ML18038A931
| ML18038A931 | |
| Person / Time | |
|---|---|
| Site: | Browns Ferry  |
| Issue date: | 09/28/1994 |
| From: | Williams J Office of Nuclear Reactor Regulation |
| To: | Kingsley O TENNESSEE VALLEY AUTHORITY |
| Shared Package | |
| ML18038A932 | List: |
| References | |
| TAC-M74385, NUDOCS 9410040157 | |
| Download: ML18038A931 (40) | |
Text
~o,R RECy(
0 cu
~j
)t~*y+
UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001 September 28, 1994 Mr. Oliver D. Kingsley, Jr.
President, TVA Nuclear and Chief Nuclear Officer Tennessee Valley Authority 6A Lookout Place 1101 Market Street Chattanooga, Tennessee 37402-2801
SUBJECT:
BROMNS FERRY NUCLEAR PLANT UNIT 2 INDIVIDUALPLANT EXAMINATION SUBMITTAL FOR INTERNAL EVENTS (TAC NO. M74385)
Dear Mr. Kingsley:
This letter provides the NRC staff evaluation of the Individual Plant Examination (IPE) for internal events and internal flooding at the Browns Ferry Nuclear Plant (BFN) Unit 2, which was submitted by the Tennessee Valley Authority on September 1,
1992.
Additional. information was provided by TVA in letters dated September 21, 1993 and December 23, 1993, in response to requests by the staff dated August 4, 1993 and November 19,
- 1993, respectively.
The staff also considered information provided by TVA on February 7, 1992 regarding performance of limited scope multiunit probabilistic risk assessment addressing operation of all three BFN reactors.
The staff's evaluation package consists of four enclosures.
Enclosure 1 is the Staff Evaluation Report; Enclosures 2, 3, and 4 are contractor Technical Evaluation Reports addressing the "front-end," or core damage frequency, "back-end," or containment performance, and human reliability aspects of the IPE, respectively.
The NRC staff concludes that, in general, TVA's IPE submittal for internal events is complete with the level of detail consistent with the information requested in NUREG-1335.
Closure of IPE activities for the Browns Ferry site is dependent on receipt and review of TVA's multiunit PRA.
TVA is requested to address the feasibility of evaluating the potential benefit of two containment performance improvement items in the multiunit PRA.
These items are (1) the Ose of the diesel-driven fire protection system pump to inject water into the reactor vessel upon loss of AC power, and (2) the need for power to the automatic depressurization system solenoid valves to 0 Q 0 Ogrp)~
94sooaoxo7 94ovoe g PDR ADOCK 05000259 t:
P
PDR)~
(nH>
ImI: RI.E CEmTIEII COPy
~" ~
g I
~
- 0. Kingsley, Jr.
to permit depressurization of the reactor following loss of AC power and depletion of batteries.
The staff believes this enhancements may be important because of the significance of station blackout to BFN Unit 2.
Please call me at (301)504-1470 if you have any questions regarding this topic.
Sincerely, Original. signed by L
Joseph F. Williams, Project Manager Project Directorate II-4 Division of'eactor Projects I/II Office of Nuclear Reactor Regulat'ion Docket Nos.
50-259, 50-260, and 50-296
Enclosures:
As stated (4) cc w/enclosures:
Dist 'butio w e clos es Docket - Fi-1 e PUBLIC BFN Rdg. File S. Varga G. Lainas OGC ACRS (10)
B. Boger RII J. Flack R. Hernan E. Butcher Distribution w enclosure 1
E. Lois J. Ridgely E. Chelliah DOCUMENT HAHE:
IPELTR.BFH To receive a copy of this docunent, indicate in the box:
eC" -" Copy without attachment/enclosure "E" -" Co y with attachment/enclosure "H" "-Ho co OFFICE PDI I-4/LA PD II-4/PH P.
PD II-4/D C
HAHE BClayton Jwilliams FHebdon DATE 09/
/9 09/g$ /94 09/Qg/94 0 FICIAL R CORD COP
~,
fl
Mr. Oliver D. Kingsley, Jr.
Tennessee Valley Authority CC:
Mr. Craven Crowell, Chairman Tennessee Valley Authority ET 12A 400 West Summit Hill Drive Knoxville, TN 37902 Mr.
W.
H. Kennoy, Director Tennessee Valley Authority ET 12A 400 West Summit Hill Drive Knoxville, TN 37902 Mr. Johnny H. Hayes, Director Tennessee Valley Authority ET 12A 400 West Summit Hill Drive Knoxville, TN 37902 Mr. 0. J. Zeringue, Sr. Vice President Nuclear Operations Tennessee Valley Authority 3B Lookout Place 1101 Market Street Chattanooga, TN 37402-2801 Dr, Mark 0. Medford, Vice President Engineering 5 Technical Services Tennessee Valley Authority 3B Lookout Place 1101 Market Street Chattanooga, TN 37402-2801 Mr. D.
E.
Nunn, Vice President New Plant Completion Tennessee Valley Authority 3B Lookout Place 1101 Market Street Chattanooga, TN 37402-2801 Mr. R.
D. Machon, Site Vice President Browns Ferry Nuclear Plant Tennessee Valley Authority P.O.
Box 2000
- Decatur, AL 35602 General Counsel Tennessee Valley Authority ET 11H 400 West Summit Hill Drive Knoxville, TN 37902 BROWNS FERRY NUCLEAR PLANT Mr. Roger W. Huston, Manager Nuclear Licensing and Regulatory Affairs Tennessee Valley Authority 4G Blue Ridge 1101 Market Street Chattanooga, TN 37402-2801 Mr. T.
D. Shriver Nuclear Assurance and Licensing Browns Ferry Nuclear Plant Tennessee Valley Authority P.O.
Box 2000
- Decatur, AL 35602 Mr. Pedro Salas Site Licensing Manager Browns Ferry Nuclear Plant Tennessee Valley Authority P.O.
Box 2000
- Decatur, AL 35602 TVA Representative Tennessee Valley Authority 11921 Rockville Pike, Suite 402 Rockville, MD 20852 Regional Administrator U.S. Nuclear Regulatory Commission Region II 101 Marietta Street, NW., Suite 2900
- Atlanta, GA 30323 Mr. Leonard D. Wert Senior Resident Inspector Browns Ferry Nuclear Plant U.S, Nuclear Regulatory Commission 10833 Shaw Road
- Athens, AL 35611 Chairman Limestone County Commission 310 West Washington Street
- Athens, AL 35611 State Health Officer Alabama Department of Public Health 434 Monroe Street Montgomery, AL 36130-1701
C.
l 0
~ 5W~~lE J
c A~QCA>i iq t I
V k
STAFF EVALUATION BROWNS FERRY NUCLEAR PLANT, UNIT 2 INDIVIDUALPLANT EXAMINATION Internal Events and Internal Flood Only
'410040157 ENCLOSU E I
I
TABLE OF CONTENTS EXECUTIVE
SUMMARY
- 1. 0 INTRODUCTION 2.0 STAFF'S REVIEW
~
~
~
~
~
~
~
~
~
~
~
1 1
2.1 LICENSEE'S IPE PROCESS 2.2 FRONT-END ANALYSIS 2.3 BACK-END ANALYSIS.
2.4 HUMAN FACTOR CONSIDERATIONS 2.5 CONTAINMENT PERFORMANCE IMPROVEMENTS 2.6 DECAY HEAT REMOVAL (DHR)
EVALUATION.
~
~
~
~
~
~
~
2
~
~
~
~
2 5
~
~
~
~
7 8
~
~
~
~
ll 2.7 LICENSEE ACTIONS AND COMMITMENTS FROM THE IPE.........
12
3.0 CONCLUSION
S APPENDIX - DATA
SUMMARY
FOR BROWNS FERRY UNIT 2 13
~
~
~
~
~
~
~
A 1
Cl
EXECUTIVE
SUMMARY
The NRC staff completed its review of the internal events portion of the Browns Ferry Nuclear Plant (BFN), Unit 2 Individual Plant Examination (IPE) submittal, and associated documentation which includes licensee responses to staff generated questions and comments.
The licensee's IPE is based on a
Level 2 Probabilistic Risk Assessment (PRA) consistent with guidance issued in Generic Letter (GL) 88-20, Appendix 1.
No specific Unresolved Safety Issues (USIs) or Gener ic Safety Issues (GSIs) were proposed for resolution as part of the IPE.
The licensee used a viable process to ensure that the system and containment models represent the as-built and as-operated plant.
Tennessee Valley Authority (TVA) personnel maintained involvement throughout the development and application of PRA techniques to the BFN Unit 2 facility with the objective to transfer PRA technology to the plant personnel.
The staff notes that various plant departments provided input to the IPE development as part of a peer review.
The BFN Unit 2 IPE represents the currently as-built and as-operated plant as of December 1991.
The IPE used the large event tree small fault tree methodology and capitalized on NUREG-1150 insights and PRAs performed by the licensee in the past.
The process used to delineate accident sequences included the identification of initiating events (IEs) and associated success criteria, the development of event trees, and grouping of sequences based on back-end characteristics.
The process identified and modelled both generic and plant-specific initiators.
These initiators included general plant transients, LOCAs, support system failures, and internal floods.
The BFN Unit 2 IPE used primarily generic data for the quantification of the top event and sequence models.
Some plant-specific data were used to update the generic data by generating posterior distributions based on Bayesian methods.
The IPE estimated a mean core damage frequency (CDF) of 4.8E-5 per reactor year.
Loss of normal power (non-station'lackout) contributes 42X, station blackout 27X, loss of vital DC power llX, internal flooding 10X, reactor high pressure transient 9X, ATWS events 3X, and LOCAs outside containment (V-sequences) contribute less than 1X of the CDF.
Major contributors to dominant core damage sequences include fail-to-recover offsite power in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> following the IE, and.loss of DC power beyond a 4-hour period.
Common cause failures of on-site diesels were also found to be important.
The dominant contributors to BFN Unit 2 CDF were found to be consistent with insights from other analysis of similar designs.
The IPE estimated a mean containment failure pressure of 128 psig at 400 'F.
The conditional containment failure probabilities given core damage are as follows: Drywell 70.0X, (liner melt-through 44X, structural failure 26X),
bypass 2.0X, intact 28.0X.
The licensee considered the effects of containment temperature and pressure on elastomer
- seals, containment isolation failures, decontamination effectiveness of the reactor building, and the mean ultimate containment failure pressure.
The dominant contributors to containment
failure were found to be consistent with insights from other analysis of similar designs.
Human performance (prior to the start of the initiating events and after the start of the initiator) was considered and significant human (operator) actions were identified by the licensee.
The top five human actions are:
manually depressurize the reactor vessel using the Safety Relief Valves (SRVs), control reactor vessel level using the Low Pressure Coolant Injection (LPCI) system and Low Pressure Core Spray (LPCS) system, recover suppression pool cooling by closing alternate LPCI valves or by loca)-manual operation of Suppression Pool valves, and align alternate injection to the vessel via Unit I to Unit 2 RHR cross-ties.
The licensee defined "vulnerability" as the failure of critical components, support
- systems, or operator actions that contribute significantly (greater than 5E-4 per reactor-year) to the overall CDF or that contribute significantly (greater than 5E-5 per reactor-year) to the early release frequency.
Based on these criteria, the licensee did not identify any vulnerabilities and, therefore, no plant modifications were identified.
In addition, the licensee considered safety enhancements if a single initiator, component failure, or operator action resulted in.a CDF greater than 5E-5 per reactor year, or a single contribution of a single system division resulted in a
CDF greater than 1E-4 per reactor year.
No contributors,
- however, were identified.
The staff notes, however, that this result is due, in part, to the use of redundant components from the nonoperating Units I and 3.
The licensee used another set of probabilistic criteria to identify potential plant enhancements in combination with cost/benefit considerations.
Application of these criteria also did not result in the identification of any enhancements.
Based on the review of the BFN Unit 2 IPE submittal and associated documentation, the staff concludes that the licensee has met the intent of GL 88-20, with the exception that certain containment performance improvement (CPI) recommendations.
This conclusion is based on the following findings:
1.
The IPE is complete with respect to the information requested in GL 88-20 and associated NUREG-1335 submittal guidance document;.
2.
The front-end systems
- analysis, the back-end containment performance analysis and the human reliability analysis are technically sound and capable of identifying plant-specific vulnerabilities to severe accidents; 3.
The licensee employed a viable means (walkdowns) to verify that the IPE reflected the current plant design and operation; 4.
The PRA which formed the basis of the IPE had an extensive peer review; 5.
The licensee participated fully in the IPE process consistent with the intent of GL 88-20;
~
~ll
6.
The licensee appropriately evaluated BFN Unit 2's decay heat removal (DHR) function for vulnerabilities, consistent with the intent of the USI A-45 resolution; and 7.
The licensee responded to all but two of the recommendations stemming from the CPI program.
As discussed in the
I) the use of the diesel-driven fire protection system pump to inject water into the reactor vessel as well as the drywell spray header upon loss of AC power and 2) power for the ADS solenoid valves to permit depressurization of the reactor following a loss of AC power and depletion of the batteries.
The staff recommends that TVA specifically address these potential enhancements in the multiunit IPE to be submitted next year.
On November 23, 1988, the Nuclear Regulatory Commission (NRC) issued GL 88-20 (Ref.
- 1) which requested licensees to conduct an Individual Plant Examination (IPE) in order to identify potential severe accident vulnerabilities at their
- plant, and report the results to the Commission.
Through the examination
- process, a licensee is expected to (a) develop an overall appreciation of severe accident behavior, (b) understand the most likely severe accident sequences that could occur at its plant, (c) gain a more quantitative understanding of the overall probabilities of core damage and fission product releases and, if necessary, reduce the overall probability of core damage and radioactive material releases by modifying, where appropriate, hardware and procedures that would help prevent or mitigate severe accidents.
All IPEs are to be reviewed to determine the extent to which each licensee's IPE process met the intent of GL 88-20.
The NRC review of the licensee's IPE process may involve two steps; the first step (or Step 1 review) focuses on completeness and the quality of the submittal.
Selected IPE submittals, determined on a case-by-case basis, will be investigated in more detail under a second step (or Step 2 review).
The decision to go to a Step 2 review is primarily based on the staff's need to determine the ability of the licensee's applied methodology to identify severe accident vulnerabilities.
As part of this review process, a Step 1 review was performed.
On September 1,
- 1992, Tennessee Valley Authority (TVA) submitted the IPE for Browns Ferry Nuclear Plant (BFN) Unit 2 in response to GL 88-20 and associated supplements.
The IPE submittal consisted of a Level 2 Probabilistic Risk Assessment (PRA) consistent with GL 88-20 Appendix 1.
The IPE review only focused on the internal events portion including internal flooding.
The licensee plans to provide a separate submittal on findings stemming from the IPE for external events (IPEEE).
The IPEEE will be evaluated separately by the staff within the framework prescribed in GL 88-20, Supplement 4.
As part of its review, the NRC contr acted with Science 5 Engineering Associates, Inc.
(SEA), Scientech Inc./Energy Research Inc.,
and Concord Associates to review the front-end analysis, the back-end analysis, and the human reliability analysis, respectively.
SEA's review is documented in "Browns Ferry Unit 2 IPE: Front End Review," Scientech's in "Browns Ferry Unit 2, Technical Evaluation Report on the Individual Plant Examination Back-End Submittal,"
and Concord's in "Technical Evaluation Report, Browns Ferry Nuclear Power Plant Unit 2, Individual Plant Examination, Human Reliability
- Analysis, Step 1 Review."
During the review the staff requested additional information on August 4, 1993 and November 19, 1993.
The licensee responded to these requests on September 21,
- 1993, and December 23, 1993.
This report documents the NRC staff's findings and conclusions which stemmed from review of the IPE submittal, associated information and the contractor's TERs.
Appendix A summarizes key plant information, numerical results and other insights derived from the IPE.
2.0 STAFF'S REVIEW
- 2. I LICENSEE'S IPE PROCESS The staff examined the process used by TVA to perform the BFN Unit 2 IPE.
The IPE submittal documents and describes the techniques used to address each of the three major technical areas:
the front-end systems
- analysis, back-end containment performance
- analysis, and the human reliability analysis (HRA).
The methodology chosen for performing the BFN Unit 2 IPE analysis is consistent with the methods of examination identified in GL 88-20.
The licensee performed a Level I PRA for the front-end analysis, a Level 2
PRA for the back-end analysis, and used the Techniques for Human Error Prediction (THERP) and the Success Likelihood Index Methodology in the HRA.
BFN Unit 2 is a General Electric (GE)
BWR 4, with a Hark I containment.
The licensee used a viable process to ensure that the system and containment models represent the as-built and as-operated plant.
TVA personnel maintained involvement throughout the development and application of PRA techniques to the BFN Unit 2 facility.
Several major plant departments provided support to the IPE/PRA development.
The licensee used contractor assistance.
The principal outside contractor was Pickard,
- Lowe, and Garrick, Inc.
(PLG).
Other consultants were ERIN Engineering,
- Gabor, Kenton and Associates (GKA) and EgE Engineering, Inc.
To ensure that the IPE analytic models represented the as-built, as-operated plant, the licensee made use of findings developed as part of the Design Baseline and Verification Program conducted in 1988 which was previously evaluated and accepted by the staff (Supplement 2 of NUREG-1232).
In addition, the licensee performed walkdowns for flooding and interfacing system
- LOCAs, and held interviews with key plant personnel.
A peer review of the analytic techniques was performed by utility personnel from in-house management, operations personnel, and contractor personnel.
2.2 FRONT-END ANALYSIS The staff examined the licensee's front-end systems analysis for completeness and consistency with accepted PRA practices.
The BFN Unit 2 IPE used the large event tree - small fault tree methodology consistent with methods identified in GL 88-20 for performing the IPE.
The analysis capitalized on NUREG-1150 insights and PRAs performed by the licensee in the past.
The process used to delineate accident sequences included identification of initiating events (IEs) and associated success criteria, development of event
- trees, and grouping of sequences based on back-end characteristics.
The process identified and modelled both generic and plant-specific initiators.
These initiators included general plant transients, loss of coolant accidents (LOCAs), support system failures, and internal floods.
The licensee systematically searched for potential initiating events (IEs) through a
detailed Failure Node and Effects Analysis (FHEA), the review of plant-specific and generic BWR operating experience, and the use of feedback from other PRA analyses.
The initiators included general plant transients, Anticipated Transients Without Scram (ATWS) events, LOCAs, support system failures and internal floods.
LOCAs included IEs that are not usually considered in PRAs, such as suction line break, recirculation discharge line
- break, and core sp} ay line break.
In order to develop accident sequences for each IE group, large systemic event trees were developed depending on the reactor vessel pressure and the type of IEs.
The IPE contains event trees for high vessel pressure and low vessel pressure conditions.
Top event success criteria were developed for each event tree based on the BFN Unit 2 procedures, on the final safety analysis report (FSAR),
and on General Electric (GE) thermal hydraulic analyses.
The Level I and Level 2 interface was addressed through a plant damage state binning process.
The IPE systems analysis examined both front-line and support systems important to the prevention and mitigation of core damage accidents through a
separate FMEA study.
A total of 24 systems (15 front-line systems and 9 support systems) were evaluated through this separate FNEA.
For each of the 24 systems, a separate fault tree was developed to derive failure probability estimates (referred to as split fractions) for each of the applicable top events of the systemic event trees.
These systems were modeled to the component level of detail and included hardware failures, common cause failures and human errors.
The IPE explicitly addressed dependencies in the analysis.
Dependencies were identified during the system review and plant walkdowns (spatial dependencies) and detailed dependency matrices were developed and used throughout the analysis.
Tables presenting dependencies due to support systems-to-IEs are also included.
Dependencies that can initiate events (i.e, systemic common cause initiators, or flooding events) or effect system performance due to the system's functional, support system, or human action requirements, were identified and considered in the analysis.
The dependencies were treated primarily through the large event trees where, for example, each train of a front-line or support system is treated as a separate top event.
Conditional failure probabilities (split fractions) were developed for each top event.
The logic rules applied for split fraction assignment in the quantification process are clearly described.
- Further, the "multiple Greek letter" method was employed in order to account for common cause failures.
A PC-based software code, "RISKHAN," developed by PLG ("An Integrated Code Package for PC-Based Work-stations,"
1991) was used for quantification of system unavailability estimates and sequence frequency estimates, including the Co} e Damage Frequency (CDF).
The PRA data base is primarily based on the generic nuclear plant and component data collected and analyzed by PLG.
BFN Unit 2 was shut down September 15, 1984 for refueling and restarted on Hay 24, 1991 after extensive modifications and other corrective actions.
BFN Units I and 3 shut down in March 1985 for similar actions and modifications, and are still shutdown.
Prior to the extended
- outages, the three units had about 22 years collectively of commercial operating experience.
TVA's stated reason for not including more plant-specific experience in the data base was that the units
"...have undergone substantial changes in equipment, procedures, and operating and maintenance policies...,"
and "It was judged that the old data are not applicable anymore."
The licensee performed a detailed examination to identify potential flooding sources including interunit flooding sources and postulated flood scenarios for five major buildings.
Identified flood zones were examined through a
cause-impact analysis (i.e.,
a detailed flood source identification, categorization, and impact evaluation).
Postulated flooding events were included in the analysis if they would cause a reactor trip that was not bounded by an internal event analysis or would affect the availability of a system that is typically included in a PRA.
Flood initiating event frequency of a given zone was based on pipe locations, flood sources (including
- spraying, splashing and intrusion), location of safety system components, and interzone or interbuilding flood propagation mechanisms.
Flooding scenarios were postulated and quantified using the internal event analysis process described above.
The IPE estimated a mean CDF of 4.8E-5 per reactor year for the BFN Unit 2 facility.
Loss of normal
- power, no station blackout (SBO), contributes
- 42X, SBO events 27X, loss of vital DC power llX, reactor high pressure transient 9X, ATWS events 3X and LOCAs outside containment (event V-sequences) contribute less than 1X of the CDF.
Major contributors to dominant core damage sequences include fail-to-recover offsite power in 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> following the IE, and loss of DC power beyond a 4-hour period.
The common cause failures of on-site diesels were also found to be important.
The CDF mean frequency from all flood sequences is about 5E-6 per reactor year.
It is dominated by floods in the Turbine Building (TB).
The licensee did not identify any significant design weaknesses associated with the current TB design.
The staff finds the licensee's source-cause-impact type flood analysis and their evaluation of the available plant-features for mitigating or minimizing the flood impact on the overall CDF to be technically sound and consistent with the intent of GL 88-20.
The licensee applied a ranking criterion from NUREG-1335 to the core damage sequences and reported the top 100 sequences, which accounts for all sequences whose individual frequency is greater than approximately 5.6E-8/yr.
All sequences with a frequency estimate of greater than 1E-7 per reactor year contribute approximately 78X of the overall CDF.
The staff notes that the licensee performed sensitivity and uncertainty analysis to gain a better understanding of the quantitative results.
A discussion of these analyses is provided in the submittal.
The staff's review did not identify any significant problems or errors in the front-end analysis.
The overall assessment is that the licensee has made reasonable use of the techniques in performing the front-end analysis and is capable of identifying major severe accident vulnerabilities.
The staff, therefore, concludes that the BFN Unit 2 IPE front-end analysis meets the intent of GL 88-20.
2.3 ACK-ND A A S
The staff examined the licensee's back-end analysis for completeness and consistency with the guidance specified in GL 88-20, Appendix I.
The BFN Unit 2 consultant, PLG Inc. used the RISKHAN methodology to quantify the event trees.
Version 7.03 of the NAP-3.0B code was used to analyze accident progression.
The licensee, through
- PLG, had EgE Engineering Consultants perform a plant specific containment structural analysis to develop containment failure pressure, temperature, and location insights.
The mean ultimate containment failure pressure was determined to be 128 psig at 400 F.
The translation o'f the Level 1 accident sequences into Level 2 Containment Event Tree (CET) and accident release characteristics was performed by mapping each of the accident sequences into Plant Damage States (PDS).
The PDS were defined by the condition of the plant at the end of the Level 1 analysis.
The PDS considers the reactor pressure (high or low), drywell floor conditions (wet or dry), containment integrity (intact,
- bypassed, failure within a few hours of event initiation, or fails later), status of active systems (containment
- vent, suppression pool cooling, drywell sprays, and water to cool debris),
and status of reactor building (isolated and SGTS operability).
Except for containment
The source term was evaluated using a source term event tree (STET).
The STET considered six questions:
in-vessel recovery and drywell spray availability; reactor pressure at time of vessel failure, condition of containment (intact,
- vented, early or late failure); containment failure mode (leak or gross);
availability of pool scrubbing; and availability of reactor building mitigation.
The results of the STET were grouped into 10 key release categories based on similarities of containment failure, timing, and mitigative features.
Only noble gases and Cesium-Iodide were reported as the source term in the submittal; the other elements normally modeled in source term assessments were part of the NAP results.
The timing of the release was
- based, in part, on the estimated containment failure time from vessel breach as follows:
~ Early (E):
0 to 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />, however, characterized by limited opportunities for release mitigation by natural processes and pool scrubbing prior to containment failure; and
~ Late (L):
Nore than 3 hours3.472222e-5 days <br />8.333333e-4 hours <br />4.960317e-6 weeks <br />1.1415e-6 months <br />.
Sensitivity studies were performed to investigate severe accident phenomenology (such as accident progression, liner melt-through, direct containment heating, debris coolability, and containment failure location and area) as recommended in NUREG-1335.
The licensee considered the effects of containment temperature and pressure on the elastomer seals.
These seals are used for the drywell head flange and equipment and manway hatches.
For all of the potential accident sequences considered, the temperature and pressure profiles are expected to result in
little or no leakage.
This result is based on their consultant's (EgE) analysis and agrees with the results of analysis discussed in NUREG/CR-5565, NUREG/CR-4944, NUREG/CR-5096, and NUREG/CR-4064.
Containment isolation failure is binned in the same PDS as early containment failure (within a few hour s of accident initiation).
Containment bypass sequences are not considered as part of the CET but are part of the source term determination.
The licensee has listed the top 30 level 2 sequences with a frequency cutoff of 3E-12.
Of these sequences, the first nine represent 99.7X of the total core damage frequency.
This is consistent with the NUREG-1335 screening guidelines.
The effectiveness of the reactor building (and the turbine building when appropriate) on the release has been considered as part of the CET. If the decontamination factor (DF) of the reactor building calculated by the HAAP code was equal to or greater than 10, then the reactor building was considered to be effective in the CET.
The licensee employed a process to understand and quantify severe accident progression.
The process led to a determination of conditional containment failure probabilities and containment failure modes consistent with the intent of GL 88-20, Appendix 1.
Sensitivity studies were performed.
Failures of containment due to phenomenological considerations and uncertainties (such as liner melt-through failure area) were considered.
Containment Fail e
ocations
~ Drywell (Liner
~ Wetwell
~ Bypass
~ Intact 70.0X melt-through 44X, Structural failure 26X) 0.0X 2.0X 28.0X Although the licensee did not commit to the use of the fire protection system to flood the drywell prior to vessel failure, the results of the sensitivity studies indicate that its use would reduce the liner failure probability from 44X to 14X.
The IPE identified that the probability of liner melt-through was low for scenarios where the vessel failure occurred at low pressure (due to slow transport across the drywell floor, high retention within the reactor pedestal
- area, and crust formation on the moving front) and high for high pressure releases (due to transport of most of released material to the ex-pedestal region).
There was no apparent consideration of the high pressure release dispersing the material over the entire containment and thus minimizing the heat transfer to the containment liner at a specific location.
This is counter to other findings, such as in NUREG-1150 and other IPEs.
The dominant contributors to containment failure were found to be consistent with insights from other analysis of similar designs.
The licensee 1
characterized containment performance for each of the CET end-states.
The overall assessment of the back-end analysis is that the licensee has made reasonable use of probabilistic techniques in performing the back-end
- analysis, and that the techniques employed are capable of identifying plant vulnerabilities.
The licensee,
- however, found no plant vulnerabilities.
Based on these. findings, the staff concludes that the licensee's back-end IPE process is consistent with the intent of the GL 88-20.
2.4 HUMAN FACTOR CONSIDERATIONS The licensee identified and modeled two types of human errors, preinitiator human events associated with errors during "routine" activities (such as maintenance) leaving equipment disabled and postinitiator human events associated with errors during operator response to an initiator.
Postinitiator events are further distinguished to "dynamic" events associated with operator response to an initiator according to plant emergency operating procedures (EOPs)
(response-type events) and to recoveries associated with operator actions (according to EOPs or other procedures) to restore a
completely or partially disabled system.
Preinitiator human events were identified by reviewing the equipment location, the control room indications, and the surveillance procedures (primarily) in order to determine conditions that would allow systems to be left in an undetected failed state.
In order to identify the more critical preinitiator human events to be included in the quantification the licensee developed event screening specific criteria.
Based on these criteria, post-test or postmaintenance human errors for which it was determined that adequate controls exist to assure their detection were not modeled.
Preinitiator, human events that were modeled in the IPE include realignment of'omponents or flow path after testing, maintenance, or inspection, removal of jumpers or other temporary alterations to restore equipment to service, and calibration and alignment of equipment.
To quantify the preinitiator events the licensee used the THERP method (NUREG/CR-1278).
The method was applied to develop probability distributions for different types of potential preinitiators, and to account for factors such as the location and the complexity of the action.
The IPE clearly describes the method used to derive preinitiator event human error probabilities (HEPs), its underlying hypotheses, and the assumptions used to modify generic HEPs according to plant specific practices.
No preinitiator events were found to be important contributors to risk.
Response-type events were identified by reviewing operating procedures to determine those operator actions that will bring the plant to a safe shutdown.
Identified actions were evaluated qualitative on a scenario-by-scenario basis to ensure that they were appropriately identified and modeled.
Recoveries were identified by reviewing the sequences contributing to core damage frequency after an initial core damage frequency quantification.
The licensee identified some recovery actions that were not part of the EOPs.
During the evaluation of postinitiator events care was taken to ensure that these actions appropriately reflected operator knowledge and training as well as plant practices and procedures.
The licensee employed the Success Likelihood Index Methodology to quantify postinitiator events.
The IPE discusses the important aspects of postinitiator event analysis; for example, the underlying assumptions for converting operator judgments into HEPs, the performance-shaping factors (influencing the operator ability, positively or negatively, to perform a task),
the plant-human and human-human dependencies, the boundary conditions, the success criteria, and the timing for each human action.
The staff especially notes the licensee's elaboration on the important HRA elements and factors that make an analysis valuable as well as traceable.
The postinitiator quantitative results and the insights derived from the analysis are also discussed in a clear and concise manner in the IPE.
The IPE lists (Table 3.4-6) and discusses the eleven most important human actions in the context of their contribution to the total core damage frequency.
The most impo}tant human actions to CDF is manual depressurization of the reactor vessel using the safety relief valves (9.2X of the total CDF), followed by failure to control the reactor vessel level at low pressure using RHR or core spray (7X).
The IPE performed an importance and sensitivity analysis.
The results of the sensitivity analysis indicated that failure of two or more operator actions would result in new sequences when higher HEPs are applied.
The IPE did not identify any plant improvements as a result of the HRA.
The staff found the BFN Unit 2 HEPs reasonable and compatible with HEPs used in other HRAs reviewed and accepted by the staff.
The staff's review did not identify any significant problems or errors in the human reliability analysis.
The overall assessment is that the licensee has made reasonable use of the techniques in performing the human reliability analysis that is capable of identifying severe accident vulnerabilities.
The staff, therefore, concludes that the BFN Unit 2 IPE human reliability analysis meets the intent of GL 88-20.
2.5 CONTAINMENT PERFORMANCE IMPROVEMENTS As the result of the Containment Performance Improvement (CPI) program, recommendations were made for licensees to consider as part of the IPE process.
These recommendations were identified in GL 88-20, Supplement I for Mark I plants.
Each of these proposed improvements is discussed separately below.
te te at In TVA's supplemental response of December 23,
- 1993, TVA stated that "the Browns Ferry facility, procedures and operator training provide for provisions to line up alternate water supplies for use in reactor vessel injection."
The licensee discussed a number of these alternate water supplies.
The licensee has considered alternate water supply for vessel injection to be the use of normal systems in abnormal modes.
These include the following capabilities.
The RHR crossties permit the Unit I B or D RHR pumps to circulate Unit 2 suppression pool or reactor vessel water through the Unit I B or D heat exchangers.
The standby coolant supply and RHR crossties allow the Dl or D2 RHR Service Mater Pumps and headers to supply raw river-water directly to the Unit 2 reactor vessel via RHR piping.
The standby liquid control system can
be used as an alternate injection source.
The RHR drain pumps can pump suppression pool water through the RHR system to the vessel.
Finally, the auxiliary boiler can supply steam for the high pressure coolant injection or reactor core isolation cooling steam turbines.
All of these options,
- however, rely on AC to power existing systems.
In addition, the first "alternative" requires the use of Unit I components, but the operability status of the equipment was not addressed, even though BFN Unit I is projected to remain shutdown for several more years.
The generic letter noted that "an important improvement would be to employ a backup or alternate supply of water and pumping capability that is independent of normal and emergency AC power."
BFN Unit 2 has a connection from the firewater system to the Residual Heat Removal (RHR) system.
During a postulated LOCA, coincident with a prolonged station blackout (SBO), the diesel-driven firewater pump could be used to inject raw river water through the RHR system into the drywell spray header.
The diesel-driven firewater pump can deliver 1000 gpm at a 200 psig head.
TVA concluded that the pump has more than ample capacity to provide 200 gpm through the drywell spray header to flood the drywell floor and cool core debris from a postulated vessel breach.
As stated in TVA's letter of December 23, 1993, the procedure for using the diesel-driven fire pump as a
backup means of supplying water to cool core debris on the drywell floor was not in the plant approved procedures as of the cut-off date for modeling the plant and the use of this pump was not evaluated in the Level I analyses.
Therefore, the base case Level 2 analyses of this plant damage state (PDS) had a dry drywell floor at the time of vessel breach with a correspondingly high probability of drywell shell melt-through following vessel breach.
TVA performed a sensitivity analysis which evaluated the availability of the diesel-driven firewater pump and the success of the operator actions to align this alternate water source to the drywell and the spray line (including access to the necessary valves under accident radiation levels) and to initiate spray prior to vessel
- breach, assuming an extended SBO.
The assessment concluded that the alternate water supply could be aligned within the necessary time frame and that this would reduce the early containment failure release category from 44X in the base case to 14X in the sensitivity analysis.
In a station blackout, high pressure coolant injection (HPCI) and reactor core isolation cooling (RCIC) are the only normal systems that can add water to the reactor vessel.
However, these two systems can only operate about 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> due to depletion of the batteries.
This is a relatively short period of time compared to other BWRs.
In the multiunit IPE, TVA should address an alternate supply of water and a pumping capability that is independent of normal and emergency AC power and that could be used, if necessary, to add water to the reactor vessel.
Enhanced Reactor Pressure Vesse PV De essuriz tio S stem Reliab 't As discussed in Section 4.4 of the Browns Ferry Final Safety Analysis Report (FSAR),
BFN Unit 2 has 13 two-stage Target Rock combination safety/relief
~
~
valves (SRVs).
Six of the 13 valves can be selectively actuated automatically
or manually from inside or outside the control room and are the automatic depressurization system (ADS) valves.
In their letter of December 23,
- 1993, TVA described the modifications they had made to the ADS pneumatic supply system in response to NUREG-0737 (TMI Task Action Plan),
Item II.K.3.28 to enhance the long-term (100 days) oper ability of the ADS valves.
The licensee,
- however, has not considered any enhancements beyond the THI Task Action Plan, as proposed in GL 88-20.
The modifications included:
(1) separating the drywell control air system into two separate trains and (2) supplying each train with pressurized nitrogen from one of the separ ate containment air dilution system supply lines.
These modifications adequately address the motive power (pneumatic supply for the ADS valves).
Selective operation of the ADS valves at system pressure other than the set pressure is controlled by a diaphragm-type, pneumatic activator which must be activated to open the valve.
It is actuated by means of a solenoid control valve which admits drywell control air to the air-operator piston chamber.
The solenoid valve requires DC power to operate.
As discussed previously, the BFN Unit 2 IPE predicts that for station blackout without timely recovery of AC power, the HPCI and RCIC systems fail in about 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> due to loss of DC control power (prior even to failure due to loss of suppression pool cooling).
In view of the relatively short time for depletion of the batteries, in the multiunit PRA, TVA should address the longer term availability of DC power for the solenoid valves and depressurization capability.
mer enc Procedures and r
in The BFN Unit 2 IPE was based on Revision 3 of the Boiling Mater Reactors Owners Group Emergency Procedure Guidelines (EPGs).
TVA's letter of June 15, 1993 notified the NRC that they had implemented Revision 4 of the EPGs into the BFN Unit 2 Emergency Operating Instructions (EOIs).
TVA's letter of December 23, 1993 explained that by the time Revision 4 of the EPGs was implemented, the draft IPE was in preparation and that there was inadequate time to revise the computer models, re-interview the operators, requantify the results and meet the commitment to submit the IPE by September 1,
1992.
Revision 4 of the EPGs should be reflected in the multiunit PRA.
Hardened Vent By letter dated June 21,
- 1993, TVA notified the NRC that installation of a hardened wetwell vent had been completed on BFN Unit 2 in response to GL 89-16.
At the time the BFN Unit 2 IPE was submitted,
- however, the design and projected operation of the hardened vent had not been finalized and, therefore, was not included in the IPE which had been based on a cutoff date of December 1991 for the as-built, as-operated plant.
TVA has reiterated their commitment in various correspondence, including their letter of December 23, 1993, that the Browns Ferry PRA will be a living document and that they will incorporate the hardened vent into the next update.
Based on the above, we conclude that TVA has addressed in part, some of the containment performance improvement program recommendations identified in
ll GL 88-20 Supplement 1.
- However, because of the potential benefit that could be realized from implementation of two CPI recommendations, the staff recommends that TVA specifically address in their multiunit PRA:
(I) the use of the diesel driven fire protection system pump to inject water into the reactor vessel upon loss of AC power (station blackout),
and (2) backup power for the ADS valves to permit reactor depressurization following loss of AC and DC power (depletion) given SBO.
2.6 DECAY HEAT REMOVAL (DHR)
EVALUATION In accordance with the guidance in NUREG-1335, the resolution of Unresolved Safety Issue (USI) A-45, "Shutdown Decay Heat Removal Requirements" was incorporated in the IPE.
The licensee performed a plant-specific examination of the BFN Unit 2 DHR functions for all accident sequences to identify potential vulnerabilities.
The submittal focused on the systems that directly perform the decay heat removal functions, these being the main condenser, the Residual Heat Removal (RHR) system in the suppression pool cooling mode, and the RHR system in the shutdown cooling mode.
In summary, the IPE concluded that failure to remove decay heat accounts for 64X if the total CDF.
The failure to removal decay heat includes scenarios in which a loss of offsite power develops into a station blackout.
If this large group of sequences is excluded from the examination, the failure to remove decay heat contributes only 37K to the total core damage.
No vulnerabilities for DHR were identified; the majority of the CDF from loss of DHR is due to station blackout.
The IPE discusses the functional sequences contributing to the overall DHR function.
According to the IPE, the major safety functions to be accomplished following anticipated transients and small LOCA events are:
(a) decay heat removal through the power conversion system (PCS),
(b) maintaining primary system integrity, (c) coolant injection to the reactor, and (d) containment heat removal.
Regarding these functions:
(a)
The licensee took credit in the IPE for the availability of PCS and condensate system following a transient or small LOCA event.
The IPE evaluated applicable operator actions and operating procedures for reopening or bypassing the HSIVs in a timely fashion.
The analysis concluded that the BFN Unit 2 facility is not significantly vulnerable to a loss DHR function because of the availability of PCS.
(b)
The licensee evaluated the various design features affecting the integrity of the reactor primary system as, for example, recirculation and SRV discharge system piping design features or recirculation and RHR pump seals design features.
The analysis found that seal failures of the recirculation pumps following a station blackout scenario will be prevented due to isolation of the recirculation loops and that the seals of the RHR pumps have been designed to survive high temperature.
The IPE also evaluated potential accident scenarios that could result from failure of the SRV discharge piping and vacuum breakers and pertinent operator actions for avoiding early containment failure (prior to core damage) due to wetwell overpressurization.
The IPE identified all DHR scenarios involving injection failures and evaluated the design and operational features of systems providing independent means of short and long term coolant injection (at either high or low pressure),
including alternate water injection sources such as RHR service water or diesel-driven fire water pumps.
The analysis concluded that the BFN Unit 2 facility is not significantly vulnerable to a loss of injection sequences following a transient.
(d)
The licensee evaluated the design features of suppression pool cooling, drywell spray and wetwell spray through
- RHR, RHR shutdown cooling, and manual venting of the drywell and the wetwell (that provide independent means of containment heat removal) and operational features such as inhibiting and overriding certain design-intended functions.
The analysis shows that if RHR is unavailable, the containment pressure could be effectively reduced by manual venting of both drywell and wetwell prior to reaching the point of a gross containment failure.
Although the IPE did not model critical aspects of venting features, the licensee has established venting provisions along with operator training and procedures for overriding equipment when necessary.
However, the IPE did not take credit for operator venting.
Based on the licensee's IPE's methods used to search for DHR vulnerabilities, and the staff's review of BFN Unit 2 specific features, the staff concludes that the licensee's DHR evaluation is consistent with the intent of the resolution of USI A-45 (Decay Heat Removal Reliability Problems).
2.7 LICENSEE ACTIONS AND COMMITMENTS FROM THE IPE In Section 6 of the submittal, TVA discussed the unique plant strengths and weaknesses that were identified by the IPE, along with potential plant and procedural improvements and lessons learned as a result of the examination.
TVA has adopted two sets of criteria for identifying vulnerabilities; one set is based on the results of core damage frequency that are used to evaluate potential vulnerabilities in the systems that protect the reactor core integrity.
The second set is based on the results for large, early release frequency that are used to evaluate vulnerabilities from the point of view of containment integrity.
Each set includes criteria for the numerical results, how the results are distributed across the underlying contributors, and the availability of cost-effective ways to reduce core damage or large, early release frequency.
The licensee defined "vulnerability" as the failure of critical components, support
- systems, or operator actions that contribute significantly (greater than 5E-5 per reactor-year) to the overall CDF or contribute significantly (greater than 5E-5 per reactor year) to the early release frequency.
Based on these criteria, the licensee did not identify any vulnerabilities that warrant modifications to the BFN Unit 2 facility at this time.
The licensee used another set of probabilistic criteria to identify potential plant enhancements in combination with cost/benefit considerations.
According to these criteria, plant enhancements will be considered if the
- CDF, due to an individual initiator, single component failure, or single oper ator action CDF exceeds the value of 5E-5 per reactor-year, or if the CDF, due to a single system division (or a train), exceeds 1E-4 per reactor year.
Application of these criteria did not result in the identification of any enhancements.
As TVA stated in their initial IPE submittal and in their supplemental response of September 21, 1993, the BFN Unit 2 IPE represents the as-built, as-operated plant as of December 1991.
In discussions with plant operating personnel, the licensee's IPE team determined that the operators routinely block the actuation of the automatic depressurization system (ADS) for all nonATWS general transient initiators.
The purpose of blocking the ADS actuation is to allow the operators time to fully pursue recovery of high pressure injection sources before reactor vessel depressurization occurs.
This mode of operation was modeled in the PRA and found to be beneficial.
With respect to follow-on actions:
1.
TVA will perform an expanded PRA which includes 10 shared systems and considers all three units in operation with two initiating events as described in TVA's letter of February 7, 1992 and NRC's letter of July 22, 1992.
2.
TVA will model the hardened vent into the Browns Ferry PRA as discussed in their letter of December 23, 1993.
3.
The Browns Ferry PRA is intended to be a living document and will be periodically updated to reflect the current design of the plant.
4.
As discussed in TYA's letter of June 25, 1992, Revision 4 of the BWROG's EPGs have been incorporated in the Browns Ferry Emergency Operating Instructions.
3.0 CONCLUSION
S The staff finds the licensee's IPE submittal for internal events including internal flooding consistent with the information requested in NUREG-1335, except as related to two parts of the CPI Recommendations.
Based on the review of the IPE, the staff finds the licensee's IPE conclusion that no fundamental weakness or severe accident vulnerabilities exist at BFN Unit 2 to be reasonable.
The staff notes that:
1.
TVA personnel were involved in the development and application of PRA techniques to the BFN Unit 2 facility, and that the associated walkdowns and documentation reviews constituted a viable process for confirming that the IPE represent the as-built, as-operated plant.
2.
The licensee performed both inhouse and independent peer review to ensure that the IPE analytic techniques had been correctly applied and documentation is accurate.
3.
The front-end IPE analysis is complete with respect to the level of detail requested in NUREG-1335.
4.
The back-end analysis addressed the most important severe accident phenomena normally associated with Nark I containments.
No obvious or significant problems or errors were identified.
5.
The licensee developed a quantitative understanding of the contribution of human errors to core damage frequency and containment failure probabilities.
6.
The employed analytical techniques in the front-end analysis, the back-end analysis, and the HRA are capable of identifying potential plant-specific vulnerabilities.
7.
The licensee's IPE process searched for DHR vulnerabilities consistent with the USI A-45 (Decay Heat Removal Reliability) resolution.
8.
Although the licensee addressed in part some of the CPI recommendations, the staff recommends that TVA address two of the Hark I containment performance improvement recommendations in their multiunit PRA submittal.
Based on the above findings, the staff concludes that the licensee demonstrated an overall appreciation of severe accidents, has an understanding of the most likely severe accident sequences that could occur at the BFN Unit 2 facility, has gained a quantitative understanding of core damage and fission product release, and responded appropriately to safety improvement opportunities identified during the process.
The staff, therefore, finds the BFN Unit 2 IPE as meeting the intent of GL 88-20 with the exception of the licensee's response to two parts of the CPI recommendations (i.e., diesel driven pump for vessel injection and longer term DC power for the ADS solenoid valves).
These two CPI recommendations should be addressed as part of the multiunit PRA submittal.
Principal Contributors:
E. Lois, J. Ridgely, E. Chelliah Dated:
DATA
SUMMARY
FOR BROWNS FERRY UNIT 2 INDIVIDUALPLANT EXAMINATION INTERN ENTS AND IN NAL LOODS Total Mean Core Damage Frequency 4.8E-5 per Reactor Year (RY)
Individual Contributions to Overall Nean Core Damage Frequency (CDF) by Initiating Events (IEs)
C te Loss of Offsite Power (Non-SB Cases)
Loss of Offsite Power (SB Cases)
Transients (Vessel isolation)
Transients (No Vessel isolation)
Stuck Open Relief Valves Loss of All Support Systems ISLOCA All Other LOCAs Internal Floods ATWS Top Two Dominant Sequences e
e 2.0E-5 1.3E-5 3.9E-6 4.5E-6 7.3E-6 6.6E-7 4.6E-8 7.0E-7 4.7E-6
- 1. 3E-6 42 27 2
1
<I 1
10 NA Se uence 1 - Loss of offsite power followed by failure of the on-site diesel generators, operator failure to recover offsite power within 6 hours6.944444e-5 days <br />0.00167 hours <br />9.920635e-6 weeks <br />2.283e-6 months <br /> resulting in a long-term station blackout (SBO).
The coolant make up to the reactor through the turbine-driven HPCI system (or the RCIC system) is assumed to be successfully operational during the initial 4-hour period following the SBO event.
After this period, the HPCI system (or the RCIC system) is expected to fail due to station battery depletion and results in core damage.
The operator successfully depressurized the reactor prior to the battery depletion.
Frequency estimate 6.5E-6 per reactor year (14X of total CDF).
~5 L
g T
bi f1 di g
t 1t i
b1 of AC power from both the 500 kV system and the 161 kV system, followed by failure of on-site diesels resulting in a long term SBO event.
HPCI or RCIC systems are assumed to be successfully operational during the initial four hour period of this SBO event.
However, the operator cannot depressurize the reactor prior to the battery depletion due to the loss of both the plant control air and the drywell control air systems to the initiator.
Frequency estimate 1.4E-6 per reactor year (3X of total CDF).
A-1
~
Conditional containment failure probability given core damage:
~
Drywell 70.0X (Liner melt-through 44X, Structural failure 26X)
~
Metwell
~
Bypass
~
Intact 0.0X 2.0X 28.0X
~
Important Operator Actions to Prevent A Core Damage Event
~
Manual depressurization of the reactor vessel using the SRVs
~
Control of reactor vessel level at low pressure using RHR or Core Spray
~
Recovery of pool cooling by closing alternate LPCI valves or local manual operation of Suppression Pool valves
~
Alignment of alternate injection to the vessel via Unit 1 to Unit 2 RHR cross-tie
~
Start of the RHR pumps or the LPCS pumps, given high pressure injection systems have failed
~
Restoration of AC power to 480V Reactor NOV Boards
~
Transfer Unit 1 and Unit 2 4kV Unit Boards to 161kV power source, given loss of SOOkV power
~
Start of the Standby Liquid Control system, given a fail-to-scram event with the reactor vessel isolated
~
Align RHR for drywe11 spray during non-ATWS scenarios Actions taken by Tennessee Valley Authority (TVA) to address characterized vulnerabilities As part of its previous PRA activities, TVA identified and installed some plant improvements.
During the IPE the benefits of these improvements were confirmed and documented in Section 6.2 of the IPE.
Follow up Action by TYA TVA did not identify any cost-beneficial plant modification.
TVA intends to maintain the Browns Ferry PRA as a living document by periodically updating it.
A-2
~ Significant PRA findings:
0 The most significant risk-reduction events are:
~
Failure of diesel generator A during startup
~
Failure of diesel generator B during startup
~
Failure of diesel generator C during startup
~
Failure of RHR Pump D given 1 previous bypass and two failures.
o The most significant risk-achievement events are:
~
RHR pump A fails, all support available
~
Failure of diesel generator A during startup
~
Failure of diesel generator B during startup
~
All support available
~
Failure of diesel generator C during startup
~ Improvements stemming from IPE study:
None
~ Important plant hardware and plant characteristics:
0 Unit 2 takes credit for some of Unit 1 structures,
- systems, and components.
0 Relatively short battery lifetime (4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />) results in loss of HPCI/RCIC four hours after station blackout.
This provides a
relatively short time for recovery of offsite power.
~ Potential improvements under evaluation:
None The above information is from the Browns Ferry Unit 2 IPE and has not been validated by the NRC staff.
The factor decrease in the CDF when the conditional failure probabilities associated with the event is reassigned to a value of 0.0 The factor increase in the CDF when the conditional failure probabilities for the event is reassigned to a value of 1.0 A-3
BROWNS FERRY UNIT 2 IPE:
FRONT END REVIEW TECHNICAL EVALUATION REPORT ENCLOSURE 2