HOZCS/0 Y N 15 02 /0 /M 1100 I 02 7/65 1247 1.75 0.00 0. 00 T S I 80 30S Y N N ItPC IIIGH LEVEL TRIP OIT OF SERVICE fOt Sl.

~

Y Sl 60 30S I HO2CS/D Y N N HPC NIQI LEVEL TRIP Olt Of SERVICE FOR Sl.

15 02 /19 /65 0510 0 /19/M 9.83 0.00 0.00 T P21058 P8022Z P71167 IP 204 Y N N HPC IN@ FOR HAINIENANCE PH'S CALISRATICN CHECK Ol 152- 02/I'9/65 0940 PIRE TRIPS (INSPECTED .TRIPS (NE AT A TINE) 1 02/19/88 1245 3.05 0.00 3.05 0.00 T A71653 1fO6 ~ Y ~ 8 N PACKING ADJUSTHENT ON NPCI tf003 VALVE - NO SLOXING USED.

152 152

'I 1

03/23/88 Nbo 03/30/88 0630-03/Zb/85 1250 03/26/M 1330 159.SO O.df 0.00 0.00 1S9.50 0.67 0.00 0.00 T T SBOC09 Sl ~ 183 208 1 f 100 IHOZCS/D N

N ltPCI MARllF VALVE SC" TRIP DISABLED (lflob) Hlo DLKL INOICATIOI, fOt QHIVEILLAHCE 152 04/06/85 1410 04/06/65 14CS 0+5$ 0.00 0.$ 6 0.00 .T Sl 180 205 tHOZCS/0 N NIGII LEVEL 'TRIP FOt HPCI 0/S ONE ht A TINE fOR ICC 152 I 0$ /03/N 0830 0$ /03/N 1015 QN VE ILLANCE.

. 1.7S 0.00 1.7$ 0.00 Y 81-180-30$ 1H024$ /D Y N N NPCI RX NIQI MATER LEVEL TRIP INOP foR IBC QXtV.

152 05/09/88 0110 OS/09/85 0210 IIKPS HPCI.

1 1;00 0.00 1.00 0.00 80.1SZ. 004 H/A Y Y N HPCI 0/S fOR VALVE STROKE IINIHC.

1$ 2 I 0$ /12/85 NSO 05/12/55 1600 7 17 0.00 7.'17 0.00 SI.152.211 1H012D T N N NPCI EXHAUSE DIAPHRAGN PRESS SMITCH PSH ECI ND12D 0$ /20/N 0125 fAILEO SURVEILLANCE ACCEPTANCE CRITERIA.

'ISZ 1 0$ /20/N 0200 Oo58 0.00 O.SB 0.00 1R203 O/I Y NPCI IHVERTER POMKR fAILURE INVERTER OF SERVICE 1$ 2 1 06/Ol/M 1121 06/01/N 1155 O.ST 0.00 0.57 0.00 T 81-180 20$ THOZCB/0 N HPCI STSTEN LEVEL 8 ACTUATIOI IHSF 0/8 MHILE PERFORNING SI ~

152 1 06/30/85 12SO 06/30/N 1320 0.$ 0 =0.00 0.$ 0 0.00 T Sl 180 20$ IHOZCS/0 N NPCI HIGH LEVEL TRIP CHAIOELS 0/8 OHE AT A TINE fOR SURV.

152 'I 07/28/68 'I I ZS 07/26/88 1245 .1.33 0.00 '1.33 0.00 81.160 30S 18024$ /0 N GUARTERLY CALIBRATION Of RX LEVEL CHARNELS.

152 06/13/65 0549 08/13/M 09ZS 0.60 ~ 0.00 0.60 0.00 Sl 1M 205 1N024$ /D N 0/S fOt SURVEILLANCE CN I,IS 821 ~ 1$ 024840 (RX LEVEL 08/19/85 0800 08/19/N 8).

152 152 1

1 09/10/85 0915 1515 09/10/88 0950 To2S O.SB -

0.00 0.00 7.2S O.SB 0.00 0.00 ~

Y A82584 Sl 180 20$

SO-1S2.002 Pb(947 H/A Y Y N SPEED CONTROLLER !IN'Ot ICC AQ) CALIBRATION.

Y 1H 0248/O Y 8 0/8 FOR QIVKILLAHCEOH LIS.SZI.1H024640 (RX LEVEL 152 1 09/28/88 1645 09/28/85 2030 3.7$ 0.00 3.7$ 0.00 81.152-313 8).

Y 186040 7 N Y toSH ES'I 1N6040 FAILED QIVEILLAXCE (PIPE ROITING 152- AREA DELTA 1).

1 10/08/N 051$ 10/08/N 0940 1.42 0.00 1AZ 0.00 Y it-t60-205 1NO248/D N NPCI 0/S fOR IHOZCS/D SWVKILLAHCE (SCo TIISINE TRIP) 152 11/01/68 1250 1 t/01/88 1430 l.dT 0.00 81.1N.30$ ~

152 I 11 04 88 0545 04/N i:50 4.$ 0 T

I.N.295 1N0248/0 y N HPCI 0/8 FOR 92 DAY CALIBRATIOI OF 1N02CS/O.

11 101$ O.'OO 0.00 T 1N0248/0 Y N HPCI NIGH LEVEL TRIP (SCi) 0/8 OUE To TRIP LOGIC FUSES RDH)VED fOR A PERHIT.

152 1 11/05/68 I '130 11/08/N '34$

2.2$ 0.00 2.2$ 0.00 T 80-152-004 1foo'I N STEAN LEAK AT VALVE PACKING Of lfool (MA STCSST MILL BE USED To REPACK VALVE THE lkEK Of 'll/'IC)~

0 &

C) mP D

cn>'t o O