ML18101B286
| ML18101B286 | |
| Person / Time | |
|---|---|
| Site: | Salem |
| Issue date: | 08/31/1995 |
| From: | Thomas W SCIENCE & ENGINEERING ASSOCIATES, INC. |
| To: | NRC |
| Shared Package | |
| ML18101B285 | List: |
| References | |
| CON-NRC-04-91-066, CON-NRC-4-91-66 SEA-94-2300-40, SEA-94-2300-40-A:3, NUDOCS 9603260227 | |
Salem Generating Station Technical Evaluation Report on the Individual Plant Examination Front End Analysis
NRC-04-91-066, Task 40
Willard Thomas
Science and Engineering Associates, Inc.
Prepared for the Nuclear Regulatory Commission
SEA-94-2300-40-A:3
August 31, 1995
ENCLOSURE L.
TABLE OF CONTENTS
E. EXECUTIVE SUMMARY
    E.1 Plant Characterization
    E.2 Licensee's IPE Process
    E.3 Front-End Analysis
    E.4 Generic Issues
    E.5 Vulnerabilities and Plant Improvements
    E.6 Observations
1. INTRODUCTION
    1.1 Review Process
    1.2 Plant Characterization
2. TECHNICAL REVIEW
    2.1 Licensee's IPE Process
        2.1.1 Completeness and Methodology
        2.1.2 Multi-Unit Effects and As-Built, As-Operated Status
        2.1.3 Licensee Participation and Peer Review
    2.2 Accident Sequence Delineation and System Analysis
        2.2.1 Initiating Events
        2.2.2 Event Trees
        2.2.3 Systems Analysis
        2.2.4 System Dependencies
    2.3 Quantitative Process
        2.3.1 Quantification of Accident Sequence Frequencies
        2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses
        2.3.3 Use of Plant-Specific Data
        2.3.4 Use of Generic Data
        2.3.5 Common-Cause Quantification
    2.4 Interface Issues
        2.4.1 Front-End and Back-End Interfaces
        2.4.2 Human Factors Interfaces
    2.5 Evaluation of Decay Heat Removal and Other Safety Issues
        2.5.1 Examination of DHR
        2.5.2 Diverse Means of DHR
        2.5.3 Unique Features of DHR
        2.5.4 Other GSI/USIs Addressed in the Submittal
    2.6 Internal Flooding
        2.6.1 Internal Flooding Methodology
        2.6.2 Internal Flooding Results
    2.7 Core Damage Sequence Results
        2.7.1 Dominant Core Damage Sequences
        2.7.2 Vulnerabilities
        2.7.3 Proposed Improvements and Modifications
3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS
4. DATA SUMMARY SHEETS
REFERENCES
LIST OF TABLES
Table 2-1. Plant-Specific Component Demand Failure Data
Table 2-2. Generic Component Failure Data
Table 2-3. Common-Cause Beta Factors
Table 2-4. Internal Flooding Results
Table 2-5. Accident Types and Their Contribution to CDF
Table 2-6. Initiating Events and Their Contribution to CDF
Table 2-7. Dominant Core Damage Sequences
Table 2-8. Summary of Plant Changes Due to Station Blackout Rule
E. EXECUTIVE SUMMARY
This report summarizes the results of our review of the front-end portion of the Individual Plant Examination (IPE) for the Salem Generating Station (SGS). This review is based on information contained in the IPE submittal [IPE Submittal] along with the licensee's responses [RAI Responses] to a request for additional information (RAI).
E.1 Plant Characterization
The Salem Generating Station (SGS) consists of two Westinghouse Pressurized Water Reactors (PWRs), Unit 1 (SGS-1) and Unit 2 (SGS-2). Both units are four-loop designs with large, dry containments. The SGS is operated by the Public Service Electric and Gas Company (PSE&G).
Design features at SGS that impact the core damage frequency (CDF) relative to other PWRs are as follows:
Ability to perform feed and bleed once-through cooling. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of the auxiliary feedwater (AFW) system.
Onsite gas turbine. This design feature lowers the CDF by providing an alternate source of onsite power in the event a loss of offsite power (LOSP) occurs.
Requirement that at least 2 of 3 diesel generators must operate to provide emergency AC power given a LOSP and unavailability of the gas turbine. At least 2 service water pumps must operate to provide adequate flow to the diesel generator cooling water system. Because each diesel generator can provide sufficient power for only one service water pump, at least 2 of 3 diesel generators must operate to provide sufficient cooling to the diesel generator cooling water system. Therefore, while the electrical output from only one diesel generator may be sufficient in some situations to support reactor cooling functions, 2 diesel generators must operate to ensure adequate diesel generator cooling. This design feature tends to increase the CDF.
Dependency of motor-driven AFW pumps on room cooling. This dependency tends to increase the CDF.
Control air system cross-connection between Units 1 and 2. This design feature tends to decrease the CDF. Credit for this cross-connection was taken in the analysis.
Chilled water cross-connection between Units 1 and 2. This design feature tends to decrease the CDF. Credit for this cross-connection was taken in the analysis.
Manual emergency core cooling system (ECCS) switchover to recirculation. This design feature tends to increase the CDF over what it would be otherwise with an automatic system.
Containment fan cooler units. The containment fan cooler units provide a method of containment cooling that is independent of the containment spray system. This design feature tends to lower the CDF.
E.2 Licensee's IPE Process
The licensee undertook its first risk assessment of the SGS in 1984. The results from this study were published in 1985 [Salem Baseline Risk]. This early study was performed with a minimal amount of plant-specific data. Recognizing the importance of plant-specific models for assessing plant risk, PSE&G initiated a Level 1 probabilistic risk assessment (PRA) project that was begun in July 1987 and completed in August 1988, before issuance of Generic Letter 88-20. To meet the requests of Generic Letter 88-20, this Level 1 PRA was updated [Salem PRA Update], and a Level 2 PRA was developed [Salem Cont. Pert.]. The IPE represents a condensation of these Level 1 and 2 PRA studies. The front-end analysis accounts for plant changes as of August 31, 1990, while the back-end portion of the analysis was frozen as of December 31, 1991.
The IPE includes a separate analysis of each SGS unit (SGS-1 and SGS-2). The analysis was initially performed for SGS-1. Where appropriate, the SGS-1 models and data were modified to reflect SGS-2, and the CDF and containment accident sequences requantified. Walkdowns were performed for the flooding analysis, as well as to confirm the accuracy of plant system modeling for other purposes, such as areas impacted by heating, ventilating, and air conditioning (HVAC) failures.
The IPE was prepared primarily by PSE&G staff engineers. PSE&G utilized contractor support to train the PSE&G staff in PRA technologies, with emphasis on hands-on training. Contractors were used only to provide instruction for sequence quantification.
The original SGS Level 1 PRA completed before the issuance of Generic Letter 88-20 involved 3 PSE&G engineers, while a "leading contractor" (apparently Pickard Lowe and Garrick) provided technical direction and performed major portions of the analysis.
A peer group including various industry PRA experts reviewed the initial modeling efforts for the original SGS Level 1 PRA. An independent formal review was also made of the front and back-end portions of the IPE. The independent review team was composed of five individuals with experience in PRA, emergency and normal operating procedures, systems engineering, safety analysis, and maintenance. The technical lead for the independent review team was a consultant from Reliability and Performance Associates. The other four independent review team members were PSE&G employees. The submittal summarizes independent review team comments and resolutions.
The licensee intends to maintain a "living" PRA to support operations, design changes, and severe accident management.
E.3 Front-End Analysis
The methodology chosen for the SGS IPE front-end analysis was a Level 1 PRA; the small event tree/large fault tree technique with fault tree linking was used and quantification was performed with the Set Equation Transformation System (SETS) software.
The success criteria are stated to be best estimate and were based on a variety of information, including PRAs for other similar plants and limited SGS-specific thermal hydraulic analyses. It appears that the Modular Accident Analysis Program (MAAP) code was used for most of the SGS-specific thermal hydraulic analyses. The onset of core damage was defined as the beginning of sustained core uncovery; that is, the water level within the vessel has receded such that there is uncovery of the top of active fuel.
The IPE quantified 15 initiating events (exclusive of internal flooding): 3 generic or typical transients; 3 plant-specific support system failures; 2 steam/feedwater line break events; and 7 loss of coolant accident (LOCA) events, including steam generator tube rupture (SGTR) and interfacing systems LOCA (ISLOCA). The IPE developed 20 systemic event trees to model the plant response to each of these initiating events. For the internal flooding analysis, the licensee quantified 31 initiating event categories and developed 6 special event trees.
The IPE used both plant-specific data and generic data to quantify component failures and maintenance unavailabilities. The plant-specific component failure data were used to support a Bayesian update of generic component failure data.
A formal statistical uncertainty analysis of the CDF was performed on the internal events portion of the analysis (exclusive of flooding). An importance analysis was performed and described in the submittal. Thirteen different sensitivity analyses were performed for the front-end portion of the analysis.
The multiple Greek letter (MGL) method was used to quantify common cause failure events within systems. The common cause events were incorporated into the fault tree models. As further discussed in Section 2.3.5 of this report, the number of categories of equipment items considered in the common cause analysis was more limited compared to some other IPE/PRA studies.
Point estimate internal events CDF contributions (exclusive of internal flooding) are 4.45E-05/yr (SGS-1) and 4.82E-05/yr (SGS-2). The point estimate internal flooding CDF contributions are 7.31E-06/yr (SGS-1) and 7.21E-06/yr (SGS-2). By combining these point estimates, the overall CDF estimates for SGS-1 and SGS-2 are 5.2E-05/yr and 5.5E-05/yr, respectively.
Dominant initiating event contributors to the CDF are as follows:¹

SGS-1:

| Initiating event | Contribution to CDF |
|---|---|
| LOSP | 49% |
| Transient with power conversion system (PCS) available | 10% |
| Non-isolable flood 84-ft elev of aux. bldg. | 8.1% |
| Intermediate LOCA | 6.0% |
| Propagation of flood water to 64-ft switchgear room | 5.0% |
| Small LOCA | 4.8% |

SGS-2:

| Initiating event | Contribution to CDF |
|---|---|
| LOSP | |
| Transient with PCS available | 20% |
| Non-isolable flood 84-ft elev of aux. bldg. | 7.6% |
| Intermediate LOCA | 7.4% |
| Transient with PCS unavailable | 5.6% |
| Rupture of fire prot. piping in 64-ft switchgear room | 4.5% |

¹ A complete list of initiating event contributors for each unit is provided in Table 2-6 of this report.

Contributors to CDF by accident type are as follows:

SGS-1:

| Accident type | Contribution to CDF |
|---|---|
| Station blackout | 41% |
| Transient | 25% |
| LOCA | 15% |
| Internal Flooding | 14% |
| Anticipated transient without scram (ATWS) | 2.7% |
| ISLOCA | 1.1% |
| SGTR | 0.6% |

SGS-2:

| Accident type | Contribution to CDF |
|---|---|
| Transient | 36% |
| Station blackout | 31% |
| LOCA | 16% |
| Internal Flooding | 13% |
| ATWS | 2.3% |
| ISLOCA | 1.0% |
| SGTR | 0.3% |

Differences in the results between SGS-1 and SGS-2 are mainly the result of unit-specific data related to initiating events, testing and maintenance outages, and component failures. For example, over the period for the plant-specific initiating event evaluation, SGS-2 experienced more transients than SGS-1. This situation was related to the fact that SGS-2 had an undersized condensate system and a higher thermal rating than SGS-1. The condensate system has been corrected and the thermal ratings of the two units are now the same.
Based on the risk reduction measure, the most important non-initiating events at both units are (in order): non-recovery of power within 1 hour, non-recovery of power within 4 hours, non-recovery of power within 6 hours, and reactor coolant pump (RCP) seal LOCA at 2 hours after loss of cooling.
The Level-1 endstates were collapsed into a set of representative plant damage states (PDSs) for investigation of containment response.
E.4 Generic Issues
The licensee specifically addresses decay heat removal (DHR). One part of the licensee's DHR examination involves a review of the basic event importance measures associated with the AFW system. The licensee concludes that AFW failures are important to the risk profile. The licensee also notes that a comparative evaluation of SGS results with 9 other plants showed that no unique vulnerabilities exist at the SGS units.
The licensee also made a review of the event importance measures associated with the power operated relief valves (PORVs) to judge the significance of the feed and bleed function. While the PORVs are less important than the AFW equipment items, they nevertheless are significant from a risk reduction measure. A sensitivity analysis demonstrated that loss of feed and bleed capability would more than double the CDF at SGS-1 (from 5.2E-05/yr to over 1E-04/yr). However, the licensee points out that feed and bleed is recognized as being important to safety, and training is emphasized for this function. Finally, the licensee made a probabilistic assessment of Technical Specification changes for the operations of PORVs and their associated block valves as requested by Generic Letter 90-06 [GL 90 06]. The more restrictive limiting conditions of operations for the PORVs and block valves associated with the generic letter were estimated to decrease the CDF by 4.5% at SGS-1 (from 5.2E-05/yr to about 5.0E-05/yr). It was judged by the licensee that this level of CDF decrease did not indicate any particular DHR weakness. For SGS-2, historical equipment outage times were less than the requested outage times, and there was no impact on the CDF.
In summary, no vulnerabilities were identified by the licensee in conjunction with the DHR evaluation.
The IPE was not used to resolve any generic safety issues/unresolved safety issues (GSI/USIs) beyond USI A-45.
E.5 Vulnerabilities and Plant Improvements
For a sequence or event to be considered a vulnerability, it had to pass the systemic sequence reporting criteria provided in NUREG-1335 and contribute inordinately to the CDF with respect to either:
Other SGS core damage sequences or events, or
In comparison to similar sequences or events for other plants as determined from PRA results.
Importance analyses, sensitivity studies, and comparisons of SGS results with other PRAs from other Westinghouse plants were used to determine whether the above criteria were satisfied.
The licensee identified one vulnerability from the IPE analysis. Emergency Operating Procedures (EOPs) in place at the time the IPE analysis was performed checked for LOCAs inside containment before considering the possibility of a LOCA outside containment. For plants like Salem where the residual heat removal (RHR) relief valves direct flow into the pressure relief tank, the blowout of the pressure relief tank rupture disk will indicate a small LOCA. Consequently, the operators may transfer to the LOCA procedures and never to the procedure for a LOCA outside containment. This procedure weakness was stated to be common to Westinghouse PWRs and identified as a vulnerability.
The licensee made one plant improvement as a result of the IPE. This improvement was made to address the ISLOCA procedural weakness described above. Assuming a human error probability (HEP) of 0.10, the licensee estimates that this procedural modification reduces the overall CDF and large early release frequency by 1% and 4%, respectively.
Finally, the licensee summarized the following plant changes made in response to the station blackout rule: (1) installation of explosion-proof battery room heaters, (2) installation of a diesel-driven air compressor, and (3) enhancement of plant procedures to require battery load shedding and opening of doors to enhance ventilation in various rooms. The IPE appears to have taken credit for the function of the diesel-driven air compressor (item no. 2 above) during station blackout conditions, though this air compressor was not explicitly modeled in the analysis.
E.6 Observations
The licensee appears to have analyzed the design and operations of the SGS to discover instances of particular vulnerability to core damage. It also appears that the licensee has: developed an overall appreciation of severe accident behavior; gained an understanding of the most likely severe accidents at the SGS; gained a quantitative understanding of the overall frequency of core damage; and implemented changes to the plant to help prevent and mitigate severe accidents.
One strength of the IPE was identified. Specifically, the licensee has performed a separate analysis for each SGS unit. While both units are very similar, there have been historical differences related to initiating event frequencies, testing and maintenance outages, and component failures. There are also unit-specific design differences that influence the internal flooding analysis. These differences between the two SGS units are accounted for in the IPE.
One weakness of the IPE was identified. Specifically, the number of equipment types analyzed in the common cause analysis is more limited than in some other IPE/PRA studies.
Significant level-one IPE findings are as follows:
Station blackout is a dominant contributor to CDF at both units.
Like a number of other PWR IPE/PRA studies, station blackout is a dominant contributor to CDF at the SGS. Important contributors to station blackout CDF include failure of the turbine-driven AFW train and the possibility of an RCP seal LOCA.
Another contributor to station blackout is the fact that a single diesel generator cannot by itself support sufficient cooling water flow to sustain its own operation. While the electrical output from a single diesel generator may be sufficient to support reactor cooling functions, 2 diesel generators must operate to ensure adequate diesel generator cooling from the service water system. Finally, it is noted that the station blackout contribution would have been significantly higher if the site did not have an onsite gas turbine generator.
1. INTRODUCTION
1.1 Review Process
This report summarizes the results of our review of the front-end portion of the IPE for the SGS. This review is based on information contained in the IPE submittal [IPE Submittal] along with the licensee's responses [RAI Responses] to a request for additional information (RAI).
1.2 Plant Characterization
The SGS consists of two Westinghouse PWRs, Unit 1 (SGS-1) and Unit 2 (SGS-2). Both units are four-loop designs with large, dry containments. Both units have power ratings of 3,411 megawatt thermal (MWt) and 1,115 net megawatt electric (MWe). SGS-1 began commercial operation in June 1977, while SGS-2 began commercial operation in October 1981. The SGS is operated by the PSE&G. The PSE&G also designed and constructed the SGS units. United Engineers and Constructors provided supervision of field erection. [pp. 1.2-1, 1.4-1 of UFSAR, 2-1 of submittal]
The SGS facility is located in New Jersey on the eastern shore of the Delaware River, about 18 miles south of Wilmington, Delaware. Co-located on the SGS site is the Hope Creek Generating Station, a single unit boiling water reactor (BWR) 4/Mark 1 plant. Hope Creek is also operated by the PSE&G. [pp. 1.2-1 of UFSAR, 1-2, 1-13 of submittal]
There are several other Westinghouse four-loop plants with large dry containments that are similar to Salem, for example Zion 1 and 2, Indian Point 2 and 3, Diablo Canyon 1 and 2, and Byron 1 and 2. The licensee used the Zion NUREG-1150 analysis to establish a comparative plant safety baseline with the SGS results. [pp. 1-7, 7-20 of submittal]
Design features at SGS that impact the core damage frequency (CDF) relative to other PWRs are as follows:
Ability to perform feed and bleed once-through cooling. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of the AFW system.
Onsite gas turbine. This design feature lowers the CDF by providing an alternate source of onsite power in the event a LOSP occurs.
Requirement that at least 2 of 3 diesel generators must operate to provide emergency AC power given a LOSP and unavailability of the gas turbine. At least 2 service water pumps must operate to provide adequate flow to the diesel generator cooling water system. Because each diesel generator can provide sufficient power for only one service water pump, at least 2 of 3 diesel generators must operate to provide sufficient cooling to the diesel generator cooling water system. Therefore, while the electrical output from only one diesel generator may be sufficient in some situations to support reactor cooling functions, 2 diesel generators must operate to ensure adequate diesel generator cooling. This design feature tends to increase the CDF.
Dependency of motor-driven AFW pumps on room cooling. This dependency tends to increase the CDF.
Control air system cross-connection between Units 1 and 2. This design feature tends to decrease the CDF. Credit for this cross-connection was taken in the analysis.
Chilled water cross-connection between Units 1 and 2. This design feature tends to decrease the CDF. Credit for this cross-connection was taken in the analysis.
Manual ECCS switchover to recirculation. This design feature tends to increase the CDF over what it would be otherwise with an automatic system. [pp. 3.2-23, 3.2-30 of submittal]
Containment fan cooler units. The containment fan cooler units provide a method of containment cooling that is independent of the containment spray system. This design feature tends to lower the CDF.
2. TECHNICAL REVIEW
2.1 Licensee's IPE Process
We reviewed the process used by the licensee with respect to: completeness and methodology; multi-unit effects and as-built, as-operated status; and licensee participation and peer review.
2.1.1 Completeness and Methodology.
The submittal is complete with respect to the type of information requested by Generic Letter 88-20 and NUREG-1335.
The front-end portion of the IPE is a Level 1 PRA. The specific technique used for the Level 1 PRA was the small event tree/large fault tree technique with fault tree linking, and it was clearly described in the submittal.
Internal initiating events and internal flooding were considered. Event trees were developed for all classes of initiating events. Support systems were modeled with fault trees and linked with the appropriate frontline system fault trees. All pertinent intersystem dependencies appear to have been accounted for. An importance analysis was performed and described in the submittal. Sensitivity analyses were performed for the front-end portion of the analysis. A formal statistical uncertainty analysis of the CDF was performed on the internal events portion of the analysis (exclusive of flooding).
2.1.2 Multi-Unit Effects and As-Built, As-Operated Status.
Sharing of systems between SGS-1 and SGS-2 is limited to compressed air, demineralized water, bulk nitrogen supply, and the solid radwaste handling system.
One auxiliary building is used for both SGS units. This building houses the control rooms and most of the ex-containment safety systems, including the diesel generators.
A single turbine building is used for both units. In addition, a single 4-bay service water intake structure provides cooling water to these two units, with two bays dedicated to each unit. Other buildings shared between SGS-1 and SGS-2 include the circulating water intake structure and radwaste building. Credit was taken in the analysis for providing SGS-1 control air system (CAS) from SGS-2 compressor equipment, and vice versa. [pp. 3.1-4 of UFSAR, 1-3, 2-29, 3.2-104 of submittal]
A cross-connection of the SGS-1 and SGS-2 chilled water systems can be made via the alignment of manual valves. Chilled water is used to supply cooling to the control area coolers and emergency air compressor. Credit for this cross-connection was taken in the flooding analysis. [pp. 3.2-77, 3.3-42 of submittal]
A gas turbine of approximately 40 MW output capacity is located on the SGS site. This gas turbine is capable of providing SGS-1 or SGS-2 with an alternate supply of onsite power. Credit was taken in the analysis for the gas turbine unit. [pp. 8.3-8, Fig. 8.3-2 of UFSAR, 3.1-80, 3.2-54, 3.2-55 of submittal]
Co-located on the same site with SGS-1 and SGS-2 is the Hope Creek BWR. One of the three 500 kV transmission lines from the SGS switching station serves as a tie line to the Hope Creek 500 kV switchyard. It is not clear if credit was taken for supplying offsite power to the SGS units from the Hope Creek tie line. Also, it is not clear if credit was taken for supplying offsite power from one SGS unit to the other SGS unit. [p. 8.1-1 of UFSAR] [pp. 3.1-71, 3.1-108 of submittal]
Based on information contained in the UFSAR and submittal regarding shared facilities and systems, it appears that the IPE has accounted for multi-plant interconnections and shared systems.
A variety of plant-specific information was used to support the IPE including: the UFSAR, system descriptions and configuration baseline documents, various plant and system drawings, Technical Specifications, normal and emergency operating procedures, test and maintenance procedures, and the operator training manual.
Walkdowns were performed for the flooding analysis, as well as to confirm the accuracy of plant system modeling for other purposes, such as areas impacted by heating, ventilating, and air conditioning (HVAC) failures. [pp. 2-42 to 2-44, 4.1-2 of submittal]
The internal front-end analysis accounts for plant changes as of August 31, 1990, while the back-end portion of the analysis was frozen as of December 31, 1991. [pp. 2-42, 5-1 of submittal]
2.1.3 Licensee Participation and Peer Review.
As stated in the submittal, it has been an objective of PSE&G to involve the maximum number of PSE&G personnel in all activities associated with the IPE and to minimize the use of contractor support. PSE&G utilized contractor support to train the PSE&G staff in PRA technologies, with emphasis on hands-on training. The IPE was prepared primarily by PSE&G staff engineers. Various SGS systems engineers were involved in reviews of various portions of the IPE. In addition, PSE&G personnel performed the quantification of both the Level 1 and Level 2 models. Contractors were used only to provide instruction for sequence quantification. [pp. 2-3, 2-5, 2-7, 2-8 of submittal]
The original SGS Level 1 PRA completed before the issuance of Generic Letter 88-20 involved 3 PSE&G engineers, while a "leading contractor" (apparently Pickard Lowe and Garrick) provided technical direction and performed major portions of the analysis. Additional subcontractors were utilized for human reliability analysis support. As further noted in the submittal, PSE&G contracted with another "leading contractor" (apparently also Pickard Lowe and Garrick) in August 1990 to update and refine the initial SGS PRA models and to provide leadership in a plant-specific containment bypass study and Level 2 PRA. As was previously noted, the update of the original SGS PRA formed the basis for the IPE. [pp. 2-3, 2-5, 2-6 of submittal]
The acknowledgment section of the submittal lists several contractors and areas of involvement. This information is summarized below: [p. I of submittal]
El International (technical guidance and some support of original SGS PRA)
Advance Resource Development Corporation (HRA assessment for original SGS PRA)
Pickard Lowe and Garrick (technical guidance and services to update SGS Level I PRA throughout 1990; technical guidance and assistance with Level 2 PRA; with assistance from Safety Factor Associates, performed a plant-specific containment bypass analysis)
ABB Impell Corp. (SGS-specific probabilistic containment capacity analysis)
Utility Resource Associates (development of reactor core model for MAAP)
Gabor, Kenton and Associates (technical resolution of modeling unique SGS characteristics with MAAP)
Reliability and Performance Associates (technical guidance and support of IPE independent review)
A peer group including various industry PRA experts reviewed the initial modeling efforts for the original SGS Level 1 PRA. Various portions of the IPE were reviewed by SGS systems engineers. [pp. 2-5, 2-7 of submittal]
An independent formal review was made of the front and back-end portions of the IPE. Areas for the review included the IPE process, initiating events, event trees, system modeling, human factors, walkdowns, data, internal flooding, and results. The review team was composed of five individuals with experience in PRA, emergency and normal operating procedures, systems engineering, safety analysis, and maintenance. The technical lead for the independent review team was a consultant from Reliability and Performance Associates. The other four review team members were PSE&G employees. [pp. 5-1, 5-2 of submittal]
The submittal lists the review comments and responses. A summary of the 14 review team suggestions is provided in Table 5.A of the submittal. [pp. 5-1 to 5-24 of submittal]
2.2 Accident Sequence Delineation and System Analysis
This section of the report documents our review of both the accident sequence delineation and the evaluation of system performance and system dependencies provided in the submittal.
2.2.1 Initiating Events.
The identification of initiating events included reviews of information from an Electric Power Research Institute (EPRI) study [EPRI 2230], an NRG-sponsored report
[NU REG/CR 3862], a search of licensee event report (LER) data, and reviews *of several other PRA studies. The licensee also performed a review of SGS-1 support systems to identify failures that would cause a plant trip and adversely affect frontline systems. A survey of SGS-1 high-to-low pressure piping interfaces was made to identify potential ISLOCA initiating events. [pp. 3.1-1 to 3.1-6 of submittal]
The specific categories of initiating events retained in the analysis are listed below: [pp. 3.1-6, 3.1-62 to 3.1-64, 3.1-90, 3.1-91, 3.1-108, 3.3-176, 3.3-177 of submittal]
General/Typical Transients:
- Transient with PCS Initially Available
- Transient with PCS Unavailable
- Loss of Offsite Power
Special (front-line/support system) Transients:
- Loss of DC Bus - includes 3 separate buses
- Loss of Control Air
- Loss of Service Water
Steam/Feedline Breaks:
- Steam Line Break - steam line break outside containment
- Feedwater Line Break - includes steam line break inside containment
LOCAs:
- Very Small LOCA (less than 0.5" equiv. dia.)
- Small LOCA (0.5" to 2" equiv. dia.)
- Intermediate LOCA (2" to 6" equiv. dia.)
- Large LOCA (greater than 6" equiv. dia.)
- Excessive LOCA (reactor vessel rupture)
SGTR
ISLOCA - residual heat removal (RHR) cold leg injection or suction line
Internal Flooding:
- 31 separate initiating event categories (per Table 3.3.8-1 of submittal)
Two HVAC initiating event categories were initially considered in the analysis, specifically the loss of control area air conditioning and the loss of switchgear room ventilation. However, as stated in the submittal, conservative room heat up calculations indicated that it would take more than 5 hours for temperatures to exceed Technical Specification limits in the 84-foot elevation switchgear room. In addition, it would take more than 9 hours to exceed Technical Specification limits in either the control room or 64-foot elevation switchgear room. Consequently, these two HVAC initiating event categories were later excluded from the analysis because they do not lead to a direct trip or an immediate shutdown.
As will be described in more detail in Section 2.2.4 of this report, HVAC is also used to support the operation of equipment in a number of other areas, including: the charging pump rooms, the service water pump bays, and the service water control room. Losses of HVAC to these areas were excluded as initiating events based on their low estimated frequencies. Loss of charging pump HVAC would require both loss of the auxiliary building ventilation system and failure of the room cooler to each of the charging pump rooms. The total loss of service water HVAC was estimated to occur with a frequency less than 1E-08/yr, which is negligible compared to the 8.2E-06/yr loss of service water initiating event frequency. [pp. 1, 2 of RAI Responses] [p. 2-16 of submittal]
Even though the frequency for loss of component cooling water (CCW) is similar to the frequency for loss of service water, loss of CCW was not modeled as an initiating event, as it has a much more limited impact on plant systems. More specifically, while loss of CCW does cause loss of RCP thermal barrier cooling, RCP seal injection can be maintained because the centrifugal charging pumps do not have CCW dependencies. On the other hand, loss of service water would cause a loss of all RCP seal cooling and at the same time disable all high pressure primary system makeup. This condition would occur from a loss of service water because: (1) RCP thermal barrier cooling requires CCW (which would in turn be disabled by loss of service water), (2) lube oil cooling for the centrifugal charging and high head safety injection pumps is directly provided by service water, and (3) lube oil cooling for the positive displacement charging pump is provided by CCW (which would be disabled by loss of service water). As a final comment, it is noted that CCW also supplies cooling water to the RCP motor bearings, and interruption of CCW to operating RCPs has the potential to lead to a vibration-induced RCP seal LOCA. The possibility of a vibration-induced RCP seal LOCA was not modeled in the IPE. However, the licensee states that the core damage contribution from a vibration-induced RCP seal LOCA would be negligibly small due to a number of factors, one of which is the small estimated human error probability (HEP) associated with operator trip of the RCPs. [pp. 10, 11 of RAI Responses] [pp. 9.2-20, 9.2-27 of UFSAR, 3.1-40, 7-1 of submittal]
The IPE does not treat losses of AC buses or inverters with separate special initiating event categories. The licensee states that loss of a non-vital 4,160 VAC bus was considered as a potential initiating event and is included in the "Transient with PCS Initially Available" initiating event category, as opposed to being listed separately. Vital bus and inverter failures were also considered as candidates for special initiating events. However, vital bus and inverter failures were not explicitly modeled as initiating events, as these failures would not cause a reactor trip condition beyond the trip conditions included in other initiating events. [p. 1 of RAI Responses] [p. 3.1-62 of submittal]
A break in the steam supply to the turbine-driven AFW pump would render the pump unavailable and also result in a manual reactor shutdown. While this potential initiating event was omitted from the analysis, its omission has a negligible impact on the overall plant CDF. As estimated by the licensee, the overall CDF would increase by only 7.0E-09/yr if this initiating event had been included in the IPE. [pp. 6-7 of RAI Responses]
In past years, the SGS units have experienced plant trips related to the fouling of circulating water system traveling screens from detritus (debris). A total of 4 plant trips related to debris fouling of traveling screens have been experienced during 31.6 reactor years of operation, or 0.126 events per year. Loss of circulating water is represented in the IPE as a contributor to the "Transient With PCS Unavailable" initiating event category. The licensee states that service water flow has never been compromised by fouling of traveling screens from debris. The licensee further states that service water flow is unlikely to be compromised in the future by this phenomenon because: (1) the zone of influence of the circulating water system does not encompass the service water system, (2) control alarms and indications are provided for screen and strainer delta-p as well as for loss of service water header pressure and pump cavitation, and (3) operators have specific instruction on corrective actions. Thus, the licensee concludes that loss of service water from debris fouling is unlikely, either concurrently with or independent of loss of circulating water. The IPE has used the following initiating event frequencies for complete loss of service water: 3.6E-06/yr (SGS-1) and 8.2E-06/yr (SGS-2). These initiating event frequencies do not appear to account for loss of service water due to intake fouling. In our judgment, the likelihood of service water intake fouling could be comparable to or greater than the IPE frequencies used for loss of service water. [pp. 3.1-62, 3.1-108, 3.4-41 of submittal] [p. 5 of RAI Responses]
The submittal does not explicitly state whether the initiating event for loss of offsite power represents power loss at an individual SGS unit or at both SGS-1 and SGS-2. Also, it is not clear if credit was taken for supplying offsite power from the opposite SGS unit or from the Hope Creek unit. [pp. 3.1-71, 3.1-108 of submittal]
The submittal describes the initiating event quantification process. For the general transients listed above, a generic prior frequency distribution was determined, with a subsequent Bayesian update from SGS-1 plant experience. Generic prior data for this category of initiating events was taken from an NRC-sponsored report [NUREG/CR 3862]. The special transients were quantified on a case-by-case basis. The DC bus failure initiator frequency was developed from generic component failure data and an SGS-1 unit capacity factor of 60%. The remaining special transients were quantified by the use of system fault tree developments. These fault tree developments were quantified with a combination of generic and plant-specific data. [pp. 3.1-6, 3.1-7 of submittal]
All LOCAs except ISLOCAs were quantified based on a survey of past PRA studies, including PRAs for Seabrook [Seabrook PRA], Oconee [NSAC 60], Sequoyah [NUREG/CR 4550 Sequoyah], and Surry [NUREG/CR 4550 Surry]. Data from the Reactor Safety Study [WASH 1400] were also included in this survey. The LOCA initiator data used in the analysis are summarized in Table 3.1.1-10 of the submittal. [pp. 3.1-9, 3.1-73 of submittal]
Two ISLOCA categories were quantified following a qualitative screening process involving 11 candidate high-to-low piping interfaces. The two ISLOCA categories quantified were the RHR cold leg injection and suction lines. The quantification of these ISLOCAs was performed with a plant-specific analysis that is summarized in Section 3.1.1.3 of the submittal. This quantification process included data extracted from an NRC-sponsored study [NUREG/CR 5102]. The quantification of these ISLOCA events is further described in a separate report [Cont. Bypass]. [pp. 3.1-4, 3.1-9 through 3.1-13 of submittal]
Table 3.4.6-1 of the submittal provides a summary of SGS-1 mean initiating event frequencies. Tables 3.1.5.1-5 and 3.4.7-10 of the submittal summarize SGS-2 frequency data. The quantification of the initiating events appears consistent with other PWR PRA/IPE studies.
Over the period for the plant-specific initiating event evaluation, SGS-2 experienced more transients than SGS-1. This situation was related to the fact that SGS-2 had an undersized condensate system and a higher thermal rating than SGS-1. The condensate system has been corrected and the thermal ratings of the two units are now the same. Minor differences in the quantification of SGS-1 and SGS-2 transient initiator frequencies reflect this historical difference between the two units. [pp. 3.1-53, 3.1-108, 3.4-41, 3.4-87 of submittal]
2.2.2 Event Trees.
The following systemic event trees were used in the analysis: [pp. 3.1-16 to 3.1-51 of submittal]
- Transient with PCS Available
- Transient with PCS Unavailable
- Loss of Offsite Power
- Station Blackout
- Loss of a DC Bus
- Loss of Control Air System
- Loss of Service Water
- Steam Line Break
- Main Feedwater Break
- Very Small LOCA
- Small LOCA
- Intermediate LOCA
- Large LOCA
- SGTR
- V-Sequence
- ATWS
- Transient with Loss of Control Area Air Conditioning System
- Loss of Offsite Power with Loss of Control Area Air Conditioning System
- Transient with Loss of Switchgear HVAC
- Loss of Offsite Power with Loss of Switchgear HVAC
- Internal flooding (6 event trees)
The station blackout event tree is used to accommodate an entry state from the loss of offsite power event tree. This entry state represents a LOSP condition combined with the failures of the diesel generators and the gas turbine. Likewise, the ATWS event tree was used to accommodate an entry from other event trees. [pp. 3.1-23, 3.1-25 of submittal]
Four of the event trees listed above were used to address control area or switchgear HVAC failures following a transient or LOCA initiator. Loss of offsite power was considered separately because the HVAC systems stop and then must restart, given a loss of offsite power event. [pp. 3.1-37 through 3.1-40 of submittal]
The onset of core damage was defined as the beginning of sustained core uncovery; that is, the water level within the vessel has receded such that there is uncovery of the top of active fuel. The overall mission time for the front-end analysis was defined to be 24 hours. [pp. 3.3-29, 4.3-1 of submittal]
The success criteria are stated to be best estimate and were based on: PRAs for Seabrook [Seabrook PRA], Surry [NUREG/CR 4550 Surry], and Sequoyah [NUREG/CR 4550 Sequoyah]; a Westinghouse Owners Group document on emergency response guidelines [WEST ERG]; an NRC-sponsored document on severe accident radionuclide release calculations [NUREG/CR 4624]; the SGS UFSAR; and limited SGS-specific thermal hydraulic analyses performed for the Level 1 PRA. It appears that the MAAP code was used for most of the SGS-specific thermal hydraulic analyses. The front-end analysis considers the status of containment cooling in instances where it is required to support core cooling. [pp. 2-16, 4.3-1 of submittal]
Unlike some other PWR IPE studies, the SGS IPE does not take credit for the use of primary system depressurization via the secondary system so that low head safety injection can be used to mitigate a small LOCA. Credit is taken in the SGS IPE for primary system feed and bleed cooling via the power operated relief valves (PORVs) as an alternative to secondary cooling for transients, and small and very small LOCAs.
Credit is also taken for the use of condensate pumps as a secondary cooling method for these same initiator classes. [pp. 3.1-79, 3.1-84, 3.1-85 of submittal]
Expert opinion elicited for the NUREG-1150 program (as described in NUREG/CR-5116) was used to develop an RCP seal LOCA model for the station blackout event tree. For the loss of service water event tree, failure to recover service water within a short time (1 hour) was assumed to lead to core damage. For other categories of transient initiating events where RCP seal cooling was subsequently lost during the accident mission time, the IPE assumed that core damage would always occur. [pp. 3.1-46, 3.1-47, 3.1-133 of submittal]
The above RCP seal LOCA model was assumed to be appropriate for the SGS RCP seals, which used the "older design" seal material at the time the original PRA was completed. However, by the time the Level 2 analysis was underway, the "older design" seals at SGS had been upgraded. A revised seal LOCA model was developed based on NUREG/CR 4550 expert judgment elicitation [NUREG/CR 4550 EE]. This revised model was used to analyze station blackout sequences in the back-end analysis. [pp. 3.1-46, 3.1-47, 4.7-5 to 4.7-8 of submittal]
2.2.3 Systems Analysis.
The submittal provides descriptions for 21 systems, including safety injection, electrical power (AC and DC), engineered safety features actuation system (ESFAS), control air, service water, CCW, AFW, and several HVAC systems. System differences between SGS-1 and SGS-2 are described in Section 3.2.3 of the submittal. Each system description discusses the system function, system components, system interfaces, instrumentation and control, operator actions, Technical Specifications, success criteria, operational experience, system operation, and system fault tree modeling assumptions. Also included are simplified schematics that show major equipment items and important flow and configuration information. The major equipment items are explicitly labeled with component identifiers.
2.2.4 System Dependencies.
The IPE addressed and considered dependencies in the following categories: shared component, instrumentation and control, isolation, motive power, direct equipment cooling, HVAC, and operator actions. A summary of front-line and support system dependencies modeled in the SGS-1 analysis is provided in Tables 3.2.2-2 and 3.2.2-3 of the submittal. Corresponding data for SGS-2 are provided in Tables 3.2.3.2-3 and 3.2.3.2-4 of the submittal. Additional discussions of dependencies are contained in the system descriptions. The dependency information contained in the submittal identifies asymmetries. [pp. 3.2-129, 3.2-130, 3.2-140, 3.2-155 to 3.2-184b, 3.2-189 to 3.2-227 of submittal]
Several HVAC systems are used to support the operation of various equipment items. These HVAC systems and supported equipment items include: [pp. 9.4-1 through 9.4-7, 9.4-39 through 9.4-37, Fig. 9.4-1A of UFSAR]
- Control area air conditioning system: services equipment in several areas, including the control room, control electrical equipment room, and control area relay room
- Auxiliary building ventilation system: containment spray pumps, RHR pumps, safety injection pumps
- Diesel generator area ventilation system: diesel generators
- Switchgear room ventilation system: switchgear rooms on 64 and 84 foot elevations
- Service water intake structure ventilation: service water pumps, service water control room equipment
The IPE has included HVAC dependencies in the analysis for the majority of the equipment items/areas listed above, with the following exceptions: [pp. 3.2-4, 3.2-9, 3.2-19, 3.2-26, 3.2-28, 3.2-31, 3.2-40, 3.2-41, 3.2-66, 3.2-72, 3.2-75, 3.2-82, 3.2-85, 3.2-87, 3.2-91, 3.2-92, 3.2-94, 3.2-100 of submittal]
- Control room
- Containment spray pumps
- Turbine driven AFW pump
- Service water pumps
- Service water control room
The licensee's bases for omitting HVAC dependencies for the above equipment and plant locations are discussed in the following paragraphs.
The IPE did not model loss of HVAC to the control room because of the relatively low probability that control room HVAC would be lost. HVAC for the control room is provided by the Control Area Air Conditioning System (CAACS) which includes two separate systems, specifically the Control Room Supply System (CRSS) and the Emergency Air Conditioning Supply (EACS) System. The licensee states that the CRSS path to the control room is redundantly supplied by the EACS, and that the dominant failure of the EACS (plugging of the emergency air filtration unit) would have a probability of 1E-04 over the 24 hour mission time. On the other hand, the IPE did model loss of HVAC to the control area relay room and electrical equipment rooms, which are also ventilated by the CAACS. However, the ventilation paths to the relay and electrical rooms do not have the level of redundancy that is associated with the main control room ventilation paths. Thus, loss of HVAC was estimated to be much more likely to occur in the relay and electrical rooms than in the main control room. [pp. 2, 3 of RAI Responses]
The IPE assumes that room HVAC is not required for the containment spray pumps, because these pumps would be used only during the injection phase of an accident, and are shut off once the refueling water storage tank (RWST) is depleted. The elimination of HVAC requirements for the containment spray pumps is consistent with some other PRA/IPE studies.
HVAC for the turbine-driven AFW pumps was initially considered as a dependency in the IPE but subsequently ruled out based on engineering judgment. The turbine-driven pump is located within a steel enclosure that would allow substantial heat transfer through the walls. In addition, during a heat-up of the room, the only equipment items (other than the pump itself) within the enclosure needed for pump operation are an air-operated isolation valve (that fails open on loss of power) and a governor valve (normally open and fails as is). The environmentally sensitive controls for these valves are located outside the enclosure and consequently would not be subjected to adverse effects from room heat-up. Even if HVAC failure had been included in the AFW logic model, the licensee judged that its effect on the IPE results would be minimal since the total unavailability of the AFW injection as reflected in the IPE model is approximately 0.1. The licensee estimates that any ventilation failures would be at least an order of magnitude less than the unavailability of the AFW injection function. [p. 2 of RAI Responses] [p. 3.2-100 of submittal]
The IPE assumed that HVAC for the service water intake structure and service water control room would not be required. However, the licensee states that this assumption may not be valid for the warmer months of the year. To further investigate the impact of omitting this HVAC dependency, the licensee made a sensitivity study by adding service water HVAC dependencies to the existing SGS-1 IPE model. The analysis of this sensitivity model resulted in a 2.8% increase in the SGS-1 CDF. The licensee states that this CDF increase is small compared to the overall risk significance of the service water system, and that no new insights or vulnerabilities were identified with this sensitivity study. [pp. 3.2-19, 3.2-40, 3.2-41, 3.2-75, 3.2-87, 3.2-91, 3.2-100 of submittal] [pp. 11, 12 of RAI Responses]
The IPE has modeled service water system (SWS) lube oil cooling dependencies for the safety injection pumps and centrifugal charging pumps. In addition, the IPE appears to have accounted for the CCW lube oil dependency of the positive displacement charging pump. [p. 11 of RAI Responses] [pp. 6.3-4 of UFSAR, 3.2-69, 3.2-74, 3.2-115, 3.2-118 of submittal]
The CCW system provides seal cooling water to the charging pumps, the RHR pumps, and the safety injection pumps. Seal water cooling is not necessary for continued operation of the charging pumps. While seal water cooling for the RHR and safety injection pumps is not required during the injection phase of an accident, it would be required during the recirculation phase of an accident. The IPE has accounted for recirculation-phase seal cooling dependencies of the RHR and safety injection pumps. [pp. 3, 4 of RAI Responses] [pp. 6.3-51, 9.2-13 of UFSAR, 3.2-12, 3.2-66, 3.2-69, 7-1 of submittal]
2.3 Quantitative Process
This section of the report summarizes our review of the process by which the IPE quantified core damage accident sequences. It also summarizes our review of the data base, including consideration given to plant-specific data, in the IPE. The uncertainty and/or sensitivity analyses that were performed were also reviewed.
2.3.1 Quantification of Accident Sequence Frequencies.
The IPE used a small event tree/large fault tree technique with fault tree linking to quantify core damage sequences. Fault tree models were developed for systems depicted in the event tree top logic and their support systems. The event trees were for the most part systemic. The SETS code was used to generate the accident sequence analysis. Accident sequence cut sets were developed to the level of specific component failures or basic events. [pp. 2-15, 2-25, 2-25, 3.3-32, 3.3-33 of submittal]
The submittal states that in general, cut sets with a frequency less than 1.0E-10/yr were truncated. It is not clear if there were exceptions to this truncation value. The licensee's data for recovery of offsite power are comparable to industry data presented in an EPRI study [NSAC 147]. [pp. 2-15, 2-25, 2-25, 3.1-96, 3.3-32, 3.3-33 of submittal]
2.3.2 Point Estimates and Uncertainty/Sensitivity Analyses.
Mean values were used to represent the initiating events and the fault tree failure event probabilities in the accident analysis calculations. Separate results are reported for SGS-1 and SGS-2. The overall CDF results for internal initiators and flooding are presented separately. A formal statistical uncertainty analysis of the CDF was performed on the internal events portion of the analysis (exclusive of flooding) for both SGS-1 and SGS-2. [pp. 3.4-1 through 3.4-15 of submittal] [RAI Responses]
A set of 13 sensitivity analyses was performed on the front-end analysis. While these analyses were performed for both SGS-1 and SGS-2, only the SGS-1 results are presented. The submittal states that results of the sensitivity case analyses for SGS-2 were similar to SGS-1. The 13 front-end sensitivity analyses are listed below: [pp. 3.4-6, 3.4-14, 3.4-9, 3.4-10, 3.4-38, 3.4-39, 3.4-15 of submittal]
(1) All dependent event probabilities set to zero
(2) All dependent event probabilities multiplied by a factor of 3
(3) Human error event probabilities divided by a factor of 10 (recovery events not included)
(4) Human error event probabilities multiplied by a factor of 10 (recovery events not included)
(5) Recovery event probabilities divided by a factor of 10
(6) Recovery event probabilities multiplied by a factor of 10
(7) Test and maintenance event probabilities divided by a factor of 10
(8) Need for HVAC eliminated in switchgear, electrical equipment, and relay rooms
(9) Requirement for CCW room coolers eliminated
(10) Requirement for charging pump seal dependency on CCW eliminated
(11) Requirement for charging/safety injection pumps eliminated during post LOCA recirculation phase for very small, small, and intermediate LOCAs (low pressure recirculation flow from RHR pumps assumed sufficient)
(12) No credit taken for availability of PORVs for feed and bleed
(13) Assume that no significant RCP seal LOCA condition will occur given loss of seal cooling
It is noted that case (10), the elimination of charging pump seal dependency on CCW, is inconsistent with the analysis. As noted earlier in Section 2.2.4 of this report, the IPE assumed that seal cooling was not required for the charging pumps. [pp. 3.2-12, 3.2-66, 3.2-69, 7-1 of submittal]
The submittal provides SGS-1 results for sensitivity analysis cases (3), (4), (5), (6), (7), (9), and (12). The elimination of CCW room coolers, as represented by case (9), would reduce the CDF by approximately one third. Complete unavailability of the PORVs for feed and bleed, as represented by case (12), would more than double the CDF (from 5.2E-05/yr to over 1E-04/yr). [pp. 3.4-6, 3.4-39 of submittal]
An importance analysis was performed and described in the submittal. The importance analysis generated three importance measures for non-initiating events, specifically partial derivative, risk reduction, and risk increase. The partial derivative and risk reduction measures were generated for the initiating events. Tables 3.4.1-9 and 3.4.7-8 of the submittal present importance measure results for SGS-1 and SGS-2, respectively. For initiating events, these tables list both the quantitative values of the importance measures as well as rankings. For the non-initiating events, only relative rankings are presented. [pp. 3.4-5, 3.4-14, 3.4-28 to 3.4-35, 3.4-85a to 3.4-85i of submittal]
Based on the risk reduction measure, the most important non-initiating events at both units are (in order): [pp. 3.4-28 to 3.4-35, 3.4-85a to 3.4-85i of submittal]
- Non-recovery of power within 1 hour
- Non-recovery of power within 4 hours
- Non-recovery of power within 6 hours
- RCP seal LOCA at 2 hours after loss of cooling.
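The quantification steps reviewed in Sections 2.3.1 and 2.3.2 (cut set truncation, a multiply-by-10 sensitivity case, and the three importance measures) can be shown on a toy model. This is an added example, not part of the review or the submittal: every event name, value and cut set is constructed, and because the review names the importance measures without giving formulas, the difference forms used here are an assumption.

```python
"""Cut set quantification with truncation, a sensitivity case and importance measures.

Added illustration. Every event name, probability, frequency and cut set below is
constructed for the example; none is taken from the SGS IPE model.
"""
from math import prod

TRUNCATION = 1.0e-10  # per year; the general truncation value quoted in the review

# name -> (mean value, kind). Initiators are per-year frequencies, the rest probabilities.
EVENTS = {
    "IE-LOSP":   (5.0e-2, "initiator"),
    "IE-TRANS":  (2.0,    "initiator"),
    "DG-A-FTS":  (6.5e-3, "hardware"),
    "DG-B-FTS":  (6.5e-3, "hardware"),
    "GT-FTS":    (5.0e-2, "hardware"),
    "PORV-FTO":  (2.0e-3, "hardware"),
    "AFW-CCF":   (1.0e-4, "dependent"),
    "HEP-FB":    (1.0e-2, "human"),
    "NONREC-1H": (5.0e-1, "recovery"),
}

# Each minimal cut set is one initiator plus the basic events that must all occur.
CUT_SETS = [
    ("IE-LOSP", "DG-A-FTS", "DG-B-FTS", "GT-FTS", "NONREC-1H"),
    ("IE-TRANS", "AFW-CCF", "HEP-FB"),
    ("IE-TRANS", "AFW-CCF", "PORV-FTO"),
    ("IE-LOSP", "DG-A-FTS", "DG-B-FTS", "HEP-FB", "PORV-FTO"),  # below truncation at base values
]


def mean_values():
    """Map each event name to its mean value."""
    return {name: value for name, (value, _kind) in EVENTS.items()}


def frequency(cut_set, values):
    """Point-estimate frequency of one cut set (product of its mean values)."""
    return prod(values[name] for name in cut_set)


def retained(cut_sets, values, truncation=TRUNCATION):
    """Cut sets whose frequency is at or above the truncation value."""
    return [cs for cs in cut_sets if frequency(cs, values) >= truncation]


def cdf(cut_sets, values):
    """Rare-event approximation: the CDF is the sum of the cut set frequencies."""
    return sum(frequency(cs, values) for cs in cut_sets)


def scale_kind(values, kind, factor):
    """Sensitivity case: multiply every event of one kind by `factor`, capped at 1.0."""
    return {
        name: min(v * factor, 1.0) if EVENTS[name][1] == kind else v
        for name, v in values.items()
    }


def importance(event, cut_sets, values):
    """Difference-form measures for one non-initiating event (assumed definitions)."""
    base = cdf(cut_sets, values)
    at_zero = cdf(cut_sets, {**values, event: 0.0})
    at_one = cdf(cut_sets, {**values, event: 1.0})
    return {
        "partial_derivative": at_one - at_zero,  # exact: each cut set is linear in the event
        "risk_reduction": base - at_zero,
        "risk_increase": at_one - base,
    }


def hep_times_ten():
    """Compare re-truncating after the change with reusing the base-case cut set list."""
    base_values = mean_values()
    base_list = retained(CUT_SETS, base_values)
    changed = scale_kind(base_values, "human", 10.0)
    return {
        "base_cdf": cdf(base_list, base_values),
        "reused_list_cdf": cdf(base_list, changed),
        "requantified_cdf": cdf(retained(CUT_SETS, changed), changed),
    }


if __name__ == "__main__":
    for label, value in hep_times_ten().items():
        print(f"{label:18s} {value:.4e}/yr")
    base_list = retained(CUT_SETS, mean_values())
    for event in ("HEP-FB", "NONREC-1H"):
        print(event, importance(event, base_list, mean_values()))
```

The fourth cut set is dropped at base values but crosses the truncation value once human error probabilities are multiplied by 10, so a sensitivity case run on the already-truncated list understates the result.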
2.3.3 Use of Plant-Specific Data.
Plant-specific data were collected for the following categories of fault tree events: [p. 3.3-8 of submittal]
- Testing and maintenance outages for most systems modeled
- Pump failures to start for most systems modeled
- Containment fan-cooler unit failures to start
- Diesel generator failures to start
- Gas turbine generator failures to start
Events submitted to the Nuclear Plant Reliability Data System (NPRDS) covering 1984 through 1986 were used to support the development of SGS-1 component failure data. Data for diesel generator start failures were obtained from monthly station reports [Station Reports] for 1986. The gas turbine failure data were obtained from the station annual report for 1986 and 1989 [Annual Report]. An examination of the 1989 control room logs for component failures and demands was also used to develop SGS-1 component failure data. The submittal states that a similar process was used to derive component failure data for SGS-2. Considering the fact that SGS-1 and SGS-2 have operated since 1977 and 1981, respectively, it appears that the licensee could have gathered additional plant-specific data to support the analysis. IPE studies for other plants have typically gathered failure data for the most recent 4-5 year period of plant operation. [pp. 3.3-9, 3.3-10, 3.3-48 of submittal]
The licensee used the plant-specific component failure data to update generic component failure data. This update process was performed with the use of Bayesian techniques. [p. 3.3-11 of submittal]
Table 2-1 of this review compares plant-specific failure data for selected components from the IPE to values typically used in PRA and IPE studies, using the NUREG/CR-4550 data for comparison [NUREG/CR-4550, Methodology]. As noted above, only start (demand) failures were quantified with plant-specific data. [pp. 3.3-76, 3.3-77, 3.3-195, 3.3-196 of submittal]
As can be seen from Table 2-1, several of the component groups had zero failures in the limited data collection period. However, the AFW, CVCS, SWS, CCW (unit 2) and diesel generator component groups did experience failures that occurred during the data collection period. The plant-specific and generic data are in agreement for these five categories, with the exception of the SGS-2 TD AFW pump and the diesel generators. The SGS-2 TD AFW pump failure data is based on 1 failure in 168 demands. The plant-specific data related to the diesel generators is based on a total of 4 failures in 620 demands at SGS-1 and 2 failures in 569 demands at SGS-2.
Table 2-1. Plant-Specific Component Demand Failure Data (a, b)
| Component | SGS-1 Point Value Estimate | SGS-2 Point Value Estimate | NUREG/CR 4550 Mean Value Estimate |
|---|---|---|---|
| Turbine Driven (TD) AFW Pump | 3.6E-02 | 6.0E-03 | 3E-02 |
| Motor Driven AFW Pump | 0.0 for both pumps | average = 4.7E-03 | 3E-03 |
| Chemical and Volume Control System (CVCS) Pump | 0.0 for the two centrifugal pumps | 0.0 for the two centrifugal pumps | 3E-03 |
| RHR Pump | 0.0 for both pumps | 0.0 for both pumps | 3E-03 |
| SWS Pump | average = 2.8E-03 | average = 1.7E-03 | 3E-03 |
| CCW Pump | 0.0 for all 3 pumps | average = 2.7E-03 | 3E-03 |
| Diesel Generator | average = 6.5E-03 | average = 3.5E-03 | 3E-02 |
Notes:
(a) All data represent start failure probabilities.
(b) The plant data listed in this table are "raw" values that were used to update generic component failure data. The submittal does not provide a list of the actual component failure data used in the analysis.
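How a Bayesian update combines raw counts like those in Table 2-1 with a generic prior, as an added example rather than the licensee's calculation. The failure and demand counts are the ones quoted in this review; the Beta prior form, its strength (`PRIOR_STRENGTH`), the use of the NUREG/CR 4550 means as prior means, and the demand count for the zero-failure case are assumptions.

```python
"""Beta-binomial update of start (demand) failure probabilities.

Added illustration, not the licensee's calculation. Counts are the ones quoted in
the review; the Beta prior form and its strength are assumptions, and the
NUREG/CR 4550 means from Table 2-1 stand in for the prior mean.
"""
from dataclasses import dataclass
from math import sqrt

PRIOR_STRENGTH = 50.0  # assumed: the prior is worth this many equivalent demands


@dataclass(frozen=True)
class Evidence:
    component: str
    generic_mean: float  # prior mean (NUREG/CR 4550 value in Table 2-1)
    failures: int
    demands: int


EVIDENCE = {
    "tdafw2": Evidence("SGS-2 TD AFW pump", 3e-2, 1, 168),
    "dg1": Evidence("SGS-1 diesel generators", 3e-2, 4, 620),
    "dg2": Evidence("SGS-2 diesel generators", 3e-2, 2, 569),
    # Constructed case: the review gives no demand count for the zero-failure groups.
    "zero": Evidence("pump with zero failures (constructed)", 3e-3, 0, 100),
}


def raw_estimate(ev):
    """Raw point value as listed in Table 2-1: failures per demand."""
    if ev.demands <= 0 or not 0 <= ev.failures <= ev.demands:
        raise ValueError(f"inconsistent counts for {ev.component}")
    return ev.failures / ev.demands


def posterior_parameters(ev, strength=PRIOR_STRENGTH):
    """(alpha, beta) of the Beta posterior after the binomial evidence."""
    if not 0.0 < ev.generic_mean < 1.0 or strength <= 0:
        raise ValueError("prior mean must be in (0, 1) and strength positive")
    raw_estimate(ev)  # reuse the count validation
    alpha0 = ev.generic_mean * strength
    beta0 = (1.0 - ev.generic_mean) * strength
    return alpha0 + ev.failures, beta0 + ev.demands - ev.failures


def posterior_mean(ev, strength=PRIOR_STRENGTH):
    alpha, beta = posterior_parameters(ev, strength)
    return alpha / (alpha + beta)


def posterior_sd(ev, strength=PRIOR_STRENGTH):
    alpha, beta = posterior_parameters(ev, strength)
    total = alpha + beta
    return sqrt(alpha * beta / (total * total * (total + 1.0)))


def summarize(strengths=(10.0, PRIOR_STRENGTH, 200.0)):
    """Posterior mean per component for several assumed prior strengths."""
    return {
        key: {s: posterior_mean(ev, s) for s in strengths}
        for key, ev in EVIDENCE.items()
    }


if __name__ == "__main__":
    for key, ev in EVIDENCE.items():
        print(f"{ev.component:40s} raw={raw_estimate(ev):.2e} "
              f"generic={ev.generic_mean:.0e} "
              f"posterior={posterior_mean(ev):.2e} +/- {posterior_sd(ev):.1e}")
```

A zero-failure record gives a raw value of 0.0 but a non-zero posterior mean, and a weaker prior (smaller `PRIOR_STRENGTH`) moves every posterior closer to the raw plant value.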
The development of plant-specific test and maintenance outage data for SGS-1 included an examination of Limiting Conditions for Operation (LCO) system reports for the period 1984 through 1986. The examination of LCO data was limited to this 3-year interval to most accurately reflect the most recent plant experience. The derivation of SGS-1 plant-specific test and maintenance outage data also included a review of control room logs for 1989. For SGS-2, an LCO file similar to the one for SGS-1 did not exist. As a result, the SGS-2 plant-specific test and maintenance outage data were gathered from control room logs from an unspecified time period. [pp. 3.3-8, 3.3-9, 3.3-48, 3.3-73 to 3.3-75, 3.3-193, 3.3-194 of submittal]
Plant-specific data were used to support the quantification of initiating events. For the general transients, a generic prior frequency distribution was determined, with a subsequent Bayesian update from plant experience. The special transients were quantified on a case-by-case basis. The DC bus failure initiator frequency was developed from generic component failure data and unit capacity factors. The other transients were quantified by the use of system fault tree developments. These fault tree developments were quantified with a combination of generic and plant-specific data. [pp. 3.1-6, 3.1-7 of submittal]
2.3.4 Use of Generic Data.
Over 20 data sources were used to develop the SGS generic data base, including: LER surveys, NPRDS data, WASH-1400, Interim Reliability Evaluation Program (IREP) data [NUREG/CR 2728], EPRI data [EPRI 2230], and Institute of Electrical and Electronics Engineers (IEEE) data [IEEE 500]. Also used were pump reliability data from the French nuclear program. [pp. 3.3-3, 3.3-7, 3.3-48, 3.3-61 of submittal]
We performed a comparison of IPE generic data to generic values used in the NUREG/CR-4550 studies [NUREG/CR 4550, Methodology]. This comparison is summarized in Table 2-2. [pp. 3.3-51a to 3.3-71 of submittal]
With the exception of the turbine-driven pump run failure data, the SGS generic data listed in Table 2-2 are generally consistent with the NUREG/CR-4550 data.
The licensee's turbine-driven pump run failure rate (5.0E-05/hr) is two orders of magnitude lower than the NUREG/CR-4550 data. The licensee derived this generic estimate from the geometric average of pertinent turbine pump data from 9 different sources,*
including: the In-Plant Reliability Data Base (IPRDS), the NPRDS, LEA data, WASH 1400, IREP, and the French nuclear program. [pp. 9, 1 O of RAI Responses]
The IPE also developed a set of generic data to represent component outages from repair (unscheduled maintenance) activities. Component repair durations were obtained from WASH-1400 and IPRDS reports [NUREG/CR 2886] and [NUREG/CR 3154]. Frequencies for repair were based on information in: the IPRDS reports [NUREG/CR 2886] and [NUREG/CR 3154]; PRA studies [Oconee PRA], [Seabrook PRA] and [Shoreham PRA]; and an IEEE publication [IEEE 500]. [pp. 3.3-3 to 3.3-5 of submittal]
Generic data were used to support the quantification of initiating events. For the general transients, a generic prior frequency distribution was determined, with a subsequent Bayesian update from plant experience. The special transients were quantified on a case-by-case basis. The DC bus failure initiator frequency was developed from generic component failure data and unit capacity factors. The other transients were quantified by the use of system fault tree developments. These fault tree developments were quantified with a combination of generic and plant-specific data. [pp. 3.1-6, 3.1-7 of submittal]
Table 2-2. Generic Component Failure Data (a)

| Component | IPE Mean Value Estimate | NUREG/CR 4550 Mean Value Estimate |
|---|---|---|
| Turbine Driven Pump | 5.0E-02 Fail to Start | 3E-02 Fail to Start |
| | 5.0E-05 Fail to Run | 5E-03 Fail to Run |
| Motor Driven Pump | 1.0E-03 Fail to Start | 3E-03 Fail to Start |
| | 1.0E-05 Fail to Run | 3E-05 Fail to Run |
| Motor Operated Valve | 1.0E-03 Fail to Close | 3E-03 Fail to Operate |
| | 1.0E-03 Fail to Open | |
| Check Valve | 1.0E-04 Fail to Open | 1E-04 Fail to Open |
| Battery Charger | 2.0E-06 Rectifier failure | 1E-06 Fail to Operate |
| Battery | 1.2E-06 No Output | 1E-06 Failure (unspecified mode) |
| Inverter | 5.0E-05 Fail to Run | 1E-04 Failure (unspecified mode) |
| Circuit Breaker (indoor) | 5.0E-04 Fail to Open | 3E-03 Fail to Transfer |
| | 1.0E-03 Fail to Close | |
| Diesel Generator | 1.0E-02 Fail to Start | 3E-02 Fail to Start |
| | 3.0E-03 Fail to Run | 2E-03 Fail to Run |
| Strainer | 5.0E-06 Plugs | 3E-05 Plugs |
| Transformer (KV) | 5.0E-07 Failure | 2E-06 Short or Open |
| Transmitter | 5.0E-06 Failure (temp.) | 1E-06 Fail to Operate |
| | 3.0E-06 Failure (press) | |
| | 3.0E-06 Failure (flow) | |
| | 5.0E-06 Failure (level) | |

Notes: (a) Failures to start, open, close, operate, or transfer are probabilities of failure on demand. The other failures represent frequencies expressed per hour.
2.3.5 Common-Cause Quantification.
The SGS common cause analysis was performed with the MGL methodology. The method was extended to the delta level. Most of the input data for the SGS common cause analysis was developed by screening a generic industry database [PLG 500] for applicability to the SGS-1 design. The development of a plant-specific common cause database closely followed the procedures presented in NUREG/CR-4780. [pp. 3.2-140, 3.2-185, 3.3-18, 3.3-20 to 3.3-26, 3.3-148 of submittal]
Candidate groups of similar components were identified from reviews of the system fault trees. With one exception, the scope of the study was limited to redundant similar components within a given system. The exception to this scope was the quantification of the dependent failure of all three AFW pumps (2 motor-driven and 1 turbine-driven) to start (footnote 2). Common cause events were added to the fault tree models as basic events. [pp. 3.2-185, 3.3-18, 3.3-26, 3.3-148 of submittal]
The IPE common cause analysis included motor operated valves (MOVs), air operated valves (AOVs), diesel generators, containment fan cooler units, and pumps. Pumps from the following systems were included in the analysis: AFW, safety injection, CVCS, RHR, chilled water, component cooling water, service water, and containment spray. [pp. 3.2-185, 3.3-18, 3.3-26, 3.3-148 of submittal]
The IPE did not include common cause failures of some component groups that have been modeled in some other IPE/PRA studies, specifically: Circuit breakers, electrical switchgear/buses, batteries, inverters, check valves, room ventilation fans (outside containment), and air compressors. As stated by the licensee, there was no significant common cause failure database for these components at the time the IPE was developed. The licensee further states that no plant-specific vulnerabilities would be found even if these equipment categories were included in the IPE, due to similarities in the design of Salem and other plants. However, the licensee does not provide any estimates of the increase in overall plant CDF if the omitted component groups had been included in the common cause analysis. It is noted that common cause failures of batteries contributed about 15% of the overall CDF in the ANO-1 IREP study.
With the exception of a very minor difference in the beta factor for containment fan cooler run failures, the SGS-1 and SGS-2 MGL common cause data are identical. We made a comparison of IPE common-cause beta factors with generic values used in the NUREG/CR-4550 studies [NUREG/CR 4550, Methodology]. This comparison is summarized in Table 2-3. [pp. 3.2-185, 3.3-148 of submittal]
The data in Table 2-3 indicate that some of the IPE common-cause beta factors for failure to start are somewhat lower than NUREG/CR 4550 data. For example, the IPE common cause factors for start failures related to the SWS and CCW pumps are over a factor of 3 lower than the corresponding NUREG/CR 4550 data. On the other hand, the SGS common cause data appear generally consistent with a number of other PRA/IPE studies.
2 Data for the dependent failure of all 3 AFW pumps were extracted from EPRI 3967 and NUREG/CR-2098.
Table 2-3. Common-Cause Beta Factors (a)

| Component | IPE Mean Beta Factor Value | NUREG/CR 4550 Mean Beta Factor |
|---|---|---|
| SWS Pump | 0.007 Fail to Start | 0.026 Fail to Start |
| | 0.024 Fail to Run | |
| CCW Pump | 0.007 Fail to Start | 0.026 Fail to Start |
| | 0.003 Fail to Run | |
| RHR Pump | 0.131 Fail to Start | 0.15 Fail to Start |
| | 0.010 Fail to Run | |
| SI Pump | 0.106 Fail to Start | 0.21 Fail to Start |
| | 0.011 Fail to Run | |
| Containment Spray Pump | 0.127 Fail to Start | 0.11 Fail to Start |
| | 0.010 Fail to Run | |
| MOV | 0.057 Fail to Open or Close | 0.088 Fail to Open |
| Diesel Generator | 0.014 Fail to Start | 0.038 Fail to Start |
| | 0.010 Fail to Run | |

Notes: (a) All of the NUREG/CR 4550 data apply to a group size of two components. Except for the diesel generators, the IPE beta factors also apply to a group size of two. The IPE diesel generator data apply to a group size of 3.
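To show why the size of a beta factor matters, the following added example (not code or results from the submittal or this review) implements the general MGL parameterization and applies it to a hypothetical 1-of-2 pair of redundant motor-driven pumps. It assumes the Table 2-2 IPE start-failure probability of 1.0E-03 for both cases and varies only beta between the two Table 2-3 values for SWS/CCW pump starts; the function names and the constructed gamma and delta values are illustrative.

```python
"""MGL (Multiple Greek Letter) common-cause basic events for a redundant group.

Added illustration only. The pump pair and its 1-of-2 success criterion are
hypothetical; they are not taken from the SGS fault trees.
"""
from math import comb, prod


def mgl_basic_events(q_total, greek, group_size):
    """Return [Q_1, ..., Q_m] for an m-component common-cause group.

    Q_k is the probability of a basic event that fails k specific components.
    greek = (beta, gamma, delta, ...) holds exactly m - 1 parameters.
    """
    m = group_size
    if m < 2 or len(greek) != m - 1:
        raise ValueError("need exactly group_size - 1 Greek-letter parameters")
    if not all(0.0 <= g <= 1.0 for g in greek):
        raise ValueError("Greek-letter parameters are conditional probabilities")
    # rho_1 = 1, rho_2 = beta, rho_3 = gamma, rho_4 = delta, rho_{m+1} = 0
    rho = [1.0, *greek, 0.0]
    events = []
    for k in range(1, m + 1):
        shared = prod(rho[:k])                 # rho_1 * ... * rho_k
        q_k = shared * (1.0 - rho[k]) * q_total / comb(m - 1, k - 1)
        events.append(q_k)
    return events


def total_from_events(events):
    """Recombine basic events into the total failure probability of one
    component; must reproduce q_total (consistency identity)."""
    m = len(events)
    return sum(comb(m - 1, k - 1) * q for k, q in enumerate(events, start=1))


def pair_failure(q_total, beta):
    """Failure probability of a 1-of-2 redundant pair (rare-event sum of the
    cut sets {A independent, B independent} and {common cause AB})."""
    q1, q2 = mgl_basic_events(q_total, (beta,), 2)
    return q1 * q1 + q2


def common_cause_share(q_total, beta):
    """Fraction of the pair failure probability due to the common-cause event."""
    _, q2 = mgl_basic_events(q_total, (beta,), 2)
    return q2 / pair_failure(q_total, beta)


# Values quoted in Tables 2-2 and 2-3 of this report.
Q_START = 1.0e-3          # IPE motor-driven pump, fail to start (per demand)
BETA_IPE = 0.007          # IPE beta, SWS/CCW pump fail to start
BETA_NUREG = 0.026        # NUREG/CR 4550 beta, SWS/CCW pump fail to start

if __name__ == "__main__":
    for label, beta in (("IPE beta", BETA_IPE), ("NUREG/CR 4550 beta", BETA_NUREG)):
        print(f"{label:20s} pair failure = {pair_failure(Q_START, beta):.3e}, "
              f"common-cause share = {common_cause_share(Q_START, beta):.1%}")
    ratio = pair_failure(Q_START, BETA_NUREG) / pair_failure(Q_START, BETA_IPE)
    print(f"ratio of pair failure probabilities = {ratio:.2f}")
```

With the component failure probability held fixed, the common-cause term dominates the pair's failure probability in both cases, so the result scales almost directly with the beta factor chosen.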
2.4 Interface Issues
This section of the report summarizes our review of the interfaces between the front-end and back-end analyses, and the interfaces between the front-end and human factors analyses. The focus of the review was on significant interfaces that affect the ability to prevent core damage.
2.4.1 Front-End and Back-End Interfaces.
Each SGS unit has 5 containment fan-cooler units (CFCUs) and 2 containment spray trains that provide containment cooling functions. During the injection phase of an accident, the containment spray function is provided by the two containment spray pumps. During the recirculation mode, containment spray is provided by the RHR system. The CFCU units receive external cooling from the service water system. The RHR heat exchangers are cooled with the component cooling water system. [pp. 3.2-27 to 3.2-31, 3.2-36 to 3.2-48 of submittal]
The Level-1 endstates were collapsed into a set of representative plant damage states (PDSs) for investigation of containment response. The PDS binning process appears consistent with other IPE/PRA studies. A set of 9 key PDSs were ultimately used in the back-end analysis. [pp. 3.1-52, 4.3-1, 4.3-2, 4.3-5, 4.3-6, 4.6-2, 4.6-7, 4.6-8 of submittal]
2.4.2 Human Factors Interfaces.
The most important human failure event at SGS-1 and SGS-2 based on the partial derivative and risk increase measures is the miscalibration of engineered safety features (ESF) undervoltage sensors. The most important human failure events from a risk reduction measure include: operator actions associated with the failure to recover offsite power, failure to open doors/use fans to establish alternate ventilation after loss of control area air conditioning, failure to shutdown the reactor from the remote shutdown panel, and failure to establish ECCS recirculation. [pp. 3.4-29, 3.4-30 to 3.4-32, 3.4-54, 3.4-46, 3.4-85e of submittal]
As defined in the IPE, recovery actions represent actions performed to recover a specific failure or fault (primarily equipment failure/fault) such as recovery of offsite power or recovery of a front-line safety system that was unavailable on demand earlier in the event. Recovery actions were applied only to longer-term accidents such as loss of decay heat removal. Recovery was not applied to intermediate and large LOCA sequences. In some cases, more than one recovery action was applied to an accident sequence cut set if the recovery actions could be considered independent. [pp. 3.3-14, 3.3-94, 3.3-95, 3.3-174, 3.3-175, 3.4-6, 3.4-8, 3.4-38 of submittal]
Finally, it is noted that some recovery actions are modeled in the event trees. These recovery actions are listed in Table 3.3.7-6 of the submittal. There were 3 instances in which credit for two recovery actions at the event tree level reduced sequence CDF values below the 1E-08/yr truncation value. [pp. 3.3-175, 3.4-8, 3.4-40, 3.4-41, 3.4-42 of submittal]
2.5 Evaluation of Decay Heat Removal and Other Safety Issues
This section of the report summarizes our review of the evaluation of Decay Heat Removal (DHR) provided in the submittal. Other GSI/USIs, if they were addressed in the submittal, were also reviewed.
2.5.1 Examination of DHR.
One part of the licensee's DHR examination involved a review of the basic event importance measures associated with the AFW system, including component failure modes, human errors, and recovery actions. The licensee concludes that AFW failures, including maintenance errors, are important to the risk profile. However, the licensee points out that this result is explainable because station blackout sequences are major contributors to CDF. The licensee also notes that a comparative evaluation of SGS results with 9 other plants showed that no unique vulnerabilities exist at the SGS units. [pp. 2-10, 3.4-7, 3.4-8, 3.4-15, 3.4-28 to 3.4-35 of submittal]
The licensee also made a review of the event importance measures associated with the PORVs to judge the significance of the feed and bleed function. While the PORVs are less important than the AFW equipment items, they nevertheless are significant from a risk reduction measure. A sensitivity analysis demonstrated that loss of feed and bleed capability would more than double the CDF at SGS-1 (from 5.2E-05/yr to over 1E-04/yr). However, the licensee points out that feed and bleed is recognized as being important to safety, and training is emphasized for this function. [pp. 3.4-6, 3.4-8, 3.4-15, 3.4-30, 3.4-31 of submittal]
Finally, the licensee made a probabilistic assessment of Technical Specification changes for the operations of PORVs and their associated block valves as requested by Generic Letter 90-06 [GL 90 06]. The more restrictive limiting conditions of operations for the PORVs and block valves associated with the generic letter were estimated to decrease the CDF by 4.5% at SGS-1 (from 5.2E-05/yr to about 5.0E-05/yr). It was judged by the licensee that this level of CDF decrease did not indicate any particular DHR weakness. For SGS-2, historical equipment outage times were less than the requested outage times, and there was no impact on the CDF. The submittal states that the PORV block valves are normally open. The IPE analysis did account for unavailability of the PORV relief paths based on plant-specific data. [pp. 3.2-50, 3.2-51, 3.3-73, 3.3-75, 3.4-8, 3.4-15 of submittal]
2.5.2 Diverse Means of DHR.
The IPE considered the diverse means for accomplishing DHR, including: use of the power conversion system, feed and bleed, auxiliary feedwater, and ECCS. Cooling for RCP seals was considered. In addition, containment cooling was addressed.
2.5.3 Unique Features of DHR.
The unique features at SGS that directly impact the ability to provide DHR are as follows:
Ability to perform feed and bleed once-through cooling. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of the auxiliary feedwater (AFW) system.
Onsite gas turbine. This design feature lowers the CDF by providing an alternate source of onsite power in the event a loss of offsite power (LOSP) occurs.
Containment fan cooler units. The containment fan cooler units provide a method of containment cooling that is independent of the containment spray system. This design feature tends to lower the CDF.
2.5.4 Other GSI/USIs Addressed in the Submittal.
The submittal does not address GSI/USIs other than DHR. However, the submittal states that PSE&G reserves the right to use the IPE for responses to other USIs and GSIs in the future. [p. 3.4-8 of submittal]
2.6 Internal Flooding
This section of the report summarizes our reviews of the process used to model internal flooding and of the results of the analysis of internal flooding.
2.6.1 Internal Flooding Methodology.
The flooding analysis considered a number of flooding sources, including pipes, heat exchangers, tanks, gaskets, valve stems, and pumps. Also considered was the inadvertent actuation of fire sprinklers. The analysis considered the effects of submergence, steam blanketing, spray, and damage from pipe whip. Source flow rates, drainage capacities, and flood accumulations were accounted for.
[pp. 3.3-36 to 3.3-46 of submittal]
The licensee reviewed records of previous flooding events to identify the types of floods that have previously occurred in US nuclear plants. Walkdowns were performed to identify plant-specific flooding events and to determine differences between SGS-1 and SGS-2. Event trees were used to support the development of core damage sequences. The IPE used several sources of data to quantify flood-related initiating events, including WASH 1400, the Nuclear Plant Reliability Data System (NPRDS), and LERs. It appears that 31 separate initiating event categories were analyzed. [pp. 2-27, 3.3-35, 3.3-51, 3.3-176, 3.3-177, 3.3-251 to 3.3-256 of submittal] [pp. 8, Attachment 1 of RAI Responses]
2.6.2 Internal Flooding Results.
For the purpose of the flooding analysis, a risk-significant core damage sequence was defined as any sequence with a frequency greater than 1.0E-07/yr. Sequences less than this value were not reported in the flood quantification results. [pp. 2-28, 3.3-188 of submittal]
Results from the internal flooding analysis are summarized in Table 2-4 below: [pp. 8, 9 of RAI Responses]
Table 2-4. Internal Flooding Results

| Initiator | CDF (per year), SGS-1 | CDF (per year), SGS-2 |
|---|---|---|
| Non-isolable flood on 84-ft elevation of auxiliary bldg. | 4.2E-06 | 4.2E-06 |
| Propagation of water to 64-ft. elevation switchgear room | 2.6E-06 | |
| Isolable flood on 84-ft elevation of auxiliary bldg. | 5.1E-07 | 5.1E-07 |
| Rupture of fire protection piping in 64-ft. elevation switchgear room | | 2.5E-06 |
| Total | 7.31E-06 | 7.21E-06 |
2.7 Core Damage Sequence Results
This section of the report reviews the dominant core damage sequences reported in the submittal. The reporting of core damage sequences, whether systemic or functional, is reviewed for consistency with the screening criteria of NUREG-1335.
The definition of vulnerability provided in the submittal is reviewed. Vulnerabilities, enhancements, and plant hardware and procedural modifications, as reported in the submittal, are reviewed.
2.7.1 Dominant Core Damage Sequences.
The IPE used the screening criteria from Generic Letter 88-20 for systemic sequences.
Point estimate internal events CDF contributions (exclusive of internal flooding) are 4.45E-05/yr (SGS-1) and 4.82E-05/yr (SGS-2). The point estimate internal flooding CDF contributions are 7.31E-06/yr (SGS-1) and 7.21E-06/yr (SGS-2). By combining these point estimates, the overall CDF estimates for SGS-1 and SGS-2 are 5.2E-05/yr and 5.5E-05/yr, respectively. [pp. 1-7, 3.4-10, 3.4-11, 3.4-15, 3.4-67 of submittal] [transmittal letter of submittal] [p. 6 of RAI Responses]
Accident types and initiating events that contributed the most to the total CDF and their percent contribution, are listed in Tables 2-5 and 2-6 (footnote 3). [pp. 7-19, 7-33, 7-35 of submittal] [pp. 14, 15 of RAI Responses]
3 The percent CDF contributions provided in these tables have been revised from the submittal to account for the licensee's updated internal flooding analysis.
Table 2-5. Accident Types and Their Contribution to CDF

| Accident Type | Percent Contribution to CDF, SGS-1 | Percent Contribution to CDF, SGS-2 |
|---|---|---|
| Station Blackout | 41 | 31 |
| Transient | 25 | 36 |
| LOCA | 15 | 16 |
| Internal Flooding | 14 | 13 |
| ATWS | 2.7 | 2.3 |
| ISLOCA | 1.1 | 1.0 |
| SGTR | 0.6 | 0.3 |

Table 2-6. Initiating Events and Their Contribution to CDF

| Initiating Event | Percent Contribution to CDF, SGS-1 | Percent Contribution to CDF, SGS-2 |
|---|---|---|
| LOSP | 49 | 36 |
| Transient with PCS Available | 10 | 20 |
| Non-isolable flood on 84-ft elevation of auxiliary building (internal flood event) | 8.1 | 7.6 |
| Intermediate LOCA | 6.0 | 7.4 |
| Propagation of water to 64-ft. elevation switchgear room (internal flood event) | 5.0 | |
| Rupture of fire prot. piping in 64-ft. elev. switchgear room (internal flood) | | 4.5 |
| Small LOCA | 4.8 | 4.2 |
| Main Feedwater Line Break | 2.7 | 2.5 |
| ATWS (footnote 4) | 2.7 | 2.3 |
| Loss of Service Water | 2.3 | 2.0 |
| Large LOCA | 2.3 | 1.8 |
| Very Small LOCA | 1.2 | 2.5 |
| ISLOCA | 1.1 | 1.0 |
| Transient with PCS Unavailable | 1.0 | 5.6 |
| Isolable flood on 84-ft elevation of auxiliary building (internal flood event) | 1 | 0.9 |
| Loss of DC Bus | 0.7 | 0.7 |
| SGTR | 0.6 | 0.3 |
| Vessel Rupture | 0.6 | 0.5 |
| Steam Line Break | 0.1 | 0.1 |

4 The submittal lists ATWS as an "initiating event"; other IPE/PRA studies generally categorize ATWS as an accident type.

The results listed above in Tables 2-5 and 2-6 are generally consistent with results from other PWR PRA/IPE studies. Differences between the front-end analyses for the two SGS units are mainly the result of unit-specific data related to initiating events, testing and maintenance outages, and component failures. [pp. 1-5, 2-29 of submittal]
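Because the percentages in Tables 2-5 and 2-6 were revised for the updated flooding analysis, a reader can confirm that they agree with the CDF values in Table 2-4 and Section 2.7.1. The following added example (not part of the submittal or of this review's own calculations) recomputes the flood totals, overall CDF and flood-related percentages from the quoted figures; the dictionary keys and function names are illustrative.

```python
"""Cross-check of flood and CDF figures quoted in Tables 2-4, 2-5 and 2-6."""
from math import isclose

# Point-estimate CDF from internal events, excluding flooding (per year).
INTERNAL_CDF = {"SGS-1": 4.45e-5, "SGS-2": 4.82e-5}

# Table 2-4 flood initiators (per year).
FLOOD_CDF = {
    "SGS-1": {"non-isolable 84-ft": 4.2e-6,
              "propagation to 64-ft": 2.6e-6,
              "isolable 84-ft": 5.1e-7},
    "SGS-2": {"non-isolable 84-ft": 4.2e-6,
              "fire piping 64-ft": 2.5e-6,
              "isolable 84-ft": 5.1e-7},
}
REPORTED_FLOOD_TOTAL = {"SGS-1": 7.31e-6, "SGS-2": 7.21e-6}
REPORTED_OVERALL = {"SGS-1": 5.2e-5, "SGS-2": 5.5e-5}

# Percent contributions as printed: (value, number of decimals shown).
REPORTED_PCT = {
    "SGS-1": {"non-isolable 84-ft": (8.1, 1), "propagation to 64-ft": (5.0, 1),
              "isolable 84-ft": (1, 0), "all flooding": (14, 0)},
    "SGS-2": {"non-isolable 84-ft": (7.6, 1), "fire piping 64-ft": (4.5, 1),
              "isolable 84-ft": (0.9, 1), "all flooding": (13, 0)},
}


def flood_total(unit):
    return sum(FLOOD_CDF[unit].values())


def overall_cdf(unit):
    return INTERNAL_CDF[unit] + flood_total(unit)


def percent_of_cdf(unit, key):
    part = flood_total(unit) if key == "all flooding" else FLOOD_CDF[unit][key]
    return 100.0 * part / overall_cdf(unit)


def discrepancies(unit):
    """Return a list of human-readable mismatches (empty if consistent)."""
    found = []
    if not isclose(flood_total(unit), REPORTED_FLOOD_TOTAL[unit], rel_tol=1e-9):
        found.append(f"{unit}: flood rows sum to {flood_total(unit):.3e}")
    # The overall CDF is quoted to two significant figures.
    if float(f"{overall_cdf(unit):.1e}") != REPORTED_OVERALL[unit]:
        found.append(f"{unit}: overall CDF recomputes to {overall_cdf(unit):.3e}")
    for key, (pct, decimals) in REPORTED_PCT[unit].items():
        tolerance = 0.5 * 10 ** -decimals      # half a unit in the last digit
        if abs(percent_of_cdf(unit, key) - pct) > tolerance:
            found.append(f"{unit}: {key} recomputes to "
                         f"{percent_of_cdf(unit, key):.2f}% (printed {pct}%)")
    return found


def share_of_non_flood_cdf(unit, pct_of_total):
    """Convert a percent of total CDF into a percent of the non-flood CDF."""
    return pct_of_total * overall_cdf(unit) / INTERNAL_CDF[unit]


if __name__ == "__main__":
    for unit in ("SGS-1", "SGS-2"):
        print(unit, f"overall CDF = {overall_cdf(unit):.3e}/yr",
              discrepancies(unit) or "consistent")
    # Table 2-5 gives station blackout as 41% of total CDF at SGS-1.
    print(f"SGS-1 SBO share of non-flood CDF: "
          f"{share_of_non_flood_cdf('SGS-1', 41):.1f}%")
```

The last function restates the 41% station blackout share of total SGS-1 CDF as a share of the non-flood CDF, which can be compared with the "over 47%" figure quoted in Section 2.7.2.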
Dominant core damage sequences for each unit (including internal flooding) are listed below in Table 2-7 (footnote 5). [pp. 3.4-2, 3.4-11, 3.3-40, 3.3-41, 7-17, 7-18 of submittal]

Table 2-7. Dominant Core-Damage Sequences

| Initiating Event | Dominant Subsequent Failures in Sequence | % Contribution to CDF, SGS-1 | % Contribution to CDF, SGS-2 |
|---|---|---|---|
| LOSP | Station blackout, loss of TD AFW train leading to early core damage, power recovered by 4 hours | 10 | 4.9 |
| Non-isolable flood on 84-ft elevation of auxiliary bldg. | Failure of AFW pumps, charging pumps, SI pumps, CS pumps, west valve vital control center | 8.1 | 7.6 |
| LOSP | Station blackout, RCP seal LOCA at 4 hours, power not recovered by 6 hours | 7.5 | 6.3 |
| LOSP | Station blackout, RCP seal LOCA at 2 hours, power not recovered at 4 hours, power recovered at 6 hours | 7.5 | 6.4 |
| LOSP | Station blackout, RCP seal LOCA at 2 hours, power not recovered by 6 hours | 7.5 | 6.4 |
| LOSP | Station blackout, power not recovered by 1 hour, PORV fails to reseat, power recovered at 4 hours (after start of core damage) | 6.2 | 5.1 |
| Turbine trip | Loss of cooling to RCP seals; dominant failures include T/M unavailability of charging pump room coolers and failure of CCW system | 5.6 | 15 |

5 The percent CDF contributions provided in this table have been revised from the submittal to account for the licensee's updated internal flooding analysis.

2.7.2 Vulnerabilities.
For a sequence or event to be considered a vulnerability, it had to pass the systemic sequence reporting criteria provided in NUREG-1335 and contribute inordinately to the CDF with respect to either: [p. 3.4-5 of submittal]
Other SGS core damage sequences or events, or
In comparison to similar sequences or events for other plants as determined from PRA results.
Importance analyses, sensitivity studies, and comparisons of SGS results with PRAs from other Westinghouse plants were used to determine whether the above criteria were satisfied. [pp. 3.4-5, 3.4-36, 3.4-37, 3.4-112, 3.4-113 of submittal] [p. 6, RAI Responses]
A sequence or event was considered to contribute inordinately to risk if the SGS results were unusually high. The licensee provided two examples of how the term "contribute inordinately" was applied in conjunction with the identification of vulnerabilities. In one example, the licensee initially identified a flooding scenario related to an eyewash line rupture that contributed over 16% of the internal events CDF (not including flood-related contributions). The licensee judged that this eyewash-related flooding scenario was inordinately high and initially identified it as a vulnerability. (Following a further analysis, this flooding sequence was subsequently found to be invalid.) The licensee's other example of vulnerability identification involved the relatively large contribution of station blackout sequences at SGS-1 (over 47% of the non-flood related portion of the CDF). Because most Westinghouse PWRs also have a CDF dominated by station blackout, the licensee determined that the SGS station blackout accidents do not contribute inordinately to risk, and thus do not represent a vulnerability. [p. 6 of RAI Responses]
The licensee identified one vulnerability from the IPE analysis. EOPs in place at the time the IPE analysis was performed checked for LOCAs inside containment before considering the possibility of a LOCA outside containment. For plants like Salem where the RHR relief valves direct flow into the pressure relief tank, the blowout of the pressure relief tank rupture disk will indicate a small LOCA. Consequently, the operators may transfer to the LOCA procedures and never to the procedure for a LOCA outside containment. This procedure weakness was stated to be common to Westinghouse PWRs and identified as a vulnerability. [pp. 1-9, 3.4-7, 6-2, transmittal letter of submittal]
2.7.3 Proposed Improvements and Modifications.
The licensee made one plant improvement as a result of the IPE. This improvement was made to address the procedural weakness related to ISLOCA scenarios described above in Section 2.7.2 of this report. The licensee submitted a work request to the Westinghouse Owners Group (WOG) requesting an evaluation and Emergency Response Guidelines (ERG) revision as appropriate. The WOG ERGs and Salem EOPs (which are based on the WOG ERGs) were modified to include this improvement. Assuming an HEP of 0.10, the licensee estimates that this procedural modification reduces the overall CDF and large early release frequency by 1% and 4%, respectively. [transmittal letter of submittal] [p. 12 of RAI Responses]
The licensee provided information concerning plant changes made in response to the Station Blackout rule. These changes are summarized in Table 2-8. The licensee did not formally analyze the CDF impacts related to these changes. [pp. 12 to 14 of RAI Responses]
Table 2-8. Summary of Plant Changes Due to Station Blackout Rule

| Description of Plant Change | Extent to Which Plant Change Accounted for in IPE | CDF Impact |
|---|---|---|
| (1) Installation of explosion-proof heaters in "C" battery room of each unit to ensure that battery electrolyte temperatures will be above 65 deg. F prior to the initiation of a station blackout event; the analysis indicated that no other battery rooms required heaters | Not incorporated into IPE; the IPE was completed prior to this change | No significant CDF reduction expected (no formal CDF analysis done by licensee) |
| (2) Installation of diesel driven air compressor to supply the emergency control air header for each unit; this modification makes it possible for operators to remotely open the steam generator relief valves during a station blackout | Diesel air compressor not modeled in IPE; however, the IPE assumed that the operators could remotely open the steam generator relief valves from the control room during a station blackout | Some degree of CDF reduction expected (no formal CDF analysis done by licensee) |
| (3) Enhancement of plant procedures to require battery load shedding and opening of doors to provide better ventilation for various rooms; this procedure enhancement ensures that batteries will last for four hours | Battery load shedding and door opening for battery rooms were not modeled in IPE; rather, it was assumed that the batteries will last for the duration for which they are designed | No formal CDF analysis performed; no impact on CDF predicted in IPE |
3. CONTRACTOR OBSERVATIONS AND CONCLUSIONS
This section of the report provides an overall evaluation of the quality of the IPE based on this review. Strengths and weaknesses of the IPE are summarized. Important assumptions of the model are summarized. Major insights from the IPE are presented.
One strength of the IPE was identified. Specifically, the licensee has performed a separate analysis for each SGS unit. While both units are very similar, there have been historical differences related to initiating event frequencies, testing and maintenance outages, and component failures. There are also unit-specific design differences that influence the internal flooding analysis. These differences between the two SGS units are accounted for in the IPE.
One weakness of the IPE was identified. Specifically, the number of equipment types analyzed in the common cause analysis is more limited than in some other IPE/PRA studies.
Significant level-one IPE findings are as follows:
Station blackout is a dominant contributor to CDF at both units.
Like a number of other PWR IPE/PRA studies, station blackout is a dominant contributor to CDF at the SGS. Important contributors to station blackout CDF include failure of the turbine-driven AFW train and the possibility of an RCP seal LOCA.
Another contributor to station blackout is the fact that a single diesel generator cannot by itself support sufficient cooling water flow to sustain its own operation. While the electrical output from a single diesel generator may be sufficient to support reactor cooling functions, 2 diesel generators must operate to ensure adequate diesel generator cooling from the service water system. Finally, it is noted that the station blackout contribution would have been significantly higher if the site did not have an onsite gas turbine generator.
4. DATA SUMMARY SHEETS
This section of the report provides a summary of information from our review.

Overall CDF
Point estimate internal events CDF contributions (exclusive of internal flooding) are 4.45E-05/yr (SGS-1) and 4.82E-05/yr (SGS-2). The point estimate internal flooding CDF contributions are 7.31E-06/yr (SGS-1) and 7.21E-06/yr (SGS-2). By combining these point estimates, the overall CDF estimates for SGS-1 and SGS-2 are 5.2E-05/yr and 5.5E-05/yr, respectively.

Dominant Initiating Events Contributing to CDF (footnote 6)
SGS-1:
LOSP 49%
Transient with PCS available 10%
Non-isolable flood 84-ft elev of aux. bldg. 8.1%
Intermediate LOCA 6.0%
Propagation of flood water to 64-ft. switchgear room 5.0%
Small LOCA 4.8%
SGS-2:
LOSP 36%
Transient with PCS available 20%
Non-isolable flood 84-ft elev of aux. bldg. 7.6%
Intermediate LOCA 7.4%
Transient with PCS unavailable 5.6%
Rupture of fire prot. piping in 64-ft switchgear room 4.5%

6 A complete list of initiating event contributors for each unit is provided in Table 2-6 of this report.

Dominant Hardware Failures and Operator Errors Contributing to CDF
Dominant hardware failures contributing to CDF (partial derivative and risk increase measures) include:
SGS-1:
Reactor trip failure
4,160 VAC Vital Bus-1C Fault
RWST and piping faults
4,160 VAC Vital Bus-1B Fault
SGS-2:
Reactor trip failure
4,160 VAC Vital Bus-2B Fault
4,160 VAC Vital Bus-2C Fault
RWST and piping faults
Dominant human errors and recovery factors contributing to CDF include:
Miscalibration of ESF undervoltage sensors (partial derivative and risk increase measures)
Failure to recover offsite power (risk reduction).

Dominant Accident Classes Contributing to CDF
SGS-1:
Station blackout 41%
Transient 25%
LOCA 15%
Internal Flooding 14%
ATWS 2.7%
ISLOCA 1.1%
SGTR 0.6%
SGS-2:
Transient 36%
Station blackout 31%
LOCA 16%
Internal Flooding 13%
ATWS 2.3%
ISLOCA 1.0%
SGTR 0.3%

Design Characteristics Important for CDF
Ability to perform feed and bleed once-through cooling. This design feature lowers the CDF by providing an alternative method of core cooling given unavailability of the AFW system.
Onsite gas turbine. This design feature lowers the CDF by providing an alternate source of onsite power in the event LOSP occurs.
Reguirement that at least 2 of 3 diesel generators must operate to provide emergency AC power given a LOSP and unavailability of the gas turbine. At least 2 service water pumps must operate to provide adequate flow to the*
diesel generator cooling water system. Because each diesel generator can provide sufficient power for only one service water pump, at least 2 of 3 diesel generators must operate to provide sufficient cooling to the diesel generator cooling water system. Therefore, while the electrical output from only one diesel generator may be sufficient in some situations to support reactor cooling functions, 2 diesel generators must operate to ensure adequate diesel generator cooling. This design feature tends to increase the CDF.
Dependency of motor-driven AFW pumps on room codling. This dependency tends to increase the CDF.
Control air system cross-connection between Units 1 and 2.
This design feature tends to decrease the CDF. Credit for this cross-connection was taken in the analysis.
Chilled water cross-connection between Units 1 and 2. This design feature*
tends to decrease the CDF. Credit for this cross-connection was taken in the analysis.
Manual ECCS switchover to recirculation.
This design feature tends to
- increase the GDF over what it would be otherwise with an automatic system.
Containment fan cooler units. The containment fan cooler units provide a method of containment cooling that is independent of the containment spray system. This design feature tends to lower the GDF.
Modifications The licensee made one plant improvement as a result of the IPE. This improvement was made to address a procedural weakness related to ISLOCA scenarios. More specifically, EOPs in place at the time the IPE analysis was performed checked for LOCAs inside containment before considering the possibility of a LOCA outside containment. For plants like Salem where the RHR relief valves direct flow into the pressure relief tank, the blowout of the pressure relief tank rupture disk will indicate a small LOCA. Consequently, the operators may transfer to the LOCA procedures and never to the procedure for.a LOCA outside containment. This procedure weakness was stated to be common to Westinghouse PWRs and identified as a vulnerability.
The licensee submitted a work request to the Westinghouse Owners Group (WOG) requesting an evaluation and Emergency Response Guidelines (ERG) revision as appropriate. The WOG ERGs and Salem EOPs (which are based on the WOG ERGs) were modified to include this improvement. Assuming an HEP of 0.10, the licensee estimates that this procedural modification reduces the overall CDF and large early release frequency by 1% and 4%, respectively.
Finally, the licensee summarized the following plant changes made in response to the station blackout rule: (1) installation of explosion-proof battery room heaters, (2) installation of a diesel driven air compressor, and (3) enhancement of plant procedures to require battery load shedding and opening of doors to enhance ventilation in various rooms.
Other USI/GSIs Addressed
The IPE does not address USI/GSIs other than USI A-45.
Significant PRA Findings
Significant findings on the front-end portion of the IPE are as follows:
Station blackout is a dominant contributor to CDF at both units.
Like a number of other PWR IPE/PRA studies, station blackout is a dominant contributor to CDF at the SGS. Important contributors to station blackout CDF include failure of the turbine-driven AFW train and the possibility of an RCP seal LOCA.
Another contributor to station blackout is the fact that a single diesel generator cannot by itself support sufficient cooling water flow to sustain its own operation. While the electrical output from a single diesel generator may be sufficient to support reactor cooling functions, 2 diesel generators must operate to ensure adequate diesel generator cooling from the service water system. Finally, it is noted that the station blackout contribution would have been significantly higher if the site did not have an onsite gas turbine generator.